php-general Digest 26 Apr 2011 09:37:47 -0000 Issue 7284
Topics (messages 312484 through 312489):
Re: JavaScript Injection ???
312484 by: Nathan Rixham
312487 by: Daniel Brown
312488 by: tedd
Re: str_replace
312485 by: Nathan Rixham
312486 by: Nathan Rixham
Improve server HTTP GET server response - HTTP 1.1 ?
312489 by: Eli Orr (Office)
Administrivia:
To subscribe to the digest, e-mail:
[email protected]
To unsubscribe from the digest, e-mail:
[email protected]
To post to the list, e-mail:
[email protected]
----------------------------------------------------------------------
--- Begin Message ---
Stuart Dallas wrote:
> On Monday, 18 April 2011 at 20:50, tedd wrote:
>> The form "as-is" produced a javascript alert() and now it doesn't.
> This is not a browser change because it's happening before the browser sees the
> response (try it with curl).
It is the browser: Chrome will prevent execution because the code was
sent in the request. Just check the JavaScript console and you'll see
something like:
"Refused to execute a JavaScript script. Source code of script found
within request."
Best,
Nathan
--- End Message ---
--- Begin Message ---
On Mon, Apr 25, 2011 at 19:12, Nathan Rixham <[email protected]> wrote:
>
> It is the browser, chrome will prevent execution because the code was sent
> in the request, just check the javascript console and you'll see something
> like:
>
> "Refused to execute a JavaScript script. Source code of script found within
> request."
An easy way to get around that, depending on where it lay and how it
was stored and accessed, is to inject it into the session. Chrome
would obviously have no notion of session data. An added step, but
proof positive that ALL data needs to be sanitized, not just GPC and
database.
--
</Daniel P. Brown>
Network Infrastructure Manager
http://www.php.net/
--- End Message ---
--- Begin Message ---
At 7:45 PM -0400 4/25/11, Daniel Brown wrote:
> On Mon, Apr 25, 2011 at 19:12, Nathan Rixham <[email protected]> wrote:
>> It is the browser, chrome will prevent execution because the code was sent
>> in the request, just check the javascript console and you'll see something
>> like:
>> "Refused to execute a JavaScript script. Source code of script found within
>> request."
> Easy way to get around that, depending on where it lied and how it
> was stored and accessed, is to inject it into the session. Chrome
> would obviously have no notion of session data. An added step, but
> proof positive that ALL data needs to be sanitized, not just GPC and
> database.
> --
> </Daniel P. Brown>
Most excellent point!
Cheers,
tedd
--
-------
http://sperling.com/
--- End Message ---
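An added example, not code from the thread, illustrating Daniel's point: the Chrome check quoted above (the XSS Auditor, later removed from Chrome) only matches script text that is present in the request, so a payload that reaches the page through $_SESSION is never seen by it, and only server-side output encoding stops it. The session key `display_name` and the two render functions are hypothetical, and the sample session is constructed.

```php
<?php
declare(strict_types=1);

// Encode a value for an HTML text or attribute context (UTF-8 output assumed).
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable: the greeting echoes session data raw. The markup was stored on
// an earlier request (a profile form, say), so the request that renders it
// carries no script text for a browser-side request/response comparison to match.
function render_greeting_vulnerable(array $session): string
{
    return '<p>Welcome, ' . $session['display_name'] . '</p>';
}

// Hardened: same page, with the value encoded at the point of output.
function render_greeting_safe(array $session): string
{
    return '<p>Welcome, ' . h($session['display_name']) . '</p>';
}

// Constructed sample session: a display name carrying the alert() from tedd's test form.
$sample_session = ['display_name' => '<script>alert(1)</script>'];

echo render_greeting_vulnerable($sample_session), PHP_EOL;
echo render_greeting_safe($sample_session), PHP_EOL;
```

The same encoding rule applies to anything else the page prints from storage that is not a GET/POST/cookie value: database rows, cached fragments, file contents.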
--- Begin Message ---
Jim Lucas wrote:
> On 4/24/2011 8:44 AM, Ron Piggott wrote:
>> I am trying to figure out a syntax that will replace each instance of % with a
>> different letter chosen randomly from the string $puzzle_filler. $puzzle_filler
>> is populated with the letters of the alphabet, roughly in the same ratio as they
>> are used.
>> This syntax replaces each instance of % with the same letter:
>> $puzzle[$i] = str_replace ( "%" , ( substr ( $puzzle_filler , rand(1,98) , 1 ) ) , $puzzle[$i] );
>> Turning this:
>> %ECARBME%TIPLUP%%%%%%%E%%
>> Into:
>> uECARBMEuTIPLUPuuuuuuuEuu
>> Is there a way to tweak my str_replace so it will only do 1 % at a time, so a
>> different replacement letter is selected?
>> This is the syntax specific to choosing a replacement letter at random:
>> substr ( $puzzle_filler , rand(1,98) , 1 );
>> Thanks for your help.
>> Ron
>> The Verse of the Day
>> “Encouragement from God’s Word”
>> http://www.TheVerseOfTheDay.info
> How about something simple like this?
> <?php
> $input = '%ECARBME%TIPLUP%%%%%%%E%%';
> $random_chars = range('a', 'z');
> echo 'Before: '.$input.PHP_EOL;
> // one '%' per pass, so every blank gets its own random letter
> while ( ($pos = strpos($input, '%')) !== false ) {
>     $input[$pos] = $random_chars[array_rand($random_chars)];
> }
> echo 'After: '.$input.PHP_EOL;
just for fun
$a = '%ECARBME%TIPLUP%%%%%%%E%%';
$b = 'abcdefghijklmnopqrstuvwxyz';
// preg_replace's /e modifier was removed in PHP 7; a callback does the same job
echo preg_replace_callback('/%/', function () use ($b) { return substr(str_shuffle($b), -1); }, $a);
--- End Message ---
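An added example, not from the thread, that keeps Ron's original requirement of a frequency-weighted filler string rather than a uniform a-z pick, and avoids the offset problem in rand(1,98) (index 0 can never be chosen, and an index past the end of the filler yields an empty replacement). The letter weights are constructed, and build_puzzle_filler and fill_blanks are hypothetical names.

```php
<?php
declare(strict_types=1);

// Build a filler string in which each letter appears roughly as often as it is
// used in English text (constructed weights, about 100 letters in total).
function build_puzzle_filler(): string
{
    $weights = ['e' => 12, 't' => 9, 'a' => 8, 'o' => 8, 'i' => 7, 'n' => 7,
                's' => 6, 'h' => 6, 'r' => 6, 'd' => 4, 'l' => 4, 'u' => 3,
                'c' => 3, 'm' => 2, 'w' => 2, 'f' => 2, 'g' => 2, 'y' => 2,
                'p' => 2, 'b' => 1, 'v' => 1, 'k' => 1, 'j' => 1, 'x' => 1,
                'q' => 1, 'z' => 1];
    $filler = '';
    foreach ($weights as $letter => $count) {
        $filler .= str_repeat($letter, $count);
    }
    return strtoupper($filler);
}

// Replace every '%' with an independently chosen letter from $filler; the
// callback runs once per match, which is what makes each pick different.
function fill_blanks(string $puzzle, string $filler): string
{
    $last = strlen($filler) - 1;
    return preg_replace_callback('/%/', function () use ($filler, $last) {
        // mt_rand(0, $last) covers the whole string; a puzzle needs no CSPRNG
        return $filler[mt_rand(0, $last)];
    }, $puzzle);
}

$filler = build_puzzle_filler();
echo fill_blanks('%ECARBME%TIPLUP%%%%%%%E%%', $filler), PHP_EOL;
```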
--- Begin Message ---
Dear PHP Gurus,
I have written a service that responds to a client HTTP GET request with
a BLOB of data:
http://mimmage.com/cms/client_initialize1.php?OPERATOR=MIRS&ID=23412341234&OS=RIM
The first time I call the HTTP GET it works very slowly; subsequent calls
work much faster.
Please advise how I can improve the server response on the first call.
Is there any method for the client to initialize a standby-like service with the
server ahead of the specific request?
Is there any way the HTTP 1.1 mode of operation can speed it up?
e.g. http://www8.org/w8-papers/5c-protocols/key/key.html
Looking forward to your wise and experienced advice on this heavy issue.
Thanks
Eli
eliorr.com
--- End Message ---