php-general Digest 21 Oct 2006 11:02:46 -0000 Issue 4413
Topics (messages 243415 through 243420):

Daylight saving time
    243415 by: Raphael Chasse

Re: User question for PHP
    243416 by: chris smith
    243418 by: Jochem Maas
    243419 by: chris smith

Re: Creating Tree Structure from associative array
    243417 by: Jochem Maas

Re: Weird stack trace in error_log from PDOException
    243420 by: Roman Neuhauser

Administrivia:

To subscribe to the digest, e-mail: [EMAIL PROTECTED]
To unsubscribe from the digest, e-mail: [EMAIL PROTECTED]
To post to the list, e-mail: php-general@lists.php.net

--

---BeginMessage---
Hello,

Regarding PHP5 bug #35296, http://bugs.php.net/bug.php?id=35296

I assume that it has been fixed in PHP5 for a while now (any version higher than PHP 5.0.5).

Could someone tell me if PHP4 has been corrected as well? In other words, what is the oldest version of PHP4 that contains the bug fix?

Thank you,
-- Raphaël Chassé
---End Message---
---BeginMessage---
On 10/21/06, Ivo F.A.C. Fokkema [EMAIL PROTECTED] wrote:
> On Fri, 20 Oct 2006 23:24:14 +1000, chris smith wrote:
>> On 10/20/06, Ivo F.A.C. Fokkema [EMAIL PROTECTED] wrote:
>>> On Fri, 20 Oct 2006 15:49:14 +1000, Chris wrote:
>>>> Andy Hultgren wrote:
>>>>> To whoever was asking this (sorry didn't see the original email):
>>>>>
>>>>>> Is it possible to have a PHP script execute as the user of the domain instead of the webserver? So when I upload files through a PHP script they are owned by me and not wwwrun or nobody?
>>>>>
>>>>> I was recently exchanging on this list about that very topic. It's in the archives for this list. Go to www.php.net and set the dropdown menu in the upper right corner of the page to general mailing list, then type File Upload Security and chmod into the search field and hit enter. The conversation is within the first few hits on this search.
>>>>>
>>>>> The server hosting my site runs with php executing as me (the owner of the domain), and we covered some of the potential security pitfalls of such a situation (mainly centered on the fact that this makes any php script far too powerful). In my situation I couldn't change how the server was set up; however, the general consensus was that this situation created a number of serious security concerns that had to be very carefully addressed. I would avoid this configuration if you have the choice, based purely on the advice I received.
>>>>
>>>> Actually you have that the wrong way around.
>>>>
>>>> If php is running as www or nobody then any files or directories that a php script creates will be done as the web server user.
>>>>
>>>> That means (potentially) that if domain 'a' creates a file, domain 'b' can read and write to that file and even delete it.
>>>>
>>>> If php is running as you instead, you can control this with appropriate chmod commands (at least removing the risk of deleting of files / updating of files).
>>>>
>>>> A shared user (like www or nobody) is a *much* bigger risk than separate users.
>>>
>>> Unless those separate users have a little more access than just SSH and FTP access to the machine... I guess that if anyone with special rights carelessly activates suPHP and leaves the PHP files owned by him, you'd have PHP scripts capable of reading out special log files and whatnot.
>>>
>>> To my experience, apache (with PHP running as www-data or nobody or whatever) will not be able to create files or folders without user intervention (chmod, chown), thus no updating and removing is possible either by default.
>>
>> php running through apache:
>>
>> <?php mkdir('/path/to/dir'); ?>
>>
>> Making that in a shared location will allow *any* domain to write to it, read from it or delete it (forget about possible open_basedir restrictions).
>
> I see your point and I agree this is an issue, but given the relatively small incidence of such a situation, I personally would not say this is a much bigger problem than a PHP file being able to remove all other files owned by the same owner (i.e. usually the whole site at least)...

Running it as separate users removes safe-mode problems (the file uploaded will be as www or nobody, the script trying to access it is user), stops you having to have '777' type permissions on temp or data directories, user a can't do anything to user b's files and so on.

Plus if your domain gets hacked through php, they can *only* do damage to your domain. They'd have to hack the other domains on the server because they are owned by different users...

-- 
Postgresql php tutorials
http://www.designmagick.com/
---End Message---
---BeginMessage---
chris smith wrote:
> On 10/21/06, Ivo F.A.C. Fokkema [EMAIL PROTECTED] wrote:
>> On Fri, 20 Oct 2006 23:24:14 +1000, chris smith wrote:
>>> On 10/20/06, Ivo F.A.C. Fokkema [EMAIL PROTECTED] wrote:
>>>> To my experience, apache (with PHP running as www-data or nobody or whatever)
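An added example (not written by any list member) of the ownership point chris smith makes in the "User question for PHP" thread above: it creates two scratch directories and reports who, besides the owner, can change them under each hosting model. The `exposure()` and `mode_of()` helpers and the directory names are constructed for illustration, and the uid the script runs as stands in for the shared web-server account.

```php
<?php
// Added illustration; exposure(), mode_of() and the directory names are hypothetical.

/** Permission bits only (for example 0755), without the file-type bits. */
function mode_of(string $path): int
{
    clearstatcache(true, $path);
    return fileperms($path) & 0777;
}

/**
 * List the ways $path can be changed by someone other than its owner.
 * $sharedUid is the account every site's PHP runs as when PHP is loaded
 * into the web server (www, nobody or www-data in the thread).
 */
function exposure(string $path, int $sharedUid): array
{
    $mode = mode_of($path);
    $findings = [];
    if ($mode & 0002) {
        $findings[] = 'world-writable: any local account can add or delete entries';
    }
    if ($mode & 0020) {
        $findings[] = 'group-writable: depends on who is in the owning group';
    }
    if (fileowner($path) === $sharedUid) {
        $findings[] = "owned by the shared web uid: every site's PHP can change it";
    }
    return $findings;
}

$base = sys_get_temp_dir() . '/perm-demo-' . bin2hex(random_bytes(4));
mkdir($base, 0700);
$me = fileowner($base);                 // uid this script runs as

// The '777' data directory from the thread. chmod() is explicit because
// the mode passed to mkdir() is reduced by the process umask.
mkdir("$base/data-777");
chmod("$base/data-777", 0777);

// What a script can do when it owns its files: keep everyone else out.
mkdir("$base/data-private");
chmod("$base/data-private", 0700);

$models = [
    'PHP inside the web server (shared uid)' => $me,
    'PHP running as the site owner'          => $me + 1, // constructed: some other uid
];
foreach ($models as $label => $sharedUid) {
    echo "$label\n";
    foreach (['data-777', 'data-private'] as $dir) {
        $found = exposure("$base/$dir", $sharedUid) ?: ['only the owner can change it'];
        printf("  %-13s %04o  %s\n", $dir, mode_of("$base/$dir"), implode('; ', $found));
    }
}

rmdir("$base/data-777");
rmdir("$base/data-private");
rmdir($base);
```

Under the shared-uid model even the 0700 directory is reported, because every other site's scripts run as its owner; under the per-user model only the 0777 directory is.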
php-general Digest 21 Oct 2006 23:25:55 -0000 Issue 4414
Topics (messages 243421 through 243429):

Re: How to recognise url in a block of text
    243421 by: AYSERVE.NET

Berger table algorithm?
    243422 by: Szymon

Re: Weird stack trace in error_log from PDOException
    243423 by: Russ Brown

Re: Check HTML style sheet?
    243424 by: Rafael
    243428 by: Al

Re: A problem with dates
    243425 by: David Robley

One-page password-protected file
    243426 by: Dotan Cohen
    243427 by: Dotan Cohen

Parsing serialized PHP arrays in C
    243429 by: Kevin Wilcox
Re: [PHP] Weird stack trace in error_log from PDOException
# [EMAIL PROTECTED] / 2006-10-19 16:05:58 -0500:
> try {
>     $objStatement->execute($arrParams);
>     $intID = $objStatement->fetchColumn();
>     $objStatement->closeCursor();
> } catch (PDOException $objEx) {
>     error_log(get_class($objEx));
>     // Actually handle the exception
> }
>
> The query runs a stored procedure which sometimes results in an (expected) error condition which the catch block handles. It all works perfectly, with one exception: In between the call to fetchColumn and the catch block being invoked, PHP dumps a stack trace to the error log complaining about the exception, and I can't for the life of me figure out why or how to stop it.

A wild guess: do you have xdebug enabled?

-- 
How many Vietnam vets does it take to screw in a light bulb?
You don't know, man. You don't KNOW.
Cause you weren't THERE. http://bash.org/?255991

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: How to recognise url in a block of text
Wow, that was deep but I'll try to see to what you're saying.

Bunmi
www.ayserve.net
www.budelak.com

Robin Vickery wrote:
> On 18/10/06, AYSERVE.NET [EMAIL PROTECTED] wrote:
>> Hello Guys,
>> I thought I was home and dry when the program worked fine on my windows but when I ran from my Linux server, I keep getting a url like: http://www.website.com/pdf/ED1.pdf%A0 instead of http://www.website.com/pdf/ED1.pdf.
>
> I'd look at the text that you're working on rather than the regexp. It looks like some character set conversion is going wrong - 0xA0 is the latin-1 non-breaking space character. I expect that on your linux machine it's being converted to %0A at some point which is perfectly valid in a URL.
>
> But I'm just guessing.
>
> -robin
[PHP] Berger table algorithm?
Hello,

I'm looking for a Berger table generation solution in PHP, for any (parity) number of teams. I've been working on it for a couple of hours, but haven't made anything useful. Please help! :)

-- 
Szymon
Re: [PHP] Weird stack trace in error_log from PDOException
Roman Neuhauser wrote:
> # [EMAIL PROTECTED] / 2006-10-19 16:05:58 -0500:
>> try {
>>     $objStatement->execute($arrParams);
>>     $intID = $objStatement->fetchColumn();
>>     $objStatement->closeCursor();
>> } catch (PDOException $objEx) {
>>     error_log(get_class($objEx));
>>     // Actually handle the exception
>> }
>>
>> The query runs a stored procedure which sometimes results in an (expected) error condition which the catch block handles. It all works perfectly, with one exception: In between the call to fetchColumn and the catch block being invoked, PHP dumps a stack trace to the error log complaining about the exception, and I can't for the life of me figure out why or how to stop it.
>
> A wild guess: do you have xdebug enabled?

BINGO!

Excellent, thanks for that. I'd never even considered xdebug. I only really have it installed for coverage in phing. I suppose I really should check out what else xdebug can do as it might be handy.

Thanks again!
[PHP] Re: Check HTML style sheet?
For PHP, the HTML is pretty much a bunch of chars (a string) and nothing more, which leaves you with one (initial) option: search the HTML for a given string.

Marc Roberts wrote:
> Is it possible to use php to check that the .css file in the html of a web page is the correct one e.g. check if the file included in the html is new.css.
>
> I think I will have to write a regex but if anyone has any ideas (or already has a regex to do this), it would be much appreciated.
>
> Thanks,
> Marc

-- 
Atentamente / Sincerely,
J. Rafael Salazar Magaña
[PHP] Re: A problem with dates
Dave Goodchild wrote:
> Hi all. I have an online events directory and am having some issues with date calculations. I have a table of dates (next year) and an events table - which have a many to many relationship and so use an intermediary mapping table called dates_events.
>
> All good - when the user enters a single, multi-day, daily or monthly event the event is entered into its table and some calculations done to enter values in the mapping table. When I perform a search all the events fall on their specified dates.
>
> Apart from weekly events that is. When a user enters a weekly event, the system looks at the start and end dates, finds out the ids of all the dates in the date table in increments of 7, and adds the mappings. When the weekly events are viewed, every 4 weeks they shift forward by one day over the week. There is some kind of ominous pattern here, but the maths is very simple (increment by 7) and so I thought I'd see if anyone can spot this right away before I dedicate my weekend to poring through PHP and mySQL date maths. Thanks in advance!

Have you checked that daylight saving time changes don't interfere with your calculations?

Cheers
-- 
David Robley

It's not the principle of the thing, it's the money
Today is Setting Orange, the 3rd day of The Aftermath in the YOLD 3172.
[PHP] One-page password-protected file
I'm in the horrible situation where I need a one-page script to hold its own password and validate itself. I coded this together, I want this list's opinion as to whether or not it holds water, considering the circumstance:

<?php
$sha1_pw="5218lm849l394k1396dip4'2561lq19k967e'30";

if ( $_COOKIE["password"] != sha1($sha1_pw) ) {
    $varis=explode("/",$PATH_INFO);
    $pre_password=explode(,$varis[1]); // delimiter argument missing in the archived copy
    if ( sha1( substr($pre_password[0],0) ) == $sha1_pw ) {
        setcookie("password", sha1($sha1_pw) );
        header("Location: ".$_SERVER["SCRIPT_NAME"]."/".rand(999,9));
        exit;
    } else {
        print "Fvck Off";
        exit;
    }
}

// REST OF PAGE
?>

The idea is that the user could call the page like this:
http://server.com/directory/page.php/MyPassword
and the page would refresh to not show his password, yet keep him logged in.

Thanks for any and all input.

Dotan Cohen
http://nanir.com
http://what-is-what.com/what_is/html.html
[PHP] Re: One-page password-protected file
On 21/10/06, Dotan Cohen [EMAIL PROTECTED] wrote:
> I'm in the horrible situation where I need a one-page script to hold its own password and validate itself. I coded this together, I want this list's opinion as to whether or not it holds water, considering the circumstance:
>
> <?php
> $sha1_pw="5218lm849l394k1396dip4'2561lq19k967e'30";
>
> if ( $_COOKIE["password"] != sha1($sha1_pw) ) {
>     $varis=explode("/",$PATH_INFO);
>     $pre_password=explode(,$varis[1]); // delimiter argument missing in the archived copy
>     if ( sha1( substr($pre_password[0],0) ) == $sha1_pw ) {
>         setcookie("password", sha1($sha1_pw) );
>         header("Location: ".$_SERVER["SCRIPT_NAME"]."/".rand(999,9));
>         exit;
>     } else {
>         print "Fvck Off";
>         exit;
>     }
> }
>
> // REST OF PAGE
> ?>
>
> The idea is that the user could call the page like this:
> http://server.com/directory/page.php/MyPassword
> and the page would refresh to not show his password, yet keep him logged in.
>
> Thanks for any and all input.

I should probably add more detail. I didn't want even the sha1 hashed password stored in the cookie, so the sha1 hash is sha1 hashed again. That way, the password is not stored in plain text anywhere, and the sha1 hash of the password is stored only on the server.

Like I said, the file must be self-contained. What do the list members think of this solution? Thanks.

Dotan Cohen
http://lahes.com
http://what-is-what.com/what_is/open_office.html
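A hardened variant of the same one-page idea, added here as an example and not written by the poster: the password is submitted in a POST body instead of the URL path (which ends up in access logs and browser history), the cookie carries a random session id instead of a fixed value derived from the password hash, and the check uses `password_verify()` rather than `==` on SHA-1 strings. It assumes PHP 7.3 or later and HTTPS; `PASSWORD_HASH`, `MAX_IDLE_SECONDS` and `password_ok()` are names chosen for the example, and the hash value is a placeholder.

```php
<?php
// Added example, not the poster's script. Assumes PHP 7.3+ and HTTPS.

// Placeholder: paste the output of
//   php -r 'echo password_hash("your password", PASSWORD_DEFAULT), "\n";'
// Salt and cost are stored inside the hash string, so the file stays
// self-contained. With the placeholder in place every login is refused.
const PASSWORD_HASH = 'REPLACE_WITH_password_hash_OUTPUT';
const MAX_IDLE_SECONDS = 1800; // constructed value

/** True only for a string that verifies against the stored hash. */
function password_ok($submitted): bool
{
    return is_string($submitted) && password_verify($submitted, PASSWORD_HASH);
}

session_set_cookie_params([
    'path'     => $_SERVER['SCRIPT_NAME'], // cookie is sent to this page only
    'secure'   => true,                    // never over plain HTTP
    'httponly' => true,                    // not readable from JavaScript
    'samesite' => 'Strict',
]);
session_start();

$authed = !empty($_SESSION['authed'])
    && time() - ($_SESSION['last_seen'] ?? 0) < MAX_IDLE_SECONDS;

if (!$authed) {
    $isPost = $_SERVER['REQUEST_METHOD'] === 'POST';
    if ($isPost && password_ok($_POST['password'] ?? null)) {
        session_regenerate_id(true);       // fresh id, old session removed
        $_SESSION['authed'] = true;
        $_SESSION['last_seen'] = time();
        // Redirect so a reload does not resubmit the password.
        header('Location: ' . $_SERVER['SCRIPT_NAME'], true, 303);
        exit;
    }
    $_SESSION = [];
    http_response_code($isPost ? 403 : 200);
    echo '<form method="post">',
         '<input type="password" name="password" autocomplete="current-password">',
         '<button type="submit">Log in</button></form>';
    exit;
}
$_SESSION['last_seen'] = time();

// REST OF PAGE
```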
[PHP] Re: Check HTML style sheet?
Marc Roberts wrote:
> Is it possible to use php to check that the .css file in the html of a web page is the correct one e.g. check if the file included in the html is new.css.
>
> I think I will have to write a regex but if anyone has any ideas (or already has a regex to do this), it would be much appreciated.
>
> Thanks,
> Marc

Be more specific. What determines the correct one? Is there a list of the correct ones some place? Do you want to see if the css file name in the html header exists in the directory? What?
[PHP] Parsing serialized PHP arrays in C
I have a feeling this may be the wrong group to ask this question, but I thought that if it is, someone can point me in the right direction.

I'm working on an application written in C that needs to parse and understand php arrays that have been serialized and stored in a MySQL table. I started writing the parser and realized it's not a trivial task. I'm wondering if there is any source code in C to do what I'm looking for? I googled many different combinations of keywords and nothing useful came up. I even looked at the code in ext/standard/var_unserializer.c, and I don't think that will port to a stand alone application without extensive modifications.

Any help would be greatly appreciated.

Thanks,
Kevin
[PHP] IP Address
Is there a function which returns the IP address of the requestor of the current page?
Re: [PHP] IP Address
On Sat, 21 Oct 2006 19:55:17 -0400 Fred Moses [EMAIL PROTECTED] wrote:
> Is there a function which returns the IP address of the requestor of the current page?
>
> --

Don't think so but there is a superglobal that contains it:

$_SERVER['REMOTE_ADDR']
Re: [PHP] Parsing serialized PHP arrays in C
Kevin Wilcox wrote:
> I have a feeling this may be the wrong group to ask this question, but I thought that if it is, someone can point me in the right direction.
>
> I'm working on an application written in C that needs to parse and understand php arrays that have been serialized and stored in a MySQL table. I started writing the parser and realized it's not a trivial task. I'm wondering if there is any source code in C to do what I'm looking for? I googled many different combinations of keywords and nothing useful came up. I even looked at the code in ext/standard/var_unserializer.c, and I don't think that will port to a stand alone application without extensive modifications.

Why not? It is a rather simple re2c parser. Don't look at var_unserializer.c, look at var_unserializer.re and read up on re2c.

http://re2c.org/

You would obviously want to replace the creation of internal PHP data types with whatever you want to unserialize to in your app, but I don't see how you would find any code somewhere else where you wouldn't need to yank out the destination code from since that is going to be the unique part in each implementation. And if you use the same re2c grammar that PHP uses, it will be correct. Using any other implementation likely wouldn't be.

Of course, I also wouldn't suggest using serialized PHP for a target that wasn't PHP. Why don't you look at json or perhaps wddx instead?

-Rasmus