
Javascript: Passing inline variables to external: security issue?

So I've looked around to try to find some posts on this and there are many but none that address my specific question (that I could find).

So essentially I need to get some data from my database to my external javascript document.

What I am currently doing is something like this...

<?php for (loop through products): ?>
    <script>
    var $each_image_information = new Array(
        "<?php echo $getVariable; ?>",
         "<?php echo $getVariable; ?>");
    </script>
<?php endfor ?>

And then my external .js file accesses the variable $each_image_information. I realize this is somewhat messy code since these variables are somewhat global - but I'm not sure I know of a possible (with my skillset) alternative.

My real question is if this lends any security holes for the website I am implementing it on. Since these values are echo'd from the database to the inline javascript file, can those variables be manipulated?

This may be a foolish question but I have had past experience with SQL injection when I had no idea that those were possible, so I am trying to err on the safe side.

Thanks in advance!


OK, to understand this problem you have to understand that Javascript is client-side. That means anyone can do anything they want on it, so the answer to "can those variables be manipulated?" is a resounding yes! If you want, just go download Firebug, and you can start changing them to the latest Google logo if you want :-)

But, none of that matters, because if a user can mess with their own client-side stuff, that's no security hole. What you need to be worried about is user A getting scary code on user B's client. That is only a problem if user A can pick the file names of these images, because then they can name their image "insert scary code here" and that code could get run on user B's computer.

But as long as you control the image file names (or just escape any JS in them), you should be all good.
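The "escape any JS in them" point above, as an added example that is not part of the original post or any answer: the splice-into-a-string-literal pattern from the question beside a version that uses json_encode() with the JSON_HEX_* flags. The $products rows and the hostile file name are constructed sample values.

```php
<?php
// Added example (not the asker's code): building the inline <script> that feeds the
// external .js file. Assumed: $products is a constructed array of DB rows with
// 'name' and 'file' keys; the hostile file name is a constructed sample value.

// What the question's loop effectively does: the raw DB value is spliced into a
// JS string literal. A value containing a quote or "</script>" ends the literal
// (or the whole script element) and whatever follows is parsed as markup/script.
function unsafe_js_array(array $values): string {
    $quoted = array_map(fn(string $v): string => '"' . $v . '"', $values);
    return 'var each_image_information = [' . implode(', ', $quoted) . '];';
}

// Hardened form: json_encode emits a valid JS literal for any string, and the
// JSON_HEX_* flags turn < > & ' " into \uXXXX escapes, so the output can never
// contain "</script>" or close the literal, whatever the database holds.
// JSON_THROW_ON_ERROR (PHP 7.3+) makes invalid UTF-8 from the DB fail loudly
// instead of json_encode() returning false and emitting a broken script.
function safe_js_array(array $values): string {
    $json = json_encode(
        array_values($values),
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return 'var each_image_information = ' . $json . ';';
}

// Constructed sample rows; the second file name stands in for the case the
// answer describes (a user who can pick their own image names).
$products = [
    ['name' => 'Red mug',  'file' => 'mug-red.png'],
    ['name' => 'Blue mug', 'file' => 'mug"</script><b>injected markup</b>.png'],
];

foreach ($products as $p) {
    $values = [$p['name'], $p['file']];
    echo "<!-- unsafe: note how the second row closes the literal and the script element -->\n";
    echo '<script>' . unsafe_js_array($values) . "</script>\n";
    echo "<!-- safe: same data, still one literal inside one script element -->\n";
    echo '<script>' . safe_js_array($values) . "</script>\n";
}
```

Escaping for the JS literal only protects the script element itself: if the external .js later writes these values into the page with innerHTML or document.write, they need HTML encoding at that point as well.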


This is what you are doing

Sql -> Php -> Javascript

As long as you are not doing this

Sql -> Php -> Javascript -> Php -> Sql, then you should be fine from an SQL injection point of view.

Javascript variables are ALWAYS modifiable, and if you are using them inside a SQL query you should sanitize them first (mysql_escape_string() or something similar).


So long as you don't provide a path back into your database, you should be fine.

Keep in mind that if you don't have a path back into your database, but may have one in the future, that you might want to do some obscuration of primary keys on your data; that's always a good idea just to make sure that your internal database representation isn't exposed.
