
I have already read a lot of responses about this issue, and I didn't find a 100% correct one.

The code I expect to create in PHP looks like this:

<a href="#" onclick="a_js_function('moduleSee.php','sql_restriction','popup')">See</a>

a_js_function() is an internal JavaScript function; it receives some arguments and will be called simply like this:

$str = '<a href="#" onclick="';
$str .= " a_js_function('moduleSee.php','sql_restriction','popup')";
$str .='">See</a>';

But the sql_restriction argument contains quotes:

concat('000000',table_id)

And the NOT 100%-working solution is putting \' instead of ' => this allows the SQL query to run properly but creates a JavaScript error that blocks part of the page.

$str = '<a href="#" onclick="';
$str .= " a_js_function('moduleSee.php','concat(\'000000\',table.id)','popup')";
$str .='">See</a>';

See what Chrome says:

Uncaught SyntaxError: Unexpected number -> it points at the numbers in the received argument: concat('000000',table.id)

because with the \' it receives ' around the 000, so the argument of the JS function causes an error, not SQL. Removing these quotes around the number makes the SQL query stop working.

Putting ' or \" or \\' or '' doesn't work either, and neither does addslashes().

Any ideas?

  • 3
    Can you give us exactly what the Chrome error is? And are you sending your sql_restriction directly to the database? If you are then you are wide open to SQL injection. Commented Jan 17, 2012 at 18:57
  • Include your js-function as well. Commented Jan 17, 2012 at 19:04
  • @nikc.org: how is the function important? The question is just about escaping quotes in JS embedded in HTML Commented Jan 17, 2012 at 19:07
  • The JS function makes filters and shows another page; it is part of a CMS. Commented Jan 18, 2012 at 8:09
  • It isn't a Chrome error; IE and Firefox block too. Commented Jan 18, 2012 at 8:13

4 Answers

3

The problem isn't how you are escaping your quotes - backslashes are correct. What's happening though is that you aren't escaping enough, as each time the code passes through a language, the escaping is done and the next language won't see it anymore. The code

$str = '<a href="#" onclick="';
$str .= " a_js_function('moduleSee.php','concat(\'000000\',table.id)','popup')";
$str .='">See</a>';

is output from php as

<a href="#" onclick="
 a_js_function('moduleSee.php','concat('000000',table.id)','popup')
">See</a>

JavaScript sees the single quotes in the concat and tries to end the string, and then gets confused by the 0s, which aren't a JavaScript keyword. You need the JavaScript to see the following

<a href="#" onclick="
 a_js_function('moduleSee.php','concat(\'000000\',table.id)','popup')
">See</a>

which is accomplished by escaping both the \ and ' characters in PHP, meaning your PHP needs to look like

$str = '<a href="#" onclick="';
$str .= " a_js_function('moduleSee.php','concat(\\\'000000\\\',table.id)','popup')";
$str .='">See</a>';

3 Comments

I just tried putting \\\ and it makes another error; the query doesn't work:
Uncaught SyntaxError: Unexpected token ILLEGAL -> they receive concat\\'000\\'
@Albert: This is the correct solution. When you give the query to the server, you need to make sure you escape slashes again. You cannot escape them only once for the view. You escape it once so it displays properly in the view, then you escape it again when you need to pass it to your database as SQL.
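The layering this answer describes, as an added example that is not part of the original thread: the attribute value goes through two encoders, one that turns the SQL fragment into a JavaScript string literal and one that makes that literal safe inside a double-quoted HTML attribute, plus a decoder that replays what the browser does (entity decoding first, then JavaScript parsing) so the round trip can be checked. It is written in JavaScript so it runs stand-alone; the PHP equivalent of encodeForOnclick() is htmlspecialchars(json_encode($value), ENT_QUOTES, 'UTF-8'). One fact worth keeping in mind when counting backslashes by hand: in a PHP double-quoted string \' is not an escape sequence and is output as the two characters \', while \\' is output as \'. The function names, the hostile sample value and naiveLink() (the attribute in the form the question reports the browser received) are constructed for this example.

```javascript
'use strict';
// Added example: a PHP-generated onclick attribute passes through two
// parsers (HTML, then JavaScript), so the value must be encoded twice, in the
// reverse order. Function names here are this example's own.

// Layer 1: arbitrary string -> JavaScript string literal. JSON.stringify yields
// a double-quoted literal that is also valid JS and escapes \ " and control
// characters, so "concat('000000',table.id)" survives untouched.
function jsStringLiteral(value) {
  return JSON.stringify(String(value));
}

// Layer 2: make that literal safe inside a double-quoted HTML attribute. The
// HTML parser decodes entities before the JS parser ever runs, so this layer
// must not add or remove backslashes; it only entity-encodes HTML-significant
// characters.
function htmlAttrEscape(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function encodeForOnclick(value) {
  return htmlAttrEscape(jsStringLiteral(value));
}

// The anchor the question wants, with every argument run through both layers.
function buildLink(module, sqlRestriction, target) {
  const args = [module, sqlRestriction, target].map(encodeForOnclick).join(',');
  return '<a href="#" onclick="a_js_function(' + args + ')">See</a>';
}

// What the browser does, in the same order: entity decoding first (longest
// entities first, &amp; last so "&amp;quot;" is not double-decoded), then the
// attribute text is parsed as a JavaScript statement.
function htmlAttrDecode(text) {
  return text
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Returns the argument array a_js_function would receive, or throws the same
// SyntaxError the browser reports for a malformed attribute.
function browserSees(anchorHtml) {
  const m = /onclick="([^"]*)"/.exec(anchorHtml);
  if (!m) throw new Error('no onclick attribute found');
  const script = htmlAttrDecode(m[1]);
  let received = null;
  // Stand-in for the page's a_js_function: record what arrived.
  const handler = new Function('a_js_function', script); // parses like the browser
  handler((...args) => { received = args; });
  return received;
}

// Constructed sample input: the question's SQL fragment.
const RESTRICTION = "concat('000000',table.id)";

// The attribute as the question reports the browser received it: the inner
// quotes end the JS string early and "000000" is left dangling, which is the
// "Unexpected number" error from the question.
function naiveLink() {
  const attr = "a_js_function('moduleSee.php','concat('000000',table.id)','popup')";
  return '<a href="#" onclick="' + attr + '">See</a>';
}

if (typeof require !== 'undefined' && require.main === module) {
  const link = buildLink('moduleSee.php', RESTRICTION, 'popup');
  console.log(link);
  console.log(browserSees(link));
}
```

Because the encoding is done per layer rather than by adding backslashes until the error goes away, a value like x"); alert(1); // arrives in a_js_function as plain text instead of running, which is the same property that stops attribute-based XSS.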
0

I agree that you should be doing some processing of the input on your SQL server. You could correct the input at that stage.

You could also try using escaped double quotes instead in your PHP. E.g.:

$str = '<a href="#" onclick="';
$str .= " a_js_function('moduleSee.php','concat(\"000000\",table.id)','popup')";
$str .='">See</a>';

3 Comments

But that will be double quotes inside a double quoted HTML attribute.
Thanks for the answer, but adding " cuts the HTML attribute; the web page shows Uncaught SyntaxError: Unexpected token ILLEGAL because in the <a onclick=" foo "> putting a " in the middle breaks the statement.
Thanks all for the answers; finally my boss solved it by changing the core of the CMS, filtering after use of \'00000\': $_POST['fix'] = str_replace('\'','"', $_POST['fix']); $_POST['fix'] = str_replace('\\','', $_POST['fix']);
0

JavaScript can concatenate without using a concat function, so this should work:

a_js_function('moduleSee.php', '000000' + table.id, 'popup');

I'm not sure if your code is doing anything special to prevent the above code from working, but that works for me. I have table.id set to 25, so the result comes out as: 00000025

1 Comment

It would work in JS, but it's PHP generating an HTML/JS statement; if I put + they receive a + and the query doesn't work. I tried casting the 000 in SQL as unsigned and char and the 000 -> 0, and I need these 0's for other reasons.
0

Thanks all for the answers; finally my boss solved it by changing the core of the CMS, filtering after use of \'00000\', using replace() to change \' to "

$_POST['fix'] = str_replace('\'','"', $_POST['fix']);

The query works well and there are no JS errors.

1 Comment

You were under the impression that you only needed to escape it for JS. As your boss figured out, you need to escape on the trip from the server and to the server. A better solution would be to use a prepared statement in your SQL, that way your user input (from JS) is automatically escaped. You should credit
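The prepared-statement approach this comment recommends, as an added example that is not from the thread or the CMS it discusses: the link sends a restriction name and an id instead of SQL text, the server maps the name to a fragment it wrote itself, and the id is bound as a placeholder value, so nothing that came from the browser is ever concatenated into the query. RESTRICTIONS, buildQuery, unsafeQuery and the items table are assumptions of this example; the {text, values} pair is the split a driver's prepared-statement call takes (PDO::prepare/execute in PHP does the same).

```javascript
'use strict';
// Added example: server side of the "See" link. The client chooses a
// restriction by name; the SQL behind each name lives only here.

// Server-owned SQL expressions. "padded_id" is the question's
// CONCAT('000000', table_id) expression, kept on the server where it belongs.
const RESTRICTIONS = Object.freeze({
  padded_id: "CONCAT('000000', table_id)",
  plain_id: 'table_id',
});

const ID_PATTERN = /^[0-9]{1,10}$/;             // shape of an acceptable table_id
const MODULE_PATTERN = /^[A-Za-z0-9_]+\.php$/;  // shape of an acceptable module name

// Builds a prepared statement from the request the link produces, e.g.
// { module: 'moduleSee.php', restriction: 'padded_id', id: '25' }.
// `text` holds only server-written SQL and ? placeholders; `values` carries
// the request data for the driver to bind. Unexpected input is rejected,
// not escaped.
function buildQuery(req) {
  // hasOwnProperty rather than a plain lookup: RESTRICTIONS['constructor']
  // would otherwise resolve to Object.prototype.constructor and be accepted.
  if (!Object.prototype.hasOwnProperty.call(RESTRICTIONS, String(req.restriction))) {
    throw new RangeError('unknown restriction: ' + JSON.stringify(req.restriction));
  }
  const expr = RESTRICTIONS[req.restriction];
  if (!MODULE_PATTERN.test(String(req.module))) {
    throw new RangeError('bad module name: ' + JSON.stringify(req.module));
  }
  if (!ID_PATTERN.test(String(req.id))) {
    throw new RangeError('bad id: ' + JSON.stringify(req.id));
  }
  return {
    text: 'SELECT ' + expr + ' AS shown_id, title FROM items WHERE module = ? AND table_id = ?',
    values: [String(req.module), String(req.id)],
  };
}

// The variant the thread was heading towards, kept only to show what
// buildQuery refuses: request fields pasted straight into the query text.
function unsafeQuery(req) {
  return 'SELECT ' + req.restriction + ' AS shown_id FROM items WHERE table_id = ' + req.id;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildQuery({ module: 'moduleSee.php', restriction: 'padded_id', id: '25' }));
  console.log(unsafeQuery({ restriction: 'padded_id', id: '25 OR 1=1' }));
}
```

With this split the escaping problem from the question disappears on the client as well: the onclick attribute only ever carries the literal string 'padded_id', which contains nothing an HTML or JavaScript parser cares about.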
