hello guys .. here i go again .. i'm having a problem with my registration form .. my reg. form has a 'password' field and a 'confirm password' field .. now i want to check whether the 2 passwords entered are the same but it doesn't seem to work .. it's always saying that the passwords do not match even if they really do .. i'm using the traditional 'if' statement and have tried almost every possible way to solve this problem but to no avail .. do i have to use a special function to compare passwords ? ..

<?php
mysql_connect('localhost' , 'root' , '');
mysql_select_db('login_db');
$user=$_POST["user"];
$pass=$_POST["pass"];
$pass2=$_POST["pass2"];
$title=$_POST["title"];
$name=$_POST["name"];
$add=$_POST["add"];
$email=$_POST["email"];


$query = "insert into members (username , password , title , name , address , email) values ('{$user}' , '{$pass}' , '{$title}' , '{$name}' , '{$add}' , '{$email}' )";

if(empty($user) || empty($pass) || empty($pass2) || empty($title) || empty($name) || empty($add) || empty($email))
	{
	include "signup_form.php";
	echo "<br><br><center>Please Fill Out Empty Fields ....";
	}

elseif($_POST["pass"] != $pass2)
	{
	include "signup_form.php";
	echo "<br><br><center>Passwords Does Not Match ...";
	}
	
elseif(@mysql_query($query))
	{
	include "confirm.php";
	}
	
else
	{
	echo "<br><br><center>ERROR !!!";
	}
	
	
mysql_close();
?>

THANKS IN ADVANCE ..

diafol

You're not escaping form data, e.g. with mysql_real_escape_string().
You've got the insert BEFORE you validate. Why?

$query = "insert into members (username , password , title , name , address , email) values ('{$user}' , '{$pass}' , '{$title}' , '{$name}' , '{$add}' , '{$email}' )";

You don't need braces around the variables, but it won't hurt.

no i haven't inserted it yet .. i've just put it into a variable .. as you can see i have inserted it after the elseif condition of validating the PWs ..
and about the mysql_real_escape_string() .. what does it do ? ..

diafol

> and about the mysql_real_escape_string() .. what does it do ? ..

the php manual is but a click away... http://php.net

is it the cause of not validating passwords ? ..

diafol

I'll say it again... You're updating the DB BEFORE you validate, so your validation code is pointless. Passwords with a " or ' in them will cause an error on query unless they are sanitized with mysql_real_escape_string. This is how SQL injections are completed.
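The two points raised in this thread (validate before the insert runs, and never interpolate form data into the SQL string), as an added example that is not part of the original posts. It uses PDO prepared statements and password_hash() in place of mysql_real_escape_string(), because the mysql_* extension was removed in PHP 7. The function name register_member() and the in-memory SQLite table are assumptions made so the block runs offline; field and column names are taken from the posted code.

```php
<?php
// Added example, not the poster's code. Assumes PHP >= 5.6 with pdo_sqlite; an
// in-memory SQLite table stands in for login_db.members so it runs offline.
function register_member(PDO $pdo, array $post)
{
    $fields = array('user', 'pass', 'vpass', 'title', 'name', 'add', 'email');
    $in = array();
    foreach ($fields as $f) {
        // Read raw values: no stripslashes() or escaping before validation.
        $in[$f] = isset($post[$f]) && is_string($post[$f]) ? $post[$f] : '';
        if ($in[$f] === '') {
            return 'Please fill out empty fields';
        }
    }
    // Compare the two raw passwords with a strict, binary-safe comparison.
    if (!hash_equals($in['pass'], $in['vpass'])) {
        return 'Passwords do not match';
    }
    // The statement is prepared only after validation, and values are bound,
    // never interpolated, so quotes in any field cannot change the SQL.
    $stmt = $pdo->prepare(
        'INSERT INTO members (username, password, title, name, address, email)
         VALUES (:user, :hash, :title, :name, :address, :email)'
    );
    $stmt->execute(array(
        ':user'    => $in['user'],
        ':hash'    => password_hash($in['pass'], PASSWORD_DEFAULT), // store a hash only
        ':title'   => $in['title'],
        ':name'    => $in['name'],
        ':address' => $in['add'],
        ':email'   => $in['email'],
    ));
    return 'ok';
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (username TEXT, password TEXT, title TEXT,
            name TEXT, address TEXT, email TEXT)');

// Constructed sample input: quotes in the password and name fields.
$post = array('user' => 'obrien', 'pass' => 'it\'s "secret"', 'vpass' => 'it\'s "secret"',
              'title' => 'Mr', 'name' => "O'Brien", 'add' => '1 Example St',
              'email' => 'obrien@example.com');
echo register_member($pdo, $post), "\n";                             // matching passwords
echo register_member($pdo, array('vpass' => 'other') + $post), "\n"; // mismatched confirm field
$row = $pdo->query('SELECT name, password FROM members')->fetch(PDO::FETCH_ASSOC);
echo $row['name'], ' ', var_export(password_verify($post['pass'], $row['password']), true), "\n";
```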

i already do it .. but it still says that the 2 passwords do not match ..

<?php
$host="localhost";
$username=""; 
$password=""; 
$db_name="login_db"; 
$tbl_name="members"; 


mysql_connect('localhost', 'root', '') or die("cannot connect");

mysql_select_db("$db_name")or die("cannot select DB");

$user=$_POST["user"];
$pass=$_POST["pass"];
$confirm_pass=$_POST["vpass"];
$title=$_POST["title"];
$name=$_POST["name"];
$add=$_POST["add"];
$email=$_POST["email"];

$user=stripslashes($user);
$pass=stripslashes($pass);
$confirm_pass=stripslashes($confirm_pass);
$user=mysql_real_escape_string($user);
$pass=mysql_real_escape_string($pass);
$confirm_pass=mysql_real_escape_string($confirm_pass);


$query = "insert into members (username , password , title , name , address , email) values ('{$user}' , '{$pass}' , '{$title}' , '{$name}' , '{$add}' , '{$email}' )";



	if(empty($user) || empty($pass) || empty($confirm_pass) || empty($title) || empty($name) || empty($add) || empty($email))
	{
	$problem=true;
	include "signup_form.php";
	echo "<br><br><center>Please Fill Out Empty Fields ....";
	}

	elseif(strcmp($pass,$confirm_pass) != 0)
	{
	$problem=true;
	include "signup_form.php";
	echo "<br><br><center>Passwords does not match ! ...";
	}
	
	elseif(@mysql_query($query))	
		{	
		include "confirm.php";
		}
	
	else
		{
		
		echo "FAILED !";
		}		
	
		
	
mysql_close();
?>

NVM .. i figured it out myself .. but still thanks for your time .. i really appreciate it ..

why don't you check by inserting the confirm password also into the database, because in the database the confirm password will be empty according to your code
