I am playing with a script to validate the user input on a password update form, and have hit a snag. The requirements for the password are as follows.

1. Greater than 8 characters.
2. Must contain at least one letter, one number, and one special character.

I have been playing with ereg and preg_match but haven't even come close to meeting these criteria. Here is where I am at now. The length restriction works, as does the characters that can be used, but it doesn't require at least one of each character type.

The howtos on ereg and preg_match are confusing. Can someone bump me in the right direction please?

<?php
$newpass = $_POST['newpass'];
if(preg_match('^([a-zA-Z0-9@*#]{8,15})$^',$newpass)) {
echo "Password matches criteria. Contains all types of characters.";
} else {
echo "Password fails testing. Missing at least one type of character.";
};
?>

Edited: Updated code still does not function correctly..

I've never been a big fan of complex regular expressions. I just broke it down into manageable conditions.

Thanks for helping me out crabboy, this regular expression stuff is making me pull out my hair. A couple of questions:

1. Doesn't the code below state that as long as it is between 8-15 characters, contains the letters a-z (or A-Z), contains the numbers 1-9, and contains anything other than the two above, it will pass. I was told that ^ means not and the third criteria seems to say anything else matches.

if ( strlen( $newpass ) > 8 && strlen($newpass) < 15 )
if ( preg_match('([a-zA-Z])',$newpass))
if ( preg_match('([0-9])',$newpass))
if ( preg_match('([^a-zA-Z0-9])',$newpass))
$good = true;

My boss is trying to make me learn regexp in PHP and would like to see me make it one preg_match. I have gotten pretty close to solving it, but the code below still rejects "aaa123!@&" as containing illegal characters.
Here is where I am so far..

<?php
$newpass = $_POST['newpass'];
if(preg_match("/^([a-zA-Z])|^([0-9])|^([\!\@\*\%\^\&])/", $newpass)) {
echo "Password contains illegal characters!";
} else {
echo "Password passes preg_match test!!";
};

?>

I know I am close here but just can't seem to make it work as I read it.

Well, the ([^a-zA-Z0-9]) checks for one character that is not a number or an alpha character, meaning special characters. The regex that you have is only checking for 6 special characters, when you could have many more special chars in a password. Like brackets, dashes, equal sign, colon ...

I'm sure most bosses that are not teachers would prefer less complex more maintainable code.

I asked him about special characters needed in the allowed password and his reply was to include any of the shift-number keys.

Updated..

I broke up my preg_match to see which part was broken and this is what I come up with..

<?php
$newpass = $_POST['newpass'];
if(preg_match("/^[a-zA-Z]+$/i", $newpass)) {
if(preg_match("/^[0-9]+$/i", $newpass)) {
if(preg_match("/^[\!\@\#\$\%\^\&\*\(\)\-\_\+\=]+$/i", $newpass)) {
echo "Password meets all criteria";
} echo "Password fails alpha check<br>";
} echo "Password fails numeric check<br>";
} echo "Password fails special character check<br>";
?>

If I pass it "a" it says failed numerical and special checks. If I pass it a "A1" is says it fails special character check, but if I pass it just a "1" or "!" it simply says it fails special character checks. How does a "1" or a "!" make it through my alpha check to be rejected by the others? Shouldn't it fail alpha and exit?