Home » Php » jsGrid: How to pass additional variables from javascript to php using ajax

jsGrid: How to pass additional variables from javascript to php using ajax

Posted by: admin February 25, 2020 Leave a comment

Questions:

I’m using jsGrid for my project. View here for original source code

I want to pass an additional variable call $user_session to use for mysql select query in fetch.php but failed. Below is what i have been trying.

<script>

var user_session = "<?php echo $user_session; ?>"; //<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

//......

 controller: {
  loadData: function(){
   return $.ajax({
    type: "GET",
    url: "fetch_data.php",
    data: {user_session:user_session} //<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
   });
  },

 //......

Here’s the fetch.php file

<?php

if($method == 'GET')
{
 $user_session = $_GET['user_session']; //<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

 $query = "SELECT * FROM sample_data WHERE first_name=? ORDER BY id DESC";
 $statement = $connect->prepare($query);
 $statement->execute($user_session); //<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
 $result = $statement->fetchAll();
 foreach($result as $row)
 {
  $output[] = array(
   'id'    => $row['id'],   
   'first_name'  => $row['first_name'],
   'last_name'   => $row['last_name'],
   'age'    => $row['age'],
   'gender'   => $row['gender']
  );
 }
 header("Content-Type: application/json");
 echo json_encode($output);
}
//......
?>

What is the proper way to do this?

How to&Answers:

First of all, anyone could open up a dev console inside a browser and start fuzzing your session id. While you are correctly preparing your query, defusing sql injection, it does does not protect you from an IDOR, or, i could enumerate your users by just querying your application repeatedly.

If you really want to pass your session id client-side, maybe you could consider using a cookie, as it is less easily editable by a normal user.

Answer:

I’m able to do by this way.

<script>

//......

 controller: {
  loadData: function(filter){
    var user_session = "<?php echo $user_session; ?>"; //<<<<<<<<<<<<<<<<<<<<<<<<<<<
   return $.ajax({
    type: "GET",
    url: "fetch_data.php",
    data: {filter,
           user_session:user_session //<<<<<<<<<<<<<<<<<<<<<<<<<<<
          },
   });
  },

 //......
</script>

In fetch.php i do this.

<?php

if($method == 'GET')
{
 $user_session = $_GET['user_session'];//<<<<<<<<<<<<<<<<<<<<<<<<<<<

 $query = "SELECT * FROM sample_data WHERE first_name=? ORDER BY id DESC";
 $statement = $connect->prepare($query);
 $statement->execute([$user_session]); //<<<<<<<<<<<<<<<<<<<<<<<<<<<
 $result = $statement->fetchAll();
 foreach($result as $row)
 {
  $output[] = array(
   'id'    => $row['id'],   
   'first_name'  => $row['first_name'],
   'last_name'   => $row['last_name'],
   'age'    => $row['age'],
   'gender'   => $row['gender']
  );
 }
 header("Content-Type: application/json");
 echo json_encode($output);
}
//......
?>

For the security issue mentioned by @Andrea Golin, i will post another question.
Thanks.

Answer:

Finally, i found a better way.
I can directly call $user_session inside fetch.php.

<?php
require('user_session.php'); //<<<<<<<<<<<<<<<<<<<<<<<<<<<
require('includes/db.php');

$method = $_SERVER['REQUEST_METHOD'];

if($method == 'GET')
{
 $query = "SELECT * FROM sample_data WHERE first_name=? ORDER BY id DESC";
 $statement = $conn->prepare($query);
 $statement->execute([$user_session]); //<<<<<<<<<<<<<<<<<<<<<<<<<<<
 $result = $statement->fetchAll();
 foreach($result as $row)
 {
  $output[] = array(
   'ChildID'    => $row['ChildID'],
   'Name'  => $row['Name'],
   'BirthDate'   => $row['BirthDate'],
   'Gender'   => $row['Gender'],
   'StudyorWorking'   => $row['StudyorWorking'],
   'CourseorOccupation'   => $row['CourseorOccupation'],
   'Married'   => $row['Married']
  );
 }
 header("Content-Type: application/json");
 echo json_encode($output);
}
?>