
I've been at this for quite a while now, and I have pretty much no experience with PHP and I've only begun with JavaScript.

I'm attempting to run a PHP script that I have on my server from the JavaScript on the webpage using AJAX. To be honest, I don't really have much of an idea of what I'm doing.

My current code:

JS:

function Write() {
    $.ajax({
        type: "POST",
        url: "Write.php",
        data: {
            'GUID': "12345678987654321",
            'IP': "127.0.0.2",
            'USERNAME': "George",
            'BAN_REASON': "Broke my pencil."
        },
        success: function(data) {
            console.log(data);
        }
    });
}

PHP:

<?php
exec("java -jar Database.jar '.$_POST['GUID']' '.$_POST['IP']' '.$_POST['USERNAME']' '.$_POST['BAN_REASON']'");
?>

(I'm also not too entirely sure that I did that String correctly, so help on that would be appreciated)

Basically, that PHP code is using a Java program I made to write to a MySQL database using the arguments that are being sent by the PHP "exec()." It's not writing to the database at all, so I'm assuming it's something with the AJAX going to the PHP function.

When "Write()" is run, all it does is print out the PHP code to the console...

NEW CODE

<?php

//Server 
$servername = "localhost";
$dbusername = $_POST['DB_USERNAME'];
$password = $_POST['DB_PASSWORD'];
$dbname = "bansdb";

$username = $_POST['USERNAME'];
$guid = $_POST['GUID'];
$ip = $_POST['IP'];
$ban_reason = $_POST['BAN_REASON'];

$connection = new mysqli($servername, $dbusername, $password, $dbname);

if ($connection->connect_error) {
    die("Connection Failed: " . $connection->connect_error);
}

$sql = "INSERT INTO bans (GUID, IP, USERNAME, BAN_REASON)
VALUES ('$guid', '$ip', '$username', '$ban_reason')";

if (mysqli_query($connection, $sql)) {
    echo "Ban successfully added.";
} else {
    echo "Error: " . $sql . mysqli_error($connection);
}

mysqli_close($connection);

?>
  • 1
    You encapsulated with double quotes, not single. Also huge security flaw with this approach. e.g. this '.$_POST['GUID']' is not concatenating. Why not just write to the DB using PHP's mysqli or PDO? Commented May 17, 2016 at 1:42
  • Yeah, the way that I want to set it up is for the user to supply a password on the webpage, which is then passed to the "Database.jar." So if the password isn't right, it won't be able to do anything with MySQL. If there are any other flaws, please let me know. I'm very new to all this, so there are probably glaring issues with my approach. Commented May 17, 2016 at 1:44
  • 2
    Why not do it all in PHP though? Also passing user data direct to the command line opens you to all sorts of injections. Commented May 17, 2016 at 1:46
  • 1
    Try php.net/manual/en/function.escapeshellarg.php on each field. Also enable error reporting and monitor your error logs. Additionally use some outputting mechanics (print, echo, var_dump, error_log) to confirm what you think you are executing is what you are executing (and test the execution as the same user). Commented May 17, 2016 at 1:51
  • 1
    From your description of the problem, it looks like the PHP interpreter is not configured properly in your server (Apache?), and the server just treats the PHP like a text file and returns it to the caller (your console.log statement). Give details about your server setup. Commented May 17, 2016 at 1:58

2 Answers

1

I would not pass your DB user/password over the network. Just make a simple application password and store the password statically in the PHP with the DB user/password (in the HTML, modify the form to have an APP_PASSWORD input). With parameterized queries, aside from closing SQL injection, you can also have single quotes in your value and don't have to worry about the query breaking (the driver handles the quoting).

<?php
//Server 
$servername = "localhost";
$dbusername = 'static_db_user';//$_POST['DB_USERNAME'];
$password = 'staticpassword';//$_POST['DB_PASSWORD'];
$dbname = "bansdb";
if($_POST['APP_PASSWORD'] != 'Some generic password') {
    die('Invalid Credentials');
}
$username = $_POST['USERNAME'];
$guid = $_POST['GUID'];
$ip = $_POST['IP']; // I would store IP as an unsigned int, ip2long
$ban_reason = $_POST['BAN_REASON'];

$connection = new mysqli($servername, $dbusername, $password, $dbname);

if ($connection->connect_error) {
    die("Connection Failed: " . $connection->connect_error);
}

$sql = "INSERT INTO bans (GUID, IP, USERNAME, BAN_REASON)
VALUES (?,?,?,?)";
if ($stmt = mysqli_prepare($connection, $sql)) {
    // 'ssss' = four string parameters, bound in the order of the ? placeholders
    mysqli_stmt_bind_param($stmt, 'ssss', $guid, $ip, $username, $ban_reason);
    if(mysqli_stmt_execute($stmt)) {
        echo "Ban successfully added.";
    } else {
        echo "Execute Error: " . $sql . mysqli_error($connection);
    }
} else {
    echo "Prepare Error: " . $sql . mysqli_error($connection);
}
mysqli_close($connection);

?>

3 Comments

I'm still very new to all this, but could someone not just come along and download the PHP file and then have the password that is stored in it?
No, PHP is (should be) handled by the PHP process according to your server's configuration file. You could move the passwords to a non-web accessible directory then include that file with PHP's include. If that happens, even if the PHP data were exposed (which should be very rare to begin with), the file won't have the password in it.
Got all of it working just fine, except for one bug, but the project has been scrapped anyways. 15 hours of work down the drain. Oh well, at least I gained some experience with JS and PHP! Was fun, thank you for all your help, Chris.
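
Added example (not part of the answer or its comments): one way to apply the two suggestions above, keeping the credentials in an included file outside the web root and checking the application password against a stored hash instead of a literal in the script. The file location, array keys, helper names `is_authorized` and `ip_to_int`, and all sample values are assumptions; `ip2long` is the conversion mentioned in the answer's code comment.

```php
<?php
// Added example: file location, array keys and sample values are assumptions.

// In production this file would sit outside the document root (for example
// /var/www/private/ban_config.php). It is written to the temp directory here
// only so the example runs on its own.
$configPath = sys_get_temp_dir() . '/ban_config.php';
$constructedConfig = [
    'db_user' => 'static_db_user',
    'db_pass' => 'staticpassword',
    // Keep a hash of the application password, not the password itself.
    'app_password_hash' => password_hash('Some generic password', PASSWORD_DEFAULT),
];
file_put_contents($configPath, '<?php return ' . var_export($constructedConfig, true) . ';');

// Returns true only when APP_PASSWORD is a string matching the stored hash.
function is_authorized(array $post, array $config): bool
{
    $supplied = $post['APP_PASSWORD'] ?? null;
    return is_string($supplied)
        && password_verify($supplied, $config['app_password_hash']);
}

// Validates an IPv4 address and converts it for an unsigned INT column.
function ip_to_int(string $ip): int
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        throw new InvalidArgumentException('Not a valid IPv4 address');
    }
    return ip2long($ip);
}

// The request script loads the credentials with require; the file returns an array.
$config = require $configPath;

// Constructed requests: one with the right application password, one without.
var_dump(is_authorized(['APP_PASSWORD' => 'Some generic password'], $config));
var_dump(is_authorized(['APP_PASSWORD' => 'guess'], $config));
var_dump(ip_to_int('127.0.0.2'));

unlink($configPath);
```
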
0

all it does is print out the PHP code to the console...

Do you have a web server that's configured to execute PHP code? You must realize that you cannot just run a plain php file in your browser opened from the filesystem on your "server".

Make a new file called info.php and save it to your web server. Inside it should only be this:

<?php
phpinfo();

If you see that code when you browse to it, then you do not have PHP enabled. Otherwise, you will see a lot of information about your configuration.


not too entirely sure that I did that String correctly

pretty close, but you should read up about some quotes

this might work for you:

<?php
exec("java -jar Database.jar $_POST[GUID] $_POST[IP] $_POST[USERNAME] $_POST[BAN_REASON]");

2 Comments

You should add a note about shell injections with that approach.
@chris85 indeed! I upvoted your comment on the question, as well as almost every other. There's a lot more that can be said on this, but I wanted to pick a digestible start pointed at the specific questions raised.
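
Added example (not code from either answer): the `exec()` call with each field passed through `escapeshellarg()`, as suggested in the comments on the question, plus basic validation before anything reaches the shell. `Database.jar` and the field names come from the question; the helper name `build_ban_command`, the validation rules and the sample input are assumptions.

```php
<?php
// Added example: validation rules and sample input are assumptions.

function build_ban_command(array $post): string
{
    // Reject missing or non-string fields before anything reaches the shell.
    foreach (['GUID', 'IP', 'USERNAME', 'BAN_REASON'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            throw new InvalidArgumentException("Missing field: $field");
        }
    }
    // Assumed formats: all-digit GUID, syntactically valid IP address.
    if (!ctype_digit($post['GUID'])) {
        throw new InvalidArgumentException('GUID must be digits only');
    }
    if (filter_var($post['IP'], FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('IP is not a valid address');
    }
    // On Unix-like systems escapeshellarg() wraps each value in single quotes
    // and escapes embedded quotes, so java receives it as exactly one argument.
    $args = array_map('escapeshellarg', [
        $post['GUID'], $post['IP'], $post['USERNAME'], $post['BAN_REASON'],
    ]);
    return 'java -jar Database.jar ' . implode(' ', $args);
}

// Constructed sample input: the free-text field contains shell metacharacters.
$sample = [
    'GUID'       => '12345678987654321',
    'IP'         => '127.0.0.2',
    'USERNAME'   => 'George',
    'BAN_REASON' => "Broke my pencil.'; echo injected #",
];

$command = build_ban_command($sample);
echo $command, PHP_EOL;

// In Write.php the command would then be run with output and exit code captured:
// exec($command . ' 2>&1', $output, $exitCode);
// if ($exitCode !== 0) { error_log(implode("\n", $output)); }
```

Printing the command before executing it follows the same comment's advice to confirm that what runs is what you expect.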
