PHP Error

Started by hismajesty, April 13, 2004, 05:04 PM


hismajesty

A friend and I are in the process of extending the features of a clan management system we're developing. While adding a feature to allow members to request to be allowed to go inactive, I've run into a problem.

Here is the outputted error:
Quote
Parse error: parse error, expecting `','' or `';'' in /home/digitald/public_html/e1/members/requestia.php on line 36

Here is the code, and I don't believe a ; is needed on line 36 or anywhere near it, since all that does is end the echo statement.

<link rel="stylesheet" href="index.css">
<?php
   @include_once("functions.php");
   SQLConnect();
   if(USERNAME == "") {
      echo "You must be logged in to access this area.";
   } else {
      echo "
      <form action=\"\" method=post>
      <table width=75% align=center>
   <input type=hidden name=username value=\" . USERNAME . \">
   <tr>
      <td id=header-footer colspan=2> Inactive Request </td>
   </tr>
   <tr>
      <td> Username </td>
      <td width=70%>" . USERNAME . "</td>
   </tr>
   <tr>
      <td> Time Needed Off </td>
      <td> <input type=text name=time value="" id=def_input> </td>
   </tr>
   <tr>
      <td> Describe Your Reason </td>
      <td> <textarea name=reason id=def_inputw rows=15></textarea> </td>
   </tr>
   <tr>
      <center>
         <td> <input type=submit name=submit value\"Submit\" /> </td>
         <td> <input type=reset> </td>
      </center>
      </tr></table></form>";
   }
   $submit = $HTTP_POST_VARS[submit];
   $username = $HTTP_POST_VARS[username];
   $time = $HTTP_POST_VARS[time];
   $reason = $HTTP_POST_VARS[reason];
   $date2 = date("K j, Y");
   $time2 = date("h:i:s T")

   if($submit != "" && (USERNAME != "")) {
      if($time != "" && $reason != "") {
         $query = "" .
         "INSERT INTO iareq VALUES (
         '0',
         '$username',
         '$time',
         '$reason',
         '$date2',
         '$time2',
         );";
      mysql_query($query) or die("Could not submit IA request - " . mysql_error());
      echo "Your request of inactivity has been submitted.";
      }
   }
?>


Thanks

Akamas

#1
Quote
if($submit != "" && (USERNAME != "")) {

Should be $username; remember, variables are case-sensitive: $uSerName is not $username.

Quote
$submit = $HTTP_POST_VARS[submit];
$username = $HTTP_POST_VARS[username];
$time = $HTTP_POST_VARS[time];
$reason = $HTTP_POST_VARS[reason];

You have to put ['submit'], ['username'], etc.

I could screw up your table because you are not verifying the content of the post vars. For example, for username I could put '; DELETE FROM iareq; and your SQL query would turn into


INSERT INTO iareq VALUES (
        '0',
        ''; DELETE FROM iareq;',
        '$time',
        '$reason',
        '$date2',
        '$time2',
        );


You gotta make sure they don't put ' to mess your query up. Just...


$username = addslashes($HTTP_POST...


It turns ' into \'



There are WAY too many errors and bugs in your script. You have a SQL injection bug in your script... the list goes on.
Quote from: Arta[vL] on August 14, 2006, 04:57 PM
Well, I want some too. Greedy Yoni should stop hogging it.
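
Added example, not part of the original posts: the same insert written with bound parameters instead of string concatenation, so a quote in the form input cannot change the query. It assumes PHP 7+ with PDO; the in-memory SQLite database stands in for the poster's MySQL one, and the column names and the submit_ia_request() helper are hypothetical, since the thread only shows a six-value INSERT into iareq.

```php
<?php
// Added example (not the poster's code). Column names are assumed.
$db = new PDO('sqlite::memory:');   // stand-in for the MySQL database
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE iareq (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT NOT NULL, time_off TEXT NOT NULL, reason TEXT NOT NULL,
    req_date TEXT NOT NULL, req_time TEXT NOT NULL
)');

// Validate and store one inactivity request; returns the new row id.
// $username is passed in by the caller from the logged-in session,
// not read from a hidden form field the client can edit.
function submit_ia_request(PDO $db, string $username, array $post): int
{
    $time   = trim((string)($post['time'] ?? ''));
    $reason = trim((string)($post['reason'] ?? ''));
    if ($username === '' || $time === '' || $reason === '') {
        throw new InvalidArgumentException('username, time and reason are required');
    }
    if (strlen($time) > 64 || strlen($reason) > 2000) {
        throw new InvalidArgumentException('field too long');
    }
    // Placeholders keep the values out of the SQL text: a quote in the
    // input is stored as data and cannot end the string literal.
    $stmt = $db->prepare(
        'INSERT INTO iareq (username, time_off, reason, req_date, req_time)
         VALUES (:username, :time_off, :reason, :req_date, :req_time)'
    );
    $stmt->execute([
        ':username' => $username,
        ':time_off' => $time,
        ':reason'   => $reason,
        ':req_date' => date('F j, Y'),
        ':req_time' => date('h:i:s T'),
    ]);
    return (int)$db->lastInsertId();
}

// Constructed input: the quote-bearing value from the post above, sent as the reason.
$post = ['time' => '2 weeks', 'reason' => "'; DELETE FROM iareq; "];
$id = submit_ia_request($db, 'hismajesty', $post);
$check = $db->prepare('SELECT reason FROM iareq WHERE id = ?');
$check->execute([$id]);
var_dump($check->fetchColumn() === $post['reason']);   // is the stored text identical to the input?
var_dump((int)$db->query('SELECT COUNT(*) FROM iareq')->fetchColumn());   // rows still in the table
```

With MySQL, the same prepare/execute calls work through PDO's mysql driver; only the connection string changes.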

hismajesty

I use 'USERNAME' throughout my entire project, I'm not going to change it now. And with the stuff you listed, nothing is even remotely close to the error given. Thanks though, I'll look into some of that stuff.

Akamas

#3
Yah, well it might not be close to the error. But like I said in the channel, people can TOTALLY kill your mysql, and I explained it in the channel. No offense but that's actually the worst I've seen a PHP script, biggest mess. Your error is just the beginning of your problems.

hismajesty

hmm ok, I'll just rewrite it then.

hismajesty

For reference:

I fixed the errors
<td> <input type=text name=time value="" id=def_input> </td>
should have had value=\"\"

and $time2 = date("h:i:s T") was missing a semi-colon