38

I've tried (but it's not working):

<?php  
  $htmlString= 'testing';
?>
<html>
  <body>
    <script type="text/javascript">  
      var htmlString=<?php echo $htmlString; ?>;
      alert(htmlString);
    </script>
  </body>
</html>

Here is the tutorial that I've used for that purpose:

Brett DeWoody
Ben

7 Answers

67

Try this:

<?php $htmlString= 'testing'; ?>
<html>
  <body>
    <script type="text/javascript">  
      // notice the quotes around the ?php tag         
      var htmlString="<?php echo $htmlString; ?>";
      alert(htmlString);
    </script>
  </body>
</html>

When you run into problems like this one, a good idea is to check your browser for JavaScript errors. Different browsers have different ways of showing this, but look for a JavaScript console or something like that. Also, check the source of your page as viewed by the browser.

Sometimes beginners are confused about the quotes in the string: In the PHP part, you assigned 'testing' to $htmlString. This puts a string value inside that variable, but the value does not have the quotes in it: they are just for the interpreter, so it knows: oh, now comes a string literal.

Daren Thomas
  • 1
    @inf3rno, if it's wrong, we should fix it! can't let a wrong answer here... what exactly is wrong? (I'm assuming you're objecting to the last paragraph... hm... kinda hard to explain this to a beginner - do you have a better take?) – Daren Thomas Jun 27 '13 at 08:04
  • @inf3rno, oh... I just saw your own answer. Hm... you have a point there... except, I think that for the level OP is ATM, it's a bit TMI. He seems to not have got his head wrapped around some basic stuff yet. – Daren Thomas Jun 27 '13 at 08:08
  • 3
    It's easy to explain, if you want to inject string to javascript code, you have to escape it for javascript... json_encode does that... It is very similar to sql injection prevention, but there you have to escape for sql... – inf3rno Jun 27 '13 at 08:13
  • it goes wrong when php variable contains ' mark. like "person's" – Satanand Tiwari Oct 26 '17 at 09:19
  • is this still valid AND **is this secure??** – oldboy Mar 31 '18 at 18:53
31

You're missing quotes around your string:

...
var htmlString="<?php echo $htmlString; ?>";
...
John Conde
13

All the explanations above don't work if you work with .js files. If you want to parse PHP into .js files, you have to make changes on your server by modifying the .htaccess in which the .js files reside using the following commands:

<FilesMatch "\.(js)$">
    AddHandler application/x-httpd-php .js
</FilesMatch>

Then, a test.js file containing the following code will execute .JS on client side with the parsed PHP on server-side:

<html>
<head>
<script>
function myFunction(){
   alert("Hello World!");
}
</script>
</head>
<body>
<button onclick="myFunction()"><?php echo "My button";?></button>
</body>
</html>
JLavoie
10

The only proper way to put server side data into generated javascript code:

<?php $jsString= 'testing'; ?>
<html>
  <body>
    <script type="text/javascript">      
      var jsStringFromPhp=<?php echo json_encode($jsString); ?>;
      alert(jsStringFromPhp);
    </script>
  </body>
</html>

With simple quotes the content of your variable is not escaped against HTML and javascript, so it is vulnerable to XSS attacks...

For similar reasons I recommend using document.createTextNode() instead of setting the innerHTML. Ofc. it is slower, but more secure...

inf3rno
  • 2
    Technically it's not the *only* way, but it's certainly a safe way. That said, one shouldn't be building JavaScript with PHP to begin with. – zzzzBov Jun 27 '13 at 04:54
  • It depends on what kind of data you would like to send. The html unicode characters are not the same as the javascript unicode characters so you have to transform them... Another way is to use REST services and a proper client side library to handle requests, for example extjs or backbone. Btw. you have to use json_encode in that case too... – inf3rno Jun 27 '13 at 05:05
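
An added example, not part of any answer on this page (PHP 7.3+ assumed): it compares the quoted-echo approach with json_encode() on a few constructed values and reports which output still forms a single JavaScript string literal. The function names js_literal_naive and js_literal_encoded are hypothetical, and the JSON_HEX_* flags go one step beyond the bare json_encode() call in the answer by also hex-escaping <, >, &, ' and ".

```php
<?php
// Added example: all sample values are constructed for illustration.
declare(strict_types=1);

/** Quoted-echo approach: wrap the raw value in double quotes, no escaping. */
function js_literal_naive(string $value): string
{
    return '"' . $value . '"';
}

/** json_encode approach; JSON_HEX_* also hex-escapes <, >, &, ' and ". */
function js_literal_encoded(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

$samples = [
    'testing',
    "person's",
    'He said "hi"',
    "line one\nline two",
    'a </script> b',
];

foreach ($samples as $value) {
    $naive   = js_literal_naive($value);
    $encoded = js_literal_encoded($value);

    // The encoded literal must decode back to exactly the original value.
    $roundTrip = json_decode($encoded, false, 512, JSON_THROW_ON_ERROR) === $value;

    // A double-quoted JS literal is broken by an unescaped ", backslash or
    // line break, and the script element is closed early by "</script".
    $naiveBroken = preg_match('/["\\\\\r\n]|<\/script/i', $value) === 1;

    printf(
        "value:   %s\nnaive:   var s=%s;  <- %s\nencoded: var s=%s;  <- round-trips: %s\n\n",
        json_encode($value),
        $naive,
        $naiveBroken ? 'breaks the script' : 'ok',
        $encoded,
        $roundTrip ? 'yes' : 'no'
    );
}
```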
7

you need quotes around the string in javascript

var htmlString="<?php echo $htmlString; ?>";
second
0

As others have pointed out you need the quotes, but I just want to point out that there's a shorthand method of writing this same line of code

var htmlString="<?=$htmlString?>";

See you can leave out the "php echo" stuff and replace it with a simple "=".

Vincent
-1

Let's see both the options:

1.) Use PHP inside Javascript

<script>
    <?php $temp = 'hello';?>
    console.log('<?php echo $temp; ?>');
</script>

Note: File name should be in .php only.

2.) Use Javascript variable inside PHP

<script>
  var res = "success";
</script>
<?php
   echo "<script>document.writeln(res);</script>";
?>
Muthukumar