
I have this code

    $("#btn_log").click(function(){
        var frm=$("#frm_usuario").serialize();
        $.ajax({
            type:"GET",
            url:"http://www.MYWEB.com/cstapp/validarUsuario.php",
            data:frm,
            dataType:'json',
            success:function(response){
                if(response.estado==1){
                    window.location.href = response.url;
                } else {
                    alert("ERROR");
                }
            }
        });
    });

And the PHP that receives it

    $usuario= strtolower(htmlentities($_REQUEST["txt_usuario"], ENT_QUOTES));
    $clave=htmlspecialchars(trim($_REQUEST['txt_clave']));

    $sql="SELECT * FROM table WHERE usuari='$usuario' AND passw='$clave'";
    $result = mysql_query($sql,$connection) or die('La consulta falló'.mysql_error());
    $tmp_usu="";
    $tmp_clave="";

    $arr_rpta=array();
    while($obj = mysql_fetch_object($result)) {
        $tmp_usu=$obj->nomusuari;
        $tmp_clave=$obj->passw;
        $tmp_id=$obj->id;
    }
    if(($tmp_usu==$usuario)&&($tmp_clave==$clave)){
        $arr_rpta=array("estado"=>1,"url"=>"segunda.html","id" => $tmp_id);
    }else{
        $arr_rpta=array("estado"=>"0","url"=>"fallo en ellogin");
    }
    echo json_encode($arr_rpta);

OK, this works on my computer. It does not work in the XDK-compiled apk and it does not work in the XDK simulator.

Does anyone have any suggestions? Thank you very much.

rafa_pe
  • What exactly "doesn't work"? Be specific. – I wrestled a bear once. Nov 07 '16 at 21:40
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! ***SQL Injection!*** *It's not just for breakfast any more!* – Jay Blanchard Nov 07 '16 at 21:47
  • ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Nov 07 '16 at 21:47
  • **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Nov 07 '16 at 21:47
  • The login action doesn't work, @I wrestled a bear once. My PHP script is not my problem now (that's not mine). Exactly, now it is necessary to use mysqli, we know, thank you. This is a pattern. The storage of the passwords is required to be MD5, we also know. Thank you. This is a pattern. My problem is not PHP / MySQL, it is AJAX in this case, @jaylblanchard. Thanks a lot (sorry, I did not even mention names). – rafa_pe Nov 07 '16 at 21:56
  • You really shouldn't use [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure). – Jay Blanchard Nov 07 '16 at 22:19
  • Maybe SHA256, @jaylblanchard? – rafa_pe Nov 07 '16 at 22:20
  • PHP 7 doesn't have `mysql_*`. What PHP version is the Intel running? Anything in the error logs? Also `htmlspecialchars` requires the `ENT_QUOTES` to encode quotes, so this is not sufficient to stop SQL injections. Should update the driver and use parameterized queries. – chris85 Nov 07 '16 at 22:35
  • This works correctly on the computer. Intel does not use PHP, it is running on an external server @chris85 – rafa_pe Nov 07 '16 at 22:40
  • So what doesn't work on the Intel, the AJAX request? Does it send? – chris85 Nov 07 '16 at 22:41
  • The script does not work. It seems not to connect to the destination AJAX URL @chris85 – rafa_pe Nov 07 '16 at 22:47
  • Open your developer console and see what happens with the request. – chris85 Nov 08 '16 at 02:55
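The server-side changes the comments ask for (prepared statement, `password_hash()`/`password_verify()`, no escaping of the password), as an added example that is not the asker's script: a rewrite of validarUsuario.php that keeps the same `estado`/`url`/`id` JSON contract the jQuery handler above consumes. The table and column names (`table`, `usuari`, `passw`, `id`), the DSN and the credentials are assumptions; `passw` is assumed to hold a `password_hash()` digest rather than plain text.

```php
<?php
// Added example, not the original poster's code. Assumes the question's table
// and columns (table, usuari, passw, id) with passw holding a password_hash()
// digest. DSN and credentials below are placeholders.
header('Content-Type: application/json');

$dsn  = 'mysql:host=localhost;dbname=DBNAME;charset=utf8mb4'; // placeholder
$user = 'DBUSER';                                             // placeholder
$pass = 'DBPASS';                                             // placeholder

$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// Raw inputs, no htmlentities()/htmlspecialchars(): the query is parameterized,
// and the password must reach password_verify() exactly as the user typed it.
$usuario = strtolower(trim($_REQUEST['txt_usuario'] ?? ''));
$clave   = $_REQUEST['txt_clave'] ?? '';

// The user name is bound as a parameter, never interpolated into the SQL text,
// so quotes or comment sequences inside it cannot alter the query.
$stmt = $pdo->prepare('SELECT id, usuari, passw FROM `table` WHERE usuari = :usuario');
$stmt->execute([':usuario' => $usuario]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// password_verify() checks the submitted password against the stored digest;
// the plain-text password is never stored or compared with ==.
if ($row !== false && password_verify($clave, $row['passw'])) {
    $arr_rpta = ['estado' => 1, 'url' => 'segunda.html', 'id' => (int) $row['id']];
} else {
    // Identical response for an unknown user and a wrong password, so the
    // client cannot learn which one it was.
    $arr_rpta = ['estado' => 0, 'url' => 'fallo en el login'];
}

echo json_encode($arr_rpta);
```

The digest in `passw` is produced once, when the account is created, with `password_hash($clave, PASSWORD_DEFAULT)`, so neither MD5 nor SHA256 nor any escaping of the password is involved.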
