
I wanted to ask a question because I have been going mad trying to work out why my code does not work. The POST request is sent by AJAX to the backend file, where the data should be checked and then sent to the database. I checked whether I have an error in the MySQL database, but the stored procedure works just fine. I also checked whether the POST request is sent to the backend, which it is (proof shown in the pictures). And I can't find the mistake I am making. Why are the sent JSON variables not written into the newly generated PHP variables with $_POST? I also tried $_GET and it still does not work. Here is the code of the PHP file. Thanks

    <?php

    function isPOSTBack(){
        return ($_SERVER['REQUEST_METHOD'] == 'POST');
    }


    if(!isPOSTBack()){
        header("location: /security/assetThreatScenarios1.php");
        exit;
    }

    include("configfile.php");

    $tabela; $id; $par1; $par2;


    if(isset($_POST["tabela"] ) ) {
        if (empty($_POST["tabela"]) || strlen($_POST["tabela"]) <2){
            echo "{\"error\":true, \"errorText\":\"Table is not set\"}";
            exit;
        }
        $tabela = $_POST["tabela"];
    }

    if(isset($_POST['id'] ) ) {
        if (empty($_POST['id'])) {
            echo "{\"error\":true, \"errorText\":\"id is not set\"}";
            exit;
        }
        $id = $_POST['id'];
    }

    if(isset($_POST['par1'] ) ) {
        if (empty($_POST['par1']) || strlen($_POST['par1']) < 2 ) {
            echo "{\"error\":true, \"errorText\":\"id is not set\"}";
            exit;
        }
        $par1 = $_POST['par1'];
    }

    if(isset($_POST['par2'] ) ) {
        if (empty($_POST['par2']) || strlen($_POST['par2']) < 2 ) {
            //$par2 = NULL;
            echo "{\"error\":true, \"errorText\":\"id is not set\"}";
            exit;
        }
        $par2 = $_POST['par2'];
    }
    else{
        $par2 = "";
    }


    $sql = "CALL updateATSTables('$tabela', '$id', '$par1', '$par2')";

    if (mysqli_query($conn, $sql)){
        echo "{\"error\":false, \"errorText\":\"The assessment was updated successfully!\",\"affectedRow\":".$rowId."}";
    }

    else{
        echo "{\"error\":true, \"errorText\":\"An error occured, please contact the security/safety section!\"".$tabela."}";

        exit;
    }
    ?>

The var_dump response

    array(1) { ["{"tabela":"assetCategories","id":"1","par1":"Physical1"}"]=> string(0) "" }

and with a variable I get NULL

The ajax request


    function saveRowWithAjax(inputs){

        var jsonstring = "{";

        jsonstring+="\"tabela\":"+"\""+tabela+"\""+","+"\"id\":"+"\""+id+"\""+",";
        inputs.forEach(function(el, i, arr){
            jsonstring+="\""+el.name+"\""+":"+"\""+el.value+"\"";
            if(arr.length-1!=i){
                jsonstring+=",";
            }
        });
        jsonstring+="}";
        $.ajax({
            url:"backend/ATSSaveEdit.php",
            method:"POST",
            data:jsonstring,
            beforeSend:function(){

            },
            success:function(data){
                var res = $.parseJSON(data);
                if(res.error){
                    alert(res.errorText);
                }
                else {

                    input.innerHTML=res.htmltext;

                    addeventlisteners();
                }
            },
            error:function(data){

            },
            always: function(data){

            }
        });
        return false;

    }

The ajax post request

The error I get from the PHP file

king
  • 1
    On a sidenote, instead of manually creating JSON use json-encoded arrays. Where is `$conn` set? – brombeer Dec 03 '20 at 15:35
  • 1
    **Warning**: You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized prepared statements instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even by trusted users, [you are still at risk of corrupting your data](https://bobby-tables.com/). [Escaping is not enough](https://stackoverflow.com/q/5741187). – Jason K Dec 03 '20 at 15:42
  • 1
    Echo out your SQL statement. Does that look right? What [error](https://www.php.net/manual/en/mysqli.error.php) do you get? – Jason K Dec 03 '20 at 15:51
  • Inside the configfile.php file, which is located in the same folder as the file which contains the code I posted. Also, I have to manually create a JSON because I get the wanted parameters from different locations and send them to the backend with AJAX. You think that is the problem? I use MySQL stored procedures so I am not open to SQL injections that wide haha, you can see in the code. The error is posted in the second picture because mysqli_query cannot be executed. – king Dec 03 '20 at 17:14
  • The error I get in the PHP log file is: [03-Dec-2020 15:03:55 UTC] PHP Notice: Undefined variable: tabela in /Applications/MAMP/htdocs/security/backend/ATSSaveEdit.php on line 59 [03-Dec-2020 15:03:55 UTC] PHP Notice: Undefined variable: id in /Applications/MAMP/htdocs/security/backend/ATSSaveEdit.php on line 59 [03-Dec-2020 15:03:55 UTC] PHP Notice: Undefined variable: par1 in /Applications/MAMP/htdocs/security/backend/ATSSaveEdit.php on line 59 [03-Dec-2020 15:03:55 UTC] PHP Notice: Undefined variable: tabela in /Applications/MAMP/htdocs/security/backend/ATSSaveEdit.php on line 76 – king Dec 03 '20 at 17:20
  • This is what I get when I echo the $sql: CALL updateATSTables('', '', '', ''). I can't understand, because I have a similar file where I use $_POST to get some variables from the frontend and everything works. How? – king Dec 03 '20 at 17:24
  • Dump `$_POST` on the page and see what it contains. – El_Vanja Dec 03 '20 at 17:27
  • Just echo $_POST, right? Hmm, in response I get - Array. With the variable I get none (empty) – king Dec 03 '20 at 20:45
  • No, not `echo`, `var_dump` or `print_r`. – El_Vanja Dec 03 '20 at 20:46
  • array(1) { ["{"tabela":"assetCategories","id":"1","par1":"Physical1"}"]=> string(0) "" }.. and with a variable I get NULL – king Dec 03 '20 at 20:48
  • Can you show your AJAX? You're not sending the data properly. – El_Vanja Dec 03 '20 at 20:54
  • function saveRowWithAjax(inputs){ var jsonstring = "{"; jsonstring+="\"tabela\":"+"\""+tabela+"\""+","+"\"id\":"+"\""+id+"\""+","; inputs.forEach(function(el, i, arr){ jsonstring+="\""+el.name+"\""+":"+"\""+el.value+"\""; if(arr.length-1!=i){ jsonstring+=","; } }); jsonstring+="}"; $.ajax({ url:"backend/ATSSaveEdit.php", method:"POST", data:jsonstring, beforeSend:function(){ }, – king Dec 03 '20 at 23:10
  • success:function(data){ //console.log("asd"); var res = $.parseJSON(data); if(res.error){ alert(res.errorText); } else { input.innerHTML=res.htmltext; addeventlisteners(); } }, error:function(data){ }, always: function(data){ } }); return false; } – king Dec 03 '20 at 23:11
  • Had to send it in two comments, it was too long. – king Dec 03 '20 at 23:11
  • Please add new information by editing the question (link is at the bottom of it), not through comments. This is unreadable. – El_Vanja Dec 04 '20 at 07:38
  • Sorry, I added them. – king Dec 04 '20 at 10:21
  • Never build a JSON string on your own. Especially here, where there is no need to send a string; you can simply send a javascript object under `data`. The `ajax` function will encode it for you. – El_Vanja Dec 04 '20 at 11:50
  • Yes, but I get the data from different locations of the document. You mean I form an object with the four variables I need in JavaScript and then just send it with data in the AJAX? – king Dec 04 '20 at 12:13
  • Exactly. Fetch what you need from whatever sources you need and then simply create a new JS object with those variables. – El_Vanja Dec 04 '20 at 12:14
  • Thank you very much! I made it and now it works :D cheers :D – king Dec 08 '20 at 23:06
  • Glad to have helped. – El_Vanja Dec 08 '20 at 23:20
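
Why `$_POST` ended up with a single key, and what changes once an object is sent instead, shown as an added example that is not part of the original thread. `parseFormBody`, `handBuiltBody`, `objectBody` and `isValidJson` are hypothetical helpers; `URLSearchParams` stands in both for PHP's decoding of a form-encoded body and for jQuery's encoding of an object passed as `data`, and the sample values are constructed.

```javascript
// Added example (not from the post). Sample values below are constructed.

// Stand-in for server-side decoding of an application/x-www-form-urlencoded
// body into named fields, which is what PHP does to populate $_POST.
function parseFormBody(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// The question's approach: concatenate a JSON-looking string by hand.
function handBuiltBody(tabela, id, inputs) {
  let s = '{"tabela":"' + tabela + '","id":"' + id + '",';
  inputs.forEach((el, i, arr) => {
    s += '"' + el.name + '":"' + el.value + '"';
    if (i !== arr.length - 1) s += ',';
  });
  return s + '}';
}

// The fix from the comments: collect the values into a plain object and let
// the library encode it. URLSearchParams stands in for jQuery's encoding of
// an object passed as `data`.
function objectBody(tabela, id, inputs) {
  const fields = { tabela, id };
  for (const el of inputs) fields[el.name] = el.value;
  return new URLSearchParams(fields).toString();
}

// True when the string parses as JSON.
function isValidJson(s) {
  try { JSON.parse(s); return true; } catch (e) { return false; }
}

const inputs = [{ name: 'par1', value: 'Physical1' }];           // constructed
const quoted = [{ name: 'par1', value: 'Rack "A" & door=3' }];   // constructed

// One key holding the whole string, empty value: the var_dump from the question.
console.log(parseFormBody(handBuiltBody('assetCategories', '1', inputs)));
// Separate fields, so $_POST['tabela'], $_POST['id'] and $_POST['par1'] exist.
console.log(parseFormBody(objectBody('assetCategories', '1', inputs)));
// A value containing quotes or separators survives encoding by the library...
console.log(parseFormBody(objectBody('assetCategories', '1', quoted)).par1);
// ...while the hand-built string stops being valid JSON at all.
console.log(isValidJson(handBuiltBody('assetCategories', '1', quoted)));
```

Sending fields correctly only fixes the empty variables; the backend still interpolates them into the `CALL` string, so the prepared-statement advice in the comments applies unchanged.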

0 Answers