Summary:
Registration stores plaintext passwords, and login compares raw input directly against DB values. No hashing is used.
Description:
Multiple files insert the password taken directly from POST into the database, and the login code compares the submitted password with the row's password field as plain text. This violates basic authentication security requirements.
Steps to Reproduce:
- Register new patient/doctor account.
- Inspect DB record for created account.
- Password appears in plain text.
- Login path compares plain string against DB field.
Expected:
Passwords should be stored as salted hashes (for example using password_hash()/password_verify()) and never stored in plaintext.
Actual:
Passwords are saved and checked as raw strings.
Impact:
Critical security risk: credential disclosure, account takeover, compliance violations.
Suggested Labels:
security, authentication, high priority
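The remediation described under "Expected", shown as an added example that is not the project's own code. It assumes a PDO connection in $pdo and a `users` table with `id`, `username` and `password` columns (placeholder names); the migrate function is also an assumption about how existing plaintext rows would be converted.

```php
<?php
// Registration: store only a salted hash, never the submitted password.
function register_user(PDO $pdo, string $username, string $password): void
{
    // PASSWORD_DEFAULT picks the current recommended algorithm (bcrypt at present);
    // the random salt and cost are embedded in the returned string.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => $hash]);
}

// Login: verify the submitted password against the stored hash instead of
// comparing raw strings.
function login_user(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }
    // Transparently upgrade hashes created with older parameters.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password = :p WHERE id = :id');
        $upd->execute([':p' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return true;
}

// One-time migration for rows created by the vulnerable code (assumed layout):
// any value that is not a recognised password_hash() string is treated as
// plaintext and replaced by its hash. Returns the number of rows converted.
function migrate_plaintext_passwords(PDO $pdo): int
{
    $converted = 0;
    $upd = $pdo->prepare('UPDATE users SET password = :p WHERE id = :id');
    foreach ($pdo->query('SELECT id, password FROM users') as $row) {
        if (empty(password_get_info($row['password'])['algo'])) {
            $upd->execute([':p' => password_hash($row['password'], PASSWORD_DEFAULT), ':id' => $row['id']]);
            $converted++;
        }
    }
    return $converted;
}
```

After the migration, a fresh `SELECT password FROM users` should show only `$2y$...`-style hashes; any remaining raw strings indicate a code path that still writes POST data directly.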