Tell me more ×
Stack Overflow is a question and answer site for professional and enthusiast programmers. It's 100% free, no registration required.
up vote 3 down vote favorite
1

I am passing two pieces of info to a php page using the $_GET method (team1, team2). I'd like to use these as variables in some javascript. How can I do this?

Thanks

share|improve this question
3  
Just wanted to point out that all the examples here are allowing for major security holes. – Evert Mar 15 '11 at 12:59
be very very careful about using most of the answers here. Most of them are really insecure. Read the comments on the answers as well. – Spudley Mar 15 '11 at 14:29

7 Answers

up vote -1 down vote accepted

Original answer:

In your .php file.

<script type="text/javascript"> 
  var team1, team2; 
  team1 = <?php echo $_GET['team1']; ?>; 
  team1 = <?php echo $_GET['team1']; ?>; 
</script>

Safer answer:

Didn't even think about XSS when I blasted this answer out. (Look at the comments!) Anything from the $_GET array should be escaped, otherwise a user can pretty much insert whatever JS they want into your page. So try something like this:

<script type="text/javascript"> 
  var team1, team2; 
  team1 = <?php echo htmlencode(json_encode($_GET['team1'])); ?>; 
  team1 = <?php echo htmlencode(json_encode($_GET['team1'])); ?>; 
</script>

From here http://www.bytetouch.com/blog/programming/protecting-php-scripts-from-cross-site-scripting-xss-attacks/.

More about XSS from Google http://code.google.com/p/doctype/wiki/ArticleXSSInJavaScript.

Cheers to the commenters.

share|improve this answer
6  
bad choice, XSS hole – soju Mar 15 '11 at 13:08
@Jono: @soju is totally right! – Michiel Pater Mar 15 '11 at 13:13
1  
json_encode($_GET['team1']). Always use json_encode when passing value to JavaScript file to be safe. – Thai Mar 15 '11 at 13:46
up vote 6 down vote

Since $_GET just access variables in the querystring, you can do the same from javascript if you wish:

<script>
var $_GET = populateGet();

function populateGet() {
  var obj = {}, params = location.search.slice(1).split('&');
  for(var i=0,len=params.length;i<len;i++) {
    var keyVal = params[i].split('=');
    obj[decodeURIComponent(keyVal[0])] = decodeURIComponent(keyVal[1]);
  }
  return obj;
}
</script>
share|improve this answer
up vote 1 down vote

Make sure you use something like htmlentities to escape the values so that your application is not susceptible to cross-site scripting attacks. Ideally you would validate the variables to make sure they're an expected value before outputting them to the page.

<script type="text/javascript"> 
  var team1 = '<?php echo htmlentities($_GET['team1']); ?>'; 
  var team2 = '<?php echo htmlentities($_GET['team2']); ?>'; 
</script>
share|improve this answer
1  
good to see someone escaping the values in some way; there's too many answers here that are just really bad... but since we're outputting Javascript, we should be escaping it as Javascript, not HTML. Use json_encode() instead of htmlentities(). – Spudley Mar 15 '11 at 14:26
json_encode is used to convert arrays to JSON. Also, by default it does not escape anything except double quotes, which will still allow more sophisticated XSS attacks. Bottom line, do not output any user inputted data unless it's properly validated or every potentially unsafe value has been escaped. – Randy H. Mar 15 '11 at 15:40
The values are gathered via a drop down list, so that's somewhat secure right? – Jono Mar 16 '11 at 8:57
@Jono Since these are GET values, i.e., directly accessible in the URL, anyone can easily change them and pass in whatever they want, including javascript code that will execute on your page if you do not escape it. The reason this is a huge security risk is because someone could send a link to one your users that has some code hidden in it and then steal information or perform other actions on your site with that person's credentials. There's a great explanation of cross-site scripting on Wikipedia if you would like more information. – Randy H. Mar 16 '11 at 13:31
up vote 0 down vote 
<script type="text/javascript">
  var team1 = <?php echo $_GET['team1'] ?>;
  var team2 = <?php echo $_GET['team2'] ?>;
</script>
share|improve this answer
There is no attribute "language". It has been deprecated. – Michiel Pater Mar 15 '11 at 12:55
My bad, was pretty in hurry, fixed. Thanks – Jan Zyka Mar 15 '11 at 12:56
Hi, do i not need PHP tags anywhere in there then? – Jono Mar 15 '11 at 12:57
Since short_open_tags option is sometimes disabled, you should avoid use of short tags – soju Mar 15 '11 at 12:58
<? is shortcut for <?php, may be disabled on some servers but usualy works. The <?php is probably better way to go since it works always – Jan Zyka Mar 15 '11 at 12:58
up vote 0 down vote

Another way to do this with javascript :

var team1 = $_GET('team1');

function $_GET(q,s) {
        s = s ? s : window.location.search;
        var re = new RegExp('&'+q+'(?:=([^&]*))?(?=&|$)','i');
        return (s=s.replace(/^?/,'&').match(re)) ? (typeof s[1] == 'undefined' ? '' : decodeURIComponent(s[1])) : undefined;
}
share|improve this answer
up vote 0 down vote

The other methods are kind of dirty, and there can be some problems. Your better off just using javascript:

<script>
function get_data(name){
  name = name.replace(/[\[]/,"\\\[").replace(/[\]]/,"\\\]");
  var regexS = "[\\?&]"+name+"=([^&#]*)";
  var regex = new RegExp(regexS);
  var results = regex.exec(window.location.href);
  if(results == null) return "";
  else return results[1];
}

var var1 = get_data('var1');
var var2 = get_data('var2');
</script>

But this still isn't super secure.

Another way of doing this, which I just thought of, is to print the $_GET array. I don't know if that would work, though. Anyway, if it does, then here it is:

<script>
    var _get = <?php print_r($_GET); ?>

    var team1 = _get['team1'];
    var team2 = _get['team2'];
</script>

And you would want to run array_walk(or something like that), on a function to clean each string.

share|improve this answer
You should use decodeURIComponent – soju Mar 15 '11 at 13:03
@soju How would that help with getting the variable out of the query string? – Tanner Ottinger Mar 15 '11 at 13:11
It won't help getting vars, just ensure to get correct var content – soju Mar 15 '11 at 13:23
up vote -1 down vote

Make sure your $_GET vars are available and not empty and use the following:

<script type="text/javascript">
    var team1 = <?php echo $_GET['team1']; ?>;
    var team2 = <?php echo $_GET['team2']; ?>;
</script>
share|improve this answer
There is no attribute "language". It has been deprecated. – Michiel Pater Mar 15 '11 at 12:56
Ha, didn't even realize I put that, fixed in example. – Aaron W. Mar 15 '11 at 13:05

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.