I just want to understand what happens to the data when a user submits a login form to a PHP script on the server.
Why do we hash or encrypt the password in the server-side script, when the user submits it to the server via a form (I think it's a client-side script, as HTML) in plain text that can be read by any hacker?
- possible duplicate of Must logins be a https page and Secure hash and salt for PHP passwords (Artjom B., Apr 3, 2015 at 14:35)
- "Read by any hacker" is mostly a media exaggeration. Listening to someone's unencrypted internet traffic requires the cracker to connect at some point to your connection to the server, which is often not trivial. Approaches include offering free (malicious) wifi, listening to all traffic on public wifi (both easy), installing a hardware device at someone's office (getting harder), tapping into the public telecommunications network at a roadside routing box (harder still). (halfer, Apr 3, 2015 at 14:36)
- Passwords are just one (popular) authentication factor. But there are also others. (Gumbo, Apr 3, 2015 at 14:36)
2 Answers
what happens to the data when a user submits a login form to a PHP script on server?
The data travels over the internet from one computer to another. Nothing more, nothing less. What the server does with the submitted data is up to the server.
Why do we hash or encrypt the password on the server side...
In order not to store the password in plain text where anybody can see it. A password is a secret that only the user should know and nobody else. Yes, it needs to travel to the server in plain form; this is more or less inevitable. But then the server should do everything in its power to not leave any trace of this plain form around.
...can be read by any hacker.
That's why every data submission should be secured by an SSL/TLS connection. Without that, it's indeed just plaintext on the wire. A properly set up TLS connection in a secure environment is practically unbreakable.
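As an added example (not code from either answer), here is what the server-side PHP script can do with the submitted password: verify it with password_verify() against a stored password_hash() value and then discard the plaintext. The `users` table, the in-memory SQLite database and the sample user are assumptions constructed for the demonstration.

```php
<?php
// Added example: a minimal PHP login handler that never stores or logs
// the plaintext password it receives over POST.
// Assumes HTTPS is enforced by the web server and a `users` table with
// columns `username` and `password_hash` (hypothetical schema).

declare(strict_types=1);

function registerUser(PDO $db, string $username, string $password): void
{
    // password_hash() salts and hashes with bcrypt (PASSWORD_DEFAULT);
    // only the resulting hash is persisted, never the password itself.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function loginUser(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user does not exist so that
    // response time does not reveal which usernames are valid.
    $storedHash = $row ? $row['password_hash'] : password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($password, $storedHash) || !$row) {
        return false;
    }

    // Transparently upgrade hashes created with older cost parameters.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return true;
}

// Request handling: read the submitted field, use it once, then discard it.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $db = new PDO('sqlite::memory:');  // constructed in-memory DB for the demo
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    registerUser($db, 'alice', 'correct horse battery staple');  // constructed sample user

    $ok = loginUser($db, (string)($_POST['username'] ?? ''), (string)($_POST['password'] ?? ''));
    unset($_POST['password']);  // do not let the plaintext linger in request data or error dumps
    echo $ok ? 'Login OK' : 'Login failed';
}
```

The stored value is a salted bcrypt hash, so a leaked `users` table does not reveal the plaintext; the plaintext exists only for the duration of the request.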
You are right, there can be a MITM (Man In The Middle) attack and the hacker can eventually read your password. That's why the use of HTTPS (everywhere) is preferable to secure your form submission.
Some references that can help you: