0

Currently I am using this small php script to eval the javascript on a page.

EDIT

Note: this is working, I just want to avoid using php to change part of the javascript

 <script type="text/javascript">
 <?php 
        include 'n1.inc';
        if (isset($_GET['resultado']))
        {       
            if($_GET["resultado"] != null){
                echo $_GET['resultado'];
            }
        }
        include 'n2.inc';
 ?>
 </script>

I know that it is possible to read the querystring with only javascript as it was already demonstrated in the following questions:

How can I get query string values in JavaScript?

JavaScript query string

I have tried with:

<script src="n1.js"></script>
<script> eval(someQueryStringFunction()); </script>
<script src="n2.js"></script>

it gives an error as the values on the querystring should be in the middle of the function.

If you want to look at the n1.js and n2.js feel free to look at https://github.com/kyllopardiun/MapaColoracao

Community
  • 1
  • 1
Mansueli
  • 6,223
  • 8
  • 33
  • 57
  • 1
    just don't use eval. lookinto requirejs or a simple "dom script adder" and review basic JS conditionals. – dandavis Dec 10 '13 at 20:27
  • 2
    1. Don't use `eval`. 2. What the hell is this code even doing (besides including the files)? All it does is `echo`-ing `null`. – Ingo Bürk Dec 10 '13 at 20:27
  • I get one part of one javascript function via querystring. So what this code does is: 1. include the first part of the function 2. Get the result to be included via querystring 3. include the last part of the function – Mansueli Dec 10 '13 at 20:30
  • 2
    You can't split and merge your JavaScript files like that. They are evaluated individually within the `` tags. In other words, you can't begin a `{` in n1.js and close it in n2.js. They must be completely self sufficient, syntactically correct/complete files. – Brandon Boone Dec 10 '13 at 20:30
  • 1
    Why are you trying to include Javascript code into PHP code? If you want to do that, they need to be wrapped in ` – devnull69 Dec 10 '13 at 20:33
  • @BrandonBoone, so If I put the eval and the rest all in the same **** will it work? – Mansueli Dec 10 '13 at 20:33
  • Also, PHP and JS are different languages: PHP is run on the server, JS on the client. It looks like you have absolutely no idea of any of those languages. Please start again with basics. – Ingo Bürk Dec 10 '13 at 20:33
  • I know the differences, and I know that what I did was a tricky and ugly workaround. I use the fact that php run on the server to change part of the javascript code, by getting the values in the querystring. – Mansueli Dec 10 '13 at 20:36
  • Not sure since I don't know what the result of your `eval` would be, but I would definitely start by combining your files. – Brandon Boone Dec 10 '13 at 20:39
  • Since you're claiming your current version is working: What exactly is that PHP code doing? I mean in detail. Because to me it makes absolutely no sense. I'm not doubting that it works – just that the PHP part actually does anything. – Ingo Bürk Dec 10 '13 at 20:42
  • This page gets via querystring the answer to the map colouring problem. (https://en.wikipedia.org/wiki/Four_color_theorem). As that I receive an amount of javascript code that have all the information about Nodes and Edges to display the graph (then javascript is printed in the middle of the function which renders the graph visually). And the user can see the graph with the colours remapped. – Mansueli Dec 10 '13 at 20:51
  • But the only time `$_GET['resultado']` is going to be `echo`d is when it is `null`. What's the point of that? – Ingo Bürk Dec 10 '13 at 21:03
  • I am sorry, it is meant to do the opposite, I corrected it in the question. – Mansueli Dec 10 '13 at 21:07

1 Answers1

0

Passing javascript in a query string will simply not work atall. Javascript will contain characters that are not allowed in a querystring.

As mentioned above requirejs will allow you to embed javascript files into the page DOM.

eval is quite a serious security risk and not recomended for security reason. There's plenty of articles on why eval is evil.

Captain John
  • 1,859
  • 2
  • 16
  • 30
  • I used **document.location=("index_.php?resultado="+encodeURIComponent(jResult));** And there was no problem in getting those lines of code. – Mansueli Dec 10 '13 at 21:01
  • 1
    Yes that will encode your urlParameter. Not sure what your situation is, suggest you add a URL param then use a switch statement to run the correct code on your actual page. There are fewer security risks this way. – Captain John Dec 10 '13 at 21:07