0

hello guys .. here i go again .. i'm having a problem with my registration form .. my reg. form has 'password' field and 'confirm password' password field .. now i want to compare if the 2 passwords are entered the same but it doesn't seem to work .. it's always saying that the passwords do not match even if they really do .. i'm using the traditional 'if' statement and tried almost all possible ways on how to solve this problem but to no avail .. do i have to use special function to compare passwords ? ..

<?php
mysql_connect('localhost' , 'root' , '');
mysql_select_db('login_db');
$user=$_POST["user"];
$pass=$_POST["pass"];
$pass2=$_POST["pass2"];
$title=$_POST["title"];
$name=$_POST["name"];
$add=$_POST["add"];
$email=$_POST["email"];


$query = "insert into members (username , password , title , name , address , email) values ('{$user}' , '{$pass}' , '{$title}' , '{$name}' , '{$add}' , '{$email}' )";

if(empty($user) || empty($pass) || empty($pass2) || empty($title) || empty($name) || empty($add) || empty($email))
	{
	include "signup_form.php";
	echo "<br><br><center>Please Fill Out Empty Fields ....";
	}

elseif($_POST["pass"] != $pass2)
	{
	include "signup_form.php";
	echo "<br><br><center>Passwords Does Not Match ...";
	}
	
elseif(@mysql_query($query))
	{
	include "confirm.php";
	}
	
else
	{
	echo "<br><br><center>ERROR !!!";
	}
	
	
mysql_close();
?>

THANKS IN ADVANCE ..

0

You're not escaping form data, e.g. with mysql_real_escape_string().
You've got the insert BEFORE you validate. Why?

$query = "insert into members (username , password , title , name , address , email) values ('{$user}' , '{$pass}' , '{$title}' , '{$name}' , '{$add}' , '{$email}' )";

You don't need braces around the variables, but it won't hurt.

0

> You're not escaping form data, e.g. with mysql_real_escape_string().
> You've got the insert BEFORE you validate. Why?
>
> $query = "insert into members (username , password , title , name , address , email) values ('{$user}' , '{$pass}' , '{$title}' , '{$name}' , '{$add}' , '{$email}' )";
>
> You don't need braces around the variables, but it won't hurt.

no i haven't inserted it yet .. i've just put it into a variable .. as you can see i have inserted it after the elseif condition of validating the PWs ..
and about the mysql_real_escape_string() .. what does it do ? ..

0

> and about the mysql_real_escape_string() .. what does it do ? ..

the php manual is but a click away... http://php.net

is it the cause of not validating passwords ? ..

0

I'll say it again... You're updating the DB BEFORE you validate, so your validation code is pointless. Passwords with a " or ' in them will cause an error on query unless they are sanitized with mysql_real_escape_string. This is how SQL injections are completed.
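
The two points made in the reply above (validate before touching the database, and keep quotes in form data from breaking the query), as an added example that is not code from the thread. It swaps mysql_real_escape_string() for PDO prepared statements, since the mysql_* functions were removed in PHP 7; it assumes the pdo_sqlite extension, with an in-memory table standing in for the MySQL `members` table, and `register()` is a hypothetical helper.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ with pdo_sqlite;
// an in-memory SQLite table stands in for the thread's MySQL `members` table.
declare(strict_types=1);

function register(PDO $db, array $post): string
{
    // Field names follow the thread's second script (confirm field is "vpass").
    $fields = ['user', 'pass', 'vpass', 'title', 'name', 'add', 'email'];
    $in = [];
    foreach ($fields as $f) {
        $in[$f] = isset($post[$f]) && is_string($post[$f]) ? $post[$f] : '';
        if ($in[$f] === '') {
            return 'Please fill out empty fields';
        }
    }
    // Compare the raw submitted values, before any escaping or hashing.
    if ($in['pass'] !== $in['vpass']) {
        return 'Passwords do not match';
    }
    // Only now build the statement. Placeholders keep data out of the SQL text,
    // so a quote in any field is stored as data and cannot alter the query.
    $stmt = $db->prepare(
        'INSERT INTO members (username, password, title, name, address, email)
         VALUES (:user, :pass, :title, :name, :address, :email)'
    );
    $stmt->execute([
        ':user'    => $in['user'],
        // Store a hash instead of the password itself (an addition beyond the thread).
        ':pass'    => password_hash($in['pass'], PASSWORD_DEFAULT),
        ':title'   => $in['title'],
        ':name'    => $in['name'],
        ':address' => $in['add'],
        ':email'   => $in['email'],
    ]);
    return 'ok';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (username TEXT, password TEXT,
           title TEXT, name TEXT, address TEXT, email TEXT)');

// Constructed sample submissions.
$base = ['user' => "o'brien", 'title' => 'Mr', 'name' => "Pat O'Brien",
         'add' => '1 Main St', 'email' => 'pat@example.com'];
echo register($db, $base + ['pass' => 'p"w\'1', 'vpass' => 'p"w\'1']), "\n";
echo register($db, $base + ['pass' => 'abc', 'vpass' => 'abd']), "\n";
echo $db->query('SELECT username FROM members')->fetchColumn(), "\n";
```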

0

> I'll say it again... You're updating the DB BEFORE you validate, so your validation code is pointless. Passwords with a " or ' in them will cause an error on query unless they are sanitized with mysql_real_escape_string. This is how SQL injections are completed.

i already do it .. but it still says that the 2 passwords do not match ..

<?php
$host="localhost";
$username=""; 
$password=""; 
$db_name="login_db"; 
$tbl_name="members"; 


mysql_connect('localhost', 'root', '') or die("cannot connect");

mysql_select_db("$db_name") or die("cannot select DB");

$user=$_POST["user"];
$pass=$_POST["pass"];
$confirm_pass=$_POST["vpass"];
$title=$_POST["title"];
$name=$_POST["name"];
$add=$_POST["add"];
$email=$_POST["email"];

$user=stripslashes($user);
$pass=stripslashes($pass);
$confirm_pass=stripslashes($confirm_pass);
$user=mysql_real_escape_string($user);
$pass=mysql_real_escape_string($pass);
$confirm_pass=mysql_real_escape_string($confirm_pass);


$query = "insert into members (username , password , title , name , address , email) values ('{$user}' , '{$pass}' , '{$title}' , '{$name}' , '{$add}' , '{$email}' )";



	if(empty($user) || empty($pass) || empty($confirm_pass) || empty($title) || empty($name) || empty($add) || empty($email))
	{
	$problem=true;
	include "signup_form.php";
	echo "<br><br><center>Please Fill Out Empty Fields ....";
	}

	elseif(strcmp($pass,$confirm_pass) != 0)
	{
	$problem=true;
	include "signup_form.php";
	echo "<br><br><center>Passwords does not match ! ...";
	}
	
	elseif(@mysql_query($query))	
		{	
		include "confirm.php";
		}
	
	else
		{
		
		echo "FAILED !";
		}		
	
		
	
mysql_close();
?>

Edited by mukororokudo: n/a

0

NVM .. i figured it out myself .. but still thanks for your time .. i really appreciate it ..

0

why don't you check by inserting the confirm password also into the database, because in the database the confirm password will be empty according to your code
