Ryan Smee
3,392 Points

Is Ajax & PHP a secure way to login?

I have written a basic PHP Script to send login details to a stored procedure in my db to cross reference login details and return a Boolean. I have used Ajax to post from my login form to this script.

Is Ajax a secure method of doing these sorts of transactions? Are there any essential steps to making a PHP & Ajax login more secure against malicious attacks?

Cheers

2 Answers

Stone Preston
42,016 Points

Are you hashing the passwords at all?

Ryan Smee
3,392 Points

What do you mean by hashing the password? I'm using input type password so that it *s it out?

A simplified version of my JS is:

$('#jsLoginBut').click(function() {

    var username = $("#username").val();
    var password = $("#password").val();
    // encode each value so a '&' or '=' typed into the password does not
    // split the query string into extra parameters
    var dataString = 'username=' + encodeURIComponent(username) +
                     '&password=' + encodeURIComponent(password);

    if ($.trim(username).length > 0 && $.trim(password).length > 0) {
        $.ajax({
            type: "POST",
            url: "login.php",
            data: dataString,
            dataType: 'json',
            success: function(result) {
                // If login credentials are correct
                if (result[0] !== 0) {
                    // do something
                }
                else {
                    // do something else
                }
            }
        });
    }
    return false; // stop the button from submitting the form normally
});
Stone Preston
42,016 Points

See this article on hashing passwords and PHP. You need to hash your password values. Don't store the actual password in the db; hash what the user enters and compare it to what's in the db to authenticate.

Going off on a tangent here. A trick with jQuery: you don't have to format the data strings themselves. Use jQuery's .serialize() method on the form and it'll extract all the data and return it.

$("#login-form").submit(function() { // when the login form is submitted

    var data = $(this).serialize(); // gets data from the form and returns it back to you

    // run the Ajax request
    $.ajax({
        type: "POST",
        url: "login.php",
        data: data,
        dataType: 'json',
        success: function(result) {
            // If login credentials are correct
            if (result[0] !== 0) {
                // do something
            }
            else {
                // do something else
            }
        }
    });

    return false;
});
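A server-side login.php that does what the answer above describes (hash on registration, verify on login, answer the Ajax call with JSON), added here as an example and not code from this thread. It assumes the page is served over HTTPS, that an assumed db.php defines a PDO connection in $pdo, and a table users(username, password_hash) holding only password_hash() output.

```php
<?php
// login.php: added example, not code from this thread. Assumes HTTPS, a PDO
// connection $pdo from db.php (assumed file), and a table
// users(username, password_hash) that stores only password_hash() output.
declare(strict_types=1);
require __DIR__ . '/db.php';   // assumed to define $pdo
session_start();
header('Content-Type: application/json');

// Registration side: store the bcrypt hash, never the plaintext password.
function store_user(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, password_hash) VALUES (:u, :h)'
    );
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// Login side: fetch the stored hash with a prepared statement (no SQL built
// from user input), then let password_verify() do the comparison.
function check_login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Unknown user: still run a verify against a dummy hash so the response
    // time does not reveal which usernames exist. (Constructed dummy value.)
    $hash = is_array($row)
        ? $row['password_hash']
        : password_hash('dummy-password', PASSWORD_DEFAULT);
    $valid = password_verify($password, $hash);
    return is_array($row) && $valid;
}

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
$ok = $username !== '' && $password !== ''
    && check_login($pdo, $username, $password);

if ($ok) {
    session_regenerate_id(true);      // fresh session id after login
    $_SESSION['user'] = $username;
}
// Same shape the jQuery callback above tests: result[0] is 1 or 0.
echo json_encode([$ok ? 1 : 0]);
```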
Ryan Smee
3,392 Points

Cheers guys! I will add .serialize() and I will have a look through that article and ensure that I am handling my passwords in the correct way etc. :)

Cheers!

If done right, using Ajax to log in is no more secure or insecure than a regular page visit. Either way, you're still sending a POST request to the server, and it's still authenticating you. The only difference is in how the user perceives it. :)