
I am setting a jQuery array with PHP, like this:

    <script type='text/javascript'>
    var postQuote = new Array();
    postQuote[<?php echo $post['post_id']; ?>] = <?php echo mysql_real_escape_string(html_entity_decode($post['post_text'])); ?>
    </script>

My problem is that $post['post_text'] can literally contain all characters. Therefore, I am getting an unexpected identifier error with jQuery.

My question is: how can I avoid this?

  • You probably need to wrap the php into quotes: postQuote["<?php ... ?>"]. Commented Aug 26, 2014 at 13:23
  • mysql_real_escape_string is for SQL, not for JavaScript. Use json_encode. Commented Aug 26, 2014 at 13:24
  • @EndeNeu Just wrapping with quotes won't work if the string contains quotes, newlines, or any characters that require encoding in a JavaScript string. Commented Aug 26, 2014 at 13:48
  • @JuanMendes true that. Commented Aug 26, 2014 at 13:49

1 Answer

Why don't you do a json_encode? json_encode will convert your PHP variables into a variable that's usable by JavaScript. This also might remove the need to use html_entity_decode on most occasions, since this is not really something you should be doing to convert something that will be used by JavaScript. mysql_real_escape_string is not needed at all.

    <script type='text/javascript'>
        var postQuote = new Array();
        postQuote[<?php echo json_encode($post['post_id']); ?>] = <?php echo json_encode($post['post_text']); ?>;
    </script>

I would also set them as separate variables so that they're easier to debug and keep track of:

    <script type='text/javascript'>
        var postQuote = new Array();
        var postQuoteKey = <?php echo json_encode($post['post_id']); ?>;
        var postQuoteValue = <?php echo json_encode($post['post_text']); ?>;
        // See what the key and value are
        console.log(postQuoteKey);
        console.log(postQuoteValue);
        postQuote[postQuoteKey] = postQuoteValue;
    </script>

The following example works as expected:

    <script>
    // Number
    console.log(<?php echo json_encode(1); ?>);
    // String
    console.log(<?php echo json_encode("hello"); ?>);
    // Boolean
    console.log(<?php echo json_encode(false); ?>);
    // Boolean
    console.log(<?php echo json_encode(true); ?>);
    // Array
    console.log(<?php echo json_encode(array(1,2,3)); ?>);
    // Outputs a JavaScript object
    console.log(<?php echo json_encode(array("a" => 345, "b" => '242', "c" => 'hello')); ?>);
    </script>

9 Comments

You should use mysql_real_escape_string before inserting something into the database; it doesn't make sense at this point because it can still be manipulated at client-side.
+1 It'd be good to note that if they do want to use the string in JavaScript to put HTML onto the page, they should HTML escape the content, but only when inserting it into the DOM. Encoding with JSON is definitely the easiest way to get a PHP string to play nice with a JavaScript string.
@Sepultura You should not use mysql_real_escape_string, it's deprecated. You should instead use prepared statements for maximum portability, safety and speed: php.net/manual/en/pdo.prepare.php
As Ende Neu said you can use single quotes like this '<?php ... ?>'
Since 5.2... but 5.2 is 8 years old. At that point, it's borderline irresponsible not to upgrade! stackoverflow.com/questions/11684442/…
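
A hardened form of the answer's json_encode approach, as an added example that is not part of the original thread: the hypothetical helper js_literal() adds the JSON_HEX_* flags so that no `<`, `>`, `&` or quote character from the post text reaches the inline script, and it handles invalid UTF-8, for which plain json_encode returns false and echoes nothing. The $post row is constructed sample data; JSON_THROW_ON_ERROR assumes PHP 7.3 or later.

```php
<?php
// Hypothetical helper (added example, not from the thread): encode any PHP
// value as a JavaScript literal that is safe to echo inside inline <script>.
function js_literal($value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG      // < and > are written as \u003C and \u003E
        | JSON_HEX_AMP    // & is written as \u0026
        | JSON_HEX_APOS   // ' is written as \u0027
        | JSON_HEX_QUOT   // " inside strings is written as \u0022
        | JSON_INVALID_UTF8_SUBSTITUTE // invalid bytes become U+FFFD (PHP 7.2+)
        | JSON_THROW_ON_ERROR          // other failures throw JsonException (PHP 7.3+)
    );
}

// Constructed sample row: quotes, a newline, markup and a script close tag.
$post = [
    'post_id'   => 42,
    'post_text' => "He said \"it's fine\"\n<b>bold</b> </script><!-- & more",
];

$encoded = js_literal($post['post_text']);

// Nothing the HTML parser or a single-quoted attribute reacts to is left.
if (strpbrk($encoded, "<>&'") !== false) {
    throw new RuntimeException('markup-significant character left in literal');
}
// The literal still decodes to exactly the original text.
if (json_decode($encoded) !== $post['post_text']) {
    throw new RuntimeException('round trip changed the text');
}
// Invalid UTF-8 is replaced instead of making the encode fail.
if (json_decode(js_literal("bad byte: \xFF")) !== "bad byte: \u{FFFD}") {
    throw new RuntimeException('invalid UTF-8 was not substituted');
}
?>
<script type='text/javascript'>
    var postQuote = new Array();
    postQuote[<?php echo js_literal($post['post_id']); ?>] = <?php echo $encoded; ?>;
</script>
```

When the string is later shown on the page, assign it as text (textContent, or jQuery's .text()) rather than as HTML, which is the point of the comment about escaping at DOM insertion.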