ajoo Posted December 5, 2014 Share Posted December 5, 2014 Hi all, I have been reading in almost everywhere that we should not use our own custom login and password validations ( like regex etc.) but instead use the filter_var and filter_input built in functions provided by PHP 5 and above. However even after searching for more than an hour for with different search strings, I have not found even a single example that shows how we may validate for a username/login and password in a login form. Can someone be kind enough to provide a strong secure validations for username and login. Additionally I would also like to clarify if the username and login fields in a Login form be manipulated in any manner to pose a security threat? I mean can a hacker craft a username/login or password in such a manner as to pose an injection or any other threat? Thanks all. Quote Link to comment https://forums.phpfreaks.com/topic/292906-php-login-username-and-password-with-filters/ Share on other sites More sharing options...
QuickOldCar Posted December 5, 2014 Share Posted December 5, 2014 (edited) Take a look at password_hash() Now what you know to look for am sure can find some tutorials as well. http://bit.ly/1w4LPwr As for the injection concerns can use mysqli_real_escape string or pdo prepared statements Edited December 5, 2014 by QuickOldCar Quote Link to comment https://forums.phpfreaks.com/topic/292906-php-login-username-and-password-with-filters/#findComment-1498615 Share on other sites More sharing options...
ajoo Posted December 5, 2014 Author Share Posted December 5, 2014 Hi, Thanks for the reply. However that is not what I was looking for. I am using mysqli_real_escape_string on the variables of my login form and I want to replace that with input_filters. Can you please suggest what filter would be most apt for login and password fields on my form.I want the username not exceed 30 characters in length and both the fields to be SQL injection safe. I will use mysqli PDO for the database but I just want to validate my inputs at the point of entry into the program. I don't know if that's something redundant but I believe that it's good practice to validate inputs at the point of entry. At least that's what I have read on googled results. Thanks ! Quote Link to comment https://forums.phpfreaks.com/topic/292906-php-login-username-and-password-with-filters/#findComment-1498634 Share on other sites More sharing options...
Jacques1 Posted December 9, 2014 Share Posted December 9, 2014 There's obviously a misunderstanding. Validation is not a security feature, let alone a replacement for escaping. At best, it's a way to reject nonsense data and make your users aware of input errors. I'd actually argue that validation is grossly overrated. I understand that people feel the need to “clean up” the incoming data in the hopes to make their application secure. But this is fundamentally wrong. Injection attacks are not an input problem. They're caused by incorrect handling of the input. For example, it's perfectly fine if the user input happens to include SQL keywords like “delete” or “drop”. Those are normal English words. It's your fault if you take those words and send them to the database server where they cause trouble. So forget about this filter stuff and learn to use prepared statements. If you insist on limiting the username to 30 characters, you can of course do that. But don't randomly apply filters. This will do more harm than good. For example, you must not restrict the password, because this makes it easier for an attacker to find it. Quote Link to comment https://forums.phpfreaks.com/topic/292906-php-login-username-and-password-with-filters/#findComment-1499114 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.