Home/ Questions/Q 9009411
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-16T02:11:19+00:00

I have spent an hour or so attempting to figure out this one error..

  • 0

I have spent an hour or so attempting to figure out this one error.. It looks right to me, but I am by far no expert. So I thought I would ask the experts! I keep getting this error:

Parse error: syntax error, unexpected ” (T_ENCAPSED_AND_WHITESPACE), expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in … on line 29

from this line of code:

eval("$var_value = $_REQUEST['{$value}']");

Here is the code around it..

function save_edits($var_name, $var_value)
{
    eval("{$var_name} = sql_safe({$var_value});");
    eval("mysql_query(\"UPDATE settings set {$var_name}='{$var_value}' where variable='{$var_name}'\") or die(mysql_error());");
}     
foreach ($_REQUEST as $key => $value)
{
    eval("$var_value = $_REQUEST['{$value}']");
    save_edits($value, $var_value);
}
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    missing a ] is appears:

    eval("$var_value = $_REQUEST['{$key}\'");
                                     ^^

    Also missing a ):

    eval("{$var_name} = sql_safe({$var_value};");
                                        ^^

    However, you should avoid eval at much cost, especially with $_REQUESTs (implying user input). As it stands, this query would be harmful to your site:

    http://your-site.com/?foo='];exec('rm%20*.*');

    So how about a refactor:

    function save_edits($var_name, $var_value)
{
    $clean_name = mysql_real_escape_string($var_name);
    $clean_value = mysql_real_escape_string($var_value);
    $sql = "UPDATE settings "
        .= "SET    value = '{$clean_value}' "
        .= "WHERE  variable = '{$clean_name}'";
    mysql_query($sql) or die(mysql_error());
}     
foreach ($_REQUEST as $key => $value)
{
    save_edits($key, $value);
}

    However you should really look in to using:

    CREATE TABLE settings
(
  id INT NOT NULL AUTO_INCREMENT PRIMARY KEY,
  name VARCHAR(50) NOT NULL,
  value VARCHAR(255)
);

    Then you can sanitize both the name and the value field. You also probably want to look in to using PDO to prevent exploits better.

    • 0