This question already has an answer here:
When an admin manually changes a user's password, they need to type (or generate) the password into an HTML input which is then submitted to PHP.
How would I secure a input that is purpose is for secure passwords, which means special/html characters such as '>', '#', '<', etc.
Previously, I used:
<?php htmlspecialchars(strip_tags($password)) ?>
But this was changing the password to something else, I'm guessing to the character entity format - I cannot see what it's changing it too, due to one-way hashing via bcrypt.
EDIT: For example, this is a password *62mA<Edq<Kfx)3y when I check the output of the above code, it outputs it to *62mA
Thanks
</div>
There is no general purpose "make this data safe for every situation" tool. You need to use situation appropriate escaping.
Do not use destructive functions like strip_tags.
If you want to put it into an HTML document: Do use htmlspecialchars.
If you want to put it into an SQL database: Do use prepared statement.
If you want to put it into JavaScript: Do use json_encode.
… etc … etc.
The parser that deals with the data will decode any escape characters.
That said… Do not store passwords. Do Hash passwords. Do Protect passwords.