I create my HTML this way
$('<form>')
.attr('method',"POST")
.attr('action',"postMetier.php?metier="+"<?php echo $GET['metier'] ?>")
How can I make the echo work?
The $GET variable doesn't exist; the correct name is $_GET.
.attr('action',"postMetier.php?metier="+"<?php echo $_GET['metier'] ?>")
^
Of course, your JS code has to be in a PHP file (or another file that is parsed by the server).
It is not $GET['metier'] but $_GET['metier']; if a value is received on your page by the GET method, then echo $GET['metier'] will give you some value.
Note: if $GET['metier'] is your defined variable, then it should have some value in it so that it can be echoed.
I've been searching around for security concerns about using PHP json_encode inside a JavaScript context, but I'm not exactly satisfied with the results.
I got a lot of warnings about doing this, but they always assume that I was going to inject data from the json_encode object directly into HTML without any type of sanitizing at all.
So, I want to know if this and only this little snippet presents any security issues (like XSS attacks etc.):
<?php
$obj = isset($_POST['js']) ? json_encode($_POST['js']) : false;
if ($obj === false) $obj = '{}';
?>
<script>var x = <?php echo $obj ?>;</script>
EDIT:
Changed the snippet to handle json_encode returning false
With that line of code
var x = <?php echo $obj ?>;
...the server application echoes back the data that was submitted to it via the "js" key. It will be the client that sent it that will receive it, so if in some way it is malicious, it will be that same client dealing with the consequences.
The actual sending to the server is in fact the irrelevant part of the chain: if one has the data to submit, one can also assign it to the variable x directly without the server's interference (e.g. through browser's dev tools).
It would be a different story if in PHP you would use the data to manipulate a server database, call a service, or otherwise change the application's state, and you would not first validate that data.
As to the use of json_encode: if indeed you verify that the argument is valid JSON (by checking that the return value is not false), it will produce a valid JavaScript object literal. The known cases of incompatibility (characters U+2028 and U+2029) will not occur, as by default json_encode escapes these characters.
It is correct as per coding. However, you have to validate that the variable x should not be empty or the posted value.
<script>var x = <?php
if (isset($_POST['js'])) {
    echo json_encode($_POST['js']);
} else {
    echo '{}'; // nothing posted: keep the assignment valid JavaScript
}
?>;
</script>
Sometimes json_encode returns false; if it returns that, the JS expression will break. This works more safely:
<script>var x = <?php $json = json_encode($_POST["js"] ?? null); echo ($json !== false ? $json : '{}'); ?>;</script>
If json_encode returns false, var x will just get an empty object.
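An added example, not taken from any of the posts above: one way to echo request data into a <script> block, encoding with json_encode's JSON_HEX_* flags and falling back to {} when encoding fails. The helper name js_literal and the sample inputs are constructed for illustration; it assumes PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: encode a PHP value as a JavaScript literal that can
 * be echoed inside a <script> element.
 */
function js_literal(mixed $value, string $fallback = '{}'): string
{
    // Default json_encode already writes "/" as "\/", but it leaves < and >
    // intact, so "<!--" and "<script" still reach the HTML parser, which
    // reads the block before the JavaScript engine does. JSON_HEX_TAG
    // writes them as \u003C and \u003E; the other flags do the same for
    // the ampersand and both quote characters.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $json  = json_encode($value, $flags);

    // json_encode returns false on failure, e.g. for invalid UTF-8 input.
    return $json === false ? $fallback : $json;
}

// Constructed sample inputs standing in for $_POST['js'].
$samples = [
    'plain'        => 'hello',
    'close-script' => '</script><p>injected</p>',
    'html-comment' => '<!--<script>',
    'bad-utf8'     => "\xB1\x31",
    'array'        => ['a' => "O'Reilly", 'b' => '<b>&</b>'],
];

// Print the default encoding next to the hex-escaped one for comparison.
foreach ($samples as $name => $input) {
    $default = json_encode($input);
    printf("%-12s default: %s\n", $name, $default === false ? '(false)' : $default);
    printf("%-12s hex:     %s\n\n", '', js_literal($input));
}
```

In a template the helper would be used as: var x = <?= js_literal($_POST['js'] ?? null) ?>;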
I googled about it and didn't find a solution; can you help me with this issue?
I have a javascript variable that is the name of a php session address, and I want to use this session value in my javascript code, but I don't know how to pass this name to the php and return the session value to my js code.
I'm using the session to set values of my dynamic form fields. So I use
var field_name = "field";
document.getElementById(field_name).value = "<?php if(isset($_SESSION['field_name'])) echo $_SESSION['field_name'];?>";
The field ID has the same name as the session address. I can't simply use the word "field" because it's dynamic.
I thank you in advance.
Just use:
var info= <?php echo json_encode("some_php_variable_here", JSON_HEX_TAG); ?>;
This is probably only possible with a data attribute in the HTML. In the JS code one should definitely not (actually never) run PHP code.
The data attributes can then be filled with PHP and read out in the JS.
When I create a PHP variable in JavaScript, I use this method:
var jArray = <?php echo json_encode($myArray); ?>;
It's very good, but if I view the source code, there is my full array in the script area.
My problem is that my PHP array contains secret data, and I want to use this data in JavaScript.
How can I hide it from my source code, or what can I do?
I tried JavaScript obfuscation but it can't work with the <?php ?> tag.
Thanks!
I'm not sure why this isn't working, as a lot of the examples on the internet suggest doing it this way. Anyway, I have a SQL result that I've converted to JSON and now I'm trying to use that with Javascript.
<?php json_encode($test, true); ?>
<script type="text/javascript">
var obj = (<?php echo $test; ?>);
alert(obj.toSource());
</script>
This does not work and Chrome gives me an error of "illegal character" and the Javascript variable somehow displays some x-debug HTML from the PHP server:
If I simply echo the JSON out to display on the webpage, that works fine without any errors. What am I doing wrong?
Do it like this:
$test = json_encode($test, true);
json_encode doesn't change the variable in place.
You're doing a couple of things wrong here..
json_encode($test, true);
I think you're probably thinking of json_decode, but the second parameter to json_encode is supposed to be a bitmask of options. Passing true here is probably wrong.
#ElmoVanKielmo is also correct, the variable doesn't change because you call a function, you must reassign the variable to the return value.
You got HTML that looks like an xdebug error/notice message. Fix that before you proceed! (You cut out the part where the message is put).
Additionally you do not encode $test correctly. json_encode returns the changed value and does not modify it by reference.
I have a javascript function which I am calling from php code. The function is not working if the argument passed is text; it works fine for integer argument. There is probably some very basic issue I am missing. Please point that out.
function make_entry(game)
{
window.location.href="generate.php?game="+game;
}
<? echo "<div style='text-align:center'>Click <a onclick='make_entry(".$game.")' style='cursor:pointer'><b>Here</b></a> to download your Certificate.</div>"; ?>
php code is fine in my humble opinion
You have to place the content of $game between quotes in order to work with a string:
onclick='make_entry(\"".$game."\")'
Keep in mind, of course, that this way you'll always be passing a string to the function.
And $game must not contain double quotes or again the JavaScript code will fail.
Just consider your JavaScript code when the content of the variable is actually put in place.
You need to escape the double quotes around your $game variable if the argument is to be passed as text.
<?php echo "<div style='text-align:center'>Click <a onclick=\"make_entry('$game')\" style='cursor:pointer'><b>Here</b></a> to download your Certificate.</div>"; ?>
See fiddle: http://phpfiddle.org/lite/code/rq9-x8e
<? echo should be <?php echo
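An added example, not part of the answers above: one way to put $game into the onclick attribute so that quotes in the value cannot break either the JavaScript or the HTML, next to a plain href that needs no JavaScript. The helper names h, onclick_make_entry and download_href and the sample values are constructed for illustration.

```php
<?php
declare(strict_types=1);

/** Hypothetical helper: HTML-escape text for element content or a quoted attribute. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Build the onclick value for make_entry(). Two encodings, innermost first:
 * 1. json_encode makes $game a valid JavaScript string literal;
 * 2. h() makes that JavaScript text a valid HTML attribute value.
 */
function onclick_make_entry(string $game): string
{
    $arg = json_encode($game, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    if ($arg === false) {
        $arg = '""'; // invalid UTF-8: pass an empty string instead of breaking the page
    }
    return h("make_entry($arg)");
}

/** The same link without any JavaScript: a plain, URL-encoded href. */
function download_href(string $game): string
{
    return h('generate.php?' . http_build_query(['game' => $game]));
}

// Constructed sample values for $game, including quotes and an ampersand.
foreach (['42', 'chess', "tic'tac\"toe", 'a&b c'] as $game) {
    printf(
        "<a onclick=\"%s\" style=\"cursor:pointer\"><b>Here</b></a>\n<a href=\"%s\"><b>Here</b></a>\n\n",
        onclick_make_entry($game),
        download_href($game)
    );
}
```

On the JavaScript side, make_entry should build the URL with encodeURIComponent(game) so that characters such as & and # stay inside the game parameter.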