This is probably not secure but ignore that.
Ive made a simple homepage with login, registration and logout. But im having a problem storing the password in my database. It somewhat looks hashed/salted.
I dont understand much when Im not hashing it myself. In fact I have no experience with salting at all, so please dont come with a professional solution.
This is how it looks like in the database after registration:
The database has the following attributes: id, username, password, email:
9, test, *94BDCEBE19083CE, test@mail.com
But should look like this:
9, test, test, test@mail.com
My registration.php looks like this:
<html>
<head>
<link rel="stylesheet" type="text/css" href="styles.css">
</head>
<body>
<?php
// loggin in and selects the database
include ("dbConfig.php");
//Input vaildation and the dbase code
if ( $_GET["op"] == "reg" )
{
$bInputFlag = false;
foreach ( $_POST as $field )
{
if ($field == "")
{
$bInputFlag = false;
}
else
{
$bInputFlag = true;
}
}
// If we had problems with the input, exit with error
if ($bInputFlag == false)
{
die( "Problem with your registration info. "
."Please go back and try again.");
}
// Fields are clear, add user to database
// Setup query
$q = "INSERT INTO dbUsers (username, password , email ) "
."VALUES ('".$_POST["username"]."', "
."PASSWORD('".$_POST["password"]."'), "
."'".$_POST["email"]."')";
// Run query
$r = mysql_query($q);
// Make sure query inserted user successfully
if ( !mysql_insert_id() )
{
die("Error: User not added to database.");
}
else
{
// Redirect to thank you page.
Header("Location: register.php?op=thanks");
}
} // end if
//The thank you page
elseif ( $_GET["op"] == "thanks" )
{
echo "<form action='members.php' method='POST'>";
echo "<div class='panel'> <span><font color='lime'>Thanks for registering!</font></span>";
echo "<label><input type='submit' class ='button' value='Back'></label></div></form>";
}
//The web form for input ability
else
{
echo "
<div class='box'>
<h1>Registration</h1>
<form action=\"?op=reg\" method=\"POST\">
<label>
<span>Username</span>
<input autocomplete='off' class='input_text' name='username'>
</label>
<label>
<span>Password</span>
<input autocomplete='off' class='input_text' type='password' name='password'>
</label>
<label>
<span>Email</span>
<input autocomplete='off' class='input_text' name='email'>
</label>
<label>
<input type='submit' class='button' value='Registrer'>
</label>
</form>
</div>";
}
?>
</body>
</html>
Just remove the
PASSWORD()function from the SQL statement.So you have to modify your code like this:
Beware that this is unsecure because a SQL injection is possible. You can use prepared statements with the
mysqli_*functions to prevent this. If you cannot usemysqli_*you can also usemysql_real_escape_string().Your code would then look like this: