**Warning** Your code has multiple security and usability issues. #1
Comments
I'm not having any error, but it's displaying this message: `{"status":false,"message":"Username already exists!"}`

Try MD5 for storing password (hash). It works in all PHP, MySQL.

@Vedprakash19 "Try MD5 for storing password (hash)". No! Please do not use MD5 for hashing passwords.
Why no MD5?

> From: Kamil Tekiela, Friday, March 27, 2020 7:41:57 PM
> @Vedprakash19 "Try MD5 for storing password (hash)". No! Please do not use MD5 for hashing passwords.
@Vedprakash19 Because it is not much better than plain text passwords. You can Google that https://www.google.com/search?q=md5+for+passwords&rlz=1C1CHBF_enIE798IE798&oq=md5+for+passwords&aqs=chrome..69i57.3047j0j1&sourceid=chrome&ie=UTF-8 Why would you want to use MD5 if you have proper PHP functions for password hashing:

Your coding example has many serious issues, and yet it has come up for me in Google search as one of the top results. Could you please either rewrite the code or take it offline, so that new PHP developers don't make the same mistakes?
- Use `password_hash()` and `password_verify()`. If you're running a PHP version lower than 5.5 (which I really hope you aren't), you can use the password_compat library to get the same functionality.
- Don't use `htmlspecialchars` on the data being entered into DB. The whole purpose of this function is to sanitize data being displayed in HTML!
- `base64_encode` is not a hashing mechanism. It should never be used in connection with passwords! It makes no difference whether you do or not, because everyone knows either way that you have used 12345 in your example script.
- Don't use `die()` unless you really, really must! This should only be used if the rest of the script should not be executed, not as a control flow mechanism.
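As an added illustration of the four points above and of the MD5 discussion in the comments (this is example code written for this page, not the repository's own signup/login API), the following script places the weak patterns next to their corrected forms: `password_hash()`/`password_verify()` instead of `md5()`/`base64_encode()`, `htmlspecialchars` moved from the database write to the HTML output, a prepared statement for the query, and a returned result array in place of `die()`. The PDO connection, the in-memory SQLite database, the `users` table with its `username` and `password_hash` columns, and the sample credentials are all assumptions made for the demo.

```php
<?php
// Added example, not the project's code. The users table, its columns and the
// SQLite in-memory database (assumed available via PDO) are demo assumptions.
declare(strict_types=1);

// ---- The patterns the issue warns against -------------------------------

function storePasswordWeak(string $password): string
{
    // base64_encode is reversible encoding, not hashing: base64_decode() gives
    // the md5 digest straight back. md5() is unsalted and fast, so the digest
    // is trivially cracked with precomputed tables or GPU brute force.
    return base64_encode(md5($password));
}

function sanitizeForDbWeak(string $username): string
{
    // htmlspecialchars belongs at output time. Applied here it stores "&amp;"
    // instead of "&" and offers no protection against SQL injection.
    return htmlspecialchars($username);
}

// ---- Corrected versions --------------------------------------------------

function registerUser(PDO $db, string $username, string $password): array
{
    // Store the raw username; escape it only when rendering it into HTML.
    // The prepared statement keeps user input out of the SQL text.
    $stmt = $db->prepare('SELECT 1 FROM users WHERE username = ?');
    $stmt->execute([$username]);
    if ($stmt->fetchColumn() !== false) {
        // Return a result instead of die(): the caller decides what to send.
        return ['status' => false, 'message' => 'Username already exists!'];
    }

    // password_hash() chooses a random salt and a slow algorithm (bcrypt by
    // default); salt, algorithm and cost are all stored inside the string.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
    return ['status' => true, 'message' => 'User registered'];
}

function loginUser(PDO $db, string $username, string $password): array
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();

    // password_verify() re-derives the hash with the stored salt and cost and
    // compares in constant time; a fresh md5() compared with == would not.
    if ($hash === false || !password_verify($password, $hash)) {
        return ['status' => false, 'message' => 'Invalid username or password'];
    }

    // If PASSWORD_DEFAULT or its cost has changed since the hash was created,
    // upgrade the stored hash transparently on a successful login.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $stmt = $db->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
        $stmt->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return ['status' => true, 'message' => 'Login successful'];
}

// ---- Self-contained demo ------------------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');

// Constructed sample credentials for the demo.
$user = 'alice&bob';
$pass = 'correct horse battery staple';

$weak = storePasswordWeak($pass);
$reversible = base64_decode($weak) === md5($pass) ? 'yes' : 'no';
echo "Weak storage: {$weak} (decodes back to the md5 digest: {$reversible})\n";
echo 'Weak sanitizing would store ', sanitizeForDbWeak($user), ' instead of ', $user, "\n";

echo json_encode(registerUser($db, $user, $pass)), "\n";
echo json_encode(registerUser($db, $user, $pass)), "\n";   // second attempt: duplicate username
echo json_encode(loginUser($db, $user, $pass)), "\n";
echo json_encode(loginUser($db, $user, 'wrong password')), "\n";

// Output time is where htmlspecialchars belongs.
echo '<p>Welcome, ', htmlspecialchars($user, ENT_QUOTES, 'UTF-8'), "</p>\n";
```

Running it twice through `registerUser()` reproduces the `{"status":false,"message":"Username already exists!"}` response from the first comment, which is the API's intended behaviour rather than an error. Note that the corrected code never stores `htmlspecialchars($user)`: the `&` in the username survives in the database and is escaped only in the final `echo`.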