php-general Digest 22 Oct 2005 11:36:58 -0000 Issue 3751
Topics (messages 224436 through 224447):
Re: SCRIPT_NAME
224436 by: Minuk Choi
224437 by: Robert Cummings
224438 by: Jasper Bryant-Greene
224441 by: Robert Cummings
rtrim Null characters
224439 by: Richard Lynch
224440 by: Jasper Bryant-Greene
Email Validation built-in? RFC
224442 by: Richard Lynch
Re: Ugh, w32 anything is making me want to drink!
224443 by: Tom Rogers
Pear File_Archive examples or _good_ documentation?
224444 by: Tim Rupp
Re: Login is not working. Please help....
224445 by: Andy Pieters
file_exists()
224446 by: Jonny Bergström
Re: How can I count the usage of mail function in scripts?
224447 by: Oliver Grätz
Administrivia:
To subscribe to the digest, e-mail:
[EMAIL PROTECTED]
To unsubscribe from the digest, e-mail:
[EMAIL PROTECTED]
To post to the list, e-mail:
[email protected]
----------------------------------------------------------------------
--- Begin Message ---
... what, the off by one error?
Hey, I was just providing suggestion off the top of my head. :-P
-Minuk
Robert Cummings wrote:
On Thu, 2005-10-20 at 23:27, Minuk Choi wrote:
Off the top of my head...
$filename = $_SERVER['PHP_SELF'];
$strippedFilename = substr($filename, strrpos($filename, '/'));
Won't work, I'll leave the reason as an exercise :B
Cheers,
Rob.
--- End Message ---
--- Begin Message ---
On Fri, 2005-10-21 at 19:58, Minuk Choi wrote:
> ... what, the off by one error?
>
> Hey, I was just providing suggestion off the top of my head. :-P
Oh I know, I was just pointing out that it won't work :) Doesn't work
because it only strips off the first path segment (assuming no off by
one error also ;). For instance:
/a/b/c/d/foo.php
becomes:
a/b/c/d/foo.php
but the OP wanted:
foo.php
:)
Cheers,
Rob.
--
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting |
| a powerful, scalable system for accessing system services |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for |
| creating re-usable components quickly and easily. |
`------------------------------------------------------------'
--- End Message ---
--- Begin Message ---
On Fri, 2005-10-21 at 21:01 -0400, Robert Cummings wrote:
> Oh I know, I was just pointing out that it won't work :) Doesn't work
> because it only strips off the first path segment (assuming no off by
> one error also ;). For instance:
>
> /a/b/c/d/foo.php
>
> becomes:
>
> a/b/c/d/foo.php
>
> but the OP wanted:
>
> foo.php
It will actually work... Did you not notice that he was using
strrpos() ? Note the extra 'r' in there :) http://php.net/strrpos
--
Jasper Bryant-Greene
General Manager
Album Limited
e: [EMAIL PROTECTED]
w: http://www.album.co.nz/
p: 0800 4 ALBUM (0800 425 286) or +64 21 232 3303
a: PO Box 579, Christchurch 8015, New Zealand
--- End Message ---
--- Begin Message ---
On Sat, 2005-10-22 at 10:02, Jasper Bryant-Greene wrote:
> On Fri, 2005-10-21 at 21:01 -0400, Robert Cummings wrote:
> > Oh I know, I was just pointing out that it won't work :) Doesn't work
> > because it only strips off the first path segment (assuming no off by
> > one error also ;). For instance:
> >
> > /a/b/c/d/foo.php
> >
> > becomes:
> >
> > a/b/c/d/foo.php
> >
> > but the OP wanted:
> >
> > foo.php
>
> It will actually work... Did you not notice that he was using
> strrpos() ? Note the extra 'r' in there :) http://php.net/strrpos
Yep I stand corrected :) Didn't notice the extra 'r' at all *heheh*.
Cheers,
Rob.
--- End Message ---
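An added example, not code from the thread, showing the fixed version of the snippet discussed above: the +1 that the off-by-one needs, the no-slash case, and basename() as the built-in equivalent. The sample paths are constructed; the last one shows why SCRIPT_NAME is the safer source than PHP_SELF, since PHP_SELF can carry client-supplied PATH_INFO after the script name.

```php
<?php
// Added example (not from the thread): return only the final segment of a
// script path. The thread's strrpos() version keeps the leading '/'; adding 1
// to the position fixes that. basename() does the same job and is built in.
declare(strict_types=1);

function scriptFileName(string $path): string
{
    $pos = strrpos($path, '/');
    if ($pos === false) {
        return $path;                  // no directory part at all, e.g. "index.php"
    }
    return substr($path, $pos + 1);    // +1 skips the slash itself
}

// Constructed inputs. With PATH_INFO appended ("/a/foo.php/extra") the last
// segment of PHP_SELF is whatever the client typed after the script name,
// so for the script's own file name read $_SERVER['SCRIPT_NAME'] instead.
foreach (['/a/b/c/d/foo.php', 'foo.php', '/foo.php', '/dir/', '/a/foo.php/extra'] as $p) {
    printf("%-20s -> %-10s basename(): %s\n", $p, scriptFileName($p), basename($p));
}
```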
--- Begin Message ---
So, for fun, (well, *MY* idea of fun) I implemented a dirt-simple
CAPTCHA.
The image is totally OCR-able, but anybody who wants to work that hard at
it can have at it. That's modular enough to (really) fix later
anyway.
After lots of encryption/decryption with urlencoding, htmlentities,
and base64_encoding, to keep all the data kosher over HTTP et al...
I end up with a string with a bunch of NUL characters (ord($char) ==
0) tacked on the end, but otherwise correctly decoded.
I'm not really sure if it's base64 or the encryption itself that pads
the string, and don't really care, to tell you the truth...
Anyway, my question is, what is the morally correct function to use to
remove these null characters from the end of my string?
I'm guessing 'rtrim' would work, but is a NUL char really whitespace?
I suppose I could do str_replace(), but if things go bad some day, I
don't want to confuse myself by removing NUL characters in the middle
of the messed up string.
A second related question:
Given that the string to be encrypted is a single word and thus very
short, the PHP manual makes it quite clear that encrypt_mode of ECB is
the right choice. YAY!
What is not readily apparent, and what I can't figure out from my
research is if any of the algorithms available is better suited to
this usage.
To be clear: I'm mcrypt_encrypt()ing the secret word into the URL and
a hidden form element, along with the IV, ditto, and so both are
available to the potential malicious user. So if exposure of IV is
an issue in any suggested answer, keep that in mind.
The following options are available in my webhost's install:
cast-128
gost
rijndael-128
twofish
arcfour
cast-256
loki97
rijndael-192
saferplus
wake
blowfish-compat
des
rijndael-256
serpent
xtea
blowfish
enigma
rc2
tripledes
We can safely eliminate any hypothetical "best" which is not in that
list.
--
Like Music?
http://l-i-e.com/artists.htm
--- End Message ---
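An added example, not from the original post, on the NUL-padding question. mcrypt pads plaintext with NUL bytes up to the cipher's block size (16 bytes for rijndael-128), which is where the trailing "\0" characters come from. mcrypt was removed in PHP 7.2, so the padding is simulated here with a small helper; the CAPTCHA word is constructed.

```php
<?php
// Added example (not the poster's code). Simulates mcrypt's zero padding so
// the behaviour of rtrim() on the trailing NULs can be checked without mcrypt.
declare(strict_types=1);

function zeroPad(string $data, int $blockSize): string
{
    $rem = strlen($data) % $blockSize;
    return $rem === 0 ? $data : $data . str_repeat("\0", $blockSize - $rem);
}

// Strip only trailing NULs. rtrim()'s default character list already contains
// "\0" (with space, \t, \n, \r and \x0B), so bare rtrim() works; naming the
// byte explicitly keeps a trailing newline or space that was part of the
// message from being eaten as well.
function stripZeroPadding(string $data): string
{
    return rtrim($data, "\0");
}

$word   = 'hippo';                // constructed CAPTCHA word
$padded = zeroPad($word, 16);     // rijndael-128 block size

echo bin2hex($padded), "\n";
var_dump(stripZeroPadding($padded) === $word);
var_dump(rtrim($padded) === $word);             // default list covers "\0" too

// Why not str_replace(): it also deletes NULs in the middle of the data,
// which matters as soon as the payload is anything other than a plain word.
$binary = "ab\0cd";
var_dump(str_replace("\0", '', zeroPad($binary, 8)));   // interior NUL removed
var_dump(stripZeroPadding(zeroPad($binary, 8)));        // interior NUL kept

// Caveat: zero padding is ambiguous when the real plaintext itself ends in
// "\0"; a length prefix or PKCS#7 padding is what removes that ambiguity.
```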
--- Begin Message ---
On Fri, 2005-10-21 at 20:45 -0500, Richard Lynch wrote:
> Anyway, my question is, what is the morally correct function to use to
> remove these null characters from the end of my string?
>
> I'm guessing 'rtrim' would work, but is a NUL char really whitespace?
I think rtrim() is probably your best bet. Haven't tried, though.
> To be clear: I'm mcrypt_encrypt()ing the secret word into the URL and
> a hidden form element, along with the IV, ditto, and so both are
> available to the potential malicious user. So if exposure of IV is
> an issue in any suggested answer, keep that in mind.
To be honest, I think you're going about it the wrong way. Put the
secret word into $_SESSION. Point the <img> tag at a PHP script which
pulls it out of $_SESSION and renders it as an image. Then you don't
need to send it to the client in any form.
--
Jasper Bryant-Greene
--- End Message ---
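An added example, not code from the thread, implementing the session-based design suggested in the reply above. The functions take the session array by reference so the walk-through runs from the CLI with a constructed array in place of $_SESSION; the TTL and the alphabet are assumed values. The answer never leaves the server, so neither the IV question nor the cipher choice arises.

```php
<?php
// Added example (not from the thread): CAPTCHA answer kept server-side.
declare(strict_types=1);

const CAPTCHA_TTL = 300;   // seconds a challenge stays valid (assumed)

// Create a challenge, store the answer in the session, return the word so the
// image script can render it. Lookalike characters are left out of the set.
function captchaIssue(array &$session, int $len = 5): string
{
    $alphabet = 'abcdefghjkmnpqrstuvwxyz23456789';
    $word = '';
    for ($i = 0; $i < $len; $i++) {
        $word .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $session['captcha'] = ['answer' => $word, 'issued' => time()];
    return $word;
}

// The <img> target only reads the word from the session; nothing goes to the
// client in the URL or a hidden field, encrypted or otherwise.
function captchaWordForImage(array $session): ?string
{
    return $session['captcha']['answer'] ?? null;
}

// Verify once. The stored answer is consumed whether or not it matched, so a
// correct answer cannot be replayed and a wrong one forces a fresh image.
function captchaVerify(array &$session, string $userInput): bool
{
    $c = $session['captcha'] ?? null;
    unset($session['captcha']);
    if ($c === null || time() - $c['issued'] > CAPTCHA_TTL) {
        return false;
    }
    return hash_equals($c['answer'], strtolower(trim($userInput)));
}

// Constructed walk-through standing in for session_start() and a browser.
$session = [];
$shown   = captchaIssue($session);
var_dump(captchaWordForImage($session) === $shown);
var_dump(captchaVerify($session, strtoupper($shown)));   // correct answer, first use
var_dump(captchaVerify($session, $shown));               // same answer, already consumed
```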
--- Begin Message ---
Given:
It is unacceptable to reject perfectly valid email addresses, no
matter how arcane. [Like mine. :-)]
The CORRECT RegEx for validating an email is 3 pages long, and
performance in PHP would probably not be so good...
In today's Security-conscious world, data validation is a requirement.
The (relatively) recent changes in domain names that allow UTF
(Unicode?) characters.
Checking MX records is not reliable at all.
Forcing users to respond to email is A) burdensome to real users in
many cases, and B) no real barrier to halfway intelligent fake users.
... would it not make sense for there to be a BUILT-IN PHP function of
a TRUE email syntactic validation?
So at least one KNOWS that the email is a valid construct, before you
even try (if you try at all) to make sure that a person actually
checks it at least once in their life.
Currently, email syntax validation is being done in very limited
fashion, if not outright "wrong" by rejecting what actually ARE valid
email addresses in about 10,000,000 PHP scripts by users who don't
have any realistic options to truly "do it right" because who can
really live with that 3-page Regex in their PHP code?
Yes, in the past, I may have come down squarely on the opposite side
of this topic, but I've changed my mind.
I believe PHP needs a built-in syntactically CORRECT email validation
function, vetted and tested by professionals, instead of the mess we
now have.
PLEASE do not point me to any existing email validation code unless
you believe it is 100% correct and complete with respect to the RFC
definitions of syntactically valid email. Not interested. I've
already seen them, and been burned by them.
--
Like Music?
http://l-i-e.com/artists.htm
--- End Message ---
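An added example, not from the post. The built-in the post asks for arrived a year later: PHP 5.2 bundled the filter extension, and filter_var() with FILTER_VALIDATE_EMAIL is that vetted syntactic check. The wrapper below adds the two things a practitioner usually puts around it, an overall length cap (RFC 5321 limits an address to 254 characters) and opt-in acceptance of non-ASCII local parts via FILTER_FLAG_EMAIL_UNICODE (PHP 7.1+). The sample addresses are constructed.

```php
<?php
// Added example (not the poster's code): syntax-only email validation with the
// built-in filter. A passing address may still be undeliverable.
declare(strict_types=1);

function emailSyntaxOk(string $addr, bool $allowUnicodeLocalPart = false): bool
{
    if (strlen($addr) > 254) {            // RFC 5321 path length limit
        return false;
    }
    $flags = ($allowUnicodeLocalPart && defined('FILTER_FLAG_EMAIL_UNICODE'))
        ? FILTER_FLAG_EMAIL_UNICODE
        : 0;
    return filter_var($addr, FILTER_VALIDATE_EMAIL, $flags) !== false;
}

// Constructed inputs covering the cases the post raises: RFC-legal oddities
// that home-grown regexes reject, a Unicode local part, and an attempt to
// smuggle a header through the address (rejected because of the CR/LF).
$samples = [
    'alice@example.com',
    '"quoted local part"@example.com',
    'user@[192.0.2.1]',
    'ünïcödé@example.com',
    'user@example',
    "alice@example.com\r\nBcc: everyone@example.net",
];
foreach ($samples as $s) {
    printf("%-50s %s\n", addcslashes($s, "\r\n"),
        emailSyntaxOk($s, true) ? 'valid syntax' : 'rejected');
}
```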
--- Begin Message ---
Hi,
Saturday, October 22, 2005, 6:26:57 AM, you wrote:
JB> [snip]
>> I just noticed that extension_dir in phpinfo is c:\php4 THAT AIN'T RIGHT!
>> Why is PHP not loading the proper ini file? This is probably the source of
>> my problems all along! ACK!!!!!
>>
JB> This is what happens when you go over to the dark side.
JB> [/snip]
JB> It's not my fault! How do I fix this?
I always put the php.ini file where the .exe file is, so for Apache put it
where apache.exe is if loading PHP as a module, or where php.exe is if
using CGI.
--
regards,
Tom
--- End Message ---
--- Begin Message ---
The author's site is unreachable so I can't check it for examples, but
last I remember he didn't have very good examples to begin with. Does
anyone who's used this package have decent examples that showcase how
to use it and use it well? In particular I'm looking for info on how to
extract archives that meet the criteria below.
- one folder with multiple items (including other folders) in it
- multiple items (files or folders) at first level of the archive
Reading the inline docs for the Pear class is less than useful for me
because there are no concrete examples I can work off of... unless I'm
blind and am completely missing something.
Help anyone?
Thanks,
Tim
--- End Message ---
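An added example, not File_Archive code: the extraction the post describes (one nested folder tree plus several top-level entries) done with PHP's bundled ZipArchive class (PHP 5.2+, zip extension assumed) instead. Whatever library does the extraction, entry names come from the archive and are attacker-controlled, so the example checks each name before writing and skips anything that would land outside the destination. A small archive with one hostile entry is built in a temp directory so the script runs stand-alone; its contents are constructed.

```php
<?php
// Added example (not from the thread): safe extraction with ZipArchive.
declare(strict_types=1);

function buildSampleZip(string $zipPath): void
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
        throw new RuntimeException("cannot create $zipPath");
    }
    $zip->addFromString('readme.txt', "top-level file\n");            // constructed
    $zip->addFromString('pkg/lib/core.php', "<?php // nested file\n");
    $zip->addFromString('pkg/docs/index.html', "<p>doc</p>\n");
    $zip->addFromString('../escape.txt', "must never be written\n");   // hostile entry
    $zip->close();
}

// Returns the entries written; hostile names are skipped and reported.
function extractSafely(string $zipPath, string $destDir): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open $zipPath");
    }
    $dest = realpath($destDir);
    if ($dest === false) {
        throw new RuntimeException("destination $destDir does not exist");
    }
    $written = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name  = $zip->getNameIndex($i);
        $parts = explode('/', str_replace('\\', '/', $name));
        // Reject empty names, absolute paths, drive letters, NULs and any ".." segment.
        if ($name === '' || $name[0] === '/' || strpos($name, "\0") !== false
            || preg_match('/^[A-Za-z]:/', $name) || in_array('..', $parts, true)) {
            fwrite(STDERR, "skipped hostile entry: $name\n");
            continue;
        }
        $target = $dest . '/' . $name;
        if (substr($name, -1) === '/') {                 // directory entry
            if (!is_dir($target) && !mkdir($target, 0755, true)) {
                throw new RuntimeException("mkdir failed: $target");
            }
            continue;
        }
        $dir = dirname($target);
        if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
            throw new RuntimeException("mkdir failed: $dir");
        }
        // Stream each entry ourselves rather than handing raw names to extractTo().
        $in = $zip->getStream($name);
        if ($in === false) {
            throw new RuntimeException("cannot read entry $name");
        }
        file_put_contents($target, $in);
        fclose($in);
        $written[] = $name;
    }
    $zip->close();
    return $written;
}

$work = sys_get_temp_dir() . '/zipdemo_' . bin2hex(random_bytes(4));
mkdir("$work/out", 0755, true);
buildSampleZip("$work/sample.zip");
print_r(extractSafely("$work/sample.zip", "$work/out"));
```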
--- Begin Message ---
You do know your code is open to SQL injection attacks.
Search php.net for SQL injection and session spoofing.
HTH
Andy
On Friday 14 October 2005 09:25, Jochem Maas wrote:
> try some code indentation to make it more readable.
>
> someone else pointed you to the 'user' 'name' mismatch already I see.
>
> twistednetadmin wrote:
> ...
>
> > session_start();
> > switch (@$_GET['action']) // Gets set by the form action
> > {
> >     case "login":
> >         $sql = "SELECT name FROM DB
> >                 WHERE name='$_POST[user]'";
> >         $result = mysql_query($sql) or die("Couldn't execute query.");
> >         $num = mysql_num_rows($result);
> >         if ($num ==1) // loginname found
> >         {
> >             $sql = "SELECT name FROM DB
> >                     WHERE name='$_POST[user]'
> >                     AND pass=password('$_POST[pass]')";
> >             $result2 = mysql_query($sql) or die("Couldn't execute query 2.");
> >             $num2 = mysql_num_rows($result2);
> >             if ($num2 > 0) // password is correct
> >             {
> >                 $_SESSION['auth']="yes";
> >                 $logname=$_POST['user'];
> >                 $_SESSION['logname'] = $logname;
> >                 header("Location: page1.php");
> >             }
> >             else // password is not correct
> >             {
> >                 unset($action);
> >                 header("Location: loginerror.php");
> >             }
> >         }
> >         elseif ($num == 0) // Wrong name. Name not in db
> >         {
> >             unset($action);
> >             header("Location: loginerror.php");
> >         }
> >
> > }
>
> ...
--
Now listening to on amaroK
Geek code: www.vlaamse-kern.com/geek
Registered Linux User No 379093
If life was for sale, what would be its price?
www.vlaamse-kern.com/sas/ for free php utilities
--- End Message ---
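An added example, not the poster's code, showing the quoted login with the two problems the reply names fixed. User input is bound as a prepared-statement parameter instead of being interpolated into the SQL, and the session id is regenerated on successful login so an id planted by an attacker (session fixation, the "session spoofing" above) is not kept. MySQL's PASSWORD() is replaced by password_hash(), since PASSWORD() is for MySQL server accounts, not application users. An in-memory SQLite database (pdo_sqlite assumed) stands in for the MySQL table so the script runs without a server; the account is constructed.

```php
<?php
// Added example (not from the thread): login with prepared statements,
// password_hash() and session id regeneration.
declare(strict_types=1);

function newUserStore(): PDO
{
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $pdo->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO users (name, pass_hash) VALUES (:name, :hash)');
    $ins->execute([                                   // constructed account
        ':name' => 'alice',
        ':hash' => password_hash('correct horse', PASSWORD_DEFAULT),
    ]);
    return $pdo;
}

// One query with the name bound as a parameter. The password check happens in
// PHP, so an unknown name and a wrong password take the same code path.
function login(PDO $pdo, string $user, string $pass, array &$session): bool
{
    $stmt = $pdo->prepare('SELECT pass_hash FROM users WHERE name = :name');
    $stmt->execute([':name' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['pass_hash'])) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);   // discard any id the client arrived with
    }
    $session['auth']    = 'yes';
    $session['logname'] = $user;
    return true;
}

$pdo     = newUserStore();
$session = [];   // stands in for $_SESSION on the CLI

// What the original string-built query becomes with a classic payload:
$payload = "' OR '1'='1";
echo "SELECT name FROM DB WHERE name='$payload'\n";   // the WHERE matches every row

var_dump(login($pdo, 'alice', 'correct horse', $session));   // real credentials
var_dump(login($pdo, $payload, 'anything', $session));       // the same payload, bound as data
var_dump(login($pdo, 'alice', 'wrong', $session));
```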
--- Begin Message ---
Hi
file_exists('字.gif') always returns false.
Can anyone help me find out a way to make it work also for these kind of
filenames?
--- End Message ---
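An added example, not from the post, for diagnosing the file_exists() question. PHP compares file names byte for byte, so the literal in the script has to be in the same encoding the filesystem stores the name in. The usual cause of "always false" is a source file saved in one encoding (Shift_JIS, GBK, Latin-1) while the directory holds UTF-8 names, or the reverse; on Windows, PHP before 7.1 also went through the ANSI code page rather than UTF-8. The helper prints the bytes on disk next to the bytes requested and then tries a few candidate source encodings. It assumes the mbstring extension, a UTF-8 filesystem and that this source file is itself saved as UTF-8; the file and the Shift_JIS mismatch are constructed.

```php
<?php
// Added example (not from the thread): find a file whose name was written in
// a different encoding than the one the filesystem uses.
declare(strict_types=1);

function findFileAcrossEncodings(string $dir, string $wanted, array $candidates): ?string
{
    // Show what is actually on disk, byte for byte, beside what was asked for.
    foreach (scandir($dir) as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        printf("on disk: %-12s hex=%s\n", $entry, bin2hex($entry));
    }
    printf("wanted : %-12s hex=%s\n", $wanted, bin2hex($wanted));

    // Try interpreting the requested name in each candidate encoding.
    foreach ($candidates as $from) {
        $converted = mb_convert_encoding($wanted, 'UTF-8', $from);
        if ($converted !== false && file_exists("$dir/$converted")) {
            return $converted;   // the name the filesystem actually has
        }
    }
    return null;
}

// Constructed setup: a file whose name is stored as UTF-8.
$dir = sys_get_temp_dir() . '/fe_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0755, true);
touch("$dir/字.gif");

// Simulate a script saved as Shift_JIS: its '字.gif' literal is not UTF-8 bytes,
// so the plain lookup fails even though the file is there.
$sjisName = mb_convert_encoding('字.gif', 'SJIS', 'UTF-8');
var_dump(file_exists("$dir/$sjisName"));
var_dump(findFileAcrossEncodings($dir, $sjisName, ['UTF-8', 'SJIS', 'GBK', 'ISO-8859-1']));
```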
--- Begin Message ---
Andy Pieters wrote:
> While it *is* possible to do what you ask for, it would be worthless.
>
> I can write from scratch a php script that
> * looks up the mx record for a given email address
> * connects to the mail server looked up
> * send the message.
>
> Since the SMTP protocol is fairly simple, I am sure many others can and will
> use this to circumvent your limitations.
And with PHPMailer there's a package that does this work for you ;-)
As I said: What I do with my traffic is none of the hoster's business.
OLLi
--- End Message ---
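An added configuration example, not from the thread, for the question in the subject line. PHP 5.3 added two php.ini settings that record every mail() call along with the script that made it; the log path is an assumed value. As the replies above point out, this only accounts for mail() itself, not for a script that opens its own socket to an MX and speaks SMTP directly.

```ini
; php.ini (PHP 5.3+). Added example; path is an assumption.
; Append one line per mail() call, with the calling script and line number.
mail.log = /var/log/php_mail.log
; Add an "X-PHP-Originating-Script" header naming the script to each message.
mail.add_x_header = On
```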