
A set of valid characters for web site passwords

Hi, I was composing a regex for a password field on my site and had a concern:

Are there any characters I should block a user from entering? If so why?

Or is it enough just to escape dangerous characters like = and ' when processing data? It seems good for this topic to list the PHP functions for escaping those, if you would.

Thanks!

Bijou Trouvaille asked Dec 17 '22 23:12


2 Answers

I hash anything a user enters as a password, so I don't care what they enter; it never touches my database and can't cause any harm: md5($_POST['password'])

Other fields are a different story...

mysql_real_escape_string() is a great function for escaping data in queries.

Fosco answered Dec 19 '22 13:12


Like other people have already said, hashing the user's password before saving it to the database will mean you don't have to worry about what the user enters.

Whilst we're on the subject of hashing, you might even want to consider adding a 'salt' to the password before it is hashed. A salt is a random string (for example, the user's email address) that will help to improve the uniqueness of the hash generated (different users that have the same password will generate the same hash without the salt).

For more information take a read of: http://phpsec.org/articles/2005/password-hashing.html

greenie answered Dec 19 '22 12:12
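The two points made in the answers above, worked through in PHP as an added example (this is not code from either answer): the password is hashed before it is stored, so its characters never reach the database, and the remaining fields are bound through a prepared statement rather than escaped by hand. The example uses password_hash() and password_verify() instead of md5(); password_hash() generates a random per-user salt itself and embeds it in the string it returns, which is the salting greenie describes. An in-memory SQLite database stands in for MySQL so the script runs offline; the users table layout, the function names and the sample input are assumptions made for this example.

```php
<?php
// Added example, not code from either answer above. It shows both points:
// the password is hashed before it is stored, so its characters never reach
// the database, and every other field is bound through a prepared statement
// instead of being escaped by hand. password_hash() (PHP >= 5.5) is used in
// place of md5(); it draws a random per-user salt itself and embeds it in the
// string it returns. An in-memory SQLite database stands in for MySQL so the
// script runs offline; the table layout is assumed for this example.
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        email TEXT NOT NULL UNIQUE,
        password_hash TEXT NOT NULL
    )');
    return $db;
}

// Register a user and return the stored hash. The e-mail is bound as a
// parameter: quotes, equals signs and the like are stored literally and are
// never parsed as SQL, so no escaping function is needed.
function registerUser(PDO $db, string $email, string $password): string
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare(
        'INSERT INTO users (email, password_hash) VALUES (:email, :hash)'
    );
    $stmt->execute([':email' => $email, ':hash' => $hash]);
    return $hash;
}

// Check a login. password_verify() reads the algorithm, cost and salt out of
// the stored string and compares in constant time. When the e-mail is
// unknown, a verification against a dummy hash is still run so that the
// response time does not reveal whether the account exists.
function checkLogin(PDO $db, string $email, string $password): bool
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy', PASSWORD_DEFAULT);
    }

    $stmt = $db->prepare('SELECT password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $hash = $stmt->fetchColumn();

    if ($hash === false) {
        password_verify($password, $dummyHash);
        return false;
    }
    return password_verify($password, $hash);
}

$db = openDb();

// Constructed sample input: the characters the question worries about, in
// both fields.
$email    = "o'brien=<b>@example.com";
$password = "pa'ss=word; DROP TABLE users; --";

$hash1 = registerUser($db, $email, $password);
$hash2 = registerUser($db, 'second@example.com', $password);

printf("same password, different stored hashes: %s\n",
    $hash1 !== $hash2 ? 'yes' : 'no');
printf("correct password accepted: %s\n",
    checkLogin($db, $email, $password) ? 'yes' : 'no');
printf("wrong password rejected: %s\n",
    checkLogin($db, $email, 'wrong') ? 'no' : 'yes');
printf("unknown user rejected: %s\n",
    checkLogin($db, 'nobody@example.com', $password) ? 'no' : 'yes');

$stored = $db->query('SELECT email FROM users ORDER BY id')
             ->fetchAll(PDO::FETCH_COLUMN);
printf("e-mail stored exactly as typed: %s\n",
    $stored[0] === $email ? 'yes' : 'no');
```

Run it with php on a build that has the pdo_sqlite extension. Two caveats worth knowing: PASSWORD_DEFAULT is currently bcrypt, which only looks at the first 72 bytes of the password, so a length limit around that size is the one restriction that actually matters; and mysql_real_escape_string() belongs to the old mysql extension, which was removed in PHP 7.0, so against a real MySQL server the prepared statement above (through PDO or mysqli) is the replacement, with mysqli_real_escape_string() left for the rare case where a value cannot be bound.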