Nathan Riley
asked on
Password and Email HTML Form Validation
I have an html5 form that I need to do some validation on the fields before submitting them.
I need to check the following two fields and make sure they match when I hit the submit button.
Password
Re-Enter Password
I'm assuming I would need to do with javascript, but I'm not familiar with it.
I need to check the following two fields and make sure they match when I hit the submit button.
Password
Re-Enter Password
I'm assuming I would need to do with javascript, but I'm not familiar with it.
Is this what you are looking for?
http://stackoverflow.com/questions/16342177/php-form-validation-using-preg-match-for-password-checks
HTH,
Kent
http://stackoverflow.com/questions/16342177/php-form-validation-using-preg-match-for-password-checks
HTH,
Kent
Dave's solution is valid but since you can use jquery this is a solution with everything rolled into one from the other question
$(function() {
$("#myform").submit(function (event) {
e.preventDefault();
$.ajax({type:'GET',url:'/checkusername.php?username='+$('#username').val(),
success:function(response) {
if(response==1){
if($('#password1').val()==$('#password2').val(){
$("#myform").submit();
}
else
{
alert('Passwords do not match');
}
}
else{
alert('Username is already taken');
}
}});
});
});
You can do this on the client side, as a nicety to your client, but you MUST do it on the server side, too. This article shows the general design pattern.
https://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html
https://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html
ASKER
So the above works, but once I click ok on the alert the submit still happens, how do you stop the submit until the passwords match?
Which code are you talking about?
Got a live link?
Got a live link?
ASKER
SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
ASKER
Now if passwords don't match it still creates the account without any popups.
SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
ASKER
Hmm..still processes and inserts the data, here is the rest of my page, maybe I need to have something in there to stop the post?
<?php
// First we execute our common code to connection to the database and start the session
require("assets/includes/common.php");
// This if statement checks to determine whether the registration form has been submitted
// If it has, then the registration code is run, otherwise the form is displayed
if(!empty($_POST))
{
$hash = md5( rand(0,1000) ); // Generate random 32 character hash and assign it to a local variable.
// An INSERT query is used to add new rows to a database table.
// Again, we are using special tokens (technically called parameters) to
// protect against SQL injection attacks.
$query = "
INSERT INTO users (
username,
password,
salt,
email,
fname,
lname,
verificationid
) VALUES (
:email,
:password,
:salt,
:email,
:fname,
:lname,
:hash
)
";
$query1 = "
INSERT INTO orgid (
cname
) VALUES (
:cname
)
";
// A salt is randomly generated here to protect again brute force attacks
// and rainbow table attacks. The following statement generates a hex
// representation of an 8 byte salt. Representing this in hex provides
// no additional security, but makes it easier for humans to read.
// For more information:
// http://en.wikipedia.org/wiki/Salt_%28cryptography%29
// http://en.wikipedia.org/wiki/Brute-force_attack
// http://en.wikipedia.org/wiki/Rainbow_table
$salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
// This hashes the password with the salt so that it can be stored securely
// in your database. The output of this next statement is a 64 byte hex
// string representing the 32 byte sha256 hash of the password. The original
// password cannot be recovered from the hash. For more information:
// http://en.wikipedia.org/wiki/Cryptographic_hash_function
$password = hash('sha256', $_POST['password'] . $salt);
// Next we hash the hash value 65536 more times. The purpose of this is to
// protect against brute force attacks. Now an attacker must compute the hash 65537
// times for each guess they make against a password, whereas if the password
// were hashed only once the attacker would have been able to make 65537 different
// guesses in the same amount of time instead of only one.
for($round = 0; $round < 65536; $round++)
{
$password = hash('sha256', $password . $salt);
}
// Here we prepare our tokens for insertion into the SQL query. We do not
// store the original password; only the hashed version of it. We do store
// the salt (in its plaintext form; this is not a security risk).
$query_params = array(
':email' => $_POST['username'],
':password' => $password,
':salt' => $salt,
':email' => $_POST['email'],
':fname' => $_POST['fname'],
':lname' => $_POST['lname'],
':hash' => $hash
);
$query_params1 = array(
':cname' => $_POST['cname']
);
try
{
// Execute the query to create the user
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
// Note: On a production website, you should not output $ex->getMessage().
// It may provide an attacker with helpful information about your code.
die("Failed to run query: " . $ex->getMessage());
}
try
{
// Execute the query to create the user
$stmt1 = $db->prepare($query1);
$result1 = $stmt1->execute($query_params1);
}
catch(PDOException $ex)
{
// Note: On a production website, you should not output $ex->getMessage().
// It may provide an attacker with helpful information about your code.
die("Failed to run query: " . $ex->getMessage());
}
$sql = 'select max(id) as userid from users';
$sth = $db->query($sql);
$sth->execute();
$row= $sth->fetch(PDO::FETCH_ASSOC);
$userid = $row['userid'];
$sql = 'select max(id) as orgid from orgid';
$sth = $db->query($sql);
$sth->execute();
$row1= $sth->fetch(PDO::FETCH_ASSOC);
$orgid = $row1['orgid'];
$sql = 'update users set orgid = '.$orgid.' where id = '.$userid;
$sth = $db->query($sql);
$sth->execute();
//Send Verification Email
$to = $_POST['email']; //Send email to our user
$subject = 'Verify your Account!'; //// Give the email a subject
$message = '
Thanks for signing up!
Please click this link to activate your account:
http://starcitizenbase.com/verify.php?email='.$_POST['email'].'&hash='.$hash.'
'; // Our message above including the link
$headers = 'From:noreply@starcitizenbase.com' . "\r\n"; // Set from headers
mail($to, $subject, $message, $headers); // Send the email
echo 'registration complete';
}
?>
ASKER CERTIFIED SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
Gary's probably right. All my working forms do it that way. You still need the 'if' to prevent database inserts when you first load the page.
ASKER
Alright working now thanks, if they do match how do I just let the registration complete without the alert?
... let the registration complete without the alert?Remove the alert() function call.
Open in new window