I have simple login form which runs jQuery script which send request to PHP (ajax) and then return true if login is successful.
My 2 questions will be based on safety.
I am sending data through ajax like this:
$.ajax({
type: "POST",
url: "../Php/CheckUserLogin.php",
data: {"userName" : userName, "password" : password},
success: function(result){
switch(result)
{
case "0":
document.getElementById('errorMessage').innerHTML = "Uspesno ste se ulogovali!";
document.getElementById('errorMessage').style.color = "green";
break;
case "NEPOSTOJECI_KORISNIK":
document.getElementById('errorMessage').innerHTML = "Korisnik ne posotoji!";
document.getElementById('errorMessage').style.color = "red";
break;
case "-1":
case "1":
document.getElementById('errorMessage').innerHTML = "Pogresna sifra!";
document.getElementById('errorMessage').style.color = "red";
break;
default:
document.getElementById('errorMessage').innerHTML = "Greska!";
document.getElementById('errorMessage').style.color = "red";
break;
}
}
});
input filtering before sending it to my PHP (i am checking if strings are empty)?In PHP i am creating sql statement like this: $sql = "SELECT SIFRA FROM KORISNIK WHERE IME = '$input_Username'";
parameters in sql - c#?you should use {$input_Username} in strings it is more readable. it is okay to send ajax requests and you should check your strings.
$sql = "SELECT SIFRA FROM KORISNIK WHERE IME = {$input_Username}";
In terms of client-side validation, it's up to you what you want to validate.
In terms of backend. You should definitely never use that code unless you don't care about the data in your database.
You should use prepared statements if you use PDO or mysqli, so you can bind parameters.
$sql = "SELECT SIFRA FROM KORISNIK WHERE IME = :input_username";
$stmt = $dbh->prepare($sql);
$stmt->bindParam(':input_username', $input_username);