ajoo, posted December 5, 2014:

Hi all, I have been reading almost everywhere that we should not use our own custom login and password validations (like regex etc.) but instead use the filter_var and filter_input built-in functions provided by PHP 5 and above. However, even after searching for more than an hour with different search strings, I have not found even a single example that shows how we may validate a username/login and password in a login form. Can someone be kind enough to provide strong, secure validations for username and login? Additionally, I would also like to clarify whether the username and login fields in a login form can be manipulated in any manner to pose a security threat. I mean, can a hacker craft a username/login or password in such a manner as to pose an injection or any other threat? Thanks all.
QuickOldCar, posted December 5, 2014 (edited December 5, 2014 by QuickOldCar):

Take a look at password_hash(). Now that you know what to look for, I'm sure you can find some tutorials as well. http://bit.ly/1w4LPwr As for the injection concerns, you can use mysqli_real_escape_string or PDO prepared statements.
ajoo (author), posted December 5, 2014:

Hi, thanks for the reply. However, that is not what I was looking for. I am using mysqli_real_escape_string on the variables of my login form and I want to replace that with input filters. Can you please suggest what filter would be most apt for the login and password fields on my form? I want the username not to exceed 30 characters in length and both fields to be SQL injection safe. I will use mysqli PDO for the database, but I just want to validate my inputs at the point of entry into the program. I don't know if that's something redundant, but I believe that it's good practice to validate inputs at the point of entry. At least that's what I have read in googled results. Thanks!
Jacques1, posted December 9, 2014:

There's obviously a misunderstanding. Validation is not a security feature, let alone a replacement for escaping. At best, it's a way to reject nonsense data and make your users aware of input errors. I'd actually argue that validation is grossly overrated. I understand that people feel the need to “clean up” the incoming data in the hope of making their application secure. But this is fundamentally wrong. Injection attacks are not an input problem. They're caused by incorrect handling of the input. For example, it's perfectly fine if the user input happens to include SQL keywords like “delete” or “drop”. Those are normal English words. It's your fault if you take those words and send them to the database server where they cause trouble. So forget about this filter stuff and learn to use prepared statements. If you insist on limiting the username to 30 characters, you can of course do that. But don't randomly apply filters. This will do more harm than good. For example, you must not restrict the password, because this makes it easier for an attacker to find it.
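The following is an added example, not code from any poster in this thread. It puts together what QuickOldCar's reply (password_hash()) and Jacques1's reply (prepared statements, a length limit on the username only, no restriction on the password) describe: the only validation is a 1 to 30 character length check on the username, the username reaches the database solely as a bound parameter, and the password is never stored, only its hash. The table layout, the in-memory SQLite database and the sample user are all constructed for the demo; a real application would point the PDO DSN at its own MySQL server.

```php
<?php
// Added example (not the original posters' code). Assumed schema:
//   users(id INTEGER PRIMARY KEY, username VARCHAR(30) UNIQUE, password_hash VARCHAR(255))
declare(strict_types=1);

// Validation here only rejects nonsense (empty or over-long names). It is NOT
// what stops SQL injection; the bound parameters in the queries below do that,
// so quotes or SQL keywords in the username are harmless data.
function validUsernameLength(string $username): bool
{
    $len = mb_strlen($username, 'UTF-8');
    return $len >= 1 && $len <= 30;
}

// Registration: store password_hash(), never the password. The password itself
// is deliberately not filtered or length-limited.
function registerUser(PDO $db, string $username, string $password): bool
{
    if (!validUsernameLength($username)) {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    return $stmt->execute([
        ':u' => $username,
        ':h' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

// Login: look the user up with a bound parameter and check the hash.
function loginUser(PDO $db, string $username, string $password): bool
{
    // Hash computed once per process; used to keep the timing of "unknown user"
    // close to the timing of "wrong password".
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-password', PASSWORD_DEFAULT);
    }

    if (!validUsernameLength($username)) {
        return false;
    }

    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        password_verify($password, $dummyHash); // burn the same time, then fail
        return false;
    }
    return password_verify($password, $row['password_hash']);
}

// For contrast, the INSECURE pattern the prepared statement replaces: the
// username is pasted into the SQL text, so "admin' --" turns the rest of the
// statement into a comment. Shown only as a string; never executed here.
function insecureQueryText(string $username): string
{
    return "SELECT password_hash FROM users WHERE username = '$username'";
}

// --- Demo with constructed data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username VARCHAR(30) UNIQUE, password_hash VARCHAR(255))');

registerUser($db, 'alice', 'correct horse battery staple');

$cases = [
    'valid credentials'            => ['alice', 'correct horse battery staple'],
    'wrong password'               => ['alice', 'wrong'],
    'quote and OR in username'     => ["alice' OR '1'='1", 'anything'],
    'SQL keyword as username'      => ['drop', 'x'],
    'username over 30 characters'  => [str_repeat('a', 31), 'x'],
];
foreach ($cases as $label => [$u, $p]) {
    printf("%-30s login=%s\n", $label, loginUser($db, $u, $p) ? 'ok' : 'denied');
}
echo "Insecure SQL text for \"admin' --\": ", insecureQueryText("admin' --"), "\n";
```

The third case is the point of Jacques1's reply: `alice' OR '1'='1` passes the length check and goes to the database unchanged, yet the login is denied, because a bound parameter can only ever match a username literally equal to that string. The same input concatenated into `insecureQueryText()` would rewrite the statement, and that is where mysqli_real_escape_string or, better, a prepared statement belongs, not in an input filter.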