-1

I am trying to check whether a name that the user is entering is valid or not. Very simple question but yes I am facing this problem.

I am writing following get the HTML and AJAX done:

<script>
function getUser(str) {
    if (str == "") {
        document.getElementById("txtHint").innerHTML = "";
        return;
    } else { 
        if (window.XMLHttpRequest) {
            // code for IE7+, Firefox, Chrome, Opera, Safari
            xmlhttp = new XMLHttpRequest();
        } else {
            // code for IE6, IE5
            xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
        }
        xmlhttp.onreadystatechange = function() {
            if (this.readyState == 4 && this.status == 200) {
                document.getElementById("txtHint").innerHTML = this.responseText;
            }
        };
        xmlhttp.open("GET","getuser.php?q="+str,true);
        xmlhttp.send();
    }
}
</script>
</head>
<body>

<form>
Name: <input type = "text" name="n1" onchange="getUser(this.value)">

<p id = "txtHint">
</form>
<br>
</body>
</html>

For PHP, it follows:

<?php
$q = $_REQUEST['q'];
#echo "$q";
$dc = mysql_connect('localhost','root','') or die(mysql_error());
if($dc > 0)
    mysql_select_db("sayak");
$r = "SELECT * FROM `check` WHERE name = '$q' "  or die(mysql_error());
    #echo "$r";
$s = mysql_query($r) or die(mysql_error());
    #echo "$s";
if($s > 0)
    echo "Correct";
else
    echo "Invalid";
mysql_close();

?>

In the case of names, that are not there in the database it is showing "Correct".

Thanks in advance.

S. P
  • 368
  • 3
  • 7
  • 20
  • 1
    don't modify code from a tutorial; I know this one all too well. – Funk Forty Niner Feb 28 '17 at 15:57
  • link please.. *lol* – xGeo Feb 28 '17 at 15:57
  • 1
    [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Feb 28 '17 at 15:58
  • 1
    ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Feb 28 '17 at 15:58
  • Have you watched the AJAX request / response in the browser's developer tools? Are there any errors reported? Are you running this on a web-server? – Jay Blanchard Feb 28 '17 at 15:59

2 Answers2

1

Please find some remarks and corrections concerning your code below.

First consider using jQuery or any other Javascript toolkit in order to make AJAX calls much more easily.

Secondly, avoid using mysql PHP extension functions and prefer PDO to construct prepared statements

Thirdly, if you want to keep your code as it is, at least escape the parameters you receive from the JS to avoid SQL injections so change 

$q = $_REQUEST['q'];

by

$q = mysql_real_escape_string($_REQUEST['q']);

and finally, the next line is wrong so change

if($s > 0)

by

if (mysql_num_rows($s) > 0)
Gilles Verstraeten
  • 36
  • 4
0
$s = mysql_query($r) or die(mysql_error());
    #echo "$s";
if($s > 0)
    echo "Correct";
else
    echo "Invalid";

Your validation is incorrect and as Jay Blanchard commented mysql functions are deprecated.

For SELECT, SHOW, DESCRIBE, EXPLAIN and other statements returning resultset, mysql_query() returns a resource on success, or FALSE on error.

For other type of SQL statements, INSERT, UPDATE, DELETE, DROP, etc, mysql_query() returns TRUE on success or FALSE on error.

The returned result resource should be passed to mysql_fetch_array(), and other functions for dealing with result tables, to access the returned data.

This is also wrong:

$r = "SELECT * FROM `check` WHERE name = '$q' "  or die(mysql_error());

This part has no business being in the query string.

or die(mysql_error())

TopCheese
  • 220
  • 1
  • 8
  • I am using the lower PHP version for some reason. And yes there was a problem with my PHP code. Thank you for the comments anyway. The following PHP code worked perfectly: 0) mysql_select_db("sayak"); $r = "SELECT * FROM `check` WHERE name = '$q' " ; $s = mysql_query($r); if($b = mysql_fetch_array($s)) echo "Correct Name"; else echo "Invalid"; mysql_close(); ?> – S. P Feb 28 '17 at 16:13
  • Than up vote and accept the answer please.Thanks. – TopCheese Feb 28 '17 at 16:20