php - Secure registration -
i make protected recording in script , of course log.
so advice code if safe enough? how improve it? (i avoid password_hash).
public function registration( array $data ) { if( !empty( $data ) ){ // trim incoming data: $trimmed_data = array_map('trim', $data); // escape variables security $name = mysqli_real_escape_string( $this->_con, $trimmed_data['name'] ); $password = mysqli_real_escape_string( $this->_con, $trimmed_data['password'] ); $cpassword = mysqli_real_escape_string( $this->_con, $trimmed_data['confirm_password'] ); // check email address: if (filter_var( $trimmed_data['email'], filter_validate_email)) { $email = mysqli_real_escape_string( $this->_con, $trimmed_data['email']); } else { throw new exception( "please enter valid email address!" ); } if((!$name) || (!$email) || (!$password) || (!$cpassword) ) { throw new exception( fields_missing ); } if ($password !== $cpassword) { throw new exception( password_not_match ); } $password = md5( $password ); $query = "insert users (user_id, name, email, password, created) values (null, '$name', '$email', '$password', current_timestamp)"; if(mysqli_query($this->_con, $query)){ mysqli_close($this->_con); return true; }; } else{ throw new exception( user_registration_fail ); } }
$password = md5( $password );
no. no.
password_hash , 5.3+ compatibility layer password_compat designed use-case. please use it.
$password = mysqli_real_escape_string( $this->_con, $trimmed_data['password'] );
also, never escape or otherwise alter user-submitted password in way, including trimming it. pass directly password_hash().
Comments
Post a Comment