Pass a variable value from JavaScript to PHP


Here is the function; what I need is simply to pass the value of a JavaScript variable to PHP. If I write a single piece of code without so many quotes and call it, it works, but when I mix everything together there is a problem. I think it is two things:

1. something related to the closing of the `<script>` tag
2. the start and end of the quotation marks.

The problem lies in this blessed line:

    $tabela = "<script>document.write(varTB)</script>";

If I put the SQL string in by hand, it works fine... but when I try to build it this way it does not work. What can it be?

Give me strength, I'm crawling in the web world. Grateful.

    <button name="addEnvolvido" onclick="carregaCombo('tipolocal','idocorrencia')">Adicionar</button><br/>

    <select id="idocorrencia">
        <option value=""></option>
    </select>

    <?php include("conexao.php"); ?>

    <script type="text/javascript">
        function carregaCombo(nomeTB, nomeCombo)
        {
            var select = document.getElementById(nomeCombo);
            var varTeste = '';
            var varTB = nomeTB;

            varTeste =
            <?php
                //echo '"item 1"';

                // this is the line that does not work: the <script> is only
                // a string on the server, it never runs before the query
                $tabela = "<script>document.write(varTB)</script>";

                $varResult = '"';
                $result = mysqli_query($con, 'SELECT id, nome FROM ' . $tabela);
                        //nomeTB ORDER BY nome');

                while($row = mysqli_fetch_array($result))
                {
                    $varResult .= $row[0] . '-' . $row[1] . ';';
                }

                //remove the last ; from the variable
                $varResult = substr($varResult,0,-1);
                $varResult .= '"';

                echo $varResult;
            ?>;

            //now separate the ID from the name
            for (var i = 0; i < varTeste.split(";").length ; i++)
            {
                var opt = document.createElement('option');
                opt.value = varTeste.split(";")[i];
                opt.innerHTML = varTeste.split(";")[i];
                select.appendChild(opt);
            }
        }
    </script>
    
asked by anonymous 15.03.2015 / 18:52

1 answer


Cleverton, what you need to understand is that PHP runs on the server and JavaScript, in your case, in the browser.

Imagine the security flaw there would be if you were able to access the database through JavaScript, as is the case in your example. Since the JavaScript runs in the browser, the user can easily manipulate the code, so nothing would prevent them from changing the value of `nomeTB` to:

    usuarios; DROP TABLE usuarios;

Do you understand?

What you need to do in this case is a separation of responsibilities, perhaps creating a web service in PHP that responds to a request with the search result.

Example:

This would be the web service `get_table.php`:

<?php
    // $con comes from the same connection file used in the question
    include("conexao.php");

    // Take the table name from the request (in this case, GET)
    $table = $_GET['tabela'];
    $result = mysqli_query($con, 'SELECT id, nome FROM ' . $table . ';');
    $varResult = '"';
    while ($row = mysqli_fetch_array($result)) {
        $varResult .= $row[0] . '-' . $row[1] . ';';
    }

    //remove the last ; from the variable
    $varResult = substr($varResult, 0, -1);
    $varResult .= '"';

    echo $varResult;
?>

And this would be your JavaScript:

function carregaCombo(nomeTB, nomeCombo) {
    var select = document.getElementById(nomeCombo);
    var varTeste = '';

    var xhReq = new XMLHttpRequest();
    xhReq.open("GET", "get_table.php?tabela=" + nomeTB, false);
    xhReq.send(null);

    varTeste = xhReq.responseText;

    for (var i = 0; i < varTeste.split(";").length ; i++) {
        var opt = document.createElement('option');
        opt.value = varTeste.split(";")[i];
        opt.innerHTML = varTeste.split(";")[i];
        select.appendChild(opt);
    }
}

What I did was create a web service called get_table.php that listens for HTTP requests. When it receives a request with the GET verb and the "tabela" parameter, it performs the query in the database using the parameter and prints the result, as expected in your example.

But this example still has the same problem I mentioned: if the parameter passed to "tabela" is "usuarios; DROP TABLE usuarios;", it will also remove the usuarios table.

The best thing to do is to create a web service that follows the Single Responsibility Principle, for example:

<?php
    // $con comes from the same connection file used in the question
    include("conexao.php");

    // the table name is fixed in the code: nothing from the request reaches the SQL
    $result = mysqli_query($con, 'SELECT id, nome FROM usuarios;');

    $varResult = '"';
    while ($row = mysqli_fetch_array($result)) {
        $varResult .= $row[0] . '-' . $row[1] . ';';
    }

    //remove the last ; from the variable
    $varResult = substr($varResult, 0, -1);
    $varResult .= '"';

    echo $varResult;
?>

In this case, you would make an HTTP request with the GET verb to, for example, get_users.php, and it would return the result of your query, with no user input that could be exploited maliciously.

    
16.03.2015 / 02:54
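A middle ground between the two answers above, added here as an example and not part of the original answer: the browser may still say which combo to fill, but the table name is looked up in a fixed server-side allow-list and the endpoint returns JSON instead of a hand-built quoted string. It assumes `conexao.php` defines `$con` as a mysqli connection, as in the question; the table names `tipolocal` and `usuarios` are the ones that appear on the page.

```php
<?php
// get_table.php (hardened variant; example code, not the answer's own)
include("conexao.php"); // assumed to define $con (mysqli), as in the question

header('Content-Type: application/json; charset=utf-8');

// Allow-list: the request carries a key, never a raw identifier. Anything
// outside this map, e.g. "usuarios; DROP TABLE usuarios;", is rejected
// before it can reach the SQL string.
$tabelasPermitidas = [
    'tipolocal' => 'tipolocal',
    'usuarios'  => 'usuarios',
];

$chave = isset($_GET['tabela']) ? (string) $_GET['tabela'] : '';
if (!array_key_exists($chave, $tabelasPermitidas)) {
    http_response_code(400);
    echo json_encode(['erro' => 'tabela desconhecida']);
    exit;
}

// Identifiers cannot be bound as parameters, so the allow-list is the
// control for the table name. Values that come from the user (here the
// row limit, constructed for the example) are bound, never concatenated.
$sql  = 'SELECT id, nome FROM `' . $tabelasPermitidas[$chave] . '` ORDER BY nome LIMIT ?';
$stmt = mysqli_prepare($con, $sql);
$limite = 500;
mysqli_stmt_bind_param($stmt, 'i', $limite);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);

$linhas = [];
while ($row = mysqli_fetch_assoc($result)) {
    $linhas[] = ['id' => (int) $row['id'], 'nome' => $row['nome']];
}
mysqli_stmt_close($stmt);

// JSON instead of "id-nome;id-nome": no quoting problems on the client, and
// a nome containing ';' can no longer break the split() loop.
echo json_encode($linhas);
```

On the client, `JSON.parse(xhReq.responseText)` replaces the `split(";")` loop, and filling the option with `opt.textContent` rather than `opt.innerHTML` keeps a name such as `<b>x</b>` from being interpreted as markup.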