a dificult string search

[otuatail]

Hi I don't know a way around this. I want the user to input a password, but to make it a bit complcated the password can be several words. "Today is Sunday"

However I want to exclude certain chars from the string like "<>()?.+"

I need someway of examaning the string for any accurance of any of these chars. Is there away around this without going through each "Not allowed" char to be checked?

 

TIA

 

Desmond.

 

[Garethp]

if(preg_match('~["<>()?.+]~', $password))

{

// Contains Not Allowed Characters

}

[Daniel0]

Why do you want to prohibit certain characters from the password?

[otuatail]

I didn't want  --  "  '  as an extra precaution of SQL Injection. May being a bit over the top on this one. I wanted to make the password NOT A WORD somthing that can easly be remembered.

 

Desmond.

 

[otuatail]

Does this not need to be escaped

 

preg_match('~["<>()?.+]~', $password))

 

if I want '

as this is used for the string itself. ?

 

Desmond.

 

[Garethp]

Yes, just as \' in the [ and ]

[cags]

I think what Daniel0 was getting at is you should probably be hashing the password before storing it in the database making SQL Injection a non-entity. You should never echo out the password (and would infact be unable if it's hashed) so there's no threat of an XSS attack or similar. As such by limiting characters from being used you are merely reducing the available complexity of the password.

[Daniel0]

I think what Daniel0 was getting at is you should probably be hashing the password before storing it in the database making SQL Injection a non-entity. You should never echo out the password (and would infact be unable if it's hashed) so there's no threat of an XSS attack or similar. As such by limiting characters from being used you are merely reducing the available complexity of the password.

 

Indeed that is what I meant. There is no reason to decrease the number of possible passwords.

[otuatail]

I was going to MD5 the password into the database anyway. I wanted to restrict the passord from some chars.

 

 

[otuatail]

This is confusing now

<?php
// The "i" after the pattern delimiter indicates a case-insensitive search
if (preg_match("/php/i", "PHP is the web scripting language of choice.")) {
    echo "A match was found.";
} else {
    echo "A match was not found.";
}
?> 

This is looking for a word php

I want to return false if any of the chars <>(){}[] are found anywhere in the string

 

[Daniel0]

How is that confusing? What are you having trouble with exactly?

 

I'll have to say that I still don't see the point though.

[otuatail]

Ok

if(preg_match("[cd\[]/i", "ABDEFGHIJK[}"))
{
   echo "Fail";   // D d and [ not allowed
}

Warning: preg_match() [function.preg-match]: Unknown modifier '/'

/i case incensitive

\[  [ not allowed

[Daniel0]

You're missing a starting delimiter.

[mrMarcus]

my 2 cents...lot's and lot's of people (while it's an insecure practice), use the same passwords over and over again for multiple sites, programs, etc.

 

i use special characters in some of my passwords because it makes them harder (damn near impossible) to guess, ie. f7&$l()*^$ha6.':';'.< (not my actual password, btw)

 

while you are free to do what you want with your password script, i really don't believe there is a reason for not allowing since hashing your passwords with md5() eliminates (as has been said), the possibility of injection.  so, just let your users feel safe to use whatever password they like, 'cause if a site restricted me to use a simple 123abc password, i would not feel confident in my privacy on that website.

 

but, if you must, this function would work for all non-alphanumeric characters:

 

function strip_characters ($input)
{
$output = preg_replace('/[^a-z0-9]/i', '', $input);

return $output;
}

 

used like:

 

$password = strip_characters ($_POST['pasword']);

[Daniel0]

function strip_characters ($input)
{
$output = preg_replace('/[^a-z0-9]/i', '', $input);

return $output;
}

 

used like:

 

$password = strip_characters ($_POST['pasword']);

 

That'll just confuse people when characters are silently stripped from their password.

[mrMarcus]

function strip_characters ($input)
{
$output = preg_replace('/[^a-z0-9]/i', '', $input);

return $output;
}

 

used like:

 

$password = strip_characters ($_POST['pasword']);

 

That'll just confuse people when characters are silently stripped from their password.

haha, good catch .. i think i was more intent on getting my 2 cents across than the code .. my bad, don't use that code for what you're doing, OP.

[otuatail]

Ok this is ok. If i MD5 it then there is no problem with injection.

Only problem is if the user enters

I don't like mondays. when submitted it will be

I don\'t like mondays.

because of the '

[Daniel0]

Why would it be that unless you manually run something like addslashes() or mysql_real_escape_string()? (Or if you have magic quotes turned on, in which case you should turn it off)

[otuatail]

What I get is when I have

<input type="text" name="abc" value="Don't">

submit this

echo $_POST['abc']; // Don\'t

 

I have to get rid of the \

[mrMarcus]

if the users types in:  I don't like mondays

 

hashing that with md5() will then look like this: 580a783c1cb2b20613323f715d231a69

 

md5() hashes out whatever string it gets, regardless of what characters are in there .. it is one-way hashing, meaning once the value has been hashed, it cannot be reversed, so it's a pretty safe function to use on your passwords.

[Daniel0]

What I get is when I have

<input type="text" name="abc" value="Don't">

submit this

echo $_POST['abc']; // Don\'t

 

I have to get rid of the \

 

Turn off magic_quotes_gpc in php.ini. Which version of PHP are you using? It's turned off by default in PHP 5.

[otuatail]

No what happens is

enter Don't and posting to another page gives me

2a9e5a8851d473fcf01242d65b129cd6 // which is Don\t

 

instead of

2a959515a38921266f1aaf91fed64cf0 // which is Don't

 

When I post to another page any ' is replaced with \'

I need to catch this as when it is MD5d it has to be the correct password not one

with other chars added to it. If this makes sence.

 

Desmond.

 

[cags]

Daneil0 already gave you the answer. The slash is inserted by the magic_quotes setting. Either disable it if you have access, or call stripslashes on it if you don't.