254
Secure Development for Mobile Apps
$formFields['username'] = mb_substr($_POST['username'], 0, 40, "UTF-8");
Note the use of mb_substr() and the explicit UTF-8 encoding for completeness.
mb_substr() is not strictly required in this case, but it begins the process of
treating all strings as Unicode strings, and makes it easier if the username field is
later changed to allow Unicode characters.
Double Encryption of User Passwords
The second sanitization action is completely destructive: both the password and the
password confirmation are hashed, and then the originals are destroyed.
$formFields['passwordOrig'] = hash('sha256', $_POST['passwordOrig']);
$formFields['passwordConfirm'] = hash('sha256', $_POST['passwordConfirm']);
This accomplishes a few goals for sec ...
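The two sanitization steps above, worked into one runnable function, as an added example that is my code rather than the book's. The function takes an array standing in for $_POST (by reference, so the plaintext password fields can be removed from the request array as well), truncates the username to 40 Unicode characters, and replaces both password fields with their SHA-256 digests. The second stage, feeding the digest to PHP's password_hash(), is my assumption about what the "double" in the heading refers to; this page does not show it. The helper names sanitizeRegistrationFields(), passwordsMatch() and storableHash() and the sample request data are constructed for the example.

```php
<?php
// Added example, not code from the book. $post stands in for $_POST so the
// function can be run offline; it is taken by reference so the plaintext
// password fields can be unset in the caller's array too.
function sanitizeRegistrationFields(array &$post): array
{
    $formFields = [];

    // mb_substr() counts Unicode code points rather than bytes, so the
    // 40-character limit still holds if usernames are later allowed to
    // contain non-ASCII characters (a byte-based substr() could cut a
    // multibyte character in half).
    $formFields['username'] = mb_substr((string) ($post['username'] ?? ''), 0, 40, 'UTF-8');

    // Destructive step: keep only SHA-256 digests and drop the plaintext.
    // Equal plaintexts give equal digests, so the confirmation check can be
    // done on the digests alone.
    $formFields['passwordOrig']    = hash('sha256', (string) ($post['passwordOrig'] ?? ''));
    $formFields['passwordConfirm'] = hash('sha256', (string) ($post['passwordConfirm'] ?? ''));
    unset($post['passwordOrig'], $post['passwordConfirm']);

    return $formFields;
}

// hash_equals() compares in constant time, so the comparison itself does not
// leak how many leading characters of the two digests agree.
function passwordsMatch(array $formFields): bool
{
    return hash_equals($formFields['passwordOrig'], $formFields['passwordConfirm']);
}

// Assumed second stage: a bare SHA-256 digest is fast to brute-force and is
// not what should be stored; password_hash() adds a per-user salt and a slow
// work factor before the value is written to the database.
function storableHash(array $formFields): string
{
    return password_hash($formFields['passwordOrig'], PASSWORD_DEFAULT);
}

// Constructed request data for a dry run: a 46-character username starting
// with a two-byte character, and a matching password pair.
$fakePost = [
    'username'        => 'é' . str_repeat('a', 45),
    'passwordOrig'    => 'correct horse battery staple',
    'passwordConfirm' => 'correct horse battery staple',
];

$fields = sanitizeRegistrationFields($fakePost);

// 40 code points but 41 bytes: the limit was applied per character, not per byte.
assert(mb_strlen($fields['username'], 'UTF-8') === 40);
assert(strlen($fields['username']) === 41);
assert(strlen($fields['passwordOrig']) === 64);   // hex-encoded SHA-256
assert(!isset($fakePost['passwordOrig']));        // plaintext removed from the request array
assert(passwordsMatch($fields));

$stored = storableHash($fields);
assert(password_verify($fields['passwordOrig'], $stored));

echo "username: {$fields['username']}\n";
echo "digest:   {$fields['passwordOrig']}\n";
echo "stored:   " . substr($stored, 0, 7) . "...\n";
```

Run it with `php example.php`; mb_substr() needs the mbstring extension, while hash(), hash_equals(), password_hash() and password_verify() are in core PHP. Because the login handler will receive the same client-side SHA-256 digest rather than the raw password, password_verify() is applied to that digest, which is why storableHash() hashes the digest and not the original string.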