Null values being entered into DB when attempting to hash passwords

Question

I have used PHP in the past a small amount for projects and such however am trying something new with attempting to hash passwords.

On a separate page there is a web form that redirects on submit to a checkRegistration.php form which then connects to the database, takes the users values, verifies them and enters them into their respective columns.

So far all the values are being passed across are entering correctly except the ones being passed by the password_hash function which are being entered as "0" or empty. I think as it's 0 its not being handled correctly and was wondering what I'm doing wrong.

<?php
$con = mysqli_connect("127.0.0.1","root","","projectdatabase");


if (mysqli_connect_errno())
 {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
 }

 $password_user_input = $_POST['password'];
 $options = array('cost' => 10);


$sql="INSERT INTO user_information (firstName, lastName, userName, password, email, contactNum)
VALUES
('$_POST[firstname]','$_POST[lastname]','$_POST[uname]','password_hash($password_user_input, PASSWORD_BCRYPT, $options)','$_POST[email]','$_POST[number]')";

if (!mysqli_query($con,$sql))
{
  die('Error: ' . mysqli_error($con));
}
  header("location:login.php");

mysqli_close($con);

?>

Answer 1

You're not using the password_hash() function correctly, and you can't pass a function in your VALUES.

You would have, or should have received an error telling you about it being an undefined function, or the password column would contain password_hash(hashed_password_string, PASSWORD_BCRYPT, Array) as a string. Those are two results that I received when testing.

Here's what you need to do.

You need to pre-defined the variable and passing it to the function.

$password_user_input = $_POST['password'];
$options = array('cost' => 10);

$pass = password_hash($password_user_input, PASSWORD_BCRYPT, $options);

$sql="INSERT INTO user_information (firstName, lastName, userName, password, email, contactNum) 
VALUES 
('$_POST[firstname]','$_POST[lastname]','$_POST[uname]','$pass','$_POST[email]','$_POST[number]')";

---

However, using this method leaves you open to SQL injection.

Use prepared statements, or PDO with prepared statements, they're much safer.

---

Here is a method pulled from ircmaxell's answer https://stackoverflow.com/a/29778421/ using PDO with prepared statements.

Just use a library. Seriously. They exist for a reason.

• PHP 5.5+: use password_hash()
• PHP 5.3.7+: use password-compat (a compatibility pack for above
• All others: use phpass

Don't do it yourself. If you're creating your own salt, YOU'RE DOING IT WRONG. You should be using a library that handles that for you.

$dbh = new PDO(...);

$username = $_POST["username"];
$email = $_POST["email"];
$password = $_POST["password"];
$hash = password_hash($password, PASSWORD_DEFAULT);

$stmt = $dbh->prepare("insert into users set username=?, email=?, password=?");
$stmt->execute([$username, $email, $hash]);

And on login:

$sql = "SELECT * FROM users WHERE username = ?";
$stmt = $dbh->prepare($sql);
$result = $stmt->execute([$_POST['username']]);
$users = $result->fetchAll();
if (isset($users[0]) {
    if (password_verify($_POST['password'], $users[0]->password) {
        // valid login
    } else {
        // invalid password
    }
} else {
    // invalid username
}