Simple password validation in PHP

Question

I'm a beginner to PHP trying to learn the basics of validating form data. I want to check if the password has been set, and if it has then to further check if it is the right length and has the right characters etc.

//check if set
if (empty($_POST['password']) {

    //further validate - check length, characters etc
    if (myFunction(($_POST['password'])) {
        //success
        $password = $_POST['password'];
    }
    else {
        $error = "Password must be at least 8 characters and contain at least one number";
    }
}
else {
    $error = "Password is required";
}

The problem I'm having is if the user enters "0" as a password, the empty() function treats this as empty, and they're given the "Password is required" error, rather than the "Password must have..." etc error.

Using the isset() function instead wouldn't work either because an empty field would return an empty string, which would be considered to be set.

At the moment I have a workaround where I have a further conditional to check if the password is set to "0", but there must be a more elegant way.

Apologies if this has been covered in another question, I couldn't find anything. Thanks

Answer 1

The 'PHP Type Comparison Table' is your friend.
http://php.net/manual/en/types.comparisons.php

To check if the password has been set.

// Check if it has been set and contains characters.
if (isset($_POST['password']) && strlen($_POST['password']) > 0)
{
    // Passed, now check for the right length, characters, etc.
    if (myFunction(($_POST['password']))
    {
        // Success.
        $password = $_POST['password'];
    } else {
        // Error.
        $error = "Password must be at least 8 characters and contain at least one number";
    }
} else {
    // Failed.
    $error = "Password is required";
}

If you require help with your 'myFunction()' function to check length, characters, etc then you will need to post that code as well.

Hope this helps.

Answer 2

If you are just learning the basics, then use the function below. However, do remember in a live environment you will want to be hashing passwords properly. Read this link for more info: http://php.net/manual/en/faq.passwords.php

    function PasswordCheck($password_string)
    {
        $password_string = trim($password_string);
        if($password_string == '')
        {
            die("Password not entered");
        }
        elseif(strlen($password_string) < 8)
        {
        die("Password must be more than 8 characters in length");
        }
        elseif(!(preg_match('#[0-9]#', $password_string)))
        {
            die("Password must contain at least one number");
        }
        else
        {
        //Success, now process password
        }
    }

    $password = $_POST['password'];
    PasswordCheck($password);

Answer 3

0 is considered to be empty in php. (source: http://php.net/empty )

You could get around this by checking if it is empty or if there is nothing in the string, or if it is exactly null, like so:

if ((empty($_POST['password']) || ($_POST['password']=='') ||
 ($_POST['password']===null) ) {

  ...
 }

This should cover all your bases, however it is easy to check that something is there than checking a negative (I find it cognitively easier), such as making sure the password is entered, instead of checking to see whether it is not entered

Answer 4

please don't forget to use htmlspecialchars once before you use $_POST to make sure no XSS scripting attacK. Isset function is better than empty in your case. Additonally if you want user to get at least 8 characters and contain one number, use regular expression it is much better.

Answer 5

You can use is_null() function or:

if ($_POST['password']==NULL)

Answer 6

Use isset() (and possibly strlen(trim()), not empty(). Although the way this code is shown, it will process only an empty password, and give an error to anyone who puts in a password.

if(isset($_POST['password']) && strlen(trim($_POST['password']))){
   //process
}else{
   //error 
}