BradyM - 1 year ago
PHP Question

PDO password_verify, do I need to sanitize?

I have a

file using PDO for my website. For all my other queries up to this point based on user input, I've been using prepared statements to protect against SQL injection. However, for the login section, I'm comparing the inputted password against the hashed value in my database using
. I can't really use a prepared statement for this as my code looks like this:

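if ($res->fetchColumn() == 1) {
    $stmt2 = $conn->prepare("SELECT `password` FROM members WHERE :email = `email`");
    $stmt2->bindParam(':email', $email);
    // execute() returns true/false, not a result object, so fetch from the statement
    $stmt2->execute();
    $passhash = $stmt2->fetchColumn();
    // password_verify is a function (no leading $); the array key must be quoted
    password_verify($_POST['password'], $passhash);
    //^^ do i need to sanitize that?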

//login failed

This seems like it will be a simple answer, but I just want to make sure I'm doing it right.

Answer Source

You don't need to sanitize it, as you are going to compare it with the hashed password from the database.

Plus, on register.php you don't need to sanitize the password, as you are going to hash it using password_hash() and then save it to the database, which won't cause any harm because it's already hashed.

Any sanitizing of the password on register may spoil it. For example, if the user used a password like mypassword'1'2'3, after sanitizing it will be mypassword\'1\'2\'3, which is not the same.

Hope it helps.
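The point made in the answer, as an added example that is not part of the original question or answer: the e-mail goes into SQL only as a bound parameter, the raw password goes only into password_hash() / password_verify(), and an escaped copy of the password stops matching. Assumptions: an in-memory SQLite database through the pdo_sqlite extension, a constructed `members` table and account, and hypothetical helper names `register()` and `login()`.

```php
<?php
declare(strict_types=1);
// Added example, not the asker's code. Assumes the pdo_sqlite extension;
// the table layout and the sample account are constructed for the demo.

$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE members (email TEXT PRIMARY KEY, password TEXT NOT NULL)');

function register(PDO $conn, string $email, string $password): void
{
    // The raw password goes straight into password_hash(); only the hash
    // reaches SQL, and it does so as a bound parameter.
    $stmt = $conn->prepare('INSERT INTO members (email, password) VALUES (:email, :hash)');
    $stmt->execute([
        ':email' => $email,
        ':hash'  => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

function login(PDO $conn, string $email, string $password): bool
{
    $stmt = $conn->prepare('SELECT password FROM members WHERE email = :email');
    $stmt->execute([':email' => $email]); // returns bool; rows are read from $stmt
    $hash = $stmt->fetchColumn();         // false when no row matches the e-mail

    // The submitted password never becomes part of a query, so there is
    // nothing to escape: it is only compared against the stored hash.
    return is_string($hash) && password_verify($password, $hash);
}

$raw = "mypassword'1'2'3"; // the password used as an example in the answer
register($conn, 'user@example.com', $raw);

// 1. The same bytes that were registered.
var_dump(login($conn, 'user@example.com', $raw));
// 2. An escaped copy (mypassword\'1\'2\'3): different bytes than were hashed.
var_dump(login($conn, 'user@example.com', addslashes($raw)));
// 3. Quote characters in the e-mail are treated as data by the bound parameter.
var_dump(login($conn, "' OR '1'='1", $raw));
```

Only the first call authenticates; the second shows how "sanitizing" a password before verification locks out a legitimate user.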