-3

This is my html code for my login page. If I echo the password in the same page, the password is echoed as is. How do I hide the password string so the password is displayed like ******* instead?

```html
<div class="form">
    <div style="width:20%; float:left;">&nbsp;</div>
    <div style="width:60%; padding:10px 10px 80px 10px; position:relative; margin-top: 6%; float: left;">
        <form action="login.php" method="post">
            <h2 style="color:orange;">Log In</h2>
            <h3 style="color:orange;">User name:<input type="text" id="username" name="username" required></h3>
            <h3 style="color:orange;">User password:<input type="password" id="password" name="password" required></h3>
            <button type="submit" name="submit" value="Submit" style="color:orange;">Login</button>
        </form>
    </div>
</div>
```

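```php
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}
include('session.php');

// Echoes the submitted username and password straight into the page, unescaped.
echo $Name = $_POST['username'];
echo $psw  = $_POST['password'];
$_SESSION["username"]=$Name ;

// mysql_errno() belongs to the removed mysql_* API; the rest of the code uses mysqli_*.
if(mysql_errno() != 0) {
    echo "Query Failed".mysql_errno();
}

// $login is the query result; the query itself is not part of the posted code.
$row = mysqli_fetch_array($login);
$password = $row['Pass_word'];

// The stored Pass_word value is compared with the submitted password as-is.
if($password==$psw) {
    header('location:menu.php');
    exit();
    echo $Name; // never reached: exit() has already ended the script
} else {
    echo "<h6 style='text-align:center; color:Red'> USERNAME AND PASSWORD DOES NOT MATCH </h6>";
}
} // closes a block whose opening is not part of the posted code
mysqli_close($conn);
```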
Rasclatt
Shivu
  • You probably want to use `sprintf()` or something. I would hope you have not stored plaintext passwords though, that would be the first thing to fix. – Rasclatt Dec 04 '17 at 04:57
  • Side note, `exit(); echo $Name;` will not echo the name because you already exited. Also you redirected before that, so you can remove `echo $Name;` – Rasclatt Dec 04 '17 at 05:01
  • Any site that prints my password on a page, even if it is masked in a password input, indicates they are likely storing my password as plain text. And that isn't good. – Progrock Dec 04 '17 at 05:01
  • **Danger**: You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) which has been **removed** entirely from the latest version of PHP. You should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). – Quentin Dec 18 '17 at 09:20
  • **Danger**: This code is [vulnerable to XSS](https://www.owasp.org/index.php/XSS). User input needs escaping before being inserted into an HTML document! – Quentin Dec 18 '17 at 09:20
  • Please [learn to love labels](http://www.456bereastreet.com/archive/200711/use_the_label_element_to_make_your_html_forms_accessible/) – Quentin Dec 18 '17 at 09:20

3 Answers

0

If you want to secure your password, use any PHP encryption function for that. You cannot completely hide the password characters.

You can use a function such as md5(), crypt(), password_hash(), etc. to encrypt your password, and store the encrypted password in your database.

Rasclatt
Bhupendra Mistry
0
```php
str_repeat("*",strlen($password));
```
yivi
Shivu
-1

```html
<input type="password" value="my unsecure password">
```

Please read up on the hash functions for PHP to encrypt your password. But what you need is an input that has a password type so the browser will show ********. But there is no point hiding it if it's not encrypted. I do not know the passwords of my site's users.

MadeInDreams
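The points raised in the comments and answers above (store a hash instead of the password, escape user input before it goes into HTML, and show a mask instead of echoing the password) combined into one added example; it is not code from the question or from any answer. The `$users` array, the account names and the passwords are constructed stand-ins for the database table and the `$_POST` values, and the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the users table: the Pass_word column holds a hash.
// Registration would call password_hash() once and store only its output.
$users = [
    'alice'      => password_hash('s3cret-Example', PASSWORD_DEFAULT),
    '<b>bob</b>' => password_hash('another-Example', PASSWORD_DEFAULT),
];

// Returns true only when the user exists and the password matches the stored hash.
function check_login(array $users, string $name, string $password): bool
{
    static $dummy = null;
    if ($dummy === null) {
        // Hash checked for unknown users so both paths do comparable work.
        $dummy = password_hash('unused-placeholder', PASSWORD_DEFAULT);
    }
    $known = array_key_exists($name, $users);
    $valid = password_verify($password, $known ? $users[$name] : $dummy);
    return $known && $valid;
}

// Builds the response fragment. The submitted password is never written out;
// the mask has a fixed width, so not even the password's length is disclosed.
function render_login_result(array $users, string $name, string $password): string
{
    if (!check_login($users, $name, $password)) {
        return '<h6>Username and password do not match</h6>';
    }
    // Escape the user-supplied name before it becomes part of the HTML.
    $safeName = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    return "<p>Welcome, {$safeName}. Password: " . str_repeat('*', 8) . '</p>';
}

// Constructed requests standing in for $_POST['username'] / $_POST['password'].
$attempts = [
    ['alice', 's3cret-Example'],        // valid login
    ['alice', 'wrong'],                 // wrong password
    ['<b>bob</b>', 'another-Example'],  // valid login, name contains markup
    ['mallory', 'anything'],            // unknown user
];
foreach ($attempts as [$name, $password]) {
    echo render_login_result($users, $name, $password), PHP_EOL;
}
```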