by andymism
5975 days ago
Yes, this will work if you want to keep from sending the password in plain text. But you should make sure you send the request via POST rather than GET, and know that you are still vulnerable to replay attacks--an attacker could just sniff out the username and hash, which they could present to you and still authenticate on your site (though they wouldn't know the actual password). Also, as far as md5 hashes go, rainbow table lookups work pretty well, so hashing alone won't provide great password security. Another way to solve your problem would be to post to your auth script via SSL. From what I know of SSL (correct me if I'm wrong, please), the handshake and encrypted connection are established before any data is sent, which will protect you against sending passwords in the clear and against password sniffing.
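As an added illustration (not part of andymism's post), the Python sketch below models the hash-only login the post describes, shows the replay it warns about, and contrasts it with a nonce-bound challenge-response that is assumed here for comparison; the user record, password and nonce handling are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed credential store for the post's scheme: the client sends
# md5(password) and the server compares it to the same stored md5.
USERS_MD5 = {"alice": hashlib.md5(b"correct horse").hexdigest()}

def client_hash_only(username, password):
    """Client side of the post's scheme: username plus the bare md5 digest."""
    return username, hashlib.md5(password.encode()).hexdigest()

def server_hash_only(username, sent_digest):
    """Server side: nothing ties the digest to this request, so it replays."""
    stored = USERS_MD5.get(username)
    return stored is not None and hmac.compare_digest(stored, sent_digest)

# Nonce-bound variant (assumed here, not from the post): the server issues a
# fresh random challenge per attempt and the client answers with
# HMAC(md5(password), nonce); each nonce is honoured once, so a sniffed answer fails.
_issued_nonces = set()

def issue_nonce():
    nonce = secrets.token_hex(16)
    _issued_nonces.add(nonce)
    return nonce

def client_nonce(username, password, nonce):
    key = hashlib.md5(password.encode()).hexdigest().encode()
    return username, hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()

def server_nonce(username, nonce, answer):
    if nonce not in _issued_nonces:
        return False  # unknown or already-used nonce: treat as replay
    _issued_nonces.discard(nonce)  # single use
    stored = USERS_MD5.get(username)
    if stored is None:
        return False
    expected = hmac.new(stored.encode(), nonce.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, answer)

def demo():
    """Returns (login, replay) per scheme: (True, True) vs (True, False)."""
    user, digest = client_hash_only("alice", "correct horse")
    hash_only = (server_hash_only(user, digest), server_hash_only(user, digest))
    nonce = issue_nonce()
    user, answer = client_nonce("alice", "correct horse", nonce)
    bound = (server_nonce(user, nonce, answer), server_nonce(user, nonce, answer))
    return hash_only, bound
```

The md5 digest the server stores is exactly what the client transmits, so the store is as sensitive as plaintext; the nonce only closes the replay window and does not replace transport encryption such as SSL.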