-1

I know JavaScript is client-side and PHP is server-side but how do I get information from a database then use that information in a JavaScript function?

I'm using this for password change functionality.

function validateForm()
{
var oldpassword = document.forms["senhaform"]["oldpassword"].value;
var password = document.forms["senhaform"]["password"].value;
var password2 = document.forms["senhaform"]["password2"].value;

if (oldpassword==null || oldpassword=="")
  {
  alert("Please enter your current password.");
  return false;
  }
if (password==null || password=="")
  {
  alert("Please enter your new password.");
  return false;
  }
if (password2==null || password2=="")
  {
  alert("Please type your new password again.");
  return false;
  }

if (oldpassword==<?php echo $oldpassword; ?>)
  {
      if ( password!==null && password == password2 ) {
         <?php $con->runQuery("UPDATE CLIENTES
                        SET CLIENTES_PASSWORD='{$password}'
                        WHERE CLIENTES_EMAIL='{$_SESSION['USER']}'");
                        ?>
  alert("Your password was altered");
  return false;
      }
      else {
          alert("Your new passwords do not match.");
          return false;
      }
  }
  else 
  {
  alert("Your current password does not match our records.");
  return false;
  }
}
halfer
Gio

3 Answers

2

You're going to have to pull out some AJAX skills here.

http://api.jquery.com/jQuery.ajax/

Consider this page. It will teach you what you need.

Basically, you're going to have to call a function that references a script on your server that you can send get/post data to and have it return information in a format like JSON or plaintext. That's the way you should go about this!

eatonphil
1

To get that working, try this:

if (oldpassword === '<?php echo addslashes($oldpassword) ?>') {

What's happening here is that you are forgetting to use the quote marks that you'd normally use in JavaScript, and so you are getting a client-side syntax error.

Also, I've added addslashes so that if your password contains apostrophe or quote marks, it will still write out valid JavaScript. Try setting $oldpassword to contain one of those characters, and then view source to see what I mean.

Now, whilst that fixes your immediate problem, it's worth considering where $oldpassword comes from. Do you store that in your database? If so, you shouldn't. Passwords should be stored in a hashed and salted format, and not in plain text, so if your database is stolen (it does happen) then you have another layer of protection (and it will delay, if not stop, the thieves misusing the data).

It is true that you could have a salting and hashing routine in JavaScript, so that the above comparison can be made in JavaScript, but when you get to this level of complexity it is often better to hand off to the server. This is where AJAX comes in, which Matt suggests in the comments. This sends the contents of a form (old password and two new passwords) to the server, where the hashing checks can be made, and a result returned.

Certainly it is easier to do this in a standard form, so you can do without JavaScript entirely. But, if you want to do this client side, AJAX is probably the way to go.

halfer
  • It actually executes.. but then there's the issue of executing the script if they equal... Also viewing the page source you can see the password value.. could be a security issue. Thanks though. (Edit... a lot better after your edits. thanks for the info!) – Gio Jun 01 '13 at 14:11
  • 1
    _Also viewing the page source you can see the password value_ - indeed, but as I say, you shouldn't be storing the password in a retrievable form anyway - a much greater security problem. – halfer Jun 01 '13 at 14:14
  • 1
    True. The structure was that way already before I started messing with it. I'll bring that up. Thanks – Gio Jun 01 '13 at 14:17
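
The server-side check that the answer above describes (the old password compared against a salted hash in PHP, with a result returned to the AJAX caller), as an added example that is not part of the original question or answers. It assumes PDO, that CLIENTES_PASSWORD stores a password_hash() value rather than plain text, and a hypothetical function name changePassword; the in-memory SQLite rows are constructed sample data.

```php
<?php
// Added example, not code from the question or the answers.
// Assumption: CLIENTES_PASSWORD holds a password_hash() value, never plain text.
// changePassword() is a hypothetical helper name.

function changePassword(PDO $pdo, string $email, string $old, string $new, string $new2): array
{
    // Repeat the form checks on the server; client-side checks can be bypassed.
    if ($old === '' || $new === '' || $new !== $new2) {
        return ['ok' => false, 'error' => 'Fill in all fields; new passwords must match.'];
    }

    // Prepared statement: input is bound as data, never interpolated into the SQL.
    $stmt = $pdo->prepare('SELECT CLIENTES_PASSWORD FROM CLIENTES WHERE CLIENTES_EMAIL = ?');
    $stmt->execute([$email]);
    $hash = $stmt->fetchColumn();

    // password_verify() re-hashes $old using the salt embedded in $hash.
    // Nothing secret is ever echoed into the page source.
    if ($hash === false || !password_verify($old, $hash)) {
        return ['ok' => false, 'error' => 'Your current password does not match our records.'];
    }

    $upd = $pdo->prepare('UPDATE CLIENTES SET CLIENTES_PASSWORD = ? WHERE CLIENTES_EMAIL = ?');
    $upd->execute([password_hash($new, PASSWORD_DEFAULT), $email]);
    return ['ok' => true];
}

// Constructed demo data in an in-memory SQLite database (requires pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE CLIENTES (CLIENTES_EMAIL TEXT PRIMARY KEY, CLIENTES_PASSWORD TEXT)');
$pdo->prepare('INSERT INTO CLIENTES VALUES (?, ?)')
    ->execute(['user@example.com', password_hash('old-secret', PASSWORD_DEFAULT)]);

// In a real endpoint the e-mail would come from $_SESSION['USER'] and the
// three passwords from $_POST; the JSON below is what the AJAX call receives.
echo json_encode(changePassword($pdo, 'user@example.com', 'wrong', 'n3w-secret', 'n3w-secret')), "\n";
echo json_encode(changePassword($pdo, 'user@example.com', 'old-secret', 'n3w-secret', 'n3w-secret')), "\n";
```

The JavaScript side then only shows the returned message; it never receives the stored password or its hash.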
1

You need to make PHP parse the file this code is in. Either set your web server to parse .js files (or whatever extension you have) or move this code into a .php file that will be parsed, perhaps between script tags if it's HTML.

  • That's a good point. I assumed it was inline in a PHP page, but it's not clear that this is the case. – halfer Jun 01 '13 at 14:16
  • Well then your file either isn't being correctly parsed or (more likely) you are not setting $oldpassword correctly. Also keep in mind, using Ajax for this is unnecessary, slows down your page, and adds unnecessary complexity. –  Jun 01 '13 at 14:37