Reputation: 49
In a sign up / login form, we validate user input like username and email and make sure that it does not contain any special characters. My question is about the Password input field. Is it possible to inject an SQL query using the password input field? Because we allow users to add special characters to it.
Upvotes: 3
Views: 2616
Reputation: 74217
my question is about the Password input field
Is it possible to inject sql query using password input field?
Not if you use a prepared statement.
However, both password_hash() and password_verify() already take this into account, and you should not be manipulating passwords or limiting them. This is something you should be using in this day and age.
If you escape a password that contains a quote, for instance John'sPlace, it will be modified to John\'sPlace, which in turn, if you use the hashing methods as stated, will fail silently on verification.
Even if a potential hacker were to try something like String'); DROP TABLE USERS; -- in the password input, that would still be entered as a hash into the database, when using password_hash() of course.
Something like $2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a (example hash pulled from the manual) can't do any harm.
Upvotes: 5
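The two points of the answer above, as an added example that is not part of the original post: the password is hashed before it reaches the database and bound through a PDO prepared statement, so the injection string is stored as a bcrypt hash, while escaping the password before hashing (addslashes here) makes verification fail. The in-memory SQLite database, the table layout and the register()/login() helpers are assumptions for the demo.

```php
<?php
// Added example (not the original answer's code): PDO prepared statements plus
// password_hash()/password_verify(). In-memory SQLite so it runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

function register(PDO $db, string $username, string $password): void {
    // The raw password never touches SQL: it is hashed first, and the hash is
    // bound as a parameter instead of being concatenated into the query text.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function login(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    // password_verify() compares in constant time; false when the user is unknown.
    return $hash !== false && password_verify($password, $hash);
}

function storedHash(PDO $db, string $username): string {
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return (string) $stmt->fetchColumn();
}

function check(bool $cond, string $what): void {
    if (!$cond) { throw new RuntimeException("check failed: $what"); }
}

// The injection attempt quoted in the answer, submitted as a password.
$attempt = "String'); DROP TABLE USERS; --";
register($db, 'alice', $attempt);

// The table still exists and the row holds a bcrypt hash, not the raw input.
check(substr(storedHash($db, 'alice'), 0, 4) === '$2y$', 'stored value is a bcrypt hash');
check(login($db, 'alice', $attempt) === true, 'correct password verifies');
check(login($db, 'alice', 'wrong') === false, 'wrong password is rejected');

// Escaping before hashing, which the answer warns against: the hash is of
// John\'sPlace, so the password the user actually typed no longer verifies.
register($db, 'john', addslashes("John'sPlace"));
check(login($db, 'john', "John'sPlace") === false, 'escaped-then-hashed password fails');
echo "all checks passed\n";
```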