How do I hide a certain part of my script from the rest of the world?
So I want to make a login page (noob version of it at least), and I found a JavaScript on the internet that works just fine and is understandable for someone like me.

[CODE]
<form name="login">
Username<input type="text" name="userid"/>
Password<input type="password" name="pswrd"/>
<input type="button" onclick="check(this.form)" value="Login"/>
<input type="reset" value="Cancel"/>
</form>
<script language="javascript">
function check(form) /* function to check userid & password */
{
    /* the following code checks whether the entered userid and password are matching */
    if (form.userid.value == "myuserid" && form.pswrd.value == "mypswrd")
    {
        window.open('target.html') /* opens the target page while Id & password matches */
    }
    else
    {
        alert("Error Password or Username") /* displays error message */
    }
}
</script>
[/CODE]

But if you go to the login page and you press F12 (with Google Chrome), the HTML code shows up and you can easily find the pass and username. Is there any way I can hide it from the rest of the world? :) [I]Thank you very much[/I]
You could always just use .htaccess to protect the page rather than overcomplicating things.
Never use clientside JavaScript for logins. You should use a serverside language like PHP or RoR to handle it. Anything clientside can be edited and there is no way to obfuscate that will provide significant security.
Ajax it
I haven't really been into the serverside yet when creating a website. Do you have some simple script that can do the trick?
[CODE]
<?php
if($_POST['username'] == "IShouldLearnPHP" && $_POST['pswrd'] == "EvenIfItsOnlyTheBasics"){
    header("Location: target.html");
} else {
    print "Wrong username and/or password!!";
};
?>
<form method="post">
Username<input type="text" name="username"/>
Password<input type="password" name="pswrd"/>
<input type="submit" value="Login"/>
<input type="reset" value="Cancel"/>
</form>
[/CODE]

Haven't tested it, but it should work...
lol thanks! :)
The proper way to do logins is to store the username and a hash of the password so you're not actually storing a copy of the password anywhere. A hash uses the password as a starting point to generate a bunch of seemingly random numbers and letters which cannot be reversed to get the original password but is repeatable if you have the same original password. When the user's account is created the password is hashed and then that is stored. When the user goes to log on they enter their password and it goes through the same process once again and the two hashes are then compared. If they match then the server knows the password is correct despite not knowing what the password is. There is a lot more to this but this is the basics.

As was recommended earlier, a relatively simple way to secure pages, assuming your server is Apache, is to use .htaccess and .htpasswd files. You can find online generators for them if you need.

Also, some things in Coment's code to watch out for, which might be useful for other people: a header('Location: /something') redirect is only an instruction to be sent to the user's browser, which can be ignored, so it should always be followed with an 'exit;'. Also, 'echo' is preferred over 'print' since echo is a native part of the language. Use 'isset' to check if a variable is set before trying to use it. In Coment's code, on the first viewing of the page $_POST['username'] and $_POST['pswrd'] have not been set and will be 'null'. Since null does not equal a string, you would be showing 'Wrong username and/or password!!' even before they have used the form.
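
The points from the post above put together in one page, as an added example that is not code from any poster in this thread. It uses PHP's built-in password_hash() and password_verify(); the account 'alice', its demo password, the helper names demo_store() and check_login(), and the redirect target target.php are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed demo store (username => password hash). A real site fills this
// at account creation and keeps only the hash, e.g. in a database; the hash is
// computed here only so the file runs on its own.
function demo_store(): array
{
    return ['alice' => password_hash('constructed-demo-password', PASSWORD_DEFAULT)];
}

// True only when both fields arrived as strings and the password matches the
// hash stored for that user. Missing fields simply fail the check.
function check_login(array $store, $user, $password): bool
{
    if (!is_string($user) || !is_string($password) || !isset($store[$user])) {
        return false;
    }
    return password_verify($password, $store[$user]);
}

$error = '';
// Evaluate credentials only after the form was posted, so the first page view
// does not show an error message.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $user = $_POST['username'] ?? null;
    if (check_login(demo_store(), $user, $_POST['pswrd'] ?? null)) {
        session_start();
        session_regenerate_id(true);      // fresh session id after login
        $_SESSION['user'] = $user;
        header('Location: target.php');   // hypothetical page that checks $_SESSION['user']
        exit;                             // the redirect is only a request to the browser
    }
    $error = 'Wrong username and/or password!!';
}
?>
<?php if ($error !== ''): ?><p><?= htmlspecialchars($error) ?></p><?php endif; ?>
<form method="post">
  Username<input type="text" name="username"/>
  Password<input type="password" name="pswrd"/>
  <input type="submit" value="Login"/>
  <input type="reset" value="Cancel"/>
</form>
```

The page behind the redirect has to check the session itself (or sit behind .htaccess), because a static target.html can be opened by anyone who knows its URL.
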
Yea, listen to C, that method is really insecure and easily exploitable. I would read up on StackOverflow guides for PHP security and login security before going live.
Ok, here is what you do: Instead of calling the page target.html, call it username_password.html, then change your code as follows:

[CODE]
<form name="login">
Username<input type="text" name="userid"/>
Password<input type="password" name="pswrd"/>
<input type="button" onclick="check(this.form)" value="Login"/>
<input type="reset" value="Cancel"/>
</form>
<script language="javascript">
function check(form) /* function to check userid & password */
{
    window.open(form.userid.value+'_'+form.pswrd.value+'.html')
}
</script>
[/CODE]

All clientside :D