Brandon Dixon - 3 years ago 85
PHP Question

Passing Variables References to PHP from Javascript via AJAX

I have an idea for "using", or "referencing" PHP variables in Javascript. This would apply to a webpage that will send an email. A simplified example is shown below. Note: this is called via AJAX, so it is not the case that I am trying to call a PHP variable from a script that has already been executed.

The JavaScript will include a "$midSection" string in the body of the email to be sent, and then send the entire body to a PHP script. The PHP script will store this string, create and assign a value to $midSection, and send the body string in an email. If it works, the resulting email would include the main body sent from the client side, with an inserted "midSection" in the middle of the email (perhaps, depending on the person's name and info stored in a database).

It seems to me that this should work, given my understanding of PHP. However, it also seems to me that this will open a window for attack similar to an SQL injection (where, perhaps, we can trick the script to assign a different value to $midSection, for example). Has anyone taken this approach, and if so, can you validate whether this will work, and open up any security holes?

Thank you.

EDIT: The application is for a mailing list, not a contact form. I have an admin panel which allows me to send emails to the mailing list, and I am thinking that this is a good way to include variables from the PHP in a similar way that I would on the PHP script, by putting the $var in the string itself. I understand how passing variables from JS to PHP works, I want JS to reference a PHP variable, essentially. I am not using this for validation purposes, I am using this for an easy way to insert information, rather than doing string parsing manually. The variable will be created and stored server side on a script that I have created.

Also, the JAVASCRIPT will be performing an AJAX call on the PHP script. Therefore, the Javascript will be executed first. I'm essentially sending an email template to the PHP, where the PHP will loop through the email list and add information dynamically, such as first name, last name, etc. Instead of doing string processing, I'm thinking of sending "Hello, $firstName $lastName....." essentially, in the hopes that the PHP script will insert the variable information.

Answer Source

From the comments above I can see what you're trying to do, but it won't work.

Consider the following code:

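$(document).ready(function() {
    // POST the literal string 'andy' to ajax.php
    $.ajax({
        url: 'ajax.php',
        data: {'name' : 'andy'},
        method: "POST"
    }).done(function (data) {
        // Log whatever ajax.php echoed back
        console.log(data);
    });
});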

This is ajax.php:

echo $_POST['name'];

All you're doing in the javascript is making a POST request to ajax.php. It's able to give you the output "andy" in your console because you're passing this data string - not a reference to anything. So far, so simple.

Now imagine if you change data: in the jquery to the following:

data: {'name' : '$var'}

In your console you would get a string "$var".

Even if you had this in ajax.php:

$var = 'foo';
echo $_POST['name'];

You will never get the output "foo".

This is because PHP and javascript are completely separate. So if you pass $var, it's just going to treat it as a string. There's no way of asking javascript to mean a PHP variable or some reference. You have to pass the data itself.

In the case of your application, what you'd typically do is pass something in the ajax request that PHP can refer to (like the primary key ID for a particular record). PHP would then generate all of the required content and send it back to the browser. If you need to do things with a template, str_replace is your friend.
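The server-side substitution the answer points to, as an added example that is not part of the original answer. It assumes curly-brace tokens such as {firstName} and an allow-list of field names (both hypothetical), and it uses strtr() in place of str_replace() so that substituted values are never rescanned for further tokens.

```php
<?php
declare(strict_types=1);

// Placeholders an admin may use in a template (assumed names for this example).
const ALLOWED_FIELDS = ['firstName', 'lastName'];

/**
 * Fill {placeholder} tokens in $template from one recipient row.
 * The template is handled purely as data: nothing in it is evaluated as PHP,
 * and only allow-listed fields can ever be pulled from the row.
 */
function renderTemplate(string $template, array $recipient): string
{
    $map = [];
    foreach (ALLOWED_FIELDS as $field) {
        // A missing field becomes an empty string instead of a leftover token.
        $map['{' . $field . '}'] = (string)($recipient[$field] ?? '');
    }
    // strtr() with an array makes a single pass and does not rescan text it
    // has already substituted, so a stored value that itself contains
    // "{lastName}" is not expanded again. str_replace() with arrays replaces
    // in sequence and can re-expand such a value.
    return strtr($template, $map);
}

// Constructed sample: the template body the admin panel would POST.
// "$midSection" is just characters here, and {passwordHash} is not allow-listed.
$template = 'Hello, {firstName} {lastName}. $midSection and {passwordHash} stay literal.';

// Constructed sample rows standing in for the mailing-list table.
$recipients = [
    ['firstName' => 'Ada', 'lastName' => 'Lovelace', 'passwordHash' => 'x'],
    ['firstName' => '{lastName}', 'lastName' => 'Hopper', 'passwordHash' => 'y'],
];

foreach ($recipients as $row) {
    echo renderTemplate($template, $row), "\n";
}
```

The second row shows the single-pass behaviour: the stored first name "{lastName}" appears verbatim in the output rather than being replaced with "Hopper".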
