php-general Digest 29 Aug 2006 06:54:50 -0000 Issue 4318

Topics (messages 241159 through 241171):

Re: getting there- just need to output the data
        241159 by: João Cândido de Souza Neto

Re: Comparing strings... need advice.  :)
        241160 by: Robert Cummings
        241164 by: Micky Hulse
        241165 by: Robert Cummings
        241166 by: Robert Cummings
        241167 by: Micky Hulse
        241168 by: Robert Cummings
        241170 by: Micky Hulse

Problems with UTF
        241161 by: mbneto
        241162 by: Michael B Allen
        241169 by: Peter Lauri

Re: display a single thumb per gallery
        241163 by: Frank Arensmeier

QUARANTINED: Mail System Error - Returned Mail
        241171 by: WorkgroupMail Content Filter

Administrivia:

To subscribe to the digest, e-mail:
        [EMAIL PROTECTED]

To unsubscribe from the digest, e-mail:
        [EMAIL PROTECTED]

To post to the list, e-mail:
        [email protected]


----------------------------------------------------------------------
--- Begin Message ---
echo "<img src=\"".$row["img"]."\">";

But you must change one of the $row variables: there are two while loops, one inside 
the other, using the same variable name.


""Ross"" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]
>I have retrieved the unique gallery and all the data from the row. I now 
>need to output the data ($row['bin_data']) as a jpg.
>
> <?
> include("includes/config.php");
>
> $link = mysql_connect($host, $user, $password) or die ('something went 
> wrong:' .mysql_error() );
>  mysql_select_db($dbname, $link) or die ('something went wrong, DB error:' 
> .mysql_error() );
>
> $query = "SELECT DISTINCT gallery FROM thumbnails";
> $result = @mysql_query( $query,$link );
>
> while ($row = @mysql_fetch_assoc($result) ) {
>
> $gallery_id=$row['gallery'];
>
> $query2 = "SELECT * FROM thumbnails WHERE gallery ='$gallery_id' LIMIT 1";
> $result2 = @mysql_query($query2);
>
> while  ($row = @mysql_fetch_array($result2, MYSQL_ASSOC)){
> echo $id=$row['id'];
>
> //i want to output the jpeg here
>
>
> }
>
> } 

--- End Message ---
--- Begin Message ---
On Mon, 2006-08-28 at 09:47 +0100, Stut wrote:
> Micky Hulse wrote:
> > I am looking for the most secure/efficient way to compare these two
> > strings:
> > 
> > /folder1/folder2/folder3/folder4/
> > /folder1/folder2/folder3/folder4/file.php
> > 
> > Basically I am trying to setup as many security features as possible for
> > a simplistic (home-grown/hand-coded) CMS...
> > 
> > This appears to work:
> > 
> > $haystack = '/folder1/folder2/folder3/folder4/someFileName.php';
> > $needle = '/folder1/folder2/folder3/folder4/';
> > if(substr_count($haystack, $needle) === 1) echo "yea";
> > 
> > Before making changes to "someFileName.php" I want to make sure it is
> > within the allowed path ($needle).
> 
> First of all make sure you are sending both strings through realpath
> (http://php.net/realpath) to remove any symbolic links and relative
> references. Then you can compare the two strings. The way you're doing
> it will work but it's probably not very efficient. This is what I use...
> 
> $valid = (strcmp($needle, substr($haystack, 0, strlen($needle))) == 0);

<?php

function isAllowedPath( $needle, $haystack )
{
    $needle   = realpath( $needle ).'/';
    $haystack = realpath( $haystack );

    return (strpos( $haystack, $needle ) === 0);
}

?>

It is VERY important that you append the trailing slash onto the needle
path returned by realpath otherwise it will match more than you expect.
Stut didn't point that out so I thought I'd make sure you caught it.
Also I'm not sure why Stut used 3 function calls when one suffices >:)

Cheers,
Rob.
-- 
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'

--- End Message ---
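The containment check discussed in the thread, as an added example that is not code from the digest or from InterJinn: it follows the shape of Rob's isAllowedPath() (realpath() both sides, trailing separator on the base) and exercises the cases that a bare prefix test gets wrong, including a sibling directory that shares a prefix, "../" traversal and a symbolic link that points outside the tree. The function and helper names, and the throw-away directory layout under the system temp directory, are my own; it assumes a POSIX filesystem where symlink() is available to an unprivileged user.

```php
<?php
// Added example, not code from the digest: a containment check in the spirit of
// Rob's isAllowedPath(), with the cases a bare realpath() prefix test gets wrong
// handled explicitly. Function names are my own; the temp-dir layout is constructed.

/**
 * True when $candidate is an existing file or directory strictly inside $baseDir
 * (sub-directories allowed). Both sides go through realpath(), so "../" segments
 * and symbolic links are resolved before the prefix comparison.
 */
function isAllowedPath(string $baseDir, string $candidate): bool
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return false;                       // the allowed root must exist and be a directory
    }
    // Exactly one trailing separator: without it "/www/site" would also match
    // "/www/site2/x" (the trailing-slash point made in the thread). rtrim keeps
    // the root directory ("/") from becoming "//".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    $real = realpath($candidate);
    if ($real === false) {
        return false;                       // does not exist, or a component is unreadable
    }
    // Prefix comparison on the canonical form. The base directory itself fails
    // here because realpath() returns it without the trailing separator.
    return strncmp($real, $prefix, strlen($prefix)) === 0;
}

/** Remove a directory tree (used only to clean up the demo layout). */
function removeTree(string $dir): void
{
    foreach (scandir($dir) as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        $path = $dir . DIRECTORY_SEPARATOR . $entry;
        if (is_dir($path) && !is_link($path)) {
            removeTree($path);
        } else {
            unlink($path);                  // files and symlinks (the link, not its target)
        }
    }
    rmdir($dir);
}

/** Build a throw-away directory layout and run the check against each case. */
function demo(): array
{
    $root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cms-path-demo-' . getmypid();
    mkdir("$root/site/sub", 0700, true);
    mkdir("$root/site2", 0700, true);
    mkdir("$root/secret", 0700, true);
    file_put_contents("$root/site/page.html", '<p>hello</p>');
    file_put_contents("$root/site/sub/deep.html", '<p>deeper</p>');
    file_put_contents("$root/site2/other.html", '');
    file_put_contents("$root/secret/passwd", 'not for the CMS');
    symlink("$root/secret/passwd", "$root/site/link");   // a link that escapes the tree

    $base = "$root/site";
    $results = [
        'file inside'       => isAllowedPath($base, "$base/page.html"),         // allowed
        'file in sub-dir'   => isAllowedPath($base, "$base/sub/deep.html"),     // allowed
        'dot-dot traversal' => isAllowedPath($base, "$base/../secret/passwd"),  // rejected
        'sibling prefix'    => isAllowedPath($base, "$root/site2/other.html"),  // rejected
        'symlink escape'    => isAllowedPath($base, "$base/link"),              // rejected
        'base dir itself'   => isAllowedPath($base, $base),                     // rejected
        'missing file'      => isAllowedPath($base, "$base/nope.html"),         // rejected
    ];
    removeTree($root);
    return $results;
}

foreach (demo() as $case => $ok) {
    printf("%-18s %s\n", $case, $ok ? 'allowed' : 'rejected');
}
```

Run it with `php path-check.php` (any file name). Two design points worth noting: realpath() returns false for a path that does not exist, so a check written this way rejects new files by construction, which matches the thread's CMS that never creates files; and the comparison is done on the canonical form of both sides, so the allowed root may itself live behind a symlink (as /tmp does on some systems) without breaking the prefix test.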
--- Begin Message ---
Wow, thanks for all the great information folks (Stut, Ivo, Rob, and David.)

I really appreciate all of the top-notch advice and expert information. :D

Looks like I have a lot to think about...

Currently, I hard-code the paths to the folders that house the files I want my CMS to edit (via a config file.) The script then iterates through the directory and adds all files of a specific type to a dropdown menu. The user can then choose one of the files to edit and load that file into a textarea... After changes are made, the content/code gets saved back to the same file/location.

I do have an uploads folder, but it is in a different location on the server. I do not allow the user to create new files (I would have to do that manually)... it is a /very/ basic CMS.

Anyway, looks like I have some great info to work with. Thanks again everyone for sharing your expertise.

Much appreciated all. Have an excellent day.
Cheers,
Micky

--- End Message ---
--- Begin Message ---
On Mon, 2006-08-28 at 16:50 +0200, Ivo F.A.C. Fokkema wrote:
> On Mon, 28 Aug 2006 09:47:02 +0100, Stut wrote:
> 
> > Micky Hulse wrote:
> >> I am looking for the most secure/efficient way to compare these two
> >> strings:
> >> 
> >> /folder1/folder2/folder3/folder4/
> >> /folder1/folder2/folder3/folder4/file.php
> >> 
> >> Basically I am trying to setup as many security features as possible for
> >> a simplistic (home-grown/hand-coded) CMS...
> >> 
> >> This appears to work:
> >> 
> >> $haystack = '/folder1/folder2/folder3/folder4/someFileName.php';
> >> $needle = '/folder1/folder2/folder3/folder4/';
> >> if(substr_count($haystack, $needle) === 1) echo "yea";
> >> 
> >> Before making changes to "someFileName.php" I want to make sure it is
> >> within the allowed path ($needle).
> > 
> > First of all make sure you are sending both strings through realpath
> > (http://php.net/realpath) to remove any symbolic links and relative
> > references. Then you can compare the two strings. The way you're doing
> > it will work but it's probably not very efficient. This is what I use...
> > 
> > $valid = (strcmp($needle, substr($haystack, 0, strlen($needle))) == 0);
> > 
> 
> Personally, this seems simpler to me:
> 
> $valid = (dirname($haystack) == $needle);
> 
> But the way the above folders are presented, it should become
> 
> $valid = (dirname($haystack) == rtrim($needle, '/'));
> 
> less simple already... Possibly, this is not the best solution for some
> reason I don't know. If so, I would like to know :)

The above technique doesn't allow for sub-directories. It only allows
for files within the needle directory.

Cheers,
Rob.

--- End Message ---
--- Begin Message ---
On Mon, 2006-08-28 at 16:28 -0700, Micky Hulse wrote:
> Wow, thanks for all the great information folks (Stut, Ivo, Rob, and David.)
> 
> I really appreciate all of the top-notch advice and expert information. :D
> 
> Looks like I have a lot to think about...
> 
> Currently, I hard-code the paths to the folders that house the files I 
> want my CMS to edit (via a config file.) The script then iterates 
> through the directory and adds all files of a specific type to a 
> dropdown menu. The user can then choose one of the files to edit and 
> load that file into a textarea... After changes are made, the 
> content/code gets saved back to the same file/location.
> 
> I do have an uploads folder, but it is in a different location on the 
> server. I do not allow the user to create new files (I would have to do 
> that manually)... it is a /very/ basic CMS.
> 
> Anyway, looks like I have some great info to work with. Thanks again 
> everyone for sharing your expertise.

How are these saved files then imported into the content? Are they
included or do you retrieve the contents using something like file(),
file_get_contents(), or fread() and then echo it? If you are using
include or require on a file whose contents are based on web input
content then you are opening up a can of security worms since anyone
with access to the CMS could embed PHP code in the content and do
anything for which the webserver has permissions.

Cheers,
Rob.

--- End Message ---
--- Begin Message ---
Hi Robert,

Robert Cummings wrote:
How are these saved files then imported into the content? Are they
included or do you retrieve the contents using something like file(),
file_get_contents(), or fread() and then echo it? If you are using

Currently I am using readfile() (plus some other security checking) to display the contents of the edited files. I setup my script to only allow specific file types (txt, html, htm).

include or require on a file whose contents are based on web input
content then you are opening up a can of security worms since anyone
with access to the CMS could embed PHP code in the content and do
anything for which the webserver has permissions.

Thanks for pointing that out. Now that you mention it, I should probably re-work my code to use a different method of page inclusion. I am pretty concerned about security breaches... what are your thoughts on readfile()? Would you suggest I use file(), file_get_contents(), or fread() instead?

Thanks for the help Robert, I really appreciate your time.  :)

Cheers,
Micky

--- End Message ---
--- Begin Message ---
On Mon, 2006-08-28 at 17:07 -0700, Micky Hulse wrote:
> Hi Robert,
> 
> Robert Cummings wrote:
> > How are these saved files then imported into the content? Are they
> > included or do you retrieve the contents using something like file(),
> > file_get_contents(), or fread() and then echo it? If you are using
> 
> Currently I am using readfile() (plus some other security checking) to 
> display the contents of the edited files. I setup my script to only 
> allow specific file types (txt, html, htm).
> 
> > include or require on a file whose contents are based on web input
> > content then you are opening up a can of security worms since anyone
> > with access to the CMS could embed PHP code in the content and do
> > anything for which the webserver has permissions.
> 
> Thanks for pointing that out. Now that you mention it, I should probably 
> re-work my code to use a different method of page inclusion. I am pretty 
> concerned about security breaches... what are your thoughts on 
> readfile()? Would you suggest I use file(), file_get_contents(), or 
> fread() instead?

Readfile works great, it's the same as file_get_contents() and then
issuing an echo. You may also want to store content generated by web
users outside of the web tree. There may not be any issue with how you
have things now, but imagine down the road someone using your system
enables PHP processing on .html files and then someone creates content
with PHP tags and accesses it directly from their browser... boom, same
security hole.

> Thanks for the help Robert, I really appreciate your time.  :)

No problem :)

Cheers,
Rob.

--- End Message ---
--- Begin Message ---
Robert Cummings wrote:
Readfile works great, it's the same as file_get_contents() and then

Ah, good to hear.  :D

issuing an echo. You may also want to store content generated by web
users outside of the web tree. There may not be any issue with how you
[...]
with PHP tags and accesses it directly from their browser... boom, same
security hole.

Ah! Yes, good idea.  :)

I think I will work this in to my script/system. Like I said, I am very concerned about security. I would have used a pre-built CMS like Textpattern or Wordpress, but the server I am on does not have database support. :(

Anyway, many thanks for the tips Rob and all! You guys/gals rock!

Cheers,
Micky

--- End Message ---
--- Begin Message ---
Hi,

I have a php based script that is called from a html page via ajax.
Everything runs fine except when I use characters such as á that end up
like A!

After searching and testing I found that if I remove the
encodeURIComponent from the javascript and replace it with
escape everything works fine.

So the question is what can I do from PHP side to make it play nice with
those UTF encoded chars generated from encodeURIComponent?  Since escape is
deprecated I'd like to find out before I have tons of files to change....

tks.

--- End Message ---
--- Begin Message ---
On Mon, 28 Aug 2006 15:57:17 -0400
mbneto <[EMAIL PROTECTED]> wrote:

> Hi,
> 
> I have a php based script that is called from a html page via ajax.
> Everything runs fine except when I use characters such as á that end up
> like A!

A browser will display text according to the charset specified in the
HTTP response Content-Type header. That is usually set by the HTTP server
(e.g. Apache AddDefaultCharset and AddCharset). So I suspect that in
your case, your HTTP server is sending charset=ISO-8859-1 whereas the
content is in fact UTF-8 (when one non-ascii character is rendered as
two or three usually garbled characters it's an indication that UTF-8
is being rendered as some 8 bit codepage like ISO-8859-1).

Note that the charset specified in the META tag within an HTML document
is ignored when served over a network. I'm not certain what the charset
in the META tag is for. I suspect it's for caching or when you open an
HTML file from disk perhaps.

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/

--- End Message ---
--- Begin Message ---
Hi,

Have you set 

header('Content-Type: text/html; charset=utf-8'); 

in your php script that you call via AJAX?

Best regards,
Peter

PS! I assumed you were not sending any variables with the AJAX request? If
so, you would need to do a utf-8 encoding of the variables and then a
base64 encoding to make sure they arrive correctly. Of course you would after
that need to decode the variables with base64_decode in your PHP script DS!


-----Original Message-----
From: mbneto [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 29, 2006 2:57 AM
To: [email protected]
Subject: [PHP] Problems with UTF

Hi,

I have a php based script that is called from a html page via ajax.
Everything runs fine except when I use characters such as á that ends up
like A!

After searching and testing I found that if I remove the
encodeURIComponent from the javascript and replace it with
escape everything works fine.

So the question is what can I do from PHP side to make it play nice with
those UTF encoded chars generated from encodeURIComponent?  Since escape is
deprecated I'd like to find out before I have tons of files to change....

tks.

--- End Message ---
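The two halves of this thread, the charset header Michael and Peter point at and the difference between what encodeURIComponent() and the deprecated escape() send, as an added example that is not code from the digest. It shows the bytes PHP receives in each case, decodes both forms to UTF-8, and reproduces the mojibake a browser shows when UTF-8 bytes are served under an ISO-8859-1 header. The function names are my own and the two encoded inputs are constructed; it assumes the mbstring extension is loaded.

```php
<?php
// Added example, not code from the digest. Shows what PHP receives from
// encodeURIComponent() versus the deprecated escape(), and why a wrong charset
// header turns "é" into "Ã©". Function names are my own; inputs are constructed.

/** Value produced by encodeURIComponent(): percent-encoded UTF-8 bytes. */
function decodeUtf8Param(string $raw): string
{
    $bytes = rawurldecode($raw);             // %C3%A9 → the two UTF-8 bytes of "é"
    if (!mb_check_encoding($bytes, 'UTF-8')) {
        throw new InvalidArgumentException('parameter is not well-formed UTF-8');
    }
    return $bytes;
}

/**
 * Value produced by the legacy escape(): %XX is a Latin-1 code point, %uXXXX a
 * UTF-16 code unit. Both are converted to UTF-8 in one pass. Characters outside
 * the BMP (sent as surrogate pairs) are out of scope here and become U+FFFD.
 */
function decodeEscapedParam(string $raw): string
{
    return preg_replace_callback(
        '/%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})/',
        function (array $m): string {
            if ($m[1] !== '') {                                   // %uXXXX branch
                $ch = mb_chr((int) hexdec($m[1]), 'UTF-8');
                return $ch === false ? "\u{FFFD}" : $ch;
            }
            // %XX branch: a single Latin-1 byte, transcoded to UTF-8
            return mb_convert_encoding(chr((int) hexdec($m[2])), 'UTF-8', 'ISO-8859-1');
        },
        $raw
    );
}

/** What a browser shows when UTF-8 bytes are rendered as ISO-8859-1. */
function mojibake(string $utf8): string
{
    return mb_convert_encoding($utf8, 'UTF-8', 'ISO-8859-1');
}

/** Response side: declare the charset so the browser decodes the body as UTF-8. */
function respondUtf8(string $body): string
{
    header('Content-Type: text/html; charset=utf-8');  // no-op on the CLI, effective under a web server
    return $body;
}

$fromEncodeURIComponent = 'caf%C3%A9';     // constructed: encodeURIComponent('café')
$fromEscape             = 'caf%E9%u20AC';  // constructed: escape('café€')

$a = decodeUtf8Param($fromEncodeURIComponent);
$b = decodeEscapedParam($fromEscape);
assert($a === 'café');
assert($b === 'café€');
echo respondUtf8($a), "\n";   // café
echo mojibake($a), "\n";      // cafÃ©  (UTF-8 bytes displayed through a Latin-1 header)
```

On a real request PHP has already percent-decoded $_GET and $_POST, so the only step left for encodeURIComponent() input is the mb_check_encoding() test; the raw encoded strings above are used so the byte sequences are visible. The mojibake() line is the symptom Michael describes: one non-ASCII character rendered as two garbled ones is UTF-8 being displayed as an 8-bit code page, and the fix is the header, not re-encoding the data.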
--- Begin Message ---
http://dev.mysql.com/doc/refman/5.0/en/join.html

you could use something like this:

SELECT DISTINCT thumbnails.gallery, thumbnails.id, thumbnails.binary_data FROM thumbnails

you can insert everything you want from your table after the DISTINCT by writing:
table.colName

/frank

On 27 Aug 2006 at 21.39, <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> wrote:

$query = "SELECT distinct gallery FROM thumbnails";

that only returns the numbers 7 & 8. I need all the info from the rows - id, binary data etc....something like

$query = "SELECT * FROM DISTINCT gallery FROM  thumbnails";


any ideas?

--- End Message ---
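Ross's two questions in this digest, fetching one thumbnail row per gallery with all of its columns (message 241163) and then getting the stored bytes in $row['bin_data'] to the browser as a JPEG (message 241159), worked through in one added example that is not code from the digest. It uses PDO with an in-memory SQLite table named after Ross's thumbnails table and constructed rows, so it runs offline; the query, the bound-parameter lookup and the magic-byte check on the blob are my own choices, and the thumb.php URL is a hypothetical name for the separate image-serving script that the echoed <img> tag points at.

```php
<?php
// Added example, not code from the digest. Assumes a table
// thumbnails(id, gallery, bin_data) as in Ross's posts; rows are constructed.

function openSampleDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE thumbnails (id INTEGER PRIMARY KEY, gallery INTEGER NOT NULL, bin_data BLOB NOT NULL)');
    $ins = $db->prepare('INSERT INTO thumbnails (gallery, bin_data) VALUES (?, ?)');
    // Constructed payloads: a real JPEG starts with the bytes FF D8 FF.
    $rows = [[7, "\xFF\xD8\xFF\xE0gallery7-a"], [7, "\xFF\xD8\xFF\xE0gallery7-b"], [8, "\xFF\xD8\xFF\xE0gallery8-a"]];
    foreach ($rows as [$gallery, $blob]) {
        $ins->bindValue(1, $gallery, PDO::PARAM_INT);
        $ins->bindValue(2, $blob, PDO::PARAM_LOB);
        $ins->execute();
    }
    return $db;
}

/** One row per gallery (the lowest id in each), every column available, in a single query. */
function firstThumbPerGallery(PDO $db): array
{
    $sql = 'SELECT t.id, t.gallery FROM thumbnails t
            WHERE t.id = (SELECT MIN(id) FROM thumbnails WHERE gallery = t.gallery)
            ORDER BY t.gallery';
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Fetch one image by id with a bound parameter; nothing from the request is interpolated into SQL. */
function fetchThumbnail(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT bin_data FROM thumbnails WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $blob = $stmt->fetchColumn();
    return $blob === false ? null : $blob;
}

/** Gallery page: one <img> per gallery, the bytes themselves come from a separate request. */
function galleryHtml(array $rows): string
{
    $html = '';
    foreach ($rows as $row) {
        $html .= sprintf('<img src="thumb.php?id=%s" alt="gallery %s">' . "\n",
            htmlspecialchars((string) $row['id'], ENT_QUOTES, 'UTF-8'),
            htmlspecialchars((string) $row['gallery'], ENT_QUOTES, 'UTF-8'));
    }
    return $html;
}

/** thumb.php (hypothetical name): validate the id, check the blob looks like a JPEG, then emit it. */
function serveThumbnail(PDO $db, $rawId): bool
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $blob = $id === false ? null : fetchThumbnail($db, $id);
    if ($blob === null || strncmp($blob, "\xFF\xD8\xFF", 3) !== 0) {
        http_response_code(404);            // unknown id, or stored bytes are not a JPEG
        return false;
    }
    header('Content-Type: image/jpeg');
    header('Content-Length: ' . strlen($blob));
    header('X-Content-Type-Options: nosniff');
    echo $blob;
    return true;
}

$db = openSampleDb();
echo galleryHtml(firstThumbPerGallery($db));
// <img src="thumb.php?id=1" alt="gallery 7">
// <img src="thumb.php?id=3" alt="gallery 8">
var_dump(fetchThumbnail($db, 3) === "\xFF\xD8\xFF\xE0gallery8-a");   // bool(true)
var_dump(filter_var('1 OR 1=1', FILTER_VALIDATE_INT) === false);     // bool(true): rejected before any query
```

The correlated subquery gives one complete row per gallery, which is what a DISTINCT over every column cannot do once the columns differ between rows of the same gallery. Serving the image from a second script is what makes the echoed <img> tag in the first reply work: the page emits HTML, and thumb.php emits nothing but the image bytes under an image/jpeg header, with the integer validation and the FF D8 FF check keeping anything that is not a stored JPEG from being returned.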
--- Begin Message ---
The message "Mail System Error - Returned Mail" from , sent on 8/29/2006 06:01 
was quarantined because it contained either an executable file, a batch file or 
a screen saver file. All of these types of attachments are considered security 
risks. Please consult your mail administrator who can release the message.

This message was checked by MailScan for WorkgroupMail.
www.workgroupmail.com 

--- End Message ---