0

So is it better to use $code when validating password inputs, or do I just have to use $_POST['code']?

When exactly should the secure_input function be used when it comes to security?

Is there a better way to perform the below password validation?

More on php form security here

PhpFiddle

<?php
    function secure_input($data) {
        $data = stripslashes($data);
        $data = htmlspecialchars($data);
        return $data;
    }

    $code = secure_input($_POST['code']);

    if ($code == "ok") echo 'success';
?>
<form method="post" action="">
    Name: <input type="text" name="code">
    <input type="submit">
</form>
  • Define "security" and what it's used for. – Funk Forty Niner Mar 27 '18 at 21:22
  • read the w3schools link it explains a lot about form security like Cross-site scripting –  Mar 27 '18 at 21:24
  • 1
    depending on type and use of 'input' your `secure_input` function could break it –  Mar 27 '18 at 21:24
  • W3Schools is not the place for security, believe me. Ok, I have no idea what it is you want to use this for, I'll let someone else dive in here. – Funk Forty Niner Mar 27 '18 at 21:25
  • 1
    The fact that you're suggesting this be done on passwords screams "I am using plaintext passwords, and also not using prepared statements". http://php.net/manual/en/function.password-hash.php, http://php.net/manual/en/pdo.prepare.php, http://php.net/manual/en/mysqli.prepare.php – Sammitch Mar 27 '18 at 21:25
  • @Sammitch well, it is an example, that is why it is not a password input. Can you post an answer with a prepared statement? There is no SQL involved, by the way. I am just comparing if the password is correct –  Mar 27 '18 at 21:38
  • What do you want to use your secure_input function for? If you stripslashes from a user submitted password (that contains slashes), they'll be gone. You've mutated their password. – Progrock Mar 27 '18 at 21:43
  • I got confused, I thought it works for security because w3schools is using that, but only to echo form results, see here https://www.w3schools.com/php/showphp.asp?filename=demo_form_validation_complete. Is there a better way to compare if the user's password is correct? –  Mar 27 '18 at 21:44
  • 1
    There is no validation for a password, unless you want to make sure it must contain a specific character, which in my own opinion is wrong since you are making a spawn point for attacks – Ghostff Mar 27 '18 at 21:51
  • And you never wanna `stripslashes` or use `htmlspecialchars` in passwords – Ghostff Mar 27 '18 at 21:52
  • 1
    You can take a hash of the password, and compare hashes. See password_hash and password_verify. – Progrock Mar 27 '18 at 22:04
  • Well this is what should be done, the password should be standard and the users will enter it to access the web application. If you have a suggestion to make it better please post an answer –  Mar 27 '18 at 22:35

2 Answers

1

When exactly should the secure_input function be used when it comes to security?

Never. It is just awful.

$data = stripslashes($data); — Don't do this. It is a hack to deal with the magic quotes problem. In 2018 you should not be using a version of PHP which even supports magic quotes.

$data = htmlspecialchars($data); — This makes it safe to insert a string of text into an HTML document. You are not outputting the value into an HTML document, so don't do that here.

Is there a better way to perform the below password validation?

You should not store the password in plain text. It should be hashed, and then the user input (which should be the original user input without any escaping as you are comparing the password and not the html representation of the password) should be compared to it using the password_verify function.

PHP has a FAQ about how to handle passwords.

<?php

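    $submitted_password = $_POST['code'] ?? ''; # Raw user input, no escaping
    $submitted_password = "ok"; # Because this demo doesn't get any POST data

    # Single quotes so PHP never tries to interpolate the "$" characters in the hash
    if (password_verify($submitted_password, '$2y$10$76xEMDyKtZEo036w2mQ/zemy3VUDXFhOHRvrljK1F9/6a7rVqlsdi')) {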
        print "Good password";
    } else {
        print "Bad password";
    }

?>
Quentin
  • What is this? `$2y$10$76xEMDyKtZEo036w2mQ/zemy3VUDXFhOHRvrljK1F9/6a7rVqlsdi` Is that a random password? It shouldn't be generated by PHP? –  Mar 28 '18 at 11:36
  • @GragasIncoming — It is the password you used previously, as hashed using `password_hash`, as described in the documentation linked to in the answer. – Quentin Mar 28 '18 at 11:38
  • I can set a variable that hashes the password automatically? Also, isn't it better to use `if (isset($_POST['code'])) {$submitted_password = $_POST['code'];}` in my form example? –  Mar 28 '18 at 11:48
  • Also my application does not store data into the database, so hashing is not necessary: [php.net] It is important to note, however, that hashing passwords only protects them from being compromised in your data store, but does not necessarily protect them from being intercepted by malicious code injected into your application itself. –  Mar 28 '18 at 11:56
  • "Also my application does not store data into the database, so hashing is not necessary" — Your PHP source code is just as vulnerable as a database. It is still a data store. – Quentin Mar 28 '18 at 12:04
  • "does not necessarily protect them from being intercepted by malicious code injected into your application itself" — That is talking about code reading `$_POST` before you hash it, not about an attacker with access to the PHP reading it. – Quentin Mar 28 '18 at 12:05
  • Okay, I still did not get how you generated `$2y$10$76xEMDyKtZEo036w2mQ/zemy3VUDXFhOHRvrljK1F9/6a7rVqlsdi` –  Mar 28 '18 at 12:10
  • 1
    `password_hash("ok", PASSWORD_DEFAULT)` – Quentin Mar 28 '18 at 12:12
  • You said You should not store the password in plain text but you leave that line `$submitted_password = "ok";` Should it be removed normally and leave only the hash code in the file? – csandreas1 Apr 05 '18 at 07:37
  • @csandreas1 — Look at the comment on that line. It is there to simulate **user input** for the sake of demonstration. In the real world, you would have real user input so that line would break the system entirely. – Quentin Apr 05 '18 at 07:41
  • Yes, but you could do `$SecretKey = "ok";` `$hash_Password = password_hash($_POST['code'], PASSWORD_DEFAULT);` and then `if (password_verify($submitted_password, $code))` – csandreas1 Apr 05 '18 at 07:44
  • 1
    @csandreas1 — Don't do that. Hash the password when you create it. Store the hashed password. It is entirely pointless to store it in plain text and rehash it every time the script runs. – Quentin Apr 05 '18 at 07:44
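
The workflow discussed in the answer and comments above, as an added example that is not code from the question or from either answer. It hashes once when the password is chosen, verifies the raw form field at login, and shows what the question's secure_input() does to the same submission. The sample password, the check_login() helper and the $post array standing in for $_POST are assumptions made for the demonstration.

```php
<?php
// Added example, not code from the question or either answer.

// The question's function, unchanged, kept only to show its effect on a password.
function secure_input($data) {
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}

// Run once, when the password is chosen; store only the resulting hash.
// Constructed sample password containing a backslash, <, & and ".
$chosen_password = 'p\\w<d&"1';
$stored_hash = password_hash($chosen_password, PASSWORD_DEFAULT);

// Hypothetical helper: verify the raw, unescaped form field against the hash.
function check_login(array $post, string $stored_hash): bool {
    $submitted = $post['code'] ?? '';
    if (!is_string($submitted)) {
        return false; // a field sent as code[]=... arrives as an array
    }
    return password_verify($submitted, $stored_hash);
}

$post = ['code' => $chosen_password]; // stands in for $_POST in this demo

// The raw submission is what password_verify() must receive.
echo 'raw input:      ', var_export(check_login($post, $stored_hash), true), "\n";

// The same submission after secure_input(): the backslash is stripped and
// <, & and " become entities, so a different string is being verified.
$mutated = secure_input($post['code']);
echo 'secure_input(): ', var_export(password_verify($mutated, $stored_hash), true), "\n";
echo 'verified value: ', $mutated, "\n";

// If PASSWORD_DEFAULT or its cost changes in a later PHP release, re-hash
// after a successful login so the stored hash follows the new default.
if (check_login($post, $stored_hash) && password_needs_rehash($stored_hash, PASSWORD_DEFAULT)) {
    $stored_hash = password_hash($post['code'], PASSWORD_DEFAULT);
}

// htmlspecialchars() belongs at the point of HTML output, not on input.
echo 'Hello, ', htmlspecialchars('<b>constructed name</b>', ENT_QUOTES, 'UTF-8'), "\n";
```

Run from the PHP 7+ command line, the raw submission verifies, while the secure_input() version fails because the value being checked has become `pw&lt;d&amp;&quot;1`.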
-2

You don't need to escape the password input for your purpose of comparison as you have outlined above.

<?php

if($_SERVER['REQUEST_METHOD'] == 'POST')
{
    $authorised = 'secret' == ($_POST['password'] ?? null);
    echo $authorised ? 'Credential match.' : 'Credential mismatch.';
}

?>
<form method="post">
    Password:<input type="password" name="password">
    <input type="submit" value="Authorise me">
</form>

It would perhaps be wiser to store a hash of your password.

When exactly should the secure_input function be used when it comes to security?

See: https://stackoverflow.com/a/4224002/3392762

Progrock