4

I have a question about Safety. I have a Javascript variable:

var toSearch = "something"

I want to send this variable to another php page. I'm using sessions: <?php session_start(); ?>

From what I've read I need to use an AJAX GET/POST procedure to pass this javascript client side variable to PHP server side.

I know it's possible to do this with:

window.location.href = "myphpfile.php?name=" + javascriptVariable;

then $_GET['name'] the variable. I've read that this isn't safe? Is it?

5
  • So, you want to send the variable 'toSearch' to PHP, then direct them to the page that PHP responds with? Commented Nov 25, 2012 at 1:13
  • Before considering safety, consider whether security is necessary enough in your context to do the extra work. Commented Nov 25, 2012 at 1:14
  • Using AJAX or using a JS redirect would have the same security concerns since both are being done client-side. Commented Nov 25, 2012 at 1:16
  • If you know how to properly manage an AJAX request, security issues are minimal. Try sending random tokens to your PHP page which are stored in the session. If the sent token doesn't match the session token, die('error'); Commented Nov 25, 2012 at 1:25
  • Thanks - I think I'm going to go with the 'passing search in URL' then read up about the points Kolink has made below. Otherwise if I had a variable that I needed to change get to a php variable could someone offer a clear example? Commented Nov 25, 2012 at 1:28

3 Answers

2

It's only unsafe depending on what you do with it. Anyone can type whatever they like in the address bar, and you have no control over that. For instance, I could go to

http://example.com/myphpfile.php?name=fuzzball

Now, that's not a danger in itself, but if I were to put some MySQL code and you were placing this directly in a MySQL database with no sanitisation, then it's dangerous. If I put in HTML which you then display to other users, then it's dangerous.

All you have to do is remember that while GET and POST aren't dangerous, they cannot be trusted to be what you expect them to be, therefore you should make sure that they are on the server side, where it can be trusted.


3 Comments

Thanks - so when you say "MySQL database with no sanitisation" what core points are there?
Sae Us: do a Google search, php: htmlspecialchars and php: mysql_real_escape_string. They will do pretty much everything you need. Another good PHP method is trim()
htmlspecialchars and php: mysql_real_escape_string aren't 100% safe, nor would I consider them "good enough", because of the danger in sending non-UTF-8 characters (another SQL injection attack vector). I recommend converting to UTF-8, then applying mysql_real_escape_string before inserting the variable into a query. Even better, use PDO. php.net/manual/en/book.pdo.php This post has more good info: stackoverflow.com/questions/5139127/php-sql-injection-utf8-poc
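Kolink's point that the value has to be checked on the server, together with the PDO and UTF-8 advice in the comments, as an added worked example (this is not code from the question or from any answer). It assumes PDO with the SQLite driver and the mbstring extension are available; the users table, its rows and the stand-in for $_GET are constructed for the demo, and the helper names are my own:

```php
<?php
// Added example: handling an untrusted GET parameter in three layers.
// Assumes PDO + pdo_sqlite and mbstring. Table, rows and $fakeGet are constructed.

declare(strict_types=1);

// Layer 1: read the parameter without trusting it. Missing -> empty string.
function readSearchTerm(array $get): string
{
    $raw = isset($get['name']) ? trim((string) $get['name']) : '';
    // Malformed byte sequences are the classic way escaping gets bypassed,
    // so refuse anything that is not valid UTF-8 instead of "fixing" it.
    if (!mb_check_encoding($raw, 'UTF-8')) {
        return '';
    }
    // A search term has no reason to be thousands of bytes long.
    return mb_substr($raw, 0, 100, 'UTF-8');
}

// Layer 2: query with a prepared statement. The value is bound as data,
// never concatenated into the SQL, so quotes or keywords in it are inert.
function findUsers(PDO $db, string $term): array
{
    // % and _ are LIKE wildcards, so escape them too; the ESCAPE clause
    // tells SQLite which character we used.
    $pattern = '%' . strtr($term, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']) . '%';
    $stmt = $db->prepare("SELECT id, name FROM users WHERE name LIKE :pattern ESCAPE '\\'");
    $stmt->execute([':pattern' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Layer 3: escape on output, for the context the value lands in (HTML here).
function render(string $term, array $rows): string
{
    $html = '<p>Results for ' . htmlspecialchars($term, ENT_QUOTES, 'UTF-8') . ":</p>\n<ul>\n";
    foreach ($rows as $row) {
        $html .= '<li>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed in-memory database standing in for the real MySQL table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO users (name) VALUES (:name)');
foreach (['fuzzball', "O'Brien", 'alice'] as $name) {
    $insert->execute([':name' => $name]);
}

// Constructed stand-in for $_GET; on the real page pass $_GET itself.
// The single quote reaches the database as data, and the < is escaped on output.
$fakeGet = ['name' => "O'Br<b>"];
$term = readSearchTerm($fakeGet);
echo render($term, findUsers($db, $term));
```

The three layers are deliberately separate: validation as the value arrives, parameter binding so the database never parses it as SQL (which is what mysql_real_escape_string tried to approximate by escaping), and htmlspecialchars only at the point the value is written into HTML. A session token, as suggested in the comments, is a different control (it ties the request to a session) and does not replace any of these.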
1

Well the better solution would be to go with an AJAX request if you don't want to force a page reload. Regarding security it's the same, since every user can manipulate query strings with ease... we have an address bar for this :)

// use the native object where it exists, fall back to ActiveX on old IE
var ajax = window.XMLHttpRequest ? new XMLHttpRequest() : new ActiveXObject('Microsoft.XMLHTTP');

// encodeURIComponent so characters like &, ? and # in the value cannot alter the query string
ajax.open('get', 'page.php?name=' + encodeURIComponent(javascriptVariable), true);

ajax.onreadystatechange = function () {
    // the check must run inside the handler; before send() readyState is still 1
    if ( ajax.readyState == 4 && ajax.status == 200 )
    {
        // ajax.responseText is the result from php server
        // ajax.responseXML is the result from php server
    }
};

ajax.send(null);


-1

If you are not good with JavaScript or Ajax requests, I suggest the jquery .ajax method. jQuery is really well-documented and great for beginners.

Also, your variable is not set properly. Should be:

var toSearch = "something";

So visit: http://api.jquery.com/jQuery.ajax/ to get started.

A sample of how to do this.

JS:

function myFunction() {

    var toSearch = "something";

    $.ajax({
       url: 'mysite/action_page.php',
       // passing the value via data lets jQuery URL-encode it, so &, ? and #
       // in toSearch cannot break the query string
       data: { toSearch: toSearch },
       success: function(data) {
          alert('Here is some data from the $_GET request: ' + data);
       }
    });

}

PHP:

<?php
   /**
     * I strongly suggest a security measure here
     * ie: if($_GET['token'] != $_SESSION['token']) die('access not permitted');
     */


   //init
   $search_string = '';

   //set - the JS sends the parameter as "toSearch", so read that key;
   //isset avoids a notice when the parameter is missing
   if (isset($_GET['toSearch'])) {
       $search_string = htmlspecialchars(trim($_GET['toSearch']), ENT_QUOTES, 'UTF-8');
   }
   //TAKE A LOOK AT PHP.net IF YOU DON'T KNOW WHAT THE TWO METHODS ABOVE DO.
   // will help prevent xss

   echo $search_string;

   //all done!
 ?>
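The session-token check suggested in the question's comments and in the PHP comment above, written out as an added example (not code from any answer). It assumes PHP 7 or later for random_bytes() and hash_equals(), and uses plain arrays to stand in for $_SESSION and $_GET so it runs without a web server; the session_start() lines for the real pages are shown as comments, and the helper names are my own:

```php
<?php
// Added example: per-session token that the handler page checks before it
// acts on the request. Assumes PHP >= 7. $session/$request arrays are
// constructed stand-ins for $_SESSION and $_GET.

declare(strict_types=1);

// Called by the page that emits the JavaScript. Creates the token once per
// session from the CSPRNG and reuses it afterwards.
function issueToken(array &$session): string
{
    if (empty($session['token'])) {
        $session['token'] = bin2hex(random_bytes(32));
    }
    return $session['token'];
}

// Called by the handler page. hash_equals() compares in constant time, so
// the comparison itself does not leak how many leading bytes matched.
function tokenIsValid(array $session, array $request): bool
{
    if (empty($session['token']) || !isset($request['token'])) {
        return false;
    }
    return hash_equals($session['token'], (string) $request['token']);
}

// --- Page that emits the JavaScript (the one holding var toSearch) ---
// session_start();
// $token = issueToken($_SESSION);
// echo '<script>var csrfToken = ' . json_encode($token) . ';</script>';
// The JS then requests:
//   'myphpfile.php?name=' + encodeURIComponent(toSearch)
//                        + '&token=' + encodeURIComponent(csrfToken)

// --- Handler page (myphpfile.php) ---
// session_start();
// if (!tokenIsValid($_SESSION, $_GET)) {
//     http_response_code(403);
//     exit('access not permitted');
// }
// ... only now read $_GET['name'], still treating it as untrusted input

// Constructed demo without a real session:
$session = [];
$token = issueToken($session);

// request carrying the token the session issued
var_dump(tokenIsValid($session, ['name' => 'something', 'token' => $token]));
// request carrying a guessed token
var_dump(tokenIsValid($session, ['name' => 'something', 'token' => 'guess']));
// request against a session that never issued a token
var_dump(tokenIsValid([], ['name' => 'something', 'token' => $token]));
```

The token only proves the request came from a page this session loaded; it says nothing about what is in name, so the htmlspecialchars/prepared-statement handling still applies to that value. Carrying the token in the query string also puts it in browser history and server access logs, so for anything beyond a demo a POST body or a request header is the better place for it.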
