0

Could someone help me to understand why this isn't working?

var uname = "<?php echo strtolower($_GET['un']) ?>";
var source = "<?php echo file_get_contents('accounts/"+uname+"') ?>";
console.log(source);

I've been trying for a while to get this working and it just doesn't seem to. Before I added in the source variable, it was working fine and displayed the un variable on the page.

Thanks.

4 Answers

4

You are mixing client-side and server-side technologies... +uname+ looks like a JavaScript variable within a PHP command... The JavaScript variable isn't available until the page is rendered.

Try...

var source = "<?php echo file_get_contents('accounts/'. $_GET['un']) ?>";

1 Comment

This is wide open to attacks... It gives an attacker the means to read any files on your webserver.
2

You set uname as a JavaScript variable and then you try to read it with PHP.

var source = "<?php echo file_get_contents('accounts/'.strtolower($_GET['un'])) ?>";
console.log(source);

I must say that this is not safe for public usage in any way.

3 Comments

It's not really for the public, it's more for just me and my friends. ;]
I would highly recommend checking if the file exists in the folder; doing some traversing with ../ can reveal your passwords or other sensitive file contents on the server.
In case that wasn't clear, what Dave Chen meant is that it's possible for anyone to read anything on your disk, not just in the accounts folder (subject to file permissions).
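A hardened version of the first answer's snippet, added here as an example and not taken from any answer on this page. It assumes the same layout (account files in an accounts directory beside the script, looked up by ?un=), rejects the ../ traversal the comments above warn about, and uses json_encode instead of splicing raw file contents into a JavaScript string literal.

```php
<?php
// Added example, not code from the question or its answers. Assumes account
// files live in "accounts/" next to this script and are selected by ?un=.
$accountsDir = realpath(__DIR__ . '/accounts');
if ($accountsDir === false) {
    http_response_code(500);
    exit;
}

$un = strtolower((string)($_GET['un'] ?? ''));

// 1. Allowlist the identifier: only lowercase letters, digits and underscore.
//    Dots and slashes never match, so "../" and absolute paths are rejected
//    before any filesystem call is made.
if (!preg_match('/^[a-z0-9_]{1,32}$/', $un)) {
    http_response_code(400);
    exit;
}

// 2. Resolve the final path and confirm it is still inside the accounts
//    directory. This catches symlinks pointing elsewhere and is a second
//    line of defence independent of the regex.
$path = realpath($accountsDir . '/' . $un);
if ($path === false
    || strpos($path, $accountsDir . DIRECTORY_SEPARATOR) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit;
}

$source = file_get_contents($path);
?>
// 3. Emit the contents as a proper JavaScript literal. json_encode escapes
//    quotes and newlines, and the HEX flags keep a "</script>" inside the
//    file from terminating the script tag.
var source = <?php echo json_encode($source,
    JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_INVALID_UTF8_SUBSTITUTE); ?>;
console.log(source);
```

Requests such as ?un=../../etc/passwd fail at step 1, and a symlink inside accounts/ that points outside it fails at step 2.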
0

I just want to point out that you don't need PHP to access variables in your query string; as some already mentioned, you are mixing technologies here. Also note that your question's example has security issues, and I'm pretty sure that these will persist, as you need to sanitize the input in the script you call!

Your complete example can be done in JavaScript. I'll use jQuery for the ajax call (you can omit it ofc and handle the ajax call yourself obviously - I'm just being lazy ;-) ) and an MDN snippet for query string retrieval.

// populate a variable with your query string (window.location.search) - courtesy of MDN
var oGetVars = new (function (sSearch) {
  var rNull = /^\s*$/, rBool = /^(true|false)$/i;
  function buildValue(sValue) {
    if (rNull.test(sValue)) { return null; }
    if (rBool.test(sValue)) { return sValue.toLowerCase() === "true"; }
    if (isFinite(sValue)) { return parseFloat(sValue); }
    if (isFinite(Date.parse(sValue))) { return new Date(sValue); }
    return sValue;
  }
  if (sSearch.length > 1) {
    for (var aItKey, nKeyId = 0, aCouples = sSearch.substr(1).split("&"); nKeyId < aCouples.length; nKeyId++) {
      aItKey = aCouples[nKeyId].split("=");
      this[unescape(aItKey[0])] = aItKey.length > 1 ? buildValue(unescape(aItKey[1])) : null;
    }
  }
})(window.location.search);

// with jQuery
$.ajax({
    url: "accounts/" + oGetVars.un,
    success: function(data, textStatus, jqXHR) {
        console.log(data);
    }
});

// plain javascript
var xhr = new XMLHttpRequest();
xhr.open("GET", "accounts/" + oGetVars.un, true);
xhr.onreadystatechange = function () {
    // the request object is xhr (or "this" inside the handler); "http" was never defined
    if (xhr.readyState == 4 && xhr.status == 200) {
        console.log(this.responseText);
    }
};
xhr.send();

[edit] Updated the example with a plain JavaScript XMLHttpRequest call.

1 Comment

I don't actually have jQuery on my site yet, but I am adding it now.
-3

Try this:

<?php $uname = strtolower($_GET['un']); ?>
var source = "<?php echo file_get_contents('accounts/'.$uname) ?>";
