PHP - Json_encode() Function Problem
when trying to decode a array of rows taken from my database I found that the json_encode function doesn't allow you to present you array as (with brackets [ ])
[{"name":"Destramic"}]but returns the array as (without brackets [ ]) {"name":"Destramic"}I looked into the documentation and it doesn't seem as if php offer such a way of having bracket which Is a bit of a problem with passing to jquery (which I've found using their autocomplete plugin) this has resulted in me having to add brackets myself $data = "[" . json_encode($rows2) . "]";does anyone know if you can encode it with the brackets or readable for jquery...thank you Similar Tutorialshi i have this code: Code: [Select] //sql $sql -> bind_param('s',$offer); $sql -> execute(); $sql -> bind_result($oferta, $cargo, $conteudo, $tipo_oferta, $local); $arr = array(); while ($sql -> fetch()) { $arr[] = array($oferta, $cargo, $conteudo, $tipo_oferta, $local); }; return $arr; then i make this in ajax (jquery) Code: [Select] data: 'all=<?php echo json_encode($arr); ?>', and in other page i make: Code: [Select] $editar = $_POST['all']; $e = json_decode($editar, true); echo $e[0][0]; the problem is: if i only do : Code: [Select] $arr[] = array($oferta); this echo $e[0][0]; outputs: designer (is the value of $oferta) but if i do Code: [Select] $arr[] = array($oferta, $cargo, $conteudo, $tipo_oferta, $local); echo $e[0][0]; simply doesn't show anything. the question is why ? and how can be solved? If i run data that has HTML entities such as ( ) though json_encode($results) it seems to produce NULL any ideas? Hey everyone. So i'm trying to json_encode one of my arrays like such:
heres an example of how the array is being created (From the array results, everything seems to be fitting OK into the actual array creation) but it's just the actual array creating a multi demension after each result.
$num = 1; $num2 = 1; $i = 0; if ($num > 0) { $array[$i][1] = 40; } if ($num2 > 0) { $array[$i][2] = 50; } ++$i;I'm trying to achive this: var array_one_results = new Array(); array_one[1][0] = 40; array_one[1][0] = 50; array_one[2][1] = 40; array_one[2][1] = 50;right now, this is my results: var array_name = new Array(); array_name["0"] = new Array();array_taken["0"]["0"] = "10"; array_taken["0"]["1"] = "20"; array_name["1"] = new Array();array_taken["1"]["0"] = "10"; array_taken["1"]["1"] = "20"; array_name["2"] = new Array();array_taken["2"]["0"] = "10"; array_taken["2"]["1"] = "20"; array_name["3"] = new Array();array_taken["3"]["0"] = "10"; array_taken["3"]["1"] = "20"; array_name["4"] = new Array();array_taken["4"]["0"] = "10"; array_taken["4"]["1"] = "20";It's creating a new array for each. If anyone could help me through this, i'd really appreciate it. I'm encoding it with this: function js_str($s) { return '"'.addcslashes($s, "\0..\37\"\\").'"'; } function js_array($array, $keys_array) { foreach ($array as $key => $value) { $new_keys_array = $keys_array; $new_keys_array[] = $key; if(is_array($value)) { echo 'array_name'; foreach($new_keys_array as $key) { echo '["'.$key.'"]'; } echo ' = new Array();'; js_array($value, $new_keys_array); } else { echo 'array_taken'; foreach($new_keys_array as $key) { echo '["'.$key.'"]'; } echo ' = '.js_str3($value).";\n"; } } } Reasons to use json_last_error() is obvious when decoding, but was not so to me when encoding. Looking at the documents, malformed UTF-8 characters will result in an error. The examples given show encoding a string, however, an array with an index value which is malformed UTF-8 characters will result in the same error. Are there other cases which json_encode() will result in error? Why would one actually want to use json_encode() on a string? Hello
I am having an issue with encoding an array to JSON, my array seems to be formed correctly but when I try and echo the json_encode version I get "null". I echo the JSON error code and it is "0" indicating no issue..
I have read that non UTF-8 characters can be an issue, but this is simple data, no strange characters... but I added the utf8_encode anyway....
Here is my code:
$dataArray = array( 'title' => 'Test Item', 'icon_url' => 'http://url/api/testimage.jpg', 'item_id' => '12345', 'expiration' => 600 ); utf8_encode($dataArray); $responsArray = array( 'success' => '1', 'data' => $dataArray ); utf8_encode($responsArray); header('Content-type: application/json'); echo print_r($responsArray); echo json_encode ($responseArray); echo json_last_error(); Hi guys, I need to know how to json_encode a mysql output, so far the PHP ref manual for json_encode is not proving very helpful. Any help is much appreciated. I have a function where I am returning a few different arrays into one return json_encode(); but how would I do this? I'm bulling an array from 2 different database tables, and I can't join or union these, because I am actually going to have quite a few different calls that needs to call into other areas. Anyway, My 2 variables are,' $names and $posts If I put one of these in the return json_encode($posts); like that, then the $posts show up fine while the names of course display Undefined, and if I put in return json_encode($names); then my code works for the names to be displayed but anything in the posts of course is undefined, how do I put these two together? Thanks Dear all hello. I am facing a major issue with greek characters. Here is the php script: Code: [Select] <?php $connect = mssql_connect($db_server,$db_username,$db_password) or die("0001"); mssql_select_db($wf_db) or die("0002"); $sql_a = "SELECT [ID],[WASTE_SN] FROM [Webforms].[dbo].[Waste_Types] ORDER BY [WASTE_SN] ASC"; $waste_name = array(); $waste_id = array(); $query_a = mssql_query($sql_a) or die("0003"); while ($row = mssql_fetch_assoc($query_a)){ $waste_name[] = $row['WASTE_SN']; $waste_id[] = $row['ID']; } mssql_close($connect); $final_array = array( "waste_name" => $waste_name, "waste_id" => $waste_id ); $json = json_encode($final_array); echo $json; ?> Json_encode returns null for all values of array $waste_name when greek words are found. When I use print_r($waste_name), i can see all words fine. I've tried almost everything, including utf8_encode without results. Any help will be really appreciated! Hi All I got some help to write this code and it is not working because i get the error ( ! ) Parse error: syntax error, unexpected '{' in C:\wamp\www\blackrain\Resources\json-gen.php on line 14 Here is the php code Code: [Select] <?php error_reporting(-1); ini_set('display_errors',1); $link = mysql_connect('localhost', 'root', ''); if (!$link) { die('Could not connect: ' . mysql_error()); } echo 'Connected successfully<br />'; mysql_select_db("php"); $arr = array(); $rs =mysql_query("SELECT `id`, `title`, `author`, `date`, `imageUrl`, `text` FROM `items`"); while($obj = mysql_fetch_array($rs,MYSQL_ASSOC) { $arr[0] = $obj['id']; $arr[1] = $obj['title']; $arr[2] = $obj['author']; $arr[3] = $obj['date']; $arr[4] = $obj['imageUrl']; $arr[5] = $obj['text']; } //numbering the array indexes, will only return 5 array indexes EVER. All indexes will be over written on each loop. echo json_encode($arr); ?> the sql data is below please put in a db named php and a table named items -- phpMyAdmin SQL Dump -- version 3.3.9 -- http://www.phpmyadmin.net -- -- Host: localhost -- Generation Time: Sep 10, 2011 at 11:49 AM -- Server version: 5.5.8 -- PHP Version: 5.3.5 SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO"; /*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */; /*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */; /*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */; /*!40101 SET NAMES utf8 */; -- -- Database: `php` -- -- -------------------------------------------------------- -- -- Table structure for table `items` -- CREATE TABLE IF NOT EXISTS `items` ( `id` int(11) NOT NULL AUTO_INCREMENT, `title` text NOT NULL, `author` text NOT NULL, `date` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP, `imageUrl` text NOT NULL, `text` text NOT NULL, `catagory` text NOT NULL, KEY `id` (`id`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=25 ; -- -- Dumping data for table `items` -- INSERT INTO `items` (`id`, `title`, `author`, `date`, `imageUrl`, `text`, `catagory`) VALUES (2, 'some random title', 'me', '0000-00-00 00:00:00', 'http://forums.mysql.com/read.php?45,55300,56787#msg-56787', 'fvsdhlihldj sdfjvhduolh dvjichis', '0'), (4, '', '', '0000-00-00 00:00:00', '', '', '0'), (5, 'yet another trial', 'me', '0000-00-00 00:00:00', 'http://www.gaj-it.com/wp-content/uploads/apple5.jpg', ' nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn nnnnnnnnnnnnnnnnnnnnnnnn', '0'), (6, 'yet another trial', 'me', '0000-00-00 00:00:00', 'http://www.gaj-it.com/wp-content/uploads/apple5.jpg', ' nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn nnnnnnnnnnnnf nnnnnnnnnnnnnnnnnn nnnnnnnnnnnnnnnnnn nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn nnnnnnnnnnnnnnnn nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn nnnnnnnn nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn nnnnnnnn', '0'), (7, '', '', '0000-00-00 00:00:00', '', ' ', '0'), (8, '', '', '0000-00-00 00:00:00', '', '', '0'), (9, 'n', '', '0000-00-00 00:00:00', '', '', '0'), (10, 'n', 'me', '0000-00-00 00:00:00', '0000', 'me', '0'), (11, 'n', 'me', '0000-00-00 00:00:00', '0000', 'me1', '0'), (12, 'M', 'Me', '0000-00-00 00:00:00', 'url', 'jdoiheouhfviuehvuiohbeuiofhvuiheiufhvuiehuifvheio uhfvoiuhrovheovhuhfvbuohouifhbouehouhbveiouhfbveb hsousuobv ousiuodfbvibfuibvousdubfdfbfbuvbbfdbufvbjjbfvdjfj fvdjfbfbfdfbbfbbfkbjkbjbfdjbjfkbjkbjbjnbjnnbdnbnj jnbdnjkbfdjknbdnjkbdnjkbdnjkbfdnjkbdnjkbfdnjkbnjk bfdnjkgbnjkgbnjknknknbngbbbd', '0'), (13, 'M', 'Me', '0000-00-00 00:00:00', 'url', 'jdoiheouhfviuehvuiohbeuiofhvuiheiufhvuiehuifvheio uhfvoiuhrovheovhuhfvbuohouifhbouehouhbveiouhfbveb h0pvipjfvoejnv oaiehnfvolijeaofvihn olan', '0'), (14, 'M', 'Me', '0000-00-00 00:00:00', 'url', 'jdoiheouhfviuejnjfnfviejnfvienfivnloidfhnvvihn olan', '0'), (15, 'hhikuh', 'h', '0000-00-00 00:00:00', 'j', ' uhuhiuhuhuiohuoiho', '0'), (16, '', '', '0000-00-00 00:00:00', '', '', '0'), (17, 'brenton', 'me', '0000-00-00 00:00:00', 'http://www.gaj-it.com/wp-content/uploads/apple5.jpg', 'hi all ', '0'), (18, '', '', '0000-00-00 00:00:00', '', '', '0'), (19, 'something', 'me', '0000-00-00 00:00:00', 'http://www.gaj-it.com/wp-content/uploads/apple5.jpg', 'ihfdvuikhavh\r\n ', '0'), (20, '', '', '0000-00-00 00:00:00', '', '', '0'), (21, '', '', '0000-00-00 00:00:00', '', '', '0'), (22, '', '', '0000-00-00 00:00:00', '', '', '0'), (23, 'cd', 'fg', '0000-00-00 00:00:00', 'srf', 'dfsf ', '0'), (24, 'cd', 'fg', '0000-00-00 00:00:00', 'srf', 'dfsf ', 'audi'); thanks matt Good morning,
I am trying to convert a mssql query into json format so that I can then later pass this through google's visualisation api. The query and encoding seems to be working but the encode returns NULL.
I have checked the normal gotcha's of making sure its utf8 encoded and that I have used a version of PHP that has the encode (using php 5.3.19).
Can any one help me with getting the encode to work.
PHP CODE:
<?php Hello, I am new to pHp and javascript languages and I am trying to do some math calculations in pHp, then display the results with google charts. However, I got stuck with inserting data from pHp using json_encode. It works for the most simple array, with using 2 values. When using array of arrays, it does not work. I believe it could be a syntax errors with all those brackets but I could not figure it out. Thanks for any ideas! <?php // some arrays with dim 2x2 $testarr0 = array( 0.1, 2.5); $testarr = array( 1.0, 3.5); $testarr = array( $testarr0, $testarr ) ; // this is how it looks in pHp $json = json_encode($testarr); echo($json); echo '<br/>'; echo json_encode($json); ?> <html> <head> <script type="text/javascript" src="https://www.gstatic.com/charts/loader.js"> </script> <script type="text/javascript"> google.charts.load('current', {'packages':['line']}); google.charts.setOnLoadCallback(drawChart); function drawChart() { var data = new google.visualization.DataTable(); data.addColumn('number', 'x values'); data.addColumn('number', 'y1 '); //var dataArray = <?php echo json_encode($testarr);?>; //document.body.innerHTML = " Data Array with json: " + dataArray ; // defining array here works well /* data.addRows( [ [0.1 ,2.5], [1.0 ,3.5] ] ); */ // this here does not work: data.addRow( <?php echo json_encode($testarr);?> ); // some options for the chart var options = { chart: { title: 'Points over time', }, width: 600, height: 400, axes: { x: { 0: {side: 'top'} } } }; var chart = new google.charts.Line(document.getElementById('line_top_x')); chart.draw(data, google.charts.Line.convertOptions(options)); } </script> </head> <body> <div id="line_top_x" style="width: 900px; height: 500px"></div> </body> </html>
I have a piece of code that outputs json as you can see from the example below it add \ / in front of urls & for ' it turns it into ' is there something i can do to correct this? Code: [Select] if (mysqli_num_rows($r) > 0) { // Available. while ($row = mysqli_fetch_array($r, MYSQLI_ASSOC)) { $results[] = array( 'blog_id' => ($row['ID']), 'post_date' => ($row['pd']), 'post_title' => ($row['post_title']), 'article_img' => ('http://www.socialnewsoffice.com/uploads/'.$row['article_img']), 'post_content' => ($row['post_content']), 'tags' => ($row['tags']), 'views' => ($row['views']), 'categorie_id' => ($row['categorie_id']), 'post_url' => ($row['post_url'])); } echo $json = Pretty_JSON(json_encode($results)); it outputs Code: [Select] [{ "blog_id":"3", "post_date":"Thu, 1 March 2012", "post_title":"Facebook's New Fan Page Learn How To Use Features", "article_img":"http:\/\/www.socialnewsoffice.com\/uploads\/17963.jpg", "post_content":"<p>This week saw the release of Facebook's latest functionality changes (Timeline for Businesses) that will shape the future of how businesses will market their campaigns, through the social media giant Facebook. A number of marketers are wondering how they will incorporate the new features in an attempt to progress and move forward with their online social media presence.<\/p>\r\n<p>Taking all the key changes in to consideration we have managed to create a guide on how to smoothly move with the times and embrace the new Facebook layout.<\/p>\r\n<p>Please read on below for helpful tips and tricks on how to excel with 'Timeline for Brands'<\/p>\r\n<h2>New Features Announced at the Facebook Marketing Conference:<\/h2>\r\n<p><strong>View and Apps:<\/strong> What was once known as Application pages has changed to 'Tabs'. These can now have customizable images linked with them and the order of them can be changed too. Below you can see from the screenshot what a customized Facebook Timeline looks like.<\/p>\r\n<p><strong>Pinning Content:<\/strong> With this new feature you can 'pin' a post to the very top of your Facebook Timeline. This is Very effective when working on a new campaign and is a great way to entice increased traffic to your tab or application page.<\/p>\r\n<p><strong>Featured 'Starred' Content:<\/strong> This feature allows you to select key content or imagery and extend it so it fits across your entire page. Therefore giving you featured content on your Facebook Timeline and making it more visible.<\/p>\r\n<p><strong>Cover Photos:<\/strong> Cover Photos are another great new feature that allow you to announce your latest campaign, welcome your following community or just simply show visitors to your timeline what you can do. There are some slight flaws with this feature though and will be addressed below.<\/p>\r\n<p><strong>Page Dimensions:<\/strong> Dimensions of application pages has now changed with the release of Facebook Timeline. If you happen to be an SML user then you have all the tools necessary to update your page on your own. If your using Involvers App Suite then those applications will be updated soon.<\/p>\r\n<p><strong>Removal of Default Landing Pages:<\/strong> The commonly used Facebook landing pages have been removed and replaced with various options to allow brands to drive content to application pages. These options allow you to use your cover photo and pinned content to attract users to your personal application pages. Despite the changes it is however still possible to link directly to application pages from ads, posts and outside of Facebook.<\/p>\r\n<h2>Getting Started with Timeline For Brand:<\/h2>\r\n<p>Firstly when accessing and logging in to your New Facebook Brand Page, you will see this admin message displayed below:<\/p>\r\n<p>When will my Page change to the latest design?<\/p>\r\n<p>To see a preview of what your new pages will look like, simply click on the green button at the top of your current pages. A second option is to wait until March 30th 2012 when all pages will be upgraded automatically.<\/p>\r\n<p>Where can I visit to learn more about how to use the new Pages?<\/p>\r\n<p><strong>There are a number of places you can visit to learn all you need to know about Pages:<\/strong><\/p>\r\n<ul>\r\n<li>To find out more about new features, download the Pages Overview guide by clicking here.<\/li>\r\n<li>If your wondering how to get started with Pages then download Facebook's full Pages Product Guide by clicking here.<\/li> \r\n<li>The Pages Learning video allows you to walk through the key features with Facebook's product experts.<\/li> \r\n<li>If you need answers to specific questions, visit Facebook's Help Centre. <\/li>\r\n<\/ul>\r\n<h2>How should I choose a cover photo for my Page?<\/h2>\r\n<p>Firstly select a unique image that represents your page. Facebook itself recommends using a photo of a popular menu item, album artwork or an image of your product being used by someone. You need to experiment with a number of different images that your audience responds positively to. \r\nFew key elements of Cover Images:\r\n<\/p>\r\n<p><strong>Each Cover image must be at least 399 pixels wide and must not contain the following:<\/strong><\/p>\r\n<ul>\r\n<li>Prices \/ Purchase information and displaying offers such as \"60% off this month\" are not permitted. Also 'Download this from our website' is not allowed.<\/li> \r\n<li>No email addresses, web addresses and any other contact information.<\/li>\r\n<li>References to clicking on or the use of Facebook interface elements such as Like or Share or any other Facebook Features.<\/li>\r\n<li>\"Tell your friends\" or \"Get it now\" or any other calls to action are not allowed in the latest version of Facebook Timeline.<\/li>\r\n<\/ul>\r\n<p>All Timeline cover imagery is public and therefore means anyone visiting your Page will be able to see exactly which image you have chosen. The photos you display must not be deceptive, false or misleading any way that infringes on third party intellectual property. You must also not encourage of incentivize other fellow users, friends or business associates to display the same cover image as yours on personal Timelines.<\/p>\r\n<p>To sum up we are extremely excited about the latest Facebook feature release this week. They constantly deliver new services that are amazing and incredibly innovative to the market place.<\/p>\r\n<p>Here at Northplanet we are commited to provide you with the latest information on the hottest online topics around, to keep you ahead in the game. We would love to hear some feedback from you on the brand new Facebook 'Timeline for Brands' release and invite you to visit our very own <a href=\"https:\/\/www.facebook.com\/northplanet\">Northplanet Facebook Timline page by clicking here.<\/a><\/p>", "tags":"facebook, new fan page", "views":"253", "categorie_id":"2", "post_url":"facebooks-new-fan-page-learn-how-to-use-features" } Since there have been some debates about how to safely pass PHP values to JavaScript, I hope I can clarify a few things.
One suggestion that kept recurring was to simply run the value through json_encode() and then inject the result into a script element. The JSON-encoding is supposed to (magically?) prevent cross-site scripting vulnerabilities. And indeed it seemingly works, because naïve attacks like trying to inject a double quote will fail.
Unfortunately, this approach doesn't work at all and is fundamentally wrong for several reasons:
json_encode() was never intended to be a security function. It simply builds a JSON object from a value. And the JSON specification doesn't make any security promises either. So even if the function happens to prevent some attack, this is implementation-specific and may change at any time.
JSON doesn't know anything about HTML entities. The encoder leaves entities like " untouched, not realizing that this represents a double quote which is dangerous in a JavaScript context.
The json_encode() function is not encoding-aware, which makes it extremely fragile and unsuitable for any security purposes. Some of you may know this problem from SQL-escaping: There used to be a function called mysql_escape_string() which was based on a fixed character encoding instead of the actual encoding of the database connection. This quickly turned out to be a very bad idea, because a mismatch could render the function useless (e. g. the infamous GBK vulnerability). So back in 2002(!), the function was abandoned in favor of mysql_real_escape_string(). Well, json_encode() is like the old mysql_escape_string() and suffers from the exact same issues.
Any of those issues can be fatal and enable attackers to perform cross-site scripting, as demonstrated below.
1)
The entire “security” of json_encode() is based on side-effects. For example, the current implementation happens to escape forward slashes. But the JSON standard doesn't mandate this in any way, so this feature could be removed at any time (it can also be disabled at runtime). If it does get disabled, then your application is suddenly wide open to even the most trivial cross-site scripting attacks:
<?php header('Content-Type: text/html; charset=UTF-8'); $input = '</script><script>alert(String.fromCharCode(88, 83, 83));</script><script>'; ?> <!DOCTYPE HTML> <html> <head> <meta charset="utf-8"> <title>XSS</title> </head> <body> <script> var x = <?= json_encode($input, JSON_UNESCAPED_SLASHES) ?>; </script> </body> </html>2) In XHTML, a script element works like any other element, so HTML entities like " are replaced with their actual characters (in this case a double quote). But JSON does not recognize HTML entities, so an attacker can use them to bypass json_encode() and inject arbitrary characters: <?php header('Content-Type: application/xhtml+xml; charset=UTF-8'); $input = "";alert('XSS');""; ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>XSS</title> <meta http-equiv="content-type" content="text/html; charset=UTF-8" /> </head> <body> <script type="text/javascript"> var x = <?= json_encode($input) ?>; </script> </body> </html>3) json_encode() blindly assumes that the input and the output should always be UTF-8. If you happen to use a different encoding, or if an attacker manages to trigger a specific encoding, you're again left with no protection at all: <?php header('Content-Type: text/html; charset=UTF-7'); $input = '+ACIAOw-alert(+ACI-XSS+ACI)+ADsAIg-'; ?> <!DOCTYPE HTML> <html> <head> <meta charset="utf-7"> <title>XSS</title> </head> <body> <script> var x = <?= json_encode($input) ?>; </script> </body> </html>(This particular example only works in Internet Explorer.) I hope this makes it very clear that json_encode() is not a security feature in any way. Relying on it is conceptually wrong and simply a very bad idea. It's generally not recommended to inject code directly into a script element, because any mistake or bug will immediately lead to a cross-site scripting vulnerability. It's also very difficult to do it correctly, because there are special parsing rules and differences between the various flavors of HTML. If you try it, you're asking for trouble. So how should one pass PHP values to JavaScript? By far the most secure and robust approach is to simply use Ajax: Since Ajax cleanly separates the data from the application logic, the value can't just “leak” into a script context. This is essentially like a prepared statement. If you're into micro-optimization and cannot live with the fact that Ajax may need an extra request, there's an alternative approach by the OWASP: You can JSON-encode the data, HTML-escape the result, put the escaped content into a hidden div element and then parse it with JSON.parse(): <?php header('Content-Type: text/html; charset=UTF-8'); $input = 'bar'; ?> <!DOCTYPE HTML> <html> <head> <meta charset="utf-8"> <title>XSS</title> <style> .hidden { display: none; } </style> </head> <body> <div id="my-data" class="hidden"> <?php $json_object = json_encode(array( 'foo' => $input, )); // HTML-escape the JSON object echo htmlspecialchars($json_object, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8'); ?> </div> <script> var data = JSON.parse(document.getElementById('my-data').innerHTML); alert('The following value has been safely passed to JavaScript: ' + data.foo); </script> </body> </html> I have a function that needs to return a value and it isn’t.I think it’s a scope issue but can’t solve it. The function is function is_connected() { $addr= 'www.google.com'; if (!$socket = @fsockopen($addr, 80, $num, $error, 5)){ $connection = 0; }else { $connection = 1; { return $connection; } is_connected() echo $connection; The function works, but I do get a warning $connection not defined and I don’t get a value. Any help appreciated. I am having trouble getting a function to work. The function I am having trouble with is in a database.php include file that I am using successfully already. In this particular case I have had it read a function in the same file immediately before, with no problem. Here is the code. $database->addlog($username, $processname, "Can access database", 0); $prodidisused = $database->prodisused($prodid); and the error I am getting is Fatal error: Call to undefined method MySQLDB::prodisused() in /home/paulsinc/public_html/testcrm/create_product.php on line 217 The function which is in database.php is function prodisused($prodid) { $q = "SELECT * FROM orderitems WHERE productid = '$prodid'"; $result = mysql_query($q, $this->connection); /* Error occurred, return given name by default */ if (!$result || (mysql_numrows($result) < 1)) { return false; } /* Return result array */ return true; } As you can see, the function addlog which is also in database.php is working. Thanks for all suggestions. Hi, I am calling the sms gateway to send sms, Quote $sms_msg = "hi this is mubarak"; $url = $urlAccount_home."?username=".$userAccount."&password=".$passAccount."&number=".$O_Mobile."&sender=".$userSenderSMS."&msg=".$sms_msg; if (!($fp =fopen($url,"r"))) echo "<br><center>خطا في الاتصال </center><br>"; $result =fread($fp,10); fclose($fp); when i am sending like this am sending only the message "Hi" I am not getting the whole message... What might be the problem in sending the sms gateway.. Please help me if you guys came to know, Thanks and Regards, Mubarak OK, this is a strange one I am hoping someone can help with. I have a file with a heap of functions which work fine. This file is included in my other files, and the function to display the content is called. For example I include the master file in guestbook.php, which calls showGuestbook(). Same with contact.php, it calles showContact(); etc. The file is outside the web root of the website calling it. So I went to add another function called downloadFile(). When I try to call the function, it gives me the "call to undefined function" error. I have tried renaming it to a few diff things, same error. So I thought there could be a brace error somewehere in the file. This is the strange bit.... When I put that function at the top of the file, the page seems to fail to parse. None of the functions are available... The function so far is simply: function downloadFile() { echo "Download File"; } Can anyone shed some light on this strange behaviour, especially the errors that occur just because I move the code higher up the file. Hey there, I guess, theres something wrong with this page, 'cause it isnt loading the page I'm trying to include, please take a look: <? require "/backend/functions.php"; $con = mysql_connect('localhost', 'mdown', 'e5r8htt9'); mysql_select_db("actual", $con); dbconn(true); ?> <html> <body BGCOLOR="#000000"> [...] </style> <div class="wrapper"> <div class="rec"> <img src=test/recs.png border=0> </div> <div class="hormenu"> <img src=test/hormenu.png border=0> </div> <div class="cpanel"> <img src=test/cpanel.png border=0> </div> <div class="menu"> <img src=test/menu.png border=0> </div> <div class="baresq"> <img src=test/baresq.png border=0> </div> <div class="table"> <? include 'home/newtable.php'; ?> </div> <div class="bardir"> <img src=http://mdown.org/tretas/teste.V4/bardir.png border=0> </div> </div> </body> </html> Now the page with this code isnt showing anything inside the TABLE div and I guess it should display the content of newtable.php. The newtable.php is working perfectly and the is just the data selected from a table. Any idea about where did I messed up? thanks I just want to compare this two functions <?php function myfunction($x) { if($_GET['x']==$x) { return "SELECTED"; } } echo "<option value='test'".myfunction('test').">TEST</option>"; ?> ======================================================= <?php function myfunction($x) { if($_GET['x']==$x) { echo "SELECTED"; } } ?> <option value="test" <?php myfunction("test");?>>TEST</option> * Assume that $_GET['x']=="test" My question: I try to use echo for the first case and option didnt SELECTED until i use return Same thing with the second one, where i have to use return instead of echo can anyone simply explain this thanks |