tags:

views:

876

answers:

4
+2  Q: 

How to use MD5 in javascript to transmit a password

Hi,

I have a jquery dialog modal box pop up for logging into my website. When a user clicks login it does a post request to a login.php file as follows:

$.post(
      'includes/login.php', 
      { user: username, pass: password },
      onLogin, 
      'json' );

How do I do an md5 on that password before putting it in the post request? Also, I have the user's passwords stored in a MySQL database using MD5(), so I would like to just compare the stored version of the password with the MD5 of the password submitted. Thanks to anyone that replies.

A: 

You might want to check out this page: http://pajhome.org.uk/crypt/md5/

However, if protecting the password is important, you should really be using something like SHA256 (MD5 is not cryptographically secure iirc). Even more, you might want to consider using TLS and getting a cert so you can use https.

SapphireSun  2009-12-26 00:23:28
Thanks for the reply, I am using https for my website, but for some reason apache uses encryption when transmitting the page, but after the page has loaded it still uses https, but the page is not encrypted. Do you think it will still encrypt the the login info when it's submitted?
Silmaril89  2009-12-26 01:15:47
I'm not an expert, but you can try packet sniffing a test machine to see if it's encrypted or not.
SapphireSun  2009-12-26 02:16:16
+3  A: 

Here is a jQuery plugin for calculating the MD5 hash of a string:

Then all you have to do is call $.md5(password):

$.post(
  'includes/login.php', 
  { user: username, pass: $.md5(password) },
  onLogin, 
  'json' );
James Skidmore  2009-12-26 00:24:12
A: 

You could check my md5 hashing function implementation, which also works with 4-byte characters.

valums  2010-02-04 12:21:06
+1  A: 

If someone is sniffing your plain-text HTTP traffic (or cache/cookies) for passwords just turning the password into a hash won't help - The hash password can be "replayed" just as well as plain-text. The client would need to hash the password with something somewhat random (like the date and time) See the section on "AUTH CRAM-MD5" here: http://www.fehcom.de/qmail/smtpauth.html

jt  2010-02-09 01:18:42

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases