Comments on: Escaping JavaScript for PHP

By: Ron Lowe

Ron Lowe — Sat, 27 Aug 2011 09:42:38 +0000

I know it is a long time after the others but I have tried the above without success.

I need to pass a mysql string output via PHP to a javascript function. I have now found (elsewhere on the net) a method that works.

$test=”'clin1cal0001'″;

echo “Click

this”;

The $test is passed to function and appears in an alert there. PHEW!!

By: Adam Backstrom

Adam Backstrom — Mon, 10 May 2010 12:38:35 +0000

Naresh, you should be using htmlentities() rather than javascript_escape() in that context, since you’re not embedding your string into JavaScript.

By: Naresh Kumar

Naresh Kumar — Thu, 06 May 2010 09:21:44 +0000

Hello There,

It is not working for me. Could anyone please in this..

Here is my code:

function javascript_escape1($str) { $new_str = 'Test';


        $str_len = strlen($str);

        for($i = 0; $i < $str_len; $i++) {

            $new_str .= '\x' . dechex(ord(substr($str, $i, 1)));

        }
        return $new_str;

    }

?>








    if ($_POST) {

        echo ""; print_r($_POST);echo "
";

    }

?>

Thanks in advance.

By: JN

JN — Fri, 13 Nov 2009 23:35:22 +0000

function js_escape($str) { for($i = 0, $l = strlen($str), $new_str=''; $i < $l; $i++) $new_str .= (ord(substr($str, $i, 1)) < 16 ? '\\x0' : '\\x') . dechex(ord(substr($str, $i, 1))); return $new_str; }

By: Nightfly

Nightfly — Fri, 22 May 2009 22:06:54 +0000

For super tidy string iteration, I always use this:

for($i = 0, $l = strlen($str); $i < $l; $i++) {
$new_str .= ‘\\x’ . dechex(ord(substr($str, $i, 1)));
}

By: Adam Backstrom

Adam Backstrom — Thu, 31 Jul 2008 20:56:45 +0000

tedivm: good point. I’ve updated the post to reflect your suggestion.

By: tedivm

tedivm — Thu, 31 Jul 2008 18:17:39 +0000

You should take the “strlen($str)” check and put it outside of the for loop. The reason is that function calls use up a lot more resources than simple variable checks, and where the strlen function currently is it will be called for each interation of the loop (so if the string has a length of 50, that function will be called fifty times).

$strLen = strlen($str);
for($i = 0; $i < $strLen; $i++) {
$new_str .= ‘\\x’ . dechex(ord(substr($str, $i, 1)));
}

By: Pascal

Pascal — Thu, 31 Jul 2008 13:23:12 +0000

I see. And I guess using htmlentities(strip_tags($myVar)) would break the javascript. Good script then.

By: Adam Backstrom

Adam Backstrom — Thu, 31 Jul 2008 12:41:44 +0000

Pascal, Here's an example of addslashes() allowing XSS. It's not sufficient to block all hack attempts. That page will load off-domain JavaScript in Firefox 3.0.1, Opera 9.51, Safari 3.1.2, and Internet Explorer 7.0.6001.18000.

By: Pascal

Pascal — Thu, 31 Jul 2008 01:38:45 +0000

Why not just use addslashes($myvar)?