-2

I have a form where I have a password field. When the user submits the form, all the fields, including the password, are clearly visible in the URL when they pass through the URL to another PHP page. Is there any way to avoid this? I don't want the password to be visible.

Deva
  • You don't want to do it with GET, you want POST and SSL. – DeDee Oct 25 '15 at 20:44
  • @Deva, The above comment is a MUST – Mi-Creativity Oct 25 '15 at 20:46
  • **You really *don't* want to be encrypting passwords.** You need to **hash** them, so passwords cannot be retrieved if the database is hacked. Transmission on the other hand, should use SSL & POST. – AStopher Oct 25 '15 at 20:48
  • To add to what @bob said, the first rule in security is don't bother with security, use the secure systems designed by other more knowledgeable people. – Kyll Oct 25 '15 at 20:51

1 Answer

6

You should be POSTing the form data rather than using the GET method to remove the data from the query-string:

```html
<form method="post" ...
```

And encrypting the data using SSL - that way all the data will be sent securely.

This answer eloquently explains the difference between POST and GET.

Tom Walters
  • Should also probably mention that passwords should be hashed, and not encrypted, when stored in a database. – AStopher Oct 25 '15 at 20:49
  • @bob Yes and no; in this instance we're talking about sending data to the server rather than storing anything, therefore encryption is sufficient. However I agree that OP should note that [hashing](http://security.stackexchange.com/questions/51959/why-are-salted-hashes-more-secure) is required when storing passwords. – Tom Walters Oct 25 '15 at 20:53
  • @bob kinda off topic in this question, but a good mention nonetheless. You definitely want to encrypt the password from the client to the server (SSL), and then hash it if you're going to persist it. – JimL Oct 25 '15 at 20:53
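
The three points made in the answer and its comments (POST instead of GET, SSL/TLS in transit, a hash rather than the password at rest) can be enforced together on the receiving PHP page. The following is an added example, not code from the original post or its answer; the file name `login.php`, the field names `username` and `password`, the helper `load_user_hash()` and the sample account are all assumptions, and it assumes TLS terminates at the web server running PHP so that `$_SERVER['HTTPS']` is set.

```php
<?php
// login.php: hypothetical receiver for a <form method="post"> (names are assumptions).
declare(strict_types=1);

// Constructed sample record; a real application reads the hash from its user table.
// Only the password_hash() output is stored, never the password itself.
function load_user_hash(string $user): ?string
{
    static $users = null;
    if ($users === null) {
        $users = ['deva' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
    }
    return $users[$user] ?? null;
}

// Returns the HTTP status code the request should receive.
function handle_login(array $server, array $get, array $post): int
{
    // Refuse plain HTTP: without TLS the POST body is readable on the wire.
    if (empty($server['HTTPS']) || $server['HTTPS'] === 'off') {
        return 403;
    }
    // Accept POST only, so credentials are never carried in the query string.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 405;
    }
    // A password in the URL means some form or link still submits it via GET.
    if (isset($get['password'])) {
        return 400;
    }
    $user = $post['username'] ?? '';
    $pass = $post['password'] ?? '';
    if (!is_string($user) || !is_string($pass)) {
        return 400;
    }
    $hash = load_user_hash($user);
    // password_verify() re-hashes the input with the stored salt and compares.
    if ($hash === null || !password_verify($pass, $hash)) {
        return 401;
    }
    return 200;
}

// Act on the real request only when served by a web server, not from the CLI.
if (PHP_SAPI !== 'cli') {
    http_response_code(handle_login($_SERVER, $_GET, $_POST));
}
```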