[RESOLVED] ELSEIF issue...

ixalmida

I checked the manual page for ELSEIF, and I can't see why the following code is giving me a "parse error, unexpected T_STRING" at the first bracket after the first ELSEIF.

What am I missing here?

extract($_POST);
if(isset($asset_no) && $asset_no != "")
  {
  $field = "asset_no";
  $value = $asset_no;
  }
elseif(isset($assignee) && $assignee != "")
  {
  $field = "assignee";
  $value = $assignee;
  }
elseif(isset($serial_no) && $serial_no != "")
  {
  $field = "serial_no";
  $value = $serial_no;
  }
else
  {
  $_SESSION['errmsg'] = "You must enter some text to search for.";
  header('Location: asset_search.php');
  exit;
  }

I'm on PHP 4.1 here. Perhaps there's something I don't know about the version...?

ixalmida

Umm...never mind. I'm sick and apparently not thinking clearly today!

Hey, but feel free to give me feedback on my code. lol

I left out the reason for the code - a db search function:

$query = "SELECT asset_id, loc_code, asset_no, assignee, ".
  "DATE_FORMAT(deliv_date, '%m-%d-%y') as ddate, description, serial_no ".
  "FROM Assets WHERE $field LIKE ('%$value%')";

scrupul0us

i dont see any data validation so i will post this:

Do not use extract() on untrusted data, like user-input ($GET, $POST...). If you do, for example, if you want to run old code that relies on register_globals temporarily, make sure you use one of the non-overwriting extract_type values such as EXTR_SKIP and be aware that you should extract in the same order that's defined in variables_order within the php.ini.

esp since you are placing $value directly into your query... that's a SQL injection waiting to happen

ixalmida

Very good point. I'm not too concerned on this particular page since only 4 employees can access the page and I can walk over and give any one of them a smack in the noggin, but I do need to watch for that. Thanks for the feedback!

ixalmida

Okay, I need to know this (for my own education)...

Assuming my server automatically escapes POST quotes, and further, I use the following code to strip the slashes and replace quotes, shouldn't it produce a fully database-friendly string?

$before = $_POST['string'];
$after = htmlentities(stripslashes($before), ENT_QUOTES);

Here's the before(server-scrubbed) and after(code-scrubbed) of the output:

<!--  Injection attempt: "=* OR 1"  -->
<!-- Same thing happens with: '=* OR 1'  -->
Before string = \'=* OR 1\'
After string = & #039;=* OR 1& #039;

(Note: I had to add a space after the ampersand because the message composer kept converting it to a single-quote.)

foyer

Check this page

mysql_real_escape_string

ixalmida

I'm going to let this thread die and pick up the discussion later in code review. Thanks.