Storing php $_GET variable in a javascript variable? [duplicate]
I am passing two pieces of info to a php page using the $_GET method (team1, team2). I'd like to use these as variables in some javascript. How can I do this?
Thanks
Since $_GET just access variables in the querystring, you can do the same from javascript if you wish:
<script>
var $_GET = populateGet();
function populateGet() {
var obj = {}, params = location.search.slice(1).split('&');
for(var i=0,len=params.length;i<len;i++) {
var keyVal = params[i].split('=');
obj[decodeURIComponent(keyVal[0])] = decodeURIComponent(keyVal[1]);
}
return obj;
}
</script>
Original answer:
In your .php file.
<script type="text/javascript">
var team1, team2;
team1 = <?php echo $_GET['team1']; ?>;
team1 = <?php echo $_GET['team1']; ?>;
</script>
Safer answer:
Didn't even think about XSS when I blasted this answer out. (Look at the comments!) Anything from the $_GET array should be escaped, otherwise a user can pretty much insert whatever JS they want into your page. So try something like this:
<script type="text/javascript">
var team1, team2;
team1 = <?php echo htmlencode(json_encode($_GET['team1'])); ?>;
team1 = <?php echo htmlencode(json_encode($_GET['team1'])); ?>;
</script>
From here http://www.bytetouch.com/blog/programming/protecting-php-scripts-from-cross-site-scripting-xss-attacks/.
More about XSS from Google http://code.google.com/p/doctype/wiki/ArticleXSSInJavaScript.
Cheers to the commenters.
Make sure you use something like htmlentities to escape the values so that your application is not susceptible to cross-site scripting attacks. Ideally you would validate the variables to make sure they're an expected value before outputting them to the page.
<script type="text/javascript">
var team1 = '<?php echo htmlentities($_GET['team1']); ?>';
var team2 = '<?php echo htmlentities($_GET['team2']); ?>';
</script>
<script type="text/javascript">
var team1 = <?php echo $_GET['team1'] ?>;
var team2 = <?php echo $_GET['team2'] ?>;
</script>
Another way to do this with javascript :
var team1 = $_GET('team1');
function $_GET(q,s) {
s = s ? s : window.location.search;
var re = new RegExp('&'+q+'(?:=([^&]*))?(?=&|$)','i');
return (s=s.replace(/^?/,'&').match(re)) ? (typeof s[1] == 'undefined' ? '' : decodeURIComponent(s[1])) : undefined;
}
The other methods are kind of dirty, and there can be some problems. Your better off just using javascript:
<script>
function get_data(name){
name = name.replace(/[\[]/,"\\\[").replace(/[\]]/,"\\\]");
var regexS = "[\\?&]"+name+"=([^&#]*)";
var regex = new RegExp(regexS);
var results = regex.exec(window.location.href);
if(results == null) return "";
else return results[1];
}
var var1 = get_data('var1');
var var2 = get_data('var2');
</script>
But this still isn't super secure.
Another way of doing this, which I just thought of, is to print the $_GET array. I don't know if that would work, though. Anyway, if it does, then here it is:
<script>
var _get = <?php print_r($_GET); ?>
var team1 = _get['team1'];
var team2 = _get['team2'];
</script>
And you would want to run array_walk(or something like that), on a function to clean each string.
Make sure your $_GET vars are available and not empty and use the following:
<script type="text/javascript">
var team1 = <?php echo $_GET['team1']; ?>;
var team2 = <?php echo $_GET['team2']; ?>;
</script>
加载中,请稍侯......
精彩评论