Are you sure? Isn't it:

var foo = ''Dis here be a "string"'

In order to prevent the double ' try:

$foo = "\'Dis here be a \"string\"";

or

$foo = '\\\'Dis here be a "string"';

Since you are using the final value in JavaScript, I would use json_encode:

$foo = "'Dis here be a \"string\"";
print "<script type='text/javascript'>var foo = " . json_encode($foo) . ";</script>";

And it will correctly output:

<script type='text/javascript'>var foo = "'Dis here be a \"string\"";</script>

Notice I didn't put an extra set of quotes around the json_encode function. It will add the necessary quotes to make it a valid JavaScript string automatically.

It's also worth noting that you can use a PHP file as a JavaScript file

<script type="text/javascript" src="js/main.php"></script>

And you're able to execute PHP code in that file, as well as output JavaScript code by echoing from PHP.

This should be a step in the right direction:

addcslashes($str, "\"\r\n\\\t/\0..\37");

Frank Farmer's answer is interesting, but it's escaping some things that don't need to be escaped, like tabs.

Try this snippet, it works just fine:

<script type="text/javascript">
    alert("Hi!\n\tHi!\n<?php echo '\tHI!',"\\n\tHI!";?>");
</script>

Since I'm always connected to a database in my PHP scripts that pass text directly into Javascript strings, I lean on real_escape_string to do my dirty work. addslashes() doesn't handle newlines and those sometimes sneak into strings I'm passing on to Javascript.

A simple $sql->real_escape_string($string) makes it all better, escaping whatever the database spits out into a Javascript-friendly form.

I use json_encode().

http://ie2.php.net/manual/en/function.json-encode.php