PHP Error

[hismajesty]

A friend and I are in the process of extending the features of a clan manegement system we're developing, while adding a feature to allow members to request to be allowed to go inactive I've run into a problem.

Here is the outputed error:

Parse error: parse error, expecting `','' or `';'' in /home/digitald/public_html/e1/members/requestia.php on line 36

Here is the code, and I don't beleive a ; is needed online 36 or anywhere near it, since all that does is end the echo statement.

Code Select Expand

<link rel="stylesheet" href="index.css">
<?php
   @include_once("functions.php");

   SQLConnect();

   if(USERNAME == "") {
      echo "You must be logged in to access this area.";
   } else {
      echo "
      <form action=\"\" method=post>
      <table width=75% align=center>
   <input type=hidden name=username value=\" . USERNAME . \">
   <tr>
      <td id=header-footer colspan=2> Inactive Request </td>
   </tr>
   <tr>
      <td> Username </td>
      <td width=70%>" . USERNAME . "</td>
   </tr>
   <tr>
      <td> Time Needed Off </td>
      <td> <input type=text name=time value="" id=def_input> </td>
   </tr>
   <tr>
      <td> Describe Your Reason </td>
      <td> <textarea name=reason id=def_inputw rows=15></textarea> </td>
   </tr>
   <tr>
      <center>
         <td> <input type=submit name=submit value\"Submit\" /> </td>
         <td> <input type=reset> </td>
      </center>   
   </tr>
</table>
</form>";
   }

   $submit = $HTTP_POST_VARS[submit];
   $username = $HTTP_POST_VARS[username];
   $time = $HTTP_POST_VARS[time];
   $reason = $HTTP_POST_VARS[reason];
   $date2 = date("K j, Y");
   $time2 = date("h:i:s T")
      
   if($submit != "" && (USERNAME != "")) {
      if($time != "" && $reason != "") {
         $query = "" . 
         "INSERT INTO iareq VALUES (
         '0',
         '$username',
         '$time',
         '$reason',
         '$date2',
         '$time2',
         );";
      mysql_query($query) or die("Could not submit IA request - " . mysql_error());
      echo "Your request of inactivity has been submitted.";
      }
   }

?>

Thanks

[Akamas]

if($submit != "" && (USERNAME != "")) {

Should be $username, remember variables are case-sencitive $uSerName is not $username.

$submit = $HTTP_POST_VARS[submit];
$username = $HTTP_POST_VARS[username];
$time = $HTTP_POST_VARS[time];
$reason = $HTTP_POST_VARS[reason];

You have to put ['submit'], ['username'] etc.

I could screw up your table because you are not verifying the content of the post vars for example for username I could put '; DELETE FROM iareq; and your sql query would turn into

Code Select Expand


INSERT INTO iareq VALUES (
        '0',
        ''; DELETE FROM iaereq;',
        '$time',
        '$reason',
        '$date2',
        '$time2',
        );


You gotta make sure they dont put ' to mess your query up. Just...

Code Select Expand


$username = addslashes($HTTP_POST...


it turns ' into \'



There is WAY too many errors and bugs in your script. you have a SQL injection bug in your script... the list goes on.

[hismajesty]

I use 'USERNAME' throughout my entire project, I'm not going to change it now. And with the stuff you listed, nothing is even remotely close to the error given. Thanks though, I'll look into some of that stuff.

[Akamas]

Yah, well it might not be close to the error. But like I said in the channel people can TOTALLY kill your mysql, and I explained it in the channel. No offense but that's actually the worst I've seen a PHP script, biggest mess. Your error is just the beginning of your prolbems.

[hismajesty]

hmm ok, I'll just rewrite it then.

[hismajesty]

For reference:

I fixed the errors

Code Select Expand

<td> <input type=text name=time value="" id=def_input> </td>
should have had value=\"\"

and $time2 = date("h:i:s T") was missing a semi-colon