Parse error by declaring a var

[AzeS]

i tried to declare a var and it throw out following:

Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in D:\XAMPPmm\htdocs\***\USM\Help.php on line 17
 

  $msg = "Your Blocked for this service <?php echo $userRow['UzRI']; ?>, <br>why dont you check on your emails and see the reason why; for taking some further aktions and getting around, faced to this fact? <br>or maybe you contact us via email at: support@(NAME_).com for some help to get arround this problem.";

any suggestions ?

 

[Jacques1]

This doesn't make any sense. You cannot switch into PHP mode within a string, because a string isn't a script. It's a bunch of text. You can theoretically insert variables into strings, but then you'll quickly end up with cross-site scripting vulnerabilities (or in less technical terms: people will inject malicious JavaScript code into your page).

 

Use HTML-escaping and string concatenation:

<?php

function html_escape($raw_input, $encoding)
{
    return htmlspecialchars($raw_input, ENT_QUOTES | ENT_SUBSTITUTE, $encoding);
}



$name = 'Joe';
$msg = 'Hello '.html_escape($name, 'UTF-8').', welcome to my site.';

echo $msg;

[AzeS]

$msg = "Your Blocked for this service " . $userRow['UzRI'] . " <br>why dont you check on your emails and see the reason why; for taking some further aktions and getting around, faced to this fact? <br>or maybe you contact us via email at: support@(NAME_).com for some help to get arround this problem."; 

Like this ? or is this still vurn ?

[AzeS]

because if this is vurn i have a lot of work to do 

[Jacques1]

When you skip the HTML-escaping, then, yes, the code is vulnerable.

 

Never insert input directly into an executable context, be it an SQL query, an HTML document, a shell command or whatever.

[AzeS]