
I'm capturing username, email and password in a custom registration form on my WordPress site. I'm sanitising the username using sanitize_user() and sanitize_email() sanitises the email address.

For example:

$username = sanitize_user( $username );
$email = sanitize_email( $email );

How should I sanitise the password entered by the user? All I can think of is sanitize_text_field( $pass ) but I'm sure that isn't the right way to do it.

henrywright
  • 3
    *Why* should you sanitize the password? If I create an account using a strong password, I don't want a site to weaken it for me – Mark Baker Aug 01 '14 at 10:13
  • I assumed you sanitize everything in case someone was trying to inject something nasty into the database? – henrywright Aug 01 '14 at 10:15
  • 1
    The password is hashed by `wp_insert_user()`. Is that enough? – henrywright Aug 01 '14 at 10:23
  • 6
    Hashing is enough. The generated hash is a string containing only characters that are valid for insertion into a database (no quotes, etc.), so nothing nasty can be added to the database. – Mark Baker Aug 01 '14 at 10:59

3 Answers

4

Sanitizing won't necessarily protect you from injection. To protect against that you need to use prepared statements - or in the case of WordPress, use the $wpdb class.

Sanitization simply strips invalid characters; in the cases you've given above, it removes characters that are not allowed in usernames or in a valid email address. Passwords allow lots of different character types because that's what makes them 'strong', so you don't want to strip them out.

If you're using wp_insert_user() to create a WP User, then you don't need to sanitize any of it anyway; the function will take care of it all for you.

Mark
  • 1
    Out of interest, how does `wp_insert_user()` take care of sanitization? – henrywright Aug 01 '14 at 12:02
  • 1
    You can see it in [core](https://core.trac.wordpress.org/browser/tags/3.9.1/src/wp-includes/user.php#L0). It uses `sanitize_user()` for the username and [`wp_hash_password`](http://codex.wordpress.org/Function_Reference/wp_hash_password) for the password. As @Mark Baker says above, hashing a password is enough for sanitization. Of course, WP handles the database insertion correctly so there is no chance of injection, which I believe was your initial concern. – Mark Aug 01 '14 at 19:06
  • I noticed `sanitize_user()` and `wp_hash_password()` in core. I didn't notice anything associated with sanitizing the email address. Did I miss that? Or is the user's email inserted into the database unsanitized? – henrywright Aug 01 '14 at 21:39
  • It's still a good idea to limit the number of characters in the password field in the registration and login process. – Sagive Apr 10 '17 at 14:34
  • 2
    Looking through wp_insert_user, it looks like you still need to do your own sanitizing for fields like first_name, last_name, user_email, display_name, and a variety of others depending on which fields you are submitting. – Matt Keys Feb 20 '18 at 23:45
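Putting the thread's advice together in one place, here is an added example of a custom registration handler (it is not code from the question or from any of the answers, and it is not WordPress core code). It assumes it runs inside WordPress, so `wp_insert_user()`, `sanitize_user()`, `sanitize_email()`, `wp_unslash()`, `wp_verify_nonce()` and `$wpdb` are the core functions and objects; the form field names (`reg_username`, `reg_email`, `reg_password`, `reg_nonce`), the nonce action `custom_register` and the 12-to-4096-byte password length bounds are illustrative assumptions. The username and email are sanitized as in the question, the password is passed to `wp_insert_user()` untouched so that every character reaches `wp_hash_password()`, and the direct-query helper at the end shows the `$wpdb->prepare()` placeholder approach that the answer above says is what actually prevents injection.

```php
<?php
// Added example (not from the question or any answer). Assumes WordPress is
// loaded; field names, nonce action and length bounds are hypothetical.

function custom_register_user( array $post ) {
    // Verify the form nonce before touching any of the submitted values.
    if ( ! isset( $post['reg_nonce'] )
        || ! wp_verify_nonce( $post['reg_nonce'], 'custom_register' ) ) {
        return new WP_Error( 'bad_nonce', 'Form verification failed.' );
    }

    // Username and email: strip characters that are not valid in those fields
    // (strict mode for sanitize_user() keeps only the reduced character set).
    $username = sanitize_user( wp_unslash( $post['reg_username'] ?? '' ), true );
    $email    = sanitize_email( wp_unslash( $post['reg_email'] ?? '' ) );

    if ( '' === $username || ! is_email( $email ) ) {
        return new WP_Error( 'bad_input', 'Username or email address is invalid.' );
    }

    // Password: do NOT sanitize. Only remove the slashes WordPress adds to
    // $_POST and enforce a length range, so the exact characters the user typed
    // are what gets hashed. (Bounds are an assumption, not a WordPress rule.)
    $password = wp_unslash( $post['reg_password'] ?? '' );
    $length   = strlen( $password );
    if ( $length < 12 || $length > 4096 ) {
        return new WP_Error( 'bad_password', 'Password must be between 12 and 4096 bytes.' );
    }

    // wp_insert_user() hashes user_pass with wp_hash_password() and performs the
    // insert through $wpdb, so the raw password never appears in an SQL string.
    $user_id = wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
    ) );

    return $user_id; // int user ID on success, WP_Error on failure
}

// If you query the users table yourself, bind values with $wpdb->prepare()
// rather than concatenating sanitized strings: the placeholder, not the
// sanitization, is what prevents SQL injection.
function custom_find_user_id_by_email( $email ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->users} WHERE user_email = %s",
        sanitize_email( $email )
    );
    return (int) $wpdb->get_var( $sql );
}
```

Call `custom_register_user( $_POST )` from the form's submit handler and check the return value with `is_wp_error()` before redirecting. The length check answers the comment above about limiting password size; everything else about the password is left to `wp_hash_password()`.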
2

wp_insert_user() state of sanitization and filters as of WordPress 5.7 (2021)


wp_insert_user() and user_pass by default:

Should NOT be sanitized.


wp_insert_user() and user_login by default:


wp_insert_user() and user_nicename by default:


wp_insert_user() and user_email by default:


wp_insert_user() and user_url, display_name, nickname, first_name, last_name, description, by default:

  • No distinct sanitization.
  • No distinct filters.
  • No distinct comparison.

Sources

amarinediary
1

As mentioned you can use the sanitize_text_field() function. It may cause some issues on some crazy passwords with special characters etc.

But it should be okay.

Andrew
  • 2
    You do not need to sanitize the password field for WordPress as wp_insert_user or wp_update_user will hash the data and this sanitizes it. You can use `sanitize_text_field` but it would make some passwords fail and convert some %20 values to HTML entities like spaces or characters etc. – Andrew Jan 21 '20 at 11:44