php-general Digest 17 Jul 2008 08:21:49 -0000 Issue 5573
Topics (messages 276931 through 276946):

Copy Function Errors
        276931 by: Wei, Alice J.
        276932 by: Robert Cummings
        276934 by: Wei, Alice J.
        276935 by: Daniel Brown
        276936 by: Robert Cummings
        276937 by: Robert Cummings
        276938 by: Boyd, Todd M.
        276941 by: bruce
        276944 by: Wei, Alice J.

Child PID exit signal Illegal instruction (4)
        276933 by: Schiz0

Re: is there a problem with php script pulling HTML out of database as it writes the page??
        276939 by: Stut
        276940 by: Daniel Brown

Corrupted ZIP files (downloaded via a php script) : Internext Explorer 7
        276942 by: robert mena
        276946 by: Peter Ford

Soap Call Error
        276943 by: VamVan
        276945 by: Jason Norwood-Young

Administrivia:

To subscribe to the digest, e-mail: [EMAIL PROTECTED]
To unsubscribe from the digest, e-mail: [EMAIL PROTECTED]
To post to the list, e-mail: [EMAIL PROTECTED]

----------------------------------------------------------------------

---BeginMessage---
Hi,

I have a snippet of code here:

    shell_exec("tar cvf /var/www/html/test/$id/data.tar /var/www/html/test/$id/data");
    $file1="http:/www.mysite.com/test/$id/data.tar";
    $file2="http://www.mysite2.com/test/$id/.tar";
    copy($file1,$file2);

I got the following error in the access log of the server:

    [Wed Jul 16 15:45:57 2008] [error] PHP Warning: copy(http://www.mysite.com/test/145/data.tar) [<a href='function.copy'>function.copy</a>]: failed to open stream: HTTP wrapper does not support writeable connections. in /var/www/html/beam_calculation.php on line 20

Is there something I could do here to allow my file be copied to the remote server?

Anything is appreciated.

Alice
==
Alice Wei
MIS 2009
School of Library and Information Science
Indiana University Bloomington
[EMAIL PROTECTED]
---End Message---

---BeginMessage---
On Wed, 2008-07-16 at 15:58 -0400, Wei, Alice J. wrote:
> Hi,
>
> I have a snippet of code here:
>
> shell_exec("tar cvf /var/www/html/test/$id/data.tar /var/www/html/test/$id/data");
> $file1="http:/www.mysite.com/test/$id/data.tar";
> $file2="http://www.mysite2.com/test/$id/.tar";
> copy($file1,$file2);
>
> I got the following error in the access log of the server:
>
> [Wed Jul 16 15:45:57 2008] [error] PHP Warning: copy(http://www.mysite.com/test/145/data.tar) [<a href='function.copy'>function.copy</a>]: failed to open stream: HTTP wrapper does not support writeable connections. in /var/www/html/beam_calculation.php on line 20
>
> Is there something I could do here to allow my file be copied to the remote server?

Use the ftp functions.

Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP
---End Message---

---BeginMessage---
>> Hi,
>>
>> I have a snippet of code here:
>>
>> shell_exec("tar cvf /var/www/html/test/$id/data.tar /var/www/html/test/$id/data");
>> $file1="http:/www.mysite.com/test/$id/data.tar";
>> $file2="http://www.mysite2.com/test/$id/.tar";
>> copy($file1,$file2);
>>
>> I got the following error in the access log of the server:
>>
>> [Wed Jul 16 15:45:57 2008] [error] PHP Warning: copy(http://www.mysite.com/test/145/data.tar) [<a href='function.copy'>function.copy</a>]: failed to open stream: HTTP wrapper does not support writeable connections. in /var/www/html/beam_calculation.php on line 20
>>
>> Is there something I could do here to allow my file be copied to the remote server?
>
> Use the ftp functions.

Thanks for the tip. I have revised my code to:

    // define some variables
    $local_file = "C:/Inetpub/wwwroot/test/$id/beamdata.tar";
    $server_file = "http://192.168.10.63/test/$id/beamdata.tar";

    // set up basic connection
    $ftp_server="http://192.168.10.63";
    $conn_id = ftp_connect($ftp_server);

    // login with username and password
    $ftp_user_name="apache";
    $ftp_user_pass="x";
    $login_result = ftp_login($conn_id, $ftp_user_name, $ftp_user_pass);

    // try to download $server_file and save to $local_file
    if (ftp_get($conn_id, $local_file, $server_file, FTP_BINARY)) {
        echo "Successfully written to $local_file\n";
    } else {
        echo "There was a problem\n";
    }

    // close the connection
    ftp_close($conn_id);

I have put this snippet in the local server of where I want the files to be copied to. However, I see this on my remote server in the logs:

    192.168.10.62 - - [16/Jul/2008:16:40:24 -0400] "GET /beam_calculation.php?id=145&no=16 HTTP/1.1" 200 22 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"

Is there something I have missed here?

Alice
---End Message---

---BeginMessage---
On Wed, Jul 16, 2008 at 4:45 PM, Wei, Alice J. [EMAIL PROTECTED] wrote:
> Hi,
>
> I have a snippet of code here:
>
> shell_exec("tar cvf /var/www/html/test/$id/data.tar /var/www/html/test/$id/data");
> $file1="http:/www.mysite.com/test/$id/data.tar";
Re: [PHP] Soap Call Error
On Wed, 2008-07-16 at 17:44 -0700, VamVan wrote:
> Hello Guys,
>
> I have been getting a weird soap exception lately
>
> [faultstring] => looks like we got no XML document
> [faultcode] => Client
> [faultcodens] => http://schemas.xmlsoap.org/soap/envelope/
>
> What does that mean? The call gets properly called and it does what it needs to do, but the response xml is always a $fault? Did anyone have this problem?
>
> I am using php 5.2.6 for the info.

This is usually a malformed XML document - I had the problem recently when fetching an XML document that wasn't complete (no </xml>). Check what you're *actually* getting with something like:

    } catch(SoapFault $exception) {
        // The __getLast*() methods return data only when the SoapClient
        // was created with the 'trace' option enabled.
        $request_xml = $client->__getLastRequestHeaders() . $client->__getLastRequest();
        $response_xml = $client->__getLastResponseHeaders() . $client->__getLastResponse();
        print "Response:".$response_xml;
        print "Request:".$request_xml;
        print $exception;
    }

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: Corrupted ZIP files (downloaded via a php script) : Internext Explorer 7
robert mena wrote:
> Hi,
>
> I have a set of files stored in a directory and I need to serve those via a php script (in order to protect, control access etc).
>
> The problem is that zip files (exe also) get corrupted when I try from IE7. I've read the posts from this list and google etc with no idea of how to solve it.
>
> The stored files are ok (tested from firefox or direct copy). When I use IE7 the file size is smaller. In my test a config.zip with 248 bytes ends up with 214 bytes.
>
> This is the code used
>
> header("Pragma: public");
> header('Expires: '.gmdate('D, d M Y H:i:s').' GMT');
> header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
> header("Cache-Control: private",false);
> header("Content-Type: ".$type);
> if($remove_date_from_file == false)
>     header('Content-Disposition: attachment; filename="'.basename($file).'"');
> else
> {
>     $name_ = substr(basename($file),0,strrpos(basename($file),"."));
>     $ext_ = substr(basename($file),strrpos(basename($file),"."));
>     $new_name_ = substr($name_,0,strlen($name_)-15).$ext_;
>     header('Content-Disposition: attachment; filename="'.$new_name_.'"');
> }
> header("Content-Transfer-Encoding: binary");
> header('Content-Length: '.filesize($file));
> while(!feof($fp))
> {
>     echo fgets($fp) ;
> }
> fclose($fp);
>
> I've added a debug to send me a message with the header and it comes the same way no matter what browser.
>
> Pragma: public
> Expires: Wed, 16 Jul 2008 23:12:00 GMT
> Cache-Control: must-revalidate, post-check=0, pre-check=0
> Cache-Control: private
> Content-Type: application/zip
> Content-Disposition: attachment; filename=config.zip
> Content-Transfer-Encoding: binary
> Content-Length: 248
>
> Am I doing something wrong or do I have to start looking to the server's configuration (like mod_deflate)?

Instead of that looping through every byte, have you tried just using the readfile() function?

In fact, in that code you posted I don't see you opening the file (where does $fp come from?)

Also in your code, you don't flush the file before closing (fflush($fp)), which might make a difference, especially since your result seems to be a few bytes short.

Oh, and make VERY sure that there is *nothing* output to the client before you start pushing the ZIP file out - that definitely leads to corruption of such things, although if you were sending data before changing the headers you would get an error message about that.

What I can't understand is why it might work with one browser and not another...

--
Peter Ford phone: 01580 89
Developer fax: 01580 893399
Justcroft International Ltd., Staplehurst, Kent
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Jul 16, 2008, at 5:28 PM, Stut wrote:
> On 16 Jul 2008, at 19:18, Daniel Brown wrote:
>> On Tue, Jul 15, 2008 at 5:43 PM, Stut [EMAIL PROTECTED] wrote:
>>> Code please, we're not mind readers!
>>
>> I sensed you would say that, Stuart. ;-P
>
> Can you sense what I'm thinking right now?
>
> BTW, if anyone is looking for a PHP5/MySQL dev job in or around Camberley, Surrey, England please drop me your CV. Looking for all levels to join a small team (me + 2 non-devs). Contact me personally for more info. Sorry, remote working is not an option. We will consider both perm and contract but perm is preferred.
>
> Oh, and you'd be working for me so bear that in mind ;)

So would that be a plus or a negative? :P

--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
11287 James St
Holland, MI 49424
www.raoset.com
[EMAIL PROTECTED]
[PHP] Floats and avoid exponential notation - How?
Hi,

From http://www.php.net/manual/en/language.types.float.php (second comment in that page, from kjohnson at zootweb dot com):

PHP switches from the standard decimal notation to exponential notation for certain special floats. You can see a partial list of such special values with this:

Then he goes on about it and finishes with:

I have to be honest: this is one of the strangest things I have seen in any language in over 20 years of coding, and it is a colossal pain to work around.

I have the same problem. I have a big number I have to represent, it's usually 1 followed by 10 zeros, the biggest value I'll have for it is 199, never more than this. I only make one operation with it, (+), most of the time I need that number as a string, and never need its float representation, only the absolute value (in fact, it's never going to have a fractional part). I cannot use integers because it's bigger than the integer range. If it goes to its exponential representation, breaks my code. Users are identified by that number.

I wrote a small function, but cannot be sure if it's going to work (report error when the exponential notation is used by php), mostly because on my tests, I can't precise when and to which of these numbers php chooses to use the exponential notation:

--- code
function checkFloat($float_var) {
    $ar_empty = array();
    $string_var = (string)$float_var;
    $pattern = '/[0-9]|\./'; // From zero to nine and dots
    $match_found = preg_match_all($pattern, $string_var, $ar_empty);
    unset($ar_empty);
    if ($match_found != strlen($string_var)) {
        return false;
    } else {
        return true;
    }
}
--- code

So, any suggestions/thoughts? Is there a way to prevent php from using the exponential notation for a float?

thanks
[PHP] CONFIGURE IONCUBE LOADER WITH SELINUX
Hi! Do anybody have any idea - how to configure ioncubeloader with SELinux on linux? Currently SELinux logs says - SELinux is preventing /usr/sbin/httpd (httpd_t) execmem access to Unknown (httpd_t). apache error log says permission denied. Thanks Kapil
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On 17 Jul 2008, at 11:31, Jason Pruim wrote:
> On Jul 16, 2008, at 5:28 PM, Stut wrote:
>> On 16 Jul 2008, at 19:18, Daniel Brown wrote:
>>> On Tue, Jul 15, 2008 at 5:43 PM, Stut [EMAIL PROTECTED] wrote:
>>>> Code please, we're not mind readers!
>>>
>>> I sensed you would say that, Stuart. ;-P
>>
>> Can you sense what I'm thinking right now?
>>
>> BTW, if anyone is looking for a PHP5/MySQL dev job in or around Camberley, Surrey, England please drop me your CV. Looking for all levels to join a small team (me + 2 non-devs). Contact me personally for more info. Sorry, remote working is not an option. We will consider both perm and contract but perm is preferred.
>>
>> Oh, and you'd be working for me so bear that in mind ;)
>
> So would that be a plus or a negative? :P

That's up to you to decide based on my activity on this list. IOW I have no idea!

-Stut

--
http://stut.net/
Re: [PHP] Corrupted ZIP files (downloaded via a php script) : Internext Explorer 7
At 7:42 PM -0400 7/16/08, robert mena wrote:
> Am I doing something wrong or do I have to start looking to the server's configuration (like mod_deflate)?

I use this -- it seems to work:

    $file="test.zip";
    header("Content-type: application/octet-stream");
    header("Content-Transfer-Encoding: Binary");
    header("Content-length: ".filesize($file));
    header("Content-disposition: attachment; filename=\"".basename($file)."\"");
    readfile($file);

Anyone see a problem with it?

Cheers,

tedd

--
---
http://sperling.com http://ancientstones.com http://earthstones.com
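The two replies on this thread (use readfile(), make sure nothing is output before the file) can be combined with the access-control goal from the original question. The following is an added example, not code posted by anyone on the list; DOWNLOAD_ROOT and both function names are assumptions, and it needs PHP 7.1 or later.

```php
<?php
// Added example, not code from the thread.
// DOWNLOAD_ROOT and the function names are assumptions made for illustration.
const DOWNLOAD_ROOT = '/srv/protected-files'; // hypothetical directory outside the web root

/** Map a requested name to a real file directly under $root, or null. */
function resolve_download(string $requested, string $root = DOWNLOAD_ROOT): ?string
{
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;
    }
    // basename() discards any directory part, so "../" never reaches the filesystem call
    $path = realpath($rootReal . DIRECTORY_SEPARATOR . basename($requested));
    if ($path === false || !is_file($path)) {
        return null;
    }
    // A symlink inside the root could still point elsewhere: compare the resolved prefix
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

/** Send one file as an attachment. The caller has already done its access check. */
function send_download(string $path, string $type = 'application/octet-stream'): void
{
    // Any byte sent before the headers (BOM, whitespace, a notice) ends up in the archive
    if (headers_sent($where, $line)) {
        throw new RuntimeException("output already started at $where:$line");
    }
    // Discard buffered output and switch off PHP-level compression,
    // so the body length equals the Content-Length that is announced
    for ($i = ob_get_level(); $i > 0; $i--) {
        ob_end_clean();
    }
    ini_set('zlib.output_compression', 'Off');

    // Keep quotes and control characters out of the header value
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
    header('Content-Type: ' . $type);
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path); // binary-safe, streams the file without a read loop
}

if (PHP_SAPI === 'cli') {
    // Constructed sample data: a temporary directory holding one small file
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_demo_' . getmypid();
    @mkdir($dir);
    file_put_contents($dir . DIRECTORY_SEPARATOR . 'config.zip', "PK\x05\x06" . str_repeat("\0", 18));
    var_dump(resolve_download('config.zip', $dir));        // path inside $dir
    var_dump(resolve_download('../../etc/passwd', $dir));  // traversal attempt resolves to nothing
    unlink($dir . DIRECTORY_SEPARATOR . 'config.zip');
    rmdir($dir);
}
```

If the web server compresses responses itself (mod_deflate was mentioned in the question), that has to be disabled for this script in the server configuration; the ini_set() call only covers PHP's own compression.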
Re: [PHP] CONFIGURE IONCUBE LOADER WITH SELINUX
Kapil Kapil [EMAIL PROTECTED] wrote:
> Hi!
>
> Do anybody have any idea - how to configure ioncubeloader with SELinux on linux?
>
> Currently SELinux logs says - SELinux is preventing /usr/sbin/httpd (httpd_t) execmem access to Unknown (httpd_t).
>
> apache error log says permission denied.
>
> Thanks
> Kapil

Sure we do! It's even in the manual on how to fix it! Ohhh, and Google has info on it too!

RTFM and STFW and you should be fine.

Wolf
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
At 10:28 PM +0100 7/16/08, Stut wrote:
> Oh, and you'd be working for me so bear that in mind ;)
>
> -Stut

It's no wonder why you haven't found anyone. :-)

Cheers,

tedd

--
---
http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] Floats and avoid exponential notation - How?
On Thu, Jul 17, 2008 at 7:23 AM, k bah [EMAIL PROTECTED] wrote:
> Hi,
>
> From http://www.php.net/manual/en/language.types.float.php (second comment in that page, from kjohnson at zootweb dot com):
>
> PHP switches from the standard decimal notation to exponential notation for certain special floats. You can see a partial list of such special values with this:
>
> Then he goes on about it and finishes with:
>
> I have to be honest: this is one of the strangest things I have seen in any language in over 20 years of coding, and it is a colossal pain to work around.
>
> I have the same problem. I have a big number I have to represent, it's usually 1 followed by 10 zeros, the biggest value I'll have for it is 199, never more than this. I only make one operation with it, (+), most of the time I need that number as a string, and never need its float representation, only the absolute value (in fact, it's never going to have a fractional part). I cannot use integers because it's bigger than the integer range. If it goes to its exponential representation, breaks my code. Users are identified by that number.
>
> I wrote a small function, but cannot be sure if it's going to work (report error when the exponential notation is used by php), mostly because on my tests, I can't precise when and to which of these numbers php chooses to use the exponential notation:
>
> --- code
> function checkFloat($float_var) {
>     $ar_empty = array();
>     $string_var = (string)$float_var;
>     $pattern = '/[0-9]|\./'; // From zero to nine and dots
>     $match_found = preg_match_all($pattern, $string_var, $ar_empty);
>     unset($ar_empty);
>     if ($match_found != strlen($string_var)) {
>         return false;
>     } else {
>         return true;
>     }
> }
> --- code
>
> So, any suggestions/thoughts? Is there a way to prevent php from using the exponential notation for a float?
>
> thanks

Does changing the value of 'precision' in php.ini make a difference? Mine is set to 14, and had no problem rendering that number in standard notation. I'm not sure what kind of problems you're having with this format, but I think this might fix them. (Even if you pass the number in exponential notation to a database, most databases I've worked with will recognize it and handle it correctly.)

If it's just a display issue, will number_format($float_value, 0, '', '') work?

Andrew
RE: [PHP] Copy Function Errors
> Hi Alice...
>
> I just caught/saw this thread. I'm assuming you haven't found/solved what you're trying to do.
>
> So, What exactly are you trying to accomplish? What OS are you running on both the client/server machine? Are you trying to copy from a directory on one box, to a directory on another box? Is this a one time thing? Are the boxes on the same network (physically close together)? Are you able to login to the remote box from your initial server?
>
> Let me know what you're looking to do, and I can probably get you going.
>
> -regards...

All I wanted to do is to copy the file that is sitting on a remote machine to have it copied it over to another remote machine. Since I put the code snippet below on the server that is supposed to accept the files, I would say I am downloading the file here from a remote server to a local server.

It is weird, because I followed Robert's advice and cut out the http:// snippet in my ftp server address, and I have tried both the apache and root password of the actual log in of the FTP, which neither of them worked. Both of the servers have the firewall DNS set up properly, and in my PHP info page, it appears that my FTP is enabled. Is there something else I have missed?

    // define some variables
    $local_file = "C:/Inetpub/wwwroot/test/$id/data.tar";
    $server_file = "http://192.168.10.63/test/$id/data.tar";

    // set up basic connection
    $ftp_server="192.168.10.63";
    $conn_id = ftp_connect($ftp_server);

    // login with username and password
    $ftp_user_name="root";
    $ftp_user_pass="xx!";
    $login_result = ftp_login($conn_id, $ftp_user_name, $ftp_user_pass);

    // try to download $server_file and save to $local_file
    if (ftp_get($conn_id, $local_file, $server_file, FTP_BINARY)) {
        echo "Successfully written to $local_file\n";
    } else {
        echo "There was a problem\n";
    }

    // close the connection
    ftp_close($conn_id);

Thanks in advance.

Alice

-Original Message-
From: Boyd, Todd M. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2008 2:28 PM
To: Wei, Alice J.
Cc: php-general@lists.php.net
Subject: RE: [PHP] Copy Function Errors

> -Original Message-
> From: Wei, Alice J. [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, July 16, 2008 3:46 PM
> To: Robert Cummings
> Cc: php-general@lists.php.net
> Subject: RE: [PHP] Copy Function Errors

---8--- snip

> > > Is there something I could do here to allow my file be copied to the remote server?
> >
> > Use the ftp functions.
>
> Thanks for the tip. I have revised my code to:
>
> // define some variables
> $local_file = "C:/Inetpub/wwwroot/test/$id/beamdata.tar";
> $server_file = "http://192.168.10.63/test/$id/beamdata.tar";
>
> // set up basic connection
> $ftp_server="http://192.168.10.63";
> $conn_id = ftp_connect($ftp_server);
>
> // login with username and password
> $ftp_user_name="apache";
> $ftp_user_pass="x";
> $login_result = ftp_login($conn_id, $ftp_user_name, $ftp_user_pass);
>
> // try to download $server_file and save to $local_file
> if (ftp_get($conn_id, $local_file, $server_file, FTP_BINARY)) {
>     echo "Successfully written to $local_file\n";
> } else {
>     echo "There was a problem\n";
> }
>
> // close the connection
> ftp_close($conn_id);
>
> I have put this snippet in the local server of where I want the files to be copied to. However, I see this on my remote server in the logs:
>
> 192.168.10.62 - - [16/Jul/2008:16:40:24 -0400] "GET /beam_calculation.php?id=145&no=16 HTTP/1.1" 200 22 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
>
> Is there something I have missed here?

Alice,

Here are some Wikipedia articles that should give you a good start on understanding the fundamental differences between the two protocols you are confusing with each other:

http://en.wikipedia.org/wiki/FTP
http://en.wikipedia.org/wiki/HTTP

HTTP itself does not intrinsically handle file uploads in a server/client relationship. Web forms that include file uploads generally have a handler function on the other end, and post files via a form element. FTP's main function is the transfer of files (hence [F]ile [T]ransfer [P]rotocol), and is more in line with what you're trying to do here.

HTH,

Todd Boyd
Web Programmer
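A version of the FTP download from this message with the two points raised in the thread applied (a bare host instead of a URL, and a server path instead of an http:// address), plus return-value checks and validation of $id. This is an added example, not code from any poster; it assumes $id arrives as the id query parameter visible in the quoted log line, that the FTP server exposes the file as /test/<id>/beamdata.tar, and the function names and the FTP_USER / FTP_PASS environment variables are hypothetical. It needs PHP 7.1 or later with the ftp extension.

```php
<?php
// Added example, not code from the thread. Function names, the remote path
// layout and the FTP_USER / FTP_PASS variable names are assumptions.

/** Validate everything that ends up in the connection call or in a file path. */
function plan_transfer(string $id, string $host, string $localRoot): array
{
    // ftp_connect() expects a bare host name or IP address; a URL makes it fail
    if (strpos($host, '://') !== false || strpos($host, '/') !== false) {
        throw new InvalidArgumentException("FTP host must not be a URL: $host");
    }
    // $id is interpolated into paths on both machines, so allow digits only
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('id must consist of digits only');
    }
    return [
        'remote' => "/test/$id/beamdata.tar", // path on the FTP server, not an http:// URL
        'local'  => rtrim($localRoot, '/\\') . "/$id/beamdata.tar",
    ];
}

/** Download the archive and return the local path; throws on every failure. */
function fetch_beamdata(string $id, string $host, string $user, string $pass, string $localRoot): string
{
    $plan = plan_transfer($id, $host, $localRoot);

    $conn = @ftp_connect($host, 21, 10); // 10 second connect timeout
    if ($conn === false) {
        throw new RuntimeException("cannot connect to FTP server $host");
    }
    try {
        // ftp_login() returns false on bad credentials; that result must be checked
        if (!@ftp_login($conn, $user, $pass)) {
            throw new RuntimeException("FTP login rejected for user $user");
        }
        ftp_pasv($conn, true); // passive mode: the client opens the data connection
        $dir = dirname($plan['local']);
        if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
            throw new RuntimeException("cannot create $dir");
        }
        if (!ftp_get($conn, $plan['local'], $plan['remote'], FTP_BINARY)) {
            throw new RuntimeException("download of {$plan['remote']} failed");
        }
    } finally {
        ftp_close($conn);
    }
    return $plan['local'];
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: the first is accepted, the other two are rejected
    // before any network traffic takes place.
    $cases = [['145', '192.168.10.63'], ['145', 'http://192.168.10.63'], ['../145', '192.168.10.63']];
    foreach ($cases as [$id, $host]) {
        try {
            print_r(plan_transfer($id, $host, 'C:/Inetpub/wwwroot/test'));
        } catch (InvalidArgumentException $e) {
            echo 'rejected: ', $e->getMessage(), "\n";
        }
    }
    // Real use, with credentials read from the environment instead of the script:
    // fetch_beamdata('145', '192.168.10.63', getenv('FTP_USER'), getenv('FTP_PASS'), 'C:/Inetpub/wwwroot/test');
}
```

Plain FTP sends the user name and password unencrypted; where the server supports TLS, ftp_ssl_connect() takes the same arguments as ftp_connect().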
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On 17 Jul 2008, at 14:10, tedd wrote:
> At 10:28 PM +0100 7/16/08, Stut wrote:
>> Oh, and you'd be working for me so bear that in mind ;)
>>
>> -Stut
>
> It's no wonder why you haven't found anyone. :-)

Thanks for that tedd.

Seriously though, I'm wondering if my expectations are too high... I expect them to know that addslashes is not adequate protection against SQL injection. I even had one tell me "SQL injection? I can't remember but I'm sure I've used it before." And I won't even go into the guy who asserted that he's always worked with DB administrators who've dealt with security issues so he'd never needed to learn about it.

Am I expecting too much?!?

-Stut

--
http://stut.net/
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Thu, Jul 17, 2008 at 9:10 AM, tedd [EMAIL PROTECTED] wrote:
> At 10:28 PM +0100 7/16/08, Stut wrote:
>> Oh, and you'd be working for me so bear that in mind ;)
>>
>> -Stut
>
> It's no wonder why you haven't found anyone. :-)

I'm just surprised that Manuel Lemos hasn't been in here touting his phpclasses.org professionals site.

--
/Daniel P. Brown
Better prices on dedicated servers:
Intel 2.4GHz/60GB/512MB/2TB $49.99/mo.
Intel 3.06GHz/80GB/1GB/2TB $59.99/mo.
Dedicated servers, VPS, and hosting from $2.50/mo.
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Jul 17, 2008, at 9:55 AM, Stut wrote:
> On 17 Jul 2008, at 14:10, tedd wrote:
>> At 10:28 PM +0100 7/16/08, Stut wrote:
>>> Oh, and you'd be working for me so bear that in mind ;)
>>>
>>> -Stut
>>
>> It's no wonder why you haven't found anyone. :-)
>
> Thanks for that tedd.
>
> Seriously though, I'm wondering if my expectations are too high... I expect them to know that addslashes is not adequate protection against SQL injection. I even had one tell me "SQL injection? I can't remember but I'm sure I've used it before." And I won't even go into the guy who asserted that he's always worked with DB administrators who've dealt with security issues so he'd never needed to learn about it.
>
> Am I expecting too much?!?

From a professional? No... From someone who has taught himself as he went, and has added to his arsenal along the way? Not really that either... Only if you take a total newbie would that be expecting too much...

If I was willing to move I'd apply :) I don't know it all but I'm a quick learner hehe :)

--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
11287 James St
Holland, MI 49424
www.raoset.com
[EMAIL PROTECTED]
Re: [PHP] Copy Function Errors
It sounds to me like your problem is now about the authentication. By default most linux distributions do not give apache a password. I personally think using apache would be a bad idea. How about creating a user on the linux box you're trying to put the files on to make its primary group apache (make sure the group can write to the folder you are putting the files in) and give it a password that is a random string of 20 characters (http://www.goodpassword.com) that only your script knows.

Try testing to make sure you can ftp to the server using a normal ftp client (ftp for the linux command line or http://filezilla-project.org/ is a good one if you're using windows) using the account you created. Make sure you can put files in the directory you will be with the script.

If this all works and your script using the new account is not, I'm sure we can help you debug it further :).

Good luck!

Wei, Alice J. wrote:
>> Hi Alice...
>>
>> I just caught/saw this thread. I'm assuming you haven't found/solved what you're trying to do.
>>
>> So, What exactly are you trying to accomplish? What OS are you running on both the client/server machine? Are you trying to copy from a directory on one box, to a directory on another box? Is this a one time thing? Are the boxes on the same network (physically close together)? Are you able to login to the remote box from your initial server?
>>
>> Let me know what you're looking to do, and I can probably get you going.
>>
>> -regards...
>
> All I wanted to do is to copy the file that is sitting on a remote machine to have it copied it over to another remote machine. Since I put the code snippet below on the server that is supposed to accept the files, I would say I am downloading the file here from a remote server to a local server.
>
> It is weird, because I followed Robert's advice and cut out the http:// snippet in my ftp server address, and I have tried both the apache and root password of the actual log in of the FTP, which neither of them worked. Both of the servers have the firewall DNS set up properly, and in my PHP info page, it appears that my FTP is enabled. Is there something else I have missed?
>
> // define some variables
> $local_file = "C:/Inetpub/wwwroot/test/$id/data.tar";
> $server_file = "http://192.168.10.63/test/$id/data.tar";
>
> // set up basic connection
> $ftp_server="192.168.10.63";
> $conn_id = ftp_connect($ftp_server);
>
> // login with username and password
> $ftp_user_name="root";
> $ftp_user_pass="xx!";
> $login_result = ftp_login($conn_id, $ftp_user_name, $ftp_user_pass);
>
> // try to download $server_file and save to $local_file
> if (ftp_get($conn_id, $local_file, $server_file, FTP_BINARY)) {
>     echo "Successfully written to $local_file\n";
> } else {
>     echo "There was a problem\n";
> }
>
> // close the connection
> ftp_close($conn_id);
>
> Thanks in advance.
>
> Alice
>
> -Original Message-
> From: Boyd, Todd M. [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, July 16, 2008 2:28 PM
> To: Wei, Alice J.
> Cc: php-general@lists.php.net
> Subject: RE: [PHP] Copy Function Errors
>
>> -Original Message-
>> From: Wei, Alice J. [mailto:[EMAIL PROTECTED]
>> Sent: Wednesday, July 16, 2008 3:46 PM
>> To: Robert Cummings
>> Cc: php-general@lists.php.net
>> Subject: RE: [PHP] Copy Function Errors
>
> ---8--- snip
>
>>>> Is there something I could do here to allow my file be copied to the remote server?
>>>
>>> Use the ftp functions.
>>
>> Thanks for the tip. I have revised my code to:
>>
>> // define some variables
>> $local_file = "C:/Inetpub/wwwroot/test/$id/beamdata.tar";
>> $server_file = "http://192.168.10.63/test/$id/beamdata.tar";
>>
>> // set up basic connection
>> $ftp_server="http://192.168.10.63";
>> $conn_id = ftp_connect($ftp_server);
>>
>> // login with username and password
>> $ftp_user_name="apache";
>> $ftp_user_pass="x";
>> $login_result = ftp_login($conn_id, $ftp_user_name, $ftp_user_pass);
>>
>> // try to download $server_file and save to $local_file
>> if (ftp_get($conn_id, $local_file, $server_file, FTP_BINARY)) {
>>     echo "Successfully written to $local_file\n";
>> } else {
>>     echo "There was a problem\n";
>> }
>>
>> // close the connection
>> ftp_close($conn_id);
>>
>> I have put this snippet in the local server of where I want the files to be copied to. However, I see this on my remote server in the logs:
>>
>> 192.168.10.62 - - [16/Jul/2008:16:40:24 -0400] "GET /beam_calculation.php?id=145&no=16 HTTP/1.1" 200 22 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
>>
>> Is there something I have missed here?
>
> Alice,
>
> Here are some Wikipedia articles that should give you a good start on understanding the fundamental differences between the two protocols you are confusing with each other:
>
> http://en.wikipedia.org/wiki/FTP
> http://en.wikipedia.org/wiki/HTTP
>
> HTTP itself does not intrinsically handle file uploads in a server/client relationship. Web forms that include file uploads generally have a handler function on the other end, and post files via a form
Re: [PHP] CONFIGURE IONCUBE LOADER WITH SELINUX
On Thu, Jul 17, 2008 at 9:05 AM, Wolf [EMAIL PROTECTED] wrote:
> Sure we do! It's even in the manual on how to fix it! Ohhh, and Google has info on it too!
>
> RTFM and STFW and you should be fine.

What Wolf meant to say was that it's not a PHP issue, and thus, this forum won't be of as much help to you as an appropriate avenue. ;-P

As suggested, STFW:

http://google.com/search?q=SELinux+is+preventing+execmem+access+to+Unknown+(httpd_t)

And the very first link appears to have the solution:

http://www.linuxquestions.org/questions/red-hat-31/selinux-help-651520/

In the future, though, please write to the appropriate list(s).

--
/Daniel P. Brown
Better prices on dedicated servers:
Intel 2.4GHz/60GB/512MB/2TB $49.99/mo.
Intel 3.06GHz/80GB/1GB/2TB $59.99/mo.
Dedicated servers, VPS, and hosting from $2.50/mo.
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On 7/17/08, Stut [EMAIL PROTECTED] wrote:
> On 17 Jul 2008, at 14:10, tedd wrote:
>> At 10:28 PM +0100 7/16/08, Stut wrote:
>>> Oh, and you'd be working for me so bear that in mind ;)
>>>
>>> -Stut
>>
>> It's no wonder why you haven't found anyone. :-)
>
> Thanks for that tedd.
>
> Seriously though, I'm wondering if my expectations are too high... I expect them to know that addslashes is not adequate protection against SQL injection. I even had one tell me "SQL injection? I can't remember but I'm sure I've used it before." And I won't even go into the guy who asserted that he's always worked with DB administrators who've dealt with security issues so he'd never needed to learn about it.
>
> Am I expecting too much?!?
>
> -Stut

Surely you're being rhetorical, Stut, but no, you're not expecting too much. However the guy(s) who worked in a larger organization likely did have a very clear delineation of roles and responsibilities, as I am experiencing in a new position, and therefore may not be current on best practices in areas outside of their role. When my group leader instituted the current policy regarding job functions, a number of the open source guys decided their unused skills were eroding and/or they were not being exposed to new learning, and they left the company.

--David.
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Thu, Jul 17, 2008 at 9:55 AM, Stut [EMAIL PROTECTED] wrote:
> Seriously though, I'm wondering if my expectations are too high... I expect them to know that addslashes is not adequate protection against SQL injection. I even had one tell me "SQL injection? I can't remember but I'm sure I've used it before." And I won't even go into the guy who asserted that he's always worked with DB administrators who've dealt with security issues so he'd never needed to learn about it.

1.) It's obvious that addslashes() is not protection against SQL injection attacks. That's why God invented htmlentities() and flatfile databases.

2.) No PHP programmer should ever be required to know anything about databases, server management, mail, or anything. This is because we all know that we'll someday all work in a Google-like atmosphere with enough funding to hire other people to work with databases, servers, HTML, and even a Senior JavaScript Engineer.

3.) SQL injection is just a buzzphrase. I already know where baby databases come from.

4.) Any web programmer worth his or her salt knows that PHP, while a great language, is not compatible with all browsers. Especially Microsoft. For people using Windows, you'll need to have an ASP website.

5.) Never sanitize input. It takes too long, and unless you're dealing with credit cards, no one will ever want to hack your website. If you are taking credit cards, store them in a firewalled database.

6.) If you need to copy files from one server to another, make sure you use FTP over HTTP. It's more secure.

7.) register_globals is your friend.

8.) The best, most-scalable way to create an expandable website is to use a switch page. Just tack on a ?page=faq.php query to your GET request, and have PHP automatically `include($page)` (see point #7) in your switch file.

9.) NEVER store passwords in a PHP script. Instead, store them in a file named `inc/config.inc` in the web directory, and include them.

10.) If running a picture- or file-sharing website, make things easier on your users and yourself. Allow users to delete their files by using a simple link like: http://www.example.com/delete.php?file=images/mygraphic.jpg. Then, in delete.php, have only one line: `<?php unlink($file); ?>` (again, see point #7 --- see how much that's coming in handy now?)

11.) The most important rule EVER: if you ever have the slightest problem, DO NOT bother to search the [EMAIL PROTECTED] web (STFW) or read the [EMAIL PROTECTED] manual (RTFM). There is a mailing list for that. Please ask any and all questions there, including why your MP3's aren't streaming on your AnalogX webserver from your home PC to your buddies in Antarctica after you turn your computer off. But when I turn my computer off, the rest of the Internet still works! Hlp me pls!!!1!

We are here only to serve you. People on mailing lists are paid to write your code and do your homework for you, and you should expect nothing but the best, immediate answers, 24/7/365. If they don't respond within 90 seconds, please repost your message every 90 seconds until someone does.

When in doubt, hijack a thread.

--
/Daniel P. Brown
Better prices on dedicated servers:
Intel 2.4GHz/60GB/512MB/2TB $49.99/mo.
Intel 3.06GHz/80GB/1GB/2TB $59.99/mo.
Dedicated servers, VPS, and hosting from $2.50/mo.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
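Items 8 and 10 of the list above describe a page switch and a delete link driven directly by request parameters. As an added example (not code from the thread), here are the same two features written so that the request selects a key or a bare file name and never a path; the page names, directory layout and the session keys `user_id` and `csrf` are assumptions.

```php
<?php
// Added example, not code from the thread. Page names, directories and the
// session keys 'user_id' and 'csrf' are assumptions for illustration.

const PAGES = ['home' => 'home.php', 'faq' => 'faq.php'];

/** Map a ?page= value to a file from a fixed list; the request never supplies a path. */
function resolve_page(string $pageDir, $key): string
{
    $file = is_string($key) && array_key_exists($key, PAGES) ? PAGES[$key] : PAGES['home'];
    return $pageDir . '/' . $file;
}

/**
 * Resolve a file name inside one user's upload directory, or return null.
 * Layout assumed here: <uploadDir>/<numeric user id>/<file name>.
 */
function resolve_user_file(string $uploadDir, int $userId, string $name): ?string
{
    // A bare file name only: no separators, no leading dot, bounded length.
    if (preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,99}\z/', $name) !== 1) {
        return null;
    }
    $userDir = realpath($uploadDir . '/' . $userId);
    if ($userDir === false) {
        return null;
    }
    // realpath() follows symlinks, so the prefix test is made on the real location.
    $path = realpath($userDir . '/' . $name);
    if ($path === false || !is_file($path)
        || strpos($path, $userDir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

/** Delete one of the caller's own files; returns the HTTP status to send. */
function handle_delete(string $uploadDir, array $session, array $post): int
{
    $token = $post['csrf'] ?? null;
    $name  = $post['file'] ?? null;
    if (!isset($session['user_id'], $session['csrf'])
        || !is_string($token) || !is_string($name)
        || !hash_equals((string) $session['csrf'], $token)) {
        return 403;   // not logged in, or the request did not come from our own form
    }
    $path = resolve_user_file($uploadDir, (int) $session['user_id'], $name);
    if ($path === null) {
        return 404;   // same answer for "missing" and "not yours"
    }
    return unlink($path) ? 204 : 500;
}

if (PHP_SAPI === 'cli') {
    // Constructed fixture: two users with one file each in a temp directory.
    $root = sys_get_temp_dir() . '/uploads_' . bin2hex(random_bytes(4));
    mkdir("$root/42", 0700, true);
    mkdir("$root/7", 0700, true);
    file_put_contents("$root/42/mygraphic.jpg", 'x');
    file_put_contents("$root/7/other.jpg", 'x');

    $session  = ['user_id' => 42, 'csrf' => bin2hex(random_bytes(16))];
    $requests = ['mygraphic.jpg', 'images/mygraphic.jpg', '../7/other.jpg'];
    foreach ($requests as $file) {
        $status = handle_delete($root, $session, ['csrf' => $session['csrf'], 'file' => $file]);
        printf("delete %-22s -> HTTP %d\n", $file, $status);
    }
    printf("other user's file still present: %s\n",
        var_export(is_file("$root/7/other.jpg"), true));

    // Page switch: a known key, the file-name form from item 8, and an absolute path.
    foreach (['faq', 'faq.php', '/var/www/mywebsite.com/somedir/faq.php'] as $page) {
        printf("?page=%s -> %s\n", $page, resolve_page('/srv/app/pages', $page));
    }
}
```

In a web request the delete handler would be wired to POST only, with `$_SESSION` and `$_POST` passed in and the returned status sent through `http_response_code()`.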
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
Bad day Dan? :-)

Andrew
RE: [PHP] Copy Function Errors
> It sounds to me like your problem is now about the authentication. By default most linux distributions do not give apache a password. I personally think using apache would be a bad idea. How about creating a user on the linux box you're trying to put the files on to make its primary group apache (make sure the group can write to the folder you are putting the files in) and give it a password that is a random string of 20 characters (http://www.goodpassword.com) that only your script knows.
>
> Try testing to make sure you can ftp to the server using a normal ftp client (ftp for the linux command line or http://filezilla-project.org/ is a good one if you're using windows) using the account you created. Make sure you can put files in the directory you will be with the script.
>
> If this all works and your script using the new account is not, I'm sure we can help you debug it further :). Good luck!

You are right, there is something terribly wrong with my authentication. I have added one user called test and gave it a fixed password. Since the information where I intend to extract from is a Linux machine, and the location where it is meant to copy to is the Windows server. I tested it using the SSH Shell from the Windows machine to make sure it is working. It does.

I have modified the script where it does the authentication to the following:

```php
// set up basic connection
$ftp_server = "192.168.10.63";
$conn_id = ftp_connect($ftp_server) or die("Failed to Connect");

// login with username and password
$ftp_user_name = "somename";
$ftp_user_pass = "somepass";
$login_result = ftp_login($conn_id, $ftp_user_name, $ftp_user_pass) or die("Failed to Login");

// try to download $server_file and save to $local_file
if (ftp_get($conn_id, $local_file, $server_file, FTP_BINARY)) {
    echo "Successfully written to $local_file\n";
} else {
    echo "There was a problem\n";
}
```

When I executed the script, it now prompts me back "Failed to Connect" as in the first die statement. I am confused because when I use the SSH with Filezilla or other SFTP clients, I used the same user and passwords here and have received no errors.

I don't know if I should put the user_name and user_pass from this file to the httpd.conf, though. Currently, this is not set.

Thanks in advance.

Alice

> Wei, Alice J. wrote:
>>> Hi Alice...
>>>
>>> I just caught/saw this thread. I'm assuming you haven't found/solved what you're trying to do.
>>>
>>> So, What exactly are you trying to accomplish? What OS are you running on both the client/server machine? Are you trying to copy from a directory on one box, to a directory on another box? Is this a one time thing? Are the boxes on the same network (physically close together)? Are you able to login to the remote box from your initial server?
>>>
>>> Let me know what you're looking to do, and I can probably get you going.
>>>
>>> -regards...
>>
>> All I wanted to do is to copy the file that is sitting on a remote machine to have it copied it over to another remote machine. Since I put the code snippet below on the server that is supposed to accept the files, I would say I am downloading the file here from a remote server to a local server.
>>
>> It is weird, because I followed Robert's advice and cut out the http:// snippet in my ftp server address, and I have tried both the apache and root password of the actual log in of the FTP, which neither of them worked. Both of the servers have the firewall DNS set up properly, and in my PHP info page, it appears that my FTP is enabled. Is there something else I have missed?
>>
>> ```php
>> // define some variables
>> $local_file = "C:/Inetpub/wwwroot/test/$id/data.tar";
>> $server_file = "http://192.168.10.63/test/$id/data.tar";
>>
>> // set up basic connection
>> $ftp_server = "192.168.10.63";
>> $conn_id = ftp_connect($ftp_server);
>>
>> // login with username and password
>> $ftp_user_name = "root";
>> $ftp_user_pass = "xx!";
>> $login_result = ftp_login($conn_id, $ftp_user_name, $ftp_user_pass);
>>
>> // try to download $server_file and save to $local_file
>> if (ftp_get($conn_id, $local_file, $server_file, FTP_BINARY)) {
>>     echo "Successfully written to $local_file\n";
>> } else {
>>     echo "There was a problem\n";
>> }
>>
>> // close the connection
>> ftp_close($conn_id);
>> ```
>>
>> Thanks in advance.
>>
>> Alice
Re: [PHP] Corrupted ZIP files (downloaded via a php script) : Internext Explorer 7
tedd wrote:
> At 7:42 PM -0400 7/16/08, robert mena wrote:
>> Am I doing something wrong or do I have to start looking to the server's configuration (like mod_deflate)?
>
> I use this -- it seems to work:
>
> ```php
> $file = "test.zip";
> header("Content-type: application/octet-stream");
> header("Content-Transfer-Encoding: Binary");
> header("Content-length: " . filesize($file));
> header("Content-disposition: attachment; filename=\"" . basename($file) . "\"");
> readfile($file);
> ```
>
> Anyone see a problem with it?

looks good to me - in Robert's case I would check if anything is adding output _before_ the readfile(). I have just today had such an issue with a zip-file.

/Per Jessen, Zürich
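The check suggested in the reply above, as an added example (not code from the thread): a download handler that stops if output has already reached the client, discards anything still sitting in output buffers, and turns off response compression before `readfile()`. The archive path in `ARCHIVE` and the helper names are assumptions.

```php
<?php
// Added example, not code from the thread. ARCHIVE is an assumed path.
const ARCHIVE = '/var/www/files/test.zip';

/**
 * Send one archive as a download. Stray output (a BOM, a newline after a
 * closing PHP tag in an include, a notice) would land in front of the ZIP
 * data, so the function refuses or cleans up before sending any byte.
 */
function send_archive(string $path): bool
{
    if (!is_file($path) || !is_readable($path)) {
        http_response_code(404);
        return false;
    }
    // Headers already flushed means bytes have reached the client; nothing
    // sent after that can be a valid archive, so log where it started.
    if (headers_sent($file, $line)) {
        error_log("download aborted, output started at $file:$line");
        return false;
    }
    // Compression layers change the body length after Content-Length is set.
    ini_set('zlib.output_compression', 'Off');
    if (function_exists('apache_setenv')) {
        apache_setenv('no-gzip', '1');   // asks mod_deflate to skip this response
    }
    // Throw away whatever includes have echoed into output buffers.
    while (ob_get_level() > 0) {
        $stray = ob_get_length();
        if ($stray) {
            error_log("discarded $stray stray byte(s) before download");
        }
        if (!@ob_end_clean()) {
            break;                       // a buffer that cannot be removed
        }
    }
    $name = str_replace(['"', "\r", "\n"], '', basename($path));
    header('Content-Type: application/octet-stream');
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('X-Content-Type-Options: nosniff');
    return readfile($path) !== false;
}

/**
 * Check on the receiving side: a ZIP file starts with a local file header
 * signature, or with the end-of-central-directory signature when empty.
 */
function has_zip_signature(string $bytes): bool
{
    $magic = substr($bytes, 0, 4);
    return $magic === "PK\x03\x04" || $magic === "PK\x05\x06";
}

if (PHP_SAPI === 'cli') {
    // Constructed samples: a header-only stub, and the same stub with one
    // newline in front of it, which is what output before readfile() causes.
    $clean = "PK\x03\x04" . str_repeat("\0", 26);
    $dirty = "\n" . $clean;
    foreach (['clean' => $clean, 'newline first' => $dirty] as $label => $bytes) {
        printf("%-14s signature ok: %s\n", $label, var_export(has_zip_signature($bytes), true));
    }
} else {
    send_archive(ARCHIVE);
}
```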
RE: [PHP] Copy Function Errors
Is there some reason that you can't use a simple samba server from the linux, to windows box?

Or just do a scp copy, or just a simple ftp transfer. All of these can be done from the cmd line.

Is this an exercise in creating a client app/script to accomplish this?

just trying to understand a little more about what you're trying to do in transferring the files...
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Thu, Jul 17, 2008 at 10:56 AM, Andrew Ballard [EMAIL PROTECTED] wrote:
> Bad day Dan? :-)

No, but I have faith. The day is still young. ;-P

--
/Daniel P. Brown
RE: [PHP] Copy Function Errors
> Is there some reason that you can't use a simple samba server from the linux, to windows box?
>
> Or just do a scp copy, or just a simple ftp transfer. All of these can be done from the cmd line.

It is funny, because I first started off writing this using shell_exec. I started off doing something like a sftp some_server in the commands within shell_exec() before I got to what I have now, but I stopped that because I don't seem to find any commands that can allow me put passwords and user to the actual client to do it. If there is such a thing as allowing me to feed in all this in one line without using FTP commands, this would be perfect. So far, I have not seen anything like it. I even tried doing an ftp:// on the url of the server, and it gives me this DNS error.

I consider that it is easier for me to tar up everything using the command line and transfer that to another server, and then I can do the rest of the untar and other processes without problem. My problem now is that I cannot even transfer the files because I am not able to come up with the suitable commands.

> Is this an exercise in creating a client app/script to accomplish this?

My client wants to have on the client end have all the files transferred back to the different user directories after the back end has some data processing. The client side only sees what is on the server, and not anything from the Linux from my understanding.

Alice
Re: [PHP] Copy Function Errors
You need to test using regular FTP, SFTP goes over SSH, while the PHP script you're trying to use is making use of regular old FTP. Make sure that the linux machine has the ports open for FTP and that you have an FTP server running on it (SSH is not one).
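The distinction drawn in the reply above, as an added example (not code from the thread): read the greeting each port sends and tell an FTP daemon from an SSH daemon, which is what decides whether `ftp_connect()` has anything to talk to. The banner strings are constructed samples and the function names are assumptions.

```php
<?php
// Added example, not code from the thread. Banner strings are constructed samples.

/** Classify the greeting line a server sends right after the TCP connection opens. */
function classify_banner(string $line): string
{
    $line = trim($line);
    if (strncmp($line, 'SSH-', 4) === 0) {
        return 'ssh';        // SSH identification string; SFTP runs inside this protocol
    }
    if (preg_match('/\A220[ -]/', $line) === 1) {
        return 'ftp';        // "service ready" reply, as sent by an FTP daemon on port 21
    }
    return $line === '' ? 'no-banner' : 'unknown';
}

/** Connect to host:port and report what answered. */
function probe(string $host, int $port, float $timeout = 5.0): string
{
    $sock = @fsockopen($host, $port, $errno, $errstr, $timeout);
    if ($sock === false) {
        return "unreachable ($errstr)";
    }
    stream_set_timeout($sock, (int) ceil($timeout));
    $line = fgets($sock, 512);
    fclose($sock);
    return classify_banner($line === false ? '' : $line);
}

/** Turn the two probe results into the next step to take. */
function diagnose(string $port21, string $port22): string
{
    if ($port21 === 'ftp') {
        return 'An FTP daemon answers on 21: ftp_connect() can reach it, check the login next.';
    }
    if ($port22 === 'ssh') {
        return 'Only SSH answers: an SFTP client will work, but ftp_connect() has no server to reach.';
    }
    return 'Neither service answered: check the firewall and that a daemon is running.';
}

// Offline demonstration on constructed greeting lines.
$samples = [
    "220 (vsFTPd 2.0.5)\r\n",
    "SSH-2.0-OpenSSH_4.3\r\n",
    "",
];
foreach ($samples as $banner) {
    printf("%-24s => %s\n", json_encode(trim($banner)), classify_banner($banner));
}
echo diagnose('unreachable (Connection refused)', 'ssh'), "\n";

// Live check against a host you administer: php probe.php <host>
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $p21 = probe($argv[1], 21);
    $p22 = probe($argv[1], 22);
    printf("port 21: %s\nport 22: %s\n%s\n", $p21, $p22, diagnose($p21, $p22));
}
```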
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On 17 Jul 2008, at 15:31, David Giragosian wrote:
> On 7/17/08, Stut [EMAIL PROTECTED] wrote:
>> On 17 Jul 2008, at 14:10, tedd wrote:
>>> At 10:28 PM +0100 7/16/08, Stut wrote:
>>>> Oh, and you'd be working for me so bear that in mind ;)
>>>>
>>>> -Stut
>>>
>>> It's no wonder why you haven't found anyone. :-)
>>
>> Thanks for that tedd.
>>
>> Seriously though, I'm wondering if my expectations are too high... I expect them to know that addslashes is not adequate protection against SQL injection. I even had one tell me "SQL injection? I can't remember but I'm sure I've used it before." And I won't even go into the guy who asserted that he's always worked with DB administrators who've dealt with security issues so he'd never needed to learn about it.
>>
>> Am I expecting too much?!?
>>
>> -Stut
>
> Surely you're being rhetorical, Stut, but no, you're not expecting too much. However the guy(s) who worked in a larger organization likely did have a very clear delineation of roles and responsibilities, as I am experiencing in a new position, and therefore may not be current on best practices in areas outside of their role. When my group leader instituted the current policy regarding job functions, a number of the open source guys decided their unused skills were eroding and/or they were not being exposed to new learning, and they left the company.

There's no way I would ever hire anyone who says security was somebody else's responsibility. I don't care what their previous managers have said, that's never a valid statement in my book. When you then add the fact that no DB admin no matter how good they are can implement adequate security to prevent SQL injection you get a developer who doesn't care about security issues much less know anything about them.

-Stut

--
http://stut.net/
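The interview expectation in the message above, that addslashes is not adequate protection against SQL injection, shown as an added example (not code from the thread): the same lookups written with `addslashes()` plus concatenation and with PDO prepared statements, run against an in-memory SQLite database. The schema, rows and function names are constructed for illustration and the `pdo_sqlite` extension is assumed.

```php
<?php
// Added example, not code from the thread. Schema and rows are constructed;
// requires the pdo_sqlite extension.

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $insert = $db->prepare('INSERT INTO users (name) VALUES (?)');
    foreach (['alice', 'bob', "O'Brien"] as $name) {
        $insert->execute([$name]);
    }
    return $db;
}

/** The pattern under discussion: addslashes() followed by string concatenation. */
function by_id_addslashes(PDO $db, string $id): array
{
    // addslashes() only escapes ' " \ and NUL. In an unquoted numeric
    // context there is nothing for it to escape, so the whole input is
    // still parsed as part of the SQL statement.
    $sql = 'SELECT name FROM users WHERE id = ' . addslashes($id);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

function by_name_addslashes(PDO $db, string $name): array
{
    // Backslash escaping is not the quoting rule of every database: SQLite
    // follows standard SQL and doubles the quote instead, so the escaped
    // text no longer matches what the parser expects.
    $sql = "SELECT name FROM users WHERE name = '" . addslashes($name) . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

/** Parameterised form: the statement text is fixed, the value travels separately. */
function by_id_prepared(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function by_name_prepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

/** Run one lookup and render either its rows or the database error. */
function describe(callable $lookup): string
{
    try {
        return json_encode($lookup());
    } catch (PDOException $e) {
        return 'error: ' . $e->getMessage();
    }
}

$db = make_db();

// A plain id, then an id value that carries extra SQL text.
foreach (['2', '1 OR 1=1'] as $id) {
    printf("id=%-10s addslashes: %s\n", $id, describe(fn () => by_id_addslashes($db, $id)));
    printf("id=%-10s prepared:   %s\n", $id, describe(fn () => by_id_prepared($db, $id)));
}

// A plain name, then a legitimate name that contains a single quote.
foreach (['bob', "O'Brien"] as $name) {
    printf("name=%-8s addslashes: %s\n", $name, describe(fn () => by_name_addslashes($db, $name)));
    printf("name=%-8s prepared:   %s\n", $name, describe(fn () => by_name_prepared($db, $name)));
}
```

Comparing the two output lines for each input shows where the concatenated query and the bound parameter diverge.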
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Thu, Jul 17, 2008 at 12:02 PM, Stut [EMAIL PROTECTED] wrote:
> There's no way I would ever hire anyone who says security was somebody else's responsibility. I don't care what their previous managers have said, that's never a valid statement in my book. When you then add the fact that no DB admin no matter how good they are can implement adequate security to prevent SQL injection you get a developer who doesn't care about security issues much less know anything about them.

Ignorance is bliss. It may not make you a good programmer, but it'll make you a fantastic executive.

--
/Daniel P. Brown
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Thu, Jul 17, 2008 at 12:07 PM, Daniel Brown [EMAIL PROTECTED] wrote:

[snip]
> Ignorance is bliss. It may not make you a good programmer, but it'll make you a fantastic executive.

[/snip]

ROFL, that describes my VP to a T

--
Bastien

Cat, the other other white meat
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On 17 Jul 2008, at 15:41, Daniel Brown wrote:
> On Thu, Jul 17, 2008 at 9:55 AM, Stut [EMAIL PROTECTED] wrote:
>> Seriously though, I'm wondering if my expectations are too high... I expect them to know that addslashes is not adequate protection against SQL injection. I even had one tell me "SQL injection? I can't remember but I'm sure I've used it before." And I won't even go into the guy who asserted that he's always worked with DB administrators who've dealt with security issues so he'd never needed to learn about it.
>
> 1.) It's obvious that addslashes() is not protection against SQL injection attacks. That's why God invented htmlentities() and flatfile databases.

Yup, had that one.

> 2.) No PHP programmer should ever be required to know anything about databases, server management, mail, or anything. This is because we all know that we'll someday all work in a Google-like atmosphere with enough funding to hire other people to work with databases, servers, HTML, and even a Senior JavaScript Engineer.

I have a ghostwriter who keeps me active on the mailing lists. Best 50p I spend every week!

> 3.) SQL injection is just a buzzphrase. I already know where baby databases come from. The big Daddy database spends lots of CPU cycles on the big Momma database and she eventually lets him put his SQL client into her console and their SQL statements intermingle until something magic happens. At least that's what my Daddy told me when I was a little regex.
>
> 4.) Any web programmer worth his or her salt knows that PHP, while a great language, is not compatible with all browsers. Especially Microsoft. For people using Windows, you'll need to have an ASP website.

Indeed. And PHP can't be used for foreign language sites, only US English. It makes a complete mess of British English sites.

> 5.) Never sanitize input. It takes too long, and unless you're dealing with credit cards, no one will ever want to hack your website. If you are taking credit cards, store them in a firewalled database.

You say this, but the person I just did a phone interview with did tell me that security is a cost-benefit calculation in terms of both development time and runtime resources. He said he never bothers escaping input in Intranet sites. True story!

> 6.) If you need to copy files from one server to another, make sure you use FTP over HTTP. It's more secure.

I use an Oompa-Loompas - much more reliable!

> 7.) register_globals is your friend.

And I hug her, and kiss her and squeeze her tight. *pop*

> 8.) The best, most-scalable way to create an expandable website is to use a switch page. Just tack on a ?page=faq.php query to your GET request, and have PHP automatically `include($page)` (see point #7) in your switch file.

Ooh, dangerous. I worry about relative paths, so when I do this it's always with an absolute path... i.e. ?page=/var/www/mywebsite.com/somedir/faq.php

> 9.) NEVER store passwords in a PHP script. Instead, store them in a file named `inc/config.inc` in the web directory, and include them.

I prefer to use .txt as the extension. Makes opening them in Notepad so much easier.

> 10.) If running a picture- or file-sharing website, make things easier on your users and yourself. Allow users to delete their files by using a simple link like: http://www.example.com/delete.php?file=images/mygraphic.jpg. Then, in delete.php, have only one line: <?php unlink($file); ?> (again, see point #7 --- see how much that's coming in handy now?)

This works best if the web server is running as root. None of those annoying error messages about not being able to open files that I know are there!

> 11.) The most important rule EVER: if you ever have the slightest problem, DO NOT bother to search the [EMAIL PROTECTED] web (STFW) or read the [EMAIL PROTECTED] manual (RTFM). There is a mailing list for that. Please ask any and all questions there, including why your MP3's aren't streaming on your AnalogX webserver from your home PC to your buddies in Antarctica after you turn your computer off.

But when I turn my computer off, the rest of the Internet still works! Hlp me pls!!!1!

> We are here only to serve you. People on mailing lists are paid to write your code and do your homework for you, and you should expect nothing but the best, immediate answers, 24/7/365. If they don't respond within 90 seconds, please repost your message every 90 seconds until someone does. When in doubt, hijack a thread.

Why do birds suddenly go *poof*, every time, you are near?

-Stut

--
http://stut.net/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
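Points 8 and 10 of the list above joke about a request parameter handed straight to include() or unlink(). As an added example (not code from any poster in this thread), the following shows the allowlisted counterpart of each; the page map, directory layout and file names are hypothetical and are built in a temporary directory so the script runs offline.

```php
<?php
// Added example: allowlisted replacements for the include($page) and
// unlink($file) one-liners joked about above. All names are hypothetical.

/** Public page keys mapped to files; the request never supplies a path. */
const PAGE_MAP = [
    'faq'     => 'faq.php',
    'contact' => 'contact.php',
];

/** Return the file to include for a ?page= value, or null if not allowlisted. */
function resolvePage(string $requested, string $pagesDir): ?string
{
    if (!array_key_exists($requested, PAGE_MAP)) {
        return null;
    }
    return rtrim($pagesDir, '/') . '/' . PAGE_MAP[$requested];
}

/**
 * Return the canonical path of a file inside $userDir, or null.
 * realpath() resolves ../ segments and symlinks, so the containment
 * check is made against the file's real location, not the raw string.
 */
function resolveUserFile(string $requested, string $userDir): ?string
{
    $base   = realpath($userDir);
    $target = realpath($userDir . '/' . $requested);
    if ($base === false || $target === false || !is_file($target)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Constructed sandbox: a pages directory, one user's upload directory,
// and a config file that sits outside both.
$root = sys_get_temp_dir() . '/switchpage_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/pages', 0700, true);
mkdir($root . '/uploads/alice', 0700, true);
file_put_contents($root . '/pages/faq.php', '<?php echo "FAQ";');
file_put_contents($root . '/config.inc', 'db_password=constructed-value');
file_put_contents($root . '/uploads/alice/mygraphic.jpg', 'constructed image bytes');

// Switch page: only keys from PAGE_MAP resolve; file names, absolute
// paths and relative paths in the parameter are all rejected.
foreach (['faq', 'faq.php', '/etc/passwd', '../config.inc'] as $page) {
    $file = resolvePage($page, $root . '/pages');
    printf("page=%-18s -> %s\n", $page, $file ?? 'rejected');
}

// Delete handler: the directory comes from the authenticated session
// (assumed here to be alice's), never from the request. A real handler
// would also require POST plus a CSRF token rather than a GET link.
foreach (['mygraphic.jpg', '../../config.inc', '/etc/passwd'] as $name) {
    $file = resolveUserFile($name, $root . '/uploads/alice');
    printf("file=%-18s -> %s\n", $name, $file ?? 'rejected');
    if ($file !== null) {
        unlink($file);
    }
}
```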
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On 7/17/08, Stut [EMAIL PROTECTED] wrote:
> On 17 Jul 2008, at 15:31, David Giragosian wrote:
>> On 7/17/08, Stut [EMAIL PROTECTED] wrote:
>>> On 17 Jul 2008, at 14:10, tedd wrote:
>>>> At 10:28 PM +0100 7/16/08, Stut wrote:
>>>>> Oh, and you'd be working for me so bear that in mind ;)
>>>>>
>>>>> -Stut
>>>>
>>>> It's no wonder why you haven't found anyone. :-)
>>>
>>> Thanks for that tedd.
>>>
>>> Seriously though, I'm wondering if my expectations are too high... I expect them to know that addslashes is not adequate protection against SQL injection. I even had one tell me "SQL injection? I can't remember but I'm sure I've used it before." And I won't even go into the guy who asserted that he's always worked with DB administrators who've dealt with security issues so he'd never needed to learn about it.
>>>
>>> Am I expecting too much?!?
>>>
>>> -Stut
>>
>> Surely you're being rhetorical, Stut, but no, you're not expecting too much. However the guy(s) who worked in a larger organization likely did have a very clear delineation of roles and responsibilities, as I am experiencing in a new position, and therefore may not be current on best practices in areas outside of their role. When my group leader instituted the current policy regarding job functions, a number of the open source guys decided their unused skills were eroding and/or they were not being exposed to new learning, and they left the company.
>
> There's no way I would ever hire anyone who says security was somebody else's responsibility. I don't care what their previous managers have said, that's never a valid statement in my book. When you then add the fact that no DB admin no matter how good they are can implement adequate security to prevent SQL injection you get a developer who doesn't care about security issues much less know anything about them.
>
> -Stut

Saying security was someone else's responsibility is not the smartest statement to make in a job interview. Whether that correlates to someone not caring about security is a different matter, I think.

Of course, if the applicant said, "Security was somebody else's responsibility" in a flip and/or arrogant manner and clearly showed no concern about it, then sure, on to the next candidate. But I can imagine an exchange where somebody said that, but then followed up with, "But here's how I would handle it..." It sounds like the guy you interviewed was in the former category.

--David.
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Thu, Jul 17, 2008 at 12:02 PM, Stut [EMAIL PROTECTED] wrote:
> On 17 Jul 2008, at 15:31, David Giragosian wrote:
>> On 7/17/08, Stut [EMAIL PROTECTED] wrote:
>>> On 17 Jul 2008, at 14:10, tedd wrote:
>>>> At 10:28 PM +0100 7/16/08, Stut wrote:
>>>>> Oh, and you'd be working for me so bear that in mind ;)
>>>>>
>>>>> -Stut
>>>>
>>>> It's no wonder why you haven't found anyone. :-)
>>>
>>> Thanks for that tedd.
>>>
>>> Seriously though, I'm wondering if my expectations are too high... I expect them to know that addslashes is not adequate protection against SQL injection. I even had one tell me "SQL injection? I can't remember but I'm sure I've used it before." And I won't even go into the guy who asserted that he's always worked with DB administrators who've dealt with security issues so he'd never needed to learn about it.
>>>
>>> Am I expecting too much?!?
>>>
>>> -Stut
>>
>> Surely you're being rhetorical, Stut, but no, you're not expecting too much. However the guy(s) who worked in a larger organization likely did have a very clear delineation of roles and responsibilities, as I am experiencing in a new position, and therefore may not be current on best practices in areas outside of their role. When my group leader instituted the current policy regarding job functions, a number of the open source guys decided their unused skills were eroding and/or they were not being exposed to new learning, and they left the company.
>
> There's no way I would ever hire anyone who says security was somebody else's responsibility. I don't care what their previous managers have said, that's never a valid statement in my book. When you then add the fact that no DB admin no matter how good they are can implement adequate security to prevent SQL injection you get a developer who doesn't care about security issues much less know anything about them.
>
> -Stut

A DBA can go pretty far to prevent SQL injection by setting appropriate rights on the accounts that applications will use to interact with the database: denying direct access to tables, allowing access to only the necessary stored procedures, thereby forcing developers to design products using only those procedures for all data access. Of course, a lot of developers would complain under this level of security, and I suspect a lot of frameworks that are out there would be much less useful to lazy programmers.

Andrew
Re: [PHP] Floats and avoid exponential notation - How?
k bah [EMAIL PROTECTED] wrote on 07/17/2008 05:23:40 AM:

> Hi,
>
> From http://www.php.net/manual/en/language.types.float.php (second comment in that page, from kjohnson at zootweb dot com):
>
> PHP switches from the standard decimal notation to exponential notation for certain special floats.
>
> I have the same problem. I have a big number I have to represent, it's usually 1 followed by 10 zeros, the biggest value I'll have for it is 199, never more than this. I only make one operation with it, (+), most of the time I need that number as a string, and never need its float representation, only the absolute value (in fact, it's never going to have a fractional part). I cannot use integers because it's bigger than the integer range. If it goes to its exponential representation, breaks my code. Users are identified by that number.
>
> So, any suggestions/thoughts? Is there a way to prevent php from using the exponential notation for a float?

I don't know of any way to modify PHP's behavior with regard to this. That's not to say there isn't a way, but I don't know of one.

This might be a brute force way to address it. You'll want to add additional checks so you don't end up in any infinite loops. You should definitely test with larger numbers in the range that you are actually using. Hope this gets you what you need:

    // example: one of the special ones, prints in exponential notation, 1.4E+6
    $num = 140.;
    if (strstr($num, 'E')) {
        echo "yep, exp notation<br>";
        // split "1.4E+6" into significand "1.4" and exponent "+6"
        list($significand, $exp) = explode('E', $num);
        list($void, $decimal) = explode('.', $significand);
        $decimal_len = strlen($decimal);
        $exp = str_replace('+', '', $exp);
        // digits after the decimal point already account for part of the exponent
        $exp -= $decimal_len;
        $append = '';
        for ($i = 1; $i <= $exp; $i++) {
            $append .= '0';
        }
        $tmp = str_replace('.', '', $significand);
        $reconsctructed = $tmp . $append;
        echo '<pre>reconstructed: ', $reconsctructed, '</pre>';
    }

kjohnson at zootweb dot com :)
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Thu, 2008-07-17 at 13:46 +0100, Stut wrote:
> On 17 Jul 2008, at 11:31, Jason Pruim wrote:
>> On Jul 16, 2008, at 5:28 PM, Stut wrote:
>>> On 16 Jul 2008, at 19:18, Daniel Brown wrote:
>>>> On Tue, Jul 15, 2008 at 5:43 PM, Stut [EMAIL PROTECTED] wrote:
>>>>> Code please, we're not mind readers!
>>>>
>>>> I sensed you would say that, Stuart. ;-P
>>>
>>> Can you sense what I'm thinking right now?
>>>
>>> BTW, if anyone is looking for a PHP5/MySQL dev job in or around Camberley, Surrey, England please drop me your CV. Looking for all levels to join a small team (me + 2 non-devs). Contact me personally for more info. Sorry, remote working is not an option. We will consider both perm and contract but perm is preferred.
>>>
>>> Oh, and you'd be working for me so bear that in mind ;)
>>
>> So would that be a plus or a negative? :P
>
> That's up to you to decide based on my activity on this list. IOW I have no idea!

I don't think it would be a bad experience. I'd have to say as a list contributor you've always had good posts and an even temperament. Anyways, I already telecommute 20 or so hours a week to Sheffield, England from Ottawa, Canada :D

Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Thu, 2008-07-17 at 17:02 +0100, Stut wrote:
> On 17 Jul 2008, at 15:31, David Giragosian wrote:
>> On 7/17/08, Stut [EMAIL PROTECTED] wrote:
>>> On 17 Jul 2008, at 14:10, tedd wrote:
>>>> At 10:28 PM +0100 7/16/08, Stut wrote:
>>>>> Oh, and you'd be working for me so bear that in mind ;)
>>>>>
>>>>> -Stut
>>>>
>>>> It's no wonder why you haven't found anyone. :-)
>>>
>>> Thanks for that tedd.
>>>
>>> Seriously though, I'm wondering if my expectations are too high... I expect them to know that addslashes is not adequate protection against SQL injection. I even had one tell me "SQL injection? I can't remember but I'm sure I've used it before." And I won't even go into the guy who asserted that he's always worked with DB administrators who've dealt with security issues so he'd never needed to learn about it.
>>>
>>> Am I expecting too much?!?

I've heard the NEDs are winning in the U.K.

Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Thu, 2008-07-17 at 12:07 -0400, Daniel Brown wrote:
> On Thu, Jul 17, 2008 at 12:02 PM, Stut [EMAIL PROTECTED] wrote:
>> There's no way I would ever hire anyone who says security was somebody else's responsibility. I don't care what their previous managers have said, that's never a valid statement in my book. When you then add the fact that no DB admin no matter how good they are can implement adequate security to prevent SQL injection you get a developer who doesn't care about security issues much less know anything about them.
>
> Ignorance is bliss. It may not make you a good programmer, but it'll make you a fantastic executive.

No, it'll probably make you an executive if you keep your mouth shut and follow orders... but not a good executive. You still need brains to be a good executive, otherwise you're just a leech on the system. Look at all those executives dragging companies down while they happily deposit their millions in salary/bonuses every year.

Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Thu, Jul 17, 2008 at 2:27 PM, Robert Cummings [EMAIL PROTECTED] wrote:
> Look at all those executives dragging companies down while they happily deposit their millions in salary/bonuses every year.

Tell me about it. IndyMac threw a divide by zero exception as a result.

--
/Daniel P. Brown
Re: [PHP] Soap Call Error
I tried that; this is what I get:

Response:
HTTP/1.1 200 OK
Date: Thu, 17 Jul 2008 18:27:23 GMT
Server: Apache/2.2.6 (Unix)
Set-Cookie: JSESSIONID=DF4D15B8D0A0610B4832C3A708874672; Path=/
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: multipart/related; type=application/xop+xml; start= [EMAIL PROTECTED]; start-info=text/xml; boundary==_Part_281_1620393832.1216319243198

--=_Part_281_1620393832.1216319243198
Content-Type: application/xop+xml; charset=UTF-8; type=text/xml
Content-Transfer-Encoding: 8bit
Content-ID: [EMAIL PROTECTED]

--=_Part_281_1620393832.1216319243198--

Request:
POST /rpc/soap/ForumService HTTP/1.1
Host:
Connection: Keep-Alive
User-Agent: PHP-SOAP/5.2.0
Content-Type: text/xml; charset=utf-8
SOAPAction:
Content-Length: 850

I don't know what I can infer from this. I still get the same error.
On Wed, Jul 16, 2008 at 11:26 PM, Jason Norwood-Young [EMAIL PROTECTED] wrote:
> On Wed, 2008-07-16 at 17:44 -0700, VamVan wrote:
>> Hello Guys,
>>
>> I have been getting a weird soap exception lately
>>
>> [faultstring] => looks like we got no XML document
>> [faultcode] => Client
>> [faultcodens] => http://schemas.xmlsoap.org/soap/envelope/
>>
>> What does that mean? The call gets properly called and it does what it needs to do, but the response xml is always a $fault?
>>
>> Did anyone have this problem? I am using php 5.2.6 for the info.
>
> This is usually a malformed XML document - I had the problem recently when fetching an XML document that wasn't complete (no </xml>). Check what you're *actually* getting with something like:
>
>     try {
>         // ... the SOAP call that raises the fault ...
>     } catch (SoapFault $exception) {
>         // the __getLast*() methods only return data when the SoapClient
>         // was created with the 'trace' option enabled
>         $request_xml = $client->__getLastRequestHeaders() . $client->__getLastRequest();
>         $response_xml = $client->__getLastResponseHeaders() . $client->__getLastResponse();
>         print "Response:" . $response_xml;
>         print "Request:" . $request_xml;
>         print $exception;
>     }
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Thu, 2008-07-17 at 17:32 +0100, Stut wrote:
> On 17 Jul 2008, at 15:41, Daniel Brown wrote:
>> On Thu, Jul 17, 2008 at 9:55 AM, Stut [EMAIL PROTECTED] wrote:
>>> Seriously though, I'm wondering if my expectations are too high... I expect them to know that addslashes is not adequate protection against SQL injection. I even had one tell me "SQL injection? I can't remember but I'm sure I've used it before." And I won't even go into the guy who asserted that he's always worked with DB administrators who've dealt with security issues so he'd never needed to learn about it.
>>
>> 1.) It's obvious that addslashes() is not protection against SQL injection attacks. That's why God invented htmlentities() and flatfile databases.
>
> Yup, had that one.

While we're talking about God here... why bother escaping your data. For he who believeth in the Lordeth could telleth thisith mountain hereth to moveth over thereth... Then again nevermind.

>> 2.) No PHP programmer should ever be required to know anything about databases, server management, mail, or anything. This is because we all know that we'll someday all work in a Google-like atmosphere with enough funding to hire other people to work with databases, servers, HTML, and even a Senior JavaScript Engineer.
>
> I have a ghostwriter who keeps me active on the mailing lists. Best 50p I spend every week!
>
>> 3.) SQL injection is just a buzzphrase. I already know where baby databases come from. The big Daddy database spends lots of CPU cycles on the big Momma database and she eventually lets him put his SQL client into her console and their SQL statements intermingle until something magic happens. At least that's what my Daddy told me when I was a little regex.

No, no, no... you got the semantics wrong... SQL injection is when an imposter performs an insert on Momma database thus corrupting the data. Sometimes big daddy doesn't know about the corruption until he performs a select query on baby database. Unfortunately we're not yet technologically advanced enough to perform a repair under these circumstances.

>> 4.) Any web programmer worth his or her salt knows that PHP, while a great language, is not compatible with all browsers. Especially Microsoft. For people using Windows, you'll need to have an ASP website.
>
> Indeed. And PHP can't be used for foreign language sites, only US English. It makes a complete mess of British English sites.

You should see what happens when you have to manage Canadian English and Canadian French on the same site. PHP is the 5ux0r5.

>> 5.) Never sanitize input. It takes too long, and unless you're dealing with credit cards, no one will ever want to hack your website. If you are taking credit cards, store them in a firewalled database.
>
> You say this, but the person I just did a phone interview with did tell me that security is a cost-benefit calculation in terms of both development time and runtime resources. He said he never bothers escaping input in Intranet sites. True story!

I've been reading your email... hope you don't mind.

>> 6.) If you need to copy files from one server to another, make sure you use FTP over HTTP. It's more secure.
>
> I use an Oompa-Loompas - much more reliable!
>
>> 7.) register_globals is your friend.
>
> And I hug her, and kiss her and squeeze her tight. *pop*
>
>> 8.) The best, most-scalable way to create an expandable website is to use a switch page. Just tack on a ?page=faq.php query to your GET request, and have PHP automatically `include($page)` (see point #7) in your switch file.

*hahahahaahah* What a clever person... what other sites did he/she work on? Post links please :)

> Ooh, dangerous. I worry about relative paths, so when I do this it's always with an absolute path... i.e. ?page=/var/www/mywebsite.com/somedir/faq.php

Absolute paths are much faster to resolve. Good for him, efficiency is paramount on a heavy traffic payment gateway where every cycle can contribute to squeezing in another credit card payment.

>> 9.) NEVER store passwords in a PHP script. Instead, store them in a file named `inc/config.inc` in the web directory, and include them.
>
> I prefer to use .txt as the extension. Makes opening them in Notepad so much easier.

Don't use a .htaccess file either to secure the directory. Apache needs to read that... cycles, cycles, cycles... things of the baby databases.

>> 10.) If running a picture- or file-sharing website, make things easier on your users and yourself. Allow users to delete their files by using a simple link like: http://www.example.com/delete.php?file=images/mygraphic.jpg. Then, in delete.php, have only one line: <?php unlink($file); ?> (again, see point #7 --- see how much that's coming in handy now?)

Wow, that's handy. You can practically create a clean-site web service using: wget -r

> This works best if the web server is
RE: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
-Original Message-
From: Andrew Ballard [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 17, 2008 11:33 AM
To: PHP General list
Subject: Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??

> On Thu, Jul 17, 2008 at 12:02 PM, Stut [EMAIL PROTECTED] wrote:
>> On 17 Jul 2008, at 15:31, David Giragosian wrote:
>>> On 7/17/08, Stut [EMAIL PROTECTED] wrote:
>>>> On 17 Jul 2008, at 14:10, tedd wrote:
>>>>> At 10:28 PM +0100 7/16/08, Stut wrote:
>>>>>> Oh, and you'd be working for me so bear that in mind ;)
>>>>>>
>>>>>> -Stut
>>>>>
>>>>> It's no wonder why you haven't found anyone. :-)
>>>>
>>>> Thanks for that tedd.
>>>>
>>>> Seriously though, I'm wondering if my expectations are too high... I expect them to know that addslashes is not adequate protection against SQL injection. I even had one tell me "SQL injection? I can't remember but I'm sure I've used it before." And I won't even go into the guy who asserted that he's always worked with DB administrators who've dealt with security issues so he'd never needed to learn about it.
>>>>
>>>> Am I expecting too much?!?
>>>>
>>>> -Stut
>>>
>>> Surely you're being rhetorical, Stut, but no, you're not expecting too much. However the guy(s) who worked in a larger organization likely did have a very clear delineation of roles and responsibilities, as I am experiencing in a new position, and therefore may not be current on best practices in areas outside of their role. When my group leader instituted the current policy regarding job functions, a number of the open source guys decided their unused skills were eroding and/or they were not being exposed to new learning, and they left the company.
>>
>> There's no way I would ever hire anyone who says security was somebody else's responsibility. I don't care what their previous managers have said, that's never a valid statement in my book. When you then add the fact that no DB admin no matter how good they are can implement adequate security to prevent SQL injection you get a developer who doesn't care about security issues much less know anything about them.
>>
>> -Stut
>
> A DBA can go pretty far to prevent SQL injection by setting appropriate rights on the accounts that applications will use to interact with the database: denying direct access to tables, allowing access to only the necessary stored procedures, thereby forcing developers to design products using only those procedures for all data access. Of course, a lot of developers would complain under this level of security, and I suspect a lot of frameworks that are out there would be much less useful to lazy programmers.

...and giving procedures that only need read access--wait for it--only read access! I have seen so many pages from work I've done on crowd-sourcing websites that use one (practically) super-user DBMS account to read one or two columns from one or two rows and display them. It boggles the mind.

Todd Boyd
Web Programmer
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Thu, 2008-07-17 at 12:32 -0400, Andrew Ballard wrote:
> On Thu, Jul 17, 2008 at 12:02 PM, Stut [EMAIL PROTECTED] wrote:
>> On 17 Jul 2008, at 15:31, David Giragosian wrote:
>>> On 7/17/08, Stut [EMAIL PROTECTED] wrote:
>>>> On 17 Jul 2008, at 14:10, tedd wrote:
>>>>> At 10:28 PM +0100 7/16/08, Stut wrote:
>>>>>> Oh, and you'd be working for me so bear that in mind ;)
>>>>>>
>>>>>> -Stut
>>>>>
>>>>> It's no wonder why you haven't found anyone. :-)
>>>>
>>>> Thanks for that tedd.
>>>>
>>>> Seriously though, I'm wondering if my expectations are too high... I expect them to know that addslashes is not adequate protection against SQL injection. I even had one tell me "SQL injection? I can't remember but I'm sure I've used it before." And I won't even go into the guy who asserted that he's always worked with DB administrators who've dealt with security issues so he'd never needed to learn about it.
>>>>
>>>> Am I expecting too much?!?
>>>>
>>>> -Stut
>>>
>>> Surely you're being rhetorical, Stut, but no, you're not expecting too much. However the guy(s) who worked in a larger organization likely did have a very clear delineation of roles and responsibilities, as I am experiencing in a new position, and therefore may not be current on best practices in areas outside of their role. When my group leader instituted the current policy regarding job functions, a number of the open source guys decided their unused skills were eroding and/or they were not being exposed to new learning, and they left the company.
>>
>> There's no way I would ever hire anyone who says security was somebody else's responsibility. I don't care what their previous managers have said, that's never a valid statement in my book. When you then add the fact that no DB admin no matter how good they are can implement adequate security to prevent SQL injection you get a developer who doesn't care about security issues much less know anything about them.
>>
>> -Stut
>
> A DBA can go pretty far to prevent SQL injection by setting appropriate rights on the accounts that applications will use to interact with the database: denying direct access to tables, allowing access to only the necessary stored procedures, thereby forcing developers to design products using only those procedures for all data access. Of course, a lot of developers would complain under this level of security, and I suspect a lot of frameworks that are out there would be much less useful to lazy programmers.

So are you suggesting a web app make multiple different user account connections to the SQL server depending on whether it wants to SELECT, INSERT, DELETE, ETC.? I mean that's a fair proposition... just seems a tad heavy duty. Once again though... there's a programmer responsibility here to implement the application with such a scenario in mind. Most applications need access to SELECT, INSERT, and DELETE. In such a case, a single account with restricted access permissions that allow all three isn't going to do anything for the application if a programmer lets an SQL injection through.

Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP
[PHP] Randomly missing a function
An online signup script is randomly missing part of the task. These scripts are involved:

sub_signup.php
include/cc_proc.php - does the CC (credit card) processing
include/user_maint.php - inserts the new subscriber into the database

When the CC processing finishes, with the success flag, user_maint.php is included, and a few lines later the createUser($params) function therein is called to create the user. Every mysql_ function in user_maint.php is backstopped with a die() if it fails. But sometimes it appears that the call to this script, or the createUser() function just isn't made.

What seems to happen, randomly, is that the script charges on so to speak, sending an advisory email to the office manager that there is a new subscriber, and calling sub_signup_thanks.php, which displays a completion message, etc.

In all of these cases the credit card processing has succeeded. Sometimes people have tried to sign up two or three times, the card processes, but no addition is made to the database. It's driving us nuts! Any thoughts?

Regards - Miles

Infrastructure: Apache 2.2, PHP 5.x, MySQL 5

Code:

    switch ($ret) {
        case CC_SUCCESS:
            require 'include/user_maint.php';
            $cctype = cc_getCardType($cc);
            if ($cctype == 'Visa')
                $cctype = 'VISA';
            elseif ($cctype == 'MasterCard')
                $cctype = 'M-C';
            //Shouldn't happen in case CC_SUCCESS, but better safe than sorry
            else
                die('We don\'t support this credit card');
            $params = array(
                'firstname' => $first,
                // various fields
                'postal_code' => $postal_code,
                'pay_method' => $cctype
            );
            // createUser is a function in user_maint
            createUser($params);
            // sendEmail is func in user_maint, advises office manager
            sendEmail('New subscriber!!!', "Already paid $amount by credit card", $fields);
            require 'sub_signup_thanks.php'; //Grabs authCode from $result
            return;
    }
    //other situations dealt with, and properly closed
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
2008/7/17 Daniel Brown [EMAIL PROTECTED]:

11.) The most important rule EVER: if you ever have the slightest problem, DO NOT bother to search the [EMAIL PROTECTED] web (STFW) or read the [EMAIL PROTECTED] manual (RTFM). There is a mailing list for that. Please ask any and all questions there, including why your MP3's aren't streaming on your AnalogX webserver from your home PC to your buddies in Antarctica after you turn your computer off.

But when I turn my computer off, the rest of the Internet still works! Hlp me pls!!!1!

We are here only to serve you. People on mailing lists are paid to write your code and do your homework for you, and you should expect nothing but the best, immediate answers, 24/7/365. If they don't respond within 90 seconds, please repost your message every 90 seconds until someone does. When in doubt, hijack a thread.

You do realize, of course, that this is posted in a hijacked thread?

Dotan Cohen
http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Thu, Jul 17, 2008 at 2:48 PM, Robert Cummings [EMAIL PROTECTED] wrote:
On Thu, 2008-07-17 at 12:32 -0400, Andrew Ballard wrote:
On Thu, Jul 17, 2008 at 12:02 PM, Stut [EMAIL PROTECTED] wrote:
On 17 Jul 2008, at 15:31, David Giragosian wrote:
On 7/17/08, Stut [EMAIL PROTECTED] wrote:
On 17 Jul 2008, at 14:10, tedd wrote:
At 10:28 PM +0100 7/16/08, Stut wrote:
Oh, and you'd be working for me so bear that in mind ;) -Stut
It's no wonder why you haven't found anyone. :-)
Thanks for that tedd. Seriously though, I'm wondering if my expectations are too high... I expect them to know that addslashes is not adequate protection against SQL injection. I even had one tell me "SQL injection? I can't remember but I'm sure I've used it before." And I won't even go into the guy who asserted that he's always worked with DB administrators who've dealt with security issues so he'd never needed to learn about it. Am I expecting too much?!? -Stut
Surely you're being rhetorical, Stut, but no, you're not expecting too much. However the guy(s) who worked in a larger organization likely did have a very clear delineation of roles and responsibilities, as I am experiencing in a new position, and therefore may not be current on best practices in areas outside of their role. When my group leader instituted the current policy regarding job functions, a number of the open source guys decided their unused skills were eroding and/or they were not being exposed to new learning, and they left the company.
There's no way I would ever hire anyone who says security was somebody else's responsibility. I don't care what their previous managers have said, that's never a valid statement in my book. When you then add the fact that no DB admin no matter how good they are can implement adequate security to prevent SQL injection you get a developer who doesn't care about security issues much less know anything about them. -Stut
A DBA can go pretty far to prevent SQL injection by setting appropriate rights on the accounts that applications will use to interact with the database: denying direct access to tables, allowing access to only the necessary stored procedures, thereby forcing developers to design products using only those procedures for all data access. Of course, a lot of developers would complain under this level of security, and I suspect a lot of frameworks that are out there would be much less useful to lazy programmers.
So are you suggesting a web app make multiple different user account connections to the SQL server depending on whether it wants to SELECT, INSERT, DELETE, ETC.? I mean that's a fair proposition... just seems a tad heavy duty. Once again though... there's a programmer responsibility here to implement the application with such a scenario in mind. Most applications need access to SELECT, INSERT, and DELETE. In such a case, a single account with restricted access permissions that allow all three isn't going to do anything for the application if a programmer lets an SQL injection through. Cheers, Rob.
No, not unless you really need that level of security. Simply by creating procedures and granting execute permissions only to a single web user account would go a long way to eliminating SQL injection. The query will fail if a malicious user tries to insert anything that doesn't fit into the parameter. Even if someone tried to truncate your SQL statement by sending something like ; DELETE * FROM users it would fail because that account would not have permission to run the ad hoc statement. I know there are some cases where the number of possible permutations of search parameters means you pretty much have to allow ad hoc queries, but you can make that the exception rather than the rule.
Andrew
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
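Added example (not part of any message in this thread): the addslashes() point quoted in the message above, next to a bound, typed parameter of the kind Andrew describes when he says a value that does not fit the parameter makes the query fail. It assumes PDO with the SQLite driver and an in-memory database standing in for MySQL; the table, its rows and the function names are constructed for illustration.

```php
<?php
// Added example. Assumptions: PDO with the SQLite driver is available;
// the users table, its rows and both function names are hypothetical.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$db->exec("INSERT INTO users (name, email) VALUES
    ('alice', 'alice@example.test'),
    ('bob',   'bob@example.test'),
    ('carol', 'carol@example.test')");

/**
 * Weak: addslashes() only escapes quote, backslash and NUL characters.
 * In a numeric context there is no quote to break out of, so whatever is
 * left after escaping is still parsed as part of the SQL statement.
 */
function findUserWeak(PDO $db, string $id): array
{
    $sql = 'SELECT id, name FROM users WHERE id = ' . addslashes($id);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Hardened: the statement text is fixed. The value is validated as an
 * integer and then sent separately as a typed, bound parameter, so it can
 * never change the structure of the query.
 */
function findUserBound(PDO $db, string $id): array
{
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        return [];                      // does not fit the parameter: reject
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: it contains no character that addslashes() changes.
$hostile = '1 OR 1=1';

printf("weak,  id=1:       %d row(s)\n", count(findUserWeak($db, '1')));
printf("weak,  hostile id: %d row(s)\n", count(findUserWeak($db, $hostile)));
printf("bound, id=1:       %d row(s)\n", count(findUserBound($db, '1')));
printf("bound, hostile id: %d row(s)\n", count(findUserBound($db, $hostile)));
```

Binding only fixes the query structure in the application; the account permissions discussed in this thread are a separate layer that limits what a query can touch if one does get through.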
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Thu, Jul 17, 2008 at 3:07 PM, Dotan Cohen [EMAIL PROTECTED] wrote:
2008/7/17 Daniel Brown [EMAIL PROTECTED]:
11.) The most important rule EVER: if you ever have the slightest problem, DO NOT bother to search the [EMAIL PROTECTED] web (STFW) or read the [EMAIL PROTECTED] manual (RTFM). There is a mailing list for that. Please ask any and all questions there, including why your MP3's aren't streaming on your AnalogX webserver from your home PC to your buddies in Antarctica after you turn your computer off.
But when I turn my computer off, the rest of the Internet still works! Hlp me pls!!!1!
We are here only to serve you. People on mailing lists are paid to write your code and do your homework for you, and you should expect nothing but the best, immediate answers, 24/7/365. If they don't respond within 90 seconds, please repost your message every 90 seconds until someone does. When in doubt, hijack a thread.
You do realize, of course, that this is posted in a hijacked thread?
Most times, people use the word ironic when they really mean coincidental. This, on the other hand, is the correct definition of irony, and was purposeful.
-- /Daniel P. Brown Better prices on dedicated servers: Intel 2.4GHz/60GB/512MB/2TB $49.99/mo. Intel 3.06GHz/80GB/1GB/2TB $59.99/mo. Dedicated servers, VPS, and hosting from $2.50/mo.
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
2008/7/17 Stut [EMAIL PROTECTED]:
3.) SQL injection is just a buzzphrase. I already know where baby databases come from. The big Daddy database spends lots of CPU cycles on the big Momma database and she eventually lets him put his SQL client into her console and their SQL statements intermingle until something magic happens. At least that's what my Daddy told me when I was a little regex.
No, no, you've got it all wrong: http://www.zoitz.com/archives/14
Dotan Cohen http://what-is-what.com http://gibberish.co.il א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Jul 17, 2008, at 2:44 PM, Robert Cummings wrote:
On Thu, 2008-07-17 at 17:32 +0100, Stut wrote:
On 17 Jul 2008, at 15:41, Daniel Brown wrote:
On Thu, Jul 17, 2008 at 9:55 AM, Stut [EMAIL PROTECTED] wrote:
Seriously though, I'm wondering if my expectations are too high... I expect them to know that addslashes is not adequate protection against SQL injection. I even had one tell me "SQL injection? I can't remember but I'm sure I've used it before." And I won't even go into the guy who asserted that he's always worked with DB administrators who've dealt with security issues so he'd never needed to learn about it.
1.) It's obvious that addslashes() is not protection against SQL injection attacks. That's why God invented htmlentities() and flatfile databases.
Yup, had that one. While we're talking about God here... why bother escaping your data. For he who believeth in the Lordeth could telleth thisith mountain hereth to moveth over thereth... Then again never mind.
2.) No PHP programmer should ever be required to know anything about databases, server management, mail, or anything. This is because we all know that we'll someday all work in a Google-like atmosphere with enough funding to hire other people to work with databases, servers, HTML, and even a Senior JavaScript Engineer.
I have a ghostwriter who keeps me active on the mailing lists. Best 50p I spend every week!
3.) SQL injection is just a buzzphrase. I already know where baby databases come from. The big Daddy database spends lots of CPU cycles on the big Momma database and she eventually lets him put his SQL client into her console and their SQL statements intermingle until something magic happens. At least that's what my Daddy told me when I was a little regex.
No, no, no... you got the semantics wrong... SQL injection is when an imposter performs an insert on Momma database thus corrupting the data. Sometimes big daddy doesn't know about the corruption until he performs a select query on baby database. Unfortunately we're not yet technologically advanced enough to perform a repair under these circumstances.
4.) Any web programmer worth his or her salt knows that PHP, while a great language, is not compatible with all browsers. Especially Microsoft. For people using Windows, you'll need to have an ASP website.
Indeed. And PHP can't be used for foreign language sites, only US English. It makes a complete mess of British English sites. You should see what happens when you have to manage Canadian English and Canadian French on the same site. PHP is the 5ux0r5.
5.) Never sanitize input. It takes too long, and unless you're dealing with credit cards, no one will ever want to hack your website. If you are taking credit cards, store them in a firewalled database.
You say this, but the person I just did a phone interview with did tell me that security is a cost-benefit calculation in terms of both development time and runtime resources. He said he never bothers escaping input in Intranet sites. True story! I've been reading your email... hope you don't mind.
6.) If you need to copy files from one server to another, make sure you use FTP over HTTP. It's more secure.
I use an Oompa-Loompas - much more reliable!
7.) register_globals is your friend.
And I hug her, and kiss her and squeeze her tight. *pop*
8.) The best, most-scalable way to create an expandable website is to use a switch page. Just tack on a ?page=faq.php query to your GET request, and have PHP automatically `include($page)` (see point #7) in your switch file.
*hahahahaahah* What a clever person... what other sites did he/she work on? Post links please :) Ooh, dangerous. I worry about relative paths, so when I do this it's always with an absolute path... i.e. ?page=/var/www/mywebsite.com/somedir/faq.php Absolute paths are much faster to resolve. Good for him, efficiency is paramount on a heavy traffic payment gateway where every cycle can contribute to squeezing in another credit card payment.
9.) NEVER store passwords in a PHP script. Instead, store them in a file named `inc/config.inc` in the web directory, and include them.
I prefer to use .txt as the extension. Makes opening them in Notepad so much easier. Don't use a .htaccess file either to secure the directory. Apache needs to read that... cycles, cycles, cycles... things of the baby databases.
10.) If running a picture- or file-sharing website, make things easier on your users and yourself. Allow users to delete their files by using a simple link like: http://www.example.com/delete.php?file=images/mygraphic.jpg. Then, in delete.php, have only one line: <?php unlink($file); ?> (again, see point #7 --- see how much that's coming in handy now?)
Wow, that's handy. You can practically create a clean-site web service using: wget -r This works best if the web server is running as root. None of those annoying
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
At 10:41 AM -0400 7/17/08, Daniel Brown wrote:
-snip-
You're point? :-)
tedd
-- --- http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Thu, 2008-07-17 at 15:32 -0400, tedd wrote:
At 10:41 AM -0400 7/17/08, Daniel Brown wrote:
-snip-
You're point? :-)
I'm a circle... Tedd's a square? *runs away cackling*
Cheers, Rob.
-- http://www.interjinn.com Application and Templating Framework for PHP
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
At 3:47 PM -0400 7/17/08, Robert Cummings wrote:
On Thu, 2008-07-17 at 15:32 -0400, tedd wrote:
At 10:41 AM -0400 7/17/08, Daniel Brown wrote:
-snip-
You're point? :-)
I'm a circle... Tedd's a square?
I've been called worse. I'm really more of an oblate spheroid.
Cheers, tedd
-- --- http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Thu, 2008-07-17 at 15:53 -0400, tedd wrote:
At 3:47 PM -0400 7/17/08, Robert Cummings wrote:
On Thu, 2008-07-17 at 15:32 -0400, tedd wrote:
At 10:41 AM -0400 7/17/08, Daniel Brown wrote:
-snip-
You're point? :-)
I'm a circle... Tedd's a square?
I've been called worse. I'm really more of an oblate spheroid.
Naw... you're just a diamond on its side :B
Cheers, Rob.
-- http://www.interjinn.com Application and Templating Framework for PHP
[PHP] OpenID
Hi, Has anybody had any success implementing an OpenID server in PHP?? Alex
Re: [PHP] Randomly missing a function
Try returning a value from CreateUser and checking it before sending the E-Mail.
Thank you, Micah Gersten onShore Networks Internal Developer http://www.onshore.com
Miles Thompson wrote:
An online signup script is randomly missing part of the task. These scripts are involved:
sub_signup.php
include/cc_proc.php - does the CC (credit card) processing
include/user_maint.php - inserts the new subscriber into the database
When the CC processing finishes, with the success flag, user_maint.php is included, and a few lines later the createUser($params) function therein is called to create the user. Every mysql_ function in user_maint.php is backstopped with a die() if it fails. But sometimes it appears that the call to this script, or the createUser() function just isn't made.
What seems to happen, randomly, is that the script charges on so to speak, sending an advisory email to the office manager that there is a new subscriber, and calling sub_signup_thanks.php, which displays a completion message, etc. In all of these cases the credit card processing has succeeded. Sometimes people have tried to sign up two or three times, the card processes, but no addition is made to the database.
It's driving us nuts! Any thoughts?
Regards - Miles
Infrastructure: Apache 2.2, PHP 5.x, MySQL 5
Code:
    switch ($ret) {
        case CC_SUCCESS:
            require 'include/user_maint.php';
            $cctype = cc_getCardType($cc);
            if ($cctype == 'Visa')
                $cctype = 'VISA';
            elseif ($cctype == 'MasterCard')
                $cctype = 'M-C';
            //Shouldn't happen in case CC_SUCCESS, but better safe than sorry
            else
                die('We don\'t support this credit card');
            $params = array(
                'firstname' => $first,
                // various fields
                'postal_code' => $postal_code,
                'pay_method' => $cctype
            );
            // createUser is a function in user_maint
            createUser($params);
            // sendEmail is func in user_maint, advises office manager
            sendEmail('New subscriber!!!', "Already paid $amount by credit card", $fields);
            require 'sub_signup_thanks.php'; //Grabs authCode from $result
            return;
    }
    //other situations dealt with, and properly closed
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Thu, 2008-07-17 at 15:46 -0500, Micah Gersten wrote:
What can help is if one app only has access to its own DB. Also, for mysql, there is the mysql_real_escape_string function for a reason.
Well I agree with that of course... but the post by Stut indicated the interviewee thought he could punt all DB security to the DBA. Obviously it's important that the app developer use appropriate programming techniques to achieve security in conjunction with the DBA.
Cheers, Rob.
-- http://www.interjinn.com Application and Templating Framework for PHP
Re: [PHP] Randomly missing a function
Micah Gersten wrote:
Try returning a value from CreateUser and checking it before sending the E-Mail.
Thank you, Micah Gersten onShore Networks Internal Developer http://www.onshore.com
Exactly! You'll find that CreateUser() is called, however for whatever reason the user isn't created. Do as Micah suggests and also add some error checking to CreateUser() to find out why the user isn't created.
-Shawn
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
What can help is if one app only has access to its own DB. Also, for mysql, there is the mysql_real_escape_string function for a reason. Also, for the web app, you can usually disable Administrative functions and grant a minimal set of permissions.
Thank you, Micah Gersten onShore Networks Internal Developer http://www.onshore.com
Robert Cummings wrote:
On Thu, 2008-07-17 at 12:32 -0400, Andrew Ballard wrote:
On Thu, Jul 17, 2008 at 12:02 PM, Stut [EMAIL PROTECTED] wrote:
On 17 Jul 2008, at 15:31, David Giragosian wrote:
On 7/17/08, Stut [EMAIL PROTECTED] wrote:
On 17 Jul 2008, at 14:10, tedd wrote:
At 10:28 PM +0100 7/16/08, Stut wrote:
Oh, and you'd be working for me so bear that in mind ;) -Stut
It's no wonder why you haven't found anyone. :-)
Thanks for that tedd. Seriously though, I'm wondering if my expectations are too high... I expect them to know that addslashes is not adequate protection against SQL injection. I even had one tell me "SQL injection? I can't remember but I'm sure I've used it before." And I won't even go into the guy who asserted that he's always worked with DB administrators who've dealt with security issues so he'd never needed to learn about it. Am I expecting too much?!? -Stut
Surely you're being rhetorical, Stut, but no, you're not expecting too much. However the guy(s) who worked in a larger organization likely did have a very clear delineation of roles and responsibilities, as I am experiencing in a new position, and therefore may not be current on best practices in areas outside of their role. When my group leader instituted the current policy regarding job functions, a number of the open source guys decided their unused skills were eroding and/or they were not being exposed to new learning, and they left the company.
There's no way I would ever hire anyone who says security was somebody else's responsibility. I don't care what their previous managers have said, that's never a valid statement in my book. When you then add the fact that no DB admin no matter how good they are can implement adequate security to prevent SQL injection you get a developer who doesn't care about security issues much less know anything about them. -Stut
A DBA can go pretty far to prevent SQL injection by setting appropriate rights on the accounts that applications will use to interact with the database: denying direct access to tables, allowing access to only the necessary stored procedures, thereby forcing developers to design products using only those procedures for all data access. Of course, a lot of developers would complain under this level of security, and I suspect a lot of frameworks that are out there would be much less useful to lazy programmers.
So are you suggesting a web app make multiple different user account connections to the SQL server depending on whether it wants to SELECT, INSERT, DELETE, ETC.? I mean that's a fair proposition... just seems a tad heavy duty. Once again though... there's a programmer responsibility here to implement the application with such a scenario in mind. Most applications need access to SELECT, INSERT, and DELETE. In such a case, a single account with restricted access permissions that allow all three isn't going to do anything for the application if a programmer lets an SQL injection through. Cheers, Rob.
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On 17 Jul 2008, at 21:56, Robert Cummings wrote:
On Thu, 2008-07-17 at 15:46 -0500, Micah Gersten wrote:
What can help is if one app only has access to its own DB. Also, for mysql, there is the mysql_real_escape_string function for a reason.
Well I agree with that of course... but the post by Stut indicated the interviewee thought he could punt all DB security to the DBA. Obviously it's important that the app developer use appropriate programming techniques to achieve security in conjunction with the DBA.
My main point was that security is the responsibility of everyone on the team whether it's explicitly part of their job spec or not. A candidate who doesn't see that without prompting will not be getting any further in my interview process.
-Stut
-- http://stut.net/
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
For anyone interested, here's a nice book to get anyone started on PHP Security: http://oreilly.com/catalog/9780596006563/index.html
Thank you, Micah Gersten onShore Networks Internal Developer http://www.onshore.com
Stut wrote:
On 17 Jul 2008, at 21:56, Robert Cummings wrote:
On Thu, 2008-07-17 at 15:46 -0500, Micah Gersten wrote:
What can help is if one app only has access to its own DB. Also, for mysql, there is the mysql_real_escape_string function for a reason.
Well I agree with that of course... but the post by Stut indicated the interviewee thought he could punt all DB security to the DBA. Obviously it's important that the app developer use appropriate programming techniques to achieve security in conjunction with the DBA.
My main point was that security is the responsibility of everyone on the team whether it's explicitly part of their job spec or not. A candidate who doesn't see that without prompting will not be getting any further in my interview process.
-Stut
Re: [PHP] OpenID
This one time, at band camp, Alex Chamberlain [EMAIL PROTECTED] wrote:
Has anybody had any success implementing an OpenID server in PHP??
Sure, I had mine all set up on oceania.net and then the domain got stolen. So, all my OpenID info went with it.. not as good an idea as it first seems.
Kevin
Re: [PHP] Randomly missing a function
Micah, Duh!! So damned obvious. We'll try that.
Thanks - Miles
On Thu, Jul 17, 2008 at 5:42 PM, Micah Gersten [EMAIL PROTECTED] wrote:
Try returning a value from CreateUser and checking it before sending the E-Mail.
Thank you, Micah Gersten onShore Networks Internal Developer http://www.onshore.com
Miles Thompson wrote:
An online signup script is randomly missing part of the task. These scripts are involved:
sub_signup.php
include/cc_proc.php - does the CC (credit card) processing
include/user_maint.php - inserts the new subscriber into the database
When the CC processing finishes, with the success flag, user_maint.php is included, and a few lines later the createUser($params) function therein is called to create the user. Every mysql_ function in user_maint.php is backstopped with a die() if it fails. But sometimes it appears that the call to this script, or the createUser() function just isn't made.
What seems to happen, randomly, is that the script charges on so to speak, sending an advisory email to the office manager that there is a new subscriber, and calling sub_signup_thanks.php, which displays a completion message, etc. In all of these cases the credit card processing has succeeded. Sometimes people have tried to sign up two or three times, the card processes, but no addition is made to the database.
It's driving us nuts! Any thoughts?
Regards - Miles
Infrastructure: Apache 2.2, PHP 5.x, MySQL 5
Code:
    switch ($ret) {
        case CC_SUCCESS:
            require 'include/user_maint.php';
            $cctype = cc_getCardType($cc);
            if ($cctype == 'Visa')
                $cctype = 'VISA';
            elseif ($cctype == 'MasterCard')
                $cctype = 'M-C';
            //Shouldn't happen in case CC_SUCCESS, but better safe than sorry
            else
                die('We don\'t support this credit card');
            $params = array(
                'firstname' => $first,
                // various fields
                'postal_code' => $postal_code,
                'pay_method' => $cctype
            );
            // createUser is a function in user_maint
            createUser($params);
            // sendEmail is func in user_maint, advises office manager
            sendEmail('New subscriber!!!', "Already paid $amount by credit card", $fields);
            require 'sub_signup_thanks.php'; //Grabs authCode from $result
            return;
    }
    //other situations dealt with, and properly closed
Re: [PHP] Re: What font/size do you use for programming?
On Sat, Jul 12, 2008 at 12:40 AM, Eric Butera [EMAIL PROTECTED] wrote:
On Thu, Jul 10, 2008 at 5:29 PM, Philip Thompson [EMAIL PROTECTED] wrote:
On Jul 10, 2008, at 3:35 PM, Omar Noppe wrote:
Is there any reason to pick a black background and white fonts in your editor (for example writability)?
I think a black background is much easier on the eyes
I use a big font on a black background because it doesn't strain my eyes as much. I started out with Monaco 9pt (or bitstream vera sans mono 9pt on linux) on white. Slowly though I kept getting more frequent headaches. Now I use black with big fonts and I'm fine. I have really good vision and all that, but just hours of coding will get to me. As a side bonus, using a bigger font also helps me adhere to wrapping at the 80 character margin too.
Consolas 14pt editplus on server 2008
-- Regards, Wang Yi
[PHP] Class 'PDO' not found in .... PHP 5.2.5
I am with a new host and just tried to upload new files that use PHP and the class PDO for database access. I get the error in the subject.
I thought PDO was in the base code of PHP 5*
My host is on 5.2.5 according to PHP info
I have created a ticket
I fear that this is one of those not supported things. So I am asking for any advice.
Thanks Stephen
Re: [PHP] Class 'PDO' not found in .... PHP 5.2.5
PDO is distributed with PHP 5.1 and higher by default, but it can still be excluded during the compile stage. This may be the case for your installation. Run php_info() to find out, and if PDO is not listed, ask your host to install it. http://ca3.php.net/manual/en/pdo.installation.php
~Ted
On 17-Jul-08, at 8:07 PM, Stephen wrote:
I am with a new host and just tried to upload new files that use PHP and the class PDO for database access. I get the error in the subject.
I thought PDO was in the base code of PHP 5*
My host is on 5.2.5 according to PHP info
I have created a ticket
I fear that this is one of those not supported things. So I am asking for any advice.
Thanks Stephen
[PHP] PHP Development Team
We represent an established team of 15 PHP developers, with extensive experience in OOP Lamp development, including multiyear projects with thousands of total programming hours. They have also worked on numerous customized Content Management Systems (CMS) for various websites, including E-Commerce sites, websites for startup companies and sites for large firms. The team is in South America, so the rates are substantially below typical US standards while the developers are vertically below US time zones, making communication much easier than with India. They can work with both Agile and Waterfall development methodologies. The team is fluent in Spanish and has excellent written English with good spoken English. If desired, DreamStaffing can also supplement this team with a fluent bi-lingual project manager, HTML/CSS developers, user interface designers, or any other skill sets that are needed for a project. Please contact us at [EMAIL PROTECTED] for more information.
Re: [PHP] PHP Development Team
On Thu, Jul 17, 2008 at 10:11 PM, AvPHP [EMAIL PROTECTED] wrote:
We represent an established team of 15 PHP developers, with extensive experience in OOP Lamp development, including multiyear projects with thousands of total programming hours. They have also worked on numerous customized Content Management Systems (CMS) for various websites, including E-Commerce sites, websites for startup companies and sites for large firms. The team is in South America, so the rates are substantially below typical US standards while the developers are vertically below US time zones, making communication much easier than with India. They can work with both Agile and Waterfall development methodologies. The team is fluent in Spanish and has excellent written English with good spoken English. If desired, DreamStaffing can also supplement this team with a fluent bi-lingual project manager, HTML/CSS developers, user interface designers, or any other skill sets that are needed for a project. Please contact us at [EMAIL PROTECTED] for more information.
nice pitch ;)
-nathan