I need help escaping the string parameters of a JavaScript function using PHP

Problem description:

I am dynamically creating an anchor that calls a JavaScript function. It works with one string parameter but not with two. I believe I am not escaping the quotes around the parameters correctly. While searching for an answer I came across the following

onclick="alert('<?echo $row['username']?>')"  

and the next one I found left me completely baffled

echo('<button type="button" id="button'.$ctr.'"onClick="showMapsInfo(\''.str_replace("'", "\\'", $maps_name).'\', \''.str_replace("'", "\\'", $ctr).'\');"><img src="img/maps_logo.gif"></button><br/>');

If someone would please

  1. Explain why the single quotes around username do not have to be escaped?

  2. Where there is a "dummies" write-up on escaping characters, so I could try to decipher the second example.

Let's examine your first example:

onclick="alert('<?echo $row['username']?>')" 

The important part here is that everything outside of <? … ?> is pure HTML and is never looked at by the PHP interpreter. Therefore, the only part that is relevant for PHP is the code inside <? … ?>, namely echo $row['username']. Here, one does not need to do any escaping.

Your second example, in contrast,

echo('<button type="button" id="button'.$ctr.'"onClick="showMapsInfo(\''.str_replace("'", "\\'", $maps_name).'\', \''.str_replace("'", "\\'", $ctr).'\');"><img src="img/maps_logo.gif"></button><br/>');

is written purely in PHP, with no surrounding HTML. Therefore, you have to be careful with the quotes. Let's build this up from scratch to see what happens here. When you build something like this, you would probably start with

echo('<button type="button" id="button1" onClick="showMapsInfo(\'...\');"><img src="img/maps_logo.gif"></button><br/>');

Because the single quotes are already used as string delimiters, they must be escaped inside the string as \'. Now for the part inside the JavaScript function. Put even more simply, the above code boils down to

echo('showMapsInfo(\'...\');');

which results in

showMapsInfo('...');

When we want to insert some dynamic parts instead of the '...' part, we need to end the string with ' and concatenate it back together with the . operator. Suppose you wanted to insert a variable $foobar in there; then you would write:

echo('showMapsInfo(\''.$foobar.'\');');

which results in

showMapsInfo('<VALUE OF $foobar>');

Your example does not insert $foobar into this string, but rather the following expression:

str_replace("'", "\\'", $maps_name).'\', \''.str_replace("'", "\\'", $ctr)

which uses str_replace in order to escape the content again, but with a little twist: it is not escaped for PHP, but for the resulting JavaScript! Every single quote ' becomes an escaped single quote \' in the output, but you need to write \\' because the backslash itself needs to be escaped in the PHP string in order to produce a backslash in the output.

You could use the json_encode function for the JavaScript variable.

// json_encode wraps a string in double quotes, which would otherwise terminate the
// onClick="..." attribute, so the JSON is passed through htmlspecialchars as well.
echo sprintf(
  '<button type="button" id="button%s" onClick="showMapsInfo(%s, %s);">
   <img src="img/maps_logo.gif"></button><br/>',
    htmlspecialchars($ctr), htmlspecialchars(json_encode($maps_name)), htmlspecialchars(json_encode($ctr)));
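As an added worked example (not code from the question or from any of the answers on this page), the following PHP script puts the single-quote-only escaping from the question next to a version that encodes for both layers, the JavaScript string literal and the HTML attribute that contains it, and runs both over a legitimate apostrophe and two constructed attacker inputs. It assumes PHP 8; showMapsInfo is the question's own JavaScript function, and the helper names buttonNaive, jsArg, buttonSafe and onClickValue are chosen for this example.

```php
<?php
// Added example, not code from the question or any of the answers above.
// Assumes PHP 8 and that showMapsInfo() is the page's own JavaScript
// function; buttonNaive(), jsArg(), buttonSafe() and onClickValue() are
// names chosen here for illustration.
declare(strict_types=1);

// The approach from the question: escape single quotes for the JS literal only.
function buttonNaive(string $mapsName, string $ctr): string
{
    $name = str_replace("'", "\\'", $mapsName);
    $ctr  = str_replace("'", "\\'", $ctr);
    return '<button type="button" id="button' . $ctr . '" '
         . 'onClick="showMapsInfo(\'' . $name . '\', \'' . $ctr . '\');">'
         . '<img src="img/maps_logo.gif"></button><br/>';
}

// Hardened: encode once per layer, from the inside out.
// 1. JS string literal: json_encode; the JSON_HEX_* flags turn < > & ' " into
//    \uXXXX escapes so none of them appear literally in the output.
// 2. HTML attribute: htmlspecialchars, so the double quotes json_encode wraps
//    around the literal cannot terminate onClick="...".
function jsArg(string $value): string
{
    $json = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return htmlspecialchars($json, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function buttonSafe(string $mapsName, string $ctr): string
{
    $idAttr = htmlspecialchars($ctr, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<button type="button" id="button' . $idAttr . '" '
         . 'onClick="showMapsInfo(' . jsArg($mapsName) . ', ' . jsArg($ctr) . ');">'
         . '<img src="img/maps_logo.gif"></button><br/>';
}

// Pulls the raw text of the onClick attribute out of the generated markup,
// the same way an HTML parser delimits it, so the two versions can be compared.
function onClickValue(string $html): string
{
    preg_match('/onClick="([^"]*)"/', $html, $m);
    return $m[1] ?? '';
}

// Constructed inputs. The first is the case the question worries about;
// the other two are what an attacker could submit as a map name.
$inputs = [
    'legitimate apostrophe' => "Bob's Pub",
    // str_replace turns the quote into \' but the attacker's own backslash
    // escapes that backslash, so the quote still ends the JS literal:
    //   showMapsInfo('x\\'); alert(document.cookie); //', '1');
    'backslash bypass'      => "x\\'); alert(document.cookie); //",
    // str_replace never touches double quotes, so this one closes the
    // onClick attribute and adds a second event handler:
    //   onClick="showMapsInfo('x" onmouseover="alert(1)//', '1');"
    'attribute breakout'    => "x\" onmouseover=\"alert(1)//",
];

foreach ($inputs as $label => $mapsName) {
    echo "== $label ==\n";
    echo "naive: ", onClickValue(buttonNaive($mapsName, '1')), "\n";
    echo "safe:  ", onClickValue(buttonSafe($mapsName, '1')), "\n\n";
}
```

Run it with php from the command line. For the backslash input the naive handler reads showMapsInfo('x\\'); alert(document.cookie); //', '1'); and the alert executes; for the double-quote input the onClick attribute is cut off at 'x and the rest becomes a new onmouseover attribute. The safe handler contains only \uXXXX escapes and &quot; entities, which the browser decodes before handing the handler text to the JavaScript engine, so showMapsInfo still receives the original strings. If you can change the markup, the cleaner option is to avoid inline handlers altogether: put the values in data-* attributes (htmlspecialchars is then the only encoding needed) and attach the click handler with addEventListener.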

  1. The single quotes around username do not have to be escaped because they are part of the PHP variable, not the JavaScript.

  2. Information on injecting PHP variables into JavaScript can be found here and more info here.

    You only need to enclose the PHP variables in quotes if the variable is a string.

I think you don't have a problem escaping the single quote, as the function is working when you are calling it using one parameter only.

Check whether you are creating the whole parameter string correctly, whether the comma is added properly, and, in the JavaScript, whether single quotes come around both the parameters.

Finally, the parameter string should look like

'param1', 'param2'

You can replace the quotes and then use a heredoc; it is more legible and easier to understand.

$maps_name = str_replace("'", "\\'", $maps_name);
$ctr       = str_replace("'", "\\'", $ctr);

echo <<<HTML

<button type="button" id="button$ctr" onClick="showMapsInfo('$maps_name', '$ctr');"><img src="img/maps_logo.gif"></button><br/>

HTML;