
[SOLVED] It still shows as GET while I use POST

  • Turns out ajax is misfiring POST as GET...

    Not sure why yet..

  • You have to sanitize the date whether it's GET or POST

    Use mysqli_real_escape_string

    http://php.net/manual/en/mysqli.real-escape-string.php

    and use htmlspecialchars http://php.net/htmlspecialchars when echoing anything back to screen

  • You have to sanitize the date whether it's GET or POST

    *scratches head..

    I just have no clue what that means sorry.

    And regarding the charset.. Doesn't Construct2 determine the charset used?

    I understand php and mysql can also specify this but i am assuming we have to comply with what Construct2 does? I am so in over my head hahaha

  • Basically, clean the data before it gets anywhere near the database. mysqli_real_escape_string will achieve this.

    $username = mysqli_real_escape_string($con, $username);

    etc

  • Ah i see.. data, not date.. That was confusing

    Thanks frozenpeas! Will see how far I get.

    P.S.

    So I don't have to use POST in this to make it secure? I got told with GET you can just see it in console view of the browser?

  • Sorry just noticed the typo

    Not sure about viewing POST and GET variables in the console though. Trying one then other I suppose is the answer.

  • Well the big issue I have is that people can see the data sent. In this case the Username and Password.

    I know there is

    $username = $_GET['fname'];

    $password = $_GET['fpass'];

    I have tried simply replacing the word GET with POST but that seems to stop the php script from working.

    But there is more that i don't understand.

    In construct2 there is the option to use AJAX to 'request url' and 'post to url'. I have tried both but both show in the console in the browser.

    So the two questions I have are..

    1- Do I need to use the 'post to url' in my eventsheet to make the data invisible?

    2- How do I convert the bit of php to use POST instead of GET and does that make it invisible?

    I just don't want everyone with a tiny bit of knowledge to see the username and password.

    Hard to understand the tutorial I am using is on this website and that uses GET in both php and AJAX. But then states it is not a very secure way, however that it can be made more secure. The tutorial is more than two years old but there are no relevant posts on the scirra forums to make it secure. There is not even a post regarding how to use the AJAX function 'post to url' properly on here except the manual entry which doesn't explain my question. Is there a better way to go about this or something? Does nobody have large data sets to load or compare to a database? Now somebody mentioned somewhere else on this forum I should use JSON instead and load all my database into an array from a JSON file. *sigh* Then why is this AJAX even an option? And why is that tutorial still up if it is not really advised to use that method? *Bllllarg

  • 2- How do I convert the bit of php to use POST instead of GET and does that make it invisible?

    $username = $_GET['fname'];

    $password = $_GET['fpass'];

    Will become

    $username = $_POST['fname'];

    $password = $_POST['fpass'];

    Sorry can't help you on any of the Construct 2 options. I've only had the program a week.

  • Well like I said. I have tried exactly that (replacing the word GET with POST) but then it suddenly does not work anymore. Every username/password combination will come back as not found pretty much. So not sure what is going on there. As far as I have found on forums it should not make a difference in the data that is returned. I must add that even when it is POST it is still visible in the console of the browser so I am just guessing it is visible because of the construct2 settings.. When I change the construct2 event to 'post to url' as well though it is still visible.

    *Aaaarg

    Thank you for the help so far. I do really appreciate it. Have been stuck on this tutorial for days now and not many people seem to have actually got the thing to work or can actually answer the specific questions. What good is it if it is not secure and people can hack it easily right?

  • Well the big issue I have is that people can see the data sent. In this case the Username and Password.

    I know there is

    $username = $_GET['fname'];

    $password = $_GET['fpass'];

    I have tried simply replacing the word GET with POST but that seems to stop the php script from working.

    But there is more that i don't understand.

    In construct2 there is the option to use AJAX to 'request url' and 'post to url'. I have tried both but both show in the console in the browser.

    So the two questions I have are..

    1- Do I need to use the 'post to url' in my eventsheet to make the data invisible?

    2- How do I convert the bit of php to use POST instead of GET and does that make it invisible?

    I just don't want everyone with a tiny bit of knowledge to see the username and password.

    Hard to understand the tutorial I am using is on this website and that uses GET in both php and AJAX. But then states it is not a very secure way, however that it can be made more secure. The tutorial is more than two years old but there are no relevant posts on the scirra forums to make it secure. There is not even a post regarding how to use the AJAX function 'post to url' properly on here except the manual entry which doesn't explain my question. Is there a better way to go about this or something? Does nobody have large data sets to load or compare to a database? Now somebody mentioned somewhere else on this forum I should use JSON instead and load all my database into an array from a JSON file. *sigh* Then why is this AJAX even an option? And why is that tutorial still up if it is not really advised to use that method? *Bllllarg

    I had to use POST in one of my projects to send different arrays (and save them in a JSON file with PHP) to make the savegame for every user, and that works perfectly..

    if you use POST method, in construct2 would be:

    Post to url:

    Tag: "somename"

    URL: link of your php file

    data: "username="&usernameC2&"&"&"password="&passwordC2

    method: POST

    the php would be:

    $username= mysqli_real_escape_string($con,$_POST['username']);

    $password= mysqli_real_escape_string($con,$_POST['password']);

    and when you have the connection with your database, just start a query:

    $sql1="INSERT INTO user(username, password)

    VALUES

    ('$username','$password')";

    mysqli_query($con,$sql1);

    this works for me... if you have some error, in your server (where is the php file) the server will make a file with the name of the error, and you can check from the console of chrome when you try to send data to see some error

    for more information about POST and GET: http://www.w3schools.com/tags/ref_httpmethods.asp

  • That is not answering my questions... nevermind.

    I will just assume it is the way I am asking but this is not helping me even a bit.

    I do appreciate everyone for trying though.

    I have read everything about GET and POST in both php and Construct2 documentation. I understand that mysqli_real_escape_string bit but I think I can avoid using it by using 'prepare' instead. And mysqli_real_escape_string doesn't work on anything but strings anyways. But all of that is irrelevant.

    I am not getting errors except when i use POST in the php script I don't get any value returned. Console and network do not seem to make any mention of why btw but I won't linger on that because my main issue is not solved yet anyway.

    I am simply wondering why everything I do keeps showing up in the network view (shown below) as using GET even if both php and Construct2 are set to use POST.

  • That is not answering my questions... nevermind.

    I will just assume it is the way I am asking but this is not helping me even a bit.

    I do appreciate everyone for trying though.

    I have read everything about GET and POST in both php and Construct2 documentation. I understand that mysqli_real_escape_string bit but I think I can avoid using it by using 'prepare' instead. And mysqli_real_escape_string doesn't work on anything but strings anyways. But all of that is irrelevant.

    I am not getting errors except when i use POST in the php script I don't get any value returned. Console and network do not seem to make any mention of why btw but I won't linger on that because my main issue is not solved yet anyway.

    I am simply wondering why everything I do keeps showing up in the network view (shown below) as using GET even if both php and Construct2 are set to use POST.

    Sorry, but English isn't my first language, so I have to understand very well when we are talking about this stuff, and I can't try the example, and if I miss something I misunderstand what you would like to make....

    if you want to send a data with POST method to a php file, my example works, and the script that I posted works for insert a value inside the table user in the database...

    why you don't get any value returned? can you post here the php file with capx?

    in my projects, when the user is logged in, I save different value with SESSION like this:

    $_SESSION["username"] = "myname";

    $_SESSION["coin"] = "250";

    ...

    ...

    and I can recall the variable just with an AJAX and get the echo from the SESSION and destroy it when I used it... but you can do it in the same php file with the echo after the login in your php and get the lastData from construct2

    for the security there are a lot of methods, for example, SESSION isn't too sure if you don't use it correctly, you can encrypt the password and other value/string...etc

    what version of PHP run in your server?

  • I am simply wondering why everything I do keeps showing up in the network view (shown below) as using GET even if both php and Construct2 are set to use POST.

    Perhaps calling the wrong function/Ajax call ?

    Some info

    GET method: This uses a method where the data is processed in the url. This leaves traces in various logs at different points between your connection over the http. Obviously, having passwords etc could be troublesome.

    POST method: leaves far fewer traces than the GET method.

    Difference, you can make simple links with the GET, like http://mysite/index.php?page=home

    Whereas POST methods require various FORM elements in web pages before being able to send stuff somewhere.

    Ajax takes care of the whole FORM formatting of your data request using POST.

    If you really want to protect your content, you should start by having a https capable server.

    By default, with https, your web connection will be encrypted and better protected.

    So your Ajax POST requests should point to files on your server over https://yoursite/mypage.php

    You have control of what the user can enter, for instance, you could create a certain set of keys only to be allowed to enter, leaving out various mischievous characters.

    Next to that, you should encode manually entered content which are being passed

    You could use in construct 2

    URLEncode(str)

    URLDecode(str)

    Convert to and from a string in a format suitable for including in a URL or POST data.

    and in PHP you would use the base64_encode base64_decode counterpart.

    mysql_real_escape_string is handy too; in PHP there are various options to strip certain undesired content from user input.

    When I have a user table in a game's database, I tend to generate md5 strings from the connection and browser information, gives me more in depth control of what to allow from a player.

    I would also try and add some flooding protection if the user is sending passwords to enter something, preventing brute force attempts.

  • Thank you both Ribis and lennaert. I see a lot of useful information and tips here. I will learn to use the things like URLEncode/base64_encode. And I will also see what it takes to get a https capable server and if this is worth it for the purpose. I am trying to make something for a group of volunteers..

    I am still very confused about the picture I showed. I AM already using POST method in both the php and construct2. Why does it show GET in the screenshot?

  • You might wanna remove your password "$con = new mysqli('213.171.200.72','bloomdatabase','gLitterati1234','xxxxxxxxxxxxxx');"

    And better use PDO instead of mysqli!
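
Added example (not part of the thread and not any poster's code): a login handler that combines the advice above. It rejects requests that do not arrive as POST, uses a PDO prepared statement as the last reply suggests, checks the password against a stored hash and escapes output with htmlspecialchars. The `users` table, its columns, the function name `handle_login` and the in-memory SQLite demo data are assumptions; `fname` and `fpass` are the field names used in the thread.

```php
<?php
// Added example, not code from the thread. Table/column names are assumptions.
function handle_login(PDO $pdo, string $method, array $post): array
{
    // Refuse anything that is not POST, so a request that arrives as GET
    // (the symptom in this thread) fails loudly instead of returning nothing.
    if ($method !== 'POST') {
        return [405, 'Use POST, got ' . htmlspecialchars($method, ENT_QUOTES, 'UTF-8')];
    }
    $username = $post['fname'] ?? '';
    $password = $post['fpass'] ?? '';
    if (!is_string($username) || !is_string($password)
        || $username === '' || $password === '') {
        return [400, 'Missing fname or fpass'];
    }

    // Bound parameter: the value never becomes part of the SQL text,
    // so no escaping function is needed for it.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();

    // Only a hash is stored; password_verify() compares the input against it.
    if ($hash === false || !password_verify($password, $hash)) {
        return [401, 'Not found'];
    }
    // Escape on output, as advised earlier in the thread.
    return [200, 'Welcome ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8')];
}

// Constructed demo data in an in-memory SQLite database so the file runs
// offline from the command line. On a real server, pass a MySQL PDO handle,
// $_SERVER['REQUEST_METHOD'] and $_POST instead.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)');
$pdo->prepare('INSERT INTO users VALUES (?, ?)')
    ->execute(['alice', password_hash('example-pass', PASSWORD_DEFAULT)]);

foreach ([
    ['GET',  ['fname' => 'alice', 'fpass' => 'example-pass']],
    ['POST', ['fname' => 'alice', 'fpass' => 'example-pass']],
    ['POST', ['fname' => "o'neil", 'fpass' => 'x']],   // quote is handled safely
    ['POST', ['fname' => 'alice']],                    // field missing
] as [$method, $post]) {
    [$status, $body] = handle_login($pdo, $method, $post);
    echo "$method -> $status $body\n";
}
```

The 405 branch makes the GET-instead-of-POST case visible in the browser's network view as an explicit status rather than an empty response.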
