Why doesn't this verify AJAX?

Question

Am I using the correct conditional statment to verify my PHP was called via AJAX?

I'm using isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest'

<?php

$name = $_GET['name'];
$nickname = $_GET['nickname'];
$email = $_GET['email'];
$phone = $_GET['phone'];
$pet = $_GET['pet'];
$number = $_GET['number'];
$disclaimer = $_GET['disclaimer'];
$from = 'From: Test From'; 
$to = 'euteneier@gmail.com'; 
$subject = 'Hello';
$message = "This is a message.";

$date = new DateTime();
$random = rand(1,50);

// Do even if AJAX wasn't used
if ( isset($_GET['name']) && isset($_GET['nickname']) && isset($_GET['email']) && isset($_GET['phone']) && isset($_GET['pet']) && isset($_GET['number']) && isset($_GET['disclaimer']) ) {               
    if (mail ($to, $subject, $message)) { 
        echo "You're information was successfully sent on:" . $date->format('n/j/Y g:i A') . "\n";
        if ($number == $random) {
            echo "Your number: $number matches the random number: $random" . "\n";
        } else {
            echo "Your number: $number does not match the random number: $random" . "\n";
            }
    } 
    if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {
            //requested with Javascript
            echo "Sent via AJAX!" . "\n"; //I HAVE TO COMMENT THIS OUT 
    } else { 
        echo "Something went wrong, go back and try again!" . "\n"; 
        } 
}

?>

Here is the corresponding Javascript

function submitFormAjax() {
    var xmlhttp= window.XMLHttpRequest ?
        new XMLHttpRequest() : new ActiveXObject("Microsoft.XMLHTTP");

    xmlhttp.onreadystatechange = function() {
        if (xmlhttp.readyState == 4 && xmlhttp.status == 200)
            alert(xmlhttp.responseText); // Here is the response
    }

    var name = document.getElementById('name').innerHTML;
    var nickname = document.getElementById('nickname').innerHTML;
    var email = document.getElementById('email').innerHTML;
    var number = document.getElementById('number').innerHTML;
    var radio = document.getElementsByName('pet');

        for (var i = 0, length = radio.length; i < length; i++) {
            if (radio[i].checked) {
            // do whatever you want with the checked radio
                var pet = (radio[i].value);

        // only one radio can be logically checked, don't check the rest
        break;
    }
}

    xmlhttp.open("GET","form.php?name=" + name + "&nickname=" + nickname + "&email=" + email + "&phone=" + phone + "&pet=" + pet + "&number=" + number + "&disclaimer=" + disclaimer, true);
    xmlhttp.send();
}

Thanks.

What is the problem? What do you expect this to do that it isn't? — miken32, Feb 21 '14 at 22:05
Is this the same as your [previous question](http://stackoverflow.com/questions/21925039/verify-ajax-and-return-server-status)? — miken32, Feb 21 '14 at 22:07
@miken32 nope. i thought i had solved it, but i didn't. i had replaced the 'isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest'' with '1 < 5' to test and that echoed Sent via AJAX. but when I put the real condition back in it report no AJAX. — justinae, Feb 21 '14 at 22:19
read [this](http://stackoverflow.com/questions/2579254/php-does-serverhttp-x-requested-with-exist-or-not) — , Feb 21 '14 at 22:40
@vlzvl thanks. i read it and it seems i need to use GET b/c I'm not using a framework or library. I admit I'm a bit lost then how to do that. — justinae, Feb 21 '14 at 23:06

score 0 · Answer 1 · answered Feb 21 '14 at 22:25

0

I believe X-Requested-With is a header that some JavaScript frameworks send. You're not using a framework so you'll need to add it yourself somehow.

answered Feb 21 '14 at 22:25

miken32

42,008
16
111
154

OK. I added a variable ajaxVerify to the JS, added that to the GET query and then set the value of ajaxVerify as the conditional in PHP. Is that barking up the right tree? – justinae Feb 21 '14 at 23:22
I expect that should do it. Usually when I had to do this, I just had `&xhr=1` at the end of my URLs when calling from JavaScript. Nowadays I just use jQuery which adds the X-Requested-With header... – miken32 Feb 21 '14 at 23:50

score 0 · Answer 2 · answered Feb 22 '14 at 01:18

I dont if you found a solution yet, but i see some problems:

i would change:

xmlhttp.open("GET","form.php?name=" + name + "&nickname=" + nickname + "&email=" + email + "&phone=" + phone + "&pet=" + pet + "&number=" + number + "&disclaimer=" + disclaimer, true);

into this:

var uri = encodeURIComponent("form.php?name=" + name + "&nickname=" + nickname + "&email=" + email + "&phone=" + phone + "&pet=" + pet + "&number=" + number + "&disclaimer=" + disclaimer);
xmlhttp.open("GET",uri, true);

since i don't know what horrors (etc. spaces) lurks in the HTML values.

Also this:

    ...
    for (var i = 0, length = radio.length; i < length; i++) {
        if (radio[i].checked) {
        // do whatever you want with the checked radio
            var pet = (radio[i].value);
    ...

You are declaring the variable pet inside a for-loop, which may or may not defined the time you send the request, which efficiently sends an undefined value (if no radio is selected, although i dont know your html setup), thus not-set in the .php, which pet is a required variable in the basic block condition there.

    ...
    var pet = "";   // dumb value, but exist
    for (var i = 0, length = radio.length; i < length; i++) {
        if (radio[i].checked) {
            // do whatever you want with the checked radio
            pet = (radio[i].value);  
    ...

About the condition

isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest'

i think you are fine, i'm just using it the same way without problems, yet can be easily mangled, and anything starting with HTTP_x in general. Definitely not use such logic in secure pages.

$_SERVER['HTTP_X_REQUESTED_WITH']

can be present or not in $_SERVER array and also can be sent by you, via javascript (client) or curl (server) in cases it doesnt exist at first.

xmlhttp.setRequestHeader("X-Requested-With", "XMLHttpRequest");
xmlhttp.open(..);

Why doesn't this verify AJAX?

2 Answers2