0

I am using the below code for a log in screen that uses an ajax call to check the user creds via the PHP script. As you can see I have put in a console call in which works but the if call is being skipped every time.

UPDATE *** I have realised that when I send the response to the console it seems to be an empty line then the echo from the PHP script on a new line.

Ajax Call

$(document).ready(function(){
// Variable to hold request
var request;

// Bind to the submit event of our form
$("#log").submit(function(event){

// Prevent default posting of form
event.preventDefault();

// Abort any pending request
if (request) {
    request.abort();
}
// setup some local variables
var $form = $(this);

// Let's select and cache all the fields
var $inputs = $form.find("input, select, button, textarea");

// Serialize the data in the form
var serializedData = $form.serialize();

// Disable the inputs for the duration of the Ajax request.
$inputs.prop("disabled", true);

// Fire off the request
request = $.ajax({
    url: "../php/auth.php",
    type: "post",
    data: serializedData
});

request.done(function (response){

    console.log(response);

    if (response == "ok") {

        setTimeout(function() {
        return window.location.href = "../drive.php";
    }, 3000);
    }
    else {
        $('#error').html('<p class="text-center">'+response+'</p>');
    }
});

PHP Script

session_start();

include '***';

$email = clean($_POST['email']);
$pass = clean($_POST['pass']);

$_SESSION['name'] = $email;

$query = "SELECT * from users WHERE user='$email' and pass='$pass'";

$result = mysql_query($query);

$count = mysql_num_rows($result);

if ($count == 1) {
    echo 'ok';
}

else {

    echo 'Please Try Again';
};
frankpiazza
  • 45
  • 6
  • http://stackoverflow.com/questions/359494/which-equals-operator-vs-should-be-used-in-javascript-comparisons – mxr7350 Apr 28 '17 at 14:13
  • 2
    Aaand what exactly is the output in the console? – Imanuel Apr 28 '17 at 14:13
  • Witch if is behing escaped? The JS if or the PHP if? – João Reis Apr 28 '17 at 14:13
  • 1
    Your code is likely vulnerable to [**SQL injection attacks**](https://en.wikipedia.org/wiki/SQL_injection). You should use [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) prepared statements with bound parameters as described in [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Alex Howansky Apr 28 '17 at 14:13
  • 2
    Stop using the `mysql_*` functions. They have been deprecated since v5.5 (Jun 2013) and removed since v7.0 (Dec 2015). Instead use the [**mysqli_***](https://secure.php.net/manual/en/book.mysqli.php) or [**PDO**](https://secure.php.net/manual/en/book.pdo.php) functions with [**prepared statements**](https://secure.php.net/manual/en/pdo.prepare.php) and [**bound parameters**](https://secure.php.net/manual/en/pdostatement.bindparam.php). – Alex Howansky Apr 28 '17 at 14:13
  • 2
    **Never** store plain text passwords. You should use [`password_hash()`](http://us3.php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://us3.php.net/manual/en/function.password-verify.php) instead. If you're using a version of PHP prior to 5.5, do **not** use MD5 or SHA1 to hash passwords. Instead you can use [this compatibility pack](https://github.com/ircmaxell/password_compat). – Alex Howansky Apr 28 '17 at 14:14
  • jQuery.ajax({ url: "http://url..', data: { Some Json To send with the request}, method: "GET" // You can set here the type of request GET/POST/PUT/DELETE/PATCH, success: function(response) { console.log(response); if(response == "ok") {} else {} }, error: function(error, message) { } }); – João Reis Apr 28 '17 at 14:19
  • Tell us what the console.log says and show us the "request" variable assignment and ajax call part – Picard Apr 28 '17 at 18:11
  • Thanks for the security advice, these are all on the list of things to update in the application. Also updating to mysqli too. The console log call outputs ok or whatever string I send back from PHP to the console. I just can't work out why it skips the JS if statement. If I take out the comparison and just use if(reposnse) then it works. More input would be great! – frankpiazza Apr 29 '17 at 09:11
  • @Picard the rest of the AJAX script added above. – frankpiazza Apr 29 '17 at 11:42
  • As per my above update I noticed that for some reason a newline was being added to my response so by adding a search and replace for whitespace it now works but I would think this is just a work around and there is a still an issue in the code? – frankpiazza Apr 29 '17 at 15:23

1 Answers1

0

The php script was sending back whitespace and a new line hence why even though the console was outputting the correct return string it wasn't satisfying the if statement.

The include at the top of my PHP script had two extra lines of white space after the ?> closing tag. After removing this the response is now correct and satisfying the if statement on the Ajax call.

frankpiazza
  • 45
  • 6