0

I have a basic login page that uses this PHP code to upload directly to my database. When I use this code it works fine and it uploads everything to my table: 

    $fname = $_POST['fname'];
    $lname = $_POST['lname'];
    $Email = $_POST['Email'];
    $username = $_POST['username'];
    $password = ($_POST['password']);
    $PhoneNumber = ($_POST['PhoneNumber']);
    $query = $con-> prepare("
    INSERT INTO Users (fName, lName,Email, username, pass_word,PhoneNumber)
    VALUES (:fname, :lname, :Email, :username,:password, :PhoneNumber)

    ");
    $success = $query-> execute ([
        'fname' => $fname,
        'lname' => $lname,
        'Email' => $Email,
        'username' => $username,
        'password' => $password,
        'PhoneNumber' => $PhoneNumber
    ]);

But when i add the hash password function it just doesnt upload anything to the database at all. 

        $fname = $_POST['fname'];
        $lname = $_POST['lname'];
        $Email = $_POST['Email'];
        $username = $_POST['username'];         
        $password = ($_POST['password']);
        $PhoneNumber = ($_POST['PhoneNumber']);
        $hashed_password = password_hash($password, PASSWORD_DEFAULT);
        $query = $con-> prepare("
        INSERT INTO Users (fName, lName,Email, username, pass_word,PhoneNumber)
        VALUES (:fname, :lname, :Email, :username,:password, :PhoneNumber)

        ");
    $success = $query-> execute ([
            'fname' => $fname,
            'lname' => $lname,
            'Email' => $Email,
            'username' => $username,
            'password' => $hashed_password,
            'PhoneNumber' => $PhoneNumber
        ]);

Update: I made the changes that were suggested but I am still having the same issue. This is my updated code:

$password = $_POST['password'];


    $hashed_password = password_hash($_POST['password'], PASSWORD_BCRYPT, ['cost' => 15]);

    $query = $con-> prepare("
        INSERT INTO Users (fName, lName,Email, username, pass_word,PhoneNumber)
        VALUES (:fname, :lname, :Email, :username,:password, :PhoneNumber)

        ");
    $success = $query-> execute ([
            'fname' => $fname,
            'lname' => $lname,
            'Email' => $Email,
            'username' => $username,
            'password' => $hashed_password,
            'PhoneNumber' => $PhoneNumber
        ]);
Daniel.carv12
  • 13
  • 3
  • You didn't parameterize it... compare `:username,$hashed_password, :PhoneNumber` with `:username,:password, :PhoneNumber` – user3783243 Mar 30 '20 at 19:50

1 Answers1

5

1:

 $hashed_password = password_hash($hashed_password, PASSWORD_DEFAULT);

You are hashing an empty string.

You should be hashing the variable containing the password: 

 $hashed_password = password_hash($_POST['password'], PASSWORD_DEFAULT);

2:

Your SQL query should not contain any variables, this is bad practise and potentially unsafe (for other non-hashed variables).

VALUES (:fname, :lname, :Email, :username,$hashed_password, :PhoneNumber)

But you have $hashed_password as a hardcoded variable. This is incorrect on a syntax level and will cause SQL errors as it's not encased in quotes.

You need to set this value in the ->execute as you do with all the other variables:

    $query = $con-> prepare("
    INSERT INTO Users (fName, lName,Email, username, pass_word,PhoneNumber)
    VALUES (:fname, :lname, :Email, :username, :pwd, :PhoneNumber)

    ");
$success = $query-> execute ([
        'fname' => $fname,
        'lname' => $lname,
        'Email' => $Email,
        'username' => $username,
        'pwd' => $hashed_password,
        'PhoneNumber' => $PhoneNumber
    ]);

SECURITY NOTES:

A:

You are not setting a cost value on your PASSWORD_DEFAULT (at time of writing this is BCRYPT) hashing mechanism. It is STRONGLY ENCOURAGED that you set this cost value to as high as possible, rather than the default of 10.

I would suggest setting the cost value to at least 15, and reading the PHP Manual Page, which also sets out how to find the ideal cost value of your server. 

 $hashed_password = password_hash($password, PASSWORD_BCRYPT, ['cost' => 15]);

B:

I would also highly recommend using one of the ARGON password hashing mechanisms. You will need to recompile PHP with this enabled. I'm sure this will be made easier in coming PHP versions.

C:

I would also highly recommend ensuring your MySQL collations and character sets are UTF8mb4_ prefixed unicode: UTF8mb4_unicode_ci with respect to your password storage column/table (Also ensure your column is long enough*).

* that's what she said!

Martin
  • 22,212
  • 11
  • 70
  • 132
  • 1
    Putting `$hashed_password` into the SQL string wouldn't work anyway, because it's not inside single-quotes as an SQL string literal. But no risk of SQL injection, since the hashing will not return a string with anything besides hex digits. – Bill Karwin Mar 30 '20 at 20:08
  • @BillKarwin I have updated point 3 and referenced your comment, thanks `:-)` – Martin Mar 30 '20 at 20:11
  • thank you this helps a lot, yes it was a typo where i have just password without the @. Thank you for the security suggestions, I will definitely be taking the advice to make my page more secure. – Daniel.carv12 Mar 30 '20 at 20:17
  • @Daniel.carv12 I have updated your question and my answer. Happy to help, cheers! – Martin Mar 30 '20 at 20:20
  • i made all the changes but i am still having the same issue where nothing is uploaded to the database. I updated the question with my new code. Thank you. – Daniel.carv12 Mar 30 '20 at 21:03
  • @Daniel.carv12 what does your PHP error log tell you? – Martin Mar 30 '20 at 21:05
  • @Daniel.carv12 https://stackoverflow.com/questions/5127838/where-does-php-store-the-error-log-php5-apache-fastcgi-cpanel – Martin Mar 30 '20 at 21:07
  • it doesnt have any errors, only has warnings but none about the password – Daniel.carv12 Mar 30 '20 at 21:23
  • @Daniel.carv12 No MySQL errors at all? Are you sure the `$_POST` data is populated? (try `print_r($_POST)` at the top of the page. Does MySQL insert successfully but it is an empty row? Or does it not insert even an empty row? If there is a missing column (`pass_word` for example) can you tell me which columns are missing? – Martin Mar 30 '20 at 21:29
  • when i dont hash at all it populates all the fields but when i add the hash it doesnt populate any – Daniel.carv12 Mar 30 '20 at 22:00
  • @Daniel.carv12 But you have no errors? You need to turn on MySQL errors maybe; Please give details for the pass_word column, as in its length and collation/character set. – Martin Mar 30 '20 at 22:10
  • sorry for late response i sent you a photo of my pass_word column – Daniel.carv12 Mar 30 '20 at 23:30
  • I managed to get it to work, the problem was in my password field in the database. Thank you so much for your help !!!!!! – Daniel.carv12 Mar 30 '20 at 23:43
  • Yes, your field character length should be a minimum of 72 characters long for BCRYPT hashes, and longer for Argon2I ones (This is stated on the manual page ). Glad you found it `:-)` – Martin Mar 31 '20 at 07:17