
Hashing $_POST values.

Posted: Wed Jul 14, 2010 5:37 am
by social_experiment
Can values passed from a form using the 'post' method be changed from plaintext to a hashed version prior to sending? Assume the following script, which sends a value to a database for login purposes:

Code:

<html>
<head>
<title>Login page</title>
</head>
<body>
<form method="post" action="login.php">
<input type="text" name="password" />
<input type="submit" name="btn" value="login" />
</form>
</body>
</html>

Code:

<?php
// Return the md5 hash of a non-empty value, or '' for empty input
// (the original was missing the function's closing brace).
function create_hash($value) {
    if ($value != '') {
        $new_value = md5($value);
        return $new_value;
    }
    return '';
}

// create a hashed value from the submitted field (plaintext until this point)
$password = create_hash(isset($_POST['password']) ? $_POST['password'] : '');

// send the data; login_check_function() is assumed to be defined elsewhere
login_check_function($password);
?>

1. Am I correct in thinking that the value of '$password' (as passed to the function login_check_function) is an md5-hashed value?
2. Secondly, will the value of $_POST['password'] stay plaintext until it is hashed by the function create_hash?

Code:

<?php
echo '<pre>';
print_r($_POST);
echo '</pre>';  
/*
prints

Array
(
    [password] => password
    [btn] => send
)
*/
?>
Is there a way to hash the value passed to the 'login.php' page? As per the example:

Code:

<?php
/*
Array
(
    [fieldOne] => hashed_password
    [btn] => send
)
*/
?>

Re: Hashing $_POST values.

Posted: Wed Jul 14, 2010 6:09 am
by VladSun
Yes, it's possible. There are plenty of articles about client-side password hashing using JavaScript. Start with a Google search :)

Though you should still keep the ability to send the password as plain text when JS is not available or is disabled.

Re: Hashing $_POST values.

Posted: Wed Jul 14, 2010 6:43 am
by social_experiment
Thanks VladSun :) I purposefully left out a JavaScript option as I don't understand JavaScript and don't want to use a script I have no idea about. I normally develop / code with the assumption that JavaScript is disabled.

Re: Hashing $_POST values.

Posted: Wed Jul 14, 2010 9:42 am
by buckit
I personally wouldn't bother with a JavaScript hash. If sending a plain text password is that big of a security risk (the data is that important) then you should be using an SSL cert to encrypt the data.

Now for your hashing... all you are doing is creating an md5 hash of the plain text. md5 can be brute-forced fairly easily (by hackers). What you want your hashing function to do is add some salt.

The functions used by the zencart community are pretty good... and something to learn from.

Code:

// This function validates a plain text password against a stored "hash:salt" string
  function validate_password($plain, $encrypted) {
    if ($plain && $encrypted) {
      // split apart the hash / salt
      $stack = explode(':', $encrypted);

      if (sizeof($stack) != 2) return false;

      // strict comparison: with == PHP would treat two hex digests that both
      // look like "0e..." as equal numbers
      if (md5($stack[1] . $plain) === $stack[0]) {
        return true;
      }
    }

    return false;
  }

////
// This function makes a new stored password ("hash:salt") from a plaintext password.
  function encrypt_password($plain) {
    $password = '';

    // concatenate ten mt_rand() values as the seed for the salt
    for ($i=0; $i<10; $i++) {
      $password .= mt_rand();
    }

    // the salt is the first two hex characters of md5(seed)
    $salt = substr(md5($password), 0, 2);

    $password = md5($salt . $plain) . ':' . $salt;

    return $password;
  }
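
The following is an added example, not code from this thread or from zencart. It puts the scheme buckit posted next to a hardened replacement that keeps the same "hash:salt" storage layout, measures how small the posted scheme's salt space is (two hex characters, so 256 possible salts), and shows a login_check() that reads $_POST the way social_experiment's login.php would, which also answers questions 1 and 2 above: the field is plain text (or whatever the client chose to send) until the server hashes it. It assumes PHP 7.0 or later; the function names, the PBKDF2_ITERATIONS value, the $users array standing in for a database lookup and the sample credentials are all made up for the example.

```php
<?php
// Added example, not code from the post or from zencart. Requires PHP 7.0+
// (random_bytes, hash_equals, hash_pbkdf2, scalar type hints, ??).

// --- The posted scheme, reproduced only so that its salt space can be measured.
function zc_style_encrypt(string $plain): string
{
    $seed = '';
    for ($i = 0; $i < 10; $i++) {
        $seed .= mt_rand();
    }
    $salt = substr(md5($seed), 0, 2);   // two hex characters
    return md5($salt . $plain) . ':' . $salt;
}

// How many distinct salts the posted scheme can ever emit: the first two
// characters of a hex digest, 16 * 16 = 256. An attacker with a table of
// md5(salt . guess) for common passwords needs only 256 such tables to cover
// every account, so the salt barely raises the cost of a dictionary attack.
function zc_style_salt_space(): int
{
    return 16 ** 2;
}

// --- Hardened replacement that keeps the same "hash:salt" storage layout.
// Salt: 16 bytes from the CSPRNG, hex-encoded (32 characters, unique per user).
// Hash: PBKDF2-SHA256 with a work factor that makes offline brute force slow.
const PBKDF2_ITERATIONS = 100000;   // assumed value; tune to ~100 ms on your server

function hardened_encrypt(string $plain): string
{
    $salt = bin2hex(random_bytes(16));
    $hash = hash_pbkdf2('sha256', $plain, $salt, PBKDF2_ITERATIONS, 64);
    return $hash . ':' . $salt;
}

function hardened_validate(string $plain, string $stored): bool
{
    $parts = explode(':', $stored);
    if (count($parts) !== 2) {
        return false;
    }
    list($hash, $salt) = $parts;
    $candidate = hash_pbkdf2('sha256', $plain, $salt, PBKDF2_ITERATIONS, 64);
    // Constant-time comparison; never ==, which treats "0e1" == "0e2" as true.
    return hash_equals($hash, $candidate);
}

// What login.php actually sees: $_POST['password'] is whatever bytes the client
// sent, plain text unless the client hashed it itself, and the server cannot
// tell the difference. The hashing that protects the stored credential happens
// here. $users is a hypothetical stand-in for the database lookup.
function login_check(array $post, array $users): bool
{
    $name  = $post['username'] ?? '';
    $plain = $post['password'] ?? '';
    if (!is_string($name) || !is_string($plain)
        || $name === '' || $plain === '' || !isset($users[$name])) {
        return false;
    }
    return hardened_validate($plain, $users[$name]);
}

// Constructed sample data so the script runs stand-alone (php this_file.php).
$users = ['alice' => hardened_encrypt('correct horse')];
var_dump(login_check(['username' => 'alice', 'password' => 'correct horse'], $users));
var_dump(login_check(['username' => 'alice', 'password' => 'Correct horse'], $users));
var_dump(login_check(['username' => 'alice'], $users));
var_dump(zc_style_encrypt('correct horse'));
var_dump(zc_style_salt_space());
?>
```

On PHP 5.5 or later, password_hash() and password_verify() do the salting, the work factor and the constant-time comparison for you and are the simpler choice when the "hash:salt" layout does not have to be preserved. Note also that hashing in the browser does not replace SSL/TLS for the point buckit raises: whatever the client submits, hashed or not, is the credential the server accepts, so anyone who can read it off the wire can replay it.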

Re: Hashing $_POST values.

Posted: Thu Jul 15, 2010 1:34 am
by social_experiment
buckit wrote: I personally wouldn't bother with a JavaScript hash. If sending a plain text password is that big of a security risk (the data is that important) then you should be using an SSL cert to encrypt the data.
Thanks, yeah, I was thinking something similar, but if SSL isn't an option I would like to at least keep the information 'secure' in some way. It looks like JavaScript is a viable option if SSL is not available.

Thanks for the zencart code sample. ;) My example script is simply that, an example; rest assured I won't use only md5 for hashing.