Reputation: 67
I need help escaping string parameters for a javascript function using PHP
I am dynamically creating an anchor that calls a javascript function. It works with one string parameter but not with two. I believe I am not escaping the quotes around the parameters correctly. In search for an answer I came across the following
onclick="alert('<?echo $row['username']?>')"
and the next one I found left me completely baffled
echo('<button type="button" id="button'.$ctr.'"onClick="showMapsInfo(\''.str_replace("'", "\\'", $maps_name).'\', \''.str_replace("'", "\\'", $ctr).'\');"><img src="img/maps_logo.gif"></button><br/>');
If someone would please
Explain why the single quotes around username do not have to be escaped?
Where there is a "dummies" write up on escaping characters so I could try to decipher the second example.
Upvotes: 0
Views: 2020
Answers (5)
Reputation: 9305
You can replace the quotes and then use heredoc, it is more legible and easier to understand.
$maps_name = str_replace("'", "\\'", $maps_name);
$ctr = str_replace("'", "\\'", $ctr);
echo <<<HTML
<button type="button" id="button$ctr" onClick="showMapsInfo('$maps_name', '$ctr');"><img src="img/maps_logo.gif"></button><br/>
HTML;
Upvotes: 1
Reputation: 54734
Let's examine your first example
onclick="alert('<?echo $row['username']?>')"
The important part here is, that everything outside of <? … ?> is pure HTML and never looked at by the PHP interpreter. Therefore, the only part that is relevant for PHP is the code inside <? … ?>, namely echo $row['username']. Here, one does not need to do any escaping.
Your second example, in contrast
echo('<button type="button" id="button'.$ctr.'"onClick="showMapsInfo(\''.str_replace("'", "\\'", $maps_name).'\', \''.str_replace("'", "\\'", $ctr).'\');"><img src="img/maps_logo.gif"></button><br/>');
is written purely in PHP, no surrounding HTML. Therefore, you have to be careful with the quotes. Let's build this up from scratch to see what happens here. When you build something like this, you would probably start with
echo('<button type="button" id="button1" onClick="showMapsInfo(\'...\');"><img src="img/maps_logo.gif"></button><br/>');
Because the single quotes were already used as string delimiters, they must be escaped inside the string with \'. Now for the part inside the javascript function. Put even simpler, the above code boils down to
echo('showMapsInfo(\'...\');');
which results in
showMapsInfo('...');
when we want to insert some dynamic parts instead of the '...' part, we need to end the string with ' and concatenate it back together with .. Suppose you wanted to insert a variable $foobar in there, then you would write:
echo('showMapsInfo(\''.$foobar.'\');');
which results in
showMapsInfo('<VALUE OF $foobar>');
Your example does not insert $foobar into this string, but rather the following expression:
str_replace("'", "\\'", $maps_name).'\', \''.str_replace("'", "\\'", $ctr)
Which uses str_replace in order to again escape the content, but with a little twist: It is not escaped for PHP, but for the resulting Javascript! Every single quote ' becomes an escaped single quote \' in the output, but you need to write \\' because the backslash needs to be escaped itself, in order to produce a backslash as output.
Upvotes: 1
Reputation: 38253
The single quotes around username do not have to be escaped because it is part of the PHP variable, not the JavaScript.
Information on injecting PHP variables into JavaScript can be found here and more info here.
You only need to enclose the PHP variables in quotes if the variable is a string.
Upvotes: 0
Reputation: 3117
I think you dont have problem in escaping single quote as the function is working when you are
calling it using one parameter only.
Check if you are creating the whole parameter sting correctly, if the comma is added properly and in javascript if single quote comes around bot the parameters.
finally the parameter string should look like
'param1', 'param2'
Upvotes: 0
Reputation: 160943
You could use json_encode function for the javascript variable.
echo sprintf(
'<button type="button" id="button%s" onClick="showMapsInfo(%s, %s);">
<img src="img/maps_logo.gif"></button><br/>',
htmlspecialchars($ctr), json_encode($maps_name), json_encode($ctr));
Upvotes: 0
Related Questions
- How to echo php string with special characters inside javascript function parameter
- Escaping this javascript code in php
- Escaping quotes in javascript function
- Using PHP variables as parameters for JavaScript function
- Correctly escaping a string in php before passing it to javascript
- Escaping quotation marks in PHP for JavaScript function argument
- JS inside PHP Escape String (for functions)
- Passing string with apostrophe from PHP into JavaScript function
- Pass a string into a Javascript function all in PHP - How to escape correctly?
- PHP: How should I escape a string that will be going into a Javascript String?