
I want to allow using special chars in password, however I would like to know: is it safe to use untouched password from $_POST and then store its hash in the database?

Like This:

password_hash($_POST['password'], PASSWORD_BCRYPT)

and

password_verify($_POST['password'], $hashFromDatabase)

The username would be validated as alphanumeric, and both stored in the database via PDO?

Gumbo
Pusic

2 Answers


Yes and no. Although you will not have any problems with the special characters, you can with the length. According to the manual:

Caution

Using the PASSWORD_BCRYPT for the algo parameter, will result in the password parameter being truncated to a maximum length of 72 characters.

Now the truncated passwords will always match, but you might give users a false sense of security as passwords longer than 72 characters are truncated.

See a simple example here.

A bit of a hypothetical situation though...

jeroen
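The truncation described in the answer above, shown in code. This is an added example, not code from the question or the answers: two constructed passwords that share their first 72 bytes verify against the same hash, and a hypothetical `checkPasswordLength()` helper (an assumption for this example, not a PHP function) rejects over-long input before it reaches `password_hash()`. Note that bcrypt's limit is 72 bytes, not characters, so the check uses `strlen()` rather than `mb_strlen()`; the second `password_verify()` call returns true even though `$pw2` is not the password that was hashed.

```php
<?php
// Added example (not from the original question or answers): bcrypt only
// looks at the first 72 bytes of the password. Reject longer passwords up
// front instead of silently accepting input that will be truncated.
// The limit is 72 *bytes*, so the check uses strlen(), not mb_strlen().

declare(strict_types=1);

const BCRYPT_MAX_BYTES = 72;

// Constructed sample input: two passwords identical in their first 72 bytes
// and different only in the tail that bcrypt ignores.
$base = str_repeat('a', BCRYPT_MAX_BYTES);
$pw1  = $base . 'tail-one';
$pw2  = $base . 'tail-two';

$hash = password_hash($pw1, PASSWORD_BCRYPT);

// Both verify, because bytes after the 72nd never enter the hash.
var_dump(password_verify($pw1, $hash));
var_dump(password_verify($pw2, $hash));

// Hypothetical helper (assumption: registration code calls it before
// password_hash()). Returns null when the password is acceptable, otherwise
// a message that can be shown to the user.
function checkPasswordLength(string $password): ?string
{
    $bytes = strlen($password);
    if ($bytes > BCRYPT_MAX_BYTES) {
        return sprintf(
            'Password must be at most %d bytes; got %d.',
            BCRYPT_MAX_BYTES,
            $bytes
        );
    }
    return null;
}

// Over the limit: rejected with a message.
var_dump(checkPasswordLength($pw1));
// Multibyte characters count by their UTF-8 byte length, but this one is
// still well under 72 bytes, so it is accepted (null).
var_dump(checkPasswordLength('pässwörd with ünïcode'));
```

If you would rather accept arbitrary-length passwords, the check has to be replaced by a different scheme; simply passing longer input through `password_hash()` gives the user a password that is longer than what is actually checked.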

Yes it is safe to use the $_POST['password'] variable directly as input of the password_hash() function, because BCrypt even works with binary input. The output of the function is a hash string, which cannot contain any "harmful" characters regarding SQL-injection.

martinstoeckli
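The flow the question describes (raw submitted password into `password_hash()`, alphanumeric username, both stored via PDO), as an added example that is not part of the question or either answer. It uses an in-memory SQLite database so it runs offline; the table layout, the `$post` array standing in for `$_POST`, and the function names `connect()`, `validUsername()`, `register()` and `login()` are assumptions for this example. The password contains quotes, a SQL comment marker and multibyte characters, none of which need escaping: the hash string goes into the database through a bound parameter, and the password itself is never interpolated anywhere. `password_needs_rehash()` is included because it is the piece of the `password_*` API most registration tutorials forget.

```php
<?php
// Added example (not from the original question or answers): register and
// log in using password_hash()/password_verify() on the untouched password,
// storing the hash with a PDO prepared statement. In-memory SQLite is used
// so the script runs stand-alone; schema and function names are assumptions.

declare(strict_types=1);

function connect(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // bcrypt output is 60 characters; 255 leaves headroom if the algorithm
    // behind PASSWORD_DEFAULT is changed in a later PHP release.
    $db->exec('CREATE TABLE users (
        username      TEXT PRIMARY KEY,
        password_hash VARCHAR(255) NOT NULL
    )');
    return $db;
}

// Only the username gets a shape check; the password is used as submitted.
function validUsername(string $username): bool
{
    return preg_match('/\A[A-Za-z0-9]{1,32}\z/', $username) === 1;
}

function register(PDO $db, string $username, string $password): void
{
    if (!validUsername($username)) {
        throw new InvalidArgumentException('username must be alphanumeric');
    }
    $hash = password_hash($password, PASSWORD_BCRYPT);
    // Bound parameters: neither the username nor the hash is spliced into SQL.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    // Stored hash was made with older cost/algorithm settings: re-hash now,
    // while the plaintext is available, and store the new value.
    if (password_needs_rehash($hash, PASSWORD_BCRYPT)) {
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
        $upd->execute([':h' => password_hash($password, PASSWORD_BCRYPT), ':u' => $username]);
    }
    return true;
}

// Constructed stand-in for a submitted form; in a real request this is $_POST.
$post = [
    'username' => 'alice',
    'password' => "p@ss' OR '1'='1 -- ünïcode",
];

$db = connect();
register($db, $post['username'], $post['password']);

var_dump(login($db, 'alice', $post['password']));   // correct password
var_dump(login($db, 'alice', 'wrong'));             // wrong password
var_dump(login($db, 'mallory', 'anything'));        // unknown user

// Username validation rejects injection-shaped input before any query runs.
try {
    register($db, "bob' --", 'irrelevant');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The first `login()` call succeeds and the other two fail; the final `register()` call is refused by `validUsername()` and never reaches PDO. Swap the `sqlite::memory:` DSN for your real connection string and the rest is unchanged.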