
What is the best way to communicate the client with the server?


Good morning for all!

I ask because I'm not an expert in front-end and back-end programming. I share the way I communicate the client with the server; I would like you to tell me if it's well implemented or if it can be improved. The idea is to boost our knowledge/skills every day ;)

Method: Send with Ajax

Client-side:
<script>
	jQuery.ajax({
		url: 'script.php',
		data: {
			'Var1': $('#ID').val(),
			// A value known to PHP when the page is rendered; json_encode turns it into a valid JS literal.
			'Var2': <?php echo json_encode($phpvariable); ?>
		}, // May be a FormData item too.
		type: 'POST',
		success: function (s) {
			// Received an encoded JSON string from server-side with any data.
			var data = JSON.parse(s);
			$('#resultselement').html(data[0]);
		},
		error: function () {
			alert('Error message');
		}
	});
</script>
Server-side:

<?php

	// Read the two values sent by the Ajax call; default to '' when a key is missing.
	$POSTVAR1 = $_POST["Var1"] ?? '';
	$POSTVAR2 = $_POST["Var2"] ?? '';

	// {INCLUDES, INTERNAL VARIABLES, PHP SCRIPT, ETC}

	// Collect the values to return; $array must exist before array_push() can add to it.
	$array = [];
	array_push($array, $phpvar1, $phpvar2, $phpvar3 /* ..., $phpvarn */);

	// Sending data to client-side as JSON
	header('Content-Type: application/json');
	echo json_encode($array);

?>

I appreciate any correction or suggestion, thanks!


Looks pretty good. The one thing I would recommend is sanitizing your POST variables. When you write code you always have to think like a hacker trying to break your system. You can't trust any data that is sent from a user in a POST variable. Worst case scenario, if you're using database queries with the data you get from POST variables, it could end up being SQL injection.
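The point this reply makes, as an added example that is not code from the thread or from any of its posters: it keeps the original script.php shape (read Var1/Var2 from POST, answer with a JSON array the client can JSON.parse) but validates the POST values before use and parameterises the database query, so the value can never become part of the SQL text. The table `users(name, email)`, its rows and the sample requests are constructed here in an in-memory SQLite database so the script runs offline; in production the request array is `$_POST` and the body is sent with the status code and content type shown at the end.

```php
<?php
// Added example, not code from the thread. Assumptions: the `users` table and
// sample rows are constructed in an in-memory SQLite database; the JSON array
// response shape follows the original poster's script.php.
declare(strict_types=1);

function openDemoDatabase(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT NOT NULL)');
    // Constructed sample data.
    $pdo->exec("INSERT INTO users VALUES ('alice', 'alice@example.com'), ('o''brien', 'ob@example.com')");
    return $pdo;
}

/** Returns [Var1, Var2] as strings, or null when anything is missing, non-string or oversized. */
function readInput(array $post): ?array
{
    $var1 = $post['Var1'] ?? null;
    $var2 = $post['Var2'] ?? null;
    if (!is_string($var1) || !is_string($var2)) {
        return null;            // arrays (Var1[]=...) or missing keys are rejected, not coerced
    }
    if ($var1 === '' || strlen($var1) > 64 || strlen($var2) > 1024) {
        return null;            // length limits are enforced before the value reaches any query
    }
    return [$var1, $var2];
}

/**
 * Parameterised lookup. The unsafe form the reply warns about would be
 *   $pdo->query("SELECT email FROM users WHERE name = '$name'")
 * where a quote inside $name changes the query itself. With prepare/execute
 * the value travels separately from the SQL text, so "o'brien" is just a name.
 */
function lookupEmail(PDO $pdo, string $name): ?string
{
    $stmt = $pdo->prepare('SELECT email FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $email = $stmt->fetchColumn();
    return $email === false ? null : $email;
}

/** Builds the status and JSON body; the poster's client parses the body with JSON.parse(). */
function handleRequest(PDO $pdo, array $post): array
{
    $input = readInput($post);
    if ($input === null) {
        return ['status' => 400, 'body' => json_encode(['error' => 'invalid input'])];
    }
    [$var1, $var2] = $input;
    $email = lookupEmail($pdo, $var1);
    // data[0] is inserted with .html() on the client, so escape it for an HTML context.
    $array = [htmlspecialchars($email ?? 'not found', ENT_QUOTES, 'UTF-8'), $var2];
    return ['status' => 200, 'body' => json_encode($array)];
}

// Demonstration with constructed requests; in production $_POST is passed instead.
$pdo = openDemoDatabase();
foreach ([
    ['Var1' => 'alice', 'Var2' => 'x'],
    ['Var1' => "o'brien", 'Var2' => 'x'],
    ['Var1' => ['not', 'a', 'string'], 'Var2' => 'x'],
] as $post) {
    $resp = handleRequest($pdo, $post);
    if (PHP_SAPI === 'cli') {
        echo $resp['status'], ' ', $resp['body'], PHP_EOL;
    } else {
        http_response_code($resp['status']);
        header('Content-Type: application/json');
        echo $resp['body'];
    }
}
```

Two design choices worth noting: input that is not a string (PHP turns `Var1[]=...` into an array) is rejected outright rather than cast, and the error path returns a 400 with a JSON body so the client's `error:` handler fires instead of `JSON.parse` choking on an HTML error page.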


Ohh, copied loud and clear!

I assume you mean using methods that prevent the user from sending "unsupported characters", like the mysqli_real_escape_string and htmlentities functions.

In addition to these functions, are there other ways to guarantee the integrity of the data sent via POST variables?

Thanks for your reply!


13 hours ago, jhomsrts said:

I assume you mean using methods that prevent the user from sending "unsupported characters", like the mysqli_real_escape_string and htmlentities functions.

You can go even further than that by determining exactly what characters are allowed. For instance, on Linux usernames have to be all lowercase letters and numbers, so you can do this:

$username = preg_replace("/[^a-z0-9]+/", "", $_POST["username"]);

Everything that isn't a lowercase letter or a number gets removed, and then you can do various if-then checks after that to make sure the remaining characters are valid.
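The allowlist idea from this reply carried one step further, as an added example that is not code from the thread: the reply's strip-everything-else `preg_replace` is shown beside a validate-and-reject check (an anchored `preg_match` with a length bound), which is usually what a server-side check wants, since a value that does not match the allowlist is refused rather than silently rewritten into a different one. The username rule (lowercase letters and digits) is the reply's; the 32-character limit and the sample inputs are assumptions constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. The username rule is the reply's;
// the length limit and the sample inputs are constructed assumptions.
declare(strict_types=1);

/** The reply's approach: remove every character outside the allowlist. */
function stripToAllowlist(string $raw): string
{
    return preg_replace('/[^a-z0-9]+/', '', $raw);
}

/**
 * Validate-and-reject: the whole string must match and the length is bounded.
 * \A and \z anchor to the true ends of the string; a bare $ would still match
 * before a trailing newline, so "bob\n" would slip through with /^...$/.
 */
function isValidUsername(string $raw): bool
{
    return preg_match('/\A[a-z0-9]{1,32}\z/', $raw) === 1;
}

/**
 * Reads the username from a POST-like array the way script.php would and
 * returns the accepted value or null. Non-string input (username[]=...) is
 * rejected instead of being cast to a string.
 */
function acceptUsername(array $post): ?string
{
    $raw = $post['username'] ?? null;
    if (!is_string($raw) || !isValidUsername($raw)) {
        return null;
    }
    return $raw;
}

// Constructed inputs showing where the two approaches differ.
$samples = [
    'alice42',            // valid either way
    'Alice',              // strip yields "lice" (silently another user); validate rejects
    "bob\n",              // strip yields "bob"; validate rejects because of the newline
    'carol.smith',        // strip yields "carolsmith"; validate rejects
    str_repeat('a', 40),  // strip keeps all 40 chars; validate rejects on length
];
foreach ($samples as $raw) {
    printf("%-28s strip=%-12s valid=%s\n",
        json_encode($raw), stripToAllowlist($raw), isValidUsername($raw) ? 'yes' : 'no');
}

// The request-level check: only the first sample is accepted.
foreach ($samples as $raw) {
    $accepted = acceptUsername(['username' => $raw]);
    printf("acceptUsername(%s) => %s\n", json_encode($raw), $accepted === null ? 'null' : $accepted);
}
```

Stripping is fine for display-only cleanup, but for anything used as an identifier (a username, a filename, a lookup key) the reject form is safer: "Alice" should be told the value is invalid, not quietly be turned into "lice". Escaping functions such as htmlentities or mysqli_real_escape_string belong at the point of output (HTML or SQL), after validation, not instead of it.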


You are right!

In fact, I had already done these validations on the client side with JavaScript, for example:

...
// Defined character ranges (hexadecimal character codes)
var regex_a = /[\x20-\x2a]/;   // space ! " # $ % & ' ( ) *
var regex_b = /[\x2c-\x2f]/;   // , - . /
var regex_c = /[\x3a-\x7e]/;   // : ; < = > ? @ A-Z [ \ ] ^ _ ` a-z { | } ~
// 'var' is a reserved word in JavaScript, so the value under test needs another name
var value = $('#ID').val();
if (regex_a.test(value) || regex_b.test(value) || regex_c.test(value)) {
	// Do something...
}
...

but I see that doing them on the server side gives better security in the process. 👍
