Server throws exception, client misinterprets as success

Question

I am coding a simple login/register functionality using JQuery, PHP and PostgreSQL. The following code is from a PHP file which deals with logins. It throws an exception when the login/password combination is wrong.

$username = $_POST['username'];
$password = $_POST['password'];

$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result = pg_query($query) or die('Query failed: ' . pg_last_error());
$numResults = pg_num_rows($result);

if ($numResults == 0) {
  throw new Exception("Incorrect combination of username and password.");
  //die('Incorrect combination of username and password.');
}

However, on the client-side in Jquery file the success function is executed even though the server throws an exception.

      $.ajax({
        type: "POST",
        url:"login.php",
        data: dataString,
        success: function() {
//THIS FUNCTION IS EXECUTED....
          $('#errorMsg').html('Login is successful!');
          $('#errorMsg').show();
          $('#usernameTxtBx').val("");
          $('#passwordTxtBx').val("");
        },
        error:function (xhr, ajaxOptions, thrownError){
          window.alert(xhr.status);
          window.alert(thrownError);
        }
      });

Answer 1

First of all: Please look into SQL Injections, because you are pretty vulnerable... ;)

The problem is, that the HTTP response code is not set to something that is interpreted as an error when you throw a PHP Exception. You could do something like this to workaround this:

function exception_handler($exception) {
    header("HTTP/1.1 400 Bad Request");
    echo "Uncaught exception: " , $exception->getMessage(), "\n";
}

set_exception_handler('exception_handler');

This will set the exception handler to a function of your own, which sets the correct HTTP header before exiting. This way, jQuery will now that an error occurred and call the error handler instead of success.

I chose 400 Bad Request as the status code, because the error in this case seems to be caused by wrong input. I'd suggest to subclass your own exception in order to check if it is actually a client-related exception and if it is not, send a generic 500 Internal Server Error instead.

The error handler would look something like this (if you named your subclass UserErrorException):

function exception_handler($exception) {
    if($exception instanceof UserErrorException) {
        header("HTTP/1.1 400 Bad Request");
    } else {
        header("HTTP/1.1 500 Internal Server Error");
    }
    echo "Uncaught exception: " , $exception->getMessage(), "\n";
}

set_exception_handler('exception_handler');

Answer 2

PHP exceptions are NOT trappable by Javascript catches. The languages are executing at completely different times. JS will only see your exception MESSAGE come across the wire. Unless your PHP-side exception takes measures to send an HTTP status code of something other than '200 OK', JS will interpret the incoming text and 200 ok code as meaning the AJAX request successfully completed.

Answer 3

if you want JQuery to know there was an error, you will have to set the correct header in your PHP script's response.

a list of header error codes can be found here: http://www.jqueryphp.com/http-header-codes/2011/01/