I am using a simple insert script function to pass the values from the registration HTML page to the register PHP page. Here is my script:

function insert() {
// Optional: Show a waiting message in the layer with ID insert_response
document.getElementById('insert_response').innerHTML = "Just a second...";
// Required: read all the form fields. Use encodeURI() to solve some issues about character encoding.
var dispname= encodeURI(document.getElementById('disp_name').value);
var firstname= (document.getElementById('first_name').value);
var lastname= (document.getElementById('last_name').value);
var gender= (document.getElementById('genderreg').value);
var day= (document.getElementById('day').value);
var month= (document.getElementById('month').value);
var year= (document.getElementById('year').value);
var country= (document.getElementById('countryreg').value);
var city= (document.getElementById('cityreg').value);
var suburb= (document.getElementById('suburbreg').value);
var email= (document.getElementById('emailreg').value);
var password= (document.getElementById('regpassword').value);
var code= (document.getElementById('code').value);
var service= (document.getElementById('termservice').value);

// Set the random number to add to the URL request
var nocache = Math.random();
// Pass the registration variables as URL variables (no stray spaces after '=')
http.open('get', 'register_insert.php?site_url='+dispname+'&fname='+firstname+'&lname='+lastname+'&gender='+gender
       +'&day='+day+'&month='+month+'&year='+year+'&country='+country+'&city='+city+'&suburb='+suburb
       +'&email='+email+'&password='+password+'&code='+code+'&service='+service+'&nocache='+nocache);
http.onreadystatechange = insertReply;
http.send(null);
}

I just have a small question: is it good practice to pass the password values like this from the HTML page to the PHP page? If it is not a good idea, then what is the best way to do so?

Thanks in advance for suggestions.

+3  A: 

Hello,

Sending the password in this manner is no different from a regular form submission via GET. Generally, however, you would use POST. The downside to using GET is that the password will appear in the URL. If you care about security, you should be using SSL.

Consider using a JS library like jQuery... it would make what you are doing above very easy.

majestiq
Note, regardless of whether you use SSL or not, don't pass passwords in your URLs/GET; the passwords are then logged, which creates another possibility for theft.
altCognito
+4  A: 

Yeah, ordinarily I wouldn't immediately suggest that someone go to a JavaScript library, but I make an exception for AJAX. Getting that sort of thing to work cross-browser is just plain not-worth-it. Go for jQuery and save yourself a heap of stress.

Also take a look at the jQuery Form Plugin - it'll do all this for you in a very easy way. The site is at http://malsup.com/jquery/form/ but going there now, my browser is being redirected to a site which Firefox is blocking as a dangerous site, so they might have been hacked or something. (someone please remove this warning if it's been fixed up now)

But to answer your question, I'd use POST data. The general rule of thumb is that if you're retrieving something, use GET, but if you're sending or changing something, use POST.

Another quick pointer is that the code could be made a lot more legible by doing something like this:

var fields = ['disp_name', 'first_name', 'last_name', 'genderreg' /* etc ... */ ];
var values = {};
for (var i = 0, l = fields.length; i < l; ++i) {
    values[fields[i]] = document.getElementById(fields[i]).value;
}

http.open(
    'get',
    'register_insert.php'
    + '?site_url=' + values.disp_name
    + '&fname=' + values.first_name
    + '&lname=' + values.last_name /* etc */
);

...but it's not really that important I suppose.

nickf
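
Added example, not part of the original thread: the question's insert() reworked to send the same parameters in a POST body, with a helper that shows what ends up in a logged request line for GET versus POST. The parameter names, element ids and register_insert.php come from the question; the function names, the `http`/`onReply` arguments and the simplified log line are assumptions made for illustration.

```javascript
// Request parameter name -> form element id, both taken from the question's script.
var FIELDS = {
    site_url: 'disp_name', fname: 'first_name', lname: 'last_name', gender: 'genderreg',
    day: 'day', month: 'month', year: 'year', country: 'countryreg', city: 'cityreg',
    suburb: 'suburbreg', email: 'emailreg', password: 'regpassword', code: 'code',
    service: 'termservice'
};

// Encode name/value pairs as application/x-www-form-urlencoded.
function encodeForm(values) {
    var pairs = [];
    for (var name in values) {
        if (Object.prototype.hasOwnProperty.call(values, name)) {
            pairs.push(encodeURIComponent(name) + '=' + encodeURIComponent(values[name]));
        }
    }
    return pairs.join('&');
}

// Describe the request without sending it, so GET and POST can be compared.
function buildRequest(method, values) {
    var encoded = encodeForm(values);
    if (method === 'GET') {
        return { method: 'GET', url: 'register_insert.php?' + encoded, body: null };
    }
    return { method: 'POST', url: 'register_insert.php', body: encoded,
             contentType: 'application/x-www-form-urlencoded' };
}

// Simplified request line as access logs record it by default: method and URL, not the body.
function loggedRequestLine(req) {
    return req.method + ' ' + req.url + ' HTTP/1.1';
}

// Browser-only: read the form and POST it. `http` is the XMLHttpRequest object the
// question's script already uses; `onReply` stands in for its insertReply handler.
function insert(http, onReply) {
    var values = {};
    for (var name in FIELDS) {
        values[name] = document.getElementById(FIELDS[name]).value;
    }
    var req = buildRequest('POST', values);
    http.open(req.method, req.url);
    http.setRequestHeader('Content-Type', req.contentType);
    http.onreadystatechange = onReply;
    http.send(req.body);
}
```

On the PHP side the values would then be read from $_POST instead of $_GET. POST only keeps the password out of URLs, history and logs; protecting it in transit is what the SSL advice above covers.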