bobleny

[SOLVED] parse error, unexpected T_ENCAPSED_AND_WHITESPACE??????

I don't see anything wrong with it, but there is obviously an error.

The Error:
[code]Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in C:\Documents and Settings\All Users\Desktop\Keep\Data\Server\crow\index.php on line 67[/code]

Line 67:
[code]$query = "UPDATE `$_POST['table']` SET message = '".$_POST['text']."' WHERE `id` = '".$_POST['id']."'";[/code]

line 64 to line 72:
[code]mysql_connect($database_hostname,$database_username,$database_password) or die("Unable to Connect to the MYSQL Database!");
mysql_select_db("crow") or die("Unable to Select the Database!");

$query = "UPDATE `$_POST['table']` SET message = '".$_POST['text']."' WHERE `id` = '".$_POST['id']."'";
mysql_query($query);

mysql_close();

echo "<META HTTP-EQUIV='Refresh' CONTENT= '.1; URL=index.php'>";[/code]

And the whole document:
[code]<?php
session_start();
$database_hostname = "localhost";
$database_username = "root";
$database_password = "";

$_SESSION['logged'] = TRUE;

if (!isset($_GET['page']))
{
$_GET['page'] = "home";
$page = "home";
}
else
{
$page = $_GET['page'];
}

if ($page == "home")
{
$title = "Home - Welcome To Environmental Class!";
}
elseif ($page == "mad")
{
$title = "M.A.D. - Makeing A Diffrence";
}
elseif ($page == "edit_1")
{
$title = "Whatch Ya Editing?";
}
elseif ($page == "joke")
{
$title = "Jokes - HA, HA, I Laugh At You!";
}
elseif ($page == "ge")
{
$title = "Gory Glory Games Galore";
}
?>
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link href="css.css" rel="stylesheet" type="text/css" />
<title><?php echo $title; ?></title>
</head>
<body>
<div id="outer_shell">
<div id="inner_left_shell">
<div id="top_banner"></div>
<?php
if($page == "edit_1")
{ ?>
<form action="index.php?page=edit_2.php" method="post">
<textarea name="text" cols="55" rows="30" wrap="soft"><?php echo $_POST['text']; ?></textarea>
<input type="hidden" name="id" value="<?php echo $_POST['id']; ?>" />
<input type="hidden" name="table" value="<?php echo $_POST['home']; ?>" />
<br />
<input type="submit" value="Save & Update" />
</form>
<?php }
elseif ($page == "edit_2")
{
mysql_connect($database_hostname,$database_username,$database_password) or die("Unable to Connect to the MYSQL Database!");
mysql_select_db("crow") or die("Unable to Select the Database!");

$query = "UPDATE `$_POST['table']` SET message = '".$_POST['text']."' WHERE `id` = '".$_POST['id']."'";
mysql_query($query);

mysql_close();

echo "<META HTTP-EQUIV='Refresh' CONTENT= '.1; URL=index.php'>";
}
else
{
mysql_connect($database_hostname,$database_username,$database_password) or die("Unable to Connect to the MYSQL Database!");
mysql_select_db("crow") or die("Unable to Select the Database!");
$query = "SELECT * FROM ".$page." ORDER BY id ASC" or die("Unable to query!");
$result = mysql_query($query) or die("Error ". mysql_error(). " with query ". $query);
$num = mysql_numrows($result) or die("2");
mysql_close();

for ($i = "0"; $i < $num; $i++)
{
$text = mysql_result($result, $i, "text");
$id = mysql_result($result, $i, "id");
echo $text;
}
if ($_SESSION['logged'] == TRUE)
{
echo "<form action='index.php?page=edit_1' method='post'>\r\n";
echo "<input type='hidden' name='text' value='".$text."'>\r\n";
echo "<input type='hidden' name='id' value='".$id."'>\r\n";
echo "<input type='hidden' name='table' value='home'>\r\n";
echo "<input type='Submit' value='Edit Text'>\r\n";
echo "</form>\r\n";
}
}
?>
</div>
<div id="inner_right_shell">
<div id="second_links">Related Links</div>
</div>
</div>
</body>
</html>[/code]

I'm sure it's something stupid that I can't point out....

Thanks!

Try this as the query:
[code=php:0]$query = "UPDATE `{$_POST['table']}` SET message = '".$_POST['text']."' WHERE `id` = '".$_POST['id']."'";[/code]

Notice the curly braces around $_POST['table']

Also I suggest you validate and try to secure the user input too when using it in an SQL query. Never trust raw user input.

Thanks that worked...

[quote author=wildteen88 link=topic=109387.msg440789#msg440789 date=1159181796]Also I suggest you validate and try to secure the user input too when using it in an SQL query. Never trust raw user input.
[/quote]

I'm not too worried about it. I doubt it will break anything. Me and one other person are the only people who will use it, and he doesn't know anything about PHP, HTML, or MySQL....

Don't doubt it... assume that it will.

[quote author=fenway link=topic=109387.msg441285#msg441285 date=1159217330]
Don't doubt it... assume that it will.
[/quote]

lol, good point. Did you want to explain to me how to insert text into a query safely?

We're just being cautious... if you expect a string with some length, make sure it has some; same goes for a numerical field.

Well, no, I'm serious, could you explain? Now that you mention it, I'm working on a professional forum. I'm calling it "Easy Forums". The idea is to make an extremely easy, comprehensive forum, that anyone can use with ease! I'm also making it with pure CSS and XHTML. I'm working on it slowly doing other projects that will teach me stuff...

Anyways, the forum has to be hacker proof, or rather hacker resistant...

So, yeah, please do explain.

Thanks!

You're taking user input and just dumping it into a DB call... check the values explicitly... I'm not sure how else I can explain it.

[quote author=bobleny link=topic=109387.msg441277#msg441277 date=1159217065]
Thanks that worked...

[quote author=wildteen88 link=topic=109387.msg440789#msg440789 date=1159181796]Also I suggest you validate and try to secure the user input too when using it in an SQL query. Never trust raw user input.
[/quote]

I'm not too worried about it. I doubt it will break anything. Me and one other person are the only people who will use it, and he doesn't know anything about PHP, HTML, or MySQL....

[/quote]
You don't need to know any PHP, HTML or SQL. All it takes is for you to add a quote (') into the text field. When you go to submit the form, you'll probably get an error or your query will fail to work, as the quote is breaking the SQL query.

Look into the following functions:
mysql_real_escape_string - help prevent SQL Injection attacks.

Help to prevent XSS attacks:
htmlentities
htmlspecialchars

Other functions:
is_numeric - check that a variable is of a numeric value, use this when you ONLY want a numeric value
is_boolean - check that a variable is of a boolean value, use this when you ONLY want a boolean value (eg TRUE or FALSE, 1 or 0 etc).

Search the following terms:
SQL Injection
XSS

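The checks suggested in this thread, applied to the `edit_2` update, as an added example that is not part of any post. It assumes PDO with an in-memory SQLite database in place of the thread's `mysql_*` calls; the `EDITABLE_TABLES` allowlist and the `saveMessage` helper are hypothetical names introduced for illustration.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO + SQLite in memory,
// a hypothetical allowlist of editable tables, and the "message"/"id" columns
// used by the thread's UPDATE statement.
const EDITABLE_TABLES = ['home', 'mad', 'joke', 'ge'];

function saveMessage(PDO $db, array $post): bool
{
    // Identifiers cannot be bound as parameters, and string-escaping functions
    // do not protect a backtick-quoted name, so the table must be on the allowlist.
    $table = $post['table'] ?? '';
    if (!in_array($table, EDITABLE_TABLES, true)) {
        return false;
    }
    // The id must be a positive integer, which is stricter than "is numeric".
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return false;
    }
    // Values travel as bound parameters, so a quote in the text stays data.
    $stmt = $db->prepare("UPDATE `$table` SET message = :message WHERE id = :id");
    $stmt->execute([':message' => (string)($post['text'] ?? ''), ':id' => $id]);
    return $stmt->rowCount() === 1;
}

// Constructed sample data standing in for the "crow" database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE home (id INTEGER PRIMARY KEY, message TEXT)');
$db->exec("INSERT INTO home (id, message) VALUES (1, 'old'), (2, 'untouched')");

// Constructed requests: a normal edit containing a quote and markup, a table
// name that is not on the allowlist, and an id with a stray quote.
var_dump(saveMessage($db, ['table' => 'home', 'id' => '1', 'text' => "It's <b>new</b>"]));
var_dump(saveMessage($db, ['table' => 'users', 'id' => '1', 'text' => 'x']));
var_dump(saveMessage($db, ['table' => 'home', 'id' => "1'", 'text' => 'x']));

// Encode on output: the stored markup is displayed as text, not run as HTML.
$message = $db->query('SELECT message FROM home WHERE id = 1')->fetchColumn();
echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8'), "\n";
```

The same encoding step belongs wherever the original page echoes `$_POST['text']`, `$_POST['id']` or `$text` into a form field or the page body.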
