Codeigniter: ¿Cómo puedo cifrar la contraseña antes de enviar el formulario al controlador?

Tengo un simple html formulario de acceso

<form method="post" action="http://www.example.com/login">
    <input type="text" name="text_box" />
    <input type="password" name="pass_word" />
    <input type="submit" name="submit">
</form>

when I submit the form and in the controller

public function login(){
    $pass_word = $this->input->post('pass_word');
    die($pass_word);
}

The problem here, it shows the plain password, if I type 123456 in controller , I get 123456.

  1. Is this a security issue?
  2. Can any one get my password through a network monitoring tool like wireshark?

how to avoid this? Can I encrypt the password in view, before send to the controller?

preguntado el 28 de agosto de 12 a las 12:08

Use javascript for that... you can google a simple md5 encryption script. Just encode the password on form submit. -

@vishal , if i encrypt the password you can see the js and check what is the method i have used to do the encryption , and i think you can decrypt it -

@KanishkaPanamaldeniya I suggested MD5; that's a one way hashing algorithm, it produces a hash that cannot be reversed(you cannot revert a hash back to the original string anyway) MD5. -

@Vishal: client-side processing doesn't solve the problem. If an attacker has man-in-the-middle they can alter the .js as it is served to the consumer, and purloin the input without hashing it. -

5 Respuestas

If your post data (password etc.) was intercepted, then it would just be visible as plaintext. Using SSL/HTTPS will provide encryption for the data that you send. I wouldn't rely on client-side JavaScript or anything similar for the purposes for authenticating / logging in a user. It's likely to give your users more confidence too, seeing that a secure connection is being used.

First, I'd just read up about SSL and HTTPS in general, as well as SSL certificates - Wiki, Google and SO would all be be good places to look, there's loads of information out there.

For using SSL/HTTPS with CI, I found these useful:

In particular the force ssl function from Nigel's post:

Cree un archivo en la aplicación/ayudante llamado ssl_helper.php

if (!function_exists('force_ssl'))
{
    function force_ssl()
    {
        $CI =& get_instance();
        $CI->config->config['base_url'] =
                 str_replace('http://', 'https://',
                 $CI->config->config['base_url']);
        if ($_SERVER['SERVER_PORT'] != 443)
        {
            redirect($CI->uri->uri_string());
        }
    }
}

function remove_ssl()
{
    $CI =& get_instance();
    $CI->config->config['base_url'] =
                  str_replace('https://', 'http://',
                  $CI->config->config['base_url']);
    if ($_SERVER['SERVER_PORT'] != 80)
    {
        redirect($CI->uri->uri_string());
    }
}

Load the helper, then in the constructor for any controller that requires ssl, simply insert:

force_ssl();

En cada controlador que no desea que SSL ponga:

if (function_exists('force_ssl')) remove_ssl();

This is a programmatic approach, another way would be to use .htaccess (if you're using Apache).

contestado el 23 de mayo de 17 a las 13:05

Yes, it's definitely a security issue. Like you say, anyone with Wireshark (or similar) has the potential to intercept it.

This probably isn't something you want to rely on JavaScript for. Generally you'd use something like SSL/HTTPS, there's a blog post (a little old) detailing how to go about it with CodeIgniter, however it's pretty common so you might be able to find a more recent tutorial with a bit of Googling.

http://sajjadhossain.com/2008/10/27/ssl-https-urls-and-codeigniter/ http://nigel.mcbryde.com.au/2009/03/working-with-ssl-in-codeigniter/.

UPDATE: Lefter's answer provides more detail and is correct, please view it as well/instead

Respondido 29 ago 12, 00:08

Atravesar http://codeigniter.com/user_guide/libraries/encryption.html . Everything about the encryption and decryption is described here.

Performs the data encryption and returns it as a string. Example:

$pass_word = $this->encrypt->encode(input->post('pass_word'));  

Decrypts an encoded string. Example:

$encrypted_pass_word = 'APANtByIGI1BpVXZTJgcsAG8GZl8pdwwa84';

$plaintext_pass_word = $this->encrypt->decode($encrypted_pass_word);

You can optionally pass your encryption key via the second parameter if you don't want to use the one in your config file. Go through the link to read the detail explanation about it.

Respondido 28 ago 12, 12:08

yes , i can do encryption in the controller , the problem is some one can get the password in the middle of the post request ????? - Kanishka Panamáldeniya

SSL is the only answer to this. Everything else can be snooped or just done by looking at your Javascript. SSL is designed for this; if you're asking this question you definitely shouldn't be trying to come up with a better solution! - robar subvención

$password = sha1($this->input->post('password'));

or 

$hash= $this->input->post('password');

$password= $this->encrypt->sha1($hash);

puedes usar md5 en lugar de sha1 pero sha1 es más seguro luego md5... and both md5 & sha1 Fuck Cancer. non-decodable

Respondido 26 Abr '13, 09:04

There is a more easy way to user https.

Puse las siguientes líneas en el archivo ./application/config/config.php y funciona perfectamente:

$protocol = ( isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on' ) ? 'https' : 'http';
$config['base_url'] = $protocol.'://www.yoursite.com';

Respondido el 23 de Septiembre de 14 a las 08:09

May be it is very easy and simple process. - user1133648

No es la respuesta que estás buscando? Examinar otras preguntas etiquetadas or haz tu propia pregunta.