
Possible Duplicate:
PHP: How should I escape a string that will be going into a Javascript String?

I have a situation with characters. If I type in a piece of text (a question) which contains multiple characters such as:

!\"�$%^&()-=\'.,:;/?#~/\\><

Then I suddenly receive an error stating:

Syntax error: unterminated string literal

Then it displays this in the console:

parent.addwindow('!/;

My question is: can I change anything in the code below to allow these characters in the question?

Below is the code:

if (!empty($_GET['searchQuestion']) && ($terms = preg_split('/\s+/', $_GET['questioncontent'], -1, PREG_SPLIT_NO_EMPTY))) {

    // A temp array to hold the terms after they have been constructed
    $termArray = array();

    // We'll need to use this a few times so we'll cache it
    $numTerms = count($terms);

    // Loop $terms and create an array of strings that can be used with LIKE clauses
    foreach ($terms as $term) {
      // The str_replace() allows users to include literal % and _ in the search terms
      $termArray[] = '%'.str_replace(array('%', '_'), array('\%', '\_'), $term).'%';
    }

    // Build the query
    $questionquery = "
SELECT DISTINCT q.QuestionContent, o.OptionType, q.NoofAnswers, GROUP_CONCAT(an.Answer ORDER BY an.Answer SEPARATOR ' ') AS Answer, r.ReplyType, 
       q.QuestionMarks 
  FROM Answer an 
  INNER JOIN Question q ON q.AnswerId = an.AnswerId
  JOIN Reply r ON q.ReplyId = r.ReplyId 
  JOIN Option_Table o ON q.OptionId = o.OptionId 
      WHERE ".implode(" AND ", array_fill(0, $numTerms, "q.QuestionContent LIKE ?"))."
      GROUP BY q.QuestionId, q.SessionId
      ORDER BY ".implode(", ", array_fill(0, $numTerms, "IF(q.QuestionContent LIKE ?, 1, 0) DESC"))."
    ";

    // Make the referenced array: bind_param() takes its arguments by reference,
    // and make_values_referenced() is a helper defined elsewhere in this script
    $referencedArray = make_values_referenced(array_merge(
      array(str_repeat("ss", $numTerms)), // types: every term is bound twice (WHERE and ORDER BY)
      $termArray,                         // where
      $termArray                          // order by
    ));

    // ...or die() is evil in production but I shall assume we are debugging so I won't complain
    if (!$stmt = $mysqli->prepare($questionquery)) {
      die("Error preparing statement: $mysqli->error"); 
    }

    // Bind parameters (the array was already made referenced above)
    if (!call_user_func_array(array($stmt, 'bind_param'), $referencedArray)) {
      die("Error binding parameters: $stmt->error"); 
    }

    // Execute
    if (!$stmt->execute()) {
      die("Error executing statement: $stmt->error"); 
    }

    // This will hold the search results
    $searchResults = array();
    $searchOption = array();
    $searchNoofAnswers = array();
    $searchAnswer = array();
    $searchReply = array();
    $searchMarks = array();

    // Fetch the results into an array. num_rows is a property (not a method) of
    // mysqli_stmt and is only populated after store_result(); fetch when rows exist
    $stmt->store_result();
    if ($stmt->num_rows) {
      $stmt->bind_result($dbQuestionContent,$dbOptionType,$dbNoofAnswers,$dbAnswer,$dbReplyType,$dbQuestionMarks); 
      while ($stmt->fetch()) {
        $searchResults[] = $dbQuestionContent;
        $searchOption[] = $dbOptionType;
        $searchNoofAnswers[] = $dbNoofAnswers;
        $searchAnswer[] = $dbAnswer;
        $searchReply[] = $dbReplyType;
        $searchMarks[] = $dbQuestionMarks;
      }
    }

  }

if (isset($_GET['searchQuestion'])) {

  // If $terms is not empty we did a query
  if (!empty($terms)) {

      $questionnum = sizeof($searchResults);

      foreach ($searchResults as $key=>$question) {

        echo '<tr class="questiontd"><td>'.json_encode($question).'</td>';
        echo '<td class="optiontypetd">'.json_encode($searchOption[$key]).'</td>';
        echo '<td class="noofanswerstd">'.json_encode($searchNoofAnswers[$key]).'</td>';
        echo '<td class="answertd">'.json_encode($searchAnswer[$key]).'</td>';
        echo '<td class="noofrepliestd">'.json_encode($searchReply[$key]).'</td>';
        echo '<td class="noofmarkstd">'.json_encode($searchMarks[$key]).'</td>';
        // The raw database values are placed straight into JavaScript string
        // literals inside the onclick attribute; a quote in the data ends the literal
        echo "<td class='addtd'><button type='button' class='add' onclick=\"parent.addwindow('$question','$searchMarks[$key]','$searchNoofAnswers[$key]','$searchOption[$key]','$searchReply[$key]','$searchAnswer[$key]');\">Add</button></td></tr>";

      }
      echo "</table>";

  }
}

You can view the application here: Application

When you open the app, simply click on the green plus button on the left-hand side when the modal window appears.

Enter `?` in the search bar and run the search. You will see a bunch of results.

Now all the rows look fine except for the row which contains `>!\"�$%^&*()-=\'.,:;/?#~*/\\\\><`. The "Add" button in that row is messed up, and if you try clicking on that "Add" button you get the error I already mentioned at the top of the question.

user1701484

1 Answer


Your last `echo` should be encoded with `json_encode` (the relevant parts that act as JavaScript)

echo "<td class='addtd'><button type='button' class='add' onclick=\"parent.addwindow('$question','$searchMarks[$key]','$searchNoofAnswers[$key]','$searchOption[$key]','$searchReply[$key]','$searchAnswer[$key]');\">Add</button></td></tr>";

Example:

... parent.addwindow('".json_encode($question)."', ....
epoch
  • `htmlspecialchars` is inadequate for values that will be used in a Javascript string. – lanzz Oct 08 '12 at 13:47
  • Hi, I have updated the code above. You sorted out the add button problem, but if you use the app and follow the steps, you can see that instead of saying `>!\"�$%^&*()-=\'.,:;/?#~*/\\\\><` it instead just displays `null`, and if I click on the "Add" button for that row, I receive this syntax error: `unterminated string literal: parent.addwindow('`. – user1701484 Oct 08 '12 at 14:50
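A `json_encode` call on its own does not settle this case, because the value passes through two parsers: the HTML parser reads the `onclick` attribute first, and only then does the JavaScript parser read the string literal inside it. A `"` from `json_encode` that is not HTML-escaped still ends the attribute, and user data that is not escaped for JavaScript is the same defect as the error in the question, viewed as cross-site scripting rather than as a syntax error. The PHP below is an added example, not code from the question or the answer: it encodes each argument with `json_encode` plus the `JSON_HEX_*` flags so the literal contains no `'`, `"`, `<`, `>` or `&`, then HTML-escapes the whole attribute, and it substitutes invalid UTF-8 instead of letting `json_encode` fail (a `null` in the output, as the comment reports, is what PHP before 5.5 returned on a `json_encode` failure). It assumes PHP 7.2 or later for `JSON_INVALID_UTF8_SUBSTITUTE`; `addwindow` is the page's own JavaScript function, the sample row is constructed, and the `\xA3` byte standing in for the character that shows as `�` in the question is an assumption.

```php
<?php
// Added example (not the code from the question or the answer above).
// Renders the "Add" button so that arbitrary question text survives the two
// encoding layers it passes through: the JavaScript string literal inside
// onclick, and the HTML attribute that holds that JavaScript.
// Assumes PHP >= 7.2 (JSON_INVALID_UTF8_SUBSTITUTE). addwindow() is the page's
// own JavaScript function; every other name here is hypothetical.

// Encode $value as a JavaScript string literal that is also safe inside an HTML
// attribute. json_encode() produces the double-quoted literal; the JSON_HEX_*
// flags turn <, >, &, ' and " into \uXXXX escapes, so the only quote characters
// left are the two delimiters, and no <, > or & from the data can close the
// attribute or an enclosing <script> block.
function js_string_for_attribute($value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP
           | JSON_INVALID_UTF8_SUBSTITUTE; // undecodable bytes become U+FFFD, not a failed encode
    $json = json_encode((string) $value, $flags);
    if ($json === false) {
        // Never emit a half-encoded value into executable context; fail loudly instead
        throw new RuntimeException('json_encode failed: ' . json_last_error_msg());
    }
    return $json;
}

// Build the onclick attribute: a call to addwindow() with every argument as a
// JavaScript string literal, HTML-escaped as a whole because it sits inside a
// double-quoted attribute (the browser decodes the entities before the
// JavaScript engine ever sees the text).
function add_button_html(array $args): string
{
    $literals = array_map('js_string_for_attribute', $args);
    $js       = 'parent.addwindow(' . implode(',', $literals) . ');';
    $attr     = htmlspecialchars($js, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
    return '<button type="button" class="add" onclick="' . $attr . '">Add</button>';
}

// Table cells are HTML text, not JavaScript, so they get htmlspecialchars() only.
// ENT_SUBSTITUTE matters: without it, htmlspecialchars() returns an empty string
// for a value containing invalid UTF-8 and the cell silently disappears.
function cell_html($value): string
{
    return '<td>' . htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

// Constructed sample row: the characters from the question, an invalid UTF-8
// byte (assumed to be what renders as the replacement character in the post),
// and a closing-tag fragment of the kind an attacker would store in a question.
$question = '!"$%^&*()-=\'.,:;/?#~*/\\\\><' . "\xA3 " . '</script><b>x</b>';
$row      = [$question, '5', '2', 'Single', 'None', 'Answer A'];

echo '<tr>' . implode('', array_map('cell_html', $row))
   . '<td class="addtd">' . add_button_html($row) . '</td></tr>' . "\n";
```

The rendered attribute begins `onclick="parent.addwindow(&quot;!\u0022$%^\u0026*()...&quot;,&quot;5&quot;,...);"`: the HTML parser turns `&quot;` back into `"` when it reads the attribute, the JavaScript parser then decodes the `\u` escapes inside the literal, and at no stage does a quote, angle bracket or ampersand taken from the database reach either parser as syntax. The same two-layer rule applies to the question's table cells, which should go through `htmlspecialchars`, not `json_encode`; encoding a cell as JSON is what adds the surrounding quotes and, on older PHP, the `null` for a string with undecodable bytes.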