0

Im fairly new to php/sql, but I did alot of research about this until I decided to get help.

Basically im trying to insert a new username/email/password/salt into a MySQL5 DB. This is my test register.php with just an echo:

include 'dbcxn.php';

$usr = $_POST['user'];
$mail = $_POST['mail'];
$pwd = $_POST['p'];
$random_salt = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true));
$password = hash('sha512', $pwd.$random_salt);

$insert_stmt = DB::cxn()->prepare("INSERT INTO members (username, email, password, salt) VALUES ($usr, $mail, $password, $random_salt)");
echo $insert_stmt->param_count." parameters\n";

I tried using just "$insert_stmt = $mysqli->prepare", same thing happens. So I made the class DB. Here's my dbcxn.php if it helps:

define("HOST", "");
define("USER", "");
define("PASSWORD", "");
define("DATABASE", "");
define("PORT", "");

$mysqli = new mysqli(HOST, USER, PASSWORD, DATABASE, PORT);

class DB {
private static $mysqls;
private function __construct(){}

static function cxn() {
    if( !self::$mysqls ) {
        self::$mysqls = new mysqli(HOST, USER, PASSWORD, DATABASE, PORT);
    }
    return self::$mysqls;
}
}

Don't know what else to try and need to get some sleep :). Thanks in advance for any advice.

Improve this question
4
  • Where does the error appear exactly? Commented Aug 11, 2012 at 9:16
  • 1
    Congrats on salting & hashing passwords, but your code is vulnerable to SQL injection. You really should parameterise your variables, so that they do not get evaluated for SQL. If you don't know what I'm talking about, read the story of Bobby Tables. Commented Aug 11, 2012 at 9:16
  • thank you, I will study that. Commented Aug 11, 2012 at 18:17
  • Correct me if Im wrong, but after using the prepared statament (code below) like its suposed to be used, its no longer vulnerable to injection, right? Commented Aug 11, 2012 at 20:20

2 Answers 2

Reset to default
0

Your main problem is that your strings are not escaped, at all.

mysqli::prepare() is used for prepared queries. In order to make this work successfully, you should change your query to this:

$insert_stmt = DB::cxn()->prepare("INSERT INTO members (username, email, password, salt) VALUES (?, ?, ?, ?)");
$insert_stmt->bind_param('ssss', $usr, $mail, $password, $random_salt);
$insert_stmt->execute();

You can read up on the bind_param at http://www.php.net/manual/en/mysqli-stmt.bind-param.php for more information, and an explanation on that first parameter ('s' signifying a string value, there are 4 here because you're inserting 4 string values).

Improve this answer
Sign up to request clarification or add additional context in comments.

8 Comments

Guess what, didnt get any sleep yet. I figured the SQL syntax error meanwhile, then checked your code and you are absolutely right. I didnt get the prepare/bind_param right at all, but now I do. Thanks! I still have some hashing problems, because I can register but cant login afterwards. But thats another story. Again thanks to both.
Good that the insert works. For the hash problem, are you sure that both the password and salt columns in your database are wide enough, and that you're doing the same hash algorithm to check the user-supplied password + salt?
Nah, it wasnt hash problem after all.. i just had a duplicate email on the database, hence the error. Double hashing is working fine now. I have to work on a "check for existing user" code next :)
You can add a unique constraint in your mysql database, via: ALTER TABLE members ADD UNIQUE(email);
works! thanks... so simple. can you recommend any reading on how to interpret and echo SQL errors? such as that one, when someone tries to register the already reg email.
|
0

Your SQL has syntax error. What you get is something like: INSERT INTO members (username, email, password, salt) VALUES (username, [email protected], mypassword, lkjlk21j3lkjsdclksdmfl3i4)

You may want this:

INSERT INTO members (username, email, password, salt) VALUES (?, ?, ?, ?)

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.