
checking for illegal characters in an input


knobby2k


Hi Guys,

 

This should be a simple one.

 

I am looking for the best way to ensure that any illegal characters are removed from an input.

 

I have a user registration form and login page. What I want to do is prevent against sql injection and therefore should be limiting the characters that can be entered.

 

For example I want a username to include only letters and numbers so I ideally want to strip out any white space, illegal characters such as " ' ( ) etc...

 

My issue with this is with the password, I would ideally like the user to be able to put as complex a password as they would like, so how would I prevent against illegal characters in this instance??

 

Cheers

 

 

For example I want a username to include only letters and numbers so I ideally want to strip out any white space, illegal characters such as " ' ( ) etc...

Using mysql_real_escape_string will help to prevent sql injection attacks.

 

My issue with this is with the password, I would ideally like the user to be able to put as complex a password as they would like, so how would i prevent against illegal characters in this instance??

Just encrypt the password straight away using md5 or sha1 encryption. These only return hashes that contain letters and numbers regardless of what characters the user has in their passwords. Example:

echo sha1('mybad"password"');
echo "<br />";
echo md5('mybad"password"');

Will return the following hashes

107577e77c5ef454152af92f84ab36f5a9fdae75 <- sha1 hash
0c2f336b9977f0c40f1782e43f57e2e2 <- md5 hash
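
The reply above answers the two questions with mysql_real_escape_string and an md5/sha1 hash. The following is an added example, not code from this thread, that handles the same two requirements (a letters-and-digits username, a password that may contain any characters) with PDO prepared statements and password_hash()/password_verify(), which are the facilities current PHP ships for this. The users table, its columns and the in-memory SQLite database are assumptions made so the script runs stand-alone; for MySQL only the DSN passed to PDO changes.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. An in-memory SQLite database is
// used so the script runs on its own; swap the DSN for your MySQL server.
function openDatabase(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Assumed schema: one row per user, the password stored only as a hash.
    $pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    return $pdo;
}

// Username policy from the question: letters and digits only (3-32 of them).
// Reject bad input rather than stripping it, so "ad'min" is refused instead of
// silently being stored as "admin".
function isValidUsername(string $username): bool
{
    return preg_match('/^[A-Za-z0-9]{3,32}$/', $username) === 1;
}

function registerUser(PDO $pdo, string $username, string $password): bool
{
    if (!isValidUsername($username)) {
        return false;
    }
    // password_hash() accepts any bytes: quotes, spaces and SQL keywords are
    // just password characters. Only the resulting hash string is stored, and
    // it is bound as a parameter, never spliced into the SQL text.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    return $stmt->execute([':u' => $username, ':h' => $hash]);
}

function login(PDO $pdo, string $username, string $password): bool
{
    if (!isValidUsername($username)) {
        return false;
    }
    // The username is sent to the database separately from the query text, so
    // a quote inside it cannot change the query and no escaping step is needed.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    // Compare against the stored hash; the plain password is never stored.
    return password_verify($password, $row['password_hash']);
}

// Demo with constructed inputs.
$pdo = openDatabase();
// Registration succeeds: the password contains quotes and spaces, which is fine.
var_dump(registerUser($pdo, 'knobby2k', 'mybad"password" with spaces'));
// Correct credentials.
var_dump(login($pdo, 'knobby2k', 'mybad"password" with spaces'));
// Wrong password.
var_dump(login($pdo, 'knobby2k', 'wrong'));
// The string from the follow-up question as a username: fails the whitelist.
var_dump(login($pdo, "' ' OR 1''", 'anything'));
// The same string as a password: just a password that does not verify.
var_dump(login($pdo, 'knobby2k', "' ' OR 1''"));
```

The two ideas are independent: binding parameters is what keeps the username from reaching the query as SQL, and hashing is what lets the password contain anything at all; neither depends on stripping characters from the password.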

 


ahhh so that would protect against someone entering... ' ' OR 1'' ...into the password field because all I'm checking for is the hash?? Am I understanding that correctly??

You can use trim which will remove any white space before/after a string. Or if you don't want any spaces within a username you can use preg_replace

$username = 'Bad Username';
echo preg_replace('~\s+~', '', $username);
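
The trim/preg_replace snippet above removes whitespace but nothing else. The following added example, not code from this thread, keeps that normalisation step and then checks the result against the letters-and-digits rule from the question, so a username that still carries a quote or parenthesis after whitespace removal is rejected rather than stored. The function names and the 3-32 length limit are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread: normalise whitespace, then validate.

// Same idea as the reply above: drop surrounding whitespace, then any
// whitespace left inside the string.
function normalizeUsername(string $username): string
{
    return preg_replace('~\s+~', '', trim($username)) ?? '';
}

// Whitelist from the original question: only ASCII letters and digits.
// The length bounds are an assumption.
function isValidUsername(string $username): bool
{
    return preg_match('/^[A-Za-z0-9]{3,32}$/', $username) === 1;
}

// Returns the cleaned username, or null when characters outside the
// allowed set remain after whitespace removal.
function cleanUsername(string $raw): ?string
{
    $clean = normalizeUsername($raw);
    return isValidUsername($clean) ? $clean : null;
}

// Constructed inputs. Whitespace removal is enough for the first two; the
// third still contains a quote and parentheses, which no whitespace filter
// touches, so it is the whitelist check that enforces "letters and numbers only".
foreach (['Bad Username', "  knobby2k\t", "ad'min(1)"] as $raw) {
    $result = cleanUsername($raw);
    printf("%-18s => %s\n", json_encode($raw), $result ?? 'rejected');
}
```

Rejecting rather than stripping also avoids surprising the user: someone who typed a quote gets an error message instead of an account under a name they did not choose.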
