xisto Community
FirefoxRocks

Something Wrong With This Script? Unexpected T_STRING


Here is the code that I have:

<?php
$con = mysql_connect("localhost","user","password");
if (!$con)
  {
  die('<p>Could not connect: ' . mysql_error() . '</p>');
  }
mysql_select_db("database", $con);
$ip=$_SERVER['REMOTE_ADDR'];
echo "Adding MXP info...";
mysql_query (INSERT INTO mxp (date, user, victim, turns, side, gold, lost, killed, mxp, points_b, points_a, type, power, ip)
VALUES ('$_POST[date]','$_POST[user]','$_POST[victim]','$_POST[turns]','$_POST[side]','$_POST[gold]','$_POST[lost]','$_POST[killed]','$_POST[mxp]','$_POST[points_b]','$_POST[points_a]','$_POST[battle]','$_POST[power]','$ip');
echo "<h3>Your MXP information record has been added to the database.</h3>";
?>

Here is the error I am receiving:

Parse error: syntax error, unexpected T_STRING in /home/portal/public_html/xkingdom/post_mxp.php on line 13

Is there a semicolon I missed somewhere? What is wrong?


OK, well first, I'm not what you'd call any good at PHP and I don't know anything about MySQL... but... there aren't 13 lines of code, lol. But, just looking at it with the semicolons, do you need to put a semicolon after the bracket where it ends with "ip)"? Does a semicolon need to go there? Maybe, possibly, probably not? LOL. Just thought I'd say, although I can guarantee I'm wrong :blink:

<?php
$con = mysql_connect("localhost","user","password");
if (!$con)
{
  die('<p>Could not connect: ' . mysql_error() . '</p>');
}
mysql_select_db("database", $con);
$ip = $_SERVER['REMOTE_ADDR'];
echo "Adding MXP info...";
// The whole SQL statement is now a double-quoted PHP string, and the
// closing parenthesis of mysql_query() follows it. No trailing semicolon
// inside the string: mysql_query() takes a single statement without one.
mysql_query ("INSERT INTO mxp (date, user, victim, turns, side, gold, lost, killed, mxp, points_b, points_a, type, power, ip)
VALUES ('$_POST[date]','$_POST[user]','$_POST[victim]','$_POST[turns]','$_POST[side]','$_POST[gold]','$_POST[lost]','$_POST[killed]','$_POST[mxp]','$_POST[points_b]','$_POST[points_a]','$_POST[battle]','$_POST[power]','$ip')");
echo "<h3>Your MXP information record has been added to the database.</h3>";
?>


Try that. You'd forgotten to put quotation marks around the query, and had forgotten to end the parentheses (you only ended the VALUES set).

You forgot the quotation marks in your query, and I recommend casting your data to the correct type of your table columns.

Best regards,



Cast the data to the correct type of your table columns? What does that mean?


This means forcing a variable to be evaluated as a certain type. For example, if one of your table columns is an integer (tinyint, smallint, int, longint), you can force your submitted data to evaluate as an integer by casting it:

<?php
$integer_value = (int) $_POST["integer_value"];
?>
The casts allowed are:

(int), (integer) - cast to integer

(bool), (boolean) - cast to boolean

(float), (double), (real) - cast to float

(string) - cast to string

(array) - cast to array

(object) - cast to object

For string variables you can achieve the same behaviour simply by enclosing them in double quotes, and it is also recommended that you use mysql_real_escape_string() for security reasons.

For a complete explanation check the Type Casting and the mysql_real_escape_string() sections of the manual at the php website.


Best regards,


As I am not sure what will happen if you try to cast a non-numeric string into an integer (i.e. whether it will produce an error or return zero), I would advise you to use intval instead. It will always return an integer - number zero if the input is invalid ;)


Yeah, these are difficult query strings to get working. Any time your values are from an array (in this case, the $_POST superglobal) and you use a non-numeric key, you'll have trouble, since you'll have so many quotes that they'll be impossible to escape.

Here is how I usually get it to work:

mysql_query ("INSERT INTO mxp ("
		. "\n `date`,"
		. "\n `user`,"
		. "\n `victim`,"
		. "\n `turns`,"
		. "\n `side`,"
		. "\n `gold`,"
		. "\n `lost`,"
		. "\n `killed`,"
		. "\n `mxp`,"
		. "\n `points_b`,"
		. "\n `points_a`,"
		. "\n `type`,"
		. "\n `power`,"
		. "\n `ip`"
		. "\n ) VALUES ("
		. "\n '". $_POST['date'] . "',"
		. "\n '". $_POST['user'] . "',"
		. "\n '". $_POST['victim'] . "',"
		. "\n '". $_POST['turns'] . "',"
		. "\n '". $_POST['side'] . "',"
		. "\n '". $_POST['gold'] . "',"
		. "\n '". $_POST['lost'] . "',"
		. "\n '". $_POST['killed'] . "',"
		. "\n '". $_POST['mxp'] . "',"
		. "\n '". $_POST['points_b'] . "',"
		. "\n '". $_POST['points_a'] . "',"
		. "\n '". $_POST['battle'] . "',"
		. "\n '". $_POST['power'] . "',"
		. "\n '$ip'"
		. "\n  ) ");
That is how I usually write such queries but I guess you could do it linear like this:
mysql_query ("INSERT INTO mxp ( `date`, `user`, `victim`, `turns`, `side`, `gold`, `lost`, `killed`, `mxp`, `points_b`, `points_a`, `type`, `power`, `ip` ) VALUES ( '". $_POST['date'] . "', '". $_POST['user'] . "', '". $_POST['victim'] . "', '". $_POST['turns'] . "', '". $_POST['side'] . "', '". $_POST['gold'] . "', '". $_POST['lost'] . "', '". $_POST['killed'] . "', '". $_POST['mxp'] . "', '". $_POST['points_b'] . "', '". $_POST['points_a'] . "', '". $_POST['battle'] . "', '". $_POST['power'] . "', '$ip'  ) ");

I prefer the column form since it is easier to see everything at once.

Notice how I used the concatenation character "period" to put string and non-string values together. There is also a concatenation function in MySQL that you can use.

Remember, there are three quotes you can use in queries:
(`)(')(")
The slanted single quote is good inside of MySQL queries but doesn't affect PHP, so you could, I believe, also do it like this:
mysql_query (	"INSERT INTO mxp ("
		. "\n `date`,"
		. "\n `user`,"
		. "\n `victim`,"
		. "\n `turns`,"
		. "\n `side`,"
		. "\n `gold`,"
		. "\n `lost`,"
		. "\n `killed`,"
		. "\n `mxp`,"
		. "\n `points_b`,"
		. "\n `points_a`,"
		. "\n `type`,"
		. "\n `power`,"
		. "\n `ip`"
		. "\n ) VALUES ("
		. "\n `{$_POST['date']}`,"
		. "\n `{$_POST['user']}`,"
		. "\n `{$_POST['victim']}`,"
		. "\n `{$_POST['turns']}`,"
		. "\n `{$_POST['side']}`,"
		. "\n `{$_POST['gold']}`,"
		. "\n `{$_POST['lost']}`,"
		. "\n `{$_POST['killed']}`,"
		. "\n `{$_POST['mxp']}`,"
		. "\n `{$_POST['points_b']}`,"
		. "\n `{$_POST['points_a']}`,"
		. "\n `{$_POST['battle']}`,"
		. "\n `{$_POST['power']}`,"
		. "\n `$ip`"
	. "\n )");

Or in linear form:
mysql_query ( 	"INSERT INTO mxp ( `date`, `user`, `victim`, `turns`, `side`, `gold`, `lost`, `killed`, `mxp`, `points_b`, `points_a`, `type`, `power`, `ip` ) VALUES ( `{$_POST['date']}`, `{$_POST['user']}`, `{$_POST['victim']}`, `{$_POST['turns']}`, `{$_POST['side']}`, `{$_POST['gold']}`, `{$_POST['lost']}`, `{$_POST['killed']}`, `{$_POST['mxp']}`, `{$_POST['points_b']}`, `{$_POST['points_a']}`, `{$_POST['battle']}`, `{$_POST['power']}`, `$ip`)" );

Just remember, you should use the single quotes around your array key name if it isn't a numeric value. You can't escape the single quotes that you use for the array key either. You can, I suppose, escape the single quote used in the query, since PHP would as a result ignore it, but it would then be available for MySQL to see. Like so:
mysql_query ( 	"INSERT INTO mxp ( \'date\', \'user\', \'victim\', \'turns\', \'side\', \'gold\', \'lost\', \'killed\', \'mxp\', \'points_b\', \'points_a\', \'type\', \'power\', \'ip\' ) VALUES ( \'{$_POST['date']}\', \'{$_POST['user']}\', \'{$_POST['victim']}\', \'{$_POST['turns']}\', \'{$_POST['side']}\', \'{$_POST['gold']}\', \'{$_POST['lost']}\', \'{$_POST['killed']}\', \'{$_POST['mxp']}\', \'{$_POST['points_b']}\', \'{$_POST['points_a']}\', \'{$_POST['battle']}\', \'{$_POST['power']}\', \'$ip\')" );

The only method I am sure will work is the first one I showed you. You might give the others a try sometime. I don't feel like writing a whole script just to test each option.

However, I do have another concern with your script!
Your script is attempting to directly input any data from your form into your database. This is not a very good method. If the user has malicious intent, they could inject code into your database, creating a serious security risk to your website. Prior to insertion into the database, you really should screen the data.

For example, you could convert HTML Entities into something a little less problematic if it contains malicious code:
$date = htmlentities($_POST['date']);
$user = htmlentities($_POST['user']);
$victim = htmlentities($_POST['victim']);
$turns = htmlentities($_POST['turns']);
$side = htmlentities($_POST['side']);
$gold = htmlentities($_POST['gold']);
$lost = htmlentities($_POST['lost']);
$killed = htmlentities($_POST['killed']);
$mxp = htmlentities($_POST['mxp']);
$points_b = htmlentities($_POST['points_b']);
$points_a = htmlentities($_POST['points_a']);
$battle = htmlentities($_POST['battle']);
$power = htmlentities($_POST['power']);

In your case, this suggestion actually makes your query a lot easier to write.

Hope this helps,
vujsa
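Putting the two suggestions from this thread together (cast each value to its column's type, and keep form data out of the SQL text), here is the same insert written with a prepared statement. This is an added example, not code from the thread or from xisto; it assumes the mysqli extension is available and that the integer/string split listed per column matches the real mxp table.

```php
<?php
// Added example, not code from the thread: the same INSERT with the POST
// values cast per column type and bound through a prepared statement, so no
// value is ever spliced into the SQL text. Assumes the mysqli extension and
// that the integer/string split below matches the real mxp column types.

// Assumed column types; 'battle' from the form maps to the 'type' column.
$columns = [
    'date' => 'string', 'user' => 'string', 'victim' => 'string',
    'turns' => 'int', 'side' => 'string', 'gold' => 'int', 'lost' => 'int',
    'killed' => 'int', 'mxp' => 'int', 'points_b' => 'int', 'points_a' => 'int',
    'type' => 'string', 'power' => 'int', 'ip' => 'string',
];

// Coerce one submitted value to its column type. intval() yields 0 for
// non-numeric input rather than an error; strings are trimmed and capped.
function mxp_coerce($raw, $type)
{
    return $type === 'int' ? intval($raw) : substr(trim((string) $raw), 0, 64);
}

$con = mysqli_connect('localhost', 'user', 'password', 'database');
if (!$con) {
    die('<p>Could not connect: ' . mysqli_connect_error() . '</p>');
}

$input = $_POST;
$input['type'] = isset($_POST['battle']) ? $_POST['battle'] : '';
$input['ip'] = $_SERVER['REMOTE_ADDR'];   // taken from the server, not the form

$params = [];
$types = '';   // one letter per placeholder: i = integer, s = string
foreach ($columns as $name => $type) {
    $params[] = mxp_coerce(isset($input[$name]) ? $input[$name] : '', $type);
    $types .= ($type === 'int') ? 'i' : 's';
}

// Column names come from the fixed $columns list above, never from the request;
// the values travel as bound parameters, so quoting is no longer the script's job.
$sql = 'INSERT INTO mxp (`' . implode('`, `', array_keys($columns)) . '`)'
     . ' VALUES (' . implode(', ', array_fill(0, count($params), '?')) . ')';
$stmt = mysqli_prepare($con, $sql);
mysqli_stmt_bind_param($stmt, $types, ...$params);
mysqli_stmt_execute($stmt);
echo '<h3>Your MXP information record has been added to the database.</h3>';
?>
```

Because the values are bound rather than concatenated, a quote character in a form field is stored as data, and a non-numeric string in an integer field becomes 0 instead of breaking the statement.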


So if I use the variables in the script immediately above, what will happen to the HTML entities when they are inserted into the MySQL database?

Basically, < and > become &lt; and &gt;
You can use html_entity_decode() to revert back to actual HTML tags. It is something to consider doing, I think.
But, if you are expecting HTML in one of the input fields, then you could skip the htmlentities() function and just insert the data. But you should investigate some security protocols for this as well. What hackers tend to do is use the eval() function along with a long string which is actually an include(), require, or file_get_contents() command to load a script from their server to manipulate your database or file system.
This usually results in an upload to your website where they can show their hacker friends what they did, but they could also run a database query to add an Admin account for their username, or add a file system program to your system which allows them to browse and manipulate your files, which could result in total deletion or replacement.

They usually look something like this:
eval(char(118)char(117)char(106)char(115)char(97))
In this case, it just says vujsa but it could have been malicious.

vujsa
