bradgrafelman;11027601 wrote: +1 with actually sanitizing and validating your inputs as appropriate rather than trying to find a blanket approach (because there isn't one; it's even worse than "jack of all trades, master of none" if you ask me). Simple example, say I come up with this rather secure password of " <mySuper$ecret>password", and say you fall victim to using some variant of garbage like:
//prevent SQL injections and stuff and things
$password = trim(strip_tags($_POST['password']));
Not only did you mangle user input, but you've now reduced my rather secure password to the word "password" for no apparent reason. (And I bet you didn't even admit to me in some sort of error/explanatory message, did you?!)
This actually happened to me at a critical moment at work. Story time!
We were dealing with this website that was constantly being hacked (garbage text was being injected into their site for Googlebots to find). Our client was becoming increasingly aggravated with us since we were unable to find the source (even though we encouraged them to upgrade their years-old Joomla! installation and they refused - basically they were blaming us). Eventually we took the "scorched earth" approach and deleted everything on their FTP and reuploaded the files. We also changed all their passwords, including their control panel password. We have a password scheme but I made the call that it wasn't sufficient in this case and used KeePass' password generator to generate 40-character passwords of random letters, numbers, and symbols. The passwords are stored securely so no one has to remember them or even type them in.
I changed the control panel password without issue (a success message was posted after I changed it). After I recorded the password I went to log back in and my attempt failed. Tried again. Tried the old password, still couldn't get in. By this time I'm sure the hosting company had locked the account. The "critical moment" was that we were supposed to be done in about 15 minutes (the client's deadline), or the client was going to drop us. We tried contacting the hosting company but they couldn't do anything for us except send out a password retrieval email to whoever was on the account - which included the client contact we were dealing with directly (the one who gave us the deadline). So my boss had to call him and twist facts to try to keep the heat off us while getting him to forward us the password retrieval email.
I got the email and the password looked the same but I was able to log in with it. I was perplexed, but on a tight timeline so I finished up my work and the crisis with the client was averted (kind of - payment is still pending). I went back and looked at the password that was in the email and noticed it was 1 character short - only 39 characters. Lining them up in Notepad I noticed the password that was in the email had a backslash stripped from it (forward slashes were okay). I relayed this info to my boss because I wanted to make sure he knew I didn't mess up. I couldn't believe it, though. This was a major hosting company (not GoDaddy) that we had used and still do use quite a bit. I sent a strongly worded email to them explaining the poor practice this was and the situation it had put us in. Never heard from them.
TL;DR: Popular hosting company stripped backslashes from their control panel password without notice and I couldn't get back in while in the middle of fixing our biggest client's website who was threatening to drop us.
So yeah. Absolutely do not do this. There is no reason to strip characters or otherwise change user-supplied passwords.
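The following PHP is an added example, not code from either poster. It validates a password without altering it, hashes the exact bytes typed, and shows the lockout that results when only the set-password path alters the input. `stripslashes()` is an assumed stand-in for the hosting panel's behaviour, which the post does not describe; the length limits and sample passwords are constructed.

```php
<?php
// Added example: names, limits and sample passwords below are constructed for illustration.

// Validate without altering: return an error message to show the user, or null if acceptable.
function validatePassword(string $password): ?string
{
    if (strlen($password) < 12) {
        return 'Password must be at least 12 characters.';
    }
    if (strlen($password) > 72) {
        // bcrypt ignores input past 72 bytes, so reject openly rather than truncate silently.
        return 'Password must be at most 72 bytes.';
    }
    return null;
}

// Blanket "sanitizers" applied on the set-password path only.
$manglers = [
    // The snippet quoted in the post.
    'trim(strip_tags())' => fn(string $p): string => trim(strip_tags($p)),
    // Assumption: stripslashes() stands in for whatever the control panel did.
    'stripslashes()'     => fn(string $p): string => stripslashes($p),
];

// Constructed passwords (single-quoted, so $ is literal and \\ is one backslash).
$samples = [' <mySuper$ecret>password', 'r7#Vq\\9t/Lm2!xZc'];

foreach ($samples as $typed) {
    $error = validatePassword($typed);
    if ($error !== null) {
        echo "rejected: $error\n";
        continue;
    }
    // Correct handling: hash exactly what was typed; only the hash is stored.
    $exactHash = password_hash($typed, PASSWORD_BCRYPT);
    printf("%-26s exact hash verifies: %s\n", $typed, var_export(password_verify($typed, $exactHash), true));

    foreach ($manglers as $name => $mangle) {
        $stored = $mangle($typed);
        $hash = password_hash($stored, PASSWORD_BCRYPT);
        // Login submits the original text, which no longer matches what was stored.
        printf("  %-20s stored %d of %d bytes, login ok: %s\n", $name, strlen($stored), strlen($typed),
            var_export(password_verify($typed, $hash), true));
    }
}
```

Each mangler only breaks the passwords that happen to contain the characters it removes, which is why this kind of defect tends to surface at the moment a generated password is first used.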