I have a PHP script that generates JavaScript code.

[
<?php 
$conn=@mysql_connect("localhost","root","");
$select=mysql_select_db("dripp",$conn);
$lalala=mysql_query("SELECT * FROM typo");
while ($display=mysql_fetch_assoc($lalala)){

	$one='{"id":"';
	$display['id'];
	$two='","name":"';
	$display['name'];
	$three='"},';	
	
echo $all=$one.$display['id'].$two.$display['name'].$three;
?>
<?php
}
?>
]

The problem with this code is that in the output the final comma is messing with the script. I've searched everywhere for a solution but I cannot find a way to remove the last comma without removing them all.

 

Please help


The problem with your code, for starters, is that you're using obsolete code that will not work in the latest version of PHP. You need to use PDO or mysqli. The second problem is you're creating your own problem. Just echo out the full string you want without creating all those variables with the commas. That sure doesn't look like JavaScript.

Edited by benanamen

Do not try to generate JavaScript code. Seriously, don't. Even if you use json_encode(), you will end up with security vulnerabilities and tons of bugs.

 

Generating formally valid JavaScript code is already hard enough (and your example code shows that you have no idea how to do that). But when you're in a web context, you also have to worry about your JavaScript code interacting with the HTML markup. And that's when things get out of hand.

 

I know this task looks easy: Let's just take the PHP strings, wrap them into a bunch of quotes and braces, and we're done. But this is an incredibly stupid idea and will blow up your application sooner or later. Many people have tried this, and they've all failed.

 

So don't even try. Separate your data from the code: Either use Ajax (that's when JSON-encoding is actually appropriate). Or embed the JSON-encoded data into a hidden HTML element. This is described in the link above.

Not sure if I am using it right, but now it's escaping all the special characters, but I need them in order to have the script run correctly.

 

You would need to post what your current code is, how the current code is being used in or requested by your page, some example data showing what special characters you are talking about, what output you got from that example data, and what problem, symptom, or error you get in your application due to that output.

Edited by mac_gyver

This is the original output for the php code

[ {"id":"1","name":"Rae Sremmurd"}, {"id":"2","name":"Tyga"}, {"id":"3","name":"Luke Christopher"}, {"id":"4","name":"Tink"}, {"id":"5","name":"Lil Herb"}, {"id":"6","name":"Lil Durk"}, {"id":"7","name":"Mac Miller"}, {"id":"8","name":"Kidd Kidd"}, {"id":"9","name":"Sage The Gemini"}, {"id":"10","name":"Blac Youngsta"}, {"id":"11","name":"John River"}, {"id":"12","name":"Migos"}, {"id":"13","name":"Danny Seth"}, {"id":"14","name":"Soulja Boy"}, {"id":"15","name":"Dave East"}, {"id":"16","name":"King Los"}, {"id":"17","name":"Wiz Khalifa"}, {"id":"18","name":"Lil Bibby"}, ]

Read the replies. The whole approach is simply wrong.

 

What if the name contains a double quote?

What if the name ends with a backslash?

What if the name contains "}]; stealAdminSession(); //?

What if the name contains </script><script>stealAdminSession();</script>?

That kind of data can not be stored in the database

What? Of course it can.

 

You can never implicitly trust your data source. A database is in fact a data source. You should treat it the same as if you were fetching the data from a third-party service.

 

EDIT: And just for the record, you can remove the last character of a string with rtrim(). But as others have pointed out, that is not the correct approach.

Edited by scootstah

I understand the security risks but the script is somewhat protected. That kind of data can not be stored in the database

 

The last words of a programmer: “What could possibly go wrong?” ;)

 

Things do go wrong. Even if your application makes perfect sense in the localhost bubble, that doesn't mean it will survive in the real world:

  • There are dozens of crazy syntax variations and browser quirks which none of us has ever heard of.
  • Applications have bugs.
  • Applications have security vulnerabilities. A single successful SQL injection attack is enough to insert all kinds of malicious data into your “safe” fields.
  • If you're working in a team, there will always be an imbecile who changes the data directly and bypasses your filter.

So you cannot rely on anything. The only chance to make an application secure is to write robust code and avoid as many risks as possible. This excludes dynamically generated JavaScript code.
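
The two alternatives recommended earlier in the thread (a separate JSON response for Ajax, or JSON-encoded data in a hidden HTML element), run against the "what if" names from the later reply. This is an added example, not code posted by any participant; the sample rows, the element id `artist-data`, the attribute `data-artists` and the function names are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. The rows are constructed sample data;
// in the real script they would come from a PDO or mysqli query on the "typo" table.
$rows = [
    ['id' => 1, 'name' => 'Rae Sremmurd'],
    ['id' => 2, 'name' => 'say "hi"'],                 // contains a double quote
    ['id' => 3, 'name' => 'ends with a backslash\\'],  // one trailing backslash
    ['id' => 4, 'name' => '"}]; stealAdminSession(); //'],
    ['id' => 5, 'name' => '</script><script>stealAdminSession();</script>'],
];

// json_encode() builds the whole array: no hand-placed quotes, braces or commas,
// so there is no trailing comma to strip. The JSON_HEX_* flags additionally
// write <, >, &, ' and " inside strings as \u00XX escapes.
function encode_rows(array $rows): string
{
    return json_encode(
        $rows,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Option 1 (Ajax endpoint): send the JSON as its own response, never inside HTML.
// Defined for illustration; call it from a script that outputs nothing else.
function send_json(array $rows): void
{
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo encode_rows($rows);
}

// Option 2: put the JSON into a data attribute of a hidden element, HTML-escaped
// like any other attribute value. Static JavaScript then reads it with
// JSON.parse(document.getElementById('artist-data').dataset.artists).
function hidden_element(array $rows): string
{
    $attr = htmlspecialchars(encode_rows($rows), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div id="artist-data" hidden data-artists="' . $attr . '"></div>';
}

$json = encode_rows($rows);
// Round trip: the decoded data is identical to the input, hostile names included.
if (json_decode($json, true, 512, JSON_THROW_ON_ERROR) !== $rows) {
    throw new RuntimeException('round trip changed the data');
}
// No raw angle bracket survives in the encoded string.
if (strpos($json, '<') !== false || strpos($json, '>') !== false) {
    throw new RuntimeException('unescaped markup in JSON');
}
echo hidden_element($rows), "\n";
```

In both options the JavaScript itself stays a static file; only data crosses from PHP to the browser, and the escaping the original poster noticed is undone by `JSON.parse()` on the client.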
