#1  Ihatephp (Contributing User, Devshed Newbie (0 - 499 posts); Join Date: Oct 2012; Posts: 60; Rep Power: 2)

    I'm left with an error message. Please, someone help me.


    Hi there.
    I need some help with my PHP code, which makes the web page go away and leaves me with an error message.
    The error message always points to wherever "$i++;" is in the code below, even after the multiple changes I made. But I couldn't find any problem above it.
    Does anyone see any problem with the code below, please?
    Without this code inserted below the connection-establishing PHP code and above <!DOCTYPE html>, the page shows itself with no problems.
    Did I put the code in the wrong place to begin with, and is that why the code leaves me error messages?
    I tried to debug this and I found there is some problem detected around the beginning part of the WHILE loop. But I don't know what exactly the problem is.
    What I'm trying to do is to let a user select a category of product info so that, according to the user's selection, PHP will bring up the product info that corresponds to the selected category. I'm trying to make everything happen in one page. For the record, I have another set of PHP script on the same page interacting with the DB and that is working fine. So I'm assuming there is no problem with the DB-connection script.

    PHP Code:

    if(isset($_POST['category']) && $_POST['category'] !== 'all')
    {
        echo $_POST['category'];

        $selection = $_POST['category'];

        $sql = "SELECT * FROM Products WHERE Category = $selection";

        $rs = $conn->query($sql) or die ("Connection Failed");

        $i = 0;
        $listedProduct = ''; // start empty so the first concatenation below has something to append to

        // (the braces around this loop body are fullwidth U+FF5B / U+FF5D, not ASCII { } -- see the replies)
        while($row = $rs->fetch_assoc())
        ｛
            $i++;

            // $conditionalLineBreak is used to have a line break on every 4th product info so that the list keeps adding itself downward without going over the width of the contents area on the web page.
            $conditionalLineBreak = (($i % 4) == 0) ? "last" : "";

            // $nameBroken is used to have a line break after every 15th character.
            $nameBroken = wordwrap($row['Name'], 15, "<br/>", true);

            // This checks whether the current product info has its image info under the URL column in the database table (the URL refers to an image).
            if($row['URL'] == false)
            {
                $URL = 'no-image.jpg';
            }
            else
            {
                $URL = $row['URL'];
            }

            // $listedProduct stores the actual HTML output to be echoed within the <body> area.
            // (the next line begins with an ideographic space U+3000, not a normal space)
            　$listedProduct = $listedProduct."<div class=\"product_list {$conditionalLineBreak}\">
                <ul class=\"vertical_list_for_products\">
                    <li><a href=\"each_product.php?pid={$row['pid']}\"><img src=\"product_images/$URL\" alt=\"No Image\" style=\"width: 100px;\"></a></li>
                    <li><a href=\"each_product.php?pid={$row['pid']}\"><b>$nameBroken</b></a></li>
                    <li><a href=\"each_product.php?pid={$row['pid']}\"><b>{$row['Category']}</b></a></li>
                    <li>$<a href=\"each_product.php?pid={$row['pid']}\">{$row['Price']}</a></li>
                </ul>\n";

            $listedProduct = $listedProduct."<br/><br/><br/></div>\n";
        ｝
    }



    HTML code for user to select a category.
    Code:
    <form method="post" action="#">
        <select id="select" name="category">
            <option value='all'>All</option>
            <option value="category1">category1</option>
            <option value="category2">category2</option>
        </select>
    </form>
    Last edited by ManiacDan; April 8th, 2013 at 08:18 AM.
#2  E-Oreo (Lost in code, Devshed Supreme Being (6500+ posts); Join Date: Dec 2004; Posts: 8,301; Rep Power: 7170)
    What error message?

    Your SQL query is syntactically invalid because you have a string in it that isn't enclosed in quotation marks. Additionally, it contains a SQL injection vulnerability.
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
#3  Ihatephp (Contributing User, Devshed Newbie (0 - 499 posts); Join Date: Oct 2012; Posts: 60; Rep Power: 2)
    Originally Posted by E-Oreo
    What error message?

    Your SQL query is syntactically invalid because you have a string in it that isn't enclosed in quotation marks. Additionally, it contains a SQL injection vulnerability.

    Thank you for your reply.

    The error message comes out like this
    "syntax error, unexpected T_VARIABLE~~"

    And exactly which part are you talking about for the syntax error with a string that isn't enclosed, please?

    And how can I protect against SQL injection, please?
    I was thinking SQL injection needs to be done through a text box or some kind of interface that lets users actually type in something so that they can rewrite the code or something.
    Can you point out and fix where I'm wrong about SQL injection?
#4  ManiacDan (Sarcky, Devshed Supreme Being (6500+ posts); Join Date: Oct 2006; Location: Pennsylvania, USA; Posts: 10,696; Rep Power: 6351)
    I've colored your code using [ PHP ] tags instead of [ CODE ] tags. That shows me a number of things:

    1) Something aside from curly braces is showing up as your containing characters for the blocks (like your WHILE loop). Could be coincidence, could be that you're programming in an editor which isn't using the correct plaintext { } characters.

    2) As Oreo said, your SQL is wrong in two different ways, but that won't even matter until you fix the syntax error.
    HEY! YOU! Read the New User Guide and Forum Rules

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin

    "The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002

    Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
#5  Ihatephp (Contributing User, Devshed Newbie (0 - 499 posts); Join Date: Oct 2012; Posts: 60; Rep Power: 2)
    Originally Posted by ManiacDan
    I've colored your code using [ PHP ] tags instead of [ CODE ] tags. That shows me a number of things:

    1) Something aside from curly braces is showing up as your containing characters for the blocks (like your WHILE loop). Could be coincidence, could be that you're programming in an editor which isn't using the correct plaintext { } characters.

    2) As Oreo said, your SQL is wrong in two different ways, but that won't even matter until you fix the syntax error.

    Thanks for your reply. But I'm sorry, I don't understand what you mean by "containing characters" and "an editor which isn't using the correct plaintext { } characters".

    What exactly do you mean, please?

    And I would also like to know how the SQL statement was supposed to be, please.
#6  Jacques1 (Devshed Expert (3500 - 3999 posts); Join Date: Jul 2012; Posts: 3,938; Rep Power: 1045)
    Originally Posted by Ihatephp
    Thanks for your reply. But I'm sorry, I don't understand what you mean by "containing characters" and "an editor which isn't using the correct plaintext { } characters".
    In the code above, you have the character ｛ (&#65371;, called "fullwidth curly brace") instead of a standard curly brace. That fullwidth stuff seems to be used in Asian character sets.

    I don't know how this character came into your code, but you need to check the configuration of your editor -- or switch to a better one. You don't happen to use an Asian locale on your computer?



    Originally Posted by Ihatephp
    And I would also like to know how the SQL statement was supposed to be, please.
    First of all: No, it's not enough to protect yourself against URL parameters or text fields or something. You don't seem to understand how the www works. Anybody can send any HTTP request to your server. I don't need to visit your website in my browser and click on some buttons. I can open a raw TCP connection in the console and send you any data I want (which is also the reason why JavaScript "validations" don't have any effect beyond notifying the user of errors).

    Any request data -- the URL, the request body and the headers (including the cookies) -- are under full control of the user and can contain anything. This means you cannot trust this data. You must not insert it into query strings (this can lead to SQL injections), you must not include it in the HTML document (this can lead to cross-site scripting), you must not put it into any executable context.

    For database queries, there's a simple solution to prevent SQL injections: prepared statements. Simply pass all external values to the parameters of a prepared statement, and there's never any risk of them being interpreted as actual SQL.

    Theoretically, it's also possible to escape the values by hand like in the old database extensions (that "real escape" stuff). But in my experience, this is extremely error-prone. It's very easy to mess up the escaping -- maybe you forget it, maybe you think it's not necessary when it is, maybe you messed up the character encoding (the infamous "SET NAMES") etc.

    Don't take this risk, use prepared statements. Also, check the security tutorial in my signature.

    PHP Code:
    // create the prepared statement; don't insert any variables into the query string!
    $products_stmt = $conn->prepare('
        SELECT
            *
        FROM
            Products
        WHERE
            Category = ?        -- the question mark is a parameter
    ');

    // pass $selection to the prepared statement (in a secure way)
    $products_stmt->bind_param('s', $selection);

    // execute the prepared statement
    $products_stmt->execute();

    // fetch the rows (you can also use "bind_result" and repeated "fetch" calls, but this is shorter)
    // note: get_result() is only available with the mysqlnd driver
    foreach ($products_stmt->get_result() as $product)
    {
        var_dump($product);
    }
    Last edited by Jacques1; April 9th, 2013 at 05:45 AM.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
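The check a practitioner would run to catch what Jacques1 describes before PHP trips over it, as an added example that is not part of the thread: a PHP script that walks source text character by character and reports fullwidth ASCII look-alikes (U+FF01 to U+FF5E, the range that contains the ｛ and ｝ above) and the ideographic space U+3000, together with the ASCII character each one resembles. The source it scans here is a constructed sample that mirrors the loop in the first post; point `findFullwidthChars()` at `file_get_contents('yourfile.php')` to check a real file.

```php
<?php
// Added example, not code from the thread: report fullwidth ASCII look-alikes
// (U+FF01..U+FF5E) and the ideographic space (U+3000) in PHP source, with the
// ASCII character each one resembles. The sample source below is constructed
// to mirror the loop from the first post.
declare(strict_types=1);

// Decode one UTF-8 encoded character (1 to 4 bytes) to its code point.
function codePoint(string $ch): int
{
    $b = array_values(unpack('C*', $ch));
    switch (count($b)) {
        case 1:  return $b[0];
        case 2:  return (($b[0] & 0x1F) << 6) | ($b[1] & 0x3F);
        case 3:  return (($b[0] & 0x0F) << 12) | (($b[1] & 0x3F) << 6) | ($b[2] & 0x3F);
        default: return (($b[0] & 0x07) << 18) | (($b[1] & 0x3F) << 12)
                      | (($b[2] & 0x3F) << 6) | ($b[3] & 0x3F);
    }
}

/**
 * One entry per offending character: 1-based line and column (counted in
 * characters, not bytes), the character, its code point and the ASCII
 * character it looks like. Hits inside strings or comments are reported
 * too, so review each one instead of rewriting the file blindly.
 */
function findFullwidthChars(string $source): array
{
    $hits = [];
    foreach (explode("\n", $source) as $lineIdx => $line) {
        $chars = preg_split('//u', $line, -1, PREG_SPLIT_NO_EMPTY);
        if ($chars === false) {
            continue; // not valid UTF-8; a different problem, not reported here
        }
        foreach ($chars as $colIdx => $ch) {
            $cp = codePoint($ch);
            if ($cp >= 0xFF01 && $cp <= 0xFF5E) {
                $ascii = chr($cp - 0xFEE0);   // e.g. U+FF5B '｛' -> U+007B '{'
            } elseif ($cp === 0x3000) {
                $ascii = ' ';                 // ideographic space -> plain space
            } else {
                continue;
            }
            $hits[] = [
                'line'      => $lineIdx + 1,
                'column'    => $colIdx + 1,
                'char'      => $ch,
                'codepoint' => sprintf('U+%04X', $cp),
                'ascii'     => $ascii,
            ];
        }
    }
    return $hits;
}

// Constructed sample: fullwidth braces around the loop body and an ideographic
// space in front of $listedProduct, as in the thread's snippet.
$sample = <<<'SRC'
while ($row = $rs->fetch_assoc())
｛
    $i++;
　  $listedProduct = $listedProduct . "<div>";
｝
SRC;

foreach (findFullwidthChars($sample) as $hit) {
    printf("line %d, col %d: %s (%s) looks like ASCII %s\n",
        $hit['line'], $hit['column'], $hit['char'], $hit['codepoint'],
        var_export($hit['ascii'], true));
}
```

On the sample it reports the two braces and the space with their line and column. GNU `grep -nP '[^\x00-\x7F]' file.php` is the cruder one-liner version: it lists every non-ASCII byte sequence, including the legitimate ones in strings and comments, so the code point range in the PHP version is there to cut the noise down to the characters that parse as something other than what they look like.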
#7  Ihatephp (Contributing User, Devshed Newbie (0 - 499 posts); Join Date: Oct 2012; Posts: 60; Rep Power: 2)
    Thank you very much. You pointed out exactly how I was wrong with the syntax. I really needed that. BTW, I'm Asian and that's why I accidentally used that character type. But I've had enough of this kind of tiny problem delaying my work by 3 days.
    Now which PHP editor would you recommend that is free and also tells me about this type of problem in a nice way, please? I want my text editor to tell me the problem by, maybe, highlighting it with some message that isn't vague at all. I also want this type of problem to be shown the way the [code] area shows it on Dev Shed, but, you know, I don't want to bother posting some code every time I have a small problem with my code. Or how can I change my Aptana 3 configuration? I use this editor because it's free. Or how can I find a text editor that meets my needs? I googled words like "php editor debugging" but I'm lacking the knowledge to understand what Google tells me.
    No, I don't understand the WWW at all. Thank you for your advice, but many of your words just didn't make sense to me.
    I have to do some research about prepared statements and so on, too.
    And how come "real_escape_string" or whatever has "real escape" in its name is error-prone? I can't really imagine a situation where real_escape_string causes any error.
#8  Jacques1 (Devshed Expert (3500 - 3999 posts); Join Date: Jul 2012; Posts: 3,938; Rep Power: 1045)
    Originally Posted by Ihatephp
    Now which PHP editor would you recommend that is free and also tells me about this type of problem in a nice way, please? I want my text editor to tell me the problem by, maybe, highlighting it with some message that isn't vague at all. I also want this type of problem to be shown the way the [code] area shows it on Dev Shed, but, you know, I don't want to bother posting some code every time I have a small problem with my code. Or how can I change my Aptana 3 configuration?
    You mean Aptana Studio, right? I don't know that program, but I'm surprised you're having those problems with it. It should do syntax highlighting, error reporting etc. by default.

    Otherwise, try one of the mainstream IDEs (integrated development environments) like Netbeans or Eclipse.



    Originally Posted by Ihatephp
    No, I don't understand the WWW at all. Thank you for your advice, but many of your words just didn't make sense to me.
    Then I strongly suggest learning the basics of HTTP and networks. There's a great book called "HTTP: The Definitive Guide" by Gourley and Totty, which covers pretty much any aspect you'll ever need. But it's quite huge.

    You should also get familiar with the developer tools of your browser, because they let you inspect HTTP messages in real life. You can see the request sent by your browser and the response sent by the remote server.

    In any case, learn the basics. You won't be able to write good applications without knowing what they actually do.



    Originally Posted by Ihatephp
    And how come "real_escape_string" or whatever has "real escape" in its name is error-prone? I can't really imagine a situation where real_escape_string causes any error.
    The functions themselves work exactly like they should. So if you use them correctly and never make any mistake, they'll prevent any SQL injection.

    Unfortunately, people do make mistakes. Otherwise we wouldn't even have to discuss SQL injections. Some people don't do any escaping at all, some don't escape certain values due to a misunderstanding, some simply forget it from time to time.

    Another huge problem is that escaping depends on the character encoding -- which again many people struggle with. If you mess up the character encoding (with SET NAMES, for example), the escaping functions may no longer detect "dangerous" characters and simply have no effect.

    So obviously escaping doesn't work too well in reality. Every SQL injection is yet another proof of that. That's why it's a good idea to switch to a more foolproof approach -- prepared statements.

    Why do pilots go through the same checklist again and again? Why do guns have locks? It's because humans make mistakes, and an important part of security is to prevent those mistakes.
#9  Ihatephp (Contributing User, Devshed Newbie (0 - 499 posts); Join Date: Oct 2012; Posts: 60; Rep Power: 2)
    Okay, thank you. No, that text editor doesn't tell me the error the way Dev Shed's [code] does. I will check out the IDEs.
    I use Firefox now, and which developer tool inspects HTTP requests and so on, please?

    Thank you for recommending the book. I will check that out.
    I will have to study escaping and prepared statements so I will be able to understand the difference.
#10  Jacques1 (Devshed Expert (3500 - 3999 posts); Join Date: Jul 2012; Posts: 3,938; Rep Power: 1045)
    Please don't fullquote every reply. It's right above your post, so no need to repeat it.



    Originally Posted by Ihatephp
    I use Firefox now, and which developer tool inspects HTTP requests and so on, please?
    Firebug

    The other browsers have similar tools already built in.



    Originally Posted by Ihatephp
    I will have to study escaping and prepared statements so I will be able to understand the difference.
    Great. Roughly speaking, a prepared statement is a query template with placeholders for values. It's sent to the database and gets parsed. Then you send the values separately and execute the whole thing.

    As you can see, this is very different from the "traditional" approach, which consists of constructing an actual query and directly inserting the values into the query string. The old approach obviously comes with the risk of the values "leaking" into the SQL part, allowing attackers to manipulate the query. Escaping tries to prevent that by masking certain characters.
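The two approaches Jacques1 contrasts here, and the point raised earlier in the thread that the unquoted `Category = $selection` can be abused without typing a single quote character, as an added example that is not from the thread. It uses PDO with an in-memory SQLite database so it runs without a MySQL server (the thread's code is mysqli; `pdo_sqlite` must be enabled); the `Products` table layout and its three rows are constructed for the demo, and the two function names are mine, not the first post's.

```php
<?php
// Added example, not code from the thread. It reproduces the first post's query
// against PDO with an in-memory SQLite database so it runs without a MySQL server
// (the thread uses mysqli; pdo_sqlite must be enabled). The Products table layout
// (pid, Name, Category, Price, URL) and its rows are constructed for the demo.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE Products (pid INTEGER PRIMARY KEY, Name TEXT, Category TEXT, Price REAL, URL TEXT)');
    $ins = $db->prepare('INSERT INTO Products (Name, Category, Price, URL) VALUES (?, ?, ?, ?)');
    foreach ([
        ['Widget',    'category1',  9.99, 'widget.jpg'],
        ['Gadget',    'category1', 19.99, ''],
        ['Doohickey', 'category2',  4.50, 'doohickey.jpg'],
    ] as $row) {
        $ins->execute($row);
    }
    return $db;
}

// The first post's approach: the submitted value becomes part of the SQL text.
function listByCategoryUnsafe(PDO $db, string $selection): array
{
    $sql = "SELECT * FROM Products WHERE Category = $selection";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The fix from the thread: a placeholder in the template, the value bound separately,
// so whatever it contains is compared as data and never parsed as SQL.
function listByCategorySafe(PDO $db, string $selection): array
{
    $stmt = $db->prepare('SELECT * FROM Products WHERE Category = ?');
    $stmt->execute([$selection]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDb();

// 1. The honest form value, unquoted: the parser reads category1 as a column name.
try {
    listByCategoryUnsafe($db, 'category1');
    echo "unsafe, honest input: unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo 'unsafe, honest input: SQL error: ' . $e->getMessage() . "\n";
}

// 2. A forged POST body. The <select> is irrelevant: any HTTP client can send any
//    value, and because the value is unquoted no quote character is even needed.
$payload = '0 OR 1=1';
$rows = listByCategoryUnsafe($db, $payload);
echo 'unsafe, forged input:  ' . count($rows) . " rows (every category leaked)\n";

// 3. The same forged value through the prepared statement is compared as the literal
//    string "0 OR 1=1", which is nobody's category.
$rows = listByCategorySafe($db, $payload);
echo 'safe, forged input:    ' . count($rows) . " rows\n";

// 4. The honest value through the prepared statement returns only the category1 rows.
$rows = listByCategorySafe($db, 'category1');
echo 'safe, honest input:    ' . count($rows) . " rows\n";
```

Run it with `php demo.php`. Step 1 fails because an unquoted `category1` is an identifier, not a string; on MySQL the message is `Unknown column 'category1' in 'where clause'`, which is the syntax complaint E-Oreo made. Step 2 returns every row although the form only offers two categories, because the value arrives in the request body, not from the `<select>`. Wrapping the value in quotes (`Category = '$selection'`) would only change the payload an attacker needs (`x' OR '1'='1`); binding it as a parameter, as in steps 3 and 4, is what closes the hole.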
