NYCPHP Meetup

NYPHP.org

[nycphp-talk] security, sessions, and encryption

David Sklar sklar at sklar.com
Tue Mar 16 10:28:23 EST 2004


> 1.  SSL protects the data from being sniffed out as it goes from the 
> form on the client machine to the server.  This seems to be the only 
> way, or at least the best way to prevent the data from being transmitted 
> in the clear?

You're correct about what SSL does. However, another way to prevent the 
data from being transmitted in the clear is to encrypt it (with 
Javascript) before it is sent to the server.

http://pajhome.org.uk/crypt/md5/ has some links and demos of encryption 
with Javascript.

With this method, the data passes in the clear to the server, but a 
sniffer sees the encrypted version of the password instead of the real 
password.

The downsides of this method:
  - the user must have Javascript turned on
  - a sniffer could capture the entire session and replay it
    to pretend to be a valid user

To prevent the capture and replay, you'd need to put something *else* in 
the form that is unique each time you present the log in form. That way, 
if you see a duplicate on the server, you know that it's an invalid form 
submission.

If you (or your ISP) can flip a switch and enable SSL on your server, 
it's simpler (no changes required in your pages) and more standard. If 
for some reason you can't use SSL, all this Javascript whatnot can be 
helpful.

> 2.  When you crypt their password to compare it to the one stored in the 
> database, and it's a one way encryption, that means that the password 
> stored in your database has been put in via crypt as well at some point, 
> correct?

Yes. The logic in your account signup page might look something like

if (form_is_submitted() && form_data_is_valid()) {
    // crypt() is one-way: only the hash is stored, never the plain-text password
    $encrypted_password = crypt($_POST['password']);
    // note: $_POST[username] should be escaped or bound as a parameter before it
    // is interpolated into the SQL
    db_query("INSERT INTO users (username,password) VALUES
              ('$_POST[username]','$encrypted_password')");
    print "You're all signed up now.";
}

David

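The two points in the reply above, a crypt()-stored password compared by re-crypting the submitted one, and a per-form one-time value that lets the server reject a replayed log-in submission, worked through as an added example that is not part of David's post. It assumes PHP 7 or later with session_start() already called, a PDO connection in $db, and the post's own helper names form_is_submitted() and form_data_is_valid().

```php
<?php
// Added example (not from the original post): crypt()-based password storage and
// verification, plus a one-time form token to reject replayed log-in submissions.
// $db is an assumed PDO connection; form_is_submitted()/form_data_is_valid() are
// the post's own helper names, assumed to exist.

// Signup: store only the one-way crypt() hash, never the plain-text password.
function store_new_user(PDO $db, string $username, string $password): void {
    $salt = '$6$' . bin2hex(random_bytes(8)) . '$';   // SHA-512 crypt; the salt is embedded in the hash
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, crypt($password, $salt)]);   // bound values: no SQL injection
}

// Login: the stored hash doubles as the salt, so re-crypting the submitted
// password with it must reproduce the stored value exactly.
function password_matches(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false;   // unknown user
    }
    return hash_equals($stored, crypt($password, $stored));
}

// Replay defence: every log-in form carries a fresh token, accepted exactly once.
// A replayed capture presents a token the server has already consumed.
function issue_form_token(): string {
    $token = bin2hex(random_bytes(16));
    $_SESSION['login_tokens'][$token] = time();
    return $token;   // emit as <input type="hidden" name="token" value="...">
}

function consume_form_token(string $token): bool {
    if (!isset($_SESSION['login_tokens'][$token])) {
        return false;   // never issued, or already used: treat as a replay
    }
    unset($_SESSION['login_tokens'][$token]);
    return true;
}

if (form_is_submitted() && form_data_is_valid()) {
    if (!consume_form_token($_POST['token'] ?? '')) {
        print 'Duplicate or stale form submission.';
    } elseif (password_matches($db, $_POST['username'], $_POST['password'])) {
        print 'Welcome back.';
    } else {
        print 'Bad username or password.';
    }
}
```

The token only defeats replay of the whole captured submission; it does not hide the password itself, which is why the reply still recommends SSL where it is available.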