Is it insecure to embed PHP code in a JavaScript function? My friend told me not to do it.
My script just inserts a number in the database if the message has been clicked (read).
<!--Insert into database when click-->
<script>
function insert()
{
<?php
include 'db_connect.php';
$usermsg = $_SESSION['username'];
$message_id = $_GET['messageid'];
mysql_query("UPDATE messages SET message_read='1' WHERE id='$message_id' AND to_user='$usermsg'");
?>
}
</script>
Should I do this any other way? Or drop including PHP & MySQL in my script and start over?
asked Sep 8, 2011 at 16:24 by Kaizokupuffball
Comments:
- Um ... that won't do anything. – zellio Commented Sep 8, 2011 at 16:27
- Why didn't you try if it worked? As Mimisbunnr said, it won't do anything. – Furicane Commented Sep 8, 2011 at 16:29
- I know the code won't do anything yet, but is it secure to do PHP & MySQL inside a JavaScript function? – Kaizokupuffball Commented Sep 8, 2011 at 16:29
- @Kaizokupuffball: It's completely meaningless. PHP & MySQL can never be "inside" a Javascript function. – Lightness Races in Orbit Commented Sep 8, 2011 at 16:29
- This makes no sense. Javascript runs on the browser. PHP runs on the server. – Ed Heal Commented Sep 8, 2011 at 16:32
4 Answers
Your friend probably told you not to do it because it makes no sense whatsoever.
PHP is a preprocessing language whose parser runs on the webserver. The result of running PHP is the HTML/Javascript that your browser sees. Your PHP does not output anything (merely silently performing the SQL query whilst your HTML/Javascript page is being generated), so the Javascript that your browser sees is:
<script>
function insert()
{
}
</script>
PHP cannot be "inside" a Javascript function at all. There is no such concept.
Instead, consider an HTML form, or read up about "AJAX" when you're slightly more familiar with the web technologies hierarchy.
If you try that code, it won't even work that way. You cannot embed server-side code in a JavaScript function.
What you want is to make a separate request that will handle the request. This method is called AJAX. With the jQuery library you can make an AJAX POST request like this:
<script>
function insert()
{
//Example: Request the test.php page and send some additional data along (while still ignoring the return results).
$.post("test.php", { messageid: "1" } );
}
</script>
In test.php:
<?php
//Get Post Variables. The name is the same as
//what was in the object that was sent in the jQuery
if (isset($_POST['messageid'])) {
include 'db_connect.php';
$usermsg = $_SESSION['username'];
$message_id = $_POST['messageid'];
mysql_query("UPDATE messages SET message_read='1' WHERE id='$message_id' AND to_user='$usermsg'");
}
?>
Read the Beginners Guide to Using AJAX with jQuery
And don't forget to use parameterized SQL to prevent SQL injection attacks, as this code in its current state is vulnerable.
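As an added example (not code from the question or from the answer above), this is what the test.php "mark as read" endpoint looks like once the advice is applied: the message id is validated as an integer and both values are bound as parameters to a prepared statement, so neither can change the shape of the query. It assumes db_connect.php creates a PDO instance named $pdo and that the login step already set $_SESSION['username']; both are assumptions, not something the page states.

```php
<?php
// Added example, not from the original page. Assumes db_connect.php defines
// a PDO connection in $pdo and that login already set $_SESSION['username'].
session_start();
include 'db_connect.php';

// Hardened replacement for the interpolated mysql_query() call: the SQL text
// is fixed at prepare time, the values travel separately as bound parameters,
// and the id is checked to be a positive integer before the database is touched.
function mark_read(PDO $pdo, string $raw_id, string $usermsg): bool
{
    $message_id = filter_var(
        $raw_id,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($message_id === false) {
        return false; // not a valid id: nothing to update, no query sent
    }

    $stmt = $pdo->prepare(
        'UPDATE messages SET message_read = 1 WHERE id = :id AND to_user = :user'
    );
    $stmt->bindValue(':id', $message_id, PDO::PARAM_INT);
    $stmt->bindValue(':user', $usermsg, PDO::PARAM_STR);
    $stmt->execute();

    // The WHERE clause keeps the update scoped to the logged-in user's own
    // message, so rowCount() reports whether a row was actually changed.
    return $stmt->rowCount() === 1;
}

// Only accept the POST the jQuery call makes, and only for a logged-in user.
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !isset($_SESSION['username'], $_POST['messageid'])) {
    http_response_code(400);
    exit;
}

$ok = mark_read($pdo, $_POST['messageid'], $_SESSION['username']);

// Reply with JSON so the caller can tell whether the update happened.
header('Content-Type: application/json');
echo json_encode(['updated' => $ok]);
```

The $_GET id from the question becomes $_POST here because the jQuery snippet above sends it with $.post; keeping the to_user condition is what stops one user from marking another user's messages as read.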
It's insecure in that it's entirely possible for PHP to insert some text into the page that breaks the javascript. e.g.
<?php
$name = "O'Brien";
?>
<script type="text/javascript">
var name = <?php echo $name ?>;
</script>
This would produce:
var name = O'Brien;
which is illegal JS syntax. You're assigning an undefined variable O, which is immediately followed by an unterminated string literal 'Brien. Surrounding this with quotes in the PHP page accomplishes nothing either:
var name = '<?php echo $name ?>';
           ^                   ^-- added quotes
which now gives
var name = 'O'Brien';
Now you've got a slightly different problem: assigning a perfectly valid string literal 'O', followed immediately by an undefined variable Brien, followed by an unterminated string literal ';.
The proper way to have PHP output text into a JS code block safely is to use json_encode:
var name = <?php echo json_encode($name) ?>;
which produces:
var name = "O'Brien";
and off you go.
PHP/MySQL runs on the web server. JavaScript runs on the browser.
You should also think that anything that comes from the browser may be faked - therefore you should validate/verify it. JavaScript just makes the user's experience more interactive, as it does not require communication across the network. Use AJAX or forms to do the comms.