How to Create Secure Registration Page in PHP/MySQL Part II

The mysqli extension works differently from the mysql extension. The 'i' stands for "improved", which means it has features that the mysql extension lacks.
There are two approaches to using the mysqli extension: the object-oriented style and the procedural style.
If you are migrating an old PHP file to the mysqli extension, I suggest you use the procedural style; it is very easy to convert existing code to mysqli this way.
Looking at the example in our previous tutorial, we will still use the same database, called "login".
We will just change some of the code in "registration.html" and "register.php".

Procedural style

registration2a.html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Register</title>
</head>
<body>
<form name="register" action="register2a.php" method="post">
<table width="510" border="0">
<tr>
<td colspan="2"><p><strong>Registration Form</strong></p></td>
</tr>
<tr>
<td>Username:</td>
<td><input type="text" name="username" maxlength="20" /></td>
</tr>
<tr>
<td>Password:</td>
<td><input type="password" name="password1" /></td>
</tr>
<tr>
<td>Confirm Password:</td>
<td><input type="password" name="password2" /></td>
</tr>
<tr>
<td>Email:</td>
<td><input type="text" name="email" id="email" /></td>
</tr>
<tr>
<td>&nbsp;</td>
<td><input type="submit" value="Register" /></td>
</tr>
</table>
</form>
</body>
</html>
Note that we only changed the value of the action attribute in the form tag above. The previous value was register.php; it is now register2a.php.
register2a.php
<?php
$username = $_POST['username'];
$password1 = $_POST['password1'];
$password2 = $_POST['password2'];
$email = $_POST['email'];
//redirect and stop when validation fails; without exit the script keeps running and inserts the row anyway
if($password1 != $password2)
{
    header('Location: registration.html');
    exit;
}
if(strlen($username) > 30)
{
    header('Location: registration.html');
    exit;
}
$hash = hash('sha256', $password1);
function createSalt()
{
    $text = md5(uniqid(rand(), true));
    return substr($text, 0, 3);
}
$salt = createSalt();
$password = hash('sha256', $salt . $hash);
$conn = mysqli_connect('localhost', 'root', '', 'login'); //we have added the database name called "login"
//mysql_select_db('login', $conn); //we remove this line
if(!$conn)
{
    die('Could not connect: ' . mysqli_connect_error());
}
//sanitize username and email; both come straight from the form
$username = mysqli_real_escape_string($conn, $username);
$email = mysqli_real_escape_string($conn, $email);
$query = "INSERT INTO member ( username, password, email, salt ) VALUES
( '$username', '$password', '$email', '$salt' )";
//added $conn variable in order to connect to our database.
mysqli_query($conn, $query);
mysqli_close($conn);
header('Location: login.php');
exit;
?>

Object Oriented Style

registration2b.html
Just change the form line above from:
<form name="register" action="register2a.php" method="post">
to:
<form name="register" action="register2b.php" method="post">
register2b.php
<?php
$username = $_POST['username'];
$password1 = $_POST['password1'];
$password2 = $_POST['password2'];
$email = $_POST['email'];
//redirect and stop when validation fails; without exit the script keeps running and inserts the row anyway
if($password1 != $password2)
{
    header('Location: registration.html');
    exit;
}
if(strlen($username) > 30)
{
    header('Location: registration.html');
    exit;
}
$hash = hash('sha256', $password1);
function createSalt()
{
    $text = md5(uniqid(rand(), true));
    return substr($text, 0, 3);
}
$salt = createSalt();
$password = hash('sha256', $salt . $hash);
$mysqli = new mysqli('localhost', 'root', '', 'login'); //we change the mysqli_connect to "new mysqli"
if($mysqli->connect_error)
{
    die('Could not connect: ' . $mysqli->connect_error);
}
//sanitize username and email; both come straight from the form
$username = $mysqli->real_escape_string($username);
$email = $mysqli->real_escape_string($email);
$query = "INSERT INTO member ( username, password, email, salt ) VALUES
( '$username', '$password', '$email', '$salt' )";
//no $conn variable needed; the connection is the $mysqli object itself when using OOP.
$mysqli->query($query);
$mysqli->close();
header('Location: login.php');
exit;
?>
Now you see the difference? In terms of features there is no difference between the procedural and object-oriented approaches. Use whichever style you are comfortable with.
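The scripts above build the INSERT by pasting escaped strings into the query text. The same registration, written with mysqli prepared statements and PHP's password_hash(), removes the escaping step entirely and is shown here in both the procedural and the object-oriented style. This is an added example, not code from the tutorial; it assumes the tutorial's "login" database and "member" table with the columns username, password, email and salt, and it stores an empty salt because password_hash() embeds its own random salt in the hash.

```php
<?php
// Added example (not part of the original tutorial): registration with mysqli
// prepared statements and password_hash(), in both mysqli styles.
// Assumes database "login" and table member(username, password, email, salt).
declare(strict_types=1);

// Report mysqli errors as exceptions so a failed query cannot be silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Validate the form fields; returns either an 'error' key or the cleaned values.
function validateRegistration(array $post): array
{
    $username  = trim($post['username'] ?? '');
    $password1 = $post['password1'] ?? '';
    $password2 = $post['password2'] ?? '';
    $email     = trim($post['email'] ?? '');

    if ($username === '' || strlen($username) > 30) {
        return ['error' => 'Username must be between 1 and 30 characters.'];
    }
    if (!hash_equals($password1, $password2)) {
        return ['error' => 'Passwords do not match.'];
    }
    if (strlen($password1) < 8) {
        return ['error' => 'Password must be at least 8 characters.'];
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return ['error' => 'Invalid email address.'];
    }
    return ['username' => $username, 'password' => $password1, 'email' => $email];
}

// Procedural style: the connection handle is passed to every mysqli_* call.
function registerProcedural(mysqli $conn, string $username, string $password, string $email): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $salt = ''; // unused: password_hash() already salts the hash
    $stmt = mysqli_prepare(
        $conn,
        'INSERT INTO member (username, password, email, salt) VALUES (?, ?, ?, ?)'
    );
    // Values are sent separately from the SQL text, so no escaping is needed.
    mysqli_stmt_bind_param($stmt, 'ssss', $username, $hash, $email, $salt);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

// Object-oriented style: the same statement through methods on the mysqli object.
function registerOop(mysqli $mysqli, string $username, string $password, string $email): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $salt = ''; // unused: password_hash() already salts the hash
    $stmt = $mysqli->prepare(
        'INSERT INTO member (username, password, email, salt) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('ssss', $username, $hash, $email, $salt);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

$input = validateRegistration($_POST);
if (isset($input['error'])) {
    header('Location: registration.html');
    exit; // stop here; otherwise the script would continue and insert anyway
}

try {
    $mysqli = new mysqli('localhost', 'root', '', 'login');
    $mysqli->set_charset('utf8mb4');
    // Both functions do the same work; pick one style per project.
    registerOop($mysqli, $input['username'], $input['password'], $input['email']);
    // registerProcedural($mysqli, $input['username'], $input['password'], $input['email']);
    $mysqli->close();
} catch (mysqli_sql_exception $e) {
    // A duplicate username or a lost connection lands here; log it, do not echo it to the user.
    error_log('registration failed: ' . $e->getMessage());
    http_response_code(500);
    exit;
}

header('Location: login.php');
exit;
```

On the login side the stored value is checked with password_verify($password, $storedHash), so the salt column is never read. The procedural and object-oriented functions are interchangeable: mysqli_prepare() accepts the same mysqli object that $mysqli->prepare() is called on, which is why a single connection can serve either style.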
