start date: Tue, 14 Aug 2007 09:48:09 -0700,
posted on: microsoft.public.dotnet.framework.aspnet
Regular Expression
Hi,
I am looking for a Regular expression for a password for my RegExp
ValidationControl
Requirements are,
At least 8 characters long.
At least one digit [0-9]
At least one upper case character [A-Z]
At least one lower case character [a-z]
At least one special character: []{};':",./?><=+-_)(*&^%$#@!~` ---
this is difficult?
How do you escape []() etc... \[?
Thank you,
Lit
Date:Tue, 14 Aug 2007 09:48:09 -0700
Re: Regular Expression
Tried this
(?=^.{8,30}$)(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()_+}{"":;'?/>.<,]).*$
and it does NOT work
Any Ideas?
Thank You,
Lit
Date:Tue, 14 Aug 2007 10:05:04 -0700
Re: Regular Expression
On Aug 14, 7:05 pm, "Lit" wrote:
> Tried this
> (?=^.{8,30}$)(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()_+}{"":;'?/>.<,]).*$
> and it does NOT work
> Any Ideas?
>
> Thank You,
>
> Lit
This should work
^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\[\]{};':\",\.\/\?\>\<\=\+\-_\)\(*&\^\%$#@\!~`]).{8,30}$
One of the errors in your expression is that you didn't mark the special
characters like ! ? $ etc. with a leading \
Date:Tue, 14 Aug 2007 10:40:19 -0700
Re: Regular Expression
Alexey,
I tried
^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\[\]{};':\",\.\/\?\>\<\=\+\-_\)\(*&\^\%$#@\!~`]).{8,30}$
on abCD12!! and it does not validate if Failed???
Thank You,
Lit
Date:Tue, 14 Aug 2007 10:58:52 -0700
Re: Regular Expression
On Aug 14, 7:58 pm, "Lit" wrote:
> Alexey,
>
> I tried
> ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\[\]{};':\",\.\/\?\>\<\=\+\-_\)\(*&\^\%$#@\!~`]).{8,30}$
> on abCD12!! and it does not validate if Failed???
>
> Thank You,
>
> Lit
>
It seems that the control doesn't like it... Okay, the following code is
supposed to work as expected
<asp:TextBox ID="txtName" runat="server"/>
<asp:Button ID="btnSubmit" runat="server" Text="Submit" />
<asp:RegularExpressionValidator ID="regexpName"
    runat="server"
    ErrorMessage="This expression does not validate."
    ControlToValidate="txtName"
    ValidationExpression="(?=^.{8,}$)(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\!\[\]])([0-9a-zA-Z\!\[\]])*$" />
For the test I use only !, [, and ] to validate, simply add all others.
Date:Tue, 14 Aug 2007 12:23:22 -0700
Re: Regular Expression
Hello Alexey,
> This should work
>
> ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])
> (?=.*[\[\]{};':\",\.\/\?\>\<\=\+\-_\)\(*&\^\%$#@\!~`]) .{8,30}$
>
> One of the errors in your expression is that the special characters
> like ! ? $ etc. you don't marked with leading \
>
There is no need to escape them in a character class.
Lit, which part of the regex isn't working? Have you tried the separate parts?
--
Jesse Houwing
jesse.houwing at sogeti.nl
Date:Tue, 14 Aug 2007 19:47:40 +0000 (UTC)
Re: Regular Expression
Alexey,
This seems to pass for now, I don't understand it however.
What does ?=.*\d mean exactly? This looks like a conditional RegExp??
Are you also saying I need to add the rest of the special characters
(?=.*[\!\[\]])([0-9a-zA-Z\!\[\]])*$
like
(?=.*[\!\[\]@#$%^&*()_+-={}|\:";'//?,.<>~`])([0-9a-zA-Z\!\[\]@#$%^&*()_+-={}|\:";'//?,.<>~`])*$
Is this correct? I will be testing but any input from you is greatly
appreciated.
Thanks for your help.
Lit
Date:Tue, 14 Aug 2007 12:59:04 -0700
Re: Regular Expression
Hello Alexey,
If you're using a regex in a clientside rendering control (like the RegexValidator)
you need to restrict yourself to functions which are supported by the JScript
(and Javascript) engines. Look aheads (?=...) usually do not work in clientside
languages.
You could split the regex up into multiple regex validators:
^.*[A-Z].*$
^.*[a-z].*$
^.*[0-9].*$
^.*[punctuation].*$
and a range validator to ensure it has the correct length.
Alternatively you could also set the ClientValidate property of the regex
to false. That should enable the more advanced regex tricks serverside, but
would result in a postback to validate the textbox.
Also, in a character class you only need to escape characters which are special
in a character class: \ [ ] -. All other characters should be allowed in
there without an escaping \ in front of them.
--
Jesse Houwing
jesse.houwing at sogeti.nl
Date:Tue, 14 Aug 2007 19:53:20 +0000 (UTC)
Re: Regular Expression
On Aug 14, 9:59 pm, "Lit" wrote:
> Alexey,
>
> This seems to pass for now, I don't understand it however.
> What does ?=.*\d mean exactly? This looks like a conditional RegExp??
\d is for 0..9
> Are you also saying I need to add the rest of the special characters
>
> (?=.*[\!\[\]])([0-9a-zA-Z\!\[\]])*$
>
> like
>
> (?=.*[\!\[\]@#$%^&*()_+-={}|\:";'//?,.<>~`])([0-9a-zA-Z\!\[\]@#$%^&*()_+-={}|\:";'//?,.<>~`])*$
>
yes, like this
the first part
(?=.*[ ])
is to tell that at least one of the characters within the range is
required
the second part
([0-9a-zA-Z........)*$
is for validation of the input.
Jesse said that there is no need to escape using \ (maybe except for the
two \[ \] )
Jesse, am I right?
Actually, Lit, I think you may also have "\W" to pass any character,
because I think you put almost all characters in your expression.
Anyway, it looks like the last expression I sent you is working, hope
you can use it
Date:Tue, 14 Aug 2007 13:15:27 -0700
Re: Regular Expression
Alexey,
Still testing and it is working so far...
specifically what does "?=." mean?
Yes you are right I have the option on "\W" that works also except for
UnderScore character which is I suppose a character by definition.
I am a bit worried now because of what Jesse Houwing said about some engines
will not work.
How to re-write the expression so all engines will accept is beyond me.
Jesse Houwing?????
Thanks Alexey
Lit
Date:Tue, 14 Aug 2007 13:50:08 -0700
Re: Regular Expression
Hi Jesse,
I am using the following so far and it seems to work
(?=^.{8,}$)(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\!\[\]@#$%^&*()_+\-={}\\|;':",./<>?`~])([0-9a-zA-Z\!\[\]@#$%^&*()_+\-={}\\|;':",./<>?`~])*$
-- this gives me more control for sql injection issues.
This works also ^.*(?=.{8,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\W]).*$
but Not the Underscore character... by definition I think. OK.
However how to re-write it so it works with all engines??????
thank you for your help
Lit
Date:Tue, 14 Aug 2007 13:53:00 -0700
Re: Regular Expression
On Aug 14, 10:50 pm, "Lit" wrote:
> Alexey,
>
> Still testing and it is working so far...
>
> specifically what does "?=." mean?
>
?=.{pattern} means that it must contain at least one character from
the {pattern}
For example, in our expression it is for
?=.*\d - must contain at least one digit
?=.*[a-z] - must contain one lowercase
?=.*[A-Z] - must contain one uppercase
The syntax is explained here: http://msdn2.microsoft.com/en-us/library/ae5bf541(VS.80).aspx
That is a combination of the "(?=pattern)" and the "."
Note, that this is about JScript regular expression syntax which is
used in the ValidationControl, on the client. On the server, Regex
syntax has to be used (Jesse is right, it will be slightly different,
I didn't pay attention to that in my first post).
Date:Tue, 14 Aug 2007 14:14:16 -0700
Re: Regular Expression
On Aug 14, 10:50 pm, "Lit" wrote:
> Yes you are right I have the option on "\W" that works also except for
> UnderScore character which is I suppose a character by definition.
>
by the way, according to [1] you probably need "\w" and not "\W"
\w = Matches any word character including underscore. Equivalent to
'[A-Za-z0-9_]'.
\W = Matches any nonword character. Equivalent to '[^A-Za-z0-9_]'.
[1]
http://msdn2.microsoft.com/en-us/library/ae5bf541(VS.80).aspx
Date:Tue, 14 Aug 2007 14:19:36 -0700
Re: Regular Expression
Hello Lit,
> Hi Jesse,
>
> I am using the following so far and it seems to work
>
> (?=^.{8,}$)(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\!\[\]@#$%^&*()_+\-={}\\|;':",./<>?`~])([0-9a-zA-Z\!\[\]@#$%^&*()_+\-={}\\|;':",./<>?`~])*$
> -- this gives me more control for sql injection issues.
> This works also
> ^.*(?=.{8,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\W]).*$ but Not the
> Underscore character... by definition I think. OK.
>
> However how to re-write it so it works with all engines??????
>
> thank you for your help
I just looked in the Regular Expression Pocket Reference (a must have little
book if you need to write multi platform regexes at some point in your career)
and Look aheads (?=...) and (?!...) are supported by the Javascript spec,
though it does not mention from which version onwards (couldn't find that
on the net either, but modern browsers should all work I guess). I must have
confused look behinds (which aren't supported) (?<=...) and (?<!...). More
information on look arounds can be found here:
http://www.regular-expressions.info/lookaround.html
http://www.regular-expressions.info/lookaround2.html
As I said, if you split it into separate regex validators each taking one
part of the expression, you'll be more flexible. Leaving the expression easier
to read as well and you'll be able to provide the user with more specific
feedback.
ensures there is at least a lower case character
^.*[a-z].*$
ensures there is at least an upper case character
^.*[A-Z].*$
ensures there is at least a number (can also be written as ^.*\d.*$)
^.*[0-9].*$
ensures there is one of your required punctuation characters, just include
the underscore if you want it. (in serverside only mode you could use ^.*\p{P}.*$
to capture all possible punctuation).
^.*[\W_].*$
for length checks use a RangeValidator. Also check for the maximum length.
Your field in the DB will surely have a max length.
Apart from the whole issue of the regex and if it will work, I would not
be trusting regex validators on your input to prevent SQL injection. You're
better off making sure you have all your parameters being passed using the
Parameters collection of the DBCommand objects you're using. That will protect
you an awful lot more than any regex on the input. Also note that the input
is restricted to at least one of the above groups, but that the actual input
is free. The first group .{8,} allows basically any characters as long as
there are more than 8. So if I put in '/*Aa9-*/; drop database; it should
still accept it. No protection whatsoever when you're not using proper
DBParameters.
See http://msdn2.microsoft.com/en-us/library/yy6y35y8(VS.80).aspx for an
explanation on commands and parameters.
Jesse Houwing
--
Jesse Houwing
jesse.houwing at sogeti.nl
Date:Tue, 14 Aug 2007 21:21:54 +0000 (UTC)
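The split-rule approach from the post above, as an added example that is not part of the thread, written in JavaScript because that is the engine the client-side validator uses. It checks each requirement separately, builds the special-character class with only the escapes a class needs, shows the range that an unescaped `+-=` run creates, and confirms that the string quoted in the post satisfies the whole policy. The names `RULES`, `checkPassword`, `toCharClass`, `classAccepts` and the messages are assumptions of this example; the 8 to 30 length bound is taken from the thread's expression.

```javascript
// Added example, not code from the thread. Rule names and messages are
// illustrative; the 8-30 length bound is taken from the thread's expression.

// Special characters listed in the original question.
const SPECIALS = "[]{};':\",./?><=+-_)(*&^%$#@!~`";

// Build a character class from a literal list of characters. Inside a class
// only \ [ ] - need a backslash; ^ is escaped as well because it would negate
// the class if it happened to come first.
function toCharClass(chars) {
  return "[" + chars.replace(/[\\\[\]\-^]/g, "\\$&") + "]";
}

const SPECIAL_CLASS = new RegExp(toCharClass(SPECIALS));

// One rule per requirement, so every failure can be reported on its own.
const RULES = [
  { name: "length",  message: "Use 8 to 30 characters.",
    test: (s) => s.length >= 8 && s.length <= 30 },
  { name: "digit",   message: "Add at least one digit.",
    test: (s) => /[0-9]/.test(s) },
  { name: "upper",   message: "Add at least one upper case letter.",
    test: (s) => /[A-Z]/.test(s) },
  { name: "lower",   message: "Add at least one lower case letter.",
    test: (s) => /[a-z]/.test(s) },
  { name: "special", message: "Add at least one special character.",
    test: (s) => SPECIAL_CLASS.test(s) },
];

// Returns the names of the rules the candidate fails (empty array = accepted).
function checkPassword(password) {
  return RULES.filter((rule) => !rule.test(password)).map((rule) => rule.name);
}

// The same policy as a single lookahead expression, built from the same class.
const COMBINED = new RegExp(
  "^(?=.*\\d)(?=.*[a-z])(?=.*[A-Z])(?=.*" + toCharClass(SPECIALS) + ").{8,30}$"
);

// Pitfall: an unescaped '-' between two characters is a range, so [+-=]
// accepts everything from '+' to '=' in code-point order, digits included.
function classAccepts(classSource, ch) {
  return new RegExp("^" + classSource + "$").test(ch);
}

// Constructed sample inputs; the last is the string quoted in the post above.
const SAMPLES = ["abCD12!!", "abcd1234", "Passw0rd", "'/*Aa9-*/; drop database;"];

function report() {
  return SAMPLES.map((pw) => ({
    input: pw,
    failed: checkPassword(pw),
    combined: COMBINED.test(pw),
  }));
}

console.log(report());
console.log("[+-=] accepts 5:", classAccepts("[+-=]", "5"));
console.log("[+\\-=] accepts 5:", classAccepts("[+\\-=]", "5"));
```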
Re: Regular Expression
Alexey,
Thanks for your help, I will follow the link and read it.
Lit
Date:Tue, 14 Aug 2007 15:32:35 -0700
Re: Regular Expression
Alexey,
good catch, thanks again,
Lit
Date:Tue, 14 Aug 2007 15:33:53 -0700
Re: Regular Expression
Hi Jesse,
I am doing a client validation then a server validation in case client
validation has been compromised and bypassed somehow, and using
sqlParameters.
I did not think of using multiple validationControls and that is a good
idea. It does make things simpler.
Thanks for the Advice and links etc..
Lit
Date:Tue, 14 Aug 2007 15:45:08 -0700
Re: Regular Expression
Hello Lit,
> Hi Jesse,
>
> I am doing a client validation then a server validation in case
> client validation has been compromised and bypassed somehow, and
> using sqlParameters.
As a defense against SQL Injection, only the last one will really help you.
As I mentioned before you're allowing enough characters through to allow for
sql injection regardless of all your extra validations. It's the SQL Parameters
that are your true defense.
> I did not think of using multiple validationControls and that is a
> good idea. It does make things simpler.
>
> Thanks for the Advice and links etc..
You're welcome.
Jesse
>
> Lit
>
> "Jesse Houwing" <jesse.houwing@newsgroup.nospam> wrote in message
> news:21effc90e9c18c9ace108fdb69d@news.microsoft.com...
>
>> Hello Lit,
>>
>>> Hi Jesse,
>>>
>>> I am using the following so far and it seems to work
>>>
>>> (?=^.{8,}$)(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\!\[\]@#$%^&*()_+\-={
>>> }\
>>> \|;':",./<>?`~])([0-9a-zA-Z\!\[\]@#$%^&*()_+\-={}\\|;':",./<>?`~])*$
>>> -- this gives me more control for sql injection issues.
>>> This works also
>>> ^.*(?=.{8,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\W]).*$ but Not the
>>> Underscore character... by definition I think. OK.
>>> However how to re-write it so it works with all engines??????
>>>
>>> thank you for your help
>>>
>> I just looked in the Regular Expression Pocket Reference (a must have
>> little book if you need to write multi platform regexes at some poitn
>> in your career) and Look aheads (?=...) and (?!...) are supported by
>> the Javascript spec, though it does not mention from which version
>> onwards (couldn't find that on teh net eiter, but modern browsers
>> should all work I guess). I must have confused look behinds (which
>> aren't supported) (?<=...) and (?<!...). More information on look
>> arounds can be found here:
>>
>> http://www.regular-expressions.info/lookaround.html
>>
>> http://www.regular-expressions.info/lookaround2.html
>>
>> As I said, if you split it into seperate regex validators each taking
>> one part of the expression, you'll be more flexible. Leaving the
>> expression easier to read as well and you'll be able to provide the
>> user with more specific feedback.
>>
>> ensures there is at least a lower case character
>> ^.*[a-z].*$
>> ensures there is at least an upper case character
>> ^.*[A-Z].*$
>> ensures there is at least a number (can also be written as ^.*\d.*$)
>> ^.*[0-9].*$
>> ensures there is one of your required punctuation characters, just
>> include
>> the underscore if you want it. (in serverside only mode you could use
>> ^.*\p{P}.*$ to capture all possible punctuation).
>> ^.*[\W_].*$
>> for length checks use a RangeValidator. Also check for the maximum
>> length.
>> Your field in the DB will surely have a max length.
>> Apart from the whole issue of the regex and if it will work, I would
>> not be trusting regex validators on your input to prevent SQL
>> injection. You're better off making sure you have all your parameters
>> being passed using the Parameters collection of the DBCommand objects
>> you're using. That will protect you an awful lot more than any regex
>> on the input. Also note that the input is restricted to at least one
>> of the above groups, but that the actual input is free. the first
>> group .{8,} allows basically any characters as long as there are more
>> than 8. So if I put in '/*Aa9-*/; drop database; it should still
>> accespt it. No protection what so ever when you're not using proper
>> DBParameters.
>>
>> See http://msdn2.microsoft.com/en-us/library/yy6y35y8(VS.80).aspx for
>> an explanation on commands and parameters.
>>
>> Jesse Houwing
>>
>>> Lit
>>>
>>> "Jesse Houwing" <jesse.houwing@newsgroup.nospam> wrote in message
>>> news:21effc90e8f18c9acd3def05fb1@news.microsoft.com...
>>>
>>>> Hello Alexey,
>>>>
>>>>> On Aug 14, 7:05 pm, "Lit" wrote:
>>>>>
>>>>>> Tried this
>>>>>> (?=^.{8,30}$)(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()_+}{"":;'?/>.<,]?).*$
>>>>>> and it does NOT work
>>>>>> Any Ideas?
>>>>>> Thank You,
>>>>>> Lit
>>>>>> "Lit" wrote in message
>>>>>>
>>>>>> news:OuVSmLp3HHA.1204@TK2MSFTNGP03.phx.gbl...
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I am looking for a Regular expression for a password for my
>>>>>>> RegExp ValidationControl
>>>>>>>
>>>>>>> Requirements are,
>>>>>>>
>>>>>>> At least 8 characters long.
>>>>>>> At least one digit [0-9]
>>>>>>> At least one upper case character [A-Z]
>>>>>>> At least one lower case character [a-z]
>>>>>>> At least one special character:
>>>>>>> []{};':",./?><=+-_)(*&^%$#@!~`
>>>>>>> ---
>>>>>>> this is difficult?
>>>>>>> How do you escape []() etc... \[?
>>>>>>> Thank you,
>>>>>>> Lit
>>>>>>>
>>>>>>
>>>>> This should work
>>>>>
>>>>> ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])
>>>>> (?=.*[\[\]{};':\",\.\/\?\>\<\=\+\-_\)\(*&\^\%$#@\!~`]) .{8,30}$
>>>>> One of the errors in your expression is that the special characters
>>>>> like ! ? $ etc. are not marked with a leading \
>>>> There is no need to escape them in a character class.
>>>>
>>>> Lit, which part of the regex isn't working. Have you tried the
>>>> separate parts?
>>>>
>>>> --
>>>> Jesse Houwing
>>>> jesse.houwing at sogeti.nl
>> --
>> Jesse Houwing
>> jesse.houwing at sogeti.nl
--
Jesse Houwing
jesse.houwing at sogeti.nl
Date:Wed, 15 Aug 2007 08:10:18 +0000 (UTC)
Author:
|
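The split-validator approach described in the message above, as an added example that is not code from any poster in this thread: each requirement is its own rule with its own message. The rule names, messages and the 30-character maximum are assumptions; the last sample is the string quoted in the thread, and it passes every rule, which is why these checks are no substitute for SQL parameters.

```javascript
// Added example: one rule per requirement, so each failure gets its own message.
// Rule names, messages and the 30-character maximum are assumptions.
const RULES = [
  { name: "length", message: "Use 8 to 30 characters.",
    test: (s) => s.length >= 8 && s.length <= 30 },
  { name: "lower", message: "Add a lower case letter.",
    test: (s) => /[a-z]/.test(s) },
  { name: "upper", message: "Add an upper case letter.",
    test: (s) => /[A-Z]/.test(s) },
  { name: "digit", message: "Add a digit.",
    test: (s) => /[0-9]/.test(s) },
  // \W alone skips "_" because underscore is a word character; [\W_] includes it.
  { name: "special", message: "Add a special character.",
    test: (s) => /[\W_]/.test(s) },
];

// Names of the rules a candidate fails; an empty array means it is accepted.
function failedRules(candidate) {
  return RULES.filter((rule) => !rule.test(candidate)).map((rule) => rule.name);
}

// User-facing messages for the failed rules, in rule order.
function feedback(candidate) {
  return RULES.filter((rule) => !rule.test(candidate)).map((rule) => rule.message);
}

// The same policy as one lookahead expression (constructed for comparison).
const COMBINED = /^(?=.{8,30}$)(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\W_]).*$/;

function combinedAccepts(candidate) {
  return COMBINED.test(candidate);
}

// Constructed sample inputs; the last one is the string quoted in the thread.
const SAMPLES = ["short", "Passw0rd", "Pass_w0rd", "'/*Aa9-*/; drop database;"];

for (const sample of SAMPLES) {
  const failed = failedRules(sample);
  console.log(JSON.stringify(sample), failed.length ? failed.join(", ") : "accepted");
}
```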
Re: Regular Expression
Hello Jesse,
I agree, thanks again for all your help.
Lit
"Jesse Houwing" <jesse.houwing@newsgroup.nospam> wrote in message
news:21effc90ebae8c9ad3b9dd7ebc1@news.microsoft.com...
> Hello Lit,
>
>> Hi Jesse,
>>
>> I am doing a client validation then a server validation in case
>> client validation has been compromised and bypassed somehow, and
>> using sqlParameters.
>
> As a defense against SQL Injection, only the last one will really help
> you. As I mentioned before you're allowing enough characters through to
> allow for sql injection regardless of all your extra validations. It's the
> SQL Parameters that are your true defense.
>
>> I did not think of using multiple validationControls and that is a
>> good idea. It does make things simpler.
>>
>> Thanks for the Advice and links etc..
>
> You're welcome.
>
> Jesse
>
>>
>> Lit
>>
>> "Jesse Houwing" <jesse.houwing@newsgroup.nospam> wrote in message
>> news:21effc90e9c18c9ace108fdb69d@news.microsoft.com...
>>
>>> Hello Lit,
>>>
>>>> Hi Jesse,
>>>>
>>>> I am using the following so far and it seems to work
>>>>
>>>> (?=^.{8,}$)(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\!\[\]@#$%^&*()_+\-={}\\|;':",./<>?`~])([0-9a-zA-Z\!\[\]@#$%^&*()_+\-={}\\|;':",./<>?`~])*$
>>>> -- this gives me more control for sql injection issues.
>>>> This works also
>>>> ^.*(?=.{8,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\W]).*$ but Not the
>>>> Underscore character... by definition I think. OK.
>>>> However how to re-write it so it works with all engines??????
>>>>
>>>> thank you for your help
>>>>
>>> I just looked in the Regular Expression Pocket Reference (a must have
>>> little book if you need to write multi platform regexes at some point
>>> in your career) and Look aheads (?=...) and (?!...) are supported by
>>> the Javascript spec, though it does not mention from which version
>>> onwards (couldn't find that on the net either, but modern browsers
>>> should all work I guess). I must have confused look behinds (which
>>> aren't supported) (?<=...) and (?<!...). More information on look
>>> arounds can be found here:
>>>
>>> http://www.regular-expressions.info/lookaround.html
>>>
>>> http://www.regular-expressions.info/lookaround2.html
>>>
>>> As I said, if you split it into separate regex validators each taking
>>> one part of the expression, you'll be more flexible. Leaving the
>>> expression easier to read as well and you'll be able to provide the
>>> user with more specific feedback.
>>>
>>> ensures there is at least a lower case character
>>> ^.*[a-z].*$
>>> ensures there is at least an upper case character
>>> ^.*[A-Z].*$
>>> ensures there is at least a number (can also be written as ^.*\d.*$)
>>> ^.*[0-9].*$
>>> ensures there is one of your required punctuation characters, just include
>>> the underscore if you want it. (in serverside only mode you could use
>>> ^.*\p{P}.*$ to capture all possible punctuation).
>>> ^.*[\W_].*$
>>> for length checks use a RangeValidator. Also check for the maximum length.
>>> Your field in the DB will surely have a max length.
>>>
>>> Apart from the whole issue of the regex and if it will work, I would
>>> not be trusting regex validators on your input to prevent SQL
>>> injection. You're better off making sure you have all your parameters
>>> being passed using the Parameters collection of the DBCommand objects
>>> you're using. That will protect you an awful lot more than any regex
>>> on the input. Also note that the input is restricted to at least one
>>> of the above groups, but that the actual input is free. The first
>>> group .{8,} allows basically any characters as long as there are more
>>> than 8. So if I put in '/*Aa9-*/; drop database; it should still
>>> accept it. No protection whatsoever when you're not using proper
>>> DBParameters.
>>>
>>> See http://msdn2.microsoft.com/en-us/library/yy6y35y8(VS.80).aspx for
>>> an explanation on commands and parameters.
>>>
>>> Jesse Houwing
>>>
>>>> Lit
>>>>
>>>> "Jesse Houwing" <jesse.houwing@newsgroup.nospam> wrote in message
>>>> news:21effc90e8f18c9acd3def05fb1@news.microsoft.com...
>>>>
>>>>> Hello Alexey,
>>>>>
>>>>>> On Aug 14, 7:05 pm, "Lit" wrote:
>>>>>>
>>>>>>> Tried this
>>>>>>> (?=^.{8,30}$)(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()_+}{"":;'?/>.<,]?).*$
>>>>>>> and it does NOT work
>>>>>>> Any Ideas?
>>>>>>> Thank You,
>>>>>>> Lit
>>>>>>> "Lit" wrote in message
>>>>>>>
>>>>>>> news:OuVSmLp3HHA.1204@TK2MSFTNGP03.phx.gbl...
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I am looking for a Regular expression for a password for my
>>>>>>>> RegExp ValidationControl
>>>>>>>>
>>>>>>>> Requirements are,
>>>>>>>>
>>>>>>>> At least 8 characters long.
>>>>>>>> At least one digit [0-9]
>>>>>>>> At least one upper case character [A-Z]
>>>>>>>> At least one lower case character [a-z]
>>>>>>>> At least one special character:
>>>>>>>> []{};':",./?><=+-_)(*&^%$#@!~`
>>>>>>>> ---
>>>>>>>> this is difficult?
>>>>>>>> How do you escape []() etc... \[?
>>>>>>>> Thank you,
>>>>>>>> Lit
>>>>>>>>
>>>>>>>
>>>>>> This should work
>>>>>>
>>>>>> ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])
>>>>>> (?=.*[\[\]{};':\",\.\/\?\>\<\=\+\-_\)\(*&\^\%$#@\!~`]) .{8,30}$
>>>>>> One of the errors in your expression is that the special characters
>>>>>> like ! ? $ etc. are not marked with a leading \
>>>>> There is no need to escape them in a character class.
>>>>>
>>>>> Lit, which part of the regex isn't working. Have you tried the
>>>>> separate parts?
>>>>>
>>>>> --
>>>>> Jesse Houwing
>>>>> jesse.houwing at sogeti.nl
>>> --
>>> Jesse Houwing
>>> jesse.houwing at sogeti.nl
> --
> Jesse Houwing
> jesse.houwing at sogeti.nl
>
>
Date:Wed, 15 Aug 2007 09:00:36 -0700
Author:
|