I'm really confused with hashing password when sending via ajax and sanitizing and validating the login in php.
Should I hash passwords before sending it via ajax?If I do what about sanitizing and validating hashed-password and storing another hash of ajax submitted hashed-password in database?
I know hashing a javascript hashed-password doesn't make any sense here.
Anyone can tell what is the best practice for sending passwords via ajax and sanitizing/validating in php.
The common approach is to send the passwords as plain text to the server (making an AJAX call, in your case) and then in server make the hashing, before you hit the database either for creating a new user of checking if the inserted password is the correct one.
If you aren't using HTTPS on the wire, you might want to perform the hash on the client just to make it a bit harder for a hacker to retrieve the cleartext password. It's still best to use HTTP of course.
There's also a cryptographic protocol called Secure Remote Password, which is intended to make it harder to dictionary attack the user's password. It takes a bit of work to implement, though.
http://en.wikipedia.org/wiki/Secure_Remote_Password_protocol