Potential leak of data: Simple Password

Detected 1 occurrence(s) of ‘\s*pass[word]+\s*[:=]\s*["'][a-z0-9\-_\!\$]+["']‘: ['hidden']) && $_POST['hidden'] ==1){ $username = $mysqli->real_escape_string($_POST['username']); $password = $mysqli->real_escape_string($_POST['password']); $sql = $mysqli->query("SELECT * from user WHERE username = '$username' AND password = '$password' LIMIT 1"); $hash =CRYPT_BLOWFISH ; if(password_verify($password, $hash)) == true{ echo "<p>Logged in successfully</p>"; session_regenerate_id(true); $_SESSION['user'] = "test"; Source: http://pastebin.com/raw.php?i=UYJqEQhN