input type=password question

I've got a simple registration script that has an input field of type
password. When I retrieve what is typed in the password field via:

$_REQUEST["password"];

I always get the same encoded string: 8f404d5399b6eb816fe579381a0e2e6c

First, does PHP automatically encrypt the password type fields and if
so what method does it use and can I disable it?

and second, is that the correct way to get the password from a simple
form or is there a better way of doing it?

Thanks, Greg

An noise sounding like Greg Scharlemann said:[color=blue]
> I've got a simple registration script that has an input field of type
> password. When I retrieve what is typed in the password field via:
>
> $_REQUEST["password"];
>
> I always get the same encoded string: 8f404d5399b6eb816fe579381a0e2e6c
>[/color]
You should be getting a plain text string of whatever the user typed in. It is
up to you then to encode/encrypt that some way when storing it.

[color=blue]
> and second, is that the correct way to get the password from a simple
> form or is there a better way of doing it?
>[/color]
$_REQUEST is fine. Although if your form is using method="POST" you might
consider using $_POST instead.

db
--

/(bb|[^b]{2})/
Trees with square roots don't have very natural logs.

Greg Scharlemann wrote:[color=blue]
>
> I always get the same encoded string: 8f404d5399b6eb816fe579381a0e2e6c[/color]

Looks like an md5 hash.
[color=blue]
> First, does PHP automatically encrypt the password type fields[/color]

No.
[color=blue]
> and second, is that the correct way to get the password from a simple
> form or is there a better way of doing it?[/color]

The method is fine, but I can't tell why you get an md5 hash instead of
the plain password that was specified.

HTH.
Peter.
--
http://www.phpforums.nl

Greg Scharlemann wrote:
[color=blue]
> I've got a simple registration script that has an input field of type
> password. When I retrieve what is typed in the password field via:
>
> $_REQUEST["password"];
>
> I always get the same encoded string: 8f404d5399b6eb816fe579381a0e2e6c
>
> First, does PHP automatically encrypt the password type fields and if
> so what method does it use and can I disable it?
>
> and second, is that the correct way to get the password from a simple
> form or is there a better way of doing it?[/color]

The password field isn't encrypted by the client before being sent to
the server, it's just a method of hiding what is typed to other people
who may also be watching the same screen as the person who's typing it
in.

What happens if you output the following variables?
$_GET["password"]
$_POST["password"]
$_COOKIE["password"]

--
Kim André Akerø
- kimandre@NOSPAMbetadome.com
(remove NOSPAM to contact me directly)

Peter van Schie wrote:[color=blue]
> Greg Scharlemann wrote:[color=green]
> >
> > I always get the same encoded string: 8f404d5399b6eb816fe579381a0e2e6c[/color]
>
> Looks like an md5 hash.
>[color=green]
> > First, does PHP automatically encrypt the password type fields[/color]
>
> No.
>[/color]

Could this be a setting on the server perhaps?

Here's a simple script that I tried and it still encrypts the password
everytime to the same string: you can try it here:
http://devel.dailyunrest.com/test.php
--------------------------------------------------------
<?php

$register = $_REQUEST['Register'];

$valid = false;
if($register == "Register") {
$password = $_REQUEST['password'];
print $password;
}
?>
<html>
<body>
<form action="test.php" method="post">
<table width="50%" cellspacing="1" cellpadding="1" border="0">
<tr>
<td><b>Password:</b></td>
<td><input type="password" name="password" size="35"></td>
</tr>
<tr>
<td><b>Confirm Password:</b></td>
<td><input type="password" name="confirmPassword" size="35"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td><input type="submit" name="Register" value="Register" /></td>
</table>
</form>
</body>
</html>
-----------------------------------------------------

>[color=blue]
> What happens if you output the following variables?
> $_GET["password"]
> $_POST["password"]
> $_COOKIE["password"]
>[/color]

Looks like it's from a cookie... if I'm not using cookie's how does
that work?

Greg Scharlemann said the following on 11/11/2005 16:01:[color=blue]
> Peter van Schie wrote:
>[color=green]
>>Greg Scharlemann wrote:
>>[color=darkred]
>>>I always get the same encoded string: 8f404d5399b6eb816fe579381a0e2e6c[/color]
>>
>>Looks like an md5 hash.
>>
>>[color=darkred]
>>>First, does PHP automatically encrypt the password type fields[/color]
>>
>>No.[/color]
>
> Could this be a setting on the server perhaps?
>
> Here's a simple script that I tried and it still encrypts the password
> everytime to the same string: you can try it here:
> http://devel.dailyunrest.com/test.php[/color]

It worked fine when I tried it...

--
Oli

Greg Scharlemann said the following on 11/11/2005 16:05:[color=blue][color=green]
>>What happens if you output the following variables?
>>$_GET["password"]
>>$_POST["password"]
>>$_COOKIE["password"]
>>[/color]
>
>
> Looks like it's from a cookie... if I'm not using cookie's how does
> that work?
>[/color]

I bet you have a cookie called "password" set in your browser for this
domain. Check it in your browser and see.

By default, in $_REQUEST, cookie variables override POST variables,
which override GET variables.

For this reason, it's generally safer to use $_GET, $_POST and $_COOKIE
explicitly.

--
Oli

Sweet. Thanks all for your help, now on to the next thing...

Greg