Remove unnecessary error message with form validation

Question

Using Codeigniter, I'm able to create a function for user authentication. I have a function that I call to check if the username/password given are valid. The problem I'm having is, I don't want the code to display "Invalid Login" if a password isn't given. It should read "Password is required" or something like that.

I guess I could NOT require the password field, in that case a blank password would result in a failed log in anyways. However, I want to make sure sql injection doesn't occur.

$this->form_validation->set_rules('username','username','required|callback_authenticate');
$this->form_validation->set_rules('password','password','required');

$this->form_validation->set_message('authenticate','Invalid login. Please try again.');

authenticate function

function authenticate() {

    return Current_User::checkLogin($this->input->post('username'),
                                          $this->input->post('password'));
}

Answer 1

I suggest that you create a callback function that you can use as a rule that you can add to the set_rules() function like this:

$this->form_validation->set_rules('password','Password','required|your_callback_function');

This way, the required rule is sure to be called first. When the user types in a password, then the next rule is checked. In this case, it goes through your callback validation function. If the user doesn't enter anything in your password field, then the error message should automatically show that the password is required.

If you want to prevent SQL injection on the password field, add the sha1 or md5 rule to the password field.

Check out the Callbacks: Your own Validation Functions in the Form Validation library.

Also, if you will use the Active Record class instead of manually typing in your query, your queries will be safer since values are automatically escaped by the system. You also have the option to use prepared statements to prevent SQL injection.