-2

Please see the scripts below. Onclick of Add gives an error when a php variable ($var) is used, however it will work with a number - i.e. if the line in index.php:

echo '<button id="1" onclick="company_add(\''.$var.'\');">Add</button>';

Is changed to something like:

echo '<button id="1" onclick="company_add(',57776,');">Add</button>';

What am I missing please?

Index.php:

<html>
<head>
<script type="text/javascript">
// POST the company name to company_add.php and show the server's reply
function company_add(company_name) {
    $.post('company_add.php', {company_name: company_name}, function(data) {
        if (data == 'success') {
            alert("Cool");
        } else {
            alert(data);
        }
    });
}
</script>
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>
</head>
<body>
<?php
include 'connect.php'; //Generic connect file
$var = 'Name';

echo '<button id="1" onclick="company_add(\''.$var.'\');">Add</button><br/>';
?>
</body>
</html>

company_add.php:

<?php
include 'connect.php';

function company_exists($company_name) {
    return (mysql_result(mysql_query("SELECT COUNT(`company_name`) FROM `company` WHERE `company_name` = $company_name"), 0) == 0) ? false : true;
}

function add_company($company_name) {
    mysql_query("INSERT INTO `company` (`id`, `company_name`) values ('', ".$company_name.")");
}

$company_name = $_POST['company_name'];

if (company_exists($company_name) === true) {
    echo 'Company already added';
} else {
    add_company($company_name);
    echo 'success';
}
?>
  • 2
    You're missing quotes around `$company_name` and `".$company_name."` since we're more than likely dealing with string values. Add `or die(mysql_error())` to `mysql_query()` and you will see the errors you're not checking for. – Funk Forty Niner Jan 21 '15 at 14:46
  • 1
    **Please, [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).** They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). **Learn about [prepared statements](http://en.wikipedia.org/wiki/Prepared_statement)** instead, and **use [PDO](http://us1.php.net/pdo).** and a @StevieWonder song is actually playing on Pandora as I type this. – Jay Blanchard Jan 21 '15 at 14:47
  • 1
    "Is changed to something like:" — how about viewing the source in the browser and showing us what it actually is instead of just something vaguely like it in some nebulous way? – Quentin Jan 21 '15 at 14:51
  • The problem you describe at the beginning of the question doesn't make a lot of sense. There are clearly escaped quotes in the string literals. The "becomes" part looks like what something would become after it renders client-side, but it doesn't look like what it would "become" *server-side* (still in an `echo` statement). How are you debugging that? Additionally, what is the *specific* error you're seeing? – David Jan 21 '15 at 14:51
  • 1
    @JayBlanchard Stevie's (SRV) playing "Superstition" right now ;-) – Funk Forty Niner Jan 21 '15 at 14:53
  • *"Onclick of Add gives an error when a php variable ($var)is used, however it will work with a number"* - [As per my first comment](http://stackoverflow.com/questions/28069985/passing-php-variable-onclick-gives-error#comment44519324_28069985) – Funk Forty Niner Jan 21 '15 at 14:59

1 Answer

0

Use that line like this:

echo "<button id='1' onclick='company_add(\"" . $var . "\");'>Add</button>";

In case you already have commas before and after the value of $var, you should trim it. So use it like this:

$var = ltrim($var, ",");
$var = rtrim($var, ", ");
echo "<button id='1' onclick='company_add(\"" . $var . "\");'>Add</button>";

And for your information yes you can even use a String instead of a Number too.

And UPDATE the functions:

function company_exists($company_name) {
  $company_name = mysql_real_escape_string($company_name);
  $query = "SELECT * FROM company WHERE company_name = '{$company_name}'";
  $result = mysql_query($query);
  if(mysql_num_rows($result) > 0) {
    return true;
  }else{
    return false;
  }
}

function add_company($company_name){
  $company_name = mysql_real_escape_string($company_name);
  $query = "INSERT INTO company (id, company_name) VALUES ('', '{$company_name}')";
  return mysql_query($query);
}

If you are using the id field of that company table as AUTO_INCREMENT, then you can leave the id field name and value out of the INSERT statement, like this in the add_company function:

$query = "INSERT INTO company (company_name) VALUES ('{$company_name}')";

TipuZaynSultan
  • 783
  • 4
  • 16
  • *"And for your information yes you can even use a String instead of a Number too."* - Not as per OP's SQL statement. OP: *"Onclick of Add gives an error when a php variable ($var)is used, however it will work with a number"* - it's the SQL, not the button. – Funk Forty Niner Jan 21 '15 at 15:03
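
The comments above locate the error in the unquoted SQL and point to prepared statements. The following is an added example, not code from the question or the answer: the two functions from company_add.php rewritten with PDO bound parameters, plus a button whose argument is encoded for both JavaScript and HTML. The in-memory SQLite database (standing in for connect.php), the `add_button` helper and the sample names are assumptions so the script runs on its own.

```php
<?php
// Added example. Assumption: an in-memory SQLite database stands in for the
// MySQL connection that connect.php would provide.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE company (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    company_name TEXT NOT NULL
)');

function company_exists(PDO $pdo, string $company_name): bool {
    // The name is bound as a parameter, so it needs no quoting or escaping
    // and cannot change the structure of the query.
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM company WHERE company_name = ?');
    $stmt->execute([$company_name]);
    return (int) $stmt->fetchColumn() > 0;
}

function add_company(PDO $pdo, string $company_name): bool {
    $stmt = $pdo->prepare('INSERT INTO company (company_name) VALUES (?)');
    return $stmt->execute([$company_name]);
}

// Hypothetical helper: builds the button so any string is a valid argument.
function add_button(string $company_name): string {
    // json_encode() yields a JavaScript string literal; htmlspecialchars()
    // then makes it safe inside the double-quoted onclick attribute.
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP;
    $js_arg = htmlspecialchars(json_encode($company_name, $flags), ENT_QUOTES, 'UTF-8');
    return '<button id="1" onclick="company_add(' . $js_arg . ');">Add</button>';
}

// Constructed sample names: plain, numeric, and containing quote characters.
$samples = ['Name', '57776', "O'Reilly & Sons", 'Acme "Global" Ltd'];
foreach ($samples as $name) {
    echo add_button($name), "\n";
    foreach ([1, 2] as $attempt) {
        // First attempt inserts; second attempt finds the existing row.
        if (company_exists($pdo, $name)) {
            echo "Company already added\n";
        } else {
            add_company($pdo, $name);
            echo "success\n";
        }
    }
}
```

With a real MySQL database only the PDO connection string changes; the prepared statements stay the same.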