PHP Server Side Scripting Forum

    
Hehe, need some more help!
Sorry about all these threads
L33t_J0rdan, msg:4156988, 5:44 pm on Jun 22, 2010 (gmt 0)

I'm getting the error:
Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in C:\xampp\xampplite\htdocs\staffPanel\backEnd\functions.php on line 64

With the code:


<?php

$function = new functions();

class functions {

    var $secured;
    var $unsecured;
    var $randomUnsecured;
    var $randomSecured;
    var $staffPanelOn = 'On';
    var $username;
    var $password;
    var $changePassTo;

    function secure($unsecured) {
        $secured = addslashes(strip_tags(hash('sha512', hash('sha384', $unsecured))));
        return $secured;
    }

    function randomUnsecured() {
        for ($i = 0; $i < 11; $i++) {
            $d = rand(1, 30) % 2;
            // append each character; a plain '=' kept only the last one
            $this->randomUnsecured .= $d ? chr(rand(65, 90)) : chr(rand(48, 57));
        }
    }

    function randomSecured() {
        for ($i = 0; $i < 11; $i++) {
            $d = rand(1, 30) % 2;
            // append each hashed character; a plain '=' kept only the last one
            $this->randomSecured .= addslashes(strip_tags(hash('sha512', hash('sha384', ($d ? chr(rand(65, 90)) : chr(rand(48, 57)))))));
        }
    }

    function staffPanelOn() {
        if ($this->staffPanelOn == "On") {
            return $this->staffPanelOn;
        } else if ($this->staffPanelOn == "Off") {
            return $this->staffPanelOn;
        } else {
            $this->staffPanelOn = "On";
            return $this->staffPanelOn;
        }
    }

    function switchStaffPanel() {
        if ($this->staffPanelOn == "On") {
            $this->staffPanelOn = "Off";
            echo 'Successfully Turned Off!';
        } else if ($this->staffPanelOn == "Off") {
            $this->staffPanelOn = "On";
            echo 'Successfully Turned On!';
        }
    }

    function logon($username, $password) {
        $username = addslashes(strip_tags($username)); //AntiHack
        $password = addslashes(strip_tags(hash('sha512', hash('sha384', $password)))); //AntiHack
        // Password strip tags un-needed but maybe they try to disable encryption?
    }

    function changePass($changePassTo) {
        if (isset($_COOKIE['panel_username'])) {
            mysql_query("UPDATE `users` SET password='$changePassTo' WHERE username='$_COOKIE['panel_username']'");
        } else {
            if (isset($_SESSION['session_username'])) {
                mysql_query("UPDATE `users` SET password='$changePassTo' WHERE username='$_SESSION['session_username']'");
            }
        }

    }
?>


I think the error is somewhere around here:


function changePass($changePassTo) {
    if (isset($_COOKIE['panel_username'])) {
        mysql_query("UPDATE `users` SET password='$changePassTo' WHERE username='$_COOKIE['panel_username']'");
    } else {
        if (isset($_SESSION['session_username'])) {
            mysql_query("UPDATE `users` SET password='$changePassTo' WHERE username='$_SESSION['session_username']'");
        }
    }


I've tried:
$_COOKIE[\'panel_username\']

and

$_COOKIE[\"panel_username\"]

to no avail, can someone help please?

 

Readie, msg:4156992, 5:56 pm on Jun 22, 2010 (gmt 0)

mysql_query("UPDATE `users` SET password='$changePassTo' WHERE username='$_COOKIE['panel_username']'");

You have another one similar to this, so apply this there too.

Concatenation is the way to go methinks:

mysql_query("UPDATE `users` SET password='$changePassTo' WHERE username='" . $_COOKIE['panel_username'] . "'");

By the way, I strongly recommend looking into this function when passing user-inputted variables (This includes cookies) to a SQL string:

[uk2.php.net...]

L33t_J0rdan, msg:4157003, 6:04 pm on Jun 22, 2010 (gmt 0)

There is no need to strip anything I don't think as I've SHA512 and SHA384 it in the login file:


session_start();
include('backend/dbconfig.php');
if ($_GET['main'] == "login") {
    $function->login($_POST['username'], $_POST['password']);
    $usernamePosted = $function->username;
    $passwordPosted = $function->password;
    if ($usernamePosted == "" or $_POST['password'] == "") { echo "<b>Error: You Did Not Enter A Password</b>"; exit; }
    list($realUsername) = mysql_fetch_array(mysql_query("SELECT `username` FROM `staff` WHERE username='$usernamePosted'"));
    list($realPassword) = mysql_fetch_array(mysql_query("SELECT `password` FROM `staff` WHERE password='$passwordPosted'"));
    if ($user1_post == "$user" and $pass1_post == "$pass") {
        $sql = mysql_query("SELECT * FROM `staff` WHERE username='$username' AND password='$password'");
        if (mysql_num_rows($sql) != 1) { echo 'Error in your userfile, please contact server admin to fix this, give error code: 1'; exit; }
        $result = mysql_fetch_array($sql);
        if ($_POST['session']) {
            $_SESSION['session_username'] = $result['username'];
            $_SESSION['session_level'] = $result['level'];
            $_SESSION['session_ip'] = $_SERVER['REMOTE_ADDR'];
            echo "Logged in using sessions, please wait 5 seconds 'til you redirect...<meta http-equiv=\"refresh\" content=\"5;url=main.php\">";
            exit;
        } else if ($_POST['cookie']) {
            setcookie('panel_username', $result['username'], time() + (86400 * 7));
            setcookie('panel_level', $result['level'], time() + (86400 * 7));
            setcookie('panel_ip', $_SERVER['REMOTE_ADDR'], time() + (86400 * 7));
            echo "Logged in using cookies, please wait 5 seconds 'til you redirect...<meta http-equiv=\"refresh\" content=\"5;url=main.php\">";
            exit;
        }
    } else { echo 'Username or password invalid'; }
} else {


But I've now got a new error:


Parse error: syntax error, unexpected ';', expecting T_FUNCTION in C:\xampp\xampplite\htdocs\staffPanel\backEnd\functions.php on line 72


But line 72 is the end of the file (?>)

Matthew1980, msg:4157072, 7:31 pm on Jun 22, 2010 (gmt 0)

Hi there L33t_J0rdan,

That sounds like a matching '{' or '}' is missing, check that the parentheses have their counterparts, and like Readie, I agree that the concatenations are correct, but I think, at least from a debug point of view, you need to have the queries attached to a var, so that if needs be you can echo that var, then kill the script to see if the sql queries are populated as they are meant to. Just an offer of advice there ;)

Readie: Not picking fault here but if you concat one, do the other too - makes for easier reading later:-

$sqlQuery = "UPDATE `users` SET `password` = '".$changePassTo."' WHERE `username` = '".$_COOKIE['panel_username']."' ";
mysql_query($sqlQuery) or die(mysql_error());//remove the error handler when going live


The idea there is just to help you be able to debug ;)

Also this line could be made easier to read too:-

if(($user1_post == "$user") and ($pass1_post == "$pass"))


And to protect the DB, you should use mysql_real_escape_string() around anything that has come from a form - again, just advising :)

Don't worry about posting, that's what this place is for, then if someone else has problems, it is here to help others too :)

Cheers,
MRb
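One way to apply the points raised in this reply and in Readie's (brace or concatenate the array lookup that caused the parse error, escape cookie and form values, keep the SQL in a variable for debugging), added here as an example and not code from the thread. It assumes the PHP 5 mysql extension the thread uses with an open connection; the last function uses a PDO connection named $pdo, a prepared-statement technique the thread itself does not mention.

```php
<?php
// Added example, not code from the thread. Assumes an open mysql_connect()
// link (PHP 5 mysql extension, as in the thread) and, for changePassPdo(),
// a PDO connection. Table and column names are the thread's `users` table.

function currentPanelUser() {
    // Same cookie-then-session lookup as the thread, kept in one place.
    if (isset($_COOKIE['panel_username'])) {
        return $_COOKIE['panel_username'];
    }
    if (isset($_SESSION['session_username'])) {
        return $_SESSION['session_username'];
    }
    return null;
}

function changePass($changePassTo) {
    $username = currentPanelUser();
    if ($username === null) {
        return false;                       // nobody is logged in, nothing to update
    }
    // The original line failed because a quoted key cannot sit inside a
    // double-quoted string without braces ("...'{$_COOKIE['panel_username']}'"
    // would parse). A cookie is user input just like a form field, so escape
    // both values before they go anywhere near the SQL text.
    $safePass = mysql_real_escape_string($changePassTo);
    $safeUser = mysql_real_escape_string($username);
    $sqlQuery = "UPDATE `users` SET `password` = '{$safePass}' "
              . "WHERE `username` = '{$safeUser}'";
    // Keeping the SQL in a variable lets you echo it while debugging.
    $ok = mysql_query($sqlQuery) or die(mysql_error()); // drop die() when live
    return $ok;
}

// Same update as a PDO prepared statement: the values never become part of
// the SQL string, so no escaping step can be forgotten.
function changePassPdo(PDO $pdo, $changePassTo, $username) {
    $stmt = $pdo->prepare(
        'UPDATE `users` SET `password` = :pass WHERE `username` = :user'
    );
    return $stmt->execute(array(':pass' => $changePassTo, ':user' => $username));
}
```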

Readie, msg:4157116, 8:21 pm on Jun 22, 2010 (gmt 0)

There is no need to strip anything I don't think as I've SHA512 and SHA384 it in the login file:

mysql_real_escape_string() doesn't strip anything - it sanitizes user input to prevent it from interfering with the SQL string (by adding backslashes to certain characters) - you may find you need to run the data you retrieve from the database through stripslashes() when you use it during an INSERT statement.

Furthermore, cookies can be modified by the end user with a little know how, so don't say "I set this cookie as this and only this, so it can't be anything else" - it can.

L33t_J0rdan, msg:4157381, 5:58 am on Jun 23, 2010 (gmt 0)

I've now secured the cookie that little bit more by using:
$sucuringCookie = urlencode( $result['username'] );
setcookie('panel_username', $sucuringCookie, time() + (86400* 7));
setcookie('panel_level', $result['level'], time() + (86400* 7));
setcookie('panel_ip', $_SERVER['REMOTE_ADDR'], time() + (86400* 7));


(level and ip don't matter, because the IP checks against each other every page.)

I'm just deciding against using
addslashes(strip_tags(hash('sha512', hash('sha384',$unsecured))));

on it because I need to read the name on some of the pages.

Matthew1980, msg:4157408, 7:18 am on Jun 23, 2010 (gmt 0)

Hi there l33t_jordan,

Using urlencode in this context will just distort the string if there are ints/numbers used in the user name simply by adding % percent chars, so in essence it won't really 'encrypt' the username for use in the cookie.

From php dot net:-

Returns a string in which all non-alphanumeric characters except -_. have been replaced with a percent (%) sign followed by two hex digits and spaces encoded as plus (+) signs.


My personal preferred way (not necessarily the best but it works ;)) is to generate a random 7-10 digit string, and attach that to the first 3 letters of the username (that's optional, though, whatever floats your boat) Then using that 7-10 digit string in the cookie value & placing a copy of that in the database so that you check the 'unique' cookie data against the db.

Again, just my preferred way - negates the need for encryption, but if I do use raw username or something, I just SHA1 encrypt, but since learning of the hash('sha512', $input); function via readie, I'm seriously considering changing the way I do that to the hash('sha512', $input); purely as it offers varying degrees of encryption ;)

To recap then: Simple way is to store a random generated string and save that as the cookie data, and place a copy of that string in the db, then check the two values as a method of validity, just my opinion..

Cheers,
MRB
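The scheme described above (random string in the cookie, copy in the database, compare the two), added here as an example and not code from the thread. It also answers Readie's earlier point that a cookie can be edited: the cookie is looked up server-side rather than trusted. It assumes PHP 7 or later for random_bytes(), a PDO connection, and a `remember_token` column on the thread's `staff` table; all three are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ (random_bytes),
// a PDO connection and a `staff` table with a `remember_token` column.

function issueRememberCookie(PDO $pdo, $username) {
    $token = bin2hex(random_bytes(16));             // 32 hex chars, unguessable
    // Only the hash is stored: a copied database row yields no valid cookie.
    $stmt = $pdo->prepare(
        'UPDATE `staff` SET `remember_token` = :tok WHERE `username` = :user'
    );
    $stmt->execute(array(':tok' => hash('sha256', $token), ':user' => $username));
    // HttpOnly keeps page scripts from reading it; Secure limits it to HTTPS.
    setcookie('panel_token', $token, time() + 86400 * 7, '/', '', true, true);
    return $token;
}

function userFromRememberCookie(PDO $pdo) {
    // Reject anything that is not exactly the shape we issued before querying.
    if (!isset($_COOKIE['panel_token'])
        || !preg_match('/^[0-9a-f]{32}$/', $_COOKIE['panel_token'])) {
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT `username` FROM `staff` WHERE `remember_token` = :tok'
    );
    $stmt->execute(array(':tok' => hash('sha256', $_COOKIE['panel_token'])));
    $username = $stmt->fetchColumn();
    // The name comes from the database, not the cookie, so pages can display
    // it without the username ever being stored client-side.
    return $username === false ? null : $username;
}

function revokeRememberCookie(PDO $pdo, $username) {
    // Logout: clearing the server-side copy makes the old cookie value dead.
    $stmt = $pdo->prepare(
        'UPDATE `staff` SET `remember_token` = NULL WHERE `username` = :user'
    );
    $stmt->execute(array(':user' => $username));
    setcookie('panel_token', '', time() - 3600, '/', '', true, true);
}
```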

L33t_J0rdan, msg:4157659, 3:31 pm on Jun 23, 2010 (gmt 0)

The thing is I need to read the username on the page, so I don't think the SHAing will help - unless I get my other project to work.

TheMadScientist, msg:4157853, 8:01 pm on Jun 23, 2010 (gmt 0)

If you want to use something 'decodeable' so you don't have to connect to a DB to get the user name, you could base64_encode() it and append a custom string to the beginning, end or both to add a bit of security... It's not 'secure' because it's fairly easy to decode, but you don't have to store the user name in plain text that way, and it will make someone work for a few minutes if they want to decode it and don't know exactly where the encoding starts and stops.
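A tamper-evident alternative to the base64 idea above, added here as an example and not code from the thread: the username stays readable on every page without a database lookup, which is what L33t_J0rdan asked for, but an HMAC over the encoded value means an edited or hand-made cookie is rejected instead of merely taking a few minutes to decode. The key constant and the sample username are placeholders; hash_equals() needs PHP 5.6 or later.

```php
<?php
// Added example, not code from the thread. The key is a placeholder and
// would live outside the web root in real use.
define('PANEL_COOKIE_KEY', 'replace-with-a-long-random-secret');

function signedCookieValue($username) {
    // base64 never contains '.', so it is a safe separator for the MAC.
    $payload = base64_encode($username);
    $mac = hash_hmac('sha256', $payload, PANEL_COOKIE_KEY);
    return $payload . '.' . $mac;
}

function usernameFromSignedCookie($value) {
    $parts = explode('.', $value, 2);
    if (count($parts) !== 2) {
        return null;                                 // malformed cookie
    }
    list($payload, $mac) = $parts;
    $expected = hash_hmac('sha256', $payload, PANEL_COOKIE_KEY);
    if (!hash_equals($expected, $mac)) {             // constant-time compare
        return null;                                 // edited or forged
    }
    $username = base64_decode($payload, true);       // strict decode
    return $username === false ? null : $username;
}

// Constructed check: an untouched value round-trips, a re-encoded name with
// the old MAC attached does not.
$cookie = signedCookieValue('jordan');
$mac = substr($cookie, strpos($cookie, '.') + 1);
var_dump(usernameFromSignedCookie($cookie));                        // string "jordan"
var_dump(usernameFromSignedCookie(base64_encode('admin') . '.' . $mac)); // NULL
```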

SomethingInteresting, msg:4158540, 4:27 pm on Jun 24, 2010 (gmt 0)

One general note:

Add the following line to the top of your .php file:

error_reporting(E_ALL);

Will make PHP display ALL errors..
