[RESOLVED] JSON

cluelessPHP

So I have decided to finally take the first steps into JSON, where is the best place for materials to learn?

laserlight

You could start by visiting json.org for the syntax, then read the PHP manual on JSON.

cluelessPHP

Pass

cluelessPHP

cluelessPHP;11054731 wrote:
Pass

I was thinking great and typed pass and didn't notice :queasy:

Thanks laserlight

<?php
require_once'connection.php';

header('Content-Type: application/json');
    $errors = [];
    $username = trim($_GET['username']);
    $email = trim($_GET['email']);
    $password = trim($_GET['password']);
    $repeatPassword = trim($_GET['repeatPassword']);

 $query = $db->prepare("SELECT username.username FROM username WHERE username.username = :username LIMIT 1");
 $query->bindValue(':username', $username, PDO::PARAM_STR);
 $query->execute();

if ( $query->rowCount() > 0 ) {
    $response=1;
     $errors[]= ["name"=>"username","error"=>"Username taken"];
}

if(filter_var($username,  FILTER_VALIDATE_REGEXP,["options"=> [ "regexp" => "/.{3,25}/"]]) === FALSE){
    $errors[]= ["name"=>"username","error"=>"invalid Id (3 to 25 characters)"];
}
if(preg_match('/[^a-z_\-0-9]/i', $username))
	{
		$errors[]= ["name"=>"username","error"=>"invalid Id (Usernames may not contain symbols)"];
	}

if(filter_var($email,FILTER_VALIDATE_EMAIL) === FALSE) {
    $errors[]= ["name"=>"email","error"=>"invalid Email"];
}

$emailQ = $db->prepare("SELECT username.eMail FROM username WHERE username.eMail = :email LIMIT 1");
 $emailQ->bindValue(':email', $email, PDO::PARAM_STR);
 $emailQ->execute();

if ( $query->rowCount() > 0 ) {
    $response=1;
     $errors[]= ["name"=>"email","error"=>"Email registered"];
}


if(filter_var($password,  FILTER_VALIDATE_REGEXP,["options"=> [ "regexp" => "/.{6,25}/"]]) === FALSE){
    $errors[]= ["name"=>"password","error"=>"invalid password (6 to 25 characters)"];
}
if($password !== $repeatPassword){
    $errors[]= ["name"=>"repeatPassword","error"=>"passwords don't match"];
}
if (count($errors) === 0) {
    // everything is OK, the browser should send us to the next page

	$sql = "INSERT INTO username (username,password, eMail ,joinedDate) VALUES (:username, :password, :email ,NOW())";
	$query = $db->prepare($sql);

	$query->execute(array(
		':username'=> $username,
		':password'=> $password,
		'email'=> $email
	));

}
echo json_encode($errors);

How's it looking so far?

maxxd

You've got a race condition issue with your logic. If two users attempt to create the same username and/or email at almost the same time, the system will report to both that the username/email address is available, then throw an error on the second attempt to actually insert that username or email address into the database. You'd be better off simply trying to insert the data and catching the PDO Exception on a unique key violation - this also cuts the number of queries run from 3 to 1 on successful registration attempts.

cluelessPHP

Didn't think of that, I'll add to my to do list, arguing with email activation currently

cluelessPHP

Rather than make a new thread, currently trying to figure out why this won't work.

<?php require_once 'connection.php'; ?>
<!DOCTYPE html>
<html>
<head>
	<meta charset="utf-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
	<link rel="stylesheet" href="css/mystyle.css">
	<title>Game of Thrones social</title>


<link rel="stylesheet" href="https://ajax.googleapis.com/ajax/libs/jqueryui/1.11.4/themes/smoothness/jquery-ui.css">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jqueryui/1.11.4/jquery-ui.min.js"></script>

<script>
$(document).ready(function() {
    $("form").on("submit", function(event) {
            event.preventDefault();
            $("span.error").empty()
            $.getJSON('registerForm.php', $(this).serialize(), function(data) {
                    if (!data.errors) {
                        alert(data.message) // deal with a no-error response ( all is good)
                    }else{
                        $.each(data.errors,function(i,datum){
                            $("[name='"+datum.name+"']").next().html(datum.error)
                        })
                    }
            });
    });
});
</script>

</head>
	<body>

<form action="" method="GET">
<div class="formControl">
	<input type="input" name="username" placeholder="Username" value="<?php echo isset($_POST['username']) ? $_POST['username'] : '' ?>">
	<span class="error"> </span>
</div>
<div class="formControl">
	<input type="text" name="email" placeholder="E-mail"  value="<?php echo isset($_POST['email']) ? $_POST['email'] : '' ?>">
	<span class="error"></span>
</div>
<div class="formControl">
	<input type="password" name="password" placeholder="Password">
	<span class="error"> </span>
</div>
<div class="formControl">
	<input type="password" name="repeatPassword" placeholder="Repeat password">
	<span class="error"> </span>
</div>	
<div class="formControl">
	<input type="hidden" name="code" value="<?php echo substr(str_shuffle("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, 1).substr(md5(time()),1); ?>">
	<span class="error"> </span>
</div>	
<input type="submit" value="Submit">
</form>

</body>
</html>



<?php
require_once'connection.php';

header('Content-Type: application/json');
    $errors = [];
    $username = trim($_GET['username']);
    $email = trim($_GET['email']);
    $password = trim($_GET['password']);
    $repeatPassword = trim($_GET['repeatPassword']);
	$code = $_GET['code'];
	 $query = $db->prepare("SELECT username.username FROM username WHERE username.username = :username LIMIT 1");
     $query->bindValue(':username', $username, PDO::PARAM_STR);
     $query->execute();


if ( $query->rowCount() > 0 ) {
    $response=1;
     $errors[]= ["name"=>"username","error"=>"Username taken"];
}

if(filter_var($username,  FILTER_VALIDATE_REGEXP,["options"=> [ "regexp" => "/.{3,25}/"]]) === FALSE){
    $errors[]= ["name"=>"username","error"=>"invalid Id (3 to 25 characters)"];
}
if(preg_match('/[^a-z_\-0-9]/i', $username))
	{
		$errors[]= ["name"=>"username","error"=>"invalid Id (Usernames may not contain symbols)"];
	}

if(filter_var($email,FILTER_VALIDATE_EMAIL) === FALSE) {
    $errors[]= ["name"=>"email","error"=>"invalid Email"];
}

$emailQ = $db->prepare("SELECT username.eMail FROM username WHERE username.eMail = :email LIMIT 1");
 $emailQ->bindValue(':email', $email, PDO::PARAM_STR);
 $emailQ->execute();

if ( $query->rowCount() > 0 ) {
    $response=1;
     $errors[]= ["name"=>"email","error"=>"Email registered"];
}


if(filter_var($password,  FILTER_VALIDATE_REGEXP,["options"=> [ "regexp" => "/.{6,25}/"]]) === FALSE){
    $errors[]= ["name"=>"password","error"=>"invalid password (6 to 25 characters)"];
}

if(!preg_match("/(?=[a-z]*[0-9])(?=[0-9]*[a-z])([a-z0-9-]+)/i",$password)) {
	 $errors[]= ["name"=>"password","error"=>"Password must contain numbers and letters"];
}

if($password !== $repeatPassword){
    $errors[]= ["name"=>"repeatPassword","error"=>"passwords don't match"];
}


$salt= uniqid(mt_rand(), true);
$options=['salt'=>$salt, 'cost'=>12];

if (count($errors) === 0) {
    // everything is OK, the browser should send us to the next page
	echo json_encode(["message"=>"Please view your emails to activate your account"]);
	$sql = "INSERT INTO username (username,password, eMail ,joinedDate, active, activecode) VALUES (:username, :password, :email ,NOW(), 0, :code)";
	$query = $db->prepare($sql);

	$query->execute(array(
		':username'=> $username,
		':password'=> $cryptpwd=crypt($password,'$2y$12$'.$salt.'$'),
		':email'=> $email,
		':code'=> $code
	));


echo $message = '
http://gotsocial.co.uk/active.php?activecode='.$code.'.
';
$to = $email;
$subject = 'Game of Thrones Social';
$from = "register@gotsocial.co.uk";

$result = mail($to, $subject, $message, "From: $from");
}
echo json_encode($errors);

When it fails validation it gives me an undefined alert rather than falling pack on the server side validation

Currently it's running here:

http://gotsocial.co.uk/register.php

cluelessPHP

Updated to this but still nothing

<?php
require_once'connection.php';

header('Content-Type: application/json');
    $errors = [];
    $username = trim($_GET['username']);
    $email = trim($_GET['email']);
    $password = trim($_GET['password']);
    $repeatPassword = trim($_GET['repeatPassword']);
	$code = $_GET['code'];
	 $query = $db->prepare("SELECT username.username FROM username WHERE username.username = :username LIMIT 1");
     $query->bindValue(':username', $username, PDO::PARAM_STR);
     $query->execute();


if ( $query->rowCount() > 0 ) {
    $response=1;
     $errors[]= ["name"=>"username","error"=>"Username taken"];
}

if(filter_var($username,  FILTER_VALIDATE_REGEXP,["options"=> [ "regexp" => "/.{3,25}/"]]) === FALSE){
    $errors[]= ["name"=>"username","error"=>"invalid Id (3 to 25 characters)"];
}
if(preg_match('/[^a-z_\-0-9]/i', $username))
	{
		$errors[]= ["name"=>"username","error"=>"invalid Id (Usernames may not contain symbols)"];
	}

if(filter_var($email,FILTER_VALIDATE_EMAIL) === FALSE) {
    $errors[]= ["name"=>"email","error"=>"invalid Email"];
}

$emailQ = $db->prepare("SELECT username.eMail FROM username WHERE username.eMail = :email LIMIT 1");
 $emailQ->bindValue(':email', $email, PDO::PARAM_STR);
 $emailQ->execute();

if ( $query->rowCount() > 0 ) {
    $response=1;
     $errors[]= ["name"=>"email","error"=>"Email registered"];
}


if(filter_var($password,  FILTER_VALIDATE_REGEXP,["options"=> [ "regexp" => "/.{6,25}/"]]) === FALSE){
    $errors[]= ["name"=>"password","error"=>"invalid password (6 to 25 characters)"];
}

if(!preg_match("/(?=[a-z]*[0-9])(?=[0-9]*[a-z])([a-z0-9-]+)/i",$password)) {
	 $errors[]= ["name"=>"password","error"=>"Password must contain numbers and letters"];
}

if($password !== $repeatPassword){
    $errors[]= ["name"=>"repeatPassword","error"=>"passwords don't match"];
}


$salt= uniqid(mt_rand(), true);
$options=['salt'=>$salt, 'cost'=>12];

if (count($errors) === 0) {
    // everything is OK, the browser should send us to the next page
	echo json_encode(["message"=>"Please view your emails to activate your account"]);
	$sql = "INSERT INTO username (username,password, eMail ,joinedDate, active, activecode) VALUES (:username, :password, :email ,NOW(), 0, :code)";
	$query = $db->prepare($sql);

	$query->execute(array(
		':username'=> $username,
		':password'=> $cryptpwd=crypt($password,'$2y$12$'.$salt.'$'),
		':email'=> $email,
		':code'=> $code
	));
$params = array(
'to'        => $email,
'subject'   => 'Game of',
'html'      => 'http://gotsocial.co.uk/active.php?activecode='.$code,
'text'      => 'the plain text',
'from'      => 'register@gotsocial.co.uk'
  );
  print_r($params);

}
echo json_encode($errors);

pbismad

You need to look at the network response you are getting back from the server. When you have errors, there is no data.errors element, because you haven't given the array you are json encoding an index name of 'errors', like the 'message' index name you are supplying in the success condition.

In addition to the race condition already mentioned, you have a security hole in the activation code. By passing it through the form, rather than generating it in the registerForm.php code, anyone can supply their own code value and won't need to have access to the email account being used. They can just register, supply their own code, then simply visit your site with that code in the url to complete registration.

cluelessPHP

<?php
require_once'connection.php';

 header('Content-Type: application/json');
 $errors = [];
    $username = trim($_GET['username']);
    $email = trim($_GET['email']);
    $password = trim($_GET['password']);
    $repeatPassword = trim($_GET['repeatPassword']);
	$code = $_GET['code'];
	 $query = $db->prepare("SELECT username.username FROM username WHERE username.username = :username LIMIT 1");
     $query->bindValue(':username', $username, PDO::PARAM_STR);
     $query->execute();

if ( $query->rowCount() > 0 ) {
    $response=1;
     $errors[]= ["name"=>"username","error"=>"Username taken"];
}

if(filter_var($username,  FILTER_VALIDATE_REGEXP,["options"=> [ "regexp" => "/.{3,25}/"]]) === FALSE){
    $errors[]= ["name"=>"username","error"=>"invalid Id (3 to 25 characters)"];
}
if(preg_match('/[^a-z_\-0-9]/i', $username))
	{
		$errors[]= ["name"=>"username","error"=>"invalid Id (Usernames may not contain symbols)"];
	}

if(filter_var($email,FILTER_VALIDATE_EMAIL) === FALSE) {
    $errors[]= ["name"=>"email","error"=>"invalid Email"];
}

$emailQ = $db->prepare("SELECT username.eMail FROM username WHERE username.eMail = :email LIMIT 1");
 $emailQ->bindValue(':email', $email, PDO::PARAM_STR);
 $emailQ->execute();

if ( $query->rowCount() > 0 ) {
    $response=1;
     $errors[]= ["name"=>"email","error"=>"Email registered"];
}


if(filter_var($password,  FILTER_VALIDATE_REGEXP,["options"=> [ "regexp" => "/.{6,25}/"]]) === FALSE){
    $errors[]= ["name"=>"password","error"=>"invalid password (6 to 25 characters)"];
}

if(!preg_match("/(?=[a-z]*[0-9])(?=[0-9]*[a-z])([a-z0-9-]+)/i",$password)) {
	 $errors[]= ["name"=>"password","error"=>"Password must contain numbers and letters"];
}

if($password !== $repeatPassword){
    $errors[]= ["name"=>"repeatPassword","error"=>"passwords don't match"];
}
if (count($errors) === 0) {
    // everything is OK, the browser should send us to the next page
	$sql = "INSERT INTO username (username,password, eMail ,joinedDate, active, activecode) VALUES (:username, :password, :email ,NOW(), 0, :code)";
	$query = $db->prepare($sql);

	$query->execute(array(
		':username'=> $username,
		':password'=> $cryptpwd=crypt($password,'$2y$12$'.$salt.'$'),
		':email'=> $email,
		':code'=> $code
	));

echo $message = '
http://gotsocial.co.uk/active.php?activecode='.$code.'.
';
$to = $email;
$subject = 'Game of Thrones Social';
$from = "register@gotsocial.co.uk";

$result = mail($to, $subject, $message, "From: $from");

    echo json_encode(["message"=>"Please view your email account to activate your account"]);
}
if (count($errors) === 0) {

}

else{
    echo json_encode(["errors"=>$errors]);
}

This is the problem

echo $message = '
	http://gotsocial.co.uk/active.php?activecode='.$code.'.
	';
	$to = $email;
	$subject = 'Game of Thrones Social';
	$from = "register@gotsocial.co.uk";

$result = mail($to, $subject, $message, "From: $from");

Yes I know I haven't corrected the race conditions yet, honestly not learnt how to do it yet, it's on my to do list after I figure this out.

sneakyimp

cluelessPHP;11054873 wrote:

This is the problem

echo $message = '
	http://gotsocial.co.uk/active.php?activecode='.$code.'.
	';
	$to = $email;
	$subject = 'Game of Thrones Social';
	$from = "register@gotsocial.co.uk";

$result = mail($to, $subject, $message, "From: $from");

Indeed that does look problematic. What do you mean "this is the problem?"

maxxd

cluelessPHP;11054873 wrote:
Yes I know I haven't corrected the race conditions yet, honestly not learnt how to do it yet, it's on my to do list after I figure this out.

Basically, you'll drop the 2 queries that check for existing values that match the user-supplied email and username altogether. Validate the other data, then run the insert inside a try...catch() block. Assuming you've set PDO to throw exceptions and you've got a unique index set up covering both username and email in the table, the catch() block will catch the PDOException containing a unique index violation message and code. If it does, return an error message to the user requesting that they try again. I wouldn't recommend you tell the user which key was a duplicate as that lets a malicious user know that either the username or the email exists - just tell the user that the combination is invalid. No need to make a determined hacker's life easier by giving them a valid username or email and making sure they only have to guess the password...

cluelessPHP

sneakyimp;11054875 wrote:
Indeed that does look problematic. What do you mean "this is the problem?"

If I take it out, my success message will display, if I leave it in my success message won't show but I will get an email sent to my email address

pbismad

You need to remove the echo statement from that block of code. It is sending output to the client that is not of the expected format and it interferes with the processing of the json encoded output.

cluelessPHP

I don't know if I should laugh or cry...it worked

sneakyimp

I see that you are trying to output JSON with this script. Have you bothered to examine the actual output that comes out? If there are any E_NOTICE or E_WARNING messages that get thrown, this will result in garbled JSON output but it may nevertheless be quite informative.

cluelessPHP


<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <link rel="stylesheet" href="css/mystyle.css">
    <title>Game of Thrones social</title>


<link rel="stylesheet" href="https://ajax.googleapis.com/ajax/libs/jqueryui/1.11.4/themes/smoothness/jquery-ui.css">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jqueryui/1.11.4/jquery-ui.min.js"></script>

<script>
$(document).ready(function() {
    $("form").on("submit", function(event) {
            event.preventDefault();
            $("span.error").empty()
			$("span.success").empty()
            $.getJSON('registerForm.php', $(this).serialize(), function(data) {
                    if (!data.errors) {
                        $(".success").append(data.message) // deal with a no-error response ( all is good)
                    }else{
                        $.each(data.errors,function(i,datum){
                            $("[name='"+datum.name+"']").next().html(datum.error)
                        })
                    }
            });
    });
});
</script>

</head>
    <body>
	<span class="success"></span>
    <form action="" method="POST">
    <div class="formControl">
        <input type="input" name="username" placeholder="Username" value="">
        <span class="error"> </span>
    </div>
    <div class="formControl">
        <input type="text" name="email" placeholder="E-mail"  value="">
        <span class="error"></span>
    </div>
    <div class="formControl">
        <input type="password" name="password" placeholder="Password">
        <span class="error"> </span>
    </div>
    <div class="formControl">
        <input type="password" name="repeatPassword" placeholder="Confirm Password">
        <span class="error"> </span>
    </div>
	<div class="formControl">
		<input type="hidden" name="code" value="<?php echo substr(str_shuffle("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, 1).substr(md5(time()),1); ?>">
		<span class="error"> </span>
	</div>	
    <input type="submit" value="Submit">
    </form>

</body>
</html>

<?php
require_once'connection.php';

error_reporting(E_ALL);
ini_set('display_errors', '1');

 header('Content-Type: application/json');
 $errors = [];
    $username = trim($_GET['username']);
    $email = trim($_GET['email']);
    $password = trim($_GET['password']);
    $repeatPassword = trim($_GET['repeatPassword']);
	$code = $_GET['code'];
	 $query = $db->prepare("SELECT username.username FROM username WHERE username.username = :username LIMIT 1");
     $query->bindValue(':username', $username, PDO::PARAM_STR);
     $query->execute();

if ( $query->rowCount() > 0 ) {
    $response=1;
     $errors[]= ["name"=>"username","error"=>"Username taken"];
}

if(filter_var($username,  FILTER_VALIDATE_REGEXP,["options"=> [ "regexp" => "/.{3,25}/"]]) === FALSE){
    $errors[]= ["name"=>"username","error"=>"invalid Id (3 to 25 characters)"];
}
if(preg_match('/[^a-z_\-0-9]/i', $username))
	{
		$errors[]= ["name"=>"username","error"=>"invalid Id (Usernames may not contain symbols)"];
	}

if(filter_var($email,FILTER_VALIDATE_EMAIL) === FALSE) {
    $errors[]= ["name"=>"email","error"=>"invalid Email"];
}

$emailQ = $db->prepare("SELECT username.eMail FROM username WHERE username.eMail = :email LIMIT 1");
 $emailQ->bindValue(':email', $email, PDO::PARAM_STR);
 $emailQ->execute();

if ( $query->rowCount() > 0 ) {
    $response=1;
     $errors[]= ["name"=>"email","error"=>"Email registered"];
}


if(filter_var($password,  FILTER_VALIDATE_REGEXP,["options"=> [ "regexp" => "/.{6,25}/"]]) === FALSE){
    $errors[]= ["name"=>"password","error"=>"invalid password (6 to 25 characters)"];
}

if(!preg_match("/(?=[a-z]*[0-9])(?=[0-9]*[a-z])([a-z0-9-]+)/i",$password)) {
	 $errors[]= ["name"=>"password","error"=>"Password must contain numbers and letters"];
}

if($password !== $repeatPassword){
    $errors[]= ["name"=>"repeatPassword","error"=>"passwords don't match"];
}
if (count($errors) === 0) {
    // everything is OK, the browser should send us to the next page
	$salt= uniqid(mt_rand(), true);
	$options=['salt'=>$salt, 'cost'=>12];

	$sql = "INSERT INTO username (username,password, eMail ,joinedDate, active, activecode) VALUES (:username, :password, :email ,NOW(), 0, :code)";
	$query = $db->prepare($sql);

	$query->execute(array(
		':username'=> $username,
		':password'=> $cryptpwd=crypt($password,'$2y$12$'.$salt.'$'),
		':email'=> $email,
		':code'=> $code
	));

 $message = '
http://gotsocial.co.uk/active.php?activecode='.$code.'.
';
$to = $email;
$subject = 'Game of Thrones Social';
$from = "register@gotsocial.co.uk";

$result = mail($to, $subject, $message, "From: $from");

    echo json_encode(["message"=>"Please view your email account to activate your account"]);
}
if (count($errors) === 0) {

}

else{
    echo json_encode(["errors"=>$errors]);
}

This was the results so far, next is reading about condition races

sneakyimp

That doesn't look like JSON output to me.

cluelessPHP

There is a JSON way for doing emails? I did think I was mixing languages again but wasn't sure

Weedpacket

There isn't a "JSON way" for doing anything; it's just an object notation language. A convention for writing structured data (which in this case uses the syntax JavaScript uses for the job).