Sanitizing Forms

theaverageidiot

11:30 pm on Mar 29, 2006 (gmt 0)

10+ Year Member



Hello there!

I need to know how to sanitize forms :). As in, when a user enters his email address in my form, and it is sent (via Post), I need PHP to check and make sure it ONLY has standard A-Z, a-z, 0-9, and a few extra's like @ and . (but NO quotes!). I'm generally new to PHP. Does anyone know how I can do this?

Also, I want to know... is it dangerous to check passwords from script? You know, like "if($password == "abcd") {". That sort of thing.

Thanks!

Andrew Bassett

3:01 am on Mar 30, 2006 (gmt 0)

10+ Year Member



Use regular expressions. The PHP functions are ereg() and eregi() (ignores case). For example, if you wanted usernames to include only letters, numbers, and the underscore...

function is_valid_username($str_username)
{
    // ereg() was removed in PHP 7; preg_match() is the PCRE equivalent.
    // The + is required so the whole string is checked against the class;
    // without it the pattern only matches a single character.
    return preg_match('/^[_a-zA-Z0-9]+$/', $str_username) === 1;
}

Then, in your code...

if (is_valid_username($new_username) )
{
echo "Good name";
}
else
{
echo "Bad name";
}

Passwords in PHP scripts are less secure. Someone only needs to read your source code and they have access to your private parts (so to speak). I also wouldn't recommend it, because sometimes when you use the echo command and accidentally leave a quote out, it echoes all your source code to the person viewing your webpage; they might see it that way.
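As an added example (not code from the thread), here is the whitelist approach applied to the two fields the original poster asked about, an email address and a username. The patterns are anchored and carry a quantifier so the whole value is tested, and the email check is backed by PHP's built-in validator. The sample submissions are constructed for the demo and stand in for $_POST.

```php
<?php
// Added example: whitelist validation of form fields with preg_match().
// Each pattern is anchored (^ ... $) and uses + or {n,m} so it must match the
// WHOLE value; "^[a-z0-9]$" without a quantifier accepts only one character.
// ereg()/eregi() were removed in PHP 7; preg_match() is the PCRE replacement.

function is_valid_username(string $value): bool
{
    // Letters, digits and underscore only, 3 to 32 characters.
    return preg_match('/^[_a-zA-Z0-9]{3,32}$/', $value) === 1;
}

function is_valid_email(string $value): bool
{
    // Character whitelist: letters, digits, @ and dot, plus the few other
    // characters a normal address may contain. Quotes, spaces and angle
    // brackets are not in the class, so they are rejected.
    // The /D modifier makes $ refuse a trailing newline, which plain $ allows.
    if (preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/D', $value) !== 1) {
        return false;
    }
    // Second opinion from PHP's built-in validator.
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed sample submissions standing in for $_POST.
$samples = [
    ['email' => 'alice@example.com',   'username' => 'alice_01'], // both ok
    ['email' => 'bob"@example.com',    'username' => 'bob'],      // quote -> email rejected
    ['email' => "carol@example.com\n", 'username' => 'carol'],    // trailing newline -> email rejected
    ['email' => 'dave@example',        'username' => 'd'],        // no TLD, username too short
];

foreach ($samples as $s) {
    printf("%-24s %-10s email:%s username:%s\n",
        json_encode($s['email']), $s['username'],
        is_valid_email($s['email']) ? 'ok ' : 'BAD',
        is_valid_username($s['username']) ? 'ok ' : 'BAD');
}
```

Validation on its own does not make the value safe to print back into HTML or to put in a query; escape on output (htmlspecialchars) and use prepared statements for the database regardless of what the regex allowed through.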

theaverageidiot

12:45 pm on Mar 30, 2006 (gmt 0)

10+ Year Member



Well, thing is, it's an admin password on a hard-to-find page and there's only one password for it. What's a safer way for checking that password than the if I gave?

(P.S. Thanks for the code :))

jatar_k

3:24 pm on Mar 30, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Welcome to WebmasterWorld theaverageidiot,

You might want to look through our library [webmasterworld.com]. There are a few threads in there about security that cover cleaning.

As far as protecting the admin portion, you could even go with using apache to password protect it using htpass. Normally you would encrypt the password using md5 then store that. Then once the password is entered into the form, you md5 it and compare to the stored value. Same premise but if someone got the value out of your file then they still couldn't log in.

Andrew Bassett

3:52 pm on Mar 30, 2006 (gmt 0)

10+ Year Member



If you want to store the password in your source code, but not let it be known, you can just store the hash in the source code.

First, use echo md5("whateverthepasswordis") to find the hash (string of 40 letters and numbers), then paste the hash in your code. It would look like this:

if (md5($my_password) === "ab490cd4b920aba9dfee98a98") // === avoids PHP's loose numeric comparison of digest strings
{
    echo "Access granted";
}

That's a safer way of doing it, and it's quite simple. No need to waste effort connecting to a database and comparing to a list of users.

theaverageidiot

12:27 am on Apr 2, 2006 (gmt 0)

10+ Year Member



How about using a combination? As in, use the Apache/htaccess password protection from my host's Control Panel, then also have MD5 on the files? Hopefully THAT is secure enough :).

TomAnthony

1:46 pm on Apr 3, 2006 (gmt 0)

10+ Year Member



Just to further complicate things, here is the approach I would take.

I would use the MD5 method that Andrew Bassett suggested, but I would also store the MD5 version not directly in the script but in an include file.

This include file should be with your other includes, above your apache document root. It is good practice to keep your includes above your apache document root, so if Apache becomes misconfigured (and starts outputting .php and .inc files as text) your include files are given a level of protection.

admin_check.php:


require_once "/var/www/includes/functions.inc";
if (is_admin($my_password))
{
    //do stuff
}

functions.inc:


function is_admin($the_pass)
{
    // === rather than ==: with == PHP compares two numeric-looking strings
    // (e.g. digests starting "0e") as numbers, which can match wrongly.
    return (md5($the_pass) === "ab490cd4b920aba9dfee98a98");
}
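Added example, not code from the thread: it keeps the layout TomAnthony describes (the hash lives in an include above the document root and the page only calls is_admin()) and the "store the hash, not the password" idea from Andrew Bassett's post, but does the comparison the way current PHP (5.5 and later) recommends, with password_hash()/password_verify() instead of md5() and ==. The include path, the demo password and the $_POST fallback are assumptions made for this example.

```php
<?php
// Added example: admin check with a stored password hash, split the way the
// thread suggests into an include file and the page that uses it.

// --- contents of /var/www/includes/admin_auth.inc (assumed path, above docroot) ---
// In real use ADMIN_PASSWORD_HASH is a constant pasted from a ONE-TIME run of
// password_hash() on the real password. To keep this demo self-contained it is
// computed here from a constructed password; the hash is what gets stored,
// never the password itself.
define('ADMIN_PASSWORD_HASH', password_hash('constructed-demo-password', PASSWORD_DEFAULT));

function is_admin(string $candidate): bool
{
    // password_verify() reads the algorithm, cost and salt out of the stored
    // hash and compares in constant time, so no == / === on strings is needed.
    return password_verify($candidate, ADMIN_PASSWORD_HASH);
}

// If an old md5 digest is all you have and cannot rehash yet, compare it with
// hash_equals() rather than ==. PHP's loose comparison treats two strings that
// both look like "0e<digits>" as the number 0, so == can report a match for a
// wrong password; hash_equals() compares the bytes, in constant time.
function is_admin_legacy_md5(string $candidate, string $storedDigest): bool
{
    return hash_equals($storedDigest, md5($candidate));
}

// --- contents of admin_check.php in the document root ---
// require_once '/var/www/includes/admin_auth.inc';
$candidate = $_POST['password'] ?? 'constructed-demo-password'; // constructed input for the demo

if (is_admin($candidate)) {
    echo "Access granted\n";
} else {
    echo "Access denied\n";
}

// Why == is the wrong operator for digest strings:
var_dump('0e111' == '0e222');             // bool(true): both parsed as the number 0
var_dump(hash_equals('0e111', '0e222'));  // bool(false): bytes differ
```

password_hash() produces a different string every run because it generates a fresh salt, so the value you paste into the include file will not match the one printed here; that is expected, and password_verify() still validates it. Keep the include readable only by the web server user so a misconfiguration that serves .inc files as text, the case TomAnthony mentions, exposes a hash at worst and never the password.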