validating 2 passwords

Question

mukororokudo 0 Newbie Poster

13 Years Ago

hello guys .. here i go again .. i'm having a problem with my registration form .. my reg. form has 'password' field and 'confirm password' password field .. now i want to compare if the 2 passwords are entered the same but it doesn't seem to work .. its always saying that passwords does not match even if it really does .. i'm using the traditional 'if' statement and tried almost all possible ways on how to solve this problem but to no avail .. do i have to use special function to compare passwords ? ..

mysql_connect('localhost' , 'root' , '');
mysql_select_db('login_db');
$user=$_POST["user"];
$pass=$_POST["pass"];
$pass2=$_POST["pass2"];
$title=$_POST["title"];
$name=$_POST["name"];
$add=$_POST["add"];
$email=$_POST["email"];


$query = "insert into members (username , password , title , name , address , email) values ('{$user}' , '{$pass}' , '{$title}' , '{$name}' , '{$add}' , '{$email}' )";

if(empty($user) || empty($pass) || empty($pass2) || empty($title) || empty($name) || empty($add) || empty($email))
	{
	include "signup_form.php";
	echo "<br><br><center>Please Fill Out Empty Fields ....";
	}

elseif($_POST["pass"] != $pass2)
	{
	include "signup_form.php";
	echo "<br><br><center>Passwords Does Not Match ...";
	}
	
elseif(@mysql_query($query))
	{
	include "confirm.php";
	}
	
else
	{
	echo "<br><br><center>ERROR !!!";
	}
	
	
mysql_close();
?>

THANKS IN ADVANCE ..

php

3 Contributors
8 Replies
108 Views
1 Day Discussion Span
Latest Post 13 Years Ago Latest Post by rajesh205

diafol

13 Years Ago

You're not escaping form data, e.g. with mysql_real_escape_string().
You've got the insert BEFORE you validate. Why?

$query = "insert into members (username , password , title , name , address , email) values ('{$user}' , '{$pass}' , '{$title}' , '{$name}' , '{$add}' , '{$email}' )";

You don't need braces around the variables, but it won't hurt.

diafol

13 Years Ago

> and about the mysql_real_escape_string() .. what does it do ? ..

the php manual is but a click away...http://php.net

Edited 13 Years Ago by diafol because: n/a

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

mukororokudo 0 Newbie Poster · Answer 1 · 2011-09-25T18:15:09+00:00

You're not escaping form data, e.g. with mysql_real_escape_string().
You've got the insert BEFORE you validate. Why?
$query = "insert into members (username , password , title , name , address , email) values ('{$user}' , '{$pass}' , '{$title}' , '{$name}' , '{$add}' , '{$email}' )";
You don't need braces around the variables, but it won't hurt.

no i haven't inserted it yet .. i've just put it into a variable .. as you can see i have inserted it after the elseif condition of validating the PWs ..
and about the mysql_real_escape_string() .. what does it do ? ..

mukororokudo 0 Newbie Poster · Answer 2 · 2011-09-25T20:55:14+00:00

> and about the mysql_real_escape_string() .. what does it do ? ..
the php manual is but a click away...http://php.net

is it the cause of not validating passwords ? ..

diafol · Answer 3 · 2011-09-25T22:05:46+00:00

I'll say it again... You're updating the DB BEFORE you validate, so your validation code in pointless. passwords with a " or ' in them will cause an error on query unless they are sanitized with mysql_real_escape_string. This is how SQL injections are completed.

mukororokudo 0 Newbie Poster · Answer 4 · 2011-09-26T08:10:37+00:00

I'll say it again... You're updating the DB BEFORE you validate, so your validation code in pointless. passwords with a " or ' in them will cause an error on query unless they are sanitized with mysql_real_escape_string. This is how SQL injections are completed.

i already do it .. but the it still says that the 2 passwords do not match ..

<?php
$host="localhost";
$username=""; 
$password=""; 
$db_name="login_db"; 
$tbl_name="members"; 


mysql_connect('localhost', 'root', '')or

die("cannot connect");

mysql_select_db("$db_name")or die("cannot select DB");

$user=$_POST["user"];
$pass=$_POST["pass"];
$confirm_pass=$_POST["vpass"];
$title=$_POST["title"];
$name=$_POST["name"];
$add=$_POST["add"];
$email=$_POST["email"];

$user=stripslashes($user);
$pass=stripslashes($pass);
$confirm_pass=stripslashes($confirm_pass);
$user=mysql_real_escape_string($user);
$pass=mysql_real_escape_string($pass);
$confirm_pass=mysql_real_escape_string($confirm_pass);


$query = "insert into members (username , password , title , name , address , email) values ('{$user}' , '{$pass}' , '{$title}' , '{$name}' , '{$add}' , '{$email}' )";



	if(empty($user) || empty($pass) || empty($confirm_pass) || empty($title) || empty($name) || empty($add) || empty($email))
	{
	$problem=true;
	include "signup_form.php";
	echo "<br><br><center>Please Fill Out Empty Fields ....";
	}

	elseif(strcmp($pass,$confirm_pass) != 0)
	{
	$problem=true;
	include "signup_form.php";
	echo "<br><br><center>Passwords does not match ! ...";
	}
	
	elseif(@mysql_query($query))	
		{	
		include "confirm.php";
		}
	
	else
		{
		
		echo "FAILED !";
		}		
	
		
	
mysql_close();
?>

mukororokudo 0 Newbie Poster · Answer 5 · 2011-09-26T09:08:51+00:00

NVM .. i figured it out myself .. but still thanks for your time .. i really appreciate it ..

rajesh205 0 Newbie Poster · Answer 6 · 2011-09-27T10:33:17+00:00

why don't you chech by inserting the confirm password also into the database because in database confirm password will be empyt according to your code