1

I have a PHP script that generates some Javascript for me in a manner like this:

foreach ($array as $element)
{
    echo '<a onClick="myFunctionTakesPHPValues('.$element[0].','.$element[1].')">'.$element[2].'</a>';
}

My problem is that how can I escape so that the Javascript bit will look more like

<a onClick='MyFunctionTakesPHPValues("'.$element[0].','.$element[1].'")>'.$element[2].'</a>';

I hope this makes sense. The short version is that I feel i need triple quotes inside double quotes inside single quotes, but there is no such thing as triple quotes, but I believe there is some way to escape quotes to nest it up three times.

Improve this question
7
  • 1
    Use backslash before your string-delimiter quotes. \' or \" Commented Jun 25, 2013 at 7:00
  • -1. Nothing personal but just to make this question less relevant in search Commented Jun 25, 2013 at 7:40
  • I can understand that, however judging from your comments to the other answer and the answer that is more or less the same as it could imply that there are many people out there with security breaches as a result of not understanding this properly. Cheers for your answer though. Would htmlspecialchars be as safe as json_encode, I seem to get quotes around all my strings when I use json_encode but not with htmlspecialchars. And I could only properly use json_encode as attributes in the onClick function as in your example. Commented Jun 25, 2013 at 8:06
  • 1
    Look, you have two medias in your short code snippet - a JS code and HTML code. Each require different formatting (as explained in the article I linked to) - so, that's why two functions were used. Commented Jun 25, 2013 at 8:16
  • 1
    Have a look at this link en.wikipedia.org/wiki/Unobtrusive_JavaScript . Putting onclick in html and echoing js from php is bad practice Commented Jun 25, 2013 at 8:58

5 Answers 5

Reset to default
3

Same as always: encode as JSON.

echo '<a onClick="myFunctionTakesPHPValues('.json_encode($element[0]).','.json_encode($element[1]).')">'.$element[2].'</a>';
Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

This works nicely too, however my string variables come up with quotes now, does that just mean I have too many quotes in there?
You shouldn't need to add any quotes to the values manually; JSON strings are valid JavaScript literals.
It turned out that you actually have to.
2
  1. Never echo JS from PHP. Escape from PHP mode instead, it will save you a lot of slashes and nerves.
  2. Every value have to be escaped properly, as explained in this article

So, for the JS values you have to escape them with json_encode() and, as they are going into HTML attribute, escape them as HTML too.
For the last element only HTML encoding is required.

foreach ($array as $element) 
{
    $param1 = htmlspecialchars(json_encode($element[0])); // better give them 
    $param2 = htmlspecialchars(json_encode($element[1])); // meaningful names
    $param3 = htmlspecialchars($element[2]);
?>
<a onClick="myFunctionTakesPHPValues(<?=$param1?>,<?=$param2?>)">
   <?=$param3?>
</a>
<? }

And yes, using raw JS in HTML attributes considered as a bad practice.

Improve this answer

Comments

1

Use Like

echo "<a onClick='myFunctionTakesPHPValues(\"".$element[0]."\",\"".$element[1]."\")'>".$element[2]."</a>";
Improve this answer

2 Comments

Worked like a charm, I was doing my escape slashes the opposite way >_< Cheers to all answers.
@Tom actually this is an awfully wrong answer. Making your code insecure
1

Use this:

echo "<a onClick='MyFunctionTakesPHPValues(\"'".$element[0]."','".$element[1]."'\")>'".$element[2]."'</a>'";
Improve this answer

Comments

1 
foreach ($array as $element)
{?>
<a onClick="myFunctionTakesPHPValues("<?php echo $element[0].','.$element[1].')>'.$element[2].'</a>'
} 
?>
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.