
This is the current code to get data from JS to PHP:

JavaScript:

```javascript
window.location.href = "samepage.php?points=" + data[picked].question;
```

PHP GET:

```php
<?php
    if (isset($_GET["points"])){
        //do stuff to store the points into MySQL table

        $value = $_GET['points'];
        echo $value;
    }
?>
```

The problem is that the user can now edit the url to get more points. How can I do this without using GET so the user can't manipulate the value? I have tried AJAX, but I can't get it to work.

JavaScript with AJAX:

```javascript
$(document).ready(function(){
    var url = window.location.href;
    var params = url.split('?points=');
    var id = data[picked].question;
    $("#submit").click(function(){
        $.ajax({
            type:"POST",
            url:"samepage.php",
            data:{id:id},
            success:function(result){
                $("#content").html(result);
                $("#submit").hide();
            }
        });
    });
});
```

PHP POST:

```php
if( isset($_POST["points"]) )
    {
        $random = $_POST["points"];
        echo $random;
    }
```

What am I doing wrong, and how can I solve this?

Test

  • You do realise that the user can also fiddle with the data when you use POST or AJAX :) – RiggsFolly Dec 02 '20 at 12:26
  • You should never trust the client, even if you know input comes from trusted users. We don't know how you determine via JavaScript how many points the user should receive. JavaScript should not decide this, but rather PHP. – Definitely not Rafal Dec 02 '20 at 12:27
  • @DefinitelynotRafal The points are decided from a wheel of fortune. How do you suggest I do it? :) – Test Dec 02 '20 at 12:28
  • Well, we need more information here. Let's assume you have a JavaScript animation for you to do the wheel of fortune. Once the user clicks on the start button (or whatever you have) you could use AJAX to ask the PHP server how many points the user should receive. During the AJAX request you keep the wheel of fortune moving until you receive an answer. After PHP is finished just add the points, then you know how many points you should answer to your client's AJAX request. Once the client receives how many points it should add you stop the animation and show the correct amount. – Definitely not Rafal Dec 02 '20 at 12:34
  • @DefinitelynotRafal I can create the array in PHP and display it in JS like this: `var data = ;`. But still not sure how to get the value using PHP. – Test Dec 02 '20 at 14:31
  • If you did it as I explained in my last comment then you would need to use [AJAX](https://stackoverflow.com/questions/6009206/what-is-ajax-and-how-does-it-work). I'm sure you do not do that. What you are commenting goes beyond the current question. You need to update your question or create a new one. This is a completely different issue. If you do so, provide all needed code to [reproduce](https://stackoverflow.com/help/minimal-reproducible-example) your problem. – Definitely not Rafal Dec 02 '20 at 14:37

1 Answer

> How can I do this without using GET so the user can't manipulate the value?

If the value is sent from the client, you can't stop the user from manipulating it.

It's not entirely clear what the end goal is, but it looks like you need to do something very roughly along these lines:

  1. Generate an identifier to represent a user (e.g. a session)
  2. Send the choices the user makes to the server instead of the points those choices are worth
  3. Calculate the value of those choices server-side
  4. Store the result in the session
Quentin
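
The four steps in the answer above, applied to the wheel of fortune described in the comments, as an added example that is not part of the original answer or comments. The endpoint name `spin.php`, the `WHEEL` values and the `MAX_SPINS` limit are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed wheel layout (hypothetical values). The browser may get a copy to
// draw the wheel, but only this server-side copy decides what a spin is worth.
const WHEEL = [10, 20, 50, 0, 100, 5];
const MAX_SPINS = 3; // assumed per-session limit so a replayed request gains nothing

// Perform one spin against the session state passed by reference.
// Returns [HTTP status, response body] and updates $state on success.
function spin(array &$state): array
{
    $state['spins'] ??= 0;
    $state['points'] ??= 0;

    if ($state['spins'] >= MAX_SPINS) {
        return [429, ['error' => 'no spins left', 'total' => $state['points']]];
    }

    // The outcome is chosen here with a CSPRNG; nothing the client sends affects it.
    $segment = random_int(0, count(WHEEL) - 1);
    $state['spins']++;
    $state['points'] += WHEEL[$segment];

    // The client only learns where to stop the animation and the new total.
    return [200, [
        'segment' => $segment,
        'won'     => WHEEL[$segment],
        'total'   => $state['points'],
        'left'    => MAX_SPINS - $state['spins'],
    ]];
}

// HTTP entry point (spin.php is a hypothetical name); skipped on the CLI.
if (PHP_SAPI !== 'cli') {
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        http_response_code(405);
        exit;
    }
    session_start();                      // step 1: identify the user
    [$status, $body] = spin($_SESSION);   // steps 2-4: no points value is read from the request
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($body);
}
```

On the client, the `#submit` click handler would POST to this endpoint with no points value and stop the wheel animation on the returned `segment`. Editing the request changes nothing, because the request carries no value the server uses.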