  #1 DoubleDee (SitePoint Wizard)

    Regex for Special Characters

    I have some questions about the Regex below...
    PHP Code:
    // Check for Special-Character.
    if (empty($errors)) {
        if (!preg_match("#[\~\`\!\@\#\$\%\^\&\*\(\)\_\-\+\=\{\}\[\]\|\:\;\<\>\.\?\/\\\\]+#", $newPass1)) {
            $errors['newPass'] = 'Password must have at least 1 Special Character.';
        }
    }

    1.) Someone told me I do NOT need to escape each Special Character? And yet others have said I DO need to escape them.

    Which is correct and why?!


    2.) Someone told me to...

    convert 's to &apos;
    Is this necessary, and how would I do that?

    Do I literally just replace ' with &apos; ?


    3.) Someone also told me to use mysqli_real_escape_string, but I am unsure of where or how to do that?

    Since I use Prepared Statements, I thought using that function was unnecessary?


    4.) I was told that Commas, Single Quotes, and Double Quotes can be used in attacks, and thus are "dangerous" characters.

    Is that true?

    Thanks,


    Debbie

  #2 cpradio (Hosting Team Leader)
    Quote Originally Posted by DoubleDee:
    I have some questions about the Regex below...
    PHP Code:
    // Check for Special-Character.
    if (empty($errors)) {
        if (!preg_match("#[\~\`\!\@\#\$\%\^\&\*\(\)\_\-\+\=\{\}\[\]\|\:\;\<\>\.\?\/\\\\]+#", $newPass1)) {
            $errors['newPass'] = 'Password must have at least 1 Special Character.';
        }
    }

    1.) Someone told me I do NOT need to escape each Special Character? And yet others have said I DO need to escape them.

    Which is correct and why?!
    It is true that you do not need to escape every special character, only the ones that contain meaning to regular expressions (?, :, ., *, \ for example need to be escaped). You ARE permitted to escape ALL characters if you'd like, there is nothing wrong with doing that.

    Quote Originally Posted by DoubleDee:
    2.) Someone told me to... convert 's to &apos;

    Is this necessary, and how would I do that?

    Do I literally just replace ' with &apos; ?
    Since you are using prepared statements, you don't need to do this. This is a technique to help prevent sql injection attacks or to ensure the value shows up properly when being displayed in a textbox (which you wouldn't do, since this is a password).

    Quote Originally Posted by DoubleDee:
    3.) Someone also told me to use mysqli_real_escape_string, but I am unsure of where or how to do that?

    Since I use Prepared Statements, I thought using that function was unnecessary?
    You are correct, if you are using prepared statements, this is an unnecessary step for you as it will be done automatically.

    Quote Originally Posted by DoubleDee:
    4.) I was told that Commas, Single Quotes, and Double Quotes can be used in attacks, and thus are "dangerous" characters.

    Is that true?
    Yes, this is true, but only if you are not escaping these characters or using prepared statements. Since you are using prepared statements, you are fine. Another thing to consider is if you are salting and encoding/encrypting your password (you should be), then the encryption will not contain any " ' or likewise characters used in sql injection attacks.
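
Worked example, added here and not code from any of the posts in this thread: it shows why a bound parameter makes mysqli_real_escape_string() and &apos; conversion unnecessary, and what actually reaches the password column once the password has been hashed the way the thread describes. It uses PDO with an in-memory SQLite database so it runs offline on PHP 7.0 or later with the pdo_sqlite extension loaded. `VINEGAR` is the thread's own constant name, but its value below is a placeholder; the `users` table and the `storeUser()`/`checkLogin()` helpers are hypothetical; the usernames and passwords are constructed test inputs. (password_hash()/password_verify() are the recommended PHP API for new code; the HMAC construction is kept here only to match the thread.)

```php
<?php
// Added example for this thread (not code from the original posts): why
// prepared statements make mysqli_real_escape_string() and &apos; conversion
// unnecessary, and what actually reaches the database once the password is
// hashed. Uses PDO with an in-memory SQLite database so it runs offline
// (assumes the pdo_sqlite extension is loaded; PHP 7.0+).
declare(strict_types=1);

// The thread's VINEGAR constant; the value here is a placeholder (assumption).
const VINEGAR = 'replace-with-a-long-random-server-side-secret';

/** The thread's construction: HMAC-SHA512 over password . salt, keyed by VINEGAR. */
function hashPassword(string $password, string $salt): string
{
    // The result is 128 lowercase hex characters, so the stored value can never
    // contain a quote, comma or any other SQL metacharacter.
    // (password_hash()/password_verify() are the recommended API for new code.)
    return hash_hmac('sha512', $password . $salt, VINEGAR);
}

/** Hypothetical helper: salt, hash and store a new user with bound parameters. */
function storeUser(PDO $db, string $username, string $password): void
{
    $salt = bin2hex(random_bytes(16));
    $stmt = $db->prepare('INSERT INTO users (username, salt, pass_hash) VALUES (?, ?, ?)');
    $stmt->execute([$username, $salt, hashPassword($password, $salt)]);
}

/** Hypothetical helper: look the user up with a bound parameter and compare hashes. */
function checkLogin(PDO $db, string $username, string $password): bool
{
    // The username is user input too: bind it instead of concatenating it.
    $stmt = $db->prepare('SELECT salt, pass_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    // Constant-time comparison so timing does not leak how many bytes matched.
    return hash_equals($row['pass_hash'], hashPassword($password, $row['salt']));
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, salt TEXT NOT NULL, pass_hash TEXT NOT NULL)');

// Constructed inputs built from the "dangerous" characters of question 4.
$username = "debbie' OR '1'='1";
$password = "It's a \"comma,\" ; DROP TABLE users; --";

storeUser($db, 'alice', 'correct horse battery staple');
storeUser($db, $username, $password);

// 1. The stored hash is plain hex whatever the password contained.
echo 'hash is 128 hex chars: ',
    preg_match('/^[0-9a-f]{128}$/', hashPassword($password, 'salt')) === 1 ? 'yes' : 'no', "\n";

// 2. With a bound parameter the quotes in the username are data, so only the
//    row whose username is literally  debbie' OR '1'='1  is counted.
$safe = $db->prepare('SELECT COUNT(*) FROM users WHERE username = ?');
$safe->execute([$username]);
echo 'rows matched with a bound parameter: ', $safe->fetchColumn(), "\n";

// 3. The same username spliced into the SQL text ends the string literal early,
//    and the trailing OR '1'='1' is true for every row in the table. This is the
//    attack that the "escape your quotes" advice is trying to prevent.
$unsafe = "SELECT COUNT(*) FROM users WHERE username = '" . $username . "'";
echo 'rows matched with string concatenation: ', $db->query($unsafe)->fetchColumn(), "\n";

// 4. Login works with the awkward password and fails on a near miss.
echo 'login with correct password: ', checkLogin($db, $username, $password) ? 'ok' : 'rejected', "\n";
echo 'login with wrong password:   ', checkLogin($db, $username, $password . '!') ? 'ok' : 'rejected', "\n";
```

The concatenated query in step 3 counts both users while the bound query in step 2 counts one: the difference is not which characters the password contains but whether user input is ever spliced into SQL text. Hashing first (step 1) removes quotes from the stored value as a side effect, but the username and every other column still need binding, so the prepared statement is the control to rely on.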

  #3 DoubleDee (SitePoint Wizard)
    Quote Originally Posted by cpradio:
    It is true that you do not need to escape every special character, only the ones that contain meaning to regular expressions (?, :, . *, \ for example need to be escaped). You ARE permitted to escape ALL characters if you'd like, there is nothing wrong with doing that.
    I think to be safe, I'll stick with escaping everything.


    Since you are using prepared statements, you don't need to do this. This is a technique to help prevent sql injection attacks or to ensure the value shows up properly when being displayed in a textbox (which you wouldn't do, since this is a password).
    Okay.


    You are correct, if you are using prepared statements, this is an unnecessary step for you as it will be done automatically.
    Okay.


    Yes, this is true, but only if you are not escaping these characters or using prepared statements. Since you are using prepared statements, you are fine. Another thing to consider is if you are salting and encoding/encrypting your password (you should be), then the encryption will not contain any " ' or likewise characters used in sql injection attacks.

    Well, I take the entered Password and concatenate it with a random Salt, and then I create a Hash like this...

    PHP Code:
    $newHash = hash_hmac('sha512', $newPass . $newSalt, VINEGAR);

    Debbie

  #4 cpradio (Hosting Team Leader)
    Your hashing of the password is perfectly fine, so I believe you are just fine.

  #5 DoubleDee (SitePoint Wizard)
    Quote Originally Posted by cpradio:
    Your hashing of the password is perfectly fine, so I believe you are just fine.
    Okay, thanks for the help!!

    Now if I can just decide what my Password Requirements should be...

    http://www.sitepoint.com/forums/show...-for-Passwords

    Thanks,


    Debbie

  #6 logic_earth
    PHP Code:
    $chars = preg_quote('~`!@#$%^&*()_-+={}[]|:;<>.?/\\', '#');
    $regex = "#[$chars]+#";
    See: preg_quote
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  #7 cpradio (Hosting Team Leader)
    Quote Originally Posted by logic_earth:
    PHP Code:
    $chars = preg_quote('~`!@#$%^&*()_-+={}[]|:;<>.?/\\', '#');
    $regex = "#[$chars]+#";
    See: preg_quote
    Thanks for sharing that logic_earth, even I didn't know about that one

  #8 modernW (SitePoint Enthusiast)
    @Point #1, special characters have no meaning when inside a character class (other than the caret sign when used at the front) and so escaping them inside, whilst not harmful, is unnecessary.

    @Point #2 & 3, if you're going to hash your password, then the single quotes will not make a difference.

    @Point #4, prepared statements will take care of any security risks; however again if you're hashing your password with the likes of SHA, then a hexadecimal string will be regurgitated anyways, so there will be no threat there.

    Regarding your regular expression, perhaps it would be easier to specify a match for all non-alphanumeric characters, as opposed to listing all of the special characters you can think of.

    PHP Code:
    // Check for Special-Character.
    if (empty($errors)) {
        if (!preg_match('#[^a-z0-9]+#i', $newPass1)) {
            $errors['newPass'] = 'Password must have at least 1 Special Character.';
        }
    }


  #9 DoubleDee (SitePoint Wizard)
    Quote Originally Posted by logic_earth:
    PHP Code:
    $chars = preg_quote('~`!@#$%^&*()_-+={}[]|:;<>.?/\\', '#');
    $regex = "#[$chars]+#";
    See: preg_quote
    Interesting!

    Thanks,


    Debbie

  #10 DoubleDee (SitePoint Wizard)
    Quote Originally Posted by modernW:
    Regarding your regular expression, perhaps it would be easier to specify a match for all non-alphanumeric characters, as opposed to listing all of the special characters you can think of.

    PHP Code:
    // Check for Special-Character.
    if (empty($errors)) {
        if (!preg_match('#[^a-z0-9]+#i', $newPass1)) {
            $errors['newPass'] = 'Password must have at least 1 Special Character.';
        }
    }

    Interesting suggestion!

    At one point, I had this which is similar...
    PHP Code:
    // Check for Special-Character.
    if (empty($errors)) {
        if (!preg_match("#[\W_]+#", $newPass1)) {
            $errors['newPass'] = 'Password must have at least 1 Special Character.';
        }
    }


    Debbie
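
Worked example, added here and not code from any of the posts: the "at least one special character" patterns proposed in this thread (the fully escaped list from post #1, a minimally escaped version of it, the preg_quote() version from post #6, and the `[^a-z0-9]`/`[\W_]` classes from posts #8 and #10) run side by side over constructed passwords. It goes a little beyond the posts by checking, for every printable ASCII character, that the three explicit lists accept exactly the same set, which settles question 1 by execution rather than by opinion. The variable names, the `hasSpecial()` helper and the sample passwords are mine, not the thread's.

```php
<?php
// Added example for this thread (not code from the original posts): the
// "at least one special character" patterns proposed above, run side by side
// over constructed passwords, plus a check that escaping inside a character
// class changes nothing. Plain PHP, nothing beyond the bundled PCRE support.
declare(strict_types=1);

// Post #1's class with every character escaped (a valid, if noisy, pattern).
// In a double-quoted PHP string "\$" becomes "$" and "\\\\" becomes "\\"; the
// other "\x" pairs are passed through to PCRE, which reads them as literals.
$escapedAll = "#[\~\`\!\@\#\$\%\^\&\*\(\)\_\-\+\=\{\}\[\]\|\:\;\<\>\.\?\/\\\\]+#";

// The same class with only the escapes PCRE actually needs inside [...]:
// \] so the class does not end early, \- so "_-+" is not read as a range,
// \\ for a literal backslash, and \# because # is the PHP delimiter here.
$minimal = '#[~`!@\#$%^&*()_\-+={}[\]|:;<>.?/\\\\]+#';

// Post #6: let preg_quote() escape for us (it over-escapes, which is harmless).
$quoted = '#[' . preg_quote('~`!@#$%^&*()_-+={}[]|:;<>.?/\\', '#') . ']+#';

// Posts #8 and #10: "anything that is not a letter or digit".
$notAlnum = '#[^a-z0-9]+#i';
$nonWord  = '#[\W_]+#';

/** True when the password contains at least one character the pattern accepts. */
function hasSpecial(string $pattern, string $password): bool
{
    $result = preg_match($pattern, $password);
    if ($result === false) {
        // A malformed pattern is a bug, not "no special character": fail loudly
        // instead of silently rejecting every password.
        throw new RuntimeException('invalid pattern, preg_last_error=' . preg_last_error());
    }
    return $result === 1;
}

// Escaping inside the class is optional: all three explicit lists accept exactly
// the same set of printable ASCII characters, or this loop throws.
for ($c = 32; $c < 127; $c++) {
    $ch = chr($c);
    $a = hasSpecial($escapedAll, $ch);
    if ($a !== hasSpecial($minimal, $ch) || $a !== hasSpecial($quoted, $ch)) {
        throw new LogicException('explicit patterns disagree on ' . var_export($ch, true));
    }
}
echo "escaped, minimal and preg_quote() classes agree on all printable ASCII\n";

// Constructed passwords that separate the explicit list from the generic classes.
$samples = [
    'Tr0ub4dor&3',     // & is in the explicit list
    'correct,horse',   // the comma is not
    "it's me",         // neither are the apostrophe and the space
    'Passw0rd',        // nothing special at all
];
$patterns = ['explicit' => $minimal, 'not-alnum' => $notAlnum, 'non-word' => $nonWord];

foreach ($samples as $pw) {
    $cells = [];
    foreach ($patterns as $name => $pattern) {
        $cells[] = sprintf('%s=%s', $name, hasSpecial($pattern, $pw) ? 'yes' : 'no');
    }
    printf("%-16s %s\n", var_export($pw, true), implode('  ', $cells));
}
// The comma, apostrophe and space count as "special" only for the generic
// classes; the hand-written list silently rejects them, and any other character
// the author forgot to list. Either behaviour can be the right policy, but it
// should be a deliberate choice rather than an accident of the list.
```

Two things worth keeping from the run: the escaped and unescaped versions of the explicit class are interchangeable, so the choice is purely about readability; and the explicit list is the stricter rule, because a password whose only non-alphanumeric character is a comma, an apostrophe or a space satisfies `[\W_]` and `[^a-z0-9]` but not the list. Since the password is hashed before it is stored, none of these characters is a database risk either way; the regex is a strength rule, not an injection defence.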

