Regular Expression

Lit

Hi,

I am looking for a Regular expression for a password for my RegExp
ValidationControl

Requirements are,

At least 8 characters long.
At least one digit [0-9]
At least one upper case character [A-Z]
At least one lower case character [a-z]
At least one special character: []{};':",./?><=+-_)(*&^%$#@!~` ---
this is difficult?

How do you escape []() etc... \[?

Thank you,

Lit
 
Lit

Tried this
(?=^.{8,30}$)(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()_+}{"":;'?/>.<,]).*$
and it does NOT work
Any Ideas?

Thank You,

Lit
 
Guest

This should work

^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\[\]{};':\",\.\/\?\>\<\=\+\-_\)\(*&\^\%$#@\!~`]).{8,30}$

One of the errors in your expression is that you didn't mark the special
characters like ! ? $ etc. with a leading \
 
Lit

Alexey,


I tried
^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\[\]{};':\",\.\/\?\>\<\=\+\-_\)\(*&\^\%$#@\!~`]).{8,30}$
on abCD12!! and it does not validate if Failed???


Thank You,

Lit





Guest

It seems that the control doesn't like it... Okay, the following code
is supposed to work as expected

<asp:TextBox ID="txtName" runat="server"/>
<asp:Button ID="btnSubmit" runat="server" Text="Submit" />
<asp:RegularExpressionValidator ID="regexpName"
    runat="server"
    ErrorMessage="This expression does not validate."
    ControlToValidate="txtName"
    ValidationExpression="(?=^.{8,}$)(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\!\[\]])([0-9a-zA-Z\!\[\]])*$" />

For the test I use only !, [, and ] to validate, simply add all others.
 
Jesse Houwing

Hello Alexey,
This should work

^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])
(?=.*[\[\]{};':\",\.\/\?\>\<\=\+\-_\)\(*&\^\%$#@\!~`]) .{8,30}$

One of the errors in your expression is that the special characters
like ! ? $ etc. you don't marked with leading \

There is no need to escape them in a character class.

Lit, which part of the regex isn't working. Have you tried the separate parts?
 
Jesse Houwing

Hello Alexey,

If you're using a regex in a clientside rendering control (like the RegexValidator)
you need to restrict yourself to functions which are supported by the JScript
(and Javascript) engines. Look aheads (?=...) usually do not work in clientside
languages.

You could split the regex up into multiple regex validators:

^.*[A-Z].*$
^.*[a-z].*$
^.*[0-9].*$
^.*[punctuation].*$

and a range validator to ensure it has the correct length.

Alternatively you could also set the ClientValidate property of the regex
to false. That should enable the more advanced regex tricks serverside, but
would result in a postback to validate the textbox.

Also, in a character class you only need to escape characters which are special
in a character class: \ [ ] -. All other characters should be allowed in
there without an escaping \ in front of them.
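
Why the hyphen is on that list, as an added example that is not part of the original thread: Python's `re` stands in for the JScript/.NET engines (range syntax inside a class is the same), the two classes are copied from patterns that appear elsewhere in this thread, and the function names are made up for the illustration. With a bare `-` between `+` and `=`, the class silently becomes a range that includes every digit.

```python
import re

# Special-character class as typed in the thread with a bare "-" between
# "+" and "=", and the later version where the hyphen is escaped.
BARE_HYPHEN = r'''[\!\[\]@#$%^&*()_+-={}|\:";'//?,.<>~`]'''
ESCAPED_HYPHEN = r'''[\!\[\]@#$%^&*()_+\-={}\\|;':",./<>?`~]'''


def members(char_class):
    """Return the printable ASCII characters the class matches, in order."""
    rx = re.compile(char_class)
    return "".join(c for c in map(chr, range(0x20, 0x7F)) if rx.fullmatch(c))


def unintended(loose, strict):
    """Characters matched by `loose` but not by `strict`."""
    allowed = set(members(strict))
    return "".join(c for c in members(loose) if c not in allowed)


def has_special(char_class, password):
    """The thread's look-ahead for 'at least one special character'."""
    return re.search(r"(?=.*" + char_class + r")", password) is not None


if __name__ == "__main__":
    # "+-=" is parsed as the range 0x2B..0x3D, which contains 0-9.
    print("extra characters:", unintended(BARE_HYPHEN, ESCAPED_HYPHEN))
    # A password with no special character at all (constructed sample).
    sample = "abcdEFGH12"
    print("bare hyphen accepts it:   ", has_special(BARE_HYPHEN, sample))
    print("escaped hyphen accepts it:", has_special(ESCAPED_HYPHEN, sample))
```
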
 
Lit

Alexey,

This seems to pass for now, I don't understand it however.
What does ?=.*\d mean exactly. this looks like a conditional RegExp??

Are you also saying I need to add the rest of the special characters

(?=.*[\!\[\]])([0-9a-zA-Z\!\[\]])*$

like

(?=.*[\!\[\]@#$%^&*()_+-={}|\:";'//?,.<>~`])([0-9a-zA-Z\!\[\]@#$%^&*()_+-={}|\:";'//?,.<>~`])*$

Is this correct? I will be testing but any input from you is greatly
appreciated.

Thanks for your help.

Lit




Guest

Alexey,

This seems to pass for now, I don't understand it however.
What does ?=.*\d mean exactly. this looks like a conditional RegExp??

\d is for 0..9

Are you also saying I need to add the rest of the special characters

(?=.*[\!\[\]])([0-9a-zA-Z\!\[\]])*$

like

(?=.*[\!\[\]@#$%^&*()_+-={}|\:";'//?,.<>~`])([0-9a-zA-Z\!\[\]@#$%^&*()_+-={}|\:";'//?,.<>~`])*$

yes, like this

the first part

(?=.*[ ])

is to tell that at least one of the characters within the range is
required

the second part

([0-9a-zA-Z........)*$

is for validation of the input.

Jesse said that there is no need to escape using \ (maybe except of
two \[ \] )

Jesse, I'm right?

Actually, Lit, I think you may also have "\W" to pass any character,
because I think you put almost all characters in your expression.
Anyway, it looks like the last expression I sent you is working, hope
you can use it

Is this correct? I will be testing but any input from you is greatly
appreciated.

Thanks for your help.

Lit



Lit

Alexey,

Still testing and it is working so far...

specifically what does "?=." mean?

Yes you are right I have the option on "\W" that works also except for
UnderScore character which is I suppose a character by definition.

I am a bit worried now because of what Jesse Houwing said about some engines
will not work.

How to re-write the expression so all engines will accept is beyond me.

Jesse Houwing?????

Thank Alexey

Lit



Lit

Hi Jesse,

I am using the following so far and it seems to work

(?=^.{8,}$)(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\!\[\]@#$%^&*()_+\-={}\\|;':",./<>?`~])([0-9a-zA-Z\!\[\]@#$%^&*()_+\-={}\\|;':",./<>?`~])*$
-- this gives me more control for sql injection issues.

This works also ^.*(?=.{8,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\W]).*$
but Not the Underscore character... by definition I think. OK.

However how to re-write it so it works with all engines??????

thank you for your help


Lit




Guest

Alexey,

Still testing and it is working so far...

specifically what does "?=." mean?

?=.{pattern} means that it must contain at least one character from
the {pattern}

For example, in our expression it is for

?=.*\d - must contain at least one digit
?=.*[a-z] - must contain one lowercase
?=.*[A-Z] - must contain one uppercase

The syntax is explained here: http://msdn2.microsoft.com/en-us/library/ae5bf541(VS.80).aspx

That is a combination of the "(?=pattern)" and the "."

Note, that this is about JScript regular expression syntax which is
used in the ValidationControl, on the client. On the server, Regex
syntax has to be used (Jesse is right, it will be slightly different,
I didn't pay attention on that in my first post).
 
Jesse Houwing

Hello Lit,
Hi Jesse,

I am using the following so far and it seems to work

(?=^.{8,}$)(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\!\[\]@#$%^&*()_+\-={}\\|;':",./<>?`~])([0-9a-zA-Z\!\[\]@#$%^&*()_+\-={}\\|;':",./<>?`~])*$
-- this gives me more control for sql injection issues.
This works also
^.*(?=.{8,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\W]).*$ but Not the
Underscore character... by definition I think. OK.

However how to re-write it so it works with all engines??????

thank you for your help

I just looked in the Regular Expression Pocket Reference (a must have little
book if you need to write multi platform regexes at some point in your career)
and Look aheads (?=...) and (?!...) are supported by the Javascript spec,
though it does not mention from which version onwards (couldn't find that
on the net either, but modern browsers should all work I guess). I must have
confused look behinds (which aren't supported) (?<=...) and (?<!...). More
information on look arounds can be found here:

http://www.regular-expressions.info/lookaround.html

http://www.regular-expressions.info/lookaround2.html



As I said, if you split it into separate regex validators each taking one
part of the expression, you'll be more flexible. Leaving the expression easier
to read as well and you'll be able to provide the user with more specific
feedback.

ensures there is at least a lower case character
^.*[a-z].*$

ensures there is at least an upper case character
^.*[A-Z].*$

ensures there is at least a number (can also be written as ^.*\d.*$)
^.*[0-9].*$

ensures there is one of your required punctuation characters, just include
the underscore if you want it. (in serverside only mode you could use ^.*\p{P}.*$
to capture all possible punctuation).
^.*[\W_].*$

for length checks use a RangeValidator. Also check for the maximum length.
Your field in the DB will surely have a max length.


Apart from the whole issue of the regex and if it will work, I would not
be trusting regex validators on your input to prevent SQL injection. You're
better off making sure you have all your parameters being passed using the
Parameters collection of the DBCommand objects you're using. That will protect
you an awful lot more than any regex on the input. Also note that the input
is restricted to at least one of the above groups, but that the actual input
is free. The first group .{8,} allows basically any characters as long as
there are more than 8. So if I put in '/*Aa9-*/; drop database; it should
still accept it. No protection whatsoever when you're not using proper
DBParameters.

See http://msdn2.microsoft.com/en-us/library/yy6y35y8(VS.80).aspx for an
explanation on commands and parameters.


Jesse Houwing
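
The two points of the post above, as an added example that is not part of the original thread: Python's `re` and `sqlite3` stand in for the ASP.NET validators and the DBCommand Parameters collection, and the table name `demo_input` and the rule names are made up for the illustration. It checks each rule with its own pattern, shows that the sample string from the post satisfies every rule, and then stores that string through a bound parameter.

```python
import re
import sqlite3

# Combined look-ahead pattern quoted in the thread (the \W variant).
COMBINED = re.compile(r"^.*(?=.{8,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\W]).*$")

# One pattern per rule, as suggested in the post, so that each failure
# can be reported on its own. The rule names are this example's own.
RULES = [
    ("lower", re.compile(r"^.*[a-z].*$")),
    ("upper", re.compile(r"^.*[A-Z].*$")),
    ("digit", re.compile(r"^.*[0-9].*$")),
    ("punctuation", re.compile(r"^.*[\W_].*$")),
]
MIN_LEN, MAX_LEN = 8, 30  # the bounds used in the thread's patterns

# Sample input taken from the post above.
SAMPLE = "'/*Aa9-*/; drop database;"


def failed_rules(password):
    """Return the names of the rules the password does not satisfy."""
    failed = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        failed.append("length")
    failed += [name for name, rx in RULES if not rx.search(password)]
    return failed


def store_with_parameter(value):
    """Insert value through a bound parameter and read the table back."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("CREATE TABLE demo_input (value TEXT)")
        # The value is bound to the placeholder and is never parsed as
        # SQL, so it is stored as data whatever characters it contains.
        conn.execute("INSERT INTO demo_input (value) VALUES (?)", (value,))
        stored = [r[0] for r in conn.execute("SELECT value FROM demo_input")]
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")]
    finally:
        conn.close()
    return stored, tables


if __name__ == "__main__":
    for pw in ("abCD12!!", "abcdefgh", SAMPLE):
        print(repr(pw), bool(COMBINED.search(pw)), failed_rules(pw))
    # The complexity rules accept SAMPLE; only the parameter keeps it inert.
    print(store_with_parameter(SAMPLE))
```
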




Lit

Alexey,

Thanks for your help, I will follow the link and read it.

Lit



Lit

Alexey,

good catch, thanks again,

Lit


Anon User said:
Yes you are right I have the option on "\W" that works also except for
UnderScore character which is I suppose a character by definition.

by the way, according to [1] you probably need "\w" and not "\W"

\w = Matches any word character including underscore. Equivalent to
'[A-Za-z0-9_]'.
\W = Matches any nonword character. Equivalent to '[^A-Za-z0-9_]'.

[1]
http://msdn2.microsoft.com/en-us/library/ae5bf541(VS.80).aspx
 
Lit

Hi Jesse,

I am doing a client validation then a server validation in case client
validation has been compromised and bypassed somehow, and using
sqlParameters.

I did not think of using multiple validationControls and that is a good
idea. It does make things simpler.

Thanks for the Advice and links etc..

Lit




Jesse Houwing

Hello Lit,
Hi Jesse,

I am doing a client validation then a server validation incase if
client validation has been compromised and bypassed somehow, and
using sqlParameters.

As a defense against SQL Injection, only the last one will really help you.
As I mentioned before you're allowing enough characters through to allow for
sql injection regardless of all your extra validations. It's the SQL Parameters
that are your true defense.
I did not think of using multiple validationControls and that is a
good idea. It does make things simpler.

Thanks for the Advice and links etc..

You're welcome.

Jesse

Lit

Hello Jesse,

I agree, thanks again for all you help.

Lit

