Glese Posted December 9, 2011

I tried to use ctype_alnum as input validation for the name and the password, so that only letters and numbers are allowed with no spaces. If I use ctype_alnum only with the nickname, then the nickname will not get entered properly into the database, it will get entered as "1" into the database. And the password does not make it past the elseif statement:

    // check password char length
    } elseif (strlen($password) > 25 || strlen($password) < 6) {

Here's the script:

    <?php
    /* REGISTER FORM */

    // check if submit button has been clicked
    if (isset($_POST['submit_signup'])) {

        // process and assign variables after post submit button has been clicked
        $user_email = strip_tags($_POST['email']);
        $user_email = filter_var($user_email, FILTER_VALIDATE_EMAIL);
        $nickname   = ctype_alnum(strip_tags($_POST['nickname']));
        $password   = ctype_alnum($_POST['password']);
        $repassword = ctype_alnum($_POST['repassword']);
        $month = $_REQUEST['month'];
        $day   = $_REQUEST['day'];
        $year  = $_REQUEST['year'];
        $dob   = $year . "-" . $month . "-" . $day;
        $find_us_question = strip_tags(trim($_POST['find_us_question']));

        // connect to database
        $dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
        $check_query   = "SELECT * FROM user WHERE nickname = '$nickname'";
        $check_connect = mysqli_query($dbc, $check_query) or die(mysqli_error($dbc));
        $check_count   = mysqli_num_rows($check_connect);

        // check if the email exists twice
        $query_get = "SELECT email FROM user WHERE email = '$user_email'";
        $query_run = mysqli_query($dbc, $query_get);
        $num_rows  = mysqli_num_rows($query_run);

        if (!$nickname) {
            echo 'Please do fill out the name in letters and numbers only, without spaces and special characters.';
        } elseif (!$password || !$repassword) {
            echo 'Please choose a password which consists of letters and numbers only, without spaces and special characters.';
        // check if username is already taken
        } elseif ($check_count != 0) {
            echo "Username already exists!";
        } elseif ($num_rows != 0) {
            echo "This email address is already registered in the database, you can not register it twice.";
        // check if fields are empty
        } elseif (empty($user_email) || empty($nickname) || empty($password) || empty($day) || empty($month) || empty($year)) {
            echo "Please fill out all the fields!";
        // check char length of input data
        } elseif (strlen($nickname) > 30 || strlen($user_email) > 50) {
            echo "Maximum allowed character length for nickname/firstname/lastname are 30 characters!";
        // check password char length
        } elseif (strlen($password) > 25 || strlen($password) < 6) {
            echo "Your password must be between 6 and 25 characters!";
        // check if passwords match with each other
        } elseif ($password != $repassword) {
            echo "Please make sure your passwords are matching!";
        } else {
            // encrypt password
            $password = sha1($password);
            // generate random number for activation process
            $random = rand(1212121212, 9854241752);
            // write into database
            // (insert query not included in the post)
        }
    }

Any ideas why I am getting these problems with ctype_alnum()?
xyph Posted December 9, 2011

You need to use the manual for these types of problems. ctype_alnum will return boolean true/false, not a 'stripped' version of the input string. You use ctype_alnum in a conditional statement, not in a definition statement.
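To make xyph's point concrete, here is an added example (not the poster's script) of ctype_alnum() used as the condition of a validation function, followed by a reproduction of the "1" symptom; the function name validate_nickname and the sample inputs are my own.

```php
<?php
// Added example, not code from the thread. ctype_alnum() is a test, not a filter:
// it returns bool, so "$nickname = ctype_alnum(...)" stores true, which PHP and
// MySQL stringify as "1". That is the "1" the original post saw in the database.

function validate_nickname(string $raw): array
{
    // Returns [value, errors]; value is null when validation fails.
    $nick   = trim($raw);
    $errors = [];
    if ($nick === '') {
        $errors[] = 'Nickname is required.';
    } elseif (!ctype_alnum($nick)) {          // used as a condition, as xyph says
        $errors[] = 'Nickname may contain only letters and numbers, without spaces.';
    } elseif (strlen($nick) > 30) {
        $errors[] = 'Nickname may be at most 30 characters.';
    }
    return [$errors ? null : $nick, $errors];
}

// Constructed sample inputs: valid, space, punctuation, empty, too long.
$samples = ['Glese42', 'Gl ese', 'Glese!', '', str_repeat('a', 31)];
foreach ($samples as $sample) {
    [$value, $errors] = validate_nickname($sample);
    printf("%-36s => %s\n", var_export($sample, true),
        $value === null ? implode(' ', $errors) : "OK: $value");
}

// The original bug, reproduced: the boolean is stored, not the string.
$buggy = ctype_alnum('Glese42');
var_dump($buggy);                            // bool(true)
echo "Interpolated into SQL: '$buggy'\n";    // Interpolated into SQL: '1'

// Caveat: ctype_* results depend on the current locale for bytes above 0x7F.
// For a strict ASCII rule, preg_match('/^[A-Za-z0-9]+$/', $nick) === 1 is
// equivalent and locale-independent.
```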
requinix Posted December 9, 2011

Why do you care what the password consists of? Your restrictions are making the passwords weaker.
Glese Posted December 10, 2011 (Author)

xyph, thanks. requinix, this is my first application and I try to keep it simple. I would like to allow certain special characters, but I also do not want to allow all of them, because the input field also can be used for SQL injections. Though allowing numbers, letters, and certain special characters I do not know how to do yet, so I'll put it off for later and keep it simple for now by simply allowing letters and numbers, which is good enough in my opinion; the next step for me would be to make it case-sensitive as well.
Pikachu2000 Posted December 10, 2011

In a password, you should allow all characters. There's no reason not to.
Glese Posted December 10, 2011 (Author)

> In a password, you should allow all characters. There's no reason not to.

When I wrote all characters I meant all characters of UTF-8, which you for example can also find in the Windows character map; why would you allow those? Makes no sense to me. So how would I be able to allow letters, numbers, and all characters of the keyboard in the input field, and also case-sensitive at best, since there is no ctype function for that? That's why I am asking; excuse the novice question, I am a newcomer.
Pikachu2000 Posted December 10, 2011

Why wouldn't you allow all characters? The larger the set of possible characters in a password, the more secure it is. It doesn't matter if the password is "&''0x001*'UNION ALL';;;;%)($$$", because once it's hashed it's nothing but a hexadecimal number anyhow.

*Keep in mind, this is for the password field, not necessarily any other field.
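As an added example (not from any post in the thread), the password check, the nickname lookup and the insert from the original script, rewritten so that any character is allowed in the password: the value is hashed with password_hash() and bound as a query parameter, so it never reaches the SQL parser. The function names, the password_hash column and the 72-byte cap (bcrypt's input limit, used here in place of the script's 25) are my choices; password_hash() arrived in PHP 5.5, after this thread was written.

```php
<?php
// Added example, not code from the thread. A password may contain any character
// because it is only ever hashed and bound as a query parameter, so it never
// reaches the SQL parser. Assumes a `user` table with columns nickname, email
// and password_hash (the thread's script shows only nickname and email).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);  // failures throw

const MIN_PASSWORD_LEN = 6;   // lower bound from the thread
const MAX_PASSWORD_LEN = 72;  // bcrypt silently ignores bytes beyond the 72nd

function password_problem(string $password): ?string
{
    $len = strlen($password);  // byte length, like the thread's strlen() check
    if ($len < MIN_PASSWORD_LEN || $len > MAX_PASSWORD_LEN) {
        return 'Your password must be between 6 and 72 bytes.';
    }
    return null;  // any characters, any case: nothing else is rejected
}

function nickname_taken(mysqli $dbc, string $nickname): bool
{
    // Bound parameter instead of "... WHERE nickname = '$nickname'".
    $stmt = mysqli_prepare($dbc, 'SELECT 1 FROM user WHERE nickname = ? LIMIT 1');
    mysqli_stmt_bind_param($stmt, 's', $nickname);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_store_result($stmt);
    $taken = mysqli_stmt_num_rows($stmt) > 0;
    mysqli_stmt_close($stmt);
    return $taken;
}

function register_user(mysqli $dbc, string $nickname, string $email, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);  // salted bcrypt, replaces sha1()
    $stmt = mysqli_prepare($dbc,
        'INSERT INTO user (nickname, email, password_hash) VALUES (?, ?, ?)');
    mysqli_stmt_bind_param($stmt, 'sss', $nickname, $email, $hash);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

// Offline demonstration with the password from Pikachu2000's post; no database needed.
$password = '&\'\'0x001*\'UNION ALL\';;;;%)($$$';
var_dump(password_problem($password));        // NULL: 30 bytes, nothing rejected
$hash = password_hash($password, PASSWORD_DEFAULT);
echo $hash, "\n";                              // $2y$10$...: 60 chars incl. salt, not a bare hex digest
var_dump(password_verify($password, $hash));   // bool(true)
var_dump(password_verify('&\'\'0x001*\'union all\';;;;%)($$$', $hash)); // bool(false): case-sensitive
```

The hash is a salted bcrypt string rather than the bare hexadecimal digest sha1() produces, and the verify call at the end shows the case-sensitivity the original poster wanted comes for free once the raw string is hashed.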
xyph Posted December 10, 2011

I don't think this is for a production environment, more educational. Keep up what you're doing, but also keep in mind what was said here. When you're ready to move into production, there's a LOT to know before taking someone's sensitive information and storing it. Generally, it's best left to those who focus on security. There's a great article in my signature, when you're ready for it.