RE: [PHP] Error(Newbie)
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: 22 June 2002 15:19
>
> when I try and view stat.php I get this error:
>
> Parse error: parse error, expecting `T_STRING' or
> `T_VARIABLE' or `T_NUM_STRING' in C:\TecEco(Converting To
> PHP)\includes\stat.php on line 7
>
> What does the error mean and how can I correct my code?

> setcookie ("tececo_stats", 1);

The 2nd argument to setcookie needs to be a string. Make it so.

Cheers!

Mike

-
Mike Ford, Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS, LS6 3QS, United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

RE: [PHP] Error(Newbie)
> The only data returned by a browser in a "Cookie" header is the
> name/value pairs. So, your example would not pose a threat of any sort.
> The "Referer" and "User-Agent" are separate headers, but like all data
> from the client, they should also not be trusted.
>
> If you have magic quotes enabled, you're probably safe. It is actually
> best not to just addslashes() again "to be sure" for any data. Rather,
> echo the value of your data to the screen during development, and test
> to be sure that your single quotes are escaped like you think they
> should be.

Exactly... the name would be "tececo_stats" and the value would be
"bad_data','bad_time','bad_host','bad_referrer','bad_agent')#"

If slashes are not getting added to that data, either by magic quotes or by addslashes(), then he's open to getting bad data inserted into his table...

If magic_quotes_gpc is ON, then you're fine...

---John Holmes...

> Chris
>
> 1LT John W. Holmes wrote:
>
> >Yeah, magic_quotes will be enough, but it only handles GET, POST, and COOKIE
> >data. I'm not sure what SERVER variables can be trusted, so it wouldn't hurt
> >to addslash them...
> >
> >There isn't much of a risk to your query, but someone could still mess
> >things up. If they formatted a cookie like
> >
> >$_COOKIE['tececo_stats'] =
> >"bad_data','bad_time','bad_host','bad_referrer','bad_agent')#";
> >
> >it would allow them to insert bad data into your table...

Re: [PHP] Error(Newbie)
The only data returned by a browser in a "Cookie" header is the name/value pairs. So, your example would not pose a threat of any sort. The "Referer" and "User-Agent" are separate headers, but like all data from the client, they should also not be trusted.

If you have magic quotes enabled, you're probably safe. It is actually best not to just addslashes() again "to be sure" for any data. Rather, echo the value of your data to the screen during development, and test to be sure that your single quotes are escaped like you think they should be.

Chris

1LT John W. Holmes wrote:

>Yeah, magic_quotes will be enough, but it only handles GET, POST, and COOKIE
>data. I'm not sure what SERVER variables can be trusted, so it wouldn't hurt
>to addslash them...
>
>There isn't much of a risk to your query, but someone could still mess
>things up. If they formatted a cookie like
>
>$_COOKIE['tececo_stats'] =
>"bad_data','bad_time','bad_host','bad_referrer','bad_agent')#";
>
>it would allow them to insert bad data into your table...

Re: [PHP] Error(Newbie)
Yeah, magic_quotes will be enough, but it only handles GET, POST, and COOKIE data. I'm not sure what SERVER variables can be trusted, so it wouldn't hurt to addslash them...

There isn't much of a risk to your query, but someone could still mess things up. If they formatted a cookie like

$_COOKIE['tececo_stats'] = "bad_data','bad_time','bad_host','bad_referrer','bad_agent')#";

it would allow them to insert bad data into your table...

---John Holmes...

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, June 23, 2002 2:50 AM
Subject: Re: [PHP] Error(Newbie)

> I got that auto add slashes thing on. Is it enough?
>
> If not, how should I go about adding them?
>
> Like this?
>
> $_SERVER['REMOTE_HOST'] = addslashes($_SERVER['REMOTE_HOST']);
>
> What sort of effects could an attack have?
>
> I am integrating stats into a site. What other vars could I gather info
> from?
>
> Thanks,
>
> JJ Harrison
> [EMAIL PROTECTED]
> www.tececo.com
>
> BTW I have fixed the error now.
>
> ----- Original Message -----
> From: "1LT John W. Holmes" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Sunday, June 23, 2002 2:11 PM
> Subject: Re: [PHP] Error(Newbie)
>
> >$query = "INSERT INTO `stats` (`vid`, `id`, `vn`, `time`, `host`,
> `referrer`, `browser`) VALUES ('', '$id', '$_COOKIE
> >['tececo_stats']', '$time', '$_SERVER['REMOTE_HOST']',
> '$_SERVER['HTTP_REFERER']', '$_SERVER
> >['HTTP_USER_AGENT']'); ";
>
> I hope you are using addslashes on your $_COOKIE and $_SERVER vars, too,
> otherwise your query is wide open to some attacks...
>
> ---John Holmes...

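Added example, not part of the thread: the cookie value quoted above, run through an interpolated INSERT of the same shape as stat.php's and through a prepared statement. It assumes PDO with an in-memory SQLite database standing in for the poster's MySQL table; the function names and the sample id, time and header values are constructed for illustration.

```php
<?php
// Added illustration, not code from the thread. SQLite in memory (PDO)
// stands in for the poster's MySQL table; function names are hypothetical.

// Constructed request data; the cookie value is the one quoted in the thread.
$cookie = "bad_data','bad_time','bad_host','bad_referrer','bad_agent')#";
$server = [
    'REMOTE_HOST'     => 'client.example',
    'HTTP_REFERER'    => 'http://www.example/',
    'HTTP_USER_AGENT' => "O'Brien-Browser/1.0", // header containing a quote
];
$id = 7;             // constructed page id
$time = 1024800000;  // constructed timestamp

// Form 1: values are pasted into the SQL text, as in stat.php
// (written with the {$array['key']} syntax so that it parses).
function build_interpolated(int $id, string $vn, int $time, array $s): string
{
    return "INSERT INTO stats (vid, id, vn, time, host, referrer, browser) "
         . "VALUES ('', '$id', '$vn', '$time', '{$s['REMOTE_HOST']}', "
         . "'{$s['HTTP_REFERER']}', '{$s['HTTP_USER_AGENT']}')";
}

// Form 2: the SQL text is fixed; values are bound as parameters.
// vid is left out so the database assigns it.
function insert_prepared(PDO $db, int $id, string $vn, int $time, array $s): void
{
    $stmt = $db->prepare(
        'INSERT INTO stats (id, vn, time, host, referrer, browser) '
      . 'VALUES (?, ?, ?, ?, ?, ?)'
    );
    $stmt->execute([$id, $vn, $time, $s['REMOTE_HOST'],
                    $s['HTTP_REFERER'], $s['HTTP_USER_AGENT']]);
}

// The cookie's quotes close the vn literal; MySQL treats '#' as a comment
// start, so the real time/host/referrer/browser values are never parsed.
$sql = build_interpolated($id, $cookie, $time, $server);
echo "interpolated: $sql\n";
echo "MySQL would parse: ", substr($sql, 0, strpos($sql, '#')), "\n";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE stats (vid INTEGER PRIMARY KEY, id INTEGER, vn TEXT,
           time INTEGER, host TEXT, referrer TEXT, browser TEXT)');
insert_prepared($db, $id, $cookie, $time, $server);
$row = $db->query('SELECT vn, host, browser FROM stats')->fetch(PDO::FETCH_ASSOC);

// With binding, the cookie is stored as one opaque string in vn only.
var_dump($row['vn'] === $cookie, $row['host'] === 'client.example',
         $row['browser'] === $server['HTTP_USER_AGENT']);
```

The User-Agent value with an apostrophe shows the same point from the non-hostile side: bound parameters store it unchanged, with no addslashes() or magic quotes involved.
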
Re: [PHP] Error(Newbie)
I got that auto add slashes thing on. Is it enough?

If not, how should I go about adding them?

Like this?

$_SERVER['REMOTE_HOST'] = addslashes($_SERVER['REMOTE_HOST']);

What sort of effects could an attack have?

I am integrating stats into a site. What other vars could I gather info from?

Thanks,

JJ Harrison
[EMAIL PROTECTED]
www.tececo.com

BTW I have fixed the error now.

----- Original Message -----
From: "1LT John W. Holmes" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Sunday, June 23, 2002 2:11 PM
Subject: Re: [PHP] Error(Newbie)

>$query = "INSERT INTO `stats` (`vid`, `id`, `vn`, `time`, `host`, `referrer`, `browser`) VALUES ('', '$id', '$_COOKIE
>['tececo_stats']', '$time', '$_SERVER['REMOTE_HOST']', '$_SERVER['HTTP_REFERER']', '$_SERVER
>['HTTP_USER_AGENT']'); ";

I hope you are using addslashes on your $_COOKIE and $_SERVER vars, too, otherwise your query is wide open to some attacks...

---John Holmes...

Re: [PHP] Error(Newbie)
Do NOT do it that way! That may work now, but it may not in the future! The correct way is to append. Like ".$_COOKIE['tececo_stats']." (include the quotes). Do it the same way for the others.

1LT John W. Holmes wrote

>Try using $_COOKIE[tececo_stats] instead...without the single quotes (for the other
>vars, too).

Re: [PHP] Error(Newbie)
>$query = "INSERT INTO `stats` (`vid`, `id`, `vn`, `time`, `host`, `referrer`,
>`browser`) VALUES ('', '$id', '$_COOKIE
>['tececo_stats']', '$time', '$_SERVER['REMOTE_HOST']', '$_SERVER['HTTP_REFERER']',
>'$_SERVER
>['HTTP_USER_AGENT']'); ";

I hope you are using addslashes on your $_COOKIE and $_SERVER vars, too, otherwise your query is wide open to some attacks...

---John Holmes...

Re: [PHP] Error(Newbie)
>$query = "INSERT INTO `stats` (`vid`, `id`, `vn`, `time`, `host`, `referrer`,
>`browser`) VALUES ('', '$id', '$_COOKIE
>['tececo_stats']', '$time', '$_SERVER['REMOTE_HOST']', '$_SERVER['HTTP_REFERER']',
>'$_SERVER
>['HTTP_USER_AGENT']'); ";

Try using $_COOKIE[tececo_stats] instead...without the single quotes (for the other vars, too).

You don't need all of those backticks in your query, either...

---John Holmes...

----- Original Message -----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, June 22, 2002 10:19 AM
Subject: [PHP] Error(Newbie)

Both the below are in the same dir. The meta.array_create.php file works fine elsewhere

when I try and view stat.php I get this error:

Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or `T_NUM_STRING' in C:\TecEco(Converting To PHP)\includes\stat.php on line 7

What does the error mean and how can I correct my code?

File meta.array_create.php ---

file stat.php -

[PHP] Error(Newbie)
Both the below are in the same dir. The meta.array_create.php file works fine elsewhere

when I try and view stat.php I get this error:

Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or `T_NUM_STRING' in C:\TecEco(Converting To PHP)\includes\stat.php on line 7

What does the error mean and how can I correct my code?

File meta.array_create.php ---

$fn = explode("/", $_SERVER['PHP_SELF']);
$num_of_s = count($fn) - 1;
$fn = "$fn[$num_of_s]";
$query = "SELECT * FROM meta_data WHERE page_name = '$fn'";
$result = mysql_query($query);
$num_results = mysql_num_rows($result);
$row = mysql_fetch_array($result);
$id = $row['id'];
$pid = $row['pid'];
$title = $row['title'];
$description = $row['description'];
$keywords = $row['keywords'];
?>

file stat.php -

include "meta.array_create.php";
if(!isset($_COOKIE['tececo_stats'])){
setcookie ("tececo_stats", 1);
}
$query = "INSERT INTO `stats` (`vid`, `id`, `vn`, `time`, `host`, `referrer`, `browser`) VALUES ('', '$id', '$_COOKIE['tececo_stats']', '$time', '$_SERVER['REMOTE_HOST']', '$_SERVER['HTTP_REFERER']', '$_SERVER['HTTP_USER_AGENT']'); ";
$insert = mysql_query($query);
?>