0

I am trying to validate input login via javascript by passing PHP variables. I cannot execute it properly for some reason. I'd appreciate your comments. Here's the code:

PHP:

```php
$personal = mysqli_query($connect,"SELECT * FROM basic ORDER BY user_id DESC ");
while($row = mysqli_fetch_array($personal)){
    $user = $row['username'];
    $user_password = $row['password'];
}
```

Javascript / jQuery:

```javascript
function enter_log() {
    var login_username =  $("#username_field_log");
    var pass_password =  $("#pass_field_log");
    var button =  $("#enter_field_log");
    var php = "<?= echo $user; ?>";

    if ((login_username.val() == "") || (pass_password.val() == "")) {
        $("#user_log_info").fadeIn('slow');
        $("#user_log_info").text("Not a proper login input");
        login_username.addClass("error");
        pass_password.addClass("error");
        return false;
    }
    else if ((login_username.val() != php ) || (pass_password.val() == "")) {
        $("#user_log_info").fadeIn('slow');
        $("#user_log_info").text("Not a proper login input");
        login_username.addClass("error");
        pass_password.addClass("error");
        return false;
    }
}
```

So in other words - the code should return false ( and it does so ) when the fields are empty but it doesn't return TRUE when the input is correct ( I mean when the username is correct ) so I assume the PHP variable $user is not passed by correctly to javascript?

stealthyninja
Rod Rig Gez
  • 3
    I would recommend not sending their password over the wire in your response. – Justin Helgerson Sep 16 '11 at 21:22
  • well you're resetting $user multiple times through a loop. That doesn't seem useful. Also how are you sending the input to PHP? You seem to say that as soon as they enter a correct entry it should validate but that's not going to work because the page wasn't submitted. – Cfreak Sep 16 '11 at 21:25
  • 1
    It looks like you may not have included enough of your javascript code for us to help. Your snippet doesn't include anything like a `return true;` statement where the function *would* return true. – adpalumbo Sep 16 '11 at 21:25
  • 1
    You could just look into the page source to see what got embedded in the JS block. it's not a black box, you know. – Marc B Sep 16 '11 at 21:25
  • The password is md5 encrypted. – Rod Rig Gez Sep 16 '11 at 21:25
  • @adpalumbo The function should return true automatically upon correct input - no need to add it I think... – Rod Rig Gez Sep 16 '11 at 21:27
  • @Cfreak - the javascript code and login are included into index.php page. I don't want to send anything to .php but I just want the function to return true ( refresh ) when the input is correct. It doesn't return true for some reason...When there's no input - it returns false correctly - but when the username is correct it still returns false ( it shouldn't no matter whether I send anything to PHP or not ) Of course I have backend PHP validation code as well - I just want to focus why it doesn't pass PHP variable to Javascript function correctly.. – Rod Rig Gez Sep 16 '11 at 21:29
  • MD5 is a compromised hash function. It can be broken within seconds nowadays. For more info see [here](http://en.wikipedia.org/wiki/MD5#Security). – nfechner Sep 16 '11 at 21:33
  • @nfechner - thank you...I'll mind it.. – Rod Rig Gez Sep 16 '11 at 21:34
  • @Mr X - your first loop is simply wrong. You're just overwriting a single variable every pass. It's completely unclear what you're trying to do. If you're trying to select a single user it won't work because your query is wrong and you aren't passing any input to the PHP. If you're trying to put EVERY user into the javascript variable you need to concat or use an array and then change the Javascript for that to work. HOWEVER if that is what you're attempting it's a horrible idea from a security standpoint. TL;DR Re-think your whole design. – Cfreak Sep 16 '11 at 21:35
  • @Mr X - Your javascript is not returning true because functions do **NOT** return true by default. A function without a return value will return `undefined`. – thedaian Sep 16 '11 at 21:40
  • @thedaian Thank you - I added ' else { return true; } ' it still returns false... – Rod Rig Gez Sep 16 '11 at 21:49
  • @Cfreak Yes I know - I'll validate input through PHP as well - always do this ! – Rod Rig Gez Sep 16 '11 at 21:50

4 Answers

1

Validation should not be done via Javascript. For any number of reasons I can crack open Firebug or Chrome and hack your web page if you validate there. You should use PHP code for your validation and make sure you properly sanitize your input.

Regarding your use of PHP tags:

```php
var php = "<?php echo $user; ?>";
```

Is how you should write your code. Per the PHP Manual

http://www.php.net/manual/en/language.basic-syntax.phpmode.php

```php
1.  <?php echo 'if you want to serve XHTML or XML documents, do it like this'; ?>

2.  <script language="php">
        echo 'some editors (like FrontPage) don\'t
              like processing instructions';
    </script>

3.  <? echo 'this is the simplest, an SGML processing instruction'; ?>
    <?= expression ?> This is a shortcut for "<? echo expression ?>"

4.  <% echo 'You may optionally use ASP-style tags'; %>
    <%= $variable; # This is a shortcut for "<% echo . . ." %>
```

Item 1 is actually the preferred format.

Short tags (example three) are only available when they are enabled via the short_open_tag php.ini configuration file directive, or if PHP was configured with the --enable-short-tags option.

Mech
  • Yes - thank you! I know very well you shouldn't validate through javascript - Regardless - why it returns false on correct username input ?? That was my question - thank you.. – Rod Rig Gez Sep 16 '11 at 21:43
0

It should be `var php = "<? echo $user; ?>";`

or

`var php = "<?= $user; ?>";`

`echo` and `<?=` is not needed

zod
0

I am in agreement that you should not be validating things like this.

Use JS to validate the form on submit to ensure it's completed and all sections are complete, then use PHP or any scripting language to do a server-side validation.

If you want it so that if it fails then the JS displays a message then rather than passing the user details etc then pass a simple php boolean to a variable

for instance

var userValid =

The php $valResult will be the result given by the db check etc

then use this js variable.

Simon Davies
-1

A simple, reliable PHP to Javascript encoder is json_encode.

```php
var jsVal = <?php echo json_encode($phpVal); ?>; // note trailing semicolon!
```
Steve Clay
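The last two answers combined, as an added example that is not code from any of the posters: the server checks the one submitted username with a bound parameter and `password_verify()`, and only a boolean (`userValid`, from `$valResult`) reaches the JavaScript through `json_encode()`. Assumptions: PDO with in-memory SQLite stands in for the MySQL `basic` table so it runs offline, the sample user and login attempts are constructed, and `check_login` and `shownName` are hypothetical names.

```php
<?php
// Added example. Assumption: PDO with in-memory SQLite stands in for the
// MySQL table `basic` from the question so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE basic (user_id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');

// Constructed sample user, stored with password_hash() rather than MD5.
$ins = $db->prepare('INSERT INTO basic (username, password) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Hypothetical helper: checks one submitted login and returns only a boolean.
function check_login(PDO $db, string $username, string $password): bool
{
    // Fetch the single matching row with a bound parameter, not every user.
    $stmt = $db->prepare('SELECT password FROM basic WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();   // false when the user does not exist
    return $hash !== false && password_verify($password, $hash);
}

// Constructed stand-ins for $_POST['username'] and $_POST['password'].
$attempts = [
    ['alice', 'correct horse'],
    ['alice', 'wrong'],
    ['o"neil</script>', 'x'],
];
// Escape <, >, &, ' and " so the literal is safe inside a <script> block.
$flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
foreach ($attempts as [$user, $pass]) {
    $valResult = check_login($db, $user, $pass);
    // The page receives the result and the echoed-back name, never the hash.
    echo '<script>var userValid = ', json_encode($valResult, $flags),
         '; var shownName = ', json_encode($user, $flags), ";</script>\n";
}
```

With these flags the quote and angle brackets in the third name are emitted as `\uXXXX` escapes, so the value cannot end the string or the surrounding script block.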