
Good day. I would like to use an AJAX function to transfer data to my PHP page, but I am using a $_GET variable for verification purposes. When I put

$.ajax({
    type: "POST",
    url: "coordsave.php?username=<?php echo($_GET['username']);?>",
    data: {x: pos_x, y: pos_y,}
}).done(function( msg ) {
    alert( "Data Saved: " + msg );
});
}  // closes the enclosing function, which is not shown

and here is the php page that it sends data to

$x_coord=$_POST["x"];
$y_coord=$_POST["y"];
$id=$_GET["username"];

//Setup our Query
$sql = "UPDATE $coords SET x2='$x_coord', y2='$y_coord' WHERE user_uname='$id'";

//Execute our Query
if (mysql_query($sql)) {
    echo "success $x_coord $y_coord ";
} else {
    die("Error updating Coords :".mysql_error());
}

Thanks for the help. I really need it. :)

bjmonts
  • You cannot verify anything using data from the client. – SLaks Jan 19 '14 at 14:25
  • It looks like it should work like this. Can you post the entire code? And as @SLaks pointed out, you have a security problem. Check out this page: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – mogosselin Jan 19 '14 at 14:25
  • You have a SQL injection vulnerability. – SLaks Jan 19 '14 at 14:25
  • Just a friendly reminder.. You can use `<?= $_GET['username'] ?>` instead of `<?php echo($_GET['username']); ?>` – MortenMoulder Jan 19 '14 at 14:26
  • only works if short tags are enabled ^ – I wrestled a bear once. Jan 19 '14 at 14:27
  • You also have an XSS vulnerability. – SLaks Jan 19 '14 at 14:31
  • **[XSS](http://en.wikipedia.org/wiki/Cross-site_scripting)**, **[SQL Injection](http://en.wikipedia.org/wiki/SQL_injection)** – mpyw Jan 19 '14 at 15:19
  • I'm not that strict when it comes to security yet, because this is just run on a local server and this project is for my school requirement. Got it to work though: I used location.search.split('username=') to get the username from the URL and use it in the AJAX function. Thanks for the help guys. :) – bjmonts Jan 21 '14 at 00:22

1 Answer


JavaScript

$.ajax({
    type: "POST",
    url: "coordsave.php?username=<?php echo(htmlspecialchars(isset($_GET['username']) ? $_GET['username'] : '', ENT_QUOTES, 'UTF-8'));?>",
    data: {x: pos_x, y: pos_y,}
}).done(function( msg ) {
    alert( "Data Saved: " + msg );
});
}  // closes the enclosing function, which is not shown

PHP

header('Content-Type: text/plain; charset=utf-8');

// Check presence first, then read the value. Writing "$x = isset(...) or die(...)"
// would store the boolean result of isset() in $x, because "=" binds tighter than "or".
isset($_POST["x"]) or die('Param x required with POST');
isset($_POST["y"]) or die('Param y required with POST');
isset($_GET["username"]) or die('Param username required with GET');
$x  = $_POST["x"];
$y  = $_POST["y"];
$id = $_GET["username"];

//Setup our Query (values escaped for the existing mysql_* connection)
$sql = sprintf(
    "UPDATE table_name SET x2='%s', y2='%s' WHERE user_uname='%s'",
    mysql_real_escape_string($x),
    mysql_real_escape_string($y),
    mysql_real_escape_string($id)
);

//Execute our Query
if (mysql_query($sql)) {
    echo "success $x $y";
} else {
    die("Error updating Coords :" . mysql_error());
}

However, all mysql_* functions are officially deprecated, so you should use PDO or Mysqli.

mpyw
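The comments on the question raise three points (the username cannot be verified from client-supplied data, the query is open to SQL injection, and echoing $_GET into the script is an XSS vector), and the answer closes by recommending PDO or MySQLi over the deprecated mysql_* functions. The following coordsave.php is an added example, not code from the question or from mpyw's answer, that applies all of those at once: the identity comes from the server-side session instead of the query string, the coordinates are validated as integers, and the update runs as a PDO prepared statement. The table and column names (coords, x2, y2, user_uname), the session key, the DSN and credentials, the coordinate range, and PHP 7.1 or later are all assumptions for illustration.

```php
<?php
// Added example (not from the question or the answer): coordsave.php rebuilt so
// that the user identity comes from the session, inputs are validated, and the
// UPDATE uses a PDO prepared statement. Names, DSN and range are assumptions.
declare(strict_types=1);

session_start();
header('Content-Type: application/json; charset=utf-8');

// Send a JSON response with an HTTP status and stop.
function respond(int $status, array $payload): void
{
    http_response_code($status);
    echo json_encode($payload);
    exit;
}

// Only accept POST, and only from a logged-in user. The username is read from
// the session (assumed to be set at login), never from $_GET, so a client
// cannot pick another user's row by editing the URL.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    respond(405, ['error' => 'POST required']);
}
if (!isset($_SESSION['username'])) {
    respond(401, ['error' => 'not logged in']);
}
$username = $_SESSION['username'];

// Validate both coordinates as integers in an assumed range; filter_input
// returns null when the field is missing and false when it is not an integer.
$range = ['options' => ['min_range' => 0, 'max_range' => 10000]];
$x = filter_input(INPUT_POST, 'x', FILTER_VALIDATE_INT, $range);
$y = filter_input(INPUT_POST, 'y', FILTER_VALIDATE_INT, $range);
if ($x === null || $x === false || $y === null || $y === false) {
    respond(400, ['error' => 'x and y must be integers between 0 and 10000']);
}

try {
    // DSN and credentials are placeholders.
    $pdo = new PDO(
        'mysql:host=localhost;dbname=app_db;charset=utf8mb4',
        'db_user',
        'db_password',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
        ]
    );

    // Bound parameters keep the values out of the SQL text entirely; the table
    // name is a fixed string in the source, not something taken from the request.
    $stmt = $pdo->prepare('UPDATE coords SET x2 = :x, y2 = :y WHERE user_uname = :user');
    $stmt->execute([':x' => $x, ':y' => $y, ':user' => $username]);

    respond(200, ['status' => 'success', 'x' => $x, 'y' => $y, 'rows' => $stmt->rowCount()]);
} catch (PDOException $e) {
    // Log the detail server-side; do not echo database error text to the client
    // the way die(mysql_error()) does.
    error_log('coordsave failed: ' . $e->getMessage());
    respond(500, ['error' => 'could not save coordinates']);
}
```

With this endpoint the jQuery call posts to plain "coordsave.php" with no username in the URL, so nothing from $_GET is interpolated into the script block at all; the session cookie carries the identity, and the response is JSON the client can parse instead of a free-form string.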