javascript variables to php?


scorphus
Forum Regular
Posts: 589
Joined: Fri May 09, 2003 11:53 pm
Location: Belo Horizonte, Brazil

Post by scorphus »

hobu wrote:thank youuuuuuuuuuuuuuuuuuuuuu! it's working! :D
and the mistake was so simple as always.
That's nice!
hobu wrote:now this crypted password is sent with this hiddenfield but how can I get that the plain password won't be sent?
Glad you did it... Well, you could:

• Make the JavaScript erase the password field:

Code:

function cryptData (formPtr) {
   formPtr.hiddenfield.value = hex_md5(formPtr.password.value);
   formPtr.password.value = '';
   formPtr.submit(); 
   return;
}
which I think is not the best choice (it's quite simple however).

• Use form1 to store the username and password (as it already does) and another form (say form2) with two hidden inputs that will hold the form1.username.value and the hash key of the form1.password.value and a submit button to send the form2 data to the server.

What do you think?

Just curious, did you read volka's post and follow that link?

Cheers,
Scorphus.
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

why not set the value of the password field directly, skipping the hidden field?

Code:

<html>
	<head>
		<title>password test</title>
		<script type="text/javascript">
			function enablePW()
			{
				var obj = document.getElementById("pwfield");
				if (obj != null)
				{
					obj.disabled = false;
					obj.name = "password";
					
					obj = document.getElementById("divWarning");
					if (obj != null && obj.style != null)
						obj.style.display = "none";
					return true;
				}
				else
					return false;
			}
			
			function handlePassword()
			{
				var obj = document.getElementById("pwfield");
				if (obj != null)
				{
					obj.value = "jabba jabba"; // or the md5 value 
					return true;
				}
				else
					return false;
			}
		</script>
	</head>
	<body>
		<!-- output below is escaped so POSTed values and PHP_SELF cannot inject markup -->
		<fieldset><legend>POSTed values</legend>
			<pre><?php echo htmlspecialchars(print_r($_POST, true)); ?></pre>
		</fieldset>
	
		<form method="POST" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" onSubmit="return handlePassword()">
			<input type="text" name="username" />username<br />
			<div id="divWarning" style="display: block">domhtml compatible javascript is mandatory</div>
			<input type="password" id="pwfield" disabled="disabled" value="" />password<br />
			<input type="submit" />
		</form>
		<script type="text/javascript">enablePW();</script>
	</body>
</html>
I wasn't quite sure javascript is allowed to touch an input-password element but it works with IE6 and mozilla 1.5.
One thing I also added is a kind of javascript-test. The whole thing doesn't work if javascript is either not available or disabled. So the password field is disabled by default (and does not have a name property -> isn't sent on submit)
m3rajk
DevNet Resident
Posts: 1191
Joined: Mon Jun 02, 2003 3:37 pm

Post by m3rajk »

volka wrote: The whole thing doesn't work if javascript is either not available or disabled. So the password field is disabled by default (and does not have a name property -> isn't sent on submit)
between this and spoofing, why would one do client side processing? client side processing also gives away a bunch about the structure of the processing done. login processing client side is basically giving hackers an instruction sheet on hacking into someone else's name

Post by volka »

not in this case. No vital information about the processing is added, only some kind of security is added (above|to) the transport layer. That the password is checked server-side we already knew ;)

Post by m3rajk »

when you know the encoding used, it's easier to write something to crack the pws.
hobu
Forum Newbie
Posts: 10
Joined: Tue Oct 28, 2003 2:42 am
Location: Estonia

Post by hobu »

ok. now I missed the train a little :roll:
yes, I looked at that link. The server in which my 'project' will be, supports (is this the right word..?) SSL too. But I'm stubborn and want to keep going :wink:

so I think I still try to do something with random value.

I will probably ask some stupid questions again pretty soon.

But thanks so far for helping little silly girl who wants to be big and smart :wink:

Post by m3rajk »

np. actually php has an md5 hashing function. surprisingly, you get it by going $variable2=MD5($variable1);
$variable1 is the unhashed value and $variable2 is the hashed value. if you just wanna change variable 1, then, $variable=MD5($variable);

Post by volka »

m3rajk: the task was "not to send the plain password over the network". That's what this is all about ;)

Post by scorphus »

hobu wrote:ok. now I missed the train a little :roll:
yes, I looked at that link. The server in which my 'project' will be, supports (is this the right word..?) SSL too. But I'm stubborn and want to keep going :wink:

so I think I still try to do something with random value.

I will probably ask some stupid questions again pretty soon.

But thanks so far for helping little silly girl who wants to be big and smart :wink:
You're welcome. Don't be afraid to ask if you need anything else. Here we're all apprentices ;)

See you around...

Regards,
Scorphus.

Post by hobu »

I wrote something and of course it won't work. I marked the line which is wrong probably, but maybe you'll get an idea what I'm trying to do. Got the parts of this thing from different places and tried to put it all together :oops:

Code:

<?php
<?php
 if(!isset($_POST['username'])&&!isset($_POST['password']))
 {
    //Visitor needs to enter a name and password

?>

<html>

<head>
<?php
 $_SESSION['random_number'] = rand();
 $randomstring = $_SESSION['random_number'];
 ?>
 <script language="JavaScript1.2" type="text/javascript" src="md5.js"></script>
<script language="JavaScript1.2" type="text/javascript">
<!--
function cryptData (formPtr) {
   formPtr.hiddenfield.value = hex_md5(hex_md5(formPtr.password.value) + formPtr.randomstring.value);
   formPtr.password.value = "";
   formPtr.submit();
   return;
}
//-->
</script>






   <h1>Please Log In</h1>
    This page is secret.
  <form name="form1" method="post" action="proov3.php"
  onSubmit="javascript:cryptData(this)">
     <table border="1">
    <tr>
      <th> Username </th>
      <td> <input type="text" name="username"> </td>
    </tr>
       <tr>
      <th> Password </th>
      <td> <input type="password" name="password"> </td>
      <input type='hidden' name='randomstring' value='".$_SESSION['random_number']."'>"  
      <td> <input type="hidden" name="hiddenfield"> </td>
    </tr>



           <tr>
      <td colspan="2" align="center">


 <input type="submit" name="login" value="Log In">
    </td>
    </tr>

    </table>
    </form>
  </head>

<body>

<?php
  }
  else
     echo '<pre>';
print_r($_POST);
echo '</pre>';

  {



    // connect to mysql
    $mysql = mysql_connect( 'localhost', 'bi', 'kr00ks' );
    if(!$mysql)
    {
      echo 'Cannot connect to database.';
      exit;
    }

    // select the appropriate database
    $mysql = mysql_select_db( 'bidb' );
    if(!$mysql)
    {
      echo 'Cannot select database.';
      exit;
    }
             $blah1= $_POST['username'];
        //$blah2= $_POST['hiddenfield'];

           // query the database to see if there is a record which matches

        $query = "select count(*) from User where
                 uname = '".$blah1."' and
                 '$_POST['hiddenfield']'=MD5(CONCAT(pword,$_SESSION['random_number']))";
    //echo $query;
    $result = mysql_query( $query);

    //echo $result;
    if(!$result)
    {
      echo 'Cannot run query.';
      exit;
    }


    $count = mysql_result( $result, 0, 0 );
    //echo $count;
    if ( $count > 0 ){ // authenticated
      echo ' oled tuvastatud ';
      // ask for the user level

$query_level = "SELECT level FROM User WHERE
        uname = '".$plah1."'
        and pword = '".$plah2."'";//this I will change later when first one is alright


 $level_q = mysql_query( $query_level);


 $level = mysql_result($level_q,0,0);


        if ($level == 4){
          echo 'oled k6igest tavakasutaja';
        }
        elseif ($level == 1){
          echo 'oled age v6i hedi';
        }


        //if (
      // visitor's name and password combination are correct
      //echo '<h1>Here it is!</h1>';
      //echo 'ojee me ei olegi lootusetud ';

    }// not authenticated
    else
    {
      // visitor's name and password combination are not correct
      echo '<h1>Go Away!</h1>';
      echo 'You are not authorized to view this resource.';
    }
  }
?>




</body>

</html>
?>

Post by volka »

<input type='hidden' name='randomstring' value='".$_SESSION['random_number']."'>"
when the php syntax highlighter here assigns black to a code part it's outside a php-block
try

Code:

<input type="hidden" name="randomstring" value="<?php echo $_SESSION['random_number']; ?>" />
instead

Post by hobu »

Code:

<?php
$plah1= $_POST['username'];
$plah2= $_POST['hiddenfield'];
$query = "select count(*) from User where
                 uname = '".$plah1."' and
             '$_POST[hiddenfield]'=MD5(CONCAT(MD5(pword),$randomstring))";

?>
pword is password field name in my sql table. This query won't work. is it possible to use pword and $randomstring together that way?
when I printed out $query it looked like this:

Code:

select count(*) from User where uname = 'secret' and 'ef697a82070746272697c2a220f29e6b'=MD5(CONCAT(MD5(pword),))
so it doesn't understand $randomstring although $randomstring is passed by form correctly.
changing $_POST['hiddenfield'] to '".$plah2."' didn't help either.

Post by volka »

<input type='hidden' name='randomstring' value='".$_SESSION['random_number']."'>"
$_POST['randomstring'] holds the randomstring, not $_POST['hiddenfield']

btw: if you've started the session (session_start()) the value should be stored in $_SESSION['random_number'] and there's no need to send it with the form anyway

and another thing
formPtr.hiddenfield.value = hex_md5(hex_md5(formPtr.password.value) + formPtr.randomstring.value)
are you sure you want to apply md5 two times there?
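
The exchange the thread arrives at, simulated end to end in Node.js as an added example (not code from any poster): the server keeps the random value in the session, uses it once, and ignores any value posted back with the form. The names issueChallenge, clientResponse and verifyLogin, the Map-based session and user stores, and the sample password are assumptions made for illustration; in PHP the user lookup would be a parameterized query rather than string concatenation.

```javascript
// Added example: simulates browser and server sides of the thread's login exchange.
const crypto = require('node:crypto');

const md5hex = (s) => crypto.createHash('md5').update(s, 'utf8').digest('hex');

// Constructed sample data: the User table stores md5(password), as in the thread.
const users = new Map([['secret', md5hex('correct horse')]]);
const sessions = new Map(); // session id -> { nonce }, stands in for $_SESSION

// Server, page render: create a fresh challenge and keep it server-side.
function issueChallenge(sessionId) {
  const nonce = crypto.randomBytes(16).toString('hex'); // CSPRNG instead of rand()
  sessions.set(sessionId, { nonce });
  return nonce; // embedded in the form so the browser script can read it
}

// Browser: the value cryptData() writes into hiddenfield.
function clientResponse(password, nonce) {
  return md5hex(md5hex(password) + nonce);
}

// Server, form handler: a posted randomstring is never consulted.
function verifyLogin(sessionId, username, response) {
  const session = sessions.get(sessionId);
  if (!session || !session.nonce) return false;
  const nonce = session.nonce;
  session.nonce = null; // single use: a captured response cannot be replayed
  const stored = users.get(username);
  if (stored === undefined || typeof response !== 'string') return false;
  const expected = Buffer.from(md5hex(stored + nonce), 'utf8');
  const got = Buffer.from(response, 'utf8');
  // timingSafeEqual throws on length mismatch, so compare lengths first.
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

function demo() {
  const n1 = issueChallenge('sess-1');
  const r1 = clientResponse('correct horse', n1);
  const first = verifyLogin('sess-1', 'secret', r1);      // valid login
  const replaySame = verifyLogin('sess-1', 'secret', r1); // nonce already spent
  issueChallenge('sess-1');
  const replayNew = verifyLogin('sess-1', 'secret', r1);  // old response, new nonce
  const n3 = issueChallenge('sess-1');
  const wrong = verifyLogin('sess-1', 'secret', clientResponse('guess', n3));
  return { first, replaySame, replayNew, wrong };
}
```

Because the server only needs md5(password) to check a response, the stored value is as sensitive as the password itself; the scheme keeps the plain password off the wire but is not a substitute for SSL.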

Post by hobu »

yes, I wanted to md5 two times in crypting function, but I did it also in wrong place too. In mysql query I had to remove one md5 because passwords are in database already md5'd.

well, now I got the result what I want, but is it actually smart way to handle this? I mean: to create a random value, add it to md5'd password and result again crypt with md5. Is it helping to make it more secure or I just waste my time and profs look and laugh quietly :wink: ?

and if server supports SSL and the page won't contain any life-or-death data, can it be that way (for a newbie :oops: )?

one thing I know now - this wasn't the easiest problem to solve considering the fact that I 'met' php and javascript about a week ago :)

Post by volka »

I don't think that md5(md5(part1)+part2) improves security over md5(part1+part2).
The source "alphabet" is smaller since the result of md5 is limited to [0-9A-F] (only 16 characters). On the other hand it increases the string length to 32 characters (and how many users have passwords of that length ;) ) before applying the second md5().
All put together I think (and it's nothing more than a guess) you gain nothing but also lose nothing (save the script is more complex).
Sometimes it's dangerous to apply the same algorithm twice as it narrows possible results, sometimes it increases security (two-fish, triple-DES, ...)