
Secure AJAX POST/GET jquery

So basically my question is simple. Imagine a situation where you are making a login or register form. With jquery.post I make an ajax call:

$.post("pages/form_handle.php", { name: $(".username").val(), pass: $(".pass").val() }, function(data) {
    $(".result").html(data);
});

It's a simple call (I believe so)...

How do I make it secure? If a user looks in my source code, he or she knows where I send my data, in the example pages/form_handle.php, and also knows what data I send to this page. One idea I have is to simply send all ajax calls to one page, ajax.php, adding extra variables that will call the right php function for the ajax call... But is that the right way? Or maybe there is some better way to make it secure?

Stick to the basics, and keep salting your passwords.

AJAX is not a server-side language; it's a JavaScript plugin that does the same thing as forms, actions, etc., just in the background as a new request.

Your ajax is not in danger, but your php files are. You can use jquery-validate.js to check the user's input, but you should also do validation checks in your ajax.php.

Here is a simple ajax login request:

function loginUser() {
    var process = "loginUser";                // tells ajax.php which handler to run
    var data = $("form").serializeArray();    // [{name: ..., value: ...}, ...]
    // data[] holds the serialized form fields; adjust a value here if needed
    data = JSON.stringify(data);              // sent to ajax.php as one JSON string

    $("#loginButton").html('Login');
    $.ajax({
        type: "POST",
        url: "ajax.php",
        data: {"process": process, "data": data},
        dataType: "json",                     // ajax.php must answer with JSON
        success: function(data) {
            if (data.response.state == "success") {
                // if ajax.php returns success, redirect to homepage or whatever
            } else {
                // if ajax.php returns failure, display error
            }
        },
        error: function(jqXHR, textStatus, errorThrown) {
            // error handling (network error, non-JSON reply, HTTP error status)
        }
    });
}

And the simple ajax.php login:

<?php // ajax.php
// Note: the mysql_* extension used here was removed in PHP 7; use mysqli or PDO on current PHP.

require_once 'login.php';   // defines $db_hostname, $db_username, $db_password, $db_database

$db_server = mysql_connect($db_hostname, $db_username, $db_password);
if (!$db_server) die("Unable to connect to MySQL: " . mysql_error());
mysql_select_db($db_database)
    or die("Unable to select database: " . mysql_error());

// The credentials are read from the HTTP Basic auth headers here, not from the
// POSTed "data" field that loginUser() above sends.
if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) {
    $un_temp = mysql_entities_fix_string($_SERVER['PHP_AUTH_USER']);
    $pw_temp = mysql_entities_fix_string($_SERVER['PHP_AUTH_PW']);

    $query = "SELECT * FROM users WHERE username='$un_temp'";
    $result = mysql_query($query);
    if (!$result) die("Database access failed: " . mysql_error());

    if (mysql_num_rows($result)) {
        $row = mysql_fetch_row($result);        // $row[3] holds the stored md5 token
        $salt1 = "qm&h*";
        $salt2 = "pg!@";
        $token = md5("$salt1$pw_temp$salt2");   // same scheme used when the password was stored

        // strict comparison: == would compare numeric-looking hex strings as numbers
        if ($token === $row[3]) {
            echo "$row[0] $row[1] : Hi $row[0], you are now logged in as '$row[2]'";
        } else {
            die("Invalid username/password combination");
        }
    } else {
        die("Invalid username/password combination");
    }
} else {
    header('WWW-Authenticate: Basic realm="Restricted Section"');
    header('HTTP/1.0 401 Unauthorized');
    die("Please enter your username and password");
}

function mysql_entities_fix_string($string) {
    return htmlentities(mysql_fix_string($string));
}
function mysql_fix_string($string) {
    if (get_magic_quotes_gpc()) $string = stripslashes($string);
    return mysql_real_escape_string($string);
}

?>
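For comparison, here is an ajax.php written so that its security does not depend on hiding the URL or the field names that any visitor can read in the page source: a prepared statement instead of string-built SQL, password_verify() instead of salted md5, and a session-bound CSRF token checked before the lookup. This is an added example, not code from the answer above; it keeps the answer's process/data POST shape and response.state JSON so loginUser() works unchanged, and it assumes a users table with id, username and password_hash (stored via password_hash()) columns, placeholder DSN and credentials, form fields named username and pass, and a hidden csrf field whose value was put in $_SESSION['csrf'] when the form was rendered.

```php
<?php // ajax.php, hardened version (added example, not the original answer's code)
session_start();
header('Content-Type: application/json');
// Assumed DSN and credentials; keep real ones in a config file outside the web root.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_pass',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);

function respond(string $state, string $message): void {
    echo json_encode(['response' => ['state' => $state, 'message' => $message]]);
    exit;
}

// 1. Only POST, and only the one process this endpoint knows about.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || ($_POST['process'] ?? '') !== 'loginUser') {
    http_response_code(400);
    respond('failure', 'Bad request');
}

// 2. Unpack the serializeArray() payload [{name, value}, ...] into name => value.
$sent = [];
foreach ((array) json_decode($_POST['data'] ?? '', true) as $f) {
    if (isset($f['name'], $f['value'])) $sent[$f['name']] = (string) $f['value'];
}

// 3. CSRF: the hidden "csrf" form field must match the token stored in the session.
if (!isset($sent['csrf'], $_SESSION['csrf']) || !hash_equals($_SESSION['csrf'], $sent['csrf'])) {
    http_response_code(403);
    respond('failure', 'Invalid request token');
}

// 4. Validate shape server-side; jquery-validate on the client is only a convenience.
$username = $sent['username'] ?? '';
$password = $sent['pass'] ?? '';
if (!preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $username) || $password === '') {
    respond('failure', 'Invalid username/password combination');
}

// 5. Parameterised query: the username never becomes part of the SQL text.
$stmt = $pdo->prepare('SELECT id, username, password_hash FROM users WHERE username = ?');
$stmt->execute([$username]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// 6. password_verify() checks a password_hash() value; one message for both failures.
if ($row === false || !password_verify($password, $row['password_hash'])) {
    respond('failure', 'Invalid username/password combination');
}

session_regenerate_id(true);            // new session id after login (session fixation)
$_SESSION['user_id'] = (int) $row['id'];
respond('success', "Hi {$row['username']}, you are now logged in");
```

The client still sees the URL and field names, which is fine: every check that matters runs on the server, and nothing in the page source lets a caller skip one.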
