
just a quick question,

Is this function secure, if not how can I make it more secure?

    public function Reg($name, $email, $password)
    {
        try {
            $db = DB();
            $state = $db->prepare("INSERT INTO reg (name, email, password) VALUES (:name, :email, :password)");
            $state->bindParam("name", $name);
            $state->bindParam("email", $email);
            $encpass = hash('sha256', $password);
            $state->bindParam("password", $encpass, PDO::PARAM_STR);
            $state->execute();
            return $db->lastInsertId();
        } catch (PDOException $e) {
            exit($e->getMessage());
        }
    }

As always, thanks in advance for any help; it's much appreciated, whatever help you can give.

So is this correct?

    public function Reg($name, $email, $password)
    {
        try {
            $db = DB();
            $state = $db->prepare("INSERT INTO reg (name, email, password) VALUES (:name, :email, :password)");
            $state->bindParam("name", $name);
            $state->bindParam("email", $email);
            $hashed_password = password_hash($password, PASSWORD_DEFAULT);
            $state->bindParam("password", $hashed_password, PDO::PARAM_STR);
            $state->execute();
            return $db->lastInsertId();
        } catch (PDOException $e) {
            exit($e->getMessage());
        }
    }
Isitabird
    A: No. Use [`password_hash()`](https://www.php.net/manual/en/function.password-hash.php). – Funk Forty Niner Aug 24 '20 at 18:03
    ***You shouldn't use [SHA1 password hashes](https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1)*** or ***[MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure)*** and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Aug 24 '20 at 18:06
  • Edited question to make sure I am doing it right – Isitabird Aug 24 '20 at 18:41
  • It is not secure. Remove the try/catch and exit operators. – Your Common Sense Aug 24 '20 at 19:02
  • Hi thank you, I have removed the "try" "catch", but why? – Isitabird Aug 24 '20 at 19:24
  • Just read up about it, now I understand, Thank you for all your help, I will become a master one day...probably the day hell freezes over – Isitabird Aug 24 '20 at 19:28
  • Because they are useless and harmful? Showing the system error message to anyone is anything but security; it can contain a lot of sensitive information. – Your Common Sense Aug 24 '20 at 19:35
  • Ohhhh right, it is more down to the error reporting; now I fully get it. Thank you again – Isitabird Aug 24 '20 at 20:13
  • "Secure" by which terms? – Nico Haase Oct 05 '20 at 12:17
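A fuller version of what the comments ask for, added here as an illustration and not the asker's code: it registers with `password_hash()`, checks logins with `password_verify()`, and lets PDO raise exceptions that the caller logs instead of printing. It assumes `DB()` returns a PDO object as in the question, and that the `reg` table has an auto-increment `id` column (an assumption the question does not state).

```php
<?php
// Added example (not the asker's code): registration and login against the
// `reg` table from the question using password_hash()/password_verify().
// Assumes DB() returns a PDO instance (as in the question) and that `reg`
// has an auto-increment `id` column (assumption, not stated in the question).

function registerUser(PDO $db, string $name, string $email, string $password): int
{
    // password_hash() salts and stretches the password (bcrypt by default);
    // never escape or otherwise transform the password before hashing.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // The password column should be VARCHAR(255): the hash format may grow.
    $stmt = $db->prepare(
        'INSERT INTO reg (name, email, password) VALUES (:name, :email, :password)'
    );
    $stmt->execute([':name' => $name, ':email' => $email, ':password' => $hash]);
    return (int) $db->lastInsertId();
}

function loginUser(PDO $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password FROM reg WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a throwaway hash when the email is unknown, so response
    // time does not reveal which addresses are registered.
    $stored = ($row !== false) ? $row['password'] : password_hash('dummy', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $stored)) {
        return false;
    }
    // Transparently upgrade hashes when PASSWORD_DEFAULT or its cost changes.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE reg SET password = :password WHERE id = :id');
        $upd->execute([':password' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return true;
}

// Caller: PDO throws on failure (ERRMODE_EXCEPTION). Log the detail server-side;
// show the user only a generic message, never $e->getMessage(), which can leak
// table names, SQL text or connection details.
$db = DB();
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
try {
    $id = registerUser($db, 'alice', 'alice@example.com', 'correct horse battery staple');
} catch (PDOException $e) {
    error_log($e->getMessage());
    http_response_code(500);
    exit('Registration failed. Please try again later.');
}
```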
