Link to home
Create AccountLog in
Avatar of Nathan Riley
Nathan RileyFlag for United States of America

asked on

Password and Email HTML Form Validation

I have an html5 form that I need to do some validation on the fields before submitting them.

I need to check the following two fields and make sure they match when I hit the submit button.

Password
Re-Enter Password

I'm assuming I would need to do with javascript, but I'm not familiar with it.
Avatar of Dave Baldwin
Dave Baldwin
Flag of United States of America image

Here's a simple version.  The checking should be done thru an 'onsubmit' in the <form> tag.
<!DOCTYPE HTML>

<html>
<head>
<title>Password verification</title>
<script type="text/javascript">
<!--
function chekpwd() {
var pwd1 = document.getElementById('password1').value;
var pwd2 = document.getElementById('password2').value;
if(pwd1 == pwd2) alert("They Match!");
else alert("The don't Match!!");
}
// -->
</script>
</head>
<body>
<h1>Password verification</h1>
<form action="#" method="post" onsubmit="chekpwd()">
Enter Password:<input type="password" id="password1" name="password1" /><br />
Re-Enter Password:<input type="password" id="password2" name="password2" /><br />
<input type="submit" name="submit" value="submit" />
</form>
</body>
</html>

Open in new window

Dave's solution is valid but since you can use jquery this is a solution with everything rolled into one from the other question
$(function() {
	$("#myform").submit(function (event) {
		e.preventDefault();
		$.ajax({type:'GET',url:'/checkusername.php?username='+$('#username').val(),
		success:function(response) {
			if(response==1){
				if($('#password1').val()==$('#password2').val(){
					$("#myform").submit();
				}
				else
				{
					alert('Passwords do not match');
				}
			}
			else{
				alert('Username is already taken');
			}
	}});
    });
}); 

Open in new window

You can do this on the client side, as a nicety to your client, but you MUST do it on the server side, too.  This article shows the general design pattern.
https://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html
Avatar of Nathan Riley

ASKER

So the above works, but once I click ok on the alert the submit still happens, how do you stop the submit until the passwords match?
Which code are you talking about?
Got a live link?
I was using David's first approach to test.

http://starcitizenbase.com/dev/company-signup.php
SOLUTION
Avatar of Gary
Gary
Flag of Ireland image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
Now if passwords don't match it still creates the account without any popups.
SOLUTION
Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
Hmm..still processes and inserts the data, here is the rest of my page, maybe I need to have something in there to stop the post?

<?php 
    // First we execute our common code to connection to the database and start the session 
    require("assets/includes/common.php"); 
     
    // This if statement checks to determine whether the registration form has been submitted 
    // If it has, then the registration code is run, otherwise the form is displayed 
    if(!empty($_POST)) 
    { 
        $hash = md5( rand(0,1000) ); // Generate random 32 character hash and assign it to a local variable.
		
        // An INSERT query is used to add new rows to a database table. 
        // Again, we are using special tokens (technically called parameters) to 
        // protect against SQL injection attacks. 
        $query = " 
            INSERT INTO users ( 
                username, 
                password, 
                salt, 
                email,
				fname,
				lname,
				verificationid
            ) VALUES ( 
                :email, 
                :password, 
                :salt, 
                :email,
				:fname,
				:lname,
				:hash
            ) 
        "; 
        
		$query1 = " 
            INSERT INTO orgid ( 
                cname
            ) VALUES ( 
                :cname
            ) 
        "; 
		
        // A salt is randomly generated here to protect again brute force attacks 
        // and rainbow table attacks.  The following statement generates a hex 
        // representation of an 8 byte salt.  Representing this in hex provides 
        // no additional security, but makes it easier for humans to read. 
        // For more information: 
        // http://en.wikipedia.org/wiki/Salt_%28cryptography%29 
        // http://en.wikipedia.org/wiki/Brute-force_attack 
        // http://en.wikipedia.org/wiki/Rainbow_table 
        $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647)); 
         
        // This hashes the password with the salt so that it can be stored securely 
        // in your database.  The output of this next statement is a 64 byte hex 
        // string representing the 32 byte sha256 hash of the password.  The original 
        // password cannot be recovered from the hash.  For more information: 
        // http://en.wikipedia.org/wiki/Cryptographic_hash_function 
        $password = hash('sha256', $_POST['password'] . $salt); 
         
        // Next we hash the hash value 65536 more times.  The purpose of this is to 
        // protect against brute force attacks.  Now an attacker must compute the hash 65537 
        // times for each guess they make against a password, whereas if the password 
        // were hashed only once the attacker would have been able to make 65537 different  
        // guesses in the same amount of time instead of only one. 
        for($round = 0; $round < 65536; $round++) 
        { 
            $password = hash('sha256', $password . $salt); 
        } 
         
        // Here we prepare our tokens for insertion into the SQL query.  We do not 
        // store the original password; only the hashed version of it.  We do store 
        // the salt (in its plaintext form; this is not a security risk). 
        $query_params = array( 
            ':email' => $_POST['username'], 
            ':password' => $password, 
            ':salt' => $salt, 
            ':email' => $_POST['email'],
			':fname' => $_POST['fname'],
			':lname' => $_POST['lname'],
			':hash'	 => $hash
        ); 
        
		$query_params1 = array( 
            ':cname' => $_POST['cname']
        ); 
		
        try 
        { 
            // Execute the query to create the user 
            $stmt = $db->prepare($query); 
            $result = $stmt->execute($query_params); 
        } 
		
		catch(PDOException $ex) 
        { 
            // Note: On a production website, you should not output $ex->getMessage(). 
            // It may provide an attacker with helpful information about your code.  
            die("Failed to run query: " . $ex->getMessage()); 
        } 
		
		try 
        { 
            // Execute the query to create the user 
            $stmt1 = $db->prepare($query1); 
            $result1 = $stmt1->execute($query_params1); 
        } 
		
        catch(PDOException $ex) 
        { 
            // Note: On a production website, you should not output $ex->getMessage(). 
            // It may provide an attacker with helpful information about your code.  
            die("Failed to run query: " . $ex->getMessage()); 
        }
		
		$sql = 'select max(id) as userid from users';
		$sth = $db->query($sql);
		$sth->execute();
		$row= $sth->fetch(PDO::FETCH_ASSOC);
		$userid = $row['userid'];
		
		$sql = 'select max(id) as orgid from orgid';
		$sth = $db->query($sql);
		$sth->execute();
		$row1= $sth->fetch(PDO::FETCH_ASSOC);
		$orgid = $row1['orgid'];
		
		$sql = 'update users set orgid = '.$orgid.' where id = '.$userid;
		$sth = $db->query($sql);
		$sth->execute();
		
		//Send Verification Email
		$to      =  $_POST['email']; //Send email to our user
		$subject = 'Verify your Account!'; //// Give the email a subject 
		$message = '

		Thanks for signing up!
					
		Please click this link to activate your account:
		http://starcitizenbase.com/verify.php?email='.$_POST['email'].'&hash='.$hash.'

		'; // Our message above including the link
					
		$headers = 'From:noreply@starcitizenbase.com' . "\r\n"; // Set from headers
		mail($to, $subject, $message, $headers); // Send the email
		
		
        echo 'registration complete';
    } 
     
?>

Open in new window

ASKER CERTIFIED SOLUTION
Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
SOLUTION
Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
Gary's probably right.  All my working forms do it that way.  You still need the 'if' to prevent database inserts when you first load the page.
Alright working now thanks, if they do match how do I just let the registration complete without the alert?
... let the registration complete without the alert?
Remove the alert() function call.