DEV Community

Discussion on: Chat Application using PHP

Matteo Rigon

This post is a good example of why PHP is bashed by the whole programming community.

  • You are saving passwords in clear text.
  • All your queries are vulnerable to SQL injections.

I don't wanna sound rude, but new programmers are going to see this and think this is OK. Please do not deploy this code to production.

Rupesh Chandra Mohanty (Author)

Yeah, we can use md5 and salt to make the password protected. This is just an experiment on how to make a chat application with PHP.

Jorge Casas

Please, don't use MD5 either. It's insecure. Don't try it in production.

Rupesh Chandra Mohanty (Author)

Yeah, that's why we can use md5 and salt, which can generate a unique ID, hence encrypting the password field.

Jorge Casas

No, seriously. Never use MD5 to encrypt a password. There are other, more secure methods available: php.net/manual/en/function.passwor...
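An added worked example, not code from the original post or from anyone in this thread, that addresses both of Matteo's points above (passwords stored in clear text, queries open to SQL injection) using the `password_hash()` family Jorge links to together with PDO prepared statements. The `users` table, its `username` and `password_hash` columns, and the in-memory SQLite connection are assumptions made here so that the script runs stand-alone.

```php
<?php
// Added example (not from the original post or this thread): user registration
// and login for a PHP chat app. Assumed schema: users(username, password_hash).
declare(strict_types=1);

function registerUser(PDO $db, string $username, string $password): void
{
    // PASSWORD_DEFAULT is bcrypt today; the algorithm, cost and a random salt
    // generated by PHP are all embedded in the returned hash string.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Named placeholders keep user input out of the SQL text entirely.
    $stmt = $db->prepare(
        'INSERT INTO users (username, password_hash) VALUES (:username, :hash)'
    );
    $stmt->execute([':username' => $username, ':hash' => $hash]);
}

function loginUser(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still run one verification against a dummy hash so a
        // wrong username and a wrong password take about the same time to reject.
        static $dummy = null;
        $dummy ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
        password_verify($password, $dummy);
        return false;
    }

    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }

    // If PHP's default cost or algorithm has moved on since this hash was made,
    // upgrade it transparently now that we hold the plaintext.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password_hash = :hash WHERE username = :username');
        $upd->execute([
            ':hash' => password_hash($password, PASSWORD_DEFAULT),
            ':username' => $username,
        ]);
    }
    return true;
}

// Usage (constructed, self-contained): in-memory SQLite so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    password_hash TEXT NOT NULL
)');

registerUser($db, 'alice', 'correct horse battery staple');
var_dump(loginUser($db, 'alice', 'correct horse battery staple'));
var_dump(loginUser($db, 'alice', 'wrong password'));
// Input that would alter a string-concatenated query is just a literal value
// here, so it simply matches no user.
var_dump(loginUser($db, "' OR '1'='1", 'anything'));
```

Two things worth noticing: the stored value is never compared with `==` or `hash_equals()` by hand, because `password_verify()` does the constant-time comparison and parses the salt and cost out of the hash itself; and the only place the plaintext password exists is the request that carries it, so there is nothing to "decrypt" later.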

Rupesh Chandra Mohanty (Author)

Okay, I will look into it. Thank you for the suggestion 😇

JoelBonetR

You can use sha256, joining the string with an application token or salt, or a cookie hash, and it will be OK. If you want more security you can use 512-bit encryption such as Whirlpool, SHA-512 and so on.

Rupesh Chandra Mohanty (Author)

I was going to use uniqid() in php and join it with the password string. I will try your approach too. Thank you for the suggestion 😇

Matteo Rigon

Please do not create your own auth implementation; you will regret it eventually (there's a big yellow box in the uniqid manual that says you should never use it to salt passwords).
Use one of the many well-known, tested and audited auth libraries.
If you really wanna learn how to implement custom authentication, I suggest you browse the source code of said libraries and see how they handle it.

JoelBonetR

There's nothing bad in implementing your own auth if you're a senior dev and you know all about what it implies. Especially when working at a big company and needing to create a self-implemented auth to avoid the extra costs of auth APIs (OAuth, OAuth2, SSO ...), you just need to pass a security audit and the tests after building it and before linking your services to it in production.