First of all I searched on Google and didn't find any help to my problem.
I'm working on my local server with MAMP and I'm following a tutorial to try securing a php page with md5.
In my login.php page there is a form with login/password fields which calls a JS function when submitted:
<form id='log' method='post' action='templates/auth.php' onsubmit='javascript:submit_pass();'>
<input type='hidden' name='md5' />
<table align='center'>
<tr><td>Login</td><td><input name='login' /></td></tr>
<tr><td>Mot de passe</td><td><input type='password' name='passwd' /></td></tr>
<tr><td colspan='2' align='center'><input type='submit' value='Login !' /></td></tr>
</table>
</form>
The login.js script called on submit:
function submit_pass()
{
pass=document.forms['log'].passwd.value;
document.forms['log'].passwd.value="";
buf=MD5(pass);
document.forms['log'].md5.value=buf;
return true;
}
Then it sends the parameters by POST to auth.php
So I type in the fields a random login and password.
On my auth.php page I echo $_POST['login'] and $_POST['md5']
The problem is that $_POST['md5'] is empty. So I try to echo its size and it appears 0!
I don't understand, is something missing? Wrong?
Thanks
Do not hash the password on the client. It will not improve security, because nothing has changed: The server can only see the MD5 hash and the username now, and if I can intercept that, I have everything I need to also log in! Because the server can only check the MD5.
Additionally, Javascript does not come with a built in MD5 function.
And on top of that: An unsalted MD5 hash is as insecure as the plain text password itself - it is only marginally more effort to scan the whole password space.
If you really want to improve password security, you have to use SSL for the client-server-communication (otherwise anything is sent as clear text), and on the server you should hash with the new and shiny password_hash() function of PHP 5.5 (and there is a compatibility library that allows you to do it starting with PHP 5.3.7).
For passwords you should use crypt(). http://php.net/manual/en/function.crypt.php
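The answer's point about client-side hashing, shown side by side with server-side `password_hash()`. This is an added example, not code from the original posts; the sample password and the function names are constructed, and the type declarations need PHP 7 or later.

```php
<?php
// Added illustration; the password and function names are constructed.
$password = 'correct horse battery staple';

// Scheme from the question: the browser posts md5(password) and the server
// compares it with the MD5 it has on file.
$storedMd5 = md5($password);
function login_client_md5(string $postedMd5, string $storedMd5): bool
{
    return hash_equals($storedMd5, $postedMd5);
}

// Scheme from the answer: the browser posts the password over TLS and the
// server keeps only a salted, slow hash.
$storedHash = password_hash($password, PASSWORD_DEFAULT);
function login_server_hash(string $postedPassword, string $storedHash): bool
{
    return password_verify($postedPassword, $storedHash);
}

// 1. With client-side MD5 the posted hash *is* the credential: the value
//    seen on the wire (or read from the table) is accepted as-is.
$seenOnWire = md5($password);
var_dump(login_client_md5($seenOnWire, $storedMd5));

// 2. With password_hash() the stored string is not accepted as a login;
//    only the password itself verifies.
var_dump(login_server_hash($storedHash, $storedHash));
var_dump(login_server_hash($password, $storedHash));

// 3. MD5 is unsalted, so equal passwords always give equal hashes;
//    password_hash() picks a random salt on every call.
var_dump(md5($password) === $storedMd5);
var_dump(password_hash($password, PASSWORD_DEFAULT) === $storedHash);
```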
I want the page 'encryptionmachine1.php' to run a query against a database to ensure that the inputted password is correct. To keep things safe, I first want the page to encrypt the password that is inputted and then check against the database field 'EncryptedPasswords' to see if it exists. At the moment when I input a correct password (number1) only the message 'pwd does not exists' displays. I am also using the md5() function to encrypt the passwords. Any help? Thanks Dan
<?php
if(isset($_POST['submit'])){
$str=$_POST['pwd'];
md5($str);
$dblink=mysql_connect("localhost","Dan");
mysql_select_db("Dan");
$rs=mysql_query("SELECT * FROM passwords WHERE EncryptedPassword='".$str."'");
if($row = mysql_fetch_assoc($rs)){
$dbPassword=$row['EncryptedPassword'];
echo "password exists";
header('Location:http://localhost/encryptionmachine2.php?pwd='.$str);//http://194.36.155.250/POO12104368/encryptionmachine2.php
}else{
echo"pwd does not exist";
}
}
?>
<html>
<head>
<title>EncryptionMachine1</title>
</head>
<body>
<form name="myForm" action="#" method="POST">
<p>Pwd:<input type="text" name="pwd"></p>
<input type="submit" value="Submit" name="submit">
</form>
</body>
</html>
There's a lot of things that need to be changed with your code to be secure. The most pressing two are:
You want to hash passwords, not encrypt them.
Furthermore, you want to use a password hashing function rather than a general-purpose hash function like MD5 (which is also insecure).
You want to use prepared statements.
This necessarily means stop using mysql_query() and mysql_fetch_assoc() in favor of PDO or mysqli.
I highly recommend starting with A Gentle Introduction to Application Security. It can seem like a lot, but I promise you this is manageable and you can do it.
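The two changes this answer asks for, a password hashing function and prepared statements through PDO, in one added example (not code from the original posts). The `users` table, its columns and the account name are constructed, and an in-memory SQLite database (the `pdo_sqlite` extension) is assumed so that it runs without a database server.

```php
<?php
// Added example. Table, column and account names are constructed; assumes the
// pdo_sqlite extension so it runs without a database server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');

function register_user(PDO $pdo, string $username, string $password): void
{
    // Placeholders keep the values out of the SQL text entirely.
    $stmt = $pdo->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

function check_login(PDO $pdo, string $username, string $password): bool
{
    // A salted hash differs on every call, so the row cannot be found with
    // "WHERE pw_hash = ...". Fetch the hash by username, then verify it.
    $stmt = $pdo->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    // Upgrade the stored hash when PHP's default algorithm or cost changes.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET pw_hash = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return true;
}

// The apostrophe in the username is bound as data, not parsed as SQL.
register_user($pdo, "o'brien", 'number1');
var_dump(check_login($pdo, "o'brien", 'number1'));   // correct password
var_dump(check_login($pdo, "o'brien", 'number2'));   // wrong password
var_dump(check_login($pdo, 'nobody', 'number1'));    // unknown account
```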
I have a small login form, I will send the name and password via GET, but I don't want to put the password in a url in plain text. Can I Md5 it after pressing submit button, but before sending it via GET?
You should not use md5 for hashing passwords.
If you want to learn to hash your user password safely then have a good read of How do you use bcrypt for hashing passwords in PHP? and Secure hash and salt for PHP passwords.
I will send the name and password via GET
Never use GET for logging in; yes, it shows in the URL, but it also shows the GET parameters in the server request log.
I just want to hide the characters from people around the user computer.
Using the form input type type="password" will solve that issue. But there is also the issue of Man-In-The-Middle attacks, where an attacker can inject themselves into the packet routing mechanism and capture & record then re-route every packet between hops, capturing POST, GET etc. parameters. So you should at least use SSL to encrypt the connection packets between point A and point B if you're serious about securing your users/site from an easy hack.
But to answer your question, here is what you asked(ish) o_O. You need to use JavaScript to process the form before it's POSTed, but it obviously won't work if JavaScript is off:
<?php echo '<pre>'.print_r($_POST,true).'</pre>';?>
<script type="text/javascript"
src="http://github.com/kvz/phpjs/raw/master/functions/xml/utf8_encode.js"></script>
<script type="text/javascript"
src="http://github.com/kvz/phpjs/raw/master/functions/strings/md5.js"></script>
<script type="text/javascript">
<!--
function pwd_handler(form)
{
if (form.password.value != '')
{
form.md5password.value = md5(form.password.value);
form.password.value = '';
}
}
//-->
</script>
<form action="" method="post" onsubmit="pwd_handler(this);">
<input type="text" name="username" />
<input type="password" name="password" />
<input type="hidden" name="md5password" value="" />
<input type="submit" value="Log in" />
</form>
Title may be a little misleading but I'll try to explain here.
Basically, when I put my website in 'offline mode' I have a section where admins can log in with a password. (They are not logging in with their accounts) The password is 'password' for this example. When a user types in the correct password, it should redirect them to the webpage, however it isn't, it's just echoing 'Incorrect password' - when it is in fact correct.
The code is made up by me, as you can probably tell. I expected this not to work because I'm still in the very early stages of learning PHP
HTML:
<div class="backdroplogin">
<h2>Login to your account:</h2>
<form action="/Offline" method="GET">
<input type ="password" name="password_login" size="25" Value="" />
<input type="submit" name="login" value="Login" />
</form>
</div>
PHP:
//ADMIN LOGIN
$password = "AbCd0987connekt£*^%";
if (isset($_GET["password_login"])) {
$password_login = $_GET["password_login"];
if ($password_login == $password) {
header("Location:/Admin/Panel");
} else {
echo "Incorrect password";
}
}
Thanks for any help.
Like Svetlio said.. It is a bad habit to send passwords using the get method. So instead use method="post" in your html form and $_POST["password_login"] in your php.
In your text you say you use "password" as the password for this tool, while in your php you check if the sent password is equal to "AbCd0987connekt£*^%", so if you put in your password you should use "AbCd0987connekt£*^%"... or did you mean you use "$password"?
Just another tip: for readability of your code try to indent :)
You could verify that the password is correct and put a flag into a session variable. Then on the admin page do a check to see if that session flag is correct to access.
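session_start(); // the session must be started before $_SESSION is read
if (isset($_SESSION['IsAdmin']) && $_SESSION['IsAdmin'] === true) {
//load/redirect to page
} else {
die("You aren't an admin.");
}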
Also, like others said - don't use GET for passwords, and definitely don't pass them as plaintext.
I agree with comment. But just to answer your question:
Everything is working all right in your script, but I think you have a confusion when you say "The password is 'password' for this example"; instead the password is exactly: AbCd0987connekt£*^% as you wrote it in your code. I copied your code in my platform (changed action) and it's working as you want.
I am using secureImage which is a simple way to implement captcha,
I followed the guideline there to add the code; however, the check is always invalid even when I have input the correct value
It is the website of that plugin, within ten lines of code:
And this is my code:
in html form
<img id="captcha" src="http://www.phpcaptcha.org/securimage3/securimage_show.php?0.6905195268336684" alt="CAPTCHA Image">
<input type="text" class="required" name="captcha_code" size="10" maxlength="6">
in verification php
include_once '../plugin/securimage/securimage.php';
$securimage = new Securimage();
if ($securimage->check($_POST['captcha_code']) == false) {
die ("<div class='alert alert-success'><strong>The security code entered was incorrect.</strong><br /><br />Please go <a href='javascript:history.go(-1)'>back</a> and try again.</div>");
}
I have checked the post value, and it is exactly what I have inputted. I would like to know which data the plugin used to compare with my input; however, I cannot do this by echoing $secureimage
Thank you
To compare the randomly generated image with the code entered by a user a valid session is required. Please check this quick start guide and read the section about putting session_start() on top of your PHP script.
If you are too lazy to code, maybe you can try at http://www.google.com/recaptcha. It's widely used, I think it is better than the secureimage. You can get a php implementation at this site. I am sorry if I don't answer your questions directly, this was because mr.GolezTrol suggested to not to use it.
We have script http://site.com/ourscript.php
How to add something like "enter password" block on that page?
Just some simple, maybe popup.
Like, we open the page in browser, we should type password, if it's ok - function will run.
It has to be done only inside requested php file, .htaccess should not be used.
Thanks.
This is about as simple as it gets:
<html>
<body>
<?php if (isset($_POST['secret']) && $_POST['secret'] == "lolsecurity") { ?>
<h1>Secret Page!</h1>
<p>This type of password-protection is completely open to packet sniffing.</p>
<?php } else { ?>
<form method="POST">
<p>Enter Password:</p>
<input type="password" name="secret">
<input type="submit" value="Submit">
</form>
<?php } ?>
</body>
</html>
Here's a tutorial for a basic authentication system. I'm sure if you spend two minutes googling, you'll find about a million pre-made, ready-to-go PHP login systems.
If you want to create your own, authenticating a user generally requires the following:
First set up a users table in your database where you store valid usernames and their passwords (as well as any other pertinent user information). Passwords should not be stored in plain text, but should generally be salted and hashed.
Add a login form to your application. When a user successfully logs in (which you can determine by taking the given password, salting and hashing it as above, and comparing it to the value in the database), use cookies or session to keep track of a login token.
On each page requiring authentication, the login token should be verified. If an invalid login token or no login token is given, redirect to the login form.
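The single-file password page from the answer above, extended with the session flag and the login-token steps just listed. This is an added example, not code from the original posts: the passphrase and the function names are constructed, the hash is generated at run time only as a stand-in for a stored value, and the page is assumed to be served over HTTPS.

```php
<?php
// Added example; names and the passphrase are constructed. Assumes the page is
// served over HTTPS, as the 'secure' cookie flag requires.
session_start([
    'cookie_httponly' => true,
    'cookie_secure'   => true,
    'cookie_samesite' => 'Strict',   // PHP 7.3+
]);

// Stand-in for a stored value: in practice run password_hash() once and keep
// only its output in configuration, never the passphrase itself.
$storedHash = password_hash('constructed demo passphrase', PASSWORD_DEFAULT);

function try_login(string $submitted, string $storedHash): bool
{
    if (!password_verify($submitted, $storedHash)) {
        return false;
    }
    session_regenerate_id(true);      // new session id once privileges change
    $_SESSION['IsAdmin'] = true;      // the flag protected pages check
    return true;
}

function is_admin(): bool
{
    return isset($_SESSION['IsAdmin']) && $_SESSION['IsAdmin'] === true;
}

$failed = false;
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST' && !is_admin()) {
    $secret = $_POST['secret'] ?? '';
    $failed = !try_login(is_string($secret) ? $secret : '', $storedHash);
}
?>
<html>
<body>
<?php if (is_admin()) { ?>
<h1>Secret Page!</h1>
<?php } else { ?>
<?php if ($failed) { ?><p>Incorrect password.</p><?php } ?>
<form method="POST">
<p>Enter Password:</p>
<input type="password" name="secret">
<input type="submit" value="Submit">
</form>
<?php } ?>
</body>
</html>
```

Other protected pages only need the same `session_start()` call and the `is_admin()` check, redirecting to this form when it returns false.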