开发者

how i can secure html password tag from spaces by php?

开发者 https://www.devze.com 2023-02-06 01:19 出处:网络
h开发者_如何学JAVAello i explore that when somebody try to write spaces in password field php handle with it as chatter .so how i can prevent it . pleas i want if try to write space get message say do

h开发者_如何学JAVAello i explore that when somebody try to write spaces in password field php handle with it as chatter .so how i can prevent it . pleas i want if try to write space get message say dont try to write space


if (strpos($_POST['password'], ' ') !== false) {
    echo "Don't try to write space.";
}


This will do the job:

if (strpos($_POST['password'], ' ') !== false) {
    echo "Don't try to write space.";
}

BUT... the arguement that Thai(look above) gave is a good one. You shouldn't restrict the user from being able to use spaces and other characters in their password.

    $upass = $_POST['password'];
    $usalt = substr(md5(uniqid(rand(), true)),0,7);
    $upasshash = sha1(md5($upass).$usalt);      

Now store the userinformation in your database. For security reasons please clean the $_POST['username']. Also use trim to clean the fields for unnecessary spaces.

    $upass = trim($_POST['password']);
    $uname = mysql_real_escape_string(trim($_POST['username']));
    //Get the from data.
    $usalt = substr(md5(uniqid(rand(), true)),0,7);
    $upasshash = sha1(md5($upass).$usalt);  
    //Salt for extra security (prevent attackers from using rainbow tables)

    $sql =  "   INSERT INTO users (uname, upasshash, usalt)
            VALUES ('$uname', '$upasshash', '$usalt');";
    mysql_query($sql);

An advantage is that you do nmot create overhead in your database on the password field. The $upasshash is allways 40 characters long.

UPDATE: This is a way to login the user.

$mysqlcon = dbconnect();
$sql = "SELECT * FROM users WHERE uname = '$unamein';";
$result = mysql_query($sql);
if(mysql_num_rows($result) == 1){ //Does the user exists and is it only 1 user?
//Yes 1 match exacly
    $fetch = mysql_fetch_assoc($result);
    if(sha1(md5($upassin).$fetch['usalt']) == $fetch['upasshash']){ //Are the password hashes equal?
    //Yes the hashes are equal
        $_SESSION['check'] = true;
        $_SESSION['uid'] = $fetch['uid'];
        $_SESSION['uname'] = $fetch['uname'];
        $message = 'Login succeded!';                           
    }else{
    //NO the hashes ar not equal
        $message = 'Wrong password and/or username.';
    }
mysql_close($mysqlcon);
}else{
// USER doest exist.
    $message = 'Wrong password and/or username.';
}

For security reasons, please do not tell them which field they filled in incorrectly.


You could also add a check in JavaScript to improve user experience (faster response time than doing a server round trip). In case you go for this route, don't rely on it exclusively since a user could have JavaScript disabled and also add a check in PHP.

<html>
<head>
<title>JavaScript Form Validation</title>
<script type='text/javascript'>
function validate() {
     var pass = document.myForm.passwd.value;
     for (var i = 0; i < pass.length; i++) {
         if (pass.charAt(i) == ' ') {
             alert("Please don't use spaces in the password");
             document.myForm.login.disabled = true;
             return;
         }
     }
     document.myForm.login.disabled = false;
}
</script>
</head>
<body>

<form method='post' name='myForm'>

<input type='password' name='passwd' id='passwd' onblur='validate()'/>
<input type='submit' name='login' id='login'/>

</form>

</body>
</html>
0

精彩评论

暂无评论...
验证码 换一张
取 消