I'm trying to implement an authentication form.
My current version works. However, is it considered a bad practice to send the password unencrypted, though I'm using POST?
JavaScript:
$.ajax({
    type : "POST",
    url : "script.php",
    data : {
        q : "login",
        user: $("#user").val(),
        pass: $("#pass").val()
    },
    success : function(data) {
        if (data) {
            alert("VALID");
        } else {
            alert("INVALID");
        }
    }
});
PHP:
if (isset($_POST["q"]) && $_POST["q"] == "login") {
    $user = $_POST["user"];
    $pass = $_POST["pass"];
    // Bind the user name as a query parameter instead of concatenating it into the SQL string
    $sql = "SELECT user, pass FROM users WHERE user = ?";
    $stmt = sqlsrv_query($conn, $sql, array($user));
    if ($stmt === false) {
        die(print_r(sqlsrv_errors(), true));
    }
    $row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC);
    // Release the statement and connection before replying
    sqlsrv_free_stmt($stmt);
    sqlsrv_close($conn);
    // An unknown user yields no row; treat that as invalid instead of reading a missing "pass" key
    $valid = is_array($row) && password_verify($pass, $row["pass"]);
    // Echo "1" for a valid login and an empty body otherwise, so the JS `if (data)` check works
    echo $valid ? "1" : "";
    exit();
}
Is there a best practice for sending a password from JS (Ajax) to PHP?
is it considered a bad practice to send the password unencrypted
Yes, very bad.
Is there a best practice for sending a password from JS (Ajax) to PHP?
Whether the request is made via a standard page load or an Ajax request is irrelevant. Whether the request is made to PHP or another system is irrelevant. Whether you're using GET or POST is irrelevant. If you're sending passwords, use HTTPS, always. If the cost of an SSL certificate is stopping you, you can get free ones at letsencrypt.org.
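One way to enforce this answer on the server, as an added example that is not part of the question's or answer's code: a guard at the top of script.php that refuses the login POST unless the connection is TLS-protected and sends an HSTS header so browsers stay on HTTPS. The trusted proxy address and the idea of a TLS-terminating proxy in front of PHP are assumptions for illustration.

```php
<?php
// Added example: place before any line that reads $_POST["pass"].

// Returns true only when PHP itself sees a TLS connection, or when a trusted
// reverse proxy (assumed to be the only host allowed to reach PHP over plain
// HTTP) reports that the client-facing leg was HTTPS.
function request_is_https(array $server, array $trusted_proxies): bool
{
    if (!empty($server["HTTPS"]) && strtolower($server["HTTPS"]) !== "off") {
        return true;
    }
    // X-Forwarded-Proto can be set by any client unless the proxy that adds it is
    // trusted, so honour it only for connections arriving from a known proxy address.
    $from_proxy = isset($server["REMOTE_ADDR"])
        && in_array($server["REMOTE_ADDR"], $trusted_proxies, true);
    return $from_proxy
        && isset($server["HTTP_X_FORWARDED_PROTO"])
        && strtolower($server["HTTP_X_FORWARDED_PROTO"]) === "https";
}

// Assumed placeholder: addresses of your own TLS-terminating proxies, if any.
$trusted_proxies = ["10.0.0.5"];

if (!request_is_https($_SERVER, $trusted_proxies)) {
    // Do not process the credentials. A 403 is used rather than a redirect to the
    // https:// URL: a password that already crossed the wire in clear text cannot
    // be un-exposed, and a redirected POST would only invite the client to retry.
    http_response_code(403);
    header("Content-Type: text/plain");
    echo "Login is only accepted over HTTPS.";
    exit();
}

// Tell browsers to use HTTPS for every future request to this host for one year.
header("Strict-Transport-Security: max-age=31536000; includeSubDomains");

// ... the login handling from the question follows here ...
```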