When stored the user password hash to the database, developers often consider using technologies such as Escape_String () or Addslashhes () for pre -processing. However, this approach is neither necessary, and may cause hidden safety hazards.
Why not need to transfer the password?
The transfer of passwords before hash will not enhance security. The hash process itself ensures the security storage of the password, regardless of its content. The hash algorithm does not regard specific characters as special characters, and any behavior that trys to clean up the password may be introduced into loopholes. Potential security risks of password pre -processing
Cleaning password may bring additional security challenges:
Unnecessary complexity:
Cleaning unnecessary code, which may introduce errors or vulnerabilities.Compatibility issues:
Storage the password after the hash as Varchar (255) or Text to ensure that in the future can adapt to different hash methods.
| Method | Results |
|---|---|
| "I'm a" designrt topping "& a | |
| "I'm a & quot; dessert topping & quot; & amp; a & lt;! "(Special characters have been encoded) | |
| htmlspectchars () | the same as htmleentities () |
| addslashes () | "i \ 'm a \" dessert topping \ "& a !" (Already Add transit characters) |
| strip_tags () | "I'm a" desated topping "& a!" (Tags have been removed) |
Conclusion
It is unnecessary to transfer the password provided by the user before hash, and it may bring security risks. By following the above best practice, developers can ensure that their passwords are stored safely and efficient.The above is the detailed content of Should I Cleanse Passwords Before Hashing for Database Storage?. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
