Possible Duplicate:
Best way to prevent SQL injection in PHP?
This is a simple registration I made in PHP.
I just want to know how to make it really secure, as I am new to PHP, so examples would help also. All in all, any resources or guidance would be great.
<?php
$email = $_POST["email"];
$password = $_POST["password"];
$fname = $_POST["first_name"];
$lname = $_POST["last_name"];
$db = "mydatabase";
$connect = mysql_connect("localhost","root","");
if(!$connect){
die('Could not connect.');
}
$query = "INSERT INTO users (id, email, password, first_name, last_name) VALUES (DEFAULT, '".$email."', '".$password."', '".$fname."', '".$lname."')";
mysql_select_db($db, $connect);
if(!mysql_query($query)){
echo 'Failed: '.mysql_error();
}
else{
echo 'You have registered.';
}
mysql_close($connect);
?>
and this is the register input form
<html>
<head>
</html>
<body>
<form action="new_user_db.php" method="POST">
<input type="text" name="first_name" placeholder="First Name" required><br>
<input type="text" name="last_name" placeholder="Last Name" required><br>
<input type="email" name="email" placeholder="E-mail" required><br>
<input type="password" name="password" placeholder="Password" required><br>
<input type="submit" value="Register">
</form>
</body>
</html>
thanks for all your feedback!
Security Issues:
Use MySQLi/PDO. mysql_ functions are deprecated.
Stop using the root account to run your mysql queries. Create a new database user with the minimum required privileges
Finally (unrelated to PHP), look into SSL and securing the movement of credentials from client to server.
Also, not a security risk but…
Having your credentials in every single PHP file that uses it is bad practice. Put it in a separate PHP and include/require it, whenever you want to make a connection. That prevents you having to make several changes when changing database server/user/password.