PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!
Values passed from a form using the 'post' method: can they be changed from plaintext to a hashed version prior to sending? Assume the following script sending a value to a database for login purposes:
<?php
// return an md5 hash of a non-empty value (returns null for an empty string)
function create_hash($value) {
    if ($value != '') {
        $new_value = md5($value);
        return $new_value;
    }
}
// create a hashed value
$password = create_hash($_POST['password']);
// send the data
login_check_function($password);
?>
1. Am I correct in thinking that the value of '$password' {as passed to the function (login_check_function)} is an md5 hashed value?
2. Secondly, the value of $_POST['password'] will stay plaintext until hashed by the function (create_hash)?
Thanks Vladsun. I purposefully left out a javascript option as I don't understand javascript and don't want to use a script I have no idea about. I normally develop / code with the assumption that javascript is disabled.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
I personally wouldn't bother with a javascript hash. If sending a plain text password is that big of a security risk (the data is that important) then you should be using an SSL cert to encrypt the data.
Now for your hashing... all you are doing is creating an md5 hash of the plain text. md5 can be brute forced fairly easily (for hackers). What you want your hashing function to do is add some salt.
The functions used by the zencart community are pretty good... and something to learn from.
// This function validates a plain text password against an encrypted password
function validate_password($plain, $encrypted) {
    if ($plain && $encrypted) {
        // split apart the hash / salt (stored as "hash:salt")
        $stack = explode(':', $encrypted);
        if (sizeof($stack) != 2) return false;
        // strict, constant-time comparison; a loose == would treat hex hashes
        // such as "0e123..." as numbers and could match the wrong password
        if (hash_equals($stack[0], md5($stack[1] . $plain))) {
            return true;
        }
    }
    return false;
}
////
// This function makes a new password hash from a plaintext password.
function encrypt_password($plain) {
    $password = '';
    // build a random string to derive the salt from
    for ($i = 0; $i < 10; $i++) {
        $password .= mt_rand();
    }
    // two-character salt taken from the md5 of the random string
    $salt = substr(md5($password), 0, 2);
    // store the salted hash together with its salt
    $password = md5($salt . $plain) . ':' . $salt;
    return $password;
}
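The following is an added example, not code from the thread or from zencart. It shows the two points raised in this post and in the original question in one runnable script: the submitted value stays plaintext until the server hashes it, and the stored value should be a salted hash rather than a bare md5. The zencart-style "hash:salt" layout is kept for comparison, verified with a strict constant-time check, beside PHP's built-in password_hash()/password_verify(), which add a random salt and a configurable cost so that guessing is slow. It assumes PHP 7.0 or later and uses a constructed array in place of $_POST.

```php
<?php
// Added example (not from the thread or zencart).
// Assumes PHP >= 7.0 (scalar type hints, password_hash, hash_equals).
declare(strict_types=1);

// Constructed stand-in for $_POST: what the browser sent is plaintext.
$post = ['password' => 'correct horse battery staple'];

// Registration: store only the bcrypt hash. The random salt and the cost
// factor are embedded in the returned string, so nothing else needs storing.
function make_password_hash(string $plain): string
{
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Login: compare the submitted plaintext against the stored hash.
// password_verify() reads the salt and cost from the stored string.
function check_password(string $plain, string $stored): bool
{
    return password_verify($plain, $stored);
}

// Legacy "md5hash:salt" layout as used by the zencart functions above.
// md5 is fast, so even a salted md5 can be guessed at high speed; this is
// only here to show a strict, constant-time verification of that format.
function zencart_style_make(string $plain): string
{
    $salt = substr(md5((string) mt_rand()), 0, 2);
    return md5($salt . $plain) . ':' . $salt;
}

function zencart_style_verify(string $plain, string $stored): bool
{
    $parts = explode(':', $stored);
    if (count($parts) !== 2) {
        return false;
    }
    list($hash, $salt) = $parts;
    // hash_equals() is both strict (no numeric juggling of "0e..." hashes)
    // and constant-time.
    return hash_equals($hash, md5($salt . $plain));
}

// What the server sees before hashing: still the plaintext.
$plain = $post['password'];

// Modern storage and check.
$stored = make_password_hash($plain);
var_dump(check_password($plain, $stored));
var_dump(check_password('wrong password', $stored));

// Legacy storage and check, for comparison.
$legacy = zencart_style_make($plain);
var_dump(zencart_style_verify($plain, $legacy));
var_dump(zencart_style_verify('wrong password', $legacy));
```

Running it once for each scheme shows the matching password verifying and the wrong one failing; the bcrypt check takes noticeably longer than the md5 check, which is the intended effect of the cost factor. Whichever scheme is used, the hashing happens on the server after the form is received, so the value in transit is only protected by the transport, which is the point made above about SSL.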
buckit wrote: I personally wouldn't bother with a javascript hash. If sending a plain text password is that big of a security risk (the data is that important) then you should be using an SSL cert to encrypt the data.
Thanks, yeah I was thinking something similar, but if SSL isn't an option I would like to at least keep the information 'secure' in some way. It looks like javascript is a viable option if SSL is not available.
Thanks for the zencart code sample. My example script is simply that, an example; rest assured I won't use only md5 for hashing.