current community

your communities

more stack exchange communities

company blog
Stack Exchange Inbox Reputation and Badges
tour help
Join the Stack Overflow Community
Stack Overflow is a community of 4.7 million programmers, just like you, helping each other.
Join them; it only takes a minute:
Sign up
up vote 0 down vote favorite

There are a number of tutorials about passing PHP variables in Javascript (for example). There are 3 alternative methods I am aware of:

  1. Using AJAX: A separate Javascript file is used to load the required data, then loaded into all HTML (or PHP) pages where required
  2. Hidden form inputs: e.g. <input type="hidden" id="X" value="<?php echo $X;?>"/> and then using Javascript to get the value
  3. Injecting Javascript into the returned HTML: e.g. <script> var X = "<?php echo $X;?>";</script>

But I am concerned that these methods are not really secure (EDIT: what I need is to just hide variables from the source code , more is not possible), and can become confusing when the number of variables to pass is large.

Are there any tips or tricks to pass large numbers of variables , from PHP to Javascript? What methods do major websites (Wikipedia, Google, etc.) use?

EDIT2: for example
imagine I'm going to pass rootpath of my project and some form keys to js
I'm passing rootpath in this case so I can't link everything before it(I can't use external JS)
and it's really Unbecoming to have something like this:

<script>
     rootpath = "example/foo";
     KEY1 = "example";
     KEY2 = "example";
</script>

and also this:

<input type="hidden" id="rootpath" value="example/foo"/>
<input type="hidden" id="KEY1" value="example"/>
<input type="hidden" id="KEY2" value="example"/>

think about a bigger project with lot's of variables to be passed

share|improve this question
    
How do you mean they are not "secured"? What security do you expect from JavaScript - it's executed on the client's machine. It can be edited by client. All data JavaScript is working with can be seen by page visitor. – MilanG Feb 20 '15 at 13:03
    
my fault! I've meant the showing of the code , at last there is no trusted way to secure a variable in JS , but I'm looking for a way to hide it from source code – mahdi Feb 20 '15 at 13:08
up vote 0 down vote

Javascript can be perfectly secure if used with some common sense and a couple of checks here and there, but hiding a variable looks like impractical (or maybe overkill) to me.

However, that doesn't mean you can't approach your goal while specifying your variables. Maybe you could try something like mcrypt_encrypt() to define your variable as an encrypted value and using mcrypt_decrypt() in the server side to get the value you try to hide.

Don't take me wrong... it's as overkill as hiding or obfuscating the code is, plus you have to store the initialization vector and the key somewhere to be able to decrypt the value on its way back.

So it's more like a mixture between step C and A. Encrypt your variables, send them to PHP through AJAX and decrypt them afterwards.

Hope that helps :)

share|improve this answer
up vote 0 down vote

Try this code...

<?php
  $php_var="Hello World";
?>   

<script>

   var js_var = "<?php echo $php_var; ?>";
   alert(js_var);
</script>
share|improve this answer

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.