checking password confirmation in php

Question

<?php
include("../../config/database_connection.php");

if( isset($_POST) )
{
    $user_name   =$_POST['user_name'];
    $email   = $_POST['email'];
    $user_pass_init    = $_POST['password'];
    $user_pass_conf = $_POST['passconfirm'];
    $full_name = $_POST['full_name'];
    $gender = $_POST['gender'];

    if ($user_name!="" && $email!="" && $full_name!="" && $gender!="") {
        if ($_POST['password']!= $_POST['passconfirm']) {
            header("location:../index.php?err= password do not match");
        }else{
            $query   = "INSERT into admin_users (user_name,email,user_pass,full_name,gender) VALUES('" . $user_name . "','" . $email . "','" . md5($user_pass_init) . "','" . $full_name . "','" . $gender . "')";
            $success = $conn->query($query);
        }

        if (!$success) {
            die("Couldn't enter data: ".$conn->error);
        } else{
            header("location:../index.php");
        }
    } else{
        header("location:../index.php?err= Enter all the fields");
    }
} else{
    header("location:../index.php?err= couldnot enter data");
}
?>

this is the code I am trying to execute to check whether two passwords are matching or not... but while entering same passwords I get value of password do not match Whats the issue? Help me solve it

The `if (!$success)` test should be inside the `else` block where you perform the `INSERT`. Otherwise, `$success` isn't set. — Barmar, Nov 08 '18 at 16:32
Your check for entering all the fields should include the password field. — Barmar, Nov 08 '18 at 16:33
Your code is wide open to SQL injection. See https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 — Barmar, Nov 08 '18 at 16:34
Do not use MD5 for encrypting passwords. Use PHP's `password_hash` and `password_verify`. — Barmar, Nov 08 '18 at 16:35
var_dump($_POST) solved my mistake. Thanks a lot man. It was just a type mistake. — Ankit Shah, Nov 08 '18 at 16:38

score 1 · Accepted Answer · answered Nov 08 '18 at 16:42

Here is my recommendation, this may not completely solve your issue but it will make your code a bit more secure since your code is susceptible to SQL injection:

<?php
include("../../config/database_connection.php");
if( isset($_POST) )
{
    $user_name  = $conn->real_escape_string($_POST['user_name']);
    $email   = $conn->real_escape_string($_POST['email']);
    $user_pass_init    = $conn->real_escape_string($_POST['password']);
    $user_pass_conf = $conn->real_escape_string($_POST['passconfirm']);
    $full_name = $conn->real_escape_string($_POST['full_name']);
    $gender = $conn->real_escape_string($_POST['gender']);

    if (!empty($user_name) && !empty($email) && !empty($full_name) && !empty($gender)) {
        if ($user_pass_init != $user_pass_conf) {
            header("location:../index.php?err= password do not match");
        }else{
            $user_pass = md5($user_pass_init);
            $query   = "INSERT into admin_users (user_name,email,user_pass,full_name,gender) VALUES('$user_name', '$email', '$user_pass', '$full_name', '$gender')";
            $success = $conn->query($query);
            if (!$success) {
                die("Couldn't enter data: ".$conn->error);
            } else{
                header("location:../index.php");
            }
        }
    } else{
        header("location:../index.php?err= Enter all the fields");
    }
} else{
    header("location:../index.php?err= couldnot enter data");
}
?>

I also would recommend using password_hash() instead of md5()

@AnkitShah - But it is still utterly unsecure, use [password_hash()](http://www.php.net/manual/en/function.password-hash.php) and [password_verify()](http://www.php.net/manual/en/function.password-verify.php) as Antoine already mentioned. Another even better way to avoid SQL-injection can be achieved by using [prepared statements](https://stackoverflow.com/a/38422760/575765). — martinstoeckli, Nov 10 '18 at 09:55

checking password confirmation in php

1 Answers1