Aaron

Reputation: 1966

PHP: Passwords with Special Characters

I can't seem to come up with the right way to work with passwords in PHP. I'm hashing and using a salt when it comes to storing, but I'm trying to get the basic password down:

stripslashes(mysql_real_escape_string($_POST["password"]));

I'm assuming some users will use passwords with "!@#$%^..." etc. I can imagine users using a password like <b>lulz</b>"u'mad?.

How can I include these special characters in my password variable?

Upvotes: 1

Views: 5983

Answers (2)

Oliver Charlesworth

Reputation: 272467

You shouldn't need to do any kind of escaping or stripping here.* Just something like $hashed = my_favourite_hash($_POST["password"] . $salt) should be fine. Any sane hashing function should return a string of alphanumeric characters, none of which need escaping.

Anyway, you should be using prepared statements for your SQL queries, so there's no chance of SQL injection, etc.


* Assuming that you don't have magic quotes enabled (and you really shouldn't!).

† Substitute your preferred hash function for my_favourite_hash here.

Upvotes: 5

tereško

Reputation: 58444

Storing a password in plain text format is extremely harmful. Instead, you should store a hash of that password in the database. If the password is hashed, there is no limitation on the characters it might contain.

To create said hash, I would recommend that you use the crypt() function, preferably using the SHA512 or BLOWFISH algorithm.

Additionally, I would recommend that you stop using the ancient mysql_* functions (which are in the process of being deprecated) and learn how to utilize PDO or MySQLi with prepared statements.

Upvotes: 3
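What the two answers above describe, put together as an added example that is not code from either answer: the raw password is hashed without escaping and the hash is stored through a PDO prepared statement. Assumptions: the `users` table, the `register()`/`login()` helpers and the sample passwords are constructed, an in-memory SQLite database stands in for MySQL, `password_hash()` with `PASSWORD_BCRYPT` (PHP 5.5+) supplies the Blowfish scheme of `crypt()`, and `addslashes()` stands in for the escaping step from the question.

```php
<?php
// Added example: table, helper names and sample passwords are constructed.
// In-memory SQLite stands in for MySQL so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');

function register(PDO $pdo, string $name, string $password): void
{
    // Hash the bytes exactly as submitted: no stripslashes(), no escaping.
    // PASSWORD_BCRYPT is crypt()'s Blowfish scheme with a random per-user salt.
    $hash = password_hash($password, PASSWORD_BCRYPT);
    // Bound parameters keep the values out of the SQL text.
    $stmt = $pdo->prepare('INSERT INTO users (name, pw_hash) VALUES (:name, :hash)');
    $stmt->execute([':name' => $name, ':hash' => $hash]);
}

function login(PDO $pdo, string $name, string $password): bool
{
    $stmt = $pdo->prepare('SELECT pw_hash FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $hash = $stmt->fetchColumn();   // false when the user does not exist
    // password_verify() reuses the salt embedded in the stored hash.
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed sample passwords, including the one from the question.
$samples = [
    'aaron' => '<b>lulz</b>"u\'mad?',
    'bob'   => '!@#$%^&*() \\ \' " ; --',
];

foreach ($samples as $name => $password) {
    register($pdo, $name, $password);
    // The stored hash contains only characters from ./0-9A-Za-z and '$'.
    $stored = $pdo->query('SELECT pw_hash FROM users WHERE name = ' . $pdo->quote($name))
                  ->fetchColumn();
    printf("%s: hash=%s\n", $name, $stored);
    printf("  raw password verifies:     %s\n", var_export(login($pdo, $name, $password), true));
    // Escaping before hashing changes the bytes, so it is a different password.
    $escaped = addslashes($password);
    printf("  escaped password verifies: %s\n", var_export(login($pdo, $name, $escaped), true));
}
```

Each raw password verifies, while its escaped form does not, because the added backslashes are hashed as part of the input.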
