
JavaScript and AJAX Forum

    
responseText
includes elements and such I did not assign to it
nyteshade



 
Msg#: 4408795 posted 12:25 am on Jan 20, 2012 (gmt 0)

My first attempt to create a 'username availability' check using only JavaScript and a PHP script. All my steps work as expected, but the ajax.responseText includes a string of elements prefixing the value I echo back in my PHP script, as shown below.

This function initializes the ajax object; I show you this so that you may view the ajax.open statement. This and the calling function and the functions it invokes work ok.

function init(input_value, input_name) {

var ajax = getXMLHttpRequestObject();
if(ajax){

if(input_name == 'username'){

ajax.open("get", "avail_querydb.php?username="+encodeURIComponent(input_value));

ajax.onreadystatechange = function(){

handleResponse(ajax, 'username');
}

ajax.send(null);

return false;
}...


Next, the response from the server is handled, and here I can see that the switch condition is never executed because the content of responseText includes stuff like br, form, and misc elements and content that does not even exist in any of the files involved; well, I should say nothing that I've keyed in?


function handleResponse(ajax, target_label){
d = document;
if(ajax.readyState ==4){
if((ajax.status == 200) || (ajax.status == 304)){
if (ajax.responseText == 'not available') {
switch (target_label){
case 'username':
document.form.avail_entry_form.username_label.value = 'username not available';
break;
case 'email':
document.form.avail_entry_form.email_label.value = 'email not available'
break;
}
}
}
} else {//Bad status response :: submit the form
//document.getElementById('avail_entry_form').submit();
}
}


And finally the server-side script:


<?php
...
$resultBack = 'available';

if (isset( $_GET["username"])) {
$username = $_GET["username"];
$sql = "SELECT username FROM users WHERE username = '$username'";
if($result = $mysqli->query($sql)) $resultBack = 'not available';
}

if (isset( $_GET["email"])) {
$email = $_GET["email"];
$sql = "SELECT username FROM users WHERE email = '$email'";
if($result = $mysqli->query($sql)) $resultBack = 'not available';
}


$mysqli->close;

echo $resultBack;
?>


Using Firebug I can see that 'not available' is at the end of about 100 characters of text but I have no idea how it is being appended to $resultBack? Odd... any idea what I'm missing? Thanks all.

 

daveVk

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 4408795 posted 5:28 am on Jan 20, 2012 (gmt 0)

Seems like some other echo or similar going on in PHP, try inserting echo "*1" at start and so on at regular intervals, then see where 100 chars are relative to *numbers.

nyteshade



 
Msg#: 4408795 posted 12:56 pm on Jan 20, 2012 (gmt 0)

daveVK: thanks for the suggestion, I did get my code to work but there are forces working here that I do not understand, as follows:

First, I scaled down my php script to this:

<?php

ini_set("include_path","./includes");
require_once('mysqli.avail.inc.php');

$username = strip_tags(trim($_GET['username']));

if (!empty($username)) {
$sql = "SELECT username FROM users WHERE username = '$username'";
if($result = $mysqli->query($sql)) $resultsBack = 'not available';
}

echo $resultsBack;

?>

I experimented with removing the ini_set and using the absolute path in the require_once but that was not the problem; also, you see that I've used strip_tags and trim, but again I do not believe that added anything to resolving the mystery of the chars being appended to $resultsBack.


And, to top things off, once the mysterious chars vanished, I discovered that the following:


document.getElementById('username_label').value = 'username not available'


would not work (at least in FF)! AND, that the 'value' is set on screen before the statement is executed at the <<<HERE below.

Of course I'm happy my little piece of code works, finally, but I'm anxious that:
1) I do not know what I did that fixed my initial problem
2) Why the screen display is reflecting the label value before the statement is executed
3) Why is innerHTML working when the supposedly standard statement referencing the value of the label element does not work?


function handleResponse(ajax, target_label){
d = document;
if(ajax.readyState ==4){ <<<HERE THE VALUE IN THE FORM IS SET
if((ajax.status == 200) || (ajax.status == 304)){
if (ajax.responseText == 'not available') {
switch (target_label){
case 'username':
d.getElementById('username_label').innerHTML = 'username not available';
break;
case 'email':
d.getElementById('email_label').value = 'email not available'
break;
}
}
}
} else {//Bad status response :: submit the form
//document.getElementById('avail_entry_form').submit();
}
}


Ok, maybe I'm being too fussy about #1, that was very odd and I'm grateful it is fixed. But I'll be researching #2 and #3, thanks again for the suggestion, it helped.

daveVk

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 4408795 posted 1:58 pm on Jan 20, 2012 (gmt 0)

document.getElementById('username_label').value = 'username not available'

If username_label is a label element then use .innerHTML or similar.

.value applies to the likes of input elements that hold form data.

Note that .innerHTML changes the HTML (Dom) whereas .value changes the form data and not the HTML. The form data has a separate life than the HTML and can outlast it.

Fotiman

WebmasterWorld Senior Member, WebmasterWorld Top Contributor of All Time, 5+ Year Member



 
Msg#: 4408795 posted 3:05 pm on Jan 20, 2012 (gmt 0)


if (isset( $_GET["username"])) {
$username = $_GET["username"];
$sql = "SELECT username FROM users WHERE username = '$username'";

Note, this code makes you susceptible to a SQL injection attack.

username=' OR '1' = '1

Result:
$sql = "SELECT username FROM users WHERE username = '' OR '1' = '1'";

You should address that.

Next, if the response is coming back with more than you expect, then perhaps one of your includes is writing out part of a response. I would start by inspecting the responseText (either with a debugger like Firebug, or even just putting in an alert). Sounds like you may have resolved this by stripping down your php.


<?php

ini_set("include_path","./includes");
require_once('mysqli.avail.inc.php');

$username = strip_tags(trim($_GET['username']));

if (!empty($username)) {
$sql = "SELECT username FROM users WHERE username = '$username'";
if($result = $mysqli->query($sql)) $resultsBack = 'not available';
}

echo $resultsBack;

?>

In that code, resultsBack is not set to anything if no results were returned from SQL.

rainborick

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 4408795 posted 5:13 pm on Jan 21, 2012 (gmt 0)

I think it would be best to use mysql_real_escape_string() rather than strip_tags() to prevent MySQL injections. strip_tags() removes HTML and PHP tags, but doesn't touch special characters like ', ", \n, and \r.

nyteshade



 
Msg#: 4408795 posted 1:30 pm on Jan 22, 2012 (gmt 0)

Regarding the mysterious characters appearing in my ajax object property responseText. After more careful examination of Firebug's 'Watch' (thanks Fotiman) I see that responseText includes results from what appears to be Xdebug flagging an error on an attempt to use the resultset $result from $mysqli->query($sql) as a string? See *** THIS FAILS EVERYTIME *** below. That block of code generates different errors depending on, well, I'm not sure. Sometimes it generates the error I described above, sometimes the responseText looks ok but the 'not available' is always returned.


<?php
ini_set("include_path","./includes");
require_once('mysqli.avail.inc.php');

$resultsBack = 'available';

if(isset($_GET['username'])) {
$username = strip_tags(trim($_GET['username']));
$username = $mysqli->real_escape_string($username);
}

//***1 THIS WORKS EVERYTIME
if (!empty($username)) {
$sql = "SELECT username FROM users WHERE username = '$username'";

$result = $mysqli->query($sql);
$row_cnt = $result->num_rows;
if($row_cnt>0) {
echo $resultsBack = 'not available';
} else {
echo $resultsBack = 'available';
}
}

//***2 THIS FAILS EVERYTIME ***
//if (!empty($username)) {
//$sql = "SELECT username FROM users WHERE username = '$username'";
//if($result = $mysqli->query($sql)) echo $resultsBack = 'not available';
//}
?>


However, if I run the routine above as a standalone file rather than making an ajax.open request, altered to do this:


<?php
ini_set("include_path","./includes");
require_once('mysqli.avail.inc.php');

$username = 'nyteshade';

echo ' username: '.$username;

if (!empty($username)) {
$sql = "SELECT username FROM users WHERE username = '$username'";
if ($result = $mysqli->query($sql)) {
printf("\nSelect returned %d rows.\n", $result->num_rows);
}
}
?>


...just to make sure the if statement is legal, then it works ok and returns:

username: nyteshade Select returned 1 rows.


I thought I had ***2 above working earlier but I was mistaken. It appears like legal code but it just does not return what is expected. If anyone sees something obviously incorrect then please let me know before I scratch a hole in my head (maybe I should just let it go because the more verbose lines ***1 work).

Thanks Fotiman for getting me to look more deeply into Firebug, the 'Watch' component makes more sense now that I have a handle on objects; daveVK for the debugging suggestion; rainborick, Fotiman for the injection recommendations.

nyteshade



 
Msg#: 4408795 posted 2:06 pm on Jan 25, 2012 (gmt 0)

Arrgh! This is my month to admit being a fool. I was confusing mysqli_query and $mysqli->query results, even when staring at the PHP manual; mea culpa. Whenever I was seeing mysqli_ my brain was automatically thinking object, incorrectly.
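
Added example (not part of any post in this thread): the two issues raised above, the concatenated query Fotiman flagged and the "***2" form that tests the query's return value instead of its rows, shown side by side with a parameterized version. It assumes PDO with an in-memory SQLite table (constructed sample data) so it runs without the thread's MySQL setup; the function names are hypothetical, and with mysqli the same shape is `$mysqli->prepare()` plus `bind_param('s', ...)`.

```php
<?php
// Constructed in-memory table standing in for the thread's `users` table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)");
$pdo->exec("INSERT INTO users VALUES ('nyteshade', 'nyteshade@example.test')");

// Pattern from the thread: input concatenated into the SQL text, and the
// object returned by query() used as the "found" test.
function availabilityConcatenated(PDO $pdo, string $username): string
{
    $username = strip_tags(trim($username)); // leaves quote characters untouched
    $sql = "SELECT username FROM users WHERE username = '$username'";
    // query() returns a statement object for any successful SELECT, even one
    // that matches zero rows, so this branch is taken for every valid query.
    if ($pdo->query($sql)) {
        return 'not available';
    }
    return 'available';
}

// Hardened form: the value is bound to a placeholder, never spliced into the
// SQL text, and the answer depends on whether a row actually came back.
function availabilityPrepared(PDO $pdo, string $username): string
{
    $stmt = $pdo->prepare('SELECT 1 FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([trim($username)]);
    return $stmt->fetchColumn() === false ? 'available' : 'not available';
}

// Rows matched by the concatenated query, to show what each input selects.
function rowsMatchedConcatenated(PDO $pdo, string $username): int
{
    $sql = "SELECT username FROM users WHERE username = '$username'";
    return count($pdo->query($sql)->fetchAll());
}

// Existing name, unused name, and the input quoted in Fotiman's post.
$inputs = ['nyteshade', 'free_name', "' OR '1' = '1"];
foreach ($inputs as $in) {
    printf("%-16s concat=%-14s prepared=%-14s rows(concat)=%d\n",
        $in,
        availabilityConcatenated($pdo, $in),
        availabilityPrepared($pdo, $in),
        rowsMatchedConcatenated($pdo, $in));
}
```

The concatenated version reports 'not available' for all three inputs, and the quoted input matches every row in the table; the prepared version treats that input as a literal username and decides only on whether a row was returned.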

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved