  • Well done! Add it to OnceBuilder

  • omerida

    Besides the use of sha256 instead of PHP’s built in password functions there are a couple of problematic samples in this article that I wouldn’t want novices to pick up as good habits.

    First, using constants for your database credentials is an unneeded global dependency for your DB() function. They really should be passed into DB as parameters. Consequently, DB() should be injected as a dependency to the DemoLib class, not pulled in from the global scope via $db = DB().

    Second, password should be uniquely salted not just hashed. Again, there’s a reason PHP added password_hash, just use it.

    The way validation is handled, you can only ever return one error to the user at a time. So if someone forgets to put in a value for name and email, they’ll be submitting the form a second time.

    The form should use a CSRF token to protect the form. Again, I understand this is for novices, but showing how to build a login form without one is dangerous.

    Also, I just noticed that $_POST['name'] is saved to the database and later displayed with name ?>, which could be vulnerable to XSS since the output is not being escaped with html_entities.

    • I appreciate your feedback, above all the things is going to cover in upcoming tutorials.

      • omerida

        Great! Although for #3 – you should never rely solely on client-side validation. You’ll still need to validate input with PHP (clients can misbehave or someone could do a POST to your form with using your HTML). For #5 – yes PDO with prepared statements guards you from SQL Injection attacks but if you’re storing what the user supplies and then echoing without escaping, that’s an XSS vector.
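As an added illustration of the points omerida raises in both comments (injected PDO handle, password_hash instead of sha256, collecting all validation errors, a CSRF token, and escaping on output), here is a minimal handler written for this thread; it is not code from the article or the commenter, and the `users` table columns and the `$pdo` connection are assumed.

```php
<?php
// Added example: registration/login helpers applying the fixes discussed above.
// Table name "users" and columns (name, email, password_hash) are assumptions.
declare(strict_types=1);
session_start();

// CSRF token kept in the session; embed it in the form as a hidden field.
function csrfToken(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// Server-side validation that collects every error instead of stopping at the first.
function validate(array $post): array {
    $errors = [];
    if (!hash_equals(csrfToken(), (string)($post['csrf'] ?? ''))) {
        $errors[] = 'Invalid form token.';
    }
    if (trim((string)($post['name'] ?? '')) === '') {
        $errors[] = 'Name is required.';
    }
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'A valid email is required.';
    }
    if (strlen((string)($post['password'] ?? '')) < 8) {
        $errors[] = 'Password must be at least 8 characters.';
    }
    return $errors;
}

// The PDO handle is injected as a parameter, not read from constants or globals.
function registerUser(PDO $pdo, string $name, string $email, string $password): void {
    $stmt = $pdo->prepare('INSERT INTO users (name, email, password_hash) VALUES (?, ?, ?)');
    // password_hash() salts and hashes for you; never store sha256($password).
    $stmt->execute([$name, $email, password_hash($password, PASSWORD_DEFAULT)]);
}

function checkLogin(PDO $pdo, string $email, string $password): bool {
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}
// Escape user-supplied data on output, e.g. <?= e($name) ?>, so a stored name cannot inject HTML.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```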