How To Create Secure Registration Flow with PHP and Password Hashing

Building a secure user registration form with PHP seems like a scary task. How do I protect myself from MySQL injection and other methods of hacking. Surprisingly, with only a few steps and precautions, you can greatly reduce the chance of success for attacks. In this post, I will talk you through some basic but important steps to build a robust and secure registration form in PHP. $host = ; $db = ; $user = ; $pass = ; $options = [ PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC, PDO::ATTR_EMULATE_PREPARES => , ]; $dsn = ; { $pdo = PDO($dsn, $user, $pass, $options); } (\PDOException $e) { \PDOException($e->getMessage(), (int)$e->getCode()); } Establish your database connection using . You can copy & paste the above and you're good to go. PDO Next, you need to grab the fields from the submitted registration form. In my case, I'm only asking the user to submit their first name, email, and password + confirmation. $fname = filter_input(INPUT_POST, , FILTER_SANITIZE_STRING); $email = filter_input(INPUT_POST, , FILTER_SANITIZE_EMAIL); $pwd = filter_input(INPUT_POST, ); $pwd_confirm = filter_input(INPUT_POST, ); Make sure to use FILTER_SANITIZE_STRING on the password as you don't invalidate a user's password. Someone, especially tech-savvy, people, might like having something like ' ' as part of their password. not $activation_key = bin2hex(random_bytes( )); $activation_link = .$activation_key. .$fname; Generate an activation key and have new users confirm their account registration via email. This will greatly reduce the number of spam accounts. In my case, I used to generate a random 15 character string to avoid any conflicts should a large number of users sign-up with your site. I also added the first name of the user to the string, which I can then verify server-side. bin2hex ($pwd !== $pwd_confirm) { $errors[] = ; } (strlen($pwd) I'm now checking for errors in the form submission. Note that the check whether the password is secure is not very sophisticated at this point. I recommend to introduce further checks, e.g. capital and non-capital letters, special characters etc. You can do this using a . regular expression $email_query = $pdo->prepare( ); $email_query->bindParam( , $email); $email_query->execute(); $email_found = $email_query->fetchColumn(); ($email_found) { $errors[] = ; } I'm also checking whether the email address already exists in the database. When you or values from/to your database, always use prepare statements and bind the parameters to avoid SQL injection. SELECT INSERT INTO prepare( ); $create_account->bindParam( , $fname); $create_account->bindParam( , $email); $create_account->bindParam( , $hashed_password); $create_account->bindParam( , $activation_key); $create_account->execute(); $to=$email; $subject= ; $ = ; $body= .$fname. .$activation_link. .$activation_link. ; $headers = .$ ; mail($to,$subject,$body,$headers); header( ); exit; } ?> // If no errors, continue with user account creation if // Hash password // Create database entry "INSERT INTO users (first_name,email,password, activation_key) VALUES (:fname, :email, :password, :activation_key)" ':fname' ':email' ':password' ':activation_key' // Send out activation email "Activate your account" from 'no-reply@example.com' 'Thank you for creating your account, ' '. Please click on the following link to activate your account: ' ' ' "From:" from // Redirect user to the dashboard "Location: /dashboard.php" If you've found no errors with the form submission, it's time to create a new account. To do this, you should first hash the submitted password. NEVER store plain-text passwords in your database. You are then going to prepare the statement, bind the parameters and execute to insert the values into the database. Last but not least, you want to send out the activation email. In this example, I used PHP's mail() function but you might want to go with PHPMailer instead. Also, you might want to use to build the activation string in case the user's first name is not url-compliant, e.g. uses ampersands. http_build_query() You can now exit the registration process and wait until the user activated his/her account or redirect them to the next page, e.g. dashboard. However, note that you probably want to initiate the session if you do go with a redirect. That's it! Thomaso