PHP & Javascript: Unsecure?

Question

Is it unsecure to embed PHP code in a javascript function? My friend told me not to do it.

My script just inserts a number in the database if the message has been clicked (read).

<!--Insert into database when click-->
<script>
    function insert()
    { 
        <?php
        include 'db_connect.php';
        $usermsg = $_SESSION['username'];
        $message_id = $_GET['messageid'];
        mysql_query("UPDATE messages SET message_read='1' WHERE id='$message_id' AND to_user='$usermsg'");
        ?> 
    }
</script>

Should i do this any otherway? Or drop including php & mysql in my script and start over?

Answer 1

Your friend probably told you not to do it because it makes no sense whatsoever.

PHP is a preprocessing language whose parser runs on the webserver. The result of running PHP is the HTML/Javascript that your browser sees. Your PHP does not output anything (merely silently performing the SQL query whilst your HTML/Javascript page is being generated), so the Javascript that your browser sees is:

<script>
    function insert()
    { 
    }
</script>

PHP cannot be "inside" a Javascript function at all. There is no such concept.

Instead, consider an HTML form, or read up about "AJAX" when you're slightly more familiar with the web technologies heirarchy.

Answer 2

If you try that code, it won't even work that way. You cannot embed server side code in javascript function.

What you want is to make a sepearate request that will handle the request. This method is called AJAX. With jQuery library you can make AJAX POST request like this:

<script>
    function insert()
    { 
       //Example: Request the test.php page and send some additional data along (while still ignoring the return results).
       $.post("test.php", { messageid: "1" } );
    }
</script>

In test.php:

<?php 

  //Get Post Variables. The name is the same as 
  //what was in the object that was sent in the jQuery

  if (isset($_POST['messageid'])) {
      include 'db_connect.php';
      $usermsg = $_SESSION['username'];
      $message_id = $_POST['messageid'];
      mysql_query("UPDATE messages SET message_read='1' WHERE id='$message_id' AND to_user='$usermsg'");
  }

?>

Read the Beginners Guide to Using AJAX with jQuery

And don't forget to use parametrized sql to prevent sql injection attacks as this code in its current state is vulnurable.

Answer 3

It's insecure in that it's entirely possible for PHP to insert some text into the page that breaks the javascript. e.g.

<?php
    $name = "O'Brien";
?>

<script type="text/javascript">
   var name = <?php echo $name ?>;
</script>

This would produce:

   var name = O'Brien;

which is illegal JS syntax. You're assigning an undefined variable O, which is immediately followed by an unterminated string literal 'Brien. Surrounding this with quotes in the PHP page accomplishes nothing either:

  var name = '<?php echo $name ?>';
             ^                   ^-- added quotes

which now gives

  var name = 'O'Brien';

Now you've got a slightly different problem: Assigning a perfectly valid string literal 'O', followed immediately by an undefined variable Brien, followed by an unterminated string literal ';.

The proper way to have PHP output text into a JS code block safely is to use json_encode:

 var name = <?php echo json_encode($name) ?>;

which produces:

 var name = "O'Brien";

and off you go.

Answer 4

PHP/MySql runs on the web server. Javascript runs on the browser.

You should also think that anything that comes from the browser may be faked - therefore should validate/verify it. Javascript just makes the users experience more interactive as it does not require communication across the network. Use AJAX or forms to do the comms.