
use of single and double quotes in building a print string...


ack


I am having trouble building an executable print string from text and table fields.  I suspect it involves the use of single and double quotes used in building the string.

 

Here are the variables and the assignment line:

 

        /* build the URL string */
        $linkstr1 = '<A href="'JavaScript:newPopup("';       <-- error occurs here (line 183)
        $linkstr2 = $link;
        $linkstr3 = ') ;)">';                                <-- another error probably happening here...
        $linkstr4 = $title;
        $linkstr5 = '</A> &nbsp; ';
        $linkstr6 = $id_no;
        $w_icona = '<img src = "' ;
        $w_iconb = $icon ;
        $w_iconc = '">';

        $strall = $linkstr1.$linkstr2.$linkstr3.$linkstr4.$linkstr5.$linkstr6.$w_icona.$w_iconb.$w_iconc ;
        echo $strall."\n";
        echo "<BR>";
        break;

 

 

The error message:

 

Parse error: syntax error, unexpected T_STRING in ........ on line 183

 

The code I am trying to dynamically create in the string variable $strall is:

 

<a href="JavaScript:newPopup('http://www.URL_NameVariable.htm');">Title_variable</a>

 

I am pretty sure the problem is with the second single-quote in the error line - I just don't know what I need to do to resolve the problem.

 

Thank you in advance!


Side note: are you familiar with string concatenation? Instead of creating dozens of variables to hold different pieces of a string, you could do something like this:

// Build the markup in its own variable so the URL in $link is still intact when it is interpolated.
$html  = '';
$html .= '<A href="JavaScript:newPopup(';
$html .= "'$link'";
$html .= ');">';
$html .= $title;
$html .= '</A>';
 
Or this
$html = '<A href="JavaScript:newPopup(' . "'$link'" . ');">' . "$title</A>";
 
More information about concatenation can be found here:

The real problem here is the spaghetti code. You have PHP within JavaScript within HTML within PHP, and now you cannot understand your own code. At the same time, you massively increase the risk of injection attacks -- in fact, you aren't even doing basic escaping.

 

Untangle the mess. Keep your JavaScript code in external files and away from your HTML markup. No inline scripting. Use a template engine like Twig to separate the HTML markup from the PHP code. While it's theoretically possible to use PHP itself for templating, this sucks and requires a lot more discipline than the average programmer has.

 

Once you have sane code, a lot of your syntax and security problems will just disappear. For example, this is what your template could look like:

<a href="{{ your_link|url_encode }}">{{ your_title }}</a><img src="{{ icon|url_encode }}" alt="an image description goes here">

If you want to enhance the link with fancy pop-ups, do that in your external JavaScript files. In any case, you should provide a real link for users who have disabilities or simply restrict JavaScript for security or privacy reasons.


I'm not saying this works all the time (quote chasing), nor am I recommending it (even though I do it A LOT), but it is an idea for you.

 

For mercy on those who follow, I try to keep things very regular. These are the things I do - I'd love to hear the scolding comments on this. ... always learning, you know.

 

I dereference all my values into simple PHP variables: $_REQUEST arrays, $row->id, ... blah blah

 

I then build a simple report.

 

$html = "
    <a href='$href_val' >Hey buddy</a>
";

within a double-quoted string. Simple variables interpolate without crazy/confusing escapes. This really helps when it comes to the single/double quote accounting. It also simplifies maintenance. You can make it look pretty. Since I don't see others doing it this way, there must be a very good reason why it's not done. And yes, it doesn't always work.

 

And then there are frameworks (above) - I'm leaning Laravel/Blade right now. But that's a project, isn't it.

 

Good luck.


...and the winner is:

 

cyberRobot (with honorable mention to Jacques1)

 

cyberRobot's 2nd suggestion worked perfectly. His first suggestion did not - mainly because of the "spaghetti coding" Jacques1 mentioned.

 

I tried to embed the HTML by jumping from PHP to HTML and back to PHP inside a data record display loop, using the PHP escape characters "<?php" and "?>".

 

That was a massive failure...

 

Keeping everything as a php script allowed proper execution of the database search without errors.

 

This has been a very educational process!

 

Thanks to all that responded!


I tried to embed the HTML by jumping from PHP to HTML and back to PHP inside a data record display loop, using the PHP escape characters "<?php" and "?>".

 

When you used PHP tags (<?php and ?>), did you also include "echo"?

<A href="JavaScript:newPopup('<?php echo $link; ?>');"><?php echo $title; ?></A> &nbsp; <?php echo $id_no; ?>
<img src="<?php echo $icon; ?>"><BR>
 
I should have mentioned in my earlier post that I used a shortcut syntax for PHP. More information can be found in the Description section here:
 

 

cyberRobot's 2nd suggestion worked perfectly. His first suggestion did not - mainly because of the "spaghetti coding" Jacques1 mentioned.

 

To clarify, neither of my suggestions fix the "spaghetti code" problem. If you're interested in fixing that, you'll need to start by externalizing the JavaScript code.

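To show the structure cyberRobot is asking about, here is an added example (not code posted by anyone in the thread) of a record display loop that drops out of PHP into HTML and back, with an echo for every inserted value and htmlspecialchars() applied to each one. The $rows array is a constructed stand-in for the database result, and h() and the popup CSS class are assumed names. The inline JavaScript is deliberately left out: the anchor is a real link, and an external script can attach the pop-up behaviour to a.popup, which is what Jacques1's post recommends.

```php
<?php
// Added example for this page, not code posted in the thread.
// $rows is a constructed stand-in for a database result set; h() is an
// assumed helper name. Pop-up behaviour is expected to live in an external
// script that hooks a.popup, so no JavaScript is built inside PHP strings.
declare(strict_types=1);

function h(string $s): string
{
    // Escape for HTML text and attribute values; ENT_QUOTES covers both quote styles.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$rows = [
    ['link'  => 'http://www.example.com/first.htm',
     'title' => 'First page',
     'id_no' => '1',
     'icon'  => 'http://www.example.com/first.png'],
    // Constructed record with characters that break unescaped output.
    ['link'  => "http://www.example.com/o'neil.htm",
     'title' => 'O\'Neil & "friends"',
     'id_no' => '2',
     'icon'  => 'http://www.example.com/oneil.png'],
];
?>
<!-- Outside the PHP tags the file is plain HTML and is sent verbatim. -->
<?php foreach ($rows as $row): ?>
    <a href="<?php echo h($row['link']); ?>" class="popup" data-id="<?php echo h($row['id_no']); ?>"><?php echo h($row['title']); ?></a>
    &nbsp; <?php echo h($row['id_no']); ?>
    <img src="<?php echo h($row['icon']); ?>" alt=""><br>
<?php endforeach; ?>
```

Run it with `php -f` or through the web server: every `<?php ... ?>` island is either control flow (`foreach:` / `endforeach;`) or an `echo`, and nothing else is ever emitted from inside PHP. The second record's apostrophe and quotes come out as entities instead of terminating the attribute, which is the failure the original concatenated string ran into.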

Spaghetti code or not -- dumping raw PHP variables into JavaScript contexts is suicidal. If you're really, really lucky, this will "only" lead to bugs. More realistically, you've created a cross-site scripting vulnerability on steroids.

 

I really wonder why this is so hard to understand for so many programmers. Surely you know that it's a bad idea to put raw variables into SQL queries (if you don't, look up "Bobby Tables"). It's the same thing with JavaScript and HTML. In all cases, you need to carefully prepare the input string for the specific context, so that there won't be any interference.

 

Don't just assume that the input string will be compatible with the context. Even if everybody on the Internet was nice (which we know isn't the case), you'd still run into problems, because apostrophes and other special characters can appear in perfectly legitimate input.

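Jacques1's two posts (keep a real link and escape every value for the context it lands in, and never dump raw PHP variables into a JavaScript context) can be put together as working code. The block below is an added example written for this page, not code from any poster. popupLink(), h(), js(), safeUrl() and the sample $row are assumed names and constructed data; newPopup() is the original poster's pop-up function, assumed to exist in an external script. It keeps an inline onclick only to show what escaping a value for a JavaScript string literal inside an HTML attribute actually requires; moving the handler to an external file, as the post recommends, removes the need for js() entirely. Needs PHP 7.3 or later for JSON_THROW_ON_ERROR.

```php
<?php
// Added example for this page, not code posted in the thread.
// Helper names, popupLink() and the $row data are assumptions; newPopup()
// is assumed to be defined in an external JavaScript file.
declare(strict_types=1);

// HTML text and attribute context.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// JavaScript string-literal context. json_encode emits a double-quoted JS
// string; the JSON_HEX_* flags turn < > & ' " into \uXXXX so the literal
// cannot break out of the attribute it is later placed in.
function js(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Only http(s) URLs are accepted; a user-supplied "javascript:" or "data:"
// link would otherwise be a second injection point in href and src.
function safeUrl(string $url): ?string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

function popupLink(string $link, string $title, string $idNo, string $icon): string
{
    $href    = safeUrl($link);
    $iconSrc = safeUrl($icon);
    if ($href === null || $iconSrc === null) {
        return h($title); // refuse to link to an untrusted scheme
    }
    // The JS literal is built first, then escaped again for the attribute:
    // the browser decodes the entities before it runs the handler.
    $onclick = 'newPopup(' . js($href) . '); return false;';
    return '<a href="' . h($href) . '" onclick="' . h($onclick) . '">' . h($title) . '</a>'
        . ' &nbsp; ' . h($idNo)
        . ' <img src="' . h($iconSrc) . '" alt="">';
}

// The thread's approach: raw interpolation into both the JS and HTML contexts.
function naiveLink(string $link, string $title): string
{
    return "<a href=\"JavaScript:newPopup('$link');\">$title</a>";
}

// Constructed sample record with characters that break the naive string.
$row = [
    'link'  => "http://www.example.com/o'neil.htm",
    'title' => "O'Neil <b>& co</b>",
    'id_no' => '42',
    'icon'  => 'http://www.example.com/icon.png',
];

echo naiveLink($row['link'], $row['title']), "\n";
echo popupLink($row['link'], $row['title'], $row['id_no'], $row['icon']), "\n";
```

In the naive output the apostrophe in the link ends the JavaScript string early and the `<b>` in the title is rendered as markup, which is exactly the interference the post describes; both are legitimate input, not an attack. popupLink() encodes the URL once for the JavaScript literal and once more for the attribute, HTML-escapes the title and id, and keeps href as a real link so the page still works for visitors who block scripts.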
