-1

I am attempting to create a register page and am having trouble trying to hash my password using PASSWORD_BCRYPT with mysqli. Can someone explain what is wrong with my code below?

 <?php

if(isset($_POST['Register'])) { // checking that form is submitted

    session_start();  //creating variables for form entries
    $FName = $_POST['First_Name'];
    $LName = $_POST['Last_Name'];
    $Email = $_POST['Email'];
    $PW = $_POST['Password'];


    $StorePassword = password_hash($PW, PASSWORD_BCRYPT, array('cost' => 10));


    $sql = $con->query("INSERT INTO users (Fname, Lname, Email, Password)Values('{$FName}', '{$LName}', '{$Email}', '{$PW}')");

    header('Location: Login.php');
alstonan25
  • Your code may contain syntax errors. Consult these following links http://php.net/manual/en/mysqli.error.php and http://php.net/manual/en/function.error-reporting.php and apply that to your code. – Funk Forty Niner Jul 30 '15 at 19:01
  • And you should always use _prepared statements_, especially when dealing with user credentials. – angelcool.net Jul 30 '15 at 19:04
  • It isn't showing me any errors in the code it just isn't hashing the passwords in my database in phpmyadmin. – alstonan25 Jul 30 '15 at 19:04

1 Answer

3

Firstly, you're using the wrong variable for the password in the query being $PW rather than the intended $StorePassword variable where you're using it on top, then passing it to the hashing function.

Your password is being stored as "rasmuslerdorf" rather than "$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a"

If that still doesn't work, then that function may not be available for you to use and you will need to use the password compatibility pack.

Add error reporting to the top of your file(s) which will help find errors.

<?php 
error_reporting(E_ALL);
ini_set('display_errors', 1);

// rest of your code

Sidenote: Displaying errors should only be done in staging, and never production.

Consult these following links

and apply that to your code.

You may have errors in your query but you're not checking for them.

Plus, seeing you did not post your HTML form, make sure it is using a POST method and that all inputs bear the proper name attributes.

  • Just for argument's sake; your posted code is missing a closing brace }

  • Also add exit; after header, should there be more code after that. Otherwise, your code may want to continue to execute.

  • Make sure you are indeed successfully connected using the same MySQL API as you are using for querying, being mysqli_. That is unbeknownst to us.

    • Different APIs such as mysql_ and PDO do not intermix with mysqli_ and vice-versa.
  • Make sure you're not outputting before header using session_start(); in the place it's in now; it looks as if there's a space before your opening PHP tag, that is considered as output. Error reporting will tell you that also.


Your present code is open to SQL injection. Use prepared statements, or PDO with prepared statements, they're much safer.


Footnotes:

Make sure that the password column is long enough to store the hash. PHP.net recommends using VARCHAR(255) in order to accommodate for the future. Same thing for all columns and of the correct lengths/types.

"Note that this constant is designed to change over time as new and stronger algorithms are added to PHP. For that reason, the length of the result from using this identifier can change over time. Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice)."

Community
Funk Forty Niner
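The fixes listed in the answer above, combined into one handler as an added example (not code from the question or from the answer): the hash in $StorePassword is bound into a mysqli prepared statement, query errors are raised as exceptions, and exit follows the redirect. The file name db.php and the input validation rules are assumptions; the table, column and form field names are the ones in the question.

```php
<?php
// Added example, not code from the question or the answer.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // query errors become exceptions
require __DIR__ . '/db.php'; // assumption: hypothetical file that sets $con = new mysqli(...)
session_start();             // no output (not even a space) may precede the opening tag

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['Register'])) {
    $FName = trim($_POST['First_Name'] ?? '');
    $LName = trim($_POST['Last_Name'] ?? '');
    $Email = trim($_POST['Email'] ?? '');
    $PW    = $_POST['Password'] ?? '';

    // Assumed validation rules: all fields present, e-mail well formed.
    if ($FName === '' || $LName === '' || $PW === ''
        || filter_var($Email, FILTER_VALIDATE_EMAIL) === false) {
        http_response_code(400);
        exit('Missing or invalid form field.');
    }

    // bcrypt only reads the first 72 bytes of its input; reject longer
    // values rather than letting them be truncated silently.
    if (strlen($PW) > 72) {
        http_response_code(400);
        exit('Password must be at most 72 bytes.');
    }

    // The hash, not $PW, is what goes into the database.
    $StorePassword = password_hash($PW, PASSWORD_BCRYPT, ['cost' => 10]);

    // Placeholders keep the form values out of the SQL text.
    $stmt = $con->prepare(
        'INSERT INTO users (Fname, Lname, Email, Password) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('ssss', $FName, $LName, $Email, $StorePassword);
    $stmt->execute();
    $stmt->close();

    header('Location: Login.php');
    exit; // stop here so nothing runs after the redirect
}
```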