Hashing $_POST values.

social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Hashing $_POST values.

Post by social_experiment »

Values passed from a form using the 'post' method, can they be changed from plaintext to a hashed version prior to sending? Assume the following script sending a value to a database for login purposes:

Code: Select all

<html>
<head>
<title>Login page</title>
</head>
<body>
<form method="post" action="login.php">
<input type="text" name="password" />
<input type="submit" name="btn" value="login" />
</form>
</body>
</html>

Code: Select all

<?php
// Return the md5 hash of a non-empty value (returns null for an empty string)
function create_hash($value) {
    if ($value != '') {
        $new_value = md5($value);
        return $new_value;
    }
}
//create a hashed value
$password = create_hash($_POST['password']);

//send the data
login_check_function($password);
?>
1. Am I correct in thinking that the value of '$password' {as passed to the function (login_check_function)} is an md5 hashed value?
2. Secondly, the value of $_POST['password'] will stay plaintext until hashed by the function (create_hash)?

Code: Select all

<?php
echo '<pre>';
print_r($_POST);
echo '</pre>';  
/*
prints

Array
(
    [password] => password
    [btn] => send
)
*/
?>
Is there a way to hash the value passed to the 'login.php' page? As per example:

Code: Select all

<?php
/*
Array
(
    [fieldOne] => hashed_password
    [btn] => send
)
*/
?>
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Hashing $_POST values.

Post by VladSun »

Yes, it's possible. There are plenty of articles about client side password hashing using JavaScript. Start with a Google search :)

Though, you should still keep the ability of plain text password sending, when JS is not available or it's disabled.
Last edited by VladSun on Wed Jul 14, 2010 7:58 am, edited 1 time in total.
There are 10 types of people in this world, those who understand binary and those who don't
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Hashing $_POST values.

Post by social_experiment »

Thanks VladSun :) I purposefully left out a JavaScript option as I don't understand JavaScript and don't want to use a script I have no idea about. I normally develop / code with the assumption that JavaScript is disabled.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
buckit
Forum Contributor
Posts: 169
Joined: Fri Jan 01, 2010 10:21 am

Re: Hashing $_POST values.

Post by buckit »

I personally wouldn't bother with a JavaScript hash. If sending a plain text password is that big of a security risk (the data is that important) then you should be using an SSL cert to encrypt the data.

Now for your hashing... all you are doing is creating an md5 hash of the plain text. md5 can be brute forced fairly easily (for hackers). What you want your hashing function to do is add some salt.

The functions used by the zencart community are pretty good... and something to learn from.

Code: Select all

// This function validates a plain text password with an encrypted password
  function validate_password($plain, $encrypted) {
    if ($plain && $encrypted) {
// split apart the hash / salt
      $stack = explode(':', $encrypted);

      if (sizeof($stack) != 2) return false;

// hash_equals() compares as strings in constant time; a loose == would
// treat two "0e..." hex digests as equal numbers
      if (hash_equals($stack[0], md5($stack[1] . $plain))) {
        return true;
      }
    }

    return false;
  }

////
// This function makes a new password from a plaintext password. 
  function encrypt_password($plain) {
    $password = '';

    for ($i=0; $i<10; $i++) {
      $password .= mt_rand();
    }

    $salt = substr(md5($password), 0, 2);

    $password = md5($salt . $plain) . ':' . $salt;

    return $password;
  }
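
The legacy `md5(salt . plain):salt` format from the post above can be retired without forcing password resets: verify it once at login, then store a `password_hash()` value instead. This is an added example, not code from the thread or from Zen Cart; `make_password_hash()` and `verify_and_upgrade()` are hypothetical names, and the sample record is constructed.

```php
<?php
// Added example. Function names are hypothetical; requires PHP 7.1+.

// Hash a new password with PHP's built-in API (random per-password salt,
// tunable cost, algorithm encoded in the output string).
function make_password_hash(string $plain): string {
    return password_hash($plain, PASSWORD_DEFAULT);
}

// Verify a login against either stored format:
//   - password_hash() output, or
//   - the legacy "md5(salt . plain):salt" string.
// Returns [bool $ok, ?string $upgradedHash]. A non-null second element
// should be written back to the user's row so the weak hash is replaced.
function verify_and_upgrade(string $plain, string $stored): array {
    if (preg_match('/^([0-9a-f]{32}):(.+)$/', $stored, $m)) {
        // Legacy record: constant-time compare, re-hash only on success.
        $ok = hash_equals($m[1], md5($m[2] . $plain));
        return [$ok, $ok ? make_password_hash($plain) : null];
    }

    $ok = password_verify($plain, $stored);
    // Also upgrade modern hashes when the default algorithm or cost changes.
    $upgrade = ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT))
        ? make_password_hash($plain)
        : null;
    return [$ok, $upgrade];
}

// Constructed sample: a legacy record built the way encrypt_password() does.
$salt   = 'a7';
$legacy = md5($salt . 'correct horse') . ':' . $salt;

// Correct password: accepted, and a replacement hash is returned.
[$ok, $new] = verify_and_upgrade('correct horse', $legacy);
var_dump($ok, password_verify('correct horse', $new));

// The replacement hash verifies on the modern path and needs no upgrade.
[$okAgain, $again] = verify_and_upgrade('correct horse', $new);
var_dump($okAgain, $again);

// Wrong password: rejected, nothing to store.
[$bad, $none] = verify_and_upgrade('wrong guess', $legacy);
var_dump($bad, $none);
```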
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Hashing $_POST values.

Post by social_experiment »

buckit wrote: I personally wouldn't bother with a JavaScript hash. If sending a plain text password is that big of a security risk (the data is that important) then you should be using an SSL cert to encrypt the data.
Thanks, yeah I was thinking something similar but if SSL isn't an option I would like to at least keep the information 'secure' in some way. It looks like JavaScript is a viable option if SSL is not available.

Thanks for the zencart code sample. ;) My example script is simply that, an example, rest assured I won't use only md5 for hashing.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering