security help regarding php registration

Question

Possible Duplicate:
Best way to prevent SQL injection in PHP?

This is a simple registration I made in PHP. I just want to know how to make it really secure, as I am new to PHP, so examples would help also. All in all, any resources or guidance would be great.

<?php

$email = $_POST["email"];
$password = $_POST["password"];
$fname = $_POST["first_name"];
$lname = $_POST["last_name"];

$db = "mydatabase";
$connect = mysql_connect("localhost","root","");
if(!$connect){
    die('Could not connect.');  
}

$query = "INSERT INTO users (id, email, password, first_name, last_name) VALUES (DEFAULT, '".$email."', '".$password."', '".$fname."', '".$lname."')";

mysql_select_db($db, $connect);

if(!mysql_query($query)){
    echo 'Failed: '.mysql_error();
}
else{
    echo 'You have registered.';
}

mysql_close($connect);

?>

and this is the register input form

<html>
<head>
</html>
<body>

<form action="new_user_db.php" method="POST">
    <input type="text" name="first_name" placeholder="First Name" required><br>
    <input type="text" name="last_name" placeholder="Last Name" required><br>
    <input type="email" name="email" placeholder="E-mail" required><br>
    <input type="password" name="password" placeholder="Password" required><br>
    <input type="submit" value="Register">
</form>

</body>
</html>

thanks for all your feedback!

The first thing you can do is to stop using the `mysql_*` functions, they are no longer maintained and community has begun the [deprecation process](http://goo.gl/KJveJ) . Instead you should learn about [prepared statements](http://goo.gl/vn8zQ) and use either [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli). If you cannot decide, [this article](http://goo.gl/3gqF9) will help to choose. If you want to learn, [here is a good PDO-related tutorial](http://goo.gl/vFWnC). — vascowhite, Oct 18 '12 at 21:27
Email: `someone@someplace.com`. Password: `password`. First name: `First`. Last name: `Last');DROP TABLE users;--`. *There, the `users` table is gone.* — uınbɐɥs, Oct 18 '12 at 21:42
Please, don't use `mysql_*` functions to write new code. They are no longer maintained and the community has begun [deprecation process](http://goo.gl/KJveJ). See the *[red box](http://goo.gl/GPmFd)*? Instead you should learn about [prepared statements](http://goo.gl/vn8zQ) and use either [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli). If you can't decide which, [this article](http://goo.gl/3gqF9) will help you. If you pick PDO, [here is good tutorial](http://goo.gl/vFWnC). Also see [Why shouldn't I use `mysql` functions in PHP?](http://goo.gl/ycnmO) — Madara's Ghost, Oct 18 '12 at 21:44
@vascowhite: You're using an older version of this comment :) See the one above me for the newer version ^ — Madara's Ghost, Oct 18 '12 at 21:44
@vascowhite: Meh, the major difference is the red box, and the new "Why shouldn't I use `mysql_*` functions" question. — Madara's Ghost, Oct 18 '12 at 21:47
Bobby Tables yet again. You'd think after the XKCD comic got so well known people would finally stop making that mistake. http://xkcd.com/327/ — GordonM, Oct 18 '12 at 21:55
SQL injection is definitely something to worry about, but in this case, Bobby Tables just causes an error. By default, `mysql_query` refuses to run two statements in one string. — cHao, Oct 18 '12 at 22:38

score 2 · Accepted Answer · answered Oct 18 '12 at 21:31

Security Issues:

Use MySQLi/PDO. mysql_ functions are deprecated.
Stop using the root account to run your mysql queries. Create a new database user with the minimum required privileges
Finally (unrelated to PHP), look into SSL and securing the movement of credentials from client to server.

Also, not a security risk but...

Having your credentials in every single PHP file that uses it is bad practice. Put it in a separate PHP and include/require it, whenever you want to make a connection. That prevents you having to make several changes when changing database server/user/password.

score 1 · Answer 2 · answered Oct 18 '12 at 21:30

Use a Prepared Statement

$db = mysqli_connect($dbserver, $dbuser, $dbpass,$dbname);

$sql = "insert into mytable (mycol1, mycol2) values (?,?)";

$statement = $db->prepare($sql);

$statement -> bindparam("ss",$myval1, $myval2)'

mysqli_stmt_execute(#statement);

security help regarding php registration

2 Answers2