When using the password_hash() function to generate a hashed password, is there any reason why I would want to use a prepared statement when inserting it into the database?
My assumption is that I do not need to use a prepared statement for the password but for consistency's sake it doesn't hurt to use one.
Additional question:
If I am using the PASSWORD_DEFAULT parameter of the password_hash function, it will currently use the bcrypt algorithm but can be replaced with a different algorithm in the future. Would a future algorithm ever use a single quote or some other symbol that might break the SQL statement if I do not use prepared statements?
is there any reason why I would want to use a prepared statement when inserting it into the database?
Simply because a database layer should be absolutely ignorant about data source, nature, meaning or prior validations. The job of a database layer is to put your data in a database correctly. And prepared statements are the only proper way of doing so.
So, in your own words, "but for consistency's sake it doesn't hurt to use one".