How to pass variable from JavaScript to PHP using jQuery POST

Question

I am passing the variable sessionnum from the following Javascript function in the page chat.php:

$(document).ready(function(){

        timestamp =         


        

Answer 1

It would appear as though you're relying on register_globals, and referencing what would be the POST variable in PHP, instead of referencing the $_POST superglobal index, e.g.

if ( $_POST['action'] == 'postmsg' ) {
    $name= mysql_real_escape_string( trim( $_POST['name'] ) );
    // query using $name reference
}

As an aside, you should really reconsider allowing the use of the tablename in the client side code.

Answer 2

Try changing the POST variables to $_POST['variable_name']. You're using a syntax that relies on globals being registered as variables. This is a feature that is a) not enabled by default and b) poses a major security risk when it is enabled. Thus, try changing your server-side code to:

$action = $_POST['action'];
$tablename1 = mysql_real_escape_string($_POST['tablename1']);
$name = mysql_real_escape_string($_POST['name']);
$message = mysql_real_escape_string($_POST['message']);

if(@$action == "postmsg") {
    mysql_query("INSERT INTO `$tablename1` (`user`,`msg`,`time`)
                VALUES ('$name','$message',".time().")",$dbconn);
    mysql_query("DELETE FROM `$tablename1` WHERE id <= ".
                (mysql_insert_id($dbconn)-$store_num),$dbconn);
    }

$messages = mysql_query("SELECT user,msg
                         FROM `$tablename1`
                         WHERE time>$time
                         ORDER BY id ASC
                         LIMIT $display_num",$dbconn);

Note that, in order to prevent some SQL injections, the variables that you're using in your SQL queries (that the user can potentially change) have been escaped using mysql_real_escape_string.