  1. #1 SitePoint Zealot (RS, Brazil)

    eval function and ajax security

    Hi guys,

    I'm coding my first "real life" ajax application. It consists of an async search. A user will search for a word and the script will search a couple of databases and display the results... My dilemma is:

    My request script calls a php page that will return an array. Since I cannot pass a PHP array to the JavaScript, I'm converting it to a JS array. My code will explain better, so here's the script that is called using ajax:
    Code:
    <?php
    // some code here... ($r is assumed to already hold the hits, grouped by area)
    $return = "var searchResult = new Array(); \n";
    foreach ($r as $area) {
        if (is_array($area)) {
            foreach ($area as $result) {
                // The field values are pasted into JavaScript source unescaped: a single
                // quote in any of them breaks the generated code, and a value such as
                // x');...;// in a result is executed as code once the client eval()s this.
                $return .= "var arrTmp = new Array('".$result['title']."','".$result['text']."','".$result['section']."','".$result['href']."');   \n";
                $return .= "searchResult.push(arrTmp); \n";
            }
        }
    }
    // A top-level return sends nothing to the browser; the body has to be echoed.
    echo $return;
    ?>
    In the main page (the one that calls the php) I was thinking about a code like:

    Code:
    // i'm using prototype to make JS funnier
    function remoteSearch() {
        var url = 'index.php';
        var params = Form.serialize($('searchInfo'));
        var asyncSearch = new Ajax.Request(url, {
            method: 'get',
            parameters: params,
            onSuccess: success,
            onFailure: owned
        });
    }

    /* add record */
    function success(response) {
        // Runs whatever the server sent back as JavaScript.
        eval(response.responseText);
        //$('results_dynamic').innerHTML = '<pre>'+response.responseText+'</pre>';
        //alert('pim');
        //inc();
    }

    /* failure handler referenced above but not defined in the original post */
    function owned(response) {
        alert('Search request failed: ' + response.status);
    }
    This will work. My only concern is about the use of "eval()". As I'm not a JS expert, I don't know how dangerous it may be. Is there a safer way to handle this situation? Or am I using eval() in a safe way?

    thanks in advance.
    matheus

  2. #2 SitePoint Zealot
    Eval = evil!

    I'd say find a way to do it without Eval, you are just setting yourself up for problems with it. Remember that all of your JS is completely visible to your users (if they know how to look for it).

    If you want to pass an array of information back to the JS, here is how I would do it.

    Create a string in PHP with each element of the PHP array separated by a character not present in the data (like a ';' or something similar - which would look like $myString = $data1.";".$data2.";"; or using a loop to accomplish the same thing), and then use

    Code:
    var myArray =  response.responseText.split(";");
    to convert it from a string into an array in Javascript.

    If you want a two dimensional array, at the end of each row of the array, use a different character (like '%' or something else that will not appear in your data) and split the string once, and then split each element of the new array with the other character.

    This way, you don't have to use eval.

    Dave

  3. #3 SitePoint Zealot (RS, Brazil)
    I cannot use this 'delimiter' approach since I have no control over the content of the returned results... I'm going to display part of the search content (just like Google does); if I use ";" or "%" I will probably get in trouble when converting the string into JS arrays.
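    The delimiter scheme from post #2, run against a result set of the kind post #3 worries about, beside a variant that escapes each field first. This is an added example, not code from either post; the server side is mimicked in JavaScript so it runs stand-alone (in the real app it would be PHP string-building), and the sample hits are constructed for the demonstration.

```javascript
// Constructed sample hits (not from the original posts). The second hit carries
// both delimiters inside its excerpt, which a full-text search result easily can.
const SAMPLE_RESULTS = [
  { title: 'Intro', text: 'Plain text', section: 'docs', href: '/docs/intro' },
  { title: 'Pricing; terms', text: '50% off; see details', section: 'shop', href: '/shop' },
];

const FIELD_SEP = ';';

// Naive encoding exactly as suggested: fields joined with ';', rows with '%'.
function encodeNaive(results) {
  return results
    .map(r => [r.title, r.text, r.section, r.href].join(FIELD_SEP))
    .join('%');
}

// Client side of the naive scheme: split once on '%', then each row on ';'.
function decodeNaive(body) {
  return body.split('%').map(row => row.split(FIELD_SEP));
}

// Escaped variant: percent-encode every field, so a delimiter can never occur
// inside one. Because '%' is now the escape character itself, it cannot be the
// row separator any more; a newline (which encodeURIComponent turns into %0A)
// is used instead. On the server, PHP's rawurlencode() is compatible with the
// decodeURIComponent() call below (it escapes a few extra characters, which
// decode the same way).
const ROW_SEP = '\n';

function encodeEscaped(results) {
  return results
    .map(r => [r.title, r.text, r.section, r.href].map(encodeURIComponent).join(FIELD_SEP))
    .join(ROW_SEP);
}

function decodeEscaped(body) {
  if (body === '') return [];           // no hits: avoid one bogus empty row
  return body.split(ROW_SEP).map(row => row.split(FIELD_SEP).map(decodeURIComponent));
}

// True when decoding the encoded results gives back exactly the original fields.
function roundTrips(encode, decode, results) {
  const rows = decode(encode(results));
  const expected = results.map(r => [r.title, r.text, r.section, r.href]);
  return JSON.stringify(rows) === JSON.stringify(expected);
}
```

    With the sample above the naive scheme yields three rows instead of two and the second row's fields are cut at the '%' in "50% off"; the escaped scheme round-trips. Note that escaping only fixes the transport: the fields still have to be HTML-escaped before they are written into the page.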

  4. #4 jtrelfa, SitePoint Addict (Troy, Mi)
    Quote Originally Posted by dwees View Post
    Eval = evil!
    While I would agree with you in most cases, this is one of those times I don't. The eval() command works great when it comes to Ajax apps - though it isn't the 'best'. Here are some suggestions:

    Use JSON - it's probably the most efficient way to move data back and forth.

    www.json.org

    There are links to a PHP script to convert arrays. This is what I like to do:
    PHP Code:
    <?php
    // json_object is the encoder class from the PHP library linked at json.org;
    // PHP 5.2 and later ship json_encode() built in, which does the same job.
    $json = new json_object();
    $arrayOfData = $object->GetWhateverData();
    echo $json->encode($arrayOfData);
    ?>
    In javascript, you'll need the json.js from json.org
    Code:
    function ajaxhandler(XHRResponse) {
      var string = XHRResponse.responseText;
      // String.prototype.parseJSON is added by json.js from json.org
      var newObject = string.parseJSON();
      return newObject;
    }
    It's efficient, and you don't have to use eval()

  5. #5 SitePoint Zealot (RS, Brazil)
    I'm gonna give it a try.

    Thanks!

  6. #6 Pepejeria, SitePoint Wizard
    Quote Originally Posted by jtrelfa View Post
    It's efficient, and you don't have to use eval()
    Did you ever look at the parseJSON() implementation? Guess what it uses...
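    To make the thread's point concrete: the string-building from post #1 re-created in JavaScript so it can be run here, beside the JSON version suggested in post #4, and a check that a real JSON parser (unlike the eval inside the old parseJSON() that post #6 refers to) refuses to execute anything. This is an added example, not code from any of the posts; the sample hits, including the planted one, are constructed, and the server side would be PHP in the real app (the PHP equivalents are noted in comments).

```javascript
// Constructed sample hits (not from the original posts). The planted one is what
// an attacker who can get text into a searched database (a comment, a product
// description, a page title) would store so that it comes back as a search result.
const HITS = [
  { title: "O'Reilly books", text: 'Plain excerpt', section: 'docs', href: '/docs/1' },
];
const PLANTED = [
  { title: "x');globalThis.pwned = true;//", text: 'y', section: 'z', href: '/q' },
];

// Mirrors the PHP in post #1: fields concatenated into JavaScript source, unescaped.
function buildLegacyResponse(hits) {
  let out = 'var searchResult = new Array(); \n';
  for (const h of hits) {
    out += "var arrTmp = new Array('" + h.title + "','" + h.text + "','" +
           h.section + "','" + h.href + "');   \n";
    out += 'searchResult.push(arrTmp); \n';
  }
  return out;
}

// What success() does in post #1: eval the body. Indirect eval runs it in global
// scope, which is where a page-level `var` from a script tag would land too.
function consumeWithEval(body) {
  (0, eval)(body);
  return globalThis.searchResult;
}

// Hardened server side: emit JSON. In PHP this is json_encode($rows) (PHP >= 5.2).
function buildJsonResponse(hits) {
  return JSON.stringify(hits.map(h => [h.title, h.text, h.section, h.href]));
}

// Hardened client side: JSON.parse is a data parser, not a code interpreter.
function consumeWithJsonParse(body) {
  return JSON.parse(body);
}

// Runs both paths on a result set and reports what happened to each.
function compare(hits) {
  globalThis.pwned = false;
  const report = { evalError: null, evalRows: null, pwned: false, jsonRows: null };
  try {
    report.evalRows = consumeWithEval(buildLegacyResponse(hits)).length;
  } catch (e) {
    report.evalError = e.constructor.name;   // e.g. 'SyntaxError'
  }
  report.pwned = globalThis.pwned === true;
  report.jsonRows = consumeWithJsonParse(buildJsonResponse(hits)).length;
  return report;
}

// The results are later written into innerHTML, so each field still needs
// HTML-escaping at render time (or be assigned via textContent instead).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}
```

    With HITS, the eval path dies with a SyntaxError on the apostrophe in "O'Reilly" while the JSON path returns the row; with PLANTED, the eval path runs the planted code (globalThis.pwned becomes true) while JSON.parse hands the same text back as an ordinary string. JSON.parse also throws on a body such as "globalThis.pwned = true", which is exactly the guarantee eval cannot give.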

