Tags: php, security, passwords, password-hash

Sanitizing passwords for password_hash()


I was reading about the null-byte problem when using password_hash(). This gave me two questions:

  • Is the null-byte vulnerability still present as of PHP7? I tried replicating it with password_hash(), but either it was fixed or I cannot replicate it. password_verify() returns false when characters after \0 differ or are absent.
  • Is there any other caveat I should be aware of when processing passwords? I do not want to sanitize them per se (the user needs to be sure that the processed password string is exactly what they sent), but I saw code like this around (again, vs null-bytes): str_replace(chr(0), '', $input). Should I use this when processing passwords? Should I use something else too?

Solution

  • You can test this with

    // double-quoted: a real NUL byte (0x00) followed by " abc"
    $hash = password_hash("\x00 abc", PASSWORD_DEFAULT);
    var_dump(password_verify("\x00 foo", $hash)); // true ???

    But when submitting a password from e.g. a form you receive the string '\x00 password', which will not interpolate like "\x00 password" would (single vs double quotes).

    $hash = password_hash("\x00 abc", PASSWORD_DEFAULT);
    // single-quoted: the four literal characters \ x 0 0, no NUL byte at all
    var_dump(password_verify('\x00 foo', $hash)); // false!
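The following script is an added example, not code from the thread. It probes what your own PHP build does with the answer's three inputs (a hash of "\x00 abc" checked against "\x00 abc", "\x00 foo" and the single-quoted '\x00 foo'), and shows a registration-side guard that rejects, rather than strips, input bcrypt cannot represent faithfully: NUL bytes and passwords over bcrypt's 72-byte limit. The names `bcryptPasswordProblem` and `probeNullByte` are mine; the `ValueError` catch covers builds that refuse NUL bytes outright, which is an assumption about newer releases rather than something verified here.

```php
<?php
// Added example (not from the thread above): probe NUL-byte handling in
// bcrypt hashes and reject problematic passwords before hashing them.
declare(strict_types=1);

// Returns null when $password is safe to hand to bcrypt, otherwise a reason.
// Rejecting is preferable to str_replace(chr(0), '', ...): stripping bytes
// silently changes the password the user thinks they registered.
function bcryptPasswordProblem(string $password): ?string
{
    if (strpos($password, "\0") !== false) {
        return 'contains a NUL byte';
    }
    // bcrypt only uses the first 72 bytes; longer inputs are truncated, so
    // two passwords sharing a 72-byte prefix would verify against each other.
    if (strlen($password) > 72) {
        return 'longer than 72 bytes';
    }
    return null;
}

// Hashes $stored with bcrypt and reports, per candidate, whether it verifies.
function probeNullByte(string $stored, array $candidates): array
{
    $hash = password_hash($stored, PASSWORD_BCRYPT);
    $results = [];
    foreach ($candidates as $candidate) {
        $results[bin2hex($candidate)] = password_verify($candidate, $hash);
    }
    return $results;
}

// Constructed inputs taken from the answer: on that poster's PHP version the
// second candidate verified because bcrypt stopped reading at the NUL byte.
// The third is the single-quoted form, i.e. a backslash, 'x', '0', '0'.
try {
    $probe = probeNullByte("\x00 abc", ["\x00 abc", "\x00 foo", '\x00 foo']);
    foreach ($probe as $hex => $ok) {
        printf("%-18s verifies: %s\n", $hex, $ok ? 'true' : 'false');
    }
} catch (ValueError $e) {
    // Assumption: some newer builds reject NUL bytes instead of truncating.
    echo "password_hash() rejected the input: {$e->getMessage()}\n";
}

// The guard a registration handler should run before calling password_hash().
foreach (["\x00 abc", str_repeat('a', 73), 'correct horse'] as $pw) {
    printf("%-10s... -> %s\n", bin2hex(substr($pw, 0, 4)), bcryptPasswordProblem($pw) ?? 'ok');
}
```

The probe output is what tells you whether your build truncates at the NUL byte; the guard's verdicts do not depend on the PHP version.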