I went over many posts regarding this issue, yet can't figure out how to escape this syntax.
I'm simply trying to pop up an editing window via PHP echo of a JavaScript window.open and pass that window a param from MySQL.
The code is echo'ed out along with a table that is dynamically generated via PHP.
Inside that echo the last line is the problematic one, that I can't seem to get to function properly.
E</td>
Note: I have gone over many posts here dealing with this issue, and tried out many solutions, none of which worked out. I'm sure this is very simple to handle, yet I have been staring at this thing and it is slipping my attention.
You can embed PHP into your HTML:
<a href="#"
onClick="window.open(
'popup.php?message=<?php echo $Url; ?>',
'myWindow',
'status = 1, height = 350, width = 1022, resizable = 0'
)"
class="bstyle">
E
</a>
P.S. The weird indentation is just so that you can read it here on SO. Don't actually use it in your code.
Use a backslash to escape characters in PHP.
echo 'E</td>';
echo '<a href="#" onClick="window.open(\'popup.php?message='.$Url.'\', \'myWindow\',
\'status = 1, height = 350, width = 1022, resizable = 0\')" class="bstyle">E</a></td>';
If you were writing html, and wrote this:
<a href="#" onClick="window.open( "popup.php?message=blah", "myWindow",
"status = 1, height = 350, width = 1022, resizable = 0 " )" class="bstyle">E</a></td>
your onclick wouldn't work because it would just hold the value window.open(. You can define the string within the string value of onclick using single quotes. And since in my case I (not sure if you are, but it looks like it) am defining my string to echo using single quotes, I need to escape the ones in my string with the \ character.
You can put a variable inside your HTML code by echo'ing the variable.
E</td>
I would also like to recommend urlencode in this case.
The reason behind this is, because you echo out the $Url variable.
Whenever $Url contains HTML characters like for example " or ' then your javascript call will break.
In your popup.php you can then urldecode the message so that it becomes normal again.
Related
I'm trying to mix <?php echo do_shortcode('[...]') with a field from Advanced Custom Fields within Wordpress.
So basically what I'm trying to do is give the user a text field in the page edit screen where she can paste in the ID of a youtube video. This field will then update my do_shortcode to display the correct video.
I'm not sure what I'm doing wrong considering I've done this several times before and been successful. I do have a feeling I'm not escaping the string correctly?
<?php echo do_shortcode('[video_lightbox_youtube video_id="' . the_field("youtube_video") . '" width="640" height="480" anchor="Play Video"]'); ?>
Anyone able to lead me in the right direction? :)
EDIT
The code above returns q_cHD1lcEOo with multiple spaces in front of it as well as this: "Error! You must specify a value for the Video ID, Width, Height parameters to use this shortcode!" That's why I was thinking I'm not escaping it correctly as these are all specified.
I'll add that if I remove the_field("...") and replace it with just an ID it displays perfectly.
SECOND EDIT
Since I was not supposed to echo it, I was using the wrong function to get the field. Instead of using the_field() which prints the value, I was supposed to use get_field() to simply return it to the string.
Your question is somewhat unclear, but I'm also 20 hours without sleep.
Anyways, as far as mixing PHP within a PHP string, there's numerous ways to do it..
You can use concatenation or { } within the string itself.
For example, say we want to echo out the property of an object within a string.
We could do the following
echo "This is my property " . $object->property;
Or, we can do this
echo "This is my property {$object->property}";
You can even do cool things like access associative arrays within strings like so
echo "This is my property {$object->property['cool']}";
Hopefully this leads you in the right direction.
At first glance it looks like you should be using get_field instead of the_field. the_field will print without being prompted, whereas get_field will return its value, which is what you want.
I see you've also mentioned whitespace at the start, you should consider wrapping the function in trim.
See below:
<?php echo do_shortcode('[video_lightbox_youtube video_id="' . trim(get_field("youtube_video")) . '" width="640" height="480" anchor="Play Video"]'); ?>
I'll show the main parts of the code as most of it is irrelevant:
$url = $row['url'];
echo "<div id='anything'><img id='$url' src='$cover' alt='$title' onclick='myFunction($url)'>";
and the javascript function:
function myFunction(something) {
alert (something);
}
I receive the following error in firebug:
missing ) after argument list
[Break On This Error]
myFunction(http://anything.com/anything...
-------------------^
I am relatively new to javascript but I can tell it is obviously not allowing the ":" from the url. However, I can't change or alter the id, as I need to alert the exact id of the Image.
I have made this work in a different format without the php, so I assume it's there where the problem lies?
The URL needs to be a string, but you're just outputting the string's contents.
You could just put quotes around it as suggested elsewhere, but that's at best an incomplete solution.
Fortunately, PHP gives you a better answer: json_encode combined (in your case) with htmlspecialchars. This is a function that (amongst other things) will properly wrap a string for you such that you can use it in JavaScript code. So:
$escapedUrl = htmlspecialchars(json_encode($url));
then
...onclick='myFunction($escapedUrl)'...
json_encode is for encoding text as JSON, but as JSON is a subset of JavaScript literal notation, and json_encode quite happily returns a valid, properly-escaped JavaScript string...
You need the htmlspecialchars as well because you're then outputting the JavaScript code you're generating into the onclick attribute, and the content of all HTML attributes in HTML text (even ones with code in them) must be properly encoded so (for instance) & must be &amp;, etc.
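An added example, not code from any of the posts on this page: the json_encode plus htmlspecialchars layering with explicit flags, so that a single quote in the value cannot end a single-quoted onclick attribute (before PHP 8.1, htmlspecialchars left single quotes unescaped by default). The helper name js_for_attr and the sample values are hypothetical; the last lines apply the same layers, after urlencode, to the window.open link from the first question.

```php
<?php
// Added example: js_for_attr() is a hypothetical helper and the sample
// values are constructed.

// Encode a PHP value as a JavaScript literal that is safe inside an HTML
// attribute, whichever quote character delimits that attribute.
function js_for_attr($value): string
{
    // Layer 1: JavaScript literal. The JSON_HEX_* flags turn < > & ' " inside
    // the value into \uXXXX escapes, so the only HTML-significant characters
    // left are the double quotes that delimit the string literal itself.
    $js = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    if ($js === false) {
        // json_encode fails on invalid UTF-8: emit null, not a broken call.
        $js = 'null';
    }
    // Layer 2: HTML attribute value. ENT_QUOTES covers both ' and ".
    return htmlspecialchars($js, ENT_QUOTES, 'UTF-8');
}

// Constructed sample row: the single quote would end a '...' attribute and
// the double quotes would end a JavaScript "..." string.
$row = ['url' => "http://anything.com/a?q=it's&x=\"1\""];

$call = js_for_attr($row['url']);
$id   = htmlspecialchars($row['url'], ENT_QUOTES, 'UTF-8');
echo "<img id='$id' onclick='myFunction($call)'>\n";

// A value placed in a query string gets urlencode() first, then the same
// two layers for the argument passed to window.open.
$Url  = "a b&c='d'";
$href = js_for_attr('popup.php?message=' . urlencode($Url));
$name = js_for_attr('myWindow');
echo "<a href='#' onclick='window.open($href, $name)'>E</a>\n";
```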
Do this:
$escapedString = json_encode($url);
echo "<div id='anything'><img id='$url' src='$cover' alt='$title' onclick='myFunction($escapedString)'>";
T.J. Crowder is right, and you can check this out for more information:
What is the correct way to escape text in JSON responses?
Why is my first solution incorrect (even if it seems to work with 1 case)?
Read this: http://kunststube.net/escapism/
echo "<div id='anything'><img id='$url' src='$cover' alt='$title' onclick='myFunction(\"$url\")'>";
You basically need to print double quotes around the value passed into the myFunction call:
onclick='myFunction(\"$url\")'
This is because you are doing something like this:
myFunction(http://anything.com)
Function parameters need to be enclosed within quotes or double quotes in the case of string parameters:
myFunction("http://anything.com")
So your echo should look like:
"<div id='anything'><img id='$url' src='$cover' alt='$title' onclick='myFunction(\"$url\")'>"
Also you should take into account that $url doesn't have to contain valid characters, so you should add some encoding/escaping (think in terms of XSS).
You have to use the encodeURI(uri) function:
echo "<div id='anything'><img id='$url' src='$cover' alt='$title' onclick='myFunction(encodeURI(\"$url\"))'>";
I am using php4 and jquery, I have got a php string variable $content which stores a string as shown below.
<html>
<head></head>
<table>
<tr>
<td>comments:</td>
<td>Good</td>
.....
...n rows
</table>
</html>
So now I want to change the color of all occurrences of the text "Good" to red. How do I write a jQuery function which takes the PHP string variable $content, changes the color of each "Good" word (adds a style color:red) and returns it?
Pure PHP solution:
echo str_replace('Good', '<span style="color:red">Good</span>', $content);
You cannot access PHP variables in Javascript. Also, javascript works on the client side and PHP works on the server side.
I am unsure of the exact usage for this, but, here's my take on doing this:
// in javascript code
var x = "<?php echo $content; ?>"; // do take care of stripping quotes (")
// replace() returns a new string, so assign it back; /g replaces every occurrence
x = x.replace(/Good/g, "<span style='color:red'>Good</span>");
I guess that should do it.
Just to explain a bit more, on the server, PHP will dump the contents of the variable $content to the variable x in JS. On the client side, when JS is executed, it will pick this up and do the replacement.
$("td").each(function(){
$(this).html($(this).html().replace(/Good/, '<span style="color:#f00">Good</span>'));
});
This will look through each cell and find if there is a text value of "Good" and wrap a span around it
$content .= '<span class="red">';
$content .= {your existing code here}
$content .= '</span>';
After it you create a CSS Rule:
.red{ color:red; }
As you see you don't need jQuery at all.
I am trying to assign values in javascript assigned from PHP and then use document.write() to output them. The problem is when I do this, a complete blank screen shows up but no errors are ever thrown. But if I take the PHP out and put in a value such as 'ABC' it works. An example of my code can be this:
var comment_text="<?php echo $value['comment_text'];?>";
var bodyelement = document.getElementsByTagName('body')[0];
var newdiv = document.createElement('div');
newdiv.style.textAlign = 'center';
newdiv.style.zIndex = 10001;
newdiv.style.left = (<?php echo $comment_x;?>+getPos('browserwindow',"Left")-23) + 'px';
newdiv.style.top = (<?php echo $comment_y;?>+getPos('browserwindow',"Top")-90) + 'px';
newdiv.style.position = 'absolute';
newdiv.innerHTML = comment_text;
bodyelement.appendChild(newdiv);
I do have a PHP error log and no errors are being thrown either. The values are retrieved from the database; the problem comes with outputting them.
*UPDATE*
Ok, I had this problem before.
Basically a newline is created like this:
var comment_text="cool Beans
";
I have tried to remove the newline with string replace but doesn't seem to work. Why would a new line like this cause this error?
Your issue is clearly in the output from PHP. If you get a blank page, it means you most likely have a PHP issue that is HALTING the processing of said page.
As PHP is parsed before anything is sent to the viewer, this will result in a blank / error page.
When you substitute your $value['comment_text'] for ABC you remove the location that causes the error.
I am going to assume that $value['comment_text'] is either a result of a function, or a Database query, try just outputting the $value['comment_text'] first, then worry about sticking it in JS (which will work if your PHP code works).
As I don't see any of your PHP code, I cannot help you further.
Use
var comment_text=String(<?php echo json_encode($value['comment_text']);?>);
instead of
var comment_text="<?php echo $value['comment_text'];?>";
This will protect you from cross-site-scripting attacks by escaping all special characters like backslashes, quotes or line feeds.
The String(...) ensures that comment_text has type String and is not interpreted as a number (if $value['comment_text'] has a number type).
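An added example, not code from the posts above: the same assignment inside a script block, where json_encode alone is the right encoder because the browser does not decode HTML entities there. The sample values are constructed, and the use of textContent instead of innerHTML is this example's own choice, made so that stored comment text is displayed rather than parsed as markup.

```php
<?php
// Added example; the sample values below are constructed.
$value = ['comment_text' => "cool Beans\n</script><b>\"hi\"</b>"];
$comment_x = '120';   // database drivers commonly return numbers as strings
$comment_y = '45';

// json_encode turns the newline into \n and the quotes into \", which is
// what the raw echo was missing. JSON_HEX_TAG also rewrites < and > as
// \u003C and \u003E, so the output can never contain a literal </script>.
$text = json_encode($value['comment_text'], JSON_HEX_TAG | JSON_HEX_AMP);
if ($text === false) {
    $text = '""';     // invalid UTF-8: emit an empty string, not a syntax error
}
// Numbers go in as numbers: cast first so only an integer can be printed.
$x = (int) $comment_x;
$y = (int) $comment_y;
?>
<script>
// No htmlspecialchars() here: entities are not decoded in a script element.
var comment_text = <?php echo $text; ?>;
var newdiv = document.createElement('div');
newdiv.style.position = 'absolute';
newdiv.style.left = (<?php echo $x; ?> - 23) + 'px';
newdiv.style.top = (<?php echo $y; ?> - 90) + 'px';
// textContent shows the comment as text; innerHTML would parse it as markup.
newdiv.textContent = comment_text;
document.body.appendChild(newdiv);
</script>
```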
If PHP is causing an error (sounds like it is) you can turn on your error reporting to see the issues
error_reporting(E_ALL);
The solution was just using trim.
echo trim($value['comment_text']);
I recommend you use a heredoc for the javascript code with %s in the js. and use sprintf to substitute the variables.
have a question about a php echoing script that has a link to a javascript with some variables. I need to know the format for the echo so it will work properly. Could anyone shed any light on this? My code is posted below
echo "<a href='javascript: toggle('variable1', 'variable2')'><label1 for='nameEditor'>Manage</label1></a>";
Now when you hover over the link it just shows javascript:toggle( Now I have tried multiple things and I still cant get it to work. Anyone have any suggestions?
Assuming variable1 and variable2 are the PHP bits you want inserted into the javascript, then
echo "<a href='javascript: toggle('$variable1', '$variable2')'><label1 for='nameEditor'>Manage</label1></a>";
However, be aware that if either of those variables contain Javascript metacharacters, such as a single quote, you'll be breaking the script with a syntax error (think of it as the same situation as SQL injection).
To be sure that the variable's contents become legal Javascript, you'd want to do something like:
<script type="text/javascript">
var variable1 = <?php echo json_encode($variable1); ?>;
var variable2 = <?php echo json_encode($variable2); ?>;
</script>
...
try like this:
echo "<label1 for='nameEditor'>Manage</label1>";
you have to escape \ quotes
It's because you're mixing your quotes that the browser see. Do this:
echo "<label1 for='nameEditor'>Manage</label1>";
If you escape the double quotes (\"), you'll be fine. The browser itself is seeing '''' (all single quotes), so you need to retain "''" (double,single,single,double) in your html element attribute, irregardless of PHP (except for the escaping).