
What the below code does is make sure the user isn't allowed to submit a comment unless he's signed in, by using the $_SESSION['login_user'] superglobal. But it's giving me an error. I think the problem is because I'm calling a JavaScript function in onsubmit="return(checkUser())". There's something wrong there but I don't know why.

I have the following code:

<script type="text/javascript">  
      // notice the quotes around the ?php tag 
      function checkUser() {     
          <?php
          if(isset($_SESSION['login_user'])){
            $isExist = true;

        }
        ?>
        else{
            $isExist= false;
            alert( "Please register first!" );

        }
      var htmlString="<?php echo $isExist; ?>";
      return isExist;
      }
    </script>

...
...

<?php
echo "<form method='POST' onsubmit="return(checkUser());" action='".setComments($connection, $res['post_id'])."'>
    //echo "<form method='POST' action='".setComments($connection, $res['post_id'])."'>
    <input type='hidden' name='uid' value='".$_SESSION['login_user']."'>
    <input type='hidden' name='date' value='".date('Y-m-d H:i:s')."'>
    <textarea name='message'> </textarea><br>
    <button type='submit' name='commentSubmit'>Comment</button>
     </form>";
    getComments($connection, $res['post_id']);

?>

....

If this is not the right method to stop the user from submitting a comment, then what could be another method?

John Sall
  • Regardless of the obvious wrong syntax: do not do this. All I have to do is open my console and write `function checkUser(){return true}` to send any comment I feel like. Validate it on the server and provide an output, and don't provide the field in the first place if there is no access. – Lain Nov 28 '19 at 22:25
  • Possible duplicate of [PHP quotes inside quotes](https://stackoverflow.com/questions/21107329/php-quotes-inside-quotes) – ChrisGPT was on strike Nov 28 '19 at 22:26
  • `onsubmit="return(checkUser());"` must be `onsubmit='return(checkUser());'` – RonaldT Nov 28 '19 at 22:27
  • Possible duplicate of [When and where does JavaScript run, how about PHP? Can I combine the two?](https://stackoverflow.com/q/25093905/354577) – ChrisGPT was on strike Nov 28 '19 at 22:27
  • @RonaldT didn't work – John Sall Nov 28 '19 at 22:28

1 Answer


In addition to what @RonaldT said, you need to understand that the PHP code is executed on the server before being sent to the browser. So checking for $_SESSION['login_user'] inside a Javascript function is kind of silly, since it will always be the same until the user refreshes the page (only then will PHP re-check the value).

So your function can be simplified like this:

<script type="text/javascript">
    // on page load, define a global variable using PHP
    var isLoggedIn = <?php echo isset($_SESSION['login_user']) ? "true" : "false"; ?>;

    function checkUser() {
        // check that global variable every time checkUser() is called in Javascript
        if (!isLoggedIn) {
            alert( "Please register first!" );
        }

        return isLoggedIn;
    }
</script>

Keep in mind that this kind of "security" is extremely easy to fool (any user can just open their browser console, type isLoggedIn = true; and voila), so be sure to check on the server as well when the form is submitted.

Or better yet: if a user is not allowed to do something, don't give them the opportunity. Why display the form at all if the user will not be allowed to submit it anyway?

<?php
if (!isset($_SESSION['login_user'])) {
    echo "Please register to add a comment";
} else {
    echo "<form [...everything else...] /form>";
}

getComments($connection, $res['post_id']);
?>
rickdenhaan
  • I wanted to do the same like stackoverflow. When you're not logged in, in stackoverflow, it still shows "Post Your Answer". But when you click it, it forces you to register. – John Sall Nov 28 '19 at 23:43
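The following is an added example, not code from the question or the answer, showing what "check on the server as well" looks like for this form while keeping the Stack Overflow-style behaviour the asker mentions (form shown to everyone, registration enforced only on submit). It assumes an in-memory SQLite database with a `comments` table (constructed inline so the script runs offline), that the script is served as /post.php, and that the registration page is /register.php; none of these come from the question. Note that the question's form also sends `uid` and `date` as hidden inputs; both are client-controlled and are ignored here, with the user id taken from the session and the timestamp generated on the server.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or the answer above.
// Assumptions: an in-memory SQLite database (constructed here so the script
// runs offline) with a `comments` table; the script lives at /post.php and
// the registration page at /register.php. None of these come from the question.
session_start();

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (
    id INTEGER PRIMARY KEY,
    post_id INTEGER NOT NULL,
    user_id TEXT NOT NULL,
    message TEXT NOT NULL,
    created_at TEXT NOT NULL
)');

// The session is the only source of identity we trust. The hidden "uid" and
// "date" inputs in the question's form are client-controlled and are ignored.
function currentUserId(): ?string
{
    return isset($_SESSION['login_user']) ? (string) $_SESSION['login_user'] : null;
}

// Handles the POST. Returns true when a comment was stored, false when the
// request was refused (not signed in, or empty message).
function handleCommentSubmit(PDO $pdo, int $postId): bool
{
    $userId = currentUserId();
    if ($userId === null) {
        // Reached whether the JavaScript check ran or was bypassed from the
        // console: send the visitor to register, as the asker wants.
        header('Location: /register.php?next=' . urlencode('/post.php?id=' . $postId));
        return false;
    }

    $message = trim((string) ($_POST['message'] ?? ''));
    if ($message === '') {
        return false;
    }

    // user_id and created_at are filled in by the server; a prepared
    // statement keeps the message out of the SQL string.
    $stmt = $pdo->prepare(
        'INSERT INTO comments (post_id, user_id, message, created_at) VALUES (?, ?, ?, ?)'
    );
    return $stmt->execute([$postId, $userId, $message, date('Y-m-d H:i:s')]);
}

// Renders the form for every visitor (the Stack Overflow behaviour mentioned
// in the comment above); only handleCommentSubmit() decides whether a
// submission counts. No uid/date fields: the server never reads them.
function renderCommentForm(int $postId): string
{
    $action = htmlspecialchars('/post.php?id=' . $postId, ENT_QUOTES, 'UTF-8');
    return "<form method='POST' action='{$action}'>"
        . "<textarea name='message'></textarea><br>"
        . "<button type='submit' name='commentSubmit'>Comment</button>"
        . "</form>";
}

$postId = (int) ($_GET['id'] ?? 0);
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST' && isset($_POST['commentSubmit'])) {
    if (handleCommentSubmit($pdo, $postId)) {
        header('Location: /post.php?id=' . $postId); // redirect after POST
    }
    exit;
}
echo renderCommentForm($postId);
```

The answer's JavaScript `checkUser()` can stay as a convenience (the alert tells a signed-out visitor what to do without a round trip), but nothing in the above depends on it: a request with no valid session is refused by `handleCommentSubmit()` regardless of what the browser did. Whatever `getComments()` does when it prints stored messages back out should escape them with `htmlspecialchars()` as well, since the message is user-supplied.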