
I have a file with the following php code:

<?php
session_start();
include_once("config.php");
include_once("functions.php");
include_once("class/db.class.php");
$config = new config($db_host, $db_user, $db_pass, $db_name);
$db = new db($config);
$db->openConnection();

switch ($_POST['mode']) {
    case 'update':
        if(mysql_query("UPDATE table_name SET id_negozio = '".$_POST['negid']."', nome='".mysql_real_escape_string(strtolower($_POST['nome']))."', cognome='".mysql_real_escape_string(strtolower($_POST['cognome']))."', indirizzo='".mysql_real_escape_string($_POST['indirizzo'])."', CAP='".$_POST['cap']."', city='".mysql_real_escape_string($_POST['city'])."', tel='".$_POST['tel']."', email='".strtolower($_POST['email'])."', provincia='".strtoupper($_POST['provincia'])."', data_nascita = '".$_POST['datanascita']."', luogo_nascita='".mysql_real_escape_string($_POST['luogonascita'])."', doc_number='".strtoupper($_POST['docnum'])."', doc_type='".$_POST['doctype']."', doc_data='".$_POST['docdata']."', cf='".strtoupper($_POST['cf'])."', doc_exp='".$_POST['doc_exp']."', doc_rilascio='".$_POST['doc_rilascio']."' WHERE id = ".$_POST['id']." ")){
            echo "ok";
        }
    break;

    case 'salvataggio_finale':
        if(mysql_query("UPDATE table_name SET salvato = 1 WHERE id = ".$_POST['id']." ")){
            logit("Creato nuovo cliente.", $_POST['idneg']);
            echo "ok";
        }
    break;

    case 'del':
        if(mysql_query("DELETE FROM table_name WHERE id = ".$_POST['id']." ")){
            logit("Eliminato cliente con id ".$_POST['id']."", $_POST['idneg']);
            echo "deleted";
        }
    break;
}
unset($db);
?>

On my server I have the error_log that shows 38 entries giving this error:

[..] PHP Parse error:  syntax error, unexpected '{' in /home/.../filename.php on line 12

Line 12 is the if statement after case 'update'. I don't see why I should not put the bracket there, or what the real error is.

  • Well, your database is gonna be pwned :D Escape the input. Commented Jul 2, 2013 at 23:29
  • Just tell me why some of your $_POST values are escaped and some are not? Commented Jul 2, 2013 at 23:32
  • What is the code of your include files? Your code seems to be correct. Commented Jul 2, 2013 at 23:33
  • @Jari because in Italy we have people named like D'Agostino Antonio and I have to do that so they can put the ' where they want Commented Jul 2, 2013 at 23:34
  • I can say one thing then: GG Commented Jul 2, 2013 at 23:36

1 Answer

Did you check if class/db.class.php has an unclosed quotemark (")?

Also be aware of possible sql injections when concatenating a POST variable into the query.


3 Comments

  • Ok, what shall I do then in order not to get injections?
  • I checked and can't see any error. I also opened it in NetBeans so that it catches errors, but... nothing.
  • mysql_real_escape_string() on all $_POST[...] variables should be enough... Yes, it's probably not a quotemark problem, since then it should complain about an invalid UPDATE keyword... but still it must be something in the includes, maybe you can post them here too
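The answer and its comments recommend escaping every $_POST value before it is concatenated into the query. A prepared statement removes the concatenation altogether, which also handles the apostrophe case (D'Agostino) raised in the comments without any escaping. The following is an added example, not code from the question or the answer: it rewrites the 'update' and 'del' branches with PDO bound parameters. It assumes the pdo_sqlite extension and uses an in-memory SQLite database so it runs offline; against MySQL only the DSN and credentials would change. Only a few of the question's columns are kept, and the sample rows and inputs are constructed.

```php
<?php
// Added example: the question's UPDATE/DELETE rewritten with prepared statements.
// Assumes PDO with the sqlite driver; table and column names follow the question,
// the rows and the $post arrays below are constructed sample data.

function openDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE table_name (
        id INTEGER PRIMARY KEY, id_negozio INTEGER,
        nome TEXT, cognome TEXT, salvato INTEGER DEFAULT 0)");
    $pdo->exec("INSERT INTO table_name (id, id_negozio, nome, cognome)
                VALUES (1, 7, 'mario', 'rossi'), (2, 7, 'anna', 'bianchi')");
    return $pdo;
}

// case 'update': every value is bound as a parameter, so an apostrophe in a
// surname is data, not SQL syntax, and no mysql_real_escape_string() is needed.
function updateCustomer(PDO $pdo, array $post): int {
    $stmt = $pdo->prepare(
        "UPDATE table_name SET id_negozio = :negid, nome = :nome, cognome = :cognome
         WHERE id = :id");
    $stmt->bindValue(':negid', (int) $post['negid'], PDO::PARAM_INT);
    $stmt->bindValue(':nome', strtolower($post['nome']), PDO::PARAM_STR);
    $stmt->bindValue(':cognome', strtolower($post['cognome']), PDO::PARAM_STR);
    $stmt->bindValue(':id', (int) $post['id'], PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// case 'del': the id was concatenated unescaped in the original; here it is cast
// to int and bound, so only the one intended row can ever match.
function deleteCustomer(PDO $pdo, array $post): int {
    $stmt = $pdo->prepare("DELETE FROM table_name WHERE id = :id");
    $stmt->bindValue(':id', (int) $post['id'], PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

$pdo = openDb();

// Constructed input: the Italian surname case from the comments.
$n = updateCustomer($pdo, [
    'mode' => 'update', 'id' => 1, 'negid' => 7,
    'nome' => 'Antonio', 'cognome' => "D'Agostino",
]);
echo "updated rows: $n\n";

// Constructed malformed id: the integer cast reduces it to 1, so one row is
// affected; with string concatenation the same value would have been parsed as SQL.
$n = deleteCustomer($pdo, ['mode' => 'del', 'id' => '1 OR 1=1']);
echo "deleted rows: $n\n";

print_r($pdo->query("SELECT id, cognome FROM table_name")->fetchAll(PDO::FETCH_ASSOC));
```

The same pattern applies to the 'salvataggio_finale' branch and to the logit() calls, which should receive the cast integer rather than the raw $_POST value. If the project must stay on the mysql_* extension, the comment's advice (escape every string value and cast every numeric one) is the fallback, but mysqli or PDO prepared statements are the supported route.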
