Currently I do as follows:
$senha = strip_tags(trim($_POST['Senha']));
$senha_segura = password_hash($senha, PASSWORD_DEFAULT);
I would like to know if this is the best way to protect the password field, and whether, when using password_hash, it is also necessary to use strip_tags, since password_hash encrypts the data that comes in and generates a different value in the database. Or does password_hash already protect the database against SQL injection and other attacks, by changing tags and characters into a different value?
NOTE: I also use the PDO bindvalue:
$query->bindValue(':senha', $senha_segura, PDO::PARAM_STR);
strip_tags is a mistake; it can damage a valid password.
– Bacco
So the right thing would be to use only password_hash itself?
– Luizinho
Yes, password_hash is what you need (and password_verify to check). I posted 5 interesting links at the top of your question, but if you still have any questions, ask us here or click on [Edit] to specify the unresolved question.
– Bacco
In addition, what you need to know besides the password part, is in this post and similar (a search for "Injection" at the top of the site helps): https://answall.com/questions/3864/70
– Bacco
Bind provides additional protection (via code) in PDO, and in mysqli_ it is native protection against injection (bind was not even made for this, the protection is a side effect). Both help, but pay close attention to any parts where there is concatenation.
– Bacco
Anything else, leave a comment here; there are nice people on the site who have good experience with this. And if the links above are not enough to settle the doubt, comment here and we will analyze it and try to make the question more specific.
– Bacco
Thanks Bacco, I will remove the strip_tags. But regarding damaging a valid password: I use it in both registration and login, so even if it removes some character at registration time, the same will happen at login and it will validate the same way, if that is what you meant.
– Luizinho
Think about it: I enter the password a<b>c#d --- in the DB only ac#d will remain; I as a user will not even notice that my password has been corrupted, but besides you having weakened it, it will cause problems in certain parts and not in others. The user cannot even work out what went wrong. It is not good to touch other people's passwords, even less "under the table". What you should do is prevent the use of unwanted characters at registration, but never MODIFY the value in order to accept it.
– Bacco
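The following is an added example, not code from the question or the comments. It assumes PHP 7.2+ with PDO and the sqlite driver, and a hypothetical `users` table with a `senha` column; it shows the password from Bacco's comment being silently altered by strip_tags, and the same flow done correctly with password_hash, password_verify and a bound parameter.

```php
<?php
// Added example: why strip_tags() must not touch a password before hashing,
// and how password_hash()/password_verify() plus bindValue() make it unnecessary.
declare(strict_types=1);

// 1. strip_tags() silently alters the secret: the "<b>" in the middle is dropped,
//    so "a<b>c#d" and "ac#d" (two different passwords) become the same input.
$typed    = 'a<b>c#d';
$stripped = strip_tags($typed);                      // "ac#d"

// Hashing the stripped value means a login with the *other* password also passes:
// the check is weakened and the user never learns why.
$hashOfStripped = password_hash($stripped, PASSWORD_DEFAULT);
var_dump(password_verify('ac#d', $hashOfStripped));            // accepted, although never chosen
var_dump(password_verify(strip_tags($typed), $hashOfStripped)); // accepted as well

// 2. Correct handling: hash the raw value. password_hash() accepts any characters;
//    its output is an opaque salted hash, so tags or quotes never reach SQL as typed.
$hash = password_hash($typed, PASSWORD_DEFAULT);
var_dump(password_verify('a<b>c#d', $hash));  // the real password
var_dump(password_verify('ac#d', $hash));     // a different password stays different

// 3. Storage and lookup with PDO prepared statements (hypothetical `users` table,
//    in-memory SQLite here so the example runs stand-alone). The bound value is sent
//    separately from the SQL text, so the password never becomes part of the query.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (login TEXT PRIMARY KEY, senha TEXT NOT NULL)');

$ins = $pdo->prepare('INSERT INTO users (login, senha) VALUES (:login, :senha)');
$ins->bindValue(':login', 'luizinho', PDO::PARAM_STR);
$ins->bindValue(':senha', $hash, PDO::PARAM_STR);
$ins->execute();

// Login: fetch the stored hash by login, then let password_verify() compare.
// The candidate password is never placed in the SQL and never compared by hand.
function checkLogin(PDO $pdo, string $login, string $candidate): bool
{
    $sel = $pdo->prepare('SELECT senha FROM users WHERE login = :login');
    $sel->bindValue(':login', $login, PDO::PARAM_STR);
    $sel->execute();
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($candidate, $row['senha']);
}

var_dump(checkLogin($pdo, 'luizinho', 'a<b>c#d'));   // the registered password
var_dump(checkLogin($pdo, 'luizinho', 'ac#d'));      // the stripped variant
var_dump(checkLogin($pdo, "x' OR '1'='1", 'anything')); // bound login, no injection
```

If a password policy is wanted, reject the registration with a message when the value does not meet it, rather than rewriting the value as in the first block.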