Why don't you just use the existing ini options:
; String to output before an error message.
;error_prepend_string = font color=ff
; String to output after an error message.
;error_append_string = /font
??
--Jani
On Tue, 5 Aug 2003,
Moriyoshi,
I forgot to say that examples most probably will be available soon
written by Ed Luschei. He uses GD for visualisation.
Andrey
- Original Message -
From: Moriyoshi Koizumi [EMAIL PROTECTED]
To: Andrey Hristov [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, August 11,
No :)
If you are really worried about these kinds of attacks, I suggest you
read one of the many articles that explain how to write a secure
PHP application.
You can also take it further and write a user input filter using the
framework that Rasmus added for this purpose (mostly from an XSS point
On Wednesday 13 August 2003 20:13, Moriyoshi Koizumi wrote:
304 Not Modified
r--
Since we're looking at simple http access I don't think this should return
readable. Normally you would not be able to set headers when using
fopen('http://') (right?), so technically, you would not be able to
As far as I can tell your patch would not have any effect on existing *nix
based code. So, the only possibility is either a working pspell extension for
windows or a broken one. The latter would not be an issue since we didn't
have such an extension before anyway.
I'll talk to Edin who is our
Hi all,
SK Maybe it will be better to have this method in all classes and define
SK default behavior such as existing ( string )$object cast?
I guess that using an interface is better. But if the guys here think
different I would revert to the patch with no interfaces.
AK According to the
On Thursday, Aug 14, 2003, at 00:45 US/Pacific, Steven Brown wrote:
On Thu, 14 Aug 2003, moshe doron wrote:
What about hacking somehow the sqlite library to disallow chained
queries (or at least do it optionally)?
This behavior is a *huge* security hole, it allows the cracker to drop ur
database using
do you use any shared php extensions by any chance?
Yes, I'm developing an extension to wrap Apple's OpenDirectory API (refer
to my first post). That's the only shared extension that I'm using.
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit:
Here is a patch, it is actually two lines that need changed.
Thanks,
Brian
On Thu, 14 Aug 2003 00:17:11 +0200 (CEST), Sascha Schumann wrote:
Did something change recently to cause this? If nobody sees a
problem with the change I am going to check it in.
There are some translit
Vlad,
If you want it to be part of the 4.3.3 release, you need to backport your
changes to the PHP_4_3 branch.
Ilia
On August 13, 2003 03:19 pm, Vlad Krupin wrote:
Ok, looks like all win32 experts are on vacation, or have no opinion.
I've implemented win32 build to the best of my knowledge, and
Just FYI,
I've committed the new COM and .Net extension for php5. Although it
doesn't yet have all the features of the php4 extension, it should be as
usable (perhaps better than?) what you have been used to with php4.
The .Net support requires the mscoree.h header file from the .Net SDK to
be
Sorry:
That code should have been:
$id = some_escape_string_function( intval( "0; drop bar" ) );
if( $id > 0 )
{
lamesql_query( "select foo from bar where id = '$id'" );
}
else
{
// Error?
}
Just wanted
I am having problem building extension with long names. As an example say my
extension name is f_name_bar and
F_NAME_BAR_SHARED_LIBADD is used to link libraries.
The problem is when the Makefile is generated I get
F_NAME_BAR_SHARED_LIBADD at the top of the
Ilia Alshanetsky wrote:
Do we really need this function? I see 2 ways of 'implementing' this
functionality in PHP without having to add another function. For example:
(isset($var) || is_null($var)) or gettype($var).
Ilia
I for one would like to see something like variable_exists(), as I am
I wasn't really intending for it to be there since it is in RC stage,
and this is technically new functionality. I thought it is too late,
but, if not, I'll do that. There are only a few lines of code to backport.
My big question is how to get the code to be in win32 snapshots and
ultimately
On Thu, Aug 14, 2003 at 08:35:47AM -0400, Justin Hannus wrote:
Rasmus Lerdorf [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Can't you get a line number and the actual address being accessed to cause
that crash?
Here is a more detailed backtrace. In my original post I was
Ard Biesheuvel wrote:
Disallowing chained
queries will prevent *every* developer from ever using it.
thats why i suggested earlier to maybe make it a runtime
configurable feature that defaults to 'off'
--
Hartmut Holzgraefe [EMAIL PROTECTED]
Sara Golemon [EMAIL PROTECTED] wrote:
http:// wrapper:
is_writable() would always return false.
is_readable() would return true *IF* a HEAD request returned 2xx or 3xx
is_executable() would always return false.
file_exists() would return true if a HEAD request returned 2xx, 3xx, or
Checkout binaryphp at sourceforge... It's quite cool really...
--
// DvDmanDT
MSN: [EMAIL PROTECTED]
Mail: [EMAIL PROTECTED]
Jeremy S. Johnstone [EMAIL PROTECTED] skrev i meddelandet
news:[EMAIL PROTECTED]
After seeing the conversation on the PHP archive idea (having a PHP
equivalent of a jar
Translate PHP Manual to Bahasa
Indonesia
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
Hi,
There is a problem in the MySQL extension when trying to get the errno, if
the connection failed, if a prior mysql_connect() call already succeeded:
mysql_connect('host', 'user', 'pw');
mysql_connect('host2', 'user2', 'pw2');
echo mysql_errno();
echo mysql_error();
Assuming the first call
Edin Kadribasic wrote:
Hi Vlad,
1. Where can I get includes and libs for MSVC++?
http://aspell.net/win32/files/aspell-dev-0-50-3-3.zip
It has both the headers and the library. Just uncompress it into the
same directory where 'php-src' is located, and then rename the directory
to 'aspell' (I
On Thu, Aug 14, 2003 at 11:15:51AM -0700, walt boring wrote:
I for one would like to see something like variable_exists(), as I am
very annoyed with
the logic of isset() returning false if the variable exists and has a
value of null.
[snip]
I for one would much rather do
if (
Hello.
In regex/utils.h there is a definition for DUPMAX:
#ifdef _POSIX2_RE_DUP_MAX
#define DUPMAX _POSIX2_RE_DUP_MAX
#else
#define DUPMAX 255
#endif
On Linux with glibc this effectively sets the DUPMAX count to 255. But I
think that this
number is too low, so there is no way to use a regex
Thanks, it's fixed now...
Zeev
At 02:43 06/08/2003, Vesselin Atanasov wrote:
Hello.
The latest CVS fails to compile under Linux. An error occurs because the
linker cannot find the empty_fcall_info_cache symbol.
diff -ruN php5-200308051930.orig/Zend/zend_execute_API.c
Hi,
sometimes STDIN, STDOUT and STDERR are not defined in cli mode:
~/cvs/php/php-src# ./sapi/cli/php -r 'var_dump (STDERR);'
resource(3) of type (stream)
~/cvs/php/php-src# echo '<?php var_dump(STDERR); ?>' | ./sapi/cli/php
string(6) "STDERR"
The attached patch removes the check for the scripts
Ilia Alshanetsky wrote:
On August 7, 2003 04:35 pm, Davey wrote:
You've hit the nail on the head! By literally copying and pasting the
$_SESSION code over, s/_SESSION/_APPLICATION and forcing the SID to be a
certain thing, you pretty much implement what I want. The reasons you
cannot just wrap
I'm writing an ext for Apple's OpenDirectory (directory services) API and it
makes heavy use of registering resources in the zend internal list. I'm also
new to the Zend API.
As of now I have about 4 resource types so far. In short, my resource life
span goes like:
1.
As I can imagine some examples that demonstrate dynamic graph drawing with
ming or gd, I think it'd be cool to have.
However, I looked at dcdflib.c and only found it was coded not in C but in
pseudo Fortran. That's worth a glance :) So the last concern is its
stability, since it simply uses
Hello Antony,
Wednesday, August 6, 2003, 8:43:13 PM, you wrote:
AD If archive is all what you want to get, then what prevents you to write your own
class to load files from such package?
The performance. Such class in PHP will be much, much slower than
language-level support of archives.
If
On Thu, 2003-08-14 at 13:18, [EMAIL PROTECTED] wrote:
[...]
Hmm, I thought a variable is set even if its value is NULL?
Unfortunately it is not:
[EMAIL PROTECTED]:~ php -r '$a= NULL; var_dump(isset($a));'
bool(false)
- Timm
Hello.
Here is a patch for the command-line version of PHP which makes it chdir()
to the
script directory just like the web version of PHP does. It also implements
the -C
option which has been a NOOP up to now.
diff -ruN php5-200308051930.orig/sapi/cli/php_cli.c
After seeing the conversation on the PHP archive idea (having a PHP
equivalent of a jar file), it reminded me of an idea I had a long time
ago. Has anyone ever thought of writing a PHP compiler which would
compile a PHP script into native machine code? If you have thought of
it, what stopped you
Can't you get a line number and the actual address being accessed to cause
that crash?
On Mon, 11 Aug 2003, Justin Hannus wrote:
I'm writing an ext for Apple's OpenDirectory (directory services) API and it
makes heavy use of registering resources in the zend internal list. I'm also
new to the
From: Andrey Hristov [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 6:35 PM
Nope,
the data should be shared amongst all running processes of
the application disregarding the web user who invokes them.
This may partly do what you need?
http://pwee.sourceforge.net/
never used it
PS: I am one of the last people you should be complaining at about php
isn't intended for that; perhaps you should study your PHP history
before you make your next post.
That is why I apologized if I came off rude. I snapped back without
realizing who had actually made the post I was responding
Hello Cristiano,
Wednesday, August 6, 2003, 6:15:39 AM, you wrote:
It would be much better if user will have to put method's throws in
method's declaration imho( see my reply to Marcus ).
--
Best regards,
Simeon mailto:[EMAIL PROTECTED]
On Wednesday, August 6, 2003, at 11:54 AM, Jeremy S. Johnstone wrote:
I apologize if I sounded rude at all, it's just that I am sick of
people
telling me php isn't intended for that, when I come up with new
ideas.
I ask those same people what they think PHP is for, and inevitably I
get
some
Alan Knowles [EMAIL PROTECTED] escreveu na mensagem
news:[EMAIL PROTECTED]
What about __construct, __destruct and __clone ?
AK these are built in. - and done to avoid conflicts.
All right.
Shouldn't it be named
__to_string() or __tostring() ?
AK since you implicitly make this available by
http:// wrapper:
is_writable() would always return false.
is_readable() would return true *IF* a HEAD request returned 2xx or 3xx
is_executable() would always return false.
file_exists() would return true if a HEAD request returned 2xx, 3xx, or
4xx (not including 404)
I wouldn't
Timm Friebe wrote:
On Thu, 2003-08-14 at 13:18, [EMAIL PROTECTED] wrote:
[...]
Hmm, I thought a variable is set even if its value is NULL?
Unfortunately it is not:
[EMAIL PROTECTED]:~ php -r '$a= NULL; var_dump(isset($a));'
bool(false)
- Timm
exactly why isset() is either
1) a bad
Moriyoshi,
so maybe I should modify the libs and make them not to use static vars
in the functions?
Andrey
- Original Message -
From: Moriyoshi Koizumi [EMAIL PROTECTED]
To: Andrey Hristov [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, August 11, 2003 10:08 PM
Subject: Re:
On August 12, 2003 02:27 am, Zeev Suraski wrote:
At 05:16 11/08/2003, Ilia Alshanetsky wrote:
+1
This patch not only fixes the above mentioned bugs, but also several
backwards compatibility issues that occurred due to the fix for bug #18140.
Can you provide an example?
Original Bugs that
Rasmus Lerdorf [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Can't you get a line number and the actual address being accessed to cause
that crash?
Sorry about that, I'll have to recompile a version with --enable-debug which
I might not get a chance to until later tonight.
On Thu, 14 Aug 2003, Steven Brown wrote:
E.g.,
$id = "0; drop bar";
lamesql_query("select foo from bar where id = $id");
Well Do'h, how is this a security problem?
Derick
--
Interpreting what the GPL actually means is a job best left to those
that read the future by
On Thu, Aug 14, 2003 at 09:03:05AM -0400, Justin Hannus wrote:
do you use any shared php extensions by any chance?
Yes, I'm developing an extension to wrap Apple's OpenDirectory API (refer
to my first post). That's the only shared extension that I'm using.
if you have a mem-leak
Hello Marcus,
Did you think of a better interface name instead of Printable ?
Do you think Zeev or Andi will accept this patch ?
Cristiano.
Ok,
I've been using the php_imlib module for some time now (it's nice and fast),
the only problem is, nobody can seem to get it to work with php-4.3.x.
This is a *nix only extension as far as I'm concerned, and I'm happy to chuck
it into PEAR or wherever when it's a bit more stable.
We seem to
Wez Furlong wrote:
more technical issues actually related to the internals of PHP ? :-)
Like how to use the Streams API to implement the JAR-like functionality?
SCNR,
Sebastian
--
Sebastian Bergmann
http://sebastian-bergmann.de/ http://phpOpenTracker.de/
Das Buch zu PHP
The streams API has, since early in its introduction, had the capacity to
perform stat() family calls on files under any wrapper.
In theory.
What's preventing wrapper->wops->url_stat from being useful is that the code
in ext/standard/filestat.c has never been routed through this layer.
I've put
Correct, it appears my php work around may not work as an undefined variable
would gain a NULL value as soon as it's used, making is_null() always return
true. That said, I still do not see a situation where such a function would
be useful.
Ilia
Hi out there,
A few weeks ago I submitted a patch in the bug db for a
variable_exists() construct, which parallels the function_exists()
one but for variables. In short, it returns TRUE if a variable
exists, regardless of its value. In other words, it's an isset()
which doesn't care if the
Hartmut Holzgraefe [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Steven Brown wrote:
How is this a security hole?
E.g.,
$id = "0; drop bar";
lamesql_query("select foo from bar where id = $id");
this is also possible with oracle, oci8 and other database extensions,
mysql
Ilia Alshanetsky wrote:
On August 14, 2003 03:11 pm, walt boring wrote:
exactly why isset() is either
1) a bad name for the function or
2) 'broken'
Wrong. isset() has a very proper name is-set, which to me and other people
says that it will see if a variable is set (has a value). It does
On Thu, 14 Aug 2003, walt boring wrote:
Then please explain the logic of why
$var = null
isset($var) returns false.
In your words it will see if a variable is set (has a value).
$var IS set and DOES have a value, it just happens to be a value of null.
I've done a fair deal of PHP
this is old subject everyone is tired of i'm sure. but since large changes
have been made to call_user_func[_array] recently, i want to confirm:
if an object calls one of its methods ($thing->foo()), any static-type
method calls made inside there - self::a(), parent::a(), fezbar::a() -
will have
semi-related: __call is somewhat reversed. it will catch
call_user_func(array('self','fake')), but not self::fake()
(same for parent vs parent:: or randomclass vs randomclass::)
the visibility of $this is not changed, so you end up with
no $this inside __call. it can be a surprise.
On Thu, 2003-08-14 at 08:42, Andi Gutmans wrote:
I am not really convinced either that variable_exists() is
function_exists() parallel.
Under what circumstances is this needed?
Andi
The followup I sent to Ilia gives examples of how this patch can be
used to determine whether, for instance,
On Thu, 2003-08-14 at 12:59, Ilia Alshanetsky wrote:
On August 14, 2003 03:33 pm, Robert Cummings wrote:
Actually isset() doesn't behave as it should:
$foo = null;
echo isset( $foo );
Not quite. To understand the nature of NULL you must consider the following.
Suppose you
Hi Vlad,
1. Where can I get includes and libs for MSVC++?
2. Snap builder compiles everything it can automatically :)
3. We'll do that once we get the extension building on the snaps box.
Edin
- Original Message -
From: Vlad Krupin [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent:
Marcus Börger wrote:
It is very simple:
uh oh. :)
If this is defined in a static method it is a language error. However when
mentioning this problem the acronym BC often gets used for what ever reason. I
mean the idea of the new OO model was to have OO in php at least, wasn't it ?
i can't say.
Hi,
I've done extensive work on fixing some bugs in PEAR, and have received
permission from the core PEAR developers to commit them myself. Could
someone please add cellog to the list of users with karma in
php-src/pear? PEAR 1.2 will be released by Tomas by the end of this
week, and these
Ilia Alshanetsky [EMAIL PROTECTED] a écrit dans le message de
news:[EMAIL PROTECTED]
Do we really need this function? I see 2 ways of 'implementing' this
functionality in PHP without having to add another function. For example:
(isset($var) || is_null($var)) or gettype($var).
Sure its really
On Fri, 8 Aug 2003, Mehdi Achour wrote:
Hi there,
What should I do when I find bad protos in the php-src files while I'm
looking at them for documentation purpose ? Should I throw a mail here,
a unified diff to the source files correcting protos, or should I just
close my eyes and
The patch was applied, thanks.
ilia
Utility is in the eye of the beholder... you may not see where it would
be useful, but I'd argue that many others do.
Cheers,
Rob.
On Thu, 2003-08-14 at 15:42, Ilia Alshanetsky wrote:
Correct, it appears my php work around may not work as an undefined variable
would gain a NULL value as soon
Hi
PHP5 should support a standardized oo way to access databases of any
type. I heard that mysqli will include a oo way to access the
database. This api should be the standard for all other database
extensions. All future extensions should have their native functions
as it is now and have to
The storage, just like $_SESSION can be any of the pre-defined settings
(mm, files or SQLite (php5)) or user and can then be stored in a
database or whatever system the user wants. (This would indeed mean that
an application_set_save_handler() will also need to be there)
I think that the
On Thu, 2003-08-14 at 13:17, Mårten Gustafson wrote:
Lars Torben Wilson ([EMAIL PROTECTED]) wrote:
unset($foo) is not the same as $foo = NULL, which is one way this
According to the manual, it is.
http://www.php.net/manual/en/language.types.null.php
/mårten.
According to the behaviour of
Ilia Alshanetsky [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
I would like to ask that all developers refrain from making commits to
the 4_3 tree until 4.3.3 final is released, unless a patch addresses a
critical issue. Critical issues are defined as the following:
1)
Wez Furlong wrote:
Please, take it off this list.
Excuse me? What's the matter?
Cristiano Duarte.
Hello Brad,
Wednesday, August 13, 2003, 8:40:37 AM, you wrote:
BB this is old subject everyone is tired of i'm sure. but since large changes
BB have been made to call_user_func[_array] recently, i want to confirm:
BB if an object calls one of its methods ($thing->foo()), any static-type
BB
Do we really need this function? I see 2 ways of 'implementing' this
functionality in PHP without having to add another function. For example:
(isset($var) || is_null($var)) or gettype($var).
Ilia
On August 13, 2003 06:25 pm, Lars Torben Wilson wrote:
Hi out there,
A few weeks ago I
- Original Message -
From: Andi Gutmans [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Thursday, August 14, 2003 5:42 PM
Subject: Re: [PHP-DEV] Re: variable_exists() patch
snip
Yes in fact I'm not either. I'm not sure this is needed at all.
Regards.
M.CHAILLAN
On Thu, 2003-08-14 at 12:41, Derick Rethans wrote:
On Thu, 14 Aug 2003, walt boring wrote:
Then please explain the logic of why
$var = null
isset($var) returns false.
In your words it will see if a variable is set (has a value).
$var IS set and DOES have a value, it just
Hi Ted,
Where is the e-mail forwarding maintenance page? I need to change the destination of mail forwarded through php.net.
Click here http://master.php.net/manage/users.php?id=37 :)
Mehdi
Translate manual php to Indonesian
Steven Brown wrote:
How is this a security hole?
E.g.,
$id = "0; drop bar";
lamesql_query("select foo from bar where id = $id");
this is also possible with oracle, oci8 and other database extensions,
mysql ist the only one where i'm sure about that chaining is *not*
supported
so the actual security
Where is the e-mail forwarding maintenance page? I need to change the destination of
mail forwarded through php.net.
Please cc: this to [EMAIL PROTECTED] and [EMAIL PROTECTED] I'll (probably) get one of
these. :-(
The userid is one I use on other projects -- no need to create the account.
On Thu, 14 Aug 2003, moshe doron wrote:
the question is what is the common php programming habit.
since there is no public recommendation on the manual (fix me here) or
somewhere else, i assume that the habit is not always to verify the data
and u can't blame the php users.
Well, that's not
translating PHP Documentation to indonesian language
On August 14, 2003 03:11 pm, walt boring wrote:
exactly why isset() is either
1) a bad name for the function or
2) 'broken'
Wrong. isset() has a very proper name is-set, which to me and other people
says that it will see if a variable is set (has a value). It does this job
admirably and it
The only problem with that approach is that you have to distribute the
php executable and your program is loaded using a command line similar
to:
Php -par someapp.par
Instead of simply:
./someapp
I know this is a small difference, but it makes a big difference when
you are dealing with
originally this mail was sent to php-dev@
Bye,
Gergely Czuczy
mailto: [EMAIL PROTECTED]
PGP pubkey: http://phoemix.harmless.hu/phoemix.pgp
iRCNet: #demoscene ICQ: 8067175
The point is, that geeks are not necessarily the outcasts
society often believes they are. The fact is that society
isn't
[EMAIL PROTECTED] wrote:
The ugliest part of this patch is that it requires special treatment
for the plainfiles wrapper in order to deal with symlink stat calls.
An alternative (and it wouldn't take much to convince me to go the
other way) would be to add a parameter to the url_stat()
I am not really convinced either that variable_exists() is
function_exists() parallel.
Under what circumstances is this needed?
Andi
At 03:18 PM 8/14/2003 +0200, [EMAIL PROTECTED] wrote:
Lars Torben Wilson [EMAIL PROTECTED] a écrit dans le message de
news:[EMAIL PROTECTED]
Hi out there,
A
On Thu, Aug 14, 2003 at 12:00:26PM -0700, walt boring wrote:
It can happen quite easily. I always develop with full warnings/errors on.
So do I.
So if for example a var isn't set for whatever reason, then trying to
access the
variable will throw a php Notice. variable_exists() would
First of all this discussion bears no relevance to the 4.3.3 release as sqlite
is NOT part of this release. Secondly this is just plain silly. PHP is not
and is not responsible for validating input. If the user chooses not to and
consequently leaves their scripts vulnerable to SQL injection it
On Thu, 14 Aug 2003 [EMAIL PROTECTED] wrote:
Greg Beaver [EMAIL PROTECTED] a écrit dans le message de
news:[EMAIL PROTECTED]
Hi,
I've done extensive work on fixing some bugs in PEAR, and have received
permission from the core PEAR developers to commit them myself. Could
someone
I am sure this has been asked dozens of times so please forgive if this is
repetitive.
I have an application from which I would like to incorporate running
scripts. I saw that I can pass files to php.exe but this is more for a batch
process and so my application wouldn't have access to any script
On Thu, 2003-08-14 at 14:01, Stefan Walk wrote:
On Thu, Aug 14, 2003 at 12:00:26PM -0700, walt boring wrote:
It can happen quite easily. I always develop with full warnings/errors on.
So do I.
So if for example a var isn't set for whatever reason, then trying to
access the
Derick Rethans [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
On Thu, 14 Aug 2003, moshe doron wrote:
the question is what is the common php programming habit.
since there is no public recommendation on the manual (fix me here) or
somewhere else, i assume that the habit is not
-Original Message-
From: Derick Rethans [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 14, 2003 12:33 AM
To: moshe doron
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP-DEV] Re: PHP 4.3.3RC3 Released
On Thu, 14 Aug 2003, moshe doron wrote:
What about hacking somehow the sqlite
On Thu, 14 Aug 2003, moshe doron wrote:
E.g.,
$id = "0; drop bar";
lamesql_query("select foo from bar where id = $id");
that's the mysql way
with sybase style (used by sqlite), there is no need for a separator, which makes the
detection even harder.
uhm? SQLite definitely needs a separator
I'm writing an Apache module and I'd like to be able to dynamically change some of
PHP's settings from within this module.
Mainly I need to be able to change the current open_basedir value, although there
are others as well.
Is there a function call or code sequence that will let me change
Cesare D'Amico wrote:
joke
Why not stopping support for forms then? Drop $_GET, $_POST and
$_REQUEST! They're EVIL!
That way everyone is *really* safe from sql injection :-)
/joke
thats what PERLs TAINT mode is for ;)
(see for http://gunther.web66.com/FAQS/taintmode.html)
--
Hartmut
Alle 11:18, giovedì 14 agosto 2003, moshe doron ha scritto:
How about a form of dos:
'...where id = '.$id
with $id = '23129 or 1'
this will select all entries in the table which could result in
DoS...
So, ultimately this problem is the coder's responsibility.
DoS are not
Steven Brown [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
-Original Message-
From: Derick Rethans [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 14, 2003 12:33 AM
To: moshe doron
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP-DEV] Re: PHP 4.3.3RC3 Released
On
Am Donnerstag, 14.08.03 um 07:14 Uhr schrieb Mark Morley:
I'm writing an Apache module and I'd like to be able to dynamically
change some of
PHP's settings from within this module.
Mainly I need to be able to change the current open_basedir value,
although there
are others as well.
Marc Boeren [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
that's the point. if the cracker can change only the end of
the query, it's not so useful for him (he can maximum get other id)
How about a form of dos:
'...where id = '.$id
with $id = '23129 or 1'
this will