Notification system using PHP+jQuery+Ajax











up vote
1
down vote

favorite












I have this code to display a counter on the side of <i class="fas fa-bell mr-3"></i>. I want to know if this code is good on security and perfomance.



I just started using jquery and ajax, i had heard people saying that someone could disable the javascript and do bad things. What you guys think about my code?



 <div>

    <ul class="navbar-nav textoPerfilDesk dropMenuHoverColor">

        <li class="nav-item dropdown pr-2 dropleft navbarItem ">

        <a class="nav-link dropdown-toggle-fk" href="#" id="navbarDropdownMenuLink" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">

            <i class="fas fa-bell mr-3"></i>

        </a>

        <div class="dropdown-menu dropdown-menu-fk py-3" aria-labelledby="navbarDropdownMenuLink">

            <a class="dropdown-item dropMNitemNT" href="um-link">

            <span class="d-flex">

                <img class="imgNT" src="img/1.jpg">

                <span class="pl-2 pt-1">

                    titutlo

                </span>

            </span>

            </a>

        </div>

        </li>

    </ul>

    <span class="text-white divCountNT" id="datacount"></span>

  </div>


script:



<script>

  $(document).ready(function(){

     var intervalo, carregaDiv;

     (carregaDiv = function(){

        $("#datacount").load('select.php', function(){

           intervalo = setTimeout(carregaDiv, 1000);

        });

     })();

     $('.fa-bell').on('click', function (){

        clearTimeout(intervalo);

        $.ajax({

           url: "update.php",

           complete: function(){

             setTimeout(carregaDiv, 1000);

           }

        });

     });

  });

</script>


select.php



<?php

require_once 'db.php';



if(!isset($_SESSION))session_start();



if(isset($_SESSION['userid'])) {

  $userid = $_SESSION['userid'];

}



    $status = 'unread';



    $sql = $conn->prepare("SELECT * FROM noti WHERE status = :status AND 

    userid = :userid");

    $sql->bindParam(':userid', $userid, PDO::PARAM_INT);

    $sql->bindParam(':status', $status, PDO::PARAM_STR);

    $sql->execute();

    $countNT = $sql->rowCount();



    echo $countNT;



    $conn = null;



    ?>


update.php



<?php

require_once 'db.php';



if(!isset($_SESSION))session_start();



if(isset($_SESSION['userid'])) {

  $userid = $_SESSION['userid'];

}



$status = 'read';

$sql = $conn->prepare("UPDATE noti SET status = :status WHERE userid = :userid");

$sql->bindParam(':user_id', $userid, PDO::PARAM_INT);

$sql->bindParam(':status', $status, PDO::PARAM_STR);

$sql->execute();

$countNT = $sql->rowCount();



echo $countNT;



$conn = null;

?>





php jquery security ajax







share|improve this question






















  • (I'd be more inclined to delve into the code if comments, the introduction and, to the extent feasible, the title of this post told who or what is notified how about what.)
    – greybeard
    Dec 1 at 15:24

















up vote
1
down vote

favorite












I have this code to display a counter on the side of <i class="fas fa-bell mr-3"></i>. I want to know if this code is good on security and perfomance.



I just started using jquery and ajax, i had heard people saying that someone could disable the javascript and do bad things. What you guys think about my code?



 <div>

    <ul class="navbar-nav textoPerfilDesk dropMenuHoverColor">

        <li class="nav-item dropdown pr-2 dropleft navbarItem ">

        <a class="nav-link dropdown-toggle-fk" href="#" id="navbarDropdownMenuLink" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">

            <i class="fas fa-bell mr-3"></i>

        </a>

        <div class="dropdown-menu dropdown-menu-fk py-3" aria-labelledby="navbarDropdownMenuLink">

            <a class="dropdown-item dropMNitemNT" href="um-link">

            <span class="d-flex">

                <img class="imgNT" src="img/1.jpg">

                <span class="pl-2 pt-1">

                    titutlo

                </span>

            </span>

            </a>

        </div>

        </li>

    </ul>

    <span class="text-white divCountNT" id="datacount"></span>

  </div>


script:



<script>

  $(document).ready(function(){

     var intervalo, carregaDiv;

     (carregaDiv = function(){

        $("#datacount").load('select.php', function(){

           intervalo = setTimeout(carregaDiv, 1000);

        });

     })();

     $('.fa-bell').on('click', function (){

        clearTimeout(intervalo);

        $.ajax({

           url: "update.php",

           complete: function(){

             setTimeout(carregaDiv, 1000);

           }

        });

     });

  });

</script>


select.php



<?php

require_once 'db.php';



if(!isset($_SESSION))session_start();



if(isset($_SESSION['userid'])) {

  $userid = $_SESSION['userid'];

}



    $status = 'unread';



    $sql = $conn->prepare("SELECT * FROM noti WHERE status = :status AND 

    userid = :userid");

    $sql->bindParam(':userid', $userid, PDO::PARAM_INT);

    $sql->bindParam(':status', $status, PDO::PARAM_STR);

    $sql->execute();

    $countNT = $sql->rowCount();



    echo $countNT;



    $conn = null;



    ?>


update.php



<?php

require_once 'db.php';



if(!isset($_SESSION))session_start();



if(isset($_SESSION['userid'])) {

  $userid = $_SESSION['userid'];

}



$status = 'read';

$sql = $conn->prepare("UPDATE noti SET status = :status WHERE userid = :userid");

$sql->bindParam(':user_id', $userid, PDO::PARAM_INT);

$sql->bindParam(':status', $status, PDO::PARAM_STR);

$sql->execute();

$countNT = $sql->rowCount();



echo $countNT;



$conn = null;

?>





php jquery security ajax







share|improve this question






















  • (I'd be more inclined to delve into the code if comments, the introduction and, to the extent feasible, the title of this post told who or what is notified how about what.)
    – greybeard
    Dec 1 at 15:24















up vote
1
down vote

favorite









up vote
1
down vote

favorite











I have this code to display a counter on the side of <i class="fas fa-bell mr-3"></i>. I want to know if this code is good on security and perfomance.



I just started using jquery and ajax, i had heard people saying that someone could disable the javascript and do bad things. What you guys think about my code?



 <div>

    <ul class="navbar-nav textoPerfilDesk dropMenuHoverColor">

        <li class="nav-item dropdown pr-2 dropleft navbarItem ">

        <a class="nav-link dropdown-toggle-fk" href="#" id="navbarDropdownMenuLink" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">

            <i class="fas fa-bell mr-3"></i>

        </a>

        <div class="dropdown-menu dropdown-menu-fk py-3" aria-labelledby="navbarDropdownMenuLink">

            <a class="dropdown-item dropMNitemNT" href="um-link">

            <span class="d-flex">

                <img class="imgNT" src="img/1.jpg">

                <span class="pl-2 pt-1">

                    titutlo

                </span>

            </span>

            </a>

        </div>

        </li>

    </ul>

    <span class="text-white divCountNT" id="datacount"></span>

  </div>


script:



<script>

  $(document).ready(function(){

     var intervalo, carregaDiv;

     (carregaDiv = function(){

        $("#datacount").load('select.php', function(){

           intervalo = setTimeout(carregaDiv, 1000);

        });

     })();

     $('.fa-bell').on('click', function (){

        clearTimeout(intervalo);

        $.ajax({

           url: "update.php",

           complete: function(){

             setTimeout(carregaDiv, 1000);

           }

        });

     });

  });

</script>


select.php



<?php

require_once 'db.php';



if(!isset($_SESSION))session_start();



if(isset($_SESSION['userid'])) {

  $userid = $_SESSION['userid'];

}



    $status = 'unread';



    $sql = $conn->prepare("SELECT * FROM noti WHERE status = :status AND 

    userid = :userid");

    $sql->bindParam(':userid', $userid, PDO::PARAM_INT);

    $sql->bindParam(':status', $status, PDO::PARAM_STR);

    $sql->execute();

    $countNT = $sql->rowCount();



    echo $countNT;



    $conn = null;



    ?>


update.php



<?php

require_once 'db.php';



if(!isset($_SESSION))session_start();



if(isset($_SESSION['userid'])) {

  $userid = $_SESSION['userid'];

}



$status = 'read';

$sql = $conn->prepare("UPDATE noti SET status = :status WHERE userid = :userid");

$sql->bindParam(':user_id', $userid, PDO::PARAM_INT);

$sql->bindParam(':status', $status, PDO::PARAM_STR);

$sql->execute();

$countNT = $sql->rowCount();



echo $countNT;



$conn = null;

?>





php jquery security ajax







share|improve this question













I have this code to display a counter on the side of <i class="fas fa-bell mr-3"></i>. I want to know if this code is good on security and perfomance.



I just started using jquery and ajax, i had heard people saying that someone could disable the javascript and do bad things. What you guys think about my code?



 <div>

    <ul class="navbar-nav textoPerfilDesk dropMenuHoverColor">

        <li class="nav-item dropdown pr-2 dropleft navbarItem ">

        <a class="nav-link dropdown-toggle-fk" href="#" id="navbarDropdownMenuLink" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">

            <i class="fas fa-bell mr-3"></i>

        </a>

        <div class="dropdown-menu dropdown-menu-fk py-3" aria-labelledby="navbarDropdownMenuLink">

            <a class="dropdown-item dropMNitemNT" href="um-link">

            <span class="d-flex">

                <img class="imgNT" src="img/1.jpg">

                <span class="pl-2 pt-1">

                    titutlo

                </span>

            </span>

            </a>

        </div>

        </li>

    </ul>

    <span class="text-white divCountNT" id="datacount"></span>

  </div>


script:



<script>

  $(document).ready(function(){

     var intervalo, carregaDiv;

     (carregaDiv = function(){

        $("#datacount").load('select.php', function(){

           intervalo = setTimeout(carregaDiv, 1000);

        });

     })();

     $('.fa-bell').on('click', function (){

        clearTimeout(intervalo);

        $.ajax({

           url: "update.php",

           complete: function(){

             setTimeout(carregaDiv, 1000);

           }

        });

     });

  });

</script>


select.php



<?php

require_once 'db.php';



if(!isset($_SESSION))session_start();



if(isset($_SESSION['userid'])) {

  $userid = $_SESSION['userid'];

}



    $status = 'unread';



    $sql = $conn->prepare("SELECT * FROM noti WHERE status = :status AND 

    userid = :userid");

    $sql->bindParam(':userid', $userid, PDO::PARAM_INT);

    $sql->bindParam(':status', $status, PDO::PARAM_STR);

    $sql->execute();

    $countNT = $sql->rowCount();



    echo $countNT;



    $conn = null;



    ?>


update.php



<?php

require_once 'db.php';



if(!isset($_SESSION))session_start();



if(isset($_SESSION['userid'])) {

  $userid = $_SESSION['userid'];

}



$status = 'read';

$sql = $conn->prepare("UPDATE noti SET status = :status WHERE userid = :userid");

$sql->bindParam(':user_id', $userid, PDO::PARAM_INT);

$sql->bindParam(':status', $status, PDO::PARAM_STR);

$sql->execute();

$countNT = $sql->rowCount();



echo $countNT;



$conn = null;

?>





php jquery security ajax




php jquery security ajax






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Dec 1 at 3:18









515948453225

185




185












  • (I'd be more inclined to delve into the code if comments, the introduction and, to the extent feasible, the title of this post told who or what is notified how about what.)
    – greybeard
    Dec 1 at 15:24




















  • (I'd be more inclined to delve into the code if comments, the introduction and, to the extent feasible, the title of this post told who or what is notified how about what.)
    – greybeard
    Dec 1 at 15:24


















(I'd be more inclined to delve into the code if comments, the introduction and, to the extent feasible, the title of this post told who or what is notified how about what.)
– greybeard
Dec 1 at 15:24






(I'd be more inclined to delve into the code if comments, the introduction and, to the extent feasible, the title of this post told who or what is notified how about what.)
– greybeard
Dec 1 at 15:24












1 Answer
1






active

oldest

votes

















up vote
1
down vote



accepted










JAVASCRIPT SECURITY



Javascript is running on the client, and is therefore under full control of the user. It can be disabled, inspected, manipulated, and everything else that can done in a programming language. You knew this, didn't you?



Javascript is, almost by definition, insecure. Things that have to do with the security of your site, like validating passwords, should not be done in Javascript. And in your code you don't do anything security related in Javascript. All you do is set a timer running and call two PHP scripts. No risks there.






PHP SECURITY



The PHP scripts are another matter. Here is where things really happen, and you should implement your security measures here. Even though these scripts implement AJAX calls, they can be executed by anybody.



You seem to have users, that can log in. Their user ID is stored in $_SESSION['userid']. I notice that you don't do anything, in your PHP scripts, when this ID is absent. You still execute the database queries. That is a bad idea.



When the two current PHP scripts are called, without an user ID, they will probably just perform database queries that are invalid. No real harm done. But you shouldn't rely on just pure luck. Good security should leave no doubts about what will happen.



I therefore propose I slight change to your code. Instead of writing this:



if (isset($_SESSION['userid'])) {

  $userid = $_SESSION['userid'];

}


you could write this:



if (!isset($_SESSION['userid'])) die('Not logged in.');

$userid = $_SESSION['userid'];


this means that the PHP scripts will halt execution when there's no user, as they should.






PERFORMANCE



You code is evidently not very efficient. Polling the database every second does not scale very well. There are other ways to do this. For instance with web sockets: https://developer.mozilla.org/en-US/docs/Web/API/Websockets_API ( you would use a combination of the tools mentioned there). Updates will be quicker, without polling.



For now polling will probably be fine for you, after all you're still learning Jquery and that is a challenge in itself. It takes time to understand how everything hangs together.






share|improve this answer























  • Lets talk about this paragraph PHP SECURITY. I use echo to print out on the screen the HTML code for this notification, and it's all inside a if (!empty($user_id)) { example: pastebin.com/wmty3PKd is it enough? This way i will not execute the queries if the user is not logged in.
    – 515948453225
    Dec 4 at 17:23












  • And i changed intervalo = setTimeout(carregaDiv, 1000); to intervalo = setTimeout(carregaDiv, 60000);
    – 515948453225
    Dec 4 at 17:25






  • 1




    Yes, as long as you check that there is a valid user, before you do user-related things, it should be fine. Raising the interval of the timer to 60 seconds will certainly help, but the principle won't change. I also noted that you 'chain' your timers, instead of having one timer created with setInterval(). Your counter will stop whenever a single connection problem is encountered. In other words: It's not robust.
    – KIKO Software
    Dec 5 at 8:34











Your Answer





StackExchange.ifUsing("editor", function () {
return StackExchange.using("mathjaxEditing", function () {
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["\$", "\$"]]);
});
});
}, "mathjax-editing");

StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "196"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f208803%2fnotification-system-using-phpjqueryajax%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
1
down vote



accepted










JAVASCRIPT SECURITY



Javascript is running on the client, and is therefore under full control of the user. It can be disabled, inspected, manipulated, and everything else that can done in a programming language. You knew this, didn't you?



Javascript is, almost by definition, insecure. Things that have to do with the security of your site, like validating passwords, should not be done in Javascript. And in your code you don't do anything security related in Javascript. All you do is set a timer running and call two PHP scripts. No risks there.






PHP SECURITY



The PHP scripts are another matter. Here is where things really happen, and you should implement your security measures here. Even though these scripts implement AJAX calls, they can be executed by anybody.



You seem to have users, that can log in. Their user ID is stored in $_SESSION['userid']. I notice that you don't do anything, in your PHP scripts, when this ID is absent. You still execute the database queries. That is a bad idea.



When the two current PHP scripts are called, without an user ID, they will probably just perform database queries that are invalid. No real harm done. But you shouldn't rely on just pure luck. Good security should leave no doubts about what will happen.



I therefore propose I slight change to your code. Instead of writing this:



if (isset($_SESSION['userid'])) {

  $userid = $_SESSION['userid'];

}


you could write this:



if (!isset($_SESSION['userid'])) die('Not logged in.');

$userid = $_SESSION['userid'];


this means that the PHP scripts will halt execution when there's no user, as they should.






PERFORMANCE



You code is evidently not very efficient. Polling the database every second does not scale very well. There are other ways to do this. For instance with web sockets: https://developer.mozilla.org/en-US/docs/Web/API/Websockets_API ( you would use a combination of the tools mentioned there). Updates will be quicker, without polling.



For now polling will probably be fine for you, after all you're still learning Jquery and that is a challenge in itself. It takes time to understand how everything hangs together.






share|improve this answer























  • Lets talk about this paragraph PHP SECURITY. I use echo to print out on the screen the HTML code for this notification, and it's all inside a if (!empty($user_id)) { example: pastebin.com/wmty3PKd is it enough? This way i will not execute the queries if the user is not logged in.
    – 515948453225
    Dec 4 at 17:23












  • And i changed intervalo = setTimeout(carregaDiv, 1000); to intervalo = setTimeout(carregaDiv, 60000);
    – 515948453225
    Dec 4 at 17:25






  • 1




    Yes, as long as you check that there is a valid user, before you do user-related things, it should be fine. Raising the interval of the timer to 60 seconds will certainly help, but the principle won't change. I also noted that you 'chain' your timers, instead of having one timer created with setInterval(). Your counter will stop whenever a single connection problem is encountered. In other words: It's not robust.
    – KIKO Software
    Dec 5 at 8:34















up vote
1
down vote



accepted










JAVASCRIPT SECURITY



Javascript is running on the client, and is therefore under full control of the user. It can be disabled, inspected, manipulated, and everything else that can done in a programming language. You knew this, didn't you?



Javascript is, almost by definition, insecure. Things that have to do with the security of your site, like validating passwords, should not be done in Javascript. And in your code you don't do anything security related in Javascript. All you do is set a timer running and call two PHP scripts. No risks there.






PHP SECURITY



The PHP scripts are another matter. Here is where things really happen, and you should implement your security measures here. Even though these scripts implement AJAX calls, they can be executed by anybody.



You seem to have users, that can log in. Their user ID is stored in $_SESSION['userid']. I notice that you don't do anything, in your PHP scripts, when this ID is absent. You still execute the database queries. That is a bad idea.



When the two current PHP scripts are called, without an user ID, they will probably just perform database queries that are invalid. No real harm done. But you shouldn't rely on just pure luck. Good security should leave no doubts about what will happen.



I therefore propose I slight change to your code. Instead of writing this:



if (isset($_SESSION['userid'])) {

  $userid = $_SESSION['userid'];

}


you could write this:



if (!isset($_SESSION['userid'])) die('Not logged in.');

$userid = $_SESSION['userid'];


this means that the PHP scripts will halt execution when there's no user, as they should.






PERFORMANCE



You code is evidently not very efficient. Polling the database every second does not scale very well. There are other ways to do this. For instance with web sockets: https://developer.mozilla.org/en-US/docs/Web/API/Websockets_API ( you would use a combination of the tools mentioned there). Updates will be quicker, without polling.



For now polling will probably be fine for you, after all you're still learning Jquery and that is a challenge in itself. It takes time to understand how everything hangs together.






share|improve this answer























  • Lets talk about this paragraph PHP SECURITY. I use echo to print out on the screen the HTML code for this notification, and it's all inside a if (!empty($user_id)) { example: pastebin.com/wmty3PKd is it enough? This way i will not execute the queries if the user is not logged in.
    – 515948453225
    Dec 4 at 17:23












  • And i changed intervalo = setTimeout(carregaDiv, 1000); to intervalo = setTimeout(carregaDiv, 60000);
    – 515948453225
    Dec 4 at 17:25






  • 1




    Yes, as long as you check that there is a valid user, before you do user-related things, it should be fine. Raising the interval of the timer to 60 seconds will certainly help, but the principle won't change. I also noted that you 'chain' your timers, instead of having one timer created with setInterval(). Your counter will stop whenever a single connection problem is encountered. In other words: It's not robust.
    – KIKO Software
    Dec 5 at 8:34













up vote
1
down vote



accepted







up vote
1
down vote



accepted






JAVASCRIPT SECURITY



Javascript is running on the client, and is therefore under full control of the user. It can be disabled, inspected, manipulated, and everything else that can done in a programming language. You knew this, didn't you?



Javascript is, almost by definition, insecure. Things that have to do with the security of your site, like validating passwords, should not be done in Javascript. And in your code you don't do anything security related in Javascript. All you do is set a timer running and call two PHP scripts. No risks there.






PHP SECURITY



The PHP scripts are another matter. Here is where things really happen, and you should implement your security measures here. Even though these scripts implement AJAX calls, they can be executed by anybody.



You seem to have users, that can log in. Their user ID is stored in $_SESSION['userid']. I notice that you don't do anything, in your PHP scripts, when this ID is absent. You still execute the database queries. That is a bad idea.



When the two current PHP scripts are called, without an user ID, they will probably just perform database queries that are invalid. No real harm done. But you shouldn't rely on just pure luck. Good security should leave no doubts about what will happen.



I therefore propose I slight change to your code. Instead of writing this:



if (isset($_SESSION['userid'])) {

  $userid = $_SESSION['userid'];

}


you could write this:



if (!isset($_SESSION['userid'])) die('Not logged in.');

$userid = $_SESSION['userid'];


this means that the PHP scripts will halt execution when there's no user, as they should.






PERFORMANCE



You code is evidently not very efficient. Polling the database every second does not scale very well. There are other ways to do this. For instance with web sockets: https://developer.mozilla.org/en-US/docs/Web/API/Websockets_API ( you would use a combination of the tools mentioned there). Updates will be quicker, without polling.



For now polling will probably be fine for you, after all you're still learning Jquery and that is a challenge in itself. It takes time to understand how everything hangs together.






share|improve this answer














JAVASCRIPT SECURITY



Javascript is running on the client, and is therefore under full control of the user. It can be disabled, inspected, manipulated, and everything else that can done in a programming language. You knew this, didn't you?



Javascript is, almost by definition, insecure. Things that have to do with the security of your site, like validating passwords, should not be done in Javascript. And in your code you don't do anything security related in Javascript. All you do is set a timer running and call two PHP scripts. No risks there.






PHP SECURITY



The PHP scripts are another matter. Here is where things really happen, and you should implement your security measures here. Even though these scripts implement AJAX calls, they can be executed by anybody.



You seem to have users, that can log in. Their user ID is stored in $_SESSION['userid']. I notice that you don't do anything, in your PHP scripts, when this ID is absent. You still execute the database queries. That is a bad idea.



When the two current PHP scripts are called, without an user ID, they will probably just perform database queries that are invalid. No real harm done. But you shouldn't rely on just pure luck. Good security should leave no doubts about what will happen.



I therefore propose I slight change to your code. Instead of writing this:



if (isset($_SESSION['userid'])) {

  $userid = $_SESSION['userid'];

}


you could write this:



if (!isset($_SESSION['userid'])) die('Not logged in.');

$userid = $_SESSION['userid'];


this means that the PHP scripts will halt execution when there's no user, as they should.






PERFORMANCE



You code is evidently not very efficient. Polling the database every second does not scale very well. There are other ways to do this. For instance with web sockets: https://developer.mozilla.org/en-US/docs/Web/API/Websockets_API ( you would use a combination of the tools mentioned there). Updates will be quicker, without polling.



For now polling will probably be fine for you, after all you're still learning Jquery and that is a challenge in itself. It takes time to understand how everything hangs together.







share|improve this answer














share|improve this answer



share|improve this answer








edited Dec 4 at 9:30

























answered Dec 4 at 9:19









KIKO Software

1,549512




1,549512












  • Lets talk about this paragraph PHP SECURITY. I use echo to print out on the screen the HTML code for this notification, and it's all inside a if (!empty($user_id)) { example: pastebin.com/wmty3PKd is it enough? This way i will not execute the queries if the user is not logged in.
    – 515948453225
    Dec 4 at 17:23












  • And i changed intervalo = setTimeout(carregaDiv, 1000); to intervalo = setTimeout(carregaDiv, 60000);
    – 515948453225
    Dec 4 at 17:25






  • 1




    Yes, as long as you check that there is a valid user, before you do user-related things, it should be fine. Raising the interval of the timer to 60 seconds will certainly help, but the principle won't change. I also noted that you 'chain' your timers, instead of having one timer created with setInterval(). Your counter will stop whenever a single connection problem is encountered. In other words: It's not robust.
    – KIKO Software
    Dec 5 at 8:34


















  • Lets talk about this paragraph PHP SECURITY. I use echo to print out on the screen the HTML code for this notification, and it's all inside a if (!empty($user_id)) { example: pastebin.com/wmty3PKd is it enough? This way i will not execute the queries if the user is not logged in.
    – 515948453225
    Dec 4 at 17:23












  • And i changed intervalo = setTimeout(carregaDiv, 1000); to intervalo = setTimeout(carregaDiv, 60000);
    – 515948453225
    Dec 4 at 17:25






  • 1




    Yes, as long as you check that there is a valid user, before you do user-related things, it should be fine. Raising the interval of the timer to 60 seconds will certainly help, but the principle won't change. I also noted that you 'chain' your timers, instead of having one timer created with setInterval(). Your counter will stop whenever a single connection problem is encountered. In other words: It's not robust.
    – KIKO Software
    Dec 5 at 8:34
















Lets talk about this paragraph PHP SECURITY. I use echo to print out on the screen the HTML code for this notification, and it's all inside a if (!empty($user_id)) { example: pastebin.com/wmty3PKd is it enough? This way i will not execute the queries if the user is not logged in.
– 515948453225
Dec 4 at 17:23






Lets talk about this paragraph PHP SECURITY. I use echo to print out on the screen the HTML code for this notification, and it's all inside a if (!empty($user_id)) { example: pastebin.com/wmty3PKd is it enough? This way i will not execute the queries if the user is not logged in.
– 515948453225
Dec 4 at 17:23














And i changed intervalo = setTimeout(carregaDiv, 1000); to intervalo = setTimeout(carregaDiv, 60000);
– 515948453225
Dec 4 at 17:25




And i changed intervalo = setTimeout(carregaDiv, 1000); to intervalo = setTimeout(carregaDiv, 60000);
– 515948453225
Dec 4 at 17:25




1




1




Yes, as long as you check that there is a valid user, before you do user-related things, it should be fine. Raising the interval of the timer to 60 seconds will certainly help, but the principle won't change. I also noted that you 'chain' your timers, instead of having one timer created with setInterval(). Your counter will stop whenever a single connection problem is encountered. In other words: It's not robust.
– KIKO Software
Dec 5 at 8:34




Yes, as long as you check that there is a valid user, before you do user-related things, it should be fine. Raising the interval of the timer to 60 seconds will certainly help, but the principle won't change. I also noted that you 'chain' your timers, instead of having one timer created with setInterval(). Your counter will stop whenever a single connection problem is encountered. In other words: It's not robust.
– KIKO Software
Dec 5 at 8:34


















draft saved

draft discarded




















































Thanks for contributing an answer to Code Review Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


Use MathJax to format equations. MathJax reference.


To learn more, see our tips on writing great answers.





Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


Please pay close attention to the following guidance:


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f208803%2fnotification-system-using-phpjqueryajax%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Сан-Квентин

Image
Сан-Квентин Местоположение Сан-Квентин, Калифорния Координаты 37°56′13″ с. ш. 122°29′20″ з. д. H G Я O L Текущий статус Действует Режим безопасности минимальный и максимальный Количество мест 3 302 Открытие Июнь 1852 Находится в ведомстве California Department of Corrections and Rehabilitation Начальник Mike Martel, начальник  Сан-Квентин на Викискладе Сан-Квентин (англ.  San Quentin ) — тюрьма, располагающаяся на 432 акрах (около 1,7 км²), на мысе Сан-Квентин, в округе Марин, штат Калифорния, США. Тюрьма штата Калифорния Сан-Квентин была открыта в июле 1852 года и является старейшей в штате. Она была построена заключёнными, которые проживали в течение строительства на тюремном судне Вабан. В Сан-Квентине отбывали наказание и мужчины, и женщины до 1934 года, когда построили женскую тюрьму в Техачапи и туда перевели всех заключённых женщин. В Сан-Квентине приводятся в исполнение смертные казни, для этого имеется газовая камера, но
Read more

Алькесар

Image
Муниципалитет Алькесар Alquézar Герб 42°10′16″ с. ш. 0°01′27″ в. д. H G Я O L Страна Испания   Испания Автономное сообщество Арагон Провинция Уэска Комарка Сомонтано-де-Барбастро Алькальд Хосе Марияно Альтемир Ласкорс (ИСРП) История и география Площадь 32,36 км² Высота НУМ 660 м Часовой пояс UTC+1, летом UTC+2 Население Население 313 человек ( 2010 ) Плотность 9,92 чел./км² Этнохороним alquezarano/-a Цифровые идентификаторы Телефонный код +34 974 Почтовые индексы 22112 Автомобильный код HU alquezar.org   (исп.) Показать/скрыть карты Алькесар Алькесар Алькесар  Аудио, фото и видео на Викискладе Алькесар (исп.  Alquézar ) — муниципалитет в Испании, входит в провинцию Уэска, в составе автономного сообщества Арагон. Муниципалитет находится в составе района (комарки) Сомонтано-де-Барбастро. Занимает площадь 32,36 км². Население — 321 челове
Read more

Josef Freinademetz

Image
San Ujöp (Giuseppe/Josef) Freinademetz Josef Freinademetz in abiti cinesi   Religioso e missionario   Nascita 15 aprile 1852 Morte 28 gennaio 1908 Venerato da Chiesa cattolica Beatificazione 1975 Canonizzazione 5 ottobre 2003 Ricorrenza 28 gennaio Manuale Ujöp Freinademetz noto anche come Giuseppe o Josef Freinademetz (Oies, 15 aprile 1852 – Taikia, 28 gennaio 1908) è stato un presbitero austriaco, membro della Società del Verbo Divino, fu missionario in Cina; è venerato come santo dalla Chiesa cattolica. .mw-parser-output .citazione-table{margin-bottom:.5em;font-size:95%}.mw-parser-output .citazione-table td{padding:0 1.2em 0 2.4em}.mw-parser-output .citazione-lang{vertical-align:top}.mw-parser-output .citazione-lang td{width:50%}.mw-parser-output .citazione-lang td:first-child{padding:0 0 0 2.4em}.mw-parser-output .citazione-lang td:nth-child(2){padding:0 1.2em} «Io amo la Cina e i cinesi; voglio morire in mezzo a loro, e tra loro
Read more