
jQuery get.JSON confusion

  • 07-05-2012 10:34pm
    #1
    Registered Users Posts: 12,746 ✭✭✭✭


    Hi, I'm in the middle of a project where I have to do some server side stuff with PHP.
    I'm trying to use jQuery to make my connection, specifically the getJSON function, but I'm having some trouble figuring out what variables to change. I used an example given in the course, which takes a set value following an onClick event. I'm trying to change it so it will work once a form is filled.
    //Function to handle login
    function login540()
    {
        // validates the data entered is an integer. 
        var loginNo = document.getElementById("login540id").value;
         if((parseFloat(loginNo) == parseInt(loginNo)) && !isNaN(loginNo))
        {
         jSonCaller(); 
        }
      else 
          {
        // alert(loginNo);  
        alert("Please make sure to insert only a whole number");
          } 
    
    function jSonCaller(){
    
        $.getJSON('http://localhost:8888/login540.php?login540id=?', function(data){
        
        $('#login540div').html("<p>firstName="+
        data.firstName+
        "</p> lastName="+data.lastName+" </p>moduleNo1="+
        data.moduleNo1+"</p> moduleNo2="+
        data.moduleNo2+"<p> courseID="+
        data.courseID+"</p>");
            });//end of getJSON call
        }//end of jSonCaller
        
    }
    

    The alert will pop up if I enter a decimal or letter, so I know it's getting that far, but if I enter the correct number nothing happens, though I can see the URL changing.

    I've looked at the JSON api, but I'm not quite sure what it wants in the URL section... it's correctly linked, but I'm not sure how the URL interacts with the PHP get command.

    I assumed I could leave the code as was with the static value, but it didn't seem to like it.

    The PHP is unchanged from the working version, it's still expecting the login540id variable.

    [PHP]
    <?php
    include ("config.php");

    $dbhost = 'localhost';
    $dbuser = 'root';
    $dbpass = 'root';
    $dbname = 'collegeData';

    $login540id=$_GET["login540id"];
    $table = "studentTable";
    $conn = mysql_connect($dbhost, $dbuser, $dbpass);

    if (!$conn)
    die('Could not connect: ' . mysql_error());
    if (!mysql_select_db($dbname))
    die("Can't select database");

    $result = mysql_query("SELECT * FROM {$table} WHERE studentID = '".$login540id."'");
    if (!$result)
    die("Query to show fields from table failed!" . mysql_error());

    $json = array();
    while($row = mysql_fetch_array ($result))
    {
    $json = array(
    'firstName' => $row,
    'lastName' => $row,
    'moduleNo1' => $row,
    'moduleNo2' => $row,
    'courseID' => $row
    );
    }

    $jsonstring = json_encode($json);
    echo $jsonstring;

    mysql_close($conn);
    ?>[/PHP]


Comments

  • Registered Users Posts: 26,572 ✭✭✭✭Creamy Goodness


    $.getJSON('http://localhost:8888/login540.php?login540id=?', function(data){

    you need to remove the ? mark there and substitute in a variable

    change your jsoncaller function to this.

    jSonCaller(loginNo); // pass the validated form value in
    function jSonCaller(loginNo){ // parameter name must match the one used in the URL below
    
        $.getJSON('http://localhost:8888/login540.php?login540id=' + loginNo, function(data){
        
        $('#login540div').html("<p>firstName="+
        data.firstName+
        "</p> lastName="+data.lastName+" </p>moduleNo1="+
        data.moduleNo1+"</p> moduleNo2="+
        data.moduleNo2+"<p> courseID="+
        data.courseID+"</p>");
            });//end of getJSON call
        }//end of jSonCaller
        
    }
    

    oh and don't forget to escape and validate your client's data on the server side :)


  • Registered Users Posts: 12,746 ✭✭✭✭FewFew


    Thanks for the help! :)

    Ok, that makes sense. In the example I was looking at there was a str in the brackets, I just assumed it was something to do with a string or something so I removed it, thinking it would just take in any value.

    Firebug shows it working away, so obviously there's a choke point in my PHP now.

    Thought I had the PHP side sorted, but I guess not. D'oh. :o

    Thanks again


  • Registered Users Posts: 241 ✭✭fcrossen


    As Creamy Goodness says - ESCAPE!

    [PHP]$login540id=$_GET["login540id"];
    $table = "studentTable";
    $conn = mysql_connect($dbhost, $dbuser, $dbpass);

    if (!$conn)
    die('Could not connect: ' . mysql_error());
    if (!mysql_select_db($dbname))
    die("Can't select database");

    $result = mysql_query("SELECT * FROM {$table} WHERE studentID = '".$login540id."'");[/PHP]

    SQL injection example:
    User posts "1' OR 1=1 --"

    See http://www.phpfreaks.com/tutorial/php-security - especially section 3
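
Added example, not part of any post in this thread: the concatenated lookup from login540.php next to a validated, parameterised version, both run against the input quoted above. Assumptions: PDO with an in-memory SQLite database stands in for the thread's MySQL connection (the mysql_* functions no longer exist in PHP 7 and later), and the rows, column names and function names are constructed for illustration.

```php
<?php
// Constructed sample data; column names are assumed from the JSON keys in the thread.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE studentTable (studentID INTEGER PRIMARY KEY,
    firstName TEXT, lastName TEXT, moduleNo1 TEXT, moduleNo2 TEXT, courseID TEXT)");
$pdo->exec("INSERT INTO studentTable VALUES
    (1, 'Ann', 'Byrne', 'M101', 'M102', 'C1'),
    (2, 'Bob', 'Daly',  'M201', 'M202', 'C2')");

// Pattern from the thread: the request value is pasted into the SQL text,
// so a quote in the input ends the string literal and the rest is parsed as SQL.
function lookupConcatenated(PDO $pdo, string $id): array
{
    $sql = "SELECT * FROM studentTable WHERE studentID = '" . $id . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: accept only a positive whole number, then bind it as a parameter
// so the value is never parsed as part of the statement.
function lookupPrepared(PDO $pdo, string $id): ?array
{
    $studentId = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($studentId === false) {
        return null; // not an integer: reject before touching the database
    }
    $stmt = $pdo->prepare(
        'SELECT firstName, lastName, moduleNo1, moduleNo2, courseID
           FROM studentTable WHERE studentID = :id'
    );
    $stmt->execute([':id' => $studentId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$payload = "1' OR 1=1 --"; // the input quoted in the post above

// Concatenated query: compare the row counts for a normal ID and for the payload.
printf("concatenated, id=1:    %d row(s)\n", count(lookupConcatenated($pdo, '1')));
printf("concatenated, payload: %d row(s)\n", count(lookupConcatenated($pdo, $payload)));

// Prepared query: a valid ID is returned as JSON, the payload is rejected.
$ok = lookupPrepared($pdo, '1');
$rejected = lookupPrepared($pdo, $payload);
echo 'prepared, id=1:    ', json_encode($ok), "\n";
echo 'prepared, payload: ', json_encode(['error' => $rejected === null ? 'invalid id' : null]), "\n";
```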

