Re: [PHP] Compile
From: raditha dissanayake [EMAIL PROTECTED]
> i think you are looking for something like turck mmcache.

Do you know if Turck MMCache works with PHP 5.0?

Teddy

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP templates
Hi,

I took a look at the Smarty and Savant templating systems, and I like a few things from both of them. However, none of them are satisfactory. I don't like Smarty because it needs another language and I find Savant more easy to use.

I would like to have a templating system that:

1. Separates:
   - the programming part (the main programs and the modules)
   - the structure and main design of the site (the templates)
   - The content of the site, this meaning the body text, the title, keywords, and all other variables.
   - Other files that can be included, like Javascript, .css, images, files that can be downloaded, etc.
2. The templates should handle more languages, and all the content parts should be able to appear in every language supported.
3. The program should be able to create a cache but not one containing PHP, but one that is just simple html that can be loaded from a cached file and presented to the client. (I don't know how to decide yet when to re-create the cached file)

If someone uses this templating system, someone can modify the design by modifying the templates and this change will be reflected in every language. If a translator adds a new language or modifies a certain translation, the design won't be affected. The programmer could add a new program for a new page that does something new, or new modules, etc.

I couldn't find such a thing yet and I think I will have to create it.

Teddy

- Original Message -
From: Justin French [EMAIL PROTECTED]
To: Octavian Rasnita [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, August 16, 2004 4:38 AM
Subject: Re: [PHP] PHP templates

> On 15/08/2004, at 7:02 AM, Octavian Rasnita wrote:
> > Hi all,
> > I have seen that there are many templating systems for PHP. Which is the most used and the best you have found? Can you recommend me a free and good templating system?
Re: [PHP] Compile
I think it still works with the old one, it has not yet released a stable version for 5.0 and i think for 4.3.6? only in beta. hmm, better check their site out to know the full details.

thanks

On Mon, 16 Aug 2004 09:32:52 +0300, Octavian Rasnita [EMAIL PROTECTED] wrote:
> From: raditha dissanayake [EMAIL PROTECTED]
> > i think you are looking for something like turck mmcache.
>
> Do you know if Turck MMCache works with PHP 5.0?
>
> Teddy

--
Louie Miranda
http://www.axishift.com
[PHP] Inline diff coded in PHP
I'm looking for PHP code that will produce diffs between two texts, and render them inline. By that I mean not the standard *nix diff output, which compares and outputs lines, but a diff that compares inline text and outputs the bits before and after in place, marked with a custom span or something.

Example of *nix diff:

    - this is the old line
    + this is the new line

Example of what I need:

    this is the <span class="old">old</span> <span class="new">new</span> line

I've seen this done in the htmldiff package, which is a C program. Except I don't want to diff HTML code, but regular text. I actually need this for a wiki engine, so it can present diffs between page changes in a better way.

So:

* Anybody seen such code? The PEAR diff only does line diffs.
* Know of any GPL'd wiki engine which has my kind of diffs already implemented (as PHP?)
* Any pointers about how I should go about writing my own such diff?

--
Romanian Web Developers - http://ROWD.ORG
[PHP] Failing of imagecreatefromstring function
I've been using func imagecreatefromstring for creating JPEGs obtained from MySQL database. The function sometimes fails terminating script with no error message. Has somebody reached such problem? I don't want to save images to temp files. Linux 2.4.26, PHP 4.3.8, gd 2.0 or higher
[PHP] mail() on *nix using ssmtp or an external smtp server?
Hello all!

I have a frustrating problem with PHP and am hoping someone on the list might know a solution. I need to set up an apache server with php on Linux and AIX machines, and it all has to be in a chrooted environment. Most things work very well except for the mail() function.

It appears that PHP on *nix systems is hard coded so that it is incapable of using an external smtp server, instead needing a locally installed sendmail; however, if php is built on a windows machine, it is hardcoded so it can only use an external smtp server. There seems to be no way around this. In terms of the design of PHP, I think this is a serious error.

As a result of the above problem, I have been looking for alternatives to sendmail, postfix, exim, and qmail because I need to not have any kind of full featured MTA in the chrooted environment. I found ssmtp[1] and esmtp[2], both of which would be satisfactory alternatives to sendmail and crew. Despite having both of these working from the command line in the chrooted environment, neither works with PHP when setting them with the sendmail_path option in php.ini.

So my questions:

- Does anyone know of a way to make PHP on *nix use an external smtp server without having to hack around in the source code of PHP?
- Has anyone got either ssmtp or esmtp working with PHP?

I would greatly appreciate if someone could offer a solution to me.

best regards
Markus

[1]. http://packages.debian.org/stable/mail/ssmtp.html
[2]. http://esmtp.sourceforge.net/
Re: [PHP] looking for a good FormMail PHP script
raditha dissanayake wrote:
> This mail probably shows how little you know about matt wright's FormMail more than anything else - just to give you an idea it's banned on all shared servers of our ISP.

I'm very aware of the FormMail.pl's problems and bugs, and I'm definitely not going to use it... didn't you read in my previous mails, that I said that I wanted a similar script but that it lacked of Matt's script security and SPAM-exploitable problems??

If I liked Matt script, I'd just use it instead of looking for another different script, don't you think??

It seems like *you have obviously not read my previous e-mails* ;)

Anyway, this is getting off-topic, so let's cut it here..

regards,
Juan
Re: [PHP] mail() on *nix using ssmtp or an external smtp server?
Hi Markus,

do I get you right, you can't invoke mail() because php can't find the sendmail executable? perhaps this does the trick:

    function my_mail_inject($mail)
    {
        // Use the configured sendmail_path, falling back to qmail-inject
        $sendmail = ini_get("sendmail_path");
        if (!$sendmail) $sendmail = "/var/qmail/bin/qmail-inject";
        // Pipe the complete message (headers and body) to the injector
        $p = popen($sendmail, "w");
        if ($p) {
            fwrite($p, $mail);
            pclose($p);
            return 1;
        }
        return 0;
    }

(this is something I actually use on a beta-production-system.)

$mail must contain a complete mail with all necessary headers. qmail-inject is ~ equal to sendmail -t (-i is ignored in qmail's sendmail.)

this solution also helped me out of my dilemma that php reformats mail and adds extra headers and so on. Here I have full control over all headers :o)

Hope you see your qmail installation in chroot'd env. else: good luck. I know it's not an external mta to deliver.

If this does not help you at all have a look at the sources and hack 'em 'till they fit your needs #

Ste'reinvent the wheel'phan
[PHP] System Tray Icon
Hi all. I just wanted to throw this message in here and get some opinions before I go off developing something So will post in the correct newsgroup later (when I find which newsgroup I need). Before I post a more thorough thread in the correct area I just wanted to find out if this was achievable and what tools I'd need. Basically: I would like to drop a system tray icon onto the user's PC that links them to a website. I'd also like to develop a separate one that flashes when a page is changed. How difficult would this be to do...? Would it mean using VB, could I use something less expensive perhaps or is it just not possible at all...? -- - Michael Mason Arras People www.arraspeople.co.uk -
[PHP] Mutual authentication with ldap_start_tls()
Hi php-general, I am trying to make my web server (Apache 2 + mod_ssl) connect to my ldap server with mutual authentication using PHP. This means I want them to exchange their certificate. For this purpose, I connect to ldap on port 389 then start TLS using ldap_start_tls(). This works perfectly as long as I do not make my ldap server require client certificate. It seems to me that the web server is not able to send its certificate. I did not find any documentation on the use of TLS with PHP. I do not even know what is used to validate my ldap server certificate! If anyone knows how to help (documentations, ideas, tips,...), I would be really grateful Thanks Steph
RE: [PHP] System Tray Icon OT
[snip]
I just wanted to throw this message in here and get some opinions before I go off developing something So will post in the correct newsgroup later (when I find which newsgroup I need). Before I post a more thorough thread in the correct area I just wanted to find out if this was achievable and what tools I'd need. Basically: I would like to drop a system tray icon onto the user's PC that links them to a website. I'd also like to develop a separate one that flashes when a page is changed. How difficult would this be to do...? Would it mean using VB, could I use something less expensive perhaps or is it just not possible at all...?
[/snip]

Please place an OT in the subject line when you are relatively sure that your post is not PHP. Have you googled?

http://www.google.com/search?hl=en&ie=UTF-8&q=create+System+Tray+icon

You can also search http://msdn.microsoft.com (M$ Developer's Network)
Re: [PHP] looking for a good FormMail PHP script
Juan Nin wrote:
> raditha dissanayake wrote:
> > This mail probably shows how little you know about matt wright's FormMail more than anything else - just to give you an idea it's banned on all shared servers of our ISP.
>
> I'm very aware of the FormMail.pl's problems and bugs, and I'm definitely not going to use it... didn't you read in my previous mails, that I said that I wanted a similar script but that it lacked of Matt's script security and SPAM-exploitable problems??
>
> If I liked Matt script, I'd just use it instead of looking for another different script, don't you think??
>
> It seems like *you have obviously not read my previous e-mails* ;)

I have read your mail but didn't bother to pay attention to the details because you have so obviously not bothered to RTFM before you posted your original message.

> Anyway, this is getting off-topic, so let's cut it here..

yes lets.

--
Raditha Dissanayake.
http://www.radinks.com/sftp/          | http://www.raditha.com/megaupload
Lean and mean Secure FTP applet with  | Mega Upload - PHP file uploader
Graphical User Interface. Just 128 KB | with progress bar.
Re: [PHP] System Tray Icon
Harlequin wrote:
> Hi all.
>
> I just wanted to throw this message in here and get some opinions before I go off developing something So will post in the correct newsgroup later (when I find which newsgroup I need). Before I post a more thorough thread in the correct area I just wanted to find out if this was achievable and what tools I'd need.
>
> Basically: I would like to drop a system tray icon onto the user's PC that links them to a website. I'd also like to develop a separate one that flashes when a page is changed. How difficult would this be to do...? Would it mean using VB, could I use something less expensive perhaps or is it just not possible at all...?

Hfirst time I've ever seen this subject on this mailing list. We're charting new OT waters every day.

--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]
Re: [PHP] mail() on *nix using ssmtp or an external smtp server?
Hi Stephan,

On Monday 16 August 2004 15:16, Stephan Fiedler wrote:
> do I get you right, you can't invoke mail() because php can't find the sendmail executable?

Indeed you get me right. As I said in my post, alternatives such as qmail, exim, postfix and similar full featured MTA's in the chrooted environment are considered not acceptable because of the extra security risk in the case of a system compromise. I have to minimise as much as possible the scope for damage in case there is some kind of compromise.

Your script is nice, but seems to rely on a full MTA inside the chrooted environment which I can't have. I tried something similar where I opened sockets on the external smtp server and wrote the mail into the socket, and this worked. The main problem with this is every script that uses a mail() function call has to be changed, and given that there are a lot of people who have and are supposed to be allowed to write such scripts on the servers, it's far from an ideal solution, and difficult to make those people use such a script. Second problem is I have to be able to handle failures in delivery, meaning implementing at least part of the smtp standard in a php script. It's all rather messy.

> If this does not help you at all have a look at the sources and hack 'em 'till they fit your needs #

I've been worried about this kind of answer. Best, and I think quite a sensible step, would be if the PHP team changed the design of PHP and allowed *nix systems to use an external smtp server.

best regards
Markus
Re: [PHP] PHP templates
On Mon, 2004-08-16 at 02:31, Octavian Rasnita wrote:
> Hi,
>
> I took a look to Smarty and Savant templating systems, and I like a few things from both of them. However, none of them are satisfactory. I don't like Smarty because it needs another language and I find Savant more easy to use.
>
> I would like to have a templating system that:
>
> 1. Separates:
>    - the programming part (the main programs and the modules)
>    - the structure and main design of the site (the templates)
>    - The content of the site, this meaning the body text, the title, keywords, and all other variables.
>    - Other files that can be included, like Javascript, .css, images, files that can be downloaded, etc.
> 2. The templates should handle more languages, and all the content parts should be able to appear in every language supported.
> 3. The program should be able to create a cache but not one containing PHP, but one that is just simple html that can be loaded from a cached file and presenting to the client. (I don't know how to decide yet when to re-create the cached file)
>
> If someone uses this templating system, someone can modify the design by modifying the templates and this change will be reflected in every language. If a translator add a new language or modifies a certain translation, the design won't be affected. The programmer could add a new program for a new page that does something new, or new modules, etc.
>
> I couldn't find such a thing yet and I think I will have to create it.

InterJinn. But it doesn't use caches, it compiles directly to the retrieved web pages.

Cheers,
Rob.

--
| InterJinn Application Framework - http://www.interjinn.com |
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
[PHP] Re:[PHP] Open all subdirectories in a directory
[snip]
Can anybody help me to open all subdirectories in a directory, I used is_dir() to check whether it is a dir, and if yes, I recursively called it with the new dir name. But all subdirectories are not open the recursion is not working for more than 1 level. I tested it in windows server. Expecting your help, Jacob.
[/snip]

I use this on a slackware box. I jacked the code from the man page for filesize() and cleaned it up. It's more for finding the size of a directory, but it does recursively scan through them and I'm sure you can mod it up to fit your needs.

    function funcGetDirSize($dirDirectory)
    {
        $intSizeInBytes = 0;
        $intNumFilesScanned = 0;
        $intNumDirsScanned = 0;
        if ($handle = @opendir($dirDirectory)) {
            // Compare against false so an entry named "0" does not end the loop
            while (false !== ($file = readdir($handle))) {
                if ($file != "." && $file != "..") {
                    if (@is_dir($dirDirectory."/".$file)) {
                        // Recurse and add the subdirectory's totals to ours
                        $arrCurDirInfo = funcGetDirSize($dirDirectory."/".$file);
                        $intSizeInBytes += $arrCurDirInfo[2];
                        $intNumFilesScanned += $arrCurDirInfo[0];
                        $intNumDirsScanned += $arrCurDirInfo[1];
                        $intNumDirsScanned++;
                    } else {
                        $intSizeInBytes += @filesize($dirDirectory."/".$file);
                        $intNumFilesScanned++;
                    }
                }
            }
            closedir($handle);
        }
        // [0] = files scanned, [1] = directories scanned, [2] = total bytes
        $arrDirInfo[0] = $intNumFilesScanned;
        $arrDirInfo[1] = $intNumDirsScanned;
        $arrDirInfo[2] = $intSizeInBytes;
        return $arrDirInfo;
    }
[PHP] [OFF] - Fraudulent web orders - any ideas?
Hi all, I have a simple PHP store, and it appears that someone is using it to test credit card numbers. I'm getting a very high number of small orders every day, but a lot more declines. My merchant provider suggests blocking that person's IP address, but that's not practical since it's dynamic. I'll get a lot of orders from one IP address for a few hours, but then the address changes. I wonder if anyone has any experience with this, and if so, can you suggest a way to deal with it? - Brian
[PHP] writing source code to file
I was wondering if there was a block of code I could place at the bottom of the file that would write the page's source code to an html file. I need this because I'm posting pages to a server sans a PHP compiler. Basically, I'd like for every time I run a page its source code to be saved in the filename of my choice, instead of me having to run the page, copy the source, and paste it into the file of my choice. I know how to use fopen, but I'm not sure what to tell it to write to file, since the source I want to write is being generated simultaneously. Any help would be greatly appreciated...
[PHP] problems with sessions!!AAH
Hi,

I'm running a win2k with apache and PHP 4.3.4 and I have gone through the installation readme for PHP. I have copied the necessary files to the correct directories. I have also set register_globals= Off (default). I have set my session path (it exists).

Now my problem is that I can't get my sessions to work at all. I have tried everything and no luck. Ok here is what I do:

    $_SESSION['login']=true;
    if (session_is_registered($_SESSION['login']))
        echo("seesion is reg");
    else
        echo("seesion not reg");

I have not used the session_register function as the manual says the following: If you want your script to work regardless of register_globals, you need to instead use the $_SESSION array as $_SESSION entries are automatically registered.

I seriously don't know what else to try or do. If you think I've missed something then please help.

Thanks in advance

Disclaimer
This e-mail transmission contains confidential information, which is the property of the sender. The information in this e-mail or attachments thereto is intended for the attention and use only of the addressee. Should you have received this e-mail in error, please delete and destroy it and any attachments thereto immediately. Under no circumstances will the Cape Technikon or the sender of this e-mail be liable to any party for any direct, indirect, special or other consequential damages for any use of this e-mail. For the detailed e-mail disclaimer please refer to http://www.ctech.ac.za/polic or call +27 (0)21 460 3911
Re: [PHP] System Tray Icon
I think VB or some MS dev tool will do the job.

John Nichel [EMAIL PROTECTED] 8/16/2004 3:48:11 PM
> Harlequin wrote:
> > Hi all.
> >
> > I just wanted to throw this message in here and get some opinions before I go off developing something So will post in the correct newsgroup later (when I find which newsgroup I need). Before I post a more thorough thread in the correct area I just wanted to find out if this was achievable and what tools I'd need.
> >
> > Basically: I would like to drop a system tray icon onto the user's PC that links them to a website. I'd also like to develop a separate one that flashes when a page is changed. How difficult would this be to do...? Would it mean using VB, could I use something less expensive perhaps or is it just not possible at all...?
>
> Hfirst time I've ever seen this subject on this mailing list. We're charting new OT waters every day.
>
> --
> John C. Nichel
> ÜberGeek
> KegWorks.com
> 716.856.9675
> [EMAIL PROTECTED]
Re: [PHP] problems with sessions!!AAH
>     if (session_is_registered($_SESSION['login']))
>         echo("seesion is reg");
>     else
>         echo("seesion not reg");

try

    if (isset($_SESSION['login']))
        echo("seesion is reg");
    else
        echo("seesion not reg");
RE: [PHP] [OFF] - Fraudulent web orders - any ideas?
Brian,

The best thing that I can suggest is to take a look at the actual orders themselves and find out if there are any one or two things that seem to be common about them. Once you can find some sort of pattern, you can then code against it.

For example, if you find that he seems to send 20 requests under $10 from one IP within 5 minutes, you may wish to do some pre-submission processing to target this sort of behavior. You can easily create a SQL table with temp-blocked IPs that will last for 30 minutes. It'll also help keep track of this behavior.

In short - the best way to protect against this sort of thing is to figure out the limitations of the other user's software and use that against them. While some things can definitely be dynamic, it typically will only be so within a particular range.

Good luck
-M

-Original Message-
From: Brian Dunning [mailto:[EMAIL PROTECTED]
Sent: Monday, August 16, 2004 10:27 AM
To: [EMAIL PROTECTED]
Subject: [PHP] [OFF] - Fraudulent web orders - any ideas?

> Hi all,
>
> I have a simple PHP store, and it appears that someone is using it to test credit card numbers. I'm getting a very high number of small orders every day, but a lot more declines. My merchant provider suggests blocking that person's IP address, but that's not practical since it's dynamic. I'll get a lot of orders from one IP address for a few hours, but then the address changes.
>
> I wonder if anyone has any experience with this, and if so, can you suggest a way to deal with it?
>
> - Brian
RE: [PHP] problems with sessions!!AAH
[snip]
Ok here is what I do:

    $_SESSION['login']=true;
    if (session_is_registered($_SESSION['login']))
        echo("seesion is reg");
    else
        echo("seesion not reg");

I have not used the session_register function as the manual says the following:
[/snip]

Have you set session_start? http://www.php.net/session_start
Re: [PHP] [OFF] - Fraudulent web orders - any ideas?
On Mon, 2004-08-16 at 07:26, Brian Dunning wrote:
> Hi all,
>
> I have a simple PHP store, and it appears that someone is using it to test credit card numbers. I'm getting a very high number of small orders every day, but a lot more declines. My merchant provider suggests blocking that person's IP address, but that's not practical since it's dynamic. I'll get a lot of orders from one IP address for a few hours, but then the address changes.
>
> I wonder if anyone has any experience with this, and if so, can you suggest a way to deal with it?
>
> - Brian

Well, if they are trying multiple times you could add some logic in your code that redirects them to a "We have been monitoring you" type of message. ;-)

Are you tracking the IP addresses in the database? Might consider building something that checks each new IP and see if the same IP has tried this a few times..and if so display a warning page. Might be enough to scare the person off.

The other option is to collect a list of known IPs and contact the proper authorities with logs of this issue.

-Robby

--
/***
* Robby Russell | Owner.Developer.Geek
* PLANET ARGON  | www.planetargon.com
* Portland, OR  | [EMAIL PROTECTED]
* 503.351.4730  | blog.planetargon.com
* PHP/PostgreSQL Hosting Development
/
[PHP] Re: problems with sessions!!AAH
Angelo Zanetti [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Hi,
>
> I'm running a win2k with apache and PHP 4.3.4 and I have gone through the installation readme for PHP. I have copied the necessary files to the correct directories. I have also set register_globals= Off (default). I have set my session path (it exists).
>
> Now my problem is that I can't get my sessions to work at all. I have tried everything and no luck. Ok here is what I do:
>
>     $_SESSION['login']=true;
>     if (session_is_registered($_SESSION['login']))
>         echo("seesion is reg");
>     else
>         echo("seesion not reg");

Hi Angelo,

where's your session_start()? Also you can use isset() instead of session_is_registered():

    if (isset($_SESSION['login']))

Regards,
Torsten Roehr

> I have not used the session_register function as the manual says the following: If you want your script to work regardless of register_globals, you need to instead use the $_SESSION array as $_SESSION entries are automatically registered.
>
> I seriously don't know what else to try or do. If you think I've missed something then please help.
>
> Thanks in advance
[PHP] RE: [PHP-DB] Re: Basic MySQL Query Question
> [reply]
> Please try if those changes solve your problem. Whenever one of your values will contain a single quote you will get an SQL error - so use addslashes() or (better) mysql_real_escape_string() on all insert values.
> [/reply]
>
> That is my whole point though, is that it does not happen every time. I get no error when the user registers (inserting O'Neal into the table), but when I insert the same name into the tickets table, it fails.

Chad, please always answer to the list. Echo out your queries and compare them, there must be a difference.

Regards,
Torsten
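The single-quote failure discussed in this message, using the O'Neal value and the tickets table it mentions, shown next to a bound-parameter insert. This is an added example, not code from the thread: it uses PDO bound parameters rather than the mysql_real_escape_string() call named in the reply, an in-memory SQLite database stands in for MySQL, and the column and function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumptions: in-memory SQLite via PDO
// stands in for MySQL; the last_name column and all function names are made up.

function open_tickets_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE tickets (id INTEGER PRIMARY KEY, last_name TEXT NOT NULL)');
    return $db;
}

// "Before": the value is pasted into the SQL text, so the quote in O'Neal ends
// the string literal early. Returns the database error message, or null.
function insert_concatenated(PDO $db, string $lastName): ?string
{
    $sql = "INSERT INTO tickets (last_name) VALUES ('" . $lastName . "')";
    try {
        $db->exec($sql);
        return null;
    } catch (PDOException $e) {
        return $e->getMessage();
    }
}

// "After": the value travels separately from the SQL text, so its content can
// never change the statement. Returns the new row id.
function insert_bound(PDO $db, string $lastName): int
{
    $st = $db->prepare('INSERT INTO tickets (last_name) VALUES (?)');
    $st->execute([$lastName]);
    return (int) $db->lastInsertId();
}

$db = open_tickets_db();

$error = insert_concatenated($db, "O'Neal");
echo 'concatenated: ', $error === null ? 'inserted' : "failed ($error)", "\n";

$id = insert_bound($db, "O'Neal");
$st = $db->prepare('SELECT last_name FROM tickets WHERE id = ?');
$st->execute([$id]);
echo 'bound: stored ', $st->fetchColumn(), " as row $id\n";
```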
Re: [PHP] [OFF] - Fraudulent web orders - any ideas?
Hi Brian,

One possibility is to use a MySQL database which records all failures with the credit card verifications, the IP address of the failure, and when the failure was. Write a script which looks at the failures and if it detects three or more failures from any IP in a set time frame (24 hours?), that address is blocked by the script for 24 hours from making any order.

Your MySQL database should include at least the card number, time of failure, IP of failure. Then query the database based on the just attempted order, and if the count of failures from that IP address is greater than three (especially with different card numbers), refuse the order, and continue the block of that IP for 24 hours after the last failure.

In particular, you could also check if the credit card numbers are different, and if they are, you know you're dealing with a bad person and can take some steps to deal with them.

While it's maybe not an ideal solution, I can't think of anything better off hand.

best regards
Markus

On Monday 16 August 2004 16:26, Brian Dunning wrote:
> I have a simple PHP store, and it appears that someone is using it to test credit card numbers. I'm getting a very high number of small
> [snip...]
> I wonder if anyone has any experience with this, and if so, can you suggest a way to deal with it?
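The rule described in this message (three or more declines from one IP inside 24 hours, a block that runs until 24 hours after the last decline, and a count of distinct card numbers), as an added example that is not code from the thread. It assumes an in-memory SQLite database via PDO in place of MySQL, stores a keyed fingerprint of each card number instead of the number itself, and uses constructed table, column and function names, key and sample attempts.

```php
<?php
// Added example, not code from the thread: the "three failures in 24 hours" block.
// Assumptions: in-memory SQLite (PDO) stands in for the MySQL table; table, column
// and function names, the HMAC key and the sample attempts are all constructed.

const MAX_FAILURES = 3;      // declines that trigger a block
const WINDOW_SECS  = 86400;  // 24-hour time frame, also the block length

function open_failure_store(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE card_failures (
                   ip        TEXT    NOT NULL,
                   card_fp   TEXT    NOT NULL,
                   failed_at INTEGER NOT NULL)');
    $db->exec('CREATE INDEX idx_ip_time ON card_failures (ip, failed_at)');
    return $db;
}

// Keyed fingerprint: lets us count distinct cards without storing card numbers.
function card_fingerprint(string $cardNumber, string $key): string
{
    $digits = preg_replace('/\D/', '', $cardNumber);
    return hash_hmac('sha256', $digits, $key);
}

// Call this when the payment gateway declines an order.
function record_failure(PDO $db, string $ip, string $cardNumber, string $key, int $now): void
{
    $st = $db->prepare(
        'INSERT INTO card_failures (ip, card_fp, failed_at) VALUES (?, ?, ?)');
    $st->execute([$ip, card_fingerprint($cardNumber, $key), $now]);
}

// Call this before sending an order to the gateway.
function ip_status(PDO $db, string $ip, int $now): array
{
    $status = ['blocked' => false, 'failures' => 0, 'distinct_cards' => 0,
               'blocked_until' => null];

    $st = $db->prepare('SELECT MAX(failed_at) FROM card_failures WHERE ip = ?');
    $st->execute([$ip]);
    $last = $st->fetchColumn();
    if ($last === null || $last === false || $now - (int) $last >= WINDOW_SECS) {
        return $status;   // no failures, or the last one is at least 24 hours old
    }
    $last = (int) $last;

    // Count failures in the 24 hours ending at the most recent failure, so the
    // block keeps running for 24 hours after the last failure.
    $st = $db->prepare(
        'SELECT COUNT(*) AS failures, COUNT(DISTINCT card_fp) AS cards
           FROM card_failures
          WHERE ip = ? AND failed_at > ? AND failed_at <= ?');
    $st->execute([$ip, $last - WINDOW_SECS, $last]);
    $row = $st->fetch(PDO::FETCH_ASSOC);

    $status['failures']       = (int) $row['failures'];
    $status['distinct_cards'] = (int) $row['cards'];
    if ($status['failures'] >= MAX_FAILURES) {
        $status['blocked']       = true;
        $status['blocked_until'] = $last + WINDOW_SECS;
    }
    return $status;
}

// Constructed sample: one address declined on three different card numbers,
// a second address declined once.
$db  = open_failure_store();
$key = 'constructed-demo-key';
$t0  = 1092666000;   // arbitrary start time (Unix seconds)
$attempts = [
    ['203.0.113.7',  '4111 1111 1111 1111', 0],
    ['203.0.113.7',  '4012 8888 8888 1881', 120],
    ['198.51.100.9', '4111 1111 1111 1111', 300],
    ['203.0.113.7',  '4222 2222 2222 2',    600],
];
foreach ($attempts as [$ip, $card, $offset]) {
    record_failure($db, $ip, $card, $key, $t0 + $offset);
}
foreach (['203.0.113.7', '198.51.100.9'] as $ip) {
    foreach ([$t0 + 900, $t0 + 600 + WINDOW_SECS] as $when) {
        $s = ip_status($db, $ip, $when);
        printf("%-13s t+%-6d blocked=%s failures=%d cards=%d\n", $ip, $when - $t0,
               $s['blocked'] ? 'yes' : 'no', $s['failures'], $s['distinct_cards']);
    }
}
```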
[PHP] Cache
Hi all,

I want to create an html cache of a page, like when that page is saved to the disk and let the visitors download that static page and not a dynamic one. Of course, a dynamic PHP program will load that static page and display it, but without need to connect to databases, to make calculations, etc.

The problem is that I don't know how to automatically decide when it is the right moment to update the cache and this is very important. I get some data from a database and the PHP program doesn't know when the database gets updated by another program, so it cannot create the cache for that page immediately. If I let the program check the database each time it is run, this takes some time, and it is like I would not use the cache at all.

Is it possible to use that kind of cache I want? (meaning... a kind of static page saved).

Thank you.

Teddy
Re: [PHP] [OFF] - Fraudulent web orders - any ideas?
Thanks to all of you for your suggestions. Yes I have been logging IP address in my orders database. I think I may have solved it by an even simpler method: I emailed the perpetrator to thank him for all of his orders to see what he'd say. His first few orders came with real email addresses, and even a few under what appears to be his own name Abang Batax. Ever since I sent that email I haven't had a single order come through from him. That alone may have scared him off. Nevertheless, I think I will implement a few of your suggestions. I like the idea of an SQL table to store IP addresses that are blocked, though I'd make it last for a couple of days to be extra safe rather than 30 minutes. Anyone know who the proper authorities are, to whom I could give my logs? Amazingly, my CardService rep didn't know. He also didn't seem to care or think it was a very big deal. The total orders that went through are about 100 orders at $15 each. My guess is that Abang Batax is probably overseas, so it may not be worthwhile following up.
RE: [PHP] problems with sessions!!SOLVED!!
Thanks MATT, it appears that the isset function worked!

Jay Blanchard [EMAIL PROTECTED] 8/16/2004 4:46:16 PM
[snip]
Ok here is what I do:

$_SESSION['login']=true;
if (session_is_registered($_SESSION['login']))
    echo("seesion is reg");
else
    echo("seesion not reg");

I have not used the session_register function as the manual says the following:
[/snip]

Have you set session_start?
http://www.php.net/session_start

Disclaimer
This e-mail transmission contains confidential information, which is the property of the sender. The information in this e-mail or attachments thereto is intended for the attention and use only of the addressee. Should you have received this e-mail in error, please delete and destroy it and any attachments thereto immediately. Under no circumstances will the Cape Technikon or the sender of this e-mail be liable to any party for any direct, indirect, special or other consequential damages for any use of this e-mail. For the detailed e-mail disclaimer please refer to http://www.ctech.ac.za/polic or call +27 (0)21 460 3911
Re: [PHP] [OFF] - Fraudulent web orders - any ideas?
Hi Brian,

One possibility is to use a MySQL database which records all failures with the credit card verifications, the IP address of the failure, and when the failure was. Write a script which looks at the failures, and if it detects three or more failures from any IP in a set time frame (24 hours?), that address is blocked by the script for 24 hours from making any order.

Your MySQL database should include at least the card number, time of failure, and IP of failure. Then query the database based on the just-attempted order, and if the count of failures from that IP address is greater than three (especially with different card numbers), refuse the order, and continue the block of that IP for 24 hours after the last failure.

In particular, you could also check if the credit card numbers are different, and if they are, you know you're dealing with a bad person and can take some steps to deal with them.

While it's maybe not an ideal solution, I can't think of anything better offhand.

best regards
Markus

On Monday 16 August 2004 16:26, Brian Dunning wrote:
> I have a simple PHP store, and it appears that someone is using it to test credit card numbers. I'm getting a very high number of small
[snip...]
> I wonder if anyone has any experience with this, and if so, can you suggest a way to deal with it?
>
> - This is a second try, my previous mail seems to have not come through... Sorry if people get this twice -
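The failure table and 24-hour block described in the message above, as an added example that is not part of the thread or any poster's code. It assumes an in-memory SQLite database in place of MySQL, hypothetical table and function names, and stores a keyed hash of each card number instead of the number itself, which is enough to count distinct cards.

```php
<?php
// Added example, not code from the thread. SQLite in memory stands in for the
// MySQL table; table, column and function names are hypothetical.

const FAILURE_LIMIT  = 3;      // "three or more failures from any IP"
const WINDOW_SECONDS = 86400;  // "in a set time frame (24 hours?)"

function open_store(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE card_failures (
                   ip        TEXT    NOT NULL,
                   card_tag  TEXT    NOT NULL,
                   failed_at INTEGER NOT NULL)');
    $db->exec('CREATE INDEX idx_failures_ip_time ON card_failures (ip, failed_at)');
    return $db;
}

// Keyed hash of the card number: enough to tell "same card retried" from
// "many different cards" without keeping the number itself in the table.
function card_tag(string $pan, string $key): string
{
    return hash_hmac('sha256', (string) preg_replace('/\D/', '', $pan), $key);
}

// Call this when the payment gateway declines a card.
function record_failure(PDO $db, string $ip, string $pan, string $key, int $now): void
{
    $stmt = $db->prepare(
        'INSERT INTO card_failures (ip, card_tag, failed_at) VALUES (?, ?, ?)');
    $stmt->execute([$ip, card_tag($pan, $key), $now]);
}

// Call this before sending a new order to the gateway.
function check_ip(PDO $db, string $ip, int $now): array
{
    $status = ['blocked' => false, 'failures' => 0, 'distinct_cards' => 0,
               'blocked_until' => null];

    $stmt = $db->prepare('SELECT MAX(failed_at) FROM card_failures WHERE ip = ?');
    $stmt->execute([$ip]);
    $last = $stmt->fetchColumn();
    if ($last === null || $last === false || $now - (int) $last >= WINDOW_SECONDS) {
        return $status;   // no failures, or the last one is over 24 hours old
    }
    $last = (int) $last;

    // Count the failures in the 24 hours leading up to the most recent one, so
    // the block runs for 24 hours after the last failure, not after the first.
    $stmt = $db->prepare(
        'SELECT COUNT(*) AS failures, COUNT(DISTINCT card_tag) AS cards
           FROM card_failures
          WHERE ip = ? AND failed_at > ? AND failed_at <= ?');
    $stmt->execute([$ip, $last - WINDOW_SECONDS, $last]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $status['failures']       = (int) $row['failures'];
    $status['distinct_cards'] = (int) $row['cards'];
    if ($status['failures'] >= FAILURE_LIMIT) {
        $status['blocked']       = true;
        $status['blocked_until'] = $last + WINDOW_SECONDS;
    }
    return $status;
}

// Constructed sample data: documentation-range IPs, made-up card numbers,
// and an arbitrary base timestamp.
$db  = open_store();
$key = 'constructed-demo-key';   // in real use: a secret kept outside the database
$t0  = 1092672000;

record_failure($db, '203.0.113.7', '4111 1111 1111 1111', $key, $t0);
record_failure($db, '203.0.113.7', '4111 1111 1111 1129', $key, $t0 + 600);
record_failure($db, '203.0.113.7', '4111 1111 1111 1137', $key, $t0 + 1200);
record_failure($db, '198.51.100.20', '4111 1111 1111 1111', $key, $t0 + 300);

$checks = [
    ['203.0.113.7',   $t0 + 3600],                   // an hour into the run of declines
    ['203.0.113.7',   $t0 + 1200 + WINDOW_SECONDS],  // 24 hours after the last decline
    ['198.51.100.20', $t0 + 3600],                   // a single decline from another address
];
foreach ($checks as [$ip, $now]) {
    $s = check_ip($db, $ip, $now);
    printf("%-14s +%6ds  %-5s failures=%d distinct_cards=%d\n",
        $ip, $now - $t0, $s['blocked'] ? 'BLOCK' : 'allow',
        $s['failures'], $s['distinct_cards']);
}
```

Because the poster reports that the source address changes every few hours, the `distinct_cards` count is worth logging and alerting on even when the per-IP threshold is not reached.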
[PHP] Re: Cache
Octavian Rasnita [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Hi all,
>
> I want to create an HTML cache of a page, like when that page is saved to the disk, and let the visitors download that static page and not a dynamic one. Of course, a dynamic PHP program will load that static page and display it, but without needing to connect to databases, to make calculations, etc.
>
> The problem is that I don't know how to automatically decide when it is the right moment to update the cache, and this is very important. I get some data from a database and the PHP program doesn't know when the database gets updated by another program, so it cannot create the cache for that page immediately. If I let the program check the database each time it is run, this takes some time, and it is like I would not use the cache at all.
>
> Is it possible to use that kind of cache I want? (meaning... a kind of static page saved).
>
> Thank you.
> Teddy

Hi Teddy,

take a look at PEAR's Cache_Lite:
http://pear.php.net/package/Cache_Lite

With this package you define a lifetime for each page. When this time has passed, a new cached file will automatically be created. Cache_Lite is managing this for you.

Regards, Torsten Roehr
RE: [PHP] php die function for MySQL connection errors
On 14 August 2004 15:50, raditha dissanayake wrote:
> Ford, Mike [LSS] wrote:
>> (And, BTW, the HTTP definition says that the Location: header should specify a full absolute URL, so that should be:
>>
>> header("Location: http://your.server.name/path/to/errors/servererror.php");
>
> are you sure?

Yes. In fact, I was too conservative -- the HTTP RFC says it *must*. See:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.30
and
http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2

Just because many browsers accept and process a non-standard header is no reason to write non-standard headers... ;)

Cheers!
Mike

- Mike Ford, Electronic Information Services Adviser, Learning Support Services, Learning Information Services, JG125, James Graham Building, Leeds Metropolitan University, Headingley Campus, LEEDS, LS6 3QS, United Kingdom Email: [EMAIL PROTECTED] Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211
[PHP] Persistent data across page calls
Hi,

I have a site that uses a large number of data arrays that are nearly static (they change once a week or less). They are used on almost every page in the site. Currently I have them as a separate file that is included at the top of each script page.

I would like a way to cache? them at the server level so that only one copy stays in memory between calls to different pages and the file doesn't get reloaded with each page call.

The site is running on:
FreeBSD 4.9
Apache 1.3.28
PHP 4.3.4

I would prefer to be able to do this in PHP but I am open to an Apache solution if necessary.

Thanks
Aaron
Aaron -at- nsinetworking.com
RE: [PHP] problems with sessions!!AAH
ok I thought the problem was fixed but it's not. The session variable gets registered correctly, however when I go to the next page and try to see if it's still registered using the isset() function, it's not registered anymore. I do have session_start(); at the top of the new page. I can't think why it's not working?!?!

TIA

Jay Blanchard [EMAIL PROTECTED] 8/16/2004 4:46:16 PM
[snip]
Ok here is what I do:

$_SESSION['login']=true;
if (session_is_registered($_SESSION['login']))
    echo("seesion is reg");
else
    echo("seesion not reg");

I have not used the session_register function as the manual says the following:
[/snip]

Have you set session_start?
http://www.php.net/session_start
[PHP] CURL question, cutting off custom request
Hello,

I'm sending a custom request to a server using CURL, which may contain some high-ascii characters. Are there certain characters that would cause CURL not to send the complete custom request? Are there some CURL options that can help make sure the request is sent in its entirety? Here is my code:

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_VERBOSE, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_HTTP_VERSION, 1.0);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $request);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$return = curl_exec ($ch);

Sometimes it appears to cut off my request with the existence of a NUL character. Any ideas?

Thanks,
Dominic
[PHP] SSH Authentication using php
Hi,

my goal is to be able to authenticate a user by their SSH account on the system using PHP. I tried looking on Google, but didn't see anything with SSH. What I've tried to do is use the exec() and just do:

exec(ssh [EMAIL PROTECTED].escapleshellard(password));

but that didn't seem to work. Any ideas?

Thanks
Teren
Re: [PHP] problems with sessions!!AAH
Angelo Zanetti [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> ok I thought the problem was fixed but it's not. The session variable gets registered correctly, however when I go to the next page and try to see if it's still registered using the isset() function, it's not registered anymore. I do have session_start(); at the top of the new page. I can't think why it's not working?!?!

Are you using cookies? What are your session configuration values?

Regards, Torsten

> TIA
>
> Jay Blanchard [EMAIL PROTECTED] 8/16/2004 4:46:16 PM
> [snip]
> Ok here is what I do:
>
> $_SESSION['login']=true;
> if (session_is_registered($_SESSION['login']))
>     echo("seesion is reg");
> else
>     echo("seesion not reg");
>
> I have not used the session_register function as the manual says the following:
> [/snip]
>
> Have you set session_start?
> http://www.php.net/session_start
Re: [PHP] problems with sessions!!AAH
On Mon, 16 Aug 2004 17:39:21 +0200, Angelo Zanetti [EMAIL PROTECTED] wrote:
> ok I thought the problem was fixed but it's not. The session variable gets registered correctly, however when I go to the next page and try to see if it's still registered using the isset() function, it's not registered anymore. I do have session_start(); at the top of the new page. I can't think why it's not working?!?!

Make sure that the session cookie is being set. Check the session_id() on both pages, make sure they are the same. If they aren't, you are having a problem getting the sid passed from page to page.
Re: [PHP] problems with sessions!!AAH
Hi Matt,

The session_id() is correct on both pages. Some info I forgot to add is this: on my first page:

session_write_close();
header("Location: franchise_menu.php?".SID);
exit();

However, on my franchise_menu.php page, no SID is displayed in the browser address. Could that be a reason? Or have I misconfigured something?

TIA

Matt M. [EMAIL PROTECTED] 8/16/2004 5:59:26 PM
On Mon, 16 Aug 2004 17:39:21 +0200, Angelo Zanetti [EMAIL PROTECTED] wrote:
> ok I thought the problem was fixed but it's not. The session variable gets registered correctly, however when I go to the next page and try to see if it's still registered using the isset() function, it's not registered anymore. I do have session_start(); at the top of the new page. I can't think why it's not working?!?!

Make sure that the session cookie is being set. Check the session_id() on both pages, make sure they are the same. If they aren't, you are having a problem getting the sid passed from page to page.
Re: [PHP] problems with sessions!!AAH
No, I'm not using cookies. Session configuration values from php.ini:

session.save_handler = files
session.save_path = c:\temp\sessions
session.use_cookies = 0
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor = 100
session.gc_maxlifetime = 1440
session.bug_compat_42 = 1
session.bug_compat_warn = 1
session.referer_check =
session.entropy_length = 0
session.entropy_file =
session.cache_limiter = nocache
session.cache_expire = 180

Is there anything else that I am missing, or is anything set incorrectly?

Thanks guys, really appreciate it.

Torsten Roehr [EMAIL PROTECTED] 8/16/2004 6:00:01 PM
Angelo Zanetti [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> ok I thought the problem was fixed but it's not. The session variable gets registered correctly, however when I go to the next page and try to see if it's still registered using the isset() function, it's not registered anymore. I do have session_start(); at the top of the new page. I can't think why it's not working?!?!

Are you using cookies? What are your session configuration values?

Regards, Torsten

> TIA
>
> Jay Blanchard [EMAIL PROTECTED] 8/16/2004 4:46:16 PM
> [snip]
> Ok here is what I do:
>
> $_SESSION['login']=true;
> if (session_is_registered($_SESSION['login']))
>     echo("seesion is reg");
> else
>     echo("seesion not reg");
>
> I have not used the session_register function as the manual says the following:
> [/snip]
>
> Have you set session_start?
> http://www.php.net/session_start
Re: [PHP] problems with sessions!!AAH
> session_write_close();
> header("Location: franchise_menu.php?".SID);
> exit();

SID will be empty if the session ID was set in an appropriate session cookie.

If you do a print_r($_SESSION) on franchise_menu.php do you see anything?

If you have access to the webserver you could just go in and look at the session file that PHP creates. It is pretty easy to find and you should be able to see your variables if they are being correctly written to the file.
Re: [PHP] SSH Authentication using php
On Mon, 2004-08-16 at 08:39, Teren wrote:
> Hi, my goal is to be able to authenticate a user by their SSH account on the system using PHP. I tried looking on Google, but didn't see anything with SSH. What I've tried to do is use the exec() and just do:
>
> exec(ssh [EMAIL PROTECTED].escapleshellard(password));

You can try setting up authorized_keys for this. Then you don't need to pass it the password.

-Robby

--
/***
 * Robby Russell | Owner.Developer.Geek
 * PLANET ARGON | www.planetargon.com
 * Portland, OR | [EMAIL PROTECTED]
 * 503.351.4730 | blog.planetargon.com
 * PHP/PostgreSQL Hosting Development
 /
RE: [PHP] Compile
Is it true that turck is faster than Zend?

> i think you are looking for something like turck mmcache.
RE: [PHP] Compile
[snip]
Is it true that turck is faster than Zend?

> i think you are looking for something like turck mmcache.
[/snip]

What about something like http://www.priadoblender.com
RE: [PHP] Re: Compile
Wow. I just saw the $2,880 price tag on the Zend Encoder. I guess Turck is better?! Who cares if it's a little bit slower than Zend (or even faster according to the Turck site). That's a lot of moola!

-Original Message-
http://www.zend.com/store/products/zend-encoder.php

On Mon, 16 Aug 2004 01:12:14 +0100 [EMAIL PROTECTED] (Watty) wrote:
> Is it possible to compile a PHP script? And if so, how?
>
> Watty
RE: [PHP] [OFF] - Fraudulent web orders - any ideas?
Geesh, this sounds scary. Are you requiring account login before processing payments?

-Original Message-
> I have a simple PHP store, and it appears that someone is using it to test credit card numbers. I'm getting a very high number of small orders every day, but a lot more declines.
>
> My merchant provider suggests blocking that person's IP address, but that's not practical since it's dynamic. I'll get a lot of orders from one IP address for a few hours, but then the address changes.
>
> I wonder if anyone has any experience with this, and if so, can you suggest a way to deal with it?
>
> - Brian
Re: [PHP] SSH Authentication using php
>> Hi, my goal is to be able to authenticate a user by their SSH account on the system using PHP. I tried looking on Google, but didn't see anything with SSH. What I've tried to do is use the exec() and just do:
>>
>> exec(ssh [EMAIL PROTECTED].escapleshellard(password));
>
> You can try setting up authorized_keys for this. Then you don't need to pass it the password.

...but you'd still need to provide the ssh passphrase, or have an instance of ssh-agent running.

Teren, what are you trying to do exactly? Is ssh actually necessary, or are you really just trying to authenticate users by their unix accounts?

- michal migurski - contact info and pgp key: sf/ca http://mike.teczno.com/contact.html
[PHP] Re: writing source code to file
http://www.php.net/manual/en/ref.outcontrol.php

On Mon, 16 Aug 2004 10:35:42 -0400 [EMAIL PROTECTED] (Doug Parker) wrote:
> I was wondering if there was a block of code I could place at the bottom of the file that would write the page's source code to an html file. I need this because I'm posting pages to a server sans a PHP compiler. Basically, I'd like for every time I run a page its source code to be saved in the filename of my choice, instead of me having to run the page, copy the source, and paste it into the file of my choice.
>
> I know how to use fopen, but I'm not sure what to tell it to write to file, since the source I want to write is being generated simultaneously.
>
> Any help would be greatly appreciated...
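Both the lifetime-based page cache recommended in the Cache thread and the output-control pointer in the message above come down to capturing a page's output and writing it to a file. The following is an added example, not code from either thread and not Cache_Lite's API; every function name, the cache directory and the timestamps are hypothetical or constructed.

```php
<?php
// Added example: a static HTML cache with a per-page lifetime, built on
// output buffering. Hypothetical names throughout.

function cache_path(string $dir, string $pageId): string
{
    // Hash the id so text taken from a request can never steer the file path.
    return $dir . '/' . hash('sha256', $pageId) . '.html';
}

function cached_page(string $dir, string $pageId, int $lifetime,
                     callable $render, ?int $now = null): string
{
    $now  = $now ?? time();
    $file = cache_path($dir, $pageId);

    // A copy younger than the lifetime is served without running the page.
    clearstatcache(true, $file);
    if (is_file($file) && ($now - filemtime($file)) < $lifetime) {
        $html = file_get_contents($file);
        if ($html !== false) {
            return $html;
        }
    }

    // Missing or expired: capture everything the page prints.
    ob_start();
    try {
        $render();
        $html = (string) ob_get_clean();
    } catch (Throwable $e) {
        ob_end_clean();   // never cache a half-rendered page
        throw $e;
    }

    // Write to a temporary file in the same directory and rename it into
    // place, so a concurrent visitor never reads a partly written file.
    $tmp = tempnam($dir, 'pg_');
    if ($tmp !== false) {
        if (file_put_contents($tmp, $html) !== false && touch($tmp, $now)) {
            rename($tmp, $file);
        } else {
            unlink($tmp);
        }
    }
    return $html;
}

// Constructed demonstration: the "page" counts how often it is really built.
$dir = sys_get_temp_dir() . '/page_cache_demo_' . getmypid();
if (!is_dir($dir)) {
    mkdir($dir, 0700);
}
$builds = 0;
$render = function () use (&$builds) {
    $builds++;
    echo "<html><body>build #$builds</body></html>";
};

$t = 1092672000;                                             // constructed clock
echo cached_page($dir, 'news/index', 600, $render, $t), "\n";       // first request
echo cached_page($dir, 'news/index', 600, $render, $t + 300), "\n"; // inside the lifetime
echo cached_page($dir, 'news/index', 600, $render, $t + 900), "\n"; // lifetime has passed
echo "page was built $builds times\n";
```

The lifetime bounds how stale a page can be when another program updates the database, which is the trade-off the Cache thread asks about.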
Re: [PHP] [OFF] - Fraudulent web orders - any ideas?
On Aug 16, 2004, at 10:07 AM, Ed Lazor wrote:
> Geesh, this sounds scary. Are you requiring account login before processing payments?

Not on this store, it's a really competitive market.
Re: [PHP] SSH Authentication using php
On Mon, 2004-08-16 at 10:15, Michal Migurski wrote:
>>> Hi, my goal is to be able to authenticate a user by their SSH account on the system using PHP. I tried looking on Google, but didn't see anything with SSH. What I've tried to do is use the exec() and just do:
>>>
>>> exec(ssh [EMAIL PROTECTED].escapleshellard(password));
>>
>> You can try setting up authorized_keys for this. Then you don't need to pass it the password.
>
> ...but you'd still need to provide the ssh passphrase, or have an instance of ssh-agent running.
>
> Teren, what are you trying to do exactly? Is ssh actually necessary, or are you really just trying to authenticate users by their unix accounts?

You can go without using the passphrase as well.

--
/***
 * Robby Russell | Owner.Developer.Geek
 * PLANET ARGON | www.planetargon.com
 * Portland, OR | [EMAIL PROTECTED]
 * 503.351.4730 | blog.planetargon.com
 * PHP/PostgreSQL Hosting Development
 /
Re: [PHP] [OFF] - Fraudulent web orders - any ideas?
Brian Dunning wrote:
> On Aug 16, 2004, at 10:07 AM, Ed Lazor wrote:
>> Geesh, this sounds scary. Are you requiring account login before processing payments?
>
> Not on this store, it's a really competitive market.

Requiring an account to purchase would more than likely cut down on fraud orders.

-- John C. Nichel ÜberGeek KegWorks.com 716.856.9675 [EMAIL PROTECTED]
Re: [PHP] SSH Authentication using php
Ok, here's the whole project: I have an OpenBSD box using authpf, which uses authentication via ssh login. So, I'm trying to create a web login using PHP so people just have to enter their username/password (which would be a restricted unix account) to gain access to the internet. I have authpf all set up, but I'd like to add a web login to make it more user friendly.

Thanks
Teren

- Original Message -
From: Michal Migurski [EMAIL PROTECTED]
To: Robby Russell [EMAIL PROTECTED]
Cc: Teren [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Monday, August 16, 2004 1:15 PM
Subject: Re: [PHP] SSH Authentication using php

>>> Hi, my goal is to be able to authenticate a user by their SSH account on the system using PHP. I tried looking on Google, but didn't see anything with SSH. What I've tried to do is use the exec() and just do:
>>>
>>> exec(ssh [EMAIL PROTECTED].escapleshellard(password));
>>
>> You can try setting up authorized_keys for this. Then you don't need to pass it the password.
>
> ...but you'd still need to provide the ssh passphrase, or have an instance of ssh-agent running.
>
> Teren, what are you trying to do exactly? Is ssh actually necessary, or are you really just trying to authenticate users by their unix accounts?
>
> - michal migurski - contact info and pgp key: sf/ca http://mike.teczno.com/contact.html
[PHP] Re: [OFF] - Fraudulent web orders - any ideas?
On 2004-08-16 08:03:51, Brian Dunning wrote:
> Anyone know who the proper authorities are, to whom I could give my logs? Amazingly, my CardService rep didn't know. He also didn't seem to care or think it was a very big deal. The total orders that went through are about 100 orders at $15 each. My guess is that Abang Batax is probably overseas, so it may not be worthwhile following up.

For VISA ??? - You can contact VISA directly...

If you have all IPs, maybe they come from the same ISP and then you can get him...

I had the same problem for 3 years in Kehl/Germany and I had logged all actions including the IP. I went to the local Police, which has done the rest...

Credit Card Fraud is not a local delict !!! The Police is working internationally on this subject.

Greetings
Michelle

-- Linux-User #280138 with the Linux Counter, http://counter.li.org/ Michelle Konzack Apt. 917 ICQ #328449886 50, rue de Soultz MSM LinuxMichi 0033/3/8845235667100 Strasbourg/France IRC #Debian (irc.icq.com)
[PHP] CSRF attack not possible in I.E. 6.01 SP1?
Hello All,

I am working on securing an application that uses CDSSO (Cross Domain Single Sign On). I am trying to reproduce the CSRF (Cross Site Request Forgery) attack (using <img/> TAG) in I.E. 6.01, but am unable to do so. However the attack works on Mozilla and other older browsers.

My question: Is I.E. 6.01 SP1 doing something to foil the CSRF attack, i.e. only allow image extensions .gif .png .jpeg?

Regards,
Saqib Ali
http://validate.sf.net DocBook XML - XHTML / PDF Convertor
Re: [PHP] System Tray Icon
Hmm,

Simply make an RSS feed or something: md5 the last changed date of all files combined every, say, 30 mins and put that in the RSS file, have the systray icon program look at that file every 5 mins or so, and if the file has changed, flash..

John Nichel [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Harlequin wrote:
>> Hi all.
>>
>> I just wanted to throw this message in here and get some opinions before I go off developing something. So will post in the correct newsgroup later (when I find which newsgroup I need).
>>
>> Before I post a more thorough thread in the correct area I just wanted to find out if this was achievable and what tools I'd need.
>>
>> Basically: I would like to drop a system tray icon onto the user's PC that links them to a website. I'd also like to develop a separate one that flashes when a page is changed.
>>
>> How difficult would this be to do...? Would it mean using VB, could I use something less expensive perhaps or is it just not possible at all...?
>
> Hfirst time I've ever seen this subject on this mailing list. We're charting new OT waters every day.
>
> -- John C. Nichel ÜberGeek KegWorks.com 716.856.9675 [EMAIL PROTECTED]
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
[snip]
I am working on securing an application that uses CDSSO (Cross Domain Single Sign On). I am trying to reproduce the CSRF (Cross Site Request Forgery) attack (using <img/> TAG) in I.E. 6.01, but am unable to do so. However the attack works on Mozilla and other older browsers.

My question: Is I.E. 6.01 SP1 doing something to foil the CSRF attack, i.e. only allow image extensions .gif .png .jpeg?
[/snip]

You would have to ask the Microsoft Development Group, who probably does not subscribe to this list. Crossposting is bad. Being OT during a crosspost is even worse. I can hear the flamethrowers warming up in the wings.

FYI - This is (or used to be) a PHP list
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Perhaps the question could be asked another way and be more on topic.

Is there a fix in I.E. 6.01 that would interfere with PHP being able to generate different mime types on the fly, like .png or .jpg?

Thanks,
Warren Vail

-Original Message-
From: Jay Blanchard [mailto:[EMAIL PROTECTED]
Sent: Monday, August 16, 2004 10:57 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

[snip]
I am working on securing an application that uses CDSSO (Cross Domain Single Sign On). I am trying to reproduce the CSRF (Cross Site Request Forgery) attack (using <img/> TAG) in I.E. 6.01, but am unable to do so. However the attack works on Mozilla and other older browsers.

My question: Is I.E. 6.01 SP1 doing something to foil the CSRF attack, i.e. only allow image extensions .gif .png .jpeg?
[/snip]

You would have to ask the Microsoft Development Group, who probably does not subscribe to this list. Crossposting is bad. Being OT during a crosspost is even worse. I can hear the flamethrowers warming up in the wings.

FYI - This is (or used to be) a PHP list
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1? WOT
[snip]
Perhaps the question could be asked another way and be more on topic.

Is there a fix in I.E. 6.01 that would interfere with PHP being able to generate different mime types on the fly, like .png or .jpg
[/snip]

a. But that wasn't what he asked.
2. Top-posting === bad
Re: [PHP] SSH Authentication using php
Ah, you should try to authenticate differently then. You're going about this the wrong way. :-)

The PEAR::Auth package provides methods for creating an authentication system using PHP. Currently it supports the following storage containers to read/write the login data:

* All databases supported by the PEAR database layer
* All databases supported by the MDB database layer
* All databases supported by the MDB2 database layer
* Plaintext files
* LDAP servers
* POP3 servers
* IMAP servers
* vpopmail accounts
* RADIUS
* SAMBA password files
* SOAP

hth,
Robby

On Mon, 2004-08-16 at 10:33, Teren wrote:
> Ok, here's the whole project: I have an OpenBSD box using authpf, which uses authentication via ssh login. So, I'm trying to create a web login using PHP so people just have to enter their username/password (which would be a restricted unix account) to gain access to the internet. I have authpf all set up, but I'd like to add a web login to make it more user friendly.
>
> Thanks
> Teren
>
> - Original Message -
> From: Michal Migurski [EMAIL PROTECTED]
> To: Robby Russell [EMAIL PROTECTED]
> Cc: Teren [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Sent: Monday, August 16, 2004 1:15 PM
> Subject: Re: [PHP] SSH Authentication using php
>
>>>> Hi, my goal is to be able to authenticate a user by their SSH account on the system using PHP. I tried looking on Google, but didn't see anything with SSH. What I've tried to do is use the exec() and just do:
>>>>
>>>> exec(ssh [EMAIL PROTECTED].escapleshellard(password));
>>>
>>> You can try setting up authorized_keys for this. Then you don't need to pass it the password.
>>
>> ...but you'd still need to provide the ssh passphrase, or have an instance of ssh-agent running.
>>
>> Teren, what are you trying to do exactly? Is ssh actually necessary, or are you really just trying to authenticate users by their unix accounts?
>>
>> - michal migurski - contact info and pgp key: sf/ca http://mike.teczno.com/contact.html

--
/***
 * Robby Russell | Owner.Developer.Geek
 * PLANET ARGON | www.planetargon.com
 * Portland, OR | [EMAIL PROTECTED]
 * 503.351.4730 | blog.planetargon.com
 * PHP/PostgreSQL Hosting Development
 /
[PHP] Re: CURL question, cutting off custom request
Hello,

On 08/16/2004 12:40 PM, Dominic Schanen wrote:

I'm sending a custom request to a server using CURL, which may contain some high-ascii characters. Are there certain characters that would cause CURL not to send the complete custom request? Are there some CURL options that can help make sure the request is sent in its entirety? Here is my code:

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_VERBOSE, 1);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);  // certificate verification is switched off
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);  // host name check is switched off
    curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0);
    curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $request);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $return = curl_exec($ch);

Sometimes it appears to cut off my request with the existence of a NUL character. Any ideas?

That depends on where you are using non-ASCII characters. If it is in the request headers, you need to use q-encoding to encode them as ASCII. If it is in the request body, it should not be a problem, although I think you should specify the character set in the Content-Type header.

--
Regards,
Manuel Lemos

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

PHP Reviews - Reviews of PHP books and other products
http://www.phpclasses.org/reviews/

Metastorage - Data object relational mapping layer generator
http://www.meta-language.net/metastorage.html
Re: [PHP] SSH Authentication using php
Ok, here's the whole project, I have an openbsd box using authpf which uses authentication via ssh login. So, I'm trying to create a weblogin using php so people just have to enter their username/password (which would be a restricted unix account) to gain access to the internet. I have authpf all set up, but I'd like to add a web login to make it more user friendly. Thanks

Ah, makes sense. Authorized_keys may be a good way to go. You may wish to run an instance of ssh-agent as the Apache user, and create a single ssh key for that user - importing the PID as an environment variable before you run your exec() line ought to make it work. You may have some difficulties keeping that ssh session open directly from PHP, though.

I wonder whether you aren't subverting your network security somewhat, by enacting strict controls (with authpf) and then routing around them with an insecure web login.

-mike.
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- Jay Blanchard [EMAIL PROTECTED] wrote:

You would have to ask the Microsoft Development Group, who probably does not subscribe to this list. Crossposting is bad. Being OT during a crosspost is even worse. I can hear the flamethrowers warming up in the wings.

FYI - This is (or used to be) a PHP list

I won't defend cross-posting, but I think CSRF is very on-topic.

Chris

=====
Chris Shiflett - http://shiflett.org/
PHP Security - O'Reilly
Coming Fall 2004
HTTP Developer's Handbook - Sams
http://httphandbook.org/
PHP Community Site
http://phpcommunity.org/
Re: [PHP] SSH Authentication using php
Ok, here's the whole project, I have an openbsd box using authpf which uses authentication via ssh login. So, I'm trying to create a weblogin using php so people just have to enter their username/password (which would be a restricted unix account) to gain access to the internet. I have authpf all set up, but I'd like to add a web login to make it more user friendly. Thanks

Ah, makes sense. Authorized_keys may be a good way to go. You may wish to run an instance of ssh-agent as the Apache user, and create a single ssh key for that user - importing the PID as an environment variable before you run your exec() line ought to make it work. You may have some difficulties keeping that ssh session open directly from PHP, though.

I wonder whether you aren't subverting your network security somewhat, by enacting strict controls (with authpf) and then routing around them with an insecure web login.

-mike.

Adding SSL to the mix would probably fix the insecure login part.

--
--Matthew Sims
--http://killermookie.org
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Jay Blanchard wrote:

FYI - This is (or used to be) a PHP list

If I have a web server running php, how do I change the oil in my car?

--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- [EMAIL PROTECTED] wrote:

My question: Is I.E. 6.01 SP1 doing something to foil the CSRF attack, i.e. only allow image extensions .gif .png .jpeg?

This seems highly unlikely. Can you show us the code you're using to test?

Chris
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1? WOT
--- Jay Blanchard [EMAIL PROTECTED] wrote:

[snip]
Perhaps the question could be asked another way and be more on topic. Is there a fix in I.E. 6.01 that would interfere with PHP being able to generate different mime types on the fly, like .png or .jpg
[/snip]

a. But that wasn't what he asked.

Actually, that's exactly what he asked, just rephrased. :-)

Chris
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Thanks Chris,

Yup I think my posting is very on-topic. The application that I am working on is written in PHP. And I'm sure all PHP developers check their applications for CSRF vulnerability, in various browsers (including I.E. ). As a PHP/Java developer, I would be interested to know what I.E. is doing in their browsers to prevent CSRF attacks. I'm not trying to start a browser war here.

Regards,
Saqib Ali
http://validate.sf.net
DocBook XML - XHTML / PDF Convertor

Chris Shiflett [EMAIL PROTECTED]
08/16/2004 11:17 AM
Please respond to [EMAIL PROTECTED]
To Jay Blanchard [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
cc
Subject RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

--- Jay Blanchard [EMAIL PROTECTED] wrote:

You would have to ask the Microsoft Development Group, who probably does not subscribe to this list. Crossposting is bad. Being OT during a crosspost is even worse. I can hear the flamethrowers warming up in the wings.

FYI - This is (or used to be) a PHP list

I won't defend cross-posting, but I think CSRF is very on-topic.

Chris
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
[snip] Yup I think my posting is very on-topic. The application that I am working on is written in PHP. [/snip] Thanks for stating that in your original post.
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Hello Chris,

I can't share the exact code ;) , but here is something very similar:

    <img src="http://slashdot.org/my/logout" height="1" width="1">

If I load a web page with the above code, it should log me out of slashdot. It works in Mozilla (and netscape), but not in I.E. 6.01 SP1

downloads.seagate.com

Chris Shiflett [EMAIL PROTECTED]
08/16/2004 11:24 AM
Please respond to [EMAIL PROTECTED]
To [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
cc
Subject Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

--- [EMAIL PROTECTED] wrote:

My question: Is I.E. 6.01 SP1 doing something to foil the CSRF attack, i.e. only allow image extensions .gif .png .jpeg?

This seems highly unlikely. Can you show us the code you're using to test?

Chris
[PHP] PEAR
Hi, some newbie questions about PEAR:

1. How do I know if it's already installed? (via phpinfo() ? )
2. Can I install it myself if it's not already installed or do I have to contact my host?

Thanks,
Mag

=====
--
- The faulty interface lies between the chair and the keyboard.
- Creativity is great, but plagiarism is faster!
- Smile, everyone loves a moron. :-)
[PHP] Re: mail() on *nix using ssmtp or an external smtp server?
Hello,

On 08/16/2004 10:00 AM, Markus Mayer wrote:

- Does anyone know of a way to make PHP on *nix use an external smtp server without having to hack around in the source code of PHP?
- Has anyone got either ssmtp or esmtp working with PHP?

You may want to try this class that can be used to do precisely what you want. You can compose and send messages and have them delivered to an SMTP server of your choice.

If you do not want to change your scripts much, it comes with a wrapper function named smtp_mail() that can be used with exactly the same arguments as the mail() function, but it lets you send messages via an SMTP server. It can even let you configure authentication credentials if you are required to authenticate to relay on the SMTP server.

http://www.phpclasses.org/mimemessage

--
Regards,
Manuel Lemos
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- [EMAIL PROTECTED] wrote:

And I'm sure all PHP developers check their applications for CSRF vulnerability, in various browsers (including I.E. ).

I speak about CSRF in many of the talks I give, and I think you'd be surprised by how many people haven't even heard of it.

As a PHP/Java developer, I would be interested to know what I.E. is doing in their browsers to prevent CSRF attacks. I'm not trying to start a browser war here.

Well, to be fair, even if it is true that IE does not request a URL referenced in an img tag unless the file extension matches a known image type, this isn't a complete or even optimal solution to the problem.

Also, as Web developers, we can't assume that 100% of users are using this specific browser anyway, and that's the only way that it could eliminate the need to be mindful of CSRF attacks when we're writing our PHP code.

Chris
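The point that server code cannot lean on one browser's behaviour, as an added example that is not code from this thread: a logout handler that ignores GET requests and accepts only a POST carrying a per-session token, so an embedded image reference has no effect in any browser. The file name, form field name and redirect target are assumptions.

```php
<?php
// logout.php: added example, not code from the thread. The file name, the
// form field name and the redirect target are assumptions.
declare(strict_types=1);

// SameSite keeps the session cookie off most cross-site subrequests
// (the array form needs PHP 7.3+); the token below is still the primary check.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

/** Return the per-session token, creating it on first use. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** True only for a POST that carries the token stored in this session. */
function is_valid_logout(string $method, array $post, array $session): bool
{
    $expected = $session['csrf_token'] ?? '';
    $sent     = $post['csrf_token'] ?? '';
    if ($method !== 'POST' || !is_string($expected) || !is_string($sent)) {
        return false;
    }
    // hash_equals() compares in constant time
    return $expected !== '' && hash_equals($expected, $sent);
}

$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';

if (is_valid_logout($method, $_POST, $_SESSION)) {
    // Drop the session data, expire the cookie, then destroy the session
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: /', true, 303);
    exit;
}

if ($method === 'POST') {
    // A POST without the right token is rejected and the session is kept
    http_response_code(403);
    exit('Missing or invalid token.');
}

// A GET, which is all an <img> reference can send, changes nothing:
// it only renders the form that carries the token.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="logout.php">
  <input type="hidden" name="csrf_token" value="<?= $token ?>">
  <button type="submit">Log out</button>
</form>
```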
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- [EMAIL PROTECTED] wrote:

I can't share the exact code ;) , but here is something very similar:

    <img src="http://slashdot.org/my/logout" height="1" width="1">

If I load a web page with the above code, it should log me out of slashdot. It works in Mozilla (and netscape), but not in I.E. 6.01 SP1

The best information would be if you can capture the exact HTTP transactions involved. For example, using something like ethereal, capture the request and response for Mozilla, and then do the same for IE 6.01 SP1.

Short of that, you could create a URL specifically made for testing this. You can create a PHP file called csrf.php and another called csrf.png. Make .png files be interpreted as PHP (just for the purposes of this test), and then you can log a lot of useful information in your test scripts.

Hope that helps.

Chris
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
-Original Message-

Jay Blanchard wrote:

FYI - This is (or used to be) a PHP list

If I have a web server running php, how do I change the oil in my car?

Have you tried the OilChange class from PHPClasses.org? ;)

-Ed
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
What if you add a random seed to the URL?

    <img src="http://slashdot.org/my/logout?fluff=<?php echo rand(1,200); ?>" height="1" width="1">

-Original Message-

Hello Chris, I can't share the exact code ;) , but here is something very similar:

    <img src="http://slashdot.org/my/logout" height="1" width="1">

If I load a web page with the above code, it should log me out of slashdot. It works in Mozilla (and netscape), but not in I.E. 6.01 SP1
[PHP] Re: Compile
Watty [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

Is it possible to compile a PHP script? And if so, how?

there is a roadsend php compiler, but I have not used it myself.

rush
--
http://www.templatetamer.com/
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
-Original Message-

The best information would be if you can capture the exact HTTP transactions involved. For example, using something like ethereal, capture the request and response for Mozilla, and then do the same for IE 6.01 SP1.

Short of that, you could create a URL specifically made for testing this. You can create a PHP file called csrf.php and another called csrf.png. Make .png files be interpreted as PHP (just for the purposes of this test), and then you can log a lot of useful information in your test scripts.

Wouldn't it work to just make the script spit out a mime type header and a small (1x1) image when it's done to satisfy the browser's mime type requirements?

-Ed
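A test endpoint along the lines suggested in the two messages above, as an added example that is not code from the thread: it records what the browser sent for an embedded image request, then answers with a valid 1x1 GIF. The file name and log path are assumptions; it logs cookie names only, which is enough to see whether a given browser attached the session cookie to the cross-site request.

```php
<?php
// csrf_probe.php: added example; the file name and log path are assumptions.
// Serve it from a test host you control, reference it with <img src="...">
// from a page on another origin, and compare the log lines per browser.
declare(strict_types=1);

const PROBE_LOG = __DIR__ . '/csrf_probe.log';   // assumed location

/** Replace control characters so a header value cannot forge log lines. */
function clean_field(string $value, int $max = 300): string
{
    $value = preg_replace('/[\x00-\x1F\x7F]/', '?', $value) ?? '';
    return substr($value, 0, $max);
}

/** Build one log record from the request data passed in. */
function describe_request(array $server, array $cookies): array
{
    $names = [];
    foreach (array_keys($cookies) as $name) {
        $names[] = clean_field((string) $name);
    }
    return [
        'time'         => gmdate('c'),
        'method'       => clean_field((string) ($server['REQUEST_METHOD'] ?? '')),
        'uri'          => clean_field((string) ($server['REQUEST_URI'] ?? '')),
        'user_agent'   => clean_field((string) ($server['HTTP_USER_AGENT'] ?? '')),
        'referer'      => clean_field((string) ($server['HTTP_REFERER'] ?? '')),
        'accept'       => clean_field((string) ($server['HTTP_ACCEPT'] ?? '')),
        // Names only: shows whether the session cookie came along
        'cookie_names' => $names,
        'cookie_sent'  => isset($server['HTTP_COOKIE']),
    ];
}

$record = describe_request($_SERVER, $_COOKIE);
file_put_contents(PROBE_LOG, json_encode($record) . "\n", FILE_APPEND | LOCK_EX);

// 1x1 transparent GIF, so the browser receives a well-formed image
$pixel = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
header('Content-Type: image/gif');
header('Content-Length: ' . strlen($pixel));
header('Cache-Control: no-store');
echo $pixel;
```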
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- Ed Lazor [EMAIL PROTECTED] wrote:

Wouldn't it work to just make the script spit out a mime type header and a small (1x1) image when it's done to satisfy the browser's mime type requirements?

Definitely, but most CSRF attacks are meant to spoof a request from the legitimate user to some Web site where he/she already has privilege. Thus, the receiving site is usually as much the victim as the user.

I'm not sure if that makes any sense... :-)

Chris
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
-Original Message-

Definitely, but most CSRF attacks are meant to spoof a request from the legitimate user to some Web site where he/she already has privilege. Thus, the receiving site is usually as much the victim as the user. I'm not sure if that makes any sense... :-)

It does =)

-Ed
Re: [PHP] problems with sessions!!AAH
Angelo Zanetti [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

Hi Matt, The session_id() is correct on both pages. Some info I forgot to add is this: on my first page:

    session_write_close();
    header("Location: franchise_menu.php?" . SID);
    exit();

however on my franchise_menu.php page, no SID is displayed in the browser address. could that be a reason? Or have I misconfigured something?

Hi Angelo,

your code looks right but you should see the session id in the address bar after the redirect. Does echo SID produce any output? By the way, I don't think you need to call session_write_close().

Torsten
[PHP] back button doesn't work with sessions?
Hi all!

Can you please help me with the following; I've got a form (that comes in 'three parts' a1.php a2.php and a3.php) with sessions that refuses to go back! On A2.php and A3.php I made a back button like:

    <input type="image" src="images/back_button.jpg" onClick="history.back()">

and

    <input type="image" src="images/back_button.jpg" onclick="history.go(-1)">

And I've added the following line directly after session_start();

    header("Cache-control: private");

When I'm hitting the back button it stays on its page!!! So no browser back for me! Can somebody help?

Thanks!
Frank
[PHP] Re: PEAR
Mag [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

Hi, some newbie questions about PEAR:

1. How do I know if it's already installed? (via phpinfo() ? )
2. Can I install it myself if it's not already installed or do I have to contact my host?

Thanks,
Mag

You will find answers to your questions on http://pear.php.net. Or post your questions to the pear-general list.

Regards,
Torsten Roehr
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Why is it so important if Internet Explorer allows URLs of images where the file name is only .jpg, .png, or .gif?

A url can be something like:

    http://www.site.com/script.php/image.jpg?logout=true

Internet Explorer might think that the file is a .jpg and that script.php is a directory but only the target web server knows which is the program. Or a PHP code might be contained in an image.jpg file.

Teddy

- Original Message -
From: Chris Shiflett [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: Jay Blanchard [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Monday, August 16, 2004 9:52 PM
Subject: RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

--- [EMAIL PROTECTED] wrote:

And I'm sure all PHP developers check their applications for CSRF vulnerability, in various browsers (including I.E. ).

I speak about CSRF in many of the talks I give, and I think you'd be surprised by how many people haven't even heard of it.

As a PHP/Java developer, I would be interested to know what I.E. is doing in their browsers to prevent CSRF attacks. I'm not trying to start a browser war here.

Well, to be fair, even if it is true that IE does not request a URL referenced in an img tag unless the file extension matches a known image type, this isn't a complete or even optimal solution to the problem.

Also,
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Hello,

I'm not saying that I.E. completely fixed the CSRF attacks, by only allowing .jpg .gif .png files. But it might be one possible way to minimize CSRF attack, just like using POST vs GET can help minimize the chances of that attack.

BTW, using POST instead of GET does NOT guarantee that a CSRF attack will not work, either.

Thanks.
Saqib Ali
http://validate.sf.net
XHTML/DocBook XML Validator and Transformer

Octavian Rasnita [EMAIL PROTECTED]
08/16/2004 12:57 PM
To [EMAIL PROTECTED], [EMAIL PROTECTED]
cc Jay Blanchard [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

Why is it so important if Internet Explorer allows URLs of images where the file name is only .jpg, .png, or .gif?

A url can be something like:

    http://www.site.com/script.php/image.jpg?logout=true

Internet Explorer might think that the file is a .jpg and that script.php is a directory but only the target web server knows which is the program. Or a PHP code might be contained in an image.jpg file.

Teddy

- Original Message -
From: Chris Shiflett [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: Jay Blanchard [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Monday, August 16, 2004 9:52 PM
Subject: RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

--- [EMAIL PROTECTED] wrote:

And I'm sure all PHP developers check their applications for CSRF vulnerability, in various browsers (including I.E. ).

I speak about CSRF in many of the talks I give, and I think you'd be surprised by how many people haven't even heard of it.

As a PHP/Java developer, I would be interested to know what I.E. is doing in their browsers to prevent CSRF attacks. I'm not trying to start a browser war here.

Well, to be fair, even if it is true that IE does not request a URL referenced in an img tag unless the file extension matches a known image type, this isn't a complete or even optimal solution to the problem.

Also,
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Hello Chris,

Upon your suggestion, I used a sniffer to sniff traffic for the web app that I am working on. To my surprise, the data captured during the sniff for both browsers was exactly the same. Which means my theory of limiting the <img/> TAG to .gif .jpeg .png is NOT true.

So now I am completely clueless as to why this particular attack works in Mozilla but not in IE. Any ideas?

Thanks.
Saqib Ali
http://validate.sf.net
XHTML/DocBook XML Validator and Transformer

Chris Shiflett [EMAIL PROTECTED]
08/16/2004 11:55 AM
Please respond to [EMAIL PROTECTED]
To [EMAIL PROTECTED], [EMAIL PROTECTED]
cc [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

--- [EMAIL PROTECTED] wrote:

I can't share the exact code ;) , but here is something very similar:

    <img src="http://slashdot.org/my/logout" height="1" width="1">

If I load a web page with the above code, it should log me out of slashdot. It works in Mozilla (and netscape), but not in I.E. 6.01 SP1

The best information would be if you can capture the exact HTTP transactions involved. For example, using something like ethereal, capture the request and response for Mozilla, and then do the same for IE 6.01 SP1.

Short of that, you could create a URL specifically made for testing this. You can create a PHP file called csrf.php and another called csrf.png. Make .png files be interpreted as PHP (just for the purposes of this test), and then you can log a lot of useful information in your test scripts.

Hope that helps.

Chris
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- Octavian Rasnita [EMAIL PROTECTED] wrote:

Why is it so important if Internet Explorer allows URLs of images where the file name is only .jpg, .png, or .gif?

A url can be something like:

    http://www.site.com/script.php/image.jpg?logout=true

This is definitely true, but as I mentioned in a previous reply, the point of most CSRF attacks is to spoof a request from a trusted user to another Web site. Thus, both the user and the other Web site are the victims. Most Web sites don't have pages that use the .png extension.

The attacker isn't the receiving site; he/she is the person launching the attack that causes the spoofed request.

For more information, since I fear my brief description is inadequate, you can see these resources:

http://shiflett.org/articles/foiling-cross-site-attacks
http://shiflett.org/talks/oscon2004/foiling-cross-site-attacks
http://shiflett.org/php-security.pdf

Hope that helps.

Chris
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- [EMAIL PROTECTED] wrote:

Upon your suggestion, I used a sniffer to sniff traffic for the web app that I am working on. To my surprise, the data captured during the sniff for both browsers was exactly the same.

Can you elaborate or post the exact requests sent from each browser? I'm assuming the User-Agent header was different, at the very least, so I question what "exactly" means in this case. :-)

Chris
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Hello Curt,

Yes, the /. system depends on cookies to keep the user logged in. However a CSRF attack is NOT trying to access a third party cookie. The web browser makes the same GET request whether it is using <img/> TAG or the user clicking on a link. So in either case the cookies are in the context of the website to which the cookies belong.

Maybe Chris can correct me, if I am wrong here.

Thanks.
Saqib Ali
http://validate.sf.net
XHTML/DocBook XML Validator and Transformer

Curt Zirzow [EMAIL PROTECTED]
08/16/2004 02:40 PM
To [EMAIL PROTECTED]
cc
Subject Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

* Thus wrote [EMAIL PROTECTED]:

Hello Chris, I can't share the exact code ;) , but here is something very similar:

    <img src="http://slashdot.org/my/logout" height="1" width="1">

If I load a web page with the above code, it should log me out of slashdot. It works in Mozilla (and netscape), but not in I.E. 6.01 SP1

I'm not sure how the /. logout system works, but my guess is that they rely on cookies to do this. Since that is a different site than from the originating file, those cookies would be considered third party. I know in IE you can disable third party cookie access.

Curt
--
First, let me assure you that this is not one of those shady pyramid schemes you've been hearing about. No, sir. Our model is the trapezoid!
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
* Thus wrote [EMAIL PROTECTED]:

Hello Chris, I can't share the exact code ;) , but here is something very similar:

    <img src="http://slashdot.org/my/logout" height="1" width="1">

If I load a web page with the above code, it should log me out of slashdot. It works in Mozilla (and netscape), but not in I.E. 6.01 SP1

I'm not sure how the /. logout system works, but my guess is that they rely on cookies to do this. Since that is a different site than from the originating file, those cookies would be considered third party. I know in IE you can disable third party cookie access.

Curt
--
First, let me assure you that this is not one of those shady pyramid schemes you've been hearing about. No, sir. Our model is the trapezoid!
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
-Original Message-

So now I am completely clueless as to why this particular attack works in Mozilla but not in IE.

Could you describe the problem again and give full detail? I think we need to better model the problem in order to present a more effective solution.

The link below goes to a page I found that describes CSRF a little differently than what Chris was presenting - to give a different perspective on things.

http://www.squarefree.com/securitytips/web-developers.html

-Ed
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Hello Ed,

To give some details: I am unable to re-produce a CSRF attack when the victim is using I.E. 6.01 SP1 (all patches applied). However the attack works in Mozilla and other older browsers.

I can't give you the exact code for attack (for security reasons), but it is similar to the following: If you insert the following HTML code in any web page residing at any domain, it will cause you to be logged out of /. if you previously logged in the /. system:

    <img src="http://slashdot.org/my/logout" height="1" width="1">

This type of attack makes use of CSRF. Try to insert the above HTML line in a web page of your choice, and then load the web page. If you are using Mozilla, it will log you off from /. However in the latest build of I.E. it doesn't work, whereas it should work.

Thanks.
Saqib Ali
http://validate.sf.net
XHTML/DocBook XML Validator and Transformer

Ed Lazor [EMAIL PROTECTED]
08/16/2004 02:26 PM
To [EMAIL PROTECTED]
cc
Subject RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

-Original Message-

So now I am completely clueless as to why this particular attack works in Mozilla but not in IE.

Could you describe the problem again and give full detail? I think we need to better model the problem in order to present a more effective solution.

The link below goes to a page I found that describes CSRF a little differently than what Chris was presenting - to give a different perspective on things.

http://www.squarefree.com/securitytips/web-developers.html

-Ed
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- [EMAIL PROTECTED] wrote:

Hello Curt, Yes, the /. system depends on cookies to keep the user logged in. However a CSRF attack is NOT trying to access a third party cookie. The web browser makes the same GET request whether it is using <img/> TAG or the user clicking on a link. So in either case the cookies are in the context of the website to which the cookies belong. Maybe Chris can correct me, if I am wrong here.

Well, you're not really wrong, but I think I can clarify what Curt was trying to say, and then he can correct me if I'm wrong. :-)

When a browser makes a request for an embedded resource (an image is just one example), it is identical to the request it would make if the user were to browse to that same URL manually. I think we're all in agreement here. Thus, the same cookies would be included in this request.

What Curt is suggesting, I believe, is that your version of IE might behave differently, by default. It might not include cookies in requests for embedded resources when those resources are located at a different domain (thus his mention of third-party cookies). For example, if you're at http://example.org/, and it has an image from http://slashdot.org/, the browser won't include its slashdot.org cookies when making the request to Slashdot.

This is an option for most browsers, but it has never been the default behavior for any, to my knowledge.

Maybe that helps clarify something... :-)

Chris
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- Curt Zirzow [EMAIL PROTECTED] wrote:

> I'm not sure how the /. logout system works, but my guess is that they rely on cookies to do this. Since that is a different site than from the originating file, those cookies would be considered third party. I know in IE you can disable third party cookie access.

Good call, Curt. :-)

You can disable this in other Web clients as well, but I don't think it's the default behavior for anything. Perhaps this particular version of IE does not send cookies in requests for embedded resources? This does seem like a plus.

Chris
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- Ed Lazor [EMAIL PROTECTED] wrote:

> The link below goes to a page I found that describes CSRF a little differently than what Chris was presenting - to give a different perspective on things.
>
> http://www.squarefree.com/securitytips/web-developers.html

It doesn't seem to be different, actually. It just fails to elaborate much at all.

For a non-Chris description of CSRF, you can always have a look at the original description:

http://www.tux.org/~peterw/csrf.txt

This is at least a little more complete. I think CSRF is a bit difficult for someone to grasp at first, especially within a few sentences. :-)

Chris
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- [EMAIL PROTECTED] wrote:

> To give some details: I am unable to reproduce a CSRF attack when the victim is using I.E. 6.01 SP1 (all patches applied). However the attack works in Mozilla and other older browsers.
>
> I can't give you the exact code for the attack (for security reasons), but it is similar to the following:
>
> If you insert the following HTML code in any web page residing at any domain, it will cause you to be logged out of /. if you previously logged in to the /. system:
>
> <img src="http://slashdot.org/my/logout" height="1" width="1">
>
> This type of attack makes use of CSRF. Try to insert the above HTML line into a web page of your choice, and then load the web page. If you are using Mozilla, it will log you off from /. However in the latest build of I.E. it doesn't work, whereas it should work.

Very nice description of what you've been observing.

I still find it impossible to believe that the HTTP requests for http://slashdot.org/my/logout sent from Mozilla and IE are identical. :-) Can you show us the exact requests that you logged?

Chris
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
I was able to confirm / reproduce what you're experiencing. I was also able to confirm that toggling IE 6's acceptance of 3rd party cookies changes the behavior.

Create an HTML on your local machine with the following line:

<img src="http://www.atfantasy.com/test/image_status.php">

It'll load an image that says the cookie is not set. Next, open a new browser and go to http://www.atfantasy.com/test/index.php

It'll set the cookie. Now go back and reload the first browser. It says the cookie is still not set. Go into IE's Privacy options and set IE to accept 3rd party cookies. Do another refresh in the first browser and the image will display saying the cookie is set.

The test index also has other options for setting the cookie, unsetting the cookie, and displaying the image directly (not through your local page).

I think all of this confirms what Curt was saying. If IE has access to third party cookies disabled, the local page may refer to a script elsewhere, but it won't pass cookies back and forth.

Squarefree.com's article (http://www.squarefree.com/securitytips/web-developers.html) recommends a few solutions.

-Ed

-----Original Message-----
> I am unable to reproduce a CSRF attack when the victim is using I.E. 6.01 SP1 (all patches applied). However the attack works in Mozilla and other older browsers.
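A probe of the kind Ed's test describes, as an added example: it is not the script hosted at atfantasy.com and not code from this thread. It reports whether a cookie arrived with an embedded-image request and logs each request so that two browsers can be compared. The file name `cookie_probe.php`, the cookie name `probe` and the `action=set` parameter are assumptions.

```php
<?php
// cookie_probe.php (hypothetical name): added diagnostic, not the thread's script.
declare(strict_types=1);

const PROBE_COOKIE = 'probe'; // constructed cookie name

function probe_status(array $cookies): string
{
    return isset($cookies[PROBE_COOKIE]) ? 'cookie set' : 'cookie not set';
}

function printable(string $value): string
{
    // Header values are client-controlled: keep only printable ASCII in the log.
    return preg_replace('/[^\x20-\x7E]/', '?', $value) ?? '';
}

function log_line(array $server, array $cookies): string
{
    // One line per request: what the browser actually sent.
    return sprintf(
        '%s %s cookie=%s referer="%s" ua="%s"',
        $server['REQUEST_METHOD'] ?? '-',
        printable((string) ($server['REQUEST_URI'] ?? '-')),
        isset($cookies[PROBE_COOKIE]) ? 'present' : 'absent',
        printable((string) ($server['HTTP_REFERER'] ?? '-')),
        printable((string) ($server['HTTP_USER_AGENT'] ?? '-'))
    );
}

if (($_GET['action'] ?? '') === 'set') {
    // First-party visit: set the cookie that the embedded request may or may not carry.
    setcookie(PROBE_COOKIE, '1', time() + 3600, '/');
    header('Content-Type: text/plain');
    echo "Cookie set. Now load the page that embeds this script as an image.\n";
    exit;
}

error_log(log_line($_SERVER, $_COOKIE));

// Answer with a small SVG so the result is visible inside an <img> element.
header('Content-Type: image/svg+xml');
header('Cache-Control: no-store');
$label = htmlspecialchars(probe_status($_COOKIE), ENT_QUOTES, 'UTF-8');
echo '<svg xmlns="http://www.w3.org/2000/svg" width="200" height="30">'
   . '<text x="5" y="20">' . $label . '</text></svg>';
```

Comparing the `cookie=` field in the server log for the same embedding page loaded in each browser answers the question about whether the requests are identical.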
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
-----Original Message-----
> However a CSRF attack is NOT trying to access a third party cookie. The web browser makes the same GET request whether it is using <img/> TAG or the user clicking on a link. So in either case the cookies are in the context of the website to which the cookies belong.

I think Curt was correct actually. Hopefully the test I sent earlier can confirm or at least cross-reference this.

-Ed
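The thread shows that whether cookies accompany an embedded request depends on a browser setting the site does not control, so the defence has to live on the server. The following is an added example, not Slashdot's code and not taken from the articles linked above: a state-changing endpoint that ignores GET and requires a per-session token. The file name `logout.php` and the field name `csrf_token` are assumptions.

```php
<?php
// logout.php (hypothetical): added example of a CSRF-resistant state change.
declare(strict_types=1);

// SameSite=Lax (PHP 7.3+) asks the browser to withhold the session cookie from
// cross-site subrequests such as <img>, whatever the user's privacy settings are.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

function csrf_token(): string
{
    // One unpredictable token per session, created on first use.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function logout_allowed(string $method, array $post, array $session): bool
{
    $sent = $post['csrf_token'] ?? null;
    $expected = $session['csrf_token'] ?? '';
    return $method === 'POST'
        && is_string($sent)
        && is_string($expected) && $expected !== ''
        && hash_equals($expected, $sent); // constant-time comparison
}

$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';

if (logout_allowed($method, $_POST, $_SESSION)) {
    $_SESSION = [];
    session_destroy();
    header('Location: /', true, 303);
    exit;
}
if ($method !== 'GET') {
    http_response_code(403);
    exit('Missing or invalid CSRF token');
}
// A GET (including one triggered by an embedded <img>) changes nothing:
// it only renders the confirmation form that carries this session's token.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="logout.php">
  <input type="hidden" name="csrf_token" value="<?php echo $token; ?>">
  <button type="submit">Log out</button>
</form>
```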
[PHP] The ' character and Hidden (POST) form fields...
I've recently encountered a problem with hidden (POST) form fields being ignored when an html textarea (or text) tag value contains the following character: '

It seems when you paste text from outlook, to an html 'textarea', it converts the apostrophe character (') to this character ('), which then causes the 1st hidden form field (if there are more than one hidden form field), or the only hidden form field (if there is only 1 hidden form field), to be ignored in the $_POST variables collected on the page that the form submits to.

A simple way to replace the string is:

$str = preg_replace("/'/", "'", $str);

But I was curious if anyone else has experienced this issue, or has a clear description of why it occurs.

Thanks,

SEAN O'DONNELL
PROGRAMMER/ANALYST
The Design People, Inc.
Re: [PHP] The_'_character_and_Hidden_(POST)_form_fields...
--- Sean O'Donnell [EMAIL PROTECTED] wrote:

> I've recently encountered a problem with hidden (POST) form fields being ignored when an html textarea (or text) tag value contains the following character: '

My guess is that you're displaying this data in HTML and delimiting it with the same character, e.g. something like this:

<input type="text" value='<?php echo $unescaped_data; ?>' />

If you don't escape your data, you not only will observe the behavior you're experiencing, but you also have a pretty major security vulnerability. You should also be filtering your data to make sure it is valid.

Hope that helps.

Chris
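The unescaped pattern from the reply above next to its escaped form, as an added example that is not code from either poster: an HTML parser is used to show what value a browser would actually see in each case. The sample string, the field name `note` and the function names are constructed, and the script assumes PHP's DOM extension is enabled.

```php
<?php
declare(strict_types=1);

// Constructed sample input containing an apostrophe.
$data = "It's pasted text";

function render_unescaped(string $value): string
{
    // The pattern from the reply: the apostrophe in $value ends the attribute early.
    return "<input type=\"text\" name=\"note\" value='" . $value . "' />";
}

function render_escaped(string $value): string
{
    // ENT_QUOTES encodes both ' and ", so the data cannot close the attribute
    // whichever quote character delimits it.
    $safe = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return "<input type=\"text\" name=\"note\" value='" . $safe . "' />";
}

function parsed_value(string $html): string
{
    // Parse the markup the way a browser would and read back the attribute.
    libxml_use_internal_errors(true); // the broken markup triggers parser warnings
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input instanceof DOMElement ? $input->getAttribute('value') : '';
}

$variants = [
    'unescaped' => render_unescaped($data),
    'escaped'   => render_escaped($data),
];
foreach ($variants as $label => $html) {
    printf("%-9s markup: %s\n", $label, $html);
    printf("%-9s value the parser sees: %s\n\n", $label, parsed_value($html));
}
```

In the unescaped variant everything after the apostrophe is parsed as further attributes of the tag, which is also how attacker-supplied attributes end up in the page.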