by gregjor
733 days ago
Presumably you don't allow curl requests to your application to set passwords. In practice the password probably comes from an HTML form input, which doesn't allow entering a null byte. And you could sanitize the input before passing it to the password_hash function, or reject it as invalid. A couple of PHP applications I work on have a function to check for a valid password -- printable ASCII characters only, minimum length, etc. A null byte would not pass. If someone deliberately tries to insert a null and get it to your backend code somehow they deserve to get an error.

And it's documented in the changelog of the function. I would catch it, send a response explaining that the password is invalid, and implement a check that limits valid characters to be outside the non-printable range.
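
The two suggestions in this thread (validate for printable ASCII and minimum length before hashing, and catch the error from password_hash as a fallback) can be combined as in the following added example, which is not code from either commenter. It assumes PHP 8; the function names, the minimum length of 12, and the `ValueError` exception type are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

const MIN_PASSWORD_LENGTH = 12; // assumed policy value, not from the thread

/** Returns a list of problems; an empty list means the password is acceptable. */
function password_problems(string $password): array
{
    $problems = [];
    if (strlen($password) < MIN_PASSWORD_LENGTH) {
        $problems[] = 'too short';
    }
    // Printable ASCII is 0x20 (space) through 0x7E (~). Anything else,
    // including NUL, other control bytes and non-ASCII bytes, is rejected.
    if (preg_match('/[^\x20-\x7E]/', $password) === 1) {
        $problems[] = 'contains characters outside printable ASCII';
    }
    return $problems;
}

/** Hashes a password that passed validation; returns null when it is rejected. */
function hash_new_password(string $password): ?string
{
    if (password_problems($password) !== []) {
        return null; // caller answers with an "invalid password" response
    }
    try {
        return password_hash($password, PASSWORD_DEFAULT);
    } catch (\ValueError $e) {
        // Fallback: assumed exception type for input the hashing backend refuses.
        return null;
    }
}

// Constructed sample inputs: [label, candidate password].
$samples = [
    ['valid',        'correct horse battery'],
    ['embedded NUL', "hunter2\0padding-bytes"],
    ['too short',    'short'],
];
foreach ($samples as [$label, $candidate]) {
    $hash = hash_new_password($candidate);
    printf("%-13s %s\n", $label, $hash === null ? 'rejected' : 'hashed');
}
```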