I'm trying to validate the form using AJAX. This is what I've done so far:

$('#login-form').submit(function(e) {
  e.preventDefault();
  var user = username.value;
  var pass = password.value;

  if (user != '' && pass != '') {
    $('#login').html('Proccessing...');
    $.ajax({
      url: 'login.php',
      type: 'POST',
      data: {
        username: user,
        password: pass
      },
      processData: false,
      contentType: false,
      success: function(response) {
        if (response == 'success') {
          window.location.href = 'admin.php';
        } else {
          $('.login_message').html('Incorrect Credentails');
          $('#login').html('Login');
        }
      }
    });
  } else {
    $('.login_message').html('Fill All Fields');
    $('#login').html('Login');
  }
})

and it seems like response doesn't return success. Below is the login.php file

<?php
session_start();
$password = $username = '';
$_SESSION['user'] = $_SESSION['error'] = '';


if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    if (isset($_POST['login'])) {
        include_once('db.php');
        $username = strip_tags($_POST['username']);
        $password = strip_tags($_POST['password']);

        $password = md5($password);
        echo 'username: ' . $username . ' and ' . ' password: ' . $password;
        $sql   = "select * from users where username = '" . $username . "' limit 1";
        $query = mysql_query($sql);

        if ($query) {
            $row    = mysql_fetch_assoc($query);
            $dbpass = $row['password'];
            if ($password == $dbpass) {
                ;
                $_SESSION['user'] = $username;
                header('Location: admin.php');
            } else {
                $_SESSION['error'] = 'Wrong username or password!';
            }
        } else {
            echo mysql_error();
        }
    }
}
?>

If it happens you have found the solution, please explain to me how you find the solution and what I've done wrong. Thank you in advance.

Returning values from PHP back to JS

When using AJAX, I believe if you do echo in the PHP target file (here login.php) it will act as a return. Therefore the code after a echo will not run as you might expect.

Also in your code you have: echo $_SESSION['error'] = '';

Use == to compare two object, = is the assignment operator.

Retrieving AJAX data in PHP file

The use of the ajax() method from jQuery in your code looks correct to me. So when the call is made the information is sent asynchronously to the server. More precisely it will send the parameters to the PHP file you've specified in the ajax object properties: login.php.

In login.php you can access your passed parameters in the $_POST array.

You would have the following:

$username = $_POST['username'];
$password = $_POST['password'];

// process information...
$state = 'success'

// now you can return a JSON object back to your page
// I strongly recommend using a PHP array and converting it to JSON
// this way it's very easy to access it back with JS

$response = array(state=$state)
echo json_encode($response);

And back in your jQuery code you access the state value with response.state

if(response.state == 'success') {
  alert('It is a succcess!');
}

Debugging PHP target files

Now you generally have problems in the code in this PHP files. And it's not an easy thing to debug it. So the way I proceed is: I set the parameters in stone in login.php for instance:

$username = 'usernameTest'; // $username = $_POST['username'];
$password = 'passwordTest'; // $password = $_POST['password'];

Then I would open the PHP file in a browser and run it do see if it echoes the object and if there are any bugs.

Then you can put back $username = $_POST['username']; and $password = $_POST['password'];.

Actual code

<?php
session_start();

if (isset($_POST['username'], $_POST['password']) {
    include_once('db.php');

    $username = strip_tags($_POST['username']);

    $password = strip_tags($_POST['password']);
    $password = md5($password);

    $sql   = "select * from users where username = '" . $username . "' limit 1";
    $query = mysql_query($sql);

    if ($query) {
      $row = mysql_fetch_assoc($query);
      $dbpass = $row['password'];

        if ($password == $dbpass) {
           $state = 'success';
        } else {
           $state = 'failed';
        }

    } else {
      echo mysql_error();
    }
}

Warning mysql(), md5() and SQL injections

• Don't use the deprecated and insecure mysql_* functions. They have been deprecated since PHP 5.5 (in 2013) and were completely removed in PHP 7 (in 2015). Use MySQLi or PDO instead.

• You are wide open to SQL Injections and should really use Prepared Statements instead of concatenating your queries. Using strip_tags() is far from a safe way to escape data.

• Don't use md5() for password hashing. It's very insecure. Use PHP's password_hash() and password_verify() instead. If you're running a PHP version lower than 5.5 (which I really hope you aren't), you can use the password_compat library to get the same functionality.

- Magnus Eriksson

Since this is ajax request,we need to send some response from server. As you did in your question check if(response=='success'). To do that, you need to send success to your client. If everything is ok (data send to server and query) then in your login.php edit this line

if($password == $dbpass) {
    $_SESSION['user'] = $username;
     //comment this line
    //header('Location: admin.php');
    echo "success";
} else {
    $_SESSION['error'] = 'Wrong username or password!';
}

Here I put one line code echo "success"; and I believe this will resolve your issue.