Slovo, 2015-09-22 13:26:51

Passing a password in plain text from a form input type password?

Dear colleagues, IT specialists, programmers and just good people, welcome!
I have read a lot of questions and answers on Toster. And now the moment has come when a question of my own has matured, to which I would like to hear your answer / opinion.
For example, I found an authorization script on a site; I think it's a fairly common design in PHP:

<?php
# Function for generating a random string
function generateCode($length=6) {
    $chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPRQSTUVWXYZ0123456789";
    $code = "";
    $clen = strlen($chars) - 1;
    while (strlen($code) < $length) {
        $code .= $chars[mt_rand(0,$clen)];
    }
    return $code;
}

# If there is a cookie with an error, read it into a variable and delete the cookie
if (isset($_COOKIE['errors'])) {
    $errors = $_COOKIE['errors'];
    setcookie('errors', '', time() - 60*24*30*12, '/');
}
if (isset($_POST['submit'])) {
    # Fetch the DB record whose login equals the one entered
    $names = mysql_fetch_assoc(mysql_query("SELECT id, name, password FROM `users` WHERE `name`='".mysql_real_escape_string($_POST['name'])."' LIMIT 1"));
    # Compare the passwords
    if ($names['password'] === md5(md5($_POST['password']))) {
        # Generate a random string and hash it with MD5
        $hash = md5(generateCode(10));
        # Store the new authorization hash in the DB
        mysql_query("UPDATE users SET hash='".$hash."' WHERE id='".$names['id']."'") or die("MySQL Error: " . mysql_error());

        # Set the cookies
        setcookie("id", $names['id'], time()+60*60*24*30);
        setcookie("hash", $hash, time()+60*60*24*30);
        # Redirect the browser to the page that checks our script
        header("Location: admin.php"); exit();
    } else {
        print "Вы ввели неправильный логин/пароль<br>";
    }
}
?>
  <form method="POST">
  Логин <input name="name" type="text"><br><br>
  Пароль <input name="password" type="password"><br><br>
  <input name="submit" type="submit" value="Войти">
  </form>

<?php
# Check whether the cookies contained an error number
# ($error, the array of messages keyed by error number, is not defined in this snippet)
if (isset($errors)) { print '<h4>'.$error[$errors].'</h4>'; }
?>

Attention, the question: in the form, we send the password in CLEAR form, and all manipulations with it in terms of verification and encryption take place AFTER this data has been transferred to the server... I.e. an attacker can intercept it. Is everything correct in the code? Well, that is natural here, if it's not an HTTPS connection. And how do you like the script itself, is it usable?
Or point out where it's wrong. Well, as they say, don't kick me too hard. Thanks in advance.


2 answer(s)
Puma Thailand, 2015-09-22
@opium

Yes, if you don't want to use HTTPS, if you want, you can use it if you don't want 10 lines of code there.

Dmitry Kovalsky, 2015-09-22
@dmitryKovalskiy

Yes, without https you can catch the password in the clear. This morning I saw a site that offered to fill in payment data without https. And the code? I don’t know. Maybe in PHP textbooks they teach you to put PHP, SQL, and html into one file, but I’m stupidly indignant at seeing this.
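
A hardened take on the login handler from the question, added here as an example (it is not the asker's code and was not posted in the thread). It assumes PHP 7.3+ with the PDO SQLite driver; the `password_hash` and `session_hash` columns, the function names and the sample user are hypothetical.

```php
<?php
declare(strict_types=1);

// Treat the request as encrypted only if the web server marked it as HTTPS.
function isHttps(array $server): bool {
    return !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
}

// Returns a fresh session token on success, null on any failure.
function login(PDO $db, array $server, string $name, string $password): ?string {
    // A password that arrived over plain HTTP has already crossed the network
    // unencrypted: reject the request instead of treating it as a valid login.
    if (!isHttps($server)) {
        return null;
    }
    // Prepared statement instead of building the SQL string by concatenation.
    $st = $db->prepare('SELECT id, password_hash FROM users WHERE name = ? LIMIT 1');
    $st->execute([$name]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    // password_verify() checks the salted hash produced by password_hash().
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    // Session token from the CSPRNG; only its SHA-256 digest is stored.
    $token = bin2hex(random_bytes(32));
    $db->prepare('UPDATE users SET session_hash = ? WHERE id = ?')
       ->execute([hash('sha256', $token), $row['id']]);
    return $token;
}

// The cookie is never sent over HTTP and is not readable from JavaScript.
function sendSessionCookie(string $token): bool {
    return setcookie('hash', $token, ['expires' => time() + 60 * 60 * 24 * 30,
        'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

// Demo with constructed data: in-memory SQLite database and one sample user.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE,
           password_hash TEXT, session_hash TEXT)');
$db->prepare('INSERT INTO users (name, password_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(login($db, ['HTTPS' => 'on'], 'alice', 'correct horse') !== null); // valid login over HTTPS
var_dump(login($db, [], 'alice', 'correct horse'));                          // same credentials over plain HTTP
var_dump(login($db, ['HTTPS' => 'on'], 'alice', 'wrong'));                   // wrong password over HTTPS
```

The server-side check only detects that a password was submitted over HTTP; keeping it off the wire in clear text requires serving the form itself over HTTPS.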
