php-general Digest 21 Oct 2007 08:27:00 -0000 Issue 5083
Topics (messages 263452 through 263460):
Runkit / Parsekit & good practices
263452 by: 131
Securing PHP
263453 by: Grant
263456 by: Nathan Hawks
Multi-table pager sorted by date
263454 by: Nathan Hawks
263458 by: Nathan Hawks
Re: This, then that. [solved?]
263455 by: Instruct ICC
Re: This, then that.
263457 by: Instruct ICC
newbie questions
263459 by: Ravi
263460 by: M. Sokolewicz
----------------------------------------------------------------------
--- Begin Message ---
I was asking myself whether the super-possibilities offered by the runkit
extension could be used in a "good" way.
I'd like to use runkit to define superglobals like $config, for example.
I'd like to use runkit to modify class extension & implementation, making
it more "JavaScript"-like.
I'm very frustrated at not being able to extend an existing class.
For example, I'd like to use, in every one of my scripts, an "sql" static
class, regardless of the database system. - I know about PDO, that's just an
example -
I'd like to use
class sql {
// nothing here
}
And in mysql.php
modify sql {
function connect(){
}
}
and in mysql/plugin/superlinks
modify sql {
function fetch(){
$tmp=before:fetch();
return $tmp=str_replace("<a href=....","<a href='FOO',..);
}
}
That's not a great post, my true question is
"Might we use the supergodpower runkit offers", or - not
PS : that's just an evolution of the EXISTING "Overload" process
--- End Message ---
--- Begin Message ---
Hi all,
You've all likely heard this before...."I was hacked..." , "Had register
globals on..." etc etc.
Well, this is true of me as well.
Does anyone know of a site that would help a semi-professional lock down
php, i.e.
Perhaps how to install phpsuexec,
Jail users to only have the ability to read/write to their own files and
directories,
php.ini directives that have a similar effect as mentioned above.
Any help appreciated.
-Grant
--- End Message ---
--- Begin Message ---
Are you running a multi-user hosting service?
If so you can create include files on a per-user or per-domain basis.
Use the Apache config directive php_value to set your include_path and
open_basedir appropriately for each account; and other options as
desired.
I don't know of a particular site, but that is the config framework that
Plesk uses.
As for building PHP, make sure you run the testing battery ('make test'
after you 'make' and before you 'make install') in order to see how
'hardened' your build is.
On Sat, 2007-10-20 at 21:00 -0400, Grant wrote:
> Hi all,
>
> You've all likely heard this before...."I was hacked..." , "Had register
> globals on..." etc etc.
>
> Well, this is true of me as well.
>
> Does anyone know of a site that would help a semi professional lock down
> php, i.e.
>
> Perhaps how to install phpsuexec,
>
> Jail users to only have the ability to read/write to their own files and
> directories,
>
> php.ini directives that have a similar effect as mentioned above.
>
> Any help appreciated.
>
> -Grant
>
--- End Message ---
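The per-account setup described in the reply above, as an added configuration example that is not part of the original message. It assumes Apache with mod_php; the account name "alice", the host name and every path are hypothetical. It uses php_admin_value rather than php_value so that the account cannot loosen the settings itself.

```apache
# Added example for Apache with mod_php. "alice", the host name and all
# paths are hypothetical.

# Weaker form: with php_value and AllowOverride Options (or All), the
# account's own .htaccess or ini_set() can set the value again.
#   php_value include_path ".:/home/alice/include"

<VirtualHost *:80>
    ServerName alice.example.test
    DocumentRoot /home/alice/public_html

    <Directory /home/alice/public_html>
        # Keep PHP settings out of reach of per-directory .htaccess files.
        AllowOverride AuthConfig Limit

        # php_admin_value cannot be overridden from .htaccess or ini_set().
        # Trailing slash: older PHP versions match open_basedir as a string
        # prefix, so "/home/alice" would also allow "/home/alice2".
        php_admin_value open_basedir "/home/alice/:/tmp/alice/"
        php_admin_value include_path ".:/home/alice/include"

        # Per-account upload and session directories inside open_basedir,
        # so accounts do not share one temporary directory.
        php_admin_value upload_tmp_dir "/tmp/alice/upload"
        php_admin_value session.save_path "/tmp/alice/session"
    </Directory>
</VirtualHost>
```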
--- Begin Message ---
I'm doing a project where the database was designed before me and they
don't have a budget for a database re-design. There are two entity
tables which /should/ have been the same model with some meta-fields
keyed off a type field, but it's not. It's two tables, which should be
displayed intermixed, paged, and sorted by date.
The solution I thought up didn't do the trick. I:
- made two pagers, one for each table
- got the current page's set
- intermixed them by making an array of references, keyed off the
datetime string, referring to items in both result sets
- krsort()ed the intermixed array
The result is probably obvious, but I'll explain it anyway... there is
nowhere near an equal density in entries-per-date between the two
tables, and so, each page shows results from both tables, but the dates
for the two models on the same page are very different; on page 1, I'll
get items from tableA with dates ranging 10/5/2007-10/9/2007 and tableB
with dates ranging from 10/13/2007 12:00:00 to 10/13/2007 at 15:00:00.
So I'm thinking I need to find a way to align the results, and it needs
to happen somehow in the pagers themselves (this being symfony, the
pager grabs the query criteria object and sets limit and offset for
you.) I am already generating pager links based on the resultset with
the most pages; so artificially generating page links won't be a far
step.
The only solution I've thought up, I don't want to do, which is to break
the query into dates e.g. if the date range is 2007-10-01 to 2007-10-31,
I do not want a separate pager link for each date which then subpages
the results or shows all results for that date; the date range might
span years and there might be hundreds of entries for a date. I need a
single pager which aligns the two tables' entries' dates in each page of
results throughout the span.
I am very open to a ready-made class that can do this, especially if
it's based on Propel, or if it can take raw sql queries.
Thoughts?
Nathan
--- End Message ---
--- Begin Message ---
Never mind. Just because they can't afford a database redesign doesn't
mean they can't afford a new index table containing date-indexed links
to both tables' entities.
On Sat, 2007-10-20 at 21:39 -0400, Nathan Hawks wrote:
> I'm doing a project where the database was designed before me and they
> don't have a budget for a database re-design. There are two entity
> tables which /should/ have been the same model with some meta-fields
> keyed off a type field, but it's not. It's two tables, which should be
> displayed intermixed, paged, and sorted by date.
--- End Message ---
--- Begin Message ---
> >> I think I found a solution.
> >>
> >> Here's the url:
> >>
> >> http://www.webbytedd.com/bbb/image-test1/
> >>
> >> The point is that the image is only accessible via this script, is
> >> this correct?
> >
> >I can access it without a script:
> >http://www.webbytedd.com/bbb/image-test1/images/a.jpg
>
> I think what you were seeing was a cached image.
Yes, it seems I was accessing a cached image.
If I am allowed to see this picture, but not another, you may still have a
security issue.
If I am allowed to see this picture, and thereby am also allowed to see any
other, then you probably don't need to secure it more.
I just don't like the actual image filename in the HTML view source. I prefer
to hand off an id to a display_image.php script which checks credentials for
the specific picture.
--- End Message ---
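A sketch of the display_image.php approach mentioned in the message above, as an added example that is not code from the thread. The image directory, the session key user_id and the IMAGES table (constructed sample data standing in for a database) are assumptions.

```php
<?php
// display_image.php?id=<n> -- added example, not code from the thread.
declare(strict_types=1);

const IMAGE_DIR = '/var/app-data/images'; // assumed: outside the document root

// Constructed sample data standing in for a database table:
// image id => stored file name, MIME type, user ids allowed to view it.
const IMAGES = [
    1 => ['file' => 'a.jpg', 'mime' => 'image/jpeg', 'users' => [10, 11]],
    2 => ['file' => 'b.png', 'mime' => 'image/png',  'users' => [11]],
];

/** Return [path, mime] if $userId may view image $rawId, otherwise null. */
function authorizeImage($rawId, int $userId, array $images, string $dir): ?array
{
    // Accept only a positive integer id; file names never come from the client.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || !isset($images[$id])) {
        return null;
    }
    // Per-image check: being logged in is not enough.
    if (!in_array($userId, $images[$id]['users'], true)) {
        return null;
    }
    // Resolve the path and confirm it is still inside the image directory.
    $base = realpath($dir);
    $path = realpath($dir . '/' . basename($images[$id]['file']));
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return [$path, $images[$id]['mime']];
}

session_start();
$userId = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : 0;
$image  = $userId > 0
    ? authorizeImage($_GET['id'] ?? null, $userId, IMAGES, IMAGE_DIR)
    : null;

if ($image === null) {
    // Same answer for "no such image" and "not yours", so ids reveal nothing.
    http_response_code(404);
    exit;
}
header('Content-Type: ' . $image[1]);
header('Content-Length: ' . (string) filesize($image[0]));
header('Cache-Control: private, no-store'); // keep caches from replaying it
header('X-Content-Type-Options: nosniff');
readfile($image[0]);
```

The Cache-Control header addresses the cached copy discussed in the thread: without it, a browser or proxy can serve the image again without the credential check running.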
--- Begin Message ---
> > >> > I want to prohibit an image from being shown to anyone who is not
> > >> > permitted (i.e., logged in).
> > >> >
> > >> > The way I want to do this is to:
> > >> >
> > >> > 1. Set [file] permissions...
> > >>
> > >>
> > >>
> > >> What if 2 or more users access the application at the same time?
> > >>
> > >> Set the permissions so only the PHP application can access it.
> > >> Have the PHP application decide if this present user running this
> > >>instance should see the image.
> > >> If approved, display image.
> > >
> > >One idea that has always been REALLY popular around here... stuff your
> > >image in a database. *MUHAWHAWHAWHAWHAW* *Ducks from the flying rocks*.
> > >
> > >Cheers,
> > >Rob.
> > >--
> >
> > Rob:
> >
> > That's really not a bad idea, but in this experiment I'm using images
> > as a stand-in for larger files (CD's, Videos, etc).
> >
> > Side note to everyone else (Rob knows this) Storing images in a dB
> > has some advantages, but the concept has been beat to death on this
> > list and no need to repeat it -- everything that could be said
> > pro/con has been said -- just review the archives.
>
> I use the db for images sometimes. I don't really care what some people
> think since I've thought it out for myself and like the pros versus the
> cons sometimes. At any rate, your problem appears to be related to
> safe_mode for not putting images outside the web tree. Most likely
> though, you have access to .htaccess and so you could create a locked
> images directory that exists within the web tree but which can't be
> accessed by a browser. This would give you what you need to be within
> the confines of safe mode.
>
> Cheers,
> Rob.
Regardless, I said from your file or db when I gave more of an example. And in
this thread I merely said "display image". Haha?
--- End Message ---
--- Begin Message ---
Guys, I am fairly new to PHP. Here are a few questions, if anybody can
answer it will help me get started. Thanks
I am trying to build a website and I would like to do the following in
my scripts
1. I want to return response to the browser and AFTERWARDS make a log
entry in to a database. I need this so user can experience a fast response.
2. If the database update fails, I want to ignore it (since it is just
log entry). Something like try-catch construct in Java. This is more
important if item1 mentioned above is not possible. Essentially whether
I make a database entry or not, I must return a valid response to user.
3. Is there something like connection pool in php? Do usually people
open/close database connection for every request (I doubt that, it
sounds really slow).
Some code samples or pointers to documentation for the above would also
be very helpful.
Thanks
Ravi
--- End Message ---
--- Begin Message ---
Ravi wrote:
> Guys, I am fairly new to PHP. Here are a few questions, if anybody can
> answer it will help me get started. Thanks
> I am trying to build a website and I would like to do the following in
> my scripts
> 1. I want to return response to the browser and AFTERWARDS make a log
> entry in to a database. I need this so user can experience a fast response.
There is no "before and after". Everything you do happens during (part
of) the response. But you can just output your data, whatever it may be,
flush() it and then log it via the same script. Your user won't notice a
thing (Hell, even without the flush your user won't notice it probably).
> 2. If the database update fails, I want to ignore it (since it is just
> log entry). Something like try-catch construct in Java. This is more
> important if item1 mentioned above is not possible. Essentially whether
> I make a database entry or not, I must return a valid response to user.
So ignore it :) If you don't check for errors, you won't see them...
Makes debugging very annoying, but you won't see em nevertheless. If
your output is not based on anything from your database-update, then
there apparently is no need to worry about it.
> 3. Is there something like connection pool in php? Do usually people
> open/close database connection for every request (I doubt that, it
> sounds really slow).
There is something like that, the persistent connections (ie. via
mysql_pconnect), but generally people DO open/close connections via the
same script each and every time the script is executed (this might sound
very slow, but it's actually not too bad). Using persistent connections
is not always the best option (and usually doesn't even make much
sense); there's a good bit of documentation about it in the php docs:
http://www.php.net/manual/en/features.persistent-connections.php
> Some code samples or pointers to documentation for the above would also
> be very helpful.
code samples of what exactly ?
> Thanks
> Ravi
--- End Message ---
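One way to do what the exchange above describes (send the response, flush it, then write the log row and carry on if that fails), as an added example that is not code from the thread. The access_log table and the in-memory SQLite DSN are assumptions chosen so the script runs without a database server; unlike "just ignore it", the failure is hidden from the user but still written to the PHP error log.

```php
<?php
// Added example: respond first, then write a best-effort log row.
declare(strict_types=1);

/** Insert one access-log row; never throws, returns whether it was stored. */
function logRequest(string $dsn, string $uri): bool
{
    try {
        $db = new PDO($dsn, null, null, [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_TIMEOUT => 2, // a slow database must not hold the worker
        ]);
        // Demo only: the in-memory database starts empty on every request.
        $db->exec('CREATE TABLE IF NOT EXISTS access_log (at TEXT, uri TEXT)');
        $stmt = $db->prepare('INSERT INTO access_log (at, uri) VALUES (:at, :uri)');
        $stmt->execute([':at' => gmdate('c'), ':uri' => $uri]);
        return true;
    } catch (PDOException $e) {
        // Invisible to the user, but still visible to whoever runs the site.
        error_log('access_log insert failed: ' . $e->getMessage());
        return false;
    }
}

echo "<p>Hello</p>\n";

// Push the response out before doing the slow part.
while (ob_get_level() > 0) {
    ob_end_flush();
}
if (function_exists('fastcgi_finish_request')) {
    fastcgi_finish_request(); // PHP-FPM: closes the connection to the client
} else {
    flush();
}

logRequest('sqlite::memory:', $_SERVER['REQUEST_URI'] ?? '/');
```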