User Registration

Overview

User registration is the process of creating a new user account in the system. The server receives the user’s information, validates it, hashes the password, and stores the account in the database.

The key steps are:

User fills out a registration form.
Server validates the input data.
Server hashes the password.
Server stores the user in the database.
User is redirected to the login page.

Registration Form

A typical registration form collects the following fields:

First Name and Last Name for personalization.
Username as an alternative login identifier.
Email as the primary identifier and for communication.
Password as the authentication credential.
Confirm Password to prevent typos.

Both email and username are collected so users can log in with either. The email serves for communication, while the username provides privacy by not exposing the email publicly.

Validation Rules

Server-side validation is critical. Never trust client-side validation alone, as users can bypass JavaScript validation easily.

Validation	Purpose
Required fields	Ensure data completeness
Email format	Must be valid email syntax
Email uniqueness	Prevent duplicate accounts
Username uniqueness	Prevent duplicate identifiers
Password length	Minimum 8 characters for security
Password complexity	Require numbers/special characters
Password match	Confirm password typed correctly

Password Security

The Problem

Storing passwords in plain text is one of the most dangerous mistakes in web development. If the database is compromised, an attacker immediately sees every password in the system. Users who reuse passwords across services are then compromised everywhere.

The Solution: Password Hashing

Hashing is a one-way mathematical function that converts passwords into unreadable fixed-length strings. PHP provides two functions for this:

password_hash($password, PASSWORD_DEFAULT) converts a plain-text password into a hash for storage.
password_verify($plainPassword, $storedHash) checks whether a plain-text password matches a stored hash.

Key properties of hashing:

It is one-way: you cannot reverse a hash back to the original password.
Each hash is unique because PHP automatically adds a random salt.
It is intentionally slow to prevent brute-force attacks.
PHP upgrades to stronger algorithms automatically when you use PASSWORD_DEFAULT.

For example, the password "myPassword123" might produce a hash like $2y$10$92IXUNpkjO0rOQ5byMi.Ye4oKoEa3Ro9llC/.og/at2.uheWG/igi. The original password is never stored anywhere.

Registration Flow

┌─────────────────┐
│  User fills     │
│  registration   │
│  form           │
└────────┬────────┘
         │
         ▼
┌─────────────────┐
│  Validate input │
│  - Required?    │
│  - Valid email?  │
│  - Unique?      │
│  - Strong pwd?  │
└────────┬────────┘
         │
    ┌────┴────┐
    │         │
    ▼         ▼
  Valid    Invalid
    │         │
    │         └──> Show errors,
    │              redirect back to registration form
    │
    ▼
┌─────────────────┐
│  Hash password  │
│  using bcrypt   │
└────────┬────────┘
         │
         ▼
┌─────────────────┐
│  INSERT into    │
│  users table    │
└────────┬────────┘
         │
         ▼
┌─────────────────┐
│  Redirect to    │
│  /login         │
└─────────────────┘

Database Schema

The users table needs to store identity, authentication, and authorization data:

id (INT, Primary Key, Auto-Increment)
first_name, last_name (VARCHAR) for the user’s name
username (VARCHAR, UNIQUE) for login
email (VARCHAR, UNIQUE) for login and communication
password_hash (VARCHAR 255) for the bcrypt hash
role (ENUM: ‘admin’, ‘customer’) for authorization
created_at, updated_at (DATETIME) for audit timestamps

The UNIQUE constraints on email and username prevent duplicate accounts. The password_hash column uses VARCHAR(255) because bcrypt produces hashes of about 60 characters, but 255 provides room for future algorithm upgrades.