I'm working on a pretty simple application.
Here's the overview:
I've got a web form where the URL contains a variable. I'm grabbing the value of that variable and sending it to my web server (it's hosted on another domain) through an AJAX call. Once retrieved, the variable is run against a SQL DB; if a match is found, I send that data back to my web form to do something with.
I've got the CORS headers defined and set to only accept data from the origin source where my form resides. Thus far it's all worked fine.
Here's the PHP code that is working:
<?php
// CORS headers to allow traffic from the form to run here
header('Access-Control-Allow-Origin: https://mydomain.com');
header('Content-Type: application/json');
//Retrieve the value passed from the Ajax script
$finderID = $_REQUEST['Finder'];
//SQL Statement to connect, retrieve and parse out the data as JSON
$conn = new mysqli("localhost", "db_uname", "db_pswd", "db_table");
$result = $conn->query("SELECT * FROM onlineFinderLookup WHERE printID = $finderID");
$outp = array();
$outp = $result->fetch_all(MYSQLI_ASSOC);
echo json_encode($outp);
?>
Now, I'd like to be able to enforce some validation around the value of that variable. I want to know if it's numeric and greater than 0. If so, then connect to the DB and get my data.
I've attempted to do that this way:
<?php
// CORS headers to allow traffic from the form to run here
header('Access-Control-Allow-Origin: https://mydomain.com');
header('Content-Type: application/json');
//Retrieve the value passed from the Ajax script
$finderID = $_REQUEST['Finder'];
if ($finderID >= 0 && is_numeric($finderID) {
    //SQL Statement to connect, retrieve and parse out the data as JSON
    $conn = new mysqli("localhost", "db_uname", "db_pswd", "db_table");
    $result = $conn->query("SELECT * FROM onlineFinderLookup WHERE printID = $finderID");
    $outp = array();
    $outp = $result->fetch_all(MYSQLI_ASSOC);
    echo json_encode($outp);
}
else {
}
?>
When I run the code with an IF statement in it, my console throws me a CORS error and says the header isn't defined. Any idea why?
Also, would be curious if this seems like a secure way to be gathering data from my DB or if I'm way out in left field with this.
Thanks!
UPDATE:
Including console error
Access to XMLHttpRequest at 'webserver' from origin 'webform' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
question from:
https://stackoverflow.com/questions/65834286/cors-header-is-present-but-if-statement-negates-the-header
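
An added example, not part of the original question: the `if` line in the second script is missing a closing parenthesis, so PHP stops with a parse error before any `header()` call runs and the error response carries no CORS header. The sketch below sends the headers first, accepts only an integer greater than 0, and binds it in a prepared statement instead of interpolating it into the SQL. The function names `parseFinderId` and `lookupFinder`, the 400/500 responses and the `https://mydomain.com` origin are assumptions, and `get_result()` requires the mysqlnd driver.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: returns the ID as an int when it is a whole number > 0, else null.
function parseFinderId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hypothetical helper: looks the ID up with a bound parameter, so the value
// is sent as data and never becomes part of the SQL text.
function lookupFinder(mysqli $conn, int $id): array
{
    $stmt = $conn->prepare('SELECT * FROM onlineFinderLookup WHERE printID = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Headers go out before any branch, so the 400 and 500 responses below carry them too.
header('Access-Control-Allow-Origin: https://mydomain.com'); // assumed form origin
header('Content-Type: application/json');

$finderID = parseFinderId($_REQUEST['Finder'] ?? null);
if ($finderID === null) {
    http_response_code(400);
    echo json_encode(['error' => 'Finder must be an integer greater than 0']);
    exit;
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors
try {
    // Connection arguments are the placeholders used in the question.
    $conn = new mysqli('localhost', 'db_uname', 'db_pswd', 'db_table');
    echo json_encode(lookupFinder($conn, $finderID));
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage()); // keep details in the server log only
    http_response_code(500);
    echo json_encode(['error' => 'lookup failed']);
}
```

The CORS header only controls which origins a browser lets read the response; it does not stop other clients from calling the endpoint, which is why the input check and the bound parameter do the actual protecting here.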