[PHP-DEV] Warnings in HEAD
I still get these warnings:

glob.c(506): warning C4090: 'function': different 'const' qualifiers
glob.c(506): warning C4028: formal parameter 1 different from declaration
glob.c(506): warning C4090: 'function': different 'const' qualifiers
glob.c(506): warning C4028: formal parameter 2 different from declaration
filestat.c(556): warning C4090: 'function': different 'const' qualifiers
mbstring.c(1541): warning C4133: 'function': incompatible types - from 'int *' to 'mbfl_no_encoding *'
mbstring.c(2263): warning C4133: 'function': incompatible types - from 'int *' to 'mbfl_no_encoding *'
mbstring.c(2436): warning C4133: '=': incompatible types - from 'int *' to 'mbfl_no_encoding *'
mbstring.c(2438): warning C4133: '=': incompatible types - from 'int *' to 'mbfl_no_encoding *'
mbstring.c(2745): warning C4133: 'function': incompatible types - from 'int *' to 'mbfl_no_encoding *'
mbstring.c(3068): warning C4133: 'function': incompatible types - from 'int *' to 'mbfl_no_encoding *'
mbstring.c(3090): warning C4133: 'function': incompatible types - from 'int *' to 'mbfl_no_encoding *'
mbregex.c(2207): warning C4018: '=': signed/unsigned mismatch
mbregex.c(2390): warning C4018: '=': signed/unsigned mismatch
mbregex.c(3870): warning C4018: '=': signed/unsigned mismatch

-- Sebastian Bergmann http://sebastian-bergmann.de/ http://phpOpenTracker.de/ Did I help you? Consider a gift: http://wishlist.sebastian-bergmann.de/

-- PHP Development Mailing List http://www.php.net/ To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DEV] Re: [Zend Engine 2] RE: [PHP-DEV] REPOST: Class Autoloading [PATCH]
At 07:00 PM 6/13/2002 +0100, Ivan Ristic wrote: The second problem is that I don't see it working with nested classes. Is it good enough to only have this work with classes in the global scope? I am not really familiar with nested classes; is it because you don't know the name of the file in which a nested class is located? If so, I would say that trying to accommodate that would be an overkill. In any case, the programmer using nested classes can always write the __autoload() function that will be smart enough. The problem is that if you have MyClass1::MyClass2::MyClass3 then MyClass3 is looked up in the result of MyClass2 being looked up in MyClass1. If the lookup fails I can't tell __autoload() the path. The only thing I could do is possibly pass it the result of MyClass2 being looked up in MyClass1 and MyClass3. The question is if people will manage to handle this. I think it might be complicated and it might be best not to go in this direction. I see the problem. But I would also like to play with it to understand it better. Why don't you add the feature so that we can test it, and we will remove it later if it proves unusable? Well I usually don't like putting stuff into the CVS which I might remove later on. The most permanent things are temporary ones. In any case, I'll look it over again on the weekend. It might make sense to commit it and people will have to know that it only is meant for globally scoped classes (which kind of makes sense anyway). Andi
[PHP-DEV] Embedded libmysql update
Hello All, Upgrading the embedded libmysql is taking me far too long. I have asked for the core MySQL devs to take care of it. A rather tired and frustrated, --zak
[PHP-DEV] ext/xslt is not working in php 4.3-dev
Hi,

ext/xslt seems not to work anymore. I get

Warning: Sablotron error on line 1: XML parser error 3: no element found in /usr/local/apache/htdocs/test/sab.php on line 21

or

Warning: Sablotron error on line 1: unknown encoding '' in /usr/local/apache/htdocs/test/sab.php on line 21

(on the same file, if I hit Reload a few times, both messages appear from time to time)

I'm not sure if it's a bug (there is a bug report about that at http://bugs.php.net/bug.php?id=16193), but as the last entries in the changelog are:

revision 1.46 date: 2002/04/21 00:41:37; author: sterling; state: Exp; lines: +7 -3 expletives deleted.
revision 1.45 date: 2002/04/21 00:27:04; author: sterling; state: Exp; lines: +6 -6 some more fixes towards making it work again

It looks like sterling knows that it's not working, but the last commit is 7 weeks old... Had a quick check over the source files, but couldn't figure out what is going wrong. Anybody knows more about the state of this extension?

chregu
[PHP-DEV] PHP 4.3.0-dev-zend2-alpha segfaulting
Hi,

following script segfaults at

in doubleloop 10/22
Segmentation fault

<?php
class benchmark {
    var $index;

    // PHP 4 style constructor (method named after the class)
    function benchmark($num) {
        for ($i = 0; $i < $num; $i++) {
            $this->index = $i;
        }
    }
}

for ($i = 0; $i < 100; $i++) {
    for ($j = 0; $j < 100; $j++) {
        $arr[$i][$j] = new benchmark(100);
        echo "in doubleloop " . $i . "/" . $j . "\n";
    }
}
?>

with php 4.2.1 everything is fine

here is a bt:

#0 0x7059c7e8 in realloc () from /lib/libc.so.6
#1 0x7059c758 in realloc () from /lib/libc.so.6
#2 0x001940ac in _erealloc (ptr=0x313dd8, size=40960, allow_failure=0, __zend_filename=0x21ba50 /usr/local/php-4.3.0-dev-zend2-alpha1/Zend/zend_objects_API.c, __zend_lineno=51, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /usr/local/php-4.3.0-dev-zend2-alpha1/Zend/zend_alloc.c:298
#3 0x001c5254 in zend_objects_store_put (object=0x3a7c00, dtor=0x1c4440 zend_objects_destroy_object, clone=0) at /usr/local/php-4.3.0-dev-zend2-alpha1/Zend/zend_objects_API.c:51
#4 0x001c3f5c in zend_objects_new (object=0xefffdcc0, class_type=0x320ce8) at /usr/local/php-4.3.0-dev-zend2-alpha1/Zend/zend_objects.c:58
#5 0x001b3aa0 in _object_and_properties_init (arg=0x3a7560, class_type=0x320ce8, properties=0x0, __zend_filename=0x21bc10 /usr/local/php-4.3.0-dev-zend2-alpha1/Zend/zend_execute.c, __zend_lineno=2516) at /usr/local/php-4.3.0-dev-zend2-alpha1/Zend/zend_API.c:594
#6 0x001b3b9c in _object_init_ex (arg=0x3a7560, class_type=0x320ce8, __zend_filename=0x21bc10 /usr/local/php-4.3.0-dev-zend2-alpha1/Zend/zend_execute.c, __zend_lineno=2516) at /usr/local/php-4.3.0-dev-zend2-alpha1/Zend/zend_API.c:610
#7 0x001cf42c in execute (op_array=0x31b4a0) at /usr/local/php-4.3.0-dev-zend2-alpha1/Zend/zend_execute.c:2516
#8 0x001b1b18 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/local/php-4.3.0-dev-zend2-alpha1/Zend/zend.c:833
#9 0x001641fc in php_execute_script (primary_file=0xe8b8) at /usr/local/php-4.3.0-dev-zend2-alpha1/main/main.c:1373
#10 0x001d6008 in main (argc=2, argv=0xe9a4) at /usr/local/php-4.3.0-dev-zend2-alpha1/sapi/cli/php_cli.c:674

regards

-- Hakan Kuecuekyilmaz, University of Applied Sciences Esslingen, Germany [EMAIL PROTECTED] | [EMAIL PROTECTED] | [EMAIL PROTECTED]
[PHP-DEV] CVS Account Request: dmitry83
translating PHP documentation into Russian
Re: [PHP-DEV] Instantiating Objects ?
On Thu, 13 Jun 2002, brad lafountain wrote: There is no transparent way of creating a c++ object from php. What you can do is create a php extension that will proxy the calls to your c++ object. Once you do that you can pass anything into your c++ class (querystring). Take a look at ext/* in the source distribution. - brad

You may also want to look at the Universe CORBA extension: http://universe.2good.nu

--- Kevin Caporaso [EMAIL PROTECTED] wrote: Is it possible to instantiate an object from one of my c++ shared libraries (goo.so) and then call methods on that object? How efficient is PHP's way of doing it? (if possible) Also, can I pass things like the querystring and form data into that instantiated object? Thanks for any response! $Kevin

-\- David Eriksson -/- I personally refuse to use inferior tools because of ideology. - Linus Torvalds
[PHP-DEV] regarding bug #12647 - should sprintf(%f, ...) be locale-aware?
it is in C, using the decimal point settings from current locale instead of just always '.' i have patched formatted_print.c to be aware of this but i'm not yet sure about the BC consequences ... -- Hartmut Holzgraefe [EMAIL PROTECTED] http://www.six.de/ +49-711-99091-77
Re: [PHP-DEV] ZEND_MODULE_API_NO in HEAD
I _think_ it's supposed to be same now..or maybe a bit higher in HEAD (don't remember if there were any such changes in Zend which breaks the compatibility). --Jani On Fri, 14 Jun 2002, Stefan Livieratos wrote: Hi, the ZEND_MODULE_API_NO (zend_modules.h) is different in the php_4_2_1 and the HEAD branches. Is that supposed to be so? Regards Stefan Livieratos
[PHP-DEV] CVS Account Request: lboshell
I want to help translating PHP documentation (the manual, basically) into Spanish. Thanks.
Re: [PHP-DEV] Any chance of php_pear.dll?
On Mon, 2002-06-03 at 21:35, Michael Dransfield wrote: Is there any chance of including php_pear into the latest snap at snaps.php.net ?? I know it is very beta... but I'd at least like to experiment on my windows machine I notice you have included dotnet stuff, but not your own Pleea ;)

php_pear.dll is outdated and unsupported.

- Stig

-- Stig Sæther Bakken, Fast Search & Transfer ASA, Trondheim, Norway http://pear.php.net/wishlist.php/ssb
Re: [PHP-DEV] Patch-tastic!
On Wed, 2002-06-05 at 10:44, Ilker Cetinkaya wrote: Sebastian Bergmann [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]... Andrei Zmievski wrote: The latest one changes some operators. Nice, but why not overload + for strings to do the concatenation? i totally agree, overloading + for string concat is really desirable. imho using - for member object access is ok. i see php more likely to be a c++ derivate than java or c#. just my .02c

I guess you should have been here when PHP 3 came out and + suddenly no longer did string concatenation. There has been consensus on not overloading operators since then. Don't expect this to change.

- Stig

-- Stig Sæther Bakken, Fast Search & Transfer ASA, Trondheim, Norway http://pear.php.net/wishlist.php/ssb
Re: [PHP-DEV] Registering classes in PHP extension
On Fri, 2002-06-07 at 14:21, Eunsoo Seo wrote: Hi. Any manual about registering classes in PHP extension? I found that the function zend_register_internal_class can do that. And I read some code in ext/ that contains that function, but I can hardly understand that code. Any manual or tutorial about that topic?

There is some example code in pear/PEAR/pear.c.

- Stig

-- Stig Sæther Bakken, Fast Search & Transfer ASA, Trondheim, Norway http://pear.php.net/wishlist.php/ssb
Re: [PHP-DEV] PECL != Siberia
Okay, one problem seems to be solved: go-pear supports Windows now. Download http://pear.php.net/go-pear and do php -q go-pear. Next issue is prebuilt extensions. I really want to have package signatures (with pgp/gpg) before going there, but again I'm not sure what the most feasible approach would be on Windows. Anyway, here's what I have in mind: Today packages have a layout like this:

package.xml
pkg-version/file1
pkg-version/file2
pkg-version/file3
...

During pear package, the package.xml file is re-created including md5 checksums of all the files. By just adding a package.sig file during packaging that contains package.xml's signature, the entire package is in practice signed. By default, the pear installer should only install prebuilt extensions signed by a trusted key (we have to bootstrap this trust network somehow too). As an option, you may add trusted keys or disable the signing requirement for prebuilt extensions and pre/post install/uninstall scripts. Some advice on how to verify pgp signatures on Windows would be appreciated though. :-)

- Stig

On Mon, 2002-06-10 at 22:05, Shane Caraveo wrote: It's a tough one :) Well, being able to build like on unix shouldn't be too hard to do, just have to call nmake on the dsp, but that won't work for the vast majority of users. Someone needs to provide prebuilt extensions that can be downloaded via pear, and unfortunately, I don't see any way other than having a build per version of PHP. So the built extensions would have to have a filename like: extname-phpversion-extversion.zip. Another idea would be to have the extensions built for windows on the server side, and cached if one was already built. Shane

Stig S. Bakken wrote: You tell me :) We currently have no nice way of bootstrapping PEAR on Windows like we have on Unix (with make install-pear-installer and go-pear). What would be the most sensible way of giving Windows users something ala go-pear? - Stig

On Sun, 2002-06-09 at 18:49, Shane Caraveo wrote: Hmm, what is happening for win32?

Stig S. Bakken wrote: With the latest PEAR installer (version 0.90), PECL extensions are now built and installed during pear install/upgrade on Unix systems. First: upgrade PEAR to 0.9 with pear upgrade PEAR. If you have the xmms libraries and php_gtk installed, you can see it in action by doing simply pear install xmms. The output is like this:

-- Stig Sæther Bakken, Fast Search & Transfer ASA, Trondheim, Norway http://pear.php.net/wishlist.php/ssb
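The signing scheme proposed in the message above (per-file md5 checksums inside package.xml, one signature over package.xml in package.sig, install only when the signer is trusted), as an added Python example that is not PEAR's code. Assumptions: the manifest is a simplified, constructed package.xml, and an HMAC stands in for the detached pgp/gpg signature so the block runs with the standard library alone; MD5 is kept because the message specifies it, although it is no longer collision resistant and a current manifest would carry SHA-256. All function names, key ids and file contents are constructed.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample package, using the layout from the message.
FILES = {
    "pkg-1.0/file1": b"first file\n",
    "pkg-1.0/file2": b"second file\n",
}
# Constructed key ring (key id -> secret); stand-in for trusted PGP public keys.
TRUSTED_KEYS = {"packager-1": b"constructed-demo-key"}


def build_manifest(files):
    """Create a simplified package.xml listing every file with its md5 checksum."""
    root = ET.Element("package")
    for name in sorted(files):
        digest = hashlib.md5(files[name]).hexdigest()
        ET.SubElement(root, "file", {"name": name, "md5sum": digest})
    return ET.tostring(root)


def sign_manifest(manifest, key):
    """Stand-in (HMAC-SHA256) for the detached signature kept in package.sig."""
    return hmac.new(key, manifest, hashlib.sha256).hexdigest()


def verify_package(manifest, signature, key_id, files, trusted=TRUSTED_KEYS):
    """Return "ok", or the reason the package must not be installed."""
    key = trusted.get(key_id)
    if key is None:
        return "untrusted key"
    # Authenticate the manifest before parsing it or trusting any checksum in it.
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return "bad signature"
    listed = {f.get("name"): f.get("md5sum")
              for f in ET.fromstring(manifest).iter("file")}
    # A file that is shipped but not listed is not covered by the signature.
    if set(listed) != set(files):
        return "file list mismatch"
    for name in sorted(files):
        if hashlib.md5(files[name]).hexdigest() != listed[name]:
            return "checksum mismatch: " + name
    return "ok"


def demo():
    """Run the intact package and four tampering cases through the verifier."""
    manifest = build_manifest(FILES)
    sig = sign_manifest(manifest, TRUSTED_KEYS["packager-1"])
    results = {"intact": verify_package(manifest, sig, "packager-1", FILES)}

    tampered = dict(FILES)
    tampered["pkg-1.0/file2"] = b"second file, modified\n"
    results["file modified"] = verify_package(manifest, sig, "packager-1", tampered)
    # Regenerating the checksums hides the file change but breaks the signature.
    results["manifest regenerated"] = verify_package(
        build_manifest(tampered), sig, "packager-1", tampered)

    extra = dict(FILES)
    extra["pkg-1.0/postinstall"] = b"unlisted\n"
    results["unlisted file added"] = verify_package(manifest, sig, "packager-1", extra)
    results["unknown signer"] = verify_package(manifest, sig, "someone-else", FILES)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The order of checks matters: the signature is verified over the exact manifest bytes first, and the file set must equal the listed set, since the scheme only protects files that package.xml names.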
Re: [PHP-DEV] Zend 2 const class members private?
On Mon, 2002-06-10 at 22:37, Leendert Brouwer wrote: I have just started experimenting with the Zend 2 engine, and totally love the new OO features. I'm not sure whether this has been discussed or not (I couldn't find it in the archives, anyway), but I ran into a few things: Constant class members seem to be private by default. I cannot access them by doing $instance->CONSTNAME Is this expected behaviour? I'd expect constants to be public by default, just like regular variables, unless specified otherwise (when I try doing: private const FOO = bar; I get a parse error). Same for private static. Is this all going to change? It seems a bit illogical now. Thanks

Constants belong to the class, not the instance. Try Class::CONSTNAME instead.

- Stig

-- Stig Sæther Bakken, Fast Search & Transfer ASA, Trondheim, Norway http://pear.php.net/wishlist.php/ssb
Re: [PHP-DEV] html tokenizer to add to tokenizer?
Good idea. I assume you want this for WidgetHTML.php? ;-)

- Stig

On Wed, 2002-06-12 at 14:26, Alan Knowles wrote: Attached hopefully is the re2c source for a html tokenizer - I added it to tokenizer.c - any thoughts on inclusion? regards alan

enum {
    STATE_PLAIN = 0,
    STATE_TAG,
    STATE_NEXT_ARG,
    STATE_ARG,
    STATE_BEFORE_VAL,
    STATE_VAL
};

/*!re2c
any = [\000-\377];
N = (any\[<]);
alpha = [a-zA-Z];
alphanumeric = [a-zA-Z0-9];
*/

#define YYFILL(n) goto stop
#define YYCTYPE unsigned char
#define YYCURSOR xp
#define YYLIMIT end
#define YYMARKER q
#define STATE state

PHP_FUNCTION(token_html)
{
    char *source = NULL;
    int argc = ZEND_NUM_ARGS();
    int source_len;
    int state;
    char *end, *q;
    char *xp;
    char *start;
    zval *tag, *attribute;

    if (zend_parse_parameters(argc TSRMLS_CC, "s", &source, &source_len) == FAILURE)
        return;

    YYCURSOR = source;
    YYLIMIT = source + source_len;
    STATE = STATE_PLAIN;
    array_init(return_value);

    switch (STATE) {
        case STATE_PLAIN: goto state_plain;
        case STATE_TAG: goto state_tag;
        case STATE_NEXT_ARG: goto state_next_arg;
        case STATE_ARG: goto state_arg;
        case STATE_BEFORE_VAL: goto state_before_val;
        case STATE_VAL: goto state_val;
    }

    /* I need to split the stuff into:
       array ( TAG, array(name=value,name=value)) or string
       add_next_index_zval(return_value, tag);handle_tag(STD_ARGS); */

state_plain_begin:
    STATE = STATE_PLAIN;

state_plain:
    start = YYCURSOR;
/*!re2c
  "<" { STATE = STATE_TAG; goto state_tag; }
  N+ { add_next_index_stringl(return_value, start , xp - start , 1); goto state_plain; }
*/

state_tag:
    start = YYCURSOR;
    // start - xp contains current pos,
    // needs to deal with comments <!-- and <?xml or php etc.
/*!re2c
  [/!]? alphanumeric+ { MAKE_STD_ZVAL(tag); array_init(tag); add_next_index_stringl(tag, start, xp - start, 1); goto state_next_arg_begin; }
  "!" "-" "-" { MAKE_STD_ZVAL(tag); array_init(tag); add_next_index_stringl(tag, start, xp - start, 1); goto state_comment_begin; }
  any { add_next_index_stringl(return_value, "<", 1, 1); --YYCURSOR; goto state_plain_begin; }
*/

state_comment_begin:
    start = YYCURSOR;

state_comment_next:
/*!re2c
  "-" "-" ">" { add_next_index_stringl(tag, start, xp - start -3, 1); add_next_index_zval(return_value, tag); goto state_plain_begin; }
  any { goto state_comment_next; }
*/

state_next_arg_begin:
    STATE = STATE_NEXT_ARG;
    // at first bit after or just after a name or name=''

state_next_arg:
    start = YYCURSOR;
/*!re2c
  ">" { add_next_index_zval(return_value, tag); goto state_plain_begin; }
  [ \v\t\n]+ { goto state_next_arg; }
  alpha { --YYCURSOR; STATE = STATE_ARG; goto state_arg; }
  "/" { MAKE_STD_ZVAL(attribute); array_init(attribute); add_next_index_stringl(attribute, start, xp - start, 1); add_next_index_zval(tag, attribute); goto state_next_arg; }
  ["] (any\["])* ["] { MAKE_STD_ZVAL(attribute); array_init(attribute); add_next_index_stringl(attribute, start + 1, xp - start -2, 1); add_next_index_stringl(attribute, "\"", 1, 1); add_next_index_zval(tag, attribute); goto state_next_arg_begin; }
  ['] (any\['])* ['] { MAKE_STD_ZVAL(attribute); array_init(attribute); add_next_index_stringl(attribute, start + 1, xp - start -2, 1); add_next_index_stringl(attribute, "'", 1, 1); add_next_index_zval(tag, attribute); goto state_next_arg_begin; }
  any { add_next_index_zval(return_value, tag); goto state_plain_begin; }
*/

state_arg:
    start = YYCURSOR;
/*!re2c
  alpha+ { MAKE_STD_ZVAL(attribute); array_init(attribute); add_next_index_stringl(attribute, start, xp - start, 1); STATE = STATE_BEFORE_VAL; goto state_before_val; }
  any { --YYCURSOR; STATE = STATE_ARG; goto state_next_arg; }
*/

state_before_val:
    start = YYCURSOR;
/*!re2c
  [ ]* "=" [ ]* { STATE = STATE_VAL; goto state_val; }
  any { add_next_index_zval(tag, attribute); --YYCURSOR; goto state_next_arg_begin; }
*/

state_val:
    start = YYCURSOR;
/*!re2c
  ["] (any\["])* ["] { add_next_index_stringl(attribute, start + 1, xp - start -2, 1); add_next_index_stringl(attribute, "\"", 1, 1); add_next_index_zval(tag, attribute); goto state_next_arg_begin; }
  ['] (any\['])* ['] { add_next_index_stringl(attribute, start + 1, xp - start -2, 1); add_next_index_stringl(attribute,
Re: [PHP-DEV] html tokenizer to add to tokenizer?
Stig S. Bakken wrote: Good idea. I assume you want this for WidgetHTML.php? ;-)

Yeah, hopefully it would remove the need for preg_matching in there.. Will get back to this in a few days - want to clear off some other stuff... regards alan

- Stig On Wed, 2002-06-12 at 14:26, Alan Knowles wrote: Attached hopefully is the re2c source for a html tokenizer - I added it to tokenizer.c - any thoughts on inclusion? regards alan
[PHP-DEV] register_globals vs session.force_nocookie
Hi. Last here, same period, I found that nasty thing in ?_PHPLIB[libdir]=http:// It was the nefarious start of the register_globals=off saga.

Now Sascha has agreed to add a session.use_only_cookie directive, because session.use_cookie wasn't doing it really all the times. In fact, contrary to what is advertised, session.use_cookie doesn't use cookies if a SID is found in the URL, and can so be forced to use a user_provided variable when it should not.

The winning argument, for the new session.use_only_cookies, has been that, with the actual settings, there cannot exist a situation in which PHP would discard the ID in the URL, and go cookie_or_nothing, as the banks do. It is forceable. Even if the client has cookies enabled. You know, really secure sites use *only cookies* propagation, or you don't do your home banking. Because cookies are the closest thing that can assure that we are speaking to the same client, that no one can take over a session.

The basis for this behavior of session.use_cookie is that we may not know when cookies are enabled, not on the very first hit, when I suppose a redirect to self is made and the cookie is then checked for presence. The aim to use cookies, if available, is because cookie is an acronym of 'not transferable among clients that support cookies', that is it goes as close as possible to identify a single client.

My interpretation of session.use_cookie is: if cookies are enabled, try to use them as a propagation because they cannot be transferred among clients (see the acronym above). If this is the aim, and on coming back from the redirect we found a cookie, still the presence of a user-provided SID in the url should make us suspicious. If we want to prevent session takeovers, here we are in presence of a transfer. We couldn't know that cookies were enabled the very first hit, but now we know it, and there is a SID in the URL... someone is forcing a transfer. Discard the sid and issue a new cookie. Once we know cookies are enabled we should stick to them, not because they are a better way of storage, but because they guarantee uniqueness of the client. So why should we allow a transfer from outside?

All this is apart from other concerns, as the possibility to create session_id at will, with pleasing and easy-to-remember values, to be offered around for those 'social engineering' attacks, with no hope for the poor cookie-enabled victim to avoid it. Isn't this similar to the register_globals=on problem, where untrusted user provided values can make their way inside the script? Isn't this variable even more important, to let it in?

Giancarlo Pinerolo
Re: [PHP-DEV] register_globals vs session.force_nocookie
I was wondering (I'm probably wrong, it's almost 6am here :) that wouldn't the real fix for this without having to add yet-another-ini-option have been to fix this so that logic with session.use_cookies and session_use_trans_sid worked like it was (?) meant to work. ie. session.use_cookies=1 and session_use_trans_sid=0 would not use any other session id but the one provided by the cookie? btw. Cookies can be forged too..

--Jani
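The three session-ID selection rules argued over in this thread, as a small Python model (an added example, not PHP's session code and not written by either poster). `url_wins` follows the behaviour the first message describes for session.use_cookie, `only_cookies` is the cookie-or-nothing rule, and `discard_on_transfer` is the "discard the sid and issue a new cookie" proposal; the function names, the `Request`/`Decision` types and the sample IDs are assumptions made for the illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Request:
    cookie_sid: Optional[str] = None  # session ID sent in the Cookie header
    url_sid: Optional[str] = None     # session ID sent in the query string


@dataclass(frozen=True)
class Decision:
    sid: str          # ID the server will use for this request
    source: str       # "url", "cookie" or "new"
    suspicious: bool  # True when a URL ID arrives from a client that sent a cookie


def new_sid() -> str:
    """Server-generated, unguessable ID."""
    return secrets.token_hex(16)


def url_wins(req: Request) -> Decision:
    """Behaviour the first message describes: a SID in the URL is used when present."""
    if req.url_sid:
        return Decision(req.url_sid, "url", False)
    if req.cookie_sid:
        return Decision(req.cookie_sid, "cookie", False)
    return Decision(new_sid(), "new", False)


def only_cookies(req: Request) -> Decision:
    """Cookie or nothing: the URL parameter is never read."""
    if req.cookie_sid:
        return Decision(req.cookie_sid, "cookie", False)
    return Decision(new_sid(), "new", False)


def discard_on_transfer(req: Request) -> Decision:
    """Proposal in the first message: cookie plus URL SID means a forced transfer."""
    if req.cookie_sid and req.url_sid:
        return Decision(new_sid(), "new", True)
    if req.cookie_sid:
        return Decision(req.cookie_sid, "cookie", False)
    if req.url_sid:
        # First hit or cookie-less client: the URL ID is still accepted.
        return Decision(req.url_sid, "url", False)
    return Decision(new_sid(), "new", False)


def lands_on_planted_id(policy: Callable[[Request], Decision],
                        planted: str, victim_cookie: Optional[str]) -> bool:
    """True when a link carrying `planted` puts the visitor on that session."""
    return policy(Request(cookie_sid=victim_cookie, url_sid=planted)).sid == planted


def compare(planted: str = "easy-to-remember", cookie: str = "c0ffee" * 5):
    """Outcome per policy for a returning visitor (has cookie) and a first hit."""
    policies = {"url_wins": url_wins, "only_cookies": only_cookies,
                "discard_on_transfer": discard_on_transfer}
    return {name: {"returning": lands_on_planted_id(p, planted, cookie),
                   "first_hit": lands_on_planted_id(p, planted, None)}
            for name, p in policies.items()}


if __name__ == "__main__":
    for name, outcome in compare().items():
        print(name, outcome)
```

In this model only `only_cookies` keeps the visitor off the externally supplied ID in both cases; `discard_on_transfer` protects a visitor who already sent a cookie but still accepts the URL ID on a first hit.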