views:

52

answers:

3

What I am looking for currently is a simple, basic, login credentials sanitation script.

I understand that I make a function to do so and I have one...but all it does right now is strip tags...

Am I doomed to use replace? Or is there a way I can just remove all special characters and spaces and limit it to only letters and numbers... then as for the password, limit it to only letters and numbers, exclamation points, periods, and other special chars that cannot affect my SQL query.

Please help :/

Thanks, Matt

+1  A: 

If you want to make strings safe for SQL, use mysql_real_escape_string().

If you want to limit a string to certain chars, use a regex.

For example, if you want only a-z, 0-9 and exclamation mark you can use:

   // remove every run of characters outside a-z, 0-9 and !
   $string = preg_replace('/[^a-z0-9!]+/', '', $string);

This will strip out anything that doesn't match the regex.

If you want to check whether the string matches that pattern, use preg_match(). For readability you may want to take out the ^ and precede the expression with the bang / not / ! operator instead.

If you are talking about stripping out things to make echoing to your page safe, use htmlspecialchars(). Depending on context, you may need to sanitize further.

Remember: If you are limiting characters in passwords, it only makes sense from a theoretical point of view that they will be easier to remember by the end user. Limiting chars makes password brute forcers easier (smaller pool of chars to check), and it shouldn't affect their storage (as they should be salted and hashed).

alex
Good point about salting and hashing passwords.
thomasrutter
A: 

Sounds like you want to limit which characters people are allowed to use in their usernames and passwords. Sort of like this.

if (!preg_match('/^[a-zA-Z0-9_]++$/', $username)) {
  // reject username
}

if (!preg_match('/^[a-zA-Z0-9\.!@#$%^&*_-]++$/', $password)) {
  // reject password
}

It's a bad idea to silently replace/remove characters in someone's credentials. You need to give them the feedback that these characters aren't allowed. It's also a bad idea to be too restrictive in what characters you allow in a password, for security reasons which others have already touched upon.

thomasrutter
A: 

First off, don't ever sanitize a password. It should be hashed long before getting anywhere close to an SQL query, so it will actually have the opposite effect and make your application less secure for the users.

$password = "hey'; --droptable";
$hashedPass = sha1("salt" . $password);
// sha1 returns an alphanumeric (hex) hash of the password
// stick the hash in the database

If you're dealing with a MySQL database, mysql_real_escape_string() is good enough as alex said. One thing you have to keep in mind with that method is that you will need an open connection to your MySQL database for it to work.

// an open connection is required: the escaping depends on the connection's charset
mysql_connect();
$string = "hey'; --droptable";
$string = mysql_real_escape_string($string);
echo $string; // outputs "hey\'; --droptable"

There are a few other DBMS APIs that have an escape string method; here are a few: http://au2.php.net/manual-lookup.php?pattern=escape_string&lang=en

Thomas Winsnes
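Putting the three answers together, as an added example that is not code from any of the posters: a username whitelist that reports disallowed characters instead of stripping them (thomasrutter's point), a password that is hashed rather than sanitized (Thomas Winsnes's point, using password_hash() in place of salted sha1), and a PDO prepared statement in place of mysql_real_escape_string(). Assumes PHP 7.1+ with the pdo_sqlite extension; the table name, column names and sample values are constructed.

```php
<?php
// Added example (not from the original posters). Assumes PHP 7.1+ with
// the pdo_sqlite extension; the table and values below are constructed.

// Username whitelist, same idea as thomasrutter's regex, with a length limit.
const USERNAME_PATTERN = '/^[a-zA-Z0-9_]{3,32}$/';

// Returns null when the username is acceptable, otherwise a message for
// the user. Disallowed characters are reported, never silently stripped.
function validateUsername(string $username): ?string
{
    if (preg_match(USERNAME_PATTERN, $username) !== 1) {
        return 'Usernames may only contain letters, digits and underscores (3-32 characters).';
    }
    return null;
}

// Registers a user. The password is hashed before it goes anywhere near
// the query, so its characters cannot affect SQL; the username is bound
// as a parameter, so it needs no escaping either. $pdo is an open PDO
// connection (assumed).
function registerUser(PDO $pdo, string $username, string $password): bool
{
    if (($error = validateUsername($username)) !== null) {
        throw new InvalidArgumentException($error);
    }
    if (strlen($password) < 8) {
        throw new InvalidArgumentException('Password must be at least 8 characters.');
    }
    // password_hash() (bcrypt by default) in place of sha1('salt' . $password).
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    return $stmt->execute([':u' => $username, ':h' => $hash]);
}

// Constructed demo: an in-memory SQLite table stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT UNIQUE, password_hash TEXT)');

var_dump(validateUsername("matt'; --"));            // username with a quote and SQL comment
registerUser($pdo, 'matt_01', "hey'; --droptable");  // same text is harmless as a password
$stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
$stmt->execute([':u' => 'matt_01']);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
var_dump(password_verify("hey'; --droptable", $row['password_hash']));
```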