需要输入密码输入清理？ [英] Is password input sanitization required?

问题描述

我想是消毒的通过确保数据是有效的特定字段（如名称不能包含特殊字符/数字等。）但是，我不知道该怎么做输入任何数据当涉及到密码字段。我甚至会需要使用任何消毒打扰作为密码简直是哈希？如果用户是注入任何通过密码文本框恶意，我应该麻烦检查任何可疑？据我所知，一些用户可能（！应该）有特殊的字符，例如'＆LT; >，这通常会触发潜在的攻击警报。如果我只是离开了密码字段unsanitized？限制输入口令对我来说是一个不得已而为之，因为我觉得用户应该使用各种字符的密码。

感谢

解决方案

只要你在你的应用程序散列它，你应该确定。

一个有点题外话考虑您正在使用asp.net，但如果你正在使用PHP和MySQL做这样的事情一个值得注意的例外，这将是：

 更新用户设置密码= PASSWORD（'$ PWD'）其中userid = $ UID
 

在这种情况下，你想先消毒$ PWD。

I'm trying to sanitize any data that's inputted by making sure the data is valid for a particular field (e.g. a name can't contain special characters/numbers etc..) However, I'm not sure what to do when it comes to a password field. Would I even need to bother with any sanitization as the password is simply hashed? If the user was to inject anything malicious via the password textbox, should I bother checking for anything suspicious? AFAIK, some users may (should!) have special characters such as '< >', which would normally trigger a potential attack alert. Should I just leave the password field unsanitized? Limiting input for passwords is a last resort for me, as I feel users should use all sorts of characters in their passwords.

Thanks

解决方案

As long as you are hashing it in your application, you should be OK.

A bit off topic considering you are using asp.net, but a notable exception to that would be if you are using PHP and MySQL and doing something like this:

UPDATE users SET password = PASSWORD('$pwd') WHERE userid = $uid

In that case you would want to sanitize $pwd first.

这篇关于需要输入密码输入清理？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！