This repository has been archived by the owner on Apr 8, 2023. It is now read-only.

Strip Tags #82

Open
jfm-so opened this issue Aug 2, 2018 · 1 comment

Comments

@jfm-so
Owner

jfm-so commented Aug 2, 2018

Contributed by @nmalcolm

"Okay, let's start again. You're running strip_tags() on the input password which has absolutely no purpose. Should a user choose a password such as , their password will be an empty string and anyone can log into their account without a password."

test.php:

<?php

// strip_tags() treats '<secretpassword>' as an HTML tag and removes it, so the
// first call hashes '' and the second (null) also ends up hashing '': both
// print md5('').
function hashp($password) {
    return md5(addslashes(strip_tags($password)));
}

echo hashp('<secretpassword>') . " | " . hashp(null);

Output:

d41d8cd98f00b204e9800998ecf8427e | d41d8cd98f00b204e9800998ecf8427e
@auscash

auscash commented Aug 16, 2019

You actually don't need any sanitisation on the input for the password, so long as one exists and meets some validation criteria if applicable, like >= 8 characters, at least one uppercase, at least one digit, at least one symbol not in A-Z, a-z, 0-9.

After that, you have a hash, which is fine. Use bcrypt instead of md5. The code will need significant clean up for PHP 7 and explicitly support it, without backwards compatibility for PHP 5. There's no good reason to keep it stuck with PHP 5.

You need sanitisation and additional checks when any untrusted input goes into the database.
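The collision shown in the issue body, beside the bcrypt replacement suggested in the comment above, as an added PHP example that is not code from the original repository; the names hashp_vulnerable, hashp_fixed and login_fixed are chosen here for illustration.

```php
<?php
// Added example (not from the repository): the hashing pattern reported in the
// issue next to a corrected version, so the failure mode and the fix are visible.

// Vulnerable: strip_tags() turns '<secretpassword>' into '' before hashing,
// so the stored value is md5('') and an empty submitted password matches it.
function hashp_vulnerable(?string $password): string {
    return md5(addslashes(strip_tags((string) $password)));
}

// Corrected: the password is hashed exactly as entered (no stripping, no
// escaping) with bcrypt via password_hash(). An empty password is refused
// here instead of being stored, since that is what made the bug exploitable.
function hashp_fixed(string $password): ?string {
    if ($password === '') {
        return null;
    }
    return password_hash($password, PASSWORD_BCRYPT);
}

// Login check for the corrected scheme. password_verify() reads the salt and
// cost from the stored bcrypt string, so no extra parameters are needed.
function login_fixed(string $submitted, string $storedHash): bool {
    return password_verify($submitted, $storedHash);
}

// Constructed demonstration values.
$chosen = '<secretpassword>';

// Vulnerable path: the chosen password and an empty string produce one hash,
// which is why the account can be entered without a password.
echo "vulnerable: '' collides with chosen password: ",
     var_export(hashp_vulnerable($chosen) === hashp_vulnerable(''), true), "\n";

// Corrected path: the chosen password verifies, the empty string does not,
// and an empty password cannot be stored at all.
$stored = hashp_fixed($chosen);
echo "fixed: chosen password accepted: ",
     var_export(login_fixed($chosen, $stored), true), "\n";
echo "fixed: empty password accepted:  ",
     var_export(login_fixed('', $stored), true), "\n";
echo "fixed: empty password storable:  ",
     var_export(hashp_fixed('') !== null, true), "\n";
```

Run with `php example.php` (PHP 7.0 or later for the scalar type declarations); the `?string` parameter on the vulnerable function mirrors the `hashp(null)` call from the issue.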
