Web Hosting Talk






PDA

View Full Version : PHP Password field

fstudios
10-05-2005, 09:12 AM
Fairly new to php... but been reading a lot on security.

When checking for a valid password I 'm disallowing the following in the password:

;
>
<
|
=
'

Is there any other characters it would be best to keep out of the password field?

All other fields are only allowed to submit a-z and 0-9, but passwords I want to allow some special characters to help users in having a secure password.

Thanks
Oshaka
10-05-2005, 10:10 AM
Originally posted by fstudios
Fairly new to php... but been reading a lot on security.

When checking for a valid password I 'm disallowing the following in the password:

;
>
<
|
=
'

Is there any other characters it would be best to keep out of the password field?

All other fields are only allowed to submit a-z and 0-9, but passwords I want to allow some special characters to help users in having a secure password.

Thanks

I would just use md5 encryption using php's md5() function. Then an If statement to validate...

if(md5(password) == $md5_pass) { echo "validated"; } else { echo "failed"; }

something like that....
laserlight
10-05-2005, 10:10 AM
Generally when doing this kind of check it is better to check that all the characters entered are allowed rather than check for any disallowed characters.

Still, for passwords wouldnt it be better to not place any restrictions, but just take a cryptographic hash (say SHA1 with PHP's sha1() function) of the user's password for storage?
fstudios
10-05-2005, 10:49 AM
yes, I md5 the password... but I was doing the md5 after the requested password met all the other validation checks. (length, number of letters and numbers etc).

I was under the impression that any of the above characters should not be allowed in the input fields because of possible SQL injection attacks.

But your saying if it's been md5 hashed anyway that it doen't matter?
laserlight
10-05-2005, 11:49 AM
I was under the impression that any of the above characters should not be allowed in the input fields because of possible SQL injection attacks.
Since you take the hash before you use it in an SQL statement, an SQL injection attack should not be possible.

Incidentally, you might prefer to use SHA1 instead of MD5, though for passwords both should be fine, especially if used with a salt. SHA1 is somewhat stronger than MD5, but both cryptographic hash algorithms are (at least theoretically) broken, though the attack does not apply when used for passwords.
fstudios
10-05-2005, 12:47 PM
Helps to now that. thanks.

:)