Member Avatar for mahul000

Here is a problem faced by me while handling the GET request method :

suppose the login form has user-id and password fields as text boxes. now after clicking on "sign-in" button the address bar of the following page(i.e the homepage of a particular member) shows:

<serverURL>.php?id=<someID>&pass=<somePass>

- where "id" and "pass" are the names of above mentioned textfields of login form. The technique works fine, except the password is clearly displayed in the address bar. Any person havig very little intelligence will at once decode it and know the password of the user beside him. Now my qtn is, how to tackle with this shortcoming ?

REMEMBER: I have to do it by GET method only, and not by POST !

  • 3 Contributors
  • 2 Replies
  • 120 Views
  • 18 Hours Discussion Span
  • Latest Post Latest Post by Puckdropper
Member Avatar for mmonaco27

I don't see why you can't use GET, but, serialize/encyrpt the password first. It's easy to do in PHP, but as you have to do it client side, hopefully there is some javascript md5 function.

Another solution would be to send the form data to a hidden iframe which first handles the data. You can then either do what you were intending in the hidden iframe, or you can simply process the URL, use PHP to convert the password to md5 then pass it on to the page you'd originally intended.

The IFrame would redirect to <serverURL>.php?id=<someID>&pass=DF098er3DKjD6798daDDF

Member Avatar for Puckdropper

Truely encrypt your password before sending. Don't just hash it, and don't use the password passed through the URL.

Remember, when programming on the web, it's always a good idea to program as if somone can see your source code.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.