Prev: Quick session question
Next: in_array - what the...
From: Ashley Sheridan on 24 Jun 2010 14:46 On Thu, 2010-06-24 at 20:37 +0200, David Äesal wrote: > Yes, it is. > > D > > -----Original Message----- > From: Ashley Sheridan [mailto:ash(a)ashleysheridan.co.uk] > Sent: Thursday, June 24, 2010 8:32 PM > To: Floyd Resler > Cc: PHP > Subject: Re: [PHP] Making a Password Confirmation in PHP > > On Thu, 2010-06-24 at 14:29 -0400, Floyd Resler wrote: > > > On Jun 24, 2010, at 2:22 PM, Michael Calkins wrote: > > > > > > > > This is very straight forward, if password a and b are not equal to each > other, how can I let the user know that with out losing all of the entered > information on the registration form? > > > I was trying this: > > > ---$p1 = "<input type=\"password\" name=\"usr_p1\" />"; > > > $p2 = "<input type=\"password\" name=\"usr_p2\" />"; // if they > > > didn't match return > > > $p1 = "<input type=\"password\" name=\"usr_p1\" value=\"" . $p1 . > > > "\"/>";--- I was trying to change the value of the variable which shows > the input field to have the password already in it. > > > and either one would just be echo'd depending on the result. > > > Any ideas please? > > > > > > From,Michael Calkinsmichaelcalkins(a)live.com > > > > > > > > If you aren't opposed to using JavaScript, I'd do it there. If you don't > want to use JavaScript then you can load the form data from the $_POST (or > $_GET) array that was passed back to your script. > > > > Take care, > > Floyd > > > > > > > > > Is Javascript allowed to read the value of password boxes? I was of the > understanding that it couldn't, so checking if a password field matches > another is pretty moot. > > Thanks, > Ash > http://www.ashleysheridan.co.uk > > > Yes, so it does. That seems like a bit of a flaw in Javascript on security grounds. Anyway, you still need to perform the same check on the server: * Javascript may be turned off * Not every browser supports Javascript * Someone may make a post request without using the form Thanks, Ash http://www.ashleysheridan.co.uk
From: Adam Richardson on 24 Jun 2010 15:03 On Thu, Jun 24, 2010 at 2:46 PM, Ashley Sheridan <ash(a)ashleysheridan.co.uk>wrote: > On Thu, 2010-06-24 at 20:37 +0200, David Äesal wrote: > > > Yes, it is. > > > > D > > > > -----Original Message----- > > From: Ashley Sheridan [mailto:ash(a)ashleysheridan.co.uk] > > Sent: Thursday, June 24, 2010 8:32 PM > > To: Floyd Resler > > Cc: PHP > > Subject: Re: [PHP] Making a Password Confirmation in PHP > > > > On Thu, 2010-06-24 at 14:29 -0400, Floyd Resler wrote: > > > > > On Jun 24, 2010, at 2:22 PM, Michael Calkins wrote: > > > > > > > > > > > This is very straight forward, if password a and b are not equal to > each > > other, how can I let the user know that with out losing all of the > entered > > information on the registration form? > > > > I was trying this: > > > > ---$p1 = "<input type=\"password\" name=\"usr_p1\" />"; > > > > $p2 = "<input type=\"password\" name=\"usr_p2\" />"; // if they > > > > didn't match return > > > > $p1 = "<input type=\"password\" name=\"usr_p1\" value=\"" .. $p1 . > > > > "\"/>";--- I was trying to change the value of the variable which > shows > > the input field to have the password already in it. > > > > and either one would just be echo'd depending on the result. > > > > Any ideas please? > > > > > > > > From,Michael Calkinsmichaelcalkins(a)live.com > > > > > > > > > > > If you aren't opposed to using JavaScript, I'd do it there. If you > don't > > want to use JavaScript then you can load the form data from the $_POST > (or > > $_GET) array that was passed back to your script. > > > > > > Take care, > > > Floyd > > > > > > > > > > > > > > > Is Javascript allowed to read the value of password boxes? I was of the > > understanding that it couldn't, so checking if a password field matches > > another is pretty moot. > > > > Thanks, > > Ash > > http://www.ashleysheridan.co.uk > > > > > > > > > Yes, so it does. That seems like a bit of a flaw in Javascript on > security grounds. > > Anyway, you still need to perform the same check on the server: > > * Javascript may be turned off > * Not every browser supports Javascript > * Someone may make a post request without using the form > > > Thanks, > Ash > http://www.ashleysheridan.co.uk > > > Yes, the checks should be performed server-side, too. In terms of security, the password field was meant merely to protect against nearby people peering over the shoulder of the user typing in their password (aka, shoulder surfing.) So in terms of security, nothing is flawed, and there has been some debate on the need and implementation of password fields, especially given interfaces like the iphone which let you view the last character entered for a brief amount of time: http://www.schneier.com/blog/archives/2009/07/the_pros_and_co.html http://www.useit.com/alertbox/passwords.html I'd recommend progressively enhancing the page with a plugin such as those listed below (I prefer jQuery, but there are other options for other frameworks): http://plugins.jquery.com/project/showPasswordCheckbox http://plugins.jquery.com/project/fvalidate http://plugins.jquery.com/project/iphone-password Adam -- Nephtali: PHP web framework that functions beautifully http://nephtaliproject.com
From: Richard Quadling on 25 Jun 2010 05:35 On 24 June 2010 19:46, Ashley Sheridan <ash(a)ashleysheridan.co.uk> wrote: > On Thu, 2010-06-24 at 20:37 +0200, David Äesal wrote: > >> Yes, it is. >> >> D >> >> -----Original Message----- >> From: Ashley Sheridan [mailto:ash(a)ashleysheridan.co.uk] >> Sent: Thursday, June 24, 2010 8:32 PM >> To: Floyd Resler >> Cc: PHP >> Subject: Re: [PHP] Making a Password Confirmation in PHP >> >> On Thu, 2010-06-24 at 14:29 -0400, Floyd Resler wrote: >> >> > On Jun 24, 2010, at 2:22 PM, Michael Calkins wrote: >> > >> > > >> > > This is very straight forward, if password a and b are not equal to each >> other, how can I let the user know that with out losing all of the entered >> information on the registration form? >> > > I was trying this: >> > > ---$p1 = "<input type=\"password\" name=\"usr_p1\" />"; >> > > $p2 = "<input type=\"password\" name=\"usr_p2\" />"; // if they >> > > didn't match return >> > > $p1 = "<input type=\"password\" name=\"usr_p1\" Â value=\"" . $p1 . >> > > "\"/>";--- I was trying to change the value of the variable which shows >> the input field to have the password already in it. >> > > and either one would just be echo'd depending on the result. >> > > Any ideas please? >> > > >> > > From,Michael Calkinsmichaelcalkins(a)live.com >> > > >> > > >> > If you aren't opposed to using JavaScript, I'd do it there. Â If you don't >> want to use JavaScript then you can load the form data from the $_POST (or >> $_GET) array that was passed back to your script. >> > >> > Take care, >> > Floyd >> > >> > >> > >> >> >> Is Javascript allowed to read the value of password boxes? I was of the >> understanding that it couldn't, so checking if a password field matches >> another is pretty moot. >> >> Thanks, >> Ash >> http://www.ashleysheridan.co.uk >> >> >> > > > Yes, so it does. That seems like a bit of a flaw in Javascript on > security grounds. > And the fact that a browser will transmit <input type="password"> as plain text isn't a security issue? -- ----- Richard Quadling "Standing on the shoulders of some very clever giants!" EE : http://www.experts-exchange.com/M_248814.html EE4Free : http://www.experts-exchange.com/becomeAnExpert.jsp Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498&r=213474731 ZOPA : http://uk.zopa.com/member/RQuadling
From: Andrew Ballard on 25 Jun 2010 09:06
On Fri, Jun 25, 2010 at 5:35 AM, Richard Quadling <rquadling(a)gmail.com> wrote: > And the fact that a browser will transmit <input type="password"> as > plain text isn't a security issue? That's what SSL is for. Andrew |