hello, all:
I am having trouble to make ajax work for my tiny php app.
I have a index.php file, which is
[php]<?PHP
session_start();
$_SESSION['ajaxKey'] = md5(uniqid(rand(), TRUE));
?>
<script src="clienthint.js"></script>
<script>
var ajaxKey = '<?PHP echo $_SESSION['ajaxKey']; ?>';
</script>
</head>
<body onLoad="showresult(ajaxKey);">
<p>result: <span id="txtHint"></span>
</body>
</html>
I have a ajax jS file, the relavant part is
function showresult(str)
{
if (str.length==0)
{
document.getElementById("txtHint").innerHTML=""
return;
}
xmlHttp=GetXmlHttpObject();
if (xmlHttp==null)
{
alert ("Browser does not support HTTP Request");
return;
}
var url = "read.php";
url=url+"?q="+str;
xmlHttp.onreadystatechange=stateChanged;
xmlHttp.open("GET",url,true);
xmlHttp.send(null);
}
I have the read.php,
<?php
$q=$_GET["q"];
if ($q == $_SESSION['ajaxKey'])
{
$filename = "myfile.txt";
$fp = fopen($filename, "rb") or die("Couldn't operate properly");
$buffer = fread($fp, filesize($filename));
echo $buffer;
}
else
{
echo "terminated".$_SESSION['ajaxKey'];
}
?>
[/php]
The idea is:
1: index.php generate a session key
2: index.php call read.php
3: read.php check if session exists, if yes, then read it, if not, then it is a forging attempt
Basically, I plan to use session key to defeat forging. But in read.php, the session key is always empty.
Can anyone help me please?