[solved] undefined & parse error

m2babaey
Forum Contributor
Posts: 364
Joined: Sun May 20, 2007 9:26 am

[solved] undefined & parse error

Post by m2babaey »

Hi
2 questions (they may be non-related).
1. The code below lists the articles in a specific section (part of the site):

Code:

<?
include 'global.php';
if (isset($_GET['id'])) {
    $section_id = $_GET['id'];
    $sql = "SELECT * FROM articles WHERE section = '$section_id' ORDER BY id";
    $results = mysql_query($sql) or die (mysql_error());
    $row = mysql_fetch_array($results);
    include 'page.php';
}
?>
when I enter the url "http://127.0.0.1/Takfekr/htdocs/section.php?id=0" it sends a parse error like this:
Parse error: parse error in g:\programs(2)\easyphp1-8\www\takfekr\htdocs\section.php on line 10
do you think it's because there is no "else" for the if statement?
2. I am using a code that will include a page for 2 different purposes. I mean section.php includes it and read.php does as well. I named the result of the sql queries related to each of them different, $result for read.php and $results for section.php
Then I used if statement like this:

Code:

if ($result){
//now the codes related for read.php goes here
} else{
//this means no sql query has been done named $result, so it assumes the page has been called for section.php
}
Of course using the code above will send a Notice like this:
Notice: Undefined variable: result in g:\programs(2)\easyphp1-8\www\takfekr\htdocs\articlecontent.php on line 3
I can use different pages to solve it, but is there another solution (except turning off notices)
thanks
Last edited by m2babaey on Wed Jul 04, 2007 9:22 am, edited 1 time in total.
miro_igov
Forum Contributor
Posts: 485
Joined: Fri Mar 31, 2006 5:06 am
Location: Bulgaria

Post by miro_igov »

to prevent the notice use

Code:

if(isset($result)) ..................
For the other error you need to post section.php
aceconcepts
DevNet Resident
Posts: 1424
Joined: Mon Feb 06, 2006 11:26 am
Location: London

Post by aceconcepts »

have you tried alternate urls as the value submitted?
m2babaey
Forum Contributor
Posts: 364
Joined: Sun May 20, 2007 9:26 am

Post by m2babaey »

Thanks
section.php was the first code
that problem does not happen for id=50 ( if you meant this by alternate url)
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

I would suggest reading up on SQL injection.
m2babaey
Forum Contributor
Posts: 364
Joined: Sun May 20, 2007 9:26 am

Post by m2babaey »

problem got solved
feyd wrote: "I would suggest reading up on SQL injection."
why?
is that related and how?
thanks :P
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Currently, your script has a gaping hole allowing it.
m2babaey
Forum Contributor
Posts: 364
Joined: Sun May 20, 2007 9:26 am

Post by m2babaey »

Thanks.
I have started studying more on sql injection.
But could you please be more specific because I'm going to upload my site in the next few days and need to act faster. I thought PHP is safe when there is no session and login
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

e.g. someone calls your script with ?id=%27+or+%27%27%3D%27, then $section_id is ' or ''=' and your sql statement becomes
SELECT * FROM articles WHERE section = '' or ''='' ORDER BY id
which matches all records.
mysql_real_escape_string() marks characters like ' as being payload data by prepending them with \

see http://de2.php.net/security.database.sql-injection and http://de2.php.net/mysql_real_escape_string
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Code:

page.php?id='; DROP DATABASE dbName; SELECT * FROM articles WHERE ''='
m2babaey
Forum Contributor
Posts: 364
Joined: Sun May 20, 2007 9:26 am

Post by m2babaey »

Oh yes. I didn't pay enough attention at first.:oops: I remembered I am querying the database then though :P
How about using this function:

Code:

strip_tags($_GET['id']);
will that work as well as mysql_real_escape_string, or work better? :?:
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

strip_tags() won't protect you much. mysql_real_escape_string() protects you a fair bit more, but it can't protect you against data differences or poor SQL.
m2babaey
Forum Contributor
Posts: 364
Joined: Sun May 20, 2007 9:26 am

Post by m2babaey »

I think I should use a combination of strip_tags, get_magic_quotes, addslashes
what more in your opinion?
what will happen about:
"but it can't protect you against data differences or poor SQL."
then?
thanks
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

m2babaey wrote: "I think I should use a combination of strip_tags, get_magic_quotes, addslashes"
Generally, no.
m2babaey wrote: "what more in your opinion?
what will happen about:
'but it can't protect you against data differences or poor SQL.'
then?"
You need to apply filtering, cleaning, and so forth, specific to the field types. Numbers need to be forced to numbers, dates need to be in the proper format, etc etc.
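
The two points made in the thread (volka's `' or ''='` input and feyd's "numbers need to be forced to numbers"), as an added example that is not part of the original thread or any poster's code. It assumes PDO with an in-memory SQLite table standing in for the MySQL `articles` table, uses a prepared statement instead of the mysql_real_escape_string() call the thread names, and the function names and rows are made up for illustration.

```php
<?php
// Added example. Constructed in-memory SQLite table standing in for the
// thread's MySQL `articles` table; rows and function names are made up.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE articles (id INTEGER PRIMARY KEY, section INTEGER, title TEXT)");
$db->exec("INSERT INTO articles (section, title) VALUES
           (0, 'Intro'), (0, 'News'), (50, 'Unrelated section')");

// "Before": the pattern from section.php, request value pasted into the SQL text.
function list_concatenated(PDO $db, string $id): array
{
    $sql = "SELECT title FROM articles WHERE section = '$id' ORDER BY id";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// "After": the number is forced to a number, then bound as a parameter,
// so the request value never becomes part of the SQL text.
function list_bound(PDO $db, string $id): array
{
    $section = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($section === false) {   // strict test: section 0 is valid, and 0 == false
        return [];              // not a section number, so no query is run
    }
    $stmt = $db->prepare("SELECT title FROM articles WHERE section = :section ORDER BY id");
    $stmt->bindValue(':section', $section, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Inputs: a normal request, and the value from volka's post
// (?id=%27+or+%27%27%3D%27 decodes to ' or ''=').
$inputs = ['0', urldecode('%27+or+%27%27%3D%27')];
foreach ($inputs as $id) {
    printf("id=%s concatenated: %d row(s), bound: %d row(s)\n",
        json_encode($id),
        count(list_concatenated($db, $id)),
        count(list_bound($db, $id)));
}
```

The strict `=== false` comparison matters for the `id=0` URL from the first post: a loose check would reject section 0 along with the invalid input.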