-1
<?php 
$conn=mysqli_connect("localhost", "root", "","users");

if (!$conn) {
    echo "Bad connection!!!";
}

        $user_name=$_POST['user_name'];
        $user_password=$_POST['user_password'];


$sql_check=mysqli_query($conn, "SELECT user_name, password FROM user_info WHERE user_name='$user_name' AND password='$user_password'") or die("Bad sql query");

if (mysqli_num_rows($sql_check)>0) {
    echo "user exists";
}



else {
    $sql_insert=mysqli_query($conn, "INSERT INTO user_info (id, user_name, password) VALUES (null,'$user_name', '$user_password')");
    echo "New user added!!!";
}
 ?>

 <!DOCTYPE html>
 <html>
 <head>
    <title></title>
 </head>
 <body>



<form method="POST" action="pdo_konekcija.php">
<input type="text" name="user_name">
<input type="password" name="user_name">
<input type="submit" name="btn_submit" value="REGISTER">
</form>


 </body>
 </html>

I have basic form for user registration. I can't figure best way for checking if the user exists or not, so if not I want to register new user as you can see from sql statements. How can I include hash() for password for the user_password field? Both fields must be filled for checking and registering process. Can I use this kind of mysql I procedural way for preventing sql injection or not? I am building register/login from scratch so need help, thank you all.

sKhan
  • 9,694
  • 16
  • 55
  • 53
FAMO_php
  • 41
  • 7
  • 1
    **Danger**: You are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that you need to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Mar 23 '16 at 09:32

2 Answers2

1

Use PHP's built in functions for hashing and verifying passwords however this requires version 5.5.0 and above. http://php.net/manual/en/function.password-hash.php

Store a salt in the database which is created on registration. When the user logs in, check if they exists, get their salt and verify using password_verify.

Use prepared statements when dealing with this data to stop SQL Injection

There is a compatibility version on github (https://github.com/ircmaxell/password_compat) if you don't have 5.5.0 and above.

Matt
  • 1,749
  • 2
  • 12
  • 26
0

For checking if a users password matches, first check the user exists and retrieve their password hash, then run it through your hash verification function afterwards.

In answer to your second question, yes your current system is vulnerable to SQL injection.

Chris
  • 5,571
  • 2
  • 20
  • 32