PHP-generated javascript and quote marks

Question

I'm generating some javascript in my PHP code, and I need to assign some php variables to javascript variables. Unfortunately, sometimes my PHP variables contain quote marks. for instance:

$foo = "'Dis here be a \"string\"";
print "<script type='text/javascript'>var foo = '{$foo}';</script>";

will generate a javascript error because the resulting javascript will look like this:

<script type='text/javascript'>var foo = '"'Dis here be a \"string\"';

I know I can use regexp on $foo to replace all ' marks with \' but this is hard for various reasons. Is there anything I can do short of that? Something akin to the perl q() function...

various reasons are that this js is being generated by a smarty template and smarty doesn't let you use full php, but {$foo|addslashes} does the trick — Igor Serebryany
– Igor Serebryany, Commented Nov 19, 2009 at 1:41

mauris · Accepted Answer · 2009-11-19 01:22:07Z

6

Tried doing this?

$foo = "'Dis here be a \"string\"";
echo '<script type="text/javascript">var foo = "'.addslashes($foo).'";</script>';

See: http://php.net/manual/en/function.addslashes.php

answered Nov 19, 2009 at 1:22

mauris

43.6k16 gold badges102 silver badges132 bronze badges

Sign up to request clarification or add additional context in comments.

3 Comments

Frank Farmer Over a year ago

Addslashes() is sufficient in this case, but won't escape every character that could potentially bork a js string.

Igor Serebryany Over a year ago

addslashes is what i was looking for, and seems to work for now.

Doug Neiner Over a year ago

@Frank is right though, it won't take into account everything related to a javascript string.

Community · Accepted Answer · 2023-11-17 19:49:36Z

3

I use json_encode().

https://www.php.net/manual/en/function.json-encode.php

edited Nov 17, 2023 at 19:49

CommunityBot

11 silver badge

answered Nov 19, 2009 at 1:35

TRiG

10.7k9 gold badges62 silver badges113 bronze badges

2 Comments

Hamish Moffatt Feb 25 at 1:57

This doesn't work if your value is a plain string. You still need some way to convert it back to the original in Javascript, and JSON.parse won't process a simple string, but expects a full JSON document.

TRiG Feb 25 at 22:37

On the contrary, '<script type="text/javascript">var foo = ' . json_encode($foo) . ';</script>' will work admirably to supply a PHP string to a javascript variable.

Frank Farmer · Accepted Answer · 2009-11-19 01:23:40Z

2

This should be a step in the right direction:

addcslashes($str, "\"\r\n\\\t/\0..\37");

answered Nov 19, 2009 at 1:23

Frank Farmer

39.6k12 gold badges73 silver badges90 bronze badges

Comments

powtac · Accepted Answer · 2009-11-19 01:21:40Z

1

Are you sure? Isn't it:

var foo = ''Dis here be a "string"'

In order to prevent the double ' try:

$foo = "\'Dis here be a \"string\"";

or

$foo = '\\\'Dis here be a "string"';

answered Nov 19, 2009 at 1:21

powtac

41.1k28 gold badges120 silver badges173 bronze badges

Comments

Luke Brown · Accepted Answer · 2016-04-19 11:18:18Z

1

It's also worth noting that you can use a PHP file as a JavaScript file

<script type="text/javascript" src="js/main.php"></script>

And you're able to execute PHP code in that file, as well as output JavaScript code by echoing from PHP.

edited Apr 19, 2016 at 11:18

Luke Brown

1,9022 gold badges30 silver badges50 bronze badges

answered Nov 19, 2009 at 1:48

Elle H

12.3k7 gold badges43 silver badges42 bronze badges

Comments

Doug Neiner · Accepted Answer · 2009-11-19 01:36:18Z

0

Since you are using the final value in JavaScript, I would use json_encode:

$foo = "'Dis here be a \"string\"";
print "<script type='text/javascript'>var foo = " . json_encode($foo) . ";</script>";

And it will correctly output:

<script type='text/javascript'>var foo = "'Dis here be a \"string\"";</script>

Notice I didn't put an extra set of quotes around the json_encode function. It will add the necessary quotes to make it a valid JavaScript string automatically.

answered Nov 19, 2009 at 1:36

Doug Neiner

66.4k14 gold badges111 silver badges118 bronze badges

Comments

Eric L. · Accepted Answer · 2013-01-31 20:51:39Z

0

Frank Farmer's answer is interesting, but it's escaping some things that don't need to be escaped, like tabs.

Try this snippet, it works just fine:

<script type="text/javascript">
    alert("Hi!\n\tHi!\n<?php echo '\tHI!',"\\n\tHI!";?>");
</script>

Since I'm always connected to a database in my PHP scripts that pass text directly into Javascript strings, I lean on real_escape_string to do my dirty work. addslashes() doesn't handle newlines and those sometimes sneak into strings I'm passing on to Javascript.

A simple $sql->real_escape_string($string) makes it all better, escaping whatever the database spits out into a Javascript-friendly form.

answered Jan 31, 2013 at 20:51

Eric L.

3,3642 gold badges25 silver badges20 bronze badges

Collectives™ on Stack Overflow

PHP-generated javascript and quote marks

7 Answers 7

3 Comments

2 Comments

Comments

Comments

Comments

Comments

Comments

Your Answer

Linked

Hot Network Questions

Collectives™ on Stack Overflow

7 Answers 7

3 Comments

2 Comments

Comments

Comments

Comments

Comments

Comments

Your Answer

Sign up or log in

Post as a guest

Linked

Related