Old 09-14-2008, 03:54 AM   #1
halfpint
Php Help Please

I keep getting parsing errors on this script on line 20. I was told it is because the quotes are not being escaped, so when you have a " or a ' you need to escape the quote with a / but not the first and end quotes... something like that, I think. I can't figure it out.

Can anybody help, please?

Code:
        <div align=left><?php 

$getinfo = mysql_query("SELECT username,email,gameplays,avatar,comments,location,gender,favgame,joined,im,status,id FROM users WHERE username='$_REQUEST[user]'") or die(mysql_error());
$get = @mysql_fetch_array($getinfo);
if(@mysql_num_rows($getinfo) == '0') {
?> 
<h1>No User To View Profile</h1> 
<br> 
<br> 
<?php
}else{
?> 
<?php echo"$top_games";?> <?php echo"$latest_games";?> <?php echo"$affiliates";?> <br> 
<h1> 
  <?=$_REQUEST[user]?> 
  's Profile</h1> 
<br> 
<br>
 <?php if($get[avatar] == '') {
  print "<img src=http://$site_url/avatars/non.gif width=/"80" height=/"80">";
}else{ print "<img src=$get[avatar] width=/"80" height=/"80">"; } ?> 
<br> 
<br> 
<strong> 
<?php if($get[status] == '0') {
  print "<font color=red>I am currently offline</font>";
}elseif($get[status] == '1'){
  print "<font color=green>I am currently online</font>";
}
?> 
</strong><br> 
<strong>Total Video Plays:</strong> 
</h3> 
<?=$get[gameplays]?> 
<br> 
<br> 
<strong>Location:</strong> 
</h3> 
<?=$get[location]?> 
<br> 
<br> 
<strong>IM:</strong> 
</h3> 
<?=$get[im]?> 
<br> 
<br> 
<strong>Gender:</strong> 
</h3> 
<?=$get[gender]?> 
<br> 
<br> 
<strong>Favorite Game:</strong> 
</h3> 
<?=$get[favgame]?> 
<br> 
<br> 
<strong>Date Joined:</strong> 
<?=$get[joined]?> 
<br> 
<br> 
<strong>Comments:</strong> <?php 
$comments = stripslashes($get[comments]);
print wordwrap($comments); ?><br> 
<br> 
<a href="page.php?page=pms&compose=1&to=<?=$_REQUEST[user]?>">Send this user a PM</a><br> 
<br> 
<br> 
<br> 
<center> 
 <?php if ($adult ==1 || $porn_setting==1){ include("cache/ad-1-468x60.php"); } else{ include("cache/ad-0-468x60.php"); } ?> 
</center> 
<?php 

$query4 = "SELECT gid,gname FROM favoritegames WHERE uid='$_REQUEST[user]'";
$result4 = mysql_query($query4) or die(mysql_error());

if(@mysql_num_rows($result4) == '0') {
}else{
?> 
<h1>My Favorite Games:</h1> 
<?php 
while (list ($id, $name) = mysql_fetch_row($result4)) {

echo "<br><a href=./play.php?action=play&id=$id>$name</a>";

} } ?> 
<?php } ?> <br><br><br><br><br><br><br><br><br><br>
</div>
Old 09-14-2008, 03:55 AM   #2
k0nr4d
print "<img src='http://$site_url/avatars/non.gif' width='80' height='80'>";
}else{ print "<img src='$get[avatar]' width='80' height='80'>"; } ?>
Old 09-14-2008, 03:58 AM   #3
halfpint
Quote:
Originally Posted by k0nr4d View Post
print "<img src='http://$site_url/avatars/non.gif' width='80' height='80'>";
}else{ print "<img src='$get[avatar]' width='80' height='80'>"; } ?>
thank you
Old 09-14-2008, 03:59 AM   #4
StariaDaniel
change the " to \", not to /" and it should work fine
Old 09-14-2008, 04:01 AM   #5
k0nr4d
Quote:
Originally Posted by StariaDaniel View Post
change the " to \", not to /" and it should work fine
that wouldn't have worked, because he was only escaping 1 of the " not the second one
width=\"80\" would have worked, but he had it as width=/"80"
Old 09-14-2008, 04:02 AM   #6
StariaDaniel
Oh, didn't notice that at first sight, but you're right of course, every " in the print " ... "; has to be escaped
Old 09-14-2008, 04:03 AM   #7
halfpint
Quote:
Originally Posted by k0nr4d View Post
print "<img src='http://$site_url/avatars/non.gif' width='80' height='80'>";
}else{ print "<img src='$get[avatar]' width='80' height='80'>"; } ?>
Used this piece of code and it works... thanks, I love you, this has been driving me mad

thanks again
Old 09-14-2008, 06:35 AM   #8
calmlikeabomb
Why the inconsistency between the use of echo and print?

It's not going to affect your script's performance, but just so you know echo is marginally faster, because it doesn't return a value ^_^
Old 09-14-2008, 11:24 AM   #9
Janh
$query4 = "SELECT gid,gname FROM favoritegames WHERE uid='$_REQUEST[user]'";


This is bad... everyone can hack your database with query injection.

Solve this with one of the following examples.

1: (If uid is numeric)
$query4 = "SELECT gid,gname FROM favoritegames WHERE uid=".(int)$_REQUEST['user'];

2: (If uid is a text/varchar)
$query4 = "SELECT gid,gname FROM favoritegames WHERE uid='".mysql_real_escape_string($_REQUEST['user'])."'";

It's always better to do this via a public check function as below

$query4 = "SELECT gid,gname FROM favoritegames WHERE uid=".dbcheck($_REQUEST['user']);

function dbcheck($dbValue, $dbType = "s") {
    $dbTemp = $dbValue;
    // Double every single quote
    $dbTemp = str_replace("'", "''", $dbTemp);

    // Strip slashes, then double any backslash that is left
    $dbTemp = stripslashes($dbTemp);
    $dbTemp = str_replace("\\", "\\\\", $dbTemp);
    switch (strtolower($dbType)) {
        case "i":
            // Numbers
            if (is_numeric($dbTemp)) {
                $check = $dbTemp;
            } else {
                $check = "0";
            }
            break;
        case "b":
            // Boolean
            if ($dbTemp > 0) {
                $check = 1;
            } else {
                $check = 0;
            }
            break;
        default:
            // String
            //if (strlen($dbTemp)>0) {
            $check = "'" . $dbTemp . "'";
            //} else {
            //$check = "Null";
            //}
            break;
    }
    return $check;
}
Last edited by Janh; 09-14-2008 at 11:28 AM.. Reason: Update
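An added example, not part of Janh's post or the original script: the favoritegames lookup written with a PDO prepared statement, next to the concatenated form from the thread, so the difference shows on the same input. The table and column names are the thread's; the in-memory SQLite database, the sample rows, the input values and the helper names `favorite_games` and `favorite_games_concat` are assumptions made so the block runs offline.

```php
<?php
// Added example: bound parameters instead of string concatenation.
// Table and column names come from the thread; the rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE favoritegames (uid TEXT, gid INTEGER, gname TEXT)");
$db->exec("INSERT INTO favoritegames VALUES
    ('alice', 1, 'Pong'), ('alice', 2, 'Snake'), ('bob', 3, 'Tetris')");

// The pattern from the original script: the request value becomes SQL text.
function favorite_games_concat(PDO $db, $user)
{
    $sql = "SELECT gid,gname FROM favoritegames WHERE uid='$user'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hypothetical helper: the same lookup with a bound parameter.
function favorite_games(PDO $db, $user)
{
    // user[]=x in the request makes $_REQUEST['user'] an array; accept strings only.
    if (!is_string($user)) {
        return array();
    }
    $stmt = $db->prepare('SELECT gid,gname FROM favoritegames WHERE uid = ?');
    $stmt->execute(array($user)); // sent as data, never parsed as SQL
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed values standing in for $_REQUEST['user'].
$inputs = array('alice', "x' OR '1'='1", array('alice'));
foreach ($inputs as $input) {
    $label = is_string($input) ? $input : 'array value';
    if (is_string($input)) {
        printf("%-14s concatenated: %d row(s)\n", $label,
            count(favorite_games_concat($db, $input)));
    }
    printf("%-14s prepared:     %d row(s)\n", $label,
        count(favorite_games($db, $input)));
}
```

Against MySQL only the PDO DSN and credentials change; the `prepare` and `execute` calls stay the same.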
Old 09-14-2008, 12:12 PM   #10
halfpint
Quote:
Originally Posted by Janh View Post

Thanks for that, I will change it right now
Old 09-14-2008, 12:12 PM   #11
CurrentlySober
I fucking LOVE PHP...

Just a shame I still need to learn it... But I LOVE IT