
Somebody please help, I don't know what to do. It goes like this.

 

On Game.php I used AJAX to transfer a value to Scores.php, which will be saved in MySQL. Even a newbie programmer can change the value at his own will. I want to use SHA1 to compare if the value on Game.php is similar to the value passed to Scores.php; if they are the same then the value will be saved. Is my thinking correct?

 

Game.php

$(document).ready(function() {
    $('#bregister').click(function() {
        var data = $("#f1").formToArray();
        $.ajax({
            type: 'POST',
            url: 'page2.php',
            data: data,
            success: function(result) {
                setTimeout("location.reload(true);", 1);
            }
        });
    });
});
    

    </script>
    
    
</head>    


<body>
    
    <h1> Congratulations!</h1>
    <br>
    Your Name here...
    <form id="f1">
   
  		<input type="text" name = "sname" value="Anonymous">
        <input type="hidden" name="ntime" value="<?php echo sha1($_GET['ftime']);?>">
        <input type="button" id="bregister" value="OK">
    
    </form>

scores.php

<?php
mysql_connect("localhost", "","") or die("error");
mysql_select_db("scoreboard") or die("error!");


   $name = $_POST["sname"];
   $time = $_POST["ntime"];
   
  // $time = $_POST["timer"];
$query = "INSERT INTO score VALUES('$name','$time')";
$result = mysql_query($query);

?>

 

How do I validate it?


First, fix the SQL injection.

$name = $_POST["sname"];
$time = $_POST["ntime"];
$query = "INSERT INTO score VALUES('$name','$time')";

should be

// Escape both posted values before they go into the query string
$query = sprintf("INSERT INTO score VALUES('%s','%s')",
    mysql_real_escape_string($_POST['sname']),
    mysql_real_escape_string($_POST['ntime'])); // form field is named ntime

 

Second, where does the $_GET['ftime'] come from?

It would probably be better to use a session (in fact you could do the same for the name).

 

EDIT: However, to answer your question, in the form have

<input type="hidden" name="hash" value="<?php echo sha1($_GET['ftime']);?>">
<input type="hidden" name="ntime" value="<?php echo htmlspecialchars($_GET['ftime'], ENT_QUOTES);?>">

and in PHP have

// === avoids PHP's loose comparison of numeric-looking strings
if($_POST['hash'] === sha1($_POST['ntime']) ){
//VALID
}

You should also add salt.

 

I'd like to point out 2 things (number 2 is the big one).

 

1. Someone may work out that the hash is the sha1 of the time; to make them work harder you could add salt,

for example

$salt = "long unique string but must be the same as the one on the form";
// === avoids PHP's loose comparison of numeric-looking strings
if($_POST['hash'] === sha1($_POST['ntime'].$salt) ){
//VALID
}

 

<?php
$salt = "long unique string but must be the same as the one on the form";
?><input type="hidden" name="hash" value="<?php echo sha1($_GET['ftime'].$salt);?>">
<input type="hidden" name="ntime" value="<?php echo htmlspecialchars($_GET['ftime'], ENT_QUOTES);?>">

 

2. This page generates the time and the hash from the URL. This means anyone who visits the page could simply change the URL and the new time and hash will be generated.

 

Now I am going to assume that you have no control over that and the game passes the data via a GET.

 

So a middle option may be this:

<?php
// gateway.php
session_start();
$_SESSION['ftime'] = $_GET['ftime']; //save time to session
header("Location: Game.php"); //redirect to game.php
exit; // stop here so nothing else runs after the redirect header
?>

 

<?php
session_start();
if(empty($_SESSION['ftime']) || empty($_POST['sname'])) exit("Invalid Data!");
mysql_connect("localhost", "","") or die("error");
mysql_select_db("scoreboard") or die("error!");

// $time = $_POST["timer"];
$query = sprintf("INSERT INTO score VALUES('%s','%s')", 
    mysql_real_escape_string($_POST['sname']),
    mysql_real_escape_string($_SESSION['ftime']));
$result = mysql_query($query);
unset($_SESSION['ftime']);
?>

 

Now you need to update your code so that instead of passing ftime to scores.php you pass it to gateway.php (that will load up scores).

Now if all that works correctly then you only need to post the sname to scores.php, and the URL for scores will not have the ?ftime= at the stop.

But this still has the same problem because it's using GET, and the user could just enter the URL gateway.php?ftime=whatever, but there's not much you can do about that unless you can use something other than GET,

hence my second question:

Second, where does the $_GET['ftime'] come from?

It would probably be better to use a session.
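
The salted-hash check discussed in the replies above, written as an added example (not code from any poster in this thread) with a keyed HMAC and a constant-time comparison. The key, the sample session id, the function names and the digits-only format of ftime are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. SCORE_KEY is a constructed placeholder;
// in practice load a long random secret from server-side configuration.
const SCORE_KEY = 'constructed-demo-key-do-not-reuse';

// Game.php side: sign the time together with the session id, so a tag
// issued to one session is not valid when posted from another.
function sign_time(string $ftime, string $sessionId): string
{
    return hash_hmac('sha256', $sessionId . '|' . $ftime, SCORE_KEY);
}

// scores.php side: accept the posted time only if the tag matches.
function verify_time(string $ftime, string $tag, string $sessionId): bool
{
    // Assumed format: ftime is a whole number of seconds, at most 6 digits.
    if (!preg_match('/^\d{1,6}$/', $ftime)) {
        return false;
    }
    // hash_equals() compares in constant time and does no type juggling.
    return hash_equals(sign_time($ftime, $sessionId), $tag);
}

// Constructed sample values.
$sid = 'sess-abc123';
$tag = sign_time('42', $sid);

var_dump(verify_time('42', $tag, $sid));         // value and tag as issued
var_dump(verify_time('7', $tag, $sid));          // time edited in the form
var_dump(verify_time('7', sha1('7'), $sid));     // tag recomputed as plain sha1
var_dump(verify_time('42', $tag, 'sess-other')); // tag posted from another session
```

Only the first call is accepted. As the last reply points out, a check like this shows the value was not changed after the server signed it; it cannot show that the ftime the server originally received through GET was honest.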
