Prevent Invalid Variable


seventheyejosh

Hello again, all.

I have this JavaScript function that inserts the value of a textarea into a JavaScript variable, then inserts that into a URL.

My problem lies in that some users are naming it like "1fav" or "2pretzel" and the number in the front is breaking my code, as a var can't start with a number. Is there a way to strip the first character, or characters until there are only text characters? Here is my code:

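function addfavorite(){
    // encodeURIComponent (not encodeURI) so &, =, # and ? in the name cannot alter the query string
    var foodname=encodeURIComponent(document.getElementById('newfav').value);

    if(foodname==''){ foodname='Favorites'; }

    var url='/index.php?direct=modules/fav/fav.php&action=management&subaction=AddFavorite&fav='+foodname+'&1=1';
    sndReqList(url);

    // pass the function itself rather than a string that gets evaluated
    setTimeout(updatefavopts,500);
}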

And my input:

echo "<th bgcolor=#89dcfe><input type=text name=add id=newfav><input type=button value=Add onclick=\"addfavorite()\"></th></tr>\n";

I was thinking about maybe just putting an "a" or w/e on the front of every variable, then stripping the first one off in my PHP save... I was just wondering if there was a proper way, for future instances.

Thanks in advance :)


I am not seeing where any variables are being named using the value from the input.

I do hope that your PHP script isn't taking the $_GET['fav'] and storing that using a variable variable name...

Since you didn't say where your code is breaking, and I don't see where that would be, it's impossible to give an exact fix, but I can tell you that allowing user input to determine the name of a variable is a horrible idea. And if the variable is a PHP variable, and not just a JavaScript variable, you're in for some serious security problems down the road.
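
The risk the reply above warns about, shown as an added example that is not part of the original thread or the poster's code: a request value used as a PHP variable variable name, beside a version that keeps the name as validated data in an array key. The function names, `$isAdmin`, the `$request` array standing in for `$_GET`, and the allow-list with its 40-character limit are assumptions made for illustration.

```php
<?php
// Added example; $request stands in for $_GET. All names here are hypothetical.

// Anti-pattern: the request value becomes a variable name.
function saveFavoriteUnsafe(array $request): bool
{
    $isAdmin = false;            // local state the caller must not control
    $name = $request['fav'];
    $$name = true;               // a value of "isAdmin" overwrites $isAdmin
    return $isAdmin;
}

// Safer: the name is only ever data, used as an array key after validation.
function saveFavoriteSafe(array $request, array &$favorites): bool
{
    $raw = $request['fav'] ?? '';
    if (!is_string($raw)) {
        return false;            // reject fav[]=... style array input
    }
    $name = trim($raw);
    if ($name === '') {
        $name = 'Favorites';     // same default as the JavaScript in the question
    }
    // Allow-list: letters, digits, space, underscore, hyphen; 1 to 40 characters.
    // A leading digit such as "1fav" is fine because it is never an identifier.
    if (!preg_match('/\A[A-Za-z0-9 _-]{1,40}\z/', $name)) {
        return false;
    }
    $favorites[$name] = true;
    return true;
}

// Constructed sample requests.
$favorites = [];
var_dump(saveFavoriteUnsafe(['fav' => 'isAdmin']));
var_dump(saveFavoriteSafe(['fav' => '1fav'], $favorites));
var_dump(saveFavoriteSafe(['fav' => '$x;y'], $favorites));
var_dump(array_keys($favorites));
```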
