#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2013
    Posts
    40
    Rep Power
    0

    Cant find error.


    if i search for a string-
    Jassie Gift sings 'Randaka Randaka'
    I store it in variable $searchKey

    PHP Code:
    <script type="text/javascript">
    var skey ='<?php echo $searchKey ?>';
    </script>
    it gives the following error

    SyntaxError: missing ; before statement
    var skey ='Jassie Gift sings 'Randaka Randaka' ';
  2. #2
  3. No Profile Picture
    Contributing User
    Devshed Regular (2000 - 2499 posts)

    Join Date
    Sep 2006
    Posts
    2,034
    Rep Power
    535
    Read the error. What does it say is missing?
  4. #3
  5. Confused badger
    Devshed Beginner (1000 - 1499 posts)

    Join Date
    Mar 2009
    Location
    West Yorkshire
    Posts
    1,112
    Rep Power
    487
    #goingtoshootmyselfintheface
    "For if leisure and security were enjoyed by all alike, the great mass of human beings who are normally stupefied by poverty would become literate and would learn to think for themselves; and when once they had done this, they would sooner or later realise that the privileged minority had no function and they would sweep it away"
    - George Orwell, 1984
  6. #4
  7. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Hi,

    never, ever dump unescaped strings into an executable context. In the best case, you'll merely screw up your program. In the worst case, somebody will do a code injection attack.

    Since escaping for JavaScript is incredibly difficult and error-prone, I suggest you don't do it at all. Doesn't the search term come from the URL? If not, either fetch it with an Ajax request. Or JSON-encode the data, escape it and embed it in a hidden div element.
    The 6 worst sins of security ē How to (properly) access a MySQL database with PHP

    Why canít I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  8. #5
  9. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2013
    Posts
    40
    Rep Power
    0

    Worked


    addslashes() worked , it escapes double and single quotes

    PHP Code:
    <script type="text/javascript">
        var db= '<?php echo $db ?>';
        var skey ='<?php echo addslashes($searchKey?>';
    </script>

    Comments on this post

    • Jacques1 disagrees : Nonsense. It might be a good idea to actually *listen* to people.
    • NotionCommotion disagrees : Did you read your original error: "SyntaxError: missing ; before statement"
  10. #6
  11. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2013
    Posts
    40
    Rep Power
    0
    #NotionCommotion disagrees : There is nothing missing, do u see some thing wrong in my code ....its giving error due to ununescaped strings .
  12. #7
  13. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2013
    Posts
    40
    Rep Power
    0
    #Jacques1 : what do u mean by "dump unescaped strings into an executable context";
  14. #8
  15. No Profile Picture
    Contributing User
    Devshed Regular (2000 - 2499 posts)

    Join Date
    Sep 2006
    Posts
    2,034
    Rep Power
    535
    sunny1234567890, Try running the following script. Let me know if you have questions.
    PHP Code:
    <?php
      error_reporting
    (E_ALL);
      echo(
    'missing semicolon')
      echo(
    'This line will error since the previous line did not end with a semicolon');
    ?>
  16. #9
  17. Confused badger
    Devshed Beginner (1000 - 1499 posts)

    Join Date
    Mar 2009
    Location
    West Yorkshire
    Posts
    1,112
    Rep Power
    487
    Originally Posted by sunny1234567890
    #NotionCommotion disagrees : There is nothing missing, do u see some thing wrong in my code ....its giving error due to ununescaped strings
    Sunny
    The error is correct, if you look at what you posted:

    var skey ='Jassie Gift sings 'Randaka Randaka' ';

    To the interpreter, it reads like this:
    var skey ='Jassie Gift sings '
    Randaka Randaka'
    ';


    So it reaches the closing ' after "sings" and thinks that's the end of the STRING, whatever comes next is a command (e.g. "echo") BUT, because there's no period (to indicate continuation) or semi-colon (to indicate an end of statement), it throws a standard error saying:

    SyntaxError: missing ; before statement

    The bit it thinks is a statement is the word "Randaka".
    This can be solved by, as Jacques1 says resolving the escaping of the string when you're inserting it into the DB.

    An example of the string escaped is:
    Jassie Gift sings \'Randaka Randaka\'

    If you're not sure what Jacques1 means, click the security link in his signature, it will explain everything.
    "For if leisure and security were enjoyed by all alike, the great mass of human beings who are normally stupefied by poverty would become literate and would learn to think for themselves; and when once they had done this, they would sooner or later realise that the privileged minority had no function and they would sweep it away"
    - George Orwell, 1984
  18. #10
  19. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    It's actually not enough to escape the quotes (which sunny did in his/her second post). This still allows an attacker to inject a </script> tag and break out of the script context:

    PHP Code:
    <?php
    $searchKey 
    '</script><script>eval(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41,59))</script><script>';
    ?>
    <!-- this is a cross-site scripting vulnerability despite the escaping of quotes and backslashes -->
    <script>
        var searchKey = '<?= addslashes($searchKey?>';
    </script>
    Escaping values for a JavaScript context is tricky, because script elements are parsed in a special way. I wouldn't recommend it. Instead, JSON-encode the data, HTML-escape it and then put it into a hidden div element. This is secure. To get the data, you simply fetch the JSON from the div and parse it:

    PHP Code:
    <?php
    $userData 
    = array(
        
    'search_key' => '</script><script>eval(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41,59))</script><script>'
    );
    ?>
    <!-- no vulnerability, because we can use standard htmlspecialchars() -->
    <div id="data" class="hidden">
        <?= htmlspecialchars(json_encode($userData), ENT_QUOTES'UTF-8'?>
    </div>

    <script src="http://code.jquery.com/jquery-1.10.2.min.js"></script>
    <script>
        var userData = JSON.parse($('#data').text());
        console.log(userData);
    </script>
    The 6 worst sins of security ē How to (properly) access a MySQL database with PHP

    Why canít I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  20. #11
  21. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2013
    Posts
    40
    Rep Power
    0

    Thanks


    Thanks

IMN logo majestic logo threadwatch logo seochat tools logo