Nikhar Nikhar - 1 month ago 5
PHP Question

Is the password sent as text after submitting this form in PHP?

I was searching for simple password hashing in a login form.
I came across http://tinsology.net/2009/06/creating-a-secure-login-system-the-right-way/ where he hashes the password, creates a salt, and then hashes the password and salt again.
I am building a login form myself; this is abc.php:

<form name="register" action="register.php" method="post">
Username: <input type="text" name="username" maxlength="30" />
Password: <input type="password" name="pass1" />
Password Again: <input type="password" name="pass2" />
<input type="submit" value="Register" />
</form>


After submitting, it goes to register.php, which has:

<?php
$u = $_REQUEST['username'];
$p = $_REQUEST['pass1'];
// salt create function
// hashing code
// final hash password


And then I submit $u and the 'final password' to the database.

Q: My question is, when submitting the form from abc.php, does the password go as text?

And if yes, then there is a chance of someone reading it, so what's the need for hashing passwords? Even when I log in, I will submit the page and retrieve the password and username from $_REQUEST on maybe another page, where it will be checked; it travelled as text, and thus can be read by someone.

Answer

The password is now sent in clear text. There is a workaround without the use of HTTPS. You can hash the password before it is sent over the HTTP socket with JavaScript. There are several tutorials out there. This isn't as good as using HTTPS but still better than nothing.
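
An added example, not part of the original question or answer: one way to fill in the salt and hashing placeholders of register.php with PHP's built-in password_hash() and password_verify(), which protect the stored password, while refusing the form when it did not arrive over HTTPS, which is what protects it in transit. The function names and the in-memory $users array standing in for the database are assumptions.

```php
<?php
// Added example, not the asker's code. $users stands in for the database
// table; all function names are hypothetical.

// True when the request reached PHP over TLS. Behind a TLS-terminating proxy
// the check depends on the deployment and is not covered here.
function request_is_https(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off';
}

// register.php logic: validate the form fields, then store only a salted hash.
function register_user(array $server, array $post, array &$users): string
{
    if (!request_is_https($server)) {
        return 'rejected: form was submitted over plain HTTP';
    }
    $u  = trim((string) ($post['username'] ?? ''));
    $p1 = (string) ($post['pass1'] ?? '');
    $p2 = (string) ($post['pass2'] ?? '');
    if ($u === '' || strlen($u) > 30 || $p1 === '' || $p1 !== $p2) {
        return 'rejected: bad username or passwords do not match';
    }
    if (isset($users[$u])) {
        return 'rejected: username taken';
    }
    // password_hash() creates a random salt and embeds it in its output, so it
    // covers the "salt create", "hashing" and "final hash" placeholders at once.
    $users[$u] = password_hash($p1, PASSWORD_DEFAULT);
    return 'registered';
}

// Login: password_verify() reads the salt back out of the stored hash.
function check_login(array $post, array $users): bool
{
    $u = (string) ($post['username'] ?? '');
    $p = (string) ($post['pass1'] ?? '');
    return isset($users[$u]) && password_verify($p, $users[$u]);
}

// Constructed sample requests; in a real script pass $_SERVER and $_POST.
$users = [];
$form  = ['username' => 'alice', 'pass1' => 'correct horse', 'pass2' => 'correct horse'];
echo register_user(['HTTPS' => 'on'], $form, $users), PHP_EOL;
echo register_user([], $form, $users), PHP_EOL;
var_dump(check_login($form, $users));
var_dump(strpos($users['alice'], 'correct horse') === false);
```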
