jhomsrts Posted June 30, 2021 Share Posted June 30, 2021 Good morning for all! I ask because I'm not an expert in front and back programming, I share my way in which I communicate the client with the server. I would like you to tell me if it's well implemented or if it can be improved? The idea is to boost our knowledge/skills every day Method: Send with Ajax Client-side: <script> jQuery.ajax({ url: 'script.php', data:{'Var1': $('#ID').val(), 'Var2': $phpvariable},//May be FormData item too. type: 'POST', success:function(s){ //Received a encoded JSON from server-side with any data. var data = JSON.parse(s); $('#resultselement').html(data[0]); }, error:function (){ alert('Error message'); } }); </script> Server-side: <?php $POSTVAR1 = $_POST["Var1"]; $POSTVAR2 = $_POST["Var2"]; {INCLUDES, INTERNAL VARIABLES, PHP SCRIPT, ETC} array_push($array, $phpvar1, $phpvar2, $phpvar3....,$phpvarn); //Sending data to client-side echo json_encode($array); ?> I appreciate any correction or suggestion, thanks! Quote Link to comment Share on other sites More sharing options...
Krydos Posted July 1, 2021 Share Posted July 1, 2021 Looks pretty good. The one thing I would recommend is sanitizing your post variables. When you write code you have to always think like a hacker trying to break your system. You can't trust any data that is sent from a user in post variable. Worst case scenario if you're using database queries with the data you get from post variables it could end up being sql injection. Quote Link to comment Share on other sites More sharing options...
jhomsrts Posted July 1, 2021 Author Share Posted July 1, 2021 Ohh copied loud and clear!. I assume you mean using methods that prevent the user from sending "unsupported characters", like the mysqli_real_escape_string and htmlentities functions. In addition to these functions, are there other ways to guarantee the integrity of the data sent via POST variables? Thanks for your reply! Quote Link to comment Share on other sites More sharing options...
Krydos Posted July 2, 2021 Share Posted July 2, 2021 13 hours ago, jhomsrts said: I assume you mean using methods that prevent the user from sending "unsupported characters", like the mysqli_real_escape_string and htmlentities functions. You can go even further than that by determining exactly what characters are allowed. For instance on Linux usernames have to be all lowercase and numbers so you can do this $username = preg_replace("/[^a-z0-9]+/", "", $_POST["username"]); Everything that isn't a lowercase letter or a number gets removed, and then you can do various if then checks after that to make sure the remaining characters are valid. Quote Link to comment Share on other sites More sharing options...
jhomsrts Posted July 2, 2021 Author Share Posted July 2, 2021 You are right! In fact, I had already done these validations in the client side with JavaScript, for example ... //A defined range var regex_a = /[\x20-\x2a]/; var regex_b = /[\x2c-\x2f]/; var regex_c = /[\x3a-\x7e]/; if(regex_a.test(var) || regex_b.test(var) || regex_c.test(var)){ //Do something... } ... but I see that doing them on the server side gives better security in the process. 👍 Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.