Hi everyone. Hoping someone can help as I’ve been banging my head against my keyboard for some time now.
I have a game which requires the user to login with their username and password (after registering) using php/mysqli. The players name and scores are retrieved from the database upon successful login.
I had it working perfectly until I had another problem and was told in no uncertain terms on the stackoverflow forum that I should not be using GET but POST because of possible sql injection. I thought it would be a simple matter of just replacing GET with POST in both as3 and the php. Not so!!
No problems with registering as that uses just php. But logging in uses xml within php. Below is the original code that worked with GET…
else if(e.currentTarget.name == “login_btn”)
{
var us:String = mc_now.loginuser.text;
var pa:String = mc_now.loginpass.text;
if(us.length > 0 && pa.length > 0) {
getXML(filePHP+"?todo=login&username="+us+"&userpass="+pa, "login");
}
else {
if(us.length < 1 || pa.length < 1) {
positioningInterface(login, 0, 0);
login.loginuser.text = "Login Failed";
setTimeout(function() {login.loginuser.text = "";login.loginpass.text = "";}, 5000);
}
}
}
And the xml functions in flash…
function getXML(xmlfile,type:String)
{
if(type == “login”) {
xmlLoader.addEventListener(Event.COMPLETE, LoadUser);
}
xmlLoader.addEventListener(IOErrorEvent.IO_ERROR, ioError, false, 0, true);
}
function LoadUser(e:Event):void{
xmlLoader.removeEventListener(Event.COMPLETE, LoadUser);
myxml = new XML(e.target.data);
trace("Logged In:",myxml..player.username != undefined);
if(myxml..player.username != undefined) {
positioningInterface(welcome, 0, 0);
welcome.username_txt.text = myxml.player.username.text();
welcome.msg1_txt.text = "Welcome Back";
nameActive = myxml.player.username;
TotalScore = myxml.player.userscore;
trace( "Username:", myxml.player.username, "HighScore:", myxml.player.userscore);
}
And this is the portion of the php file concerned with logging in…
$username = mysqli_real_escape_string($connect, $_POST[‘username’]);
$userpass = sha1($_POST[‘userpass’]);
$todo = mysqli_real_escape_string($connect, $_POST[‘todo’]);
if ($todo == “login”) {
$result = mysqli_query($connect, “SELECT * FROM $nameTable WHERE userpass = ‘$userpass’ AND username = ‘$username’”);
if (mysqli_num_rows($result)== 0) {
echo 0;
}
else if (mysqli_num_rows($result)== 1)
{
header('Content-Type: text/xml');
echo "<?xml version='1.0'?>";
echo "<".$nameTable.">";
while ($data = mysqli_fetch_array($result))
{
echo "<player>";
echo "<username>".$data['username']."</username>";
echo "<userscore>".$data['userscore']."</userscore>";
echo "</player>";
}//end while
echo "</".$nameTable.">";
}
}
Referring again to the login button… am aware that this line of code…
getXML(filePHP+"?todo=login&username="+us+"&userpass="+pa, “login”);
specifically use variables in the URL and I know you can’t do that with POST. I tried to change it to just getXML(filePHP, “login”) but I just get a blank screen. It doesn’t matter what I do I cannot seem to get the xml data back out when using POST.
Help very much appreciated.