
Are special characters harmful?

Posted: Thu Dec 13, 2007 9:52 am
by waqas_punjabian
Hi everybody,

I've not much idea about the security issues and hackers attacks. I got a program written by some other programmer which Resets User Password.

Code:

$newpass = preg_replace ('/[\\:\\/\\>\\<\\)\\(\\?\\#\\!\'\\"\\]\\[\\%\\,\\~\\=\\+\\&\\*\\{\\}\\|\\;]/', '_', $newpass);
I think the person has restricted these characters:

Code:

/><)(?#!'"][%,~=+&*}{;|

He has replaced these characters with "_".

I think this is bad because we are restricting a user from entering his desired password. Please tell me: are these characters harmful in PHP?

As I have read in an article regarding SQL injection, if a user enters ' or / or some of these characters, the PHP engine adds an additional slash to that character and takes care of security itself. Please tell me, am I right or wrong?

Should I remove the above check or not?

thanks.

Waqas

Posted: Thu Dec 13, 2007 9:56 am
by John Cartwright
Passwords should accept any character possible. I can understand why you would limit such characters on usernames and such, but passwords are hashed anyway, so it doesn't matter, and users should be encouraged to use special characters in passwords.
waqas_punjabian wrote: As I have read in an article regarding SQL injection, if a user enters ' or / or some of these characters, the PHP engine adds an additional slash to that character and takes care of security itself. Please tell me, am I right or wrong?
ahem, mysql_real_escape_string() for all of your escaping needs.

Posted: Thu Dec 13, 2007 11:37 pm
by waqas_punjabian
Thanks Jcart,

I got the answer to my question. But here I want to ask a couple of things.
John Cartwright wrote: I can understand why you would limit such characters on usernames and such
1) Can you please tell me or guide me about this thing, "Why can't we use these characters?", or can you give me some article to read?

2) I don't have much idea about security, so can you please tell me which things I should take care of in my PHP program? Any helpful website? Or any article?

Once again, thanks.

Waqas

Posted: Fri Dec 14, 2007 10:15 am
by Chalks
Making a simple, secure login script I found very confusing for a while, but I think (think) I can break it down into simple steps for you:

front end:
1. User inputs username and password
2. JavaScript checks the username to see if it contains anything other than a-z, 0-9, or _.
3. JavaScript makes sure the username and password are a minimum length.
4. JavaScript hashes the password using your preferred algorithm (sha256 is good).
5. The validated username and hashed password are sent to the server.

You can skip steps 2, 3 & 4 if you want; however, step 4 does add a bit more security (prevents packet sniffing, I think).

back end:
1. Check if JavaScript was used; if not, do steps A and B.
A. Make sure the username fits your guidelines (i.e. 8 characters, a-z, 0-9, etc.).
B. Make sure the password has 8 characters (or whatever), then hash it using the same hash you used in the front end (sha256).
2. Check username and hashed password against database.
3. Continue if #2 is true, return error if #2 is false.

Another step I took was adding the username to the password before I hashed it. That way there was no way anyone could have the same password as anyone else. Maybe not a step that was needed, but I like it. :)

As for why you would limit the characters in a username: because having "°¿°" as a username could be rather confusing for other people. Also, if you don't use mysql_escape_string(), you could get SQL injection. Which is Bad (note the uppercase B).
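John's point (passwords are hashed, so nothing needs stripping) and Chalks's back-end steps A, B and 2, as an added example that is not code from the thread. It swaps two things in plainly: password_hash() in place of a bare sha256, and a PDO prepared statement in place of mysql_real_escape_string(); the table name, column names, the 32-character username cap and the in-memory SQLite database are assumptions.

```php
<?php
// Added example (not from the thread): Chalks's back-end steps A, B and 2 in PHP.
// Substitutions named in the lead-in: password_hash() instead of plain sha256,
// a PDO prepared statement instead of mysql_real_escape_string().
// Table/column names and the username length cap are assumptions.
declare(strict_types=1);

// Step A: username restricted to a-z, 0-9 and _, at least 8 characters.
function usernameIsValid(string $username): bool
{
    return preg_match('/^[a-z0-9_]{8,32}$/', $username) === 1;
}

// Step B: the password is only length-checked. Nothing is stripped or replaced:
// the raw string goes into the hash, so ' " < > % ; are all acceptable.
function passwordIsValid(string $password): bool
{
    return strlen($password) >= 8;
}

// Registration: store a salted, slow hash, never the password itself.
function storeUser(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, pass_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// Step 2: look the user up with a bound parameter (no string building, so the
// username cannot alter the query), then compare against the stored hash.
// Unknown user and wrong password both return false, so the error does not
// reveal which one it was.
function login(PDO $db, string $username, string $password): bool
{
    if (!usernameIsValid($username) || !passwordIsValid($password)) {
        return false;
    }
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// Self-contained run (assumption: the pdo_sqlite extension is available).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');
storeUser($db, 'waqas_punjabian', "p@ss'w\"rd<>%;--");
var_dump(login($db, 'waqas_punjabian', "p@ss'w\"rd<>%;--"));
var_dump(login($db, "x' OR '1'='1", 'anything'));
```

The second login call is rejected by the username check before any query runs, and even if it reached the database the bound parameter would be compared as a literal string.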

Posted: Fri Dec 14, 2007 10:32 am
by John Cartwright
Chalks wrote: Another step I took was adding the username to the password before I hashed it. That way there was no way anyone could have the same password as anyone else. Maybe not a step that was needed, but I like it. :)
Just so you know, that does not add any entropy or benefit, therefore pointless :)

Posted: Fri Dec 14, 2007 11:09 am
by Mordred
Jcart wrote:
Chalks wrote: Another step I took was adding the username to the password before I hashed it. That way there was no way anyone could have the same password as anyone else. Maybe not a step that was needed, but I like it. :)
Just so you know, that does not add any entropy or benefit, therefore pointless :)
I beg to differ: combined with a site-wide salt, this is a good enough measure against offline attacks on leaked login credentials.

Posted: Fri Dec 14, 2007 11:20 am
by John Cartwright
Okay, it has the potential to increase its entropy. Typically usernames and passwords are very simple, and typically do not involve special chars, etc. If your salt is weak, then so is your hash entropy. Is that what you meant?

Posted: Fri Dec 14, 2007 11:38 am
by Chalks
The only reason I did it was because I figured that if user IDontUnderstandSecurity had the password 12345 and the user NeitherDoI had the password 12345, someone who managed to get ahold of the database wouldn't be able to see those who had the same password hash, as they would _all_ be unique.
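What Chalks's username-in-the-hash does and does not buy, as an added example that is not code from the thread: with a site-wide salt (Mordred's addition) two users with the same password no longer share a digest in the table, but the password itself gains no entropy (John's point). The site salt, user names and passwords are constructed values.

```php
<?php
// Added example (not from the thread): effect of hashing username + password
// with a site-wide salt, using the thread's sha256 choice. SITE_SALT is a
// constructed value standing in for a per-deployment secret.
declare(strict_types=1);

const SITE_SALT = 'constructed-site-wide-salt';

// Plain hash: identical passwords give identical digests, so anyone holding a
// copy of the table can see at a glance which accounts share a password.
function plainHash(string $password): string
{
    return hash('sha256', $password);
}

// Chalks's variant plus Mordred's site-wide salt: the username makes the
// digest per-user, so equal passwords no longer collide in the table and a
// precomputed table of bare sha256 digests does not apply. It adds no
// entropy to the password itself: a guess still costs one sha256 call per
// user, which is why a slow hash with a random per-user salt such as
// password_hash() is the usual recommendation.
function userSaltedHash(string $username, string $password): string
{
    return hash('sha256', SITE_SALT . $username . $password);
}

// Returns true when every user's digest is distinct.
function digestsAreDistinct(array $digests): bool
{
    return count(array_unique($digests)) === count($digests);
}

// Constructed users from Chalks's post: same password, different names.
$users = ['IDontUnderstandSecurity' => '12345', 'NeitherDoI' => '12345'];

$plain  = array_map('plainHash', $users);
$salted = array_map('userSaltedHash', array_keys($users), array_values($users));

var_dump(digestsAreDistinct($plain));   // identical passwords are visible
var_dump(digestsAreDistinct($salted));  // no longer visible
```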

Posted: Fri Dec 14, 2007 12:20 pm
by waqas_punjabian
Thanks to everybody here,

and thanks to Chalks.

I got your points, and I am already taking care of most of them. The thing I want to ask is: is there any other way that can be a cause of hacking? Like, I have used $_SESSION['variable'] to store some data, and I am using $_POST instead of GET, so I am not sure which things I can restrict in my program if a hacker attacks.

For example,

>> A hacker can insert invalid characters (%*$#'><= etc.). I will use mysql_real_escape_string() to make it safer.

Now, is there some other way as well that a hacker can use to attack a website, and how can I make it more secure?
Which things must I take care of: sessions, files, post variables, DB, or what?

I made a website a year ago; I was not that experienced then, so hackers used to attack my website and insert dirty records in the DB :cry:.

Now I am still confused about one thing: how can a person know the information of our database server, its username, password and database name? Whereas it was only me who knew such information. Can a person get into our FTP and access our information files? How can we get rid of this kind of thing?

thanks,
Waqas