Say I have a simple form:
<form action="register.php" method="post">
<label>Password:</label>
<?php if (isset($errors[1])) echo $errors[1]; ?> <- Displays error message if there is one
<input type="password" name="user_pass" />
<label>Confirm Password:</label>
<input type="password" name="user_pass_confirm" />
<input type="submit" />
</form>
$user_pass = $security->encrypt($_POST['user_pass']);
$user_pass_confirm = $security->encrypt($_POST['user_pass_confirm']);
$registration->form($user_pass, $user_pass_confirm);
And a class:
if (empty($user_pass)) {
$errors[1] = 'Passwords required';
} else if ($user_pass != $user_pass_confirm) {
$errors[1] = 'Passwords don't match';
}
//if error array empty, create member
What I'm trying to do is validate the password to make it required, make sure they match and I would also add in a preg_match regular expression to ensure that it was at least 8 characters long or whatever.
My problem is, I've already encrypted the password before I submit it (which I believe unencrypted passwords shouldn't be posted, correct me if I'm wrong).
And then when my class gets the encoded string I can't do anything to validate it. I could check for empty by comparing the fields to the encrypted/salted version of nothing but I'm certain that's not the way to do it.
Can anyone point me to the standard procedure for validating passwords or whatever your suggestions are on the solution.
Many thanks
PHP cannot be executed on the client side. You cannot encrypt a plain password using PHP without sending it to the server in plain as PHP is a server side language. The password has to be sent to the server before you can access it. You can make use of mechanisms like SSL/TLS over https but this does not affect your PHP-Code.
That means: You cannot encrypt a password using PHP before the form is submitted. This can be done by client-side programming languages like JavaScript. You could implement a JavaScript function checking if the password is OK (not empty and long/secure enough) and afterwards have JavaScript encrypt it and then send it to the server so that the encrypted password is transferred to the server.
<form action="register.php" method="post">
...
</form>
<?php
//$user_pass = $security->encrypt($_POST['user_pass']);
//$user_pass_confirm = $security->encrypt($_POST['user_pass_confirm']);
//$registration->form($user_pass, $user_pass_confirm);
//YOUR PASSWORD HAS NOT BEEN SENT TO YOUR SERVER YET. YOU CANNOT ACCESS IT USING PHP.
//YOU WOULD NORMALLY DO SOMETHING LIKE THIS (IN REGISTER.PHP)
if(isset($_POST["name_of_your_submit_field"])) //WHICH MEANS THAT YOUR FORM HAS BEEN SUBMITTED NOW
{
//This checks whether the POST-variable of your submit field is set.
//If it is, you know that the client has submitted the form and sent the form data to your server.
//Only here you can access the form data.
$user_pass=$_POST['user_pass'];
if(strlen($user_pass) > 8)
{
$user_pass = $security->encrypt($user_pass);
$user_pass_confirm = $security->encrypt($_POST['user_pass_confirm']);
$registration->form($user_pass, $user_pass_confirm);
}
}
?>