Thursday, April 12, 2012

ajax call to login.php , response failed

I am doing login.php with the ajax call..Below is my ajax bit code and login.php code..while giving valid user name and password also..am getting invalid user name or password message..am totally failed understand these lines of code 


$is_ajax = $_REQUEST['is_ajax'];
     if(isset($is_ajax) && $is_ajax) // in login.php, Many thanks
 
 $("#login").click(function() {    
     var action = $("#form1").attr('action');
     var form_data = {
         username: $("#username").val(),
         password: $("#password").val(),
         is_ajax: 1
     };
 
     $.ajax({
         type: "POST",
         url: login.php,
         data: form_data,
         success: function(response)
         {
             if(response == 'success')
                 $("#form1").slideUp('slow', function() {
                     $("#message").html("<p class='success'>You have logged in successfully!</p>");
                 });
             else
                 $("#message").html("<p class='error'>Invalid username and/or password.</p>");    
         }
     });
 
     return false;
 });


and this is the login.php code.


<?PHP
 if(isset($_REQUEST['is_ajax']) && $_REQUEST['is_ajax']) {
     $is_ajax = $_REQUEST['is_ajax'];
 
     $uname = $_POST['username'];
     $pword = $_POST['password'];
     $uname = htmlspecialchars($uname);
     $pword = htmlspecialchars($pword);
 
     $user_name = "root";
     $pass_word = "root";
     $database = "test";
     $server = "127.0.0.1";
 
     $username = $_REQUEST['username'];
     $password = $_REQUEST['password'];
 
     $db_handle = mysql_connect($server, $user_name, $pass_word);
     $db_found = mysql_select_db($database, $db_handle);
     $uname = quote_smart($uname, $db_handle);
     $pword = quote_smart($pword, $db_handle);
     $SQL = "SELECT * FROM login WHERE L1 =  $uname AND L2 = md5($pword)";
     $result = mysql_query($SQL);
     $num_rows = mysql_num_rows($result);
     if ($num_rows > 0) {
         echo "success"; 
     }
 
     mysql_close($db_handle);
 }
 ?>

Answer:


A few things:
  1. You need to sanitize your user input before using it in a query. htmlspecialchars doesn't do it. Use mysql_real_escape_string (maybe quote_smart does this?).
  2. Your URL is not quoted, so it is interpreted as code. Put login.php in quotes.
  3. Make sure you understand what $_POST and $_REQUEST are. It looks like you don't actually use$username or $password anywhere, so it doesn't look like this is hurting you right now, but you should know that the entire contents of the $_POST array are also found in the $_REQUEST array (along with $_GET and $_COOKIE).
  4. For debugging, in your PHP script, you should echo some kind of failure message to see where the script fails and in your jQuery script, you should add the response to your failure message to see what the response actually was.
Try this:
$("#login").click(function() {    
    var action = $("#form1").attr('action');
    var form_data = {
        username: $("#username").val(),
        password: $("#password").val(),
        is_ajax: 1
    };

    $.ajax({
        type: "POST",
        url: "login.php",
        data: form_data,
        success: function(response)
        {
            if(response == 'success')
                $("#form1").slideUp('slow', function() {
                    $("#message").html("<p class='success'>You have logged in successfully!</p>");
                });
            else
                $("#message").html("<p class='error'>Invalid username and/or password. (debugging, response = '". response ."'</p>");    
        }
    });

    return false;
});
login.php:
if(isset($_POST['is_ajax']) && $_POST['is_ajax'])
{
    $username = mysql_real_escape_string($_POST['username']);
    $password = mysql_real_escape_string($_POST['password']);

    $dbUsername = "root";
    $dbPassword = "root";
    $database = "test";
    $server = "127.0.0.1";

    $db_handle = mysql_connect($server, $dbUsername, $dbPassword);
    $db_found = mysql_select_db($database, $db_handle);
    $result = mysql_query("SELECT * FROM login WHERE L1 = '{$username}' AND L2 = MD5('{$password}')");
    $num_rows = mysql_num_rows($result);
    if ($num_rows > 0)
        echo "success";
    else
        echo "username '{$username}' and password '{$password}' not found";

    mysql_close($db_handle);
}
else
    echo "is_ajax = {$_POST["is_ajax"]}";

Posted by at

1 comment:

  1. javatubeApril 12, 2012 at 11:38 PM

    your PHP is not very save and works with GET/POST because you are using $_REQUEST. Debug login.php first, if you are getting any PHP Notices you have to fix those because it will change your ajax response.

    try running this in browser yoursite.com/login.php?is_ajax=1&username=XXXX&password=XXXX

    If you are getting only "success" word in the browser, then see what JavaScript is receiving by adding console.debug(response) to the success handler. Preview the value in firebug console or chrome console.

    ReplyDelete

Subscribe to: Post Comments (Atom)