Validation needed on a comparison form field?

I am wondering how much validation is needed (and what other security checks I might need to run) on a field that has a confirmation field. An example of this is a “password” form field that has an associated “confirm your password.”

In my code, I have:

$password = $_POST['password']
$confirmpassword = $_POST['confirmpassword']

if (!$password == $confirmpassword)
  // give error message

But $password itself is highly validated and (I believe) secure. The $confirmpassword is not used other than to be compared to $password, so it is never used in output or used in a database. I could easily duplicate the same code to apply to $confirmpassword, but I thought this might be unnecessary. Should I have any concerns here?

if($password != $confPassword){
   //out error msg

should be sufficient to compare the values of the 2 strings.

Then, just as you said, make sure you validate and sanitise properly just 1 of the 2 strings before using them in an sql query.

I’m sure you do, but just to make sure: sanitise after the comparison.

yep, I do - just as I suggested to the op in post 2.

I’d run trim() over both variables too, easy for a user to accidentally add a leading/trailing space.

Thanks for everyone’s help. Glad to hear I don’t have to replicate the code!

Of course you do. I was talking to the OP.

oh, ok :slight_smile:

I wasn’t sure who you were talking to since you were only repeating what I already said in post 2.

I’m really confused as to what constitutes fluff nowadays on this website :frowning: (: