MakeWebGames

Putting limits on names that users can sign up with


Daron


Hey, can anyone help me or point me in the right direction to putting limits on my register.php so that I can limit what people can sign up with? I already have this:

if(strlen($_POST['username']) < 3)
{
die("Sorry, the username is too short.<br />
><a href='register.php'>Back</a>");
}

which obviously stops names from being less than 3 characters. Call me a stickler, but is it possible to prevent the following things:

1. Names in all caps

2. Names that are all numbers

3. Symbols such as the @ symbol and both backslashes and forward slashes

And also, in y'all's opinion, what's a good limit on max characters for a name? I hate when people sign up for games with dumb long names like mnomonomnomon, and yes, I've seen a name like that before.


Probably could use some kind of variation of preg_match(). But I don't personally know much about it.

As far as character limit, I've always thought 7 was a good number. Not too long, not too short.


Hello, putting limits on what your users can register with is extremely important.

The first thing I suggest you do is include mysql_real_escape_string to help prevent MySQL injection (a form of hacking). Then I also suggest you strip all usernames to lowercase so that they can be queried; otherwise someone can have a username 'bob' or 'BoB' or 'Bob' and even though they are the same, they are going to be classed as different.

To do this, use:

 

$Username = mysql_real_escape_string(strtolower($_POST['Username']));

 

The second step is to remove all spaces so that someone can't have Bob and B o b.

To do this, use:

 

$Username = preg_replace('/\s+/', '', $Username);

 

Finally, you want to remove all numbers. You would want to use the is_numeric() function such as:

 

if (is_numeric($Username))
{
  die ("That is not allowed");
}

 

Hope this helps!

 

Also, in my opinion I think between 5 and 25 for Usernames and between 6 and 25 for passwords. Admittedly I would normally use a password longer than six but considering you are addressing the public (which has varying views on security) then you need to have a line between security and usability.

Edited by Octet

How do you know he isn't using mres on the variable he will input into the database? Why would you not allow users to have uppercase and lowercase letters? In a mysql query Bob, BoB and BOB would be queried in the same way. Why would you want to remove spaces? I know quite a few games do remove spaces but it's not essential (I know it can cause some issues in some cases). Why would you want to remove numbers from usernames? This makes no sense.


In my opinion, you want to disallow upper and lower case because when you query it such as if ($Username_From_Form == $Username_From_Database) then to query Bob would not be the same as BoB (but this may just be the way I query my usernames to avoid duplication of accounts).

I also suggest the removal of spaces because of the same reason as above, you don't want to have duplicate, or extremely similar accounts.

Thirdly, I wouldn't remove numbers personally, but that is what Daron is asking ('Names that are all numbers').

Also, in response to 'how do you know he isn't using mres on the variable he will input into the database'. You should always slash and sanitize your users' inputs at the soonest possible moment for security, NEVER trust the user.

Edited by Octet

Ahem. You could use a simple mysql_num_rows query to check the users table to see if an account with the desired username already exists, if 0 is the output then obviously it doesn't exist (no need to use all lowercase letters then).

I still can't understand your concern about spaces but fair enough.

Ok.

Fair enough but I'd also recommend strip_tags rather than mres on its own.


But surely you would still need to do,

 

$Fetch_Usernames = mysql_query("SELECT Username FROM Members WHERE Username = '$Username'");
$Count = mysql_num_rows($Fetch_Usernames);

 

In that query, surely you still need to convert it to lowercase?


Just do this to check for all caps and numbers. Simple and to the point.

 

// True when the name has no lowercase letter, which covers all-caps and all-number names.
$all_upper = !preg_match("/[a-z]/", $_POST['username']);

 

Then, just use something like this:

 

if($all_upper)
{
die("Sorry, the username is not acceptable.
><a href='register.php'>Back</a>");
}

 

I believe that should work.


this worked! Thank you!
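
As an added example that is not part of the thread: one way to enforce the limits asked for in the first post (length, all caps, all numbers, symbols) with an allow-list, plus a case-insensitive duplicate check that uses a bound parameter instead of escaping. The 3 to 15 length range, the allowed character set, the function names and the in-memory SQLite table standing in for the Members table are assumptions.

```php
<?php
// Added example, not code from the thread. The 3-15 length range and the
// allowed character set are assumptions; change them to suit the game.

function username_error(string $name): ?string
{
    $len = strlen($name);
    if ($len < 3 || $len > 15) {
        return 'Username must be 3 to 15 characters long.';
    }
    // Allow-list instead of a ban list: letters, digits and underscore only.
    // This rejects @, / and \ together with spaces and every other symbol.
    // \A and \z anchor the whole string ($ would accept a trailing newline).
    if (!preg_match('/\A[A-Za-z0-9_]+\z/', $name)) {
        return 'Username may contain only letters, digits and underscores.';
    }
    if (!preg_match('/[A-Za-z]/', $name)) {   // rejects all-number names
        return 'Username must contain at least one letter.';
    }
    // All caps: at least one letter (checked above) and no lowercase one.
    if (!preg_match('/[a-z]/', $name)) {
        return 'Username cannot be all capitals.';
    }
    return null;
}

function username_taken(PDO $db, string $name): bool
{
    // Bound parameter: the name is data, never part of the SQL text.
    // LOWER() on both sides makes Bob, BoB and bob count as one name.
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM Members WHERE LOWER(Username) = LOWER(?)'
    );
    $stmt->execute([$name]);
    return (int) $stmt->fetchColumn() > 0;
}

// Constructed demo data: in-memory SQLite stands in for the game's database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Members (Username TEXT)');
$db->exec("INSERT INTO Members (Username) VALUES ('Bob')");

foreach (['ab', 'SHOUTY', '12345', 'bob@home', 'a/b\\c', 'BoB', 'Daron7'] as $name) {
    $error = username_error($name)
        ?? (username_taken($db, $name) ? 'Username is already taken.' : null);
    echo str_pad($name, 10), $error ?? 'OK', PHP_EOL;
}
```

Because the name is checked against the allow-list before it is stored, it keeps its original capitalisation for display while the lookup still treats differently cased spellings as the same account.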
