
I am trying to build a website with a login system. I have read this stuff on the web, but I find it difficult to put it together, and I think I am missing a lot of important things, like security.

  • mysqli
  • verify email
  • prepared statement (I have no idea what it is)
  • is there any security risk other than injection in the code below?

I am a self-taught programmer (just started coding several months ago, please help).

  • I do not know OOP or PDO, so please use procedural format.
  • I do not know much about security.
  • This is not a project; I would like to publish it, so there must be good security.
  • Please help to improve it, thanks a lot!

Am I asking too many questions?

<?php
if(isset($_POST['signup-name']) and isset($_POST['signup-password-1']) and isset($_POST['signup-password-2']) and isset($_POST['signup-email-1']) and isset($_POST['signup-email-2']) and isset($_POST['signup-country']) and isset($_POST['recaptcha_challenge_field']) and isset($_POST['recaptcha_response_field'])){
    if(!empty($_POST['signup-name']) and !empty($_POST['signup-password-1']) and !empty($_POST['signup-password-2']) and !empty($_POST['signup-email-1']) and !empty($_POST['signup-email-2']) and !empty($_POST['signup-country']) and !empty($_POST['recaptcha_challenge_field']) and !empty($_POST['recaptcha_response_field'])){

        //echo "ok1";

        $username = $_POST['signup-name'];
        // fixed: the original assigned the password fields to $email1/$email2 and the
        // email fields to $password1/$password2
        $email1 = $_POST['signup-email-1'];
        $email2 = $_POST['signup-email-2'];
        $password1 = $_POST['signup-password-1'];
        $password2 = $_POST['signup-password-2'];
        $country = $_POST['signup-country'];
        // note: these two values are read but never sent to the reCAPTCHA API for
        // verification, so the captcha is not actually enforced
        $recaptcha_challenge_field = $_POST['recaptcha_challenge_field'];
        $recaptcha_response_field = $_POST['recaptcha_response_field'];

        if($email1 == $email2 and $password1 == $password2){

            include 'db_info.php';
            // mysqli_connect() also needs the database name ($db_name is assumed to be
            // defined in db_info.php); mysql_error() belongs to the old mysql extension
            // and cannot be mixed with mysqli, so mysqli_connect_error() is used instead
            $connect = mysqli_connect("localhost", $db_uusseerrss, $db_ppwwdd, $db_name)
                or die("Unable to connect: " . mysqli_connect_error());

            // no mysqli_real_escape_string() here: the values are bound as parameters
            // below, and escaping them first would store altered data (and hash an
            // altered password). The original also escaped $username into $country.

            $bcrypt_option = array('cost' => 12);
            $hashed_password = password_hash($password1, PASSWORD_BCRYPT, $bcrypt_option);
            // debug echoes removed: output before header() breaks the redirect, and the
            // hash must never be shown to the client

            // column names use backticks, not single quotes ('country' was a string literal)
            $query = "INSERT INTO user_info (`username`, `email`, `password`, `country`) VALUES (?, ?, ?, ?)";
            if ($stmt = mysqli_prepare($connect, $query)) {
                mysqli_stmt_bind_param($stmt, "ssss", $username, $email1, $hashed_password, $country);
                mysqli_stmt_execute($stmt);
                mysqli_stmt_close($stmt);

                // redirect to main page; $main_page_url is a placeholder for the address
                // left unspecified in the original, and the script must stop afterwards
                header("Location: " . $main_page_url);
                exit();
            }
        }
    }
}else{
    // nothing submitted yet: show the sign-up form
}
?>
meda
John
    You're asking a lot of stuff in the same question, but I would recommend learning about prepared statements first. That will prevent SQL injection. Begin here: http://se2.php.net/pdo.prepared-statements. There is a high risk of SQL injection(s) in your code. – bestprogrammerintheworld Apr 26 '14 at 16:26
  • 2
    Please don't use bulletin board speak. If you don't want any help links, do you expect a full rewrite then instead? That would be off-topic, and unlikely to help you in the future if you don't understand and research it afterwards. – mario Apr 26 '14 at 16:28
  • You can send an activation link to the user's email; then they have to click the activation link to activate their account. – Maduka Jayalath Apr 26 '14 at 16:28
  • Thanks, I have considered adding email activation, but I already have reCAPTCHA, so I am not sure if it is still necessary to have email activation. – John Apr 26 '14 at 16:32
  • Bear in mind that OCD-levels of grammar pickiness are common in the audience you are addressing. Thus, if you would expand "hv" to "have" and "plz" to "please", it would be appreciated, and may even help avoid the odd down-vote. Thanks. – halfer Apr 26 '14 at 16:34
  • Why not? You need to store an honest email address, otherwise how are they going to recover their password? – Maduka Jayalath Apr 26 '14 at 16:34
  • You can simplify `isset($a) && isset($b) && …` with `isset($a, $b, …)`. – Gumbo Apr 26 '14 at 16:51
  • And you can’t mix [MySQL](http://php.net/book.mysql) and [MySQLi](http://php.net/book.mysqli). – Gumbo Apr 26 '14 at 16:56
  • @user3472320 [check this answer it might help you as it is a login with MySQLi and bCrypt!](http://stackoverflow.com/a/18971788/342740) – Prix Apr 26 '14 at 18:17
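The "verify email" item and the activation-link exchange in the comments, worked through as an added example that is not part of the question or the answers. It assumes the user_info table has the columns id, email, activated, activation_hash and activation_expires, and that $connect is an open mysqli handle; everything else is standard PHP and procedural mysqli.

```php
<?php
// Added example: email activation with a random token (procedural mysqli).
// Assumed schema: user_info(id, email, activated, activation_hash, activation_expires).

// Step 1: after the INSERT succeeds, create a token and store only its hash, so a
// leaked copy of the database does not contain usable activation links.
function create_activation_link(mysqli $connect, int $user_id, string $base_url): string
{
    $token = bin2hex(random_bytes(32));      // 64 hex characters, unguessable
    $hash  = hash('sha256', $token);         // what goes into the database

    // Expiry is computed by the database so PHP and MySQL clocks cannot disagree.
    $stmt = mysqli_prepare($connect,
        'UPDATE user_info SET activation_hash = ?, activated = 0,
                activation_expires = DATE_ADD(NOW(), INTERVAL 1 DAY)
          WHERE id = ?');
    mysqli_stmt_bind_param($stmt, 'si', $hash, $user_id);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);

    // This link goes into the e-mail body (activate.php is an assumed file name).
    return $base_url . '/activate.php?token=' . rawurlencode($token);
}

// Step 2: activate.php receives the token, hashes it and flips the flag in one
// statement; only an unexpired, not yet activated row can match.
function activate_account(mysqli $connect, string $token): bool
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return false;                        // malformed token, reject without a query
    }
    $hash = hash('sha256', $token);

    $stmt = mysqli_prepare($connect,
        'UPDATE user_info SET activated = 1, activation_hash = NULL
          WHERE activation_hash = ? AND activated = 0 AND activation_expires > NOW()');
    mysqli_stmt_bind_param($stmt, 's', $hash);
    mysqli_stmt_execute($stmt);
    $activated = mysqli_stmt_affected_rows($stmt) === 1;
    mysqli_stmt_close($stmt);
    return $activated;
}

// activate.php (constructed usage): a used or expired token is just "invalid".
if (activate_account($connect, $_GET['token'] ?? '')) {
    echo 'Your account is now active.';
} else {
    echo 'This activation link is invalid or has expired.';
}
```

Because only the hash is stored and the row is updated in a single conditional statement, a token can be used exactly once and cannot be recovered from the table.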

2 Answers


I think an easy solution, and one you should always use when inserting user values into the database, is to use a prepared statement. Prepared statements allow you to tell the database what to expect and will treat it as such, even if a malicious user attempts to throw sql injections. The basics are one ? per parameter and then you must tell it what to expect in the bind_param with a s, i, or whatnot. Hope this helps.

$query = "INSERT INTO users (`username`, `email`, `password`, `country`) VALUES (?, ?, ?, ?)";
if ($stmt = mysqli_prepare($conn, $query)) {
    $stmt->bind_param("ssss", $username, $email1, $hashed_password, $country);
    $stmt->execute();
} else {
    //I always put some sort of error message here
    ob_clean();
    // HTTP_REFERER is sent by the client, so a blind redirect to it can land the
    // user on a page of someone else's choosing; check it is your own host first
    header("Location: ".$_SERVER['HTTP_REFERER']);
    mysqli_close($conn);
    exit();
}
michaelp
  • Change the single quotation mark around country. Other than that, I am unsure. – michaelp Apr 28 '14 at 11:16
  • John, mysqli prepared statements are the best way to go. The only problem with them is that you have to have everything exactly right. Miss one comma out or put something in wrong and you will get an error. Sometimes it takes a while to debug a prepared statement, so be patient and check your code thoroughly. – Thomas Williams Sep 06 '16 at 13:02
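The login half of the system the question asks about, using the prepared-statement approach this answer describes, as an added example that is not code from the question or the answer. It assumes the user_info table from the question has columns id, username and password (the bcrypt hash from password_hash()), that $connect is an open mysqli handle, and that the login form posts login-name and login-password.

```php
<?php
// Added example: procedural mysqli login with a prepared SELECT and password_verify().
// Assumed schema: user_info(id, username, password) with bcrypt hashes in `password`.

function login_user(mysqli $connect, string $username, string $password): ?int
{
    // The username is bound as a parameter: it is data, never part of the SQL text.
    $stmt = mysqli_prepare($connect,
        'SELECT id, password FROM user_info WHERE username = ? LIMIT 1');
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $user_id, $stored_hash);
    $found = mysqli_stmt_fetch($stmt) === true;
    mysqli_stmt_close($stmt);

    // Unknown user and wrong password both return null, so the caller can show one
    // generic message and the response does not reveal which usernames exist.
    if (!$found || !password_verify($password, $stored_hash)) {
        return null;
    }

    // If the bcrypt cost is raised later, old hashes are upgraded on the next login.
    if (password_needs_rehash($stored_hash, PASSWORD_BCRYPT, array('cost' => 12))) {
        $new_hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => 12));
        $upd = mysqli_prepare($connect, 'UPDATE user_info SET password = ? WHERE id = ?');
        mysqli_stmt_bind_param($upd, 'si', $new_hash, $user_id);
        mysqli_stmt_execute($upd);
        mysqli_stmt_close($upd);
    }
    return (int) $user_id;
}

// login.php handler (form field names are assumed).
session_start();
$user_id = login_user($connect, $_POST['login-name'] ?? '', $_POST['login-password'] ?? '');
if ($user_id === null) {
    http_response_code(401);
    echo 'Invalid username or password.';   // same text for both failure cases
    exit;
}
session_regenerate_id(true);                // fresh session id on login: no fixation
$_SESSION['user_id'] = $user_id;
header('Location: /');                      // landing page path assumed
exit;
```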

You have an XSS vulnerability in your code. If a visitor enters JavaScript code in the username field, for example, then when his name is displayed the code will be executed. You have to use htmlentities('string message') to prevent any code injection in your page.

Use it like this on all your user entries:

$username = htmlentities($username);
halfer
Emrys Myrooin
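The XSS point from this answer carried through for each place the username can land in a page, as an added example that is not code from the answer. It goes a step beyond the answer: escaping is done at output time and differs by context (HTML text, attribute, script block). The username is a constructed sample; the helper names e() and js() are this example's own.

```php
<?php
// Added example: context-aware output escaping for a user-supplied username.

// HTML text and attribute values. ENT_QUOTES also encodes single quotes (which
// htmlentities() with no flags leaves alone, so a value='...' attribute could
// still be broken out of); ENT_SUBSTITUTE keeps invalid UTF-8 from blanking
// the whole output.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Values placed inside a <script> block need a JavaScript encoder instead: with
// these flags json_encode() yields a string literal that cannot close the tag.
function js(string $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Renders the welcome fragment; $escape = false reproduces the vulnerable version.
function render_welcome(string $username, bool $escape = true): string
{
    if (!$escape) {
        // Vulnerable: the raw value becomes markup, so a <script> tag in it runs.
        return "<p>Welcome, $username</p>";
    }
    return '<p>Welcome, ' . e($username) . '</p>'
         . '<input name="signup-name" value=\'' . e($username) . '\'>'
         . '<script>var user = ' . js($username) . ';</script>';
}

$username = "O'Neil <script>alert('hi')</script>";   // constructed sample input
echo render_welcome($username);

// Store the value raw (bound through the prepared statement, no htmlentities()
// before INSERT) and escape on every output: escaping on the way in double-encodes
// the name as soon as it is shown somewhere else, such as in an e-mail.
```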