Are GET and POST prone to faulty delimiters?

I want the user to send over a password through POST to another page. The password can be anything. After the password is received on the other side, I clean it up and make sure it won't hurt anything further.

But for the POST transfer alone, is it safe to give the user full power over the input? 821d^&%*0231i'dl;;lafd;/c-==-= is allowed, for example. Though I will clean it up once it arrives. Is there a vulnerability I should know about?

Or better yet, you could allow them to use whatever junk password they want to use, and you can just use password_hash to hash their passwords. You don't have to worry about users using any malicious passwords, and you don't have to worry about escaping the passwords. Here's the best part of all: you don't touch their passwords, and you allow them to use a vast selection of characters instead of a-zA-Z0-9, which is actually really dangerous, because when you limit the amount of different characters they can use, including special characters such as ?!,;:()$&@:~<>#%*€£¥+•'\/|[]{}, then you allow their passwords to be weak and prone to easy attacks.
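The approach described in that reply, written out as an added example (not code from the thread): the raw POST value goes straight into password_hash, and only the hash reaches the database through a bound parameter. It assumes a PDO connection in `$pdo` and a `users` table with `username` and `password_hash` columns; both are assumptions.

```php
<?php
// Added example, not from the original thread. Assumes $pdo (a PDO connection)
// and a `users` table with `username` and `password_hash` columns (assumptions).
declare(strict_types=1);

function register(PDO $pdo, string $username, string $password): void
{
    // No escaping, trimming or character filtering: the password is hashed as received.
    // PASSWORD_DEFAULT currently means bcrypt, which salts the hash itself, so a value
    // like 821d^&%*0231i'dl;;lafd;/c-==-= is handled like any other string.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Only the hash is stored, and it is passed as a bound parameter, so the quote
    // in the password never becomes part of the SQL text.
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return false; // unknown user
    }
    // password_verify() compares in constant time; again the password is not sanitised.
    return password_verify($password, $hash);
}

// Request handling: the POST value is read once and passed through untouched.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = (string) ($_POST['username'] ?? '');
    $password = (string) ($_POST['password'] ?? '');
    $ok = login($pdo, $username, $password);
    http_response_code($ok ? 200 : 401);
}
```

One restriction is still worth enforcing: bcrypt uses only the first 72 bytes of the password, so anything beyond that is silently ignored and a maximum length around that point avoids surprising users.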

