This is a discussion on system() error ? within the PHP Language forums, part of the PHP Programming Forums category.
Hello all,

Thank you, I'm not very knowledgeable on PHP.

When I go to my page I get:

Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or `T_NUM_STRING' in /srv/www/htdocs/htdocs-new/metabo_info_cp.php on line 47

line 47 is :

<?php
system("babel $data['mol'] -oxyz:struct.xyz -h");
?>

babel is a program and the variable is some text I want to give to it; the rest is the output from the script.

Thank you for any help,

PB
Message-ID: <1169190542.208330.212020@s34g2000cwa.googlegroups.com> from PB contained the following:

> when I go to my page I get
> Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or
> `T_NUM_STRING' in /srv/www/htdocs/htdocs-new/metabo_info_cp.php on line
> 47

Check the lines above too.

--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/
PB wrote:

> Hello all,
>
> Thank you, I'm not very knowledgeable on PHP.
>
> when I go to my page I get
> Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or
> `T_NUM_STRING' in /srv/www/htdocs/htdocs-new/metabo_info_cp.php on
> line 47
>
> line 47 is :
> <?php
> system("babel $data['mol'] -oxyz:struct.xyz -h");
> ?>
> babel is a program and the variable is some text I want to give to it
> the rest is the output from the script.

You might also want to try it like this:

<?php
system("babel ".$data['mol']." -oxyz:struct.xyz -h");
?>

But, as Geoff mentioned, I'd check the line preceding line 47; it might be missing a quote and/or semicolon.

--
Kim André Akerø - kimandre@NOSPAMbetadome.com
(remove NOSPAM to contact me directly)
PB wrote:

> <?php
> system("babel $data['mol'] -oxyz:struct.xyz -h");
> ?>

Where does the value for $data['mol'] come from? A database? A user? Can you trust it? What happens if a nasty user finds out a way of setting:

$data['mol'] = '; rm -fr ~; echo';

Then your command becomes:

system("babel ; rm -fr ~; echo -oxyz:struct.xyz -h");

Which is equivalent to running the following:

system("babel");
system("rm -fr ~");
system("echo -oxyz:struct.xyz -h");

Note that the middle command here deletes all your files. I repeat, DELETES ALL YOUR FILES. It would be possible to substitute in pretty much any command -- rather than deleting your files, the attacker could do something less obvious, but equally nasty, such as hijacking your site, considered trustworthy by its regular visitors, to distribute viruses.

To protect against this, you should use addslashes() to escape the value of $data['mol'] and then surround it with quote marks. For example:

$cmd = sprintf("babel '%s' -oxyz:struct.xyz -h", addslashes($data['mol']));
system($cmd);

This will also fix your error, which was caused by trying to interpolate an array member into a string. When you do that, you must use the curly brace notation. For example:

<?php
$array['animal'] = 'cat';
echo "It was a $array['animal']."; // Doesn't work
echo "It was a ${array['animal']}."; // Works
echo "It was a {$array['animal']}."; // Works

// printf() is another option:
printf('It was a %s.', $array['animal']);
?>

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
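The two points raised in Kim's and Toby's replies, the array interpolation syntax and the need to quote the value before it reaches the shell, as one added example that is not code from the thread. It takes PB's line 47 as its starting point; `is_valid_mol`, `unsafe_command` and `safe_command` are names introduced here, and the allowlist pattern for a molecule value is an assumption about this hypothetical application. For the shell quoting it uses escapeshellarg(), which is PHP's function for turning a string into a single safe shell argument (single quotes around the value, embedded single quotes escaped); addslashes() escapes quotes for PHP-style strings and is not a shell escaper.

```php
<?php
// Added example, not from the thread. Builds the babel command from PB's
// line 47 both the original (unsafe) way and a hardened way, and only
// prints the resulting command strings rather than executing them.

declare(strict_types=1);

// Allowlist check. Assumption for this hypothetical app: a molecule value
// is a short token of letters, digits, '-' and '_'. Anything else is rejected
// before it gets anywhere near a shell.
function is_valid_mol(string $mol): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_-]{1,64}$/', $mol);
}

// PB's line 47 with the curly-brace syntax, so it now parses. It still
// drops raw input into a shell command line, so it stays unsafe: a value
// containing ';' turns one command into several.
function unsafe_command(array $data): string
{
    return "babel {$data['mol']} -oxyz:struct.xyz -h";
}

// Hardened version: validate against the allowlist, then let
// escapeshellarg() quote the value so the shell sees exactly one word.
function safe_command(array $data): string
{
    if (!is_valid_mol($data['mol'])) {
        throw new InvalidArgumentException('rejected molecule value');
    }
    return sprintf('babel %s -oxyz:struct.xyz -h', escapeshellarg($data['mol']));
}

// Constructed sample inputs: a benign value and the hostile one Toby used.
$benign  = ['mol' => 'caffeine'];
$hostile = ['mol' => '; rm -fr ~; echo'];

echo "unsafe, benign:  ", unsafe_command($benign), "\n";
echo "unsafe, hostile: ", unsafe_command($hostile), "\n";   // three shell commands
echo "safe, benign:    ", safe_command($benign), "\n";

try {
    echo "safe, hostile:   ", safe_command($hostile), "\n";
} catch (InvalidArgumentException $e) {
    echo "safe, hostile:   rejected (", $e->getMessage(), ")\n";
}

// Even without the allowlist, escapeshellarg() on its own keeps the hostile
// value inside one quoted argument, so babel receives it as text and the
// shell never interprets the ';'.
echo "quoted only:     ",
    sprintf('babel %s -oxyz:struct.xyz -h', escapeshellarg($hostile['mol'])), "\n";
```

The allowlist and escapeshellarg() are layered on purpose: the allowlist rejects values that make no sense for babel at all, and the quoting protects any value that passes. Whether the value came from a form or from a database row does not change this; it only matters who can write to that row. If the PHP version allows it, the shell can be taken out of the picture entirely by passing the command to proc_open() as an array (supported from PHP 7.4), which starts the program directly with those arguments and leaves nothing for a shell to parse.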
Toby,

Thanks. My input is coming from a database. I should be ok; I've made sure most of the stuff is hidden by using functions referenced on other pages outside the htdocs dir. However, point taken and thank you, it now works.

Cheers,

PB

Toby Inkster wrote:

> PB wrote:
>
> > <?php
> > system("babel $data['mol'] -oxyz:struct.xyz -h");
> > ?>
>
> Where does the value for $data['mol'] come from? A database? A user? Can
> you trust it? What happens if a nasty user finds out a way of setting:
>
> $data['mol'] = '; rm -fr ~; echo';
>
> Then your command becomes:
>
> system("babel ; rm -fr ~; echo -oxyz:struct.xyz -h");
>
> Which is equivalent to running the following:
>
> system("babel");
> system("rm -fr ~");
> system("echo -oxyz:struct.xyz -h");
>
> Note that the middle command here deletes all your files. I repeat,
> DELETES ALL YOUR FILES. It would be possible to substitute in pretty much
> any command -- rather than deleting your files, the attacker could do
> something less obvious, but equally nasty, such as hijacking your site,
> considered trustworthy by its regular visitors, to distribute viruses.
>
> To protect against this, you should use addslashes() to escape the value
> of $data['mol'] and then surround it with quote marks. For example:
>
> $cmd = sprintf("babel '%s' -oxyz:struct.xyz -h",
> addslashes($data['mol']));
> system($cmd);
>
> This will also fix your error, which was caused by trying to interpolate
> an array member into a string. When you do that, you must use the curly
> brace notation. For example:
>
> <?php
> $array['animal'] = 'cat';
> echo "It was a $array['animal']."; // Doesn't work
> echo "It was a ${array['animal']}."; // Works
> echo "It was a {$array['animal']}."; // Works
>
> // printf() is another option:
> printf('It was a %s.', $array['animal']);
> ?>
>
> --
> Toby A Inkster BSc (Hons) ARCS
> Contact Me ~ http://tobyinkster.co.uk/contact
PB wrote:

> Thanks. My input is coming from a database.

And who fills the database? Unless it's you, and you alone, then my advice still applies.

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact