Or should we just escape and prepare the password and let the user have every character and special character possible? I mean at the end of the day, the people trying to SQL inject will fail and it will just escape the string, and am I right in saying there's no need to punish the normal, law abiding citizen for other people's wrong doings?
- You can use PDO, have a look http://stackoverflow.com/questions/26292890/what-is-pdo-how-its-related-with-sql-injection-why-i-should-use-this/26293078#26293078 – Tushar Gupta Dec 15 '14 at 07:00
- What kind of characters are you referring to? ASCII and Unicode should be fine, but you might want to disallow control characters in user input. – BinarySpark Dec 15 '14 at 07:01
- I do Tushar :) Hence the prepare statement :P – Dec 15 '14 at 07:01
- Yes, you should always escape any text input by a user before entering it into the database. – Raptor Dec 15 '14 at 07:01
- Some characters have multiple encodings which could conceivably be keyboard or input-device dependent. Disallowing them or always converting them might save some customer frustration. – Dwayne Towell Dec 15 '14 at 07:02
1 Answer
No, do not remove any characters from passwords. If you are following best practice and using `password_hash` and `password_verify`, the only thing you'll be storing in your database are harmless hashes. Removing any characters might weaken the strength of their password for nothing.

icktoofay