3

I am passing two pieces of info to a php page using the $_GET method (team1, team2). I'd like to use these as variables in some javascript. How can I do this?

Thanks

Jono
  • 195
  • 2
  • 3
  • 13
  • 3
    Just wanted to point out that all the examples here are allowing for major security holes. – Evert Mar 15 '11 at 12:59
  • be very very careful about using most of the answers here. Most of them are really insecure. Read the comments on the answers as well. – Spudley Mar 15 '11 at 14:29

7 Answers

8

Since $_GET just accesses variables in the querystring, you can do the same from javascript if you wish:

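<script>
var $_GET = populateGet();

// Build an object of decoded query-string parameters from the current URL
function populateGet() {
  var obj = {}, params = location.search.slice(1).split('&');
  for(var i=0,len=params.length;i<len;i++) {
    if (!params[i]) continue; // no query string, or an empty pair such as "a=1&&b=2"
    var eq = params[i].indexOf('=');
    var key = eq === -1 ? params[i] : params[i].slice(0, eq);
    var val = eq === -1 ? '' : params[i].slice(eq + 1); // keep any further '=' in the value
    obj[decodeURIComponent(key)] = decodeURIComponent(val);
  }
  return obj;
}
</script>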
Martin Jespersen
  • 25,743
  • 8
  • 56
  • 68
1

Original answer:

In your .php file.

<script type="text/javascript"> 
  var team1, team2; 
  team1 = <?php echo $_GET['team1']; ?>; 
  team2 = <?php echo $_GET['team2']; ?>; 
</script>

Safer answer:

Didn't even think about XSS when I blasted this answer out. (Look at the comments!) Anything from the $_GET array should be escaped, otherwise a user can pretty much insert whatever JS they want into your page. So try something like this:

<script type="text/javascript"> 
  var team1, team2; 
  team1 = <?php echo htmlencode(json_encode($_GET['team1'])); ?>; 
  team2 = <?php echo htmlencode(json_encode($_GET['team2'])); ?>; 
</script>

From here http://www.bytetouch.com/blog/programming/protecting-php-scripts-from-cross-site-scripting-xss-attacks/.

More about XSS from Google http://code.google.com/p/doctype/wiki/ArticleXSSInJavaScript.

Cheers to the commenters.

Nick Pyett
  • 3,338
  • 1
  • 23
  • 27
1

Make sure you use something like htmlentities to escape the values so that your application is not susceptible to cross-site scripting attacks. Ideally you would validate the variables to make sure they're an expected value before outputting them to the page.

<script type="text/javascript"> 
  var team1 = '<?php echo htmlentities($_GET['team1']); ?>'; 
  var team2 = '<?php echo htmlentities($_GET['team2']); ?>'; 
</script>
Randy H.
  • 616
  • 5
  • 8
  • 1
    good to see someone escaping the values in some way; there's too many answers here that are just really bad... but since we're outputting Javascript, we should be escaping it as Javascript, not HTML. Use `json_encode()` instead of `htmlentities()`. – Spudley Mar 15 '11 at 14:26
  • json_encode is used to convert arrays to JSON. Also, by default it does not escape anything except double quotes, which will still allow more sophisticated XSS attacks. Bottom line, do not output any user inputted data unless it's properly validated or every potentially unsafe value has been escaped. – Randy H. Mar 15 '11 at 15:40
  • The values are gathered via a drop down list, so that's somewhat secure right? – Jono Mar 16 '11 at 08:57
  • @Jono Since these are GET values, i.e., directly accessible in the URL, anyone can easily change them and pass in whatever they want, including javascript code that will execute on your page if you do not escape it. The reason this is a huge security risk is because someone could send a link to one of your users that has some code hidden in it and then steal information or perform other actions on your site with that person's credentials. There's a great explanation of [cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting) on Wikipedia if you would like more information. – Randy H. Mar 16 '11 at 13:31
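
An added example, not part of any answer on this page, combining the two measures raised in this thread: validating each value against the expected set and escaping for the JavaScript context rather than the HTML one. The `TEAMS` list and the helper names `team_from_query` and `js_literal` are assumptions made for illustration; the `JSON_*` flags are standard `json_encode()` options.

```php
<?php
// Constructed allow-list: the page only says the values come from a drop-down,
// so these team names are placeholders for whatever that list contains.
const TEAMS = ['Arsenal', 'Chelsea', 'Leeds United'];

// Hypothetical helper: return the parameter only if it is one of the expected strings.
function team_from_query(array $query, string $key): ?string
{
    $value = $query[$key] ?? null;
    // A request such as team1[]=x makes $value an array, so check the type first.
    if (!is_string($value) || !in_array($value, TEAMS, true)) {
        return null;
    }
    return $value;
}

// Hypothetical helper: encode any value as a JavaScript literal for an inline script.
function js_literal($value): string
{
    // The JSON_HEX_* flags emit <, >, &, ' and " as \uXXXX escapes, so the literal
    // cannot end the surrounding script element or break out of a quoted string.
    // JSON_THROW_ON_ERROR (PHP 7.3+) raises an exception instead of printing nothing.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}
?>
<script type="text/javascript">
  // Each variable is either a known team name or null; there are no quotes around
  // the PHP tags because json_encode() supplies them.
  var team1 = <?php echo js_literal(team_from_query($_GET, 'team1')); ?>;
  var team2 = <?php echo js_literal(team_from_query($_GET, 'team2')); ?>;
</script>
```

With this in place a request whose `team1` is not on the list renders `var team1 = null;`, and a string passed straight to `js_literal()` comes out with `<` and `>` as `\u003C` and `\u003E`.
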
0
<script type="text/javascript">
  var team1 = <?php echo $_GET['team1'] ?>;
  var team2 = <?php echo $_GET['team2'] ?>;
</script>
Jan Zyka
  • 17,460
  • 16
  • 70
  • 118
0

The other methods are kind of dirty, and there can be some problems. You're better off just using javascript:

<script>
function get_data(name){
  name = name.replace(/[\[]/,"\\\[").replace(/[\]]/,"\\\]");
  var regexS = "[\\?&]"+name+"=([^&#]*)";
  var regex = new RegExp(regexS);
  var results = regex.exec(window.location.href);
  if(results == null) return "";
  else return results[1];
}

var var1 = get_data('var1');
var var2 = get_data('var2');
</script>

But this still isn't super secure.

Another way of doing this, which I just thought of, is to print the $_GET array. I don't know if that would work, though. Anyway, if it does, then here it is:

<script>
    var _get = <?php print_r($_GET); ?>

    var team1 = _get['team1'];
    var team2 = _get['team2'];
</script>

And you would want to run array_walk (or something like that) on a function to clean each string.

Tanner Ottinger
  • 2,970
  • 4
  • 22
  • 28
0

Another way to do this with javascript:

var team1 = $_GET('team1');

function $_GET(q,s) {
        s = s ? s : window.location.search;
        var re = new RegExp('&'+q+'(?:=([^&]*))?(?=&|$)','i');
        return (s=s.replace(/^\?/,'&').match(re)) ? (typeof s[1] == 'undefined' ? '' : decodeURIComponent(s[1])) : undefined;
} 
soju
  • 25,111
  • 3
  • 68
  • 70
-1

Make sure your $_GET vars are available and not empty and use the following:

<script type="text/javascript">
    var team1 = <?php echo $_GET['team1']; ?>;
    var team2 = <?php echo $_GET['team2']; ?>;
</script>
Aaron W.
  • 9,254
  • 2
  • 34
  • 45