From: Ashley Sheridan on
On Thu, 2010-06-24 at 20:37 +0200, David Česal wrote:

> Yes, it is.
>
> D
>
> -----Original Message-----
> From: Ashley Sheridan [mailto:ash(a)ashleysheridan.co.uk]
> Sent: Thursday, June 24, 2010 8:32 PM
> To: Floyd Resler
> Cc: PHP
> Subject: Re: [PHP] Making a Password Confirmation in PHP
>
> On Thu, 2010-06-24 at 14:29 -0400, Floyd Resler wrote:
>
> > On Jun 24, 2010, at 2:22 PM, Michael Calkins wrote:
> >
> > >
> > > This is very straight forward, if password a and b are not equal to each
> other, how can I let the user know that without losing all of the entered
> information on the registration form?
> > > I was trying this:
> > > ---$p1 = "<input type=\"password\" name=\"usr_p1\" />";
> > > $p2 = "<input type=\"password\" name=\"usr_p2\" />"; // if they
> > > didn't match return
> > > $p1 = "<input type=\"password\" name=\"usr_p1\" value=\"" . $p1 .
> > > "\"/>";--- I was trying to change the value of the variable which shows
> the input field to have the password already in it.
> > > and either one would just be echo'd depending on the result.
> > > Any ideas please?
> > >
> > > From, Michael Calkins michaelcalkins(a)live.com
> > >
> > >
> > If you aren't opposed to using JavaScript, I'd do it there. If you don't
> want to use JavaScript then you can load the form data from the $_POST (or
> $_GET) array that was passed back to your script.
> >
> > Take care,
> > Floyd
> >
> >
> >
>
>
> Is Javascript allowed to read the value of password boxes? I was of the
> understanding that it couldn't, so checking if a password field matches
> another is pretty moot.
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
>
>
>


Yes, so it does. That seems like a bit of a flaw in Javascript on
security grounds.

Anyway, you still need to perform the same check on the server:

* Javascript may be turned off
* Not every browser supports Javascript
* Someone may make a post request without using the form


Thanks,
Ash
http://www.ashleysheridan.co.uk
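
As an added example (not code from the thread), here is the server-side form of the check Floyd and Ash describe: the comparison runs on every POST whether or not JavaScript ran, the form is re-rendered from $_POST with the text fields preserved, and the password fields are always sent back empty so the secret never lands in the page source. It assumes PHP 7.4+; the field names other than usr_p1/usr_p2 and the error strings are made up.

```php
<?php
// Added example, not code from the thread. Server-side password confirmation
// that re-renders the registration form with the non-secret fields filled in.
// usr_p1/usr_p2 come from the original post; username/email are assumptions.
function validateRegistration(array $post): array
{
    $errors   = [];
    $username = trim((string)($post['username'] ?? ''));
    $email    = trim((string)($post['email'] ?? ''));
    $p1       = (string)($post['usr_p1'] ?? '');
    $p2       = (string)($post['usr_p2'] ?? '');
    if ($username === '') {
        $errors['username'] = 'Username is required.';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'A valid e-mail address is required.';
    }
    if (strlen($p1) < 8) {
        $errors['usr_p1'] = 'Password must be at least 8 characters.';
    } elseif ($p1 !== $p2) {
        $errors['usr_p2'] = 'The two passwords do not match.';
    }
    return $errors;
}

function renderForm(array $post, array $errors): string
{
    $h = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $html = "<form method=\"post\">\n";
    foreach (['username' => 'text', 'email' => 'text', 'usr_p1' => 'password', 'usr_p2' => 'password'] as $name => $type) {
        // Text fields get their submitted value back (escaped); password fields are
        // always re-rendered empty so the secret never appears in the page source.
        $value = $type === 'password' ? '' : $h((string)($post[$name] ?? ''));
        $html .= '<input type="' . $type . '" name="' . $name . '" value="' . $value . '">';
        if (isset($errors[$name])) {
            $html .= '<span class="error">' . $h($errors[$name]) . '</span>';
        }
        $html .= "\n";
    }
    return $html . "<button type=\"submit\">Register</button>\n</form>\n";
}

// The check runs on every POST, whether it came from the form, from a browser
// with JavaScript disabled, or from a hand-built request.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validateRegistration($_POST);
    echo $errors === [] ? "Registered.\n" : renderForm($_POST, $errors);
} else {
    echo renderForm([], []);
}
```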


From: Adam Richardson on
On Thu, Jun 24, 2010 at 2:46 PM, Ashley Sheridan
<ash(a)ashleysheridan.co.uk>wrote:

> On Thu, 2010-06-24 at 20:37 +0200, David Česal wrote:
>
> > Yes, it is.
> >
> > D
> >
> > -----Original Message-----
> > From: Ashley Sheridan [mailto:ash(a)ashleysheridan.co.uk]
> > Sent: Thursday, June 24, 2010 8:32 PM
> > To: Floyd Resler
> > Cc: PHP
> > Subject: Re: [PHP] Making a Password Confirmation in PHP
> >
> > On Thu, 2010-06-24 at 14:29 -0400, Floyd Resler wrote:
> >
> > > On Jun 24, 2010, at 2:22 PM, Michael Calkins wrote:
> > >
> > > >
> > > > This is very straight forward, if password a and b are not equal to
> each
> > other, how can I let the user know that without losing all of the
> entered
> > information on the registration form?
> > > > I was trying this:
> > > > ---$p1 = "<input type=\"password\" name=\"usr_p1\" />";
> > > > $p2 = "<input type=\"password\" name=\"usr_p2\" />"; // if they
> > > > didn't match return
> > > > $p1 = "<input type=\"password\" name=\"usr_p1\" value=\"" . $p1 .
> > > > "\"/>";--- I was trying to change the value of the variable which
> shows
> > the input field to have the password already in it.
> > > > and either one would just be echo'd depending on the result.
> > > > Any ideas please?
> > > >
> > > > From, Michael Calkins michaelcalkins(a)live.com
> > > >
> > > >
> > > If you aren't opposed to using JavaScript, I'd do it there. If you
> don't
> > want to use JavaScript then you can load the form data from the $_POST
> (or
> > $_GET) array that was passed back to your script.
> > >
> > > Take care,
> > > Floyd
> > >
> > >
> > >
> >
> >
> > Is Javascript allowed to read the value of password boxes? I was of the
> > understanding that it couldn't, so checking if a password field matches
> > another is pretty moot.
> >
> > Thanks,
> > Ash
> > http://www.ashleysheridan.co.uk
> >
> >
> >
>
>
> Yes, so it does. That seems like a bit of a flaw in Javascript on
> security grounds.
>
> Anyway, you still need to perform the same check on the server:
>
> * Javascript may be turned off
> * Not every browser supports Javascript
> * Someone may make a post request without using the form
>
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
>
>
>
Yes, the checks should be performed server-side, too.

In terms of security, the password field was meant merely to protect against
nearby people peering over the shoulder of the user typing in their password
(aka, shoulder surfing.) So in terms of security, nothing is flawed, and
there has been some debate on the need and implementation of password
fields, especially given interfaces like the iphone which let you view the
last character entered for a brief amount of time:

http://www.schneier.com/blog/archives/2009/07/the_pros_and_co.html
http://www.useit.com/alertbox/passwords.html

I'd recommend progressively enhancing the page with a plugin such as those
listed below (I prefer jQuery, but there are other options for other
frameworks):

http://plugins.jquery.com/project/showPasswordCheckbox
http://plugins.jquery.com/project/fvalidate
http://plugins.jquery.com/project/iphone-password

Adam

--
Nephtali: PHP web framework that functions beautifully
http://nephtaliproject.com
From: Richard Quadling on
On 24 June 2010 19:46, Ashley Sheridan <ash(a)ashleysheridan.co.uk> wrote:
> On Thu, 2010-06-24 at 20:37 +0200, David Česal wrote:
>
>> Yes, it is.
>>
>> D
>>
>> -----Original Message-----
>> From: Ashley Sheridan [mailto:ash(a)ashleysheridan.co.uk]
>> Sent: Thursday, June 24, 2010 8:32 PM
>> To: Floyd Resler
>> Cc: PHP
>> Subject: Re: [PHP] Making a Password Confirmation in PHP
>>
>> On Thu, 2010-06-24 at 14:29 -0400, Floyd Resler wrote:
>>
>> > On Jun 24, 2010, at 2:22 PM, Michael Calkins wrote:
>> >
>> > >
>> > > This is very straight forward, if password a and b are not equal to each
>> other, how can I let the user know that without losing all of the entered
>> information on the registration form?
>> > > I was trying this:
>> > > ---$p1 = "<input type=\"password\" name=\"usr_p1\" />";
>> > > $p2 = "<input type=\"password\" name=\"usr_p2\" />"; // if they
>> > > didn't match return
>> > > $p1 = "<input type=\"password\" name=\"usr_p1\"  value=\"" . $p1 .
>> > > "\"/>";--- I was trying to change the value of the variable which shows
>> the input field to have the password already in it.
>> > > and either one would just be echo'd depending on the result.
>> > > Any ideas please?
>> > >
>> > > From, Michael Calkins michaelcalkins(a)live.com
>> > >
>> > >
>> > If you aren't opposed to using JavaScript, I'd do it there.  If you don't
>> want to use JavaScript then you can load the form data from the $_POST (or
>> $_GET) array that was passed back to your script.
>> >
>> > Take care,
>> > Floyd
>> >
>> >
>> >
>>
>>
>> Is Javascript allowed to read the value of password boxes? I was of the
>> understanding that it couldn't, so checking if a password field matches
>> another is pretty moot.
>>
>> Thanks,
>> Ash
>> http://www.ashleysheridan.co.uk
>>
>>
>>
>
>
> Yes, so it does. That seems like a bit of a flaw in Javascript on
> security grounds.
>

And the fact that a browser will transmit <input type="password"> as
plain text isn't a security issue?



--
-----
Richard Quadling
"Standing on the shoulders of some very clever giants!"
EE : http://www.experts-exchange.com/M_248814.html
EE4Free : http://www.experts-exchange.com/becomeAnExpert.jsp
Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498&r=213474731
ZOPA : http://uk.zopa.com/member/RQuadling
From: Andrew Ballard on
On Fri, Jun 25, 2010 at 5:35 AM, Richard Quadling <rquadling(a)gmail.com> wrote:
> And the fact that a browser will transmit <input type="password"> as
> plain text isn't a security issue?

That's what SSL is for.

Andrew