I am currently working on making a simple PHP script to edit certain aspects of a game in JavaScript. When attempting to pass variables from the script to the game using forms, the variable data does not seem to transfer. As of now, the script is meant to edit the RGB value of one player in the game. The code is as follows:

script.php:

<html>
<head>
<title>Form</title>
</head>
<body>

<form method="get" action="tron2.html">


<p>What are your player 1's RGB values:
<input type="text" name="color1r" /> Red 
<input type="text" name="color1g" /> Green 
<input type="text" name="color1b" /> Blue </p>

<input type="submit" value="Submit" />

</form>

</body>
</html>

And the portion of the code in JavaScript where the variables are assigned:

<?php

$color1r = $_POST["color1r"];
$color1g = $_POST["color1g"];
$color1b = $_POST["color1b"];


?>


<HTML>
    <HEAD>
    <TITLE>
        Tron2 
    </TITLE>
    <script>
        var x = "<?=  $color1r; ?>";
        var y = "<?=  $color1g; ?>";
        var z = "<?=  $color1b; ?>";
        //more code for the game

When the game runs, the color of the player stays black, so the values of x,y,z must all be 0. Is there any reason why the values aren't being passed?

Alex

2 Answers

<form method="get" ...>

and

$color1r = $_POST["color1r"];

are not friends.

<form method="post" ...> and $color1r = $_POST["color1r"]; are friends, and
<form method="get" ...> and $color1r = $_GET["color1r"]; are also friends.

Also <?= echo should error. Use <? echo $string or <?=$string

Popnoodles

Aside from the tangential POST/GET mixup, always use json_encode() to output PHP variables in JS code.

echo without escaping or other escaping functions will generate invalid and/or insecure code.

<script>var jsvalue = <?php echo json_encode($phpvalue) ?>;</script>

In your specific case:

<form method="post" action="tron2.html">

and

<script>
    var x = <?= json_encode($color1r) ?>;

Kornel

  • Why is that needed/how does this fix the problem which is obviously a get/post data mixup? – James Coyle Feb 21 '13 at 02:04
  • This is not an answer to the question and is not true. echo without escaping or other escaping functions **may** generate invalid and/or insecure code. – Popnoodles Feb 21 '13 at 02:05
  • @popnoodles saying "not true" is a bit harsh; you're pedantic about lucky secure case in a very common most-likely-vulnerable pattern. – Kornel Feb 21 '13 at 02:08
  • @jimjimmy1995 if somebody sends data with value `"; evil_session_hijacking_code(); "` then your site will run attacker's code. There's plenty of non-obvious filter-evading tricks here, but `json_encode()` protects against them all by default. – Kornel Feb 21 '13 at 02:09
  • I concur with @porneL, Properly escaping the data is important. Outputting unsanitized output in JS code is just as bad as doing it in HTML. – kittycat Feb 21 '13 at 02:12
  • @porneL if you're not pedantic about programming, you may generate invalid or insecure code. – Popnoodles Feb 21 '13 at 02:26
  • otherwise it is a good idea. – Popnoodles Feb 21 '13 at 02:32
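
The two points from the answers above, combined in an added example that is not part of the original posts: read the values from the array that matches the form's method, validate each colour channel as an integer from 0 to 255, and emit it with json_encode(). The helper names `color_channel` and `js_literal`, the `JSON_HEX_*` flags and the `$query` array standing in for `$_GET` are assumptions of this example.

```php
<?php
// Added example: helper names are hypothetical; the request data is constructed.

// Parse one colour channel: accept only an integer 0..255, otherwise use 0.
function color_channel(array $query, string $name): int
{
    $value = filter_var(
        $query[$name] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 255]]
    );
    return $value === false ? 0 : $value;
}

// Encode any PHP value as a JavaScript literal for use inside a <script> element.
// The JSON_HEX_* flags additionally hex-escape <, >, &, ' and ".
function js_literal($value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed stand-in for $_GET (the form uses method="get").
$query = [
    'color1r' => '255',
    'color1g' => '"; evil_session_hijacking_code(); "', // value quoted in the comments
    'color1b' => '',                                    // field left empty
];

// Pattern from the question: the submitted quote ends the JS string early.
$raw = 'var y = "' . $query['color1g'] . '";';

// Pattern from the answer: the value stays one inert string literal.
$encoded = 'var y = ' . js_literal($query['color1g']) . ';';

// Validated and encoded: only integers 0..255 ever reach the game code.
$validated = sprintf(
    'var x = %s, y = %s, z = %s;',
    js_literal(color_channel($query, 'color1r')),
    js_literal(color_channel($query, 'color1g')),
    js_literal(color_channel($query, 'color1b'))
);

echo $raw, "\n", $encoded, "\n", $validated, "\n";
```

Validation and encoding do different jobs here: the range check keeps the game's input meaningful, while json_encode() keeps whatever value is emitted from changing the structure of the script.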