I can't for the life of me figure out how to store this JavaScript function in a PHP variable. Basically I want to store this function as a standard string in a PHP variable, and then it gets printed out on a page. I know that I have to escape JavaScript to have it work with PHP, but the reason I'm stuck on this is because this particular JavaScript and HTML combination seems to make use of both " and ' so I can't figure out how to escape it. Maybe you guys could help me out?
Here's the code I want to store in the php variable:
<a href='javascript:PopupContact_OpenForm("PopupContact_BoxContainer","PopupContact_BoxContainerBody","PopupContact_BoxContainerFooter");'><img src='/popup-contact-form.jpg' /></a>
<div style="display: none;" id="PopupContact_BoxContainer">
<div id="PopupContact_BoxContainerHeader">
<div id="PopupContact_BoxTitle">Contact Us</div>
<div id="PopupContact_BoxClose">Close</div>
</div>
<div id="PopupContact_BoxContainerBody">
<form action="#" name="PopupContact_Form" id="PopupContact_Form">
<div id="PopupContact_BoxAlert"> <span id="PopupContact_alertmessage"></span> </div>
<div id="PopupContact_BoxLabel_Page"> Your Name </div>
<div id="PopupContact_BoxLabel_Page"><input name="PopupContact_name" class="PopupContact_TextBox" type="text" id="PopupContact_name" maxlength="120"></div>
<div id="PopupContact_BoxLabel_Page"> Your Email </div>
<div id="PopupContact_BoxLabel_Page"><input name="PopupContact_email" class="PopupContact_TextBox" type="text" id="PopupContact_email" maxlength="120"></div>
<div id="PopupContact_BoxLabel_Page"> Enter Your Message </div>
<div id="PopupContact_BoxLabel_Page"><textarea name="PopupContact_message" class="PopupContact_TextArea" rows="3" id="PopupContact_message"></textarea></div>
<div id="PopupContact_BoxLabel_Page"><input type="button" name="button" class="PopupContact_Button" value="Submit" onClick="javascript:PopupContact_Submit(this.parentNode,'/popup-contact-form/');"></div>
</form>
</div>
</div>
<div style="display: none;" id="PopupContact_BoxContainerFooter"></div>
Hopefully you can see what I mean, I want to store it in my $button variable
Thanks!
You could put the whole thing in single quotes and then escape every single quote within it like \', but a much nicer approach would be to use PHP's nowdoc syntax:
$str = <<<'STR_HTML'
// All your HTML goes here
STR_HTML;
If your PHP version is earlier than 5.3 you can't use nowdoc, so you should use heredoc instead. The difference is like the difference between double quotes (heredoc) and single quotes (nowdoc).
See the PHP manual page on strings for more information.
The best thing you can do, is to move your JavaScript functions to separate files. Mixing them into your PHP will create a lot of clutter.
In your PHP:
<html>
<head>
<script src="path/to/my/script.js"></script>
</head>
<body>
....
</html>
In the script file:
function PopupContact_OpenForm( ... ) {
...
}
This will make it much easier to organize your source code and add more functions without mixing PHP and JavaScript.
(If you still want to keep everything in the PHP file, use HEREDOC as the others suggest.)
heredoc syntax to the rescue!
It's really not good to have all of that in a variable mixing code and html.
To answer your question though, use a heredoc:
$bar = <<<LABEL
Nothing in here...
LABEL;
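The nowdoc/heredoc difference described in the answers above, applied to the markup from the question. This is an added example, not code from the original posts; `popup_button()` and its `$formUrl` parameter are hypothetical, and the point it adds is that a value interpolated into an inline event handler has to be encoded for JavaScript first and for the HTML attribute second.

```php
<?php
// Added example. popup_button() and $formUrl are hypothetical names.

function popup_button(string $formUrl): string
{
    // JavaScript context first: json_encode() yields a quoted JS string
    // literal; the JSON_HEX_* flags turn <, >, &, ' and " inside the value
    // into \uXXXX escapes.
    $jsUrl = json_encode(
        $formUrl,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    // HTML attribute context second: the handler sits inside onclick="...".
    $attrUrl = htmlspecialchars($jsUrl, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Nowdoc: nothing is interpolated, so both quote styles are literal text.
    $static = <<<'HTML'
<a href='javascript:PopupContact_OpenForm("PopupContact_BoxContainer","PopupContact_BoxContainerBody","PopupContact_BoxContainerFooter");'><img src='/popup-contact-form.jpg' /></a>
HTML;

    // Heredoc: behaves like a double-quoted string, so {$attrUrl} is expanded.
    $dynamic = <<<HTML
<input type="button" class="PopupContact_Button" value="Submit" onclick="PopupContact_Submit(this.parentNode,{$attrUrl});">
HTML;

    return $static . "\n" . $dynamic;
}

// The fixed path from the question.
$button = popup_button('/popup-contact-form/');
echo $button, "\n\n";

// A constructed value containing both quote styles and a tag stays inside
// the JavaScript string literal instead of closing the attribute.
echo popup_button("it's \"quoted\" </script>"), "\n";
```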
I'm using a conditional in templating engine tinybutstrong to show a <div> when a variable is not blank.
<div class="notice">[onshow;block=div;when [var.notice;noerr]!=''][var.notice;noerr]</div>
It works well except for when the $notice variable has an apostrophe ' in it. Otherwise the onshow conditional doesn't run.
How do I fix this?
The values may have quotes, so you have to use delimiters and escaping:
<div class="notice">
[onshow;block=div;when '[var.notice;strconv=esc;noerr]'!='']
[var.notice;noerr]
</div>
The manual has been updated in order to have this clearer.
But in your case, using a magnet seems smarter:
<div class="notice">
[onshow.notice;noerr;magnet=div]
</div>
I'm working on a website for my internship and I'm facing some troubles.
I want to create a button with a special value. I'll link my code below so you'll be able to understand more easily what I'm talking about:
<input type="button" class="newu" value="<i class='fa fa-pencil-square' aria-hidden='true'></i> <?php echo $nom_prod['nom_produit'] ; ?>"/>
The problem is that quotes aren't working like I would like them to since I'm using xxx times simple and double quotes.
If you guys have any clue how I could manage to fix this it would be really nice to tell me how.
Thanks in advance & bybye.
You could try using a button element instead of an input.
<button class="newu"> <i class='fa fa-pencil-square' aria-hidden='true'></i> <?php echo $nom_prod['nom_produit'] ;?> </button>
Good luck with your internship and happy coding!
Looking at your requirement, you need to use the <button> tag instead of the <input> tag. Refer the difference here..
You can have almost anything between <button> tags.
And if you really want to go conventional way then you wrap your tag with other tags and set your values inside that using javascript. But that's impracticable.
I basically have a search form with input:
<input type="text" name="search" />
This ends up sending the user off to:
/search/[URL_ENCODED_STRING]
So if they searched for
http://www.stackoverflow.com/
The url would be:
/search/http%253A%252F%252Fwww.stackoverflow.com%252F
My problem comes with knowing if the input I then read later is safe. I would then on the search page use Drupal's inherent ways of reading the value (arg(1)). But even without Drupal, the result would be essentially the same. I would end up with:
$variable = urldecode($input);
If I then print out $variable, it will show:
http://www.stackoverflow.com/
My question is, what kind of sanitizing must I apply to this string before using it in SQL? Is it simply "addslashes"? Or should I remove all non alphanumeric and number values?
NOTE
I haven't gotten to that part yet, but I'm fairly certain Drupal will apply its own sanitization if I pass this variable to the built-in search function, but I still would like to know what the right way is to sanitize this input to avoid malicious users doing strange things on the website.
UPDATE
I got to the part and Drupal does take care of the prepared statement part. But I still don't know how I would sanitize the string when printing it here:
<div id="searchedFor">
<span class="preLabel">You searched for</span>
<h2><?php print $_REQUEST['search']; ?></h2>
</div>
What is the most correct way to print that out?
To sanitize to the page, use htmlentities() or strip_tags() or htmlspecialchars():
<div id="searchedFor">
<span class="preLabel">You searched for</span>
<h2><?php echo htmlentities($_REQUEST['search'], ENT_QUOTES); ?></h2>
</div>
Example:
<?php echo htmlentities("<script>NastyJS('code');</script>", ENT_QUOTES); ?>
<!-- Shows in browser this way -->
<script>NastyJS('code');</script>
<!-- but shows in source this way -->
&lt;script&gt;NastyJS(&#039;code&#039;);&lt;/script&gt;
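The two halves of the question above (the search term in SQL, then the same term printed back) in one place. This is an added example, not code from the thread and not Drupal's API: the `pages` table, its rows, and the helpers `find_pages()` and `h()` are constructed for illustration, and it assumes the `pdo_sqlite` extension is available.

```php
<?php
// Added example. Table, rows and function names are constructed.

function find_pages(PDO $db, string $term): array
{
    // LIKE wildcards in the term are escaped so % and _ match literally.
    $like = '%' . strtr($term, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']) . '%';
    // The term is bound as data; it never becomes part of the SQL text.
    $stmt = $db->prepare("SELECT title FROM pages WHERE title LIKE :t ESCAPE '\\'");
    $stmt->execute([':t' => $like]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function h(string $s): string
{
    // Encode at output time, for the HTML context the value lands in.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (title TEXT)');
$db->exec("INSERT INTO pages VALUES ('http://www.stackoverflow.com/'), ('100% safe')");

// Constructed inputs: the URL from the question, a term full of SQL quote
// characters, and the markup string used in the answer above.
$inputs = [
    'http%3A%2F%2Fwww.stackoverflow.com%2F',
    "x' OR '1'='1",
    "<script>NastyJS('code');</script>",
];

foreach ($inputs as $raw) {
    $term = urldecode($raw);          // decode once; the raw text goes to SQL
    $hits = find_pages($db, $term);   // bound parameter, no addslashes()
    echo '<h2>', h($term), '</h2> ', count($hits), " match(es)\n";
}
```

The value is kept unmodified for the query and encoded only where it is printed, so the same string can later be used in a different output context with that context's encoder.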
I am trying to improve on my programming theory and in a previous question it was pointed out to me that I should not use multi-line echos in my programming as shown in the first example. I use this because once it is compiled it automatically minimizes the output HTML. Which of the three examples below is the best practice for making use of PHP and why?
1)
echo '<div class="row cf">';
echo '<div class="col_8 cf alpha">'.$page_title.'</div>';
echo '<div class="col_4 cf omega right">';
echo '<a href="'.$table_url.'-action.php?action=add" class="button blue">';
echo '<i class="icon-plus-sign"> </i> Add a Site</a>';
echo '</div>';
echo '</div><hr>';
2)
echo '
<div class="row cf">
<div class="col_8 cf alpha">'.$page_title.'</div>
<div class="col_4 cf omega right">
<a href="'.$table_url.'-action.php?action=add" class="button blue">
<i class="icon-plus-sign"> </i> Add a Site</a>
</div>
</div>
<hr>
';
3)
<div class="row cf">
<div class="col_8 cf alpha"><?php echo $page_title; ?></div>
<div class="col_4 cf omega right">
<a href="<?php echo $table_url; ?>-action.php?action=add" class="button blue">
<i class="icon-plus-sign"> </i> Add a Site</a>
</div>
</div>
<hr>
Thanks.... Pete
There is significant difference. The first one is especially hard to maintain. The second is a bit better, but still inconvenient.
The third one allows you to write plain HTML without the need of escaping anything. You only briefly open PHP tags to insert variables. This HTML is also properly syntax-highlighted if you've got a smart editor like Netbeans or even Notepad++.
So I would choose the third one, except maybe when I insert a very tiny piece of HTML.
If I may suggest a small improvement:
<?php echo $x; ?>
can also be written as
<?= $x ?>
In case of performance, I think there won't be much difference. I would guess that the third one is faster, since it needs to parse and execute smaller pieces of PHP. In the other ones the strings need to be parsed as well to check for special characters.
That said, I doubt if you would be able to measure any difference at all, and it shouldn't be your concern. Choose the one you like best. For optimization, you'd better find real bottlenecks, which are usually found in the area of executing too many, too complex, or poorly optimized database queries.
I prefer solution 3 for two reasons:
My IDE (notepad++) will actually syntax highlight the HTML and the PHP and not just colour it the "string colour". I also do not have to escape ''s in the HTML by changing it to \' every time I use it.
I would like for posts returned from my database, from users, to be formatted the same way they originally input them.
Like when I echo out the text from a row of data it comes out like this:
Hello There.
When the user originally formatted it like this:
Hello
There.
Notice the return? How do I achieve this?
Here is my html:
<form method="post" action="share.php">
<textarea name="story"></textarea>
<div id="share-something-bottom">
<div id="share-something-camera">
<img src="images/camera.png"/>
<button type="submit" class="share"
name="share"><p>Share</p></button>
</div>
</div>
</form>
I am using a varchar field in my database table.
Thanks
Store the formatting in the DB and make sure you escape it before storing it.
If you wish to preserve newlines when you echo them on the page, you need to use nl2br().
echo nl2br($string_from_database);
You could also wrap the string in <pre> tag, but that will also affect the used font (by default).
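The store-then-display round trip from this thread, as an added example that is not part of the original answer. The `stories` table, `save_story()` and `render_story()` are constructed names, the sample text reuses the markup string from earlier on this page, and `pdo_sqlite` is assumed; it shows that the order of `htmlspecialchars()` and `nl2br()` decides whether user markup reaches the browser.

```php
<?php
// Added example. Table, function names and sample text are constructed.

function save_story(PDO $db, string $story): void
{
    // Bound parameter: the text is stored as typed, newlines included.
    $db->prepare('INSERT INTO stories (body) VALUES (:b)')
       ->execute([':b' => $story]);
}

function render_story(string $body): string
{
    // Encode first, then add <br>, so the line breaks are the only markup.
    $safe = htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return nl2br($safe, false);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE stories (body TEXT)');

// Constructed textarea submission: two lines, the second one with markup.
save_story($db, "Hello\r\nThere. <script>NastyJS('code');</script>");
$body = $db->query('SELECT body FROM stories')->fetchColumn();

echo "nl2br() alone (markup from the post reaches the browser):\n";
echo nl2br($body), "\n\n";

echo "nl2br() then htmlspecialchars() (the <br> tags get encoded too):\n";
echo htmlspecialchars(nl2br($body), ENT_QUOTES, 'UTF-8'), "\n\n";

echo "htmlspecialchars() then nl2br():\n";
echo render_story($body), "\n";
```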