Running Javascript held inside my ajax response text
Judging by the number of threads on this and the very little success people are having, it seems it is really hard, but can anyone please help me figure this out?
The javascript in that script block simply will not run at all. The showMainPage function is supposed to show the logged-in user's profile by loading it into the content_section div in index.php. Here is the JS file code for that function:
HTML Code:
function showMainPage(userid, page)
{
    if (page=="")
    {
        document.getElementById("content_section").innerHTML="";
        return;
    }
    var xmlhttp;   // keep the request object local instead of an implicit global
    if (window.XMLHttpRequest)
    {// code for IE7+, Firefox, Chrome, Opera, Safari
        xmlhttp=new XMLHttpRequest();
    }
    else
    {// code for IE6, IE5
        xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
    }
    xmlhttp.onreadystatechange=function()
    {
        if (xmlhttp.readyState==4 && xmlhttp.status==200)
        {
            // NOTE: any <script> block in responseText is inserted as markup only;
            // browsers never execute scripts assigned through innerHTML
            document.getElementById("content_section").innerHTML=xmlhttp.responseText;
        }
    };
    // encode the parameter so unusual characters in userid cannot break the query string
    xmlhttp.open("GET", page+".php?userid="+encodeURIComponent(userid),true);
    xmlhttp.send();
}
Can anybody please help me out.
Last edited by jimmyoneshot; 03-28-2011 at 06:07 PM.
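One way to make scripts carried in the response actually run, as an added example that is not part of the original post: innerHTML only parses script blocks, so the helper below splits them out of the response text and re-creates each one with createElement, which the browser does execute. The helper names and the regex-based splitting are my own assumptions, and it is only appropriate for responses from the application's own server, since every script it carries runs with the page's full privileges.

```javascript
// Added example (not from the thread): scripts inserted via innerHTML are
// parsed but never executed, so a response that carries <script> blocks has
// to be split into markup and script parts, and the scripts re-created with
// document.createElement(), which the browser does execute.
// Only use this on responses from your own server: every script the response
// carries will run with the page's full privileges.

var SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
var SRC_RE = /\bsrc\s*=\s*["']([^"']*)["']/i;

// Pure helper: returns { html, scripts } where html is the response with the
// script blocks removed and scripts is a list of { src, code } entries.
function splitScripts(responseText) {
  var scripts = [];
  var html = responseText.replace(SCRIPT_RE, function (match, attrs, body) {
    var srcMatch = SRC_RE.exec(attrs);
    scripts.push({ src: srcMatch ? srcMatch[1] : null, code: body });
    return '';
  });
  return { html: html, scripts: scripts };
}

// DOM side: insert the markup, then append a fresh <script> element per block
// (external ones by src, inline ones with their code as text). Returns the
// number of scripts re-injected.
function loadWithScripts(container, responseText) {
  var parts = splitScripts(responseText);
  container.innerHTML = parts.html;
  parts.scripts.forEach(function (s) {
    var el = document.createElement('script');
    if (s.src) {
      el.src = s.src;
    } else {
      el.text = s.code;
    }
    container.appendChild(el);
  });
  return parts.scripts.length;
}

// Usage inside the thread's onreadystatechange handler (constructed):
// if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
//   loadWithScripts(document.getElementById("content_section"), xmlhttp.responseText);
// }
```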
Yeah, sorry. The script type is in there in my version, but I didn't copy and paste it over correctly.
I can encrypt my passwords anytime, but for now I just need to figure out how to get javascript within an ajax response text working correctly. If you can't help, no worries.
Oh -- you may also be interested in trying to do this with "JSONP" instead. Rather than write HTML, including a script tag back, just write the script to a new script element:
On the page, triggered by the form "submit" ...
HTML Code:
var d = new Date();
var t = document.createElement('script');
// encode each value so it cannot break the query string; d.getTime() defeats caching
t.src = 'login_script.php?user=' + encodeURIComponent(username) + '&pass=' + encodeURIComponent(pass) + '&ts=' + d.getTime();
t.type = 'text/javascript';
// append to <head>, not to the document node itself (that throws a HierarchyRequestError)
document.getElementsByTagName('head')[0].appendChild(t);
Yeah ... the JSONP thing is meant to be in place of your existing method body. login_script.php should be returning a single line of javascript -- no HTML.
Yep I've put the json code you provided into my login() function as shown in my last post, so do you mean I also need to query the database within that function before I pass everything on to login_script.php?
No. You're missing the concept. This code creates a script tag:
EDITED: originally had some of your original AJAX in this snippet -- removed it!
HTML Code:
var d = new Date();
var t = document.createElement('script');
// encode each value so it cannot break the query string; d.getTime() defeats caching
t.src = 'login_script.php?email=' + encodeURIComponent(email) + '&password=' + encodeURIComponent(password) + '&ts=' + d.getTime();
t.type = 'text/javascript';
// append to <head>, not to the document node itself (that throws a HierarchyRequestError)
document.getElementsByTagName('head')[0].appendChild(t);
It's meant to replace your existing AJAX call -- not add to it. The new script tag will reference an external script to be generated by login_script.php. Thus, login_script.php should be printing/echoing ONLY JavaScript, what would be found in a normal external JavaScript -- NO HTML WHATSOEVER!
So, you need to replace all existing output in login_script.php with JavaScript output. If you were to put all of your actual authentication code in another script, for example, call it auth.inc, and write an authenticate() function that takes in a user and password and modifies the session accordingly, your login_script.php would look like this, in its entirety:
PHP Code:
<?php
require_once("auth.inc");   // assumed to call session_start() before $_SESSION is used

// tell the browser this response is a script, not a page
header("Content-Type: text/javascript");

// try to authenticate the user -- trust that the authenticate() function
// is doing all of the necessary data sanitization
authenticate($_GET['user'], $_GET['pass']);

// see whether a user_id has been set in the session and call the appropriate
// client-side method
if (isset($_SESSION['logged_in_userid']) && $_SESSION['logged_in_userid']) {
    print "showMainPage({$_SESSION['logged_in_userid']}, 'profile');";
} else {
    print "showLoginError('Invalid credentials');";
}
?>
From the browser's perspective, it sees one of the following:
You just need to ensure that both showMainPage() and showLoginError() are defined to display the correct thing to the user. To start with, I would suggest having each of them simply alert() their first parameter to ensure they're even getting called.
Another thing to note is that once you get the call-response working it might make more sense to use POST rather than GET along with a single use token to prevent CSRF.
Single-use tokens are generally a good idea -- yes. POST requests are not an option with JSONP though. Not something I would be terribly worried about though. If someone can snag your token, they can just as easily forge a POST request. And even in that case, the worst they can do is authenticate!
If you're worried about someone brute-forcing your users database, the best solution is usually just to implement some kind of rate-limiting. You would probably want some combination of limits on failed requests by IP, session, and intended user.
I was meaning to POST the results (through AJAX) and receive the single use token with which to call the JSONP as a JSON object. This would allow you to use the more secure POST along with the ease of use of JSONP.
This is a little off-topic ... would you mind sending me a PM to explain it further. Perhaps I'm having a brain-fart, but I'm struggling to see why what you're proposing is more secure.
Hence I don't want the email and password to be submitted which is why I used the return false in the onclick property. I only want them to be passed to a javascript function and dealt with from there i.e. no page refresh. I'm not sure how this could work with the code you provided.