My previous posting didn't appear until now, so i am posting this again (sorry about that!).

I have a form that takes user's name and password as input.
I want to send these values to another page but with the password encrypted. I want to encrypt the password before sending to the latter page.
Any suggestions?

    Don't rightly now if this is a good way to do it, but i had the same problem myself, and decided to use javascript, more specifically the md5.js file in an inclusion and then using the md5 function on an appropriate event handler.

      you can do this

      ie you click the submit button, and for example you want the values to be sent to test.php
      in the submit button you send all the values first to cript.php, then in cript.php you can encrypt the password, with header() you can resend the values to the test.php

      hope you understand what i mean

        Hi bernouli,
        i understand what u r saying, but thats not what i wanted to do. I don't want to send the passwords naked to any form(not even to self). But thanx for coming up with that suggestion.

        Jernhernik,
        i did a search on md5.js but couldn't find a good example of its implementaion. Do u have a sample code for my problem?
        -appreciate it

          ysrinu - mmm i am at work atm, so i dont have an example here, but i can take a look when i get home, but i'm not sure i have the code anymore....
          I'll take a look though, and see what i can find 🙂

          But here is a link for the md5.js source code and example file

          http://pajhome.org.uk/crypt/md5/

          cheers

            Hi jernhernik,
            i found a good example in
            http://www.php.net/manual/en/function.md5.php
            (posted by mogster@boomdesign.no)

            I got the pre-submit encryption to work
            but i had to put the whole source code of md5.js inside the javascript of the php file that had the form.
            Instead, when i am using require ("md5.js") or include<"md5.js"> , the function MD5() just wouldn't work and all the code in md5.js gets displayed on the browser.

            How should i include the file md5.js in my php form without pasting the code in it (i mean how to call the md5.js file to be included) ?
            -thanx

              Hey, i figured it out.
              Just in case someone wanted to know, here how it looks like:

              <html>
              <head>

              <script src="md5.js" language="javascript" >
              alert("md5.js script loaded");
              </script>

              <script language="javascript" type="text/javascript">
              <!--

              function doLogin()
{
  document.formname.hash.value=MD5(document.formname.password.value);
  document.formname.password.value = "";
  document.formname.submit();
}

              // -->
              </script>

              <form name="formname" method="GET" action="somefile.php" >

              Username<input type="text" name="username" size="9" maxlength="15">
              Password<input type="password" name="password" value="" size="9" maxlength="70">
              <input onClick="doLogin(); return true;" type="submit" value="Login">
              <input type="hidden" name="hash" value="">

              </form>

              </body>
              </html>

                MD5ing it on the client side is not offering much (if any) additional security. A packet sniffer can sniff out and pass the encrypted password almost as easy as a plain text one. There is nothing you can do on the client side that cannot be sniffed out and exploited, do not trust the client!

                You can throw some twists and turns on the server side which will make it difficult to hijack a session, but there is nothing to stop a hacker in possesion of the encrypted password from initiating a new session in the user's name.

                SSL is your only real option if security is an issue.

                  Write a Reply...