[PHP] Re: Example of good PHP coding

2004-03-23 Thread Geir Pedersen - Activio AS

Terence,

do a search for "php coding standard" in Google and you'll find
documents describing coding guidelines suitable for projects.

---

Geir Pedersen
http://www.activio.com/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Example of good PHP coding

2004-03-23 Thread Filip de Waard
On Mar 24, 2004, at 6:43 AM, Terence wrote:

Hi All,

Apologies if this has been asked before, but can someone out there 
point out
an example of good PHP coding in an open source application?
I am currently looking at:
PHPNuke
Mambo

(the most recent versions).

Can these two pieces of software be considered good PHP coding 
practice and
serve as an example on how to write PHP *in general*?
No. Especially PHP Nuke is famous because of its many (security 
related) bugs and Mambo isn't perfect either. It is a very bad idea to 
use them, let alone learn PHP out of them.

You could take a look at the PEAR classes: http://pear.php.net

Regards,

Filip de Waard



[PHP] Session variables as array

2004-03-23 Thread Joseph Ross Lee
Hello... Is there any example that I can look at that does a session
variable as an array? thanks




[PHP] Example of good PHP coding

2004-03-23 Thread Terence
Hi All,

Apologies if this has been asked before, but can someone out there point out
an example of good PHP coding in an open source application?
I am currently looking at:
PHPNuke
Mambo

(the most recent versions).

Can these two pieces of software be considered good PHP coding practice and
serve as an example on how to write PHP *in general*?

Thanks for any advice,

Terence




Re: [PHP] session.bug_compat_42

2004-03-23 Thread James E Hicks III
Thanks to all who helped, I think I got it figured out now. 

James Hicks



On Tuesday 23 March 2004 12:11 pm, Rasmus Lerdorf wrote:
> This has nothing to do with the browser.  Instead of using
> session_register("last_time") and setting $last_time, do this:
>
>   $_SESSION['last_time'] = time();
>
> It's shorter and it will make the warning go away.
>
> -Rasmus
>
> On Tue, 23 Mar 2004, James E Hicks III wrote:
> > What does the code look like that is causing this error? I know I can
> > turn the error off but how do I fix the code that is causing it?
> >
> > Warning: Unknown(): Your script possibly relies on a session side-effect
> > which existed until PHP 4.2.3. Please be advised that the session
> > extension does not consider global variables as a source of data, unless
> > register_globals is enabled. You can disable this functionality and this
> > warning by setting session.bug_compat_42 or session.bug_compat_warn to
> > off, respectively. in Unknown on line 0
> >
> > It only seems to appear when viewed using MSIE, Konqueror and Mozilla do
> > not display this error, why?
> >
> > Here is some example code that I am using.
> > <?php
> > if (!session_is_registered('U_SI')) {
> > #do some stuff.
> > }
> > session_register("last_time");
> > $last_time = time();
> > echo $_SESSION['last_time'];
> > ?>
> >
> > Here are some settings from php.ini from the server that is giving the
> > error.
> >
> > /etc/php4/php.ini
> >
> > register_globals = Off
> > [Session]
> > session.save_handler = files
> > session.save_path = /tmp
> > session.use_cookies = 1
> > session.name = PHPSESSID
> > session.auto_start = 1
> > session.cookie_lifetime = 0
> > session.cookie_path = /
> > session.cookie_domain =
> > session.serialize_handler = php
> > session.gc_probability = 1
> > session.gc_divisor = 100
> > session.gc_maxlifetime = 1440
> > session.bug_compat_42 = 1
> > session.bug_compat_warn = 1
> > session.referer_check =
> > session.entropy_length = 0
> > session.entropy_file =
> > session.cache_limiter = nocache
> > session.cache_expire = 180
> > session.use_trans_sid = 0
> > url_rewriter.tags =
> > "a=href,area=href,frame=src,input=src,form=,fieldset="
> >
> >
> > PHP 4.3.2 (cli) (built: Aug 12 2003 14:25:22)
> > Copyright (c) 1997-2003 The PHP Group
> > Zend Engine v1.3.0, Copyright (c) 1998-2003 Zend Technologies
> > with Turck MMCache v2.3.20, Copyright (c) 2002-2003 TurckSoft, St.
> > Petersburg, by Dmitry Stogov
> >
> >
> > James Hicks
> >



Re: [PHP] login scripts not secure?? help!

2004-03-23 Thread Pushpinder Singh
I am using PHP with register_globals ON... since I don't have access to  
the host environment.

The way I use sessions is:

session_start();

 do some database connection and checking here.

   if (condition is met) {
 $_SESSION['valid_user'] = $_POST['login'];
  }
Is this approach safe ?? Pl let me know. Also I use if  
(isset($_SESSION['valid_user'] ) ) to check if the user is logged in on  
secure pages.
Please comment.

Thanks in advance
Pushpinder Singh
___
Web Dev
On Tuesday, March 23, 2004, at 08:56 AM, Red Wingate wrote:

hi,

securepage.php?_SESSION[username]=admin&_SESSION[pwd]=password

would not register 'username' and 'pwd' to the $_SESSION array but
to the $_GET and $_REQUEST-Array like:
   $_GET['_SESSION']['username'] => 'admin'

There is no way to inject any kind of data to the super-global Arrays  
at all

Hope this helps,
   red
On Tuesday, 23 March 2004 14:45, Andy B wrote:
hi

in an attempt to create a login system for site administrators on a  
website
i come into the following problem that bothers me because i cant find  
any
way to fix it.

problem:
most login scripts/systems i look at for examples on how to make a  
login
section from sessions (allow the administrator to go between login  
required
pages and also be able to go to public pages) without having to login  
again
(the only way an administrator has to "login again" is if they close  
the
browser on that site)...

i run into the deal where most login scripts check to see if
$_SESSION[username] or a $_SESSION var has been set or is valid.  i  
noticed
this could be a very bad thing because there is nothing stopping an  
outside
link from doing something like: 
href="securepage.php?_SESSION[username]=admin&_SESSION[pwd]=password"> 
go to
secure page and being valid (that is if they manage to hack the
user/pwd)...

any ideas how to create such a system?

any ways around that?? i need a system that will not do that
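Andy asks how to build a login that cannot be satisfied from the outside, and Pushpinder asks whether setting $_SESSION['valid_user'] after a check is enough. The following is an added example, not code from anyone in the thread: a login that writes to $_SESSION only after the credential check passes, regenerates the session ID at that point, and a guard for protected pages. It assumes PHP 7 or later; the user table and password are constructed for the demo, and a real one would live in the database.

```php
<?php
// Added example, not code from the thread. The user's state lives only in $_SESSION:
// nothing a client puts in the query string ("?_SESSION[...]=") lands there, because
// the only write to $_SESSION happens after the credential check below.
// Assumes PHP >= 7.0; the user table and password are constructed for the demo.

function session_boot() {
    // Accept the session ID from the cookie only, reject IDs the server never issued,
    // and keep the cookie away from scripts. All three must be set before session_start().
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    ini_set('session.cookie_httponly', '1');
    session_start();
}

// Constructed user table; a real one lives in the database and stores only the hash.
function user_table() {
    static $users = null;
    if ($users === null) {
        $users = array('alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT));
    }
    return $users;
}

function check_credentials($login, $password) {
    $users = user_table();
    return isset($users[$login]) && password_verify($password, $users[$login]);
}

// Returns true and marks the session as authenticated only when the check passes.
function login(array $post) {
    $login    = isset($post['login'])    ? (string)$post['login']    : '';
    $password = isset($post['password']) ? (string)$post['password'] : '';
    if (!check_credentials($login, $password)) {
        return false;
    }
    // Issue a fresh session ID at the privilege change, so an ID an attacker arranged
    // for the victim to carry before login (session fixation) is not the one now logged in.
    session_regenerate_id(true);
    $_SESSION = array();                 // discard whatever the anonymous session held
    $_SESSION['valid_user'] = $login;
    $_SESSION['login_time'] = time();
    return true;
}

// Call at the top of every protected page; returns the user name.
function require_login($login_url = '/login.php') {
    if (empty($_SESSION['valid_user'])) {
        header('Location: ' . $login_url, true, 303);
        exit;
    }
    return $_SESSION['valid_user'];
}

function logout() {
    $_SESSION = array();
    session_destroy();
}

// login.php would do this:
session_boot();
if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST') {
    if (login($_POST)) {
        header('Location: /secure.php', true, 303);
        exit;
    }
    echo 'Login failed';
}
```

Because the guard reads $_SESSION and nothing else, it does not depend on register_globals being off; the remaining exposure with register_globals on is any page that tests a plain global such as $valid_user instead of $_SESSION['valid_user'], since a request variable of that name would create it.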


RE: [PHP] $_POST not working with str_replace

2004-03-23 Thread PHP Email List


> -Original Message-
> From: John W. Holmes [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, March 23, 2004 7:59 PM
>
> Like someone else said, you need to whittle your code down to a minimum
> and do a lot of variable checking along the way. Slowly add code back
> until you find what's causing the problem. There's no reason using $_GET
> over $_POST should matter, since you're assigning it to a holding
> variable, anyhow. What version of PHP are you using?


Alright I'll try it from start, but again, it doesn't make any sense when
all I'm doing is changing the action="GET" to action="POST" and on the
script side, changing all my $_GET['items'] to $_POST['items'].  I'm just
wondering if the RTF format is being screwed up cuz it can't "read" the
variables from the URL like you do with GET.  I don't know just guessing,
but from my experience GET/POST are interchangeable as long as everything in
my GET form is received with $_GET['something'].

I let everyone know what I come up with. I'm hoping it's something stupid
and little like missing punctuation or some easy parse error that maybe
isn't showing up under the rtf conversion.

Thanks
Wolf

PS, "this reply better Chris?" :)




Re: [PHP] RE:[PHP] session_register vs. $_SESSION superglobal

2004-03-23 Thread Pushpinder Singh
I am using PHP with register_globals ON... since I don't have access to 
the host environment.

The way I use sessions is:

session_start();

 do some database connection and checking here.

   if (condition is met) {
 $_SESSION['valid_user'] = $_POST['login'];
  }
Is this approach safe ?? Pl let me know. Also I use if 
(isset($_SESSION['valid_user'] ) ) to check if the user is logged in on 
secure pages.
Please comment.

Thanks in advance
Pushpinder Singh
___
Web Dev


On Tuesday, March 23, 2004, at 10:38 AM, Andy B wrote:

first $_SESSION works like this:

session_start();
$_SESSION['user'] = $_POST['user']; // if using register_globals=off
$_SESSION['user'] = $user;          // if register_globals=on..unsafe though


[PHP] Local sysadmin DFW needed

2004-03-23 Thread Frank Tudor
Hi folks,

Sorry for the interruption.

I'm looking for a part time sysadmin in the DFW area.

If anyone wants to pick up some hours drop me your resume.

Here is what I need, someone who can do:

Redhat, PHP, Mysql, Perl, sendmail, creating and maintaining users and
permissions, virtual hosts, samba, round robin or hot backup server setup,
dns, running backups to our dlt drive, and maintaining raid on compaq (4U)
servers.

SSL certs and online payment processing tool experience helpful! 

also creating and printing forms via php/fpdf would be useful.

we are colocating soon and need someone hands on for the transition.

Our group is: one programmer, one designer(me), one boss.

So let me know or pass on the good word to friends, pay is $20 an hour
(contract) max 5 to 10 hours a week. This could translate into something
more permanent and more hours.

We are a good group and friendly we are also deadline oriented/success
driven.  

Thanks,
Frank




Re: [PHP] $_POST not working with str_replace

2004-03-23 Thread John W. Holmes
PHP Email List wrote:

Ok I tried the print_r($_POST) and received...

Array ( [FNAME] => test [LNAME] => t [ADDRESS] => t [CITY] => t [STATE] => t
[ZIP] => t [DATE] => t [PARAGRAPH1]=> t [PARAGRAPH2] => t [FROM] => t
[SUBMIT] => TEST ME )
So the array isn't empty for my post. Obviously the values don't matter for
this array, but the array is still not being brought into the str_replace
function.  Is it possible that str_replace requires "GET" opposed to "POST"
for it to work? This is becoming very odd! Possible bug? I hate throwing
that out there but it doesn't make sense why one would work and the other
wouldn't since all any of them are doing is holding "strings".  Any other
ideas?
Like someone else said, you need to whittle your code down to a minimum 
and do a lot of variable checking along the way. Slowly add code back 
until you find what's causing the problem. There's no reason using $_GET 
over $_POST should matter, since you're assigning it to a holding 
variable, anyhow. What version of PHP are you using?

--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals – www.phparch.com



RE: [PHP] something like __URL__ (analogous to __FILE__)

2004-03-23 Thread motorpsychkill


> -Original Message-
> From: Chris W. Parker [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, March 23, 2004 5:03 PM
> To: Evan Nemerson; motorpsychkill; Php General List
> Subject: RE: [PHP] something like __URL__ (analogous to __FILE__)
> 
> 
> Evan Nemerson 
> on Tuesday, March 23, 2004 5:00 PM said:
> 
> > Take a look at $_SERVER['REQUEST_URI']
> 
> the problem with that is that the value REQUEST_URI will contain is that
> of the page in the address bar (i think) and not the location of an
> included file (which is what i took the op to want).
> 
> for example, config.php is likely not a file someone access directly,
> yet the op still wants that files URI.
> 
> 
> chris.

You've interpreted my question correctly Chris, thanks for the suggestion.

-m




RE: [PHP] something like __URL__ (analogous to __FILE__)

2004-03-23 Thread Chris W. Parker
Evan Nemerson 
on Tuesday, March 23, 2004 5:00 PM said:

> Take a look at $_SERVER['REQUEST_URI']

the problem with that is that the value REQUEST_URI will contain is that
of the page in the address bar (i think) and not the location of an
included file (which is what i took the op to want).

for example, config.php is likely not a file someone access directly,
yet the op still wants that files URI.


chris.




RE: [PHP] something like __URL__ (analogous to __FILE__)

2004-03-23 Thread Chris W. Parker
motorpsychkill 
on Tuesday, March 23, 2004 4:51 PM said:

> So no matter what file I use (like rabbits.php) and I include
> config.php, CONFIG_FILE_URL will always return the url for the config
> file and NOT the file doing the calling (rabbits.php).

hmm... the only thing i can think of is to build it myself.

<?php
function file_url($file) {
  // base URL and the directory it is served from (backslashes escaped for PHP)
  $url_base = "http://localhost/";
  $server_base = "c:\\htdocs\\";

  // swap the directory prefix for the URL prefix, then use URL-style separators
  return str_replace("\\", "/", str_replace($server_base, $url_base, $file));
}

echo file_url(__FILE__);

?>

untested but i think you get the picture.



chris.

p.s. i would define $url_base and $server_base within a constants file
that is included somewhere.

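Chris's file_url() hard-codes both prefixes and will happily produce a URL for a file that is not under the web tree at all. As an added example (not Chris's code or anything from the thread), here is the same idea driven by $_SERVER['DOCUMENT_ROOT'], with the path normalised through realpath() and a prefix check so an include from outside the document root yields null instead of a bogus URL. SITE_BASE_URL is a constructed configuration value; the CLI fallback for the document root exists only so the function can be run by hand.

```php
<?php
// Added example, not Chris's code: maps a filesystem path to the URL it is served
// under without hard-coding the two prefixes. SITE_BASE_URL is a constructed
// configuration value; $_SERVER['DOCUMENT_ROOT'] is what Apache sets for the vhost
// (the CLI fallback below stands in for it so the function can be run by hand).

define('SITE_BASE_URL', 'http://localhost');   // constructed; from a config file in practice

// URL path ("/project_bunny/includes/config.php") for $file, or null when the file does
// not exist or lies outside $docroot (an include from outside the web tree has no URL).
function url_path_for_file($file, $docroot) {
    $real_file = realpath($file);
    $real_root = realpath($docroot);
    if ($real_file === false || $real_root === false) {
        return null;
    }
    $real_root = rtrim($real_root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // Prefix test on normalised paths with a trailing separator, so that
    // "c:\htdocs_private\x.php" is not treated as being inside "c:\htdocs".
    // Windows paths compare case-insensitively, Unix paths do not.
    $cmp = (DIRECTORY_SEPARATOR === '\\') ? 'strncasecmp' : 'strncmp';
    if ($cmp($real_file, $real_root, strlen($real_root)) !== 0) {
        return null;
    }
    $relative = substr($real_file, strlen($real_root));
    $segments = explode(DIRECTORY_SEPARATOR, $relative);
    return '/' . implode('/', array_map('rawurlencode', $segments));
}

// Full URL for $file, e.g. file_url(__FILE__) inside config.php.
function file_url($file) {
    $docroot = isset($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : dirname(__FILE__);
    $path = url_path_for_file($file, $docroot);
    return ($path === null) ? null : SITE_BASE_URL . $path;
}

// Hand-run check under the CLI: this script sits in the fallback document root, so it
// gets a URL; its parent directory is outside that root, so it gets null.
if (PHP_SAPI === 'cli') {
    var_dump(file_url(__FILE__));
    var_dump(file_url(dirname(dirname(__FILE__))));
}
```

The base URL is taken from configuration rather than from $_SERVER['HTTP_HOST'] on purpose: the Host header is supplied by the client, and a URL built from it ends up wherever the client says.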



Re: [PHP] something like __URL__ (analogous to __FILE__)

2004-03-23 Thread Evan Nemerson
Take a look at $_SERVER['REQUEST_URI']


On Tuesday 23 March 2004 04:50 pm, motorpsychkill wrote:
> This is tricky to explain, so bear with me please.  I have a file like:
>
> c:\htdocs\project_bunny\includes\config.php
>
> In my browser address bar, this would look like:
>
> http://localhost/project_bunny/includes/config.php
>
>
>
>
> If within this document (i.e. config.php), I had:
>
> <?php //config.php
>
> define("CONFIG_FILE", __FILE__);
>
> echo CONFIG_FILE; //this will return
> "c:\htdocs\project_bunny\includes\config.php"
>
> ?>
>
> Now, if I have another file (e.g. rabbits.php):
>
> <?php //rabbits.php
>
> include("config.php");
>
> echo CONFIG_FILE; //this will also return
> "c:\htdocs\project_bunny\includes\config.php"
>
> ?>
>
> This is all great up to this point.  What I'm trying to do is:
>
> <?php //config.php
>
> define("CONFIG_FILE_URL", __URL__);
>
> echo CONFIG_FILE_URL; //would return
> "http://localhost/project_bunny/includes/config.php";
>
> ?>
>
> So no matter what file I use (like rabbits.php) and I include config.php,
> CONFIG_FILE_URL will always return the url for the config file and NOT the
> file doing the calling (rabbits.php).
>
> Sorry for the longwinded explanation.  I hope someone can help!  Thank you.
>
> -m

-- 
Evan Nemerson
[EMAIL PROTECTED]
http://coeusgroup.com/en

--
"There is a certain right by which we may deprive a man of life, but none by 
which we may deprive him of death."

-Nietzsche




Re: [PHP] Re: Domain & Sub-domain Handling with PHP

2004-03-23 Thread Galen
Yeah, I'm aware PHP doesn't do DNS stuff, at least not directly. But I 
am curious as to how people handle subdomains. The 404 error seems like 
an interesting option, how does anyone else handle this?

-Galen

On Mar 23, 2004, at 10:58 AM, Justin Patrin wrote:

Galen wrote:

Hi,
I've done loads and loads with PHP and MySQL and stuff like that... 
but never had to really deal with actually creating new domains and 
subdomains with PHP. Especially with subdomains, I've seen lots of 
sites create subdomains automatically.
What is the "best" technique for doing all this (if there is one)? 
I'm sure I could hack something together (I always have) but I'd 
really like the "best" way - cleanest, fastest, whatever the 
technique may be.
Thanks,
Galen
You're confusing a couple of concepts I think. PHP cannot create 
subdomains and such (unless you alter your DNS records with PHP, but I 
don't think that's what you're talking about.)

Some other people have suggested having your DNS set up to resolve all 
sub-domains to your main web server, then using a custom 404 script 
(or index on the site) to look at the requested URL and redirect 
accordingly.

--
paperCrane 
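Justin describes the usual arrangement: wildcard DNS sends every subdomain to one web server and a script looks at the requested host to decide what to serve. As an added example (not from the thread), here is that dispatch step. The Host header is client-supplied input, so the label is validated against the DNS label grammar and looked up in a server-side list before anything is done with it; unknown labels get a 404. example.com and the account table are constructed.

```php
<?php
// Added example (not from the thread). Assumes wildcard DNS (*.example.com) and the web
// server's default vhost both point at this script. BASE_DOMAIN and $ACCOUNTS are
// constructed for the demo; the account lookup would be a database query in practice.

define('BASE_DOMAIN', 'example.com');

$ACCOUNTS = array('alice' => 1, 'bob' => 2);

// The subdomain label requested, or null unless the host is "<label>.example.com" with a
// well-formed label. The Host header is attacker-controlled: validate, never trust.
function requested_subdomain($host, $base_domain) {
    $host = strtolower($host);
    $host = preg_replace('/:\d+$/', '', $host);            // drop an explicit port
    $suffix = '.' . $base_domain;
    if (substr($host, -strlen($suffix)) !== $suffix) {
        return null;                                        // not under our domain at all
    }
    $label = substr($host, 0, -strlen($suffix));
    // Exactly one DNS label: letters, digits, hyphens; 1-63 chars; no edge hyphen.
    if (!preg_match('/^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/', $label)) {
        return null;
    }
    return $label;
}

// Returns array(http_status, target): the main site, an account id, or a 404.
function route_subdomain($host, array $accounts, $base_domain) {
    $label = requested_subdomain($host, $base_domain);
    if ($label === null || $label === 'www') {
        return array(200, 'main');
    }
    if (!isset($accounts[$label])) {
        return array(404, null);
    }
    return array(200, $accounts[$label]);
}

if (PHP_SAPI === 'cli') {
    // Constructed hosts to exercise the routing by hand.
    $samples = array('alice.example.com', 'Bob.Example.com:8080', 'nobody.example.com',
                     'alice.example.com.evil.net', 'a..example.com', 'www.example.com');
    foreach ($samples as $h) {
        list($status, $target) = route_subdomain($h, $ACCOUNTS, BASE_DOMAIN);
        printf("%-30s -> %d %s\n", $h, $status, var_export($target, true));
    }
} else {
    $host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
    list($status, $target) = route_subdomain($host, $ACCOUNTS, BASE_DOMAIN);
    if ($status === 404) {
        header('HTTP/1.0 404 Not Found');
        echo 'No such site';
        exit;
    }
    // hand off to the main site or to account $target
}
```

Validating the label before the lookup matters even when the lookup is a parameterised query: the label tends to be reused later in file paths, log lines and generated HTML, and a strict grammar here keeps those downstream uses simple.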


[PHP] something like __URL__ (analogous to __FILE__)

2004-03-23 Thread motorpsychkill
This is tricky to explain, so bear with me please.  I have a file like:

c:\htdocs\project_bunny\includes\config.php

In my browser address bar, this would look like:

http://localhost/project_bunny/includes/config.php




If within this document (i.e. config.php), I had:

<?php //config.php

define("CONFIG_FILE", __FILE__);

echo CONFIG_FILE; //this will return "c:\htdocs\project_bunny\includes\config.php"

?>

Now, if I have another file (e.g. rabbits.php):

<?php //rabbits.php

include("config.php");

echo CONFIG_FILE; //this will also return "c:\htdocs\project_bunny\includes\config.php"

?>

This is all great up to this point.  What I'm trying to do is:

<?php //config.php

define("CONFIG_FILE_URL", __URL__);

echo CONFIG_FILE_URL; //would return "http://localhost/project_bunny/includes/config.php"

?>

So no matter what file I use (like rabbits.php) and I include config.php,
CONFIG_FILE_URL will always return the url for the config file and NOT the
file doing the calling (rabbits.php).

Sorry for the longwinded explanation.  I hope someone can help!  Thank you.

-m




[PHP] another "everyone getting this?" post!

2004-03-23 Thread Chris W. Parker
ok hi.

just today i started getting a message from:

[IM_T-EXCH] Panda Antivirus for Exchange Server
[EMAIL PROTECTED]

...stating that my messages have been deleted. is this happening to
everyone or am i sending out a virus all of a sudden?



thanks!
chris.

p.s. no facts please! just theories! and they have to be wrong! oh also,
please everyone laugh at me. i enjoy it. :(


;)




RE: [PHP] $_POST not working with str_replace

2004-03-23 Thread Chris W. Parker
PHP Email List 
on Tuesday, March 23, 2004 4:13 PM said:

> I tried that, but I know I can get the values from the $_POST array
> as per John's email about using print_r($_POST) to see what was
> showing. And yes I get the value I wanted in between the :: ::.

hhhm!!! very strange.

have you tried making a simple test page that cuts out everything except
for the operations in question?



chris.

p.s. please quote your replies as your emails are sometimes very
difficult to follow. (there's a reason people do it. ;)




RE: [PHP] $_POST not working with str_replace

2004-03-23 Thread PHP Email List
what happens if you do the following?

>", $name, $output);

?>

??

I tried that, but I know I can get the values from the $_POST array as per
John's email about using print_r($_POST) to see what was showing. And yes I
get the value I wanted in between the :: ::.

Thanks for trying though,

Anyone else have any ideas on this problem?
Thanks!
Wolf




Re: [PHP] Clearing Post Data with IE

2004-03-23 Thread Chris Thomas
I tried using the Header('location: ') but it seems the posted data
follows the redirection
Im going from my main page to a processing page then back to my main page.
i printed $_POST on the main page and it still has the values that were
originally posted to the
processing page.  Also after the redirection the address in the address bar
is that of the processing page

Here is some code to help explain:

--index.php
print_r($_POST);
...
echo "<form method=\"post\" action=\"poll.php\">";
echo "<input type=\"hidden\" name=\"poll_id\" value=\"$poll->id\">\n";
echo "<input type=\"hidden\" name=\"calling\" value=\"index.php\">\n";
foreach($poll->choices as $id => $choice) {
echo "<input type=\"radio\" name=\"poll_choice\" value=\"$choice->id\">$choice->choice<br>\n";
}
echo "<input type=\"submit\" value=\"Vote\">";
echo "</form>";


--poll.php
$poll_id = $_POST['poll_id'];
$poll_choice = $_POST['poll_choice'];
$calling = $_POST['calling'];    // redirect target comes from the submitted form

if (isset($poll_id)) {
unset($_POST);                   // only clears this request's copy; the browser is unaffected
Header("Location: $calling");    // relative target, as posted by the client
exit();
}


When poll.php loads up index.php the Posted data is still there.

Chris


"Chris Boget" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> > Is there a way to get it so that i can clear _post and get it so they
> arent
> > in the header??
>
> After you've finished all of the processing, just do:
>
> header( 'location: ' . $_SERVER['PHP_SELF'] );
> exit();
>
> Chris

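Chris Boget's advice is the Post/Redirect/Get pattern: process the POST, then send the browser to fetch the result page with GET. The following is an added example of poll.php written that way; it is not Chris Thomas's code. Two things differ from the posted version: the redirect target is chosen from a server-side list by token, so the "calling" field cannot send the browser anywhere else, and the Location header carries an absolute URL with a 303 status. It assumes index.php and poll.php at the site root, a hypothetical record_vote() for storage, and a constructed SITE_HOST value.

```php
<?php
// poll.php -- added example of Post/Redirect/Get, not Chris Thomas's code. Assumes
// index.php and poll.php at the site root and a hypothetical record_vote() for storage;
// SITE_HOST is a constructed configuration value.

define('SITE_HOST', 'www.example.com');   // constructed; configured, not read from the request

// Pages the form may ask to return to, by token. The path itself never comes from the
// client, so a forged "calling" value cannot turn the redirect into an open redirect.
$RETURN_PAGES = array('index' => '/index.php', 'results' => '/results.php');

function return_path($token, array $allowed) {
    return isset($allowed[$token]) ? $allowed[$token] : $allowed['index'];
}

function absolute_url($path) {
    // HTTP/1.1 as specified in RFC 2616 requires an absolute URI in Location; building
    // it from a configured host also keeps a forged Host header out of the redirect.
    $scheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
    return $scheme . '://' . SITE_HOST . $path;
}

function record_vote($poll_id, $choice) {
    // hypothetical persistence step: write the vote to the database
}

// Validates the submission, stores it, and returns the page to send the browser to
// (null when nothing valid was posted, so the caller can re-show the form).
function handle_vote(array $post, array $allowed) {
    $poll_id = isset($post['poll_id'])     ? (int)$post['poll_id']     : 0;
    $choice  = isset($post['poll_choice']) ? (int)$post['poll_choice'] : 0;
    if ($poll_id <= 0 || $choice <= 0) {
        return null;
    }
    record_vote($poll_id, $choice);
    $token = isset($post['calling']) ? (string)$post['calling'] : 'index';
    return return_path($token, $allowed);
}

if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $path = handle_vote($_POST, $RETURN_PAGES);
    if ($path !== null) {
        // 303 See Other: the browser fetches the target with GET, so index.php arrives
        // with an empty $_POST and a reload there cannot re-submit the vote.
        header('Location: ' . absolute_url($path), true, 303);
        exit;
    }
}
// fall through: render the form (or an error) for a GET or an invalid POST
```

The matching hidden field in index.php is <input type="hidden" name="calling" value="index">. unset($_POST) on the processing page has no effect on what the browser sends next; only the redirect changes that.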



RE: [PHP] string concatenation

2004-03-23 Thread Chris W. Parker
Matthew Oatham 
on Tuesday, March 23, 2004 3:59 PM said:

> Hi,

hi.

> What is the correct way, using php to join to strings, vars or other
> wise. 

[snip]

> i.e. how do I join
> 
> $string1 = "hello";
> $string2 = "world";
> 
> do i do
> 
> $string1 . $string2;

[snip]

> Is that correct?

that's correct except that the result won't go anywhere (but maybe you
already knew this?).

$string3 = $string1.$string2;



chris.




[PHP] string concatenation

2004-03-23 Thread Matthew Oatham
Hi, 

What is the correct way, using php, to join two strings, vars or otherwise?

i.e. how do I join

$string1 = "hello";
$string2 = "world";

do i do

$string1 . $string2;

and what about ..

$string2 = $string1 . "world";

Is that correct?



Re: [PHP] Re: Null Variables after session_register() ( Radio Inputs Problem )

2004-03-23 Thread gohaku
Thanks.
Below is what I changed to session.php.
Are there any possible problems with my changes?

On Mar 23, 2004, at 4:28 PM, Justin Patrin wrote:







RE: [PHP] $_POST not working with str_replace

2004-03-23 Thread Chris W. Parker
PHP Email List 
on Tuesday, March 23, 2004 3:08 PM said:

> This is becoming very odd!
> Possible bug? I hate throwing that out there but it doesn't make
> sense why one would work and the other wouldn't since all any of them
> are doing is holding "strings".  Any other ideas?

sorry, jumping in late. hopefully this hasn't already been covered.

using some code from a previous email:

>> why. [snip] $name = $_POST['FNAME'];
> [snip]
>> $output = str_replace("<>",$name,$output);

what happens if you do the following?

>", $name, $output);

?>

??

Do you get the expected value between the two ::'s? If you aren't getting
what you're expecting that's where your problem is. If the contrary is
true, I have no idea. ;)


chris.

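Chris suggests a cut-down page that does only the str_replace step. As an added example (not code from anyone in the thread), here is that step on its own: a template-filling function that accepts whichever request array you hand it, so the same call can be tried with $_GET and $_POST, and that escapes the values for RTF, since backslash and braces are RTF syntax and a form value containing them would otherwise alter the document's structure. The <<NAME>> token format, the field list, the template and the sample submission are constructed.

```php
<?php
// Added example, not code from the thread. rtf.php in the thread swaps placeholder
// tokens in an RTF file for form values; this is that step on its own, source-agnostic
// (pass $_GET or $_POST), with the values escaped for RTF. The <<NAME>> token format,
// the field names, the template and the sample submission are constructed.

$FIELDS = array('FNAME', 'LNAME', 'ADDRESS', 'CITY', 'STATE', 'ZIP');

// Backslash and braces are RTF syntax: left unescaped, a form value such as "}\par{"
// would close the current group and start control words instead of printing as text.
function rtf_escape($value) {
    $value = str_replace(array('\\', '{', '}'), array('\\\\', '\\{', '\\}'), $value);
    return str_replace(array("\r\n", "\n", "\r"), '\\line ', $value);
}

// Replace every <<NAME>> in $template with the escaped value from $input; a field that
// was not submitted becomes empty text rather than a leftover token.
function fill_template($template, array $input, array $fields) {
    $search = $replace = array();
    foreach ($fields as $name) {
        $search[]  = '<<' . $name . '>>';
        $replace[] = isset($input[$name]) ? rtf_escape((string)$input[$name]) : '';
    }
    return str_replace($search, $replace, $template);
}

// Constructed template and submission (same shape as the print_r($_POST) output in the thread).
$template = '{\rtf1\ansi Dear <<FNAME>> <<LNAME>>,\par <<ADDRESS>>, <<CITY>> <<STATE>> <<ZIP>>\par}';
$submitted = array('FNAME' => 'test', 'LNAME' => 't', 'ADDRESS' => 'C:\docs{1}', 'CITY' => 't',
                   'STATE' => 't', 'ZIP' => 't', 'SUBMIT' => 'TEST ME');

// Same call for either request method: the source array is all that differs.
$input = (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST')
       ? $_POST : $submitted;
echo fill_template($template, $input, $FIELDS), "\n";
```

If this runs correctly with the constructed array but not with $_POST, the difference is in what reaches the script, which is where print_r($_POST) at the very top of the file, before any include, tells you the most.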



[PHP] REGISTER_GLOBALS set to off and other issues

2004-03-23 Thread Alisa Davis
I have REGISTER_GLOBALS set to off. I have read and read, but cannot figure out what I 
need to do code wise to keep from getting the following message:

Warning: Unknown(): Your script possibly relies on a session side-effect which existed 
until PHP 4.2.3. Please be advised that the session extension does not consider global 
variables as a source of data, unless register_globals is enabled. You can disable 
this functionality and this warning by setting session.bug_compat_42 or 
session.bug_compat_warn to off, respectively. in Unknown on line 0

We upgrade from 4.1.1 about a month ago and since then several things are now broken. 
I need to know how to code around this problem so I don't get this WARNING.

I am also having another problem since the upgrade. This seems to be a javascript 
problem, but it's weird that it's happened on two different servers just after a PHP 
upgrade. 

I have static page tops and bottoms that I call with an include for each page. 
Currently, I have all the javascripts that I use for my entire site in the header:

 etc...

If use script1.js on page 1 but don't use script2.js, then I get a javascript error on 
script1.js. The reason I know this is that if I strip out all but what is essential to 
page 1, then the javascript runs error free, but if not, I get errors. 

I don't know if this is a php problem or not, but like I said above, I do know it 
started with the upgrades. I can deal with this though, because I know how to fix it. 
It will just take a while.

This is a school site and they are on spring break right now. I have until Monday 
3/29/2004 to get this fixed. The school's website, which includes homework 
assignments, lunch menu, etc... will be dead in the water until I do.


--
Thanks,
Alisa Davis - Madison Academy webmaster
--

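Alisa's warning is the same one James Hicks hit in the session.bug_compat_42 thread, where Rasmus's answer was to assign to $_SESSION directly instead of calling session_register(). The following is an added example (not code from any of the posts) that shows the replacement in one script and, since Joseph asked for one, stores and updates a nested array in the session. It works on PHP 4.1 and later; the cart layout and item IDs are constructed.

```php
<?php
// Added example, not code from any of the posts. The warning quoted in both threads is
// raised when a script calls session_register() (or relies on a global variable sharing
// a session key's name) while register_globals is off; writing to $_SESSION directly is
// the fix, and the same array holds nested arrays. Cart layout and item IDs are constructed.

session_start();

// Before (triggers "relies on a session side-effect" with register_globals = Off):
//     session_register("last_time");
//     $last_time = time();
// After: the session array is the only place the value lives.
$_SESSION['last_time'] = time();

// Replacement for session_is_registered('U_SI'):
$logged_in = isset($_SESSION['U_SI']);

// Anything serialize() handles can be stored, including arrays of arrays.
if (!isset($_SESSION['cart']) || !is_array($_SESSION['cart'])) {
    $_SESSION['cart'] = array();
}

// Add or increment an item. The ID is validated first: a tampered form value must not
// create arbitrary keys in server-side state.
function cart_add($item_id, $qty = 1) {
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $item_id) || (int)$qty <= 0) {
        return false;
    }
    if (!isset($_SESSION['cart'][$item_id])) {
        $_SESSION['cart'][$item_id] = 0;
    }
    $_SESSION['cart'][$item_id] += (int)$qty;
    return true;
}

// Remove one item: unset() the key, never session_unregister().
function cart_remove($item_id) {
    unset($_SESSION['cart'][$item_id]);
}

function cart_total_items() {
    return array_sum($_SESSION['cart']);
}

// Every request that calls session_start() sees the same array again.
cart_add('sku-1001', 2);
cart_add('sku-2002');
cart_add('bad key!');                  // rejected by the ID check
cart_remove('sku-2002');
printf("%d items in %d lines, logged in: %s\n",
       cart_total_items(), count($_SESSION['cart']), $logged_in ? 'yes' : 'no');
```

Once no script calls session_register(), session_is_registered() or session_unregister(), session.bug_compat_42 and session.bug_compat_warn can be left at their defaults; the warning simply has nothing left to fire on.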



RE: [PHP] $_POST not working with str_replace

2004-03-23 Thread PHP Email List
PHP Email List wrote:

> Ok here's my problem, I'm in the midst of creating a string replace to
work
> on an rtf file that is on the server, this functionality works perfectly with
> "GET" but not "POST", I guess I don't understand why.
[snip]
> $name = $_POST['FNAME'];
[snip]
> $output = str_replace("<>",$name,$output);

There's no reason why something would work with $_GET['FNAME'] and not
with $_POST['FNAME'], so I can understand why you're confused. Are you
sure there are even any values in $_POST? Right at the beginning of
rtf.php, put a print_r($_POST) to see what the values are. If $_POST is
empty even when you put values in the form, then it must be an issue
with your web browser or server not allowing POST values (that would be
very odd, though).

::John,

Ok I tried the print_r($_POST) and received...

Array ( [FNAME] => test [LNAME] => t [ADDRESS] => t [CITY] => t [STATE] => t
[ZIP] => t [DATE] => t [PARAGRAPH1]=> t [PARAGRAPH2] => t [FROM] => t
[SUBMIT] => TEST ME )

So the array isn't empty for my post. Obviously the values don't matter for
this array, but the array is still not being brought into the str_replace
function.  Is it possible that str_replace requires "GET" opposed to "POST"
for it to work? This is becoming very odd! Possible bug? I hate throwing
that out there but it doesn't make sense why one would work and the other
wouldn't since all any of them are doing is holding "strings".  Any other
ideas?

Thanks,
Wolf




Re: [PHP] Storing encrypted data in a database with

2004-03-23 Thread Evan Nemerson
What version of mysql are you using? IIRC, there is support for AES in newer 
(4+?) versions. If I were you, I'd handle all the encryption and decryption 
in the database, if possible.

Yep, http://www.mysql.com/doc/en/Encryption_functions.html


On Tuesday 23 March 2004 02:04 pm, Jay Blanchard wrote:
> Good afternoon!
>
> I am storing some encrypted data using PHP to do the encryption and a MySQL
> database. I have encountered a couple of times where I get back a query
> syntax error.
>
> INSERT INTO `test`.`tblEncTest` (`encAlg`, `encMode`, `encIV`, `reqName`,
> `reqSSN`, `reqEMail`) VALUES ( 'blowfish', 'cbc', 'â3IÂÂ}ÃÃ', 'Ã ÃpÃ_9',
> 'âËkÃÂfÃÃ?QÂÃgÃÂ', '-â%ÂÂ+AÂÅÂÃR'âHXâÃÃÃppT ÃÃÃ7 
> GHÂÅÅÃÃÃ' )
>
> You have an error in your SQL syntax near 'HXâÃÃÃppT ÃÃÃ7 GHÂÅÅÃÃÃ' ) '
> at line 1
>
> Now, if you look closely you can see an additional single quote in
> ÃR'âHXâ. I cannot use addslashes() here can I? Or should I base64_encode
> each item and then decode on the way back out. Any thoughts would be
> appreciated.
>
> TVMIA!

-- 
Evan Nemerson
[EMAIL PROTECTED]
http://coeusgroup.com/en

--
"Only the other day, historically speaking, the 'holy inquisition' burned or 
silenced scientists. The discovery of the microscope and telescope, for 
instance, was delayed for a long time because the inventor, in fear of 
priestly persecution, was afraid to write his scientific discoveries in plain 
language. He had to write them in cipher- a fact discovered only a few years 
ago. Those afflicted with diseases can easily realize where our science in 
general, and medical science in particular, might be today if not for the 
holy zeal of powerful enemies of science who vehemently and ruthlessly 
sponsored ignorance, old s.r, and so disease."

-Alfred Korzybski




Re: [PHP] $_POST not working with str_replace

2004-03-23 Thread John W. Holmes
PHP Email List wrote:

Ok here's my problem, I'm in the midst of creating a string replace to work
on an rtf file that is on the server, this functionality works perfectly with
"GET" but not "POST", I guess I don't understand why.  
[snip]
$name = $_POST['FNAME'];
[snip]
$output = str_replace("<>",$name,$output);
There's no reason why something would work with $_GET['FNAME'] and not 
with $_POST['FNAME'], so I can understand why you're confused. Are you 
sure there are even any values in $_POST? Right at the beginning of 
rtf.php, put a print_r($_POST) to see what the values are. If $_POST is 
empty even when you put values in the form, then it must be an issue 
with your web browser or server not allowing POST values (that would be 
very odd, though).

--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals – www.phparch.com



Re: [PHP] Re: RE:[PHP] login scripts not secure?? help!

2004-03-23 Thread John W. Holmes
Scott Fletcher wrote:

Also remember to keep in mind, some users' browsers have cookies disabled.
Once that happens then it wouldn't work.
Very true. If that was the case, you'd have to maintain the session ID 
in every URL/form for the "private" area and also provide it in any URLs 
that go from the "public" area _back into_ the "private" area. You 
wouldn't need to maintain the session ID on every link that goes from 
public to public areas or private to public areas, though.

--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals – www.phparch.com



Re: [PHP] Storing encrypted data in a database with

2004-03-23 Thread John W. Holmes
Jay Blanchard wrote:

You have an error in your SQL syntax near 'HXâÃÃÃppT ÃÃÃ7 GHÂÅÅÃÃÃ' ) ' at line 1 

Now, if you look closely you can see an additional single quote in ÃR'âHXâ. I cannot use addslashes() here can I? Or should I base64_encode each item and then decode on the way back out. Any thoughts would be appreciated.
Yes, you still need to use addslashes() or mysql_escape_string() on the 
encrypted data string. It will not mess up the encryption. Encrypted or 
not, it's still a string and special characters need to be escaped.

--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals – www.phparch.com

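John's point is that ciphertext is just bytes, and any byte that is SQL syntax has to be escaped or kept out of the statement text altogether. The following added example (not Jay's or John's code) reproduces the failure with constructed ciphertext that contains a quote, then stores the same bytes two ways: bound as a parameter, and as base64 text. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; the table and sample bytes are constructed, and with the old mysql_* API the escaping equivalent of binding is mysql_real_escape_string().

```php
<?php
// Added example, not Jay's or John's code. Shows why raw ciphertext breaks the query and
// two ways to store it safely. Uses PDO with an in-memory SQLite database so it runs
// offline; the table and the sample ciphertext bytes are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tblEncTest (id INTEGER PRIMARY KEY, encAlg TEXT, encIV BLOB, reqName BLOB)');

// Constructed "ciphertext": arbitrary bytes, including a single quote, a NUL and 0xFF,
// exactly the kind of content a block cipher produces.
$iv         = "\x8a'\xffIV\x12";
$ciphertext = "\xe2\x9c\x80'\x01\x00\xfe\x27\x7f";

// 1. What the thread did: splice the bytes into the SQL text. The embedded quote ends the
//    literal early and the statement does not parse.
function insert_unescaped(PDO $db, $iv, $ct) {
    try {
        $db->exec("INSERT INTO tblEncTest (encAlg, encIV, reqName) VALUES ('blowfish', '$iv', '$ct')");
        return 'inserted';
    } catch (PDOException $e) {
        return 'failed: ' . $e->getMessage();
    }
}

// 2. Bind the value: the driver hands the bytes to the engine separately from the SQL
//    text, so quotes and NULs never reach the parser.
function insert_bound(PDO $db, $iv, $ct) {
    $stmt = $db->prepare('INSERT INTO tblEncTest (encAlg, encIV, reqName) VALUES (?, ?, ?)');
    $stmt->bindValue(1, 'blowfish');
    $stmt->bindValue(2, $iv, PDO::PARAM_LOB);
    $stmt->bindValue(3, $ct, PDO::PARAM_LOB);
    $stmt->execute();
    return (int)$db->lastInsertId();
}

// 3. Or store base64 text: a third more space, but it survives any charset handling
//    between PHP, the driver and the table's collation.
function insert_base64(PDO $db, $iv, $ct) {
    $stmt = $db->prepare('INSERT INTO tblEncTest (encAlg, encIV, reqName) VALUES (?, ?, ?)');
    $stmt->execute(array('blowfish', base64_encode($iv), base64_encode($ct)));
    return (int)$db->lastInsertId();
}

function read_back(PDO $db, $id, $base64 = false) {
    $stmt = $db->prepare('SELECT encIV, reqName FROM tblEncTest WHERE id = ?');
    $stmt->execute(array($id));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        return null;
    }
    foreach ($row as $k => $v) {            // some PDO drivers return BLOBs as streams
        if (is_resource($v)) {
            $row[$k] = stream_get_contents($v);
        }
    }
    return $base64 ? array_map('base64_decode', $row) : $row;
}

echo insert_unescaped($db, $iv, $ciphertext), "\n";
$bound  = read_back($db, insert_bound($db, $iv, $ciphertext));
$base64 = read_back($db, insert_base64($db, $iv, $ciphertext), true);
// Both round trips must give back the exact bytes, or the ciphertext will not decrypt.
var_dump($bound['reqName'] === $ciphertext && $bound['encIV'] === $iv);
var_dump($base64['reqName'] === $ciphertext && $base64['encIV'] === $iv);
```

Binding is the better default: it removes the escaping step that the ciphertext made visible here, and it does the same for every other value the query takes, including the ones an attacker gets to choose.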


Re: [PHP] Can i get all content for list box in $_POST

2004-03-23 Thread Sheeraz fazal
My Mistake. I over looked :(

"Pablo Gosse" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
Sheeraz fazal wrote:
> Hi All,
>
> I have a list box in a page (html  tag with multiple
> selection option). Items are added dynamically in list box, using
> javascript. Can i get all elements of listbox in my php code.
>
> If i do $_POST['select_tag_name']. I get a variable not an array.
> Thus getting only one item.
>
> Comments?

http://www.php.net/manual/en/faq.html.php#faq.html.select-multiple




Re: [PHP] Can i get all content for list box in $_POST

2004-03-23 Thread Sheeraz fazal
Thanks.
As the same  element is used in PHP and JavaScript, naming a tag ending
in square brackets [] is a JavaScript error. Till now either PHP will not
produce the desired results or JavaScript will give me an error :(

"Pablo Gosse" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
Sheeraz fazal wrote:
> Hi All,
>
> I have a list box in a page (html  tag with multiple
> selection option). Items are added dynamically in list box, using
> javascript. Can i get all elements of listbox in my php code.
>
> If i do $_POST['select_tag_name']. I get a variable not an array.
> Thus getting only one item.
>
> Comments?

http://www.php.net/manual/en/faq.html.php#faq.html.select-multiple




[PHP] PHP 4.3.4 EAPI

2004-03-23 Thread Jordan S. Jones
Hello all..

For some odd reason, I am having a very very difficult time compiling 
PHP with EAPI support.. Here is my configure line:

CFLAGS=" -DEAPI" \
./configure \
--with-apxs \
--with-config-file-path=/etc \
--disable-short-tags \
--with-zlib \
--with-bz2 \
--with-curl \
--with-mcrypt \
--with-mhash \
--with-mysql \
--enable-xslt \
--without-pear \
--with-pgsql \
--with-gd \
--enable-gd-native-ttf \
--with-xslt-sablot \
--disable-debug \
--enable-bcmath \
--enable-calendar \
--enable-inline-optimization \
--enable-memory-limit \
--enable-rule=EAPI
Any help on the matter would be greatly appreciated..

Thanks,
Jordan S. Jones


[PHP] $_POST not working with str_replace

2004-03-23 Thread PHP Email List
Hey gang,

Ok here's my problem: I'm in the midst of creating a string replace to work
on an RTF file that is on the server. This functionality works perfectly with
"GET" but not "POST", and I guess I don't understand why.  The reason I don't
want to use GET over POST is the character restrictions. I need to be able
to place more characters than are allowed in the URL. I created a test
script to have a person fill in the form fields and it would write a
detailed letter for them. This was just an idea I was using to test the
replacement functions within an RTF document.  My main project is to allow
our on-site techs to enter what they have done for a client, lay it out
perfectly for our stationery and then hand the client their spec sheet and
invoice straight from the printer without having to come back to the office.

The overall end of this will more than likely be database driven and maybe I
should place these items into the database, then turn around and pull them
out, assigning them to the given replace functions.  But my problem still
lies in the fact that I don't understand why the "GET" functionality works
with this form and "POST" will not.

After some rough testing, the template is being displayed as it fills in the
static parts of the form by itself and then replaces all of my <>
<> with "" (blank spaces).

Code is below, any help would be wonderful!

rtfform.html::
Testing RTF Input


FIRST NAME: 
...
Rest of form elements
...



>>>end rtfform


rtf.php::
$name = $_POST['FNAME'];
... rest of post variable conversions

$filename = "Lettertest.rtf";

header('Content-type: application/msword');
// Content-Disposition needs a disposition type before the filename parameter
header('Content-Disposition: attachment; filename="Rtftest.rtf"');
$fp = fopen($filename, "rb");

$output = fread($fp, filesize($filename));
fclose($fp);

$output = str_replace("<>",$name,$output);
... rest of output str_replace items

echo $output;
>>>end rtf.php

Thanks in advance
Wolf




[PHP] Storing encrypted data in a database with

2004-03-23 Thread Jay Blanchard
Good afternoon!

I am storing some encrypted data using PHP to do the encryption and a MySQL database. 
I have encountered a couple of times where I get back a query syntax error.

INSERT INTO `test`.`tblEncTest` (`encAlg`, `encMode`, `encIV`, `reqName`, `reqSSN`, 
`reqEMail`) VALUES ( 'blowfish', 'cbc', 'â3IÂÂ}ÃÃ', 'Ã ÃpÃ_9', 
'âËkÃÂfÃÃ?QÂÃgÃÂ', '-â%ÂÂ+AÂÅÂÃR'âHXâÃÃÃppT ÃÃÃ7 
GHÂÅÅÃÃÃ' ) 

You have an error in your SQL syntax near 'HXâÃÃÃppT ÃÃÃ7 GHÂÅÅÃÃÃ' ) 
' at line 1 

Now, if you look closely you can see an additional single quote in ÃR'âHXâ. I 
cannot use addslashes() here, can I? Or should I base64_encode each item and then 
decode on the way back out. Any thoughts would be appreciated.

TVMIA!


Re: [PHP] Image Storage

2004-03-23 Thread David T-G
Matt --

...and then Matt Palermo said...
% 
% I am creating a system to allow users to upload images to the site.  Would
% it be better to store the images in a MySQL table, or having it save the
% images to a directory on the server?  Anyone have any suggestions on this?
% Pros? Cons?

This has been debated to death; check the archives.  Although there are
passionate arguments for both approaches, I *think* that the consensus
for general applications where you don't have a specific reason to put
them in the DB is to go with the filesystem -- but, then, I'm also a
subscriber of that camp :-)


% 
% Thanks,
% 
% Matt
% http://sweetphp.com/


HTH & HAND

:-D
-- 
David T-G  * There is too much animal courage in 
(play) [EMAIL PROTECTED] * society and not sufficient moral courage.
(work) [EMAIL PROTECTED]  -- Mary Baker Eddy, "Science and Health"
http://justpickone.org/davidtg/  Shpx gur Pbzzhavpngvbaf Qrprapl Npg!





RE: [PHP] Can i get all content for list box in $_POST

2004-03-23 Thread Pablo Gosse
Sheeraz fazal wrote:
> Hi All,
> 
> I have a list box in a page (html  tag with multiple
> selection option). Items are added dynamically in list box, using
> javascript. Can i get all elements of listbox in my php code.  
> 
> If i do $_POST['select_tag_name']. I get a variable not an array.
> Thus getting only one item. 
> 
> Comments?

http://www.php.net/manual/en/faq.html.php#faq.html.select-multiple




Re: [PHP] Re: replacing chars in input

2004-03-23 Thread David T-G
Justin, et al --

...and then Justin Patrin said...
% 
% David T-G wrote:
% 
% >I would like to make things easier for my users and replace all of the
% >garbage characters
% >
% >  `'";:[EMAIL PROTECTED]&*()[]{}<>/?\|+=
% >
% >plus white space (\s) with underscores in the input.  I am, however,
% >having trouble getting my regexp to work.
...
% >
% >If there isn't a handy character class waiting for me, what must I do to
% >get those chars replaced?
% 
% $i = preg_replace('/[^A-Za-z0-9_-]/', '_', $i);
% 
% That means anything that is not in that class should be replaced with '_'.

*duh*  Of course!  Brilliant in its simplicity.  I can't wait to try it.


% 
% -- 
% paperCrane 


Thanks & HAND

:-D
-- 
David T-G  * There is too much animal courage in 
(play) [EMAIL PROTECTED] * society and not sufficient moral courage.
(work) [EMAIL PROTECTED]  -- Mary Baker Eddy, "Science and Health"
http://justpickone.org/davidtg/  Shpx gur Pbzzhavpngvbaf Qrprapl Npg!





[PHP] Can i get all content for list box in $_POST

2004-03-23 Thread Sheeraz fazal
Hi All,

I have a list box in a page (html  tag with multiple selection
option). Items are added dynamically to the list box, using javascript. Can I
get all elements of the listbox in my php code?

If I do $_POST['select_tag_name'] I get a variable, not an array, thus
getting only one item.

Comments?




[PHP] CGI Error

2004-03-23 Thread Alex Hogan
Hi All,

I am getting this error when I try to pass some url params;

CGI Error
The specified CGI application misbehaved by not returning a complete set of
HTTP headers. The headers it did return are:

And nothing

Has anybody seen this before?  I did a search and it seems that there are a
few references to it, but nobody seems to have an explanation.

alex hogan






Re: [PHP] Re: RE:[PHP] login scripts not secure?? help!

2004-03-23 Thread Scott Fletcher
Also remember to keep in mind, some users' browsers have cookies disabled.
Once that happens, it wouldn't work.

"John W. Holmes" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Scott Fletcher wrote:
> > Um, you would be able to jump out of the admin area (logged in area) to
> > public/free area and back to the admin area (logged in area) only if either
> > one of these two, not necessarily both, is maintained on every webpage of that
> > website, 1) session_start() or 2) session_id via links/form.  But if the
> > person goes to a website like Google or something and back then no, it would
> > not be possible unless there is a known way for the web browser to hold the
> > token, like a cookie for example.
>
> By default the session id (token) _is_ maintained in a cookie, so it
> wouldn't matter where you go, the cookie would still be present. That
> means your user can go back and forth between areas without any problem.
> You only need the session_start() in the "admin" areas to start and
> retrieve the existing session. The cookie will be maintained whether
> session_start() is encountered or not so long as the browser window
> stays open.
>
> -- 
> ---John Holmes...
>
> Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
>
> php|architect: The Magazine for PHP Professionals – www.phparch.com




[PHP] Re: Null Variables after session_register() ( Radio Inputs Problem )

2004-03-23 Thread Justin Patrin
Gohaku wrote:

Apologies if this has been asked before,

I'm experiencing problems with Session Variables and Radio Inputs values.
For some reason, after I use session_register("number") where
$number has 3 possible values { 1,2,3 }, $number IS NULL.
If I don't use session_register("number"), $number IS NOT NULL.
I did not see any difference with checkbox inputs either.
Any help would be greatly appreciated.

Thank you.
-gohaku


Name: 
1
2
3





You may want to look into using the superglobal $_SESSION instead of 
using session_register and global variables. It's far more secure and 
generally works without so many problems.

--
paperCrane 
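An added example, not code from either post, of the $_SESSION approach Justin recommends applied to the radio-button case in the thread: the submitted value is checked against the set the form offers before it is stored. The field name `number` and the values 1, 2, 3 come from Gohaku's post; the function names are mine.

```php
<?php
// Added example, not code from the thread. Writes the radio value into
// $_SESSION explicitly instead of relying on session_register() and
// register_globals to alias a global variable.

const ALLOWED_NUMBERS = [1, 2, 3];   // the three radio buttons on the form

// Returns the validated value, or null if the form sent nothing usable.
function readNumberField(array $post): ?int
{
    if (!isset($post['number']) || !is_string($post['number'])) {
        return null;   // no radio button selected (or not a scalar)
    }
    if (!preg_match('/^[123]$/', $post['number'])) {
        return null;   // forged or out-of-range value: do not trust it
    }
    return (int) $post['number'];
}

// Stores the value in the session array passed in; returns whether it did.
function rememberNumber(array &$session, ?int $number): bool
{
    if ($number === null || !in_array($number, ALLOWED_NUMBERS, true)) {
        return false;
    }
    $session['number'] = $number;
    return true;
}

if (PHP_SAPI !== 'cli') {
    session_start();
    $saved = rememberNumber($_SESSION, readNumberField($_POST));
    echo $saved ? 'saved ' . $_SESSION['number'] : 'nothing saved';
}
```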


[PHP] Re: http webmail problems.

2004-03-23 Thread Justin Patrin
Tom Reed wrote:

On some webmail programs, when I send them an email from php, they appear as
being "blank" emails.
Here's the code I am using:

  $headers .= "From: \"$WEBSITE_name\" <$ADMIN_email>\n";
  $headers .= "X-Sender: <$ADMIN_email>\n";
  $headers .= "X-Mailer: $WEBSITE_name Mailer\n"; // mailer
  $headers .= "X-Priority: 1\n"; // Urgent message!
  $headers .= "Return-Path: <$ADMIN_email>\n";  // Return path for errors
  $headers .= "MIME-version: 1.0\n";
  $headers .= "Content-type: multipart/mixed; ";
  $headers .= "boundary=\"Message-Boundary\"\n";
  $headers .= "Content-transfer-encoding: 7BIT\n";
  $message = "--Message-Boundary\n";
  $message .= "Content-Type: text/html; charset=iso-8859-1\n"; // Mime type
  $message .= "Content-transfer-encoding: 7BIT\n";
  $message .= "Content-description: Mail message body\n\n";
  $message .= "Test message with html";

  mail($email, "Test HTML message.", $message, $headers);
Try using PEAR's Mail_MIME class. It will do this kind of thing for you.
http://pear.php.net/package/Mail_MIME
--
paperCrane 


[PHP] Null Variables after session_register() ( Radio Inputs Problem )

2004-03-23 Thread gohaku
Apologies if this has been asked before,

I'm experiencing problems with Session Variables and Radio Inputs 
values.
For some reason, after I use session_register("number") where
$number has 3 possible values { 1,2,3 }, $number IS NULL.

If I don't use session_register("number"), $number IS NOT NULL.
I did not see any difference with checkbox inputs either.
Any help would be greatly appreciated.

Thank you.
-gohaku


Name: 
1
2
3







[PHP] http webmail problems.

2004-03-23 Thread Tom Reed
On some webmail programs, when I send them an email from php, they appear as
being "blank" emails.

Here's the code I am using:

  $headers .= "From: \"$WEBSITE_name\" <$ADMIN_email>\n";
  $headers .= "X-Sender: <$ADMIN_email>\n";
  $headers .= "X-Mailer: $WEBSITE_name Mailer\n"; // mailer
  $headers .= "X-Priority: 1\n"; // Urgent message!
  $headers .= "Return-Path: <$ADMIN_email>\n";  // Return path for errors

  $headers .= "MIME-version: 1.0\n";
  $headers .= "Content-type: multipart/mixed; ";
  $headers .= "boundary=\"Message-Boundary\"\n";
  $headers .= "Content-transfer-encoding: 7BIT\n";

  $message = "--Message-Boundary\n";
  $message .= "Content-Type: text/html; charset=iso-8859-1\n"; // Mime type
  $message .= "Content-transfer-encoding: 7BIT\n";
  $message .= "Content-description: Mail message body\n\n";

  $message .= "Test message with html";

  mail($email, "Test HTML message.", $message, $headers);




Re: [PHP] fsockopen to spit out the HTTP's Location...

2004-03-23 Thread Chris Shiflett
--- Scott Fletcher <[EMAIL PROTECTED]> wrote:
> Application --> Web Browser/Web Server
> Presentation --> HTTP/HTTPS/SSL and language (HTML/JavaScript, etc).
> Session --> Browser-Server connection, etc.
> Transport --> Port 80/Port 443, packet transfer control, etc.
> Network --> IP Address/Internet/Router
> Data Link --> Network card driver/binding
> Physical --> Media stuffs (Network cable, wireless, etc).

In this case, fsockopen() basically handles everything from the Transport
layer down, and whatever you write needs to handle everything from the
Session layer up.

> > So, use header().
>
> Yea, working on it  Wish can make the 3rd party software come after
> the header()..

You don't have to. All you have to do is make sure no output comes before
your 3rd party software. If you can't avoid this, you can put ob_start()
at the very top, and PHP will buffer the output for you, so that headers
aren't sent until the script terminates. Whatever works best for you.

Hope that helps.

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
 Coming Fall 2004
HTTP Developer's Handbook - Sams
 http://httphandbook.org/
PHP Community Site
 http://phpcommunity.org/




Re: [PHP] fsockopen to spit out the HTTP's Location...

2004-03-23 Thread Scott Fletcher
> Why not delete that part of the 3rd party code then? Or send your Location
> header before you call it? Curl won't help you here, for the same reasons
> that fsockopen won't work.
Not sure about deleting that part of the 3rd party code though; I had thought
about it a lot and I had been itching for it.  Can't say that I would
remember this 2 months from now with the upgrading part.  Location
header, it wouldn't hurt to move it around in the script.

FletchSOD




Re: [PHP] fsockopen to spit out the HTTP's Location...

2004-03-23 Thread Scott Fletcher
> > Sigh!  Well, I guess all web browsers suck at it by the way!
> Suck at what exactly?
Not suck at receiving the HTTP commands from the webserver but suck at not
receiving the HTTP commands from the PHP.  :-)  I understand how the
browser/webserver communication works, so no wonder it doesn't work.  Kind
of makes you jealous of the flash player that is both client and server side
in the web browser.

> What do you consider to be the network layer? This figure might be helpful
> to you: http://shiflett.org/images/18fig06.jpg

Application --> Web Browser/Web Server
Presentation --> HTTP/HTTPS/SSL and language (HTML/JavaScript, etc).
Session --> Browser-Server connection, etc.
Transport --> Port 80/Port 443, packet transfer control, etc.
Network --> IP Address/Internet/Router
Data Link --> Network card driver/binding
Physical --> Media stuffs (Network cable, wireless, etc).

> Yeah, this is why everyone was interested - you're wrong. :-)
Me wrong?  Really!  :-)

> That code will throw an error is headers have already been sent. Headers
> are sent as soon as output begins, so you can either set all of your
> headers prior to any output or use output buffering with ob_start().
>
> So, use header().
Yea, working on it  Wish can make the 3rd party software come after the
header()..

FletchSOD




RE: [PHP] SQL Injection check (mysql)

2004-03-23 Thread Pablo Gosse

PG A RARE case, in the world of web applications??? Hardly!
PG 
PG I agree that in an optimal situation queries will not be based on
PG user input, but in the world of the web this is a pipe dream.  In
PG 99.99% of the cases there will be some dynamic element to a query. 
PG The only safeguard is to validate the hell out of the data.

> I don't know which web applications you develop, but in the ones I have
> been developing for the last 10 years all user interaction was done through
> forms where users were asked specific questions, and the input to
> these specific questions was used as input in prepared statements.
> Eg. "select tuple1.table1, tuple1.table2, tuple3.table1 from table1,
> table2 where tuple1.table1 = tuple1.table2 and tuple1.table1=? and
> tuple3.table3>?" and so forth.  
> 
> In any case the users' input was to be used in queries defined by
> the design of the application! 
> 
> I think you have misunderstood the concepts of making queries based on
> user input. It is not the users who should create the query; all they
> should do is provide the input to narrow down the queries.  


I have not misunderstood the concepts of making queries based on user
input.

I think the issue here is we all need to clarify what we're referring to
as user input, because ultimately we are all saying the same thing.

1)  Hard coding a query into an application is good, if the situation
permits it;

2)  Letting a user select (or enter) a value(s) to be used in a query is
good, as long as you validate the hell out of said value(s);

3)  Letting a user arbitrarily enter unvalidated value(s) to be used in
a query is very very stupid and very very bad, and done far too often.

In a broader scope I would consider ANY input which is not hard coded
into the application to be user input, and any input which is not hard
coded should be thoroughly examined before being used.

I've not misunderstood the concept, we're all saying the same thing,
just in different ways.

Cheers,
Pablo




RE: [PHP] SQL Injection check (mysql)

2004-03-23 Thread Chris Shiflett
--- Michael Rasmussen <[EMAIL PROTECTED]> wrote:
> I think you have misunderstood the concepts of making queries based
> on user input. It is not the users who should create the query; all
> they should do is provide the input to narrow down the queries.

To be honest, I think Pablo understands the concepts quite well, and you
seem to have the misunderstanding. I'm happy to be wrong about this, but
you'll need to explain yourself more instead of making these types of
vague statements. As it is, I just don't buy your argument at all.

How can user input only narrow down queries? Are you telling me that
you've never had to write an application that had to store data
originating from a foreign source? If so, that's fine, but don't use your
inexperience to try to convince others that data filtering is unnecessary.

If you're only talking about SELECT statements, that's also fine, but it's
also rather irrelevant to the topic at hand (which might explain the
confusion).

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
 Coming Fall 2004
HTTP Developer's Handbook - Sams
 http://httphandbook.org/
PHP Community Site
 http://phpcommunity.org/




RE: [PHP] SQL Injection check (mysql)

2004-03-23 Thread Michael Rasmussen
On Tue, 23 Mar 2004 09:27:29 -0800, Chris Shiflett wrote:

> 
> This argument still makes no sense to me. Originally, you stated that a
> better option to filtering and escaping data was to use a prepared
> statement. Some of us have decided that you are referring to stored
> procedures.
> 
> You still have yet to defend your original statement in my mind. If there
> is no foreign data of any kind in a query, it doesn't really matter how
> the query is processed. For every other case (not as rare as you seem to
> think), data filtering is a must.
> 
See my reply to Pablo Gosse.
-- 
Hilsen/Regards
Michael Rasmussen
--
It was all so different before everything changed.




RE: [PHP] SQL Injection check (mysql)

2004-03-23 Thread Michael Rasmussen
On Tue, 23 Mar 2004 08:25:32 -0800, Pablo Gosse wrote:

> 
> A RARE case, in the world of web applications??? Hardly!
> 
> I agree that in an optimal situation queries will not be based on user
> input, but in the world of the web this is a pipe dream.  In 99.99% of the
> cases there will be some dynamic element to a query.  The only safeguard
> is to validate the hell out of the data.
> 
I don't know which web applications you develop, but in the ones I have
been developing for the last 10 years all user interaction was done through
forms where users were asked specific questions, and the input to these
specific questions was used as input in prepared statements. Eg. "select
tuple1.table1, tuple1.table2, tuple3.table1 from table1, table2 where
tuple1.table1 = tuple1.table2 and tuple1.table1=? and tuple3.table3>?" and
so forth.

In any case the users' input was to be used in queries defined by the
design of the application!

I think you have misunderstood the concepts of making queries based on
user input. It is not the users who should create the query; all they
should do is provide the input to narrow down the queries.

-- 
Hilsen/Regards
Michael Rasmussen
--
Beauty and harmony are as necessary to you as the very breath of life.
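An added example (mine, not from any post in the thread) that puts the positions side by side: a query built by string concatenation, the `?` placeholder form Michael describes, and the input validation Pablo argues for. It assumes PHP 7.1+ with pdo_sqlite; the table, rows and inputs are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. Contrasts string concatenation
// with a prepared statement, and shows why validation is still worthwhile.

function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, age INTEGER)');
    $ins = $db->prepare('INSERT INTO users (name, age) VALUES (?, ?)');
    foreach ([['alice', 31], ["o'brien", 45], ['bob', 19]] as $u) {   // constructed rows
        $ins->execute($u);
    }
    return $db;
}

// Unsafe: the user's string becomes part of the SQL text itself.
function findByNameUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the "?" is a value slot, so the input can never change the query's
// structure; a quote in the input is just a quote in the data.
function findByNamePrepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Validation on top of binding: reject values that make no sense for the
// field before they reach any query, with a clear error instead of an odd result.
function olderThanPrepared(PDO $db, string $minAge): array
{
    if (!preg_match('/^\d{1,3}$/', $minAge)) {
        throw new InvalidArgumentException('age must be 1-3 digits');
    }
    $stmt = $db->prepare('SELECT name FROM users WHERE age > ?');
    $stmt->bindValue(1, (int) $minAge, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = openDemoDb();

// A legitimate name with an apostrophe: the concatenated version fails
// with a syntax error, the prepared version finds the row.
try {
    findByNameUnsafe($db, "o'brien");
} catch (PDOException $e) {
    echo "unsafe query broke on a plain apostrophe: ", $e->getMessage(), "\n";
}
print_r(findByNamePrepared($db, "o'brien"));   // one row: o'brien

// The same missing boundary is what an injected input takes advantage of:
// the concatenated version returns every row, the prepared version none.
$hostile = "x' OR '1'='1";                      // constructed input
print_r(findByNameUnsafe($db, $hostile));      // all three names
print_r(findByNamePrepared($db, $hostile));    // empty array

print_r(olderThanPrepared($db, '30'));          // alice, o'brien
try {
    olderThanPrepared($db, '30 OR 1=1');
} catch (InvalidArgumentException $e) {
    echo "rejected before any query ran: ", $e->getMessage(), "\n";
}
```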




[PHP] Re: Domain & Sub-domain Handling with PHP

2004-03-23 Thread Justin Patrin
Galen wrote:

Hi,

I've done loads and loads with PHP and MySQL and stuff like that... but 
never had to really deal with actually creating new domains and 
subdomains with PHP. Especially with subdomains, I've seen lots of sites 
create subdomains automatically.

What is the "best" technique for doing all this (if there is one)? I'm 
sure I could hack something together (I always have) but I'd really like 
the "best" way - cleanest, fastest, whatever the technique may be.

Thanks,
Galen
You're confusing a couple of concepts I think. PHP cannot create 
subdomains and such (unless you alter your DNS records with PHP, but I 
don't think that's what you're talking about.)

Some other people have suggested having your DNS set up to resolve all 
sub-domains to your main web server, then using a custom 404 script (or 
index on the site) to look at the requested URL and redirect accordingly.

--
paperCrane 
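An added example, not code from either post, of the dispatch step Justin describes: with wildcard DNS pointing every sub-domain at one server, the script has to recover the requested label from the Host header, which is client-supplied and so is validated before anything is done with it. The base domain `example.com`, the known-label map and the function names are my own.

```php
<?php
// Added example, not code from the thread. Extracts and validates the
// sub-domain label from a Host header value under a wildcard DNS setup.

// Returns the sub-domain label for $host under $baseDomain, or null when the
// host is not under our domain or the label is not a single plain DNS label.
function subdomainFromHost(string $host, string $baseDomain): ?string
{
    $host = strtolower($host);
    $host = preg_replace('/:\d+$/', '', $host);   // drop an explicit port
    $host = rtrim($host, '.');                     // and a trailing dot
    $suffix = '.' . strtolower($baseDomain);
    if (substr($host, -strlen($suffix)) !== $suffix) {
        return null;   // foreign host, or the bare base domain itself
    }
    $label = substr($host, 0, -strlen($suffix));
    // One label only: letters, digits, hyphens, no leading/trailing hyphen,
    // at most 63 characters. "a.b" (two labels) is rejected here too.
    if (!preg_match('/^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/', $label)) {
        return null;
    }
    return $label;
}

// Maps a validated label to a document root. Unknown labels fall back to the
// main site; the label is never used to build a filesystem path directly.
function documentRootFor(?string $label, array $known, string $default): string
{
    if ($label === null || !isset($known[$label])) {
        return $default;
    }
    return $known[$label];
}

if (PHP_SAPI !== 'cli') {
    $known = ['blog' => '/var/www/blog', 'shop' => '/var/www/shop'];   // constructed
    $label = subdomainFromHost($_SERVER['HTTP_HOST'] ?? '', 'example.com');
    $root  = documentRootFor($label, $known, '/var/www/main');
    // ... dispatch to $root, or redirect unknown hosts to the canonical URL
} else {
    // Quick check of the edge cases from the command line.
    foreach (['shop.example.com', 'Shop.EXAMPLE.com:8080', 'example.com',
              'a.b.example.com', 'example.com.attacker.test', '-x.example.com'] as $h) {
        var_dump(subdomainFromHost($h, 'example.com'));
    }
}
```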


Re: [PHP] Clearing Post Data with IE

2004-03-23 Thread Chris Boget
> Is there a way to get it so that i can clear _post and get it so they
arent
> in the header??

After you've finished all of the processing, just do:

header( 'location: ' . $_SERVER['PHP_SELF'] );
exit();

Chris




[PHP] Oracle 8i -- execution stops

2004-03-23 Thread Matthew Hillebrand
When I make a complex query to a table with 500,000 rows via PHP, my web 
browser thinks for a minute and then stops the execution of the script with 
no error messages at all.

I have set the max_execution_time to 400 and called error_reporting(E_ALL) 
with the same results. I'm using PHP 4.3.1 and Oracle 8i with Solaris 5.8.

I'm using the ORA functions because my sysadmin has not enabled the OCI 
functions. Oh, I'm also calling ora_commiton($conn) at the start of every 
script.

What's really strange is that I can often hit Refresh after a halt like 
this, and the script will then work perfectly. I don't understand why that 
is because I examine the $_REQUEST and $_SESSION variables each time, and 
nothing is changing.

Any advice would be greatly appreciated. I normally use MySQL or SQL Server, 
so I'm assuming my Oracle ignorance is to blame.

Thanks!
Matt



Re: [PHP] fsockopen to spit out the HTTP's Location...

2004-03-23 Thread Chris Shiflett
--- Scott Fletcher <[EMAIL PROTECTED]> wrote:
> Sigh!  Well, I guess all web browsers suck at it by the way!

Suck at what exactly?

> Michal Migurski from other posting had explained that fsockopen()
> do the TCP stuff or the Transport Layer. So, no wonder fsockopen()
> can't get to the Network layer, like the IP Address stuff.

What do you consider to be the network layer? This figure might be helpful
to you:

http://shiflett.org/images/18fig06.jpg

> I don't want to use cURL because it take more time.

A better reason is that it also cannot make a connection to a remote
client.

> And finally, for those of you who are dying to know the answer to
> why I can't use the header(). It's the 3rd party coding that contain
> the code,
> 
> --snip--
> if(headers_sent())
> $this->Error('  ');
> --snip--

Yeah, this is why everyone was interested - you're wrong. :-)

That code will throw an error if headers have already been sent. Headers
are sent as soon as output begins, so you can either set all of your
headers prior to any output or use output buffering with ob_start().

So, use header().

Hope that helps.

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
 Coming Fall 2004
HTTP Developer's Handbook - Sams
 http://httphandbook.org/
PHP Community Site
 http://phpcommunity.org/




Re: [PHP] fsockopen to spit out the HTTP's Location...

2004-03-23 Thread Michal Migurski
>And finally, for those of you who are dying to know the answer to why I
>can't use the header().  It's the 3rd party coding that contain the code,
>
>--snip--
>if(headers_sent())
>$this->Error('  ');
>--snip--

Why not delete that part of the 3rd party code then? Or send your Location
header before you call it? Curl won't help you here, for the same reasons
that fsockopen won't work.

-
michal migurski- contact info and pgp key:
sf/ca    http://mike.teczno.com/contact.html




Re: [PHP] Re: RE:[PHP] login scripts not secure?? help!

2004-03-23 Thread John W. Holmes
Scott Fletcher wrote:
Um, you would be able to jump out of the admin area (logged in area) to
public/free area and back to the admin area (logged in area) only if either
one of these two, not necessarily both, is maintained on every webpage of that
website, 1) session_start() or 2) session_id via links/form.  But if the
person goes to a website like Google or something and back then no, it would
not be possible unless there is a known way for the web browser to hold the
token, like a cookie for example.
By default the session id (token) _is_ maintained in a cookie, so it 
wouldn't matter where you go, the cookie would still be present. That 
means your user can go back and forth between areas without any problem. 
You only need the session_start() in the "admin" areas to start and 
retrieve the existing session. The cookie will be maintained whether 
session_start() is encountered or not so long as the browser window 
stays open.

--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals – www.phparch.com



[PHP] Domain & Sub-domain Handling with PHP

2004-03-23 Thread Galen
Hi,

I've done loads and loads with PHP and MySQL and stuff like that... but 
never had to really deal with actually creating new domains and 
subdomains with PHP. Especially with subdomains, I've seen lots of 
sites create subdomains automatically.

What is the "best" technique for doing all this (if there is one)? I'm 
sure I could hack something together (I always have) but I'd really 
like the "best" way - cleanest, fastest, whatever the technique may be.

Thanks,
Galen


Re: [PHP] fsockopen to spit out the HTTP's Location...

2004-03-23 Thread Scott Fletcher
See the reply to the Chris Shiflett's reply...

"Michal Migurski" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> >In plain english, can't use the header("Location: "), so have to use
> >the fsockopen() instead.  Just that header() is not allowed, don't ask me
> >why. Just couldn't get the browser perform the HTTP LOCATION event.
> >--snip--
> >$host = "192.168.0.2";
> >$port = 443;
> >$url_str = "ssl://www.whatever.com?str1=true&str2=false&str3=true";
> >
> >$fp = fsockopen("ssl://".$host, $port, $errno, $errstr, $timeout = 30);
> >--snip--
> >  //send out to the browser.
> >  fputs($fp, "Location: ".$url_str."\r\n");
>
> That won't get sent to the browser, it will get sent to 192.168.0.2, which
> is (I guess) some machine behind your router. You can't initiate a TCP
> connection -- what fsockopen does -- with the client's machine.
>
> I'll ask even though you said not to - Why doesn't header() work?
>
> -
> michal migurski- contact info and pgp key:
> sf/ca    http://mike.teczno.com/contact.html




[PHP] Re: replacing chars in input

2004-03-23 Thread Justin Patrin
David T-G wrote:

> Hi, all --
>
> I would like to make things easier for my users and replace all of the
> garbage characters
>   `'";:[EMAIL PROTECTED]&*()[]{}<>/?\|+=
>
> plus white space (\s) with underscores in the input.  I am, however,
> having trouble getting my regexp to work.
> I can comfortably do
>
>   $i = preg_replace("/[\s]/","_",$i) ;
>
> but trying to add other chars doesn't do a thing.
>
> I want to end up with
>
>   A-Za-z0-9_-
>
> (letters, numbers, underscore and dash).
>
> If there isn't a handy character class waiting for me, what must I do to
> get those chars replaced?
> TIA & HAND
>
> :-D

$i = preg_replace('/[^A-Za-z0-9_-]/', '_', $i);

That means anything that is not in that class should be replaced with '_'.

--
paperCrane 
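An added example, not code from Justin Patrin, David T-G or Michal Migurski, that puts the negated character class from the answer above beside the \W version Michal Migurski posts later in this thread, so the difference on real input is visible. PHP 7.4+ is assumed and the sample strings are constructed:

```php
<?php
// Added example (not from the thread). Assumes PHP 7.4+.

/**
 * Replace every byte outside A-Z, a-z, 0-9, "_" and "-" with "_".
 * Listing what is allowed (a negated class) is safer than enumerating the
 * "garbage" characters, because anything not on the list is caught too.
 * Without the /u modifier a multibyte character is handled byte by byte,
 * so "é" becomes "__"; that is usually what you want for a filename slug.
 */
function sanitize_identifier(string $input): string
{
    return preg_replace('/[^A-Za-z0-9_-]/', '_', $input);
}

/**
 * Michal Migurski's one-liner: \W matches every non-word character, which
 * includes "-", so dashes are dropped, and the "+" collapses runs of junk
 * into nothing rather than replacing them one-for-one.
 */
function sanitize_with_w(string $input): string
{
    return preg_replace('/\W+/', '', $input);
}

// Constructed sample inputs; compare the two middle columns.
$samples = [
    'my file.txt',
    'report-2004/03/23.pdf',
    "name\twith`quotes'",
];
foreach ($samples as $s) {
    printf("%-24s -> %-24s | %s\n",
        addcslashes($s, "\t"), sanitize_identifier($s), sanitize_with_w($s));
}
```

The first function preserves the original's length and keeps dashes, which matches the "A-Za-z0-9_-" target David asked for; the \W form is shorter but changes both properties, so pick it only when that is acceptable.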


Re: [PHP] fsockopen to spit out the HTTP's Location...

2004-03-23 Thread Scott Fletcher
Boy!  Everyone here is itching for an answer!!!  :-)  Sigh!  Well, I guess
all web browsers suck at it by the way!!  Michal Migurski from another posting
had explained that fsockopen() does the TCP stuff or the Transport Layer.  So,
no wonder fsockopen() can't get to the Network layer, like the IP Address
stuff.  I'll think of a workaround to the header() instead.  I don't want to
use cURL because it takes more time.  And finally, for those of you who are
dying to know the answer to why I can't use the header(): it's the 3rd
party code that contains the code,

--snip--
if(headers_sent())
$this->Error('  ');
--snip--

FletchSOD

"Chris Shiflett" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> --- Scott Fletcher <[EMAIL PROTECTED]> wrote:
> > In plain english, can't use the header("Location: "), so have to
> > use the fsockopen() instead. Just that header() is not allowed, don't
> > ask me why.
>
> I'm asking anyway. :-)
>
> You cannot (thank goodness) connect to a remote client with fsockopen(),
> so you can probably save yourself some trouble by forgetting this whole
> approach. You need to focus on why header() is not working for you,
> because this is the way to send HTTP headers to the client.
>
> Chris
>
> =
> Chris Shiflett - http://shiflett.org/
>
> PHP Security - O'Reilly
>  Coming Fall 2004
> HTTP Developer's Handbook - Sams
>  http://httphandbook.org/
> PHP Community Site
>  http://phpcommunity.org/

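A redirect helper written the way Michal Migurski and Chris Shiflett recommend in this thread, as an added example that is not Scott Fletcher's code or the third-party library's: it uses header(), guards on the same headers_sent() condition the third-party code checks, and shows output buffering as the usual way to stop early output from committing the headers. PHP 7.4+ and the allowed host list are assumptions:

```php
<?php
// Added example (not from the thread). Assumes PHP 7.4+; the host list is a
// placeholder for the site's own host names.

const ALLOWED_REDIRECT_HOSTS = ['www.example.com'];

/**
 * Redirect with header(), the only way to reach the client: fsockopen() opens
 * a new outbound TCP connection from the server, so anything written to it
 * goes to that remote host, never to the browser that made the request.
 */
function redirect(string $url): void
{
    // CR/LF in a header value would let the caller append headers of its own;
    // modern PHP refuses such values anyway, but fail early and clearly.
    if (preg_match('/[\r\n]/', $url)) {
        throw new InvalidArgumentException('newline in redirect target');
    }
    $parts = parse_url($url);
    // Accept a site-relative path ("/x", but not the protocol-relative "//host/x")
    // or an absolute http(s) URL on one of our own hosts; anything else would
    // turn the redirect into a bounce to a site chosen by whoever built the link.
    $relative = $parts !== false && !isset($parts['scheme']) && !isset($parts['host'])
        && substr($url, 0, 1) === '/' && substr($url, 0, 2) !== '//';
    $ownHost = $parts !== false && isset($parts['scheme'], $parts['host'])
        && in_array($parts['scheme'], ['http', 'https'], true)
        && in_array($parts['host'], ALLOWED_REDIRECT_HOSTS, true);
    if (!$relative && !$ownHost) {
        throw new InvalidArgumentException('refusing to redirect to ' . $url);
    }
    // This is the check the third-party code in the thread makes: once any
    // byte of the body has been sent, no header can be added any more.
    if (headers_sent($file, $line)) {
        throw new RuntimeException("headers already sent at $file:$line");
    }
    header('Location: ' . $url, true, 302);
    exit;
}

// Buffering from the first line keeps stray whitespace or an early echo from
// tripping headers_sent() before the redirect is issued; the buffer is flushed
// after the headers when the script exits.
ob_start();
echo "early output that would otherwise have committed the headers\n";
redirect('/admin/index.php?str1=true&str2=false');
```

If the third-party code still reports headers as sent, the output happened before ob_start() ran: typically a byte of whitespace before the opening PHP tag, or a UTF-8 byte-order mark, in an included file.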



Re: [PHP] session_register vs. $_SESSION superglobal

2004-03-23 Thread Justin Patrin
Kim L. Laage wrote:

> (This msg. may arrive twice, with two different senders, I've had a little
> trouble with the news server)
> Hi, thanks for your reply.
>
> > first $_SESSION works like this:
> >
> > session_start();
> > $_session[user]=$_POST[user];//if using register_globals=off
> > $_SESSION[user]=$user;//if register_globals=on..unsafe though
> >
> > $_SESSION superglobal is an array (usually associative) meaning that the
> > element of the array (the part in the []) is either a variable name or
> > some custom name instead of the element number
> >
> > $_POST[user] and $user are 2 different variables if
> > register_globals=off...
>
> Just a couple of questions.
> 1. I tried adding the lines as you wrote them, but then I got a "Notice: Use
> of undefined constant user - assumed 'user' in [FILENAME]", I assume I need
> to add quotation marks around "user" on both sides of the equal sign, that
> at least removes that notice.
> 2. I also get a "Notice: Undefined index: user in [FILENAME]", do I need to
> declare the $_SESSION variable before populating it?

This is due to using this syntax:
$_SESSION[user]
You want to do this instead:
$_SESSION['user'] = $_POST['user'];
Whenever you index into an associative array, you should use strings for 
the key/index (i.e. use quotation marks). That is, unless you're using 
define(), but that's out of scope for this thread. ;-)

--
paperCrane 


[PHP] Re: session.bug_compat_42

2004-03-23 Thread Justin Patrin
James E Hicks III wrote:

> What does the code look like that is causing this error? I know I can turn the
> error off but how do I fix the code that is causing it?
>
> Warning: Unknown(): Your script possibly relies on a session side-effect which
> existed until PHP 4.2.3. Please be advised that the session extension does
> not consider global variables as a source of data, unless register_globals is
> enabled. You can disable this functionality and this warning by setting
> session.bug_compat_42 or session.bug_compat_warn to off, respectively. in
> Unknown on line 0
>
> It only seems to appear when viewed using MSIE, Konqueror and Mozilla do not
> display this error, why?
>
> Here is some example code that I am using.
>
> Here are some settings from php.ini from the server that is giving the error.
>
> /etc/php4/php.ini
>
> register_globals = Off
> [Session]
> session.save_handler = files
> session.save_path = /tmp
> session.use_cookies = 1
> session.name = PHPSESSID
> session.auto_start = 1
> session.cookie_lifetime = 0
> session.cookie_path = /
> session.cookie_domain =
> session.serialize_handler = php
> session.gc_probability = 1
> session.gc_divisor = 100
> session.gc_maxlifetime = 1440
> session.bug_compat_42 = 1
> session.bug_compat_warn = 1
> session.referer_check =
> session.entropy_length = 0
> session.entropy_file =
> session.cache_limiter = nocache
> session.cache_expire = 180
> session.use_trans_sid = 0
> url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset="
> PHP 4.3.2 (cli) (built: Aug 12 2003 14:25:22)
> Copyright (c) 1997-2003 The PHP Group
> Zend Engine v1.3.0, Copyright (c) 1998-2003 Zend Technologies
> with Turck MMCache v2.3.20, Copyright (c) 2002-2003 TurckSoft, St.
> Petersburg, by Dmitry Stogov
>
> James Hicks

It's complaining because you're registering "last_time" then using the 
global $last_time to set the value. You should be using 
$_SESSION['last_time'] = 'value'.

In addition, you also don't need to use the session_ functions. All you 
need is $_SESSION. For session_is_registered() just use 
isset($_SESSION['key']). For session_register() use $_SESSION['key'] = 
'value'. For session_unregister() use unset($_SESSION['key']).

--
paperCrane 


Re: [PHP] Re: RE:[PHP] login scripts not secure?? help!

2004-03-23 Thread Scott Fletcher
Um, you would be able to jump out of the admin area (logged in area) to the
public/free area and back to the admin area (logged in area) only if either
one of these two, not necessarily both, is maintained on every webpage of that
website: 1) session_start() or 2) the session_id via links/form.  But if the
person goes to a website like Google or something and back then no, it would
not be possible unless there is a known way for the web browser to hold the
token, like a cookie for example.

FletchSOD

"Andy B" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> [snip]
> Then do what I did, the script below is only an example..
>
> --snip--
>  if ($_REQUEST['dw'] == 0) {
>    session_start();
>$_SESSION['username'] = ; //Wherever you got the userid from
>$_SESSION['password'] = ; //Wherever you got the password from
>
>//if successful
>header("Location: *");
> } else if ($_REQUEST['dw'] == 1) {
>//blah blah blah
> }
> ?>
> [/snip]
>
> will test it and play with it a little but will it let the admin go from a
> login required part of the site to a public/free access part of the site
> i.e. jump out of the session without losing any currently open sessions??
>
> they need to be able to go from the login section (admin only part) to the
> public part and back to the admin part again without having to login again
> unless the browser is closed from that site...




Re: [PHP] fsockopen to spit out the HTTP's Location...

2004-03-23 Thread Chris Shiflett
--- Scott Fletcher <[EMAIL PROTECTED]> wrote:
> In plain english, can't use the header("Location: "), so have to
> use the fsockopen() instead. Just that header() is not allowed, don't
> ask me why.

I'm asking anyway. :-)

You cannot (thank goodness) connect to a remote client with fsockopen(),
so you can probably save yourself some trouble by forgetting this whole
approach. You need to focus on why header() is not working for you,
because this is the way to send HTTP headers to the client.

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
 Coming Fall 2004
HTTP Developer's Handbook - Sams
 http://httphandbook.org/
PHP Community Site
 http://phpcommunity.org/




RE: [PHP] SQL Injection check (mysql)

2004-03-23 Thread Chris Shiflett
--- Michael Rasmussen <[EMAIL PROTECTED]> wrote:
> The idea is exactly not to do any queries dynamically generated based
> on user input!

This argument still makes no sense to me. Originally, you stated that a
better option to filtering and escaping data was to use a prepared
statement. Some of us have decided that you are referring to stored
procedures.

You still have yet to defend your original statement in my mind. If there
is no foreign data of any kind in a query, it doesn't really matter how
the query is processed. For every other case (not as rare as you seem to
think), data filtering is a must.

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
 Coming Fall 2004
HTTP Developer's Handbook - Sams
 http://httphandbook.org/
PHP Community Site
 http://phpcommunity.org/




[PHP] Re: RE:[PHP] login scripts not secure?? help!

2004-03-23 Thread Andy B
[snip]
Then do what I did, the script below is only an example..

--snip--

[/snip]

will test it and play with it a little but will it let the admin go from a
login required part of the site to a public/free access part of the site
i.e. jump out of the session without losing any currently open sessions??

they need to be able to go from the login section (admin only part) to the
public part and back to the admin part again without having to login again
unless the browser is closed from that site...




Re: [PHP] login scripts not secure?? help!

2004-03-23 Thread Chris Shiflett
--- Andy B <[EMAIL PROTECTED]> wrote:
> i run into the deal where most login scripts check to see if
> $_SESSION[username] or a $_SESSION var has been set or is valid.
> i noticed this could be a very bad thing because there is nothing
> stopping an outside link from doing something like:
>  href="securepage.php?_SESSION[username]=admin&_SESSION[pwd]=password">go
> to secure page
> and being valid (that is if they manage to hack the user/pwd)...

Not to be rude, but it looks like you're just making stuff up. Did you try
this? The $_SESSION array is "safe" in the sense that a user cannot
directly manipulate it.

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
 Coming Fall 2004
HTTP Developer's Handbook - Sams
 http://httphandbook.org/
PHP Community Site
 http://phpcommunity.org/




RE: [PHP] receiving ndr for each email sent to list

2004-03-23 Thread Chris W. Parker
Jay Blanchard on Tuesday, March 23, 2004 5:27 AM said:

> [snip]
> (no theories please. unless it's correct. in which case it's ok. :)
> [/snip]
> 
> ROFLMFAO! If it is correct then it is no longer theory! Sorry Chris,
> maybe I should go lay down.

exactly! that's what i'm saying!




Re: [PHP] session.bug_compat_42

2004-03-23 Thread Rasmus Lerdorf
This has nothing to do with the browser.  Instead of using 
session_register("last_time") and setting $last_time, do this:

  $_SESSION['last_time'] = time();

It's shorter and it will make the warning go away.

-Rasmus

On Tue, 23 Mar 2004, James E Hicks III wrote:

> What does the code look like that is causing this error? I know I can turn the 
> error off but how do I fix the code that is causing it?
> 
> Warning: Unknown(): Your script possibly relies on a session side-effect which 
> existed until PHP 4.2.3. Please be advised that the session extension does 
> not consider global variables as a source of data, unless register_globals is 
> enabled. You can disable this functionality and this warning by setting 
> session.bug_compat_42 or session.bug_compat_warn to off, respectively. in 
> Unknown on line 0
> 
> It only seems to appear when viewed using MSIE, Konqueror and Mozilla do not 
> display this error, why?
> 
> Here is some example code that I am using.
>  if (!session_is_registered('U_SI')) {
>   #do some stuff.
> }
> session_register("last_time");
> $last_time = time();
> echo $_SESSION['last_time'];
> ?>
> 
> Here are some settings from php.ini from the server that is giving the error.
> 
> /etc/php4/php.ini
> 
> register_globals = Off
> [Session]
> session.save_handler = files
> session.save_path = /tmp
> session.use_cookies = 1
> session.name = PHPSESSID
> session.auto_start = 1
> session.cookie_lifetime = 0
> session.cookie_path = /
> session.cookie_domain =
> session.serialize_handler = php
> session.gc_probability = 1
> session.gc_divisor = 100
> session.gc_maxlifetime = 1440
> session.bug_compat_42 = 1
> session.bug_compat_warn = 1
> session.referer_check =
> session.entropy_length = 0
> session.entropy_file =
> session.cache_limiter = nocache
> session.cache_expire = 180
> session.use_trans_sid = 0
> url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset="
> 
> 
> PHP 4.3.2 (cli) (built: Aug 12 2003 14:25:22)
> Copyright (c) 1997-2003 The PHP Group
> Zend Engine v1.3.0, Copyright (c) 1998-2003 Zend Technologies
> with Turck MMCache v2.3.20, Copyright (c) 2002-2003 TurckSoft, St. 
> Petersburg, by Dmitry Stogov
> 
> 
> James Hicks
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 

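One way to write the same session handling with $_SESSION only, as an added example that is not code from James Hicks, Justin Patrin or Rasmus Lerdorf: it covers the replacements Justin lists (isset() for session_is_registered(), assignment for session_register(), unset() for session_unregister()), Rasmus's $_SESSION['last_time'] = time(), the quoted keys Justin recommends in the session_register vs. $_SESSION thread, and the login guard discussed in the "login scripts not secure" thread. PHP 7.4+ is assumed; the user table is a constructed array, and what it holds is a password hash, never the password itself:

```php
<?php
// Added example (not from the thread). Assumes PHP 7.4+; user_store() is a
// constructed stand-in for a database lookup.

session_start();   // every page that reads or writes $_SESSION calls this first

/** Constructed user store; the hash is for the password "s3cret". */
function user_store(): array
{
    return ['alice' => ['id' => 42, 'hash' => password_hash('s3cret', PASSWORD_DEFAULT)]];
}

/** Replaces session_register("user") plus a global assignment: just write to $_SESSION. */
function login(string $name, string $password): bool
{
    $row = user_store()[$name] ?? null;
    if ($row === null || !password_verify($password, $row['hash'])) {
        return false;
    }
    session_regenerate_id(true);          // fresh id once the session gains privileges
    $_SESSION['user_id']   = $row['id'];  // quoted keys: no "undefined constant" notice
    $_SESSION['user']      = $name;
    $_SESSION['last_time'] = time();      // Rasmus's replacement for session_register("last_time")
    return true;                          // the password is verified, not stored
}

/** Replaces session_is_registered('user'). */
function is_logged_in(): bool
{
    return isset($_SESSION['user_id']);
}

/** Replaces session_unregister('user'); also drops the server-side session data. */
function logout(): void
{
    unset($_SESSION['user_id'], $_SESSION['user'], $_SESSION['last_time']);
    session_destroy();
}

/** Top of every admin page; public pages only need the session_start() above. */
function require_login(): void
{
    if (!is_logged_in()) {
        header('Location: /login.php', true, 302);
        exit;
    }
    $_SESSION['last_time'] = time();
}

// Collect results first: output before session_regenerate_id() would count as
// headers already sent, which is the same trap as with header().
$results = [];
$results['wrong password'] = login('alice', 'wrong');
$results['right password'] = login('alice', 's3cret');
$results['logged in']      = is_logged_in();
logout();
$results['after logout']   = is_logged_in();
var_dump($results);
```

Because nothing here touches a global named after a session key, the bug_compat_42 warning has no side-effect to report and goes away without changing php.ini; the browser-dependence James saw is coincidental, as Rasmus says.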



Re: [PHP] replacing chars in input

2004-03-23 Thread Michal Migurski
>I want to end up with
>
>  A-Za-z0-9_-
>
>(letters, numbers, underscore and dash).
>
>If there isn't a handy character class waiting for me, what must I do to
>get those chars replaced?

$out = preg_replace('/\W+/', '', $in);

-
michal migurski- contact info and pgp key:
sf/cahttp://mike.teczno.com/contact.html




Re: [PHP] fsockopen to spit out the HTTP's Location...

2004-03-23 Thread Michal Migurski
>In plain english, can't use the header("Location: "), so have to use
>the fsockopen() instead.  Just that header() is not allowed, don't ask me
>why. Just couldn't get the browser perform the HTTP LOCATION event.
>--snip--
>$host = "192.168.0.2";
>$port = 443;
>$url_str = "ssl://www.whatever.com?str1=true&str2=false&str3=true";
>
>$fp = fsockopen("ssl://".$host, $port, $errno, $errstr, $timeout = 30);
>--snip--
>  //send out to the browser.
>  fputs($fp, "Location: ".$url_str."\r\n");

That won't get sent to the browser, it will get sent to 192.168.0.2, which
is (I guess) some machine behind your router. You can't initiate a TCP
connection -- what fsockopen does -- with the client's machine.

I'll ask even though you said not to - Why doesn't header() work?

-
michal migurski- contact info and pgp key:
sf/cahttp://mike.teczno.com/contact.html




[PHP] Re: RE:[PHP] session_register vs. $_SESSION superglobal

2004-03-23 Thread Kim L. Laage
(This msg. may arrive twice, with two different senders, I've had a little
trouble with the news server)

Hi, thanks for your reply.

> first $_SESSION works like this:
>
> session_start();
> $_session[user]=$_POST[user];//if using register_globals=off
> $_SESSION[user]=$user;//if register_globals=on..unsafe though
>
> $_SESSION superglobal is an array (usually associative) meaning that the
> element of the array (the part in the []) is either a variable name or
some
> custom name instead of the element number
>
> $_POST[user] and $user are 2 different variables if
register_globals=off...

Just a couple of questions.
1. I tried adding the lines as you wrote them, but then I got a "Notice: Use
of undefined constant user - assumed 'user' in [FILENAME]", I assume I need
to add quotation marks around "user" on both sides of the equal sign, that
at least removes that notice.
2. I also get a "Notice: Undefined index: user in [FILENAME]", do I need to
declare the $_SESSION variable before populating it?


> to answer the second question about user/password names in scripts...if at
> all possible avoid it at any cost to yourself...even in an include file...
> use some other way to store/retrieve the user/password (mysql or something
> like that). and for me if its a password i usually encrypt it before
storing
> it..

This was what I thought too
The code we got from this person seems all messed up, I'm starting to wonder
if it wouldn't be easier for me to build things from scratch rather than try
to fix this *sigh*.
>
> hope that helps..

I'm pretty sure that it will, once I get my head around this 8-)

/KLL




[PHP] replacing chars in input

2004-03-23 Thread David T-G
Hi, all --

I would like to make things easier for my users and replace all of the
garbage characters

  `'";:[EMAIL PROTECTED]&*()[]{}<>/?\|+=

plus white space (\s) with underscores in the input.  I am, however,
having trouble getting my regexp to work.

I can comfortably do

  $i = preg_replace("/[\s]/","_",$i) ;

but trying to add other chars doesn't do a thing.

I want to end up with

  A-Za-z0-9_-

(letters, numbers, underscore and dash).

If there isn't a handy character class waiting for me, what must I do to
get those chars replaced?


TIA & HAND

:-D
-- 
David T-G  * There is too much animal courage in 
(play) [EMAIL PROTECTED] * society and not sufficient moral courage.
(work) [EMAIL PROTECTED]  -- Mary Baker Eddy, "Science and Health"
http://justpickone.org/davidtg/  Shpx gur Pbzzhavpngvbaf Qrprapl Npg!





RE: [PHP] SQL Injection check (mysql)

2004-03-23 Thread Pablo Gosse

> The idea is exactly not to do any queries dynamically generated based
> on user input! In the rare cases where this is needed you should not
> allow any unparsed input.  


A RARE case, in the world of web applications??? Hardly!

I agree that in an optimal situation queries will not be based on user
input, but in the world of the web this is a pipe dream.  In 99.99% of
the cases there will be some dynamic element to a query.  The only
safeguard is to validate the hell out of the data.

P.

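To make concrete what Chris Shiflett and Pablo Gosse are arguing in this thread, here is an added example (not code from either of them, nor from Michael Rasmussen) that puts a string-built query beside a prepared statement and shows where validation is still required even when prepared statements are used. It runs against an in-memory SQLite database through PDO so it needs no server, which is an assumption about the reader's environment (PHP 7.4+ with pdo_sqlite); the same calls work unchanged with a mysql: DSN. The hostile input is constructed:

```php
<?php
// Added example (not from the thread). Assumes PHP 7.4+ with pdo_sqlite.

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$pdo->exec("INSERT INTO users (name, email) VALUES ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

/** Vulnerable form: the query text is assembled from the request, so data can rewrite the SQL. */
function find_user_unsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Prepared statement: the SQL is fixed up front and the value travels separately. */
function find_user(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Filtering is still a must (Chris's point) for the parts of a query that
 * cannot be bound, such as the ORDER BY column: whitelist it, don't escape it.
 */
function list_users(PDO $pdo, string $orderBy): array
{
    $allowed = ['id', 'name', 'email'];
    if (!in_array($orderBy, $allowed, true)) {
        throw new InvalidArgumentException('unknown sort column');
    }
    return $pdo->query("SELECT id, name FROM users ORDER BY $orderBy")->fetchAll(PDO::FETCH_ASSOC);
}

$hostile = "x' OR '1'='1";   // constructed input that is data, not a name
printf("unsafe: %d rows, prepared: %d rows\n",
    count(find_user_unsafe($pdo, $hostile)), count(find_user($pdo, $hostile)));
printf("sorted: %s\n", implode(',', array_column(list_users($pdo, 'name'), 'name')));
```

The string-built query returns every row because the input changed the WHERE clause, while the prepared statement returns none because the same bytes were compared as a literal name. Neither approach helps with the sort column, which is why the third function validates against a fixed list: that is the "dynamic element" Pablo describes, and it exists in most real queries.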



Re: [PHP] Re: RE:[PHP] login scripts not secure?? help!

2004-03-23 Thread Scott Fletcher
Here's what I do, maybe this will help to give you an idea...

--snip--



--snip--
"Andy B" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> [snip]
> You can use the HTTP Authentication instead for username and password.
> [/snip]
>
> no i cant this time because the people want the login form to follow their
> color setup and stuff and with www-authenticate: box you cant do that...so
> for this project its out of the question...




Re: [PHP] Re: RE:[PHP] login scripts not secure?? help!

2004-03-23 Thread Scott Fletcher
Then do what I did, the script below is only an example..

--snip--


page1
--snip--

That way, no one sees the hidden code in HTML stuff like  or  for example.  Hope that will give you an idea...  :-)

FletchSOD

"Andy B" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> [snip]
> You can use the HTTP Authentication instead for username and password.
> [/snip]
>
> no i cant this time because the people want the login form to follow their
> color setup and stuff and with www-authenticate: box you cant do that...so
> for this project its out of the question...




[PHP] Re: RE:[PHP] session_register vs. $_SESSION superglobal

2004-03-23 Thread Scott Fletcher
> $_session[user]=$_POST[user];//if using register_globals=off
Actually, $_SESSION with a capital letters does work...




[PHP] RE:[PHP] session_register vs. $_SESSION superglobal

2004-03-23 Thread Andy B
[snip]
session_start();
$_SESSION = "user";
$_SESSION = "pass";

This doesn't work of course, but as I said I'm unsure of how the $_SESSION
superglobal is used, and the info I've found about it didn't shed much
light... I hope I'm just tired today 8-)

Another semi-related question is, is it common to include the username and
password for a site directly in the PHP code on a site... even if it is in
an include file?
[/snip]

first $_SESSION works like this:

session_start();
$_session[user]=$_POST[user];//if using register_globals=off
$_SESSION[user]=$user;//if register_globals=on..unsafe though

$_SESSION superglobal is an array (usually associative) meaning that the
element of the array (the part in the []) is either a variable name or some
custom name instead of the element number

$_POST[user] and $user are 2 different variables if register_globals=off...

to answer the second question about user/password names in scripts...if at
all possible avoid it at any cost to yourself...even in an include file...
use some other way to store/retrieve the user/password (mysql or something
like that). and for me if it's a password i usually encrypt it before storing
it..

hope that helps..

grin

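An added example, not code from Andy B or Kim L. Laage, of the "some other way" Andy suggests for keeping the site's own credentials out of PHP source: the values live in an ini file outside the web root, the loader refuses to read a file that other accounts can open, and only the parsed values reach the application. The path, the Unix permission model and PHP 7.4+ are assumptions; the demo writes a temporary file so it runs as is:

```php
<?php
// Added example (not from the thread). Assumes PHP 7.4+ on a Unix-like host;
// /etc/myapp/db.ini below is a placeholder path outside the document root.

function load_db_credentials(string $path): array
{
    if (!is_readable($path)) {
        throw new RuntimeException("credentials file not readable: $path");
    }
    // A world- or group-readable secrets file is one misconfiguration away
    // from being served or copied; insist on owner-only access.
    $mode = fileperms($path) & 0777;
    if (($mode & 0077) !== 0) {
        throw new RuntimeException(sprintf('%s is readable by others (mode %04o)', $path, $mode));
    }
    $ini = parse_ini_file($path, true, INI_SCANNER_TYPED);
    if ($ini === false || !isset($ini['database']['user'], $ini['database']['password'])) {
        throw new RuntimeException("missing [database] user/password in $path");
    }
    return $ini['database'];
}

// Constructed demo: write a temporary ini with tight permissions, load it,
// delete it. In production the file would be /etc/myapp/db.ini (placeholder),
// owned by the web server account with mode 0600.
$tmp = tempnam(sys_get_temp_dir(), 'dbini');
file_put_contents($tmp, "[database]\nhost = localhost\nuser = app\npassword = \"placeholder-only\"\n");
chmod($tmp, 0600);
$creds = load_db_credentials($tmp);
unlink($tmp);
echo 'would connect as ' . $creds['user'] . '@' . $creds['host'] . "\n";
```

An include file under the document root is not equivalent: if the server ever serves .php or .inc files as text (a misconfiguration, or a backup copy with a different extension), the credentials go out with the file.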



[PHP] session_register vs. $_SESSION superglobal

2004-03-23 Thread Kim L. Laage
Hi,

Newbie warning - this may be extremely simple.

I've been given a bit of code to get to work on our test machines, but at
the moment I'm drawing a blank. As far as I can tell the problem lies in the
dev. using a server environment with "register_globals = On", while we use
the default setting of "register_globals = Off".

The culprit in this seems to be this bit of code:

session_start();
session_register("user");
session_register("pass");


Which probably works with "register_globals = On", however I'd like to go
with the default and more safe setting of "register_globals = Off".

As far as I understand it I need to replace the two "session_register("*")"
lines with the superglobal $_SESSION, but I'm not sure of the syntax, at
first I tried this:

session_start();
$_SESSION = "user";
$_SESSION = "pass";

This doesn't work of course, but as I said I'm unsure of how the $_SESSION
superglobal is used, and the info I've found about it didn't shed much
light... I hope I'm just tired today 8-)


Another semi-related question is, is it common to include the username and
password for a site directly in the PHP code on a site... even if it is in
an include file?

-- 
/KLL






Re: [PHP] PHPSESSID in passthru

2004-03-23 Thread Raditha Dissanayake
Guillouet Nicolas wrote:

> Hi,
> I discovered a surprising thing with PHPSESSID. I tried something like this:
>
> $var="htmldoc -t html --quiet '' 'https://login:[EMAIL PROTECTED]/file.php?documentIdent=157&typeAffiche=3&PHPSESSID=068dd351a106bb6ead80e11a27f75100'";
> echo 'var='.$var;
> passthru($var);
>
> passthru waits and doesn't give the result.
>
> On the other hand, if I use another word than PHPSESSID it works. It
> seems to be a security constraint; how can I force PHP to use it?


Could be that your sessions are set up to work with cookies, this 
mechanism that you are using will not send the cookie to the browser and 
thus it causes the wait state.





--
Raditha Dissanayake.
-
http://www.radinks.com/print/upload.php
SFTP, FTP and HTTP File Upload solutions 

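An added example, not code from Guillouet Nicolas or Raditha Dissanayake, that builds the same kind of htmldoc command line without letting any request-supplied value reach the shell unquoted. The host name, output path and PHP version (7.4+) are assumptions; the document id and session id are the constructed values from the post. The session id is the caller's credential, so it is checked against the character set PHP actually uses, and the login:password pair is left out of the URL because command lines are visible in process listings:

```php
<?php
// Added example (not from the thread). Assumes PHP 7.4+ and that htmldoc is
// installed; intranet.example.org is a placeholder host.

/**
 * Build the htmldoc command with every variable part wrapped by
 * escapeshellarg(), so a document id or session id taken from a request
 * cannot close its quotes and be interpreted as a second shell command.
 */
function build_htmldoc_command(string $outFile, string $documentIdent, string $sessionId): string
{
    // Accept only the exact shapes expected before anything goes near a shell.
    if (!ctype_digit($documentIdent)) {
        throw new InvalidArgumentException('documentIdent must be numeric');
    }
    // PHP session ids consist of [A-Za-z0-9,-]; anything else is not a session id.
    if (!preg_match('/^[A-Za-z0-9,-]{22,128}$/', $sessionId)) {
        throw new InvalidArgumentException('session id has unexpected characters');
    }
    $url = 'https://intranet.example.org/file.php?' . http_build_query([
        'documentIdent' => $documentIdent,
        'typeAffiche'   => 3,
        'PHPSESSID'     => $sessionId,
    ]);
    return 'htmldoc -t html --quiet -f ' . escapeshellarg($outFile) . ' ' . escapeshellarg($url);
}

$cmd = build_htmldoc_command('/tmp/out.html', '157', '068dd351a106bb6ead80e11a27f75100');
echo $cmd, "\n";

// If this script itself holds the session named in the URL, close it before
// running the command: with the default files handler the session file stays
// locked until the script ends, so the sub-request would block on it.
// session_write_close();
// passthru($cmd);
```

Passing the id in the URL only works while session.use_only_cookies is off; with cookie-only sessions the fetched page starts a fresh session, which is the cookie effect Raditha describes.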


[PHP] Re: RE:[PHP] login scripts not secure?? help!

2004-03-23 Thread Andy B
[snip]
You can use the HTTP Authentication instead for username and password.
[/snip]

no i can't this time because the people want the login form to follow their
color setup and stuff and with www-authenticate: box you can't do that...so
for this project it's out of the question...




Re: [PHP] Bogus headers returned by firewalls

2004-03-23 Thread Christophe Chisogne
Pablo Gosse wrote:

> munging up the HTTP_REFERER for a page?

In HTTP, "Referer" is an OPTIONAL field in the HTTP/1.1 spec
(see RFC 2616). I saw many strange referers
(like 'Empty', 'bookmarks', 'XXX++', 'Removed by YYY', etc.)
sent or modified by security assistants, browsers, spiders...
You can throw away many referers because of this (perhaps 20%).
Some user agents (e.g. browsers) are broken and send bad referers
(some Mozilla, some browsers on Mac did this, from my memory).
Relying on the referer is not the best solution:
- it can be faked (using scripts, not a standard browser, well, ok)
- the referer is not mandatory and not reliable
- the problem will only rise (privacy concerns are the main reason;
  thousands of companies use systems 'cleaning' the referers)
Hope this helps

Christophe



Re: [PHP] Constants

2004-03-23 Thread Jakes
Thanks, will do.

"Red Wingate" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
Give this a read:

http://marc.theaimsgroup.com/?l=php-dev&m=107936530102181&w=2

On Tuesday, 23 March 2004 15:16, Red Wingate wrote:
> IIRC it was changed to
>   self::CONST_NAME recently
>
> interface Settings {
>const UNAME = "somename";
>const PWORD = "password";
>const SERVER = "localhost";
> }
>
> class Conn implements Settings {
>public function  __construct(){
>$dbConn = mysql_connect(self::SERVER, self::UNAME,
self::PWORD);
>   }
> }
>
>  -- red




[PHP] Re: RE:[PHP] login scripts not secure?? help!

2004-03-23 Thread Scott Fletcher
You can use the HTTP Authentication instead for username and password.

"Andy B" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> [snip]
> There is no way to inject any kind of data to the super-global Arrays at
all
> [snip]
>
> duhhh...how come i didnt think of that... well..guess its long nights
> without coffee.. tnx...




Re: [PHP] fsockopen to spit out the HTTP's Location...

2004-03-23 Thread Scott Fletcher
In plain English, can't use the header("Location: "), so have to use the
fsockopen() instead.  Just that header() is not allowed, don't ask me why.
Just couldn't get the browser to perform the HTTP LOCATION event.  It does work
when using fsockopen() for HTTP POST or GET as stated in the
http://us2.php.net/manual/en/function.fsockopen.php with the user's comment.
What could be more difficult than this?

--snip--
$host = "192.168.0.2";
$port = 443;
$url_str = "ssl://www.whatever.com?str1=true&str2=false&str3=true";

$fp = fsockopen("ssl://".$host, $port, $errno, $errstr, $timeout = 30);

if(!$fp){
  echo "$errstr ($errno)\n";
}else{
  //send out to the browser.
  fputs($fp, "Location: ".$url_str."\r\n");

  fclose($fp);
}

FletchSOD






Re: [PHP] Constants

2004-03-23 Thread Red Wingate
Give this a read:

http://marc.theaimsgroup.com/?l=php-dev&m=107936530102181&w=2

On Tuesday, 23 March 2004 15:16, Red Wingate wrote:
> IIRC it was changed to
>   self::CONST_NAME recently
>
> interface Settings {
>const UNAME = "somename";
>const PWORD = "password";
>const SERVER = "localhost";
> }
>
> class Conn implements Settings {
>public function  __construct(){
>$dbConn = mysql_connect(self::SERVER, self::UNAME, self::PWORD);
>   }
> }
>
>  -- red




Re: [PHP] Constants

2004-03-23 Thread Red Wingate
IIRC it was changed to
  self::CONST_NAME recently

interface Settings {
    const UNAME = "somename";
    const PWORD = "password";
    const SERVER = "localhost";
}

class Conn implements Settings {
    public function __construct() {
        $dbConn = mysql_connect(self::SERVER, self::UNAME, self::PWORD);
    }
}

 -- red




Re: [PHP] Constants

2004-03-23 Thread Jakes
If you define constants within an interface and then implement that
interface, it does not work on 5RC1.

This should work, but it displays the constant name rather than the value it
references:

interface Settings {
    const UNAME = "somename";
    const PWORD = "password";
    const SERVER = "localhost";
}

class Conn implements Settings {
    public function __construct() {
        $dbConn = mysql_connect(SERVER, UNAME, PWORD);
    }
}




"Jay Blanchard" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
[snip]
Not too fast.

From http://www.php.net/zend-engine-2.php


PHP 5 introduces per-class constants:


[/snip]

My bad. Still not a bug.




[PHP] RE:[PHP] login scripts not secure?? help!

2004-03-23 Thread Andy B
[snip]
There is no way to inject any kind of data to the super-global Arrays at all
[snip]

duhhh...how come i didn't think of that... well..guess it's long nights
without coffee.. tnx...




[PHP] session.bug_compat_42

2004-03-23 Thread James E Hicks III
What does the code look like that is causing this error? I know I can turn the 
error off but how do I fix the code that is causing it?

Warning: Unknown(): Your script possibly relies on a session side-effect which 
existed until PHP 4.2.3. Please be advised that the session extension does 
not consider global variables as a source of data, unless register_globals is 
enabled. You can disable this functionality and this warning by setting 
session.bug_compat_42 or session.bug_compat_warn to off, respectively. in 
Unknown on line 0

It only seems to appear when viewed using MSIE; Konqueror and Mozilla do not
display this error. Why?

Here is some example code that I am using.


Here are some settings from php.ini from the server that is giving the error.

/etc/php4/php.ini

register_globals = Off
[Session]
session.save_handler = files
session.save_path = /tmp
session.use_cookies = 1
session.name = PHPSESSID
session.auto_start = 1
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor = 100
session.gc_maxlifetime = 1440
session.bug_compat_42 = 1
session.bug_compat_warn = 1
session.referer_check =
session.entropy_length = 0
session.entropy_file =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset="


PHP 4.3.2 (cli) (built: Aug 12 2003 14:25:22)
Copyright (c) 1997-2003 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2003 Zend Technologies
with Turck MMCache v2.3.20, Copyright (c) 2002-2003 TurckSoft, St. Petersburg, by Dmitry Stogov


James Hicks




[PHP] Re: Constants

2004-03-23 Thread Jakes
You can keep constant variables in an interface, because they are
static and do not change. Trust me, it is a bug.

"Gerben" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> this is probably because Foo is an interface instead of a class. interfaces
> can't contain any data as far as I know.
>
> "Jakes" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> > The bug server looks like its down, so I will just post the bug here, and
> > hopefully someone
> > will spot it
> >
> > PHP version: 5RC1
> >
> > interface Foo {
> >   const MY_FOO = "hello world";
> >  }
> > class Bar implements Foo  {
> > public function displayFoo(){
> >print MY_FOO;
> > }
> > }
> > $obj = new Bar;
> >   $obj->displayFoo();
> > ?>
> >
> > The results should display "hello world", but it prints out MY_FOO.
> >
> > Thanks
> >
> > Jakes




Re: [PHP] login scripts not secure?? help!

2004-03-23 Thread Red Wingate
hi,

securepage.php?_SESSION[username]=admin&_SESSION[pwd]=password

would not register 'username' and 'pwd' to the $_SESSION array but
to the $_GET and $_REQUEST-Array like:

   $_GET['_SESSION']['username'] => 'admin'

There is no way to inject any kind of data to the super-global Arrays at all

Hope this helps,
   red

Am Dienstag, 23. März 2004 14:45 schrieb Andy B:
> hi
>
> in an attempt to create a login system for site administrators on a website
> i come into the following problem that bothers me because i can't find any
> way to fix it.
>
> problem:
> most login scripts/systems i look at for examples on how to make a login
> section from sessions (allow the administrator to go between login required
> pages and also be able to go to public pages) without having to login again
> (the only way an administrator has to "login again" is if they close the
> browser on that site)...
>
> i run into the deal where most login scripts check to see if
> $_SESSION[username] or a $_SESSION var has been set or is valid.  i noticed
> this could be a very bad thing because there is nothing stopping an outside
> link from doing something like:  href="securepage.php?_SESSION[username]=admin&_SESSION[pwd]=password">go to
> secure page and being valid (that is if they manage to hack the
> user/pwd)...
>
> any ideas how to create such a system?
>
> any ways around that?? i need a system that will not do that




Re: [PHP] login scripts not secure?? help!

2004-03-23 Thread Matt Matijevich

go
to secure page


Turn off register globals.

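To illustrate Red's point (the crafted query string only ever reaches $_GET, never $_SESSION) and Matt's advice (keep register_globals off), here is an added example of a session-backed admin check; it is not code from the thread, and the user table and credential in it are constructed samples.

```php
<?php
// Added example, not from the thread. Assumes register_globals is Off.
// With it Off, a request such as
//   securepage.php?_SESSION[username]=admin&_SESSION[pwd]=password
// only produces $_GET['_SESSION']['username'] = 'admin'; the real
// $_SESSION array is filled solely from the server-side session store.

// Refuse to run if the deployment still has register_globals On, since
// that setting imports request data into global scope.
if (ini_get('register_globals')) {
    die('register_globals must be Off');
}

session_start();

// Constructed sample user table; a real application would look the user
// up in a database and compare a password hash, not a cleartext value.
$users = array(
    'admin' => 'constructed-sample-password',
);

function is_logged_in() {
    // Only the server-populated session is consulted; nothing in $_GET,
    // $_POST or $_REQUEST can create this key.
    return isset($_SESSION['username']);
}

function login($username, $password) {
    global $users;
    if (isset($users[$username]) && $users[$username] === $password) {
        session_regenerate_id();            // fresh id after privilege change
        $_SESSION['username'] = $username;  // set only after verification
        return true;
    }
    return false;
}

// Handle a login form submission (POST only).
if (isset($_POST['username'], $_POST['password'])) {
    login($_POST['username'], $_POST['password']);
}

if (!is_logged_in()) {
    header('HTTP/1.0 403 Forbidden');
    echo 'please log in';
    exit;
}

// Show what the crafted query string actually produced: a nested $_GET entry.
if (isset($_GET['_SESSION'])) {
    echo 'ignored request parameter _SESSION: ';
    var_dump($_GET['_SESSION']);
}
echo 'welcome, ' . htmlspecialchars($_SESSION['username']);
```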



[PHP] Re: login scripts not secure?? help!

2004-03-23 Thread Gerben
try using $HTTP_SESSION_VARS[]

by the way. if hackers can find out the user-pass combination they can just
use the normal way of logging in ;-)

"Andy B" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
hi

in an attempt to create a login system for site administrators on a website
i come into the following problem that bothers me because i can't find any
way to fix it.

problem:
most login scripts/systems i look at for examples on how to make a login
section from sessions (allow the administrator to go between login required
pages and also be able to go to public pages) without having to login again
(the only way an administrator has to "login again" is if they close the
browser on that site)...

i run into the deal where most login scripts check to see if
$_SESSION[username] or a $_SESSION var has been set or is valid.  i noticed
this could be a very bad thing because there is nothing stopping an outside
link from doing something like:
go
to secure page
and being valid (that is if they manage to hack the user/pwd)...

any ideas how to create such a system?

any ways around that?? i need a system that will not do that




[PHP] Re: php and email

2004-03-23 Thread Gerben
try using '  instead of "


"Steven Mac Intye" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Hi all,
>
> Im wondering if anyone can help me with this "problem"
>
> I have a form with the following line of code;
>
> $message .= "
href=\"http://127.0.0.1/devsite/activate.php?member=$realname&hash=$initPass
\">Click
> here to activate\n";
>
> What I actually get is the following output;
>
>  Intyre&hash95aea7a8aee0fdcc90d7e9893c75bb3">Click here to activate
>
> You will see it is missing the "h" out of http and the "=" out of hash=
> ... also the first charactor of the hash variable is missing.
>
> Has anyone else seen this ? Know how to fix it ?
>
> PLEASE HELP
>
> Steven




[PHP] Re: Constants

2004-03-23 Thread Gerben
this is probably because Foo is an interface instead of a class. interfaces
can't contain any data as far as I know.

"Jakes" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> The bug server looks like its down, so I will just post the bug here, and
> hopefully someone
> will spot it
>
> PHP version: 5RC1
>
> interface Foo {
>   const MY_FOO = "hello world";
>  }
> class Bar implements Foo  {
> public function displayFoo(){
>print MY_FOO;
> }
> }
> $obj = new Bar;
>   $obj->displayFoo();
> ?>
>
> The results should display "hello world", but it prints out MY_FOO.
>
> Thanks
>
> Jakes




[PHP] login scripts not secure?? help!

2004-03-23 Thread Andy B
hi

in an attempt to create a login system for site administrators on a website i come
into the following problem that bothers me because i can't find any way to fix it.

problem:
most login scripts/systems i look at for examples on how to make a login section from 
sessions (allow the administrator to go between login required pages and also be able 
to go to public pages) without having to login again (the only way an administrator 
has to "login again" is if they close the browser on that site)...

i run into the deal where most login scripts check to see if $_SESSION[username] or a 
$_SESSION var has been set or is valid.  i noticed this could be a very bad thing 
because there is nothing stopping an outside link from doing something like:
go to secure 
page
and being valid (that is if they manage to hack the user/pwd)...

any ideas how to create such a system?

any ways around that?? i need a system that will not do that 
