Re: [PHP] Apache
De: Ashley Sheridan a...@ashleysheridan.co.uk
Para: m...@nikha.org; Domain nikha.org m...@nikha.org
Cc: php-general@lists.php.net
Enviadas: Quarta-feira, 25 de Setembro de 2013 2:22
Assunto: Re: [PHP] Apache
Domain nikha.org m...@nikha.org wrote:
Ashley Sheridan am Montag, 23. September 2013 - 21:35:
No, no, no! That is not a good stand-in for fundamental security
principles!
This is a better method for ensuring an image is really an image:
?php
if(isset($_FILES['file']))
{
list($width, $height) = getimagesize($_FILES['file']['tmp_name']);
if($width $height)
{
$source = imagecreatefromjpeg($_FILES['file']['tmp_name']);
$dest = imagecreatetruecolor($width, $height);
imagecopyresampled($dest, $source,
0, 0, 0, 0,
$width, $height, $width, $height);
imagejpeg($dest, basename($_FILES['file']['tmp_name']));
}
else
echo {$_FILES['file']['name']} is not a jpeg;
}
?
form enctype=multipart/form-data method=post
input type=file name=file/
input type=submit name=submit value=submit/
/form
Obviously it's only rough, and checks only for jpeg images, but
that's
easy to alter. I've just tested this with a regular jpeg, the same
jpeg
with PHP code concatenated onto the end (which still appears to be a
valid image to viewing/editing software) and a pure PHP file with a
.jpg
extension. In the case of the first 2, a new jpeg is generated with
the
same image and without the code. The third example just echoes out an
error.
Dear Ashley, nice, but useless for this problem!
The problem was to do with an image upload, so no, not useless.
First, because users may upload other things than images! PDF's, audio
files, videos etc!
In an earlier email I detailed some methods for validating other types, such as
DomDocument for HTML, XML, svg, etc, or fpdf for PDF.
And on behalf images: GD you are using handles only
jpeg, gif and png. There are about hunderd other image types on the
way,
At the moment those are the 3 raster formats you can use on the web, so those
are the ones that pose an issue. If you're using anything else, it's not for
web and doesn't need to be in a publicly accessible location.
users can upload! How to detect them, if the extension is missleading?
The extension comes from the user. Never trust the user, ever.
And even if we succeed: As your script demonstrates very well,
malicious
code does not affect the rendering of the image.
My script does effectively strip out malicious code though, even if it can't
easily be seen.
The hacker says: Hi,
this is a nice picture, play it, and then, please do this--follows his
code, that can be a desaster for the whole system.
Social engineering is a whole different issue.
Yes, your script seems to purge the image file, simply because GD does
not copy the malware code. But why are you sure about that? You cannot
see that code, OK, but may be it was executed in the plain GD
environement?
GD isn't a PHP parser, and PHP doesn't execute the image before GD touches it.
Infact, Apache isn't even involved between GD and the image at that point, so
it won't suffer from this bad config.
What you are doing is dangerous, because you force the
execution of things that should be never executed!
Erm, no, the image isn't being executed.
no no no forget it. After all we cannot exclude that users come in
with malware.
If you think it's fine that a user be able to upload malware, then you're going
to have a very bad time.
But we MUST exclude, it is executed on the web server.
This is important too, but in this profession belt and braces is best I
believe.
That is the Apache chainsaw massacre as Steward whould say. And
probably
it can be avoided by purging the filenames (not the files!).
Nevertheless, the standard configuration of the Apache servers is
basically unacceptable. It must execute user requests and never ever
user files! Period.
Have nice days,
Niklaus
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Thanks,
Ash
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Sorry for this late post but I'm amazed nobody consulted the doco.
The php.net site has a whole section titled Handling File Uploads.
Also check out finfo_open and finfo_file.
If your are a windoze user you need a dll.
If you want Apache to handle PUT requests you MUST tell it to run a script as
it cannot write to web root.
HTH
Robert
RE: [PHP] Apache
On 23 Sep 2013, at 11:37, Domain nikha.org m...@nikha.org wrote: Tamara Temple am Montag, 23. September 2013 - 06:49: GoDaddy's default plesk-generated configuration for FastCGI-served PHP files only looked to see if the file contained .php somewhere on it's path - i.e. it would happily execute 'malicilous.php.txt' as php code, even something ridiculous like 'malware.phpnoreallyiwantthistorun'. Yes, looks stupid. But my service prodider wrote me this, I quote: ---QUOTE--- This is because Apache offers features like language negotiation based on extensions, too -- the final extension doesn't always just specify the handler; it can specify other things. Apache can automatically pick a German-language script from these, for example: file.php.de file.php.en Whether this is a good idea or not is debatable. It's possible to set things up in a different way (using FilesMatch instead of AddHandler) to avoid this particular problem, but that breaks other things, so there's no perfect solution. More generally, the real problem is that scripts are looking at the final extension of uploaded files to decide whether they're safe or not, which is dangerous. They're simply assuming that a .gif file can't run a PHP interpreter, for example... which is usually true, but certainly not always: some people run all their files through PHP. ---END QUOTE--- This is somewhat daft. Yes, Apache offers this feature, but you don't need to configure it to work will all extensions. I'd be curious to know what their issue is with using FilesMatch, since that provides a way to disable this behaviour. And, honestly, who would have a PHP file per language? I think it's perfectly reasonable to not allow that, because duplicating PHP code across many files is an incredible stupid way to support multiple languages. Some people run all their files through PHP - true, but that doesn't mean they should, or that you, as a responsible web host, should be endorsing it. The problem is the weak PHP upload mechanism! As workaround my service provider tries to block suspicious filenames, but the PHP developpers themself should work on this severe security problem. PHP developers should absolutely validate all content coming in from users in every possible way, but I would be highly dubious about trusting a host who gives the reason above for what I consider a lax and insecure Apache configuration. It's like saying they sliced your arm off with their chainsaw because it's made for cutting things, attempting to dodge all responsibility for having swung it in your direction! -Stuart -- It seems this is the standard apache configuration, but that's no excuse. Googling returned many results where this was described as a major security threat e.g. Beware of the default Apache 2 config for PHP http://ilia.ws/archives/226-Beware-of-the-default-Apache-2-config-for-PHP.ht ml On that site the solution was to change AddHandler to AddType. My service provider is going the FilesMatch route. Cheers Arno -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache
Ashley Sheridan am Montag, 23. September 2013 - 21:35:
No, no, no! That is not a good stand-in for fundamental security
principles!
This is a better method for ensuring an image is really an image:
?php
if(isset($_FILES['file']))
{
list($width, $height) = getimagesize($_FILES['file']['tmp_name']);
if($width $height)
{
$source = imagecreatefromjpeg($_FILES['file']['tmp_name']);
$dest = imagecreatetruecolor($width, $height);
imagecopyresampled($dest, $source,
0, 0, 0, 0,
$width, $height, $width, $height);
imagejpeg($dest, basename($_FILES['file']['tmp_name']));
}
else
echo {$_FILES['file']['name']} is not a jpeg;
}
?
form enctype=multipart/form-data method=post
input type=file name=file/
input type=submit name=submit value=submit/
/form
Obviously it's only rough, and checks only for jpeg images, but
that's
easy to alter. I've just tested this with a regular jpeg, the same
jpeg
with PHP code concatenated onto the end (which still appears to be a
valid image to viewing/editing software) and a pure PHP file with a
.jpg
extension. In the case of the first 2, a new jpeg is generated with
the
same image and without the code. The third example just echoes out an
error.
Dear Ashley, nice, but useless for this problem!
First, because users may upload other things than images! PDF's, audio
files, videos etc! And on behalf images: GD you are using handles only
jpeg, gif and png. There are about hunderd other image types on the way,
users can upload! How to detect them, if the extension is missleading?
And even if we succeed: As your script demonstrates very well, malicious
code does not affect the rendering of the image. The hacker says: Hi,
this is a nice picture, play it, and then, please do this--follows his
code, that can be a desaster for the whole system.
Yes, your script seems to purge the image file, simply because GD does
not copy the malware code. But why are you sure about that? You cannot
see that code, OK, but may be it was executed in the plain GD
environement? What you are doing is dangerous, because you force the
execution of things that should be never executed!
no no no forget it. After all we cannot exclude that users come in
with malware. But we MUST exclude, it is executed on the web server.
That is the Apache chainsaw massacre as Steward whould say. And probably
it can be avoided by purging the filenames (not the files!).
Nevertheless, the standard configuration of the Apache servers is
basically unacceptable. It must execute user requests and never ever
user files! Period.
Have nice days,
Niklaus
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache
Tamara Temple am Montag, 23. September 2013 - 22:38: On Sep 23, 2013, at 1:36 PM, Domain nikha.org m...@nikha.org wrote: Better solutions? One I have used, and continue to use in Apache environments, is place uploads only in a place where they cannot be executed by turning off such options and handlers in that directory. This is *in addition* to untainting files and names of uploaded files. Good idea. I will do this right now Niklaus -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache
Domain nikha.org m...@nikha.org wrote:
Ashley Sheridan am Montag, 23. September 2013 - 21:35:
No, no, no! That is not a good stand-in for fundamental security
principles!
This is a better method for ensuring an image is really an image:
?php
if(isset($_FILES['file']))
{
list($width, $height) = getimagesize($_FILES['file']['tmp_name']);
if($width $height)
{
$source = imagecreatefromjpeg($_FILES['file']['tmp_name']);
$dest = imagecreatetruecolor($width, $height);
imagecopyresampled($dest, $source,
0, 0, 0, 0,
$width, $height, $width, $height);
imagejpeg($dest, basename($_FILES['file']['tmp_name']));
}
else
echo {$_FILES['file']['name']} is not a jpeg;
}
?
form enctype=multipart/form-data method=post
input type=file name=file/
input type=submit name=submit value=submit/
/form
Obviously it's only rough, and checks only for jpeg images, but
that's
easy to alter. I've just tested this with a regular jpeg, the same
jpeg
with PHP code concatenated onto the end (which still appears to be a
valid image to viewing/editing software) and a pure PHP file with a
.jpg
extension. In the case of the first 2, a new jpeg is generated with
the
same image and without the code. The third example just echoes out an
error.
Dear Ashley, nice, but useless for this problem!
The problem was to do with an image upload, so no, not useless.
First, because users may upload other things than images! PDF's, audio
files, videos etc!
In an earlier email I detailed some methods for validating other types, such as
DomDocument for HTML, XML, svg, etc, or fpdf for PDF.
And on behalf images: GD you are using handles only
jpeg, gif and png. There are about hunderd other image types on the
way,
At the moment those are the 3 raster formats you can use on the web, so those
are the ones that pose an issue. If you're using anything else, it's not for
web and doesn't need to be in a publicly accessible location.
users can upload! How to detect them, if the extension is missleading?
The extension comes from the user. Never trust the user, ever.
And even if we succeed: As your script demonstrates very well,
malicious
code does not affect the rendering of the image.
My script does effectively strip out malicious code though, even if it can't
easily be seen.
The hacker says: Hi,
this is a nice picture, play it, and then, please do this--follows his
code, that can be a desaster for the whole system.
Social engineering is a whole different issue.
Yes, your script seems to purge the image file, simply because GD does
not copy the malware code. But why are you sure about that? You cannot
see that code, OK, but may be it was executed in the plain GD
environement?
GD isn't a PHP parser, and PHP doesn't execute the image before GD touches it.
Infact, Apache isn't even involved between GD and the image at that point, so
it won't suffer from this bad config.
What you are doing is dangerous, because you force the
execution of things that should be never executed!
Erm, no, the image isn't being executed.
no no no forget it. After all we cannot exclude that users come in
with malware.
If you think it's fine that a user be able to upload malware, then you're going
to have a very bad time.
But we MUST exclude, it is executed on the web server.
This is important too, but in this profession belt and braces is best I
believe.
That is the Apache chainsaw massacre as Steward whould say. And
probably
it can be avoided by purging the filenames (not the files!).
Nevertheless, the standard configuration of the Apache servers is
basically unacceptable. It must execute user requests and never ever
user files! Period.
Have nice days,
Niklaus
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Thanks,
Ash
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache
Ashley Sheridan am Dienstag, 24. September 2013 - 18:22: In an earlier email I detailed some methods for validating other types, such as DomDocument for HTML, XML, svg, etc, or fpdf for PDF. Fine, gratulations! And on behalf images: GD you are using handles only jpeg, gif and png. There are about hunderd other image types on the way, At the moment those are the 3 raster formats you can use on the web, so those are the ones that pose an issue. If you're using anything else, it's not for web and doesn't need to be in a publicly accessible location. Why that???!!! Why should users only upload files, that are used for web, and what does this mean, for web? Users may store personal files on your host, because they use your website as a cloud, as it is said today. Not for web, but for personal use on everey computer connected to the internet! That is absolutly legitime and the ONLY reason to offer file uploading I can imagine! I allow it only for authenticated, subscribed users. Nevertheless those trusted users may upload (unintenionally!) infected files. And again: No virus was ever written for web, but to harm computersystems, clients and servers. They are just distributed via web. Whould be great we could block them, and I appreciate your efforts to do this. But sorry, your script shows me, that this cannot be done this way! Perhaps, if you are right and GD processing really is harmless (I'm in doubt), we have a clean jpeg (or gif or png). And then? What's about the rest? Keep in mind, that PHP is a scripting framework to create websites, certainly not a tool for virus detection! And we have a big problem with the Apache web server, not because Apache serves possibly infected files, but because all kind of files are NOT served, but passed to the script interpreter! That's awfull enough, and opens a new exploit! The hacker says: Hi, this is a nice picture, play it, and then, please do this--follows his code, that can be a desaster for the whole system. Social engineering is a whole different issue. yes, what I tried to describe is criminal. Niklaus -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache
Domain nikha.org m...@nikha.org wrote: Ashley Sheridan am Dienstag, 24. September 2013 - 18:22: In an earlier email I detailed some methods for validating other types, such as DomDocument for HTML, XML, svg, etc, or fpdf for PDF. Fine, gratulations! And on behalf images: GD you are using handles only jpeg, gif and png. There are about hunderd other image types on the way, At the moment those are the 3 raster formats you can use on the web, so those are the ones that pose an issue. If you're using anything else, it's not for web and doesn't need to be in a publicly accessible location. Why that???!!! Why should users only upload files, that are used for web, and what does this mean, for web? Users may store personal files on your host, because they use your website as a cloud, as it is said today. Not for web, Ok, imagine this scenario. A user uploads a .tif. this isn't a web format, so we treat it as a binary file, uploading to a non web accessible area of the site. Tell me again where the exploit is please. but for personal use on everey computer connected to the internet! That is absolutly legitime and the ONLY reason to offer file uploading I can imagine! I allow it only for authenticated, subscribed users. Nevertheless those trusted users may upload (unintenionally!) infected files. And again: No virus was ever written for web, Not exactly true, but beyond the scope of this discussion I think but to harm computersystems, clients and servers. They are just distributed via web. Whould be great we could block them, and I appreciate your efforts to do this. But sorry, your script shows me, that this cannot be done this way! Tell me how you would get a jpg past that example and I'll look into it, as I explained that was an example not a full solution. We don't tend to just write full code for people here. Perhaps, if you are right and GD processing really is harmless (I'm in doubt), Evidence? Either give some or stop saying GD isn't secure. The PHP community needs less hyperbole and more facts. we have a clean jpeg (or gif or png). And then? What's about the rest? Keep in mind, that PHP is a scripting framework to create websites, certainly not a tool for virus detection! And we have a big problem with the Apache web server, not because Apache serves possibly infected files, but because all kind of files are NOT served, but passed to the script interpreter! that's a bad Apache setup, which I'm not saying isn't a problem, but your original solution doesn't even cover validation. That's awfull enough, and opens a new exploit! The hacker says: Hi, this is a nice picture, play it, and then, please do this--follows his code, that can be a desaster for the whole system. Social engineering is a whole different issue. yes, what I tried to describe is criminal. Niklaus Thanks, Ash -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache
Tamara Temple am Montag, 23. September 2013 - 06:49: GoDaddy's default plesk-generated configuration for FastCGI-served PHP files only looked to see if the file contained .php somewhere on it's path - i.e. it would happily execute 'malicilous.php.txt' as php code, even something ridiculous like 'malware.phpnoreallyiwantthistorun'. Yes, looks stupid. But my service prodider wrote me this, I quote: ---QUOTE--- This is because Apache offers features like language negotiation based on extensions, too -- the final extension doesn't always just specify the handler; it can specify other things. Apache can automatically pick a German-language script from these, for example: file.php.de file.php.en Whether this is a good idea or not is debatable. It's possible to set things up in a different way (using FilesMatch instead of AddHandler) to avoid this particular problem, but that breaks other things, so there's no perfect solution. More generally, the real problem is that scripts are looking at the final extension of uploaded files to decide whether they're safe or not, which is dangerous. They're simply assuming that a .gif file can't run a PHP interpreter, for example... which is usually true, but certainly not always: some people run all their files through PHP. ---END QUOTE--- The problem is the weak PHP upload mechanism! As workaround my service provider tries to block suspicious filenames, but the PHP developpers themself should work on this severe security problem. Niklaus -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache
On 23 Sep 2013, at 11:37, Domain nikha.org m...@nikha.org wrote: Tamara Temple am Montag, 23. September 2013 - 06:49: GoDaddy's default plesk-generated configuration for FastCGI-served PHP files only looked to see if the file contained .php somewhere on it's path - i.e. it would happily execute 'malicilous.php.txt' as php code, even something ridiculous like 'malware.phpnoreallyiwantthistorun'. Yes, looks stupid. But my service prodider wrote me this, I quote: ---QUOTE--- This is because Apache offers features like language negotiation based on extensions, too -- the final extension doesn't always just specify the handler; it can specify other things. Apache can automatically pick a German-language script from these, for example: file.php.de file.php.en Whether this is a good idea or not is debatable. It's possible to set things up in a different way (using FilesMatch instead of AddHandler) to avoid this particular problem, but that breaks other things, so there's no perfect solution. More generally, the real problem is that scripts are looking at the final extension of uploaded files to decide whether they're safe or not, which is dangerous. They're simply assuming that a .gif file can't run a PHP interpreter, for example... which is usually true, but certainly not always: some people run all their files through PHP. ---END QUOTE--- This is somewhat daft. Yes, Apache offers this feature, but you don't need to configure it to work will all extensions. I'd be curious to know what their issue is with using FilesMatch, since that provides a way to disable this behaviour. And, honestly, who would have a PHP file per language? I think it's perfectly reasonable to not allow that, because duplicating PHP code across many files is an incredible stupid way to support multiple languages. Some people run all their files through PHP - true, but that doesn't mean they should, or that you, as a responsible web host, should be endorsing it. The problem is the weak PHP upload mechanism! As workaround my service provider tries to block suspicious filenames, but the PHP developpers themself should work on this severe security problem. PHP developers should absolutely validate all content coming in from users in every possible way, but I would be highly dubious about trusting a host who gives the reason above for what I consider a lax and insecure Apache configuration. It's like saying they sliced your arm off with their chainsaw because it's made for cutting things, attempting to dodge all responsibility for having swung it in your direction! -Stuart -- Stuart Dallas 3ft9 Ltd http://3ft9.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache
Stuart Dallas am Montag, 23. September 2013 - 12:58: And, honestly, who would have a PHP file per language? I think it's perfectly reasonable to not allow that, because duplicating PHP code across many files is an incredible stupid way to support multiple languages. I agree!! Didn't even know, that this kind of faked language support exists... Some people run all their files through PHP - true, but that doesn't mean they should, or that you, as a responsible web host, should be endorsing it. PHP developers should absolutely validate all content coming in from users in every possible way, but I would be highly dubious about trusting a host who gives the reason above for what I consider a lax and insecure Apache configuration. It's like saying they sliced your arm off with their chainsaw because it's made for cutting things, attempting to dodge all responsibility for having swung it in your direction! OK, in principle, I also agree. But this case is very easy to handle. I'm simply running str_replace() against dangerous parts of uploaded filenames, .php for instance. After that, Apache in every configuration will just serve, and never execute user uploaded files. Remains the risk on the clients side, I must concede. Better solutions? Nice days, Niklaus -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache
On Mon, 2013-09-23 at 20:36 +0200, Domain nikha.org wrote:
Stuart Dallas am Montag, 23. September 2013 - 12:58:
And, honestly, who would have a PHP file per language? I think it's
perfectly reasonable to not allow that, because duplicating PHP code
across many files is an incredible stupid way to support multiple
languages.
I agree!! Didn't even know, that this kind of faked language support
exists...
Some people run all their files through PHP - true, but that doesn't
mean they should, or that you, as a responsible web host, should be
endorsing it.
PHP developers should absolutely validate all content coming in from
users in every possible way, but I would be highly dubious about
trusting a host who gives the reason above for what I consider a lax and
insecure Apache configuration. It's like saying they sliced your arm off
with their chainsaw because it's made for cutting things, attempting to
dodge all responsibility for having swung it in your direction!
OK, in principle, I also agree. But this case is very easy to handle.
I'm simply running str_replace() against dangerous parts of uploaded
filenames, .php for instance. After that, Apache in every
configuration will just serve, and never execute user uploaded files.
Remains the risk on the clients side, I must concede. Better solutions?
Nice days,
Niklaus
No, no, no! That is not a good stand-in for fundamental security
principles!
This is a better method for ensuring an image is really an image:
?php
if(isset($_FILES['file']))
{
list($width, $height) = getimagesize($_FILES['file']['tmp_name']);
if($width $height)
{
$source = imagecreatefromjpeg($_FILES['file']['tmp_name']);
$dest = imagecreatetruecolor($width, $height);
imagecopyresampled($dest, $source,
0, 0, 0, 0,
$width, $height, $width,
$height);
imagejpeg($dest, basename($_FILES['file']['tmp_name']));
}
else
echo {$_FILES['file']['name']} is not a jpeg;
}
?
form enctype=multipart/form-data method=post
input type=file name=file/
input type=submit name=submit value=submit/
/form
Obviously it's only rough, and checks only for jpeg images, but that's
easy to alter. I've just tested this with a regular jpeg, the same jpeg
with PHP code concatenated onto the end (which still appears to be a
valid image to viewing/editing software) and a pure PHP file with a .jpg
extension. In the case of the first 2, a new jpeg is generated with the
same image and without the code. The third example just echoes out an
error.
Thanks,
Ash
http://www.ashleysheridan.co.uk
Re: [PHP] Apache
On Sep 23, 2013, at 1:36 PM, Domain nikha.org m...@nikha.org wrote: Better solutions? One I have used, and continue to use in Apache environments, is place uploads only in a place where they cannot be executed by turning off such options and handlers in that directory. This is *in addition* to untainting files and names of uploaded files. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Apache
Hi Arno!
Seems to be the standard behaviour of Apache servers all over the
world!
I was testing this way:
First I renamed a real, proper GIF-file to this.php.nice.gif, put it
in the root of my websites and called it with the browser. Result:
Error 500 Internal Server Error. The logfile tells: Premature end of
script headers: this.php.nice.gif.
Then I did infect the same GIF-file with some PHP-Code (?php echo
Hello, I'm evel; ?), renamed it to this.php.evel.gif, put it in the
root, called it with the browser. The result was exactly the same: Error
500, Premature end of script headers.
That means, wether the file is infected or not, it IS passed to the PHP
interpreter only because it contains somewehere .php in his name!
Then I renamed a real PHP script to test.php.gif. This finaly produced
the following response from my web hoster:
_QUOTE_
Files with Extra .php. Extension
If you were directed to this page, you probably tried viewing a file
that contains .php. in its name, such as image.php.jpeg or image.php.
(note the extra dot at the end).
The site you were visiting uses the Apache Web server, which will
usually attempt to run such files as PHP scripts (instead of allowing
your browser to display them as images, or completely failing to run
them, as you'd probably expect).
Allowing those files to run as a PHP script is a security vulnerability,
as seen in exploits for WordPress and Joomla. Because of that, we block
requests to these files.
If youre the owner of this site and you want to use a real image that
includes .php. as part of the name, please rename the file.
_END QUOTE_
Sounds reasonable. And means, you really must protect your uploadings.
A simple way:
$filename = str_replace('.php', '', $_FILES['userfile']['name']);
move_uploaded_file($_FILES['userfile']['tmp_name'],
'yourdirectory/'.$filename);
Hope, this helps,
Niklaus
Arno Kuhl am Donnerstag, 19. September 2013 - 16:14:
Arno: If you can request that file using a web browser, and it gets
executed
as PHP on your server then there is an error in the Apache
configuration.
Easy test: create a file in a text editor containing some PHP (?php
phpinfo(); ? would be enough) and upload it to the www root of your
site
and name it test.pgif. Then hit http://www.yourdomain.com/test.pgif in
your
browser. If you see the PHP code or an error then you're fine. If you
see
PHP's info page then you need to change web host as quickly as
possible. I
don't care if they fix it - the fact their server was configured to do
this
by default is enough for me to never trust them again.
-Stuart
--
Thanks Stuart. I just tried it now, test.php.pgif displayed the info
while
test.xyz.pgif returned the content, confirming the problem. My
service
provider finally conceded the problem is on their side and are looking
for
an urgent fix, much too complicated to consider moving service
providers in
the short term.
As a side note, the sp said the issue is new and coincided with an
upgrade
to fastcgi recently, I wonder if the hacker was exploiting a known
issue
with that scenario?
Cheers
Arno
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache to serve RESTful requests using PHP
On 10 Feb 2013, at 06:57, AmirBehzad Eslami behzad.esl...@gmail.com wrote: Stuart, thanks for your detailed response. I find it unlikely that Apache is your bottleneck, especially with a service involving MySQL. How have you come to this conclusion? Apache is the entry-point to our service, and I did a benchmark with AB to see how it can handle concurrent requests in a timely fashion. After a number of 50 concurrent requests, the average time per request reached from less than a second to 5 seconds. I *strongly* recommend you try the same test with nginx. Unless this is due to the way your code works I'm confident you'll see this effect disappear! As far as keep-alive goes, how frequently will individual clients be accessing the service? There are only a few clients that call the service. These clients are PHP-driven web pages. Each page has its own unique ClickID and a set of other unique parameters per user visit. These pages send these parameters to the service using php-curl, and expect a generated response to be returned. That's why I'm saying each request and response is unique. Whenever a user visits a web-page, there would be a call to the web-service. At the moment, we don't know number of concurrent visits. We're looking for a way to figure that out in Apache. Is there a way to see if the requests are using the previously keep-alived http channel? Because same client will send requests to the service, and I'm curious to know if the Apache will allocate the already-opened channel, or will create a new one? If it's making one request to your service per page request, keep-alive is pointless as it won't be able to reuse the connection. In this instance I would turn keep-alive off. If you are using joins to pull in extra data (i.e. IDs to a name or similar) look at using Memcache for those, but make sure that when they're updated in the DB they're also updated in Memcache. Memcache or Redis, I'm going to add a caching layer between MySQL and PHP, to store the de-normilized data. For simple caching I'd recommend Memcache over Redis, purely because Redis is more complex due to its support for sets, queues and other very useful stuff. The only reason I'd use Redis for simple caching is because it can periodically flush the cache to disk so if it has to restart it can start with a primed cache. However, in most cases that is not a huge advantage. If each request and response is unique you need to be careful about what you choose to cache such that you don't incur caching costs without reaping benefits that make it worthwhile. -Stuart -- Stuart Dallas 3ft9 Ltd http://3ft9.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache to serve RESTful requests using PHP
Bastien Koert On 2013-02-09, at 11:42 AM, AmirBehzad Eslami behzad.esl...@gmail.com wrote: Dear list, We're a developing a PHP-driven web service with a RESTful API, and we have a dedicated Linux server for that with 6GB of RAM. Since this service will be used by many clients in a concurrent manner, we'll face with a high-load on our web-server. But web-services are different from web pages, for instance they don't include images, or in this case we only serve JSON. I'm wondering what are the recommended configurations for the Apache web-server in these situations? Should we disable keep-avlie? What about other directives? Apache is our bottleneck, and we're trying to optimize it. Should we use nginx instead? Please let me know your suggestions. Thank you, -behzad How much of that data is cachable? You're likely to get bigger performance gains from caching frequent data. Keep-alive at maybe 1 second. But would need to know more about the app to be able to suggest more Bastien -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache to serve RESTful requests using PHP
Bastein, Response is unique per request, and not cachable. The app fetches records from MySQL (say, templates), performs a process on them, and returns the generated output as JSON. We were thinking to use Redis to reduce queries against MySQL, but still Apache will remain as our bottleneck. On Sun, Feb 10, 2013 at 1:00 AM, Bastien phps...@gmail.com wrote: Bastien Koert On 2013-02-09, at 11:42 AM, AmirBehzad Eslami behzad.esl...@gmail.com wrote: Dear list, We're a developing a PHP-driven web service with a RESTful API, and we have a dedicated Linux server for that with 6GB of RAM. Since this service will be used by many clients in a concurrent manner, we'll face with a high-load on our web-server. But web-services are different from web pages, for instance they don't include images, or in this case we only serve JSON. I'm wondering what are the recommended configurations for the Apache web-server in these situations? Should we disable keep-avlie? What about other directives? Apache is our bottleneck, and we're trying to optimize it. Should we use nginx instead? Please let me know your suggestions. Thank you, -behzad How much of that data is cachable? You're likely to get bigger performance gains from caching frequent data. Keep-alive at maybe 1 second. But would need to know more about the app to be able to suggest more Bastien
Re: [PHP] Apache to serve RESTful requests using PHP
On 9 Feb 2013, at 16:42, AmirBehzad Eslami behzad.esl...@gmail.com wrote: We're a developing a PHP-driven web service with a RESTful API, and we have a dedicated Linux server for that with 6GB of RAM. Since this service will be used by many clients in a concurrent manner, we'll face with a high-load on our web-server. But web-services are different from web pages, for instance they don't include images, or in this case we only serve JSON. I'm wondering what are the recommended configurations for the Apache web-server in these situations? Should we disable keep-avlie? What about other directives? Apache is our bottleneck, and we're trying to optimize it. Should we use nginx instead? I find it unlikely that Apache is your bottleneck, especially with a service involving MySQL. How have you come to this conclusion? I would personally recommend nginx + php-fpm over Apache + mod-php every time. The pre-request memory footprint is massively reduced and I've seen nothing but upsides since migrating most of my client's sites, and my own. As far as keep-alive goes, how frequently will individual clients be accessing the service? Are they likely to be using client software that supports keep-alive? You basically want to weigh up the cost of potentially keeping the connection open against the likelihood that the majority of clients will make use of it for multiple requests. My gut reaction based on your description would be to set it to 1 as suggested by Bastien so it has minimal impact while still allowing clients who support it to be that bit more efficient. Focus your optimisation efforts on MySQL. If the bulk of requests will be reads you'll benefit from read-only slaves. If the data can be neatly sharded then that's definitely worth investigating. When writing data get it as close to the structure that will be needed when reading, including de-normalising it if necessary. If you are using joins to pull in extra data (i.e. IDs to a name or similar) look at using Memcache for those, but make sure that when they're updated in the DB they're also updated in Memcache. Do the DB query, get all the Memcache keys you need a do a multi-get request. The other way to do this is to de-normalise as discussed above, but that makes updating the data very expensive (as every row needs to be updated). In my tests breaking it out to a Memcache instance was far more efficient. At the end of the day there will always be things you can do that are only applicable to your service, but the general rule is to need to do as little as possible to serve the data when it's requested, shifting as much of the work as possible to when it is written (assuming a mostly-read service). -Stuart -- Stuart Dallas 3ft9 Ltd http://3ft9.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache to serve RESTful requests using PHP
On Sat, Feb 9, 2013 at 12:21 PM, Stuart Dallas stu...@3ft9.com wrote: On 9 Feb 2013, at 16:42, AmirBehzad Eslami behzad.esl...@gmail.com wrote: We're a developing a PHP-driven web service with a RESTful API, and we have a dedicated Linux server for that with 6GB of RAM. I would personally recommend nginx + php-fpm over Apache + mod-php every time. The pre-request memory footprint is massively reduced and I've seen nothing but upsides since migrating most of my client's sites, and my own. +1 for nginx+php-fpm - the memory savings on this are incredible; while I keep using Apache as a general purpose server, nginx+php-fpm is really ideal for large scale php applications. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache to serve RESTful requests using PHP
Stuart, thanks for your detailed response. I find it unlikely that Apache is your bottleneck, especially with a service involving MySQL. How have you come to this conclusion? Apache is the entry-point to our service, and I did a benchmark with AB to see how it can handle concurrent requests in a timely fashion. After a number of 50 concurrent requests, the average time per request reached from less than a second to 5 seconds. On the other hand, the MySQL's slow_query_log was clear, with long_query_time = 1. Our MySQL database consists of less than 200 records, distributed in normalized tables, yes, queries are making joins, but the overall performance is OK. As far as keep-alive goes, how frequently will individual clients be accessing the service? There are only a few clients that call the service. These clients are PHP-driven web pages. Each page has its own unique ClickID and a set of other unique parameters per user visit. These pages send these parameters to the service using php-curl, and expect a generated response to be returned. That's why I'm saying each request and response is unique. Whenever a user visits a web-page, there would be a call to the web-service. At the moment, we don't know number of concurrent visits. We're looking for a way to figure that out in Apache. Is there a way to see if the requests are using the previously keep-alived http channel? Because same client will send requests to the service, and I'm curious to know if the Apache will allocate the already-opened channel, or will create a new one? If you are using joins to pull in extra data (i.e. IDs to a name or similar) look at using Memcache for those, but make sure that when they're updated in the DB they're also updated in Memcache. Memcache or Redis, I'm going to add a caching layer between MySQL and PHP, to store the de-normilized data. I'm starting to learn more about nginx + php-fpm, thanks for sharing your positive experience about this. -behzad
Re: [PHP] Apache 2.4.1 and php?
On Fri, Feb 24, 2012 at 3:58 AM, Daniel Fenn danielx...@gmail.com wrote: Hi, Just a quick question, will I be able to run Apache 2.4.1 and php 5.3.10 together? Or will I need to wait for php to be updated? I'm setting this up on CentOs 6.2 Regards, Daniel Fenn -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php you can run both. make sure you have proper configuration for each
Re: [PHP] Apache 2.4.1 and php?
Hi Daniel, You should be able to. Haven't tried it with that specific version, but generally PHP is designed to run with any version of Apache. If it doesn't work as a module you should always be able to compile it as a fastcgi application and that should work. Then you can even setup different users to run PHP, making it more controllable security-wise. Cheers, Tim Twitter: @timhheuer Blog: http://www.thheuer.com On Fri, Feb 24, 2012 at 10:24 PM, Fatih P. fatihpirist...@gmail.com wrote: On Fri, Feb 24, 2012 at 3:58 AM, Daniel Fenn danielx...@gmail.com wrote: Hi, Just a quick question, will I be able to run Apache 2.4.1 and php 5.3.10 together? Or will I need to wait for php to be updated? I'm setting this up on CentOs 6.2 Regards, Daniel Fenn -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php you can run both. make sure you have proper configuration for each
Re: [PHP] Apache 2.4.1 and php?
Hey guys, Thank-you for getting back to me. Considering that I'm building everything again from the ground up, I think I will make the change from running mod_php and go for a fastcgi setup. My only other question is, if I go with fastcgi will it work with accelerators such as APC and xcache? I heard that some setup doesn't work well with accelerators because of the fact the cache get cleared when php is not running. Regards, Daniel Fenn On Fri, Feb 24, 2012 at 9:51 PM, German Geek geek...@gmail.com wrote: Hi Daniel, You should be able to. Haven't tried it with that specific version, but generally PHP is designed to run with any version of Apache. If it doesn't work as a module you should always be able to compile it as a fastcgi application and that should work. Then you can even setup different users to run PHP, making it more controllable security-wise. Cheers, Tim Twitter: @timhheuer Blog: http://www.thheuer.com On Fri, Feb 24, 2012 at 10:24 PM, Fatih P. fatihpirist...@gmail.com wrote: On Fri, Feb 24, 2012 at 3:58 AM, Daniel Fenn danielx...@gmail.com wrote: Hi, Just a quick question, will I be able to run Apache 2.4.1 and php 5.3.10 together? Or will I need to wait for php to be updated? I'm setting this up on CentOs 6.2 Regards, Daniel Fenn -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php you can run both. make sure you have proper configuration for each -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache and PHP segfaults on Redhat EL5
On Thu, Jan 6, 2011 at 22:55, Jimmy Stewpot mail...@oranged.to wrote: Is there a method or way that I can enable a 'debug' mode in php which would help me track down and identify the root cause of these problems? If anyone has any suggestions on what I can do to try and get further down the track to enlightenment I would be really appreciated. Natively, no, but the de facto standard is Derick's Xdebug package (http://xdebug.org/). If you can, compile PHP from source and do away with the EL5 package. That'll most likely rid you of the segfaults, but will leave their cause as an unsolved mystery. If you're okay with giving up and not knowing, you'll probably save yourself a lot of time and headaches. -- /Daniel P. Brown Network Infrastructure Manager Documentation, Webmaster Teams http://www.php.net/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache and PHP segfaults on Redhat EL5
On Fri, 7 Jan 2011 16:24:13 -0500 Daniel Brown danbr...@php.net wrote: On Thu, Jan 6, 2011 at 22:55, Jimmy Stewpot mail...@oranged.to wrote: Is there a method or way that I can enable a 'debug' mode in php which would help me track down and identify the root cause of these problems? If anyone has any suggestions on what I can do to try and get further down the track to enlightenment I would be really appreciated. Natively, no, but the de facto standard is Derick's Xdebug package (http://xdebug.org/). If you can, compile PHP from source and do away with the EL5 package. That'll most likely rid you of the segfaults, but will leave their cause as an unsolved mystery. If you're okay with giving up and not knowing, you'll probably save yourself a lot of time and headaches. Also, you might try asking on a RH list or forum, this might be a known issue with a workaround. If all else fails, file a bug. -- Greg Bair PHP Developer -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache mod_pagespeed
Thiago, I would like to join this. Let me know how I can help you with this. Please be explicit with your requests so that we can totally test it and see if it could pose any risk to acceleration services provided by CDNs. Regards, Shreyas On Wed, Nov 3, 2010 at 11:51 PM, Thiago H. Pojda thiago.po...@gmail.comwrote: Guys, Google announced this morning http://googlewebmastercentral.blogspot.com/2010/11/make-your-websites-run-faster.html their mod_pagespeed http://code.google.com/speed/page-speed/docs/module.html to improve Apache's performance. It really looks promising, what do you guys think? Me and Daniel Brown will be running some tests with it, let us know if you'd like to join us. :) Google mentions 2x faster loading times, but they don't mention CPU cost. What do you think it will break? Cheers, Thiago Henrique Pojda +55 41 8856-7925 -- Regards, Shreyas Agasthya
Re: [PHP] Apache mod_pagespeed
On Wed, Nov 3, 2010 at 14:48, Shreyas Agasthya shreya...@gmail.com wrote: Thiago, I would like to join this. Let me know how I can help you with this. Please be explicit with your requests so that we can totally test it and see if it could pose any risk to acceleration services provided by CDNs. I've yet to read the specs behind it (I was out of the office), but from the overview I did see, it should not only be of no detriment to CDNs. In fact, Google is working with an existing company, Cotendo, to integrate the core into their CDN. -- /Daniel P. Brown Dedicated Servers, Cloud and Cloud Hybrid Solutions, VPS, Hosting (866-) 725-4321 http://www.parasane.net/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache mod_pagespeed
They are doing a preso about it @ ApacheCon. On Wed, Nov 03, 2010 at 03:34:01PM -0400, Daniel P. Brown wrote: On Wed, Nov 3, 2010 at 14:48, Shreyas Agasthya shreya...@gmail.com wrote: Thiago, I would like to join this. Let me know how I can help you with this. Please be explicit with your requests so that we can totally test it ?and see if it could pose any risk to acceleration services provided by CDNs. I've yet to read the specs behind it (I was out of the office), but from the overview I did see, it should not only be of no detriment to CDNs. In fact, Google is working with an existing company, Cotendo, to integrate the core into their CDN. -- /Daniel P. Brown Dedicated Servers, Cloud and Cloud Hybrid Solutions, VPS, Hosting (866-) 725-4321 http://www.parasane.net/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- === Jim Jagielski [|] j...@jagunet.com [|] http://www.jaguNET.com/ Great is the guilt of an unnecessary war ~ John Adams -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache rule/directive to stop serving PHP pages from /var/www/includes/
Daevid Vincent wrote: (Sorry if this is a duplicate. I sent one earlier with OT: prefixing the subject line and I think this list software kills the message despite being proper netiquette. *sigh*) I have your basic web tree setup. develo...@mypse:/var/www/dart2$ tree -d -I 'CVS' |-- UPDATES |-- ajax |-- images | |-- gui | `-- icons `-- includes |-- classes |-- css |-- functions | `-- xml |-- gui |-- js | |-- charts `-- pear |-- Auth |-- Benchmark |-- DB |-- Date |-- File |-- Spreadsheet `-- XML_RPC It's not ideal. I would normally have /includes/ in a directory outside the servable webroot directory, but for various reasons I won't go into, this is how it is. Now I have Apache configured to NOT allow directory browsing. I also have a index.html file in most all main directories to log attempts and also redirect back to the main site. What I don't know how to protect against is if someone were to KNOW the name of a .php file. Say I have /includes/foo.inc.php for example, someone can put that in their URL and apache will happily serve it up. :( Is there a directive to prevent this? I would think it should be doable since PHP reads the file directly off of disk via a command like this and isn't really served perse: require_once ROOTPATH.'/includes/functions/foo.inc.php'; Anyone? Anyone? Beuller? Beuller? LocationMatch ^/includes/ Order allow,deny Deny from all /LocationMatch Cheers, Rob. -- http://www.interjinn.com Application and Templating Framework for PHP -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Apache rule/directive to stop serving PHP pages from /var/www/includes/ [SOLVED]
-Original Message- From: Robert Cummings [mailto:rob...@interjinn.com] Sent: Thursday, April 01, 2010 7:23 PM To: Daevid Vincent Cc: php-general@lists.php.net Subject: Re: [PHP] Apache rule/directive to stop serving PHP pages from /var/www/includes/ Daevid Vincent wrote: (Sorry if this is a duplicate. I sent one earlier with OT: prefixing the subject line and I think this list software kills the message despite being proper netiquette. *sigh*) I have your basic web tree setup. develo...@mypse:/var/www/dart2$ tree -d -I 'CVS' |-- UPDATES |-- ajax |-- images | |-- gui | `-- icons `-- includes |-- classes |-- css |-- functions | `-- xml |-- gui |-- js | |-- charts `-- pear |-- Auth |-- Benchmark |-- DB |-- Date |-- File |-- Spreadsheet `-- XML_RPC It's not ideal. I would normally have /includes/ in a directory outside the servable webroot directory, but for various reasons I won't go into, this is how it is. Now I have Apache configured to NOT allow directory browsing. I also have a index.html file in most all main directories to log attempts and also redirect back to the main site. What I don't know how to protect against is if someone were to KNOW the name of a .php file. Say I have /includes/foo.inc.php for example, someone can put that in their URL and apache will happily serve it up. :( Is there a directive to prevent this? I would think it should be doable since PHP reads the file directly off of disk via a command like this and isn't really served perse: require_once ROOTPATH.'/includes/functions/foo.inc.php'; Anyone? Anyone? Beuller? Beuller? LocationMatch ^/includes/ Order allow,deny Deny from all /LocationMatch Brilliant! Thanks Rob. Here is the final that I went with (turns out I had to mind the /includes/js directory or all my jQuery stuff STB, so that's why I call each directory out like that): develo...@myvm:/etc/apache2/sites-enabled$ tail -n20 000-default # [dv] added 2010-04-01 to prevent serving include files and such LocationMatch /UPDATES/ Order allow,deny Deny from all /LocationMatch FilesMatch \.sql$ Order allow,deny Deny from all /FilesMatch LocationMatch /includes/(classes|functions|gui|pear)/ Order allow,deny Deny from all /LocationMatch FilesMatch \.(inc|class)\.php$ Order allow,deny Deny from all /FilesMatch -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: PHP+Apache suddenly not working
Jason Lixfeld wrote: I have no doubt that this is due to an update that was done on my system at some point, but unfortunately I can't pinpoint where. The upshot is that PHP is completely unresponsive for me when run from Apache and I'm not sure where to look. I recognize that this isn't an apache support list. This message is being cc'd there too. Are you sure you selected the Apache mod in make config? 1. go to /usr/ports/lang/php5 2. make deinstall 3. make config 4. select APACHE MODULES 5. select ok 6. make clean install -- Thanks! -Shawn http://www.spidean.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: PHP+Apache suddenly not working
On 2009-10-27, at 9:33 AM, Shawn McKenzie wrote: Jason Lixfeld wrote: I have no doubt that this is due to an update that was done on my system at some point, but unfortunately I can't pinpoint where. The upshot is that PHP is completely unresponsive for me when run from Apache and I'm not sure where to look. I recognize that this isn't an apache support list. This message is being cc'd there too. Are you sure you selected the Apache mod in make config? 1. go to /usr/ports/lang/php5 2. make deinstall 3. make config 4. select APACHE MODULES 5. select ok 6. make clean install Yup. Checked and double checked. It's there. Will do the make deinstall ; make clean install again though. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache Rewrite Issues
Hey Russell, After Going through all the threads in this post, it is correct to say, GET Rid of the space. Use - hyphen for SEO friendly URL's. Its completely OK. Other thing which is very handy is urlencode and urldecode functions. When you are sending a query string use urlencode function. This will preserve the query string variable as Test Story and not as just Test; even if there are spaces in the variable. Gaurav Kumar Tech Lead Open Source Solutions On Wed, Oct 7, 2009 at 4:22 PM, Russell Seymour russell.seym...@turtlesystems.co.uk wrote: Morning, I am trying to make my URLs more search engine friendly and I have come up against a problem. I want the following URL: mysite.example.com/articles/Test Story to be proxied to mysite.example.com/index.php?m=articlest=Test%20Story I have the following rule in my Apache conf RewriteRule ^/articles/(.*) index.php?m=articlest=$1 [P,L] Now if I run with this configuration, PHP strips the query string back at the space, so my query string ends up looking like [QUERY_STRING] = m=articlest=Test even though the log file for the rewrite shows that the full query is being passed. But if I change the RewriteRule to be a Rewrite instead of a Proxy I get [QUERY_STRING] = m=articlest=Test%20Story So something is happening when the system is proxying the request. Adding %20 into the URL does not fix the problem when proxy is enabled either. I have search around on the Internet, and people talk about using urlencode etc, this is fine when PHP is creating the URL but not when Apache is doing the rewrite. I apologise if people feel this is on the wrong list, but as far as I can tell from the rewrite logs the data is coming all the way through to PHP which is truncating it. This is purely my observation. Apache version: 2.2.11 PHP Version:5.3.0 Any help is gratefully recieved. Thanks, Russell
Re: [PHP] Apache Rewrite Issues
On Wed, 2009-10-07 at 16:49 -0400, Paul M Foster wrote: On Wed, Oct 07, 2009 at 11:52:00AM +0100, Russell Seymour wrote: Morning, I am trying to make my URLs more search engine friendly and I have come up against a problem. I want the following URL: mysite.example.com/articles/Test Story to be proxied to mysite.example.com/index.php?m=articlest=Test%20Story Aside from the solution to your problem (which I don't have), you might want to double-check on the search engine friendliness of URLs which contain query strings. I know at one time this was the case, but the latest I've heard is that URLs like your second one above are completely okay with search engines. If someone else knows different, please speak up. And oh by the way, don't *ever* store a filename with a space in it on your computer. It's Evil(tm). I curse the idiot who first came up with allowing this in filenames. I have a special voodoo doll just for that person, when I find them. As you can see, it causes all manner of odd problems, no matter what OS it's on. (My local LUG list is periodically hit with messages from people trying to overcome the problems attendant to this habit.) Paul -- Paul M. Foster I do a lot of research into SEO, and the only evidence I've found that comes close to this is where a website set up a page containing a fictional keyword in the URL, then searched for that word a week or two later. I don't know how valid the 'SEO friendly URLs' are though. How often have you searched for the answer to a question online and had the top few results turn out to be forums with dynamic query-string URLs?! Thanks, Ash http://www.ashleysheridan.co.uk
Re: [PHP] Apache Rewrite Issues
- Original Message From: Russell Seymour russell.seym...@turtlesystems.co.uk To: php-general@lists.php.net Sent: Wed, October 7, 2009 3:52:00 AM Subject: [PHP] Apache Rewrite Issues Morning, I am trying to make my URLs more search engine friendly and I have come up against a problem. I want the following URL: mysite.example.com/articles/Test Story to be proxied to mysite.example.com/index.php?m=articlest=Test%20Story Russell, Consider using a string function to replace the space with _ to be really SEF/SEO when generating the URL. Thus, your problem also disappears ;) Regards, Tommy I have the following rule in my Apache conf RewriteRule ^/articles/(.*) index.php?m=articlest=$1 [P,L] Now if I run with this configuration, PHP strips the query string back at the space, so my query string ends up looking like [QUERY_STRING] = m=articlest=Test even though the log file for the rewrite shows that the full query is being passed. But if I change the RewriteRule to be a Rewrite instead of a Proxy I get [QUERY_STRING] = m=articlest=Test%20Story So something is happening when the system is proxying the request. Adding %20 into the URL does not fix the problem when proxy is enabled either. I have search around on the Internet, and people talk about using urlencode etc, this is fine when PHP is creating the URL but not when Apache is doing the rewrite. I apologise if people feel this is on the wrong list, but as far as I can tell from the rewrite logs the data is coming all the way through to PHP which is truncating it. This is purely my observation. Apache version:2.2.11 PHP Version:5.3.0 Any help is gratefully recieved. Thanks, Russell -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache Rewrite Issues
On Wed, Oct 07, 2009 at 11:52:00AM +0100, Russell Seymour wrote: Morning, I am trying to make my URLs more search engine friendly and I have come up against a problem. I want the following URL: mysite.example.com/articles/Test Story to be proxied to mysite.example.com/index.php?m=articlest=Test%20Story Aside from the solution to your problem (which I don't have), you might want to double-check on the search engine friendliness of URLs which contain query strings. I know at one time this was the case, but the latest I've heard is that URLs like your second one above are completely okay with search engines. If someone else knows different, please speak up. And oh by the way, don't *ever* store a filename with a space in it on your computer. It's Evil(tm). I curse the idiot who first came up with allowing this in filenames. I have a special voodoo doll just for that person, when I find them. As you can see, it causes all manner of odd problems, no matter what OS it's on. (My local LUG list is periodically hit with messages from people trying to overcome the problems attendant to this habit.) Paul -- Paul M. Foster -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache module PHP 5.3 on Windows
Jonathan Tapicer wrote: What version, VC6 or VC9, TS or NTS? I use VC6 TS and the dll is there... Of cause no one has asked yet which version you use if you have to test BOTH Apache and IIS ;) -- Lester Caine - G8HFL - Contact - http://lsces.co.uk/wiki/?page=contact L.S.Caine Electronic Services - http://lsces.co.uk EnquirySolve - http://enquirysolve.com/ Model Engineers Digital Workshop - http://medw.co.uk// Firebird - http://www.firebirdsql.org/index.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache module PHP 5.3 on Windows
What version, VC6 or VC9, TS or NTS? I use VC6 TS and the dll is there... On Wed, Jul 1, 2009 at 7:31 PM, Pablo Viquezpviq...@pabloviquez.com wrote: Hi, I just downloaded the new stable version of PHP 5.3 and I couldnt find the php5apache2_2.dll file. Is the apache module on windows no longer supported? Thanks! -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache module PHP 5.3 on Windows
Yes, you need to use the V6 installer, I did the same thing with the V9 and it won't work. Only after uninstalling PHP did I see that line of text saying which one to use... On Wed, Jul 1, 2009 at 5:54 PM, Jonathan Tapicer tapi...@gmail.com wrote: What version, VC6 or VC9, TS or NTS? I use VC6 TS and the dll is there... On Wed, Jul 1, 2009 at 7:31 PM, Pablo Viquezpviq...@pabloviquez.com wrote: Hi, I just downloaded the new stable version of PHP 5.3 and I couldnt find the php5apache2_2.dll file. Is the apache module on windows no longer supported? Thanks! -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- - Adam Shannon ( http://ashannon.us )
Re: [PHP] Apache module PHP 5.3 on Windows
Sorry my mistake, I was looking in the wrong built. Thank you! - Original Message - From: Adam Shannon a...@ashannon.us Newsgroups: php.general To: Jonathan Tapicer tapi...@gmail.com Cc: Pablo Viquez pviq...@pabloviquez.com; php-general@lists.php.net Sent: Wednesday, July 01, 2009 5:50 PM Subject: Re: [PHP] Apache module PHP 5.3 on Windows Yes, you need to use the V6 installer, I did the same thing with the V9 and it won't work. Only after uninstalling PHP did I see that line of text saying which one to use... On Wed, Jul 1, 2009 at 5:54 PM, Jonathan Tapicer tapi...@gmail.com wrote: What version, VC6 or VC9, TS or NTS? I use VC6 TS and the dll is there... On Wed, Jul 1, 2009 at 7:31 PM, Pablo Viquezpviq...@pabloviquez.com wrote: Hi, I just downloaded the new stable version of PHP 5.3 and I couldnt find the php5apache2_2.dll file. Is the apache module on windows no longer supported? Thanks! -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- - Adam Shannon ( http://ashannon.us ) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] apache user cannot execute useradd via sudo :(
vuthecuong wrote: Hi all My server is centos 5.1 with php 5.1.6. In my app I want apache to add user through sudo. My sudoers file is: %apache ALL=(ALL) NOPASSWD: ALL %tony ALL=(ALL) NOPASSWD: ALL My test.php í: ?php $username=hixhix; system(/usr/bin/sudo /usr/sbin/useradd -s /sbin/nologin -M $username,$returnvalue); echo return value: $returnvalue; However, user 'hixhix' not created by apache at all, it always returned 1. how can I make my apache tu add user using sudo? Please help me. I need your help. Thanks and regards. That's not a very secure sudoers file. But you probably don't want to use sudo to this anyway. What you probably should do is write a shell script (IE w/ perl) that is suid root and executable by apache that adds the user to your system. I don't know what your sudo error is, but have you looked at your sudo log file? Make damn sure you validate the $username variable whatever solution you end up using. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] apache user cannot execute useradd via sudo :(
On Fri, 2009-05-22 at 05:01 -0700, Michael A. Peters wrote: Make damn sure you validate the $username variable whatever solution you end up using. Yeah, I have a funny story along those lines. I was doing the same sort of thing, but allowing it to change passwords for a user. Luckily it was an internal system, but I was still miffed at the smart-alec who thought it would be funny to change the root password! Needless to say, I added a lot of safeguards into the both the PHP script and the Bash script to protect the system users and enforce a strict naming policy on what was allowed to change, so that only users in the form 'prefix_joebloggs', 'prefix_simon', etc were allowed. Luckily the system was all still in testing when that little gem was found. I hit myself for being so stupid afterwards! Ash www.ashleysheridan.co.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] apache user cannot execute useradd via sudo :(
Michael A. Peters wrote: vuthecuong wrote: Hi all My server is centos 5.1 with php 5.1.6. In my app I want apache to add user through sudo. My sudoers file is: %apache ALL=(ALL) NOPASSWD: ALL %tony ALL=(ALL) NOPASSWD: ALL My test.php í: ?php $username=hixhix; system(/usr/bin/sudo /usr/sbin/useradd -s /sbin/nologin -M $username,$returnvalue); echo return value: $returnvalue; However, user 'hixhix' not created by apache at all, it always returned 1. how can I make my apache tu add user using sudo? Please help me. I need your help. Thanks and regards. That's not a very secure sudoers file. But you probably don't want to use sudo to this anyway. What you probably should do is write a shell script (IE w/ perl) that is suid root and executable by apache that adds the user to your system. I don't know what your sudo error is, but have you looked at your sudo log file? Make damn sure you validate the $username variable whatever solution you end up using. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php Yeah I know my script don't care at all about security. I'm keeping it fot the sake of simplicity. After making it 'work', I will take a look seriously about security. So, why it not create user for me? thanks and regards -- View this message in context: http://www.nabble.com/apache-user-cannot-execute-useradd-via-sudo-%3A%28-tp23668764p23680766.html Sent from the PHP - General mailing list archive at Nabble.com. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] apache user cannot execute useradd via sudo :(
vuthecuong wrote: Yeah I know my script don't care at all about security. I'm keeping it fot the sake of simplicity. After making it 'work', I will take a look seriously about security. So, why it not create user for me? thanks and regards I'm not that familiar with sudo, but I suspect it may have to do with the fact apache is a user without a shell. look in the sudo log file. If you don't see anything, look in /var/log/secure and /var/log/messages and /var/log/httpd/error_log If you don't see the problem, log into a root shell. Then run su apache to become the apache user and try the command and see what happens. Really though, this isn't a job for sudo. It's a job for a suid root shell script (I'd suggest perl or python or maybe tcl/expect). -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache question
On Fri, Mar 20, 2009 at 17:27, Ernie Kemp ernie.k...@sympatico.ca wrote: Please point me in the right direction with this as this is becoming a pain in the butt. Ernie, Check in with the Apache folks: http://httpd.apache.org/lists.html -- /Daniel P. Brown daniel.br...@parasane.net || danbr...@php.net http://www.parasane.net/ || http://www.pilotpig.net/ 50% Off All Shared Hosting Plans at PilotPig: Use Coupon DOW1 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: PHP/Apache: script unexpectedly invoked multiple times in parallel every 30 secs.
Marc Venturini napsal(a): Hi all, I wrote a PHP script running in Apache which takes more than 30 seconds to complete. It uses set_time_limit() to extend the time it is allowed to run. The script generates thumbnails from a list of images. Upon completion, the script redirects the browser to another page using HTTP headers. If you die() at the end of the script and don't redirect does it continue this auto-30-seconds execution? On my local machine (Windows + EasyPHP), the script runs as expected and completes after a few minutes. I observe an unexpected behavior on my production web server: - The script runs as expected for the first 30 seconds. - After 30 seconds, the same script with the same parameters starts again in a new thread/process. The initial thread/process is *not* interrupted, so 2 threads/processes run in parallel, executing the same sequence of operations with a 30 time shift. - The same scenario happens every 30 seconds (i.e.: at 030, 100, 130, and so on), multiplying the parallel threads/processes. - The browser keeps on loading while the above happens. - After some time, the browser displays a blank page and all the threads/processes stop. I assume this is due to resources exhaustion, but I have no means to check this assumption. I deduced the above reading a text file in which I log the sequence of called functions. It all seems as a redirection / unclosed loop problem. Unfortunately I have no access *at all* to my production web server configuration (shared hosting, no documentation). I cannot even read the configuration settings. While I'm considering moving to another host, I'd be extremely pleased to have an explanation of the observed behavior. I have browsed the mailing list archives and looked for an explanation in other forums to no avail. This thread may deal with the same issue but does not include any explanation or solution: http://www.networkedmediatank.com/showthread.php?tid=17140 Thanks for reading, and please do not hesitate to ask for further explanations if what I'm trying to achieve was not clear! Why it works on your local server is probably caused by different versions/settings, but I bet there's an error somewhere in your script. Consider sending it here, I'll take a look. Cheers, Marc. Martin -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: PHP/Apache: script unexpectedly invoked multiple times in parallel every 30 secs.
On Wed, Mar 11, 2009 at 10:30 AM, Martin Zvarík mzva...@gmail.com wrote: Marc Venturini napsal(a): Hi all, I wrote a PHP script running in Apache which takes more than 30 seconds to complete. It uses set_time_limit() to extend the time it is allowed to run. The script generates thumbnails from a list of images. Upon completion, the script redirects the browser to another page using HTTP headers. If you die() at the end of the script and don't redirect does it continue this auto-30-seconds execution? On my local machine (Windows + EasyPHP), the script runs as expected and completes after a few minutes. I observe an unexpected behavior on my production web server: - The script runs as expected for the first 30 seconds. - After 30 seconds, the same script with the same parameters starts again in a new thread/process. The initial thread/process is *not* interrupted, so 2 threads/processes run in parallel, executing the same sequence of operations with a 30 time shift. - The same scenario happens every 30 seconds (i.e.: at 030, 100, 130, and so on), multiplying the parallel threads/processes. - The browser keeps on loading while the above happens. - After some time, the browser displays a blank page and all the threads/processes stop. I assume this is due to resources exhaustion, but I have no means to check this assumption. I deduced the above reading a text file in which I log the sequence of called functions. It all seems as a redirection / unclosed loop problem. Unfortunately I have no access *at all* to my production web server configuration (shared hosting, no documentation). I cannot even read the configuration settings. While I'm considering moving to another host, I'd be extremely pleased to have an explanation of the observed behavior. I have browsed the mailing list archives and looked for an explanation in other forums to no avail. This thread may deal with the same issue but does not include any explanation or solution: http://www.networkedmediatank.com/showthread.php?tid=17140 Thanks for reading, and please do not hesitate to ask for further explanations if what I'm trying to achieve was not clear! Why it works on your local server is probably caused by different versions/settings, but I bet there's an error somewhere in your script. Consider sending it here, I'll take a look. A blank URL does not redirect to the directory index, IIRC... it refreshes the current page (such as a FORM tag with ACTION=). This may very well still be your problem. My 2c, -- // Todd -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: PHP/Apache: script unexpectedly invoked multiple times in parallel every 30 secs.
Hi all, Thank you all very much for your contributions. I tried to monitor the network with Wireshark: there is only one request from my browser to the server, and not any answer (redirect or otherwise). This means the problem is definitely not with unexpected browser requests. Calling die() at the end of the script and removing the redirect did not change the behavior in any way. I like to think my code is good, and that the server calls the script in an unexpected way. The main reason for this belief is that I do not use multithreading at all, while the logs report the script is running several times in parallel and the network monitor reports a single browser request. I could not find in the docs any server configuration parameter which would re-invoke a script without killing its currently running instance. Unfortunately I cannot post the code here, as everything is spread in several files. If stuck with this issue for too long, I'll consider reducing the script to the root cause of the problem and posting it, but it's toomuch overhead at this stage... Cheers, Marc. On Wed, Mar 11, 2009 at 4:40 PM, haliphax halip...@gmail.com wrote: On Wed, Mar 11, 2009 at 10:30 AM, Martin Zvarík mzva...@gmail.com wrote: Marc Venturini napsal(a): Hi all, I wrote a PHP script running in Apache which takes more than 30 seconds to complete. It uses set_time_limit() to extend the time it is allowed to run. The script generates thumbnails from a list of images. Upon completion, the script redirects the browser to another page using HTTP headers. If you die() at the end of the script and don't redirect does it continue this auto-30-seconds execution? On my local machine (Windows + EasyPHP), the script runs as expected and completes after a few minutes. I observe an unexpected behavior on my production web server: - The script runs as expected for the first 30 seconds. - After 30 seconds, the same script with the same parameters starts again in a new thread/process. The initial thread/process is *not* interrupted, so 2 threads/processes run in parallel, executing the same sequence of operations with a 30 time shift. - The same scenario happens every 30 seconds (i.e.: at 030, 100, 130, and so on), multiplying the parallel threads/processes. - The browser keeps on loading while the above happens. - After some time, the browser displays a blank page and all the threads/processes stop. I assume this is due to resources exhaustion, but I have no means to check this assumption. I deduced the above reading a text file in which I log the sequence of called functions. It all seems as a redirection / unclosed loop problem. Unfortunately I have no access *at all* to my production web server configuration (shared hosting, no documentation). I cannot even read the configuration settings. While I'm considering moving to another host, I'd be extremely pleased to have an explanation of the observed behavior. I have browsed the mailing list archives and looked for an explanation in other forums to no avail. This thread may deal with the same issue but does not include any explanation or solution: http://www.networkedmediatank.com/showthread.php?tid=17140 Thanks for reading, and please do not hesitate to ask for further explanations if what I'm trying to achieve was not clear! Why it works on your local server is probably caused by different versions/settings, but I bet there's an error somewhere in your script. Consider sending it here, I'll take a look. A blank URL does not redirect to the directory index, IIRC... it refreshes the current page (such as a FORM tag with ACTION=). This may very well still be your problem. My 2c, -- // Todd -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: PHP/Apache: script unexpectedly invoked multiple times in parallel every 30 secs.
Marc Venturini wrote: Hi all, Thank you all very much for your contributions. I tried to monitor the network with Wireshark: there is only one request from my browser to the server, and not any answer (redirect or otherwise). This means the problem is definitely not with unexpected browser requests. Calling die() at the end of the script and removing the redirect did not change the behavior in any way. I like to think my code is good, and that the server calls the script in an unexpected way. The main reason for this belief is that I do not use multithreading at all, while the logs report the script is running several times in parallel and the network monitor reports a single browser request. I could not find in the docs any server configuration parameter which would re-invoke a script without killing its currently running instance. are you forking the script at all? if so you can't unless on the cli -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: PHP/Apache: script unexpectedly invoked multiple times in parallel every 30 secs.
Nathan Rixham wrote: Marc Venturini wrote: Hi all, Thank you all very much for your contributions. I tried to monitor the network with Wireshark: there is only one request from my browser to the server, and not any answer (redirect or otherwise). This means the problem is definitely not with unexpected browser requests. Calling die() at the end of the script and removing the redirect did not change the behavior in any way. I like to think my code is good, and that the server calls the script in an unexpected way. The main reason for this belief is that I do not use multithreading at all, while the logs report the script is running several times in parallel and the network monitor reports a single browser request. I could not find in the docs any server configuration parameter which would re-invoke a script without killing its currently running instance. are you forking the script at all? if so you can't unless on the cli I don't know what is causing it, but is the site live? If so, could it be a proxy somewhere re-requesting the data when it thinks your server has timed out? I guess you ruled that out with the wireshark. If it really takes over 30 seconds to process the images, would it better to just have your script cue the images and exit, with ImageMagick running on the server to do the actual hard work? Write a shell script that cron runs every 5 minutes. The script wgets a shell script from your server with the cue of what needs to be processed and then processes it. I don't know for sure, but I suspect using ImageMagick in a shell script is going to be less resource intensive than the web server doing it. Doing it that way lets your script exit much sooner and would avoid impatient user reloads, which could be a problem even when you do figure out this issue. I almost wonder if Apache has some directive that tries to serve the data again if it thinks there was a backend problem with it's first request. What happens when you try to request your page with wget or lynx? They won't try to load any images, so if there is a image src problem that should make it obvious. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache odd behavior
Paul M Foster wrote: On Mon, Feb 16, 2009 at 08:34:22PM +, Stuart wrote: FWIW, I've been doing computers since before the CP/M days (pre-pre-DOS), so I do know the difference between absolute and relative paths. I'm a little doubtful about the browser specifying things like the URLs for links within a HTML page. However, this would explain why there are separate entries for image fetches in the Apache logs, occurring after the main page has been requested. Do you have some reference for this? I'd like to read more about the server-client interaction in depth. The client requests the web page. The server sends the web page. After the client gets the web page it then parses the web page and requests any inline elements, such as images, style sheets, iframes, etc. - which is why you can have images in different servers etc. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache odd behavior
I'm submitting a url like this: http://mysite.com/index.php/alfa/bravo/charlie/delta The index.php calls has code to decode the url segments (alfa/bravo/charlie/delta). It determines that the controller is alfa, the method is bravo, and converts charlie and delta to $_GET['charlie'] = 'delta'. It verifies that the controller and method exist, and calls the controller and method. This works fine. The right controller gets called and the right method, and the GET parameter looks like it should. The method sets some variables and then calls a render() function to render the page, which is in the doc root of the site. The page does get rendered, but without the stylesheet, and none of the graphics show up. Why? Because, according to the logs, Apache appears to be looking for the images and everything else in the directory index.php/alfa/bravo/charlie/delta, which of course doesn't exist. No, I don't have an .htaccess file with RewriteEngine on. Apache figures out that index.php is the file to look for in the original URL, but can't figure out that everything else is relative to that file, not the entire URL. This method is in use in at least one other MVC framework. What am I doing wrong? hi Paul, to make your css and images work, do something like this img src=/image.jpg / and link href=/style.css type=text/css rel=stylesheet media=screen / the slash at the start tells the browser to start looking from the root. good luck. Virgil http://www.jampmark.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache odd behavior
2009/2/17 Paul M Foster pa...@quillandmouse.com: On Mon, Feb 16, 2009 at 08:34:22PM +, Stuart wrote: snip This is your problem, you're not understanding where the paths are being resolved. Apache has absolutely no involvement in resolving relative paths in your HTML files to absolute URLs. The browser does this. All you need to do is use absolute URLs and everything will work fine. By absolute, in case you don't know, I mean starting with a / and being from the document root in the web server. FWIW, I've been doing computers since before the CP/M days (pre-pre-DOS), so I do know the difference between absolute and relative paths. FWIW I've been doing computers for a long time also, and am well aware of CP/M. Based on what you said it didn't appear that you did know the difference, but I apologise for the mistake. I'm sure if you look at the URLs being requested by the browser it should be pretty clear that it's simply adding the paths you have in your HTML to the end of the existing URL. The fact that you didn't appear to have seen that informed my assumption. I'm a little doubtful about the browser specifying things like the URLs for links within a HTML page. However, this would explain why there are separate entries for image fetches in the Apache logs, occurring after the main page has been requested. Do you have some reference for this? I'd like to read more about the server-client interaction in depth. I couldn't find any references so I wrote a quick overview of what the process is. Note that this is over-simplified but should get the basic process across. * Browser connects to the HTTP server on www.google.com and requests / * Server resolves / to a resource, commonly an HTML file, PHP script or whatever, processes it if necessary and sends the output back to the browser. * Browser receives the HTML content, parses it, builds a list of referenced URLs (images, scripts, stylesheets, etc) * Browser normalises each referenced URL according to a fairly simple set of rules... If the URL is not already in the form scheme://... If the URL does not start with a / // The URL is relative to the current location If current_url ends with / URL = current_url + URL Else URL = dirname(current_url) + '/' + URL Fi Else // The URL is absolute on the current domain // current_domain is everything needed to hit the same web server, so scheme://[[username]:passw...@]domain.com URL = current_domain + URL Fi Else // URL is already absolute, including the scheme, domain name, etc Fi * Browser then (usually) fires off a couple of threads to request the additional URLs, renders the page and executes any scripts it contains. The server has absolutely no involvement in resolving referenced URLs to complete URLs - this is all done by the browser. HTTP is stateless to the extreme, meaning that each request gets a single resource, even if they're done through the same connection. Hope that makes it clearer. For example, if you have a tag like a href=arse.phparse/a and arse.php is in the same directory as index.php you need to change it to a href=/arse.phparse/a. Another example... if you have a href=somedir/crack.phpcrack/a where crack.php is in the subdirectory somedir beneath where index.php is you need to change the tag to a href=/somedir/crack.phpcrack/a. You need to apply this to all URLs in your code, including stylesheets, images and javascript references. This should not be a difficult concept to grasp, so maybe I'm not explaining it right. If so please explain what you understand by what I'm saying and I can alter it to be more helpful. Here's the issue I have with this: normally I build pages on the fly with PHP. However, on this particular project, my wife is building the pages in Dreamweaver. And, as I mentioned before, while in development, the pages reside on an internal server, like this: http://pokey/example.com That is, pokey is an internal Debian machine where all our client sites reside as backups in the /var/www directory. So as far as pokey is concerned, the pages are at: /var/www/example.com but we see it as: http://pokey/example.com Dreamweaver has a very brain dead way of handling templates, resultant pages, and the internal page links. And while my wife is very savvy, her Windows-weenie-Dreamweaver way of handling links is to click on a button which opens a dialog box, in which she finds the image, and clicks Okay. This is all fine while the pages are on the development server. (Well, not really, since Dreamweaver regularly hacks up image links in non-intuitive ways.) But when they get uploaded to the production
Re: [PHP] Apache odd behavior
On Tue, Feb 17, 2009 at 12:27:58PM +, Stuart wrote: 2009/2/17 Paul M Foster pa...@quillandmouse.com: On Mon, Feb 16, 2009 at 08:34:22PM +, Stuart wrote: snip This is your problem, you're not understanding where the paths are being resolved. Apache has absolutely no involvement in resolving relative paths in your HTML files to absolute URLs. The browser does this. All you need to do is use absolute URLs and everything will work fine. By absolute, in case you don't know, I mean starting with a / and being from the document root in the web server. FWIW, I've been doing computers since before the CP/M days (pre-pre-DOS), so I do know the difference between absolute and relative paths. FWIW I've been doing computers for a long time also, and am well aware of CP/M. Based on what you said it didn't appear that you did know the difference, but I apologise for the mistake. I'm sure if you look at the URLs being requested by the browser it should be pretty clear that it's simply adding the paths you have in your HTML to the end of the existing URL. The fact that you didn't appear to have seen that informed my assumption. Well, the only way I know this is to look at the Apache logs. I was getting a lot of 3xx and 4xx errors (which don't show up directly in the browser), and looking at the requests, it appears that the browser is indeed dictating the place to find images, etc., based on the odd URL. I'm a little doubtful about the browser specifying things like the URLs for links within a HTML page. However, this would explain why there are separate entries for image fetches in the Apache logs, occurring after the main page has been requested. Do you have some reference for this? I'd like to read more about the server-client interaction in depth. I couldn't find any references so I wrote a quick overview of what the process is. Note that this is over-simplified but should get the basic process across. * Browser connects to the HTTP server on www.google.com and requests / * Server resolves / to a resource, commonly an HTML file, PHP script or whatever, processes it if necessary and sends the output back to the browser. * Browser receives the HTML content, parses it, builds a list of referenced URLs (images, scripts, stylesheets, etc) * Browser normalises each referenced URL according to a fairly simple set of rules... If the URL is not already in the form scheme://... If the URL does not start with a / // The URL is relative to the current location If current_url ends with / URL = current_url + URL Else URL = dirname(current_url) + '/' + URL Fi Else // The URL is absolute on the current domain // current_domain is everything needed to hit the same web server, so scheme://[[username]:passw...@]domain.com URL = current_domain + URL Fi Else // URL is already absolute, including the scheme, domain name, etc Fi * Browser then (usually) fires off a couple of threads to request the additional URLs, renders the page and executes any scripts it contains. The server has absolutely no involvement in resolving referenced URLs to complete URLs - this is all done by the browser. HTTP is stateless to the extreme, meaning that each request gets a single resource, even if they're done through the same connection. Hope that makes it clearer. Thanks for the summary. snip So specifying absolute links might be a bit much. I'm not happy with the way DW handles this stuff, but I have to strike a balance between my vim-handcoding-command-line method and my wife's click-and-drag-gotta-be-GUI method. We've covered this in the other thread. I can't speak for DW since I've only ever used it as a text editor, and even then only when forced, but I would be surprised if you couldn't tell it to generate absolute URLs. Something I do know is that you can set it up to automatically deploy to a separate virtual host on your development server, but based on the other thread you've already made a decision on how to solve your problem. I leave Dreamweaver issues to my wife. She maintains she can manually type in the link URLs, but that's really not a good ongoing paradigm. Now, if Dreamweaver had a config setting that said, Make all URLs absolute, I'd say that's the best resolution. Paul -- Paul M. Foster -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache odd behavior
2009/2/17 Paul M Foster pa...@quillandmouse.com: Well, the only way I know this is to look at the Apache logs. I was getting a lot of 3xx and 4xx errors (which don't show up directly in the browser), and looking at the requests, it appears that the browser is indeed dictating the place to find images, etc., based on the odd URL. If you don't already have it get Firefox. Once you have that google for the livehttpheaders extension. Using that you can see exactly what the browser is asking the server for, including all headers. -Stuart -- http://stut.net/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache odd behavior
2009/2/16 Paul M Foster pa...@quillandmouse.com: I'm submitting a url like this: http://mysite.com/index.php/alfa/bravo/charlie/delta The index.php calls has code to decode the url segments (alfa/bravo/charlie/delta). It determines that the controller is alfa, the method is bravo, and converts charlie and delta to $_GET['charlie'] = 'delta'. It verifies that the controller and method exist, and calls the controller and method. This works fine. The right controller gets called and the right method, and the GET parameter looks like it should. The method sets some variables and then calls a render() function to render the page, which is in the doc root of the site. The page does get rendered, but without the stylesheet, and none of the graphics show up. Why? Because, according to the logs, Apache appears to be looking for the images and everything else in the directory index.php/alfa/bravo/charlie/delta, which of course doesn't exist. No, I don't have an .htaccess file with RewriteEngine on. Apache figures out that index.php is the file to look for in the original URL, but can't figure out that everything else is relative to that file, not the entire URL. This method is in use in at least one other MVC framework. What am I doing wrong? You need to specify the absolute URL for all assets when using a URL scheme like this because the browser has no idea that index.php indicates the current directory so it resolves relative paths using the full URL. -Stuart -- http://stut.net/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache odd behavior
Paul M Foster wrote: I'm submitting a url like this: http://mysite.com/index.php/alfa/bravo/charlie/delta Why would you want to do such a thing? If you want parameters in the filename without using get, use mod_rewrite and explode the page name - and use a delimiter or than a / - IE use an underscore, dash, upper case vs lower, etc to indicate your different variables. / has a special meaning in a URL string, I don't understand the motive of wanting to use it as a delimiter in a filename. That calls all kinds of weird issues (like the one you are experiencing, which is because the browser has no way to know index.php is a page - and the browser resolves relative URL's - that's not an apache issue) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache odd behavior
Symfony uses exactly this method for pretty urls. Check it out. Maybe it has everything you want :). Have a look at symfony's .htaccess rewrite rules at least. You have a few possibilities here: You can make ur own rewrite for urls that contain index.php or rewrite http://mysite.com/alfa/bravo/charlie/deltahttp://mysite.com/index.php/alfa/bravo/charlie/deltaas http://mysite.com/index.php/alfa/bravo/charlie/delta and other urls... Or in your framework or cms or whatever have helper functions to get the right urls for images etc. Paths like simply putting img src=/images/myimg.png alt=my img / shouldnt be too hard either. Tim-Hinnerk Heuer http://www.ihostnz.com Mike Ditka - If God had wanted man to play soccer, he wouldn't have given us arms. 2009/2/16 Michael A. Peters mpet...@mac.com Paul M Foster wrote: I'm submitting a url like this: http://mysite.com/index.php/alfa/bravo/charlie/delta Why would you want to do such a thing? If you want parameters in the filename without using get, use mod_rewrite and explode the page name - and use a delimiter or than a / - IE use an underscore, dash, upper case vs lower, etc to indicate your different variables. / has a special meaning in a URL string, I don't understand the motive of wanting to use it as a delimiter in a filename. That calls all kinds of weird issues (like the one you are experiencing, which is because the browser has no way to know index.php is a page - and the browser resolves relative URL's - that's not an apache issue) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache odd behavior
I'm submitting a url like this: http://mysite.com/index.php/alfa/bravo/charlie/delta The index.php calls has code to decode the url segments (alfa/bravo/charlie/delta). It determines that the controller is alfa, the method is bravo, and converts charlie and delta to $_GET['charlie'] = 'delta'. It verifies that the controller and method exist, and calls the controller and method. This works fine. The right controller gets called and the right method, and the GET parameter looks like it should. The method sets some variables and then calls a render() function to render the page, which is in the doc root of the site. The page does get rendered, but without the stylesheet, and none of the graphics show up. Why? Because, according to the logs, Apache appears to be looking for the images and everything else in the directory index.php/alfa/bravo/charlie/delta, which of course doesn't exist. No, I don't have an .htaccess file with RewriteEngine on. Apache figures out that index.php is the file to look for in the original URL, but can't figure out that everything else is relative to that file, not the entire URL. This method is in use in at least one other MVC framework. What am I doing wrong? Paul I assume that in order for this to work you will have to use mod_rewrite for apache to work properly. Check the framework's installation instructions to see if you configured mod_rewrite correctly for this to work properly. -- Thodoris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache odd behavior
On Mon, Feb 16, 2009 at 07:30:57PM +0200, Thodoris wrote: I'm submitting a url like this: http://mysite.com/index.php/alfa/bravo/charlie/delta The index.php calls has code to decode the url segments (alfa/bravo/charlie/delta). It determines that the controller is alfa, the method is bravo, and converts charlie and delta to $_GET['charlie'] = 'delta'. It verifies that the controller and method exist, and calls the controller and method. This works fine. The right controller gets called and the right method, and the GET parameter looks like it should. The method sets some variables and then calls a render() function to render the page, which is in the doc root of the site. The page does get rendered, but without the stylesheet, and none of the graphics show up. Why? Because, according to the logs, Apache appears to be looking for the images and everything else in the directory index.php/alfa/bravo/charlie/delta, which of course doesn't exist. No, I don't have an .htaccess file with RewriteEngine on. Apache figures out that index.php is the file to look for in the original URL, but can't figure out that everything else is relative to that file, not the entire URL. This method is in use in at least one other MVC framework. What am I doing wrong? Paul I assume that in order for this to work you will have to use mod_rewrite for apache to work properly. Check the framework's installation instructions to see if you configured mod_rewrite correctly for this to work properly. mod_rewrite isn't involved. Apache has a lookback feature that looks back through the URL until it finds an actual file it can execute, which in this case is index.php. Unfortunately, it appears that Apache believes the directory in which linked files are found is the *whole* URL. mod_rewrite might resolve this, but it isn't allowed on all servers. So it's not a reliable solution. Paul -- Paul M. Foster -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache odd behavior
2009/2/16 Paul M Foster pa...@quillandmouse.com: On Mon, Feb 16, 2009 at 07:30:57PM +0200, Thodoris wrote: I'm submitting a url like this: http://mysite.com/index.php/alfa/bravo/charlie/delta The index.php calls has code to decode the url segments (alfa/bravo/charlie/delta). It determines that the controller is alfa, the method is bravo, and converts charlie and delta to $_GET['charlie'] = 'delta'. It verifies that the controller and method exist, and calls the controller and method. This works fine. The right controller gets called and the right method, and the GET parameter looks like it should. The method sets some variables and then calls a render() function to render the page, which is in the doc root of the site. The page does get rendered, but without the stylesheet, and none of the graphics show up. Why? Because, according to the logs, Apache appears to be looking for the images and everything else in the directory index.php/alfa/bravo/charlie/delta, which of course doesn't exist. No, I don't have an .htaccess file with RewriteEngine on. Apache figures out that index.php is the file to look for in the original URL, but can't figure out that everything else is relative to that file, not the entire URL. This method is in use in at least one other MVC framework. What am I doing wrong? Paul I assume that in order for this to work you will have to use mod_rewrite for apache to work properly. Check the framework's installation instructions to see if you configured mod_rewrite correctly for this to work properly. mod_rewrite isn't involved. Apache has a lookback feature that looks back through the URL until it finds an actual file it can execute, which in this case is index.php. Unfortunately, it appears that Apache believes the directory in which linked files are found is the *whole* URL. mod_rewrite might resolve this, but it isn't allowed on all servers. So it's not a reliable solution. This is your problem, you're not understanding where the paths are being resolved. Apache has absolutely no involvement in resolving relative paths in your HTML files to absolute URLs. The browser does this. All you need to do is use absolute URLs and everything will work fine. By absolute, in case you don't know, I mean starting with a / and being from the document root in the web server. For example, if you have a tag like a href=arse.phparse/a and arse.php is in the same directory as index.php you need to change it to a href=/arse.phparse/a. Another example... if you have a href=somedir/crack.phpcrack/a where crack.php is in the subdirectory somedir beneath where index.php is you need to change the tag to a href=/somedir/crack.phpcrack/a. You need to apply this to all URLs in your code, including stylesheets, images and javascript references. This should not be a difficult concept to grasp, so maybe I'm not explaining it right. If so please explain what you understand by what I'm saying and I can alter it to be more helpful. -Stuart -- http://stut.net/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache odd behavior
On Mon, 2009-02-16 at 20:34 +, Stuart wrote: 2009/2/16 Paul M Foster pa...@quillandmouse.com: On Mon, Feb 16, 2009 at 07:30:57PM +0200, Thodoris wrote: I'm submitting a url like this: http://mysite.com/index.php/alfa/bravo/charlie/delta The index.php calls has code to decode the url segments (alfa/bravo/charlie/delta). It determines that the controller is alfa, the method is bravo, and converts charlie and delta to $_GET['charlie'] = 'delta'. It verifies that the controller and method exist, and calls the controller and method. This works fine. The right controller gets called and the right method, and the GET parameter looks like it should. The method sets some variables and then calls a render() function to render the page, which is in the doc root of the site. The page does get rendered, but without the stylesheet, and none of the graphics show up. Why? Because, according to the logs, Apache appears to be looking for the images and everything else in the directory index.php/alfa/bravo/charlie/delta, which of course doesn't exist. No, I don't have an .htaccess file with RewriteEngine on. Apache figures out that index.php is the file to look for in the original URL, but can't figure out that everything else is relative to that file, not the entire URL. This method is in use in at least one other MVC framework. What am I doing wrong? Paul I assume that in order for this to work you will have to use mod_rewrite for apache to work properly. Check the framework's installation instructions to see if you configured mod_rewrite correctly for this to work properly. mod_rewrite isn't involved. Apache has a lookback feature that looks back through the URL until it finds an actual file it can execute, which in this case is index.php. Unfortunately, it appears that Apache believes the directory in which linked files are found is the *whole* URL. mod_rewrite might resolve this, but it isn't allowed on all servers. So it's not a reliable solution. This is your problem, you're not understanding where the paths are being resolved. Apache has absolutely no involvement in resolving relative paths in your HTML files to absolute URLs. The browser does this. All you need to do is use absolute URLs and everything will work fine. By absolute, in case you don't know, I mean starting with a / and being from the document root in the web server. For example, if you have a tag like a href=arse.phparse/a and arse.php is in the same directory as index.php you need to change it to a href=/arse.phparse/a. Another example... if you have a href=somedir/crack.phpcrack/a where crack.php is in the subdirectory somedir beneath where index.php is you need to change the tag to a href=/somedir/crack.phpcrack/a. You need to apply this to all URLs in your code, including stylesheets, images and javascript references. This should not be a difficult concept to grasp, so maybe I'm not explaining it right. If so please explain what you understand by what I'm saying and I can alter it to be more helpful. -Stuart -- http://stut.net/ I've read through this thread and not noticed anyone mention the base tag. This allows you to specify a URL to which relative ones are mapped to, which could be just what you're looking for, as I believe all the browsers support it (the tag has been around for donkeys years, so I'd be surprised if any browsers didn't support it) Ash www.ashleysheridan.co.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache odd behavior
2009/2/16 Ashley Sheridan a...@ashleysheridan.co.uk: On Mon, 2009-02-16 at 20:34 +, Stuart wrote: 2009/2/16 Paul M Foster pa...@quillandmouse.com: On Mon, Feb 16, 2009 at 07:30:57PM +0200, Thodoris wrote: I'm submitting a url like this: http://mysite.com/index.php/alfa/bravo/charlie/delta The index.php calls has code to decode the url segments (alfa/bravo/charlie/delta). It determines that the controller is alfa, the method is bravo, and converts charlie and delta to $_GET['charlie'] = 'delta'. It verifies that the controller and method exist, and calls the controller and method. This works fine. The right controller gets called and the right method, and the GET parameter looks like it should. The method sets some variables and then calls a render() function to render the page, which is in the doc root of the site. The page does get rendered, but without the stylesheet, and none of the graphics show up. Why? Because, according to the logs, Apache appears to be looking for the images and everything else in the directory index.php/alfa/bravo/charlie/delta, which of course doesn't exist. No, I don't have an .htaccess file with RewriteEngine on. Apache figures out that index.php is the file to look for in the original URL, but can't figure out that everything else is relative to that file, not the entire URL. This method is in use in at least one other MVC framework. What am I doing wrong? Paul I assume that in order for this to work you will have to use mod_rewrite for apache to work properly. Check the framework's installation instructions to see if you configured mod_rewrite correctly for this to work properly. mod_rewrite isn't involved. Apache has a lookback feature that looks back through the URL until it finds an actual file it can execute, which in this case is index.php. Unfortunately, it appears that Apache believes the directory in which linked files are found is the *whole* URL. mod_rewrite might resolve this, but it isn't allowed on all servers. So it's not a reliable solution. This is your problem, you're not understanding where the paths are being resolved. Apache has absolutely no involvement in resolving relative paths in your HTML files to absolute URLs. The browser does this. All you need to do is use absolute URLs and everything will work fine. By absolute, in case you don't know, I mean starting with a / and being from the document root in the web server. For example, if you have a tag like a href=arse.phparse/a and arse.php is in the same directory as index.php you need to change it to a href=/arse.phparse/a. Another example... if you have a href=somedir/crack.phpcrack/a where crack.php is in the subdirectory somedir beneath where index.php is you need to change the tag to a href=/somedir/crack.phpcrack/a. You need to apply this to all URLs in your code, including stylesheets, images and javascript references. This should not be a difficult concept to grasp, so maybe I'm not explaining it right. If so please explain what you understand by what I'm saying and I can alter it to be more helpful. -Stuart -- http://stut.net/ I've read through this thread and not noticed anyone mention the base tag. This allows you to specify a URL to which relative ones are mapped to, which could be just what you're looking for, as I believe all the browsers support it (the tag has been around for donkeys years, so I'd be surprised if any browsers didn't support it) That should also work, yes. Personally I'd use absolute URLs but each to their own. -Stuart -- http://stut.net/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache odd behavior
On Mon, Feb 16, 2009 at 08:53:24PM +, Ashley Sheridan wrote: snip I've read through this thread and not noticed anyone mention the base tag. This allows you to specify a URL to which relative ones are mapped to, which could be just what you're looking for, as I believe all the browsers support it (the tag has been around for donkeys years, so I'd be surprised if any browsers didn't support it) You da man! I've never heard of this tag, but it shows up on my Visibone cheatbook, and my HTML 4 reference. Moreover, it works. When the URL in the base tag is specified as: base href=http://mysite.com/; and, for example, a graphic link is done this way: img src=graphics/myportrait.gif It appears to override other considerations with regard to pathing. I've already chosen an alternative solution, but I'll definitely keep this in mind for future reference. Thanks, much. Paul -- Paul M. Foster -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache odd behavior
On Mon, Feb 16, 2009 at 08:34:22PM +, Stuart wrote: snip This is your problem, you're not understanding where the paths are being resolved. Apache has absolutely no involvement in resolving relative paths in your HTML files to absolute URLs. The browser does this. All you need to do is use absolute URLs and everything will work fine. By absolute, in case you don't know, I mean starting with a / and being from the document root in the web server. FWIW, I've been doing computers since before the CP/M days (pre-pre-DOS), so I do know the difference between absolute and relative paths. I'm a little doubtful about the browser specifying things like the URLs for links within a HTML page. However, this would explain why there are separate entries for image fetches in the Apache logs, occurring after the main page has been requested. Do you have some reference for this? I'd like to read more about the server-client interaction in depth. For example, if you have a tag like a href=arse.phparse/a and arse.php is in the same directory as index.php you need to change it to a href=/arse.phparse/a. Another example... if you have a href=somedir/crack.phpcrack/a where crack.php is in the subdirectory somedir beneath where index.php is you need to change the tag to a href=/somedir/crack.phpcrack/a. You need to apply this to all URLs in your code, including stylesheets, images and javascript references. This should not be a difficult concept to grasp, so maybe I'm not explaining it right. If so please explain what you understand by what I'm saying and I can alter it to be more helpful. Here's the issue I have with this: normally I build pages on the fly with PHP. However, on this particular project, my wife is building the pages in Dreamweaver. And, as I mentioned before, while in development, the pages reside on an internal server, like this: http://pokey/example.com That is, pokey is an internal Debian machine where all our client sites reside as backups in the /var/www directory. So as far as pokey is concerned, the pages are at: /var/www/example.com but we see it as: http://pokey/example.com Dreamweaver has a very brain dead way of handling templates, resultant pages, and the internal page links. And while my wife is very savvy, her Windows-weenie-Dreamweaver way of handling links is to click on a button which opens a dialog box, in which she finds the image, and clicks Okay. This is all fine while the pages are on the development server. (Well, not really, since Dreamweaver regularly hacks up image links in non-intuitive ways.) But when they get uploaded to the production server on the internet, all those absolute links have to change from: http://pokey/example.com/graphics/myportrait.gif or /example.com/graphics/myportrait.gif to http://example.com/graphics/myportrait.gif or /graphics/myportrait.gif Moreover, I'm not even sure she can specify the links absolutely when doing her Click and Search routine. She'd probably have to manually type them in, unless there's some setting in Dreamweaver I don't know about. In any case, changing absolute links in development pages to absolute links in production pages would involve a heap of (dangerous) global search-and-replace magic. So specifying absolute links might be a bit much. I'm not happy with the way DW handles this stuff, but I have to strike a balance between my vim-handcoding-command-line method and my wife's click-and-drag-gotta-be-GUI method. Paul -- Paul M. Foster -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache File Quesiton
Ok, not yet... If the file I want to test resides in My Documents\Sites\nameofsite, I set my Test server folder in DW to map to here...correct? Now down to URL prefix, I have tried http://localhost http://localhost/sitename C:/xampp/apache,( which btw is the Site Root as described in httpd.conf ) C:/localhost/ and a few other variations that are escaping me at this moment, but keep getting an error. Some other BG info Server Model : PHP Mysql Access : Local/Network Testing server folder: C:\Documents and Settings\myname\My Documents\sites\barrister\ (barrister is the name of the file and site) URL Prefix http://localhost/barrister/ (currently) What am I missing (besides a fundemental understanding of it). Murray planetthought...@gmail.com wrote in message news:6481f4d0901092018g31d9a08fkd0321e1532c85...@mail.gmail.com... In general, as Phpster points out, your development will take place in directories underneath your htdocs directory, which, if you installed XAMPP into the root directory on C:, would be something like C:\xampp\htdocs\yourdevdirectory. Depending on how XAMPP is configured (you can make many changes, for example, to the Apache conf files to determine Apache's behaviour), you would probably use a URL of http://localhost/yourdevdirectory/index.php etc to access your actual application. This is not to mention that you can go on to setup virtual sites, so that you could access your site as http://yourapplicationname/index.php. M is for Murray On Sat, Jan 10, 2009 at 12:13 PM, Gary gwp...@ptd.net wrote: Not sure how to word this, but I have just installed the XAMMP package with Apache, PHP for the purpose of having a testing server. My confusion is the location of the files. I am using Dreamweaver CS3, and all of my sites were in My Douments\Sites. When I was trying to set up the testing server in DW, I directed it to http://localhost. I was pretty sure it was not going to work, and I was right. I then created a folder in C:\xammp\htdocs\ and directed it to there...again no go. Part of my confusion is that if I create a page as I normally do, and it is stored in My documents\Sites\sitename, then there is no file that is then created in the C:\xammp\htdocs\. So, does it make sense for me to simply put all of my local files in the tester server root folder? Or am I going about it wrong? Thanks Gary -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache File Quesiton
The fundamental thing you're missing, as I understand it (I'm sure someone will speak up if I'm wrong), is that you shouldn't be storing your site outside the htdocs directory. This is where Apache looks for files it can display in your browser. So, you need to move all of the files you have in My Documents\Sites\nameofsite to \xampp\htdocs\nameofsite in your xampp installation location. I presume you can point Dreamweaver at this directory as the root of your project once you've copied / moved the files across. It sounds like My Documents\Sites\etc is simply Dreamweaver's default preference. Once you've moved your files into \xampp\htdocs\nameofsite, try going to the following in your browser: http://localhost/nameofsite (or, as you pointed out, your files will be in \xampp\htdocs\barrister and you would then go to http://localhost/barristerin your browser). M is for Murray On Sat, Jan 10, 2009 at 11:22 PM, Gary gwp...@ptd.net wrote: Ok, not yet... If the file I want to test resides in My Documents\Sites\nameofsite, I set my Test server folder in DW to map to here...correct? Now down to URL prefix, I have tried http://localhost http://localhost/sitename C:/xampp/apache,( which btw is the Site Root as described in httpd.conf ) C:/localhost/ and a few other variations that are escaping me at this moment, but keep getting an error. Some other BG info Server Model : PHP Mysql Access : Local/Network Testing server folder: C:\Documents and Settings\myname\My Documents\sites\barrister\ (barrister is the name of the file and site) URL Prefix http://localhost/barrister/ (currently) What am I missing (besides a fundemental understanding of it). Murray planetthought...@gmail.com wrote in message news:6481f4d0901092018g31d9a08fkd0321e1532c85...@mail.gmail.com... In general, as Phpster points out, your development will take place in directories underneath your htdocs directory, which, if you installed XAMPP into the root directory on C:, would be something like C:\xampp\htdocs\yourdevdirectory. Depending on how XAMPP is configured (you can make many changes, for example, to the Apache conf files to determine Apache's behaviour), you would probably use a URL of http://localhost/yourdevdirectory/index.php etc to access your actual application. This is not to mention that you can go on to setup virtual sites, so that you could access your site as http://yourapplicationname/index.php. M is for Murray On Sat, Jan 10, 2009 at 12:13 PM, Gary gwp...@ptd.net wrote: Not sure how to word this, but I have just installed the XAMMP package with Apache, PHP for the purpose of having a testing server. My confusion is the location of the files. I am using Dreamweaver CS3, and all of my sites were in My Douments\Sites. When I was trying to set up the testing server in DW, I directed it to http://localhost. I was pretty sure it was not going to work, and I was right. I then created a folder in C:\xammp\htdocs\ and directed it to there...again no go. Part of my confusion is that if I create a page as I normally do, and it is stored in My documents\Sites\sitename, then there is no file that is then created in the C:\xammp\htdocs\. So, does it make sense for me to simply put all of my local files in the tester server root folder? Or am I going about it wrong? Thanks Gary -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache File Quesiton
Gary wrote: Ok, not yet... If the file I want to test resides in My Documents\Sites\nameofsite, I set my Test server folder in DW to map to here...correct? Now down to URL prefix, I have tried http://localhost http://localhost/sitename C:/xampp/apache,( which btw is the Site Root as described in httpd.conf ) C:/localhost/ and a few other variations that are escaping me at this moment, but keep getting an error. Some other BG info Server Model : PHP Mysql Access : Local/Network Testing server folder: C:\Documents and Settings\myname\My Documents\sites\barrister\ (barrister is the name of the file and site) URL Prefix http://localhost/barrister/ (currently) What am I missing (besides a fundemental understanding of it). think of it as having a local and a remote server on one machine; first you have your source files in your /My Documents/sites/ then you have a directory where your web server (the apache part of xampp) looks for files to server (currently C:/xampp/apache/htdocs) now becuase everything is on the one machine you can take 3 different approaches Approach 1: Keep your site files in there current place (my documents) change testing server folder to a folder your web server can see (like c:/xampp/apache/htdocs/barrister now when you test your files will be copied to htdocs/barrister and made available to see by http://localhost/barrister Approach 2: Change the site root in httpd.conf to match your source folder (so change it to C:\Documents and Settings\myname\My Documents\sites) and change the Directory block in httpd.conf to match now you can forget the testing server bit in dreamweaver and simply load up a browser to http://localhost and all you're sites will be displayed there (http://localhost/barrister for the one in question) Approach 3: Use vhosts, but I won't mention until later on, best to get up and running the simple way first :) ps: if you want to do a quick test, simply copy your barrister folder from my documents/sites in to your htdocs folder and open up http://localhost/barrister regards -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache File Quesiton
Ok, I believe I have it workingmeaning when I click on Live Data View, I see the date appear in my datetest.php page But Im still confused... The succesful configuration (providing I am not suffering from premature exhuberation) is Testing server folder: c:\xampp\htdocs\barrister (the local settings remained My Documents\Sites\barrister) URL prefix : http://localhost/barrister/ How does that reconcile that in the httpd.conf, the server root is C:/xampp/apache? Gary Nathan Rixham nrix...@gmail.com wrote in message news:4968af26.4050...@gmail.com... Gary wrote: Ok, not yet... If the file I want to test resides in My Documents\Sites\nameofsite, I set my Test server folder in DW to map to here...correct? Now down to URL prefix, I have tried http://localhost http://localhost/sitename C:/xampp/apache,( which btw is the Site Root as described in httpd.conf ) C:/localhost/ and a few other variations that are escaping me at this moment, but keep getting an error. Some other BG info Server Model : PHP Mysql Access : Local/Network Testing server folder: C:\Documents and Settings\myname\My Documents\sites\barrister\ (barrister is the name of the file and site) URL Prefix http://localhost/barrister/ (currently) What am I missing (besides a fundemental understanding of it). think of it as having a local and a remote server on one machine; first you have your source files in your /My Documents/sites/ then you have a directory where your web server (the apache part of xampp) looks for files to server (currently C:/xampp/apache/htdocs) now becuase everything is on the one machine you can take 3 different approaches Approach 1: Keep your site files in there current place (my documents) change testing server folder to a folder your web server can see (like c:/xampp/apache/htdocs/barrister now when you test your files will be copied to htdocs/barrister and made available to see by http://localhost/barrister Approach 2: Change the site root in httpd.conf to match your source folder (so change it to C:\Documents and Settings\myname\My Documents\sites) and change the Directory block in httpd.conf to match now you can forget the testing server bit in dreamweaver and simply load up a browser to http://localhost and all you're sites will be displayed there (http://localhost/barrister for the one in question) Approach 3: Use vhosts, but I won't mention until later on, best to get up and running the simple way first :) ps: if you want to do a quick test, simply copy your barrister folder from my documents/sites in to your htdocs folder and open up http://localhost/barrister regards -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache File Quesiton
Gary wrote: Ok, I believe I have it workingmeaning when I click on Live Data View, I see the date appear in my datetest.php page But Im still confused... The succesful configuration (providing I am not suffering from premature exhuberation) is Testing server folder: c:\xampp\htdocs\barrister (the local settings remained My Documents\Sites\barrister) URL prefix : http://localhost/barrister/ How does that reconcile that in the httpd.conf, the server root is C:/xampp/apache? That's server root; what you want is DocumentRoot :) here's a bit of an httpd.conf; these are the two bits of concern to you: # # DocumentRoot: The directory out of which you will serve your # documents. By default, all requests are taken from this directory, but # symbolic links and aliases may be used to point to other locations. # DocumentRoot C:/xampp/apache/htdocs ---AND--- # # Note that from this point forward you must specifically allow # particular features to be enabled - so if something's not working as # you might expect, make sure that you have specifically enabled it # below. # # # This should be changed to whatever you set DocumentRoot to. # Directory G:/Apache/httpd/htdocs # # Possible values for the Options directive are None, All, # or any combination of: #Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews # # Note that MultiViews must be named *explicitly* --- Options All # doesn't give it to you. # # The Options directive is both complicated and important. Please see # http://httpd.apache.org/docs/2.2/mod/core.html#options # for more information. # Options Indexes FollowSymLinks # #AllowOverride controls what directives may be placed in .htaccess files # It can be All, None, or any combination of the keywords: # Options FileInfo AuthConfig Limit # AllowOverride All # # Controls who can get stuff from this server. #. Order allow,deny Allow from all /Directory --- if you read the comments aswell all should be explained :) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache File Quesiton
Ok...now that makes sense, I was looking for the documentroot, not the server root... Thanks to everyone ... Im sure I will be back for more... Gary Nathan Rixham nrix...@gmail.com wrote in message news:4968ba7d.5000...@gmail.com... Gary wrote: Ok, I believe I have it workingmeaning when I click on Live Data View, I see the date appear in my datetest.php page But Im still confused... The succesful configuration (providing I am not suffering from premature exhuberation) is Testing server folder: c:\xampp\htdocs\barrister (the local settings remained My Documents\Sites\barrister) URL prefix : http://localhost/barrister/ How does that reconcile that in the httpd.conf, the server root is C:/xampp/apache? That's server root; what you want is DocumentRoot :) here's a bit of an httpd.conf; these are the two bits of concern to you: # # DocumentRoot: The directory out of which you will serve your # documents. By default, all requests are taken from this directory, but # symbolic links and aliases may be used to point to other locations. # DocumentRoot C:/xampp/apache/htdocs ---AND--- # # Note that from this point forward you must specifically allow # particular features to be enabled - so if something's not working as # you might expect, make sure that you have specifically enabled it # below. # # # This should be changed to whatever you set DocumentRoot to. # Directory G:/Apache/httpd/htdocs # # Possible values for the Options directive are None, All, # or any combination of: #Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews # # Note that MultiViews must be named *explicitly* --- Options All # doesn't give it to you. # # The Options directive is both complicated and important. Please see # http://httpd.apache.org/docs/2.2/mod/core.html#options # for more information. # Options Indexes FollowSymLinks # #AllowOverride controls what directives may be placed in .htaccess files # It can be All, None, or any combination of the keywords: # Options FileInfo AuthConfig Limit # AllowOverride All # # Controls who can get stuff from this server. #. Order allow,deny Allow from all /Directory --- if you read the comments aswell all should be explained :) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache File Quesiton
Check the httpd.conf file for the location of the web dir. It's the documentroot directive Bastien Sent from my iPod On Jan 9, 2009, at 9:13 PM, Gary gwp...@ptd.net wrote: Not sure how to word this, but I have just installed the XAMMP package with Apache, PHP for the purpose of having a testing server. My confusion is the location of the files. I am using Dreamweaver CS3, and all of my sites were in My Douments\Sites. When I was trying to set up the testing server in DW, I directed it to http://localhost. I was pretty sure it was not going to work, and I was right. I then created a folder in C:\xammp\htdocs\ and directed it to there...again no go. Part of my confusion is that if I create a page as I normally do, and it is stored in My documents\Sites\sitename, then there is no file that is then created in the C:\xammp\htdocs\. So, does it make sense for me to simply put all of my local files in the tester server root folder? Or am I going about it wrong? Thanks Gary -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache File Quesiton
In general, as Phpster points out, your development will take place in directories underneath your htdocs directory, which, if you installed XAMPP into the root directory on C:, would be something like C:\xampp\htdocs\yourdevdirectory. Depending on how XAMPP is configured (you can make many changes, for example, to the Apache conf files to determine Apache's behaviour), you would probably use a URL of http://localhost/yourdevdirectory/index.php etc to access your actual application. This is not to mention that you can go on to setup virtual sites, so that you could access your site as http://yourapplicationname/index.php. M is for Murray On Sat, Jan 10, 2009 at 12:13 PM, Gary gwp...@ptd.net wrote: Not sure how to word this, but I have just installed the XAMMP package with Apache, PHP for the purpose of having a testing server. My confusion is the location of the files. I am using Dreamweaver CS3, and all of my sites were in My Douments\Sites. When I was trying to set up the testing server in DW, I directed it to http://localhost. I was pretty sure it was not going to work, and I was right. I then created a folder in C:\xammp\htdocs\ and directed it to there...again no go. Part of my confusion is that if I create a page as I normally do, and it is stored in My documents\Sites\sitename, then there is no file that is then created in the C:\xammp\htdocs\. So, does it make sense for me to simply put all of my local files in the tester server root folder? Or am I going about it wrong? Thanks Gary -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Apache blocking certain requests instead of php
I'm getting a lot of bogus requsts in the form of index.php?id=http://64.15.67.17/~babysona/logo.jpg?;, sometimes more than a hundred a day per domain. The php script catches it, logs the request, sends an email report and replies with access denied, but it takes processing which I'd rather not have php busy with. (The php script rejects anything where id=something_not_numeric.) Is there a way for apache to catch these requests before passing it to php? Is it more efficient for apache to handle this than php? Arno Yes, in Apache turn off userdir access In your httpd.conf file do this. UserDir disabled That way it will not process url that starts with a tildy ~... That should take care of it. Apache should then only report a 404 error to the error log for the given virtual host. -- Thanks for the reply. Is that correct htough? I always thought in the example http://mysite.com/index.php?id=http://64.15.67.17/~babysona/logo.jpg? the url started with index.php... Most the requests though look more like http://mysite.com/index.php?id=http://calebsbirth.pisem.su/caleb.htm? without the tilde. I was hoping there's a way to tell apache to block requests where id=non_numeric. Cheers Arno -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache blocking certain requests instead of php
On Thursday 24 July 2008 09:14:55 Chris wrote:
I was hoping there's a way to tell apache to block requests where
id=non_numeric.
It's trying to do a remote inclusion.
It's easy for you to fix in php:
if (isset($_GET['id'])) {
if (!is_numeric($_GET['id'])) {
die(Die hacker die!);
thats sudden! ;)
}
}
I'm sure there would be a way to do it with ModRewrite or something but
it's 5 lines of code in php so I'd do it there *shrug*.
--
Postgresql php tutorials
http://www.designmagick.com/
--
---
Børge Holen
http://www.arivene.net
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Apache blocking certain requests instead of php
Is there a way for apache to catch these requests before passing it to php? Is it more efficient for apache to handle this than php? 2 x yes. I think you could probably use LocationMatch and ban all access with Deny from all. /Per Jessen, Zürich -- Thanks for replying Per. Isn't Deny from all more to do with apache accessing local files on my server? These images aren't on my server, and the requests aren't trying to access images on my server. What I see are requests using the php script on my server to try access an image file (or html or txt or php) on someone else's server. I was hoping there's a way to tell apache to block requests where id=non_numeric. Cheers Arno -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Apache blocking certain requests instead of php
I was hoping there's a way to tell apache to block requests where
id=non_numeric.
It's trying to do a remote inclusion.
It's easy for you to fix in php:
if (isset($_GET['id'])) {
if (!is_numeric($_GET['id'])) {
die(Die hacker die!);
}
}
I'm sure there would be a way to do it with ModRewrite or something but it's
5 lines of code in php so I'd do it there *shrug*.
--
Thanks, I'm already doing something like that, but I want to stop it getting
to php.
Cheers
Arno
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache blocking certain requests instead of php
Børge Holen wrote:
On Thursday 24 July 2008 09:14:55 Chris wrote:
I was hoping there's a way to tell apache to block requests where
id=non_numeric.
It's trying to do a remote inclusion.
It's easy for you to fix in php:
if (isset($_GET['id'])) {
if (!is_numeric($_GET['id'])) {
die(Die hacker die!);
thats sudden! ;)
ok maybe a bit harsh :P
stop hacker stop ?
;)
--
Postgresql php tutorials
http://www.designmagick.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache blocking certain requests instead of php
Thanks, I'm already doing something like that, but I want to stop it getting to php. http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html Ask on an apache list how to use it. -- Postgresql php tutorials http://www.designmagick.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache blocking certain requests instead of php
I was hoping there's a way to tell apache to block requests where
id=non_numeric.
It's trying to do a remote inclusion.
It's easy for you to fix in php:
if (isset($_GET['id'])) {
if (!is_numeric($_GET['id'])) {
die(Die hacker die!);
}
}
I'm sure there would be a way to do it with ModRewrite or something but
it's 5 lines of code in php so I'd do it there *shrug*.
--
Postgresql php tutorials
http://www.designmagick.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache blocking certain requests instead of php
On Thursday 24 July 2008 09:38:57 Chris wrote:
Børge Holen wrote:
On Thursday 24 July 2008 09:14:55 Chris wrote:
I was hoping there's a way to tell apache to block requests where
id=non_numeric.
It's trying to do a remote inclusion.
It's easy for you to fix in php:
if (isset($_GET['id'])) {
if (!is_numeric($_GET['id'])) {
die(Die hacker die!);
thats sudden! ;)
ok maybe a bit harsh :P
stop hacker stop ?
I prefer die();
it leaves a bit unsatisfaction for whoever generates the blank page
;)
--
Postgresql php tutorials
http://www.designmagick.com/
--
---
Børge Holen
http://www.arivene.net
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Apache blocking certain requests instead of php
Hi Arno
No, when you use Location it's not filesystem specific any more. But I've
just found out that you can't match on the query-string.
These images aren't on my server, and
the requests aren't trying to access images on my server. What I see
are requests using the php script on my server to try access an image
file (or html or txt or php) on someone else's server. I was hoping
there's a way to tell apache to block requests where id=non_numeric.
I think you'll have to use URL rewriting.
Try this:
http://jessen.ch/arnokuhl?id=nonnumeric
That should give you a 403.
http://jessen.ch/arnokuhl?id=
Should give you a print_r() output.
This is the rewrite config:
RewriteEngine on
RewriteCond %{QUERY_STRING} id=[^0-9]+
RewriteRule (/arnokuhl.*) $1 [f]
HTH
Per
Many thanks for all your effort and help Per. That's exactly what I was
trying to achieve.
Cheers
Arno
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache blocking certain requests instead of php
Chris wrote: I'm sure there would be a way to do it with ModRewrite or something but it's 5 lines of code in php so I'd do it there *shrug*. See my reply to Arno - in Apache it's only 2 lines of config. :-) /Per Jessen, Zürich -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache blocking certain requests instead of php
Arno Kuhl wrote: Is there a way for apache to catch these requests before passing it to php? Is it more efficient for apache to handle this than php? 2 x yes. I think you could probably use LocationMatch and ban all access with Deny from all. /Per Jessen, Zürich -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache blocking certain requests instead of php
Arno Kuhl wrote: I'm getting a lot of bogus requsts in the form of index.php?id=http://64.15.67.17/~babysona/logo.jpg?;, sometimes more than a hundred a day per domain. The php script catches it, logs the request, sends an email report and replies with access denied, but it takes processing which I'd rather not have php busy with. (The php script rejects anything where id=something_not_numeric.) Is there a way for apache to catch these requests before passing it to php? Is it more efficient for apache to handle this than php? Arno Yes, in Apache turn off userdir access In your httpd.conf file do this. UserDir disabled That way it will not process url that starts with a tildy ~... That should take care of it. Apache should then only report a 404 error to the error log for the given virtual host. -- Jim Lucas Some men are born to greatness, some achieve greatness, and some have greatness thrust upon them. Twelfth Night, Act II, Scene V by William Shakespeare -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] apache/vhosts wuestion...
bruce wrote: Hi.. I recognize that this might be off base!! I've got an apache/vhosts question that i'm grappling with. I've got a linux/apache system, and I'm trying to get multiple vhosts to work. If this is an appropriate place, I'll provide additional information on the issue. I've looked/researched via the 'net but my issues are still with me! Thanks You guess it, this isn't an appropriate place. What pieces are you struggling with as the Apache documentation works great for this stuff. I've got 6 hosts on a single server with no issues using the Apache documentation. Wolf -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] apache/vhosts wuestion...
On Fri, Jul 11, 2008 at 8:55 AM, bruce [EMAIL PROTECTED] wrote: Hi.. I recognize that this might be off base!! I've got an apache/vhosts question that i'm grappling with. I've got a linux/apache system, and I'm trying to get multiple vhosts to work. If this is an appropriate place, I'll provide additional information on the issue. Check the archives and mailing lists at http://httpd.apache.org/. To give you a pointer, though, you'll need to either do an include into the httpd.conf file or modify that file itself to include a NameVirtualHost setting and VirtualHost container. It works fine. I've worked with servers that have had hundreds of virtual hosts. The Apache folks are friendly, and don't bite *that* hard -- /Daniel P. Brown Dedicated Servers - Intel 2.4GHz w/2TB bandwidth/mo. starting at just $59.99/mo. with no contract! Dedicated servers, VPS, and hosting from $2.50/mo. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache RewriteRule Help!!!!
El Fri, 13 Jun 2008 10:23:29 -0400
Daniel Brown [EMAIL PROTECTED] escribió:
You can start by asking your question on an Apache list. This has
nothing to do with PHP. ;-P
To answer your question, use this in your .htaccess file:
RewriteCond %{SCRIPT_FILENAME} index
RewriteCond %{QUERY_STRING} ^[a-zA-Z0-9]
RewriteRule .* http://www.yourdomain.com/404.php [L]
Next time, though, please try to ask questions on the appropriate
lists.
I did write to the apache users list at the same time more or less and
still waiting a reply :'(
---
.-.
| Miguel J. Jiménez |
| Sector Público, ISOTROL S.A.|
| [EMAIL PROTECTED] |
:-:
| KeyID 0xFFE63EC6 hkp://pgp.rediris.es:11371 |
:-:
| Edificio BLUENET, Avda. Isaac Newton nº3, 4ª planta.|
| Parque Tecnológico Cartuja '93, 41092 Sevilla (ESP).|
| Tlfn: +34 955 036 800 (ext.1805) - Fax: +34 955 036 849 |
| http://www.isotrol.com |
:-:
| UTM ED-50 X:765205.09 Y:4144614.91 Huso: 29 |
:-:
| Me dijeron: 'instala Windows, se listo'; así que |
| instalé primero Windows y luego fui listo y lo borré|
| para instalar Linux|
'-'
signature.asc
Description: PGP signature
Re: [PHP] Apache RewriteRule Help!!!!
On Fri, Jun 13, 2008 at 4:11 AM, Miguel J. Jiménez
[EMAIL PROTECTED] wrote:
How can I make apache work fine with http://foo/INDEX/mp3; and
redirect to an error page (or moved url or wahtever)
with http://foo/INDEX/index.php?m=mp3; (from the client view)
You can start by asking your question on an Apache list. This has
nothing to do with PHP. ;-P
To answer your question, use this in your .htaccess file:
RewriteCond %{SCRIPT_FILENAME} index
RewriteCond %{QUERY_STRING} ^[a-zA-Z0-9]
RewriteRule .* http://www.yourdomain.com/404.php [L]
Next time, though, please try to ask questions on the appropriate lists.
--
/Daniel P. Brown
Dedicated Servers - Intel 2.4GHz w/2TB bandwidth/mo. starting at just
$59.99/mo. with no contract!
Dedicated servers, VPS, and hosting from $2.50/mo.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache child pid segfault + APD
My main problem with using xdebug was that it seemed to require KDE to interpret the traces that it took, which I don't have installed on my server. I only spent 15 minutes looking at it, though, so that could be completely unjustified... Would upgrading glibc help? On Sat, May 3, 2008 at 12:48 AM, Mario Guenterberg [EMAIL PROTECTED] wrote: On Fri, May 02, 2008 at 10:24:03PM -0700, Waynn Lue wrote: *** glibc detected *** free(): invalid pointer: 0x002a9956d000 *** Hi Waynn, try to use xdebug instead of APD to profile you app. There is a problem with your glibc version and your APD version. In my environment php 5.2.6 with suhosin/apc, apache 2.2.8 and xdebug 2.0.2 it works fine. Greetings Mario -- -BEGIN GEEK CODE BLOCK- Version: 3.12 GCS/CM d- s++: a+ C$ UBL*$ P++ L+++ E--- W+++ N+ o-- K- w O- M- V-- PS++ PE++ Y PGP+++ t--- 5 X R++ tv- b+++ DI D G++ e* h r+++ y --END GEEK CODE BLOCK-- -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache child pid segfault + APD
Waynn Lue wrote: My main problem with using xdebug was that it seemed to require KDE to interpret the traces that it took, which I don't have installed on my server. I only spent 15 minutes looking at it, though, so that could be completely unjustified... Would upgrading glibc help? Hi, Recently there is a webinterface for interpreting the results of XDebug: http://blog.agoraproduction.com/index.php?/archives/67-XDebug-to-finally-get-a-Web-Frontend.html Maybe it is for your interest. -- Aschwin Wesselius /'What you would like to be done to you, do that to the other'/
Re: [PHP] Apache child pid segfault + APD
On Mon, May 05, 2008 at 02:41:17AM -0700, Waynn Lue wrote: My main problem with using xdebug was that it seemed to require KDE to interpret the traces that it took, which I don't have installed on my server. I only spent 15 minutes looking at it, though, so that could be completely unjustified... Would upgrading glibc help? On Sat, May 3, 2008 at 12:48 AM, Mario Guenterberg [EMAIL PROTECTED] wrote: On Fri, May 02, 2008 at 10:24:03PM -0700, Waynn Lue wrote: *** glibc detected *** free(): invalid pointer: 0x002a9956d000 *** Hi Waynn, try to use xdebug instead of APD to profile you app. There is a problem with your glibc version and your APD version. In my environment php 5.2.6 with suhosin/apc, apache 2.2.8 and xdebug 2.0.2 it works fine. Upgrading the glibc on a server is not the best choice to solve a problem with a extension for php ;-). There's a webfrontend for xdebug. Greetings guenti -- -BEGIN GEEK CODE BLOCK- Version: 3.12 GCS/CM d- s++: a+ C$ UBL*$ P++ L+++ E--- W+++ N+ o-- K- w O- M- V-- PS++ PE++ Y PGP+++ t--- 5 X R++ tv- b+++ DI D G++ e* h r+++ y --END GEEK CODE BLOCK-- -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache child pid segfault + APD
On Fri, May 02, 2008 at 10:24:03PM -0700, Waynn Lue wrote: *** glibc detected *** free(): invalid pointer: 0x002a9956d000 *** Hi Waynn, try to use xdebug instead of APD to profile you app. There is a problem with your glibc version and your APD version. In my environment php 5.2.6 with suhosin/apc, apache 2.2.8 and xdebug 2.0.2 it works fine. Greetings Mario -- -BEGIN GEEK CODE BLOCK- Version: 3.12 GCS/CM d- s++: a+ C$ UBL*$ P++ L+++ E--- W+++ N+ o-- K- w O- M- V-- PS++ PE++ Y PGP+++ t--- 5 X R++ tv- b+++ DI D G++ e* h r+++ y --END GEEK CODE BLOCK-- -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] APACHE MOD_REWRITE
On 10/31/07, Alberto García Gómez [EMAIL PROTECTED] wrote: I have this URL http://www.myserver.com/dir1/dir2/page.html and I wish to rewrite the url using mod_rewrite to add a ~ after the first dir always, eg.: http://www.myserver.com/~dir1/dir2/page.html Please it's very important to make this ASAP Then it's very important to ask the question on the right list ASAP. Apache mailing lists: http://httpd.apache.org/lists.html -- Daniel P. Brown [office] (570-) 587-7080 Ext. 272 [mobile] (570-) 766-8107 Give a man a fish, he'll eat for a day. Then you'll find out he was allergic and is hospitalized. See? No good deed goes unpunished -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] apache/php with sybase12.5
Are you sure it's not --with-apxs2 instead of --with-apx2 ??? On Fri, August 17, 2007 8:00 am, ROUKOS Michel wrote: Hi, I am integrating httpd-2.0.59 with php-5.2.1 and Sybase 12.5 on a solaris 8 machine. I followed these steps: Install apache: ./configure --prefix=/usr/local/apache2 --enable-so make make install PHP configuration: I edited this file php-5.2.1/ext/sybase_ct/ php_sybase_ct.h and changed this line: #define CTLIB_VERSION CS_VERSION_100 ...to... #define CTLIB_VERSION CS_VERSION_125 Then: ./configure --with-apx2=/usr/local/apache2/bin/apxs --with-sybase-ct=/opt/sybase/oc12.5-EBF11486/OCS-12_5/ --enable-bcmath --enable-calendar --enable-ctype --enable-exif --enable-ftp --enable-trans-sid --enable-shmop --enable-sockets --enable-sysvsem --enable-sysvshm --enable-wddx make make install then added these 2 lines in httpd.conf: AddType application/x-httpd-php .php .phtml AddType application/x-httpd-php-source .phps When I access test.php, I am asked to download the file - meaning php is not working well. I also don't see libphp5.so under modules/ directory. test.php is locate under htdocs/ and has this content: ?phpinfo()? Could you please point to me why libphp5.so was not generated? Also why php is not working well with apache and sybase? *** This e-mail contains information for the intended recipient only. It may contain proprietary material or confidential information. If you are not the intended recipient you are not authorised to distribute, copy or use this e-mail or any attachment to it. Murex cannot guarantee that it is virus free and accepts no responsibility for any loss or damage arising from its use. If you have received this e-mail in error please notify immediately the sender and delete the original email received, any attachments and all copies from your system. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- Some people have a gift link here. Know what I want? I want you to buy a CD from some indie artist. http://cdbaby.com/browse/from/lynch Yeah, I get a buck. So? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] apache/php with sybase12.5
ROUKOS Michel wrote: Hi, I installed libtool 1.5 and tried again. The libphp.so was not created as well. I tried also to run with ./configure --with-apx2=/usr/local/apache2/bin/apxs make make install same results: libphp5.so is not created under modules/ directory. Thanks and regards, Michel -Original Message- From: Lens Development [mailto:[EMAIL PROTECTED] Sent: Friday, August 17, 2007 7:57 PM To: ROUKOS Michel Cc: php-general@lists.php.net Subject: Re: [PHP] apache/php with sybase12.5 ROUKOS Michel wrote: Hi, I am integrating httpd-2.0.59 with php-5.2.1 and Sybase 12.5 on a solaris 8 machine. I followed these steps: Install apache: ./configure --prefix=/usr/local/apache2 --enable-so make make install PHP configuration: I edited this file php-5.2.1/ext/sybase_ct/ php_sybase_ct.h and changed this line: #define CTLIB_VERSION CS_VERSION_100 ...to... #define CTLIB_VERSION CS_VERSION_125 Then: ./configure --with-apx2=/usr/local/apache2/bin/apxs --with-sybase-ct=/opt/sybase/oc12.5-EBF11486/OCS-12_5/ --enable-bcmath --enable-calendar --enable-ctype --enable-exif --enable-ftp --enable-trans-sid --enable-shmop --enable-sockets --enable-sysvsem --enable-sysvshm --enable-wddx make make install then added these 2 lines in httpd.conf: AddType application/x-httpd-php .php .phtml AddType application/x-httpd-php-source .phps When I access test.php, I am asked to download the file - meaning php is not working well. I also don't see libphp5.so under modules/ directory. test.php is locate under htdocs/ and has this content: ?phpinfo()? Could you please point to me why libphp5.so was not generated? Also why php is not working well with apache and sybase? *** This e-mail contains information for the intended recipient only. It may contain proprietary material or confidential information. If you are not the intended recipient you are not authorised to distribute, copy or use this e-mail or any attachment to it. Murex cannot guarantee that it is virus free and accepts no responsibility for any loss or damage arising from its use. If you have received this e-mail in error please notify immediately the sender and delete the original email received, any attachments and all copies from your system. What version of libtool do you use? What happens if you just run ./configure --with-apx2=/usr/local/apache2/bin/apxs make make install *** This e-mail contains information for the intended recipient only. It may contain proprietary material or confidential information. If you are not the intended recipient you are not authorised to distribute, copy or use this e-mail or any attachment to it. Murex cannot guarantee that it is virus free and accepts no responsibility for any loss or damage arising from its use. If you have received this e-mail in error please notify immediately the sender and delete the original email received, any attachments and all copies from your system. I have the feeling your build tools are hosed. Maybe somebody else on the list has a suggestion. You could try a newer version or a snapshot. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] apache/php with sybase12.5
On Fri, 17 Aug 2007 16:00:35 +0300, ROUKOS Michel [EMAIL PROTECTED] wrote: Hi, I am integrating httpd-2.0.59 with php-5.2.1 and Sybase 12.5 on a solaris 8 machine. I followed these steps: Install apache: ./configure --prefix=/usr/local/apache2 --enable-so make make install PHP configuration: I edited this file php-5.2.1/ext/sybase_ct/ php_sybase_ct.h and changed this line: #define CTLIB_VERSION CS_VERSION_100 ...to... #define CTLIB_VERSION CS_VERSION_125 Then: ./configure --with-apx2=/usr/local/apache2/bin/apxs --with-sybase-ct=/opt/sybase/oc12.5-EBF11486/OCS-12_5/ --enable-bcmath --enable-calendar --enable-ctype --enable-exif --enable-ftp --enable-trans-sid --enable-shmop --enable-sockets --enable-sysvsem --enable-sysvshm --enable-wddx make make install then added these 2 lines in httpd.conf: AddType application/x-httpd-php .php .phtml AddType application/x-httpd-php-source .phps When I access test.php, I am asked to download the file - meaning php is not working well. I also don't see libphp5.so under modules/ directory. test.php is locate under htdocs/ and has this content: ?phpinfo()? Could you please point to me why libphp5.so was not generated? Also why php is not working well with apache and sybase? *** This e-mail contains information for the intended recipient only. It may contain proprietary material or confidential information. If you are not the intended recipient you are not authorised to distribute, copy or use this e-mail or any attachment to it. Murex cannot guarantee that it is virus free and accepts no responsibility for any loss or damage arising from its use. If you have received this e-mail in error please notify immediately the sender and delete the original email received, any attachments and all copies from your system. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php Did you also place the following line in the apache config? LoadModule php5_module modules/libphp5.so If you sure there were no configure or compile errors when building PHP try and locate libphp5.so on the server. And copy it to the module dir. find / -name libphp5.so -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] apache/php with sybase12.5
Hi, If I place the following line in httpd.conf LoadModule php5_module modules/libphp5.so I receive this error: Syntax error on line 232 of /usr/local/apache2/conf/httpd.conf: Cannot load /usr/local/apache2/modules/libphp5.so into server: ld.so.1: /usr/local/apache2/bin/httpd: fatal: /usr/local/apache2/modules/libphp5.so: open failed: No such file or directory During the configure, make and make install steps, I received no errors. find / -name libphp5.so returned nothing. I did the same steps with mysql, and the libphp5.so was created. Also please note that the sybase servers are remote. I have only the client directory on that server (/opt/sybase) Thanks. *** This e-mail contains information for the intended recipient only. It may contain proprietary material or confidential information. If you are not the intended recipient you are not authorised to distribute, copy or use this e-mail or any attachment to it. Murex cannot guarantee that it is virus free and accepts no responsibility for any loss or damage arising from its use. If you have received this e-mail in error please notify immediately the sender and delete the original email received, any attachments and all copies from your system. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] apache/php with sybase12.5
ROUKOS Michel wrote: Hi, I am integrating httpd-2.0.59 with php-5.2.1 and Sybase 12.5 on a solaris 8 machine. I followed these steps: Install apache: ./configure --prefix=/usr/local/apache2 --enable-so make make install PHP configuration: I edited this file php-5.2.1/ext/sybase_ct/ php_sybase_ct.h and changed this line: #define CTLIB_VERSION CS_VERSION_100 ...to... #define CTLIB_VERSION CS_VERSION_125 Then: ./configure --with-apx2=/usr/local/apache2/bin/apxs --with-sybase-ct=/opt/sybase/oc12.5-EBF11486/OCS-12_5/ --enable-bcmath --enable-calendar --enable-ctype --enable-exif --enable-ftp --enable-trans-sid --enable-shmop --enable-sockets --enable-sysvsem --enable-sysvshm --enable-wddx make make install then added these 2 lines in httpd.conf: AddType application/x-httpd-php .php .phtml AddType application/x-httpd-php-source .phps When I access test.php, I am asked to download the file - meaning php is not working well. I also don't see libphp5.so under modules/ directory. test.php is locate under htdocs/ and has this content: ?phpinfo()? Could you please point to me why libphp5.so was not generated? Also why php is not working well with apache and sybase? *** This e-mail contains information for the intended recipient only. It may contain proprietary material or confidential information. If you are not the intended recipient you are not authorised to distribute, copy or use this e-mail or any attachment to it. Murex cannot guarantee that it is virus free and accepts no responsibility for any loss or damage arising from its use. If you have received this e-mail in error please notify immediately the sender and delete the original email received, any attachments and all copies from your system. What version of libtool do you use? What happens if you just run ./configure --with-apx2=/usr/local/apache2/bin/apxs make make install -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] apache/php with sybase12.5
Hi, I installed libtool 1.5 and tried again. The libphp.so was not created as well. I tried also to run with ./configure --with-apx2=/usr/local/apache2/bin/apxs make make install same results: libphp5.so is not created under modules/ directory. Thanks and regards, Michel -Original Message- From: Lens Development [mailto:[EMAIL PROTECTED] Sent: Friday, August 17, 2007 7:57 PM To: ROUKOS Michel Cc: php-general@lists.php.net Subject: Re: [PHP] apache/php with sybase12.5 ROUKOS Michel wrote: Hi, I am integrating httpd-2.0.59 with php-5.2.1 and Sybase 12.5 on a solaris 8 machine. I followed these steps: Install apache: ./configure --prefix=/usr/local/apache2 --enable-so make make install PHP configuration: I edited this file php-5.2.1/ext/sybase_ct/ php_sybase_ct.h and changed this line: #define CTLIB_VERSION CS_VERSION_100 ...to... #define CTLIB_VERSION CS_VERSION_125 Then: ./configure --with-apx2=/usr/local/apache2/bin/apxs --with-sybase-ct=/opt/sybase/oc12.5-EBF11486/OCS-12_5/ --enable-bcmath --enable-calendar --enable-ctype --enable-exif --enable-ftp --enable-trans-sid --enable-shmop --enable-sockets --enable-sysvsem --enable-sysvshm --enable-wddx make make install then added these 2 lines in httpd.conf: AddType application/x-httpd-php .php .phtml AddType application/x-httpd-php-source .phps When I access test.php, I am asked to download the file - meaning php is not working well. I also don't see libphp5.so under modules/ directory. test.php is locate under htdocs/ and has this content: ?phpinfo()? Could you please point to me why libphp5.so was not generated? Also why php is not working well with apache and sybase? *** This e-mail contains information for the intended recipient only. It may contain proprietary material or confidential information. If you are not the intended recipient you are not authorised to distribute, copy or use this e-mail or any attachment to it. Murex cannot guarantee that it is virus free and accepts no responsibility for any loss or damage arising from its use. If you have received this e-mail in error please notify immediately the sender and delete the original email received, any attachments and all copies from your system. What version of libtool do you use? What happens if you just run ./configure --with-apx2=/usr/local/apache2/bin/apxs make make install *** This e-mail contains information for the intended recipient only. It may contain proprietary material or confidential information. If you are not the intended recipient you are not authorised to distribute, copy or use this e-mail or any attachment to it. Murex cannot guarantee that it is virus free and accepts no responsibility for any loss or damage arising from its use. If you have received this e-mail in error please notify immediately the sender and delete the original email received, any attachments and all copies from your system. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] apache content negotiation and $_GET
Stut wrote: Actually it suggests exactly that. Apache is giving PHP the query string, and PHP does nothing to it before it puts it in the $_SERVER variable. So this basically means that when you use the type-map Apache is not populating the query string variable. In short, I'm 5-9's% certain it's Apache that's throwing it away. FYI - http://issues.apache.org/bugzilla/show_bug.cgi?id=33112 /Per -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
