Removing non A-Z, integers from Usernames

[Polkin]

I am starting to build my own game and I am looking to remove the possibility of no letters to be used in the username portion.  IE, remove the ability for someone to drop my SQL DB. 

<?php      } else {
            $query = sprintf("INSERT INTO users(username,password) VALUES ('%s','%s');",
               mysql_real_escape_string($_POST['username']),
               mysql_real_escape_string(md5($password)));
            mysql_query($query);
         ?>

This is the coding I am using (Page 2 of the how-to)

I searched around for a previous thread but did not find anything. 

Thanks!

[Chris]

http://php.net/manual/en/function.preg-match.php

As for DB security enable MagicQuotes, use mysql_real_escape_string for strings and convert all numbers into numbers.

[Polkin]

Thanks a lot for the quick response.  I will go through this and post back if I have any troubles.

[Nox]

Don't enable magic_quotes, reasons listed here: http://en.wikipedia.org/wiki/Magic_quotes (plus probably coding habits)
Devs themselves made a decision to remove it in the next version
Besides the "addslashes" function is kinda useless
http://translate.google.com/translate?u=http%3A%2F%2Fphpfashion.com%2Fescapovani-definitivni-prirucka&ie=UTF8&sl=cs&tl=en

[JGadrow]

If you really want to "hardcore" prevent SQL injection, look into using the mysqli extension (instead of just plain mysql) and use prepared statements. In this method, you can allow your users to enter whatever password they wish and your system should not be affected by it.

I really hate when I have to reduce the security of my passwords (thereby making it easier to hack my account) simply because some developer couldn't figure out a proper way to sanitize it.

Here's a webcomic that I always find hillarious when talking about input sanitizing. I should totally do this with my next kid! lol

[Chris]

And it is going to start again, the magic_quotes argument My fault this time, feel guilty
Anyway, MCs are very good and you will appreciate them the day when you forget this one tiny little  mysql_real_escape_string in one place in your code. Sure, not perfect, but still better than nothing (and one day you might be sleepy and forget to put the proper protection).
Nevermind, I won't convince anyone anyway...

[JGadrow]

Nevermind, I won't convince anyone anyway...

Well, when the developers of PHP are saying not to use it, I would think you should be convincing yourself that magic_quotes = Microsoft = evil.

This feature is officially deprecated as of PHP 5.3.0, and removed in PHP 6 due to security concerns.

Hope your code doesn't rely on it when you switch to PHP 6.

[Chris]

Nevermind, I won't convince anyone anyway...

Well, when the developers of PHP are saying not to use it, I would think you should be convincing yourself that magic_quotes = Microsoft = evil.

But Microsoft is not evil, I love them! For example their awesome IE, it is so buggy that most competitors dropped support on it and I'm getting quite a huge share of the old IE6 market because there are not many games anymore that support it and Windows users do not know how to upgrade it. Or their Windows server (laggy and unsecure) or the inceredible ASP (that fooled some young ones to use it instead of something normal, and they clould turn into dangerous competitors otherwise). I owe them getting rid of a substantial number of potencial competitors, I wish them a long and massive production of their buggy software

This feature is officially deprecated as of PHP 5.3.0, and removed in PHP 6 due to security concerns.

Hope your code doesn't rely on it when you switch to PHP 6.

Well... I don't know how to say it... I still use PHP4

[JGadrow]

Not me... I can't wait until a majority of platforms switch over to 5.3 and 6 later on. Better unicode support, namespaces, and FINALLY I get to stop doing:

Code: [Select]

require (dirname (__FILE__) . '/' . $whatever_I_really_want_here);
instead, it's a little nicer:

Code: [Select]

require (__DIR__ . '/' . $whatever_I_really_want_here);
Personally, I think that an include should ALWAYS be relative to the file the include directive is written in. But that's just me and my crazy logic.

[codestryke]

Ok first of the question at hand, for user names and passwords I use the following code:

if( !preg_match("/^[\\w-_]*[\\w-_]$/", $login_name ) ) {
    header("location: password.php");
    exit;
}

This will only allow alpha, numeric and - _

I still run all my queries though the XCDB or ADODB databases classes that sanitize the query string but you can never be to cautious Plus I don't like really funky quasi graphical names in my games.

If I were at the level you are now I would look at creating a function that automatically cleans SQL statements. Typing out queries like the one you posted gets real old real fast, we have the technology lets us it Plus as things change down the road it's easier to rewrite one function for all your mySQL queries.

or the inceredible ASP (that fooled some young ones to use it instead of something normal, and they clould turn into dangerous competitors otherwise).

Being that I was in the beta group for ASP (when it was code named Delphi) I take a bit of offense to this statement and shows me how very little you know of the subject. For your education ASP was first out the gate, before ASP there was ISAPI (MSs first attempt at dynamic page), PERL or a compiled language, there was NO PHP to chose from. In fact PHP was created because of ASP! Even when PHP did finally come out it was pathetic compared to ASP because it was missing the second half of the equation which was storage! When ASP came out, it came out the gate with connectivity to both Access and/or MSSQL, both mature relational databases, mySQL finally added INNODB with relational capabilities. Even to this day myISAM isn't a true relational database as you have to write code for something the database should be doing which is enforcing referential integrity!

I moved away from ASP for the simple fact that at the time Windows based servers required twice the investment as a Linux server. Microsoft servers are both memory and processor hungry because they are going after big business, for the hobbyist like myself, the hardware investment was just to much. So I ended up picking up PHP which was nice, but the database access was pathetic, it was like working with (and still does at times) FoxPro or Paradox back in the day.

So long story short dynamic web developers picked up ASP first because there was no PHP!!!!

[Harkins]

So long story short dynamic web developers picked up ASP first because there was no PHP!!!!

I picked up Perl first... *shudder*

[dbest]

How about ctype_alnum($inputstring)?
No need to worry about regular expressions.

[Chris]

Being that I was in the beta group for ASP (when it was code named Delphi) I take a bit of offense to this statement

Sigh... What is past is past, who cares. Maybe ASP was great, maybe still is, maybe even today there is no better language than ASP. It does not matter. To use ASP you need to use Windows. Do you want to switch to Windows server?

But don't take my words alone, there is a quote from a respected member of this forum, read what he said about the topic

Microsoft servers are both memory and processor hungry because they are going after big business

[Polkin]

Ok first of the question at hand, for user names and passwords I use the following code:

if( !preg_match("/^[\\w-_]*[\\w-_]$/", $login_name ) ) {
    header("location: password.php");
    exit;
}

This will only allow alpha, numeric and - _

I still run all my queries though the XCDB or ADODB databases classes that sanitize the query string but you can never be to cautious Plus I don't like really funky quasi graphical names in my games.

If I were at the level you are now I would look at creating a function that automatically cleans SQL statements. Typing out queries like the one you posted gets real old real fast, we have the technology lets us it Plus as things change down the road it's easier to rewrite one function for all your mySQL queries.

Thanks for this info.  I am still reading a lot and trying to get a handle on a lot of it.  I am pretty versed in HTML and CSS but never took the time to learn the PHP outside of installing Joomla

[JGadrow]

Joomla eh? How deep into it are you? lol I've dealt with a few people regarding Joomla (despite having ZERO experience with Joomla) and they've all decided to utilize Drupal instead. I did mess around a little with Joomla for a friend of mine and I have to agree that the interface is horrid and not-at-all user-friendly. Not that I'm really a huge fan of Drupal either (um, how about giving me the ability in core to set one database server for reads and another for writes... <sarcasm>thanks Drupal!</sarcasm>).

But, the position that I currently hold was made possible because <nda protected> decided they didn't like Joomla so they hired <nda protected> to make them a new site. They decided on Drupal because they wanted an open-source solution. Unfortunately, <nda protected> didn't have any Drupal developers so they hired me because when I worked for <nda protected> they required me to learn Drupal.

I really wonder why these companies are so adverse to having you state that you provide them service. lol And is it, technically, a violation of my NDA agreements when I put them on my resume? lol Oh the realms my mind wanders to when I go off-topic.

So, back on topic: the post above by dbest is also good if you want to limit to alpha-numeric characters. It'll just make me roll my eyes when I sign up and have to enter only letters and numbers for my password (giving only a total of 36 character possibilities for anyone trying to crack rather than, literally, thousands).

[Chris]

But, the position that I currently hold was made possible because <nda protected> decided they didn't like Joomla so they hired <nda protected> to make them a new site. They decided on Drupal because they wanted an open-source solution. Unfortunately, <nda protected> didn't have any Drupal developers so they hired me because when I worked for <nda protected> they required me to learn Drupal.

LOL, JGadrow,  do you work as a secret agent or as a programmer?

[JGadrow]

I always seem to find work for large-scale corporations who are afraid at any moment that I'm going to betray a vital detail of their organization and their entire house of cards is going to come crasing down.

Can't wait until this project is done so I can get to some work that is easier to stand back and say, "I'm proud of this!"

[Polkin]

Joomla eh? How deep into it are you? lol I've dealt with a few people regarding Joomla (despite having ZERO experience with Joomla) and they've all decided to utilize Drupal instead. I did mess around a little with Joomla for a friend of mine and I have to agree that the interface is horrid and not-at-all user-friendly. Not that I'm really a huge fan of Drupal either (um, how about giving me the ability in core to set one database server for reads and another for writes... <sarcasm>thanks Drupal!</sarcasm>).

But, the position that I currently hold was made possible because <nda protected> decided they didn't like Joomla so they hired <nda protected> to make them a new site. They decided on Drupal because they wanted an open-source solution. Unfortunately, <nda protected> didn't have any Drupal developers so they hired me because when I worked for <nda protected> they required me to learn Drupal.

I really wonder why these companies are so adverse to having you state that you provide them service. lol And is it, technically, a violation of my NDA agreements when I put them on my resume? lol Oh the realms my mind wanders to when I go off-topic.

So, back on topic: the post above by dbest is also good if you want to limit to alpha-numeric characters. It'll just make me roll my eyes when I sign up and have to enter only letters and numbers for my password (giving only a total of 36 character possibilities for anyone trying to crack rather than, literally, thousands).

I have used a few other CM but Joomla was simple because it is so widely used and well supported.  The ability to learn that and then apply/edit simple CSS and themes makes it very simple to apply it to any webpage. 

So far I have been successful on the tutorial to build a registration page with e-mail confirmation! 

However, the buildingbrowsergames.com web server appears to be out of commission. 

[FrankBro]

This website has nice exemples of preg_match usage:

http://komunitasweb.com/2009/03/10-practical-php-regular-expression-recipes/