Ajax XMLHttp Asynchronous calls and CURLOPT_RETURNTRANSFER
When a page makes an Ajax (Asynchronous JavaScript and XML) request to your PHP or ASP script, and that script makes a cURL call to an external data source, anything the cURL call returns is simply echoed out over the open Ajax connection to the interface. The return code therefore cannot be used in any later validation routines.
To stop the return code being echoed to the JavaScript xmlhttp object's response, and to make it available to your ASP or PHP code, set the CURLOPT_RETURNTRANSFER option of the cURL handle to TRUE, as shown in the following example.
```php
// FILE: "file_extract1.php"
$url = "http://www.somewebsite.com/webservice.asp";
$ch = curl_init();
if (!$ch) {
    die("Couldn't initialize a cURL handle");
}
$ret = curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, 1);
// Return the response from curl_exec() as a string instead of echoing it
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// http_build_query() URL-encodes each value, so characters such as "&" in
// $mobile or $message cannot add or alter POST fields
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
    "User"         => "username",
    "passwd"       => "password",
    "mobilenumber" => $mobile,
    "message"      => $message,
    "sid"          => "xxx.xxx.x.x",
)));
$ret = curl_setopt($ch, CURLOPT_TIMEOUT, 30);
$curlResponse = curl_exec($ch);
```
When CURLOPT_RETURNTRANSFER is set to TRUE (or 1), the return, or response, will be one of two values: a boolean value of false in the event that the call was unsuccessful, or an expected response code, in a string format, from the service you are calling. In an SMS application we could assume that the response code is an SMS job number, in other words, a number expressed as a character array to indicate a successful SMS transaction.
With these return values in mind, we may wish to report on the SMS transactions, which requires us to store the response code in a database table. To do so, we must test for both the false value (SMS transaction failure) and the success value. We can do so in the following way.
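```php
// FILE: "file_extract2.php"
// curl_exec() returns boolean false on failure, so test it with ===
if ($curlResponse === false) {
    // some kind of an error occurred: read the error before closing the handle
    $error = curl_error($ch);
    curl_close($ch);
    die($error);
} else {
    $info = curl_getinfo($ch);
    curl_close($ch);
    // there is a response in $curlResponse (i.e. success)
    // get a database connection object
    // (getDBCon() is assumed here to return a mysqli connection)
    $con = getDBCon();
    // bound parameters keep the service's response and $mobile out of the SQL text
    $stmt = mysqli_prepare($con, "update TABLE set JOB_NO = ? where MOBILE = ?");
    mysqli_stmt_bind_param($stmt, "ss", $curlResponse, $mobile);
    $result = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    mysqli_close($con);
}
```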
In this example we prevent the default echoing of the cURL response to the Ajax connection and we are able to then work with our response in our code as it is returned as a string.
There are two additional points to be made on the use of Ajax. (i) We should validate data at the JavaScript level to minimize server traffic, and we MUST do thorough validation at the ASP or PHP end. Ajax essentially leaves the back door to your corporate data open, such that malicious coders may be able to access your system or deface websites by exploiting bad JavaScript code. (ii) Whenever you are using Ajax, you should use code minification and obfuscation where possible to deter the fly-by-night hacker, and consider implementing a tokenized validation system to check for valid requests.
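The server-side validation from point (i) and the tokenized request check from point (ii), as an added example that is not code from the original page. The function names, the `token` field, the `ajax_token` session key and the format and length limits are assumptions, and plain arrays stand in for `$_SESSION` and `$_POST` so the script runs from the command line.

```php
<?php
// Added example; all names and limits below are assumptions, not the page's code.

// Issue a per-session token; embed it in the page that makes the Ajax call.
function issueToken(array &$session): string
{
    $session['ajax_token'] = bin2hex(random_bytes(32));
    return $session['ajax_token'];
}

// Compare the submitted token with the session's copy in constant time.
function tokenIsValid(array $session, array $post): bool
{
    return isset($session['ajax_token'], $post['token'])
        && is_string($post['token'])
        && hash_equals($session['ajax_token'], $post['token']);
}

// Server-side validation of the two fields forwarded to the SMS service.
// Returns [mobile, message], or null if either field is unacceptable.
function validateSmsInput(array $post): ?array
{
    $mobile  = $post['mobile']  ?? '';
    $message = $post['message'] ?? '';
    // Assumed format: optional "+" followed by 8 to 15 digits, nothing else.
    if (!is_string($mobile) || !preg_match('/^\+?[0-9]{8,15}$/D', $mobile)) {
        return null;
    }
    // Assumed limit: non-empty and at most 160 bytes.
    if (!is_string($message) || $message === '' || strlen($message) > 160) {
        return null;
    }
    return [$mobile, $message];
}

// Constructed sample requests standing in for $_SESSION and $_POST.
$session = [];
$token   = issueToken($session);
$good    = ['token' => $token,  'mobile' => '+441234567890', 'message' => 'Hello'];
$forged  = ['token' => 'guess', 'mobile' => '+441234567890', 'message' => 'Hello'];
$badNum  = ['token' => $token,  'mobile' => "123'; --",      'message' => 'Hello'];

foreach (['good' => $good, 'forged' => $forged, 'badNum' => $badNum] as $name => $post) {
    $ok = tokenIsValid($session, $post) && validateSmsInput($post) !== null;
    echo $name, ': ', $ok ? "accepted\n" : "rejected\n";
}
```

Run both checks at the top of the PHP script that receives the Ajax request, before the cURL call is made, so a request without a valid token or with malformed fields never reaches the SMS service or the database.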

