unidox Posted May 30, 2008 Share Posted May 30, 2008 Here is my code: class functions { // Vars var $user; var $lvl; var $group; var $table; var $table_id; var $check; function mysql_conn() { $db_user = "user"; // Username $db_pass = "*****"; // Password $db_database = "dbname"; // Database Name $db_host = "localhost"; // Server Hostname $db_connect = mysql_connect ($db_host, $db_user, $db_pass); $db_select = mysql_select_db ($db_database); } function lvl () { $this->mysql_conn(); $user = $this->user; $q = mysql_query("SELECT * FROM `pcp_users` WHERE `username` = '$user'") or die (mysql_error()); $r = mysql_fetch_array($q); $this->lvl = $r['level']; // Find the users level. $this->group = $r['group']; } function chklvl ($name) { $this->mysql_conn(); $q = mysql_query("SELECT * FROM `pcp_groups` WHERE `name` = '$name'") or die(mysql_error()); $r = mysql_fetch_array($q); $name = $r['level']; return $name; } function check() { $this->mysql_conn(); if ($this->lvl == 1) { $this->check = true; } else { $this->check = false; } } function create_log($string, $user_name) { $file = "beta/admin/logs/log.txt"; $open = fopen($file, "ab"); $ip = $_SERVER["REMOTE_ADDR"]; $time = date("F j, Y, g:i a"); $write = "Username: \"" . $user_name . "\" | IP: " . $ip . " | Date: " . $time . " | Action: " . $string . "\n"; fwrite($open, $write); fclose($open); } function activeate_num() { // Generates 8 Digit Activation Number $allow = "abcdefghijkmnpqrstuvwxyz23456789"; srand((double)microtime()*1000000); for($i=0; $i<8; $i++) { $activation .= $allow[rand()%strlen($allow)]; } return $activation; } function escape_data($data) { // Prevents SQL Injection $this->mysql_conn(); global $db_connect; if (ini_get('magic_quotes_gpc')) { $data = stripslashes($data); } $data = ereg_replace("[\'\")(;|`,<>]", "", $data); $data = mysql_real_escape_string(trim($data)); return stripslashes($data); } function delete($id, $link, $log, $name) { $this->mysql_conn(); if (!is_numeric($id)) { header("Location: index.php?p=error&h=" . $link . "&e=" . $link . "_1" . ""); exit(); } $table = $this->table; $table_id = $this->table_id; $lvl = $this->lvl; $q = mysql_query("SELECT * FROM `" . $table . "` WHERE `" . $table_id . "` = '$id'") or die (mysql_error()); $r = mysql_fetch_array($q); if ($lvl > $r['level']) { header("Location: index.php?p=error&h=" . $link . "&e=" . $link . "_2" . "&user=" . $r[$name] . ""); exit(); } if ($lvl == $r['level']) { header("Location: index.php?p=error&h=" . $link . "&e=" . $link . "_3" . "&user=" . $r[$name] . ""); exit(); } $q = mysql_query("SELECT * FROM `" . $table . "` WHERE `" . $table_id . "` = '$id'") or die(mysql_error()); $r = mysql_fetch_array($q); //$this->create_log("Deleted " . $log . ": \"" . $r[$name] . "\"", $this->user); mysql_query("DELETE FROM `" . $table . "` WHERE `" . $table_id . "` = '$id'"); header("Location: index.php?p=success&h=" . $link . "&e=" . $link . "_1" . "&user=" . $r[$name] . ""); exit(); } function add($array, $link, $log) { $this->mysql_conn(); foreach ($array as $v) { if (preg_match("/password/i", $v)) { eval("$" . $v . " = " . md5($_POST[$v]) . ";"); if ($password == "") { header("Location: index.php?p=error&h=" . $link . "&e=" . $link . "_4"); exit(); } } elseif (preg_match("/url/i", $v)) { eval("$" . $v . " = " . url($_POST[$v]) . ";"); if ($url == "") { header("Location: index.php?p=error&h=" . $link . "&e=" . $link . "_7"); exit(); } } elseif (preg_match("/level/i", $v)) { if ($this->check == true) { eval("$" . $v . " = " . $this->escape_data($_POST[$v]) . ";"); if ($level == 1) { $level = $this->chklvl("Users"); } if (!is_numeric($level)) { header("Location: index.php?p=error&h=" . $link . "&e=" . $link . "_8"); exit(); } elseif ($level == "") { $level = $this->chklvl("Users"); } $q = mysql_query("SELECT * FROM `pcp_groups` WHERE `level` = '$level'") or die(mysql_error()); $r = mysql_fetch_array($q); $group = $r['name']; } else { $level = $this->chklvl("Users"); } } elseif (preg_match("/active/i", $v)) { eval("$" . $v . " = " . $this->escape_data($_POST[$v]) . ";"); if (!is_numeric($active)) { header("Location: index.php?p=error&h=" . $link . "&e=" . $link . "_9"); exit(); } elseif ($active == "") { $active = 2; } } else { eval("$" . $v . " = " . $this->escape_data($_POST[$v]) . ";"); if (preg_match("/_required/i", $v)) { if ("$" . $v . "" == "") { header("Location: index.php?p=error&h=" . $link . "&e=" . $link . "_10&field=" . $v . ""); exit(); } eval("$" . $v . " = " . str_replace("_required", "", "$" . $v . "") . ";"); } } } if (($username != "") || ($email != "")) { $q = mysql_query("SELECT * FROM `pcp_users` WHERE `username` = '$username' || `email` = '$email'"); $r = mysql_fetch_array($q); if (($r['username'] == $username_required)) { // If there is already a member in the db header("Location: index.php?p=users&s=add_user&e=6"); // Redirects to error "Sorry, that username/email is already in use, please use forget password to retrieve your account.". exit(); } elseif (($r['email'] == $email_required)) { // If there is already a member in the db header("Location: index.php?p=users&s=add_user&e=7"); // Redirects to error "Sorry, that username/email is already in use, please use forget password to retrieve your account.". } } $this->create_log("Added " . $log . ": \"" . $username . "\"", $user_name); $sql = "INSERT INTO `" . $this->table . "` ("; $count = count($array); $i = 0; while ($i < $count) { $sql .= $array[$i]; $i++; } $sql .= ") VALUES ("; $i = 0; while ($i < $count) { $sql .= "'$" . $array[$i] . "',"; $i++; } $sql = substr($sql, 0, -1); $sql .= ")"; mysql_query($sql) or die(mysql_error()); header("Location: index.php?p=success&h=users&e=" . md5("user_3") . "&user=" . $username . ""); exit(); } } But everytime I try an submit form data to it, i get the following errors: Parse error: syntax error, unexpected ';' in /home/purecp/public_html/class.php(149) : eval()'d code on line 1 Parse error: syntax error, unexpected ';' in /home/purecp/public_html/class.php(149) : eval()'d code on line 1 Parse error: syntax error, unexpected ';' in /home/purecp/public_html/class.php(149) : eval()'d code on line 1 Parse error: syntax error, unexpected T_STRING in /home/purecp/public_html/class.php(111) : eval()'d code on line 1 Warning: Cannot modify header information - headers already sent by (output started at /home/purecp/public_html/class.php(149) : eval()'d code:1) in /home/purecp/public_html/class.php on line 113 Line 149 is: eval("$" . $v . " = " . $this->escape_data($_POST[$v]) . ";"); Line 111 is: eval("$" . $v . " = " . md5($_POST[$v]) . ";"); Line 113 is: header("Location: index.php?p=error&h=" . $link . "&e=" . $link . "_4"); Whats wrong? Thanks Quote Link to comment Share on other sites More sharing options...
joquius Posted May 31, 2008 Share Posted May 31, 2008 Man unless you are actually referencing a string you need to escape the $ at the beginning of the eval. What this has to do with OOP is beyond me. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.