MadDogSh

You don't at the moment user types it in, you do it afterwards, either at point of control whether the password or md5 representation of it is identical with md5-ed password already stored in user table in database or at the point of insertion of that password into database record. Use input field of type password, md5 input, store it md5-ed into database. At next login, compare md5-ed users input with already md5-ed password stored in users record. Simple, isn't it? You can, of course use SHA1() too. If you're using MySQL as database server, use MySQL function password() which gives you 12 character representation of string entered as password. This raises a question: What happens if you have HTML login without any php code and you pass input via POST method into an php script where you perform autorization? I.e. what happens with entered password that comes into php script non-encripted? Example: - in HTML, say login.html: <input name="passw" type="password" /> - user's input is visible as ******, but still it's very readable string -HTML form is defined: <FORM name="form" method="POST" action="verify.php"> in verify.php: $pass_entered = md5('$_POST[passw]'); At that moment input is being encrypted, but what was going on with this input while browser invoked and opened "verify.php", variables made throuhg POST method in HTML should have been passed in some way, although no verify.php?passw weren't used? Isn't there some kind of security leak where unauthorized person can catch password user entered? Sorry for lenght of that post? That's something taht's on my mind for some time... Thanks for understanding.