Reviving a Vulnerable PHP User Registration Script
Description
This legacy PHP script handles user registration. It is vulnerable to SQL injection (user input is concatenated straight into the SQL string), stores passwords as unsalted md5 hashes, and relies on the mysql_* extension, which was removed in PHP 7.0, so it no longer runs on a current PHP install.
Original Code (Outdated)
<?php
// Raw, unvalidated POST input.
$username = $_POST['username'];
// Unsalted, fast hash: identical passwords give identical hashes and brute force is cheap.
$password = md5($_POST['password']);
// mysql_* functions were deprecated in PHP 5.5 and removed in PHP 7.0.
$conn = mysql_connect('localhost', 'user', 'pass');
mysql_select_db('mydatabase', $conn);
// SQL injection: $username is spliced into the query text without escaping or binding.
$sql = "INSERT INTO users (username, password) VALUES ('$username', '$password')";
if (mysql_query($sql, $conn)) {
    echo "Registration successful!";
} else {
    // Leaks driver error details to the client.
    echo "Error: " . mysql_error($conn);
}
mysql_close($conn);
?>
Updated Code (Modern)
<?php
// Take the raw POST values. Do not run the password through a sanitizing filter:
// FILTER_SANITIZE_STRING (deprecated since PHP 8.1) strips and encodes characters,
// so the stored hash would no longer match what the user actually typed.
$username = trim((string) ($_POST['username'] ?? ''));
$password = (string) ($_POST['password'] ?? '');
if ($username === '' || $password === '') {
    die('Username and password are required.');
}
// Salted, deliberately slow hash; PASSWORD_DEFAULT currently selects bcrypt.
$hashedPassword = password_hash($password, PASSWORD_DEFAULT);
try {
    $pdo = new PDO('mysql:host=localhost;dbname=mydatabase;charset=utf8mb4', 'user', 'pass', [
        // Make every driver error throw so the catch block below actually sees failures
        // (before PHP 8.0 the default error mode was silent).
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    // Prepared statement: the values are bound as data and never become part of the SQL text.
    $stmt = $pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, $hashedPassword]);
    echo "Registration successful!";
} catch (PDOException $e) {
    // Keep the driver message in the server log; do not echo it to the client.
    error_log($e->getMessage());
    echo "Error: registration failed.";
}
?>
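The updated script only covers new registrations. Any accounts created by the old script still hold unsalted md5 hashes, and password_verify() will not accept those. The following login handler is an added example, not part of the original page: it verifies modern hashes, accepts a legacy md5 row once and immediately rewrites it with password_hash(), and upgrades hashes whose algorithm or cost has changed. It assumes the same `users` table plus an `id` primary key column (an assumption; the page's table shows only `username` and `password`), and the DSN and credentials are placeholders.

```php
<?php
// Added example (not from the original page): login with transparent upgrade
// of legacy md5() rows to password_hash(). Assumes `users(id, username, password)`;
// the `id` column is an assumption beyond what the page shows.
declare(strict_types=1);

// A 32-character lowercase hex string is what the outdated script stored.
const LEGACY_MD5_PATTERN = '/^[0-9a-f]{32}$/';

function connect(): PDO
{
    // Placeholder DSN/credentials, mirroring the page's own values.
    return new PDO('mysql:host=localhost;dbname=mydatabase;charset=utf8mb4', 'user', 'pass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]);
}

function rehash(PDO $pdo, int $id, string $password): void
{
    $stmt = $pdo->prepare('UPDATE users SET password = ? WHERE id = ?');
    $stmt->execute([password_hash($password, PASSWORD_DEFAULT), $id]);
}

/**
 * Returns true when $password matches the stored hash for $username.
 * A legacy md5 row is accepted once and then replaced by a password_hash() value,
 * so the md5 hash disappears from the table after the user's next successful login.
 */
function checkAndUpgrade(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Spend roughly the cost of a real verify so an unknown username is not
        // distinguishable from a wrong password by response time.
        password_verify($password, password_hash('dummy', PASSWORD_DEFAULT));
        return false;
    }

    $stored = (string) $row['password'];
    $id     = (int) $row['id'];

    if (preg_match(LEGACY_MD5_PATTERN, $stored) === 1) {
        // Legacy row from the md5() script: constant-time compare, then upgrade.
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        rehash($pdo, $id, $password);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Upgrade when PASSWORD_DEFAULT or its cost parameters have changed since hashing.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        rehash($pdo, $id, $password);
    }
    return true;
}

$username = trim((string) ($_POST['username'] ?? ''));
$password = (string) ($_POST['password'] ?? '');
if ($username === '' || $password === '') {
    http_response_code(400);
    exit('Username and password are required.');
}

try {
    $ok = checkAndUpgrade(connect(), $username, $password);
} catch (PDOException $e) {
    error_log('login error: ' . $e->getMessage()); // details stay in the server log
    http_response_code(500);
    exit('Login temporarily unavailable.');
}

if ($ok) {
    echo 'Login successful!';
} else {
    http_response_code(401);
    echo 'Invalid username or password.'; // same message for unknown user and wrong password
}
```

The legacy branch only exists so that old accounts keep working during the migration; once every row has been rewritten (a query for 32-character hex values in `password` returning nothing), the md5 comparison can be deleted. Note that the password is never trimmed or filtered on either the registration or the login side, which is what keeps the hash comparison consistent.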