From 21ad06603c5b74da73b8be6f9c16624797052c0a Mon Sep 17 00:00:00 2001
From: Thies Mueller <git@td00.de>
Date: Fri, 8 Jan 2021 20:44:05 +0100
Subject: [PATCH] added regex for password reset

---
 resetpass.php | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/resetpass.php b/resetpass.php
index ec7afc6..c0ccd61 100644
--- a/resetpass.php
+++ b/resetpass.php
@@ -41,10 +41,19 @@ if(sha1($code) != $user['passwordcode']) {
 if(isset($_GET['send'])) {
  $password = $_POST['password'];
  $password_confirm = $_POST['password_confirm'];
- 
+  //regexes for passvalidation:
+    $REuppercase = preg_match('@[A-Z]@', $password);
+    $RElowercase = preg_match('@[a-z]@', $password);
+    $REnumber    = preg_match('@[0-9]@', $password);
+    $REspecialChars = preg_match('@[^\w]@', $password);
  if($password != $password_confirm) {
  echo "password or confirmed password wrong";
- } else { 
+ }
+ if(!$REuppercase || !$RElowercase || !$REnumber || !$REspecialChars || strlen($password) < 8) {
+    echo '<color="red">Password needs to be more complex.</color><br />';
+    echo '<i>Please implement at least 8 chars, upper & downer caser, one number & one special char.</i><br />';
+    $error = true;
+}  else { 
  $passwordhash = password_hash($password, PASSWORD_DEFAULT);
  $statement = $pdo->prepare("UPDATE users SET password = :passwordhash, passwordcode = NULL, passwordcode_time = NULL WHERE id = :userid");
  $result = $statement->execute(array('passwordhash' => $passwordhash, 'userid'=> $userid ));