which I think is not the best choice (it's quite simple however).
• Use form1 to store the username and password (as it already does) and another form (say form2) with two hidden inputs that will hold the form1.username.value and the hash key of the form1.password.value and a submit button to send the form2 data to the server.
What do you think?
Just curious, did you read volka's post and follow that link?
I wasn't quite sure javascript is allowed to touch an input-password element, but it works with IE6 and mozilla 1.5.
One thing I also added is a kind of javascript-test. The whole thing doesn't work if javascript is either not available or disabled. So the password field is disabled by default (and does not have a name property -> isn't sent on submit)
volka wrote: The whole thing doesn't work if javascript is either not available or disabled. So the password field is disabled by default (and does not have a name property -> isn't sent on submit)
between this and spoofing, why would one do client-side processing? client-side processing also gives away a bunch about the structure of the processing done. login processing client-side is basically giving hackers an instruction sheet on hacking into someone else's name
not in this case. No vital information about the processing is added, only some kind of security is added (above|to) the transport layer. That the password is checked server-side we already knew
ok. now I missed the train a little
yes, I looked at that link. The server in which my 'project' will be, supports (is this the right word..?) SSL too. But I'm stubborn and want to keep going
so I think I still try to do something with random value.
I will probably ask some stupid questions again pretty soon.
But thanks so far for helping little silly girl who wants to be big and smart
np. actually php has an md5 hashing function. surprisingly, you get it by going $variable2=MD5($variable1);
$variable1 is the unhashed value and $variable2 is the hashed value. if you just wanna change variable 1, then, $variable=MD5($variable);
hobu wrote: ok. now I missed the train a little
yes, I looked at that link. The server in which my 'project' will be, supports (is this the right word..?) SSL too. But I'm stubborn and want to keep going
so I think I still try to do something with random value.
I will probably ask some stupid questions again pretty soon.
But thanks so far for helping little silly girl who wants to be big and smart
You're welcome. Don't be afraid to ask if you need anything else. Here we're all apprentices
I wrote something and of course it won't work. I marked the line which is probably wrong, but maybe you'll get an idea what I'm trying to do. Got the parts of this thing from different places and tried to put it all together
<?php
$plah1= $_POST['username'];
$plah2= $_POST['hiddenfield'];
$query = "select count(*) from User where
uname = '".$plah1."' and
'$_POST[hiddenfield]'=MD5(CONCAT(MD5(pword),$randomstring))";
?>
pword is the password field name in my SQL table. This query won't work. Is it possible to use pword and $randomstring together that way?
when I printed out $query it looked like this:
select count(*) from User where uname = 'secret' and 'ef697a82070746272697c2a220f29e6b'=MD5(CONCAT(MD5(pword),))
so it doesn't understand $randomstring although $randomstring is passed by form correctly.
changing $_POST['hiddenfield'] to '".$plah2."' didn't help either.
$_POST['randomstring'] holds the randomstring, not $_POST['hiddenfield']
btw: if you've started the session (session_start()) the value should be stored in $_SESSION['random_number'] and there's no need to send it with the form anyway
yes, I wanted to md5 two times in the crypting function, but I also did it in the wrong place. In the mysql query I had to remove one md5 because passwords in the database are already md5'd.
well, now I got the result that I want, but is it actually a smart way to handle this? I mean: to create a random value, add it to the md5'd password and crypt the result again with md5. Is it helping to make it more secure or am I just wasting my time while the profs look and laugh quietly?
and if the server supports SSL and the page won't contain any life-or-death data, can it be that way (for a newbie)?
one thing I know now - this wasn't the easiest problem to solve considering the fact that I 'met' php and javascript about a week ago :)
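The challenge-response exchange hobu ends up with (random value kept in the session as volka suggested, client sends md5(md5(password) + random), server checks it against the stored MD5(pword)), written out as an added Python example rather than the thread's PHP/JavaScript. The user table, password and session dict are constructed here; only the username 'secret' and the MD5 scheme come from the thread.

```python
import hashlib
import secrets

# MD5 is used only because it is what the thread's PHP/MySQL code uses.
def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()

# Constructed user table: the pword column already holds MD5(password),
# as hobu says it does. Username 'secret' is from the printed query.
USER_DB = {"secret": md5_hex("correct horse")}  # constructed password

def issue_challenge(session: dict) -> str:
    """Server: create the random value, keep it in the session and return
    it so the login page can embed it for the client-side script."""
    nonce = secrets.token_hex(16)
    session["random_number"] = nonce
    return nonce

def client_response(password: str, nonce: str) -> str:
    """Browser-side equivalent: md5(md5(password) + randomstring)."""
    return md5_hex(md5_hex(password) + nonce)

def verify(session: dict, username: str, response: str) -> bool:
    """Server: the MD5(CONCAT(pword, random)) check done in code, with a
    constant-time compare. The nonce is removed from the session so a
    response captured on the wire cannot be reused. Note that the stored
    MD5(pword) is itself enough to compute a valid response, so the table
    must be protected like a plaintext password would be."""
    nonce = session.pop("random_number", None)
    stored = USER_DB.get(username)
    if nonce is None or stored is None:
        return False
    expected = md5_hex(stored + nonce)
    return secrets.compare_digest(expected, response)

def login_attempt(username: str, password: str) -> bool:
    """One full exchange: challenge -> client hash -> server check."""
    session = {}
    nonce = issue_challenge(session)
    return verify(session, username, client_response(password, nonce))

def replay_is_rejected(username: str, password: str) -> bool:
    """A genuine response re-sent after its nonce was consumed must fail."""
    session = {}
    nonce = issue_challenge(session)
    response = client_response(password, nonce)
    first = verify(session, username, response)   # genuine login
    second = verify(session, username, response)  # same response again
    return first and not second
```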
I don't think that md5(md5(part1)+part2) improves security over md5(part1+part2).
The source "alphabet" is smaller since the result of md5 is limited to [0-9A-F] (only 16 characters). On the other hand it increases the string length to 32 characters (and how many users have passwords of that length?) before applying the second md5().
All put together I think (and it's nothing more than a guess) you gain nothing but also lose nothing (save that the script is more complex).
Sometimes it's dangerous to apply the same algorithm twice as it narrows possible results, sometimes it increases security (Twofish, triple-DES, ...)