best practice login (secure data) via ajax - POST JSON AJAX

**lse123** · 12-29-2012, 05:06 PM

best practice login (secure data) via ajax - IS IT POST JSON AJAX?

To submit via JavaScript plain - not jQuery... ajax JSON request to the server type=POST(secure log in request) required web form?

how do it without a web form ... where put the JSON sent string var and by how/what get in php?

ajax3.send(jsonStringhere); // ??? how get the in php??? WHAT $_get["what is here in post ajax no web form"]

Code:

function loginProcess() {
var userID = document.getElementById( "name" ).value;
var email = document.getElementById( "email" ).value;
var password = document.getElementById( "password" ).value;

ajax3 = new XMLHttpRequest();

//1st way
ajax3.open("GET","loginProcess.php?userID="+userID+"&email="+email+"&password="+password,false); 
ajax3.addEventListener("readystatechange", processResponse, true); 
ajax3.send();

changeDisplay("loginRegisterDiv");


//2nd way JSON post type here

//???

}

**traq** · 12-29-2012, 08:46 PM

First off, **nothing** will be secure without an ssl connection. There's no point in trying.

Once you're secure, it's very straightforward: compose your data (wherever you get it from, be it a form or something else) in javascript, stringify it into a JSON string, and then send a POST request via ajax. The JSON string will be available to PHP in the $_POST variable.

Using GET will work also, but a login request "changes state" of the web app, so POST is the appropriate method to send it.

**lse123** · 12-29-2012, 09:13 PM

yes, thanks but to send the stringfied json eg called strJSON , what ajax statement use for post request?

this is correct: ajax3.send(strJSON); // if yes how get(the post) with php...?
i need one statement in js and one in php... send and get respectively...
btw ... how thank a reply?

**traq** · 12-30-2012, 01:16 AM

What you're doing now should work just fine (the results will be in PHP's $_GET superglobal). This is a good basic example for post requests - it's very similar, except that you need to set a request header, and you pass the parameters differently.

for example, an easy way to create a JSON string is to simply stringify a plain JS object:

Code:

var myobj = {  name:'Joe Somebody',email:'email@example.com' };

var jsonstring = JSON.stringify( myobj );

However, this seems to be an extra step. You'll need to use json_decode() on the PHP side to read the info. Is there any reason you do not want to post the key : value pairs normally?

To "thank" someone, click the "Thanks" button at the bottom of the post.

**lse123** · 12-30-2012, 06:57 AM

when use in php: json_decode(hereWhatVariableToInsert)
what var to insert... how is represented in php the post var i am sending...in the two cases of js below

ARE THEY BOTH $_POST["name"]; // to access the first var, both, in individual and in JSON???

first no JSON

var parameters="name="+namevalue+"&age="+agevalue
mypostrequest.open("POST", "basicform.php", true)
mypostrequest.setRequestHeader("Content-type", "application/x-www-form-urlencoded")
mypostrequest.send(parameters)

second JSON

var myobj = { name:'Joe Somebody',email:'email@example.com' };
var jsonstring = JSON.stringify( myobj );
mypostrequest.open("POST", "basicform.php", true)
mypostrequest.setRequestHeader("Content-type", "application/x-www-form-urlencoded")
mypostrequest.send(jsonstring)

Originally Posted by traq

What you're doing now should work just fine (the results will be in PHP's $_GET superglobal). This is a good basic example for post requests - it's very similar, except that you need to set a request header, and you pass the parameters differently.

for example, an easy way to create a JSON string is to simply stringify a plain JS object:

Code:

var myobj = {  name:'Joe Somebody',email:'email@example.com' };

var jsonstring = JSON.stringify( myobj );

However, this seems to be an extra step. You'll need to use json_decode() on the PHP side to read the info. Is there any reason you do not want to post the key : value pairs normally?

To "thank" someone, click the "Thanks" button at the bottom of the post.

**lse123** · 12-30-2012, 06:58 AM

Content-type IN SECOND VERSION should be json mime?

**traq** · 12-30-2012, 05:17 PM

Edit:

On thing I forgot to mention - the example I linked to does not use semicolons to end each javascript statement (it simply uses newlines). This is very bad practice and can cause hard-to-track errors. You should always end statements with semicolons.

in your second example, you're not giving the json string a name (key) - I'm not sure it would be accessible at all. You'd need to do

Code:

var postjson = 'jsonstring='+encodeURIComponent( jsonstring );
mypostrequest.send( postjson );

and then

PHP Code:


<?php
$myarray = json_decode( $_POST['jsonstring'] );

print $myarray['name'];
print $myarray['email'];
//  etc...

In your first example (non-JSON), you'd have access to the values directly in the POST superglobal:

PHP Code:


<?php
print $_POST['name'];
print $_POST['email'];
//  etc...

The content-type should not be json, no. It should be application/x-www-form-urlencoded, as in the example I linked to.

Have you been trying out your code? Are you getting the results you expect?

**lse123** · 12-31-2012, 04:05 PM

encodeURIComponent

this needed for post requests... isn't only for get requests?

i try now to make it...

btw where is the THANK Button?

**traq** · 12-31-2012, 04:44 PM

no, it's necessary for post as well (what would happen if one of your POST values had an unencoded ampersand in its value?

the thanks button is on the grey bar directly below the post, on the left side.

**lse123** · 12-31-2012, 04:56 PM

ONLY FIRST WAY AJAX WORKS PHP GIVES TRUE THE OTHERS PHP GIVES FALSE...WELL?

Code:

function loginProcess() {
var userID = document.getElementById( "name" ).value;
var email = document.getElementById( "email" ).value;
var password = document.getElementById( "password" ).value;

ajax3 = new XMLHttpRequest();

//1st way  GET NOT SECURE
ajax3.open("GET","loginProcess.php?userID="+userID+"&email="+email+"&password="+password,false); 
ajax3.addEventListener("readystatechange", processResponse, true); 
ajax3.send();

changeDisplay("loginRegisterDiv");


//2nd way POST JSON   --  for secure really needed SSL
/*var myobj = { "userID":userID,"email":email,"password":password }; // p454
var jsonstring = JSON.stringify( myobj );
var postjson = "jsonstring="+encodeURIComponent( jsonstring );

ajax3.open("POST", "loginProcessJSON.php", true);
ajax3.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
ajax3.addEventListener("readystatechange", processResponse, true); 
ajax3.send(postjson);

changeDisplay("loginRegisterDiv");*/


//3rd way POST plain   --  for secure really needed SSL

/*var post1 = "userID="+userID+"&email="+email+"&password="+password;

ajax3.open("POST", "loginProcess.php", true);
ajax3.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
ajax3.addEventListener("readystatechange", processResponse, true); 
ajax3.send(post1);

changeDisplay("loginRegisterDiv");*/
}

Code:

<?php  // loginProcess.PHP
session_start();  

$_SESSION["userID"]="";

$userID = $_REQUEST['userID'];
$password = $_REQUEST['password'];
$email = $_REQUEST['email'];

if ($_GET['userID']=="logout") {
	$_SESSION["userID"]="0000000000000000000000000000000";
	return;
}

if ((isset($_GET['userID'])) && (isset($_GET['password'])) && (isset($_GET['email']))) 
{

if (($userID=="cust1") && ($password=="ju") && (($email=="9@es.com") || ($email=="9%40es.com"))) 
{
	$_SESSION["userID"]=$_GET['userID'];
	echo "true";
	return;
} else {
	echo "false";
	return;
}
} else {
	echo "false";
	return;
} 
?>

Code:

<?php  // loginProcessJSON.PHP
session_start();  
	//http://stackoverflow.com/questions/8517071/send-json-data-via-post-ajax-and-receive-json-response-from-controller-mvc
	
$yourJSONString = $_POST["jsonstring"];	

$array = json_decode($yourJSONString, true);	

$userID = $array['userID'];
$password = $array['password'];
$email = $array['email'];	
	
$_SESSION["userID"]="";

if ($_GET['userID']=="logout") {
	$_SESSION["userID"]="0000000000000000000000000000000";
	return;
}

if ((isset($_GET['userID'])) && (isset($_GET['password'])) && (isset($_GET['email']))) 
{

if (($userID=="cust1") && ($password=="ju") && (($email=="9@es.com") || ($email=="9%40es.com"))) 
{
	$_SESSION["userID"]=$_GET['userID'];
	echo "true";
	return;
} else {
	echo "false";
	return;
}
} else {
	echo "false";
	return;
} 
?>