2

Sorry for the bad title, but I don't know how to name this. My problem is that whenever I pass a value from a select box I trigger this jQuery event in order to check the check boxes. Basically I echo $res[]; at selectedgr.php. Do I need to use JSON? And how can I do this?

Mainpage:

$("#group_name").change(function(){
    var groupname = $("#group_name").val();
    var selectedGroup = 'gr_name='+ groupname;
    $.post("selectedgr.php", {data: selectedGroup}, function(data){
        $.each(data, function(){
            $("#" + this).attr("checked","checked");
        });
    },"json");
});

PHP (selectedgr.php):

<?php
    include_once '../include/lib.php';
    $gr_name=mysql_real_escape_string($_POST['gr_name']);

    $sqlgr = "SELECT * FROM PRIVILLAGE WHERE MAINGR_ID=".$gr_name;
    $resultgr = sql($sqlgr);
    while($rowgr = mysql_fetch_array($resultgr)){
        $res[] = $rowgr['ACT_ID'];
    }

    echo $res[];
?>
7
  • 4
    Your code has a SQL injection vulnerability. Commented Mar 21, 2011 at 9:04
  • Where?? Please guide me > <'' Commented Mar 21, 2011 at 9:05
  • 2
    @Eric you need to escape $gr_name using mysql_real_escape_string() if it's a string (then you need to add quotes) or, if it's a numeric id, check whether it's a number using intval(). Commented Mar 21, 2011 at 9:08
  • What is the purpose of ` $.each(data, function(){ $("#" + this).attr("checked","checked"); });`? Commented Mar 21, 2011 at 9:08
  • 1
    $sqlgr = "SELECT * FROM PRIVILLAGE WHERE MAINGR_ID=".$gr_name; here. You should use SQL placeholders (bind vars). Something like this: $sql = "SELECT * FROM PRIVILLAGE WHERE MAINGR_ID=:n"; $stmt = $pdo->prepare($sql); // bind php variables to the placeholders in the statement $stmt->bindParam(':n', $gr_name); $stmt->execute(); //sorry, i'm not a php guru ;) But you've got the idea... Commented Mar 21, 2011 at 9:08

4 Answers

9

Change the last line in your PHP sample (echo $res[];) to:

echo json_encode($res);

The json_encode() manual page will tell you more.

Also as @Unicron says you need to validate the $gr_name variable before passing it to your SQL statement.

You could use:

if(isset($_POST['gr_name'])) {
    $gr_name = mysql_real_escape_string($_POST['gr_name']);
}

See: http://php.net/manual/en/function.mysql-real-escape-string.php for more information in the PHP manual.


1 Comment

That would be my advice if you want to use JSON.

6

You can use the json_encode function to convert arbitrary data into JSON. Assuming that you want to return an array of strings, here is how you would use json_encode:

<?php
    include_once '../include/lib.php';
    $res = array(); // initialize variables
    $sqlgr = sprintf("
        SELECT ACT_ID
        FROM PRIVILLAGE
        WHERE MAINGR_ID=%d
        ",
        $_POST['gr_name']
    ); // only select those columns that you need
       // and do not trust user input
    $resultgr = sql($sqlgr);
    while($rowgr = mysql_fetch_array($resultgr)){
        $res[] = $rowgr['ACT_ID'];
    }
    echo json_encode($res); // use json_encode to convert the PHP array into a JSON string
                            // this will output something like ["foo","bar","blah","baz"] as a string
?>

On the client side you can use jQuery.post method, like this:

<script type="text/javascript">
$("#group_name").change(function () {
    $.post("selectedgr.php", {
        gr_name: $(this).val()
    }, function (data) {
        // console.log(data);
        // jQuery will parse the string '["foo","bar","blah","baz"]' into a JavaScript value
        // (an array in this case) and pass it as the first parameter
        for(var i = 0; i < data.length; i++) {
            $("#" + data[i]).attr("checked", "checked");
        }
    }, "json");
});
</script>

Comments
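Pulling the thread's advice together (json_encode from this answer, the bound-parameter suggestion from the comments on the question), here is an added example of the endpoint; it is not code from the question or from any answer. It assumes PDO is available, keeps the table and column names from the question (PRIVILLAGE, MAINGR_ID, ACT_ID), uses placeholder database credentials that you must replace, and the function names validateGroupId, fetchActIds and encodeActIds are chosen here.

```php
<?php
// Added example (not from the question or any answer): a hardened selectedgr.php
// that validates gr_name as an integer, runs a prepared statement through PDO,
// and returns JSON with the right Content-Type.
// Assumptions: PRIVILLAGE / MAINGR_ID / ACT_ID come from the question; the DSN,
// user and password below are placeholders.

declare(strict_types=1);

/**
 * Validate the raw POST value for gr_name.
 * Returns the integer id, or null if the value is missing, non-numeric or not a
 * positive integer. "5abc", "5.0" and "" are rejected rather than coerced.
 */
function validateGroupId($raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Fetch the ACT_ID values for one group with a bound parameter, so the id is
 * never spliced into the SQL text. Returns a plain list of column values.
 */
function fetchActIds(PDO $pdo, int $groupId): array
{
    $stmt = $pdo->prepare('SELECT ACT_ID FROM PRIVILLAGE WHERE MAINGR_ID = :gr');
    $stmt->bindValue(':gr', $groupId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN, 0);
}

/**
 * Encode the result for the jQuery client. JSON_THROW_ON_ERROR (PHP 7.3+)
 * turns a bad byte sequence into an exception instead of a silent false.
 */
function encodeActIds(array $actIds): string
{
    return json_encode(array_values($actIds), JSON_THROW_ON_ERROR);
}

// Endpoint logic: only runs when the file is requested over HTTP.
if (PHP_SAPI !== 'cli') {
    header('Content-Type: application/json; charset=utf-8');

    $groupId = validateGroupId($_POST['gr_name'] ?? null);
    if ($groupId === null) {
        http_response_code(400);
        echo json_encode(['error' => 'gr_name must be a positive integer']);
        exit;
    }

    // Placeholder credentials: replace with your own (e.g. from ../include/lib.php).
    $pdo = new PDO(
        'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
        'DB_USER_PLACEHOLDER',
        'DB_PASS_PLACEHOLDER',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
        ]
    );

    echo encodeActIds(fetchActIds($pdo, $groupId));
}
```

The client code in this answer works unchanged against this endpoint. On a 400 response the success callback passed to $.post does not run; with jQuery 1.5 or later, attach a .fail() handler to the jqXHR that $.post returns if the page should report the error to the user.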

1

If you want to use JSON then just use echo json_encode($res); But I don't really understand what you'll gain if your code is working now, since you'll still have to do some processing in the JavaScript to handle the result.

Comments

0

I found my major problem as below

instead of (before):

 $.post("selectedgr.php", {data: selectedGroup}, function(data){

do this (after):

$.post("selectedgr.php", selectedGroup, function(data){

Forgive my bad. Ah, guys, regarding the escaping on MySQL: actually #group_name is not an input field but a select box. I appreciate every comment, suggestion and guide.

Eric.

2 Comments

Don't assume that someone will not attempt to post values that you do not expect just because it is a select box. There are plenty of plugins for Firefox to change field types in forms; someone could write a bot, make a cURL request to your AJAX endpoint or simply write their own HTML form to submit to your PHP. Validate everything!
Okay, got it, will do the escaping. Thx
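As an added illustration (not part of Eric's answer or of the comments) of what the server actually receives under the two $.post calls in this answer, and of the point made in the comment above that a select box constrains nothing on the server side. It assumes that http_build_query() produces the same form-encoded body that jQuery.param() builds for a flat object, and the helper names serverSeesPost and unsafeQueryText are chosen here.

```php
<?php
// Added example (not from the question or answers): what selectedgr.php receives
// under the "before" and "after" jQuery calls, and why the server cannot rely on
// the value having come from a <select>.
// Assumption: http_build_query() yields the same application/x-www-form-urlencoded
// body that jQuery.param() yields for a flat object.

declare(strict_types=1);

/** Parse a raw form body the way PHP populates $_POST. */
function serverSeesPost(string $body): array
{
    parse_str($body, $fields);
    return $fields;
}

/**
 * The SQL text the question's original concatenation would build from $_POST.
 * Built only to make the effect visible; never execute a query assembled this way.
 */
function unsafeQueryText(array $post): string
{
    return 'SELECT * FROM PRIVILLAGE WHERE MAINGR_ID=' . ($post['gr_name'] ?? '');
}

// 1. The "before" form: $.post(url, {data: selectedGroup}, ...) with
//    selectedGroup = 'gr_name=5'. The whole string becomes the value of "data".
$before     = http_build_query(['data' => 'gr_name=5']); // "data=gr_name%3D5"
$postBefore = serverSeesPost($before);                   // ['data' => 'gr_name=5']
// $_POST['gr_name'] is unset, so the original code builds an incomplete query:
$sqlBefore  = unsafeQueryText($postBefore);              // "... WHERE MAINGR_ID="

// 2. The "after" form: $.post(url, selectedGroup, ...) sends the string as-is.
$after     = 'gr_name=5';
$postAfter = serverSeesPost($after);                     // ['gr_name' => '5']
$sqlAfter  = unsafeQueryText($postAfter);                // "... WHERE MAINGR_ID=5"

// 3. A constructed body no select box would produce, but any client can send
//    (browser devtools, curl, a script). PHP only sees bytes; nothing tells it
//    the value came from a <select>, which is why it has to be validated.
$forged    = 'gr_name=abc';
$sqlForged = unsafeQueryText(serverSeesPost($forged));   // "... WHERE MAINGR_ID=abc"

foreach (['before' => $sqlBefore, 'after' => $sqlAfter, 'forged' => $sqlForged] as $label => $sql) {
    printf("%-7s %s\n", $label, $sql);
}
```

Case 1 is the bug Eric found: the key the PHP reads is missing, so the query tail is empty. Case 3 is the comment's point: the fix for the missing key does nothing about the value, which still has to be checked (or bound as a parameter) before it reaches SQL.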
