Resolved: best practice login (secure data) via ajax - POST JSON AJAX



lse123
12-29-2012, 05:06 PM
best practice login (secure data) via ajax - IS IT POST JSON AJAX?

To submit, via plain JavaScript (not jQuery), an AJAX JSON request to the server with type=POST (a secure login request), is a web form required?

How do I do it without a web form... where do I put the JSON string variable being sent, and how/with what do I get it in PHP?

ajax3.send(jsonStringhere); // ??? how do I get it in PHP??? WHAT $_GET["what is here in post ajax no web form"]


function loginProcess() {
    var userID = document.getElementById( "name" ).value;
    var email = document.getElementById( "email" ).value;
    var password = document.getElementById( "password" ).value;

    ajax3 = new XMLHttpRequest(); // kept global: processResponse() reads it

    //1st way: synchronous GET, credentials go in the query string
    ajax3.open("GET","loginProcess.php?userID="+userID+"&email="+email+"&password="+password,false);
    ajax3.addEventListener("readystatechange", processResponse, true);
    ajax3.send();

    changeDisplay("loginRegisterDiv");


    //2nd way JSON post type here

    //???

}

traq
12-29-2012, 08:46 PM
First off, **nothing** will be secure without an SSL connection. There's no point in trying.

Once you're secure, it's very straightforward: compose your data (wherever you get it from, be it a form or something else) in JavaScript, stringify it into a JSON string, and then send a POST request via ajax. The JSON string will be available to PHP in the $_POST variable.

Using GET will work also, but a login request "changes state" of the web app, so POST is the appropriate method to send it.

lse123
12-29-2012, 09:13 PM
Yes, thanks, but to send the stringified JSON, e.g. called strJSON, what AJAX statement do I use for the POST request?

Is this correct: ajax3.send(strJSON); // if yes, how do I get (the POST) with PHP...?
I need one statement in JS and one in PHP... send and get respectively...
BTW... how do I thank a reply?

traq
12-30-2012, 01:16 AM
What you're doing now should work just fine (the results will be in PHP's $_GET superglobal). This is a good basic example (http://www.javascriptkit.com/dhtmltutors/ajaxgetpost2.shtml) for post requests - it's very similar, except that you need to set a request header, and you pass the parameters differently.

For example, an easy way to create a JSON string is to simply stringify a plain JS object:
var myobj = { name:'Joe Somebody',email:'email@example.com' };

var jsonstring = JSON.stringify( myobj );

However, this seems to be an extra step. You'll need to use json_decode() (http://php.net/json_decode) on the PHP side to read the info. Is there any reason you do not want to post the key : value pairs normally?

To "thank" someone, click the "Thanks" button at the bottom of the post.

lse123
12-30-2012, 06:57 AM
When I use json_decode(hereWhatVariableToInsert) in PHP,
what variable do I insert... how is the POST variable I am sending represented in PHP... in the two JS cases below?

Are they both $_POST["name"]; // to access the first var, both individually and in JSON???

first no JSON

var mypostrequest = new XMLHttpRequest();
// namevalue / agevalue: the values read from the form fields
var parameters = "name="+namevalue+"&age="+agevalue;
mypostrequest.open("POST", "basicform.php", true);
mypostrequest.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
mypostrequest.send(parameters);

second JSON

var mypostrequest = new XMLHttpRequest();
var myobj = { name:'Joe Somebody', email:'email@example.com' };
var jsonstring = JSON.stringify( myobj );
mypostrequest.open("POST", "basicform.php", true);
mypostrequest.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
mypostrequest.send(jsonstring); // the raw JSON text is the whole body, with no field name

lse123
12-30-2012, 06:58 AM
Should the Content-type in the second version be the JSON MIME type?

traq
12-30-2012, 05:17 PM
One thing I forgot to mention - the example I linked to does not use semicolons to end each JavaScript statement (it simply uses newlines). This is very bad practice and can cause hard-to-track errors. You should always end statements with semicolons.

In your second example, you're not giving the JSON string a name (key) - I'm not sure it would be accessible at all. You'd need to do

var postjson = 'jsonstring=' + encodeURIComponent( jsonstring );
mypostrequest.send( postjson );

and then

<?php
// second argument true: decode to an associative array so ['name'] works
$myarray = json_decode( $_POST['jsonstring'], true );

print $myarray['name'];
print $myarray['email'];
// etc...

In your first example (non-JSON), you'd have access to the values directly in the POST superglobal:
<?php
print $_POST['name'];
print $_POST['email'];
// etc...

The content-type should not be json, no. It should be application/x-www-form-urlencoded, as in the example I linked to.

Have you been trying out your code? Are you getting the results you expect?

lse123
12-31-2012, 04:05 PM
encodeURIComponent

Is this needed for POST requests... isn't it only for GET requests?

I'll try now to make it...

BTW, where is the THANK button?

traq
12-31-2012, 04:44 PM
No, it's necessary for POST as well (what would happen if one of your POST values had an unencoded ampersand in its value?).

The Thanks button is on the grey bar directly below the post, on the left side.
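Added example, not code from the thread, showing the encoding traq is describing: the JSON login string goes into a single jsonstring field of a form-urlencoded body, and the body is then parsed back the way PHP fills $_POST, so the effect of encodeURIComponent() on a POST body is visible. The function names and the sample credentials are made up for this example.

```javascript
// Added example (not the thread's code): form-urlencoded round trip of a JSON login.

// Build an application/x-www-form-urlencoded body from a key/value object.
function buildFormBody(fields) {
    return Object.keys(fields).map(function (k) {
        return encodeURIComponent(k) + "=" + encodeURIComponent(fields[k]);
    }).join("&");
}

// Parse a form-urlencoded body back into an object: split on "&", then on the
// first "=". This mirrors how PHP populates $_POST ("+" also becomes a space).
function parseFormBody(body) {
    var out = {};
    body.split("&").forEach(function (pair) {
        if (pair === "") { return; }
        var idx = pair.indexOf("=");
        var k = idx < 0 ? pair : pair.slice(0, idx);
        var v = idx < 0 ? "" : pair.slice(idx + 1);
        out[decodeURIComponent(k.replace(/\+/g, " "))] =
            decodeURIComponent(v.replace(/\+/g, " "));
    });
    return out;
}

// Client side: JSON-encode the login fields and wrap them in one POST field.
// Server side (simulated): read the field back and decode it like json_decode().
function roundTrip(credentials) {
    var jsonstring = JSON.stringify(credentials);
    var body = buildFormBody({ jsonstring: jsonstring }); // what xhr.send() transmits
    var post = parseFormBody(body);                         // what PHP sees in $_POST
    return JSON.parse(post.jsonstring);                     // json_decode($_POST['jsonstring'], true)
}

// The same data sent without encoding: the "&" inside the password starts a
// new field, so the JSON text reaching the server is cut off and fails to parse.
function unencodedIsBroken(credentials) {
    var raw = "jsonstring=" + JSON.stringify(credentials);
    var fields = raw.split("&");
    try {
        JSON.parse(fields[0].slice("jsonstring=".length));
        return false;
    } catch (e) {
        return fields.length > 1;
    }
}

// Constructed sample: the password contains the characters that break an unencoded body.
var sample = { userID: "cust1", email: "9@es.com", password: "a&b=c+d" };
```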

lse123
12-31-2012, 04:56 PM
Only the first AJAX way works (PHP gives true); for the others PHP gives false... Well?
function loginProcess() {
    var userID = document.getElementById( "name" ).value;
    var email = document.getElementById( "email" ).value;
    var password = document.getElementById( "password" ).value;

    ajax3 = new XMLHttpRequest(); // kept global: processResponse() reads it

    //1st way GET NOT SECURE (credentials go in the URL)
    ajax3.open("GET","loginProcess.php?userID="+userID+"&email="+email+"&password="+password,false);
    ajax3.addEventListener("readystatechange", processResponse, true);
    ajax3.send();

    changeDisplay("loginRegisterDiv");


    //2nd way POST JSON -- for secure really needed SSL
    /*var myobj = { "userID":userID,"email":email,"password":password }; // p454
    var jsonstring = JSON.stringify( myobj );
    var postjson = "jsonstring="+encodeURIComponent( jsonstring );

    ajax3.open("POST", "loginProcessJSON.php", true);
    ajax3.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    ajax3.addEventListener("readystatechange", processResponse, true);
    ajax3.send(postjson);

    changeDisplay("loginRegisterDiv");*/


    //3rd way POST plain -- for secure really needed SSL
    /*var post1 = "userID="+userID+"&email="+email+"&password="+password;

    ajax3.open("POST", "loginProcess.php", true);
    ajax3.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    ajax3.addEventListener("readystatechange", processResponse, true);
    ajax3.send(post1);

    changeDisplay("loginRegisterDiv");*/
}
<?php // loginProcess.PHP
session_start();

$_SESSION["userID"]="";

// $_REQUEST merges GET, POST and COOKIE, so these work for the 1st and 3rd way
$userID = $_REQUEST['userID'];
$password = $_REQUEST['password'];
$email = $_REQUEST['email'];

if (isset($_GET['userID']) && $_GET['userID']=="logout") {
    $_SESSION["userID"]="0000000000000000000000000000000";
    return;
}

// presence check reads $_GET only: it passes for the 1st way, not for POST
if ((isset($_GET['userID'])) && (isset($_GET['password'])) && (isset($_GET['email'])))
{
    // hard-coded test credentials
    if (($userID=="cust1") && ($password=="ju") && (($email=="9@es.com") || ($email=="9%40es.com")))
    {
        $_SESSION["userID"]=$_GET['userID'];
        echo "true";
        return;
    } else {
        echo "false";
        return;
    }
} else {
    echo "false";
    return;
}
?>
<?php // loginProcessJSON.PHP
session_start();
//http://stackoverflow.com/questions/8517071/send-json-data-via-post-ajax-and-receive-json-response-from-controller-mvc

$yourJSONString = $_POST["jsonstring"];

// true: decode to an associative array so the fields can be read with ['...']
$array = json_decode($yourJSONString, true);

$userID = $array['userID'];
$password = $array['password'];
$email = $array['email'];

$_SESSION["userID"]="";

if (isset($_GET['userID']) && $_GET['userID']=="logout") {
    $_SESSION["userID"]="0000000000000000000000000000000";
    return;
}

// NOTE: these checks still read $_GET, although the 2nd way sends the fields
// inside the POSTed JSON string, so this branch is never taken and "false" is echoed
if ((isset($_GET['userID'])) && (isset($_GET['password'])) && (isset($_GET['email'])))
{
    // hard-coded test credentials
    if (($userID=="cust1") && ($password=="ju") && (($email=="9@es.com") || ($email=="9%40es.com")))
    {
        $_SESSION["userID"]=$_GET['userID'];
        echo "true";
        return;
    } else {
        echo "false";
        return;
    }
} else {
    echo "false";
    return;
}
?>

lse123
12-31-2012, 05:00 PM
Seems I found the error, will retry... Used GET again but must use JSON or POST... or REQUEST... If there's a problem I'll come back here... thanks

lse123
12-31-2012, 05:10 PM
Problem fixed; it was the GET global, replaced now... Thanks, but I have not found the thank button yet; can you send a screenshot with a circle where it is located...

traq
01-01-2013, 12:22 AM
So, fixed?

If your question has been answered, please mark your thread "resolved":
On your original post (post #1), click [edit], then click [go advanced]. In the "thread prefix" box, select "Resolved". Click [save changes].

------------------------------------------------
"Thanks":
http://custom-anything.com/sand/tmp/DDthanks.png


------------------------------------------------
On a side note, you should avoid using $_REQUEST. It's bad practice to not know where your input is coming from - it can lead to naming conflicts, other unexpected errors, or even security holes, depending on your PHP configuration.

When you want to access a $_GET variable, always use $_GET.
When you want to access a $_POST variable, always use $_POST.
When you want to access a $_COOKIE variable, always use $_COOKIE.