For some reason the documentation does not mention this, but if you succeed in sending the null byte character to password_hash with the default Bcrypt algorithm, PHP will exit the application with a ValueError.

Normally the browser will encode the input, but you can force the issue using e.g. cURL:

printf "password=foo\0bar" | curl -X POST --data-binary @- https://example.com -H "Content-Type: application/x-www-form-urlencoded"

How do you deal with this issue?

Do you replace null byte characters or use e.g. the Argon2id algorithm to get around this problem?
Presumably you don't allow curl requests to your application to set passwords. In practice the password probably comes from an HTML form input, which doesn't allow entering a null byte. And you could sanitize the input before passing it to the password_hash function, or reject it as invalid. A couple of PHP applications I work on have a function to check for a valid password -- printable ASCII characters only, minimum length, etc. A null byte would not pass.

If someone deliberately tries to insert a null and get it to your backend code somehow they deserve to get an error.
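An added example of the "validate, then hash" approach from the answer above (this is illustrative code, not from the question, the answer or any project; it assumes PHP 8 or later, since str_contains and ValueError do not exist in PHP 7). The validator rejects a null byte outright and applies the printable-ASCII and minimum-length rules the answer mentions, and the hashing wrapper also catches ValueError so that anything the validator misses becomes an ordinary invalid-input error instead of an uncaught fatal. The 72-byte upper bound is an extra caveat: bcrypt only uses the first 72 bytes of the password, so longer input is truncated silently unless you reject it.

```php
<?php
declare(strict_types=1);

/**
 * Return null if the password may be passed to password_hash() with bcrypt,
 * otherwise a short reason why it was rejected.
 */
function passwordProblem(string $password): ?string
{
    // The case from the question: bcrypt in PHP 8 throws ValueError on "\0".
    if (str_contains($password, "\0")) {
        return 'contains a null byte';
    }
    // Printable ASCII only (0x20..0x7E), as in the answer; relax this
    // character class if you want to accept Unicode passwords.
    if (!preg_match('/\A[\x20-\x7E]+\z/', $password)) {
        return 'contains non-printable or non-ASCII characters';
    }
    if (strlen($password) < 12) {           // minimum length is an assumption
        return 'shorter than 12 characters';
    }
    // bcrypt ignores everything after the first 72 bytes; reject rather than
    // let two different long passwords hash to the same value.
    if (strlen($password) > 72) {
        return 'longer than 72 bytes';
    }
    return null;
}

/**
 * Hash a password with bcrypt, turning bad input into InvalidArgumentException.
 */
function hashPassword(string $password): string
{
    $problem = passwordProblem($password);
    if ($problem !== null) {
        throw new InvalidArgumentException("Invalid password: $problem");
    }
    try {
        return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    } catch (ValueError $e) {
        // Defence in depth: password_hash() refused the input for a reason the
        // validator did not cover; surface it as a normal 400-style error.
        throw new InvalidArgumentException('Password rejected by hash function', 0, $e);
    }
}

// Constructed sample inputs, including the "foo\0bar" body from the question.
foreach (["correct-horse-battery", "foo\0bar", "short"] as $candidate) {
    try {
        $hash = hashPassword($candidate);
        echo json_encode($candidate), " -> ", substr($hash, 0, 7), "...\n";
    } catch (InvalidArgumentException $e) {
        echo json_encode($candidate), " -> rejected: ", $e->getMessage(), "\n";
    }
}
```

Call passwordProblem() on the raw form value before it reaches any hashing or comparison code, and apply the same rule on login so that a stored account can never be locked out by a validator that is stricter than the one used at registration.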