php-general Digest 23 May 2011 08:14:00 -0000 Issue 7324
Topics (messages 313072 through 313087):

Re: Script ID?
    313072 by: tedd

Re: Queries and Common Practices
    313073 by: tedd
    313074 by: Dotan Cohen

Re: context when calling non static method of class in a static way
    313075 by: Mike Mackintosh
    313076 by: admin.buskirkgraphics.com
    313078 by: Simon Hilz
    313079 by: Simon Hilz
    313080 by: admin.buskirkgraphics.com
    313081 by: admin.buskirkgraphics.com
    313082 by: Simon Hilz
    313083 by: Peter Lind
    313085 by: Simon Hilz
    313086 by: Richard Quadling

Re: A Review Request
    313077 by: Nisse Engström
    313084 by: tedd
    313087 by: Ford, Mike

Administrivia:

To subscribe to the digest, e-mail: php-general-digest-subscr...@lists.php.net
To unsubscribe from the digest, e-mail: php-general-digest-unsubscr...@lists.php.net
To post to the list, e-mail: php-gene...@lists.php.net

--
---BeginMessage---
At 1:47 PM -0400 5/21/11, Adam Richardson wrote:
> On Sat, May 21, 2011 at 10:11 AM, tedd <t...@sperling.com> wrote:
>> Hi gang:
>>
>> Okay, so, what's the best (i.e., most secure) way for your script to identify itself *IF* you plan on using that information later, such as the value in an action attribute in a form?
>>
>> For example, I was using:
>>
>>     $self = basename($_SERVER['SCRIPT_NAME']);
>>     <form name="my_form" action="<?php echo($self); ?>" method="post">
>>
>> However, that was susceptible to XSS.
>>
>> http://www.mc2design.com/blog/php_self-safe-alternatives
>>
>> says a simple action="#" would work.
>>
>> But is there a better way? What would you do to solve this?
>>
>> Cheers,
>>
>> tedd
>
> Tedd, I'm sorry for the confusion.
>
> When I referenced that article, I was speaking to Alex as to why it wouldn't be prudent for you to use PHP_SELF (as he had suggested to avoid an additional function call) as opposed to what you were currently using, basename($_SERVER['SCRIPT_FILENAME']).
>
> My point, and the point of the article, was that PHP_SELF requires special precautions. However, script_filename is not susceptible to this type of attack, as it does not include data from the user:
> http://php.about.com/od/learnphp/qt/_SERVER_PHP.htm
>
> In fact, basename($_SERVER['SCRIPT_FILENAME']), and basename(__FILE__) were two of the mitigation methods mentioned in the closing of the article.
>
> Try it out on your server:
>
>     <h1>PHP_SELF (dangerous)</h1>
>     <p><?php echo $_SERVER['PHP_SELF']; ?></p>
>     <h1>$_SERVER['SCRIPT_FILENAME']</h1>
>     <p><?php echo $_SERVER['SCRIPT_FILENAME']; ?></p>
>     <h1>$_SERVER['REQUEST_URI'] (dangerous)</h1>
>     <p><?php echo $_SERVER['REQUEST_URI']; ?></p>
>     <h1>__FILE__</h1>
>     <p><?php echo __FILE__; ?></p>
>     <h1>basename(__FILE__)</h1>
>     <p><?php echo basename(__FILE__); ?></p>
>     <h1>basename($_SERVER['SCRIPT_NAME'])</h1>
>     <p><?php echo basename($_SERVER['SCRIPT_NAME']); ?></p>
>
> Try to enter the attack vector and you'll see PHP_SELF could be terrible, but the basename option for script_filename and __FILE__ are immune.
>
> Again, sorry for the confusion.
>
> Adam

Adam:

Very interesting.

As I understand things, to remove an XSS threat from the method, you have to get the script name from something other than a SuperGlobal because SuperGlobals are subject to XSS attacks, right?

As such, using a predefined constant should be safe. I don't know how, nor where, PHP gets the value, but I'm assuming it's not from something that can be altered by someone outside the server.

So, is that the reason why you say that using __FILE__ is better at getting the running script's name than using $_SERVER['PHP_SELF']?

Cheers,

tedd

--
---
http://sperling.com/
---End Message---
---BeginMessage---
At 10:50 AM +0100 5/22/11, Ashley Sheridan wrote:
> -snip-
> but I also give the table a moniker which lets me shorten the queries as I type:
>
>     SELECT p.id, p.name FROM people p WHERE p.gender = 'male'
>
> This way, I can easily join in other tables, my typing is kept to a minimum as I do it also.

Ash:

Whenever I see p.id (or similar) I think there is a join coming. So, I always use:

    SELECT id, name FROM people WHERE gender = 'male'

Unless there's a join, such as:

    SELECT p.id, p.name, a.total FROM people p, accounts.a WHERE gender = 'male'

Cheers,

tedd

--
---
http://sperling.com/
---End Message---
---BeginMessage---
On Sun, May 22, 2011 at 17:38, tedd <tedd.sperl...@gmail.com> wrote:
>     SELECT p.id, p.name, a.total FROM people p, accounts.a WHERE gender = 'male'

Finding the error in the above code is fun. I'm surprised I spotted it; it shows how sensitive one gets to debugging.

For that matter, I like the OP's practice of redundancy in the name of consistency. If nothing at the least, it gets us used to looking at the code to debug as above.

--
RE: [PHP] A Review Request
> -----Original Message-----
> From: tedd [mailto:tedd.sperl...@gmail.com]
> Sent: 22 May 2011 22:33
>
> At 5:50 PM +0200 5/22/11, Nisse Engström wrote:
>> On Sat, 21 May 2011 09:26:02 -0400, tedd wrote:
>>> The function strcmp() simply evaluates two strings and reports back -1, 0, or 1 depending upon their alphabetical relationship.
>>
>> It might do that, but don't bet your horse on it.
>>
>> http://se.php.net/manual/en/function.strcmp.php
>>
>> /Nisse
>
> It works that way for me.

Are you absolutely certain about that?

    echo strcmp('These are nearly equal', 'These are almost equal'), "\n";
    echo strcmp('different', 'unequal'), "\n";
    echo strcmp('b', 'a'), "<br />\n";

Result:

    13
    -17
    1

The description of the function merely says that the result is <0, 0 or >0 -- it makes no promises about the actual value when it is non-zero.

Cheers!

Mike

--
Mike Ford,
Electronic Information Developer, Libraries and Learning Innovation,
Leeds Metropolitan University, C507 City Campus,
Woodhouse Lane, LEEDS, LS1 3HE, United Kingdom
Email: m.f...@leedsmet.ac.uk
Tel: +44 113 812 4730

To view the terms under which this email is distributed, please go to http://disclaimer.leedsmet.ac.uk/email.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Closing Session (Revisited)
On 22/05/11 06:46, Roger Riordan wrote:
> On Thu, 05 May 2011 08:28:53 -0400, sstap...@mnsi.net (Steve Staples) wrote:
>> On Thu, 2011-05-05 at 21:41 +1000, Roger Riordan wrote:
>>> I have developed a common engine which I use for several different websites. I had been using PHP 5.2.? and IE6 (yes; I know!), and had been able to have multiple sessions open at once, displaying the same or different websites, without them interfering with each other. This was incredibly useful; I could be looking at, or even edit, different parts of the same, or different, websites simultaneously without any problems.
>>>
>>> But I recently had a hard disk crash and had to re-install all the system software. Now I have PHP 5.3 and IE 8, and find that if I try to do this the various sessions interfere with each other. From the above comment I gather that this is because IE 8 combines all the instances, whereas previously each instance was treated as a different user.
>>>
>>> Is there any simple way to make IE 8 treat each instance as a new user, or should I switch to Chrome and use the Incognito feature?
>>>
>>> Roger Riordan AM
>>> http://www.corybas.com/
>>
>> The Incognito feature won't give you the results you're looking for. From my experience, the incognito window(s) and tab(s) share the same memory/cookie/session space, which is different from the main window... which means you will run into the same issue.
>>
>> Once you close all your incognito windows/tabs, you will release those cookies/sessions/memory space and if you open a new one afterwards, then you will be fine, but if one tab stays open, no go :(
>>
>> Have you looked at the http://ca3.php.net/session_name function, and putting that into your site just after your session_start() ? I believe that will fix your issues (as long as your session names are unique), but I am not 100% sure.
>>
>> Steve
>
> Thank you for this suggestion. This has solved the more serious half of my problems; I can easily generate a different session name for each website, so that the various websites don't interfere with each other, but I have not been able to devise a way to differentiate between multiple sessions of the same website.
>
> For example, if I open one copy of a website as a visitor I am shown as Visitor, but if I then open another window, and log in as Manager, then go back to the first window I am shown as Manager (with appropriate privileges) there also.
>
> The only way I can think of to overcome this would be to generate a new named session every time I log in, and then to pass the session name as a parameter every time I load a new page. Unfortunately my program is sufficiently complicated that this is effectively impractical, as it would involve tracking down and modifying every point in the program at which a new page can be launched. It also has a theoretical disadvantage that if someone bookmarks a page they will bookmark the session name, but this can fairly readily be overcome.
>
> Is there any alternative way in which a different session name (or equivalent flag) can be attached to each instance of the browser?
>
> (Effectively these problems only affect the developer, as they only apply to multiple instances of the same browser on the same PC.)
>
> PS. At this stage I devised a really nasty kludge, which enables me to run multiple copies without them interfering. In my program new pages are always launched by a command of the general type:
>
>     http://localhost/cypalda.com/index.php?level=1&item=22
>
> This loads the file index.php, which is a very brief file in the public directory (cypalda.com in this case). It sets a couple of constants and then transfers control to a file Begin.php, in a private directory. This in turn sets up a whole lot more constants, and then transfers control to the main program, which is common to 5 different websites.
>
> I realised that if I specify the session name in index.php, I can make several copies of this file, e.g. index.php, index1.php, index2.php, each of which specified a different session name.
>
> I thought this still left me the problem of modifying all the points at which a new page was launched, but then I found that by great good fortune (or foresight!) I had defined a constant $home_page = "index.php", and always launched a new page with the basic command
>
>     echo ('<a href="'.$home_page.'?ident=' ...');
>
> So all I had to do to achieve the desired outcome was to specify a different $homepage in each copy of index.php. Then, once I had launched a particular copy of index.php, that instance of the browser would always load the session appropriate to that copy.
>
> Even better, if I upload the various versions of index.php, I can run multiple copies of the public website on the same PC without them interfering.
>
> Roger Riordan AM
> http://www.corybas.com/

Depending upon how your session persistence works, can you not just specify a different location to store session data for each possible mode of login? I have an application which does something similar,
[PHP] Re: Date validation
On 20/05/11 16:29, Geoff Lane wrote:
> On Friday, May 20, 2011, Peter Lind wrote:
>> Try:
>>
>>     $date = new DateTime($date_string_to_validate);
>>     echo $date->format('Y-m-d');
>
> Many thanks. Unfortunately, as I mentioned in my OP, the DateTime class seems to be 'broken' for my purposes because it uses strtotime() to convert input strings to date/time. Rather than fail when presented with an invalid date, strtotime() returns the 'best fit' if possible. This can be seen from:
>
>     $date = new DateTime('30 Feb 1999');
>     echo $date->format('Y-m-d');
>
> which results in 1999-03-02 even though 30 Feb is an invalid date.

If you could programmatically determine the format of the input, you could parse the date using DateTime and then rewrite it using the same format as the input, and compare those. Now that starts to work if you can *control* the format of the input, or at least limit it to some familiar options.

So maybe:

    $userInput = '30 Feb 1999';
    $dateTest = new DateTime($userInput);
    if ($userInput===$dateTest->format('Y-m-d') ||
        $userInput===$dateTest->format('d M Y'))
    {
        echo 'Date is valid';
    }
    else
    {
        echo 'Not valid';
    }

It starts to get long-winded after a while, and doesn't rule out ambiguous cases...

Or split the date input into pieces in the form (if possible) and then you can validate the date how you like

    $userInput = $_POST['year'].'-'.$_POST['month'].'-'.$_POST['day'];
    $dateTest = new DateTime($userInput);
    if ($userInput===$dateTest->format('Y-m-d'))
    {
        echo 'Date is valid';
    }
    else
    {
        echo 'Not valid';
    }

Finally, for some applications I have made an AJAX (javascript + PHP) implementation which provides feedback to the user as they type in the date field: every time a character is typed in the box, the backend is asked to parse it and then format it in an unambiguous way and send it back to the client. That way the user can *see* if what they are typing is valid... Of course, you *still* have to validate it when it's posted (and the network overhead might be too much).

--
Peter Ford, Developer
phone: 01580 89 fax: 01580 893399
Justcroft International Ltd. www.justcroft.com
Justcroft House, High Street, Staplehurst, Kent TN12 0AH United Kingdom
Registered in England and Wales: 2297906
Registered office: Stag Gates House, 63/64 The Avenue, Southampton SO17 1XS
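A stricter version of the round-trip and split-field checks discussed in this message, as an added example that is not code from any poster. The function names, the accepted format list and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. All inputs below are constructed.

/**
 * Parse $input against an explicit list of accepted formats and reject
 * anything DateTime would silently roll over (30 Feb -> 2 Mar).
 * Returns null when no format matches exactly.
 */
function parse_strict_date(string $input, array $formats = ['Y-m-d', 'd M Y']): ?DateTimeImmutable
{
    $input = trim($input);
    $utc = new DateTimeZone('UTC');

    foreach ($formats as $format) {
        // '!' resets fields the format does not mention (time of day) to zero.
        $date = DateTimeImmutable::createFromFormat('!' . $format, $input, $utc);
        if ($date === false) {
            continue; // input does not fit this format at all
        }

        // Overflowing values such as day 30 in February still produce an
        // object but are reported as warnings. getLastErrors() returns false
        // on PHP >= 8.2 when there is nothing to report, an array before that.
        $errors = DateTimeImmutable::getLastErrors();
        if ($errors !== false && ($errors['warning_count'] > 0 || $errors['error_count'] > 0)) {
            continue;
        }

        // Round trip, as in the post: the canonical rendering must equal the input.
        if ($date->format($format) === $input) {
            return $date;
        }
    }
    return null;
}

/**
 * Split-field variant: three separate form fields validated with checkdate(),
 * which also accepts unpadded values ("2" for February).
 */
function parse_date_fields(array $post): ?DateTimeImmutable
{
    foreach (['year', 'month', 'day'] as $key) {
        // Reject missing fields, arrays (month[]=2), signs, spaces and long digit runs.
        if (!isset($post[$key]) || !is_string($post[$key])
            || !ctype_digit($post[$key]) || strlen($post[$key]) > 4) {
            return null;
        }
    }
    [$y, $m, $d] = [(int) $post['year'], (int) $post['month'], (int) $post['day']];
    if (!checkdate($m, $d, $y)) {
        return null;
    }
    return (new DateTimeImmutable('now', new DateTimeZone('UTC')))
        ->setDate($y, $m, $d)
        ->setTime(0, 0);
}

// Constructed sample inputs for the single-field check.
foreach (['1999-02-28', '30 Feb 1999', '28 Feb 1999', '1999-02-30', 'tomorrow', ''] as $s) {
    $date = parse_strict_date($s);
    printf("%-14s => %s\n", var_export($s, true), $date ? $date->format('Y-m-d') : 'rejected');
}

// Constructed sample inputs for the split-field check.
foreach ([
    ['year' => '1999', 'month' => '2', 'day' => '28'],
    ['year' => '1999', 'month' => '2', 'day' => '30'],
    ['year' => '1999', 'month' => ['2'], 'day' => '28'],
] as $fields) {
    $date = parse_date_fields($fields);
    echo json_encode($fields), ' => ', $date ? $date->format('Y-m-d') : 'rejected', "\n";
}
```

The round trip is deliberately exact, so an input such as `28 feb 1999` is rejected unless a format that renders it that way is added to the list.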
[PHP] strcmp()?
At 8:13 AM +0000 5/23/11, Ford, Mike wrote:
>> -----Original Message-----
>> From: tedd [mailto:tedd.sperl...@gmail.com]
>>
>>> On Sat, 21 May 2011 09:26:02 -0400, tedd wrote:
>>>> The function strcmp() simply evaluates two strings and reports back -1, 0, or 1 depending upon their alphabetical relationship.
>>>
>>> It might do that, but don't bet your horse on it.
>>>
>>> http://se.php.net/manual/en/function.strcmp.php
>>>
>>> /Nisse
>>
>> It works that way for me.
>
> Are you absolutely certain about that?
>
>     echo strcmp('These are nearly equal', 'These are almost equal'), "\n";
>     echo strcmp('different', 'unequal'), "\n";
>     echo strcmp('b', 'a'), "<br />\n";
>
> Result:
>
>     13
>     -17
>     1
>
> The description of the function merely says that the result is <0, 0 or >0 -- it makes no promises about the actual value when it is non-zero.
>
> Mike

Mike:

That's interesting. Try the same comparisons here:

http://www.webbytedd.com/lcc/citw229/string-compare.php

For me they are 1, -1, and 1.

Someone with more smarts than me* will have to figure this one out.

Cheers,

tedd

PS: * I can hear the peanut gallery saying "That won't be hard." :-)

--
---
http://sperling.com/
Re: [PHP] strcmp()?
On May 23, 2011, at 8:00 AM, tedd wrote:
> At 8:13 AM +0000 5/23/11, Ford, Mike wrote:
>>> -----Original Message-----
>>> From: tedd [mailto:tedd.sperl...@gmail.com]
>>>
>>>> On Sat, 21 May 2011 09:26:02 -0400, tedd wrote:
>>>>> The function strcmp() simply evaluates two strings and reports back -1, 0, or 1 depending upon their alphabetical relationship.
>>>>
>>>> It might do that, but don't bet your horse on it.
>>>>
>>>> http://se.php.net/manual/en/function.strcmp.php
>>>>
>>>> /Nisse
>>>
>>> It works that way for me.
>>
>> Are you absolutely certain about that?
>>
>>     echo strcmp('These are nearly equal', 'These are almost equal'), "\n";
>>     echo strcmp('different', 'unequal'), "\n";
>>     echo strcmp('b', 'a'), "<br />\n";
>>
>> Result:
>>
>>     13
>>     -17
>>     1
>>
>> The description of the function merely says that the result is <0, 0 or >0 -- it makes no promises about the actual value when it is non-zero.
>>
>> Mike
>
> Mike:
>
> That's interesting. Try the same comparisons here:
>
> http://www.webbytedd.com/lcc/citw229/string-compare.php
>
> For me they are 1, -1, and 1.
>
> Someone with more smarts than me* will have to figure this one out.
>
> Cheers,
>
> tedd
>
> PS: * I can hear the peanut gallery saying "That won't be hard." :-)
>
> --
> ---
> http://sperling.com/

Might that have something to do with the version of PHP running?

Regards,

-Josh

Joshua Kehn | josh.k...@gmail.com
http://joshuakehn.com
[PHP] Re: Date validation
At 9:47 AM +0100 5/23/11, Pete Ford wrote:
> Finally, for some applications I have made an AJAX (javascript + PHP) implementation which provides feedback to the user as they type in the date field: every time a character is typed in the box, the backend is asked to parse it and then format it in an unambiguous way and send it back to the client. That way the user can *see* if what they are typing is valid... Of course, you *still* have to validate it when it's posted (and the network overhead might be too much).

That would be interesting to see.

With a little work, I envision a way to alleviate the Europe/US date format difference. (i.e., day/month/year : Europe vs month/day/year : US).

As the user typed in the date, the day/month problem could be shown via string-month (i.e., Jan... ).

How does yours work?

Cheers,

tedd

--
---
http://sperling.com/
Re: [PHP] strcmp()?
>> Mike:
>>
>> That's interesting. Try the same comparisons here:
>>
>> http://www.webbytedd.com/lcc/citw229/string-compare.php
>>
>> For me they are 1, -1, and 1.
>
> Might that have something to do with the version of PHP running?
>
> -Josh

-Josh:

I've written this on two different servers. One is Version 5.2.15 and the other is version 5.2.5 and they both report the same results.

Cheers,

tedd

--
---
http://sperling.com/
Re: [PHP] strcmp()?
On May 23, 2011, at 8:17 AM, tedd wrote:
>>> Mike:
>>>
>>> That's interesting. Try the same comparisons here:
>>>
>>> http://www.webbytedd.com/lcc/citw229/string-compare.php
>>>
>>> For me they are 1, -1, and 1.
>>
>> Might that have something to do with the version of PHP running?
>>
>> -Josh
>
> -Josh:
>
> I've written this on two different servers. One is Version 5.2.15 and the other is version 5.2.5 and they both report the same results.
>
> Cheers,
>
> tedd

I just checked under 5.3.2 and it gives the same -1, 0, 1 results.

Regards,

-Josh

Joshua Kehn | josh.k...@gmail.com
http://joshuakehn.com
RE: [PHP] strcmp()?
[snip][/snip]

5.2.9 yields -1, 0, 1
RE: [PHP] strcmp()?
> -----Original Message-----
> From: Joshua Kehn [mailto:josh.k...@gmail.com]
> Sent: 23 May 2011 13:04
>
> On May 23, 2011, at 8:00 AM, tedd wrote:
>> At 8:13 AM +0000 5/23/11, Ford, Mike wrote:
>>>     echo strcmp('These are nearly equal', 'These are almost equal'), "\n";
>>>     echo strcmp('different', 'unequal'), "\n";
>>>     echo strcmp('b', 'a'), "<br />\n";
>>>
>>> Result:
>>>
>>>     13
>>>     -17
>>>     1
>>>
>>> The description of the function merely says that the result is <0, 0 or >0 -- it makes no promises about the actual value when it is non-zero.
>>>
>>> Mike
>>
>> Mike:
>>
>> That's interesting. Try the same comparisons here:
>>
>> http://www.webbytedd.com/lcc/citw229/string-compare.php
>>
>> For me they are 1, -1, and 1.
>>
>> Someone with more smarts than me* will have to figure this one out.
>>
>> Cheers,
>>
>> tedd
>>
>> PS: * I can hear the peanut gallery saying "That won't be hard." :-)
>>
>> --
>> ---
>> http://sperling.com/
>
> Might that have something to do with the version of PHP running?

Possibly -- or even the result returned by the underlying C strcmp() for any given architecture/compiler combination, which would like as not be even more variable.

I think the lesson is, if writing portable code, always allow for results which might be outside of the [-1, 0, 1] set.

(Incidentally, tedd, your test script has the signs the wrong way round in the output; plus which they should be &lt; &gt; anyway; plus plus which, you are not applying htmlspecialchars() or whatever to your echoed user input, so values such as <!-- break your page, and I'm sure something more malicious could be cooked up were I so inclined... :( .)

Cheers!

Mike

--
Mike Ford,
Electronic Information Developer, Libraries and Learning Innovation,
Leeds Metropolitan University, C507 City Campus,
Portland Way, LEEDS, LS1 3HE, United Kingdom
Email: m.f...@leedsmet.ac.uk
Tel: +44 113 812 4730

To view the terms under which this email is distributed, please go to http://disclaimer.leedsmet.ac.uk/email.htm
Re: [PHP] strcmp()?
On 23 May 2011 13:24, Joshua Kehn <josh.k...@gmail.com> wrote:
> On May 23, 2011, at 8:17 AM, tedd wrote:
>>>> Mike:
>>>>
>>>> That's interesting. Try the same comparisons here:
>>>>
>>>> http://www.webbytedd.com/lcc/citw229/string-compare.php
>>>>
>>>> For me they are 1, -1, and 1.
>>>
>>> Might that have something to do with the version of PHP running?
>>>
>>> -Josh
>>
>> -Josh:
>>
>> I've written this on two different servers. One is Version 5.2.15 and the other is version 5.2.5 and they both report the same results.
>>
>> Cheers,
>>
>> tedd
>
> I just checked under 5.3.2 and it gives the same -1, 0, 1 results.
>
> Regards,
>
> -Josh
>
> Joshua Kehn | josh.k...@gmail.com
> http://joshuakehn.com

Just tested the code below on Windows, using official releases (and some RCs also).

    <?php
    echo PHP_VERSION, ' ',
         strcmp('These are nearly equal', 'These are almost equal'), ' ',
         strcmp('different', 'unequal'), ' ',
         strcmp('b', 'a');
    ?>

And for all of the V4 and V5 releases I've got, the result is the same... -1 1 -1

--
Richard Quadling
Twitter : EE : Zend : PHPDoc
@RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea
Re: [PHP] strcmp()?
I checked on php 5.2.4-2 (ubuntu5.12). It returns 1,-1,1

On Mon, May 23, 2011 at 4:00 PM, tedd <t...@sperling.com> wrote:
> At 8:13 AM +0000 5/23/11, Ford, Mike wrote:
>>> -----Original Message-----
>>> From: tedd [mailto:tedd.sperl...@gmail.com]
>>>
>>>> On Sat, 21 May 2011 09:26:02 -0400, tedd wrote:
>>>>> The function strcmp() simply evaluates two strings and reports back -1, 0, or 1 depending upon their alphabetical relationship.
>>>>
>>>> It might do that, but don't bet your horse on it.
>>>>
>>>> http://se.php.net/manual/en/function.strcmp.php
>>>>
>>>> /Nisse
>>>
>>> It works that way for me.
>>
>> Are you absolutely certain about that?
>>
>>     echo strcmp('These are nearly equal', 'These are almost equal'), "\n";
>>     echo strcmp('different', 'unequal'), "\n";
>>     echo strcmp('b', 'a'), "<br />\n";
>>
>> Result:
>>
>>     13
>>     -17
>>     1
>>
>> The description of the function merely says that the result is <0, 0 or >0 -- it makes no promises about the actual value when it is non-zero.
>>
>> Mike
>
> Mike:
>
> That's interesting. Try the same comparisons here:
>
> http://www.webbytedd.com/lcc/citw229/string-compare.php
>
> For me they are 1, -1, and 1.
>
> Someone with more smarts than me* will have to figure this one out.
>
> Cheers,
>
> tedd
>
> PS: * I can hear the peanut gallery saying "That won't be hard." :-)
>
> --
> ---
> http://sperling.com/

--
With regards,
Alexei Bovanenko
Re: [PHP] context when calling non static method of class in a static way
ah i forgot e_all doesn't include e_strict. with error_reporting(-1 / E_ALL | E_STRICT) i see the errors. so i think i am right that the use of that special behavior of php is not a good idea.

thank you guys!

On 23.05.2011 00:32, Richard Quadling wrote:
> On 22 May 2011 22:44, Simon Hilz <simon.h...@gmx.de> wrote:
>> i can't reproduce that error. which php version do you use?
>> i've coded an example for a behavior-pattern:
>
> Try with ...
>
>     <?php
>     error_reporting(-1);
>     ini_set('display_errors', 1);
>
>     class Car {
>     ...
>
> I get output of ...
>
>     Fuel of my new BMW with consumption 7.2l/100km: 0<br>call TankUpBehavior::tankUp (100)<br>
>     Strict Standards: Non-static method TankUpBehavior::tankUp() should not be called statically, assuming $this from incompatible context in D:\Work\t1.php on line 50
>     Fuel after tank up 100 l: 100<br>call DriveBehavior::drive (24)<br>
>     Strict Standards: Non-static method DriveBehavior::drive() should not be called statically, assuming $this from incompatible context in D:\Work\t1.php on line 50
>     Fuel after driving 24 km: 98.272<br>
Re: [PHP] Re: Date validation
On 23/05/11 13:12, tedd wrote:
> At 9:47 AM +0100 5/23/11, Pete Ford wrote:
>> Finally, for some applications I have made an AJAX (javascript + PHP) implementation which provides feedback to the user as they type in the date field: every time a character is typed in the box, the backend is asked to parse it and then format it in an unambiguous way and send it back to the client. That way the user can *see* if what they are typing is valid... Of course, you *still* have to validate it when it's posted (and the network overhead might be too much).
>
> That would be interesting to see.
>
> With a little work, I envision a way to alleviate the Europe/US date format difference. (i.e., day/month/year : Europe vs month/day/year : US).
>
> As the user typed in the date, the day/month problem could be shown via string-month (i.e., Jan... ).
>
> How does yours work?
>
> Cheers,
>
> tedd

Ah, now you're asking. I'll have to try and extract the code into a sanitised form for public consumption: give me a little time...

But yes, the string fed back to the user gives the month as a string, to avoid confusion with numeric months.

--
Peter Ford, Developer
phone: 01580 89 fax: 01580 893399
Justcroft International Ltd. www.justcroft.com
Justcroft House, High Street, Staplehurst, Kent TN12 0AH United Kingdom
Registered in England and Wales: 2297906
Registered office: Stag Gates House, 63/64 The Avenue, Southampton SO17 1XS
[PHP] best practise accessing object's attributes from objects itself
hi,

i was wondering if there is any best practise known how one should access the attributes of an object from the object itself. i mean, it is a good practise to write getters and setters for the attributes of an object to its interface. but is it common to modify the attributes from the object itself directly or also through the interface methods?

i use the interface methods in my own classes at most times but recently i dived into zend framework and there it seems not to be usual. as zend framework is more or less a showpiece-software in php programming i'm not sure if my practises are good.

are there any discussions by really focused php programmers about that?

Simon
Re: [PHP] strcmp()?
On May 23, 2011, at 9:28 AM, Alex Nikitin wrote:
> There is an interesting note in the comments for strcmp:
>
> "Well, I am using PHP 4.0 and both strcmp and strcasecmp appear to be giving me very arbitrary and incomprehensible results. When I input strings, it appears that equal strings return 1, as well as some unequal strings, and that if the first argument is smaller then I *tend* to get negative numbers, but sometimes I get 1, and if larger I *tend* to get numbers larger than 1.."
>
> Guessing that earlier versions of php 4 and before would give the results that would have values other than 1, 0, -1, i looked through the change log, but nothing immediately jumped out, there was a lot of mbstring work done, and they did add the nat comparison functions, and play with the pcre engine a bit, which could have caused this as an unintended result for a few versions, i think though it was a bug at some point, so, maybe a php dev would chime in if they remember...?
>
> --
> Alex
> --
> --
> The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray

All this confusion makes me glad that I'm using === for equality checks instead of strcmp.

Regards,

-Josh

Joshua Kehn | josh.k...@gmail.com
http://joshuakehn.com
RE: [PHP] strcmp()?
At 1:06 PM +0000 5/23/11, Ford, Mike wrote:
> (Incidentally, tedd, your test script has the signs the wrong way round in the output; plus which they should be &lt; &gt; anyway; plus plus which, you are not applying htmlspecialchars() or whatever to your echoed user input, so values such as <!-- break your page, and I'm sure something more malicious could be cooked up were I so inclined... :( .)
>
> Mike

Mike:

Thanks.

The which way the arrows point thing is because I'm dyslexic. While I know that a appears before b, it's difficult for me to think of 'a' being less than 'b' -- UNLESS -- I think in terms of their ASCII values and then everything makes sense -- but that's a step away from deciding < or >. IOW, it's a two step process for me to realize which way the arrows point.

As for the htmlspecialchars(), you are absolutely right. The demo was for my students and I didn't want to confuse them. However, I have changed the code to htmlentities(). They probably should start learning basic security from the get-go (as should I).

Cheers,

tedd

--
---
http://sperling.com/
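The three points raised in this exchange (escape echoed input, emit the operator as an entity, rely only on the sign of strcmp()) together with the form-action question from the "Script ID?" thread, as an added example that is not code from any poster. Function names and all request values are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Request values are constructed.

/** Escape untrusted text for an HTML text node or a quoted attribute value. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Form action built from SCRIPT_NAME, which the server sets to the resolved
 * script path. PHP_SELF additionally carries any client-supplied path info
 * that follows the script name (/form.php/extra), so it is not used here.
 * The value is still escaped on output.
 */
function form_action(array $server): string
{
    return e(basename($server['SCRIPT_NAME'] ?? ''));
}

/**
 * Render a comparison of two user-supplied strings. Only the sign of
 * strcmp() is used, since the magnitude differs between builds (13/-17/1
 * versus 1/-1/1 in the thread); the operator is emitted as an entity.
 */
function render_comparison(string $a, string $b): string
{
    $cmp = strcmp($a, $b);
    $op = $cmp < 0 ? '&lt;' : ($cmp > 0 ? '&gt;' : '=');
    return '<p>' . e($a) . ' ' . $op . ' ' . e($b) . '</p>';
}

// Constructed request: the client appended path info containing markup.
$server = [
    'SCRIPT_NAME' => '/demo/compare.php',
    'PHP_SELF'    => '/demo/compare.php/"><em>injected</em>',
];

// Before: PHP_SELF echoed raw closes the attribute and adds an element.
echo '<form action="' . $server['PHP_SELF'] . '" method="post">', "\n";

// After: fixed script name, escaped on output.
echo '<form action="' . form_action($server) . '" method="post">', "\n";

// Constructed user input, including the "<!--" value mentioned in the thread.
echo render_comparison('<!-- b', 'a'), "\n";
echo render_comparison('different', 'unequal'), "\n";
```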
Re: [PHP] strcmp()?
At 9:32 AM -0400 5/23/11, Joshua Kehn wrote:
> All this confusion makes me glad that I'm using === for equality checks instead of strcmp.
>
> -Josh

-Josh:

Yes, but what if you were sorting?

I know you could use sort(), but there might be logic where a strcmp() would better solve the problem.

Cheers,

tedd

--
---
http://sperling.com/
Re: [PHP] strcmp()?
On Mon, May 23, 2011 at 9:32 AM, Joshua Kehn <josh.k...@gmail.com> wrote:
> On May 23, 2011, at 9:28 AM, Alex Nikitin wrote:
>> There is an interesting note in the comments for strcmp:
>>
>> "Well, I am using PHP 4.0 and both strcmp and strcasecmp appear to be giving me very arbitrary and incomprehensible results. When I input strings, it appears that equal strings return 1, as well as some unequal strings, and that if the first argument is smaller then I *tend* to get negative numbers, but sometimes I get 1, and if larger I *tend* to get numbers larger than 1.."
>>
>> Guessing that earlier versions of php 4 and before would give the results that would have values other than 1, 0, -1, i looked through the change log, but nothing immediately jumped out, there was a lot of mbstring work done, and they did add the nat comparison functions, and play with the pcre engine a bit, which could have caused this as an unintended result for a few versions, i think though it was a bug at some point, so, maybe a php dev would chime in if they remember...?
>>
>> --
>> Alex
>> --
>> --
>> The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray
>
> All this confusion makes me glad that I'm using === for equality checks instead of strcmp.
>
> Regards,
>
> -Josh
>
> Joshua Kehn | josh.k...@gmail.com
> http://joshuakehn.com

It depends on what you need to check, josh :) If you wanted to say find an anagram, or do a search with some typo correction, strcmp can be many times more helpful than a ===, that said comparing 2 strings to be equal === works about 20% quicker, so it works better for comparing two strings for equality (or unequality) anyways.

There is no confusion, strcmp has a documented way in which it is to work in posix-compliant languages, ISO/IEC 9899:1999, 7.21.4.2, so as long as you follow the ISO guidelines for the strcmp checking, your code should work correctly...

--
The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray
RE: [PHP] strcmp()?
> -----Original Message-----
> From: tedd [mailto:tedd.sperl...@gmail.com]
> Sent: 23 May 2011 14:41
>
> The which way the arrows point thing is because I'm dyslexic. While I know that a appears before b, it's difficult for me to think of 'a' being less than 'b' -- UNLESS -- I think in terms of their ASCII values and then everything makes sense -- but that's a step away from deciding < or >. IOW, it's a two step process for me to realize which way the arrows point.

Yes, I remember you mentioning being dyslexic a few times on this list before, which is partly why it was only an "incidentally" at the end. We have a pretty hot disability and dyslexia unit here who don't shrink from telling me what's good and what's bad about our website!

And, just for the record re the strcmp() debate, I'm on PHP 5.2.5, SunOS 5.10.

Cheers!

Mike

--
Mike Ford,
Electronic Information Developer, Libraries and Learning Innovation,
Leeds Metropolitan University, C507 City Campus,
Portland Way, LEEDS, LS1 3HE, United Kingdom
E: m.f...@leedsmet.ac.uk
T: +44 113 812 4730

To view the terms under which this email is distributed, please go to http://disclaimer.leedsmet.ac.uk/email.htm
Re: [PHP] strcmp()?
On May 23, 2011, at 9:45 AM, tedd wrote:

> At 9:32 AM -0400 5/23/11, Joshua Kehn wrote:
>
> > All this confusion makes me glad that I'm using === for equality checks instead of strcmp.
> >
> > -Josh
>
> -Josh:
>
> Yes, but what if you were sorting? I know you could use sort(), but there might be logic where a strcmp() would better solve the problem.
>
> Cheers,
> tedd
> --
> http://sperling.com/

Never encountered an issue using sort() as-is.

Regards,
-Josh
Joshua Kehn | josh.k...@gmail.com http://joshuakehn.com
Re: [PHP] Re: Date validation
Isn't this typically why date selectors are used on the front end?
Re: [PHP] strcmp()?
On May 23, 2011, at 9:47 AM, Alex Nikitin wrote:

> It depends on what you need to check, josh :) If you wanted to say find an anagram, or do a search with some typo correction, strcmp can be many times more helpful than a ===, that said comparing 2 strings to be equal === works about 20% quicker, so it works better for comparing two strings for equality (or inequality) anyways. There is no confusion, strcmp has a documented way in which it is to work in posix-compliant languages, ISO/IEC 9899:1999, 7.21.4.2, so as long as you follow the ISO guidelines for the strcmp checking, your code should work correctly...
>
> -- The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray

It's good to know its functionality is available in the case that I ever need it.

Regards,
-Josh
Joshua Kehn | josh.k...@gmail.com http://joshuakehn.com
Re: [PHP] Re: Date validation
On Mon, May 23, 2011 at 9:55 AM, Tamara Temple tamouse.li...@gmail.com wrote:

> Isn't this typically why date selectors are used on the front end?

Not really. Date selectors are intended to make data entry easier on the front end while allowing only valid date selections, but you can't really rely on them.

* Most date selectors rely on Javascript, which may not be available on the client.
* From a usability perspective, using a date selector is slower than typing the date into a text field. Accessibility is also a concern.
* Above all, your code should still validate the correctness of input on the server regardless of anything you are doing to make things easier in the client. There are ways around using date selectors.

Andrew
[PHP] Contract Example
I landed my first big PHP contract (yeah!) and am in need of a contract or agreement example. Does anyone have, or know of a good source for, contract/agreement examples?

Thanks!
Floyd
Re: [PHP] strcmp()?
On 23 May 2011 14:28, Alex Nikitin niks...@gmail.com wrote:

> There is an interesting note in the comments for strcmp:
>
> Well, I am using PHP 4.0 and both strcmp and strcasecmp appear to be giving me very arbitrary and incomprehensible results. When I input strings, it appears that equal strings return 1, as well as some unequal strings, and that if the first argument is smaller then I *tend* to get negative numbers, but sometimes I get 1, and if larger I *tend* to get numbers larger than 1..
>
> Guessing that earlier versions of php 4 and before would give the results that would have values other than 1, 0, -1, i looked through the change log, but nothing immediately jumped out, there was a lot of mbstring work done, and they did add the nat comparison functions, and play with the pcre engine a bit, which could have caused this as an unintended result for a few versions, i think though it was a bug at some point, so, maybe a php dev would chime in if they remember...?

4.0.0 1 -1 1
4.0.1 1 -1 1
4.0.1 1 -1 1
4.0.2 1 -1 1
4.0.3 1 -1 1
4.0.4 1 -1 1
4.0.4pl1 1 -1 1
4.0.5 1 -1 1
4.0.6 1 -1 1
4.1.0 1 -1 1
4.1.1 1 -1 1
4.1.2 1 -1 1
4.2.0 1 -1 1
4.2.1 1 -1 1
4.2.2 1 -1 1
4.2.3RC1 1 -1 1
4.2.3RC2 1 -1 1
4.2.3 1 -1 1
4.3.0-pre2 1 -1 1
4.3.0RC1 1 -1 1
4.3.0RC2 1 -1 1
4.3.0RC3 1 -1 1
4.3.0RC4 1 -1 1
4.3.0 1 -1 1
4.3.1 1 -1 1
4.3.10 1 -1 1
4.3.11 1 -1 1
4.3.2-RC1 1 -1 1
4.3.2-RC2 1 -1 1
4.3.2RC3 1 -1 1
4.3.2 1 -1 1
4.3.3RC1 1 -1 1
4.3.3RC2 1 -1 1
4.3.3RC3 1 -1 1
4.3.3RC4 1 -1 1
4.3.3 1 -1 1
4.3.4RC1 1 -1 1
4.3.4RC2 1 -1 1
4.3.4RC3 1 -1 1
4.3.4 1 -1 1
4.3.5RC1 1 -1 1
4.3.5RC2 1 -1 1
4.3.5RC3 1 -1 1
4.3.5RC4 1 -1 1
4.3.5 1 -1 1
4.3.6RC1 1 -1 1
4.3.6RC2 1 -1 1
4.3.6RC3 1 -1 1
4.3.6 1 -1 1
4.3.7RC1 1 -1 1
4.3.7 1 -1 1
4.3.8 1 -1 1
4.3.9RC1 1 -1 1
4.3.9 1 -1 1
4.4.0 1 -1 1
4.4.1 1 -1 1
4.4.2 1 -1 1
4.4.3 1 -1 1
4.4.4 1 -1 1
4.4.5 1 -1 1
4.4.6 1 -1 1
4.4.7 1 -1 1
4.4.8 1 -1 1
4.4.9 1 -1 1

All the official versions of PHP 4 (and some RCs) for Windows. All give the same response.
Must be a platform issue also.

--
Richard Quadling
Twitter : EE : Zend : PHPDoc
@RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea
[PHP] Re: Contract Example
On Mon, 23 May 2011 10:39:10 -0400, Floyd Resler wrote:

> I landed my first big PHP contract (yeah!) and am in need of a contract or agreement example. Does anyone have, or know of a good source for, contract/agreement examples?
>
> Thanks!
> Floyd

Enforceable in what country/province?

http://www.sloperama.com/advice/entry65.html
Re: [PHP] Re: Contract Example
On May 23, 2011, at 11:12 AM, Jonesy wrote:

> On Mon, 23 May 2011 10:39:10 -0400, Floyd Resler wrote:
>
> > I landed my first big PHP contract (yeah!) and am in need of a contract or agreement example. Does anyone have, or know of a good source for, contract/agreement examples?
> >
> > Thanks!
> > Floyd
>
> Enforceable in what country/province?
>
> http://www.sloperama.com/advice/entry65.html

It's the United States, state of Ohio. And I did try to find examples on line before posting my question. All I could find were examples on how to create PHP forms.

Thanks!
Floyd
Re: [PHP] Contract Example
At 10:39 AM -0400 5/23/11, Floyd Resler wrote:

> I landed my first big PHP contract (yeah!) and am in need of a contract or agreement example. Does anyone have, or know of a good source for, contract/agreement examples?
>
> Thanks!
> Floyd

Floyd:

Here's something you may want to read:

http://24ways.org/2008/contract-killer

While I don't recommend using this as an actual contract, it does give you an idea of what can happen and how you may want to consider protecting yourself.

Cheers,
tedd
--
http://sperling.com/
Re: [PHP] PHP Brainteasers 2011
On Fri, May 20, 2011 at 12:55, Marc Guay m...@jkcommunications.com wrote:

> I imagine this one's been done before, but maybe not in the same way

I believe it was, but not quite the same, you're right.

> If at first you don't succeed, try, try again.

Nice one, Marc.

> <?php
> $result = succeed();
> while (!$result){
>     try{
>         $result = succeed();
>     } catch (Exception $e){
>         echo $e;
>     }
> }
> echo "hell yeah";
>
> function succeed(){
>     $a = rand(1,2);
>     switch($a){
>         case 1:
>             trigger_error('fml');
>             break;
>         case 2:
>             return TRUE;
>             break;
>     }
> }
> ?>

--
/Daniel P. Brown
Network Infrastructure Manager
http://www.php.net/
[PHP] Posts that include bracket OT bracket
Hi gang:

When did the list start rejecting subject lines that contain [OT]?

Cheers,
tedd
--
http://sperling.com/
Re: [PHP] Contract Example
On May 23, 2011, at 11:29 AM, tedd wrote:

> At 10:39 AM -0400 5/23/11, Floyd Resler wrote:
>
> > I landed my first big PHP contract (yeah!) and am in need of a contract or agreement example. Does anyone have, or know of a good source for, contract/agreement examples?
> >
> > Thanks!
> > Floyd
>
> Floyd:
>
> Here's something you may want to read:
>
> http://24ways.org/2008/contract-killer
>
> While I don't recommend using this as an actual contract, it does give you an idea of what can happen and how you may want to consider protecting yourself.
>
> Cheers,
> tedd
> --
> http://sperling.com/

Excellent! Thanks! That article gives me enough information to fashion one of my own, I think.

Thanks!
Floyd
[PHP] htaccess question
How can I prevent access to all files in a directory except one with an htaccess file?

I've tried several approaches found with Googling; but, none seem to work.

e.g.,

<FilesMatch ^(makeScodeImg.php)>
Order Allow,Deny
Deny from all
</FilesMatch>

This seems to me as it should deny to all except makeScodeImg.php

Thanks
RE: [PHP] htaccess question
First turn your ReWriteEngine On. This can be done in the particular folder to allow them access to only the one file. You need to understand the conditions of mod_rewrite read below.

http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html

OR you can just use the http://cooletips.de/htaccess/ from Germany. It will take you through step by step in creating an htaccess. I might suggest you do not use the password options because that to me is not safe to use someone else's website when creating htaccess screen names and passwords.

Richard L. Buskirk

-----Original Message-----
From: Al [mailto:n...@ridersite.org]
Sent: Monday, May 23, 2011 11:53 AM
To: php-general@lists.php.net
Subject: [PHP] htaccess question

How can I prevent access to all files in a directory except one with an htaccess file?

I've tried several approaches found with Googling; but, none seem to work.

e.g.,

<FilesMatch ^(makeScodeImg.php)>
Order Allow,Deny
Deny from all
</FilesMatch>

This seems to me as it should deny to all except makeScodeImg.php

Thanks
Re: [PHP] Posts that include bracket OT bracket
On Mon, May 23, 2011 at 11:33, tedd tedd.sperl...@gmail.com wrote:

> Hi gang:
>
> When did the list start rejecting subject lines that contain [OT]?

At least several years ago. It bounces back to say that off-topic mail isn't accepted, blah, blah, blah.

--
/Daniel P. Brown
Network Infrastructure Manager
http://www.php.net/
Re: [PHP] htaccess question
On Mon, May 23, 2011 at 11:52 AM, Al n...@ridersite.org wrote:

> How can I prevent access to all files in a directory except one with an htaccess file?
>
> I've tried several approaches found with Googling; but, none seem to work.
>
> e.g.,
>
> <FilesMatch ^(makeScodeImg.php)>
> Order Allow,Deny
> Deny from all
> </FilesMatch>
>
> This seems to me as it should deny to all except makeScodeImg.php
>
> Thanks

Also don't forget to enable override on the directory, otherwise .htaccess won't be read at all...

http://httpd.apache.org/docs/2.0/mod/core.html

-- The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray
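The goal stated in this thread (refuse every file in the directory except makeScodeImg.php), written out as an added example that is not from any of the posters. It goes beyond the thread by covering both the Apache 2.0/2.2 directives and the Apache 2.4 ones, and it assumes the directory is served by Apache with .htaccess overrides enabled as noted in the comments.

```apache
# Added example, not from the thread. Only the file name makeScodeImg.php
# comes from the question; place this in the .htaccess of that directory.

# The block as posted applies its Deny only to names matching the pattern,
# so it blocks makeScodeImg.php and leaves every other file reachable:
#
#   <FilesMatch ^(makeScodeImg.php)>
#       Order Allow,Deny
#       Deny from all
#   </FilesMatch>

# Apache 2.4 and later (mod_authz_core). Needs AllowOverride AuthConfig.
<IfModule mod_authz_core.c>
    # Default for everything in this directory: refuse.
    Require all denied

    # Single exception. <Files> compares the name literally, so
    # makeScodeImg.php.bak or makeScodeImgXphp are still refused.
    <Files "makeScodeImg.php">
        Require all granted
    </Files>
</IfModule>

# Apache 2.0 / 2.2 (Order/Allow/Deny). Needs AllowOverride Limit.
<IfModule !mod_authz_core.c>
    # Deny is evaluated first and no Allow overrides it: refuse everything.
    Order Deny,Allow
    Deny from all

    <Files "makeScodeImg.php">
        Order Allow,Deny
        Allow from all
    </Files>
</IfModule>

# .htaccess rules are inherited by subdirectories, so a file with the same
# name further down the tree is served as well.
#
# If a regular expression is preferred, anchor both ends and escape the dot:
#   <FilesMatch "^makeScodeImg\.php$">
```

To check the result, request makeScodeImg.php and one other file from the directory; the first should be served and the second should return 403 Forbidden. If every file is still served, the .htaccess file is not being read (AllowOverride None).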
Re: [PHP] PHP Brainteasers 2011
At 11:29 AM -0400 5/23/11, Daniel Brown wrote:

> On Fri, May 20, 2011 at 12:55, Marc Guay m...@jkcommunications.com wrote:
>
> > I imagine this one's been done before, but maybe not in the same way
>
> I believe it was, but not quite the same, you're right.
>
> > If at first you don't succeed, try, try again.

If at first you don't succeed, eat a donut -- the urge will pass.

Cheers,
tedd
--
http://sperling.com/
RE: [PHP] Posts that include bracket OT bracket
-----Original Message-----
From: paras...@gmail.com [mailto:paras...@gmail.com] On Behalf Of Daniel Brown
Sent: Monday, May 23, 2011 11:20 AM
To: tedd
Cc: php-general@lists.php.net
Subject: Re: [PHP] Posts that include bracket OT bracket

> On Mon, May 23, 2011 at 11:33, tedd tedd.sperl...@gmail.com wrote:
>
> > Hi gang:
> >
> > When did the list start rejecting subject lines that contain [OT]?
>
> At least several years ago. It bounces back to say that off-topic mail isn't accepted, blah, blah, blah.

It's kind of silly if you ask me as it doesn't prevent anything since any mildly intelligent person will just omit the [OT] and re-submit (case in point), and it prevents other users from doing any kind of email filtering on [OT]. It's basically punishing the sender for trying to do the right thing. *sigh*
Re: [PHP] best practise accessing object's attributes from objects itself
On Mon, May 23, 2011 at 6:29 AM, Simon Hilz simon.h...@gmx.de wrote:

> i was wondering if there is any best practise known how one should access the attributes of an object from the object itself.

For most properties I use $this->property within the object because nine times out of ten no work ever needs to be done with them. Usually they are set by the constructor and optionally changed externally using a setter. As long as only the class and subclasses access properties in this manner, it's easy to change them to use an accessor later if necessary. I never access the properties directly from unrelated classes.

When a property needs to have logic applied--either during get or set--I'll use accessors even inside the class to ensure that work is done consistently and avoid repetition.

In some rare cases (testing framework) I use __get() and __set() so subclasses can use $this->property but get redirected through the accessor. This isn't possible inside the class, however, because the magic functions are only invoked when the caller cannot directly access the property.

David
RE: [PHP] observer pattern
-----Original Message-----
From: Eric Butera [mailto:eric.but...@gmail.com]
Sent: Friday, May 20, 2011 2:25 PM
To: PHP
Subject: Re: [PHP] observer pattern

> [whoops didn't hit reply-all]
>
> On Wed, May 18, 2011 at 5:18 AM, Ken Guest k...@linux.ie wrote:
>
> > Lo,
> >
> > so, I'm wondering - how many of you use the observer pattern in php; and if so, do you implement it 'standalone' or with the spl classes? Is there any particular advantage to doing it your way; whichever your way is?
> >
> > Ken
> >
> > -- http://blogs.linux.ie/kenguest/
>
> I use it quite a bit over the various projects I maintain. It allows subjects to trigger events that observers can process if they're interested, or better yet, completely ignore. This allows standardized code bases to create nice hooks that allow extensibility without needing to place one-off code inside the main project.
>
> A quick example might be on saving a record in your code, it triggers an event, then an observer in a custom site watches for said event and injects/updates a search entry in Lucene. This way one site can have a custom search engine that another site might not need.
>
> I started off with the concepts I found in http://examples.stubbles.net/docroot/events/ but created my own because I wanted something stand-alone.

Well, you (or in this case, *I*) learn something new every day. I had no idea PHP could do observers. How very Java (and neat!) Granted, it is just a design pattern, but to have the SplObserver stuff built in is pretty cool. What version of PHP is this available from? The web page doesn't say.

http://www.labelmedia.co.uk/blog/posts/php-design-patterns-observer-pattern.html
http://cormacscode.wordpress.com/2010/10/12/practical-example-php-implementation-of-the-observer-pattern/
http://www.php.net/manual/en/book.spl.php
Re: [PHP] observer pattern
On Mon, May 23, 2011 at 5:14 PM, Daevid Vincent dae...@daevid.com wrote:

> -----Original Message-----
> From: Eric Butera [mailto:eric.but...@gmail.com]
> Sent: Friday, May 20, 2011 2:25 PM
> To: PHP
> Subject: Re: [PHP] observer pattern
>
> > [whoops didn't hit reply-all]
> >
> > On Wed, May 18, 2011 at 5:18 AM, Ken Guest k...@linux.ie wrote:
> >
> > > Lo,
> > >
> > > so, I'm wondering - how many of you use the observer pattern in php; and if so, do you implement it 'standalone' or with the spl classes? Is there any particular advantage to doing it your way; whichever your way is?
> > >
> > > Ken
> > >
> > > -- http://blogs.linux.ie/kenguest/
> >
> > I use it quite a bit over the various projects I maintain. It allows subjects to trigger events that observers can process if they're interested, or better yet, completely ignore. This allows standardized code bases to create nice hooks that allow extensibility without needing to place one-off code inside the main project.
> >
> > A quick example might be on saving a record in your code, it triggers an event, then an observer in a custom site watches for said event and injects/updates a search entry in Lucene. This way one site can have a custom search engine that another site might not need.
> >
> > I started off with the concepts I found in http://examples.stubbles.net/docroot/events/ but created my own because I wanted something stand-alone.
>
> Well, you (or in this case, *I*) learn something new every day. I had no idea PHP could do observers. How very Java (and neat!) Granted, it is just a design pattern, but to have the SplObserver stuff built in is pretty cool. What version of PHP is this available from? The web page doesn't say.
>
> http://www.labelmedia.co.uk/blog/posts/php-design-patterns-observer-pattern.html
> http://cormacscode.wordpress.com/2010/10/12/practical-example-php-implementation-of-the-observer-pattern/
> http://www.php.net/manual/en/book.spl.php

Hi Daevid,

According to http://us3.php.net/manual/en/splobserver.update.php, (PHP 5 >= 5.1.0)