-2

I have a simple registration form that uses jQuery and Ajax to validate the user input. When the Ajax tries to do the server side validation of the e-mail address (for example) and connect to the database, it doesn't return a result via $msg.

function checkUser () {
    $search = mysql_query("SELECT * FROM users WHERE username = '" . $username . "'"); 
    $match  = mysql_num_rows($search);

    if($match > 0) {
        $msg .= 'Username already in use, please try another.';
    } 
}

Here is the JS:

function send(datastr) {
    $.ajax({
        type: "POST",
        url: "./scripts/addmember.php",
        dataType: "text",
        data: datastr,
        cache: false,
        success: function(html) {
            $("#errordiv").fadeIn("slow");
            $("#errordiv").html(html);
            //setTimeout('$("#errordiv").fadeOut("slow")',2000);
        }
    });
}
Ry-
  • 1
    Hey just if you are wondering why the down votes (not me) this is terrible application design passing SQL through js / Ajax. You may want to reconsider your design. – Damen TheSifter Dec 18 '11 at 00:38
  • Without addmember.php it is very hard to give anything but general suggestions. – Purefan Dec 18 '11 at 00:41
  • @DamenTheSifter and @ anyone who downvoted for that reason: the title is wrong. There's no SQL being passed through Ajax. The first snippet is *PHP*. It's probably not even vulnerable to SQL injection, since we see only the variable `$username`. You're escaping it, right? – Ry- Dec 18 '11 at 01:08
  • 2
    That code *screams* SQL injection. – Chris Eberle Dec 18 '11 at 01:08
  • As Chris says, you should be aware of SQL injection attacks - $username is totally unescaped and someone more nefarious than I could put raw SQL commands to execute in there. See http://www.unixwiz.net/techtips/sql-injection.html . What you are doing there is dangerous and bad in a very direct sense. – tacos_tacos_tacos Dec 18 '11 at 01:14
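
The check from the question with the username bound as a query parameter, which addresses the injection concern raised in the comments above. This is an added example, not code from the original post: it assumes PDO, uses an in-memory SQLite database and a constructed `users` table so it runs offline, and returns the message instead of writing to an outer `$msg`.

```php
<?php
// Added example, not the asker's code. Table layout and sample rows are constructed.
// An in-memory SQLite database stands in for the MySQL server so this runs offline;
// with MySQL only the DSN passed to PDO changes.

function checkUser(PDO $db, string $username): string
{
    // The value is bound as a parameter, never concatenated into the SQL text,
    // so quotes in $username cannot change the structure of the query.
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);

    // Return the message to the caller rather than relying on an outer-scope $msg.
    return $stmt->fetchColumn() > 0
        ? 'Username already in use, please try another.'
        : '';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY)');
$db->exec("INSERT INTO users (username) VALUES ('alice')");

// Constructed inputs: an existing name, a free name, and a value containing
// a quote and SQL keywords, which the bound query treats as one literal string.
$inputs = ['alice', 'bob', "x' OR '1'='1"];

foreach ($inputs as $input) {
    $msg = checkUser($db, $input);
    // Escape on output because the page's JS inserts the response with .html().
    printf(
        "%s => %s\n",
        htmlspecialchars($input, ENT_QUOTES),
        $msg === '' ? 'available' : $msg
    );
}
```

Only `alice` is reported as taken; the third input matches no row because it is compared as a whole username.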

3 Answers

3

In your checkUser() function you're using $msg and $username, which aren't defined. You either left those out or you are very new to programming.

In PHP, variables usually have only a single "scope". This means that a variable $msg isn't accessible in a function, unless you define it there.

In JavaScript, this is valid:

var msg = "";
function appendToMsg(text) {
    msg += text;
}
appendToMsg("test");

In PHP, this is not:

$msg = "";
function appendToMsg($text) {
    $msg .= $text; // .= is PHP's string append; $msg is still undefined in this scope
}
appendToMsg("test");

This will throw a notice PHP Notice: Undefined variable: msg. The function appendToMsg will only know $text, not $msg.

The correct PHP representation of the little JavaScript code is:

$msg = "";
function appendToMsg(&$msg, $text) {
    $msg .= $text; // .= appends strings in PHP; += would do numeric addition
}
appendToMsg($msg, "test");

More on variable scopes:

Tom van der Woerdt
0

You need to echo the output:

echo 'Username already in use, please try another.'; 
Richard
0

After setting the text for the $msg variable, write this:

echo $msg;
Shades88