This repository has been archived by the owner on Apr 8, 2023. It is now read-only.
"Okay, let's start again. You're running strip_tags() on the input password which has absolutely no purpose. Should a user choose a password such as , their password will be an empty string and anyone can log into their account without a password."
You actually don't need any sanitisation on the input for the password, so long as one exists and meets some validation criteria if applicable, like >= 8 characters, at least one uppercase, at least one digit, at least one symbol not in A-Z, a-z, 0-9.
After that, you have a hash, which is fine. Use bcrypt instead of md5. The code will need significant clean up for PHP 7 and explicitly support it, without backwards compatibility for PHP 5. There's no good reason to keep it stuck with PHP 5.
You need sanitisation and additional checks when any untrusted input goes into the database.
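As an added illustration (not code from this repository or from the commenter above), the following PHP 7 snippet places the criticised pattern, `strip_tags()` followed by `md5()`, next to a hardened version that validates the password and hashes it with bcrypt via `password_hash()`. The function names, the in-memory `$users` array and the sample password values are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not from the original issue. $users is an in-memory
// stand-in for the users table; function names are illustrative.

// --- Vulnerable pattern: strip_tags() runs before hashing --------------------
function register_vulnerable(array &$users, string $name, string $password): void
{
    // A password consisting only of an HTML tag is reduced to '' by
    // strip_tags(), so the stored value is md5('').
    $users[$name] = md5(strip_tags($password));
}

function login_vulnerable(array $users, string $name, string $password): bool
{
    // Submitting an empty password now matches the stored md5('').
    return isset($users[$name]) && $users[$name] === md5(strip_tags($password));
}

// --- Hardened pattern: validate, then bcrypt the raw password -----------------
function validate_password(string $password): bool
{
    // >= 8 characters, one uppercase, one digit, one symbol outside A-Z a-z 0-9
    return strlen($password) >= 8
        && preg_match('/[A-Z]/', $password) === 1
        && preg_match('/[0-9]/', $password) === 1
        && preg_match('/[^A-Za-z0-9]/', $password) === 1;
}

function register_secure(array &$users, string $name, string $password): void
{
    if (!validate_password($password)) {
        throw new InvalidArgumentException('password does not meet policy');
    }
    // No sanitisation: the password is never echoed or interpolated into SQL,
    // so '<' is simply part of the secret. bcrypt salts each hash itself.
    $users[$name] = password_hash($password, PASSWORD_BCRYPT);
}

function login_secure(array $users, string $name, string $password): bool
{
    static $dummy = null;
    if ($dummy === null) {
        // Computed once; verified against for unknown users so that the
        // response time does not reveal whether the account exists.
        $dummy = password_hash('dummy-password', PASSWORD_BCRYPT);
    }
    if (!isset($users[$name])) {
        password_verify($password, $dummy);
        return false;
    }
    return password_verify($password, $users[$name]);
}

// --- Demonstration (constructed inputs) ---------------------------------------
$users = [];
register_vulnerable($users, 'alice', '<b>');
var_dump(login_vulnerable($users, 'alice', ''));

$users = [];
register_secure($users, 'alice', 'Correct<Horse>1!');
var_dump(login_secure($users, 'alice', ''));
var_dump(login_secure($users, 'alice', 'Correct<Horse>1!'));
```

Run with `php test.php` (PHP 7.0 or later for the scalar type declarations). The first `var_dump` shows the vulnerable login accepting an empty password for the account registered with `<b>`; the hardened login rejects the empty string and accepts only the original password, including its `<` and `>` characters.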
Contributed by @nmalcolm
test.php: