I hope somebody can help me with this little problem. The problem is that I still get confused with the syntax.
The PHP line echoes a JavaScript function that takes one parameter, the database value.
It needs to be corrected to get it to work. Extra commas? Escaping? I never know where exactly.
while($row=mysql_fetch_array($r)){
echo '<li onclick="fill(\''.$row["value"].'\');">'.$row["value"].'</li>';
}
EDIT: I just found out that my syntax is correct. I just needed to include the backslashes. It seems the JavaScript function is causing problems, in particular the line that hides the list.
Does anyone have a solution for this?
function fill(thisValue) {
$('#inputString').val(thisValue);
//$('#suggesties').hide();
}
EDIT: I finally came up with this, a callback:
function fill(thisValue) {
$('#suggesties').fadeOut('fast',function(){
$('#inputString').val(thisValue);
});
}
Thanks, Richard
-
Not sure I quite understand the "edit" part you added... – Michael Krelin - hacker, Sep 20, 2009 at 15:26
-
The function should fill the textbox with the value from the list (the onclick function calls the fill function). It seems that the hide function is faster than it can put the value in the textbox. I found out when I commented out that line. – Richard, Sep 21, 2009 at 8:21
5 Answers
echo '<li onclick="fill(\''.$row["value"].'\');">'.$row["value"].'</li>';
Ouch. You've got a JavaScript string literal, inside an HTML-encoded attribute, inside a PHP string literal. No wonder the escaping is confusing you.
Well, first: you're outputting $row['value'] in the list item's text without escaping. This means trouble (potentially security trouble) when that value contains special characters like <, & and ". This needs to be wrapped in htmlspecialchars().
Next, you're putting something in a JavaScript string literal. That means if the string delimiter character ' or the escaping backslash \ is used in the value, it can break out of the string and inject JavaScript code into the page: again, a potential security issue. addslashes() can be used to escape a string for inclusion in a JS string literal; note you still have to htmlspecialchars() it afterwards because the string literal is itself inside an HTML-encoded attribute.
So we're looking at:
echo "<li onclick=\"fill('".htmlspecialchars(addslashes($row['value']), ENT_QUOTES)."');\">".htmlspecialchars($row['value']).'</li>';
Not very readable, is it? Well, we can improve that:
- We can lose the PHP string literal by using PHP itself to interpolate strings (as demonstrated by Jonathan). PHP is a templating language, take advantage of that!
- We can define a function with a shorter name than htmlspecialchars, which is a good idea since we need to use that function a lot in a typical template.
- We can avoid the JavaScript string literal by having the JavaScript side read the data it needs from the contents of the list item (text(), in jQuery, since that's what you seem to be using), rather than having to wrap it inside an ugly inline event handler.
For example:
<?php
function h($text) {
echo(htmlspecialchars($text, ENT_QUOTES));
}
?>
<ul id="suggesties">
<?php while ($row= mysql_fetch_array($r)) { ?>
<li><?php h($row['value']); ?></li>
<?php } ?>
</ul>
<script type="text/javascript">
$('#suggesties>li').click(function() {
$('#inputString').val($(this).text());
$('#suggesties').hide();
});
</script>
3 Comments
- id="inputString" right? (And it is an id and not a name.) Post complete non-working HTML page?
I'd recommend also escaping the string for use in JavaScript. json_encode does the trick. And the HTML part too, if it's not supposed to contain HTML:
echo '<li onclick="fill('.htmlentities(json_encode($row["value"])).');">'.htmlspecialchars($row["value"]).'</li>';
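The following is an added example, not code from the question or from any of the answers on this page. It puts the rendering from the question next to the two hardened forms the answers above describe (a JavaScript string literal escaped and then HTML-escaped, and the unobtrusive version that reads the value back with text() so no JavaScript literal exists at all), and runs each over a constructed set of rows whose values are chosen to break one layer each. The rows are a plain array standing in for mysql_fetch_array() results (the mysql_* extension the thread uses was removed in PHP 7.0); the helper names h(), js() and render_* are this example's own, and the fill() call refers to the function from the question.

```php
<?php
// Added example: the three nested contexts in the question's echo line are
// PHP string literal -> HTML attribute -> JavaScript string literal, and each
// layer needs its own escaping, applied inside-out (JS first, then HTML).
declare(strict_types=1);

// HTML text and attribute context. ENT_QUOTES encodes both ' and ", so the
// result is safe in single- and double-quoted attributes.
function h(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string-literal context. json_encode emits a double-quoted JS
// literal and escapes backslash, quote and control characters (newlines
// included). The JSON_HEX_* flags turn < > & ' " into \uXXXX so the literal
// cannot terminate a <script> block or an attribute by itself. h() is still
// applied on top by the callers, because the browser HTML-decodes the
// attribute value before the JavaScript parser ever sees it.
function js(string $text): string {
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP
           | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR;
    return json_encode($text, $flags);
}

// The rendering from the question: no escaping at any layer (vulnerable).
function render_unsafe(array $rows): string {
    $out = '';
    foreach ($rows as $row) {
        $out .= '<li onclick="fill(\'' . $row['value'] . '\');">' . $row['value'] . "</li>\n";
    }
    return $out;
}

// Inline handler kept, but the value is escaped for the JS literal and then
// for the HTML attribute; the visible text is HTML-escaped separately.
function render_inline(array $rows): string {
    $out = '';
    foreach ($rows as $row) {
        $out .= '<li onclick="fill(' . h(js($row['value'])) . ');">' . h($row['value']) . "</li>\n";
    }
    return $out;
}

// No JavaScript literal at all: one delegated handler reads the clicked
// item's text back out of the DOM, so only the HTML context is escaped.
function render_unobtrusive(array $rows): string {
    $out = "<ul id=\"suggesties\">\n";
    foreach ($rows as $row) {
        $out .= '  <li>' . h($row['value']) . "</li>\n";
    }
    $out .= "</ul>\n";
    // Nowdoc: PHP does not interpolate anything, so the $ of jQuery is literal.
    $out .= <<<'JS'
<script>
$('#suggesties > li').click(function () {
  $('#inputString').val($(this).text());
  $('#suggesties').hide();
});
</script>

JS;
    return $out;
}

// Constructed sample rows (not real database output): a harmless value, an
// apostrophe that ends the single-quoted JS literal early, a deliberate JS
// breakout, and a tag that injects markup into the list item's text.
$rows = [
    ['value' => 'Amsterdam'],
    ['value' => "O'Neill"],
    ['value' => "'); alert(document.cookie); //"],
    ['value' => '<img src=x onerror=alert(1)>'],
];

echo "--- unsafe (as in the question) ---\n", render_unsafe($rows);
echo "--- inline handler, escaped for both layers ---\n", render_inline($rows);
echo "--- no inline handler, text() on the client ---\n", render_unobtrusive($rows);
```

Compare the third row in the three outputs: unescaped it becomes `fill(''); alert(document.cookie); //');`, which runs the injected call on click; escaped it is a single JS string whose quotes and parentheses are `\u0027`, `\u0029` and so on inside `&quot;...&quot;`, and in the unobtrusive version it never reaches the JavaScript parser as code at all. The `&#039;` in O'Neill's visible text is decoded back to an apostrophe by the browser, so nothing is lost for the user.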
5 Comments
- htmlspecialchars suffices in both cases.
- htmlspecialchars replaces &, <, > and ". And when the third parameter for quote style is set to ENT_QUOTES, ' is also replaced. Only if the quote style is set to ENT_NOQUOTES is " not replaced.
- fill("a"b").
- htmlentities doesn't solve that issue either.
You could keep the PHP within PHP tags. Sometimes it's easier than escaping in numerous places:
<?php while($row=mysql_fetch_array($r)) { ?>
<li onclick="fill('<?php print $row["value"]; ?>');">
<?php print $row["value"]; ?>
</li>
<?php } ?>
Comments
Try escaping like this:
while($row=mysql_fetch_array($r)){
echo '<li onclick="fill(\''.$row["value"].'\');">'.$row["value"].'</li>';
}
1 Comment
Remove the quotes around value so that you have $row[value] instead of $row["value"].