A set of valid characters for web site passwords

Hi I was composing a regex for a password field of my site and had a concern:

Are there any characters I should block a user from entering? If so why?

Or is it enough just to escape dangerous characters like = and ' when pro开发者_运维技巧cessing data? It seems good for this topic to list the php functions for escaping those, if you would.

Thanks!

---

I hash anything a user enters as a password, so I don't care what they enter, it never touches my database and can't cause any harm. md5($_POST['password'])

Other fields are a different story...

mysql_real_escape_string() is a great function for escaping data in queries.

---

Like other people have already said, hashing the users password before saving it to the database will mean you don't have to worry about what the user enters.

Whilst we're on the subject of hashing, you might even want to consider adding a 'salt' to the password before it is hashed. A salt is a random string (for example, the user's email address) that will help to improve the uniqueness of the hash generated (different users that have the same password will generate the same hash without the salt).

For more information take a read of: http://phpsec.org/articles/2005/password-hashing.html

---

No restrictions should be placed passwords. Let the user decide.

As for escaping characters for database entry, no need; Just do some research on SQL Injection

---

What specifically are you guarding against? If it's SQL injection, then you shouldn't rely on escaping the user-supplied parameters, you should be using parameterized queries.

http://us.php.net/manual/en/mysqli-stmt.bind-param.php

---

None of this should be a problem as long as you escape everything the user enters on the server side. You can see more information at Where to use mysql_real_escape_string to prevent SQL Injection?.