0

I'm using data from another server (not my server) and I need to log in to this server. So I need to know the password for every user account. I need to send this password to the server through an HTTP request (no problem). But the server expects an unsecured password.

So if the password is '123456' I have to send a POST request with data:

"username=user&password=123456"

I cannot use the md5 function because afterwards I am not able to get the password back, so my question is: how can I encode this password? Does some common PHP function exist for this? For example:

$securePassword = php_encode("123456", "mykey");
php_decode($securePassword, "mykey");

Because I just do not want to store "123456" in my database.

3
  • This is really REALLY insecure... also sending it by post... Commented Nov 5, 2013 at 13:32
  • Do you need to be able to do the operations when the user is offline? If you don't, then you can simply store the password in the session. Commented Nov 5, 2013 at 13:36
  • Yes, this password will be stored in the database just once, and after that there will be some script which will be running every day automatically (without the user). Commented Nov 5, 2013 at 14:13

6 Answers

1

Use mcrypt_encrypt() and mcrypt_decrypt()
for more info SO POST

2 Comments

This is probably what I need. The best thing I can do is secure the password on my side (in my database), because there is NO other way to send the password to this server than the POST method.
@Lodhart happy to hear it helped. Well but I believe no algorithm is unbreakable.
1

The point of a hash is that you can't un-encrypt it. To check if someone entered a correct password, hash what they typed in and compare it to the hash of their password in the database. If it matches, the password is right; otherwise, it's wrong. Also, as long as you use SSL and a decent hash algorithm, you should be secure.

1

If you have PHP >5.5, you can use the function password_hash. If you have a lower version that is bigger than PHP 5.3.7, you should use password compat.

0

What you are looking for is not how to secure the password but how to secure the transport of the password. You do this using Transport Layer Security, aka TLS aka SSL.

That said, transmitting a password in this fashion isn't really advised and a better mechanism should probably be devised. If you encrypt or hash the password and transmit the cipher text this offers no protection at all because an attacker would simply send cipher text just as you would.

You need to encrypt the data in transit. Get SSL setup on your site.

4 Comments

I know, I know, terrible idea to send a password through a POST request. But the other server is not mine, and if I want to use SSL, the other server must support SSL, right? The problem is that I have very limited information about the other server.
Yes the other server would need SSL. If it could handle comms over SSL then you could send the password in plain text and not worry too much but you shouldn't ever do that. It should always be hashed (and salted). If this really is your situation then you would appear to have little choice. Just understand that even if the password was encrypted/hashed then an attacker would just send the hashed password like you do. They can still impersonate you easily without knowing what the password is.
I really understand, it does not matter WHAT you send; if it is just a POST request, you can simply capture the HTTP communication and use it. The problem is that I cannot affect it. The POST request is the only way I can get data from this server. So I just want to encode the password in my database because I'm not the only one who has access to the database.
If others have access to your database then you need to encrypt data on the way in and then decrypt it on the way out. You also need to store the key somewhere that others can't access it or use a protected API to fetch/place data from/to the db.
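
The approach from the comment above (encrypt on the way in, decrypt on the way out, key kept outside the database), as an added example that is not part of the original thread. It uses PHP's bundled sodium extension (PHP 7.2+) instead of mcrypt, which was removed from PHP core in 7.2; the function names and the REMOTE_PW_KEY environment variable are assumptions.

```php
<?php
// Key lives outside the database. REMOTE_PW_KEY is an assumed env variable
// holding 32 random bytes, base64-encoded.
function load_key(): string
{
    $b64 = getenv('REMOTE_PW_KEY');
    $key = $b64 === false ? false : base64_decode($b64, true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('REMOTE_PW_KEY missing or not 32 bytes');
    }
    return $key;
}

// Returns base64(nonce || ciphertext+MAC), safe to store in a text column.
function encrypt_password(string $plain, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh per record
    $box   = sodium_crypto_secretbox($plain, $nonce, $key);
    return base64_encode($nonce . $box);
}

// Throws if the stored value was truncated or modified, or the key is wrong.
function decrypt_password(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('stored value is malformed');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('decryption failed: tampered data or wrong key');
    }
    return $plain;
}

// Constructed demo: a throwaway key stands in for the one load_key() returns.
$key    = sodium_crypto_secretbox_keygen();
$stored = encrypt_password('123456', $key);   // this string goes in the DB column
$body   = http_build_query([
    'username' => 'user',
    'password' => decrypt_password($stored, $key),
]);
echo $body, PHP_EOL;
sodium_memzero($key);   // wipe the key from memory when done
```

The scheduled job decrypts only at the moment it builds the POST body, so someone with database access alone sees only the base64 blob.
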
0

Have a look at below 2 functions

http://www.php.net/manual/en/function.mcrypt-encrypt.php and http://www.php.net/manual/en/function.mcrypt-decrypt.php.

0

There is a reason passwords are hashed instead of encrypted. You cannot decrypt a hash. Generally the convention is to do the following:

Create Password

  1. Send the new password to the server
  2. Hash the password
  3. Store the hash in the database

Check Password

  1. Send the password to the server
  2. Hash the password
  3. Check if the hash matches the hash stored in the database

For this you should use something like SHA256:

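// check password
$hash = hash('sha256', $password);
$db_hash = db_get_password($username, ...);
// hash_equals() compares in constant time and avoids PHP's loose ==,
// which treats some hex strings (e.g. "0e...") as equal numbers
if (hash_equals($db_hash, $hash)) {
    // correct password
}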

1 Comment

I know this principle and I'm using it on my server. But I need to get content from another server and to get content I need to log in (everything by PHP). I triggered data between browser and server to understand how to log in and I need to send a POST request with login and password. That is what I know about the second server.
