sha256, mysql_real_escape_string - are both needed?
Posted: Sun Jul 22, 2007 11:23 am
by Dave2000
1) If I am going to be sha256 hashing all passwords, do i need to also pass them through mysql_real_escape_string() before inserting into database?
2)
Code:
    $password = hash('sha256', $password);
Is this the recommended way for sha256ing something? It's the only way I can find to do it, yet
this page doesn't seem very busy - I am thinking there would be more user comments if the function is recommended...
Thanks
Shears
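An added example (not code from the thread) that walks through the flow in the question: hash the password with hash('sha256', ...), look at what the digest actually contains, and store it. It uses an in-memory SQLite database through PDO so it runs offline; the users table and its column names are hypothetical. Two points it makes concrete: hash() returns 64 lowercase hex characters, so there is nothing in the digest for an escaping function to change, and a prepared statement with bound parameters removes the escaping question for the username as well, which is still raw user input. A practitioner's caveat: a bare sha256 is fast and unsalted, so for actual password storage modern PHP provides password_hash() and password_verify() (PHP 5.5 and later); the example keeps sha256 only to match the question.

```php
<?php
// Added example, not code from the original thread. The table and column
// names are hypothetical; the inputs below are constructed sample data.

// Small assertion helper so the script fails loudly regardless of the
// zend.assertions ini setting.
function check(bool $cond, string $msg): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $msg");
    }
}

// Constructed sample inputs. The password deliberately contains quote,
// backslash and semicolon characters that an escaping function would touch.
$username = "dave'2000";
$password = "p'ass\\w\"ord; --";

// 1) The digest. For sha256, hash() returns 64 lowercase hex characters.
$digest = hash('sha256', $password);
check(strlen($digest) === 64, 'sha256 hex digest is 64 characters');
check(preg_match('/^[0-9a-f]{64}$/', $digest) === 1, 'digest is hex only');
// Hex digits contain nothing that needs escaping, so
// mysql_real_escape_string($digest) would return $digest unchanged.
// The escaping question only ever applied to the raw password text,
// and the raw text is never sent to the database here.

// 2) Storage. Bind values instead of escaping: the username is raw user
// input, and a prepared statement keeps it out of the SQL text entirely.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

function storeUser(PDO $pdo, string $username, string $digest): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $digest]);
}

function checkPassword(PDO $pdo, string $username, string $candidate): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown user
    }
    // Constant-time comparison of the stored and recomputed hex digests.
    return hash_equals($stored, hash('sha256', $candidate));
}

storeUser($pdo, $username, $digest);
check(checkPassword($pdo, $username, $password) === true, 'correct password verifies');
check(checkPassword($pdo, $username, 'wrong') === false, 'wrong password is rejected');
check(checkPassword($pdo, 'nobody', $password) === false, 'unknown user is rejected');

// The quote in the username was stored as data, not interpreted as SQL.
$row = $pdo->query('SELECT username FROM users')->fetchColumn();
check($row === "dave'2000", 'username stored verbatim');

echo "ok\n";
```

Run it with the PHP CLI (php example.php); it needs the pdo_sqlite extension, which ships with most PHP builds. The verification function compares digests with hash_equals() rather than ==, so the comparison time does not depend on where the first differing byte is.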
Posted: Sun Jul 22, 2007 11:41 am
by Oren
These are 2 different things. In general, you should always use mysql_real_escape_string() before inserting any user input to the database.
Posted: Sun Jul 22, 2007 11:51 am
by John Cartwright
It is not necessary to escape your data if it is being hashed.
Posted: Sun Jul 22, 2007 1:03 pm
by Benjamin
I generally escape everything unless I know it's an integer. That way I don't have to worry about whether or not it contains anything that needs to be escaped and it makes the code more robust and secure. Having multiple layers of defense is not a bad thing.
Posted: Sun Jul 22, 2007 2:40 pm
by Oren
As I said, these are 2 different things. It has nothing to do with multiple layers of defense... but yes, escaping even the hash - although it isn't really needed - would be a good idea since you have to expect the unexpected. It won't harm, that's for sure.

Posted: Sun Jul 22, 2007 2:47 pm
by Dave2000
Thanks for replying guys

I will escape my hashes then. As you said, it can't hurt.
Shears
PS.
Oren wrote: These are 2 different things.
I never meant to imply I thought they were connected - hmm, I don't think I did.

Posted: Sun Jul 22, 2007 4:46 pm
by feyd
If you want to make sure hashing works, check out the sha256 link in my signature. It will use the built-in function(s) if they are available. Otherwise it will perform the hash itself, provided you have bcmath loaded.