-1

Do hash values contain quotes?

If it depends on the algorithm, I want to know about blowfish using phpass.

I'm asking with regard to SQL injection because I don't want to prepare the query for authentication and use placeholders, just wrap the username and password hash in quotes. (I also doubt whether the username is safe when it is just validated to consist only of word chars [a-wA-W1-9_] (no quotes or other special chars)?)

MTVS
  • Validating the username to only contain chars you feel able to deal with is a good idea. But also respect your database client library and make use of the features it offers like prepared statements. – hakre Apr 25 '13 at 11:23

1 Answer

2

Yes, hash values can contain quotes. As well as usernames.

You should also not base your database-interaction on the fragile assumption that they never should have (because you hope so much to not prepare which sounds ridiculous).

Instead, make the database query as safe as possible regardless of what you assume the data will be. Sometimes things go wrong on some end and you don't want that error stored in your persistence layer, nor do you want to offer a potential door for SQL injection.

hakre