I'm curious to get opinions on using strip_tags() for fields that will be encrypted in a database. I often see websites that say "choose a password that contains X certain characters but not Z other characters." And I got curious.
Let's say there's a registration form where a new user creates a username and password, and the server will store the password as ...
sha1( $user_entered_value )
... or some other sort of hashed/encrypted string.
In this case, why would it ever matter that a user had entered <div> or some other such text in their password? The password will only ever be hashed into something before it is matched... so why would you bother stripping tags? Why bother preventing any "special" characters?
Thoughts?