Proper way to sanitize a password?

php mysql hash sanitization
15,380

Solution 1

If you are going to put the variable in an SQL query, then you either need to call mysqli_read_escape_string or (even better!) use prepared statements.

There's no other sanitization you need to do. However, if the value will be coming from freeform user input (e.g. a text box instead of a drop down menu) then you may also want to trim whitespace and lowercase it as a courtesy to the user (to correct accidental mistakes they might make). It really depends on the application.

Solution 2

Just to be clear, you're receiving from an un-trusted source a hash (effectively random data) + salt (actually random data), and you want to 'sanitize' it? There is probably a definition of sanity that applies (a data format like base64 encoding, a maximum / expected length), but I strongly suspect there is a functional security mistake in there somewhere.

Most notably, why are you accepting a hash+salt from an un-trusted source, rather than accepting a password and doing the transformation within your trusted environment? Accepting a hash+salt from an un-trusted source probably turns them into plain-text equivalents (you lose the benefit you got from hashing and salting the original password).

Share:
15,380
daniel__
Author by

daniel__

Founder of Teamlyzer Something between Glassdoor and Stackoverflow for portuguese speakers.

Updated on June 28, 2022

Comments

  • daniel__
    daniel__ almost 2 years

    How I can sanitize a string that receives a hash+random salt?

    I can remove the white spaces, check the length and use mysqli_real_escape_string, but it sufficient? The filter_var is really useful but it can't help in this case, right?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Connect to MySQL with hashed password?
PHP & MYSQL: using bcrypt hash and verifying password with database
How to add md5 hash of a password in phpmyadmin 4.1.6?
How to encrypt a password that is inserted into a MySQL table?
MySQL Hashing Function Implementation
function to sanitize input to Mysql database
PHP salt and hash SHA256 for login password
Using PHP 5.5's password_hash and password_verify function
php mysqli_connect: authentication method unknown to the client [caching_sha2_password]
Check WordPress hashed password with plain password