Re: [PHP] help out a noob w/ include switch?

2005-09-21 Thread Philip Hallstrom

Hi All,
   My very first post to this group as I'm a freshly spanked new born php
baby. Hope I have the correct stop for noob tech questions. Please
re-direct me if I have it wrong. I've been doing web dev for a quite while
with a variety of methods (html, xhtml/css, cfml, flash/as, on and on...).
I work mainly for non-profit organizations and thought it was about time to
get away from commercial software. I'm doing my first site now w/ a
XHTML/CSS template that uses PHP to insert data from a switch container and
from a MySQL db.

My problem occurs only on the server (NT 5 b.2195, PHP 4.3.10, IIS 5.0) but
works great on my dev rig (XAMPP 1.4.15, VectorLinux).

My template index.php uses 'include' to get '$vars' from two files. one
for the body text and title, and the other for the navigation. Click on a
link in the navbar and index.php reloads with the new navbar and the
associated content each into its div. Works great on my test rig but the
server the site will be hosted from ignores the urlencoded vars and just
loads the switch defaults. For whatever reason I tried return() instead of
break. Again, it worked on my rig but not the server. I know I'm missing
some dumb little thing but I have not figured out what yet. I also tried
session_unset() at the beginning of the index.php in case the problem was
with caching. Didn't work either but may be due to incorrect usage. Any
help or advice is very greatly appreciated!!


I'm guessing that register_globals is set to On on your dev box and Off on 
your NT server.  Check the manual for register_globals along with $_GET.


or if that fails, create a simple phpinfo() page on both servers and 
compare the output to see what settings are different.





jt.

index.php:
<?php
   include 'content.php';   // sets the section title and body text
   echo $title;
?>
<?php
   include 'navigate.php';  // sets appropriate navigation menu
   echo $navigate;
?>
<?php
   echo $content;   // loads body text
?>

content.php:
<?php
// $cont is filled from the ?cont= query string only while register_globals
// is On; with it Off the variable is unset and the default case always runs
switch ($cont)
{
   case 'artist1':
   $title = 'event title';
   $content = '<p>some text</p>

   <p>some more text</p>

   <p class="sig">- artist name</p>';
   break;
   case 'artist2':   // artist3 and artist4 follow the same pattern
   // [...]
   break;
   default:
   $title = 'event title';
   $content = '<p>some text</p>

   <p>some more text</p>

   <p class="sig">- artist name</p>';
   break;
}
?>

navigate.php:
<?php
// $nav likewise comes from ?nav= only while register_globals is On
switch ($nav)
{
   case 1:
   $navigate = '<ul><li><a href="index.php?nav=1&amp;cont=artist1">Link title<br />by artist1</a></li>
   <li><a href="index.php?nav=2&amp;cont=artist2">link title<br />by artist2</a></li>
   <li><a href="#">some more stuff</a></li>
   <li><a href="#">Contact</a></li></ul>';   // targets of the last two links were not given in the post
   break;
   case 2:   // 3 and 4 follow the same pattern
   // [...]
   break;
   default:
   $navigate = '<ul><li><a href="index.php?nav=1&amp;cont=artist1">Link title<br />by artist1</a></li>
   <li><a href="index.php?nav=2&amp;cont=artist2">link title<br />by artist2</a></li>
   <li><a href="#">some more stuff</a></li>
   <li><a href="#">Contact</a></li></ul>';
   break;
}
?>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
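The $_GET fix Philip points at, as an added example (not code from the original post): index.php reads the two parameters explicitly, so it behaves the same with register_globals On or Off, and accepts only the values the switch statements handle. The whitelist arrays and the helper name are assumptions; content.php and navigate.php are the poster's files.

```php
<?php
// Added example, not code from the original post: index.php rewritten so it
// behaves the same whether register_globals is On (the XAMPP box) or Off (the
// IIS server). Turning register_globals On on the server would also "fix" it,
// but then any query-string name can initialise any global variable, so the
// explicit $_GET lookup is the right fix. content.php and navigate.php are the
// poster's files; the whitelist arrays and the helper name are assumptions.

// Only values that have a case in content.php / navigate.php are accepted;
// anything else falls back to the same default the switch statements use.
$allowed_cont = array('artist1', 'artist2', 'artist3', 'artist4');
$allowed_nav  = array('1', '2', '3', '4');

// Return $_GET[$key] if it is one of $allowed (compared as strings, since
// everything in $_GET arrives as a string), otherwise $default.
function query_param($key, $allowed, $default)
{
    if (!isset($_GET[$key]) || !is_string($_GET[$key])) {
        return $default;          // missing, or an array from ?cont[]=...
    }
    return in_array($_GET[$key], $allowed, true) ? $_GET[$key] : $default;
}

// '' matches no case in either switch, so the default branch runs, exactly
// as it does today on the server where the variables are unset.
$cont = query_param('cont', $allowed_cont, '');
$nav  = query_param('nav',  $allowed_nav,  '');

include 'content.php';    // switch ($cont): sets $title and $content
include 'navigate.php';   // switch ($nav):  sets $navigate
?>
<h1><?php echo htmlspecialchars($title); ?></h1>
<div id="navigate"><?php echo $navigate; ?></div>
<div id="content"><?php echo $content; ?></div>
```

The switch in navigate.php uses integer cases, and PHP's loose switch comparison still matches the string '1' against case 1, so the included files need no change.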






Re: [PHP] Php logging into online bank to get details automatically

2005-09-21 Thread I. Gray

Thanks, Jasper

I looked at my bank's T&Cs and it says don't use software that stores 
your password unless it is used by a specific banking service.


I am going to look into the curl functions, but I am pretty sure that 
the bank won't let it work unless it thinks it is a proper browser like 
IE or Firefox, so can I change the useragent for this? If so, how do I 
do that?


My other concern is storing my password details. I could store them on a 
MYSQL database and encrypt it, but I just want to make sure that it is 
as secure as poss.





Re: [PHP] Php logging into online bank to get details automatically

2005-09-21 Thread Jasper Bryant-Greene

I. Gray wrote:
I looked at my bank's T&Cs and it says don't use software that stores 
your password unless it is used by a specific banking service.


You might like to send them an email to clarify; as a general rule your 
bank manager is the kind of person you least want to piss off ;)


I am going to look into the curl functions, but I am pretty sure that 
the bank won't let it work unless it thinks it is a proper browser like 
IE or Firefox, so can I change the useragent for this? If so, how do I 
do that?


Send the User-Agent header using the CURL function for setting a header 
( not sure exactly what it is, but it's in the curl docs 
http://php.net/curl ) containing whatever User-Agent string you wanted; 
just copy-pasting a Firefox or IE one would usually work fine.


My other concern is storing my password details. I could store them on a 
MYSQL database and encrypt it, but I just want to make sure that it is 
as secure as poss.


If you encrypt the password then your script has to know the key to 
decrypt it and the place to find the encrypted password, so it might as 
well just know the password...


If it's run by  a cronjob then you could run it as root, chown it to 
root and chmod it to 700 which would only allow root to read it. Then 
the password should be safe inside the script.


Doesn't this mean you'll be storing your password, just as their T&Cs 
prohibit? :)


--
Jasper Bryant-Greene
Freelance web developer
http://jasper.bryant-greene.name/




[PHP] Bytecode

2005-09-21 Thread Andy Pieters
Hi all

I came across some text that says PHP compiles the script to bytecode prior to 
running it.

Is this true, and is it possible to instead of .php source files, use those 
bytecodes files in distribution?


With kind regards



Andy

-- 
Registered Linux User Number 379093
Now listening to Radio Stream

   amaroK::the Coolest Media Player in the known Universe!


   Cockroaches and socialites are the only things that can 
   stay up all night and eat anything.
Herb Caen
--
-- --BEGIN GEEK CODE BLOCK-
Version: 3.1
GAT/O/E$ d-(---)+ s:(+): a--(-)? C$(+++) UL$ P-(+)++
L+++$ E---(-)@ W++$ !N@ o? !K? W--(---) !O !M- V-- PS++(+++)
PE--(-) Y+ PGP++(+++) t+(++) 5-- X++ R*(+)@ !tv b-() DI(+) D+(+++) G(+)
e$@ h++(*) r--++ y--()
-- ---END GEEK CODE BLOCK--
--
Check out these few php utilities that I released
 under the GPL2 and that are meant for use with a 
 php cli binary:
 
 http://www.vlaamse-kern.com/sas/

--




Re: [PHP] Bytecode

2005-09-21 Thread Jasper Bryant-Greene

Andy Pieters wrote:
I came across some text that says PHP compiles the script to bytecode prior to 
running it.


Is this true, and is it possible to instead of .php source files, use those 
bytecodes files in distribution?


http://php.net/bcompiler

--
Jasper Bryant-Greene
Freelance web developer
http://jasper.bryant-greene.name/




Re: [PHP] Bytecode

2005-09-21 Thread Rory Browne
 I came across some text that says PHP compiles the script to bytecode prior to
 running it.

PHP compiles the source to OPCodes. 

 
 Is this true, and is it possible to instead of .php source files, use those
 bytecodes files in distribution?
 
 





Re: [PHP] Bytecode

2005-09-21 Thread Rory Browne
On 9/21/05, Andy Pieters [EMAIL PROTECTED] wrote:
 Hi all
 
 I came across some text that says PHP compiles the script to bytecode prior to
 running it.
 
 Is this true, and is it possible to instead of .php source files, use those
 bytecodes files in distribution?

There are no bytecode files. PHP simply creates an instruction line
(opcode array) of what it wants to do. Some projects such as Zend
Encoder(or did they change its name), bcompiler, ioncube encoder, or
MMCache, convert these opcodes into a format that can be written to
and read from a file. Check their websites for a better description.

 
 





Re: [PHP] BOOKING SYSTEM

2005-09-21 Thread php @ net mines

Got the solution finally!!! The code is not optimised yet but here it is:

(The accomodation holds total availability and the accomodation1 the 
bookings...)


function checkspecificdate($thespecificdatefrom, $thespecificdateto, $productid) {

   // dates arrive as dd/mm/yyyy; rebuild them as yyyy-mm-dd so they compare
   // correctly as strings and match the date columns. split() is replaced by
   // explode(); $yy1/$yy2 stand in for the year variable, whose name did not
   // survive in the post
   list($dd1, $mm1, $yy1) = explode("/", $thespecificdatefrom);
   list($dd2, $mm2, $yy2) = explode("/", $thespecificdateto);
   $thespecificdateto   = $yy2 . "-" . $mm2 . "-" . $dd2;
   $thespecificdatefrom = $yy1 . "-" . $mm1 . "-" . $dd1;

   // $productid is interpolated into the SQL below, so force it to an integer
   $productid = (int) $productid;

   $i = 0;
   $z = 0;
   $aday_later = $thespecificdatefrom;
   while ($aday_later < $thespecificdateto) {
      // the day being checked; $aday_later is always produced by date(), never by user input
      $aday_later = date("Y-m-d", mktime(0, 0, 0, $mm1, $dd1 + $i, $yy1));

      // total availability for that day (table accomodation)
      $theas = 0;
      $thead = 0;
      $theat = 0;
      $theaq = 0;
      $thequery01  = "SELECT *";
      $thequery01 .= " FROM accomodation";
      $thequery01 .= " WHERE accomodation_products_id=" . $productid . " AND "
                   . "accomodation_from<='" . $aday_later . "' AND accomodation_to>='"
                   . $aday_later . "'";

      $result01 = mysql_query($thequery01);
      if ($result01) {
         while ($thes = mysql_fetch_array($result01)) {
            $theas = stripslashes($thes["accomodation_single"]);
            $thead = stripslashes($thes["accomodation_double"]);
            $theat = stripslashes($thes["accomodation_triple"]);
            $theaq = stripslashes($thes["accomodation_quadriple"]);
         }
      }

      // rooms already booked for that day (table accomodation1)
      $theas3 = 0;
      $thead3 = 0;
      $theat3 = 0;
      $theaq3 = 0;
      $thequery01  = "SELECT SUM(accomodation1_single) AS theas3, "
                   . "SUM(accomodation1_double) AS thead3, SUM(accomodation1_triple) AS theat3, "
                   . "SUM(accomodation1_quadriple) AS theaq3";

      $thequery01 .= " FROM accomodation1";
      $thequery01 .= " WHERE accomodation1_products_id=" . $productid . " AND "
                   . "accomodation1_from<='" . $aday_later . "' AND accomodation1_to>='"
                   . $aday_later . "'";

      $result01 = mysql_query($thequery01);
      if ($result01) {
         while ($thes = mysql_fetch_array($result01)) {
            $theas3 = stripslashes($thes["theas3"]);
            $thead3 = stripslashes($thes["thead3"]);
            $theat3 = stripslashes($thes["theat3"]);
            $theaq3 = stripslashes($thes["theaq3"]);
         }
      }
      // count the day as unavailable if any room type is fully booked
      if (($theas - $theas3 <= 0) || ($thead - $thead3 <= 0) || ($theat -
         $theat3 <= 0) || ($theaq - $theaq3 <= 0)) {

         $z++;
      }
      $i++;
   }
   return $z;
}

if (checkspecificdate($thedate1, $thedate2, $productid) == 0) {
   //ALLOW BOOKING
} else {
   //DO NOT ALLOW BOOKING
}

- Original Message - 
From: adriano ghezzi [EMAIL PROTECTED]

To: php-general@lists.php.net
Sent: Wednesday, September 21, 2005 2:09 AM
Subject: Re: [PHP] BOOKING SYSTEM



well I did it in the past, at the end after a lot of tests and
simulation I decided for

warehouse table

id_hotel, date, num_total_rooms, num_booked_rooms

this is day-by-day handling; it is really flexible, you can satisfy each
kind of request with very simple queries.
you also gain more flexibility in period definition; you can also easily
handle single-day workouts and so on







2005/9/20, php @ net mines [EMAIL PROTECTED]:

Hi all

I have a hotel booking system where for specific periods we have 
specific availability

e.g. hotel_id, hotel_name, hotel_fromperiod, hotel_toperiod,
hotel_availablesinglerooms
1, Hilton, 20/06/05, 20/08/05, 20

We have a second table for recording the bookings

e.g.hotel1_id, hotel1_name, hotel1_fromperiod, hotel1_toperiod,
hotel1_availablesinglerooms
1, Hilton, 01/07/05, 20/07/05, 1
2, Hilton, 20/06/05, 25/07/05, 1
3, Hilton, 25/06/05, 27/06/05, 19
4, Hilton, 05/07/05, 05/08/05, 2

Let's say that someone wants to book from the 25/06/05 - 29/06/05; what 
kind of function-SQL do I have to run to check whether there is availability?
(in this example there should be availability between 27 and 29 but not
between 25 and 27).

Is this way of structuring the easiest and more efficient?

Thank you

Mario









--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
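The per-night availability check the thread discusses, as an added example that is not code from the thread: it answers Mario's question for his own sample data with prepared statements instead of the concatenated SQL above, against an in-memory SQLite database through PDO (PHP 5.2+ with pdo_sqlite assumed). Table and column names are simplified assumptions, not Mario's schema.

```php
<?php
// Added example, not code from the thread. It answers Mario's question (is there
// availability for a date range?) with the per-night check the replies describe,
// using prepared statements rather than concatenated SQL. It runs stand-alone
// against an in-memory SQLite database (PHP 5.2+ with pdo_sqlite assumed);
// table and column names are simplified assumptions, not Mario's schema.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Dates are stored as yyyy-mm-dd so that string comparison in SQL orders them
// correctly (the dd/mm/yy form used in the posts does not sort as text).
$pdo->exec('CREATE TABLE availability (hotel_id INTEGER, date_from TEXT, date_to TEXT, single_rooms INTEGER)');
$pdo->exec('CREATE TABLE booking      (hotel_id INTEGER, date_from TEXT, date_to TEXT, single_rooms INTEGER)');

// Constructed sample data taken from Mario's message: 20 single rooms at hotel 1
// for 20/06/05 - 20/08/05 and four bookings. A booking's date_to is the check-out
// day, so that night is not occupied; this matches "availability between 27 and
// 29 but not between 25 and 27".
$pdo->exec("INSERT INTO availability VALUES (1, '2005-06-20', '2005-08-20', 20)");
$ins = $pdo->prepare('INSERT INTO booking VALUES (?, ?, ?, ?)');
foreach (array(
    array(1, '2005-07-01', '2005-07-20', 1),
    array(1, '2005-06-20', '2005-07-25', 1),
    array(1, '2005-06-25', '2005-06-27', 19),
    array(1, '2005-07-05', '2005-08-05', 2),
) as $row) {
    $ins->execute($row);
}

// Single rooms free at $hotel_id on the night of $day (yyyy-mm-dd). The values
// are bound parameters, so $hotel_id and $day never become part of the SQL text.
function rooms_free_on(PDO $pdo, $hotel_id, $day)
{
    $total = $pdo->prepare('SELECT COALESCE(SUM(single_rooms), 0) FROM availability
                            WHERE hotel_id = ? AND date_from <= ? AND date_to >= ?');
    $total->execute(array($hotel_id, $day, $day));
    $booked = $pdo->prepare('SELECT COALESCE(SUM(single_rooms), 0) FROM booking
                             WHERE hotel_id = ? AND date_from <= ? AND date_to > ?');
    $booked->execute(array($hotel_id, $day, $day));
    return (int) $total->fetchColumn() - (int) $booked->fetchColumn();
}

// Fewest free rooms over the nights from $from (check-in) up to but not
// including $to (check-out). The booking can be accepted when this is > 0.
function min_rooms_free(PDO $pdo, $hotel_id, $from, $to)
{
    if ($from >= $to) {
        return 0;                 // an empty or reversed range books nothing
    }
    $min = PHP_INT_MAX;
    for ($d = new DateTime($from); $d->format('Y-m-d') < $to; $d->modify('+1 day')) {
        $min = min($min, rooms_free_on($pdo, $hotel_id, $d->format('Y-m-d')));
    }
    return $min;
}

printf("25/06/05 - 29/06/05: %d single room(s) free on the tightest night\n",
       min_rooms_free($pdo, 1, '2005-06-25', '2005-06-29'));
printf("27/06/05 - 29/06/05: %d single room(s) free on the tightest night\n",
       min_rooms_free($pdo, 1, '2005-06-27', '2005-06-29'));
```

With this data the first call reports 0 (the nights of the 25th and 26th are fully booked) and the second 19, so only the shorter stay would be accepted.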



Re: [PHP] Tidying code for PHP5.0.5/PHP4.4.0

2005-09-21 Thread Jochem Maas

Michael Sims wrote:

Jochem Maas wrote:


Michael Sims wrote:


So, as far as foo() knows:

foo($a = 5);
and
foo(5);

are exactly the same...


I don't think they are, and your examples don't prove it.
Anyone care to come up with the proof. 



No, I was wrong, Rasmus corrected me.  That's my one allowed mistake for the day.  


well if you're going to get corrected it might as well be by the man himself ;-)


I promise to wait until tomorrow before making another one. ;)


and tomorrow it is, what red herring do you have for us today? :-)








Re: [PHP] Fwd: Code Optimization Help

2005-09-21 Thread Jochem Maas

Joseph Crawford wrote:
Ok so finally i implemented my logging class into my mail merge object, this 
is the results


Word - Application Opened.
Word - Document1 Document Added.
Word - header.doc Document Saved.
Word - header.doc Document Closed.
Word - Document2 Document Added.
Word - ds.doc Document Saved.
Word - ds.doc Document Closed.
Word - Has_Site.dot Document Opened.
Word - Opening Header Source.
F:/htdocs/csaf/data/mailmerge/header.doc File Exists

I threw in a file_exists check to make sure the script was actually seeing 
the file and had the correct path. It does. This is very strange because 
nothing happens, it's like i hit a never ending loop but php never times out 
either. I have my php timeout to 30 seconds yet this has run in excess of 5 
minutes now.


if you run php on the cmdline there will be no timeout.
I am helping you blind here btw (I know nothing about COM) but I suggest
you try is_readable() as well as file_exists() - maybe the current user
(that php/Word is running at) is not allowed to read the file?




The expected results for the log would look something like this
Word - Application Opened.
Word - Document1 Document Added.
Word - header.doc Document Saved.
Word - header.doc Document Closed.
Word - Document2 Document Added.
Word - ds.doc Document Saved.
Word - ds.doc Document Closed.
Word - Has_Site.dot Document Opened.
Word - Opening Header Source.
F:/htdocs/csaf/data/mailmerge/header.doc File Exists
Word - Opening Data Source.
Word - Executing Merge.
Word - Has_Site.doc Document Saved.
Word - Has_Site.doc Document Closed.
Word - Merge Successful.


The code that is hanging is below

private function CreateDocument($template) {
    $this->obj->Documents->Open($this->mm_data_dir.'/'.$template.'.dot');
    Logger::log('Word - '.$this->obj->ActiveDocument->Name().' Document Opened.');

    Logger::log('Word - Opening Header Source.');
    if (file_exists($this->mm_data_dir.'/header.doc')) {
        Logger::log($this->mm_data_dir.'/header.doc File Exists');
    }
    // THIS IS THE LINE THAT HANGS. THE FILE EXISTS AND IS POPULATED; THE FILE
    // CONTENTS CAN BE SEEN HERE: http://codebowl.dontexist.net/bugs/MailMerge/3.jpg
    $this->obj->ActiveDocument->MailMerge->OpenHeaderSource($this->mm_data_dir.'/header.doc');
    Logger::log('Word - Opening Data Source.');
    $this->obj->ActiveDocument->MailMerge->OpenDataSource($this->mm_data_dir.'/ds.doc');
    Logger::log('Word - Executing Merge.');
    $this->obj->ActiveDocument->MailMerge->Execute();
    $this->obj->ActiveDocument->SaveAs($this->mm_data_dir.'/'.$template.'.doc');
    Logger::log('Word - '.$this->obj->ActiveDocument->Name().' Saved.');
    Logger::log('Word - '.$this->obj->ActiveDocument->Name().' Document Closed.');

    $this->obj->ActiveDocument->Close();
}

Any help with this would be appreciated. I am not sure why it is choosing to 
hang today ;( I have been going through the COM object API documentation and 
i dont see myself doing anything i shouldnt be doing.


You can see the full code here
http://pastebin.com/369068
that is if it hasnt expired, if so send a reply and i will post again ;)
Thanks in advance






Re: [PHP] Php logging into online bank to get details automatically

2005-09-21 Thread John Nichel

Jasper Bryant-Greene wrote:

John Nichel wrote:


I. Gray wrote:


I thought I may of read of this somewhere- but I may be wrong. I am also
not sure whether this is allowed by banks, so please let me know- I want
to stay on the right side of the law!



Your account...I can't see where it would be a problem with how you 
access it.



Here in New Zealand most banks have a clause in their Internet Banking 
terms of use saying that you may not use automated systems to access the 
banking system. Many of them include those silly CAPTCHA things to try 
and prevent them too.


So you can't use things like MS Money, Quickbooks, etc to access your 
account?  That sucks.



--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]




[PHP] security/sql issues with php

2005-09-21 Thread bruce
hi..

i've been searching/researching the areas of security regarding url input,
form input, as well as database input (mysql). while there are plenty of
articles that touch on the topic, i'm looking for a given site/package/lib
(open source) that is pretty much the standard that i could use for my
website/app...

basically, i don't want to recreate the wheel, if there is already a
serious/good solution to this area. given the importance of this area, i'm
assuming that there is a lib/package that already exists to handle these
issues.

i've looked through google, as well as various open source web apps to see
how some of this is handled, and it appears the level of sophistication for
handling this is all over the place!!

i want to stress, i'm looking for the package/lib that's strong enough/valid
enough to be used in a serious commercial app.. a lot of what i've
seen/suggestions on various sites arent' complete/strong..

(this stuff has got to be around/available, i mean google/ebay/1000's of
sites are up/running without having issues!!!)



URL Issues/Thoughts...
 -Should Handle basic regex filtering of POST/GET/REQUEST Querystring data
 -Filtering of basic mysql commands/functions/characters
(Insert/Drop/etc...)

Query Array Thoughts/Issues
 -Should filter the arrays (GET/POST/REQUEST)
 -Filtering of basic mysql commands/functions/characters
(Insert/Drop/etc...)
 -Check for datatype
 -Set Datatype
 -Log all errors/issues

Mysql DB Issues
 -Parsing/inspection of all data prior to insertion in sql_query_string
 -Use of 'datatype' arg in the query to insure that the correct datatype val
is used in the sql_string
 -Regex comparison of the vals prior to use in the sql_string
 -Proper usage of slashes/quotations around variables/sql_strings
 -Logging of all db interactions

any other things that should be handled

(yeah.. i know, i haven't even gotten into the issue of having separate
db/app servers, and security of the overall hardware/app environment...)

-thanks

-bruce
[EMAIL PROTECTED]




[PHP] Re: security/sql issues with php

2005-09-21 Thread Aaron Greenspan

Bruce,

If you're looking for commercial-grade open-source packages, I think 
you're going to have a pretty hard time finding much. Most 
commercial-grade software is...commercial. The truly robust open-source 
packages, i.e. Mozilla, MySQL, JBoss, BerkeleyDB, etc., are backed by 
some sort of commercial, or at the very least, corporate, entity. The 
rest, more often than not, are not commercial-grade; the support 
structures that companies require just don't exist for those packages.


I've offered to help you before via our commercial framework, Lampshade, 
which handles I'd say 98% of everything you want, and can be easily 
customized or added to in order to handle the remaining 2%. It's not 
open-source, but it also doesn't need to be since the documentation is 
so extensive. It's used in applications for all sorts of organizations 
from Harvard University to companies traded on the NYSE. There may be 
other open frameworks that are used just as widely--I would venture to 
guess phpNuke and the-CMS-formerly-known-as-Mambo--but as you've 
discovered, they don't do half of the things you'd like to see all in 
one place. Also, Mambo's political machinations are a good example of 
what you don't want to see in a commercial-grade product.


If you want to keep searching, I suppose no one's going to stop you. I'm 
just afraid it's not out there. Anyone, correct me if I'm wrong.


Best of luck,

Aaron

Aaron Greenspan
President & CEO
Think Computer Corporation

http://www.thinkcomputer.com




RE: [PHP] Re: security/sql issues with php

2005-09-21 Thread bruce
i would have thought (perhaps wrongly) that someone would have created a
series of functions/routines and wrapped them in a package/lib to deal with
the security issues that i've raised!!

but i have to tell you. i've looked at some open source classess/apps that
aren't that strong. in fact, some simply have no real checks on the data
types/structure of the data being inserted into the db at all...

and aaron, your app is a commercial app. for now, we're looking in the open
source area where we can get to the underlying source.

-bruce






[PHP] exec command fails in php, works in the command line

2005-09-21 Thread ernst
I have two programs on two servers, and they both have similar problems. 
In each one, I use 'exec' to call a helper program.  In one case, it is 
ecasound, which I use to resample an mp3.  In the other, it is convert, 
which creates a thumbnail of a very large image the user has uploaded.  In 
both cases, the exec command fails.  Not all the time, but some times.  In 
both cases, the command that is being called by exec will work fine at the 
command line.  I assume that there is some memory / resource limit that is 
being breached when this happens, but I don't know what it is, or how to 
tell php to allow my programs to run.  Any ideas?


-Ernst Schoen-Rene

New Disorder Records - ten years of something:
Coming soon, new Power Struggle CD.
* Free Email with 5 megs, no ads
* Internet Radio Station - upload your music, we'll put it in rotation
* 100's of CDs for sale
* videos, message board, byofl
http://www.newdisorder.com




Re: [PHP] exec command fails in php, works in the command line

2005-09-21 Thread John Nichel

[EMAIL PROTECTED] wrote:
I have two programs on two servers, and they both have similar problems. 
In each one, I use 'exec' to call a helper program.  In one case, it is 
ecasound, which I use to resample an mp3.  In the other, it is convert, 
which creates a thumbnail of a very large image the user has uploaded.  
In both cases, the exec command fails.  Not all the time, but some 
times.  In both cases, the command that is being called by exec will 
work fine at the command line.  I assume that there is some memory / 
resource limit that is being breached when this happens, but I don't 
know what it is, or how to tell php to allow my programs to run.  Any 
ideas?


Is it a disallowed function in your php.ini?

--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]




Re: [PHP] exec command fails in php, works in the command line

2005-09-21 Thread John Nichel

[EMAIL PROTECTED] wrote:
I have two programs on two servers, and they both have similar problems. 
In each one, I use 'exec' to call a helper program.  In one case, it is 
ecasound, which I use to resample an mp3.  In the other, it is convert, 
which creates a thumbnail of a very large image the user has uploaded.  
In both cases, the exec command fails.  Not all the time, but some 
times.  In both cases, the command that is being called by exec will 
work fine at the command line.  I assume that there is some memory / 
resource limit that is being breached when this happens, but I don't 
know what it is, or how to tell php to allow my programs to run.  Any 
ideas?


Or is safe mode on?

--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]




Re: [PHP] Re: security/sql issues with php

2005-09-21 Thread Greg Schnippel
have you tried googling on +application framework +php..
 that seems like what you're looking for and several of these projects are
commercial-grade and open source.
i use dbasis as my application framework and highly recommend it -- its a
component of the syntaxCMS project. i have also used blueshoes and mambo
before on other sites
 here's an o'reilly article to get you started
 http://www.oreillynet.com/pub/wlg/6029
 - schnippy




Re: [PHP] exec command fails in php, works in the command line

2005-09-21 Thread John Nichel

Please reply to the list.

[EMAIL PROTECTED] wrote:
No, all of these things you are bringing up would cause the programs to 
NEVER work, not work some of the time or when the data they are 
processing is small.


Depends on the install.  My cli uses a different php.ini than the web one.

Did you check permissions?  Does the user which your web server is 
running as have execute permission on the app?



 On Wed, 21 Sep 2005, John Nichel wrote:


[EMAIL PROTECTED] wrote:

I have two programs on two servers, and they both have similar 
problems. In each one, I use 'exec' to call a helper program.  In one 
case, it is ecasound, which I use to resample an mp3.  In the other, 
it is convert, which creates a thumbnail of a very large image the 
user has uploaded.  In both cases, the exec command fails.  Not all 
the time, but some times.  In both cases, the command that is being 
called by exec will work fine at the command line.  I assume that 
there is some memory / resource limit that is being breached when 
this happens, but I don't know what it is, or how to tell php to 
allow my programs to run.  Any ideas?



Or is safe mode on?




New Disorder Records - ten years of something:
Coming soon, new Power Struggle CD.
* Free Email with 5 megs, no ads
* Internet Radio Station - upload your music, we'll put it in rotation
* 100's of CDs for sale
* videos, message board, byofl
http://www.newdisorder.com



--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] exec command fails in php, works in the command line

2005-09-21 Thread ernst
I don't want to crowd the list up with dead ends, so I was trying to 
respond only to you.
  I'm not calling a php program from exec, I'm calling ecasound and 
convert.  For example, in the php code:


exec("convert $internalpath/$filename -resize {$thumbWidth}x{$thumbHeight} $internalpath/$thumbname", $out, $err);


doesn't always work, but with variables substituted on the command line:

bash:~ convert futon.jpg -resize 240x180 futon_thumb.jpg

will always work.

The same is true, on a different server, of my exec that calls ecasound, 
an mp3 processing utility.  Both of these could conceivably use a lot of 
resources, which is why I think php is killing them off some of the time.





Re: [PHP] exec command fails in php, works in the command line

2005-09-21 Thread John Nichel

[EMAIL PROTECTED] wrote:
I don't want to crowd the list up with dead ends, so I was trying to 
respond only to you.

<snip>

You'll get more chances at finding the solution to this with the list's 
eyes on it rather than just myself.  Plus, it provides an archive of the 
problem and the (if we find it) solution to the next person who comes along.


</snip>
  I'm not calling a php program from exec, I'm calling ecasound and 
convert.  For example, in the php code:

<snip>

Understood, but if the web server doesn't have permission to execute the 
app, it won't.


</snip>
exec("convert $internalpath/$filename -resize {$thumbWidth}x{$thumbHeight} $internalpath/$thumbname", $out, $err);


doesn't always work, but with variables substituted on the command line:

<snip>

Are you sure that the variables have value, and it is the value you 
want?  What is stored in $err when you try to execute this?  Echo that 
out, and it may tell you exactly what's going wrong.


</snip>

bash:~ convert futon.jpg -resize 240x180 futon_thumb.jpg

will always work.

The same is true, on a different server, of my exec that calls ecasound, 
an mp3 processing utility.  Both of these could conceivably use a lot of 
resources, which is why I think php is killing them off some of the time.

<snip>

Try increasing the memory limit in your script with ini_set.

--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] exec command fails in php, works in the command line

2005-09-21 Thread ernst
If the web server didn't have permission to execute the app, it would 
NEVER execute the app, not execute it some of the time.  In fact, it 
ALWAYS executes the app, it just doesn't always allow it to finish.
  I log all attempts to run these apps in order to debug, so I know that 
the command as passed from php will work in the command line.  I copy and 
paste the command from the log and it runs, even though it didn't complete 
execution when called from php.
  I have increased several parameters in php.ini, including memory limit 
and allowed execution time.  Nothing has helped.  The only thing that 
helps is if I wrap the app I want to run in a perl script and call the 
perl script from php.  That works more of the time, though it still often 
breaks.





Re: [PHP] exec command fails in php, works in the command line

2005-09-21 Thread John Nichel

[EMAIL PROTECTED] wrote:
If the web server didn't have permission to execute the app, it would 
NEVER execute the app, not execute it some of the time.  In fact, it 
ALWAYS executes the app, it just doesn't always allow it to finish.
  I log all attempts to run these apps in order to debug, so I know that 
the command as passed from php will work in the command line.  I copy 
and paste the command from the log and it runs, even though it didn't 
complete execution when called from php.


What do the logs say??

  I have increased several parameters in php.ini, including memory limit 
and allowed execution time.  Nothing has helped.  The only thing that 
helps is if I wrap the app I want to run in a perl script and call the 
perl script from php.  That works more of the time, though it still 
often breaks.


Maybe the problem's not php but Apache (or whatever webserver you're 
using), as it has limits in place for these items too.


--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] exec command fails in php, works in the command line

2005-09-21 Thread ernst

The logs say things like:
/kunden/homepages/12/d117065027/htdocs/software/ImageMagick-6.2.3/utilities/convert 
ib_images/Other_Spices_Basic_004.jpg -resize 180x120 ib_images/Other_Spices_Basic_004_thumb.jpg


This is a command I'm trying to get php to run.  I then cut and paste it 
to the command line, and it works fine.  The paths are fine too, otherwise 
it would never run, not run some of the time.
  Can you give me an example of an apache directive that would restrict 
php?





Re: [PHP] exec command fails in php, works in the command line

2005-09-21 Thread John Nichel

[EMAIL PROTECTED] wrote:

The logs say things like:
/kunden/homepages/12/d117065027/htdocs/software/ImageMagick-6.2.3/utilities/convert 
ib_images/Other_Spices_Basic_004.jpg -resize 180x120 
ib_images/Other_Spices_Basic_004_thumb.jpg


This is a command I'm trying to get php to run.  I then cut and paste it 
to the command line, and it works fine.  The paths are fine too, 
otherwise it would never run, not run some of the time.
  Can you give me an example of an apache directive that would restrict 
php?


Timeout


--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] exec command fails in php, works in the command line

2005-09-21 Thread ernst
Timeout isn't being used on either of these machines, and as far as I read 
it, the timeout directive would make the web server fail, producing an 
apache error or some strange behaviour on the client end.  Neither of 
these happens; the php script completes normally, but the exec command 
(and only these exec commands, I'm using others in the script that work 
fine) doesn't always complete.  Even if timeout was set to its normal 
default of 300 seconds, this all happens way before 300 seconds have 
passed.  The whole process takes about 20 or 30 seconds.




Re: [PHP] exec command fails in php, works in the command line

2005-09-21 Thread John Nichel

[EMAIL PROTECTED] wrote:
timeout isn't being used on either of these machines, and as far as I 
read it, the timeout directive would make the web server fail, producing 
an apache error or some strange behaviour on the client end.  Neither of


How is timeout _not_ being used?  It's a core directive.  If the timeout 
is reached, the thread dies, along with anything running with it.


these happens, the php script completes normally, but the exec command 
(and only these exec commands, I'm using others in the script that work 
fine) doesn't always complete.  Even if timeout was set to its normal 
default of 300 seconds, this all happens way before 300 seconds have 
passed.  The whole process takes about 20 or 30 seconds.


Just to make sure I'm understanding you, you're hitting the php page in 
a browser, right?  Like you're going to http://www.yourhost.com/page.php 
where page.php contains something like...


<?php

exec ( '/path/myapp', $out, $res );

?>

Right?

--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] exec command fails in php, works in the command line

2005-09-21 Thread ernst
As I said, the default timeout is 300 seconds, a lot longer than my program 
takes to run, and I am pretty certain that if timeout were triggered, I'd 
see it in the client.
  Yeah, I'm using a browser on the php page, and everything seems to 
function fine from the browser to the server; it's after the server gets 
the uploaded file and begins to play with it that things become weird.



[PHP] why memory limit is still being complained about?

2005-09-21 Thread Bing Du

Hi,

I'm installing and configuring Gallery 2.0.  One system check is check 
memory limit.  The warning is:



 Warning: Your PHP is configured to limit the memory to 8Mb 
(memory_limit parameter in php.ini). You should raise this limit to at 
least 16MB for proper Gallery operation.



I've already changed it to 30M in /etc/php.ini and restarted the web 
server (Apache/2.0.48 on RHEL 3).  And phpinfo() shows /etc/php.ini is 
the right config file that php uses.


Anybody have any clue what I missed here?

Bing

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] exec command fails in php, works in the command line

2005-09-21 Thread John Nichel

[EMAIL PROTECTED] wrote:
As I said, the default timeout is 300 seconds, a lot longer than my 
program takes to run, and I am pretty certain that if timeout were 
triggered, I'd see it in the client.
  Yeah, I'm using a browser on the php page, and everything seems to 
function fine from the browser to the server; it's after the server gets 
the uploaded file and begins to play with it that things become weird.


What's the output of...

$output = shell_exec ( '/path/to/your/app' );
echo ( "<pre>" . $output . "</pre>" );

...when it doesn't work?


--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] exec command fails in php, works in the command line

2005-09-21 Thread ernst
convert doesn't produce any output regardless of whether it works or not. 
Ecasound produces output when it works, but when it doesn't, it produces 
no output.  Using php tricks to capture standard error also produces no 
output.




-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
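An added example, not code from anyone in this thread, of the kind of wrapper that answers the questions raised above (what is in $err, what the output is when it fails, why capturing standard error shows nothing): it runs the helper with every argument shell-escaped and records the exit code, the terminating signal, stderr and the run time, so a run that never finishes still leaves a trace. The convert path, directory and file name are constructed placeholders.

```php
<?php
// Added example, not code from the thread. Runs a helper such as
// ImageMagick's convert with every argument shell-escaped and records
// exit code, terminating signal, stderr and run time, so a run that
// "doesn't finish" leaves a trace instead of silence.
// All paths and file names below are constructed placeholders.

function runHelper(array $argv, float $timeoutSeconds = 120.0): array
{
    // escapeshellarg() on each argument: a file name that came from an
    // upload can then never add options or a second command to the line.
    $cmd = implode(' ', array_map('escapeshellarg', $argv));
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $pipes = [];
    $start = microtime(true);
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return ['cmd' => $cmd, 'exit' => null, 'signal' => null, 'stdout' => '',
                'stderr' => 'proc_open() failed', 'seconds' => 0.0];
    }
    fclose($pipes[0]);
    stream_set_blocking($pipes[1], false);
    stream_set_blocking($pipes[2], false);

    $stdout = $stderr = '';
    $exit = $signal = null;
    $killed = false;
    while (true) {
        // Drain both pipes; a child that fills a pipe nobody reads blocks forever.
        $stdout .= (string) stream_get_contents($pipes[1]);
        $stderr .= (string) stream_get_contents($pipes[2]);
        $st = proc_get_status($proc);
        if (!$st['running']) {
            // 'exitcode' is only reliable on the first call that sees the exit.
            $signal = $st['signaled'] ? $st['termsig'] : null;
            $exit   = $st['signaled'] ? null : $st['exitcode'];
            break;
        }
        if (!$killed && microtime(true) - $start > $timeoutSeconds) {
            proc_terminate($proc, 9);              // SIGKILL; reaped next iteration
            $stderr .= "[runHelper] killed after {$timeoutSeconds}s\n";
            $killed = true;
        }
        usleep(20000);
    }
    $stdout .= (string) stream_get_contents($pipes[1]);
    $stderr .= (string) stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);

    return ['cmd' => $cmd, 'exit' => $exit, 'signal' => $signal,
            'stdout' => $stdout, 'stderr' => $stderr,
            'seconds' => round(microtime(true) - $start, 2)];
}

// Constructed values: $uploadName stands for a name supplied by the uploader.
$convert    = '/path/to/ImageMagick/utilities/convert';   // placeholder
$dir        = '/path/to/ib_images';                       // placeholder
$uploadName = 'Other_Spices_Basic_004.jpg';               // constructed

$res = runHelper([$convert, "$dir/$uploadName", '-resize', '180x120',
                  "$dir/thumb_$uploadName"]);

// Log the outcome, not only the command line: the command alone looks fine
// when pasted into a shell; the exit status and signal tell the real story.
error_log(sprintf('convert: exit=%s signal=%s seconds=%s stderr=%s cmd=%s',
    var_export($res['exit'], true), var_export($res['signal'], true),
    $res['seconds'], json_encode(trim($res['stderr'])), $res['cmd']));

if ($res['signal'] !== null) {
    // Killed from outside (signal 9 is what the kernel's OOM killer sends):
    // no exit code and usually no stderr at all. PHP's memory_limit and
    // max_execution_time apply to the PHP process only, not to a child
    // process, so raising them in php.ini cannot change this case.
    echo "helper killed by signal {$res['signal']}\n";
} elseif ($res['exit'] !== 0) {
    echo "helper failed with exit code {$res['exit']}\n";
} else {
    echo "thumbnail written\n";
}
```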

[PHP] Local session.gc_maxlifetime not always being respected

2005-09-21 Thread Michael Caplan

Hi,

I have a rather peculiar problem with session.gc_maxlifetime local 
settings not being respected under certain circumstances.  In order to 
ensure that sessions created for our application would have a max 
lifetime longer than the default 24 minutes, we cranked 
session.gc_maxlifetime in an .htaccess file to 4 hours (local value).  
However, our sessions were still being cleaned up after 24 minutes.  I 
validated through phpinfo() that it was actually picking up the local 
setting, which it was.  I also noticed in my testing that if I reduced 
the session.gc_maxlifetime local value to less than the master value, my 
sessions would be cleaned up in accordance with the local value.


When we changed the master value to 4 hours, our sessions were no longer 
being cleaned up within 24 minutes.  So, it appears that the local 
value of session.gc_maxlifetime is only being respected if it is less 
than that of the master value.

Has anyone else come across this problem as well?  FYI, we are running 
PHP 4.4 on debian sarge.


Thanks,

Michael

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] security/sql issues with php

2005-09-21 Thread bruce
got it!!

if i could find docs/methods/etc.. i'd gladly share...

two questions:

1) css scripting. how can it be prevented?? what are some of the methods
that you guys use?

2) what are some of the actual code methods used in real sites to deal with
URL/Query (GET/POST) parsing?

what do you guys say about putting together a list of what should be done
for the different aspects of a web site/app...??

as an example, i'd really like to know what should be done when you have a
POST/GET item. should it always be checked? how should it be checked? what's
the best method? etc i would hope that it wouldn't be hard for
gurus/experts to agree on these kinds of issues...


-bruce


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 21, 2005 8:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [PHP] security/sql issues with php


no problem, Bruce.  I know you're looking for something more, but if you
ended up building your own, thought I'd toss my 2 cents' worth of code into
the mix. hah

And yeah, I'm surprised, but not surprised, at the lack of a decent solution.
I have some friends who work in high computer security and from what I've
seen of that end of the business, it seems that people are more interested
in selling GIANT systems with GIANT (frequently hands-on by contracted
techs) maintenance agreements or companies want to do the consulting thing
so they can bill hourly or something.

The problem with security products is that they need fairly constant
maintenance.  Nobody wants to make a good solid package/etc that covers 99%
of the issues and then have someone bitch at them when it doesn't cover
something brand new, or when some advanced technique is used..etc.

To me it seems a combination of lack of desire to maintain something robust
AND free as well as the greed factor of being able to milk support contracts
out of people for doing hands-on security work.

I'm still surprised at the lack of good packages that would cover the
mid-level security needs.  At least when I was looking, I didn't find
anything that I felt was stable enough to use.   I prefer simple and tight
to massive and possibly flawed.  I'll keep building mine as I learn new
things and develop new requirements, but for now it does exactly what it
needs to do.

Best of luck!  And if you find something noteworthy, please post it to the
list.

Thanks!

-TG

= = = Original message = = =

trevor...

appreciate the reply!!

we've seen a lot of homegrown solutions!! but we're hoping that we can find
something that's robust/tested/used in the industry/etc...

the issue of security is widespread, but you'd be surprised (maybe not) at
how poorly it appears to be implemented in various apps!!!

-bruce



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 21, 2005 7:54 AM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] security/sql issues with php


I know you're looking for something bigger and more complete, but in the
meantime maybe this will give you something of a foundation to build on to
make your own sanitizer.   I wrote this function that I include() into my
code to try to make data somewhat safer before using it in a SQL statement.
The reason I used so many 'case' statements is so I don't have to change my
main PHP code when I figure out a better way (or just new criteria) for
fixing/cleansing one type of data.  For instance, you'll see money and
percent and float do the same cleaning right now.  Maybe later I'll
decide I want to handle money different, all I need to do is change this
function and not all my code.  You get the idea.  This code is specific to
MySQL but you can substitute any DB's escape function at the end to
customize it.

Anyway, something to play with at least, since I didn't find any good
classes, packages, etc when I was looking either.  Let me know if you have
any questions:

-TG

<?php
/**
 * DBSanitizeData() prepares data for inserting/updating into or selecting from
 * MySQL by making sure that string data is properly escaped so as not to allow
 * 'SQL injection' type security issues from happening. No direct $_POST or $_GET data
 * should ever be used in a SQL string.
 *
 * Returns sanitized copy of data sent to it.
 *
 * Example: $result = mysql_query("INSERT INTO TableName (SomeColumn) VALUES
 * ('" . DBSanitizeData($_POST['somevar'], "datatype") . "')");
 *
 * <pre>
 * Modification Log:
 * --
 * Created:    Trevor Gryffyn - 03/28/2005
 * Modified:   Trevor Gryffyn - 08/25/2005
 *             Updated comments, changed mysql_escape_string() to
 *             mysql_real_escape_string()
 *
 * </pre>
 *
 * @author Trevor Gryffyn <[EMAIL PROTECTED]>
 * @category Database Functions
 *
 */
  function DBSanitizeData($dbdata, $datatype = "alpha") {
    switch (strtolower($datatype)) {
      case "binary":
      case "truefalse":
        $trues = array("YES", "Y", "1", "ON", "TRUE", "T");
        $falses = array("NO", "N", "0", "OFF", "FALSE", "F");

Re: [PHP] security/sql issues with php

2005-09-21 Thread Chris Shiflett

bruce wrote:

i've been searching/researching the areas of security regarding url
input, form input, as well as database input (mysql). while there
are plenty of articles that touch on the topic, i'm looking for a
given site/package/lib (open source) that is pretty much the
standard that i could use for my website/app...


The standard for what?


basically, i don't want to recreate the wheel, if there is already
a serious/good solution to this area. given the importance of this
area, i'm assuming that there is a lib/package that already exists
to handle these issues.

i've looked through google, as well as various open source web apps
to see how some of this is handled, and it appears the level of
sophistication for handling this is all over the place!!

i want to stress, i'm looking for the package/lib that's strong
enough/valid enough to be used in a serious commercial app.. a lot
of what i've seen/suggestions on various sites arent' complete/strong..

(this stuff has got to be around/available, i mean google/ebay/1000's
of sites are up/running without having issues!!!)


It looks like you give details below. Just to offer a friendly 
suggestion, you want less (almost none) of the stuff above and more of 
the stuff below if you want more people to read your email. I'm 
surprised I made it this far. :-)



-Should Handle basic regex filtering of POST/GET/REQUEST


There is a new input filtering extension in the works. However, it's 
important to realize that filtering is very application-specific. While 
many applications accept the same types of data (names, credit card 
numbers, addresses, etc.), there is almost always something unique or 
uncommon. No matter how easy the new filtering extension makes this 
process, you're still going to have to do some work.



-Filtering of basic mysql commands/functions/characters
(Insert/Drop/etc...)


I can't understand what you mean by this, but it sounds like a bad idea. 
If you inspect input and consider anything with an SQL keyword in it to 
be invalid, you have some problems with your filtering:


1. With a blacklist approach, there is an increased risk of missing 
something, thereby creating a vulnerability.


2. Legitimate data may contain an SQL keyword.

3. Relying on this suggests that you're mishandling data when you create 
SQL statements. Otherwise, it shouldn't be a concern.



-Should filter the arrays (GET/POST/REQUEST)


See above.


-Filtering of basic mysql commands/functions/characters
(Insert/Drop/etc...)


...


-Check for datatype


Everything in $_GET and $_POST is a string.


-Set Datatype


Set it to what?


-Parsing/inspection of all data prior to insertion in sql_query_string


Assuming your data is filtered, you just need to escape it. Most 
databases have a simple function call for this, and addslashes() works 
for most of the ones that don't.


Better yet, use bound parameters or placeholders, which are available in 
PDO, many database abstraction libraries, and some database clients.



-Use of 'datatype' arg in the query to insure that the correct datatype
val is used in the sql_string


This could be useful in the sense of not trying to insert a string into 
an integer field, but each column already has a type defined in the 
database. If you filter your data, which you should, this isn't an issue.



-Regex comparison of the vals prior to use in the sql_string


How is this different from the last few times you've mentioned 
filtering? I'm a big fan of Defense in Depth, but not to the point of 
inspecting my data several times before I use it.



-Proper usage of slashes/quotations around variables/sql_strings


If this is a problem for you, just use a database abstraction layer or PDO.

It sounds like almost all of your needs can be reduced to filtering 
input and escaping output. If you take a step back and think of your 
needs in terms of tracking data through your application, I think you'll 
see that your needs aren't as complex as they might have seemed.


If your question is whether there are good open source projects that 
adhere to all of these best practices, then the answer is yes, but I 
agree that it's often difficult to distinguish between them if you're 
not sure what to look for.


If you're just looking for a secure CMS (which I doubt, because I think 
your email would have been one line), then I don't have any good 
suggestions.


Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
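
The "filter input, then bind" advice above against a keyword blacklist, as an added example that is not code from the thread. It assumes PHP with the pdo_sqlite extension so it runs offline; the table, rows, regular expressions and the hostile value are constructed for the demonstration.

```php
<?php
// Added example, not code from the original thread: the "filter input, then
// bind" advice against a keyword blacklist. Assumes PHP with the pdo_sqlite
// extension; the table, rows and hostile input are constructed for the demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tracks (id INTEGER PRIMARY KEY, title TEXT, owner TEXT)');
$db->exec("INSERT INTO tracks (title, owner) VALUES ('Drop the Bass', 'alice')");
$db->exec("INSERT INTO tracks (title, owner) VALUES ('Insert Coin', 'bob')");
$db->exec("INSERT INTO tracks (title, owner) VALUES ('Quiet', 'alice')");

// The blacklist idea from the thread: reject anything that looks like SQL.
// It throws away legitimate data and still escapes nothing.
function looks_like_sql($input)
{
    return (bool) preg_match('/\b(insert|drop|select|union|delete)\b/i', $input);
}

// Vulnerable: untrusted input spliced into the statement text.
function tracks_by_owner_unsafe(PDO $db, $owner)
{
    $sql = "SELECT title FROM tracks WHERE owner = '" . $owner . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: validate the value against what the application means by an
// owner name, then hand it to the driver as a bound parameter. The value
// is never parsed as SQL, so keywords and quotes inside it do not matter.
function tracks_by_owner_safe(PDO $db, $owner)
{
    if (!preg_match('/^[a-z][a-z0-9_]{0,31}$/', $owner)) {
        throw new InvalidArgumentException('owner must be a short lowercase identifier');
    }
    $stmt = $db->prepare('SELECT title FROM tracks WHERE owner = :owner');
    $stmt->execute(array(':owner' => $owner));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// A legitimate title containing a keyword: the blacklist rejects it.
var_dump(looks_like_sql('Drop the Bass'));

// A hostile owner value with no blacklisted keyword at all: the blacklist
// passes it, and the concatenated query returns every row in the table.
$hostile = "alice' OR '1'='1";
var_dump(looks_like_sql($hostile));
print_r(tracks_by_owner_unsafe($db, $hostile));

// The same value never reaches the database through the hardened path.
try {
    tracks_by_owner_safe($db, $hostile);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
print_r(tracks_by_owner_safe($db, 'alice'));
```

The two halves do different jobs. The whitelist in tracks_by_owner_safe() encodes what an owner name means to this application and would be different for a song title or an address; the bound parameter is what actually keeps the value out of the SQL grammar, and it would still do so if the whitelist were loosened. Escaping with the driver's quoting function is the fallback for the databases where placeholders are not available.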



Re: [PHP] exec command fails in php, works in the command line

2005-09-21 Thread John Nichel

[EMAIL PROTECTED] wrote:
convert doesn't produce any output regardless of whether it works or 
not. Ecasound produces output when it works, but when it doesn't, it 
produces no output.  Using php tricks to capture standard error also 
produces no output.


Hopefully somebody else on the list can help.  Without any output/error 
messages, it's kind of hard to know what the problem is.


--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] Local session.gc_maxlifetime not always being respected

2005-09-21 Thread Michael Caplan

Hi,

I have a rather peculiar problem with session.gc_maxlifetime local
settings not being respected under certain circumstances.  In order to
ensure that sessions created for our application would have a max
lifetime longer than the default 24 minutes, we cranked
session.gc_maxlifetime in an .htaccess file to 4 hours (local value).
However, our sessions were still being cleaned up after 24 minutes.  I
validated through phpinfo() that it was actually picking up the local
setting, which it was.  I also noticed in my testing that if I reduced
the session.gc_maxlifetime local value to less than the master value, my
sessions would be cleaned up in accordance with the local value.

When we changed the master value to 4 hours, we are no longer having our
sessions cleaned up within 24 minutes.  So, it appears that the local
value of session.gc_maxlifetime is only being respected if it is less
than that of the master value.

Has anyone else come across this problem as well?  FYI, we are running
PHP 4.4 on debian sarge.

Thanks,

Michael

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] exec command fails in php, works in the command line

2005-09-21 Thread ernst

You're telling me.  That's why I think php or apache kills it.

On Wed, 21 Sep 2005, John Nichel wrote:


[EMAIL PROTECTED] wrote:
convert doesn't produce any output regardless of whether it works or not. 
Ecasound produces output when it works, but when it doesn't, it produces no 
output.  Using php tricks to capture standard error also produces no 
output.


Hopefully somebody else on the list can help.  Without any output/error 
messages, it's kind of hard to know what the problem is.


--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



New Disorder Records - ten years of something:
Coming soon, new Power Struggle CD.
* Free Email with 5 megs, no ads
* Internet Radio Station - upload your music, we'll put it in rotation
* 100's of CDs for sale
* videos, message board, byofl
http://www.newdisorder.com
-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] losing session data with cross-site scripting

2005-09-21 Thread Chris Shiflett

Steve Lefevre wrote:

I have a php site on a production server. The production server doesn't
have the spell libraries, and rather than migrate the site, we setup
spell checking functions on the development site, and shuttled the users
back and forth with specially crafted get links and forms.


This sounds ugly, and you're leaving out some important details. My 
first question is whether the domain name of the development (well, not 
anymore) server is a subdomain of the production server.



The POST form or GET link on the production site contains the string to
be spellchecked. Once the user is at the development site, the string is
spellcheck, and corrected if necessary. The development site checks the
http referrer to make sure it's not just anybody, and the only thing it
does is spell checking, anyway.


Checking Referer is useless, because everyone knows what you expect it 
to be.


After the spell checking is done, we then create links that bring the 
user back to the development site. On the development site, I have an 
include at the beginning of each page that checks for a session, and 
either takes them to the proper page, or throws an error if they are

not on the login page and have no session.


This sounds confusing, but I think it's because you meant to say 
production instead of development. Did you?



Most of the time, no problem. When a user is returning from the
production site, their session is still set when they load the page
on the production server, and they get the appropriate page. However,
for a few users, they are somehow losing session data, and they get
the error when they try to return from the development server.


Maybe their session is timing out? You're sending them to a different 
site, after all.


I think we can help more if you offer some details, such as how you're 
handling sessions. It also sounds like you could avoid all of this 
confusion by simply having your production server communicate directly 
with your development server. Using the user as a data transport seems 
very ugly.


(Also, you didn't mention how cross-site scripting fits in.)

Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
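
Chris's point that a Referer check proves nothing is worth a concrete replacement. What follows is an added example, not code from the thread or from either site under discussion: the sending host signs the hand-off fields with an HMAC under a secret shared with the receiving host, which recomputes and compares the tag before doing any work. The secret, the field names, the hostname and the lifetime are assumptions for the demonstration.

```php
<?php
// Added example, not code from the original thread: replace the Referer
// check with a keyed MAC over the hand-off data. Both hosts must hold the
// same secret; the value here and the field names are assumptions.

const HANDOFF_SECRET = 'replace-with-a-long-random-secret-shared-by-both-hosts';
const HANDOFF_TTL    = 300;   // seconds a hand-off link stays usable

// Producing side: add a timestamp, sign the canonical query string.
function handoff_sign(array $fields, $secret, $now)
{
    $fields['ts'] = (string) $now;
    ksort($fields);
    $fields['sig'] = hash_hmac('sha256', http_build_query($fields), $secret);
    return $fields;
}

// Receiving side: recompute the MAC over everything except the signature
// and reject anything altered or stale. Anyone can send a Referer header;
// only a holder of the secret can produce a valid 'sig'.
function handoff_verify(array $fields, $secret, $now, $ttl)
{
    if (!isset($fields['sig'], $fields['ts'])) {
        return false;
    }
    $sig = $fields['sig'];
    unset($fields['sig']);
    ksort($fields);
    $expected = hash_hmac('sha256', http_build_query($fields), $secret);
    if (!hash_equals($expected, $sig)) {          // constant-time comparison
        return false;
    }
    return abs($now - (int) $fields['ts']) <= $ttl;
}

// Constructed hand-off of a string to be spell-checked.
$now    = time();
$signed = handoff_sign(array('text' => 'teh quick brown fox', 'user' => 'alice'),
                       HANDOFF_SECRET, $now);
$url    = 'https://dev.example/spell.php?' . http_build_query($signed);   // hypothetical host
echo $url, "\n";

// What the receiving page does with $_GET (here the same array):
var_dump(handoff_verify($signed, HANDOFF_SECRET, $now + 10, HANDOFF_TTL));     // accepted

$tampered = $signed;
$tampered['user'] = 'mallory';
var_dump(handoff_verify($tampered, HANDOFF_SECRET, $now + 10, HANDOFF_TTL));   // altered field

var_dump(handoff_verify($signed, HANDOFF_SECRET, $now + 3600, HANDOFF_TTL));   // stale link
```

The timestamp bounds how long a captured link can be replayed; if a single use must be enforced, the receiving side also has to remember the signatures it has already accepted within the window. This fixes the authentication of the hand-off only; the lost sessions Chris asks about are a separate question of how the session cookie behaves across the two hosts.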



Re: [PHP] exec command fails in php, works in the command line

2005-09-21 Thread Rasmus Lerdorf
[EMAIL PROTECTED] wrote:
 You're telling me.  That's why I think php or apache kills it.

I didn't really follow this, but typically you can debug exec problems
from the command line by switching to the web server user id and running
the exact same command.

-Rasmus

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
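
Running the helper as the web server user is the right first check. When that still fails only sometimes and exec() shows nothing, the missing evidence is usually stderr and the exit status, which exec() does not return. The following is an added example, not code from Rasmus or the thread: it runs the helper through proc_open() so stdout, stderr and the exit status are captured separately, and it quotes every argument so a user-chosen file name cannot become shell syntax. The binary path, the upload directory and the file names are assumptions.

```php
<?php
// Added example, not code from the original thread. Runs a helper such as
// convert from PHP while keeping stdout, stderr and the exit status, so a
// helper that dies silently still leaves evidence in the log. The binary,
// the upload directory and the file names are assumptions for the demo.

function run_helper($binary, array $args)
{
    // Every argument is quoted individually. A file name that came from an
    // upload form must never reach /bin/sh as bare text.
    $cmd = escapeshellcmd($binary);
    foreach ($args as $arg) {
        $cmd .= ' ' . escapeshellarg($arg);
    }

    $spec = array(
        0 => array('pipe', 'r'),   // stdin, closed right away
        1 => array('pipe', 'w'),   // stdout
        2 => array('pipe', 'w'),   // stderr, which exec() would discard
    );
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return array('ok' => false, 'status' => -1, 'stdout' => '',
                     'stderr' => 'proc_open failed', 'cmd' => $cmd);
    }
    fclose($pipes[0]);
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);

    // proc_close() returns the exit status. When the shell reports a child
    // killed by signal N the status is 128+N, e.g. 137 for SIGKILL, which is
    // what an out-of-memory kill or a hard resource limit looks like.
    $status = proc_close($proc);

    return array(
        'ok'     => $status === 0,
        'status' => $status,
        'stdout' => $stdout,
        'stderr' => $stderr,
        'cmd'    => $cmd,
    );
}

// Constructed caller: the uploaded file is processed only if it really lives
// inside the upload directory, which also defeats "../" in the request.
$uploadDir = '/var/www/uploads';                                   // assumed location
$requested = isset($_GET['file']) ? $_GET['file'] : 'photo 1.jpg; rm -rf *';
$real      = realpath($uploadDir . '/' . basename($requested));
if ($real === false || strpos($real, $uploadDir . '/') !== 0) {
    exit("refusing to process a file outside $uploadDir\n");
}

$result = run_helper('/usr/bin/convert',
                     array($real, '-thumbnail', '120x120', $uploadDir . '/thumb.jpg'));
if (!$result['ok']) {
    error_log(sprintf('convert failed: status=%d cmd=%s stderr=%s',
        $result['status'], $result['cmd'], trim($result['stderr'])));
}
```

If exec() has to stay, appending `2>&1` to the command at least folds stderr into the captured output, and its third argument receives the exit status. A status above 128 on an intermittent failure points at a signal rather than at permissions, which would fail every time.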



Re: [PHP] Bytecode

2005-09-21 Thread Chris Shiflett

Andy Pieters wrote:

I came across some text that says PHP compiles the script to bytecode prior to
running it.

Is this true, and is it possible to instead of .php source files, use those
bytecodes files in distribution?


It sounds like you're looking for APC:

http://php.net/apc

Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] exec command fails in php, works in the command line

2005-09-21 Thread ernst
Yes, but that's been done.  Since these are shared servers, on one I am 
logged in as the user the web server is running as, on the other I can't 
su to nobody, but were there permissions errors, I would have been able to 
capture them.  If permissions caused this, it would fail every time, since 
I'm always writing to the same directory.  Instead it only fails some of 
the time.


 On Wed, 21 Sep 2005, Rasmus Lerdorf wrote:


[EMAIL PROTECTED] wrote:

You're telling me.  That's why I think php or apache kills it.


I didn't really follow this, but typically you can debug exec problems
from the command line by switching to the web server user id and running
the exact same command.

-Rasmus



New Disorder Records - ten years of something:
Coming soon, new Power Struggle CD.
* Free Email with 5 megs, no ads
* Internet Radio Station - upload your music, we'll put it in rotation
* 100's of CDs for sale
* videos, message board, byofl
http://www.newdisorder.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] exec command fails in php, works in the command line

2005-09-21 Thread rouvas
I am assuming that you get hold of the file through uploading it, correct?
So, when it fails maybe another upload (i.e. script invocation) is happening 
and the previous file gets lost/corrupted/whatever. Try to move the file to 
another dir (maybe /tmp) with a random name and see what happens.

Anyway, I think that this kind of thing should really be delegated to a 
cronjob.

-Stathis

On Wednesday 21 September 2005 20:45, [EMAIL PROTECTED] wrote:
 Yes, but that's been done.  Since these are shared servers, on one I am
 logged in as the user the web server is running as, on the other I can't
 su to nobody, but were there permissions errors, I would have been able to
 capture them.  If permissions caused this, it would fail every time, since
 I'm always writing to the same directory.  Instead it only fails some of
 the time.

   On Wed, 21 Sep 2005, Rasmus Lerdorf wrote:
  [EMAIL PROTECTED] wrote:
  You're telling me.  That's why I think php or apache kills it.
 
  I didn't really follow this, but typically you can debug exec problems
  from the command line by switching to the web server user id and running
  the exact same command.
 
  -Rasmus

 New Disorder Records - ten years of something:
 Coming soon, new Power Struggle CD.
 * Free Email with 5 megs, no ads
 * Internet Radio Station - upload your music, we'll put it in rotation
 * 100's of CDs for sale
 * videos, message board, byofl
 http://www.newdisorder.com

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] exec command fails in php, works in the command line

2005-09-21 Thread ernst
php places uploaded files in the /tmp directory with a unique name, and 
when I copy them to my directory, I also guarantee a unique name for them. 
I have verified that this is all working.  I've patched this with a cron 
job that runs every minute, but it really should happen in php, so that 
the user can get immediate feedback on how the thumbnail looks or how the 
mp3 file sounds.


 On Wed, 21 Sep 2005, rouvas wrote:


I am assuming that you get hold of the file through uploading it, correct?
So, when it fails maybe another upload (i.e. script invocation) is happening
and the previous file gets lost/corrupted/whatever. Try to move the file to
another dir (maybe /tmp) with a random name and see what happens.

Anyway, I think that this kind of thing should really be delegated to a
cronjob.

-Stathis

On Wednesday 21 September 2005 20:45, [EMAIL PROTECTED] wrote:

Yes, but that's been done.  Since these are shared servers, on one I am
logged in as the user the web server is running as, on the other I can't
su to nobody, but were there permissions errors, I would have been able to
capture them.  If permissions caused this, it would fail every time, since
I'm always writing to the same directory.  Instead it only fails some of
the time.

  On Wed, 21 Sep 2005, Rasmus Lerdorf wrote:

[EMAIL PROTECTED] wrote:

You're telling me.  That's why I think php or apache kills it.


I didn't really follow this, but typically you can debug exec problems
from the command line by switching to the web server user id and running
the exact same command.

-Rasmus


New Disorder Records - ten years of something:
Coming soon, new Power Struggle CD.
* Free Email with 5 megs, no ads
* Internet Radio Station - upload your music, we'll put it in rotation
* 100's of CDs for sale
* videos, message board, byofl
http://www.newdisorder.com


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



New Disorder Records - ten years of something:
Coming soon, new Power Struggle CD.
* Free Email with 5 megs, no ads
* Internet Radio Station - upload your music, we'll put it in rotation
* 100's of CDs for sale
* videos, message board, byofl
http://www.newdisorder.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] email validation (no regex)

2005-09-21 Thread Jim Moseby
I threw together this totally untested and unreliable code to solicit
comments on whether or not this is a good way to validate emails.  Consider
the following:

<pseudocode>

function validate_email($email){
  // exactly one '@' (substr_count counts characters; str_word_count does not)
  if (substr_count($email,'@')!=1){return('Not a proper email address');}
  $parts=explode('@',$email);
  $name=$parts[0];
  $domain=$parts[1];
  if (!getmxrr($domain,$mxhosts)){
    return('Invalid domain');
  }//if
  foreach($mxhosts as $mxhost){
    if($fp=fsockopen($mxhost,25,$errno,$errstr,10)){
      $response=fread($fp,256);                   // the 220 banner comes first
      fwrite($fp,"EHLO test\r\n");                // SMTP lines end in CRLF
      $response=fread($fp,256);
      fwrite($fp,"MAIL FROM:<[EMAIL PROTECTED]>\r\n");
      $response=fread($fp,256);
      fwrite($fp,'RCPT TO:<'.$email.">\r\n");
      $response=fread($fp,256);
      fwrite($fp,"QUIT\r\n");
      fclose($fp);
      $parts=explode(' ',$response);
      if ($parts[0]!='250'){
        return('Unknown Recipient');
      }//if
      return('OK');                               // this MX accepted the recipient
    }//if
  }//foreach
  return('Could not connect to MX');
}//function validate_email

</pseudocode>

So, what is the general thought about validating email addresses in this
manner?

JM

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] Re: email validation (no regex)

2005-09-21 Thread Al

Jim Moseby wrote:

I threw together this totally untested and unreliable code to solicit
comments on whether or not this is a good way to validate emails.  Consider
the following:

<pseudocode>

function validate_email($email){
  // exactly one '@' (substr_count counts characters; str_word_count does not)
  if (substr_count($email,'@')!=1){return('Not a proper email address');}
  $parts=explode('@',$email);
  $name=$parts[0];
  $domain=$parts[1];
  if (!getmxrr($domain,$mxhosts)){
    return('Invalid domain');
  }//if
  foreach($mxhosts as $mxhost){
    if($fp=fsockopen($mxhost,25,$errno,$errstr,10)){
      $response=fread($fp,256);                   // the 220 banner comes first
      fwrite($fp,"EHLO test\r\n");                // SMTP lines end in CRLF
      $response=fread($fp,256);
      fwrite($fp,"MAIL FROM:<[EMAIL PROTECTED]>\r\n");
      $response=fread($fp,256);
      fwrite($fp,'RCPT TO:<'.$email.">\r\n");
      $response=fread($fp,256);
      fwrite($fp,"QUIT\r\n");
      fclose($fp);
      $parts=explode(' ',$response);
      if ($parts[0]!='250'){
        return('Unknown Recipient');
      }//if
      return('OK');                               // this MX accepted the recipient
    }//if
  }//foreach
  return('Could not connect to MX');
}//function validate_email

</pseudocode>

So, what is the general thought about validating email addresses in this
manner?

JM

There is a good reason why virtually everyone uses regex patterns for email 
validating.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] Re: email validation (no regex)

2005-09-21 Thread Jim Moseby
  So, what is the general thought about validating email 
 addresses in this
  manner?
  
  JM
 There is a good reason why virtually everyone uses regex 
 patterns for email validating.

Excellent start!  And that good reason is...?  
How can regex ensure that the email address that is submitted is a valid (ie
working, able to receive email) address?
Why is regex a better way?

JM

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] Re: email validation (no regex)

2005-09-21 Thread bruce
jim...

validating email means different things to different people...

but there's no way you're going to be able to 'throw' together something in
2-3 days that others have taken years to create/refine...

if you only want to determine if an email address is valid, what does that
mean to you? are you following the current/latest rfc 2822 (i think)
standard? or are you just trying to get a quick halfway ok function...

as an example, i was looking at a way of using a regex/function for email
validation for a user input form... i decided that it was simply too tough
to deal with the various nuances, and chickened out, using a combination
perl/php approach...

but you could do what you want to do. however, it's going to be painful if
you want it to match the rfc spec...

good luck...

-bruce

ps. take a look at perl's email::valid function if you want to get a feel
for how extensive this task can get...


-Original Message-
From: Jim Moseby [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 21, 2005 11:01 AM
To: 'Al'; php-general@lists.php.net
Subject: RE: [PHP] Re: email validation (no regex)


  So, what is the general thought about validating email
 addresses in this
  manner?
 
  JM
 There is a good reason why virtually everyone uses regex
 patterns for email validating.

Excellent start!  And that good reason is...?
How can regex ensure that the email address that is submitted is a valid (ie
working, able to receive email) address?
Why is regex a better way?

JM

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Re: email validation (no regex)

2005-09-21 Thread Ben
Jim Moseby said the following on 09/21/05 11:00:
So, what is the general thought about validating email 

addresses in this

manner?

JM

There is a good reason why virtually everyone uses regex 
patterns for email validating.
 
 
 Excellent start!  And that good reason is...?  
 How can regex ensure that the email address that is submitted is a valid (ie
 working, able to receive email) address?
 Why is regex a better way?

Personally I would go for a combination.  Regex is much faster so if you
can eliminate fake addresses with regex you won't have to waste your
time attempting to look up MX records or connect to mail servers that
don't exist.

My apologies for the line wrapping, but the following is a slightly
modified function I found online and have been using for a while.  It
doesn't actually connect to the remote server and try sending to the
address provided like your function does, it merely checks for a valid
MX for the domain.  The extra time spent attempting a fake send to an
address was deemed not worth the bother as some mail servers (especially
qmail) do not, by default or without patching, block messages from being
sent to non-existent email addresses.  Instead the message is accepted
and bounced.  Your method will not detect this.

- Ben


function isValidEmail($address, $checkMX = false) {
    // Return true or false depending on whether the email address is valid
    // (a fixed TLD list like this one goes stale as new TLDs are delegated)
    $valid_tlds = array("arpa", "biz", "com", "edu", "gov", "int",
        "mil", "net", "org", "aero",
        "ad", "ae", "af", "ag", "ai", "al", "am", "an", "ao", "aq", "ar", "as", "at", "au",
        "aw", "az", "ba", "bb", "bd", "be", "bf", "bg", "bh", "bi", "bj", "bm", "bn", "bo",
        "br", "bs", "bt", "bv", "bw", "by", "bz", "ca", "cc", "cf", "cd", "cg", "ch", "ci",
        "ck", "cl", "cm", "cn", "co", "cr", "cs", "cu", "cv", "cx", "cy", "cz", "de", "dj",
        "dk", "dm", "do", "dz", "ec", "ee", "eg", "eh", "er", "es", "et", "fi", "fj", "fk",
        "fm", "fo", "fr", "fx", "ga", "gb", "gd", "ge", "gf", "gh", "gi", "gl", "gm", "gn",
        "gp", "gq", "gr", "gs", "gt", "gu", "gw", "gy", "hk", "hm", "hn", "hr", "ht", "hu",
        "id", "ie", "il", "in", "io", "iq", "ir", "is", "it", "jm", "jo", "jp", "ke", "kg",
        "kh", "ki", "km", "kn", "kp", "kr", "kw", "ky", "kz", "la", "lb", "lc", "li", "lk",
        "lr", "ls", "lt", "lu", "lv", "ly", "ma", "mc", "md", "mg", "mh", "mk", "ml", "mm",
        "mn", "mo", "mp", "mq", "mr", "ms", "mt", "mu", "mv", "mw", "mx", "my", "mz", "na",
        "nc", "ne", "nf", "ng", "ni", "nl", "no", "np", "nr", "nt", "nu", "nz", "om", "pa",
        "pe", "pf", "pg", "ph", "pk", "pl", "pm", "pn", "pr", "pt", "pw", "py", "qa", "re",
        "ro", "ru", "rw", "sa", "sb", "sc", "sd", "se", "sg", "sh", "si", "sj", "sk", "sl",
        "sm", "sn", "so", "sr", "st", "su", "sv", "sy", "sz", "tc", "td", "tf", "tg", "th",
        "tj", "tk", "tm", "tn", "to", "tp", "tr", "tt", "tv", "tw", "tz", "ua", "ug", "uk",
        "um", "us", "uy", "uz", "va", "vc", "ve", "vg", "vi", "vn", "vu", "wf", "ws", "ye",
        "yt", "yu", "za", "zm", "zr", "zw", "coop", "info",
        "museum", "name", "pro");

    // Rough syntax check: local part, a single @, a domain label, a dot and a TLD
    // (preg_match() stands in for the eregi() call, which later PHP versions removed)
    if (!preg_match('/^[a-z0-9_.\-]+@[a-z0-9\-]{2,}\.[a-z0-9\-.]{2,}$/i', $address)) {
        return false;
    }
    else {
        $address = strtolower($address);
    }

    // Explode the address on name and domain parts
    $name_domain = explode("@", $address);

    // There can be only one ;-) I mean... the @ symbol
    if (count($name_domain) != 2)
        return false;

    // Check the domain parts
    $domain_parts = explode(".", $name_domain[1]);
    if (count($domain_parts) < 2)
        return false;

    // Check the TLD ($domain_parts[count($domain_parts) - 1])
    if (!in_array($domain_parts[count($domain_parts) - 1], $valid_tlds))
        return false;

    // Search DNS for MX records corresponding to the domain ($name_domain[1])
    if ($checkMX && !getmxrr($name_domain[1], $mxhosts))
        return false;

    return true;
}

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] Re: email validation (no regex)

2005-09-21 Thread Jim Moseby
 jim...
 
 validating email means different things to different people...

True, but for the most part people just want to know whether a user has
entered a real working email address into their forms.  What better test
than to try to send an email to it?  

 
 but there's no way you're going to be able to 'throw' 
 together something in
 2-3 days that others have taken years to create/refine...

I threw the example I posted together in about 10 minutes (and it shows :).
Even though I'm not at a place where I can test it right now, I think it
will work with some tweaking.  

 
 if you only want to determine if an email address is valid, 
 what does that
 mean to you? are you following the current/latest rfc 2822 (i think)
 standard? or are you just trying to get a quick halfway ok function...

Of course the SMTP standard would have to be followed, I typed what you see
from memory, just as a conceptual model.

 
 as an example, i was looking at a way of using a 
 regex/function for email
 validation for a user input form... i decided that it was 
 simply too tough
 to deal with the various nuances, and chickened out, using a 
 combination
 perl/php approach...

So what do you get from them that my function would not give you?

 
 but you could do what you want to do. however, it's going to 
 be painful if
 you want it to match the rfc spec...

Really?  Why does it need to be painful?  I just need to do a 'EHLO', 'Mail
From:' and 'RCPT to:' and 'QUIT'. It's not going to actually send an email.
Seems simple to me.  Maybe there's something else in the spec that I don't
see?

 
 good luck...
 

Thanks.  :o)

 ps. take a look at perl's email::valid function if you want 
 to get a feel
 for how extensive this task can get...
 
My question is why does it have to be so complicated?  SMTP servers are
the best email validation devices known to man.  Why not let them do the
dirty work?

JM -- playing devils advocate  :o)

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] Retrieving variable name?

2005-09-21 Thread Jeffrey Sambells
is it possible to retrieve the name of a variable passed into a 
function from within the function?


<?php
function example($input) {
	// for example, here can I determine that $input came from $a in the
	// previous scope?

}

example($a);

?>


Jeffrey Sambells
Director of Research and Development
We-Create Inc.
519.897.2552 cell
519.745.7374 office
888.615.7374 toll free
http://www.wecreate.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] exec command fails in php, works in the command line

2005-09-21 Thread adriano ghezzi
did you try to run the script from the shell as the www-data user?
(if not, su www-data and then run the script); it may be something regarding
permissions

hth


2005/9/21, John Nichel [EMAIL PROTECTED]:
 [EMAIL PROTECTED] wrote:
  I have two programs on two servers, and they both have similar problems.
  In each one, I use 'exec' to call a helper program.  In one case, it is
  ecasound, which I use to resample an mp3.  In the other, it is convert,
  which creates a thumbnail of a very large image the user has uploaded.
  In both cases, the exec command fails.  Not all the time, but some
  times.  In both cases, the command that is being called by exec will
  work fine at the command line.  I assume that there is some memory /
  resource limit that is being breached when this happens, but I don't
  know what it is, or how to tell php to allow my programs to run.  Any
  ideas?

 Or is safe mode on?

 --
 John C. Nichel
 ÜberGeek
 KegWorks.com
 716.856.9675
 [EMAIL PROTECTED]

 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] Re: email validation (no regex)

2005-09-21 Thread Manuel Lemos

Hello,

on 09/21/2005 02:49 PM Jim Moseby said the following:
 I threw together this totally untested and unreliable code to solicit
 comments on whether or not this is a good way to validate emails. 
Consider

 the following:

 So, what is the general thought about validating email addresses in this
 manner?

This may work but your code has several problems like not handling long 
lines, multiline SMTP responses and grey listing. That may cause your 
code to break with some SMTP servers or give false negatives.


Instead of re-inventing the wheel, you may want to try this popular 
class for validation of e-mail addresses that can check the destination 
SMTP server but it handles correctly the problems I mentioned above:


http://www.phpclasses.org/emailvalidation


--

Regards,
Manuel Lemos

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

PHP Reviews - Reviews of PHP books and other products
http://www.phpclasses.org/reviews/

Metastorage - Data object relational mapping layer generator
http://www.meta-language.net/metastorage.html

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
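
The reply handling Manuel refers to, as an added example that is not code from the thread or from the class he links to. SMTP replies are read line by line until the final "NNN " line (continuation lines use "NNN-", which is what an EHLO reply looks like), and a 4xx answer to RCPT TO is reported as temporary rather than as an unknown recipient, since that is what a greylisting server returns on a first attempt. The server side is a constructed transcript in a memory stream so the code runs offline; against a real MX the same functions take the fsockopen() handle and a $send closure that writes to it. The host names and addresses are assumptions.

```php
<?php
// Added example, not code from the original thread: SMTP reply parsing for a
// recipient probe. Multi-line replies are read to their final line, and a
// 4xx answer (greylisting) is kept apart from a 5xx rejection. The server
// transcript below is constructed; host names and addresses are assumptions.

function smtp_read_reply($fp)
{
    $text = array();
    while (($line = fgets($fp, 4096)) !== false) {
        $line = rtrim($line, "\r\n");
        if (!preg_match('/^(\d{3})([ -])(.*)$/', $line, $m)) {
            return null;                          // not a reply line: protocol error
        }
        $text[] = $m[3];
        if ($m[2] === ' ') {                      // final line of this reply
            return array('code' => (int) $m[1], 'text' => $text);
        }
    }
    return null;                                  // connection closed mid-reply
}

function smtp_classify_rcpt($reply)
{
    if ($reply === null) {
        return 'error';
    }
    if ($reply['code'] === 250) {
        return 'accepted';     // the domain may still be a catch-all that bounces later
    }
    if ($reply['code'] >= 400 && $reply['code'] < 500) {
        return 'temporary';    // greylisting: retry later, do not call the address invalid
    }
    return $reply['code'] >= 500 ? 'rejected' : 'error';
}

// One probe: banner, EHLO, MAIL FROM, RCPT TO, QUIT. $send is how commands
// reach the server, so the function can be exercised without a network.
function smtp_probe_rcpt($fp, $send, $helo, $from, $to)
{
    $steps = array(
        array(null,                    220),      // banner, nothing to send
        array("EHLO $helo\r\n",        250),
        array("MAIL FROM:<$from>\r\n", 250),
    );
    foreach ($steps as $step) {
        if ($step[0] !== null) {
            $send($step[0]);
        }
        $reply = smtp_read_reply($fp);
        if ($reply === null || $reply['code'] !== $step[1]) {
            $send("QUIT\r\n");
            return 'error';
        }
    }
    $send("RCPT TO:<$to>\r\n");
    $reply = smtp_read_reply($fp);
    $send("QUIT\r\n");
    return smtp_classify_rcpt($reply);
}

// Constructed transcript of a greylisting MX, one reply per step.
$transcript =
    "220 mx.example.net ESMTP\r\n" .
    "250-mx.example.net Hello probe\r\n" .        // EHLO reply spans three lines
    "250-SIZE 52428800\r\n" .
    "250 STARTTLS\r\n" .
    "250 2.1.0 Ok\r\n" .                          // MAIL FROM
    "451 4.7.1 Greylisted, try again later\r\n";  // RCPT TO

$fp = fopen('php://memory', 'r+');
fwrite($fp, $transcript);
rewind($fp);

$sent   = array();
$record = function ($line) use (&$sent) { $sent[] = rtrim($line); };

$verdict = smtp_probe_rcpt($fp, $record, 'probe.example',
                           'probe@probe.example', 'someone@example.net');
fclose($fp);

echo "commands sent: ", implode(' | ', $sent), "\n";
echo "verdict: $verdict\n";
```

A fixed-size fread() as in the sketch above would have returned the three EHLO lines as one blob, or the banner and the EHLO reply together, leaving every later reply misread. The 'accepted' result is still only "the MX did not refuse it at RCPT time": a catch-all domain, as Ben notes, accepts everything and bounces afterwards, so the only proof that an address works remains a message the user acts on.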



Re: [PHP] exec command fails in php, works in the command line

2005-09-21 Thread ernst

yeah, if you look at the thread you will see that I've already done this.

On Wed, 21 Sep 2005, adriano ghezzi wrote:


did you try to run the script from the shell as the www-data user?
(if not, su www-data and then run the script); it may be something regarding
permissions

hth


2005/9/21, John Nichel [EMAIL PROTECTED]:

[EMAIL PROTECTED] wrote:

I have two programs on two servers, and they both have similar problems.
In each one, I use 'exec' to call a helper program.  In one case, it is
ecasound, which I use to resample an mp3.  In the other, it is convert,
which creates a thumbnail of a very large image the user has uploaded.
In both cases, the exec command fails.  Not all the time, but some
times.  In both cases, the command that is being called by exec will
work fine at the command line.  I assume that there is some memory /
resource limit that is being breached when this happens, but I don't
know what it is, or how to tell php to allow my programs to run.  Any
ideas?


Or is safe mode on?

--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php








New Disorder Records - ten years of something:
Coming soon, new Power Struggle CD.
* Free Email with 5 megs, no ads
* Internet Radio Station - upload your music, we'll put it in rotation
* 100's of CDs for sale
* videos, message board, byofl
http://www.newdisorder.com

FW: [PHP] Re: email validation (no regex)

2005-09-21 Thread Jim Moseby
(Forwarding private reply to the list)
-Original Message-
From: Al Rider 
Sent: Wednesday, September 21, 2005 2:19 PM
To: Jim Moseby
Subject: Re: [PHP] Re: email validation (no regex)


   What you have is virtually impossible to determine if all legitimate
possibilities are covered.  
   email validation using regex is a very heavily analyzed subject
   Google regex email validate and you'll find loads of expressions.
Look at the Zend article, it provides some insight.  

I fully understand about the almost limitless possibilities. Googling the
subject returns results more mind boggling than the regex itself.  :o)  Do
ANY of the regex examples you have found cover all those possibilities?  If
so, why are there so many different approaches?  For most applications,
where you will only be validating a small number of emails in a given day,
why put yourself to all the regex pain, still to not have covered all the
possibilities?

In the end, with regards to email validation, all most people need is to
know that a given email has a proper username, just 1 '@' in the middle, and
a valid domain.  If it doesn't, it's a bogus email address.

JM  




RE: [PHP] Re: email validation (no regex)

2005-09-21 Thread Murray @ PlanetThoughtful
What you have is virtually impossible to determine if all legitimate
 possibilities are covered.
email validation using regex is a very heavily analyzed subject
Google regex email validate and you'll find loads of expressions.
 Look at the Zend article, it provides some insight.
 
 I fully understand about the almost limitless possibilities. Googling the
 subject returns results more mind boggling than the regex itself.  :o)  Do
 ANY of the regex examples you have found cover all those possibilities?
 If
 so, why are there so many different approaches?  For most applications,
 where you will only be validating a small number of emails in a given day,
 why put yourself to all the regex pain, still to not have covered all the
 possibilities?
 
 In the end, with regards to email validation, all most people need is to
 know that a given email has a proper username, just 1 '@' in the middle,
 and
 a valid domain.  If it doesn't, it's a bogus email address.

As to that, why not validate the email address by sending an automated
message to the supplied account, requiring the person to click on a
validation link? Easy, simple, works better than either method currently
being discussed, purely for its simplicity, if nothing else.

Much warmth,

Murray
---
Lost in thought...
http://www.planetthoughtful.org




FW: [PHP] email validation (no regex)

2005-09-21 Thread Jim Moseby

(private email forwarded to list)
-Original Message-
From: [EMAIL PROTECTED]
Sent: Wednesday, September 21, 2005 2:19 PM
To: Jim Moseby
Subject: Re: [PHP] email validation (no regex)


There's no requirement for an MX-record, so you'd need to check the
A-record ($domain) too.

This approach is likely extremely resource and time intensive. So, in
my view, not something that you'd really want to do while the user is
holding on the line.

  - Rick

-- End Original Message --

Excellent answer.  No requirement for MX record?
  
[showing my ignorance] 
How does email routing happen if there is no mail exchanger in the zonefile
for a particular domain? 
[/ignorance]

Time and resource intensive is the only down-side I have been able to
think of.  Even though it should run very quickly, I have no control over
internet lag, load on the SMTP server, etc.  Doing it this way places all
those variables out of my control. A definite downside.

JM




RE: [PHP] Re: email validation (no regex)

2005-09-21 Thread bruce
because you should want/need to validate that the address is correct prior
to determining if the email server is up running...

the regex function simply allows you to quickly determine if the address is
valid... doesn't mean that it's going to go to an actual live user...!!

btw simply checking for a single '@' with a domain doesn't do it... what if
the user has '[EMAIL PROTECTED]' or '[EMAIL PROTECTED]'. will your regex accept/deny
this???

welcome to the world of email validation

-bruce


-Original Message-
From: Murray @ PlanetThoughtful [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 21, 2005 12:01 PM
To: 'Jim Moseby'; php-general@lists.php.net
Subject: RE: [PHP] Re: email validation (no regex)


What you have is virtually impossible to determine if all legitimate
 possibilities are covered.
email validation using regex is a very heavily analyzed subject
Google regex email validate and you'll find loads of expressions.
 Look at the Zend article, it provides some insight.

 I fully understand about the almost limitless possibilities. Googling the
 subject returns results more mind boggling than the regex itself.  :o)  Do
 ANY of the regex examples you have found cover all those possibilities?
 If
 so, why are there so many different approaches?  For most applications,
 where you will only be validating a small number of emails in a given day,
 why put yourself to all the regex pain, still to not have covered all the
 possibilities?

 In the end, with regards to email validation, all most people need is to
 know that a given email has a proper username, just 1 '@' in the middle,
 and
 a valid domain.  If it doesn't, it's a bogus email address.

As to that, why not validate the email address by sending an automated
message to the supplied account, requiring the person to click on a
validation link? Easy, simple, works better than either method currently
being discussed, purely for its simplicity, if nothing else.

Much warmth,

Murray
---
Lost in thought...
http://www.planetthoughtful.org




RE: [PHP] Re: email validation (no regex)

2005-09-21 Thread Murray @ PlanetThoughtful
 because you should want/need to validate that the address is correct prior
 to determining if the email server is up running...
 
 the regex function simply allows you to quickly determine if the address
 is
 valid... doesn't mean that it's going to go to an actual live user...!!
 
 btw simply checking for a single '@' with a domain doesn't do it... what
 if
 the user has '[EMAIL PROTECTED]' or '[EMAIL PROTECTED]'. will your regex 
 accept/deny
 this???
 
 welcome to the world of email validation
 
 -bruce
 
 As to that, why not validate the email address by sending an automated
 message to the supplied account, requiring the person to click on a
 validation link? Easy, simple, works better than either method currently
 being discussed, purely for its simplicity, if nothing else.

I agree, so basic validation is A Good Thing. However, the most desirable
form of validation would have to be, can I send a legitimate email to that
account and receive acknowledgement that it's working by having the user
click on a validation link.

Much warmth,

Murray
---
Lost in thought...
http://www.planetthoughtful.org




RE: [PHP] Re: email validation (no regex)

2005-09-21 Thread Jim Moseby
 
 btw simply checking for a single '@' with a domain doesn't do 
 it... what if
 the user has '[EMAIL PROTECTED]' or '[EMAIL PROTECTED]'. will your 
 regex accept/deny
 this???

My function will quickly deny those because the DNS lookup for them will
immediately fail. Will your regex deny '[EMAIL PROTECTED]'?  Should
it?

 welcome to the world of email validation

That's your world.  Mine is much simpler.  :o)  Seriously, I think Ben and
Manuel have it right.  A combination approach is probably most effective
(and complex).  I was hoping for a simple solution for the regex challenged.
Of course the old tried and true validation email that requires the user to
validate himself is the most fool-proof method, but that's not an on-the-fly
solution.

JM




RE: [PHP] Re: email validation (no regex)

2005-09-21 Thread Murray @ PlanetThoughtful
  because you should want/need to validate that the address is correct
 prior
  to determining if the email server is up running...
 
  the regex function simply allows you to quickly determine if the address
  is
  valid... doesn't mean that it's going to go to an actual live user...!!
 
  btw simply checking for a single '@' with a domain doesn't do it... what
  if
  the user has '[EMAIL PROTECTED]' or '[EMAIL PROTECTED]'. will your regex
 accept/deny
  this???
 
  welcome to the world of email validation
 
  -bruce
 
  As to that, why not validate the email address by sending an automated
  message to the supplied account, requiring the person to click on a
  validation link? Easy, simple, works better than either method currently
  being discussed, purely for its simplicity, if nothing else.
 
 I agree, so basic validation is A Good Thing. However, the most desirable
 form of validation would have to be, can I send a legitimate email to that
 account and receive acknowledgement that it's working by having the user
 click on a validation link.

After all, for all the regex / interrogation you perform, you still can't be
certain that the user entered an account *they own*. See? Sending a
validation email is *also* A Good Thing!

Much warmth,

Murray
---
Lost in thought...
http://www.planetthoughtful.org




RE: [PHP] email validation (no regex)

2005-09-21 Thread Michael Sims
Jim Moseby wrote:
 There's no requirement for an MX-record, so you'd need to check the
 A-record ($domain) too.

 Excellent answer.  No requirement for MX record?

 [showing my ignorance]
 How does email routing happen if there is no mail exchanger in the
 zonefile for a particular domain?
 [/ignorance]

Most all mail transfer agents will fall back to looking for an A record if an MX
record doesn't exist.  It's good practice to define an MX record but it isn't
required...




RE: [PHP] Re: email validation (no regex)

2005-09-21 Thread Philip Hallstrom

but you could do what you want to do. however, it's going to
be painful if
you want it to match the rfc spec...


Really?  Why does it need to be painful?  I just need to do a 'EHLO', 'Mail
From:' and 'RCPT to:' and 'QUIT'. It's not going to actually send an email.
Seems simple to me.  Maybe there's something else in the spec that I don't
see?


Some mail servers can be configured to not reject the email until the end 
of DATA.  I know you can do this in postfix.


Although if the user is invalid, why you'd wait I don't know, but it is 
possible.


-philip




Re: [PHP] why memory limit is still being complained about?

2005-09-21 Thread Jeffrey Sambells
Not sure about Gallery or Apache 2 but Apache 1 uses different php.ini 
files for cli, cgi and mod_php. It could be that gallery checks using 
the command line version of php which has a different setting for 
memory limit? Seems silly but it's a thought.


Jeff

Jeffrey Sambells
Director of Research and Development

We-Create Inc.
519.897.2552 cell
519.745.7374 office
888.615.7374 toll free
http://www.wecreate.com




RE: [PHP] Re: email validation (no regex)

2005-09-21 Thread Michael Sims
Philip Hallstrom wrote:
 but you could do what you want to do. however, it's going to be
 painful if you want it to match the rfc spec...

 Really?  Why does it need to be painful?  I just need to do a
 'EHLO', 'Mail From:' and 'RCPT to:' and 'QUIT'. It's not going to
 actually send an email. Seems simple to me.  Maybe there's something
 else in the spec that I don't see?

 Some mail servers can be configured to not reject the email until the
 end of DATA.  I know you can do this in postfix.

 Although if the user is invalid, why you'd wait I don't know, but it
 is possible.

Additionally, some mail servers unconditionally accept mail addressed to ANY
username at their domain, whether that user actually exists or not.  This is
very bad practice, because it usually means the accepting MTA is a dumb host
that has to forward all incoming mail to an internal mail server which knows
which accounts exist, and if that server ends up rejecting the message, the
dumb MTA creates a DSN and sends it back to the envelope sender (which is
quite often forged).  This causes the so-called backscatter which results in
innocent people getting bounces for messages they didn't send.  Nevertheless,
lots of mail servers are configured this way, so you cannot simply assume that
an account is real just because you didn't get a 5xx on RCPT TO.




RE: [PHP] Re: email validation (no regex)

2005-09-21 Thread Jim Moseby

 -Original Message-
 From: Jim Moseby [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, September 21, 2005 12:21 PM
 To: php-general@lists.php.net
 Subject: RE: [PHP] Re: email validation (no regex)
 
 
 
  btw simply checking for a single '@' with a domain doesn't do
  it... what if
  the user has '[EMAIL PROTECTED]' or '[EMAIL PROTECTED]'. will your
  regex accept/deny
  this???
 
 My function will quickly deny those because the DNS lookup 
 for them will
 immediately fail. Will your regex deny 
 '[EMAIL PROTECTED]'?  Should
 it?
 
  welcome to the world of email validation
 
 That's your world.  Mine is much simpler.  :o)  Seriously, I 
 think Ben and
 Manuel have it right.  A combination approach is probably 
 most effective
 (and complex).  I was hoping for a simple solution for the 
 regex challenged.
 Of course the old tried and true validation email that 
 requires the user to
 validate himself is the most fool-proof method, but that's not 
 an on-the-fly
 solution.

 
 jim...
 
 these are valid emails... as defined by the rfc..
 
 so your function would be in error..

This is where I think you and I are not connecting.  I don't care if they
are valid according to the RFC.  I want to know if they are likely to be
*WORKING* email addresses.  And so, from that perspective, my function would
not necessarily be in error, but working as designed.

Others have brought up truly valid points with regards to the reliability of
it though.  Different quirks of MTA configuration and function are difficult
to overcome.  I have learned you cannot rely on 'RCPT To:' responding with a
'250' as verification that it is a valid user.  I have learned that a domain
need not have an MX record at all, to receive mail.

Learning is why I'm here, and why I posted this question.  Thank you for
your input.

JM




Re: [PHP] losing session data with cross-site scripting

2005-09-21 Thread Steve Lefevre

Chris Shiflett wrote:


Steve Lefevre wrote:


I have a php site on a production server. The production server doesn't
have the spell libraries, and rather than migrate the site, we setup
spell checking functions on the development site, and shuttled the users
back and forth with specially crafted get links and forms.



This sounds ugly, and you're leaving out some important details. My 
first question is whether the domain name of the development (well, 
not anymore) server is a subdomain of the production server.



No, it's not. They're totally separate machines at different ISPs.




The POST form or GET link on the production site contains the string to
be spellchecked. Once the user is at the development site, the string is
spellcheck, and corrected if necessary. The development site checks the
http referrer to make sure it's not just anybody, and the only thing it
does is spell checking, anyway.



Checking Referer is useless, because everyone knows what you expect it 
to be.



I'm not following you. How would anyone know what it should be? Do you 
know what it should be?




After the spell checking is done, we then create links that bring the 
user back to the development site. On the development site, I have an 
include at the beginning of each page that checks for a session, and 
either takes them to the proper page, or throws an error if they are

not on the login page and have no session.



This sounds confusing, but I think it's because you meant to say 
production instead of development. Did you?



Yes, you are right. Here is the proper paragraph:

After the spell checking is done, we then create links that bring the 
user back to the production site. On the production site, I have an 
include at the beginning of each page that checks for a session, and 
either takes them to the proper page, or throws an error if they are not 
on the login page and have no session.





Most of the time, no problem. When a user is returning from the
production site, their session is still set when they load the page
on the production server, and they get the appropriate page. However,
for a few users, they are somehow losing session data, and they get
the error when they try to return from the development server.



Maybe their session is timing out? You're sending them to a different 
site, after all.


That could be, but it consistently affects only one user on her home 
computer, but not on her work. If the session was timing out, I would 
expect it to affect all users, who probably would report it as 'random' 
-- they may not make the connection between how long it takes them to 
complete the spell checking.




I think we can help more if you offer some details, such as how you're 
handling sessions. It also sounds like you could avoid all of this 
confusion by simply having your production server communicate directly 
with your development server. Using the user as a data transport seems 
very ugly.


(Also, you didn't mention how cross-site scripting fits in.)



I'm handling sessions by having an include at the beginning of each page 
on the production site do the following:


- session_start();
- check for certain session variables
- if the variables exist, display page appropriately,
- else show a blank page.

There is one special page, the login page, where they enter the username 
and password, and if they are correct, that page sets the session 
variables and re-directs the user.


Is the above what you are asking for?

I guess I'm confused about what cross-site scripting is; what I was 
referring to was having a form on a page in the production site actually 
submit the information to a page on the production site. Users aren't 
aware they are traversing sites because this happens within a frame.




Hope that helps.

Chris


Thanks, Chris.




[PHP] Re: Retrieving variable name?

2005-09-21 Thread l0t3k
Jeffrey Sambells [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]
 is it possible to retrieve the name of a variable passed into a function 
 from within the function?

Short Answer : No
Longer Answer : Maybe, if you have knowledge of PHP internals and a 
willingness to write an extension. Even then it may not work.. g

l0t3k 




Re: [PHP] security/sql issues with php

2005-09-21 Thread Jasper Bryant-Greene

bruce wrote:

two questions:

1) css scripting. how can it be prevented?? what are some of the methods
that you guys use?


Before outputting anything user-sourced to the browser, 
htmlspecialchars() it, preferably with the ENT_QUOTES option. If you 
want to allow some HTML, only then parse the string to un-escape certain 
HTML tags.


If you're outputting user-sourced data into an inline script tag, you 
will want to be even more careful; use the type functions to check that 
it is the correct type or force it into the correct type.


Personally, I *never* output user-sourced data into script tags. It 
can always be avoided in my experience.



2) what are some of the actual code methods used in real sites to deal with
URL/Query (GET/POST) parsing?


I'm not going to give you some real code because it will be very 
dependent on your specific needs. Here's some pointers, though:


Check the types if it's a problem for you (using PHP's many type 
functions); otherwise just run them through mysql_real_escape_string (or 
your DBMS's equivalent) before putting them in the database.


Putting an integer into a string field (or vice-versa with non-strict 
DBMSs like MySQL) won't be a problem in terms of security, but could 
confuse you when someone's name is 8752 or their phone number is 0.


You need to weigh up whether the accuracy of your data is important 
enough to throw an error in those situations. If it is then also 
consider doing simple checking to fix common errors without bothering 
the user again.


--
Jasper Bryant-Greene
Freelance web developer
http://jasper.bryant-greene.name/




Re: [PHP] Re: Retrieving variable name?

2005-09-21 Thread Thorsten Suckow-Homberg

Short Answer : No
Longer Answer : Maybe, if you have knowledge of PHP internals and a 
willingness to write an extension. Even then it may not work.. g



Well, PHP5's magic methods __get()/ __set() could be used to resolve the 
variable's name...





RE: [PHP] security/sql issues with php

2005-09-21 Thread bruce
ok...

i'm confused regarding XSS. Cross-Site Scripting appears to be due to 
somehow allowing a user to insert 'html'/data/etc into the URL that you as the 
app are expecting? is this correct? wouldn't this be easy enough to solve in 
most cases, if the app did the proper validation/data checking?

also, i've seen security articles that seem to imply that one could somehow 
insert a redirected web site into a URL for a user to link, which would then 
send the user to a potentially malicious page... here again, wouldn't this 
issue be easy enough to deal with if one did data validation?

-bruce



-Original Message-
From: Jasper Bryant-Greene [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 21, 2005 2:35 PM
To: 'PHP Mailing Lists'
Subject: Re: [PHP] security/sql issues with php


bruce wrote:
 two questions:
 
 1) css scripting. how can it be prevented?? what are some of the methods
 that you guys use?

Before outputting anything user-sourced to the browser, 
htmlspecialchars() it, preferably with the ENT_QUOTES option. If you 
want to allow some HTML, only then parse the string to un-escape certain 
HTML tags.

If you're outputting user-sourced data into an inline script tag, you 
will want to be even more careful; use the type functions to check that 
it is the correct type or force it into the correct type.

Personally, I *never* output user-sourced data into script tags. It 
can always be avoided in my experience.

 2) what are some of the actual code methods used in real sites to deal with
 URL/Query (GET/POST) parsing?

I'm not going to give you some real code because it will be very 
dependent on your specific needs. Here's some pointers, though:

Check the types if it's a problem for you (using PHP's many type 
functions); otherwise just run them through mysql_real_escape_string (or 
your DBMS's equivalent) before putting them in the database.

Putting an integer into a string field (or vice-versa with non-strict 
DBMSs like MySQL) won't be a problem in terms of security, but could 
confuse you when someone's name is 8752 or their phone number is 0.

You need to weigh up whether the accuracy of your data is important 
enough to throw an error in those situations. If it is then also 
consider doing simple checking to fix common errors without bothering 
the user again.

-- 
Jasper Bryant-Greene
Freelance web developer
http://jasper.bryant-greene.name/




Re: [PHP] Retrieving variable name?

2005-09-21 Thread Scott Noyes
 is it possible to retrieve the name of a variable passed into a
 function from within the function?

Sure.  Use debug_backtrace to figure out what line and what file the
caller is in, then read that file, find that line, find the function
call within that line, and read what ever is between the parentheses.

Can't think of why you'd want to do this, though...




RE: [PHP] security/sql issues with php

2005-09-21 Thread bruce
followup...

i just read an article that described how someone could have a url of 
'http://foo.com/' and have the URL in an img in their website. the 
website could be cat.com. the article implied that if a user would select the 
img, the link to the foo.com would be initiated, thereby fooling the user... 

i'm lost. i was under the impression that any interaction between the user and 
foo.com was essentially between the user and 'foo.com'. so that even though 
'cat.com' may have caused the user to hit the link, the communication still 
occurs between the user and 'foo.com', not 'cat.com'

anybody who can clarify this for me...

thanks...

-bruce



ok...

i'm confused regarding XSS. Cross-Site Scripting appears to be due to 
somehow allowing a user to insert 'html'/data/etc into the URL that you as the 
app are expecting? is this correct? wouldn't this be easy enough to solve in 
most cases, if the app did the proper validation/data checking?

also, i've seen security articles that seem to imply that one could somehow 
insert a redirected web site into a URL for a user to link, which would then 
send the user to a potentially malicious page... here again, wouldn't this 
issue be easy enough to deal with if one did data validation?

-bruce



-Original Message-
From: Jasper Bryant-Greene [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 21, 2005 2:35 PM
To: 'PHP Mailing Lists'
Subject: Re: [PHP] security/sql issues with php


bruce wrote:
 two questions:
 
 1) css scripting. how can it be prevented?? what are some of the methods
 that you guys use?

Before outputting anything user-sourced to the browser, 
htmlspecialchars() it, preferably with the ENT_QUOTES option. If you 
want to allow some HTML, only then parse the string to un-escape certain 
HTML tags.

If you're outputting user-sourced data into an inline script tag, you 
will want to be even more careful; use the type functions to check that 
it is the correct type or force it into the correct type.

Personally, I *never* output user-sourced data into script tags. It 
can always be avoided in my experience.

 2) what are some of the actual code methods used in real sites to deal with
 URL/Query (GET/POST) parsing?

I'm not going to give you some real code because it will be very 
dependent on your specific needs. Here's some pointers, though:

Check the types if it's a problem for you (using PHP's many type 
functions); otherwise just run them through mysql_real_escape_string (or 
your DBMS's equivalent) before putting them in the database.

Putting an integer into a string field (or vice-versa with non-strict 
DBMSs like MySQL) won't be a problem in terms of security, but could 
confuse you when someone's name is 8752 or their phone number is 0.

You need to weigh up whether the accuracy of your data is important 
enough to throw an error in those situations. If it is then also 
consider doing simple checking to fix common errors without bothering 
the user again.

-- 
Jasper Bryant-Greene
Freelance web developer
http://jasper.bryant-greene.name/




[PHP] Re: Retrieving variable name?

2005-09-21 Thread Jake Gardner
Maybe something fancy with references?

http://us2.php.net/manual/en/language.references.php

On 9/21/05, Thorsten Suckow-Homberg [EMAIL PROTECTED] wrote:
  Short Answer : No
  Longer Answer : Maybe, if you have knowledge of PHP internals and a
  willingness to write an extension. Even then it may not work.. g


 Well, PHP5's magic methods __get()/ __set() could be used to resolve the
 variable's name...




Re: [PHP] Re: Retrieving variable name?

2005-09-21 Thread Jeffrey Sambells

oh well, thanks for the help.

Jeffrey Sambells
Director of Research and Development

We-Create Inc.
519.897.2552 cell
519.745.7374 office
888.615.7374 toll free
http://www.wecreate.com

On 21-Sep-05, at 6:02 PM, Jake Gardner wrote:


Maybe something fancy with references?

http://us2.php.net/manual/en/language.references.php

On 9/21/05, Thorsten Suckow-Homberg [EMAIL PROTECTED] wrote:

Short Answer : No
Longer Answer : Maybe, if you have knowledge of PHP internals and a
willingness to write an extension. Even then it may not work.. g



Well, PHP5's magic methods __get()/ __set() could be used to resolve 
the

variable's name...




Re: [PHP] losing session data with cross-site scripting

2005-09-21 Thread Chris Shiflett

Steve Lefevre wrote:

No, it's not. They're totally separate machines at different ISPs.


In this case, a user's session is stagnant for the duration of their 
trip to the other server. I'm guessing that users are typically only 
there for a brief moment, but this is something to keep in mind. Is 
there a way that some of your users might spend more time than you 
expect at the development site?



 Checking Referer is useless, because everyone knows what you
 expect it to be.

I'm not following you. How would anyone know what it should be?
Do you know what it should be?


Heh. :-) Sorry about the ambiguity.

What I mean is that people are only likely to know where your 
spell-checking thing is if they use your site. These people, by using 
your site, are going to know what the expected Referer is. Does that 
make more sense?


In order to highlight how useless checking the Referer is, I often point 
out that making the attacker choose between heads and tails offers more 
protection. The attacker is only going to be right about half the time 
instead of all the time.



That could be, but it consistently affects only one user on her
home computer, but not on her work.


That's unfortunate. Your best bet might be to log everything you can - 
all HTTP headers for each request, all session activity, etc. If you 
can't reproduce the problem yourself, it's going to be very hard to 
debug (as I'm sure you've noticed).



I guess I'm confused about what cross-site scripting is


No problem - I thought you might have just left out something. 
Cross-site scripting is something else.


By the way, you might consider using session_set_save_handler() to write 
your own session handling functions (temporarily), so that you can add 
more logging. I've found this to be helpful when debugging extremely 
sophisticated session problems.


Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

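Editor's added example (not code from Chris's message): a file-backed session save handler registered through session_set_save_handler() that writes one log line per open/read/write/destroy/gc call, including the client address and Referer, so a "lost session" report can be lined up against the request log. It assumes PHP 7.4+ and writable paths; the session directory and log file names are placeholders.

```php
<?php
// Added example, not code from the thread: a file-backed session save handler
// that logs every open/read/write/destroy call, so a "lost session" report can
// be matched against the request log. Assumes PHP 7.4+ and writable paths;
// the directory and log file below are placeholders.

class LoggingSessionHandler implements SessionHandlerInterface
{
    private string $dir;
    private string $log;

    public function __construct(string $dir, string $log)
    {
        $this->dir = rtrim($dir, '/');
        $this->log = $log;
    }

    // One line per call: timestamp, operation, session id, client address and
    // Referer, which are the headers Chris suggests capturing while debugging.
    private function logEvent(string $op, string $id, string $extra = ''): void
    {
        $line = sprintf("%s %s id=%s ip=%s referer=%s %s\n",
            date('c'), $op, $id,
            $_SERVER['REMOTE_ADDR'] ?? '-',
            $_SERVER['HTTP_REFERER'] ?? '-',
            $extra);
        file_put_contents($this->log, $line, FILE_APPEND | LOCK_EX);
    }

    // The session id arrives in a client-controlled cookie, so it is tainted
    // input: accept only the characters PHP itself generates before using it
    // in a file name.
    private function path(string $id): string
    {
        if (!preg_match('/^[A-Za-z0-9,-]{1,128}$/', $id)) {
            throw new RuntimeException('invalid session id');
        }
        return $this->dir . '/sess_' . $id;
    }

    public function open(string $savePath, string $sessionName): bool
    {
        $this->logEvent('open', '-');
        return is_dir($this->dir);
    }

    public function close(): bool
    {
        return true;
    }

    public function read(string $id): string
    {
        $file = $this->path($id);
        $data = is_file($file) ? (string) file_get_contents($file) : '';
        $this->logEvent('read', $id, 'bytes=' . strlen($data));
        return $data;
    }

    public function write(string $id, string $data): bool
    {
        $this->logEvent('write', $id, 'bytes=' . strlen($data));
        return file_put_contents($this->path($id), $data, LOCK_EX) !== false;
    }

    public function destroy(string $id): bool
    {
        $this->logEvent('destroy', $id);
        $file = $this->path($id);
        return !is_file($file) || unlink($file);
    }

    public function gc(int $maxLifetime): int
    {
        $removed = 0;
        foreach (glob($this->dir . '/sess_*') ?: [] as $file) {
            if (filemtime($file) + $maxLifetime < time() && unlink($file)) {
                $removed++;
            }
        }
        $this->logEvent('gc', '-', "removed=$removed");
        return $removed;
    }
}

// Register the handler before session_start(); both paths are placeholders.
$handler = new LoggingSessionHandler('/tmp/php_sessions', '/tmp/session_debug.log');
session_set_save_handler($handler, true);
session_start();
```

The handler is meant to be temporary, as Chris says: swap it in while the problem is being chased and remove it afterwards, since the log file records session ids, which are credentials for as long as the sessions are live.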



Re: [PHP] security/sql issues with php

2005-09-21 Thread Chris Shiflett

Jasper Bryant-Greene wrote:
Before outputting anything user-sourced to the browser, 
htmlspecialchars() it, preferably with the ENT_QUOTES option. If you 
want to allow some HTML, only then parse the string to un-escape 
certain HTML tags.


Jasper++


Check the types if it's a problem for you (using PHP's many type
functions);


Checking data types can be very misleading. I've seen many examples 
(even recently in a book) that use is_int() to check to see whether 
something in $_GET or $_POST is an integer. Because everything in $_GET 
and $_POST is a string, this check always fails.


Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/




Re: [PHP] security/sql issues with php

2005-09-21 Thread Chris Shiflett

bruce wrote:

i'm confused regarding XSS. Cross-Site Scripting appears to be
due to somehow allowing a user to insert 'html'/data/etc into the
URL that you as the app are expecting? is this correct?


An XSS vulnerability exists whenever you output tainted data. For 
example, if a user can submit data to your application, and you use this 
data in an echo statement without filtering it (or escaping it, as 
Jasper noted), you have an XSS vulnerability.


Here's an example:

echo $_GET['username'];

Here's another example:

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">


wouldn't this be easy enough to solve in most cases, if the app
did the proper validation/data checking?


Yes, but the more important point is to escape output. If you have data 
that you want to display in HTML without it being interpreted as HTML, 
use something like htmlentities() to escape it.


Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/




Re: [PHP] security/sql issues with php

2005-09-21 Thread Mikey


Checking data types can be very misleading. I've seen many examples 
(even recently in a book) that use is_int() to check to see whether 
something in $_GET or $_POST is an integer. Because everything in 
$_GET and $_POST is a string, this check always fails.


Chris


I have found that adding 0 and then running is_int() usually works.

Mikey




Re: [PHP] security/sql issues with php

2005-09-21 Thread Chris Shiflett

bruce wrote:

i just read an article that described how someone could have a url of
'http://foo.com/' and have the URL in an img in their website.
the website could be cat.com. the article implied that if a user would
select the img, the link to the foo.com would be initiated, thereby
fooling the user... 


i'm lost. i was under the impression that any interaction between the
user and foo.com was essentially between the user and 'foo.com'. so that
even though 'cat.com' may have caused the user to hit the link, the
communication still occurs between the user and 'foo.com', not 'cat.com'


It sounds like you read an article about CSRF, cross-site request 
forgeries. This is a bit difficult to explain, and it's a vulnerability 
that exists in almost every PHP application I've audited.


CSRF describes any attack that causes a victim to send a request of the 
attacker's choosing. In other words, a victim might send a request to 
http://books.example.org/ without knowing it and without actually 
visiting a web page at http://books.example.org/.


Using an img tag is just one type of attack - it's the most common, but 
only because it's the easiest.


I gave a talk recently that was a hands-on demonstration of a handful of 
common attacks, and CSRF was one:


http://brainbulb.com/talks/php-security-by-example.pdf

You can get the code for the exercises here:

http://brainbulb.com/phpworks.tar.gz

The second exercise is devoted to CSRF, and your first task is to 
exploit the vulnerability. I think exploiting vulnerabilities is a 
pretty good way to get a better understanding of them. Unfortunately, 
viewing the slides of a talk is much less helpful than the talk itself, 
but maybe there's enough there for you to understand the attack.


Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

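Editor's added example (not code from Chris's message or from his talk exercises): the standard defence against the CSRF attack described above, and the answer to bruce's later question about telling a form submission from your own site apart from one a third-party page caused. A secret token stored in the session and echoed into every state-changing form is something an `<img>` on another site, or a form posted from another site, cannot supply. It assumes PHP 7.0+ (random_bytes, hash_equals); the action code itself is a placeholder comment.

```php
<?php
// Added example, not code from the thread or Chris's exercises: a per-session
// anti-CSRF token. A forged request (an <img> on another site, a form posted
// from another site) cannot include a value that only this session holds,
// so the check rejects it. Assumes PHP 7.0+ (random_bytes, hash_equals) and
// that the real action code goes where the placeholder comment sits.

session_start();

// Generate the token once per session; later calls return the same value.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to drop into every state-changing form (escaped at output).
function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// Constant-time comparison of the submitted token against the session's.
function csrfTokenIsValid(array $post, array $session): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return is_string($expected) && is_string($given) && $expected !== ''
        && hash_equals($expected, $given);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // State changes are accepted on POST only: an <img src=...> can only
    // make a GET, and a GET handler that changes state is exposed to CSRF
    // no matter what else is checked.
    if (!csrfTokenIsValid($_POST, $_SESSION)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
    // ... perform the state-changing action here (placeholder) ...
    exit('OK');
}
?>
<form action="<?php echo htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8'); ?>" method="POST">
  <?php echo csrfField(); ?>
  <input type="text" name="title">
  <button type="submit">Save</button>
</form>
```

The token only works if the session cookie itself is not sent along with a cross-site request's forged form by a site that can also read the token, which is exactly what an XSS hole on the same origin would allow; so the token complements output escaping rather than replacing it. On PHP 7.3+ the session cookie can additionally be marked `samesite` via session_set_cookie_params() as defence in depth.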



Re: [PHP] security/sql issues with php

2005-09-21 Thread Chris Shiflett

Mikey wrote:

I have found that adding 0 and then running is_int() usually works.


You mean always works. :-) Casting something to an integer and then 
checking to see if it's an integer doesn't tell you anything useful:


<?php

$int = 'this is not an int';
$int += 0;

if (is_int($int))
{
    echo '$int is an integer';
}

?>

You're always going to see $int is an integer on the screen, even when 
$int is clearly not. As I mentioned, ctype_digit() fits the bill nicely:


<?php

if (ctype_digit($int))
{
    echo '$int is an integer';
}

?>

You'll find that this does what you expect.

Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/




RE: [PHP] security/sql issues with php

2005-09-21 Thread bruce
chris..

i'm still confused... w/r to your example, what's wrong with using the 
$_GET['username'] that you present. unless you're saying it should be 
checked/validated before using it.. in which case the app could do something 
like $_GET['username'] = reg_check($_GET['username'])...

is this what you're driving at

if this is the case, then what you're really stating is that every piece of 
data you get from the user/client should be checked/verified/validated... is 
this in essence what you're stating?

thanks

-bruce





RE: [PHP] security/sql issues with php

2005-09-21 Thread bruce
chris..

thanks for the replies... i think i understand what you're stating.. but i'm 
still confused as to why my app/server would allow a GET/POST piece of data 
that would/should be originating from a form on my site to come from a 3rd 
party/external site/app? i would have assumed that there are relatively 
easy/straight-forward methods to resolve this.

are you saying that my assumptions are wrong? i would have thought that it 
would have been simple to only accept 'data' or to restrict 'data' to 
forms/apps that are resident on my server/environment...

comments/thoughts

-bruce






Re: [PHP] security/sql issues with php

2005-09-21 Thread Robert Cummings
On Wed, 2005-09-21 at 19:21, Chris Shiflett wrote:
 Mikey wrote:
  I have found that adding 0 and then running is_int() usually works.
 
 You mean always works. :-) Casting something to an integer and then 
 checking to see if it's an integer doesn't tell you anything useful:
 
 <?php
 
 $int = 'this is not an int';
 $int += 0;
 
 if (is_int($int))
 {
  echo '$int is an integer';
 }
 
 ?>
 
 You're always going to see $int is an integer on the screen, even when 
 $int is clearly not. As I mentioned, ctype_digit() fits the bill nicely:

Not if it's a float.

<?php

$int = '2.333';
$int += 0;

if (is_int($int))
{
echo '$int is an integer';
}
else
{
echo '$int is probably a float :)';
}

?>

Cheers,
Rob.
-- 
..
| InterJinn Application Framework - http://www.interjinn.com |
::
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for   |
| creating re-usable components quickly and easily.  |
`'

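Editor's added example (not code from Chris's or Rob's messages): the "add 0, then is_int()" idiom from Mikey's message, Chris's ctype_digit() check and Rob's float case side by side, written as a function so the three verdicts for one input can be compared, followed by a request-parameter helper that validates the string and returns a real integer or fails closed. The sample inputs are constructed stand-ins for $_GET values; `requireIntParam` is a name chosen for this example.

```php
<?php
// Added example, not code from the thread: what "$x += 0; is_int($x)" really
// reports for request data, beside checks that test the original text.
// The inputs are constructed strings standing in for $_GET values.

function classify(string $raw): array
{
    // Everything in $_GET/$_POST is a string. "+ 0" type-juggles it into an
    // int or a float, so is_int() afterwards describes the juggled value, not
    // the text the client sent. PHP 7 turns a non-numeric string into int 0
    // with a warning; PHP 8 throws a TypeError for a string with no leading
    // digits, and still uses the leading digits of something like '42abc'.
    try {
        $juggled = @($raw + 0);
        $juggledType = is_int($juggled) ? 'int' : 'float';
    } catch (TypeError $e) {
        $juggledType = 'TypeError';
    }

    return [
        'juggled'      => $juggledType,
        // ctype_digit(): true only for a non-empty string made of 0-9, so it
        // rejects a sign and a decimal point and accepts leading zeros.
        // Always pass a string: given an int, it treats it as an ASCII code.
        'ctype_digit'  => ctype_digit($raw),
        // FILTER_VALIDATE_INT: the whole string must be a decimal integer
        // (optional sign, no leading zeros, within PHP_INT range).
        'validate_int' => filter_var($raw, FILTER_VALIDATE_INT) !== false,
    ];
}

// Constructed inputs: Mikey's happy case, Rob's float, Chris's non-integer,
// a leading-digits string, a negative number and a zero-padded one.
$samples = ['42', '2.333', 'this is not an int', '42abc', '-7', '007'];
foreach ($samples as $raw) {
    $r = classify($raw);
    printf("%-20s juggled=%-9s ctype_digit=%-5s validate_int=%s\n",
        var_export($raw, true), $r['juggled'],
        var_export($r['ctype_digit'], true),
        var_export($r['validate_int'], true));
}

// A request-parameter helper built on the same idea: validate the string and
// return a real int, or fail closed. $params would be $_GET or $_POST.
function requireIntParam(array $params, string $key, int $min, int $max): int
{
    $raw = $params[$key] ?? null;
    if (!is_string($raw)) {            // missing, or an array from key[]=1
        throw new InvalidArgumentException("$key: missing");
    }
    $value = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    if ($value === false) {
        throw new InvalidArgumentException("$key: not an integer in [$min, $max]");
    }
    return $value;
}

// Example use with constructed input in place of $_GET.
$id = requireIntParam(['id' => '42'], 'id', 1, PHP_INT_MAX);
```

Running the loop makes the thread's point concrete: for Rob's '2.333' juggling produces a float while both string checks reject it; for '007' ctype_digit() accepts what the filter rejects; for '-7' it is the other way round. Which of the two string checks is right depends on what the parameter means, which is why the helper takes an explicit range rather than a bare "is it an int" test.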



RE: [PHP] security/sql issues with php

2005-09-21 Thread bruce
but now that you're talking about ints/strings/floats, aren't you now
getting into data typing issues... which gets into the correct/appropriate
architecture of your app, variable namespace issues, etc...

-bruce






RE: [PHP] security/sql issues with php

2005-09-21 Thread bruce
followup...

for the short term, i'm going to rip apart a few of the open source web apps
that have received funding, to get a feel for what/how these apps have
decided to handle their security issues...

the assumption/hope is that these guys have put $$$ into doing a serious
security audit on the code that they've created...

thanks

-bruce






RE: [PHP] security/sql issues with php

2005-09-21 Thread Robert Cummings
On Wed, 2005-09-21 at 19:54, bruce wrote:
 but now that you're talking about ints/strings/floats, aren't you now
 getting into data typing issues... which gets into the correct/appropriate
 architecture of your app, variable namespace issues, etc...

Nope, just showing that adding 0 to data retrieved from $_GET does not
necessarily result in an int.

Cheers,
Rob.
-- 
..
| InterJinn Application Framework - http://www.interjinn.com |
::
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for   |
| creating re-usable components quickly and easily.  |
`'




RE: [PHP] security/sql issues with php

2005-09-21 Thread bruce
recognized that...

but in all honesty, if you're going to write an app, and you're going to do
something with the data, it makes sense to me that you 'know'/ensure that
you're dealing with the correct kind of data. as i see it, this allows you
another way (low entropy) to determine that the information you're getting
is correct/valid. it also allows you to know what functions you
should/shouldn't perform on the data...

my $0.02 worth...

thoughts...

-bruce





Re: [PHP] security/sql issues with php

2005-09-21 Thread Jasper Bryant-Greene

bruce wrote:

thanks for the replies... i think i understand what you're stating..
but i'm still confused as to why my app/server would allow a GET/POST
piece of data that would/should be originating from a form on my site
to come from a 3rd party/external site/app? i would have assumed that
there are relatively easy/straight-forward methods to resolve this.


If you're using GET, then the URL in the user's address bar would look 
like this:


http://www.example.com/myscript.php?myvar1=some&myvar2=value

It's painfully easy for even the most novice of users to edit the values 
to say, for example:


http://www.example.com/myscript.php?myvar1=%3Cscript%20type%3D%22text%2Fjavascript%22%3Ealert%28%27hello%27%29%3C%2Fscript%3E&myvar2=value

Which, if you outputted $_GET['myvar1'] without htmlspecialchars() 
escaping, would happily execute a JS script on your page. That's a 
rather benign example (simply pops up a hello box), but it wouldn't be 
difficult to do something worse.


Anyone else could link to your page with that URL and have the script 
executed on your page. You can't stop this, so you have to escape and 
validate the data coming in.


POST is a little more difficult but it is still really easy for a 
slightly more clued-up user to edit the data, or another website to POST 
data from their form to your script.


--
Jasper Bryant-Greene
Freelance web developer
http://jasper.bryant-greene.name/




Re: [PHP] security/sql issues with php

2005-09-21 Thread Jasper Bryant-Greene

Jasper Bryant-Greene wrote:
Anyone else could link to your page with that URL and have the script 
executed on your page. You can't stop this, so you have to escape and 
validate the data coming in.


Sorry to reply to my own message, but to clarify, I meant you can't stop 
others linking to your page with their own choice of GET variables. You 
can stop the script being executed, by using htmlspecialchars().


--
Jasper Bryant-Greene
Freelance web developer
http://jasper.bryant-greene.name/

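Editor's added example (not code from Chris's or Jasper's messages): the two snippets Chris flags as XSS, `echo $_GET['username']` and the PHP_SELF form action, beside versions that escape with htmlspecialchars() and ENT_QUOTES as Jasper recommends. The request values are constructed to match the decoded form of the URL in Jasper's message; the helper name `e()` and the render functions are this example's own.

```php
<?php
// Added example, not code from the thread: the two snippets Chris flags,
// next to escaped versions. The request values are constructed to match the
// URL in Jasper's message; in a real request the client supplies them.

// One escaping helper for HTML text and double-quoted attribute values.
// ENT_QUOTES also converts the single quote; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed input: what the browser decodes Jasper's myvar1 into.
$_GET['myvar1'] = '<script type="text/javascript">alert(\'hello\')</script>';

// PHP_SELF includes the path-info portion of the URL, which the client
// chooses, so it is tainted for the same reason $_GET is (constructed value,
// reusing the same string after the script name).
$_SERVER['PHP_SELF'] = '/myscript.php/' . $_GET['myvar1'];

// Vulnerable: tainted data written straight into HTML, as in the thread.
function renderVulnerable(string $var, string $self): string
{
    return "<p>You sent: $var</p>\n"
         . "<form action=\"$self\" method=\"POST\"></form>\n";
}

// Hardened: same markup, every tainted value passed through e().
// For the action attribute, SCRIPT_NAME (no path info) is the better source;
// it is still escaped because the rule is "escape everything at output".
function renderSafe(string $var, string $scriptName): string
{
    return '<p>You sent: ' . e($var) . "</p>\n"
         . '<form action="' . e($scriptName) . "\" method=\"POST\"></form>\n";
}

echo "--- vulnerable ---\n";
echo renderVulnerable($_GET['myvar1'], $_SERVER['PHP_SELF']);
echo "--- escaped ---\n";
echo renderSafe($_GET['myvar1'], $_SERVER['SCRIPT_NAME'] ?? '/myscript.php');
```

In the escaped rendering the angle brackets and both kinds of quote come out as entities, so the browser shows the text of Jasper's URL instead of running it; the vulnerable rendering shows why the form-action example counts as XSS even though no $_GET value is involved.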



RE: [PHP] security/sql issues with php

2005-09-21 Thread Chris W. Parker
bruce mailto:[EMAIL PROTECTED]
on Wednesday, September 21, 2005 5:10 PM said:

 but in all honesty

thanks for being honest.

 , if you're going to write an app, and you're going
 to do something with the data, it makes sense to me that you
 'know'/ensure that you're dealing with the correct kind of data.

i haven't read anyone even hint at the contrary.

 as i
 see it, this allows you another way (low entropy) to determine that
 the information you're getting is correct/valid. it also allows you
 to know what functions you should/shouldn't perform on the data...

you are correct. that's what data validation does.

 thoughts...

Yes. Your emails/electronic transmissions are very/mostly hard/difficult
to read/understand because of/as a result of all the
alternative/choose-your-own-adventure paths each and every one/all of
your sentences can take...



Chris.




Re: [PHP] security/sql issues with php

2005-09-21 Thread Chris Shiflett

Robert Cummings wrote:

Not if it's a float.


True. :-)

The point remains - checking data type is often misleading.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/




Re: [PHP] security/sql issues with php

2005-09-21 Thread Chris Shiflett

bruce wrote:
 but in all honesty, if you're going to write an app, and you're going
 to do something with the data, it makes sense to me that you
 'know'/ensure that you're dealing with the correct kind of data. as i
 see it, this allows you another way (low entropy) to determine that
 the information you're getting is correct/valid.

Sure, but it's easy to make a mistake. Previously, you made this statement:

 the app could do something like $_GET['username'] =
 reg_check($_GET['username'])

Even if reg_check() does a perfect job of filtering the data (I'm 
guessing it returns FALSE if the data is invalid), this practice 
heightens the risk of making an error, because you can have code like this:


echo $_GET['username'];

Is that an XSS vulnerability? Any security-conscious developer should 
scream at such code, so by placing filtered data back into an array that 
contains only tainted data deteriorates a developer's suspicion of any 
data within $_GET, $_POST, etc.


In other words, I think the sheer volume of XSS vulnerabilities out 
there demonstrates that it's far too easy to mistakenly trust and use 
tainted data.


Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

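Editor's added example (not code from Chris's message): the alternative to writing `reg_check()`'s result back into $_GET. Filtered values go into a separate array so that $_GET and $_POST stay "always tainted" and the rest of the script reads only the filtered array. `reg_check()` is bruce's hypothetical function, implemented here with Chris's guess that it returns FALSE on invalid data; the username rule and the `$clean` name are assumptions for this example.

```php
<?php
// Added example, not code from the thread: filtered values go into a separate
// array so $_GET and $_POST stay "always tainted" and the rest of the script
// reads only $clean. reg_check() is bruce's hypothetical name; the username
// rule and the $clean convention are assumptions for this example.

// Returns the value if it passes the rule, false otherwise (Chris's guess at
// how reg_check() behaves). Whitelist rule: 3-32 letters, digits, underscore.
function reg_check($value)
{
    if (!is_string($value) || !preg_match('/^[A-Za-z0-9_]{3,32}$/', $value)) {
        return false;
    }
    return $value;
}

// Filter every expected parameter into $clean; anything missing or invalid
// simply never appears there, so downstream code cannot use it by accident.
function filterRequest(array $get): array
{
    $clean = [];

    $username = reg_check($get['username'] ?? null);
    if ($username !== false) {
        $clean['username'] = $username;
    }

    // A second parameter with a different rule, to show the pattern scales.
    $page = filter_var($get['page'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 1000]]);
    if ($page !== false) {
        $clean['page'] = $page;
    }

    return $clean;
}

$clean = filterRequest($_GET);

// From here on, $_GET is never read. Filtering decides what is accepted;
// escaping at output is still applied, because even a username that passed
// the whitelist is data being placed into HTML, and the rule of escaping
// everything is easier to audit than "this one is known to be safe".
if (isset($clean['username'])) {
    echo '<p>Hello, ' . htmlspecialchars($clean['username'], ENT_QUOTES, 'UTF-8') . "</p>\n";
} else {
    echo "<p>Hello, guest</p>\n";
}
```

With this layout a line such as `echo $_GET['username'];` is wrong on sight anywhere in the code base, which is the property Chris is after: the reviewer never has to work out whether that particular element was filtered earlier.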



Re: [PHP] security/sql issues with php

2005-09-21 Thread Robert Cummings
On Wed, 2005-09-21 at 20:18, Chris Shiflett wrote:
 Robert Cummings wrote:
  Not if it's a float.
 
 True. :-)
 
 The point remains - checking data type is often misleading.

Yep, I wasn't trying to remove the point, just don't want noobs getting
mixed up on type juggling :)

Cheers,
Rob.
-- 
..
| InterJinn Application Framework - http://www.interjinn.com |
::
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for   |
| creating re-usable components quickly and easily.  |
`'




RE: [PHP] security/sql issues with php

2005-09-21 Thread bruce
i agree with what you're saying...

my primary concern was to make sure that there wasn't/isn't something going
on that i haven't seen... up to now, i'm ok with what you're saying.

however, i still don't have a good answer to my question regarding how easy
(or hard) it is to detect if a query that should have originated with your
app's form is coming from a 3rd party/external site?

am i missing something here?

-bruce






[PHP] colleges/schools that offer php/web development courses

2005-09-21 Thread bruce
hey...

can you guys give the names of any schools/colleges that have formal
programs to teach web development/security applications.

thanks

-bruce
[EMAIL PROTECTED]




[PHP] colleges/schools that offer php/web development courses

2005-09-21 Thread bruce
followup...

surprisingly, google doesn't really list a lot based on my searches...

thanks





RE: [PHP] security/sql issues with php

2005-09-21 Thread bruce
right...

but here again, you're talking about the server app, getting the query, and 
validating the information within the query. since i assume the '%x' chars 
traslate into something other than straight text, i assume that the html 
function you mention strips out these chars, or it returns a true/false if the 
data is valid. is this in essence what you're talking about?

-bruce







[PHP] scanning software...

2005-09-21 Thread bruce
since we've long had software to scan C/C++ code for errors, are there
similar 'open source' software apps for scanning web applications?

more to the point, are there any good 'open source' testing apps for web
sites? not just apps that test the usage load of a site, but apps that can
be used to more or less test an app, putting it through its paces so to
speak... or is the action of testing a website's security/functions pretty
much a manual process?

-bruce
[EMAIL PROTECTED]




Re: [PHP] losing session data with cross-site scripting

2005-09-21 Thread Steve Lefevre

Chris Shiflett wrote:


Steve Lefevre wrote:

In this case, a user's session is stagnant for the duration of their 
trip to the other server. I'm guessing that users are typically only 
there for a brief moment, but this is something to keep in mind. Is 
there a way that some of your users might spend more time than you 
expect at the development site?



That could be, but given how it's just affecting one user on one 
particular machine, I'm thinking it's something on the machine, i.e. 
browser settings, firewall, etc.





 Checking Referer is useless, because everyone knows what you
 expect it to be.

I'm not following you. How would anyone know what it should be?
Do you know what it should be?



Heh. :-) Sorry about the ambiguity.

What I mean is that people are only likely to know where your 
spell-checking thing is if they use your site. These people, by using 
your site, are going to know what the expected Referer is. Does that 
make more sense?


Ok, I get it. I'm not really worried about users hacking into the 
website -- they aren't that computer savvy (trust me), and they just 
want to get their job done and stay *off* the website. I think the 
security is good enough. And like I said all that's on it is spell 
checking anyways.





That could be, but it consistently affects only one user on her
home computer, but not on her work.



That's unfortunate. Your best bet might be to log everything you can - 
all HTTP headers for each request, all session activity, etc. If you 
can't reproduce the problem yourself, it's going to be very hard to 
debug (as I'm sure you've noticed).




That's no joke ;) !



No problem - I thought you might have just left out something. 
Cross-site scripting is something else.


By the way, you might consider using session_set_save_handler() to 
write your own session handling functions (temporarily), so that you 
can add more logging. I've found this to be helpful when debugging 
extremely sophisticated session problems.



This is very helpful as I will be doing advanced logging in the near 
future.


Can you explain what cross-site scripting is, then?




[PHP] Unique ID on 5.0.4 (Windows)

2005-09-21 Thread Chris

Hi,

Pretty soon I'm going to be needing to generate a unique identifier in a 
script. I'm looking into how to go about doing it now.


It has to work on Apache 2 / PHP 5.0.4 (Module) / Windows 2000 Server.

Any suggestions on how I might be able to do it?

I've noticed the uuid PECL package, which looks like it could work for 
me, but I'm not sure it will work on Windows, or where to get it if it did.


I have access to Visual Studio 6, so I think I could compile it if I had 
to. Anyone have experience compiling PECL extensions on Windows?


I'd appreciate any help you could give me.

Thanks,
Chris



