dhoca wrote: ↑2020-05-28 19:38
Thanks for the suggestion. Unfortunately, it turns out that '<?php $mi = getMemberInfo(); $sql = "select SpendingLimit from Users where Email = '{$mi['username']}'"; $result = sqlValue($sql); echo $result; ?>' is merely treated as text in the alert.
I now understand that JavaScript is client side and not easily used to extract data from the database, hence the attempt to use PHP to query the database. I guess that's where I'm stumbling: getting the server side to talk to the client side.
In my research, I've come across AJAX. Can AJAX be used in AppGini? What's the preferred way to query the database in AppGini?
Thanks again for the suggestion.
Yes, you're right. Ideally you wanna use AJAX calls; make sure to use the function makeSafe() when passing your variables!! That prevents SQL injection vulnerabilities. Here's how I do it, hope it helps:
js code

    var xds = var_to_be_passed; // the value you want to send to the server
    $j.ajax({
        url: 'hooks/ajax-file.php',      // the PHP file below, inside the hooks folder
        data: { xds_var: xds },          // arrives in PHP as $_REQUEST['xds_var']
        success: function(data) {        // 'data' is whatever the PHP file echoes
            if (data) {
                console.log(data);
            } else {
                console.log('no data');
            }
        }
    });
ajax-file.php

    <?php
    $currDir = dirname(__FILE__) . '/..'; // assuming this file is inside the hooks folder
    include("$currDir/defaultLang.php");
    include("$currDir/language.php");
    include("$currDir/lib.php"); // loads the AppGini config ($dbServer, ...) and helper functions
    $con = mysqli_connect($dbServer, $dbUsername, $dbPassword);
    mysqli_select_db($con, $dbDatabase);
    $mi = getMemberInfo(); // the currently logged-in AppGini member
    $var_coming = makeSafe($_REQUEST['xds_var']); // escape the value sent from the JS side
    $sql = "SELECT field FROM table WHERE user = '{$mi['username']}' AND whatever = '{$var_coming}'";
    $data_returning = sqlValue($sql); // single value: first column of the first row
    echo $data_returning; // this text is what the success callback receives as 'data'
    ?>
The above example was for returning single variables; to return a table use:
js code

    var xds = var_to_be_passed; // the value you want to send to the server
    $j.ajax({
        url: 'hooks/ajax-file-table.php',
        data: { xds_var: xds },
        success: function(data) {
            if (data) {
                console.log(data);
                var tbl = JSON.parse(data); // the PHP side sends the row as JSON
                if (tbl) {
                    console.log(tbl.field_name); // access any column by its name
                }
            } else {
                console.log('no data');
            }
        }
    });
ajax-file-table.php

    <?php
    $currDir = dirname(__FILE__) . '/..'; // assuming this file is inside the hooks folder
    include("$currDir/defaultLang.php");
    include("$currDir/language.php");
    include("$currDir/lib.php"); // loads the AppGini config ($dbServer, ...) and helper functions
    $con = mysqli_connect($dbServer, $dbUsername, $dbPassword);
    mysqli_select_db($con, $dbDatabase);
    $mi = getMemberInfo();
    $xds_var = makeSafe($_REQUEST['xds_var']); // escape the value sent from the JS side
    $query = mysqli_query($con, "SELECT * FROM table WHERE ID = '{$xds_var}'");
    if (!$query) {
        exit; // query failed: send nothing so the JS side logs 'no data'
    }
    $table_data = mysqli_fetch_assoc($query); // one row as column => value
    header('Content-Type: application/json');
    echo json_encode($table_data); // the JS side parses this back into an object
    ?>
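As an added example (not code from this thread or from AppGini itself), here is the row-returning hook rewritten with a mysqli prepared statement, so the request value is bound as typed data instead of being escaped into the SQL string, plus a logged-in check and input validation. It assumes, as the posted code does, that lib.php provides $dbServer, $dbUsername, $dbPassword, $dbDatabase and getMemberInfo(); my_table, owner and field_name are placeholder names, and treating the username 'guest' as anonymous is an assumption about AppGini.

```php
<?php
// Added example, not code from the thread or from AppGini: the row-returning
// hook using a prepared statement. The request value is bound as data, so it
// can never change the SQL text. my_table, owner, field_name are placeholders.
$currDir = dirname(__FILE__) . '/..'; // assumes this file lives in hooks/
include("$currDir/defaultLang.php");
include("$currDir/language.php");
include("$currDir/lib.php"); // assumed (as in the thread) to provide $dbServer, $dbUsername,
                             // $dbPassword, $dbDatabase and getMemberInfo()

header('Content-Type: application/json');

function reply_and_exit($status, $payload) {
    http_response_code($status);
    echo json_encode($payload);
    exit;
}

// Only a logged-in AppGini member may call this hook.
// Assumption: anonymous callers have an empty username or the username 'guest'.
$mi = getMemberInfo();
if (empty($mi['username']) || $mi['username'] === 'guest') reply_and_exit(403, null);

// Validate the parameter before it goes anywhere near the database:
// here the record ID must be a plain non-negative integer.
$id = isset($_REQUEST['xds_var']) ? (string) $_REQUEST['xds_var'] : '';
if ($id === '' || !ctype_digit($id)) reply_and_exit(400, null);

$con = mysqli_connect($dbServer, $dbUsername, $dbPassword, $dbDatabase);
if (!$con) reply_and_exit(500, null);

// '?' placeholders are filled by bind_param with typed values ('i' int, 's' string),
// so neither the ID nor the username is concatenated into the query string.
$stmt = mysqli_prepare($con, "SELECT ID, field_name FROM my_table WHERE ID = ? AND owner = ?");
if (!$stmt) reply_and_exit(500, null);
mysqli_stmt_bind_param($stmt, 'is', $id, $mi['username']);
mysqli_stmt_execute($stmt);
$row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt)); // get_result needs mysqlnd (PHP default)
mysqli_stmt_close($stmt);
mysqli_close($con);

// null when no row matched; the JS side's "if (tbl)" then takes the 'no data' branch
reply_and_exit(200, $row ? $row : null);
```

The owner = ? condition also scopes the row to the calling member, so one user cannot fetch another user's record just by changing xds_var.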