Sinac

Reputation: 11694

How to post the password using ajax and php?

I have a fixed username password and one variable text.

This is the first method, but it's not safe:

<form action="http://site.com/foo.php" method="post">
  <input type="hidden" name="username" value="user123" />
  <input type="hidden" name="password" value="pass123" />
  <input type="text" name="text" />
  <input type="submit" />
</form>

This is the second method. Please complete this:

index.html

<form action="foo.php" method="post">
<input type="text" name="text" />
<input type="submit" />
</form> 

foo.php

$username = "user123";
$password = "pass123";

$text = $_POST["text"];

$url  = "http://site.com/foo.php?text=".$text."&password=".$password."&username=".$username;

How to post $url safely? (without HTTPS)

Upvotes: 1

Views: 2685

Answers (2)

uınbɐɥs

Reputation: 7341

UPDATE:

You can't securely log in without HTTPS.
This is terribly insecure, and doesn't prevent people from logging in if they intercept the hash.
Just use HTTPS.


Use the MD5 function.

e.g.

$url = "http://example.com/foo.php?text=".urlencode($text)."&password=".md5($password)."&username=".urlencode($username);

Then on the receiving site (http://example.com/foo.php?...), check the received password with a hash (MD5) of the actual password.

Example:

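Sending file:

$username = "user123";
$password = "pass123";

$text = $_POST["text"];

$url = "http://example.com/foo.php";
// http_build_query() URL-encodes every value, so "&" or "=" inside $text cannot break the POST body
$data = http_build_query(array(
    "text"     => $text,
    "password" => md5($password),
    "username" => $username,
));

$handle = curl_init($url);
curl_setopt($handle, CURLOPT_POST, true);
curl_setopt($handle, CURLOPT_POSTFIELDS, $data);
// Without CURLOPT_RETURNTRANSFER, curl_exec() prints the response and returns true or false
$result = curl_exec($handle);
curl_close($handle);
if($result) {
    // Success
} else {
    // Failed
}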

Receiving file:

$username = $_POST["username"];
$password = $_POST["password"];

// Insert code here to escape the username with mysqli_real_escape_string,
// then retrieve data from database with MySQLi.

// hash_equals() compares as strings in constant time; == would compare
// hashes that look like "0e..." as numbers and treat them as equal.
if(is_string($password) && hash_equals(md5($db_password), $password)) {
    // Correct password
} else {
    echo 'Incorrect password.';
}
unset($username, $password, $db_password); // For security, remove variables from memory

Upvotes: 1

Ali

Reputation: 22317

There is no safe way without HTTPS.

Because when you send the password, even if you encrypt it, the network relay nodes will get access to it, and they can use it that way.

You can only use MD5 to prevent the password from being observed, but it's still accessible.

But in HTTPS, which is encryption by itself, the password can't be broken because there is a public and private key which is known only to the client and server.

Maybe you can do the login through HTTPS. There is no need to buy a certificate. You can easily issue one yourself and set it up on your host.

Use HTTPS for important business.

Upvotes: 2
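What both answers describe, as an added example that is not code from either answer: the MD5 value sent over plain HTTP is itself the credential, so a captured copy passes the receiver's check, while a sender restricted to certificate-verified HTTPS refuses the plain-HTTP URL. The field values, the `receiver_accepts` and `https_post` helpers, and the certificate path are assumptions made for illustration.

```php
<?php
// Added example; constructed values, not code from either answer.

// Receiver check as in the first answer: posted value vs md5(stored password).
function receiver_accepts(array $post, string $dbPassword): bool
{
    return is_string($post['password'] ?? null)
        && hash_equals(md5($dbPassword), $post['password']);
}

// Body the sending file puts on the wire over plain HTTP.
$body = http_build_query([
    'text' => 'hello', 'username' => 'user123', 'password' => md5('pass123'),
]);

// A relay node sees $body verbatim. It never learns "pass123", but the
// captured fields pass the check with any text it chooses.
parse_str($body, $captured);
$replayed = ['text' => 'rewritten in transit'] + $captured;
echo 'replayed hash accepted: ', var_export(receiver_accepts($replayed, 'pass123'), true), "\n";

// Sender that only transmits the credential over verified HTTPS.
// $caFile (hypothetical path) is the self-issued certificate from the receiver.
function https_post(string $url, array $fields, string $caFile)
{
    if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
        throw new InvalidArgumentException('refusing to send credentials over plain HTTP');
    }
    $handle = curl_init($url);
    curl_setopt_array($handle, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // no downgrade to http://
        CURLOPT_SSL_VERIFYPEER => true,            // certificate must chain to $caFile
        CURLOPT_SSL_VERIFYHOST => 2,               // and match the host name
        CURLOPT_CAINFO         => $caFile,
    ]);
    return curl_exec($handle); // response body, or false on TLS/transport failure
}

// Offline check: the plain-HTTP URL from the question is rejected before any request.
try {
    https_post('http://site.com/foo.php', ['text' => 'hello'], '/path/to/receiver-cert.pem');
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), "\n";
}
```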
