mysql insert to database Registration Page example?

Question

I am making my first attempts at creating secure logins via php/msql and things are going pretty well. I've been following the tutorial here: http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL and amazingly I've got everything working and relating to my page and database. Going through this code has given me a much better understanding of how it all fits together.

The problem I'm having is, the example registration page they provided isn't very complete, or at least not in a way a newbie like me can wrap my head around. Below is what they posted for their registration page example. Would someone be able to fill it in a bit so I'm less lost? I'm guessing I need to build a form around this so users can make accounts but as for the //add your insert to database script here part and where to pull/place form variables from what they posted, I'm thus far disoriented.

// The hashed password from the form
$password = $_POST['p']; 
// Create a random salt
$random_salt = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true));
// Create salted password (Careful not to over season)
$password = hash('sha512', $password.$random_salt);

// Add your insert to database script here. 
// Make sure you use prepared statements!
if ($insert_stmt = $mysqli->prepare("INSERT INTO members (username, email, password, salt) VALUES (?, ?, ?, ?)")) {    
   $insert_stmt->bind_param('ssss', $username, $email, $password, $random_salt); 
   // Execute the prepared query.
   $insert_stmt->execute();
}

As always, any help is greatly appreciated. Thank you in advance.

Answer 1

Your guess about the form is correct. There is a "NEW ACCOUNT FORM" that asks you a username, email and password. Probably earlier in that php code you should have something like this:

$username = $_POST['username';
$email = $_POST['email'];

This is, retrieve the values from the $_POST array that contains the values submitted in the "NEW ACCOUNT FORM". As for the insert part,

if ($insert_stmt = $mysqli->prepare("INSERT INTO members (username, email, password, salt) VALUES (?, ?, ?, ?)"))

This if condition is true if a valid value is assigned to $insert_stmt, I guess that it would be null if the conection to the database hasn't been established or something like that.

$insert_smtp would have now something as a "template" of the insert query, it is missing the parameters. The "?" symbols, stands for a parameter you would be sending later.

The instruction

$insert_stmt->bind_param('ssss', $username, $email, $password, $random_salt);

will bind the parameters marked "?" in the "template".

The reason for not to putting directly the username , email, password in the INSERT statment is that, they could include SQL statements that may result in an SQL injection attack. By passing the parameters via "bind_param" the function takes care of cleaning the variables before putting them in the insert.

The instruction

$insert_stmt->execute();

Finally executes the query on the database.

Answer 2

iam just modifying the code a little so that you can get it properly

 // The hashed password from the form

 $password = $_POST['p']; 

 // Create a random salt

 $random_salt = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true));

// Create salted password (Careful not to over season)

 $password = hash('sha512', $password.$random_salt);


//insert query to insert values in to the databse table


 $sql = "INSERT INTO members (username, email, password, salt) VALUES($username,$password,, ?)";

 //for executing the query


 mysql_query($sql) or die("!query);