Does it make sense to use a prepared statement for the password_hash value?

When using the password_hash() function to generate a hashed password, is there a reason why I would want to use a prepared statement when inserting it into the database?

My assumption is that I do not need to use a prepared statement for the password, but for consistency it will not hurt to use one.

Additional question:

If I use the PASSWORD_DEFAULT parameter for the password_hash function, it will currently use the bcrypt algorithm, but in the future it may be replaced by another algorithm. Will the future algorithm use a single quote or some other character that could break the SQL statement if I do not use prepared statements?

+4
1 answer

Is there a reason why I would want to use a prepared statement when inserting it into the database?

YES

Simply because the database layer should be completely unaware of the data's source, nature, value, or previous validation. The job of the database layer is to correctly place your data in the database, and prepared statements are the only right way to do this.

So, in your own words, "for consistency it will not hurt to use one."

+7
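The following is an added example, not code from the question or the answer above: it stores a password_hash() result through a PDO prepared statement, so the hash is bound like any other value rather than concatenated, and it handles the second question by rehashing on login when PASSWORD_DEFAULT has moved to a newer algorithm. It assumes the PDO SQLite driver is available and uses an in-memory database with an assumed `users` table.

```php
<?php
// Added example (not from the original post). Runs stand-alone with PDO's SQLite driver;
// the users table and its column names are assumptions for the demonstration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// TEXT with no length limit: a future PASSWORD_DEFAULT algorithm may produce longer hashes.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');

function createUser(PDO $pdo, string $username, string $password): void
{
    // The hash is bound as a parameter, exactly like the username: the database layer
    // does not care whether the value came from password_hash() or from user input.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:username, :hash)');
    $stmt->execute([':username' => $username, ':hash' => $hash]);
}

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // If PASSWORD_DEFAULT has changed since this hash was stored, upgrade it now,
    // while the plaintext is available; the new hash is again bound, never interpolated.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :hash WHERE id = :id');
        $upd->execute([':hash' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return true;
}

// Constructed sample input; the quote in the username shows that binding, not the
// shape of the hash, is what keeps the SQL statement intact.
createUser($pdo, "o'brien", 'correct horse battery staple');
var_dump(login($pdo, "o'brien", 'correct horse battery staple'));
var_dump(login($pdo, "o'brien", 'wrong password'));
```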