All geek questions in one place

Codeigniter: how can I encrypt the password before submitting the form to the controller?

I have a simple html login form

 <form method="post" action="http://www.example.com/login"> <input type="text" name="text_box" /> <input type="password" name="pass_word" /> <input type="submit" name="submit"> </form>

when I submit the form and to the controller

 public function login(){ $pass_word = $this->input->post('pass_word'); die($pass_word); }

The problem is here, it shows a simple password, if I 123456 in the controller, I get 123456 .

  1. Is this a security issue?
  2. Can someone get my password through a network monitoring tool like wireshark ?

how to avoid this? Is it possible to encrypt the password in the view before sending it to the controller? Please help, thanks in advance.

+6
source share
6 answers

If your message data (password, etc.) has been intercepted, then it will simply be seen as plain text. Using SSL / HTTPS will encrypt the data you send. I would not rely on client-side JavaScript or something similar for authentication / user registration purposes. This will most likely also give your users more confidence that a secure connection is being used.

Firstly, I just read about SSL and HTTPS in general, as well as SSL certificates - Wiki, Google and SO - all this will be a good place to search, there will be a ton of information.

To use SSL / HTTPS with CI, I found this useful:

In particular, the power ssl function from Nigel post :

Create a file in the / helper application called ssl_helper.php

 if (!function_exists('force_ssl')) { function force_ssl() { $CI =& get_instance(); $CI->config->config['base_url'] = str_replace('http://', 'https://', $CI->config->config['base_url']); if ($_SERVER['SERVER_PORT'] != 443) { redirect($CI->uri->uri_string()); } } } function remove_ssl() { $CI =& get_instance(); $CI->config->config['base_url'] = str_replace('https://', 'http://', $CI->config->config['base_url']); if ($_SERVER['SERVER_PORT'] != 80) { redirect($CI->uri->uri_string()); } }

Download the helper, then into the constructor for any controller that requires ssl, just paste:

force_ssl();

In every controller that you do not want to use ssl:

if (function_exists('force_ssl')) remove_ssl();

This is a programmatic approach, another way would be to use .htaccess (if you are using Apache).

+12
source

Yes, this is definitely a security issue. As you say, anyone with a Wireshark (or similar) can intercept it.

This is probably not what you want to rely on JavaScript for. Typically, you use something like SSL / HTTPS, there is a blog post (a bit old) that details how to do this with CodeIgniter, however this is pretty common so you can find a more recent tutorial with a small amount Google

http://sajjadhossain.com/2008/10/27/ssl-https-urls-and-codeigniter/ http://nigel.mcbryde.com.au/2009/03/working-with-ssl-in-codeigniter/ .

UPDATE: Lefter's answer gives more details and is correct, please review it, and instead

+2
source 
 $password = sha1($this->input->post('password')); or $hash= $this->input->post('password'); $password= $this->encrypt->sha1($hash);

you can use md5 instead of sha1 , but sha1 is more secure and then md5 strong> ... and both md5 and sha1 are not decoded

+2
source

Go through http://codeigniter.com/user_guide/libraries/encryption.html . Everything about encryption and decryption is described here.

Performs data encryption and returns it as a string. Example:

 $pass_word = $this->encrypt->encode(input->post('pass_word'));

Decrypts the encoded string. Example:

 $encrypted_pass_word = 'APANtByIGI1BpVXZTJgcsAG8GZl8pdwwa84'; $plaintext_pass_word = $this->encrypt->decode($encrypted_pass_word);

If necessary, you can transfer your encryption key by the second parameter if you do not want to use it in your configuration file. Follow the link to read a detailed explanation.

0
source

There is an easier way for the https user.

I put the following lines in a file. /application/config/config.php and it works fine:

 $protocol = ( isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on' ) ? 'https' : 'http'; $config['base_url'] = $protocol.'://www.yoursite.com';
0
source

Use md5 (string) for encryption, which is very safe for the codeigniter website. To encrypt the password, enter this code when submitting the form.

password = MD5 ($ this-> input-> entry ('password'));

0
source

Source: https://habr.com/ru/post/923955/

More articles:


All Articles