php-general Digest 18 Apr 2011 17:06:22 -0000 Issue 7278
Topics (messages 312428 through 312433):

Procurement process optimization and supplier evaluation and management
    312428 by: smxphbsxp

Re: email w/attachments
    312429 by: Richard Quadling
    312430 by: Steve Staples
    312431 by: João Cândido de Souza Neto
    312432 by: Paul M Foster

JavaScript Injection ???
    312433 by: tedd

Administrivia:

To subscribe to the digest, e-mail:
    php-general-digest-subscr...@lists.php.net

To unsubscribe from the digest, e-mail:
    php-general-digest-unsubscr...@lists.php.net

To post to the list, e-mail:
    php-gene...@lists.php.net

--

---BeginMessage---
Please see the attachment for the relevant materials.
---End Message---

---BeginMessage---
On 18 April 2011 04:38, Bastien phps...@gmail.com wrote:
> On 2011-04-17, at 10:26 PM, tedd t...@sperling.com wrote:
>
>> Hi gang:
>>
>> Anyone have an email script that allows attachments they would share?
>>
>> I've been trying to figure this out and everything I've tried has failed. I've looked at over a dozen scripts that don't work. I'm about to pull out what hair I have left.
>>
>> Cheers (I think),
>>
>> tedd
>>
>> --
>> ---
>> http://sperling.com/
>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>
> I use phpmailer for that. Great class and easy to do
>
> Bastien Koert

When I started out, I used the HtmlMimeMail class from Richard Heyes at phpguru.org. It is now called RMail.

I found this very easy to use. Extending the main class to include logging of mail is very easy (this year, I've sent 33,500 emails using it).

I send email with a plain text part as well as a HTML part. With embedded images and PDF attachments.

The recipients use a combination of Outlook (2003 and later), GoogleMail and YahooMail. All of the clients so far can read the messages sent and get the attachments.

If you intend to send HTML mail, you will have to go back to using tables with inline CSS if you want to be halfway readable on Outlook 2007+.

Outlook 2003 was very good with HTML mail. Outlook 2007+, not so good.

But that is fine for me, as the data was all tables. But for those sending out pretty mails, I believe it is a harder job than expected.

Richard.

--
Richard Quadling
Twitter : EE : Zend
@RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY
---End Message---

---BeginMessage---
On Mon, 2011-04-18 at 11:05 +0100, Richard Quadling wrote:
> On 18 April 2011 04:38, Bastien phps...@gmail.com wrote:
>> On 2011-04-17, at 10:26 PM, tedd t...@sperling.com wrote:
>>
>>> Hi gang:
>>>
>>> Anyone have an email script that allows attachments they would share?
>>>
>>> I've been trying to figure this out and everything I've tried has failed. I've looked at over a dozen scripts that don't work. I'm about to pull out what hair I have left.
>>>
>>> Cheers (I think),
>>>
>>> tedd
>>>
>>> --
>>> ---
>>> http://sperling.com/
>>
>> I use phpmailer for that. Great class and easy to do
>>
>> Bastien Koert
>
> When I started out, I used the HtmlMimeMail class from Richard Heyes at phpguru.org. It is now called RMail.
>
> I found this very easy to use. Extending the main class to include logging of mail is very easy (this year, I've sent 33,500 emails using it).
>
> I send email with a plain text part as well as a HTML part. With embedded images and PDF attachments.
>
> The recipients use a combination of Outlook (2003 and later), GoogleMail and YahooMail. All of the clients so far can read the messages sent and get the attachments.
>
> If you intend to send HTML mail, you will have to go back to using tables with inline CSS if you want to be halfway readable on Outlook 2007+.
>
> Outlook 2003 was very good with HTML mail. Outlook 2007+, not so good.
>
> But that is fine for me, as the data was all tables. But for those sending out pretty mails, I believe it is a harder job than expected.
>
> Richard.
>
> --
> Richard Quadling
> Twitter : EE : Zend
> @RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY

I use phpmailer[1], and even though most people don't like it, Pear MAILER as well.

With both, I've sent both HTML and plain text, as well as attachments without any issues.

phpmailer[1] is my mailer script of choice.

Steve.

[1] http://phpmailer.worxware.com/index.php
---End Message---

---BeginMessage---
I use Zend_Mail (from Zend Framework) works perfectly.

--
João Cândido de Souza Neto

tedd t...@sperling.com wrote in message news:p06240806c9d150fea24d@[192.168.1.2]...
> Hi gang:
>
> Anyone have an email script that allows attachments they would share?
>
> I've been trying to figure this out and everything I've tried has failed. I've looked at over a dozen scripts that don't work. I'm about to pull out what hair I have left.
>
> Cheers (I think),
>
> tedd
>
> --
> ---
> http://sperling.com/

---End
[PHP] JavaScript Injection ???
Hi gang:

Quite some time ago I had a demo that showed Javascript injection. It was where a user could type in:

<script> alert("Evil Code");</script>

and a JavaScript alert would be shown. But now my demo no longer works.

So, what happened? Was there a php update that prohibited that sort of behavior or did hosts start setting something to OFF, or what?

If you know, please explain.

Thanks,

tedd

--
---
http://sperling.com/
Re: [PHP] JavaScript Injection ???
On Monday, April 18, 2011 at 1:06 PM, tedd wrote:
> Hi gang:
>
> Quite some time ago I had a demo that showed Javascript injection. It was where a user could type in:
>
> <script> alert("Evil Code");</script>
>
> and a JavaScript alert would be shown. But now my demo no longer works.
>
> So, what happened? Was there a php update that prohibited that sort of behavior or did hosts start setting something to OFF, or what?
>
> If you know, please explain.
>
> Thanks,
>
> tedd
>
> --
> ---
> http://sperling.com/

Not that I know of. Are you talking about on-page injection, like comments and such? Normally JS injection would be that (bad scripts inserted by the user on a comment form or review page) or where you are using eval() and they dump bad code into there.

Regards,

-Josh
___
Joshua Kehn | josh.k...@gmail.com
http://joshuakehn.com
RE: [PHP] JavaScript Injection ???
Javascript:alert("Hello World");

The browsers have had many updates since last I saw this work.
PHP Server side.
JavaScript Client/Browser Side.

Richard L. Buskirk
You can't grow your business with systems that are on life support...

-----Original Message-----
From: tedd [mailto:t...@sperling.com]
Sent: Monday, April 18, 2011 1:06 PM
To: php-general@lists.php.net
Subject: [PHP] JavaScript Injection ???

Hi gang:

Quite some time ago I had a demo that showed Javascript injection. It was where a user could type in:

<script> alert("Evil Code");</script>

and a JavaScript alert would be shown. But now my demo no longer works.

So, what happened? Was there a php update that prohibited that sort of behavior or did hosts start setting something to OFF, or what?

If you know, please explain.

Thanks,

tedd

--
---
http://sperling.com/
Re: [PHP] JavaScript Injection ???
Is someone up to Cross Site Scripting? ;)

--Shreyas

On Mon, Apr 18, 2011 at 10:39 PM, Joshua Kehn josh.k...@gmail.com wrote:
> On Monday, April 18, 2011 at 1:06 PM, tedd wrote:
>> Hi gang:
>>
>> Quite some time ago I had a demo that showed Javascript injection. It was where a user could type in:
>>
>> <script> alert("Evil Code");</script>
>>
>> and a JavaScript alert would be shown. But now my demo no longer works.
>>
>> So, what happened? Was there a php update that prohibited that sort of behavior or did hosts start setting something to OFF, or what?
>>
>> If you know, please explain.
>>
>> Thanks,
>>
>> tedd
>>
>> --
>> ---
>> http://sperling.com/
>
> Not that I know of. Are you talking about on-page injection, like comments and such? Normally JS injection would be that (bad scripts inserted by the user on a comment form or review page) or where you are using eval() and they dump bad code into there.
>
> Regards,
>
> -Josh
> ___
> Joshua Kehn | josh.k...@gmail.com
> http://joshuakehn.com

--
Regards,
Shreyas Agasthya
Re: [PHP] JavaScript Injection ???
On Mon, 2011-04-18 at 22:43 +0530, Shreyas Agasthya wrote:
> Is someone up to Cross Site Scripting? ;)
>
> --Shreyas
>
> On Mon, Apr 18, 2011 at 10:39 PM, Joshua Kehn josh.k...@gmail.com wrote:
>> On Monday, April 18, 2011 at 1:06 PM, tedd wrote:
>>> Hi gang:
>>>
>>> Quite some time ago I had a demo that showed Javascript injection. It was where a user could type in:
>>>
>>> <script> alert("Evil Code");</script>
>>>
>>> and a JavaScript alert would be shown. But now my demo no longer works.
>>>
>>> So, what happened? Was there a php update that prohibited that sort of behavior or did hosts start setting something to OFF, or what?
>>>
>>> If you know, please explain.
>>>
>>> Thanks,
>>>
>>> tedd
>>>
>>> --
>>> ---
>>> http://sperling.com/
>>
>> Not that I know of. Are you talking about on-page injection, like comments and such? Normally JS injection would be that (bad scripts inserted by the user on a comment form or review page) or where you are using eval() and they dump bad code into there.
>>
>> Regards,
>>
>> -Josh
>> ___
>> Joshua Kehn | josh.k...@gmail.com
>> http://joshuakehn.com

I believe the reason for it not working now is because most browsers won't pop up an alert without being triggered by something, i.e. a mouse event, page load, etc.

You might be able to change the code to do something else like output to the firebug console, use document.write, or change the status bar text (although for that to work you'll need to change browser settings in most modern browsers like Opera, Fx, Chrome, etc)

--
Thanks,
Ash
http://www.ashleysheridan.co.uk
Re: [PHP] JavaScript Injection ???
ad...@buskirkgraphics.com wrote in message news:005501cbfdeb$457839c0$d068ad40$@com...
> Javascript:alert("Hello World");
>
> The browsers have had many updates since last I saw this work.

?? You're saying that alert doesn't work on your browser? Gee - it works on mine.
RE: [PHP] JavaScript Injection ???
Yes Alert works fine on my browsers but the hack to change the alert on someone else's website has been fixed from browser updates.

Richard L. Buskirk
You can't grow your business with systems that are on life support...

-----Original Message-----
From: Jim Giner [mailto:jim.gi...@albanyhandball.com]
Sent: Monday, April 18, 2011 2:03 PM
To: php-general@lists.php.net
Subject: Re: [PHP] JavaScript Injection ???

ad...@buskirkgraphics.com wrote in message news:005501cbfdeb$457839c0$d068ad40$@com...
> Javascript:alert("Hello World");
>
> The browsers have had many updates since last I saw this work.

?? You're saying that alert doesn't work on your browser? Gee - it works on mine.
RE: [PHP] JavaScript Injection ???
On Mon, 2011-04-18 at 14:11 -0400, ad...@buskirkgraphics.com wrote:
> Yes Alert works fine on my browsers but the hack to change the alert on someone else's website has been fixed from browser updates.
>
> Richard L. Buskirk
> You can't grow your business with systems that are on life support...
>
> -----Original Message-----
> From: Jim Giner [mailto:jim.gi...@albanyhandball.com]
> Sent: Monday, April 18, 2011 2:03 PM
> To: php-general@lists.php.net
> Subject: Re: [PHP] JavaScript Injection ???
>
> ad...@buskirkgraphics.com wrote in message news:005501cbfdeb$457839c0$d068ad40$@com...
>> Javascript:alert("Hello World");
>>
>> The browsers have had many updates since last I saw this work.
>
> ?? You're saying that alert doesn't work on your browser? Gee - it works on mine.

I think it might have something to do with the origin of the data, as running a quick example file works fine in Fx, Opera, Konqueror and SeaMonkey on my computer, and even seems to work OK when run from my local server (same machine but served from Apache instead of through the local file:// protocol)

One other thing it could be is some sort of security mod (in PHP or Apache) that is altering the actual HTML and isn't outputting what you expect.

--
Thanks,
Ash
http://www.ashleysheridan.co.uk
Re: [PHP] JavaScript Injection ???
At 1:09 PM -0400 4/18/11, Joshua Kehn wrote:
> On Monday, April 18, 2011 at 1:06 PM, tedd wrote:
>> Hi gang:
>>
>> Quite some time ago I had a demo that showed Javascript injection. It was where a user could type in:
>>
>> <script> alert("Evil Code");</script>
>>
>> and a JavaScript alert would be shown. But now my demo no longer works.
>>
>> So, what happened? Was there a php update that prohibited that sort of behavior or did hosts start setting something to OFF, or what?
>>
>> If you know, please explain.
>>
>> Thanks,
>>
>> tedd
>>
>> --
>> ---
>> http://sperling.com/
>
> Not that I know of. Are you talking about on-page injection, like comments and such? Normally JS injection would be that (bad scripts inserted by the user on a comment form or review page) or where you are using eval() and they dump bad code into there.
>
> Regards,
>
> -Josh

No, I had a simple form where IF the user entered:

<script> alert("Evil Code");</script>

-- into the form's text field (i.e., $_POST['text'] ) AND clicked Submit, the form would

echo( $_POST['text'] );

-- and that would produce a JavaScript Alert.

Here's the form:

http://php1.net/a/insecure-form/index.php

It was a simple working example of JavaScript Injection. But it no longer works and I want to find out why.

The most popular reason thus far is Browsers have changed, but I'm not sure as to what did change.

Cheers,

tedd

--
---
http://sperling.com/
Re: [PHP] JavaScript Injection ???
On Mon, Apr 18, 2011 at 14:42, tedd t...@sperling.com wrote:
> No, I had a simple form where IF the user entered:
>
> <script> alert("Evil Code");</script>
>
> -- into the form's text field (i.e., $_POST['text'] ) AND clicked Submit, the form would
>
> echo( $_POST['text'] );
>
> -- and that would produce a JavaScript Alert.
>
> Here's the form:
>
> http://php1.net/a/insecure-form/index.php
>
> It was a simple working example of JavaScript Injection. But it no longer works and I want to find out why.
>
> The most popular reason thus far is Browsers have changed, but I'm not sure as to what did change.

Look at the post-processing source --- note the slashes. Apply stripslashes() to the output on the PHP side and all should be right again with the world.

--
</Daniel P. Brown>
Network Infrastructure Manager
http://www.php.net/
Re: [PHP] JavaScript Injection ???
On Mon, 2011-04-18 at 14:42 -0400, tedd wrote:
> At 1:09 PM -0400 4/18/11, Joshua Kehn wrote:
>> On Monday, April 18, 2011 at 1:06 PM, tedd wrote:
>>> Hi gang:
>>>
>>> Quite some time ago I had a demo that showed Javascript injection. It was where a user could type in:
>>>
>>> <script> alert("Evil Code");</script>
>>>
>>> and a JavaScript alert would be shown. But now my demo no longer works.
>>>
>>> So, what happened? Was there a php update that prohibited that sort of behavior or did hosts start setting something to OFF, or what?
>>>
>>> If you know, please explain.
>>>
>>> Thanks,
>>>
>>> tedd
>>>
>>> --
>>> ---
>>> http://sperling.com/
>>
>> Not that I know of. Are you talking about on-page injection, like comments and such? Normally JS injection would be that (bad scripts inserted by the user on a comment form or review page) or where you are using eval() and they dump bad code into there.
>>
>> Regards,
>>
>> -Josh
>
> No, I had a simple form where IF the user entered:
>
> <script> alert("Evil Code");</script>
>
> -- into the form's text field (i.e., $_POST['text'] ) AND clicked Submit, the form would
>
> echo( $_POST['text'] );
>
> -- and that would produce a JavaScript Alert.
>
> Here's the form:
>
> http://php1.net/a/insecure-form/index.php
>
> It was a simple working example of JavaScript Injection. But it no longer works and I want to find out why.
>
> The most popular reason thus far is Browsers have changed, but I'm not sure as to what did change.
>
> Cheers,
>
> tedd
>
> --
> ---
> http://sperling.com/

From the looks of it you're only outputting the htmlentities version of it, so it's outputting those script tags as &lt;script&gt; so the browser would think the whole thing is text.

--
Thanks,
Ash
http://www.ashleysheridan.co.uk
Re: [PHP] JavaScript Injection ???
At 2:46 PM -0400 4/18/11, Daniel Brown wrote:
> On Mon, Apr 18, 2011 at 14:42, tedd t...@sperling.com wrote:
>> No, I had a simple form where IF the user entered:
>>
>> <script> alert("Evil Code");</script>
>>
>> -- into the form's text field (i.e., $_POST['text'] ) AND clicked Submit, the form would
>>
>> echo( $_POST['text'] );
>>
>> -- and that would produce a JavaScript Alert.
>>
>> Here's the form:
>>
>> http://php1.net/a/insecure-form/index.php
>>
>> It was a simple working example of JavaScript Injection. But it no longer works and I want to find out why.
>>
>> The most popular reason thus far is Browsers have changed, but I'm not sure as to what did change.
>
> Look at the post-processing source --- note the slashes. Apply stripslashes() to the output on the PHP side and all should be right again with the world.
>
> --
> </Daniel P. Brown>

Daniel et al:

Sorry -- I'm not making myself clear.

The form as-is produced a javascript alert() and now it doesn't.

It doesn't make any difference if I use stripslashes() or not, it still will NOT produce a javascript alert as it used to do.

Seriously, try this:

<?php
// Read the submitted field; null until the form has been posted.
$insecure = isset($_POST['insecure']) ? $_POST['insecure'] : null;
//$insecure = stripslashes($insecure);
?>

<h1>tedd's Secure v Insecure form demo</h1>

<p>
Enter (cut/paste the red) <br/><span class="red"> &lt;script> alert("Evil Code"); &lt;/script></span><br/> in the field below and see what happens. The red is javascript code.
</p>

<form method="post" action="index.php">
<p>
Field: <input type="text" size="60" name="insecure">
</p>
<p>
<input type="submit" value="Submit Post">
</p>
</form>

<?php
if ($insecure != null)
   {
   echo("<p>This is what you entered:</p>");
   // Deliberately insecure: the raw input is written into the page.
   echo("Input: $insecure");
   echo("<br>");
   // The same input after encoding, shown as text.
   $insecure = htmlentities($insecure);
   echo("Input after htmlentites: $insecure");
   echo("<br>");
   }
?>

<?php include('../includes/footer.php'); ?>

You can un-comment the stripslashes() function and it will still not produce a javascript alert.

Cheers,

tedd

--
---
http://sperling.com/
Re: [PHP] JavaScript Injection ???
On Monday, 18 April 2011 at 20:50, tedd wrote:
> Daniel et al:
>
> Sorry -- I'm not making myself clear.
>
> The form as-is produced a javascript alert() and now it doesn't.
>
> It doesn't make any difference if I use stripslashes() or not, it still will NOT produce a javascript alert as it used to do.
>
> Seriously, try this:
>
> <?php
> // Read the submitted field; null until the form has been posted.
> $insecure = isset($_POST['insecure']) ? $_POST['insecure'] : null;
> //$insecure = stripslashes($insecure);
> ?>
>
> <h1>tedd's Secure v Insecure form demo</h1>
>
> <p>
> Enter (cut/paste the red) <br/><span class="red"> &lt;script> alert("Evil Code"); &lt;/script></span><br/> in the field below and see what happens. The red is javascript code.
> </p>
>
> <form method="post" action="index.php">
> <p>
> Field: <input type="text" size="60" name="insecure">
> </p>
> <p>
> <input type="submit" value="Submit Post">
> </p>
> </form>
>
> <?php
> if ($insecure != null)
>    {
>    echo("<p>This is what you entered:</p>");
>    // Deliberately insecure: the raw input is written into the page.
>    echo("Input: $insecure");
>    echo("<br>");
>    // The same input after encoding, shown as text.
>    $insecure = htmlentities($insecure);
>    echo("Input after htmlentites: $insecure");
>    echo("<br>");
>    }
> ?>
>
> <?php include('../includes/footer.php'); ?>
>
> You can un-comment the stripslashes() function and it will still not produce a javascript alert.

Looks like some form of variable tainting. There was a proposal and a patch a while back, but all it did was emit a warning. I've looked at the PHP5 changelog to see if this was added but can't find any reference to it being merged in.

This is not a browser change because it's happening before the browser sees the response (try it with curl).

-Stuart

--
Stuart Dallas
3ft9 Ltd
http://3ft9.com/
[PHP] Re: JavaScript Injection ???
On 04/18/2011 12:06 PM, tedd wrote:
> Hi gang:
>
> Quite some time ago I had a demo that showed Javascript injection. It was where a user could type in:
>
> <script> alert("Evil Code");</script>
>
> and a JavaScript alert would be shown. But now my demo no longer works.
>
> So, what happened? Was there a php update that prohibited that sort of behavior or did hosts start setting something to OFF, or what?
>
> If you know, please explain.
>
> Thanks,
>
> tedd

Most likely like magic_quotes_gpc. Suhosin-Patch may protect against this as well (can't remember).

--
Thanks!
-Shawn
http://www.spidean.com
Re: [PHP] usort within a class
On Monday, 18 April 2011 at 21:27, Ashley Sheridan wrote:
> I'm trying to get the usort function working inside of a class, but am having some issues. Basically, the compare function which is the second parameter isn't recognised, but I'm not really sure how to indicate exactly where it is.
>
> I've gone over the usort() docs and read the user comments, and the only thing I've found so far which looked like it was the same issue gave this example:
>
> bo at erichsen dot com
> 20-Mar-2001 01:16
> when using usort to refer to a function inside a class i have successfully used:
>
> <?php usort($myarray,array($this,"cmp")); ?>
>
> Unfortunately, that doesn't work either. A basic example is as follows:
>
> class Search_model extends Model
> {
>     function get_results($q)
>     {
>         if(strlen($q))
>         {
>             $results = array();
>             $words = explode(' ', $q);
>             sort($words);
>
>             // build the basic match query parts to be used for the content and blog tables
>             if(substr($words[0], 0, 1) == '+' || substr($words[0], 0, 1) == '-' || substr($words[0], 0, 1) == '')
>             {
>                 $queryP1 = "SELECT *, MATCH(`content`) AGAINST('$q' IN BOOLEAN MODE) AS `score` FROM";
>                 $queryP2 = "WHERE MATCH(`content`) AGAINST('$q' IN BOOLEAN MODE)";
>             }
>             else
>             {
>                 $queryP1 = "SELECT *, MATCH(`content`) AGAINST('$q') AS `score` FROM";
>                 $queryP2 = "WHERE `display`='yes' AND MATCH(`content`) AGAINST('$q')";
>             }
>
>             $sql = "$queryP1 `content` $queryP2";
>             $query = $this->db->query($sql);
>             foreach($query->result() as $row)
>             {
>                 $results[] = $row;
>                 $results[count($results)-1]->content_type = 'content';
>             }
>
>             usort($results, array($this, "content_score_sort"));
>         }
>     }
>
>     function content_score_sort($a, $b)
>     {
>         // custom sort function to sort pages based on their score, which is an array value within each page
>         if($a['score'] == $b['score'])
>             return 0;
>         else
>             return ($a['score'] < $b['score']) ? -1 : 1; // comparison operator missing from this copy; "<" assumed
>     }
> }
>
> I know it's probably something very simple, but for the life of me I can't find what I'm missing. I think in part it's that the normal way I know of calling that sort function from within the class is $this->content_score_sort(), but that isn't recognised either.
>
> If anyone can shed any light on this it'd be very welcome!

That is the correct way to specify it. Works fine for me: http://dev.stut.net/php/usort.php

What makes you think it's not being recognised? I note that your get_results method doesn't actually return anything, so how do you know the sort isn't working?

-Stuart

--
Stuart Dallas
3ft9 Ltd
http://3ft9.com/
Re: [PHP] JavaScript Injection ???
On Mon, Apr 18, 2011 at 15:50, tedd t...@sperling.com wrote:
> It doesn't make any difference if I use stripslashes() or not, it still will NOT produce a javascript alert as it used to do.

Interestingly enough, I copied your index.php file to index2.php on the server and modified it to use stripslashes() and, as you said, it didn't work for me, regardless of how many times I tried.

In Chrome.

Switched over to Firefox and - wouldn't you know? - it worked like a charm, exactly as expected, when stripslashes() was employed. Of course, without the call, it wouldn't work in any browser, but this is now confirmed to be a browser issue.

Are you using Safari on your Mac? If so, give it a shot with Firefox and/or Internet Exploder.

--
</Daniel P. Brown>
Network Infrastructure Manager
http://www.php.net/
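
The server-side cases raised in this thread (raw echo, the added slashes Daniel points out, stripslashes(), and htmlentities()), put side by side as an added example that is not code from any of the posters. It assumes PHP 7 or later run from the command line; magic_quotes_gpc no longer exists there, so addslashes() stands in for it, and the helper names are made up for the illustration.

```php
<?php
// Added example, not code from the thread. Runs from the CLI on PHP 7 or later.

// Constructed sample input standing in for $_POST['insecure'].
const SUBMITTED = '<script> alert("Evil Code");</script>';

// magic_quotes_gpc was removed in PHP 5.4. addslashes() applies the same
// escaping it applied to request data: a backslash before ' " \ and NUL.
function with_magic_quotes(string $value): string
{
    return addslashes($value);
}

// First echo in the demo form: the request value goes into the page as-is.
function echo_raw(string $value): string
{
    return "Input: $value";
}

// Second echo in the demo form: markup characters are encoded before output.
function echo_encoded(string $value): string
{
    return 'Input after htmlentities: ' . htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Describe what the browser receives for a given response body.
function classify(string $html, string $submitted): string
{
    if (strpos($html, $submitted) !== false) {
        return 'reflected verbatim, the script element runs';
    }
    if (stripos($html, '<script') !== false) {
        // For this input the change is \" outside a string literal, which is
        // a JavaScript syntax error: the element is there but never executes.
        return 'script element present, body altered by the added slashes';
    }
    return 'encoded, shown to the user as text';
}

$cases = [
    'magic quotes off, raw echo'                 => echo_raw(SUBMITTED),
    'magic quotes on, raw echo'                  => echo_raw(with_magic_quotes(SUBMITTED)),
    'magic quotes on, stripslashes(), raw echo'  => echo_raw(stripslashes(with_magic_quotes(SUBMITTED))),
    'magic quotes on, htmlentities()'            => echo_encoded(with_magic_quotes(SUBMITTED)),
];

foreach ($cases as $label => $html) {
    printf("%s\n  response: %s\n  result:   %s\n\n", $label, $html, classify($html, SUBMITTED));
}
```

Only the encoded case is safe by construction; the "magic quotes on, raw echo" case fails to fire by accident and becomes exploitable again as soon as the slashes are stripped or the input avoids quotes.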
Re: [PHP] usort within a class
On Mon, 2011-04-18 at 21:41 +0100, Stuart Dallas wrote:
> On Monday, 18 April 2011 at 21:27, Ashley Sheridan wrote:
>> I'm trying to get the usort function working inside of a class, but am having some issues. Basically, the compare function which is the second parameter isn't recognised, but I'm not really sure how to indicate exactly where it is.
>>
>> I've gone over the usort() docs and read the user comments, and the only thing I've found so far which looked like it was the same issue gave this example:
>>
>> bo at erichsen dot com
>> 20-Mar-2001 01:16
>> when using usort to refer to a function inside a class i have successfully used:
>>
>> <?php usort($myarray,array($this,"cmp")); ?>
>>
>> Unfortunately, that doesn't work either. A basic example is as follows:
>>
>> class Search_model extends Model
>> {
>>     function get_results($q)
>>     {
>>         if(strlen($q))
>>         {
>>             $results = array();
>>             $words = explode(' ', $q);
>>             sort($words);
>>
>>             // build the basic match query parts to be used for the content and blog tables
>>             if(substr($words[0], 0, 1) == '+' || substr($words[0], 0, 1) == '-' || substr($words[0], 0, 1) == '')
>>             {
>>                 $queryP1 = "SELECT *, MATCH(`content`) AGAINST('$q' IN BOOLEAN MODE) AS `score` FROM";
>>                 $queryP2 = "WHERE MATCH(`content`) AGAINST('$q' IN BOOLEAN MODE)";
>>             }
>>             else
>>             {
>>                 $queryP1 = "SELECT *, MATCH(`content`) AGAINST('$q') AS `score` FROM";
>>                 $queryP2 = "WHERE `display`='yes' AND MATCH(`content`) AGAINST('$q')";
>>             }
>>
>>             $sql = "$queryP1 `content` $queryP2";
>>             $query = $this->db->query($sql);
>>             foreach($query->result() as $row)
>>             {
>>                 $results[] = $row;
>>                 $results[count($results)-1]->content_type = 'content';
>>             }
>>
>>             usort($results, array($this, "content_score_sort"));
>>         }
>>     }
>>
>>     function content_score_sort($a, $b)
>>     {
>>         // custom sort function to sort pages based on their score, which is an array value within each page
>>         if($a['score'] == $b['score'])
>>             return 0;
>>         else
>>             return ($a['score'] < $b['score']) ? -1 : 1; // comparison operator missing from this copy; "<" assumed
>>     }
>> }
>>
>> I know it's probably something very simple, but for the life of me I can't find what I'm missing. I think in part it's that the normal way I know of calling that sort function from within the class is $this->content_score_sort(), but that isn't recognised either.
>>
>> If anyone can shed any light on this it'd be very welcome!
>
> That is the correct way to specify it. Works fine for me: http://dev.stut.net/php/usort.php
>
> What makes you think it's not being recognised? I note that your get_results method doesn't actually return anything, so how do you know the sort isn't working?
>
> -Stuart
>
> --
> Stuart Dallas
> 3ft9 Ltd
> http://3ft9.com/

Because I don't need it to return anything at that point, the usort call is within the get_results() method itself. Also, as I keep getting a variety of errors with the usort call I'm taking a wild guess that it doesn't work.

With

usort($results, array($this, "content_score_sort"));

I get 'Fatal error: Cannot use object of type stdClass as array'

usort($this->results, array($this, "content_score_sort"));

gives 'Message: usort() expects parameter 1 to be array, null given'

This is all built around a CodeIgniter class, but I figured this isn't really a CI question but a PHP one, however I'm still at a loss :-/

--
Thanks,
Ash
http://www.ashleysheridan.co.uk
Re: [PHP] usort within a class
On Monday, 18 April 2011 at 21:52, Ashley Sheridan wrote:
> On Mon, 2011-04-18 at 21:41 +0100, Stuart Dallas wrote:
> > On Monday, 18 April 2011 at 21:27, Ashley Sheridan wrote:
> > > I'm trying to get the usort function working inside of a class, but am
> > > having some issues. Basically, the compare function which is the second
> > > parameter isn't recognised, but I'm not really sure how to indicate
> > > exactly where it is. I've gone over the usort() docs and read the user
> > > comments, and the only thing I've found so far which looked like it was
> > > the same issue gave this example:
> > >
> > > bo at erichsen dot com 20-Mar-2001 01:16
> > > when using usort to refer to a function inside a class I have
> > > successfully used:
> > >
> > > <?php usort($myarray,array($this,"cmp")); ?>
> > >
> > > Unfortunately, that doesn't work either. A basic example is as follows:
> > >
> > > class Search_model extends Model
> > > {
> > >     function get_results($q)
> > >     {
> > >         if(strlen($q))
> > >         {
> > >             $results = array();
> > >             $words = explode(' ', $q);
> > >             sort($words);
> > >
> > >             // build the basic match query parts to be used for the content and blog tables
> > >             if(substr($words[0], 0, 1) == '+' || substr($words[0], 0, 1) == '-' || substr($words[0], 0, 1) == '')
> > >             {
> > >                 $queryP1 = "SELECT *, MATCH(`content`) AGAINST('$q' IN BOOLEAN MODE) AS `score` FROM";
> > >                 $queryP2 = "WHERE MATCH(`content`) AGAINST('$q' IN BOOLEAN MODE)";
> > >             }
> > >             else
> > >             {
> > >                 $queryP1 = "SELECT *, MATCH(`content`) AGAINST('$q') AS `score` FROM";
> > >                 $queryP2 = "WHERE `display`='yes' AND MATCH(`content`) AGAINST('$q')";
> > >             }
> > >
> > >             $sql = "$queryP1 `content` $queryP2";
> > >             $query = $this->db->query($sql);
> > >             foreach($query->result() as $row)
> > >             {
> > >                 $results[] = $row;
> > >                 $results[count($result)-1]->content_type = 'content';
> > >             }
> > >             usort($results, array($this, "content_score_sort"));
> > >         }
> > >     }
> > >
> > >     function content_score_sort($a, $b)
> > >     {
> > >         // custom sort function to sort pages based on their score, which is an array value within each page
> > >         if($a['score'] == $b['score'])
> > >             return 0;
> > >         else
> > >             return ($a['score'] $b['score']) ? -1 : 1;
> > >     }
> > > }
> > >
> > > I know it's probably something very simple, but for the life of me I
> > > can't find what I'm missing.
> > >
> > > I think in part it's that the normal way I know of calling that sort
> > > function from within the class is $this->content_score_sort(), but that
> > > isn't recognised either. If anyone can shed any light on this it'd be
> > > very welcome!
> >
> > That is the correct way to specify it. Works fine for me:
> > http://dev.stut.net/php/usort.php
> >
> > What makes you think it's not being recognised? I note that your
> > get_results method doesn't actually return anything, so how do you know
> > the sort isn't working?
> >
> > -Stuart
>
> Because I don't need it to return anything at that point, the usort call
> is within the get_results() method itself. Also, as I keep getting a
> variety of errors with the usort call I'm taking a wild guess that it
> doesn't work.
>
> With
>
> usort($results, array($this, "content_score_sort"));
>
> I get 'Fatal error: Cannot use object of type stdClass as array'
>
> usort($this->results, array($this, "content_score_sort"));
>
> gives 'Message: usort() expects parameter 1 to be array, null given'
>
> This is all built around a CodeIgniter class, but I figured this isn't
> really a CI question but a PHP one, however I'm still at a loss :-/

The usort call is at the end of the get_results method, and $results is local. If you want it to be a member of the class you need to set it as such.

I think you'll find your issue is that each element of $results will be an object, but in content_score_sort you're treating them as arrays. Change $a['score'] to $a->score and modify $b in the same way.

-Stuart

--
Stuart Dallas
3ft9 Ltd
http://3ft9.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
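The change Stuart describes, as an added example that is not code from the thread: `usort()` receives the `array($this, 'method')` callback, and the comparison reads `score` as an object property because each row is a `stdClass`. The `Result_sorter` class, the sample rows and the highest-first order are assumptions for illustration.

```php
<?php
// Added illustration; class name, rows and sort direction are assumptions.
class Result_sorter
{
    // Sorts rows (objects, as a database layer typically returns them)
    // by score, highest first, and returns the sorted array.
    public function sort_by_score(array $rows)
    {
        // array($this, 'method') tells usort() to call a method on this object.
        usort($rows, array($this, 'content_score_sort'));
        return $rows;
    }

    // Comparison callback: each element is an object, so the score is a
    // property ($a->score), not an array key ($a['score']). Array syntax
    // on a stdClass raises "Cannot use object of type stdClass as array".
    public function content_score_sort($a, $b)
    {
        if ($a->score == $b->score) {
            return 0;
        }
        return ($a->score > $b->score) ? -1 : 1;
    }
}

// Constructed sample rows standing in for a query result.
$rows = array();
foreach (array('about' => 0.4, 'news' => 2.1, 'contact' => 1.3) as $title => $score) {
    $row = new stdClass();
    $row->title = $title;
    $row->score = $score;
    $row->content_type = 'content';
    $rows[] = $row;
}

$sorter = new Result_sorter();
foreach ($sorter->sort_by_score($rows) as $row) {
    printf("%-8s %.1f\n", $row->title, $row->score);
}
```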
[PHP] Re: JavaScript Injection ???
At 3:10 PM -0500 4/18/11, Shawn McKenzie wrote:
> On 04/18/2011 12:06 PM, tedd wrote:
> > Hi gang:
> >
> > Quite some time ago I had a demo that showed Javascript injection. It
> > was where a user could type in:
> >
> > <script> alert("Evil Code");</script>
> >
> > and a JavaScript alert would be shown. But now my demo no longer works.
> > So, what happened? Was there a php update that prohibited that sort of
> > behavior or did hosts start setting something to OFF, or what?
> >
> > If you know, please explain.
> >
> > Thanks,
> >
> > tedd
>
> Most likely like magic_quotes_gpc. Suhosin-Patch may protect against
> this as well (can't remember).
>
> --
> Thanks!
> -Shawn

Shawn:

Thanks, but it's something else.

Cheers,

tedd

--
---
http://sperling.com/
Re: [PHP] JavaScript Injection ???
At 4:44 PM -0400 4/18/11, Daniel Brown wrote:
> On Mon, Apr 18, 2011 at 15:50, tedd t...@sperling.com wrote:
> > It doesn't make any difference if I use stripslashes() or not, it
> > still will NOT produce a javascript alert as it used to do.
>
> Interestingly enough, I copied your index.php file to index2.php on the
> server and modified it to use stripslashes() and, as you said, it didn't
> work for me, regardless of how many times I tried.
>
> In Chrome.
>
> Switched over to Firefox and - wouldn't you know? - it worked like a
> charm, exactly as expected, when stripslashes() was employed. Of course,
> without the call, it wouldn't work in any browser, but this is now
> confirmed to be a browser issue. Are you using Safari on your Mac? If
> so, give it a shot with Firefox and/or Internet Exploder.
>
> --
> /Daniel P. Brown

Bingo! That did it!

You see, I'm writing a report for my students showing them the security hazards of forms. I figured it would be nice if I could show them an example of JavaScript injection.

Now, if FF for Windows does the same thing, then that will be great.

You know, this teaching thing is a lot of work -- I'm below minimum wage now.

Cheers,

tedd

--
---
http://sperling.com/
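What the thread is testing, as an added example that is not tedd's demo code: the payload from the first post after magic_quotes_gpc-style escaping, after `stripslashes()`, and after `htmlspecialchars()`. Using `addslashes()` as a stand-in for magic_quotes_gpc and the function names are assumptions.

```php
<?php
// Added illustration; function names are assumptions, not tedd's demo code.

// Stand-in for what magic_quotes_gpc did to incoming form data:
// it backslash-escaped quotes, backslashes and NUL bytes, nothing else.
function as_received_with_magic_quotes($input)
{
    return addslashes($input);
}

// Vulnerable output: the value is written into the page unchanged.
function render_unsafe($value)
{
    return '<p>You typed: ' . $value . '</p>';
}

// Hardened output: HTML metacharacters become entities, so the browser
// displays the text instead of parsing it as markup.
function render_safe($value)
{
    return '<p>You typed: ' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Payload quoted in the thread, used here as constructed form input.
$typed = '<script> alert("Evil Code");</script>';

$received = as_received_with_magic_quotes($typed);
$cases = array(
    'magic quotes only'  => render_unsafe($received),
    'after stripslashes' => render_unsafe(stripslashes($received)),
    'htmlspecialchars'   => render_safe(stripslashes($received)),
);

foreach ($cases as $label => $html) {
    // A literal <script tag in the output means the browser may parse it.
    $live = (stripos($html, '<script') !== false) ? 'yes' : 'no';
    printf("%-20s script tag in output: %-3s %s\n", $label, $live, $html);
}
```

In the first case the tags still reach the page and only the backslashes added inside the `alert()` call keep the script from parsing. Only the third case is independent of the browser, which matters because Daniel's test shows the second one behaving differently in Chrome and Firefox.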
Re: [PHP] openssl question
On Wed, Apr 6, 2011 at 3:41 PM, Kai Renz writeme...@googlemail.com wrote:
> Hi,
>
> I try to create a self signed certificate using this code:
>
> snip
>
> I'm using a windows box with xampp installed.
>
> regards.

http://us3.php.net/manual/en/function.openssl-csr-new.php

Check out this page, especially the second comment (by user AA). It seems that $csr = openssl_csr_new($dn, $privkey); will generate its own private key, and $privkey should be set to null initially. I don't know for sure, though. I've never done this before.

--
--Zootboy

Sent from my PC.
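The sequence discussed above, as an added example that is not Kai's snipped code: a self-signed certificate built with `openssl_csr_new()` and `openssl_csr_sign()`, with `$privkey` passed in as null. The DN values, key size, lifetime and the optional `$configPath` parameter (for installs where PHP cannot locate `openssl.cnf`) are assumptions.

```php
<?php
// Added illustration; DN values, lifetime and key size are assumptions.

// Builds a self-signed certificate and returns array(cert PEM, key PEM).
// $configPath is optional; when given it is passed as the 'config' option.
function make_self_signed(array $dn, $days = 365, $configPath = null)
{
    $options = array(
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'digest_alg'       => 'sha256',
    );
    if ($configPath !== null) {
        $options['config'] = $configPath;
    }

    // Left as null on purpose: openssl_csr_new() takes it by reference
    // and assigns a newly generated private key to it.
    $privkey = null;
    $csr = openssl_csr_new($dn, $privkey, $options);
    if ($csr === false) {
        throw new RuntimeException('CSR failed: ' . openssl_error_string());
    }

    // Passing null as the CA certificate makes the result self-signed.
    $cert = openssl_csr_sign($csr, null, $privkey, $days, $options);
    if ($cert === false) {
        throw new RuntimeException('Signing failed: ' . openssl_error_string());
    }

    openssl_x509_export($cert, $certPem);
    openssl_pkey_export($privkey, $keyPem, null, $options);
    return array($certPem, $keyPem);
}

// Constructed subject values for the example.
list($certPem, $keyPem) = make_self_signed(array(
    'countryName'      => 'XX',
    'organizationName' => 'Example Org',
    'commonName'       => 'localhost.example',
));
echo $certPem;
```

The exported key is written without a passphrase here, so `$keyPem` needs to be stored with restrictive file permissions.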