javascript variables to php?


hobu
Forum Newbie
Posts: 10
Joined: Tue Oct 28, 2003 2:42 am
Location: Estonia


Post by hobu »

I want to crypt the password on the client side with md5 so as not to send it as plain text to the server. I am pretty dark in JavaScript :oops: . Maybe you can help me and tell me what is totally wrong in this script? It won't crypt it, although I have md5.js in the same catalog. Maybe it won't pass JavaScript variables correctly to PHP?
----------------------------------------------------------
<SCRIPT LANGUAGE="JavaScript" src = "md5.js">
function Login(){
var username=document.login.username.value;
var password=document.login.password.value;
password = md5("password");
return password;
}
</script>
<h1>Please Log In</h1>
This page is secret.
<form method="post" action="something.php">
<table border="1">
<tr>
<th> Username </th>
<td> <input type="text" name="username"> </td>
</tr>
<tr>
<th> Password </th>
<td> <input type="password" name="password"> </td>
</tr>
<tr>
<td colspan="2" align="center">
<input type="submit" value="Log In"
onSubmit= "Login()">
</td>
</tr>
</table>
</form>

<?php
// connect to mysql
$mysql = mysql_connect( 'localhost', 'user', 'password' );
if(!$mysql)
{
echo 'Cannot connect to database.';
exit;
}

// select the appropriate database
$mysql = mysql_select_db( 'database' );
if(!$mysql)
{
echo 'Cannot select database.';
exit;
}
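// escape both values before they are placed in the SQL string
$blah1= mysql_real_escape_string($HTTP_POST_VARS['username']);
$blah2= mysql_real_escape_string($HTTP_POST_VARS['password']);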
// query the database to see if there is a record which matches
$query = "select count(*) from User where
uname = '".$blah1."' and
pword = '".$blah2."' ";

//echo $query;
$result = mysql_query( $query);

.... etc (the end is ok)
--------------------------------------------------------------------------

I would really appreciate your help!
scorphus
Forum Regular
Posts: 589
Joined: Fri May 09, 2003 11:53 pm
Location: Belo Horizonte, Brazil

Post by scorphus »

• The script is not crypting the form data. You are not changing the value of the password field as you expected by doing:

Code:

function Login () {
	var username=document.login.username.value;
	var password=document.login.password.value;
	password = md5("password");
	return password;
}
• The above code is crypting the word "password" and storing the MD5 Sum in the variable password and returning it. The form data is left intact.
• The Login() function is not getting called because onSubmit is not an <input> but a <form> attribute.
• login should be a form but I see no name="login" in your <form> tag.

So, what has to be done? Let's take a walk:
• Name your <form> and add the onSubmit attribute to it:

Code:

<form name="form1" method="post" action="something.php" onSubmit="javascript:cryptData(this)">
The keyword this is a reference to the form itself.

• Build the Javascript cryptData() function (taking advantage of PHP syntax highlighting but it is Javascript):

Code:

function cryptData (formPtr) {
	formPtr.password.value = md5(formPtr.password.value); // Update the password field with the crypted data
	formPtr.submit(); // Submit the form
	return;
}
• Fix your submit button:

Code:

<input type="submit" name="login" value="Log In">
• Not too late to remember that the form must not have a field with name="submit" or the line formPtr.submit() does not work.

Take a jump to JavaScript Central to improve your Javascript skills.

Regards,
Scorphus.

Post by hobu »

Thank you very much. Forum in my homeland isn't so friendly at all :(
I dare to ask: is it all right now that way? Because it's still not working. Was the PHP ( $blah2= $HTTP_POST_VARS['password']; ) right before?



<html>

<head>
<SCRIPT LANGUAGE="JavaScript" src = "md5.js">
function cryptData (formPtr) {
formPtr.password.value = md5(formPtr.password.value);
formPtr.submit();
return;
}
</script>
<h1>Please Log In</h1>
This page is secret.
<form name="form1" method="post" action="something.php"
onSubmit="javascript:cryptData(this)">
<table border="1">
<tr>
<th> Username </th>
<td> <input type="text" name="username"> </td>
</tr>
<tr>
<th> Password </th>
<td> <input type="password" name="password"> </td>
</tr>
<tr>
<td colspan="2" align="center">
<input type="submit" name="login" value="Log In">
</td>
</tr>
</table>
</form>
...

Post by scorphus »

Good! Now let's solve the PHP problem. Just a couple of questions to help me help you:

• What PHP version are you running?
• Could you please post the code of something.php and enclose it by [syntax=php][/syntax]?

Cheers,
Scorphus.

Post by hobu »

version is 4.3.2 I believe. And this is what I have now (in the end is user authentication based on their rights, but that's ok and just test variant also):

Code:

<?php
 if(!isset($HTTP_POST_VARS['username'])&&!isset($HTTP_POST_VARS['password']))
 {
    //Visitor needs to enter a name and password

?>

<html>

<head>
  <SCRIPT LANGUAGE="JavaScript" src = "md5.js">
    function cryptData (formPtr) {
    formPtr.password.value = md5(formPtr.password.value);
    formPtr.submit();
   return true;
}
</script>
   <h1>Please Log In</h1>
    This page is secret.
  <form name="form1" method="post" action="something.php"
  onSubmit="javascript:cryptData(this)">
   <table border="1">
    <tr>
      <th> Username </th>
      <td> <input type="text" name="username"> </td>
    </tr>
       <tr>
      <th> Password </th>
      <td> <input type="password" name="password"> </td>
    </tr>
      <tr>
      <td colspan="2" align="center">
 <input type="submit" name="login" value="Log In">
    </td>
    </tr>
    </table>
    </form>
  </head>

<body>

<?php
  }
  else
  {


    // connect to mysql
    $mysql = mysql_connect( 'localhost', 'user', 'secretpassword' );
    if(!$mysql)
    {
      echo 'Cannot connect to database.';
      exit;
    }

    // select the appropriate database
    $mysql = mysql_select_db( 'databasename' );
    if(!$mysql)
    {
      echo 'Cannot select database.';
      exit;
    }
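    // escape both values before they are placed in the SQL string
    $blah1= mysql_real_escape_string($HTTP_POST_VARS['username']);
    $blah2= mysql_real_escape_string($HTTP_POST_VARS['password']);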
    // query the database to see if there is a record which matches
    $query = "select count(*) from User where
                 uname = '".$blah1."' and
           pword = '".$blah2."' ";

    //echo $query;
    $result = mysql_query( $query);

    //echo $result;
    if(!$result)
    {
      echo 'Cannot run query.';
      exit;
    }


    $count = mysql_result( $result, 0, 0 );
    //echo $count;
    if ( $count > 0 ){ //authenticated
      echo ' oled tuvastatud ';
      //asking user level
$query_level = "SELECT level FROM User WHERE
        uname = '".$blah1."'
        and pword = '".$blah2."'";


 $level_q = mysql_query( $query_level);


 $level = mysql_result($level_q,0,0);


        if ($level == 4){
          echo 'you are regular user';
        }
        elseif ($level == 1){
          echo 'you are admin';
        }


        //if (
      // visitor's name and password combination are correct
      //echo '<h1>Here it is!</h1>';
      //echo 'ojee me ei olegi lootusetud ';

    }//not authenticated
    else
    {
      // visitor's name and password combination are not correct
      echo '<h1>Go Away!</h1>';
      echo 'You are not authorized to view this resource.';
    }
  }
?>




</body>

</html>

Post by scorphus »

Change the cryptData() function a bit to check if the md5() function is crypting your password:

Code:

function cryptData (formPtr) {
	formPtr.password.value = md5(formPtr.password.value); // Update the password field with the crypted data
	alert(formPtr.password.value); // this should open a message alert with the encrypted password on it before submitting the form.
	formPtr.submit(); // Submit the form
	return;
}
Also, let's take a look at the data that is being sent from the form to something.php. Right before the line that opens a connection to mysql (in the first line after the else) place:

Code:

echo '<pre>';
print_r($HTTP_POST_VARS);
echo '</pre>';
This will print the content of the $HTTP_POST_VARS variable.

Just a tip: you can use $_POST instead of $HTTP_POST_VARS (Predefined variables).

Scorphus.
m3rajk
DevNet Resident
Posts: 1191
Joined: Mon Jun 02, 2003 3:37 pm

Post by m3rajk »

why are you doing this client side? client side is spoofable. imho all db stuff should be server side.

in the php have something like
$pass=MD5($_POST['password']);

Post by hobu »

The reason why I am doing this is actually because it's a course project (client-server languages) and my professor seems to think that it's very important not to send the password to the server side as plain text. I read somewhere that it's not much safer though if someone really wants to attack my page and database. But the project itself isn't so important to protect it very hard. Anyway, the second reason is that if I started with this, I should be able to finish it too :) Can't give up anymore and you are helping so nicely too.

well, the results to those printings:

alert didn't open any pop-up window:( I've tried it before too and it has never worked. I'm sure it's not browser problem. Other people's scripts with alerts work fine.

The second print_r gives before login: array() and after, for example, if password is secret:

Array
(
[username] => secret
[password] => secret
[login] => Log In
)


So, the crypting isn't working. I've done some 'research' here too and maybe I should use a hidden field to send the crypted password? Although I'm not sure how to do it exactly.

Post by scorphus »

hobu wrote:alert didn't open any pop-up window
If the alert is not being shown there is a problem inside md5.js or with the JavaScript md5() function. The script is not reaching the alert() line. What browser are you using? Does it report any Javascript error? Try Mozilla Firebird [http://www.mozilla.org/], it has a JavaScript Debugger tool.
hobu wrote:if password is secret:

Array
(
[username] => secret
[password] => secret
[login] => Log In
)

So, the crypting isn't working. I've done some 'research' here too and maybe I should use a hidden field to send the crypted password? Although I'm not sure how to do it exactly.
As you noticed, the password is not being crypted.

Let's make sure that indeed the problem is in the md5() function or inside md5.js. Modify the <script> section of the page:

Code:

<script language="JavaScript1.2" type="text/javascript">
<!--
function cryptData (formPtr) {
   formPtr.password.value += '#testing#'; //md5(formPtr.password.value);
   alert(formPtr.password.value);
   formPtr.submit();
   return;
}
//-->
</script>
We stop loading md5.js, no function call is made, and we concatenate the string #testing# to the password. Run it and tell us what the print_r($_POST) outputs. It should be just like this:

Code:

Array
(
    [username] => secret
    [password] => secret#testing#
    [login] => Log In
)
If print_r outputs this, then there is a problem either with the md5.js file or the md5() function. Try and see what is wrong with it, use the javascript debugger. Also post it here or provide a link to the md5.js so we can check it out too.
hobu wrote:I've done some 'research' here too and maybe I should use a hidden field to send crypted password? although I'm not sure how to do it exactly.
I think that's a good idea. When you press the submit button you can see the content of the password field get changed and it's not good. Also you cannot set a max length for the password of i.e. 10 characters since MD5 phrase is 32 characters long. Let's shoot the problem first, make the whole thing work and then move ahead ;)

Regards,
Scorphus.
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

Hi, I really don't intend to interfere. Feel free to ignore this post as it might take you nowhere. Only a short link to another thread that's related to m3rajk's concerns. It (again) points to a site that might be helpful for you ...and your prof ;)
viewtopic.php?t=3168

Post by scorphus »

Thanks volka. Your posts are always a significant help and always welcome.

Post by hobu »

prof is here again :D

one good thing. mozilla made the alert work. I don't know why I didn't try it with mozilla before :oops:
but the other thing gave exactly the same result as you said. the link where i got the md5:

http://pajhome.org.uk/crypt/md5/index.html

maybe I used the script checking wrongly but I didn't find any mistakes:(

I'm getting pretty ambitious here and now planning to add random string crypted with md5 also to this crypted password but as you said, let's try to solve this one first.

feeling like little bug climbing mount everest

Post by scorphus »

Good! I tried here:

Code:

<script language="JavaScript1.2" type="text/javascript" src="md5.js"></script>
<script language="JavaScript1.2" type="text/javascript">
<!--
function cryptData (formPtr) {
	formPtr.password.value = md5(formPtr.password.value); // this is line 8
	//alert(formPtr.password.value);
	formPtr.submit();
	return;
}
//-->
</script>
and the Javascript debugger gave me an error:

Code:

Error: md5 is not defined
Source File: http://localhost/lab/form.php
Line: 8
So, there is no md5() function in the md5.js file. The name of the function that returns the hash of a string is hex_md5().

So just do it this way:

Code:

<script language="JavaScript1.2" type="text/javascript" src="md5.js"></script>
<script language="JavaScript1.2" type="text/javascript">
<!--
function cryptData (formPtr) {
	formPtr.password.value = hex_md5(formPtr.password.value);
	formPtr.submit();
	return;
}
//-->
</script>
Note that we first add a <script> tag to load md5.js and then another <script> to define our cryptData() function. You must do this otherwise cryptData() will not be defined.

Make those changes and we'll be ready to move ahead.
Post by volka »

scorphus wrote:Thanks volka. Your posts are always a significant help and always welcome.
thanks. I was concerned about pointing to another direction (which often does more harm than good) but
hobu wrote:as you said, let's try to solve this one first.
that's the proper attitude (to get things done) :]

Post by hobu »

thank youuuuuuuuuuuuuuuuuuuuuu! it's working! :D
and the mistake was so simple as always.

I think now I should do this hidden field trick. I tried this:

Code:

<script language="JavaScript1.2" type="text/javascript" src="md5.js"></script>
<script language="JavaScript1.2" type="text/javascript">
<!--
function cryptData (formPtr) {
   formPtr.hiddenfield.value = hex_md5(formPtr.password.value);
   formPtr.submit();
   return;
}
//-->
</script>

and then in this form I added line

Code:

<input type="hidden" name="hiddenfield">
and finally I changed:

Code:

<?php
        $plah1= $_POST['username'];
        $plah2= $_POST['hiddenfield'];

?>
now this crypted password is sent with this hiddenfield but how can I get that the plain password won't be sent?
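
Added example, not part of the thread and not any poster's code: one way to keep the plain password out of the POST while also covering m3rajk's point that a fixed client-side hash can simply be sent again, using the "random string" hobu mentions. It goes beyond the posts: it runs under Node.js with the built-in crypto module standing in for md5.js's hex_md5(), and the nonce field, the users table and every function name other than cryptData() and hex_md5() are assumptions.

```javascript
// Added example, not from the thread. Runs under Node.js; the built-in crypto
// module stands in for md5.js's hex_md5(). All other names are hypothetical.
const nodeCrypto = require('crypto');
const hex_md5 = (s) => nodeCrypto.createHash('md5').update(s, 'utf8').digest('hex');

// ---- server side ----
const users = new Map([['hobu', hex_md5('secret')]]); // constructed row: uname => pword
const pendingNonces = new Set();                      // issued, not yet used

function issueNonce() {
  const nonce = nodeCrypto.randomBytes(16).toString('hex');
  pendingNonces.add(nonce);
  return nonce;
}

function verifyLogin(post) {
  // A nonce is accepted once; a captured POST sent a second time fails here.
  if (!pendingNonces.delete(post.nonce)) return false;
  const stored = users.get(post.username);
  if (stored === undefined) return false;
  const expected = Buffer.from(hex_md5(post.nonce + stored));
  const got = Buffer.from(String(post.hiddenfield));
  return got.length === expected.length && nodeCrypto.timingSafeEqual(got, expected);
}

// ---- client side: cryptData() from the thread, extended ----
function cryptData(formPtr) {
  const pwHash = hex_md5(formPtr.password.value);
  formPtr.hiddenfield.value = hex_md5(formPtr.nonce.value + pwHash);
  formPtr.password.value = ''; // blank the visible field: no plain text in the POST
}

// Constructed stand-in for the browser's form and the fields it would post.
function submitLogin(username, password) {
  const form = {
    username: { value: username }, password: { value: password },
    hiddenfield: { value: '' }, nonce: { value: issueNonce() },
  };
  cryptData(form);
  const post = {};
  for (const name of Object.keys(form)) post[name] = form[name].value;
  return post;
}

function demo() {
  const post = submitLogin('hobu', 'secret');
  const first = verifyLogin(post);
  const replay = verifyLogin(post); // identical POST, second time
  const other = submitLogin('hobu', 'secret');
  return { post, first, replay, differs: other.hiddenfield !== post.hiddenfield };
}
```

In the real page, nonce would be a hidden input that something.php fills in on each page load. The stored hex_md5(password) is still a password equivalent for anyone who can read the User table, and nothing here protects the page and script in transit the way HTTPS does.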