GoFuckYourself.com - Adult Webmaster Forum


halfpint 09-14-2008 03:54 AM

Php Help Please
 
I keep getting parsing errors on this script on line 20. I was told it is because the quotes are not being escaped.. so when you have a " or a ' you need to escape the quote with a / but not the first and end quotes.. something like that I think. I can't figure it out

can anybody help please

Code:

        <div align=left><?php

$getinfo = mysql_query("SELECT username,email,gameplays,avatar,comments,location,gender,favgame,joined,im,status,id FROM users WHERE username='$_REQUEST[user]'") or die(mysql_error());
$get = @mysql_fetch_array($getinfo);
if(@mysql_num_rows($getinfo) == '0') {
?>
<h1>No User To View Profile</h1>
<br>
<br>
<?php
}else{
?>
<?php echo"$top_games";?> <?php echo"$latest_games";?> <?php echo"$affiliates";?> <br>
<h1>
  <?=$_REQUEST[user]?>
  's Profile</h1>
<br>
<br>
 <?php if($get[avatar] == '') {
  print "<img src=http://$site_url/avatars/non.gif width=/"80" height=/"80">";
}else{ print "<img src=$get[avatar] width=/"80" height=/"80">"; } ?>
<br>
<br>
<strong>
<?php if($get[status] == '0') {
  print "<font color=red>I am currently offline</font>";
}elseif($get[status] == '1'){
  print "<font color=green>I am currently online</font>";
}
?>
</strong><br>
<strong>Total Video Plays:</strong>
<?=$get[gameplays]?>
<br>
<br>
<strong>Location:</strong>
<?=$get[location]?>
<br>
<br>
<strong>IM:</strong>
<?=$get[im]?>
<br>
<br>
<strong>Gender:</strong>
<?=$get[gender]?>
<br>
<br>
<strong>Favorite Game:</strong>
<?=$get[favgame]?>
<br>
<br>
<strong>Date Joined:</strong>
<?=$get[joined]?>
<br>
<br>
<strong>Comments:</strong> <?php
$comments = stripslashes($get[comments]);
print wordwrap($comments); ?><br>
<br>
<a href="page.php?page=pms&compose=1&to=<?=$_REQUEST[user]?>">Send this user a PM</a><br>
<br>
<br>
<br>
<center>
 <?php if ($adult ==1 || $porn_setting==1){ include("cache/ad-1-468x60.php"); } else{ include("cache/ad-0-468x60.php"); } ?>
</center>
<?php

$query4 = "SELECT gid,gname FROM favoritegames WHERE uid='$_REQUEST[user]'";
$result4 = mysql_query($query4) or die(mysql_error());

if(@mysql_num_rows($result4) == '0') {
}else{
?>
<h1>My Favorite Games:</h1>
<?php
while (list ($id, $name) = mysql_fetch_row($result4)) {

echo "<br><a href=./play.php?action=play&id=$id>$name</a>";

} } ?>
<?php } ?> <br><br><br><br><br><br><br><br><br><br>
</div>


k0nr4d 09-14-2008 03:55 AM

print "<img src='http://$site_url/avatars/non.gif' width='80' height='80'>";
}else{ print "<img src='$get[avatar]' width='80' height='80'>"; } ?>

halfpint 09-14-2008 03:58 AM

Quote:

Originally Posted by k0nr4d (Post 14753350)
print "<img src='http://$site_url/avatars/non.gif' width='80' height='80'>";
}else{ print "<img src='$get[avatar]' width='80' height='80'>"; } ?>

thank you :)

StariaDaniel 09-14-2008 03:59 AM

change the " to \", not to /" and it should work fine

k0nr4d 09-14-2008 04:01 AM

Quote:

Originally Posted by StariaDaniel (Post 14753352)
change the " to \", not to /" and it should work fine

that wouldn't have worked, because he was only escaping 1 of the " not the second one
width=\"80\" would have worked, but he had it as width=/"80"

StariaDaniel 09-14-2008 04:02 AM

oh, didn't notice that at first sight, but you're right of course, every " in the print " ... "; has to be escaped

halfpint 09-14-2008 04:03 AM

Quote:

Originally Posted by k0nr4d (Post 14753350)
print "<img src='http://$site_url/avatars/non.gif' width='80' height='80'>";
}else{ print "<img src='$get[avatar]' width='80' height='80'>"; } ?>

used this piece of code and it works.. thanks :) I love you, :winkwink: this has been driving me mad

thanks again

calmlikeabomb 09-14-2008 06:35 AM

Why the inconsistency between the use of echo and print?

It's not going to affect your script's performance, but just so you know echo is marginally faster, because it doesn't return a value ^_^

Janh 09-14-2008 11:24 AM

$query4 = "SELECT gid,gname FROM favoritegames WHERE uid='$_REQUEST[user]'";


This is bad.. everyone can hack your database with query injection.

Solve this with one of the following examples.

1: (If uid is numeric)
$query4 = "SELECT gid,gname FROM favoritegames WHERE uid=".(int)$_REQUEST['user'];

2: (if uid is a text/varchar)
$query4 = "SELECT gid,gname FROM favoritegames WHERE uid='".mysql_real_escape_string($_REQUEST['user'])."'";

It's always better to do this via a public check function as below

$query4 = "SELECT gid,gname FROM favoritegames WHERE uid=".dbcheck($_REQUEST['user']);



function dbcheck($dbValue, $dbType = "s") {
    $dbTemp = $dbValue;
    // Double any single quotes (SQL string-literal escaping), strip slashes
    // already present in the input, then double the remaining backslashes.
    $dbTemp = str_replace("'", "''", $dbTemp);

    $dbTemp = stripslashes($dbTemp);
    $dbTemp = str_replace("\\", "\\\\", $dbTemp);
    switch (strtolower($dbType)) {
        case "i":
            // Numbers: anything non-numeric collapses to 0
            if (is_numeric($dbTemp)) {
                $check = $dbTemp;
            } else {
                $check = "0";
            }
            break;
        case "b":
            // Boolean
            if ($dbTemp > 0) {
                $check = 1;
            } else {
                $check = 0;
            }
            break;
        default:
            // String: returned already wrapped in single quotes
            //if (strlen($dbTemp)>0) {
            $check = "'" . $dbTemp . "'";
            //} else {
            //$check = "Null";
            //}
            break;
    }
    return $check;
}
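
As an added example (not code from the thread or from halfpint's site), the two user-controlled queries in the original script rewritten with PDO prepared statements, so the value of $_REQUEST['user'] is sent as a bound parameter and never spliced into the SQL text. It assumes PHP 7.1+ with the pdo_mysql extension; the DSN, database user and password are placeholders.

```php
<?php
// Added example, not from the thread: halfpint's two queries as PDO prepared
// statements. DB_*_PLACEHOLDER values are placeholders, not real settings.
declare(strict_types=1);

function connect(): PDO {
    $dsn = 'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4';
    return new PDO($dsn, 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // server-side prepare: SQL and data travel separately
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Replaces: mysql_query("SELECT ... FROM users WHERE username='$_REQUEST[user]'")
// The username is bound as data, so quotes inside it cannot alter the statement.
function fetchProfile(PDO $pdo, string $username): ?array {
    $stmt = $pdo->prepare(
        'SELECT username, email, gameplays, avatar, comments, location, gender,
                favgame, joined, im, status, id
           FROM users WHERE username = :username'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Replaces: $query4 = "SELECT gid,gname FROM favoritegames WHERE uid='$_REQUEST[user]'";
// If uid were an INT column, cast with (int) and bind with PDO::PARAM_INT instead.
function fetchFavoriteGames(PDO $pdo, string $uid): array {
    $stmt = $pdo->prepare('SELECT gid, gname FROM favoritegames WHERE uid = ?');
    $stmt->execute([$uid]);
    return $stmt->fetchAll();
}

// Same flow as the thread's page: a missing or unknown user shows "No User To View Profile".
$user    = (string)($_REQUEST['user'] ?? '');
$pdo     = connect();
$profile = fetchProfile($pdo, $user);
if ($profile === null) {
    echo '<h1>No User To View Profile</h1>';
} else {
    // Values are HTML-escaped on output so stored data renders as text, not markup.
    echo '<h1>' . htmlspecialchars($profile['username'], ENT_QUOTES, 'UTF-8') . "'s Profile</h1>";
    foreach (fetchFavoriteGames($pdo, $user) as $game) {
        printf('<br><a href="./play.php?action=play&amp;id=%d">%s</a>',
            (int)$game['gid'], htmlspecialchars($game['gname'], ENT_QUOTES, 'UTF-8'));
    }
}
```

With prepared statements the escaping helpers in the thread (mysql_real_escape_string, dbcheck) are no longer needed for these queries, because the driver never has to interpret the user's value as SQL.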

halfpint 09-14-2008 12:12 PM

Quote:

Originally Posted by Janh (Post 14754563)

Thanks for that I will change it right now

CurrentlySober 09-14-2008 12:12 PM

I fucking LOVE PHP...

Just a shame I still need to learn it... But I LOVE IT :)

