So I’ve looked around to try to find some posts on this and there are many but none that address my specific question (that I could find).
So essentially I need to get some data from my database to my external javascript document.
What I am currently doing is something like this…
<?php foreach ($products as $product): ?> <!-- placeholder loop over the product rows -->
<script>
var $each_image_information = new Array(
    "<?php echo $getVariable; ?>",
    "<?php echo $getVariable; ?>");
</script>
<?php endforeach; ?>
And then my external .js file accesses the variable $each_image_information. I realize this is somewhat messy code since these variables are somewhat global – but I’m not sure I know of a possible (with my skillset) alternative.
My real question is if this lends any security holes for the website I am implementing it on. Since these values are echoed from the database to the inline javascript file, can those variables be manipulated?
This may be a foolish question but I have had past experience with SQL injection when I had no idea that those were possible, so I am trying to err on the safe side.
Thanks in advance!
OK, to understand this problem you have to understand that Javascript is client-side. That means anyone can do anything they want on it, so the answer to “can those variables be manipulated?” is a resounding yes! If you want, just go download Firebug, and you can start changing them to the latest Google logo if you want 🙂
But, none of that matters, because if a user can mess with their own client-side stuff, that’s no security hole. What you need to be worried about is user A getting scary code on user B’s client. That is only a problem if user A can pick the file names of these images, because then they can name their image insert scary code here and that code could get run on user B’s computer.
But as long as you control the image file names (or just escape any JS in them), you should be all good.
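As an added example (not code from the original question or answer), the following PHP script renders the question's pattern beside a hardened version that escapes every value with json_encode before it reaches the inline script. The $products rows, their image and alt keys, and the hostile file name are all constructed sample data; the JavaScript variable keeps the question's name without the $ prefix since it is a JS variable, not a PHP one.

```php
<?php
// Added example, not from the original post. $products is constructed sample
// data standing in for rows fetched from the database.
$products = [
    ['id' => 1, 'image' => 'logo.png', 'alt' => 'Company logo'],
    // Constructed hostile value: a user-chosen file name that would close the
    // string and the <script> element if echoed into inline JS unescaped.
    ['id' => 2, 'image' => 'x.png";</script><script>alert(1)//', 'alt' => 'test'],
];

// Encode a PHP value as a JavaScript literal that is safe inside <script>.
// JSON is valid JS literal syntax, and the JSON_HEX_* flags turn < > & ' "
// into \uXXXX escapes, so a value can never terminate the enclosing string
// or the <script> element. JSON_THROW_ON_ERROR makes invalid UTF-8 fail loudly
// instead of silently emitting an empty (and syntactically broken) literal.
function js_literal($value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_THROW_ON_ERROR;
    return json_encode($value, $flags);
}

// Vulnerable: the question's pattern, one <script> per row, values echoed raw.
function render_unescaped(array $products): string
{
    $out = '';
    foreach ($products as $product) {
        $out .= "<script>\n"
              . "var each_image_information = new Array(\n"
              . "  \"" . $product['image'] . "\",\n"
              . "  \"" . $product['alt'] . "\");\n"
              . "</script>\n";
    }
    return $out;
}

// Hardened: collect all rows server-side, emit them once as a single escaped
// literal, and expose one name for the external .js file to read.
function render_escaped(array $products): string
{
    $images = [];
    foreach ($products as $product) {
        $images[] = [$product['image'], $product['alt']];
    }
    return "<script>\nvar each_image_information = "
         . js_literal($images) . ";\n</script>\n";
}

echo "--- unescaped (hostile row breaks out of the script) ---\n";
echo render_unescaped($products);
echo "--- escaped with json_encode ---\n";
echo render_escaped($products);
```

Running it with the PHP CLI prints both renderings: in the first, the hostile row yields a literal closing script tag followed by a new script element, which is exactly the user A to user B case the answer describes; in the second, the same row appears as \u003C/script\u003E inside a string, so the browser never sees a tag boundary and the external script still reads the array under one name instead of a variable redefined on every loop iteration.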