
I am passing the variable sessionnum from the following Javascript function in the page chat.php:

$(document).ready(function(){
    timestamp = 0;
    updateMsg();
    $("form#chatform").submit(function(){
        $.post("backend.php", {
            message: $("#msg").val(),
            name: author,
            action: "postmsg",
            time: timestamp,
            tablename1: sessionnum   // the session number handed to backend.php
        }, function(xml) {
            $("#msg").empty();
            addMessages(xml);
            document.forms['chatform'].reset();
            fixScroll();
        });
        return false;   // stop the browser from submitting the form normally
    });
});

To the following PHP function in backend.php:

if(@$action == "postmsg") {
    mysql_query("INSERT INTO `$tablename1` (`user`,`msg`,`time`)
                 VALUES ('$name','$message',".time().")", $dbconn);
    mysql_query("DELETE FROM `$tablename1` WHERE id <= ".
                (mysql_insert_id($dbconn)-$store_num), $dbconn);
}
$messages = mysql_query("SELECT user,msg
                         FROM `$tablename1`
                         WHERE time>$time
                         ORDER BY id ASC
                         LIMIT $display_num", $dbconn);

It only works when I hard-code an assignment such as $tablename1 = 100 in backend.php even though both the variable and its value are integers and the same value. This hack is not acceptable, as I actually have to pass the variable. Is there a bug in my code?

This code is adapted from http://articles.sitepoint.com/article/ajax-jquery/3

Thanks for any help POSTING the variable correctly with jQuery.

asked Mar 4, 2010 at 4:37

2 Answers

Try changing the POST variables to $_POST['variable_name']. You're using a syntax that relies on globals being registered as variables. This is a feature that is a) not enabled by default and b) poses a major security risk when it is enabled. Thus, try changing your server-side code to:

// Read each value explicitly from the $_POST superglobal instead of
// relying on register_globals to create $action, $name, etc.
$action     = $_POST['action'];
$tablename1 = mysql_real_escape_string($_POST['tablename1']);
$name       = mysql_real_escape_string($_POST['name']);
$message    = mysql_real_escape_string($_POST['message']);
$time       = (int) $_POST['time'];   // also posted by chat.php; cast to int for the WHERE clause
// Note: mysql_real_escape_string does not escape backticks, so a table name
// still needs its own validation (e.g. an integer check) before use as an identifier.
if(@$action == "postmsg") {
    mysql_query("INSERT INTO `$tablename1` (`user`,`msg`,`time`)
                 VALUES ('$name','$message',".time().")", $dbconn);
    mysql_query("DELETE FROM `$tablename1` WHERE id <= ".
                (mysql_insert_id($dbconn)-$store_num), $dbconn);
}
$messages = mysql_query("SELECT user,msg
                         FROM `$tablename1`
                         WHERE time>$time
                         ORDER BY id ASC
                         LIMIT $display_num", $dbconn);

Note that, in order to prevent some SQL injections, the variables that you're using in your SQL queries (that the user can potentially change) have been escaped using mysql_real_escape_string.

answered Mar 4, 2010 at 4:50
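The same backend.php flow rewritten with mysqli prepared statements, as an added example that is not code from the question, the answers, or the SitePoint article. It assumes a mysqli connection in $dbconn (mysqlnd available for get_result), per-session tables named chat_<sessionnum>, and $store_num / $display_num configured elsewhere as on the original page.

```php
<?php
// Added example: explicit $_POST reads plus prepared statements.
// Assumes $dbconn is a mysqli connection and $store_num/$display_num are set.

// Read every input from $_POST explicitly; never rely on register_globals.
$action  = isset($_POST['action'])     ? $_POST['action']          : '';
$name    = isset($_POST['name'])       ? trim($_POST['name'])      : '';
$message = isset($_POST['message'])    ? $_POST['message']         : '';
$time    = isset($_POST['time'])       ? (int) $_POST['time']      : 0;
$session = isset($_POST['tablename1']) ? $_POST['tablename1']      : '';

// Table names cannot be bound as parameters, so validate the session number
// against a strict digits-only pattern and build the identifier server-side
// rather than interpolating client input into the query.
if (!preg_match('/^[0-9]{1,9}$/', $session)) {
    header('HTTP/1.1 400 Bad Request');
    exit('invalid session');
}
$table = 'chat_' . $session;   // e.g. chat_100; only digits can reach here

if ($action === 'postmsg') {
    $stmt = $dbconn->prepare(
        "INSERT INTO `$table` (`user`, `msg`, `time`) VALUES (?, ?, ?)");
    $now = time();
    $stmt->bind_param('ssi', $name, $message, $now);   // values are bound, not concatenated
    $stmt->execute();
    $lastId = $dbconn->insert_id;
    $stmt->close();

    // Trim old rows exactly as the original code does, with a bound threshold.
    $threshold = $lastId - (int) $store_num;
    $stmt = $dbconn->prepare("DELETE FROM `$table` WHERE id <= ?");
    $stmt->bind_param('i', $threshold);
    $stmt->execute();
    $stmt->close();
}

// Fetch messages newer than the client's last timestamp.
$limit = (int) $display_num;
$stmt  = $dbconn->prepare(
    "SELECT user, msg FROM `$table` WHERE time > ? ORDER BY id ASC LIMIT ?");
$stmt->bind_param('ii', $time, $limit);
$stmt->execute();
$messages = $stmt->get_result();   // iterate with $messages->fetch_assoc()
```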

It would appear as though you're relying on register_globals, and referencing what would be the POST variable in PHP, instead of referencing the $_POST superglobal index, e.g.

if ( $_POST['action'] == 'postmsg' ) {
 $name= mysql_real_escape_string( trim( $_POST['name'] ) );
 // query using $name reference
}

As an aside, you should really reconsider allowing the use of the tablename in the client side code.

answered Mar 4, 2010 at 4:50
