
I am an amateur web developer and I am developing an application that mainly uses JavaScript but needs to use PHP/MySQL because it is a quiz application and I don't want people to see all the quiz answers by going to "View Source." The pages of relevance are: index.html, problems.php, functions.js. The index.html is the main quiz page. The problems.php is the page used to connect to the server and get the answers to the questions on the quiz page. And the functions.js is used to check whether the answers are correct among other things that prompt the app to do something.

index.html:

<?php
    include ("problems.php");
?>
...

problems.php

<?php
    // Connect to server (credentials redacted)
    $con = mysql_connect("XXXXXXXXXXXXX", "XXXXXXXXXXXX", "XXXXXXXXXXXX");
    // Check the connection before trying to select a database on it
    if (!$con) {
         die("Didn't connect");
    }
    mysql_select_db("problems", $con);
    // Question number comes straight from the query string (?num=...)
    $question_num = $_GET["num"];
    $sql = "SELECT question FROM questions WHERE num='" . $question_num . "';";
    $answer = mysql_fetch_array(mysql_query($sql))['question'];
?>

functions.js

// Compare the expected answer with what the user typed
function checkAnswer(ans, input) {
    if (ans == input) {
        alert("Correct!");
    }
}

I am not a PHP developer and know very little PHP (which is why I'm choosing to use JavaScript for the application). But I would like to use the GET method to get the answers to the quiz questions (when the user clicks "Submit", pass in ?num=1,2,3,4,5). Then pass the quiz answers obtained from the database to the functions.js checkAnswer function to check the answer. My problem is passing the answers to the questions to the functions in JavaScript. Also, it doesn't seem my server is even connecting to the database in my code.

mr.soroush
user11235
    Your code is vulnerable to [SQL injection](http://php.net/manual/en/security.database.sql-injection.php). You need to use the appropriate method of your database library to escape your data prior to making the query. – Matt Ball Jan 20 '13 at 18:05
    I suggest you avoid using the dated mysql_* functions. Using them for new code is [highly discouraged](http://php.net/mysql_query). More modern alternatives are available and better maintained. Instead, consider learning about [prepared statements](http://en.wikipedia.org/wiki/Prepared_statement), and that you use either [PDO or MySQLi](http://php.net/manual/en/mysqlinfo.api.choosing.php). When used strictly, they avoid the tedious and manual escaping part, which thus become heaps easier and (as a by-product) safer to use. Check out [this PDO tutorial](http://goo.gl/vFWnC) for a good start. – Matt Ball Jan 20 '13 at 18:07

3 Answers

I suggest not storing the answers in JavaScript, since anyone can just open the JavaScript file and take a peek. I would suggest doing all the answer checking server side.

Pass the answers as parameters in a GET or POST request to the server, capture the answers, and then use mysqli_* or PDO to create a prepared statement to check that your answers are correct.

Jon Taylor

You can achieve this as follows.

Steps

  1. Pass the question ID and answer entered by user to a PHP page
  2. Validate the answer on the php page
  3. Then return true/false based on the answer

I suggest you use jQuery AJAX for this.

$.ajax({
    url: "GetAnswerStatus.PHP?questionid=4&input=3"
}).done(function (data) {
    // data = true / false
    console.log("Answer:" + data);
});

Or use jQuery .get:

$.get('GetAnswerStatus.PHP?questionid=4&input=3', function(data) {
    console.log("Answer:" + data);
});
Wolf
  • What is the most efficient way to run the .php file locally (or using a local server)? What about passing in multiple IDs and answers to the same .php page? Thanks. – user11235 Jan 20 '13 at 18:36
  • Check this server if you need something simple: [questions/3004696](http://stackoverflow.com/questions/3004696/is-there-a-simple-php-development-server). Or you could use the [built-in server](http://php.net/manual/en/features.commandline.webserver.php). – Wolf Jan 20 '13 at 18:43
  • Multiple IDs? That means you want to validate multiple questions in one go? – Wolf Jan 20 '13 at 18:45
  • Yep, multiple questions in one go when the "Check" button is clicked. – user11235 Jan 20 '13 at 18:59
  • Ok. The easiest option will be sending those as a formatted string `QID1#ANS1,QID2#ANS2,QID3#ANS3,QID4#ANS4`. Then in your PHP code you can split it and loop through. – Wolf Jan 20 '13 at 19:04

If you fetch your answers to the client using JavaScript, the user will be able to see them. Send the answer to the server (e.g. using AJAX) and check it there (only return whether it was right).

Also, inserting the GET value into the MySQL query directly isn't really safe. Use something like mysql_real_escape_string.

Jan Tojnar
  • Am I using the "include" statement correctly, or does the file have to be ".php" instead of "index.html"? The reason I'm using .html is that I would like to test the app locally, but maybe that's what is preventing the server from connecting? – user11235 Jan 20 '13 at 18:23
  • You should use .PHP, and also you should run it using a server (at least localhost)... – Wolf Jan 20 '13 at 18:26
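The server-side check that all three answers recommend (validate on the server, return only right/wrong, use a prepared statement instead of concatenating the GET value), written here as an added example; it is not code from the question or from any of the answers. It assumes PDO, a `questions` table that has an `answer` column next to `num` (the question only shows a `question` column), placeholder credentials, and a JSON POST body carrying the question-id/answer pairs discussed in the comments.

```php
<?php
// check_answers.php (added example). Assumed schema: questions(num INT, answer VARCHAR).
// Credentials below are placeholders, not values from the question.
header('Content-Type: application/json');

$pdo = new PDO(
    'mysql:host=localhost;dbname=problems;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
     PDO::ATTR_EMULATE_PREPARES => false]   // real server-side prepares
);

// Expected body, sent with $.ajax({type: "POST", ...}):
//   {"answers": {"1": "4", "2": "Paris"}}
// The stored answers never leave the server; only true/false per question does.
$body = json_decode(file_get_contents('php://input'), true);
$submitted = (isset($body['answers']) && is_array($body['answers']))
    ? $body['answers'] : [];

// One prepared statement reused for every question: the user's input is bound
// as a parameter, so it can never change the structure of the SQL.
$stmt = $pdo->prepare('SELECT answer FROM questions WHERE num = :num');

$results = [];
foreach ($submitted as $num => $input) {
    // Only integer question numbers and string answers are accepted; anything
    // else is simply reported as wrong rather than passed to the database.
    if (!ctype_digit((string)$num) || !is_string($input)) {
        $results[(string)$num] = false;
        continue;
    }
    $stmt->execute([':num' => (int)$num]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        $results[(string)$num] = false;   // unknown question id
        continue;
    }
    // Normalise case and surrounding whitespace so "paris " still matches
    // "Paris"; hash_equals compares in constant time for equal-length inputs.
    $expected = strtolower(trim((string)$row['answer']));
    $given    = strtolower(trim($input));
    $results[(string)$num] = hash_equals($expected, $given);
}

echo json_encode(['results' => $results]);
```

On the client, `checkAnswer` then only has to read `data.results[num]`, so "View Source" reveals nothing but the questions.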