Sql injection in php limit my password requirement on register page ?
Posted on 2014-01-10
Today, I review password requirement for my site register page. After understanding of
SQL injection matter, I doubt about what the requirement or validation password
in input password field for users before submitting the register form ?
Do you think it is just let the requirement for password only with letters (upper or lowers cases or numbers) allowed that help to prevent any sql injection to mysql database
completely, (for example, such as password as '1' OR '1'='1' is not allowed) , Right ? Why I ask that , because I think if I am not allowing users or others
to input ' and '' or NULL or special characters to password requirement or validation on login page so that they are never able to do any SQL injection, Right ?
If what I said on question-1 is correct, why not let our users to input any character they like for his password including character of ' and '' if we can do hashing with md5() on those
password they input before running any mysql code in my register php page.
I mean hashing user passwords(any character they like) by md5() before submitting
to mysql database since the output of md5() is no any character of ' and " or NUL or
Anyway I guess that is not right, if right, why people suggest me to prevent SQL injection
by using PHP PDO or mysqli instead of mysql, and use prepare and bind_param
I read a lot of articles from search in EE for "SQL injection", but it is really
hard to read them all for solving SQL injection completely just for setting password
Duncan ( I was using mysql , NOW switch to mysqli and intend to use PHP PDO if need)