How do I change this name to a variable defined in PHP?

[TeddyKiller]

$user->username

Is defined as the users username.

 

By default, the chat users username is .. Ryan Smith. heh.

 

How can I use it so it users $user->username

(This is probably a dumb question)

 

            function sendChatText() {
                if(document.getElementById('txt_message').value == '') {
                    alert("You have not entered a message");
                    return;
                }
                if (sendReq.readyState == 4 || sendReq.readyState == 0) {
                    sendReq.open("POST", 'getChat.php?chat=1&last=' + lastMessage, true);
                    sendReq.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
                    sendReq.onreadystatechange = handleSendChat; 
                    var param = 'message=' + document.getElementById('txt_message').value;
                    param += '&name=Ryan Smith';
                    param += '&chat=1';
                    sendReq.send(param);
                    document.getElementById('txt_message').value = '';
                }                            
            }

[premiso]

On the javascript page, if it is .php, you just need to access that object and populate it. But doing this is unwise, due to anyone could easily spoof someone elses name.

 

Instead why grab the name on the php side then pass it to the ajax call to use, this way you control what name is displayed and what name is used.

[TeddyKiller]

I dont understand how it'd spoof it, because.. you have to sign in to access the chat, and it'll be that users login username. Not some chat one? It can only be registered once aswell.

 

Would it be then..

param += '&name=$user->username';

 

Sorry if I sound dumb.

[premiso]

Once I am logged in, I can easily spoof the the js page and send fake data to your script. It is not really hard for me to create a page that all it does is post to that script using certain means. There are methods to be put in place that can prevent this, but if they are not it is pretty easy to spoof data.

 

That would work, if your js page is created by php and you use proper syntax:

 

param += '&name=<?php echo $user->username; ?>';

 

Would be more of what you need to put in there, but like I said you have to have that object defined / instantiated previously on that js page in the code behind and it has to be parsed as php even though it is serving out javascript code.