
To reduce an attacker's possibilities, is it worth having only alphanumeric values inside the table? For example, on the username and password inputs of a registration form, apply the following:

    preg_replace("/[^A-Za-z0-9 ]/", '', $input);

And of course, perform the same each time before login?

Alegro

  • You don't need to cripple your application, you just need to escape for the right context. [HTML](http://php.net/manual/en/function.htmlspecialchars.php), XML, [MySQL](http://php.net/manual/en/pdo.prepared-statements.php), SMTP, CSV, etc. all need their own types of character escaping. – Xeoncross Jan 15 '13 at 14:58
  • As a rule of thumb: Escape data, don't discard it. – Quentin Jan 15 '13 at 14:59

2 Answers

By removing any characters you're actually weakening security.

There is absolutely no point in removing any characters, while some non-alphanumeric characters are required in passwords for better security.

See my other answer on the "illegal" characters topic: https://stackoverflow.com/a/2995163/285587

Your Common Sense
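As an added example (not code from the question or from either answer), here is what the registration and login flow from the question looks like when the input is kept exactly as typed and protected per context instead: PDO prepared statements for the database, password_hash() for the password. It assumes the pdo_sqlite extension so that it runs offline against an in-memory database; the function names and the sample credentials are illustrative.

```php
<?php
// Added example: registration and login that keep every character the user
// typed. Storage is protected by PDO prepared statements, the password by
// password_hash(); nothing is stripped. Assumes pdo_sqlite is available.

declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    password_hash TEXT NOT NULL
)');

function registerUser(PDO $db, string $username, string $password): void
{
    // Bound parameters: the driver sends the value separately from the SQL
    // text, so quotes, semicolons or comment markers in $username are data.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([
        ':u' => $username,
        ':h' => password_hash($password, PASSWORD_DEFAULT), // hash keeps all characters
    ]);
}

function loginUser(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn(); // false when no such user
    return $hash !== false && password_verify($password, $hash);
}

// Constructed sample input containing the characters the question's regex would strip.
$username = "o'reilly; -- <b>";
$password = 'Tr0ub4dor&3!';

registerUser($db, $username, $password);

// The username round-trips through the database unchanged.
$stored = $db->query('SELECT username FROM users')->fetchColumn();
var_dump($stored === $username);

// Correct credentials succeed; a wrong password or a different username fails.
var_dump(loginUser($db, $username, $password));
var_dump(loginUser($db, $username, 'Tr0ub4dor3'));
var_dump(loginUser($db, "o'reilly", $password));

// What the question's filter does to the same password: two distinct passwords
// collapse to one stored value, so the filter removes entropy rather than risk.
$strip = fn(string $s): string => preg_replace('/[^A-Za-z0-9 ]/', '', $s);
var_dump($strip('Tr0ub4dor&3!') === $strip('Tr0ub4dor3'));
```

Run it with `php example.php`. The stored username compares equal to the original, the first login succeeds, the two wrong logins fail, and the final comparison shows the stripped versions of the two different passwords are identical, which is the point the answer above makes about weakening security.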

We can use other means like PHP prepared statements to guard against possible SQL injection. However, we must also be sure that arbitrary user input is not returned back to the server for display; otherwise script injection is possible. While the latter is avoidable if designing the system from scratch, it may be difficult to patch something that was written without care a long time ago.

Hence, if some user-supplied database strings may return back to the browser, in some cases it may make sense to use some filtering in order to guard against JavaScript injection.

Audrius Meškauskas

  • Audrius, thanks. It seems everything finishes on prepared statements :) – Alegro Jan 15 '13 at 15:14
  • Imagine a malicious user puts JavaScript into his changeable signature in the forum. This script will run on every browser that displays the signature - but this is only half of the problem. Worst of all, the script may run authenticated and under the rights of the current user, probably an administrator. As a result, it is dangerous to pass the user input through the database and back as browser HTML. – Audrius Meškauskas Jan 15 '13 at 15:14
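The forum-signature scenario from the comment above, as an added example that is not part of the answer or comment: the signature is stored as typed and escaped at output, once per context it is placed into, which is the "escape for the right context" advice from the question's comments. The sample signature is constructed, and the function names are illustrative.

```php
<?php
// Added example: rendering a user-editable forum signature. The stored value is
// untouched; escaping happens at output, once per context the value lands in.

declare(strict_types=1);

// Constructed sample: a signature as a hostile user might save it.
$signature = '<script>alert(document.cookie)</script> & "quoted" text';

// Vulnerable: the stored string is pasted straight into the page, so the
// <script> element runs in every visitor's browser with that visitor's session.
function renderSignatureUnsafe(string $sig): string
{
    return "<div class=\"sig\">$sig</div>";
}

// HTML escaping: <, >, &, " and ' become entities, so the browser shows the
// script tag as text instead of executing it. ENT_SUBSTITUTE avoids returning
// an empty string on invalid UTF-8, which would otherwise hide the problem.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// HTML body context.
function renderSignature(string $sig): string
{
    return '<div class="sig">' . e($sig) . '</div>';
}

// Attribute context: same escaping, and the attribute must be quoted so a space
// in the value cannot start a new attribute.
function renderSignatureAttribute(string $sig): string
{
    return '<span data-sig="' . e($sig) . '" title="' . e($sig) . '"></span>';
}

// JavaScript context: json_encode with the JSON_HEX_* flags encodes <, >, &
// and quotes as \uXXXX escapes, so the value can neither close the <script>
// block nor break out of the string literal.
function renderSignatureForScript(string $sig): string
{
    $json = json_encode(
        $sig,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return "<script>var sig = $json;</script>";
}

echo renderSignatureUnsafe($signature), PHP_EOL;
echo renderSignature($signature), PHP_EOL;
echo renderSignatureAttribute($signature), PHP_EOL;
echo renderSignatureForScript($signature), PHP_EOL;

// Self-check: the escaped body output contains no raw tag from the input.
var_dump(str_contains(renderSignature($signature), '<script'));
```

Run with `php example.php` (PHP 8 for `str_contains`). Only the first echo line contains a live `<script>` element; the three escaped renderings show the same signature as inert text, attribute value and JavaScript string respectively, and the final check reports `false`. Note that this is output escaping, not the input filtering the answer mentions: the database keeps the original string, so the same value can still be emitted safely into a CSV export or an e-mail with that format's own escaping.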