Question on HTML forms and PHP
#1 HiRo (Newbie, Members, 17 posts)
Hello, I am wondering: if I have a form in HTML, which sends information like username, password, ID, it then sends that data to a PHP file, which processes it. At that point I encrypt the password. However, is this really safe? I wouldn't assume it to be so, since it looks like it's sending the data over to the .php file in a way that lets the information be read as pure text before it reaches the .php file. If it isn't safe, what's the alternative solution?

Thanks,
HiRo.

(I accidentally posted this in the PHP tutorial section :( sorry.)

#2 Orjan (Writes binary right handed and hex left handed, Moderators, 3,299 posts)
One alternative is to encrypt the password upon sending with JavaScript. It's not very safe either, as people can read your code and see how you do it, but the sending itself would be somewhat safer (it's not pure text at least...).
__________________________________________
I study Information Systems at Karlstad University when I'm not on CodeCall

#3 Alexander (It's Science!, Moderators, 4,124 posts)
The only real security solution would be to use SSL, as any plaintext sent from computer A to server B can be read in plaintext otherwise.
Be sure to read the updated FAQ! || Health is achieved through the same 10,000 steps.
If a suggested code/method fails, informing us is less important than telling us why or what errors occurred.

#4 SoN9ne (Programmer, Members, 129 posts)
An example of what I do for my login systems:

  • I use the onsubmit to call a JS method to hash the user's password with their username and a unique random salt that is generated and saved to the session for verification. (This will semi-protect the user's password. It can still be deciphered, but it will take some work.)

  • I verify the hash with the salt in the session before I attempt a login.

  • I then query the db using the username to retrieve the user-specific salt (regenerated on every successful login) and their password hash. I use a different hash algorithm for passwords stored in the db. (The trick here is to store the hash with the proper salt and hashing standard to be used throughout the script.) I use the same unique salt from the form to verify the password when validating the hash, to ensure the hash is the same.

  • I then clear the session vars used, regenerate the session ID and delete the old session file to protect the session.

This is very similar to what I do. I have a few other steps I perform, but this is the main concept of my login systems. I try to protect the user's password as best as I can, but even hashing it with JS is not that secure, since it can easily be deciphered; I'd rather make hackers go through the extra step, though.
"Life would be so much easier if we only had the source code."

#5 bbqroast (Codecall Addict, Members, 554 posts)
If you want to stop the data being read as it goes USER --------> PHP, then you need to use public key encryption.
It's reasonably complex, but I'm sure you'll work it out (eventually).
Even if the user has the encrypting key (which is handed out freely), they can't unencrypt the message, and vice versa.
Please, write clearly with proper structure. Double spacing makes the text feel un-jointed, Capitalizing Every Word Means People Stop Before Every Word Sub-Consciously Which Is A Pain In The Backside, and use code tags! (The right most styling box).

#6 Alexander (It's Science!, Moderators, 4,124 posts)

bbqroast said:

If you want to stop the data being read as it goes USER --------> PHP, then you need to use public key encryption.
It's reasonably complex, but I'm sure you'll work it out (eventually).
Even if the user has the encrypting key (which is handed out freely), they can't unencrypt the message, and vice versa.

GPG over HTTP?

#7 BlaineSch (Writes binary right handed and hex left handed, Members, 2,448 posts)

SoN9ne said:

An example of what I do for my login systems:

  • I use the onsubmit to call a JS method to hash the user's password with their username and a unique random salt that is generated and saved to the session for verification. (This will semi-protect the user's password. It can still be deciphered, but it will take some work.)
  • I verify the hash with the salt in the session before I attempt a login.
  • I then query the db using the username to retrieve the user-specific salt (regenerated on every successful login) and their password hash. I use a different hash algorithm for passwords stored in the db. (The trick here is to store the hash with the proper salt and hashing standard to be used throughout the script.) I use the same unique salt from the form to verify the password when validating the hash, to ensure the hash is the same.
  • I then clear the session vars used, regenerate the session ID and delete the old session file to protect the session.

This is very similar to what I do. I have a few other steps I perform, but this is the main concept of my login systems. I try to protect the user's password as best as I can, but even hashing it with JS is not that secure, since it can easily be deciphered; I'd rather make hackers go through the extra step, though.

Not everybody has JS enabled.

#8 Alexander (It's Science!, Moderators, 4,124 posts)

BlaineSch said:

Not everybody has JS enabled.

Agreed. Sacrificing any small form of user accessibility for "one extra step to hack" is foolish IMO. SSL requires no code changes.