From fb80cb78eb21953183adae7ca79eeba3f3f8c3be Mon Sep 17 00:00:00 2001
From: Christos Choutouridis
Date: Sun, 11 Jan 2026 21:06:49 +0200
Subject: [PATCH] Fix plain text in user authendication -- part 2.
---
 passman-dev/php/passman/register.php | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/passman-dev/php/passman/register.php b/passman-dev/php/passman/register.php
index 1c3516f..a4abd0d 100644
--- a/passman-dev/php/passman/register.php
+++ b/passman-dev/php/passman/register.php
@@ -37,8 +37,17 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
 $login_message = "Database error (prepare failed).";
 $result = false;
 } else {
- $stmt->bind_param("ss", $new_username, $new_password);
- $result = $stmt->execute();
+ // Hash the password before storing it.
+ // Never store login passwords in plaintext.
+ $password_hash = password_hash($new_password, PASSWORD_DEFAULT);
+ if ($password_hash === false) {
+ $login_message = "Password hashing failed.";
+ $result = false;
+ } else {
+ // Store the hash (not the plaintext password).
+ $stmt->bind_param("ss", $new_username, $password_hash);
+ $result = $stmt->execute();
+ }
 $stmt->close();
 }