php-general Digest 15 Jan 2005 05:23:17 -0000 Issue 3228
Topics (messages 206376 through 206393):
Re: Preventing execution without inclusion
206376 by: David Green
206377 by: Marek Kilimajer
206381 by: Ford, Mike
206384 by: Josh Whiting
206389 by: Richard Lynch
Re: [suspicious - maybe spam] [PHP] [suspicious - maybe spam] strange in MySQL Query.
206378 by: Jay Blanchard
206379 by: David Green
206383 by: Marek Kilimajer
206388 by: Richard Lynch
Re: php editor
206380 by: David Green
Re: Help please!!
206382 by: Brent Baisley
Re: regex help
206385 by: Robinson, Matthew
206391 by: Richard Lynch
404 custom handler on a cgi-wrap PHP - No input specified error
206386 by: Luke Barker
Re: mysql improved extensions affected_rows
206387 by: Richard Lynch
sending attachment by email - can't find a bug?
206390 by: Afan Pasalic
Re: Persistent PHP web application?
206392 by: Al
Re: calling php functions as library or cmd line
206393 by: Cere Davis
----------------------------------------------------------------------
--- Begin Message ---
How about setting a variable before calling the include (e.g.
$fromIndex=true)?
In class.join.php you could include, for example, at the top of the file:
<?php
if (!isset($fromIndex))
{
    die("ERROR MESSAGE");
}
?>
Adam Hubscher wrote:
> From within the application, I use one page to include
> classes/variables and so on. Is there a way (I may have been missing
> it in the documentation for PHP, however I didn't see anything related)
> to prevent a user from directly accessing/executing *.php by the file
> making sure that it was only included by index.php?
>
> For example:
>
> config.php defines:
>
> function __autoload($class_name) {
>     $class_name = strtolower($class_name);
>     include_once('class.'.$class_name.'.php');
> }
>
> as per PHP5 example
>
> 1 (the preferred way): user accesses
> http://www.example.org/index.php?function=Join, this loads the class
> NewUser and begins its implementation. Because of the __autoload, it
> includes class.join.php, in order to utilize the class.
>
> 2 (the wrong way): user accesses
> http://www.example.org/includes/class.join.php without going through
> index.php.
>
> I am trying to prevent 2 from even occurring, utilizing a piece of code
> that would check if index.php had included it, or not. This code would
> be in the beginning of all the class files, at the top, before any
> other code was to be executed.
>
> As of yet, it has eluded me...
--
------------------------------------------------------
David Green
Information Centre, Central Science Laboratory
Sand Hutton, York, YO41 1LZ
Phone: +44 (0)1904 462388 (GTN: 5129 2388)
Fax: +44 (0)1904 462111
E-Mail: [EMAIL PROTECTED]
------------------------------------------------------
CSL email disclaimer: http://www.csl.gov.uk/email.htm
--- End Message ---
--- Begin Message ---
Adam Hubscher wrote:
> From within the application, I use one page to include
> classes/variables and so on. Is there a way (I may have been missing it
> in the documentation for PHP, however I didn't see anything related) to
> prevent a user from directly accessing/executing *.php by the file
> making sure that it was only included by index.php?
>
> For example:
>
> config.php defines:
>
> function __autoload($class_name) {
>     $class_name = strtolower($class_name);
>     include_once('class.'.$class_name.'.php');
> }
>
> as per PHP5 example
>
> 1 (the preferred way): user accesses
> http://www.example.org/index.php?function=Join, this loads the class
> NewUser and begins its implementation. Because of the __autoload, it
> includes class.join.php, in order to utilize the class.
>
> 2 (the wrong way): user accesses
> http://www.example.org/includes/class.join.php without going through
> index.php.
>
> I am trying to prevent 2 from even occurring, utilizing a piece of code
> that would check if index.php had included it, or not. This code would
> be in the beginning of all the class files, at the top, before any other
> code was to be executed.
>
> As of yet, it has eluded me...
If includes/class.join.php only defines the class (as it should) direct
access is completely harmless.
Anyway, you can:
1. put includes/ directory outside of the web root
2. use .htaccess to forbid access to all files in includes/ directory
3. use this code at the beginning of every "direct access forbidden" file:
   // __FILE__ is a full path and REQUEST_URI may carry a query string,
   // so compare the file names only.
   $requested = (string) parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
   if (basename($requested) == basename(__FILE__)) {
       die('Direct access forbidden!');
   }
   (does not work if you give included files the same name as the main files)
4. You can test for a defined constant. Let's say all main files include
   includes/config.php that defines constant DB_HOSTNAME, then you can:
   if (!defined('DB_HOSTNAME')) {
       die('Direct access forbidden!');
   }
HTH
--- End Message ---
--- Begin Message ---
> -----Original Message-----
> From: Adam Hubscher
> Sent: 13/01/05 22:25
>
> From within the application, I use one page to include
> classes/variables and so on. Is there a way (I may have been missing it
> in the documentation for PHP, however I didn't see anything related) to
> prevent a user from directly accessing/executing *.php by the file
> making sure that it was only included by index.php?
All include files should be placed in a separate directory which is outside
the Web server's document root. This makes them completely inaccessible
from the client browser, but they are still available to scripts running on
the server.
Cheers!
Mike
--- End Message ---
--- Begin Message ---
> as per PHP5 example
>
> 1 (the preferred way): user accesses
> http://www.example.org/index.php?function=Join, this loads the class
> NewUser and begins its implementation. Because of the __autoload, it
> includes class.join.php, in order to utilize the class.
>
> 2 (the wrong way): user accesses
> http://www.example.org/includes/class.join.php without going through
> index.php.
>
> I am trying to prevent 2 from even occurring, utilizing a piece of code
> that would check if index.php had included it, or not. This code would
> be in the beginning of all the class files, at the top, before any other
> code was to be executed.
>
> As of yet, it has eluded me...
Put the include file outside the web directory tree.
/jw
--- End Message ---
--- Begin Message ---
Adam Hubscher wrote:
> From within the application, I use one page to include
> classes/variables and so on. Is there a way (I may have been missing it
> in the documentation for PHP, however I didn't see anything related) to
> prevent a user from directly accessing/executing *.php by the file
> making sure that it was only included by index.php?
>
> For example:
>
> config.php defines:
>
> function __autoload($class_name) {
>     $class_name = strtolower($class_name);
>     include_once('class.'.$class_name.'.php');
> }
>
> as per PHP5 example
>
> 1 (the preferred way): user accesses
> http://www.example.org/index.php?function=Join, this loads the class
> NewUser and begins its implementation. Because of the __autoload, it
> includes class.join.php, in order to utilize the class.
>
> 2 (the wrong way): user accesses
> http://www.example.org/includes/class.join.php without going through
> index.php.
>
> I am trying to prevent 2 from even occurring, utilizing a piece of code
> that would check if index.php had included it, or not. This code would
> be in the beginning of all the class files, at the top, before any other
> code was to be executed.
>
> As of yet, it has eluded me...
Just *MOVE* your include files to a directory that is not in the web tree.
It would then be very difficult for people to surf to them, no?
You can set *ANY* directory you want in include_path in php.ini,
.htaccess, or using ini_set to get that directory to be searched by PHP
for include files.
--
Like Music?
http://l-i-e.com/artists.htm
--- End Message ---
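The advice in this thread (include files kept outside the web tree and found through include_path, with a defined-constant check as a second layer) combined in one entry script. This is an added example, not code from any of the posters; the directory layout, the APP_ENTRY constant and the route table are assumptions.

```php
<?php
// public/index.php -- added example; layout and names are assumptions.
//
// Assumed layout (hypothetical paths):
//   /srv/app/public/index.php         document root: the only script with a URL
//   /srv/app/includes/class.join.php  outside the document root, no URL at all

// Second layer: include files that still start with
//   if (!defined('APP_ENTRY')) { die('Direct access forbidden!'); }
// only run when this entry script has loaded them.
define('APP_ENTRY', true);

// Resolve the private include directory relative to this file.
$includeDir = realpath(__DIR__ . '/../includes');
if ($includeDir === false) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('Configuration error');
}

// Make plain include/require calls search the private directory first.
set_include_path($includeDir . PATH_SEPARATOR . get_include_path());

// Autoloader in the style of the __autoload() from the question.
// spl_autoload_register() is used because __autoload() was removed in PHP 8.
spl_autoload_register(function ($className) use ($includeDir) {
    $name = strtolower($className);
    // Plain identifiers only, so a class name can never contain a path.
    if (!preg_match('/^[a-z_][a-z0-9_]*$/', $name)) {
        return;
    }
    $file = $includeDir . '/class.' . $name . '.php';
    if (is_file($file)) {
        require_once $file;
    }
});

// Map ?function=... to a class through a fixed table, never directly.
$routes = array('join' => 'Join');   // hypothetical route table
$requested = (isset($_GET['function']) && is_string($_GET['function']))
    ? strtolower($_GET['function'])
    : '';

// class_exists() triggers the autoloader, which loads class.join.php.
if (!isset($routes[$requested]) || !class_exists($routes[$requested])) {
    header('HTTP/1.1 404 Not Found');
    exit('Unknown function');
}

$class = $routes[$requested];
$handler = new $class();
```

With this layout a request for /includes/class.join.php gets a 404 from the web server, because nothing under the document root has that path.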
--- Begin Message ---
[snip]
I have a query for mysql that looks like:
SELECT "group" as type FROM mytable WHERE id ="101010"
UNION
SELECT "individual" as type FROM myothertable WHERE id="101010"
The strange result if only one result displayed from myothertable, so
the "type" will become "indiv" instead of individual.
But when I tried to switch the query become :
SELECT "individual" as type FROM myothertable WHERE id="101010"
UNION
SELECT "group" as type FROM mytable WHERE id ="101010"
it could display the result correctly. I don't know why .. is this mysql
bug ?
[/snip]
This should probably be asked on the MySQL list.
--- End Message ---
--- Begin Message ---
Why not ask a MySQL mailing list?
[snip]
.. is this mysql bug ?
[/snip]
--
------------------------------------------------------
David Green
Information Centre, Central Science Laboratory
Sand Hutton, York, YO41 1LZ
Phone: +44 (0)1904 462388 (GTN: 5129 2388)
Fax: +44 (0)1904 462111
E-Mail: [EMAIL PROTECTED]
------------------------------------------------------
CSL email disclaimer: http://www.csl.gov.uk/email.htm
--- End Message ---
--- Begin Message ---
adwin wijaya wrote:
> Hi...
> I have a query for mysql that looks like:
> SELECT "group" as type FROM mytable WHERE id ="101010"
> UNION
> SELECT "individual" as type FROM myothertable WHERE id="101010"
>
> The strange result if only one result displayed from myothertable, so
> the "type" will become "indiv" instead of individual.
>
> But when I tried to switch the query become :
> SELECT "individual" as type FROM myothertable WHERE id="101010"
> UNION
> SELECT "group" as type FROM mytable WHERE id ="101010"
>
> it could display the result correctly. I don't know why .. is this mysql
> bug ?
http://dev.mysql.com/doc/mysql/en/UNION.html
The types and lengths of the columns in the result set of a UNION take
into account the values retrieved by all the SELECT statements. Before
MySQL 4.1.1, a limitation of UNION is that only the values from the
first SELECT are used to determine result column types and lengths. This
could result in value truncation if, for example, the first SELECT
retrieves shorter values than the second SELECT:
mysql> SELECT REPEAT('a',1) UNION SELECT REPEAT('b',10);
+---------------+
| REPEAT('a',1) |
+---------------+
| a             |
| b             |
+---------------+
That limitation has been removed as of MySQL 4.1.1:
mysql> SELECT REPEAT('a',1) UNION SELECT REPEAT('b',10);
+---------------+
| REPEAT('a',1) |
+---------------+
| a             |
| bbbbbbbbbb    |
+---------------+
--- End Message ---
--- Begin Message ---
adwin wijaya wrote:
> SELECT "group" as type FROM mytable WHERE id ="101010"
> UNION
> SELECT "individual" as type FROM myothertable WHERE id="101010"
>
> The strange result if only one result displayed from myothertable, so
> the "type" will become "indiv" instead of individual.
>
> But when I tried to switch the query become :
>
> SELECT "individual" as type FROM myothertable WHERE id="101010"
> UNION
> SELECT "group" as type FROM mytable WHERE id ="101010"
>
> it could display the result correctly. I don't know why .. is this mysql
> bug ?
Where's the PHP part?
The data type of your return columns MUST MATCH in a UNION.
The data type of "group" would be... char(5) since it has no inherent
data type.
So when you put "group" first, MySQL uses char(5)
When you put "individual" first, MySQL uses char(10)
You can play with this some more with longer/short strings to verify.
If you force the type of 'group' to be, say, varchar(255) the discrepancy
will disappear.
--
Like Music?
http://l-i-e.com/artists.htm
--- End Message ---
--- Begin Message ---
I've been using Dreamweaver (currently MX) since I started writing PHP
and I would definitely recommend it if you can get hold of it.
You can download a trial from
http://www.macromedia.com/cfusion/tdrc/index.cfm?product=dreamweaver
William Stokes wrote:
> Hello,
> I'm quite new with writing php code. I was considering of using some kind of
> php editor program to help with the syntax. Know any good ones?
> Thanks
> -Will
--
------------------------------------------------------
David Green
Information Centre, Central Science Laboratory
Sand Hutton, York, YO41 1LZ
Phone: +44 (0)1904 462388 (GTN: 5129 2388)
Fax: +44 (0)1904 462111
E-Mail: [EMAIL PROTECTED]
------------------------------------------------------
CSL email disclaimer: http://www.csl.gov.uk/email.htm
--- End Message ---
--- Begin Message ---
I would check what's hitting the machine from the network. At the most
basic level, just try "netstat 1" on the command line. Also try iostat
1 to see what load the machine has. It may not be PHP or Apache but
something else, maybe a denial of service attack.
On Jan 13, 2005, at 10:02 PM, Brent Clements wrote:
> Having a very frustrating problem and I can't seem to figure out why
> it's happening.
>
> 1. As of last week, all of our applications have started to work
> intermittently. The codebase has not changed.
> 2. Sometimes the application will display, sometimes it won't. The
> browser's "loading progress bar" will move for about 25% then just
> stop. No timeout or 401 errors occur.
> 3. There are no error messages in any of the log files.
>
> To test if it's our application we have done the following in our main
> php file which runs the rest of the application
>
> <?php
> echo "Step 0 <br>";
> // --Segment of our code is here--
> echo "Step 1 <br>";
> // --Segment of our code is here--
> echo "Step 2 <br>";
> ?>
>
> Sometimes it doesn't even get to the first line of php code which is
> the first echo statement, sometimes it gets to step 0 and step 1 and
> sometimes it gets to all steps.
>
> The code between each of these steps is nothing major, nothing calls
> mysql or anything like that. It's mainly just variable initialization.
>
> Again, the entire application runs fine every couple of refreshes.
> Then sometimes it'll just stop completely. I have turned on all sorts
> of debugging and nothing.
>
> I have reinstalled apache, mysql, and php 2 times. We have also
> optimized both apache and mysql for more than enough client connections
> as well as using persistent db connections. But like I said, the
> application works sometimes, sometimes it doesn't. And the data is
> pretty static.
>
> I am running RHEL 3 U3 with RH php version php-4.3.2-19.ent, RH mysql
> server version mysql-server-3.23.58-2.3, and RH apache version
> httpd-2.0.46-44.ent
>
> Thanks guys for any help troubleshooting this.
>
> -Brent
--
Brent Baisley
Systems Architect
Landover Associates, Inc.
Search & Advisory Services for Advanced Technology Environments
p: 212.759.6400/800.759.0577
--- End Message ---
--- Begin Message ---
Do you have the example regex so far?
I'd suggest maybe <b[^r] might just do what you want
-----Original Message-----
From: Jason Morehouse [mailto:[EMAIL PROTECTED]
Sent: 13 January 2005 21:07
To: [email protected]
Subject: [PHP] regex help
Hello,
I normally can take a bit of regex fun, but not this time.
Simple enough, in theory... I need to match (count) all of the bold tags
in a string, including ones with embedded styles (or whatever else can
go in there). <b> and <b style="color:red">. My attempts keep matching
<br> as well.
Thanks!
--
Jason Morehouse
Vendorama - Create your own online store http://www.vendorama.com
--- End Message ---
--- Begin Message ---
Jason Morehouse wrote:
> Simple enough, in theory... I need to match (count) all of the bold tags
> in a string, including ones with embedded styles (or whatever else can
> go in there). <b> and <b style="color:red">. My attempts keep matching
> <br> as well.
I think something not unlike:
'/<b( .*>|>)/'
The point being that you either have JUST '>' OR you have a SPACE and
whatever and '>'
I leave the capitalization and 'greedy' settings up to you.
The previous solution using '<b[^r]' will work only until the goofball
browser wars give us some other <bX> tag where X is a single character in
the alphabet.
There's a pretty cool Windows/Linux product a colleague swears by that's
called RegexCoach (?) which will not only let you try out
expressions/values and tell you which ones pass/fail, but you can
highlight sub-sections of the expression/values and see what it matches
piece by piece.
It's donationware -- try it out and donate the $20 (oooh, hurt me) if you
like it.
http://www.weitz.de/regex-coach/
--
Like Music?
http://l-i-e.com/artists.htm
--- End Message ---
--- Begin Message ---
Hi,
This may be a PHP problem, but is associated with Apache too - so my
apologies if it is slightly off topic. My web hosts use a CGI wrap
version of PHP 4.3.10.
I have made a 404 custom error handler, using .htaccess in a directory
- it is supposed to route all unfound pages to error.php, and works as
expected for .htm and .html pages as well as gifs etc. But for .php
scripts, e.g. /path/to/wrongurl.php it doesn't show my page -
instead it shows No Input file specified.. After some Googling I have
only found people with the similar problem without solutions.
Can anyone help me on this? I should say that in IE it just gets the
default 404 (I think this is windows own one responding to the
particular http response header) - in firefox you get the 'No input '
error
thanks for any advice
Luke
--
[EMAIL PROTECTED]
--- End Message ---
--- Begin Message ---
Tom wrote:
> Richard Lynch wrote:
>
>>Tom wrote:
>>
>>
>>>I've just started playing with the php5 improved mysqli extensions.
>>>
>>>I have the following code:-
>>>
>>><?php
>>>$mysqli = new mysqli("localhost", "myUser", "myPassword","myDB");
>>>
>>>$updateQuery = "UPDATE client SET status = 'INACTIVE' WHERE clientName =
>>>'Tom'";
>>>
>>>if ($mysqli->query($updateQuery))
>>>{
>>> $updateCount = $mysqli->affected_rows;
>>> echo "<br>updateCount = $updateCount";
>>>}
>>>else
>>>{
>>> excpetionHandler("updateFailed: ".$updateQuery);
>>>}
>>>?>
>>>
>>>
>>>This returns "updateCount = 1"
>>>However, when I check the underlying table, there are actually 4 rows
>>>updated (and yes, before anyone asks, I have repeated this several
>>>times, correctly resetting the data before each run)
>>>
>>>Is this a known bug, or am I doing something stupid?
>>>(php 5.0.2, apache 2.0.49)
>>>
>>>
>>
>>How many rows actually had 'Tom' for their clientName?...
>>
>>I mean, is the '1' wrong because it should be 4, or is it changing records
>>it shouldn't?
>>
>>
>>
> It correctly updates 4 rows, but returns 1 as the count.
>
> I think that this may actually be a mysql issue - I've put the same
> php/apache configs onto another similar box, the only difference being
> that the second box is mysql 5.0.1, whereas the problem is reported
> against 5.0.0 (both alpha's!). The correct value is returned from the
> second box.
Were the other three all "ACTIVE" before the update on both boxes?
Cuz http://php.net/mysql_affected_rows sez:
"Note: When using UPDATE, MySQL will not update columns where the new
value is the same as the old value. This creates the possibility that
mysql_affected_rows() may not actually equal the number of rows matched,
only the number of rows that were literally affected by the query."
--
Like Music?
http://l-i-e.com/artists.htm
--- End Message ---
--- Begin Message ---
I have a form and once the form is submitted, php code build csv file
with entered information and store it on server in temp file. Then send
this file as an attachment to me. Code to send an attachment is included
in main code.
The code to store csv file works fine.
I'm getting the attachment in email but can't open the file: "Alert:
Unable to read the file".
Then I tried to create txt file and got the same result. Actually, I was
able to open attached file but the file was empty?!?
Then accidentally, I changed the code back to create csv file but didn't
change in code to send an attachment. after submitting the csv file was
created but got by email earlier created txt file - and it works fine. I
was able to open it?!?
My conclusion: I can't send just created file, but later, as a second
process - it works just fine. And that means, code to send an attachment
works as well.
Any ideas?
--- End Message ---
--- Begin Message ---
George Schlossnagle addresses exactly your requirement in his book "Advanced PHP
Programming".
Josh Whiting wrote:
> Dear list,
>
> My web application (an online classifieds server) requires a set of
> fairly large global arrays which contain vital information that most all
> the page scripts rely upon for information such as the category list,
> which fields belong to each category, and so on. Additionally, there are
> a large number of function definitions (more than 13,000 lines of code
> in all just for these global definitions).
>
> These global arrays and functions never change between requests.
> However, the PHP engine destroys and recreates them every time. After
> having spent some serious time doing benchmarking (using Apache Bench),
> I have found that this code takes at least 7ms to parse per request on
> my dual Xeon 2.4ghz server (Zend Accelerator in use*). This seriously
> cuts into my server's peak capacity, reducing it by more than half.
>
> My question is: is there a way to define a global set of variables and
> functions ONCE per Apache process, allowing each incoming hit to run a
> handler function that runs within a persistent namespace? OR, is it
> possible to create some form of shared variable and function namespace
> that each script can tap?
>
> AFAIK, mod_python, mod_perl, Java, etc. all allow you to create a
> persistent, long-running application with hooks/handlers for individual
> Apache requests. I'm surprised I haven't found a similar solution for
> PHP.
>
> In fact, according to my work in the past few days, if an application
> has a large set of global functions and variable definitions, mod_python
> FAR exceeds the performance of mod_php, even though Python code runs
> significantly slower than PHP code (because in mod_python you can put
> all these definitions in a module that is loaded only once per Apache
> process).
>
> The most promising prospect I've come across is FastCGI, which for Perl
> and other languages, allows you to run a while loop that sits and
> receives incoming requests (e.g. "while(FCGI::accept() >= 0) {..}").
> However, the PHP/FastCGI modality seems to basically compare to mod_php:
> every request still creates and destroys the entire application
> (although the PHP interpreter itself does persist).
>
> Essentially I want to go beyond a persistent PHP *interpreter* (mod_php,
> PHP/FastCGI) and create a persistent PHP *application*... any
> suggestions?
>
> Thanks in advance for any help!
>
> Regards,
> J. Whiting
>
> * - Please note that I am using the Zend Accelerator (on Redhat
> Enterprise with Apache 1.3) to cache the intermediate compiled PHP code.
> My benchmarks (7ms+) are after the dramatic speedup provided by the
> accelerator. I wouldn't even bother benchmarking this without the
> compiler cache, but it is clear that a compiler cache does not prevent
> PHP from still having to run the (albeit precompiled) array and function
> definition code itself.
--- End Message ---
--- Begin Message ---
Geeze,
That was obnoxious.
Luckily google helped me out eventually:
if (basename($argv[0]) == basename(__FILE__)) {
Robert Cummings wrote:
> On Thu, 2005-01-13 at 09:46, Cere Davis wrote:
>> Does anyone know how to write php libraries in a modular way so that you
>> can both test the libraries/functions on the command line with arguments
>> and/or use the php library as a part of your web code with
>> 'require_once()'
>> syntax? Sort of like how Python or Ruby works?
>
> Yes.
>
> Cheers,
> Rob.
--- End Message ---