Security is a vital part of web development. If you have poor security on your system this may result in serious consequences to you, and your users too. It’s important to keep data secure so that if for some reasons if there may be an area of vulnerability, even if your database were to be compromised, your users’ data such as passwords should be hashed and secure so that they cannot be seen. Even recently there have been publicised examples of massive businesses who have been attacked and the attacker has found their way into databases which do not have passwords hashed or protected in any form. When this kind of breach happens, the user’s are at risk if they reuse passwords across multiple platforms where hackers could then access any system you have signed up to using the same credentials.
Bcrypt hashing is used in the system in order to hold passwords on the database. Designed in 1999, bcrypt changed the way people would hash and encrypt passwords. Before this, unsalted MD5 was the most common form of hashing, albeit it’s better than plain text, rainbow tables are 100% effective to this form of hashing and if databases were compromised, it would not be long before the MD5 hashed passwords are compromised too. bcrypt is extremely resistant to rainbow tables which has massive advantages over unsalted hashes. bcrypt hashes can be identified with the prefix $2a$" or “$2b$" or “$2y$” followed by a long string of characters.
Prepared statements are a method of querying the database in a very safe manner, by using prepared statements you are able to eradicate the risk of SQL injection. SQL injection involves a user who types unexpected data into forms to be entered into the database, this data can include malicious executions to the database which you would otherwise not wish to run such as DROP TABLE statements where a username might be expected. There are several methods for avoiding this however prepared statements are certainly one of the best methods for this.
Another way to improve security might be to use POST instead of GET where applicable. It should be noted, however, that POST is not fully secure - it merely stores data in the request body of the HTTP request.
Input validation is another good method to improve security. If you can ensure users are inputting safe data int your database, you are less likely to become victim to SQL injection. PHP functions such as preg_match() can be used to perform a regular expression match on a string. The mysqli_real_escape_string() function exists to escape special characters from strings to assemble them for SQL usage.
word count: 443