jamcas2_2002

Web page SQL calls without page reload.

I have done some research and there is a way to send information and retrieve it from the server. The only thing is that it passes data to the server, not data and SQL/stored procedure calls. Does anyone know how to update and retrieve information from a website to where it is transparent to the user? I would like to build a web game that can have multiple players and does not require the player to constantly reload the web page. Here is the JavaScript code that I have found:

<SCRIPT LANGUAGE="javascript" src="exchanger.js"></SCRIPT>
<SCRIPT LANGUAGE="javascript">
var theBuffer;

//call this function in page onload event handler
function initialize() {
    theBuffer = new exchanger();
}

//call this function when data needs to be sent to server
function sendDataToServer(data) {
    theBuffer.sendData("receiver.jsp?" + data);
}

//call this function to check what the server returns.
function showReturnData() {
    alert(theBuffer.retrieveData("myNewData"));
}
</SCRIPT>

Thanks

It would be INCREDIBLY dangerous to allow your players' browsers to submit SQL directly!

They should send data to receiver.jsp, and then receiver.jsp contains code to INTERPRET the data you send to it and do the appropriate SQL/procedure calls.

receiver.jsp should check things like:
- Is the user logged in?
- Are they doing something allowed by the rules of the game?
- SQL injection? (Google this if you haven't heard of it!)

For example (not real code!):

Your page does this:

sendDataToServer("action=Drop_Item&item_id=42334");

Part of receiver.jsp does:

if ($action == "Drop_Item") {
    run_sql(" delete from inventory_item where id = $item_id and player_id = $player ");
}

Alternatively, you could have receiver.jsp accept the name of a procedure and a list of arguments and then call the specified procedure, which contains all of the game rule logic and security stuff.

Quote:
Original post by WavyVirus
if ($action == "Drop_Item") {
    run_sql(" delete from inventory_item where id = $item_id and player_id = $player ");
}

Even this is really dangerous. You really ought to parameterize all SQL queries via prepared statements, but at the very least you can use mysql_real_escape_string instead. (For servlets, use PreparedStatement of course.)

Anyway, best advice is to never trust anything coming from the client. Check the ranges of all numeric input. Scrub incoming text for HTML tags and the like.

@OP: I recommend getting a JavaScript framework like Mootools, Prototype, or jQuery. It will save you some typing and provide some extra functionality.
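
The two replies above (WavyVirus's sketch of receiver.jsp, and the follow-up asking for prepared statements and range checks) condensed into one runnable handler. This is an added example, not code from the thread or from any poster: it uses Python's sqlite3 with a constructed in-memory inventory table and hypothetical session/params dicts standing in for the JSP request; the unsafe variant is the thread's pseudocode taken literally, the safe one adds the login check, a numeric range check and placeholders.

```python
import sqlite3

def make_db():
    """Constructed in-memory table standing in for the game's inventory (sample rows, not the thread's data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE inventory_item (id INTEGER PRIMARY KEY, player_id INTEGER)")
    db.executemany("INSERT INTO inventory_item VALUES (?, ?)", [(1, 7), (2, 7), (3, 9)])
    return db

def count_items(db):
    return db.execute("SELECT COUNT(*) FROM inventory_item").fetchone()[0]

def drop_item_unsafe(db, session, params):
    """The thread's pseudocode taken literally: request values pasted into the SQL text."""
    sql = (f"delete from inventory_item where id = {params['item_id']}"
           f" and player_id = {session['player']}")
    db.execute(sql)
    return "dropped"

def drop_item_safe(db, session, params):
    """Hypothetical receiver handler: login check, input validation, parameterized SQL."""
    if session.get("player") is None:                      # 1. is the user logged in?
        return "not logged in"
    raw = params.get("item_id", "")
    if not raw.isdigit() or not 1 <= int(raw) <= 10**9:     # 2. numeric range check
        return "bad item_id"
    # 3. placeholders: the driver sends the values separately, so they never
    #    become SQL text; the player_id clause enforces "only drop your own items".
    cur = db.execute("DELETE FROM inventory_item WHERE id = ? AND player_id = ?",
                     (int(raw), session["player"]))
    return "dropped" if cur.rowcount == 1 else "no such item"

def handle(db, session, params, safe=True):
    """Dispatch on the action name, as receiver.jsp in the thread would."""
    if params.get("action") != "Drop_Item":
        return "unknown action"
    fn = drop_item_safe if safe else drop_item_unsafe
    return fn(db, session, params)

if __name__ == "__main__":
    req = {"action": "Drop_Item", "item_id": "3 or 1=1"}   # item 3 belongs to player 9
    unsafe_db, safe_db = make_db(), make_db()
    handle(unsafe_db, {"player": 7}, req, safe=False)
    print("unsafe handler left", count_items(unsafe_db), "rows")   # 0: every row deleted
    print("safe handler says", handle(safe_db, {"player": 7}, req),
          "and left", count_items(safe_db), "rows")                # bad item_id, 3 rows
```

The unsafe branch loses every row because AND binds tighter than OR, so the pasted text reads as `id = 3 OR (1=1 AND player_id = 7)`; with placeholders the same string is simply not a number and is rejected before any SQL runs.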

Thanks everyone. Your suggestions led me to understand there are two good ways of accomplishing the task: 1) Flash and 2) AJAX. I have chosen AJAX because it has pretty much no learning curve for me. It uses technologies that I already know, except for a few new functions that are used to transmit and receive info from the server. It is amazing that even a full-blown web-based operating system has been built using the AJAX concept.

Thanks again. =-)
