[SOLVED] parse error, unexpected T_ENCAPSED_AND_WHITESPACE??????


10 replies to this topic

#1 bobleny


Posted 25 September 2006 - 10:51 AM

I don't see anything wrong with it, but there is obviously an error.

The Error:
Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in C:\Documents and Settings\All Users\Desktop\Keep\Data\Server\crow\index.php on line 67

Line 67:
$query = "UPDATE `$_POST['table']` SET message = '".$_POST['text']."' WHERE `id` = '".$_POST['id']."'";

line 64 to line 72:
mysql_connect($database_hostname,$database_username,$database_password) or die("Unable to Connect to the MYSQL Database!");
mysql_select_db("crow") or die("Unable to Select the Database!");

$query = "UPDATE `$_POST['table']` SET message = '".$_POST['text']."' WHERE `id` = '".$_POST['id']."'";
mysql_query($query);

mysql_close();

echo "<META HTTP-EQUIV='Refresh' CONTENT= '.1; URL=index.php'>";

And the whole document:
<?php
session_start();
$database_hostname = "localhost";
$database_username = "root";
$database_password = "";

$_SESSION['logged'] = TRUE;

if (!isset($_GET['page']))
{
	$_GET['page'] = "home";
	$page = "home";
}
else
{
	$page = $_GET['page'];
}

if ($page == "home")
{
	$title = "Home - Welcome To Environmental Class!";
}
elseif ($page == "mad")
{
	$title = "M.A.D. - Makeing A Diffrence";
}
elseif ($page == "edit_1")
{
	$title = "Whatch Ya Editing?";
}
elseif ($page == "joke")
{
	$title = "Jokes - HA, HA, I Laugh At You!";
}
elseif ($page == "ge")
{
	$title = "Gory Glory Games Galore";
}
?>
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'>
<html xmlns="http://www.w3.org/1999/xhtml">
	<head>
		<link href="css.css" rel="stylesheet" type="text/css" />
		<title><?php echo $title; ?></title>
	</head>
	<body>
		<div id="outer_shell">
			<div id="inner_left_shell">
				<div id="top_banner"></div>
				<?php
				if($page == "edit_1")
				{ ?>
					<form action="index.php?page=edit_2.php" method="post">
					<textarea name="text" cols="55" rows="30" wrap="soft"><?php echo $_POST['text']; ?></textarea>
					<input type="hidden" name="id" value="<?php echo $_POST['id']; ?>" />
					<input type="hidden" name="table" value="<?php echo $_POST['home']; ?>" />
					<br />
					<input type="submit" value="Save & Update" />
					</form>
				<?php }
				elseif ($page == "edit_2")
				{
					mysql_connect($database_hostname,$database_username,$database_password) or die("Unable to Connect to the MYSQL Database!");
					mysql_select_db("crow") or die("Unable to Select the Database!");
					
					$query = "UPDATE `$_POST['table']` SET message = '".$_POST['text']."' WHERE `id` = '".$_POST['id']."'";
					mysql_query($query);
					
					mysql_close();

					echo "<META HTTP-EQUIV='Refresh' CONTENT= '.1; URL=index.php'>";
				}
				else
				{
					mysql_connect($database_hostname,$database_username,$database_password) or die("Unable to Connect to the MYSQL Database!");
					mysql_select_db("crow") or die("Unable to Select the Database!");
					$query = "SELECT * FROM ".$page." ORDER BY id ASC" or die("Unable to query!");
					$result = mysql_query($query) or die("Error ". mysql_error(). " with query ". $query);
					$num = mysql_numrows($result) or die("2");
					mysql_close();
					
					for ($i = "0"; $i < $num; $i++)
					{
						$text = mysql_result($result, $i, "text");
						$id = mysql_result($result, $i, "id");
						echo $text;
					}
					if ($_SESSION['logged'] == TRUE)
					{
						echo "<form action='index.php?page=edit_1' method='post'>\r\n";
						echo "<input type='hidden' name='text' value='".$text."'>\r\n";
						echo "<input type='hidden' name='id' value='".$id."'>\r\n";
						echo "<input type='hidden' name='table' value='home'>\r\n";
						echo "<input type='Submit' value='Edit Text'>\r\n";
						echo "</form>\r\n";
					}
				}
				?>
			</div>
			<div id="inner_right_shell">
			<div id="second_links">Related Links</div>
			</div>
		</div>
	</body>
</html>

I'm sure it's something stupid that I can't point out....

Thanks!
-- www.firemelt.net --
First do me a favor and read this: JavaScript is NOT Java - Then read this: www.php.net - When you're done with that, read this Topic
After that, floor's open. I and anyone else will be MORE than happy to answer YOUR query! [Topic Solved]
Cheer up, the worst has yet to come...

#2 wildteen88


Posted 25 September 2006 - 10:56 AM

Try this as the query:
$query = "UPDATE `{$_POST['table']}` SET message = '".$_POST['text']."' WHERE `id` = '".$_POST['id']."'";

Notice the curly braces around $_POST['table']

Also I suggest you validate and try to secure the user input too when using it in an SQL query. Never trust raw user input.

#3 bobleny


Posted 25 September 2006 - 08:44 PM

Thanks that worked...

Also I suggest you validate and try to secure the user input too when using it in an SQL query. Never trust raw user input.


I'm not too worried about it. I doubt it will break anything. Me and one other person are the only people who will use it, and he doesn't know anything about PHP, HTML, or MySQL....


#4 fenway


Posted 25 September 2006 - 08:48 PM

Don't doubt it... assume that it will.
Seriously... if people don't start reading this before posting, I'm going to consider not answering at all.

#5 bobleny


Posted 25 September 2006 - 09:05 PM

Don't doubt it... assume that it will.


lol, good point. Did you want to explain to me how to insert text into a query safely?

#6 fenway


Posted 25 September 2006 - 09:39 PM

We're just being cautious... if you expect a string with some length, make sure it has some; same goes for a numerical field.

#7 bobleny


Posted 26 September 2006 - 12:50 AM

Well, no, I'm serious, could you explain? Now that you mention it, I'm working on a professional forum. I'm calling it "Easy Forums". The idea is to make an extremely easy, comprehensive forum, that anyone can use with ease! I'm also making it with pure CSS and XHTML. I'm working on it slowly doing other projects that will teach me stuff...

Anyways, the forum has to be hacker proof, or rather hacker resistant...

So, yeah, please do explain.

Thanks!

#8 fenway


Posted 26 September 2006 - 02:22 AM

You're taking user input and just dumping it into a DB call... check the values explicitly... I'm not sure how else I can explain it.

#9 bobleny


Posted 26 September 2006 - 03:06 AM

Well, how do I check the values?

#10 wildteen88


Posted 26 September 2006 - 09:49 AM

Thanks that worked...

Also I suggest you validate and try to secure the user input too when using it in an SQL query. Never trust raw user input.


I'm not too worried about it. I doubt it will break anything. Me and one other person are the only people who will use it, and he doesn't know anything about PHP, HTML, or MySQL....

You don't need to know any PHP, HTML or SQL. All it takes is for you to add a quote (') into the text field. When you go to submit the form, you'll probably get an error or your query will fail to work, as the quote is breaking the SQL query.

Look into the following functions:
mysql_real_escape_string - help prevent SQL Injection attacks.

Help to prevent XSS attacks:
htmlentities
htmlspecialchars

Other functions
is_numeric - check that a variable is of a numeric value, use this when you ONLY want a numeric value
is_boolean - check that a variable is of a boolean value, use this when you ONLY want a boolean value (eg TRUE or FALSE, 1 or 0 etc).

Search the following terms:
SQL Injection
XSS
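
Added example, not part of wildteen88's post or of bobleny's code: one way to write the thread's UPDATE so that a quote in the submitted text cannot change the statement. It assumes PHP 7+ with PDO, uses an in-memory SQLite database in place of the thread's MySQL one so it runs offline, and `update_message()`, `EDITABLE_TABLES` and the sample rows are hypothetical names and constructed data.

```php
<?php
// Added example, not code from the thread. Constructed sample data; SQLite
// in-memory (pdo_sqlite) stands in for MySQL so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE home (id INTEGER PRIMARY KEY, message TEXT)");
$db->exec("INSERT INTO home (id, message) VALUES (1, 'Welcome')");

// Identifiers cannot be bound as parameters, so the table name is matched
// against a fixed allow-list (assumed: one table per page name).
const EDITABLE_TABLES = ['home', 'mad', 'joke', 'ge'];

function update_message(PDO $db, array $post): bool
{
    $table = $post['table'] ?? null;
    $id    = $post['id'] ?? null;
    $text  = $post['text'] ?? null;

    if (!is_string($table) || !in_array($table, EDITABLE_TABLES, true)) {
        return false;                      // unknown table
    }
    if (!is_string($id) || !ctype_digit($id)) {
        return false;                      // id must be digits only
    }
    if (!is_string($text) || $text === '' || strlen($text) > 65535) {
        return false;                      // expect a non-empty, bounded string
    }
    // Values travel as bound parameters, never as part of the SQL text.
    $stmt = $db->prepare("UPDATE `$table` SET message = :text WHERE id = :id");
    $stmt->bindValue(':text', $text, PDO::PARAM_STR);
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    return $stmt->execute();
}

// Constructed requests: a message containing a quote, then two rejected ones.
$withQuote = "It's <b>live</b>";
var_dump(update_message($db, ['table' => 'home', 'id' => '1', 'text' => $withQuote]));
var_dump(update_message($db, ['table' => 'users', 'id' => '1', 'text' => 'x']));
var_dump(update_message($db, ['table' => 'home', 'id' => "1'", 'text' => 'x']));

// The quote is stored as data; encode it when echoing into HTML, as in the
// thread's textarea and hidden inputs.
$stored = $db->query("SELECT message FROM home WHERE id = 1")->fetchColumn();
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```

With a MySQL DSN the same function works unchanged. `mysql_real_escape_string` protects only values placed inside quotes, so the table name still needs the allow-list.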

#11 bobleny


Posted 26 September 2006 - 11:00 AM

OOO, more helping by wildteen88! I will do that.

Thanks!



