Is only Password Hash enough to filter the input of a password field in a register?

Currently I do as follows:

$senha = strip_tags(trim($_POST['Senha']));

$senha_segura = password_hash($senha, PASSWORD_DEFAULT);

I would like to know if this is the best way to protect the password field and whether, when using password_hash, it is necessary to use strip_tags as well, since password_hash encrypts the data that is entered and generates a different value in the database; or does password_hash already protect the database against SQL injection and other attacks by changing tags and characters into a different value?

NOTE: I also use PDO bindValue:

$query->bindValue(':senha', $senha_segura, PDO::PARAM_STR);

  • strip_tags is a mistake; it can damage a valid password.

  • Would the right thing be to use only password_hash itself?

  • Yes, password_hash is what you need (and password_verify to check). I posted 5 interesting links at the top of your question, but if you still have any questions, ask us here or click [Edit] to specify the unresolved question.

  • In addition, what you need to know besides the password part is in this post and similar ones (a search for "Injection" at the top of the site helps): https://answall.com/questions/3864/70

  • Bind provides additional protection (via code) in PDO, and in mysqli_ it is native protection against injection (bind was not even made for this, but the protection is a side effect); both help, but pay close attention if there are parts with concatenation.

  • Anything else, leave a comment here; there are nice people on the site who have good experience with this. And if the links above are not enough to settle the doubt, comment here and we will analyze it and try to make the question more specific.

  • Thanks Bacco, I will remove the strip_tags, but regarding damaging a valid password: I use it in registration and login, so even if it removes some character at registration time, the same will happen at login and it will validate the same way, if that is what you meant.

  • Think about it: I enter the password a<b>c#d; in the DB it will end up as just ac#d. As a user I will not even notice that my password has been corrupted, but besides you having weakened it, it will cause problems in some places and not in others. The user cannot even work out what went wrong. It is not good to touch other people's passwords, even more so "under the table". What you should do is prevent the use of unwanted characters at registration, but never MODIFY the value in order to accept it.
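The advice in the comments put together as an added example (not code from the question or from the commenters): registration and login with password_hash/password_verify and PDO prepared statements, where the password is validated and rejected on failure rather than silently altered by strip_tags. It assumes a hypothetical users(nome, senha) table and uses an in-memory SQLite database with constructed sample data so it runs stand-alone.

```php
<?php
declare(strict_types=1);

// Reject unwanted input; never silently change it. strip_tags would turn
// the password "a<b>c#d" into "ac#d" behind the user's back.
function validatePassword(string $senha): ?string
{
    if (strlen($senha) < 8) {
        return 'The password must have at least 8 characters.';
    }
    if (strlen($senha) > 72) { // bcrypt (PASSWORD_DEFAULT) only uses the first 72 bytes
        return 'The password is too long.';
    }
    return null; // null means the password is acceptable as typed
}

function register(PDO $pdo, string $nome, string $senha): void
{
    if (($error = validatePassword($senha)) !== null) {
        throw new InvalidArgumentException($error);
    }
    // Hash the password exactly as the user typed it; only the hash is stored.
    $hash = password_hash($senha, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (nome, senha) VALUES (:nome, :senha)');
    $stmt->bindValue(':nome', $nome, PDO::PARAM_STR);
    $stmt->bindValue(':senha', $hash, PDO::PARAM_STR);
    $stmt->execute();
}

function authenticate(PDO $pdo, string $nome, string $senha): bool
{
    // The bound parameter, not the hash, is what protects the query from injection.
    $stmt = $pdo->prepare('SELECT senha FROM users WHERE nome = :nome');
    $stmt->bindValue(':nome', $nome, PDO::PARAM_STR);
    $stmt->execute();
    $hash = $stmt->fetchColumn();
    // password_verify compares the typed password with the stored hash.
    return $hash !== false && password_verify($senha, (string) $hash);
}

// Demo on an in-memory SQLite database (constructed sample data, hypothetical schema).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, nome TEXT UNIQUE, senha TEXT)');
register($pdo, 'alice', 'a<b>c#d!xyz');
var_dump(authenticate($pdo, 'alice', 'a<b>c#d!xyz')); // the password exactly as registered
var_dump(authenticate($pdo, 'alice', 'ac#d!xyz'));    // the strip_tags-mangled form is a different password
```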

No answers