Regex for Special Characters

DoubleDee 2012-07-05 23:18:30 UTC #1

I have some questions about the Regex below...

	// Check for Special-Character.
	if (empty($errors)){
		if (!preg_match("#[\\~\\`\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\_\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\\&lt;\\&gt;\\.\\?\\/\\\\\\\\]+#", $newPass1)){
				$errors['newPass'] = 'Password must have at least 1 Special Character.';
		}
	}

1.) Someone told me I do NOT need to escape each Special Character? And yet others have said I DO need to escape them.

Which is correct and why?! :-/

2.) Someone told me to...

convert 's to &apos

Is the necessary, and how would I do that?

Do I literally just replace ' with a &apos

3.) Someone also told me to use mysqli_real_escape_string, but I am unsure of where or how to do that?

Since I use Prepared Statements, I thought using that function was unnecessary? :-/

4.) I was told that Commas, Single Quotes, and Double Quotes can be used in attacks, and thus are "dangerous" characters.

Is that true?

Thanks,

Debbie

cpradio 2012-07-05 23:39:16 UTC #2

It is true that you do not need to escape every special character, only the ones that contain meaning to regular expressions (?, :, . *, \ for example need to be escaped). You ARE permitted to escape ALL characters if you'd like, there is nothing wrong with doing that.

Since you are using prepared statements, you don't need to do this. This is a technique to help prevent sql injection attacks or to ensure the value shows up properly when being displayed in a textbox (which you wouldn't do, since this is a password).

You are correct, if you are using prepared statements, this is an unnecessary step for you as it will be done automatically.

Yes, this is true, but only if you are not escaping these characters or using prepared statements. Since you are using prepared statements, you are fine. Another thing to consider is if you are salting and encoding/encrypting your password (you should be), then the encryption will not contain any " ' or likewise characters used in sql injection attacks.

DoubleDee 2012-07-06 00:13:56 UTC #3

I think to be safe, I'll stick with escaping everything.

Since you are using prepared statements, you don't need to do this. This is a technique to help prevent sql injection attacks or to ensure the value shows up properly when being displayed in a textbox (which you wouldn't do, since this is a password).

Okay.

You are correct, if you are using prepared statements, this is an unnecessary step for you as it will be done automatically.

Okay.

Yes, this is true, but only if you are not escaping these characters or using prepared statements. Since you are using prepared statements, you are fine. Another thing to consider is if you are salting and encoding/encrypting your password (you should be), then the encryption will not contain any " ' or likewise characters used in sql injection attacks.

Well, I take the entered Password and concatenate it with a random Salt, and then I create a Hash like this...

            $newHash = hash_hmac('sha512', $newPass . $newSalt, VINEGAR);

Debbie

cpradio 2012-07-06 00:18:47 UTC #4

Your hashing of the password is perfectly fine, so I believe you are just fine.

DoubleDee 2012-07-06 00:59:31 UTC #5

Okay, thanks for the help!!

Now if I can just decide what my Password Requirements should be...

Thanks,

Debbie

logic_earth 2012-07-06 15:35:21 UTC #6

 $chars = preg_quote( '~`!@#$%^&*()_-+={}[]|:;&lt;&gt;.?/\\\\', '#' );
$regex = "#[$chars]+#";

See: preg_quote

cpradio 2012-07-06 16:17:16 UTC #7

Thanks for sharing that logic_earth, even I didn't know about that one

tpunt 2012-07-07 10:07:05 UTC #8

@Point #1, special characters have no meaning when inside a character class (other than the caret sign when used at the front) and so escaping them inside, whilst not harmful, is unecessary.

@Point #2 & 3, if you're going to hash your password, then the single quotes will not make a difference.

@Point #4, prepared statements will take care of any security risks; however again if you're hashing your password with the likes of SHA, then a hexadecimal string will be regurgitated anyways, so there will be no threat there.

Regarding you regular expression, perhaps it would be easier to specify a match for all non alpha numerical characters; as opposed to listing app of the special characters you can think of.

//Check for Special-Character.
if(empty($errors)){
    if(!preg_match('#[^a-z0-9]+#i', $newPass1)){
        $errors['newPass'] = 'Password must have at least 1 Special Character.';
    }
}

DoubleDee 2012-07-07 21:20:53 UTC #9

Interesting!

Thanks,

Debbie

DoubleDee 2012-07-07 21:23:36 UTC #10

Debbie

system 2014-10-08 02:38:35 UTC #11

ShopVersioningReferenceArticlesPremium