Variable Parameter in SQL Grid Connector in PHP

#1

Hello! I have no idea how to title this question!

I’m trying to populate a grid based on user input from an HTML form.

Here is my code:

<?php

    $Number = isset($_POST['Number']) ? $_POST['Number'] : NULL;

	$Host = "host";
	$User = "user";
	$Pass = "password";
	$DB = "db";
	
	$dbh = new PDO('dblib:host='.$Host.';dbname='.$DB, $User, $Pass);
	
	require("../../../../includes/dhtmlx/codebase-php/grid_connector.php");
	require("../../../../includes/dhtmlx/codebase-php/db_pdo.php");

	$grid = new GridConnector($dbh,"PDO");

    $sql = "select [columns] from [table] where [key] = ".$Number;
	$grid->render_sql($sql, "[ID]", "[columns]");
 ?>

(edited for security, assume the actual values are different)

This is simply not working at all, and I think it’s because it isn’t getting anything from the $_POST ?
I’m relatively new to PHP so I don’t fully understand how all this works.

I just know that I need to get a value from an HTML form into the SQL statement pictured above and I can’t figure out the best way to do that!

The code on the index is a javascript functions that looks like this:

	$('#Number').change(function() {
		var num = $(this).val();
		$.ajax({
			type: 'POST',
			url: "autofill.php",
			data: { Number: num },
			success: function(data) {

				if (arr[0].trim() != '') {
					$('#title').val(arr[0]);
					$('#submitButton').prop("disabled", false);
				} else {
					$('#submitButton').prop("disabled", true);
				}
				
				myGrid.load("connector.php");
				
			},
		});
	});

The ajax autofills a name in the HTML form based on the number that is typed, and then is supposed to populate the DHTMLX grid in the same action.
I’ve populated grids from ajax calls before, but never with a variable parameter.

Any help appreciated!

#2

I found a semi-decent solution for now!!

I changed my $_POST to a $_GET and my grid.load to:

myGrid.load("connector.php?Number="+num);

And that worked!
I don’t know how stable it is, but I think I can refine it and make it work for me!

#3

Update to this thread, I was able to create a better solution using $_SESSION instead of $_GET

In my ‘autofill.php’ file, which performs a SQL query to retrieve data, after the query executes I wrote

$_SESSION['num'] = numValue;

and then in the connector I replaced $_GET with $_SESSION. I felt that using a GET would be a security risk.

I also had to add session_start() to all of my files, which I did not have already.

My concern now is with security. Normally I use PDO bindParam to sanitize data inputs.
Reading the documentation for dhtmlxConnector, I know that all data is sanitized automatically. At which point does this occur? Is this after/during calling render_complex_sql?

Any help appreciated, I’d just like to know if my data is being sanitized properly!

#4

There is an xmlentities() function that replaces all the illegal chars in the xml data:


It processes after the data is already fetched from the database, during the xml generating. LIke:

Also there is a possiblity to configure the connector security settings with the:
https://docs.dhtmlx.com/connector__php__app_security.html