Hello. So I have this:

/* ---------------------------- */
/* XMLHTTPRequest Enable */
/* ---------------------------- */
function createObject() {
    var request_type;
    var browser = navigator.appName;
    if (browser == "Microsoft Internet Explorer") {
        request_type = new ActiveXObject("Microsoft.XMLHTTP");
    } else {
        request_type = new XMLHttpRequest();
    }
    return request_type;
}

var http = createObject();
/* -------------------------- */
/* INSERT */
/* -------------------------- */
var nocache = 0;
function insert() {
    document.getElementById('insert_response').innerHTML = "Please Wait. ";
    // encodeURIComponent also escapes &, = and #, which encodeURI leaves intact
    var fID = encodeURIComponent(document.getElementById('fID').value);
    var kommentar = encodeURIComponent(document.getElementById('kommentar').value);
    nocache = Math.random();
    // Pass variables as URL query parameters
    http.open('get', 'insert.php?fID=' + fID + '&kommentar=' + kommentar + '&nocache=' + nocache);
    http.onreadystatechange = insertReply;
    http.send(null);
}
function insertReply() {
    if (http.readyState == 4) {
        var response = http.responseText;
        document.getElementById('insert_response').innerHTML = '' + response;
    }
}

I have this in index.php. There you can write a comment and press submit. When you press submit, it runs this script: it passes the variables to insert.php and shows the response in insert_response. In insert.php it inserts the comment into the database.

<?php
            mysql_query("INSERT INTO comments (fID, navn, kommentar, dato) VALUES ('$fID', '$pusername' ,'$kommentar', '$dato')") or
                die(mysql_error());
echo "Comment successfully";
?>
<script type="text/javascript">
if (window.parent) {
    window.parent.someFunction('hello world');
}
</script>

That is my insert.php^ and as you see I want to send the message "hello world" to window.parent.

But it won't work for some reason; it's like it doesn't want to innerHTML this script out to the insert_response div.

Now window.parent, I thought, is my index.php, where I have this:

<script type="text/javascript">
function someFunction(msg) {
    alert(msg);
}
</script>

Thanks!

Insert.php, dispatched to the client side:

<?php
ob_start();
header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT"); // Date in the past
header('Content-type: text/html; charset=utf-8');
include('../tilslut.php');
    define('IN_PHPBB', true);
    $phpbb_root_path = '../../../';
    $phpEx = substr(strrchr(__FILE__, '.'), 1);
    include($phpbb_root_path . 'common.' . $phpEx);

    // Start session management
    $user->session_begin();
    $auth->acl($user->data);
    $user->setup(); 
    $pusername = $user->data['username'];
if($user->data['is_registered']){
?>
<!-- Verify if user exists for login -->
<html>
<head>
<link href="../style.css" type="text/css" rel="stylesheet" />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.4/jquery.min.js"></script>
<script type="text/javascript" src="../ajax_framework.js" language="javascript" charset="UTF-8"></script>
</head>
<body> 
<?php
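if(isset($_GET['fID']) && isset($_GET['kommentar'])){
// Escape the request values before they are interpolated into the SQL strings below
$fID= mysql_real_escape_string($_GET['fID']);
$kommentar= mysql_real_escape_string($_GET['kommentar']);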
       $resultat = mysql_query("SELECT * FROM member_filmcomments WHERE navn = '".mysql_real_escape_string($pusername)."' AND fID = '$fID'") or
            die(mysql_error());
        $row = mysql_fetch_array($resultat);
$resultat2 = mysql_query("SELECT * FROM member_filmcomments WHERE navn = '".mysql_real_escape_string($pusername)."' AND kommentar = '".$kommentar."' AND fID = '".$fID."'") or die(mysql_error());
        $row2 = mysql_fetch_array($resultat2);
        $k10check = mysql_query("SELECT * FROM member_filmcomments WHERE navn = '".mysql_real_escape_string($pusername)."'") or die(mysql_error());
$oldtimecheck = mysql_query("SELECT dato FROM member_filmcomments WHERE navn = '".mysql_real_escape_string($pusername)."' AND fID = '".$fID."'") or die(mysql_error());
$oldtimec = mysql_fetch_array($oldtimecheck);
$realDate = $oldtimec["dato"];
                if(empty($kommentar)){
        echo "Tomt! Du skal indtaste en kommentar i feltet.";
                }elseif (mysql_num_rows($resultat2) == 1) {
        echo "Dobbelpost. Du har allerede skrevet samme kommentar én gang.";
                }elseif( (strtotime($realDate) + 120) > time() ) {
        echo "Vent venligst 2 minutter, før du skriver en ny kommentar i samme klip!";
                }else{
                $dato = date("Y-m-d H:i:s"); 
                $pointsystem = mysql_query("SELECT gpk, gpk10 FROM member_pointsystem");
                $row = mysql_fetch_array($pointsystem);
                $k10 = mysql_real_escape_string($row["gpk10"]);
                $earning = mysql_real_escape_string($row["gpk"]);
                        if (mysql_num_rows($k10check) == 10) {
mysql_query("UPDATE member_profile SET points = points+$k10") or die(mysql_error());
echo "<b>Du har fået +".$k10." Points, for at have kommenteret 10 gange i video-sektionen!</b><br>";
}
mysql_query("UPDATE member_profile SET points = points+$earning") or die(mysql_error());
            mysql_query("INSERT INTO member_filmcomments (fID, navn, kommentar, dato) VALUES ('$fID', '".mysql_real_escape_string($pusername)."' ,'$kommentar', '$dato')") or
                die(mysql_error());
?>
if (window.parent) {
    window.parent.someFunction('hello world');
}
<?
}
}
?>
<!-- Footer End of user logged in --> 
<?
}else{
echo "Authorited Users Only!";
}
ob_flush();
?>
A: 

Instead of embedding a <script> tag, why not simply eval the downloaded code? Of course, you must trust the server, and the response must always be JavaScript.

SERVER SIDE

<?php
            mysql_query("INSERT INTO comments (fID, navn, kommentar, dato) VALUES ('$fID', '$pusername' ,'$kommentar', '$dato')") or
                die(mysql_error());
echo "Comment successfully";
?>
if (window.parent) {
    window.parent.someFunction('hello world');
}

CLIENT SIDE

function insertReply() {
if(http.readyState == 4){
var response = http.responseText;
eval(response);
}
}
Rodrigo
This gave a syntax error at eval(response); .. not working
Karem
Can you provide the exact code dispatched to the client?
Rodrigo
Ok, please check the updated question..
Karem
Well, now it's obvious that JavaScript code is returned to the client **sometimes**.
Rodrigo
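
An alternative to eval-ing the response, as an added example that is not part of the original thread: the server returns a single JSON object and the client only runs callbacks from a fixed allow-list, so a body that mixes HTML with script, like the one in the updated question, is rejected instead of executed. The JSON shape (`message`, `action`, `arg`) and the names `handleInsertResponse` and `makeAllowedActions` are assumptions made for illustration, and the sample responses are constructed.

```javascript
// Added example; handleInsertResponse, makeAllowedActions and the JSON
// fields message/action/arg are hypothetical names, not from the thread.

// The only callbacks the page will run on the server's behalf.
function makeAllowedActions(log) {
  return {
    someFunction: function (msg) { log.push('someFunction:' + msg); }
  };
}

// Treat the XHR body as data, never as code. Returns what was done with it.
function handleInsertResponse(responseText, actions, setStatus) {
  var data;
  try {
    data = JSON.parse(responseText);
  } catch (e) {
    // HTML, PHP error text or mixed output lands here instead of in eval().
    setStatus('Unexpected response from server.');
    return 'rejected:not-json';
  }
  if (data === null || typeof data !== 'object' ||
      typeof data.message !== 'string') {
    setStatus('Unexpected response from server.');
    return 'rejected:bad-shape';
  }
  // In the browser, setStatus would assign to textContent (not innerHTML),
  // so markup inside a stored comment is displayed rather than interpreted.
  setStatus(data.message);
  if (data.action === undefined) return 'ok';
  // Own-property check: names such as "constructor" must not resolve.
  if (typeof data.action !== 'string' ||
      !Object.prototype.hasOwnProperty.call(actions, data.action)) {
    return 'ok:action-ignored';
  }
  actions[data.action](String(data.arg));
  return 'ok:action-run';
}

// Constructed sample responses.
var GOOD = '{"message":"Comment saved","action":"someFunction","arg":"hello world"}';
// Shape of the body shown in the updated question: HTML wrapped around script.
var MIXED = "<html><body>\nif (window.parent) {\n" +
            "    window.parent.someFunction('hello world');\n}\n</body></html>";
var UNKNOWN = '{"message":"Comment saved","action":"constructor","arg":"x"}';
```

On the server side this assumes insert.php prints nothing but the JSON object (for example via `json_encode`), with no surrounding HTML.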