|
PHP - Pass Variables Javascript To/from Php
Similar TutorialsI am trying to build a website, whe
1) User logs in (UserA)
2) Inserting a name in the search box and pressing "Search", a list of all users matching that name is shown
3) The user selects a user (UserB) from that list (among several results)
4) By selecting the user (UserB) , a message box appears to insert text
5) The user(UserA) types the message
6) The user(UserA) presses the SUBMIT button and sends the message to the other user(UserB)
The problem i face is how to pass the variables from my PHP script to the JavaScript script. Its easy for me to get the values of input fiedls, select fields or any other DOM element value. But if the value i need to pass to Javascript file to perform an AJAX call isnt inside a DOM element, how do i do it?
For example, for me to determine the user that will send the message (userA), i will need several data. This data, i have them inside the PHP script as variables, but dont know how to pass them to Javascript file.
Getting the data from the URL, or from a hidden input field or any other DOM element, is a solution, but i want to know the way that is safer and better.
To summarize:
[PHP Script with necessary data]-->[pass necessary data from PHP to JavaScript file]-->[perform an AJAX call] --> [return data to PHP Script]
How do i do it?
Thanks in advance.
i hav this url n whenever i click on this url i get som mssg send on my mobile i hav a form whose code is Code: [Select] <form action="formprocess.php method="post"> telephone<input type="text name="telephone> <input type="submit" name="submit"> </form> i want to send telephone as parameter to this url so whenever user enters his telephone he gets d mssg after clicking on submit.....but i hav no idea how to do tht...help me somone plssssssss http://www.abc.in/smsapi/sendsms.php?sendto=9987234123&msg=your Hi guys, I have got a problem with the if variable statements. When I insert the text of the image location, the name of the strings and when I did not insert the username, all I get this: Code: [Select] image, strings or username are missing Username or password are missing. It should not display with the "Username or password are missing.", only the "image, strings or username are missing". The area of the code i am working on: if($image == '' && $strings == '' && $username == '') { $errmsg_arr[] = 'image, strings or username are missing'; $errflag = true; } elseif($username == '' && $password == ''){ $errmsg_arr[] = 'Username or password are missing.'; $errflag = true; } <?php session_start(); define('DB_HOST', 'localhost'); define('DB_USER', 'myusername'); define('DB_PASSWORD', 'mypassword'); define('DB_DATABASE', 'mydbname'); $errmsg_arr = array(); $errflag = false; $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD); if(!$link) { die('Failed to connect to server: ' . mysql_error()); } $db = mysql_select_db(DB_DATABASE); if(!$db) { die("Unable to select database"); } function clean($var){ return mysql_real_escape_string(strip_tags($var)); } $image = clean($_GET['image']); $strings = clean($_GET['strings']); $username = clean($_GET['user']); $pass = clean($_GET['pass']); $delete = clean($_GET['delete']); if($image == '' && $strings == '' && $username == '') { $errmsg_arr[] = 'image, strings or username are missing'; $errflag = true; } elseif($username == '' && $password == ''){ $errmsg_arr[] = 'Username or password are missing.'; $errflag = true; } if($errflag) { $_SESSION['ERRMSG_ARR'] = $errmsg_arr; echo implode('<br />',$errmsg_arr); } else { $insert = array(); if(isset($_GET['image'])) { $insert[] = 'image = \'' . clean($_GET['image']) . '\''; } if(isset($_GET['strings'])) { $insert[] = 'strings = \'' . clean($_GET['strings']) . '\''; } if(isset($_GET['user'])) { $insert[] = 'username = \'' . clean($_GET['user']) .'\''; } if(isset($_GET['pass'])) { $insert[] = 'pass = \'' . clean($_GET['pass']) . '\''; } if(isset($_GET['delete'])) { $insert[] = 'delete = \'' . clean($_GET['delete']) . '\''; } if (count($insert)>0) { $names = implode(',',$insert); if(isset($image) && ($strings) && ($username)) { echo "test"; } elseif($username && $delete == 'all') { if ($delete != NULL) { mysql_query("DELETE FROM user_list WHERE username='$username'"); $deleted = mysql_affected_rows(); if($deleted > 0) { echo("The data are now deleted"); } else { echo("The user's data is empty"); } }else{ echo("failed"); } mysql_close($link); } } } ?> Do anyone know how i can get pass on those methods if I enter the images, the name of the strings and the username or the or the username with the password? Hello I have this login page with code Code: [Select] <?php header("Expires: Thu, 17 May 2001 10:17:17 GMT"); // Date in the past header ("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); // always modified header ("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1 header ("Pragma: no-cache"); // HTTP/1.0 session_start(); //Below means if session database server crdentials is not set, require to use/set that connection then if (!isset($_SESSION['SESSION'])) require ( "../db_connection.php"); if($_SESSION['LOGGEDIN'] == TRUE) { header("Location: account.php"); exit; } $_SESSION['FORM_SUBMITTED'] = ""; $CRLF = chr(13).chr(10); $user_id = ""; if (isset($HTTP_GET_VARS["user_id"])) $user_id = $HTTP_GET_VARS["user_id"]; if ($user_id == '') { if (isset($_SESSION['user_id'])) $user_id = $_SESSION['user_id']; } //Validations $flg = ""; $error = ""; if (isset($HTTP_GET_VARS["flg"])) $flg = $HTTP_GET_VARS["flg"]; switch ($flg) { case "yellow": $error = "<font class=\"txt_main_str12_mar\"><BR>Your Account Has Not Been Verified.<BR>Check your email for Activation Instructions.<br>Click <a href=\"/courses/forgot_login.php\">here</a> to have the activation email resent.</font>"; break; case "red": $error = "<font class=\"txt_main_str12_mar\"><BR>That userid/password combination is not in our database.<br>Please Try Again.</font>"; break; case "blue": $error = "<font class=\"txt_main_str12_mar\"><BR>Your Session has Expired.<br>Please Login Again.</font>"; break; default: $error = " <br>"; } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Login Page</title> <script language="JavaScript"> <!-- function loadedPage() { } function submitForm() { if (isEmpty(document.forms[0].user_id.value)) { alert("Please enter your UserID."); bSubmit = false; return false; } if (isEmpty(document.forms[0].password.value)) { alert("Please enter your Password."); bSubmit = false; return false; } document.forms[0].submit(); } //--> </script> </head> <body><center><br /><br /> <form name="form1" method="post" id="form1" action="/php/sessions/login/login_processing.php"> <table> <tr> <td>User ID</td> <td><input type="text" name="user_id" id="user_id" value="<?php echo $user_id ?>" size="24" maxlength="30" /></td> </tr> <tr> <td>Password</td> <td><input type="password" name="password" id="password" size="24" maxlength="30" /></td> </tr> <tr> <td> </td> <td><input type="submit" name="Submit" value="Submit" onclick="submitForm();" /></td> </tr> </table> </form> </center> </body> </html> and login processing page with code Code: [Select] <?php header("Expires: Thu, 17 May 2001 10:17:17 GMT"); // Date in the past header ("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); // always modified header ("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1 header ("Pragma: no-cache"); // HTTP/1.0 session_start(); //Below means if session database server crdentials is not set, require to use/set that connection then if (!isset($_SESSION['SESSION'])) require ( "../db_connection.php"); // reset session variables... $_SESSION['user_id'] = ""; $_SESSION['LOGGEDIN'] = false; $_SESSION['EMAIL'] = ""; $_SESSION['FNAME'] = ""; $_SESSION['LNAME'] = ""; // initialize variables... $user_id = ""; $password = ""; $email = ""; // make sure post parameters were sent... if (isset($HTTP_POST_VARS["user_id"])) $user_id = addslashes($HTTP_POST_VARS["user_id"]); if (isset($HTTP_POST_VARS["password"])) $passwd = addslashes($HTTP_POST_VARS["password"]); $_SESSION['user_id'] = $user_id; // form variables must have something in them... if ($user_id == "" || $password == "") { header("Location: ./login_page.php?flg=yellow&user_id=".$user_id); exit; } ?> I'm having problem with the last piece of code above, it's redirecting me eventhough I have entered a value on the userid and password from the login page... I have a form, where I'm collecting registration info - like name, address, email, password. I'm calling another php file at server side code, where it will check whether the email exists or not. Pretty simple, just receiving those post variables and check with the database. The issue, if I find a match, I want to go back to the registration.php page, using the following code: if ($email_already_use == "y") { $_SESSION['ERROR'] = "Error"; $_SESSION['MESSAGE'] = "This email address already used. Please try another"; header("location: ".$settings['site_url']."registration.php"); exit; } Now, I would like to place the user input at the registration.php file, but I do not want to use pass variable at URL like this: header("location: ".$settings['site_url']."registration.php?".name=$name&address=$address&email=$email; Is there anyway, I can retrieve those variables at registration.php, without specifying .name=$name&address=$address&email=$email ? Thanks for your help. I see some sites has similar implementation, but did not find anything like how to do it. I have a search page that then submits to a php page that queries the database. I've been struggling to figure out how to paginate it, but I think I've narrowed down the problem. I didn't realize $_POST results didn't pass through when people clicked the pagination links at the bottom. I verified this by replacing the LIKE variable with a specific word and it worked. I'm trying to learn how to set up sessions, thinking this might solve my problem. Doesn't seem to be working. Can I get some suggestions on how to do this? What's happening now is that it's pulling a random 8 pages that have nothing to do with the original query. I start my entire page with: Code: [Select] <?php session_start(); $_SESSION['leafshape'] = $_post['select1']; $_SESSION['leafcolor'] = $_post['select2']; $_SESSION['leafvein'] = $_post['select3']; $_SESSION['leafmargin'] = $_post['select4']; $leafshape = $_SESSION['leafshape']; $leafcolor = $_SESSION['leafcolor']; $leafvein = $_SESSION['leafvein']; $leafmargin = $_SESSION['leafmargin']; and I'm setting up the queries like this: Code: [Select] $query = "SELECT COUNT(*) as num FROM descriptors JOIN plantae ON (descriptors.plant_id = plantae.plant_name) WHERE descriptors.leaf_shape LIKE '{$_SESSION['leafshape']}' AND descriptors.leaf_venation LIKE '{$_SESSION['leafvein']}' AND descriptors.leaf_margin LIKE '{$_SESSION['leafmargin']}'"; I also tried replacing the '{$_SESSION['leafshape']}' in the query with the assigned variable $leafshape Hello everyone, Can someone show me a way how to pass $_post variable from a form to a function? So, input username and input password to a function login($username, $password). Hello, I am new to PHP and would like to know what I am doing incorrectly. I have designed a login form which contains two variables: the username and the password. So for the username: <input type="hidden" name="email" id="email" value="example_username"> And for the password: <input type="password" name="password" id="password" size="15"> I then created a php script which I want to pass the variables "email" and "password" to the e-mail address: <?php { $message = "$email"; $message2 = "$password"; mail ("email@myserver.com", "Hello", $message, $message2); } ?> This should happen through the command: <action="http://www.myserver.com/myscript.php" method="post"> All I get is a blank email with the subject "Hello". Why are the email and password variables not being passed to my email by the php script? Thanks. Before, if I wanted to send a welcome letter when a user registers i'd do this. $body = "<inserted html code>"; mail('email@email.com', 'Subject', $body, $headers); Now that I am advancing in PHP, I was trying a different method, because when I did the above method, I would have to take all the HTML out of the variable to change something, like an image link, etc... I have tried doing another method, where I can actually leave all the HTML code in a separate file, so that I can easily edit it, and tried 3 things... This one works, but it doesn't pass variables: $body = file_get_contents("emailTemplate.inc.php"); mail('email@email.com', 'Subject', $body, $headers); When I do this one, the page actually just shows on the current page (naturally): $body = include("emailTemplate.inc.php"); mail('email@email.com', 'Subject', $body, $headers); Of course, this has the same effect as the include function: $body = require("emailTemplate.inc.php"); mail('email@email.com', 'Subject', $body, $headers); So my question is, how do I send a formatted HTML email, and pass variables to it, so I can personalize it by the persons name, etc, without adding the HTML to a variable, and so that I can easily update the page whenever I want, and without taking it out of the variable, and sticking back in the edited code? Any help would be appreciated! I would also like to say that I am using this code for the $headers variable too: $headers = 'MIME-Version: 1.0' . "\r\n"; $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n"; $headers .= 'From: from@email.com <email@email.com>' . "\r\n"; Thank you in advanced! I have the array defined and print_r (outside the function is show what I need...) However, I need to somewhay pass those three arguments - name, price, shipping (keys & values) into the "all_products" function and assign (inside the function) each element to a variable {name, price, shipping}. Code: [Select] function all_products($key,$value) { # This is where I'm lost - I know the values are passed to the function but how to I assign them to below variable? echo "$name"; echo "$price"; echo "$shipping"; // Products array defined to send values into "all_products" function & loop to display item name & individual pricing (using WHILE LOOP) $products = array('Product1' => array ( 'name' => 'item one', 'price' => '30.00', 'shipping' => '0.00'), 'Product2' => array ( 'item two', 'price' => '19.50', 'shipping' => '0.10'), 'Product3' => array ( 'item three', 'price' => '21.99', 'shipping' => '0.10') ); while (list($keys, $values) = each($products)) { while (list($k, $v) = each($values)) echo "Checking Looped Data Outside Function: <strong>$k: </strong> $v<br/>"; # echo "<pre>"; # print_r($value); # echo "</pre>"; # Trying to send array elements into "all_products" function & echo (name, price, shipping) keys and values inside that function all_products($k,$v); } I want to query a database (search) and pass the desired columns from the search results to another page like so: Code: [Select] <?php //address error handling ini_set ('display_errors', 1); error_reporting (E_ALL & ~E_NOTICE); //authenticate user require('auth.php'); if (isset($_POST['submit'])) { // Connect to the database. require_once ('config.php'); //Query the database. $sql = "SELECT* FROM members INNER JOIN images ON members.member_id = images_member_id WHERE members.ethnicity = '{$_POST['ethnicity']}'"; $query = mysql_query($sql); if(mysql_num_rows($query) > 0){ while(($row = mysql_fetch_assoc($query)) !== false) { //Redirect to search results page. header("Location: search_results.php?friend='.$row['member_id'].'&me='.$_SESSION['id'].' &pic='.$row['image'].'&name='.$row['username'].'"); } } else { //If no results found. echo 'No results match this search query.' ; } } ?> I get the following error when i try to run the page (by submitting a form from another page which executes this page): Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /home/a4993450/public_html/profile_search.php on line 31 The culprit line is this one: header("Location: search_results.php?friend='.$row['member_id'].'&me='.$_SESSION['id'].' &pic='.$row['image'].'&name='.$row['username'].'"); As you can see, I eliminated all white space between the variables and concatenations, thinking that that was the problem but I keep getting the error message. I'm at a loss about what to do next. Any help? This topic has been moved to JavaScript Help. http://www.phpfreaks.com/forums/index.php?topic=347360.0 This topic has been moved to JavaScript Help. http://www.phpfreaks.com/forums/index.php?topic=359179.0 how can i do this ? i have a number of links , when i click one a pop up is displayed, i need to run a php script depending upon which link is clicked.
Or can i run a javascript function once a query string is passed in the url
Please advice.
Edited by chauhanRohit, 12 July 2014 - 04:10 AM. How would I pass variables from one page to another without using forms or $_GET features. Let say I have page (1.php) where If define $secret_phrase = "open sesame";. On that page (1.php) I have multiple html links to multiple pages (2.php, 3.php, ...) if you click on the link to 2.php page I would like to pass the $secret_phrase as well without having it encoded into a link or using forms. Is there a way to do it? Thanks I work with a large codebase and I have this situation come up fairly often:
the legacy class has large objects such as:
$design->motor->dimensions->a; $design->motor->dimensions->bd; $design->specifications->weight; $design->data->height; //etcWhen I create a new class, that class sometimes operates on the specific data, so say:
class MyClass
{
public function compute($weight, $height, $a)
{
//stuff
}
}
//and I call this for example as such:
(new MyClass())->compute($design->specifications->weight, $design->data->height, $design->motor->dimensions->a);
CONS: Potential issue: if design specs change and I need to change things parameters in "compute" function, I need to "re-key" the variables I pass to the function, and adjust things accordinly in MyClass as wel.
PROS: only the exact data is being passed, and this data can come from anywhere it is viable, so in effect the function is fairly well separated, I think.
Alternative option for me is to pass the entire design object, i.e
class MyClass
{
public function compute(&$design) //can also be done via DI through a setter or constructor.
{
print $design->specifications->weight;
print ($design->data->height + $design->motor->dimensions->a);
//stuff
}
}
(new MyClass())->compute($design);
PROS: In this case when things change internally in which variables are needed and how things are computed, I only need to change the code in compute function of the class itself.
CONS: MyClass now needs to be aware of how $design object is constructed.
When it comes to this parameter passing, and Dependency Injection like this in general, does Computer Science advocate a preference on this issue? Do I pass the entire object, or do I pass only the bits and pieces I need?
Since there have been some debates about how to safely pass PHP values to JavaScript, I hope I can clarify a few things.
One suggestion that kept recurring was to simply run the value through json_encode() and then inject the result into a script element. The JSON-encoding is supposed to (magically?) prevent cross-site scripting vulnerabilities. And indeed it seemingly works, because naïve attacks like trying to inject a double quote will fail.
Unfortunately, this approach doesn't work at all and is fundamentally wrong for several reasons:
json_encode() was never intended to be a security function. It simply builds a JSON object from a value. And the JSON specification doesn't make any security promises either. So even if the function happens to prevent some attack, this is implementation-specific and may change at any time.
JSON doesn't know anything about HTML entities. The encoder leaves entities like " untouched, not realizing that this represents a double quote which is dangerous in a JavaScript context.
The json_encode() function is not encoding-aware, which makes it extremely fragile and unsuitable for any security purposes. Some of you may know this problem from SQL-escaping: There used to be a function called mysql_escape_string() which was based on a fixed character encoding instead of the actual encoding of the database connection. This quickly turned out to be a very bad idea, because a mismatch could render the function useless (e. g. the infamous GBK vulnerability). So back in 2002(!), the function was abandoned in favor of mysql_real_escape_string(). Well, json_encode() is like the old mysql_escape_string() and suffers from the exact same issues.
Any of those issues can be fatal and enable attackers to perform cross-site scripting, as demonstrated below.
1)
The entire “security” of json_encode() is based on side-effects. For example, the current implementation happens to escape forward slashes. But the JSON standard doesn't mandate this in any way, so this feature could be removed at any time (it can also be disabled at runtime). If it does get disabled, then your application is suddenly wide open to even the most trivial cross-site scripting attacks:
<?php
header('Content-Type: text/html; charset=UTF-8');
$input = '</script><script>alert(String.fromCharCode(88, 83, 83));</script><script>';
?>
<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
<title>XSS</title>
</head>
<body>
<script>
var x = <?= json_encode($input, JSON_UNESCAPED_SLASHES) ?>;
</script>
</body>
</html>
2)
In XHTML, a script element works like any other element, so HTML entities like " are replaced with their actual characters (in this case a double quote). But JSON does not recognize HTML entities, so an attacker can use them to bypass json_encode() and inject arbitrary characters:
<?php
header('Content-Type: application/xhtml+xml; charset=UTF-8');
$input = "";alert('XSS');"";
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>XSS</title>
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
</head>
<body>
<script type="text/javascript">
var x = <?= json_encode($input) ?>;
</script>
</body>
</html>
3)
json_encode() blindly assumes that the input and the output should always be UTF-8. If you happen to use a different encoding, or if an attacker manages to trigger a specific encoding, you're again left with no protection at all:
<?php
header('Content-Type: text/html; charset=UTF-7');
$input = '+ACIAOw-alert(+ACI-XSS+ACI)+ADsAIg-';
?>
<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-7">
<title>XSS</title>
</head>
<body>
<script>
var x = <?= json_encode($input) ?>;
</script>
</body>
</html>
(This particular example only works in Internet Explorer.)
I hope this makes it very clear that json_encode() is not a security feature in any way. Relying on it is conceptually wrong and simply a very bad idea.
It's generally not recommended to inject code directly into a script element, because any mistake or bug will immediately lead to a cross-site scripting vulnerability. It's also very difficult to do it correctly, because there are special parsing rules and differences between the various flavors of HTML. If you try it, you're asking for trouble.
So how should one pass PHP values to JavaScript? By far the most secure and robust approach is to simply use Ajax: Since Ajax cleanly separates the data from the application logic, the value can't just “leak” into a script context. This is essentially like a prepared statement.
If you're into micro-optimization and cannot live with the fact that Ajax may need an extra request, there's an alternative approach by the OWASP: You can JSON-encode the data, HTML-escape the result, put the escaped content into a hidden div element and then parse it with JSON.parse():
<?php
header('Content-Type: text/html; charset=UTF-8');
$input = 'bar';
?>
<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
<title>XSS</title>
<style>
.hidden {
display: none;
}
</style>
</head>
<body>
<div id="my-data" class="hidden">
<?php
$json_object = json_encode(array(
'foo' => $input,
));
// HTML-escape the JSON object
echo htmlspecialchars($json_object, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
?>
</div>
<script>
var data = JSON.parse(document.getElementById('my-data').innerHTML);
alert('The following value has been safely passed to JavaScript: ' + data.foo);
</script>
</body>
</html>
Code: [Select] <form action='test.php' method='post'> <input id="Username" type="hidden" name="date2" /> <input type="submit" name="action" value="Submit"></form> Hi I want to pass a Username javascript variable to test.php as hidden, anyone can help? When code this Code: [Select] <input id="Username" type="input" name="date2" />Data can pass to test.php When code this Code: [Select] <input id="Username" type="hidden" name="date2" />Data fail to pass over I'm trying to get a simple table to display and am not sure how to make it happen. Table will have just 2 columns. A TIME and an EVENT. What I want to have happen is for the first row to show the TIME and next to that, the EVENT. If a TIME has more than one event going I want the next row to show an empty first cell and then the second event below the first. If I set up the loop the only way I know how (so far) it would also output the TIME value again and again as many times as there were events for that same time. For example what I don't want is: 9:15 Sunday School 9:15 Nursery Available What I do want is: 9:15 Sunday School Nursery Available Thanks. I am trying to get a JavaScript variable into a PHP variable, I can do this the other way around using the hidden input method and using something like var phpvar = document.getElementById('qwerty').value; to grab the PHP variable from within it. My problem is getting a JavaScript variable into a PHP variable, what methods are out there? Thanks |
|||||||