-
Jan 29th, 2002, 11:43 AM
#1
Thread Starter
New Member
Validating Password Confirmation Fields on a Form
I am creating a user registration page for a project I am doing and I am having difficulty validating the password fields. I believe the problem lies with the specified input type. The code I am using works with text type inputs but does not seem to recognise password types. Does anyone have any suggestions other than making the password fields text fields? Below is an example of the IF THEN ELSE statements I am using....
<!-- Option Explicit
dim validation
dim header
header = "Pizza Organic"

' Runs when MyForm is submitted; returning False cancels the submit.
Function MyForm_OnSubmit
    validation = True
    ' Compare the password field with its confirmation field.
    If (Document.MyForm.Password.Value) <> (Document.MyForm.ConfirmPassword.Value) Then
        MsgBox "Your confirmation password does not match your original password, please correct this!", 8, Header
        validation = False
    End If
    If validation = True Then
        MyForm_OnSubmit = True
    Else
        MyForm_OnSubmit = False
    End If
End Function
-->
Thanks
-
Jan 29th, 2002, 01:36 PM
#2
I would suggest you use client-side JavaScript to do your form validation as it is supported by almost all browsers. It's not advisable to use client-side VBScript or server-side script for form validation as it involves going back and forth to the server.
Here is an example of your code in javascript:
VB Code:
<script>
// Called from the form's onSubmit handler; returning false cancels the submit.
function Validate()
{
    var d = document.frmRegister;
    // Both password fields must be filled in.
    if (d.txtPassword.value == "")
    {
        alert("Please enter a Password");
        d.txtPassword.focus();
        return false;
    }
    if (d.txtPassword2.value == "")
    {
        alert("Please confirm the Password");
        d.txtPassword2.focus();
        return false;
    }
    // The confirmation must match the password.
    if (d.txtPassword.value != d.txtPassword2.value)
    {
        alert("Two typed passwords don't match");
        return false;
    }
    return true;
}
</script>
To use this
VB Code:
<form name="frmRegister" method="post" onSubmit="return Validate()" action="register.asp">
Put two password fields called txtPassword and txtPassword2 in the form.
Hope this helps
Danial
There is a great war coming. Are you sure you are on the right side? At least I have chosen a side.
If I have been helpful, Please Rate my Post. Thanks.
-
Jan 29th, 2002, 01:51 PM
#3
Black Cat
It's not advisable to use client-side VBScript or server-side script for form validation as it involves going back and forth to the server.
I disagree. You must validate all user-generated input (including HTTP headers, etc.) server-side. Doing it client-side as well can speed things up, but doing only client-side data validation is as good as doing no data validation from a security standpoint.
Josh
Get these: Mozilla Opera OpenBSD
I have books for sale: "MCSD in a Nutshell" and "VB Distributed Exam Cram" - PM me for details. Will also trade for a decent ATX Pentium 2 MB/CPU/RAM combo.
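Added example, not part of any post in this thread: a server-side re-check of the same two fields, written in JavaScript to match the client-side snippet in post #2. The field names txtPassword and txtPassword2 come from that post; the function name validateRegistration, the length limits, and the sample request bodies are assumptions made up for illustration.

```javascript
// Server-side re-validation of the registration form fields.
// validateRegistration() and the limits below are hypothetical, not thread code.
const MIN_LEN = 8;    // assumed policy value
const MAX_LEN = 128;  // assumed cap so oversized input is rejected early

// rawBody: the application/x-www-form-urlencoded POST body as received.
function validateRegistration(rawBody) {
  const params = new URLSearchParams(rawBody);
  const errors = [];

  // Each field must arrive exactly once. A request built without the browser
  // form never runs Validate(), so it may omit a field or repeat it.
  for (const name of ["txtPassword", "txtPassword2"]) {
    const count = params.getAll(name).length;
    if (count !== 1) errors.push(`${name}: expected exactly one value, got ${count}`);
  }
  if (errors.length > 0) return { ok: false, errors };

  const password = params.get("txtPassword");
  const confirm = params.get("txtPassword2");

  if (password.length < MIN_LEN || password.length > MAX_LEN) {
    errors.push(`txtPassword: length must be ${MIN_LEN}-${MAX_LEN} characters`);
  }
  if (password !== confirm) {
    errors.push("txtPassword2: confirmation does not match");
  }
  return { ok: errors.length === 0, errors };
}

// Constructed sample bodies (not captured traffic).
const samples = {
  fromBrowser: "txtPassword=correct+horse+battery&txtPassword2=correct+horse+battery",
  mismatch: "txtPassword=correct+horse+battery&txtPassword2=something+else",
  missingConfirm: "txtPassword=correct+horse+battery",
  duplicated: "txtPassword=aaaaaaaa&txtPassword=bbbbbbbb&txtPassword2=bbbbbbbb",
  empty: "txtPassword=&txtPassword2=",
};

for (const [label, body] of Object.entries(samples)) {
  const result = validateRegistration(body);
  console.log(label, result.ok ? "accepted" : `rejected: ${result.errors.join("; ")}`);
}
```

Only the first sample is accepted; the other four are the kinds of request the browser-side Validate() would have stopped but which the server still receives if the script is skipped.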
-
Jan 29th, 2002, 02:41 PM
#4
Black Cat
Can you explain further why we "MUST" validate "ALL" user generated input?
Are there malicious users out there? You cannot trust any data the user has an opportunity to construct themselves. Read some books/articles on hacking for the clever stuff crackers come up with. One of my favorites is someone who had a script that ran a Unix shell command based on the Host Name - the cracker set up a fake DNS entry so that the host name resolved from his IP Address was the Unix equivalent to "format c:\".
Josh
-
Jan 29th, 2002, 03:22 PM
#5
Originally posted by JoshT
Are there malicious users out there? You cannot trust any data the user has an opportunity to construct themselves. Read some books/articles on hacking for the clever stuff crackers come up with. One of my favorites is someone who had a script that ran a Unix shell command based on the Host Name - the cracker set up a fake DNS entry so that the host name resolved from his IP Address was the Unix equivalent to "format c:\".
Thanks for the advice Josh!! In fact PC security is one of my major areas of study and I have done a lot of research on this issue as you suggested, especially on viruses and hacking as you mentioned. Hoping to do further study in this area.
Anyway, I am not sure your example of a fake DNS entry is really relevant here, as we are talking about form validation. If you are talking about people misusing the scripts then you are right. That's why we have to be careful how we write the script and don't leave any major holes for the hackers. There will always be people who will take advantage of these issues and to be honest ASP has never been considered secure enough. You wouldn't see too many bank sites using ASP. Most use JSP/Servlet.
Also it depends on what kind of input we are dealing with. Like I said before, there is no point in sending data to the server just for simple validation.
As for transferring all the data to the server as you mentioned, the TCP/IP packets can be grabbed by anyone unless you are transmitting them securely.