When an admin manually changes a user's password, they need to type (or generate) the password into an HTML input which is then submitted to PHP.

How would I secure an input whose purpose is for secure passwords, which means special/HTML characters such as '>', '#', '<', etc.?

Previously, I used:

<?php htmlspecialchars(strip_tags($password)) ?>

But this was changing the password to something else, I'm guessing to the character entity format - I cannot see what it's changing it to, due to one-way hashing via bcrypt.

EDIT: For example, this is a password: *62mA<Edq<Kfx)3y. When I check the output of the above code, it outputs *62mA

Thanks

Sutton
  • `strip_tags`? You're changing the user's password/restricting them from using certain characters, which I see as an immediate flaw. – Script47 Aug 14 '17 at 14:02
  • And why would an Admin manually change a user's password? – Masivuye Cokile Aug 14 '17 at 14:03
  • If the password is hashed (and it must be), then there's nothing to protect it from. But as already suggested - allowing admins to change user passwords is a bad idea in the first place. – Narf Aug 14 '17 at 14:04
  • Just don't (limit passwords). Both `password_hash()` and `password_verify()` take this into account. This is an answer in its own right. Passwords such as `123'\DELETE` are considered as being perfectly valid. – Funk Forty Niner Aug 14 '17 at 14:04
  • Just remove `strip_tags` and you are good to go. – Mario Aug 14 '17 at 14:04
  • The OP should use no cleansing mechanism at all @Mario – Jay Blanchard Aug 14 '17 at 14:06
  • @JayBlanchard If I understand him right he wants to print the password into an HTML document so he should absolutely use htmlspecialchars. I think Quentin's answer is spot on. – Mario Aug 14 '17 at 14:08
  • An "HTML input" @Mario, not a document. – Jay Blanchard Aug 14 '17 at 14:09
  • @JayBlanchard Well yes obviously... – Mario Aug 14 '17 at 14:10
  • @Mario the admin types the user's password into an HTML input to reset the password – Masivuye Cokile Aug 14 '17 at 14:11
  • I also can't see why you'd want to echo passwords in the form's input. [`htmlspecialchars()`](http://php.net/manual/en/function.htmlspecialchars.php) is what that is mostly used for, and suggests it. – Funk Forty Niner Aug 14 '17 at 14:15
  • Okay thank you guys, I shall make these corrections, I must've misunderstood the PHP docs. – Sutton Aug 14 '17 at 14:16

1 Answer

There is no general purpose "make this data safe for every situation" tool. You need to use situation appropriate escaping.

Do not use destructive functions like strip_tags.

If you want to put it into an HTML document: Do use htmlspecialchars.

If you want to put it into an SQL database: Do use prepared statements.

If you want to put it into JavaScript: Do use json_encode.

… etc … etc.

The parser that deals with the data will decode any escape characters.


That said… Do not store passwords. Do Hash passwords. Do Protect passwords.

Quentin
  • So a PDO prepared statement will be sufficient enough to secure that input? – Sutton Aug 14 '17 at 14:04
  • It will be sufficient to safely insert it into a database without losing data. It won't help if you later insert it into an HTML document. – Quentin Aug 14 '17 at 14:05
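The answer's point in working code, as an added example that is not part of the question, the answer, or any project: an admin password-reset handler that applies each escaping step in the context that needs it (none for the password itself, a prepared statement for SQL, `htmlspecialchars` only when echoing into HTML, `json_encode` only when echoing into JavaScript). It also shows what `strip_tags` does to the password from the question. The `users` table with `id` and `password_hash` columns, the in-memory SQLite database, and the 72-byte length cap are assumptions made for this example.

```php
<?php
// Added example, not code from the question or the answer.
// Assumes (for illustration) a `users` table with `id` and `password_hash`
// columns; the in-memory SQLite database below is constructed so the file
// runs stand-alone.
declare(strict_types=1);

// Shows why strip_tags() is destructive here: everything from the first '<'
// onward is treated as an (unclosed) tag and dropped, silently changing the
// password. htmlspecialchars() on the same input is lossless, because the
// HTML parser decodes the entities again on the way back in.
function compare_treatments(string $password): array
{
    return [
        'raw'        => $password,
        'strip_tags' => strip_tags($password),
        'html'       => htmlspecialchars($password, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
    ];
}

// Store: hash the password exactly as typed, then bind the hash through a
// prepared statement. Nothing in the password needs escaping for SQL.
function set_user_password(PDO $pdo, int $userId, string $rawPassword): void
{
    // Assumed policy: bcrypt (PASSWORD_DEFAULT on most installs) only looks at
    // the first 72 bytes, so reject longer input rather than truncate silently.
    if ($rawPassword === '' || strlen($rawPassword) > 72) {
        throw new InvalidArgumentException('Password length out of range');
    }
    $hash = password_hash($rawPassword, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('UPDATE users SET password_hash = :hash WHERE id = :id');
    $stmt->execute([':hash' => $hash, ':id' => $userId]);
}

// Verify: compare the raw submitted password against the stored hash, so a
// password such as *62mA<Edq<Kfx)3y or 123'\DELETE round-trips unchanged.
function check_user_password(PDO $pdo, int $userId, string $rawPassword): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($rawPassword, $hash);
}

// Output into HTML (e.g. a generated password shown once to the admin):
// this is the one place htmlspecialchars() belongs. ENT_QUOTES matters
// because the value sits inside a quoted attribute.
function render_generated_password_field(string $generated): string
{
    return '<input type="text" readonly value="'
        . htmlspecialchars($generated, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '">';
}

// Output into JavaScript: json_encode(), with the HEX flags so the result is
// also safe inside an inline <script> block.
function render_generated_password_js(string $generated): string
{
    return '<script>const generated = '
        . json_encode($generated, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)
        . ';</script>';
}

// Constructed demo database and input.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, password_hash TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (id, password_hash) VALUES (1, '')");

$password = '*62mA<Edq<Kfx)3y';   // the password from the question
print_r(compare_treatments($password));

set_user_password($pdo, 1, $password);
var_dump(check_user_password($pdo, 1, $password));             // raw password
var_dump(check_user_password($pdo, 1, strip_tags($password))); // what strip_tags left

echo render_generated_password_field($password), PHP_EOL;
echo render_generated_password_js($password), PHP_EOL;
```

Run it with `php` from the command line; it needs the pdo_sqlite extension. Note that the reset handler never echoes the submitted password back at all, which is the usual design: only a freshly generated password that the admin must read out is ever rendered, and then through the context-specific encoder.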