It could also be because they had imperfect character escaping in the codebase at some previous point in time and didn't bother to migrate user credentials to work exclusively with the newer correctly-escaped code.
Fun fact: PHP used to escape some characters in some POSTed data by default before a specific version, then changed the default config:
> Prior to PHP 5.4.0, the PHP directive magic_quotes_gpc was on by default and it essentially ran addslashes() on all GET, POST and COOKIE data.[1]
I know for a fact some of the users of a previous site I worked on had stored their password (hash) with one escaping mechanism, only to start failing authentication after that function was no longer used upon data input (all escaping should be done upon output for more perfect control of different security contexts, e.g. escaped HTML versus escaped SQL versus escaped JSON).
[1] https://www.php.net/manual/en/function.addslashes.php
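
An added example, not part of the comment above or of any project's code: PHP that reproduces the login failure described and shows one way to migrate such records the next time the user logs in. The legacy scheme (unsalted SHA-256 over the `addslashes()`-escaped password), the record layout and the function names are assumptions for illustration, and the password is constructed.

```php
<?php
// Assumed legacy scheme: magic_quotes_gpc had already run addslashes() on
// $_POST, so the application hashed the escaped string, not the raw input.
function legacy_hash(string $password): string {
    return hash('sha256', addslashes($password));
}

/**
 * Verify a login and upgrade a legacy record on success.
 * $record is a hypothetical layout: ['scheme' => 'legacy'|'current', 'hash' => string]
 * Returns [bool $ok, array $record].
 */
function verify_and_migrate(string $password, array $record): array {
    if ($record['scheme'] === 'current') {
        return [password_verify($password, $record['hash']), $record];
    }
    // Legacy record: reproduce the old input escaping before hashing.
    if (!hash_equals($record['hash'], legacy_hash($password))) {
        return [false, $record];
    }
    // Password is correct: re-hash the raw, unescaped input and retire the old hash.
    $upgraded = ['scheme' => 'current', 'hash' => password_hash($password, PASSWORD_DEFAULT)];
    return [true, $upgraded];
}

$password = "O'Brien\"42\\";   // constructed; contains ', " and \
$stored   = ['scheme' => 'legacy', 'hash' => legacy_hash($password)];

// With magic quotes gone, hashing the raw input no longer matches the stored hash.
var_dump(hash_equals($stored['hash'], hash('sha256', $password)));

// First login after the change: matches through the legacy path and is upgraded.
[$ok, $stored] = verify_and_migrate($password, $stored);
var_dump($ok, $stored['scheme']);

// Later logins use only the raw password.
[$ok] = verify_and_migrate($password, $stored);
var_dump($ok);
```

Only passwords containing `'`, `"`, `\` or a NUL byte are affected, since those are the characters `addslashes()` rewrites.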