I'll look into this and try it out. The only thing that is important to me is that the password get encrypted before transmitting across the internet. I'm not worry if the JS is disabled because if it is then the login will never be authenticated. I'll keep on exploring for way to increase security. Thanks for the response.
"Marek Kilimajer" <[EMAIL PROTECTED]> wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > The way you want it can be securely done only using asymetric > encryption, which is not available to JS. > Do you really need to encrypt user_id? You could use md5 to hash > password with some random string, > store the hash in a hidden field and erase password. On server side if > the hidden field is set compare it > whith a hash you create with password and the random string (keep the > string as a session variable, don't > pass it as a form hidden field). If the hidden hash field is not set, > use normal procedure. > > code: > > server: > $_SESSION[random]=create_random_string(); > > client: > function onsubmit(form) { > form.hiddenfield.value= md5( md5(form.password.value) + > form.randomstring.value); > form.password.value=''; > return true; > } > > server: > if($_POST[hiddenfield]) { > $res=mysql_query("SELECT * FROM users WHERE user='$_POST[user]' > AND > '$_POST[hiddenfield]'=MD5(CONCAT(password,$_SESSION[random]))"); > > } else { > $res=mysql_query("SELECT * FROM users WHERE user='$_POST[user]' > AND password=MD5($_POST[password]"); > } > > this example assumes passwords are stored as md5 hashes in the database > > Scott Fletcher wrote: > > >Here's the challenging project I'm doing. I'm trying to encrypt the user_id > >and password in javascript and submit it. Then have PHP to decrypt the > >user_id and password. The only problem I have is I don't know what > >javascript function or javascript algorithm that can also work the same way > >as the php function or php algorithm. Anybody know? > > > >Thanks, > > FletchSOD > > > > > > > > > > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
