
I have found a PHP preg_match for A-Z, a-z, 0-9, _, -, and one space. I am using it for username validation on my website. I will redirect if the preg_match is "not secure enough". I think the only character I need to worry about is the _ (underscore) from what I am reading up on. Does anyone know any SQL injection code I can run and test if this case is vulnerable? Or is this code sufficient for what I'm trying to achieve? PS - I will also be using prepared statements since this user input will be going to my database...

```php
// escapes special characters
$username = mysqli_real_escape_string($connection, $username);
// checks to see if characters other than A-Z, a-z, 0-9, " " (white space), - (hyphen), and _ (underscore) are present
if (preg_match('/^[a-zA-Z0-9\040\_\-]+$/i', $username))
{
    echo 'secure';
}
else
{
    echo 'not secure';
}
```
hbennet3
  • `\w` is the equivalent of `[a-zA-Z0-9_]` – i alarmed alien Aug 06 '18 at 22:03
  • *"I will redirect if the preg_match is "not secure enough"."* - What do you mean by "not secure enough"? Are you afraid someone will hack you by using characters recognized as an injection? – Funk Forty Niner Aug 06 '18 at 22:09
  • I deleted my answer; your comment you left under it *"I am doing this strictly for only a username check against my database. My user is allowed to create their own password and I have it using the standard PHP hash and salt functions. But if they input those characters initially I am considering it at malicious and simply them to redirect back out and retype their username again."* doesn't support what you posted here and makes no sense. Voted to close as unclear. – Funk Forty Niner Aug 06 '18 at 22:26
  • "I will also be using prepared statements..." - if you use prepared statements, you don't have to worry about sql injections... – Philipp Aug 06 '18 at 22:26
  • @Philipp okay my user when they create the username is only allowed to use the preg_match I specified up above. Is there still any need for real_escape_string or should I just eliminate this as well? – hbennet3 Aug 06 '18 at 22:35
  • you're still contradicting yourself ^ – Funk Forty Niner Aug 06 '18 at 22:49
  • @FunkFortyNiner so what do you suggest that I do then? – hbennet3 Aug 06 '18 at 22:52
  • use what I wrote in my answer and I'd have to undelete it in order for you to mark the question as answered, because that is what you should be doing instead. – Funk Forty Niner Aug 06 '18 at 22:52
  • Your answer is confusing to me would you care to clarify a few points? I have to check 2 fields within my database "username" and "password" meaning I will need to take these two string inputs into my database which is user input (aka dangerous).... The password verify is what I am already doing to check my password but I have no way of checking if my username is correct. I only hash my password not my usernames so they are stored as plain text. So my question is how do I make password_verify work for usernames if it was never hashed to begin with? @FunkFortyNiner – hbennet3 Aug 06 '18 at 22:58
  • if you're wanting to check if a row matches or rows, then you need to either use `COUNT(col)` or `num_rows()`, if that's what you're asking. As for your *"how do I make password_verify work for usernames if it was never hashed to begin with?"* - You can't. You need to use the former part of my comment here. – Funk Forty Niner Aug 06 '18 at 23:08
  • @FunkFortyNiner lol hold on you are just thinking about my question ahead of what I am doing... I know how to do all this stuff you have mentioned. The reason I am asking this preg_match question is to prevent SQL injection from the user input before I use the input as string input in my prepared statement. I figured since I only wanted certain characters to even exist as potential input I would filter them out before I started checking the database columns of "username" and "password"... – hbennet3 Aug 06 '18 at 23:13
  • you don't need that function; as I said in my answer ;-) both `password_hash()` and `password_verify()` take injection into consideration and no need to escape passwords, it will work against you. A prepared statement is good for user input yes, but not for passwords when using those 2 functions. So I believe I understood your question from the start. – Funk Forty Niner Aug 06 '18 at 23:16
  • @FunkFortyNiner okay from what I am understanding from what you are saying you are telling me to use the functions. In order to use these function I need to hash my username column? – hbennet3 Aug 06 '18 at 23:20
  • why would you hash a username column? it's not worth it, really. But that's up to you but it won't help. See the new answer below, I have nothing else to add here. – Funk Forty Niner Aug 06 '18 at 23:21

1 Answer

Don't limit passwords or check if there are any characters that you think will hack you. preg_match() isn't what you're looking for, believe me.

What you're doing now is by all means, not necessary.

Using password_hash() and password_verify() (along with a prepared statement) will ensure that your database does not get compromised.

Let your users choose their own passwords and use the functions from the manuals on PHP.net shown below.

References:

Passwords such as --DELETE 123, '\<br> are considered as being perfectly valid.

Both of those hashing functions are perfectly safe to be used and for any character. Nothing during transit will pose a security risk.

Using mysqli_real_escape_string() will have adverse effects on characters such as \.

I.e.: abc\ will turn into abc\\ with the slash being escaped.

So again, don't use what you're wanting to use now.

Read Cleansing User Passwords (here on Stack Overflow) as it talks about how hashing passwords makes the data safe for storage without having to prepare.

Funk Forty Niner
  • I am doing this strictly for only a username check against my database. My user is allowed to create their own password and I have it using the standard PHP hash and salt functions. But if they input those characters initially I am considering it at malicious and simply them to redirect back out and retype their username again. – hbennet3 Aug 06 '18 at 22:22
  • @hbennet3 I don't get what you're asking, sorry. I submitted this on what you posted. – Funk Forty Niner Aug 06 '18 at 22:23
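A working version of what the answer recommends, written as an added example that is neither the question's nor the answer's code: it uses PDO with an in-memory SQLite database in place of mysqli/MySQL, keeps the question's character check purely as a format rule, relies on bound parameters and password_hash()/password_verify() for safety, and shows why escaping a password before hashing breaks later verification. The table and column names, the use of addslashes() as a stand-in for mysqli_real_escape_string() (which needs a live connection), and the sample accounts are assumptions.

```php
<?php
declare(strict_types=1);

function validUsername(string $u): bool {
    // Format rule only: same character set as the question's regex plus a length bound.
    // This is a usability/consistency check, not what protects the query.
    return (bool) preg_match('/^[a-zA-Z0-9 _-]{1,32}$/', $u);
}

function register(PDO $db, string $username, string $password): bool {
    if (!validUsername($username)) {
        return false;
    }
    // Hash the raw password; never escape or otherwise alter it first.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    return $stmt->execute([$username, $hash]);
}

function login(PDO $db, string $username, string $password): bool {
    // Bound parameter: the username travels as data, never as SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// Assumed schema (SQLite in memory so the script runs offline).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Constructed sample accounts; the second password is the one quoted in the answer.
register($db, 'alice', 'correct horse');
register($db, 'bob', "--DELETE 123, '\\<br>");

var_dump(login($db, 'alice', 'correct horse'));       // genuine credentials
var_dump(login($db, 'bob', "--DELETE 123, '\\<br>"));   // odd characters in a password are fine
var_dump(login($db, "alice' OR '1'='1", 'anything'));  // injection text is just a username that matches no row
var_dump(register($db, 'eve;drop', 'x'));             // rejected by the format rule alone

// Escaping before hashing: addslashes() turns abc\ into abc\\ (as the answer describes for
// mysqli_real_escape_string), so the password the user actually typed no longer verifies.
$brokenHash = password_hash(addslashes('abc\\'), PASSWORD_DEFAULT);
var_dump(password_verify('abc\\', $brokenHash));
```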