Jump to content

Recommended Posts

Hi All

 

I am currently writing a script for online reviews.  I'm allowing people to register for the site.  For their passwords I have decided to allow them alphanumeric characters only.  I don't feel individual accounts are likely to be highly targetted by hackers because no valuable personal details are being recorded there. 

 

So, do you share my view that restricting passwords to alphanumeric characters will be sufficient?  Or should I allow punctuation in passwords? 

 

Thanks all for any opinions.

From my point of view as a relative newbie to php, it's going to be a lot easier to code if I just restrict the field to alphanumeric only, otherwise I'll have to make sure I handle all the various special characters, which I can imagine will be a pain. 

 

Rgds

No, password 'phrases' are becoming more and more popular. The wider the character set available to users, the harder it is to crack the passwords...

 

Just for example....

 

Alphanumeric = 65 possible characters

Any = 95 possible characters... assuming only printable characters are allowed

 

May not seem like much, but now let's take that up to a 6 character password.

 

65^6 = 75,418,890,625

95^6 = 735,091,890,625

 

That's roughly 10x more possible combinations, and the number will increase exponentially as the password length increases. That's a BIG difference for a cracker.

Also, when you encrypt the passwords with whatever algorithm you're using (I'll assume md5 or SHA1)...it ends up with alphanumeric characters anyway in the hash so you don't need to escape anything.  Allow them whatever password they wish.

If you md5 it, it provides a) better security server and handling side, b) allows all sort of password types, so better security there, and you just store it in a string, so you don't need to worry about anything there. Encode the password on sign up, and check against that.

If I allow every character, doesn't it make it easier to do an SQL injection attack? 

 

Rgds

 

The way SQL injection attacks work is you finish off the query string by adding a ' and then starting a new query string or adding a new command or adding a condition that will always be true like 1=1 in order to alter the query string.  SQL injection attacks pretty much rely on being able to add that quote in there, so it is virtually eliminated by simply doing mysql_real_escape_string($input) on your vars. If someone tries to input a quote it will be escaped like \' so that it will be taken literally.

It depends if you have magic quotes enabled for Post and such. I think as of PHP 6 it is being disabled, but if you need to see and learn about injections, I just made this for you;

 

<?php
mysql_connect("localhost", "...", "...") or die(mysql_error());
mysql_select_db("testing") or die(mysql_error());

if (isset($_POST['jeff'])){

// I have magic quotes enabled. If you don't, get rid of stripslashes(). I have that there to emulate it.
$jeff = stripslashes($_POST['jeff']);

// Checking

$q = "SELECT * FROM `test` WHERE `id` = '1' AND `val` = '$jeff'";

$result = mysql_query($q);

$num = mysql_num_rows($result);

if ($num == '1'){

echo 'Correct';

}else{

echo 'Incorrect';

}

echo '<br><br><b>Query Being Executed: </b>'.$q;

}else{
?>

<form action="" method="post">
Value: <input type="text" name="jeff">
<br>
<input type="submit">
</form>

<?

}

?>

 

Your sql code

SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";

--
-- Database: `testing`
--

-- --------------------------------------------------------

--
-- Table structure for table `test`
--

CREATE TABLE IF NOT EXISTS `test` (
  `id` int(11) NOT NULL auto_increment,
  `val` text NOT NULL,
  PRIMARY KEY  (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=2 ;

--
-- Dumping data for table `test`
--

INSERT INTO `test` (`id`, `val`) VALUES
(1, 'chickenpie');

 

I presume you understand all that code.

 

Play around with that, and you will see what works and what doesn't. Then protect against it.

 

An example of what works is

' or '' = '
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.