I have the follow code:
onclick=" <?php echo 'postwith(\''.$_SERVER['PHP_SELF'].'\',{export:\'export\',date:\''.$_POST['date'].'\'})'; ?>"
while postwith is a function.
in ie i have an error: Expected identifier, string or number
in firefox it's ok and the link is:
postwith('/page/page.php',{export:'export',date:'Yesterday'})
so where is my mistake?
thank you!
export
is a keyword, so it appears that the IE Javascript engine is getting confused with you using it in that context. You could put it in quotes to make it clear that it's a key.
+1 warrenm, it's export
that needs to be quoted.
But this sort of thing isn't good form. With all that nested quoting it's barely readable, and because you've not JavaScript-string-literal-escaped or HTML-escaped either date
or PHP_SELF
, you've got HTML-injection bugs which may lead to cross-site-scripting security holes.
Never output a text string to HTML text content or attribute values without htmlspecialchars()
, and when you're building JS objects use json_encode()
to create the output because it will cope with string escaping problems and quoting object literal names for you.
From PHP 5.3, the JSON_HEX
options allow you to ensure all HTML-special characters are encoded as JavaScript string literal escapes, so you don't have to HTML-encode on top of JSON-encoding, which means you can use the same output function in both event handler attributes and <script>
blocks (which, being CDATA, have no HTML-escaping).
<?php
function j($o) {
echo json_encode($o, JSON_HEX_TAG|JSON_HEX_AMP|JSON_HEX_QUOT);
};
$pars= array("export"=>"export", "date"=>$_POST['date']);
?>
onclick="postwith(<?php j($_SERVER['PHP_SELF']); ?>, <?php j($pars); ?>);"
Also consider breaking out the onclick
handler and assigning it from <script>
instead of using inline event handler attributes. This tends to be more readable.
As warrenm pointed out export
is a keyword and needs to be quoted.
That is, alter the PHP so the result output is:
postwith('/page/page.php',{'export':'export','date':'Yesterday'});
Your PHP would look like this:
onclick="<?php echo "postwith('{$_SERVER['PHP_SELF']}',
{'export':'export','date':'{$_POST['date']}'})"; ?>"
(Thanks, Peter for the improved syntax).
Also, you may wish to remove the space after onclick:
onclick=" <?php
will become:
onclick="<?php
For future reference, you might find it easier to proof read if you use double quotes for your PHP string and curly bracket notation for array elements inside the string:
onclick="<?php echo "postwith('{$_SERVER['PHP_SELF']}',
{'export':'export','date':'{$_POST['date']}'})"; ?>"
simplified example of using curly bracket notation inside double quotes
(note that you do not need to escape literally rendered curly brackets)
Additionally, you should make use of json_encode() to make sure your JSON is in the right format:
(note the single quotes after onclick to accommodate the double quote JSON)
onclick='<?php
echo "postwith(\"{$_SERVER['PHP_SELF']}\"," .
json_encode(array("export" => "export", "date" => $_POST['date']),
JSON_FORCE_OBJECT|JSON_HEX_TAG|JSON_HEX_AMP|JSON_HEX_QUOT) .
")";
?>'
See bobince , post about the JSON encoding options.
This is sloppy coding, IMO. Keep your template formatting separate from your processing.
<?php
// do processing of information
$var = (((PSEUDOCODED DATA OUTPUT)));
processtemplate($var);
-------------
//new file that is included by processtemplate()
?>
... blah ... blah ... blah ... blah
onclick="[[_KEYNAME_]]"
... blah ... blah ... blah ... blah ... blah
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.