4

Hi I was composing a regex for a password field of my site and had a concern:

Are there any characters I should block a user from entering? If so why?

Or is it enough just to escape dangerous characters like = and ' when processing data? It seems good for this topic to list the php functions for escaping those, if you would.

Thanks!

Bijou Trouvaille
  • 8,794
  • 4
  • 39
  • 42

5 Answers5

7

I hash anything a user enters as a password, so I don't care what they enter, it never touches my database and can't cause any harm. md5($_POST['password'])

Other fields are a different story...

mysql_real_escape_string() is a great function for escaping data in queries.

Fosco
  • 38,138
  • 7
  • 87
  • 101
  • 1
    cracked?.. if someone gets in your database, they might be able to google up a couple decrypted passwords, but they would have to get in first right? Separate issue entirely... hashing it before SQL entry will eliminate any chance that the PASSWORD itself is being used for sql injection or harm to your site. – Fosco Jul 08 '10 at 20:02
  • Also, there's no realistic way they could get decrypted passwords from google if you use a unique salt to your application, not to mention a unique salt to each user (that's my preference) – Matthew Jul 08 '10 at 20:05
  • Couldn't this be "dangerous" if users type unicode characters? If the input is coming from a different encoding or is not normalized, password verification will fail! – ItalyPaleAle Oct 17 '14 at 16:23
3

Like other people have already said, hashing the users password before saving it to the database will mean you don't have to worry about what the user enters.

Whilst we're on the subject of hashing, you might even want to consider adding a 'salt' to the password before it is hashed. A salt is a random string (for example, the user's email address) that will help to improve the uniqueness of the hash generated (different users that have the same password will generate the same hash without the salt).

For more information take a read of: http://phpsec.org/articles/2005/password-hashing.html

greenie
  • 1,732
  • 4
  • 18
  • 33
1

No restrictions should be placed passwords. Let the user decide.

As for escaping characters for database entry, no need; Just do some research on SQL Injection

Community
  • 1
  • 1
The Pixel Developer
  • 13,282
  • 10
  • 43
  • 60
1

What specifically are you guarding against? If it's SQL injection, then you shouldn't rely on escaping the user-supplied parameters, you should be using parameterized queries.

http://us.php.net/manual/en/mysqli-stmt.bind-param.php

Mike Baranczak
  • 8,291
  • 8
  • 47
  • 71
  • everything, so i suppose if hashing is the only secure option then sql injections are of lesser concern now – Bijou Trouvaille Jul 08 '10 at 20:00
  • SQL injection is still a huge concern for anything other than passwords in this case. And when will you ever have a SQL query with a password alone by itself? – TNi Jul 08 '10 at 20:03
  • i agree - thanks. Thats lots of code to look though - is this the one page i have to familiarize myself with in order to guard against injections? – Bijou Trouvaille Jul 08 '10 at 20:11
  • @audio.zoom: if you read the first code snippet on that page, you should get the general idea. The specifics will be different depending on what language and library you're using, but this design pattern looks the same pretty much everywhere. – Mike Baranczak Jul 08 '10 at 20:23
0

None of this should be a problem as long as you escape everything the user enters on the server side. You can see more information at Where to use mysql_real_escape_string to prevent SQL Injection?.

Community
  • 1
  • 1
TNi
  • 16,070
  • 3
  • 22
  • 20