Is the use of special characters in a login form a security risk?

I require users registering a password to use at least one special character. Passwords can be up to 20 characters long. When gathering the password from POST, I think <> tags will be removed. Am I correct about that?

Also are there any special characters that could pose a security risk and should not be allowed? In other words could someone write code into the password input field and what characters would they use? Keep in mind the max length is 20 characters.
$password = trim(strip_tags($_POST['password']));


kadin asked:

Gary commented:
Allow any character; if someone uses <> in their password and you strip it, their password will not work.
Really, you should be hashing the password when storing it. Use md5 to encrypt it so you end up with something like this, which is completely safe and protects the password.
5251eb4034d5575829b64d804dc4ffd4

You will then use md5 to hash the password when checking the login.

Using PDO/MySQLi and bound parameters, there is nothing to worry about.
0
kadin (Author) commented:
Thanks for your response.

What about strip_tags() above? Won't that remove < > symbols? Should I not use strip_tags() on a password before storing in a database?
0
Gary commented:
No, don't strip tags. What are you using to connect to the DB?
(I did edit my comment above slightly)
0
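An added example (not code from the question or from either comment above) that puts the two points of the answers together: the password is stored exactly as typed, with no strip_tags(), and it is only ever sent to the database as a bound parameter. It uses PHP's password_hash()/password_verify() in place of the md5 named in the comment, and an in-memory SQLite database through PDO (assumes the pdo_sqlite extension) so it runs offline; the table name, the username and the sample 20-character password are constructed for this example.

```php
<?php
// Added example, not from the original question or answers.
// Shows why strip_tags() must not touch a password before hashing, and why
// bound parameters make the characters in the password irrelevant to the SQL.
// Assumes the pdo_sqlite extension; table name and sample values are constructed.

function createSchema(PDO $db): void {
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
}

function storeUser(PDO $db, string $username, string $password): void {
    // Hash the password exactly as submitted: every byte counts, including < > ' " ;
    // PASSWORD_DEFAULT currently selects bcrypt and embeds a random salt in the hash.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // The raw password never appears in the SQL text; only the hash is bound.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function checkLogin(PDO $db, string $username, string $password): bool {
    // Username is a bound parameter too, so quotes or comment markers in it stay data.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    // password_verify() reads the algorithm and salt from the stored hash and
    // compares in constant time.
    return password_verify($password, $row['password_hash']);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createSchema($db);

// Constructed sample: a 20-character password containing <>, quotes and a comment marker.
$typed = "pa<s>s'w\"ord;--!2024";

// strip_tags() removes the <s> "tag", so the stripped string is a different password.
var_dump(strlen($typed));
var_dump(strip_tags($typed) === $typed);

storeUser($db, 'kadin', $typed);

// The password as typed verifies; the strip_tags() version is a different string
// and does not; a username built from SQL syntax is matched as a literal string.
var_dump(checkLogin($db, 'kadin', $typed));
var_dump(checkLogin($db, 'kadin', strip_tags($typed)));
var_dump(checkLogin($db, "' OR 1=1 --", $typed));
```

Run it with `php example.php`. The one transformation applied to the password is trim(), if you choose to keep it; anything else (strip_tags, htmlspecialchars, addslashes) changes the secret before it is hashed, and the user will be unable to log in with what they actually typed. Output encoding belongs at the point where data is rendered into HTML, not at registration.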

kadin (Author) commented:
I already use hashing and PDO prepared statements. Thanks for your help.
0