There was a question about using stripslashes and mysql_real_escape_string on a password before hashing it and storing it. And the stripping or escaping before the hashing isn’t necessary as the special characters don’t carry meaning to the hashing function.
However, is it possible that certain hash results may create dangerous SQL queries?
I realize that with a sufficient hash and a salt there’s such a small chance of this happening intentionally, but would it still be a good practice to run a strip and escape on the hashed results?
It would be overzealous and unnecessary to do so. Hashing functions don’t output any quotes that could introduce a SQL injection vulnerability. Also, you shouldn’t really have to use both
stripslashes() and mysql_real_escape_string(). Just use mysql_real_escape_string().

Example
Not that I am condoning the use of MD5, but from its Wikipedia page:
Hexadecimal numbers should never pose a problem with SQL injections because they just consist of /[0-9a-f]/. If you search for the hashing function that you’re using you should find something similar. You don’t need to sanitize the hash. You should be safe!
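As an added example (not from the original question or answer, and using Python's sqlite3 in place of PHP's mysql_* functions), this shows that a salted hex digest matches /[0-9a-f]/ no matter how many quotes or backslashes the password holds, and that a parameterized INSERT makes escaping the hash a non-issue either way. The table layout and PBKDF2 parameters are assumptions for the demo.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# A hex digest only ever contains these characters: no quote, backslash
# or semicolon that SQL could misinterpret.
HEX_DIGEST = re.compile(r"^[0-9a-f]+$")


def hash_password(password: str, salt: bytes) -> str:
    """Salted PBKDF2-HMAC-SHA256 returned as a lowercase hex string.

    The password is hashed as raw bytes, so stripping or escaping it
    beforehand is pointless: quotes are just bytes to the hash function.
    """
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return digest.hex()


def is_hex_digest(value: str) -> bool:
    return HEX_DIGEST.fullmatch(value) is not None


def store_user(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Insert username, salt and hash with a parameterized query (assumed schema).

    The placeholders keep every value out of the SQL text, so the hash
    (and anything else) never needs escaping at all.
    """
    salt = os.urandom(16)
    digest = hash_password(password, salt)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt.hex(), digest),
    )
    return digest


def verify_user(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt_hex, stored = row
    # Constant-time comparison of the recomputed digest against the stored one.
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt TEXT, pw_hash TEXT)")
    # Constructed sample password packed with SQL-significant characters.
    password = "it's \\ a \"tricky\" -- pass; DROP TABLE users;"
    digest = store_user(conn, "alice", password)
    return conn, digest
```

Hash encodings other than hex (base64, or the crypt-style `$id$salt$hash` format) add characters such as `+`, `/`, `=`, `$` and `.` but still no quotes; parameterized queries cover those cases regardless.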