[SOLVED] Password being shown in url bar

Posted: Sun Apr 23, 2006 7:39 am
by m0u53m4t
Here is my basic login thing:

Code:

<?php 
$username = $_GET["username"];
$password = md5($_GET["password"]);


if ($username == 'John' && $password == '5f4dcc3b5aa765d61d8327deb882cf99') { 
   echo 'Correct username and password'; 
} 
else { 
   echo 'Incorrect username and password'; 
} 
?>

But I use the method 'get' in my HTML, and therefore you can read the password in the URL bar! What would I have to change to be able to change the HTML to use post?

Posted: Sun Apr 23, 2006 7:42 am
by Chris Corbyn
<form method="post" ... > ? :?

Posted: Sun Apr 23, 2006 7:44 am
by m0u53m4t
Yes, sorry, I got that; I meant in the PHP. I just changed the two at the top to

Code:

$username = $_POST["username"];
$password = md5($_POST["password"]);
and it worked :P

Posted: Sun Apr 23, 2006 7:51 am
by m0u53m4t
Is it more secure to use

Code:

$password = crc32(md5($_POST["password"]));
instead of just md5 btw?

Posted: Sun Apr 23, 2006 7:53 am
by Chris Corbyn
m0u53m4t wrote:Is it more secure to use

Code:

$password = crc32(md5($_POST["password"]));
instead of just md5 btw?

No, it's less secure, since once you start hashing hashes you're more likely to generate collisions.

Posted: Sun Apr 23, 2006 8:33 am
by m0u53m4t
so $password = md5(crc32(sha1($_POST["password"]))); is less secure than $password = md5($_POST["password"]); ???

Posted: Sun Apr 23, 2006 9:05 am
by timvw
m0u53m4t wrote:so $password = md5(crc32(sha1($_POST["password"]))); is less secure than $password = md5($_POST["password"]); ???

CRC returns a number that consists of 32 bits. Thus one only has to try 2^32 bit combinations...
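
Added example (not part of the thread or any poster's code): a birthday search illustrating the point of the two replies above, that wrapping MD5 in crc32() leaves only 32 bits of output, so two different inputs end up with the same stored value. The function names and the `candidate-N` inputs are constructed for illustration, and the syntax assumes current PHP (7.1 or later).

```php
<?php
declare(strict_types=1);

// The composition asked about in the thread: CRC32 over the hex MD5 string.
function weak_digest(string $input): int
{
    return crc32(md5($input));
}

// Birthday search: remember every digest seen so far and stop at the first repeat.
// 500000 tries makes a miss practically impossible for a 32-bit output.
function find_collision(int $maxTries = 500000): ?array
{
    $seen = []; // digest => index of the constructed input that produced it
    for ($i = 0; $i < $maxTries; $i++) {
        $digest = weak_digest("candidate-$i");
        if (isset($seen[$digest])) {
            return ["candidate-{$seen[$digest]}", "candidate-$i", $i + 1];
        }
        $seen[$digest] = $i;
    }
    return null;
}

$hit = find_collision();
if ($hit === null) {
    exit("no collision found within the try limit\n");
}
[$a, $b, $tries] = $hit;

printf("tries needed:      %d\n", $tries);
printf("inputs:            %s / %s\n", $a, $b);
printf("md5 differs:       %s\n", md5($a) !== md5($b) ? 'yes' : 'no');
printf("crc32(md5) equal:  %s (%u)\n",
    weak_digest($a) === weak_digest($b) ? 'yes' : 'no', weak_digest($a));
// A check of the form crc32(md5($_POST["password"])) == $stored cannot tell
// $a and $b apart, while md5 alone (128 bits) still can.
```

Because the outer function fixes the output size, the same narrowing applies to md5(crc32(sha1(...))): everything after the crc32() step only ever sees one of 2^32 values.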

Posted: Sun Apr 23, 2006 9:42 am
by m0u53m4t
So what's the most secure hash I can use?

Posted: Sun Apr 23, 2006 10:13 am
by feyd
Portable across all PHP 4 installs? SHA256. Look in Code Snippets for a class that performs such a function.