benoit1980 Posted March 20, 2014

Hi all, I am currently learning PHP and would need a bit of help to get me started please. I have created a simple form with my CSS and am trying to add a PHP validation; everything is working perfectly except the last part of my validation. The password comparison is not working, any idea please? I do not even see the error.

    <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST" enctype="application/x-www-form-urlencoded">
        <label class="control-label" for="input01">Username</label>
        <div class="controls"><input type="text" name="username" value="<?php echo htmlspecialchars($_POST['username']); ?>" class="input-xlarge" style="width:285px; padding:10px;" id="input01" /></div>

        <label class="control-label" for="input01">Email</label>
        <div class="controls"><input type="text" name="email" value="<?php echo htmlspecialchars($_POST['email']); ?>" class="input-xlarge" style="width:285px; padding:10px;" id="input01" /></div>

        <label class="control-label" for="input01">Password</label>
        <div class="controls"><input type="password" name="password" value="<?php echo htmlspecialchars($_POST['password']); ?>" class="input-xlarge" style="width:285px; padding:10px;" id="input01" /></div>

        <label class="control-label" for="input01">Confirm Password</label>
        <div class="controls"><input type="password" name="confirm_password" value="<?php echo htmlspecialchars($_POST['confirm_password']); ?>" class="input-xlarge" style="width:285px; padding:10px;" id="input01" /></div>

        <button type="submit" value="submit" name="submit" style="width:100%;" class="large lightblue button radius" >Submit</button>
    </form>
ginerjm Posted March 20, 2014

I don't see a password comparison here at all.

PS - Why would one create a form to SHOW somebody's password??
Jacques1 Posted March 21, 2014

Hi,

since you showed us the form and not the validation code, I have no idea how we're supposed to help you.

However, your code has a bunch of serious security issues:

First of all, it's probably vulnerable to cross-site scripting attacks through $_SERVER['PHP_SELF']. Depending on the configuration, Apache allows the user to append arbitrary pseudo-directories to the actual file path. For example, they could request your script like this:

    https://www.yourdomain.com/yourscript.php/<some JavaScript injection>

Apache would accept it as a valid path for yourscript.php, and you would happily insert the JavaScript code into your markup. This again shows that you must escape any user-defined input before it can be inserted, no matter how restricted it may seem at first sight.

While you do escape the $_POST values, you have totally forgotten to specify which character encoding should be used. This again can lead to cross-site scripting in some cases. If the default encoding of htmlspecialchars() simply isn't the one you actually use for your document, the escaping mechanism may fail to recognize the critical characters and let them through. For example, there's an infamous UTF-7 attack which takes advantage of an encoding mismatch.

Last but not least, you must never send the password back to the client. Passwords are obviously very sensitive data, so the last thing you wanna do is send them back and forth around the globe. Apart from that, how exactly does this help the user? The passwords are masked, so the user can't just edit them.

Wrapping it up:

- Never insert raw user input into your HTML markup. The request path is user-defined input.
- Escaping depends on the character encoding, so always specify the encoding when you use htmlspecialchars(). It has to match the charset attribute of the Content-Type header. If you do not have a Content-Type header with a charset attribute, add it now.
- Be very careful with passwords. Do not send them around.

Edited March 21, 2014 by Jacques1
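The following is an added example, not code from either poster, showing how the three points above (no request path in the markup, an explicit charset passed to htmlspecialchars() that matches the Content-Type header, and no password echoed back) fit together with the strict password comparison the original form was missing. It assumes the page is served as UTF-8 and that the script is its own form handler; the storage call `save_user()` is a hypothetical placeholder.

```php
<?php
// Added example (not the original poster's code): hardened version of the
// registration form in this thread. Assumption: the document is UTF-8 and
// this script handles its own POST.
declare(strict_types=1);

// The charset here must be the same one passed to htmlspecialchars() below,
// so the escaping routine and the browser agree on how bytes map to characters.
header('Content-Type: text/html; charset=UTF-8');

// Single escaping helper: quotes are escaped too (ENT_QUOTES), invalid byte
// sequences are replaced rather than silently dropped (ENT_SUBSTITUTE), and
// the charset is stated explicitly instead of relying on the default.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$errors   = [];
$username = '';
$email    = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = trim((string) ($_POST['username'] ?? ''));
    $email    = trim((string) ($_POST['email'] ?? ''));
    $password = (string) ($_POST['password'] ?? '');
    $confirm  = (string) ($_POST['confirm_password'] ?? '');

    if ($username === '') {
        $errors[] = 'Username is required.';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please enter a valid email address.';
    }
    if (strlen($password) < 8) {
        $errors[] = 'Password must be at least 8 characters.';
    }
    // The comparison the original post lacked: strict (!==), so values such
    // as "0" and "" are not treated as equal the way loose comparison would.
    if ($password !== $confirm) {
        $errors[] = 'The two passwords do not match.';
    }

    if ($errors === []) {
        // Only a hash is ever stored; the plaintext is discarded with the request.
        $hash = password_hash($password, PASSWORD_DEFAULT);
        // save_user($username, $email, $hash);   // hypothetical storage call
    }
}
?>
<!DOCTYPE html>
<html>
<head><meta charset="UTF-8"><title>Register</title></head>
<body>
<?php foreach ($errors as $error): ?>
  <p class="error"><?= e($error) ?></p>
<?php endforeach; ?>

<!-- No action attribute: the browser posts back to the URL the form was
     served from, so $_SERVER['PHP_SELF'] (and with it the request path)
     never ends up in the markup. A fixed path such as action="/register.php"
     works just as well. -->
<form method="POST">
  <label for="username">Username</label>
  <input type="text" id="username" name="username" value="<?= e($username) ?>">

  <label for="email">Email</label>
  <input type="text" id="email" name="email" value="<?= e($email) ?>">

  <!-- No value attribute on either password field: the password is never
       sent back to the client, and each id is unique so the labels work. -->
  <label for="password">Password</label>
  <input type="password" id="password" name="password">

  <label for="confirm_password">Confirm Password</label>
  <input type="password" id="confirm_password" name="confirm_password">

  <button type="submit" name="submit">Submit</button>
</form>
</body>
</html>
```

Two checks worth making on a form like this: confirm with your browser's network tools that the response carries `Content-Type: text/html; charset=UTF-8`, and confirm that the rendered HTML after a failed submission contains no `value` attribute on the password inputs.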