BradyM - 4 months ago
PHP Question

PDO password_verify, do I need to sanitize?

I have a login.php file using PDO for my website. For all my other queries up to this point based on user input, I've been using prepared statements to protect against SQL injection. However, for the login section, I'm comparing the inputted password against the hashed value in my database using password_verify(). I can't really use a prepared statement for this, as my code looks like this:

if ($res->fetchColumn() == 1) {
    $stmt2 = $conn->prepare("SELECT `password` FROM members WHERE `email` = :email");
    $stmt2->bindParam(':email', $email);
    $stmt2->execute();                 // execute() returns a bool, not a result set
    $passhash = $stmt2->fetchColumn(); // fetch the hash from the statement itself
    if (password_verify($_POST['password'], $passhash)) {
        //^^ do i need to sanitize that?
        //login succeeded
    } else {
        //login failed
    }
} else {
    //login failed
}


This seems like it will be a simple answer, but I just want to make sure I'm doing it right.

Answer

You don't need to sanitize it, as you are going to compare it with the hashed password from the database.

Plus, on register.php you don't need to sanitize the password, as you are going to hash it using password_hash() and then save it to the database, which won't cause any harm because it's already hashed.

Any sanitizing of the password on register may spoil it. For example, if the user used a password like mypassword'1'2'3, after sanitizing it will be mypassword\'1\'2\'3, which is not the same.

Hope it helps.
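As an added example (not the asker's or the answerer's code), here is the register-and-login flow the answer describes, written against PDO with prepared statements, password_hash() and password_verify(). It uses an in-memory SQLite database instead of the asker's MySQL server so it runs stand-alone; the `members` table with `email` and `password` columns follows the question's query, and the sample user and the dummy hash used for unknown emails are constructed for the example. It also shows the two points the answer makes: the password string never reaches SQL (the email is a bound parameter, the password only goes through the hash functions), and escaping the password with addslashes() before verifying makes a correct password fail.

```php
<?php
declare(strict_types=1);

// In-memory SQLite stands in for the asker's MySQL database (assumption).
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE members (email TEXT PRIMARY KEY, password TEXT NOT NULL)');

// register.php equivalent: hash the raw password exactly as the user typed it.
// The hash (not the password) is what the prepared statement stores.
function registerMember(PDO $conn, string $email, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $conn->prepare('INSERT INTO members (`email`, `password`) VALUES (:email, :password)');
    $stmt->execute([':email' => $email, ':password' => $hash]);
}

// login.php equivalent: the email is a bound parameter, so the prepared
// statement handles SQL injection; the password never touches SQL at all.
function loginMember(PDO $conn, string $email, string $password): bool
{
    // Dummy hash (constructed once) so an unknown email costs the same time
    // as a wrong password and does not reveal which emails are registered.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-password-for-timing', PASSWORD_DEFAULT);
    }

    $stmt = $conn->prepare('SELECT `password` FROM members WHERE `email` = :email');
    $stmt->execute([':email' => $email]);
    $passhash = $stmt->fetchColumn();

    if ($passhash === false) {
        password_verify($password, $dummyHash);
        return false;
    }
    return password_verify($password, $passhash);
}

// Constructed sample input using the answer's example password.
$email    = 'alice@example.com';
$password = "mypassword'1'2'3";
registerMember($conn, $email, $password);

// The raw password verifies against the stored hash.
if (!loginMember($conn, $email, $password)) {
    throw new RuntimeException('raw password should verify');
}

// "Sanitizing" the password with addslashes() changes the string, so the
// same user can no longer log in: this is the spoiling the answer warns about.
if (loginMember($conn, $email, addslashes($password))) {
    throw new RuntimeException('escaped password should not verify');
}

// An injection attempt in the email field is just a literal string to the
// prepared statement and matches no row.
if (loginMember($conn, "' OR 1=1 --", $password)) {
    throw new RuntimeException('injection string should not log in');
}

echo "all checks passed\n";
```

Run it with `php example.php`; it throws if any of the three checks behaves differently from what the answer states. Note that the only escaping that belongs anywhere in this flow is the parameter binding PDO does for the email, and that no escaping at all is applied to the password on either the register or the login side.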