4

Hi I was composing a regex for a password field of my site and had a concern:

Are there any characters I should block a user from entering? If so why?

Or is it enough just to escape dangerous characters like = and ' when processing data? It seems good for this topic to list the php functions for escaping those, if you would.

Thanks!

Improve this question

5 Answers 5

Reset to default
7

I hash anything a user enters as a password, so I don't care what they enter, it never touches my database and can't cause any harm. md5($_POST['password'])

Other fields are a different story...

mysql_real_escape_string() is a great function for escaping data in queries.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

cracked?.. if someone gets in your database, they might be able to google up a couple decrypted passwords, but they would have to get in first right? Separate issue entirely... hashing it before SQL entry will eliminate any chance that the PASSWORD itself is being used for sql injection or harm to your site.
Also, there's no realistic way they could get decrypted passwords from google if you use a unique salt to your application, not to mention a unique salt to each user (that's my preference)
Couldn't this be "dangerous" if users type unicode characters? If the input is coming from a different encoding or is not normalized, password verification will fail!
3

Like other people have already said, hashing the users password before saving it to the database will mean you don't have to worry about what the user enters.

Whilst we're on the subject of hashing, you might even want to consider adding a 'salt' to the password before it is hashed. A salt is a random string (for example, the user's email address) that will help to improve the uniqueness of the hash generated (different users that have the same password will generate the same hash without the salt).

For more information take a read of: http://phpsec.org/articles/2005/password-hashing.html

Improve this answer

1 Comment

many good answers - thanks I was looking for a good salt tutorial
1

No restrictions should be placed passwords. Let the user decide.

As for escaping characters for database entry, no need; Just do some research on SQL Injection

Improve this answer

Comments

1

What specifically are you guarding against? If it's SQL injection, then you shouldn't rely on escaping the user-supplied parameters, you should be using parameterized queries.

http://us.php.net/manual/en/mysqli-stmt.bind-param.php

Improve this answer

4 Comments

everything, so i suppose if hashing is the only secure option then sql injections are of lesser concern now
SQL injection is still a huge concern for anything other than passwords in this case. And when will you ever have a SQL query with a password alone by itself?
i agree - thanks. Thats lots of code to look though - is this the one page i have to familiarize myself with in order to guard against injections?
@audio.zoom: if you read the first code snippet on that page, you should get the general idea. The specifics will be different depending on what language and library you're using, but this design pattern looks the same pretty much everywhere.
0

None of this should be a problem as long as you escape everything the user enters on the server side. You can see more information at Where to use mysql_real_escape_string to prevent SQL Injection?.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.