Pass vars from php to js without ajax

Question

Lets say I have a php page... I want the javascript in that page to access some user information variables (after logged in), such as userid, email, etc. If I use ajax, then it will take an extra half second, because the page has to load, then wait for ajax to go get those variables, so I'd rather embed it in the page, but that seems questionable as far as security to embed an email in the source.

Here are my options can you think of a better way?

1 - Embed the data into the php on the first request

<html>
<script>
    user_email='<?php echo $user_email; ?>';
</script>

2 - Have data load separately from a js/php file so its not in original page source

<html>
<script src="userdata.js.php"></script>

--- userdata.js.php ---

user_email='<?php echo $user_email; ?>';

3 - Request data via ajax after page loads (would be slower)

<html>
<script>
$(function(){
  $.post('getuserdata.php',[],function(result){
     userdata=result;
  });
});
</script>

Answer 1

Another option that you might consider is using JSONP to asynchronously call a function once the AJAX loads.

HTML

<script type="text/javascript">
    function handle_response(response)
    {
        // do whatever you want with the response
        // you get a json object here that looks like
        // { id: 1, username: 'jimmy' }
    }
</script>
<script type="text/javascript src="/path/to/ajax/script.php"></script>

script.php

<?php
   $arr = array('id' => 1, 'username' => 'jimmy');

   $param = json_encode($arr);

   header("Content-type: text/javascript");
   echo "handle_response({$param})";
   exit;

So now, once that valid javascript from script.php finishes loading it immediately calls your function that you defined client-side. This keeps your information out of the initial HTML source and you could even put that script behind an https without doing that for the rest of the site.

Answer 2

I always use the first step

var myvar = <?php echo $myvar; ?>;

Answer 3

People are rather accustomed with ajax nowadays and a circle saying loading, is not that uncommon. On the other hand if you can embed the data that's just as good. Making a separate file is even better. You should be careful what kind of info you give out though, you could use SSL to make it more secure.

All three are viable... depends on who you're trying to protect the data from. The user that called the page will have access to the information one way or another... so go for the more reliable implementation.

Answer 4

I don't like embedding information in the page for security reasons. At some point in time it is just going to be too easy to store something that shouldn't be there. You have two decent options that occur off the top of my head:

1. Perform the ajax call during the page load (body onload=ajax call) (more secure)

2. Store them in the cookie for the site (less secure)

I typically use option #1.

Answer 5

seems questionable as far as security to embed an email in the source.

Retrieving the email via ajax vs embedding it directly in the source suffer from the same security problem: someone sniffing traffic could get the email. To avoid this you would need to either

1. Figure out a way to not send the email to the client in the first place.
2. Only send the email address to the client over https

I imagine lots of websites just punt on this issue and send the email to the client unencrypted.