
I have a login.php file using PDO for my website. For all my other queries up to this point based on user input, I've been using prepared statements to protect against SQL injection. However, for the login section, I'm comparing the inputted password against the hashed value in my database using password_verify(). I can't really use a prepared statement for this, as my code looks like this:

    if ($res->fetchColumn() == 1) {
        // Fetch the stored hash for this email; the email is bound as a parameter.
        $stmt2 = $conn->prepare("SELECT `password` FROM members WHERE `email` = :email");
        $stmt2->bindParam(':email', $email);
        $stmt2->execute();
        // execute() returns a bool, so the column is read from the statement itself.
        $passhash = $stmt2->fetchColumn();
        // The raw POSTed password is handed straight to password_verify().
        password_verify($_POST['password'], $passhash);
        //^^ do i need to sanitize that?
    } else {
        //login failed
    }

This seems like it will be a simple answer, but I just want to make sure I'm doing it right.

BradyM
  • You have to make sure that if you do anything to the password by way of sanitization or filtering when you first stored the hash into your database that you do the same when you check it. If you hashed it without sanitizing it, then you don't sanitize it when you verify it. You are not displaying it to the page or storing it in a database raw, so it should be fine as is. – Rasclatt Jul 16 '16 at 00:12
  • Also it's not `$password_verify` with a `$`. Probably just a typo... – Rasclatt Jul 16 '16 at 00:15
  • Thanks! Didn't sanitize the original password, but did use a prepared statement when hashing/storing it. – BradyM Jul 16 '16 at 00:15
  • Yeah so if you stored it raw (hash an unsanitized post), then you are good to go not to do anything to the post. – Rasclatt Jul 16 '16 at 00:15

1 Answer

You don't need to sanitize it, as you are going to compare it with the hashed password from the database.

Plus, on register.php you don't need to sanitize the password, as you are going to hash it using password_hash() and then save it to the database, which won't cause any harm because it's already hashed.

Any sanitizing of the password on register may spoil it; for example, if the user used a password like mypassword'1'2'3, after sanitizing it will be mypassword\'1\'2\'3, which is not the same.

Hope it helps.

Ahmad ghoneim
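The register/login flow the question and the answer describe, as an added example that is not the asker's or the answerer's code. It uses an in-memory SQLite database through PDO so it runs offline; the table and column names (members, email, password) follow the question, and the sample email and the password with embedded quotes are constructed for the demo. The dummy-hash branch for unknown emails is an assumption added here, not something the thread discusses.

```php
<?php
// Added example: register with password_hash(), log in with password_verify(),
// keeping the raw password out of SQL entirely (it is only ever a PHP string
// passed to the hashing functions), while the email is a bound parameter.
declare(strict_types=1);

function open_db(): PDO {
    $conn = new PDO('sqlite::memory:');
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $conn->exec('CREATE TABLE members (email TEXT PRIMARY KEY, password TEXT NOT NULL)');
    return $conn;
}

// register.php equivalent: hash the unmodified password, store the hash via a
// bound parameter. No escaping or filtering of the password at any point.
function register(PDO $conn, string $email, string $password): void {
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $conn->prepare('INSERT INTO members (email, password) VALUES (:email, :hash)');
    $stmt->bindValue(':email', $email);
    $stmt->bindValue(':hash', $hash);
    $stmt->execute();
}

// login.php equivalent: fetch the stored hash for the email and let
// password_verify() do the (constant-time) comparison against the raw input.
function login(PDO $conn, string $email, string $password): bool {
    $stmt = $conn->prepare('SELECT password FROM members WHERE email = :email');
    $stmt->bindValue(':email', $email);
    $stmt->execute();
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        // Unknown email (assumption added here): still run one hash check so the
        // response time does not reveal whether the account exists.
        static $dummy = null;
        if ($dummy === null) {
            $dummy = password_hash('dummy-password-not-a-real-account', PASSWORD_DEFAULT);
        }
        password_verify($password, $dummy);
        return false;
    }
    return password_verify($password, $hash);
}

$conn  = open_db();
$email = 'user@example.com';     // constructed sample account
$plain = "mypassword'1'2'3";     // the answer's example: quotes inside the password

register($conn, $email, $plain);

// Raw POST-style input verifies; an addslashes()-"sanitized" copy does not,
// because the stored hash was computed over the unmodified string.
var_dump(login($conn, $email, $plain));
var_dump(login($conn, $email, addslashes($plain)));
var_dump(login($conn, 'nobody@example.com', $plain));
```

The first login call succeeds and the second fails: once the password has been altered on the way in (here with addslashes(), which is what the answer's mypassword\'1\'2\'3 illustrates), it is simply a different string and no longer matches the hash. This is the whole reason the question's code needs no sanitization: the password never appears in a query, so there is no injection surface, and any transformation applied to it only has to be applied identically at registration and at login.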