
Hi all, 


I have been reading almost everywhere that we should not use our own custom login and password validations (like regex etc.) but instead use the filter_var and filter_input built-in functions provided by PHP 5 and above. However, even after searching for more than an hour with different search strings, I have not found even a single example that shows how we may validate a username/login and password in a login form. Can someone be kind enough to provide strong, secure validations for username and login?


Additionally, I would also like to clarify whether the username and login fields in a login form can be manipulated in any manner to pose a security threat. I mean, can a hacker craft a username/login or password in such a manner as to pose an injection or any other threat?


Thanks all.


Take a look at password_hash()

 

Now that you know what to look for, I'm sure you can find some tutorials as well.

http://bit.ly/1w4LPwr

 

As for the injection concerns, you can use mysqli_real_escape_string or PDO prepared statements.

Edited by QuickOldCar

Hi, thanks for the reply. However, that is not what I was looking for. I am using mysqli_real_escape_string on the variables of my login form and I want to replace that with input filters. Can you please suggest what filter would be most apt for the login and password fields on my form? I want the username not to exceed 30 characters in length and both fields to be SQL injection safe.

I will use mysqli PDO for the database, but I just want to validate my inputs at the point of entry into the program. I don't know if that's redundant, but I believe it's good practice to validate inputs at the point of entry. At least that's what I have read in Google results.

 

Thanks !

There's obviously a misunderstanding. Validation is not a security feature, let alone a replacement for escaping. At best, it's a way to reject nonsense data and make your users aware of input errors.

 

I'd actually argue that validation is grossly overrated. I understand that people feel the need to “clean up” the incoming data in the hopes to make their application secure. But this is fundamentally wrong. Injection attacks are not an input problem. They're caused by incorrect handling of the input. For example, it's perfectly fine if the user input happens to include SQL keywords like “delete” or “drop”. Those are normal English words. It's your fault if you take those words and send them to the database server where they cause trouble.

 

So forget about this filter stuff and learn to use prepared statements. If you insist on limiting the username to 30 characters, you can of course do that. But don't randomly apply filters. This will do more harm than good. For example, you must not restrict the password, because this makes it easier for an attacker to find it.
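Putting the reply above into code, as an added example that is not from any poster in this thread: a login handler that uses a PDO prepared statement, checks the password with password_verify(), applies only the 30-character username limit the asker wanted, and deliberately leaves the password unrestricted. It assumes a `users` table with `username` and `password_hash` columns and an open PDO connection in `$pdo` (both assumptions, not from the thread).

```php
<?php
// Added example, not code from the thread. Assumptions: a `users` table
// with columns `username` and `password_hash`, and $pdo is an open PDO
// connection (ideally with PDO::ATTR_EMULATE_PREPARES set to false).
declare(strict_types=1);

const MAX_USERNAME_LENGTH = 30; // the only limit the asker asked for

function validateUsername(string $username): bool
{
    // Validation here only rejects nonsense (empty or too long); it is a
    // usability rule, not a security control. mb_strlen counts characters,
    // not bytes, so multibyte usernames are measured correctly.
    return $username !== '' && mb_strlen($username) <= MAX_USERNAME_LENGTH;
}

function login(PDO $pdo, string $username, string $password): bool
{
    if (!validateUsername($username)) {
        return false;
    }
    // Deliberately no validation of the password: any length, any
    // characters. Restricting it would only shrink an attacker's search
    // space, as the reply above points out.

    // Prepared statement: the username is sent as a bound parameter and is
    // never spliced into the SQL text, so quotes or words like "drop" in it
    // are plain data to the database server.
    $stmt = $pdo->prepare(
        'SELECT password_hash FROM users WHERE username = :username'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still do one hash comparison so the response time
        // does not reveal whether the username exists.
        password_verify($password, password_hash('dummy', PASSWORD_DEFAULT));
        return false;
    }
    // password_verify() checks against the salted hash created with
    // password_hash() at sign-up, using a constant-time comparison.
    return password_verify($password, $row['password_hash']);
}

// Usage from a form submission:
// $ok = login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
```

The hash comparison for an unknown user is a timing-consistency detail on top of what the reply describes; everything else follows it directly.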
