Search code examples
phpmd5user-registration

PHP MD5 Create User Form

I have used a tutorial here: http://www.phpeasystep.com/phptu/26.html to create a login form for my website. I have set the uPassword field in my database to be md5 and all of the passwords in the database are encrypted with md5.

The login works perfectly, however I am slightly confused about creating a registration form.

The form requests for a user to input their desired password. I am slightly confused as to how I will then take the password that the user inputs, converting it to md5 and then inputting the md5 password into the uPassword field in the user table.

Below is the code that I have for the processresgistration.php file:

/* Database connection info*/
mysql_select_db("dbname", $con);

$encryptedpassword = md5($_POST['uPassword']);

md5($uPassword);

$sql="INSERT INTO users (uName, uPassword, uSurname, uFirstName)
VALUES
('$_POST[uName]','$encryptedpassword','$_POST[uSurname]','$_POST[uFirstName]'";

if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }
echo "Account created.  You can now login";

mysql_close($con)
?>

The code above is supposed to:

  • Create a variable named encryptedpassword
  • Use uPassword as encryptedpassword
  • Convert encrypted password to MD5
  • Input the MD5 password into the users table as uPassword

I'm sure that I've not used a correct variable somewhere, or I have done a simple error with my syntax; any comments/help is greatly appreciated!

Thanks, Chris M

Solution

  • You code require some validation & escaping, more like this :

    <?php

/* Database connection info */
mysql_select_db("dbname", $con);

if ($_REQUEST['METHOD'] == 'POST') {
    $uName = filter_input(INPUT_POST, 'uName');
    $uPassword = filter_input(INPUT_POST, 'uPassword');
    $uSurname = filter_input(INPUT_POST, 'uSurname');
    $uFirstName = filter_input(INPUT_POST, 'uFirstName');

    // do some validation here ...

    // if everything OK, then crypte the password
    $hashedPassword = md5($uPassword);

    // and store it

    $sql = sprintf(
        'INSERT INTO users (uName, hashedPassword, uSurname, uFirstName)
         VALUES (%s, %s, %s, %s);',
            mysql_real_escape_string($uName, $con),
            mysql_real_escape_string($hashedPassword, $con),
            mysql_real_escape_string($uSurname, $con),
            mysql_real_escape_string($uFirstName, $con)
    );

    if (!mysql_query($sql,$con)) {
        die('Error: ' . mysql_error());
    }

    mysql_close($con);
    echo "Account created.  You can now login";
}

?>

    Now for login

    <?php

if ($_REQUEST['METHOD'] == 'POST') {
    $uName = filter_input(INPUT_POST, 'uName');
    $uPassword = filter_input(INPUT_POST, 'uPassword');
    $hashedPassword = md5($uPassword);

    $sql = sprintf(
        'SELECT * FROM users WHERE uName = "%s" AND hashedPassword = "%s" LIMIT 1',
            mysql_real_escape_string($uName, $con),
            mysql_real_escape_string($hashedPassword, $con),
        );

    // etc etc ...
}
?>