I have the following script printed from PHP. If someone has a single quote in the description, it shows the JavaScript error "missing ;" because it thinks the string has terminated.
print "<script type=\"text/javascript\">\n
var Obj = new Array();\n
Obj.title = '{$_REQUEST['title']}';
Obj.description = '{$_REQUEST['description']}';
</script>";
The form does a POST to this page, and the title and description come from text boxes. Also, I am unable to put double quotes around {$_REQUEST['title']}, as it shows a syntax error. How can I handle this?
A cleaner (and more secure) way to do it (IMO):
<?php
//code here
$title = addslashes(strip_tags($_REQUEST['title']));
$description = addslashes(strip_tags($_REQUEST['description']));
?>
<script type="text/javascript">
var Obj = new Array();
Obj.title = '<?php echo $title?>';
Obj.description = '<?php echo $description?>';
</script>
You also need to be careful with things like line breaks. JavaScript strings can't span over multiple lines. json_encode is the way to go. (Adding this as new answer because of code example.)
<?php
$_REQUEST = array(
'title' => 'That\'s cool',
'description' => 'That\'s "hot"
& not cool</script>'
);
?>
<script type="text/javascript">
var Obj = new Array();
Obj.title = <?php echo json_encode($_REQUEST['title'], JSON_HEX_TAG); ?>;
Obj.description = <?php echo json_encode($_REQUEST['description'], JSON_HEX_TAG); ?>;
alert(Obj.title + "\n" + Obj.description);
</script>
Edit (2016-Nov-15): Adds JSON_HEX_TAG parameter to json_encode calls. I hope this solves all issues when writing data into JavaScript within <script> elements. There are some rather annoying corner cases.
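The two approaches above, run side by side on the sample values from the json_encode answer. This is an added example, not code from either answer; the function names addslashes_literal, js_literal and has_no_break_or_markup are made up for the illustration, and the extra JSON_* flags go beyond the JSON_HEX_TAG the answer uses.

```php
<?php
// Added example. Inputs are the sample values from the json_encode answer.
$title       = "That's cool";
$description = "That's \"hot\"\n& not cool</script>";

// The addslashes()/strip_tags() approach, kept for comparison.
// strip_tags() changes the data, and addslashes() leaves line breaks as they are.
function addslashes_literal(string $value): string
{
    return "'" . addslashes(strip_tags($value)) . "'";
}

// Encode any PHP value as a JavaScript literal for use inside <script>.
// JSON_HEX_* turns < > & ' " into \uXXXX escapes. Invalid UTF-8 is replaced
// instead of making json_encode() return false and print nothing (PHP 7.3+).
function js_literal($value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_INVALID_UTF8_SUBSTITUTE | JSON_THROW_ON_ERROR
    );
}

// True when the literal has no raw line break (which would end the JS string)
// and no <, > or & (which matter to the HTML/XHTML parser around the script).
function has_no_break_or_markup(string $literal): bool
{
    return strpbrk($literal, "<>&\r\n") === false;
}

foreach (['title' => $title, 'description' => $description] as $name => $raw) {
    $old = addslashes_literal($raw);
    $new = js_literal($raw);
    printf(
        "%s\n  addslashes : %s (check passes: %s)\n  json_encode: %s (check passes: %s)\n",
        $name,
        $old, has_no_break_or_markup($old) ? 'yes' : 'no',
        $new, has_no_break_or_markup($new) ? 'yes' : 'no'
    );
}
```

Note that js_literal() returns the value with its own quotes, so it is echoed without surrounding quotes, as in the answer above.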
Use the string concatenation operator:
http://php.net/manual/en/language.operators.string.php
print "<script type=\"text/javascript\">\n
var Obj = new Array();\n
Obj.title = '".$_REQUEST['title']."';
Obj.description = '".$_REQUEST['description']."';
</script>";
Related
I have a problem: I have stored some encoded HTML in a MySQL database, but when I decode and echo the variable, it adds double quotes to the output.
Code:
$content = mysqli_fetch_array($r);
$data = $content['contentHTML'];
$html = html_entity_decode($data,ENT_COMPAT, 'UTF-8');
$output = <<<MY_MARKER
$html
MY_MARKER;
echo $output;
$html = "I am going to hax0r your site, hahaha! <script type='text/javascript'> window.location = 'http://www.example.com/' </script>"
but it will add " when echoing to browser.
this works:
$str = <<<MY_MARKER
<script type="text/javascript">
document.write("Hello World2!<br>");
</script>
MY_MARKER;
echo $str;
and this works:
$userInput = "I am going to hax0r your site, hahaha! <script type='text/javascript'> window.location = 'http://www.example.com/' </script>";
$str = <<<MY_MARKER
$userInput
MY_MARKER;
but my code outputs with quotes, so the javascript is printed out in the browser.
it's something to do with getting the text from mySQL...
thanks in advance
SOLUTION: use mysqli_real_escape_string to encode html and then store in mySql database
For a while I have wondered why PHP throws source code indentation out.
Example
PHP:
<script type="text/javascript">
swfobject.embedSWF("a.swf", "a", "100%", "100%", "10.0.0", "a.swf", params);
params.1 = "<?php echo implode(',', $_POST['1']); ?>";
params.2 = "<?php echo $_POST['2']; ?>";
params.3 = "<?php echo $_POST['3']; ?>";
<?php if ($_POST['4']) { ?>params.5 = "/mode <?php echo $_POST['2']; ?> +D";<?php } ?>
params.6 = "Test";
</script>
Generates source code:
<script type="text/javascript">
swfobject.embedSWF("a.swf", "a", "100%", "100%", "10.0.0", "a.swf", params);
params.1 = "A";
params.2 = "B";
params.3 = "C";
params.5 = "/mode B +D";
params.6 = "Test";
</script>
Why does PHP throw source code indentation out on the next row, and how can I stop it from making my code ugly?
I agree that this is not nice. Anybody who doesn't care about the source code will not get a job with us. Ugly source codes are the source of all evil! No, just kidding.
However, you make a basic mistake in your code by mixing PHP and HTML in the way you do. Yes, I know it can be done, but should you? Is your PHP code very readable? I think not.
This is the way I would code it:
<?php
// get parameters
$params[1] = implode(',', $_POST['1']);
$params[2] = $_POST['2'];
$params[3] = $_POST['3'];
if ($_POST['4']) $params[5] = "/mode {$_POST['2']} +D";
$params[6] = "Test";
// create javascript
echo '<script type="text/javascript">'.PHP_EOL.
' swfobject.embedSWF("a.swf","a","100%","100%","10.0.0","a.swf",params);'.PHP_EOL;
foreach ($params as $no => $value) {
echo " params.$no = \"$value\";".PHP_EOL;
}
echo '</script>';
?>
In other words: You have a powerful programming language, why not use it? Since all output is now done by PHP you have full control over it.
There are still many things wrong with this code, but that's for another time.
I am new to JS & JSON. I am struggling with converting a JSON array to a JavaScript array. How do I do that? Here is my code:
var data = {
items: [
<? $i=1; foreach($query->result() as $row){ ?>
<? if($i!=1){ ?>,<? } ?>
{label: '<?=$row->district_name;?>', data: <?=$row->countid;?>}
<? $i++; } ?>
]
};
How do I get the JSON array values into a JavaScript array?
I just tried, but it doesn't work. Please give some suggestions.
Here is my JavaScript array:
for(i=0;i<5;i++){
chartData[i]=data.items[i].label+";"+data.items[i].data;
}
As the others already said, be careful when talking about JavaScript and JSON. You actually want to create a JavaScript object and not JSON.
Don't mix PHP and JavaScript like this. It is horrible to maintain. Create an array beforehand, encode it as JSON* and print it:
<?php
$results = $query->result(); // get results
function m($v) { // a helper function for `array_map`
return array('label' => $v->district_name,
'data' => $v->countid);
}
$data = array('items' => array_map('m', $results));
?>
var data = <?php echo json_encode($data); ?>
*: Here we use the fact that a JSON string is valid JavaScript too. You can just echo it directly in the JavaScript source code. When the JS code runs, it is not JSON, it is interpreted as JavaScript object.
You really oughtn't think too hard about this. PHP does a fine job of serializing arrays as JSON.
var data = {
items: <?php
$arr = array();
foreach($query->result() as $row) {
$arr[] = array('label' => $row->district_name,
'data' => $row->countid);
}
echo json_encode($arr);
?>
};
[insert same disclaimer as above about how you're really trying to create a JavaScript object]
This is JSON:
var foo = "{bar: 1}";
This is not JSON:
var foo = {bar: 1};
Your code snippet is not using JSON at all and my educated guess is that you don't even need it. If you are using PHP to generate some JavaScript code, you can simply tweak your PHP code to print text that will contain real JavaScript variables. There is no need to encode stuff as plain text!
Now it's clear we don't need JSON, let's use a dirty trick. PHP has json_encode() and we can abuse the fact that JSON strings resemble JavaScript variables. All we have to do is call json_encode() on our PHP variable and forget to quote the result:
<?php
$foo = array(
'bar' => 1,
'dot' => FALSE,
);
echo 'var JSONString = "' . json_encode($foo) . '";' . PHP_EOL;
echo 'var realVariable = ' . json_encode($foo) . ';' . PHP_EOL;
Compare:
var JSONString = "{"bar":1,"dot":false}";
var realVariable = {"bar":1,"dot":false};
Edit: Yep, my JSONString is not a valid string... but we get the idea <:-)
I seem to have a syntax error and can't see it myself, could someone run over it for me please?
Thanks.
<script>
var acurl_<?php echo $request_data['friendship_id']; ?> = "sn-include/create_bond_accept.php?friendship_id=<?php echo $request_data['friendship_id']; ?>&friend_id=<?php echo $fromuser['id']; ?>";
</script>
Because you got some answers that intended to show you how to improve your code, but actually don't do so (IMO), here is my attempt:
<?php
$acurl = array();
$acurl[$request_data['friendship_id']] = sprintf('sn-include/create_bond_accept.php?friendship_id=%s&friend_id=%s', $request_data['friendship_id'], $fromuser['id']);
?>
<script>
var acurl = <?php echo json_encode($acurl); ?>
</script>
I would not create dynamic variable names. This code would create a JS object, where the properties are the friendship IDs, something like:
{
'42': 'sn-include/create_bond_accept...'
}
You can access these URLs more easily from JavaScript than if you have dynamic variable names.
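An added example (not part of the original answer) that carries the keyed-object idea through for several requests at once, with the ids validated as integers and the query string built by http_build_query(). The rows in $requests, the helper names id_or_null and build_bond_urls, and the JavaScript variable bondUrls are constructed for the illustration.

```php
<?php
// Added example: one JS object keyed by friendship id instead of one
// variable per id. Constructed stand-ins for rows from the database.
$requests = [
    ['friendship_id' => '42',  'from_id' => '7'],
    ['friendship_id' => '43',  'from_id' => 'not-a-number'], // rejected
    ['friendship_id' => '4x4', 'from_id' => '11'],           // rejected
];

// Return the value as an int if it is a plain non-negative integer, else null.
function id_or_null($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $id === false ? null : $id;
}

// Build [friendship_id => ['accept' => url, 'deny' => url]], skipping bad rows.
function build_bond_urls(array $rows): array
{
    $urls = [];
    foreach ($rows as $row) {
        $friendship = id_or_null($row['friendship_id']);
        $friend     = id_or_null($row['from_id']);
        if ($friendship === null || $friend === null) {
            continue; // reject rather than try to repair the value
        }
        // http_build_query() percent-encodes names and values for the URL.
        $query = http_build_query(['friendship_id' => $friendship, 'friend_id' => $friend]);
        $urls[$friendship] = [
            'accept' => 'sn-include/create_bond_accept.php?' . $query,
            'deny'   => 'sn-include/create_bond_deny.php?' . $query,
        ];
    }
    return $urls;
}

// JSON_FORCE_OBJECT keeps the result an object even when it is empty or the
// ids happen to be 0, 1, 2, ... (which would otherwise encode as a list).
$flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
       | JSON_FORCE_OBJECT | JSON_THROW_ON_ERROR;
$json = json_encode(build_bond_urls($requests), $flags);
?>
<script>
var bondUrls = <?php echo $json; ?>;
// Look up by id at run time, for example bondUrls[42].accept
</script>
```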
David, on the bright side, you don't have a syntax error.
If you're developing PHP, I would recommend two things:
Get a better IDE. Dreamweaver is TERRIBLE for working with PHP. I recommend NetBeans (it's awesome and free).
Start breaking up your code into chunks. The big ball of html and PHP is hard to debug.
Check this out:
<?php
// prepare output
$segment = '?friendship_id=' . $request_data['friendship_id'];
$segment .= '&friend_id=' . $fromuser['id'] . '";' . "\n";
$acurl = 'var acurl_' . $request_data['friendship_id'];
$acurl .= ' = "sn-include/create_bond_accept.php';
$acurl .= $segment;
$dnurl = 'var dnurl_' . $request_data['friendship_id'];
$dnurl .= ' = "sn-include/create_bond_deny.php';
$dnurl .= $segment;
?>
<script type="text/javascript">
<?php
echo $acurl;
echo $dnurl;
?>
</script>
Use here doc instead:
<?php
echo <<<JS
<script>
var acurl_{$request_data['friendship_id']} = "sn-include/create_bond_accept.php?friendship_id={$request_data['friendship_id']}&friend_id={$fromuser['id']}";
</script>
<script>
var dnurl_{$request_data['friendship_id']} = "sn-include/create_bond_deny.php?friendship_id={$request_data['friendship_id']}&friend_id={$fromuser['id']}";
</script>
JS;
?>
See http://www.php.net/manual/en/language.types.string.php#language.types.string.syntax.heredoc
Working Example:
This is almost identical to code I use in other places on my page, but it fails here for some reason.
<?php
//$p = "test";
?>
<script>
alert('posts are firing? ');
parent.document.getElementById('posts').innerHTML = "test";
</script>
Failing example: (alert still works)
<?php
$p = "test of the var";
?>
<script>
alert('posts are firing? ');
parent.document.getElementById('posts').innerHTML = '<?php $p; ?>';
</script>
Try
'<?php echo $p; ?>';
or
'<?= $p ?>';
Debugging 101: Start checking all variable values.
alert(parent);
alert(parent.document);
alert(parent.document.getElementById('posts'));
as well as the value rendered by: '<?php $p; ?>'
Make sure your 'posts' object (I guess it is DIV or SPAN) loads before you fill it using javascript.
You're trying to generate javascript with php, here I use a simple echo:
<?php
$p = "test of the var";
echo"
<div id='posts'></div>
<script type='text/javascript'>
var posts = document.getElementById('posts');
posts.innerHTML = '$p';
</script>
";
?>
Note the $p and that the div is printed before the javascript!
You are not outputting the variable data, which is why it isn't working. You need to echo or print the variable $p.
In your example the $p is being evaluated, not printed.
To print it you should use print, echo, or the syntax <\?=$p;?>. without the \