PREG_MATCH: alphanumeric, length, char check in one statement

[xProteuSx]

I'm creating a registration, and need users to add a password that is alphanumeric, 8-20 characters in length, and contains at least one number and one letter.  I got this to work:

 

if ((!ereg("^([a-zA-Z0-9]){8,20}$", $_POST['password'])) || (!preg_match("#^.*(?=.*\d)(?=.*[a-z]).*$#i", $_POST['password'])))

  { $error = true; }

 

However, I am wondering if I can do this with a single preg_match statement.

 

This complex ereg and preg_match stuff makes me light headed ...

 

I haven't been able to find a similar example anywhere.  Thanks in advance.

[Pikachu2000]

I'm not a regex wizard, but I do know that ereg is deprecated.

[xyph]

Wait... so a partial goal of this snippet is to LIMIT the allowed types characters in a password?

 

Why?

 

What's wrong with my password containing a non alpha-numeric character?

[xProteuSx]

Yes, I would like to limit the password by disallowing non alphanumeric characters ... client's request.  Can this be done in one preg_match statement?

[salathe]

Of course you can.

 

/^(?=[a-zA-Z0-9]{8,20}$)(?=.*?\d)(?=.*?[a-zA-Z])/

 

This approach uses "look aheads" (?=...) anchored at the start of the string which might look a bit odd at first. The pattern basically says, at the start of the subject string does it a) contain only alphanumeric characters between 8 and 20 in length, b) contain something (or nothing) then a digit, and c) contain something (or nothing) followed by a letter.

 

Reading:

http://www.regular-expressions.info/anchors.html

http://www.regular-expressions.info/lookaround.html

[ManiacDan]

Also, as a consultant, part of your job is to tell a client when they're purposely making their system less secure and less functional.  My passwords always contain non alphanum characters.  Do you know why?  Because that's what you're supposed to do.  Making your passwords less secure is a bad idea, and you should at least mention that.