I have the following code:
onclick=" <?php echo 'postwith(\''.$_SERVER['PHP_SELF'].'\',{export:\'export\',date:\''.$_POST['date'].'\'})'; ?>"
where postwith is a function.
In IE I have an error: Expected identifier, string or number
In Firefox it's OK and the link is:
postwith('/page/page.php',{export:'export',date:'Yesterday'})
So where is my mistake?
Thank you!
As warrenm pointed out, export is a keyword and needs to be quoted.
That is, alter the PHP so the result output is:
postwith('/page/page.php',{'export':'export','date':'Yesterday'});
Your PHP would look like this:
onclick="<?php echo "postwith('{$_SERVER['PHP_SELF']}',
{'export':'export','date':'{$_POST['date']}'})"; ?>"
(Thanks, Peter, for the improved syntax.)
Also, you may wish to remove the space after onclick:
onclick=" <?php
will become:
onclick="<?php
export is a keyword, so it appears that the IE JavaScript engine is getting confused with you using it in that context. You could put it in quotes to make it clear that it's a key.
For future reference, you might find it easier to proofread if you use double quotes for your PHP string and curly bracket notation for array elements inside the string:
onclick="<?php echo "postwith('{$_SERVER['PHP_SELF']}',
{'export':'export','date':'{$_POST['date']}'})"; ?>"
simplified example of using curly bracket notation inside double quotes
(note that you do not need to escape literally rendered curly brackets)
Additionally, you should make use of json_encode() to make sure your JSON is in the right format:
(note the single quotes after onclick to accommodate the double quote JSON)
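onclick='<?php
// JSON_HEX_APOS is needed because the attribute is delimited by single quotes.
$flags = JSON_HEX_TAG|JSON_HEX_AMP|JSON_HEX_QUOT|JSON_HEX_APOS;
// PHP_SELF is encoded too, so it cannot break out of the string literal.
echo "postwith(" . json_encode($_SERVER['PHP_SELF'], $flags) . "," .
    json_encode(array("export" => "export", "date" => $_POST['date']),
        JSON_FORCE_OBJECT|$flags) .
    ")";
?>'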
See bobince's post about the JSON encoding options.
This is sloppy coding, IMO. Keep your template formatting separate from your processing.
<?php
// do processing of information
$var = (((PSEUDOCODED DATA OUTPUT)));
processtemplate($var);
-------------
//new file that is included by processtemplate()
?>
... blah ... blah ... blah ... blah
onclick="[[_KEYNAME_]]"
... blah ... blah ... blah ... blah ... blah
+1 warrenm, it's export that needs to be quoted.
But this sort of thing isn't good form. With all that nested quoting it's barely readable, and because you've not JavaScript-string-literal-escaped or HTML-escaped either date or PHP_SELF, you've got HTML-injection bugs which may lead to cross-site-scripting security holes.
Never output a text string to HTML text content or attribute values without htmlspecialchars(), and when you're building JS objects use json_encode() to create the output because it will cope with string escaping problems and quoting object literal names for you.
From PHP 5.3, the JSON_HEX options allow you to ensure all HTML-special characters are encoded as JavaScript string literal escapes, so you don't have to HTML-encode on top of JSON-encoding, which means you can use the same output function in both event handler attributes and <script> blocks (which, being CDATA, have no HTML-escaping).
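<?php
// Emit a value as a JavaScript literal that is also safe inside HTML.
// json_encode() delimits strings with double quotes (JSON_HEX_QUOT only
// escapes quotes inside the data), so the attribute below is single-quoted
// and JSON_HEX_APOS escapes any apostrophes in the data.
function j($o) {
    echo json_encode($o, JSON_HEX_TAG|JSON_HEX_AMP|JSON_HEX_QUOT|JSON_HEX_APOS);
}
$pars= array("export"=>"export", "date"=>$_POST['date']);
?>
onclick='postwith(<?php j($_SERVER['PHP_SELF']); ?>, <?php j($pars); ?>);'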
Also consider breaking out the onclick handler and assigning it from <script> instead of using inline event handler attributes. This tends to be more readable.
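Added example, not part of any answer above: it builds the same postwith() call by string pasting, as in the question, and with json_encode(), as the answers recommend, then checks which result can sit unmodified inside a single-quoted onclick attribute. The function names, the constant and the sample input are constructed for illustration.

```php
<?php
// Added example; function names and sample values are constructed for illustration.

// The JSON_HEX_* flags discussed above, including JSON_HEX_APOS so the result
// can sit inside a single-quoted attribute (JSON's own delimiters are double quotes).
const JS_FLAGS = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS;

// Construction used in the question: values pasted straight into JS source.
function onclick_naive(string $self, string $date): string
{
    return "postwith('$self',{'export':'export','date':'$date'})";
}

// Every dynamic value passes through json_encode() instead.
function onclick_encoded(string $self, string $date): string
{
    $pars = array('export' => 'export', 'date' => $date);
    return 'postwith(' . json_encode($self, JS_FLAGS) . ','
         . json_encode($pars, JS_FLAGS) . ')';
}

// True when $js holds none of the characters that could end a single-quoted
// attribute value or be read as markup or an entity by the HTML parser.
function safe_in_single_quoted_attr(string $js): bool
{
    return strpbrk($js, "'<>&") === false;
}

// Constructed input: ordinary punctuation is enough to break the naive form.
$self = '/page/page.php';
$date = 'it\'s "quoted" <b> & more';

foreach (array('naive'   => onclick_naive($self, $date),
               'encoded' => onclick_encoded($self, $date)) as $label => $js) {
    printf("%-8s %s\n         safe in onclick='...': %s\n",
        $label, $js, safe_in_single_quoted_attr($js) ? 'yes' : 'no');
}

// The encoded object still decodes to the original value.
$decoded = json_decode(json_encode(array('date' => $date), JS_FLAGS), true);
var_dump($decoded['date'] === $date);
```

The encoded form is also usable inside a <script> block, since none of the escaped characters reach the HTML parser.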