I'm not entirely sure but if you're using the same hash at the client in JavaScript as you are at the back-end in PHP then I think you might be giving away the hashed password...or something along those lines.'
I have had interest in this issue but the problem always remains: the hacker can simply visit the site and look at the JavaScript code if they want. This would only prevent people who want quick access.
So we end up going back (I think) to the idea that only SSL can be a secure form of sending passwords. However I'm hardly a security guru but I'd love to implement a more secure way of submitting a password. You may want to submit this to the security forum here though I think the clientside forum was a good choice to post this in to as well.
If you salt + hash the password and store used salts to detect repeated salt attempts as hacks ( playbacks ), you can rule out reverse engineering and playback exploits, but each salted hash lets an attacker rule out a large # of possible brute force options