what is safe way to send php data to js?

Question

I want to know what is the safe method to send php data to js. I found by search to start php tags in js and pass data by this way.

  var jsVar = "<"+"?php echo $phpVar;"+"?"+">";

But it seems a dangerous way to pass data exposing threats. I want to know whats alternative way to do same that is safe.

I'd say JSON, if you make an AJAX call to fetch the variable. — Jorge Guberte, Nov 23 '10 at 08:11
@Fred Indeed! At least the values aren't explicitly exposed... — Jorge Guberte, Nov 23 '10 at 08:17
Me thinks that if you need the data that you're sending to be secure, you shouldn't be using AJAX, but SSL with encryption. Just a thought. — Fred, Nov 23 '10 at 08:22

Will Vousden · Accepted Answer · 2015-07-29T09:01:51.707

I'm not entirely sure what you mean by "safe", but if I understand your question correctly, you can inject data from PHP directly into your JavaScript using json_encode:

var jsVar = <?php echo json_encode($phpVar) ?>;

If all you want to do is to inject actual PHP source code into your script, then just print it as a string:

var jsVar = "<?php echo '<?php echo $phpVar ?>' ?>";

I can't imagine this is what you mean though, as I can't think of a reason for wanting to do this :)

score 3 · Answer 2 · answered Nov 23 '10 at 08:24

I want to know whats alternative way to do same that is safe.

I'm not sure what you mean by "safe", but you have to assume that any data you send to the client's browser can and will be viewed by a sufficiently-motivated user. You can secure the data from prying eyes in transit (by using SSL, e.g., https), but the client user's browser needs to be able to read the data, which means the client user can too.

You can raise the bar slightly (for instance, by obfuscating the data you embed in the page, by supplying it only in response to an Ajax call, etc.), but with today's 'net and web tools (which are increasingly just embedded in browsers) a sufficiently-motivated user will get around the precautions you take (by stepping through your code and looking at the variable you store the de-obfuscated data or the data from the Ajax response in, for instance).

If you want to raise the bar further, you can require a plug-in like Flash or Java and send obfuscated (or even encrypted) data to your flash app / Java applet and de-obfuscate / decrypt it within the app / applet. But that just raises the bar to the level of someone with debugging tools for Flash or Java.

Probably not worth the bother, I bet you have better things to do. :-)

If you don't want the user to see the data in question, don't send it to them, keep it on your server where it's safe and have the browser ask for only the information it's actually allowed to show the user.

score 1 · Answer 3 · answered Nov 23 '10 at 08:12

1

json_encode is the best way to sent back.

echo json_encode($phpVar)

answered Nov 23 '10 at 08:12

ArK

20,698
67
109
136

score 1 · Answer 4 · edited May 23 '17 at 10:24

1

If its your data coming from your database this is pretty safe. The problem occurs when you are storing and re-displaying data entered by the user. In which case you need to ensure that there is no possibility of executabe javascript being embedded in the data. Removing or escaping '"{}();+-/* and thier hex equvalents should do it.

You could use json_encode as suggested in answer this

edited May 23 '17 at 10:24

Community

1
1

answered Nov 23 '10 at 08:25

James Anderson

27,109
7
50
78

what is safe way to send php data to js?

4 Answers4