3

On my website I set some values in the session object, like "user_status", "user_name" and so on. The PHP file looks like this:

<script type="text/javascript">
    // json_encode() emits a valid JS literal (true/false). A bare echo of a
    // PHP false prints nothing and would leave "var logged = ;", a syntax error.
    var logged = <?php echo json_encode((bool) $this->session->getValueOf("user_status")); ?>;
</script>

<a class="show_status" href="#">Show my status</a>

Well, I have a JS script that is meant to perform an action according to the user's status on the website, so I have this:

$('.show_status').click(function(event){
    // href="#" would otherwise scroll to the top of the page
    event.preventDefault();

    //ask for user status
    if (logged){
        //do something
    }
    else{
        //do another action for visitors
    }
});

Looking around, I wondered whether this is the best way to flow data from the session to JavaScript, because if you inspect the page source in the browser the value of user_status will be visible and could be risky for website security.

Thanks in advance

EDIT:

  1. The logged var only takes a boolean value.
  2. The JS action must be executed each time the `.show_status` element is clicked.

manix
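The embedding step is where the real risk sits, not in the visibility of a boolean. The following is an added example, not code from the question or from the site it describes: it shows how to emit several session values into an inline script so that a string value such as `user_name` cannot terminate the `<script>` element. The session object and its `getValueOf()` method are taken from the question; the helper names `js_literal()` and `session_script()`, the anonymous stand-in session and PHP 8 are assumptions.

```php
<?php
// Added example (not from the original post): safely emitting session values
// into an inline <script>. The session object and getValueOf() are the
// question's; the helper names and the stand-in session are assumed here.

declare(strict_types=1);

/**
 * Encode a PHP value as a JavaScript literal that is safe inside a <script>
 * block. json_encode() yields valid JS for scalars, arrays and objects; the
 * JSON_HEX_* flags additionally escape < > & ' " as \uXXXX so a value like
 * "</script><script>..." cannot close the script element.
 */
function js_literal(mixed $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/**
 * Build the <script> block for the page head. Only UI-relevant values are
 * exposed. The status is cast to bool so a missing or empty session key
 * becomes `false` instead of an empty echo (which would leave `var logged = ;`).
 */
function session_script(object $session): string
{
    $logged   = (bool) $session->getValueOf('user_status');
    $userName = (string) ($session->getValueOf('user_name') ?? '');

    return "<script type=\"text/javascript\">\n"
        . '    var logged = ' . js_literal($logged) . ";\n"
        . '    var userName = ' . js_literal($userName) . ";\n"
        . "</script>\n";
}

// --- Constructed demonstration data -------------------------------------
// Minimal stand-in for the question's session object, holding a user name
// that tries to break out of the script element.
$session = new class {
    private array $data = [
        'user_status' => 1,
        'user_name'   => '</script><script>alert(document.cookie)</script>',
    ];

    public function getValueOf(string $key): mixed
    {
        return $this->data[$key] ?? null;
    }
};

echo session_script($session);
```

Run it with `php` on the command line: the status comes out as the literal `true`, and every `<`, `>` and `/` in the user name is emitted as a `\u003C`, `\u003E` or `\/` escape inside a quoted JS string, so the browser's HTML parser never sees a closing `</script>` tag. Whatever ends up in `logged` is still only a hint for the UI; the server has to check the session again on any request that actually does something.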

2 Answers

3

If the JavaScript is just being used for interface stuff, and doesn't have any back end effects, I probably wouldn't worry too much about the insecurity of handling that logic client-side.

If security is an important thing though, I would recommend you use PHP to write the appropriate JavaScript function. For example:

On the page being viewed, perhaps in the header, you have:

<script type="text/javascript">
    <?php
    // require_once reads the .js file through PHP and echoes it verbatim
    // (it must not contain a PHP open tag), so the browser only ever
    // receives the set of functions matching the session state.
    if ($this->session->getValueOf("user_status")) {
        require_once('logged_in_user_functions.js');
    } else {
        require_once('visitor_functions.js');
    }
    ?>
</script>

In the file `logged_in_user_functions.js` you have:

function showComment(id) {
    //logic that shows the comment here
}

function showCommentSubmissionForm() {
    //logic that adds this form to the page goes here
}

Meanwhile, in the file `visitor_functions.js` you have:

function showComment(id) {
    //logic that shows the comment in a different way goes here
}

function showCommentSubmissionForm() {
    //logic to display a message saying the user needs to log in to post a comment goes here
}

Then you can add your logic into your page without having to check the user status. The proper behaviour is provided by virtue of which .js file was included:

<button id='add_comment_button' onclick='showCommentSubmissionForm()'>Add Comment</button>

This gives PHP (and thus the server, not the client) final say in what gets displayed to the user.

Michael Fenwick
  • I wouldn't advise inline code execution just to achieve a restricted action. In short, JavaScript should not be doing any private-access related type stuff in the first place. You can manipulate a UI via JavaScript console but at the end of the day, the server is the enforcer of data I/O. In this case, I'd set a constant or define a config. – Matt Lo Jul 30 '12 at 03:25
  • 1
    Hmmm, I like this method, the only "negative" part is that my php markup becomes so chaotic – manix Jul 30 '12 at 03:26
  • 1
    @manix, Chaotic how? Do you mean that the opening and closing php tags just look ugly? I can't disagree there, but functionally it's not all that bad. One thing that you can do to help clean it up is to use the same code outline to import (using `require_once`) the appropriate JavaScript functions. This would keep the whole logic in a single set of `<script>` tags and could import the appropriate version of multiple JavaScript functions as needed. – Michael Fenwick Jul 30 '12 at 03:30
  • @MichaelFenwick, brilliant idea, but what happens after the PHP is processed? The JS action will be displayed one time. It should be launched on every `.show_message` click – manix Jul 30 '12 at 03:36
  • @manix, the idea is to write two versions of the JavaScript function that define the proper behaviour in each case. I'll edit my answer to explain in a little more detail what I mean. – Michael Fenwick Jul 30 '12 at 03:42
  • awesome! Thank you so much, and the rest of people too. PS: I did not know that `require_once` could include js files! – manix Jul 30 '12 at 03:56
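Serving a different JavaScript file per session state controls what the page shows, but as the first comment on this answer points out, the server is the enforcer. The following is an added example, not part of the answer or the asker's site: it is the endpoint behind `showCommentSubmissionForm()`, which re-checks the session on every submission, so a visitor who calls the function from the console or POSTs directly still gets a 403. The endpoint shape, the `comment` field name, the use of `$_SESSION` (rather than the question's session object) and the in-memory `save_comment()` store are assumptions.

```php
<?php
// Added example (not part of the original answer): the server-side half of
// the pattern. Whichever JavaScript file the page served, the endpoint that
// stores a comment must re-check the session itself. Field names, the use of
// $_SESSION and the in-memory store are assumptions for this example.

declare(strict_types=1);

/** In-memory stand-in for the comments table; returns the new comment's id. */
function save_comment(string $author, string $body): int
{
    static $comments = [];
    $comments[] = ['author' => $author, 'body' => $body];
    return count($comments);
}

/**
 * Handle a comment submission. Returns [HTTP status, response body] so the
 * decision can be exercised without a web server.
 */
function handle_comment_post(array $session, array $post): array
{
    // Enforcement happens here, not in the browser: an unauthenticated
    // client gets 403 no matter what its copy of `logged` says, and nothing
    // in $post (which the client controls) is consulted for the decision.
    if (empty($session['user_status'])) {
        return [403, 'You must be logged in to post a comment.'];
    }

    $body = trim((string) ($post['comment'] ?? ''));
    if ($body === '' || strlen($body) > 4000) {
        return [400, 'Comment is empty or too long.'];
    }

    $id = save_comment((string) ($session['user_name'] ?? ''), $body);
    return [201, "Comment #$id saved."];
}

if (PHP_SAPI !== 'cli') {
    // Real request: the session is the server's own record of who is logged in.
    session_start();
    [$status, $message] = handle_comment_post($_SESSION, $_POST);
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    echo $message;
    exit;
}

// --- Constructed cases for a CLI run ------------------------------------
$cases = [
    'visitor whose JS set logged = true' => [[], ['comment' => 'hi', 'logged' => 'true']],
    'logged-in user, empty comment'      => [['user_status' => 1, 'user_name' => 'manix'], ['comment' => '   ']],
    'logged-in user, valid comment'      => [['user_status' => 1, 'user_name' => 'manix'], ['comment' => 'hi']],
];
foreach ($cases as $label => [$session, $post]) {
    [$status, $message] = handle_comment_post($session, $post);
    printf("%-36s -> %d %s\n", $label, $status, $message);
}
```

The first constructed case is the one that matters: the POST body claims `logged = true`, but `handle_comment_post()` only reads the session array, so the request is refused. Served as a web page, the same function runs against the real `$_SESSION` and `$_POST`.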
2

Assuming that user_status will be something like Active, then this isn't really a security risk.

If you want to hide everything from casual prying eyes, you could try using an encrypted cookie, using something like How to save encrypted data in cookie (using php)? to encrypt your values.

Michael Robinson
  • yes, `user_status` can only take the value of `1` or `0`, and the cookie is actually encrypted – manix Jul 30 '12 at 03:20
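If session values are kept in a cookie rather than server-side, encryption alone is not enough: the client must also be unable to flip `user_status` from `0` to `1` without the server noticing, which needs an authenticated mode. The following is an added example, not code from this answer or the linked question: it seals the values with libsodium's secretbox (XSalsa20-Poly1305, so tampering is detected on open). The cookie layout (nonce followed by ciphertext, URL-safe base64), the helper names and a per-process key are assumptions; a real deployment loads one persistent key from server-side configuration.

```php
<?php
// Added example (not from the original answer): authenticated encryption of
// cookie values with libsodium (bundled with PHP 7.2+). Layout, helper names
// and the per-process key are assumptions; in production the key comes from
// server-side configuration and never changes between requests.

declare(strict_types=1);

/** Server-only key. Generated here for the demo; load it from config in practice. */
function cookie_key(): string
{
    static $key = null;
    return $key ??= sodium_crypto_secretbox_keygen();   // 32 random bytes
}

/** Encrypt and authenticate an array of values into an opaque cookie string. */
function seal_cookie(array $values): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);   // fresh per cookie
    $plain = json_encode($values, JSON_THROW_ON_ERROR);
    $box   = sodium_crypto_secretbox($plain, $nonce, cookie_key());
    return sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

/** Decrypt and verify; returns null for a missing, malformed or tampered cookie. */
function open_cookie(?string $cookie): ?array
{
    if ($cookie === null) {
        return null;
    }
    try {
        $raw = sodium_base642bin($cookie, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    } catch (SodiumException $e) {
        return null;                                              // not base64
    }
    $minLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if (strlen($raw) < $minLen) {
        return null;                                              // truncated
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, cookie_key());
    if ($plain === false) {
        return null;                                              // MAC check failed
    }
    $values = json_decode($plain, true);
    return is_array($values) ? $values : null;
}

// --- Constructed demonstration ------------------------------------------
$sealed = seal_cookie(['user_status' => 1, 'user_name' => 'manix']);
var_dump(open_cookie($sealed));

// Change one character inside the ciphertext part (the nonce occupies the
// first 32 base64 characters) and try to open it again.
$pos      = 40;
$tampered = substr_replace($sealed, $sealed[$pos] === 'A' ? 'B' : 'A', $pos, 1);
var_dump(open_cookie($tampered));
```

The first `var_dump` shows the two values back; the second is `NULL`, because the Poly1305 tag no longer matches and `sodium_crypto_secretbox_open()` refuses to return the plaintext. With a plain unauthenticated cipher the same one-character change would decrypt to garbage or, with a malleable mode, to a chosen value, and the server would have no way to tell. Note that this only matters if values are stored in the cookie at all; a server-side session as in the question needs only an opaque random session id in the cookie.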