
**Warning** Your code has multiple security and usability issues.  #1

Open
@kamil-tekiela

Description


Your coding example has many serious issues, and yet it has come up for me in Google search as one of top results. Could you please either rewrite the code or take it offline, so that new PHP developers don't make the same mistakes?

  1. You are wide open to SQL Injections and should really use parameterized prepared statements instead of manually building your queries. They are provided by PDO or by MySQLi. Never trust any kind of input, especially that which comes from the client side. Even when your queries are executed only by trusted users, you are still at risk of corrupting your data.
  2. Never store passwords in clear text! Only store password hashes. Use PHP's password_hash() and password_verify(). If you're running a PHP version lower than 5.5 (which I really hope you aren't), you can use the password_compat library to get the same functionality.
  3. Use utf8mb4 for your DB encoding, rather than latin1. In this day and age users should be able to use the full range of Unicode characters in their usernames.
  4. Don't strip off users' passwords before entering them into the DB. In fact, don't execute htmlspecialchars on the data being entered into the DB. The whole purpose of this function is to sanitize data being displayed in HTML!
  5. base64_encode is not a hashing mechanism. It should never be used in connection with passwords! It makes no difference whether you do or not, because everyone knows either way that you have used 12345 in your example script.
  6. Don't kill your script with die() unless you really, really must! This should only be used if the rest of the script should not be executed, not as a control flow mechanism.
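The following is an added example, not code from this issue or from the repository it was filed against. It shows the six points above applied together in one small registration/login flow: PDO prepared statements with bound parameters, a utf8mb4 connection, password_hash()/password_verify() with no base64 or htmlspecialchars on the way in, HTML escaping only at output, and exceptions instead of die(). The DSN, credentials, table name and column names are assumptions; the schema it expects is given in the comment at the top.

```php
<?php
// Added example; assumes a MySQL database reachable via the DSN below and this table:
//   CREATE TABLE users (
//     id INT AUTO_INCREMENT PRIMARY KEY,
//     username VARCHAR(64) NOT NULL UNIQUE,
//     password_hash VARCHAR(255) NOT NULL
//   ) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
declare(strict_types=1);

// Point 3: utf8mb4 in the DSN so full-range Unicode usernames round-trip intact.
// Emulated prepares are switched off so the server itself binds the parameters.
function connect(): PDO
{
    $dsn = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4';   // assumed host/db
    return new PDO($dsn, 'app_user', getenv('DB_PASSWORD') ?: '', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Points 1, 2, 4 and 5: user input is bound, never concatenated into the SQL;
// only a password hash is stored; the raw password goes straight into
// password_hash() with no stripping, htmlspecialchars() or base64 on the way in.
function registerUser(PDO $db, string $username, string $password): int
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
    return (int) $db->lastInsertId();
}

// Login: look the user up by bound username, then let password_verify() do the
// comparison. The plaintext password never appears in a query. If PHP's default
// algorithm or cost has changed since the hash was made, upgrade it transparently.
function verifyLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch();
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return true;
}

// Point 4 again: escape at the moment of HTML output, not before storage.
function renderGreeting(string $username): string
{
    return '<p>Welcome, ' . htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Point 6: errors surface as exceptions and are handled here, rather than
// die()-ing in the middle of the script with a raw database error.
try {
    $db = connect();
    $user = 'Zoë_Ω';                             // constructed sample, exercises utf8mb4
    $pass = 'correct horse battery staple';     // constructed sample
    registerUser($db, $user, $pass);
    echo verifyLogin($db, $user, $pass) ? "login ok\n" : "login failed\n";
    echo verifyLogin($db, $user, 'wrong') ? "login ok\n" : "login failed\n";
    echo renderGreeting($user), "\n";
} catch (PDOException $e) {
    error_log($e->getMessage());
    http_response_code(500);
    echo "Something went wrong.\n";
}
```

Run it once against an empty users table; the second verifyLogin() call prints "login failed" because the stored value is a hash that only the original password verifies against, and the greeting is escaped at output time even though the username was stored exactly as typed.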
