Hi everyone! So, let's talk security. I'm not into cybersecurity or anything, so I'm not an expert. Maybe someone will even beat my ass for all of this later and I'll hastily correct it, but let's go over some good internet practices / convenience things for my scripts!
I thought I'd address a lot of this since Kail asked about it. I know a lot of users don't care, but you should, and also I want to assure people who do care, but don't know much!
This includes the hashing code that my other files refer to, but I explain all of it too. You're free to just grab the code, but I think reading this will make you a better internet user, and/or not just go "I don't use PHP because it has security issues" without being able to elaborate.
So, let's discuss security? Why does PHP have such a bad reputation?
I am of the belief that it is because PHP is very old and it takes someone with a security mindset to really not screw up handling sensitive data. PHP to me is naturally very secure until you start handling things like credit card info and user passwords (though I think some data leaks are catastrophes because of user habits but I digress).
These are personal PUBLIC websites - imo you shouldn't be storing sensitive data on them anyway, but for example, imagine some guy at a bank fucks up and now someone can just type random emails in a browser and see their information. Or like, a huge social media site used by tons of people has passwords leaked for a ton of users who share their passwords across platforms.
This is why I don't handle user data outside of my own in my own scripts. Number one: I don't trust people not to reuse their passwords, and I feel anxious even if the passwords are hashed. Number two: if anything were exposed, it's information that's already publicly available anyways.
The other reason PHP has such a bad reputation / data leaks happen and can be so devastating is because organizations don't hash their shit. This is what happened with that Tea app recently (as of September 2025). The developers relied on AI to code the program while not telling it to hash anything, exposing everything.
This is also why you shouldn't just hand over any sensitive data to just anyone. If they aren't handling that data correctly and it gets leaked, it's out there forever. And well, even if you trust an organization with sensitive data, you're still relying on the programmers to not screw up, and corporations don't care about you.
All of my user form scripts accept hashes for password protected content. This is good practice: if you're sharing servers with anyone, are just paranoid about your files being exposed, or hope to eventually bulk up my scripts for multiple users (or make your own), hashing is important.
PHP makes it very easy to hash. While I don't store passwords in databases cause I have no reason to, I do still use PHP's innate functions for hashing because it's the easiest.
Anyways, what is hashing? It's just math basically. Passwords are stored in a hash, obscuring them from people with access to the server files. If someone gets the hash, they still can't log in to your account unless they figure out the hash. One plaintext password can have several hashes due to how the formula works.
That said, hashes CAN be cracked if someone does get access to them, which is why you shouldn't share passwords between services. If a leak happens, you're generally safe because your password is hashed, BUT if your password is cracked and you share it on another server (think Steam), you're fucked.
Hashes being cracked is a bother, which is why I think everyone should use a password generator. Anyone who tries to crack your passwords will struggle because all of the work will just display random strings since password generators are random. And if you change your password, it's even better because now any hash someone may have access to is null and void.
Since PHP can hash, I just hash everything in my website files. You don't need this publicly on your server or anything. You can run this locally on your machine or keep the page on your website if you want. Can be convenient if you're generating multiple passwords and like to edit live. This will also show you the hashing formula in action. You can just keep generating hashes with the same plaintext password, and it will work every time.
This code has a copy button for the hash to make sure you don't miss anything. I also generate my passwords in KeePass then put them in here.
(There are also other hashing algorithms out there you can use if you want lol)
<?php
// If you want to keep the hasher on your server to generate multiple passwords,
// uncomment the next two lines after generating your hash.
// require_once $_SERVER['DOCUMENT_ROOT'] . '/includes/auth.php';
// check_login(); // This will show login form if not logged in

// Hash the submitted password with PHP's current default algorithm.
$hashed_password = '';
if ($_SERVER["REQUEST_METHOD"] === "POST") {
    $plain_password = $_POST['password'] ?? '';
    // Only accept a non-empty string (a password of "0" is still a password).
    if (is_string($plain_password) && $plain_password !== '') {
        $hashed_password = password_hash($plain_password, PASSWORD_DEFAULT);
    }
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Password Hasher</title>
    <script>
        // Select the generated hash and copy it to the clipboard.
        function copyHash() {
            const textarea = document.getElementById("hashOutput");
            textarea.select();
            textarea.setSelectionRange(0, 99999); // For mobile
            document.execCommand("copy");
            alert("Hash copied to clipboard!");
        }
    </script>
</head>
<body>
    <h2>Password Hasher</h2>
    <form method="post" action="">
        <label for="password">Enter password:</label>
        <input type="text" name="password" id="password" required>
        <button type="submit">Generate Hash</button>
    </form>
    <?php if ($hashed_password !== ''): ?>
        <h3>Your secure hash:</h3>
        <!-- htmlspecialchars() keeps the hash from being interpreted as markup -->
        <textarea id="hashOutput" rows="2" cols="80" readonly><?php echo htmlspecialchars($hashed_password); ?></textarea><br>
        <button onclick="copyHash()">Copy Hash</button>
    <?php endif; ?>
</body>
</html>
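Here is the checking side of the same thing, as an added example that is not part of my scripts' code: it shows why one password gives several hashes and how a login check accepts all of them. The password is constructed, and `check_password()` and `$stored_hash` are hypothetical names.

```php
<?php
// Added example: constructed password, hypothetical function and variable names.
$password = 'Vq7#constructed-example-pass';

// Each call picks a fresh random salt, so the two hash strings differ.
$hash_a = password_hash($password, PASSWORD_DEFAULT);
$hash_b = password_hash($password, PASSWORD_DEFAULT);
echo "hash A: $hash_a\nhash B: $hash_b\n";
echo 'same string? ';
var_dump($hash_a === $hash_b);

// The algorithm, cost and salt are stored inside the hash string itself.
print_r(password_get_info($hash_a));

// Hypothetical login check: verify first, then see if the stored hash is outdated.
function check_password(string $submitted, string $stored_hash): array {
    if (!password_verify($submitted, $stored_hash)) {
        return ['ok' => false, 'new_hash' => null];
    }
    // If PHP's default algorithm or cost has changed since the hash was made,
    // hand back a fresh hash to save in place of the old one.
    $new_hash = password_needs_rehash($stored_hash, PASSWORD_DEFAULT)
        ? password_hash($submitted, PASSWORD_DEFAULT)
        : null;
    return ['ok' => true, 'new_hash' => $new_hash];
}

// Both hashes accept the right password, and neither accepts a wrong one.
var_dump(check_password($password, $hash_a)['ok']);
var_dump(check_password($password, $hash_b)['ok']);
var_dump(check_password('wrong guess', $hash_a)['ok']);

// Constructed "old" hash with a deliberately low bcrypt cost.
$old_hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 4]);
$result = check_password($password, $old_hash);
echo 'old hash accepted? ';
var_dump($result['ok']);
echo 'replacement hash offered? ';
var_dump($result['new_hash'] !== null);
```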
You've probably noticed this only applies to the auth file. You do not hash the config files. What gives?
Databases have different challenges than auth files, but I'd say they're much more secure (along with PHP itself really.)
I'm sure you've heard of 'injection' though actually there's a large chance you haven't. Forms inputting data can be victims of injection which can execute things on your server. This practice is easily avoided via sanitization, and even older forms are generally good at handling this. Not always obviously, but it's something developers have been aware of for a long time.
But what does that even mean exactly? Well, you're storing user data in a database, so imagine, someone runs SQL commands from your form and drops a ton of your info. Even if nothing sensitive is there, now you've lost all of your blog entries or a bunch of members of your webring are gone or something! If you didn't back it up, that data is just lost!
But like I said, very easy to avoid, and generally, most of my scripts only you should have access to. Any form accepting user data is also sanitized quite a bit. No injection can happen that fucks up your server, just general annoying display things which won't matter because you have to approve every entry anyways.
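To make the injection problem concrete, here is an added example (not code from my scripts) with the same delete written two ways: form input pasted into the SQL text, then a validated integer bound through a PDO prepared statement. The table, the input value and the function names are constructed, and it assumes the pdo_sqlite extension so it can run against an in-memory database.

```php
<?php
// Added example: constructed table and input, hypothetical function names.
function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE entries (id INTEGER PRIMARY KEY, body TEXT)');
    $db->exec("INSERT INTO entries (body) VALUES ('first post'), ('second post'), ('third post')");
    return $db;
}

function count_entries(PDO $db): int {
    return (int) $db->query('SELECT COUNT(*) FROM entries')->fetchColumn();
}

// Vulnerable: the form value becomes part of the SQL text, so it can rewrite the query.
function delete_entry_unsafe(PDO $db, string $id): void {
    $db->exec("DELETE FROM entries WHERE id = $id");
}

// Hardened: check the type, then bind the value so the database only ever sees data.
function delete_entry_safe(PDO $db, string $id): bool {
    $int_id = filter_var($id, FILTER_VALIDATE_INT);
    if ($int_id === false) {
        return false; // anything that is not a plain integer is rejected
    }
    $stmt = $db->prepare('DELETE FROM entries WHERE id = :id');
    $stmt->bindValue(':id', $int_id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1;
}

$form_input = '1 OR 1=1'; // constructed hostile value for an "id" form field

$db = make_db();
delete_entry_unsafe($db, $form_input);
echo 'unsafe version, entries left: ', count_entries($db), "\n";

$db = make_db();
echo 'safe version accepted the input? ';
var_dump(delete_entry_safe($db, $form_input));
echo 'safe version, entries left: ', count_entries($db), "\n";

delete_entry_safe($db, '2'); // a normal request still works
echo 'after deleting id 2, entries left: ', count_entries($db), "\n";
```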
The user forms that you log in to yourself are much less sanitized since they allow HTML and things of the sort, which is why they are locked behind an auth file and why I encourage hashing. Do make sure your auth file works (test wrong passwords, test correct passwords, test wrong usernames, etc).
Anyways, that is to say, your config files are safe. It's easy to be concerned about the SQL database due to it being stored in plain text, but basically: PHP will obscure that information, and even if a user had access to that info somehow, they need access to your server to actually do anything with that information.
Also I gave you the script for a reason!! Don't use online hashers. I know it's tempting but dear god!!!!!
Much love !!!