PHP Form is being submitted with different values in POST?

Question

I am currently trying to build a signup form using HTML/PHP. For some reason the password that I input is being replaced with a saved password upon post and I'm not sure why.

The code for my signup form:

            <form autocomplete="off" name="signupform" action="includes/signup_function" method="POST">
                <label>First Name: </label>
                <input type="text" id="firstname" name="firstname">
                <label>Last Name: </label>
                <input type="text" id="lastname" name="lastname">
                <label>Username: </label>
                <input type="text" id="email" name="email"></br></br>
                <label>Password: </label>
                <input type="password" autocomplete="new-password" id="pwd" name="pwd"></br></br>
                <label>Confirm Password: </label>
                <input type="password" autocomplete="new-password" id="passwordconfirm" name="passwordconfirm"></br></br>
                <input type="submit" name="submit"></input>
            </form>

I am simply doing a password match, and it is returning false -- my debug values are showing completely different to what I input and the password post is returning a saved cpanel password.

        $firstname = $_POST["firstname"];
        $lastname = $_POST["lastname"];
        $email = $_POST["email"];
        $password = $_POST["pwd"];
        $passwordconfirm = $_POST["passwordconfirm"];

        if(matchPassword($password, $passwordconfirm) !== true) {
            header("Location: ../signup?err=password=");
            exit();
        }

    function matchPassword($password, $passwordconfirm) {
        $result;
        if($password == $passwordconfirm) {
            $result = true;
        } else {
            $result = false;
            error_log("password invalid: " .$password.",".$passwordconfirm);
        }
        return $result;
    }

If I input the password as Alex -- the form posts with Password as H9wL^X938*i (the saved password) and Confirm Password as Alex.

Debugging to Error Log shows this - (The password inputted to the form is Alex) [22-Nov-2023 15:59:09 Australia/Sydney] password invalid: H9wL^X938*i,Alex

I've never encountered this before, hopefully someone can help me, TIA.

Answer 1

It seems that the issue might be related to the browser's password autofill feature. When you set autocomplete="off" on your form, it may not completely disable password autofill in some browsers. Instead, you can try using autocomplete="new-password" specifically for the password fields.

Update your form to include autocomplete="new-password" for both password fields:

<form autocomplete="off" name="signupform" action="includes/signup_function" method="POST">
    <!-- ... other fields ... -->
    <label>Password: </label>
    <input type="password" autocomplete="new-password" id="pwd" name="pwd"></br></br>
    <label>Confirm Password: </label>
    <input type="password" autocomplete="new-password" id="passwordconfirm" name="passwordconfirm"></br></br>
    <input type="submit" name="submit"></input>
</form>

By using autocomplete="new-password", you signal to the browser that these fields are specifically for entering a new password, and it may help to prevent interference from autofill features.

If the issue persists, you might want to check if any browser extensions or settings are affecting the behavior. Additionally, you can try testing your form in different browsers to see if the problem occurs uniformly or if it's browser-specific.