I am trying to create a signup form that allows potential users to input their first and last name, a username and a password. With this password, I want to use PHP's hash function and some "salts" to make the password secure. To do so, I created a function inside my PHP script to save on redundancy. To accomplish this, I changed variables $connection, $iniSalt, and $endSalt to global variables - thinking this would allow me to use them inside the function addUser(). Can someone tell me what I am doing wrong here? Any advice on how to go about this would be greatly appreciated. Here is my code:
global $connection;
$connection = new mysqli($db_host, $user, $pass, $db);
if ($connection->connect_error) {
die($connection->connect_error);
}
$query = "CREATE TABLE users (
firstname VARCHAR(32) NOT NULL,
lastname VARCHAR(32) NOT NULL,
username VARCHAR(32) NOT NULL UNIQUE,
password VARCHAR(32) NOT NULL
)";
$result = $connection->query($query);
if (!$result) {
die($connection->error);
}
global $iniSalt, $endSalt;
$iniSalt = "xb&z*";
$endSalt = "nb!@";
function addUser($conn, $firstname, $lastname, $username, $password) {
$token = hash('ripemd128', "$iniSalt$password$endSalt");
$query = "INSERT INTO users VALUES('$firstname', '$lastname', '$username', $token)";
$result = $connection->query($query);
if (!$result) {
die($connection->error);
}
}
addUser($connection, 'Bill', 'Murray', 'bmurray', 'mysecret');
addUser($connection, 'Jacki', 'Hughes', 'jhughes', 'somepw');
Besides what the other answers say about the placement of global (which I also pointed out in comments):
Sidenote: Consult my footnotes.
The $token variable is a string and it also must be quoted.
$query = "INSERT INTO users VALUES('$firstname', '$lastname', '$username', $token)";
When your query fires up, you will get a syntax error for it.
So, quote the variable:
$query = "INSERT INTO users VALUES('$firstname', '$lastname', '$username', '$token')";
ripemd128 produces a string, not an integer:
ripemd128    32    789d569f08ed7055e94b4289a4195012
Also, if you're planning on going live with this, you'd be better off using password_hash() or the compatibility pack for it. It's much safer.
References: the password_hash() function.
If and when you do decide to use password_hash() or crypt, it is important to note that if your present password column's length is anything lower than 60, it will need to be changed to that (or higher). The manual suggests a length of 255.
You will need to ALTER your column's length and start over with a new hash in order for it to take effect. Otherwise, MySQL will fail silently.
Footnotes:
Read up on variable scope:
If you're looking to protect against SQL injection which is something worthwhile doing, consult the following:
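Putting the points of this answer together, here is an added example (my own code, not the asker's or the answerer's) of addUser() rewritten with password_hash(), a mysqli prepared statement instead of string interpolation, and a 255-character password column, plus a matching login check with password_verify(). It assumes the $db_host, $user, $pass and $db variables from the question and the same users table; the checkLogin() function, the mysqli_report() setting and the duplicate-username handling are my additions.

```php
<?php
// Added example; not code from the original question or answers.
// Assumes $db_host, $user, $pass and $db are defined as in the question.
declare(strict_types=1);

// Make mysqli throw exceptions instead of failing quietly (assumed setting).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$connection = new mysqli($db_host, $user, $pass, $db);
$connection->set_charset('utf8mb4');

// The password column must hold the full password_hash() output;
// 255 leaves room for longer hashes from future PASSWORD_DEFAULT algorithms.
$connection->query("CREATE TABLE IF NOT EXISTS users (
    firstname VARCHAR(32)  NOT NULL,
    lastname  VARCHAR(32)  NOT NULL,
    username  VARCHAR(32)  NOT NULL UNIQUE,
    password  VARCHAR(255) NOT NULL
)");
// If the table already exists as VARCHAR(32), widen it and re-hash every user;
// a truncated hash can never be verified:
// $connection->query("ALTER TABLE users MODIFY password VARCHAR(255) NOT NULL");

function addUser(mysqli $conn, string $firstname, string $lastname,
                 string $username, string $password): bool
{
    // password_hash() generates and embeds its own random salt per password,
    // so the hand-rolled $iniSalt/$endSalt are no longer needed.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Prepared statement: the values travel separately from the SQL text,
    // so quotes or SQL fragments in a name or username cannot alter the query.
    $stmt = $conn->prepare(
        'INSERT INTO users (firstname, lastname, username, password) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('ssss', $firstname, $lastname, $username, $hash);
    try {
        return $stmt->execute();
    } catch (mysqli_sql_exception $e) {
        if ($e->getCode() === 1062) {   // ER_DUP_ENTRY: username already taken
            return false;
        }
        throw $e;
    } finally {
        $stmt->close();
    }
}

function checkLogin(mysqli $conn, string $username, string $password): bool
{
    $stmt = $conn->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // null when no such user
    $stmt->close();

    // Verify against a throwaway hash when the user does not exist, so a
    // missing username takes about as long as a wrong password.
    $hash = $row['password'] ?? password_hash('unused', PASSWORD_DEFAULT);
    $ok = password_verify($password, $hash);
    return $row !== null && $ok;
}

addUser($connection, 'Bill', 'Murray', 'bmurray', 'mysecret');
addUser($connection, 'Jacki', 'Hughes', 'jhughes', 'somepw');
var_dump(checkLogin($connection, 'bmurray', 'mysecret'));
var_dump(checkLogin($connection, 'bmurray', 'wrong'));
var_dump(checkLogin($connection, "x' OR '1'='1", 'anything'));
```

Note that $conn is used inside the function rather than $connection, which is what the original code should have done as well: the connection is already passed in as a parameter, so no global declaration is needed. The last var_dump shows that a username containing SQL syntax is simply looked up as a literal string.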
You need to declare global scope for those variables inside your function:
function addUser($conn, $firstname, $lastname, $username, $password) {
global $connection, $iniSalt, $endSalt;
// Then use those global variables
...
}
Document for global keyword here: http://php.net/manual/en/language.variables.scope.php
That's not how globals work. Put global $connection;
at the top of your addUser()
function to use it in your function.
function addUser($conn, $firstname, $lastname, $username, $password) {
global $connection;
...
}
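As an added illustration of the scope point made in these two answers (my own code, not taken from the question or the answers), the script below computes the question's salted token three ways: without global, as the question does, so that $iniSalt and $endSalt are undefined inside the function and the hash silently covers only the bare password; with global; and with the salts passed in as arguments, which is what the function already does for $conn.

```php
<?php
// Added example; not code from the original question or answers.
// Shows why the question's addUser() hashed with empty salts.

$iniSalt = "xb&z*";
$endSalt = "nb!@";

// 1. As written in the question: no `global`, so $iniSalt and $endSalt are
//    undefined local variables. PHP emits a notice/warning and interpolates
//    them as "", so the token is the hash of the password alone.
function tokenNoGlobal(string $password): string
{
    return hash('ripemd128', "$iniSalt$password$endSalt");
}

// 2. With `global`, the function reads the script-level variables.
function tokenWithGlobal(string $password): string
{
    global $iniSalt, $endSalt;
    return hash('ripemd128', "$iniSalt$password$endSalt");
}

// 3. Passing the salts in, like $conn already is, avoids globals entirely
//    and makes the function's inputs explicit.
function tokenWithArgs(string $iniSalt, string $endSalt, string $password): string
{
    return hash('ripemd128', "$iniSalt$password$endSalt");
}

$pw = 'mysecret';
// The unsalted variant equals a plain hash of the password: the salts never reached it.
var_dump(tokenNoGlobal($pw) === hash('ripemd128', $pw));
// The other two variants agree with each other and do include the salts.
var_dump(tokenWithGlobal($pw) === tokenWithArgs($iniSalt, $endSalt, $pw));
var_dump(tokenWithGlobal($pw) === tokenNoGlobal($pw));
```

The first comparison is the security-relevant one: the original script would not have errored on the hash line, it would just have stored unsalted RIPEMD-128 digests, which is why the other answer's recommendation to use password_hash() (which salts internally) is the better fix than repairing the global declaration.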