1

I am trying to pass two variables to a JavaScript function that pops up a confirmation box before deleting a record from the MySQL database, but I think there is something wrong in the syntax.

Below is the code of the link that fires the confirmation box when it is clicked, but it doesn't work and I am not sure if I am passing the parameters in the right way:

echo"<td><a href='javascript:promptbox(" . $myemail . "," . $appNo .")'>cancel</a></td>";

Can someone please let me know whether it's a syntax error or if there is any other problem?

Thanks

1
  • You have an XSS hole. Commented Sep 2, 2013 at 3:11

1 Answer

2

Strings in JavaScript need to be enclosed in quotes.

echo"<td><a href='javascript:promptbox(\"" . $myemail . "\",\"" . $appNo ."\")'>cancel</a></td>"; 
3
  • If those two variables are coming from users, please consider using htmlspecialchars to avoid XSS attacks! Commented Sep 2, 2013 at 3:31
  • @SLaks He may have to use it twice, but it will prevent it! Of course, NOT allowing dangerous chars would be much better and safer! Commented Sep 2, 2013 at 3:48
  • @undone: No. HTML-escaping text does not help when concatenating Javascript. Commented Sep 2, 2013 at 15:17
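
The values in the echo above pass through two contexts, a JavaScript string literal and an HTML attribute, and a `javascript:` URL is also percent-decoded by the browser before it runs. The following is an added example, not code from the question or the answer: it moves the call out of the `href` and encodes each layer in order, with a second variant that generates no JavaScript at all. The helper names (`js_literal`, `attr`, `cancel_cell_inline`, `cancel_cell_data`) and the sample rows are hypothetical; `promptbox`, `$myemail` and `$appNo` are from the question.

```php
<?php
declare(strict_types=1);

// Layer 1 (JavaScript): turn a PHP value into a JS literal. The JSON_HEX_*
// flags emit < > & ' " as \uXXXX, so quotes in the data cannot end the string.
// JSON_THROW_ON_ERROR needs PHP 7.3 or later.
function js_literal(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Layer 2 (HTML): escape text for a quoted attribute value.
function attr(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Variant A: inline handler. Encode for JavaScript first, then for HTML.
function cancel_cell_inline(string $email, string $appNo): string
{
    $call = 'promptbox(' . js_literal($email) . ',' . js_literal($appNo) . '); return false;';
    return '<td><a href="#" onclick="' . attr($call) . '">cancel</a></td>';
}

// Variant B: no generated JavaScript. The values travel as data-* attributes
// (HTML escaping only) and a static script reads them on click.
function cancel_cell_data(string $email, string $appNo): string
{
    return '<td><a href="#" class="cancel" data-email="' . attr($email)
        . '" data-app-no="' . attr($appNo) . '">cancel</a></td>';
}

// Constructed sample rows; the second contains both quote characters.
$rows = [
    ['alice@example.com', '1042'],
    ["o'brien@example.com", 'A"7'],
];
foreach ($rows as [$myemail, $appNo]) {
    echo cancel_cell_inline($myemail, $appNo), "\n";
    echo cancel_cell_data($myemail, $appNo), "\n";
}
```

For variant B, a static script attaches a click listener to the `a.cancel` links and passes `dataset.email` and `dataset.appNo` to `promptbox`, so no user-controlled text is ever parsed as script.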
