[SOLVED] Password being shown in url bar

m0u53m4t
Forum Contributor
Posts: 101
Joined: Wed Apr 19, 2006 7:47 am
Location: Wales

Post by m0u53m4t »

Here is my basic login thing:

Code:

<?php
// Credentials are read from the query string, so they appear in the URL
$username = $_GET["username"];
$password = md5($_GET["password"]);

// Compare against a hard-coded username and MD5 digest
if ($username == 'John' && $password == '5f4dcc3b5aa765d61d8327deb882cf99') {
   echo 'Correct username and password';
}
else {
   echo 'Incorrect username and password';
}
?>

But I use the method 'get' on my HTML, and therefore you can read the password in the URL bar! What would I have to change to be able to change the HTML to use post?
Last edited by m0u53m4t on Sun Apr 23, 2006 9:02 am, edited 1 time in total.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

<form method="post" ... > ? :?

Post by m0u53m4t »

Yes sorry, I got that, I meant in the PHP. I just changed the two at the top to

Code:

$username = $_POST["username"];
$password = md5($_POST["password"]);

and it worked :P

Post by m0u53m4t »

Is it more secure to use

Code:

$password = crc32(md5($_POST["password"]));

instead of just md5 btw?

Post by Chris Corbyn »

m0u53m4t wrote: Is it more secure to use

Code:

$password = crc32(md5($_POST["password"]));

instead of just md5 btw?

No, it's less secure, since once you start hashing hashes you're more likely to generate collisions.

Post by m0u53m4t »

So $password = md5(crc32(sha1($_POST["password"]))); is less secure than $password = md5($_POST["password"]); ???
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

m0u53m4t wrote: so $password = md5(crc32(sha1($_POST["password"]))); is less secure than $password = md5($_POST["password"]); ???

CRC returns a number that consists of 32 bits. Thus one only has to try 2 ^ 32 bit combinations...
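
The 32-bit point made in the reply above, as an added example that is not part of the original thread: it hashes constructed strings with the `crc32(md5(...))` wrapper from the question until two different strings share a value. It assumes PHP 7.1 or later; the function names and the `candidate-N` strings are made up for the illustration.

```php
<?php
// Added example. Candidate strings are constructed, not real passwords.

// The wrapper asked about in the thread: whatever goes in, 32 bits come out.
function wrapped_hash(string $password): int
{
    return crc32(md5($password));
}

// Hash constructed strings until two different inputs share a wrapped value.
// Returns [first, second, value, tries], or null if $limit is reached.
function find_wrapped_collision(int $limit = 1000000): ?array
{
    $seen = []; // wrapped value => index of the string that produced it
    for ($i = 0; $i < $limit; $i++) {
        $h = wrapped_hash("candidate-$i");
        if (isset($seen[$h])) {
            return ["candidate-{$seen[$h]}", "candidate-$i", $h, $i + 1];
        }
        $seen[$h] = $i;
    }
    return null;
}

$hit = find_wrapped_collision();
if ($hit === null) {
    exit("No collision within the limit; raise \$limit.\n");
}
[$a, $b, $value, $tries] = $hit;

printf("Strings hashed before a repeat: %d\n", $tries);
printf("%s and %s both give crc32(md5()) = %u\n", $a, $b, $value);
printf("md5(%s) = %s\n", $a, md5($a));
printf("md5(%s) = %s\n", $b, md5($b));

// A login check that stores crc32(md5($password)) accepts either string,
// even though the plain md5 digests printed above are compared as different.
var_dump(wrapped_hash($a) === wrapped_hash($b));
var_dump(md5($a) === md5($b));
```

With only 2^32 possible outputs, the birthday bound puts the first repeat at roughly 80,000 strings, which is why the wrapper is weaker than the md5 digest it wraps.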

Post by m0u53m4t »

So what's the most secure hash I can use?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Portable across all PHP 4 installs? SHA256. Look in Code Snippets for a class that performs such a function.