
I'm working on a pretty simple application.

Here's the overview:

I've got a web form where the URL contains a variable. I'm grabbing the value of that variable and sending it to my web server (it's hosted on another domain) through an AJAX call. Once retrieved, the variable is run against a SQL DB; if a match is found, I send that data back to my web form to do something with.

I've got the CORS headers defined and set to only accept data from the origin source where my form resides. Thus far it's all worked fine.

Here's the PHP code that is working:

<?php
    // CORS headers to allow traffic from the form to run here
    header('Access-Control-Allow-Origin: https:mydomain.com');
    header('Content-Type: application/json');

    //Retrieve the value passed from the Ajax script
    $finderID = $_REQUEST['Finder'];    

    //SQL Statement to connect, retrieve and parse out the data as JSON
    $conn = new mysqli("localhost", "db_uname", "db_pswd", "db_table");
    $result = $conn->query("SELECT * FROM onlineFinderLookup WHERE printID = $finderID");
    $outp = array();
    $outp = $result->fetch_all(MYSQLI_ASSOC);         
        
    echo json_encode($outp);

?>

Now, I'd like to be able to enforce some validation around the value of that variable. I want to know if it's numeric and greater than 0. If so, then connect to the DB and get my data.

I've attempted to do that this way:

<?php
    // CORS headers to allow traffic from the form to run here
    header('Access-Control-Allow-Origin: https:mydomain.com');
    header('Content-Type: application/json');

    //Retrieve the value passed from the Ajax script
    $finderID = $_REQUEST['Finder'];   

    if ($finderID >= 0 && is_numeric($finderID) {

        //SQL Statement to connect, retrieve and parse out the data as JSON
        $conn = new mysqli("localhost", "db_uname", "db_pswd", "db_table");
        $result = $conn->query("SELECT * FROM onlineFinderLookup WHERE printID = $finderID");
        $outp = array();
        $outp = $result->fetch_all(MYSQLI_ASSOC);         
        
        echo json_encode($outp);
    }
    else {

    }

?>

When I run the code with an IF statement in it, my console throws me a CORS error and says the header isn't defined. Any idea why?

Also, would be curious if this seems like a secure way to be gathering data from my DB or if I'm way out in left field with this.

Thanks!

UPDATE: Including console error

Access to XMLHttpRequest at 'webserver' from origin 'webform' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

  • Can you add the error that is shown? – ArSeN Jan 21 '21 at 19:18
  • @ArSeN updated the question with the text from the console – HisPowerLevelIsOver9000 Jan 21 '21 at 19:20
  • Maybe a typo... but the IF statement is not properly closed... must be `if ($finderID >= 0 && is_numeric($finderID)) {`. If the server throws an exception, that causes the headers not sent properly, and then get blocked by the browser – Pipe Jan 21 '21 at 19:25
  • That makes sense, you're just missing an `)` (to be more clear) – ArSeN Jan 21 '21 at 19:38
  • @Pipe that's what it was - bloody typo, good catch! It's running now as expected. thanks for the help! – HisPowerLevelIsOver9000 Jan 21 '21 at 20:08
  • @Dharman thank you, I appreciate the heads up on this. Security was going to be where I went next once things worked functionally. – HisPowerLevelIsOver9000 Jan 21 '21 at 20:11
  • @Dharman the prepared statements seem like a really secure way of doing this. Thank you for pointing me down that path. Saves me a bunch of time when I look to the security aspect of this. Time permitting, have you got any example you could provide me of how I could use what I have now with a prepared statement that would accept my variable value? – HisPowerLevelIsOver9000 Jan 21 '21 at 20:18
  • You can find an example here https://stackoverflow.com/questions/7537377/how-to-include-a-php-variable-inside-a-mysql-statement – Dharman Jan 21 '21 at 20:19
  • Maybe it is a type error. But in your if statement there is a small mistake: the final bracket is missing. `if ($finderID >= 0 && is_numeric($finderID)) {...}` Hope it helps. – Maik Lowrey Jan 22 '21 at 08:50
  • @HisPowerLevelIsOver9000 I just added my comment as an answer, so you can mark it as correct. – Pipe Jan 22 '21 at 15:11

1 Answer


You missed a ) at the end of the IF sentence. The correct way is:

if ($finderID >= 0 && is_numeric($finderID)) {

If the server throws an exception, that causes the headers not to be sent properly, and the request then gets blocked by the browser.

– Pipe
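As an added example (not the asker's code or Pipe's answer), here is the same endpoint with the parenthesis fixed and the lookup changed to the prepared statement Dharman's comment points to, so the validated value is bound as an integer instead of being interpolated into the query string. The origin, credentials and table names are assumed placeholders carried over from the question.

```php
<?php
// Added example, not the original poster's code: validation branch with
// the missing ")" fixed, plus a prepared statement for the lookup.
// Origin, credentials and table names are assumed placeholders.

header('Access-Control-Allow-Origin: https://mydomain.com');
header('Content-Type: application/json');

// Validate before touching the database: must be a whole number > 0.
// FILTER_VALIDATE_INT rejects "1.5", "1e3" and " 5", all of which
// is_numeric() accepts, and min_range enforces the "greater than 0" rule.
$finderID = filter_var($_REQUEST['Finder'] ?? '', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);

if ($finderID === false) {
    // Reject early; the CORS header is already sent, so the browser can
    // read this 400 instead of reporting a missing header.
    http_response_code(400);
    echo json_encode(['error' => 'Finder must be a positive integer']);
    exit;
}

// Make mysqli throw on errors so a DB failure surfaces as an exception
// rather than a silent null result and a half-written response.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = new mysqli("localhost", "db_uname", "db_pswd", "db_table");

// Placeholder + bind: the value travels separately from the SQL text,
// so nothing in $finderID can change the shape of the query.
$stmt = $conn->prepare("SELECT * FROM onlineFinderLookup WHERE printID = ?");
$stmt->bind_param("i", $finderID);
$stmt->execute();

$outp = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
echo json_encode($outp);
```

A parse error such as the missing parenthesis stops the file before any header() call runs, which is why the browser reported no Access-Control-Allow-Origin header at all rather than a wrong one.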