Makketronix

Reputation: 1460

PHP password_hash return value and SQL

There are lots of questions about the password_hash() function, but none answered my question:

I am trying to find information about the password_hash function's return value. All I see is that it returns the actual hash.

I am planning to save the hash in an SQL table.

Can the hash contain quotes? If it can contain quotes, will I have to escape the hash before inserting it?

Thank you

Upvotes: 0

Views: 290

Answers (1)

martinstoeckli

Reputation: 24071

There is no need to escape a BCrypt hash with regard to SQL injection. A BCrypt hash calculated by password_hash() is base64 encoded; it contains only "harmless" characters from this alphabet...

./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz

...plus the $ sign to separate the parameters. That said, it is still a good idea to use parameterized queries, of course.

Upvotes: 3
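As an added example (not code from the question or the answer above), here is how the advice plays out in PHP: the hash goes into the table through a PDO prepared statement, so the character set of the hash never matters for the SQL, and login uses password_verify() plus password_needs_rehash(). The SQLite in-memory database, the users table and the usernames/passwords are assumptions made up for the demo; the regex only checks the answer's claim about the bcrypt alphabet and is not itself a defence.

```php
<?php
// Added example, not from the original question or answer.
// Assumes the pdo_sqlite extension; the "users" table is created here for the demo.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT NOT NULL UNIQUE,
    password_hash VARCHAR(255) NOT NULL
)');

// 1. Hash the password. PASSWORD_DEFAULT is currently bcrypt ("$2y$..."), which
//    yields 60 characters, but the column is sized to 255 so a future change of
//    the default algorithm (e.g. Argon2, which emits longer strings) still fits.
$hash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);

// 2. Check the claim from the answer: a bcrypt hash is "$2y$" + 2-digit cost +
//    "$" + 53 characters from ./0-9A-Za-z. No quote or other SQL metacharacter
//    can occur. This is a demonstration only; parameter binding is the real fix.
if (!preg_match('#^\$2[aby]\$\d{2}\$[./0-9A-Za-z]{53}$#', $hash)) {
    throw new RuntimeException('unexpected hash format: ' . $hash);
}

// 3. Insert with a prepared statement. The hash is sent as a bound value and
//    never becomes part of the SQL text, so escaping is not a question at all,
//    whatever characters the hashing algorithm produces.
$insert = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
$insert->execute([':u' => 'alice', ':h' => $hash]);

// 4. Login: fetch the stored hash by username (also bound, since the username
//    is attacker-controlled), compare with password_verify(), and transparently
//    upgrade the stored hash if the cost or algorithm has changed since it was written.
function login(PDO $pdo, string $username, string $password): bool
{
    $select = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $select->execute([':u' => $username]);
    $row = $select->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $update = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $update->execute([
            ':h'  => password_hash($password, PASSWORD_DEFAULT),
            ':id' => $row['id'],
        ]);
    }
    return true;
}

var_dump(login($pdo, 'alice', 'correct horse battery staple'));
var_dump(login($pdo, 'alice', "' OR 1=1 --"));
var_dump(login($pdo, "' OR 1=1 --", 'anything'));
```

The first call succeeds and the other two fail: the injection-shaped strings are only ever bound parameters, so they are compared as literal text rather than interpreted as SQL.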
