XCeptable

Reputation: 1267

what is safe way to send php data to js?

I want to know what the safe method is to send PHP data to JS. I found by searching that you can start PHP tags in JS and pass data this way.

  var jsVar = "<"+"?php echo $phpVar;"+"?"+">";

But it seems a dangerous way to pass data, exposing threats. I want to know what the alternative way is to do the same that is safe.

Upvotes: 0

Views: 1240

Answers (4)

Will Vousden

Reputation: 33358

I'm not entirely sure what you mean by "safe", but if I understand your question correctly, you can inject data from PHP directly into your JavaScript using json_encode:

var jsVar = <?php echo json_encode($phpVar) ?>;

If all you want to do is to inject actual PHP source code into your script, then just print it as a string:

var jsVar = "<?php echo '<?php echo $phpVar ?>' ?>";

I can't imagine this is what you mean though, as I can't think of a reason for wanting to do this :)

Upvotes: 3

James Anderson

Reputation: 27478

If it's your data coming from your database this is pretty safe. The problem occurs when you are storing and re-displaying data entered by the user. In which case you need to ensure that there is no possibility of executable JavaScript being embedded in the data. Removing or escaping '"{}();+-/* and their hex equivalents should do it.

You could use json_encode as suggested in this answer.

Upvotes: 1
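The two answers above (json_encode, and escaping user-entered data) are illustrated by the following added example; it is not code from the question or from any of the answers. It constructs an attacker-controlled sample value and shows why echoing it raw into a `<script>` block is exploitable, then embeds the same value with `json_encode` plus the `JSON_HEX_*` flags so that the character sequence `</script>` (which ends a script element regardless of JavaScript string quoting) cannot appear in the output. The function names `renderUnsafe`, `jsLiteral` and `renderSafe` are hypothetical; `JSON_THROW_ON_ERROR` assumes PHP 7.3 or later.

```php
<?php
// Added example, not from the original question or answers.
// Demonstrates the unsafe pattern (raw PHP value inside JavaScript
// source) next to the hardened one (json_encode with HEX flags).
declare(strict_types=1);

// Constructed attacker-controlled value, e.g. a display name from a form.
$untrusted = '</script><script>alert(document.cookie)</script>';

// Unsafe: interpolating raw PHP data into JavaScript source. The HTML
// parser sees the embedded "</script>" and closes the script element
// early; the attacker's own <script> then runs.
function renderUnsafe(string $value): string
{
    return '<script>var name = "' . $value . '";</script>';
}

// Safe: let json_encode produce a valid JavaScript literal (strings,
// numbers, arrays and objects all work), and hex-escape the characters
// that matter in an HTML <script> context. Note that json_encode also
// escapes "/" as "\/" by default, so "</script>" can never survive.
function jsLiteral($value): string
{
    $flags = JSON_HEX_TAG          // < and > become \u003C and \u003E
           | JSON_HEX_AMP          // & becomes \u0026
           | JSON_HEX_APOS         // ' becomes \u0027
           | JSON_HEX_QUOT         // " becomes \u0022
           | JSON_THROW_ON_ERROR;  // fail loudly on invalid UTF-8 (PHP 7.3+)
    return json_encode($value, $flags);
}

function renderSafe($value): string
{
    return '<script>var name = ' . jsLiteral($value) . ';</script>';
}

$unsafe = renderUnsafe($untrusted);
$safe   = renderSafe($untrusted);

// The unsafe output contains a second closing tag: the injected script
// becomes a separate element and executes.
assert(substr_count($unsafe, '</script>') === 2);

// The safe output contains exactly one "</script>", the one we wrote;
// the attacker's tags are now inert \u003C...\u003E escapes.
assert(substr_count($safe, '</script>') === 1);

// Structured data works the same way: the whole array becomes one literal.
$config = ['user' => $untrusted, 'roles' => ['viewer'], 'limit' => 10];
assert(substr_count(renderSafe($config), '</script>') === 1);

echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;
echo renderSafe($config), PHP_EOL;
```

The value that reaches JavaScript is the original string, byte for byte; only its representation in the page source is escaped. That is the difference from the character-stripping approach: nothing is lost from the data, and it works for any type json_encode accepts. The one remaining rule is on the JavaScript side: treat `name` as data (assign it to `textContent`, compare it, send it back), not as HTML or code, or the injection simply moves to `innerHTML` or `eval`.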

T.J. Crowder

Reputation: 1074355

I want to know what the alternative way is to do the same that is safe.

I'm not sure what you mean by "safe", but you have to assume that any data you send to the client's browser can and will be viewed by a sufficiently-motivated user. You can secure the data from prying eyes in transit (by using SSL, e.g., https), but the client user's browser needs to be able to read the data, which means the client user can too.

You can raise the bar slightly (for instance, by obfuscating the data you embed in the page, by supplying it only in response to an Ajax call, etc.), but with today's 'net and web tools (which are increasingly just embedded in browsers) a sufficiently-motivated user will get around the precautions you take (by stepping through your code and looking at the variable you store the de-obfuscated data or the data from the Ajax response in, for instance).

If you want to raise the bar further, you can require a plug-in like Flash or Java and send obfuscated (or even encrypted) data to your flash app / Java applet and de-obfuscate / decrypt it within the app / applet. But that just raises the bar to the level of someone with debugging tools for Flash or Java.

Probably not worth the bother, I bet you have better things to do. :-)

If you don't want the user to see the data in question, don't send it to them, keep it on your server where it's safe and have the browser ask for only the information it's actually allowed to show the user.

Upvotes: 3

ArK

Reputation: 21068

json_encode is the best way to send it back.

echo json_encode($phpVar)

Upvotes: 1
