  1. #1
    SitePoint Enthusiast

    Javascript variable to $_POST

    Hello,

    I have a login form where the user types a password.

    I have found out how to hash the password in JavaScript using md5.

    I now want to send the hashed password to the server so that it can be compared with a hashed password in the database.

    I just can't find how to do this. All the examples I look at ignore this stage as if it's obvious. I'm sorry but not to me.

    Thanks

    Steve

  2. #2
    felgall (Programming Since 1978)
    To encrypt the data being sent from the browser to the server you need to have a security certificate attached to the web site. That certificate encrypts all of the information the browser sends using a key that only the specific web site knows how to decrypt.

    The server can then apply the hash to the password before comparing it with the stored copy.

    This will work even where the person has JavaScript disabled in their browser.

    Sending the MD5 hash of the password in plain text doesn't provide any protection as that hash effectively is the password in that instance and anyone intercepting it would be able to use it to log in just the same as if the plain text version were sent. Only the encryption provided by the security certificate provides the protection from being intercepted.

    All the examples ignore the step you are talking about because it doesn't serve any purpose.

    JavaScript can send things to the server using POST by creating and submitting a form - but that doesn't help with the situation you describe.
    Stephen J Chapman


  3. #3
    Stormrider (SitePoint Wizard)
    You should also know that using MD5 to hash a password is pretty much as insecure as storing the password in plain text these days.

  4. #4
    Michael Morris (I solve practical problems.)
    Only if it's unsalted.
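
The point made in posts #2 to #4, as an added Node.js example that is not part of any post in this thread: when the server compares a client-computed MD5, the stored value and the login credential are the same string, so whoever holds that string can log in; when the server does the hashing with a per-user salt, the stored value is not accepted as a credential. The username, password, function names and the choice of scrypt are assumptions of this example, and the TLS transport described in post #2 is assumed and not shown.

```javascript
// Added example, not code from the thread. All names and values are constructed.
const crypto = require("node:crypto");

const md5 = (s) => crypto.createHash("md5").update(s).digest("hex");

// Design asked about in post #1: the browser sends md5(password), the server compares.
const weakDb = { steve: md5("correct horse") }; // stored value == value on the wire
function weakLogin(user, hashFromClient) {
  return weakDb[user] === hashFromClient;
}

// Design described in post #2: the password travels inside TLS and the server hashes it.
// scrypt with a random per-user salt is this example's choice of algorithm.
function makeRecord(password) {
  const salt = crypto.randomBytes(16);
  return { salt, hash: crypto.scryptSync(password, salt, 32) };
}
const strongDb = { steve: makeRecord("correct horse") };
function strongLogin(user, passwordFromClient) {
  const rec = strongDb[user];
  if (!rec) return false;
  const candidate = crypto.scryptSync(String(passwordFromClient), rec.salt, 32);
  return crypto.timingSafeEqual(candidate, rec.hash); // constant-time comparison
}

function demo() {
  // The value an observer of a plain-HTTP login, or a reader of weakDb, would hold.
  const replayed = md5("correct horse");
  // The value a reader of strongDb would hold.
  const leakedRow = strongDb.steve.hash.toString("hex");
  return {
    weakAcceptsReplayedHash: weakLogin("steve", replayed),        // hash acts as the password
    strongAcceptsStoredHash: strongLogin("steve", leakedRow),     // stored hash is not a credential
    strongAcceptsPassword: strongLogin("steve", "correct horse"),
    strongRejectsWrongPassword: !strongLogin("steve", "wrong horse"),
    sameHashWithoutSalt: md5("correct horse") === md5("correct horse"),
    saltedHashesDiffer: !makeRecord("correct horse").hash.equals(strongDb.steve.hash),
  };
}

console.log(demo());
```
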

  5. #5
    SitePoint Enthusiast
    Thank you both. I will now read up about using a safety certificate.

    It is worrying to know that there are a lot of people who think that md5 is the way to go and as such steer others in that direction.

    Steve

  6. #6
    chris.upjohn (SitePoint Wizard)
    MD5 had been around for so long it's pretty much thrown at new developers. I myself stick to salt encryption, which I have found to be much more unique as far as security is concerned.

    As for the SSL certificate there are some rapid SSL websites out there that use well known providers to generate the certificate if you can't afford around $700-1000 per year.

