This trick will show you how to implement Password Policies (Password Rules) in websites generated by PHPMaker 9. This is very useful, since security is one of the most important things that must be handled seriously and carefully in your web applications, especially when your users register an account or change their password. Most of the time we have to force users to comply with these policies/rules. Unfortunately, PHPMaker 9 has not implemented Strong Password Policies completely yet.
The good news is that I have successfully added Strong Password Policies (Strong Password Rules) to websites generated by PHPMaker 9. After implementing the following customization, you can enable or disable each policy by adjusting the related constants in your configuration (ewcfg9.php) file. You may implement some or even all of the password policies below easily and quickly.
For example, suppose you only want to implement the following policies:
Password must be at least 6 characters long and must contain at least one numeric character, one alpha character, and one uppercase character
and you want to skip the other policies. Then simply adjust the related constants for the first, third, fourth, and fifth policy items below in your configuration (ewcfg9.php) file. In other words, you can change your Strong Password Policies at any time, easily and quickly, in your web applications.
Here are the Strong Password Policies/Rules available after implementing the customization:
- Password length must be at least the configured minimum length.
- Password length must be at most the configured maximum length.
- Password must include at least one numeric character.
- Password must include at least one alpha character.
- Password must include at least one uppercase character.
- Password must include at least one symbol/special character.
- When changing the password, the new password cannot be the same as the old password.
Besides those policies/rules, PHPMaker already handles other policies itself, such as whether the password is case-sensitive, or whether the password must be changed periodically (password expiry time in days).
Updated on July 22, 2012: This customization has been applied to PHPMaker version 9.0.3; the customization and that version's template match each other, and it works properly.
Updated on September 5, 2012: This customization has been applied to PHPMaker version 9.0.4; the customization and that version's template match each other, and it works properly.
Updated on November 29, 2012: This customization has been applied to PHPMaker version 9.1.0; the customization and that version's template match each other, and it works properly.
Updated on February 9, 2013: This customization has been applied to PHPMaker version 9.2.0; the customization and that version's template match each other, and it works properly.
Updated on June 17, 2013: The customization below is now handled by the MasinoChangePwd and MasinoRegister extensions. You don't need to implement the customization below if you use my extensions together with the original PHPMaker Template and Extension files.
[hidepost]
Now let's get started. Please follow the steps below:

1. Open your \Script\ewcfg.php file, and find this code:

// General

Before that line, insert the following code:

// Begin of modification Strong Password Policies/Rules, by Masino Sinaga, June 11, 2012
// Note: the third argument (TRUE) makes the constant name case-insensitive; it is deprecated
// since PHP 7.3 and ignored with a warning in PHP 8, so drop it on newer PHP versions.
define("MS_PASSWORD_MINIMUM_LENGTH", 6, TRUE); // default minimum 6 characters
define("MS_PASSWORD_MAXIMUM_LENGTH", 20, TRUE); // default maximum 20 characters
define("MS_PASSWORD_MUST_COMPLY_WITH_MIN_LENGTH", TRUE, TRUE);
define("MS_PASSWORD_MUST_COMPLY_WITH_MAX_LENGTH", TRUE, TRUE);
define("MS_PASSWORD_MUST_INCLUDE_AT_LEAST_ONE_NUMBER", TRUE, TRUE);
define("MS_PASSWORD_MUST_INCLUDE_AT_LEAST_ONE_LETTER", TRUE, TRUE);
define("MS_PASSWORD_MUST_INCLUDE_AT_LEAST_ONE_CAPS", TRUE, TRUE);
define("MS_PASSWORD_MUST_INCLUDE_AT_LEAST_ONE_SYMBOL", TRUE, TRUE);
define("MS_PASSWORD_MUST_DIFFERENT_OLD_AND_NEW", TRUE, TRUE);
// End of modification Strong Password Policies/Rules, by Masino Sinaga, June 11, 2012
2. Open your C:\Program Files\PHPMaker 9\languages\english.xml file, and find this code:

</global>

Before that line, insert the following code:

<phrase id="ErrorPassTooShort" value="Password too short. Minimum %n characters."/>
<phrase id="ErrorPassTooLong" value="Password too long. Maximum %n characters."/>
<phrase id="ErrorPassDoesNotIncludeNumber" value="Password must contain at least one numeric character."/>
<phrase id="ErrorPassDoesNotIncludeLetter" value="Password must contain at least one alpha character."/>
<phrase id="ErrorPassDoesNotIncludeCaps" value="Password must contain at least one uppercase character."/>
<phrase id="ErrorPassDoesNotIncludeSymbol" value="Password must contain at least one symbol or special character."/>
<phrase id="ErrorPassCouldNotBeSame" value="Password cannot be the same between old and new."/>

Do the same with your other .xml language files. For example, I also use Indonesian, so I add the same phrases to my C:\Program Files\PHPMaker 9\languages\indonesian.xml file:

<phrase id="ErrorPassTooShort" value="Kata sandi terlalu singkat. Minimum %n karakter."/>
<phrase id="ErrorPassTooLong" value="Kata sandi terlalu panjang. Maksimum %n karakter."/>
<phrase id="ErrorPassDoesNotIncludeNumber" value="Kata sandi harus mengandung sedikitnya satu karakter angka."/>
<phrase id="ErrorPassDoesNotIncludeLetter" value="Kata sandi harus mengandung sedikitnya satu karakter huruf."/>
<phrase id="ErrorPassDoesNotIncludeCaps" value="Kata sandi harus mengandung sedikitnya satu karakter huruf besar."/>
<phrase id="ErrorPassDoesNotIncludeSymbol" value="Kata sandi harus mengandung sedikitnya satu karakter simbol."/>
<phrase id="ErrorPassCouldNotBeSame" value="Kata sandi lama tidak boleh sama dengan kata sandi baru."/>
3. Before doing the next step, make sure you have closed the PHPMaker application. This is important, because the next step changes your phpcodebase.xml file, which is part of the PHPMaker application itself.

4. Open your C:\Program Files\PHPMaker 9\src\phpcodebase.xml file, and find this code:

function User_ChangePassword(&$rs, $usr, $oldpwd, &$newpwd) {
    // Return FALSE to abort
    return TRUE;
}

Then replace it with the following code:

function User_ChangePassword(&$rs, $usr, $oldpwd, &$newpwd) {
    // Begin of modification Strong Password Policies/Rules, by Masino Sinaga, June 12, 2012
    global $Language;
    $isError = FALSE;
    // Note: setFailureMessage() overwrites the previous message, so the user is only told
    // about the last rule that failed; all checks still run so $isError is accurate.
    if (MS_PASSWORD_MUST_COMPLY_WITH_MIN_LENGTH==TRUE) {
        if( strlen($newpwd) < MS_PASSWORD_MINIMUM_LENGTH ) {
            $this->setFailureMessage(str_replace("%n", MS_PASSWORD_MINIMUM_LENGTH, $Language->Phrase("ErrorPassTooShort")));
            $isError = TRUE;
        }
    }
    if (MS_PASSWORD_MUST_COMPLY_WITH_MAX_LENGTH==TRUE) {
        if( strlen($newpwd) > MS_PASSWORD_MAXIMUM_LENGTH ) {
            $this->setFailureMessage(str_replace("%n", MS_PASSWORD_MAXIMUM_LENGTH, $Language->Phrase("ErrorPassTooLong")));
            $isError = TRUE;
        }
    }
    if (MS_PASSWORD_MUST_INCLUDE_AT_LEAST_ONE_NUMBER==TRUE) {
        if( !preg_match("#[0-9]+#", $newpwd) ) {
            $this->setFailureMessage($Language->Phrase("ErrorPassDoesNotIncludeNumber"));
            $isError = TRUE;
        }
    }
    if (MS_PASSWORD_MUST_INCLUDE_AT_LEAST_ONE_LETTER==TRUE) {
        // any letter, upper or lower case; "[a-z]" alone would reject an all-uppercase password
        if( !preg_match("#[a-zA-Z]+#", $newpwd) ) {
            $this->setFailureMessage($Language->Phrase("ErrorPassDoesNotIncludeLetter"));
            $isError = TRUE;
        }
    }
    if (MS_PASSWORD_MUST_INCLUDE_AT_LEAST_ONE_CAPS==TRUE) {
        if( !preg_match("#[A-Z]+#", $newpwd) ) {
            $this->setFailureMessage($Language->Phrase("ErrorPassDoesNotIncludeCaps"));
            $isError = TRUE;
        }
    }
    if (MS_PASSWORD_MUST_INCLUDE_AT_LEAST_ONE_SYMBOL==TRUE) {
        // \W is any character other than [A-Za-z0-9_], so "_" does not count as a symbol but a space does
        if( !preg_match("#\W+#", $newpwd) ) {
            $this->setFailureMessage($Language->Phrase("ErrorPassDoesNotIncludeSymbol"));
            $isError = TRUE;
        }
    }
    if (MS_PASSWORD_MUST_DIFFERENT_OLD_AND_NEW==TRUE) {
        // strict comparison: with == PHP treats numeric strings such as "0e1" and "0e2" as equal
        if ($oldpwd===$newpwd) {
            $this->setFailureMessage($Language->Phrase("ErrorPassCouldNotBeSame"));
            $isError = TRUE;
        }
    }
    if ($isError == TRUE) {
        // Return FALSE to abort
        return FALSE;
    } else {
        return TRUE;
    }
    // End of modification Strong Password Policies/Rules, by Masino Sinaga, June 12, 2012
}
5. Open your \Script\share-script.php file, and find this code:

// Return validate result
$ValidateForm = ($gsFormError == "");

Before that line, insert the following code:

// Begin of modification Strong Password Policies/Rules, by Masino Sinaga, June 12, 2012
<!--## if (CTRL.CtrlID == "register") { ##-->
<!--##
// Set security table current
if (ew_IsNotEmpty(PROJ.SecPasswdFld)) {
    FIELD = SECTABLE.Fields(PROJ.SecPasswdFld);
    sPasswordFldName = FIELD.FldName;
##-->
if ($this->CurrentAction <> "I") {
    if (MS_PASSWORD_MUST_COMPLY_WITH_MIN_LENGTH==TRUE) {
        if( strlen($this-><!--##=ew_Quote(sPasswordFldName)##-->->FormValue) < MS_PASSWORD_MINIMUM_LENGTH ) {
            ew_AddMessage($gsFormError, str_replace("%n", MS_PASSWORD_MINIMUM_LENGTH, $Language->Phrase("ErrorPassTooShort")));
        }
    }
    if (MS_PASSWORD_MUST_COMPLY_WITH_MAX_LENGTH==TRUE) {
        if( strlen($this-><!--##=ew_Quote(sPasswordFldName)##-->->FormValue) > MS_PASSWORD_MAXIMUM_LENGTH ) {
            ew_AddMessage($gsFormError, str_replace("%n", MS_PASSWORD_MAXIMUM_LENGTH, $Language->Phrase("ErrorPassTooLong")));
        }
    }
    if (MS_PASSWORD_MUST_INCLUDE_AT_LEAST_ONE_NUMBER==TRUE) {
        if( !preg_match("#[0-9]+#", $this-><!--##=ew_Quote(sPasswordFldName)##-->->FormValue) ) {
            ew_AddMessage($gsFormError, $Language->Phrase("ErrorPassDoesNotIncludeNumber"));
        }
    }
    if (MS_PASSWORD_MUST_INCLUDE_AT_LEAST_ONE_LETTER==TRUE) {
        // any letter, upper or lower case; "[a-z]" alone would reject an all-uppercase password
        if( !preg_match("#[a-zA-Z]+#", $this-><!--##=ew_Quote(sPasswordFldName)##-->->FormValue) ) {
            ew_AddMessage($gsFormError, $Language->Phrase("ErrorPassDoesNotIncludeLetter"));
        }
    }
    if (MS_PASSWORD_MUST_INCLUDE_AT_LEAST_ONE_CAPS==TRUE) {
        if( !preg_match("#[A-Z]+#", $this-><!--##=ew_Quote(sPasswordFldName)##-->->FormValue) ) {
            ew_AddMessage($gsFormError, $Language->Phrase("ErrorPassDoesNotIncludeCaps"));
        }
    }
    if (MS_PASSWORD_MUST_INCLUDE_AT_LEAST_ONE_SYMBOL==TRUE) {
        // \W is any character other than [A-Za-z0-9_], so "_" does not count as a symbol but a space does
        if( !preg_match("#\W+#", $this-><!--##=ew_Quote(sPasswordFldName)##-->->FormValue) ) {
            ew_AddMessage($gsFormError, $Language->Phrase("ErrorPassDoesNotIncludeSymbol"));
        }
    }
}
<!--## } ##-->
<!--## } ##-->
// End of modification Strong Password Policies/Rules, by Masino Sinaga, June 12, 2012

6. Since we use the ValidateForm function, which belongs to the Server Events, to validate the password, we have to enable server-side validation (it is disabled by default). To do this, open your .pmp project file in PHPMaker, go to the PHP tab, click the General Options tab, click the Validation sub-tab, and make sure the Server-side item is checked.
7. Save the project, and then re-generate your script files with PHPMaker as usual.
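To see the seven rules above behave outside of PHPMaker, here is a stand-alone checker written for this page; it is an added example by the editor, not PHPMaker's code and not the customization above. It reuses the same MS_* constant names from step 1 (defined locally if ewcfg9.php is not loaded) and hard-codes the English phrases from step 2 instead of going through $Language. The function name ms_check_password_policy and the sample passwords are this example's own inventions. It assumes the mbstring extension is available. Where it deviates from the regexes in steps 4 and 5, the comment explains the reason.

```php
<?php
// Added example (editor's code, not PHPMaker's and not the tutorial's):
// a stand-alone checker for the password rules described on this page.
// Run it from the command line with: php check.php

// Same constant names as the ewcfg9.php customization; defined here only
// when that file has not been included, so this runs on its own.
if (!defined("MS_PASSWORD_MINIMUM_LENGTH")) {
    define("MS_PASSWORD_MINIMUM_LENGTH", 6);
    define("MS_PASSWORD_MAXIMUM_LENGTH", 20);
    define("MS_PASSWORD_MUST_COMPLY_WITH_MIN_LENGTH", TRUE);
    define("MS_PASSWORD_MUST_COMPLY_WITH_MAX_LENGTH", TRUE);
    define("MS_PASSWORD_MUST_INCLUDE_AT_LEAST_ONE_NUMBER", TRUE);
    define("MS_PASSWORD_MUST_INCLUDE_AT_LEAST_ONE_LETTER", TRUE);
    define("MS_PASSWORD_MUST_INCLUDE_AT_LEAST_ONE_CAPS", TRUE);
    define("MS_PASSWORD_MUST_INCLUDE_AT_LEAST_ONE_SYMBOL", TRUE);
    define("MS_PASSWORD_MUST_DIFFERENT_OLD_AND_NEW", TRUE);
}

/**
 * Check $newpwd against every enabled rule.
 * Returns an array of error strings; an empty array means the password is acceptable.
 * Every violated rule is reported, not only the last one: in the User_ChangePassword
 * event each setFailureMessage() call overwrites the previous message, so the user
 * there only sees one problem per attempt.
 * Pass NULL for $oldpwd on the registration page, where there is no old password.
 * (Hypothetical function name; it does not exist in PHPMaker.)
 */
function ms_check_password_policy($newpwd, $oldpwd = NULL) {
    $errors = array();

    // Count characters, not bytes (assumes the mbstring extension): strlen("Pä1!")
    // is 6 in UTF-8, which would let a 4-character password pass the minimum of 6.
    $len = mb_strlen($newpwd, "UTF-8");
    if (MS_PASSWORD_MUST_COMPLY_WITH_MIN_LENGTH && $len < MS_PASSWORD_MINIMUM_LENGTH) {
        $errors[] = "Password too short. Minimum " . MS_PASSWORD_MINIMUM_LENGTH . " characters.";
    }
    if (MS_PASSWORD_MUST_COMPLY_WITH_MAX_LENGTH && $len > MS_PASSWORD_MAXIMUM_LENGTH) {
        $errors[] = "Password too long. Maximum " . MS_PASSWORD_MAXIMUM_LENGTH . " characters.";
    }
    if (MS_PASSWORD_MUST_INCLUDE_AT_LEAST_ONE_NUMBER && !preg_match('/[0-9]/', $newpwd)) {
        $errors[] = "Password must contain at least one numeric character.";
    }
    // [A-Za-z], not [a-z]: the rule is "at least one alpha character", so an
    // all-uppercase password such as "ABCDEF1!" must satisfy it.
    if (MS_PASSWORD_MUST_INCLUDE_AT_LEAST_ONE_LETTER && !preg_match('/[A-Za-z]/', $newpwd)) {
        $errors[] = "Password must contain at least one alpha character.";
    }
    if (MS_PASSWORD_MUST_INCLUDE_AT_LEAST_ONE_CAPS && !preg_match('/[A-Z]/', $newpwd)) {
        $errors[] = "Password must contain at least one uppercase character.";
    }
    // \W would accept a space as the "symbol" and reject "_" as one; this class counts
    // anything that is not a letter, digit or whitespace (in any script) as a symbol.
    if (MS_PASSWORD_MUST_INCLUDE_AT_LEAST_ONE_SYMBOL && !preg_match('/[^\p{L}\p{N}\s]/u', $newpwd)) {
        $errors[] = "Password must contain at least one symbol or special character.";
    }
    // Strict comparison: with == PHP treats "0e123" and "0e456" as equal numeric strings.
    if (MS_PASSWORD_MUST_DIFFERENT_OLD_AND_NEW && $oldpwd !== NULL && $oldpwd === $newpwd) {
        $errors[] = "Password cannot be the same between old and new.";
    }
    return $errors;
}

// Demo with constructed sample passwords (made up for this example, not from the page).
if (PHP_SAPI === "cli") {
    $samples = array(
        array("abc123", NULL),                  // register: no uppercase, no symbol
        array("ABCDEF1!", NULL),                // register: OK; "[a-z]" alone would reject it
        array("Pä1!", NULL),                    // register: 4 characters but 6 bytes, too short
        array("Secret_2012", NULL),             // register: "_" is the only symbol, accepted here
        array("Secret#2012", "Secret#2012"),    // change password: same as the old one
        array("Secret#2012", "Old#Secret2011"), // change password: OK
    );
    foreach ($samples as $s) {
        $errs = ms_check_password_policy($s[0], $s[1]);
        printf("%-18s %s\n", $s[0], $errs ? implode(" | ", $errs) : "OK");
    }
}
```

If you prefer this form inside a PHPMaker project, the natural places to call it are the User_ChangePassword event from step 4 (join the returned array and pass it to setFailureMessage, returning FALSE when it is non-empty) and the register-page block in step 5 (pass each message to ew_AddMessage); that wiring is a suggestion of this example, not something the tutorial's steps do.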
[/hidepost]
This is excellent!
What about the Registration page?
Thanks for the feedback. I will let you know when the time has come. 🙂
I have just added 2 new steps (5 and 6) for the Registration Page. Please apply steps 5, 6, and 7 again.
Thank you!