*** login.php	2011-10-21 09:25:39.000000000 -0400
--- login_1.php	2011-10-21 09:22:25.000000000 -0400
***************
*** 8,14 ****
  }
  
  function check_input($input){
!   if(preg_match("/^[\@a-zA-Z0-9_\:\,\(\)]/", $input) && strlen($input) <= 15){
      return true; 
    }        
    else{
--- 29,35 ----
  }
  
  function check_input($input){
!   if(preg_match("/^[\@a-zA-Z0-9_\:\,\(\)]+$/", $input) && strlen($input) <= 15){  
      return true; 
    }        
    else{
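Review bot: The anchor added on the changed line still lets a single trailing newline through, because PCRE's `$` matches before a final `\n` unless the `D` modifier is set, so a value like `"alice\n"` passes check_input even though `\n` is outside the character class. Use `\z` (or the `D` modifier) instead: `if(preg_match("/^[\@a-zA-Z0-9_\:\,\(\)]+\z/", $input) && strlen($input) <= 15){`. A one-line header comment stating the contract would also help a later reader, e.g. `// Accepts only 1-15 bytes drawn from [@A-Za-z0-9_:,()]; returns true, otherwise false.` check_input's else branch continues outside the hunk.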
***************
*** 17,22 ****
--- 38,54 ----
    }
  } 
  
+ # rejecting NULLs or empty strings because they end-up doing an anonymous LDAP bind
+ function legal_password($input){
+   global $logger;
+   if (isset($input) && !is_null($input) && !empty($input)) {
+     return true;
+   } else {
+     $logger->info("Empty passwords are explicitly rejected");
+     return false;
+   }
+ }
+ 
  //TODO are we being too difficult on what we accept as a password? ie: pass starting with ; is invalid
  function check_sensitive_input($input){
    if(preg_match("/^[\@a-zA-Z0-9_\:\,\(\)]/", $input) && strlen($input) <= 15){
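Review bot: legal_password rejects the password `"0"`, because `empty()` treats the string `'0'` as empty, and the `isset` and `!is_null` tests are redundant with it; `if ($input !== null && $input !== '') {` expresses the NULL-or-empty rule in the header comment exactly. The `global $logger` is dereferenced unconditionally in the else branch, so if no logger has been configured the rejection path fails with an error instead of returning false; a `$logger !== null` guard, or `$logger?->info(...)` on PHP 8, would keep the reject path safe. Separately, the context line for check_sensitive_input still uses the unanchored `^[...]` pattern that the first hunk fixed in check_input, so the password filter only inspects the first character; that function starts at the end of this hunk and its body continues outside it.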
***************
*** 165,171 ****
      }
    }
  
!   if (isset($_POST['username'], $_POST['password']) && check_input($_POST['username']) && check_sensitive_input($_POST['password'])) {
      $hash = validate_user($_POST['username'], $_POST['password']);
      if(!$hash || !isset($_COOKIE['test'])){
        $failed = true;
--- 227,233 ----
      }
    }
  
!    if (isset($_POST['username'], $_POST['password']) && check_input($_POST['username']) && legal_password($_POST['password']) && check_sensitive_input($_POST['password'])) {  
      $hash = validate_user($_POST['username'], $_POST['password']);
      if(!$hash || !isset($_COOKIE['test'])){
        $failed = true;
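Review bot: The changed `if` line is indented four spaces where the surrounding block uses two and carries trailing whitespace, which will surface as noise in the next diff; align it with the line it replaces. The guard also lets array-valued fields through to the string validators, since `isset` is satisfied by an array; adding `is_string($_POST['username']) && is_string($_POST['password'])` before the validator calls keeps preg_match and strlen from running on a non-string, which would presumably only emit warnings rather than reject cleanly. The enclosing block begins and ends outside this hunk.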
