-1

I have an html/php composite document that uses the login variable from a user. (This came from a separate php file on signin):

    <html> Welcome <?php echo $login; ?> </html>

Now when the user uses the chatbox and clicks send, I would like to pass the data (inclusive of the username) from this HTML file to the .js so it can in turn pass it on to another PHP file. (PS: I tried the following but to no avail, as the .js file is external to the html/php composite):

    // triggers script to send the message
    $("#newMsgSend").click(function () {
        $("#newMsgCnt").val(''); // clears the box when the user sends a message
        // this lives in an external .js file, so the PHP tag is never processed
        // and the string literal stays exactly as written
        var username = "<?php echo $login; ?>";
        alert(username);
    });

3 Answers

3

Your current code is likely introducing an XSS vulnerability. Instead, take advantage of the fact that valid JSON is valid JavaScript:

    var username = <?php echo json_encode($login); ?>;

In some situations, it may also be better to use an XMLHttpRequest or WebSocket that requests the data from another URL (typically encoded as plain text, XML or JSON). One scenario for that would be notifying the user once new items have been added after the user loaded the webpage.

phihag
  • Besides XSS, a tab within the string would break your page – Ruan Mendes May 06 '16 at 21:45
  • @Juan Mendes How so? [Here's the rendered page with a tab](https://jsfiddle.net/phihag/abqk6g7h/), works fine for me. – phihag May 06 '16 at 21:49
  • Actually he's right. It did break my script for some reason lol – Dahker Furm May 06 '16 at 22:05
  • @phihag I didn't mean that your solution will break with tabs, I meant that using `json_encode` is not just to prevent XSS, it also properly encodes tabs, quotes and the like. The user doesn't have to be doing something malicious to cause a problem. – Ruan Mendes May 07 '16 at 14:34
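An added example (not code from phihag's answer) that puts the naive embedding from the question beside the `json_encode()` form, for an inline `<script>` block in the PHP-rendered page. The constructed sample usernames are not from the page, and `$login` is assumed to be the value set at sign-in. The `JSON_HEX_*` flags are a caveat worth knowing: plain `json_encode()` yields a valid JS string, but without them a value containing `</script>` still ends the script element when the browser parses the HTML.

```php
<?php
// Added example, not part of the original answer. $login is assumed to come
// from the sign-in script, as in the question.

// Naive form from the question: the raw value is pasted into a JS string literal.
function embed_naive(string $login): string
{
    return 'var username = "' . $login . '";';
}

// Hardened form: valid JSON is valid JavaScript, and the HEX flags additionally
// escape < > & ' " so the output can neither close the surrounding <script>
// element nor break out of an enclosing HTML attribute.
function embed_safe(string $login): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $json = json_encode($login, $flags);
    if ($json === false) {
        // json_encode() returns false on invalid UTF-8; never emit a half-built literal.
        throw new RuntimeException('login is not valid UTF-8: ' . json_last_error_msg());
    }
    return 'var username = ' . $json . ';';
}

// Constructed sample usernames (not from the page). Each one breaks the naive form.
$samples = [
    'alice',
    "bob\tsmith",                                 // control character in the literal
    'eve"; alert(document.cookie); //',           // terminates the string literal early
    'mallory</script><script>alert(1)</script>',  // closes the script element itself
];

foreach ($samples as $login) {
    echo "naive: " . embed_naive($login) . "\n";
    echo "safe:  " . embed_safe($login) . "\n\n";
}
```

In the page itself this becomes `<script><?php echo embed_safe($login); ?></script>`; the third sample then renders as `var username = "mallory\u003C\/script\u003E...";`, which the HTML parser no longer sees as a closing tag and which JavaScript decodes back to the original string.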
0

When the user logs in, create a session for that user and populate it with the data (such as username, email, phone number or whatever) from the database, as follows (assuming that the login is correct and authentic):

    $_SESSION['user'] = $row; // where $row is the row of data returned from the db

Then whenever you want to access that information include the following at the top of the page:

    session_start();

and then access the information such as

    $userfirst_name = $_SESSION['user']['first_name'];

then your html will be something like:

    <h1> Welcome <?php echo "$userfirst_name"; ?> </h1>

Note that session_start() must be at the top of each page on which you want to access the session variables. Then to clear the user details (such as when the user logs out) you can use the following:

    unset($_SESSION["user"]);
gavgrif
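An added example, not gavgrif's code, that carries the session steps above through sign-in, page access and logout in one place. `$row` is assumed to be the user's database row with at least `id`, `first_name` and `login` columns; the `?array` return type needs PHP 7.1 or later. Two points it adds to the answer: the session id is regenerated at login so an id issued before authentication cannot be reused, and only the needed fields are copied rather than the whole row, which keeps the password hash out of the session store.

```php
<?php
// Added example, not from the original answer. $row is assumed to be the
// user's database row (id, first_name, login).

function ensure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Sign-in script, after the password check has succeeded.
function start_user_session(array $row): void
{
    ensure_session();
    session_regenerate_id(true);   // fresh id: a session id issued before login cannot be reused
    // Copy only the fields the pages need; storing the whole $row would put the
    // password hash and anything else in the table into the session store.
    $_SESSION['user'] = [
        'id'         => $row['id'],
        'first_name' => $row['first_name'],
        'login'      => $row['login'],
    ];
}

// Any page that needs the signed-in user.
function current_user(): ?array
{
    ensure_session();
    return $_SESSION['user'] ?? null;
}

// Logout script.
function end_user_session(): void
{
    ensure_session();
    unset($_SESSION['user']);
    session_destroy();             // drops the server-side record, not just the array key
}

// Page body (constructed usage): redirect anonymous visitors, escape what is printed.
$user = current_user();
if ($user === null) {
    header('Location: /signin.php');
    exit;
}
echo '<h1>Welcome ' . htmlspecialchars($user['first_name'], ENT_QUOTES, 'UTF-8') . '</h1>';
```

Because `current_user()` starts the session itself, the page no longer depends on remembering `session_start()` at the top, and the `htmlspecialchars()` call on output means a display name is rendered as text rather than markup.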
-2

Thanks to both: Ivan Rodriguez Torres and phihag. I got a solution somewhere in the middle of both posts:

    <input id="login" readonly type="text" <?PHP echo "value= '$login'/>"; ?>

Ivan's suggestion was somehow returning an "undefined" variable for me. The above works like a charm though. Hope it's safe and doesn't lead to any problems.

Thanks again guys

  • If you are using this as part of a form, you will need a name attribute, as this will not be included in the form as it is. Also your echo is in the wrong place; you don't need the value= part inside the echo, it makes for less readability in the code. It should be value="" and then close the input outside of the PHP .../>; – gavgrif May 07 '16 at 00:20
  • You must be kidding me that you went with this option after a great suggestion by phihag, your code is susceptible to XSS. – Ruan Mendes May 07 '16 at 14:37
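An added example (not the asker's or either commenter's code) of the approach the asker settled on, done with attribute escaping. Since the external chat.js cannot contain PHP tags, the page hands the value to it through the DOM; writing it with `htmlspecialchars()` and `ENT_QUOTES` means a username containing a quote cannot end the attribute the way the unescaped `value='$login'` form allows. The sample values are constructed, and the `chat.js` snippet in the trailing comment is a hypothetical external file.

```php
<?php
// Added example, not from the original page. $login is assumed to be the
// signed-in user's name as set by the sign-in script.

function login_field(string $login): string
{
    // ENT_QUOTES escapes both ' and ", ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning an empty string.
    $escaped = htmlspecialchars($login, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // Hidden field: not shown in the form, and name= so it is posted with the message.
    return '<input type="hidden" id="login" name="login" value="' . $escaped . '">';
}

// Constructed sample values, not from the page.
$samples = [
    'alice',
    "dan' onfocus='alert(1)",            // would escape a single-quoted attribute
    'eve"><script>alert(1)</script>',    // would escape a double-quoted attribute
];

foreach ($samples as $login) {
    echo login_field($login), "\n";
}

// In the external chat.js (hypothetical file) the browser has already decoded
// the entities, so the script reads the original username back untouched:
//
//   $("#newMsgSend").click(function () {
//       var username = document.getElementById("login").value;
//       $("#newMsgCnt").val("");
//       // post username and message to the server-side handler here
//   });
```

The second sample renders as `value="dan&#039; onfocus=&#039;alert(1)"`, so it stays a plain attribute value. The receiving PHP script should still take the user's identity from `$_SESSION` rather than from the posted `login` field, since anything in the form can be edited client-side.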