Get the PHPIDS to ignore innocent # and/or -- values on a password /username field



greekiecrete
14.01.2010, 10:36
Hi,

I am very new to the PHP IDS. I have been searching on Google but was unable to find a solution to my problem so here goes.

We are being hammered with notifications from the PHP IDS every time a valid user logs in with credentials that may include '#' and/or '--' values.
What can we do to get PHP IDS to recognise them as valid without compromising security?

Any feedback would be appreciated.

Keilaron
22.01.2010, 18:24
I can confirm -- is a problem, but not #.
At any rate, you could add your password field to the exceptions rather than make those characters allowable. Since you should (key word :P) be hashing the passwords anyway, you shouldn't be vulnerable.
(e.g.,

// Exclude the POST "password" field from PHPIDS inspection
$init->setConfig(array('General' => array(
    'exceptions' => array('POST.password')
)), TRUE);
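
An added example, not part of the thread: a login handler in which only the password field is excepted from PHPIDS, the username stays inspected, and the excepted value is used solely for hash verification. It assumes the legacy PHPIDS class names (IDS_Init, IDS_Monitor); the config path, DSN, table and column names are hypothetical.

```php
<?php
// Added example. Paths, DSN, table and column names are assumptions.
require_once 'IDS/Init.php';

$init = IDS_Init::init('IDS/Config/Config.ini'); // assumed config location

// Except only the password field; POST.username is still inspected.
$init->setConfig(array('General' => array(
    'exceptions' => array('POST.password')
)), true);

$request = array('GET' => $_GET, 'POST' => $_POST, 'COOKIE' => $_COOKIE);
$ids     = new IDS_Monitor($request, $init);
$result  = $ids->run();

if (!$result->isEmpty()) {
    // Something other than the excepted field matched a filter rule.
    error_log('PHPIDS impact: ' . $result->getImpact());
    http_response_code(400);
    exit;
}

$username = isset($_POST['username']) ? (string) $_POST['username'] : '';
$password = isset($_POST['password']) ? (string) $_POST['password'] : '';

$pdo = new PDO('sqlite:/path/to/app.db'); // hypothetical DSN
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// The username goes through a bound parameter, never string concatenation.
$stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
$stmt->execute(array($username));
$hash = $stmt->fetchColumn();

// The excepted password is only ever fed to the hash check: it is not
// placed in a query, written to a log, or echoed back into the page.
if ($hash !== false && password_verify($password, $hash)) {
    session_start();
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
} else {
    http_response_code(401);
}
```

The exception is only as safe as the code path behind it: if the raw password is ever interpolated into SQL or HTML elsewhere, that path is no longer covered by PHPIDS.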