Strip Tags

[jfm-so]

Contributed by @nmalcolm

"Okay, let's start again. You're running strip_tags() on the input password which has absolutely no purpose. Should a user choose a password such as , their password will be an empty string and anyone can log into their account without a password."

test.php:

<?php

function hashp($password) {
    return md5(addslashes(strip_tags($password)));
}

echo hashp('<secretpassword>') . " | " . hashp(null);
Output:

d41d8cd98f00b204e9800998ecf8427e | d41d8cd98f00b204e9800998ecf8427e

[auscash]

You actually don't need any sanitisation on the input for the password, so long as one exists and meets some validation criteria if applicable, like >= 8 characters, at least one uppercase, at least one digit, at least one symbol not in A-Z, a-z, 0-9.

After that, you have a hash, which is fine. Use bcrypt instead of md5. The code will need significant clean up for PHP 7 and explicitly support it, without backwards compatibility for PHP 5. There's no good reason to keep it stuck with PHP 5.

You need sanitisation and additional checks when any untrusted input goes into the database.