0

Say I have a simple form:

<form action="register.php" method="post">
<label>Password:</label>
<?php if (isset($errors[1])) echo $errors[1]; ?> <- Displays error message if there is one
<input type="password" name="user_pass" />
<label>Confirm Password:</label>
<input type="password" name="user_pass_confirm" />

<input type="submit" />
</form>

$user_pass = $security->encrypt($_POST['user_pass']);
$user_pass_confirm = $security->encrypt($_POST['user_pass_confirm']);

$registration->form($user_pass, $user_pass_confirm);

And a class:

if (empty($user_pass)) {
$errors[1] = 'Passwords  required';
} else if ($user_pass != $user_pass_confirm) {
$errors[1] = 'Passwords don't match';
}

//if error array empty, create member

What I'm trying to do is validate the password to make it required, make sure they match and I would also add in a preg_match regular expression to ensure that it was at least 8 characters long or whatever.

My problem is, I've already encrypted the password before I submit it (which I believe unencrypted passwords shouldn't be posted, correct me if I'm wrong).

And then when my class gets the encoded string I can't do anything to validate it. I could check for empty by comparing the fields to the encrypted/salted version of nothing but I'm certain that's not the way to do it.

Can anyone point me to the standard procedure for validating passwords or whatever your suggestions are on the solution.

Many thanks

Alex L
  • 651
  • 9
  • 22
  • 1
    How can you encrypt a plain password using PHP which has not been sent to the server yet? – 1' OR 1 -- Oct 29 '12 at 01:27
  • You would post the password, then check if they match and use strlen() to see if it is > 8 chars, after all these, you will encrypt them. – Richi González Oct 29 '12 at 01:34
  • Sorry, knew I missed something, the page posts to itself and checks for errors. If errors are found, it will display the error message next to each input with an error. This process encrypts the password and strips out anything nasty. My reason for posting was that I thought sending unencrypted password was not a good thing. I must be mistaken. That's what half one in the morning does to you ;) – Alex L Oct 29 '12 at 01:39

1 Answers1

1

PHP cannot be executed on the client side. You cannot encrypt a plain password using PHP without sending it to the server in plain as PHP is a server side language. The password has to be sent to the server before you can access it. You can make use of mechanisms like SSL/TLS over https but this does not affect your PHP-Code.

That means: You cannot encrypt a password using PHP before the form is submitted. This can be done by client-side programming languages like JavaScript. You could implement a JavaScript function checking if the password is OK (not empty and long/secure enough) and afterwards have JavaScript encrypt it and then send it to the server so that the encrypted password is transferred to the server.

<form action="register.php" method="post">
...
</form>
<?php
//$user_pass = $security->encrypt($_POST['user_pass']);
//$user_pass_confirm = $security->encrypt($_POST['user_pass_confirm']);
//$registration->form($user_pass, $user_pass_confirm);
//YOUR PASSWORD HAS NOT BEEN SENT TO YOUR SERVER YET. YOU CANNOT ACCESS IT USING PHP.
//YOU WOULD NORMALLY DO SOMETHING LIKE THIS (IN REGISTER.PHP)
if(isset($_POST["name_of_your_submit_field"])) //WHICH MEANS THAT YOUR FORM HAS BEEN SUBMITTED NOW
{
    //This checks whether the POST-variable of your submit field is set.
    //If it is, you know that the client has submitted the form and sent the form data to your server.
    //Only here you can access the form data.
    $user_pass=$_POST['user_pass'];
    if(strlen($user_pass) > 8)
    {
        $user_pass = $security->encrypt($user_pass);
        $user_pass_confirm = $security->encrypt($_POST['user_pass_confirm']);
        $registration->form($user_pass, $user_pass_confirm);
    }
}
?>
1' OR 1 --
  • 1,694
  • 1
  • 16
  • 32
  • But validating via JavaScript would be no help if it was turned off. Then users could sign up and could use the letter "a" for a password if they wished. – Alex L Oct 29 '12 at 01:47
  • Yes, they could, but it's only about 1-2% of users having JavaScript disabled: http://stackoverflow.com/questions/9478737/browser-statistics-on-javascript-disabled But I think in first place it is the user's problem if he uses a weak password, not so much yours. You could also add a `noscript`-tag to warn those users. The other possibility is sending the password in plain. At the moment I am not aware of any secure encryption algorithm allowing you to imply the password length after the encryption process. – 1' OR 1 -- Oct 29 '12 at 01:55
  • Okay, well thanks for your answer, I'll just do the validation first and encrypt it after. – Alex L Oct 29 '12 at 01:57