3

I've got this in index.php

    <?php

    include_once '..\connect.php';

    session_start();

    if (isset($_SESSION['username'])){
        $player_name = $_SESSION['username'];

    } else {    
        header( 'Location: http://localhost/Inventory/index.php' ) ;
        exit;
    }

    ?>

and I'm making an AJAX request to request.php

    <?php
    //connect to database and check for errors
    $con = mysql_connect ("localhost","root","");
    if (!$con) {
        die ('Could not connect to database: ' . mysql_error());
    }

    //select database and check selection
    if (!mysql_select_db ("GotA", $con)) {
        die ('Could not select database: ' . mysql_error());
    }

    //I have to create this; if not, it doesn't find the session's $player_name variable
    $player_name = $_POST['name'];

    //***Create Player Array**//
    $player_info = "SELECT * from players where id = $player_name";
    $player_info2 = mysql_query($player_info) or die ('Could not get player record');
    $player_info3 = mysql_fetch_array($player_info2);

Well, it just seems insecure to retrieve data from the database using a variable sent with JavaScript. Isn't there a way to directly use the variable from index.php (the session part)? Or is it safe to just pass the information with JavaScript?

Thaiscorpion
  • Please, PLEASE read [this question](http://stackoverflow.com/questions/60174/best-way-to-stop-sql-injection-in-php) and its accepted answer thoroughly. Understand it. Use it. – Justin ᚅᚔᚈᚄᚒᚔ Jul 26 '11 at 15:07
  • Thank you all for you comments and answers im going to read through them and the links ill report when i find the solution – Thaiscorpion Jul 26 '11 at 15:32

3 Answers

3

Why don't you just retrieve the session again in request.php?

Instead of:

    $player_name = $_POST['name'];

Use:

    $player_name = $_SESSION['username'];

Also be sure to use session_start() before this.

Jason Kaczmarsky
  • Right, but I'm not talking about any JS here, only PHP. JS is just making a call to a PHP page, which _can_ access the session. – Jason Kaczmarsky Jul 26 '11 at 15:17
  • Jason, correct, it *can* if it knows the session id and you call `session_id(hash)`. Just calling `session_start` will not re-instate the session because PHP sees AJAX as being its own unique session. – Jim Jul 26 '11 at 15:20
  • I've never had to use session_id for something like this. The way I stated has worked fine for me in the past numerous times. – Jason Kaczmarsky Jul 26 '11 at 15:22
  • Then I may be incorrect and my usage was probably also incorrect. My apologies. – Jim Jul 26 '11 at 15:23
  • Just to clarify this point for any future readers of these comments: a `GET`/`POST` initiated by a user by typing a URL or clicking a link is no different than a `GET`/`POST` initiated by XmlHttpRequest. HTTP is HTTP. PHP does not assign an AJAX request its own session because it doesn't know that the request originated from a script (unless you build in the logic to do so in your PHP and JS code). – Justin ᚅᚔᚈᚄᚒᚔ Jul 26 '11 at 15:39
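The point made in this answer and its comments, as an added example that is not code from the question or from any of the answerers: the browser sends the PHP session cookie with an XMLHttpRequest to the same origin exactly as it does for a normal page load, so request.php only has to call session_start() and read $_SESSION itself. The player's identity is then taken from the server-side session and never from the POST body, and the lookup uses a mysqli prepared statement (the maintained replacement for the mysql_* calls in the question). Assumptions: the players table has a username column, and the database credentials are placeholders.

```php
<?php
// Added example (not the asker's code): request.php that takes the player's
// identity from the PHP session that index.php populated at login.
// Assumptions: players has a username column; credentials are placeholders.
session_start();

header('Content-Type: application/json');

// The session cookie travels with the AJAX request like any other request,
// so this is the same $_SESSION that index.php checked. An unauthenticated
// caller gets a 401 and no database access at all.
if (!isset($_SESSION['username'])) {
    http_response_code(401);
    echo json_encode(['error' => 'not logged in']);
    exit;
}
$player_name = $_SESSION['username'];   // never $_POST['name']

$mysqli = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'GotA');
if ($mysqli->connect_errno) {
    http_response_code(500);
    echo json_encode(['error' => 'database unavailable']);
    exit;
}

// Prepared statement: the value is sent to the server separately from the
// SQL text, so it cannot alter the query's structure whatever it contains.
$stmt = $mysqli->prepare('SELECT id, username FROM players WHERE username = ?');
$stmt->bind_param('s', $player_name);
$stmt->execute();
$player = $stmt->get_result()->fetch_assoc();
$stmt->close();

if ($player === null) {
    http_response_code(404);
    echo json_encode(['error' => 'player not found']);
    exit;
}
echo json_encode($player);
```

Because the session holds the username, the client-side JavaScript does not need to send a name at all; it simply requests request.php and the server decides whose row to return.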
2

From my previous experience using jQuery, the session still works with an AJAX request; as long as you call session_start() at the top of the script being called, you should be able to access the session variables.

David Nguyen
  • pretty sure you're wrong...I'm 90% sure I've been able to set/get session variables using AJAX http://stackoverflow.com/questions/607673/setting-a-php-sessionvar-using-jquery – David Nguyen Jul 26 '11 at 15:15
1

Your AJAX request, though it's coming from JavaScript, can still access your browser's session state. You can also fall back to a POSTed variable:

request.php:

    <?php
    session_start();

    // Set $dbuser and $dbpass in a secure configuration file
    $dbh = new PDO('mysql:host=localhost;dbname=GotA', $dbuser, $dbpass);

    if (isset($_SESSION['username']))
        $player_name = $_SESSION['username'];
    else
        $player_name = $_POST['name'];

    $stmt = $dbh->prepare('SELECT * from players where id = :playername');
    $stmt->execute(array(':playername' => $player_name));

    $result = $stmt->fetchAll();

One other thing: having asynchronous session-aware requests can result in race conditions if you're running multiple asynchronous requests. See this article for information. As long as you're only reading session variables and not writing them (or explicitly ending the session), then you should be okay. (If someone has a definitive answer for the previous statement, please share in the comments.)

Justin ᚅᚔᚈᚄᚒᚔ
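The race-condition concern raised at the end of this answer, as an added example that is not part of the answer: PHP's default file-based session handler takes an exclusive lock on the session file at session_start() and holds it until the script ends, so several AJAX requests from the same logged-in user are serialised rather than racing. The usual defensive pattern is to copy what the handler needs out of $_SESSION, call session_write_close() to release the lock, and only then do the slow database work with the PDO prepared statement from the answer. Assumptions: the players table has a username column; $dbuser and $dbpass are placeholders standing in for values loaded from a configuration file outside the web root.

```php
<?php
// Added example (not the answerer's code): read from the session, release the
// session lock, then query with PDO. Assumptions: players has a username
// column; the credentials below are placeholders for values from a config file.
session_start();

if (!isset($_SESSION['username'])) {
    http_response_code(401);
    exit;
}
$player_name = $_SESSION['username'];

// Release the session lock now that everything needed has been copied out.
// Concurrent requests for this user can proceed instead of waiting on the
// lock. Anything assigned to $_SESSION after this line is NOT persisted.
session_write_close();

$dbuser = 'DB_USER_PLACEHOLDER';
$dbpass = 'DB_PASS_PLACEHOLDER';
$dbh = new PDO('mysql:host=localhost;dbname=GotA;charset=utf8mb4', $dbuser, $dbpass, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,  // fail loudly, not silently
    PDO::ATTR_EMULATE_PREPARES   => false,                   // real server-side prepares
]);

// Parameterised lookup bound to the session-derived value only.
$stmt = $dbh->prepare('SELECT id, username FROM players WHERE username = :playername');
$stmt->execute([':playername' => $player_name]);
$player = $stmt->fetch(PDO::FETCH_ASSOC);

header('Content-Type: application/json');
echo json_encode($player === false ? ['error' => 'player not found'] : $player);
```

Reading only, as the answer says, is safe under the lock; the pattern above also keeps a read-only handler from blocking other requests for the same user while the query runs. A handler that does need to update the session should keep the session open (or call session_start() again) and do its writes before the script ends.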