TalkPHP

TalkPHP (http://www.talkphp.com/forums.php)
-   General (http://www.talkphp.com/general/)
-   -   Evaluate my regex pleeze? (http://www.talkphp.com/general/2755-evaluate-my-regex-pleeze.html)

Aaron 05-04-2008 07:05 PM

Evaluate my regex pleeze?
 
Hey, this should be an ongoing thread for people to validate others' Regex. I mean, without valid Regex, you could have a security hole. And with a security hole comes your customers' credit card numbers in your neighbors hands...

Anyway, does this work the way I want it to?
PHP Code:

$regex = '/^[^\s"\']{4,50}$/'; // preg_* patterns need delimiters; here the forward slash

It should accept any string of characters 4 to 50 characters long. The string cannot have any spaces or tabs or anything of the like, and cannot have quotation marks.

delayedinsanity 05-04-2008 07:43 PM

There's already a regular expression thread over here, if you like: http://www.talkphp.com/advanced-php-...pressions.html

...what should the string accept? Just characters? or numbers as well? If I was writing a regex to, say, accept valid MD5 strings, instead of telling it what I don't want, I'd ask it to look just for what I do want, like so:

~^[A-Za-z0-9]{32}$~

...on that note yours could be the same, just swap {32} for {4,50}
-m

Aaron 05-04-2008 08:11 PM

This is the plaintext password. It comes from the registration/login form and has to pass that before getting sha1'd and mixed with all these other hashes and salts.

delayedinsanity 05-04-2008 08:38 PM

And you want to make sure it only contains alphanumerical characters? And maybe an underscore? From 4 to 50 characters in length, I would do

$bBool = preg_match("~^[A-Za-z0-9_]{4,50}$~", $szPassword); // anchored at both ends; no space inside {4,50}, or PCRE treats it as literal text

I personally use + instead of {} and check the length in a separate statement so I can return a more specific error message, but that'll do the trick for you if you just want to get it all done in one.
-m

Salathe 05-04-2008 11:12 PM

First off, it's a bad idea to suggest restricting passwords to only alphanumeric and underscore characters. People are advised to mix in other less common characters to give stronger passwords -- your code should accept good, strong passwords!

Going back to the original post, you say that the string should not have any whitespace characters but the $ will allow for one newline character at the end of the string: /^abcd$/ will successfully allow the string "abcd\n". To disallow the newline, use the D (PCRE_DOLLAR_ENDONLY) pattern modifier.

Since this is for passwords, why wouldn't you allow whitespace or quotes? On a more general note, be aware that patterns like the one provided in the original post will allow any other character except the ones specified (whitespace, single- and double-quote). For example, !!!! is a valid password as is ⌘☃ (two UTF-8 characters) when tested against the original pattern.

I'm not sure that a regular expression test is really very useful in this particular instance.

Aaron 05-04-2008 11:53 PM

You contradicted yourself there...

A password should be allowed to be strong... If the person knows how to form unicode characters (and I doubt it), they can use it in their password, can't they?

I honestly don't care if the password is an insane 50 character unicode mess (unless they can accidentally form unicode characters and screw something up).

Also, from the top, I said it only disallows whitespace and quotation marks. Where did I say only alphanumeric?

1) What's with the tildes?
2) What is the D pattern modifier and how do I incorporate it into that regex?

Salathe 05-05-2008 12:27 AM

My initial paragraph was aimed at delayedinsanity, which I assumed was clear from the response. Oops!

The tildes are acceptable delimiters for the PCRE extension (preg_* functions, which should be used rather than the ereg* functions); the more usual delimiter (a character which signifies the start and end of the pattern) is the forward slash (e.g. /abc/).

The D modifier means that (to quote the PHP manual) "a dollar metacharacter in the pattern matches only at the end of the subject string. Without this modifier, a dollar also matches immediately before the final character if it is a newline (but not before any other newlines)."

Practically speaking, if we have a string which ends in a newline character "abc\n" then /^abc$/ would be successful whereas /^abc$/D would not match because the 'c' character isn't the absolute final character in the string.

Fuller information can be found in the PHP manual's PCRE Section.
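A runnable illustration of the two points Salathe makes in this post and the previous one (the trailing newline that `$` lets through, and what the D modifier changes), added here as an example and not code posted in the thread. It uses Aaron's original character class with the tilde delimiters from delayedinsanity's posts; the function name and the sample strings are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. Demonstrates the trailing-newline
// behaviour of $ that Salathe describes and the effect of the D modifier.

/**
 * Test $password against Aaron's character class, with or without the
 * D (PCRE_DOLLAR_ENDONLY) modifier. Returns true on a match.
 */
function matchesPasswordPattern(string $password, bool $dollarEndOnly): bool
{
    // Tilde delimiters as in delayedinsanity's posts; modifiers go after the
    // closing delimiter, so '~...~D' is the D-modified form of '~...~'.
    $pattern = '~^[^\s"\']{4,50}$~' . ($dollarEndOnly ? 'D' : '');
    return preg_match($pattern, $password) === 1;
}

// Constructed sample inputs for the demonstration.
$samples = [
    "abcd",     // plain: matches with or without D
    "abcd\n",   // trailing newline: matches without D, rejected with D
    "ab\ncd",   // embedded newline: rejected either way (\s excludes it)
    "ab cd",    // space: rejected either way
    "!!!!",     // punctuation only: accepted, the class forbids nothing else
    "\x01\x02\x03\x04", // control bytes that are not whitespace: accepted
    "⌘☃",       // 2 characters but 6 bytes, so {4,50} is satisfied without the u modifier
    "abc",      // too short
];

foreach ($samples as $s) {
    printf("%-22s without D: %-9s with D: %s\n",
        json_encode($s, JSON_UNESCAPED_UNICODE),
        matchesPasswordPattern($s, false) ? 'match' : 'no match',
        matchesPasswordPattern($s, true)  ? 'match' : 'no match');
}
```

Running this shows "abcd\n" matching without D and failing with it, while every other sample behaves the same either way. An alternative to the D modifier is the `\z` assertion, which matches only at the absolute end of the subject regardless of modifiers, so `~^[^\s"\']{4,50}\z~` rejects "abcd\n" as well. Note also that `[^\s"\']` is a denylist: it admits every byte that is not whitespace or a quote, including control characters such as ESC or NUL that `\s` does not cover, which is the wider version of Salathe's point about `!!!!` and multi-byte input.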

Aaron 05-05-2008 01:05 AM

Er... Sorry about that then...

Okay, thank you. I now know that my Regex works :P

delayedinsanity 05-05-2008 01:24 AM

I guess I just assumed there, about the alphanumerical passwords. It hadn't crossed my mind that <:*h*&*k*:??> might be a stronger password than "hellokitty", but as usual somebody else has thought of what I haven't.

Just updated my authentication class to allow for this. ;-) Though I wouldn't say a regular expression is a bad idea for disallowing certain things. Perhaps ~[\t\n\r\f\v[:cntrl:]]+~ might be a start?

This kind of makes me re-evaluate my basic sanitization routine too... I have it right now so that it strips anything off the ends that looks like the user is trying to do a basic SQL injection (such as comment characters) and changes anything that looks like HTML to their entities (specifically <script> etc). I want my scripts to be secure, but not at the cost of usability.
-m

edit: let me rephrase that last bit; I want my code to be secure AND usable.
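An added example (not delayedinsanity's authentication class or any other code from the thread) of the approach sketched in this post and the earlier one: the length check kept separate from the character check so the error message is specific, and a regex used only to reject control characters so that quotes, punctuation, spaces and non-ASCII characters stay usable. It also counts length in characters rather than bytes, which `{4,50}` does not do for UTF-8 input in a pattern without the u modifier. The function name and the sample passwords are this example's own.

```php
<?php
// Added example, not code from the thread (the function name and sample
// passwords are this example's own). A password check in the shape
// delayedinsanity describes: length tested separately so the error is
// specific, and a regex used only to reject what is genuinely unwanted.

/**
 * Returns null if $password is acceptable, otherwise a short reason string.
 * Quotes, punctuation, spaces and non-ASCII characters are all allowed;
 * only control characters and out-of-range lengths are rejected.
 */
function validatePassword(string $password): ?string
{
    // Malformed UTF-8 makes preg_match with the u modifier return false,
    // which would be indistinguishable from "no match" below, so check first.
    if (!mb_check_encoding($password, 'UTF-8')) {
        return 'password is not valid UTF-8';
    }

    // Count characters, not bytes: "⌘☃" is 2 characters but 6 bytes, and
    // {4,50} in a pattern without the u modifier counts bytes.
    $length = mb_strlen($password, 'UTF-8');
    if ($length < 4) {
        return "password must be at least 4 characters (got $length)";
    }
    if ($length > 50) {
        return "password must be at most 50 characters (got $length)";
    }

    // [:cntrl:] covers the C0 control characters (U+0000 to U+001F) and DEL,
    // which includes tab, newline and carriage return but NOT the space,
    // so passphrases with spaces are fine. No anchors are needed: a control
    // character anywhere, including a trailing newline, is enough to reject.
    if (preg_match('~[[:cntrl:]]~u', $password) === 1) {
        return 'password contains a control character';
    }

    return null;
}

// Constructed sample inputs.
$samples = [
    'hellokitty',                   // accepted
    '<:*h*&*k*:??>',                // delayedinsanity's example: accepted
    'correct horse battery staple', // spaces are allowed
    "it's \"quoted\"",              // quotes are allowed
    '⌘☃',                           // 2 characters: too short (its 6 bytes would pass a byte count)
    '⌘☃⌘☃',                         // 4 characters: accepted
    "abcd\n",                       // trailing newline: rejected
    "abcd\x1b",                     // ESC, which \s alone would not catch: rejected
    str_repeat('a', 51),            // too long
];

foreach ($samples as $s) {
    printf("%-34s %s\n",
        json_encode($s, JSON_UNESCAPED_UNICODE),
        validatePassword($s) ?? 'accepted');
}
```

Because the password goes straight into a hash and nowhere else, it needs none of the SQL-comment stripping or HTML-entity conversion mentioned above; those belong at the point of use (a parameterised query, or escaping when a value is rendered into a page), where they cannot silently alter what the user typed before it is hashed.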

