JavaScript doesn't implement any kind of one-way hashing. But that's for a 
good reason: suppose JavaScript encoded your password and sent it encoded to 
the server. The in-between hacker would retrieve the encoded password as it 
is sent to the server and simply pass that as the password - he doesn't ever 
need to know your undencoded password to break in, since the server expects 
it to be encoded anyway!

So you're only left with SSL for proper security...

HTTP_AUTH is just another way of sending the unsername and password as plain 
text -- it's just more comfortable to use than checking if you have proper 
credeintials in every page. My personal recommendation is to forget about 
HTTP_AUTH and use SSL plus phplib for proper security.


> Hi
> The most insecure part of entering a password in a web
> form is when you click "submit" and your password is
> sent in plain text form to your next PHP script.
> Is there any way around this without using JavaScript?
> How secure is it to use HTTP_AUTH?

PHP General Mailing List (
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to