Is there any point in using a prepared statement on a password_hash value?

When using the password_hash() function to generate a hashed password is there any reason why I would want to use a prepared statement when inserting it into the database?

My assumption is that I do not need to use a prepared statement for the password but for consistency's sake it doesn't hurt to use one.

Additional question:

If I am using the PASSWORD_DEFAULT parameter of the password_hash function, it will currently use the bcrypt algorithm but can be replaced with a different algorithm in the future. Would a future algorithm ever use a single quote or some other symbol that might break the SQL statement if I do not use prepared statements?

Asked by kojow7, Mar 12 '23


1 Answer

is there any reason why I would want to use a prepared statement when inserting it into the database?

YES

Simply because a database layer should be absolutely ignorant about data source, nature, meaning or prior validations. The job of a database layer is to put your data in a database correctly. And prepared statements are the only proper way of doing so.

So, in your own words, "but for consistency's sake it doesn't hurt to use one".

Answered by Your Common Sense, Mar 16 '23
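As an added illustration of the answer (this code is not from the question or the answer above), here is the pattern in PHP with PDO: the `password_hash()` output is bound as a parameter on insert, the login check reads it back the same way, and `password_needs_rehash()` upgrades stored hashes when `PASSWORD_DEFAULT` changes, which is exactly the situation the follow-up question worries about. Because the hash is a bound value and never part of the SQL text, it does not matter which characters a future algorithm emits. The DSN, credentials, the `users` table and its columns (`id`, `username`, `password_hash`) are assumptions for the example.

```php
<?php
// Added example, not code from the original page. Assumes a table
//   users(id INT PRIMARY KEY AUTO_INCREMENT, username VARCHAR(64) UNIQUE,
//         password_hash VARCHAR(255))
// (the PHP manual recommends at least 255 characters for the hash column so
// that future PASSWORD_DEFAULT algorithms with longer output still fit).
// The DSN and credentials below are placeholders.
declare(strict_types=1);

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4',  // placeholder DSN
        'app_user',                                          // placeholder user
        'app_password',                                      // placeholder password
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
        ]
    );
}

function createUser(PDO $pdo, string $username, string $password): void
{
    // Hash first, then hand the hash to the database as a bound parameter.
    // The driver never interpolates it into the SQL string, so quotes or any
    // other symbol a future algorithm might emit cannot break the statement.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    $stmt = $pdo->prepare(
        'INSERT INTO users (username, password_hash) VALUES (:username, :hash)'
    );
    $stmt->execute([':username' => $username, ':hash' => $hash]);
}

function checkLogin(PDO $pdo, string $username, string $password): bool
{
    // Same discipline on the read path: the username is a bound parameter too.
    $stmt = $pdo->prepare(
        'SELECT id, password_hash FROM users WHERE username = :username'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        return false; // unknown user
    }

    if (!password_verify($password, $row['password_hash'])) {
        return false; // wrong password
    }

    // If PASSWORD_DEFAULT (or its cost) has changed since this hash was stored,
    // re-hash now that we hold the plaintext and update through a prepared
    // statement. This is how a new default algorithm rolls out over time.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $update = $pdo->prepare(
            'UPDATE users SET password_hash = :hash WHERE id = :id'
        );
        $update->execute([
            ':hash' => password_hash($password, PASSWORD_DEFAULT),
            ':id'   => $row['id'],
        ]);
    }

    return true;
}

// Usage (constructed sample values):
// $pdo = connect();
// createUser($pdo, 'alice', 'correct horse battery staple');
// var_dump(checkLogin($pdo, 'alice', 'correct horse battery staple')); // bool(true)
// var_dump(checkLogin($pdo, 'alice', 'wrong password'));               // bool(false)
```

Note that `checkLogin()` returns a plain boolean and does not distinguish "no such user" from "wrong password" to the caller; if you expose a login API, keep that distinction out of the response as well.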