Home/ Questions/Q 7771613
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-01T16:41:42+00:00

I have a a simple form to login using a username and password. I

  • 0

I have a a simple form to login using a username and password. I want to apply a whitelist to allow only certain characters. I dont know if anybody requires this but here is the code to retrieve the username and password:

$stmt = $conn2->prepare("SELECT username FROM users WHERE username = ? AND password = ?");

$stmt->bind_param("ss", $username, $password);      
$stmt->execute();
$stmt->store_result();

Do I incorporate something like this:

preg_replace( "/[^a-zA-Z0-9_]/", "", $stringToFilter );

If so, where do I include it within my code? And what happens if a user tries to input something other than what is in the whitelist?

ADDED: Ok well what about if it is during registration and it is using INSERT to store username and password?

//insert data
$stmt = $conn2->prepare("INSERT INTO users (username, email, password) VALUES (?, ?, ?)");

//bind the parameters
$stmt->bind_param('sss', $username, $email, $password);
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Add the filtering code before your INSERT during registration. Check that the string is not empty after filtering, so that a username of "!!*&%$#()*&#$" does not get inserted as a blank string.

    $username_clean = preg_replace( "/[^a-zA-Z0-9_]/", "", $_POST['username'] );

if (!strlen($username_clean)){

    die("username is blank!");
}

$stmt = $conn2->prepare("INSERT INTO users (username, email, password) VALUES (?, ?, ?)");
$stmt->bind_param('sss', $username_clean, $email_clean, $password_clean);
    • 0