
I'm making a login form in HTML and the backend with PHP

this is the form

<form class="col-md-8" action="inicio.php" method="POST" onsubmit="encrypt()">
  <br>
  <p><?php echo $error; ?></p>
  <div class="mt-3">
    <!-- label "for" must match the input id, otherwise clicking the label does nothing -->
    <h5><label for="user">USUARIO</label></h5>
    <input type="text" id="user" name="username" class="form-control" required placeholder="Introduce tu usuario">
  </div>
  <br>
  <div>
    <h5><label for="password">CONTRASEÑA</label></h5>
    <input type="password" class="form-control" required id="password" name="password" value="" placeholder="Introduce tu contraseña">
  </div>
  <div class="d-flex justify-content-around">
    <div>
      <button class="btn my-4" name="btnLogin" type="submit" style="background-color: rgba(78,133,172); color: white;">Iniciar Sesión</button>
    </div>
  </div>
</form>

When I click the submit button, the password shows up in the network request.

Can I encrypt or hide that field?

Tirdad Abbasi
    Does this answer your question? [Should I hash the password before sending it to the server side?](https://stackoverflow.com/questions/3391242/should-i-hash-the-password-before-sending-it-to-the-server-side) – Julia Aug 10 '20 at 16:01
    The request should be over https. That's really all you need. – Taplar Aug 10 '20 at 16:02
  • "the network request appear this password is showed" — Are you really worried about the user who typed the password being able to see what they typed using the network inspector? – Quentin Aug 10 '20 at 16:13

1 Answer


You send the plain-text password via HTTPS to your server, and your server hashes it there and stores the hashed password in a database.

As long as you send it via HTTPS, you're good. Even big sites do it without using any additional encryption of the password string.

You might also read about CSRF protection. You should integrate CSRF protection into every POST request.

In theory, a hacker could recreate your frontend website with a form. A user who visits his page will think it's your page and will try to register/log in to your page. With no CSRF protection, the user will be able to log in and will be redirected to your site, for example a dashboard, and the hacker could then save this information in his database.
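The two points in the answer (hash server-side, never store the password itself, and put a CSRF token in every POST form) as one worked script. This is an added example, not the asker's `inicio.php` or code from the answer; it assumes, for illustration only, a SQLite file `users.sqlite` with a table `users(username, password_hash)`, a post-login page `dashboard.php`, and a site served over HTTPS only. The function names `csrf_token`, `csrf_check`, `register_user` and `login_user` are this example's, not PHP built-ins.

```php
<?php
// Added example (not the question's or the answer's code): inicio.php as a
// single script that renders the login form and handles the POST.
// Assumptions (illustrative, not from the original page): SQLite file
// users.sqlite with table users(username, password_hash); dashboard.php as
// the post-login page; the site is reachable over HTTPS only.
declare(strict_types=1);

// Session cookie only over HTTPS, unreadable from JS, not sent on cross-site POSTs.
session_set_cookie_params([
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// --- CSRF token: one random value per session, embedded in every POST form. ---
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check($submitted): bool
{
    // hash_equals() compares in constant time; "==" would leak timing and juggle types.
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// --- Storage: only the password_hash() output is stored, never the password. ---
$db = new PDO('sqlite:' . __DIR__ . '/users.sqlite');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE IF NOT EXISTS users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

function register_user(PDO $db, string $username, string $password): void
{
    // PASSWORD_DEFAULT is bcrypt today; the hash string records its own algorithm, cost and salt.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// A fixed hash to verify against when the username does not exist, so the
// response time is the same for known and unknown usernames.
define('DUMMY_HASH', password_hash('not-a-real-password', PASSWORD_DEFAULT));

function login_user(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $stored = $row === false ? DUMMY_HASH : $row['password_hash'];
    $ok = password_verify($password, $stored) && $row !== false;
    if ($ok) {
        session_regenerate_id(true);   // fresh session id on login: defeats session fixation
        $_SESSION['user'] = $username;
        if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {   // transparently upgrade old hashes
            $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
            $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username]);
        }
    }
    return $ok;
}

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['btnLogin'])) {
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        $error = 'Invalid request token; reload the page and try again.';
    } elseif (login_user($db, (string)($_POST['username'] ?? ''), (string)($_POST['password'] ?? ''))) {
        header('Location: dashboard.php');
        exit;
    } else {
        $error = 'Incorrect username or password.';   // one message for both failure cases
    }
}
?>
<form class="col-md-8" action="inicio.php" method="POST">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <p><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
  <label for="user">USUARIO</label>
  <input type="text" id="user" name="username" class="form-control" required autocomplete="username">
  <label for="password">CONTRASEÑA</label>
  <input type="password" id="password" name="password" class="form-control" required autocomplete="current-password">
  <button class="btn my-4" name="btnLogin" type="submit">Iniciar Sesión</button>
</form>
```

The password field still travels as plain text inside the TLS connection, which is exactly what the answer describes; the browser's network inspector shows it because it sits before encryption, and no attacker on the wire sees it. `password_hash()` generates and stores its own salt, so nothing extra is needed on the server side, and `password_verify()` is run even for unknown usernames so the response time does not reveal which accounts exist. The hidden `csrf_token` field is what a copy of the form on another origin cannot supply, because the token lives in the victim's session and is compared with `hash_equals()`.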