Secure Coding mailing list archives

Re: Scripting Languages and Secure Coding + code


From: "Paul R. C. Ming" <prcm () nmt edu>
Date: Fri, 05 Dec 2003 02:53:37 +0000

I know this is not what you asked, but I'm no secure coding guru. It
just occurred to me that this code:

| $username=stripslashes(trim($_POST['username']));
| $password=stripslashes(trim($_POST['password']));

would disallow a user from having slashes (and possibly other characters
-- I don't know PHP and the stripslashes() command) in their passwords
(and usernames, but I think they can live with that).

In general, it's better to check that input is valid, rather than trying
to check for invalid input or trying to sanitize the input.  For this
case, you would want to check that the username contains only valid
characters (e.g. letters and digits).  Match the username against a
regular expression, such as ^[A-Za-z][A-Za-z0-9]{0,31}$.  If it matches,
it's okay, otherwise, tell the user it's not a valid username and what
makes a valid username.

...
Going on the assumption that
PHP does not use \0 to indicate the end of a string (as I said, I don't
know PHP), the only thing you do with the password field directly is
check that it is not empty, then put it through MD5. I think MD5 is
sanitation enough. What do others say? (This would also give you a
really tiny speed improvement. :) )

I believe that running the password through MD5 is enough, because PHP's
md5(string) output is going to be a 32-character hexadecimal string.
(Just don't use md5()'s raw option...)

On another note, I'd bet it'd be a good habit to use the
mysql_escape_string()/mysql_real_escape_string() functions whenever
creating SQL query strings.  The PHP manual says that they don't escape
% or _.  I don't know SQL that well, so what implications does that
have?

-- 
Paul Ming
[EMAIL PROTECTED]
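An added example, not from the message above or from the PHP code it quotes, using Python and an in-memory sqlite3 database in place of PHP/MySQL: it implements the allowlist username check with the regular expression from the message, and shows why a quoting function that leaves % and _ alone matters once a value is used in a LIKE pattern (even with a bound parameter), with an ESCAPE clause as the mitigation. The users table, its rows and the function names are constructed for this example.

```python
import re
import sqlite3

# Allowlist from the message: a letter, then up to 31 letters or digits.
USERNAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]{0,31}$")


def valid_username(name: str) -> bool:
    """Accept only what matches the allowlist; everything else is rejected."""
    return USERNAME_RE.fullmatch(name) is not None


def escape_like(value: str, esc: str = "\\") -> str:
    """Make % and _ (and the escape character itself) match literally in LIKE.

    Quote-escaping functions such as mysql_real_escape_string() do not do this,
    so the query must also declare the escape character with an ESCAPE clause.
    """
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def make_db() -> sqlite3.Connection:
    """Constructed sample table; 'aXb' exists only to show what _ matches."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)",
                     [("alice",), ("bob",), ("a_b",), ("aXb",)])
    return conn


def lookup_like(conn: sqlite3.Connection, name: str) -> list:
    """Bound parameter, but % and _ in the value still act as wildcards."""
    rows = conn.execute("SELECT username FROM users WHERE username LIKE ?",
                        (name,)).fetchall()
    return [r[0] for r in rows]


def lookup_like_escaped(conn: sqlite3.Connection, name: str) -> list:
    """Same lookup with the wildcards neutralised via escape_like() + ESCAPE."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username LIKE ? ESCAPE '\\'",
        (escape_like(name),)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print(valid_username("alice42"), valid_username("a'b"))
    print(lookup_like(db, "%"), lookup_like_escaped(db, "%"))
    print(lookup_like(db, "a_b"), lookup_like_escaped(db, "a_b"))
```

Where the value is only ever compared for equality, using `=` instead of LIKE removes the wildcard question entirely; the allowlist check rejects % and _ before they reach the query in the first place.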