PHP-generated javascript and quote marks

https://stackoverflow.com/questions/1760325

21-09-2019
|

Question

I'm generating some javascript in my PHP code, and I need to assign some php variables to javascript variables. Unfortunately, sometimes my PHP variables contain quote marks. for instance:

$foo = "'Dis here be a \"string\"";
print "<script type='text/javascript'>var foo = '{$foo}';</script>";

will generate a javascript error because the resulting javascript will look like this:

<script type='text/javascript'>var foo = '"'Dis here be a \"string\"';

I know I can use regexp on $foo to replace all ' marks with \' but this is hard for various reasons. Is there anything I can do short of that? Something akin to the perl q() function...

Solution

Tried doing this?

$foo = "'Dis here be a \"string\"";
echo '<script type="text/javascript">var foo = "'.addslashes($foo).'";</script>';

See: http://php.net/manual/en/function.addslashes.php

OTHER TIPS

I use json_encode().

http://ie2.php.net/manual/en/function.json-encode.php

This should be a step in the right direction:

addcslashes($str, "\"\r\n\\\t/\0..\37");

Are you sure? Isn't it:

var foo = ''Dis here be a "string"'

In order to prevent the double ' try:

$foo = "\'Dis here be a \"string\"";

$foo = '\\\'Dis here be a "string"';

It's also worth noting that you can use a PHP file as a JavaScript file

<script type="text/javascript" src="js/main.php"></script>

And you're able to execute PHP code in that file, as well as output JavaScript code by echoing from PHP.

Since you are using the final value in JavaScript, I would use json_encode:

$foo = "'Dis here be a \"string\"";
print "<script type='text/javascript'>var foo = " . json_encode($foo) . ";</script>";

And it will correctly output:

<script type='text/javascript'>var foo = "'Dis here be a \"string\"";</script>

Notice I didn't put an extra set of quotes around the json_encode function. It will add the necessary quotes to make it a valid JavaScript string automatically.

Frank Farmer's answer is interesting, but it's escaping some things that don't need to be escaped, like tabs.

Try this snippet, it works just fine:

<script type="text/javascript">
    alert("Hi!\n\tHi!\n<?php echo '\tHI!',"\\n\tHI!";?>");
</script>

Since I'm always connected to a database in my PHP scripts that pass text directly into Javascript strings, I lean on real_escape_string to do my dirty work. addslashes() doesn't handle newlines and those sometimes sneak into strings I'm passing on to Javascript.

A simple $sql->real_escape_string($string) makes it all better, escaping whatever the database spits out into a Javascript-friendly form.

Licensed under: CC-BY-SA with attribution

Not affiliated with StackOverflow