
validating 2 passwords

hello guys .. here i go again .. i'm having a problem with my registration form .. my reg. form has a 'password' field and a 'confirm password' field .. now i want to compare if the 2 passwords are entered the same but it doesn't seem to work .. it's always saying that the passwords do not match even if they really do .. i'm using the traditional 'if' statement and tried almost all possible ways to solve this problem but to no avail .. do i have to use a special function to compare passwords ? ..

```php
<?php
mysql_connect('localhost' , 'root' , '');
mysql_select_db('login_db');
$user=$_POST["user"];
$pass=$_POST["pass"];
$pass2=$_POST["pass2"];
$title=$_POST["title"];
$name=$_POST["name"];
$add=$_POST["add"];
$email=$_POST["email"];

$query = "insert into members (username , password , title , name , address , email) values ('{$user}' , '{$pass}' , '{$title}' , '{$name}' , '{$add}' , '{$email}' )";

if(empty($user) || empty($pass) || empty($pass2) || empty($title) || empty($name) || empty($add) || empty($email))
{
    include "signup_form.php";
    echo "<center>Please Fill Out Empty Fields ....";
}
elseif($_POST["pass"] != $pass2)
{
    include "signup_form.php";
    echo "<center>Passwords Does Not Match ...";
}
elseif(@mysql_query($query))
{
    include "confirm.php";
}
else
{
    echo "<center>ERROR !!!";
}

mysql_close();
?>
```

THANKS IN ADVANCE ..

mukororokudo
Newbie Poster
9 posts since Sep 2011
Reputation Points: 10
Solved Threads: 0
 

You're not escaping form data, e.g. with mysql_real_escape_string().
You've got the insert BEFORE you validate. Why?

$query = "insert into members (username , password , title , name , address , email) values ('{$user}' , '{$pass}' , '{$title}' , '{$name}' , '{$add}' , '{$email}' )";


You don't need braces around the variables, but it won't hurt.

diafol
Rhod Gilbert Fan (ardav)
Moderator
7,792 posts since Oct 2006
Reputation Points: 1,170
Solved Threads: 1,080
 

> You're not escaping form data, e.g. with mysql_real_escape_string(). You've got the insert BEFORE you validate. Why?
>
> $query = "insert into members (username , password , title , name , address , email) values ('{$user}' , '{$pass}' , '{$title}' , '{$name}' , '{$add}' , '{$email}' )";
>
> You don't need braces around the variables, but it won't hurt.


no i haven't inserted it yet .. i've just put it into a variable .. as you can see i have inserted it after the elseif condition of validating the PWs ..
and about the mysql_real_escape_string() .. what does it do ? ..

mukororokudo
 

> and about the mysql_real_escape_string() .. what does it do ? ..

the php manual is but a click away... http://php.net

diafol
 

> > and about the mysql_real_escape_string() .. what does it do ? ..
>
> the php manual is but a click away... http://php.net

is it the cause of not validating passwords ? ..

mukororokudo
 

I'll say it again... You're updating the DB BEFORE you validate, so your validation code is pointless. Passwords with a " or ' in them will cause an error on query unless they are sanitized with mysql_real_escape_string. This is how SQL injections are completed.

diafol
 
> I'll say it again... You're updating the DB BEFORE you validate, so your validation code is pointless. Passwords with a " or ' in them will cause an error on query unless they are sanitized with mysql_real_escape_string. This is how SQL injections are completed.

i already do it .. but it still says that the 2 passwords do not match ..

```php
<?php
$host="localhost";
$username="";
$password="";
$db_name="login_db";
$tbl_name="members";

mysql_connect('localhost', 'root', '') or die("cannot connect");
mysql_select_db("$db_name") or die("cannot select DB");

$user=$_POST["user"];
$pass=$_POST["pass"];
$confirm_pass=$_POST["vpass"];
$title=$_POST["title"];
$name=$_POST["name"];
$add=$_POST["add"];
$email=$_POST["email"];

$user=stripslashes($user);
$pass=stripslashes($pass);
$confirm_pass=stripslashes($confirm_pass);
$user=mysql_real_escape_string($user);
$pass=mysql_real_escape_string($pass);
$confirm_pass=mysql_real_escape_string($confirm_pass);

$query = "insert into members (username , password , title , name , address , email) values ('{$user}' , '{$pass}' , '{$title}' , '{$name}' , '{$add}' , '{$email}' )";

if(empty($user) || empty($pass) || empty($confirm_pass) || empty($title) || empty($name) || empty($add) || empty($email))
{
    $problem=true;
    include "signup_form.php";
    echo "<center>Please Fill Out Empty Fields ....";
}
elseif(strcmp($pass,$confirm_pass) != 0)
{
    $problem=true;
    include "signup_form.php";
    echo "<center>Passwords does not match ! ...";
}
elseif(@mysql_query($query))
{
    include "confirm.php";
}
else
{
    echo "FAILED !";
}

mysql_close();
?>
```

mukororokudo
Newbie Poster
9 posts since Sep 2011
Reputation Points: 10
Solved Threads: 0
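
An added example (not code from any poster in this thread) of the same registration handler with the points raised above addressed: validation runs before the statement is prepared, all six values are bound as parameters rather than escaped one by one, the two passwords are compared strictly, and a hash is stored instead of the password. It assumes PDO with an in-memory SQLite database and constructed sample input so it runs offline; field and column names are the ones used in the thread.

```php
<?php
// Added example, not the poster's code. Field and column names come from the
// thread; the in-memory SQLite database and the sample input are constructed
// so the script runs offline (use a MySQL DSN in a real deployment).
declare(strict_types=1);

function register_member(PDO $db, array $post): string
{
    $in = [];
    foreach (['user', 'pass', 'vpass', 'title', 'name', 'add', 'email'] as $f) {
        // Reject missing keys and array input (user[]=...) before any use.
        $in[$f] = isset($post[$f]) && is_string($post[$f]) ? $post[$f] : '';
        if ($in[$f] === '') {
            return 'missing:' . $f;
        }
    }
    // Compare the raw values with !==. Loose != compares numeric strings as
    // numbers, so "1e3" and "1000" would count as the same password.
    if ($in['pass'] !== $in['vpass']) {
        return 'mismatch';
    }
    // The statement is prepared only after validation; values are bound, not
    // interpolated, so quotes in any field cannot change the SQL.
    $stmt = $db->prepare(
        'INSERT INTO members (username, password, title, name, address, email)
         VALUES (?, ?, ?, ?, ?, ?)'
    );
    $stmt->execute([
        $in['user'],
        password_hash($in['pass'], PASSWORD_DEFAULT), // store a hash only
        $in['title'], $in['name'], $in['add'], $in['email'],
    ]);
    return 'ok';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (username TEXT, password TEXT, title TEXT,
           name TEXT, address TEXT, email TEXT)');

// Constructed sample input containing both quote characters.
$sample = ['user' => "o'brien", 'pass' => "p'w\"1", 'vpass' => "p'w\"1",
           'title' => 'Mr', 'name' => "Pat O'Brien", 'add' => '1 Main St',
           'email' => 'pat@example.com'];
echo register_member($db, $sample), "\n";
echo register_member($db, ['pass' => '1e3', 'vpass' => '1000'] + $sample), "\n";
echo 'rows: ', $db->query('SELECT COUNT(*) FROM members')->fetchColumn(), "\n";
```

The `mysql_*` functions used in the thread were removed in PHP 7, so PDO or mysqli with bound parameters is the replacement for both the connection calls and `mysql_real_escape_string()`.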
 

NVM .. i figured it out myself .. but still thanks for your time .. i really appreciate it ..

mukororokudo
 

why don't you check by inserting the confirm password also into the database because in database confirm password will be empty according to your code

rajesh205
Newbie Poster
5 posts since Sep 2011
Reputation Points: 10
Solved Threads: 0
 

This question has already been solved
