I have table which read all the database from phpMyAdmin and dysplay it by php code.
- I am also can update each cell on the table, example by using the the row of the table which equal to ID in my database and colume which equal to (first name,last name,password)everting work ok.
so if the user click on the one of cell inside the table the jquery send by ajax the parameter ID and the colume one of the field(first name,last name,password).
what is my problem?
my problem is how can I prevent from haker or smart user which can see the jquery code and he will
understanding that he can change the value of any ID or password parmeters and ajax can update database not the correct ID?
supose I display to user table with 10 lines which have ID from 11-20 the user will change the ID parameter ID equal to 500 it can hapend.
$(document).ready(function()
{
var COLUME, VAL,ROW,STATUS,DATASTRING;
$('td').click(function() {
COLUME = $(this).attr('class');
});
//****************
$('tr').click(function() {
ROW = $(this).attr('id');
$('#display_Colume_Raw').html(COLUME+ROW);
//$('#display').html(COLUME+ROW);
$('#span' + COLUME + ROW).hide();
$('#input'+ COLUME + ROW ).show();
STATUS = $("#input" + COLUME + ROW).val();
});
//********************
$(".edittd").mouseup(function() {
return false;
});
//*************
$(document).mouseup(function() {
$('#span' + COLUME + ROW).show();
$('#input'+ COLUME + ROW ).hide();
VAL = $("#input" + COLUME + ROW).val();
$("#span" + COLUME + ROW).html(VAL);
if(STATUS != VAL){
$('#statuS').removeClass('statuSnoChange')
.addClass('statuSChange');
$('#statuS').html('THERE IS CHANGE');
DATASTRING=$('#display_Colume_Raw').html()+','+VAL;
//******ajax code
//dataString = $.trim(this.value);
$.ajax({
type: "POST",
dataType: 'html',
url: "./public/php/ajax.php",
data: 'DATASTRING=' + DATASTRING, //{"dataString": dataString}
cache: false,
success: function(data)
{
//alert(data);
$("#statuS").html(data);
}
});
//******end ajax
}
else
{
//alert(DATASTRING+'status not true');
}
});
});
There is no point showing front-end code as this is something you implement on the back end.
In the method that gets called via AJAX, simply check whether the user has permissions to perform the requested action or not. You can either have a separate check at the top of the method and return if the user it not allowed, or you can build it in to the delete query itself, e.g., by adding a WHERE clause making sure those IDs are ones that user is allowed to delete.
You cannot assign per-row permissions in MySQL so that row A can be viewed/edited by a user but row B cannot.
There is one workaround that's a bit of a pain if you absolutely have to have a solution, and that is that instead of using direct queries against a table (SELECT, INSERT, etc.), write store procedures that do some sort of authentication and/or validation. The procedure can do any kind of complex validation you want--check user ids, check column values, etc.--and return only what that user is authorized to see and/or edit.
Related
I'm developing a web based inventory system. In my project i have a user management page and it has a table to view all the users.
+----------------------------------------+
+ username + user type + + +
+----------+-----------+--------+--------+
+ sample + sample + edit + delete +
+----------+-----------+--------+--------+
+ sample + sample + edit + delete +
+----------+-----------+--------+--------+
+ sample + sample + edit + delete +
+----------+-----------+--------+--------+
It has two buttons to edit user type and to delete user from the database. i need to get username from this table to php script, to execute delete query. I tried this,
$(document).on('click','.remove' ,function(){
var $item = $(this).closest("tr").find('td:eq(0)').html();
console.log($item);
<?php $username = <script>$item</script>?>
});
but i can't pass this 'username' variable to php. How to do this? Thank you :-)
To achieve this you need to perform an ajax request like this:
$(document).on('click','.remove' ,function(){
var $item = $(this).closest("tr").find('td:eq(0)').html();
$.post("url/file.php", { // your php file
username: $item
}, function(data, status){
// you will get response from your php page (what you echo or print)
});
});
PHP side:
$username = $_POST['username'];
//Do whatever you want ...
echo "success";
You can do it by Ajax, this is suggested for your code:
$.ajax({
url: "data.php",//file wich has query select to db table
data: {id:theid},//describe your data here
dataType: 'json',// type of data that will you get (JSON/HTML).
type: 'POST',//sending type (POST/GET)
success: function(data) {
//do change the select option
}
});
Goodluck!
This is how I pass the array into the function
$rate=$data["rate"];//this is an array like rate[10,20,30,60,70]
$car->rate = $rate;
$car->rentalRate();
In the function , it accepts the array and insert into the table
public function rentalRate()
{
$rate = implode("','",$this->rate);
$sql = "INSERT INTO rental(day_1,day_3,day_7,day_15,day_30)VALUES('$rate')";
$stmt =connection::$pdo->prepare($sql);
$stmt->execute();
unset($rate);
}
Problem is,second time onwards it repeats the records. I mean for the first time when I insert only one row is inserted. The second time I insert, the same new record inserted twice. Third time I insert, thrice inserted..same goes for the number of times I insert. If I refresh than I don't have this issue.
WHat could be tracking the number of time I insert the data, could it be the array? or ajax?
This is how I submit the form via ajax
$("#submit").on("click",function()
{
$("#add_car_form").submit(function(){
var data = {
"action": "test"
};
data = $(this).serialize() + "&" + $.param(data);
$.ajax({
type: "POST",
dataType: "json",
url: "add_car_submit.php", //Relative or absolute path to response.php file
data: data,
success: function(data) {
$(".the-return").html("<br />JSON: " + data["json"] );
}
});
return false;
});
});
hard to say without seeing your full code but here is waht you can do:
Fist, use the dev tools on your browser and see how many requests you are submitting on every click. If they grow with every click it's your JS fault. If not then try to var_dump your POST data at the point of entry in your php scritpt. If the data is not repeated, there is a problem with your php part. (My bet would be with JS, as on AJAX request you create a new instance of php process so it can not track your submissions).
I have a table with dynamic data from database, each row consist of a text filed and 2 link (accept or reject). then if user clicks on any of these link, the row will disappear and the rest of the rows are only visible in table.
I get ID of each row with ajax by clicking on each link, however I also need to get the text-field value.
how can I get it?
I need to have in ajax cause after getting value I need to insert in database with php+sql.
this is my ajax part for link:
$('a.accept').click(function(d) {
d.preventDefault();
var parent = $(this).parent();
$.ajax({
type: 'get',
url: 'Test.php',
data: 'ajax=1&accept=' + parent.attr('id').replace('record-',''),
beforeSend: function() {
parent.animate({'backgroundColor':'#fb6c6c'},300);
},
success: function() {
parent.slideUp(300,function() {
parent.remove();
});
}
});
});
});
how can I include text filed value in it?
please comment me which I'm really in need to solve it,
Thanks
You can add manually your text to the GET request.
(snippet)
data: 'ajax=1&accept=' + parent.attr('id').replace('record-','') + '&text=VALUE',
Substitute text with the name you want to be received in PHP. Substitute VALUE with the text entered on the page that you want to grab - and don't forget to encode the value.
You will need the name of id of the textfield first. Then you could do something like this:
var textboxvalue = $('name or id of textfield').val();
Then you will need to append this value to your data string:
data: 'ajax=1&textvalue='+textboxvalue+'accept=' + parent.attr('id').replace('record-',''),
Then you can use $_GET['textvalue']; to get the value of textbox.
Use following and you're good to go. Also you had extra '});' at the end line of JS fragment. I had it removed. But make sure you give id to text fields in following pattern : text-fld-RECORD_ID where RECORD_ID is the ID of the record.
$('a.accept').click(function(d) {
d.preventDefault();
var parent = $(this).parent();
var id = parent.attr('id').replace('record-','');
//make sure that text field has ID in pattern 'text-fld-RECORD_ID'
var text_fld = $('#text-fld-'+id).val();
$.ajax({
type: 'post', // I suggest using post; get will be harmful in such occasions
url: 'Test.php',
data: {ajax:1,accept:id,text:text_fld},
beforeSend: function() {
parent.animate({'backgroundColor':'#fb6c6c'},300);
},
success: function() {
parent.slideUp(300,function() {
parent.remove();
});
}
});
});
I'm trying to create a script that will save a ticked checkbox. The code I have as of now disables add & approve when read is ticked and disables read when either of add/approve is ticked. Now the problem I have is when I added ajax submission to the jquery it doesn't save the record and it no longer disables the checkboxes(assuming I ticked read).
Here's what I got so far.
$(document).ready(function(){
$('#list-tbl tr').each(function(){
var $this = $(this);
var id = $('#input').val();
$('input[type=checkbox]', $this).change(function(){
if($('.read', $this).is(':checked')){
$('input[type=checkbox]', $this).prop('disabled',true);
$.ajax({
type: 'POST',
url: <?= site_url('admin/update')?>,
dataType: "json",
data: { id: id },
success: function(data) {
alert("Updated");
}
});
$(this).prop('disabled',false);
} else if($('.add', $this).is(':checked') || $('.approve', $this).is(':checked')) {
$('.read', $this).prop('disabled', true);
$(this).prop('disabled', false);
} else{
$('input[type=checkbox]', $this).prop('disabled',false);
$(this).prop('disabled',false);
}
});
});
});
Ex: http://jsfiddle.net/bGatX/
I'm getting a lil bit frustrated I just want to save the data in the right manner and perform the disabling as it is....
Many thanks.
Looking at your jsFiddle... you don't actually have a HTML element with id="input", even though, you've trying to save an id using: var id = $('#input').val();
This is the id you're trying to send to the server but it doesn't really exist. What are you really trying to do? Establish whether a certain user has read/added/approved a particular item? If that's the case what you need to send to the server is a user id combined with a string that represents whether the user read/added or approved an item.
On a minor note and as a matter of redundancy and performance: $(this).prop('disabled',false); is common amongst all conditionals and can be pulled out to the front as a common factor.
I've got several div id's, each containing a different client. I want to be able to click the delete button and using ajax and jquery delete the specific div from the database. I'm getting success in AJAX but it's not deleting anything from the DB. And then obviously, upon deletion, I would like the container to reload dynamically. help!!!
function DeleteClient(){
clientID = $('.clientblock').attr('id')
alert(clientID);
var yes = confirm("Whoa there chief! Do you really want to DELETE this client?");
if (yes == 1) {
dataToLoad = 'clientID=' + clientID + '&deleteclient=yes',
$.ajax({
type: 'post',
url: '/clients/controller.php',
datatype: 'html',
data: dataToLoad,
success: function(html) {
alert('Client' + clientID + ' should have been deleted from the database.');
$('#clientscontainer').html(html);
},
error: function() {
alert('error');
}});};
};
controller.php info //
Variables necessary are:
$deleteClient
$clientID
on the delete click, when being passed through post (via firebug)
clientID = 0
deleteClient = yes
edit: so obviously, it's not getting the correct client ID to delete it to the DB as it is passing through post but I am getting an ajax success call and where i have the client ID variable displaying there, it is picking the correct client ID.
alert(clientID) is pulling in 0 as well.
Any ideas?
dataToLoad = 'clientID=' + clientID + '&deleteclient=yes',
Your controller is getting clientID value of 0.
Track down your clientID javascript variable and see if it is fetching the correct clientID.