tags:

views:

511

answers:

2
+1  Q: 

Sanitize a PHP password string

I have a PHP page that allows people to run htpasswd to update their password. What is the best way to sanitize their input. I don't want to restrict the input to much because I want to allow for secure passwords. This is what I have. How can it be improved?

$newPasswd = preg_replace('/[^a-z0-9~!()_+=[]{}<>.\\\/?:@#$%^&*]/is', '', $inputPasswd);
$cmdline = $htpasswd . " " . $passwd_file . " " . escapeshellarg($username) . " " .escapeshellarg($newpasswd);
exec( $cmdline, $output, $return_var );
+1  A: 

I would not use preg_replace with empty string on "dangerous characters", since that will make the user believe he changed the password into something, but you exec something else.. So the user will set the password to something different than he put in... It would be better to give feedback to the user telling him that some characters (preferably capture and display the offending characters) did not pass through validation.

Other than that, I think it looks pretty good. I think it provides the user with a wide range of possible character, and he doesn't need more than those to create a secure password. It might also be useful to tell the user which characters that are allowed in the password so he doesn't have to guess.

PatrikAkerstrand  2009-06-12 12:58:19
This is actually part of a plug in, and I have limited ability to interact with the user. The likelyhood of a real user entering bad characters is low enough that I am willing to deal with the support calls.
Jon Drnek  2009-06-12 13:00:31
Although, I could probably cause the password change to fail earlier... I'll look into that
Jon Drnek  2009-06-12 13:04:40
+6  A: 

The ecscapeshellarg function is built-in to PHP, and differs across systems based on the shell to sanitize the text so that no "unsafe" characters can be passed into exec.

http://us2.php.net/manual/en/function.escapeshellarg.php

MiffTheFox  2009-06-12 13:00:51
Are you saying that I don't need to bother removing bad characters if I use escapeshellarg?
Jon Drnek  2009-06-12 13:26:19
Escapeshellarg will strip out anything that could be interpreted by the shell. (Or change it, for example ' => \') I'm not that familiar with htpasswd, but this would prevent any shell injection attacks.
MiffTheFox  2009-06-12 14:10:18

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases