Secure Coding mailing list archives
Re: Scripting Languages and Secure Coding + code
From: "Paul R. C. Ming" <prcm () nmt edu>
Date: Fri, 05 Dec 2003 02:53:37 +0000
> I know this is not what You asked, but I'm no secure coding guru. It just
> occurred to me that this code:
> | $username=stripslashes(trim($_POST['username']));
> | $password=stripslashes(trim($_POST['password']));
> would disallow a user from having slashes (and possibly other characters -- I
> don't know PHP and the stripslashes() command) in their passwords (and
> usernames, but I think they can live with that).

In general, it's better to check that input is valid, rather than trying to check for invalid input or trying to sanitize the input. For this case, you would want to check that the username contains only valid characters (e.g. letters and digits). Match the username against a regular expression, such as ^[A-Za-z][A-Za-z0-9]{0,31}$. If it matches, it's okay; otherwise, tell the user it's not a valid username and what makes a valid username.

> ... Going on the assumption that PHP does not use \0 to indicate the end of a
> string (as I said, I don't know PHP), the only thing You do with the password
> field directly is check that it is not empty, then put it through MD5. I think
> MD5 is sanitation enough. What do others say? (This would also give You a
> really tiny speed improvement. :) )

I believe that running the password through MD5 is enough, because the output of PHP's md5(string) is going to be a 32-character hexadecimal string. (Just don't use md5()'s raw option...)

On another note, I'd bet it'd be a good habit to use the mysql_escape_string()/mysql_real_escape_string() functions whenever creating SQL query strings. The PHP manual says that they don't escape % or _. I don't know SQL that well, so what implications does that have?

--
Paul Ming
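The following PHP script is an added example for this archive page; it is not code from the thread or from any poster. It shows the two technical points discussed above in running form: allowlist validation of a username with the regex given in the message, and what "they don't escape % or _" means in practice. Those two characters are ordinary everywhere except inside a LIKE pattern, where % matches any run of characters and _ any single character; quote-escaping functions leave them alone, so user text placed in a LIKE clause can match more rows than intended unless the wildcards are escaped separately. Because the mysql_* functions were removed in PHP 7, the example binds values with PDO prepared statements (against an in-memory SQLite database, which needs the pdo_sqlite extension). The function names validate_username, escape_like, find_user and find_users_by_prefix, the users table and all the rows are assumptions constructed for this example. Password storage is left aside here; as a separate note, md5() is not a suitable password hash for storage by current standards (PHP's password_hash() is), though the original discussion is kept as written.

```php
<?php
// Added example, not code from the original thread. Function names, the
// users table and all data below are constructed for this illustration.
declare(strict_types=1);

// Allowlist check with the regex suggested in the message: one letter followed
// by up to 31 letters or digits, anchored so the whole string must match.
function validate_username(string $username): bool
{
    return preg_match('/^[A-Za-z][A-Za-z0-9]{0,31}$/', $username) === 1;
}

// Quote-escaping (mysql_real_escape_string, PDO::quote) leaves % and _ alone
// because they are only special inside a LIKE pattern. When user text is
// embedded in a LIKE pattern, escape those two characters and the escape
// character itself, and name that character in the query's ESCAPE clause.
// '!' is used here because a backslash needs different quoting in MySQL
// and SQLite string literals.
function escape_like(string $value, string $escape = '!'): string
{
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $value
    );
}

// Exact lookup with a prepared statement: the value is bound, never spliced
// into the SQL text, and an = comparison treats % and _ literally.
function find_user(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Prefix search with LIKE. With $escape = true, wildcards inside the user's
// text are neutralised by escape_like(), so the % appended here is the only
// wildcard left in the pattern.
function find_users_by_prefix(PDO $db, string $prefix, bool $escape = true): array
{
    $pattern = ($escape ? escape_like($prefix) : $prefix) . '%';
    $stmt = $db->prepare(
        "SELECT username FROM users WHERE username LIKE :p ESCAPE '!' ORDER BY username"
    );
    $stmt->execute([':p' => $pattern]);
    return array_column($stmt->fetchAll(PDO::FETCH_ASSOC), 'username');
}

// Constructed candidate usernames exercising the allowlist.
foreach (['alice42', 'Al_ce', 'a%', '9lives', "bob'; --"] as $candidate) {
    printf("%-12s valid=%s\n", $candidate, validate_username($candidate) ? 'yes' : 'no');
}

// In-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO users (username) VALUES (?)');
foreach (['alice', 'al_ce', 'alfred', 'bob'] as $u) {
    $insert->execute([$u]);
}

// Exact match: the _ in "al_ce" is literal here, so only that row comes back.
var_dump(find_user($db, 'al_ce'));

// Prefix "al_" in a LIKE pattern: unescaped, the _ matches any single
// character, so alice and alfred are returned as well; escaped, only al_ce is.
print_r(find_users_by_prefix($db, 'al_', false));
print_r(find_users_by_prefix($db, 'al_'));
```

The allowlist check alone already keeps % and _ out of usernames, which is the point made in the reply: validating against a known-good pattern removes whole classes of later escaping questions. The escape_like() helper is for the cases where user-supplied text legitimately has to go into a LIKE pattern, such as a search box.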