php passing longtext to javascript

[thescientist]

Hey everyone, hopefully one of you fine members can help me out.I have a database for my music website that stores information about artists, their music, pictures, etc. For the artists table, one of the fields is an artistBio field, which i have set to longtext. I'm guessing this could be the root of my problem. And, so my issues is this:Within the page that calls the artists info and spits out their name, list of albums, list of pictures, etc from the database, I have a drop down which links you to page when you click on the the drop down, like so:

if(mysql_numrows($artistMusic) > 0){  echo "<form id='music_dropdown' action=''>";  echo "<select name='music_albums'>";  while($row = mysql_fetch_array($artistMusic)){	$aN = urlencode($row['albumName']);	echo '<option value="" onclick=\'getContent("view_music_album.php","albumName","' . $aN . '")\'>' . $row['albumName'] . '</option>';  };  echo "</select><img src='images/arrow_right.png'/>";  echo "</form>";};

this works fine, it passes $aN (the artists name) to my (externally included) javascript function getContent, which builds a query string and opens in the current page on the right via AJAX. So far so good.Now I would like to do the same thing, minus the need for AJAX, by just changing the innerHTML of the same div. I am able to pass the artist bio to the getContent function, (on the same page), like so:

echo '<a onclick=\'getBio("' . urlencode($aBio) . '")\'>';

which works....but returns the string looking like this:

Dave+Flamand+is+talented+singer-songwriter+from+the+Block+Island+area.++Dave+is+well+known+on+the+island+for+his+fun+and+energetic+open+mics%2C+where+he+plays+originals+as+well+as+covering+great+acts+like+Neil+Young%2C+the+Beatles%2C+Oasis%2C+Blur%2C+and+Radiohead.++Dave+is+also+the+frontman+for+the+rock+band+Analog+and+records+for+both+himself+and+his+band.++Check+him+out+live+on+Block+Island+or+around+Providence%2C+RI.++You+can+keep+up+with+his+schedule+by+following+our+events+page+and+following+Analog+Studios%27+social+networking+sites.

now the only reason I did the urlencode was because this

echo '<a onclick=\'getBio("' . $aBio . '")\'>';

doesn't work; it returns unterminated string literal in the firebug console, probably because of certain characters in the returned text form the DB. So is there some sort of string function that would help me out, or is it the length of the text? Any thoughts would be great. I swear if its just because of an apostrophe I'm missing... :)EDIT: for what its worth, the value of $aBio is what shows up on the page first, so I know its coming through fine, it's just that when I click on Bio while something else being displayed on the right via innerHTML, I want $aBio to appear again.

[thescientist]

also, would there be any issue with passing an array from PHP to Javascript?

[justsomeguy]

You don't need to use urlencode, you just need to escape the quotes. If you want to pass data structures like arrays and objects between PHP and Javascript, the best way is to use the JSON format. json.org has links to code for both languages to encode and decode.

[thescientist]

You don't need to use urlencode, you just need to escape the quotes. If you want to pass data structures like arrays and objects between PHP and Javascript, the best way is to use the JSON format. json.org has links to code for both languages to encode and decode.

Yeah, I figured that wasn't the right function, its just that I couldn't think of what PHP function I would need. I've been exposed to a lot of JSON here at work, so that hopefully should be pretty easy. For escaping quotes, would this be the right function?http://us.php.net/manual/en/function.mysql...cape-string.phplooking at the page source, its just because I have an apostrophe at the end of a word. All of this stuff coming from the DB is manually entered, so I can just sanitize this stuff myself if need be, but it would be handy to have something catch this in case I inadvertently make this kind of mistake again without realizing it.

[justsomeguy]

If you're inserting text into this:<a onclick='getBio("...")'>You'll need to escape all double-quotes so that it doesn't break out of the inner string, and you'll either need to escape single quotes or replace the single quotes with another character, and then replace them back in Javascript. You could use str_replace to do that, or addslashes will escape several characters at once.

[thescientist]

gotcha, will do! Thanks for your time. :)edit: could I just use string replace to find ' or " and replace them all with \' or \" all in PHP?

[justsomeguy]

Yeah, you would need to replace that in PHP so that when you print the Javascript code it doesn't break the quotes.

[thescientist]

alright, so I think I'm getting it. No matter what information goes into the database (in my case by manual entry) all quotes, apostrophes, forward slashes, etc should be escaped on input? with \?The if I want to use this text in a page, say using echo, I would just want to use say string replace on the /'s?Or should I put the text in as normal, and then use real_escape_string? I'm still having difficulties using it to be displayed as text or to be passed in a function call, and I'm just not sure if the way the information going into the database is making things difficult.I'm trying to work on using JSON to pass an array made in PHP to a javascript function, but having much luck with that either. Do I have to use JSON in conjunction with an AJAX call, or can I just I just pass it as an argument in a function call? Maybe I'm just tired, buy I'm starting to get a bit confused with all this.

[justsomeguy]

No matter what information goes into the database (in my case by manual entry) all quotes, apostrophes, forward slashes, etc should be escaped on input? with \?

You need to escape characters when you write the string out. This is just the regular escaping characters in strings, it's just on more than one level. Usually you're only escaping one level, where you have a double-quoted string so you need to escape the double-quotes in the string. When you're printing Javascript code into an HTML attribute, you're escaping several levels:<a onclick='getBio("<?php echo $str; ?>")'>First, you need to escape the double-quotes surrounding the argument to getBio. So, that adds a slash before each double-quote. You also need to add a slash to each existing slash, so you've got 2 characters that need to be escaped. Then, you need to escape the single-quotes around the value of the onclick attribute. So, now you probably need to add another slash to each existing slash, plus a slash before each single-quote. It's the same concept as just escaping a string, you're just escaping several levels of it because you're printing a string inside several other quoted strings. Sometimes it takes some trial and error to get right, just look at the output code to make sure it's what it needs to be.

I'm trying to work on using JSON to pass an array made in PHP to a javascript function, but having much luck with that either. Do I have to use JSON in conjunction with an AJAX call, or can I just I just pass it as an argument in a function call?

You can send JSON data wherever you want, but keep in mind that it's a string of text, not an array. If you want to turn the JSON string back into a data structure you need to use a decode function. It's possible to just use eval in Javascript to turn the thing into a data structure, but for the sake of security it's better to use a library that includes validation of the data to make sure it's just a data structure. If you're defining the JSON structure, where it would never include malicious Javascript code, then eval is fine to use in Javascript to turn it back into a data structure. Ext Core is one library which will automate all of the ajax and JSON tasks, for example:http://www.extjs.com/products/core/manual/index.php

[thescientist]

thanks for the help JSG, I think I'm finally getting the hang of it relative to escaping strings and passing them properly in javascript functions and all that jazz. Now on to the JSON part of the adventure! Thanks for your patience too.