I'm trying to implement an authentication form.
My current version works. However, is it considered bad practice to send the password unencrypted, even though I'm using POST?
JavaScript:
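// Submits the login form fields to script.php and reports the outcome.
//
// Transport note: POST only moves the fields from the URL into the request
// body; the method itself encrypts nothing. The password is protected in
// transit only when both this page and script.php are served over HTTPS.
$.ajax({
    type: "POST",
    url: "script.php",
    data: {
        q: "login",
        user: $("#user").val(),
        pass: $("#pass").val()
    },
    success: function (data) {
        // The server answers "1" for a valid login and an empty body
        // otherwise. Compare against that exact value instead of testing
        // truthiness, so that any other non-empty body (for example error
        // text) is not reported as a successful login.
        if (String(data).trim() === "1") {
            alert("VALID");
        } else {
            alert("INVALID");
        }
    },
    error: function () {
        // Transport or server failure: never present it as a valid login.
        alert("INVALID");
    }
});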
PHP:
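// Login endpoint: checks the posted credentials against the users table and
// answers with the body "1" (valid) or an empty body (invalid), which is what
// the Ajax caller's check expects.
//
// Transport note: POST does not encrypt anything. The password is protected
// in transit only when this script is served over HTTPS (TLS). Hashing the
// password in the browser is not a substitute, because the hash would then
// simply become the replayable credential.
if (isset ( $_POST ["q"] ) && $_POST ["q"] === "login") {
    // Request fields are untrusted: a missing or array-valued field
    // (e.g. user[]=x) is reduced to an empty string so it can never match.
    $user = (isset ( $_POST ["user"] ) && is_string ( $_POST ["user"] )) ? $_POST ["user"] : "";
    $pass = (isset ( $_POST ["pass"] ) && is_string ( $_POST ["pass"] )) ? $_POST ["pass"] : "";

    // Bound parameter instead of string concatenation: the user name is sent
    // to the driver as data and can no longer alter the SQL statement.
    $sql = "SELECT user, pass FROM users WHERE user = ?";
    $stmt = sqlsrv_query ( $conn, $sql, array ( $user ) );
    if ($stmt === false) {
        // Driver errors describe the query and schema; keep them in the
        // server log and give the client nothing but a generic failure.
        error_log ( print_r ( sqlsrv_errors (), true ) );
        sqlsrv_close ( $conn );
        http_response_code ( 500 );
        exit ();
    }

    $row = sqlsrv_fetch_array ( $stmt, SQLSRV_FETCH_ASSOC );

    // Release the statement and connection before answering; the original
    // placed these calls after die(), where they were never reached.
    sqlsrv_free_stmt ( $stmt );
    sqlsrv_close ( $conn );

    // No row (unknown user) or a NULL hash column counts as a failed login.
    $hash = (is_array ( $row ) && isset ( $row ["pass"] ) && is_string ( $row ["pass"] )) ? $row ["pass"] : "";
    $valid = $hash !== "" && password_verify ( $pass, $hash );

    // NOTE(review): an unknown user skips password_verify(), so response time
    // may reveal whether an account exists; consider rate limiting and a
    // constant-cost path for the not-found case.
    // NOTE(review): nothing in this block records the login server-side (no
    // session is started here); the "1" response alone must not be what gates
    // later requests.

    // Explicit body instead of die(true)/die(false), so the response does not
    // depend on how exit treats a boolean argument.
    echo $valid ? "1" : "";
    exit ();
}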
Is there a best practice for sending a password from JS (Ajax) to PHP?