问题
Can I convert a password entered into a form to md5 hash using javascript before sending it to my php validation page using javascript?
If yes, how?
Or is there an easier way to do it?
Thank you.
回答1:
You shouldn't do that anyway.
JavaScript can easily be disabled and you will be saving/manipulating plain password. Use PHP instead for that.
回答2:
There are a few simple rules regarding password handling:
To safely transfer passwords from the browser to your server, use SSL! Don't settle for anything less if you're truly worried about security.
Perform password hashing on the server only. Hashing on the client side depends on JavaScript, which is not always there.
It may seem obvious, but you can only reliably hash passwords with a password hash function, such as password_hash() (ships with PHP since 5.5) or via the password_compat library.
回答3:
Your intention not to send any plain password is absolutely commendable. But simply hashing the password on the client side and sending the hash instead of the plain password won’t help much. Because although it’s not the plain password that is used for authentication, it’s the hash that is now used instead. So an attacker that eavesdropped the communication would simply use the hash instead of the plain password. So this won’t help much, not to mention that a client won’t have JavaScript support.
However, it’s worth mentioning that there are authentication schemes that work that way (e. g. HTTP Digest Access Authentication Scheme). But there still needs to be a secure and trusted channel where the password is initially sent to the server. So HTTPS is still a must.
回答4:
You need to convert the plain-text password to a md5 hash using PHP only. As Sarfraz pointed out, the user can easily disable JavaScript in their browser, rendering the md5 process useless. If they disable JS, the plain-text password might be sent to the database without encryption.
If you're concerned about data transfer security, buy a SSL certificate to ensure everything in the form is being sent over HTTPS.
回答5:
You can but there it does not increase the security of you application.
Here is a JS implementation of the PHP md5 function http://phpjs.org/functions/md5
来源:https://stackoverflow.com/questions/9554565/can-i-convert-password-to-md5-in-javascript-before-sending-to-php-page