can't find what is wrong in the syntax
I have the following code:
onclick=" <?php echo 'postwith(\''.$_SERVER['PHP_SELF'].'\',{export:\'export\',date:\''.$_POST['date'].'\'})'; ?>"
while postwith is a function.
in ie i have an error: Expected identifier, string or number
in firefox it's ok and the link is:
postwith('/page/page.php',{export:'export',date:'Yesterday'})
so where is my mistake?
thank you!
export is a keyword, so it appears that the IE Javascript engine is getting confused with you using it in that context. You could put it in quotes to make it clear that it's a key.
+1 warrenm, it's export that needs to be quoted.
But this sort of thing isn't good form. With all that nested quoting it's barely readable, and because you've not JavaScript-string-literal-escaped or HTML-escaped either date or PHP_SELF, you've got HTML-injection bugs which may lead to cross-site-scripting security holes.
Never output a text string to HTML text content or attribute values without htmlspecialchars(), and when you're building JS objects use json_encode() to create the output because it will cope with string escaping problems and quoting object literal names for you.
From PHP 5.3, the JSON_HEX options allow you to ensure all HTML-special characters are encoded as JavaScript string literal escapes, so you don't have to HTML-encode on top of JSON-encoding, which means you can use the same output function in both event handler attributes and <script> blocks (which, being CDATA, have no HTML-escaping).
<?php
function j($o) {
echo json_encode($o, JSON_HEX_TAG|JSON_HEX_AMP|JSON_HEX_QUOT);
};
$pars= array("export"=>"export", "date"=>$_POST['date']);
?>
onclick="postwith(<?php j($_SERVER['PHP_SELF']); ?>, <?php j($pars); ?>);"
Also consider breaking out the onclick handler and assigning it from <script> instead of using inline event handler attributes. This tends to be more readable.
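The approach from the answer above (JSON-encode the data, then assign the handler from a <script> block), written out as an added example that is not part of the original answers. The names js_literal, export-link, exportUrl and exportPars are hypothetical, the $date value is constructed, and JSON_HEX_APOS is added to the answer's flags so the same output also stays inert inside a single-quoted attribute.

```php
<?php
// Added example. $date stands in for $_POST['date'] and $self for
// $_SERVER['PHP_SELF']; both values are constructed and harmless.
$date = "O'Brien \"Q1\" <b> & </script>";
$self = '/page/page.php';

// Encode any PHP value as a JS literal that is also inert in HTML:
// <, >, &, " and ' inside strings become \u00XX escapes.
function js_literal($value): string {
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS
    );
}

// Before: the question's concatenation, raw value inside nested quotes.
// Built only for the comparison at the end; never echoed.
$unsafe = "postwith('" . $self . "',{export:'export',date:'" . $date . "'})";

// After: data emitted once as JS literals, handler assigned from script.
$pars = array('export' => 'export', 'date' => $date);
?>
<a href="#" id="export-link">export</a>
<script>
var exportUrl  = <?php echo js_literal($self); ?>;
var exportPars = <?php echo js_literal($pars); ?>;
document.getElementById('export-link').onclick = function () {
    postwith(exportUrl, exportPars);   // postwith is the asker's function
    return false;
};
</script>
<?php
// The encoded output carries none of the characters that can end a JS
// string, an HTML attribute value or a <script> block.
$safe = js_literal($pars);
foreach (array('<', '>', '&', "'") as $ch) {
    assert(strpos($safe, $ch) === false);
}
assert(json_decode($safe, true) === $pars);    // round-trips to the same data
assert(strpos($unsafe, "O'Brien") !== false);  // the raw quote survives here
```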
As warrenm pointed out, export is a keyword and needs to be quoted.
That is, alter the PHP so the result output is:
postwith('/page/page.php',{'export':'export','date':'Yesterday'});
Your PHP would look like this:
onclick="<?php echo "postwith('{$_SERVER['PHP_SELF']}',
{'export':'export','date':'{$_POST['date']}'})"; ?>"
(Thanks, Peter, for the improved syntax).
Also, you may wish to remove the space after onclick:
onclick=" <?php
will become:
onclick="<?php
For future reference, you might find it easier to proofread if you use double quotes for your PHP string and curly bracket notation for array elements inside the string:
onclick="<?php echo "postwith('{$_SERVER['PHP_SELF']}',
{'export':'export','date':'{$_POST['date']}'})"; ?>"
simplified example of using curly bracket notation inside double quotes
(note that you do not need to escape literally rendered curly brackets)
Additionally, you should make use of json_encode() to make sure your JSON is in the right format:
(note the single quotes after onclick to accommodate the double quote JSON)
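onclick='<?php
// JSON_HEX_APOS is added because the attribute is single-quoted;
// PHP_SELF is request-derived, so it is encoded the same way.
$flags = JSON_HEX_TAG|JSON_HEX_AMP|JSON_HEX_QUOT|JSON_HEX_APOS;
echo "postwith(" . json_encode($_SERVER['PHP_SELF'], $flags) . "," .
json_encode(array("export" => "export", "date" => $_POST['date']),
JSON_FORCE_OBJECT|$flags) .
")";
?>'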
See bobince's post about the JSON encoding options.
This is sloppy coding, IMO. Keep your template formatting separate from your processing.
<?php
// do processing of information
$var = (((PSEUDOCODED DATA OUTPUT)));
processtemplate($var);
-------------
//new file that is included by processtemplate()
?>
... blah ... blah ... blah ... blah
onclick="[[_KEYNAME_]]"
... blah ... blah ... blah ... blah ... blah