Csalt Csalt - 5 days ago 6
PHP Question

Codeigniter password matches not working with md5

When I use the following code in a form validation, the password matches rule does not match the two passwords even when the two passwords are the same.

$this->form_validation->set_rules('password','Password','required|md5|trim|xss_clean|matches[rpassword]');
$this->form_validation->set_rules('rpassword','Repeat Password','required|md5|trim|xss_clean');


But when I remove the md5 function, the password matches rule works properly.

Can someone understand why this happens?

Answer

When you do matches[rpassword], it's looking at the current value of password after the md5 but rpassword before the md5.

Switch it to this so that it does the match validation BEFORE converting to md5:

$this->form_validation->set_rules('password','Password','required|matches[rpassword]|md5|trim|xss_clean');
$this->form_validation->set_rules('rpassword','Repeat Password','required|md5|trim|xss_clean');

Also, if this is an application where security truly matters - please know that md5 is very easy to crack and that if someone is ever able to get into your database, they will be able to hack all of these passwords. So basically, using md5 is almost equivalent to not encrypting in the first place.

For password storage, use CRYPT_BLOWFISH or PHP 5.5's password_hash() function. For PHP < 5.5 use the password_hash() compatibility pack.
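
The two points of the answer above, as an added example that is not part of the original answer: plain PHP without CodeIgniter (PHP 7.1+ assumed for the type hints), using constructed field values. `register_password()` and `check_login()` are hypothetical helper names.

```php
<?php
// Constructed sample input standing in for the submitted form fields.
$post = [
    'password'  => 'correct horse battery',
    'rpassword' => 'correct horse battery',
];

// 1. Why the original rule order fails: the md5 rule rewrites the password
//    field before the matches rule runs, so a 32-character hex digest is
//    compared with the still-raw repeat field and the comparison fails.
$passwordAfterMd5 = md5($post['password']);
var_dump($passwordAfterMd5 === $post['rpassword']);

// 2. Compare the raw values first, then hash once, outside the rule chain.
function register_password(array $post): ?string
{
    if ($post['password'] === '' || $post['password'] !== $post['rpassword']) {
        return null; // validation failed, nothing to store
    }
    // password_hash() generates a random salt and embeds the algorithm,
    // cost and salt in the returned string, so only this value is stored.
    return password_hash($post['password'], PASSWORD_DEFAULT);
}

// 3. Login check: password_verify() reads the salt and cost back out of
//    the stored hash and compares in constant time.
function check_login(string $candidate, string $storedHash): bool
{
    return password_verify($candidate, $storedHash);
}

$stored = register_password($post);
var_dump(check_login('correct horse battery', $stored));
var_dump(check_login('wrong guess', $stored));

// Unlike md5, hashing the same password twice gives different strings,
// because each call uses a fresh salt. Precomputed lookup tables of
// digests are therefore useless against the stored values.
var_dump(register_password($post) === $stored);

// A mismatched repeat field is rejected before anything is hashed.
var_dump(register_password(['password' => 'a', 'rpassword' => 'b']));
```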
