
can't find what is wrong in the syntax

I have the following code:

onclick=" <?php echo 'postwith(\''.$_SERVER['PHP_SELF'].'\',{export:\'export\',date:\''.$_POST['date'].'\'})'; ?>"

while postwith is a function.

In IE I have an error: Expected identifier, string or number

In Firefox it's OK and the link is:

postwith('/page/page.php',{export:'export',date:'Yesterday'})

so where is my mistake?

thank you!

export is a keyword, so it appears that the IE JavaScript engine is getting confused with you using it in that context. You could put it in quotes to make it clear that it's a key.

+1 warrenm, it's export that needs to be quoted.

But this sort of thing isn't good form. With all that nested quoting it's barely readable, and because you've not JavaScript-string-literal-escaped or HTML-escaped either date or PHP_SELF, you've got HTML-injection bugs which may lead to cross-site-scripting security holes.

Never output a text string to HTML text content or attribute values without htmlspecialchars(), and when you're building JS objects use json_encode() to create the output because it will cope with string escaping problems and quoting object literal names for you.

From PHP 5.3, the JSON_HEX options allow you to ensure all HTML-special characters are encoded as JavaScript string literal escapes, so you don't have to HTML-encode on top of JSON-encoding, which means you can use the same output function in both event handler attributes and <script> blocks (which, being CDATA, have no HTML-escaping).

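<?php
    // JSON keeps its own double-quote delimiters, so the attribute below is
    // single-quoted and JSON_HEX_APOS escapes any ' in the data.
    function j($o) {
        echo json_encode($o, JSON_HEX_TAG|JSON_HEX_AMP|JSON_HEX_QUOT|JSON_HEX_APOS);
    }
    $pars= array("export"=>"export", "date"=>$_POST['date']);
?>

onclick='postwith(<?php j($_SERVER['PHP_SELF']); ?>, <?php j($pars); ?>);'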

Also consider breaking out the onclick handler and assigning it from <script> instead of using inline event handler attributes. This tends to be more readable.
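
An added example (not part of the answers on this page) that compares the question's raw concatenation with two encodings that keep the data inside the handler. `$self` and `$date` are constructed stand-ins for `$_SERVER['PHP_SELF']` and `$_POST['date']`, and `js_hex` is a hypothetical helper name.

```php
<?php
// Constructed stand-ins for $_SERVER['PHP_SELF'] and $_POST['date'].
$self = '/page/page.php';
$date = 'O\'Brien "<b>" & co';
$pars = array('export' => 'export', 'date' => $date);

// Raw concatenation, as in the question: the ' in $date closes the JS string
// and the " closes the HTML attribute.
$raw = "postwith('$self',{'export':'export','date':'$date'})";

// Option A: \uXXXX-escape every HTML-special character inside the JSON strings.
// JSON's own delimiters are still ", so the attribute must be single-quoted.
function js_hex($value) {
    return json_encode($value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS);
}
$callA = 'postwith(' . js_hex($self) . ', ' . js_hex($pars) . ');';

// Option B: plain JSON, then HTML-escape the whole call; this is safe in an
// attribute quoted either way.
$callB = htmlspecialchars(
    'postwith(' . json_encode($self) . ', ' . json_encode($pars) . ');',
    ENT_QUOTES, 'UTF-8');

// Option A must contain nothing that can end a single-quoted attribute or
// start markup; option B must contain no raw quote or angle bracket.
if (strpbrk($callA, "'<>&") !== false || strpbrk($callB, "'\"<>") !== false) {
    throw new RuntimeException('encoded handler still contains a breaking character');
}
// The raw version fails the same check.
if (strpbrk($raw, "\"<>") === false) {
    throw new RuntimeException('expected the raw string to contain breaking characters');
}

echo "<a href='#' onclick='$callA'>A</a>\n";
echo "<a href=\"#\" onclick=\"$callB\">B</a>\n";
```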

As warrenm pointed out export is a keyword and needs to be quoted.

That is, alter the PHP so the result output is:

postwith('/page/page.php',{'export':'export','date':'Yesterday'});

Your PHP would look like this:

onclick="<?php echo "postwith('{$_SERVER['PHP_SELF']}',
     {'export':'export','date':'{$_POST['date']}'})"; ?>"

(Thanks, Peter, for the improved syntax.)

Also, you may wish to remove the space after onclick:

onclick=" <?php 

will become:

onclick="<?php 

For future reference, you might find it easier to proof read if you use double quotes for your PHP string and curly bracket notation for array elements inside the string:

onclick="<?php echo "postwith('{$_SERVER['PHP_SELF']}',
         {'export':'export','date':'{$_POST['date']}'})"; ?>"

simplified example of using curly bracket notation inside double quotes
(note that you do not need to escape literally rendered curly brackets)

Additionally, you should make use of json_encode() to make sure your JSON is in the right format:
(note the single quotes after onclick to accommodate the double quote JSON)

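onclick='<?php
    // JSON_HEX_APOS: the attribute is single-quoted, so ' in the data must be escaped too
    $flags = JSON_HEX_TAG|JSON_HEX_AMP|JSON_HEX_QUOT|JSON_HEX_APOS;
    echo "postwith(" . json_encode($_SERVER['PHP_SELF'], $flags) . "," .
    json_encode(array("export" => "export", "date" => $_POST['date']),
                JSON_FORCE_OBJECT|$flags) .
    ")";
?>'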


See bobince's post about the JSON encoding options.

This is sloppy coding, IMO. Keep your template formatting separate from your processing.

    <?php
    // do processing of information

    $var = (((PSEUDOCODED DATA OUTPUT)));
    processtemplate($var);

    -------------
    //new file that is included by processtemplate()
?>
    ... blah ... blah ... blah ... blah 
    onclick="[[_KEYNAME_]]"
    ... blah ... blah ... blah ... blah ... blah 
