Thomas Goirand <[email protected]> writes:
> Ansgar Burchardt wrote:
>> DTC only allows the use of alphanumeric characters in passwords. It
>> also limits passwords to a maximum length of 16 characters. These
>> limitations do prevent the use of strong passwords that include special
>> characters like "!$.,;:".
>
> The control over the password function is made as follows:
>
> function isDTCPassword($pass){
>     // Accept only 4 to 16 alphanumeric characters.
>     // PCRE version of the check; ereg() was removed in PHP 7.
>     $reg = '/^[a-zA-Z0-9]{4,16}$/';
>     if(!preg_match($reg, $pass)) return false;
>     else return true;
> }
>
> This should be a password that is MySQL safe, because no further testing
> is made on it. E.g., no single quote or things like this that could
> interfere with a MySQL query. If you mind providing a new regular
> expression, I will commit the change.
There are two easy things to do:

a) just save a (salted) hash of the password (for the same reasons that
/etc/shadow only saves hashes of passwords), and

b) use parameter binding for SQL statements so that one does not have to
worry about escaping anything at all. I believe even PHP supports this
for several years now.

Regards,
Ansgar
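The two points above (store only a salted hash, and bind parameters instead of escaping) together remove the reason for restricting the password character set at all, which is what the quoted isDTCPassword() check was trying to achieve. The following is an added example written for this thread; it is not DTC's code. It assumes a `users` table with `login` and `pass_hash` columns, uses an in-memory SQLite database through PDO in place of MySQL, and replaces the alphanumeric regex with a length-only check (the function names and the sample user are invented for the example):

```php
<?php
declare(strict_types=1);

// Hypothetical replacement for isDTCPassword(): enforce only a length
// bound. The character set no longer needs restricting, because the
// password is never interpolated into SQL and only its hash is stored.
function isAcceptablePassword(string $pass): bool
{
    $len = strlen($pass);
    return $len >= 8 && $len <= 128;
}

// In-memory SQLite stands in for the MySQL database; the table layout is
// an assumption made for this example.
function openDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (login TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');
    return $db;
}

function createUser(PDO $db, string $login, string $pass): void
{
    if (!isAcceptablePassword($pass)) {
        throw new InvalidArgumentException('password length out of range');
    }

    // password_hash() generates a random salt and embeds it in the
    // returned string together with the algorithm and cost parameters;
    // the clear-text password is never written to the database.
    $hash = password_hash($pass, PASSWORD_DEFAULT);

    // Parameter binding: the SQL text is sent separately from the values,
    // so quotes or other special characters in $login or $hash are inert
    // and no escaping code is needed.
    $stmt = $db->prepare('INSERT INTO users (login, pass_hash) VALUES (:login, :hash)');
    $stmt->execute([':login' => $login, ':hash' => $hash]);
}

function checkLogin(PDO $db, string $login, string $pass): bool
{
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    // password_verify() re-derives the hash using the salt stored in
    // $row['pass_hash'] and compares in constant time.
    return password_verify($pass, $row['pass_hash']);
}

// Constructed sample data: a password containing the characters the
// original regex rejected, including a single quote.
$db = openDatabase();
createUser($db, 'alice', "c0rrect horse;battery:staple!$'");
var_dump(checkLogin($db, 'alice', "c0rrect horse;battery:staple!$'"));
var_dump(checkLogin($db, 'alice', 'wrong password'));
```

Two things worth noting when adapting this: PDO's prepare/execute pair works the same way against MySQL (swap the DSN), and password_hash()/password_verify() exist since PHP 5.5; on older PHP the same design holds with crypt() and a per-user random salt, which is what /etc/shadow does.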

