Can I convert a password entered into a form to md5 hash using javascript before sending it to my php validation page using javascript?

If yes, how?

Or is there an easier way to do it?

Thank you.

asked Mar 4, 2012 at 11:39 by BrokenCode; edited Mar 4, 2012 at 11:45 by Gumbo
  • 1 Yes, it is possible. But what do you expect of doing so? The only advantage is that only the hash instead of the plain password is transmitted but now the hash is the new password. – Gumbo Commented Mar 4, 2012 at 11:43
  • I don't want to save plain text passwords in my db (later). So I only need the md5 hash, whenever a user tries to log in I want to compare the md5(password) they entered to the md5 hash in the db. – BrokenCode Commented Mar 4, 2012 at 11:46
  • 1 What’s wrong with hashing the password on the server side that actually is under your control? – Gumbo Commented Mar 4, 2012 at 11:48
  • Sorry I am a newb. Your suggestion makes much more sense than what I was trying to do. But I am unsure how to convert the password that's entered into my form to md5 and then pass it on to the JS (on the same page). – BrokenCode Commented Mar 4, 2012 at 11:50
  • 2 @PartisanEntity: If i'm comparing the client's hash against the server's...how's that any better than storing the passwords in plain text? If i break in, i have all the passwords -- i can just tweak my browser to send you the hash i just stole from your DB, instead of trying to figure out what password was used to create it. – cHao Commented Mar 4, 2012 at 11:51
5 Answers

There are a few simple rules regarding password handling:

  1. To safely transfer passwords from the browser to your server, use SSL! Don't settle for anything less if you're truly worried about security.

  2. Perform password hashing on the server only. Hashing on the client side depends on JavaScript, which is not always there.

  3. It may seem obvious, but you can only reliably hash passwords with a password hash function, such as password_hash() (ships with PHP since 5.5) or via the password_compat library.

Your intention not to send any plain password is absolutely commendable. But simply hashing the password on the client side and sending the hash instead of the plain password won’t help much. Because although it’s not the plain password that is used for authentication, it’s the hash that is now used instead. So an attacker that eavesdropped the communication would simply use the hash instead of the plain password. So this won’t help much, not to mention that a client won’t have JavaScript support.

However, it’s worth mentioning that there are authentication schemes that work that way (e. g. HTTP Digest Access Authentication Scheme). But there still needs to be a secure and trusted channel where the password is initially sent to the server. So HTTPS is still a must.

You shouldn't do that anyway.

JavaScript can easily be disabled and you will be saving/manipulating plain password. Use PHP instead for that.

You need to convert the plain-text password to a md5 hash using PHP only. As Sarfraz pointed out, the user can easily disable JavaScript in their browser, rendering the md5 process useless. If they disable JS, the plain-text password might be sent to the database without encryption.

If you're concerned about data transfer security, buy a SSL certificate to ensure everything in the form is being sent over HTTPS.

You can, but it does not increase the security of your application.

Here is a JS implementation of the PHP md5 function http://phpjs/functions/md5
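
The point made in the comments and answers above (a client-side hash becomes the password, while a server-side salted hash does not) can be checked with a small simulation. This is an added example, not code from the thread: it runs under Node.js, the function names, the user `alice` and the sample password are constructed, and Node's `scrypt` stands in for PHP's `password_hash()`.

```javascript
const { createHash, randomBytes, scryptSync, timingSafeEqual } = require('crypto');

const md5 = (s) => createHash('md5').update(s).digest('hex');

// Scheme A (the question's idea): the browser sends md5(password) and the
// server stores that value and compares it directly.
function registerClientHashed(db, user, password) {
  db[user] = md5(password); // this is what the browser would transmit
}
function loginClientHashed(db, user, submitted) {
  return db[user] !== undefined && db[user] === submitted;
}

// Scheme B (the answers' advice): the password arrives over HTTPS and the
// server hashes it with a per-user salt and a slow function.
function registerServerHashed(db, user, password) {
  const salt = randomBytes(16);
  db[user] = { salt, hash: scryptSync(password, salt, 32) };
}
function loginServerHashed(db, user, submitted) {
  const rec = db[user];
  if (!rec) return false;
  // Whatever is submitted gets hashed again before the comparison.
  const candidate = scryptSync(String(submitted), rec.salt, 32);
  return timingSafeEqual(candidate, rec.hash);
}

// Reports whether a stored database row works as a login credential.
function leakedRowAsCredential() {
  const dbA = {}, dbB = {};
  const password = 'correct horse battery staple'; // constructed sample
  registerClientHashed(dbA, 'alice', password);
  registerServerHashed(dbB, 'alice', password);
  return {
    // Scheme A: the stored value is exactly what the login form expects.
    schemeA_leakedRowLogsIn: loginClientHashed(dbA, 'alice', dbA.alice),
    // Scheme B: the stored hash is not a valid input to the login form.
    schemeB_leakedRowLogsIn:
      loginServerHashed(dbB, 'alice', dbB.alice.hash.toString('hex')),
    schemeB_realPasswordLogsIn: loginServerHashed(dbB, 'alice', password),
  };
}

console.log(leakedRowAsCredential());
```

In a PHP application the Scheme B pair corresponds to `password_hash()` at registration and `password_verify()` at login, with the form submitted over HTTPS.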
