In a sign-up / login form, we validate user input like username and email and make sure that it does not contain any special characters. My question is about the Password input field. Is it possible to inject an SQL query using the password input field? Because we allow the user to add special characters to it.
- [+4] Yes it is perfectly possible if you don't protect against it. Use prepared statements. – Phylogenesis, Feb 2, 2018 at 12:01
- [+1] Yes, it is possible. To prevent your database from being hacked, try to use MySQLi or PDO. – Rohit Singh, Feb 2, 2018 at 12:01
- [+2] @jeroen "You are hashing your passwords, right?" --- one would hope so ;-) – Funk Forty Niner, Feb 2, 2018 at 12:52
- [+1] @JorgeCampos about the possible duplicate; for the injection part, yes. However, that Q&A does not talk about manipulating passwords and what escaping does for injection characters or any others that MySQL may complain about ;-) which is the basis of the question. – Funk Forty Niner, Feb 2, 2018 at 12:54
- [+2] @jeroen yep, I am, and thanks for the reply :) – Ali, Feb 2, 2018 at 13:02
1 Answer
> my question is about the Password input field
> Is it possible to inject sql query using password input field?
Not if you use a prepared statement.
However, both password_hash() and password_verify() already take this into account, and you should not be manipulating passwords or limiting them.
- https://secure.php.net/manual/en/function.password-hash.php
- https://php.net/manual/en/function.password-verify.php
This is something you should be using in this day and age.
If you escape a password that contains a quote, for instance John'sPlace, it will be modified to John\'sPlace, which in turn, if you use the hashing methods stated above, will fail silently on verification.
Even if a potential hacker were to try something like String'); DROP TABLE USERS; -- in the password input, that would still be stored as a hash in the database, when using password_hash() of course.
Something like $2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a (example hash pulled from the manual) can't do any harm.
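The three points of the answer and the comment thread (a string-built query lets the password reach the SQL parser, a prepared statement plus password_hash()/password_verify() does not, and escaping the password before hashing silently breaks login) can be seen side by side in the following script. It is an added example, not code from the answer or from the PHP manual; it assumes PHP with the PDO SQLite driver, an in-memory database, and a constructed `users` table with `username` and `password_hash` columns. The two sample inputs are the ones the answer uses.

```php
<?php
// Added example (not part of the original answer). Assumes PDO with the
// SQLite driver; the users table and sample accounts are constructed here.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    password_hash TEXT NOT NULL
)');

// Registration: hash the password exactly as typed. No escaping, no
// filtering, no length cap; password_hash() handles any byte sequence.
function registerUser(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// The failure mode the answer warns about: the password is concatenated into
// the SQL text, so a quote in it is parsed as SQL rather than treated as data.
// Kept only to show the problem; never use this shape.
function loginStringBuilt(PDO $db, string $username, string $password): bool
{
    $sql = "SELECT COUNT(*) FROM users WHERE username = '$username'"
         . " AND password_hash = '$password'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// The hardened form: the username is bound as a parameter, and the password
// never touches SQL at all. It is only compared to the stored hash in PHP.
function loginPrepared(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();          // false when the user does not exist
    return $hash !== false && password_verify($password, $hash);
}

// Constructed sample inputs, taken from the answer's own text.
$quotedPassword  = "John'sPlace";
$payloadPassword = "String'); DROP TABLE USERS; --";

registerUser($db, 'john',  $quotedPassword);
registerUser($db, 'mallory', $payloadPassword);

// 1. String-built query: the quote in the password breaks the statement.
//    With ERRMODE_EXCEPTION this surfaces as a PDOException, proving the
//    password text reached the SQL parser (the precondition for injection).
try {
    loginStringBuilt($db, 'john', $quotedPassword);
    echo "string-built query ran without error\n";
} catch (PDOException $e) {
    echo "string-built query: password reached the SQL parser -> " . $e->getMessage() . "\n";
}

// 2. Prepared statement + password_verify(): both inputs are just data.
var_dump(loginPrepared($db, 'john', $quotedPassword));       // bool(true)
var_dump(loginPrepared($db, 'mallory', $payloadPassword));   // bool(true)
var_dump(loginPrepared($db, 'john', 'wrong'));               // bool(false)

// The payload was stored as a bcrypt hash, not as SQL; the table still exists.
var_dump((int) $db->query('SELECT COUNT(*) FROM users')->fetchColumn()); // int(2)

// 3. The escaping trap from the answer: escaping the password before hashing
//    stores a hash of John\'sPlace, so the real password no longer verifies.
registerUser($db, 'escaped-john', addslashes($quotedPassword));
var_dump(loginPrepared($db, 'escaped-john', $quotedPassword)); // bool(false)
```

Run it with `php login-demo.php`. The first section throws because the concatenated quote changes the SQL; the second logs in both users, including the one whose password is the DROP TABLE string, because the stored value is a hash and the password only ever meets the hash inside password_verify(); the third shows the silent failure the answer describes, where the account exists but the correct password is rejected because addslashes() changed what was hashed.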