Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is password is sent as text in this after submitting PHP?

Tags:

php

i was searching about simple hashing with passwords in login form. i came across this http://tinsology.net/2009/06/creating-a-secure-login-system-the-right-way/. here he hashes the password, creates a salt, and then again hashes the password & salt. I am building a login form myself, this is abc.php

<form name="register" action="register.php" method="post">
Username: <input type="text" name="username" maxlength="30" />
Password: <input type="password" name="pass1" />
Password Again: <input type="password" name="pass2" />
<input type="submit" value="Register" />
</form>

after submitting goes to, register.php, it has

$u=$_REQUEST['username'];
$p=$_REQUEST['pass1'];
//salt create function
//hashing code
//final hash password

and then submitting $u & 'final password' in the database.

Q: my question is when submitting the form from abc.php, does the password goes as text?

and if yes, then there is a chance of someone reading it, and then what's the need of hashing passwords, because even when i login, i will submit the page, and retrieve the pass and username from $_REQUEST on maybe another page, where it will be checked, it travelled as text, and thus can be read by someone.

like image 568
Nikhar Avatar asked Jan 08 '12 08:01

Nikhar

3 Answers

The password is now sent in clear text. There is a workaround without the use of HTTPS. You can hash the password before it is sent over the HTTP socket with javascript. There are several tutorials out there. This isn't as good as using https but still better than nothing.

like image 83
Daan Pape Avatar answered Nov 09 '22 12:11

Daan Pape

Your password is sent via HTTP Post or HTTP Get, depends on method in your form. HTTP Post or HTTP Get is sent via socket stream and someone can sniff your data along the way, your network admin, your ISP provider, etc.

If you want to create secure login, your server must support HTTPS. If you sent via HTTPS, no one can read your data.

like image 6
Niyoko Avatar answered Nov 09 '22 13:11

Niyoko

The "secure" part of that article clearly relates to the storage of the password. Someone could intercept the password if the network on the client or the server side is not secure (i.e. someone with a packet sniffer on the network).

If this is a concern, you can mitigate that risk by using SSL, which will encrypt the conversation between client and server.

like image 2
Steve Rukuts Avatar answered Nov 09 '22 13:11

Steve Rukuts
Sign in to Comment

Related questions

PHP Require and Include GET
PHP Explode Function
How to search array of string in another string in PHP?
Best solution to remove duplicate values from case-insensitive array [duplicate]
PHP strange bitwise operator impact on strings
Remove the image resize ratio in OpenCart
paypal, php - integrate a paypal payment into a website
Facebook canvas apps HTTPS and HTTP
Short Text, PHP
Configuring Notepad++ to run php on localhost?
Fastest way of getting a character inside a string given the index (PHP)
How to disable deprecated messages in Joomla?
MySQL: Display only 200 characters from total value
Using C/C++ code in PHP without writing an extension
How to check if a word exists in a sentence
How to programmatically log in into phpBB forum?
How to make .PHP file only accessible to the server?
Magento API v2 PHP error
php - find date for same day of week for last year
PHP CURL follow redirect to get HTTP status

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!