On Thu, Jun 24, 2010 at 2:46 PM, Ashley Sheridan <ash@xxxxxxxxxxxxxxxxxxxx>wrote: > On Thu, 2010-06-24 at 20:37 +0200, David Česal wrote: > > > Yes, it is. > > > > D > > > > -----Original Message----- > > From: Ashley Sheridan [mailto:ash@xxxxxxxxxxxxxxxxxxxx] > > Sent: Thursday, June 24, 2010 8:32 PM > > To: Floyd Resler > > Cc: PHP > > Subject: Re: Making a Password Confirmation in PHP > > > > On Thu, 2010-06-24 at 14:29 -0400, Floyd Resler wrote: > > > > > On Jun 24, 2010, at 2:22 PM, Michael Calkins wrote: > > > > > > > > > > > This is very straight forward, if password a and b are not equal to > each > > other, how can I let the user know that with out losing all of the > entered > > information on the registration form? > > > > I was trying this: > > > > ---$p1 = "<input type=\"password\" name=\"usr_p1\" />"; > > > > $p2 = "<input type=\"password\" name=\"usr_p2\" />"; // if they > > > > didn't match return > > > > $p1 = "<input type=\"password\" name=\"usr_p1\" value=\"" . $p1 . > > > > "\"/>";--- I was trying to change the value of the variable which > shows > > the input field to have the password already in it. > > > > and either one would just be echo'd depending on the result. > > > > Any ideas please? > > > > > > > > From,Michael Calkinsmichaelcalkins@xxxxxxxx > > > > > > > > > > > If you aren't opposed to using JavaScript, I'd do it there. If you > don't > > want to use JavaScript then you can load the form data from the $_POST > (or > > $_GET) array that was passed back to your script. > > > > > > Take care, > > > Floyd > > > > > > > > > > > > > > > Is Javascript allowed to read the value of password boxes? I was of the > > understanding that it couldn't, so checking if a password field matches > > another is pretty moot. > > > > Thanks, > > Ash > > http://www.ashleysheridan.co.uk > > > > > > > > > Yes, so it does. That seems like a bit of a flaw in Javascript on > security grounds. > > Anyway, you still need to perform the same check on the server: > > * Javascript may be turned off > * Not every browser supports Javascript > * Someone may make a post request without using the form > > > Thanks, > Ash > http://www.ashleysheridan.co.uk > > > Yes, the checks should be performed server-side, too. In terms of security, the password field was meant merely to protect against nearby people peering over the shoulder of the user typing in their password (aka, shoulder surfing.) So in terms of security, nothing is flawed, and there has been some debate on the need and implementation of password fields, especially given interfaces like the iphone which let you view the last character entered for a brief amount of time: http://www.schneier.com/blog/archives/2009/07/the_pros_and_co.html http://www.useit.com/alertbox/passwords.html I'd recommend progressively enhancing the page with a plugin such as those listed below (I prefer jQuery, but there are other options for other frameworks): http://plugins.jquery.com/project/showPasswordCheckbox http://plugins.jquery.com/project/fvalidate http://plugins.jquery.com/project/iphone-password Adam -- Nephtali: PHP web framework that functions beautifully http://nephtaliproject.com
