jhomsrts Posted June 30, 2021

Good morning to all! I ask because I'm not an expert in front-end and back-end programming. I share the way in which I make the client communicate with the server. I would like you to tell me if it's well implemented or if it can be improved. The idea is to boost our knowledge/skills every day.

Method: Send with Ajax

Client-side:

    <script>
    jQuery.ajax({
        url: 'script.php',
        // May be a FormData item too. $phpvariable is filled in by PHP when the page is rendered.
        data: {'Var1': $('#ID').val(), 'Var2': $phpvariable},
        type: 'POST',
        success: function (s) {
            // Received an encoded JSON from server-side with any data.
            var data = JSON.parse(s);
            $('#resultselement').html(data[0]);
        },
        error: function () {
            alert('Error message');
        }
    });
    </script>

Server-side:

    <?php
    $POSTVAR1 = $_POST["Var1"];
    $POSTVAR2 = $_POST["Var2"];

    // {INCLUDES, INTERNAL VARIABLES, PHP SCRIPT, ETC}

    // Collect the values to return; the array must exist before array_push()
    $array = array();
    array_push($array, $phpvar1, $phpvar2, $phpvar3 /* ..., $phpvarn */);

    // Sending data to client-side
    echo json_encode($array);
    ?>

I appreciate any correction or suggestion, thanks!
Krydos Posted July 1, 2021

Looks pretty good. The one thing I would recommend is sanitizing your post variables. When you write code you always have to think like a hacker trying to break your system. You can't trust any data that is sent from a user in a post variable. Worst case scenario, if you're using database queries with the data you get from post variables, it could end up being SQL injection.
jhomsrts (Author) Posted July 1, 2021

Ohh, copied loud and clear! I assume you mean using methods that prevent the user from sending "unsupported characters", like the mysqli_real_escape_string and htmlentities functions. In addition to these functions, are there other ways to guarantee the integrity of the data sent via POST variables? Thanks for your reply!
Krydos Posted July 2, 2021

13 hours ago, jhomsrts said: I assume you mean using methods that prevent the user from sending "unsupported characters", like the mysqli_real_escape_string and htmlentities functions.

You can go even further than that by determining exactly what characters are allowed. For instance, on Linux usernames have to be all lowercase letters and numbers, so you can do this:

    // Strip everything that is not a lowercase letter or a digit
    $username = preg_replace("/[^a-z0-9]+/", "", $_POST["username"]);

Everything that isn't a lowercase letter or a number gets removed, and then you can do various if-then checks after that to make sure the remaining characters are valid.
jhomsrts (Author) Posted July 2, 2021

You are right! In fact, I had already done these validations on the client side with JavaScript, for example:

    ...
    // A defined range of ASCII codes to look for
    var regex_a = /[\x20-\x2a]/;
    var regex_b = /[\x2c-\x2f]/;
    var regex_c = /[\x3a-\x7e]/;
    // `value` holds the string being checked (`var` is a reserved word in JavaScript)
    if (regex_a.test(value) || regex_b.test(value) || regex_c.test(value)) {
        // Do something...
    }
    ...

But I see that doing them on the server side gives better security in the process. 👍
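As an added example (not code from any post in this thread), here is the server-side half of the exchange above written the way the replies suggest: each POST variable is checked against an allow-list and rejected when it does not match, the database lookup uses a bound parameter instead of string concatenation, and the value the client drops into .html() is encoded for HTML before it is JSON-encoded. The table, column names, field meanings and database credentials are assumptions.

```php
<?php
// Added example, not from the thread. Table/column names and credentials are assumed.
declare(strict_types=1);

// Validate rather than strip: a value that does not match the allow-list is an
// error the client should see, not something to silently "repair".
function validate_username(mixed $raw): ?string {
    if (!is_string($raw) || !preg_match('/^[a-z0-9]{1,32}$/', $raw)) {
        return null;
    }
    return $raw;
}

function validate_quantity(mixed $raw): ?int {
    // filter_var() returns false for anything that is not a whole number in range
    $n = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 1000]]);
    return $n === false ? null : $n;
}

header('Content-Type: application/json; charset=utf-8');

$username = validate_username($_POST['Var1'] ?? null);   // assumed: Var1 is a username
$quantity = validate_quantity($_POST['Var2'] ?? null);   // assumed: Var2 is a quantity

if ($username === null || $quantity === null) {
    http_response_code(400);          // a non-2xx status makes jQuery call error:
    echo json_encode(['error' => 'invalid input']);
    exit;
}

// Prepared statement: the validated value travels as a bound parameter and is
// never concatenated into the SQL text, so escaping is not what holds the line.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // assumed credentials
$stmt = $db->prepare('SELECT display_name FROM users WHERE username = ? LIMIT 1');
$stmt->bind_param('s', $username);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();

// The client inserts data[0] with .html(), so encode for the HTML context here;
// json_encode() alone does not make a string safe to render as markup.
$safe_name = htmlspecialchars($row['display_name'] ?? 'unknown', ENT_QUOTES, 'UTF-8');

echo json_encode([$safe_name, $quantity]);
```

The client-side code from the first post works unchanged against this script; the 400 status on bad input is what routes the response into its error: callback instead of success:.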