Validation needed on a comparison form field?

I am wondering how much validation is needed (and what other security checks I might need to run) on a field that has a confirmation field. An example of this is a “password” form field that has an associated “confirm your password.”

In my code, I have:


$password = $_POST['password'];
$confirmpassword = $_POST['confirmpassword'];

// Note: "!$password == $confirmpassword" negates $password before comparing,
// so the original condition never did what it looked like; compare strictly instead.
if ($password !== $confirmpassword)
{
  // give error message
}

But $password itself is highly validated and (I believe) secure. The $confirmpassword is not used other than to be compared to $password, so it is never used in output or used in a database. I could easily duplicate the same code to apply to $confirmpassword, but I thought this might be unnecessary. Should I have any concerns here?

if ($password != $confirmpassword) {
   // output error message
}

should be sufficient to compare the values of the 2 strings.

Then, just as you said, make sure you validate and sanitise properly just 1 of the 2 strings before using them in an SQL query.

I’m sure you do, but just to make sure: sanitise after the comparison.

Yep, I do, just as I suggested to the OP in post 2.

I’d run trim() over both variables too, easy for a user to accidentally add a leading/trailing space.
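An added example (not code from anyone in this thread) that puts the advice above together in PHP: trim both fields, compare once with a strict check, validate only the password that is kept, then hash it and write it with a prepared statement. The users table, its columns and the $pdo connection are assumptions.

```php
<?php
// Added example: the comparison-first flow described in this thread.

function readPasswordPair(array $post): array
{
    // A client can submit password[]=... so $_POST['password'] may be an array;
    // trim() on an array is an error, so reject anything that is not a string.
    $password = $post['password'] ?? null;
    $confirm  = $post['confirmpassword'] ?? null;
    if (!is_string($password) || !is_string($confirm)) {
        return [null, 'Password fields must be plain text.'];
    }
    // Strip accidental leading/trailing whitespace from both before comparing.
    $password = trim($password);
    $confirm  = trim($confirm);

    // Strict comparison avoids PHP's loose type juggling; the confirmation
    // value is never used again after this point, so it needs no other checks.
    if ($password !== $confirm) {
        return [null, 'Passwords do not match.'];
    }
    return [$password, null];
}

function validatePassword(string $password): ?string
{
    // Only the kept password needs policy checks. The upper bound matters:
    // bcrypt (what PASSWORD_DEFAULT currently selects) ignores bytes past 72.
    $len = strlen($password);
    if ($len < 12 || $len > 72) {
        return 'Password must be between 12 and 72 bytes.';
    }
    return null;
}

function storePassword(PDO $pdo, string $username, string $password): void
{
    // Only the hash is stored, and the prepared statement keeps any value out
    // of the SQL text, so no "sanitising" of the password itself is needed.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)'); // table assumed
    $stmt->execute([$username, $hash]);
}

// Usage with constructed input; the trailing space on the confirmation is trimmed away.
[$password, $error] = readPasswordPair(['password' => 'correct horse battery', 'confirmpassword' => 'correct horse battery ']);
$error = $error ?? validatePassword($password);
if ($error !== null) {
    echo $error, PHP_EOL;
} else {
    // storePassword($pdo, 'alice', $password);  // $pdo is a hypothetical PDO connection
}
```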

Thanks for everyone’s help. Glad to hear I don’t have to replicate the code!

Of course you do. I was talking to the OP.

Oh, ok :)

I wasn’t sure who you were talking to since you were only repeating what I already said in post 2.

I’m really confused as to what constitutes fluff nowadays on this website :(