Re: [PHP] Making a Password Confirmation in PHP

2010-06-25 Thread Richard Quadling
On 24 June 2010 19:46, Ashley Sheridan a...@ashleysheridan.co.uk wrote:
 On Thu, 2010-06-24 at 20:37 +0200, David Česal wrote:

 Yes, it is.

 D

 -Original Message-
 From: Ashley Sheridan [mailto:a...@ashleysheridan.co.uk]
 Sent: Thursday, June 24, 2010 8:32 PM
 To: Floyd Resler
 Cc: PHP
 Subject: Re: [PHP] Making a Password Confirmation in PHP

 On Thu, 2010-06-24 at 14:29 -0400, Floyd Resler wrote:

  On Jun 24, 2010, at 2:22 PM, Michael Calkins wrote:
 
  
   This is very straight forward, if password a and b are not equal to each
 other, how can I let the user know that with out losing all of the entered
 information on the registration form?
   I was trying this:
   ---$p1 = input type=\password\ name=\usr_p1\ /;
   $p2 = input type=\password\ name=\usr_p2\ /; // if they
   didn't match return
   $p1 = input type=\password\ name=\usr_p1\  value=\ . $p1 .
   \/;--- I was trying to change the value of the variable which shows
 the input field to have the password already in it.
   and either one would just be echo'd depending on the result.
   Any ideas please?
  
   From,Michael calkinsmichaelcalk...@live.com
  
  
  If you aren't opposed to using JavaScript, I'd do it there.  If you don't
 want to use JavaScript then you can load the form data from the $_POST (or
 $_GET) array that was passed back to your script.
 
  Take care,
  Floyd
 
 
 


 Is Javascript allowed to read the value of password boxes? I was of the
 understanding that it couldn't, so checking if a password field matches
 another is pretty moot.

 Thanks,
 Ash
 http://www.ashleysheridan.co.uk





 Yes, so it does. That seems like a bit of a flaw in Javascript on
 security grounds.


And the fact that a browser will transmit <input type="password"> as
plain text isn't a security issue?



-- 
-
Richard Quadling
Standing on the shoulders of some very clever giants!
EE : http://www.experts-exchange.com/M_248814.html
EE4Free : http://www.experts-exchange.com/becomeAnExpert.jsp
Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498r=213474731
ZOPA : http://uk.zopa.com/member/RQuadling

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Making a Password Confirmation in PHP

2010-06-25 Thread Andrew Ballard
On Fri, Jun 25, 2010 at 5:35 AM, Richard Quadling rquadl...@gmail.com wrote:
 And the fact that a browser will transmit <input type="password"> as
 plain text isn't a security issue?

That's what SSL is for.

Andrew




[PHP] Making a Password Confirmation in PHP

2010-06-24 Thread Michael Calkins

This is very straightforward, if password a and b are not equal to each other, 
how can I let the user know that without losing all of the entered information 
on the registration form?
I was trying this: 
---
$p1 = "<input type=\"password\" name=\"usr_p1\" />";
$p2 = "<input type=\"password\" name=\"usr_p2\" />";
// if they didn't match return
$p1 = "<input type=\"password\" name=\"usr_p1\" value=\"" . $p1 . "\" />";
---
I was trying to change the value of the variable which shows the input field to 
have the password already in it.
and either one would just be echo'd depending on the result.
Any ideas please?

From,
Michael Calkins
michaelcalk...@live.com


Re: [PHP] Making a Password Confirmation in PHP

2010-06-24 Thread Ashley Sheridan
On Thu, 2010-06-24 at 11:22 -0700, Michael Calkins wrote:

 This is very straight forward, if password a and b are not equal to each 
 other, how can I let the user know that with out losing all of the entered 
 information on the registration form?
 I was trying this: 
 ---
 $p1 = "<input type=\"password\" name=\"usr_p1\" />";
 $p2 = "<input type=\"password\" name=\"usr_p2\" />";
 // if they didn't match return
 $p1 = "<input type=\"password\" name=\"usr_p1\" value=\"" . $p1 . "\" />";
 ---
 I was trying to change the value of the variable which shows the input field 
 to have the password already in it.
 and either one would just be echo'd depending on the result.
 Any ideas please?
 
 From,Michael calkinsmichaelcalk...@live.com
 


When you output the form again, output it with the values that were sent
to you (take care about deliberate injection though)

For things like select lists, I find I end up creating these from an
array in PHP anyway, so it's easy to loop through the array and set the
selected attribute if that's the value that was picked. Checkboxes and
radio buttons; if the value has been sent by the user, then mark them
checked when you output the html for them.

Don't fill password boxes, as that confuses the user. If they mistyped,
how do they know what value it holds anyway?

Thanks,
Ash
http://www.ashleysheridan.co.uk




Re: [PHP] Making a Password Confirmation in PHP

2010-06-24 Thread Floyd Resler

On Jun 24, 2010, at 2:22 PM, Michael Calkins wrote:

 
 This is very straight forward, if password a and b are not equal to each 
 other, how can I let the user know that with out losing all of the entered 
 information on the registration form?
 I was trying this: 
 ---
 $p1 = "<input type=\"password\" name=\"usr_p1\" />";
 $p2 = "<input type=\"password\" name=\"usr_p2\" />";
 // if they didn't match return
 $p1 = "<input type=\"password\" name=\"usr_p1\" value=\"" . $p1 . "\" />";
 ---
 I was trying to change the value of the variable which shows the input field 
 to have the password already in it.
 and either one would just be echo'd depending on the result.
 Any ideas please?
 
 From,Michael calkinsmichaelcalk...@live.com
 
 
If you aren't opposed to using JavaScript, I'd do it there.  If you don't want 
to use JavaScript then you can load the form data from the $_POST (or $_GET) 
array that was passed back to your script.

Take care,
Floyd






Re: [PHP] Making a Password Confirmation in PHP

2010-06-24 Thread Ashley Sheridan
On Thu, 2010-06-24 at 14:29 -0400, Floyd Resler wrote:

 On Jun 24, 2010, at 2:22 PM, Michael Calkins wrote:
 
  
  This is very straight forward, if password a and b are not equal to each 
  other, how can I let the user know that with out losing all of the entered 
  information on the registration form?
  I was trying this: 
  ---
  $p1 = "<input type=\"password\" name=\"usr_p1\" />";
  $p2 = "<input type=\"password\" name=\"usr_p2\" />";
  // if they didn't match return
  $p1 = "<input type=\"password\" name=\"usr_p1\" value=\"" . $p1 . "\" />";
  ---
  I was trying to change the value of the variable which shows the input 
  field to have the password already in it.
  and either one would just be echo'd depending on the result.
  Any ideas please?
  
  From,Michael calkinsmichaelcalk...@live.com
  
  
 If you aren't opposed to using JavaScript, I'd do it there.  If you don't 
 want to use JavaScript then you can load the form data from the $_POST (or 
 $_GET) array that was passed back to your script.
 
 Take care,
 Floyd
 
 
 


Is Javascript allowed to read the value of password boxes? I was of the
understanding that it couldn't, so checking if a password field matches
another is pretty moot.

Thanks,
Ash
http://www.ashleysheridan.co.uk




RE: [PHP] Making a Password Confirmation in PHP

2010-06-24 Thread David Česal
Yes, it is.

D

-Original Message-
From: Ashley Sheridan [mailto:a...@ashleysheridan.co.uk] 
Sent: Thursday, June 24, 2010 8:32 PM
To: Floyd Resler
Cc: PHP
Subject: Re: [PHP] Making a Password Confirmation in PHP

On Thu, 2010-06-24 at 14:29 -0400, Floyd Resler wrote:

 On Jun 24, 2010, at 2:22 PM, Michael Calkins wrote:
 
  
  This is very straight forward, if password a and b are not equal to each
other, how can I let the user know that with out losing all of the entered
information on the registration form?
  I was trying this: 
  ---$p1 = input type=\password\ name=\usr_p1\ /;
  $p2 = input type=\password\ name=\usr_p2\ /; // if they 
  didn't match return
  $p1 = input type=\password\ name=\usr_p1\  value=\ . $p1 . 
  \/;--- I was trying to change the value of the variable which shows
the input field to have the password already in it.
  and either one would just be echo'd depending on the result.
  Any ideas please?
  
  From,Michael calkinsmichaelcalk...@live.com
  
  
 If you aren't opposed to using JavaScript, I'd do it there.  If you don't
want to use JavaScript then you can load the form data from the $_POST (or
$_GET) array that was passed back to your script.
 
 Take care,
 Floyd
 
 
 


Is Javascript allowed to read the value of password boxes? I was of the
understanding that it couldn't, so checking if a password field matches
another is pretty moot.

Thanks,
Ash
http://www.ashleysheridan.co.uk







RE: [PHP] Making a Password Confirmation in PHP

2010-06-24 Thread Ashley Sheridan
On Thu, 2010-06-24 at 20:37 +0200, David Česal wrote:

 Yes, it is.
 
 D
 
 -Original Message-
 From: Ashley Sheridan [mailto:a...@ashleysheridan.co.uk] 
 Sent: Thursday, June 24, 2010 8:32 PM
 To: Floyd Resler
 Cc: PHP
 Subject: Re: [PHP] Making a Password Confirmation in PHP
 
 On Thu, 2010-06-24 at 14:29 -0400, Floyd Resler wrote:
 
  On Jun 24, 2010, at 2:22 PM, Michael Calkins wrote:
  
   
   This is very straight forward, if password a and b are not equal to each
 other, how can I let the user know that with out losing all of the entered
 information on the registration form?
   I was trying this: 
   ---$p1 = input type=\password\ name=\usr_p1\ /;
   $p2 = input type=\password\ name=\usr_p2\ /; // if they 
   didn't match return
   $p1 = input type=\password\ name=\usr_p1\  value=\ . $p1 . 
   \/;--- I was trying to change the value of the variable which shows
 the input field to have the password already in it.
   and either one would just be echo'd depending on the result.
   Any ideas please?
   
   From,Michael calkinsmichaelcalk...@live.com
   
   
  If you aren't opposed to using JavaScript, I'd do it there.  If you don't
 want to use JavaScript then you can load the form data from the $_POST (or
 $_GET) array that was passed back to your script.
  
  Take care,
  Floyd
  
  
  
 
 
 Is Javascript allowed to read the value of password boxes? I was of the
 understanding that it couldn't, so checking if a password field matches
 another is pretty moot.
 
 Thanks,
 Ash
 http://www.ashleysheridan.co.uk
 
 
 


Yes, so it does. That seems like a bit of a flaw in Javascript on
security grounds.

Anyway, you still need to perform the same check on the server:

  * Javascript may be turned off
  * Not every browser supports Javascript
  * Someone may make a post request without using the form


Thanks,
Ash
http://www.ashleysheridan.co.uk
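
Added example, not code posted by anyone in this thread: a server-side version of the check discussed above, which re-displays the form with the submitted values escaped, leaves both password boxes empty, and does not depend on JavaScript having run. The field names usr_p1 and usr_p2 come from the original post; usr_name, usr_email and the function names are hypothetical.

```php
<?php
// Added example. usr_p1 / usr_p2 are from the original post; usr_name,
// usr_email and all function names are assumptions made for illustration.

function field(array $post, string $key): string
{
    // A hand-made request can send usr_p1[]=x; treat any non-string as empty.
    return isset($post[$key]) && is_string($post[$key]) ? $post[$key] : '';
}

function validate_registration(array $post): array
{
    $errors = [];
    $p1 = field($post, 'usr_p1');
    $p2 = field($post, 'usr_p2');
    if ($p1 === '') {
        $errors['usr_p1'] = 'Please choose a password.';
    } elseif ($p1 !== $p2) {            // strict comparison, no type juggling
        $errors['usr_p2'] = 'The two passwords do not match.';
    }
    return $errors;
}

function render_form(array $post, array $errors): string
{
    // Escape every submitted value before echoing it into an attribute.
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    $html = '<form method="post">' . "\n";
    foreach (['usr_name', 'usr_email'] as $name) {
        $html .= sprintf('<input type="text" name="%s" value="%s" />' . "\n",
            $name, $e(field($post, $name)));
    }
    // Password boxes are always re-rendered empty, with the error beside them.
    foreach (['usr_p1', 'usr_p2'] as $name) {
        $html .= sprintf('<input type="password" name="%s" />', $name);
        if (isset($errors[$name])) {
            $html .= ' <span class="error">' . $e($errors[$name]) . '</span>';
        }
        $html .= "\n";
    }
    return $html . '<input type="submit" /></form>' . "\n";
}

// Constructed sample request: mismatched passwords, markup in the name field.
$post = ['usr_name' => 'O\'Brien "><b>', 'usr_email' => 'a@example.com',
         'usr_p1' => 'correct horse', 'usr_p2' => 'correct hores'];
$errors = validate_registration($post);
echo $errors ? render_form($post, $errors) : "Passwords match; continue.\n";
```

In a real page the constructed `$post` array would be `$_POST`, and the success branch would hash the password with `password_hash()` before storing it.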




Re: [PHP] Making a Password Confirmation in PHP

2010-06-24 Thread Adam Richardson
On Thu, Jun 24, 2010 at 2:46 PM, Ashley Sheridan
a...@ashleysheridan.co.uk wrote:

 On Thu, 2010-06-24 at 20:37 +0200, David Česal wrote:

  Yes, it is.
 
  D
 
  -Original Message-
  From: Ashley Sheridan [mailto:a...@ashleysheridan.co.uk]
  Sent: Thursday, June 24, 2010 8:32 PM
  To: Floyd Resler
  Cc: PHP
  Subject: Re: [PHP] Making a Password Confirmation in PHP
 
  On Thu, 2010-06-24 at 14:29 -0400, Floyd Resler wrote:
 
   On Jun 24, 2010, at 2:22 PM, Michael Calkins wrote:
  
   
This is very straight forward, if password a and b are not equal to
 each
  other, how can I let the user know that with out losing all of the
 entered
  information on the registration form?
I was trying this:
---$p1 = input type=\password\ name=\usr_p1\ /;
$p2 = input type=\password\ name=\usr_p2\ /; // if they
didn't match return
$p1 = input type=\password\ name=\usr_p1\  value=\ . $p1 .
\/;--- I was trying to change the value of the variable which
 shows
  the input field to have the password already in it.
and either one would just be echo'd depending on the result.
Any ideas please?
   
From,Michael calkinsmichaelcalk...@live.com
   
   
   If you aren't opposed to using JavaScript, I'd do it there.  If you
 don't
  want to use JavaScript then you can load the form data from the $_POST
 (or
  $_GET) array that was passed back to your script.
  
   Take care,
   Floyd
  
  
  
 
 
  Is Javascript allowed to read the value of password boxes? I was of the
  understanding that it couldn't, so checking if a password field matches
  another is pretty moot.
 
  Thanks,
  Ash
  http://www.ashleysheridan.co.uk
 
 
 


 Yes, so it does. That seems like a bit of a flaw in Javascript on
 security grounds.

 Anyway, you still need to perform the same check on the server:

  * Javascript may be turned off
  * Not every browser supports Javascript
  * Someone may make a post request without using the form


 Thanks,
 Ash
 http://www.ashleysheridan.co.uk



Yes, the checks should be performed server-side, too.

In terms of security, the password field was meant merely to protect against
nearby people peering over the shoulder of the user typing in their password
(aka, shoulder surfing.)  So in terms of security, nothing is flawed, and
there has been some debate on the need and implementation of password
fields, especially given interfaces like the iphone which let you view the
last character entered for a brief amount of time:

http://www.schneier.com/blog/archives/2009/07/the_pros_and_co.html
http://www.useit.com/alertbox/passwords.html

I'd recommend progressively enhancing the page with a plugin such as those
listed below (I prefer jQuery, but there are other options for other
frameworks):

http://plugins.jquery.com/project/showPasswordCheckbox
http://plugins.jquery.com/project/fvalidate
http://plugins.jquery.com/project/iphone-password

Adam

-- 
Nephtali:  PHP web framework that functions beautifully
http://nephtaliproject.com