Validation program returns nothing

[code]

Password Strength
<?php
$password = array( "12?b5A", "A234567?", "aBcdefg?", "Mno edf1?", "abcde1?n", "Sasuke!Naruto9", "Anime_Rules!", "Fairy_Tail2", "Natsu_dragoneal1");

foreach {($password as $Passwordchk)
if( strlen($Passwordchk) < 8 ) {
$error .= "Password too short! ";
}

if( !preg_match("#[0-9]+#", $Passwordchk) ) {
$error .= "Password must include at least one number!
";
}

if( !preg_match("#[a-z]+#", $Passwordchk) ) {
$error .= "Password must include at least one letter!
";
}

if( !preg_match("#[A-Z]+#", $Passwordchk) ) {
$error .= "Password must include at least one CAPS!
";
}

if( !preg_match("#\W+#", $Passwordchk) ) {
$error .= "Password must include at least one symbol!
";
}

if($error){
echo "Your password is invalid: $error";
} else {
echo "Your password is strong.";
}
}
?>

[/code]

This is an assignment I have to do to validate passwords. I have to have an array that includes at least 10 passwords and six of those must fail. I have to use regular expressions and the passwords must test to be at least 8 characters, include one uppercase, one lower case, one number and one character that is not a letter. It can also not have any spaces. I have to display if each one is strong enough and display the errors. This is what I have so far but it displays nothing. I am not sure what I have done wrong. I also do not have the code to test for spaces included yet…Could someone point me in the right direction with this…thanks

Unless you have to do it that way, use an array to do the errors, then you can display them as needed. Right now, all you’re doing is creating one huge string (.= concatenates).

The loop is wrong, you put the { after the foreach, not before it :slight_smile:
foreach($password as $Passwordchk) {

as for what I was saying about the errors, just do something

if(strlen($Passwordchk) < 8 ) {
 	$error['toshort'] = "Password too short!";
}
if( !preg_match("#[0-9]+#", $Passwordchk) ) {
 	$error['onenumber'] = "Password must include at least one number!";
}

Then to display it, you can either use a loop, or just specify which one to display. You could even use a switch, but that’s adding a lot of code and it’s not really practical. I use this method to do my validation because it’s faster and I can tell it where I want to display the error code.
[php]if($error){
echo "Your password is invalid:
";
// $error is keyed by name ('toshort', 'onenumber'), so walk it with foreach instead of a numeric index
foreach($error as $message) {
echo $message;
}
} else {
echo "Your password is strong.";
}[/php]

First of all, if you have to use regular expressions then your strlen check isn’t going to be accepted.

And please take note or comment on how silly this is. I’m hoping this is only to learn regex, because when you have perfectly good functions to run instead, regex is just a slow and unreadable way of doing things.

Also the password policy is stupid as hell, please refer to: http://xkcd.com/936/

Consider this code:

[php]<?php

$passwords = array(
'pass',
'12?b5A',
'A234567?',
'aBcdefg?',
'Mno edf1?',
'abcde1?n',
'Sasuke!Naruto9',
'Anime_Rules!',
'Fairy_Tail2',
'Natsu_dragoneal1'
);

$result = array();
foreach ($passwords as $password) {
$result[$password] = array(
'status' => '',
'errors' => array()
);

// The assignment requires at least 8 characters, so the lower bound of the quantifier is 8
if (!preg_match('#(.){8,2048}#',$password)) {
   $result[$password]['errors'][] = "Password too short!";
}

if (preg_match('#\s#', $password)) {
   $result[$password]['errors'][] = "Password cannot contain spaces!";
}

if (!preg_match('#\d#',$password)) {
   $result[$password]['errors'][] = "Password must include at least one number!";
}

if (!preg_match('#[a-z]+#',$password)) {
   $result[$password]['errors'][] = "Password must include at least one lower case letter!";
}

if (!preg_match('#[A-Z]+#',$password)) {
   $result[$password]['errors'][] = "Password must include at least one upper case letter!";
}

if (!preg_match('#(\W|_)#',$password)) {
   $result[$password]['errors'][] = "Password must include at least one symbol!";
}

$result[$password]['status'] = empty($result[$password]['errors']) ? 'Valid' : 'Invalid';

}

?>

Password Strength <?php foreach ($result as $password => $data) { ?>

<?= $password ?>

Status: <?= $data['status'] ?>
<?php if ($data['status'] === 'Invalid') { ?> Errors:
    <?php foreach ($data['errors'] as $error) { ?>
  • <?= $error ?>
  • <?php } ?>
<?php } ?>
<?php } ?> [/php]

The result array looks like this:

[code]Array
(
[pass] => Array
(
[status] => Invalid
[errors] => Array
(
[0] => Password too short!
[1] => Password must include at least one number!
[2] => Password must include at least one upper case letter!
[3] => Password must include at least one symbol!
)

    )

[12?b5A] => Array
    (
        [status] => Invalid
        [errors] => Array
            (
                [0] => Password too short!
            )

    )

[A234567?] => Array
    (
        [status] => Invalid
        [errors] => Array
            (
                [0] => Password must include at least one lower case letter!
            )

    )

[aBcdefg?] => Array
    (
        [status] => Invalid
        [errors] => Array
            (
                [0] => Password must include at least one number!
            )

    )

[Mno edf1?] => Array
    (
        [status] => Invalid
        [errors] => Array
            (
                [0] => Password cannot contain spaces!
            )

    )

[abcde1?n] => Array
    (
        [status] => Invalid
        [errors] => Array
            (
                [0] => Password must include at least one upper case letter!
            )

    )

[Sasuke!Naruto9] => Array
    (
        [status] => Valid
        [errors] => Array
            (
            )

    )

[Anime_Rules!] => Array
    (
        [status] => Invalid
        [errors] => Array
            (
                [0] => Password must include at least one number!
            )

    )

[Fairy_Tail2] => Array
    (
        [status] => Valid
        [errors] => Array
            (
            )

    )

[Natsu_dragoneal1] => Array
    (
        [status] => Valid
        [errors] => Array
            (
            )

    )

)[/code]

Output:

[code]pass
Status: Invalid
Errors:
Password too short!
Password must include at least one number!
Password must include at least one upper case letter!
Password must include at least one symbol!

12?b5A
Status: Invalid
Errors:
Password too short!

A234567?
Status: Invalid
Errors:
Password must include at least one lower case letter!

aBcdefg?
Status: Invalid
Errors:
Password must include at least one number!

Mno edf1?
Status: Invalid
Errors:
Password cannot contain spaces!

abcde1?n
Status: Invalid
Errors:
Password must include at least one upper case letter!

Sasuke!Naruto9
Status: Valid

Anime_Rules!
Status: Invalid
Errors:
Password must include at least one number!

Fairy_Tail2
Status: Valid

Natsu_dragoneal1
Status: Valid[/code]

Here’s my take on the password:

[php]<?php
$passwords = array(
'pass',
'12?b5A',
'A234567?',
'aBcdefg?',
'Mno edf1?',
'abcde1?n',
'Sasuke!Naruto9',
'Anime_Rules!',
'Fairy_Tail2',
'Natsu_dragoneal1'
);

function checkPassword($pass) {

if (strlen($pass) < 8) {
	echo $pass , ' -> password is too short<br>';
	return false;
}

if (strpos($pass, " ") !== false) {
	echo $pass , ' -> password must contain no spaces.<br>';
	return false;	
}	

if (preg_match("#[0-9]+#", $pass) === 0) {
	echo $pass , ' -> password must contain one number.<br>';
	return false;	
}

if (preg_match("#[a-z]+#", $pass) === 0) {
	echo $pass , ' -> password must contain one lowercase letter.<br>';	
	return false;
}

if (preg_match("#[A-Z]+#", $pass) === 0) {
	echo $pass , ' -> password must contain one capital letter.<br>';	
	return false;
}


if (preg_match("#\W+#", $pass) === 0) {
	echo $pass , ' -> password must contain one symbol.<br>';	
	return false;
}
return true;

}
// Here’s mine that I personally use for my website, I personally don’t care if the user puts spaces in his password and I don’t like users entering symbols as part of the password.
function myPasswordCHK($pass) {
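// Each lookahead needs ".*" so the digit, lower case and upper case letter may appear anywhere in the password
if (preg_match("/^.*(?=.{8,})(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z]).*$/", $pass) === 0) {
echo $pass ,' -> password must be at least 8 characters, and must contain at least one lower case letter, one upper case letter and one digit.
';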
return false;
}
return true;
}

foreach ($passwords as $pass) {
$result = checkPassword($pass);
echo ($result) ? $pass . ' is OK to use!!!
' : NULL;
}
echo '
';
echo '
';
foreach ($passwords as $pass) {
$result = myPasswordCHK($pass);
echo ($result) ? $pass . ' is OK to use!!!
' : NULL;
}
?>[/php]

Instead of echoing out the error message one could easily modify it to $errMsg[]= and I know this is an assignment but if this was in the real world I would just use one regex (thoroughly tested of course ;D) and just have one generic message telling the user that password must be…without the actual password in the string for that tends to freak out people. :o The less specific you are the better you are off in fending off the script kiddies (true hackers that’s a different story). ;D
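
Added example, not written by any poster in this thread: the two full answers above disagree on `Fairy_Tail2` and `Natsu_dragoneal1`, because `\W` does not match an underscore while `(\W|_)` does. The sketch below runs both symbol checks over the thread's sample passwords and returns rule names instead of echoing messages; `failedRules` and its `$symbolPattern` parameter are names made up for this illustration.

```php
<?php
// Sample passwords copied from the posts above (test data, not real credentials).
$passwords = array('pass', '12?b5A', 'A234567?', 'aBcdefg?', 'Mno edf1?', 'abcde1?n',
    'Sasuke!Naruto9', 'Anime_Rules!', 'Fairy_Tail2', 'Natsu_dragoneal1');

// Hypothetical helper: returns the names of the rules that failed.
// The password itself is never placed in a message, only rule names come back.
function failedRules(string $pass, string $symbolPattern): array
{
    $rules = array(
        // Anchored so the whole string is measured; counts bytes
        // (add the "u" flag to count UTF-8 characters instead).
        'length' => '#\A.{8,}\z#s',
        'digit'  => '#[0-9]#',
        'lower'  => '#[a-z]#',
        'upper'  => '#[A-Z]#',
        'symbol' => $symbolPattern,
    );
    $failed = array();
    foreach ($rules as $name => $pattern) {
        // preg_match() returns 1, 0 or false; anything but 1 fails closed.
        if (preg_match($pattern, $pass) !== 1) {
            $failed[] = $name;
        }
    }
    // The whitespace rule is inverted: a match is the failure.
    if (preg_match('#\s#', $pass) === 1) {
        $failed[] = 'whitespace';
    }
    return $failed;
}

foreach ($passwords as $pass) {
    $strict  = failedRules($pass, '#\W#');    // "_" is a word character, so it does not count
    $relaxed = failedRules($pass, '#[\W_]#'); // "_" counts as a symbol
    $note = ($strict === $relaxed) ? '' : '  <-- verdict depends on how "_" is treated';
    printf("%-18s \\W: %-8s [\\W_]: %-8s%s\n", $pass,
        $strict ? 'invalid' : 'valid', $relaxed ? 'invalid' : 'valid', $note);
}
```

Only the two underscore-only passwords change verdict between the two columns; every other sample either contains another non-word character or fails a different rule.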

Strider: why limit passwords at all? You’re not responsible for users choosing lousy passwords.

And a password policy forcing a combination of different characters/symbols doesn’t comply with Correct Horse Battery Staple

You want people to comply with a comic book? It makes sense, but I’d never use it. I’m happy if I can remember the few passwords I use now. But a lot of sites I use require a combination of upper and lowercase letters and numbers.

When it makes so much sense literally every internet security site has quoted it multiple times then yes, I would like people to take its advice.

That’s a different story, some argue it would be easier to remember sentences which you personally relate to the site/service in question. I myself don’t really see passwords as the solution at all. Ordinary people can not remember strong unique passwords for all the sites/services they use. Adding password expiration rules to that and it’s practically impossible.

The only solution I see atm is using a password service like lastpass/keepass/1password/etc. Where you have only one password/key to remember and you’re free to use long and complex passwords for every site/service you use.

I don’t trust sites like that, seems like an awfully big target for hackers.

Clever, also most of them are based in the US, which makes trusting them practically impossible.

Since AES is available for both PHP and JS it’s not hard to code it yourself though. Worst part is getting it working well on Android.

I didn’t say anything about limiting passwords, I could care less if a person puts abcdef as their password and putting limited “restraints” on passwords just give the appearance of having going beyond taking security precautions. :wink: For example when a person logs onto their banking website for example and gets that asinine security question(s) (“What is your favorite food?” for example). It doesn’t add any “Tighter” security for the bank. A true hacker can easily bypass that in seconds flat, it is just a nuisance for the customer the only thing is ----> most people don’t realize it and think it’s for security reasons. Anyway a true person who is knowledgeable will use something like http://keepass.info/ and personally I don’t want a person on my website if they can’t remember a password or have some kind of software aid on my website. ;D

Don’t get me wrong I take security very seriously on my website, but at some time a person has to cut the cord and let the code go live knowing I have taken the latest security measures that are out there at that given time. And with always being on the lookout for improvements when it comes to security.

Sorry I read your post as you saying you used that password validation regex yourself.

Regarding questions
If anything those weaken security, a lot
