  1. #1
    New to the CF scene
    Join Date
    Oct 2008
    Thanked 0 Times in 0 Posts

    Allowing Spaces in Username/Password

    I'm on a ColdFusion server and one of the biggest issues with login problems with clients is that, when they copy and paste login information down, they copy spaces with it too. Then a lot of time gets wasted trying to figure out why they can't log in.

    So I thought about allowing whitespace characters with login so this issue would be resolved once and for all. I checked some major sites and they do not accept it, but Google seems to accept whitespace characters.

    Does anyone see any security issue with this?

    If not, how do you think I should code the TRIM value for the username/password in the form login, so that before the page hits the database to check for a match on the username/password, it would remove the whitespace characters the person would enter?

    As far as what I need accomplished, basically the ability to accept spaces entered before or after the username and password.

  2. #2
    Regular Coder
    Join Date
    Feb 2009
    NJ, USA
    Thanked 70 Times in 69 Posts
    There's no real security issue that I know of with allowing white space in a username or password, as long as you have the proper code on the backend to avoid SQL injection attacks. That includes either calling a stored procedure to access the database, or using <cfqueryparam> tags in direct SQL (with <cfquery>).

    I personally use trim() for usernames and passwords, both when they are creating them, and when they are using them. When copying from MS Word, a web page, or some other programs, a little white space can automatically be copied as well. However, people won't realize this in a password field which just shows **********.

    This is pretty much my query to check a username/password:

    <!--- Match on the trimmed username and password; cfqueryparam binds both values as parameters --->
    <cfquery name="checkUser" datasource="db">
        SELECT username, password FROM users
        WHERE username = <cfqueryparam value="#trim( form.username )#" cfsqltype="CF_SQL_VARCHAR">
            AND password = <cfqueryparam value="#trim( form.password )#" cfsqltype="CF_SQL_VARCHAR">
    </cfquery>

    However, if you do want to accept white space before and after, then just don't run trim() on the values that are provided to the database.

    Hope that helps.
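
The approach described in the reply above (trim when the credentials are created and again when they are used, with every value bound through <cfqueryparam>), written out as an added example that is not part of either post. The function names normalizeCredential, createUser and checkLogin are hypothetical; the datasource "db" and the users table with username and password columns are taken from the query posted in the thread.

```cfml
<!--- Added example: one shared normalizer so creation and login can never disagree. --->
<cffunction name="normalizeCredential" returntype="string" output="false">
    <cfargument name="raw" type="string" required="true">
    <!--- trim() removes leading/trailing whitespace only; spaces inside the value are kept. --->
    <cfreturn trim(arguments.raw)>
</cffunction>

<!--- Account creation stores the normalized values. --->
<cffunction name="createUser" returntype="void" output="false">
    <cfargument name="username" type="string" required="true">
    <cfargument name="password" type="string" required="true">
    <cfquery datasource="db">
        INSERT INTO users (username, password)
        VALUES (
            <cfqueryparam value="#normalizeCredential(arguments.username)#" cfsqltype="CF_SQL_VARCHAR">,
            <cfqueryparam value="#normalizeCredential(arguments.password)#" cfsqltype="CF_SQL_VARCHAR">
        )
    </cfquery>
</cffunction>

<!--- Login applies the same normalization, so a pasted " bob " matches the stored "bob". --->
<cffunction name="checkLogin" returntype="boolean" output="false">
    <cfargument name="username" type="string" required="true">
    <cfargument name="password" type="string" required="true">
    <cfset var checkUser = "">
    <!--- Values are bound as parameters, so quotes or SQL in the input stay plain data. --->
    <cfquery name="checkUser" datasource="db">
        SELECT username
        FROM users
        WHERE username = <cfqueryparam value="#normalizeCredential(arguments.username)#" cfsqltype="CF_SQL_VARCHAR">
          AND password = <cfqueryparam value="#normalizeCredential(arguments.password)#" cfsqltype="CF_SQL_VARCHAR">
    </cfquery>
    <cfreturn checkUser.recordCount EQ 1>
</cffunction>

<!--- On the login page: --->
<cfif checkLogin(form.username, form.password)>
    <!--- credentials matched; start the session here --->
<cfelse>
    <!--- no match; show the login error --->
</cfif>
```

If trimming is added to an existing site, accounts whose stored values already contain leading or trailing spaces will stop matching until those rows are trimmed as well.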
