2

I clean the username input like so:

function clean($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
}

I am using prepared statements in PDO format and hashing the passwords, so is it still advisable to also clean password input?

Below is the code. Beware, it is unfinished as of this very moment and also very messy. 

<?php
  // start session
  session_start();
?>
<!DOCTYPE html>
<head>
  <link href='css/verify-id.css' rel='stylesheet'>
</head>
<body>
<?php
function clean($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {

  // set or enter password
  if (isset($_POST['password']) && empty($_POST['password'])) {

    $error    = 'A password is required.';
    $identity = '';
    $tip      = '';
    $prompt   = '';

  } else if (isset($_POST['password']) && !empty($_POST['password'])) {
    //echo '<br>SESSION idPersist<br>'.$_SESSION['idPersist'];
    //echo '<br><br>POST password<br>'.$_POST['password'];

    $password = $_SESSION['password'];
    $idPersist = $_SESSION['idPersist'];

    include 'include/database-connection.php';

    if ($_SESSION['prompt'] === 'Enter Password') {
      //echo '<br><br>SESSION prompt is Enter Password';

      // compare password
      $sql  = 'SELECT pass FROM guests WHERE id = :id';
      $stmt = $conn->prepare($sql);
      $stmt->bindParam(':id', $idPersist);
      $conn->exec($sql);

    } else if ($_SESSION['prompt'] === 'Set Password') {
      echo '<br><br>SESSION prompt is Set Password';
    /*
      // set password
      $sql  = 'INSERT INTO guests (pass)
        VALUES (:password)';
      $stmt = $conn->prepare($sql);
      $stmt->bindParam(':password', $password);
      //$conn->exec($sql);
    */
    }

    $conn = null;

    /*
    $error    = '';
    $identity = '';
    $tip      = '';
    $prompt   = '';
    */
  }

  // enter id
  if (!isset($_POST['password']) && empty($_POST['id'])) {
    $error  = 'An ID is required.';
  } else if (!isset($_POST['password']) && !empty($_POST['id'])) {
    include 'include/database-connection.php';
    $id     = clean($_POST['id']);
    $sql    = 'SELECT id, pass FROM guests WHERE id = :id';
    $stmt   = $conn->prepare($sql);
    $stmt->bindParam(':id', $id);
    $stmt->execute();
    $result = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($result) {
      $_SESSION['idPersist'] = $id;
      $identity              = 'password';
      $tip                   = 'Password';
      $error                 = '';
      if (is_null($result['pass'])) {
        $prompt             = 'Set Password';
        $_SESSION['prompt'] = 'Set Password';
      } else {
        $prompt             = 'Enter Password';
        $_SESSION['prompt'] = 'Enter Password';
      }
    } else {
      $prompt = 'Enter Valid ID';
    }
    $conn = null;
  }

}
?>
  <form
    accept-charset ='UTF-8'
    action         ='<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>'
    autocomplete   ='off'
    enctype        ='application/x-www-form-urlencoded'
    method         ='post'
    target         ='_self'>
      <input
        autofocus
        id          ='<?php
          if (empty($identity)) {
            echo 'id';
          } else {
            echo $identity;
          }
        ?>'
        name        ='<?php
          if (empty($identity)) {
            echo 'id';
          } else {
            echo $identity;
          }
        ?>'
        placeholder ='<?php
          if (empty($tip)) {
            echo 'ID';
          } else {
            echo $tip;
          }
        ?>'
        required
        size        ='25'
        title       ='<?php
          if (empty($tip)) {
            echo 'ID';
          } else {
            echo $tip;
          }
        ?>'
        type        ='text'>
      <span><?php echo $error; ?></span>
      <input
        id    ='submit'
        name  ='submit'
        type  ='submit'
        value ='<?php
        if (empty($prompt)) {
          echo 'Enter ID';
        } else {
          echo $prompt;
        }
        ?>'>
  </form>
</body>
</html>
oldboy
  • 5,729
  • 6
  • 38
  • 86
  • 1
    No, don't do that. Also that functions is usually incorrectly used, be careful with it. – chris85 Aug 07 '17 at 01:12
  • What do you gain from applying those filters on a password you are using for hashing only anyways? – Hubert Grzeskowiak Aug 07 '17 at 01:12
  • @HubertGrzeskowiak I'm not sure what you mean? I plan on hashing the passwords, but I'm not sure if hashing the password is conducted before any damage can be done? – oldboy Aug 07 '17 at 01:15
  • You also don't need `empty` and `isset`, one will suffice (unless `0` is a valid value for any of the fields). Also `` is open to XSS injections, single quotes aren't escaped by default. – chris85 Aug 07 '17 at 01:20
  • `$_POST['password']` is not always present in the form? Comments aren't really relevant to question asked to I'll remove, I think your conditionals are redundant though. I'm leaving `XSS` comment because that still is relevant. – chris85 Aug 07 '17 at 02:04
  • @chris85 no, it is not. the only `input[type=text]` becomes `input#id` and `input#password` at different page loads. it's not redundant, trust me. go load the code and play around with it urself if u dont believe me :p i do have one more question, however. how come it won't accept inline ternary statements in the HTML like so: `(empty($identity)) ? echo 'id'; : echo $identity;`?? it's giving me this error: **`Parse error: syntax error, unexpected 'echo' (T_ECHO)`** i've tried playing around with the semi colons to no avail, notably – oldboy Aug 07 '17 at 02:13
  • 1
    Ternary returns, it doesn't execute. Do `echo empty($identity) ? 'id' : $identity;` I'll just take your word for the DOM stuff. – chris85 Aug 07 '17 at 02:18
  • @chris85 ohhh ok interesting. diff from JS – oldboy Aug 07 '17 at 02:19

1 Answers1

8

NO.

Do not mess with users password. There is no need to clean and sanitize users password.

It can do no harm because password should always be hashed. It should never be stored in it's original form.

Hashed password like $2y$10$36PQzf67DtRPrn3ViqNFS.iswIU9AyIPRWV23KzmSXWD66RD7frIm can do no harm.

Anis Alibegić
  • 2,941
  • 3
  • 13
  • 28
  • Does that mean the hashing is conducted *before* the input is posted? And thus certain input (i.e. ``) turns into hashed strings before they're sent to the server? – oldboy Aug 07 '17 at 01:14
  • 2
    Passwords are hashed before inserting into database. If password contains some kind of potentially harmful code it will be useless because it's going to be hashed into something like `$2y$10$36PQzf67DtRPrn3ViqNFS.iswIU9AyIPRWV23KzmSXWD66RD7frIm`. – Anis Alibegić Aug 07 '17 at 01:16
  • 2
    @Anthony Look over http://php.net/manual/en/ref.password.php, the hash is what is being stored/compared, not the plain text value. – chris85 Aug 07 '17 at 01:17
  • @Spectarion ok, good, that's what i wanted to know. thanks guys <33 – oldboy Aug 07 '17 at 01:18
  • @chris85 yes, i know :) i'm just new to PHP so not entirely sure about the sequence of events – oldboy Aug 07 '17 at 01:19