[SOLVED] It still shows as GET while I use POST

Get help using Construct 2

Post » Thu Apr 23, 2015 1:15 pm

Turns out ajax is misfiring POST as GET...
Not sure why yet..
Last edited by UberDark on Sun Apr 26, 2015 2:50 pm, edited 4 times in total.

Post » Thu Apr 23, 2015 1:26 pm

You have to sanitize the date whether it's GET or POST

Use mysqli_real_escape_string

http://php.net/manual/en/mysqli.real-escape-string.php

and use htmlspecialchars http://php.net/htmlspecialchars when echoing anything back to screen

Post » Thu Apr 23, 2015 1:32 pm

frozenpeas wrote: You have to sanitize the date whether it's GET or POST


*scratches head..
I just have no clue what that means sorry.

And regarding the charset.. Doesn't Construct 2 determine the charset used?
I understand PHP and MySQL can also specify this but I am assuming we have to comply with what Construct 2 does? I am so in over my head hahaha

Post » Thu Apr 23, 2015 1:36 pm

Basically, clean the data before it gets anywhere near the database; mysqli_real_escape_string will achieve this.

$username = mysqli_real_escape_string($con, $username); // $con is the mysqli connection

etc

Post » Thu Apr 23, 2015 1:39 pm

Ah I see.. data, not date.. That was confusing :)
Thanks frozenpeas! Will see how far I get.

P.S.
So I don't have to use POST in this to make it secure? I got told with GET you can just see it in console view of the browser?

Post » Thu Apr 23, 2015 3:15 pm

Sorry, just noticed the typo :oops:

Not sure about viewing POST and GET variables in the console though. Trying one then the other, I suppose, is the answer.

Post » Thu Apr 23, 2015 4:24 pm

Well, the big issue I have is that people can see the data sent. In this case the username and password.
I know there is
$username = $_GET['fname'];
$password = $_GET['fpass'];
I have tried simply replacing the word GET with POST but that seems to stop the PHP script from working.
But there is more that I don't understand.

In Construct 2 there is the option to use AJAX to 'request url' and 'post to url'. I have tried both but both show in the console in the browser.

So the two questions I have are..

1- Do I need to use the 'post to url' in my event sheet to make the data invisible?
2- How do I convert the bit of PHP to use POST instead of GET and does that make it invisible?

I just don't want everyone with a tiny bit of knowledge to see the username and password.

Hard to understand; the tutorial I am using is on this website and it uses GET in both PHP and AJAX. But then it states it is not a very secure way, however that it can be made more secure. The tutorial is more than two years old but there are no relevant posts on the Scirra forums to make it secure. There is not even a post regarding how to use the AJAX function 'post to url' properly on here except the manual entry, which doesn't explain my question. Is there a better way to go about this or something? Does nobody have large data sets to load or compare to a database? Now somebody mentioned somewhere else on this forum I should use JSON instead and load all my database into an array from a JSON file. *sigh* Then why is this AJAX even an option? And why is that tutorial still up if it is not really advised to use that method? *Bllllarg

Post » Thu Apr 23, 2015 6:05 pm

2- How do I convert the bit of php to use POST instead of GET and does that make it invisible?

$username = $_GET['fname'];
$password = $_GET['fpass'];

Will become

$username = $_POST['fname'];
$password = $_POST['fpass'];

Sorry can't help you on any of the Construct 2 options. I've only had the program a week.

Post » Thu Apr 23, 2015 6:45 pm

Well, like I said. I have tried exactly that (replacing the word GET with POST) but then it suddenly does not work anymore. Every username/password combination will come back as not found pretty much. So not sure what is going on there. As far as I have found on forums it should not make a difference in the data that is returned. I must add that even when it is POST it is still visible in the console of the browser so I am just guessing it is visible because of the Construct 2 settings.. When I change the Construct 2 event to 'post to url' as well though it is still visible. :?:

*Aaaarg :(
Thank you for the help so far. I do really appreciate it. Have been stuck on this tutorial for days now and not many people seem to have actually got the thing to work or can actually answer the specific questions. What good is it if it is not secure and people can hack it easily, right?

Post » Thu Apr 23, 2015 7:21 pm

UberDark wrote: Well, the big issue I have is that people can see the data sent. In this case the username and password.
I know there is
$username = $_GET['fname'];
$password = $_GET['fpass'];
I have tried simply replacing the word GET with POST but that seems to stop the PHP script from working.
But there is more that I don't understand.

In Construct 2 there is the option to use AJAX to 'request url' and 'post to url'. I have tried both but both show in the console in the browser.

So the two questions I have are..

1- Do I need to use the 'post to url' in my event sheet to make the data invisible?
2- How do I convert the bit of PHP to use POST instead of GET and does that make it invisible?

I just don't want everyone with a tiny bit of knowledge to see the username and password.

Hard to understand; the tutorial I am using is on this website and it uses GET in both PHP and AJAX. But then it states it is not a very secure way, however that it can be made more secure. The tutorial is more than two years old but there are no relevant posts on the Scirra forums to make it secure. There is not even a post regarding how to use the AJAX function 'post to url' properly on here except the manual entry, which doesn't explain my question. Is there a better way to go about this or something? Does nobody have large data sets to load or compare to a database? Now somebody mentioned somewhere else on this forum I should use JSON instead and load all my database into an array from a JSON file. *sigh* Then why is this AJAX even an option? And why is that tutorial still up if it is not really advised to use that method? *Bllllarg


I had to use POST in one of my projects to send different arrays (and save them in a JSON file with PHP) to make the savegame for every user, and that works perfectly..

If you use the POST method, in Construct 2 it would be:

Post to url:

Tag: "somename"

URL: link of your php file

data: "username="&usernameC2&"&"&"password="&passwordC2

method: POST

The PHP would be:

$username= mysqli_real_escape_string($con,$_POST['username']);
$password= mysqli_real_escape_string($con,$_POST['password']);

And when you have the connection with your database, just start a query:

$sql1="INSERT INTO user(username, password)
VALUES
('$username','$password')";
mysqli_query($con,$sql1);


This works for me... If you have an error, on your server (where the PHP file is) the server will make a file with the name of the error, and you can check the Chrome console when you try to send data to see any errors.

For more information about POST and GET: http://www.w3schools.com/tags/ref_httpmethods.asp
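The advice given across this thread (send credentials with POST, keep input out of the SQL text, escape with htmlspecialchars on output), put together as an added example; it is not code from any poster or from the tutorial. It goes beyond the posts by using bound parameters and password_hash in place of escaping and a plain-text password column. Assumptions: an in-memory SQLite database via PDO stands in for MySQL so the script runs offline, the table and field names follow the last post, and the password_hash column and the register/login function names are hypothetical.

```php
<?php
// Added example: in-memory SQLite stands in for the thread's MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

function register(PDO $db, string $username, string $password): void
{
    // Store a salted hash, never the password itself.
    $stmt = $db->prepare('INSERT INTO user (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

function login(PDO $db, string $method, array $post): string
{
    // Refuse GET so credentials never land in URLs, browser history or access logs.
    if ($method !== 'POST') {
        return 'method not allowed';
    }
    $username = $post['username'] ?? '';
    $password = $post['password'] ?? '';
    if (!is_string($username) || !is_string($password) || $username === '') {
        return 'missing fields';
    }
    // Bound parameters keep the input out of the SQL text entirely.
    $stmt = $db->prepare('SELECT password_hash FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return 'login failed';
    }
    // Escape on output, as advised earlier in the thread.
    return 'welcome ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
}

// Constructed sample accounts and requests (not taken from the thread).
register($db, 'alice', 'correct horse');
register($db, '<b>bob</b>', 'hunter2');
$requests = [
    ['GET',  ['username' => 'alice', 'password' => 'correct horse']],
    ['POST', ['username' => 'alice', 'password' => 'correct horse']],
    ['POST', ['username' => "alice' OR '1'='1", 'password' => 'x']],
    ['POST', ['username' => '<b>bob</b>', 'password' => 'hunter2']],
];
foreach ($requests as [$method, $fields]) {
    echo $method, ' => ', login($db, $method, $fields), PHP_EOL;
}
```

On a web server the arguments to login() would be $_SERVER['REQUEST_METHOD'] and $_POST. The request body still shows in the sender's own browser console with either method, so protection in transit comes from HTTPS rather than from choosing POST.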
