A Basil Plant@lemmy.world to Cybersecurity - Memes@lemmy.world · 1 year agoYour password must also not contain the following character combinations: script, select, insert, update, delete, drop, --, ', /*, */.lemmy.worldimagemessage-square59fedilinkarrow-up1396arrow-down16
arrow-up1390arrow-down1imageYour password must also not contain the following character combinations: script, select, insert, update, delete, drop, --, ', /*, */.lemmy.worldA Basil Plant@lemmy.world to Cybersecurity - Memes@lemmy.world · 1 year agomessage-square59fedilink
minus-squarezqwzzlelinkfedilinkEnglisharrow-up55arrow-down1·1 year agoSo they’re not hashing or salting the passwords too. Cool…
minus-squareSemi-Hemi-Demigod@kbin.sociallinkfedilinkarrow-up19arrow-down2·1 year agoThey might be doing it in the DB query, but they’re definitely not sanitized beforehand.
minus-squareCrayonRosary@lemmy.worldlinkfedilinkarrow-up2·1 year agoSanitization has nothing to do with salting and hashing.
minus-squareSemi-Hemi-Demigod@kbin.sociallinkfedilinkarrow-up2·1 year agoIf you do the salting and hashing in a database query you need to sanitize the input before you use it or you open yourself to SQL injection. Databases have salting and hashing functions, after all
minus-squareRednax@lemmy.worldlinkfedilinkarrow-up9·1 year agoWhich makes me want to try and insert a password of a few megabytes worth of text. Should be fine, since there is no max lenght defined, right?
minus-squarelars@lemmy.sdf.orglinkfedilinkarrow-up4·1 year agoIf there is no overwrought prohibition of something I know that at least in America that means it’s Affirmatively legal and Legislatively encouraged by the FREEE Act So give ’em hell!
minus-squareCrayonRosary@lemmy.worldlinkfedilinkarrow-up1·edit-21 year agoThat’s not how it works. The code always has access to the submitted plaintext password. It’s salted and hashed after it’s verified for complexity. The complexity verification can even be done in JavaScript.
So they’re not hashing or salting the passwords too. Cool…
They might be doing it in the DB query, but they’re definitely not sanitized beforehand.
Sanitization has nothing to do with salting and hashing.
If you do the salting and hashing in a database query you need to sanitize the input before you use it or you open yourself to SQL injection.
Databases have salting and hashing functions, after all
Which makes me want to try and insert a password of a few megabytes worth of text. Should be fine, since there is no max lenght defined, right?
If there is no overwrought prohibition of something I know that at least in America that means it’s
So give ’em hell!
That’s not how it works. The code always has access to the submitted plaintext password. It’s salted and hashed after it’s verified for complexity. The complexity verification can even be done in JavaScript.