Hi there,

I am trying to make every effort in making the registration process as secure as possible. One way of doing this, I was told, was to ensure that a user registering on the site MUST enter a password that is encrypted in the database (done) and to ensure they enter an alphanumeric password.

In my user.rb file I have various rules of validation, such as password length, email address validation, etc. I want to make sure users enter an alphanumeric password. So far I have this:

validates_format_of :password,
  :with => /^[\w\.\-\+]+$/,
  :message => "must contain alpha and numeric characters!"

However, I can still enter just numerics if I want...

The above validates_format_of rule was taken from this site: http://guides.rubyonrails.org/security.html#good-passwords

If I leave the password blank, the message "must contain alpha and numeric characters!" does get output on the site, but it isn't working as I want...

Any ideas? Thanks for your help!
RubyonRails_newbie wrote:
> One way of doing this, I was told, was to ensure that a user registering on
> the site MUST enter a password that is encrypted in the database
> (done) and to ensure they enter an alphanumeric password.

If you want security, then don't restrict users to alphanumeric passwords. It's harder to guess passwords if they also contain punctuation marks.

> validates_format_of :password,
>   :with => /^[\w\.\-\+]+$/,
>   :message => "must contain alpha and numeric characters!"
>
> However, I can still enter just numerics if I want...
>
> Any ideas?

You'll need a custom validation routine for this. A single regex will not be sufficient.

Best,
--
Marnen Laibow-Koser
http://www.marnen.org
marnen-sbuyVjPbboAdnm+yROfE0A@public.gmane.org
--
Posted via http://www.ruby-forum.com/.
I'd think the easiest way to allow people to use whatever characters they want would be not to use validates_format_of at all.

-eric

On Sep 19, 7:06 am, Marnen Laibow-Koser <rails-mailing-l...@andreas-s.net> wrote:
> If you want security, then don't restrict users to alphanumeric
> passwords. It's harder to guess passwords if they also contain
> punctuation marks.
>
> You'll need a custom validation routine for this. A single regex will
> not be sufficient.
First, please use the white list, not the black list, in the regex. Second, please validate the length of the input data.

/^[\d\w]+$/i

2009/9/20 Eric <ericghill-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> I'd think the easiest way to allow people to use whatever characters
> they want would be not to use validates_format_of at all.
>
> -eric

--
Code our future
Name : Wang Pengcheng
Nick : QJGui

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
On 20.09.2009 at 05:46, Wang Pengcheng wrote:
> First, please use the white list, not the black list, in the regex.
> Second, please validate the length of the input data.
>
> /^[\d\w]+$/i

As a side note, and if you insist on being pedantic, I'd suggest using \A and \Z to delimit the beginning and the end of the whole string in the regex, as opposed to ^ and $, which only match the beginning and the end of a line in Ruby. Who knows, maybe one of your users will try to use a password with a newline in it ;-)

Felix
Thanks for your words. I am sorry for my words.

/\A[\d\w]+\Z/im

2009/9/20 Felix Schäfer <schaefer-SjIeUF6ADzXby3iVrkZq2A@public.gmane.org>
> As a side note, and if you insist on being pedantic, I'd suggest using
> \A and \Z to delimit the beginning and the end of the whole string in
> the regex, as opposed to ^ and $, which only match the beginning and the
> end of a line in Ruby. Who knows, maybe one of your users will try to use
> a password with a newline in it ;-)
>
> Felix

--
Code our future
Name : Wang Pengcheng
Nick : QJGui

Sent from Wuhan, 42, China
2009/9/20 Wang Pengcheng <wpc0000-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>:
> Thanks for your words. I am sorry for my words.
>
> /\A[\d\w]+\Z/im

I think the point of the OP's post was that he wanted the user to have to enter alphabetic _and_ numeric characters, not to limit them to only those characters.

Colin
I am sorry for misunderstanding the author's needs. Waiting for a solution. :-)

2009/9/20 Colin Law <clanlaw-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org>
> I think the point of the OP's post was that he wanted the user to have
> to enter alphabetic _and_ numeric characters, not to limit them to
> only those characters.
>
> Colin

--
Code our future
Name : Wang Pengcheng
Nick : QJGui

Sent from Wuhan, 42, China
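The thread ends without the check itself being written. The Ruby below is an added example, not code from any of the posters or from Rails, covering the three points made above: Marnen's (a single format regex cannot express "letters AND digits", and restricting the character set weakens passwords), Felix's (^ and $ are line anchors in Ruby, so \A and \Z are needed for whole-string matching) and Colin's (the OP wanted at least one letter and at least one digit, not only those characters). PasswordPolicy, MIN_LENGTH = 8 and the sample passwords are assumptions; the OP's own length rule is not shown in the thread. The module is plain Ruby so it runs without Rails; the anchor report also shows a detail Felix's post does not mention, namely that Ruby's \Z still accepts a trailing newline while \z does not.

```ruby
# Added example, not code from the thread or from Rails. PasswordPolicy and
# MIN_LENGTH are assumed names; the OP's own length rule is not shown.
module PasswordPolicy
  MIN_LENGTH = 8

  # The OP's regex as posted: ^ and $ are LINE anchors in Ruby, so this also
  # matches any string whose FIRST line is alphanumeric.
  LINE_ANCHORED   = /^[\w\.\-\+]+$/
  # Felix's suggestion: \A is the start of the string, but \Z still matches
  # just before a final "\n".
  STRING_ANCHORED = /\A[\w\.\-\+]+\Z/
  # \z is the absolute end of the string: the anchor to use when the whole
  # value must match.
  STRICT_ANCHORED = /\A[\w\.\-\+]+\z/

  # What the OP actually wanted (Colin's reading): at least one letter AND at
  # least one digit, with no restriction on the other characters, so
  # punctuation is allowed (Marnen's point). Returns an array of messages;
  # an empty array means the password passes.
  def self.errors_for(password)
    pw = password.to_s
    errors = []
    errors << "must be at least #{MIN_LENGTH} characters" if pw.length < MIN_LENGTH
    errors << "must contain at least one letter" unless pw.match?(/[[:alpha:]]/)
    errors << "must contain at least one digit"  unless pw.match?(/[[:digit:]]/)
    errors << "must not contain line breaks"     if pw.match?(/[\r\n]/)
    errors
  end

  def self.valid?(password)
    errors_for(password).empty?
  end

  # Shows how each anchoring style treats the same input.
  def self.anchor_report(str)
    {
      line_anchored:   LINE_ANCHORED.match?(str),
      string_anchored: STRING_ANCHORED.match?(str),
      strict_anchored: STRICT_ANCHORED.match?(str),
    }
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample passwords: digits only, letters only, too short,
  # and one with punctuation that the OP's regex would have rejected.
  ["12345678", "abcdefgh", "abc123", "Tr0ub4dor&3"].each do |pw|
    puts "#{pw.inspect}: #{PasswordPolicy.errors_for(pw).inspect}"
  end
  # Constructed inputs with embedded and trailing newlines.
  ["abc123", "abc123\n", "abc123\n<script>"].each do |s|
    puts "#{s.inspect}: #{PasswordPolicy.anchor_report(s)}"
  end
end
```

To wire this into the user.rb from the question, declare `validate :password_policy` in the model and, in that method, call `errors.add(:password, msg)` for each message returned by `PasswordPolicy.errors_for(password)`. Current Rails versions refuse a `validates_format_of` regex that uses `^` or `$` unless `:multiline => true` is passed, for exactly the reason Felix gives.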