Home/ Questions/Q 6547345
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-25T11:49:12+00:00

Is it unsecure to embed PHP code in a javascript function? My friend told

  • 0

Is it unsecure to embed PHP code in a javascript function?
My friend told me not to do it.

My script just inserts a number in the database if the message has been clicked (read).

<!--Insert into database when click-->
<script>
    function insert()
    { 
        <?php
        include 'db_connect.php';
        $usermsg = $_SESSION['username'];
        $message_id = $_GET['messageid'];
        mysql_query("UPDATE messages SET message_read='1' WHERE id='$message_id' AND to_user='$usermsg'");
        ?> 
    }
</script>

Should i do this any otherway? Or drop including php & mysql in my script and start over?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    If you try that code, it won’t even work that way. You cannot embed server side code in javascript function.

    What you want is to make a sepearate request that will handle the request. This method is called AJAX. With jQuery library you can make AJAX POST request like this:

    <script>
    function insert()
    { 
       //Example: Request the test.php page and send some additional data along (while still ignoring the return results).
       $.post("test.php", { messageid: "1" } );
    }
</script>

    In test.php:

    <?php 

  //Get Post Variables. The name is the same as 
  //what was in the object that was sent in the jQuery

  if (isset($_POST['messageid'])) {
      include 'db_connect.php';
      $usermsg = $_SESSION['username'];
      $message_id = $_POST['messageid'];
      mysql_query("UPDATE messages SET message_read='1' WHERE id='$message_id' AND to_user='$usermsg'");
  }

?>

    Read the Beginners Guide to Using AJAX with jQuery

    And don’t forget to use parametrized sql to prevent sql injection attacks as this code in its current state is vulnurable.

    • 0