g0d / micro-MVC

An agile, small, productive and robust MVC framework for PHP with high-quality JS extensions and integrated AJAX support.


Insecure storage of credentials in `auth.php`.

green-job9593 opened this issue · comments

Hello! I stumbled upon this project as I was looking for a PHP framework. I noticed that in the auth.php module the passwords are just their unsalted MD5 hash.

```php
WHERE `username` = "' . mysqli_real_escape_string($db_conn_link, $username) . '" AND ' . '
`password` = "' . mysqli_real_escape_string($db_conn_link, md5($password)) . '" AND ' . '
```

This is insecure for many reasons: it is extremely easy to crack MD5 hashes, and it leaks information in cases where two users have the same password. I recommend that you consult guides such as https://crackstation.net/hashing-security.htm to learn how to securely hash passwords.

Thanks!
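The contrast described in the report above, as an added example that is not part of this issue or of micro-MVC's code: the in-memory `$users` array stands in for the MySQL table the original query reads, and the user names and password are constructed sample values.

```php
<?php
// Added example (not micro-MVC code): unsalted md5() as in the reported
// auth.php versus PHP's built-in password_hash()/password_verify().
declare(strict_types=1);

// Legacy scheme from the report: the stored value is md5($password), so any
// two users who choose the same password store the same 32-hex-char string,
// and a leaked table can be attacked with precomputed MD5 lookups.
function legacy_stored_value(string $password): string
{
    return md5($password);
}

// Replacement: password_hash() draws a random per-user salt and uses a slow
// algorithm (bcrypt for PASSWORD_DEFAULT), so equal passwords yield different
// hashes and each stored hash must be attacked separately and slowly.
function register_user(array &$users, string $username, string $password): void
{
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

// With salted hashes the hash can no longer be matched inside the SQL WHERE
// clause as auth.php does: fetch the row by username only, then verify in PHP.
function verify_login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        // Spend the same verification cost for unknown users so response
        // timing does not reveal which usernames exist.
        password_verify($password, password_hash('placeholder', PASSWORD_DEFAULT));
        return false;
    }
    return password_verify($password, $users[$username]);
}

// Constructed sample users sharing one password.
$users = [];
register_user($users, 'alice', 'correct horse');
register_user($users, 'bob', 'correct horse');

// Are the two stored values linkable under each scheme?
$md5Linkable    = legacy_stored_value('correct horse') === legacy_stored_value('correct horse');
$bcryptLinkable = $users['alice'] === $users['bob'];
var_dump($md5Linkable, $bcryptLinkable);

var_dump(verify_login($users, 'alice', 'correct horse'));
var_dump(verify_login($users, 'alice', 'wrong password'));
var_dump(verify_login($users, 'mallory', 'anything'));
```

Because `password_hash()` output embeds the algorithm and cost, `password_needs_rehash()` can later be used on login to upgrade stored hashes when the default cost or algorithm changes.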

Hello, you are right!

However, this is not a final solution but rather a test template as part of the module for "auth" in the framework. It is there to showcase the basic usage.

It has been noted by other fellow engineers as well, so I will update it to avoid any further misunderstandings...

Any news with this? It would be helpful to keep this issue open until it gets fixed.