Is the password sent as text after submitting this PHP form?

Tags: php

I was searching about simple hashing of passwords in a login form. I came across this: http://tinsology.net/2009/06/creating-a-secure-login-system-the-right-way/. Here he hashes the password, creates a salt, and then hashes the password & salt again. I am building a login form myself; this is abc.php:

<form name="register" action="register.php" method="post">
Username: <input type="text" name="username" maxlength="30" />
Password: <input type="password" name="pass1" />
Password Again: <input type="password" name="pass2" />
<input type="submit" value="Register" />
</form>

After submitting it goes to register.php, which has:

<?php
$u = $_REQUEST['username'];
$p = $_REQUEST['pass1'];
// create a random per-user salt
$salt = bin2hex(random_bytes(16));
// hash the password, then hash salt + that hash, as in the linked article
// (sha256 is used here; the article's hash choice is not shown in the question)
$hash  = hash('sha256', $p);
$final = hash('sha256', $salt . $hash);
// store $u, $salt and $final in the database

and then submits $u & the 'final password' to the database.

Q: my question is: when submitting the form from abc.php, does the password go as text?

And if yes, then there is a chance of someone reading it, and then what's the need of hashing passwords? Because even when I log in, I will submit the page and retrieve the password and username from $_REQUEST on maybe another page, where it will be checked; it travelled as text, and thus can be read by someone.

Nikhar asked Jan 08 '12 08:01


3 Answers

The password is now sent in clear text. There is a workaround without the use of HTTPS. You can hash the password before it is sent over the HTTP socket with JavaScript. There are several tutorials out there. This isn't as good as using HTTPS but still better than nothing.

Daan Pape answered Nov 09 '22 12:11


Your password is sent via HTTP POST or HTTP GET, depending on the method in your form. HTTP POST or HTTP GET is sent via a socket stream and someone can sniff your data along the way: your network admin, your ISP, etc.

If you want to create a secure login, your server must support HTTPS. If you send via HTTPS, no one can read your data.

Niyoko answered Nov 09 '22 13:11


The "secure" part of that article clearly relates to the storage of the password. Someone could intercept the password if the network on the client or the server side is not secure (i.e. someone with a packet sniffer on the network).

If this is a concern, you can mitigate that risk by using SSL, which will encrypt the conversation between client and server.

Steve Rukuts answered Nov 09 '22 13:11
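The following Python script is an added illustration and is not code from the question, the answers, or the linked article. It models the question and all three answers in one place: it builds the raw HTTP request that the form above produces and shows what an on-path observer recovers from it without any effort; it models the client-side pre-hash from the first answer (the request then carries sha256(password) instead of the password, but the server must still salt-hash that value and it still needs TLS); and it shows the server-side salted, slow hash that the "secure" part of the article is actually about. The host, path, PBKDF2 work factor and the sample form fields are constructed for the example.

```python
"""Added example (not from the thread): what the register.php POST looks like
on the wire, and why server-side hashing protects storage, not transport."""
import hashlib
import hmac
import os
from urllib.parse import parse_qs, urlencode

# Constructed sample input: the fields a browser would submit from the form
# in the question (username, pass1, pass2).
SAMPLE_FIELDS = {"username": "alice", "pass1": "hunter2", "pass2": "hunter2"}


def build_http_post(fields: dict, host: str = "example.test",
                    path: str = "/register.php") -> bytes:
    """Build the raw HTTP/1.1 request a browser sends for method="post" with
    the default application/x-www-form-urlencoded encoding (host and path are
    assumed values)."""
    body = urlencode(fields).encode()
    headers = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    )
    return headers.encode() + body


def fields_visible_to_observer(raw_request: bytes) -> dict:
    """What anyone on the path (Wi-Fi, ISP, proxy) recovers from a plain-HTTP
    request: split the headers from the body and decode the form fields.
    Over TLS the whole request is encrypted and this step is impossible."""
    _, _, body = raw_request.partition(b"\r\n\r\n")
    return {k: v[0] for k, v in parse_qs(body.decode()).items()}


def client_prehash(password: str) -> str:
    """The first answer's workaround, modelled here: the browser would send
    sha256(password) instead of the password. The server must then treat this
    value as the secret (salt-hash it again) and TLS is still needed."""
    return hashlib.sha256(password.encode()).hexdigest()


# --- server side: the part the "secure login system" article is about ---
PBKDF2_ROUNDS = 100_000  # assumed work factor; tune for your hardware


def make_record(secret: str) -> dict:
    """Store a per-user random salt plus a slow salted hash, never the secret
    itself (the secret is the password, or the client pre-hash if one is used)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "hash": digest.hex(), "rounds": PBKDF2_ROUNDS}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(record["salt"]), record["rounds"])
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    raw = build_http_post(SAMPLE_FIELDS)
    print(raw.decode())
    print("observer sees:", fields_visible_to_observer(raw))
    rec = make_record(SAMPLE_FIELDS["pass1"])
    print("stored record:", rec)
    print("login ok:", verify(rec, "hunter2"), "wrong:", verify(rec, "hunter3"))
```

Run it and compare the "observer sees" line with the "stored record" line: hashing removes the password from what is stored, but only TLS removes it from what travels. If the client pre-hashes, the pre-hash is what travels and what the server accepts, so it has to be protected in transit and stored exactly as a password would be; it does not replace HTTPS.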