Check for empty field after encryption

Question

I have this piece of html code:

<form action="register.php" method="post">
       Email: <input type="text" name="email" /><br />
       Username: <input type="text" name="username" /><br />
       Password: <input type="password" name="p" id="password" /><br />
       <input type="button" value="Register" onclick="formhash(this.form, this.form.password);" />
</form>

Once the register button is pressed, an encryption gets called and the password gets encrypted immediately. I thought this would be a very good and secure way to do it, however I can't seem to check if the passworld field named "p" is empty or not because if the user leaves the field empty when registering, the encryption encrypts the empty field, hence it's not empty anymore. I need a way to check if the user leaves the "p" field empty or not, because it shouldn't be possible to make a password with 0 characters.

I know this problem can be solved by javascript, but I need a secure way to check if the field is empty or not, therefore I'd like to get a PHP solution.

The register.php:

<script type="text/javascript" src="sha512.js"></script>
<script type="text/javascript" src="forms.js"></script>

<?php
include 'db_connect.php';

//Just to check that the p field is encrypted already at this point. 
echo $_POST['p'];

// The username
$username = $_POST['username'];
// The email
$email = $_POST['email'];
// The hashed password from the form
$password = $_POST['p']; 
// Create a random salt
$random_salt = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true));
// Create salted password (Careful not to over season)
$password = hash('sha512', $password.$random_salt);

// Add your insert to database script here. 
// Make sure you use prepared statements!
if ($insert_stmt = $mysqli->prepare("INSERT INTO members (username, email, password, salt) VALUES (?, ?, ?, ?)")) {    
   $insert_stmt->bind_param('ssss', $username, $email, $password, $random_salt); 
   // Execute the prepared query.
   $insert_stmt->execute();
}
?>

Answer 1

If anyone monitor your traffic they can still get that password. It's just changed from the original string to the hash. It is not a security feature!

If you are worried about someone intercepting the data, use https.

Remove your client side hash:

<form action="register.php" method="post">
       Email: <input type="text" name="email" /><br />
       Username: <input type="text" name="username" /><br />
       Password: <input type="password" name="p" id="password" /><br />
       <input type="submit" name="submit" value="Register" />
</form>

Note: password_hash is new in PHP 5.5, if your version is older try this userland implementation .

Change your PHP code to this:

<?php
include 'db_connect.php';

if (!isset($_POST['p']) || (10 > strlen($_POST['p']))) {
    //password too short!
}

if (!isset($_POST['username']) || (3 > strlen($_POST['username']))) {
    //username too short!
}

// The username
$username = $_POST['username'];
// The email
$email = $_POST['email']
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
    //not a valid email (mostly)
}
// The unaltered password from the form
$password = $_POST['p']; 

// Create salted password (Careful not to over season)
$password = password_hash($password, PASSWORD_BCRYPT);

// Add your insert to database script here. 
// Make sure you use prepared statements!
if ($insert_stmt = $mysqli->prepare("INSERT INTO members (username, email, password) VALUES (?, ?, ?)")) {    
   $insert_stmt->bind_param('sss', $username, $email, $password); 
   // Execute the prepared query.
   $insert_stmt->execute();
}

Use this to verify the password on login/auth:

password_verify($password, $passwordFromDb)

Answer 2

have a javascript function that validates the form when the register button is clicked:

use this to check if the password field has any input:

if (document.getElementById('Password').value.length!=0) {
   //encrypt and submit form
} else {
   //return to form and display error to user
} 

side note, always use SSL to submit passwords, forcing the user to hash their password before sending and then hashing it again could be excessive and won't prevent anyone from reusing the password or hash in an attack.