prompt box verification

Question

UK-1991 0 Posting Whiz

9 Years Ago

Hello guyz,

I have created a security on a page like there are several password issued to the users like on join us page if the person click on it the prompt box and user enters the password users are on that page and password is wrong it redirects to homepage.

I have created this in php but the prompt box is always created in javascript how can i combine them.

<?php
        error_reporting(0);

        if(isset($_POST['submit'])) {
            $password1  = array("alcd", "abcd", "abx");
            $password   = $_POST['password'];

            if(in_array($password, $password1)) {
                header("Location: home.php");
                exit;
            } else {
                header("Location: incorrect.php");
            }
        } 
?>

    <form name="submition" action="sinlge_form.php" method="post">
    Password : <input type="password" name="password" value="" /><br />
    <input type="submit" name="submit" value="submit" />
    </form>

and here is the code i created for prompt box

<script type="text/javascript">

    nam=window.prompt("Enter Your name:","Name plz");
    window.alert("Welcome " + nam);

</script>

but don't know how to combine both of them

Thank You

javascript php

3 Contributors
6 Replies
291 Views
2 Days Discussion Span
Latest Post 9 Years Ago Latest Post by diafol

diafol

9 Years Ago

If I understand the code correctly you're testing a password against an array of possible values. I really don't think this is very secure at all.

Nothing stopping a user going directly to home.php via url from what I can see.

Really don't understand the js prompt.

I would create a proper login (username and password), hash the pw and check the hash and username against values in DB.

The alert is pretty pointless as it just echoes whatever is typed into the prompt. The prompt value doesn't go anywhere. You'd need Ajax for that or a location forwarder with the data in the url. Not slick.

What do u think?

t_thakar 0 Newbie Poster

9 Years Ago

I agree with Diafol.

You have an array with passwords and you are checking the possword against the password that is entered is not efficient.. Like Diafol said you would hash the password. Store the hash into the database and then when the user enters a password you hash the entered password and do select on database where the hash matches the hash on the database.

also the other suggestion would be to add a unique salt when hashing so its difficult to hack the password hash

Another security tip is that you never tell your user that the password is wrong or username doesnot exists...

just give them the message login failed. And ask them to reset password when they have 3 or 4 failed login attempts.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

UK-1991 0 Posting Whiz · Answer 1 · 2014-11-27T19:00:40+00:00

Yes i see that and it wa just an example well the thing looking to do is let suppose you click on join us page if you enter a given password and hit okay you will be on the join us page and in case if your password is wrong you are then right away redirected to home page and regarding the array passwords its just a sample to let you know how i will be building but that needs to be done in the prompt box not in the input field. and the password will be stored in the database not in array cuz there will be only 4 passwords that gonna be provided to the users who are able to join.

for the promt box is just a sample i shown not will be done like once the passsword is entered and clicked on ok it will not even tell the user that the password is either is wrong or correct one it will only give redirection.

and one more thing i want to point out i had made a mistake

        if(in_array($password, $password1)) {
            header("Location: join_us.php");
            exit;
        } else {
            header("Location: home.php");
        }

diafol · Answer 2 · 2014-11-27T22:02:30+00:00

I think this may an unwise strategy. Security is a bit shaky.

UK-1991 0 Posting Whiz · Answer 3 · 2014-11-28T13:09:33+00:00

Okay so sir what will you suggest me to go with or to do please advise me so I can do for it and yes i also have to use session start query right.

but using a prompt box i will also try your hash query but didnt know to with using propmt box.
Thank You

diafol · Answer 4 · 2014-11-29T13:40:01+00:00

I wouldn't use a prompt box at all. It looks absolutely horrible too. Can't be styled.

I think many of use have posted login scripts over the years. A good place to start may be the snippets or tuorials section. Else a general PHP forum search. But there are literally hundreds or thousands of scripts out there.

A secure login script is no trivial thing. Input must be validated and possibly sanitized - although thanks to prepared statements, this isn't as much of a problem as it was prior to mysqli/PDO.