Ask HN: PHP password_hash exits on null byte character
For some reason the documentation does not mention this, but if you succeed in sending the null byte character to password_hash with the default Bcrypt algortihm, PHP with exit the application with a ValueError.
Normally the browser will encode the input, but you can force the issue using e.g. cURL:
printf "password=foo\0bar" | curl -X POST --data-binary @- https://example.com -H "Content-Type: application/x-www-form-urlencoded"
How do you deal with this issue?
Do you replace null byte characters or use e.g. the Argon2id algorithm to get around this problem?
3 comments
[ 3.7 ms ] story [ 21.7 ms ] threadIf someone deliberately tries to insert a null and get it to your backend code somehow they deserve to get an error.
And its documented in the changelog of the function. I would catch it, send an response that is explaining that the password is invalid and implement a check that limits valid characters to be outside the non printable range.