Javascript variable to $_POST

steveob200653 · March 12, 2012, 11:57pm

Hello,

I have a login form where the user types a password.

I have found out how to has the password in javascript using md5.

I now want to send the hashed password to the server so that it can be compared with a hashed password in the database.

I just can’t find how to do this. All the examples I look at ignore this stage as if it’s obvious. I’m sorry but not to me.

Thanks

Steve

felgall · March 13, 2012, 1:48am

To encrypt the data being sent from the browser to the server you need to have a security certificate attached to the web site. That certificate encrypts all of the information the browser sends using a key that only the specific web site knows how to decrypt.

The server can then apply the hash to the password before comparing it with the stored copy.

This will work even where the person has JavaScript disabled in their browser.

Sending the MD5 hash of the password in plain text doesn’t provide any protection as that hash effectively is the password in that instance and anyone intercepting it would be able to use it to log in just the same as if the plain text version were sent. Only the encryption provided by the security certificate provides the protection from being intercepted.

All the examples ignore the step you are talking about because it doesn’t serve any purpose.

JavaScript can send things to the server using POST by creating and submitting a form - but that doesn’t help with the situation you describe.

Stormrider · March 13, 2012, 11:26am

You should also know that using MD5 to hash a password is pretty much as insecure as storing the password in plain text these days.

Michael_Morris1 · March 13, 2012, 12:14pm

Only if it’s unsalted.

steveob200653 · March 13, 2012, 12:47pm

Thank you both. I will now read up about using a safety certificate.

It is worrying to know that there are a lot of people who think that md5 is the way to go and as such steer others in that direction.

Steve

chris_upjohn · March 13, 2012, 1:22pm

MD5 had been around for so long it’s pretty much thrown at new developers, I myself stick to salt encryption which I have found to be much more unique as far as security is concerned.

As for the SSL certificate there are some rapid SSL websites out there that use well known providers to generate the certificate if you can’t afford around $700-1000 per year.

Sent from my iPhone using Tapatalk