Considerations for my first php experiment

[stevex33]

Hi Guys,
I'm interested in getting started with php, so I thought I'd make a simple text browser based game (Including a mysql database) and just take it step by step from there.

The first thing I want to become knowledgeable about is security and how to record usernames passwords in the best possible way.

What should I take into consideration when designing the registration/login process, as well as any other form where the user can input data.

What should I prevent the user from typing in?

And how should I go about encrypting the login information, storing it, and then comparing what they type in next time they log in, to what's stored in the database?

I don't need a step by step walk through, just a list of things that I need to go look up, including specific things to includ in my validation/encryption if possible please.

Thanks.

regards
Steve

[vernon-oliver]

Accept only a-z, A-Z, 0-9, & @ in an email field.

Use the php crypt function for passwords. Documentation related to that should give you most of what you need on passwords.

[stevex33]

Great thanks for that, a few quick questions though.

Does [0-9] support floats as well or just integers? I imagine floats, but thought I better check.

How can I specify that I ONLY want integers?

Which type of encryption should I use? (here it talks about "salts" http://uk.php.net/crypt)

I've seen functions in a book I've got, such as "strip html tags" (Can't remember the others), are these just predefined set's of regex to use (In the form of a function) or are they something else? And is there a way to combine all of these functions in order to get a more squeeky clean result?

And with regards to password encryption, if a user registers with the password "dog" and that password is then encrypted, and the encrypted password is stored. If the user then tries to log in with the password "dog" will I just simply be encrypting it again and comparing it to what's already in the database? Or is it more involved than that?

[SJH]

Accept only a-z, A-Z, 0-9, & @ in an email field.

Right, so what happens if my username is firstname_lastname @ gmail.com then? (ignore spaces)

[vernon-oliver]

Right, so what happens if my username is firstname_lastname @ gmail.com then? (ignore spaces)

You are prevented from registering I guess I should have looked at the RFC, need to allow

Code:

. _ -

off the top of my head. Might have missed something.

[sk89q]

The RFC allows for a lot of characters, including spaces, @ symbols, and oh so much more!

Valid email address:
person+likes+things@example.com
"Bobby\@Tables"@example.com
"Frank\ Danger"@example.com
"Peter\\ Glo"@example.com
"\␤#!^\␡\ apple"@example.com
"\<?php\ echo\ sprintf\('&#37;0.2f',\ 4.3433\)\;\ ?\>"@example.com

+ *is* used by Gmail, by the way.

[stevex33]

Sorry, what is RFC?

And is there a conclusion as to what I should be filtering out? Speficially for email addresses, but what about everything else?