CorgaE, posted November 21, 2009:

Hi there, I have been thinking a bit. Atm I've just got a simple injection protection for my username and password field at the site. But there is a catch with it. In the password field, if you want, let's say: ajfds" as password, that's not possible because it sets the password with slashes. Is there any way to fix it so users still can use the characters in their passwords? All help is really appreciated!
chibineku, posted November 21, 2009:

Are you saving the passwords verbatim - the actual string that someone enters? The easy way round it is to save only a hash of the password. That is, in PHP pick a hash, like sha1, and use it to scramble the password, and save the scrambled mess. To sign people in, scramble their login password and compare the hashes. That way you are protected from SQL injection and aren't storing passwords. Or, use MySQL's built-in password algorithm, like this:

"INSERT INTO users (password) VALUES (PASSWORD('".$_POST["password"]."'))";

Obviously that's a pretty lousy query.
CorgaE (author), posted November 21, 2009:

> Are you saving the passwords verbatim - the actual string that someone enters? The easy way round it is to save only a hash of the password. That is, in PHP pick a hash, like sha1, and use it to scramble the password, and save the scrambled mess. To sign people in, scramble their login password and compare the hashes. That way you are protected from SQL injection and aren't storing passwords. Or, use MySQL's built-in password algorithm, like this:
>
> "INSERT INTO users (password) VALUES (PASSWORD('".$_POST["password"]."'))";
>
> Obviously that's a pretty lousy query.

The passwords are md5'd, so there are no actual passwords in the database.
chibineku, posted November 21, 2009:

And you still can't have slashes? Hm. Okay, I wouldn't have thought there'd be a problem.
CorgaE (author), posted November 21, 2009:

Maybe somewhere else in the code there's something that replaces it with slashes. I will check everything through again. Thanks for the fast answers!
Synook, posted November 21, 2009:

I don't see why that should be a problem. Say, for example, the user takes a" as their password. To prevent injection, your code escapes the ", so the string is a\". That then gets concatenated into a query, for example ... VALUES("username", "a\""). The password is now in the database as a". So what is the problem?

If you are storing your password as a hash in the database, as is best practice, then you should not be sanitizing it in the first place.
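The pattern Synook describes, written out as an added example (this is not code from the thread or from any of the posters): the raw password is hashed before it goes anywhere near the query, so a quote or backslash in it needs no escaping at all, and the username is passed to a prepared statement instead of being concatenated, so it needs none either. It assumes PHP 5.5 or later for password_hash()/password_verify() and uses an in-memory SQLite database so it runs stand-alone; the table name, column names and the sample password are constructed for the example.

```php
<?php
// Added example: hash the password as typed, bind every user-supplied value.
// SQLite in memory is used here so the script runs offline; with MySQL only
// the DSN in connect() changes.

function connect(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed schema for the example.
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    return $db;
}

function register(PDO $db, string $username, string $password): void {
    // The password is hashed exactly as the user typed it. No addslashes(),
    // no escaping: the hash output is what reaches the database, and even that
    // is bound as a parameter rather than spliced into the SQL string.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function login(PDO $db, string $username, string $password): bool {
    // The username is bound too, so the query text never contains user input.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    // password_verify() compares against the stored hash; the plain password is
    // never stored and never compared as a string.
    return password_verify($password, $row['password_hash']);
}

// Constructed sample: a password containing a double quote and a backslash,
// the kind of value the original poster could not store.
$password = 'ajfds"\\x';
$db = connect();
register($db, 'alice', $password);

var_dump(login($db, 'alice', $password));              // the password as typed
var_dump(login($db, 'alice', addslashes($password)));  // the escaped version is a different password
var_dump(login($db, 'bob', $password));                // unknown user
```

The second var_dump() is the original poster's symptom in miniature: if some layer (addslashes(), magic quotes, a second escaping pass) alters the password before it is hashed on one side but not the other, the hashes no longer match and the login fails even though the database itself is fine. Hashing the untouched input on both sides, and leaving escaping to the driver, removes that failure mode.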