I'm using sha1 to encrypt it. Should I mysql_real_escape_string() as well, or is encrypting it enough?
- You should be using parametrized queries instead. – Waleed Khan Feb 19 '13 at 22:28
- Those are two orthogonal concepts. Furthermore, sha1 is not an encryption algorithm. – knittl Feb 19 '13 at 22:29
- Depends on if you use the binary sha1 output, or hex-encoded. But why wouldn't you escape it anyway? You picked the dated database interface that requires escaping values. Are you trying to evade the consequences of that cumbersome choice? – mario Feb 19 '13 at 22:31
1 Answer
Technically speaking, the output from sha1 will always be a hex-string, so you wouldn't need to escape it.

However: The answer to this question is always the same: escape the values. If it comes from a hard-coded variable 2 lines before your SQL, escape it. Always. Escape. Period. There are SO many other things to worry about optimizing.

Parameterized queries and PDO are always the best option, however

Second note: sha1 and md5 aren't the most secure for passwords. If you're not too far in, consider another solution such as blowfish.

Colin M
- @DougSmith There's no reason to escape before hashing. If you take my advice about always escaping, you would escape what _goes into_ your database (the already hashed value). Don't escape prior to hashing. – Colin M Feb 19 '13 at 23:24
- Yes, escaping sounds like a good idea, after hashing. Simply because there could be another hack in play against the encryption function. – Epirocks Nov 30 '17 at 12:10
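The two points of the answer above (sha1 output is plain hex so escaping the hash is a no-op, but parameterized queries plus a bcrypt hash are the real fix), as an added example that is not code from the question or the answer. It uses an in-memory SQLite database through PDO so it runs stand-alone; the `users` table and its column names are assumptions.

```php
<?php
// Added example, not from the original post. Assumes a `users(username,
// password_hash)` table; an in-memory SQLite database is created below.

// Point 1: sha1() always returns 40 hex characters, so the hash itself never
// contains anything that needs escaping. Escaping *before* hashing would
// change the password, which is the mistake Colin M's comment warns about.
function sha1_is_plain_hex(string $password): bool {
    return (bool) preg_match('/^[0-9a-f]{40}$/', sha1($password));
}

// Point 2: a parameterized query removes the escaping question entirely, and
// password_hash() with bcrypt (the "blowfish" option the answer mentions) is
// salted and deliberately slow, unlike unsalted sha1/md5.
function register_user(PDO $pdo, string $username, string $password): void {
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// password_verify() reads the salt and cost out of the stored hash, so the
// comparison needs no extra bookkeeping.
function check_login(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Constructed sample data: the quote in the username is handled by the placeholder.
register_user($pdo, "o'brien", 'correct horse');
var_dump(sha1_is_plain_hex("it's a pass"));
var_dump(check_login($pdo, "o'brien", 'correct horse'));
var_dump(check_login($pdo, "o'brien", 'wrong password'));
```

Note that `mysql_real_escape_string()` belongs to the old `ext/mysql` extension, which was removed in PHP 7; PDO prepared statements are the replacement on both counts.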