Jump to content

json ajax


Destramic
 Share

Recommended Posts

im trying to get this ajax function working but for some reason it runs the error function...I've corresponded with the manual and I can't see a fault...any advise would be great...thanks

$(document).ready(function() 
{
	$.ajax(
	{
		url: "items.php",
		dataType: "json",
		data: '<?php echo $data; ?>',
		timeout: '2000',
		cache: false,

		error: function(data) 
		{ 
                  alert('error');
	    },

		success: function(data)
		{ 
			$.each(data, function() 
			{
				$("#table").append('<div class="row"><span class="cell">'+ data.title +'</span><span class="cell"></span><span class="cell"></span></div>');
			});
		}
	 });
});
Link to comment
Share on other sites

Do not, I repeat, do not echo PHP values into a JavaScript context. This is almost guaranteed to cause a cross-site scripting vulnerability or at least a severe bug.

 

For example, if $data happens to contain a single quote, then the whole script will blow up with a syntax error. And if $data includes user-provided data, then an attacker can purposely break out of the JavaScript string and inject arbitrary code into your page (aka cross-site scripting).

 

First of all: What is $data, and why do you need to pass it from your page to the target script? Can't you retrieve it in the target script itself?

Link to comment
Share on other sites

  • 3 weeks later...

Do not, I repeat, do not echo PHP values into a JavaScript context. This is almost guaranteed to cause a cross-site scripting vulnerability or at least a severe bug.

 

For example, if $data happens to contain a single quote, then the whole script will blow up with a syntax error. And if $data includes user-provided data, then an attacker can purposely break out of the JavaScript string and inject arbitrary code into your page (aka cross-site scripting).

 

If $data includes user-provided data one should indeed be careful with echoing PHP data in a JS context. But the syntax error argument is a weak one, and no reason to "not, I repeat, not" echo them as such. That would limit the options way too much.

 

Just keep a keen eye on the syntax. And in case of problems, just use a debugger, which generally will point out the line with the (syntax) error.

Link to comment
Share on other sites

Yeah, “just be careful”. We know how well that works. ;)

 

Unfortunately, programmers are not always as smart and careful as they think they are. Just recently, a fellow PHP developer had to load server-side translation strings into JavaScript. The strings don't come from the user, so the super-smart programmer figured that he didn't have to follow our standard practice of escaping all dynamic data. Things indeed went well – until we switched to French. The French use a lot of apostrophes in all kinds of places, and that's a problem within single-quoted strings. Long story short: Large parts of the application blew up, and our super-smart programmer began to understand why rules are sometimes a good idea.

 

Of course you're free to make your own mistakes. But I think every programmer should eventually realize that they aren't infallible and that “just be careful” just isn't good enough.

Link to comment
Share on other sites

This thread is more than a year old.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.