JSON: PHP to JavaScript Safe or Not

Json: PHP to JavaScript safe or not?

Yes and no:

Yes: PHP produces valid JSON

No: PHP may as well return malicious code as in JSON.

If you can trust the source, or if you even have full control over it (because its yours), there is no problem.

Is it safe to do this? PHP's json_encode and javascript

With that line of code

var x = <?php echo $obj ?>;

...the server application echoes back the data that was submitted to it via the "js" key. It will be client that sent it that will receive it, so if in some way it is malicious, it will be that same client dealing with the consequences.

The actual sending to the server is in fact the irrelevant part of the chain: if one has the data to submit, one can also assign it to the variable x directly without the server's interference (e.g. through browser's dev tools).

It would be a different story if in PHP you would use the data to manipulate a server database, call a service, or otherwise change the application's state, and you would not first validate that data.

As to the use of json_encode: if indeed you verify that the argument is valid JSON (by checking that the return value is not false), it will produce a valid JavaScript object literal. The known cases of incompatibility (characters U+2028 and U+2029) will not occur, as by default json_encode escapes these characters.

data transfer from php to javascript using json_encode

JSON is a data exchange format, not a programming language. When you include something like "new google.maps.LatLng..." in a string, that's all it is: a string. It doesn't mean anything – and even if it did, your PHP code isn't returning anything, and your JavaScript code isn't executing anything.

You are sort of on the right track though, so let's make some small changes.

In your PHP, you can do this:

<?php

function get_coordinates() {
    $hotpointquery = query("SELECT `locationLatitude`, `locationLongitude` FROM `location_values` ");
    confirm($hotpointquery);
    while ($row = fetch_array($hotpointquery)) {
        $coordinates = [$row['locationLatitude'], $row['locationLongitude']];
    }
    return json_encode($coordinates);
}

Later in the page, within the <script> element you can have PHP print out that array, then JS can manipulate it into the objects you're looking for using the map function:

function getPoints() {
   var coords = <?= get_coordinates() ?>
   var points = coords.map(function(coord) {
       return new google.maps.LatLng(coord[0], coord[1]);
    });
    return points;
}

Safe to pull directory contents will PHP and read them using JQuery?

Yes, this is perfectly safe. You will just need to ensure the security is part of the php code when needed, by limiting or filtering what it can select (already fine there) and how .json files are validated and stored, once that is addressed you will be fine and your existing solution is perfectly safe. You can also modify .htaccess file to hide folder content if you have a concern about others viewing directories on your website.

Javascript to PHP Security

Security isn't really an issue at this point: JavaScript runs on client side, so anything that could go wrong here could be easily faked by an attacker. You can't trust the client anyway, as @Jan puts it in the comments above. Also, everything you do on the JavaScript end can be eavesdropped and manipulated by the client - that's why you can't do a password check in JavaScript, for example. So, the environment JavaScript operates in is fundamentally insecure, anyway.

Security comes into play when the server accepts and uses the data. You need to have all necessary protections in place so the data can't harm your server - for example, remove any SQL injections by using escaping or prepared statements, deal properly with invalid input characters, etc.

Two exceptions to the rule come to mind:

• If you are on a SSL (https://) connection, make sure your JavaScript sends the data that way too

• Sending the browser to a new location with sensitive GET parameters:

  http://www.domain.com/newpage?username=pekka&password=superman85069

  is less secure than POSTing a form, because the URL may be cached.

Passing PHP JSON to Javascript: echo json_encode vs echo json declaration

In your case $json_obj is already a string. So it is not necessary. But if you have an array you want to pass to javascript json_encode will help you with this.

what is safe way to send php data to js?

I'm not entirely sure what you mean by "safe", but if I understand your question correctly, you can inject data from PHP directly into your JavaScript using json_encode:

var jsVar = <?php echo json_encode($phpVar) ?>;

If all you want to do is to inject actual PHP source code into your script, then just print it as a string:

var jsVar = "<?php echo '<?php echo $phpVar ?>' ?>";

I can't imagine this is what you mean though, as I can't think of a reason for wanting to do this :)

JavaScript, passing User ID via JSON is a security risk?

This is a security risk: anybody could try to edit the user id and overwrite the data from other users.
You should consider using sessions, which will let you identify the user on the server: when the server gets a request, you know who it is coming from and can act accordindly.

---

Related Topics