giraffemedia Posted August 21, 2008 Share Posted August 21, 2008 Hi guys i've got a form that gets validated by php and i'm thinking of sending a username and password via the URL to a processing script that the user never sees, which, if successful takes the user to a home page. Is it a security issue if I do this when the page only gets used on the server, or should I encrypt the password, or do it all differently altogether? Regards James Link to comment https://forums.phpfreaks.com/topic/120686-sending-password-via-url-security-issue/ Share on other sites More sharing options...
Fadion Posted August 21, 2008 Share Posted August 21, 2008 Im guessing the login request is sent to a php script via ajax. Even if you would use post without ssl encryption, the data would be vulnerable, so it's just a matter of choice. If you have hashed your passwords in the db (md5 or sha1) then use the same hashing technique for sending the password via get. Even though, from my point of view I don't see this as a security problem. Link to comment https://forums.phpfreaks.com/topic/120686-sending-password-via-url-security-issue/#findComment-621879 Share on other sites More sharing options...
giraffemedia Posted August 21, 2008 Author Share Posted August 21, 2008 Hi Guilty Gear, i'm not sure about the ajax bit (I don't really understand what it is/does). I have a form on login.php that has two fields called login and password and a hidden field called process. At the top of the page I have this to validate the inputs. The problem is, for some reason having this at the top of the page is stopping the field values from being sent in the form itself so I was thinking of sending the variables via the URL. <? include ('../config.php'); if ($_POST['process'] == 'yes') { $login = $_POST['login']; $password = $_POST['password']; if (!empty($login) && !empty($password)) { header( "location: ../library/login_exec.php"); } $login_empty = "* Please enter your Login Name *"; $password_empty = "* Please enter your Password *"; $login_name = $_POST['login']; $loginclass = "errortext"; } ?> Regards James Link to comment https://forums.phpfreaks.com/topic/120686-sending-password-via-url-security-issue/#findComment-621883 Share on other sites More sharing options...
adam291086 Posted August 21, 2008 Share Posted August 21, 2008 well you are using post and not get. Which is indicating your not using the url to pass information. If you use post the user will never see the password. Therefore if someone is screen watching they will never get an idea of the password If you use the URL and encrypt the password what is stopping someone else copying the url from that users and pasting it into there own browser. If they do then they will get access. Therefore look into the $_POST method If you post all the code of the form page and the process page exluding any passowords then we can help Link to comment https://forums.phpfreaks.com/topic/120686-sending-password-via-url-security-issue/#findComment-621887 Share on other sites More sharing options...
giraffemedia Posted August 21, 2008 Author Share Posted August 21, 2008 well you are using post and not get. Which is indicating your not using the url to pass information. I was already using $_POST adam, I was just thinking of using the URL method of passing the information to the login process page. Here is the complete page... <?php include ('../config.php'); if ($_POST['process'] == 'yes') { $login = $_POST['login']; $password = $_POST['password']; if (!empty($login) && !empty($password)) { header( "location: ../library/login_exec.php"); } $login_empty = "* Please enter your Login Name *"; $password_empty = "* Please enter your Password *"; $login_name = $_POST['login']; $loginclass = "errortext"; } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /> <title>Customer Management - Please Log In</title> <link rel="stylesheet" type="text/css" href="database.css"/> <style> .errortext { width:920px; display:block; text-align:center; font-family: Arial, Helvetica, sans-serif; font-size: 14px; color:#C00000; font-weight: bold; } </style> <link rel="icon" href="favicon.ico" type="image/x-icon"/> <script language="JavaScript" type="text/javascript"> function checkForm() { var clogin, cpassword; with(window.document.loginForm) { clogin = login; cpassword = password; } if(trim(clogin.value) == '') { alert('Please enter your Login Name'); clogin.focus(); return false; } else if(trim(cpassword.value) == '') { alert('Please enter your Password'); cpassword.focus(); return false; } else { clogin.value = trim(clogin.value); cpassword.value = trim(cpassword.value); return true; } } /* Strip whitespace from the beginning and end of a string Input : a string */ function trim(str) { return str.replace(/^\s+|\s+$/g,''); } /* Check if a string is in valid email format. Returns true if valid, false otherwise. */ </script> </head> <body> <div id="wrapper"> <div id="header"></div> <div id="main_nav"></div> <div id="main_content"> <h1>Customer Management</h1> <form id="loginForm" name="loginForm" method="post" action=""> <? if (empty($login)) { print '<span class="errortext">'. $login_empty."</span><br>\n"; } ?> <table width="100%" border="0" cellpadding="0" cellspacing="10"> <tr> <td width="40%" align="right" valign="top"> <b>Login Name:</b> </td> <td width="188" align="left" valign="top"> <input name="login" type="text" class="textfield" id="login" value="<? echo $login_name; ?>"/> </td> </tr> </table> <? if (empty($password)) { print '<span class="errortext">'. $password_empty."</span><br>\n"; } ?> <table width="920" border="0" cellpadding="2" cellspacing="10"> <tr> <td width="40%" align="right" valign="top"> <b>Password:</b> </td> <td align="left" valign="top"> <input name="password" type="password" class="textfield" id="password" /> </td> </tr> <tr> <td align="right" valign="top"> </td> <td align="left" valign="top"> </td> </tr> <tr> <td width="40%"> </td> <td align="left" valign="top"> <input type="submit" name="Submit" value="Login" onclick="return checkForm();" /> <input type="hidden" name="process" value="yes" /> </td> </tr> </table> </form> </div> <div id="footer"><?php echo SITE_VERSION; ?></div> </div> </body> </html> I'm using js to check the form as well, but I want to get the php side of things right in case the user has js turned off. Regards James Link to comment https://forums.phpfreaks.com/topic/120686-sending-password-via-url-security-issue/#findComment-621890 Share on other sites More sharing options...
adam291086 Posted August 21, 2008 Share Posted August 21, 2008 well you are setting variables with the error messages and then redirecting. This causes the variables to be lost. Therefore set a session with the error messages and then in your html echo that error message out. If its presnt it will be seen otherwise it will be blank Link to comment https://forums.phpfreaks.com/topic/120686-sending-password-via-url-security-issue/#findComment-621892 Share on other sites More sharing options...
giraffemedia Posted August 21, 2008 Author Share Posted August 21, 2008 well you are setting variables with the error messages and then redirecting. This causes the variables to be lost. Therefore set a session with the error messages and then in your html echo that error message out. If its presnt it will be seen otherwise it will be blank Can you elaborate Adam, i'm not quite sure what you mean that i'm setting variables with the error messages. James Link to comment https://forums.phpfreaks.com/topic/120686-sending-password-via-url-security-issue/#findComment-621896 Share on other sites More sharing options...
MasterACE14 Posted August 21, 2008 Share Posted August 21, 2008 you shouldn't really send a password via the URL at all. Link to comment https://forums.phpfreaks.com/topic/120686-sending-password-via-url-security-issue/#findComment-621903 Share on other sites More sharing options...
giraffemedia Posted August 21, 2008 Author Share Posted August 21, 2008 you shouldn't really send a password via the URL at all. Any ideas on how to restructure my page to get it sorted by using the $_POST method guys? James Link to comment https://forums.phpfreaks.com/topic/120686-sending-password-via-url-security-issue/#findComment-621946 Share on other sites More sharing options...
adam291086 Posted August 21, 2008 Share Posted August 21, 2008 your page is set up to use POST. What errors are you getting? Link to comment https://forums.phpfreaks.com/topic/120686-sending-password-via-url-security-issue/#findComment-621947 Share on other sites More sharing options...
giraffemedia Posted August 21, 2008 Author Share Posted August 21, 2008 I'm getting this on the login execution page. Notice: Undefined index: login in /Applications/MAMP/htdocs/database/_database_files/library/login_exec.php on line 3 Notice: Undefined index: password in /Applications/MAMP/htdocs/database/database_files/library/login_exec.php on line 5 Link to comment https://forums.phpfreaks.com/topic/120686-sending-password-via-url-security-issue/#findComment-621958 Share on other sites More sharing options...
Fadion Posted August 21, 2008 Share Posted August 21, 2008 That's just a notice which tells that the 'login' and 'password' indexes of POST haven't been set yet. You may use: <?php if(isset($_POST['login'])){ //check if any of the post variables exists, meaning that the form is submitted //the rest of the login validation code } ?> I can see you have a hidden input "process". If it's aim is just to understand if the form has been submitted, then there's no need for it as the above snippet will do it. Link to comment https://forums.phpfreaks.com/topic/120686-sending-password-via-url-security-issue/#findComment-622007 Share on other sites More sharing options...
giraffemedia Posted August 21, 2008 Author Share Posted August 21, 2008 That still gives me the same problem GuiltyGear. Not sure what is stopping this working!!!! Link to comment https://forums.phpfreaks.com/topic/120686-sending-password-via-url-security-issue/#findComment-622016 Share on other sites More sharing options...
Fadion Posted August 21, 2008 Share Posted August 21, 2008 Ohh i didn't notice the errors (notices) were happening on the "login_exec.php". Actually this line of your code doesn't make sense: header("location: ../library/login_exec.php"); You cant just redirect and take for granted that the script will process the form. There are actually two ways to achieve that, one is validating the form in the same script, the other is send the post information to another script using the "action" attribute of the form. For the second: <form id="form" name="form" method="post" action="../library/login_exec.php"> In the "login_exec" script you must write all the validation code. Hope this clears it out. Link to comment https://forums.phpfreaks.com/topic/120686-sending-password-via-url-security-issue/#findComment-622036 Share on other sites More sharing options...
giraffemedia Posted August 21, 2008 Author Share Posted August 21, 2008 You cant just redirect and take for granted that the script will process the form. There are actually two ways to achieve that, one is validating the form in the same script, the other is send the post information to another script using the "action" attribute of the form. If that's the case would it be better to echo the entire form in an isset statement so that all the data get's sent as it would normally without php? Link to comment https://forums.phpfreaks.com/topic/120686-sending-password-via-url-security-issue/#findComment-622041 Share on other sites More sharing options...
Fadion Posted August 21, 2008 Share Posted August 21, 2008 You mean to hide the form if it is submitted? Something like: <?php if(!isset($_POST['login'])){ //show the form } ?> If you are going to redirect the user to the processing script, there's no reason to use the above. I would suggest having the form processing script in the same page with the actual form and you would do it as i suggested in a previous post. A real scenario would be: <?php session_start(); if(isset($_POST['login'])){ $user = mysql_real_escape_string($_POST['user']); //clean input $password = sha1($_POST['password']); //hash with sha1() if you are using hashed passwords if($user != '' and $_POST['password'] != ''){ //if none of the fields is empty $_SESSION['login'] = true; //set the session variale header('Location profile.php'); //redirect the user to the profile page (just an example) if the login was successful } else{ $error = 'Please write something'; } } ?> html with forms, inputs and such <?php if(isset($message)){ echo $error; } //display the message ?> Hope this helps. Link to comment https://forums.phpfreaks.com/topic/120686-sending-password-via-url-security-issue/#findComment-622046 Share on other sites More sharing options...
giraffemedia Posted August 21, 2008 Author Share Posted August 21, 2008 That makes sense to me. I think i'll rewrite the pages as one and see where I go from there. Thanks for all your help guys. James Link to comment https://forums.phpfreaks.com/topic/120686-sending-password-via-url-security-issue/#findComment-622059 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.