
**Warning** Your code has multiple security and usability issues.

Open kamil-tekiela opened this issue 6 years ago • 5 comments

Your coding example has many serious issues, and yet it has come up for me in Google search as one of the top results. Could you please either rewrite the code or take it offline, so that new PHP developers don't make the same mistakes?

  1. You are wide open to SQL injections and should really use parameterized prepared statements instead of manually building your queries. They are provided by PDO or by MySQLi. Never trust any kind of input, especially that which comes from the client side. Even when your queries are executed only by trusted users, you are still at risk of corrupting your data.
  2. Never store passwords in clear text! Only store password hashes. Use PHP's password_hash() and password_verify(). If you're running a PHP version lower than 5.5 (which I really hope you aren't), you can use the password_compat library to get the same functionality.
  3. Use utf8mb4 for your DB encoding, rather than latin1. In this day and age users should be able to use the full range of Unicode characters in their usernames.
  4. Don't strip off users' passwords before entering them into the DB. In fact, don't execute htmlspecialchars on the data being entered into the DB. The whole purpose of this function is to sanitize data being displayed in HTML!
  5. base64_encode is not a hashing mechanism. It should never be used in connection with passwords! It makes no difference whether you do or not, because everyone knows either way that you have used 12345 in your example script.
  6. Don't kill your script with die() unless you really, really must! This should only be used if the rest of the script should not be executed, not as a control flow mechanism.

kamil-tekiela avatar Mar 11 '19 22:03 kamil-tekiela
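An added example, not code from the repository or from the commenter, showing one way to apply the six points above in a small signup/login handler: PDO prepared statements with bound parameters, a utf8mb4 connection charset, password_hash()/password_verify() instead of plain text or base64, htmlspecialchars() applied only at HTML output time, and exceptions and return values instead of die(). The table name and columns, the DSN and the credential constants are assumptions for the example; the JSON response shape mirrors the one quoted later in this thread.

```php
<?php
// Added example (not the repository's code). Assumes a table such as
//   CREATE TABLE users (id INT AUTO_INCREMENT PRIMARY KEY,
//                       username VARCHAR(64) NOT NULL UNIQUE,
//                       password_hash VARCHAR(255) NOT NULL)
//   CHARACTER SET utf8mb4;
// DB_DSN, DB_USER and DB_PASS below are placeholders, not real credentials.
declare(strict_types=1);

const DB_DSN  = 'mysql:host=localhost;dbname=app;charset=utf8mb4'; // utf8mb4, not latin1
const DB_USER = 'app_user';   // placeholder
const DB_PASS = 'change-me';  // placeholder

function connect(): PDO
{
    // Errors become exceptions; the caller decides how to respond, no die().
    return new PDO(DB_DSN, DB_USER, DB_PASS, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepared statements
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

/** Returns ['status' => bool, 'message' => string]; never echoes or exits. */
function signup(PDO $db, string $username, string $password): array
{
    if ($username === '' || $password === '') {
        return ['status' => false, 'message' => 'Username and password are required'];
    }
    // Only a salted, slow hash is stored; the raw password is neither written
    // nor passed through htmlspecialchars().
    $hash = password_hash($password, PASSWORD_DEFAULT);
    try {
        $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
        $stmt->execute([':u' => $username, ':h' => $hash]);
    } catch (PDOException $e) {
        // MySQL error 1062 = duplicate key: let the UNIQUE index enforce uniqueness
        // instead of a racy SELECT-then-INSERT.
        if ((int) ($e->errorInfo[1] ?? 0) === 1062) {
            return ['status' => false, 'message' => 'Username already exists'];
        }
        throw $e;
    }
    return ['status' => true, 'message' => 'User created'];
}

function login(PDO $db, string $username, string $password): array
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch();
    // One message for "no such user" and "wrong password" so the API does not
    // reveal which usernames exist.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return ['status' => false, 'message' => 'Invalid username or password'];
    }
    // Upgrade stored hashes transparently when PASSWORD_DEFAULT or its cost changes.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return ['status' => true, 'message' => 'Login successful'];
}

// Escaping belongs at output time, in the context the value is rendered in.
function render_greeting(string $username): string
{
    return '<p>Welcome, ' . htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Request handling for a JSON API: the POST values are passed as-is to the
// prepared statements, which handle quoting; the application never builds SQL strings.
if (PHP_SAPI !== 'cli' && isset($_POST['action'])) {
    $db = connect();
    $u = (string) ($_POST['username'] ?? '');
    $p = (string) ($_POST['password'] ?? '');
    $result = $_POST['action'] === 'signup' ? signup($db, $u, $p) : login($db, $u, $p);
    header('Content-Type: application/json');
    echo json_encode($result);
}
```

Two design choices worth noting: disabling PDO::ATTR_EMULATE_PREPARES makes the driver send query and parameters separately to the server, so there is no client-side string assembly at all; and relying on the UNIQUE index for the duplicate-username check avoids the race between a SELECT and the following INSERT that a check-then-insert pattern has.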

I'm not having any error but it's displaying this message "{"status":false,"message":"Username already exists!"}"

keaikitse avatar Apr 03 '19 12:04 keaikitse

Try MD5 for storing password (hash). It works in all PHP, MySQL

Vedprakash19 avatar Mar 27 '20 13:03 Vedprakash19

@Vedprakash19 "Try MD5 for storing password ( hash )". No! Please do not use MD5 for hashing password.

kamil-tekiela avatar Mar 27 '20 14:03 kamil-tekiela

Why no MD5?

Vedprakash19 avatar Mar 27 '20 14:03 Vedprakash19

@Vedprakash19 Because it is not much better than plain text passwords. You can Google that https://www.google.com/search?q=md5+for+passwords&rlz=1C1CHBF_enIE798IE798&oq=md5+for+passwords&aqs=chrome..69i57.3047j0j1&sourceid=chrome&ie=UTF-8

Why would you want to use MD5 if you have proper PHP functions for password hashing: password_hash()

kamil-tekiela avatar Mar 27 '20 14:03 kamil-tekiela
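An added example, not part of the thread, that makes the "not much better than plain text" point concrete by comparing the two properties that matter for password storage: md5() is unsalted and deterministic, so every user with the same password ends up with the same digest and one precomputed table breaks all of them, and it is designed to be fast, so guessing is cheap; password_hash() salts each hash and has a tunable work factor. The sample password and the iteration count are constructed for the demonstration.

```php
<?php
// Added example (not the repository's code): md5() versus password_hash() for passwords.
declare(strict_types=1);

$password = '12345'; // constructed sample value, the one the issue mentions

// Property 1: salting. md5() of the same input is always the same digest, so a
// leaked table of md5 hashes can be matched against a precomputed list once for
// all users. password_hash() draws a random salt per call, so two users with the
// same password get different hashes and each must be attacked separately.
$md5Same   = md5($password) === md5($password);                 // true: deterministic
$h1        = password_hash($password, PASSWORD_DEFAULT);
$h2        = password_hash($password, PASSWORD_DEFAULT);
$hashSame  = $h1 === $h2;                                       // false: per-hash salt
$bothValid = password_verify($password, $h1) && password_verify($password, $h2);

// Property 2: cost. md5() is built for speed; password_hash() is built to be slow
// and lets you raise the cost as hardware improves. Measure both on this machine.
$iterations = 10000;
$t0 = hrtime(true);
for ($i = 0; $i < $iterations; $i++) {
    md5($password . $i);
}
$md5PerHashNs = (hrtime(true) - $t0) / $iterations;

$t0 = hrtime(true);
password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$bcrypt10Ns = hrtime(true) - $t0;

$t0 = hrtime(true);
password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]); // each +1 doubles the work
$bcrypt12Ns = hrtime(true) - $t0;

// A stored hash carries its algorithm and cost, so old hashes can be detected and
// upgraded at the next successful login via password_needs_rehash().
$info       = password_get_info($h1);
$needsUpg   = password_needs_rehash($h1, PASSWORD_BCRYPT, ['cost' => 12]);

printf("md5 deterministic: %s, password_hash deterministic: %s, both verify: %s\n",
    var_export($md5Same, true), var_export($hashSame, true), var_export($bothValid, true));
printf("md5: %.0f ns per hash; bcrypt cost 10: %.1f ms; bcrypt cost 12: %.1f ms\n",
    $md5PerHashNs, $bcrypt10Ns / 1e6, $bcrypt12Ns / 1e6);
printf("stored hash uses %s with options %s; needs rehash at cost 12: %s\n",
    $info['algoName'], json_encode($info['options']), var_export($needsUpg, true));
```

Run it from the command line; the absolute timings depend on the machine, but the ratio between a single md5() call and a single bcrypt hash is what makes offline guessing against md5 digests so cheap. The upgrade path shown at the end is why password_hash() is also the more maintainable choice: the cost is stored with the hash and can be raised later without a migration.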