1

I am selecting some data from my database and I can echo it with PHP in my document. How can I straight pass it to JavaScript, or it its not duable, how do people deal with these things?

Here is how I get and echo:

$q=mysql_real_escape_string($_GET['q']);
$query="SELECT * FROM contacts WHERE id = '".$q."'";
$result = mysql_query($query);
while($row = mysql_fetch_array($result)) {
    echo "Name: " . $row['first'] . " <br />";
    echo "Surname: " . $row['last'] . " <br />";
}
mysql_close();
4
  • What do you mean "it its not duable"? Commented Mar 13, 2012 at 17:22
  • Just use JSON to encode the data into a script element. It will also not allow the various injection attacks allowed by the above (and some of the answers). Commented Mar 13, 2012 at 17:28
  • @pst json_encode() turns this [{"id":"item-1", into [{\"id\":\"item-1\", . Can you please check this question stackoverflow.com/questions/9674305/… Commented Mar 13, 2012 at 18:05
  • @user1090545 That looks like an "addslashes" issue. Alternatively, it can be caused by passing a string-representation (e.g. already-JSONized) value to json_encode which then tries to encode the already encoded data ;-) Commented Mar 13, 2012 at 18:36

3 Answers

2

This is a quick and simple way to get this set up.

echo("<script>");
echo("var myJSvar = " . json_encode($row) . ";");
echo("</script>");

Then in any JS from there you can use myJSvar;

alert(myJSvar['first'] + " " + myJSvar['last']);

5 Comments

+1 for the use of json_encode (which also magically prevents against early script element closing and [other] injection vectors). However, I would be tempted to massage the data first (even if a 1-1 mapping) to create a fixed API between the PHP and JS.
Also, make sure $row is initialized as an empty array, so you would get an empty object (so you won't be throwing javascript errors). Note that you can also use myJSvar.first to access the same parameter.
@Chris json_encode() turns this [{"id":"item-1", into [{\"id\":\"item-1\", . Can you please check this question stackoverflow.com/questions/9674305/…
@pst If I just use row() I retrieve it properly, because when I pass it I use the stripslashes(). But if I retrieve it with json_encode, it's where the addslashes issue happens
@user1090545 Don't use add/strip slashes, unless fixing "magic quotes". It was a failure approach from the start. If the problem still persists when using json_encode, open up a new question (after searching/research!) focusing on just that issue.
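As an added example (not code from any poster in this thread), here is one way to write the `json_encode` approach so that the same value is escaped correctly for each place it is printed. `script_json()` is a hypothetical helper name, and `$row` is constructed sample data standing in for a `mysql_fetch_array()` result.

```php
<?php
// Added example, not from the thread. $row is constructed sample data and
// script_json() is a hypothetical helper name.

/** Encode a PHP value as JSON that is safe to print inside a <script> element. */
function script_json($value): string
{
    // The JSON_HEX_* flags emit <, >, &, ' and " as \u00XX escapes, so the HTML
    // parser sees no tag, comment opener or entity inside the script block.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $json = json_encode($value, $flags);
    if ($json === false) {
        // e.g. invalid UTF-8 from the database: fail closed rather than
        // emitting "var myJSvar = ;" into the page.
        throw new RuntimeException('json_encode failed: ' . json_last_error_msg());
    }
    return $json;
}

// Constructed row: values containing HTML-significant characters.
$row = [
    'first' => "Anne <!-- & </script>",
    'last'  => "O'Brien",
];

// Fixed, minimal shape for the page instead of the whole SELECT * row
// (mysql_fetch_array() returns numeric and associative keys by default).
$contact = ['first' => $row['first'], 'last' => $row['last']];
?>
<script>
var myJSvar = <?php echo script_json($contact); ?>;
</script>

<!-- HTML text context needs HTML escaping, not JSON: -->
<div id="name"><?php echo htmlspecialchars($row['first'], ENT_QUOTES, 'UTF-8'); ?></div>
```

Plain `json_encode($row)` already escapes `/`, which is what stops `</script>` from closing the element early, but it leaves `<`, `>` and `&` as they are; the flags cover those as well.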
0
<div id="name">
<?php echo $name; ?>
</div>

<script type="text/javascript">
//jquery example
$(document).ready(function(){
    alert($('#name').text());
});
</script>

6 Comments

You could also just echo the variable directly into the middle of some javascript code. I assume you're doing it this way to protect against js code injection, which seems like a good idea.
@octern Except ... it doesn't protect against anything.
@octern XSS protection: echo htmlspecialchars($name); I do not like inline-script on page. By this method you can handle name by method in included js-file. Example /*external.js*/var nameBehavior = function() { alert($('#name').text()); }
@cetvar Except it isn't XSS protection... there are values of $name which will happily wreak havoc.
@pst Can you provide any example which bypasses htmlspecialchars?
0

$x is a string (or anything else really, just make sure the types are compatible before passing them)

$x = $phpvar; // $phpvar is a placeholder for the PHP value to pass

echo "<script type='text/javascript'>
function Javascript_function(){
var passed = ".$x.";}</script>";

That should do it. Don't forget the script <> tags, SO wouldn't let me insert them probably to prevent me just throwing javascript on every page.
