php-general Digest 26 Oct 2010 14:24:31 -0000 Issue 7007
Topics (messages 309067 through 309079):
Re: Check for existence of mail address
309067 by: fakessh.fakessh.eu
309071 by: Gary
309072 by: Per Jessen
309073 by: Gary
309075 by: TR Shaw
309076 by: TR Shaw
309077 by: Bob McConnell
309078 by: Daniel P. Brown
Re: Best practice for if (!$stmt->execute())
309068 by: Paul M Foster
309069 by: Rico Secada
309070 by: Paul M Foster
objects and $_SESSION access control
309074 by: Lorenzo Marussi
309079 by: Nathan Rixham
----------------------------------------------------------------------
--- Begin Message ---
Le 26.10.2010 04:24, Sharl.Jimh.Tsin a écrit :
> You can try the smtpvalidate class provided by Jonathan Tapicer, but
> maybe it is impossible in my opinion.
>
> PS: send test mail and check the fail-report by MTA server may be an
> idea, but no good :)
>
> Best regards,
> Sharl.Jimh.Tsin (From China)
>
>
It is my opinion for me. Send illegal mail and I a spammer not send a mail
--- End Message ---
--- Begin Message ---
Jonathan Tapicer wrote:
> You can use this class:
> http://www.webdigi.co.uk/blog/wp-content/uploads/2009/01/smtpvalidateclassphp.txt
>
> It may not work for some SMTPs.
>
> It uses the concepts explained here:
> http://www.webdigi.co.uk/blog/2009/how-to-check-if-an-email-address-exists-without-sending-an-email/
Please stop top-posting.
The above idea is sound - it will work - but uses *others'* systems to
solve *your* problem, which is rude IMO. @OP: Why do you need to know if
the address really exists?
--- End Message ---
--- Begin Message ---
Gary wrote:
> Jonathan Tapicer wrote:
>> You can use this class:
>> http://www.webdigi.co.uk/blog/wp-content/uploads/2009/01/smtpvalidateclassphp.txt
>>
>> It may not work for some SMTPs.
>>
>> It uses the concepts explained here:
>> http://www.webdigi.co.uk/blog/2009/how-to-check-if-an-email-address-exists-without-sending-an-email/
>
> Please stop top-posting.
>
> The above idea is sound - it will work - but uses *others'* systems to
> solve *your* problem, which is rude IMO.
There is no other way. The SMTP protocol provides VRFY for exactly
this purpose, but it is disabled on most servers.
The closest approximation of "email address exists" is "MX will accept
mail for it".
--
Per Jessen, Zürich (5.4°C)
--- End Message ---
--- Begin Message ---
Per Jessen wrote:
> Gary wrote:
>> The above idea is sound - it will work - but uses *others'* systems to
>> solve *your* problem, which is rude IMO.
>
> There is no other way.
I know, that's why I asked why the OP thinks he needs to know if the
address really exists (which is true only at the point in time that the
code checks, anyway, it isn't like email addresses are permanent
fixtures).
--- End Message ---
--- Begin Message ---
On Oct 25, 2010, at 6:46 PM, Daniel P. Brown wrote:
> On Mon, Oct 25, 2010 at 18:38, <web...@blaettner.com> wrote:
>>
>> Is there any other function which checks whether this
>> address really exists?
>
> Of course not! Can you imagine the implications, insecurities,
> and privacy concerns that would be associated with that? Some
> mailservers will confirm or deny if a local address exists, but not
> most --- thankfully.
Not true or else you would never get mail. What you mean is that most
mailservers have VRFY disabled.
--- End Message ---
--- Begin Message ---
On Oct 25, 2010, at 6:38 PM, web...@blaettner.com wrote:
> Hi, folks,
>
> I'm wondering how to check the existence of a given
> mail address like f...@bar.com .
>
> At 1st I tried:
>
> if (filter_var ($maddr, FILTER_VALIDATE_EMAIL) === false) {
>     /* some sort of error handling code here */
> }
>
> where $maddr is the address to be checked.
> But this checks only syntax.. :-(
>
> Is there any other function which checks whether this
> address really exists?
>
> And, of course, I want to avoid sending a test mail just
> for checking :-)
>
> Many THX in advance for suggestions, pointers...
>
Rolf,
Since most mailservers disabled VRFY long ago due to spammers and other
miscreants, the easiest way is to use class.smtp.php from phpmailer using
the following:
require_once 'class.smtp.php'; // SMTP class shipped with phpmailer
// $mxhost: a mail exchanger for the domain of $to; $from: envelope sender
$smtp = new SMTP;
if (!$smtp->Connect($mxhost)) return false; // Connect failure
if (!$smtp->Hello("yourmailserver.com")) return false; // Maybe not a mailserver
if (!$smtp->Mail($from)) return false; // MAIL FROM must precede RCPT TO
if (!$smtp->Recipient($to)) return false; // No such user
$smtp->Close(); // Found user so abort transaction.
return true;
Tom
--- End Message ---
--- Begin Message ---
From: TR Shaw
> On Oct 25, 2010, at 6:46 PM, Daniel P. Brown wrote:
>> On Mon, Oct 25, 2010 at 18:38, <web...@blaettner.com> wrote:
>>>
>>> Is there any other function which checks whether this
>>> address really exists?
>>
>> Of course not! Can you imagine the implications, insecurities,
>> and privacy concerns that would be associated with that? Some
>> mailservers will confirm or deny if a local address exists, but not
>> most --- thankfully.
> Not true or else you would never get mail.
Of course it's true. Most servers will accept any email sent to a valid
domain name, then silently discard all messages that don't have valid
user names, expecting that set to be mostly SPAM. This created a new
problem where the legitimate senders no longer know when their mail
didn't get delivered due to a typo in the address.
Bob McConnell
--- End Message ---
--- Begin Message ---
On Tue, Oct 26, 2010 at 08:49, TR Shaw <ts...@oitc.com> wrote:
>
> On Oct 25, 2010, at 6:46 PM, Daniel P. Brown wrote:
>>
>> Of course not! Can you imagine the implications, insecurities,
>> and privacy concerns that would be associated with that? Some
>> mailservers will confirm or deny if a local address exists, but not
>> most --- thankfully.
> Not true or else you would never get mail. What you mean is that most
> mailservers have VRFY disabled
Read what I said before saying it's not true: "Some mailservers
will confirm or deny if a local address exists, but not most."
Believe me, I know what I mean. (No matter how surprising that may
seem. ;-P)
--
</Daniel P. Brown>
Dedicated Servers, Cloud and Cloud Hybrid Solutions, VPS, Hosting
(866-) 725-4321
http://www.parasane.net/
--- End Message ---
--- Begin Message ---
On Mon, Oct 25, 2010 at 06:06:24AM +0200, Rico Secada wrote:
> Hi.
>
> I have been doing like this:
>
> if (!$stmt->execute()) {
> return false;
> } else {
>
> ... some code
>
> return true;
> OR
> return $foo; // Some int, string, whatever.
>
> }
>
> I am thinking about changing the "return false" with a:
>
> if (!$stmt->execute()) {
> die(DB_ERROR);
>
> This way making sure that every single db execute gets a valid check
> and at the same time return some kind of valuable db error to the user
> and end the script.
>
> How do you deal with db execution checks?
>
> Thanks in advance!
>
> Best regards.
>
> Rico.
First, there are only a few ways a *true* error can occur with my
database. 1) Bad syntax from the programmer (me). 2) Bad input from the
user (which should never happen). 3) A catastrophic failure on the
database back end.
In all three cases, there is no recovery unless the programmer (me) digs
into the problem. Therefore, I have an error routine used for
everything, which dies and sends the programmer an email with a trace in
the case of a catastrophic error, like the above. And I have a database
wrapper class which checks for errors like this and fires the error
handler if the error is this bad. That means the script will abort and
the programmer will get an email.
Bear in mind, an "error" is *never* that a query returned no data or
data the user might consider bad.
Paul
--
Paul M. Foster
--- End Message ---
--- Begin Message ---
On Mon, 25 Oct 2010 22:56:37 -0400
Paul M Foster <pa...@quillandmouse.com> wrote:
> Bear in mind, an "error" is *never* that a query returned no data or
> data the user might consider bad.
This is an important point. When is an "error" an actual error? When is
it something that *needs* to be logged and mailed?
> Paul
>
> --
> Paul M. Foster
>
--- End Message ---
--- Begin Message ---
On Tue, Oct 26, 2010 at 06:27:33AM +0200, Rico Secada wrote:
> On Mon, 25 Oct 2010 22:56:37 -0400
> Paul M Foster <pa...@quillandmouse.com> wrote:
>
> > Bear in mind, an "error" is *never* that a query returned no data or
> > data the user might consider bad.
>
> This is an important point. When is an "error" an actual error? When is
> it something that *needs* to be logged and mailed?
When it's a programmer/DBA error and cannot be recovered from. For
example, the statement:
SELECT * WHERE custno = 'BOBSMITH';
contains a syntax error (no table reference). That should generate a
fatal error, because no such statement should ever be fired at the DBMS.
The programmer should ensure his statements don't contain errors like
that. And if they do, there's no way to fix it from a user's
perspective.
There are any of a number of other PHP errors which will generate
"error" level messages which should lead to fatal errors. The code
should now allow such errors.
And no user input should create such errors. The programmer has to
filter the user's input so that whatever he enters, it doesn't cause PHP
or the DBMS to error out that way.
These are just definitions of "fatal" errors from my perspective.
Opinions may vary.
Paul
--
Paul M. Foster
--- End Message ---
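Added example, not code from this thread: one way to build the database wrapper Paul describes in his two messages above, where a driver error is fatal and its details go to the programmer's log instead of being returned to the user, while an empty result set is not an error. The class name `Db`, the log format and the in-memory SQLite data are assumptions made for the illustration.

```php
<?php
// Added illustration; Db and its methods are hypothetical names.
final class Db
{
    private $pdo;

    public function __construct(PDO $pdo)
    {
        // Every driver error becomes an exception, so no check can be forgotten.
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $this->pdo = $pdo;
    }

    /** Returns the matching rows. Zero rows is a normal result, not an error. */
    public function select($sql, array $params = array())
    {
        try {
            $stmt = $this->pdo->prepare($sql);
            $stmt->execute($params); // user input is passed only as bound values
            return $stmt->fetchAll(PDO::FETCH_ASSOC);
        } catch (PDOException $e) {
            $this->fatal($sql, $e);
        }
    }

    private function fatal($sql, PDOException $e)
    {
        // Detail for the programmer: log it here (or mail it), never echo it.
        error_log(sprintf("DB failure: %s | SQL: %s\n%s",
            $e->getMessage(), $sql, $e->getTraceAsString()));
        if (!headers_sent()) {
            header('HTTP/1.1 500 Internal Server Error');
        }
        exit("An internal error occurred. The administrator has been notified.\n");
    }
}

// Constructed sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->exec("CREATE TABLE customers (custno TEXT PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO customers VALUES ('BOBSMITH', 'Bob Smith')");
$db = new Db($pdo);

// An unknown customer yields an empty array and the script carries on.
$rows = $db->select('SELECT * FROM customers WHERE custno = ?', array('NOBODY'));
echo count($rows), " row(s) found\n";

// The statement from the message above (no table reference) is a programmer error.
$db->select("SELECT * WHERE custno = 'BOBSMITH'");
```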
--- Begin Message ---
Hi List,
I have written a library of PHP classes to manage database objects.
So my application now accesses this library instead of accessing
the database directly.
Now I need to add access control to my classes, like a check of a
$_SESSION variable.
A solution could be to add these lines at the top of every method:
" session_start();if(!isset($_SESSION['user'])) { return 999; } "
ex:
class sysAccess{
    // ...
    function getName()
    {
        session_start();if(!isset($_SESSION['user'])) { return 999; }
        // ...
    }
}
In this way, I am sure that only trusted users have access to the
methods.
But if I forget to "protect" a single method, there will be a serious
vulnerability... and this task will be long (and boring...).
Is there a better solution to restrict access to an object's public
methods to granted accounts only?
Thanks in advance
Lorenzo Marussi
--- End Message ---
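Added example, not code from this thread: one way to avoid repeating the session check in every method, as asked in the message above, is to route all calls through a single wrapper that denies by default, so a forgotten method stays protected, and that throws instead of returning a code such as 999 that a caller might ignore. `Guarded`, `AccessDenied` and the `ping()` method are hypothetical names, and the session is simulated by assigning `$_SESSION` directly.

```php
<?php
// Added illustration; Guarded and AccessDenied are hypothetical names.
class AccessDenied extends Exception {}

final class Guarded
{
    private $target;
    private $open;

    public function __construct($target, array $open = array())
    {
        $this->target = $target;
        $this->open = $open; // the only methods callable without a login
    }

    public function __call($method, array $args)
    {
        // Checked from outside the target class, so only its public methods pass.
        if (!is_callable(array($this->target, $method))) {
            throw new BadMethodCallException("No such method: $method");
        }
        // Deny by default: anything not listed as open needs $_SESSION['user'].
        if (!in_array($method, $this->open, true) && !isset($_SESSION['user'])) {
            throw new AccessDenied("Login required for $method()");
        }
        return call_user_func_array(array($this->target, $method), $args);
    }
}

// Stand-in for the poster's class; the method bodies are constructed.
class sysAccess
{
    public function getName() { return 'alice'; }
    public function ping() { return 'pong'; }
}

// session_start() belongs once in the bootstrap; here the session is simulated.
$_SESSION = array();
$api = new Guarded(new sysAccess(), array('ping'));
echo $api->ping(), "\n";            // open method, no login needed
try {
    $api->getName();                // protected without any code in getName()
} catch (AccessDenied $e) {
    echo 'denied: ', $e->getMessage(), "\n";
}
$_SESSION['user'] = 'alice';        // simulated login
echo $api->getName(), "\n";
```

The guard only helps if application code cannot reach an unwrapped `sysAccess`, so instances should be handed out through one factory that always wraps them.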
--- Begin Message ---
Lorenzo Marussi wrote:
> Hi List,
> I have written a library of PHP classes to manage database objects.
> So my application now accesses this library instead of accessing
> the database directly.
> Now I need to add access control to my classes, like a check of a
> $_SESSION variable.
> A solution could be to add these lines at the top of every method:
> " session_start();if(!isset($_SESSION['user'])) { return 999; } "
> ex:
> class sysAccess{
>     // ...
>     function getName()
>     {
>         session_start();if(!isset($_SESSION['user'])) { return 999; }
>         // ...
>     }
> }
> In this way, I am sure that only trusted users have access to the
> methods.
> But if I forget to "protect" a single method, there will be a serious
> vulnerability... and this task will be long (and boring...).
> Is there a better solution to restrict access to an object's public
> methods to granted accounts only?
I'm missing something here: how would a user (I assume of a website)
manage to run methods on classes which are part of server side code?
Regardless of your answer to the above question, this all points to
something being wrong in the architecture of the application - perhaps
if you give more details (show us the interfaces, the code, or PHP doc
the system to expose the API) we could help find where the problems are.
Best,
Nathan
--- End Message ---