  1. #1
    SitePoint Addict

    sending password onClick from form

    I have a registration form which is processed using javascript and php. First I show registration.php, and the data from it is sent with ajax to registration_process.php

    <form id="registration">
    Name<input type="text" id="name" />
    Password<input type="password" id="password" />
    </form>
    <script>
    $(document).ready(function(){
      $('#submit').click(function() {
        // read the current field values
        var name=$('#name').val();
        var password=$('#password').val();
        //then it sends this data with ajax to registration_process.php
        ...
      });
    });
    </script>

    registration_process.php
    <?php
    // quoted array key; !empty() keeps the original truthiness test without a notice
    if (!empty($_POST['password'])) {
        $password = $_POST['password'];
        ...
    }
    ?>

    The problem is that this is probably not a secure way. Is there any way to encrypt the value of the input? For example something like this
    var name=$('#name').encrypt().val();

    tnx!

  2. #2
    chris.upjohn (SitePoint Wizard)
    The best thing you can do without buying an SSL certificate is to send an encrypted PHP string using either base64, sha1 or md5 randomly mixed with, say, 5 static characters to ensure the code cannot be cracked. You could also send a value that can only be passed by the javascript form, say something like ajax_submission, then on the PHP side check for both of those values and run the encrypted string against something to ensure the user sending the form isn't a security risk.

    The way I would secure the password is by base64 encoding it using javascript, then decoding it; that way it has at least some protection. I believe there are ways to fully encrypt values using javascript, but I don't know of any off the top of my head.

  3. #3
    SitePoint Addict
    Is that even a huge security risk if I send the password with ajax without encrypting it before I validate it?

    I see that Facebook doesn't do it either. As you can try, Facebook sends the value of the password to the 2nd step of registration with ajax (POST reg_passwd__) without encrypting it.

  4. #4
    felgall (Programming Since 1978)
    The most secure way to send it if you don't have an SSL certificate is as plain text.

    If you use JavaScript to "encrypt" it to send, then you also need to accept the plain text version from those without JavaScript, and that means that there are two alternative passwords that will work, making it twice as easy to crack as if you only send in plain text. The encrypted one will be no harder to crack than a plain text one, since all that is necessary is to capture the value being passed, as that IS the password as far as the server is concerned.
    Stephen J Chapman
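
The argument in reply #4, applied to the base64 and sha1 ideas from reply #2, as an added Node.js sketch that is not part of any post in this thread: the server can only compare the bytes that arrive, so whatever the script did to the field, the value seen on an http:// connection is accepted when resent. The function names, the sample password and the static suffix are constructed for illustration.

```javascript
// Added illustration, not code from the thread. Names and values are constructed.
const nodeCrypto = require('crypto');

const STATIC_CHARS = 'x9Qz!'; // stands in for the "5 static characters" idea

// What a browser-side script could do to the field before the ajax POST.
const clientEncode = {
  plain: (pw) => pw,
  base64: (pw) => Buffer.from(pw, 'utf8').toString('base64'),
  sha1: (pw) => nodeCrypto.createHash('sha1').update(pw + STATIC_CHARS).digest('hex'),
};

// Server-side check: it can only compare what arrived with what it expects.
// noJsFallback models also accepting the plain value from clients without JavaScript.
function makeLoginCheck(scheme, realPassword, noJsFallback = false) {
  const accepted = new Set([clientEncode[scheme](realPassword)]);
  if (noJsFallback) accepted.add(realPassword);
  const check = (received) => accepted.has(received);
  check.acceptedValues = accepted.size;
  return check;
}

// What someone reading the unencrypted request sees, and what it is worth.
function observe(scheme, realPassword, noJsFallback = false) {
  const check = makeLoginCheck(scheme, realPassword, noJsFallback);
  const onTheWire = clientEncode[scheme](realPassword);
  let recovered = null;
  if (scheme === 'plain') recovered = onTheWire;
  if (scheme === 'base64') recovered = Buffer.from(onTheWire, 'base64').toString('utf8');
  return {
    scheme,
    onTheWire,
    recovered,                        // original password, if the encoding is reversible
    replayAccepted: check(onTheWire), // captured value resent unchanged
    acceptedValues: check.acceptedValues,
  };
}

// Constructed sample password; the fallback is enabled for the encoded schemes.
for (const scheme of Object.keys(clientEncode)) {
  console.log(observe(scheme, 'correct horse', scheme !== 'plain'));
}
```

In every scheme `replayAccepted` is true; only a TLS connection keeps the submitted value from being read in transit.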
