HACKER Q&A
📣 iio7

PHP password_hash exits on null byte character


For some reason the documentation does not mention this, but if you succeed in sending the null byte character to password_hash with the default Bcrypt algorithm, PHP will exit the application with a ValueError.

Normally the browser will encode the input, but you can force the issue using e.g. cURL:

printf "password=foo\0bar" | curl -X POST --data-binary @- https://example.com -H "Content-Type: application/x-www-form-urlencoded"

How do you deal with this issue?

Do you replace null byte characters or use e.g. the Argon2id algorithm to get around this problem?


  👤 gregjor Accepted Answer ✓
Presumably you don't allow curl requests to your application to set passwords. In practice the password probably comes from an HTML form input, which doesn't allow entering a null byte. And you could sanitize the input before passing it to the password_hash function, or reject it as invalid. A couple of PHP applications I work on have a function to check for a valid password -- printable ASCII characters only, minimum length, etc. A null byte would not pass.

If someone deliberately tries to insert a null and get it to your backend code somehow they deserve to get an error.
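
The validate-or-reject approach from the answer above, sketched as an added example that is not code from the thread or from either poster. The function names, the minimum length of 12 and the sample inputs are assumptions made for illustration; the `ValueError` catch covers the failure the question describes in case a caller skips validation.

```php
<?php
declare(strict_types=1);

// Hypothetical policy value; the thread only says "minimum length, etc."
const MIN_PASSWORD_LENGTH = 12;

/**
 * Returns null when the password is acceptable, otherwise a reason string.
 * Only printable ASCII (0x20-0x7E) is allowed, so a NUL byte can never pass.
 */
function passwordRejectionReason(string $password): ?string
{
    if (strlen($password) < MIN_PASSWORD_LENGTH) {
        return 'too short';
    }
    // \A and \z anchor the whole string; "$" would tolerate a trailing newline.
    if (preg_match('/\A[\x20-\x7E]+\z/', $password) !== 1) {
        return 'contains non-printable or non-ASCII bytes';
    }
    return null;
}

/**
 * Validates, then hashes. The catch is a second line of defence: request
 * bodies are arbitrary bytes, and a hashing failure should become a normal
 * validation error rather than an uncaught ValueError.
 */
function hashPasswordOrFail(string $password): array
{
    $reason = passwordRejectionReason($password);
    if ($reason !== null) {
        return ['ok' => false, 'error' => $reason];
    }
    try {
        return ['ok' => true, 'hash' => password_hash($password, PASSWORD_BCRYPT)];
    } catch (ValueError $e) {
        return ['ok' => false, 'error' => 'password rejected by hashing backend'];
    }
}

// Constructed sample inputs, including a NUL byte like the one in the question.
$samples = ["correct horse battery", "foo\0bar-padding-to-length", "short"];
foreach ($samples as $sample) {
    $result = hashPasswordOrFail($sample);
    $shown  = addcslashes($sample, "\0..\37"); // make control bytes visible
    printf("%-32s => %s\n", $shown, $result['ok'] ? 'hashed' : $result['error']);
}
```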