php-general Digest 1 Jun 2007 12:25:25 -0000 Issue 4823
Topics (messages 255937 through 255964):
Re: Removing PHPSESSID - CGI Install
255937 by: Richard Lynch
Re: uploading really big files
255938 by: Richard Lynch
Re: local v remote
255939 by: Richard Lynch
255940 by: Richard Lynch
Re: Streaming download to IE doesn't work
255941 by: Richard Lynch
Re: using mysql_escape_string with implode() !!
255942 by: Richard Lynch
255949 by: Jim Lucas
Re: exec dont work for svn
255943 by: Richard Lynch
Re: preg_match() returns false but no documentation why
255944 by: Richard Lynch
255945 by: Richard Lynch
255946 by: Richard Lynch
255950 by: Stut
Re: find (matching) person in other table
255947 by: Richard Lynch
255948 by: Daevid Vincent
Re: How do YOU initialize the form variables?
255951 by: Richard Lynch
ZIP it :o)
255952 by: Auto-Deppe, C. Haensel
255953 by: Stut
255954 by: Jim Lucas
255955 by: Chris
255958 by: Tijnema
255959 by: Auto-Deppe, C. Haensel
PCRE Error/Issue...
255956 by: bruce
Strange Warning, PHP sessions
255957 by: Sachin mahajan
linking to an image with document_root
255960 by: blueboy
255961 by: Chris
255962 by: Shafiq Rehman
255963 by: clive
Re: [SPAM] Re: [PHP] Attempting to search a MySQL database from PHP not working
255964 by: Jason Pruim
Administrivia:
To subscribe to the digest, e-mail:
[EMAIL PROTECTED]
To unsubscribe from the digest, e-mail:
[EMAIL PROTECTED]
To post to the list, e-mail:
[EMAIL PROTECTED]
----------------------------------------------------------------------
--- Begin Message ---
On Thu, May 31, 2007 5:55 am, Shaun wrote:
> I have PHP installed as a CGI module on my server. I want to stop
> PHPSESSID
> from appearing in the URL when a user's cookies are turned off, for just one
> account. My hosting company says that this is impossible - they would
> have
> to change php.ini and that would affect every account on the server.
> Also if
> PHP is changed to an Apache module then they won't support it. Is
> there no
> other way around this?
Perhaps you can turn it off in .htaccess
Does CGI utilize .htaccess???
Perhaps you could get them to use suExec and run your CGI with a
different user and environment (i.e., different php.ini) if they don't
want to use Module.
> Removing PHPSESSID is very important for SEO
> purposes...
Really?
I'd expect that the search engine authors are smart enough to not be
messed up by something as common as PHPSESSID in a URL.
Can you provide any objective independent study reference to support
such a claim?
Much SEO information out there is utter crap...
--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
--- End Message ---
--- Begin Message ---
On Thu, May 31, 2007 5:07 am, Angelo Zanetti wrote:
> thanks for the replies. But how does a site like:
> http://www.yousendit.com/ do the upload of really huge files?
> Normal upload?
I guess they've already worked through all the issues, assuming their
service actually works...
Or, perhaps, they don't really care about users on slow/flaky
connections, and simply refund anybody who is unhappy.
I dunno.
Ask them. :-)
--- End Message ---
--- Begin Message ---
On Thu, May 31, 2007 4:50 am, blueboy wrote:
> On my localhost this works fine
>
> $result= mysql_query("SELECT date_format(date, '%d/%m/%Y') as date,
> title,
> id, display FROM NEWS");
> while ($row = mysql_fetch_assoc($result)) {
>
> but on my remote i get a mysql_fetch_assoc(): supplied argument is not
> a
> valid MySQL result resource
>
> Can someone explain the problem? PHP version problem?
The problem is probably that you never even managed to connect to the
MySQL database in the first place...
But it could be something else entirely.
We can't tell you, but you can find out by using the mysql_error()
function a lot.
--- End Message ---
--- Begin Message ---
On Thu, May 31, 2007 8:07 am, M. Sokolewicz wrote:
> In case you didn't know, 99% of code on this planet using mysql_query
> does not supply the secondary argument as most code-bases don't use >
> 1
> connection in the same script.
That does not make it a Good Practice...
I spent days fixing somebody else's code who thought they were opening
a second connection (not) and then were closing it (yep) but they were
actually closing *MY* database connection, because they were too lazy
to type that second arg.
I personally think you should never, ever, ever, write code that
relies on the default open connection.
Sooner or later, the project will grow, morph or merge into something
where you'll get your wires crossed.
It costs only a few keystrokes in a few places to do it right.
YMMV
--- End Message ---
--- Begin Message ---
On Wed, May 30, 2007 9:16 pm, Daniel Kasak wrote:
> On Wed, 2007-05-30 at 13:40 -0500, Richard Lynch wrote:
>
>> On Tue, May 29, 2007 6:37 pm, Daniel Kasak wrote:
>> > Actually, that blog had absolutely nothing to do with my problem
>> > ( thanks for RTFP!). Not only that, but the recommendation that I
>> > construct URLs:
>> >
>> > http://address.com/script/thing=2/this=3/that=4/download.txt
>> >
>> > is patently ridiculous.
>>
>> Why?
>
> It's excessively complex for no actual benefit. It means you have to
> have extra code to 'explode' out the various parts of the URL. Even
> after reading your description of the code that handles this, it was
> non-obvious what it was for. If I returned to this 2 years later ( or
> God forbid, someone else had to look at it ), they wouldn't have a
> clue
> what it was doing, or why. But also, as I noted, this 'solution' is to
> a
> different problem - the problem of IE not naming downloads properly.
> IE
> names them properly for me ... it just doesn't download them ( if over
> SSL ).
Actually, it solves more than just IE not naming them properly.
It also solves some versions of IE not opening PDF from FDF links when
the user has chosen to not embed PDF reader in browser bug.
It also solved a host of other IE bugs over the years.
It would not surprise me in the least if it didn't solve your bug as
well, actually.
IE is just plain flaky with its stupid attempts to "guess" about
content type and intent from URL analysis.
I'm sorry you found a simple loop to look at the URL and pull the
values into an array confusing... :-v
TETO
--- End Message ---
--- Begin Message ---
On Wed, May 30, 2007 9:55 pm, Jim Lucas wrote:
> Greg Donald wrote:
>> On 5/30/07, Richard Lynch <[EMAIL PROTECTED]> wrote:
>>> You want to use mysql_escape_string, and NOT addslashes and NOT
>>> Magic
>>> Quotes.
>>
>> function slashes( $var )
>> {
>> if( is_array( $var ) )
>> {
>> return array_map( 'slashes', $var );
>> }
>> else
>> {
>> return mysql_real_escape_string( $var );
>> }
>> }
>
> Say I wanted to use this on something other than $_GET, $_POST, &
> $_COOKIE?
>
> Would it not be better practice to do this the other way around?
>
> function slashes ( $var ) {
> if ( is_scalar($var) ) {
> return mysql_real_escape_string( $var );
> } else {
> return array_map( 'slashes', $var );
> }
> }
>
> This way, even if someone passes something that is not an array, but
> still not processable by mysql_real_escape_string(), it won't foul up
> the processor.
>
>>
>> set_magic_quotes_runtime( 0 );
>>
>> if( get_magic_quotes_gpc() == 0 )
>> {
>> $_GET = isset( $_GET )
>> ? array_map( 'slashes', $_GET )
>> : array();
>>
>> $_POST = isset( $_POST )
>> ? array_map( 'slashes', $_POST )
>> : array();
>>
>> $_COOKIE = isset( $_COOKIE )
>> ? array_map( 'slashes', $_COOKIE )
>> : array();
>> }
Well, if it's not a scalar, and it's not an array, and you call
array_map on it, things could get very ugly very fast...
I'm not sure what other datatypes you might try to pass in, that PHP
won't type-juggle to a string when it goes to
mysql_real_escape_string...
Exactly what "other" data are you planning on calling 'slashes' on?
--- End Message ---
--- Begin Message ---
Richard Lynch wrote:
On Wed, May 30, 2007 9:55 pm, Jim Lucas wrote:
Greg Donald wrote:
On 5/30/07, Richard Lynch <[EMAIL PROTECTED]> wrote:
You want to use mysql_escape_string, and NOT addslashes and NOT
Magic
Quotes.
function slashes( $var )
{
if( is_array( $var ) )
{
return array_map( 'slashes', $var );
}
else
{
return mysql_real_escape_string( $var );
}
}
Say I wanted to use this on something other than $_GET, $_POST, &
$_COOKIE?
Would it not be better practice to do this the other way around?
function slashes ( $var ) {
if ( is_scalar($var) ) {
return mysql_real_escape_string( $var );
} else {
return array_map( 'slashes', $var );
}
}
This way, even if someone passes something that is not an array, but
still not processable by mysql_real_escape_string(), it won't foul up
the processor.
set_magic_quotes_runtime( 0 );
if( get_magic_quotes_gpc() == 0 )
{
$_GET = isset( $_GET )
? array_map( 'slashes', $_GET )
: array();
$_POST = isset( $_POST )
? array_map( 'slashes', $_POST )
: array();
$_COOKIE = isset( $_COOKIE )
? array_map( 'slashes', $_COOKIE )
: array();
}
Well, if it's not a scalar, and it's not an array, and you call
array_map on it, things could get very ugly very fast...
I'm not sure what other datatypes you might try to pass in, that PHP
won't type-juggle to a string when it goes to
mysql_real_escape_string...
Exactly what "other" data are you planning on calling 'slashes' on?
Things that will work with mysql_real_escape_string()
boolean, integer, double, float, string, NULL
Things that won't work with mysql_real_escape_string()
array, object, resource id
--
Jim Lucas
"Some men are born to greatness, some achieve greatness,
and some have greatness thrust upon them."
Unknown
--- End Message ---
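The two points raised above (Richard's "always pass the connection explicitly" from the local v remote thread, and Jim's list of types that do and do not survive *_real_escape_string) combined into one helper. This is an added example, not code from the thread; it uses mysqli because the mysql_* extension quoted above was removed in PHP 7, and the connection details in the usage comment are assumed.

```php
<?php
// Added example: a recursive escaper that takes the connection explicitly and
// only accepts the types Jim lists as safe for *_real_escape_string().
// mysqli is used here; the mysql_* extension from the thread no longer exists.
function escape_for_sql(mysqli $link, $var) {
    if (is_array($var)) {
        $out = array();
        foreach ($var as $key => $value) {
            $out[$key] = escape_for_sql($link, $value);   // recurse, keep keys
        }
        return $out;
    }
    if ($var === null) {
        return null;                 // let the caller emit SQL NULL, not ''
    }
    if (is_bool($var)) {
        return $var ? '1' : '0';     // booleans become MySQL tinyint literals
    }
    if (is_int($var) || is_float($var)) {
        return (string) $var;        // numbers contain nothing to escape
    }
    if (is_string($var)) {
        // Escapes according to the connection's character set, which is
        // exactly why $link must be passed instead of relying on a default.
        return mysqli_real_escape_string($link, $var);
    }
    // Objects, resources, closures: refuse instead of letting type juggling
    // turn them into "Array"/"Object" or fail inside the escaper.
    throw new InvalidArgumentException(
        'escape_for_sql(): cannot escape value of type ' . gettype($var));
}

// Usage (hypothetical connection details):
// $link = mysqli_connect('localhost', 'user', 'pass', 'db');
// mysqli_set_charset($link, 'utf8mb4');
// $safe = escape_for_sql($link, $_POST);
// $sql  = "SELECT id FROM users WHERE name = '{$safe['name']}'";
```

With mysqli or PDO, prepared statements with bound parameters avoid escaping altogether; the helper is for code that still builds SQL strings.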
--- Begin Message ---
On Wed, May 30, 2007 4:30 pm, Manolet Gmail wrote:
> 2007/5/30, Richard Lynch <[EMAIL PROTECTED]>:
>>
>>
>> On Tue, May 29, 2007 10:44 am, Manolet Gmail wrote:
>> > 2007/5/28, Greg Donald <[EMAIL PROTECTED]>:
>> >> On 5/28/07, Manolet Gmail <[EMAIL PROTECTED]> wrote:
>> >> > but this doesnt work:
>> >> >
>> >> > exec("svn update",$out);
>>
>> exec("svn update", $out, $error);
>> if ($error) echo "OS Error: $error. Use perror $error in shell to
>> get
>> message";
>
> give me error 1:
> OS error code 1: Operation not permitted
>
> also, the checkout was done by another user. But I did chmod -R 777 * as
> root.
>
> so what can I do?
[shudder] Having a bunch of root owned files set to 777 is definitely
the wrong way to go... Think about it for awhile.
As far as the OS Error goes, we don't even know exactly what is wrong
here...
Maybe the PHP user can't run svn
maybe the PHP user can run svn, but can't alter the hidden .svn files
that you probably didn't chmod.
Maybe...
I'd suggest doing an 'su' to the PHP User and trying to do svn update
on the command line, before you put PHP into the mix.
You also should use a full path to 'svn' and you need to be in the
right directory before you do 'svn', so I'd put a 'cd /whatever; svn
up' instead.
--- End Message ---
--- Begin Message ---
On Wed, May 30, 2007 4:25 pm, Jared Farrish wrote:
> On 5/30/07, Richard Lynch <[EMAIL PROTECTED]> wrote:
>>
>> If you can't find them documented, print them out:
>>
>> echo "PREG_NO_ERROR: '", PREG_NO_ERROR, "'";
>>
>
> Doh!
>
> PREG_NO_ERROR: 0
> PREG_INTERNAL_ERROR: 1
> PREG_BACKTRACK_LIMIT_ERROR: 2
> PREG_RECURSION_LIMIT_ERROR: 3
> PREG_BAD_UTF8_ERROR: 4
>
> So apparently, "PREG_NO_ERROR" is synonymous for "you need delimiters,
> egghead."
I think the error mechanism you are checking never even had a chance
to kick in...
It's kind of like an in-flight warning system for an airplane that
never got off the ground... It's going to keep saying "no error"
while the plane burns to a cinder if it never got turned on in the
first place as it never got in the air.
preg_match("/^ldap(s)?:\/\/([a-zA-Z0-9-])+\.[a-zA-Z.]{2,5}$/",$this->server)
>>
>> Try using | instead of / for your delimiter, so that you don't have
>> to
>> dink around with escaping the / in the pattern...
>
>
> You only have to escape "/" if it's part if it's the pattern
> delimiter?
>
> Makes the code less cluttered and more clear.
>
>
> Fo' sho'.
Yup.
You only need to escape the delimiter you chose if it's in the pattern.
Or, looking at it from the pattern point of view: Pick a delimiter
you are unlikely to ever need in the pattern, so you won't need to
escape it.
--- End Message ---
--- Begin Message ---
On Wed, May 30, 2007 5:04 pm, Jim Lucas wrote:
> btw: why is there a period in the second pattern? Also, why are you
> allowing for uppercase letters
> when the RFC's don't allow them?
LDAP URL domain can't be ALL CAPS?!
Last I heard, domain names were case-insensitive in every other URL...
--- End Message ---
--- Begin Message ---
On Thu, May 31, 2007 7:26 am, Jared Farrish wrote:
>> That's what the 'period' is called in British English.
>> http://google.ca/search?q=define%3Afull+stop
>>
>> In English syntax "period" and "full stop" are synonymous, and the
>> RegEx manual is throwing "dot" into the same bag.
>
> That's very confusing to call it 'Full Stop' when it doesn't seem to
> actually correlate to the regex meaning it identifies, don't you
> think?
> Maybe to a Brit or someone who understands Commonwealth English would
> know
> (I was aware of what it meant in CE, I just wouldn't have imagined to
> apply
> it here, since it looks to be descriptive).
>
> Kind've like an elephant trainer calling her elephant's trunk a boot.
@Brits: So is a comma or semi-colon called a Half Stop :-)
PS
Nitpick: Regex Coach also runs very nicely on Linux, not just Windows,
thank goodness. :-)
--- End Message ---
--- Begin Message ---
Richard Lynch wrote:
On Thu, May 31, 2007 7:26 am, Jared Farrish wrote:
That's what the 'period' is called in British English.
http://google.ca/search?q=define%3Afull+stop
In English syntax "period" and "full stop" are synonymous, and the
RegEx manual is throwing "dot" into the same bag.
That's very confusing to call it 'Full Stop' when it doesn't seem to
actually correlate to the regex meaning it identifies, don't you
think?
Maybe to a Brit or someone who understands Commonwealth English would
know
(I was aware of what it meant in CE, I just wouldn't have imagined to
apply
it here, since it looks to be descriptive).
Kind've like an elephant trainer calling her elephant's trunk a boot.
@Brits: So is a comma or semi-colon called a Half Stop :-)
No.
@Americans: What did the letters s and u ever do to you?
-Stut
--- End Message ---
--- Begin Message ---
MySQL doesn't let you use the calculated values (score) in the where
clause.
PostgreSQL does, as I recall.
Sorry.
You may be able to get around that with:
Do a GROUP BY on something unique, so the GROUP BY is pointless, but
then you can use HAVING score > 0
Use a sub-query in MySQL 4.mumble or higher, and the outer query can
use 'score' to get rid of the 0-point non-matches
Build up the expression for $score and $where at the same time like:
//$lastname and $firstname must already have been run through mysql_real_escape_string()
$where = ' 0 ';
$score = ' 0 ';
$where .= " OR lastname = '$lastname' ";
$score .= " + 5 * (lastname = '$lastname' ) ";
$where .= " OR firstname = '$firstname' ";
$score .= " + 2 * (firstname = '$firstname' ) ";
This gets tiresome to type, but is least confusing to non-programmers...
On Thu, May 31, 2007 9:36 am, Afan Pasalic wrote:
>
>
> Jared Farrish wrote:
>> On 5/30/07, Afan Pasalic <[EMAIL PROTECTED]> wrote:
>> email has to match "in total". [EMAIL PROTECTED] and
>> [EMAIL PROTECTED]
>>> are NOT the same in my case.
>>>
>>> thanks jared,
>>
>> If you can match a person by their email, why not just SELECT by
>> email
>> only
>> (and return the persons information)?
> 'cause some members can be added to database by administrator and
> maybe
> they don't have email address at all. or several members can use the
> same email address ([EMAIL PROTECTED]) and then matching last name
> is
> kind of "required". that's how it works now and can't change it.
>
>> Consider, as well, that each time you're calling a database, you're
>> slowing
>> down the response of the page. So, while making a bunch of small
>> calls
>> might
>> not seem like that much, consider:
>>
>> ||||||| x |||||||
>> ||||||| a |||||||
>> ||||||| b |||||||
>>
>> Versus
>>
>> ||||||| x, a, b |||||||
>>
>> The letters represent the request/response data (what you're giving
>> to
>> get,
>> then get back), and the pipes (|) are the overhead to process, send,
>> receive
>> (on DB), process (on DB), send (on DB), receive, process, return to
>> code.
>>
>> The overhead and latency used to complete one request makes it a
>> quicker,
>> less "heavy" operation. If you did the first a couple hundred or
>> thousand
>> times, I would bet your page would drag to a halt while it loads...
> agree. now, I have to figure it out HOW? :-)
>
> I was looking at levenshtein, though, I think the richard's solution
> is
> just enough:
>
> select member_id, first_name, last_name, email, ...,
> (5*(last_name='$last_name') + 2*(first_name='$first_name')) as score
> from members
> where score > 0
>
> though, I'm getting error: "Unknown column 'score' in where clause"?!?
>
> thanks jared.
>
--- End Message ---
--- Begin Message ---
Jumping in late so forgive if I'm mistaken, but can't you just use
"HAVING" in place of "WHERE"
> > select member_id, first_name, last_name, email, ...,
> > (5*(last_name='$last_name') +
> 2*(first_name='$first_name')) as score
> > from members
HAVING score > 0
> -----Original Message-----
> From: Richard Lynch [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 31, 2007 3:42 PM
> To: Afan Pasalic
> Cc: Jared Farrish; [EMAIL PROTECTED]
> Subject: Re: [PHP] Re: find (matching) person in other table
>
> MySQL doesn't let you use the calculated values (score) in the where
> clause.
>
> PostgreSQL does, as I recall.
>
> Sorry.
>
> You may be able to get around that with:
>
> Do a GROUP BY on something unique, so the GROUP BY is pointless, but
> then you can use HAVING score > 0
>
> Use a sub-query in MySQL 4.mumble or higher, and the outer query can
> use 'score' to get rid of the 0-point non-matches
>
> Build up the expression for $score and $where at the same time like:
>
> $where = ' 0 ';
> $score = ' 0 ';
> $where .= " OR lastname = '$lastname' ";
> $score .= " + 5 * (lastname = '$lastname' ) ";
> $where .= " OR firstname = '$firstname' ";
> $score .= " + 2 * (firstname = '$firstname' ) ";
>
> This gets tiresome to type, but is least confusing to
> non-programmers...
>
> On Thu, May 31, 2007 9:36 am, Afan Pasalic wrote:
> >
> >
> > Jared Farrish wrote:
> >> On 5/30/07, Afan Pasalic <[EMAIL PROTECTED]> wrote:
> >> email has to match "in total". [EMAIL PROTECTED] and
> >> [EMAIL PROTECTED]
> >>> are NOT the same in my case.
> >>>
> >>> thanks jared,
> >>
> >> If you can match a person by their email, why not just SELECT by
> >> email
> >> only
> >> (and return the persons information)?
> > 'cause some members can be added to database by administrator and
> > maybe
> > they don't have email address at all. or several members
> can use the
> > same email address ([EMAIL PROTECTED]) and then matching
> last name
> > is
> > kind of "required". that's how it works now and can't change it.
> >
> >> Consider, as well, that each time you're calling a database, you're
> >> slowing
> >> down the response of the page. So, while making a bunch of small
> >> calls
> >> might
> >> not seem like that much, consider:
> >>
> >> ||||||| x |||||||
> >> ||||||| a |||||||
> >> ||||||| b |||||||
> >>
> >> Versus
> >>
> >> ||||||| x, a, b |||||||
> >>
> >> The letters represent the request/response data (what you're giving
> >> to
> >> get,
> >> then get back), and the pipes (|) are the overhead to
> process, send,
> >> receive
> >> (on DB), process (on DB), send (on DB), receive, process, return to
> >> code.
> >>
> >> The overhead and latency used to complete one request makes it a
> >> quicker,
> >> less "heavy" operation. If you did the first a couple hundred or
> >> thousand
> >> times, I would bet your page would drag to a halt while it loads...
> > agree. now, I have to figure it out HOW? :-)
> >
> > I was looking at levenshtein, though, I think the richard's solution
> > is
> > just enough:
> >
> > select member_id, first_name, last_name, email, ...,
> > (5*(last_name='$last_name') +
> 2*(first_name='$first_name')) as score
> > from members
> > where score > 0
> >
> > though, I'm getting error: "Unknown column 'score' in where
> clause"?!?
> >
> > thanks jared.
> >
--- End Message ---
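Afan's scoring query from this thread, as an added example (not code from any of the posts): the values are bound as PDO parameters instead of being interpolated like '$lastname' in the string-building version, and the filter goes into HAVING as Daevid suggests, which MySQL lets reference a SELECT alias. The members table and column names are Afan's; the e-mail weight of 10 and the connection details are assumptions.

```php
<?php
// Added example: scored member lookup with bound parameters and HAVING.
// Weights: last name 5 and first name 2 as in the thread; exact e-mail 10 (assumed).
function find_matching_members(PDO $pdo, $first_name, $last_name, $email) {
    // Each comparison yields 1 or 0 in MySQL, so the weighted sum is the score.
    // IFNULL() keeps the score numeric for members whose email column is NULL,
    // which Afan says happens; otherwise NULL would swallow the other terms.
    $sql = "SELECT member_id, first_name, last_name, email,
                   (10 * IFNULL(email = ?, 0)
                  +  5 * IFNULL(last_name = ?, 0)
                  +  2 * IFNULL(first_name = ?, 0)) AS score
            FROM members
            HAVING score > 0
            ORDER BY score DESC";
    $stmt = $pdo->prepare($sql);
    // Values travel as parameters, so quotes or comments in them never reach
    // the SQL parser; no escaping step is needed.
    $stmt->execute(array($email, $last_name, $first_name));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (hypothetical DSN and credentials):
// $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass',
//                array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
// $rows = find_matching_members($pdo, $_POST['first_name'],
//                               $_POST['last_name'], $_POST['email']);
```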
--- Begin Message ---
On Thu, May 31, 2007 5:39 pm, [EMAIL PROTECTED] wrote:
> Thank you. Will use of your initialization method protect one from sql
> injection? It isn't clear from reading this:
>
> http://ca.php.net/htmlentities
>
> ???
htmlentities has absolutely ZERO protection against SQL Injection.
None. Nada. Zip. Zilch.
It only "protects", if that, against XSS attack, in that it converts
any funky character into its HTML Entity to be rendered as "data" in
the browser, rather than as a "code" (where "code" means JavaScript
and/or HTML).
A clever XSS attacker might craft a string that after htmlentities
turns into Bad Things, but it's a bit tougher.
In fact, if I understood Rasmus' keynote at the php|tek correctly, an
HTML-entity of ' is actually a valid apostrophe in JS, so that:
var foo = 'This is an XSS attack'
is actually VALID JavaScript code!
[shudder]
Which means that htmlentities won't always be "enough" to protect
against XSS attacks, I don't think...
But it was early in the morning for me, and I was freaking out about
the dang microphone (grrr!) so wasn't 100% focused on what he was
saying...
Anyway, if the incoming data is also bound for SQL, as well as for
output to the browser, I might also do like this at the top:
$messages = array();
require 'connect.inc'; //sets up $connection
$username = isset($_POST['username']) ? $_POST['username'] : '';
//ENT_QUOTES so that apostrophes are encoded too, not only < > & and "
$username_html = htmlentities($username, ENT_QUOTES);
$username_sql = mysql_real_escape_string($username, $connection);
//validate username:
//the code to put here is CUSTOM
//it depends on YOUR business needs for a username
//that, in turn, depends on YOUR potential user base
//beware any kind of "generic" code for this
//it might be "close" to what you want
//but it will rarely really really be what you want...
//That said, here are some tests you might consider modifying:
$valid = true;
if (!strlen($username)){
  //this probably is always gonna need to be there...
  $messages[] = "Username cannot be blank";
  $valid = false;
}
if (!ctype_graph($username)){
  //maybe you WANT to allow control characters in your username?
  $messages[] = "Username cannot contain \"invisible\" characters or whitespace";
  $valid = false;
}
if (preg_match('|^[a-z]*$|i', $username)){
  //all alpha usernames are usually not so good...
  $messages[] = "Username must contain at least one character that's not A to Z";
  $valid = false;
}
if (preg_match('|^[0-9]*$|', $username)){
  //all digit usernames are probably also not so good...
  $messages[] = "Username cannot be only digits 0-9. Add at least one A-Z character.";
  $valid = false;
}
if (is_dictionary_word($username)){
  //is_dictionary_word() is not a built-in; you write it against a word list
  //perhaps more appropriate for a password in general
  //but on higher-level security systems
  //even a username shouldn't be in Websters' dictionary
  $messages[] = "Username must not be a single dictionary word. Consider using two unrelated words.";
  $valid = false;
  //NOTE: Websters' 2nd Edition is available in Public Domain
  //and is often available as rpm/package
  //quite handy to check for this kind of stuff
}
You could, of course, go on at length in this way, and even more so
for passwords.
But once you reach this point, if $valid is still true, you have an
SQL-injection safe username in $username_sql, so use that in the
queries.
$query = "select user_id from user where username = '$username_sql' ";
Use the HTML one for HTML:
<input name="username" value="<?php echo $username_html?>" />
NOTE: The "filter" extension available since (??? 5.2.2 ???) looks
like it will make this all a LOT easier.
--- End Message ---
--- Begin Message ---
Morning guys,
I have been trying to find an easy to use way to zip an archive on a linux
box running PHP5. Now I've tried the zip-lib.php and others, but they always
throw an error msg.... But that is not the question.
I am looking to use exec("zip archive.zip $directory"); $directory has been
tried with both full path and relative path ... but that doesn't work. I
don't get an error, it just doesn't create the zip-file...
So, after a day of Google-ing and trying, I thought I might ask you for
help.
Cheers for any answers and hints.
Regards,
Chris
--- End Message ---
--- Begin Message ---
Auto-Deppe, C. Haensel wrote:
I have been trying to find an easy to use way to zip an archive on a linux
box running PHP5. Now I've tried the zip-lib.php and others, but they
always
throw an error msg.... But that is not the question.
I am looking to use exec("zip archive.zip $directory"); $directory has
been
tried with both full path and relative path ... but that doesn't work. I
don't get an error, it just doesn't create the zip-file...
So, after a day of Google-ing and trying, I thought I might ask you for
help.
Most likely a permissions problem. Does the PHP user have write access
to the place where archive.zip will be created?
-Stut
--- End Message ---
--- Begin Message ---
Auto-Deppe, C. Haensel wrote:
Morning guys,
I have been trying to find an easy to use way to zip an archive on a linux
box running PHP5. Now I've tried the zip-lib.php and others, but they
always
throw an error msg.... But that is not the question.
I am looking to use exec("zip archive.zip $directory"); $directory has
been
tried with both full path and relative path ... but that doesn't work. I
don't get an error, it just doesn't create the zip-file...
So, after a day of Google-ing and trying, I thought I might ask you for
help.
Cheers for any answers and hints.
Regards,
Chris
Read up on this page
http://us2.php.net/manual/en/function.exec.php
Then try this instead
<?php
exec("zip archive.zip {$directory} 2>&1", $output, $status);
echo implode("\n", $output); // $output is an array of lines; a bare echo prints "Array"
echo "\nexit status: $status";
?>
--- End Message ---
--- Begin Message ---
Auto-Deppe, C. Haensel wrote:
Morning guys,
I have been trying to find an easy to use way to zip an archive on a linux
box running PHP5. Now I've tried the zip-lib.php and others, but they
always
throw an error msg.... But that is not the question.
I am looking to use exec("zip archive.zip $directory"); $directory has
been
tried with both full path and relative path ... but that doesn't work. I
don't get an error, it just doesn't create the zip-file...
So, after a day of Google-ing and trying, I thought I might ask you for
help.
Cheers for any answers and hints.
http://pear.php.net/package/Archive_Zip and/or
http://pear.php.net/package/File_Archive
and please create a *new* message instead of replying to an existing one
and changing the topic. It screws up message threading (in email clients
and in the archives).
--
Postgresql & php tutorials
http://www.designmagick.com/
--- End Message ---
--- Begin Message ---
On 6/1/07, Chris <[EMAIL PROTECTED]> wrote:
Auto-Deppe, C. Haensel wrote:
> Morning guys,
>
> I have been trying to find an easy to use way to zip an archive on a linux
> box running PHP5. Now I've tried the zip-lib.php and others, but they
> always
> throw an error msg.... But that is not the question.
>
> I am looking to use exec("zip archive.zip $directory"); $directory has
> been
> tried with both full path and relative path ... but that doesn't work. I
> don't get an error, it just doesn't create the zip-file...
>
> So, after a day of Google-ing and trying, I thought I might ask you for
> help.
>
> Cheers for any answers and hints.
http://pear.php.net/package/Archive_Zip and/or
http://pear.php.net/package/File_Archive
and please create a *new* message instead of replying to an existing one
and changing the topic. It screws up message threading (in email clients
and in the archives).
Not in gmail :)
I had the same problem lately, wanted also to create zip files from PHP. I
tried various built-in functions, but I ended up with the exec way.
It has been said before, but PHP probably doesn't have the right
permissions to write the .zip file, so I would recommend you to write
to /tmp first.
Tijnema
--- End Message ---
--- Begin Message ---
Hi guys,
thanks to Jim, I made it :o) Here's the source I'm using for testing now...
it works. I just need to make it less vulnerable ;o)
----- SNIP -----
<?php
$nr = $_GET['nr'];
if(eregi("../", $nr)) {
    die("Hier wird nicht rumgehackt"); // German: "No hacking around here"
}
$directory = '_kfz_images/'.$nr.'/full/';
$dir = opendir($directory);
$i = 1;
while(($file = readdir($dir)) !== false) {
    $dest = "temp/Auto-Deppe-".$nr."_".$i.".jpg";
    if(eregi("jpg", $file)) {
        copy($directory.$file, $dest);
        $i++;
    }
}
closedir($dir);
$now = time();
$zipfile = $now."_archive.zip";
header("Content-Type: application/force-download");
header('Content-Disposition: attachment; filename="Auto-Deppe-'.$now.'_Download.zip"');
exec("zip ".$zipfile." temp/* 2>&1", $output);
readfile($zipfile);
unlink($zipfile); // otherwise every download leaves a zip behind on the server
$tempdir = opendir("temp");
while(($tempfile = readdir($tempdir)) !== false) {
    if(eregi("jpg", $tempfile)) {
        unlink("temp/".$tempfile);
    }
}
closedir($tempdir);
?>
----- SNAP -----
So I am copying the files to a temp dir, and then zip em up, delete them
afterwards. I copy them to the dir so I wouldn't have the whole
/kfz_images/number/full/ structure in the zip.
Aaaanyhow, it works, it does work fast enough, and I am happy :o)
Thanks a bunch, guys, and have a great day!
This is Christian Haensel live from Extertal, Germany. Back to you.
-:oD)=
----- Original Message -----
From: "Tijnema" <[EMAIL PROTECTED]>
To: "Chris" <[EMAIL PROTECTED]>
Cc: "Auto-Deppe, C. Haensel" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Friday, June 01, 2007 9:27 AM
Subject: Re: [PHP] ZIP it :o)
On 6/1/07, Chris <[EMAIL PROTECTED]> wrote:
Auto-Deppe, C. Haensel wrote:
> Morning guys,
>
> I have been trying to find an easy to use way to zip an archive on a
> linux
> box running PHP5. Now I've tried the zip-lib.php and others, but they
> always
> throw an error msg.... But that is not the question.
>
> I am looking to use exec("zip archive.zip $directory"); $directory has
> been
> tried with both full path and relative path ... but that doesn't work.
> I
> don't get an error, it just doesn't create the zip-file...
>
> So, after a day of Google-ing and trying, I thought I might ask you for
> help.
>
> Cheers for any answers and hints.
http://pear.php.net/package/Archive_Zip and/or
http://pear.php.net/package/File_Archive
and please create a *new* message instead of replying to an existing one
and changing the topic. It screws up message threading (in email clients
and in the archives).
Not in gmail :)
I had the same problem lately, wanted also to create zip files from PHP; I
tried various built-in functions, but I ended up with the exec way.
It has been said before, but PHP probably doesn't have the right
permissions to write the .zip file, so I would recommend you write
to /tmp first.
Tijnema
--- End Message ---
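A hardened variant of the download script from this thread, added here as an example and not Christian's code: it accepts only a numeric "nr", confirms the resolved directory still lies under _kfz_images, and builds the archive with ZipArchive (PHP 5.2+) in a temp file instead of shelling out to zip, so neither the temp/ copy step nor a command line is needed. The _kfz_images/<nr>/full/ layout and the file names are assumed from the thread.

```php
<?php
// Added example, not the thread's code. Same job as Christian's script: bundle the
// full-size JPGs of one vehicle as a ZIP download. Assumes PHP 5.2+ (ZipArchive)
// and the _kfz_images/<nr>/full/ layout described in the thread.
$base = realpath('_kfz_images');

// Accept only a plain numeric id, so there is no "../" to look for and nothing
// that could reach a shell or another directory.
$nr = isset($_GET['nr']) ? $_GET['nr'] : '';
if ($base === false || !ctype_digit($nr)) {
    header('HTTP/1.0 400 Bad Request');
    exit('invalid vehicle number');
}

// Resolve the directory and confirm it still sits below the image base.
$directory = realpath($base . '/' . $nr . '/full');
if ($directory === false || strpos($directory, $base . DIRECTORY_SEPARATOR) !== 0) {
    header('HTTP/1.0 404 Not Found');
    exit('no such vehicle');
}

// Build the archive in a temp file whose name the client cannot influence.
$zipfile = tempnam(sys_get_temp_dir(), 'kfz');
$zip = new ZipArchive();
if ($zip->open($zipfile, ZipArchive::OVERWRITE) !== true) {
    exit('could not create archive');
}
$i = 1;
foreach (glob($directory . '/*') as $file) {
    if (!is_file($file) || strtolower(pathinfo($file, PATHINFO_EXTENSION)) !== 'jpg') {
        continue;
    }
    // Rename inside the archive; this replaces the copy-to-temp/ step.
    $zip->addFile($file, 'Auto-Deppe-' . $nr . '_' . $i . '.jpg');
    $i++;
}
if ($i === 1) {                 // no images: do not ship an empty archive
    $zip->close();
    unlink($zipfile);
    header('HTTP/1.0 404 Not Found');
    exit('no images for this vehicle');
}
$zip->close();

header('Content-Type: application/zip');
header('Content-Length: ' . filesize($zipfile));
header('Content-Disposition: attachment; filename="Auto-Deppe-' . time() . '_Download.zip"');
readfile($zipfile);
unlink($zipfile);               // nothing is left behind on disk
```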
--- Begin Message ---
Hi...
Trying to install/test a php app, and I get the following error/issue...
"Compilation failed: this version of PCRE is not compiled with PCRE_UTF8
support..."
I'm not sure if this is an OS issue, a PHP issue, or from the app. I'd
prefer to not have to build php from source/scratch, as I might screw up
other apps/apache/etc...
Looking over the 'net hasn't really shed any light on this.
I have:
Fedora 5
PHP 5.1.6
Thanks for any thoughts/pointers/etc...
-bruce
--- End Message ---
--- Begin Message ---
Can anyone clarify this..
<?php
/* Warning: Unknown: Your script possibly relies on a session side-effect which
existed until PHP 4.2.3. Please be advised that the session extension does not
consider global variables as a source of data, unless register_globals is
enabled. You can disable this functionality and this warning by setting
session.bug_compat_42 or session.bug_compat_warn to off, respectively. in
Unknown on line 0 */
// Can anyone help me find out where the problem is?!
// When I comment out either line 2 or 3, there is no warning.
session_start();
$arrFormData = $_POST;
$_SESSION['arrFormData'] = $arr;//$arrFormData;//phpinfo();
?>
<form id="frmUser" method="post">
First Name: <input type="text" name="fName" /> <br/>
Last Name: <input type="text" name="lName" /> <br/>
<input type="submit" name="btnAdd" value="add" />
</form>
Regards,
Sachin
([EMAIL PROTECTED])
--- End Message ---
--- Begin Message ---
Maybe a stupid question but can I link to images with document root
$img_url= $_SERVER['DOCUMENT_ROOT'].'/images/holder.gif';
echo "<img src=\"$img_url\" width=\"250\" height=\"163\"/>";
I am certain the path is correct.
If not, what are my alternatives?
R.
--- End Message ---
--- Begin Message ---
blueboy wrote:
> Maybe a stupid question but can I link to images with document root
> $img_url= $_SERVER['DOCUMENT_ROOT'].'/images/holder.gif';
> echo "<img src=\"$img_url\" width=\"250\" height=\"163\"/>";
An image source is the URL to that image.
The server document root is the local location of that file (e.g.
/home/user/file.gif) - which is never going to work as a URL.
--
Postgresql & php tutorials
http://www.designmagick.com/
--- End Message ---
--- Begin Message ---
Hi,
You cannot use document_root to get the paths for images. You can write a
function to get the images' URL in your application.
function imageServer()
{
return "/images/";
}
--
Shafiq Rehman (ZCE)
http://www.phpgurru.com | http://shafiq.pk
Cell: +92 300 423 9385
On 6/1/07, Chris <[EMAIL PROTECTED]> wrote:
> blueboy wrote:
>> Maybe a stupid question but can I link to images with document root
>>
>> $img_url= $_SERVER['DOCUMENT_ROOT'].'/images/holder.gif';
>>
>> echo "<img src=\"$img_url\" width=\"250\" height=\"163\"/>";
> An image source is the URL to that image.
> The server document root is the local location of that file (e.g.
> /home/user/file.gif) - which is never going to work as a URL.
> --
> Postgresql & php tutorials
> http://www.designmagick.com/
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
--- End Message ---
--- Begin Message ---
blueboy wrote:
> Maybe a stupid question but can I link to images with document root
there are no stupid questions, only stupid answers.
> $img_url= $_SERVER['DOCUMENT_ROOT'].'/images/holder.gif';
No, you can't.
do this in a script on your server:
echo "<pre>";
print_r($_SERVER);
and have a look at the variables you can make use of; I would imagine
$_SERVER['SERVER_NAME'] might be the one you want.
clive
> echo "<img src=\"$img_url\" width=\"250\" height=\"163\"/>";
> I am certain the path is correct.
> If not, what are my alternatives?
> R.
--
Regards,
Clive.
Real Time Travel Connections
{No electrons were harmed in the creation, transmission or reading of
this email. However, many were excited and some may well have enjoyed
the experience.}
--- End Message ---
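Added example, not from the thread: the mapping the replies describe, from a filesystem path under DOCUMENT_ROOT to the URL path the browser actually requests, with a check that the file really lies below the web root before it is published. The /images/holder.gif location and the document root are assumed from the thread.

```php
<?php
// Added example, not from the thread. Converts a filesystem path below the web
// root into the URL path a browser can request; returns null for a missing file
// or for anything outside DOCUMENT_ROOT (which must never be exposed as a URL).
function docroot_to_url($path, $root = null)
{
    if ($root === null) {
        $root = $_SERVER['DOCUMENT_ROOT'];
    }
    $root = realpath($root);
    $real = realpath($path);
    if ($root === false || $real === false) {
        return null;                                  // root or file does not exist
    }
    if (strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;                                  // outside the web root
    }
    // Keep the part below the root and encode each segment for use in a URL.
    $rel = ltrim(substr($real, strlen($root)), DIRECTORY_SEPARATOR);
    $segments = array_map('rawurlencode', explode(DIRECTORY_SEPARATOR, $rel));
    return '/' . implode('/', $segments);
}

// What the original did: a local path such as /home/user/public_html/images/holder.gif
// (assumed layout) ends up in src="", and the browser cannot fetch that.
$local = $_SERVER['DOCUMENT_ROOT'] . '/images/holder.gif';

// What works: the URL path derived from it, "/images/holder.gif".
$img_url = docroot_to_url($local);
if ($img_url === null) {
    echo '<!-- holder.gif is missing or outside the document root -->';
} else {
    echo '<img src="' . htmlspecialchars($img_url) . '" width="250" height="163"/>';
}
```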
--- Begin Message ---
On May 31, 2007, at 5:43 PM, Richard Lynch wrote:
On Thu, May 31, 2007 2:25 pm, Jason Pruim wrote:
>> Hi Everyone, I am attempting to set up a search field on a database
>> application I'm dinking around with and running into problems that
>> I'm hoping someone might be able to shed some light on.
>> Here is the code I am using to display the results of the search:
>> echo ('<table border="1">');
>> echo "<tr><th>First Name</th><th>Author</th><th>Pages</th></tr>";
>> $result_row[] = mysql_query($query) or die(mysql_error());
> I also have to wonder why you are building an array of query result
> resources...
> You probably could do this with just one SQL query and some order by
> clauses to get what you want, without hitting the DB so much.
To use the newbie scapegoat, I don't know how else to do it, and it
seems to work :)
What would you recommend?
I am always open to finding ways to make my code better/faster/more secure.
--- End Message ---