Freid001 Posted December 1, 2012 (edited)

The code below works in PHP 4, however in PHP 5 I get the following error:

    Deprecated: Function ereg() is deprecated in /srv/disk5/657046/www/worldwarfare.atwebpages.com/game/account/passwordcheck.php on line 46

    if (ereg('[^A-Za-z0-9]', $Password2)) {
        die ("Your new password should only contain letters and numbers!<br><a href='/game/account.php'>Back</a>");
    } else {
        echo "";
    }

I think ereg doesn't work in PHP5 so what should I use instead of ereg?

Edited December 1, 2012 by Freid001
trq Posted December 1, 2012

Why not check the manual? http://php.net/ereg
Freid001 Posted December 1, 2012

It says:

> Warning: This function has been DEPRECATED as of PHP 5.3.0. Relying on this feature is highly discouraged.

So what should I use instead?
trq Posted December 1, 2012

Keep reading.
Freid001 Posted December 1, 2012

I have tried this but it doesn't work. Each time the if returns true. Even if $Password2 = abcdefg

    if (!preg_match("/^[_\.0-9a-zA-Z-]+@([0-9a-zA-Z][0-9a-zA-Z-]+\.)+[a-zA-Z]{2,6}$/i", $Password2)) {
        die ("Your new password should only contain letters and numbers!<br><a href='/game/account.php'>Back</a>");
    }
Christian F. Posted December 1, 2012

Why are you using a RegExp that validates a rudimentary e-mail address to validate the password? For that matter, why are you limiting the password in any way (other than minimum length) in the first place?!

If there is one piece of data that should never have its complexity or its maximum length limited in any way, it's passwords. Limiting it in such a way only makes it easier, a lot easier, for anyone who wishes to attack your users/site.

I strongly recommend that you read this article about secure login systems. You should find it very enlightening, and it'll help you make a properly secure login system.

PS: Generally all you need to do, is to add a couple of delimiters at the start and end of the RegExp. They're usually either slashes (/) or hash tags (#), but can be just about anything that's not a letter or a number.
Freid001 Posted December 1, 2012

This is not a login system script, it is part of a script that is used to change user passwords.
Freid001 Posted December 1, 2012

Fixed it, this works fine:

    // Reject anything other than letters, digits, underscore and hyphen
    if (preg_match("/[^a-zA-Z0-9_\-]/", $Password2)) {
        die ("Your new password should only contain letters and numbers!<br><a href='/game/account.php'>Back</a>");
    }
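
The ereg() to preg_match() port discussed above, as an added example that is not code from any poster in the thread: it keeps the original character-class check, handles the false return of preg_match(), and shows on constructed inputs how a range mistyped as A-z silently widens the allowed set. The function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// Direct port of ereg('[^A-Za-z0-9]', $p): same class, wrapped in / delimiters.
function has_disallowed_chars($password)
{
    // preg_match() returns 1 on a match, 0 on no match and false on error,
    // so a loose truthiness test would treat a regex failure as "clean input".
    $result = preg_match('/[^A-Za-z0-9]/', $password);
    if ($result === false) {
        throw new RuntimeException('Regex error code ' . preg_last_error());
    }
    return $result === 1;
}

// Same check with the upper-case range mistyped as A-z. That range spans
// ASCII 65..122, which also covers [ \ ] ^ _ and the backtick.
function has_disallowed_chars_mistyped($password)
{
    $result = preg_match('/[^a-zA-z0-9]/', $password);
    if ($result === false) {
        throw new RuntimeException('Regex error code ' . preg_last_error());
    }
    return $result === 1;
}

// Constructed sample inputs
$samples = array('abcdefg', 'abc123', 'abc[123]', 'pass^word', 'pass`word', 'pass word');

foreach ($samples as $s) {
    printf(
        "%-10s  correct class rejects: %-5s  mistyped class rejects: %s\n",
        $s,
        var_export(has_disallowed_chars($s), true),
        var_export(has_disallowed_chars_mistyped($s), true)
    );
}
```

The two columns differ only for the inputs containing `[`, `]`, `^` or a backtick, which the mistyped class lets through.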
Christian F. Posted December 1, 2012

I know it's a part of a "change password" script, but that itself is a part of a login system. Trust me when I say that you need to update your scripts, and follow the guidelines in that article.

I suspect that you're storing said passwords as plain text in the database, right? If so, what happens if someone gets access to it? How many people have used the same password on your site, as they have on their e-mail accounts (you included)? How many other sites would you and your users need to change passwords on, when your site is attacked? And how many people have financial or other private information available in their mails, or accounts accessible from said mail accounts?

That's why it's so important to ensure a properly secure login system, for all sites.
Freid001 Posted December 1, 2012 (edited)

The password is stored as md5 but I didn't show that in the code above. However I am thinking about changing it to sha1 or maybe add some salt to the md5 cos apparently people can use something called rainbow tables to work stuff out that has been md5 encrypted.

Anyway at the minute I am trying to upgrade my system from PHP 4 to PHP 5, hence why I needed some help with the above problem.

Also here is a link to my site if you are interested in taking a look at it: http://worldwarfare.atwebpages.com

Edited December 1, 2012 by Freid001
Christian F. Posted December 1, 2012

You don't even need a rainbow table, Google is enough.

Also, you should definitely use a hash, as that is the only thing that can stop rainbow tables and the like. Won't really help against a brute-force attack, but for that you've got the enormous amount of traffic it creates.

In any case, the article contains a lot of useful information on this, and it explains everything quite nicely and in good detail.

PS: It's "hashed" not "encrypted". The difference being that a hash is a one-way operation, while an encryption can be reversed.
DavidAM Posted December 2, 2012

> Also, you should definitely use a hash, ...

He means "salt" ... md5 is a hash.
Christian F. Posted December 2, 2012

Ah, yes. Sorry about that mistype. Thanks for correcting it, DavidAM.
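
The salting point settled in the last few posts, as an added example that is not code from the thread: password_hash() generates a random salt per password and uses a deliberately slow hash, and a stored unsalted md5 digest can be replaced at the user's next successful login. It assumes PHP 5.6 or later (for password_hash() and hash_equals()); the function name and the in-memory $users array standing in for the database are hypothetical.

```php
<?php
// Added example, not code from the thread.
// $users stands in for the accounts table (constructed data).
$users = array(
    'alice' => md5('correct horse'), // legacy row: unsalted md5 hex digest
);

// Returns true for a correct password and upgrades a legacy md5 row in place.
function verify_and_upgrade(array &$users, $name, $password)
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name];

    // A legacy row is exactly 32 hex characters; password_hash() output starts with '$'.
    $isLegacy = preg_match('/^[0-9a-f]{32}$/', $stored) === 1;

    if ($isLegacy) {
        $ok = hash_equals($stored, md5($password)); // constant-time comparison
    } else {
        $ok = password_verify($password, $stored);
    }
    if (!$ok) {
        return false;
    }

    // The plaintext is only available at login, so this is the point to re-hash
    // with a per-password random salt and the current default algorithm.
    if ($isLegacy || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

var_dump(verify_and_upgrade($users, 'alice', 'wrong guess'));   // rejected, row untouched
var_dump(verify_and_upgrade($users, 'alice', 'correct horse')); // accepted via legacy md5
var_dump(strpos($users['alice'], '$') === 0);                   // row now holds a salted hash
var_dump(verify_and_upgrade($users, 'alice', 'correct horse')); // accepted via password_verify()

// Identical passwords no longer share a digest, which is what defeats lookup tables.
$a = password_hash('correct horse', PASSWORD_DEFAULT);
$b = password_hash('correct horse', PASSWORD_DEFAULT);
var_dump($a !== $b);
```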