
The client wants us to allow all possible symbols for password inputs, but what I know is that there are some characters that can ruin code, like:

double quotation (") for C# coding

string name = "jose" jose"

single quotation (') for MSSQL

DECLARE @name VARCHAR(50) = 'jose' jose'

ampersand (&) and vertical line for OR (|), possible for SQL injection in MSSQL

and backslash (\), like this sample, which is used for character escaping (it is actually a double backslash, to show it).

Are there any symbols I am missing, or have I got a wrong idea about the symbols listed?

jace
  • Don't use string concatenation to pass parameters to your SQL query. Instead use real SQL parameters. Otherwise you are open to SQL injection and other issues (conversion, broken SQL, localization, ...). – Tim Schmelter Dec 07 '17 at 09:10
  • None of these symbols ruin code if handled correctly. You shouldn't be worrying about symbols in passwords anyway, as you shouldn't be storing passwords as strings. This smells like something else is wrong. – Equalsk Dec 07 '17 at 09:12
  • @Equalsk If I convert the string to encrypted or hashed values, then I won't have a problem? Like, if my input to my text box in C# is jose"jose, can C# still understand that and encrypt it? I'm just worried about having a "jose"jose" value that will break the string to "jose" and then have a problem on the next jose" – jace Dec 07 '17 at 09:15
  • @TimSchmelter thanks for the reminder. I'll take note of that. – jace Dec 07 '17 at 09:15
  • Yes, you can encrypt a string containing any of the characters you've mentioned. A basic example is that when the user enters their password you compare the hash of the entered password to the stored hash to see if they match. – Equalsk Dec 07 '17 at 09:17
  • I tried it and yes it's working without a problem, thanks. – jace Dec 07 '17 at 09:45

2 Answers


No symbol is harmful when you store passwords correctly.
There are only 2 rules for that:

  1. Always use parameters when passing data to the database.
    This is the only effective way to prevent SQL Injection attacks.

  2. Never store plain text passwords in your database.
    Instead, store a salted hash value representing the password.

You can read this SO post on how to hash passwords, and some more information on Microsoft Docs.

Edit: Just found quite a long article on CodeProject that explains in detail why and how to hash passwords.

Zohar Peled
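As an added illustration of both rules in the answer above (this is example code, not the answer's or the asker's own): a C# snippet that hashes a password containing every character the question worried about with salted PBKDF2-SHA256 and stores the result through SqlParameter objects, so the password text never becomes part of any C# string literal or SQL statement. It assumes the classic System.Data.SqlClient provider, a .NET version whose Rfc2898DeriveBytes constructor accepts a HashAlgorithmName, and a hypothetical Users table.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;   // assumed: classic ADO.NET provider for SQL Server
using System.Security.Cryptography;

public static class PasswordStore
{
    const int SaltSize = 16, HashSize = 32, Iterations = 100_000;

    // Derive a salted PBKDF2-SHA256 hash. The password may contain ", ', &, |, \ or anything
    // else: it is only ever treated as bytes here, never as code.
    public static (byte[] Salt, byte[] Hash) HashPassword(string password)
    {
        var salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return (salt, kdf.GetBytes(HashSize));
    }

    // Re-derive with the stored salt and compare every byte without an early exit (timing-safe).
    public static bool Verify(string password, byte[] salt, byte[] storedHash)
    {
        byte[] candidate;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            candidate = kdf.GetBytes(storedHash.Length);
        int diff = candidate.Length ^ storedHash.Length;
        for (int i = 0; i < candidate.Length && i < storedHash.Length; i++)
            diff |= candidate[i] ^ storedHash[i];
        return diff == 0;
    }

    // Hypothetical table: Users(UserName NVARCHAR(100), Salt VARBINARY(16), Hash VARBINARY(32)).
    // Values travel as typed parameters, so the SQL text is identical whatever the password contains.
    public static void SaveUser(SqlConnection conn, string userName, string password)
    {
        var (salt, hash) = HashPassword(password);
        using (var cmd = new SqlCommand(
            "INSERT INTO Users (UserName, Salt, Hash) VALUES (@UserName, @Salt, @Hash)", conn))
        {
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 100).Value = userName;
            cmd.Parameters.Add("@Salt", SqlDbType.VarBinary, SaltSize).Value = salt;
            cmd.Parameters.Add("@Hash", SqlDbType.VarBinary, HashSize).Value = hash;
            cmd.ExecuteNonQuery();
        }
    }

    public static void Main()
    {
        // Constructed sample password using each character from the question.
        string pw = "jose\" jose' & | \\";
        var (salt, hash) = HashPassword(pw);
        Console.WriteLine(Verify(pw, salt, hash));
        Console.WriteLine(Verify("jose\" jose", salt, hash));
    }
}
```

The first Verify call succeeds and the second fails even though the two passwords differ only after the double quote, which is the breakage the question was worried about; nothing here depends on escaping those characters.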

For C# code you will need to add a \ before each double quotation:

string name = "jose\" jose";

For SQL Server you will need to add an extra quote:

DECLARE @name VARCHAR(50) = 'jose'' jose';