Are special characters harmful?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

waqas_punjabian
Forum Commoner
Posts: 67
Joined: Wed Aug 10, 2005 9:53 am

Are special characters harmful?

Post by waqas_punjabian »

Hi everybody,

I don't have much idea about security issues and hacker attacks. I got a program written by some other programmer which resets the user password.

Code:

$newpass = preg_replace ('/[\\:\\/\\>\\<\\)\\(\\?\\#\\!\'\\"\\]\\[\\%\\,\\~\\=\\+\\&\\*\\{\\}\\|\\;]/', '_', $newpass);
I think the person has restricted these characters:

Code:

/><)(?#!’”][%,~=+&*}{;|
He has replaced these characters with "_".

I think this is bad because we are restricting a user from entering his desired password. Please tell me: are these characters harmful in PHP?

As I have read in an article regarding SQL injection, if a user enters ' or / or some of these characters PHP Engine adds an additional Slash with that character and takes care of security itself. Please tell me am I right or wrong?

Should I remove the above check or not?

thanks.

Waqas
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Passwords should accept any character possible. I can understand why you would limit such characters on usernames and such, but passwords are hashed anyways so it doesn't matter, and users should be encouraged to use special characters in passwords.
waqas_punjabian wrote: As I have read in an article regarding SQL injection, if a user enters ' or / or some of these characters PHP Engine adds an additional Slash with that character and takes care of security itself. Please tell me am I right or wrong?
ahem, mysql_real_escape_string() for all of your escaping needs.
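
An added example (not code from the thread or from any poster) of what the filter in the first post costs: distinct passwords collapse into one string, while a password hashed exactly as typed is stored in a fixed alphabet whatever characters it contained. The sample passwords are constructed, and the use of password_hash()/password_verify() with bcrypt on PHP 7 or later is an assumption of this example.

```php
<?php
// Added illustration; the passwords below are constructed samples.

// The filter from the original post, unchanged.
function legacy_filter(string $newpass): string
{
    return preg_replace('/[\\:\\/\\>\\<\\)\\(\\?\\#\\!\'\\"\\]\\[\\%\\,\\~\\=\\+\\&\\*\\{\\}\\|\\;]/', '_', $newpass);
}

$samples = ['Tr!cky#Pass', 'Tr?cky&Pass', 'Tr_cky_Pass', "o'Brien<3"];

// 1) Group the samples by what the filter turns them into: every group with
//    more than one member is a set of different passwords that now all
//    unlock the same account.
$groups = [];
foreach ($samples as $pw) {
    $groups[legacy_filter($pw)][] = $pw;
}
foreach ($groups as $filtered => $originals) {
    printf("%-12s <- %s\n", $filtered, implode('   ', $originals));
}

// 2) Hash the password exactly as typed. The stored value uses only the
//    bcrypt alphabet, so the password's own characters never reach the query.
foreach ($samples as $pw) {
    $hash       = password_hash($pw, PASSWORD_BCRYPT);
    $alphabetOk = preg_match('#^[./$A-Za-z0-9]+$#', $hash) === 1;
    $exact      = password_verify($pw, $hash);
    // A filtered variant only verifies when the filter changed nothing.
    $variant    = password_verify(legacy_filter($pw), $hash);
    printf("%-12s alphabet_ok=%s exact=%s filtered_variant=%s\n",
        $pw, var_export($alphabetOk, true), var_export($exact, true), var_export($variant, true));
}
```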
waqas_punjabian
Forum Commoner
Posts: 67
Joined: Wed Aug 10, 2005 9:53 am

Post by waqas_punjabian »

Thanks Jcart,

I got the answer to my question. But here I want to ask a couple of things.
Jcart wrote: I can understand why you would limit such characters on usernames and such
1) Can you please tell me or guide me about this thing, "Why can't we use these characters?", or can you give me some article to read?

2) I don't have much idea about security, so can you please tell me which things I should take care of in my PHP program? Any helpful website? Or any article?


once again thanks.

Waqas
Chalks
Forum Contributor
Posts: 447
Joined: Thu Jul 12, 2007 7:55 am
Location: Indiana

Post by Chalks »

Making a simple, secure login script I found very confusing for a while, but I think (think) I can break it down into simple steps for you:

front end:
1. User inputs username and password
2. JavaScript checks username to see if it contains anything other than a-z, 0-9, or _.
3. JavaScript makes sure username and password are a minimum length
4. JavaScript hashes password using your preferred algorithm (sha256 is good)
5. Validated username and hashed password are sent to server.

You can skip steps 2, 3 & 4 if you want, however, step 4 does add a bit more security to it (prevents packet sniffing I think).

back end:
1. Check if JavaScript was used, if not do steps A and B
A. Make sure username fits your guidelines (i.e. 8 characters, a-z 0-9 etc.)
B. Make sure password has 8 characters (or whatever), hash it using the same hash you used in the front end (sha256)
2. Check username and hashed password against database.
3. Continue if #2 is true, return error if #2 is false.

Another step I took was adding the username to the password before I hashed it. That way there was no way anyone could have the same password as anyone else. Maybe not a step that was needed, but I like it. :)

As for why you would limit the characters in a username: Because having "°¿°" as a username could be rather confusing for other people. Also, if you don't use mysql_escape_string(), you could get SQL injection. Which is Bad (note the uppercase b).
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Chalks wrote: Another step I took was adding the username to the password before I hashed it. That way there was no way anyone could have the same password as anyone else. Maybe not a step that was needed, but I like it. :)
Just so you know, that does not add any entropy or benefit, therefore pointless :)
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

Jcart wrote:
Chalks wrote: Another step I took was adding the username to the password before I hashed it. That way there was no way anyone could have the same password as anyone else. Maybe not a step that was needed, but I like it. :)
Just so you know, that does not add any entropy or benefit, therefore pointless :)
I beg to differ: combined with a site-wide salt, this is a good enough measure against offline attacks on leaked login credentials.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Okay, it has potential to increase its entropy. Typically usernames and passwords are very simple, and typically do not involve special chars, etc. If your salt is weak, then so is your hash entropy. Is that what you meant?
Last edited by John Cartwright on Fri Dec 14, 2007 12:15 pm, edited 1 time in total.
Chalks
Forum Contributor
Posts: 447
Joined: Thu Jul 12, 2007 7:55 am
Location: Indiana

Post by Chalks »

The only reason I did it was because I figured that if user IDontUnderstandSecurity had the password 12345 and the user NeitherDoI had the password 12345, someone who managed to get ahold of the database wouldn't be able to see those who had the same password hash, as they would _all_ be unique.
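
The exchange above in runnable form, as an added example that is not from any poster: two accounts from Chalks's post share the password 12345, and their stored values are compared under plain sha256 and under username plus site-wide salt. The salt value, the ":" separator, the lower-casing of the username and the short precomputed guess list are assumptions of this example (PHP 7 or later).

```php
<?php
// Added illustration; salt value and guess list are constructed.
const SITE_SALT = 'example-site-wide-salt'; // placeholder, not a real secret

function plain_hash(string $password): string
{
    return hash('sha256', $password);
}

// Chalks's scheme combined with the site-wide salt Mordred mentions.
// The ':' separator keeps ("ab", "c1") and ("abc", "1") from hashing the
// same input; it assumes usernames are limited to a-z, 0-9 and _.
function salted_hash(string $username, string $password): string
{
    return hash('sha256', SITE_SALT . ':' . strtolower($username) . ':' . $password);
}

$users = ['IDontUnderstandSecurity' => '12345', 'NeitherDoI' => '12345'];

// What a leaked users table would contain under each scheme.
$plain = $salted = [];
foreach ($users as $name => $pw) {
    $plain[$name]  = plain_hash($pw);
    $salted[$name] = salted_hash($name, $pw);
}

// A table of common-password hashes computed once, without knowing the salt.
$precomputed = [];
foreach (['123456', 'password', '12345', 'qwerty'] as $guess) {
    $precomputed[plain_hash($guess)] = $guess;
}

function report(string $label, array $stored, array $precomputed): void
{
    printf("%s: %d rows, %d distinct hashes\n",
        $label, count($stored), count(array_unique($stored)));
    foreach ($stored as $name => $h) {
        printf("  %-24s %s...  precomputed lookup: %s\n",
            $name, substr($h, 0, 16), $precomputed[$h] ?? 'no match');
    }
}

report('plain sha256', $plain, $precomputed);
report('site salt + username', $salted, $precomputed);
// sha256 is fast, so each salted row can still be guessed one account at a
// time; password_hash() adds a random per-user salt and a slow hash.
```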
waqas_punjabian
Forum Commoner
Posts: 67
Joined: Wed Aug 10, 2005 9:53 am

Post by waqas_punjabian »

Thanks to everybody here,

and thanks to Chalks.

I got your points, and I am already taking care of most of them. The thing I want to ask is: is there any other way that can lead to hacking? For example, I have used $_SESSION['variable'] to store some data, and I am using $_POST instead of GET, so I am not sure about the things which I can restrict in my program if a hacker attacks.

For example,

>> A hacker can insert invalid characters (%*$#'><= etc) I will use mysql_real_escape_string() to make it safer.

Now, is there some other way as well that a hacker can use to attack a website, and how can I make it more secure?
Which things must I take care of? Sessions, files, post variables, DB, or what?

I made a website a year ago. I was not that experienced then, so hackers used to attack my website and insert dirty records in the DB :cry: .

Now I am still confused about one thing: how can a person know the information of our database server, its username, password and database name, whereas it was only me who knew such information? Can a person get into our FTP and access our information files? How can we get rid of this kind of thing?

thanks,
Waqas