Re: [PHP] Apache

2013-09-25 Thread Robert Stone





From: Ashley Sheridan a...@ashleysheridan.co.uk
To: m...@nikha.org; Domain nikha.org m...@nikha.org
Cc: php-general@lists.php.net
Sent: Wednesday, 25 September 2013 2:22
Subject: Re: [PHP] Apache

Domain nikha.org m...@nikha.org wrote:
Ashley Sheridan on Monday, 23 September 2013 - 21:35:

 No, no, no! That is not a good stand-in for fundamental security
 principles!
 
 This is a better method for ensuring an image is really an image:
 
 <?php
 if(isset($_FILES['file']))
 {
     // getimagesize() returns false (so no width/height) for anything that is not an image
     list($width, $height) = getimagesize($_FILES['file']['tmp_name']);
     if($width && $height)
     {
         // Decode and re-encode through GD; only the pixel data survives
         $source = imagecreatefromjpeg($_FILES['file']['tmp_name']);
         $dest = imagecreatetruecolor($width, $height);

         imagecopyresampled($dest, $source,
         0, 0, 0, 0,
         $width, $height, $width, $height);
         imagejpeg($dest, basename($_FILES['file']['tmp_name']));
     }
     else
         echo "{$_FILES['file']['name']} is not a jpeg";
 }
 ?>
 <form enctype="multipart/form-data" method="post">
     <input type="file" name="file"/>
     <input type="submit" name="submit" value="submit"/>
 </form>
 
 Obviously it's only rough, and checks only for jpeg images, but that's
 easy to alter. I've just tested this with a regular jpeg, the same jpeg
 with PHP code concatenated onto the end (which still appears to be a
 valid image to viewing/editing software) and a pure PHP file with a .jpg
 extension. In the case of the first 2, a new jpeg is generated with the
 same image and without the code. The third example just echoes out an
 error.
 

Dear Ashley, nice, but useless for this problem!


The problem was to do with an image upload, so no, not useless. 

First, because users may upload other things than images! PDF's, audio
files, videos etc!

In an earlier email I detailed some methods for validating other types, such as 
DomDocument for HTML, XML, svg, etc, or fpdf for PDF. 

And on behalf of images: the GD you are using handles only
jpeg, gif and png. There are about a hundred other image types on the way,

At the moment those are the 3 raster formats you can use on the web, so those 
are the ones that pose an issue. If you're using anything else, it's not for 
web and doesn't need to be in a publicly accessible location. 

users can upload! How to detect them, if the extension is misleading?

The extension comes from the user. Never trust the user, ever.


And even if we succeed: As your script demonstrates very well, malicious
code does not affect the rendering of the image. 

My script does effectively strip out malicious code though, even if it can't 
easily be seen.

The hacker says: Hi, this is a nice picture, play it, and then, please do
this--follows his code, that can be a disaster for the whole system.

Social engineering is a whole different issue.


Yes, your script seems to purge the image file, simply because GD does
not copy the malware code. But why are you sure about that? You cannot
see that code, OK, but maybe it was executed in the plain GD
environment? 

GD isn't a PHP parser, and PHP doesn't execute the image before GD touches it. 
In fact, Apache isn't even involved between GD and the image at that point, so 
it won't suffer from this bad config.

What you are doing is dangerous, because you force the
execution of things that should be never executed!

Erm, no, the image isn't being executed.


no no no forget it. After all we cannot exclude that users come in
with malware. 

If you think it's fine that a user be able to upload malware, then you're going 
to have a very bad time.

But we MUST exclude, it is executed on the web server.

This is important too, but in this profession belt and braces is best I 
believe. 

That is the Apache chainsaw massacre as Steward would say. And probably
it can be avoided by purging the filenames (not the files!). 

Nevertheless, the standard configuration of the Apache servers is
basically unacceptable. It must execute user requests and never ever
user files! Period.

Have nice days,
Niklaus 

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Thanks,
Ash



Sorry for this late post but I'm amazed nobody consulted the doco.

The php.net site has a whole section titled Handling File Uploads.
Also check out finfo_open and finfo_file.
If you are a windoze user you need a dll.
If you want Apache to handle PUT requests you MUST tell it to run a script as 
it cannot write to web root.

HTH

Robert
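Pulling the thread's points together (Ashley's GD re-encode, Robert's pointer to finfo_file(), and Niklaus's insistence on purging file names and never letting the server execute user files), here is an added example; it is not code from anyone on the thread. It assumes PHP 8 with the fileinfo and GD extensions, and a hypothetical upload directory /var/app/uploads that sits outside the document root.

```php
<?php
// Added example: defensive handling of an uploaded image.
// Assumed, not from the thread: uploads live outside the web root in
// UPLOAD_DIR (hypothetical path) and are served back through a script.
const UPLOAD_DIR = '/var/app/uploads';

// Accepted MIME types, mapped to the GD loader and to the extension WE assign.
// The extension never comes from the user's file name.
const ACCEPTED = [
    'image/jpeg' => ['imagecreatefromjpeg', 'jpg'],
    'image/png'  => ['imagecreatefrompng',  'png'],
    'image/gif'  => ['imagecreatefromgif',  'gif'],
];

/**
 * Validate one $_FILES entry as a raster image and re-encode it with GD.
 * Returns the stored file name on success, or null if anything is off.
 */
function store_uploaded_image(array $file): ?string
{
    // 1. Reject anything PHP flagged, and anything that was not really uploaded.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // 2. Sniff the content; ignore the user-supplied name and type fields.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if (!isset(ACCEPTED[$mime])) {
        return null;
    }

    // 3. getimagesize() must agree with finfo about what the file is.
    $info = getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        return null;
    }
    [$width, $height] = $info;

    // 4. Decode and re-encode so that trailing bytes (e.g. appended PHP)
    //    are not carried into the file we keep.
    [$loader, $ext] = ACCEPTED[$mime];
    $source = @$loader($file['tmp_name']);
    if ($source === false) {
        return null;
    }
    $dest = imagecreatetruecolor($width, $height);
    imagecopyresampled($dest, $source, 0, 0, 0, 0, $width, $height, $width, $height);

    // 5. Server-chosen random name; the original name is purged entirely.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $path = UPLOAD_DIR . '/' . $name;
    $ok = match ($ext) {
        'jpg' => imagejpeg($dest, $path, 90),
        'png' => imagepng($dest, $path),
        'gif' => imagegif($dest, $path),
    };
    imagedestroy($source);
    imagedestroy($dest);

    return $ok ? $name : null;
}

if (isset($_FILES['file'])) {
    $stored = store_uploaded_image($_FILES['file']);
    echo $stored === null
        ? 'Upload rejected: not a JPEG, PNG or GIF image.'
        : 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
}
?>
<form enctype="multipart/form-data" method="post">
    <input type="file" name="file"/>
    <input type="submit" name="submit" value="submit"/>
</form>
```

The three checks are deliberately redundant: finfo and getimagesize() must agree, and the file is still re-encoded afterwards, which is the belt-and-braces approach Ash argues for. Niklaus's point is covered by storage rather than by inspection: the directory is outside the document root, so Apache can never be asked to execute what sits in it. If an upload directory must live under the web root, the usual mod_php fix is `php_admin_flag engine off` for that directory, so that even a misnamed file is served as bytes rather than run.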

Re: [PHP] Creating an Advanced Form

2012-11-02 Thread Robert Stone
Hi Jonathan,

Haven't used MySql for ages. More used to Oracle and PostgreSql.
Your table nmc_cd contains foreign keys pointing to nmc_category and 
nmc_publisher. Create a view containing all the data from those three tables 
using implicit joins as the data in table nmc_cd should NOT contain any 
dangling foreign keys. (You can always write a test routine to verify the 
cleanliness of your data). 

Thus you have a single query SELECT * FROM my_nmc_view WHERE ($x IS NOT NULL 
AND $x = some column name in the view) AND ($y IS NOT NULL . . . etc.
You can append an ORDER BY clause at the end reflecting the desired display 
sequence.
If all of your search criteria are null, then the select should return every row 
in the view.


I don't understand code such as    if($searchCDID=1){  . Comparing for 
equality requires == or ===. How does this work if the user enters 345 
for example?

Apropos other comments, this select statement ought to be in the controller (or 
action controller) depending on how your application is structured. 


Hope this helps.
Cheers,
Rob
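An added example of the single-query approach Rob describes, written with PDO prepared statements so the user's search values never become part of the SQL text. It is not Jonathan's code; it assumes the view name my_nmc_view from Rob's reply and hypothetical column names cd_id, title, category and publisher.

```php
<?php
// Added example: one parameterised query over a view with optional criteria.
// View and column names are assumed for illustration.

/**
 * Build the SQL and its bound parameters. Each criterion becomes
 * "(:k_a IS NULL OR column = :k_b)", so a null criterion restricts nothing
 * and the query still returns every row when all criteria are null.
 */
function build_search(array $criteria): array
{
    // Whitelist of search key => column. Only these names ever reach the SQL.
    $columns = [
        'cd_id'     => 'cd_id',
        'title'     => 'title',
        'category'  => 'category',
        'publisher' => 'publisher',
    ];
    $clauses = [];
    $params  = [];
    foreach ($columns as $key => $column) {
        // Missing and empty-string input both mean "no criterion".
        $value = (isset($criteria[$key]) && $criteria[$key] !== '') ? $criteria[$key] : null;
        // Two distinct placeholders for the same value: reusing one named
        // placeholder fails when PDO::ATTR_EMULATE_PREPARES is off.
        $clauses[] = "(:{$key}_a IS NULL OR {$column} = :{$key}_b)";
        $params[":{$key}_a"] = $value;
        $params[":{$key}_b"] = $value;
    }
    $sql = 'SELECT * FROM my_nmc_view WHERE ' . implode(' AND ', $clauses)
         . ' ORDER BY title';
    return [$sql, $params];
}

/** Run the search; returns the matching rows as associative arrays. */
function search_cds(PDO $pdo, array $criteria): array
{
    [$sql, $params] = build_search($criteria);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (connection details assumed):
// $pdo  = new PDO('mysql:host=localhost;dbname=nmc', 'user', 'pass',
//                 [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $rows = search_cds($pdo, [
//     'title'    => $_GET['title'] ?? null,
//     'category' => $_GET['category'] ?? null,
// ]);
```

The ORDER BY is fixed here; if the display sequence is to come from the request as well, map it through a whitelist the same way the columns are, since placeholders cannot stand in for identifiers.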

[PHP] Free LAPP stack

2012-10-21 Thread Robert Stone
Hello,

There are several sites offering free LAMP stacks but does anybody know of a 
site that has free LAPP stacks available?

Please don't flame me for preferring PostgreSql.

It's to set-up a thin client application. Disk space required approx. 1.5Mb. I 
need it to facilitate testing. Any suggestions welcome.

TIA,

Robert


Re: [PHP] Bug?

2011-09-18 Thread Robert Stone





From: Igor Escobar titiolin...@gmail.com
To: php-general@lists.php.net php-general@lists.php.net
Sent: Friday, 16 September 2011 7:07
Subject: [PHP] Bug?

Anyone can explain this?

https://gist.github.com/1220404

Part of the code are in portuguese so...
iguais = equal
diferentes = different

Regards,
Igor Escobar
Software Engineer
+ http://blog.igorescobar.com
+ http://www.igorescobar.com
+ @igorescobar http://www.twitter.com/igorescobar


The person who posted this (andersonfraga) has set up four string comparison 
tests.

It was commented by augustohp who said:-


float_a.php
There is a setting in php.ini for the precision of floating-point numbers. 
Above that number, everything is rounded.

There is a configuration setting in php.ini that determines the precision of 
floating point numbers. A number greater than that setting causes rounding.

float_b.php
With bcmath you are not comparing specialised data types, but binary data. 
It is slower, but extremely precise, always.

With bcmath you are doing a binary comparison. It is slower but precise, always.

string_a.php
When you use == you do not compare the types, and you do not force the 
interpreter to respect the data type supplied. So what happens? PHP converts 
the type to the most appropriate data type in a condition: boolean, integer, 
etc.
If you convert to integer, you will see that the numbers are equal.

When you use the == operator you don't compare data types and don't force the 
interpreter to respect the data type supplied. What happens then? PHP converts 
the type to the most appropriate data type and returns a boolean. (I assume he 
means casting. I always thought that you had to cast the variables implicitly 
in order to use ==.)
I think he is saying in the next sentence that if you cast them to integers, 
you'll see that the numbers are equal. Doesn't make any sense to me, but 
then, I'm no expert.

string_b.php
Here you really do compare strings, and guarantee that they are not cast to 
another data type. You can achieve this using === as well, without this string 
comparison function.

Here you compare strings, and guarantee that they don't suffer casting to 
another data type. You can achieve the same thing by using the === operator 
also, without (using) this string comparison function.


Hope this helps.

Cheers,
Robert
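To make augustohp's four points concrete, here is an added example that is not from the gist or from anyone on the thread. It assumes the bcmath extension is loaded; the string pairs it compares are constructed for illustration.

```php
<?php
// Added example: PHP's loose vs strict comparison, and float precision.

/** Compare two strings three ways and report which of them say "equal". */
function compare_all(string $a, string $b): array
{
    return [
        'loose'  => $a == $b,             // type juggling: numeric strings compared as numbers
        'strict' => $a === $b,            // same type and the same bytes
        'strcmp' => strcmp($a, $b) === 0, // byte-wise comparison, as in string_b.php
    ];
}

/** Float arithmetic vs bcmath, with the php.ini display precision made explicit. */
function float_demo(): array
{
    $sum = 0.1 + 0.2;
    $out = ['float_equal' => $sum == 0.3];   // binary floating point cannot hold 0.1 exactly

    ini_set('precision', '14');              // the php.ini default
    $out['shown_at_14'] = (string) $sum;     // rounding for display hides the error
    ini_set('precision', '17');
    $out['shown_at_17'] = (string) $sum;     // enough digits to expose it

    // bcmath works on decimal strings, so it is exact at the requested scale.
    $out['bcmath_equal'] = bccomp(bcadd('0.1', '0.2', 20), '0.3', 20) === 0;
    return $out;
}

// Constructed inputs. '1e3' and '1000' are different strings that == treats
// as the same number. '0e111' and '0e999' are both read as 0.0 in scientific
// notation, which is why hashes and tokens must be compared with === (or
// hash_equals()), never with ==.
foreach ([['1e3', '1000'], ['0e111', '0e999'], ['abc', 'abc']] as [$a, $b]) {
    printf("%-6s vs %-6s %s\n", $a, $b, json_encode(compare_all($a, $b)));
}
print_r(float_demo());
```

For the first two pairs only the loose comparison reports equality; the strict and strcmp() checks do not. float_demo() shows the sum of 0.1 and 0.2 compares unequal to 0.3 as a float, prints as 0.3 at precision 14 but as 0.30000000000000004 at precision 17, and compares equal under bcmath, which is augustohp's point about float_a.php and float_b.php.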

Re: [PHP] Last Name extraction in query

2011-04-04 Thread Robert Stone
Hi Jim,

I think that you'll find that ' ' is treated as a NULL and as such will always 
return zero.
You are not catering for multiple spaces in the column race_winner.
If you were using Oracle, their INSTR function has an optional argument that 
allows you to search backwards from the end of a string, but you're not, so my 
guess is that you'll have to extract the results into an array, manipulate the 
race_winner column, sort the array, then do whatever is coming next.
I'm not a MySql expert, just putting in my two bob's worth.
Don't forget to LTRIM(RTRIM(race_winner)).

Cheers,




--- On Mon, 4/4/11, Jim Giner jim.gi...@albanyhandball.com wrote:

From: Jim Giner jim.gi...@albanyhandball.com
Subject: [PHP] Last Name extraction in query
To: php-general@lists.php.net
Date: Monday, 4 April 2011, 12:50

having a problem posting this message - forgive any duplication please.

Hi,
I'm trying to use sql to extract the last name from a person's name field in
my table.  Here's my Select:

$q = "SELECT race_winner, count(race_date) as wins,
substr(race_winner, FIELD(' ', race_winner)) as last_name

etc.,,,



My result keeps coming up with a 0 for the FIELD portion I assume
since my output shows a blank last_name.  From the docs I believe it should 
be giving me the right-most portion of the 'race_winner' field beginning 
where the first space char is found.

Am I not using this correctly?  Is there a better way to do this?  I'm
trying to have my results sorted by last name and since the table was not
built with separate first/last name fields, I'm stuck with figuring
something out.





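Robert's suggestion, pull the rows and do the name handling in PHP, as an added example that is neither Jim's nor Robert's code. The rows are constructed to stand in for the result of the SELECT race_winner, count(race_date) query; the column names race_winner and wins are the ones Jim's query produces.

```php
<?php
// Added example: derive and sort by last name in PHP after fetching the rows.

/**
 * Last whitespace-separated token of a name. Trimming and collapsing runs of
 * spaces covers the multiple-space case Robert warns about.
 */
function last_name(string $fullName): string
{
    $clean = preg_replace('/\s+/', ' ', trim($fullName));
    if ($clean === '') {
        return '';
    }
    $parts = explode(' ', $clean);
    return end($parts);
}

/** Attach last_name to each row and sort by it, then by wins descending. */
function sort_by_last_name(array $rows): array
{
    foreach ($rows as &$row) {
        $row['last_name'] = last_name($row['race_winner']);
    }
    unset($row);
    usort($rows, function (array $a, array $b): int {
        return [$a['last_name'], -$a['wins']] <=> [$b['last_name'], -$b['wins']];
    });
    return $rows;
}

// Constructed sample rows, shaped like Jim's query result.
$rows = [
    ['race_winner' => 'Jim  Giner',       'wins' => 3],   // double space
    ['race_winner' => ' Mary Ann Smith ', 'wins' => 5],   // padding, three tokens
    ['race_winner' => 'Bob',              'wins' => 1],   // single token
];
foreach (sort_by_last_name($rows) as $row) {
    printf("%-18s %-8s %d\n", trim($row['race_winner']), $row['last_name'], $row['wins']);
}
```

If the work is to stay in SQL instead, MySQL's SUBSTRING_INDEX(TRIM(race_winner), ' ', -1) returns the text after the last space, which is the right-most token Jim is after; the PHP version above is the route Robert sketches when the database side is uncertain.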




  

Re: [PHP] Re: Looking for Tool to read JSON format

2011-04-02 Thread Robert Stone
Have you looked at http://pecl.php.net/package/json

Might help. Package php-services-json is at version 1.0.2-1 on my Debian 
install.

Good evening,
Robert



--- On Sat, 2/4/11, Michelle Konzack linux4miche...@tamay-dogan.net wrote:

From: Michelle Konzack linux4miche...@tamay-dogan.net
Subject: [PHP] Re: Looking for Tool to read JSON format
To: php-general@lists.php.net
Date: Saturday, 2 April 2011, 15:25

Hello Me,

On 2011-04-01 17:34:39, you hacked out the following:
 http://www.php.net/manual/en/book.json.php

Was using Debian/Lenny and have not found any JSON/PHP stuff, but under
Squeeze the package php-services-json, and what I dislike is that there
is NO documentation with the package, especially if I install Squeeze
from DVD and have from time to time no Internet connection, and where I
live, I can not get ADSL, only GSM and, if the weather is good, UMTS/HSPA.

So, software without documentation is only worse...

Thanks, Greetings and nice Day/Evening
    Michelle Konzack

-- 
# Debian GNU/Linux Consultant ##
   Development of Intranet and Embedded Systems with Debian GNU/Linux

itsystems@tdnet France EURL       itsystems@tdnet UG (limited liability)
Owner Michelle Konzack            Owner Michelle Konzack

Apt. 917 (homeoffice)
50, rue de Soultz                 Kinzigstraße 17
67100 Strasbourg/France           77694 Kehl/Germany
Tel: +33-6-61925193 mobil         Tel: +49-177-9351947 mobil
Tel: +33-9-52705884 fix

http://www.itsystems.tamay-dogan.net/  http://www.flexray4linux.org/
http://www.debian.tamay-dogan.net/         http://www.can4linux.org/

Jabber linux4miche...@jabber.ccc.de
ICQ    #328449886

Linux-User #280138 with the Linux Counter, http://counter.li.org/