
I am making a register script that lets a user register for an account on a website. I decided to use sha256 to encrypt the password.

Here is my code:

<?php
// Set error message as blank upon arrival to page
$errorMsg = "";
// First we check to see if the form has been submitted
if (isset($_POST['Submit'])) {
    // Connect to the database through our include
    require_once ('includes/connect.inc.php');
    // Filter the posted variables
    $forename = $_POST['forename'];
    $surname = $_POST['surname'];
    $email = stripslashes($_POST['email']);
    // filter everything but numbers and letters
    // (the pattern needs delimiters; without them PCRE reads the outer [ ] as
    // the delimiters and the filter strips nothing)
    $password = preg_replace("/[^A-Za-z0-9]/", "", $_POST['password']);
    $email = strip_tags($email);
    // filter everything but spaces, numbers, and letters
    $town = preg_replace("/[^A-Z a-z0-9]/", "", $_POST['town']);

    // Check to see if the user filled all fields with
    // the "Required"(*) symbol next to them in the join form
    // and print out to them what they have forgotten to put in
    if ((!$forename) || (!$surname) || (!$email) || (!$password) || (!$town)) {

        $errorMsg = "You did not submit the following required information!<br /><br />";
        // separate ifs, so every missing field is listed rather than only the first
        if (!$forename) {
            $errorMsg .= "--- Forename";
        }
        if (!$surname) {
            $errorMsg .= "--- Surname";
        }
        if (!$email) {
            $errorMsg .= "--- email";
        }
        if (!$password) {
            $errorMsg .= "--- password";
        }
        if (!$town) {
            $errorMsg .= "--- town";
        }
    } else {

        $hash = hash("sha256", $password);

        $sql = "INSERT INTO customers (forename, surname, email, password, town, registeredDate, active)
                VALUES('$forename','$surname','$email', '$hash', '$town', GETDATE(), 'True')";
        $stmt2 = sqlsrv_query($conn, $sql);
        // sqlsrv_query() returns false on failure and prints nothing by itself,
        // so an unchecked failed INSERT looks like "nothing happens"
        if ($stmt2 === false) {
            $errorMsg = "Insert failed: " . print_r(sqlsrv_errors(), true);
        }

    } // Close else after missing vars check
} // Close if $_POST
?>

<form action="join_form.php" method="post" enctype="multipart/form-data">
  <table>
    <tr>
      <td colspan="2"><font color="#FF0000"><?php echo $errorMsg; ?></font></td>
    </tr>

    <tr>
      <td width="163"><div align="right">Forename:</div></td>
      <td width="409"><input name="forename" type="text" /></td>
    </tr>

    <tr>
      <td width="163"><div align="right">Surname:</div></td>
      <td width="409"><input name="surname" type="text" /></td>
    </tr>

    <tr>
      <td><div align="right">Email: </div></td>
      <td><input name="email" type="text" /></td>
    </tr>

    <tr>
      <td><div align="right">Password: </div></td>
      <td><input name="password" type="password" />
      <font size="-2" color="#006600">(letters or numbers only, no spaces no symbols)</font></td>
    </tr>

    <tr>
      <td><div align="right">Town: </div></td>
      <td>
        <input name="town" type="text" />
      </td>
    </tr>

    <tr>
      <td><div align="right"></div></td>
      <td><input type="submit" name="Submit" value="Submit Form" /></td>
    </tr>
  </table>
</form>

When I press the Submit button, nothing happens. I don't get an error message, but the record does not get added to the database either.

I know it has something to do with me using

$hash = hash("sha256", $password);

Maybe I put it in the wrong place or something? I am very new to PHP.

Alex

  • Not again... Don't use SHA for passwords. http://stackoverflow.com/a/10471744/34397 – SLaks May 06 '12 at 16:10
  • and **NEVER _restrict characters allowed in passwords_!** And especially never do that silently. – SLaks May 06 '12 at 16:10
  • You have a SQL injection vulnerability. – SLaks May 06 '12 at 16:12
  • I know this script is not perfect and has many flaws. I am doing it for a uni project and unfortunately I am forced to use sha256 for the password. I am just trying to get it to work first and then I will fix other things like SQL injection etc. – Alex May 06 '12 at 16:15
  • Can you switch to a university that doesn't force you to create security issues? (explain to whoever gave that requirement how stupid it is) – SLaks May 06 '12 at 16:16
  • And, whatever you do, _get rid of that evil `preg_replace`_. You're silently _penalizing_ secure passwords. – SLaks May 06 '12 at 16:16
  • If your uni professor lets SQL injection pass as "working", I'm so sorry – Cory Carson May 06 '12 at 16:19
  • No, I can't do that, I'm sorry. Can you see why sha256 encryption doesn't work in my register script? Maybe I put it in the wrong place. I am very new to PHP. Thanks. I am just trying to get sha256 to work with my password, that's all. Once I get it to work I will fix the other things you mentioned. – Alex May 06 '12 at 16:19
  • No; I don't know PHP very well. – SLaks May 06 '12 at 16:22
  • In addition, calling strip_tags on the email address will actually mangle known good email addresses. You're using a string type in your database to store a Boolean/bit value. You're also using timezone-dependent datetimes in your database. – Cory Carson May 06 '12 at 16:47
  • The use of stripslashes on input indicates magic quotes are enabled. Note this feature was removed as of PHP 5.4: it may work on your machine but fail on the machine of whoever is grading you. – Cory Carson May 06 '12 at 17:04
  • @SLaks, preg_replace on the password is better than that: it's silently *changing* the user's password without telling them. You can register but never log in! – Cory Carson May 06 '12 at 17:14
  • Thanks for all your help. But any ideas why I can't insert a record in the database? Maybe my insert query is not right? Thanks – Alex May 06 '12 at 17:33
  • @CoryCarson: Hopefully, there is a similar replace in the login page. – SLaks May 06 '12 at 17:39
  • Lots of comments but no actual answer. Have you looked at the database logs? Is there anything indicating that the INSERT is reached or the INSERT gets executed? Does the INSERT work with constant values? Are the values compatible with the column types? Blaming this on the hash function sounds a bit premature to me. – Maarten Bodewes May 07 '12 at 21:43
  • I managed to fix the problem. It all works now – Alex May 07 '12 at 21:50
  • Could you post the answer please, Alex? You may accept it after a while as well. Thanks for reporting back! – Maarten Bodewes May 07 '12 at 23:18
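Maarten's diagnostic questions (is the INSERT reached, does it fail, are the values compatible with the columns) are answered by looking at what `sqlsrv_query()` returns: it yields `false` on failure and prints nothing, so an unchecked failure is exactly "nothing happens". The following is an added example, not the asker's code: a small wrapper that throws with the driver's `sqlsrv_errors()` detail when a statement fails, and the question's INSERT rewritten with `?` placeholders so that field values are sent as data and can never alter the SQL text (SLaks' injection point). It assumes `$conn` is the open sqlsrv connection from `includes/connect.inc.php` and the `customers` columns used in the question; `run_query` and `insert_customer` are names chosen here.

```php
<?php
// Added example, not the asker's code. Assumes $conn is the open sqlsrv
// connection created by includes/connect.inc.php and that `customers` has
// the columns used in the question's INSERT.

/**
 * Run a parameterised statement and throw on failure. sqlsrv_query() returns
 * false without printing anything, which is why a failed INSERT looks like
 * "nothing happens" unless the return value is checked.
 */
function run_query($conn, string $sql, array $params = [])
{
    $stmt = sqlsrv_query($conn, $sql, $params);
    if ($stmt === false) {
        $details = [];
        foreach ((array) sqlsrv_errors(SQLSRV_ERR_ERRORS) as $err) {
            $details[] = sprintf('[%s] %s: %s', $err['SQLSTATE'], $err['code'], trim($err['message']));
        }
        throw new RuntimeException('Query failed: ' . implode('; ', $details));
    }
    return $stmt;
}

/**
 * The question's INSERT with placeholders. The driver sends the values
 * separately from the SQL text, so a surname like O'Brien or a crafted
 * string in any field is stored as data and cannot change the statement.
 * Returns the number of rows inserted (1 on success).
 */
function insert_customer($conn, string $forename, string $surname, string $email,
                         string $passwordHash, string $town): int
{
    $sql = 'INSERT INTO customers (forename, surname, email, password, town, registeredDate, active)
            VALUES (?, ?, ?, ?, ?, GETDATE(), ?)';
    $stmt = run_query($conn, $sql, [$forename, $surname, $email, $passwordHash, $town, 'True']);
    $rows = sqlsrv_rows_affected($stmt);
    sqlsrv_free_stmt($stmt);
    return $rows === false ? 0 : $rows;
}

// Usage inside the question's "else" branch, after the required-field check.
// Full driver detail goes to the server log; the browser only gets a generic
// message, so table and column names are not leaked to the user.
try {
    $rows = insert_customer($conn, $forename, $surname, $email, $hash, $town);
    if ($rows !== 1) {
        $errorMsg = 'Registration could not be completed.';
    }
} catch (RuntimeException $e) {
    error_log($e->getMessage());
    $errorMsg = 'Registration could not be completed.';
}
?>
```

With the return value checked, a type mismatch (for example the string `'True'` going into a column that does not accept it) or a connection problem shows up in the server log as a SQLSTATE and message instead of a blank page, which is the first thing to look at before suspecting the hash call.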

1 Answer

I changed my code entirely and used params in order to add a record to the database

<?php
require_once ('includes/connect.inc.php');

// isset() first, so a plain GET of this page does not raise an undefined-index notice
if (isset($_POST['Register']) && $_POST['Register'] == "register")
{
 // Refuse to register an email address that already has an account
 $params = array($_POST['email']);

 $sql = "SELECT * FROM customers WHERE Email=?";
 $stmt = sqlsrv_query($conn, $sql, $params);

 if ($stmt === false)
 {
  die(print_r(sqlsrv_errors(), true));
 }

 if (sqlsrv_has_rows($stmt))
 {
  // echo "<h2>You have already signed up with this email</h2>";
  header('Location: register_login_forms.php?error=2');
  die();
 } else if ($_POST['password'] != $_POST['password2'])
 {
  // echo "<h2>Wrong Password</h2>";
  header('Location: register_login_forms.php?error=3');
  die();
 }

 $pass = hash("sha256", $_POST['password']);

 $params = array($_POST['forename'], $_POST['surname'], $_POST['email'], $pass,
  $_POST['phone'], $_POST['question'], $_POST['answer']);

 $sql = "INSERT INTO customers (forename, surname, email, password, phone, secret_question, secret_answer, active, registeredDate)
 VALUES (?,?,?,?,?,?,?,'True',GETDATE())";
 $stmt = sqlsrv_query($conn, $sql, $params);

 // check the INSERT as well; a silent false here is the original symptom
 if ($stmt === false)
 {
  die(print_r(sqlsrv_errors(), true));
 }

 header('Location: registerSuccess.php');
 exit;
}

?>

And here is the form

<form name="Register" action="register.php" method="POST">

    <label>Forename</label><br />
    <input required title="Please only use Letters" type="text" pattern="\s*[A-Za-z]+\s*" name="forename" /><br />
    <label>Surname</label><br />
    <input required title="Please only use Letters" type="text" pattern="\s*[A-Za-z]+\s*" name="surname" /><br />
    <label>Email</label><br />
    <input required title="Please enter a Valid Email Address" type="email" name="email" /><br />
    <label>Password</label><br />
    <input required title="Please have a Password of Minimum of 6 Characters with Numbers" type="password" pattern="[A-Za-z0-9]{6,20}" name="password" /><br />
    <label>Confirm Password</label><br />
    <input required title="Confirm Password" type="password" pattern="[A-Za-z0-9]{6,20}" name="password2" /><br />
    <label>Secret Question</label><br />
    <input required type="text" name="question" /><br />
    <label>Secret Answer</label><br />
    <input required type="text" name="answer" /><br />
    <label>Phone Number</label><br />
    <input required title="Please only use numbers" type="text" pattern="\d+" name="phone" /><br />

    <input type="hidden" name="Register" value="register">
    <input class="button" type="submit" />

</form>
Alex

  • You should not use plain SHA-256 as a password hash. Use a slow key derivation function, such as bcrypt together with a salt. Check http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html for background info. – CodesInChaos May 13 '12 at 16:21
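CodesInChaos' comment (slow, salted KDF rather than a bare SHA-256 digest) and Cory Carson's earlier point (a filter that silently alters the password means the stored hash never matches what is typed at login) are both about handling the password itself. The following is an added example, not the answerer's code: registration and login built on PHP's `password_hash()`/`password_verify()` (bcrypt, with the salt and cost embedded in the stored string), using the same parameterised sqlsrv calls as the answer, plus a small function that shows why stripping characters before hashing breaks login. It assumes an open sqlsrv `$conn`, a `customers.password` column wide enough for a 60-character bcrypt string, and only the columns named in the answer; `store_password`, `check_password`, `register`, `login` and `filter_breaks_login` are names chosen here.

```php
<?php
// Added example, not the answerer's code. Assumes an open sqlsrv $conn and a
// `customers` table whose `password` column holds at least 60 characters.

const BCRYPT_COST = 12; // roughly 100 ms per guess on commodity hardware; raise as hardware improves

// Registration side: hash the password exactly as typed, nothing stripped.
// bcrypt generates a random 16-byte salt and records it and the cost in the
// returned string, so no separate salt column is needed.
function store_password(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Login side: constant-time comparison against the stored string. Returns
// [ok, newHashOrNull]; newHash is set when the stored parameters are weaker
// than the current policy (e.g. after BCRYPT_COST was raised).
function check_password(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }
    $needsRehash = password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    return [true, $needsRehash ? store_password($password) : null];
}

function register($conn, string $email, string $password): void
{
    $stmt = sqlsrv_query($conn,
        'INSERT INTO customers (email, password, active, registeredDate) VALUES (?, ?, ?, GETDATE())',
        [$email, store_password($password), 'True']);
    if ($stmt === false) {
        throw new RuntimeException(print_r(sqlsrv_errors(), true));
    }
    sqlsrv_free_stmt($stmt);
}

function login($conn, string $email, string $password): bool
{
    $stmt = sqlsrv_query($conn, 'SELECT password FROM customers WHERE email = ?', [$email]);
    if ($stmt === false) {
        throw new RuntimeException(print_r(sqlsrv_errors(), true));
    }
    $row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC);
    sqlsrv_free_stmt($stmt);

    // Unknown email: verify against a dummy hash anyway, so the response time
    // does not reveal which addresses have accounts.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = store_password('dummy-value-never-accepted');
    }
    $storedHash = is_array($row) ? $row['password'] : $dummy;

    [$ok, $newHash] = check_password($password, $storedHash);
    if (!is_array($row)) {
        return false;
    }
    if ($ok && $newHash !== null) {
        // transparently upgrade the stored hash to the current cost
        sqlsrv_query($conn, 'UPDATE customers SET password = ? WHERE email = ?', [$newHash, $email]);
    }
    return $ok;
}

// Why the question's preg_replace breaks login: registration hashed a mangled
// string, but the login form submits what the user really typed. Any hash
// function behaves this way, SHA-256 included.
function filter_breaks_login(string $typed): bool
{
    $atRegistration = hash('sha256', preg_replace('/[^A-Za-z0-9]/', '', $typed));
    $atLogin        = hash('sha256', $typed);
    return $atRegistration !== $atLogin; // true for 'P@ss!word': 'Password' was hashed instead
}
?>
```

The stored string produced by `password_hash()` already carries the algorithm, cost and salt (`$2y$12$...`), so the login code needs no knowledge of how the hash was made and the cost can be raised later without a migration: `password_needs_rehash()` flags old entries and the next successful login replaces them.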