Hi,

I have a jQuery dialog modal box pop up for logging into my website. When a user clicks login it does a post request to a login.php file as follows:

$.post(
      'includes/login.php', 
      { user: username, pass: password },
      onLogin, 
      'json' );

How do I do an md5 on that password before putting it in the post request? Also, I have the users' passwords stored in a MySQL database using MD5(), so I would like to just compare the stored version of the password with the MD5 of the password submitted. Thanks to anyone that replies.

A: 

You might want to check out this page: http://pajhome.org.uk/crypt/md5/

However, if protecting the password is important, you should really be using something like SHA256 (MD5 is not cryptographically secure iirc). Even more, you might want to consider using TLS and getting a cert so you can use https.

SapphireSun
Thanks for the reply, I am using https for my website, but for some reason Apache uses encryption when transmitting the page, but after the page has loaded it still uses https, but the page is not encrypted. Do you think it will still encrypt the login info when it's submitted?
Silmaril89
I'm not an expert, but you can try packet sniffing a test machine to see if it's encrypted or not.
SapphireSun
+3  A: 

Here is a jQuery plugin for calculating the MD5 hash of a string:

Then all you have to do is call $.md5(password):

$.post(
  'includes/login.php', 
  { user: username, pass: $.md5(password) },
  onLogin, 
  'json' );
James Skidmore
A: 

You could check my md5 hashing function implementation, which also works with 4-byte characters.

valums
+1  A: 

If someone is sniffing your plain-text HTTP traffic (or cache/cookies) for passwords, just turning the password into a hash won't help - the hashed password can be "replayed" just as well as plain text. The client would need to hash the password with something somewhat random (like the date and time). See the section on "AUTH CRAM-MD5" here: http://www.fehcom.de/qmail/smtpauth.html

jt
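
The replay point from the last answer, as an added example that is not code from any poster in this thread: a Node.js sketch comparing a static client-side hash with a server-issued nonce and HMAC response. HMAC-SHA-256 is swapped in for the HMAC-MD5 that CRAM-MD5 uses, and the account, password and function names are constructed for the demonstration.

```javascript
const crypto = require("crypto");

const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");
// Constructed user table: one account, storing a hash of the password.
const users = new Map([["alice", sha256("correct horse")]]);
const pending = new Map(); // user -> nonce issued for the next login attempt

function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Scheme 1: client sends hash(password), server compares with the stored hash.
function staticHashLogin(user, sentHash) {
  return users.has(user) && safeEqual(users.get(user), sentHash);
}

// Scheme 2: server issues a fresh random nonce for each attempt.
function issueChallenge(user) {
  const nonce = crypto.randomBytes(16).toString("hex");
  pending.set(user, nonce);
  return nonce;
}

// Client side: key the HMAC with hash(password), sign the server's nonce.
function clientResponse(password, nonce) {
  return crypto.createHmac("sha256", sha256(password)).update(nonce).digest("hex");
}

// Server side: recompute over the outstanding nonce, then discard the nonce.
function verifyResponse(user, response) {
  const nonce = pending.get(user);
  pending.delete(user); // single use: a second submission has nothing to match
  if (!nonce || !users.has(user)) return false;
  const expected = crypto.createHmac("sha256", users.get(user)).update(nonce).digest("hex");
  return safeEqual(expected, response);
}

function demo() {
  const capturedHash = sha256("correct horse");        // value seen on the wire
  const replayStatic = staticHashLogin("alice", capturedHash);
  const capturedResp = clientResponse("correct horse", issueChallenge("alice"));
  const firstLogin = verifyResponse("alice", capturedResp);
  issueChallenge("alice");                              // next attempt, new nonce
  const replayChallenge = verifyResponse("alice", capturedResp);
  return { replayStatic, firstLogin, replayChallenge };
}
```

The stored hash doubles as the HMAC key here, so a leaked user table still lets its holder log in; the nonce only defeats replay of captured traffic.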