
js and php intertwine

Posted: Mon Jun 13, 2005 10:47 pm
by thegreatone2176
I don't think this is the right spot for this, but it is theory, so here it goes.

I've been hearing some stuff and have seen a few pages talking about developers trying to get JS and PHP to run more closely, and I think this is a bad idea for security reasons. Imagine if JS was developed to use and/or read PHP variables. That would mean any type of XSS attack could read variables and output them to the attacker, and the admin would not have much of a chance of noticing it. Also, for big open source projects where all variables can easily be looked up by checking the source, this could be a huge problem; for example, an attacker could document.write($DbPassword) and have the MySQL details of the site.

Also, if developers used PHP variables in JavaScript and someone edited the HTML source, there could be all sorts of manipulation problems/authentication bypasses and more problems of gaining passwords and usernames.

Has anyone else been hearing/seeing about these two languages merging more closely and/or thought of the security consequences of such an action?

Posted: Tue Jun 14, 2005 3:02 am
by CoderGoblin
One link:
Sitepoint Article

I seem to remember seeing another link somewhere on these forums the other day but cannot remember where unfortunately. Security with this kind of processing is a potential problem at the moment.

Posted: Tue Jun 14, 2005 3:17 am
by phpScott
The 2 technologies, I think, are called ajax (AJAX or Asynchronous JavaScript and XML) and sajax (Sajax makes it easy to call PHP functions from your webpages via JavaScript without performing a browser refresh).

Done a similar thing using IFRAMEs and the JS DOM.
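
An added illustration of the concern in the first post and of the call-PHP-from-JavaScript pattern mentioned above; it is not part of the original thread and is not Sajax's own code. It assumes PHP 7 or later, and every function name, the export list and the sample requests are constructed: the browser receives only what the server writes into the page, only listed functions can be called, and permissions are decided from server-side state rather than from values sent back.

```php
<?php
// Added illustration; every name and value here is constructed.
$state = [
    'db_password' => 'constructed-secret', // server-side only
    'user'        => 'alice',
    'is_admin'    => false,
];

// 1. A value reaches JavaScript only if the server writes it into the page.
function page_vars(array $state): string {
    $public = ['user' => $state['user']]; // explicit choice of what to emit
    $flags  = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return '<script>var pageVars = ' . json_encode($public, $flags) . ';</script>';
}

// 2. Functions callable from the browser are listed explicitly.
const EXPORTED = ['get_profile', 'delete_user'];

function get_profile(array $state, array $args): array {
    return ['user' => $state['user']];
}

function delete_user(array $state, array $args): array {
    // Permission comes from server state, never from anything in $args.
    if (!$state['is_admin']) {
        return ['error' => 'forbidden'];
    }
    return ['deleted' => (string) ($args['name'] ?? '')];
}

function dispatch(array $state, array $request): array {
    $fn = $request['fn'] ?? '';
    if (!is_string($fn) || !in_array($fn, EXPORTED, true)) {
        return ['error' => 'not exported'];
    }
    $args = is_array($request['args'] ?? null) ? $request['args'] : [];
    return $fn($state, $args);
}

// Constructed requests, including ones sent after the page source was edited.
$requests = [
    ['fn' => 'get_profile'],
    ['fn' => 'delete_user', 'args' => ['name' => 'bob', 'is_admin' => true]],
    ['fn' => 'internal_cleanup'], // hypothetical name, not in EXPORTED
];
echo page_vars($state), "\n";
foreach ($requests as $r) {
    echo json_encode($r), ' => ', json_encode(dispatch($state, $r)), "\n";
}
```

Run from the command line, the second request returns `forbidden` even though it carries `is_admin: true`, and the third returns `not exported`.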