php-general Digest 21 Oct 2006 11:02:46 -0000 Issue 4413

2006-10-21 Thread php-general-digest-help

Topics (messages 243415 through 243420):

Daylight saving time
243415 by: Raphael Chasse

Re: User question for PHP
243416 by: chris smith
243418 by: Jochem Maas
243419 by: chris smith

Re: Creating Tree Structure from associative array
243417 by: Jochem Maas

Re: Weird stack trace in error_log from PDOException
243420 by: Roman Neuhauser

Administrivia:

To subscribe to the digest, e-mail:
[EMAIL PROTECTED]

To unsubscribe from the digest, e-mail:
[EMAIL PROTECTED]

To post to the list, e-mail:
php-general@lists.php.net


--
---BeginMessage---
Hello,
 
Regarding PHP5 bug #35296, http://bugs.php.net/bug.php?id=35296
 
I assume that it has been fixed in PHP5 for a while now  (any version higher 
than PHP 5.0.5 ).
 
Could someone tell me if PHP4 has been corrected as well? In other words, what 
is the oldest version of PHP4 that contains the bug fix?
 
 
Thank you,
 
--
Raphaël Chassé
---End Message---
---BeginMessage---

On 10/21/06, Ivo F.A.C. Fokkema [EMAIL PROTECTED] wrote:

On Fri, 20 Oct 2006 23:24:14 +1000, chris smith wrote:

 On 10/20/06, Ivo F.A.C. Fokkema [EMAIL PROTECTED] wrote:
 On Fri, 20 Oct 2006 15:49:14 +1000, Chris wrote:

  Andy Hultgren wrote:
  To whoever was asking this (sorry didn't see the original email):
 
  Is it possible to have a PHP script execute as the user of the domain
  instead of the webserver? So when I upload files through a PHP script
  they are owned by me and not wwwrun or nobody?
 
  I was recently exchanging on this list about that very topic.  It's in the
  archives for this list.  Go to www.php.net and set the dropdown menu in the
  upper right corner of the page to general mailing list, then type File
  Upload Security and chmod into the search field and hit enter.  The
  conversation is within the first few hits on this search.
  The server hosting my site runs with php executing as me (the owner of the
  domain), and we covered some of the potential security pitfalls of such a
  situation (mainly centered on the fact that this makes any php script far
  too powerful).  In my situation I couldn't change how the server was set up;
  however, the general consensus was that this situation created a number of
  serious security concerns that had to be very carefully addressed.  I would
  avoid this configuration if you have the choice, based purely on the advice
  I received.
 
  Actually you have that the wrong way around.
 
  If php is running as www or nobody then any files or directories
  that a php script creates will be done as the web server user.
 
  That means (potentially) that if domain 'a' creates a file, domain 'b'
  can read and write to that file and even delete it.
 
 
  If php is running as you instead, you can control this with appropriate
  chmod commands (at least removing the risk of deleting of files /
  updating of files).
 
  A shared user (like www or nobody) is a *much* bigger risk than
  separate users.

 Unless those separate users have a little more access than just SSH
 and FTP access to the machine... I guess that if anyone with special
 rights carelessly activates suPHP and leaves the PHP files owned by him,
 you'd have PHP scripts capable of reading out special log files and
 whatnot.

 To my experience, apache (with PHP running as www-data or nobody or
 whatever) will not be able to create files or folders without user
 intervention (chmod, chown), thus no updating and removing is possible
 either by default.

 php running through apache:

 <?php
 mkdir('/path/to/dir');
 ?>

 Making that in a shared location will allow *any* domain to write to
 it, read from it or delete it (forget about possible open_basedir
 restrictions).

I see your point and I agree this is an issue, but given the
relatively small incidence of such a situation, I personally would not say
this is a much bigger problem than a PHP file being able to remove all
other files owned by the same owner (i.e. usually the whole site at least)...


Running it as separate users removes safe-mode problems (the file
uploaded will be as www or nobody, the script trying to access it
is user), stops you having to have '777' type permissions on temp
or data directories, user a can't do anything to user b's files
and so on. Plus if your domain gets hacked through php, they can
*only* do damage to your domain. They'd have to hack the other domains
on the server because they are owned by different users...

--
Postgresql  php tutorials
http://www.designmagick.com/
---End Message---
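
The exposure discussed in this thread can be checked from the owning account. The following is an added example, not code from the thread: it lists entries under a site directory that are world-writable or owned by a different uid, using a sample tree constructed in a temporary directory and assuming a POSIX filesystem.

```php
<?php
// Added example: report entries under a site directory that other accounts
// on a shared host could modify. All paths below are constructed sample data.

/** Return one line per entry under $root that is world-writable or not owned by $ownerUid. */
function auditTree(string $root, int $ownerUid): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST   // report directories as well as files
    );
    foreach ($it as $path => $info) {
        if ($info->isLink()) {
            continue; // do not judge link targets outside the tree
        }
        $mode = $info->getPerms() & 0777;
        $reasons = [];
        if ($mode & 0002) {
            $reasons[] = 'world-writable';
        }
        if ($info->getOwner() !== $ownerUid) {
            $reasons[] = 'owned by uid ' . $info->getOwner();
        }
        if ($reasons) {
            $findings[] = sprintf('%04o %s (%s)', $mode, $path, implode(', ', $reasons));
        }
    }
    sort($findings);
    return $findings;
}

// Constructed sample tree: one directory opened up with 0777, as a shared
// web-server user typically needs, and one kept private to the owning account.
$root = sys_get_temp_dir() . '/audit-demo-' . getmypid();
mkdir("$root/uploads", 0777, true);
chmod("$root/uploads", 0777);            // explicit chmod: mkdir() is subject to umask
mkdir("$root/private", 0700);
file_put_contents("$root/private/config.php", "<?php // sample\n");
chmod("$root/private/config.php", 0600);

// The owner of the site root is taken as the expected owner of everything below it.
foreach (auditTree($root, (int) fileowner($root)) as $line) {
    echo $line, PHP_EOL;
}

// Remove the sample tree again.
unlink("$root/private/config.php");
rmdir("$root/private");
rmdir("$root/uploads");
rmdir($root);
```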
---BeginMessage---
chris smith wrote:
 On 10/21/06, Ivo F.A.C. Fokkema [EMAIL PROTECTED] wrote:
 On Fri, 20 Oct 2006 23:24:14 +1000, chris smith wrote:

  On 10/20/06, Ivo F.A.C. Fokkema [EMAIL PROTECTED] wrote:



 
  To my experience, apache (with PHP running as www-data or nobody or
  whatever) 

php-general Digest 21 Oct 2006 23:25:55 -0000 Issue 4414

2006-10-21 Thread php-general-digest-help

Topics (messages 243421 through 243429):

Re: How to recognise url in a block of text
243421 by: AYSERVE.NET

Berger table algorithm?
243422 by: Szymon

Re: Weird stack trace in error_log from PDOException
243423 by: Russ Brown

Re: Check HTML style sheet?
243424 by: Rafael
243428 by: Al

Re: A problem with dates
243425 by: David Robley

One-page password-protected file
243426 by: Dotan Cohen
243427 by: Dotan Cohen

Parsing serialized PHP arrays in C
243429 by: Kevin Wilcox


Re: [PHP] Weird stack trace in error_log from PDOException

2006-10-21 Thread Roman Neuhauser
# [EMAIL PROTECTED] / 2006-10-19 16:05:58 -0500:
 try
 {
 $objStatement->execute($arrParams);
 $intID = $objStatement->fetchColumn();
 $objStatement->closeCursor();
 }
 catch (PDOException $objEx)
 {
 error_log(get_class($objEx));
 // Actually handle the exception
 }
 
 The query runs a stored procedure which sometimes results in an
 (expected) error condition which the catch block handles. It all works
 perfectly, with one exception: Inbetween the call to fetchColumn and the
 catch block being invoked, PHP dumps a stack trace to the error log
 complaining about the exception, and I can't for the life of me figure
 out why or how to stop it.

A wild guess: do you have xdebug enabled?

-- 
How many Vietnam vets does it take to screw in a light bulb?
You don't know, man.  You don't KNOW.
Cause you weren't THERE. http://bash.org/?255991

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Re: How to recognise url in a block of text

2006-10-21 Thread AYSERVE.NET

Wow, that was deep but I'll try to see to what you're saying.
Bunmi
www.ayserve.net
www.budelak.com

Robin Vickery wrote:

On 18/10/06, AYSERVE.NET [EMAIL PROTECTED] wrote:

Hello Guys,
I thought I was home and dry when the program worked fine on my windows
but when I ran from my Linux server, I keep getting a url like:
http://www.website.com/pdf/ED1.pdf%A0 instead of
http://www.website.com/pdf/ED1.pdf.


I'd look at the text that you're working on rather than the regexp. It
looks like some characterset conversion is going wrong - 0xA0 is the
latin-1 non-breaking space character. I expect that on your linux
machine that it's being converted to %0A at some point which is
perfectly valid in a URL.

But I'm just guessing.

-robin





[PHP] Berger table algorithm?

2006-10-21 Thread Szymon
Hello,

I'm looking for a Berger table generation solution in PHP, for any (parity) 
number of teams. I've been working on it for a couple of hours, but haven't made 
anything useful. Please help! :)

-- 
Szymon




Re: [PHP] Weird stack trace in error_log from PDOException

2006-10-21 Thread Russ Brown
Roman Neuhauser wrote:
 # [EMAIL PROTECTED] / 2006-10-19 16:05:58 -0500:
 try
 {
 $objStatement->execute($arrParams);
 $intID = $objStatement->fetchColumn();
 $objStatement->closeCursor();
 }
 catch (PDOException $objEx)
 {
 error_log(get_class($objEx));
 // Actually handle the exception
 }

 The query runs a stored procedure which sometimes results in an
 (expected) error condition which the catch block handles. It all works
 perfectly, with one exception: Inbetween the call to fetchColumn and the
 catch block being invoked, PHP dumps a stack trace to the error log
 complaining about the exception, and I can't for the life of me figure
 out why or how to stop it.
 
 A wild guess: do you have xdebug enabled?
 

BINGO!

Excellent, thanks for that. I'd never even considered xdebug.

I only really have it installed for coverage in phing. I suppose I
really should check out what else xdebug can do as it might be handy.

Thanks again!




[PHP] Re: Check HTML style sheet?

2006-10-21 Thread Rafael
	For PHP, the HTML is pretty much a bunch of chars (a string) and 
nothing more, which leaves one (initial) option: search the HTML 
for a given string.


Marc Roberts wrote:
Is it possible to use php to check that the .css file in the html of a 
web page is the correct one e.g. check if the file included in the html 
is new.css.


I think I will have to write a regex but if anyone has any ideas (or 
already has a regex to do this), it would be much appreciated.


Thanks,
Marc


--
Atentamente / Sincerely,
J. Rafael Salazar Magaña




[PHP] Re: A problem with dates

2006-10-21 Thread David Robley
Dave Goodchild wrote:

 Hi all. I have an online events directory and am having some issues with
 date calculations. I have a table of dates (next year) and an events table
 - which have a many to many relationship and so use an intermediary
 mapping table called dates_events. All good - when the user enters a
 single, multi-day, daily or monthly event the event is entered into its
 table and some calculations done to enter values in the mapping table.
 When I perform a search all the events fall on their specified dates.
 
 Apart from weekly events that is. When a user enters a weekly event, the
 system looks at the start and end dates, finds out the ids of all the
 dates in the date table in increments of 7, and adds the mappings.
 
 When the weekly events are viewed, every 4 weeks they shift forward by one
 day over the week. There is some kind of ominous pattern here, but the
 maths is very simple (increment by 7) and so I thought I'd see if anyone
 can spot this right away before I dedicate my weekend to poring through
 PHP and mySQL date maths.
 
 Thanks in advance!
 

Have you checked that daylight saving time changes don't interfere with
your calculations?



Cheers
-- 
David Robley

It's not the principle of the thing, it's the money
Today is Setting Orange, the 3rd day of The Aftermath in the YOLD 3172. 




[PHP] One-page password-protected file

2006-10-21 Thread Dotan Cohen

I'm in the horrible situation where I need a one-page script to hold
its own password and validate itself. I coded this together, I want
this list's opinion as to whether or not it holds water, considering
the circumstance:

<?php

$sha1_pw="5218lm849l394k1396dip4'2561lq19k967e'30";

if ( $_COOKIE["password"] != sha1($sha1_pw) ) {
   $varis=explode("/",$PATH_INFO);
   $pre_password=explode(,$varis[1]); // delimiter string lost in the archived copy
   if ( sha1( substr($pre_password[0],0) ) == $sha1_pw ) {
      setcookie("password", sha1($sha1_pw) );
      header("Location: ".$_SERVER["SCRIPT_NAME"]."/".rand(999,9));
      exit;
   } else {
      print "Fvck Off";
      exit;
   }
}

// REST OF PAGE

?>

The idea is that the user could call the page like this:
http://server.com/directory/page.php/MyPassword
and the page would refresh to not show his password, yet keep him logged in.

Thanks for any and all input.

Dotan Cohen

http://nanir.com
http://what-is-what.com/what_is/html.html




[PHP] Re: One-page password-protected file

2006-10-21 Thread Dotan Cohen

On 21/10/06, Dotan Cohen [EMAIL PROTECTED] wrote:

I'm in the horrible situation where I need a one-page script to hold
its own password and validate itself. I coded this together, I want
this list's opinion as to whether or not it holds water, considering
the circumstance:

<?php

$sha1_pw="5218lm849l394k1396dip4'2561lq19k967e'30";

if ( $_COOKIE["password"] != sha1($sha1_pw) ) {
   $varis=explode("/",$PATH_INFO);
   $pre_password=explode(,$varis[1]); // delimiter string lost in the archived copy
   if ( sha1( substr($pre_password[0],0) ) == $sha1_pw ) {
      setcookie("password", sha1($sha1_pw) );
      header("Location: ".$_SERVER["SCRIPT_NAME"]."/".rand(999,9));
      exit;
   } else {
      print "Fvck Off";
      exit;
   }
}

// REST OF PAGE

?>

The idea is that the user could call the page like this:
http://server.com/directory/page.php/MyPassword
and the page would refresh to not show his password, yet keep him logged in.

Thanks for any and all input.


I should probably add more detail. I didn't want even the sha1 hashed
password stored in the cookie, so the sha1 hash is sha1 hashed
again. That way, the password is not stored in plain text anywhere,
and the sha1 hash of the password is stored only on the server.

Like I said, the file must be self-contained. What do the list members
think of this solution? Thanks.

Dotan Cohen

http://lahes.com
http://what-is-what.com/what_is/open_office.html
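
A hardened single-file variant of the gate posted in the two messages above, as an added example that is not code from the thread: the password travels in a POST body and is checked with password_verify(), and the cookie carries only a random session id instead of a fixed value derived from the stored hash. PASSWORD_HASH is a placeholder to be replaced; HTTPS and PHP 7.3 or later are assumed.

```php
<?php
// Added example: self-contained password gate for a single page.
// PASSWORD_HASH is a placeholder (every login fails until it is replaced).
// Generate a real value on the command line and paste it in:
//   php -r 'echo password_hash("your password", PASSWORD_DEFAULT), PHP_EOL;'
const PASSWORD_HASH = 'REPLACE_WITH_OUTPUT_OF_password_hash';

// The session cookie holds a random id only. Unlike a cookie set to
// sha1(stored hash), it cannot be computed from this file's source and
// stops working when the session ends.
session_set_cookie_params([
    'httponly' => true,      // not readable from JavaScript
    'secure'   => true,      // sent over HTTPS only (assumption: site uses HTTPS)
    'samesite' => 'Strict',  // not sent on cross-site requests
]);
session_start();

if (empty($_SESSION['authenticated'])) {
    $submitted = $_POST['password'] ?? null;

    // POST body instead of /page.php/MyPassword: the password stays out of
    // the access log, the browser history and Referer headers.
    // password_verify() checks against a salted, slow hash and compares in
    // constant time, unlike == or != on unsalted SHA-1 hex strings.
    if (is_string($submitted) && password_verify($submitted, PASSWORD_HASH)) {
        session_regenerate_id(true);            // new id after login (session fixation)
        $_SESSION['authenticated'] = true;
        // Redirect so that a reload does not resubmit the password.
        header('Location: ' . $_SERVER['SCRIPT_NAME'], true, 303);
        exit;
    }

    // No password sent yet: show the form. Wrong password: same form, 403.
    http_response_code($submitted === null ? 200 : 403);
    ?>
    <form method="post">
      <label>Password <input type="password" name="password" autofocus></label>
      <button type="submit">Log in</button>
    </form>
    <?php
    exit;
}

// REST OF PAGE
```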




[PHP] Re: Check HTML style sheet?

2006-10-21 Thread Al

Marc Roberts wrote:
Is it possible to use php to check that the .css file in the html of a 
web page is the correct one e.g. check if the file included in the html 
is new.css.


I think I will have to write a regex but if anyone has any ideas (or 
already has a regex to do this), it would be much appreciated.


Thanks,
Marc


Be more specific.  What determines the correct one?
Is there a list of the correct ones some place?
Do you want to see if the css file name in the html header exists in the 
directory?
What?




[PHP] Parsing serialized PHP arrays in C

2006-10-21 Thread Kevin Wilcox

I have a feeling this may be the wrong group to ask this question, but
I thought that if it is, someone can point me in the right direction.

I'm working on an application written in C that needs to parse and
understand php arrays that have been serialized and stored in a MySQL
table. I started writing the parser and realized it's not a trivial
task. I'm wondering if there is any source code in C to do what I'm
looking for? I googled many different combinations of keywords and
nothing useful came up. I even looked at the code in
ext/standard/var_unserializer.c, and I don't think that will port to a
stand alone application without extensive modifications.

Any help would be greatly appreciated.

Thanks,
Kevin




[PHP] IP Address

2006-10-21 Thread Fred Moses
Is there a function which returns the IP address of the requestor of the 
current page?





Re: [PHP] IP Address

2006-10-21 Thread Greg Maruszeczka
On Sat, 21 Oct 2006 19:55:17 -0400
Fred Moses [EMAIL PROTECTED] wrote:

 Is there a function which returns the IP address of the requestor of the 
 current page?
 
 -- 


Don't think so but there is a superglobal that contains it:

$_SERVER['REMOTE_ADDR']




Re: [PHP] Parsing serialized PHP arrays in C

2006-10-21 Thread Rasmus Lerdorf

Kevin Wilcox wrote:

I have a feeling this may be the wrong group to ask this question, but
I thought that if it is, someone can point me in the right direction.

I'm working on an application written in C that needs to parse and
understand php arrays that have been serialized and stored in a MySQL
table. I started writing the parser and realized it's not a trivial
task. I'm wondering if there is any source code in C to do what I'm
looking for? I googled many different combinations of keywords and
nothing useful came up. I even looked at the code in
ext/standard/var_unserializer.c, and I don't think that will port to a
stand alone application without extensive modifications.


Why not?  It is a rather simple re2c parser.  Don't look at 
var_unserializer.c, look at var_unserializer.re and read up on re2c.


  http://re2c.org/

You would obviously want to replace the creation of internal PHP data 
types with whatever you want to unserialize to in your app, but I don't 
see how you would find any code somewhere else where you wouldn't need 
to yank out the destination code from since that is going to be the 
unique part in each implementation.  And if you use the same re2c 
grammar that PHP uses, it will be correct.  Using any other 
implementation likely wouldn't be.


Of course, I also wouldn't suggest using serialized PHP for a target 
that wasn't PHP.  Why don't you look at json or perhaps wddx instead?


-Rasmus
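
If the stored values can be re-encoded on the PHP side, the JSON route suggested above looks like this. It is an added example, not code from the thread, assuming PHP 7.3 or later and using constructed sample rows; the C application can then read the column with any JSON parser and never has to interpret PHP's length-prefixed format.

```php
<?php
// Added example: re-encode PHP-serialized values as JSON before another
// program reads them. Function name and sample rows are constructed.

/** Convert one serialized value to JSON, or throw if the input is not valid. */
function serializedToJson(string $serialized): string
{
    // allowed_classes=false: never instantiate classes named in stored data.
    $value = @unserialize($serialized, ['allowed_classes' => false]);

    // unserialize() returns false on failure, which is also what a stored
    // boolean false decodes to, so compare against its one valid encoding.
    if ($value === false && $serialized !== 'b:0;') {
        throw new InvalidArgumentException('not a valid serialized value');
    }

    // JSON_THROW_ON_ERROR surfaces values JSON cannot represent, such as
    // strings that are not valid UTF-8, instead of silently returning false.
    return json_encode($value, JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES);
}

// Constructed sample rows: one valid array, one with a wrong string length.
$rows = [
    serialize(['name' => 'example', 'tags' => ['a', 'b'], 'count' => 3]),
    'a:1:{i:0;s:99:"truncated";}',
];

foreach ($rows as $row) {
    try {
        echo serializedToJson($row), PHP_EOL;
    } catch (Exception $e) {
        // Covers both the InvalidArgumentException above and JsonException.
        echo 'skipped: ', $e->getMessage(), PHP_EOL;
    }
}
```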
