I'm new to Javascript and PHP, but I have been able to setup a simple web app at www.gearedwebdesigns.com/BPHCalcEnter.php I want to be able to also insert the google Id token into my database alongside with the 2 number inputs on the site. That way each record will belong to a specific google ID. Please correct me if this is horribly wrong.
The problem that I face now is that I am doing database inserts and deletes right now on a different php file. www.gearedwebdesigns.com/BPHTable.php but this redirects back to BPHCalcEnter.php so is it possible to insert the Google ID token the same way I am inserting right now? I'm not too sure how to access a javascript variable via php
Here's the external javascript I use to set the variables from the Google Sign in.
function onSignIn(googleUser) {
// Useful data for your client-side scripts:
var profile = googleUser.getBasicProfile();
console.log("ID: " + profile.getId()); // Don't send this directly to your server!
console.log('Full Name: ' + profile.getName());
console.log('Given Name: ' + profile.getGivenName());
console.log('Family Name: ' + profile.getFamilyName());
console.log("Image URL: " + profile.getImageUrl());
console.log("Email: " + profile.getEmail());
// Used to display in HTML
document.getElementById("gName").innerHTML = profile.getName();
document.getElementById("gPic").src = profile.getImageUrl();
// The ID token you need to pass to your backend:
var id_token = googleUser.getAuthResponse().id_token;
console.log("ID Token: " + id_token);
};
And here's my BPHTable.php code. I'm sure a lot can be improved here too. Please criticize away.
<?php header("Location: http://www.gearedwebdesigns.com/BPHCalcEnter.php");?>
<!doctype html>
<html>
<head>
</head>
<body>
<?php
// Define MySQL connection and credentials
$pdo_dsn='mysql:dbname=gearedwe_ODFLtest;host=localhost';
$pdo_user='gearedwe_admin';
$pdo_password='dbtest';
// Check that user sent some data to begin with.
if(!empty($_POST) && !empty($_REQUEST['yourfield'])&& isset($_REQUEST['hoursWorked'])) {
// Establish connection to database
$conn = new PDO($pdo_dsn, $pdo_user, $pdo_password);
$con=mysqli_connect("localhost","gearedwe_admin","dbtest","gearedwe_ODFLtest");
// Throw exceptions in case of error.
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
/* Sanitize input. Trust *nothing* sent by the client.
* When possible use whitelisting, only allow characters that you know
* are needed. If username must contain only alphanumeric characters,
* without puntation, then you should not accept anything else.
* For more details, see: https://stackoverflow.com/a/10094315
*/
$yourfield=preg_replace('/[^a-zA-Z0-9\ ]/','',$_REQUEST['yourfield']);
$hoursWorked=$_REQUEST['hoursWorked'];
/* Escape your input: use htmlspecialchars to avoid most obvious XSS attacks.
* Note: Your application may still be vulnerable to XSS if you use $yourfield
* in an attribute without proper quoting.
* For more details, see: https://stackoverflow.com/a/130323
*/
$yourfield=htmlspecialchars($yourfield);
$hoursWorked=htmlspecialchars($hoursWorked);
try {
// Establish connection to database
$conn = new PDO($pdo_dsn, $pdo_user, $pdo_password);
$con=mysqli_connect("localhost","gearedwe_admin","dbtest","gearedwe_ODFLtest");
// Throw exceptions in case of error.
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Use prepared statements to mitigate SQL injection attacks.
// See https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php for more details
$qry=$conn->prepare("INSERT INTO `gearedwe_ODFLtest`.`yourtable` ( `billsEntered`, `dateEntered`, `hoursWorked`, `BPH`) VALUES ( :yourvalue, CURRENT_DATE(), $hoursWorked, `billsEntered`/$hoursWorked);");
// Execute the prepared statement using user supplied data.
$qry->execute(Array(":yourvalue" => $yourfield));
mysqli_close($con);
}
catch (PDOException $e) {
echo 'Error: ' . $e->getMessage() . " file: " . $e->getFile() . " line: " . $e->getLine();
exit;
}
}
else {
die('User did not send any data to be saved!');
}
?>
</body>
</html>
