This parse error is bananas

I'm getting


Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting '-' or identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in C:\xampp\htdocs\DCT\2\devices\move_device.php on line 108

and am having a heck of a time diagnosing it. If I comment out some PHP

    if(isset($_GET['Search']) || isset($_GET['to_rack'])) {

        $sql = 'SELECT rack_id,room_id,row,bay,title,width,height,depth,slots FROM racks WHERE title LIKE "%'.$_GET['Search'].'%"';

        //echo $sql;

        $to_rack = mysqli_query($conn, $sql);

        if (mysqli_num_rows($to_rack) > 0) {

    /*
            while($row2 = mysqli_fetch_assoc($to_rack)) {
                $to_rack_id = $row2['rack_id'];
                $to_rack_slots = $row2['slots'];
                $to_rack_width = $row2['width'];
                $to_rack_title = $row2['title'];
                $to_rack_bay = $row2['bay'];
                $to_rack_row = $row2['row'];

                switch($row2['room_id']) {
                    case 1:
                        $room2 = "<a href='' style='cursor:not-allowed' class='jqeasytooltip' data-tiptheme='tipthemewhite' data-tipcontent='Room'>Comms Room</a>";
                        break;
                    case 2:
                        $room2 = "<a href='' style='cursor:not-allowed' class='jqeasytooltip' data-tiptheme='tipthemewhite' data-tipcontent='Room'>Crypto Room</a>";
                        break;
                    case 3:
                        $room2 = "<a href='' style='cursor:not-allowed' class='jqeasytooltip' data-tiptheme='tipthemewhite' data-tipcontent='Room'>Data Center</a>";
                        break;
                    case 4:
                        $room2 = "<a href='' style='cursor:not-allowed' class='jqeasytooltip' data-tiptheme='tipthemewhite' data-tipcontent='Room'>Server Room</a>";
                        break;
                    case 5:
                        $room2 = "<a href='' style='cursor:not-allowed' class='jqeasytooltip' data-tiptheme='tipthemewhite' data-tipcontent='Room'>Tech Control</a>";
                        break;
                    case 6:
                        $room2 = "<a href='' style='cursor:not-allowed' class='jqeasytooltip' data-tiptheme='tipthemewhite' data-tipcontent='Room'>Watch Floor</a>";
                        break;
                    default:
                        $room2 = "N/A";
                }

    `       }
    */
        }
    }

the error goes away. What sort of trickery is this?
Line 108 is the last }

Check out the function fred(…) in the following topic:

Add the function to your script then test the following:

$_GET
$sql
$to_rack
$row2

Edit:

I hope you temporarily set error_reporting and display_errors on :)

OK, I did

fred($_GET);
fred($sql);
fred($to_rack);
fred($row2);

and

Does that help?

Is there a problem with $row2?
I get
Fatal error: Uncaught TypeError: ini_set() expects parameter 2 to be string, int given in C:\xampp\htdocs\DCT\2\devices\move_device.php:2 Stack trace: #0 C:\xampp\htdocs\DCT\2\devices\move_device.php(2): ini_set('display_errors', 1) #1 {main} thrown in C:\xampp\htdocs\DCT\2\devices\move_device.php on line 2
when I

ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);

I’m hoping this is just a mistake on this forum. Look at this line closely.

2 Likes

Dang, I gots to clean my screen. Thanks.

1 Like

I hate to be that guy, but if you plan to use this online, be sure to look into preparing your statements, as this is vulnerable to SQL injection.

2 Likes

@RiversideRocks, Please supply an example of how this search could be a security risk.

/?search=dog'%DROP%20TABLE%20racks;--

Haven't tried it out, it might or might not work, but that's the general idea. In theory the above search would wipe everything in the racks table.

SQL injection would allow you to close the existing query and tack on a UNION SELECT … query to grab the complete contents of any table, such as a user table, with usernames, email addresses, and (hopefully hashed) passwords, and get the code to output it onto the web page. Don't try to pick and choose when to make a query safe; make them all safe all the time.

1 Like

John, I think you already know about never trusting user-supplied data. Nevertheless, try this…

<?php

//Url: localhost/yourfile.php?Search=<script>alert('Hacked')</script>
$sql = 'SELECT rack_id,room_id,row,bay,title,width,height,depth,slots FROM racks WHERE title LIKE "%'.$_GET['Search'].'%"';
echo $sql;

@benanamen, @mabismad, @RiversideRocks

I have been using user input to search MySQL tables for about ten years and may have been fortunate in that nobody has corrupted or deleted any tables.

I did a quick search and found the following statement which I have never tried and from the write up apparently will delete the table:

database.execute("INSERT INTO students (name) VALUES ('" + name + "');");

The search string I use is similar to Post: #1 and I think that using LIKE %…% will not cause any harm.

If I am incorrect then I would be grateful for an example that I could try and if it does delete tables then I will revise my code and report back here with the revised script.

When unchecked user input is concatenated with a string used in a query the intention of the query can be altered. Is that not a fair statement?

@cyman,

Perhaps but it is not an example that will cause harm when inserted into a LIKE statement.

I am still open to examples.

What is a security vulnerability if not the ability for the intent of code or logic to be changed? Measures should be taken to guard against any type of hack that changes the intent of the logic. Leaving a SQL statement open to alteration is no different from leaving application code open to the same.

@cyman,

As mentioned, Searching using LIKE %…% searches for a string in at least one column of a table. If the string does not exist then no harm is done.

In order for injected sql to be able to append a completely different type of sql statement to what the base query is, requires multiple semi-colon ; separated queries to be supported. Most, but not all, of php’s non-multiple query methods specifically parse the sql statement and prevent this. However, there are some databases that ‘automatically’ convert a hex encoded string found in a non-string context, back to the original string, which can contain any type of injected sql, including the ; needed for executing multiple queries on the database server.

No. You do understand how sql injection is accomplished? It breaks/escapes out of the current sql context, appends its own sql syntax, then finally converts the remainder of your original sql syntax into a comment. All it has to do is supply some arbitrary value to satisfy the current syntax, supply a single-quote, to break/escape out of the string context, then it can do whatever it wants.

Are you certain that the ; terminates the search string? Please supply a link.

I have tried it with the following search and it treats ; as a character value and finds about 42 occurrences.

https://dasabookcafe.tk

I didn’t state that it does. I did state that it separates multiple sql queries in those cases where they are permitted. Are you actually reading what has been written?

It breaks/escapes out of the current sql context, appends its own sql syntax, then finally converts the remainder of your original sql syntax into a comment.

I misunderstood.

When you said “it breaks/escapes out of the current sql context” I thought the current sql context was the LIKE %…% statement and the ; would break out of that statement.

It looks as though the search script is safe and I will continue to use it… unless somebody can supply a search string that breaks the search.
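The following is an added example, not code from anyone in this thread. It rebuilds the thread's search in Python with an in-memory SQLite database (the tables and rows are constructed for the example; the `users` table is hypothetical) so the argument above can be tested offline. The page's PHP query uses double quotes around the LIKE pattern for MySQL; MySQL accepts either quote style for strings, so the example uses single quotes to run under SQLite and the attacker simply supplies whichever quote character the query uses. It shows three things: a plain `;` is just a character inside the pattern, a stacked `; DROP TABLE` is refused by a single-statement API such as `mysqli_query` or `sqlite3.execute`, and a `' UNION SELECT … -- ` payload still reads the `users` table through the LIKE clause, while the parameterised version treats the same payload as a literal search string.

```python
import sqlite3

# Constructed sample data standing in for the thread's `racks` table, plus a
# hypothetical `users` table holding the kind of contents an attacker goes after.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE racks (rack_id INTEGER, room_id INTEGER, title TEXT, slots INTEGER);
        INSERT INTO racks VALUES (1, 3, 'Rack A1', 42), (2, 4, 'Rack B2', 42);
        CREATE TABLE users (user_id INTEGER, username TEXT, password_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', '$2y$10$constructedhashvalue');
    """)
    return conn


def search_concat(conn, term):
    """The pattern from the thread: user input concatenated into the SQL text.

    The quote style is the only adaptation: single quotes so SQLite accepts
    the literal (the PHP script uses double quotes, which MySQL also accepts).
    """
    sql = ("SELECT rack_id, room_id, title, slots FROM racks "
           "WHERE title LIKE '%" + term + "%'")
    return conn.execute(sql).fetchall()


def search_param(conn, term):
    """Parameterised form: the value is bound, never spliced into the SQL text."""
    sql = "SELECT rack_id, room_id, title, slots FROM racks WHERE title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# Closes the LIKE string, appends a UNION with the same column count (4), and
# comments out the trailing %' that the script adds. The space after -- is
# deliberate: MySQL only treats "-- " (dash dash space) as a comment.
UNION_PAYLOAD = "' UNION SELECT user_id, 0, username, password_hash FROM users -- "

# A stacked-query attempt of the kind discussed in the thread.
STACKED_PAYLOAD = "'; DROP TABLE racks -- "


def stacked_query_blocked(conn):
    """True if the single-statement API refuses the second statement."""
    try:
        search_concat(conn, STACKED_PAYLOAD)
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        # Older Pythons raise sqlite3.Warning, newer ones ProgrammingError;
        # either way the DROP never runs. This says nothing about UNION.
        return True
    return False


def demo():
    conn = build_db()
    return {
        "semicolon_alone": search_concat(conn, ";"),        # just a character
        "stacked_blocked": stacked_query_blocked(conn),     # True
        "union_concat": search_concat(conn, UNION_PAYLOAD), # leaks users row
        "union_param": search_param(conn, UNION_PAYLOAD),   # no match, no leak
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The UNION result contains the racks rows and the `admin` row with its password hash, because the attacker never needed a `;` at all: closing the string and commenting out the tail is enough, and the LIKE clause is simply the string context being escaped from. The bound-parameter version returns no rows for the same input because the whole payload is searched for as text.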

LOL! Just how bad would you like your site jacked? How about we start here…
https://dasabookcafe.tk/index.php/JACKED/