#1
  1. No Profile Picture
    competitions at lottos.com.au
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2003
    Posts
    252
    Rep Power
    12

    Parse error in array assignment


    I'm getting a 'Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING' error on this line when assigning in an array - any clues please:


    'W' => "<a href=\"somesite.com/directory/typesw.php?action=webtype\">$lang['texttypew']</a>",
    Best website for competitions online to win anything and everything.
  2. #2
  3. Did you steal it?
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    14,068
    Rep Power
    9398
    PHP Code:
    "<a href=\"somesite.com/directory/typesw.php?action=webtype\">$lang['texttypew']</a>"
    When putting array values into a string you have three options:
    PHP Code:
    "<a href=\"somesite.com/directory/typesw.php?action=webtype\">$lang[texttypew]</a>"
    "<a href=\"somesite.com/directory/typesw.php?action=webtype\">{$lang['texttypew']}</a>" // or $lang["texttypew"]
    "<a href=\"somesite.com/directory/typesw.php?action=webtype\">${lang['texttypew']}</a>" // or lang["texttypew"]
    Can't mix-and-match.

    Comments on this post

    • Jacques1 disagrees : No escaping. :-(
    Last edited by requinix; February 25th, 2013 at 06:14 PM.
  4. #3
  5. No Profile Picture
    competitions at lottos.com.au
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2003
    Posts
    252
    Rep Power
    12
    Originally Posted by requinix
    PHP Code:
    "<a href=\"somesite.com/directory/typesw.php?action=webtype\">$lang['texttypew']</a>"
    When putting array values into a string you have three options:
    PHP Code:
    "<a href=\"somesite.com/directory/typesw.php?action=webtype\">$lang[texttypew]</a>"
    "<a href=\"somesite.com/directory/typesw.php?action=webtype\">{$lang['texttypew']}</a>" // or $lang["texttypew"]
    "<a href=\"somesite.com/directory/typesw.php?action=webtype\">${lang['texttypew']}</a>" // or lang["texttypew"]
    Can't mix-and-match.

    Thank you requinix!
  6. #4
  7. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Hi,

    unfortunately, all three options are wrong. You need to escape stuff before you can use it safely:

    PHP Code:
    <?php

    function html_escape($raw_input) {
        // set the correct encoding!
        return htmlspecialchars($raw_input, ENT_QUOTES | ENT_HTML401, 'UTF-8');
    }

    echo '<a href="somesite.com/directory/typesw.php?action=webtype">' . html_escape($lang['texttypew']) . '</a>';

    Comments on this post

    • requinix disagrees : sometimes yes, sometimes no
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  8. #5
  9. Did you steal it?
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    14,068
    Rep Power
    9398
    You don't always need to.

    Also, you completely missed the point of the question.
    Last edited by requinix; February 26th, 2013 at 11:01 AM.
  10. #6
  11. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Originally Posted by requinix
    You don't always need to.
    Trust me, that doesn't work. When you start to distinguish between "safe" values and "unsafe" values, that's the first thing you'll get wrong -- either from the beginning or during refactoring. I've seen it, and I've done it myself.

    And how do you know that $lang['texttypew'] is safe? We know nothing about the source.

    Given the many, many security holes we see daily, I think the best approach is to always escape everything. Whether or not it's actually necessary in a particular case just doesn't matter in my opinion. I mean, why should it? To save a few characters or nanoseconds?



    Originally Posted by requinix
    Also, you completely missed the point of the question.
    Yeah? How does knowing the exact syntax for double quoted strings help him when the whole approach is wrong?

    When somebody is about to shoot himself in the foot, you don't need to explain how to properly pull the trigger.
  12. #7
  13. Did you steal it?
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    14,068
    Rep Power
    9398

    /me feeds the troll


    Originally Posted by Jacques1
    Trust me, that doesn't work. When you start to distinguish between "safe" values and "unsafe" values, that's the first thing you'll get wrong -- either from the beginning or during refactoring.
    Works fine for me. Probably because I know exactly where my data is coming from. If you don't know where your data is coming from then (a) that's a problem and (b) it makes sense that you'd want to escape everything. I guess you just keep your fingers crossed that you don't escape something twice.

    Originally Posted by Jacques1
    And how do you know that $lang['texttypew'] is safe? We know nothing about the source.
    Indeed. Maybe there's already a function s/he should be using that's better than what you provided. Maybe the value is already escaped. Maybe s/he learns the moral is to escape everything, everywhere and now there's tons of ampersands and backslashes everywhere.

    Originally Posted by Jacques1
    Whether or not it's actually necessary in a particular case just doesn't matter in my opinion.
    This particular case is about putting an array value in a string. What you posted did nothing to solve that.

    [edit] Well actually you did present a fourth option relating to putting variables in strings (ie, concatenation), but that's clearly only a secondary and surely accidental consequence of what else you presented. [/edit]

    Originally Posted by Jacques1
    Yeah? How does knowing the exact syntax for double quoted strings help him when the whole approach is wrong?
    You're asking how knowing the syntax of the language helps?

    Originally Posted by Jacques1
    When somebody is about to shoot himself in the foot, you don't need to explain how to properly pull the trigger.
    And you don't need to go around telling everybody they're doing things wrong when, in fact, you don't know that.
    Last edited by requinix; February 26th, 2013 at 04:01 PM.
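
Added example, not posted by anyone in this thread: the disagreement in posts #4 to #7 comes down to escaping a value exactly once, at the point of output. The sketch assumes a hypothetical `SafeHtml` wrapper, a hypothetical `escape_once()` helper and a constructed `$lang` entry, and compares raw interpolation, single escaping, and the double escaping that post #7 raises.

```php
<?php
// Added example; SafeHtml and escape_once() are hypothetical names, not from the thread.

const ESC_FLAGS = ENT_QUOTES | ENT_HTML401;

// Wraps a string that is already HTML-escaped, so it is never escaped again.
final class SafeHtml
{
    private $html;
    public function __construct(string $html) { $this->html = $html; }
    public function __toString(): string { return $this->html; }
}

// Escape plain text once; values already wrapped in SafeHtml pass through untouched.
function escape_once($value): SafeHtml
{
    if ($value instanceof SafeHtml) {
        return $value;
    }
    return new SafeHtml(htmlspecialchars((string) $value, ESC_FLAGS, 'UTF-8'));
}

// Constructed translation entry: plain text that happens to contain HTML metacharacters.
$lang = ['texttypew' => 'Web & "Type" <beta>'];
$open = '<a href="somesite.com/directory/typesw.php?action=webtype">';

// Raw interpolation (the syntax from post #2): the metacharacters reach the page as markup.
$raw = "{$open}{$lang['texttypew']}</a>";

// Escaped at output (post #4), then passed through the helper a second time by mistake.
$label = escape_once($lang['texttypew']);
$once  = $open . $label . '</a>';
$again = $open . escape_once($label) . '</a>';

// The same mistake with bare htmlspecialchars(): the entities get encoded again.
$inner = htmlspecialchars($lang['texttypew'], ESC_FLAGS, 'UTF-8');
$twice = $open . htmlspecialchars($inner, ESC_FLAGS, 'UTF-8') . '</a>';

echo "raw:   $raw\n";
echo "once:  $once\n";
echo "again: $again\n";
echo "twice: $twice\n";
var_dump($once === $again); // the wrapper makes a second pass a no-op
```

Carrying the "already escaped" state in the type, rather than in the developer's memory of where a value came from, is what lets every output site call the helper unconditionally.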
  14. #8
  15. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Sometimes your intentions are a mystery, requinix.

    But enough of that. I think the problem has been solved either way.
