Please Help! - Verifying Password

[Krishan]

Hi people.

I have a "New User Sign Up" page. It has several fields including a "Password" field. The sign up form creates a -new record in the Users.fp5 database.

How do I create a "Verify Password" field which will only create a new record in my Users.fp5 if the two password fields are the same?

I don't want to use Javascript. I would prefer using FMP to do the verification..... any ideas?

I would be extremely grateful for your help! Thanks!

[proton]

quote:

---

Originally posted by Krishan:

Hi people.

I have a "New User Sign Up" page. It has several fields including a "Password" field. The sign up form creates a -new record in the Users.fp5 database.

How do I create a "Verify Password" field which will only create a new record in my Users.fp5 if the two password fields are the same?

I don't want to use Javascript. I would prefer using FMP to do the verification..... any ideas?

I would be extremely grateful for your help! Thanks!

---

Krishan,

You always come up with some good questions! You said you want to create a verify password field that would only create a new record if the two password fields were the same. I have a solution like that, but I took a different route.

What I did, I have the two fields "Pass1" and "Pass2". In the new user signup CDML form, the user types the password in Pass1 and re-enters it in Pass2. When they submit the form it creates the new record in the user database. I have a calculation field (lets call it "verification field") in the user database that uses the IF function to check that the data entered in the two fields is the same. If it is it returns a result of 1...if not it returns a result of 0.

Now when the user submits the record, it takes them to a confirmation page. On this confirmation page I have FMP-IF statements that say if verification field is 1 then display "Congratulations, you were added" or something like that. If verification field is 0 then display "Sorry your passwords do not match, please click on this link to re-enter your passwords" and I have a link that takes them to an edit cdml page to edit their record, and they can re-submit.

The trick is you don't want to stop them when they submit the form, it's okay to create the record in the database, then just let them edit the passwords. Hope this helps you out.

[Keith M. Davie]

"The trick is you don't want to stop them when they submit the form, it's okay to create the record in the database, then just let them edit the passwords. Hope this helps you out."

I agree that you do not want to stop them, yet if they decide to exit after being prompted to resubmit, you now have a record that does what? If they then come back to your site and start over what happens to the new record? What happens to the old record which was left "incomplete" by the stated criteria? Are they able to use one of the passwords in the "incomplete" record to gain entry even though not properly registered by your criteria?

Really the best way to handle the situation is with a script. Of course you will need a workaround in FMPro 4 or 5. Or you will need to upgrade to a version of 5.5.

SIMPLIFY ...

Keith

[Krishan]

Hello.

Thanks for the advice guys.

Proton, your idea sounds really good. It seems user friendly.

But Keith does have a point. What happens if they decide to exit after being prompted to resubmit?

I'm wondering if there is a way of verifying the password without creating a new record, using FMP-If and -Token tags.

I guess I'll try and find a javascript to verify the password. Are there any problems with using javascripts to do this?

Thanks again for the help.

[Garry Claridge]

On the first page you can use the -view tag and then in the subsequent format page use the IF tags. The -new tag can then be substituted if the passwords are the same, else an error page can be called.

All the best.

Garry

[Simon]

The way I do it is this.

I have people put the password in two boxes. Password and password_check.

On the next page I have the following statement

[fmp-if: (password.neq.password_check).and(currenttoken:9.eq.newregistration)]I am sorry you enter your password differently in the two boxes please re-enter your password.

Password: enter box here

Verify: box here

-edit (Button editing the record)[fmp-elseif: (password.neq.password_check).and(currenttoken:9.eq.login)]I am sorry but you did not complete registration last time. You entered your password differently in the two boxes please re-enter your password.

Password: enter box here

Verify: box here

-edit (Button editing the record)[[fmp-else]The proper page here[/fmp-if]

Now, if someone enteres differently in to the two boxes they get the text that has an edit form in it to allow them to try again. If they are the same they get the page. The edit page brings them back to this same page to check passwords again.

but here is the good bit. The registration page includes a token like this.

<type="hidden" name="-token.9" value="newregistration"> This tells the format page that they have just entered the registration details so it gives them the appropriate message. If they decided to stop registration and come back later. They log in using the log in area. The format page reply is the same as the format page used for the reply to the registration page. So it checks their password and gives them the appropriate message as the log in page has the token

<type="hidden" name="-token.9" value="login">

This accomplishes the same as above but doesn't use calculation fields and such and also gives you a way around people who don't finish registering and try to come back later.

I think I've explained it well, but any more questions please ask

Simon

[proton]

quote:

---

Originally posted by Keith M. Davie:

"The trick is you don't want to stop them when they submit the form, it's okay to create the record in the database, then just let them edit the passwords. Hope this helps you out."

I agree that you do not want to stop them, yet if they decide to exit after being prompted to resubmit, you now have a record that does what? If they then come back to your site and start over what happens to the new record? What happens to the old record which was left "incomplete" by the stated criteria? Are they able to use one of the passwords in the "incomplete" record to gain entry even though not properly registered by your criteria?

Really the best way to handle the situation is with a script. Of course you will need a workaround in FMPro 4 or 5. Or you will need to upgrade to a version of 5.5.

SIMPLIFY ...

Keith

---

Great point Keith! Really great, but it's still simple. Remember, you have a password verification field and the value in that field is determined by whether the passwords match or not. So if they decide to not re-submit, all you need is a script that finds all records in the database where the value in the verification field is 0 or whatever and delete them. That way you don't have any 'incomplete' records in your database (with respect to passwords that is). The script can be set to run manually or periodically (everyday, every two hours whatever).

With regards to them trying to log in as the record exists (as Keith rightfully put it), this is why I use a login database Krishan (as I said in "Exactly How Secure") so it will verify that they entered a correct username and password and also that their member record is valid (in terms of the two passwords matching).

[Krishan]

Thanks for all your ideas and help everyone.

So, I think the only way of getting FMP to do the password verification is by creating a new record and then using IF tags to edit the record? Then you would need a script to delete incomplete records.

Okay, well I guess I've taken the lazy route and used Javascript to verify my passwords now. I didn't want to use Javascript but it seems much easier.

Does anyone know if using Javascript to do this password verification can have problems or security flaws?

The script I'm using verifies the password and also validates the email address (making sure it's in a legal format).

Thanks for your help! Here's the Javascript:

code:

---

<!-- TWO STEPS TO INSTALL PASSWORD AND EMAIL ADDRESS VALIDATION:

1. Copy the coding into the HEAD of your HTML document

2. Add the last code into the BODY of your HTML document -->

<!-- STEP ONE: Paste this code into the HEAD of your HTML document -->

<HEAD>

<SCRIPT LANGUAGE="JavaScript">

<!-- Begin

function validatePwd() {

var invalid = " "; // Invalid character is a space

var minLength = 6; // Minimum length

var pw1 = document.myForm.password.value;

var pw2 = document.myForm.password2.value;

var emailStr = document.myForm.email.value;

// check for a value in both fields.

if (pw1 == '' || pw2 == '') {

alert('Please enter your password twice.');

return false;

}

// check for minimum length

if (document.myForm.password.value.length < minLength) {

alert('Your password must be at least ' + minLength + ' characters long. Try again.');

return false;

}

// check for spaces

if (document.myForm.password.value.indexOf(invalid) > -1) {

alert("Sorry, spaces are not allowed.");

return false;

}

else {

if (pw1 != pw2) {

alert ("You did not enter the same new password twice. Please re-enter your password.");

return false;

}

}

{

/* The following variable tells the rest of the function whether or not

to verify that the address ends in a two-letter country or well-known

TLD. 1 means check it, 0 means don't. */

var checkTLD=1;

/* The following is the list of known TLDs that an e-mail address must end with. */

var knownDomsPat=/^(com|net|org|edu|int|mil|gov|arpa|biz|aero|name|coop|info|pro|museum)$/;

/* The following pattern is used to check if the entered e-mail address

fits the user@domain format. It also is used to separate the username

from the domain. */

var emailPat=/^(.+)@(.+)$/;

/* The following string represents the pattern for matching all special

characters. We don't want to allow special characters in the address.

These characters include ( ) < > @ , ;

" . [ ] */

var specialChars="()><@,;:".[]";

/* The following string represents the range of characters allowed in a

username or domainname. It really states which chars aren't allowed.*/

var validChars="[^s" + specialChars + "]";

/* The following pattern applies if the "user" is a quoted string (in

which case, there are no rules about which characters are allowed

and which aren't; anything goes). E.g. "jiminy cricket"@disney.com

is a legal e-mail address. */

var quotedUser="("[^"]*")";

/* The following pattern applies for domains that are IP addresses,

rather than symbolic names. E.g. joe@[123.124.233.4] is a legal

e-mail address. NOTE: The square brackets are required. */

var ipDomainPat=/^[(d{1,3}).(d{1,3}).(d{1,3}).(d{1,3})]$/;

/* The following string represents an atom (basically a series of non-special characters.) */

var atom=validChars + '+';

/* The following string represents one word in the typical username.

For example, in [email protected], john and doe are words.

Basically, a word is either an atom or quoted string. */

var word="(" + atom + "|" + quotedUser + ")";

// The following pattern describes the structure of the user

var userPat=new RegExp("^" + word + "(." + word + ")*$");

/* The following pattern describes the structure of a normal symbolic

domain, as opposed to ipDomainPat, shown above. */

var domainPat=new RegExp("^" + atom + "(." + atom +")*$");

/* Finally, let's start trying to figure out if the supplied address is valid. */

/* Begin with the coarse pattern to simply break up user@domain into

different pieces that are easy to analyze. */

var matchArray=emailStr.match(emailPat);

if (matchArray==null) {

/* Too many/few @'s or something; basically, this address doesn't

even fit the general mould of a valid e-mail address. */

alert("Email address seems incorrect (check @ and .'s)");

return false;

}

var user=matchArray[1];

var domain=matchArray[2];

// Start by checking that only basic ASCII characters are in the strings (0-127).

for (i=0; i<user.length; i++) {

if (user.charCodeAt(i)>127) {

alert("This email address' username contains invalid characters.");

return false;

}

}

for (i=0; i<domain.length; i++) {

if (domain.charCodeAt(i)>127) {

alert("This email address' domain name contains invalid characters.");

return false;

}

}

// See if "user" is valid

if (user.match(userPat)==null) {

// user is not valid

alert("The email address' username doesn't seem to be valid.");

return false;

}

/* if the e-mail address is at an IP address (as opposed to a symbolic

host name) make sure the IP address is valid. */

var IPArray=domain.match(ipDomainPat);

if (IPArray!=null) {

// this is an IP address

for (var i=1;i<=4;i++) {

if (IPArray

>255) {

alert("Destination IP of the email address is invalid!");

return false;

}

}

return true;

}

// Domain is symbolic name. Check if it's valid.

var atomPat=new RegExp("^" + atom + "$");

var domArr=domain.split(".");

var len=domArr.length;

for (i=0;i<len;i++) {

if (domArr

.search(atomPat)==-1) {

alert("The email address' domain name does not seem to be valid.");

return false;

}

}

/* domain name seems valid, but now make sure that it ends in a

known top-level domain (like com, edu, gov) or a two-letter word,

representing country (uk, nl), and that there's a hostname preceding

the domain or country. */

if (checkTLD && domArr[domArr.length-1].length!=2 &&

domArr[domArr.length-1].search(knownDomsPat)==-1) {

alert("The email address must end in a well-known domain or two letter " + "country.");

return false;

}

// Make sure there's a host name preceding the domain.

if (len<2) {

alert("This email address is missing a hostname!");

return false;

}

// If we've gotten this far, everything's valid!

return true;

}

}

// End -->

</script>

</HEAD>

<!-- STEP TWO: Copy this code into the BODY of your HTML document -->

<BODY>

<form name=myForm onSubmit="return validatePwd()">

Password

<input type="password" name=password size="10" maxlength="12">

Verify Password

<input type="password" name=password2 size="10" maxlength="12">

Email

<input type="text" name=email size="20">

<input type="submit" name="submit" value="Sign Up">

---

[Vaughan]

I'm a Java weenie: I dunno anything about it. What will happen if I have Java turned off in my browser? Will it still let me enter the records?