[Webinar] Streamline your web hosting managementRegister Today


PHP Allowing safe non-alphanumeric characters

Posted on 2008-02-06
Medium Priority
Last Modified: 2013-12-12
I am still trying to make sense of PHP regular expressions.

My first half of the question is a bit of a security one.
My second is more syntactical.

I want to allow users to have some of the symbols such as (!, *, #, %) in there passwords for better security.  I wont be writing these passwords directly to the DB, they will be stored in alpha-numeric MD5 so I'm not to worried about the back-end queries.

Is it wise to allow some non-alphanumeric field input (PHP, MySQL environment)?
If so, what characters are safe?

Second question is about my attached code,
I chose some symbols to allow and am detecting invalid input.  I am not to confident in my abilities with regular expressions so; "how does it look?"
function validate_password($password) {
	$allowed_char_pattern = "[^-A-Za-z0-9!.#%&$*_]";
	// =============================================================================================
	$clean_string = ereg_replace( $allowed_char_pattern, "", $password );
	if(!strcmp($password, $clean_string))
		{return true;}
	return false;

Open in new window

Question by:gambit_642
  • 2
  • 2
LVL 48

Accepted Solution

hernst42 earned 750 total points
ID: 20835942
> If so, what characters are safe?
all if you deal correctly with user input. If you add user-input to the database always use mysql_real_escape_string to quote the string correctly for the database.
If you redisplay the user-input make sure to also escape that output correctly with htmlenties.

I prefer preg-functions:
function validate_password($password)
        $allowed_char_pattern = "/[^-A-Za-z0-9!.#%&$*_]/";
        //      END CONFIG
        // =============================================================================================
        $clean_string = preg_replace( $allowed_char_pattern, "", $password );
        if ($password !== $clean_string) {
                return false;
        return true;

Open in new window


Author Comment

ID: 20836434
Will that handle SQL keywords like "select", "insert", "update"?
LVL 48

Expert Comment

ID: 20844312
Yes mysql_real_escape_string also deas correctly with SQL-Tokens if the are declared within a string

Author Closing Comment

ID: 31428658

Featured Post

The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Containers like Docker and Rocket are getting more popular every day. In my conversations with customers, they consistently ask what containers are and how they can use them in their environment. If you’re as curious as most people, read on. . .
In this article, I’ll talk about multi-threaded slave statistics printed in MySQL error log file.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …
Suggested Courses

608 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question