How to encrypt form data?
Solution 1
SSL is the answer. The only answer.
However, if you must try to go with a home brew solution, here is an idea to consider:
- Have the PHP code provide JavaScript with the current time stamp.
- You take the password the user enters, append the time stamp, then encrypt it.
- Pass back the encrypted password to the server with the time stamp.
- Have the server make sure that the returned data is recent, let it check the encrypted password against its own math.
- If the time stamp is too old or has been used to log in already, reject it.
This is still a lousy idea, but it isn't as lousy as sending plain text passwords.
Use SSL. Really.
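A sketch of the checks in the list above, as an added example that is not part of the original answer. It substitutes HMAC-SHA256 keyed with the password for the unspecified "encrypt" step and runs both sides in Node.js; the function names, the 30-second window and the in-memory replay set are assumptions.

```javascript
const crypto = require('crypto');

const MAX_AGE_MS = 30000;     // assumed freshness window
const usedStamps = new Set(); // (user, timestamp) pairs already used to log in

// Server: hands the current time stamp to the page along with the form.
function issueTimestamp(now = Date.now()) {
  return now;
}

// Browser side of the scheme. HMAC-SHA256 keyed with the password stands in
// for the answer's "append the time stamp, then encrypt" (an assumption).
function clientResponse(password, timestamp) {
  return crypto.createHmac('sha256', password)
    .update(String(timestamp))
    .digest('hex');
}

// Server: returns 'ok', 'stale', 'replayed' or 'mismatch'.
// storedSecret must be the same value the browser keyed the HMAC with, so the
// server has to keep the password (or an equivalent secret) in usable form.
function verifyLogin(userId, storedSecret, timestamp, response, now = Date.now()) {
  const age = now - timestamp;
  if (!Number.isFinite(age) || age < 0 || age > MAX_AGE_MS) return 'stale';

  const replayKey = `${userId}:${timestamp}`;
  if (usedStamps.has(replayKey)) return 'replayed';

  const expected = Buffer.from(clientResponse(storedSecret, timestamp), 'hex');
  const received = Buffer.from(String(response), 'hex');
  // Constant-time comparison; lengths must match before timingSafeEqual.
  if (received.length !== expected.length ||
      !crypto.timingSafeEqual(received, expected)) return 'mismatch';

  usedStamps.add(replayKey); // a captured response cannot be sent again
  return 'ok';
}
```

A captured response is rejected on replay or once the window has passed, but the check cannot tell whether the script that produced it was altered in transit.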
Solution 2
Using a secure SSL connection is the only real way to ensure the form data is encrypted. However, you could use a bit of JavaScript to encode the password in some way before sending. It won't provide much security (since anyone who can view your site can see the JavaScript and reverse-engineer it) but it does at least avoid sending plain-text passwords around.
Comments
-
lonewaft almost 2 years
I have a login form that will submit id and password to a PHP file which will then check that id and pw against data in an SQL database. How can I encrypt the outgoing form data to make sure nobody can see it until it gets to its destination? The login form code is:
<html>
<head>
<title>Login page</title>
</head>
<body>
<form name="login" action="fetchalldata.php" method="post">
Username : <input type="text" name="userid"/>
Password : <input type="password" name="pswrd"/>
<input type="button" name="submit" value="Login"/>
</form>
</body>
</html>
Would prehashing the password on the database and sending a hashed password be more effective?
-
Admin over 11 years
More importantly, if a user of your site is being MITMed, the attacker can easily disable whatever script is performing the encryption, or modify it to send them a copy of the clear text. Javascript encryption over HTTP is fundamentally unreliable.
-
The Alpha over 11 years
@duskwuff, he mentioned it here: "It won't provide much security (since anyone who can view your site can see the JavaScript and reverse-engineer it) but it does at least avoid sending plain-text passwords around."
-
PeeHaa over 11 years
I think you forgot to mention that OP really should use SSL. :)
-
Jeremy J Starcher over 11 years
@PeeHaa -- Oh.. sorry. I'll have to fix that. Thanks for the heads up.