Building a secure user registration form with PHP seems like a scary task. How do I protect myself from MySQL injection and other methods of hacking. Surprisingly, with only a few steps and precautions, you can greatly reduce the chance of success for attacks. In this post, I will talk you through some basic but important steps to build a robust and secure registration form in PHP. $host = ; $db = ; $user = ; $pass = ; $options = [ PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC, PDO::ATTR_EMULATE_PREPARES => , ]; $dsn = ; { $pdo = PDO($dsn, $user, $pass, $options); } (\PDOException $e) { \PDOException($e->getMessage(), (int)$e->getCode()); } <?php // Replace $user and $pass with strong values for production 'localhost' 'new_db' 'root' '' false "mysql:host=$host;dbname=$db" try new catch throw new ?> Establish your database connection using . You can copy & paste the above and you're good to go. PDO Next, you need to grab the fields from the submitted registration form. In my case, I'm only asking the user to submit their first name, email, and password + confirmation. $fname = filter_input(INPUT_POST, , FILTER_SANITIZE_STRING); $email = filter_input(INPUT_POST, , FILTER_SANITIZE_EMAIL); $pwd = filter_input(INPUT_POST, ); $pwd_confirm = filter_input(INPUT_POST, ); <?php // Get form field values 'fname' 'email' 'password' 'confirm-password' ?> Make sure to use FILTER_SANITIZE_STRING on the password as you don't invalidate a user's password. Someone, especially tech-savvy, people, might like having something like '<script>' as part of their password. not $activation_key = bin2hex(random_bytes( )); $activation_link = .$activation_key. .$fname; <?php 15 'https://www.example.com/activate?id=' '&name=' ?> Generate an activation key and have new users confirm their account registration via email. This will greatly reduce the number of spam accounts. In my case, I used to generate a random 15 character string to avoid any conflicts should a large number of users sign-up with your site. I also added the first name of the user to the string, which I can then verify server-side. bin2hex ($pwd !== $pwd_confirm) { $errors[] = ; } (strlen($pwd) < ) { $errors[] = ; } ($fname === $pwd) { $errors[] = ; } <?php // Check if passwords match if "Passwords don't match" // Check if password is secure if 8 "Password not long enough! Must be at least 8 characters long" // Check if username equals password if "Your name cannot be your password!" ?> I'm now checking for errors in the form submission. Note that the check whether the password is secure is not very sophisticated at this point. I recommend to introduce further checks, e.g. capital and non-capital letters, special characters etc. You can do this using a . regular expression $email_query = $pdo->prepare( ); $email_query->bindParam( , $email); $email_query->execute(); $email_found = $email_query->fetchColumn(); ($email_found) { $errors[] = ; } <?php // Check if email address exists in database "SELECT count(1) FROM users WHERE email = :email" ':email' if "Your email address is associated with another account." ?> I'm also checking whether the email address already exists in the database. When you or values from/to your database, always use prepare statements and bind the parameters to avoid SQL injection. SELECT INSERT INTO <?php (!$errors) { $hashed_password = password_hash($pwd, PASSWORD_DEFAULT); $create_account = $pdo->prepare( ); $create_account->bindParam( , $fname); $create_account->bindParam( , $email); $create_account->bindParam( , $hashed_password); $create_account->bindParam( , $activation_key); $create_account->execute(); $to=$email; $subject= ; $ = ; $body= .$fname. .$activation_link. .$activation_link. ; $headers = .$ ; mail($to,$subject,$body,$headers); header( ); exit; } ?> // If no errors, continue with user account creation if // Hash password // Create database entry "INSERT INTO users (first_name,email,password, activation_key) VALUES (:fname, :email, :password, :activation_key)" ':fname' ':email' ':password' ':activation_key' // Send out activation email "Activate your account" from 'no-reply@example.com' 'Thank you for creating your account, ' '. Please click on the following link to activate your account: <a href="' '">' '</a>' "From:" from // Redirect user to the dashboard "Location: /dashboard.php" If you've found no errors with the form submission, it's time to create a new account. To do this, you should first hash the submitted password. NEVER store plain-text passwords in your database. You are then going to prepare the statement, bind the parameters and execute to insert the values into the database. Last but not least, you want to send out the activation email. In this example, I used PHP's mail() function but you might want to go with PHPMailer instead. Also, you might want to use to build the activation string in case the user's first name is not url-compliant, e.g. uses ampersands. http_build_query() You can now exit the registration process and wait until the user activated his/her account or redirect them to the next page, e.g. dashboard. However, note that you probably want to initiate the session if you do go with a redirect. That's it! Thomaso
