Pass PHP variable value by Javascript

Viewed 1,862 times

0

Here is the function. What I need is simply to pass the value of a Javascript variable into PHP. If I write isolated code without so many quotes and calls it works, but when I mix everything together it gives problems. I believe it is one of two things:

1 - something related to the closing tags < script >
2 - the start and end of the quotation marks.

The problem lies in this blessed line:

$table = "< script >Document.write(varTB)< /script >";

If I put the SQL string in by hand, it works fine... but when I try to write it this way it doesn't work. What can it be?

Give me a hand here, I'm still crawling in the web world. Thanks.

<button name="addEnvolvido" onclick="carregaCombo('tipolocal','idocorrencia')">Adicionar</button><br/>

<select id="idocorrencia">
    <option value=""></option>
</select>


<?php include("conexao.php"); ?>

<script type="text/javascript">
    function carregaCombo(nomeTB, nomeCombo)
    {
        select = document.getElementById(nomeCombo);
        var varTeste = '';
        var varTB = nomeTB;

        varTeste =
        <?php
            //echo '"item 1"';

            // attempt to read the JS variable from PHP (this is the line in question)
            $tabela = "<script>document.write(varTB)</script>";

            $varResult = '"';
            $result = mysqli_query($con, 'SELECT id, nome FROM ' . $tabela);
            //nomeTB ORDER BY nome');

            while($row = mysqli_fetch_array($result))
            {
                $varResult .= $row[0] . '-' . $row[1] . ';';
            }

            // remove the last ; from the variable
            $varResult = substr($varResult,0,-1);
            $varResult .= '"';

            echo $varResult;
        ?>;

        // now split the ID from the name
        for (var i = 0; i < varTeste.split(";").length ; i++)
        {
            var opt = document.createElement('option');
            opt.value = varTeste.split(";")[i];
            opt.innerHTML = varTeste.split(";")[i];
            select.appendChild(opt);
        }
    }
</script>
  • 1

    If anyone finds this easy, I'm sure it has been answered countless times. Damned template that makes people think the languages communicate directly.

  • I'm looking at it here. JS runs on the client side, PHP on the server. Isn't it possible to print the JS variable into a PHP variable?

  • Possible duplicate: http://answall.com/q/25136/101

  • Cool. Roger that. Thanks.

1 answer

3

Cleverton, what you need to understand is that PHP runs on the server and Javascript, in this case, in the browser.

Imagine the security flaw it would be if javascript could access the database, as in your example. Since javascript runs in the browser, the user can easily manipulate the code, so nothing would stop him from changing the value of nomeTB to:

usuarios; DROP TABLE usuarios;

Got it?

What you need to do in this case is separate responsibilities, perhaps by creating a web service in PHP that answers a request with the query result.

Example:

This would be the web service 'get_table.php':

<?php
    include("conexao.php"); // provides $con (taken from the question's code)

    // Get the table name from the request (here, GET)
    $table = $_GET['tabela'];
    // the table name is concatenated straight into the SQL (see the note below)
    $result = mysqli_query($con, 'SELECT id, nome FROM ' . $table . ';');
    $varResult = '';
    while ($row = mysqli_fetch_array($result)) {
        $varResult .= $row[0] . '-' . $row[1] . ';';
    }

    // remove the last ; from the variable
    $varResult = substr($varResult, 0, -1);

    // plain text "id-nome;id-nome;..." read by the javascript via responseText
    echo $varResult;
?>

And this would be your javascript:

function carregaCombo(nomeTB, nomeCombo) {
    var select = document.getElementById(nomeCombo);
    var varTeste = '';

    // synchronous GET to the web service; the table name travels as a query parameter
    var xhReq = new XMLHttpRequest();
    xhReq.open("GET", "get_table.php?tabela=" + encodeURIComponent(nomeTB), false);
    xhReq.send(null);

    varTeste = xhReq.responseText; // "id-nome;id-nome;..."

    // now split the ID from the name and fill the combo
    var itens = varTeste.split(";");
    for (var i = 0; i < itens.length; i++) {
        var opt = document.createElement('option');
        opt.value = itens[i];
        opt.textContent = itens[i]; // text, not innerHTML: the names come from the database
        select.appendChild(opt);
    }
}

What I did was create a web service called get_table.php that listens for HTTP requests. When it receives a request with the verb GET and the parameter "tabela", it runs the query on the database using that parameter and prints the result, as expected in your example.

But this example still has the same problem I mentioned: if the parameter passed to "tabela" is "usuarios; DROP TABLE usuarios;", it will also drop the table usuarios.

The right thing to do is create a web service following the Single Responsibility Principle, for example:

<?php
    include("conexao.php"); // provides $con (taken from the question's code)

    // fixed query: the table name is not taken from the request at all
    $result = mysqli_query($con, 'SELECT id, nome FROM usuarios;');

    $varResult = '';
    while ($row = mysqli_fetch_array($result)) {
        $varResult .= $row[0] . '-' . $row[1] . ';';
    }

    // remove the last ; from the variable
    $varResult = substr($varResult, 0, -1);

    echo $varResult;
?>

In this case, you would make an HTTP request with the verb GET to, for example, peg_usuarios.php and it would return the result of your query to you, without any user input that could be maliciously exploited.

  • The question of security André Abadesso.
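The answer's two options are either one endpoint that trusts the table name from the client or one fixed endpoint per table. A middle ground, added here as an example that is not from the question or the answer, keeps a single endpoint but resolves the client-supplied name against a fixed allowlist, so the identifier that reaches the SQL is always one of the server's own strings. It assumes, as the question does, that conexao.php defines a mysqli connection in $con, and that the tables usuarios and tipolocal exist with columns id and nome; the function names are my own.

```php
<?php
// Added example (not the page's code): a hardened get_table.php.
// The value of $_GET['tabela'] is never placed into SQL; it is only used as a
// key into TABELAS_PERMITIDAS, and the response is JSON instead of "id-nome;...".
declare(strict_types=1);

// Client-facing name => real table name. Only these tables can ever be queried.
const TABELAS_PERMITIDAS = [
    'usuarios'  => 'usuarios',   // assumed to exist, as in the answer
    'tipolocal' => 'tipolocal',  // assumed to exist, as in the question's button
];

/**
 * Resolve a client-supplied table name against the allowlist.
 * Returns the real table name, or null when the value is not allowed.
 * e.g. resolverTabela('usuarios') === 'usuarios'
 *      resolverTabela('usuarios; DROP TABLE usuarios;') === null
 */
function resolverTabela(string $nomeTB): ?string
{
    return TABELAS_PERMITIDAS[$nomeTB] ?? null;
}

/**
 * Build the SELECT for an allowed table. The identifier comes from the
 * allowlist lookup, never from the request, so it cannot carry SQL.
 */
function montarConsulta(string $tabelaReal): string
{
    return 'SELECT id, nome FROM `' . $tabelaReal . '` ORDER BY nome';
}

/**
 * Run the query and return rows as [['id' => ..., 'nome' => ...], ...].
 */
function buscarLinhas(mysqli $con, string $tabelaReal): array
{
    $result = $con->query(montarConsulta($tabelaReal));
    $linhas = $result->fetch_all(MYSQLI_ASSOC);
    $result->free();
    return $linhas;
}

// Request handling: only runs when the file is served as the endpoint.
if (PHP_SAPI !== 'cli') {
    require __DIR__ . '/conexao.php'; // provides $con (assumption from the question)

    header('Content-Type: application/json; charset=utf-8');

    $tabela = resolverTabela((string)($_GET['tabela'] ?? ''));
    if ($tabela === null) {
        // Unknown name: refuse instead of guessing. The rejected value is not
        // echoed back, so nothing the client sent reaches the response body.
        http_response_code(400);
        echo json_encode(['erro' => 'tabela nao permitida']);
        exit;
    }

    echo json_encode(buscarLinhas($con, $tabela));
}
```

On the client side the same carregaCombo would read the JSON (JSON.parse(xhReq.responseText)) and set opt.value to row.id and opt.textContent to row.nome, which also avoids rebuilding the "id-nome" string only to split it again and keeps database content out of innerHTML. The allowlist is the important part: a table name cannot be passed as a bound parameter in a prepared statement, so the only way to accept one from the client safely is to map it to a server-side constant.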
