
How to protect login or change password form in web applications

2011/04/01

Developing a web application involves many concepts and skills: the programming language, CSS, HTML, JavaScript, databases, security and so on.

Security is important for any software, but a perfect security system is very hard to implement, so what we can do is raise the level of difficulty an attacker has to overcome.

When you build a web application that lets users sign in, you need a login form for those users and an administration area where they can change their password after signing in.

There are many ways to protect software; here I describe one way to raise the security level of the forms in your web application that use password fields.

For example, your web application has a table called "Users" that stores the fields needed for a user to log in.


Users
-----------
user_id    integer not null autoincrement primary key
login      varchar(255) not null
password   varchar(255) not null


login:        this field stores the user's email address, which can also be used to send administrative information.
password:     this field stores the user's password, but not in plain text; we store a hash of it, such as sha1('mypassword').


Create a login form with two fields (login and password), as in this example:

<form method="post" id="frm" action="login.php">
    Login: <input type="text" name="login">
    <br/>
    Password: <input type="password" name="password">
    <br/>
    <input type="button" value="Login" onclick="doLogin()">
</form>


This form does not send the password in plain text; the doLogin() function attached to the button takes care of that.

This function hashes the typed password and replaces the field's value with the hash, using a JavaScript library such as jssha.

The form data is then sent with the login and the hashed password.

When login.php receives the request, it looks the user up by login and compares the hashed password it received with the one stored in the database.

Note that the real password was never sent, only its hash, and someone who captures this form data will have some difficulty recovering the real password from the hash.

Recovering the real password is still possible, but it takes a lot of work (even over an SSL connection).

You can also use HMAC functions to make it harder still.

The change-password form behaves the same way: it sends the login, the hashed password and the hashed new_password; the password is checked against the one stored in the database and then replaced with new_password.

This is a small tip on how to add some security to your web application.

I recommend reading more about web application security at OWASP.