added 424 characters in body
Source Link

Your code is somewhat fine for small projects; you don't need to put an extra call for retrieving what needs to be provided and is available in the first place. Your PHP expressions would be rendered and the client won't see the code; if you see the rendered source code in the browser, it would look like the following code:

<script> ... new QRCode(document.getElementById("qr-code"), "./functions/check_if_paid_qr.php?id=421512"); </script>

But there are a few important points, and what you need to take care of are:

  • Reducing redundant/extra network interaction between client and server.
  • Reducing the number of DB queries (the database is the bottleneck).
  • Keeping your code as simple, organized, readable, easy to understand, and maintainable as possible.
  • Avoiding exposing unnecessary data.
  • Preventing unauthorized actions by not exposing unnecessary APIs to public users.
  • When you are accepting input from the client and you are going to show it somewhere later, escape the input with htmlspecialchars() or htmlentities() to avoid a Cross-Site Scripting (XSS) attack.
  • When you are accepting input from the client and you are going to execute a query on the DB based on the provided input, you MUST take some action to prevent SQL injection. Read more here.
  • You need to take care of the variables that you are going to echo in your code: make sure the format and data are valid before passing them as a parameter into your JS functions. Check Vlad's answer.

Update 1: Thanks to @Lie Ryan, I've added some new points based on his answer.

Update 2: Thanks to @VLAZ, I've added some new points based on his answer.
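As an added example (not the answer author's code, and not from the question's project), the following PHP shows the three points above applied to the id that ends up in the QRCode() call: validate it before it is echoed, encode it for the context it lands in (a JavaScript string literal inside a script tag, or HTML text), and look it up with a prepared statement on the server side. The $pdo connection and the orders/paid table and column names are assumptions for illustration.

```php
<?php
// Added example, not code from the original answer. $pdo and the
// "orders"/"paid" names are assumed placeholders.
declare(strict_types=1);

/**
 * Validate the id before it is echoed anywhere. Only a positive integer is
 * accepted; anything else ("421512abc", "-1", "", null) is rejected instead
 * of being interpolated into HTML or JavaScript.
 */
function validateOrderId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Build the URL the QR code will encode. http_build_query() URL-encodes the
 * value, so the query string itself is well-formed whatever the input was.
 */
function buildStatusUrl(int $id): string
{
    return './functions/check_if_paid_qr.php?' . http_build_query(['id' => $id]);
}

/**
 * JavaScript context: json_encode() turns the URL into a valid JS string
 * literal. The JSON_HEX_* flags hex-escape <, >, &, ' and " so the value can
 * never close the <script> tag or break out of the literal, which is the XSS
 * risk when an echoed value is attacker-influenced.
 */
function renderQrScript(int $id): string
{
    $jsUrl = json_encode(
        buildStatusUrl($id),
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR
    );
    return '<script>new QRCode(document.getElementById("qr-code"), ' . $jsUrl . ');</script>';
}

/**
 * HTML context: htmlspecialchars() with ENT_QUOTES escapes <, >, &, " and '
 * so the value cannot inject markup when shown as text or in an attribute.
 */
function renderOrderLabel(int $id): string
{
    return '<p id="order-label">Order #'
        . htmlspecialchars((string) $id, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</p>';
}

/**
 * What check_if_paid_qr.php would do on its side: bind the id as a parameter
 * of a prepared statement so it is treated as data, never concatenated into
 * the SQL text. ($pdo is an assumed existing PDO connection.)
 */
function isOrderPaid(PDO $pdo, int $id): bool
{
    $stmt = $pdo->prepare('SELECT paid FROM orders WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && (int) $row['paid'] === 1;
}

// Usage: $_GET['id'] is untrusted input. Reject invalid values with a 400
// instead of echoing them back into the page.
$id = validateOrderId($_GET['id'] ?? null);
if ($id === null) {
    http_response_code(400);
    exit('invalid id');
}
echo renderOrderLabel($id), "\n", renderQrScript($id);
```

The same validated integer is reused for every output, and each output applies the encoding of its own context rather than one generic escape. The status endpoint that the QR code points at should additionally decide whether an anonymous caller is allowed to learn a given order's paid status, which is the "don't expose unnecessary APIs" point in the list above.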

Updated to add @Lie Ryan's points to this answer.
Source Link

Your code is fine; you don't need to put an extra call for getting what needs to be provided and is available in the first place. Your PHP expressions would be rendered and the client won't see the code; if you see the rendered source code in the browser, it would look like the following code:

<script> ... new QRCode(document.getElementById("qr-code"), "./functions/check_if_paid_qr.php?id=421512"); </script>

Actually, what you need to take care of are:

  • Reducing redundant/extra network interaction between client and server.
  • Reducing the number of DB queries (the database is the bottleneck).
  • Keeping your code as simple, organized, readable, easy to understand, and maintainable as possible.
  • Avoiding exposing unnecessary data.
  • Preventing unauthorized actions by not exposing unnecessary APIs to public users.
  • When you are accepting input from the client and you are going to show it somewhere later, escape the input with htmlspecialchars() or htmlentities() to avoid a Cross-Site Scripting (XSS) attack.
  • When you are accepting input from the client and you are going to execute a query on the DB based on the provided input, you MUST take some action to prevent SQL injection. Read more here.

Update: Thanks to @Lie Ryan, I've added some new points based on his answer.

Source Link

Your code is fine; you don't need to put an extra call for getting what needs to be provided and is available in the first place. Your PHP expressions would be rendered and the client won't see the code; if you see the rendered source code in the browser, it would look like the following code:

<script> ... new QRCode(document.getElementById("qr-code"), "./functions/check_if_paid_qr.php?id=421512"); </script>

Actually, what you need to take care of are:

  • Reducing redundant/extra network interaction between client and server.
  • Reducing the number of DB queries (the database is the bottleneck).
  • Keeping your code as simple, organized, readable, easy to understand, and maintainable as possible.
  • Avoiding exposing unnecessary data.
  • Preventing unauthorized actions by not exposing unnecessary APIs to public users.