php-windows Digest 29 Oct 2002 07:22:18 -0000 Issue 1412
Topics (messages 16597 through 16605):
PHP require() circumvents IIS security? Please help.
16597 by: Jack Kelly Dobson
16598 by: Mikey
16600 by: Jack Kelly Dobson
16601 by: Mikey
Extension Load Error
16599 by: Brett Curtiss
16604 by: Brett Curtiss
configuraton of mail server with PHP/Apache
16602 by: Dorothy Vankoughnett
How to prevent error email from being sent?
16603 by: Noah Spitzer-Williams
Re: <Script language=php???
16605 by: Steve Yates
Administrivia:
To subscribe to the digest, e-mail:
[EMAIL PROTECTED]
To unsubscribe from the digest, e-mail:
[EMAIL PROTECTED]
To post to the list, e-mail:
[EMAIL PROTECTED]
----------------------------------------------------------------------
--- Begin Message ---
Hello,
I just noticed something very concerning and hope someone has some
answers...
I'm running php 4.2.3 under W2k IIS as a .dll.
I have a directory set up with no anonymous access to it and security set to
"Integrated Windows Authentication".
If I try to load the page directly from the browser
"/my_site/my_secure_directory/password_protected_file.php" I get the
password dialog from Windows asking me to log in.
On the other hand:
If I require the file from a non-protected file; say "/index.php" has the
line:
"require('/my_site/my_secure_directory/password_protected_file.php');" in
it, I'm not asked for a password and the page is included in the output.
Is there something I'm missing here, or is this a bug?
Thanks in advance.
j-
--- End Message ---
--- Begin Message ---
> Hello,
>
> I just noticed something very concerning and hope someone has some
> answers...
>
> I'm running php 4.2.3 under W2k IIS as a .dll.
>
> I have a directory set up with no anonymous access to it and
> security set to
> "Integrated Windows Authentication".
>
> If I try to load the page directly from the browser
> "/my_site/my_secure_directory/password_protected_file.php" I get the
> password dialog from Windows asking me to log in.
>
> On the other hand:
>
> If I require the file from a non-protected file; say "/index.php" has the
> line:
> "require('/my_site/my_secure_directory/password_protected_file.php');" in
> it, I'm not asked for a password and the page is included in the output.
>
> Is there something I'm missing here, or is this a bug?
It's not a bug - just a mis-understanding of what the authentication
mechanism is for...
The directory security you have set is for users trying to access your files
via HTTP (the web), whereas require is a tool for the developer to easily
re-use code, accessing the files directly from disk rather than via HTTP.
HTH,
Mikey
<-- Insert stream of consciousness here!
--- End Message ---
--- Begin Message ---
> -----Original Message-----
> From: Mikey [mailto:mikey@;splatted.net]
> Sent: Monday, October 28, 2002 1:18 PM
> To: Jack Kelly Dobson; [EMAIL PROTECTED]
> Subject: RE: [PHP-WIN] PHP require() circumvents IIS security? Please
> help.
>
>
> > Hello,
> >
> > I just noticed something very concerning and hope someone has some
> > answers...
> >
> > I'm running php 4.2.3 under W2k IIS as a .dll.
> >
> > I have a directory set up with no anonymous access to it and
> > security set to
> > "Integrated Windows Authentication".
> >
> > If I try to load the page directly from the browser
> > "/my_site/my_secure_directory/password_protected_file.php" I get the
> > password dialog from Windows asking me to log in.
> >
> > On the other hand:
> >
> > If I require the file from a non-protected file; say
> "/index.php" has the
> > line:
> >
> "require('/my_site/my_secure_directory/password_protected_file.php');" in
> > it, I'm not asked for a password and the page is included in the output.
> >
> > Is there something I'm missing here, or is this a bug?
>
> It's not a bug - just a mis-understanding of what the authentication
> mechanism is for...
>
> The directory security you have set is for users trying to access
> your files
> via HTTP (the web), whereas require is a tool for the developer to easily
> re-use code, accessing the files directly from disk rather than via HTTP.
>
> HTH,
>
> Mikey
> <-- Insert stream of consciousness here!
>
Actually a misunderstanding of how require() works, but the answer I was
looking for.
Can I assume by this that all of the PHP functions that access files work
outside of the scope of the webserver? I'm suffering from "just enough
knowledge to get myself in trouble" syndrome.
Thanks for the quick response.
j-
--- End Message ---
--- Begin Message ---
> Actually a misunderstanding of how require() works, but the answer I was
> looking for.
Cool.
> Can I assume by this that all of the PHP functions that access files work
> outside of the scope of the webserver? I'm suffering from "just enough
> knowledge to get myself in trouble" syndrome.
Yes, you can - although the files will be accessed as the user that the
web-server runs as (IUSR_MACHINENAME by default with IIS) and will be
restricted by whatever security policies that are in effect for it.
regards,
Mikey
"Stone circles were common enough... Druids built them as weather computers
and since it was always cheaper to build a new 33-MegaLith circle than
upgrade an old slow one there were generally plenty of ancient ones
round." - T. Pratchett, Lords & Ladies
--- End Message ---
--- Begin Message ---
Ok, here is another extension problem. This one has me stumped. I have the
4.2.3 (Sept. 6) binary release. I have it installed and working properly
with Apache 1.3.24. All the DLLs are in the correct directories, phpinfo()
works, ect. But, when I try to load an extension it returns the error: (For
example the imap extension):
----------------------------------------------------------------------------
--
imap: Unable to initialize module
Module compiled with debug=0, thread-safety=1 module API=20020429
PHP compiled with debug=0, thread-safety=1 API=20010901
These options need to match.
----------------------------------------------------------------------------
--
Obviously, the APIs don't match, but they were included in the release. Am I
the only person getting this error, if so I would assume that I have done
something wrong, if not it must be the dist. Any ideas? Should I just try an
older distribution?
BTW: The OS is WinXP SP1
--- End Message ---
--- Begin Message ---
Fixed. There was a version conflict between an old version of php_ts.dll and
php.exe in System32.
"Brett Curtiss" <[EMAIL PROTECTED]> wrote in message
news:20021028201638.11446.qmail@;pb1.pair.com...
> Ok, here is another extension problem. This one has me stumped. I have the
> 4.2.3 (Sept. 6) binary release. I have it installed and working properly
> with Apache 1.3.24. All the DLLs are in the correct directories, phpinfo()
> works, ect. But, when I try to load an extension it returns the error:
(For
> example the imap extension):
> --------------------------------------------------------------------------
--
> --
> imap: Unable to initialize module
> Module compiled with debug=0, thread-safety=1 module API=20020429
> PHP compiled with debug=0, thread-safety=1 API=20010901
> These options need to match.
> --------------------------------------------------------------------------
--
> --
>
> Obviously, the APIs don't match, but they were included in the release. Am
I
> the only person getting this error, if so I would assume that I have done
> something wrong, if not it must be the dist. Any ideas? Should I just try
an
> older distribution?
> BTW: The OS is WinXP SP1
>
>
--- End Message ---
--- Begin Message ---
HI
not sure if anyone can help on this but am learning the basics of PHP with
Apache .. am getting errors and pinpointed to this line:
mail($to, $subject, $msg, $mailheaders);
I've looked at Apache set up and cant seem to find any errors in the setup
..
Any help with this would be appreciated!
Dorothy VK
--- End Message ---
--- Begin Message ---
Hey guys,
My service sends out emails every few days to members who wish to have
stats sent to them. The problem is once an email becomes inactive, I the
webmaster gets a failure email sent to me. This is starting to add up and I
can get upwards of 20 of these a day. It just seems likea waste of space
and bandwidth... is there anyway I can prevent this?
If i delete the webmaster email key in php.ini will my emails not have a
reply address?
Thanks!
- Noah
[EMAIL PROTECTED]
--- End Message ---
--- Begin Message ---
"Jason Porembski" <[EMAIL PROTECTED]> wrote in message
news:000001c27d5c$0487d830$6401a8c0@;HOMEPC...
> page refuses to use PHP and is in love with ASP. I need to run some PHP
> code from within ASP. How can this be done?
Have you tried using fopen()?
- Steve Yates
- Why is it called "rush hour" if it's so damn slow?
~ Do you like my taglines? Add them to your messages and
~ laugh through hundreds more by downloading Taglinator
~ at www.srtware.com today!
--- End Message ---
