Vaidas Visk - 2015-03-27 18:12:49
You are using bad things:
- md5 for password hashing. wtf man? md5 has been vulnerable for a long time. Please use at least sha1 or sha256, but I recommend using the mcrypt or bcrypt libraries.
- you are not validating entered data at all. This is a really bad thing.
- your login and registration are vulnerable to SQL Injection. Do not directly include variables in your SQL queries. Use prepared statements when you need to include entered data in a query.
- don't mix HTML code and PHP in the same class. This class should only validate credentials, log in and register users. loginBox/registerBox should be deleted from it and moved to another file (a template).
- you are using already-deprecated MySQL functions (mysql_*). Use MySQLi or PDO instead. (I would recommend PDO :) )
- don't use the @ symbol (it is everywhere in the database class) before functions to hide warnings/errors. It is a really bad coding practice. PHP has a nice function, "set_error_handler", to register a custom error handler and manage almost all errors (for example, you can make all errors throw an exception instead of directly outputting the error text, and then catch them and show/hide the errors where you want to show them, without killing the whole application with die or exit).
- don't output database error messages to a user. Show something without specific information (e.g. "Database error"). Write specific errors to a log file or somewhere else.
- comments should be written in English so that others understand what your code is supposed to do.
That's all for this time. Have a nice day :)
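An added example (not code from the original poster or from this reviewer) that puts the points above together in one small PHP class: input validation, PDO with prepared statements and bound parameters, bcrypt via password_hash() (one of the two libraries the comment recommends), set_error_handler() turning warnings into exceptions instead of @-suppression, no HTML inside the class, and a generic "Database error" for the user while the specific message goes to the log. The table name `users`, its columns, the DSN and credentials, and the PHP 7+ requirement are assumptions of this example.

```php
<?php
// Assumed schema (not from the original post):
//   users(id INT AUTO_INCREMENT PRIMARY KEY,
//         username VARCHAR(32) UNIQUE NOT NULL,
//         password_hash VARCHAR(255) NOT NULL)

// 1. Instead of @: convert every reported PHP warning/notice into an exception
//    so it can be caught in one place rather than silently swallowed.
set_error_handler(function ($severity, $message, $file, $line) {
    if (!(error_reporting() & $severity)) {
        return false; // not part of the configured error_reporting() level
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// 2. PDO instead of mysql_*; exceptions on SQL errors, real server-side prepares.
//    Host, database name and credentials are placeholders for this example.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'appuser', 'app-password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

/** Credential handling only: no HTML here, templates live in their own files. */
final class Auth
{
    /** @var PDO */
    private $db;
    /** @var string bcrypt hash of a throwaway password, see login() */
    private $dummyHash;

    public function __construct(PDO $db)
    {
        $this->db = $db;
        $this->dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }

    /** 3. Validate input: 3-32 characters, letters, digits and underscore only. */
    public static function validUsername($name)
    {
        return is_string($name) && preg_match('/^[A-Za-z0-9_]{3,32}$/', $name) === 1;
    }

    public static function validPassword($pw)
    {
        return is_string($pw) && strlen($pw) >= 8 && strlen($pw) <= 1024;
    }

    /** Returns true on success, false when input is invalid or the name is taken. */
    public function register($username, $password)
    {
        if (!self::validUsername($username) || !self::validPassword($password)) {
            return false;
        }
        // 4. bcrypt with a per-user random salt; the salt is stored inside the hash.
        $hash = password_hash($password, PASSWORD_DEFAULT);
        // 5. Prepared statement: user data never becomes part of the SQL text.
        $stmt = $this->db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
        try {
            $stmt->execute([':u' => $username, ':h' => $hash]);
        } catch (PDOException $e) {
            if ($e->getCode() === '23000') {   // SQLSTATE integrity violation: duplicate username
                return false;
            }
            throw $e;                          // anything else is a real DB error
        }
        return true;
    }

    /** Returns the user id on success, false otherwise. */
    public function login($username, $password)
    {
        if (!self::validUsername($username) || !is_string($password)) {
            return false;
        }
        $stmt = $this->db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
        $stmt->execute([':u' => $username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        // Always run password_verify(), even for unknown users, so response time
        // does not reveal which usernames exist.
        $hash = $row ? $row['password_hash'] : $this->dummyHash;
        if (!password_verify($password, $hash) || !$row) {
            return false;
        }
        return (int) $row['id'];
    }
}

// 6. One catch block for the whole request: generic text to the user,
//    specifics to the log. Output/rendering belongs in a separate template file.
try {
    $auth   = new Auth($pdo);
    $userId = $auth->login($_POST['username'] ?? '', $_POST['password'] ?? '');
    $loginFailed = ($userId === false);
    require __DIR__ . '/templates/login_result.php'; // assumed template, uses $loginFailed / $userId
} catch (Exception $e) {
    error_log('[auth] ' . get_class($e) . ': ' . $e->getMessage());
    http_response_code(500);
    echo 'Database error';
}
```

The error handler only converts errors that are enabled by error_reporting(), which is the standard idiom; with it in place a failed mysql-style call would surface as an ErrorException in the catch block instead of being hidden by @. PDOException::getCode() returns the SQLSTATE as a string, so the duplicate-username check compares against '23000' rather than an integer.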