
Show HN: Instanote – self-hosted pinboard - lcnmrn
https://github.com/lucianmarin/instanote
======
krapp
You need to update your code to follow more modern and more secure PHP
practices.

Instead of reading from and writing to a JSON file, use a database... this is
the kind of thing they were made for, after all. If you do, though, use
PDO[0,1] to prevent SQL injection.

Also, instead of md5, which is a very weak and thoroughly broken algorithm,
use password_hash[2,3] along with password_verify[4] to compare in a way
that's safe against timing attacks. Also _don't authorize users by storing
the password in a cookie, even as a hash._ The typical way to do authorization
is through secure sessions. Users can't create session cookies, but they can
create arbitrary POST variables and cookies with their own hashed values, which
means it's probably possible for anyone to authorize themselves with minimal
effort.

I'm also just assuming you've got some XSS issues as well because I don't see
any attempts to escape variables in templates.

You've publicly exposed phpinfo() which makes it easier to tailor exploits for
your PHP installation.

I notice you seem to have a startup as well. I really hope for the sake of
your users that it's built a bit more substantially.

[0] https://code.tutsplus.com/tutorials/why-you-should-be-using-phps-pdo-for-database-access--net-12059

[1] https://phpdelusions.net/pdo

[2] http://php.net/manual/en/function.password-hash.php

[3] https://stackoverflow.com/questions/30279321/how-to-use-password-hash

[4] http://php.net/manual/en/function.password-verify.php

------
stephenr
Um.. Wow.

> PHP 5.2

Why? The 5.2.x line hasn't been supported for 7 years.

> MD5

Wat. Just. No. Don't.

> chmod 777

Wat^2. Holy shit balls. No. This is ridiculous.

~~~
technion
I'm the first person to be horribly critical of companies where I feel it's
suited.

This is however one person putting time into coding, and probably involving
following the recommendations in any of the many highly SEO'd tutorials.

In the spirit of feedback, I would urge the poster to consider:

* Modern versions of PHP. You may find you don't even need to change your code
* password_hash() in place of MD5
* chmod 660 - where the group ownership is appropriate.

