AzeS Posted August 5, 2016

I tried to declare a var and it threw out the following:

Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in D:\XAMPPmm\htdocs\***\USM\Help.php on line 17

$msg = "Your Blocked for this service <?php echo $userRow['UzRI']; ?>, <br>why dont you check on your emails and see the reason why; for taking some further aktions and getting around, faced to this fact? <br>or maybe you contact us via email at: support@(NAME_).com for some help to get arround this problem.";

Any suggestions?
Jacques1 Posted August 5, 2016

This doesn't make any sense. You cannot switch into PHP mode within a string, because a string isn't a script. It's a bunch of text. You can theoretically insert variables into strings, but then you'll quickly end up with cross-site scripting vulnerabilities (or in less technical terms: people will inject malicious JavaScript code into your page). Use HTML-escaping and string concatenation:

<?php

// Escape a value for insertion into HTML. ENT_QUOTES covers both quote
// styles (so the value is safe inside attributes too); ENT_SUBSTITUTE
// replaces invalid byte sequences instead of returning an empty string.
function html_escape($raw_input, $encoding)
{
    return htmlspecialchars($raw_input, ENT_QUOTES | ENT_SUBSTITUTE, $encoding);
}

$name = 'Joe';

// Escape at the point where the value enters the HTML document.
$msg = 'Hello ' . html_escape($name, 'UTF-8') . ', welcome to my site.';

echo $msg;
AzeS Posted August 5, 2016 (Author)

$msg = "Your Blocked for this service " . $userRow['UzRI'] . " <br>why dont you check on your emails and see the reason why; for taking some further aktions and getting around, faced to this fact? <br>or maybe you contact us via email at: support@(NAME_).com for some help to get arround this problem.";

Like this? Or is this still vulnerable?
AzeS Posted August 5, 2016 (Author)

Because if this is vulnerable, I have a lot of work to do.
Jacques1 Posted August 5, 2016 (marked as Solution)

When you skip the HTML-escaping, then, yes, the code is vulnerable. Never insert input directly into an executable context, be it an SQL query, an HTML document, a shell command or whatever.
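The following is an added example, not code posted in this thread. It puts the concatenated `$msg` from the question beside the escaped form Jacques1 recommends, using a constructed hostile `UzRI` value so the difference is visible, and then extends the same point to the other two contexts named in the answer above: an SQL query (bound parameter through PDO, here against an in-memory SQLite database, which assumes the pdo_sqlite extension is installed) and a shell command (`escapeshellarg`). The `html_escape` and `blocked_message` helper names and the sample data are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Escape for an HTML text or attribute context: both quote styles are
// encoded and invalid UTF-8 is replaced rather than truncating the output.
function html_escape(string $raw, string $encoding = 'UTF-8'): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, $encoding);
}

// The notice from the question, with the user value escaped exactly where
// it enters the HTML. Hypothetical helper for this example.
function blocked_message(string $userId): string
{
    return 'You are blocked for this service ' . html_escape($userId)
        . ', <br>check your e-mail for the reason.';
}

// Constructed sample row: a user ID an attacker stored to smuggle script into the page.
$userRow = ['UzRI' => '"><script>alert(document.cookie)</script>'];

// Vulnerable: the stored value becomes markup in the response.
echo 'HTML (vulnerable): You are blocked for this service ' . $userRow['UzRI'] . "\n";
// Hardened: the same value is rendered as literal text.
echo 'HTML (escaped):    ' . blocked_message($userRow['UzRI']) . "\n";

// SQL: same principle, different mechanism. The value is sent as a bound
// parameter and never becomes part of the query text. In-memory SQLite so
// the example runs offline (assumes the pdo_sqlite extension is available).
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (UzRI TEXT, blocked INTEGER)');
$pdo->exec("INSERT INTO users VALUES ('Joe', 1), ('Anna', 0)");

$hostileId = "Joe' OR '1'='1";   // would match every row if concatenated into the query
$stmt = $pdo->prepare('SELECT COUNT(*) FROM users WHERE UzRI = :id');
$stmt->execute([':id' => $hostileId]);
echo 'SQL rows matched with a bound parameter: ' . $stmt->fetchColumn() . "\n";

// Shell: quote the whole argument so metacharacters in it stay literal.
$hostileFile = 'report.txt; rm -rf /';
echo 'Shell: ls -l ' . escapeshellarg($hostileFile) . "\n";
```

The common thread in all three cases is that escaping or parameterisation happens at the boundary into the specific interpreter (HTML parser, SQL engine, shell), not once at input time, because each context has its own syntax and a value that is harmless in one can be executable in another.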