
I am passing the variable sessionnum from the following JavaScript function in the page chat.php:

$(document).ready(function(){
    timestamp = 0;
    updateMsg();
    $("form#chatform").submit(function(){
        // sessionnum and author are defined elsewhere in chat.php
        $.post("backend.php", {
            message: $("#msg").val(),
            name: author,
            action: "postmsg",
            time: timestamp,
            tablename1: sessionnum
        }, function(xml) {
            $("#msg").empty();
            addMessages(xml);
            document.forms['chatform'].reset();
            fixScroll();
        });
        return false;
    });
});

To the following PHP function in backend.php:

if(@$action == "postmsg") {
    mysql_query("INSERT INTO `$tablename1` (`user`,`msg`,`time`)
                VALUES ('$name','$message',".time().")",$dbconn);
    mysql_query("DELETE FROM `$tablename1` WHERE id <= ".
                (mysql_insert_id($dbconn)-$store_num),$dbconn);
}

$messages = mysql_query("SELECT user,msg
                         FROM `$tablename1`
                         WHERE time>$time
                         ORDER BY id ASC
                         LIMIT $display_num",$dbconn);

It only works when I hard-code an assignment such as $tablename1 = 100 in backend.php even though both the variable and its value are integers and the same value. This hack is not acceptable, as I actually have to pass the variable. Is there a bug in my code?

This code is adapted from http://articles.sitepoint.com/article/ajax-jquery/3

Thanks for any help POSTING the variable correctly with jQuery.

2 Answers

Try changing the POST variables to $_POST['variable_name']. You're using a syntax that relies on globals being registered as variables. This is a feature that is a) not enabled by default and b) poses a major security risk when it is enabled. Thus, try changing your server-side code to:

$action = $_POST['action'];
$tablename1 = mysql_real_escape_string($_POST['tablename1']);
$name = mysql_real_escape_string($_POST['name']);
$message = mysql_real_escape_string($_POST['message']);

if(@$action == "postmsg") {
    mysql_query("INSERT INTO `$tablename1` (`user`,`msg`,`time`)
                VALUES ('$name','$message',".time().")",$dbconn);
    mysql_query("DELETE FROM `$tablename1` WHERE id <= ".
                (mysql_insert_id($dbconn)-$store_num),$dbconn);
}

$messages = mysql_query("SELECT user,msg
                         FROM `$tablename1`
                         WHERE time>$time
                         ORDER BY id ASC
                         LIMIT $display_num",$dbconn);

Note that, in order to prevent some SQL injections, the variables that you're using in your SQL queries (that the user can potentially change) have been escaped using mysql_real_escape_string.


It would appear as though you're relying on register_globals, and referencing what would be the POST variable in PHP, instead of referencing the $_POST superglobal index, e.g.

if ( $_POST['action'] == 'postmsg' ) {
    $name= mysql_real_escape_string( trim( $_POST['name'] ) );
    // query using $name reference
}

As an aside, you should really reconsider allowing the use of the tablename in the client side code.
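Both answers point at the same fix, so one hardened backend.php is added here as an illustration; it is example code, not either answerer's and not the SitePoint article's. It assumes a mysqli connection in `$db`, PHP 7 or later (the mysql_* functions used above were removed in PHP 7), and session tables named by an integer session number, as in the question. Two things the escaping in the first answer does not cover: mysql_real_escape_string escapes quotes, backslashes and a few control characters but not backticks, so it does nothing for a value spliced into a table-name position; and with register_globals on, $store_num and $display_num could be overridden from the request as well, so they are fixed server-side here and only the three values the client legitimately supplies are read from $_POST.

```php
<?php
// Added example, not the original backend.php: the same three queries, with
// every client-controlled value either validated by shape (the table name)
// or bound as a parameter (everything else).
// Assumes: $db is an open mysqli connection (hypothetical name), and session
// tables are named by a positive integer session number as in the question.

function require_int(array $src, string $key, int $min = 0): int {
    // FILTER_VALIDATE_INT rejects anything that is not a plain integer string,
    // so "100` -- " or "1 OR 1=1" never reaches a query.
    $v = filter_var($src[$key] ?? null, FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => $min]]);
    if ($v === false) {
        http_response_code(400);
        exit('bad parameter: ' . $key);
    }
    return $v;
}

// Identifier position: no escaping function covers it, so validate the
// shape and rebuild the name from the integer rather than using the raw string.
$session = require_int($_POST, 'tablename1', 1);
$table   = '`' . $session . '`';          // digits only, safe to inline

// Server-side configuration: never read these from the request.
$store_num   = 10;   // rows kept per session table (assumed value)
$display_num = 50;   // rows returned per poll (assumed value)

$time = require_int($_POST, 'time', 0);

if (($_POST['action'] ?? '') === 'postmsg') {
    $name    = (string)($_POST['name'] ?? '');
    $message = (string)($_POST['message'] ?? '');
    $now     = time();

    // Values go through bind_param, so quotes in $name/$message are data, not SQL.
    $ins = $db->prepare("INSERT INTO $table (`user`, `msg`, `time`) VALUES (?, ?, ?)");
    $ins->bind_param('ssi', $name, $message, $now);
    $ins->execute();

    $cutoff = $ins->insert_id - $store_num;
    $del = $db->prepare("DELETE FROM $table WHERE id <= ?");
    $del->bind_param('i', $cutoff);
    $del->execute();
}

$sel = $db->prepare("SELECT user, msg FROM $table WHERE time > ? ORDER BY id ASC LIMIT ?");
$sel->bind_param('ii', $time, $display_num);
$sel->execute();
$messages = $sel->get_result();   // iterate with fetch_assoc() as before
```

The jQuery side from the question is unchanged: it still posts message, name, action, time and tablename1. The difference is that the server now decides which of those it trusts and in what form, and a sessionnum that is not a plain positive integer gets a 400 instead of reaching MySQL.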
