Passing two variables from onclick to xml via javascript

[Serihon]

Hey everyone,

I am not quite positive where to post this as this issue may involve more than just one coding language. I am a experienced html/css/php/mysql coder who has been delving into Javascript/XML/AJAX coding.

Here is what I am attempting to accomplish using a picture of praying hands as a button with an onclick event.

1. Button is displayed as praying hands that say "Please pray for me".
2. User/Guest clicks on button.
3. Username and Prayer Post ID are passed to the prayFor JS function
4. PrayFor JS function passes Username and Prayer Post ID onto a separate PHP file and the JS changes the original image to one of praying hands that states "Thank You!" on them.

So far the code works as intended, however when I am passing the prayer ID and then the username and somewhere along the way the username is getting lost as the php files that the JS calls on cannot see that variable. Also the prayer ID is an int and the username is a string.

Here is what I have so far code wise.

Javascript/XML bit

Code:

<script type="text/javascript">
var xmlhttp;
function prayFor(i,u){
	if (window.XMLHttpRequest){// code for IE7+, Firefox, Chrome, Opera, Safari
	  xmlhttp=new XMLHttpRequest();
	}else{// code for IE6, IE5
	  xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
	}
	
	xmlhttp.onreadystatechange=function(){
		if(xmlhttp.readyState==4 && xmlhttp.status==200){
			document.getElementById("prayFor"+i).innerHTML=xmlhttp.responseText;
		}
	}
	
	xmlhttp.open("GET", "prayerInc.php?i="+i+"&u="+u);
	xmlhttp.send();
}
</script>

HTML/PHP bit

Code:

<?php $id = 1; $un='Serihon'; ?>
<input type="image" src="images/prayingHands.png" alt="praying hands" onclick="prayFor('<?php echo $id; ?>','<?php echo $un; ?>');" />

Here is the PHP code I call on to use the u and i variables.

PHP Code:

<?php
include('config.php');

function clean($str) {
    $str = @trim($str);
    if(get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}

$i=clean($_GET['i']);
$u=clean($_GET['u']);

$sql = "UPDATE pickles SET u='$u' WHERE i='$i' ";
$result=mysql_query($sql);

echo "<img src=\"images/prayingHands2.png\" alt=\"Thank you!\" />";
?>

Any help with this would be greatly appreciated!

Serihon

[Dormilich]

your passed parameters are using the keys i and u, therefore you need these to get the data from $_GET.


PS. you should turn register_globals to Off for security reasons

[Serihon]

Thanks for the reply. I am using $_GET in the php files to pull the information and the id is being succesfully passed through the JS/XML to the php file as it is being updated on the db correctly. For some reason the username isn't being passed correctly. I have a feeling it is because it is a string and needs additional quotes but I'm not sure of the proper way to add them.

I will look into the register_globals thing but according to documentation it is off by default as of PHP 4.3, but I suppose this may change from host to host.

Thanks!

Frank

[Dormilich]

Quote:

Originally Posted by Serihon

I am using $_GET in the php files to pull the information

but you didn't show that code. so, based on the code given, I had to assume you didn't use $_GET at all.

[Serihon]

And here it is.

PHP Code:

<?php
include('config.php');

function clean($str) {
    $str = @trim($str);
    if(get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}

$i=clean($_GET['i']);
$u=clean($_GET['u']);

$sql = "UPDATE pickles SET u='$u' WHERE i='$i' ";
$result=mysql_query($sql);

echo "<img src=\"images/prayingHands2.png\" alt=\"Thank you!\" />";
?>

[Dormilich]

1) var_dump($_GET);
2) Prepared Statements offer easier and better safety.
3)

Quote:

PHP Code:

$sql = "UPDATE table SET u='$u' WHERE i='$i' "; 


that should fail with an SQL error. (table is a reserved keyword)

[Serihon]

Quote:

Originally Posted by Dormilich

1) var_dump($_GET);
2) Prepared Statements offer easier and better safety.
3)

that should fail with an SQL error. (table is a reserved keyword)

1) Could you explain how var_dump works? From the PHP manual I understand that it destroys variables. By using this wouldn't it destroy the u and i before they were used?
2) What do you mean by prepared statements?
3) I used the name table for example purposes only here, it isn't that in my code.

[Dormilich]

not sure which manual you used, my manual says:

Quote:

void var_dump ( mixed $expression [, mixed $... ] )

This function displays structured information about one or more expressions that includes its type and value. Arrays and objects are explored recursively with values indented to show structure.

Prepared Statements: http://en.wikipedia.org/wiki/Prepared_statement, http://php.net/manual/en/pdo.prepared-statements.php

[Serihon]

Please forgive that I misread var_dump as it is early here. I guess I am just not understanding how I should use var_dump or prepared statements but I will look into them.

Verified that register_globals was already set to off.

Still could use some input on why u isn't being passed.

[Dormilich]

first, check with var_dump() if all information is indeed present in $_GET

[Serihon]

Quote:

Originally Posted by Dormilich

first, check with var_dump() if all information is indeed present in $_GET

Yes I figured out how to use var_dump() just a bit before you posted this and of course it is an extremely useful debug tool that I will keep close from now on, thanks for pointing it out.

Turns out the u was being set and passed into PHP and I had some variables wrong such as a field name in my table. I fixed it and it still wasnt inputting the data into the table correctly.

Here is the var_dump result.
array(2) { ["i"]=> string(1) "6" ["u"]=> string(8) "serihon;" }

If you look closely at the var_dump result you will notice that the username has a semi-colon appended to the end of it. Turns out another issue with this was in the code below.

Code:

<input type="image" src="images/prayingHands.png" alt="praying hands" onclick="prayFor('<?php echo $id; ?>','<?php echo "$un;" ?>');" />

The $un has the semi-colon inside of the parenthesis rather than on the outside which caused this error. I was so determined that it was an error with parenthesis that I somehow botched this portion up. I know my original code doesn't show it but it was an error I fixed.

So the code is working properly as intended now.

Thanks for all of your help Dormilich. Guess I just need to figure out prepared statements now.

Thanks!

[Dormilich]

Quote:

Originally Posted by Serihon

If you look closely at the var_dump result you will notice that the username has a semi-colon appended to the end of it. Turns out another issue with this was in the code below.

Code:

<input type="image" src="images/prayingHands.png" alt="praying hands" onclick="prayFor('<?php echo $id; ?>','<?php echo "$un;" ?>');" />

to avoid this issue never put a variable in quotes where not necessary, since echo automatically converts the variable into a string.

PHP Code:

// unnecessary
echo "$myvar";

// better
echo $myvar;