
Preventing SQL Injection in user registration routine


Problem

At the moment, is my code secure against SQL injection and so forth? I still need to hash passwords and make sure fields are valid and so forth.

<?php

try {
    $handler = new PDO('mysql:host=localhost;dbname=s','root', '*');
    $handler->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}

catch(PDOException $e){
    echo $e->getMessage();
    die();
}

$name = $_POST['name'];
$username = $_POST['username'];
$email = $_POST['email'];
$password = $_POST['password'];

// Named placeholders: the statement text is fixed, the values are bound separately
$sql = "INSERT INTO userinfo (name ,username, email, password) VALUES (:name,:username,:email,:password)";
$query = $handler->prepare($sql);

$query->execute(array(
    ':name' => $name,
    ':username' => $username,
    ':email' => $email,
    ':password' => $password
));

?>
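To show why the prepared statement above is the right choice, here is an added example that is not part of the original question or answer: the same INSERT written with string concatenation beside the parameterised version, run against an in-memory SQLite database (assumes the pdo_sqlite extension) so it works offline. The input row is constructed; an ordinary surname with an apostrophe is enough to break the concatenated statement, while the bound version stores it verbatim.

```php
<?php
// Added example, not from the original post: concatenated INSERT beside the
// prepared-statement INSERT. SQLite in-memory database and the sample row are
// constructed; table and column names follow the question.
declare(strict_types=1);

$handler = new PDO('sqlite::memory:');
$handler->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$handler->exec('CREATE TABLE userinfo (name TEXT, username TEXT, email TEXT, password TEXT)');

// Vulnerable form: user input is spliced into the SQL text, so the database
// parser treats the input as part of the statement.
function insertUserUnsafe(PDO $db, array $u): void
{
    $sql = "INSERT INTO userinfo (name, username, email, password) VALUES ('"
        . $u['name'] . "', '" . $u['username'] . "', '"
        . $u['email'] . "', '" . $u['password'] . "')";
    $db->exec($sql);
}

// Hardened form (what the question already does): the statement text is fixed
// and the values travel separately as bound parameters.
function insertUserSafe(PDO $db, array $u): void
{
    $stmt = $db->prepare(
        'INSERT INTO userinfo (name, username, email, password)
         VALUES (:name, :username, :email, :password)'
    );
    $stmt->execute([
        ':name'     => $u['name'],
        ':username' => $u['username'],
        ':email'    => $u['email'],
        ':password' => $u['password'],
    ]);
}

// Constructed input: a surname containing an apostrophe.
$input = [
    'name'     => "Maeve O'Brien",
    'username' => 'obrien',
    'email'    => 'maeve@example.com',
    'password' => 'not-yet-hashed',
];

try {
    insertUserUnsafe($handler, $input);
    echo "unsafe insert succeeded\n";
} catch (PDOException $e) {
    // The apostrophe closed the string literal early and the rest of the
    // input was parsed as SQL: the same mechanism behind injection.
    echo "unsafe insert failed: " . $e->getMessage() . "\n";
}

insertUserSafe($handler, $input);
$stmt = $handler->prepare('SELECT name FROM userinfo WHERE username = :username');
$stmt->execute([':username' => 'obrien']);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
echo "safe insert stored: " . $row['name'] . "\n";
```

Run it with the PHP CLI; the first call fails with a syntax error from the database, the second stores the name with its apostrophe intact because the value never became part of the statement text.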

Solution

It is safe.

You can improve your code like this:

  • no need to use the closing ?> in case that you are not outputting any HTML or something else after your PHP code

  • no need to use "" to wrap strings in case that you don't have any variables inside a string; you can use '' instead, and the PHP interpreter then does not need to check whether there are any variables in the string or not

  • you can replace echo $e->getMessage(); die() by the simpler exit($e->getMessage());

  • I added salt generation to your code: $salt = md5(uniqid(null, true));

  • I added password hashing to your code by $password = hash('sha256', $password . $salt);

The whole code hereunder:

<?php

try {
    $handler = new PDO('mysql:host=localhost;dbname=s','root', '*');
    $handler->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch (PDOException $e){
    exit($e->getMessage());
}

$name = $_POST['name'];
$username = $_POST['username'];
$email = $_POST['email'];
$password = $_POST['password'];

$salt = md5(uniqid(null, true));
$password = hash('sha256', $password . $salt);

$sql = '
    INSERT INTO userinfo 
        (name ,username, email, password, salt) 
    VALUES 
        (:name,:username,:email,:password, :salt)
';

$query = $handler->prepare($sql);

$query->execute(array(
    ':name' => $name,
    ':username' => $username,
    ':email' => $email,
    ':password' => $password,
    ':salt' => $salt
));
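As an added example, not the answer's own code: the same registration routine with the separate salt column and sha256 replaced by PHP's built-in password_hash() and password_verify(), which generate a random per-user salt and store it inside the hash string, plus the field validation the asker said was still to do. It uses an in-memory SQLite database (assumes the pdo_sqlite extension) instead of the MySQL connection, and the sample input standing in for $_POST is constructed; the table name and column names follow the post.

```php
<?php
// Added example, not the answer's code: registration with password_hash() and
// a login-side password_verify(). SQLite in-memory database and sample input
// are constructed for offline use; table and columns follow the original post.
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE userinfo (
        name TEXT NOT NULL,
        username TEXT NOT NULL UNIQUE,
        email TEXT NOT NULL,
        password TEXT NOT NULL
    )');
    return $db;
}

// Field validation; returns a list of problems, empty when the input is acceptable.
function validateRegistration(array $in): array
{
    $errors = [];
    foreach (['name', 'username', 'email', 'password'] as $f) {
        if (!isset($in[$f]) || !is_string($in[$f]) || $in[$f] === '') {
            $errors[] = "$f is required";
        }
    }
    if ($errors) {
        return $errors;
    }
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $in['username'])) {
        $errors[] = 'username must be 3-32 characters of letters, digits or _';
    }
    if (filter_var($in['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not valid';
    }
    if (strlen($in['password']) < 12) {
        $errors[] = 'password must be at least 12 characters';
    }
    return $errors;
}

function registerUser(PDO $db, array $in): void
{
    $errors = validateRegistration($in);
    if ($errors) {
        throw new InvalidArgumentException(implode('; ', $errors));
    }
    // password_hash() picks a random salt and a deliberately slow algorithm
    // (bcrypt for PASSWORD_DEFAULT today); algorithm, cost and salt are all
    // encoded in the returned string, so no separate salt column is needed.
    $hash = password_hash($in['password'], PASSWORD_DEFAULT);

    $stmt = $db->prepare(
        'INSERT INTO userinfo (name, username, email, password)
         VALUES (:name, :username, :email, :password)'
    );
    $stmt->execute([
        ':name'     => $in['name'],
        ':username' => $in['username'],
        ':email'    => $in['email'],
        ':password' => $hash,
    ]);
}

// Login-side check: compare the submitted password against the stored hash.
function checkLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM userinfo WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password']);
}

$db = openDb();
// Constructed sample input standing in for $_POST.
$post = [
    'name'     => "Maeve O'Brien",
    'username' => 'obrien',
    'email'    => 'maeve@example.com',
    'password' => 'correct horse battery',
];
registerUser($db, $post);
echo checkLogin($db, 'obrien', 'correct horse battery') ? "login ok\n" : "login rejected\n";
echo checkLogin($db, 'obrien', 'wrong password') ? "login ok\n" : "login rejected\n";
```

The stored hash is the only secret-derived value in the table, and the UNIQUE constraint on username lets the database reject duplicate registrations instead of relying on a separate SELECT.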

Code Snippets

<?php

try {
    $handler = new PDO('mysql:host=localhost;dbname=s','root', '*');
    $handler->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch (PDOException $e){
    exit($e->getMessage());
}

$name = $_POST['name'];
$username = $_POST['username'];
$email = $_POST['email'];
$password = $_POST['password'];

$salt = md5(uniqid(null, true));
$password = hash('sha256', $password . $salt);

$sql = '
    INSERT INTO userinfo 
        (name ,username, email, password, salt) 
    VALUES 
        (:name,:username,:email,:password, :salt)
';

$query = $handler->prepare($sql);

$query->execute(array(
    ':name' => $name,
    ':username' => $username,
    ':email' => $email,
    ':password' => $password,
    ':salt' => $salt
));

Context

StackExchange Code Review Q#48095, answer score: 5
