BlueM Posted October 9, 2015

I have a PHP script that generates JavaScript code.

[
<?php
$conn=@mysql_connect("localhost","root","");
$select=mysql_select_db("dripp",$conn);
$lalala=mysql_query("SELECT * FROM typo");
while ($display=mysql_fetch_assoc($lalala)){
    $one='{"id":"';
    $display['id'];
    $two='","name":"';
    $display['name'];
    $three='"},';
    echo $all=$one.$display['id'].$two.$display['name'].$three;
?>
<?php } ?>
]

The problem with this code is that in the output the final comma is messing with the script. I've searched everywhere for a solution but I cannot find a way to remove the last comma without removing them all. Please help.

benanamen Posted October 9, 2015

The problem with your code, for starters, is that you're using obsolete code that will not work in the latest version of PHP. You need to use PDO or mysqli. The second problem is you're creating your own problem. Just echo out the full string you want without creating all those variables with the commas. That sure doesn't look like JavaScript.

Edited October 9, 2015 by benanamen

BlueM Posted October 9, 2015

Thanks for your input benanamen, but I'm looking for a solution for the while loop, not a solution for connecting to and pulling the data from the database. The script works without the last comma being echoed out.

mac_gyver Posted October 9, 2015

see the json_encode() function. it will produce the output you are manually piecing together. make an array of arrays of all the rows, then just use - echo json_encode($your_array);

BlueM Posted October 9, 2015

Not sure if I am using it right, but now it's escaping all the special characters, but I need them in order to have the script run correctly.

benanamen Posted October 9, 2015

I was on my phone when I first read your post so I didn't notice the parenthesis making up the JavaScript. @mac_gyver has given you what you need for the JS output.

Edited October 9, 2015 by benanamen

Jacques1 Posted October 9, 2015

Do not try to generate JavaScript code. Seriously, don't. Even if you use json_encode(), you will end up with security vulnerabilities and tons of bugs.

Generating formally valid JavaScript code is already hard enough (and your example code shows that you have no idea how to do that). But when you're in a web context, you also have to worry about your JavaScript code interacting with the HTML markup. And that's when things get out of hand.

I know this task looks easy: Let's just take the PHP strings, wrap them into a bunch of quotes and braces, and we're done. But this is an incredibly stupid idea and will blow up your application sooner or later. Many people have tried this, and they've all failed. So don't even try.

Separate your data from the code:

Either use Ajax (that's when JSON-encoding is actually appropriate).
Or embed the JSON-encoded data into a hidden HTML element. This is described in the link above.

mac_gyver Posted October 9, 2015

> Not sure if I am using it right, but now it's escaping all the special characters, but I need them in order to have the script run correctly.

you would need to post what your current code is, how the current code is being used in or requested by your page, some example data showing what special characters you are talking about, what output you got from that example data, and what problem, symptom, or error you get in your application due to that output.

Edited October 9, 2015 by mac_gyver

BlueM Posted October 9, 2015

This is the original output for the php code

[
{"id":"1","name":"Rae Sremmurd"},
{"id":"2","name":"Tyga"},
{"id":"3","name":"Luke Christopher"},
{"id":"4","name":"Tink"},
{"id":"5","name":"Lil Herb"},
{"id":"6","name":"Lil Durk"},
{"id":"7","name":"Mac Miller"},
{"id":"8","name":"Kidd Kidd"},
{"id":"9","name":"Sage The Gemini"},
{"id":"10","name":"Blac Youngsta"},
{"id":"11","name":"John River"},
{"id":"12","name":"Migos"},
{"id":"13","name":"Danny Seth"},
{"id":"14","name":"Soulja Boy"},
{"id":"15","name":"Dave East"},
{"id":"16","name":"King Los"},
{"id":"17","name":"Wiz Khalifa"},
{"id":"18","name":"Lil Bibby"},
]

Jacques1 Posted October 9, 2015

Read the replies. The whole approach is simply wrong.

What if the name contains a double quote?
What if the name ends with a backslash?
What if the name contains "}]; stealAdminSession(); //?
What if the name contains </script><script>stealAdminSession();</script>?

BlueM Posted October 9, 2015

I understand the security risks but the script is somewhat protected. That kind of data can not be stored in the database

scootstah Posted October 9, 2015

> That kind of data can not be stored in the database

What? Of course it can.

You can never implicitly trust your data source. A database is in fact a data source. You should treat it the same as if you were fetching the data from a third-party service.

EDIT: And just for the record, you can remove the last character of a string with rtrim(). But as others have pointed out that is not the correct approach.

Edited October 9, 2015 by scootstah

Jacques1 Posted October 9, 2015

> I understand the security risks but the script is somewhat protected. That kind of data can not be stored in the database

The last words of a programmer: “What could possibly go wrong?”

Things do go wrong. Even if your application makes perfect sense in the localhost bubble, that doesn't mean it will survive in the real world:

There are dozens of crazy syntax variations and browser quirks which none of us has ever heard of.
Applications have bugs.
Applications have security vulnerabilities. A single successful SQL injection attack is enough to insert all kinds of malicious data into your “safe” fields.
If you're working in a team, there will always be an imbecile who changes the data directly and bypasses your filter.

So you cannot rely on anything. The only chance to make an application secure is to write robust code and avoid as many risks as possible. This excludes dynamically generated JavaScript code.

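Added example, not part of any post in this thread: one way to follow the advice above of building an array, passing it through json_encode(), and embedding the result in a hidden HTML element instead of generating JavaScript. The `$rows` array is a constructed stand-in for the query result, filled with the hostile names raised in the thread; `json_for_attribute`, `artist-data` and `data-artists` are hypothetical names chosen for this example.

```php
<?php
// Constructed stand-in for the rows of the poster's "typo" table. The names
// are the hostile cases raised in the thread, not real data.
$rows = [
    ['id' => 1, 'name' => 'Rae Sremmurd'],
    ['id' => 2, 'name' => 'a "quoted" name'],
    ['id' => 3, 'name' => 'ends with a backslash\\'],
    ['id' => 4, 'name' => '"}]; stealAdminSession(); //'],
    ['id' => 5, 'name' => '</script><script>stealAdminSession();</script>'],
];

// Hypothetical helper: JSON-encode $data, then escape it for an HTML attribute.
// json_encode() takes care of quotes, backslashes and the commas between items;
// htmlspecialchars() takes care of the HTML context the JSON is placed into.
function json_for_attribute($data): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $json = json_encode($data, $flags);
    if ($json === false) {
        throw new RuntimeException('JSON encoding failed: ' . json_last_error_msg());
    }
    return htmlspecialchars($json, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Artists</title></head>
<body>
<div id="artist-data" hidden data-artists="<?= json_for_attribute($rows) ?>"></div>
<ul id="artists"></ul>
<script>
// Static script: no PHP output is ever written inside this element.
var holder = document.getElementById('artist-data');
var artists = JSON.parse(holder.getAttribute('data-artists'));
var list = document.getElementById('artists');
artists.forEach(function (artist) {
    var item = document.createElement('li');
    item.textContent = artist.id + ': ' + artist.name; // textContent never parses HTML
    list.appendChild(item);
});
</script>
</body>
</html>
```

The "escaping" of special characters that json_encode() performs is undone by JSON.parse() in the browser, so the script receives the original names unchanged. With PDO, `$rows` would come from `fetchAll(PDO::FETCH_ASSOC)` on the query result.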