0

I've created a jquery dialog modal box for logging into my website:

$('#login').dialog({
  modal: true,
  position: 'center',
  autoOpen: false,
  title: 'Login',
  height: '750px',
  width: '300px',
  zIndex: 9999,
  closeOnEscape: false,
  buttons: {
    'Login': function() {
      $(this).dialog('close');
      $('#mask').hide();
      Login();
    },
    'Cancel': function() {
      $(this).dialog('close');
      $('#mask').hide();
    }
  }
});

I've created a php function called Login() in a separate php file, is it possible for me to call that php function when they click on the Login button? If not, how can I get that dialog's Login box to use php to attempt logging in.

Improve this question

2 Answers 2

Reset to default
7

Update: Do this over an SSL connection for true security

You simply need to make a behind-the-scenes request using AJAX. For example, $.post in jQuery.

  1. Click Login
  2. Get username/password from dialog.
  3. $.post() it to the /login.php file that contains the login code
  4. Process this request in PHP.
  5. Output one thing if the login is succesful, or another if it fails.
  6. Recieve this output in the callback function of $.post
  7. Either call window.location = '/nextpage.php' or display an error message.

As per http://docs.jquery.com/Ajax/jQuery.post, you have 4 arguments to $.post:

$.post( url, [data], [callback], [type] )

so that

function onLogin(data)
{
    if(data['success'])
        window.location = 'nextpage.php';
    else
        alert(data['error']);
}

var u = get_username_from_form();
var p = get_password_from_form();

$.post(
   '/login.php', 
   {username: u, password: p}, 
   onLogin, 
   'json' 
)

and in the file login.php, you would:

<?php

$username = (isset($_POST['username']) ? $_POST['username'] : '');
$password = (isset($_POST['password']) ? $_POST['password'] : '');

//Assuming you wrote the authenticate() function
if(authenticate($username, password))
{
   echo json_encode(array('success' => true));
   exit;
}
else
{
   echo json_encode(array('success' => false, 'message' => 'Login Failed!'));
   exit;
}
Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

What an answer! :) This says it all, deleting mine.
I should be writing my code for a December 31 deadline, not coding out SO questions, but... lol.
Great info @gahooa, thank you. Could you elaborate a bit on the process for setting u and p in your jquery? Specifically the process for passing the $_POST values from PHP to javascript. Thanks!
0

@gahooa:

this is a great answer! however, you'll definitely want to use an message digest on that password (preferrably with some padding) to make it so that people can't see their username / password clear text.

http://pajhome.org.uk/crypt/md5/scripts.html Here's a great set of JavaScript that will encrypt the information before you send it over the network.

Basically the concept is that you can store the user's password as this encrypted format (also a really good idea) or dynamically compute them if you wish, but after both have been digested they should match.

And then you'd add just 1 function to (gahooa's code):

$.post(
   '/login.php', 
   {username: u, password: hex_md5(p)}, // here
   onLogin, 
   'json' 
);

This is not the most secure that you can be, as you could consider doing a salt as well, where you do this:

var salt = '$@.@^-^$'; // any random value with $p3c14l ch@|2$ (special chars)

$.post(
   '/login.php', 
   {username: u, password: hex_md5(hex_md5(p) + salt)}, // here
   onLogin, 
   'json' 
);

then in the server-side authentication function you'd do a comparison of the hashed values, i.e.:

<?php

    $salt = '$@.@^-^$'; // same as on client-side

    function authenticate( $user, $pass ){
       ...
       if( md5( md5( $storedPassword ) . $salt ) == $_POST['username'] ){ ... }
       ...
    }

?>

or, like I said, you could store the already hashed version

md5( md5( $_POST['signup_password'] ) . $salt )

of users' passwords when they sign up (and convert all existing ones)

Improve this answer

4 Comments

In the javascript, when I call hex_md5(password), it fails. and doesn't do a POST request. Any idea why?
you have to download the md5 scrip from the URL I gave you, host it on your site, and include the script on your page with <script url="/wherever/it/is/md5.js"></script>
You are effectively making the password a 32 char string. It would be trivial to intercept this (on an open network) and login as the user anytime I want to. This is the kind of problem that SSL was designed to solve.
yes, SSL is a good solution for encrypting your data, but why not use message digest as well? the reason I hash passwords is to avoid attackers re-using the same credentials on a different site. for instance, if I authenticate to your site and it hashes the password before it is transmitted, tell me the clear text password from this: 2eb60122b172ade05b997a68274236f3. i'll even give you the alg order: md5( '$@.@^-^$' + md5( password ) ). post it here when you crack it, :D

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.