MasterCMS | The RetroServers Revolution | Themes System | Multi Emulator | Multi Lan

  1. #16
    git bisect -m ovflowd is offline
    MemberRank
    Sep 2011 Join Date
    2,191Posts

    Re: MasterCMS | The RetroServers Revolution | Themes System | Multi Emulator | Multi

    I have no words for this.

    Design isn't revolutionizing. Housekeeping looks Material.

    Code is like... @NoBrains over 9000. That's something awful to look at.

    How did you code this without something popping up in your head like "I think there are so many if/elses here"...

    Guy, what the hell is that encryption method? Do you even know that passwords need to be hashed and not encrypted?

    I can just decode the password with base64_decode.

    Dafuq. That method isn't even secure.

    Anyways, good luck with refactoring this. Maybe you are a newbie in the programming field, so good luck.

  2. #17
    Apprentice LxBlack is offline
    MemberRank
    May 2017 Join Date
    8Posts

    Re: MasterCMS | The RetroServers Revolution | Themes System | Multi Emulator | Multi

    The design is a "Default Theme"; you can create your own theme easily, and I know I use a lot of if/else. At first I liked to use them but now I realized that they look horrible; I could use elseif.
    I created the encryption function so that if a CMS uses an encryption type, you do not have to restart users and can simply change the type of encryption to that of the old CMS.

  3. #18
    Alpha Member Emily is offline
    MemberRank
    Oct 2012 Join Date
    The NetherlandsLocation
    2,408Posts

    Re: MasterCMS | The RetroServers Revolution | Themes System | Multi Emulator | Multi

    Quote Originally Posted by LxBlack View Post
    The design is a "Default Theme"; you can create your own theme easily, and I know I use a lot of if/else. At first I liked to use them but now I realized that they look horrible; I could use elseif.
    I created the encryption function so that if a CMS uses an encryption type, you do not have to restart users and can simply change the type of encryption to that of the old CMS.
    B-B-But you don't ENCRYPT passwords... you HASH them o_O If you encrypt them and somehow the database is leaked all the passwords can be decrypted o_O.

  4. #19
    Apprentice LxBlack is offline
    MemberRank
    May 2017 Join Date
    8Posts

    Re: MasterCMS | The RetroServers Revolution | Themes System | Multi Emulator | Multi

    I will change to MD5, Thanks!

  5. #20
    Member Tafelglotzer is offline
    MemberRank
    Jan 2017 Join Date
    76Posts

    Re: MasterCMS | The RetroServers Revolution | Themes System | Multi Emulator | Multi

    Quote Originally Posted by LxBlack View Post
    I will change to MD5, Thanks!
    Don't use MD5!!! Use password_hash()
    Last edited by Tafelglotzer; 05-06-17 at 01:35 PM.

  6. #21
    git bisect -m ovflowd is offline
    MemberRank
    Sep 2011 Join Date
    2,191Posts

    Re: MasterCMS | The RetroServers Revolution | Themes System | Multi Emulator | Multi

    Quote Originally Posted by LxBlack View Post
    I will change to MD5, Thanks!
    MD5 isn't secure anymore. Use password_hash() or at least bcrypt() or something else.

  7. #22
    Alpha Member Emily is offline
    MemberRank
    Oct 2012 Join Date
    The NetherlandsLocation
    2,408Posts

    Re: MasterCMS | The RetroServers Revolution | Themes System | Multi Emulator | Multi

    Quote Originally Posted by LxBlack View Post
    I will change to MD5, Thanks!
    You should, as others suggested as well, use password_hash. It will become like:

    PHP Code:
    $password = password_hash('password', PASSWORD_DEFAULT);
    Where 'password' is the password you want to hash.

    You can verify using password_verify:

    PHP Code:
    if (password_verify('inputpassword', $hash)) { /* password is correct */ }
    Where 'inputpassword' is the password the user enters (non-hashed) that you want to check, and $hash is the hashed password from the database.

  8. #23
    git bisect -m ovflowd is offline
    MemberRank
    Sep 2011 Join Date
    2,191Posts

    Re: MasterCMS | The RetroServers Revolution | Themes System | Multi Emulator | Multi

    Quote Originally Posted by Glaceon View Post
    You should, as others suggested as well, use password_hash. It will become like:

    PHP Code:
    $password = password_hash('password', PASSWORD_DEFAULT);
    Where 'password' is the password you want to hash.

    You can verify using password_verify:

    PHP Code:
    if (password_verify('inputpassword', $hash)) { /* password is correct */ }
    Where 'inputpassword' is the password the user enters (non-hashed) that you want to check, and $hash is the hashed password from the database.
    Regarding that: by default password_hash() will use RANDOM salts. Because of that, I recommend using the "PASSWORD_BCRYPT" flag.

    becoming something like

    PHP Code:
    $hash = password_hash('password', PASSWORD_BCRYPT);
    You can also provide a custom salt, becoming something like

    PHP Code:
    $hash = password_hash('password', PASSWORD_BCRYPT, ['salt' => 'my-hash']); // salt goes in the options array (bcrypt expects at least 22 characters)
    For the signature verification just:

    PHP Code:
    $hash = RECOVER_HASH_FROM_DATABASE(); // placeholder for your own database lookup

    if (password_verify('password', $hash)) {
        // SEEMS LEGIT
    }


  9. #24
    Alpha Member Emily is offline
    MemberRank
    Oct 2012 Join Date
    The NetherlandsLocation
    2,408Posts

    Re: MasterCMS | The RetroServers Revolution | Themes System | Multi Emulator | Multi

    Quote Originally Posted by saamus View Post
    Regarding that: by default password_hash() will use RANDOM salts. Because of that, I recommend using the "PASSWORD_BCRYPT" flag.

    ***
    Warning
    The salt option has been deprecated as of PHP 7.0.0. It is now preferred to simply use the salt that is generated by default.
    So, shouldn't use custom salts.

  10. #25
    git bisect -m ovflowd is offline
    MemberRank
    Sep 2011 Join Date
    2,191Posts

    Re: MasterCMS | The RetroServers Revolution | Themes System | Multi Emulator | Multi

    Quote Originally Posted by Glaceon View Post
    So, shouldn't use custom salts.
    The salt option is the third argument of the function; the second one, "PASSWORD_BCRYPT", is still recommended.

  11. #26
    ◝(⁰▿⁰)◜Smile◝ (⁰▿⁰)◜ Taiga is offline
    DeveloperRank
    May 2007 Join Date
    InternetLocation
    2,464Posts

    Re: MasterCMS | The RetroServers Revolution | Themes System | Multi Emulator | Multi

    Not going to bash on this but there is nothing advanced in this project. I think this is more of a learning experience for you guys and you should drop the 'advanced framework' and just call it a website for retro servers.

    It's good to see you guys working on this project and I really encourage you guys to keep working on it, but don't say it's something that it isn't; it just makes it look bad.

    MD5 on its own was never secure in the first place, it's just another hashing algorithm.
    You should always seed your passwords when you hash them so it will not be obvious inside the database if users share the same password.

    Anyways, as many suggested, use the password_hash function which has been built into PHP since 5.5. It has hashing and seeding built-in.
    PHP: password_hash - Manual

    Here is a friendly warning as a developer:
    YOU SHOULD NEVER ENCRYPT PASSWORDS; HASH THEM INSTEAD.
    HASHING IS A ONE WAY OPERATION AND CANNOT BE REVERSED.
    DO NOT USE OLD TUTORIALS FOR PASSWORD HASHING; LOOK UP RECENT ONES.
    - - - Updated - - -

    Quote Originally Posted by saamus View Post
    The salt option is the third argument of the function; the second one, "PASSWORD_BCRYPT", is still recommended.
    No need to manually supply a salt since it's done on the fly in PHP. I suggest a minimum cost of 10.
    Code:
    password_hash("test", PASSWORD_BCRYPT, ["cost" => 10]);
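
An added example, not code from MasterCMS or from any poster in this thread: one way to move accounts off a legacy scheme at login without resetting users, which was the reason given above for the original "encryption" function. The `$users` array (standing in for the database), the `scheme` field, the `loginAndUpgrade()` name and the choice of plain MD5 as the legacy format are assumptions for the sketch.

```php
<?php
// Added example: verify against a legacy MD5 value once, then re-store with
// password_hash(). $users stands in for the database (constructed sample data).
const HASH_OPTIONS = ['cost' => 10];

$users = [
    'alice' => ['scheme' => 'md5',    'hash' => md5('correct horse')],
    'bob'   => ['scheme' => 'native', 'hash' => password_hash('hunter2!', PASSWORD_BCRYPT, ['cost' => 4])],
];

function loginAndUpgrade(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $row = &$users[$name];

    if ($row['scheme'] === 'md5') {
        // Legacy check; hash_equals() avoids a timing-dependent comparison.
        $ok = hash_equals($row['hash'], md5($password));
    } else {
        $ok = password_verify($password, $row['hash']);
    }
    if (!$ok) {
        return false;
    }

    // The plaintext is only available at login, so upgrade the stored value now.
    if ($row['scheme'] === 'md5'
        || password_needs_rehash($row['hash'], PASSWORD_BCRYPT, HASH_OPTIONS)) {
        $row['hash']   = password_hash($password, PASSWORD_BCRYPT, HASH_OPTIONS);
        $row['scheme'] = 'native';
    }
    return true;
}

var_dump(loginAndUpgrade($users, 'alice', 'correct horse')); // legacy MD5 row
var_dump($users['alice']['scheme']);                          // scheme after the upgrade
var_dump(loginAndUpgrade($users, 'bob', 'hunter2!'));         // stored below HASH_OPTIONS cost
var_dump(password_get_info($users['bob']['hash'])['options']['cost']);
var_dump(loginAndUpgrade($users, 'alice', 'wrong'));          // wrong password

// Random salts: hash the same password twice, compare the strings, verify both.
$a = password_hash('same', PASSWORD_BCRYPT, HASH_OPTIONS);
$b = password_hash('same', PASSWORD_BCRYPT, HASH_OPTIONS);
var_dump($a !== $b, password_verify('same', $a) && password_verify('same', $b));
```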

  12. #27
    swagggggg Livar is offline
    MemberRank
    Oct 2008 Join Date
    United KingdomLocation
    2,272Posts

    Re: MasterCMS | The RetroServers Revolution | Themes System | Multi Emulator | Multi

    lol this section turned to fucking shit. look at you all acting like you're 10x better than him and are naturally born web developers, stfu

    i don't quite get why u all overcomplicate cms' now adays, it's not that deep bro. just use ubercms or idk make one from scratch, use joopies mysqli class, use raintpl and bobs your uncle fannys your aunt.

  13. #28
    Proficient Member JerryCool is offline
    MemberRank
    Jul 2013 Join Date
    ChicagoLocation
    154Posts

    Re: MasterCMS | The RetroServers Revolution | Themes System | Multi Emulator | Multi

    Quote Originally Posted by Livar View Post
    lol this section turned to fucking shit. look at you all acting like you're 10x better than him and are naturally born web developers, stfu

    i don't quite get why u all overcomplicate cms' now adays, it's not that deep bro. just use ubercms or idk make one from scratch, use joopies mysqli class, use raintpl and bobs your uncle fannys your aunt.
    Sorry, but the fact that he used str_replace to "prevent" SQL injections. https://github.com/DenzelCode/Master...ection.php#L38
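
An added example, not MasterCMS code: the linked file is not reproduced on this page, so `stripQuotes()` below is a hypothetical stand-in for a str_replace-style filter, shown beside a PDO prepared statement. It assumes the pdo_sqlite extension and uses a constructed in-memory table.

```php
<?php
// Added example with constructed data; requires the pdo_sqlite extension.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
$db->exec("INSERT INTO users (username) VALUES ('O''Brien'), ('admin')");

// Hypothetical blacklist filter: it edits the value and the query is still
// built by concatenation, so the SQL structure depends on the filter being complete.
function stripQuotes(string $value): string
{
    return str_replace(["'", '"', ';', '--'], '', $value);
}

function findUserFiltered(PDO $db, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . stripQuotes($username) . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the SQL text is fixed and the value is bound as data.
function findUserPrepared(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A legitimate name containing a quote: the filter alters the value before the
// lookup, while the bound parameter is compared unchanged.
var_dump(findUserFiltered($db, "O'Brien"));
var_dump(findUserPrepared($db, "O'Brien"));
```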


