I have a page with PHP and HTML. The PHP section contains an input-type="password"

I want to put the value of the password fields inside a hidden-input on the HTML side of the page (in a form)...

<?php
INPUT PASSWORD
?>

<HTML>
<form with password inputs>
</HTML>

How can I do this? I can't put the password inside the form directly because of several reasons. It MUST stay in the PHP!

Thanks

UPDATE: I meant put the password value inside a password field in the form! I want to submit this with the rest of the values in that form, that's the reason... Is this also dangerous and not good?

UPDATE2:

I have a main form. After submit, a PHP page opens up containing all data. I put these data inside hidden inputs on that page. This is because the user has to verify all data is correct, and also choose a password! Now, the password input field is created with PHP, so I need to get that field submitted also, with the second 'approvalForm' containing all data!

+1  A: 

Don't do it. It's dangerous to put sensitive data into HTML code, where it is cached and whatnot.

It's probably not possible to access a password field's value anyway (I have never tried it). And if it is, you can't rely on it.

If you need to keep form values until some steps have been completed, store them in a PHP Session.

Basic info on session handling: http://www.php.net/manual/en/book.session.php

Pekka
read update plz
Camran
I don't understand what you're doing, in the end there is only one form, not a PHP and HTML part. Can you explain in more detail?
Pekka
@camran, the value of the password field is already being submitted when the user submits the form; or at least should be...
matt b
+4  A: 

You really, really should not do that. Putting it in the hidden input field makes it freely readable for everyone that can open the page; even if your session would time out, the password would still be retrievable in the page's source. Scenario: user presses logout, next user comes along, presses back, views source and tada, password for grabs.

Peter
True, but if the php page is just reading the post, the post may not be saved in the history. The issue is that it should be hashed to safeguard it.
Cryophallion
A: 

Maybe I don't fully understand, but hidden fields within a form are not really hidden... they are still visible with a "view source". Do not place your clear text passwords in your HTML.

Are your passwords stored in an encrypted format? If so, encrypting your password and placing it in your hidden field in that manner may be acceptable if your workflow absolutely requires it.

Wes
A: 

Hash it.

At the top of the page, you parse all the $_POST values. When you are parsing the password value, convert it to a hash (sha1, or better ones with hash).

This should be what is stored in the db anyway (or else anyone with db access could read the plain text passwords).

This can be safely stored in the hidden field on the page, and just use stars or circles to show that a password was selected.

BTW, I recommend Lynda's php essential training. They have a good video just on dealing with this.

Cryophallion
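The session approach from the first answer combined with the hashing advice from the last one, as an added example that is not code from any poster in this thread. It assumes the password arrives with the first form, uses PHP's built-in password_hash() rather than the sha1 mentioned above, and the field names, the 10-minute expiry and save_user() are hypothetical.

```php
<?php
// Added example: two-step signup that never echoes the password or its hash into HTML.
declare(strict_types=1);
session_start();

function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Hypothetical persistence stub: replace with a prepared-statement INSERT.
function save_user(array $user): void {
    error_log('would store user ' . $user['email']);
}

$step = $_POST['step'] ?? 'form';

if ($step === 'review' && is_string($_POST['email'] ?? null) && is_string($_POST['password'] ?? null)) {
    // Hash immediately and keep everything server-side in the session.
    $_SESSION['pending'] = [
        'email'   => $_POST['email'],
        'pw_hash' => password_hash($_POST['password'], PASSWORD_DEFAULT),
        'token'   => bin2hex(random_bytes(16)),   // one-time value tying the approval to this session
        'expires' => time() + 600,                // assumed 10-minute review window
    ];
    $p = $_SESSION['pending'];
    // Approval form: only non-secret values and the one-time token reach the page source.
    echo '<form method="post"><p>Email: ' . h($p['email']) . '</p>'
       . '<p>Password: ******** (chosen)</p>'
       . '<input type="hidden" name="step" value="confirm">'
       . '<input type="hidden" name="token" value="' . h($p['token']) . '">'
       . '<button>Confirm</button></form>';
} elseif ($step === 'confirm' && isset($_SESSION['pending']) && is_string($_POST['token'] ?? null)) {
    $p = $_SESSION['pending'];
    unset($_SESSION['pending']);                  // single use, even when the check below fails
    if (hash_equals($p['token'], $_POST['token']) && time() <= $p['expires']) {
        save_user(['email' => $p['email'], 'pw_hash' => $p['pw_hash']]);
        echo 'Account created.';
    } else {
        http_response_code(400);
        echo 'Confirmation expired or invalid.';
    }
} else {
    echo '<form method="post"><input type="hidden" name="step" value="review">'
       . '<input type="email" name="email" required>'
       . '<input type="password" name="password" required>'
       . '<button>Continue</button></form>';
}
```

Viewing the source of the approval page, or pressing back after logout, shows only the email and a token that is already spent or expired; login later checks the stored hash with password_verify().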