Hi Matt,

> I'm authenticating users and currently using the
> PASSWORD() function of MySQL, however I realise
> that this is still transmitting the password in
> plain text and therefore can be hacked.
> Is there a way of encrypting the information BEFORE
> it is sent to the server?

Yup, client-side, with JavaScript. I don't know what algorithm MySQL uses for PASSWORD(), but I personally use MD5 hashing for storing encrypted passwords. Finding a JS implementation of MySQL's PASSWORD() is left as an exercise for the reader. The docs may help, or you could switch to MD5 (for which there is a JS algorithm at http://pajhome.org.uk/crypt/md5/md5src.html).

So you need an onsubmit handler for your form, which takes whatever's been entered into the password field, hashes it, overwrites the password field with the hash, and lets the form submission continue. I do this on our Intranet but I also control UA configuration, so I *know* everyone has JS enabled.

Of course, if you're using this on a public site, protected areas are permanently broken for anyone without JS. If you do it, I'd suggest putting up a message that says "for your increased security, javascript is required to access protected areas" or something, for politeness' sake if nothing else.

Cheers
Jon

____ The WDVL Discussion List from WDVL.COM ____
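
The onsubmit scheme described in the reply above, as an added example that is not part of the original post: it shows what the server receives and compares, next to a nonce-bound variant that goes beyond the post. Node's `crypto` module stands in for the browser MD5 script, and the user name, password, nonces and all function names are constructed for illustration.

```javascript
// Added example (not from the original post). Node's crypto module stands in
// for the browser MD5 script; user, password and function names are constructed.
const nodeCrypto = require('crypto');

const md5Hex = (text) =>
  nodeCrypto.createHash('md5').update(text, 'utf8').digest('hex');

// The onsubmit handler from the post: overwrite the password field with its
// hash and return true so the form submission continues.
function hashPasswordOnSubmit(form) {
  const field = form.elements.password;
  field.value = md5Hex(field.value);
  return true;
}

// Constructed server side: stores MD5(password), as the post describes.
const storedHash = { matt: md5Hex('s3cret-example') };

// Scheme from the post: the server compares the submitted hash to the stored one.
function loginStatic(user, submitted) {
  return storedHash[user] !== undefined && submitted === storedHash[user];
}

// Variant that goes beyond the post: the server issues a fresh nonce with each
// login page and the client sends MD5(nonce + MD5(password)) instead.
function respond(nonce, password) {
  return md5Hex(nonce + md5Hex(password));
}
function loginWithNonce(user, nonce, submitted) {
  return storedHash[user] !== undefined &&
    submitted === md5Hex(nonce + storedHash[user]);
}

// Runs both schemes on a constructed form object shaped like a DOM form.
function demo() {
  const form = { elements: { password: { value: 's3cret-example' } } };
  hashPasswordOnSubmit(form);
  const onWire = form.elements.password.value;
  const oldResponse = respond('nonce-1', 's3cret-example');
  return {
    onWire,
    plaintextSent: onWire === 's3cret-example',
    // The same fixed string is accepted on every later login.
    staticAcceptedAgain: loginStatic('matt', onWire),
    nonceAccepted: loginWithNonce('matt', 'nonce-1', oldResponse),
    // A response recorded under nonce-1 is rejected under nonce-2.
    oldResponseUnderNewNonce: loginWithNonce('matt', 'nonce-2', oldResponse),
  };
}
```

In both variants the stored hash is itself sufficient to log in, so it needs the same protection as a password. Confidentiality of the submitted value in transit comes from TLS, not from the hashing.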
