php-general Digest 23 Jun 2009 08:13:02 -0000 Issue 6190

Topics (messages 294417 through 294427):

Why does simpleXML give me nested objects for blank tags?
        294417 by: Daevid Vincent
        294418 by: Nathan Nobbe

Re: XSS Preventing.
        294419 by: Shawn McKenzie
        294420 by: Caner BULUT
        294422 by: Shawn McKenzie
        294423 by: Caner BULUT
        294424 by: Michael A. Peters

Re: Problems with APC, possible cache-corruption?
        294421 by: Nathan Nobbe
        294425 by: James McLean

I've some doubts if I should go with 5.2 or go already with 5.3 (for a course)
        294426 by: Manuel Aude
        294427 by: Per Jessen

Administrivia:

To subscribe to the digest, e-mail:
        [email protected]

To unsubscribe from the digest, e-mail:
        [email protected]

To post to the list, e-mail:
        [email protected]


----------------------------------------------------------------------
--- Begin Message ---
Repost as I got zero replies. Does anyone know why this is? Seems like a bug
to me, or at least should be documented as such whacky behavior. Are there
any solutions to this or work-arounds?

-----Original Message-----
From: Daevid Vincent [mailto:[email protected]] 
Sent: Thursday, June 18, 2009 6:04 PM

I'm trying to use
http://us2.php.net/manual/en/function.simplexml-load-string.php
 
$xml_url = file_get_contents('http://myserver/cgi-bin/foo.cgi?request=c901c906e4d06a0');
try
{
 // The LIBXML_* options are bit flags: combine them with | (bitwise OR).
 // Combining them with & yields 0, i.e. no options at all.
 $xml = simplexml_load_string($xml_url, 'SimpleXMLElement',
                              LIBXML_NOBLANKS | LIBXML_COMPACT | LIBXML_NOEMPTYTAG);
 if ($xml === false) {
     // malformed XML makes simplexml_load_string() return false; it does not throw
     echo "bad xml";
 } else {
     print_r($xml);
 }
}
catch (Exception $e)
{
 echo "bad xml";
}
 
If I have this XML file (note the tags I marked with --> below):
 
<issue>
        <crstatus>i_field_submitted</crstatus>
        <problem_number>151827</problem_number>
        <problem_synopsis_field>title</problem_synopsis_field>
        <problem_description_field>description2</problem_description_field>
        <fi_priority>High</fi_priority>
-->     <assignee/>
        <create_time>5/12/2009 22:53:10</create_time>
-->     <fi_notes_oem/>
        <fi_sw_part_name>sw_part_name</fi_sw_part_name>
        <fi_general_reference>general_reference</fi_general_reference>
        <fi_sw_part_number>sw_part_num</fi_sw_part_number>
        <fi_customer_ecd_date>1244703600</fi_customer_ecd_date>
        <fi_sw_part_version>sw_part_version</fi_sw_part_version>
        <fi_required_date>1243839600</fi_required_date>
-->     <ac_type/>
</issue>
 
Why does it give me sub-objects and not just empty strings for tags that
have no values as I'd expect??!
I tried all those options above and none of them make a difference.

SimpleXMLElement Object
(
    [crstatus] => i_field_submitted
    [problem_number] => 151827
    [problem_synopsis_field] => title
    [problem_description_field] => description2
    [fi_priority] => High
--> [assignee] => SimpleXMLElement Object
        (

        )

--> [fi_notes_oem] => SimpleXMLElement Object
        (

        )

    [fi_sw_part_name] => sw_part_name
    [fi_general_reference] => general_reference
    [fi_sw_part_number] => sw_part_num
    [fi_customer_ecd_date] => 1244703600
    [fi_sw_part_version] => sw_part_version
    [fi_required_date] => 1243839600
--> [ac_type] => SimpleXMLElement Object
        (

        )

)


--- End Message ---
--- Begin Message ---
On Mon, Jun 22, 2009 at 2:13 PM, Daevid Vincent <[email protected]> wrote:

> Repost as I got zero replies. Does anyone know why this is? Seems like a
> bug
> to me, or at least should be documented as such whacky behavior. Are there
> any solutions to this or work-arounds?
>
> -----Original Message-----
> From: Daevid Vincent [mailto:[email protected]]
> Sent: Thursday, June 18, 2009 6:04 PM
>
> I'm trying to use
> http://us2.php.net/manual/en/function.simplexml-load-string.php
>
> $xml_url = file_get_contents('http://myserver/cgi-bin/foo.cgi?request=c901c906e4d06a0');
> try
> {
>  // The LIBXML_* options are bit flags: combine them with | (bitwise OR).
>  // Combining them with & yields 0, i.e. no options at all.
>  $xml = simplexml_load_string($xml_url, 'SimpleXMLElement',
>                               LIBXML_NOBLANKS | LIBXML_COMPACT | LIBXML_NOEMPTYTAG);
>  if ($xml === false) {
>      // malformed XML makes simplexml_load_string() return false; it does not throw
>      echo "bad xml";
>  } else {
>      print_r($xml);
>  }
> }
> catch (Exception $e)
> {
>  echo "bad xml";
> }
>
> If I have this XML file (note the tags I marked with --> below):
>
> <issue>
>        <crstatus>i_field_submitted</crstatus>
>        <problem_number>151827</problem_number>
>        <problem_synopsis_field>title</problem_synopsis_field>
>        <problem_description_field>description2</problem_description_field>
>        <fi_priority>High</fi_priority>
> -->     <assignee/>
>        <create_time>5/12/2009 22:53:10</create_time>
> -->     <fi_notes_oem/>
>        <fi_sw_part_name>sw_part_name</fi_sw_part_name>
>        <fi_general_reference>general_reference</fi_general_reference>
>        <fi_sw_part_number>sw_part_num</fi_sw_part_number>
>        <fi_customer_ecd_date>1244703600</fi_customer_ecd_date>
>        <fi_sw_part_version>sw_part_version</fi_sw_part_version>
>        <fi_required_date>1243839600</fi_required_date>
> -->     <ac_type/>
> </issue>
>
> Why does it give me sub-objects and not just empty strings for tags that
> have no values as I'd expect??!


first off, why does it matter?

second, i don't think it's a bug, that's just how it works:

php > $a = simplexml_load_string('<blah/>');
php > var_dump($a);
object(SimpleXMLElement)#1 (0) {
}


> I tried all those options above and none of them make a difference.
>
> SimpleXMLElement Object
> (
>    [crstatus] => i_field_submitted
>    [problem_number] => 151827
>    [problem_synopsis_field] => title
>    [problem_description_field] => description2
>    [fi_priority] => High
> --> [assignee] => SimpleXMLElement Object
>        (
>
>        )
>
> --> [fi_notes_oem] => SimpleXMLElement Object
>        (
>
>        )
>
>    [fi_sw_part_name] => sw_part_name
>    [fi_general_reference] => general_reference
>    [fi_sw_part_number] => sw_part_num
>    [fi_customer_ecd_date] => 1244703600
>    [fi_sw_part_version] => sw_part_version
>    [fi_required_date] => 1243839600
> --> [ac_type] => SimpleXMLElement Object
>        (
>
>        )
>
> )


third, the documentation says var_dump() / print_r() are not supported, so i
wouldn't put much stock in the dump of the object above.

from the manual:
http://us2.php.net/manual/en/function.simplexml-element-attributes.php

"*Note*: SimpleXML has made a rule of adding iterative properties to most
methods. They cannot be viewed using var_dump()
<http://us2.php.net/manual/en/function.var-dump.php> or anything else which
can examine objects."

-nathan
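An added example (not code from either post) showing what the dumps above are describing and how to get plain strings out of SimpleXML whether or not an element is empty. The XML is a constructed sample cut down from the `<issue>` document in the question; `simplexml_to_strings()` is a helper written for this example, and it assumes PHP 7 or later.

```php
<?php
// Added example for this thread (not code from the original posts). It shows how
// SimpleXML represents empty elements and one way to flatten an element tree to
// plain strings. The XML below is a constructed sample modelled on the <issue>
// document in the question. Assumes PHP 7.0 or later.
declare(strict_types=1);

$xmlText = <<<'XML'
<issue>
    <crstatus>i_field_submitted</crstatus>
    <problem_number>151827</problem_number>
    <assignee/>
    <fi_notes_oem></fi_notes_oem>
    <ac_type/>
</issue>
XML;

// simplexml_load_string() returns false on malformed input rather than throwing,
// so a try/catch around it catches nothing; check the return value instead.
$xml = simplexml_load_string($xmlText);
if ($xml === false) {
    fwrite(STDERR, "bad xml\n");
    exit(1);
}

// Every child element, empty or not, is a SimpleXMLElement; that is what
// print_r() is showing in the question. The string value only appears on
// casting, and the cast of <assignee/> and of <a></a> is the empty string.
var_dump($xml->assignee instanceof SimpleXMLElement);
var_dump((string) $xml->assignee);
var_dump((string) $xml->crstatus);

// A child with no sub-elements is a leaf; count() on children() tells the two apart.
var_dump(count($xml->children()));
var_dump(count($xml->assignee->children()));

/**
 * Flatten a SimpleXMLElement into an array of strings keyed by element name.
 * Hypothetical helper written for this example. Leaf elements, empty ones
 * included, become strings; elements with children recurse. It assumes child
 * names are unique within a parent, as they are in the <issue> document; a
 * repeated name would overwrite the earlier value.
 */
function simplexml_to_strings(SimpleXMLElement $el): array
{
    $out = [];
    foreach ($el->children() as $name => $child) {
        $out[$name] = count($child->children()) > 0
            ? simplexml_to_strings($child)
            : trim((string) $child);
    }
    return $out;
}

print_r(simplexml_to_strings($xml));
```

Run it with `php` from the command line. The `instanceof` check holds and both casts of the empty element give an empty string: Nathan's `(0) {}` dump and the empty objects in the `print_r` output are the same thing seen two ways, and the cast, not the dump, is where the "empty string" the question expected actually lives.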

--- End Message ---
--- Begin Message ---
Caner BULUT wrote:
> Hi Guys,
> 
> I have a question; if you have any knowledge about this, please let me know.
> 
> I am getting data from a form with the POST method like the following.
> 
> $x = htmlentities($_POST['y']);
> 
> .
> 
> After getting all the form data I save it into the DB; I used
> mysql_real_escape_string.
> 
> I have a page which shows the information that I have saved into the DB. But if I
> don't use html_entity_decode, there will be encoding and charset problems. I
> can't set the htmlentities charset parameter because this function does not
> have Turkish charset support.
> 
> The question is: after saving data into the DB using htmlentities, if I use
> the html_entity_decode function in the information page, is there still an
> XSS risk or not? Does the html_entity_decode function bring back all the risk again?
> 
> Please help.
> 
> Thanks.
> 
> Caner.
> 

Don't htmlentities() before DB save.  In general:

- mysql_real_escape_string() before DB insertion

- htmlentities() before display

-- 
Thanks!
-Shawn
http://www.spidean.com

--- End Message ---
--- Begin Message ---
Thanks for the response.

But if I use it before display, charset problems occur. And
htmlentities does not support the Turkish charset. How can I decode data after
it has passed through htmlentities?

Thanks.

-----Original Message-----
From: Shawn McKenzie [mailto:[email protected]] 
Sent: 22 June 2009 23:27
To: [email protected]
Subject: [PHP] Re: XSS Preventing.

Caner BULUT wrote:
> Hi Guys,
> 
> I have a question; if you have any knowledge about this, please let me know.
> 
> I am getting data from a form with the POST method like the following.
> 
> $x = htmlentities($_POST['y']);
> 
> .
> 
> After getting all the form data I save it into the DB; I used
> mysql_real_escape_string.
> 
> I have a page which shows the information that I have saved into the DB. But if I
> don't use html_entity_decode, there will be encoding and charset problems. I
> can't set the htmlentities charset parameter because this function does not
> have Turkish charset support.
> 
> The question is: after saving data into the DB using htmlentities, if I use
> the html_entity_decode function in the information page, is there still an
> XSS risk or not? Does the html_entity_decode function bring back all the risk again?
> 
> Please help.
> 
> Thanks.
> 
> Caner.
> 

Don't htmlentities() before DB save.  In general:

- mysql_real_escape_string() before DB insertion

- htmlentities() before display

-- 
Thanks!
-Shawn
http://www.spidean.com



--- End Message ---
--- Begin Message ---
Caner BULUT wrote:
> Thanks for the response.
> 
> But if I use it before display, charset problems occur. And
> htmlentities does not support the Turkish charset. How can I decode data after
> it has passed through htmlentities?

I have no idea, I was just saying that if you use it, use it for display
and not for storage.  If you only use it for display, then you don't
need to decode it.  Also, what do you mean it doesn't support the
Turkish charset?  Does it mangle some of the chars?  You are using it so
that you don't get markup <script ....> etc. in your output, so does it
do something bad with the Turkish chars?  Maybe try htmlspecialchars()
as it only converts a few specific chars.


> 
> Thanks.
> 
> -----Original Message-----
> From: Shawn McKenzie [mailto:[email protected]] 
> Sent: 22 June 2009 23:27
> To: [email protected]
> Subject: [PHP] Re: XSS Preventing.
> 
> Caner BULUT wrote:
>> Hi Guys,
>>
>> I have a question; if you have any knowledge about this, please let me know.
>>
>> I am getting data from a form with the POST method like the following.
>>
>> $x = htmlentities($_POST['y']);
>>
>> .
>>
>> After getting all the form data I save it into the DB; I used
>> mysql_real_escape_string.
>>
>> I have a page which shows the information that I have saved into the DB. But if I
>> don't use html_entity_decode, there will be encoding and charset problems. I
>> can't set the htmlentities charset parameter because this function does not
>> have Turkish charset support.
>>
>> The question is: after saving data into the DB using htmlentities, if I use
>> the html_entity_decode function in the information page, is there still an
>> XSS risk or not? Does the html_entity_decode function bring back all the risk again?
>>
>> Please help.
>>
>> Thanks.
>>
>> Caner.
>>
> 
> Don't htmlentities() before DB save.  In general:
> 
> - mysql_real_escape_string() before DB insertion
> 
> - htmlentities() before display
> 

-- 
Thanks!
-Shawn
http://www.spidean.com

--- End Message ---
--- Begin Message ---
Shawn, thanks.

If you are using htmlentities, be aware that it changes the charset to ISO-8859-1. So
this is the problem. For solving this there are some parameters:

htmlentities($str, ENT_QUOTES, 'UTF-8')

But there is no Turkish charset among the supported charsets. You can see the
detailed info at
http://tr.php.net/htmlentities

After using htmlentities I am getting the following:

        
Par&amp;ccedil;an&yacute;n
&amp;ccedil;&yacute;kar&yacute;ld&yacute;&eth;&yacute; /
tak&yacute;laca&eth;&yacute; ara&amp;ccedil; modeli
Par&amp;ccedil;an&yacute;n
&amp;ccedil;&yacute;kar&yacute;ld&yacute;&eth;&yacute; /
tak&yacute;laca&eth;&yacute; ara&amp;ccedil; modeli
Par&amp;ccedil;an&yacute;n
&amp;ccedil;&yacute;kar&yacute;ld&yacute;&eth;&yacute; /
tak&yacute;laca&eth;&yacute; ara&amp;ccedil; modeli
Par&amp;ccedil;an&yacute;n 

After using htmlspecialchars I am getting the following:

        
Par&amp;ccedil;an&yacute;n
&amp;ccedil;&yacute;kar&yacute;ld&yacute;&eth;&yacute; /
tak&yacute;laca&eth;&yacute; ara&amp;ccedil; modeli
Par&amp;ccedil;an&yacute;n
&amp;ccedil;&yacute;kar&yacute;ld&yacute;&eth;&yacute; /
tak&yacute;laca&eth;&yacute; ara&amp;ccedil; modeli
Par&amp;ccedil;an&yacute;n
&amp;ccedil;&yacute;kar&yacute;ld&yacute;&eth;&yacute; /
tak&yacute;laca&eth;&yacute; ara&amp;ccedil; modeli
Par&amp;ccedil;an&yacute;n
&amp;ccedil;&yacute;kar&yacute;ld&yacute;&eth;&yacute; /
tak&yacute;laca&eth;&yacute; ara&amp;ccedil; modeli

I hope I could explain the problem. Thanks


-----Original Message-----
From: Shawn McKenzie [mailto:[email protected]] 
Sent: 23 June 2009 00:01
To: [email protected]
Subject: Re: [PHP] Re: XSS Preventing.

Caner BULUT wrote:
> Thanks for the response.
> 
> But if I use it before display, charset problems occur. And
> htmlentities does not support the Turkish charset. How can I decode data after
> it has passed through htmlentities?

I have no idea, I was just saying that if you use it, use it for display
and not for storage.  If you only use it for display, then you don't
need to decode it.  Also, what do you mean it doesn't support the
Turkish charset?  Does it mangle some of the chars?  You are using it so
that you don't get markup <script ....> etc. in your output, so does it
do something bad with the Turkish chars?  Maybe try htmlspecialchars()
as it only converts a few specific chars.


> 
> Thanks.
> 
> -----Original Message-----
> From: Shawn McKenzie [mailto:[email protected]] 
> Sent: 22 June 2009 23:27
> To: [email protected]
> Subject: [PHP] Re: XSS Preventing.
> 
> Caner BULUT wrote:
>> Hi Guys,
>>
>> I have a question; if you have any knowledge about this, please let me know.
>>
>> I am getting data from a form with the POST method like the following.
>>
>> $x = htmlentities($_POST['y']);
>>
>> .
>>
>> After getting all the form data I save it into the DB; I used
>> mysql_real_escape_string.
>>
>> I have a page which shows the information that I have saved into the DB. But if I
>> don't use html_entity_decode, there will be encoding and charset problems. I
>> can't set the htmlentities charset parameter because this function does not
>> have Turkish charset support.
>>
>> The question is: after saving data into the DB using htmlentities, if I use
>> the html_entity_decode function in the information page, is there still an
>> XSS risk or not? Does the html_entity_decode function bring back all the risk again?
>>
>> Please help.
>>
>> Thanks.
>>
>> Caner.
>>
> 
> Don't htmlentities() before DB save.  In general:
> 
> - mysql_real_escape_string() before DB insertion
> 
> - htmlentities() before display
> 

-- 
Thanks!
-Shawn
http://www.spidean.com



--- End Message ---
--- Begin Message ---
Caner BULUT wrote:
Hi Guys,

I have a question; if you have any knowledge about this, please let me know.

I am getting data from a form with the POST method like the following.

$x = htmlentities($_POST['y']);

.

After getting all the form data I save it into the DB; I used
mysql_real_escape_string.

Don't try to home brew your own.
You'll miss stuff.

Use an input filter class that is developed by and tested by a large number of users.

http://htmlpurifier.org/

is what I recommend.

Also, with respect to mysql_real_escape - if you use prepared statements, escaping isn't an issue.

Personally I recommend a database abstraction layer.
PEAR MDB2 is a good one.
It makes your code portable to other databases as long as you stick to standard SQL (which usually is pretty easy to do).
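An added example, not code from any of the posts in this thread, that puts the three pieces of advice above into one script: Shawn's ordering (nothing HTML-encoded on the way into the database, encoding only at display), Michael's prepared statements, and the charset problem Caner ran into. The `&amp;ccedil;` runs in Caner's output are what you get when text is entity-encoded once before storage and once more at display; the `&yacute;` and `&eth;` where ı and ğ belong are consistent with ISO-8859-9 bytes being read as ISO-8859-1, which an explicit `'UTF-8'` charset argument avoids. The script assumes PHP 7 or later with `pdo_sqlite` available (an in-memory SQLite database stands in for MySQL so it runs offline); the helper name `h()` is hypothetical, and the `mysql_*` functions named in the thread no longer exist in PHP 7, which is one more reason to use PDO.

```php
<?php
// Added example for this thread (not code from the original posts). It applies
// the ordering recommended above: keep the stored value unchanged, let a
// prepared statement separate data from SQL, and escape once, at output, with
// an explicit charset. Uses an in-memory SQLite database (pdo_sqlite) so it runs
// offline; assumes PHP 7.0 or later. The helper name h() is hypothetical.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed sample inputs, UTF-8 encoded: the Turkish phrase from the thread
// and a string carrying markup and quotes of the kind output escaping must neutralise.
$inputs = [
    'Parçanın çıkarıldığı / takılacağı araç modeli',
    'O\'Reilly <script>alert(1)</script> & "quoted"',
];

// 1. Storage: bind the value as a parameter. The text is stored exactly as
//    received; no escaping function runs on the way in.
$insert = $db->prepare('INSERT INTO notes (body) VALUES (:body)');
foreach ($inputs as $body) {
    $insert->execute([':body' => $body]);
}

/**
 * Escape a string for use in HTML text or a quoted attribute value.
 * ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid byte
 * sequences instead of returning an empty string; the explicit 'UTF-8' charset
 * is what keeps ç, ı, ğ and friends untouched, since htmlspecialchars() only
 * rewrites & < > " ' (unlike htmlentities(), which rewrites every character
 * that has a named entity in the chosen charset).
 */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 2. Display: escape once, at the point of output, and tell the browser the
//    encoding so it does not guess (header() is a no-op under the CLI).
header('Content-Type: text/html; charset=UTF-8');
echo "<ul>\n";
foreach ($db->query('SELECT body FROM notes ORDER BY id') as $row) {
    echo '  <li>' . h($row['body']) . "</li>\n";
}
echo "</ul>\n";

// 3. The pattern seen in the thread's output. Encoding before storage and again
//    on display turns the "&" of an already stored "&ccedil;" into "&amp;",
//    giving "Par&amp;ccedil;an..."; the browser then shows the entity name literally.
$storedEncoded = htmlentities($inputs[0], ENT_QUOTES, 'UTF-8');
echo h($storedEncoded), "\n";

// 4. Decoding at display (the html_entity_decode() route asked about) is an
//    exact round trip, so any markup that was encoded on the way in is back
//    in the output unescaped; it only looks like a fix.
$roundTrip = html_entity_decode(htmlentities($inputs[1], ENT_QUOTES, 'UTF-8'), ENT_QUOTES, 'UTF-8');
var_dump($roundTrip === $inputs[1]);
```

Run it with `php` on the command line: the list items come out with the Turkish characters intact and the `<script>` text rendered inert, the double-encoded line reproduces the `&amp;ccedil;` pattern from the thread, and the final `var_dump` shows that decode-on-display hands the original markup straight back.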
--- End Message ---
--- Begin Message ---
On Sun, Jun 21, 2009 at 6:17 PM, James McLean <[email protected]> wrote:

> On Mon, Jun 22, 2009 at 9:40 AM, Nathan Nobbe<[email protected]>
> wrote:
> > On Sun, Jun 21, 2009 at 5:56 PM, James McLean <[email protected]>
> > wrote:
> > did you take a look at the size of the cache you created ?
>
> Yes. Tried multiple segments and single, with cache size values
> between 128mb and 256mb. Also tried with stat on and off.
>
> > also, aren't you planning to cache php opcodes, so if you load up the
> > page, index.html, i would expect to see a bunch of php files mentioned
> > in the apc cache..
>
> Well, index.html wouldn't be cached because it's not parsed by the PHP
> engine. But yes, if it were index.php for example each compiled PHP
> file is then cached in the opcode cache - include files and
> everything. This is how it works on every other APC installation i've
> tried :)
>
> This installation is not doing that, even though this is the default
> behaviour.
>
> > if apc has support for output caching, i've not yet used it so i'm not sure
> > how much i could help there (sort of sounds like you're shooting for output
> > caching the way you describe things above).
>
> No, i'm not looking for output caching. Apologies if my original email
> was poorly worded.
>
> > maybe you  could dump out your ini settings for apc and share them here?
>
> No need. They're all default as recommended by PHP and APC.


hmm, 2 other thoughts i have..

. long shot, but do you have apc.php installed on a diff domain than the
moodle app? (not sure, but i suspect apc.php only shows cached values for the
domain in which it's currently running; i know this is something eaccelerator
does.)

. as a test, perhaps set up a simple test site, w/ 2 files, apc.php and one
index.php file on this rhel box.  if things are working (index.php cached w/
apc.php), it would seem something goofy is going on inside the moodle app.

-nathan

--- End Message ---
--- Begin Message ---
On Tue, Jun 23, 2009 at 6:17 AM, Nathan Nobbe <[email protected]> wrote:
> hmm, 2 other thoughts i have..
>
> . long shot, but do you have apc.php installed on a diff domain than the
> moodle app? (not sure, but i suspect apc.php only shows cached values for the
> domain in which it's currently running; i know this is something eaccelerator
> does.)

No. Same domain.

> . as a test, perhaps set up a simple test site, w/ 2 files, apc.php and one
> index.php file on this rhel box.  if things are working (index.php cached w/
> apc.php), it would seem something goofy is going on inside the moodle app.

The RHEL box works flawlessly, as has almost every other APC install
I've ever done. I simply used it as an example that Moodle likely
wasn't at fault, and I have since further proved this by grepping the
source - it isn't setting any of its own APC filters as suggested
before.

On the APC install that is not working correctly, when I switch
between my info.php and apc.php files - the counter on the cached file
(apc.php) resets, and info.php is not cached. That was all outlined in
the original email.

I guess this is not a common issue; no one seems to have experienced it before.

Cheers

--- End Message ---
--- Begin Message ---
I'm giving a PHP course next semester (3 hours every Saturday for 22 weeks)
and I just realized that PHP 5.3 is coming very soon (2 days now!). So, my
plans of teaching PHP 5.2 are starting to change, and I think it's a good
idea to teach them 5.3 already.

While the majority of the students use Windows, I'm aware that a vast number
will be using Ubuntu/Debian (and some use Gentoo, Fedora and Arch)
distributions of Linux, so I'm hoping there won't be too many problems with
installation. I don't want to waste the entire first class fixing
installation problems, because that kills the students' motivation.

The course starts in August, but I'm preparing it during the last two weeks
of July. Do you think that installation packages will be bulletproof by then?
Or should I just teach 5.2 and wait for another semester before starting on
5.3? I mean, most hosts will remain with PHP 5.2 for the rest of the year,
so I'm a bit confused about what I should do.

I'm just a university student that wants to spread PHP, for I've been using
it for many years now =)

Thanks for the advice,
Mamsaac

--- End Message ---
--- Begin Message ---
Manuel Aude wrote:

> I'm giving a PHP course next semester (3 hours every Saturday for 22
> weeks) and I just realized that PHP 5.3 is coming very soon (2 days
> now!). So, my plans of teaching PHP 5.2 are starting to change, and I
> think it's a good idea to teach them 5.3 already.

Does it _really_ matter which one?  I can't imagine there are that many
revolutionary changes in a dot-release.


/Per

-- 
Per Jessen, Zürich (12.2°C)


--- End Message ---
