What's the best way to validate usernames?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
User avatar
bschaeffer
Forum Newbie
Posts: 24
Joined: Thu Apr 30, 2009 9:10 pm

What's the best way to validate usernames?

Post by bschaeffer »

I'm working on a little project that's really just a way for me to learn how to build a login system and I have a few questions about validating usernames (or passwords, for that matter) before I check them against information stored in a MySQL database to protect myself against SQL injection.

I'm thinking that using an email address as the username would be much easier to validate before I even get to the database side of the check. How would I even check if a submitted username wasn't something like 0' OR id = '23 ? A preg_match() for spaces or for a set of not-allowed characters?

Is hashing a submitted username and password, then checking it against the table the best way to go? But I guess that would only work for validating a user, and not creating one.

As you can see, I have no idea which method to choose.

Any suggestions or links or references would just be the bees knees, and I really appreciate any help I can get.

Thanks in advance.
User avatar
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W
Contact:

Re: What's the best way to validate usernames?

Post by pickle »

The easiest way is to not care what the user types in - always run it through mysqli_real_escape_string() (or the equivalent escaping function for your database).

Never store plain text passwords. At the very least, store a hash of the password, then similarly hash what the user enters & compare the 2 hashes.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
User avatar
Chalks
Forum Contributor
Posts: 447
Joined: Thu Jul 12, 2007 7:55 am
Location: Indiana

Re: What's the best way to validate usernames/passwords?

Post by Chalks »

store the passwords as a hash. There are many topics on the forum about such a thing, search for them! :)

For my applications, I usually require usernames to be one character or longer in length and have only Aa-Zz, 0-9, -, _, and [space]. To ensure that this is what is registered, I use regular expresssions (usually abbreviated to regex) and the preg_match() function. For string length, the strlen() function.

the regex I use is: "/[^a-z0-9 \-_]/i"
This means, match all characters that are NOT a-z, 0-9, [space], -, or _. the "i" means to ignore case.

Code: Select all

$desiredUsername1 = "Charlie Chap_lin-";
$desiredUsername2 = "Ch@arlie";
 
$pattern = "/[^a-z0-9 \-_]/i";
 
if(preg_match($pattern, $desiredUsername1)==1)
  echo "This will not print, because DU1 is a good username";
else
  echo "This will print.";
 
if(preg_match($pattern, $desiredUsername2)==1)
  echo "This will print, because DU1 is a _bad_ username";
else
  echo "This will not print.";

Edit: I hope this is what you were asking for. Also: as for passwords, I just make sure it's longer than 6 characters. Sometimes I make sure it contains a number and a letter. Other than that, I let the user input anything.

Edit2: Here is an excellent topic on regex and how to get started using it.
Last edited by Benjamin on Sun Jun 07, 2009 11:44 pm, edited 1 time in total.
Reason: Changed code type from text to php.
Paul Arnold
Forum Contributor
Posts: 141
Joined: Fri Jun 13, 2008 10:09 am
Location: Newcastle Upon Tyne

Re: What's the best way to validate usernames?

Post by Paul Arnold »

Just as a side note, if you're using PHP 5.2.0> the following validates email addresses.

Code: Select all

 
if(filter_var($email, FILTER_VALIDATE_EMAIL) == FALSE) {
    //Generate an error;
}
 
User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: What's the best way to validate usernames?

Post by kaisellgren »

Like pickle said, you can just escape the username. There is no need to validate it and in fact, if someone wants to use UTF-8 characters as part of his username, he should be capable of doing that. The same should apply to special characters, too.
leonel.machava
Forum Newbie
Posts: 10
Joined: Fri May 15, 2009 4:28 pm

Re: What's the best way to validate usernames?

Post by leonel.machava »

If you have rules for the username, I recommend that you validate it during the registration (using an approach identical to the proposed by Chalks). Otherwise escape the username during the registration.

For login, you should just escape the username.
User avatar
bschaeffer
Forum Newbie
Posts: 24
Joined: Thu Apr 30, 2009 9:10 pm

Re: What's the best way to validate usernames?

Post by bschaeffer »

Wow! I appreciate all the replies. Everything is completely new to me, so it's really good to get some helpful feed back.

I've got one new question (outside of username validation) about storing data with escaped strings. In my test project, I've been storing long text inputs as they are submitted because it appears that (and remember, I'm a noob here) form data submitted via POST escapes itself automatically. For instance, John Smith's bike becomes John Smith\'s bike.

In my test project, I tried to use nukeMagicQuotes() (a function I got from PHP Solutions), but I kept getting an error, so I stopped doing that and it worked fine.

After reading some replies, I've been testing some suggestions, started using real_escape_string() and now, whenever I post the long text inputs to my database, instead of getting back John Smith's bike from the db like I was before, I'm now getting back John Smith\'s bike with a backslash.

It doesn't seem like a big deal to me. I could just eliminate the magic quotes after I get the string from the db and before I echo/print, but I'm just wondering, since it seems like all real_escape_string is doing is adding backslashes, should I even use it in this case, since it looks like POST is already doing that for me?

Does this make sense? Should storing a username be handled differently than storing something like a blog/comment entry? I'll post some example code if I need to be clearer, but I'm not sure the code is the issue, just the implementation.

I was just wondering....

Thanks in advance!
User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: What's the best way to validate usernames?

Post by kaisellgren »

The feature, which automatically escapes input for you, is called Magic Quotes. It is not a replacement for database specific escaping functions like mysql_real_escape_string(). You should always use the database specific function and disable Magic Quotes. You are right about Magic Quotes adding backslashes; most databases use backslashes to escape characters/bytes. This, however, does not apply to all databases. In general, there are four reasons to not use Magic Quotes: it does not take the current character set into account, it escapes all input regardless whether they are actually used in queries or not, it does not escape all required characters (or actually "bytes"), and it is not designed for any specific database systems. It can also make things more confusing, harder to debug, etc.
User avatar
bschaeffer
Forum Newbie
Posts: 24
Joined: Thu Apr 30, 2009 9:10 pm

Re: What's the best way to validate usernames?

Post by bschaeffer »

Thanks!

Maybe one more questions... if it's cool.

Should I turn off MagicQuotes? Is that possible? I mean, for long text posts that are meant to be placed into a database, I feel like I'm going to have to get rid of the magic quotes, then use real_escape_string(). Wouldn't it be easier to just turn off that function? If so... how do you do that?
User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: What's the best way to validate usernames?

Post by kaisellgren »

bschaeffer wrote:Should I turn off MagicQuotes?
Yes. And here's how: http://fi2.php.net/manual/en/security.m ... abling.php
User avatar
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W
Contact:

Re: What's the best way to validate usernames?

Post by pickle »

I wouldn't worry about whether it's on or off. Just use get_magic_quotes_gpc() - that way if your code ever moves to another server, you can handle whatever the situation is.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
Post Reply