mattyvx Posted December 6, 2009

Hi, I want to safely sanitise a password field on my site. Normally all fields are passed through a function which runs mysql_real_escape and htmlentities. However, I don't want to change the user's input for their password. How can I safely sanitise and store a password without:

a) changing the user's input (within reason)
b) presenting a risk to my SQL database.

Thanks!
oni-kun Posted December 6, 2009

Use regular expressions to only allow a-zA-Z-_ etc. characters to be used. MySQL_real_escape will happen when the user creates the password, AND logs in later on. So there is nothing 'changed', since it escapes it each time it's entered/created.
phant0m Posted December 6, 2009

As already said, mysql_real_escape_string does not change your password. It just prevents MySQL injection. However:

1) you should check that magic_quotes are off -> get_magic_quotes_gpc()
2) encrypt the passwords (salted)
mrMarcus Posted December 6, 2009

You should be hashing your passwords to begin with, so any escaping function is not necessary in such a matter. mysql_real_escape_string(), if used in conjunction with a hashing function (md5()), will affect how a password is hashed. e.g.

    <?php
    // Note the ' characters in the password.
    $pass = "this_is_a_'test'_password";

    // mysql_real_escape_string() needs an open mysql connection; it adds
    // backslashes before the quotes, so the hash is taken over a different string.
    echo md5(mysql_real_escape_string($pass)); // prints 0f169d231c253884d26b0fac19c0e1e4

    // Hashing the password exactly as typed:
    echo md5($pass); // prints 6695afdca4ea21d0870c40cc9ebad42c
    ?>

So, just keep in mind that any function that escapes special characters can play a factor in how your password is ultimately stored. So, do not use mysql_real_escape_string() in conjunction with a hashing function such as md5(), as it is not necessary to begin with. Just thought I'd point that out.
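The approach the last two posts converge on (hash the raw, untouched password with a salted hash; keep user input out of the SQL text), as an added example that is not from the thread or any poster. It uses PHP's password_hash()/password_verify() (a salted bcrypt hash) and PDO prepared statements, and assumes a PDO connection in $pdo and a hypothetical users(username, pass_hash) table.

```php
<?php
// Added example (not from the thread). Assumes a PDO connection in $pdo and
// a hypothetical table: users(username VARCHAR, pass_hash VARCHAR(255)).

// Register: hash the password exactly as typed. password_hash() salts it and
// uses a slow algorithm (bcrypt), so neither escaping nor md5() is involved.
function registerUser(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // A prepared statement keeps user input out of the SQL text entirely,
    // which is what mysql_real_escape_string() was trying to achieve.
    $stmt = $pdo->prepare('INSERT INTO users (username, pass_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// Login: fetch the stored hash and let password_verify() do the comparison.
function checkLogin(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT pass_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();

    // fetchColumn() returns false when the user does not exist.
    return $hash !== false && password_verify($password, $hash);
}

// Magic quotes (phant0m's point): if the server still has them on, strip the
// added backslashes before hashing so the stored hash matches what was typed.
function rawInput(string $value): string
{
    return (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
        ? stripslashes($value)
        : $value;
}

// Usage sketch with the password from the thread (it contains quotes on purpose):
// registerUser($pdo, 'alice', rawInput($_POST['password']));
// var_dump(checkLogin($pdo, 'alice', "this_is_a_'test'_password")); // bool(true)
```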
phant0m Posted December 6, 2009

Oh - right, what was I thinking. But nonetheless, magic_quotes should be reversed if it's enabled on the server. This will make things easier if the server changes the setting to off in the future or you move to a different server.