Ali
Ali

Reputation: 49

Prevention of SQL injection in password input field? PHP

In a sign up / login form , we validate user input like username and email and make sure that it does not contain any special character . my question is about the Password input field . Is it possible to inject sql query using password input field? because we allow user to add special characters to it.

Upvotes: 3

Views: 2616

Answers (1)

Funk Forty Niner
Funk Forty Niner

Reputation: 74217

my question is about the Password input field
Is it possible to inject sql query using password input field?

Not if you use a prepared statement.

However, both password_hash() and password_verify() already take this into account and you should not be manipulating passwords or limiting them.

This is something you should be using in this day and age.

If you escape a password that contains a quote for instance John'sPlace, that will be modified to John\'sPlace which in turn and if you use the hashing methods as stated, will fail silently on verification.

Even if a potential hacker were to try something like: String'); DROP TABLE USERS; -- into the password input, that would still be entered as a hash into the database, when using password_hash() of course.

Something like $2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a (example hash pulled from the manual) can't do any harm.

Upvotes: 5

Related Questions