Simple quote in PHP inside a JS function call

Question

I have already read a lot of responses about this issue, and I didn't found the 100% correct.

The code I expect to create in php looks like this:

<a href="#" onclick="a_js_function('moduleSee.php','sql_restriction','popup')">See</a>

a_js_function() is an internal javascript function, it receives some arguments and will be called simply like this

$str = '<a href="#" onclick="';
$str .= " a_js_function('moduleSee.php','sql_restriction','popup')";
$str .='">See</a>';

But the sql_restriction argument contains a quote :

concat('000000',table_id)

And the NOT 100%-working solution is putting \\' instead of ' => this allows to SQL query doing properly but creates a javascript error that blocks part of the page.

$str = '<a href="#" onclick="';
$str .= " a_js_function('moduleSee.php','concat(\'000000\',table.id)','popup')";
$str .='">See</a>';

See what chrome says:

Uncaught SyntaxError: Unexpected number -> point the numbers of received argument: concat('000000',table.id)

because with the \\' receive ' between the 000, the argument of the js function make error, not SQL. Avoiding this quotes in the number make that SQL query doesn't work

putting ' or \\" or \\\\' or '' doesn't work too, addslashes() neither

Any ideas?

Answer 1

The problem isn't how you are escaping your quotes - backslashes are correct. What's happening though is that you aren't escaping enough, as each time the code passes through a language, the escaping is done and the next language won't see it anymore. The code

$str = '<a href="#" onclick="';
$str .= " a_js_function('moduleSee.php','concat(\'000000\',table.id)','popup')";
$str .='">See</a>';

is output from php as

<a href="#" onclick="
 a_js_function('moduleSee.php','concat('000000',table.id)','popup')
">See</a>

Javascript sees the single quotes in the concat and tries to end the string, and then gets confused by the 0s, which aren't a javascript keyword. You need the javascript to see the following

<a href="#" onclick="
 a_js_function('moduleSee.php','concat(\'000000\',table.id)','popup')
">See</a>

which is accomplished by escaping both the \\ and ' characters in php, meaning your php needs to look like

$str = '<a href="#" onclick="';
$str .= " a_js_function('moduleSee.php','concat(\\\'000000\\\',table.id)','popup')";
$str .='">See</a>';

Answer 2

I agree that you should be doing some processing of the input on your SQL server. You could correct the input at that stage.

You could also tries using escaped double-quotes instead in your PHP. Eg:

$str = '<a href="#" onclick="';
$str .= " a_js_function('moduleSee.php','concat(\"000000\",table.id)','popup')";
$str .='">See</a>';

Answer 3

Javascript can concatenate without using a concat function, so this should work:

a_js_function('moduleSee.php', '000000' + table.id, 'popup');

I'm not sure if your code is doing anything special to prevent the above code from working, but that works for me. I have table.id set to 25 , so the result comes out as: 00000025

Answer 4

Thanks all for the answers, finally my boss solved changing the core of the CMS, filtering after use \\'00000\\' , use replace() to change \\' to "

$_POST['fix'] = str_replace('\'','"', $_POST['fix'])); 

Query works good and no js errors