Notification system using PHP+jQuery+Ajax
I have this code to display a counter on the side of <i class="fas fa-bell mr-3"></i>. I want to know if this code is good on security and performance.

I just started using jQuery and Ajax. I had heard people saying that someone could disable the JavaScript and do bad things. What do you guys think about my code?



<div>
  <ul class="navbar-nav textoPerfilDesk dropMenuHoverColor">
    <li class="nav-item dropdown pr-2 dropleft navbarItem ">
      <a class="nav-link dropdown-toggle-fk" href="#" id="navbarDropdownMenuLink" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
        <i class="fas fa-bell mr-3"></i>
      </a>
      <div class="dropdown-menu dropdown-menu-fk py-3" aria-labelledby="navbarDropdownMenuLink">
        <a class="dropdown-item dropMNitemNT" href="um-link">
          <span class="d-flex">
            <img class="imgNT" src="img/1.jpg">
            <span class="pl-2 pt-1">
              titutlo
            </span>
          </span>
        </a>
      </div>
    </li>
  </ul>
  <span class="text-white divCountNT" id="datacount"></span>
</div>


script:



<script>
$(document).ready(function () {
    var intervalo, carregaDiv;

    // Poll select.php and write the returned count into #datacount.
    // The next request is scheduled only after the previous one completes.
    (carregaDiv = function () {
        $("#datacount").load('select.php', function () {
            intervalo = setTimeout(carregaDiv, 1000);
        });
    })();

    // Clicking the bell marks the notifications as read, then resumes polling.
    $('.fa-bell').on('click', function () {
        clearTimeout(intervalo);
        $.ajax({
            url: "update.php",
            complete: function () {
                setTimeout(carregaDiv, 1000);
            }
        });
    });
});
</script>


select.php



<?php
require_once 'db.php';   // expected to provide the PDO connection in $conn

if (!isset($_SESSION)) session_start();

if (isset($_SESSION['userid'])) {
    $userid = $_SESSION['userid'];
}

$status = 'unread';

// Count this user's unread notifications and print the number for the page to show.
$sql = $conn->prepare("SELECT * FROM noti WHERE status = :status AND
    userid = :userid");
$sql->bindParam(':userid', $userid, PDO::PARAM_INT);
$sql->bindParam(':status', $status, PDO::PARAM_STR);
$sql->execute();
$countNT = $sql->rowCount();

echo $countNT;

$conn = null;
?>


update.php



<?php
require_once 'db.php';   // expected to provide the PDO connection in $conn

if (!isset($_SESSION)) session_start();

if (isset($_SESSION['userid'])) {
    $userid = $_SESSION['userid'];
}

$status = 'read';
// Mark all of this user's notifications as read and print how many rows changed.
$sql = $conn->prepare("UPDATE noti SET status = :status WHERE userid = :userid");
// The placeholder name must match the one used in the query (:userid, not :user_id),
// otherwise PDO rejects the statement at execute() time.
$sql->bindParam(':userid', $userid, PDO::PARAM_INT);
$sql->bindParam(':status', $status, PDO::PARAM_STR);
$sql->execute();
$countNT = $sql->rowCount();

echo $countNT;

$conn = null;
?>
  • (I'd be more inclined to delve into the code if comments, the introduction and, to the extent feasible, the title of this post told who or what is notified how about what.)
    – greybeard
    Dec 1 at 15:24
php jquery security ajax
asked Dec 1 at 3:18
515948453225
1 Answer
accepted
JAVASCRIPT SECURITY

JavaScript is running on the client, and is therefore under full control of the user. It can be disabled, inspected, manipulated, and everything else that can be done in a programming language. You knew this, didn't you?

JavaScript is, almost by definition, insecure. Things that have to do with the security of your site, like validating passwords, should not be done in JavaScript. And in your code you don't do anything security related in JavaScript. All you do is set a timer running and call two PHP scripts. No risks there.






PHP SECURITY



The PHP scripts are another matter. Here is where things really happen, and you should implement your security measures here. Even though these scripts implement AJAX calls, they can be executed by anybody.

You seem to have users that can log in. Their user ID is stored in $_SESSION['userid']. I notice that you don't do anything, in your PHP scripts, when this ID is absent. You still execute the database queries. That is a bad idea.

When the two current PHP scripts are called without a user ID, they will probably just perform database queries that are invalid. No real harm done. But you shouldn't rely on just pure luck. Good security should leave no doubts about what will happen.

I therefore propose a slight change to your code. Instead of writing this:

if (isset($_SESSION['userid'])) {
    $userid = $_SESSION['userid'];
}

you could write this:

if (!isset($_SESSION['userid'])) die('Not logged in.');
$userid = $_SESSION['userid'];

This means that the PHP scripts will halt execution when there's no user, as they should.






PERFORMANCE



Your code is evidently not very efficient. Polling the database every second does not scale very well. There are other ways to do this. For instance with web sockets: https://developer.mozilla.org/en-US/docs/Web/API/Websockets_API (you would use a combination of the tools mentioned there). Updates will be quicker, without polling.

For now polling will probably be fine for you; after all, you're still learning jQuery and that is a challenge in itself. It takes time to understand how everything hangs together.
edited Dec 4 at 9:30
answered Dec 4 at 9:19
KIKO Software
  • Let's talk about this paragraph PHP SECURITY. I use echo to print out on the screen the HTML code for this notification, and it's all inside a if (!empty($user_id)) { example: pastebin.com/wmty3PKd is it enough? This way I will not execute the queries if the user is not logged in.
    – 515948453225
    Dec 4 at 17:23












  • And I changed intervalo = setTimeout(carregaDiv, 1000); to intervalo = setTimeout(carregaDiv, 60000);
    – 515948453225
    Dec 4 at 17:25






  • Yes, as long as you check that there is a valid user, before you do user-related things, it should be fine. Raising the interval of the timer to 60 seconds will certainly help, but the principle won't change. I also noted that you 'chain' your timers, instead of having one timer created with setInterval(). Your counter will stop whenever a single connection problem is encountered. In other words: It's not robust.
    – KIKO Software
    Dec 5 at 8:34
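As an added example, not code from the asker or from KIKO Software, here is one PHP endpoint that replaces select.php and update.php and puts the login check the answer proposes in front of both queries, with two extensions the answer's point leads to: a proper HTTP status instead of a bare die(), and a POST-plus-CSRF-token requirement for the state-changing mark-as-read action, which update.php currently accepts on a plain GET. It assumes, as in the question, that db.php provides a PDO $conn, that the noti table has userid and status columns, and that login stores the user id in $_SESSION['userid']; the action names, token handling and JSON responses are my own choices.

```php
<?php
// Added example (not the asker's or KIKO Software's code). Assumed from the
// question: db.php defines a PDO $conn, table "noti" has userid/status columns,
// and the login code stores the user id in $_SESSION['userid'].
declare(strict_types=1);

require_once 'db.php';

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

header('Content-Type: application/json');
header('Cache-Control: no-store');

/** Stop with an HTTP status and a JSON body instead of silently running queries. */
function fail(int $status, string $message): void
{
    http_response_code($status);
    echo json_encode(['error' => $message]);
    exit;
}

/** The check the answer proposes, done once before either action touches the DB. */
function requireUserId(): int
{
    if (!isset($_SESSION['userid'])
        || filter_var($_SESSION['userid'], FILTER_VALIDATE_INT) === false) {
        fail(401, 'Not logged in.');
    }
    return (int) $_SESSION['userid'];
}

/** Per-session CSRF token (assumed scheme): handed out with the count, required on writes. */
function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

/** Count unread notifications for this user only; COUNT(*) avoids fetching rows. */
function countUnread(PDO $conn, int $userId): int
{
    $stmt = $conn->prepare(
        'SELECT COUNT(*) FROM noti WHERE userid = :userid AND status = :status'
    );
    $stmt->execute([':userid' => $userId, ':status' => 'unread']);
    return (int) $stmt->fetchColumn();
}

/** Mark this user's unread notifications as read; returns how many changed. */
function markAllRead(PDO $conn, int $userId): int
{
    $stmt = $conn->prepare(
        'UPDATE noti SET status = :read WHERE userid = :userid AND status = :unread'
    );
    $stmt->execute([':read' => 'read', ':userid' => $userId, ':unread' => 'unread']);
    return $stmt->rowCount();
}

$userId = requireUserId();
$action = $_GET['action'] ?? '';

switch ($action) {
    case 'count':   // read-only, so a GET is fine
        echo json_encode(['unread' => countUnread($conn, $userId), 'csrf' => csrfToken()]);
        break;

    case 'read':    // changes state: require POST and a token only this session knows
        if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
            fail(405, 'Use POST.');
        }
        $token = $_POST['csrf'] ?? '';
        if (!is_string($token) || !hash_equals(csrfToken(), $token)) {
            fail(403, 'Bad CSRF token.');
        }
        echo json_encode(['marked' => markAllRead($conn, $userId)]);
        break;

    default:
        fail(400, 'Unknown action.');
}
```

The jQuery side then polls `?action=count` with a GET and, on the bell click, sends `$.post('notifications.php?action=read', {csrf: token})` with the token taken from the last count response.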