
I'm looking at a few Stack Overflow threads regarding implementing the jQuery ajax method:

How to pass parameters in GET requests with jQuery

While this thread provides some really good info, I'm looking for clarification on whether this will actually do what I think it will do.

I have the ajax GET request within a jQuery click function:

//click an image
$(".img_div").click(function() {

    //get integer stored in element attribute and put it in variable
    var altCheck = $(this).find('.modal_img').attr('alt');

    //get MySQL data
    $.ajax({
        url: "get.php",
        type: "get",
        data: {
            ajaxid: altCheck //variable from above - is this correct?
        }
        // .... (remaining options omitted in the question)
    });
});

In get.php, I want the variable to be used like this:

$sql = "SELECT * FROM table WHERE screeningId = $ajaxid";

Essentially, I'd like to modify my SQL statement by passing a variable into the AJAX request, but I'm not sure if this is how it's done.

rpivovar
  • Not related to OP's actual question. Just before passing the value, you have to sanitize your variable. Look for any potential eval statements or scripts present in the alt attribute and then pass the data. Your code is open to SQL injection at this point – karthick May 29 '17 at 20:13
  • I thought that, because the SQL statement is within get.php, it would be safe? – rpivovar May 29 '17 at 20:15
  • What happens with your current implementation? – RohitS May 29 '17 at 20:17
  • Nothing happens yet. I'm still trying to figure out how to implement it. But I definitely would like it to be secure, which I'm not too familiar with. – rpivovar May 29 '17 at 20:18
  • No, it won't. What you are doing is directly assigning the value to the SQL query. In the alt attribute, I can write anything. If you don't validate the alt attribute in your PHP file then the code is unsafe – karthick May 29 '17 at 20:18
  • @coffeebot have you checked the console? Does it show something? Also, talking about security, you should sanitize your data before using it in a query. Check this http://php.net/manual/en/filter.filters.sanitize.php – RohitS May 29 '17 at 20:22
  • I see. Thanks for the info, I'll look into this. – rpivovar May 29 '17 at 20:36

4 Answers


In your JavaScript use this:

 $.ajax({ url: 'get.php',
         data: {'ajaxid':altCheck},
         type: 'post',
         dataType:'json'
        });

and in your get.php use

$ajaxid = $_POST['ajaxid'];
$sql = "SELECT * FROM table WHERE screeningId = $ajaxid";
Arshak Anjum

Like I mentioned earlier in the comment, the code is unsafe at this point. To answer your original question: yes, you can pass values using the data attribute in the ajax call.

Quoting Arshak Anjum's answer:

 $.ajax({ url: 'get.php',
         data: {'ajaxid':altCheck},
         type: 'post',
         dataType:'json'
        });

and get the value in get.php like this

$ajaxid = $_POST['ajaxid'];
$sql = "SELECT * FROM table WHERE screeningId = $ajaxid";

But this means you are opening your application to injection attacks.

One way of solving this is to sanitize the JS attributes. But still this is not a foolproof solution. What you have to use is a prepared statement in the SQL query: assign the ajax value using that and then execute the statement. It will be wise to use both a sanitizer and a prepared statement, to avoid XSS attacks and SQL injection attacks.

<?php
// $dbh is an existing PDO connection to the database
$stmt = $dbh->prepare("SELECT * FROM `table` WHERE screeningId = ?");
// the value is bound as a parameter, never concatenated into the SQL text
if ($stmt->execute(array($_POST['ajaxid']))) {
  while ($row = $stmt->fetch()) {
    print_r($row);
  }
}
?>

Note: I don't know php so I might be wrong with some syntax.

Reference prepared statements http://php.net/manual/en/pdo.prepared-statements.php

karthick
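A complete get.php for the request in the question, added here as an example (it is not code from any of the answers), combining the integer validation the comments ask for with the PDO prepared statement from the answer above. The `$pdo` connection, its DSN and credentials are placeholders, and the table and `screeningId` column are the ones named in the question:

```php
<?php
// Added example for the thread's get.php: validate the attacker-controlled
// ajaxid, then bind it into a prepared statement. DB_HOST/DB_NAME/DB_USER/
// DB_PASS are placeholders; "table" and screeningId come from the question.
declare(strict_types=1);

function fetchScreening(PDO $pdo, $rawId): array
{
    // The alt attribute is client-controlled, so insist on a non-negative
    // integer before the value gets anywhere near SQL.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($id === false) {
        throw new InvalidArgumentException('ajaxid must be a non-negative integer');
    }

    // Prepared statement: the value travels separately from the SQL text,
    // so it cannot change the structure of the query.
    $stmt = $pdo->prepare('SELECT * FROM `table` WHERE screeningId = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO('mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

header('Content-Type: application/json');
try {
    // The jQuery call in the question uses type: "get", so read $_GET;
    // switch to $_POST if you follow the answers that use type: 'post'.
    $rows = fetchScreening($pdo, $_GET['ajaxid'] ?? '');
    echo json_encode($rows);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo json_encode(['error' => $e->getMessage()]);
} catch (PDOException $e) {
    // Never echo the driver message to the client; log it server-side.
    error_log($e->getMessage());
    http_response_code(500);
    echo json_encode(['error' => 'database error']);
}
```

With this shape the jQuery success callback receives a JSON array of rows, and a tampered alt value produces a 400 instead of reaching the database.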

In the URL, pass it by adding a slash as follows:

url: "get.php/" + altCheck,

and in the get.php file access it as $_GET['altCheck']

Remember, with the GET method we need to pass data in the URL.

Happy Coding!

Vrajesh Doshi

Here is some boilerplate (I am using your code as an example).

Note: when sending data in bulk in an ajax request you should use the POST method, but as you mentioned you want to send data with GET, I have used GET; otherwise you can change the type to POST.

Quick links: for ajax http://api.jquery.com/jquery.ajax/

Using PDO https://www.w3schools.com/php/php_mysql_prepared_statements.asp

In JS:

$(".img_div").click(function(){

    //get integer stored in element attribute and put it in variable
    var altCheck = $(this).find('.modal_img').attr('alt');

    // let's send data.
    $.ajax({
        url: "get.php",
        type: "get",
        dataType: "json",
        data: { ajaxid: altCheck }, //this is valid to use as you already have a variable named altCheck; a string literal would go in double quotes.
        success: function(data) { // called if ajax succeeds; data holds the returned data, if any.
            // do whatever with data.
        },
        error: function(jqXHR, textStatus, errorThrown) { // error handler if any error occurs (failed ajax)
            // do handle error here.
        }
    });
});

In PHP:

// $conn is an existing mysqli connection
$value = filter_var($_REQUEST["ajaxid"], FILTER_SANITIZE_STRING); // used REQUEST so GET/POST won't matter.
$value = mysqli_real_escape_string($conn, $value); // procedural form takes the connection as its first argument

$stmt = $conn->prepare("SELECT * FROM `table` WHERE id = ?");
$stmt->bind_param("s", $value); // "s" binds the value as a string
$stmt->execute();
RohitS
  • What is the "s" doing in `$stmt->bind_param("s",$value);` ? – rpivovar May 29 '17 at 21:38
  • Ah, I think this answers my question : https://stackoverflow.com/questions/18426172/what-does-bind-param-accomplish – rpivovar May 29 '17 at 21:43
  • Well, you have already chosen an answer. For your query, please follow this link: http://php.net/manual/en/mysqli-stmt.bind-param.php – RohitS Jun 01 '17 at 18:58