stackoom
  简体   繁体   中英

Registration php, mysql password, database

 原文  2018-05-18 10:31:20       php/ mysql/ database/ login/ phpmyadmin

Question

I'm trying to make a registration form that will save username and password to database in phpmyadmin.

The problem is that username is saved but the password is not. I mean when I register with password "12345" and when I go to database my password is not saved as "12345", instead it is saved as "96991368fec63c8a1bfc48a70010f84a" or some other random numbers... In database I put Char(40) for password.

this is my code: 

<?php
session_start();
$db=mysqli_connect("localhost","root","","register");

if(isset($_POST['register'])){
session_start();

$username=mysqli_real_escape_string($db,$_POST['username']);
$email=mysqli_real_escape_string($db,$_POST['email']);
$password=mysqli_real_escape_string($db,$_POST['password']);

    $password =md5($password);
    $sql = "INSERT INTO users(username,email,password) 
    VALUES('$username', '$email', '$password')";
    mysqli_query($db, $sql);
    $_SESSION['message'] = " You are now logged in";
    $_SESSION['username'] = $username;
    header("location: Login.php");
}
?>

And this is form: 

form method="post"  action="Registration.php">
    <table>
        <tr>
            <td>Username:</td>
            <td><input type="text" name="username" class="textInput"></td>
        </tr>

        <tr>
            <td>Email:</td>
            <td><input type="email" name="email" class="textInput"></td>
        </tr>

        <tr>
            <td>Password:</td>
            <td><input type="password" name="password" class="textInput"></td>
        </tr>

        <tr>
            <td></td>
            <td><input type="submit" name="register"Value="Register"></td>
        </tr>
    </table>
</form>

3 answers

solution1
 1  2018-05-18 11:21:00

Do not save the password, save a password hash of the password. When using PHP the simplest approach is to use password_hash and password_verify , the pair are secure and easy to use.

This makes the password secure against attackers and allows easy validation of the password on user login.

More:
When saving a password verifier just using a hash function is not sufficient and just adding a salt does little to improve the security. Instead use a function such as PBKDF2 , Rfc2898DeriveBytes , Argon2 , password_hash , Bcrypt or similar functions with an iteration count such that ~100ms or CPU time is consumed. The point is to make the attacker spend substantial of time finding passwords by brute force.

solution2
 1  2018-05-18 18:37:34

Your call to the md5 function, on line 12 of your posted code, is converting the user's plaintext entry of the password to the hash string about which you're complaining. Zaph's answer is completely correct; if you store the plaintext password, any intruder has easy access to it -- which is about as insecure as it's possible to be.

In other words, it looks as if your code is doing exactly what you're telling it to do -- even when that's not what you intended or expected.

solution3
 1  2018-05-18 18:54:08

Use prepared statements 

<?php
$host = 'localhost';
$user = 'root';
$pass = '';
$db = 'register';

try {
    $db_conn = new mysqli("$host", "$user", "$pass", "$db");
    $db_conn->set_charset("utf8");
} catch (Exception $e) {
    echo "Connection failed: " . $e->getMessage();
}

if(isset($_POST['register'])) {
    session_start();

    $username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_STRING);
    $email = filter_input(INPUT_POST, 'email', FILTER_SANITIZE_STRING);
    $password = filter_input(INPUT_POST, 'password', FILTER_SANITIZE_STRING);


    $password = password_hash($password, PASSWORD_BCRYPT);
    $query = $db_conn->prepare("INSERT INTO users(username,email,password)VALUES(?,?,?)");
    $query->bind_param('sss', $username, $email, $password);
    $query->execute();
    $counts = $query->num_rows;
    $query->close();

    if ($counts > 0) {
        $_SESSION['message'] = " You are now logged in";
        $_SESSION['username'] = $username;
        header("location: Login.php"); 
    } else {
        echo 'registration failed... Something went wrong';
    }
}
?>

End when user tries to login do this 

$query = $db_conn->prepare("select password from users where username = ? limit 1");
$query->bind_param('s', $username);
$query->bind_result($dbpassword);
$query->execute();
$query->store_result();
$query->fetch();
$query->close();

if (password_verify($password, $dbpassword)) { 
     echo "login success";
} else {
     echo "wrong password";
}

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question PHP registration form not sending data to MySQL database registration form using Javascript and Php with MySql Database Registration form not processed to database properly (PHP/MySQL) php User registration system without mysql database Basic MYSQL/PHP Event Registration (Database Relationships) How to connect hashed password from registration to login PHP/MySQL PHP mySQL check if username and password are in the database Issues hiding password to MySQL Database in PHP file Resetting password using PHP for mySQL database Error to validate Username and password PHP to MySQL database
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM