I have encountered a problem with PHP server-side validation. I am trying to validate the password field, which should follow the following rules: between 8 and 15 symbols, at least 1 uppercase, at least 1 special symbol, at least 3 letters and at least 2 numbers. Every validation passes except for the password one, and I can't figure out why. My PHP code is:

```php
if (isset($_POST['register'])) {

    $form = $_POST;
    $username = $form['username'];
    $password = $form['password'];
    $confirmPass = $form['confirmPass'];
    $firstName = $form['firstName'];
    $lastName = $form['lastName'];
    $address = $form['address'];
    $email = $form['email'];
    $age = $form['age'];
    $phone = $form['phone'];
    //Retrieve the field values from our registration form.
    $username = !empty($_POST['username']) ? trim($_POST['username']) : null;
    $password = !empty($_POST['password']) ? trim($_POST['password']) : null;

    //TO ADD: Error checking (username characters, password length, etc).
    //Basically, you will need to add your own error checking BEFORE
    //the prepared statement is built and executed.

    //Validation username
    if (strlen($username) < 4 || strlen($username) > 8 || empty($username)) {
        throw new Exception("User name must be between 4 and 8 symbols.");
    }
    $patern = '#^[A-Za-z0-9]+$#';
    if (!preg_match($patern, $username)) {
        throw new Exception("User name must not contain special characters.");
    }
    //Validation password
    if (strlen($password) < 8 || strlen($password) > 15 || empty($password)) {
        throw new Exception("Password must be between 8 and 15 symbols.");
    }
    $patern = '#^(?=(.*\d){2,})(?=.*[A-Z]{1,})(?=.*[a-zA-Z]{2,})(?=.*[!@~#$%^&?]{1,})[0-9a-zA-Z!@~#?$^%&`]+$#';
    if (!preg_match($patern, $password)) {
        throw new Exception("Password must contain at least 1 special symbol, at least 1 uppercase letter, at least 2 numbers and at least 3 letters.");
    }
    if ($password != $confirmPass) {
        throw new Exception("Passwords do not match.");
    }
    //Validation email
    $patern = '#^(([^<>()\[\]\.,;:\s@\"]+(\.[^<>()\[\]\.,;:\s@\"]+)*)|(\".+\"))@(([^<>()[\]\.,;:\s@\"]+\.)+[^<>()[\]\.,;:\s@\"]{2,})$#';
    if (!preg_match($patern, $email)) {
        throw new Exception("Please fill in a valid email.");
    }
    //Validation phone
    if (strlen($phone) != 10) {
        throw new Exception("Phone must be 10 numbers.");
    }
    //Validation age
    if (intval($age) < 18) {
        throw new Exception("You must be at least 18 years old.");
    }
    //Validation check
    if (!isset($_POST['gdpr'])) {
        throw new Exception("You must agree with GDPR.");
    }

    if (!isset($_POST['agreement'])) {
        throw new Exception("You must agree with the terms and conditions.");
    }
}
```
TwinAxe96
  • You may benefit from [Reference - Password Validation](https://stackoverflow.com/questions/48345922/reference-password-validation/). Don't limit passwords to specific special characters; there's really no need to do that and you're making it less secure. Also, you should allow Unicode characters so that users can make their passwords more secure if they choose to do so, such as using `ô` or any other non-ASCII symbol. Also, `{1,}` is the same as the `+` quantifier. You also need to change it to `(?:.*[a-zA-Z]){2,}` – ctwheels Mar 22 '18 at 14:16
  • Do you have problems with your regular expression? If so, check it on this website: https://regex101.com/ – wayneOS Mar 22 '18 at 14:20
  • No, on the website regex101 the regex is working perfectly fine and is matching correctly; it seems to be a problem elsewhere. – TwinAxe96 Mar 22 '18 at 14:22
  • Why are you capping the password at 15 characters? Jesus, no, don't do that. – ctwheels Mar 22 '18 at 14:31
  • It's an internal training project and the product owners defined the rules; it's pretty strange password validation anyway. – TwinAxe96 Mar 22 '18 at 14:37
  • @TwinAxe96 you should let the product owners know that they're actually impeding the security of their application by defining rules. Take a look at the SO reference I posted and share the NIST guidelines with them; they might think twice about implementing such nonsensical rules, especially the upper limit on the password. – ctwheels Mar 22 '18 at 14:39

1 Answer

`#` as delimiter and `#` in the content of the regex cause a premature end delimiter, thus a modifier error.

Rather than `#`, use `/` instead as the delimiter for a successful preg_match() without modifying the content of the regex.

Like from:

```php
$patern = '#^(?=(.*\d){2,})(?=.*[A-Z]{1,})(?=.*[a-zA-Z]{2,})(?=.*[!@~#$%^&?]{1,})[0-9a-zA-Z!@~#?$^%&`]+$#';
```

To:

```php
$patern = '/^(?=(.*\d){2,})(?=.*[A-Z]{1,})(?=.*[a-zA-Z]{2,})(?=.*[!@~#$%^&?]{1,})[0-9a-zA-Z!@~#?$^%&`]+$/';
```
Karlo Kokkak
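The delimiter failure described in the answer, as an added example that is not code from the question or the answer. It reuses the asker's pattern body verbatim, runs it with the broken `#` delimiter, the answer's `/` delimiter and an escaped-`#` variant, and shows how to tell "pattern did not compile" (`false`) from "password did not match" (`0`), which the asker's `!preg_match(...)` test conflates. The helper names `matchOutcome` and `validatePassword` and the sample password are assumptions made for this example.

```php
<?php
// Added example (not from the question or the answer): why the '#' delimiter
// breaks this pattern, and how to tell "no match" from "bad pattern".

// The asker's pattern body, exactly as in the question, without delimiters.
// Note: (?=.*[a-zA-Z]{2,}) only requires two *consecutive* letters, not the
// "at least 3 letters" rule; that is a separate issue from the delimiter.
const PASSWORD_RULE = '^(?=(.*\d){2,})(?=.*[A-Z]{1,})(?=.*[a-zA-Z]{2,})'
    . '(?=.*[!@~#$%^&?]{1,})[0-9a-zA-Z!@~#?$^%&`]+$';

/**
 * Returns 'match', 'no-match', or 'error: ...' so a compile failure of the
 * pattern is never mistaken for a failed validation.
 */
function matchOutcome(string $pattern, string $subject): string
{
    // '@' only silences the E_WARNING; error_get_last() still records it.
    $result = @preg_match($pattern, $subject);
    if ($result === false) {
        return 'error: ' . (error_get_last()['message'] ?? 'unknown');
    }
    return $result === 1 ? 'match' : 'no-match';
}

// Broken: PHP takes the first unescaped '#' after the opener as the closing
// delimiter. That is the '#' inside [!@~#$%^&?], so the rest of the string is
// parsed as modifiers and preg_match() warns about an unknown modifier '$'.
$broken  = '#' . PASSWORD_RULE . '#';
// Fixed (the answer's change): a delimiter that does not occur in the pattern.
$fixed   = '/' . PASSWORD_RULE . '/';
// Alternative: keep '#' but escape the literal ones; both PHP's delimiter
// scanner and PCRE accept '\#' as a literal '#'.
$escaped = '#' . str_replace('#', '\#', PASSWORD_RULE) . '#';

$candidate = 'Passw0rd1!';   // constructed sample that satisfies the pattern
foreach (['broken' => $broken, 'fixed' => $fixed, 'escaped' => $escaped] as $name => $p) {
    printf("%-8s %s\n", $name, matchOutcome($p, $candidate));
}

// Fail closed: the asker's `!preg_match(...)` threw on both 0 and false, so a
// broken pattern rejected every password. Distinguish the two explicitly.
function validatePassword(string $password): void
{
    $r = preg_match('/' . PASSWORD_RULE . '/', $password);
    if ($r === false) {
        throw new RuntimeException('Password rule failed to compile; fix the pattern.');
    }
    if ($r !== 1) {
        throw new InvalidArgumentException('Password does not meet the complexity rules.');
    }
}
```

Running the script with any PHP 7.1+ CLI prints one outcome per delimiter choice; only the `#` version reports a compile error, which is exactly the failure the asker observed.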