0

bought a php software that allows users to build websites. But the guy I paid didn't build a signup form. I'm dangerous enough to do basic coding. But I feel this is past my skill level. The form I created inserts into the mysql database just fine, but it wold let the new users that use this form login because the password field isn't hashing.

HMTL signup form:

<form action="input.php" method="post" class="pcss3f pcss3f-type-hor">
            <header>Fillout the below to join.</header>

            <section class="state-normal">
                <label for="">First Name</label>
                <input type="text" name="first_name"/>
                <i class="icon-user"></i>
            </section>

            <section class="state-normal">
                <label for="">Last Name</label>
                <input type="text" name="last_name"/>
                <i class="icon-user"></i>
            </section>

            <section class="state-normal">
                <label for="">Email</label>
                <input type="email" name="email"/>
                <i class="icon-envelope"></i>
            </section>

            <section class="state-normal">
                <label for="">Password</label>
                <input type="password" name="password"/>
                <i class="icon-key"></i>
            </section>

            <footer>
                <button type="button" onclick="window.location = 'index.html'">Back</button>
                <button type="submit" class="color-blue">Submit</button>
            </footer>
        </form>

and the php script:

<?php
$con = mysql_connect("localhost","name","password");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("instantw_builder", $con);


$sql="INSERT INTO users (first_name, last_name, username, email, password)
VALUES
('$_POST[first_name]','$_POST[last_name]','$_POST[email]','$_POST[email]','$_POST[password]')";

if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }
echo "1 record added";

mysql_close($con)
?>

What do I need to do to hash the password field?

urdave
  • 1
  • 1
  • 1
    **Danger**: You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Nov 21 '14 at 13:16
  • The PHP manual has [a FAQ](http://php.net/manual/en/faq.passwords.php) on this subject as well as [examples](http://php.net/manual/en/function.password-hash.php). – Quentin Nov 21 '14 at 13:19
  • This http://daveismyname.com/login-and-registration-system-with-php-bp has everything you need. *Plus,* it uses PDO with prepared statements and `password_hash()`. – Funk Forty Niner Nov 21 '14 at 13:25
  • Really have a look at the function [password_hash()](http://www.php.net/manual/en/function.password-hash.php). – martinstoeckli Nov 21 '14 at 16:50

1 Answers1

-2

There are many different ways you can hash a password, some better than others. I'd recommend using the SHA1 hash function built into PHP.

$hash_password = sha1($_POST[password]);

You then want to store this password in the database.

When a user logs in, you want to hash the password they enter and check that the two hashes match.

For additional security, I'd suggest adding a string (known only to you), to the end of all passwords in order to limit the success of reserve hashing.

You also have other issues with this form regarding database exploits known as SQL injections. Read up on them here: http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php

Adam Collins
  • 59
  • 3