in reply to Re: Re: Taint checks on passwords?
in thread Taint checks on passwords?
Most systems implement passwords that only allow letters and numbers. In this case, a decent taint check would be:
use Carp;
# capture the whole string (note the +; without it only a single character matches)
my ($checked) = $submitted =~ m/^([a-zA-Z0-9]+)$/;
if (!defined $checked) { croak "Invalid name or password.\n" }
Almost right.
Most systems allow users to enter passwords that match
/^([a-zA-Z_0-9\(\)\[\]\{\}\+\=\-\\\/\*]{$MinPwLen,$MaxPwLen})$/
I would use something like this to untaint a password.
Where:
$MinPwLen is the minimal password size in chars.
$MaxPwLen is the maximal password size in chars (if any maximum is needed).
Note: Don't forget to document and tell your users about what characters are valid to compose a password. This is very important.
Note 2: Keep this kind of information away from evil internet script kiddies; they can use it to narrow a dictionary-like attack and break into your system faster.
May the gods bless you
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Just Another Perl Monk
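As an added, runnable illustration of the untaint-by-capture idea in the reply above (this is not code from the original post or from any of its authors), the following Perl script wraps the reply's character class in a small function. The names $MinPwLen and $MaxPwLen follow the reply; the length values, the function name untaint_password and the sample inputs are assumptions made for the example. The regex is anchored with \A and \z rather than $, because $ also matches before a trailing newline and would let "password\n" through the check.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Carp;

# Added example, not from the original post. The character set follows the
# reply's regex; the length limits are assumed values for demonstration.
my $MinPwLen = 8;
my $MaxPwLen = 64;

# Returns the untainted password on success, or undef if the input fails
# the check. Because the result comes from a capture group, Perl's taint
# mode (run with: perl -T) treats the returned value as clean.
# \A and \z anchor the whole string; unlike $, \z does not accept a
# trailing newline.
sub untaint_password {
    my ($submitted, $min, $max) = @_;
    $min = $MinPwLen unless defined $min;
    $max = $MaxPwLen unless defined $max;
    return undef unless defined $submitted;
    my ($checked) = $submitted =~ m/\A([a-zA-Z_0-9()\[\]{}+=\-\\\/*]{$min,$max})\z/;
    return $checked;
}

# Constructed sample inputs (not real credentials).
my @samples = (
    "Correct-Horse_42",      # valid: allowed characters, within length
    "short1",                # too short
    "has space in it 12",    # space is not in the allowed set
    "trailing-newline1\n",   # would pass an unanchored or $-anchored check
    "semi;colon-attack1",    # ';' is not allowed
);

for my $pw (@samples) {
    my $ok = untaint_password($pw);
    my $shown = $pw;
    $shown =~ s/\n/\\n/g;
    printf "%-22s => %s\n", $shown, defined $ok ? "accepted" : "rejected";
}

# Typical use inside a login handler: croak on failure, as in the thread.
sub require_password {
    my ($submitted) = @_;
    my $checked = untaint_password($submitted);
    croak "Invalid name or password.\n" unless defined $checked;
    return $checked;
}
```

Run it as `perl -T script.pl` to see taint mode in effect: only the captured value, never the raw $submitted, can then be passed to anything that Perl refuses to do with tainted data.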