Reputation: 51
I'm trying to output an item description from a database query.
This is the piece of code that should output the description with the name etc.
<?php
$type = "item";
$limit = 16;
$preparedStatement = $SQL->prepare('SELECT * FROM z_shop_offer WHERE offer_type = :type LIMIT :limit');
$preparedStatement->bindParam(':type', $type, PDO::PARAM_STR);
$preparedStatement->bindParam(':limit', $limit, PDO::PARAM_INT);
$preparedStatement->execute();
if ($preparedStatement->rowCount() > 0) {
    // Define how we want to fetch the results
    $preparedStatement->setFetchMode(PDO::FETCH_ASSOC);
    $iterator = new IteratorIterator($preparedStatement);
    foreach ($iterator as $item) {
        echo '
<div class="ServiceID_Icon_Container" id="ServiceID_Icon_Container_'.$item['id'].'">
    <div class="ServiceID_Icon_Container_Background" id="" style="background-image:url('.$layout_name.'/images/serviceid_icon_normal.png);">
        <div class="ServiceID_Icon" id="ServiceID_Icon_'.$item['id'].'" style="background-image:url(' . $config['site']['item_images_url'] . $item['itemid1'] . $config['site']['item_images_extension'] . ');" onclick="ChangeService('.$item['id'].', 12);" onmouseover="MouseOverServiceID('.$item['id'].', 12);" onmouseout="MouseOutServiceID('.$item['id'].', 12);">
            <div class="PermanentDeactivated">
                <span class="HelperDivIndicator" onmouseover="ActivateHelperDiv($(this), \''.$item['offer_name'].'\', \''.htmlentities($item['offer_description']).'<BR><BR>\', \'\');" onmouseout="$(\'#HelperDivContainer\').hide();">
                    <div class="ServiceID_HelperDiv"></div>
                </span>
            </div>
        </div>
    </div>
</div>
';
    }
}
?>
I've already tried htmlentities, htmlspecialchars and addslashes.
This is the description that's stored in the database (on this one, it stops showing the tooltip with the description):
Activate one hour of 1.5x more Experience. It has only one charge. Using any other injection while one is active will only stack it's time and not the experience. The time will not stop if you log out or die.
How do I properly escape / output the description?
Upvotes: 0
Views: 72
Reputation: 411
The problem you probably have is that you need to double-escape the data: you need to use json_encode() in addition to htmlspecialchars.
onmouseover="'.htmlspecialchars(
    'ActivateHelperDiv($(this), '.json_encode($item['offer_name']).')'
).'">'
Here, you are using htmlspecialchars for the entire attribute value, and json_encode for the values passed from PHP to JavaScript.
Upvotes: 2
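An added example (not the asker's or the answerer's code) that carries the answer's layering through for the full onmouseover attribute from the question: the value crosses three contexts (HTML shown inside the tooltip, a JavaScript string literal, a double-quoted HTML attribute) and each one gets its own encoder, applied innermost first. The helper names are hypothetical, `$item` is a constructed row, and it assumes PHP 7.3 or later and that `ActivateHelperDiv()` inserts its arguments as HTML (which is what the original's appended `<BR><BR>` implies).

```php
<?php
// Added example, not code from the question or the answer. Helper names are
// hypothetical; $item is a constructed row. Assumes PHP >= 7.3 and that
// ActivateHelperDiv() inserts its 2nd/3rd arguments as HTML.

/**
 * Turn $value into a JavaScript string literal that is also safe inside a
 * double-quoted HTML attribute.
 *
 * Layer 1 (JS context): json_encode() yields a valid literal such as
 *   "stack it\u0027s time", so apostrophes, quotes, backslashes and
 *   newlines can no longer terminate the literal. The JSON_HEX_* flags
 *   leave no < > & ' " characters in the output at all.
 * Layer 2 (HTML attribute context): htmlspecialchars() encodes the literal's
 *   own double quotes as &quot; so they cannot close the attribute. The
 *   browser decodes entities first, then hands the literal to the JS parser.
 */
function jsStringForAttribute(string $value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_THROW_ON_ERROR;
    return htmlspecialchars(json_encode($value, $flags), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the tooltip <span> from the question's markup with every layer escaped. */
function helperSpan(array $item): string
{
    // Layer 0 (HTML inside the tooltip): the helper renders these as HTML, so
    // escape them for that context first, then add the line breaks as markup.
    $nameHtml = htmlspecialchars($item['offer_name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $descHtml = htmlspecialchars($item['offer_description'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '<BR><BR>';

    return '<span class="HelperDivIndicator"'
        . ' onmouseover="ActivateHelperDiv($(this), ' . jsStringForAttribute($nameHtml)
        . ', ' . jsStringForAttribute($descHtml) . ', \'\');"'
        . ' onmouseout="$(\'#HelperDivContainer\').hide();">'
        . '<div class="ServiceID_HelperDiv"></div></span>';
}

// Constructed sample row containing the characters that broke the original markup:
// an apostrophe (ends a '...' JS literal), a double quote (ends the attribute),
// a newline (illegal inside a JS literal) and an HTML tag.
$item = [
    'offer_name'        => 'XP "Injection" 1.5x',
    'offer_description' => "Using any other injection while one is active will only stack it's time.\n<b>Not</b> refundable.",
];
echo helperSpan($item), PHP_EOL;
```

The order matters: encode for the innermost context (the tooltip HTML) first and the outermost (the attribute) last, because the browser undoes them in the reverse order.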