将参数从服务器端 PHP 传递到客户端 JavaScript 的最安全方法是什么
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/3613186/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
What is the safest way of passing arguments from server-side PHP to client-side JavaScript
提问by Goro
In my application I rely heavily on JavaScript to enhance the user interface, but all of the data comes from a database and is processed by PHP. By default I use 'echo' statements to substitute the required values "just in time" like so:
在我的应用程序中,我非常依赖 JavaScript 来增强用户界面,但所有数据都来自数据库并由 PHP 处理。默认情况下,我使用“echo”语句来“及时”替换所需的值,如下所示:
var myVariable = <?php echo $myVariableInPHP ?>
This, however, does not strike me as very elegant and I am concerned about stability and maintainability of such code.
然而,这并没有让我觉得非常优雅,我担心此类代码的稳定性和可维护性。
Do I have any alternatives here?
我这里有其他选择吗?
For server-side, I am using the Symfony 1.4 PHP framework.
对于服务器端,我使用的是 Symfony 1.4 PHP 框架。
Thanks,
谢谢,
回答by Yanick Rochon
My favorite way is :
我最喜欢的方式是:
<?php
$var = array(
'prop1' => 'value1',
'prop2' => 'value2',
// ...
);
?>
<script type="text/javascript">
var varNameSpace = <?php echo json_encode($var); ?>;
alert( varNameSpace.prop1 ); // -> 'value1'
</script>
Using json_encode()ensures that the values passed to Javascript are escaped and well formatted. Using a common variable container also prevents from over using the global space (window).
Usingjson_encode()确保传递给 Javascript 的值被转义并格式化。使用公共变量容器还可以防止过度使用全局空间(窗口)。
回答by svens
You might want to use JSON for this, it's really simple to use in both PHP (check json_encode()) and JavaScript.
您可能希望为此使用 JSON,它在 PHP (check json_encode()) 和 JavaScript中都可以使用非常简单。
It's safe to use within <script>-Tags and browsers which understand JavaScript. Note that the PHP function doesn't encode <and >.
在<script>-Tags 和理解 JavaScript 的浏览器中使用是安全的。请注意,PHP 函数不会对<和进行编码>。
Some example PHP:
一些示例 PHP:
$user = (object) array("name"=>"Joseph", "age"=>29, "email"=>"[email protected]");
echo '<script type="text/javascript"> var user = '.json_encode($user).'; </script>';
回答by Octavian A. Damiean
I'd try to use JSON. Here is a link for you to php.net explaining how to do this.
我会尝试使用 JSON。这是一个指向 php.net 的链接,解释了如何执行此操作。
回答by Alfred
First of your solution does work, but It is not a good practice to mix client-side code with server-side code. It is a best practice to put javascript in seperate .js files(no PHP in it)
您的第一个解决方案确实有效,但是将客户端代码与服务器端代码混合使用并不是一个好习惯。最佳做法是将 javascript 放在单独的 .js 文件中(其中没有 PHP)
I would first create an API(write documentation) like for example
我会首先创建一个 API(编写文档),例如
GET
http://localhost/getProfile?username=$username
POST
http://localhost/getProfile/$username
It will return JSON-object using json_encode. You could use json-p for cross domain communication. Then from for example Jqueryyou can easily get the data.
它将使用 json_encode 返回 JSON 对象。您可以使用 json-p 进行跨域通信。然后从例如Jquery您可以轻松获取数据。
This way your javascript would stay clean.
这样你的 javascript 就会保持干净。
回答by Andrei Dziahel
I prefer use_dynamic_javascript()helper. "Bad" thing about it is you have to think a bit more on splitting rendering template itself and config for it into separate requests.
我更喜欢use_dynamic_javascript()帮手。关于它的“坏”事情是你必须更多地考虑将渲染模板本身和它的配置拆分为单独的请求。
