
Ereg Php 4 To Php 5


Freid001


The code below works in PHP 4; however, in PHP 5 I get the following error: Deprecated: Function ereg() is deprecated in /srv/disk5/657046/www/worldwarfare.atwebpages.com/game/account/passwordcheck.php on line 46

 

if (ereg('[^A-Za-z0-9]', $Password2)) {
    die ("Your new password should only contain letters and numbers!<br><a href='/game/account.php'>Back</a>");
} else {
    echo "";
}

 

I think ereg doesn't work in PHP5 so what should I use instead of ereg?


I have tried this but it doesn't work. Each time the if returns true. Even if $Password2 = abcdefg


if (!preg_match("/^[_\.0-9a-zA-Z-]+@([0-9a-zA-Z][0-9a-zA-Z-]+\.)+[a-zA-Z]{2,6}$/i", $Password2)) {
    die ("Your new password should only contain letters and numbers!<br><a href='/game/account.php'>Back</a>");
}


Why are you using a RegExp that validates a rudimentary e-mail address to validate the password?

For that matter, why are you limiting the password in any way (other than minimum length) in the first place?! If there is one piece of data that should never have its complexity or its maximum length limited in any way, it's passwords. Limiting it in such a way only makes it easier, a lot easier, for anyone who wishes to attack your users/site.

 

I strongly recommend that you read this article about secure login systems. You should find it very enlightening, and it'll help you make a properly secure login system.

 

PS: Generally all you need to do, is to add a couple of delimiters at the start and end of the RegExp. They're usually either slashes (/) or hash tags (#), but can be just about anything that's not a letter or a number.


I know it's a part of a "change password" script, but that itself is a part of a login system.

Trust me when I say that you need to update your scripts, and follow the guidelines in that article.

 

I suspect that you're storing said passwords as plain text in the database, right? If so, what happens if someone gets access to it? How many people have used the same password on your site, as they have on their e-mail accounts (you included)? How many other sites would you and your users need to change passwords on, when your site is attacked?

And how many people have financial or other private information available in their mails, or accounts accessible from said mail accounts?

 

That's why it's so important to ensure a properly secure login system, for all sites.


The password is stored as md5 but I didn't show that in the code above. However, I am thinking about changing it to sha1 or maybe adding some salt to the md5, cos apparently people can use something called rainbow tables to work out stuff that has been md5 encrypted.

 

Anyway at the minute I am trying to upgrade my system from PHP 4 to PHP 5 hence why I needed some help with the above problem.

 

Also here is a link to my site if you are interested in taking a look at it: http://worldwarfare.atwebpages.com


You don't even need a rainbow table, Google is enough.

 

Also, you should definitely use a hash, as that is the only thing that can stop rainbow tables and the likes. Won't really help against a brute-force attack, but for that you've got the enormous amount of traffic it creates. In any case, the article contains a lot of useful information on this, and it explains everything quite nicely and in good detail.

 

PS: It's "hashed" not "encrypted". The difference being that a hash is a one-way operation, while an encryption can be reversed. ;)

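The following is an added example, not code from any post in this thread. It shows the original `ereg()` pattern ported to `preg_match()` with delimiters, the length-only policy suggested in the replies, and a login check that replaces unsalted MD5 values with salted `password_hash()` output. Function names, the minimum length and the sample values are assumptions, and PHP 7.0 or later is assumed for the type declarations.

```php
<?php
// Added example; function names, the minimum length and sample values are assumptions.
const MIN_PASSWORD_LENGTH = 12; // assumed policy value, not from the thread

// PCRE port of the thread's ereg() call: the same pattern inside "/" delimiters.
// True when the input contains any character outside A-Z, a-z, 0-9.
function has_non_alnum(string $password): bool
{
    return preg_match('/[^A-Za-z0-9]/', $password) === 1;
}

// Policy suggested in the reply: only a minimum length, no character limits.
function password_acceptable(string $password): bool
{
    return strlen($password) >= MIN_PASSWORD_LENGTH;
}

// Check a login against a stored hash and return [matched, hash to store].
// Unsalted MD5 rows (32 hex characters) are replaced on the first successful
// login with a password_hash() value, which carries its own random salt.
function verify_and_upgrade(string $password, string $stored): array
{
    if (preg_match('/^[0-9a-f]{32}$/i', $stored) === 1) {
        $ok = hash_equals(strtolower($stored), md5($password));
        return [$ok, $ok ? password_hash($password, PASSWORD_DEFAULT) : $stored];
    }
    $ok = password_verify($password, $stored);
    if ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $stored = password_hash($password, PASSWORD_DEFAULT);
    }
    return [$ok, $stored];
}

// Constructed sample data: a new password and a legacy row for the same value.
$newPassword = 'correct horse battery staple!';
$legacyRow   = md5($newPassword);

var_dump(has_non_alnum('abcdefg'));          // the value from the thread
var_dump(has_non_alnum($newPassword));       // contains spaces and "!"
var_dump(password_acceptable($newPassword));
// A wrong guess leaves the legacy row unchanged.
list($ok, $row) = verify_and_upgrade('abcdefg', $legacyRow);
var_dump($ok, $row === $legacyRow);
// The correct password matches and the row is replaced by a salted hash,
// which then verifies through the password_verify() branch.
list($ok, $row) = verify_and_upgrade($newPassword, $legacyRow);
var_dump($ok, $row !== $legacyRow);
list($ok, $row) = verify_and_upgrade($newPassword, $row);
var_dump($ok);
```

With `PASSWORD_DEFAULT` currently mapping to bcrypt, input beyond 72 bytes is not taken into account by the hash, which is worth knowing when no maximum length is enforced.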
