
system() error ?

PB
Hello all,

Thank you, I'm not very knowledgeable on PHP.

When I go to my page I get:
Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or
`T_NUM_STRING' in /srv/www/htdocs/htdocs-new/metabo_info_cp.php on line
47

Line 47 is:
<?php
system("babel $data['mol'] -oxyz:struct.xyz -h");
?>
babel is a program and the variable is some text I want to give to it;
the rest is the output from the script.

Thank you for any help,

PB

Jan 19 '07 #1
5 Replies


Message-ID: <11**********************@s34g2000cwa.googlegroups.com> from
PB contained the following:

> when I go to my page I get
> Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or
> `T_NUM_STRING' in /srv/www/htdocs/htdocs-new/metabo_info_cp.php on line
> 47

Check the lines above too.
--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/
Jan 19 '07 #2

PB wrote:
> Hello all,
>
> Thank you, I'm not very knowledgeable on PHP.
>
> when I go to my page I get
> Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or
> `T_NUM_STRING' in /srv/www/htdocs/htdocs-new/metabo_info_cp.php on
> line 47
>
> line 47 is :
> <?php
> system("babel $data['mol'] -oxyz:struct.xyz -h");
> ?>
> babel is a program and the variable is some text I want to give to it
> the rest is the output from the script.

You might also want to try it like this:
<?php
system("babel ".$data['mol']." -oxyz:struct.xyz -h");
?>

But, as Geoff mentioned, I'd check the line preceding line 47, it might
be missing a quote and/or semicolon.

--
Kim André Akerø
- ki******@NOSPAMbetadome.com
(remove NOSPAM to contact me directly)
Jan 19 '07 #3

PB wrote:
> <?php
> system("babel $data['mol'] -oxyz:struct.xyz -h");
> ?>

Where does the value for $data['mol'] come from? A database? A user? Can
you trust it? What happens if a nasty user finds out a way of setting:

$data['mol'] = '; rm -fr ~; echo';

Then your command becomes:

system("babel ; rm -fr ~; echo -oxyz:struct.xyz -h");

Which is equivalent to running the following:

system("babel");
system("rm -fr ~");
system("echo -oxyz:struct.xyz -h");

Note that the middle command here deletes all your files. I repeat,
DELETES ALL YOUR FILES. It would be possible to substitute in pretty much
any command -- rather than deleting your files, the attacker could do
something less obvious, but equally nasty, such as hijacking your site,
considered trustworthy by its regular visitors, to distribute viruses.

To protect against this, you should use addslashes() to escape the value
of $data['mol'] and then surround it with quote marks. For example:

$cmd = sprintf("babel '%s' -oxyz:struct.xyz -h",
               addslashes($data['mol']));
system($cmd);

This will also fix your error, which was caused by trying to interpolate
an array member into a string. When you do that, you must use the curly
brace notation. For example:

<?php
$array['animal'] = 'cat';
echo "It was a $array['animal']."; // Doesn't work
echo "It was a ${array['animal']}."; // Works
echo "It was a {$array['animal']}."; // Works

// printf() is another option:
printf('It was a %s.', $array['animal']);
?>

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact

Jan 19 '07 #4
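
Added example, not part of the post above or of the original thread: PHP's built-in escapeshellarg() quotes a value so the shell receives it as exactly one argument, including values that contain a single quote, which addslashes() with surrounding quotes does not neutralise for a shell. The helper name build_babel_command() and the sample values are constructed for illustration, and the quoting described in the comments is the Unix behaviour.

```php
<?php
// Added example, not code from the thread. build_babel_command() is a
// hypothetical helper; the babel arguments are the ones from the question.
function build_babel_command(string $mol): string
{
    // Reject empty values and control characters (escapeshellarg() itself
    // refuses strings that contain NUL bytes).
    if ($mol === '' || preg_match('/[\x00-\x1f\x7f]/', $mol)) {
        throw new InvalidArgumentException('mol is empty or has control characters');
    }
    // Assumption: babel, like most command-line tools, reads a leading "-"
    // as an option, so a data value must not start with one.
    if ($mol[0] === '-') {
        throw new InvalidArgumentException('mol must not start with "-"');
    }
    // On Unix, escapeshellarg() wraps the value in single quotes and
    // rewrites any embedded single quote, so the shell sees one argument.
    return 'babel ' . escapeshellarg($mol) . ' -oxyz:struct.xyz -h';
}

// Constructed sample values: a plain one, one with an embedded single
// quote, and the value quoted in the post above.
$samples = ['benzene.mol', "it's.mol", '; rm -fr ~; echo'];
foreach ($samples as $mol) {
    // Print the command line instead of running it, so the quoting is visible.
    echo build_babel_command($mol), PHP_EOL;
}

// In the page's script the call would then be:
// system(build_babel_command($data['mol']));
```

Every sample, including the one taken from the post, comes out as a single quoted argument to babel rather than as extra shell commands.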

PB
Toby,

Thanks. My input is coming from a database. I should be ok, I've made
sure most of the stuff is hidden by using functions referenced on other
pages outside the htdocs dir. However, point taken and thank you, it
now works.

Cheers,

PB

Jan 19 '07 #5

PB wrote:
> Thanks. My input is coming from a database.

And who fills the database? Unless it's you, and you alone, then my advice
still applies.

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact

Jan 19 '07 #6
