[英]php syntax for echo javascript function
I hope somebody can help me with this little problem. 我希望有人可以帮助我解决这个小问题。 The problem is that I still get confused with the syntax
问题是我仍然对语法感到困惑
The php line echo's a javascript function that takes one parameter, the database value. php行echo是一个javascript函数,它带有一个参数,即数据库值。
It needs to be corrected, to get it to work. 需要对其进行纠正,以使其正常工作。 extra comma's??escaping??
多余的逗号?转义? I never know where exactly.
我永远不知道确切在哪里。
while($row=mysql_fetch_array($r)){
echo '<li onclick="fill(\''.$row["value"].'\');">'.$row["value"].'</li>';
}
EDIT BECAUSE I just found out that my syntax is correct. 编辑,因为我刚刚发现我的语法是正确的。 I just needed to include the backslashes.
我只需要包含反斜杠。 It seems the javascript function is causing problems.
看来javascript函数引起了问题。 In particular the line that hides the list
特别是隐藏列表的行
Does anyone has a solution for this? 有人对此有解决方案吗?
function fill(thisValue) {
$('#inputString').val(thisValue);
//$('#suggesties').hide();
}
EDIT I finally came up with this: a callback 编辑我终于想到了:回调
function fill(thisValue) {
$('#suggesties').fadeOut('fast',function(){
$('#inputString').val(thisValue);
});
}
thanks, Richard 谢谢,理查德
I'd recommend also escape the string for use in javascript. 我建议也将字符串转义以用于javascript。
json_encode
does the trick. json_encode
可以解决问题。 And the html part too, if it's not supposed to contain html : 还有html部分, 如果它不应该包含html :
echo '<li onclick="fill('.htmlentities(json_encode($row["value"])).');">'.htmlspecialchars($row["value"]).'</li>';
You could keep the PHP within PHP Tags. 您可以将PHP保留在PHP标记内。 Sometimes it's easier than escaping numerous places:
有时,它比转义许多地方容易:
<?php while($row=mysql_fetch_array($r)) { ?>
<li onclick="fill('<?php print $row["value"]; ?>');">
<?php print $row["value"]; ?>
</li>
<?php } ?>
echo '<li onclick="fill(\''.$row["value"].'\');">'.$row["value"].'</li>';
Ouch. 哎哟。 You've got a JavaScript string literal, inside an HTML-encoded attribute, inside a PHP string literal.
您已经在HTML编码的属性和HTML字符串的内部包含了JavaScript字符串。 No wonder the escaping is confusing you.
难怪逃脱使您感到困惑。
Well, first: you're outputting $row['value']
in the list item's text without escaping. 好吧,首先:您要在列表项的文本中输出
$row['value']
而不进行转义。 This means trouble (potentially security trouble) when that value contains special characters like <
, &
and "
. This needs to be wrapped in htmlspecialchars()
. 当该值包含特殊字符(例如
<
, &
和"
)时,就意味着麻烦(可能是安全问题)。需要将其包装在htmlspecialchars()
。
Next, you're putting something in a JavaScript string literal. 接下来,将某些内容放入JavaScript字符串文字中。 That means if the string delimiter character
'
or the escaping backslash \\
is used in the value, it can break out of the string and inject JavaScript code into the page: again, a potential security issue. 这意味着,如果在值中使用字符串定界符
'
或转义的反斜杠\\
,则它可能会脱离字符串并将JavaScript代码注入页面:再次,这是潜在的安全问题。 addslashes()
can be used to escape a string for inclusion in a JS string literal; addslashes()
可用于转义包含在JS字符串文字中的字符串; note you still have to htmlspecialchars()
it afterwards because the string literal is itself inside an HTML-encoded attribute. 请注意,之后您仍然必须对其进行
htmlspecialchars()
,因为字符串文字本身位于HTML编码的属性内。
So we're looking at: 所以我们在看:
echo "<li onclick=\"fill('".htmlspecialchars(addslashes($row['value']), ENT_QUOTES)."');\">".htmlspecialchars($row['value']).'</li>';
Not very readable, is it? 不是很可读,是吗? Well, we can improve that:
好吧,我们可以改善这一点:
We can lose the PHP string literal by using PHP itself to interpolate strings (as demonstrated by Jonathan). 我们可以通过使用PHP本身对字符串进行插值来丢失PHP字符串文字(如Jonathan所示)。 PHP is a templating language, take advantage of that!
PHP是一种模板语言,请利用它!
We can define a function with a shorter name than htmlspecialchars
, which is a good idea since we need to use that function a lot in a typical template. 我们可以定义一个名称比
htmlspecialchars
短的函数,这是一个好主意,因为我们需要在典型的模板中大量使用该函数。
We can avoid the JavaScript string literal by having the JavaScript side read the data it needs from the contents of the list item ( text()
, in jQuery, since that's what you seem to be using), rather than having to wrap it inside an ugly inline event handler. 我们可以通过让JavaScript端从列表项(jQuery中的
text()
的内容中读取所需的数据来避免JavaScript字符串,而不必将其包装在丑陋的内联事件处理程序。
For example: 例如:
<?php
function h($text) {
echo(htmlspecialchars($text, ENT_QUOTES));
}
?>
<ul id="suggesties">
<?php while ($row= mysql_fetch_array($r)) { ?>
<li><?php h($row['value']); ?></li>
<?php } ?>
</ul>
<script type="text/javascript">
$('#suggesties>li').click(function() {
$('#inputString').val($(this).text());
$('#suggesties').hide();
});
</script>
Try escaping like this: 尝试像这样转义:
while($row=mysql_fetch_array($r)){
echo '<li onclick="fill(\''.$row["value"].'\');">'.$row["value"].'</li>';
}
删除value周围的引号,使您拥有$row[value]
而不是$row["value"]
。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.