Passing results to Javascript

Bete

I'm trying to use Javascript for inline validation of an HTML form, but there is one validation that needs to happen in PHP. Is there anyway to call the PHP script from Javascript and have the result passed back to Javascript as a variable? I've searched the web and seen some suggestions (treating the php file as an href, etc.) but I haven't had any luck so far.

The PHP script called is:

<?php

include_once 'securimage/securimage.php';

$securimage = new Securimage();

if ($securimage->check($_POST['code']) == false) {

  echo "2";
}

exit;

?>

I tried the Javascript as follows:

PHPCode = <a href="checkcaptcha.php">

if (PHPcode == 2) {
hideAllErrors();
document.getElementById("code2Error").style.display = "block";
document.getElementById("code").select();
document.getElementById("code").focus();
return false;

Any ideas?

bretticus

Bete;10882140 wrote:
Is there anyway to call the PHP script from Javascript and have the result passed back to Javascript as a variable?

This is what ajax was invented for.

Here's a good demo project to get you started.

Here's a tutorial with the popular prototype javascript library and ajax with php.

Best one I've seen for simplicity: Rasmus' 30 second AJAX Tutorial

Possibly a more simple example.

Ashley_Sheridan

You should do ALL the validation server side, as the user can simply turn off JavaScript to thwart your checking. By all means, use JavaScript validation, as it helps trap problems before waiting for a browser response, but don't rely on it for any sort of validation.

bretticus

I have one client that I'm writing some box office software for. My login page for them was done AJAX style. Because it is not quite done yet, there is no ssl certificate and thus, no ssl. Albeit the chance for a man-in-the-middle attack is slim, I actually do not send the password in my authentication request. Instead, on the client side, I hash the username, password, and some client-side random salt (as random as javascript gets I guess.) I then send: the username, my hashed value, and the salt via AJAX to the server (the salt gets stored in the database and cannot be replayed.) Then, serverside, I look up the username in the database. I take the username and salt (that I know already from the POST or GET) and the password in the database (password is not hashed, but I am using their database design, not mine) and I hash that (this time with php of course) and compare that with the hash that I received. If they match, I set a session variable signifying a successful login. I then send a "success" signal back to the javascript handler for the AJAX call. Because the browser acquired a session cookie, either by just loading the login page, or by sending the AJAX request, when the javascipt is instructed to proceed to the homepage, the serverside code can check the session and allow the subsequent scripts to proceed.

Why did I just type all of this? 🙂 Well, I wanted to show an example of using AJAX for authentication without compromising the end-users ability to inject javascript code. For example, a hacker could instruct the script to proceed to the homepage (spoof the "success" message), but since the checking and session setting are server-side, he or she won't get in. The best the hacker can do is get an authenticated session cookie by being man-in-the-middle. The only thing that defeats man in the middle, is ssl.

Ashley is right, you don't want to rely on javascript authentication only. However, with the captcha you are doing, this may be a good way to thwart spam bots.