PHP: Trouble composing strings

Question

I'm using this php code

echo " onclick='myFunction(" . $row['username'] . ")'"

that give me this result

onclick="myFunction(Francis88)"

But I want this:

onclick="myFunction('Francis88')"

How should I change my php code for obtain this?

Because you are mixing you HTML with you JavaScript. This ends up as an unmaintainable mess. [This](http://jsfiddle.net/teresko/KfBvt/) example should serve a simplified illustration of a better way. Google "event delegation" or "event bubbling" for more info. — tereško, May 04 '13 at 17:25

score 3 · Answer 1 · answered May 04 '13 at 16:54

3

Use a \ to escape a character within a string, so for example:

echo " onclick=\"myFunction('" . $row['username'] . "')\""

answered May 04 '13 at 16:54

Nick

6,316
2
29
47

1

This doesn't mitigate XSS attacks. – Ja͢ck May 04 '13 at 16:59

score 2 · Answer 2 · edited May 23 '17 at 12:04

2

I would use json_encode() for this to make sure it doesn't mess up with names such as O'Reilly; then, apply htmlspecialchars() to make sure the resulting string doesn't cause issues in HTML attributes:

printf(' onclick="myFunction(%s)"', 
    htmlspecialchars(json_encode($row['username']), ENT_QUOTES, 'UTF-8')
);

I'm also using single quotes here, so that the HTML attribute values can be enclosed in double quotes; arguable, but I hate single quoted attributes ;-)

See also my previous answer to find out the disadvantages of using inline JavaScript.

edited May 23 '17 at 12:04

Community

1
1

answered May 04 '13 at 16:57

Ja͢ck

170,779
38
263
309

1

`echo sprintf` -> `printf` :) You should also HTML encode the data. – deceze May 04 '13 at 16:59
@deceze Good points! Fixed :) – Ja͢ck May 04 '13 at 17:05

PHP: Trouble composing strings

2 Answers2