[PHP] Intelligent session_destroy()
I'm writing a bunch of scripts that will all use a common session and am a bit confused about when to manually destroy sessions and/or when php automatically destroys them for me. For example: If a user starts a session, leaves their computer on and goes home for the weekend, when they come back on Monday will their session still exist on the server? Could they pick right up where they left off? Thanks Ken -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: Mail-format...
I was having the same issue with one of my clients just today in fact. We just filtered the email addresses to ensure they're valid. There's a million regexes out there to do this for you.

Cheers
Josh

Gustav Wiberg wrote:

Hi there!

I wonder why I get these kind of mails (look down below in this mail). I receive them sometimes...

...I have a code like this...

    $name = $_POST["frmNamn"];
    $email = $_POST["frmEpost"];
    //Send mail that there is a new member
    //
    mail("[EMAIL PROTECTED]", "Ny medlem - Stammis Internet", "Namn: $name, Epost:$email");

/G
http://www.varupiraten.se/

Namn: [EMAIL PROTECTED]
Content-Type: multipart/mixed; boundary=\===0158601545==\
MIME-Version: 1.0
Subject: c1805938
To: [EMAIL PROTECTED]
bcc: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]

This is a multi-part message in MIME format.
--===0158601545==
Content-Type: text/plain; charset=\us-ascii\
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

aienglpcm
--===0158601545==--
, Epost:[EMAIL PROTECTED]
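The received message above shows a form field that carries line breaks followed by MIME headers (Content-Type, bcc:), which is how an automated submission tests whether a form copies a field into the mail headers. The following is an added example, not code from the thread, that rejects such values before they reach mail(); it assumes PHP 7.1 or later, and the function names and the example.com addresses are hypothetical.

```php
<?php
// Added example, not from the thread. The field names frmNamn/frmEpost come
// from the post; function names and the example.com addresses are assumptions.

/** True if the value contains CR, LF or NUL, any of which can start a new header line. */
function has_header_break(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

/** Accept a single line of display text, or return null if it is unusable. */
function clean_line(string $value, int $max = 100): ?string
{
    if (has_header_break($value)) {
        return null;                       // reject, do not try to "repair" it
    }
    $value = trim(preg_replace('/[\x00-\x1F\x7F]/', '', $value));
    return ($value === '' || strlen($value) > $max) ? null : $value;
}

/** Accept a syntactically valid address on one line, or return null. */
function clean_email(string $value): ?string
{
    if (has_header_break($value)) {
        return null;
    }
    $valid = filter_var(trim($value), FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

/** Build the notification from form data; null means the submission is rejected. */
function build_notification(array $post): ?array
{
    $name  = clean_line((string) ($post['frmNamn'] ?? ''));
    $email = clean_email((string) ($post['frmEpost'] ?? ''));
    if ($name === null || $email === null) {
        return null;
    }
    return [
        'to'      => 'webmaster@example.com',          // fixed, never user-supplied
        'subject' => 'Ny medlem - Stammis Internet',   // fixed, never user-supplied
        'body'    => "Namn: $name, Epost: $email",
        // Headers are built only from constants; user input stays in the body.
        'headers' => "From: noreply@example.com\r\nContent-Type: text/plain; charset=UTF-8",
    ];
}

// Constructed sample submissions: one ordinary, one shaped like the mail in the post.
$samples = [
    ['frmNamn' => 'Anna', 'frmEpost' => 'anna@example.com'],
    ['frmNamn' => "x@example.com\r\nbcc: someone@example.net", 'frmEpost' => 'x@example.com'],
];
foreach ($samples as $post) {
    $msg = build_notification($post);
    if ($msg === null) {
        echo "rejected submission\n";
        continue;
    }
    // mail($msg['to'], $msg['subject'], $msg['body'], $msg['headers']);
    echo "would send: {$msg['body']}\n";
}
```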
Re: [PHP] Intelligent session_destroy()
Ken Tozier wrote:

I'm writing a bunch of scripts that will all use a common session and am a bit confused about when to manually destroy sessions and/or when php automatically destroys them for me. For example: If a user starts a session, leaves their computer on and goes home for the weekend, when they come back on Monday will their session still exist on the server? Could they pick right up where they left off?

don't care and only sets session.gc_maxlifetime, session.gc_divisor and session.gc_probability to correct values. When you call session_start, PHP sometimes runs the garbage collector, which removes old sessions. The probability is calculated as gc_probability/gc_divisor, e.g. 1/100 means there is a 1% chance that the GC process starts on each session_start(). If you set the probability to 100%, GC will run on every session_start(). This is good for testing but not for a production environment (the default value (1%) is enough). A session which was last modified (before PHP 4.2.? the last access time was used) before the current time minus gc_maxlifetime is an old session and will be deleted.

--
Ondrej Ivanic ([EMAIL PROTECTED])
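Because the garbage collector only runs with probability gc_probability/gc_divisor, a session older than gc_maxlifetime can still be on the server and still be accepted on Monday. The following is an added example, not code from the thread, that enforces the idle limit on every request instead of relying on GC; it assumes PHP 7.1 or later, and the `last_activity` key and the 30-minute limit are assumptions.

```php
<?php
// Added example, not from the thread. IDLE_LIMIT and the 'last_activity'
// session key are assumptions chosen for illustration.
const IDLE_LIMIT = 1800; // seconds of inactivity allowed

/**
 * Decide whether the session data is still valid at time $now.
 * Returns [session data to keep, whether the old data had expired].
 */
function enforce_idle_timeout(array $session, int $now, int $limit = IDLE_LIMIT): array
{
    $last    = $session['last_activity'] ?? null;
    $expired = is_int($last) && ($now - $last) > $limit;
    if ($expired) {
        $session = [];                 // discard everything the old session held
    }
    $session['last_activity'] = $now;  // record this request as the latest activity
    return [$session, $expired];
}

// Keep the GC setting consistent with the limit, then apply the check per request.
ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);
session_start();

$result   = enforce_idle_timeout($_SESSION, time());
$_SESSION = $result[0];
if ($result[1]) {
    // The stale session is not resumed: issue a new id and delete the old data.
    session_regenerate_id(true);
}
```

With this check in place the answer to the weekend question no longer depends on whether GC happened to run: the stored data is discarded on the first request after the limit.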
[PHP] Problem with Internet Explorer when downloading / viewing dynamically generated PDF files
Hello list-members

I have written a script which dynamically generates PDF documents (with PDFlib). The link to the PDF file is presented as a static link (thanks btw to Richard Lynch and his previous contributions to this list on the subject force download). It is redirected to the script via a htaccess file. If the name of the PDF document matches a certain pattern, then the script will output the document; if not, a 404 error page will pop up.

Everything works very well with all kinds of browsers, except Microsoft Explorer (tested with Windows Explorer 6 SP1, Internet Explorer 5.2 for Macintosh). And I want to know why. Explorer shows the PDF document as plain text only. Trying to save the linked document to the computer (right click) gives something like The server can not be reached or the document does not exist.

I know that explorer is a real p.i.t.a. when it comes to all kinds of web standards. And my best guess is that this could have to do with headers, or? Google was not my friend this time, I might say.

/frank
Re: [PHP] Problems with headers
Graham Anderson wrote: ?php $quote = \; $xml = ''; $xml .= '?xml version=1.0?'.\n; $xml .= '?quicktime type=application/x-qtskin?'.\n; $xml .= 'skin'.\n; $xml .= 'movie src=' . $quote. ../../fonovisa.mov . $quote. '/'.\n; $xml .= 'contentregion src=' .$quote. ../images/mask.gif . $quote. '/'.\n; $xml .= 'dragregion src=' . $quote. ../images/drag.gif . $quote. '/'.\n; $xml .= '/skin'; header('Content-Type: video/quicktime'); //took out a space header (Content-Length: .strlen($xml)); // added a space echo $xml; ? Wow, that is nasty. There is probably a syntax error in there. Use a heredoc in cases like this. Something like this: $xml = EOB ?xml version=1.0? ?quicktime type=... ... EOB; Much less likely to make mistakes this way since you don't need to escape anything (except $) and you can still use variables in the block of text. -Rasmus -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Problems with headers
On Thursday 22 September 2005 12:10 am, David Robley wrote: Not sure if you can attach files however to make 100% sure I'm attaching a working copy of your script. I did modify it just a bit. However the code that you gave us initially worked flawlessly under CLI PHP. Graham Anderson wrote: I checked that too :( No spaces in the ?php line I am running PHP Version 4.4.0 Out of curiosity, I removed the line: $xml .= '?quicktime type=application/x-qtskin?'.\n; and got the same error message Is this one of those situations for ob_start ? Kind of bizarre to my Newbie mind ?php $quote = \; $xml = ''; $xml .= '?xml version=1.0?'.\n; $xml .= '?quicktime type=application/x-qtskin?'.\n; $xml .= 'skin'.\n; $xml .= 'movie src=' . $quote. ../../fonovisa.mov . $quote. '/'.\n; $xml .= 'contentregion src=' .$quote. ../images/mask.gif . $quote. '/'.\n; $xml .= 'dragregion src=' . $quote. ../images/drag.gif . $quote. '/'.\n; $xml .= '/skin'; header('Content-Type: video/quicktime'); header (Content-Length: .strlen($xml)); echo $xml; ? I am still getting the : bWarning/b: Cannot modify header information - headers already sent by (output started at /home/www/siren/siren/fonovisa/skintest/Library/php/ fonovisa_simple.php:1) in b/home/www/siren/siren/fonovisa/skintest/Library/php/ fonovisa_simple.php/b on line b12/bbr / Actually, I think it might be something quite unexpected. Try commenting out the two calls to header, then run the script and do a 'view source'. My guess is there is a syntax error message being output which will of course cause header to bleat. My second guess is that the syntax error will be caused by line 2 (but won't appear in that line) $quote = \; which may not be doing what you hope it is. The solution for this is left as an exercise for the student :-) Cheers -- David Robley The most expensive component is the one that breaks. a.php Description: application/php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] newbie questionsession and cookie by javascript
Hi! Is there a way I can get the cookie data stored by javascript (client side) in php (server side) and vice versa? Thanks.
Re: [PHP] Retrieving variable name?
Sure. Use debug_backtrace to figure out what line and what file the caller is in, then read that file, find that line, find the function call within that line, and read whatever is between the parentheses. Something like this:

    <?php
    function myTest($input) {
        // Frame 0 of the backtrace describes the call to myTest() itself
        $backtrace = debug_backtrace();
        $file = file($backtrace[0]['file']);
        $linenum = $backtrace[0]['line'];
        $function = $backtrace[0]['function'];
        // file() is zero-indexed, line numbers start at 1
        $line = $file[$linenum-1];
        preg_match("/{$function}\((.*)\);/", $line, $matches);
        echo "This function called with '{$matches[1]}'";
    }
    $a = 5;
    myTest($a);
    ?>
RE: [PHP] Re: email validation (no regex)
J B wrote: On 9/21/05, Michael Sims [EMAIL PROTECTED] wrote: Additionally, some mail servers unconditionally accept mail addressed to ANY username at their domain, whether that user actually exists or not. This is very bad practice, because it usually means the accepting MTA is a dumb host that has to forward all incoming mail to an internal mail server which knows which accounts exist, and if that server ends up rejecting the message, the dumb MTA creates a DSN and sends it back to the envelope sender (which is quite often forged). This causes the so-called backscatter which results in innocent people getting bounces for messages they didn't send. Nevertheless, lots of mail servers are configured this way, so you cannot simply assume that an account is real just because you didn't get a 5xx on RCPT TO. Just as a side note, and I do agree that this behaviour is bad practice in principle, but I imagine they (the MTAs) do this for the same reason that login prompts don't tell you when you enter a bogus username and still prompt for the password and give a generic access denied error...it prevents username fishing. There probably are a few people who accept mail to any address at their domain to foil dictionary attacks, but IMHO the vast majority of servers that are set up this way are due to mail admins who just don't know any better. It's not always easy to set up a border MTA so that it knows about the accounts that exist on an internal machine...it usually involves custom scripting or real-time callouts to the internal server and it takes a relatively knowledgeable admin to implement it (at least that has been my experience). I had someone else email me privately saying that they did the above precisely to foil dictionary attacks, but this person configured his server to simply discard email to nonexistent accounts. 
That has its disadvantages (since it could make legit senders believe their messages are being delivered when they aren't) but at least it doesn't create any backscatter. In the default case, accepting all email unconditionally then later rejecting it is just irresponsible, since it makes you a vector for abuse, and could eventually get you blacklisted if other mail servers get sick of receiving bogus bounces from your domain...

(As a side note, apparently the list software doesn't like the offtopic nature of this sub-thread (I just received a 550 on this message), so this will be my last post on the matter. But since I've gone to the trouble of typing it up let me throw in the words PHP, web, and Apache, so this will make it through. :) )
Re: [PHP] Re: Unique ID on 5.0.4 (Windows)
Jasper Bryant-Greene wrote:
Chris wrote:
David Robley wrote:
Chris wrote:

Pretty soon I'm going to be needing to generate a unique identifier in a script. I'm looking into how to go about doing it now.

Have you looked at uniqid()? http://php.net/uniqid

If two requests generate an ID at the same microsecond then the ID will duplicate, and that will not work for me.

    $unique_id = sha1( uniqid( mt_rand(), true ) );

That unique ID will be based on the current time in microseconds prefixed by a random number generated by the Mersenne Twister. That is *extremely* unlikely to duplicate, even at the same microsecond.

Ok, thanks, That looks like it will work for me. Any particular reason why you used sha1() in there?

Thanks a lot,
Chris
Re: [PHP] Re: Mail-format...
- Original Message - From: joshua may [EMAIL PROTECTED] To: php-general@lists.php.net Sent: Thursday, September 22, 2005 9:50 AM Subject: [PHP] Re: Mail-format... I was having the same issue with one of my clients just today in fact. We just filtered the email addresses to ensure they're valid. There's a million regex's out there to do this for you.. Cheers Josh Gustav Wiberg wrote: Hi there! I wonder why I get get these kind of mails (look down below in this mail) I recieve them sometimes... ...I have a code like this... $name = $_POST[frmNamn]; $email = $_POST[frmEpost]; //Send mail that there is a new member // mail([EMAIL PROTECTED],Ny medlem - Stammis Internet,Namn: $name, Epost:$email); /G http://www.varupiraten.se/ Namn: [EMAIL PROTECTED] Content-Type: multipart/mixed; boundary=\===0158601545==\ MIME-Version: 1.0 Subject: c1805938 To: [EMAIL PROTECTED] bcc: [EMAIL PROTECTED] From: [EMAIL PROTECTED] This is a multi-part message in MIME format. --===0158601545== Content-Type: text/plain; charset=\us-ascii\ MIME-Version: 1.0 Content-Transfer-Encoding: 7bit aienglpcm --===0158601545==-- , Epost:[EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- No virus found in this incoming message. Checked by AVG Anti-Virus. Version: 7.0.344 / Virus Database: 267.11.4/109 - Release Date: 2005-09-21 Hi there! A million? Have you done the count? ;-) *just joking* Thanx! /G http://www.varupiraten.se/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Mail-format...
Gustav Wiberg wrote: - Original Message - From: joshua may [EMAIL PROTECTED] To: php-general@lists.php.net Sent: Thursday, September 22, 2005 9:50 AM Subject: [PHP] Re: Mail-format... I was having the same issue with one of my clients just today in fact. We just filtered the email addresses to ensure they're valid. There's a million regex's out there to do this for you.. Cheers Josh Gustav Wiberg wrote: Hi there! I wonder why I get get these kind of mails (look down below in this mail) I recieve them sometimes... ...I have a code like this... $name = $_POST[frmNamn]; $email = $_POST[frmEpost]; //Send mail that there is a new member // mail([EMAIL PROTECTED],Ny medlem - Stammis Internet,Namn: $name, Epost:$email); /G http://www.varupiraten.se/ Namn: [EMAIL PROTECTED] Content-Type: multipart/mixed; boundary=\===0158601545==\ MIME-Version: 1.0 Subject: c1805938 To: [EMAIL PROTECTED] bcc: [EMAIL PROTECTED] From: [EMAIL PROTECTED] This is a multi-part message in MIME format. --===0158601545== Content-Type: text/plain; charset=\us-ascii\ MIME-Version: 1.0 Content-Transfer-Encoding: 7bit aienglpcm --===0158601545==-- , Epost:[EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- No virus found in this incoming message. Checked by AVG Anti-Virus. Version: 7.0.344 / Virus Database: 267.11.4/109 - Release Date: 2005-09-21 Hi there! A million? Have you done the count? ;-) *just joking* Thanx! /G http://www.varupiraten.se/ No counting, but I'm pretty sure there's more than a million ;p Every php (wanna-be) dev creates a regexp for email-validation at some point (or even more than one). So I'm pretty sure there's *tons* of them (and that means billions, and probably more). Unless you want unique regexps, which brings it down to quite a lot less ;p - tul -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] PHP based MySQL report generators?
Has anyone encountered an open-source PHP-based report generator for MySQL? I haven't been able to find one yet. We have several people in our company that need to create reports from a master database (consisting of several tables). Ideally I'd like a similar functionality that MS Access or Navicat (navicat.com) offer. We don't need a huge number of features, but we do at least need the ability to select the fields deemed necessary, and correlate them into a report. We are currently using Access for this, but would like to move away from Microsoft (including Office). I'm sure it's not out of reach to write this from scratch, but if I don't need to... -- Aaron Gould Programmer/Systems Administrator PARTS CANADA -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Curl problems
Here is my problem. I need to post an XML file to someone else's server. I'm trying to do this with the curl package. Once I post the XML file to the other server one of two things will happen. The server will either take the info in the XML file and forward the user along to some other page or the page will return some errors, if for example there is something wrong with the XML I send.

What I would like to do is post the data to the other server and if everything is OK just allow the user to be forwarded along, otherwise I'd like to catch whatever errors the server spits back.

Setting this up on two of my development boxes seems to work fine. However when I try to send this to the other server (which I have no control over) it doesn't work. It seems like it is having trouble redirecting my request. When I send the request I get a Server Error in '/' Application which looks to be like a generic ASP error (I guess). If I comment out the FOLLOWLOCATION curl_setopt line all I get in response, other than headers, is Object moved message with a link; the link however seems like a relative link because if I click on it, it tries to find the linked page on my server. I'm wondering if something in my request is breaking whatever forwarding goes on internally.

Stripped to the basics this is my script:

    <?php
    $url = "https://somebody.else.com/this/some_script.aspx";
    $postfields = array();
    $postfields['some_xml'] = urlencode($some_xml_ive_generated);
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $postfields);
    $output = curl_exec($ch);
    curl_close($ch);
    print $output;
    ?>

A couple of things:

- I'm pretty new to curl so I could easily be overlooking something.
- The https:// doesn't seem to be the problem.
- Generating a form that submits itself with javascript when loaded seems to work fine.
- The url in my location bar never seems to change even when I post between my two development boxes and my simple response test script works.
- I have no idea what happens nor any control over the other box. I've e-mailed my contact there with no response.
- The other box is running IIS6 with ASP (or at least that is what headers from it claim).
- The https://somebody.else.com/this/some_script.aspx link (the actual one, not the one used here) is definitely correct.
- Am I screwing up the headers or something?
- Is what I'm doing even possible?

Any suggestions for things to try? Or simple things I've overlooked? I've googled around and read a few basic curl tutorials but they haven't helped me sort this out.

-k.
[PHP] Re: newbie questionsession and cookie by javascript
Alex Andrew Mosqueda said the following on 09/22/05 06:28:

Hi! Is there a way I can get the cookie data stored by javascript (client side) in php (server side) and vice versa? Thanks.

It never hurts to check php.net, plenty of useful information there...

    $_COOKIE['cookie name']

http://ca3.php.net/manual/en/features.cookies.php

- Ben
Re: [PHP] Problem with Internet Explorer when downloading / viewing dynamically generated PDF files
I have written a script which dynamically generates PDF documents (with PDFlib). The link to the PDF file is presented as a static link (thanks btw to Richard Lynch and his previous contributions to this list on the subject force download). It is redirected to the script via a htaccess file. If the name of the PDF document matches a certain pattern, than the script will output the document, if not, a 404 error page will pop up. Everything works very well with all kinds of browsers, except Microsoft Explorer (tested with Windows Explorer 6 SP1, Internet Explorer 5.2 for Macintosh). And I want to know why. Explorer shows the PDF document as plain text only. Trying to save the linked document to the computer (right click) gives something like The server can not be reached or the document does not exist. I know that explorer is a real p.i.t.a. when it comes to all kinds of web standards. And my best guess is that this could have to do with headers, or? A long time ago I helped out a buddy who had a problem with dynamically generated PDFs, but only certain ones. I don't remember all of the specifics, but this is what I do remember. What I remember is that it ended up only being a problem on PDF's that were larger than about 1mb -- but only for IE. We finally figured out that IE was beginning the download of the PDF itself, but if it downloaded more than about 1mb, it would pass it off to a helper application to do the rest. The thing was the helper application remade the request. But it wasn't passing along the form parameters used to generate the PDF so he was always getting a blank PDF (blank in the sense of generically empty). My memory is that the PDF was the result of a form POST submission and that changing it to GET fixed it, but he eventually kept the POST submission, generated the PDF, stored it on disk, and redirected to that. I don't know... maybe that helps, maybe it doesn't... 
[PHP] Re: Problem with Internet Explorer when downloading / viewing dynamically generated PDF files
Frank Arensmeier said the following on 09/22/05 03:59:

Explorer shows the PDF document as plain text only. Trying to save the linked document to the computer (right click) gives something like The server can not be reached or the document does not exist. I know that explorer is a real p.i.t.a. when it comes to all kinds of web standards. And my best guess is that this could have to do with headers, or?

I've been down this road... The following works for me. Note that it will cause IE to open the PDF via the acrobat reader plugin; if you want to force IE to download the PDF you'll need to change the header (look at the header page from php.net for info).

    // Dump the PDF to the browser
    $filename = "FileNumber".$_SESSION['fileNumber']."_ReportNumber".$_SESSION['reportNumber'].".pdf";
    $len = strlen($reportPDF);
    if (isset($_SERVER['HTTP_USER_AGENT']) && preg_match("/MSIE/", $_SERVER['HTTP_USER_AGENT'])) {
        // IE Bug in download name workaround
        ini_set('zlib.output_compression', 'Off');
    }
    header("Content-type: application/pdf");
    header("Content-Length: $len");
    header("Content-Disposition: inline; filename=".$filename);
    print $reportPDF;

Let me know if this doesn't solve your problem.

- Ben
Re: [PHP] Problem with Internet Explorer when downloading / viewing dynamically generated PDF files
Philip Hallstrom wrote: We finally figured out that IE was beginning the download of the PDF itself, but if it downloaded more than about 1mb, it would pass it off to a helper application to do the rest. The thing was the helper application remade the request. But it wasn't passing along the form parameters used to generate the PDF so he was always getting a blank PDF (blank in the sense of generically empty). If that is what's happening here, I can offer a solution -- I am using ROS ( www.ros.co.nz/*pdf*/ ) to dynamically generate pdfs, which I first write to the server, and then I have just a regular link available to the user. That solved a lot of issues for me. Steve Lefevre -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Problems with headers
Thanks Rasmus :) that is an incredibly cool tip: EOB Surprised I did not see you at the Digital Rights [hollywood digital] conference in LA early this week. Upside: Free sushi and an ocean view. Downside: Lots of 'agency' types and sales folk when I access a straight movie file with no php, fonovisa.mov, everything looks good when I curl it HTTP/1.1 200 OK Date: Thu, 22 Sep 2005 16:52:45 GMT Server: Apache/1.3.33 (Unix) PHP/4.4.0 FrontPage/5.0.2.2510 Last-Modified: Tue, 20 Sep 2005 17:58:39 GMT ETag: 1b28dcc-e3-43304dcf Accept-Ranges: bytes Content-Length: 227 Content-Type: video/quicktime * Connection #0 left intact * Closing connection #0 ?xml version=1.0? ?quicktime type=application/x-qtskin? skin movie src=../../fonovisa.mov/ contentregion src=../images/mask.gif/ dragregion src=../images/drag.gif/ /skin If I use PHP to generate the same output, I get the error: can not modify the headers. Could the file extension, .php, somehow be preventing the php script from outputting properly ? ?php $xml = EOB ?xml version=1.0? ?quicktime type=application/x-qtskin ? skin movie src=../../fonovisa.mov/ contentregion src=../images/mask.gif/ dragregion src=../images/drag.gif/ /skin EOB; header(Accept-Ranges: bytes); header (Content-Length: .strlen($xml)); header('Content-Type: video/quicktime'); echo $xml; ? 
The above php version gives me the below when I curl it * About to connect() to www.siren.cc:80 * Connected to www.siren.cc (64.182.20.154) port 80 GET /siren/fonovisa/skintest/Library/php/fonovisa_simplev2.php HTTP/1.1 User-Agent: curl/7.10.2 (powerpc-apple-darwin7.0) libcurl/7.10.2 OpenSSL/0.9.7g zlib/1.1.4 Host: www.siren.cc Pragma: no-cache Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */* HTTP/1.1 200 OK Date: Thu, 22 Sep 2005 17:01:17 GMT Server: Apache/1.3.33 (Unix) PHP/4.4.0 FrontPage/5.0.2.2510 X-Powered-By: PHP/4.4.0 Transfer-Encoding: chunked Content-Type: text/html br / bWarning/b: Cannot modify header information - headers already sent by (output started at xxx) in bxxx/b on line b11/bbr / br / bWarning/b: Cannot modify header information - headers already sent by (output started at xx) in bxx/b on line b12/bbr / br / bWarning/b: Cannot modify header information - headers already sent by (output started at xxx) in b//b on line b13/bbr / ?xml version=1.0? ?quicktime type=application/x-qtskin ? skin movie src=../../fonovisa.mov/ contentregion src=../images/mask.gif/ dragregion src=../images/drag.gif/ * Connection #0 left intact * Closing connection #0 /skin know what it could be ? g On Sep 22, 2005, at 5:18 AM, Rasmus Lerdorf wrote: Graham Anderson wrote: ?php $quote = \; $xml = ''; $xml .= '?xml version=1.0?'.\n; $xml .= '?quicktime type=application/x-qtskin?'.\n; $xml .= 'skin'.\n; $xml .= 'movie src=' . $quote. ../../fonovisa.mov . $quote. '/'.\n; $xml .= 'contentregion src=' .$quote. ../images/mask.gif . $quote. '/'.\n; $xml .= 'dragregion src=' . $quote. ../images/drag.gif . $quote. '/'.\n; $xml .= '/skin'; header('Content-Type: video/quicktime'); //took out a space header (Content-Length: .strlen($xml)); // added a space echo $xml; ? Wow, that is nasty. There is probably a syntax error in there. Use a heredoc in cases like this. Something like this: $xml = EOB ?xml version=1.0? ?quicktime type=... ... 
EOB; Much less likely to make mistakes this way since you don't need to escape anything (except $) and you can still use variables in the block of text. -Rasmus
Re: [PHP] Problems with headers
Graham Anderson wrote: Thanks Rasmus :) that is an incredibly cool tip: EOB Surprised I did not see you at the Digital Rights [hollywood digital] conference in LA early this week. Upside: Free sushi and an ocean view. Downside: Lots of 'agency' types and sales folk when I access a straight movie file with no php, fonovisa.mov, everything looks good when I curl it HTTP/1.1 200 OK Date: Thu, 22 Sep 2005 16:52:45 GMT Server: Apache/1.3.33 (Unix) PHP/4.4.0 FrontPage/5.0.2.2510 Last-Modified: Tue, 20 Sep 2005 17:58:39 GMT ETag: 1b28dcc-e3-43304dcf Accept-Ranges: bytes Content-Length: 227 Content-Type: video/quicktime * Connection #0 left intact * Closing connection #0 ?xml version=1.0? ?quicktime type=application/x-qtskin? skin movie src=../../fonovisa.mov/ contentregion src=../images/mask.gif/ dragregion src=../images/drag.gif/ /skin If I use PHP to generate the same output, I get the error: can not modify the headers. Could the file extension, .php, somehow be preventing the php script from outputting properly ? Do this: od -c filename.php And send us the output. If it is really long, put it online somewhere. You have a stray carriage return or some other weird character in there somewhere. -Rasmus -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] basic user/input form questions... more validation!
hi... forgive me!!!

continuing the thread from yesterday regarding filtering. (and thanks to all the msgs)

for simplicity. let's deal with a simple user input form, that's going to place the information in a db.

if the app allows the user to enter the input (call it 'foo') and then submits the form via a POST, where the data is then written to the db, what kind of validation should occur? and where should the validation take place?

for my $0.02 worth, there should be validation of the 'foo' var, to determine if the var is legitimate. there should also be validation/filtering of the var when it's placed in the db_sql command...

my question (and it's basic), what validation should be performed on the 'foo' var, and why? i've seen htmlspecialchars/magic_quotes/etc.. in various articles, but i can't find a definitive answer!!

also, when inserting/updating a db item, what is the 'correct' process for data? should all data that gets inserted into a db be quoted? if it should, what's the 'standard' practice?

pseudo examples of this stuff would be really helpful!

thanks for clarifying some of these issues...

-bruce
[EMAIL PROTECTED]
Re: [PHP] Problems with headers
Ok, I think I figured it out. I had to convert my BBedit text editor file to plain text and then copy/paste that text directly into a new server text file.

So, I guess my $100+ text editor is screwing up the file? Is there some way to prevent this? My text encoding is in UTF-8 because I have been working with non-Latin languages of late... Is there some bullet proof way to prevent this...or some filtering script I should run? These 3 ?'s do not appear in BBedit file when I turn invisibles on... I am working in OS X.

This is the output from my BBedit [my text editor] file on the server, my main text editor. Notice the 3 Question Marks at the beginning.

the script is encoded as utf-8 in BBedit

fonovisa_simplev2.php Description: application/php

Plain Text File output

The plain text version does output properly :) If I od -c the plain text, I do not get the 3 Question Marks at the beginning.

many thanks :)
g

On Sep 22, 2005, at 10:15 AM, Rasmus Lerdorf wrote:

Graham Anderson wrote:

Thanks Rasmus :) that is an incredibly cool tip: EOB

Surprised I did not see you at the Digital Rights [hollywood digital] conference in LA early this week. Upside: Free sushi and an ocean view. Downside: Lots of 'agency' types and sales folk

when I access a straight movie file with no php, fonovisa.mov, everything looks good when I curl it

    HTTP/1.1 200 OK
    Date: Thu, 22 Sep 2005 16:52:45 GMT
    Server: Apache/1.3.33 (Unix) PHP/4.4.0 FrontPage/5.0.2.2510
    Last-Modified: Tue, 20 Sep 2005 17:58:39 GMT
    ETag: 1b28dcc-e3-43304dcf
    Accept-Ranges: bytes
    Content-Length: 227
    Content-Type: video/quicktime
    * Connection #0 left intact
    * Closing connection #0
    ?xml version=1.0? ?quicktime type=application/x-qtskin? skin movie src=../../fonovisa.mov/ contentregion src=../images/mask.gif/ dragregion src=../images/drag.gif/ /skin

If I use PHP
Re: [PHP] Problems with headers
Graham Anderson wrote:

Ok, I think I figured it out. I had to convert my BBedit text editor file to plain text and then copy/paste that text directly into a new server text file. So, I guess my $100+ text editor is screwing up the file? Is there some way to prevent this?

Tell your editor to not send a BOM. If it won't let you configure that, throw it away.

-Rasmus
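For the "filtering script" asked about in this thread, an added example (not code from the thread): a PHP command-line check that finds files starting with the UTF-8 byte order mark (bytes EF BB BF) and strips it, since PHP sends anything that precedes the opening tag as output before header() can run. The function names and the temporary demo files are assumptions made for the example, and it expects PHP 7 or later.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical;
// the demo files are constructed in a temporary directory.

const UTF8_BOM = "\xEF\xBB\xBF";

/** True when the file starts with the UTF-8 byte order mark. */
function has_utf8_bom(string $path): bool
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        throw new RuntimeException("cannot open $path");
    }
    $head = fread($fh, 3);
    fclose($fh);
    return $head === UTF8_BOM;
}

/** Rewrite the file without its leading BOM. Returns true if one was removed. */
function strip_utf8_bom(string $path): bool
{
    $data = file_get_contents($path);
    if ($data === false) {
        throw new RuntimeException("cannot read $path");
    }
    if (strncmp($data, UTF8_BOM, 3) !== 0) {
        return false; // nothing to do
    }
    // Write a sibling temp file and rename it over the original, so an
    // interrupted write cannot leave a truncated script behind.
    $tmp = $path . '.nobom.tmp';
    if (file_put_contents($tmp, (string) substr($data, 3)) === false) {
        throw new RuntimeException("cannot write $tmp");
    }
    chmod($tmp, fileperms($path) & 0777); // keep the original permissions
    if (!rename($tmp, $path)) {
        unlink($tmp);
        throw new RuntimeException("cannot replace $path");
    }
    return true;
}

/** Recursively list files with the given extensions that start with a BOM. */
function find_bom_files(string $dir, array $extensions = ['php', 'inc']): array
{
    $hits = [];
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($walker as $file) {
        if ($file->isFile()
            && in_array(strtolower($file->getExtension()), $extensions, true)
            && has_utf8_bom($file->getPathname())) {
            $hits[] = $file->getPathname();
        }
    }
    sort($hits);
    return $hits;
}

// Demo on constructed files: one saved with a BOM, one without.
$dir = sys_get_temp_dir() . '/bomdemo_' . getmypid();
mkdir($dir);
$script = "<?php header('Content-Type: video/quicktime'); ?>\n";
file_put_contents("$dir/with_bom.php", UTF8_BOM . $script);
file_put_contents("$dir/clean.php", $script);

foreach (find_bom_files($dir) as $path) {
    echo 'BOM found: ', basename($path), "\n";
    strip_utf8_bom($path);
}
echo 'files still carrying a BOM: ', count(find_bom_files($dir)), "\n";

array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

Run against a deployment directory before upload, find_bom_files() alone works as a report-only check.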
Re: [PHP] Re: Mail-format...
- Original Message -
From: M. Sokolewicz [EMAIL PROTECTED]
To: Gustav Wiberg [EMAIL PROTECTED]
Cc: php-general@lists.php.net; joshua may [EMAIL PROTECTED]
Sent: Thursday, September 22, 2005 5:24 PM
Subject: Re: [PHP] Re: Mail-format...

Gustav Wiberg wrote:

- Original Message -
From: joshua may [EMAIL PROTECTED]
To: php-general@lists.php.net
Sent: Thursday, September 22, 2005 9:50 AM
Subject: [PHP] Re: Mail-format...

I was having the same issue with one of my clients just today in fact. We just filtered the email addresses to ensure they're valid. There's a million regex's out there to do this for you..

Cheers
Josh

Gustav Wiberg wrote:

Hi there! I wonder why I get these kind of mails (look down below in this mail). I receive them sometimes...

...I have a code like this...

    $name = $_POST["frmNamn"];
    $email = $_POST["frmEpost"];
    //Send mail that there is a new member
    //
    mail("[EMAIL PROTECTED]", "Ny medlem - Stammis Internet", "Namn: $name, Epost:$email");

/G
http://www.varupiraten.se/

    Namn: [EMAIL PROTECTED]
    Content-Type: multipart/mixed; boundary=\===0158601545==\
    MIME-Version: 1.0
    Subject: c1805938
    To: [EMAIL PROTECTED]
    bcc: [EMAIL PROTECTED]
    From: [EMAIL PROTECTED]

    This is a multi-part message in MIME format.

    --===0158601545==
    Content-Type: text/plain; charset=\us-ascii\
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit

    aienglpcm
    --===0158601545==--
    , Epost:[EMAIL PROTECTED]

Hi there! A million? Have you done the count? ;-) *just joking* Thanx!

/G
http://www.varupiraten.se/

No counting, but I'm pretty sure there's more than a million ;p Every php (wanna-be) dev creates a regexp for email-validation at some point (or even more than one). So I'm pretty sure there's *tons* of them (and that means billions, and probably more). Unless you want unique regexps, which brings it down to quite a lot less ;p

- tul

*lol* Guess it's hard to find a unique solution when there's tons out there.. What search-string should be applied in google? (regexp + mail ?)

/G
http://www.varupiraten.se/
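The filtering suggested in this thread, as an added example (not code from the thread): the captured message shows MIME header lines arriving inside the name field, so the check below rejects any single-line field that contains a line break and validates the address with filter_var() before the values reach mail(). The field names frmNamn and frmEpost come from the quoted handler; the function names, the recipient and the sample submissions are constructed, and PHP 7 or later is assumed.

```php
<?php
// Added example, not code from the thread. frmNamn and frmEpost are the field
// names from the quoted handler; everything else here is hypothetical.

/** True if a value meant to be one line contains CR or LF, raw or still percent-encoded. */
function has_line_break(string $value): bool
{
    return preg_match('/[\r\n]|%0[ad]/i', $value) === 1;
}

/** Validate the two signup fields; returns ok flag, per-field errors and clean values. */
function validate_signup(array $post): array
{
    $errors = [];
    $clean  = [];
    foreach (['frmNamn' => 100, 'frmEpost' => 254] as $field => $maxLen) {
        $raw = $post[$field] ?? null;
        if (!is_string($raw) || trim($raw) === '') {
            $errors[$field] = 'missing';
        } elseif (has_line_break($raw)) {
            // Checked on the raw value, before any trimming.
            $errors[$field] = 'line break in a single-line field';
        } elseif (strlen($raw) > $maxLen) {
            $errors[$field] = 'too long';
        } else {
            $clean[$field] = trim($raw);
        }
    }
    if (isset($clean['frmEpost'])
        && filter_var($clean['frmEpost'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['frmEpost'] = 'not a valid address';
        unset($clean['frmEpost']);
    }
    return ['ok' => $errors === [], 'errors' => $errors, 'clean' => $clean];
}

/** Build the notification from validated values only. */
function build_notification(array $clean): array
{
    return [
        'to'      => 'owner@example.com', // placeholder recipient
        'subject' => 'Ny medlem - Stammis Internet',
        'body'    => "Namn: {$clean['frmNamn']}, Epost: {$clean['frmEpost']}",
    ];
}

// Constructed submissions; the second is modelled on the captured mail above.
$submissions = [
    'ordinary signup' => [
        'frmNamn'  => 'Anna Svensson',
        'frmEpost' => 'anna@example.com',
    ],
    'header lines in the name field' => [
        'frmNamn'  => "probe@example.com\r\nContent-Type: multipart/mixed\r\n"
                    . "Subject: c1805938\r\nbcc: someone@example.net",
        'frmEpost' => 'probe@example.com',
    ],
    'two addresses in one field' => [
        'frmNamn'  => 'Bo',
        'frmEpost' => 'bo@example.com, other@example.net',
    ],
];

foreach ($submissions as $label => $post) {
    $result = validate_signup($post);
    if ($result['ok']) {
        $mail = build_notification($result['clean']);
        echo "$label: accepted -> {$mail['body']}\n";
        // mail($mail['to'], $mail['subject'], $mail['body']);
    } else {
        echo "$label: rejected ", json_encode($result['errors']), "\n";
    }
}
```

In the quoted handler the submitted values land in the message body; the line-break check matters most once a submitted value is placed in the subject or in the additional headers argument of mail().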
[PHP] Max execution time while doing DB queries
Hi, I was wondering how i can limit a script from waiting too long for a database query to return. The problem is that it will wait an infinite time while performing a query on a database when there is for example a lock on a table. I want it to exit/fail when a set amount of time has passed.

set_time_limit() will not work because it does not have any effect on input. Am i overlooking a function?

-- Jeroen
Re: [PHP] Problems with headers
Set BBEdit to use Mac OS Roman. From the main window, choose the file icon (5th from left).

Graham Anderson wrote:

Ok, I think I figured it out. I had to convert my BBedit text editor file to plain text and then copy/paste that text directly into a new server text file. So, I guess my $100+ text editor is screwing up the file? Is there some way to prevent this?
Re: [PHP] basic user/input form questions... more validation!
- Original Message -
From: bruce [EMAIL PROTECTED]
To: php-general@lists.php.net
Sent: Thursday, September 22, 2005 8:05 PM
Subject: [PHP] basic user/input form questions... more validation!

hi... forgive me!!!

Ok; -) Why? You're just asking... :-)

continuing the thread from yesterday regarding filtering. (and thanks to all the msgs) for simplicity. let's deal with a simple user input form, that's going to place the information in a db. if the app allows the user to enter the input (call it 'foo') and then submits the form via a POST, where the data is then written to the db, what kind of validation should occur? and where should the validation take place?

What kind of validation depends on your application. If the foo variable must be an integer, then you'll have to check if foo is numeric with is_numeric(). If foo is a string and the length matters, then you would have to validate so the length isn't more than expected with strlen()-function. But in all cases you'll have to check if the foo-variable is set with isset.

for my $0.02 worth, there should be validation of the 'foo' var, to determine if the var is legitimate. there should also be validation/filtering of the var when it's placed in the db_sql command... my question (and it's basic), what validation should be performed on the 'foo' var, and why? i've seen htmlspecialchars/magic_quotes/etc.. in various articles, but i can't find a definitive answer!!

You'll have to quote only the variables inside a sql-string. You must use mysql_real_escape_string for creating a safe db-string.. Example:

    $sql = "SELECT ID from Table WHERE Foo=" . safeQuote($foo);

and the function safeQuote is like this...

    function safeQuote($value) {
        // Stripslashes: undo magic_quotes_gpc so the value is not escaped twice
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        // Quote if not integer
        if (!is_numeric($value)) {
            $value = "'" . mysql_real_escape_string($value) . "'";
        }
        // Hand the quoted value back to the caller
        return $value;
    }

I hope this helps a little...

/G
http://www.varupiraten.se/

also, when inserting/updating a db item, what is the 'correct' process for data? should all data that gets inserted into a db be quoted? if it should, what's the 'standard' practice? pseudo examples of this stuff would be really helpful! thanks for clarifying some of these issues...

-bruce [EMAIL PROTECTED]
Re: [PHP] Problems with headers
thanks guys :) encoding in utf-8 NO BOM seems to do the trick

g

On Sep 22, 2005, at 11:05 AM, Jim Jagielski wrote:

Set BBEdit to use Mac OS Roman. From the main window, choose the file icon (5th from left).
RE: [PHP] Max execution time while doing DB queries
Jeroen Geusebroek wrote:

I was wondering how i can limit a script from waiting too long for a database query to return. The problem is that it will wait an infinite time while performing a query on a database when there is for example a lock on a table. I want it to exit/fail when a set amount of time has passed.

What RDBMS are you using? If you are using Postgres you can use pg_send_query() which is non-blocking. I don't think the other database backends/php drivers support such functionality, but I could be wrong... Maybe someone else knows of another way to accomplish this with the other backends...
RE: [PHP] basic user/input form questions... more validation!
bruce mailto:[EMAIL PROTECTED] on Thursday, September 22, 2005 11:05 AM said:

if the app allows the user to enter the input (call it 'foo') and then submits the form via a POST, where the data is then written to the db, what kind of validation should occur?

Depends on what kind of a form field 'foo' is. Is it a name? A zip code? A phone number?

If it's a zip code you can do a simple regex \d{5}(-\d{4})? to make sure it follows the correct (US) format. If it passes the test you know it's safe to be put into the database. This kind of data does not need to be escaped.

On the other hand if it's a name you'll first want to make sure it's the correct length and contains only the characters you want it to. If the data passes all the tests you'll definitely want to escape the string before you insert it into the db because some names might have an apostrophe in them which will cause an error during insertion. No need to run htmlspecialchars() in this case since a name that has < or > (or similar characters) should fail the test anyway.

and where should the validation take place?

Validation should take place before the value is used.

    <?php
    // include files
    // instantiate any objects if necessary
    // define default values for page specific variables if necessary
    // validate incoming data
    // deal with invalid data by displaying error messages or redirecting
    // to another page
    // if data is all clean continue processing like normal
    ?>

for my $0.02 worth, there should be validation of the 'foo' var, to determine if the var is legitimate. there should also be validation/filtering of the var when it's placed in the db_sql command...

No need to validate data twice. As stated above, validation should happen before the data is used at all and I would do the escaping just before the data is inserted into the db.

my question (and it's basic), what validation should be performed on the 'foo' var, and why? i've seen htmlspecialchars/magic_quotes/etc.. in various articles, but i can't find a definitive answer!!

See above.

also, when inserting/updating a db item, what is the 'correct' process for data? should all data that gets inserted into a db be quoted? if it should, what's the 'standard' practice?

Again, if the data requires escaping, escape it. If not, there's no need. If the data falls outside the realm of a-zA-Z0-9 it has a high potential for escaping.

pseudo examples of this stuff would be really helpful! thanks for clarifying some of these issues...

hth,
Chris.
[PHP] FTP
Hi all! I took this code directly from PHP.net but I don't get it to work correctly...I've never worked with ftp-connections with PHP before...

    <?php
    $ftp_server = "ftp.example.com";
    $ftp_user = "foo";
    $ftp_pass = "bar";

    // set up a connection or die
    $conn_id = ftp_connect($ftp_server) or die("Couldn't connect to $ftp_server");

    // try to login
    if (@ftp_login($conn_id, $ftp_user, $ftp_pass)) {
        echo "Connected as [EMAIL PROTECTED]";
    } else {
        echo "Couldn't connect as $ftp_user\n";
    }

    // close the connection
    ftp_close($conn_id);
    ?>

It seems to work fine when I'm trying on my test machine (Windows XP + Apache), but when I put the file on the webserver at my webhost (b-one), then I just get a blank page and showing source-code like this:

    !DOCTYPE HTML PUBLIC -//W3C//DTD HTML 4.0 Transitional//EN HTMLHEAD META http-equiv=Content-Type content=text/html; charset=windows-1252/HEAD BODY/BODY/HTML

What could be the problem?

/G
http://www.varupiraten.se/
RE: [PHP] basic user/input form questions... more validation!
here's pseudo of what i envision

now, in my pseudo code, i don't use the stripslashes/quotes/etc... so, i'm still trying to understand why these functions are needed/required?

thoughts/comments/etc

thanks

-bruce

    -- index.php
    if isset($REQUEST['submit']) {
      if (isset($_REQUEST['foo']) {
        get the 'foo' var
        $foo = $_REQUEST['foo']
        validate the foo var...
        $valid_chars = preg_match('valid char vars', $foo)
        $len = str_len($foo) max_str_len
        if(valid_chars len) {
          we have a valid 'foo' var!!! go ahead and add to the db...
        } else {
          'foo' is invalid, set err msg and return to login
        }
      } else {
        gen err and redirect to login page
      }
    } else {
      form php_self post input name=foo submit /form
    }

    function add_to_db($var) {
      assume that 'var' is valid, but it hasn't been quoted..
      $test_sql = insert into TestTBL name values (%s);
      $test_sql = sprintf($test_sql, $var);
      mysql_query($test_sql);
    }

-Original Message-
From: Gustav Wiberg [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 22, 2005 11:14 AM
To: [EMAIL PROTECTED]; php-general@lists.php.net
Subject: Re: [PHP] basic user/input form questions... more validation!
RE: [PHP] basic user/input form questions... more validation!
hey chris...

so you're saying that if data is outside of a-zA-Z0-9 ' then it should probably fail the regex anyway.. and it should error out..

if i understand you, you're also saying that if the information has an ' in it, then it should be escaped, but you didn't say how.!

also, what's the function of the 'addslashes', and when is it used?!

-bruce

-Original Message-
From: Chris W. Parker [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 22, 2005 11:38 AM
To: php-general@lists.php.net
Subject: RE: [PHP] basic user/input form questions... more validation!
Re: [PHP] FTP
Gustav Wiberg wrote:

What could be the problem?

Is your web host running something other than Windows? Does it have the ftp functions enabled? Make a phpinfo page, and access that in your browser to see if the ftp functions are enabled.

You are more than likely not seeing the error on your host because they have error reporting turned off. You can use ini_set to switch this if you want.

-- John C. Nichel ÜberGeek KegWorks.com 716.856.9675 [EMAIL PROTECTED]
Re: [PHP] FTP
- Original Message -
From: John Nichel [EMAIL PROTECTED]
To: PHP Mailing Lists php-general@lists.php.net
Sent: Thursday, September 22, 2005 8:53 PM
Subject: Re: [PHP] FTP

Is your web host running something other than Windows? Does it have the ftp functions enabled? Make a phpinfo page, and access that in your browser to see if the ftp functions are enabled.

You are more than likely not seeing the error on your host because they have error reporting turned off. You can use ini_set to switch this if you want.

-- John C. Nichel ÜberGeek KegWorks.com 716.856.9675 [EMAIL PROTECTED]

Hi again! Yes, you're right... I get this error now...

    Fatal error: Call to undefined function: ftp_connect() in /customers/varupiraten.se/varupiraten.se/httpd.www/web/do_ftp.php on line 8

Isn't it enough to ftp to be a registered stream? Here is the info of PHP... http://www.varupiraten.se/web/phpinfo.php

/G
http://www.varupiraten.se/
Re: [PHP] Max execution time while doing DB queries
On 9/22/05, Michael Sims [EMAIL PROTECTED] wrote:

What RDBMS are you using? If you are using Postgres you can use pg_send_query() which is non-blocking. I don't think the other database backends/php drivers support such functionality, but I could be wrong... Maybe someone else knows of another way to accomplish this with the other backends...

For this application i'm using a MSSQL database. There is an ini setting (mssql.timeout) which should do what i want but afaik doesn't work. It defaults to 60 which i assume are seconds. My app has had times that it was waiting way longer than that before it died without any error message. (6 hours and more).

-- Jeroen
Re: [PHP] FTP
Gustav Wiberg wrote:

Hi again! Yes, you're right... I get this error now...

    Fatal error: Call to undefined function: ftp_connect() in /customers/varupiraten.se/varupiraten.se/httpd.www/web/do_ftp.php on line 8

Isn't it enough to ftp to be a registered stream? Here is the info of PHP... http://www.varupiraten.se/web/phpinfo.php

I don't think so. According to the manual, it has to be configured/compiled in.

-- John C. Nichel ÜberGeek KegWorks.com 716.856.9675 [EMAIL PROTECTED]
Re: [PHP] FTP
- Original Message -
From: John Nichel [EMAIL PROTECTED]
To: PHP Mailing Lists php-general@lists.php.net
Sent: Thursday, September 22, 2005 9:08 PM
Subject: Re: [PHP] FTP

I don't think so. According to the manual, it has to be configured/compiled in.

-- John C. Nichel ÜberGeek KegWorks.com 716.856.9675 [EMAIL PROTECTED]

Hi

I thought that was the answer... *sigh* Thanx! :-)

/G
http://www.varupiraten.se/
RE: [PHP] basic user/input form questions... more validation!
bruce mailto:[EMAIL PROTECTED] on Thursday, September 22, 2005 11:58 AM said:

hey chris...

Hi.

so you're saying that if data is outside of a-zA-Z0-9 ' then it should probably fail the regex anyway.. and it should error out..

(Where did that apostrophe come from? That wasn't in my list on purpose.)

Yes and no. It all depends on what kind of data you're expecting. Here are some quick assumptions. (Assuming US style data.)

A zip code should only contain: 0-9 -
A zip code does not need to be escaped because it doesn't have any special db characters in it like the apostrophe.

A name should only contain: a-z A-Z 0-9 - '
A name should be escaped because it might possibly have an apostrophe in it.

A phone number should only contain: 0-9 ( ) - .
A phone number does not need to be escaped because it doesn't have any special db characters in it like the apostrophe.

A paragraph (or rather, very general input) on the other hand is more complicated because it's very application specific. If your paragraph could possibly have some HTML in it and still be valid then of course you would not be using simply a-z A-Z 0-9 for validation. But at the same time you would definitely want to escape the string.

if i understand you, you're also saying that if the information has an ' in it, then it should be escaped, but you didn't say how.!

Yes that's correct. Google is your friend. But in any case you can do mysql_escape_string(). (Note: You don't have to deslash your data on the way out, it only happens on the way in.)

also, what's the function of the 'addslashes', and when is it used?!

I don't use addslashes() much. A good place to start reading would be www.php.net/addslahes

hth,
Chris.
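The validate-then-escape order discussed in this thread, as an added example (not code from the thread): whitelist checks built from the character sets listed above, followed by an insert where the quoting is done by a PDO prepared statement, a swapped-in technique used here in place of mysql_escape_string(). The table, function names and sample submissions are constructed; an in-memory SQLite database (pdo_sqlite extension) and PHP 7.1 or later are assumed.

```php
<?php
// Added example, not code from the thread. Table, function names and sample
// submissions are constructed; requires the pdo_sqlite extension.

// Whitelists follow the character sets listed in the message above; the space
// allowed in names and phone numbers is an addition made for this example.
// \A and \z anchor the whole value; with "$" a trailing newline would still match.
const FIELD_RULES = [
    'zip'   => ['pattern' => '/\A\d{5}(-\d{4})?\z/',   'max' => 10],
    'name'  => ['pattern' => '/\A[a-zA-Z0-9\' -]+\z/', 'max' => 60],
    'phone' => ['pattern' => '/\A[0-9(). -]+\z/',      'max' => 20],
];

/** Step 1: validate before the value is used. Returns [clean values, errors]. */
function validate_fields(array $input): array
{
    $clean  = [];
    $errors = [];
    foreach (FIELD_RULES as $field => $rule) {
        $value = $input[$field] ?? null;
        if (!is_string($value) || $value === '') {
            $errors[$field] = 'missing';
        } elseif (strlen($value) > $rule['max']) {
            $errors[$field] = 'too long';
        } elseif (preg_match($rule['pattern'], $value) !== 1) {
            $errors[$field] = 'unexpected characters or format';
        } else {
            $clean[$field] = $value;
        }
    }
    return [$clean, $errors];
}

/** Step 2: quote at the moment of insertion; bound parameters never become SQL text. */
function save_contact(PDO $db, array $clean): int
{
    $stmt = $db->prepare(
        'INSERT INTO contacts (name, zip, phone) VALUES (:name, :zip, :phone)'
    );
    $stmt->execute([
        ':name'  => $clean['name'],
        ':zip'   => $clean['zip'],
        ':phone' => $clean['phone'],
    ]);
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, zip TEXT, phone TEXT)');

// Constructed submissions.
$submissions = [
    ['name' => "Pat O'Brien",      'zip' => '14202-1234', 'phone' => '(716) 555-0100'],
    ['name' => 'Pat <b>Smith</b>', 'zip' => '14202',      'phone' => '555-0100'],
    ['name' => 'Lee',              'zip' => "14202\n",    'phone' => '555.0100'],
];

foreach ($submissions as $i => $input) {
    [$clean, $errors] = validate_fields($input);
    if ($errors !== []) {
        echo "submission $i rejected: ", json_encode($errors), "\n";
        continue;
    }
    echo "submission $i stored as row ", save_contact($db, $clean), "\n";
}

// A name that passed validation still needs quoting: pasted into the SQL
// text as-is, its apostrophe ends the string literal early and the insert fails.
try {
    $db->exec("INSERT INTO contacts (name) VALUES ('" . $submissions[0]['name'] . "')");
} catch (PDOException $e) {
    echo 'unquoted insert failed: ', $e->getMessage(), "\n";
}

foreach ($db->query('SELECT id, name, zip, phone FROM contacts') as $row) {
    echo "{$row['id']}: {$row['name']} / {$row['zip']} / {$row['phone']}\n";
}
```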
RE: [PHP] Max execution time while doing DB queries
Jeroen Geusebroek wrote: For this application i'm using a MSSQL database. There is an ini setting (mssql.timeout) which should do what i want but afaik doesn't work. It defaults to 60 which i assume are seconds. My app has had times that it was waiting way longer than that before it died without any error message. (6 hours and more).

What platform/driver? If Linux, are you using FreeTDS and if so what version? It looks like the timeout is handled in the TDS library, not at the PHP level. I did some poking through the FreeTDS mailing list archives and it seems that PHP calls dbsettime() which was unimplemented in FreeTDS in earlier versions, so you may need a bleeding edge version of FreeTDS to use it. If you are using FreeTDS you may want to ask for help on their mailing list. If you're using Windows with the SQL Client Tools DLL then I'm not sure why the queries aren't timing out...
Re: [PHP] Max execution time while doing DB queries
On 9/22/05, Michael Sims [EMAIL PROTECTED] wrote: What platform/driver? If Linux, are you using FreeTDS and if so what version? It looks like the timeout is handled in the TDS library, not at the PHP level. I did some poking through the FreeTDS mailing list archives and it seems that PHP calls dbsettime() which was unimplemented in FreeTDS in earlier versions, so you may need a bleeding edge version of FreeTDS to use it. If you are using FreeTDS you may want to ask for help on their mailing list. If you're using Windows with the SQL Client Tools DLL then I'm not sure why the queries aren't timing out...

I'm using PHP 5.03 (cli) on linux with freetds-0.63. Just before your last email i checked the freetds.conf and i found a timeout option. But unfortunately that didn't help either. It's quite easy to reproduce. Just create an idiotic long query and see what happens ;) I have the limit now at 10 (which i presume are seconds) But thanks for the tip, i'll have a look at the bleeding edge versions of freetds. Thanks! -- Jeroen
[PHP] File complete check (FTP)
Hello, i want to check if a file (jpg image) is completely uploaded on a server. I've checked for the last two bytes (ffd9), but this method is not safe. Anybody know how it works?? -- Kind regards, Johannes Tyra | BrainData - InterNet Services | Tel: +49.209.8181788 | Fax: +49.209.8181789 | www.BrainData.de | mailto:[EMAIL PROTECTED]
[PHP] IIS E-Mail
Okie dokie, I am losing it I am sure...but that's not important now. I finally configured the IIS Virtual SMTP server as my MTA. No errors are being thrown, but no mail is being sent either. Well, it may be being sent, but it is not arriving at its destination. Can someone clue me into some things to check with the IIS Virtual SMTP Server as MTA for PHP? Any help would be greatly appreciated. Thanks! P.S. I miss *nix
Re: [PHP] Max execution time while doing DB queries
On 9/22/05, Michael Sims [EMAIL PROTECTED] wrote: http://lists.ibiblio.org/pipermail/freetds/2005q3/018774.html

According to that it's in 0.64. I'll give it a go tomorrow. Looks hopeful! Will let you know. -- Jeroen
RE: [PHP] IIS E-Mail
[snip] Okie dokie, I am losing it I am sure...but that's not important now. I finally configured the IIS Virtual SMTP server as my MTA. No errors are being thrown, but no mail is being sent either. Well, it may be being sent, but it is not arriving at its destination. Can someone clue me into some things to check with the IIS Virtual SMTP Server as MTA for PHP? Any help would be greatly appreciated. [/snip]

Furthermore, I just found the e-mail messages sitting in the Queue for IIS c:\Inetpub\mailroot\Queue
[PHP] Opensource webshop
Hi there! I'm just beginning to test if there is some interest in an opensource-webshop... The admin-part is not opensource.. Interested? http://www.varupiraten.se/doc.php /G -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Unique ID on 5.0.4 (Windows)
Chris wrote: Jasper Bryant-Greene wrote: $unique_id = sha1( uniqid( mt_rand(), true ) ); That unique ID will be based on the current time in microseconds prefixed by a random number generated by the Mersenne Twister. That is *extremely* unlikely to duplicate, even at the same microsecond. Ok, thanks, That looks like it will work for me. Any particular reason why you used sha1() in there? Because if you take a look at the output of uniqid( mt_rand(), true ) you will see that it changes in length each time it is run, whereas after running through sha1() it is always 40 characters I just find that the output of sha1() looks tidier anyway. -- Jasper Bryant-Greene Freelance web developer http://jasper.bryant-greene.name/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Opensource webshop
Gustav Wiberg mailto:[EMAIL PROTECTED] on Thursday, September 22, 2005 1:21 PM said: Hi there! Hi. I'm just beginning to test if there is some interest in an opensource-webshop... Do you mean a shopping cart? The admin-part is not opensource.. Hmm... why not? And do I have to pay for it? Is it web based? If so, is it encoded or something? Interested? http://www.varupiraten.se/doc.php The site doesn't seem to work. It's just not loading. Chris. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: Opensource webshop
I'm just beginning to test if there is some interest in an opensource-webshop... The admin-part is not opensource..

Surely if the admin isn't opensource then it's not an opensource solution? You can't run a store without the admin part ;-) Regards Mark
Re: [PHP] Opensource webshop
On 9/22/05, Gustav Wiberg [EMAIL PROTECTED] wrote: I'm just beginning to test if there is some interest in an opensource-webshop... The admin-part is not opensource.. Interested? http://www.varupiraten.se/doc.php There are probably dozens of free open source PHP carts already out there. Not to mention the ones written in Perl. -- Greg Donald Zend Certified Engineer MySQL Core Certification http://destiney.com/
Re: [PHP] Problem with Internet Explorer when downloading / viewing dynamically generated PDF files
These were all good suggestions, unfortunately none of them was able to solve my problem. I did a rather simple test to eliminate at least some of the possible causes. I changed the script in order to do three simple things: send a Content-type header, read an existing PDF document into a string, output the content and exit. This is working in Safari, Firefox and many other browsers. Explorer (both Mac and Windows) says 'no'! 'The file could not be found' Could it be that Explorer in some way don't accept redirects? But redirects are made on the webserver, right? I tried to figure out if some header information was send during the redirection. But echoing apache_request_headers and apache_response_headers gave no result. So, the question remains: what is causing Microsoft Explorer to fail on the download? Maybe the idea with static links isn't so good after all. I mean, if I do the same thing with a usual GET request, even Explorer won't make any trouble. But on the other hand, the PDF-generating-thing is supposed to be on an other server than the webserver. And I don't like to expose this server to the Internet. Any ideas are still welcome! /frank 2005-09-22 kl. 18.55 skrev Steve Lefevre: Philip Hallstrom wrote: We finally figured out that IE was beginning the download of the PDF itself, but if it downloaded more than about 1mb, it would pass it off to a helper application to do the rest. The thing was the helper application remade the request. But it wasn't passing along the form parameters used to generate the PDF so he was always getting a blank PDF (blank in the sense of generically empty). If that is what's happening here, I can offer a solution -- I am using ROS ( www.ros.co.nz/*pdf*/ ) to dynamically generate pdfs, which I first write to the server, and then I have just a regular link available to the user. That solved a lot of issues for me. 
Steve Lefevre -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php - - - - - - - - - - - - - - - - - - - - - - - - - - - - - NIKE HYDRAULICS AB Frank Arensmeier Marknadssupport / Webmaster tel 016 - 16 82 34 fax 016 - 13 93 16 [EMAIL PROTECTED] www.nikehydraulics.se - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: elegant way to convert relative to absolute urls
need to clarify :) I found the 'realpath' function I need to convert: ../../myfile.php to http://www.myserver.com/dir/myfile.php many thanks g On Sep 22, 2005, at 2:08 PM, Graham Anderson wrote: is there a simple function out there that converts relative urls like ../../myfile.php to an absolute url ? g -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] elegant way to convert relative to absolute urls
is there a simple function out there that converts relative urls like ../../myfile.php to an absolute url ? g -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Problem with Internet Explorer when downloading / viewing dynamically generated PDF files
These were all good suggestions, unfortunately none of them was able to solve my problem. I did a rather simple test to eliminate at least some of the possible causes. I changed the script in order to do three simple things: send a Content-type header, read an existing PDF document into a string, output the content and exit. This is working in Safari, Firefox and many other browsers. Explorer (both Mac and Windows) says 'no'! 'The file could not be found' Could it be that Explorer in some way don't accept redirects? But redirects are made on the webserver, right? I tried to figure out if some header information was Do you mean Header(Location: )? Those happen on the *client*. -philip send during the redirection. But echoing apache_request_headers and apache_response_headers gave no result. So, the question remains: what is causing Microsoft Explorer to fail on the download? Maybe the idea with static links isn't so good after all. I mean, if I do the same thing with a usual GET request, even Explorer won't make any trouble. But on the other hand, the PDF-generating-thing is supposed to be on an other server than the webserver. And I don't like to expose this server to the Internet. Any ideas are still welcome! /frank 2005-09-22 kl. 18.55 skrev Steve Lefevre: Philip Hallstrom wrote: We finally figured out that IE was beginning the download of the PDF itself, but if it downloaded more than about 1mb, it would pass it off to a helper application to do the rest. The thing was the helper application remade the request. But it wasn't passing along the form parameters used to generate the PDF so he was always getting a blank PDF (blank in the sense of generically empty). If that is what's happening here, I can offer a solution -- I am using ROS ( www.ros.co.nz/*pdf*/ ) to dynamically generate pdfs, which I first write to the server, and then I have just a regular link available to the user. That solved a lot of issues for me. 
Steve Lefevre -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php - - - - - - - - - - - - - - - - - - - - - - - - - - - - - NIKE HYDRAULICS AB Frank Arensmeier Marknadssupport / Webmaster tel 016 - 16 82 34 fax 016 - 13 93 16 [EMAIL PROTECTED] www.nikehydraulics.se - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] basic user/input form questions... more validation!
further investigation seems to imply that 'strings' that are to be inserted into the mysql db should be 'backslashed' for the chars \x00, \n, \r, \,', and \x1a. this implies that i can have a simple function to accomplish this. the mysql_real_escape_string function requires a db connection and the app might not have opened up a connection to the db at this point in the code.. (or i could rewrite the code!!) the other issue is with 'quoting' items to be inserted in the db. articles that i've seen indicate that the following should be used: numeric data: -doesn't need quoting, but it shouldn't hurt to quote anyway.. (quote all numeric values inserted in the db...) -but wouldn't this require the app to detect numeric vals in the db, and to convert the 'type'!!) -how does this affect date/float vars... string/char data: -backslash all data that's going to be added in the db extracting data from the db: numeric data -get the data/val from the db -check the type/convert the db to int/float/date/etc... string data -get the vals from the db, -strip any slashes that were added to the data/vars -process/use accordingly... have i left anything out..?? thoughts/comments/etc. -bruce -Original Message- From: bruce [mailto:[EMAIL PROTECTED] Sent: Thursday, September 22, 2005 11:52 AM To: 'Gustav Wiberg'; php-general@lists.php.net Subject: RE: [PHP] basic user/input form questions... more validation! here's psuedo of what i envision now, in my psuedo code, i don't use the stripslashes/quotes/etc... so, i'm still trying to understand why these functions are needed/required? thoughts/comments/etc thanks -bruce -- index.php if isset($REQUEST['submit']) { if (isset($_REQUEST['foo']) { get the 'foo' var $foo = $_REQUEST['foo'] validate the foo var... $valid_chars = preg_match('valid char vars', $foo) $len = str_len($foo) max_str_len if(valid_chars len) { we have a valid 'foo' var!!! go ahead and add to the db... 
} else { 'foo' is invalid, set err msg and return to login } } else { gen err and redirect to login page } } else { form php_self post input name=foo submit /form } function add_to_db($var) { assume that 'var' is valid, but it hasn't been quoted.. $test_sql = insert into TestTBL name values (%s); $test_sql = sprintf($test_sql, $var); mysql_query($test_sql); } -Original Message- From: Gustav Wiberg [mailto:[EMAIL PROTECTED] Sent: Thursday, September 22, 2005 11:14 AM To: [EMAIL PROTECTED]; php-general@lists.php.net Subject: Re: [PHP] basic user/input form questions... more validation! - Original Message - From: bruce [EMAIL PROTECTED] To: php-general@lists.php.net Sent: Thursday, September 22, 2005 8:05 PM Subject: [PHP] basic user/input form questions... more validation! hi... forgive me!!! Ok; -) Why? You're just asking... :-) continuing the thread from yesterday regarding filtering. (and thanks to all the msgs) for simplicity. let's deal wit a simple user input form, that's going to place the information in a db. if the app allows the user to enter the input (call it 'foo') and then submits the form via a POST, where the data is then written to the db, what kind of validation should occur? and where should the validation take place? What kind of validation depends on your application. If the foo variable must be an integer, then you'll have to check if foo is numeric with is_numberic(). If foo is a string and the length matters, then you would have to validate so the length isn't more than expected with strlen()-function But in all cases you'll have to check if the foo-variable is set with isset. for my $0.02 worth, there should be be validation of the 'foo' var, to determine if the var is legitimate. there should also be validation/filterin of the var when it's placed in the db_sql command... my question (and it's basic), what validation should be performed on the 'foo' var, and why? i've seen htmlspecialchars/magic_quotes/etc.. 
in various articles, but i can't find a definitive answer!! You'll have to quote only the variables inside a sql-string. You must use mysql_real_escape_string for creating a safe db-string.. Example:

$sql = "SELECT ID from Table WHERE Foo=" . safeQuote($foo);

and the function safeQuote is like this...

function safeQuote($value) {
    // Strip the slashes magic_quotes_gpc added, so the value is not escaped twice
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Quote if not numeric
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}

I hope this helps a little... /G http://www.varupiraten.se/ also, when inserting/updating a db item, what is the 'correct' process for data? should all data that gets inserted into a db be quoted? if it should, what's the 'standard' practice? pseudo examples of this stuff
Re: [PHP] basic user/input form questions... more validation!
bruce wrote: further investigation seems to imply that 'strings' that are to be inserted into the mysql db should be 'backslashed' for the chars \x00, \n, \r, \, ', " and \x1a. this implies that i can have a simple function to accomplish this. the mysql_real_escape_string function requires a db connection and the app might not have opened up a connection to the db at this point in the code.. (or i could rewrite the code!!)

That would indicate that your code needs rewriting. You should use mysql_real_escape_string as it takes into account the character set in use on your MySQL connection (which is why it needs a DB connection). -- Jasper Bryant-Greene Freelance web developer http://jasper.bryant-greene.name/
[PHP] Re: IIS E-Mail
Hello, on 09/22/2005 05:03 PM Jay Blanchard said the following: I finally configured the IIS Virtual SMTP server as my MTA. No errors are being thrown, but no mail is being sent either. Well, it may be being sent, but it is not arriving at its destination. Can someone clue me into some things to check with the IIS Virtual SMTP Server as MTA for PHP? Any help would be greatly appreciated.

If you set the return path address correctly, you will get a bounce sooner or later explaining why the messages are not being delivered. -- Regards, Manuel Lemos PHP Classes - Free ready to use OOP components written in PHP http://www.phpclasses.org/ PHP Reviews - Reviews of PHP books and other products http://www.phpclasses.org/reviews/ Metastorage - Data object relational mapping layer generator http://www.meta-language.net/metastorage.html
RE: [PHP] basic user/input form questions... more validation!
bruce mailto:[EMAIL PROTECTED] on Thursday, September 22, 2005 3:33 PM said: further investigation seems to imply that 'strings' that are to be inserted into the mysql db should be 'backslashed' for the chars \x00, \n, \r, \, ', " and \x1a.

That's what escaping is.

the mysql_real_escape_string function requires a db connection and the app might not have opened up a connection to the db at this point in the code.. (or i could rewrite the code!!)

Unless you have warnings print to the screen you should be fine. Or you could just suppress the errors on that one function.

numeric data: -doesn't need quoting, but it shouldn't hurt to quote anyway.. (quote all numeric values inserted in the db...) -but wouldn't this require the app to detect numeric vals in the db, and to convert the 'type'!!)

No. Why would it? If you quote everything then there's no need to check for type.

-how does this affect date/float vars...

I'm not sure. Check the MySQL manual on column types.

extracting data from the db: numeric data -get the data/val from the db -check the type/convert the db to int/float/date/etc...

No type conversion is necessary. PHP is a loosely typed language.

string data -get the vals from the db, -strip any slashes that were added to the data/vars -process/use accordingly...

As I said in my previous email, stripping of slashes is not necessary. The reason data is escaped before it's put into the database is so that you don't confuse the engine.

$string_data = "Hello I'm a string.";
$sql = "INSERT INTO table (thestring) VALUES ('$string_data')";

That would be the same as: INSERT INTO table (thestring) VALUES 'Hello I'm a string' The engine is going to choke on the apostrophe in I'm. With escaping it would be ... VALUES 'Hello I\'m a string'. When you retrieve that data you'll get exactly Hello I'm a string. There will be no backslash. It also prevents SQL injection attacks.

have i left anything out..??

I don't know. hth, Chris.
[PHP] Re: basic user/input form questions... more validation!
Hello Bruce on 09/22/2005 03:05 PM bruce said the following: for simplicity. let's deal with a simple user input form, that's going to place the information in a db. if the app allows the user to enter the input (call it 'foo') and then submits the form via a POST, where the data is then written to the db, what kind of validation should occur? and where should the validation take place? for my $0.02 worth, there should be validation of the 'foo' var, to determine if the var is legitimate. there should also be validation/filtering of the var when it's placed in the db_sql command... my question (and it's basic), what validation should be performed on the 'foo' var, and why? i've seen htmlspecialchars/magic_quotes/etc.. in various articles, but i can't find a definitive answer!!

Have you tried the forms validation class that you asked me and I sent you? http://www.phpclasses.org/formsvalidation It does what you need. Namely it uses HtmlEntities() to escape special characters in input values and so it prevents cross-site scripting (XSS) exploits. It also performs additional checks for values passed on hidden fields that could be used to exploit your sites. As for magic_quotes, that class also removes them automatically in case any values are passed with that enabled. Generally you should disable magic_quotes if you can because it is not a useful feature.

also, when inserting/updating a db item, what is the 'correct' process for data? should all data that gets inserted into a db be quoted? if it should, what's the 'standard' practice?

In general you should perform rigorous form validation to prevent accepting malicious values and then escape string values to prevent SQL injection attacks or other SQL errors. That depends on the database you are using. I use Metabase, which is a database independent abstraction package to access SQL databases that performs the correct quoting and escaping according to the database you use.
http://www.phpclasses.org/metabase -- Regards, Manuel Lemos PHP Classes - Free ready to use OOP components written in PHP http://www.phpclasses.org/ PHP Reviews - Reviews of PHP books and other products http://www.phpclasses.org/reviews/ Metastorage - Data object relational mapping layer generator http://www.meta-language.net/metastorage.html -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] basic user/input form questions... more validation!
hey... regarding ..

$string_data = "Hello I'm a string.";
$sql = "INSERT INTO table (thestring) VALUES ('$string_data')";

That would be the same as: INSERT INTO table (thestring) VALUES 'Hello I'm a string' The engine is going to choke on the apostrophe in I'm. With escaping it would be ... VALUES 'Hello I\'m a string'. When you retrieve that data you'll get exactly Hello I'm a string. There will be no backslash. It also prevents SQL injection attacks.

not sure i agree with this one.. if i put foo \' cat in a db tbl... i expect that i'll get the same out... which is what some of the articles i've seen have stated.. are you telling me, and are you sure, that i'd get foo ' cat out instead!! the articles i've seen imply that if you addslashes, you also need to stripslashes on the backend... comments/thoughts/etc... -bruce
Re: [PHP] basic user/input form questions... more validation!
bruce wrote: not sure i agree with this one.. if i put foo \' cat in a db tbl... i expect that i'll get the same out... which is what some of the articles i've seen have stated.. are you telling me, and are you sure, that i'd get foo ' cat out instead!! the articles i've seen imply that if you addslashes, you also need to stripslashes on the backend... With all due respect, you are demonstrating a fundamental lack of understanding of the principle of escaping anything... The point of escaping the quote mark is so that it looks *exactly like a quote mark* to MySQL, rather than like the delimiter for a string value. MySQL treats the character sequence \' as ' when inside a string value. When you SELECT the data at the other end, MySQL will not give you the slashes, because the slashes are not stored in the database table. If you do run stripslashes() on the output, you will lose data in some situations. So don't. Hope that made sense and helped... -- Jasper Bryant-Greene Freelance web developer http://jasper.bryant-greene.name/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Suggestions for class design
Hello, on 09/20/2005 01:51 PM Murray @ PlanetThoughtful said the following: I do not understand why this could bother you or anybody else. If you have a better solution, nothing stops you to make your recommendations. Hi Manuel, I did make my recommendation. To you. It went something like (and I'm paraphrasing), Your proposed solution doesn't solve the original poster's conceptual problem with abstracting classes that deal with collections of objects in conjunction with classes that abstract single objects. In other words, and I realize I'm stretching out on a limb with this metaphor, I saw in your post an attempt to treat the symptoms without offering a cure for the disease. That is your impression because you really do not know how Metastorage generated code works. It provides several types of functions that retrieve and manipulate collection. Retrieval is done by storing all collection objects in an array that is returned by those functions. There is no need for a separate class to abstract collections. And your perception of bias may or may not be accurate. I don't recall delivering wrath-of-god denunciation of your suggestion to use a project you developed, just acknowledged a desire to promote a project you're probably (and perhaps justifiably) proud of. You say that wasn't a component of your recommendation. I'm willing to accept that, not that I expect you to be losing any sleep over whether or not I believe you. The problem is that I am not promoting Metastorage because I am proud of it. Actually I do not promote any of my projects because of pride or any other ego related reasons. I wish some people did not guess that wrong, but I admit that sometimes it is hard to make certain intentions clear. I let others know about my projects because that helps maximizing the chance of getting valuable feedback from potential users like bug reports and feature suggestions. 
This is good for me because ultimately I also benefit from any improvements done on my projects due to user feedback. Anyway, it would be pointless for me to let other people know about projects of mine that do not address their needs, as that would not raise their interest. What I am trying to tell you is that while I may not be clear enough, I was trying to tell the original poster how Metastorage solves the problem he wants to solve. That does not mean he will be interested to use Metastorage, but at least it may raise his interest in studying how Metastorage solve his problem. If he will become interested in Metastorage later, I am not concerned. If he will, fine, if he doesn't, no problem either. Thank you for the extra explanation. I still don't understand the comment's relevancy to the actual question being asked by the original poster, but I will explain, in case it's of interest, why that comment caused me some confusion: - The original poster outlined that he had created a class that represented a customer. - He told the list he was having difficulties with the concept of abstracting a collection of customers - He received some helpful suggestions from the list about how to approach that task - None of which would have meant he was 'trying to retrieve objects into memory before they exist.' I don't know about anyone else, but what that comment implied to me was that the original poster was attempting to instantiate a class as an object before including the file that contained the class definition. No, that was not my point. My point is that if you want to get a collection of customers, you want a list of objects that may contain more than one. Therefore what represents better a list of objects of some class, is not an object of a class, but rather an array eventually created by a factory object. I do not think it does not make much sense that the factory object be of the same class of the list of objects that you want to retrieve. 
So, first you create the factory class object and then it will retrieve the customer objects into an array. What he was doing is to make the customer class a factory for a collection of its own objects. I am not sure if my comment is clearer now. -- Regards, Manuel Lemos PHP Classes - Free ready to use OOP components written in PHP http://www.phpclasses.org/ PHP Reviews - Reviews of PHP books and other products http://www.phpclasses.org/reviews/ Metastorage - Data object relational mapping layer generator http://www.meta-language.net/metastorage.html
Re: [PHP] Opensource webshop
On 9/22/05, Greg Donald [EMAIL PROTECTED] wrote: Not to mention the ones written in Perl. I think you just did ;) -- Chris Martin Web Developer Open Source Web Standards Advocate http://www.chriscodes.com/
RE: [PHP] basic user/input form questions... more validation!
one more question/issue... the mysql_real_escape function escapes with a'\' which works for mysql, but isn't standard ansi... is there another function that does the same thing, but uses the ansi standard '. also, if there is another function, does it also work with mysql?? thanks -bruce -Original Message- From: Jasper Bryant-Greene [mailto:[EMAIL PROTECTED] Sent: Thursday, September 22, 2005 4:39 PM To: php-general@lists.php.net Subject: Re: [PHP] basic user/input form questions... more validation! bruce wrote: not sure i agree with this one.. if i put foo \' cat in a db tbl... i expect that i'll get the same out... which is what some of the articles i've seen have stated.. are you telling me, and are you sure, that i'd get foo ' cat out instead!! the articles i've seen imply that if you addslashes, you also need to stripslashes on the backend... With all due respect, you are demonstrating a fundamental lack of understanding of the principle of escaping anything... The point of escaping the quote mark is so that it looks *exactly like a quote mark* to MySQL, rather than like the delimiter for a string value. MySQL treats the character sequence \' as ' when inside a string value. When you SELECT the data at the other end, MySQL will not give you the slashes, because the slashes are not stored in the database table. If you do run stripslashes() on the output, you will lose data in some situations. So don't. Hope that made sense and helped... -- Jasper Bryant-Greene Freelance web developer http://jasper.bryant-greene.name/
Re: [PHP] basic user/input form questions... more validation!
bruce wrote: the mysql_real_escape function escapes with a'\' which works for mysql, but isn't standard ansi... is there another function that does the same thing, but uses the ansi standard '. also, if there is another function, does it also work with mysql?? Well, you could just use str_replace. But what's the point? A whole lot of MySQL deviates from the standards, often for good reason, and often in ways that makes it easier to use or simply better. There's no functional difference that I know of (correct me if I'm wrong, please), so why bother? -- Jasper Bryant-Greene Freelance web developer http://jasper.bryant-greene.name/
[PHP] Posting variables from one php script to another
I am using GET to send variables from one php script to another php script How would I POST the same variables ? This is the php script I am sending GET variables to...
$movieBuilder = "./movieBuilder.php?mask=mask.gif&drag=drag.gif&movie=fonovisa.mov";
I am placing $movieBuilder in the src = attribute Is it possible to POST these same variables to movieBuilder.php ? The below generates a Quicktime movie:
$xml = <<<EOB
<?xml version="1.0"?>
<?quicktime type="application/x-quicktime-media-link"?>
<embed autoplay="$autoplay" cache="$cache" kioskmode="$kioskmode" quitwhendone="$quitwhendone" movieid="$movieid" moviename="$moviename" src="$movieBuilder"/>
EOB;
many thanks
RE: [PHP] basic user/input form questions... more validation!
-Original Message- From: bruce [mailto:[EMAIL PROTECTED] Sent: Friday, 23 September 2005 10:23 AM To: 'Jasper Bryant-Greene'; php-general@lists.php.net Subject: RE: [PHP] basic user/input form questions... more validation! one more question/issue... the mysql_real_escape function escapes with a'\' which works for mysql, but isn't standard ansi... is there another function that does the same thing, but uses the ansi standard '. also, if there is another function, does it also work with mysql?? The important thing here is that escaping with a \ is MySQL's standard for escaping, so should be used when using MySQL as your storage backend. Much warmth, Murray --- Lost in thought... http://www.planetthoughtful.org
[PHP] ftp_site problem
I can't get ftp_site() to chmod a file. WS_FTP utility changes them OK. I can connect and log-in via ftp OK Then I send
if(ftp_site($conn_id, "chmod 0777 /public_html/EditPage/cd_ef_W.txt")) echo 'successful'; else echo 'failed';
And get successful OK But, the file's permissions don't change. Have tried 777 as well as 0777. Any suggestions?
Re: [PHP] Posting variables from one php script to another
Graham Anderson wrote: I am using GET to send variables from one php script to another php script How would I POST the same variables ? http://php.net/curl You can use the CURL functions to send a POST request. -- Jasper Bryant-Greene Freelance web developer http://jasper.bryant-greene.name/
Re: [PHP] Posting variables from one php script to another
so is it like this? ? CURL is not quite working yet In a GET request: $movieBuilder would be:
$movieBuilder = "./movieBuilder.php?mask=mask.gif&drag=drag.gif&movie=fonovisa.mov";
putting $movieBuilder in the src attribute does work. In a POST request:
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "./movieBuilder.php");
curl_setopt ($ch, CURLOPT_POST, 1);
curl_setopt ($ch, CURLOPT_POSTFIELDS, 'mask=mask.gif&drag=drag.gif&movie=fonovisa.mov');
$movieBuilder = curl_exec ($ch);
And, now put $movieBuilder in the 'src' attribute in the embed tag:
//Generate the Quicktime movie
$xml = <<<EOB
<?xml version="1.0"?>
<?quicktime type="application/x-quicktime-media-link"?>
<embed src="$movieBuilder"/>
EOB;
many thanks :) g On Sep 22, 2005, at 5:31 PM, Jasper Bryant-Greene wrote: Graham Anderson wrote: I am using GET to send variables from one php script to another php script How would I POST the same variables ? http://php.net/curl You can use the CURL functions to send a POST request. -- Jasper Bryant-Greene Freelance web developer http://jasper.bryant-greene.name/
Re: [PHP] Posting variables from one php script to another
Graham Anderson wrote: In a POST request: $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "./movieBuilder.php"); I think you may need to put the full URL here. I don't do a lot with CURL, though, so someone else may be able to help you more here. -- Jasper Bryant-Greene Freelance web developer http://jasper.bryant-greene.name/
Re: [PHP] basic user/input form questions... more validation!
bruce wrote: not sure i agree with this one.. if i put foo \' cat in a db tbl... i expect that i'll get the same out... which is what some of the articles i've seen have stated.. are you telling me, and are you sure, that i'd get foo ' cat out instead!! the articles i've seen imply that if you addslashes, you also need to stripslashes on the backend... You're reading the wrong articles. :-) Escaping is something you do to preserve data, period. If you have data that is going to enter a context where it can be considered anything other than data, it needs to be escaped. I often simplify this by suggesting that you always escape output. I did a podcast about this topic a few weeks ago: http://pro-php.com/index.php?post_id=10 I also wrote a small followup blog entry: http://shiflett.org/archive/133 Hope that helps. Chris -- Chris Shiflett Brain Bulb, The PHP Consultancy http://brainbulb.com/
RE: [PHP] basic user/input form questions... more validation!
hey chris... thanks!! but what do you mean by ...escape output!! is that output of the query, which is input to the db? as i understand it, you escape the query vars, after filtering/validation, that you're going to touch the db with... (insert/update/select) am i on your same wavelength?? -bruce -Original Message- From: Chris Shiflett [mailto:[EMAIL PROTECTED] Sent: Thursday, September 22, 2005 7:15 PM To: [EMAIL PROTECTED] Cc: 'Chris W. Parker'; php-general@lists.php.net Subject: Re: [PHP] basic user/input form questions... more validation! bruce wrote: not sure i agree with this one.. if i put foo \' cat in a db tbl... i expect that i'll get the same out... which is what some of the articles i've seen have stated.. are you telling me, and are you sure, that i'd get foo ' cat out instead!! the articles i've seen imply that if you addslashes, you also need to stripslashes on the backend... You're reading the wrong articles. :-) Escaping is something you do to preserve data, period. If you have data that is going to enter a context where it can be considered anything other than data, it needs to be escaped. I often simplify this by suggesting that you always escape output. I did a podcast about this topic a few weeks ago: http://pro-php.com/index.php?post_id=10 I also wrote a small followup blog entry: http://shiflett.org/archive/133 Hope that helps. Chris -- Chris Shiflett Brain Bulb, The PHP Consultancy http://brainbulb.com/
Re: [PHP] File complete check (FTP)
How about check file size? Crom - Original Message - From: Johannes Tyra [EMAIL PROTECTED] To: php-general@lists.php.net Sent: Thursday, September 22, 2005 5:04 PM Subject: [PHP] File complete check (FTP) Hello, I want to check if a file (jpg image) is completely uploaded on a server. I've checked for the last two bytes (ffd9), but this method is not safe. Anybody know how it works?? -- With kind regards, | Johannes Tyra | --- | BrainData - InterNet Services | --- | Tel: +49.209.8181788 | Fax: +49.209.8181789 | --- | www.BrainData.de | mailto:[EMAIL PROTECTED]
Re: [PHP] ftp_site problem
try: if(ftp_site($conn_id, "SITE chmod 0777 /public_html/EditPage/cd_ef_W.txt")) echo 'successful'; else echo 'failed'; it works for me Crom - Original Message - From: Al [EMAIL PROTECTED] To: php-general@lists.php.net Sent: Thursday, September 22, 2005 9:34 PM Subject: [PHP] ftp_site problem I can't get ftp_site() to chmod a file. WS_FTP utility changes them OK. I can connect and log-in via ftp OK Then I send if(ftp_site($conn_id, "chmod 0777 /public_html/EditPage/cd_ef_W.txt")) echo 'successful'; else echo 'failed'; And get successful OK But, the file's permissions don't change. Have tried 777 as well as 0777. Any suggestions?
Re: [PHP] basic user/input form questions... more validation!
bruce wrote: but what do you mean by ...escape output!! Output is data that you send somewhere else. In other words, if it leaves your application, it is output. This is explained a bit further (with some code) near the start of this talk: http://brainbulb.com/talks/php-security-audit-howto.pdf Hope that helps. Chris -- Chris Shiflett Brain Bulb, The PHP Consultancy http://brainbulb.com/
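The two points argued in this thread (escape characters are not stored, and escaping belongs at each output context) shown in runnable form, as an added example that is not from any of the posters. It assumes PDO with an in-memory SQLite database in place of the mysql functions the thread discusses; the table name and sample strings are constructed.

```php
<?php
// Added illustration, not code from the thread. Assumes the pdo_sqlite
// extension (so it runs offline); the table and variable names are made up.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)');

// Constructed sample inputs: a quote, literal backslashes, HTML markup.
$inputs = [
    "foo ' cat",
    'C:\\temp\\new',               // the string C:\temp\new
    "<b>O'Reilly</b> & sons",
];

// Output context 1: SQL text. PDO::quote() escapes for the connected
// driver's dialect: SQLite doubles the quote (the ANSI form), while the
// MySQL driver puts a backslash before it. Either way the escape character
// is syntax for the SQL parser and is not stored.
foreach ($inputs as $value) {
    $sql = 'INSERT INTO notes (body) VALUES (' . $db->quote($value) . ')';
    echo $sql, "\n";
    $db->exec($sql);
}

// Bound parameters keep the data out of the SQL text altogether.
$stmt = $db->prepare('INSERT INTO notes (body) VALUES (:body)');
foreach ($inputs as $value) {
    $stmt->execute([':body' => $value]);
}

$rows = $db->query('SELECT body FROM notes ORDER BY id')
           ->fetchAll(PDO::FETCH_COLUMN);

foreach ($rows as $i => $body) {
    $original = $inputs[$i % count($inputs)];

    // What comes out must be byte-for-byte what went in.
    if ($body !== $original) {
        throw new RuntimeException("round trip changed row $i");
    }

    // stripslashes() on the way out deletes backslashes that are real data.
    if (stripslashes($body) !== $body) {
        echo 'stripslashes() would corrupt: ', $body, ' -> ',
             stripslashes($body), "\n";
    }

    // Output context 2: HTML. Escape at the point of output with the
    // function for this context; the stored value stays raw.
    echo '<li>', htmlspecialchars($body, ENT_QUOTES, 'UTF-8'), "</li>\n";
}
```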
Re: [PHP] Posting variables from one php script to another
I tried this test:
//CURL
$ch = curl_init ("$myURL/movieBuilder.php");
curl_setopt ($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt ($ch, CURLOPT_POSTFIELDS, "mask=mask.gif&drag=drag.gif&movie=fonovisa.mov");
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
$buffer = curl_exec($ch); // execute the post
echo $buffer;
curl_close ($ch);
for some reason it is not sending the posted variables the script is curling the other php script as it is echoing. Unfortunately, it is not passing along the Posted variables anyone know ? On Sep 22, 2005, at 6:52 PM, Jasper Bryant-Greene wrote: Graham Anderson wrote: In a POST request: $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "./movieBuilder.php"); I think you may need to put the full URL here. I don't do a lot with CURL, though, so someone else may be able to help you more here. -- Jasper Bryant-Greene Freelance web developer http://jasper.bryant-greene.name/
Re: [PHP] Opensource webshop
- Original Message - From: Chris W. Parker [EMAIL PROTECTED] To: PHP General php-general@lists.php.net Sent: Thursday, September 22, 2005 10:28 PM Subject: RE: [PHP] Opensource webshop Gustav Wiberg mailto:[EMAIL PROTECTED] on Thursday, September 22, 2005 1:21 PM said: Hi there! Hi. I'm just beginning to test if there is some interest in an opensource-webshop... Do you mean a shopping cart? Yes. The admin-part is not opensource.. Hmm... why not? And do I have to pay for it? Is it web based? If so, is it encoded or something? Now it's mainly because we don't want to show prices which we use to buy products, but if there is an interest of this, we'll have to reconsider. No it shouldn't cost anything! It's web-based Interested? http://www.varupiraten.se/doc.php The site doesn't seem to work. It's just not loading. I think it's too much information on the site, so it doesn't seem to be loading. I'll reconsider the layout too... :-) /G http://www.varupiraten.se/ Chris.
Re: [PHP] Re: Opensource webshop
- Original Message - From: Mark Evans [EMAIL PROTECTED] To: php-general@lists.php.net Sent: Thursday, September 22, 2005 10:47 PM Subject: [PHP] Re: Opensource webshop I'm just beginning to test if there is some interest in an opensource-webshop... The admin-part is not opensource.. Surely if the admin isn't opensource then it's not an opensource solution? Of course, there are opensource-solutions where not ALL the code is opensource. You can't run a store without the admin part ;-) Yes, you can but it's harder... ;-) We're reconsidering if admin should be a part of opensource too. Thanx for feedback! /G http://www.varupiraten.se/ Regards Mark
Re: [PHP] Opensource webshop
- Original Message - From: Greg Donald [EMAIL PROTECTED] To: php-general@lists.php.net Sent: Thursday, September 22, 2005 11:03 PM Subject: Re: [PHP] Opensource webshop On 9/22/05, Gustav Wiberg [EMAIL PROTECTED] wrote: I'm just beginning to test if there is some interest in an opensource-webshop... The admin-part is not opensource.. Interested? http://www.varupiraten.se/doc.php There are probably dozens of free open source PHP carts already out there. Not to mention the ones written in Perl. Are there many in just PHP too? /G http://www.varupiraten.se/ -- Greg Donald Zend Certified Engineer MySQL Core Certification http://destiney.com/
Re: [PHP] Opensource webshop
There are probably dozens of free open source PHP carts already out there. Not to mention the ones written in Perl. Are there many in just PHP too? As he said, there are probably dozens. Four of the PHP-based ones are listed under e-Commerce on this website: http://www.opensourcecms.com/ -- Jasper Bryant-Greene Freelance web developer http://jasper.bryant-greene.name/
Re: [PHP] Opensource webshop
- Original Message - From: Jasper Bryant-Greene [EMAIL PROTECTED] To: php-general@lists.php.net Sent: Friday, September 23, 2005 6:41 AM Subject: Re: [PHP] Opensource webshop There are probably dozens of free open source PHP carts already out there. Not to mention the ones written in Perl. Are there many in just PHP too? As he said, there are probably dozens. Four of the PHP-based ones are listed under e-Commerce on this website: http://www.opensourcecms.com/ Ok, thanx! Is there an opensource PHP webshop out there for the Swedish market? /G http://www.varupiraten.se/
Re: [PHP] Opensource webshop
On Fri, 23 Sep 2005, Jasper Bryant-Greene wrote:
} There are probably dozens of free open source PHP carts already out
} there. Not to mention the ones written in Perl.
}
} Are there many in just PHP too?
}
} As he said, there are probably dozens. Four of the PHP-based ones are listed
} under e-Commerce on this website:
}
} http://www.opensourcecms.com/
A few more PHP ones [including the 4 at the above URL]:
http://www.shop-script.com/php-shopping-cart-software-1.html
http://www.zen-cart.com/
http://www.oscommerce.com/
http://www.x-cart.com/articles/x-cart_open_source.html
http://creloaded.com/index.php
http://www.osc2nuke.com/
http://cpcommerce.org/
http://www.cubecart.com/site/home/ [not OSS, but free if (c) is not modified]
http://siliconsys.com/content/applications/phpcatalog/
http://www.terraserver.de/terraserver.php3
http://www.ecommerceshoppingcartsoftware.org/
http://open.appideas.com/MyCart/
http://cosmicphp.com/freescripts_cosmicshoppingcart.php
http://www.affcommerce.com/
http://developer.berlios.de/projects/oos/
http://www.soft4e.com/loadshop.html
https://sourceforge.net/project/showfiles.php?group_id=83355&release_id=166221
http://scripts.justwilliams.com/amazon/index.htm
And more can be found via google and php.resourceindex.com
/vjl/
[PHP] session clustering
guys, do you recommend session clustering within php application itself or going with higher level, maybe database sessions and then database clustering? -- Regards Jad madi Blog http://EasyHTTP.com/jad/ Web standards Planet http://W3planet.net/