Jump to content

Recommended Posts

Hi all,

 

 

I am currently learning PHP and would need a bit of help to get me started please.

 

I have created a simple form with my css and try to add a PHP validation, everything is working perfectly except the last part of my validation. The password comparison is not working, any idea please? I do not even see the error.

 

 

 

  <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST" enctype="application/x-www-form-urlencoded">
  <label class="control-label" for="input01">Username</label>
  <div class="controls"><input type="text" name="username" value="<?php echo htmlspecialchars($_POST['username']); ?>" class="input-xlarge" style="width:285px; padding:10px;" id="input01" /></div>
  <label class="control-label" for="input01">Email</label>
  <div class="controls"><input type="text" name="email" value="<?php echo htmlspecialchars($_POST['email']); ?>" class="input-xlarge" style="width:285px; padding:10px;" id="input01" /></div>
  <label class="control-label" for="input01">Password</label>
  <div class="controls"><input type="password" name="password" value="<?php echo htmlspecialchars($_POST['password']); ?>" class="input-xlarge" style="width:285px; padding:10px;" id="input01" /></div>
  <label class="control-label" for="input01">Confirm Password</label>
  <div class="controls"><input type="password" name="confirm_password" value="<?php echo htmlspecialchars($_POST['confirm_password']); ?>" class="input-xlarge" style="width:285px; padding:10px;" id="input01" /></div>
  <button type="submit" value="submit" name="submit" style="width:100%;" class="large lightblue button radius" >Submit</button>
  </form>
 
Link to comment
https://forums.phpfreaks.com/topic/287134-help-with-form-validationbeginner/
Share on other sites

Hi,

 

since you showed us the form and not the validation code, I have no idea how we're supposed to help you.

 

However, your code has a bunch of serious security issues:

 

First of all, it's probably vulnerable to cross-site scripting attacks through $_SERVER['PHP_SELF']. Depending on the configuration, Apache allows the user to append arbitrary pseudo-directories to the actual file path. For example, they could request your script like this:

https://www.yourdomain.com/yourscript.php/<some JavaScript injection>

Apache would accept it as a valid path for yourscript.php, and you would happily insert the JavaScript code into your markup.

 

This again shows that you must escape any user-defined input before it can be inserted, no matter how restricted it may seem at first sight.

 

While you do escape the $_POST values, you have totally forgotten to specify which character encoding should be used. This again can lead to cross-site scripting in some cases. If the default encoding of htmlspecialchars() simply isn't the one you actually use for your document, the escaping mechanism may fail to recognize the critical characters and let them through. For example, there's an infamous UTF-7 attack which takes advantage of an encoding mismatch.

 

Last but not least, you must never send the password back to the client. Passwords are obviously very sensitive data, so the last thing you wanna do is send them back and forth around the globe. Apart from that, how exactly does this help the user? The passwords are masked, so the user can't just edit them.

 

Wrapping it up:

  • Never insert raw user input into your HTML markup. The request path is user-defined input.
  • Escaping depends on the character encoding, so always specify the encoding when you use htmlspecialchars(). It has to match the charset attribute of the Content-Type header. If you do not have a Content-Type header with a charset attribute, add it now.
  • Be very careful with passwords. Do not send them around.
Edited by Jacques1
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.