phpmysqlajaxsecuritypassword-storage

Is this method of ajax login secure at all?

I am building a login form using ajax php and MySql.

I've done my fair share of research and I didn't like much posts found online, so I've built the below code.

My question is, is this secure at all? I'm not using any hashing and I'm not sure how it would be done with ajax. All the examples are much appreciated

INDEX.PHP

<script>
$(document).ready(function(){

    $('form[name=loginForm]').submit(function() {

        $.post('ajax.php', {    username: $('[name=username]').val(), 
                                password: $('[name=password]').val()},
        function(data){
            if(data.success){

                alert('welcome');

            }else{  
                alert("incorrect"); 
            }
        }, 'json'); 

        return false;   
    });
});
</script>

ajax.php

<?php
if($_POST){

     /** Fetch data from mysql **/
        $u = $_POST['username'];
        $p = $_POST['password'];

    $sql = "SELECT * FROM users WHERE  username='$u' AND password='$p' ";
    $result = $conn->query($sql);

    if ($result->num_rows > 0) {
            while($row = $result->fetch_assoc()) {
                    $_SESSION['userid'] = $row["username"];
                    $_SESSION['userid'] = $row["username"];

                    $data['success'] = true;
                } 
            } 
            else 
            {

                $data['success'] = false;

            }
     /** Fetch data from mysql **/

    echo json_encode($data);
}  ?>

THANKS ALOT

Solution

  • My question is, is this secure at all?

    No, it is not secure.

    I'm not using any hashing and I'm not sure how it would be done with ajax.

    Authentication actually cannot be done with ajax. With respect, you're barking up the wrong tree.

    Start by reading this part of the PHP manual. http://php.net/manual/en/faq.passwords.php Go read it now. We'll wait.

    Welcome back. You should never put your plain text password into a database. If you're not sure why that's true read about the "Ashley Madison data breach" online or go visit https://haveIBeenPwned.com/

    You want to make it as hard as possible for a cybercriminal who steals your user table to guess your users' passwords. If you store them as text, they are trivial to guess.

    Let's say your users are registered already. The point of your password authentication is to

    1. gather the username and password from the user.
    2. look up the user by name in your database, pulling back the hashed password.
    3. compare the hashed password in your database with the one you gathered from the user. php's password_verify() function does this well.
    4. if the validation fails, refuse the user's information. Do not give them any hint what was wrong. Simply tell them "your login failed." You don't want to tell them "you gave the right username but the wrong password."
    5. if the validation succeeds, you then generate a session for that user so they can continue to use other pages in your web app without logging in again. Read about php sessions here.
    6. you use a session id to represent the session. A session id is a hard-to-guess data token with a limited lifetime. php offers a session_create_id() method for this.
    7. you put that session id in a cookie and feed it back to your browser. You can't reliably feed cookies to browsers with AJAX so your authentication strategy won't work.
    8. Subsequent requests to your web app present the session id in the cookie. You check it to make sure it it's valid and it hasn't timed out. Then you do what the user asks you to do.