Hello!
I have a small problem. On my website there is some information I would like
to protect. Right now I am using .htaccess to password-protect the
directory, but I was thinking about using PHP and a form with
usernames/passwords in a MySQL database. Thankfully, I read the following in
the manual right before I was about to use the crypt() function to encrypt
my password and compare it to the encrypted hash in the DB:
"It seems that a lot of people don't understand the point of using one-way
encryption. More importantly, a lot of web designers forget that PHP
encryption is done entirely on the web server, not the client.
Point being, if your form has a password input option and the user clicks
SUBMIT, the password is then sent _as plain text_ over the Internet to the
web server where it is then encrypted for comparison against a password
database.
Do _not_ use these types of functions to add security to a form unless
you're using an SSL or TLS (etc.) encrypted session. The only potential way
around this issue is for you to write a JavaScript program that does the
hashing on the client side before being sent over the Internet (which would
make this function unnecessary)."
I am pretty new to PHP and absolutely clueless as far as
encryption/algorithms are concerned. Could anyone possibly point me to a
viable solution for this problem?
Thanks in advance!
Tom Malone
--
PHP General Mailing List (http://www.php.net/)
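
The arrangement the quoted manual note calls for (hashing on the server, accepted only over an SSL/TLS session), as an added example that is not part of the original post or the PHP manual. Assumptions: a hypothetical users(username, pw_hash) table, in-memory SQLite standing in for the MySQL database so the script runs offline, and password_hash()/password_verify() in place of calling crypt() directly (password_verify() also accepts hashes produced by crypt()).

```php
<?php
declare(strict_types=1);

// Backstop only: a password posted over plain HTTP has already crossed the
// network in clear text, so the form page itself must be served over HTTPS.
// Behind a TLS-terminating proxy, use the proxy's trusted signal instead.
function request_is_tls(array $server): bool
{
    $https = strtolower((string)($server['HTTPS'] ?? ''));
    return $https !== '' && $https !== 'off';
}

// Hash of a throwaway value, so unknown usernames cost one verification too.
function dummy_hash(): string
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    return $hash;
}

// In a real handler pass $_SERVER and the submitted form fields.
function check_login(PDO $db, array $server, string $user, string $password): bool
{
    if (!request_is_tls($server)) {
        return false;
    }
    // Hypothetical schema: users(username, pw_hash).
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();
    $known = is_string($stored);
    // The hashing happens here, on the server, exactly as the manual note says.
    $ok = password_verify($password, $known ? $stored : dummy_hash());
    return $known && $ok;
}

// Constructed demo data: in-memory SQLite stands in for the MySQL table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['tom', password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(check_login($db, ['HTTPS' => 'on'], 'tom', 'correct horse'));
var_dump(check_login($db, ['HTTPS' => 'on'], 'tom', 'wrong guess'));
var_dump(check_login($db, ['HTTPS' => 'on'], 'nobody', 'correct horse'));
var_dump(check_login($db, [], 'tom', 'correct horse'));
```

Only the first call succeeds; the last one fails despite the correct password because the request did not arrive over TLS.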