[SOLVED] parse error, unexpected T_ENCAPSED_AND_WHITESPACE??????


bobleny

I don't see anything wrong with it, but there is obviously an error.

The Error:
[code]Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in C:\Documents and Settings\All Users\Desktop\Keep\Data\Server\crow\index.php on line 67[/code]

Line 67:
[code]$query = "UPDATE `$_POST['table']` SET message = '".$_POST['text']."' WHERE `id` = '".$_POST['id']."'";[/code]

line 64 to line 72:
[code]mysql_connect($database_hostname,$database_username,$database_password) or die("Unable to Connect to the MYSQL Database!");
mysql_select_db("crow") or die("Unable to Select the Database!");

$query = "UPDATE `$_POST['table']` SET message = '".$_POST['text']."' WHERE `id` = '".$_POST['id']."'";
mysql_query($query);

mysql_close();

echo "<META HTTP-EQUIV='Refresh' CONTENT= '.1; URL=index.php'>";[/code]

And the whole document:
[code]<?php
session_start();
$database_hostname = "localhost";
$database_username = "root";
$database_password = "";

$_SESSION['logged'] = TRUE;

if (!isset($_GET['page']))
{
$_GET['page'] = "home";
$page = "home";
}
else
{
$page = $_GET['page'];
}

if ($page == "home")
{
$title = "Home - Welcome To Environmental Class!";
}
elseif ($page == "mad")
{
$title = "M.A.D. - Makeing A Diffrence";
}
elseif ($page == "edit_1")
{
$title = "Whatch Ya Editing?";
}
elseif ($page == "joke")
{
$title = "Jokes - HA, HA, I Laugh At You!";
}
elseif ($page == "ge")
{
$title = "Gory Glory Games Galore";
}
?>
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link href="css.css" rel="stylesheet" type="text/css" />
<title><?php echo $title; ?></title>
</head>
<body>
<div id="outer_shell">
<div id="inner_left_shell">
<div id="top_banner"></div>
<?php
if($page == "edit_1")
{ ?>
<form action="index.php?page=edit_2.php" method="post">
<textarea name="text" cols="55" rows="30" wrap="soft"><?php echo $_POST['text']; ?></textarea>
<input type="hidden" name="id" value="<?php echo $_POST['id']; ?>" />
<input type="hidden" name="table" value="<?php echo $_POST['home']; ?>" />
<br />
<input type="submit" value="Save & Update" />
</form>
<?php }
elseif ($page == "edit_2")
{
mysql_connect($database_hostname,$database_username,$database_password) or die("Unable to Connect to the MYSQL Database!");
mysql_select_db("crow") or die("Unable to Select the Database!");

$query = "UPDATE `$_POST['table']` SET message = '".$_POST['text']."' WHERE `id` = '".$_POST['id']."'";
mysql_query($query);

mysql_close();

echo "<META HTTP-EQUIV='Refresh' CONTENT= '.1; URL=index.php'>";
}
else
{
mysql_connect($database_hostname,$database_username,$database_password) or die("Unable to Connect to the MYSQL Database!");
mysql_select_db("crow") or die("Unable to Select the Database!");
$query = "SELECT * FROM ".$page." ORDER BY id ASC" or die("Unable to query!");
$result = mysql_query($query) or die("Error ". mysql_error(). " with query ". $query);
$num = mysql_numrows($result) or die("2");
mysql_close();

for ($i = "0"; $i < $num; $i++)
{
$text = mysql_result($result, $i, "text");
$id = mysql_result($result, $i, "id");
echo $text;
}
if ($_SESSION['logged'] == TRUE)
{
echo "<form action='index.php?page=edit_1' method='post'>\r\n";
echo "<input type='hidden' name='text' value='".$text."'>\r\n";
echo "<input type='hidden' name='id' value='".$id."'>\r\n";
echo "<input type='hidden' name='table' value='home'>\r\n";
echo "<input type='Submit' value='Edit Text'>\r\n";
echo "</form>\r\n";
}
}
?>
</div>
<div id="inner_right_shell">
<div id="second_links">Related Links</div>
</div>
</div>
</body>
</html>[/code]

I'm sure it's something stupid that I can't point out....

Thanks!

Try this as the query:
[code=php:0]$query = "UPDATE `{$_POST['table']}` SET message = '".$_POST['text']."' WHERE `id` = '".$_POST['id']."'";[/code]

Notice the curly braces around $_POST['table'].

Also I suggest you validate and try to secure the user input too when using it in an SQL query. Never trust raw user input.

Thanks that worked...

[quote author=wildteen88 link=topic=109387.msg440789#msg440789 date=1159181796]Also I suggest you validate and try to secure the user input too when using it in an SQL query. Never trust raw user input.
[/quote]

I'm not too worried about it. I doubt it will break anything. Me and one other person are the only people who will use it, and he doesn't know anything about PHP, HTML, or MySQL....

Well, no, I'm serious, could you explain? Now that you mention it, I'm working on a professional forum. I'm calling it "Easy Forums". The idea is to make an extremely easy, comprehensive forum, that anyone can use with ease! I'm also making it with pure CSS and XHTML. I'm working on it slowly, doing other projects that will teach me stuff...

Anyways, the forum has to be hacker proof, or rather hacker resistant...

So, yeah, please do explain.

Thanks!

[quote author=bobleny link=topic=109387.msg441277#msg441277 date=1159217065]
Thanks that worked...

[quote author=wildteen88 link=topic=109387.msg440789#msg440789 date=1159181796]Also I suggest you validate and try to secure the user input too when using it in an SQL query. Never trust raw user input.
[/quote]

I'm not too worried about it. I doubt it will break anything. Me and one other person are the only people who will use it, and he doesn't know anything about PHP, HTML, or MySQL....

[/quote]
You don't need to know any PHP, HTML or SQL. All it takes is for you to add a quote (') into the text field. When you go to submit the form, you'll probably get an error or your query will fail to work, as the quote is breaking the SQL query.

Look into the following functions:
mysql_real_escape_string - help prevent SQL Injection attacks.

Help to prevent XSS attacks:
htmlentities
htmlspecialchars

Other functions:
is_numeric - check that a variable is of a numeric value, use this when you ONLY want a numeric value
is_boolean - check that a variable is of a boolean value, use this when you ONLY want a boolean value (eg TRUE or FALSE, 1 or 0 etc).

Search the following terms:
SQL Injection
XSS
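The advice in the last reply, applied to the thread's UPDATE query, as an added example that is not part of the original posts: the table name is checked against an allowlist, the values are bound as parameters instead of being concatenated, and the stored text is encoded on output. Assumptions: PDO with an in-memory SQLite database stands in for the thread's MySQL database so the script runs offline, the table list is taken from the page names in the posted script, and the function names are hypothetical.

```php
<?php
// Added example, not code from the thread. The table list is an assumption
// based on the page names in the posted index.php.
const EDITABLE_TABLES = ['home', 'mad', 'joke', 'ge'];

function save_message(PDO $db, array $post): int
{
    // Identifiers cannot be bound as parameters, so the table name is
    // accepted only if it matches the fixed allowlist exactly.
    $table = $post['table'] ?? '';
    if (!in_array($table, EDITABLE_TABLES, true)) {
        throw new InvalidArgumentException('unknown table');
    }
    // id must consist of digits only; anything else is rejected.
    $id = $post['id'] ?? '';
    if (!is_string($id) || !ctype_digit($id)) {
        throw new InvalidArgumentException('invalid id');
    }
    // Values travel as bound parameters, so a quote in the text stays data.
    $stmt = $db->prepare("UPDATE `$table` SET message = :text WHERE id = :id");
    $stmt->execute([':text' => (string)($post['text'] ?? ''), ':id' => (int)$id]);
    return $stmt->rowCount();
}

function render_textarea(string $message): string
{
    // Encode on output so stored markup is displayed, not interpreted.
    return '<textarea name="text">'
        . htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . '</textarea>';
}

// Constructed demo database (SQLite in memory, standing in for MySQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE home (id INTEGER PRIMARY KEY, message TEXT)');
$db->exec("INSERT INTO home (id, message) VALUES (1, 'old')");

// Constructed input: a single quote and markup in the text field.
$rows = save_message($db, ['table' => 'home', 'id' => '1',
    'text' => "It's <b>done</b>"]);
$stored = $db->query('SELECT message FROM home WHERE id = 1')->fetchColumn();
echo "rows updated: $rows\n", render_textarea($stored), "\n";

// Constructed input: a table name that is not on the allowlist.
try {
    save_message($db, ['table' => 'users', 'id' => '1', 'text' => 'x']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The same `prepare`/`execute` calls work against MySQL by changing only the PDO connection string; the `mysql_*` functions used in the thread were removed in PHP 7.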