New to all this so forgive my ignorance. I am trying to figure out how to add a "confirm your password" field to my form. Using PHP and MySQL. Is this entered in the HTML form code, and how can you set it to auto check that the password and confirm password fields match?
5 Answers
Just get both the password and confirm password fields in the form submit PHP and test for equality:
    if ($_POST["password"] === $_POST["confirm_password"]) {
        // success!
    }
    else {
        // failed :(
    }

where password and confirm_password are the IDs of the HTML text inputs for the passwords.

- The only attribute that PHP can read via method POST is the _name_ of the object, NOT the _ID_ - therefore $_POST receives the _name_ value of the password input element. – António Lima Mar 18 '22 at 12:53
What you're trying to do is form validation. It's a good idea to validate on the client side (using JavaScript) so you have a faster response for your user on the interface, and on your server side (since your user can have JavaScript disabled - and because you should never blindly trust user input. Read "Should you do validation on your server side" for some more information about this subject).
You just need to compare the two posted values. If correct, insert in the database. If not, don't do anything and return a message to the user saying that the password is incorrect.
I can't give more details since you didn't provide enough or detailed information about your PHP environment (frameworks used, libs used, etc).
- "and on your server side (since your user can have javascript disabled)." -- This is not a reason to use server-side validation. – strager Oct 26 '09 at 02:38
- Uh, yes it is. Client side validation is useful, but server-side validation ensures that problems on the client side are accounted for. – ceejayoz Oct 26 '09 at 02:44
- Supposing something like "Why can't I just write a JavaScript validation?", I just wrote to validate on the server side to remind him he needs to do it. I can't provide all information about security in a simple answer. – GmonC Oct 26 '09 at 02:48
- Server-side validation is required because of malicious input. (NEVER trust the user's input.) Would you send the server SQL? – strager Oct 26 '09 at 02:49
- @GmonC, You made it sound like the lack of Javascript is a reason to validate server-side. I would reword it to make it clearer you should have server-side validation anyway. – strager Oct 26 '09 at 02:49
- @strager That's terrifically semantic, you're both saying the same thing. – deceze Oct 26 '09 at 02:51
- @strager: I just edited the answer, it's a simple clarification for all this discussion we're having. Since the user is new to all of this information I added a link to a topic here in SO as well. – GmonC Oct 26 '09 at 03:00
You can check it in JavaScript using:

    <html>
    <head>
    <title></title>
    <script>
    // Returns true only when both password fields hold the same value.
    function validate() {
        var match = document.getElementById("password").value ===
                    document.getElementById("confirm_password").value;
        if (!match) alert("Passwords do not match");
        return match;
    }
    </script>
    </head>
    <body>
    <form onSubmit="return validate()" action="nextPage.php">
    Password: <input type="password" id="password" name="password" /><br/>
    Reenter Password: <input type="password" id="confirm_password" name="confirm_password" />
    <input type="submit" value="submit"/>
    </form>
    </body>
    </html>

And on the server side you need to check it again in case the client does not have JavaScript enabled:

    // Strict comparison, so numeric-looking strings are not treated as equal.
    if ($_GET['password'] === $_GET['confirm_password']) {
        // passwords match
    }

You have to use $_POST instead of $_GET in case of POST method.

- Would you want to ever use a GET with regards to a password? Seems like a POST would be the way to go... – Dscoduc Oct 26 '09 at 16:50
- You are right, for passwords we must use the POST method. I just gave an example, just the basic form submission using both methods with validation :) – Xinus Oct 26 '09 at 16:54
I updated the code, there is a missing colon on form submit.

    <html>
    <head>
    <title></title>
    <script>
    // Blocks the submit when the two password fields differ.
    function validate() {
        var a = document.getElementById("password").value;
        var b = document.getElementById("confirm_password").value;
        if (a != b) {
            alert("Passwords do not match");
            return false;
        }
        return true;
    }
    </script>
    </head>
    <body>
    <form onSubmit="return validate();">
    Password: <input type="password" id="password" name="password" /><br/>
    Re-enter Password: <input type="password" id="confirm_password" name="confirm_password" />
    <input type="submit" value="submit"/>
    </form>
    </body>
    </html>

Are you using some kind of framework? If not, it should be as simple as checking after save that both fields are set and that $confirmationPassword == $passWord. Then apply whatever validation you need to the password before storing it in SQL.

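A server-side version of the check discussed in the answers above, as an added example that is not part of any answer on this page: it reads the fields by their name attributes, rejects missing or non-string values, compares strictly, and hashes the password before it would be stored. The function name validatePasswordFields and the 12-character minimum are assumptions made for illustration.

```php
<?php
// Added example: server-side handling of the "confirm password" form.
declare(strict_types=1);

/** Returns a list of error messages; an empty list means the fields are acceptable. */
function validatePasswordFields(array $post, int $minLength = 12): array
{
    $password = $post['password'] ?? null;
    $confirm  = $post['confirm_password'] ?? null;

    // Both fields must be present and be strings: a request can send
    // password[]=x, which PHP delivers as an array.
    if (!is_string($password) || !is_string($confirm)) {
        return ['Both password fields are required.'];
    }

    $errors = [];
    // Strict comparison: with ==, numeric-looking strings such as
    // "1e3" and "1000" compare as equal.
    if ($password !== $confirm) {
        $errors[] = 'Passwords do not match.';
    }
    // $minLength is an assumed policy value; strlen() counts bytes.
    if (strlen($password) < $minLength) {
        $errors[] = "Password must be at least {$minLength} characters.";
    }
    return $errors;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample submissions, so the file can be run offline.
    $samples = [
        ['password' => 'correct horse battery', 'confirm_password' => 'correct horse battery'],
        ['password' => '1e3', 'confirm_password' => '1000'],
        ['password' => ['x'], 'confirm_password' => 'x'],
    ];
    foreach ($samples as $sample) {
        echo json_encode(validatePasswordFields($sample)), PHP_EOL;
    }
} elseif (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $errors = validatePasswordFields($_POST);
    if ($errors === []) {
        // Store only the hash, using a prepared statement (PDO or mysqli).
        $hash = password_hash($_POST['password'], PASSWORD_DEFAULT);
        echo 'Password accepted.';
    } else {
        echo htmlspecialchars(implode(' ', $errors), ENT_QUOTES, 'UTF-8');
    }
}
```

At login time the stored hash is checked with password_verify() rather than by comparing strings.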