
When using the password_hash() function to generate a hashed password is there any reason why I would want to use a prepared statement when inserting it into the database?

My assumption is that I do not need to use a prepared statement for the password but for consistency's sake it doesn't hurt to use one.

Additional question:

If I am using the PASSWORD_DEFAULT parameter of the password_hash function, it will currently use the bcrypt algorithm but can be replaced with a different algorithm in the future. Would a future algorithm ever use a single quote or some other symbol that might break the SQL statement if I do not use prepared statements?

kojow7
    Consult the following Q&A on Stack http://stackoverflow.com/questions/36628418/cleansing-user-passwords and you'll get your answer. Short answer: No, don't. – Funk Forty Niner Apr 27 '16 at 22:11
  • *"for consistency's sake it doesn't hurt to use one"* - It will and you don't have to. – Funk Forty Niner Apr 27 '16 at 22:12
  • 2
    @Fred-ii- Can you elaborate on the _It will_ part please? – Alon Eitan Apr 27 '16 at 22:13
  • 1
    @AlonEitan I don't have to; look at the link I left the OP up there. – Funk Forty Niner Apr 27 '16 at 22:13
  • 2
    Also consult http://codereview.stackexchange.com/questions/79668/login-with-password-hash and see the answer by ircmaxell http://codereview.stackexchange.com/a/79681/ who knows his stuff on the subject better than most. I think that explains it in its own right. – Funk Forty Niner Apr 27 '16 at 22:18
  • possible duplicate of [Cleansing User Passwords](http://stackoverflow.com/questions/36628418/cleansing-user-passwords) – Funk Forty Niner Apr 27 '16 at 22:21
  • 1
    @Fred-ii- the ircmaxell answer you linked says "Please use prepared statements." – Don't Panic Apr 27 '16 at 22:25
  • @Don'tPanic Read his answer again and read the question again. – Funk Forty Niner Apr 27 '16 at 22:31
  • and my first two comments should also have been upvoted, because that's what the question's about. – Funk Forty Niner Apr 27 '16 at 22:33
  • 3
    When inserting the *hash*, you don't *have* to use a prepared statement, but *you should anyway* because prepared statements are *the bees knees* and also consistency. – Sammitch Apr 27 '16 at 22:40
  • 3
    @Fred-ii- all of your remarks are flippant, unclear, and the link doesn't clarify anything no matter how much you insist that it does. – Sammitch Apr 27 '16 at 22:41
  • @Sammitch You sure about that? Did you check out what ircmaxell had to say on that? *Unclear?* Ok so ircmaxell knows squat then, is that what you're saying? If so, then he should leave PHP.net then. – Funk Forty Niner Apr 27 '16 at 22:42
  • 3
    @Fred-ii- I still don't see how the ircmaxell answer says that it _will_ hurt to use a prepared statement. Sorry, I'm not trying to be dense. I feel like I must be missing something. – Don't Panic Apr 27 '16 at 22:43
  • @Sammitch Guess what this does `$pass = "pass$word";` and use a prepared statement against that. It will strip everything after `$` thus rendering verification null. I know this for a fact, I tried it. Edit: Now all comments have been deleted, ok, why? – Funk Forty Niner Apr 27 '16 at 22:44
  • @Don'tPanic see this comment ^ – Funk Forty Niner Apr 27 '16 at 22:46
  • 2
    @Fred-ii- So basically you're operating on the assumptions that 1. OP is inserting the plaintext password, despite having `password_hash` in the title. 2. OP is defining their password in the PHP source, in a double-quoted string? You're normally pretty on-point with your answers, but right now I think you need to take a fresh read on the question and maybe ask if OP can clarify points that we're both currently making assumptions about. – Sammitch Apr 27 '16 at 22:48
  • @Sammitch I'm going to get a second opinion on this, but it can't be tonight. If I'm wrong on this, I'll admit my mistake. If I'm right though... well... ;-) maybe you could post a comment under ircmaxell's answer? I might even try and get a hold of him too and have him look at the question, see what he has to say about it. – Funk Forty Niner Apr 27 '16 at 22:51
  • Thank you all for your input! I think the answer posted by "Your Common Sense" is quite correct. Please let me know your thoughts. – kojow7 Apr 28 '16 at 17:12
  • I also do not feel that any of the links above address my question, as I was not talking about sanitizing the password before hashing it. I am also not sure why there are votes to close this question, as I think the answer would be beneficial to others as well. – kojow7 Apr 28 '16 at 17:18

1 Answer

is there any reason why I would want to use a prepared statement when inserting it into the database?

YES

Simply because a database layer should be absolutely ignorant about data source, nature, meaning or prior validations. The job of a database layer is to put your data in a database correctly. And prepared statements are the only proper way of doing so.

So, in your own words, "but for consistency's sake it doesn't hurt to use one".

Your Common Sense
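The answer's point, that the hash is just data the database layer binds like any other value, as an added PHP example (not code from the question or the answer). It assumes a hypothetical `users(username, password_hash)` table and uses an in-memory SQLite PDO connection so it runs stand-alone; `password_needs_rehash()` covers the follow-up question about `PASSWORD_DEFAULT` changing in the future.

```php
<?php
// Added example: store a password_hash() result through a PDO prepared
// statement, then verify and transparently rehash on login.
// Assumes a hypothetical users(username, password_hash) table; SQLite
// in-memory is used only so the script runs without a server.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

function registerUser(PDO $pdo, string $username, string $password): void
{
    // The hash is opaque data as far as the database layer is concerned:
    // bind it like any other value, never interpolate it into the SQL text.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function loginUser(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    // If PASSWORD_DEFAULT (or its cost) has changed since this hash was made,
    // replace it. The new hash goes through the same bound parameter, so whatever
    // characters a future algorithm's encoding contains cannot break the SQL.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username]);
    }
    return true;
}

// Constructed sample data. The password deliberately contains quotes and a "$"
// (single-quoted, so PHP does not interpolate it) to show that binding, not
// escaping, is what keeps both the SQL and the stored value intact.
$samplePassword = 'pa\'ss"w$ord';
registerUser($pdo, 'alice', $samplePassword);
var_dump(loginUser($pdo, 'alice', $samplePassword));
var_dump(loginUser($pdo, 'alice', 'wrong-password'));
```

Requires the `pdo_sqlite` extension; with any other PDO driver only the connection string and `CREATE TABLE` line change.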