php-general Digest 26 Mar 2012 19:16:14 -0000 Issue 7746
Topics (messages 317263 through 317277):
Re: foreach weirdness
317263 by: Arno Kuhl
including PHP code from another server..
317264 by: rene7705
317265 by: Stuart Dallas
317266 by: Simon Schick
317267 by: Stuart Dallas
317268 by: Stuart Dallas
317269 by: Curtis Maurand
317270 by: rene7705
317272 by: Lester Caine
317273 by: Alex Pojarsky
317277 by: Stuart Dallas
CURL -d
317271 by: QI.VOLMAR QI
Re: Thinking out loud - a continuation...
317274 by: Jay Blanchard
317275 by: Stuart Dallas
317276 by: Jay Blanchard
Administrivia:
To subscribe to the digest, e-mail:
[email protected]
To unsubscribe from the digest, e-mail:
[email protected]
To post to the list, e-mail:
[email protected]
----------------------------------------------------------------------
--- Begin Message ---
Note that somewhat similar error was discussed on this list a few months
ago[1]. You could probably have solved it yourself if you searched the mailing
list archives.
- Matijn
[1] http://www.mail-archive.com/[email protected]/msg269552.html
---
Thanks Matijn, I missed that discussion, not following the list that actively.
I'll try search next time before raising an issue.
Cheers
Arno
--- End Message ---
--- Begin Message ---
Hi.
My last thread got derailed into a javascript and even photoshop
discussion, and while I can't blame myself for that really, this time I
would like to bring a pure PHP issue to your scrutiny.
I run several sites now, on the same shared hoster, but with such a setup
that I cannot let PHP require() or include() code from a central place
located on another domain name on the same shared hosting account, not the
normal way at least.
$_SERVER['DOCUMENT_ROOT'] is a completely different path for each of the
domains on the same hosting account, and obviously you can't access one
domain's directory from another domain.
Hoster support's reply is A) I dont know code, B) You can't include code
from one domain on another and C) use multiple copies, 1 for each domain
But that directory (my open-sourced /code in the zip on
http://mediabeez.ws, btw) takes a while to update to my hoster, many
files.
Plus, as I add more domains that use the same code base, my overhead and
waiting time increases linearly at a steep incline.
So.. Since all of this code is my own, and tested and trusted, I can just
eval(file_get_contents('http://sitewithwantedcode.com/code/get_php.php?file=/code/sitewide_rv/autorun.php'))
hehe
And get_php.php takes care of the nested includes by massaging what it
retrieves. Or so is my thinking.
The problem I'm facing, and for which I'm asking your most scrutinous
feedback, is:
How would you transform _nested_ require(_once) and include(_once)? I
haven't figured out yet how to transform a relative path include/require.
What about for instance a require_once($fileIwantNow)?
I do both in my /code tree atm.
For my own purposes, I could massage my own PHP in /code/libraries_rv and
/code/sitewide_rv manually, but I'd also like to be able to include a
single copy of the 3rd party free libs that I use in
/code/libraries(/adodb-5.10 for instance). And god knows how they might
include and require.
Plus, I'd like to turn this into another free how-to blog entry on
http://mediabeez.ws, plus accompanying code, so I think I might find some
free tips here again.
Greetings,
from spring sun soaked amsterdam.nl,
Rene
--- End Message ---
--- Begin Message ---
REMOVE THAT SCRIPT FROM YOUR SERVER RIGHT NOW!!!!!
See follow-up email direct to you for the reason!
On 26 Mar 2012, at 14:53, rene7705 wrote:
> Hi.
>
> My last thread got derailed into a javascript and even photoshop
> discussion, and while I can't blame myself for that really, this time I
> would like to bring a pure PHP issue to your scrutiny.
>
> I run several sites now, on the same shared hoster, but with such a setup
> that I cannot let PHP require() or include() code from a central place
> located on another domain name on the same shared hosting account, not the
> normal way at least.
> $_SERVER['DOCUMENT_ROOT'] is a completely different path for each of the
> domains on the same hosting account, and obviously you can't access one
> domain's directory from another domain.
>
> Hoster support's reply is A) I dont know code, B) You can't include code
> from one domain on another and C) use multiple copies, 1 for each domain
>
> But that directory (my open-sourced /code in the zip on
> http://mediabeez.ws, btw) takes a while to update to my hoster, many
> files.
> Plus, as I add more domains that use the same code base, my overhead and
> waiting time increases linearly at a steep incline.
>
> So.. Since all of this code is my own, and tested and trusted, I can just
> eval(file_get_contents('http://sitewithwantedcode.com/code/get_php.php?file=/code/sitewide_rv/autorun.php'))
> hehe
> And get_php.php takes care of the nested includes by massaging what it
> retrieves. Or so is my thinking.
>
> The problem I'm facing, and for which I'm asking your most scrutinous
> feedback, is:
> How would you transform _nested_ require(_once) and include(_once)? I
> haven't figured out yet how to transform a relative path include/require.
> What about for instance a require_once($fileIwantNow)?
> I do both in my /code tree atm.
>
> For my own purposes, I could massage my own PHP in /code/libraries_rv and
> /code/sitewide_rv manually, but I'd also like to be able to include a
> single copy of the 3rd party free libs that I use in
> /code/libraries(/adodb-5.10 for instance). And god knows how they might
> include and require.
>
> Plus, I'd like to turn this into another free how-to blog entry on
> http://mediabeez.ws, plus accompanying code, so I think I might find some
> free tips here again.
>
> Greetings,
> from spring sun soaked amsterdam.nl,
> Rene
--- End Message ---
--- Begin Message ---
Hi, Rene
I just want to say the same ... whatever you're trying to do here - it
will end up in a major security issue that (I think) you won't fix that
soon, as someone has hacked your server.
That sounds like you don't want to pay $10 per month for a good
multiple-domain-hosting solution.
If you're searching for something cheap for multi-domains, take a look
at providers like DreamHost or something similar.
Bye
Simon
2012/3/26 Stuart Dallas <[email protected]>:
> REMOVE THAT SCRIPT FROM YOUR SERVER RIGHT NOW!!!!!
>
> See follow-up email direct to you for the reason!
>
> On 26 Mar 2012, at 14:53, rene7705 wrote:
>
>> Hi.
>>
>> My last thread got derailed into a javascript and even photoshop
>> discussion, and while I can't blame myself for that really, this time I
>> would like to bring a pure PHP issue to your scrutiny.
>>
>> I run several sites now, on the same shared hoster, but with such a setup
>> that I cannot let PHP require() or include() code from a central place
>> located on another domain name on the same shared hosting account, not the
>> normal way at least.
>> $_SERVER['DOCUMENT_ROOT'] is a completely different path for each of the
>> domains on the same hosting account, and obviously you can't access one
>> domain's directory from another domain.
>>
>> Hoster support's reply is A) I dont know code, B) You can't include code
>> from one domain on another and C) use multiple copies, 1 for each domain
>>
>> But that directory (my open-sourced /code in the zip on
>> http://mediabeez.ws, btw) takes a while to update to my hoster, many
>> files.
>> Plus, as I add more domains that use the same code base, my overhead and
>> waiting time increases linearly at a steep incline.
>>
>> So.. Since all of this code is my own, and tested and trusted, I can just
>> eval(file_get_contents('http://sitewithwantedcode.com/code/get_php.php?file=/code/sitewide_rv/autorun.php'))
>> hehe
>> And get_php.php takes care of the nested includes by massaging what it
>> retrieves. Or so is my thinking.
>>
>> The problem I'm facing, and for which I'm asking your most scrutinous
>> feedback, is:
>> How would you transform _nested_ require(_once) and include(_once)? I
>> haven't figured out yet how to transform a relative path include/require.
>> What about for instance a require_once($fileIwantNow)?
>> I do both in my /code tree atm.
>>
>> For my own purposes, I could massage my own PHP in /code/libraries_rv and
>> /code/sitewide_rv manually, but I'd also like to be able to include a
>> single copy of the 3rd party free libs that I use in
>> /code/libraries(/adodb-5.10 for instance). And god knows how they might
>> include and require.
>>
>> Plus, I'd like to turn this into another free how-to blog entry on
>> http://mediabeez.ws, plus accompanying code, so I think I might find some
>> free tips here again.
>>
>> Greetings,
>> from spring sun soaked amsterdam.nl,
>> Rene
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
--- End Message ---
--- Begin Message ---
On 26 Mar 2012, at 15:17, Simon Schick wrote:
> Hi, Rene
>
> I just want to say the same ... whatever you're trying to do here - it
> will end up in a major security issue that (I think) you won't fix that
> soon, as someone has hacked your server.
I couldn't care less about Rene's stuff. It's compromising the security of
every customer on that server, and that's not acceptable. Security is arguably
more important when using shared servers because your lack of focus on security
issues has consequences for everyone else on that server, and potentially on
that network.
-Stuart
--
Stuart Dallas
3ft9 Ltd
http://3ft9.com/
--- End Message ---
--- Begin Message ---
On 26 Mar 2012, at 14:53, rene7705 wrote:
> My last thread got derailed into a javascript and even photoshop
> discussion, and while I can't blame myself for that really, this time I
> would like to bring a pure PHP issue to your scrutiny.
>
> I run several sites now, on the same shared hoster, but with such a setup
> that I cannot let PHP require() or include() code from a central place
> located on another domain name on the same shared hosting account, not the
> normal way at least.
> $_SERVER['DOCUMENT_ROOT'] is a completely different path for each of the
> domains on the same hosting account, and obviously you can't access one
> domain's directory from another domain.
>
> Hoster support's reply is A) I dont know code, B) You can't include code
> from one domain on another and C) use multiple copies, 1 for each domain
>
> But that directory (my open-sourced /code in the zip on
> http://mediabeez.ws, btw) takes a while to update to my hoster, many
> files.
> Plus, as I add more domains that use the same code base, my overhead and
> waiting time increases linearly at a steep incline.
>
> So.. Since all of this code is my own, and tested and trusted, I can just
> eval(file_get_contents('http://sitewithwantedcode.com/code/get_php.php?file=/code/sitewide_rv/autorun.php'))
> hehe
> And get_php.php takes care of the nested includes by massaging what it
> retrieves. Or so is my thinking.
>
> The problem I'm facing, and for which I'm asking your most scrutinous
> feedback, is:
> How would you transform _nested_ require(_once) and include(_once)? I
> haven't figured out yet how to transform a relative path include/require.
> What about for instance a require_once($fileIwantNow)?
> I do both in my /code tree atm.
>
> For my own purposes, I could massage my own PHP in /code/libraries_rv and
> /code/sitewide_rv manually, but I'd also like to be able to include a
> single copy of the 3rd party free libs that I use in
> /code/libraries(/adodb-5.10 for instance). And god knows how they might
> include and require.
>
> Plus, I'd like to turn this into another free how-to blog entry on
> http://mediabeez.ws, plus accompanying code, so I think I might find some
> free tips here again.
Don't do this. Use a central source to host your code by all means, but create
constantly updated copies on every server that uses it. Since I use git for
source control I make use of the submodule feature to make this simplicity
itself. It's worth investing time in building the processes that ensure
consistency between your various environments. The best ops strategy is the
lazy op's strategy!
Set up cron scripts on each server to update that code periodically so
everything is always up to date. I wouldn't recommend that unless you have good
testing procedures in place before your code hits production, but from what
I've seen I find that highly doubtful. However, sharing code at runtime over
http is a very very very bad idea.
Even farms with hundreds or thousands of servers, all running the same
application on a fast local network, don't share code in this way. Each server
has its own copy of the code, and it's the deployment processes that ensure
they're kept up to date.
-Stuart
--
Stuart Dallas
3ft9 Ltd
http://3ft9.com/
--- End Message ---
--- Begin Message ---
rsync is your friend.
--C
Stuart Dallas wrote:
> Don't do this. Use a central source to host your code by all means, but
> create constantly updated copies on every server that uses it. Since I use
> git for source control I make use of the submodule feature to make this
> simplicity itself. It's worth investing time in building the processes
> that ensure consistency between your various environments. The best ops
> strategy is the lazy op's strategy!
>
> Set up cron scripts on each server to update that code periodically so
> everything is always up to date. I wouldn't recommend that unless you have
> good testing procedures in place before your code hits production, but
> from what I've seen I find that highly doubtful. However, sharing code at
> runtime over http is a very very very bad idea.
>
> Even farms with hundreds or thousands of servers, all running the same
> application on a fast local network, don't share code in this way. Each
> server has its own copy of the code, and it's the deployment processes
> that ensure they're kept up to date.
>
> -Stuart
>
> --
> Stuart Dallas
> 3ft9 Ltd
> http://3ft9.com/
--- End Message ---
--- Begin Message ---
Ok, removed the script, and will do something else instead.
Thanks for the tip.
--- End Message ---
--- Begin Message ---
Curtis Maurand wrote:
rsync is your friend.
and is even available for Windows machines ...
--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk//
Firebird - http://www.firebirdsql.org/index.php
--- End Message ---
--- Begin Message ---
Now, as the issue is addressed and the script removed, can you please explain
what exactly the issues of using such an approach are? I mean security
ones, not performance.
2012/3/26 Lester Caine <[email protected]>:
> Curtis Maurand wrote:
>>
>> rsync is your friend.
>
> and is even available for windows machines ...
>
> --
> Lester Caine - G8HFL
> -----------------------------
> Contact - http://lsces.co.uk/wiki/?page=contact
> L.S.Caine Electronic Services - http://lsces.co.uk
> EnquirySolve - http://enquirysolve.com/
> Model Engineers Digital Workshop - http://medw.co.uk//
> Firebird - http://www.firebirdsql.org/index.php
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
--- End Message ---
--- Begin Message ---
On 26 Mar 2012, at 17:41, Alex Pojarsky wrote:
> Now, as the issue adressed and script removed, can you please explain
> what exactly are the issues of using such approach? I mean security
> ones, not performance.
It's the wrong solution to a process and organisation problem. Ultimately it's
not really a problem IF you control every part of the infrastructure. Rene
clearly doesn't so it has implications for everyone sharing that
infrastructure, and anyone using the applications hosted there.
* It requires the host to enable allow_url_fopen which means every single
script on the server is then able to include/require URLs. It just needs one of
them to have a related vulnerability and suddenly people can execute arbitrary
PHP code on the server.
* Rene mentioned that the code is open source. This implies that the security
risk is lessened because the code that is being made publicly accessible is
already publicly accessible, so the opportunity for someone to find
vulnerabilities already exists. It gets an order of magnitude worse if other
people start ignorantly using his code because they're essentially giving him
the ability to execute arbitrary PHP code on their server. Not good no matter
how much he protests that he won't "be evil."
* You specifically wished to exclude performance from the discussion, but
scalability is potentially a big issue here and should not be completely
ignored.
I think the real issue for Rene is that of perceived complexity. The idea of
having to manually keep many copies of the same code in sync is what leads to
finding solutions like this one. This solution leads to unnecessary network
traffic and introduces potential security risks that go way beyond your own
code, and even if it's not a big issue now it has the potential to become
catastrophic!
I'd put a fair amount of cash on my guess that Rene is not using any form of
source control. To me that is the best solution to this problem. Curtis
mentioned rsync which will also do the job, but in my view you're nuts if
you're not using some form of source control already, and building a largely
automated process around that is trivial and automatically audited.
Rene: please read a book / website / something on PHP security. Some things are
important whether you believe they are or not.
-Stuart
--
Stuart Dallas
3ft9 Ltd
http://3ft9.com/
--- End Message ---
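Editor's added example for the two messages above (Rene's eval(file_get_contents(URL)) plan and Stuart's explanation of why it is dangerous). This is not code from the thread or from Rene's /code tree. One detail worth separating out: include/require of a URL is gated by the allow_url_include ini switch (off by default since PHP 5.2), whereas file_get_contents() of a URL only needs allow_url_fopen (on by default), so eval(file_get_contents($url)) behaves as remote file inclusion even on hosts that have disabled URL includes. Whoever controls the remote host, the DNS answer or the unencrypted http path controls the PHP that runs on the shared server. The scanner below uses PHP's tokenizer to flag both forms in a code tree and reports the two ini switches. The sample sources are constructed for the demo; the sitewithwantedcode.com URL is the one from Rene's post, and the example.invalid host is made up.

```php
<?php
// Added example; not code from the thread or from Rene's /code tree.
// Static scan for the pattern under discussion: eval() fed by a URL-fetching
// call, and include/require of an http(s):// target. The sample sources below
// are constructed (only the sitewithwantedcode.com URL is from the post).
declare(strict_types=1);

// Functions that turn a URL into a string which eval() will then run as code.
const FETCH_FUNCS    = ['file_get_contents', 'curl_exec', 'fopen', 'file', 'readfile'];
const INCLUDE_TOKENS = [T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE];

/** Text of the parenthesised argument list that follows token $i. */
function collect_call_args(array $tokens, int $i): string
{
    $depth = 0;
    $out = '';
    for ($j = $i + 1, $n = count($tokens); $j < $n; $j++) {
        $t = is_array($tokens[$j]) ? $tokens[$j][1] : $tokens[$j];
        if ($t === '(') {
            $depth++;
        } elseif ($t === ')') {
            if (--$depth === 0) {
                break;
            }
        } elseif ($depth === 0) {
            continue;                       // whitespace between eval and '('
        }
        $out .= $t;
    }
    return $out;
}

/** Text from the token after $i up to the end of the statement. */
function collect_statement(array $tokens, int $i): string
{
    $out = '';
    for ($j = $i + 1, $n = count($tokens); $j < $n; $j++) {
        $t = is_array($tokens[$j]) ? $tokens[$j][1] : $tokens[$j];
        if ($t === ';') {
            break;
        }
        $out .= $t;
    }
    return $out;
}

/** Findings for one PHP source string, one message per hit. */
function scan_remote_code(string $source): array
{
    $findings = [];
    $tokens = token_get_all($source);
    foreach ($tokens as $i => $tok) {
        if (!is_array($tok)) {
            continue;
        }
        [$id, $text, $line] = $tok;
        if ($id === T_EVAL) {
            $args = collect_call_args($tokens, $i);
            foreach (FETCH_FUNCS as $fn) {
                if (preg_match('/\b' . preg_quote($fn, '/') . '\s*\(/i', $args)) {
                    $findings[] = "line $line: eval() of data returned by $fn(); whoever controls that source or the network path controls this server";
                    break;
                }
            }
            if (preg_match('~https?://~i', $args)) {
                $findings[] = "line $line: eval() argument embeds a URL";
            }
        } elseif (in_array($id, INCLUDE_TOKENS, true)) {
            if (preg_match('~https?://~i', collect_statement($tokens, $i))) {
                $findings[] = "line $line: $text of a URL (remote file inclusion; needs allow_url_include)";
            }
        }
    }
    return $findings;
}

/** The two ini switches that decide whether URL fetching / including is possible at all. */
function url_ini_status(): array
{
    return [
        'allow_url_fopen'   => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
        'allow_url_include' => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN),
    ];
}

// Constructed samples: the thread's pattern, a URL include, and a harmless local include.
$samples = [
    'autorun_remote.php' => "<?php\neval(file_get_contents('http://sitewithwantedcode.com/code/get_php.php?file=/code/sitewide_rv/autorun.php'));\n",
    'rfi.php'            => "<?php\nrequire_once 'http://example.invalid/lib.php';\n",
    'local.php'          => "<?php\nrequire_once __DIR__ . '/libraries/adodb-5.10/adodb.inc.php';\n",
];
foreach ($samples as $name => $src) {
    $hits = scan_remote_code($src);
    printf("%s: %s\n", $name, $hits ? implode(' | ', $hits) : 'no remote-code pattern found');
}
print_r(url_ini_status());
```

To run it over a real tree, feed file_get_contents() of each *.php file to scan_remote_code() instead of the constructed samples. The token-based approach deliberately ignores comments and string contents outside the eval()/include argument, so a mention of "eval" in a docblock does not trigger it; a variable argument such as eval($code) is not flagged here and needs data-flow tracking that this example does not attempt.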
--- Begin Message ---
I have these lines:
curl -H "Content-Type: application/json" -d "hello world" \
"http://api.pusherapp.com/apps/17331/channels/test_channel/events?"\
The option -d is for data. But how can I set it on the PHP cURL extension?
I have found that if I set something like array('Hello World', 'name'
=> 'my_name') for the POST data, it may occur. Can you give me a little
help?
--- End Message ---
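Editor's added example for the question above; it is not code from the thread or from Pusher. The curl -d switch sends its argument verbatim as the request body. The PHP cURL equivalent is a string in CURLOPT_POSTFIELDS: a string is sent as-is, while an array (the form tried in the question) makes libcurl build a multipart/form-data body, which is a different request. Only the URL is taken from the question; the JSON payload and the SEND_REQUEST environment variable guard are assumptions of this example.

```php
<?php
// Added example; not code from the thread or from Pusher. The PHP cURL
// equivalent of:  curl -H "Content-Type: application/json" -d "hello world" URL
// Only the URL is taken from the question; the JSON payload is made up.
declare(strict_types=1);

/**
 * Options for a raw-body POST. A *string* in CURLOPT_POSTFIELDS is sent
 * verbatim, which is what -d does; an *array* makes cURL build a
 * multipart/form-data body instead, so the array form in the question
 * cannot produce the same request.
 */
function build_raw_post(string $url, string $body, string $contentType): array
{
    return [
        CURLOPT_URL            => $url,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_HTTPHEADER     => ['Content-Type: ' . $contentType],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,   // never let a redirect re-send the body elsewhere
        CURLOPT_SSL_VERIFYPEER => true,    // keep certificate checks on for https endpoints
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ];
}

/** Send the request; returns [http status, response body] or throws on transport error. */
function send_raw_post(array $options): array
{
    $ch = curl_init();
    curl_setopt_array($ch, $options);
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("cURL transport error: $err");
    }
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return [$status, $body];
}

$url = 'http://api.pusherapp.com/apps/17331/channels/test_channel/events';

// Exactly what -d "hello world" sends (the body is not valid JSON, as in the question):
$plain = build_raw_post($url, 'hello world', 'application/json');

// A structured payload is json_encode()d first and then sent as one string:
$json = build_raw_post($url, json_encode(['name' => 'my_name', 'data' => 'Hello World']), 'application/json');

if (getenv('SEND_REQUEST') === '1') {      // the network is only touched when asked for
    [$status, $response] = send_raw_post($json);
    echo "HTTP $status\n$response\n";
} else {
    echo "raw body: ", $plain[CURLOPT_POSTFIELDS], "\n";
    echo "json body: ", $json[CURLOPT_POSTFIELDS], "\n";
}
```

Run with SEND_REQUEST=1 to actually perform the POST; without it the script only prints the bodies it would send. The verification and redirect options are kept at their safe values on purpose: turning CURLOPT_SSL_VERIFYPEER off to "make it work" is the most common way PHP cURL code ends up trusting any server on the path.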
--- Begin Message ---
[snip]
This is one of "those" projects. It is apparently going to be trying every step
of the way.
[/snip]
I was proven right this morning after all of Robert's good work and what I had
added to make this work. It turns out that the one service that was anxious to
consume the JSON output expects the JSON to be in a certain format. When I run
their format through jslint it does not validate unless I add quotes around the
name portion of the name:value pairs. In addition they use (perfectly valid)
square brackets around the children groups that the output from json_encode()
does not contain.
I am ready to take a loss on this one but I really didn't lose - Robert gave me
a great way to retrieve the data with one query and create valid JSON from it.
Thanks again Robert!
--- End Message ---
--- Begin Message ---
On 26 Mar 2012, at 19:12, Jay Blanchard wrote:
> [snip]
> This is one of "those" projects. It is apparently going to be trying every
> step of the way.
> [/snip]
>
> I was proven right this morning after all of Robert's good work and what I
> had added to make this work. It turns out that the one service that was
> anxious to consume the JSON output expects the JSON to be in a certain format.
> When I run their format through jslint it does not validate unless I add
> quotes around the name portion of the name:value pairs. In addition they use
> (perfectly valid) square brackets around the children groups that the output
> from json_encode() does not contain.
>
> I am ready to take a loss on this one but I really didn't lose - Robert gave
> me a great way to retrieve the data with one query and create valid JSON from
> it. Thanks again Robert!
Square brackets in JSON represent arrays. Take their JSON, run it through
json_decode, and assuming it decodes correctly compare the structure to what
you already have. You should then be able to modify what you have so it
generates JSON in the format they are expecting.
-Stuart
--
Stuart Dallas
3ft9 Ltd
http://3ft9.com/
--- End Message ---
--- Begin Message ---
[snip]
> Square brackets in JSON represent arrays. Take their JSON, run it through
> json_decode, and assuming it decodes correctly compare the structure to what
> you already have. You should then be able to modify what you have so it
> generates JSON in the format they are expecting.
[/snip]
Done. I knew about the square brackets. In the code being used the array, if
blank, gets square brackets. For some reason an array containing actual data
does not.
--- End Message ---
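Editor's added example for the json_encode() thread above; it is not Jay's code and not Robert's query, neither of which appears in the digest. json_encode() writes a PHP array as a JSON array ([ ]) only when its keys are exactly 0, 1, ..., n-1 in that order; any other keys, including string keys or ids that do not start at 0, produce a JSON object ({ }). That is the usual reason an empty children array comes out as [] while a populated one does not: the populated array is keyed by something other than a 0-based sequence, typically the row id (an assumption about the code in the thread, which is not shown). The rows below are constructed sample data; as_json_lists() applies array_values() semantics recursively so every children list encodes as [ ].

```php
<?php
// Added example; not the poster's code or Robert's query. Shows why
// json_encode() emits {} for one PHP array and [] for another, and how to force
// the [] form for child lists. The rows are constructed sample data.
declare(strict_types=1);

/** Flat parent/child rows as one query might return them (constructed). */
function sample_rows(): array
{
    return [
        ['id' => 1, 'parent_id' => null, 'name' => 'root'],
        ['id' => 2, 'parent_id' => 1,    'name' => 'child a'],
        ['id' => 3, 'parent_id' => 1,    'name' => 'child b'],
        ['id' => 4, 'parent_id' => 2,    'name' => 'grandchild'],
    ];
}

/**
 * Nest rows under their parent. Children are stored keyed by id, which is
 * convenient for lookups but is exactly what makes json_encode() print an
 * object: only keys 0..n-1 in order are encoded as a JSON array.
 */
function build_children(array $rows, ?int $parentId): array
{
    $out = [];
    foreach ($rows as $r) {
        if ($r['parent_id'] === $parentId) {
            $out[$r['id']] = [
                'id'       => $r['id'],
                'name'     => $r['name'],
                'children' => build_children($rows, $r['id']),
            ];
        }
    }
    return $out;
}

/** True when json_encode() will emit this array as a JSON array ([]). */
function encodes_as_list(array $a): bool
{
    return $a === [] || array_keys($a) === range(0, count($a) - 1);
}

/** Re-index every children array so the whole tree encodes as nested [] lists. */
function as_json_lists(array $nodes): array
{
    $list = [];
    foreach ($nodes as $node) {
        $node['children'] = as_json_lists($node['children']);
        $list[] = $node;                    // array_values() semantics, applied recursively
    }
    return $list;
}

$keyed = build_children(sample_rows(), null);

// Keyed by id, so the populated arrays are not lists; the empty leaf is.
var_dump(encodes_as_list($keyed));
var_dump(encodes_as_list($keyed[1]['children'][3]['children']));

// Before: objects with the ids as string keys. After: arrays at every level.
echo json_encode($keyed, JSON_PRETTY_PRINT), "\n";
echo json_encode(as_json_lists($keyed), JSON_PRETTY_PRINT), "\n";
```

The same rule explains the inverse surprise: unset() of one element from a 0-based list leaves a gap in the keys and turns the next json_encode() of it into an object. Re-index with array_values() at the boundary where the structure is handed to json_encode(), not earlier, so id-keyed lookups stay available while the tree is being built.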