[SOLVED] Password being shown in url bar
Posted: Sun Apr 23, 2006 7:39 am
by m0u53m4t
Here is my basic login thing:
Code:
<?php
$username = $_GET["username"];
$password = md5($_GET["password"]);
if ($username == 'John' && $password == '5f4dcc3b5aa765d61d8327deb882cf99') {
echo 'Correct username and password';
}
else {
echo 'Incorrect username and password';
}
?>
But I use the method 'get' on my html, and therefore you can read the password in the url bar! What would I have to change to be able to change the html to use post?
Posted: Sun Apr 23, 2006 7:42 am
by Chris Corbyn
<form method="post" ... > ?

Posted: Sun Apr 23, 2006 7:44 am
by m0u53m4t
Yes sorry, I got that, I meant in the php. I just changed the two at the top to
Code:
$username = $_POST["username"];
$password = md5($_POST["password"]);
and it worked

Posted: Sun Apr 23, 2006 7:51 am
by m0u53m4t
Is it more secure to use
Code:
$password = crc32(md5($_POST["password"]));
instead of just md5 btw?
Posted: Sun Apr 23, 2006 7:53 am
by Chris Corbyn
m0u53m4t wrote:Is it more secure to use
Code:
$password = crc32(md5($_POST["password"]));
instead of just md5 btw?
No it's less secure since once you start hashing hashes you're more likely to generate collisions.
Posted: Sun Apr 23, 2006 8:33 am
by m0u53m4t
so $password = md5(crc32(sha1($_POST["password"]))); is less secure than $password = md5($_POST["password"]); ???
Posted: Sun Apr 23, 2006 9:05 am
by timvw
m0u53m4t wrote:so $password = md5(crc32(sha1($_POST["password"]))); is less secure than $password = md5($_POST["password"]); ???
CRC returns a number that consists of 32 bits. Thus one only has to try 2 ^ 32 bit combinations...
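Added example, not part of any post in this thread: a PHP sketch (assuming PHP 7.1 or later) of the 32-bit limit described above, showing that wrapping md5() in crc32() makes two different constructed strings store as the same value. The names chained_hash and find_collision and the "candidate-N" inputs are made up for this illustration.

```php
<?php
// Added illustration: an outer crc32() caps the stored value at 32 bits,
// so distinct inputs start to share a stored value after roughly 2^16 tries
// (birthday bound), even though their MD5 digests are different.

/** The chained construction asked about in the thread. */
function chained_hash(string $password): int
{
    // md5() returns a 32-character hex string; crc32() reduces it to one integer.
    return crc32(md5($password));
}

/**
 * Walk constructed candidates until two of them share a chained hash.
 * Returns [first, second, hash], or null if none is found within $limit.
 */
function find_collision(int $limit): ?array
{
    $seen = []; // chained hash => candidate that produced it
    for ($i = 0; $i < $limit; $i++) {
        $candidate = "candidate-$i"; // constructed sample input
        $h = chained_hash($candidate);
        if (isset($seen[$h])) {
            return [$seen[$h], $candidate, $h];
        }
        $seen[$h] = $candidate;
    }
    return null;
}

$hit = find_collision(500000);
if ($hit === null) {
    echo "No collision in this range; raise the limit.\n";
} else {
    [$a, $b, $h] = $hit;
    printf("%s and %s both store as %08x\n", $a, $b, $h);
    // Only the 32-bit wrapper collides; the inner digests stay distinct.
    printf("md5 digests differ: %s\n", md5($a) !== md5($b) ? 'yes' : 'no');
    // A login check that compares chained hashes would accept either string.
    printf("chained hashes equal: %s\n",
        chained_hash($a) === chained_hash($b) ? 'yes' : 'no');
}
```

The same search against md5() alone would need on the order of 2^64 candidates, which is why the wrapper makes the stored value weaker rather than stronger.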
Posted: Sun Apr 23, 2006 9:42 am
by m0u53m4t
So what's the most secure hash I can use?
Posted: Sun Apr 23, 2006 10:13 am
by feyd
Portable across all PHP 4 installs? SHA256. Look in Code Snippets for a class that performs such a function.