
Ok, I have this php code:

<?php
// $db_conx is assumed to be an open mysqli connection created elsewhere.
$_you = $_GET['you'];
$_answer = $_GET['answer'];
$_pass = md5($_GET['pass']);

// Look up the stored password hash for this username.
$_oldpass = null;   // stays null if no row matches
$sql = "select password from users where username='$_you'";
$query = mysqli_query($db_conx, $sql);
while ($row = mysqli_fetch_array($query)) {
    $_oldpass = $row['password'];
}
if ($_pass !== $_oldpass) {
    $_passresult = "not ok";
} else {
    $_passresult = "ok";
}

// Look up the stored security answer for this username.
$_veranswer = null; // stays null if no row matches
$sql2 = "select answer from useroptions where username='$_you'";
$query2 = mysqli_query($db_conx, $sql2);
while ($row2 = mysqli_fetch_array($query2)) {
    $_veranswer = $row2['answer'];
}
if ($_answer !== $_veranswer) {
    $_answerresult = "not ok";
} else {
    $_answerresult = "ok";
}

// Return both results as JSON for the jQuery caller.
$_result = array("Password" => $_passresult, "Answer" => $_answerresult);
header("Content-Type: application/json");
echo json_encode($_result);

?>

And this piece (fragment) of jquery that calls the above php:

$.get("verifydp.php?u="+you+"&pass="+pass+"&answer="+answer, function(result) {
    if (result.Password === "not ok" ) {
        $('#requiredp').html('<i class="fa fa-exclamation-triangle" aria-hidden="true"></i> Password is not correct');
        $('#cpassword').css("border", "solid 1px #f60");
        $('#cpassword').focus();
        $('#cpassword').val('');
        return false;
    } else {
        $('#requiredp').html('');
        $('#cpassword').css("border", "solid 1px #ccc");
    }
    if ( result.Answer === "not ok" ) {
        $('#requireda').html('<i class="fa fa-exclamation-triangle" aria-hidden="true"></i> This is not the correct answer.');
        $('#answer').css("border", "solid 1px #f60");
        $('#answer').focus();
        $('#answer').val('');
        return false;
    } else {
        $('#requireda').html('');
        $('#answer').css("border", "solid 1px #ccc");
    }   
});

As you may have guessed, this is a little password verification thingie that I made. It's not done yet, so don't mention the fact that it's not 100 per cent safe yet. I just wanted to ask your help with the following remarkable problem that I get with the interaction between these two pieces of code:

It's verifying correct or incorrect passwords and answers, however, when I enter the correct password, it slaps me back saying the password is not correct. The funny thing is however that when I run the php part on its own with the same data it tells me the password is correct. So the php feeds an "OK" to Ajax and Ajax somehow turns it into a "NOT OK", which then causes the according mayhem in the rest of the script actions. Anybody got any idea why this is happening? Any help is greatly appreciated as it's doing my head in :-/ If you need more information, just let me know.

Thanks a million!

  • Thanks for your comment - however, even if the Answer part is faulty, it still would handle the password section and then just stop when coming to the answer? Or even stop altogether? Edit: the php does give the correct answers - eg: if I run it directly it says { Password: ok, Answer: ok } yet I alerted out the Ajax response and the alert says "Not OK" under password. – Mare Gaea Apr 26 '16 at 11:50
  • [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Apr 26 '16 at 12:25
  • You really shouldn't use [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure) and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure that you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Apr 26 '16 at 12:26
  • 1
    I hate when people say *"I'm not that far along..."* or *"This site will not be public..."* or *"It's only for school, so security doesn't matter..."*. If teachers and professors are not talking about security from day one, they're doing it wrong. Challenge them. They're teaching sloppy and dangerous coding practices which students will have to unlearn later. I also hate it when folks say, *"I'll add security later..."* or *"Security isn't important now..."*. If you don't have time to do it right the first time, when will you find the time to add it later? – Jay Blanchard Apr 26 '16 at 12:28

1 Answer


I am just going to ignore how insecure this is, just because you said to.

So, moving on. Ajax does not manipulate data in any way. Ajax is just a "way" for your webpage to asynchronously access the webserver and obtain some data.

The reason this is not working and the password is always "not ok" is that your PHP is expecting the username to be in the GET parameter `you`, but you are sending it in the GET parameter `u`.

slax0r
  • You got to be kidding me - I must completely have overlooked that, how stupid of me - just goes to show that it's the little things that kill, not the big ones :) Anyway, as for the security - of course this is all gonna be sanitized and all, but as this is not finished yet, I just wanted to leave it out of the equation. Thanks a million for this! – Mare Gaea Apr 26 '16 at 12:01
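The bug in the accepted answer (server reads `you`, client sends `u`) went unnoticed because the PHP silently compared the hash against an undefined variable and reported "not ok". Below is an added example, not the asker's or answerer's code, of how the same `verifydp.php` can be written so that a missing parameter fails loudly, and that also applies the points raised in the comments: prepared statements instead of string-built SQL, `password_hash()`/`password_verify()` instead of `md5()`, and a constant-time comparison for the answer. It assumes `$db_conx` is an open mysqli connection and that `users.password` now stores `password_hash()` output; the `require_param` helper is a name chosen for this example.

```php
<?php
// Added example, not the page's own code. Assumes $db_conx is an open mysqli
// connection and that users.password holds password_hash() output.

// 1. Fail loudly when a parameter is missing instead of comparing against
//    an undefined variable. This is exactly the class of bug in the
//    question (client sends "u", server reads "you"): here the client
//    would get HTTP 400 and a clear message rather than "not ok".
function require_param(array $src, string $name): string {
    if (!isset($src[$name]) || !is_string($src[$name]) || $src[$name] === '') {
        http_response_code(400);
        header('Content-Type: application/json');
        echo json_encode(['error' => "missing parameter: $name"]);
        exit;
    }
    return $src[$name];
}

// Credentials travel in a POST body, not in the query string, so they do
// not end up in server access logs or browser history.
$you    = require_param($_POST, 'you');
$pass   = require_param($_POST, 'pass');
$answer = require_param($_POST, 'answer');

// 2. Prepared statements: user input never becomes part of the SQL text.
$stmt = mysqli_prepare($db_conx, 'SELECT password FROM users WHERE username = ?');
mysqli_stmt_bind_param($stmt, 's', $you);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $stored_hash);
$user_found = (mysqli_stmt_fetch($stmt) === true);
mysqli_stmt_close($stmt);

// 3. password_verify() against a password_hash() value. The raw password
//    is not escaped, trimmed or otherwise altered before verification.
$pass_ok = $user_found && password_verify($pass, $stored_hash);

$stmt = mysqli_prepare($db_conx, 'SELECT answer FROM useroptions WHERE username = ?');
mysqli_stmt_bind_param($stmt, 's', $you);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $stored_answer);
$answer_found = (mysqli_stmt_fetch($stmt) === true);
mysqli_stmt_close($stmt);

// 4. hash_equals() compares in constant time. The answer is only checked
//    once the password is right, so a wrong password reveals nothing about
//    the secret answer (a design choice that differs from the original,
//    which reported both results independently).
$answer_ok = $pass_ok && $answer_found && hash_equals((string) $stored_answer, $answer);

// Same JSON shape the jQuery caller already expects.
header('Content-Type: application/json');
echo json_encode([
    'Password' => $pass_ok ? 'ok' : 'not ok',
    'Answer'   => $answer_ok ? 'ok' : 'not ok',
]);
```

On the client side the corresponding call becomes `$.post('verifydp.php', {you: you, pass: pass, answer: answer}, function(result) { ... })`, so the parameter names are written once as object keys and a typo like `u` versus `you` is answered with a 400 and an error message rather than a misleading "not ok".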