doubledee Posted June 17, 2012
(I'm sure to get hell for asking this...) What do I have to do to validate and/or sanitize my Log In form, consisting of E-mail and Password? I always use Prepared Statements. Some people would say, "Nothing. If they don't give valid credentials, the log in will fail?!" All I am currently checking for is empty(). I guess I could use the same Regex I used during Registration...
Debbie
https://forums.phpfreaks.com/topic/264314-sanitizing-log-in/
scootstah Posted June 17, 2012
> Some people would say, "Nothing. If they don't give valid credentials, the log in will fail?!"
Yup.
> I guess I could use the same Regex I used during Registration...
There's no reason to do that. If the username/password is invalid, it fails - there's nothing else to sanitize.
RobertP Posted June 17, 2012
You will need to sanitize if you plan to use that information anywhere else, for example logging failed login attempts for admin accounts.
scootstah Posted June 17, 2012
> You will need to sanitize if you plan to use that information anywhere else, for example logging failed login attempts for admin accounts.
You could sanitize it on output for that. I think it would be better to maintain data integrity in this case because it might help you to see if anyone is attempting to exploit/attack the system.
doubledee (Author) Posted June 17, 2012
The only thing I can think to do is run my Log-In credentials through the same Regex that I used during Registration. Although I'd like to think that Prepared Statements solve 95% of any issues I'd have.
Debbie
scootstah Posted June 17, 2012
> The only thing I can think to do is run my Log-In credentials through the same Regex that I used during Registration.
I'd just like to know why you think that is necessary.
doubledee (Author) Posted June 17, 2012
> > The only thing I can think to do is run my Log-In credentials through the same Regex that I used during Registration.
> I'd just like to know why you think that is necessary.
Well, the short answer is "That is why I am asking here, because I am unsure." Several people seem to think I need to sanitize Log In data just like any other Form. It can't hurt. The fear would be, I suppose, SQL Injections, XSS, and whatever else. Again, since I am using Prepared Statements, I think if you were a hacker you'd be pretty helpless on my Log-In Form. If I checked that the Log-In E-mail and Password were valid formats, it would add a level of security, but I'm not sure how much... Obviously if my Form was to INSERT or UPDATE I'd scrutinize things much much more. But for Logging In, which is really "read-only", I personally don't think it is much of a risk, but then again, hackers are pretty smart!!
Debbie
kicken Posted June 17, 2012
> Well, the short answer is "That is why I am asking here, because I am unsure." ... The fear would be, I suppose, SQL Injections, XSS, and whatever else.
For something like a login all you need to do is protect against SQL Injections. By using prepared statements, you have that covered. If for some reason you echo back the user-submitted values (such as to re-populate the username, or in an audit-log) then you'd want to protect against XSS by using htmlentities(). Beyond that, there is no need for any further validation/sanitization. If the username or password doesn't match whatever your rules are that you enforce during registration, it simply won't match anything in the database and the login will fail.
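The approach kicken and scootstah describe (bind the raw input in a prepared statement, keep it verbatim in the failed-attempt log RobertP mentioned, and escape only when it is displayed), as an added example that is not code from any poster. It assumes PDO on MySQL, a `users` table with `id`, `email` and `password_hash` columns, a `login_attempts` table with `email`, `succeeded` and `attempted_at`, and that `$pdo` and the session already exist; all of those names are assumptions.

```php
<?php
// Added example (not from the thread). Assumed schema: users(id, email,
// password_hash), login_attempts(email, succeeded, attempted_at); MySQL via PDO.

function attemptLogin(PDO $pdo, string $email, string $password): ?int
{
    // No regex and no "sanitizing" of the input: the bound parameter keeps the
    // raw value out of the SQL grammar, so whatever was typed is only data.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // A malformed e-mail or password simply matches nothing and the login fails.
    $ok = $row !== false && password_verify($password, $row['password_hash']);

    // Store the submitted value verbatim (data integrity for later review),
    // again through a bound parameter; it is escaped only when rendered.
    $log = $pdo->prepare(
        'INSERT INTO login_attempts (email, succeeded, attempted_at) VALUES (:email, :ok, NOW())'
    );
    $log->execute([':email' => $email, ':ok' => $ok ? 1 : 0]);

    return $ok ? (int) $row['id'] : null;
}

// Re-populating the form or listing the audit log is an HTML output context,
// so the raw value is escaped here; ENT_QUOTES makes it safe inside attributes.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Login page flow (assumes $pdo is connected and session_start() was called).
$email    = (string) ($_POST['email'] ?? '');
$password = (string) ($_POST['password'] ?? '');

if ($email === '' || $password === '') {
    $error = 'Both fields are required.';
} elseif (($userId = attemptLogin($pdo, $email, $password)) === null) {
    $error = 'Invalid e-mail address or password.';   // same message either way
} else {
    $_SESSION['user_id'] = $userId;
}

if (isset($error)) {
    echo '<p>' . escapeForHtml($error) . '</p>';
    echo '<input type="email" name="email" value="' . escapeForHtml($email) . '">';
}
```

The same `escapeForHtml()` call is what an admin page listing `login_attempts.email` would use, so a hostile value shows up in the log as typed without being rendered as markup.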
doubledee (Author) Posted June 17, 2012
> For something like a login all you need to do is protect against SQL Injections. By using prepared statements, you have that covered. If for some reason you echo back the user-submitted values (such as to re-populate the username, or in an audit-log) then you'd want to protect against XSS by using htmlentities(). Beyond that, there is no need for any further validation/sanitization. If the username or password doesn't match whatever your rules are that you enforce during registration, it simply won't match anything in the database and the login will fail.
I think that nicely sums up my original thinking.
Thanks,
Debbie
RobertP Posted June 17, 2012
To your question, should I validate against regex? Well, I do for my login system, but it's not needed 100% as you have already validated their email address when they created their account.