Jump to content

a dificult string search

otuatail

By otuatail
in PHP Coding Help

 Share

Recommended Posts

otuatail Advanced Member

otuatail

Posted
Posted

Hi I don't know a way around this. I want the user to input a password, but to make it a bit complcated the password can be several words. "Today is Sunday"

However I want to exclude certain chars from the string like "<>()?.+"

I need someway of examaning the string for any accurance of any of these chars. Is there away around this without going through each "Not allowed" char to be checked?

 

TIA

 

Desmond.

 

Link to comment
https://forums.phpfreaks.com/topic/178109-a-dificult-string-search/
Share on other sites
cags Member

cags

Posted
Posted

I think what Daniel0 was getting at is you should probably be hashing the password before storing it in the database making SQL Injection a non-entity. You should never echo out the password (and would infact be unable if it's hashed) so there's no threat of an XSS attack or similar. As such by limiting characters from being used you are merely reducing the available complexity of the password.

Daniel0 Advanced Member

Daniel0

Posted
Posted

I think what Daniel0 was getting at is you should probably be hashing the password before storing it in the database making SQL Injection a non-entity. You should never echo out the password (and would infact be unable if it's hashed) so there's no threat of an XSS attack or similar. As such by limiting characters from being used you are merely reducing the available complexity of the password.

 

Indeed that is what I meant. There is no reason to decrease the number of possible passwords.

otuatail Advanced Member

otuatail

Posted
  • Author
Posted

This is confusing now

<?php
// The "i" after the pattern delimiter indicates a case-insensitive search
if (preg_match("/php/i", "PHP is the web scripting language of choice.")) {
    echo "A match was found.";
} else {
    echo "A match was not found.";
}
?>

This is looking for a word php

I want to return false if any of the chars <>(){}[] are found anywhere in the string

 

mrMarcus Member

mrMarcus

Posted
Posted

my 2 cents...lot's and lot's of people (while it's an insecure practice), use the same passwords over and over again for multiple sites, programs, etc.

 

i use special characters in some of my passwords because it makes them harder (damn near impossible) to guess, ie. f7&$l()*^$ha6.':';'.< (not my actual password, btw)

 

while you are free to do what you want with your password script, i really don't believe there is a reason for not allowing since hashing your passwords with md5() eliminates (as has been said), the possibility of injection.  so, just let your users feel safe to use whatever password they like, 'cause if a site restricted me to use a simple 123abc password, i would not feel confident in my privacy on that website.

 

but, if you must, this function would work for all non-alphanumeric characters:

 

function strip_characters ($input)
{
$output = preg_replace('/[^a-z0-9]/i', '', $input);

return $output;
}

 

used like:

 

$password = strip_characters ($_POST['pasword']);

Daniel0 Advanced Member

Daniel0

Posted
Posted 

function strip_characters ($input)
{
$output = preg_replace('/[^a-z0-9]/i', '', $input);

return $output;
}

 

used like:

 

$password = strip_characters ($_POST['pasword']);

 

That'll just confuse people when characters are silently stripped from their password.

mrMarcus Member

mrMarcus

Posted
Posted 

function strip_characters ($input)
{
$output = preg_replace('/[^a-z0-9]/i', '', $input);

return $output;
}

 

used like:

 

$password = strip_characters ($_POST['pasword']);

 

That'll just confuse people when characters are silently stripped from their password.

haha, good catch .. i think i was more intent on getting my 2 cents across than the code .. my bad, don't use that code for what you're doing, OP.
mrMarcus Member

mrMarcus

Posted
Posted

if the users types in:  I don't like mondays

 

hashing that with md5() will then look like this: 580a783c1cb2b20613323f715d231a69

 

md5() hashes out whatever string it gets, regardless of what characters are in there .. it is one-way hashing, meaning once the value has been hashed, it cannot be reversed, so it's a pretty safe function to use on your passwords.

Daniel0 Advanced Member

Daniel0

Posted
Posted

What I get is when I have

<input type="text" name="abc" value="Don't">

submit this

echo $_POST['abc']; // Don\'t

 

I have to get rid of the \

 

Turn off magic_quotes_gpc in php.ini. Which version of PHP are you using? It's turned off by default in PHP 5.

otuatail Advanced Member

otuatail

Posted
  • Author
Posted

No what happens is

enter Don't and posting to another page gives me

2a9e5a8851d473fcf01242d65b129cd6 // which is Don\t

 

instead of

2a959515a38921266f1aaf91fed64cf0 // which is Don't

 

When I post to another page any ' is replaced with \'

I need to catch this as when it is MD5d it has to be the correct password not one

with other chars added to it. If this makes sence.

 

Desmond.

 

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.