I have a register form called server with fields Name, IP, Password. The form will send the data prevously filled by operator, but the problems is:
How the field Password will travel until my insert verification code ?
some short example:
The form
<form method=POST action=myActPage.php>
<input type=PASSWORD name=PWD value="" />
<input type=SUBMIT value=GO />
</form>
THE PROBLEM IS HERE — BETWEEN — THE TRAFFIC — password can be stolen here.. how to prevent it to happen?
The PHP Action Page
if ($_POST) {
$pwd = $_POST['PWD'];
$pwd = md5($pwd);
$response = mysql_query("INSERT INTO tbl_pwd ('pwd') VALUES ('$pwd') ");
}
Thanks for any idea on this matter.
EDITED:
I really spent almost two hours searching on stackoverflow and I found nothing on this specifc matter, thats is why the question. No question about the “traffic between form and php action script”
Important: I’m looking for a solution without the use of SSL over HTTP.
If you’re concerned about the password getting intercepted, you’ll have to look into using HTTPS. Even if you hashed the password client-side, it would most likely still be susceptible to replay attacks.
Edit
As far as storing them, you don’t want to use MD5 anymore. It’s old and has flaws (see second paragraph). You should use a better hash algorithm such as SHA. You should also add a salt to them. The salt makes dictionary attacks more difficult, especially if you use a unique salt for every password. That will mean that even if two users have the same password, their hashes will be different.