I am setting up a registration form and am using the password hashing api, which from what i have read is currently the best way to protect passwords.
my form is
<form action="register.php" method="post">
<div class="fluid reg_firstname">
<label for="first-name">First Name</label>
<input name="first-name" type="text" style="width:90%;">
</div>
<div class="fluid reg_lastname">
<label for="last-name">Last Name</label>
<input name="last-name" type="text" style="width:90%;">
</div>
<div class="fluid reg_email">
<label for="email">Email</label>
<input name="email" type="text" style="width:50%;">
</div>
<div class="fluid reg_password">
<label for="create-password">Create Password</label>
<input name="create-password" type="password" style="width:70%;">
</div>
<div class="fluid reg_password">
<label for="confirm-password">Confirm Password</label>
<input name="confirm-password" type="password" style="width:70%;">
</div>
<div class="fluid reg_agreement">
<p>
By clicking 'Submit' I agree that:
</p>
<ul>
<li>I accept the User Agreement- opens in a new window or tab.</li>
<li>I give consent to the processing of my data- opens in a new window or tab.</li>
<li>I may receive communications from SLF and I understand that I can change my notification preferences at any time in My Account.</li>
<li>I am at least 18 years old.</li>
</ul>
</div>
<div class="fluid reg_submit">
<input name="step1" type="submit" value="Submit">
</div>
</form>
So i am adding some validtion to my form once the submit button is pressed which looks like this
<?php if(isset($_POST['step1']))
{
#RETRIEVE VARIBLES
$first = mysqli_real_escape_string($db,$_POST['first-name']);
$last = mysqli_real_escape_string($db,$_POST['last-name']);
$email = mysqli_real_escape_string($db,$_POST['email']);
$password1 = password_hash($_POST['create-password'], PASSWORD_DEFAULT);
$password2 = password_hash($_POST['confirm-password'], PASSWORD_DEFAULT);
#VALIDATION CHECKS
if($first == "")
{
$error[] = "Please Enter First Name";
}
if(strlen($first) < 2 OR strlen($first) > 16)
{
$error[] = "Name between 2 and 16 chars long";
}
if(!ctype_alnum ( $first ))
{
$error[] = "Letters Only Please";
}
if($last == "")
{
$error[] = "Please Enter Last Name";
}
if(strlen($last) < 2 OR strlen($last) > 16)
{
$error[] = "Surname between 2 and 16 chars long";
}
if(!ctype_alnum ( $last ))
{
$error[] = "Letters Only Please";
}
if($email == "")
{
$error[] = "Please Enter Vaild Email";
}
if (!filter_var($email, FILTER_VALIDATE_EMAIL))
{
$error[] = "Invalid email format";
}
if($password1 == "")
{
$error[] = "Please enter a valid password";
}
if($password1 <> $password2)
{
$error[] = "Passwords Dont Match";
}
if(isset($error) && (count($error) >0))
{
echo "<pre>";
print_r($error);
echo "</pre>";
}
echo "step one complete<br />";
echo $password1."<br />".$password2;
}?>
the trouble im having is with my password check
if($password1 <> $password2)
{
$error[] = "Passwords Dont Match";
}
im checking if the two varibles match but im guessing because i have added the password_hash to them it is checking the hash value and not the actual value entered by the user? how would i correct this so it checks the actual data and not the hash value (which will never match)?
appreciate any help!
Cheers
If you want to test the original data, then why not just actually test the original data?
Am I missing something?