php-general Digest 17 Aug 2009 17:52:21 -0000 Issue 6290

Topics (messages 296866 through 296891):

Re: <link> to a css file requires .css ???
        296866 by: Devendra Jadhav
        296871 by: kranthi

is there a better way to know from which php file the request comes from ??
        296867 by: nashrul
        296868 by: Ashley Sheridan
        296870 by: kranthi
        296889 by: Ralph Deffke

Re: running str_replace, it misbehaves!
        296869 by: Ford, Mike

Re: Another date exercise
        296872 by: kranthi
        296881 by: tedd
        296884 by: tedd
        296885 by: Luke
        296886 by: tedd
        296887 by: Luke
        296888 by: Luke
        296890 by: Shawn McKenzie

Re: Cannot exec in my own directory
        296873 by: kranthi
        296874 by: Dotan Cohen
        296875 by: kranthi
        296876 by: Ashley Sheridan
        296877 by: Dotan Cohen
        296878 by: Dotan Cohen
        296879 by: Ashley Sheridan
        296880 by: Dotan Cohen
        296882 by: kranthi
        296883 by: Ashley Sheridan

Re: Sanitizing mysql inserts of user data
        296891 by: Ben Dunlap

Administrivia:

To subscribe to the digest, e-mail:
        php-general-digest-subscr...@lists.php.net

To unsubscribe from the digest, e-mail:
        php-general-digest-unsubscr...@lists.php.net

To post to the list, e-mail:
        php-gene...@lists.php.net


----------------------------------------------------------------------
--- Begin Message ---
Just use the following .htaccess rewrite rule:
RewriteRule ^some.css$ some.php
and this is the perfect solution.


On Mon, Aug 17, 2009 at 3:14 AM, Adam Shannon <a...@ashannon.us> wrote:

> On Sun, Aug 16, 2009 at 4:37 PM, Daniel Kolbo <kolb0...@umn.edu> wrote:
>
> > Hello,
> >
> > I realize this is more of an html question than a php, but I was hoping
> > someone here would know what's going on.
> >
> > I am linking to a stylesheet and it is requiring me to use *.css
> > extension. I want to use a .php extension (and have the php engine
> > generate css). However, whenever i use a .php extension the link tag
> > does not seem to work.
> >
> > This works!
> > <link rel="stylesheet" type="text/css"
> > href="http://localhost:8080/some.css"; />
> >
> > This doesn't work but I don't understand why not???
> > <link rel="stylesheet" type="text/css"
> > href="http://localhost:8080/some.php"; />
> >
> > The page http://localhost:8080/some.php displays the css exactly the
> > same as http://localhost:8080/some.css
> >
> > Why can't I link to a css file by using a different extension?
> >
> > Thanks in advance,
> > dK
> > `
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
> Oh, I think it's part of the spec. You could always use .htaccess rules to
> parse .css files as .php, this will keep search engines happy and browsers
> happy as well.
>
> --
> - Adam Shannon ( http://ashannon.us )
>



-- 
Devendra Jadhav

--- End Message ---
--- Begin Message ---
A browser will always parse the <link ..> tag regardless of the
extension. The only condition is that the file should provide a MIME
type of 'text/css' for CSS files.

https://developer.mozilla.org/en/Incorrect_MIME_Type_for_CSS_Files

--- End Message ---
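The point made in this reply, as an added example that is not code from the thread or from either poster: a some.php that emits a stylesheet with the right Content-Type header. The ?theme= query parameter, the THEMES table and the function names are this example's own assumptions.

```php
<?php
// Added example, not code from the thread: some.php serving a stylesheet that PHP
// generates. A <link rel="stylesheet"> works with any file extension as long as the
// response carries Content-Type: text/css, which the header() call below supplies.
// The ?theme= query parameter and the THEMES table are this example's own assumptions.

declare(strict_types=1);

// Constructed theme table; only these names are accepted from the request.
const THEMES = [
    'light' => ['fg' => '#222222', 'bg' => '#ffffff'],
    'dark'  => ['fg' => '#eeeeee', 'bg' => '#111111'],
];

/** Pick a theme by name; anything not in the allowlist falls back to 'light'. */
function select_theme(?string $name): array
{
    // Request input is used only as a lookup key, never copied into the output.
    return THEMES[$name ?? ''] ?? THEMES['light'];
}

/** Render the stylesheet. Every value comes from THEMES, not from the request. */
function render_css(array $theme): string
{
    return "body { color: {$theme['fg']}; background: {$theme['bg']}; }\n";
}

// ?theme[]=x would arrive as an array; treat anything that is not a string as absent.
$requested = $_GET['theme'] ?? null;
$theme = select_theme(is_string($requested) ? $requested : null);

if (PHP_SAPI !== 'cli') {
    // The media type is what makes the browser apply the stylesheet, not the extension.
    header('Content-Type: text/css; charset=utf-8');
    header('Cache-Control: public, max-age=3600');
} else {
    // Under the CLI, $_GET is empty; take the theme name from the command line instead.
    $theme = select_theme($argv[1] ?? null);
}
echo render_css($theme);
```

Linked as `<link rel="stylesheet" type="text/css" href="/some.php?theme=dark" />` this needs no rewrite rule at all; the allowlist lookup is there because a value taken from the URL should never be pasted into the generated CSS.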
--- Begin Message ---
This is a newbie question...
Let's say there are 3 php files, page1.php, page2.php and page3.php. Form
submission from page1.php or page2.php will take user to page3.php.
I know that we can use a parameter that is appended in the action attribute of
the form (e.g. <FORM METHOD=POST ACTION="tes.php?var1=val1">)
But I think appending this parameter is transparent to the user, since it's
visible in the url.
And I think we can also use the hidden field or (form name ??.).
So which one is most secure and better?
Thanks..
-- 
View this message in context: 
http://www.nabble.com/is-there-a-better-way-to-know-from-which-php-file-the-request-comes-from----tp25003587p25003587.html
Sent from the PHP - General mailing list archive at Nabble.com.


--- End Message ---
--- Begin Message ---
On Mon, 2009-08-17 at 02:17 -0700, nashrul wrote:
> This is a newbie question...
> Let's say there are 3 php files, page1.php, page2.php and page3.php. Form
> submission from page1.php or page2.php will take user to page3.php.
> I know that we can use a parameter that is appended in the action attribute of
> the form (e.g. <FORM METHOD=POST ACTION="tes.php?var1=val1">)
> But I think appending this parameter is transparent to the user, since it's
> visible in the url.
> And I think we can also use the hidden field or (form name ??.).
> So which one is most secure and better?
> Thanks..
> -- 
> View this message in context: 
> http://www.nabble.com/is-there-a-better-way-to-know-from-which-php-file-the-request-comes-from----tp25003587p25003587.html
> Sent from the PHP - General mailing list archive at Nabble.com.
> 
> 
Neither GET nor POST is more secure, it's just that POST requires a tiny
bit more work to see what's being sent. You can use the
$_SERVER['HTTP_REFERER'] variable to detect where a request has come
from. The documentation for this particular variable mentions that it
can't be trusted, as it can be changed by the client browser, but then,
so can hidden form fields, etc. Personally, I'd go with the HTTP_REFERER
route, because it is completely transparent, and the majority of users
aren't going to bother changing it.

Thanks,
Ash
http://www.ashleysheridan.co.uk


--- End Message ---
--- Begin Message ---
HTTP_REFERER is transparent, but it can be messed with very easily. I
prefer to use $_SESSION vars if security is needed in my application
(especially when a page is shown after a POST request)

--- End Message ---
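The session-based approach suggested here, as an added example that is not code from the thread: page1.php and page2.php record in the server-side session which of them rendered the form, and page3.php reads that record instead of trusting the Referer header, a hidden field or a query-string value. The page names, the 'form_origin' session key and the function names are this example's own assumptions.

```php
<?php
// Added example, not code from the thread: page1.php / page2.php record which of them
// rendered the form in the server-side session, and page3.php reads that record
// instead of trusting the Referer header, a hidden field or a query-string value,
// all of which the client controls. The page names, the 'form_origin' session key
// and the function names are this example's own assumptions.

declare(strict_types=1);

const KNOWN_ORIGINS = ['page1.php', 'page2.php'];

/** Called by page1.php or page2.php just before they output their form. */
function record_form_origin(array &$session, string $page): void
{
    if (!in_array($page, KNOWN_ORIGINS, true)) {
        throw new InvalidArgumentException("unknown origin page: $page");
    }
    $session['form_origin'] = $page;
}

/**
 * Called by page3.php when the POST arrives. Returns the originating page, or null
 * when the session holds no record (direct request, expired session, or a form we
 * never rendered). The record is consumed, so one rendered form yields at most one
 * accepted submission.
 */
function consume_form_origin(array &$session): ?string
{
    $origin = $session['form_origin'] ?? null;
    unset($session['form_origin']);
    return in_array($origin, KNOWN_ORIGINS, true) ? $origin : null;
}

/** The Referer header is advisory only: fine for a log line, never for a decision. */
function referer_hint(array $server): string
{
    return $server['HTTP_REFERER'] ?? '(no Referer header sent)';
}

// Stand-alone run with an in-memory array standing in for $_SESSION. In the real
// pages call session_start() first and pass $_SESSION itself to these functions.
if (PHP_SAPI === 'cli') {
    $session = [];
    record_form_origin($session, 'page2.php');              // page2.php renders its form
    var_dump(consume_form_origin($session));               // page3.php handles the POST
    var_dump(consume_form_origin($session));               // the same POST replayed
    echo referer_hint(['HTTP_REFERER' => 'http://example.test/page2.php']), "\n";
}
```

The first consume_form_origin() call returns "page2.php" and the second returns null, because the record is removed once it has been used; a request that arrives with no record is treated as not having come from either form, whatever its Referer says.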
--- Begin Message ---
If you need a solution to know where the request comes from on a certain
secure level you can use cookies.

You might also have run into pages on the web giving you hard-to-read images you
have to type into a form field. Together with cookies this design tells you
1000% where the form data come from.

It depends what security level you want to implement.

regards
ralph_def...@yahoo.de


"nashrul" <anas_a...@yahoo.com> wrote in message
news:25003587.p...@talk.nabble.com...
>
> This is a newbie question...
> Let's say there are 3 php files, page1.php, page2.php and page3.php. Form
> submission from page1.php or page2.php will take user to page3.php.
> I know that we can use a parameter that is appended in the action attribute of
> the form (e.g. <FORM METHOD=POST ACTION="tes.php?var1=val1">)
> But I think appending this parameter is transparent to the user, since it's
> visible in the url.
> And I think we can also use the hidden field or (form name ??.).
> So which one is most secure and better?
> Thanks..
> --
> View this message in context:
> http://www.nabble.com/is-there-a-better-way-to-know-from-which-php-file-the-request-comes-from----tp25003587p25003587.html
> Sent from the PHP - General mailing list archive at Nabble.com.
>



--- End Message ---
--- Begin Message ---
> -----Original Message-----
> From: Allen McCabe [mailto:allenmcc...@gmail.com]
> Sent: 16 August 2009 22:07

[...]
 
> Here is an example of my code:
> 
> [code]
> 
> <?php
> //ENCRYPT FUNCTIONS
> function format_string($string,$functions)
> { $funcs = explode(",",$functions);
>     foreach ($funcs as $func)
>     {
>         if (function_exists($func)) $string = $func($string);
>     }
>     return $string;
> }
> function enc_string($string)
> {  $search =
> array("a","b","c","d","e","f","g","h","i",".........."); //62
> values
>  $replace = array("j9","k8","q7","v6","..........."); //62 values
>  $string = str_replace($search, $replace, $string);
>  $search2 =
> array("9k","8q","7v","6w","5x","4y","3z","2j","................");
> // 126
> values
>  $string = str_replace($search2, $replace2, $string);
>  return $string;
> }

When you feed array search and replace values to str_replace, it runs them in 
sequence, not in parallel.

As you haven't given us a full input alphabet above (and, incidentally, you've 
left out the value of $replace2!), I can't give an example using your encoding, 
so let's just take, for example:
 
    $string = 'word';

and feed it through

    str_replace(array('d','o','r','w'), array('w9', 'r8', 'o7', 'd6'), $string);

This proceeds as follows:

d -> w9 = worw9
o -> r8 = wr8rw9
r -> o7 = wo78o7w9    // Note how TWO r->o7 replaces were made here!
w -> d6 = d6o78o7d69  // and similarly w->d6 twice!

I think this gives you a clue as to what is happening -- the same effect will 
occur on your second str_replace, as well, giving you your apparent "multiple 
encode" problem. If you must do this kind of translation, then you need a 
function that doesn't have this re-replace effect, such as strtr() 
http://php.net/strtr.

But, I have to wonder, why aren't you just using one of the encoding functions 
readily available in PHP, such as md5() or sha1(), or hash()?


Cheers!

Mike
 -- 
Mike Ford,
Electronic Information Developer, Libraries and Learning Innovation,  
Leeds Metropolitan University, C507, Civic Quarter Campus, 
Woodhouse Lane, LEEDS,  LS1 3HE,  United Kingdom 
Email: m.f...@leedsmet.ac.uk 
Tel: +44 113 812 4730




To view the terms under which this email is distributed, please go to 
http://disclaimer.leedsmet.ac.uk/email.htm

--- End Message ---
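Mike's trace and his strtr() suggestion side by side, as an added example that is not code from the thread or from Allen's encoder. The four-entry substitution table is constructed for illustration, as Mike's was; the function names are this example's own.

```php
<?php
// Added example, not code from the thread: Mike's 'word' input pushed through
// str_replace() with search/replace arrays (one pass per pair, each pass seeing the
// previous pass's output) and through strtr() with an array (a single left-to-right
// pass that never re-scans text it has already replaced). The four-entry table is
// constructed for illustration, like Mike's.

declare(strict_types=1);

const FORWARD = ['d' => 'w9', 'o' => 'r8', 'r' => 'o7', 'w' => 'd6'];

/** str_replace() applies each pair to the result of the previous pair. */
function sequential_replace(string $s): string
{
    return str_replace(array_keys(FORWARD), array_values(FORWARD), $s);
}

/** strtr() with an array matches the longest key at each position and moves on. */
function single_pass_replace(string $s): string
{
    return strtr($s, FORWARD);
}

/** Because strtr() never re-replaces, flipping the table undoes the substitution. */
function single_pass_undo(string $s): string
{
    return strtr($s, array_flip(FORWARD));
}

$in = 'word';
$enc = single_pass_replace($in);
printf("str_replace: %s -> %s\n", $in, sequential_replace($in));
printf("strtr:       %s -> %s\n", $in, $enc);
printf("strtr undo:  %s -> %s\n", $enc, single_pass_undo($enc));
```

The first line reproduces the d6o78o7d69 of Mike's trace; the strtr() line gives d6r8o7w9, one substitution per input character, and the last line gets word back. A second str_replace() pass over the first's output, as in the original code, compounds the effect, which is the "multiple encode" the thread describes.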
--- Begin Message ---
dont you think http://in3.php.net/strtotime is a solution to your problem ?

--- End Message ---
--- Begin Message ---
At 3:40 PM +0530 8/17/09, kranthi wrote:
dont you think http://in3.php.net/strtotime is a solution to your problem ?

No, it's not a solution to my problem -- I have the problem solved.

I was just asking if anyone wanted to submit their php solution. It was only an exercise.

I know there are numerous javascript solutions (some good, some bad), but ALL of their data has to be accepted and scrubbed by a php script anyway, so I was suggesting creating a php script to do it.

If it's not a good exercise, then don't do it.

Cheers,

tedd

--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--- End Message ---
--- Begin Message ---
At 4:22 PM -0400 8/16/09, Paul M Foster wrote:
On Sun, Aug 16, 2009 at 08:36:17AM +0100, Lester Caine wrote:
-snip-
 > But as has been said, the real solution is a date picker.

I *hate* date pickers. They slow down input. I can type 082309<Enter>
faster than I can ever do it with a date picker. The date class knows
I'm in America and since it's a six-digit date, it must be mmddyy. (Yes,
for those of you *not* in America, I agree our dates are goofy. I think
we all ought to be on the metric system, too, but America and the UK seem
intent on sticking to Imperial measure.)

Paul


Paul:

Yes, that's part of the problem. I was suggesting an exercise where people could put their collective heads together and create a php solution.

I realize that US has DD, MM, YYYY and the Euros have YYYY, MM, DD and others have other things (i.e., Year of the York).

Not addressing the "other things" -- to me, if one uses a character for a month, then there's no problem in deciphering any entry regardless of format.

For example, 2009 Aug 23, or Aug 23 2009, or Aug 2009 23, or 23 2009 Aug, -- they could all be entered in whatever order you want and deciphered correctly. The rules of course are:

Year must be in thousands -- 1000-5000.
Month must be a character -- D for December, May for May, Jun for June and so on.
Day must be in ones or tens -- 1 or 09, or 31.

It's certainly not a problem to write such code, I only suggested the exercise to get people to expound on the problems they encountered. Instead, I received "use javascript". Okay... but that's not a php solution, right?

Cheers,

tedd

--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--- End Message ---
--- Begin Message ---
2009/8/17 tedd <tedd.sperl...@gmail.com>

> At 4:22 PM -0400 8/16/09, Paul M Foster wrote:
>
>> On Sun, Aug 16, 2009 at 08:36:17AM +0100, Lester Caine wrote:
>> -snip-
>>  > But as has been said, the real solution is a date picker.
>>
>> I *hate* date pickers. They slow down input. I can type 082309<Enter>
>> faster than I can ever do it with a date picker. The date class knows
>> I'm in America and since it's a six-digit date, it must be mmddyy. (Yes,
>> for those of you *not* in America, I agree our dates are goofy. I think
>> we all ought to be on the metric system, too, but America and the UK seem
>> intent on sticking to Imperial measure.)
>>
>> Paul
>>
>
>
> Paul:
>
> Yes, that's part of the problem. I was suggesting an exercise where people
> could put their collective heads together and create a php solution.
>
> I realize that US has DD, MM, YYYY and the Euros have YYYY, MM, DD and
> others have other things (i.e., Year of the York).
>
> Not addressing the "other things" -- to me, if one uses a character for a
> month, then there's no problem in deciphering any entry regardless of
> format.
>
> For example, 2009 Aug 23, or Aug 23 2009, or Aug 2009 23, or 23 2009 Aug,
> -- they could all be entered in whatever order you want and deciphered
> correctly. The rules of course are:
>
> Year must be in thousands -- 1000-5000.
> Month must be a character -- D for December, May for May, Jun for June and
> so on.
> Day must be in ones or tens -- 1 or 09, or 31.
>
> It's certainly not a problem to write such code, I only suggested the
> exercise to get people to expound on the problems they encountered. Instead,
> I received "use javascript". Okay... but that's not a php solution, right?
>
> Cheers,
>
> tedd
>
> --
> -------
> http://sperling.com  http://ancientstones.com  http://earthstones.com
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
What would be really cool is if someone wrote a PHP script that generates
some Javascript code that could do this.

I mean while we're on the subject of complicating things ;)

-- 
Luke Slater
:O)

this text is protected by international copyright. it is illegal for
anybody apart from the recipient to keep a copy of this text.
this text is protected by international copyright. everyone other than
the recipient is prohibited from keeping a copy of this text.

--- End Message ---
--- Begin Message ---
At 4:10 PM +0100 8/17/09, Luke wrote:
What would be really cool is if someone wrote a PHP script that generates some Javascript code that could do this.

I mean while we're on the subject of complicating things ;)

--
Luke Slater
:O)

While writing/creating javascript from php can be done, that's not the problem.

The problem is that the data provided from a javascript program that cannot be trusted. All data taken from javascript routines must be sanitized.

So if you want to talk about complicating things, start accepting data from javascript routines without sanitizing and see how that works out for you.

Cheers,

tedd

--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--- End Message ---
--- Begin Message ---
2009/8/17 tedd <tedd.sperl...@gmail.com>

> At 4:10 PM +0100 8/17/09, Luke wrote:
>
>> What would be really cool is if someone wrote a PHP script that generates
>> some Javascript code that could do this.
>>
>> I mean while we're on the subject of complicating things ;)
>>
>> --
>> Luke Slater
>> :O)
>>
>
> While writing/creating javascript from php can be done, that's not the
> problem.
>
> The problem is that the data provided from a javascript program that cannot
> be trusted. All data taken from javascript routines must be sanitized.
>
> So if you want to talk about complicating things, start accepting data from
> javascript routines without sanitizing and see how that works out for you.
>
>
> Cheers,
>
> tedd
>
> --
> -------
> http://sperling.com  http://ancientstones.com  http://earthstones.com
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
I didn't say anything about accepting unsanitized data now did I?

-- 
Luke Slater
:O)


--- End Message ---
--- Begin Message ---
2009/8/17 Luke <l...@blog-thing.com>

>
>
> 2009/8/17 tedd <tedd.sperl...@gmail.com>
>
>> At 4:10 PM +0100 8/17/09, Luke wrote:
>>
>>  What would be really cool is if someone wrote a PHP script that generates
>>> some Javascript code that could do this.
>>>
>>> I mean while we're on the subject of complicating things ;)
>>>
>>> --
>>> Luke Slater
>>> :O)
>>>
>>
>> While writing/creating javascript from php can be done, that's not the
>> problem.
>>
>> The problem is that the data provided from a javascript program that
>> cannot be trusted. All data taken from javascript routines must be
>> sanitized.
>>
>> So if you want to talk about complicating things, start accepting data
>> from javascript routines without sanitizing and see how that works out for
>> you.
>>
>>
>> Cheers,
>>
>> tedd
>>
>> --
>> -------
>> http://sperling.com  http://ancientstones.com  http://earthstones.com
>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>>
> I didn't say anything about accepting unsanitized data now did I?
>
>
> --
> Luke Slater
> :O)
>
>

Sorry to annoy you Tedd,

I guess stage one would be something like

$date = $_GET['datestring'];
$exploded_date = explode(' ', $date);
$sane_date = array();

foreach ($exploded_date as $constituent)
{
    // a day is 1-31, optionally zero-padded; a bare '{1,31}' is not a valid quantifier
    if (preg_match('/^(0?[1-9]|[12][0-9]|3[01])$/', $constituent))
    {
        $sane_date["day"] = $constituent;
    }
}

Then in the foreach loop would also be something that would check for months
and years, setting the constituent to $sane_date["month"] and
$sane_date["year"] respectively.

Something like that?

I would try it out but I'm at work ;)

-- 
Luke Slater
:O)


--- End Message ---
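tedd's rules (year 1000-5000, month given as a name, day 1-31, parts in any order) carried through to a working parser, finishing the sketch Luke gives above. This is an added example, not code from tedd or Luke: month abbreviations must be at least three letters here because single letters such as J, M and A are ambiguous, and the separator set, the function names and the returned array shape are this example's own choices.

```php
<?php
// Added example, not code from the thread: a parser for tedd's rules (year 1000-5000,
// month given as a name, day 1-31, parts in any order), finishing Luke's sketch.
// Month abbreviations must be at least three letters because single letters such as
// J, M and A are ambiguous; the separator set, the function names and the returned
// array shape are this example's own choices.

declare(strict_types=1);

const MONTH_NAMES = ['january', 'february', 'march', 'april', 'may', 'june',
                     'july', 'august', 'september', 'october', 'november', 'december'];

/** 'aug', 'Augu', 'SEPT', 'december' -> month number; anything else -> null. */
function month_number(string $token): ?int
{
    $t = strtolower($token);
    if (strlen($t) < 3 || !preg_match('/^[a-z]+$/', $t)) {
        return null;
    }
    foreach (MONTH_NAMES as $i => $name) {
        if (strncmp($name, $t, strlen($t)) === 0) {
            return $i + 1;
        }
    }
    return null;
}

/**
 * Returns ['year' => int, 'month' => int, 'day' => int], or null when the input does
 * not hold exactly one year, one month word and one day, or names a day that does
 * not exist in that month (checkdate() rejects e.g. Feb 30).
 */
function parse_loose_date(string $input): ?array
{
    $found = [];
    $tokens = preg_split('/[\s,.\/-]+/', trim($input), -1, PREG_SPLIT_NO_EMPTY);
    foreach ($tokens as $token) {
        if (preg_match('/^\d{4}$/', $token) && (int)$token >= 1000 && (int)$token <= 5000) {
            $slot = 'year';
            $value = (int)$token;
        } elseif (preg_match('/^(0?[1-9]|[12]\d|3[01])$/', $token)) {
            $slot = 'day';
            $value = (int)$token;
        } elseif (($m = month_number($token)) !== null) {
            $slot = 'month';
            $value = $m;
        } else {
            return null;                 // a token that is none of the three parts
        }
        if (isset($found[$slot])) {
            return null;                 // the same part given twice
        }
        $found[$slot] = $value;
    }
    if (count($found) !== 3 || !checkdate($found['month'], $found['day'], $found['year'])) {
        return null;
    }
    return ['year' => $found['year'], 'month' => $found['month'], 'day' => $found['day']];
}

// Constructed inputs: tedd's four orderings plus three that must be rejected.
foreach (['2009 Aug 23', 'Aug 23 2009', 'Aug 2009 23', '23 2009 Aug',
          'Feb 30 2009', '2009 23', '12 23 2009'] as $input) {
    $d = parse_loose_date($input);
    printf("%-12s => %s\n", $input,
           $d ? sprintf('%04d-%02d-%02d', $d['year'], $d['month'], $d['day']) : 'rejected');
}
```

Because the month is a word, a numeric token can only be a year (four digits in range) or a day, which is what makes the order irrelevant; a string with two numeric days, a missing part, or an impossible day is rejected rather than guessed at, which is the "scrubbing" tedd says the PHP side has to do regardless of what the browser sends.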
--- Begin Message ---
tedd wrote:
> At 3:40 PM +0530 8/17/09, kranthi wrote:
>> dont you think http://in3.php.net/strtotime is a solution to your
>> problem ?
> 
> No, it's not a solution to my problem -- I have the problem solved.
> 
> I was just asking if anyone wanted to submit their php solution. It was
> only an exercise.
> 
> I know there are numerous javascript solutions (some good, some bad),
> but ALL of their data has to be accepted and scrubbed by a php script
> anyway, so I was suggesting creating a php script to do it.
> 
> If it's not a good exercise, then don't do it.

First stab at it.  Of course it needs US date ordering (month day year).
 You can't do euro type dates or any other format because there is no
way to tell the difference between 1/2/2009 (January) and 1/2/2009
(February):

<?php

$dates = array(
'August 5, 2009',
'Aug 05 2009',
'Aug 5, 9',
'08/05/09',
'8-5-9',
'8 05 2009',
'8,5,9',);

foreach($dates as $date) {
    // (\d+) rather than ([\d])+ so a two-digit month or day keeps both digits
    $date = preg_replace("#(\d+)[^/\d]+(\d+)[^/\d]+(\d+)#",
"$1/$2/$3", $date);
    $ts = strtotime($date);
    echo ($ts === false ? "unparsed: $date" : date("M j, Y", $ts)) ."\n";
}

?>


-- 
Thanks!
-Shawn
http://www.spidean.com

--- End Message ---
--- Begin Message ---
See if you can run the same php file via the CLI. Does script.sh run without
any problems? Then probably something like SELinux is preventing
httpd from running scripts. You have to contact your system
administrator to get this fixed.

--- End Message ---
--- Begin Message ---
> See if you can run the same php file via the CLI. Does script.sh run without
> any problems? Then probably something like SELinux is preventing
> httpd from running scripts. You have to contact your system
> administrator to get this fixed.
>

You are right. Running the php script from the CLI in an SSH session
results in the expected behaviour: the script specified in the exec
command is run. Not so if I call the php script from a web browser.

Thanks for the tipoff.

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

--- End Message ---
--- Begin Message ---
Did you check the SELinux options?

I have a similar problem. For some unknown reason scan_dir() is not
able to read /home/user when run as an Apache module, but the CLI is
giving the expected results. I did not find any workaround, but had to
read /var/www, which is the home directory of 'apache' (this is the
user under which Apache runs by default; hence your script needs 777 to
execute).

So if everything else fails I'd recommend you move the script to
/var/www (usually your server root) instead of /home/user

--- End Message ---
--- Begin Message ---
On Mon, 2009-08-17 at 19:23 +0530, kranthi wrote:
> Did you check the SELinux options?
> 
> I have a similar problem. For some unknown reason scan_dir() is not
> able to read /home/user when run as an Apache module, but the CLI is
> giving the expected results. I did not find any workaround, but had to
> read /var/www, which is the home directory of 'apache' (this is the
> user under which Apache runs by default; hence your script needs 777 to
> execute).
> 
> So if everything else fails I'd recommend you move the script to
> /var/www (usually your server root) instead of /home/user
> 
That's a potential security flaw waiting to happen. A script like this
shouldn't be kept in a web-accessible directory.

Thanks,
Ash
http://www.ashleysheridan.co.uk




--- End Message ---
--- Begin Message ---
> Did you check the SELinux options?
>

I do not have root access to that server.

> I have a similar problem. For some unknown reason scan_dir() is not
> able to read /home/user when run as an Apache module, but the CLI is
> giving the expected results. I did not find any workaround, but had to
> read /var/www, which is the home directory of 'apache' (this is the
> user under which Apache runs by default; hence your script needs 777 to
> execute).
>

Actually, it currently is 777. I thought it might be a permissions
problem so I 777ed it as a troubleshooting measure.


> So if everything else fails I'd recommend you move the script to
> /var/www (usually your server root) instead of /home/user
>

I have no access to that directory.


-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

--- End Message ---
--- Begin Message ---
> That's a potential security flaw waiting to happen. A script like this
> shouldn't be kept in a web-accessible directory.
>

Thanks, Ash. That directory is HTTP-password protected.

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

--- End Message ---
--- Begin Message ---
On Mon, 2009-08-17 at 17:01 +0300, Dotan Cohen wrote:
> > Did you check the SELinux options?
> >
> 
> I do not have root access to that server.
> 
> > I have a similar problem. For some unknown reason scan_dir() is not
> > able to read /home/user when run as an Apache module, but the CLI is
> > giving the expected results. I did not find any workaround, but had to
> > read /var/www, which is the home directory of 'apache' (this is the
> > user under which Apache runs by default; hence your script needs 777 to
> > execute).
> >
> 
> Actually, it currently is 777. I thought it might be a permissions
> problem so I 777ed it as a troubleshooting measure.
> 
> 
> > So if everything else fails I'd recommend you move the script to
> > /var/www (usually your server root) instead of /home/user
> >
> 
> I have no access to that directory.
> 
> 
> -- 
> Dotan Cohen
> 
> http://what-is-what.com
> http://gibberish.co.il
> 

Just out of curiosity, have you been able to run even the most basic of
scripts from PHP, like a plain old BASH 'echo' statement or something? I
only ask, because sometimes within the shell scripts themselves are
calls to other command line programs (even something as simple as 'ls')
which need to be called using their full path because Apache has a
different path for shell scripts. Also, you said you used include files
in that same area. Is it possible that you are also trying to use one of
them inside your shell script, but because the paths are different, the
system cannot find the things you expect it to?

Thanks,
Ash
http://www.ashleysheridan.co.uk




--- End Message ---
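Ash's questions (which user and PATH the web server runs the command under, and whether the failure is "not found" rather than "not allowed") can be answered from inside PHP before involving the administrator. The wrapper below is an added example, not code from the thread: it runs one executable by absolute path, quotes every argument, captures stdout and stderr together, and reads the exit status. The /home/user/script.sh path is a placeholder taken from the thread, /usr/bin/id is assumed to exist, and the 126/127 meanings are the usual /bin/sh conventions.

```php
<?php
// Added example, not code from the thread: a small wrapper around exec() that
// reports what the web server actually ran the command as, which PATH it had,
// and the exit status, so that "command not found" (127), "permission denied"
// (126, which is also what a SELinux denial usually looks like to the shell)
// and a genuine failure inside the script can be told apart. The script path
// is a placeholder from the thread; 126/127 are the usual /bin/sh conventions.

declare(strict_types=1);

/**
 * Run one executable with arguments, capturing stdout+stderr and the exit code.
 * $exe must be an absolute path; every argument is quoted with escapeshellarg().
 */
function run_checked(string $exe, array $args = []): array
{
    if ($exe === '' || $exe[0] !== '/') {
        throw new InvalidArgumentException("use an absolute path, got: $exe");
    }
    $cmd = escapeshellarg($exe);
    foreach ($args as $a) {
        $cmd .= ' ' . escapeshellarg((string)$a);
    }
    $output = [];
    $status = 0;
    exec($cmd . ' 2>&1', $output, $status);
    return ['command' => $cmd, 'status' => $status, 'output' => $output];
}

/** A one-line reading of the exit status for the log. */
function explain_status(int $status): string
{
    switch ($status) {
        case 0:   return 'ok';
        case 126: return 'found but not executable (mode bits, noexec mount, or a MAC policy such as SELinux)';
        case 127: return 'not found: check the path and the PATH seen by the web server';
        default:  return "exited with $status; read the captured output";
    }
}

/** What the web server process looks like from inside PHP. */
function environment_report(): array
{
    $who = run_checked('/usr/bin/id', ['-un']);   // assumes /usr/bin/id exists
    return [
        'sapi' => PHP_SAPI,
        'user' => $who['status'] === 0 ? implode('', $who['output']) : 'unknown',
        'path' => getenv('PATH') ?: '(PATH not set)',
        'cwd'  => getcwd(),
    ];
}

// Stand-alone run: /home/user/script.sh is a placeholder taken from the thread.
header('Content-Type: text/plain');   // a no-op under the CLI, useful in a browser
print_r(environment_report());
$r = run_checked('/home/user/script.sh');
printf("%s => %d (%s)\n%s\n", $r['command'], $r['status'],
       explain_status($r['status']), implode("\n", $r['output']));
```

Run once from the SSH shell and once through the browser: a different 'user' or 'path' line between the two explains a script that works in one place and not the other, and a 126 with an otherwise correct mode is the signature the thread's SELinux guess predicts. Keep the diagnostic out of any web-reachable directory once it has done its job.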
--- Begin Message ---
> Just out of curiosity, have you been able to run even the most basic of
> scripts from PHP, like a plain old BASH 'echo' statement or something? I
> only ask, because sometimes within the shell scripts themselves are
> calls to other command line programs (even something as simple as 'ls')
> which need to be called using their full path because Apache has a
> different path for shell scripts.

ls, pwd, and other commands run fine. The only command in the called
shell script is /usr/bin/mysqldump which for some reason out of habit
I always type with the full path!


> Also, you said you used include files
> in that same area. Is it possible that you are also trying to use one of
> them inside your shell script, but because the paths are different, the
> system cannot find the things you expect it to?
>

No, there are no other files included in this instance. I only
mentioned it to show that PHP can read from that directory.

Thanks.

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

--- End Message ---
--- Begin Message ---
>> That's a potential security flaw waiting to happen. A script like this
>> shouldn't be kept in a web-accessible directory.
/var/www is not the document root. The document root is /var/www/html, so I
don't think there's a problem.

>> /var/www (usually your server root)
I am mistaken regarding this.

For details (the location of httpd.conf may vary depending on your
distro, but it is definitely located in /etc/):
$ cat /etc/passwd | grep apache
$ cat /etc/httpd/conf/httpd.conf | grep ^ServerRoot
$ cat /etc/httpd/conf/httpd.conf | grep ^DocumentRoot
$ cat /etc/httpd/conf/httpd.conf | grep ^User

>> I have no access to that directory.
It seems you do not have access to any directory other than /home/user,
but I don't think there's a workaround; you'll have to request your
administrator to move that file to the /var/www directory (and retain
777).

>> ls, pwd, and other commands run fine.
I don't think "ls /home/user" will work fine.

--- End Message ---
--- Begin Message ---
On Mon, 2009-08-17 at 20:16 +0530, kranthi wrote:
> >> That's a potential security flaw waiting to happen. A script like this
> >> shouldn't be kept in a web-accessible directory.
> /var/www is not the document root. The document root is /var/www/html, so I
> don't think there's a problem.
> 
> >> /var/www (usually your server root)
> I am mistaken regarding this.
> 
> For details (the location of httpd.conf may vary depending on your
> distro, but it is definitely located in /etc/):
> $ cat /etc/passwd | grep apache
> $ cat /etc/httpd/conf/httpd.conf | grep ^ServerRoot
> $ cat /etc/httpd/conf/httpd.conf | grep ^DocumentRoot
> $ cat /etc/httpd/conf/httpd.conf | grep ^User
> 
> >> I have no access to that directory.
> It seems you do not have access to any directory other than /home/user,
> but I don't think there's a workaround; you'll have to request your
> administrator to move that file to the /var/www directory (and retain
> 777).
> 
> >> ls, pwd, and other commands run fine.
> I don't think "ls /home/user" will work fine.

Why move the script to somewhere that he can't access? If the existing
PHP scripts are all in /home/user then Apache is set up to allow the
local user filespace to be used as a web server area. As such, there
wouldn't be much point in trying to put the script in /var/www (assuming
that Apache is set up to use /var/www at all, on Suse for example it
uses /srv/www/)

Thanks,
Ash
http://www.ashleysheridan.co.uk




--- End Message ---
--- Begin Message ---
> "Note: If this function is not used to escape data, the query is
> vulnerable to SQL Injection Attacks."
>
> Does that necessarily imply this:
> "If this function is used to escape data, the query is not vulnerable
> to SQL Injection Attacks."?
>
> Logically, it does _not_ mean the same thing.

Definitely not -- it would be a bit presumptuous to claim "If you do
X, the query is not vulnerable to SQL injection attacks" for just
about any value of X.

That said, I would recommend binding parameters if you can. It's a
cleaner way of separating the logic of a query from its data, and
theoretically more reliable than mysql_real_escape_string():

http://en.wikipedia.org/wiki/SQL_injection#Parameterized_statements

Ben

--- End Message ---
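The bound-parameter form Ben recommends next to the string-built query it replaces, as an added example that is not code from the thread. It runs against an in-memory SQLite database through PDO so it works offline; the users table and its rows are constructed for the demonstration, and against MySQL only the DSN changes while the prepare/bindValue calls stay the same.

```php
<?php
// Added example, not code from the thread: the string-spliced query beside its
// parameterized form, run against an in-memory SQLite database through PDO so it
// works offline. The users table and its rows are constructed for the demonstration;
// against MySQL only the DSN changes, the prepare/bindValue calls stay the same.

declare(strict_types=1);

function demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'o''brien')");
    return $pdo;
}

/** Vulnerable: the value becomes part of the SQL text, so it can alter the statement. */
function find_user_unsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Hardened: the SQL text is fixed at prepare time; the value travels as a parameter. */
function find_user_safe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = demo_db();
// A perfectly ordinary name with an apostrophe is enough to show the difference:
// the parameterized query finds the row, the spliced one is no longer valid SQL.
// A value chosen on purpose would, by the same mechanism, change what the query does.
$name = "o'brien";
printf("safe:   %d row(s)\n", count(find_user_safe($pdo, $name)));
try {
    printf("unsafe: %d row(s)\n", count(find_user_unsafe($pdo, $name)));
} catch (PDOException $e) {
    echo "unsafe: query failed: ", $e->getMessage(), "\n";
}
```

The parameterized query returns the o'brien row; the spliced one raises a PDOException with a syntax error, because the apostrophe ended the string literal early. That is the separation Ben describes: the database receives the statement and the data through different channels, so no escaping step has to be remembered, and the question of whether escaping was "enough" does not arise.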