AJAX / PHP, POST question.

Get help using Construct 2

Post » Tue May 19, 2015 6:48 pm

I'm just returning to this after a break. I understand the basics of C2 and PHP etc., but I'm having a bit of trouble getting my head around a few things, because when I check PHP tutorials / articles online, they usually assume the request has come from a form or a URL. So in short, let's say I'm sending a login request to my server from C2, what do I send and how do I retrieve it in PHP?

E.g. C2 would be something like AJAX - Post to URL, I use a tag, the URL for the PHP script, 'POST' and the data. How do I post the data? Do I just send a string, e.g. the username that he typed?

I've managed to produce a script which collects the data and echoes it back out and I also know how to add it to my database, but I want to sanitize it first. Most PHP articles suggest something like ..

$myusername=mysqli_real_escape_string($db,$_POST['username']);

How does the POST find 'username' from my C2 string? Do I need to add something like 'username=name' as part of the string I'm sending from C2?

Post » Tue May 19, 2015 7:41 pm

There are 2 common ways to send data to your php server from a webpage and both in essence are the exact same process.

1) POST - Request: This is most common for form submission (i.e. username and password text boxes that submit those variables to a URL). The variables are sent behind the scenes, somewhat protected from general view. The user is taken to mydomain.com but the data you sent was passed in the request body and not out in the open for the user to see.

Pros: data is hidden from plain view and more secure

2) GET - Request: This is most common for page drawing and not for sending sensitive information, and is passed in the URL param string (i.e. mydomain.com?version=1)
This sends a request to a URL just like the POST does, but the data you are passing is not hidden behind the scenes and is out in the open, attached to the end of the URL for the user to see.

Pros: when the page loads that param is still at the top, so all future AJAX requests from that domain will also have this param attached to them

Both of these methods however require the browser to reload a URL or go to a new one to pass this data to the server. Sometimes you may just want to send data but not have to reload the entire page for the user. This is where AJAX comes in. AJAX can do either of those by faking a form submission or URL request and then returning whatever the server echoed back.

PHP sees an AJAX request no different than a form submission or URL page request. It's all the same. PHP gives you 3 global arrays for accessing them:

$_POST - this global var will contain any variables sent from a form submission
$_GET - this global var will contain any variables that were sent in the URL string
$_REQUEST - this gets both. I don't see many people use this but it's my favorite, as I can use it for testing (putting params in the URL) or production (actually POST'ing them)

And as you would expect the AJAX plugin in C2 supports both :) ..in truth it really doesn't matter which you choose since AJAX is hidden anyway (keep in mind you can press F12 on any browser and see it in the network traffic, so no, it's not completely hidden, it's just out of plain view of the user)

Now when you are posting variables to PHP that will end up in a SQL command you need to protect your SQL database from injection. Imagine you have a SQL command like this

$username = $_REQUEST['username'];
// Vulnerable: the value is interpolated straight into the statement text
$sql = "SELECT * FROM users WHERE username='$username';";

If you think about it for a sec, if some guy that understands SQL, instead of typing "troublesum" in the username text box you provided, types "troublesum'; DROP TABLES", SQL will execute the two queries, both selecting the user and DROPPING ALL YOUR TABLES. You need to protect against this and make sure SQL treats the entire $username var as a string and doesn't allow additional commands. That's where mysqli_real_escape_string() comes in. This will add slashes to those dangerous chars ; ' that allow them to hijack your command, and SQL will see the whole thing as one long username, which of course SQL won't find because the username "troublesum'; DROP TABLES" doesn't exist.

I think that about covers POST GET SQL 101 for today. :) good luck

Post » Tue May 19, 2015 8:07 pm

Thanks, lots of really useful advice there :)

I've got it working now, I was making some minor errors. I'm using PDO on the server side, so the solution to protecting against injects appears to be the bindparam instruction. I was confused about the very basics of how to send my username as part of the post in C2, but I think it's simply...

UserName=&Textbox.Text (build as a string, then send in the 'data' part of the AJAX Post to URL).

Then at my server side, I now have....

// Already connected to database....
$UserName = trim($_POST['UserName']);
echo $UserName; // Obviously this is just for testing, it's picked up by C2 as the AJAX.LastData

$db->beginTransaction();

try {
    $query = $db->prepare("INSERT INTO Users
        (Name)
        VALUES (:Name)");

    $Name = $UserName;

    // The bound value is sent as data, never parsed as part of the SQL text
    $query->bindParam(':Name', $Name, PDO::PARAM_STR);

    $query->execute();
    $db->commit();
} catch (PDOException $e) {
    $db->rollBack(); // undo the partial transaction if the insert failed
    throw $e;
}

Not sure if this is all a bit over-cautious, but it does work. From what I've read, the whole 'bindparam' procedure does protect from injects etc anyway.

One thing that was causing me problems was the strict capitalization rules. For example, 'Username' and 'UserName' are not the same, so that sent me wrong a few times :)

Thanks again for your input, that really helped :)
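To tie the two replies together, here is an added example (not code from the thread or from Construct 2) showing how a data string such as "UserName=...&Password=..." is decoded into $_POST, how the $_POST-then-$_GET lookup that $_REQUEST does can be written explicitly, and why the PDO prepared statement from the last reply keeps the "troublesum'; DROP TABLES" value from the earlier reply as plain data. It assumes the C2 AJAX plugin sends the data string as a form-urlencoded body (which is what makes the thread's $_POST['UserName'] work), and it uses an in-memory SQLite database so it runs offline; the Users table, the Id column and the sample field values are constructed for the example.

```php
<?php
// Added example, not the thread's own code. Constructed inputs throughout.
declare(strict_types=1);

// 1. What the AJAX "Post to URL" data string looks like on the wire and how PHP
//    decodes it. For a real request PHP does this itself and fills $_POST;
//    parse_str() performs the same application/x-www-form-urlencoded decoding.
function decodeFormBody(string $body): array
{
    parse_str($body, $fields);
    return $fields;
}

// Constructed body. Each value must be URL-encoded by the client, otherwise a
// value containing '&' or '=' would be split into extra fields.
$rawBody = 'UserName=' . rawurlencode("troublesum'; DROP TABLES")
         . '&Password=' . rawurlencode('p&ss=word');
$fields  = decodeFormBody($rawBody);
// $fields['UserName'] is "troublesum'; DROP TABLES", $fields['Password'] is "p&ss=word"

// 2. Reading a field the way the reply describes $_REQUEST: POST first, then GET.
//    Keys are case-sensitive, so 'UserName' and 'Username' are different fields.
function requestParam(array $post, array $get, string $name): ?string
{
    $value = $post[$name] ?? $get[$name] ?? null;
    return is_string($value) ? trim($value) : null;
}

// 3a. The vulnerable form: the value is interpolated into the statement text,
//     so the quote and semicolon become part of the SQL. Only built here as a
//     string to show what the database would have received; it is never run.
function interpolatedLookup(string $userName): string
{
    return "SELECT * FROM Users WHERE Name = '$userName'";
}

// 3b. The hardened form: prepared statements with a bound parameter, wrapped in
//     a transaction that is rolled back if the insert fails.
function insertUser(PDO $db, string $userName): void
{
    $db->beginTransaction();
    try {
        $stmt = $db->prepare('INSERT INTO Users (Name) VALUES (:Name)');
        $stmt->bindValue(':Name', $userName, PDO::PARAM_STR);
        $stmt->execute();
        $db->commit();
    } catch (PDOException $e) {
        $db->rollBack();
        throw $e;
    }
}

function findUser(PDO $db, string $userName): ?array
{
    $stmt = $db->prepare('SELECT Id, Name FROM Users WHERE Name = :Name');
    $stmt->bindValue(':Name', $userName, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed schema in an in-memory SQLite database (assumes pdo_sqlite is enabled).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Users (Id INTEGER PRIMARY KEY AUTOINCREMENT, Name TEXT NOT NULL)');

$userName = requestParam($fields, [], 'UserName');

echo "Interpolated SQL would have been:\n  " . interpolatedLookup($userName) . "\n";
insertUser($db, $userName);
$row = findUser($db, $userName);
printf("Stored and found row %d with Name %s\n", $row['Id'], var_export($row['Name'], true));
// The apostrophe and semicolon were stored as ordinary characters: a bound
// parameter is never parsed as SQL, so there is nothing to escape by hand.
```

Two details worth noting from the code: the key names you pick on the C2 side ('UserName' here) are exactly the keys PHP exposes in $_POST, so a typo or capitalisation mismatch simply yields a missing field, and bindValue()/bindParam() remove the need for mysqli_real_escape_string(), which only helps when the escaped value is placed inside a quoted literal and is given the live connection it needs to know the connection's character set.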


Return to How do I....?

Who is online

Users browsing this forum: JoyfulDreamer, StillSarah and 24 guests