json ajax


Destramic

I'm trying to get this ajax function working but for some reason it runs the error function... I've corresponded with the manual and I can't see a fault... any advice would be great... thanks

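$(document).ready(function()
{
	$.ajax(
	{
		url: "items.php",
		dataType: "json",
		// PHP value echoed straight into a single-quoted JavaScript string
		data: '<?php echo $data; ?>',
		timeout: 2000, // milliseconds
		cache: false,

		// jQuery passes the request object and a status string, not the response data
		error: function(jqXHR, textStatus)
		{
			alert('error');
		},

		success: function(data)
		{
			// "item" is the current element of the decoded JSON response
			$.each(data, function(index, item)
			{
				$("#table").append('<div class="row"><span class="cell">'+ item.title +'</span><span class="cell"></span><span class="cell"></span></div>');
			});
		}
	});
});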

Do not, I repeat, do not echo PHP values into a JavaScript context. This is almost guaranteed to cause a cross-site scripting vulnerability or at least a severe bug.

For example, if $data happens to contain a single quote, then the whole script will blow up with a syntax error. And if $data includes user-provided data, then an attacker can purposely break out of the JavaScript string and inject arbitrary code into your page (aka cross-site scripting).

First of all: What is $data, and why do you need to pass it from your page to the target script? Can't you retrieve it in the target script itself?


  • 3 weeks later...

If $data includes user-provided data one should indeed be careful with echoing PHP data in a JS context. But the syntax error argument is a weak one, and no reason to "not, I repeat, not" echo them as such. That would limit the options way too much.

Just keep a keen eye on the syntax. And in case of problems, just use a debugger, which generally will point out the line with the (syntax) error.


Yeah, “just be careful”. We know how well that works. ;)

Unfortunately, programmers are not always as smart and careful as they think they are. Just recently, a fellow PHP developer had to load server-side translation strings into JavaScript. The strings don't come from the user, so the super-smart programmer figured that he didn't have to follow our standard practice of escaping all dynamic data. Things indeed went well – until we switched to French. The French use a lot of apostrophes in all kinds of places, and that's a problem within single-quoted strings. Long story short: Large parts of the application blew up, and our super-smart programmer began to understand why rules are sometimes a good idea.

Of course you're free to make your own mistakes. But I think every programmer should eventually realize that they aren't infallible and that “just be careful” just isn't good enough.

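The two failure modes discussed in this thread (the apostrophe syntax error and the string breakout), as an added example that is not code from any of the posters: a Node.js model of the server-side template that renders a value the naive way and as an escaped JSON literal, then parses each result as JavaScript. All function names and sample values are constructed for illustration; in PHP the corresponding encoding step is json_encode() with the JSON_HEX_TAG, JSON_HEX_AMP and JSON_HEX_APOS flags.

```javascript
// Added illustration: hypothetical helper names, constructed sample values.

// Naive rendering: the value is pasted between single quotes, which is what
//   data: '<?php echo $data; ?>'
// produces on the server.
function renderNaive(value) {
  return "var data = '" + value + "'; return data;";
}

// Encoded rendering: emit a JSON literal and \u-escape the characters that
// could end a string or an inline <script> block (< > & ' U+2028 U+2029).
function renderEncoded(value) {
  const literal = JSON.stringify(value).replace(/[<>&'\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
  return "var data = " + literal + "; return data;";
}

// Parse and run a generated script body against a stand-in "window" object,
// reporting whether it parsed, what data became, and whether extra code ran.
function evaluate(scriptBody) {
  const fakeWindow = {};
  try {
    const value = new Function("window", scriptBody)(fakeWindow);
    return { parsed: true, value, injected: fakeWindow.injected === true };
  } catch (err) {
    return { parsed: false, error: err.name };
  }
}

// Constructed inputs: a French string, a quote breakout, a closing tag.
const samples = {
  french: "l'article n'existe pas",
  breakout: "x'; window.injected = true; var y = '",
  closingTag: "</script><b>",
};

// Render every sample both ways and collect what the parser made of it.
function compare() {
  const out = {};
  for (const [name, value] of Object.entries(samples)) {
    out[name] = {
      naive: evaluate(renderNaive(value)),
      encoded: evaluate(renderEncoded(value)),
    };
  }
  return out;
}

console.log(JSON.stringify(compare(), null, 2));
```

The model only runs the JavaScript parser; in a real page the unescaped `</script>` in the naive output would additionally end the script element at the HTML level, which is why the encoded form removes `<` and `>` entirely.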
