views: 128

answers: 2

Hi, I'm pretty new to JavaScript and PHP, so please bear with me if I'm asking some really dumbed-down questions.

OK, say I need to use values stored in a PHP $_GET or $_SESSION. Is it advisable to just do something like

var something = PHP echo $_SESSION or $_GET

+3  A: 

You need to make the data safe for JavaScript to parse. var something = <?php echo $_SESSION['foo']; ?> would work if it is a number. If it was a string you need to add quotes. If the string contains special characters then they need to be escaped, etc.

Running the data through json_encode is a good way to make it JavaScript safe.

Since $_GET is user-entered data, you can't know that it is a number without checking, so if you don't make things safe then you have a huge XSS hole. Even if you do, then what you do with the data in JavaScript afterward could still expose you to XSS.

David Dorward
Thanks for the info on handling $_GET data. However, I still do not understand what json_encode does that makes data JavaScript safe.
Iuhiz
@Iuhiz: Do you know what JSON is? http://www.json.org/
Felix Kling
@Felix: Sadly, I only know it's a data structure with name: value pairs in it but have absolutely no knowledge of what it is commonly used for.
Iuhiz
Why don't you mention SESSION for the XSS too?
Col. Shrapnel
@Iuhiz — it is a data format that is a subset of JavaScript, so you can dump it directly into JS.
David Dorward
@Col - $_SESSION contains whatever you put into it, not what the user puts into it. (It is implied that if you earlier take from GET and put into SESSION then you have the same problems)
David Dorward
A: 

Putting this as an answer for the code formatting, but...

@Iuhiz: think of what happens when you're inserting data into a JavaScript block that contains JavaScript "meta characters". Let's say you're passing a person's full name as a query parameter, like this:

http://example.com/index.php?name=John+O'toole

In PHP, you'll have:

$_GET['name'] = "John O'toole";

and when you place it into the JavaScript block, you'll get:

var name = John O'toole;

Now you've got a few problems:

  1. You've inserted raw, user-controlled data into your page
  2. A JavaScript syntax error, as your string is not enclosed in quotes
  3. Another syntax error, as the name contains a single quote, which begins a string that is then not terminated with another quote.

Discussion:

  1. This is a classic XSS (cross-site scripting) attack. You're placing user-provided data into an HTML page without any safety. The simplest attack example is to use http://example.com/index.php?name=alert("you've been hacked!");. Try it and see what happens.

2&3: By using json_encode, PHP automatically converts whatever you're encoding into syntactically safe JavaScript. This doesn't mean it's "safe" code - it can still contain malicious data. But it will not cause a syntax error when the page is loaded by the client browser. So by doing:

 var name = <?php echo json_encode($_GET['name']); ?>

you'll get something like:

 var name = "John O'toole";

which the JavaScript interpreter will accept without any complaints.

Marc B
Thank you very much for this! Now I get a better understanding of this whole issue.
Iuhiz
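Both answers above boil down to the same rule: a PHP value that goes into an inline script must be emitted as a JavaScript literal, not pasted in raw. The page below is an added example, not code from either answer, that puts the two side by side: the raw embedding the question proposes (left commented out so the page never executes it) and the json_encode form. It assumes PHP 7 or later (for the `??` operator) and uses a constructed fallback name when no `name` parameter is given. The JSON_HEX_* flags are real json_encode options; they cover one case plain json_encode does not, a value containing `</script>`, which would otherwise end the inline script block even though the JSON string itself is well-formed.

```php
<?php
// Added example (not from the original answers). Run with `php -S localhost:8080`
// and request /?name=John+O'toole, then compare the two forms in view-source.

// Constructed sample value, used only when the query parameter is absent.
$name = $_GET['name'] ?? "John O'toole";

// 1. What the question proposes: the raw value dropped into the script.
//    The apostrophe in the sample name alone breaks the syntax, and any
//    JavaScript in the parameter would run. Kept commented out on purpose.
// echo "<script>var userName = " . $name . ";</script>";

// 2. json_encode turns the PHP string into a JavaScript string literal.
//    JSON_HEX_TAG/APOS/QUOT/AMP hex-escape < > ' " & as \u003C etc., so the
//    literal can never contain "</script>" or a bare quote; a JavaScript
//    string literal decodes those escapes back to the original characters.
$flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP;
$json  = json_encode($name, $flags);
if ($json === false) {
    // json_encode fails on invalid UTF-8 input; never fall back to the raw value.
    http_response_code(400);
    exit('invalid name');
}
// For the sample name $json is now: "John O\u0027toole"
?>
<!DOCTYPE html>
<meta charset="utf-8">
<p id="greeting"></p>
<script>
  var userName = <?php echo $json; ?>;
  // The value is a syntactically safe literal, but it is still untrusted data.
  // textContent keeps it as text; innerHTML would interpret any HTML in it,
  // which is the "what you do with it afterward" problem the first answer notes.
  document.getElementById('greeting').textContent = 'Hello, ' + userName;
</script>
```

The same pattern applies to $_SESSION values: json_encode makes the embedding safe regardless of where the string came from, and the question of whether the data is trustworthy (the XSS discussion in the comments) is decided by what the JavaScript later does with it, not by the encoding step.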