everurssantosh Posted September 5, 2008 Share Posted September 5, 2008 Hi , I am facing problems in encryting text in PHP. I am having an input form for the user to enter the password and a key for security. I am going to store those in database for future use. My site is SSL enabled too. I want to encrypt the password and store them in database. I will get those varriables to PHP for encryption only after the page is submitted to one more page. My Concern is "To transmit the data through form post varriables from one page to another as plane text." Is it safe to transmit the plane text (password and key) to the other page and then encrypt them and store in the database? I have also tried to encrypt the password in JavaScript and send it across to the other page. But in that page again I need to decrypt and encrypt in PHP and store in database. I am really confused for this issue. Kindly Help..... Thank you. Santosh Quote Link to comment Share on other sites More sharing options...
ranjuvs Posted September 5, 2008 Share Posted September 5, 2008 For posting to another page r u storing the password in the hidden field. If that is the case then it is not secure. Quote Link to comment Share on other sites More sharing options...
everurssantosh Posted September 5, 2008 Author Share Posted September 5, 2008 For posting to another page r u storing the password in the hidden field. If that is the case then it is not secure. Hi I am not storing the password in hidden field. The password will be masked in a Password filed (input type=password) and I am then submiting the form to go to the other page where I will encrypt the text in PHP. Is this secured over SSL... my concern is : is form post varriables are secured in a SSL channel? Thanks Quote Link to comment Share on other sites More sharing options...
ranjuvs Posted September 5, 2008 Share Posted September 5, 2008 yes it is secured Quote Link to comment Share on other sites More sharing options...
everurssantosh Posted September 5, 2008 Author Share Posted September 5, 2008 Cant the hackers access my form values? is this becoz of the SSL?? Quote Link to comment Share on other sites More sharing options...
elmas156 Posted September 5, 2008 Share Posted September 5, 2008 why do you have to pass the information to another page in the form? try doing it this way: <?php if (!isset($_POST['submit'])) { // If the form has not been submitted "Put code for the form here" // Make sure the submit button name is actually "submit" in this case. If you want to change the //name you have to change (!isset($_POST['change_this'])) to equal the name of the submit button. } else { $username = form($_POST['username']); $password = md5($_POST['password']); // This encrypts the password to store in the database. mysql_query("INSERT INTO `users` (username,password) VALUES ('$username','$password')") or die (mysql_error()); // Inserts the user info. header("Location: yournextpage.php"); ?> If you do it this way there's no need to pass the information from one page to the next because everything is done on the same page... just make the form action point to the same page, for example if this page is called signup.php, make the form action="signup.php" Quote Link to comment Share on other sites More sharing options...
everurssantosh Posted September 5, 2008 Author Share Posted September 5, 2008 in both the cases, the page takes one round to the server and data comes from server after getting submitted !!! Well, since it is safe to submit the form and get the data in post, i think i sud go for it... Quote Link to comment Share on other sites More sharing options...
everurssantosh Posted September 5, 2008 Author Share Posted September 5, 2008 Any other suggestion is welcomed !!! Quote Link to comment Share on other sites More sharing options...
kenrbnsn Posted September 5, 2008 Share Posted September 5, 2008 If the form is accessed via https://... then your data is sent encrypted, if not it is sent plain text and could be intercepted. Ken Quote Link to comment Share on other sites More sharing options...
everurssantosh Posted September 5, 2008 Author Share Posted September 5, 2008 If the form is accessed via https://... then your data is sent encrypted, if not it is sent plain text and could be intercepted. Ken Hi Ken, I didnt understand it properly. "if not it is sent plain text and could be intercepted"... is it secured ? is it advisable to send information like password, security numbers thru SSL channel in form post ?? Thank you Santosh Quote Link to comment Share on other sites More sharing options...
discomatt Posted September 5, 2008 Share Posted September 5, 2008 You're using SSL, so any data ( including POST variablesdata ) that is transmitted to and from the user is ENCRYPTED. This doesn't mean the data CAN'T be intercepted, but it will NOT be sent in plain text. The cracker must decrypt any intercepted data, which is not an easy task. Don't forget to flag your cookies as secure as well. There's an option for it in the setcookie() function. Quote Link to comment Share on other sites More sharing options...
Jabop Posted September 5, 2008 Share Posted September 5, 2008 Slightly off topic and not resolving the issue at hand, but don't some sites have their forms on a normal http page and then as soon as it's submitted it gets posted to https? Quote Link to comment Share on other sites More sharing options...
discomatt Posted September 5, 2008 Share Posted September 5, 2008 Not an issue, as long as the 'action' page is https:// When the user clicks submit on the form, the browser collects all the information within that form, and builds a POST query. It then sends a POST request to the action page ( which is secured ) with that POST query in the header. The info never gets transmitted plain text. Quote Link to comment Share on other sites More sharing options...
Jabop Posted September 5, 2008 Share Posted September 5, 2008 Makes sense. Thank you. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.