views:

279

answers:

4

I am creating a chunk of HTML/JavaScript with the below code:

$result = mysql_query("SELECT * FROM posts WHERE userid = '$user_id' ORDER BY DATE desc LIMIT 5") or die (mysql_error());

$p = '';
while ($row = mysql_fetch_array($result))
{

    $source = $row['source'];
    $source = "'$source'";

    $p = $p.'<div id="red-div"><div id="smartass"><div id="image"><img src="thumbs/'.$user_image.'" /></div><div id="playsong"><a href="#" onclick="playsong(';
    $p = p.$source;
    $p = $p.'); return false;"><img src="play.png" width="16" height="16" border="0" /></a>'.$row['artist'].' - '.$row['title'].'</div></div><div id="post-comment">'.$row['comment'].'</div><div id="post-date">'.$row['date'].'</div></div><div id="dotted-line"></div>';

}

I then update a part of my page with the following code:

parent.document.getElementById('posts').innerHTML = '<?php echo $p; ?>';

For some reason, no matter how I quote or enter $source into playsong(''); I lose the '' in playsong(); resulting in something like playsong(theSongVariable); and that of course does not work.

How do I properly quote or output the '' to make sure they stay in playsong('');?

+1  A: 

Have you tried using the addslashes function on your $p string? I think its primary purpose relates to building queries for databases, but it may work in your case as well.

Egil Hansen
no luck with that but good to know...
ian
A: 

edit: also, shouldn't

$p = p.$source;

be

$p = $p.$source;

btw, don't forget you can use the .= operator. like

$p .= $source;

edit2: try outputting your $p for analysis using (this will change < to &lt;):

echo htmlspecialchars($p);

Edited to remove the JS line; it is clearly not output from within a <?php ?> block. (should've had my coffee first)

Jonathan Fingland
When I take out the one line that causes missing '' it works...
ian
Of course it's a missing $... Thanks, that fixed it. And the JavaScript does work because the <?php echo $p; ?> is processed, then sent back and put into the JavaScript, and then the JavaScript executes when the page loads, yea?
ian
+3  A: 

If possible you should use json_encode to build a JavaScript string declaration and htmlspecialchars to use it as an HTML attribute value:

$onclick = 'playsong('.json_encode($row['source']).'); return false';
$p .= '<div id="red-div"><div id="smartass"><div id="image"><img src="thumbs/'.htmlspecialchars($user_image).'" /></div>';
$p .= '<div id="playsong"><a href="#" onclick="'.htmlspecialchars($onclick).'"><img src="play.png" width="16" height="16" border="0" /></a>';
$p .= htmlspecialchars($row['artist'].' - '.$row['title']).'</div></div>';
$p .= '<div id="post-comment">'.htmlspecialchars($row['comment']).'</div>';
$p .= '<div id="post-date">'.$row['date'].'</div></div><div id="dotted-line"></div>';

Oh, and IDs must be unique in documents.

Gumbo
Not savvy with json but will read up on htmlspecialchars() thanks.
ian
I think json_export() should be json_encode() in your example
Tom Haigh
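The escaping Gumbo describes, carried through the whole chunk and then through the question's innerHTML assignment, as an added example that is not part of the original thread. The sample rows, the h()/js() helper names and the element names are constructed for this example, not taken from the question:

```php
<?php
// Added example, not code from the question or the answers. It builds the same
// post markup twice: render_naive() mirrors the question's concatenation,
// render_escaped() follows Gumbo's answer (json_encode for the JavaScript
// literal, htmlspecialchars for every HTML context) and then hands the finished
// chunk to the question's innerHTML assignment through one more json_encode.
// $rows, $user_image and the element names are constructed sample data.

$user_image = 'ian.jpg';
$rows = [
    // Ordinary data that happens to contain quotes, angle brackets and an ampersand.
    ['source'  => "O'Neil - \"Live\".mp3",
     'artist'  => "O'Neil",
     'title'   => 'Live',
     'comment' => 'Great <b>set</b> & encore',
     'date'    => '2009-06-01'],
];

// HTML text or attribute context: & < > " ' become entities.
function h($text)
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// JavaScript string literal context. The JSON_HEX_* flags turn < > & ' " into
// \uXXXX escapes, so the literal stays inert even inside an inline <script>.
function js($value)
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
}

// The question's approach: raw values dropped into HTML and into a JS call.
// The apostrophe in 'source' ends the JS string early, the double quotes close
// the onclick attribute, and the comment's <b> and & reach the page as markup.
function render_naive(array $row, $user_image)
{
    $source = "'" . $row['source'] . "'";
    return '<div class="post"><img src="thumbs/' . $user_image . '" />'
         . '<a href="#" onclick="playsong(' . $source . '); return false;">play</a> '
         . $row['artist'] . ' - ' . $row['title']
         . '<div class="post-comment">' . $row['comment'] . '</div></div>';
}

// Escape for the innermost context first (JS literal), then for the context
// that wraps it (HTML attribute). The browser decodes entities before the JS
// parser sees the handler, so the order matters.
function render_escaped(array $row, $user_image)
{
    $onclick = 'playsong(' . js($row['source']) . '); return false;';
    return '<div class="post"><img src="thumbs/' . h($user_image) . '" />'
         . '<a href="#" onclick="' . h($onclick) . '">play</a> '
         . h($row['artist'] . ' - ' . $row['title'])
         . '<div class="post-comment">' . h($row['comment']) . '</div></div>';
}

$p = '';
foreach ($rows as $row) {
    echo "naive:   " . render_naive($row, $user_image) . "\n";
    $p .= render_escaped($row, $user_image);
}
echo "escaped: " . $p . "\n";

// The question's last step, with the HTML chunk handed over as one JavaScript
// string literal instead of being pasted between single quotes.
echo "parent.document.getElementById('posts').innerHTML = " . js($p) . ";\n";
```

Run it with the PHP CLI and compare the two lines: in the naive output the apostrophe in the filename terminates the JavaScript string and the double quotes terminate the onclick attribute, while in the escaped output the attribute decodes to playsong("O\u0027Neil - \u0022Live\u0022.mp3") and the comment's tags are shown as text. The same rule applies to the final line: whatever $p contains, json_encode produces exactly one JavaScript string literal.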
+1  A: 

There are different ways to escape strings depending on the context in which you use them.

In your specific case you should use:

echo json_encode(htmlspecialchars($p, ENT_QUOTES, *your charset*));

htmlspecialchars helps you to escape HTML sequences so that you don't have funky things such as </script> in the Javascript part.

json_encode makes sure that your string is valid as a JavaScript sequence.

These are very important security concepts because otherwise there are serious issues such as XSS or even XSRF if you give users special permissions on your site.

As we're on the topic, make sure that your $user_id is a validated value because otherwise you are vulnerable to SQL injection. For example, $user_id could be "1' OR '1'='1".

Hth

Sorin Mocanu
Is mysql_real_escape_string() the best way to secure my $user_id variable and others like it?
ian
That is an option. I have not actively used PHP for more than a year now, but as I remember they were discussing the newer, slower mysqli interface which allowed placeholders in queries. I'd give that a shot.
Sorin Mocanu
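The placeholder approach Sorin's last comment points at, as an added example that is not from the thread. It uses PDO prepared statements against an in-memory SQLite database so the script runs offline (the pdo_sqlite extension is assumed); the posts table, its rows, the recent_posts() function name and the MySQL DSN in the comment are all constructed placeholders, and the same PDO calls work unchanged against MySQL:

```php
<?php
// Added example (not from the original thread): the question's query rewritten
// with a prepared statement and a bound placeholder, so the user id travels as
// data and is never spliced into the SQL text. PDO with an in-memory SQLite
// database is used here so the script runs offline; for MySQL the same code
// works with a DSN such as 'mysql:host=localhost;dbname=app' (placeholder names).

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample schema and rows standing in for the question's posts table.
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, userid INTEGER, source TEXT, date TEXT)');
$seed = $db->prepare('INSERT INTO posts (userid, source, date) VALUES (?, ?, ?)');
$seed->execute([1, 'first.mp3',  '2009-06-01']);
$seed->execute([1, 'second.mp3', '2009-06-02']);
$seed->execute([2, 'other.mp3',  '2009-06-03']);

// Returns the five most recent posts for one user.
function recent_posts(PDO $db, $user_id)
{
    // Validate first: user ids are unsigned integers, anything else is refused
    // before it gets near the database. Binding below is an independent second
    // layer, so the query structure cannot change even if validation were skipped.
    if (!ctype_digit((string) $user_id)) {
        throw new InvalidArgumentException('user id must be a positive integer');
    }

    $stmt = $db->prepare(
        'SELECT source, date FROM posts WHERE userid = ? ORDER BY date DESC LIMIT 5'
    );
    $stmt->bindValue(1, (int) $user_id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Normal request: two rows for user 1, newest first.
print_r(recent_posts($db, '1'));

// The value Sorin's answer uses as an illustration never reaches the SQL engine.
try {
    recent_posts($db, "1' OR '1'='1");
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The validation and the placeholder do different jobs: ctype_digit enforces the application's idea of what a user id looks like, while the bound parameter guarantees that the database receives the query text and the value separately, which is what removes the injection class entirely rather than escaping around it.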