richo wrote:
Everah wrote:
Secondly, you should not be replacing anything in the username and password. If the username only allows letters and numbers, preg_match it and if it fails error out. For passwords, if you are hashing the password, a space will be hashed along with the rest of the string so manipulating the password could lock your users out. Really give some consideration as to what you are doing with this.
I don't really understand which bit you think I'm doing wrong, could you explain further?
What I mean is, on a login script, you don't want to try to guess what the user should have entered. They should be entering correctly formatted data or the script should kill its process. For example, my logins are always going to be either alphanumeric or numeric. Spaces and special characters are not allowed. So in my script, I preg_match() the passed username against a pattern that matches my settings, and if it passes that step, then I move on to checking the password. If not, then I error out at that point.
For passwords, you should be hashing your passwords. md5() or sha1(), or better yet, Feyd's sha256 would be a good choice as a hashing mechanism (using a salt of course, but we can cover that later). When you hash, you are taking the password and running it through a one way algorithm that makes it difficult or impossible to unhash. This is a security precaution for protecting your users' information.
When hashing, each character has a value in the algorithm, even a space. So if my password was 'my password' and you removed the space, then my login would fail because a hashed 'my password' would not equal a hashed 'mypassword'. Again, straight hash to hash match and if it fails, error out.
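The two points in this reply (reject a badly formatted username with preg_match() instead of rewriting it, and compare the password exactly as submitted against its stored hash) as a small added example. This is not code from the thread or from any poster; it assumes an in-memory user table built with password_hash()/password_verify() (standing in for the md5()/sha1()/sha256 mentioned above, since those built-ins already handle the salt), and a constructed username rule of 3 to 20 letters or digits.

```php
<?php
// Added example, not from the original thread.
// Assumptions: users live in an in-memory array built by sampleUsers();
// password_hash()/password_verify() replace the md5()/sha1() the post names.
declare(strict_types=1);

// Username rule from the post: letters and digits only, nothing else.
// The length bounds (3 to 20) are a constructed assumption.
const USERNAME_PATTERN = '/^[A-Za-z0-9]{3,20}$/';

// Constructed sample user table; hashes are generated when the script loads,
// so the stored value is a salted hash, never the password itself.
function sampleUsers(): array
{
    return [
        'alice' => password_hash('my password', PASSWORD_DEFAULT),
        'bob42' => password_hash('correct horse', PASSWORD_DEFAULT),
    ];
}

/**
 * Returns true only when the username matches the allowed pattern and the
 * password, taken exactly as submitted, verifies against the stored hash.
 * Neither string is trimmed, stripped or otherwise "corrected" on the way in.
 */
function login(array $users, string $username, string $password): bool
{
    // Step 1: a username that fails the pattern errors out here;
    // nothing is replaced or cleaned up to make it pass.
    if (preg_match(USERNAME_PATTERN, $username) !== 1) {
        return false;
    }

    // Step 2: unknown users fail the same way as a wrong password.
    if (!isset($users[$username])) {
        return false;
    }

    // Step 3: straight hash-to-hash match of the untouched password.
    // 'my password' and 'mypassword' hash differently, so a stripped
    // space fails here, which is the lockout the post warns about.
    return password_verify($password, $users[$username]);
}

// Usage: each call exercises one branch of the checks above.
$users = sampleUsers();
var_dump(login($users, 'alice', 'my password'));  // exact password as stored
var_dump(login($users, 'alice', 'mypassword'));   // space removed from password
var_dump(login($users, 'al ice', 'my password')); // space inside the username
var_dump(login($users, 'alice ', 'my password')); // trailing space, not trimmed
var_dump(login($users, 'carol', 'anything'));     // user does not exist
```

The point of the design is that the script never tries to turn a bad submission into a good one: a username either matches the pattern or the request is refused, and the password goes into the comparison byte for byte, so a legitimate password containing a space keeps working.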