PHP与javascript通信

Question

Static Page A has a form with an action submitting to a Authorization page B which is a dynamic page. After authorization, B will redirect to a callback url C which is passed to B by A.

Besides redirecting to page C, B also post some parameters indicated the auth states. uin is a most important parameter that will be used in the content of page C namely the scripts. The scripts need uin to send Ajax request later. Question is how can I pass uin to the static page C?

A quick and dirty idea I got is to wrap the static page C with a PHP file, and output the data in a hidden div for example:

<?php
$html = file_get_contents("callback.html")
$div = "<div stype='display:none' uin={$_POST['uin']}></div>"
//add this div to $html and print it, need a little more work to figure out how to do this
?>

Is there a better way of doing this , because this is sort of 'idiot' I think...

Answer 1

Your code: (with stype typo fixed)

$div = "<div style=\"display:none\" uin={$_POST['uin']}></div>";

Looking at this code, the biggest problem I can see with it is that you're outputting a $_POST value without doing any escaping on it.

This a potential security threat; consider what would happen if someone provided a form that posted to your site, with the uin value set to a string of HTML code, starting with > to close the div . Their code would appear in your site, exactly as if you'd put it there. With a careful bit of styling, they could use this make your site look and behave however they want. Not great.

You can fix that by using wrapping the $_POST variable in html_entities() so it is properly escaped when it is output to the site.

Or, in this case, since it is (or appears to be) a numeric ID value, you could simply cast it as an int to ensure that it contains no unwanted data, no matter what the actual post data contains:

$uin = (int)$_POST['uin'];

...and then use $uin in the output rather than the raw post data.

The second point I'd make is one of validity. uin is not a valid HTML attribute. It may work, but it's not valid. The correct standards-compliant way to do custom attributes in HTML is to use a data attribute, like so:

$div = "<div style=\"display:none\" data-uin={$uin}></div>";

... ie the names of all custom attributes should start with data-

This is recommended because it allows you to have custom attributes with the same name as real attributes without risking any problems. eg you could have data-style , without colliding with the real style attribute.

It also means that the HTML spec can have new attributes added to it without risking clashes with other people's code. eg if a future version of HTML includes a uin attribute that future browsers use to do something clever with the element, it would cause problems with your code. Those problems would not happen if you use data-uin . (okay, so uin is an unlikely name for a new standard HTML attribute, but the point stands)

Answer 2

You have an syntax errors in your php code you need to mask the quotes around your inline style and you missed to add some colons:

<?php
$html = file_get_contents("callback.html");
$div = "<div style=\"display:none\" uin={$_POST['uin']}></div>";
//add this div to $html and print it, need a little more work to figure out how to do this
echo($html); // print variable $html
echo($div); // print variable $div
?>

Answer 3

Perhaps you should store parameters from page B in user session. Than on page C you can use these parameters (after calling session_start() before anything is outputted to the browser). Also, if you are using javascript, consider placing uin in javascript variable instead of html div. Something like <script type="text/javascript">var uin = 123; </script> <script type="text/javascript">var uin = 123; </script> .