In php, if I put the following line
echo "<script type='text/javascript'>[javascript code here]</script>";
can I assume that the javascript code will be always be executed irrespective of where I put it in a php file? Assume that the php syntax is valid and the line gets executed (it is not barred by some conditions)
Edit: I have a php file where I have some javascript code and alert('ok'); but the messagebox never appears. I was wondering if the code actually got executed and the browser dismissed the messagebox as the page was changed.
No.
You might put it in a PHP file that doesn't output HTML (e.g. a PDF document or a zip file).
You might put it above a header() call and break the header
You might put it inside an if statement body so it would only be included conditionally
You might put it inside a <style> element, so it would be treated as invalid CSS
etc
PHP just outputs stuff. If you want it to output a <script> element, then you have to put it somewhere where it will be output and it somewhere where outputting it makes sense.
Yes it will be executed because it is returned to browser as html code and browser does not care where it comes from. It is also often abused in XSS attacks.
To conclude it will execute always until it is correct JS and it prints in proper place in html structure.
The code will be executed if the place in which it is inserted is valid. It will behave identically to if you had simply written the javascript code there.
For example, I'm sure the following code wouldn't work:
<ta<?php echo "<script type='text/javascript'>[javascript code here]</script>"; ?>ble>
You are messing with two pairs of shoes here. Your javascript code will not be executed anywhere on the server side (where PHP is executed). After the PHP prozessor is done and the output (including your line of javascript) is send to the client your javascript will be executed. Depending on how strict the clients browser is your <script>-element needs to be inside of the <head> or <body> Element of your HTML-page
Related
Is it possible to load a php file as text with jquery?
$('#loader').load('somefile.php', function(e){
console.log(e);
});
This always interprets/execute the php file but I'm looking for a way to only load it as text, without to resort to renaming my php file as .txt
Is it possible?
Cheers
It is not possible without making any server side modification. The web server will always interpret the php file and return the output. However does not matter what solution you find it'll be very dangereous since you'll be dumping content of your php file to public.
Possible solutions with server side modifications:
Create a PHP file that dumps the content of a file, which name is specified by a url argument
Rename the file (I know the op does not want this, just included since it's an option)
As #nicholas-young suggested, get rid of the PHP tags.
I'm not sure why you need this type of need but I want to emphasize that this might not be a good idea in most of the cases since you'll be make a working PHP file available to public. If you can explain more why you need this we might offer better solutions.
Update:
Create a dumper.php that requires authorization and call this file from the javascript side with passing the filename that you want to be dumped as a parameter (dumper.php?file=index.php)
echo file_get_contents($_GET['file']);
It is of course not possibile.
.load will make an HTTP request to yourwebsite.com/somefile.php hence you will obtain the result of your script not the PHP code inside it.
If you really need the raw code inside your javascript as a string you should output it from the php itself:
<script>
var yourCode = <?=json_encode(file_get_contents('somefile.php')) ?>;
</script>
NO! Would be a major security problem if possible. The header will not matter. If making request towards php file, it will execute prior to delivery.
Use some parameter to print out contents from file instead. But do it in the file itself.
Can you put PHP anywhere in a file? Inside tags and quotes? For example, is something like this guaranteed to work (even though it isn't always recognized by an IDE's syntax highlighter):
<tr><tbody <?php if(!$row) echo "style='display: none;'"; ?>>
<!-- stuff that we only want to show if $row exists -->
</tbody></tr>
Or for example:
<a href="http://www.google.com/search?q=<?= echo $searchTerm; ?>"</a>
I know I can test this sort of thing on my machine, but I'm wondering if it is guaranteed/defined behavior and if there are any edge cases that don't work that I've missed.
Also, is there good reason not to do this? Is it dangerous because the next person looking at the code might miss it? Should I put a comment in? Does having to add a comment defeat the purpose of this method - succinctness?
Yes you can put the php tags anywhere in the page (html) there is no stopping you on that.
If we go under the hood, your web server sends the code to the php interpreter via a handler and merges the output with your static html file and sends the merged file as the response.
To add to my answer, developers usually go for MVC based frameworks so that the php code inside html page is restricted to only printing the variables and the business logic is performed in the controllers. I personally prefer CakePHP. Apart from that you might not want to put code that manipulates session or performs redirection between html tags else you will recieve the headers already set error as you have already printed certain html code before modifying the headers.
I created now a Javascript Code that get the php variable into javascript code, my issue that the php variable is important and I don't want any can see this variable is there is any way to do that by the way I tried to use obfuscator but it doesn't work because of the PHP code inside the Javascript code, let's say this is my Code,
<?php
$var = "this is impotant";
?>
<script type="text/javascript">
var javaScriptVar = "<?php echo $var; ?>";
</script>
So, is there any way to use PHP variables in Javascript code or hide the result of the PHP code?
Nobody sees the PHP code. But if you expose values into Javascript, they are not secret anymore. There is no way to deal with this. You cannot use the value in Javascript and NOT reveal it.
If you want to keep process data secret on the server, and available for the next request of that user, use a session.
People will only see the value of the variable. They wont know what it is or how important it is supposed to be. Nobody will see the variable name because the PHP code is executed BEFORE the page is sent to the client. Therefore there is no need to obfuscate the value, and you cant anyway since you need the value.
An example. if I use this PHP code in my file
<p>Hello Mr <?php echo $MY_SUPER_SECRET_VARIABLE ?></p>
the only thing people will be able to see in the source when the page loads is
<p>Hello Mr Bond</p>
The same rule applies if it is placed in Javascript
First you need to understand that Javascript is executed on the client side, every piece of code and variable are in some way accessible by someone with some programming background.
Although you can obfuscate the source code and encrypt the variable to make it harder to read, there is no 100% protection when things happen on client side.
who wants to get the value, will get it. but you can
dynamically inject them via ajax
encode (base64 etc.) the value
obfuscate the code
PHP files will be interpreted into static (like html or xml format) file, means that all variables will be replaced with certain values.What users see is static, no php code displayed but just interpreted text.
I have a client, whose website has 108 different php static pages, and we need to add some content at the end of each page. I want to avoid doing this manually. Is there any way I can add a link at the end of each page programmatically by using .htaccess or php?
Its a limited hosting account, no ssl
You can use auto_append_file
webbiedave's answer looks simple - but what happens when you append the content to...
<html>
...
</html>
Whether the text is rendered, and how it is rendered will depend very much on the browser. Also, as per the link provided "If the script is terminated with exit(), auto-append will not occur" - while PHP does a good job of cleaning up the resources at exit, it is still good practice to explicitly call exit when the code should terminate.
Although it's still not a generic solution, I'd go with auto prepend script containing something like:
<?php
register_shutdown_function('add_footer');
function add_footer()
{
// try loading a javascript to render the required text
print '<script type="text/javascript" src="/somepath/addfooter.js"></script>' . "\n";
// and for browsers with js disabled but which will render the text include it inline
print '<noscript>' . $include_as_static_text_here . '</noscript>';
}
(IME a script tag appended after the closing html tag is generally acceptable to most browsers even though the resulting html is not well formed - and in the few cases where it is not, the worst that happens is that the script is ignored).
Then in addfooter.js, add the content to the end of the body of the document.
Obviously this will result in the content being sent twice in some cases - solutions to this should be obvious - but I've omitted them for reasons of time and clarity.
Hey everybody, this issue has had me stumped for the last week or so, here's the situation:
I've got a site hosted using GoDaddy hosting. The three files used in this issue are index.html , milktruck.js , and xml_http_request.php all hosted in the same directory.
The index.html file makes reference to the milktruck.js file with the following code:
<script type="text/javascript" src="milktruck.js"></script>
The milktruck.js file automatically fires when the site is opened. The xml_http_request.php has not fired at this point.
On line 79 out of 2000 I'm passing the variable "simple" to a function within the milktruck.js file with:
placem('p2','pp2', simple, window['lla0_2'],window['lla1_2'],window['lla2_2']);
"simple" was never initialized within the milktruck.js file. Instead I've included the following line of code in the xml_http_request.php file:
echo "<script> var simple = 'string o text'; </script>";
At this point I have not made any reference whatsoever to the xml_http_request.php file within the milktruck.js file. I don't reference that file until line 661 of the milktruck.js file with the following line of code:
xmlhttp.open('GET',"xml_http_request.php?pid="+pid+"&unLoader=true", false);
Everything compiles (I'm assuming because my game runs) , however the placem function doesn't run properly because the string 'string o text' never shows up.
If I was to comment out the line of code within the php file initializing "simple" and include the following line of code just before I call the function placem, everything works fine and the text shows up:
var simple = 'string o text';
Where do you think the problem is here? Do I need to call the php file before I try using the "simple" variable in the javascript file? How would I do that? Or is there something wrong with my code?
So, we meet again!
Buried in the question comments is the link to the actual Javascript file. It's 2,200 lines, 73kb, and poorly formatted. It's also derived from a demo for the Google Earth API.
As noted in both the comments here and in previous questions, you may be suffering from a fundamental misunderstanding about how PHP works, and how PHP interacts with Javascript.
Let's take a look at lines 62-67 of milktruck.js:
//experiment with php and javascript interaction
//'<?php $simpleString = "i hope this works"; ?>'
//var simple = "<?php echo $simpleString; ?>";
The reason this never worked is because files with the .js extension are not processed by PHP without doing some bizarre configuration changes on your server. Being on shared hosting, you won't be able to do that. Instead, you can rename the file with the .php extension. This will allow PHP to process the file, and allow the commands you entered to actually work.
You will need to make one more change to the file. At the very top, the very very top, before anything else, you will need the following line:
<?php header('Content-Type: text/javascript'); ?>
This command will tell the browser that the file being returned is Javascript. This is needed because PHP normally outputs HTML, not Javascript. Some browsers will not recognize the script if it isn't identified as Javascript.
Now that we've got that out of the way...
Instead I've included the following line of code in the xml_http_request.php file: <a script tag>
This is very unlikely to work. If it does work, it's probably by accident. We're not dealing with a normal ajax library here. We're dealing with some wacky thing created by the Google Earth folks a very, very long time ago.
Except for one or two in that entire monolithic chunk of code, there are no ajax requests that actually process the result. This means that it's unlikely that the script tag could be processed. Further, the one or two that do process the result actually treat it as XML and return a document. It's very unlikely that the script tag is processed there either.
This is going to explain why the variable never shows up reliably in Javascript.
If you need to return executable code from your ajax calls, and do so reliably, you'll want to adopt a mature, well-tested Javascript library like jQuery. Don't worry, you can mix and match the existing code and jQuery if you really wanted to. There's an API call just to load additional scripts. If you just wanted to return data, that's what JSON is for. You can have PHP code emit JSON and have jQuery fetch it. That's a heck of a lot faster, easier, and more convenient than your current unfortunate mess.
Oh, and get Firebug or use Chrome / Safari's dev tools, they will save you a great deal of Javascript pain.
However...
I'm going to be very frank here. This is bad code. This is horrible code. It's poorly formatted, the commenting is a joke, and there are roughly one point seven billion global variables. The code scares me. It scares me deeply. I would be hesitant to touch it with a ten foot pole.
I would not wish maintenance of this code on my worst enemy, and here you are, trying to do something odd with it.
I heartily encourage you to hone your skills on a codebase that is less archaic and obtuse than this one before returning to this project. Save your sanity, get out while you still can!
perhaps init your values like this:
window.simple = 'blah blah blah'
then pass window.simple
You could try the debugger to see what is going on, eg. FireBug