I am making my first attempts at creating secure logins via php/msql and things are going pretty well. I've been following the tutorial here: http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL and amazingly I've got everything working and relating to my page and database. Going through this code has given me a much better understanding of how it all fits together.
The problem I'm having is, the example registration page they provided isn't very complete, or at least not in a way a newbie like me can wrap my head around. Below is what they posted for their registration page example. Would someone be able to fill it in a bit so I'm less lost? I'm guessing I need to build a form around this so users can make accounts but as for the //add your insert to database script here part and where to pull/place form variables from what they posted, I'm thus far disoriented.
// The hashed password from the form
$password = $_POST['p'];
// Create a random salt
$random_salt = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true));
// Create salted password (Careful not to over season)
$password = hash('sha512', $password.$random_salt);
// Add your insert to database script here.
// Make sure you use prepared statements!
if ($insert_stmt = $mysqli->prepare("INSERT INTO members (username, email, password, salt) VALUES (?, ?, ?, ?)")) {
$insert_stmt->bind_param('ssss', $username, $email, $password, $random_salt);
// Execute the prepared query.
$insert_stmt->execute();
}
As always, any help is greatly appreciated. Thank you in advance.
Your guess about the form is correct. There is a "NEW ACCOUNT FORM" that asks you a username, email and password. Probably earlier in that php code you should have something like this:
$username = $_POST['username';
$email = $_POST['email'];
This is, retrieve the values from the $_POST array that contains the values submitted in the "NEW ACCOUNT FORM". As for the insert part,
if ($insert_stmt = $mysqli->prepare("INSERT INTO members (username, email, password, salt) VALUES (?, ?, ?, ?)"))
This if condition is true if a valid value is assigned to $insert_stmt, I guess that it would be null if the conection to the database hasn't been established or something like that.
$insert_smtp would have now something as a "template" of the insert query, it is missing the parameters. The "?" symbols, stands for a parameter you would be sending later.
The instruction
$insert_stmt->bind_param('ssss', $username, $email, $password, $random_salt);
will bind the parameters marked "?" in the "template".
The reason for not to putting directly the username , email, password in the INSERT statment is that, they could include SQL statements that may result in an SQL injection attack. By passing the parameters via "bind_param" the function takes care of cleaning the variables before putting them in the insert.
The instruction
$insert_stmt->execute();
Finally executes the query on the database.