2009/8/27 Paul Gardiner <li...@glidos.net>:
> Torben Wilson wrote:
>> 2009/8/26 Paul Gardiner <li...@glidos.net>:
>>> Paul Gardiner wrote:
>>>> I want to write a simple indexing script to display a
>>>> directory full of photos as a gallery of thumbnails.
>>>> (There are various solutions out there for this, but
>>>> they're all a bit more complicated than I need).
>>>> I've added a file in /etc/apache2/conf.d that
>>>> looks like this:
>>>> Alias /photos /home/public/photos
>>>> <Directory "/home/public/photos">
>>>>   AllowOverride None
>>>>   Order allow,deny
>>>>   Allow from all
>>>>   DirectoryIndex /cgi-bin/index.php
>>>> </Directory>
>>>> I use "Alias" so that I can leave the photos where they are
>>>> and not have to move them to DocumentRoot. I use "DirectoryIndex"
>>>> so that the script doesn't have to be in with the photos. My
>>>> problem is that the running script seems to have no way to
>>>> work out the photos are in /home/public/photos.
>>>> $_SERVER[REQUEST_URI] is "/photos/", but I can't see how to
>>>> derive the server path from that, since $_SERVER[DOCUMENT_ROOT]
>>>> is "/srv/www/htdocs".
>>>> $_SERVER[PHP_SELF] is "/cgi-bin/index.php", so no use either.
>>>> How can I do this? Is there a way to interrogate the alias,
>>>> or can I set a variable in the conf file that PHP can pick up?
>>> I've sussed it. If I use this apache2 conf file, where I
>>> tag the server path onto the end of the index url:
>>> Alias /photos /home/public/photos
>>> <Directory "/home/public/photos">
>>>   AllowOverride None
>>>   Order allow,deny
>>>   Allow from all
>>>   DirectoryIndex /cgi-bin/index.php/home/public/photos
>>> </Directory>
>>> then the script can pick up the path as $_SERVER[PATH_INFO]
>>> P.
>> Hi Paul,
>> Glad you got it working.
> Actually, since posting, I've given up on that method,
> partly because I realised that in doing so I was opening up
> a security hole and being close to allowing enumeration of
> any apache-readable directory on my server, via direct use
> of the URL http://<host>/cgi-bin/index.php/<path>/.  I've
> found a much better way (using SetEnv):
> Alias /photos /home/public/photos
> <Directory "/home/public/photos">
>   AllowOverride None
>   Order allow,deny
>   Allow from all
>   SetEnv GalleryPath /home/public/photos
>   DirectoryIndex /cgi-bin/index.php
> </Directory>
> And then the script can pick up the path as $_SERVER['GalleryPath']
>> I would add one note: I don't know if this is
>> what your actual code contains or if it's just in your emails, but not
>> quoting string indices in arrays is a Bad Idea (TM). i.e. I'd
>> recommend avoiding the use of something like $_SERVER[PATH_INFO] and
>> instead use $_SERVER['PATH_INFO']. While the unquoted version will
>> work much of the time, it's untrustworthy. In this case, PHP sees the
>> label PATH_INFO and looks for a constant named PATH_INFO.
> Thanks for the advice. I've always been a little uncertain of that. I
> don't generally leave the quotes out, but I had been tending to, just
> for accessing $_SERVER (not sure why - some example code I must have
> read I think). Anyway, I'll put the quotes in.
> What about the case of including an array within a string, e.g.,
>  $line = "<tr><td>$array['name']<td>$array['address']";

Hi Paul,

For that, you use curly braces inside strings:

$line = "<tr><td>{$array['name']}<td>{$array['address']}";

> I've read something about that not working with the quotes in place.
> Is that best avoided too?
> Cheers,
>        Paul.
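
As an added example (not code from anyone in this thread), here is one way the index script could consume the SetEnv value described above: the directory is taken only from $_SERVER['GalleryPath'] and never from PATH_INFO, so a direct request to the script with a path appended has nothing to list. The function names, the image-extension filter and the markup are assumptions.

```php
<?php
// Added example: hypothetical gallery index script; names are assumptions.
declare(strict_types=1);

/**
 * Return the gallery directory set by Apache's SetEnv, or null if absent.
 * PATH_INFO is deliberately ignored because the client controls it.
 */
function gallery_root(array $server): ?string
{
    $configured = $server['GalleryPath'] ?? '';
    if (!is_string($configured) || $configured === '') {
        return null;               // script was requested outside the alias
    }
    $real = realpath($configured); // resolve symlinks and ".." once
    return ($real !== false && is_dir($real)) ? $real : null;
}

/** List image file names (not paths) found directly inside $root. */
function list_photos(string $root): array
{
    $photos = [];
    foreach (scandir($root) ?: [] as $name) {
        if (preg_match('/\.(jpe?g|png|gif)$/i', $name) && is_file("$root/$name")) {
            $photos[] = $name;
        }
    }
    return $photos;
}

$root = gallery_root($_SERVER);
if ($root === null) {
    http_response_code(404);
    exit('No gallery configured for this location.');
}

// URL prefix of the aliased directory, e.g. "/photos" for a request to "/photos/".
$base = rtrim((string) parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH), '/');

foreach (list_photos($root) as $name) {
    // Escape file names before they reach the HTML; quoted keys and
    // curly braces are used for interpolation throughout.
    $src = htmlspecialchars($base . '/' . rawurlencode($name), ENT_QUOTES);
    $alt = htmlspecialchars($name, ENT_QUOTES);
    echo "<a href=\"{$src}\"><img src=\"{$src}\" alt=\"{$alt}\" width=\"160\"></a>\n";
}
```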

PHP General Mailing List (http://www.php.net/)