user164863

Reputation: 641

Showing PHP variable in Javascript - Security point

Originally I had the following structure:

index.html file:

...
<script src="myfunctions.js"></script>
...

myfunctions.js file:

...
function one() {
....
}
function two() {
....
}
function three() {
....
}

That way I got over 2 500 lines of JavaScript written, but then I had to add a PHP variable to a function, so I had to rename index.html to index.php, rename myfunctions.js to myfunctions.js.php and make the following changes:

index.php file:

...
<?php
    include("myfunctions.js.php");
?>
...

myfunctions.js.php file:

<script>
...
function one() {
....
}
function two() {
....
}
function three() {
....
}
function four() {
    var x = <?php echo $_conf['user_id'];?>
    console.log(x);
}
</script>

I have achieved my purpose of using a PHP variable in JavaScript, but I have noticed that the web page in the browser started to show all the included functions, i.e. in the first case, when I looked at the page with a debug tool or by saving that page to disk, I saw just the little JavaScript code contained in index.html, but now, looking at or saving the index.php file, I see all the functions from myfunctions.js.php. Of course the visible content didn't change, but the actual output got 2 500 lines longer. Would that be a security problem? Should I avoid this way of showing a PHP variable in JavaScript, or shouldn't I be concerned about it and leave it how it is?

My concern is that in the second case all my functions get opened up, so a malicious user can see all the server-side PHP script names and required parameters, which gives more ways to attack.

Upvotes: 0

Views: 160

Answers (3)

SilverlightFox

Reputation: 33538

Careful you aren't introducing an XSS vulnerability. If $_conf['user_id'] is an integer then you should be fine, but be careful of mixing client-side and server-side script like this. @Paul S's comment is the way to go.

See here for more tips https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Upvotes: 0

Asta

Reputation: 1579

Using index.php is fine but you don't really want to do a PHP include of a JS file like that.

The simplest way to go about it is to include the JS file like you were doing

<script src="myfunctions.js"></script>

and then add a small amount of JavaScript to the PHP file which outputs the user_id.

function userId() {
    return <?php echo $_conf['user_id'];?>
}

Then function four can access it like

function four() {
    console.log(userId());
}

Ideally you will want your functions as part of an Object or module.

Another approach would be for function four to query the server for the user_id and then cache it in some way.

Upvotes: 0
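The two answers above both point at the same thing: keep the bulk of the JavaScript in a static file and emit only the configuration value from PHP, and encode that value so it can never break out of the script block. The following is an added example, not code from the question or either answer; $_conf['user_id'] is the OP's variable, while jsonLiteral, AppConfig and display_name are assumed names introduced here.

```php
<?php
// Raw splicing, as in the OP's function four(), is only safe while the value
// is guaranteed to be an integer. If user_id were ever a string under attacker
// control, a value like "</script><script>..." would close the <script>
// element and run in the page. Encoding the value as a JSON literal with the
// HEX flags turns < > & ' " into \u00XX escapes, so the literal stays a literal
// whatever it contains.
function jsonLiteral($value)
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample configuration standing in for the OP's $_conf array.
// display_name is deliberately hostile to show the encoding doing its job.
$_conf = [
    'user_id'      => 42,
    'display_name' => '</script><script>alert(1)</script>',
];
?>
<!-- Static functions stay in a plain .js file, as Asta suggests. -->
<script src="myfunctions.js"></script>
<script>
// One assumed config object instead of a bare global; the (int) cast keeps
// user_id numeric even if the array ever holds a string.
var AppConfig = <?php echo jsonLiteral([
    'userId'      => (int) $_conf['user_id'],
    'displayName' => $_conf['display_name'],
]); ?>;

function four() {
    console.log(AppConfig.userId);       // 42
    console.log(AppConfig.displayName);  // the string, shown but never executed
}
</script>
```

In the rendered page the displayName value appears as `\u003C\u002Fscript\u003E...`, which the JavaScript engine decodes to the original string only after the script has been parsed, so it cannot terminate the block.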

John Conde

Reputation: 219834

The PHP code is processed on the server, so all anyone will see is the output of that PHP. So your PHP code is still hidden.

If you're seeing PHP code in your HTML output then either your server is configured incorrectly or you have a syntax error which echoes out what you intend for the parser to process.

Upvotes: 2
