CLo

Reputation: 3730

Can hash output be dangerous for SQL Queries?

There was a question about using stripslashes and mysql_real_escape_string on a password before hashing it and storing it. And the stripping or escaping before the hashing isn't necessary as the special characters don't carry meaning to the hashing function.

However, is it possible that certain hash results may create dangerous SQL queries?

I realize that with a sufficient hash and a salt there's such a small chance of this happening intentionally, but would it still be a good practice to run a strip and escape on the hashed results?

Upvotes: 0

Views: 138

Answers (2)

Bailey Parker

Reputation: 15905

It would be overzealous and unnecessary to do so. Hashing functions don't output any quotes that could introduce a SQL injection vulnerability. Also, you shouldn't really have to use both stripslashes() and mysql_real_escape_string(). Just use mysql_real_escape_string().

Example: Not that I am condoning the use of MD5, but from its Wikipedia page:

An MD5 hash is typically expressed as a 32-digit hexadecimal number.

Hexadecimal numbers should never pose a problem with SQL injections because they just consist of /[0-9a-f]/. If you search for the hashing function that you're using you should find something similar. You don't need to sanitize the hash. You should be safe!

Upvotes: 2

Pelshoff

Reputation: 1464

The result of a hash function is a number. To my knowledge, most if not all PHP hash functions return the number in hex. There can be no danger of an unsafe string result from a hash function.

However, it is always a good practice to escape everything you put into a query - or even better, use parameterized queries.

Upvotes: 3
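Added example illustrating both answers above (this is my own code, not something either answerer posted, and it uses Python with sqlite3 rather than PHP/MySQL): it hashes passwords stuffed with SQL metacharacters, checks that every hex digest really does consist only of [0-9a-f], and then stores and verifies the hash through parameterized queries so no hand escaping is needed anyway. The sample passwords, table layout, and helper names are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# A hex digest can only contain these characters; anything else means the
# value is not hex output and the "hex cannot carry quotes" argument does not apply.
HEX_ONLY = re.compile(r"[0-9a-f]+")

# Constructed sample passwords full of SQL metacharacters (assumption: these are
# just test inputs, not anything from the original question).
SAMPLE_PASSWORDS = [
    "' OR 1=1 --",
    'x"; DROP TABLE users; --',
    "back\\slash and ; semicolons",
    "unicode \U0001f512 password",
]


def is_hex_only(value: str) -> bool:
    """True if value consists solely of lowercase hex digits."""
    return HEX_ONLY.fullmatch(value) is not None


def hexdigest_lengths() -> dict:
    """Hex digest length per algorithm: two hex characters per output byte
    (md5 -> 32, sha1 -> 40, sha256 -> 64)."""
    return {name: len(hashlib.new(name, b"x").hexdigest())
            for name in ("md5", "sha1", "sha256")}


def all_hexdigests_hex_only(passwords=SAMPLE_PASSWORDS) -> bool:
    """Every hexdigest() of every sample password is hex-only, no matter what
    quotes, semicolons or backslashes the password itself contained."""
    return all(
        is_hex_only(hashlib.new(name, pw.encode("utf-8")).hexdigest())
        for name in ("md5", "sha1", "sha256")
        for pw in passwords
    )


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted PBKDF2-HMAC-SHA256, returned as 64 lowercase hex characters."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def setup_db() -> sqlite3.Connection:
    """In-memory table holding a per-user random salt and the hex hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt TEXT NOT NULL, pw_hash TEXT NOT NULL)"
    )
    return conn


def store_user(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Hash and insert via a parameterized query: nothing is escaped by hand,
    neither the hash nor the username."""
    salt = os.urandom(16)
    pw_hash = hash_password(password, salt)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt.hex(), pw_hash),
    )
    conn.commit()
    return pw_hash


def verify_user(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Fetch salt and hash (parameterized again) and compare in constant time."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt_hex, stored = row
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)


def user_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    print(hexdigest_lengths())
    print("all hex digests hex-only:", all_hexdigests_hex_only())
    db = setup_db()
    for i, pw in enumerate(SAMPLE_PASSWORDS):
        store_user(db, f"user{i}", pw)
    print("users stored:", user_count(db),
          "login ok:", verify_user(db, "user0", SAMPLE_PASSWORDS[0]))
```

One caveat worth keeping in mind: the hex-only guarantee is a property of the hex encoding, not of hashing as such. A raw binary digest (hash() with the binary flag in PHP, digest() here) can contain any byte value, and bcrypt-style outputs such as PHP's password_hash() are not hex either. With a parameterized query none of that matters, which is why the second answer's advice is the one to follow.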
