password matching in codeigniter - php

I used to validate my registration form by the following code:
$this->form_validation->set_rules('password', 'Password', 'trim|required|matches[cpassword]|md5');
$this->form_validation->set_rules('cpassword', 'Confirm Password', 'trim|required');
but when i browse my form it shows me an error that password doesn't match.
codeigniter form result


Controllers are not for database. So, please change your code to this:
$this->form_validation->set_rules('password', 'Password', 'trim|required');
$this->form_validation->set_rules('cpassword', 'Confirm Password', 'trim|required|matches[password]');
If you want to put it as a hash into the database, you should use Models. Here is an example code:
public function signup() {
$password = $this->input->post('password', true);
$hash = password_hash($password, PASSWORD_BCRYPT); // put $hash variable into your database
...
}

Related

Codeigniter matches return false

i tried to save account to the db.
when validating the form with form_validation, it always returning false, even when i tried to insert the correct value. heres the code
public function save(){
$params = $this->input->post();
if(!empty($params['id_account']) && !empty($params['password']) ){
$this->form_validation->set_rules('confPass', 'Confirmation Password', 'matches[password]');
}else{
$this->form_validation->set_rules('password', 'Password', 'required');
$this->form_validation->set_rules('confPass', 'Confirmation Password', 'required|matches[password]');
}
$this->form_validation->set_data($params);
$this->form_validation->set_rules('username', 'Username', 'required');
$this->form_validation->set_rules('id_role', 'Role', 'required');
if ($this->form_validation->run() == TRUE) {
unset($params['confPass']);
$params['account_status'] = array_key_exists('account_status', $params) ? $params['account_status'] : ACCOUNT_STATUS_PENDING;
$this->load->model('user_model');
$this->user_model->save($params);
$this->session->set_flashdata('notif', '<div class="alert alert-success">Berhasil menyimpan data.</div>');
redirect('rbac/form/account');
} else {
$error = validation_errors();
echo '<pre>';
print_r($error);
echo '</pre>';
var_dump($params['password']);
var_dump($params['confPass']);
die();
// $this->session->set_flashdata('notif', '<div class="alert alert-danger">'.$error.'</div>');
// redirect('rbac/form/account');
}
}
i tried to returning the validation_errors(), $params['confPass'] & $params['password'] and here is the result :
The Confirmation Password field does not match the password field.
string(1) "e" string(1) "e"
as you can see $params['confPass'] and $params['password'] is match.

if(!empty($params['id_account']) && !empty($params['password']) ){
$this->form_validation->set_rules('confPass', 'Confirmation Password', 'matches[password]');
}else{
$this->form_validation->set_rules('password', 'Password', 'required');
$this->form_validation->set_rules('confPass', 'Confirmation Password', 'required|matches[password]');
}
When the condition you wrote above is true i.e. control is in if (below) block
if(!empty($params['id_account']) && !empty($params['password']) )
you did not put a condition for the 'password' field you only have confirm password rule. Which does not match to anything and although the passwords match it always return false.
You need to add validation rule for password
$this->form_validation->set_rules('password', 'Password', 'required');
before confirm password rule which is looking to match the password.
If your condition states that it does not require password you can do something like,
$this->form_validation->set_rules('password', 'Password', 'min_length[5]');
anything which fulfills your condition but not "required" i.e trim or min_length
Hope it helps.

When form validation fails how to redirect to different function based on inputs

I have a input page with 3 inputs username, password, OTP. When password is wrong i want to send it 1 function and if OTP fails i want to send it other function. How can i achieve this. Below is a sample code.
public function verifyLogin() {
$data['BASE_URL'] = base_url();
$this->load->library('form_validation');
$this->form_validation->set_rules('email', 'Email', 'trim|required|xss_clean');
$this->form_validation->set_rules('password', 'Password', 'trim|required|xss_clean|callback_check_database');
$this->form_validation->set_rules('otp', 'OTP', 'trim|xss_clean|callback_check_otpNum');
if ($this->form_validation->run() == false) {
if(//passwordFails)
$this->index();
else if(//otpfails)
$this->loginPage();
}
}

Try using $this->form_validation->error_array() to get all failed validations and then equating accordingly

callback not working in codeigniter 3.0

<?php
class Form extends CI_Controller {
public function index()
{
$this->load->helper(array('form', 'url'));
$this->load->library('form_validation');
$this->form_validation->set_rules('email', 'Email', 'required|valid_email');
$this->form_validation->set_rules('password', 'Password', 'required');
$this->form_validation->set_rules('confpassword', 'Password', 'required|matches[password]', 'callback__matcherror');
//$this->form_validation->set_rules('passconf', 'Password Confirmation', 'required');
//$this->form_validation->set_rules('email', 'Email', 'required');
if ($this->form_validation->run() == FALSE)
{
$this->load->view('login');
}
else
{
$this->load->view('insert_dream');
}
}
public function _matcherror() {
$this->form_validation->set_message('_matcherror', 'Passwords should match');
return FALSE;
}
}
?>
i am a newbie to codeigniter. The above code doesnt display passwords should match error message. Is something wrong with the callback or Am i missing something.

Take a look here. You don't need to make a callback.

You are passing callback__matcherror as fourth parameter of set_rules function.It should be 3rd parameter. Use this way
$this->form_validation->set_rules('confpassword', 'Password', 'required|matches[password]|callback__matcherror');
Note
You will get this error message if your password fields match.Because you applying 3 rule there.3rd rule(call_back_function) will apply when 2nd rule is success. Your 2nd rule will valid when passwords matches.

matches[password]
will automatically check for password. You need not to use callback function callback__matcherror

Security things to do in input data

I have a website build in CodeIgniter framework. The website contain a lot of forms for different purposes. I am submitting these forms directly to a controller function.
What are the things I should apply in this input before I save it to database through the model?
If I directly send this data without doing anything, what will be the security risk?

You need to use form_validation
https://ellislab.com/codeigniter/user-guide/libraries/form_validation.html
Best way will be if you will set rules for each field
like this
$this->load->helper(array('form', 'url'));
$this->load->library('form_validation');
$this->form_validation->set_rules('username', 'Username', 'required');
$this->form_validation->set_rules('password', 'Password', 'required');
$this->form_validation->set_rules('passconf', 'Password Confirmation', 'required');
$this->form_validation->set_rules('email', 'Email', 'required');
if ($this->form_validation->run() == FALSE)
{
$this->load->view('myform');
}
else
{
$this->load->view('formsuccess');
}
And you don't need to use any special escape
Or try to understand how to use PDO in CodeIgniter
http://codebyjeff.com/blog/2013/03/codeigniter-with-pdo

How to access data from form validating controller in codeigniter?

I followed the tutorial for making a registration form with validation, with 2 views and 1 controller.
I wrote this in the controller:
function index()
{
$this->load->helper(array('form', 'url'));
$this->load->library('form_validation');
$this->form_validation->set_rules('username', 'Username', 'trim|required|min_length[3]|max_length[16]|xss_clean|callback_username_check');
$this->form_validation->set_rules('password', 'Password', 'trim|required|matches[passconf]|md5');
$this->form_validation->set_rules('passconf', 'Password Confirmation', 'trim|required');
$this->form_validation->set_rules('email', 'Email', 'trim|required|valid_email');
if ($this->form_validation->run() == FALSE)
{
$this->load->view('register_form');
}
else
{
$this->load->view('register_success');
$data = array(
'IDUser' => NULL ,
'Username' => "$username" ,
'Password' => 'password' ,
'Email' => 'email' ,
'Gender' => 'gender' ,
'Birthday' => 'bday' ,
);
$this->db->insert('Accounts', $data);
}
}
First it is executes a working sql insert. After, a validation. Nevertheless, the values loaded from the database are not those from the validation. Instead, they are the same plain text in the array.
I don't want to get the values directly from the form/view with POST; that's pointless. What do i do? I'm new to Codeigniter and not that familiar with OOP PHP.

You just have to use Codeigniter Input class : http://ellislab.com/codeigniter/user-guide/libraries/input.html
So in your case:
$username = $this->input->post('username');
$password = $this->input->post('password');
$passconf = $this->input->post('passconf');
$email = $this->input->post('email');

dragu is correct but please use this format:
$username = $this->input->post('username', TRUE);
the TRUE tells codeigniter to XSS clean which is a security feature you definitely want. Thats also why you put XSS clean in the form validation. from yr example:
$this->form_validation->set_rules('username', 'Username', 'trim|required|min_length[3]|max_length[16]|xss_clean|callback_username_check');
If the form fails validation, then CI can display the results in the form again. having xss_clean in the validation cleans those values.

Categories