Re: [PHP] User Passwords: checking for unique chars

2005-02-23 Thread Jochem Maas
Richard Lynch wrote:
Jochem Maas wrote:
Alex Gemmell wrote:
On Mon, 14 Feb 2005 22:51:42 +0100, Jochem Maas [EMAIL PROTECTED]
wrote:

Alex Gemmell wrote:
#Contain at least one number
if ( !preg_match ('/\\d/', $password) ) return false;
I'm pretty sure the double backslash is a typo.

nice explanation, thanks for that! I will definitely be changing my habits
BUT then again your average regexp is a mind enough without escaping
the bslash oh well at least I now know what I _should_ be doing :-)
No, it's *NOT* a typo.
Inside of apostrophes, \ *IS* a special character.
It's also special inside of quotes, but let's stick with apostrophes for now.
\ is used to escape an apostrophe inside of apostrophes.
So you can do:
$var = 'Don\'t forget to escape apostrophes!';
Because \ is used to escape the apostrophe, you also use it to escape the
backslash itself:
$var = 'Backslash \\ should also be escaped';
Inside apostrophes, those are the ONLY two special cases:
\' turns into apostrophe:   '
\\ turns into backslash:    \
Inside quotes, you've got a bunch more like \n, \r, \t as well as variable
substitution going on.
Now, because ONLY those two special cases exist, you *CAN* type:
$var = '\d';
and PHP will store internally:   \d
because the backslash wasn't followed by ' or \, so it must be just a
literal backslash.
But that doesn't make it Good Style.
In my *opinion* one should use:
$var = '\\d';
so that it is completely clear that the backslash is being escaped, and
you're not trying to get a control-D (end of file) or whatever.
Or, put it this way:
It's incredibly unlikely that PHP will ever change '\d' to mean control-D.
But it's even MORE unlikely that PHP would change '\\d' to mean anything
other than: \d
The same sort of paradigm is true for quote marks -- You *CAN* get away
with a single \ inside of quotes, so long as it's not followed by:
n
r
t
$

x[0-9A-Fa-f]{1,2} (a Hex number with \x in front)
[0-7]{1,3} (an Octal number with \ in front)
But with *THAT* many possible following characters, people have gotten
more in the habit of using \\ inside quotes.
But PHP is consistent with *BOTH* apostrophes and quotes about the \
character:  There are always a limited number of character combinations
that can follow \ to give it special meaning.  Any other character
combination following \ just uses \ literally.
\d always turns into \d inside quotes or apostrophes.
\a always turns into \a
\b turns into \b
.
.
.
ONLY \, \n, \r, \t, etc (see above) turn into something else inside quotes.
ONLY \' and \\ turn into something else inside apostrophes.
To be CLEAR in your code, however, I highly recommend using \\ in ALL
strings when you want a literal backslash -- so that there is no question
whether you are trying to escape the next character as something special,
or you just want a backslash.
\\ *always* means a single backslash
\ sometimes means a single backslash, and sometimes means something
entirely different depending on what follows it.
Use \\, so you *always* know what is going on.

well you have to escape the bslash if you're using double quotes.
there is a reason sane people (normally) write regexps in php
using single quotes :-)

Unless your regex contains apostrophes a lot, and then quotes are easier. :-)
//Bad Example: (strstr would be better choice here)
$contraction = ereg("'", $word);
I'm sure others will disagree with me, but this is my opinion on writing
clear code with \ inside of apostrophes and quotes:
Always use \\ to get a literal backslash, and you'll never get confused,
because \\ always means one (1) backslash.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


Re: [PHP] User Passwords: checking for unique chars

2005-02-15 Thread Burhan Khalid
[ snipped ]

Oh!  You're so mean!!  ;)
A lot of people are making some great points.  I feel I must straighten
this out a little.  While I may not be the best coder in the world I
do have my reasons.  I originally made the passwords automatically
generated and emailed to the user.  Nice complicated ones!  I was
immediately shot down for doing this because no one here liked the
idea of having complicated passwords!  I was told to allow the user to
choose their own so I merely wanted to make sure no one could have
stupid passwords like "aaa".  So I just added a few limitations. 
Besides, my small website doesn't hold any sensitive information about
anyone so it wouldn't be the end of the world if someone cracked it!
Try something like http://sourceforge.net/projects/pwgen/ which 
generates passwords that are easy for humans to remember, yet not that 
dumb.



Re: [PHP] User Passwords: checking for unique chars

2005-02-15 Thread Richard Lynch
Jochem Maas wrote:
 Alex Gemmell wrote:
 On Mon, 14 Feb 2005 22:51:42 +0100, Jochem Maas [EMAIL PROTECTED]
 wrote:

Alex Gemmell wrote:
  #Contain at least one number
  if ( !preg_match ('/\\d/', $password) ) return false;

I'm pretty sure the double backslash is a typo.

No, it's *NOT* a typo.

Inside of apostrophes, \ *IS* a special character.

It's also special inside of quotes, but let's stick with apostrophes for now.

\ is used to escape an apostrophe inside of apostrophes.

So you can do:

$var = 'Don\'t forget to escape apostrophes!';

Because \ is used to escape the apostrophe, you also use it to escape the
backslash itself:

$var = 'Backslash \\ should also be escaped';

Inside apostrophes, those are the ONLY two special cases:
\' turns into apostrophe:   '
\\ turns into backslash:    \

Inside quotes, you've got a bunch more like \n, \r, \t as well as variable
substitution going on.

Now, because ONLY those two special cases exist, you *CAN* type:

$var = '\d';

and PHP will store internally:   \d

because the backslash wasn't followed by ' or \, so it must be just a
literal backslash.

But that doesn't make it Good Style.

In my *opinion* one should use:

$var = '\\d';

so that it is completely clear that the backslash is being escaped, and
you're not trying to get a control-D (end of file) or whatever.

Or, put it this way:

It's incredibly unlikely that PHP will ever change '\d' to mean control-D.

But it's even MORE unlikely that PHP would change '\\d' to mean anything
other than: \d

The same sort of paradigm is true for quote marks -- You *CAN* get away
with a single \ inside of quotes, so long as it's not followed by:
n
r
t
$

x[0-9A-Fa-f]{1,2} (a Hex number with \x in front)
[0-7]{1,3} (an Octal number with \ in front)

But with *THAT* many possible following characters, people have gotten
more in the habit of using \\ inside quotes.

But PHP is consistent with *BOTH* apostrophes and quotes about the \
character:  There are always a limited number of character combinations
that can follow \ to give it special meaning.  Any other character
combination following \ just uses \ literally.

\d always turns into \d inside quotes or apostrophes.
\a always turns into \a
\b turns into \b
.
.
.

ONLY \, \n, \r, \t, etc (see above) turn into something else inside quotes.
ONLY \' and \\ turn into something else inside apostrophes.

To be CLEAR in your code, however, I highly recommend using \\ in ALL
strings when you want a literal backslash -- so that there is no question
whether you are trying to escape the next character as something special,
or you just want a backslash.

\\ *always* means a single backslash

\ sometimes means a single backslash, and sometimes means something
entirely different depending on what follows it.

Use \\, so you *always* know what is going on.

 well you have to escape the bslash if you're using double quotes.
 there is a reason sane people (normally) write regexps in php
 using single quotes :-)

Unless your regex contains apostrophes a lot, and then quotes are easier. :-)

//Bad Example: (strstr would be better choice here)
$contraction = ereg("'", $word);

I'm sure others will disagree with me, but this is my opinion on writing
clear code with \ inside of apostrophes and quotes:

Always use \\ to get a literal backslash, and you'll never get confused,
because \\ always means one (1) backslash.

-- 
Like Music?
http://l-i-e.com/artists.htm
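
The escaping rules described in the message above, as an added example that is not part of the original thread. It also goes one step further and shows the case of matching a literal backslash, where the PHP literal and the regex engine each consume one layer of escaping. The function names `has_digit` and `contains_backslash` and the sample strings are constructed for illustration.

```php
<?php
// Added example, not code from the thread: PHP rewrites the string literal
// first, then PCRE applies its own escaping to whatever bytes are left.

// Single quotes rewrite only \' and \\, so these two literals are compared
// byte for byte and then dumped as hex.
var_dump('\d' === '\\d');
var_dump(bin2hex('\\d'));

// Double quotes leave \d alone but rewrite \t, \x41 and \101.
var_dump("\d" === '\d');
var_dump(bin2hex("\t"), bin2hex('\t'));
var_dump("\x41" === 'A', "\101" === 'A');

// The digit test from the thread, using the \\ spelling recommended above.
function has_digit(string $password): bool
{
    return preg_match('/\\d/', $password) === 1;
}
var_dump(has_digit('jack1234'), has_digit('abcdefgh'));

// Matching a literal backslash needs both layers escaped.
// '/\\/' reaches PCRE as /\/ : the backslash escapes the closing delimiter,
// so the pattern does not compile and preg_match() returns false.
$broken = @preg_match('/\\/', 'C:\\temp');
// '/\\\\/' reaches PCRE as /\\/ : one escaped, literal backslash.
$correct = preg_match('/\\\\/', 'C:\\temp');
var_dump($broken, $correct);

// A failed compile returns false, not 0. A deny-list check that only tests
// truthiness would accept every input when its pattern is broken, so the
// return value is compared strictly and a compile failure is made loud.
function contains_backslash(string $input): bool
{
    $r = preg_match('/\\\\/', $input);
    if ($r === false) {
        throw new RuntimeException('pattern failed to compile');
    }
    return $r === 1;
}
var_dump(contains_backslash('C:\\temp'), contains_backslash('plain'));
```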




[PHP] User Passwords: checking for unique chars

2005-02-14 Thread Alex Gemmell
Hello!

I'm checking user chosen passwords for validity and have created 7
tests.  It's not 100% bulletproof but it will do for now.  My problem
is with the last check "have 6 unique characters".  I'm at a loss at
how to check for this in a neat one-liner.

My brain is starting to go off on some horribly complicated routines
but I'm sure it can be done neatly (like the regular expressions). 
Can anyone help me with this?  By the way - I've only just learnt
regular expressions this morning so I'm no expert on them...


# Code:

function check_password($password) {
  # It exists
  if ( !isset($password) ) return false;
  # Not empty
  if ( empty($password) ) return false;
  #At least 8 characters long
  if ( strlen($password) < 8 ) return false;
  #Does not contain special characters e.g. ([EMAIL 
PROTECTED]:?,./;'`[=\]{space})
  if ( !preg_match ('/[][)(.,[EMAIL PROTECTED]:?\/;\'`=\\s]/', 
$password)
) return false;
  #Contain at least one number
  if ( !preg_match ('/\\d/', $password) ) return false;
  #Contain at least one letter
  if ( !preg_match ('/[a-zA-Z]/', $password) ) return false;
  #Have 6 unique characters
  if ( ? ) return false;

  return true;
}


Thanks,

Alex




RE: [PHP] User Passwords: checking for unique chars

2005-02-14 Thread Mike Johnson
From: Alex Gemmell [mailto:[EMAIL PROTECTED] 

 Hello!
 
 I'm checking user chosen passwords for validity and have created 7
 tests.  It's not 100% bulletproof but it will do for now.  My problem
 is with the last check have 6 unique characters.  I'm at a loss at
 how to check for this in a neat one-liner.
 
 My brain is starting to go off on some horribly complicated routines
 but I'm sure it can be done neatly (like the regular expressions). 
 Can anyone help me with this?  By the way - I've only just learnt
 regular expressions this morning so I'm no expert on them...

The quick & dirty way, I think, would be the following:

<?php

// create an assoc. array of the chars
$pass_chars = array();
for ($i = 0; $i < strlen($password); $i++) {
    // one key per distinct char; assigning avoids incrementing an undefined key
    $pass_chars[substr($password, $i, 1)] = true;
}
// the number of array keys is the # of unique chars
if (count($pass_chars) < 6) return FALSE;

?>

I'm curious to see if there's an easier way to do it, though. I'm not
sure regexps are the answer.


-- 
Mike Johnson             Smarter Living, Inc.
Web Developer            www.smartertravel.com
[EMAIL PROTECTED]        (617) 886-5539




Re: [PHP] User Passwords: checking for unique chars

2005-02-14 Thread Richard Lynch
Alex Gemmell wrote:
 I'm checking user chosen passwords for validity and have created 7
 tests.  It's not 100% bulletproof but it will do for now.  My problem
 is with the last check have 6 unique characters.  I'm at a loss at
 how to check for this in a neat one-liner.

if (count(count_chars($password, 1)) < 6) return false;

http://php.net/count_chars

No regex at all :-)

-- 
Like Music?
http://l-i-e.com/artists.htm
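
The `count_chars()` check from the reply above counts distinct bytes, which is not the same as distinct characters once a password contains multi-byte UTF-8. The following added example (not code from the thread) puts the byte count next to a UTF-8 aware count; the function names, the decision to treat invalid UTF-8 as zero characters, and the sample passwords are assumptions made for illustration, and the special-character test from the original function is left out.

```php
<?php
// Added example, not code from the thread: the "6 unique characters" rule
// counted per byte (count_chars) and per UTF-8 character (preg_split with /u).

function unique_bytes(string $s): int
{
    // Mode 1 returns only the byte values that occur, keyed by byte value.
    return count(count_chars($s, 1));
}

function unique_chars(string $s): int
{
    // The /u modifier splits on UTF-8 code points; on invalid UTF-8
    // preg_split() returns false instead of an array.
    $chars = preg_split('//u', $s, -1, PREG_SPLIT_NO_EMPTY);
    if ($chars === false) {
        return 0; // assumption: undecodable input counts as no characters
    }
    return count(array_unique($chars));
}

function check_password(string $password): bool
{
    if (strlen($password) < 8) return false;                 // at least 8 bytes long
    if (!preg_match('/\\d/', $password)) return false;        // at least one digit
    if (!preg_match('/[a-zA-Z]/', $password)) return false;   // at least one letter
    if (unique_chars($password) < 6) return false;            // at least 6 distinct characters
    return true;
}

// Constructed sample passwords; the last one repeats a two-byte character.
$samples = ['aaaaaaa1', 'jack1234', 'aNalR3teNt1vE$%^', "\u{e9}\u{e9}\u{e9}\u{e9}abc1"];
foreach ($samples as $p) {
    printf(
        "%-18s bytes=%2d chars=%2d accepted=%s\n",
        $p,
        unique_bytes($p),
        unique_chars($p),
        check_password($p) ? 'yes' : 'no'
    );
}
```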




Re: [PHP] User Passwords: checking for unique chars

2005-02-14 Thread Alex Gemmell
Wow - good job!  That nailed it and in one neat line too!

Thanks very much Richard and thanks also to Mike for his help too. 
I'm really liking these php lists!

On Mon, 14 Feb 2005 09:41:00 -0800 (PST), Richard Lynch [EMAIL PROTECTED] 
wrote:
 Alex Gemmell wrote:
  I'm checking user chosen passwords for validity and have created 7
  tests.  It's not 100% bulletproof but it will do for now.  My problem
  is with the last check have 6 unique characters.  I'm at a loss at
  how to check for this in a neat one-liner.
 
 if (count(count_chars($password, 1)) < 6) return false;
 
 http://php.net/count_chars
 
 No regex at all :-)
 
 --
 Like Music?
 http://l-i-e.com/artists.htm
 
 

-- 
Alex Gemmell
|:| [EMAIL PROTECTED] |:|




RE: [PHP] User Passwords: checking for unique chars

2005-02-14 Thread Chris W. Parker
Alex Gemmell mailto:[EMAIL PROTECTED]
on Monday, February 14, 2005 7:24 AM said:

 Hello!

Hi!

 
 # Code:
 

<beingfunnynotmean!>Do you also have a label on your computer that says
"Computer"?</beingfunnynotmean!>

Some questions (because I'm curious):

1. Why would you *not* allow special characters? Wouldn't allowing
special characters make the password stronger?

2. Why are you forcing the password to have all unique characters? I
don't think I've ever read this as being a recommendation for strong
passwords.



Chris.




Re: [PHP] User Passwords: checking for unique chars

2005-02-14 Thread Jason Barnett
Chris W. Parker wrote:
Alex Gemmell mailto:[EMAIL PROTECTED]
on Monday, February 14, 2005 7:24 AM said:

Hello!

Hi!
Bonjour!


# Code:


<beingfunnynotmean!>Do you also have a label on your computer that says
"Computer"?</beingfunnynotmean!>
No, but I do have a label that says My Computer.  Close enough, isn't
it?  ;)
Some questions (because I'm curious):
1. Why would you *not* allow special characters? Wouldn't allowing
special characters make the password stronger?
Agreed.
2. Why are you forcing the password to have all unique characters? I
don't think I've ever read this as being a recommendation for strong
passwords.
If anything unique characters would make a password less secure (from
the perspective of a dictionary attack).  Because once you know where
the A is, and where the B is, etc. that only leaves you with the
rest of the characters on the next cycle...

Chris.

--
Teach a man to fish...
NEW? | http://www.catb.org/~esr/faqs/smart-questions.html
STFA | http://marc.theaimsgroup.com/?l=php-generalw=2
STFM | http://www.php.net/manual/en/index.php
STFW | http://www.google.com/search?q=php
LAZY |
http://mycroft.mozdev.org/download.html?name=PHPsubmitform=Find+search+plugins




Re: [PHP] User Passwords: checking for unique chars

2005-02-14 Thread Alex Gemmell
On Mon, 14 Feb 2005 10:17:53 -0800, Chris W. Parker
[EMAIL PROTECTED] wrote:
 Alex Gemmell mailto:[EMAIL PROTECTED]
on Monday, February 14, 2005 7:24 AM said:
 
  Hello!
 
 Hi!
 
  
  # Code:
  
 
 <beingfunnynotmean!>Do you also have a label on your computer that says
 "Computer"?</beingfunnynotmean!>
 
 Some questions (because I'm curious):
 
 1. Why would you *not* allow special characters? Wouldn't allowing
 special characters make the password stronger?
 
 2. Why are you forcing the password to have all unique characters? I
 don't think I've ever read this as being a recommendation for strong
 passwords.
 
 
 Chris.
 

Oh!  You're so mean!!  ;)

A lot of people are making some great points.  I feel I must straighten
this out a little.  While I may not be the best coder in the world I
do have my reasons.  I originally made the passwords automatically
generated and emailed to the user.  Nice complicated ones!  I was
immediately shot down for doing this because no one here liked the
idea of having complicated passwords!  I was told to allow the user to
choose their own so I merely wanted to make sure no one could have
stupid passwords like "aaa".  So I just added a few limitations. 
Besides, my small website doesn't hold any sensitive information about
anyone so it wouldn't be the end of the world if someone cracked it!

So, no special characters because the passwords don't need to be THAT
strong (nor would any of our users choose passwords that good - I'll
bet money on it!).

Oh, and the password won't have ALL unique chars, I was thinking 6
unique chars and a minimum of 8 chars for the whole password (could be
more if they choose).

-- 
Alex Gemmell
|:| [EMAIL PROTECTED] |:|




Re: [PHP] User Passwords: checking for unique chars

2005-02-14 Thread Jochem Maas
Alex Gemmell wrote:
Hello!
I'm checking user chosen passwords for validity and have created 7
tests.  It's not 100% bulletproof but it will do for now.  My problem
is with the last check have 6 unique characters.  I'm at a loss at
how to check for this in a neat one-liner.
My brain is starting to go off on some horribly complicated routines
but I'm sure it can be done neatly (like the regular expressions). 
Can anyone help me with this?  By the way - I've only just learnt
regular expressions this morning so I'm no expert on them...


# Code:

function check_password($password) {
  # It exists
  if ( !isset($password) ) return false;
this is pointless, the function will hurl if you don't pass an arg.
  # Not empty
  if ( empty($password) ) return false;
  #At least 8 characters long
  if ( strlen($password) < 8 ) return false;

  #Does not contain special characters e.g. ([EMAIL 
PROTECTED]:?,./;'`[=\]{space})
  if ( !preg_match ('/[][)(.,[EMAIL PROTECTED]:?\/;\'`=\\s]/', 
$password)
) return false;
why are you not allowing 'special' chars? these can increase pwd complexity -
which is a good thing.
  #Contain at least one number
  if ( !preg_match ('/\\d/', $password) ) return false;
I'm pretty sure the double backslash is a typo.
here are some regexps from a php5 class I use:
class RegExp
{
const UNSIGNED_INT  = '^\d*$';
const SIGNED_INT= '^[-+]?\d*$';
const FLOATING_POINT= '^[-+]?([0-9]*\.)?[0-9]+$';
const FLOAT_GTEQ1   = '^[1-9](\.\d+)?$';

// 
}
  #Contain at least one letter
  if ( !preg_match ('/[a-zA-Z]/', $password) ) return false;
  #Have 6 unique characters
  if ( ? ) return false;

if (count($chars = preg_split('//', $password, -1, PREG_SPLIT_NO_EMPTY)) &&
    (array_unique($chars) !== $chars)) return false;
it's a one liner - just a rather long line. the count() is not really necessary.
but really is this a good check? consider the following password:
aNalR3teNt1vE$%^.
rather better than:
jack1234.
the second pwd would pass your test, the first one wouldn't
you might want to pass the passwd check to a cmdline utility
which is made for the job.
  return true;
}

Thanks,
Alex


Re: [PHP] User Passwords: checking for unique chars

2005-02-14 Thread Jochem Maas
Alex Gemmell wrote:
On Mon, 14 Feb 2005 22:51:42 +0100, Jochem Maas [EMAIL PROTECTED] wrote:
Alex Gemmell wrote:
...


 #Contain at least one number
 if ( !preg_match ('/\\d/', $password) ) return false;
I'm pretty sure the double backslash is a typo.
here are some regexps from a php5 class I use:

Interesting you should say that because I was told to escape my slashes
in this case, otherwise I wouldn't have either.  I've tested it and it
works so...
well you have to escape the bslash if you're using double quotes.
there is a reason sane people (normally) write regexps in php
using single quotes :-)
php -r " echo '\d';"
php -r ' echo "\n";'
php -r " echo '\\d';"
php -r ' echo "\n";'
php -r ' echo "\\d";'
php -r ' echo "\n";'
php -r ' echo d;'
php -r ' echo "\n";'
don't ask (me) why this is so. I just learn how from bitter experience :-),
the why for greater mortals than I.

Thanks Jochem - all advice much appreciated.
you might curse me in the long term ;-)