I'm generating some javascript in my PHP code, and I need to assign some php variables to javascript variables. Unfortunately, sometimes my PHP variables contain quote marks. for instance:
$foo = "'Dis here be a \"string\"";
print "<script type='text/javascript'>var foo = '{$foo}';</script>";
will generate a javascript error because the resulting javascript will look like this:
<script type='text/javascript'>var foo = '"'Dis here be a \"string\"';
I know I can use regexp on $foo to replace all '
marks with \'
but this is hard for various reasons. Is there anything I can do short of that? Something akin to the perl q()
function...
Tried doing this?
$foo = "'Dis here be a \"string\"";
echo '<script type="text/javascript">var foo = "'.addslashes($foo).'";</script>';
See: http://php.net/manual/en/function.addslashes.php
I use json_encode().
http://ie2.php.net/manual/en/function.json-encode.php
This should be a step in the right direction:
addcslashes($str, "\"\r\n\\\t/\0..\37");
Are you sure? Isn't it:
var foo = ''Dis here be a "string"'
In order to prevent the double ' try:
$foo = "\'Dis here be a \"string\"";
or
$foo = '\\\'Dis here be a "string"';
It's also worth noting that you can use a PHP file as a JavaScript file
<script type="text/javascript" src="js/main.php"></script>
And you're able to execute PHP code in that file, as well as output JavaScript code by echoing from PHP.
Since you are using the final value in JavaScript, I would use json_encode
:
$foo = "'Dis here be a \"string\"";
print "<script type='text/javascript'>var foo = " . json_encode($foo) . ";</script>";
And it will correctly output:
<script type='text/javascript'>var foo = "'Dis here be a \"string\"";</script>
Notice I didn't put an extra set of quotes around the json_encode
function. It will add the necessary quotes to make it a valid JavaScript string automatically.
Frank Farmer's answer is interesting, but it's escaping some things that don't need to be escaped, like tabs.
Try this snippet, it works just fine:
<script type="text/javascript">
alert("Hi!\n\tHi!\n<?php echo '\tHI!',"\\n\tHI!";?>");
</script>
Since I'm always connected to a database in my PHP scripts that pass text directly into Javascript strings, I lean on real_escape_string to do my dirty work. addslashes() doesn't handle newlines and those sometimes sneak into strings I'm passing on to Javascript.
A simple $sql->real_escape_string($string)
makes it all better, escaping whatever the database spits out into a Javascript-friendly form.