1

Don't know if the author is a genius or an idiot. Thoughts ?

Comments
  • 3
    no escaping.. yikes!
  • 1
    This makes me scream on so many levels

    AAAAAAAAAAAAAAAAAAAHHHHH
  • 2
    That's JavaScript, right? That $page variable is a JavaScript variable, and he's filling that policy_err variable from PHP when rendering the output.

    Or maybe he has mixed one with the other thinking (like many starters do) that they can run PHP code just like that from client code?
  • 0
    @ethernetzero $page is valid jQuery, nuff said
  • 1
    @xewl Yeah, that's what adds to the confusion.
  • 1
    You can use var like this in PHP!
  • 1
  • 0
    @linuxxx @PrivateGER

    echo 'var say=' . (!empty($_GET['what']) && is_string($_GET['what']) ? '"'.escape_str($_GET['what']).'"' : 'null' ) . ';';
  • 0
    @xewl Wouldn't you have to echo out script tags first?
  • 1
    @PrivateGER probably.. depends on how/where exactly u'd use it (thinking eg. a dynamically built .js file/endpoint)
  • 2
    That code is actually a great cross-site scripting opportunity. Your coworker is a genius if he/she is planning to steal from your company, or trick your users. But most probably he is an idiot. Yes, he's an idiot.
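    The safe way to do what the snippet in this thread attempts, as an added example that is not from any commenter here: the unknown `escape_str` helper from the comment above is replaced with PHP's built-in `json_encode` and its `JSON_HEX_*` flags; the `what` parameter and the `say` variable name are taken from that comment, and the sample value is constructed.

```php
<?php
// Added example (not from the thread): filling a JavaScript variable
// from a PHP request parameter, unsafe and safe form side by side.

// UNSAFE: raw concatenation. A quote or a "</script>" inside the value
// terminates the JS string or the whole script element, which is the
// cross-site scripting the last comment refers to. Kept only as the
// "before" picture; never use this.
function unsafe_js_var(string $name, ?string $value): string
{
    return 'var ' . $name . '="' . $value . '";';
}

// SAFE: json_encode emits a valid JS literal for any string (or null),
// and the JSON_HEX_* flags hex-escape < > & ' " so the output can neither
// close the surrounding <script> element nor break out of a quoted
// context. $name must be a constant identifier chosen by the server,
// never user input.
function safe_js_var(string $name, ?string $value): string
{
    $literal = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return 'var ' . $name . '=' . $literal . ';';
}

// Same input validation the comment above uses: only accept a string,
// otherwise emit null. Constructed fallback value for running offline.
$what = (!empty($_GET['what']) && is_string($_GET['what'])) ? $_GET['what'] : null;
$sample = $what ?? 'Tom & "Jerry" </script>';

header('Content-Type: text/html; charset=utf-8');
echo "<script>\n";
echo safe_js_var('say', $sample), "\n";
echo "</script>\n";
```

Compare `unsafe_js_var('say', $sample)` with `safe_js_var('say', $sample)` for the constructed value to see why the thread reacted the way it did: only the second one stays inside the string literal.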