sha256, mysql_real_escape_string - are both needed?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Dave2000
Forum Contributor
Posts: 126
Joined: Wed Jun 21, 2006 1:48 pm

sha256, mysql_real_escape_string - are both needed?

Post by Dave2000 »

1) If I am going to be sha256 hashing all passwords, do I need to also pass them through mysql_real_escape_string() before inserting into the database?

2)

$password = hash('sha256', $password);
Is this the recommended way for sha256ing something? It's the only way I can find to do it, yet this page doesn't seem very busy - I am thinking there would be more user comments if the function is recommended... :?

Thanks

Shears
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

These are 2 different things. In general, you should always use mysql_real_escape_string() before inserting any user input to the database.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

It is not necessary to escape your data if it is being hashed.
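Why the hash needs no escaping, as an added PHP example that is not part of this thread: hash('sha256', ...) returns a 64-character lowercase hex string, so none of the characters an SQL escaper rewrites (quotes, backslash, NUL, newlines) can ever appear in it. The example uses addslashes() as a stand-in for mysql_real_escape_string(), which needs an open MySQL link, and assumes a users(username, password_hash) table and an open PDO connection in $pdo for the storage step.

```php
<?php
// Added example, not code from the thread. Demonstrates that a hex SHA-256
// digest contains nothing an SQL escaper would change, and stores it with a
// bound parameter so the question of escaping never arises.

// Digest of a password; hash() returns lowercase hex by default (64 chars for sha256).
function passwordDigest(string $password): string
{
    return hash('sha256', $password);
}

// A hex digest can only contain [0-9a-f]. Quotes, backslashes, NUL bytes and
// newlines (the characters mysql_real_escape_string() rewrites) cannot appear.
function isHexDigest(string $digest): bool
{
    return preg_match('/^[0-9a-f]{64}$/', $digest) === 1;
}

// Escaping the digest is a no-op: the escaped form is byte-for-byte identical.
// addslashes() stands in for mysql_real_escape_string(), which needs a live link.
function escapingIsNoOp(string $digest): bool
{
    return addslashes($digest) === $digest;
}

// Store with a bound parameter (assumed table users(username, password_hash),
// assumed PDO connection $pdo). The driver quotes the values, so neither the
// username nor the digest is ever concatenated into the SQL text.
function storeUser(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    return $stmt->execute([':u' => $username, ':h' => passwordDigest($password)]);
}

// Constructed input containing every character an SQL escaper cares about.
$password = "it's \"tricky\"\\ \x00 \n pa55word";
$digest   = passwordDigest($password);

var_dump(isHexDigest($digest));
var_dump(escapingIsNoOp($digest));
```

The hex check is the property John Cartwright's answer relies on: whatever the user typed, the value that reaches the INSERT is the digest, not the raw input. mysql_real_escape_string() and the rest of the mysql_* extension were removed in PHP 7, so the bound-parameter form in storeUser() is the one that still runs today and also covers the username, which is not hashed and does need protection.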
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

I generally escape everything unless I know it's an integer. That way I don't have to worry about whether or not it contains anything that needs to be escaped and it makes the code more robust and secure. Having multiple layers of defense is not a bad thing.
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

As I said, these are 2 different things. It has nothing to do with multiple layers of defense... but yes, escaping even the hash - although it isn't really needed - would be a good idea since you have to expect the unexpected. It won't harm, that's for sure :wink:
Dave2000
Forum Contributor
Posts: 126
Joined: Wed Jun 21, 2006 1:48 pm

Post by Dave2000 »

Thanks for replying guys :) I will escape my hashes then. As you said, it can't hurt ;)

Shears :)

PS.
Oren wrote:These are 2 different things.
I never meant to imply I thought they were connected - hmm, I don't think I did 8O
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

If you want to make sure hashing works, check out the sha256 link in my signature. It will use the built-in function(s) if they are available. Otherwise it will perform the hash itself, provided you have bcmath loaded.