php-general Digest 5 Dec 2006 09:15:00 -0000 Issue 4497
Topics (messages 245497 through 245509):
Re: Distinguishing between a mouse click and a refresh?
245497 by: Jay Blanchard
245498 by: Paweł Stradomski
245499 by: Russell Jones
245500 by: Paul Novitski
245505 by: Casey Chu
Re: hiding passwd in cmdlines that appear in the process list
245501 by: Chris
Re: problem with register globals on new server
245502 by: Chris
erratic bounced message notices
245503 by: jekillen
Pass a relative path [with slashes] into a 'clean' url
245504 by: Graham Anderson
LDAP & Active Directory Authentication
245506 by: sendsomemailtome.gmail.com
Problems with Zip+IE6
245507 by: Javier Ruiz
Send emails from PHP ... in a secure way
245508 by: Ruben Rubio
245509 by: clive
----------------------------------------------------------------------
--- Begin Message ---
[snip]
Is there any way for PHP to know whether it is being called due to a
browser refresh versus a mouse click? I think the answer is no but I
just want to be sure. Thanks.
[/snip]
Not unless you specifically capture and send a JavaScript onClick event.
A mouse click typically takes you somewhere else, so if you are using
for a page refresh you could capture and send a JavaScript variable to
the PHP script.
--- End Message ---
--- Begin Message ---
In a message from Mark London dated Monday, 4 December 2006, 22:03:
> Is there any way for PHP to know whether it is being called due to a
> browser refresh versus a mouse click? I think the answer is no but I
> just want to be sure. Thanks.
Perhaps looking at REFERER HTTP header could give you some information, but
you cannot fully trust this header, as it might not be sent, or be malformed.
--
Paweł Stradomski
--- End Message ---
--- Begin Message ---
Yes, sort of. Let's say that your page is 'http://www.php.net' and you want
to make sure your visitor got there with a click, and not a refresh...
first, get the referer...
$_SERVER['HTTP_REFERER'];
then do something like this...
$refsite = file_get_contents($_SERVER['HTTP_REFERER']);
$refsite = str_replace('"','',$refsite);
$refsite = str_replace('"','',$refsite);
if (stristr($refsite, 'href=http://www.php.net') && !stristr($refsite, "url=http://www.php.net")) {
    // it came from a click
}
else {
    // maybe not a click
}
On 12/4/06, Mark London <[EMAIL PROTECTED]> wrote:
Is there any way for PHP to know whether it is being called due to a
browser refresh versus a mouse click? I think the answer is no but I
just want to be sure. Thanks.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--- End Message ---
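An added example, not part of the original post: because the Referer header is supplied by the client and may be missing or malformed, as noted earlier in the thread, it can be parsed locally and compared with the site's own host instead of being fetched, which would make the server request whatever URL the client names. The function name and the sample values are constructed for illustration.

```php
<?php
// Added example; function name and sample values are constructed.
// Classify a request from its Referer header without ever fetching that URL:
// the header is client-supplied, so it is parsed as data and compared locally.
function classify_referer(?string $referer, string $ownHost, string $requestUri): string
{
    if ($referer === null || $referer === '') {
        return 'unknown';            // header absent: typed URL, bookmark, privacy setting
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return 'unknown';            // malformed value
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return 'unknown';            // only web origins are meaningful here
    }
    if (strcasecmp($parts['host'], $ownHost) !== 0) {
        return 'external-link';      // the header names another site
    }
    $refPath = ($parts['path'] ?? '/')
             . (isset($parts['query']) ? '?' . $parts['query'] : '');
    return $refPath === $requestUri ? 'same-page' : 'internal-link';
}

// Constructed sample headers, evaluated for a request to /index.php on www.php.net.
$samples = [
    null,
    'not a url',
    'ftp://www.php.net/x',
    'http://example.org/links.html',
    'http://www.php.net/docs.php',
    'http://www.php.net/index.php',
];
foreach ($samples as $r) {
    printf("%-34s => %s\n", var_export($r, true),
           classify_referer($r, 'www.php.net', '/index.php'));
}
```

The result is a hint for logging or display only; a missing or mismatching header proves nothing about how the visitor arrived.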
--- Begin Message ---
At 12/4/2006 01:08 PM, Jay Blanchard wrote:
[snip]
Is there any way for PHP to know whether it is being called due to a
browser refresh versus a mouse click? I think the answer is no but I
just want to be sure. Thanks.
[/snip]
Not unless you specifically capture and send a JavaScript onClick event.
A mouse click typically takes you somewhere else, so if you are using
for a page refresh you could capture and send a JavaScript variable to
the PHP script.
The tricky bit would be distinguishing between a page loaded with a
mouse-click and a subsequent reload of that same page, as they would
share the same querystring. One way would be to use javascript to
supply the current absolute time in the querystring at the moment of
click (you could do the same sort of thing with submit using a hidden
field or a querystring appended to the form action), then PHP could
compare that time with its own current time to see if the querystring
represented a current or old rendering.
That would fail with javascript disabled, of course.
A server-side-only solution could pre-populate all the links on the
site that point to this page with a special querystring. When the
script/page is invoked with that querystring, PHP does the necessary
processing and then redirects to itself (the same page) but without
the special querystring. Therefore reloading the page that's
downloaded to the client won't reinvoke the post-click process.
Regards,
Paul
--- End Message ---
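The server-side-only approach described in the message above, as an added example that is not part of the original post. It goes one step further than the message by making the marker a single-use token kept in the session, so that a copied or bookmarked link does not repeat the work either; the parameter name click, the PAGE constant and the helper names are hypothetical.

```php
<?php
// Added example; the "click" parameter, PAGE and the helper names are hypothetical.
session_start();
const PAGE = '/page.php';

// Build a link to PAGE carrying a fresh one-time token remembered in the session.
function click_link(): string
{
    $token = bin2hex(random_bytes(16));
    $_SESSION['click_tokens'][$token] = time();
    return PAGE . '?click=' . $token;
}

// True only the first time a token issued by click_link() is presented.
function consume_click(array $query): bool
{
    $token = $query['click'] ?? '';
    if (!is_string($token) || !isset($_SESSION['click_tokens'][$token])) {
        return false;                            // unknown, reused or malformed
    }
    unset($_SESSION['click_tokens'][$token]);    // single use
    return true;
}

if (isset($_GET['click'])) {
    if (consume_click($_GET)) {
        // ... the processing that must run once per click goes here ...
    }
    // Redirect to the same page without the marker; the target is a fixed
    // path, not a value taken from the request. Reloading the page the
    // browser ends up on sends no token, so nothing is repeated.
    header('Location: ' . PAGE, true, 303);
    exit;
}

// Every link that points at this page is generated with its own token.
echo '<a href="' . htmlspecialchars(click_link(), ENT_QUOTES) . '">open</a>';
```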
--- Begin Message ---
Oooh... now that I think about it, it doesn't work. Sorry =(
On 12/4/06, Paul Novitski <[EMAIL PROTECTED]> wrote:
Hi Casey,
Yes, I can see that your javascript function adds a random number to
the href of a clicked link, but how does that help PHP distinguish
between a page loaded that way and that same page reloaded with the
refresh button in the browser's chrome? That was the OP's problem.
Regards,
Paul
At 12/4/2006 09:30 PM, you wrote:
><script>
>// NOT TESTED
>document.onclick = function(e) {
> var targ;
>if (!e) var e = window.event;
>if (e.target) targ = e.target;
>else if (e.srcElement) targ = e.srcElement;
>if (targ.nodeType == 3) // defeat Safari bug
>targ = targ.parentNode;
>query = Math.floor(Math.random()*10000);
>if (undefined !== targ.href)
>targ.href=targ.href.indexOf("?")!=-1?targ.href+"&"+query:targ.href+"?"+query;
>}
></script>
--- End Message ---
--- Begin Message ---
Jochem Maas wrote:
[EMAIL PROTECTED] wrote:
You'd assume those ENV variables are secure.. or secure "enough". I know
there's no such thing as perfect security, but I still wonder if there's a better way.
Although at this point, if there was a way to read other process/subprocess ENV
variables, it'd most likely be something an attacker would have to get at by
being fairly close to the system (trojan installed as root and exploiting an OS
bug that allowed access to ENV variables from other processes for example). So
I'm guessing this is about as secure as you're going to get for now.
thanks - nice to have a few extra brains executing this 'thought experiment'
The problem still bugs me though.. hah.
yeah it niggles a bit. I keep hunting about now and again to see if I can learn how
seasoned shell scripters tackle such security issues - undoubtedly I'm not the first to come
across these issues, I am after a very small hobbit standing on the shoulders of very tall ents.
Modifying your $ENV will only affect that session in bash (I'm sure the
other shells work the same).
Try modifying your $PATH in one session, start another and you will get
the original $PATH in the new session..
I guess the underlying apps (mysql, postgres) do something to hide the
password in the process list. How? No idea ;)
Actually thinking about it you can have a .my.cnf stored somewhere and
point to that..
[client]
user = XXX
password = XXXXX
mysql --defaults-file=~/.my.cnf
but then it shows the path to your .my.cnf file instead, which is
equally as bad..
maybe you can use this as an idea:
Default options are read from the following files in the given order:
/etc/my.cnf /var/lib/mysql/my.cnf ~/.my.cnf
--
Postgresql & php tutorials
http://www.designmagick.com/
--- End Message ---
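An added example, not part of the original thread, of the option-file idea from the message above: a PHP script writes the credentials to a file that only its own user can read and passes just the path to the client. The path is still visible in the process list; what keeps the password private is the file mode. Helper names and sample credentials are constructed.

```php
<?php
// Added example; helper names and the sample credentials are constructed.

// Write a [client] option file that only the owning user can read; returns its path.
function write_client_cnf(string $user, string $password): string
{
    // Keep the file format unambiguous: refuse values that would need escaping.
    foreach ([$user, $password] as $v) {
        if (preg_match('/["\\\\\r\n]/', $v)) {
            throw new InvalidArgumentException('unsupported character in credential');
        }
    }
    $path = tempnam(sys_get_temp_dir(), 'cnf');   // created atomically, owner-only
    if ($path === false) {
        throw new RuntimeException('cannot create option file');
    }
    chmod($path, 0600);                           // state the intended mode explicitly
    file_put_contents($path, "[client]\nuser=\"$user\"\npassword=\"$password\"\n");
    return $path;
}

// True when neither group nor others have any access to the file.
function cnf_is_private(string $path): bool
{
    clearstatcache(true, $path);
    return (fileperms($path) & 0077) === 0;
}

// Argument vector for the client: the path shows up in the process list,
// the password does not. The option is placed before any other option.
function mysql_argv(string $cnf, string $sql): array
{
    if (!cnf_is_private($cnf)) {
        throw new RuntimeException("$cnf is accessible to other users");
    }
    return ['mysql', "--defaults-file=$cnf", '-e', $sql];
}

$cnf = write_client_cnf('report', 'constructed-secret');
print_r(mysql_argv($cnf, 'SELECT 1'));   // this is what other users could see
unlink($cnf);                            // remove the file once the client has run
```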
--- Begin Message ---
Tony Marston wrote:
""Richard Lynch"" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
On Sun, December 3, 2006 5:22 am, Tony Marston wrote:
""Richard Lynch"" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
On Sat, December 2, 2006 5:31 am, Tony Marston wrote:
I think it is quite possible for a sysAdmin to configure AllowOverride
and .htaccess in such a way that "too much" latitude is granted to
their clients to access each others' data...
I disagree. What directives can give you access to other people's
data?
I believe I once managed to track down a bit of data using
FollowSymlink for a client that wasn't available otherwise.
In our case, it was data they actually had a legal/moral right to see,
but technical snafus were in the way.
Presumably all the other combinations of AllowOverride are not there
just for the sheer fun of complexity by the Apache team.
I'm betting that at least some of them have security trade-offs in
mind, and are not just about random features nor performance.
And there is alleged to be a significant performance loss to
.htaccess, so a hurried sysAdmin may have over-simplified their
decision process...
"Alleged" is the word. Where are the figures to support this? While there is
"some" performance loss, with the speed of today's PCs can this really be
considered as "significant"?
I don't have benchmarks.
Do you?
No, otherwise I would have quoted them. Generally speaking when people say
that "X is inefficient or bad for performance" all they can prove is that if
something extra is done then it takes extra processing time to perform that
extra work, and they usually quote from an out-of-date source. While the
time taken for Apache to process an htaccess file may have been significant
on a 1Mhz processor it is barely noticeable on a 3Ghz processor.
If the time taken to process an htaccess file on one of today's processors
adds 0.000001 seconds to a page's load time, would that be regarded as
"significant"? Would this be a small price to pay for the advantage of being
able to change Apache's configuration with an htaccess file?
It would depend on your site as well. If you have a lot of directories,
apache has to go from the bottom to the top of the site to see if there
are any htaccess files along the way..
Whether that causes a noticeable performance difference I doubt it (but
then again I'd argue that a site with a huge directory structure would
need a bit of a redesign anyway).
--
Postgresql & php tutorials
http://www.designmagick.com/
--- End Message ---
--- Begin Message ---
The following is a response to a message I sent to the link in a
bounced e-mail notice from this list:
This is an automated response to your message to
"[EMAIL PROTECTED]"
If you are trying to post to one of the PHP mailing lists, the correct
address looks something like [EMAIL PROTECTED]
If you are having problems unsubscribing, follow the directions
located online at http://php.net/unsub
Thanks!
And this is the reply that I sent to that address:
("[EMAIL PROTECTED]")
Please be advised that this erratic behavior
is not within my control. I do not have filters
to block messages from this list. These may
be intercepted by a server and bounced as
a proxy, I also get lots of spam that is not
addressed to me. Since SBC Yahoo has
become mixed up with AT&T again, I am
not even sure who has my e-mail account
info and I dread trying to find out from them,
let alone complain about spam or bounced
email problems.
JK
[EMAIL PROTECTED]
Why is this list set up to solicit responses to
messages like this and then responds
as if I am doing something wrong by following
the indicated link?
--- End Message ---
--- Begin Message ---
What is a good/accepted way to pass a relative or absolute path
into a clean url ?
I could replace the relative url's slashes with another character,
but would love to know a cleaner less confusing way...if it exists
example url:
http://localhost/testscript/../image.png/jpeg/420000/0/
example php:
list($dummy,$relative_path,$type, $color, $cache) = explode('/',
$_SERVER['PATH_INFO']);
where:
$relative_path=../image.png
$type=jpeg
$color=420000
$cache=0
many thanks in advance
--- End Message ---
--- Begin Message ---
Hello list,
I am going to need to build LDAP and AD modules for a project that I'm
working on. Could any of you who have dealt with PHP/LDAP/AD point me in the
direction of some decent resources/papers/books?
Thanks.
--- End Message ---
--- Begin Message ---
Hi all!
I have a problem with zip files and Internet Explorer 6. I try to send to
the user a dynamically generated zip file, writing the HTTP headers and
using file_put_contents for the zip content. It works fine when downloading
the file with Firefox, Opera, etc... It even works well if I download the
file with Internet Explorer and then open it with any zip tool. The problem
comes when I try to directly open the file from the URL using IE6.
I found this is a known bug of IE (several versions) in windows XP:
http://support.microsoft.com/kb/308090
Does anybody know any way to work around this problem? I found a couple of
workarounds in forums over there and I tried them, but unfortunately they
didn't work:
1 - To change the mimetype (when writing HTTP headers) from
"application/zip" that I used before to "application/x-zip-compressed"
2 - To not use MOD_DEFLATE in apache2 (I was not using it really...)
Any idea??
Thanks a lot!
--- End Message ---
--- Begin Message ---
Hi,
I have a question sending mails from PHP. Actually I am using phpmailer
(is good!!) but when this class sends an email and there is an error
(Mail server is not ready) It just reports error and email is lost.
Is there any way to save failed emails and resend them if possible?
Thanks in advance
--- End Message ---
--- Begin Message ---
Ruben Rubio wrote:
Hi,
I have a question sending mails from PHP. Actually I am using phpmailer
(is good!!) but when this class sends an email and there is an error
(Mail server is not ready) It just reports error and email is lost.
How are you sending the email: via SMTP, sendmail, or whatever MTA is
on the system? With the MTA it should be queued. If you get an error with
the MTA then something is very wrong.
Why can't you save the email in a file or a database and then send it
later yourself?
clive
--- End Message ---