Re: [PHP] Some Advice
Putting your session-ID into POST will require you to POST every page, rather than GET it. And every anchor the user clicks will have to POST, not GET.

On Tue, Jun 25, 2013 at 4:32 PM, p...@nobswolf.info wrote:
> You should at least check the IP of the client additionally to have some proof it is the same client you gave the session-ID. And it is better to put the session-ID in a POST-field than in GET. So it is very unlikely someone passes a session ID around accidentally.

-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] array_map() with multiple callback functions
Something like:

    $cleanData = array_map(function($str){ return strtolower(trim($str)); }, $passedData);

-- The trouble with programmers is that you can never tell what a programmer is doing until it's too late. ~Seymour Cray

On Tue, May 7, 2013 at 4:29 PM, George Langley george.lang...@shaw.ca wrote:
> Hi all. I want to apply strtolower() AND trim() to all items in an array. But I don't see a way to call multiple callbacks with the array_map() function. Are my two choices the following:
>
>     // 1) nesting two array_map() calls
>     $cleanData = array_map('trim', array_map('strtolower', $rawData));
>
>     // 2) call my own function with array_walk()
>     $cleanData = array_walk('myCleaner', $rawData);
>     function myCleaner($passedData) {
>         $cleanData = array_map('strtolower', $passedData);
>         $cleanData = array_map('trim', $cleanData);
>     }
>     // (Of course, wouldn't bother with a function, just to call array_map twice...)
>
> Just seeing if there's a better way than having to go through the array twice to apply each callback separately. Thanks,
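The single-closure answer above generalizes to any number of callbacks. The following is an added example, not code from the thread: a hypothetical compose() helper folds the callbacks into one callable so array_map() makes one pass whatever the number of steps; trim, strtolower and preg_replace are PHP built-ins, the input array is constructed.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread): fold any number of callbacks into one callable so
// array_map() walks the input once, generalizing the single-closure answer above.
// compose() is a hypothetical helper name; trim, strtolower and preg_replace are PHP built-ins.
function compose(callable ...$callbacks): callable
{
    return static function ($value) use ($callbacks) {
        // Apply left to right: compose('trim', 'strtolower') trims first, then lowercases.
        foreach ($callbacks as $callback) {
            $value = $callback($value);
        }
        return $value;
    };
}

// Collapse internal runs of whitespace to one space (a third step the question did not need,
// included to show that any callable, not just built-in names, can be chained).
$squeeze = static function (string $s): string {
    return preg_replace('/\s+/', ' ', $s);
};

// Constructed sample input.
$rawData = ["  Hello ", "WORLD\t", " Mixed   Case  "];

// Two callbacks, one pass over the array.
$cleanData = array_map(compose('trim', 'strtolower'), $rawData);

// Three callbacks, still one pass.
$squeezedData = array_map(compose('trim', 'strtolower', $squeeze), $rawData);

var_dump($cleanData, $squeezedData);
```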
Re: [PHP] Web User Management
Hey. Depends on your customisation needs. If you need something robust and don't need anything very specific, you should be OK with Drupal, Joomla or something similar. If you are going to need a lot of complex internals that are not in these engines, you may want to try some lightweight flexible framework like CodeIgniter or Kohana.

On Jan 30, 2013 4:19 PM, Adolfo Olivera olivera.ado...@gmail.com wrote:
> Hi, I'm about to start a little project using PHP and MySQL. It involves some basic user management, like most web systems. Users would need to be able to:
> 1. Create accounts.
> 2. Update and recover passwords.
> 3. Maintain a session to operate.
> 4. Something else I might be forgetting.
> My questions are:
> 1. Is there some kind of library or framework I could utilize to save me some work?
> 2. Any thoughts, lessons learned from more senior programmers? I'm fairly new with PHP.
[PHP] Patch: Specify temp directory
Hi, some time ago I created a small patch to make it possible to specify the temp dir in php.ini. It can be found here: https://bugs.php.net/bug.php?id=60524 (my latest patch, against 5.4.3, also works for 5.4.11 and 5.5.0a3). Now I do wonder if anything will happen, or if that's it? I would really appreciate it if the patch were included, and hopefully some other people would too. Regards, ALeX.
Re: [PHP] Re: Multithreading for OOP PHP
Threading doesn't increase complexity? Spoken truly like somebody who has not had to actually write, test and debug proper, high performance threaded code. Please tell me how threading doesn't increase the complexity of any data structure?

I may agree if you talk about PHP running in CLI, but then the very choice of using PHP is arguable; if you want to thread your console apps, write them in a language that is threaded. That once again brings up the point that that is not the market that is meant to be addressed.

As far as your phone goes, again, why would you want to run even more threads? If you have 24 threads on your system, you will configure Apache to run 24 threads, each of which will serve a request in parallel, which will make your server capable of handling significant load.

As far as the PHP side goes, it's a problem of design of the apps. Just because people decided to go through hoops to use the threaded model doesn't mean that it is any faster than writing the same thing in an event driven model; the event driven way is sometimes much faster than threads. Don't blame the language, blame the poor dev who made it harder on themselves... There are plenty of big and well performing systems online that pull data from many locations on the back end and still manage to serve it to you in less than two hundredths of a second without the need for threading server side code. That's because they are designed well and implemented well as a system.

Finally, another thing to consider is how the operating systems deal with high amounts of threads, and how different architectures deal with them; while Linux is pretty good about threads, other systems have significant problems. PHP is meant to run on all of them, so you choose the model that works for all.

Lastly, I am sorry, but massively parallel architecture for general computing is still about 10 years out. That's where parallel processing design will be more efficient and beneficial. When we have that, and programmers learn massively parallel design, maybe then we will have a need for parallel PHP (pphp?). For now, there is no need, only poor design.
Re: [PHP] Re: Multithreading for OOP PHP
Hey guys (and/or gals), I have heard this question entirely too many times; I think at some point Rasmus just stopped responding to it.

The real reason that PHP is not threaded has nothing to do with PHP internal or extension thread safety. The reason is more to the extent that it doesn't make sense to add threading to PHP: it will only increase code and model complexity and create more points of failure. But again, the reason is not this; the reason is that it doesn't make sense in PHP's native environment to add threading in the first place.

Natively PHP is summoned by a web server. Yes, you can call PHP in CLI, but that's not its target market; PHP is first and foremost a server-side language for the web, and it is run by a web server such as Apache or Nginx or IIS (I wouldn't know why you would use IIS, but it could be). All of these web servers (maybe with the exception of IIS, I wouldn't know) work pretty much on the same principle: you have the main process that spawns a bunch of worker threads (this is adjustable in configuration, but is typically 1 per CPU thread). These threads are what actually process the requests and call PHP, meaning that if multiple threads are processing multiple requests, multiple instances of PHP will be called. This is why adding threading to PHP makes absolutely no sense: why would you spawn threads in something that is already being called by a thread?

Don't get me wrong, threads spawning other threads is a solution, but it is a solution on massively parallel architectures, such as the GPGPUs that can handle over a thousand threads, and it is a solution for an entirely different problem, namely costly conditional statements. PHP, on the other hand, runs on a general purpose processor that already cache thrashes and runs into issues with instruction pipelines in parallel execution; adding more threads to it would do nothing for performance (or make it worse), make for more complex code and introduce new issues, like for example how do you test threaded code, debugging, messaging, etc., which will introduce new places where PHP apps fail, new security concerns, etc., and I think we are far from having current issues fixed...

Want to parallelize your PHP execution? Learn to love curl_multi :) In this case, fix the program, not the programming language.

Just my $0.02

-- Alex
Re: [PHP] Re: Multithreading for OOP PHP
> That's all understood but there are times when that one request from the visitor requires many sub-requests like connection to DB and making SOAP calls.

I would say it's more than just "there are times"; that's how a typical script lives: it imports libraries, queries the database, and talks to other systems.

> Sure, it can be much faster, do you think, the response time for the visitor when the sub requests are done in child threads?

I am not so sure of that. Let's make it a mental exercise really quickly. So let's say we have a website, and let's say that we want to query the database and make 2 SOAP calls at the same time, so for every request we spawn 3 threads to do this. Now, of course, for every single request, if they were not concurrent, we would run faster, but what happens when we add a little load to this, say 300 requests per second (and I have built WordPress instances that do 360 on a small EC2 instance)? You have, say, 4 cores @ 1 thread/core, so your web server has 4 threads that are continuously running + 1 for dispatch, and then you have 900 threads that you now have to spawn, process, transfer execution to other threads (context switch in and out, maybe a few times) and terminate per second. The problem is that modern CPUs are not very good at doing this: you are context switching between threads, you are context switching between cores (because your network stack runs on a different core, or for any other reason), etc., which is very expensive computationally, on top of which you have to spawn new threads and then kill them. And on a, say, 4 requests per second system, you may win a few milliseconds on parallelizing your data aggregation, but any real load will see that benefit turn in a negative direction.

Curl multi is not necessarily a hack; in the context of SOAP, I can build my SOAP queries, which is always a serial process anyway, and then use curl multi to run the SOAP requests in parallel, so there, one part already solved.

Database is even easier: since you are usually using a persistent connection, you are already relying on the MySQL driver to thread your calls while maintaining a single instance of your connection (eliminating the need for three way handshakes every time you want to talk to your database, which saves you at least 3 round trips, plus auth (which is 3 more round trips and crypto on both sides)), so even there this problem is already solved for you. And if you are saying that you can run multiple parallel queries for the same PHP process, you really need to fix your database and queries first :)

> Then shouldn't that be fixed in PHP at the core rather than a hack after?

Nope, no need to needlessly complicate PHP, especially if there is no need or performance gain in doing it. There are plenty of other areas where PHP can be fixed where it does matter; I mean, have a look at a month of PHP bugs if you want to get depressed :)
Re: [PHP] Re: Multithreading for OOP PHP
You do all that in the context of a single PHP instance and linear code; calling curl_multi handles its own threading, you just get back results, you don't have to store them anywhere outside PHP memory space, and you can configure timeouts and all that stuff, or you can regulate it yourself. The database connector is already doing what it is doing and doing it darn well, and you are still in the same execution context just a few lines down: call out to DB, call out to multi for SOAP requests, handle the results, no syncing issues, no ITC issues, fast, linearly scalable.

Thread communication, sync, messaging, thread-safe storage: that is what you would be introduced to with threads, and is something that is not there now.

> Since nothing is shared, you'll need some place to store that information (i.e. memcached or DB).

No idea what you are asking about...
Re: [PHP] How to write and read serial or parallel port
On Thu, Jul 26, 2012 at 6:24 AM, Lester Caine les...@lsces.co.uk wrote:
> viper wrote:
> > is it possible to write and read data on a COM or LPT port? is there any function or class in PHP? has anyone already done something similar?
>
> Talking in and out of the serial port is not too difficult but is OS dependent, so what are you wanting to run on? Most of the time you are just copying files in and out, although one can use the control signals as simple I/O if you only need a couple of controls. Parallel port is a minefield on Windows as access is specifically blocked in XP onwards. You need a modified device driver to bypass the blocks Windows puts in. I've not tried that with PHP as I'm normally accessing the parallel port direct from other Windows programs. Linux is a lot easier, and most of the examples you will find via Google are geared towards that. It works like DOS used to :)
>
> -- Lester Caine - G8HFL - Contact - http://lsces.co.uk/wiki/?page=contact L.S.Caine Electronic Services - http://lsces.co.uk EnquirySolve - http://enquirysolve.com/ Model Engineers Digital Workshop - http://medw.co.uk Rainbow Digital Media - http://rainbowdigitalmedia.co.uk

So for serial, for example, you can just open the port up and work with it like a socket: read/write binary data. As far as the parallel port goes, trickier; you may need to call out to an external program, or write a module if you need direct interaction in PHP. The real question is why in the world would you want to use PHP for this to begin with. I mean, sure, you can write your own vfat implementation in PHP, etc., etc., but it doesn't mean that it's a good idea to do so.

-- Alex
[PHP] Dynamic open_basedir and mod_vhost_alias
Maybe anyone can point me in the right direction. I need to modify this patch http://www.phpbuilder.com/lists/php-developer-list/2000101/0994.php and replace VIRTUAL_DOCUMENT_ROOT with the real path. As described in the patch note, when using mod_vhost_alias, DOCUMENT_ROOT = PATH_TRANSLATED - SCRIPT_NAME (request_uri). But in fact this is not always true. If we used any redirection (mod_rewrite, for example), request_uri would be the modified URI. For example:

1. Without any redirects:

    url - http://project.domain.com/subdir1/test.php
    SG(request_info).path_translated = /var/www/vhosts/project/subdir1/test.php
    SG(request_info).request_uri     = /subdir1/test.php

Looks like everything is OK:

    doc_root = strncpy(real_open_basedir_path,
                       SG(request_info).path_translated,
                       strlen(SG(request_info).path_translated) - strlen(SG(request_info).request_uri));

2. With some kind of redirects:

    url - http://magento.domain.com/index.php
    SG(request_info).path_translated = /var/www/vhosts/magento/index.php
    SG(request_info).request_uri     = /index.php/install

And that is a BIG problem. So my question: could we get in PHP, maybe through the Apache API, the original URI or doc_root? So later we can replace VIRTUAL_DOCUMENT_ROOT in PG(open_basedir) with the real path?
Re: [PHP] including PHP code from another server..
Now, as the issue is addressed and the script removed, can you please explain what exactly are the issues of using such an approach? I mean security ones, not performance.

2012/3/26 Lester Caine les...@lsces.co.uk:
> Curtis Maurand wrote:
> > rsync is your friend.
>
> and is even available for windows machines ...
>
> -- Lester Caine
Re: [PHP] including PHP code from another server..
I understand what performance issues this brings, but as for security I was just a bit curious. You have just showed me what I was thinking about, but you wrote it much better, clear and structured. Thank you.

2012/3/26 Stuart Dallas stu...@3ft9.com:
> On 26 Mar 2012, at 17:41, Alex Pojarsky wrote:
> > Now, as the issue is addressed and the script removed, can you please explain what exactly are the issues of using such an approach? I mean security ones, not performance.
>
> It's the wrong solution to a process and organisation problem. Ultimately it's not really a problem IF you control every part of the infrastructure. Rene clearly doesn't, so it has implications for everyone sharing that infrastructure, and anyone using the applications hosted there.
>
> * It requires the host to enable allow_url_fopen, which means every single script on the server is then able to include/require URLs. It just needs one of them to have a related vulnerability and suddenly people can execute arbitrary PHP code on the server.
>
> * Rene mentioned that the code is open source. This implies that the security risk is lessened because the code that is being made publicly accessible is already publicly accessible, so the opportunity for someone to find vulnerabilities already exists. It gets an order of magnitude worse if other people start ignorantly using his code because they're essentially giving him the ability to execute arbitrary PHP code on their server. Not good, no matter how much he protests that he won't be evil.
>
> * You specifically wished to exclude performance from the discussion, but scalability is potentially a big issue here and should not be completely ignored.
>
> I think the real issue for Rene is that of perceived complexity. The idea of having to manually keep many copies of the same code in sync is what leads to finding solutions like this one. This solution leads to unnecessary network traffic and introduces potential security risks that go way beyond your own code, and even if it's not a big issue now it has the potential to become catastrophic!
>
> I'd put a fair amount of cash on my guess that Rene is not using any form of source control. To me that is the best solution to this problem. Curtis mentioned rsync, which will also do the job, but in my view you're nuts if you're not using some form of source control already, and building a largely automated process around that is trivial and automatically audited.
>
> Rene: please read a book / website / something on PHP security. Some things are important whether you believe they are or not.
>
> -Stuart
>
> -- Stuart Dallas 3ft9 Ltd http://3ft9.com/
Re: [PHP] basic captcha
Just a few notes on the previous responses.

Delaying with JavaScript, like validating with JavaScript, is a rather pointless endeavor. Think about it: you are putting your limiting mechanism on the hackers' computer... You can still post to your server as fast as you want.

With regards to using external APIs and slow-downs, in my experience it's because the coders of the website have no idea how browsers work; as a result they will throw in a blocking action at the top of their list and then you have to wait for Google to serve you content before you get the rest of your page.

With regards to captchas, somewhere around 80% of captcha software is easily bypassed by current OCR software, maybe another 15% would be in the "works 70-80% of the time" category, leaving only about 5% of captcha software that is hard to impossible to crack with current freely-available OCR technology. I am of the idea that if it annoys users, and still doesn't work, it's not the best of solutions.

Honeypots: they will help against some robots; as those become more advanced, honeypots like extra fields will begin to fail, especially if you put easily parsable comments to help them :P. Also doesn't do anything about people who actually read your page code.

Tokens: tokens are something that really hasn't been discussed here yet, but they can act just as well as a honeypot, actually in part just like a honeypot, and probably offer better protection. For example, consider registrations (part pseudo code):

1. You send me a request.
2. I send you back a page with a 2-part token: one in HTML, <input type="hidden" class="token" name="token" value="S0mETOk3n"/>, one in JS, $('.token').val( $('.token').val() + b64d("SOM3B64==") ), perhaps even a temp cookie or something.
3. You then fill in the form and press submit.
3.5. Submit posts the data without refreshing the whole page (increasing the level of complexity of a system needed to exploit this).
4. I send you an email and a page asking to not close out your page, and for you to go check your email.
4.5. I send you another bit of a token with my response.
5. You go and check your email and have a short bit of text to paste back into the new input on the page.
6. You paste the text and press finish.
7. I take your HTML token part, 2 JS parts and email part (6 alphanumeric characters will do fine), combine them and send them back.

Why I prefer that to a typical honeypot? One of the biggest reasons is state: you would have to maintain state through the process, you get a bit of a token every time you do something. Another one is that it uses multiple pieces that are typically available in full-fledged browsers. For the registration scenario, there is an inherent time out in email delivery, meaning that you have a built-in limit to the amount of requests anyone who has bypassed your honeypot can make.
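The server side of the two-part token from step 2, as an added example that is not from the thread and leaves out the e-mail round trip: one random half goes into the hidden input, the other is handed to the page script base64-encoded, and a submission is accepted only if the client recombined both. The function names, the 15-minute lifetime and the $session array standing in for $_SESSION are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread): the server side of the two-part token in step 2,
// minus the e-mail round trip. One half of a random token goes into the hidden input and the
// other is handed to the page script base64-encoded; a submission is accepted only if the
// client recombined both halves. $session stands in for $_SESSION so this runs from the CLI;
// the function names and the 15-minute lifetime are choices made for this example.

function issueFormToken(array &$session): array
{
    $htmlPart = bin2hex(random_bytes(8));   // value="..." of the hidden input
    $jsPart   = bin2hex(random_bytes(8));   // appended by $('.token').val(... + b64d("..."))
    $session['form_token'] = ['html' => $htmlPart, 'js' => $jsPart, 'issued' => time()];
    return ['html' => $htmlPart, 'js_b64' => base64_encode($jsPart)];
}

function verifyFormToken(array &$session, string $submitted, int $maxAgeSeconds = 900): bool
{
    $expected = $session['form_token'] ?? null;
    unset($session['form_token']);          // single use, so a replayed token fails too
    if ($expected === null || time() - $expected['issued'] > $maxAgeSeconds) {
        return false;
    }
    // Constant-time comparison against the recombined halves.
    return hash_equals($expected['html'] . $expected['js'], $submitted);
}

// Constructed walk-through. A client that only parsed the HTML submits the hidden field alone;
// a client that also ran the script submits both halves.
$session = [];

$issued = issueFormToken($session);
$htmlOnly = $issued['html'];
var_dump(verifyFormToken($session, $htmlOnly));                       // JS half missing

$issued = issueFormToken($session);
$recombined = $issued['html'] . base64_decode($issued['js_b64'], true);
var_dump(verifyFormToken($session, $recombined));                     // both halves present
var_dump(verifyFormToken($session, $recombined));                     // same token replayed
```

The e-mail part from steps 4 to 7 would be a third random fragment stored the same way and appended before the hash_equals() comparison.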
Re: [PHP] Re: sql injection protection
> question 1
> If you use the PHP filters sanitizations, and you plan on using PDO with bound params, are you absolutely safe? And if not, why? What are the other ways for them to still make it in, even with PDO and bound params properly in place? Just curious.

There are no known exploits or techniques for injecting into parameterized queries.

> question 2
> If you use the PHP filters sanitizations, and for some reason you CANNOT use PDO, what do you do against those situations where the user input is expected to be coming as a string and it's perfectly OK for it to be, say, around 1000 chars! For example, you are receiving a guest book comment. Use b64? But doesn't search capability go down the drain with b64? So we basically give up on search? Can we not come up with a solution which allows the search but yet is still safe? What do we do?

Search depends on your search; for example, if I have 1000 chars, I may not want to search on all the words, only some key words, in which case b64 doesn't mean that you can't search. Doing a full text index on a 1000 char field in a decently large database can be quite hazardous to performance... On another note, you can still insert as clear text:

    insert into foo (bar, pub) values (b64d('c2hvdHM='), b64d('YmVlcg=='))

It doesn't matter what is encoded in the b64; what matters is that it is NOT code that SQL will execute, you see what I'm saying? You can be decently secure with escaping, but again, it fails as a security solution. If you can do neither, then set the default char set on the page, database and even in PHP do a utf8_decode or something, validate, check, escape and you will be reasonably secure.

> question 3
> Is there really no way to stop the user input if the char set is not utf8? Can we not enforce the user input to be in UTF8 only and reject all input? If there is such a way, wouldn't we be better off using mysql_real_escape to allow both search and be safe? Or is there really no way to understand the incoming user input char set by PHP?

Set the default encoding on page and DB, check in PHP.

> question 4
> Do you have any white paper or any article that covers your most recommended solution against lengthy user input while you still want the search to work? You seem to know a lot and I think you should have at least an article where we people can discuss the article at the bottom? It's always useful. If you don't have one, I strongly recommend you come up with one cause I'm sure it will be useful.

I do not; however, I am thinking about talking to Rasmus, to see if maybe I can get him to see the same issue with regards to the language that I am seeing. I'll go from w/e comes out of that.
Re: [PHP] Re: sql injection protection
You don't need to store it in the database as b64, just undo the encoding into your inputs. For the purpose of the explanation, this is language independent:

    b64e - encoding function
    b64d - decoding function

Pseudo code, given:

    bad_num  = "') union select * from foo --"
    bad_str  = ""
    good_num = 123456
    good_str = "some searchable text"

The b64 way:

    bad_num  = b64e(bad_num)
    ...
    good_str = b64e(good_str)

Inserts:

    query("insert into foo (num, str) values (b64d(\"" + bad_num  + "\"), b64d(\"" + bad_str  + "\"))")
    query("insert into foo (num, str) values (b64d(\"" + good_num + "\"), b64d(\"" + good_str + "\"))")

Can you see that this will safely insert clear text into the database? This is because when you convert anything from b64, it will return from the function as a string and will not be executed as code...

Now let's try a search:

    bad_num = "1 or 2 not like 5"
    bad_str = "' or \"40oz\" like \"40oz\""

Again we:

    bad_num = b64e(bad_num)
    bad_str = b64e(bad_str)

Then we can do a full text search:

    query("select * from foo where match(str) against(b64d(\"" + bad_str + "\"))")

or even a number search:

    query("select * from foo where num = b64d(\"" + bad_num + "\")")

Again, this is possible because no matter what you put in bad_num, it will never be able to make the post-b64e bad_num look like code; it just looks like junk, until b64d converts it to a string (which by definition can not be executed). Make sense now?

By check I mean, run utf8_decode for example...

Problem is, that I can tell you how to write the most secure code, but if it's hard, or worse yet creates more problems than it solves (seemingly), nobody other than a few individuals with some passion for security will ever find the code useful. We need to fix this on the language level, then we can go around and tell programmers how to do it right. I mean, imagine telling a programmer that something that takes them 2 lines of code now can be done much more securely in 5-7, and it creates code that doesn't read linearly... Most programmers will just ignore you. I want to say, hey programmer, what you do in 2 lines of code, you can do in 1 and make it impossible to inject into; then, then people will listen, maybe... This is where inline string interpolation syntax comes in, but it is not implemented in any programming languages, sadly actually. This is what I want to talk to Rasmus about.
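The b64 trick above and the search question (question 2) both come down to keeping user input out of the SQL text. The following is an added example, not code from the thread: the concatenated query next to the PDO prepared-statement form recommended elsewhere in this thread, including a LIKE search over a long guest-book comment. It assumes the pdo_sqlite extension and uses an in-memory database; the guestbook table, rows and function names are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread): the concatenated query the thread warns about next to
// the PDO prepared-statement form, plus the long-comment search case from question 2.
// Uses an in-memory SQLite database so it runs offline; the guestbook table and rows are
// constructed for this example.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With pdo_mysql you would also set PDO::ATTR_EMULATE_PREPARES to false so the server,
// not the client library, parses the statement; pdo_sqlite prepares natively.
$db->exec('CREATE TABLE guestbook (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)');

// Constructed rows; the second body is about 1000 characters, like the comment discussed.
$longComment = str_repeat('lorem ipsum ', 90) . 'thanks for the 40oz';
$insert = $db->prepare('INSERT INTO guestbook (author, body) VALUES (:author, :body)');
$insert->execute([':author' => 'alice', ':body' => 'first post']);
$insert->execute([':author' => 'bob',   ':body' => $longComment]);

// Unsafe: the input is spliced into the SQL text, so a quote in it ends the literal and
// whatever follows is parsed as SQL (here: OR 1=1 followed by a comment marker).
function findByAuthorUnsafe(PDO $db, string $author): array
{
    $sql = "SELECT author FROM guestbook WHERE author = '$author'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the same lookup with a bound parameter; the value travels as data, never as SQL.
function findByAuthorSafe(PDO $db, string $author): array
{
    $stmt = $db->prepare('SELECT author FROM guestbook WHERE author = :author');
    $stmt->execute([':author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Search over long text works with binding too: the whole wildcard pattern is the bound value.
// Caveat: binding stops injection, not LIKE metacharacters; a '%' or '_' typed by the user
// still acts as a wildcard unless you escape it for LIKE separately.
function searchBodies(PDO $db, string $term): array
{
    $stmt = $db->prepare('SELECT author FROM guestbook WHERE body LIKE :pattern');
    $stmt->execute([':pattern' => '%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$probe = "' OR 1=1 --";   // the classic injection string, used here only as test input

var_dump(findByAuthorUnsafe($db, $probe));  // the condition collapsed to '' OR 1=1
var_dump(findByAuthorSafe($db, $probe));    // looks for an author literally named that
var_dump(searchBodies($db, '40oz'));        // keyword search inside the long comment
var_dump(searchBodies($db, $probe));        // the probe is just a pattern that matches nothing
```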
Re: [PHP] Re: sql injection protection
There is so much no; answers are inline.

> At the top of each php page which interacts with a database, just have this one liner

This has already been mentioned, but again, no: no connection if you are not actually interacting with the database.

>     $DBH = safe_connection('database_name_here'); // $DBH stands for database handle

Another no, obfuscating away the user/pass doesn't make it a safe function. Not saying there is no benefit to it, but where I would say you would benefit is from making this into a singleton object, for example...

> obviously the safe_connection is not a built-in PHP function so we have to come up with it... The idea behind this safe_connection function is this: it takes the dbname, uses it in looking up to retrieve the database username, the password, the host name, and the host type (whether the host is mysql or mssql etc.) for the specified database.

Shouldn't it also accept access type? For example, I don't want to use a user with input privileges if I am just looking stuff up in the database... Also, what year are we in? If you do this, at least make it an object so I don't need to remember what prefix I need to call...

> Then it uses all this data to establish a db connection and thus get the $DBHandle.

Yeah, with an unknown type...

> Once the $DBHandle is obtained, then mysql_real_escape_string (or the mysqli_real_escape_string version) can be used (However, the mentioned mysql_real_escape_string function here would be the right choice **only if** the hosttype is mysql!) So, that's where we use the hosttype. Microsoft SQL may require a different escaping mechanism.

Did you not read anything I wrote above? Escape=fail... use the PDO prepare and exec methods...

> Now, the question is where do we use this mysql_real_escape_string function?

You DON'T!

> Well, on the usual suspects! The dirty 5 arrays; namely _GET, _POST, _COOKIE, _REQUEST and the _SERVER. Yes, the _SERVER too. (That's due to the http_referer, remote_addr etc. spoofing.) Here is a basic example handling the _GET array!
>
>     foreach ($_GET as $k => $v) {
>         $_GET[$k] = mysql_real_escape_string($v); // this is good if host type is mysql...
>     }
>
> So, the basic idea is to clean up the entire GET array and be safe and thorough. And do this across all global arrays where a user input can possibly come from.

No, no, owies, no... you don't want to escape everything; for one thing, I can pass you anything I want to in GET or POST, including 100, or 10 8 meg files. You only use what you need out of the arrays, ignore everything else.

> So, with this one liner function, called right at the beginning of your script, you not only get a DBHandle to do your queries but also get the assurance that the userinput is safe so you can get into business instantly as follows;
>
>     $safe_firstname = $_GET['firstname'];
>
> How easy is that!

tail -n 1 | sed -i s/easy/horribly\sinefficient/

> (To keep the basic idea short, I did not get into the magic_quotes_gpc and stripslashes() matter. But I assume people reading this message know what they are and how they get used.) So, if you just focus on the basic idea, what do you say? ARE WE STILL NOT OK?

Yes, All Your Base still Are Belong To Pen-testers!

> Do we still need PDO?

If you haven't gotten it yet from my last 2 replies, YES.

> My answer to this question is ABSOLUTELY NO. But this NO is as far as the SQLInjection woes. PDO may offer other advantages warranting its use, but as far as the SQLInjection is concerned and when we know that the data has been thoroughly escaped like this, using PDO will not make it any safer.

Absolutely NOT. Did you not read my last 2 replies? Yes, PDO will make it safer, because escaping still FAILS! Another failure of your pseudo-code is that it fails to go through a data-validation cycle.

> Do we all agree on that? It's a plain YES or NO question right here.

NO

> As far as the C. Shifflet's article and Ilia's follow up post ( http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html ) is concerned, the only thing we need to worry about is whether we are working with GBK character code, Chinese character set that is. If we got nothing to do with GBK char set, then the technique I covered above will suffice and cover us safely, conveniently and effortlessly. But if you do work with GBK and you do that in your script by actually running this ( mysql_query("SET CHARACTER SET 'gbk'", $c); ), then the above technique will doom you. Then PDO is your only bet, but otherwise, we are OK.

no, no you are not...

> As far as the escaping, I know you were against that. Here is what you said about the escaping.

Oh hey, look, after many countless hours of researching the topic and testing, and talking to other people who have done similar research, and testing, and attending security conferences and writing papers for developers of ISP-grade solutions, writing frameworks and
Re: [PHP] php.net problems?
Can't get to doc at all here... -- The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Reading only RGB portion of an image, file_get_conents minus file headers etc
If you don't mind me asking, if you want performance, which is kind of essential if you are processing a large number of files, why are you doing it in PHP?
Re: [PHP] php.net problems?
Rasmus confirmed that they are having issues with php.net: You can use the sk.php.net mirror while they fix their problems, as well as docs.php.net.
Re: [PHP] Re: sql injection protection
Start off with the fact that that article is from 2006, and it's written by a programmer...

I was simply asking expert opinion with the intention to learn. There are so many docs out there (I mean not just out there but at top security sites like owasp ) that recommend database specific escape solution as one of the viable alternatives.

Escaping can work with a very specific set of circumstances, and it can be secure, however it fails as a security practice, and thus fails as a security solution.

You make it seem like anyone who does not use PDO ( for one reason or another ), and relies on the mysql_real_escape_string can be bypassed and SQL injected.

I can't tell you for sure, however any project that uses it as their sole means of sql injection protection can be exploited, yes. Just because OWASP says that it is a solution, doesn't mean that it's a good solution. Sometimes it's the only solution, yes, but it should not be the only security practice.

So you're saying the mysql_real_escape_string() isn't 100% secure either? Crikey, if that's true, then I'm willing to bet A LOT of scripts are vulnerable to this problem.

Any script that uses escaping as the sole means of protection, or doesn't do good checking, which is a lot of scripts. But i mean i hope it's no surprise, a lot of the web is vulnerable...

Is there a fix that doesn't involve prepared statements? Perhaps a function that checks for this problem, and filters it? My charset/encoding knowledge is a bit limited, so I'd very much appreciate an answer. Thanks!

Sure, i have already mentioned it... The glorious base 64 hack...

Is it really that simple? It's hard to believe that all these implementations out there that honor the recommended filter database specific escape mechanisms would *easily* be vulnerable by simply someone sending utf7, is that what you are saying?

A lot are... likewise UTF16, and even UTF8 can often be an issue.

The issue with escaping is knowing what characters are bad, if you think you can escape a ' - tick and be safe, think again, in utf there are dozens if not hundreds of characters that can represent a tick in various circumstances. Again escaping fails as a security practice. Yes it can work and make your code uninjectable, but it still fails as a solution, even if secure...
Re: [PHP] Reading only RGB portion of an image, file_get_conents minus file headers etc
Have you done image processing? In my experience, with image generation, photography and processing, typically you are bound by resources when processing large amounts of files more than by your connection, or sometimes even disk io.

On Mon, Jan 23, 2012 at 7:51 PM, Robert Cummings rob...@interjinn.com wrote:
On 12-01-23 01:32 PM, Alex Nikitin wrote: If you don't mind me asking, if you want performance, which is kind of essential if you are processing a large number of files, why are you doing it in PHP?
Hi Alex, If you're processing a large number of files, the bottleneck could just as likely be the hard drive read/write and not so much PHP. And what's a large number of files? 50? 100? 1000? 100? Remember, PHP internal functions are usually wrappers around compiled C code... the shuffling around in the PHP engine itself can be quite tiny. Cheers, Rob.
Re: [PHP] Reading only RGB portion of an image, file_get_conents minus file headers etc
Absolutely agreed. A part of what i was asking deals with what he is actually doing...

On Mon, Jan 23, 2012 at 9:37 PM, Robert Cummings rob...@interjinn.com wrote:
On 12-01-23 09:29 PM, Alex Nikitin wrote: Have you done image processing? In my experience, with image generation, photography and processing, typically you are bound by resources when processing large amount of files than your connection, or sometimes even disk io.
It really depends on what you're doing with images, if it's intensive processing that's already implemented in the gd or imagick library to which you can just punt, then how much overhead do you think PHP is really going to add since these are C implemented libraries? Sure, if you are manipulating pixels one by one within your PHP code you may be running into resource issues, but for scaling images, or cropping, or even clipping and overlaying... you're not usually doing a whole lot within PHP itself. The love is happening in the C code in these cases. This is why when working with these libs you get a resource handle and not a string. The resource handle almost certainly maps to a native GD or imagick structure. Cheers, Rob.
Re: [PHP] if http_referer is not reliable then how do we ...
Captchas can't hold off any decently smart robots, anyone doing their research can find at least 3 tools that will defeat various captchas. For example pwntcha is one, Dan Kaminsky did a talk at black hat and defcon 16 on pwning audio captchas (and a lot of even good ones will offer audio as an option), bottom line is captchas don't really hold off determined robots.

As far as referrer goes, yes it can be easily spoofed, no there is no really built-in way to test it, yes the script can still be made pretty secure. But here are two ways i can think of to help prevent bots from taking over your email script (ideally use them together):

Tokenize your URL, build a token based on the http_referrer amongst other things, just make sure you use something that would identify a normal user consistently, and say only allow one token say 5 emails a day. When referrer and token don't match, don't send an email. Use a strong hash algorithm, like sha to generate the token, and salt it, and add a something at every level. For example, use http_referrer for user piece, some random string of 32 characters hard coded into your script, and if you touch a DB, something you pull when you validate the email, from your db (not the email itself, something randomly generated when that email was added). This way, having even 2 bits of information, you still can't reverse the hashes. Note to not use a random value, you want a consistent hash that you can check.

Set a timeout for your script, that is pause your server side script for 10 seconds before sending an email, and pop back a confirmation before actually sending the email after that (use a session to make sure they are not bypassing that bit). This forces any script to confirm their action, meaning they will have to execute for at least 10 seconds, meaning that they can only send 10 emails a minute, and for anyone who wants to do mass spamming with your script, that's unacceptable.

By the way, don't set this time in JS, set an ajax request that actually needs data that gets pulled from the server to continue (like a secret random password stored in the session), just a simple time-out won't solve the issue. Both used together should provide for a good way to stop any useful spamming done with your script. ~ Alex
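A server-side version of the two measures described above (a keyed token tied to stable request attributes with a daily cap, plus a delayed confirmation step backed by the session), as an added example rather than code from the post. It departs from the post in one detail: instead of sleeping the worker for 10 seconds it stores a not-before timestamp in the session, which enforces the same minimum spacing without holding a PHP process. FORM_SECRET, the per-address secret, and the $store and $session arrays are assumptions; in practice the counter lives in a database or cache and $session is $_SESSION.

```php
<?php
// Added example (not from the mailing-list post): contact-form anti-abuse guard.
// Assumptions: FORM_SECRET is a random string kept outside the web root, the
// per-address secret comes from your own table, and $store / $session stand in
// for a persistent counter bucket and $_SESSION.

declare(strict_types=1);

const FORM_SECRET = 'replace-with-output-of-bin2hex(random_bytes(32))'; // assumption
const DAILY_LIMIT = 5;              // emails per token per day, as in the post
const CONFIRM_DELAY_SECONDS = 10;   // minimum time between request and confirmation

// Deterministic token: the same referrer and per-address secret always yield the
// same value, so it can be re-derived and compared, but it cannot be produced
// without FORM_SECRET because it is an HMAC rather than a plain salted hash.
function buildToken(string $referrer, string $recordSecret): string
{
    return hash_hmac('sha256', $referrer . "\0" . $recordSecret, FORM_SECRET);
}

function tokenMatches(string $presented, string $referrer, string $recordSecret): bool
{
    return hash_equals(buildToken($referrer, $recordSecret), $presented);
}

// Count sends per token per UTC day; false once the cap is exceeded.
function underDailyLimit(array &$store, string $token, int $now): bool
{
    $key = $token . ':' . intdiv($now, 86400);
    $store[$key] = ($store[$key] ?? 0) + 1;
    return $store[$key] <= DAILY_LIMIT;
}

// Step 1: remember a pending send with a fresh nonce and the earliest allowed confirmation time.
function beginSend(array &$session, int $now): string
{
    $nonce = bin2hex(random_bytes(16));
    $session['pending'] = ['nonce' => $nonce, 'not_before' => $now + CONFIRM_DELAY_SECONDS];
    return $nonce;   // returned in the AJAX response; the client must echo it back
}

// Step 2: accept the confirmation only if it echoes the nonce and arrives after the delay.
function confirmSend(array &$session, string $nonce, int $now): bool
{
    $pending = $session['pending'] ?? null;
    unset($session['pending']);   // single use, whatever the outcome
    return $pending !== null
        && $now >= $pending['not_before']
        && hash_equals($pending['nonce'], $nonce);
}

// Walk-through with constructed values standing in for a real request and session.
$session = [];
$store = [];
$referrer = 'https://www.example.com/contact';     // normally $_SERVER['HTTP_REFERER'] ?? ''
$recordSecret = 'random-value-stored-with-the-address';
$token = buildToken($referrer, $recordSecret);

$nonce = beginSend($session, time());                 // first request
$later = time() + CONFIRM_DELAY_SECONDS;              // the confirming request, 10 s on
$allowed = tokenMatches($token, $referrer, $recordSecret)
        && underDailyLimit($store, $token, $later)
        && confirmSend($session, $nonce, $later);
var_dump($allowed);
```

The nonce is what makes the JS-side timer irrelevant: a client cannot confirm without a value it only receives from the server, and the server will not honour it before the delay has elapsed or more than once.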
Re: [PHP] Re: sql injection protection
Haluk, don't listen to Ross, escaping fails, it was and is a bad solution to an old and still largely unresolved problem. The problem is and has been that of language interoperability, and we have been and continue failing at making a good way for languages to talk to each other, but because this is so needed, especially on the web, where you blink and you are in another language; php, css, html, throw in some javascript, and here is some SQL, oh i need some python, now let's throw in some C, but none of these languages talk to each other, so we have had to make it work and we do it with strings... This is why we have SQL injection and XSS, and the only, i will repeat that, the ONLY way to fix this issue is to have a clear way to say from language to language that this is a programmer string, run it, and this is user input, don't run it.

The only right solution is to pass your code as code and the user input as user input, this way you are guaranteed that no execution of user input is possible via usual SQL injection or XSS means. Of course you still need to check and sanitize your input, there are still typical issues, buffer and heap overflows, etc, but simple inclusion of some special character and user input code that just gets run just like programmer code is simply not possible.

Escaping is a bad and many times failed attempt at saying that it's ok to pass user input as code, we just escape the characters we think are bad, to tell the interpreter not to execute them as it normally would. But what does it mean to be a character? Well back when all these languages were designed there was ASCII, and life was easy, now, however we have utf7, utf8, utf16, with tens of thousands of characters, many of which are the same symbol. Oh and they morph, if you don't know what best-fit matching is, look it up, but at the end of the day, if you think that you know what characters you need to escape, you are wrong, i'm sorry. This is why in javascript there are 3 escape functions: escape, escapeURI and escapeURIComponent. Which roughly translate to we failed, we failed again and we failed the third time.

So in short, no, mysqli_real_escape_string is not a good solution to SQL injection, PDO (as far as i can tell, though i haven't pored over the code yet) or prepared statements, are. And neither negate the need to check your input, as other, more traditional exploits would still be possible (potentially)

Oh Haluk, drop the idea of occurrences of words, it may stop someone who is just testing your code for fun, someone determined to get in will still do plenty of bad with whatever words you allow, and you have to allow certain words for your queries to run ;)

Anyways, hopefully this is something for you guys to think about and hopefully enough to stop suggesting escaping as a viable option to stop any sort of simple code injection... ~ Alex
Re: [PHP] OOP problems
I'm not sure I've understood you correctly, but you may try something like the following primitive autoloader (I didn't debug it, it's just an example):

    class Base {
        protected $_path = '';

        public function __construct($base_path) {
            $this->_path = $base_path;
        }

        public function __get($name) {
            $requested_path = $this->_path . DIRECTORY_SEPARATOR . $name;
            if (is_dir($requested_path)) {
                return new Base($requested_path);
            } else if (is_file($requested_path . '.php')) {
                include ($requested_path . '.php');
                $classname = ucfirst($name);
                return new $classname();
            }
        }
    }

    // Assuming you have Mysql class in /home/user/project/classes/db/mysql.php
    // you may try
    $base = new Base('/home/user/project/classes/');
    $base->db->mysql->someFunctionOfMysqlClass();

2011/12/15 Dominik Halvoník dominik.halvo...@gmail.com:
Hello, I would like to ask you for help. These days I am trying to build one of my applications. But I have a problem which stopped me. I have a folder with php files like connect.php, delete.php etc. These files contain classes named the same as the files. So in file connect.php is class Connect. These files are placed in a folder named mysql and this folder is inside a folder named db. In folder db is a php file named mysql.php, in this file I include classes from folder mysql, after include I declare class MySQL and in it I have method __construct(). In this method I create dynamic objects from the included classes. And this is the problem that I can not solve, I have more than one of these files (mysql.php [with class MySQL], oracle.php [with class Oracle] etc.) and I need to include them in a file called db.php that is in the main folder of my app. In db.php is a class called db, how can I add classes MySQL, Oracle etc. to class db? I tried to use an abstract class with __set and __get methods but I also need to include class db in the main class application. I am really sorry for my English, so please be indulgent.

So I need to connect classes like this: application->db->mysql->connect, but I can not use extends because in php you can have only one parent class. The reason why I am trying to do something like this is because I want to call methods like this:

    $test = new application();
    $test->db->connect();

If it is mysql or other database I set in config.php file. I need to achieve this schema (-> is something like ../, it means that it is one level up folder):

connect.php (class Connect MySql) -> select.php (class Select MySql) -> -> mysql.php (class MySQL include all classes, Connect...) -> -> ... -> -> db.php (class db include all classes, MySQL, Oracle..)
connect.php (class Connect Oracle) -> select.php (class Select Oracle) -> -> oracle.php (class Oracle include all classes, Connect...) -> -> ... ->
download.php (class Download) -> unzip.php (class Unzip) -> -> files.php (class Files include all classes, Download...) -> file.php (class file include class Files) -> ... ->
hash.php (class Hash) -> capcha.php (class Capcha) -> -> secure.php (class Secure include all classes, Hash...) -> security.php (class security include class Secure) -> ... -> etc. etc. etc.

And in the end, in the same folder as db.php and security.php I will have file application.php which will contain class application and in its __construct() method I will link classes db, security, file etc. So I will just include file application.php, make an object from class application and then just do $object->db->connect() (of course whether it will be MySql or another database will be stored in some config.php file). Thanks, Dominik
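The reply's property-chain idea with the file lookup hardened, as an added example that is not the reply's code. Each property name becomes part of an include path, so the segment is restricted to a plain identifier and the resolved path is checked to stay under the class root; a name such as .. or a stream wrapper can then never pull in a file from elsewhere, and the object cannot be handed a property name that came from a request without that name being rejected. It needs PHP 8 for str_starts_with; the directory layout is the one in the question, and the Node class name is an assumption.

```php
<?php
// Added example, not the code from the reply above. Assumes PHP 8 and the
// directory layout from the question (/home/user/project/classes/db/mysql.php
// defining class Mysql); the class name Node is made up for this example.

declare(strict_types=1);

final class Node
{
    private string $root;   // canonical base directory; lookups never leave it
    private string $path;   // canonical current directory

    public function __construct(string $root, ?string $path = null)
    {
        $real = realpath($root);
        if ($real === false || !is_dir($real)) {
            throw new RuntimeException("class root not found: $root");
        }
        $this->root = $real;
        $this->path = $path ?? $real;
    }

    public function __get(string $name): object
    {
        // Only plain identifiers: no "..", slashes, NUL bytes or "phar://"-style prefixes.
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException("bad segment: $name");
        }
        $prefix = $this->root . DIRECTORY_SEPARATOR;

        // A sub-directory becomes the next Node in the chain.
        $dir = realpath($this->path . DIRECTORY_SEPARATOR . $name);
        if ($dir !== false && is_dir($dir) && str_starts_with($dir, $prefix)) {
            return new Node($this->root, $dir);
        }

        // A file name.php under the confined path is loaded and its class instantiated.
        $file = realpath($this->path . DIRECTORY_SEPARATOR . $name . '.php');
        if ($file !== false && is_file($file) && str_starts_with($file, $prefix)) {
            require_once $file;
            $class = ucfirst($name);
            if (!class_exists($class, false)) {   // no autoload: the file itself must define it
                throw new RuntimeException("$file does not define class $class");
            }
            return new $class();
        }

        throw new RuntimeException("no directory or class file for $name under {$this->path}");
    }
}

// Usage, assuming /home/user/project/classes/db/mysql.php defines class Mysql:
$app = new Node('/home/user/project/classes');
$db  = $app->db->mysql;   // Node for .../db, then new Mysql()
```

The identifier check alone already blocks traversal; the realpath confinement is kept so that a symlink placed inside the class tree cannot redirect a lookup outside it either.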
[PHP] Re: PHP Download Of Application Question?
I am looking for a way to download a C based application binary, from an Apache / PHP server, via a client side Web Browser, and execute it seamlessly on the client side PC without storing it permanently on the client side hard disk drive. Temporary storage would be ok. I know this can be done because I have observed it in operation in various applications. This concept allows an authorized customer to have the use of an application via the web without being able to keep or share the application binary. I am open to other approaches beyond Apache and PHP. So any ideas out there? Thanks for the help Thomas Dineen

That sounds like the kind of thing Java Web Start does. There's lots on Google about it. http://download.oracle.com/javase/6/docs/technotes/guides/javaws/ -Alex
Re: [PHP] Stop PHP execution on client connection closed
On Wed, Sep 14, 2011 at 4:04 AM, Marco Lanzotti ma...@lanzotti.com wrote:
On 13/09/2011 20:58, Alex Nikitin wrote: Correction on Marco's post. You can absolutely stop a mysql query
I know I can stop a query, but I don't know how to realize the HTTP client has closed the connection during query execution. My query counts how many records match selected fields in a 50M records table. Any query field is indexed and innodb uses 20GB of RAM to store data and indexes, but some queries take about 30 seconds to run. When the user changes filters and asks for a new count, the old queries continue to run using DB resources unnecessarily. Bye, Marco

Marco, I ran queries on a table that had 12M rows added to it each month with a year+ worth of data going back, pulling 80-90 thousand records with over a dozen columns on an older dual dual core box with 8gb ram (so 6 for MySQL) joining multiple tables for various criteria, matching on various values with query execution in a second range (depending on load, from under a second, to under 2 seconds). I think, and i am not trying to sound like a pompous buffoon or to put anyone down or say that you or anyone here don't know what they are talking about or anything like that, but i think that you should first look into how you can optimize your database and your query, as well as maybe the access to this information (volume of information that you are presenting vs getting, also how you filter it, etc). Sometimes it's a very simple thing that can make or break query execution time, and it's not immediately apparent.

I was once tasked to fix a process in which about 2-300 queries were run against the database in periodic ajax calls, they took about a 1/4 second to execute for each query. This of course means that the refresh took almost a minute to run, which was getting very annoying, so i glimpsed over the queries and the tables at hand and 5 minutes later issued 2 queries, one to delete a useless index that was created for the main table, and another to create a new index on the database that reduced the execution time of those queries from 1/4 sec for each to 1.4 or 1.6 sec for all 2-300. And most of that time was actually caused by the network lag for the 2-300 queries, since they were individually executed from php, i wanted to reduce that whole thing to one query, but wasn't allowed to. Other times it's a lot more complex, and sometimes blowing a query up from something simple or straightforward to something more complex can yield similar increases in performance, this of course has to be with thorough understanding of how the database works.

Perhaps if I, or we can understand your application a little better, we could suggest better solutions, just remember that you are not the first person to have to solve these similar issues. I can help you if you want, glimpse over your database design and queries for a fresh look, i have fairly extensive php (and many other languages) programming experience, as well as database design and administration, system development and administration, optimization, security, caching (many other things, that don't directly pertain to this) though we should probably keep it off the list. - Alex
Re: [PHP] Querying a database for 50 users' information: 50 queries or a WHERE array?
You can use a limit with a nested select, you just can't use it in some cases, like inside an IN statement, but something like this should work:

    SELECT id, data, etc
    FROM table
    JOIN (SELECT special_id AS id FROM special_table ORDER BY special_id LIMIT 0, 1000) AS table2 USING (id)

Note: syntax may not be valid, but should be fairly straightforward to fix, have no time to play with it though...

On Wed, Sep 14, 2011 at 4:12 AM, Dotan Cohen dotanco...@gmail.com wrote:
On Wed, Sep 14, 2011 at 06:05, chetan rane chetan.d.r...@gmail.com wrote: Hi, There are 2 problems with subselect 1. You can't use a limit on the nested select 2. If the number of elements in the in clause exceeds the subselect buffer you will run into performance issues and eventually your query will be doomed. Inner joins in, this is the best option for this. You can use a temp table for this
Thanks Chetan. I will keep that in mind if I ever get around to learning about subselects. Have a great day! -- Dotan Cohen http://gibberish.co.il http://what-is-what.com
Re: [PHP] Querying a database for 50 users' information: 50 queries or a WHERE array?
<rant from="tired of constantly having to explain it, developer">

MySQL real escape string doesn't work, it's a bad solution to the problem that has been with the internets since the very beginning, and if people program like they are taught to by books, doesn't look like it's going away any time soon. The problem of course is that various programming languages don't know how to talk to other languages, and we as devs see no better way to do this than concatenate strings. Basically this is the core reason why XSS and SQL injection is rampant on the interwebs.

Escaping only seems like it's a good idea to you, but if you analyze what it does and compare it to today's technology, you quickly realize how wrong of a concept it actually is. Escaping looks for certain characters, and if found escapes them in some form. The problem here is that rather than, say, defining all safe characters, it defines what the developers believe to be bad characters, and the effect that you get is not dissimilar to creating a firewall rule set where the bottom rule is accept all, as long as my character doesn't match what they thought was a bad character, it is allowed. This was fine in the days of ASCII, but the tubes are hardly ASCII anymore, with Unicode, UTF-16, i have 1,112,064 code points, they are not even called characters anymore, because they really aren't. And if you are familiar with best-fit mapping, you would know that there are now dozens of characters that can represent any single symbol in ASCII, meaning that using the above type of blocking mechanisms is silly and technically insecure.

Another problem with it is the fact that security-wise this again is a bad solution from another perspective. A programmer comes in, and starts debugging code, the first thing they always seem to do is to turn off the security and comment out the escape line, and you know what happens, the bug gets found and fixed completely elsewhere, but the security never gets re-enabled. This is called failing open, and it again goes with the concept above where the escape in itself fails open as well.

So if you look into the problem at the core, what you have are two types of code, code that you know is good, and crap data that you have to somehow make safe. So you know how you do it in the same language? Right, you assign that data to a storage container called a variable, and the interpreter knows that this data here, i execute, and that data there i use as data and don't execute. Well what happens when you add another language into the mix? Well language a passes known good code that it string concatenates to bad code, and what you get as a result is the second language parser thinking hey, all of this stuff is good code, let me execute it!... This is why a stringent delimiter between known good and not good data needs to be portrayed to the second language.

How do we do it with SQL? There are a few ways, one of the more common ones is to use a prepared statement, this clearly separates the code from the data for the SQL interpreter on the other side. This works really well, with one HUGE down-side, it can be a REAL pain in the butt to use, the more complex your query gets, the more pain in the butt it is to use prepared statements.

Another way, and this works for mostly any language is to use an in-common function that jumbles the known-bad data on one end, and unjumbles it as data on the other. For example base64. It works extremely well, you take any data on the PHP side, base 64 encode it, and send it to SQL or JS or whatever. You can string concatenate the b64'd data, because you know what b64'd data looks like? Yep, data, it's not JS, it's not SQL, bunch of garbled junk. You can then use b64decode on that data, and by the design of the function the result will be just that, data. So with this you keep the code/data separation even with string concatenation...

Base 64 performs really well, and is well worth the few extra cycles for the above-mentioned guaranteed code/data separation barrier, it's easy to implement. More importantly, this by default fails closed. You would have to disable at least 4 security points and change 2 queries to disable this (and if you are using a stored procedure this is even harder), and that's beyond what you want to do during troubleshooting usually, and if you disable one point, your application fails to work all together and it fails closed. Moreover you can make this completely transparent to your devs by changing your data access libraries (for SQL, or Ajax functions for JS for example). They can pass in crap data, and the first thing your data access library does before doing anything else is it encodes the data into a bunch of gibberish... And when they pull the data back, your library gets the data and unencodes it. The devs don't have to worry about SQL injection, you don't have to worry about their competence, you win ;)

</rant>

sources: Dan Kaminsky - HOPE keynote -
Re: [PHP] Dereferencing an array.
it's only marginally faster, but it does look a bit cleaner, and is a bit more memory efficient:

    $records[] = unserialize(serialize($boundParams));

On Wed, Sep 14, 2011 at 6:36 PM, Richard Quadling rquadl...@gmail.com wrote:
Hi. Based upon ...

    <?php
    $name = Null;
    $age = Null;
    $boundParams = array('name' => &$name, 'age' => &$age);
    $records = array();
    $name = 'Richard';
    $age = 43;
    $records[] = $boundParams;
    $name = 'Sally';
    $age = 37;
    $records[] = $boundParams;
    print_r($records);
    ?>

outputs Sally twice. Whilst that is the correct output based upon the code, it is undesired. I want the boundParams to have the references (the actual data from my mysqli_stmt::fetch() with bound results), but I want to be able to copy the values and not maintain the references. The best I've come up with is ...

    <?php
    $name = Null;
    $age = Null;
    $boundParams = array('name' => &$name, 'age' => &$age);
    $records = array();
    $columns = array_keys($boundParams);
    $name = 'Richard';
    $age = 43;
    //$records[] = $boundParams;
    $records[] = array_combine($columns, array_map(function($m_Value){return $m_Value;}, $boundParams));
    $name = 'Sally';
    $age = 37;
    //$records[] = $boundParams;
    $records[] = array_combine($columns, array_map(function($m_Value){return $m_Value;}, $boundParams));
    print_r($records);
    ?>

Is there a more efficient way? -- Richard Quadling Twitter : EE : Zend : PHPDoc @RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea
Re: [PHP] Querying a database for 50 users' information: 50 queries or a WHERE array?
On Tue, Sep 13, 2011 at 2:06 PM, Steve Staples sstap...@mnsi.net wrote:
On Tue, 2011-09-13 at 09:48 -0700, David Harkness wrote: On Tue, Sep 13, 2011 at 7:29 AM, Ashley Sheridan a...@ashleysheridan.co.uk wrote: SELECT * FROM table WHERE userID IN (1,2,3,4,5,etc)
+1. And this is a great place to use implode(): $sql = 'select ... where userID in (' . implode(',', $ids) . ')'; David
I mentioned that implode earlier, but there is also the underlying question (which I also asked earlier)... how is he getting the 50 id's to populate? here are 2 other ways of skinning the cat:

using an inner join:

    select table.* from table inner join othertable on (table.userid = othertable.userid) where (use the way you're getting the 50 id's here);

OR by using a subselect:

    select * from table where userid IN (select userid FROM othertable where (using logic here));

guess it all depends on how you want to do it... but that would make it 1 db query good luck! -- Steve Staples Web Application Developer

And this will be faster or at least more efficient with a limit (e.g. limit 50) this way when you have found the 50 users in the in statement, you don't continue iterating through the rest of your data set...
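Building the IN (...) list for a variable number of ids without implode() over raw request data, as an added example that is not code from the thread. Every id is validated as a positive integer, one positional placeholder is generated per id, and the values are bound, so the query text never contains request data; this is the data-validation step the escaping threads above keep asking for, combined with parameter binding. The users table and userID column are placeholders.

```php
<?php
// Added example, not code from the thread. Assumes PDO with the MySQL driver;
// table and column names are placeholders.

declare(strict_types=1);

/**
 * Keep only positive integer ids, de-duplicate them, and cap the count.
 * Rejects "", "4.2", "-7", "42 OR 1=1", "abc" and anything long enough to
 * overflow an int; accepts 42 and "42".
 */
function cleanIds(array $raw, int $max = 50): array
{
    $ids = [];
    foreach ($raw as $v) {
        if (is_string($v) && ctype_digit($v) && strlen($v) <= 18) {
            $v = (int) $v;
        }
        if (is_int($v) && $v > 0) {
            $ids[$v] = true;   // array key doubles as the de-duplication set
        }
    }
    $ids = array_keys($ids);
    if ($ids === [] || count($ids) > $max) {
        throw new InvalidArgumentException("expected between 1 and $max ids");
    }
    return $ids;
}

/** "SELECT ... WHERE userID IN (?,?,?)" with exactly as many placeholders as ids. */
function buildInQuery(array $ids): string
{
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    return 'SELECT userID, name FROM users WHERE userID IN (' . $placeholders . ')';
}

function fetchUsers(PDO $pdo, array $rawIds): array
{
    $ids = cleanIds($rawIds);
    $stmt = $pdo->prepare(buildInQuery($ids));
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);   // positional placeholders are 1-based
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: a duplicate, an injection attempt, a negative and a word
// are all dropped by cleanIds() before any SQL is built.
print_r(cleanIds(['1', '2', '2', '3 OR 1=1', -7, 'abc']));
echo buildInQuery([1, 2]), PHP_EOL;

// $pdo = new PDO('mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', 'app_user', 'placeholder');
// print_r(fetchUsers($pdo, $_GET['ids'] ?? []));
```

The cap in cleanIds() is the practical counterpart of the LIMIT suggested above: the list length is bounded before the statement is built, so a request cannot submit thousands of ids and turn a lookup into a full scan.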
Re: [PHP] Stop PHP execution on client connection closed
On Tue, Sep 13, 2011 at 11:44 AM, Jim Lucas li...@cmsws.com wrote:
On 9/12/2011 7:40 AM, Marco Lanzotti wrote: Hi all, I'm new in the list and I already have a question for you. I'm running a heavy query on my DB in a PHP script called by AJAX. Because the client often aborts the AJAX connection to ask a new query, I need to stop the query because the DB will be too loaded. When the AJAX connection is aborted, the PHP script doesn't stop until it sends some output to the client, so I need to wait for query execution to know the client aborted the connection. How can I abort the query (or script) when the AJAX connection is aborted? Thank you, Marco
You cannot stop a DB query. What this means is PHP will not be able to do anything else until the db has finished its step and handed data back to the processing script. At that point, you can check to see if the connection is still active and take appropriate action. Jim Lucas

Correction on Marco's post. You can absolutely stop a mysql query, it is done with a large amount of success at Facebook for example, where they have very strict query execution rules, e.g. if your query takes too long to run, it is killed. However unless you are dealing with enormous data sets, or very very slow mysql server, this is not worth the tremendous amount of trouble you would have to go through. And if you are dealing with enormous data sets or slow servers, it would be far more beneficial to address those issues than to implement the query killing thing. MySQL commands in question are:

    SHOW PROCESSLIST;
    KILL [thread];

You can also hook into it if you really wanted to with some C through the API, but again, it is far more trouble than most people need, and problems often lie elsewhere (for example inefficient query or bad database design or matching on non-indexed cols etc...)

A query that ties together 3 tables and pulls 80-90k rows @10 columns shouldn't take more than 0.25 sec to execute, maybe a second for the whole operation from connect to result, if your mysql server is one hop away (i.e. they are on the same switch), the tcp handshake can take up to 100ms, plus you need to get the process list, traverse it for your query, and send a kill command. I'm going to guess that the kill process will take longer to connect, list, parse and kill, than it will take the query to finish and return data... What is your data set like, what are you trying to accomplish by this other than complicating your code? Also yes, AJAX is your friend (avoid pulling large or any data sets if you can), as well as some query and database optimization, and caching ;)
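One way to put the SHOW PROCESSLIST / KILL idea above into practice from PHP, as an added example that is not code from the thread. It runs the expensive statement asynchronously on one connection and, if no result arrives within a deadline, issues KILL QUERY for that connection's thread id from a second connection, so only the statement is interrupted and both connections stay usable; no process-list traversal is needed because the thread id is already known. It assumes mysqlnd (required for MYSQLI_ASYNC), a second connection under the same MySQL account (killing another account's thread needs SUPER, or CONNECTION_ADMIN on MySQL 8), and placeholder connection details and table names.

```php
<?php
// Added example, not code from the thread. Assumes mysqli built on mysqlnd and
// two connections to the same server under the same account; the host,
// credentials and the events table are placeholders.

declare(strict_types=1);

/**
 * Run $sql on $worker. If it has not produced a result within $timeoutSeconds,
 * terminate just that statement with KILL QUERY (not KILL CONNECTION) via
 * $killer. Returns the result set, or null when the statement was killed.
 */
function runWithDeadline(mysqli $worker, mysqli $killer, string $sql, int $timeoutSeconds): ?mysqli_result
{
    // Hand the statement to the server without blocking this process.
    $worker->query($sql, MYSQLI_ASYNC);

    $deadline = time() + $timeoutSeconds;
    do {
        // poll() rewrites these arrays, so they are rebuilt on every iteration.
        $read = $error = $reject = [$worker];
        // Wait at most one second for an answer, then re-check the deadline.
        $ready = mysqli::poll($read, $error, $reject, 1);
        if ($ready > 0) {
            $result = $worker->reap_async_query();
            return $result instanceof mysqli_result ? $result : null;
        }
    } while (time() < $deadline);

    // Deadline passed: interrupt the statement running on the worker's thread.
    $killer->query('KILL QUERY ' . (int) $worker->thread_id);
    // Collect the interrupted statement's outcome (an error, "query execution
    // was interrupted") so the worker connection is clean for the next query.
    $worker->reap_async_query();
    return null;
}

// Usage with placeholder connection details and a constructed query.
mysqli_report(MYSQLI_REPORT_OFF);   // handle outcomes via return values in this example
$worker = new mysqli('127.0.0.1', 'app_user', 'placeholder-password', 'app');
$killer = new mysqli('127.0.0.1', 'app_user', 'placeholder-password', 'app');

$result = runWithDeadline($worker, $killer, 'SELECT COUNT(*) AS n FROM events WHERE status = 1', 5);
if ($result === null) {
    echo "count query exceeded 5 s and was killed\n";
} else {
    print_r($result->fetch_assoc());
}
```

PHP only notices that the browser went away when it tries to write to it, so connection_aborted() cannot fire in the middle of a blocking query; a server-side deadline is the control you can actually enforce, and it also caps the damage from a client that deliberately fires expensive requests. MySQL 5.7.8 and later can impose the same bound without a second connection through the MAX_EXECUTION_TIME optimizer hint on the SELECT.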
Re: [PHP] PHP FPM and OCI crashes
On Tue, Sep 13, 2011 at 10:40 AM, linuxsupport lin.supp...@gmail.com wrote:
> I enabled debug in the log and found this in the log file:
>
>     [13-Sep-2011 17:03:19.966801] DEBUG: pid 16974, fpm_got_signal(), line 76: received SIGCHLD
>     [13-Sep-2011 17:03:19.966832] WARNING: pid 16974, fpm_children_bury(), line 252: [pool www] child 16992 exited on signal 11 (SIGSEGV) after 58.213448 seconds from start
>     [13-Sep-2011 17:03:19.967678] NOTICE: pid 16974, fpm_children_make(), line 404: [pool www] child 16996 started
>
> Can anyone suggest how to fix this?
>
> On Tue, Sep 13, 2011 at 5:41 PM, linuxsupport lin.supp...@gmail.com wrote:
>> Could you please tell me how to use GDB here?
>>
>> On Tue, Sep 13, 2011 at 4:07 PM, Negin Nickparsa nickpa...@gmail.com wrote:
>>> use gdb

Regarding gdb backtrace: https://bugs.php.net/bugs-generating-backtrace.php
Re: [PHP] Stop PHP execution on client connection closed
Absolutely, it was only a minor correction of a sub-point.

On Tue, Sep 13, 2011 at 3:20 PM, Jim Lucas li...@cmsws.com wrote:
> On 9/13/2011 11:58 AM, Alex Nikitin wrote:
>> [...]
>
> My statement still stands. What this means is PHP will not be able to do anything else until the db has finished its step and handed data back to the processing script.
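One way to keep the script responsive while MySQL is still working, as an added example that is not code from anyone in the thread: issue the query asynchronously, poll it with a short timeout, and use the idle time to send a heartbeat byte so that a client abort becomes visible to connection_aborted(); the running statement is then cancelled with KILL QUERY on a second connection. It assumes mysqlnd (required for MYSQLI_ASYNC), a MySQL account allowed to KILL its own threads, and a web server that really flushes output; host, credentials and the query are placeholders.

```php
<?php
// Added example, not the thread's code. Assumes mysqlnd and PHP 7+.
ignore_user_abort(true);   // keep running after the abort so the cleanup below happens
set_time_limit(0);

// Placeholder connection details and a stand-in for the heavy report query.
$dsn = ['db.example.invalid', 'app', 'placeholder-password', 'appdb'];
$sql = 'SELECT /* heavy report */ SLEEP(30)';

$worker = new mysqli(...$dsn);
$worker->query($sql, MYSQLI_ASYNC);   // returns at once; MySQL keeps executing
$threadId = $worker->thread_id;       // connection id that KILL QUERY needs

header('Content-Type: text/plain');
header('X-Accel-Buffering: no');      // ask nginx not to buffer the heartbeat

$result = null;
while (true) {
    // mysqli_poll() rewrites these arrays, so rebuild them each iteration.
    $read = $error = $reject = [$worker];
    $ready = mysqli_poll($read, $error, $reject, 1);   // wait at most 1 second
    if ($ready > 0) {
        $result = $worker->reap_async_query();
        break;
    }

    // Nothing ready yet: emit a heartbeat. connection_aborted() only becomes
    // true after PHP has tried to write to a socket the client already closed.
    echo ' ';
    flush();
    if (connection_aborted()) {
        // The worker connection is busy with the query, so kill from a second one.
        $killer = new mysqli(...$dsn);
        $killer->query('KILL QUERY ' . (int) $threadId);   // statement only, not the session
        $killer->close();
        $worker->close();
        exit;
    }
}

if ($result instanceof mysqli_result) {
    // Leading heartbeat spaces are whitespace, which JSON parsers ignore.
    echo json_encode($result->fetch_all(MYSQLI_ASSOC));
}
$worker->close();
```

Output buffering in PHP or gzip at the proxy can swallow the heartbeat, in which case the abort is only noticed after the final flush, which is the behaviour described in the thread.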
Re: [PHP] Querying a database for 50 users' information: 50 queries or a WHERE array?
On Tue, Sep 13, 2011 at 3:45 PM, Dotan Cohen dotanco...@gmail.com wrote:
> On Tue, Sep 13, 2011 at 21:34, Alex Nikitin niks...@gmail.com wrote:
>> And this will be faster, or at least more efficient, with a limit (e.g. LIMIT 50); this way, when you have found the 50 users in the IN statement, you don't continue iterating through the rest of your data set...
>
> The number is never exactly 50 but rather some arbitrary large number. But there is no need for LIMIT, that is the purpose of the _INNER_ JOIN. INNER means to only return the matching rows.
>
> --
> Dotan Cohen
> http://gibberish.co.il
> http://what-is-what.com

Dotan,

IN (the function used in all of the queries above) is not the same as an INNER JOIN. An inner join joins 2 tables, as you have already described; IN, however, is a function that returns 1 if the value being searched for is in the array of its values, or 0 if it is not. Thus IN is not an inner join but a comparator function, and if you are using IN, LIMIT will indeed be more efficient than its omission, for exactly the reason I stated in my previous post. Because your user array seems to be in PHP, and implode has been a topic of discussion above as well, setting an adequate limit is a simple task with PHP's count function.

This is all of course void if the user array is being pulled from MySQL, in which case you could simply join the two tables to get your resulting data set. The trick there is to use the USING clause, which seems to run a lot faster than any ON clause, or to work on an optimized subselect, especially if you are running a cluster.
Re: [PHP] What would you like to see in most in a text editor?
+1 on terminal.

For GUI-based ones, I like to be able to syntax check my code and run it from within the editor window; tabs for the dozens of files I usually have open at once; highlighting that supports many languages, as I can be working on many at once (PHP, CSS, JS, Ruby, Python, C, Lua, SQL, for the ones I have open in Geany atm); shortcuts are essential for things like find or replace in a selected area or what have you; regex support in search; and something that can be themed with white on black.

For web-based ones, I never want to have to physically press anything to save my work, and I expect it to be within a few words if I just closed the browser and came back. It can't use any more resources than a usual web page and has to be responsive. For other features to think about: a built-in version control system, the ability to sync with GitHub or really any cvs/svn/git repo, a diff tool integrated into the editor, collaboration.

Essential 1: utmost security. If they pwn your servers, they should not be able to have my data. This means that some part of what I pass to you in my credentials needs to not even reside on your servers (for example, you can use the salted hash to check my password, but the clear-text version is still needed to decrypt that user's data store), and for the ultra paranoid, I should be able to further protect my data store with another password, the hash for which you don't store, but rather store the md5 of the hash.

Essential 2: reliability. I would like to be in an N+N+1 where the service and my data are both highly available, without performance degradation when one of the services/servers goes kablewey (technical term).

Enjoy.

On Tue, Sep 13, 2011 at 4:35 PM, Robert Cummings rob...@interjinn.com wrote:
> On 11-09-13 03:56 PM, Brad Huskins wrote:
>> Hello all you PHP coders out there,
>>
>> I'm doing an Open Source text editor (just a hobby) that's designed for PHP developers and is accessible through the web. This has been stewing for a while, and has gotten to the point where I can use it for my own work. I would like any feedback on things that people really like/dislike about their current editors, as I believe some of these things could be resolved in mine.
>>
>> I currently have username/password protection (with salted-hash passwords), a file-system browser, file loading/saving, and syntax highlighting -- and these things seem to work reasonably well. As well, most things about the editor are scriptable with JavaScript. This would seem to imply that in a few weeks I would have something useful. So I would like to get some feedback on what features people would most want, since I am still at a very flexible stage in development.
>>
>> If you would like to see what I have, you can go to un1tware.wordpress.com. You can also peruse the code at github.com/bhus/scriptr. In particular, the README on github gives a little bit better rationale for why something like this might be useful, and how things are currently structured.
>
> I'm a big fan of editors that work in the terminal.
>
> Cheers,
> Rob.
>
> --
> E-Mail Disclaimer: Information contained in this message and any attached documents is considered confidential and legally protected. This message is intended solely for the addressee(s). Disclosure, copying, and distribution are prohibited unless authorized.
Re: [PHP] Opening Multiple Files
On Wed, Sep 7, 2011 at 10:21 AM, Ron Piggott ron.pigg...@actsministries.org wrote:
> Hi Everyone
>
> I am trying to load an HTML book into MySQL. The book was distributed with each chapter being its own HTML file. The only way I know how to open a file is by specifying the file name. Such as:
>
>     $myFile = "B01C001.htm";
>     $lines = file($myFile);
>     foreach ($lines as $line_num => $theData) {
>
> Is there a way PHP will open each file in the directory ending in ".htm", one file at a time, without me specifying the file name? When the file is open I need the FOREACH (above) to parse the content, which ends with an "INSERT INTO" for a MySQL table.
>
> Thank you in advance for any help you are able to give me.
>
> Ron
>
> The Verse of the Day
> "Encouragement from God's Word"
> http://www.TheVerseOfTheDay.info

The opendir/closedir and readdir/rewinddir functions come to mind; you can easily iterate through the files in a directory that way...
Re: [PHP] dev to production server
If you have to ask these questions, I don't think you should be the person to do it, I'm sorry. I wouldn't recommend doing it on a Mac, or even on one single box; I wouldn't recommend doing it on non-server hardware. In fact, most of the time I would recommend you just buy already pre-setup servers so that all you have to do is set up your database, upload your application and be done with it. A VPS or a dedicated box will serve the purpose quite nicely, depending on your needs.

It's not rocket science, but building a production server requires some know-how and a bit of experience. You need to know each component to configure it well, you need to know the OS, you need to secure it, and you may need to tweak it to perform better; you need to know your application to maximize the performance of all of the components, and you need to be up to date on current trends and technology to, again, maximize your throughput. You need to know systems and you need to think solutions, unless you really don't care, but that's how you end up with a 5 rps website that's about as secure as a taped cardboard box.

In fact, in my practice, I took a poorly implemented box that could only serve 5 rps at 128M memory usage (and climbing) and 100% CPU utilization, and got it to serve 340 rps using 14MB memory with no visible CPU load (like sub-2% spikes) and with no code modifications; and I could take it farther, in fact I did on the testing server, where I got it to over 600 rps, but I only had 4 hours to find, tweak and test before pushing to production and I wasn't allowed to tweak the bone-stock OS or build anything (held true for the 600+ mark)... Some day I wanna take the smallest EC2 instance and see how far I can really push it, though the people I did the above for found it pretty impressive that they could click on any page on the site (it was a social media experiment and so parts were constantly updated) and have it loaded instantly, even when I was pounding on the server...

Anyways, not trying to stroke my ego by any means, or tell you that you shouldn't do it; in fact you should do it, it's a lot of fun and a great perplexing headache for a while. All I'm trying to say is that you should think about either buying a production environment, or you should really start learning yourself some advanced OS and lots of layer 7...

Just my $.02

On Wed, Sep 7, 2011 at 12:24 AM, Chris Stinemetz chrisstinem...@gmail.com wrote:
> Does anyone have a procedure or know of any tutorials that explain how to take a mac/apache/php/mysql dev environment and convert it to a production environment? Basically I want to host my own web site on my local machine now that I have finished developing it.
>
> Thanks in advance!
RE: [PHP] Struggling with MySQL query
It would be easier and faster to convert your string to lower case than to perform the upper operation on every entry in the database. Also, just to point it out, your code is very vulnerable to SQL injection. But the suggestion is right: dump the query to make sure it's correct, and check for MySQL errors post query execution. Also num results is helpful :)

On Aug 9, 2011 10:22 AM, Dajka Tamas vi...@vipernet.hu wrote:
> Why not try this:
>
>     $q = "SELECT * FROM news_items WHERE upper('headline') LIKE '%" . $find . "%'";
>     echo $q;
>     $data = mysql_query($q);
>     ...
>
> And try running the echoed query in phpMyAdmin, etc.
>
> Cheers,
>
> Tamas
>
> -----Original Message-----
> From: David Green [mailto:simp...@gmail.com]
> Sent: Tuesday, August 09, 2011 4:14 PM
> To: php-general@lists.php.net
> Subject: [PHP] Struggling with MySQL query
>
> Hi
>
> I have a simple form which uses the post method to get to my page script results.php. In results.php I have
>
>     $find = $_POST["find"]; // this works perfectly, echo $find gives me the search term as entered
>
> I then connect to MySQL and select the db successfully. After that, I have the following:
>
>     $find = strtoupper($find);
>     $find = strip_tags($find);
>     $find = trim($find);
>     $data = mysql_query("SELECT * FROM news_items WHERE upper('headline') LIKE '%$find%'");
>     while ($result = mysql_fetch_array($data)) {
>         // etc
>
> I get no error messages, but no results to work with either. It returns a "no results" message that I put in further on in the script. A casual look at the db shows that I should be getting results. I'm pretty sure that the problem is in the query, but for the life of me I can't see the problem.
>
> Kind regards
> David
Re: [PHP] Struggling with MySQL query
Sorry, but escaping doesn't protect against MySQL injection either; it is not a good answer, nor does it really work. It's an effort, yes, buuut in the Unicode world we pretty much have the ability to override what it means to be a character through best-guess matching, etc., iiit just doesn't quite work. Either pass data and code on different paths (i.e. prepared statements) or set up b64 encrypt and decrypt modules in MySQL and wrap your vars in that, i.e.:

    "select * from somewhere where `foo`=b64d('" . $b64_foo . "') ..." etc.

Please refer any question about why escaping doesn't work to a talk that Dan Kaminsky gave at the HOPE conference; I'd rather not have to restate it, and it's an excellent talk...

On Aug 9, 2011 4:21 PM, Ashley Sheridan a...@ashleysheridan.co.uk wrote:
> David Green simp...@gmail.com wrote:
>> Thank you all for the various suggestions. It now works with this:
>>
>>     $find = strip_tags($find);
>>     $find = trim($find);
>>     $data = mysql_query("SELECT * FROM news_items WHERE headline LIKE '%$find%'");
>>
>> Another newb question: does strip_tags() help at all in preventing SQL injection attacks?
>>
>> Kind regards
>> David
>
> strip_tags() doesn't prevent against SQL injection. At best, it can protect slightly against XSS attacks. Use mysql_real_escape_string() for SQL injection.
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
>
> --
> Sent from my Android phone with K-9 Mail. Please excuse my brevity.
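The search from this thread, rewritten with the data and the code on separate paths as the reply above recommends. This is an added example, not code from any poster; it uses mysqli instead of the old mysql_* functions, assumes mysqlnd (for get_result()) and a connection in $db to a news_items table with a headline column.

```php
<?php
// Added example, not the thread's code. Assumes mysqli with mysqlnd, PHP 7+.

// Before: the query text and the user's input are glued into one string, so a
// quote in $find changes the SQL itself. strip_tags() and trim() do nothing
// about that; they only touch HTML and whitespace.
function searchUnsafe(mysqli $db, string $find): array
{
    $find = trim(strip_tags($find));
    $rows = $db->query("SELECT * FROM news_items WHERE headline LIKE '%$find%'");
    return $rows->fetch_all(MYSQLI_ASSOC);
}

// After: the SQL is fixed at prepare time and $find travels separately as a bound
// parameter, so the server only ever compares it, never parses it. LIKE has its
// own metacharacters (% and _); those are escaped as well, otherwise a search
// for "%" matches every row. MySQL's default LIKE escape character is backslash.
function searchSafe(mysqli $db, string $find): array
{
    $find    = trim($find);
    $pattern = '%' . addcslashes($find, '%_\\') . '%';   // e.g. 50% -> %50\%%

    $stmt = $db->prepare('SELECT * FROM news_items WHERE headline LIKE ?');
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Case: with a case-insensitive collation (MySQL's default) no upper()/strtoupper()
// is needed; if the column uses a binary collation, compare LOWER(headline) to a
// lower-cased pattern rather than upper-casing every row.
```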
Re: [PHP] Login with Remember me Feature
On Sun, Aug 7, 2011 at 10:03 PM, Donovan Brooke li...@euca.us wrote:
> alekto wrote:
>> Hi, I have implemented a remember me feature in my login-script, but I can't get it to function!
>
> If I might be so bold... then you haven't implemented the feature yet, right? ;-)
>
>> I want to make it possible for the users to stay logged in for 30 days. This is what I got this far:
>
> You have a logic problem... If I were you, I would write it out more simplistically first... something like:
>
>     if session cookie
>         keep logged in
>     else, if remember me
>         if verifiable
>             set session cookie and redirect
>
> Of course, that is not an example of the exact logic to use, and is just a method example of how you can solve your problem.
>
> As others have suggested, I would first start reading about ob_start, ob_end_clean (which works well before a header redirect), and ob_end_flush.
>
> I agree about only needing to store the user ID in your cookies (session and rememberme) (hashed perhaps), and not the password.
>
> My last comment would be a kind request to strip out all unnecessary html etc.. when posting questions to the list. I usually would not take the time to look through a mess like that. ;-)
>
> Donovan
>
> --
> D Brooke

I'm going to play the third side of this thread and ask if anyone other than me sees any clear security issues with code like that. Even if the username and password were taken out of the cookie, and it was hashed in the DB, there is still a security issue with thinking this way, which in today's world should not be an overlooked practice. And I mean, I see that the person here is a newbie, the code looks pretty bad, but I think it's worth mentioning that looking at best security practices for the situation is as trivial as figuring out your classes and methods.

Knowing how to prevent people like, well, even me, from running SQL scripts from your website via forms, or stealing user sessions, is essential in today's web world... You're writing some client-facing code; maybe you should look at how to write it and keep the client secure? You could at least add session and request tokens to make the persistent sessions at least a bit more secure; that's of course on top of hashing passwords (with a salt), and not storing user names and passwords in the cookie.

Also, escaping doesn't work. If you don't believe me, listen to the keynote that Dan Kaminsky gave at the last HOPE conference; he gives a good overview of why... Please either use parameterized queries, or the awesome hack that is base 64; don't assume that just because the function is called mysql_real_escape_string, it actually knows what it is doing. Unicode is a powerful weapon in the wrong hands!

Also use === for string comparison, as 42 == test!

~Alex
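A persistent login built the way the reply above argues for, as an added example (not the original poster's script nor anyone else's code here): the cookie carries a random selector and validator rather than a user name or password, the database keeps only a hash of the validator, the comparison is strict and constant-time, and a used token is rotated. It assumes PHP 7.3+ (setcookie options array), HTTPS, a PDO handle $pdo and a table remember_tokens(selector, validator_hash, user_id, expires); all of those names are this example's own.

```php
<?php
// Added example, not the thread's code. Assumes PHP 7.3+, HTTPS and PDO.
const REMEMBER_DAYS = 30;

function issueRememberToken(PDO $pdo, int $userId): void
{
    $selector  = bin2hex(random_bytes(9));    // lookup key, not secret
    $validator = bin2hex(random_bytes(32));   // secret; only its hash is stored
    $expires   = time() + REMEMBER_DAYS * 86400;

    // The validator is 256 bits of randomness, so an unsalted SHA-256 is enough:
    // a leaked table gives an attacker nothing to guess against.
    $stmt = $pdo->prepare(
        'INSERT INTO remember_tokens (selector, validator_hash, user_id, expires)
         VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $expires]);

    setcookie('remember', $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,     // never sent over plain HTTP
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Returns the user id when the cookie is valid, otherwise null. A token that
// validates is deleted and replaced, so a stolen cookie works at most once.
function checkRememberToken(PDO $pdo): ?int
{
    $raw = $_COOKIE['remember'] ?? '';
    if (substr_count($raw, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $raw, 2);

    $stmt = $pdo->prepare(
        'SELECT validator_hash, user_id, expires FROM remember_tokens WHERE selector = ?'
    );
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires'] < time()) {
        return null;
    }

    // hash_equals() is strict (===) and constant-time; == on strings is neither.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }

    $pdo->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    issueRememberToken($pdo, (int) $row['user_id']);   // rotate on every use
    return (int) $row['user_id'];
}

// The "if session cookie / else if remember me" logic from the thread.
function resumeSession(PDO $pdo): void
{
    session_start();
    if (!isset($_SESSION['uid'])) {
        $uid = checkRememberToken($pdo);
        if ($uid !== null) {
            session_regenerate_id(true);   // fresh session id on privilege change
            $_SESSION['uid'] = $uid;
        }
    }
}
```

Logging out should delete the row for the cookie's selector as well as the session, otherwise the token outlives the session it was meant to restore.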
Re: [PHP] Studying mcrypt
On Thu, Aug 4, 2011 at 10:31 AM, Donovan Brooke li...@euca.us wrote:
> Alex Nikitin wrote:
>> [snip]
>> Also you shouldn't actually encrypt passwords; the proper way to store them is hashed, so that if someone grabs your database, they don't have your passwords, even if they have the key.
>
> Hello, since this thread is about studying mcrypt...
>
> In another language, for a top-security-with-the-ability-to-retrieve-data situation, I use a method that stores an encrypted key, but then also, the entire pages are encrypted as well, with a separate utility, where I only know the key. Think of it as compiling your software, only it is not compiling, it's encrypting, and it's then able to run as if it were compiled. The end result is that the key to any encrypted sensitive info does not reside on the server, it resides with me on my local system... thus the passwords are safely encrypted, yet I can retrieve them manually.
>
> I don't know that PHP has the ability to run in compiled or encrypted form.. does it? If not, I guess a 1-way, non-key encryption would be the only way to be absolutely secure with saved data in PHP (such as a hash).
>
> Donovan
>
> --
> D Brooke

You can have multiple ways to encrypt data and store it pretty securely. For example, I had a system that would encrypt passwords for other services and store them in the database along with an IV; the key was hard-coded into the application and the salt came from the user and was never stored. This way, even if someone got my database and code, which would be a feat not for the faint of heart, they still won't be able to get the data decrypted...

What makes your local system any less vulnerable a point than your server? If anything, it's more vulnerable and failure-prone, so unless I'm not getting something, that seems like a poor design decision (I'm sorry).

There is code obfuscation for PHP, and you can compile it into C++ with HipHop for PHP, for example...
Re: [PHP] Studying mcrypt
On Thu, Aug 4, 2011 at 12:23 PM, Donovan Brooke li...@euca.us wrote:
> Alex Nikitin wrote:
>> [snip]
>> There is code obfuscation for PHP, and you can compile it into C++ with HipHop for PHP, for example...
>> [snip]
>
> Of course, obfuscation is never a great security solution. Compiling it into C++ is interesting... the question would be if the code could be de-compiled.. if so, then probably not a great solution either.
>
> Donovan
>
> --
> D Brooke

It's never a good idea to store all your keys in code; that is why we have an IV, and a salt that you can use... Neither is program encryption, since I can dump it in its executing form out of memory fairly easily; this is why hard drive encryption without a controller that does crypto off the main system is fairly pointless...
Re: [PHP] Studying mcrypt
Yes, since it's trying to represent in characters some purely binary data, it is not unlikely that you will get VERY weird characters (and you do). Also, you shouldn't actually encrypt passwords; the proper way to store them is hashed, so that if someone grabs your database, they don't have your passwords, even if they have the key.

Best way to check is to decrypt it and verify...

On Wed, Aug 3, 2011 at 12:40 PM, Andre Polykanine an...@oire.org wrote:
> Hello Php,
>
> It's my first time I use mcrypt. I've done everything like it's written in the PHP manuals, here is the code:
>
>     <?php
>     $d = mcrypt_module_open("rijndael-256", "", "ofb", "");
>     $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($d), MCRYPT_DEV_RANDOM);
>     $ks = mcrypt_enc_get_key_size($d);
>     $key = substr(md5("Secret key"), 0, $ks);
>     mcrypt_generic_init($d, $key, $iv);
>     $cpass = mcrypt_generic($d, $_POST['opass']);
>     mcrypt_generic_deinit($d);
>     mcrypt_module_close($d);
>     ?>
>
> And here's what I get:
>
>     Original password: asdfasdfasdf
>     Encrypted password: Q� j�*
>
> Question: Is it normal to have such strange characters in the encrypted string?
>
> I'm hosted at http://godaddy.com/, shared hosting, if it does matter.
>
> Thanks!
>
> --
> With best regards from Ukraine,
> Andre
> Skype: Francophile
> Twitter: http://twitter.com/m_elensule
> Facebook: http://facebook.com/menelion
Re: [PHP] Studying mcrypt
I have a neat class you can play with...

On Wed, Aug 3, 2011 at 2:27 PM, Alex Nikitin niks...@gmail.com wrote:
> [...]
Re: [PHP] Studying mcrypt
On Wed, Aug 3, 2011 at 3:08 PM, Ashley Sheridan a...@ashleysheridan.co.uk wrote:
> On Wed, 2011-08-03 at 22:02 +0300, Andre Polykanine wrote:
>> Hello Alex,
>>
>> Thanks for the tip. I'm not storing it in the database (you see, it's asdfasdf and the key string is secret key), I'm just studying mcrypt's possibilities :-).
>>
>> --
>> With best regards from Ukraine,
>> Andre
>> Skype: Francophile
>> My blog: http://oire.org/menelion (mostly in Russian)
>> Twitter: http://twitter.com/m_elensule
>> Facebook: http://facebook.com/menelion
>>
>> ----- Original message -----
>> From: Alex Nikitin niks...@gmail.com
>> To: Andre Polykanine
>> Date created: , 9:27:42 PM
>> Subject: [PHP] Studying mcrypt
>>
>> [...]
>
> Please don't top-post :)
>
> You can use base64_encode() on it to convert it into something that's printable and storable in the DB without having to resort to a binary blob
>
> --
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk

Isn't that a bit counterproductive though, storing it in binary? Purely storage-related: say we are storing a 128-byte result of encryption. Storing it in a varbinary would mean that you would use up 128+1 bytes of storage, whereas if you were to base64 encode it, the data length would be 170 or so bytes, +1 byte, or 171 bytes... 42 bytes difference...

This was a crypto class I wrote for something; I can't even recall exactly what project it was for. It is making its way into the framework, but for now I've changed it to be normal again. Hopefully it should be pretty straightforward: http://pastebin.com/TFn468dM
Re: [PHP] Studying mcrypt
On Wed, Aug 3, 2011 at 4:05 PM, Ashley Sheridan a...@ashleysheridan.co.uk wrote:
On Wed, 2011-08-03 at 15:35 -0400, Alex Nikitin wrote:
On Wed, Aug 3, 2011 at 3:08 PM, Ashley Sheridan a...@ashleysheridan.co.uk wrote:
On Wed, 2011-08-03 at 22:02 +0300, Andre Polykanine wrote:

Hello Alex,
Thanks for the tip. I'm not storing it in the database (you see, it's "asdfasdf" and the key string is "Secret key"), I'm just studying mcrypt's possibilities :-).
-- With best regards from Ukraine, Andre
Skype: Francophile
My blog: http://oire.org/menelion (mostly in Russian)
Twitter: http://twitter.com/m_elensule
Facebook: http://facebook.com/menelion

Original message
From: Alex Nikitin niks...@gmail.com
To: Andre Polykanine
Date created: , 9:27:42 PM
Subject: [PHP] Studying mcrypt

Yes, since it's trying to represent in characters some purely binary data, it is not unlikely that you will get VERY weird characters (and you do). Also you shouldn't actually encrypt passwords; the proper way to store them is hashed, so that if someone grabs your database, they don't have your passwords, even if they have the key. Best way to check is to decrypt it and verify...
-- The trouble with programmers is that you can never tell what a programmer is doing until it's too late. ~Seymour Cray

On Wed, Aug 3, 2011 at 12:40 PM, Andre Polykanine an...@oire.org wrote:
Hello Php,
It's my first time I use mcrypt. I've done everything like it's written in the php manuals, here is the code:

    <?php
    // note: the mcrypt extension is deprecated since PHP 7.1 and was removed from core in PHP 7.2
    $d = mcrypt_module_open('rijndael-256', '', 'ofb', '');
    // random IV of the size the cipher/mode requires
    $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($d), MCRYPT_DEV_RANDOM);
    $ks = mcrypt_enc_get_key_size($d);
    // key: hex digits of md5('Secret key'), truncated to the key size the cipher reports
    $key = substr(md5('Secret key'), 0, $ks);
    mcrypt_generic_init($d, $key, $iv);
    $cpass = mcrypt_generic($d, $_POST['opass']);
    mcrypt_generic_deinit($d);
    mcrypt_module_close($d);
    ?>

And here's what I get:
Original password: asdfasdfasdf
Encrypted password: Q� j�*
Question: Is it normal to have such strange characters in the encrypted string?
I'm hosted at http://godaddy.com/, shared hosting, if it does matter.
Thanks!
-- With best regards from Ukraine, Andre
Skype: Francophile
Twitter: http://twitter.com/m_elensule
Facebook: http://facebook.com/menelion
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php

Please don't top-post :)
You can use base64_encode() on it to convert it into something that's printable and storable in the DB without having to resort to a binary blob.
-- Thanks, Ash
http://www.ashleysheridan.co.uk

Isn't that a bit counterproductive though, storing it in binary? Purely storage-related: say we are storing a 128-byte result of encryption. Storing it in a varbin would mean that you would use up 128+1 bytes of storage, whereas if you were to base64 encode it, data length would be 170 or so bytes, +1 byte or 171 bytes... 42 bytes difference...
This was a crypto class I wrote for something, I can't even recall exactly what project it was for; it is making its way into the framework, but for now, I've changed it to be normal again. Hopefully it should be pretty straightforward: http://pastebin.com/TFn468dM
-- The trouble with programmers is that you can never tell what a programmer is doing until it's too late. ~Seymour Cray

The beauty of encoding something into base64 is that you can then easily move that data around to systems that can't handle binary. You can pass a base64 image down to the browser to display, without requiring a second script to create the image used in the img tag. Javascript can manipulate base64 data, making it an alternative to json where json won't work. Command line environments won't be able to deal with binary arguments, but base64 is fine. It all depends on what you want to do with it at the end of the day.
-- Thanks, Ash
http://www.ashleysheridan.co.uk

That's why I prefaced it with "purely storage-related".
base64 is awesome, I use it as a hack to get around xss and sql injection, it works beautifully :)
-- The trouble with programmers is that you can never tell what a programmer is doing until it's too late. ~Seymour Cray
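An added example (not code from the thread, nor from Alex's pastebin class): the same "encrypt a value and store it as printable text" task done with the OpenSSL extension instead of mcrypt, with the raw ciphertext base64-encoded for storage as Ash suggests. The key derivation, salt and plaintext are constructed for the demo; the last lines show that base64 round-trips bytes unchanged, which is what makes it a transport encoding and not a filter for SQL or HTML.

```php
<?php
// Added example: AES-256-GCM via ext/openssl, base64 for storage.
// Assumed names (encrypt_for_storage, decrypt_from_storage) are this
// example's own, not from the thread.

function encrypt_for_storage(string $plaintext, string $key): string {
    // 32-byte key; 12-byte nonce that must be unique per encryption under this key
    $iv  = random_bytes(12);
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // store iv || tag || ciphertext; base64 makes it safe for a VARCHAR column,
    // a URL or a JSON body at the ~33% size cost discussed above
    return base64_encode($iv . $tag . $ct);
}

function decrypt_from_storage(string $encoded, string $key): string {
    $raw = base64_decode($encoded, true);          // strict mode rejects junk
    if ($raw === false || strlen($raw) < 12 + 16) {
        throw new RuntimeException('malformed ciphertext');
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        // wrong key or modified data: the GCM tag check failed
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}

// Derive the 32-byte key from a passphrase with PBKDF2 rather than md5()
// truncated to the key size; the salt is constructed here and would be
// stored next to the data in real use.
$key = hash_pbkdf2('sha256', 'Secret key', 'constructed-salt', 100000, 32, true);

$stored = encrypt_for_storage('asdfasdfasdf', $key);
echo $stored, "\n";                               // printable base64, different every run
echo decrypt_from_storage($stored, $key), "\n";  // asdfasdfasdf

// base64 is reversible: decoding returns exactly the bytes that went in,
// so it neutralises nothing for SQL or HTML on its own.
$payload = "<script>alert(1)</script>' OR 1=1--";
var_dump(base64_decode(base64_encode($payload)) === $payload);  // bool(true)
```

Tampering with any byte of `$stored` (or using a different key) makes `decrypt_from_storage()` throw, which is the integrity check OFB mode in the original snippet does not provide.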
Re: [PHP] Phone numbers....
There are databases with area codes for the first 3, so you only have to generate 1 million. Why do you need to store all of them again? On Jul 31, 2011 4:06 PM, Jason Pruim li...@pruimphotography.com wrote: No I'm not looking for your phone number... Or for the guy/girl whose number you thought you got last night at the bar but turned out to be the information number... I'm working on a project for a client that I need to represent all the possible phone numbers in the US and Canada... Which thankfully use the same format (10 digits) but if my math and searching are correct... I'm looking at a possibility of 10 BILLION possible numbers... I can think of a way to program the insert of all 10 billion possible entries, but not really formatted properly... Does any one have a database that they could send me like that? :) Or any tips on phone numbers? Thanks again! :) Jason Pruim li...@pruimphotography.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Membership site
Just as a word of caution to everyone on this list, the mcrypt version of blowfish (which is implemented by php) (in linux) has an 8-bit bug in it, and thus should not be used for hashing passwords even as backup. Basically if you use a character such as say a British pound in your password, blowfish with php will generate a wrong hash and allow for some extensive collisions. For example a hash for "ac" followed by a pound or euro or any of those extended chars (that are present on European keyboards and such) and a hash for just that char would be the same! If you want I can show you with some demo code. But until fixed, don't use blowfish with php on linux at least, if you can.

On Jul 28, 2011 5:14 AM, John Black s...@network-technologies.org wrote:
I would like to add some info about storing the password hash in the database. I recently tested how quickly one can brute force a simple md5('foo') hash with a modern GPU. The results have been truly eye-opening. I have been able to break hundreds of hashes with my ATI 6870 in a couple of days. Even with passwords in the 8 char length range ... and even salted ones.
The problem is that md5 is optimized for speed. Which is nice if you want to hash a file but it offers an attacker the option to brute force your password. The solution is to hash multiple times and if possible using a different hashing algorithm. http://php.net/crypt can help you here.
I wrote a new password class for my own projects which will use crypt() with sha512, sha256, blowfish if available or fall back to a 3000 round md5(). This approach makes it impractical to bruteforce the hash because every single test will have to run md5() 3000 times before it can validate a single hash. This also adds a delay to the login process but the hash is only checked once.
The code is released under the BSD license so you may use it in a commercial application as well. The zip contains the class file and two sample pages demonstrating how to use the class.
Here is a download link, let me know if you like it or have any questions. http://www.2shared.com/file/kocAJ2HO/class_password.html md5: 4ee41496a9d1bc147e5025699e2b764e class_password.zip
-- John
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
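An added example, not John's class and not code from the thread: the slow, salted hashing John describes done with PHP's built-in password_* API (PHP 5.5 and later), which wraps crypt()'s bcrypt implementation. It emits the `$2y$` prefix that PHP 5.3.7 introduced together with the fix for the high-bit-character bug Alex warns about, so on a current PHP the caution no longer applies. The function names and the sample password are this example's own.

```php
<?php
// Added example: bcrypt password storage with password_hash()/password_verify().
// Caveat: bcrypt only looks at the first 72 bytes of the password.

function hash_password(string $password, int $cost = 12): string {
    // a fresh random 16-byte salt is generated on every call
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    if ($hash === false) {
        throw new RuntimeException('password_hash failed');
    }
    return $hash;
}

function verify_password(string $password, string $hash): bool {
    // password_verify re-derives the hash with the stored salt and cost and
    // compares in constant time
    return password_verify($password, $hash);
}

function hash_needs_upgrade(string $hash, int $cost = 12): bool {
    // true when the stored hash uses an older algorithm or a lower cost than
    // current policy; rehash after the next successful login
    return password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Find the smallest cost at which one hash takes at least $target_seconds on
// this host, which is the "delay per login" John mentions, tuned per machine.
function calibrate_cost(float $target_seconds = 0.25): int {
    $cost = 4;
    do {
        $cost++;
        $start = microtime(true);
        password_hash('calibration', PASSWORD_BCRYPT, ['cost' => $cost]);
    } while (microtime(true) - $start < $target_seconds && $cost < 31);
    return $cost;
}

// Demo with a constructed password, not real credential data.
$stored = hash_password('correct horse battery staple', 10);
var_dump(substr($stored, 0, 7));                                    // string(7) "$2y$10$"
var_dump(verify_password('correct horse battery staple', $stored)); // bool(true)
var_dump(verify_password('wrong', $stored));                        // bool(false)
var_dump(hash_needs_upgrade($stored, 12));                          // bool(true): cost 10 < 12
echo 'Suggested cost on this machine: ', calibrate_cost(), "\n";
```

The stored string carries algorithm, cost and salt (`$2y$10$` followed by 22 salt characters and the digest), so raising the cost later is a matter of changing the policy value and letting `hash_needs_upgrade()` drive rehashing as users log in.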
Re: [PHP] Re: Tree menu list in php
That would be so extremely inefficient both resources- and bandwidth-wise, however an interesting thought... On Jul 27, 2011 4:02 AM, Pete Ford p...@justcroft.com wrote: On 26/07/11 18:20, alekto wrote: Hi, is there a way to create a tree menu list only by using php/html/css? I found some, but they are all in JavaScript, do I have to make them by using JavaScript or is there a way in php as well? This is how I imagine the tree menu should look like: v First level Second level Second level v Second level Third level Third level Third level Second level Second level ( = menu is closed, v = menu is open ) Cheers! Look, I know this is loopy and I haven't tried it (for the protection of my sanity, mainly), but how about the tree being an image generated using PHP, and then used as an image map to submit the page every time a click is made on the image - you could then use the coordinates of the click to determine the new state of the tree and render an appropriate image for it... I'll get my coat... Pete -- Peter Ford, Developer phone: 01580 89 fax: 01580 893399 Justcroft International Ltd. www.justcroft.com Justcroft House, High Street, Staplehurst, Kent TN12 0AH United Kingdom Registered in England and Wales: 2297906 Registered office: Stag Gates House, 63/64 The Avenue, Southampton SO17 1XS -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] dependency check
On Fri, Jul 22, 2011 at 8:17 AM, Nilesh Govindarajan cont...@nileshgr.com wrote:
On 07/22/2011 11:21 AM, Andreas Moroder wrote:
Hallo, I have a PHP application made of many files (php, images etc.). I have a strong suspicion that many of the files in the application directory are no more in use, because of changes made on the application. Is there a tool that, starting from the entry point of the application, scans the files recursively for included/used files and lists them? With this list I could delete the remaining files.
Thanks
Andreas

You could write a python or even php script to do that, storing all the files in an array/list and then finding files (regex) which are not included in any of the php files. Of course, this applies if and only if you haven't used __autoload() magic.
-- Regards, Nilesh Govindarajan @nileshgr on twitter/identica
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php

Or you could just grep the directory. Not saying you have to do this, but this was kind of fun to write anyways; if I spent more time on it, I could perfect it, but I don't have that kind of time, so this will still give you a few doubles, but it shouldn't give you false-positives as long as you have all the extensions in that grep regex (and you can't make it more generic without introducing false-positives)...

    grep -oiPR "[a-zA-Z0-9]+\.(php|js|png|jpg|css|htm|html)" directory \
      | awk 'function getfiles(input, files, i, n, file) { result = ""; n = split(input, files, ":"); for (i = 0; i <= n; i++) { if (files[i] !~ /^\s*$/) print files[i]; } } { getfiles($0) }' \
      | sort -biu

This should give you all the files that reference files and the files they reference.
-- The trouble with programmers is that you can never tell what a programmer is doing until it's too late. ~Seymour Cray
Re: [PHP] dependency check
It would still be quicker with shell tools, imho, granted that some command line elitistry would be required... Also if you are going to be doing string parsing and manipulation, and string parsing here is all that you are doing, there would be no better language than perl to do it with; granted I don't like perl and prefer python or php or ruby to it, but when you have a lot of string manipulation, perl has no rival I have used yet, though I guess if awk were combined with sed, there would be some potential...
-- The trouble with programmers is that you can never tell what a programmer is doing until it's too late. ~Seymour Cray

On Fri, Jul 22, 2011 at 9:33 AM, Nilesh Govindarajan cont...@nileshgr.com wrote:
On 07/22/2011 06:56 PM, Alex Nikitin wrote:
Or you could just grep the directory. Not saying you have to do this, but this was kind of fun to write anyways; if I spent more time on it, I could perfect it, but I don't have that kind of time, so this will still give you a few doubles, but it shouldn't give you false-positives as long as you have all the extensions in that grep regex (and you can't make it more generic without introducing false-positives)...

    grep -oiPR "[a-zA-Z0-9]+\.(php|js|png|jpg|css|htm|html)" directory \
      | awk 'function getfiles(input, files, i, n, file) { result = ""; n = split(input, files, ":"); for (i = 0; i <= n; i++) { if (files[i] !~ /^\s*$/) print files[i]; } } { getfiles($0) }' \
      | sort -biu

This should give you all the files that reference files and the files they reference.
-- The trouble with programmers is that you can never tell what a programmer is doing until it's too late. ~Seymour Cray

It is possible to use the shell tools, but it is a big trouble to handle spaces and special characters in shell scripting if your filenames have them, quite rare with self created applications, but you can't say, and hence I suggested python/php script method.
-- Regards, Nilesh Govindarajan @nileshgr on twitter/identica
Re: [PHP] dependency check
On Fri, Jul 22, 2011 at 3:09 PM, Ashley Sheridan a...@ashleysheridan.co.uk wrote:
On Fri, 2011-07-22 at 09:51 -0400, Alex Nikitin wrote:
It would still be quicker with shell tools, imho, granted that some command line elitistry would be required... Also if you are going to be doing string parsing and manipulation, and string parsing here is all that you are doing, there would be no better language than perl to do it with; granted I don't like perl and prefer python or php or ruby to it, but when you have a lot of string manipulation, perl has no rival I have used yet, though I guess if awk were combined with sed, there would be some potential...
-- The trouble with programmers is that you can never tell what a programmer is doing until it's too late. ~Seymour Cray

On Fri, Jul 22, 2011 at 9:33 AM, Nilesh Govindarajan cont...@nileshgr.com wrote:
On 07/22/2011 06:56 PM, Alex Nikitin wrote:
Or you could just grep the directory. Not saying you have to do this, but this was kind of fun to write anyways; if I spent more time on it, I could perfect it, but I don't have that kind of time, so this will still give you a few doubles, but it shouldn't give you false-positives as long as you have all the extensions in that grep regex (and you can't make it more generic without introducing false-positives)...

    grep -oiPR "[a-zA-Z0-9]+\.(php|js|png|jpg|css|htm|html)" directory \
      | awk 'function getfiles(input, files, i, n, file) { result = ""; n = split(input, files, ":"); for (i = 0; i <= n; i++) { if (files[i] !~ /^\s*$/) print files[i]; } } { getfiles($0) }' \
      | sort -biu

This should give you all the files that reference files and the files they reference.
-- The trouble with programmers is that you can never tell what a programmer is doing until it's too late. ~Seymour Cray

It is possible to use the shell tools, but it is a big trouble to handle spaces and special characters in shell scripting if your filenames have them, quite rare with self created applications, but you can't say, and hence I suggested python/php script method.
-- Regards, Nilesh Govindarajan @nileshgr on twitter/identica

The only problem you may run into is an include that's part of a logic branch in your code that never gets called under any circumstance (maybe the logic changed and you no longer require a certain set of functions for example). It's also possible that your bigger problem isn't rogue files that aren't being used but files with lots of unused functions, unused class methods, etc. Sometimes the only way to find those is by tracing back all the way from each function/method in turn.
-- Thanks, Ash
http://www.ashleysheridan.co.uk

You could actually automate that as well: all your functions are defined with a function definition, you would build a table of functions and then traverse the code searching for these functions. Chances are you would have the majority of functions traced. This leaves out dynamic functions, eval and some magic methods; dynamic functions and eval are not the best of ideas to begin with, though I admit, I have had to use them before. But it's not to say that this would be impossible to solve. There are other ways to do this too which would be a bit more involved...
-- The trouble with programmers is that you can never tell what a programmer is doing until it's too late. ~Seymour Cray
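An added example, not code from any of the posters: a PHP-only dead-file and dead-function finder built on the tokenizer rather than grep, so it handles filenames with spaces (Nilesh's objection to the shell version) and produces the "table of functions" approach Alex sketches. Unreferenced files left in a web root are still reachable by URL, which is why a security reviewer wants this list as much as a maintainer does. Like the grep version it cannot see includes built at runtime, eval() or autoloaded classes, so the output is a review list rather than a delete list. The function names and constants are this example's own; it assumes PHP 7.4 or later.

```php
<?php
// Added example: find files nothing references and functions nothing calls.
// Usage: php find_dead.php /path/to/app [entry.php ...]

const TEXT_EXTS = ['js', 'css', 'htm', 'html'];
const ALL_EXTS  = ['php', 'js', 'css', 'png', 'jpg', 'jpeg', 'gif', 'htm', 'html'];
// a file-looking name; spaces are allowed inside the name on purpose
const FILE_REF  = '~[\w\-. ]+?\.(?:php|js|css|png|jpe?g|gif|html?)\b~i';

function collect_files(string $root): array {
    $files = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $info) {
        if (in_array(strtolower($info->getExtension()), ALL_EXTS, true)) {
            $files[] = $info->getPathname();
        }
    }
    sort($files);
    return $files;
}

// Returns [referenced basenames, defined functions, called names], each keyed
// by name (functions lower-cased, since PHP function names are case-insensitive).
function scan_source(string $path): array {
    $refs = $defs = $calls = [];
    $src = file_get_contents($path);
    if (strtolower(pathinfo($path, PATHINFO_EXTENSION)) !== 'php') {
        // plain text assets: any file-looking name counts as a reference
        preg_match_all(FILE_REF, $src, $m);
        foreach ($m[0] as $name) $refs[basename(trim($name))] = true;
        return [$refs, $defs, $calls];
    }
    $tokens = token_get_all($src);
    $n = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (!is_array($t)) continue;
        if ($t[0] === T_CONSTANT_ENCAPSED_STRING || $t[0] === T_ENCAPSED_AND_WHITESPACE) {
            // in PHP only names inside string literals are file references
            if (preg_match_all(FILE_REF, $t[1], $m)) {
                foreach ($m[0] as $name) $refs[basename(trim($name))] = true;
            }
        } elseif ($t[0] === T_FUNCTION) {
            // "function [&]name(": skip whitespace and a by-reference ampersand
            $j = $i + 1;
            while ($j < $n && (is_array($tokens[$j])
                    ? ($tokens[$j][0] === T_WHITESPACE || $tokens[$j][1] === '&')
                    : $tokens[$j] === '&')) {
                $j++;
            }
            if ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_STRING) {
                $defs[strtolower($tokens[$j][1])] = true;
            }
            $i = $j; // do not count the definition itself as a call
        } elseif ($t[0] === T_STRING && ($tokens[$i + 1] ?? null) === '(') {
            $calls[strtolower($t[1])] = true;
        }
    }
    return [$refs, $defs, $calls];
}

function find_dead(string $root, array $entry_points = ['index.php']): array {
    $referenced = $defined = $called = [];
    $files = collect_files($root);
    foreach ($files as $f) {
        $ext = strtolower(pathinfo($f, PATHINFO_EXTENSION));
        if ($ext !== 'php' && !in_array($ext, TEXT_EXTS, true)) continue;
        [$r, $d, $c] = scan_source($f);
        $referenced += $r; $defined += $d; $called += $c;
    }
    // entry points are requested directly, so nothing references them by design
    $dead_files = array_values(array_filter($files, function ($f) use ($referenced, $entry_points) {
        $base = basename($f);
        return !isset($referenced[$base]) && !in_array($base, $entry_points, true);
    }));
    $dead_funcs = array_keys(array_diff_key($defined, $called));
    sort($dead_funcs);
    return ['files' => $dead_files, 'functions' => $dead_funcs];
}

print_r(find_dead($argv[1] ?? '.', array_slice($argv, 2) ?: ['index.php']));
```

Two limits worth knowing before acting on the report: a method name is matched by name only, so `foo()` anywhere keeps every `function foo` alive, and a file mentioned only in a branch that can never execute (Ash's point) still counts as referenced.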
RE: [PHP] Your language sucks because...
I'm actually interested in finding out if there are any languages that don't suck in any way... I know and have programmed in about 29; I have yet to find a language that makes 100% sense and I have no complaints about. However I still choose PHP over many, many other languages and I implement php apis because it's such an easy to learn, versatile, and as advanced as you want to make it language; I mean I've written vfat in php for fun, as well as self-documenting or self-correcting libraries with reflection, advanced sorting algorithms (like a pimped radix sort that did positive and negative integers and floats), and yet teach people how to write stuff in php in minutes, people never exposed to programming... In short, PHP does suck, but so do all languages, so when compared, php actually doesn't suck anywhere near as much as some other often used languages. Anyways, just my $.02 With Regards... --Alex On Jul 13, 2011 9:15 PM, Florian Müller florip...@hotmail.com wrote:
Re: [PHP] IF stream lining
if ($val !== 'with' && $val !== 'from') -- simple comparison = faster solution... Also, if you want it type-safe you could do something like if (!in_array($val, array('from', 'with'), true)) but it's neither elegant nor fast. On Jul 14, 2011 12:22 AM, Ron Piggott ron.pigg...@actsministries.org wrote:
Re: [PHP] mysqli_query() returns NULL?
If you were to use the proper object form of it, you'd spot the mistake, as it will tell you that you are trying to perform an action on a non-object. It might be a bug, or the developers might not have cared, figuring that if you threw it in an if(!...) it would validate as false anyways. But it might be a bug or an oversight. It might actually be falling through some ifs and returning the result that was instantiated as null, I dunno... Sent from my Verizon Wireless 4GLTE smartphone - Reply message - From: James Colannino ja...@colannino.org To: php-general@lists.php.net Subject: [PHP] mysqli_query() returns NULL? Date: Fri, Jun 17, 2011 4:40 pm Hey everyone, After reading the documentation for mysqli_query(), I was led to believe that on any error it would return false. However, through a stupid mistake, I discovered that when I specify an invalid value for the database link identifier (in my case, I accidentally passed an integer), instead of false I get a return value of NULL. Does anyone know why? Thanks! James -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] trying to combine two forms into a single form
On Thu, Jun 9, 2011 at 8:37 AM, matty jones urlu...@gmail.com wrote:
I have a mediawiki extension that allows me to design a form in the wiki to facilitate data entry into the wiki and it works good except that I also want to be able to upload images and take the file location/name and enter that into the wiki so that the image displays on the page as well. I found code online that works well for uploading an image to a site and it works good in my mediawiki but when I combined the forms on a single page and click on the upload button it wipes the other textarea fields clean and doesn't submit the text data but it does upload the image and return the path and filename. I know this is supposed to happen but I don't totally understand why. If I just click on the save form button the image isn't uploaded, but the text data is saved; again I understand something having to do with two different forms/form handlers but I have been trying to combine them with no luck. My line of thinking was to write a function to submit the second form and call it when the first form is submitted but this doesn't seem to be working or I am doing it wrong. The ultimate goal is to have a form that submits issues into a knowledge base and allows screenshots of error messages. Here is the code for the page.

    <?php
    // define a maximum size for the uploaded images in Kb
    define('MAX_SIZE', 1024);

    // This function reads the extension of the file. It is used to determine if
    // the file is an image by checking the extension.
    function getExtension($str)
    {
        $i = strrpos($str, '.');
        if (!$i) {
            return '';
        }
        $l = strlen($str) - $i;
        $ext = substr($str, $i + 1, $l);
        return $ext;
    }

    // This variable is used as a flag. The value is initialized with 0 (meaning no error found)
    // and it will be changed to 1 if an error occurs.
    // If the error occurs the file will not be uploaded.
    $errors = 0;

    // checks if the form has been submitted
    // if (isset($_POST['Submit']))
    // {
    // reads the name of the file the user submitted for uploading
    $image = $_FILES['image']['name'];
    // if it is not empty
    if ($image) {
        // get the original name of the file from the client's machine
        $filename = stripslashes($_FILES['image']['name']);
        // get the extension of the file in a lower case format
        // (note: this is the client-supplied name, not the file's content)
        $extension = getExtension($filename);
        $extension = strtolower($extension);
        // if it is not a known extension, we will suppose it is an error and will not upload the file,
        // otherwise we will do more tests
        if (($extension != 'jpg') && ($extension != 'jpeg') && ($extension != 'png') && ($extension != 'gif')) {
            // print error message
            echo '<h1>Unknown extension!</h1>';
            $errors = 1;
        } else {
            // get the size of the image in bytes
            // $_FILES['image']['tmp_name'] is the temporary filename of the file
            // in which the uploaded file was stored on the server
            $size = filesize($_FILES['image']['tmp_name']);
            // compare the size with the maximum size we defined and print error if bigger
            // (note: the copy below still runs when this check fails)
            if ($size > MAX_SIZE * 1024) {
                echo '<h1>You have exceeded the size limit!</h1>';
                $errors = 1;
            }
            // we will give a unique name, for example the time in unix time format
            $image_name = time() . '.' . $extension;
            // the new name will contain the full path where it will be stored (images folder)
            $newname = 'images/' . $image_name;
            // we verify if the image has been uploaded, and print error instead
            $copied = copy($_FILES['image']['tmp_name'], $newname);
            if (!$copied) {
                echo '<h1>Copy unsuccessful!</h1>';
                $errors = 1;
            }
        }
    }
    // If no errors registered, print the success message
    if (isset($_POST['Submit']) && !$errors) {
        echo '<h1>File Uploaded Successfully! Try again!</h1>';
        echo $newname = 'images/' . $image_name;
    }

    function wfSpecialAddactivity()
    {
        global $wgOut, $wgScriptPath;
        $mine = $wgScriptPath . '/index.php?action=submit';
        if (!empty($_GET['id'])) {
            $data = StructuredInput::getStructuredData($_GET['id']);
        } else {
            $data = array();
        }
        // note: $data values are interpolated into the HTML below unescaped
        $html = <<<TEMPLATE
    <h2>Add Issue</h2>
    <script>
    function setAction(formEl) {
        if (formEl['_title'].value) {
            formEl.action += 'title=' + formEl['_title'].value;
            return true;
        } else {
            return false;
        }
    }
    </script>
    <form name="text" method="post" enctype="multipart/form-data" action="$mine" onsubmit="return setAction(this)">
    <input type="hidden" name="_type" value="addactivity" />
    <!-- <input type="hidden" name="wpPreview" value="Show preview" /> -->
    <!-- This is the title of the page being created -->
    <label for="_title">Issue Title:</label>
    <input id="_title" name="_title" value="{$data['_title']}" />
    <br /><br />
    <!-- This is the Software Product -->
    <label for="software">Software:</label>
    <select id="software" name="software">
    <option value="{$data['software']}"></option>
    <option value="Server For Windows">{$data['software']}Server For Windows</option>
    <option value="Suite For Windows">{$data['software']}Suite For Windows</option>
    <option value="Job">{$data['software']}Job</option>

(the rest of the template and of the message is cut off in the archive)
Re: [PHP] trying to combine two forms into a single form
Actually if you want a very simple way, with a little JS, you can b64 encode the file and fill in the file field in the form with it (you can hide it or dynamically tack it on or something), so that you get everything when you submit the form including the file (you just gotta make a file back out of it, but that's simple :) )...? I think that would be by far the easiest solution, then you can do the shiny ajax stuff later if you feel like it. -- The trouble with programmers is that you can never tell what a programmer is doing until it's too late. ~Seymour Cray On Thu, Jun 9, 2011 at 11:10 AM, Jim Lucas li...@cmsws.com wrote: On 6/9/2011 8:07 AM, matty jones wrote: The two forms work fine by themselves, my issue is getting the two of them to work together, I don't even care if you need to upload the image separately from submitting the text data as long as it is all on the same page. Thanks for the thoughts on jQuery, I will look into it. On Thu, Jun 9, 2011 at 10:53 AM, Jim Lucas li...@cmsws.com wrote: On 6/9/2011 5:37 AM, matty jones wrote: formEl.action += 'title=' + formEl['_title'].value; The only thing I see inconsistent is the above line. But then again, it could be right. You might be looking for $_GET['title'] in your processing page instead of $_GET['_title'] Can you show the PHP code that you use to process the form data text fields? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
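An added example, not matty's code and not the snippet he found online: a server-side handler for the image half of the combined form, written the way a security reviewer would want it. A single `<form enctype="multipart/form-data">` delivers the text fields in `$_POST` and the file in `$_FILES` in the same request, so the handler below only needs to be called from the one submit path. It assumes the file input is named `image` and that `$dest_dir` is a directory outside the web root; the function name is this example's own.

```php
<?php
// Added example: validate an uploaded image by content, store it under a
// server-chosen name, and never trust the client-supplied filename.

function store_uploaded_image(array $file, string $dest_dir, int $max_bytes = 1048576): string {
    // 1. PHP's own upload status, not the presence of a name field.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . ($file['error'] ?? 'none'));
    }
    // 2. Size from the upload record, before the file is opened.
    if ($file['size'] > $max_bytes) {
        throw new RuntimeException('file exceeds size limit');
    }
    // 3. Refuse anything that did not arrive through this request's upload
    //    (copy() on an arbitrary tmp_name would happily copy local files).
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // 4. Type from the bytes, not from the extension or $file['type'],
    //    both of which the client chooses.
    $allowed = [
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    ];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset($allowed[$mime]) || @getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not an accepted image type');
    }
    // 5. Unpredictable server-chosen name with an extension we picked;
    //    the original name never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($dest_dir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload');
    }
    chmod($dest, 0640); // readable by the app, never executable
    return $name;
}

// Usage inside the form handler (same request carries the text fields in $_POST):
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['image'])) {
    try {
        $stored = store_uploaded_image($_FILES['image'], __DIR__ . '/../uploads');
        echo 'stored as ', htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Serving the stored file back should go through a script that sets `Content-Type` from the stored extension and `Content-Disposition`, rather than exposing the upload directory directly; keeping the directory outside the web root is what makes the extension and MIME checks sufficient rather than merely helpful.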
Re: [PHP] Fuzzy Array Search
What do you mean by fuzzy search? Like an approximate search, and instead of you stepping through the array, you guesstimate where to start, or search for approximate string value in an array of strings? -- The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray On Tue, Jun 7, 2011 at 1:45 PM, Floyd Resler fres...@adex-intl.com wrote: What would be the easiest way to do a fuzzy array search? Can I do this without having to step through the array? Thanks! Floyd -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Fuzzy Array Search
If you don't need the location, you can implode the array and use preg_match; quickly testing it, that gives you about 4.5 times performance increase, but it won't give you the location, only whether a certain value exists within the array... You can kind of do some really clever math to get your search parameters from there, which would be feasible on really large data sets, but if you want location, you will have to iterate at some point... (sorry I keep on hitting reply instead of reply to all) -- The trouble with programmers is that you can never tell what a programmer is doing until it's too late. ~Seymour Cray On Tue, Jun 7, 2011 at 2:57 PM, Shawn McKenzie nos...@mckenzies.net wrote: On 06/07/2011 12:45 PM, Floyd Resler wrote: What would be the easiest way to do a fuzzy array search? Can I do this without having to step through the array? Thanks! Floyd I use preg_grep() -- Thanks! -Shawn http://www.spidean.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Fuzzy Array Search
It runs fast on my 2.33 core 2, and about as fast on this small data set on the dual 6 core with 96GB ram, or the 8 core 9GB box; it depends on the size of your data set, memory speed and latency, and a minuscule amount of processing power (once again assuming small data set). That said, you could probably do some clever stuff to minimize the range you are looking for. For example, you could use the average record size with imploding the array and searching, capturing the offset; you could potentially cut out a lot of records that you are, within a certain probability, sure that the result is not in, making your search execute faster by not even looking in the majority of data in most cases. This would be interesting to test out actually. You could sort the array to further narrow down the search by some criteria, what have you. This would all apply if you are searching very large data sets, I am talking about multiple billion data points. And all that said, arrays are not really a good data-structure for searching anyways, that's why they are rarely used in file systems or as memory data structures ;) Shawn, == is not good for string comparison, it's a bad habit that one should get out of; use ===, it's much safer. Also try the same algorithm on 10 arrays of some number of values, 10-1000 perhaps, that would give you better performance statistics :) -- Alex -- The trouble with programmers is that you can never tell what a programmer is doing until it's too late. ~Seymour Cray On Tue, Jun 7, 2011 at 5:25 PM, Shawn McKenzie nos...@mckenzies.net wrote: On 06/07/2011 03:57 PM, Floyd Resler wrote: On Jun 7, 2011, at 4:42 PM, Alex Nikitin wrote: If you don't need the location, you can implode the array and use preg_match; quickly testing it, that gives you about 4.5 times performance increase, but it won't give you the location, only whether a certain value exists within the array... 
You can kind of do some really clever math to get your search parameters from there, which would be feasible on really large data sets, but if you want location, you will have to iterate at some point... (sorry I keep on hitting reply instead of reply to all) -- The trouble with programmers is that you can never tell what a programmer is doing until it's too late. ~Seymour Cray On Tue, Jun 7, 2011 at 2:57 PM, Shawn McKenzie nos...@mckenzies.net wrote: On 06/07/2011 12:45 PM, Floyd Resler wrote: What would be the easiest way to do a fuzzy array search? Can I do this without having to step through the array? Thanks! Floyd I use preg_grep() -- Thanks! -Shawn http://www.spidean.com I actually do need the location since I need to get the resulting match. I went ahead and tried to iterate the array and it was MUCH faster than I expected it to be! Of course, considering the machine I'm running this on is a monster (2.66 GHz 8 cores, 24GB of RAM) it shouldn't have surprised me! Thanks! Floyd If you are using a straight equality comparison then the loop would be faster (but then array_search would probably be better), however if you need to use a preg_match() in the loop (fuzzy search), then preg_grep() will be much faster than the loop. LOOP WITH PREG_MATCH: 10 0.435957 seconds PREG_GREP: 10 0.085604 seconds LOOP WITH IF ==: 10 0.044594 seconds PREG_GREP: 10 0.091519 seconds -- Thanks! -Shawn http://www.spidean.com
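An added example, not code from the thread: two fuzzy lookups over an array that both return matches keyed by their original index, which is the "location" Floyd needs. preg_grep() preserves keys, so the implode-and-preg_match trick is not required to get the position back; the needle is run through preg_quote() so that a user-supplied value such as `.*` or `(a+)+$` cannot become part of the pattern (pattern injection or a catastrophic-backtracking regex against a large array). The function names and the sample list are this example's own.

```php
<?php
// Added example: fuzzy search over an array, keys preserved.

// Case-insensitive substring search with the needle treated literally.
function substring_search(array $haystack, string $needle): array {
    $pattern = '/' . preg_quote($needle, '/') . '/i';
    return preg_grep($pattern, $haystack);   // keys are the original indexes
}

// Edit-distance search: entries within $max_distance of the needle, closest
// first. levenshtein() is O(n*m) per entry, so this is for lists, not the
// multi-billion-row case discussed above.
function levenshtein_search(array $haystack, string $needle, int $max_distance = 2): array {
    $hits = [];
    $needle = strtolower($needle);
    foreach ($haystack as $key => $value) {
        $d = levenshtein($needle, strtolower((string) $value));
        if ($d <= $max_distance) {
            $hits[$key] = $d;
        }
    }
    asort($hits);   // sort by distance, keys preserved
    return $hits;
}

// Constructed sample data.
$names = ['alice', 'Alicia', 'bob', 'robert', 'a.lice', 'malice'];

print_r(substring_search($names, 'lic'));
// keys 0, 1, 4, 5 => alice, Alicia, a.lice, malice

print_r(substring_search($names, '.*'));
// empty: the needle is literal, so ".*" matches nothing here

print_r(levenshtein_search($names, 'alise', 2));
// [0 => 1, 4 => 2, 5 => 2]: alice (1 edit), a.lice and malice (2 edits)
```

If the needle has to be a real pattern (the caller is trusted), keep the array bounded and set `pcre.backtrack_limit` deliberately; preg_grep() returns false when the limit is hit, which the caller must distinguish from "no matches".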
Re: [PHP] strcmp()?
On Mon, May 23, 2011 at 9:32 AM, Joshua Kehn josh.k...@gmail.com wrote: On May 23, 2011, at 9:28 AM, Alex Nikitin wrote: There is an interesting note in the comments for strcmp: "Well, I am using PHP 4.0 and both strcmp and strcasecmp appear to be giving me very arbitrary and incomprehensible results. When I input strings, it appears that equal strings return 1, as well as some unequal strings, and that if the first argument is smaller then I *tend* to get negative numbers, but sometimes I get 1, and if larger I *tend* to get numbers larger than 1.." Guessing that earlier versions of php 4 and before would give the results that would have values other than 1, 0, -1, I looked through the change log, but nothing immediately jumped out; there was a lot of mbstring work done, and they did add the nat comparison functions, and play with the pcre engine a bit, which could have caused this as an unintended result for a few versions. I think though it was a bug at some point, so maybe a php dev would chime in if they remember...? -- Alex -- -- The trouble with programmers is that you can never tell what a programmer is doing until it's too late. ~Seymour Cray All this confusion makes me glad that I'm using === for equality checks instead of strcmp. Regards, -Josh Joshua Kehn | josh.k...@gmail.com http://joshuakehn.com It depends on what you need to check, Josh :) If you wanted to say find an anagram, or do a search with some typo correction, strcmp can be many times more helpful than a ===; that said, comparing 2 strings to be equal with === works about 20% quicker, so it works better for comparing two strings for equality (or inequality) anyways. There is no confusion, strcmp has a documented way in which it is to work in posix-compliant languages, ISO/IEC 9899:1999, 7.21.4.2, so as long as you follow the ISO guidelines for the strcmp checking, your code should work correctly... 
-- The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray
Re: [PHP] htaccess question
On Mon, May 23, 2011 at 11:52 AM, Al n...@ridersite.org wrote:
How can I prevent access to all files in a directory except one with an htaccess file. I've tried several approaches found with Googling; but, none seem to work. e.g.,

    <FilesMatch "^(makeScodeImg.php)">
        Order Allow,Deny
        Deny from all
    </FilesMatch>

This seems to me as it should deny to all except makeScodeImg.php
Thanks
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php

Also don't forget to enable override on the directory, otherwise .htaccess won't be read at all... http://httpd.apache.org/docs/2.0/mod/core.html
-- The trouble with programmers is that you can never tell what a programmer is doing until it's too late. ~Seymour Cray
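An added example, not Al's or Alex's configuration: an .htaccess that denies every file in the directory and then grants just makeScodeImg.php. A `<FilesMatch>` block only applies to the files its pattern matches, so the deny has to be directory-wide with a per-file exception (or the pattern has to match everything except the one name). Both the 2.4 and the 2.2 syntax are shown; the AllowOverride requirement Alex mentions differs between them.

```apache
# Apache 2.4 (mod_authz_core). The directory needs "AllowOverride AuthConfig"
# (or All) in the server config, otherwise these lines are silently ignored.
Require all denied
<Files "makeScodeImg.php">
    Require all granted
</Files>

# Apache 2.2 equivalent (mod_authz_host; also accepted by 2.4 when
# mod_access_compat is loaded). Needs "AllowOverride Limit" (or All).
# Order Deny,Allow
# Deny from all
# <Files "makeScodeImg.php">
#     Allow from all
# </Files>

# Single-block alternative: match every name that is NOT the script.
# <FilesMatch "^(?!makeScodeImg\.php$).*">
#     Require all denied
# </FilesMatch>
```

Check it from outside rather than trusting the file: `curl -sI https://host/dir/other.php | head -1` should show 403 and the same request for makeScodeImg.php should show 200; a 200 on both means the override is not enabled or the wrong directive family is in use for the server version.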
Re: [PHP] A Review Request
Yep, and it comes in handy, especially in school, lol, in advanced algorithms and datastructures, I once submitted a project assignment that was 5 lines long, and instead of figuring out anagrams, strcmp was very helpful :) Sent from my Verizon Wireless 4GLTE smartphone - Reply message - From: tedd tedd.sperl...@gmail.com To: Joshua Kehn josh.k...@gmail.com, PHP General php-general@lists.php.net Subject: [PHP] A Review Request Date: Sat, May 21, 2011 9:26 am At 2:49 PM -0400 5/19/11, Joshua Kehn wrote: On May 19, 2011, at 2:44 PM, Andre Polykanine wrote: Hello Alex, Two (stupid?) questions: 1. Why PHP_SELF is better than SCRIPT_NAME? 2. Why strcmp() is better than just comparing? -- With best regards from Ukraine, Andre Skype: Francophile My blog: http://oire.org/menelion (mostly in Russian) Twitter: http://twitter.com/m_elensule Facebook: http://facebook.com/menelion No idea about the first, and I've never used strcmp() before for an equality check. If there is something I'm missing I would love to know. Regards, -Josh -Josh: The function strcmp() simply evaluates two strings and reports back -1, 0, or 1 depending upon their alphabetical relationship. Cheers, tedd -- --- http://sperling.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] A Review Request
Absolutely agree with a logging function or class (I of course prefer the latter) for persistent logging that is to be present in the end product; however it is not the best of ideas to spend time developing logging code and using it for debug purposes that will only be used during the initial development cycle of the said code. I can define debug just before or in the beginning of a method or class, say one that I suspect is using up too much memory, and throw a couple of these debug lines in there to avoid further obfuscating code. Needless to say that there is only one line to remove before publishing that code to production; say I do this 15 times in a block of code, the "oh this is much more clean" version would mean that I would have to go back through and remove 60 lines of code, and I, for one, am lazy and don't like to do extra work. I never said it was a good coding practice to use this kind of logic; in fact the if is on average about 20% faster, so I would recommend an inline if. All I said is that it reads much quicker and cleaner; that said I would normally write it as: if(DEBUG) ... Works just as well, actually better, I just like to improvise, figure out new ways to do something; that kind of spans my approach to thinking about programming in general, but I won't go into that as I doubt it's interesting to anyone, and certainly to some extent, I like to confuse people with crazy code so that they don't stare over my shoulder, especially code that I know I am going to remove. Oh and in terms of performance, a callout to a function is about 40% slower than my crazy code, and about 75% slower than an if check. Calling out to a logging class is about 2 times slower than my logic, and almost 3 times slower than an if.

Actually I accidentally left the debugs spanning from tracing through memory use issues in someone else's code *cough*PHPExcel*/cough* in my class linked above, so Adam (and/or others if you were looking at it) new pastebin link: http://pastebin.com/2qg4qJRh

Also to tedd, I would say that you should make it a series of tutorials of how to make simple user auth progressively more and more secure; I would say that would be a good learning experience for someone. Start with your basic code, introduce new concepts that will teach a novice a little bit more about how the internet works, how sessions work, how it can all be exploited conceptually, and introduce ways to fix those issues with progressively more hardened code...? I think that that would be a great way of learning for a novice; I would say maybe 3 more tutorials, each progressively more secure; suggesting the next one to introduce hashing, cleaning the code, and some of the initial concepts outlined above, then a system setup for https, going over tls renegotiation, setting up rewriting rules, etc, and changing the code with securing the session code and introducing login limits, and finally perhaps how to make all of this system a bit more web 2.0 with jquery, ajax, and perhaps use that as the introduction of the next set of tuts of how to do this same thing with a database back end with references back to this auth system? I would have certainly liked to read a tutorial like that when I was starting out... And, I'm up to help, I'm sure others as well would not mind chiming in their $.02 :)

P.S. I like to play around with programming concepts, actually just gave up on playing with a radix sort implementation in PHP that deals with both positive and negative numbers as well as floats, which are a pain in the butt in php when you are dealing with binary operations; amongst other things I had to write my own dec2bin that deals with float. It's mostly working, still a couple of quirks that would need to be fixed, but it's slow in PHP as opposed to C++, where it can be many times faster than library-provided sorting functions, so it's not really worth any more of my time, but it was kind of fun to figure out how to do all of that, especially converting signed ints and floats to positive ints and back :)
-- Alex
-- The trouble with programmers is that you can never tell what a programmer is doing until it's too late. ~Seymour Cray

On Fri, May 20, 2011 at 9:14 AM, Joshua Kehn josh.k...@gmail.com wrote:
On May 20, 2011, at 4:41 AM, Tim Streater wrote:
On 20 May 2011 at 04:03, Alex Nikitin niks...@gmail.com wrote:
but here is a brief example:

    (!DEBUG) || error_log("Fetch Data: " . memory_get_usage() / 1048576);

reads and writes a lot better and faster than:

    if (DEBUG) {
        $memory = memory_get_usage() / 1048576;
        error_log("Fetch Data: " . $memory);
    }

Not to me it doesn't. I find such usage incomprehensible.
tim

I understand what you're doing, and I think it's a bad shortcut to be taking. Make a dedicated class for logging and handle all this there.
Regards, -Josh
Joshua Kehn | josh.k...@gmail.com http://joshuakehn.com
Re: [PHP] PHP Brainteasers 2011
what's the scope? I have some brain-teasing functions i've been working on, but they are far from bulletproof, but here is an example:

function float_int($significand) {
    $sign = ($significand < 0) ? true : false;
    $significand = abs($significand);
    $drep = (decbin( (int) $significand));
    $frep = '';
    for($i = 0; $i <= 22; $i++) {
        $significand = ($significand - (int) $significand)*2;
        if($significand == 0) break;
        $frep .= ($significand >= 1) ? 1 : 0;
    }
    $significand = preg_replace('/^0*1/', '', $drep.$frep);
    $significand = (strlen($significand) < 23) ? str_pad($significand, 23, '0') : substr($significand, 0, 23);
    if($drep) {
        $exponent = decbin(126+strlen($drep));
    } else {
        $tmp = preg_split('/1/', $drep.$frep, 2, PREG_SPLIT_OFFSET_CAPTURE);
        $exponent = decbin((-$tmp[1][1])+127);
    }
    $f = bindec($exponent.$significand);
    // the mask literal after "0x" was cut off in the archived message; 1 << 31
    // (the IEEE-754 single-precision sign bit) is assumed here so the code runs
    return (!$sign) ? $f : $f ^ (1 << 31);
}

I guess the function name and variable names will offer some assistance in determining what this does, but i think its an interesting brain-bender, not very useful, because its pretty slow, but still :)

-- Alex

-- The trouble with programmers is that you can never tell what a programmer is doing until it's too late. ~Seymour Cray

On Fri, May 20, 2011 at 12:49 PM, Steve Staples sstap...@mnsi.net wrote: Just wondering if anyone has done anything for this? I personally haven't had any ideas come to mind yet... Looking forward to seeing them!!! (once they come) Steve -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] A Review Request
Just a comment on the building a house, a house is a page, but as programmers (at least decent ones) we are no longer building single pages, we build a house template and fill it with various elements to define what the house is and what it does, so in essense you actually are not building just one house, you are building a city, some of which needs to be protected by a fortress, a fortress to protect the houses that need to be accessible to a few, but not everyone. If you teach people to build houses, they will have no idea how to build a fortress, and actually vise-versa if you teach people to build the fortress, they will not know how to build a house. If you are building a website (completely or as an extension), you have to do everything, you have to think about the UI, you have to think about security, you have to think about performance, you have to think about function, without knowing how to do either one, you can not make a whole, but without knowing how the whole works, you can not build efficient ones, and pull them together... Also you left out a database, your basement/foundation (html is really only the flooring, the walls and the roof, the stuff that you can see), avoiding to tell people how to deal and build a proper basement (and oh god how many times have i dealt with horribly designed databases, i have nightmares sometimes) doesn't prepare web developers for any real-world tasks any more then negating to explain to soldiers how to reload their weapons prepares them for the battlefield... Alex -- The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray On Fri, May 20, 2011 at 2:12 PM, tedd tedd.sperl...@gmail.com wrote: At 11:11 AM -0400 5/20/11, Alex Nikitin wrote: Also to tedd, i would say that you should make it a series of tutorials of how to make simple user auth progressively more and more secure, i would say that would be a good learning experience for someone. 
Start with your basic code, introduce new concepts that will teach novice a little bit more about how the internet works, how sessions work, how it can all be exploited conceptually, and introduce ways to fix those issues with progressively more hardened code...? I think that that would be a great way of learning for a novice, i would say maybe 3 more tutorials, each progressively more secure; suggesting next one to introduce hashing, cleaning the code, and some of the initial concepts outlined above, then a system setup for https, going over tls renegotiation, setting up rewriting rules, etc, and changing the code with securing the session code and introducing login limits, and finally perhaps how to take make all of this system a bit more web 2.0 with jquery, ajax, and perhaps use that as the introduction of the next set of tuts of how to do this same thing with a database back end with references back to this auth system? I would have certainly liked to read a tutorial like that when i was starting out... And, i'm up to help, i'm sure others as well would not mind chiming in their $.02 :) Well... that's where I intend to go, namely, start with the basics and continue with progressive disclosure. However, there is lot to address here. As I often explain to my students, a web site is like a house: 1. There's the foundation, flooring, walls, and roof, which is the structure -- that's HTML; 2. There's the outside covering (paint, bricks, siding) and the inside covering (paint, carpet, wallpaper), which makes the presentation -- that's CSS; 3. There's the inside works, such as the plumbing, furnace, air conditioning, and electrical, which provides functionality -- that's PHP; 4. And there's the light-switches that turn on/off, doors and windows that open/close, rheostats that go up/down, faucets that turn on/off, and door bells that remain silent or ring, which allows behavior -- that's JavaScript. 
You put all of these items together and the entire house can do more than any one of them can do by themselves, namely make a home. Additionally, how you arrange and combine these things together and have them interact with each other is a topic of study that far exceeds the knowledge of any one of them. Furthermore, if you include these things with how people react with web sites (what makes people do things) then you'll have an excellent introduction into problems in creating a good web site -- and that's my ultimate goal. However, my first step is to put various things up for peer review and listen/adapt to the feedback. That's what I'm doing. Cheers, tedd -- --- http://sperling.com/
Re: [PHP] A Review Request
@David Fair enough, then i have seen so many badly designed sewage systems, that the backed up sewage monsters come to me in my dreams... :) wait no the other one :( @Paul And my girlfriend, apparently -- The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray On Fri, May 20, 2011 at 4:00 PM, Paul M Foster pa...@quillandmouse.comwrote: On Fri, May 20, 2011 at 02:32:42PM -0400, tedd wrote: [snip] And I agree with the majority that your bracing style is horrid. But I long ago despaired of turning you from the Dark Side(tm). ;-} I understand, but like my wife often says Bite me :-) OMG! She must be related to *my* wife! ;-} Paul -- Paul M. Foster http://noferblatz.com http://quillandmouse.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] A Review Request
I will try to respond to the original question. Note: this is constructive criticism, so i wont do much in terms of praising the good parts It works, its very primitive, in some ways its pretty insecure, for example it provides no session hijacking protection, it's not written with the better of standards in mind, for one if you do store your password in code, you shouldn't store your password in clear text, that way if say i was able to bypass php execution and dumped that file out, i would still not have a useable password, so use a hash. There is no timing out or attempt management, for example i can write a 5 line-long brute script that will just pound your script with user ids and passwords, you should make it at least somewhat difficult for me to do that ;) Also don't declare a bunch of needless variables for their one-time use, don't compare unsanitized strings with a binary unsafe operator, server variables contain link to current script, here are examples of what i mean: -$self = basename($_SERVER['SCRIPT_NAME']); +$self = $_SERVER['PHP_SELF']; -$submit = isset($_POST['submit']) ? $_POST['submit'] : null; -if($submit == 'Submit') +if($_POST) -$pw = 'pw'; // define your password here -$user_id = isset($_POST['user_id']) ? $_POST['user_id'] : null; -$password = isset($_POST['password']) ? $_POST['password'] : null; -if (($user_id == $id) AND ($password== $pw)) +$pw='1a91d62f7ca67399625a4368a6ab5d4a3baa6073'; //sha1 hash of the password: php -r echo sha1(\pw\); +if (@strcmp($id, $_POST['user_id']) == 0 strcmp($pw, sha1($_POST['password'])) == 0) -- Alex -- -- The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray On Wed, May 18, 2011 at 3:22 PM, tedd t...@sperling.com wrote: Hi gang: I am considering providing PHP code to the general public via my website This is my first attempt: http://sperling.com/php/authorization/ What do you people think? 
Cheers, tedd -- --- http://sperling.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
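Review bot: in the last `+if (@strcmp($id, $_POST['user_id']) == 0 ...` line, the `@` hides the case the check most needs to handle: a request whose user_id field is an array (user_id[]=x) gives strcmp() a non-string, which on PHP 5 and 7 returns NULL with a warning (PHP 8 throws a TypeError), and NULL == 0 is true, so the suppressed comparison reports a match. Check is_string() on both POST fields before comparing and test with `=== 0` (or `===` on the strings directly); sha1($_POST['password']) has the same non-string problem. Separately, an unsalted sha1 digest in the source is a fast hash that can be brute-forced offline once the file leaks, which is exactly the scenario this hunk is meant to cover; a salted, slow password hash (password_hash()/password_verify() on PHP 5.5+, crypt() with Blowfish on older releases) is what keeps the second layer worth having.

The two review points above (store a hash, not the password, and make brute forcing harder), as an added example that is not tedd's script or Alex's patch. It is a stand-alone CLI script; the credential record, the client addresses and the in-memory attempt store are constructed for the demonstration, and every name in it (check_login, record_failure, $ATTEMPT_STORE and so on) is this example's own.

```php
<?php
// Added example: hashed credential plus a per-client attempt limit.
// Runs stand-alone; nothing here is from the thread's code.
declare(strict_types=1);

// The stored record. In a real script the hash is generated once, e.g.
//   php -r 'echo password_hash("pw", PASSWORD_DEFAULT), PHP_EOL;'
// and pasted in; it is generated inline here only so the example runs.
$CREDENTIALS = [
    'user_id' => 'tedd',                                    // constructed sample
    'hash'    => password_hash('pw', PASSWORD_DEFAULT),     // constructed sample
];

const MAX_ATTEMPTS    = 5;    // failures allowed per client ...
const LOCKOUT_SECONDS = 900;  // ... within this window

// Constructed in-memory store: client => ['count' => n, 'first' => unix time].
// A real deployment would keep this in a database or cache shared by all workers.
$ATTEMPT_STORE = [];

function attempts_remaining(array &$store, string $client, int $now): int
{
    if (!isset($store[$client]) || $now - $store[$client]['first'] > LOCKOUT_SECONDS) {
        return MAX_ATTEMPTS;   // no record, or the window has expired
    }
    return max(0, MAX_ATTEMPTS - $store[$client]['count']);
}

function record_failure(array &$store, string $client, int $now): void
{
    if (!isset($store[$client]) || $now - $store[$client]['first'] > LOCKOUT_SECONDS) {
        $store[$client] = ['count' => 0, 'first' => $now];
    }
    $store[$client]['count']++;
}

/**
 * True only for a valid login from a client that is not locked out.
 * $post stands in for $_POST and $client for the client's address.
 */
function check_login(array $post, string $client, array $creds, array &$store, int $now): bool
{
    if (attempts_remaining($store, $client, $now) === 0) {
        return false;   // locked out: the credentials are not even examined
    }
    // Non-string input (user_id[]=x) is treated as an empty string, not an error.
    $userId   = is_string($post['user_id']  ?? null) ? $post['user_id']  : '';
    $password = is_string($post['password'] ?? null) ? $post['password'] : '';

    // hash_equals() and password_verify() both compare in constant time.
    // Both checks run regardless of the first result so that timing does not
    // reveal whether the user id alone was right.
    $idOk = hash_equals($creds['user_id'], $userId);
    $pwOk = password_verify($password, $creds['hash']);
    if ($idOk && $pwOk) {
        unset($store[$client]);   // success clears the counter
        return true;
    }
    record_failure($store, $client, $now);
    return false;
}

// Demo run with constructed attempts (TEST-NET addresses).
$now    = time();
$client = '203.0.113.7';
for ($i = 0; $i < MAX_ATTEMPTS; $i++) {
    check_login(['user_id' => 'tedd', 'password' => 'guess' . $i], $client, $CREDENTIALS, $ATTEMPT_STORE, $now);
}
echo 'locked-out client, right password: ';
var_dump(check_login(['user_id' => 'tedd', 'password' => 'pw'], $client, $CREDENTIALS, $ATTEMPT_STORE, $now));
echo 'other client, right password: ';
var_dump(check_login(['user_id' => 'tedd', 'password' => 'pw'], '198.51.100.9', $CREDENTIALS, $ATTEMPT_STORE, $now));
echo 'other client, array user_id: ';
var_dump(check_login(['user_id' => ['x'], 'password' => 'pw'], '198.51.100.9', $CREDENTIALS, $ATTEMPT_STORE, $now));
```

Keying the counter on the client address is the simplest form of what tedd describes later in the thread; clients behind one NAT share a counter, so a per-account counter alongside it, with a reset on password change, is the usual refinement.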
Re: [PHP] Filtering data not with mysql...
For input sanitizing, and this will be helpful to anyone who writes code, listen to dan kaminsky's keynote at The Next Hope. He did a very good job at explaining the landscape of web programming and the essence of SQL injection and XSS, as well as proposed pretty neat ways to fix these. If you are writing the app from scratch, to prevent SQL injection, use Mysqli + prepared statements... or implement the base64 hack, or i am working on a library to simplify and secure mysql in php for some of my work, though it's got a few implementation quirks it does fail by default, it does not allow you to insecurely interpolate, and it does use prepared statements for everything, i am sharing it with anyone who wants to look at it... Anyways, here's a direct link: http://c2047862.cdn.cloudfiles.rackspacecloud.com/Friday%20Keynote%20-%20Dan%20Kaminsky.mp3 Enjoy, Alex -- The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray On Wed, May 18, 2011 at 9:18 PM, Jason Pruim li...@pruimphotography.comwrote: Hey Everyone, Probably a simple question but I wanted to make sure I was right before I got to far ahead of my self I have a form that I am working on and this form will be emailed to the recipient for processing (Not stored in a database). When I store in a database, I simply run all the data through mysql_real_escape_string() and it's all good... Without the database, is it just as easy as addslashes($var)? or is there more that needs to be done? In the end, the info will be echoed back out to the user to be viewed but not edited and emailed to someone to add the registration collect money, etc etc. Am I on the right track or do I need to rethink my whole process? :) Thanks Everyone! -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
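Jason's case has no database, so the question is really which output context each value lands in: the HTML page that echoes the form back, and the e-mail. addslashes() fits neither. An added example, not code from the thread, showing one escaping routine per context; the $post array is a constructed submission and the addresses are reserved example domains.

```php
<?php
// Added example: escape at output, per context (HTML page, mail headers).
declare(strict_types=1);

// Constructed form submission standing in for $_POST. The 'email' value
// carries a line break, which a mail header must never contain.
$post = [
    'name'  => "O'Brien <b>not bold</b>",
    'email' => "someone@example.com\r\nBcc: list@example.com",
    'notes' => "Line one\nLine two",
];

/** Escape for HTML text or a double-quoted attribute. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** The confirmation page the user sees: values escaped here, at output. */
function confirmation_html(array $post): string
{
    $rows = '';
    foreach ($post as $field => $value) {
        $rows .= '<tr><th>' . e((string)$field) . '</th><td>'
               . nl2br(e((string)$value)) . '</td></tr>' . PHP_EOL;
    }
    return "<table>\n" . $rows . '</table>';
}

/**
 * A value used in a mail header (Reply-To, Subject, ...) must contain no CR or
 * LF, otherwise the sender can append headers of their own. Reject rather than
 * strip, so the bad value never reaches the header at all.
 */
function header_value_or_null(string $value): ?string
{
    return preg_match('/[\r\n]/', $value) === 1 ? null : $value;
}

function build_mail(array $post): array
{
    $replyTo = header_value_or_null((string)$post['email']);
    if ($replyTo !== null && filter_var($replyTo, FILTER_VALIDATE_EMAIL) === false) {
        $replyTo = null;
    }
    // Fixed From: address; the user's address is only ever a Reply-To.
    $headers = ['From: registrations@example.com'];
    if ($replyTo !== null) {
        $headers[] = 'Reply-To: ' . $replyTo;
    }
    // The body is plain text, so no HTML escaping; just normalise line endings.
    $body = '';
    foreach ($post as $field => $value) {
        $body .= $field . ': ' . str_replace(["\r\n", "\r"], "\n", (string)$value) . "\n";
    }
    return ['headers' => implode("\r\n", $headers), 'body' => $body];
}

echo confirmation_html($post), PHP_EOL;
$mail = build_mail($post);
echo $mail['headers'], PHP_EOL, '---', PHP_EOL, $mail['body'];
// mail('registrar@example.com', 'New registration', $mail['body'], $mail['headers']);
```

The submitted address is dropped from the headers but still appears in the body, so the registrar loses nothing; what they see in the body is data, what goes in a header would have been structure.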
Re: [PHP] A Review Request
PHP_SELF requires no processing (i.e. there is no need to do basename())

strcmp is binary-safe, i prefer and recommend using string-safe comparison functions for strings... here is an example of why:

$value = 0;
if($value == "not zero") {
    echo "oopsie, how did this happen, lets see how this works with strcmp (or === which i would advise)";
    if(strcmp($value, "not zero") == 0) {
        echo "You wont see this";
    } else {
        echo "Because strcmp works correctly";
    }
}

you can also use the exact comparator ===, as it compares types, it would work well as well. In fact if you don't need to determine anything about the string, i would suggest using the === operator as it is significantly faster:

timed: 0m0.724s
<?php
for($i=0; $i<=1000; $i++){
    if(1 === "submit") { continue; }
}

timed: 0m4.785s
<?php
for($i=0; $i<=1000; $i++){
    if(strcmp(1, "submit")==0) { continue; }
}

-- The trouble with programmers is that you can never tell what a programmer is doing until it's too late. ~Seymour Cray

On Thu, May 19, 2011 at 2:44 PM, Andre Polykanine an...@oire.org wrote: Hello Alex, Two (stupid?) questions: 1. Why PHP_SELF is better than SCRIPT_NAME? 2. Why strcmp() is better than just comparing? -- With best regards from Ukraine, Andre Skype: Francophile My blog: http://oire.org/menelion (mostly in Russian) Twitter: http://twitter.com/m_elensule Facebook: http://facebook.com/menelion Original message From: Alex Nikitin niks...@gmail.com To: PHP General Date created: , 9:29:35 PM Subject: [PHP] A Review Request I will try to respond to the original question. 
Note: this is constructive criticism, so i wont do much in terms of praising the good parts It works, its very primitive, in some ways its pretty insecure, for example it provides no session hijacking protection, it's not written with the better of standards in mind, for one if you do store your password in code, you shouldn't store your password in clear text, that way if say i was able to bypass php execution and dumped that file out, i would still not have a useable password, so use a hash. There is no timing out or attempt management, for example i can write a 5 line-long brute script that will just pound your script with user ids and passwords, you should make it at least somewhat difficult for me to do that ;) Also don't declare a bunch of needless variables for their one-time use, don't compare unsanitized strings with a binary unsafe operator, server variables contain link to current script, here are examples of what i mean: -$self = basename($_SERVER['SCRIPT_NAME']); +$self = $_SERVER['PHP_SELF']; -$submit = isset($_POST['submit']) ? $_POST['submit'] : null; -if($submit == 'Submit') +if($_POST) -$pw = 'pw'; // define your password here -$user_id = isset($_POST['user_id']) ? $_POST['user_id'] : null; -$password = isset($_POST['password']) ? $_POST['password'] : null; -if (($user_id == $id) AND ($password== $pw)) +$pw='1a91d62f7ca67399625a4368a6ab5d4a3baa6073'; //sha1 hash of the password: php -r echo sha1(\pw\); +if (@strcmp($id, $_POST['user_id']) == 0 strcmp($pw, sha1($_POST['password'])) == 0) -- Alex -- -- The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray On Wed, May 18, 2011 at 3:22 PM, tedd t...@sperling.com wrote: Hi gang: I am considering providing PHP code to the general public via my website This is my first attempt: http://sperling.com/php/authorization/ What do you people think? 
Cheers, tedd -- --- http://sperling.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
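The behaviour Alex is pointing at is PHP's loose comparison converting operands before comparing them, and it goes further than 0 == "not zero". An added example, not code from the thread, running the three comparison styles over a few constructed string pairs so the differences are visible in one table; the first row is the one whose == result changed between PHP 7 and PHP 8, the rest behave the same on both.

```php
<?php
// Added example: ==, === and strcmp() side by side on constructed input.
declare(strict_types=0);

function compare_loose($a, $b): bool  { return $a == $b;  }
function compare_strict($a, $b): bool { return $a === $b; }

/** strcmp() only makes sense on two strings; anything else is "not equal". */
function compare_strcmp($a, $b): bool
{
    return is_string($a) && is_string($b) && strcmp($a, $b) === 0;
}

/** The right tool when the strings are secrets (hash digests, tokens). */
function digests_match(string $expected, string $actual): bool
{
    return hash_equals($expected, $actual);   // strict and constant-time
}

$cases = [
    // label                          left       right
    ['int 0 vs a word',               0,         'not zero'],  // == true on PHP 7, false on PHP 8
    ['two numeric strings',           '1e3',     '1000'],      // == true: both read as numbers
    ['two "0e..." digest strings',    '0e123',   '0e456'],     // == true: 0*10^123 == 0*10^456
    ['identical bytes',               'Submit',  'Submit'],
    ['array from user_id[]=x',        ['x'],     'x'],         // strcmp() would get an array
];

printf("%-30s %-6s %-6s %-6s\n", 'case', '==', '===', 'strcmp');
foreach ($cases as [$label, $l, $r]) {
    printf("%-30s %-6s %-6s %-6s\n", $label,
        var_export(compare_loose($l, $r), true),
        var_export(compare_strict($l, $r), true),
        var_export(compare_strcmp($l, $r), true));
}

// Comparing a stored digest with a freshly computed one: hash_equals() keeps
// the "0e..." row above from ever matching, and does not leak where the
// strings first differ through timing.
$stored = sha1('pw');
printf("\ndigest check, right password: %s\n", var_export(digests_match($stored, sha1('pw')), true));
printf("digest check, wrong password: %s\n", var_export(digests_match($stored, sha1('xx')), true));
```

The third row is the one that matters for a login script that compares hex digests with ==: any two digests that happen to start with "0e" followed only by digits compare equal under loose comparison, so a digest comparison is one place where === (or hash_equals()) is not a style preference.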
Re: [PHP] A Review Request
=== or preg_match for me, lol, unless its all just math :) -- The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray On Thu, May 19, 2011 at 3:26 PM, Joshua Kehn josh.k...@gmail.com wrote: On May 19, 2011, at 3:16 PM, Alex Nikitin wrote: PHP_SELF requires no processing (i.e. there is no need to do basename()) strcmp is binary-safe, i prefer and recommend using string-safe comparison functions for strings... here is an example of why: $value = 0; if($value==not zero) { echo oopsie, how did this happen, lets see how this works with strcmp (or === which i would advise); if(strcmp($value, not zero) == 0) { echo You wont see this; } else { echo Because strcmp works correctly; } } you can also use the exact comparator ===, as it compares types, it would work well as well. Infact if you dont need to determing anything about the string, i would suggest using the === operator as it is significantly faster: timed: 0m0.724s ?php for($i=0; $i=1000; $i++){ if(1 === submit) { continue; } } timed: 0m4.785s ?php for($i=0; $i=1000; $i++){ if(strcmp(1, submit)==0) { continue; } } -- The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray I almost exclusively use ===. Regards, -Josh Joshua Kehn | josh.k...@gmail.com http://joshuakehn.com
Re: [PHP] A Review Request
Hey Adam :) I devoted entire 3 minutes to glimpsing over the code and showing simple ways to fix them, you make excellent points, i simply didnt even look into them. You are absolutely correct in saying that sha1 a weak way to do this (though it is wy better then md5), ofcourse the propper way to go about this is a sha256 hash with a solid salt, however if the salt is stored in clear text in code, and it would have to be in this case, granted someone gets the said code, the having used the salt adds no security to the hash. The whole idea behind is to add a little bit more at each level, so for example on your typical php/database setup, salt may be stored in code while the hash is stored in mysql, having the hash from the database and not having the salt makes it nearly impossible to reverse the hash, but if you could get both the salt and hash out of the database or in our case the code, it is no more secure then a hash by itself. Hmm that is an interesting bit about php_self, while my implementations (while still using php_self) are not exploitable in this fashion, its still an interesting concept, no this has not been locked down, as far as i can see from a couple of tests just did (briefly). Hmm, i have to reconsider how i approach PHP_SELF now, i will have to wrap it in htmlentities or something, i'll ponder that for now... 
In the meanwhile, i think it would be interesting to bounce some of this code to have someone else look at it, especially security-wise, it's been a bit of a project of mine when i get a few mins, i had to do something about it for our Amazon boxes that use rds, as you cant just use b64d, because you cant add any mysql modules, so i came up with this idea, but i'm not 100% satisfied with it atm: http://pastebin.com/tK5tBuiU

Yeah https was going to be my next suggestion, actually why i got back into email before heading home and possibly forgetting, however you have to make sure you set up the server to be decently secure with it too, disable weak crypto there, fix tls renegotiation, etc.

To be honest, at least with session fixation, i didnt look at the secured page code at all, but yes, a very good suggestion, i usually make a point of making it when someone asks me to glimpse at their code that uses sessions too, bah, it's been a long day at work, lol. Also i figured that Tedd would hopefully start by addressing the first set of things i threw at him, and then we can progress into more and more secure solution :)

Tedd, yes you do have to worry about xss, yes with unescaped PHP_SELF you can inject code into the form here:

<form name="my_form" action="<?php echo($self);?>" method="post">

Also a bit of a pep talk. You can make your code a lot more secure with a little bit more work. It would be wrong to stop and not worry about security, simply because code splits into two categories, secure and owned, there is no grey area, if someone can bypass your security, then no matter how simple your code was, it did nothing to stop the attacker, and thus did not fulfil its primary duty, in today's web world some security is not any better then no security, protecting against regular users is pointless as they are not the ones who will try to break your system ;)

Just my $.02

-- Alex

The trouble with programmers is that you can never tell what a programmer is doing until it's too late. 
~Seymour Cray On Thu, May 19, 2011 at 8:18 PM, tedd tedd.sperl...@gmail.com wrote: At 2:29 PM -0400 5/19/11, Alex Nikitin wrote: I will try to respond to the original question. Note: this is constructive criticism, so i wont do much in terms of praising the good parts It works, its very primitive, in some ways its pretty insecure, for example it provides no session hijacking protection, it's not written with the better of standards in mind, for one if you do store your password in code, you shouldn't store your password in clear text, that way if say i was able to bypass php execution and dumped that file out, i would still not have a useable password, so use a hash. There is no timing out or attempt management, for example i can write a 5 line-long brute script that will just pound your script with user ids and passwords, you should make it at least somewhat difficult for me to do that ;) I agree if I was creating a more secure script. I have scripts where the user enters a user id and password and the password is immediately hashed and stored in a database. The next time in, the user's input password is hashed again and compared with the stored encrypted password. That way the raw password is never stored anywhere. I even have people who ask me Look at your records and tell me what's my password? and I say that I can't answer them because the data has been one-way hashed. Instead, I have them use the forgot password routines. I also have a script that monitors how many times a user (via their IP) tries to log on and restricts those attempts to a certain number
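The form-action problem Alex and Adam discuss, with the fix Alex is leaning toward, as an added example that is not tedd's script. $_SERVER['PHP_SELF'] and $_SERVER['SCRIPT_NAME'] are filled in with constructed values so the script runs on the command line; the marker text in the PHP_SELF value is deliberately harmless. The session part at the end is the other point raised above (fixation) and is meant to be called from a login handler, not from the CLI.

```php
<?php
// Added example: why echoing PHP_SELF unescaped is an injection point, and
// two ways to close it; plus session id regeneration on login.
declare(strict_types=1);

// PHP_SELF is the path the client asked for, including anything after the
// script name (PATH_INFO), so part of it is client-controlled. Constructed:
$_SERVER['PHP_SELF']    = '/auth/index.php/"><em>injected</em>';
$_SERVER['SCRIPT_NAME'] = '/auth/index.php';

function form_unescaped(string $self): string
{
    // The original pattern: the value closes the attribute and the tag.
    return '<form name="my_form" action="' . $self . '" method="post">';
}

function form_escaped(string $self): string
{
    // ENT_QUOTES turns ", ', < and > into entities, so whatever PHP_SELF
    // carries can only ever be an attribute value.
    return '<form name="my_form" action="'
         . htmlspecialchars($self, ENT_QUOTES, 'UTF-8') . '" method="post">';
}

function form_script_name(): string
{
    // SCRIPT_NAME has no PATH_INFO component, so the client cannot append to
    // it; it is still escaped, since escaping at output costs nothing.
    return '<form name="my_form" action="'
         . htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8') . '" method="post">';
}

echo "unescaped PHP_SELF:  ", form_unescaped($_SERVER['PHP_SELF']), PHP_EOL;
echo "escaped PHP_SELF:    ", form_escaped($_SERVER['PHP_SELF']), PHP_EOL;
echo "escaped SCRIPT_NAME: ", form_script_name(), PHP_EOL;

/**
 * Session fixation: call once on successful login. A session id that was
 * planted in the browser before login is discarded, and the cookie flags
 * keep the new id off plain HTTP and away from script access.
 * (Not invoked here: there is no session on the CLI.)
 */
function on_successful_login(string $userId): void
{
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');     // only meaningful once the site is on https
    ini_set('session.use_only_cookies', '1');  // no id in the URL
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);               // new id, old one deleted server-side
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}
```

The first echoed line shows the attribute being closed early by the PATH_INFO part of the request path; the second and third show the same input rendered inert. Of the two fixes, using SCRIPT_NAME removes the client-controlled component altogether, which is the simpler thing to reason about.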
Re: [PHP] A Review Request
My general rule of thumb regarding variables from post and/or get, is such: if you use it once, dont throw it into a variable, if you use it more than once, then put it in a variable. If you name things consistently and well, regardless of how long from now you are reading the code, $_POST['password'] will be just that, and it's not any less obscure then $pass, especially if used just once, and cleaner... Regardless of the cost of performance decreasing, performance is an overall thing, if you dont care for performance in any one place, you don't really care for performance, and in the instant world that we live in, performance should be as serious of a consideration as security, that is actually why Facebook wrote their PHP interpreter, they understand that users want FAST. And performance means you should consider things, even overly extensive commenting, even if something is better done one way, doesnt mean it is the best way to do it. For example i LOVE recursive functions, but i never write them in scripting languages, because they run a lot slower then a for loop, however more elegant any such function would be, it just doesn't perform... And i understand it's a simple example, those two variables don't really matter, and wont use much more space, but constantly thinking consistency, security, performance, will help you achieve better code in the end, even if puristically-speaking it's worse. Another reason is overall clarity and clenliness of the code, counting lines is a bad practice, but avoiding unnecessary lines helps, and it adds up, sometimes using inline logic and avoiding declaring unnecessary variables goes a long way to make your code much more concise and readable actually, especially if you have a lot of it. That said, i always initialize my arrays, because it avoids notices... 
but here is a brief example:

(!DEBUG) || error_log("Fetch Data: ".memory_get_usage()/1048576);

reads and writes a lot better and faster then:

if(DEBUG) {
    $memory = memory_get_usage()/1048576;
    error_log("Fetch Data: ".$memory);
}

if($_POST) is just that, that will check if someone/thing used POST to POST data to your script. You don't post anything else, and you check for existence of other variables, you are not any better with checking for submit. And your browser will most certainly never send a post request just for the kick of it, so... not sure what your objection to a cleaner if statement is exactly..? (It's as easy to pass a submit as it is to pass a username and a password, you dont gain any security by checking for submit)

You want the path of the script as well, if i put it in my test folder under doc root, your action will never execute because it will be a level off.

$self=htmlentities($_SERVER['PHP_SELF']);

Servers occasionally mess up, and it can not even be their fault, php messes up, stuff happens. If you use security in layers, then code with a hashed password will not reveal your password, where as if i am able to dump your source, i have the keys to your kingdom otherwise. And you comment and document ways to get the hash, or provide a utility to generate that hash, through say an install script or something that will fill in the password. That code and the fact that apache should execute it, is currently your only layer of security, so make it two...

Your scenario: server messes up or i change htaccess to dump your code, i look at code, i own keys to your kingdom, and you dont know about it.

My scenario: server messes up, i look at code, i'm still SOL... no keys, so your protected area is still protected.

-- The trouble with programmers is that you can never tell what a programmer is doing until it's too late. 
~Seymour Cray On Thu, May 19, 2011 at 8:57 PM, tedd tedd.sperl...@gmail.com wrote: At 2:29 PM -0400 5/19/11, Alex Nikitin wrote: Also don't declare a bunch of needless variables for their one-time use, don't compare unsanitized strings with a binary unsafe operator, server variables contain link to current script, here are examples of what i mean: I object. First of all 'needless' is in the eye of the beholder. I've seen ton's of 'needless' comments about how programmers waste precious space by declaring needless variables because they can do things more cryptic. I've also heard in the past how programmers should be cryptic and even shorten their variable names, not use indenting, and do all sorts of other nonsense to save space and make their code run quicker. However, they forget a couple of important considerations. 1. Code running tomorrow will run-faster and cost-less to store than today. That's a fact and while we can argue, the argument becomes less important as time passes. If I don't win this argument today, I will win it tomorrow. 2. I also claim that if I can make my code more readable and easier to maintain by adding a 'needless variable now and then, then it's well worth the cost. And as I said before, that cost is reducing
RE: [PHP] Security Question
Best way to learn about security of something is to learn how to break it... On Apr 8, 2011 3:55 PM, Jay Blanchard jblanch...@pocket.com wrote: [snip] whats the best way to learn about security in php? [/snip] Study, study, study! Chris Shiflett is a recognized expert on PHP security - http://shiflett.org/ He has a great book on PHP Security - http://www.amazon.com/exec/obidos/ASIN/059600656X/ref=nosim/chrisshiflet t-20 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] newbie - function is undefined
JavaScript is a browser-side language, browsers have cache, cache sticks around, meaning that you can tell the browser to cache the JS file and not download it from the server (every time) if its being included on the browser end (which js is). All means faster page load times post initial load, and less bandwidth. If you include the JS file with php, every time you request the page the javascript will be pulled from your hard drive by php and sent back as a part of the server response (your end web page). ~ Alex On Fri, Apr 1, 2011 at 5:32 PM, Jim Giner jim.gi...@albanyhandball.comwrote: function. Try something like: ... echo 'heaading contains: scriptgetText(h2)/script'; ... I tried it - no better. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] String eval assistance
I'm not sure as to why strpos does what it does here, at least its not immediately obvious, but, a solution to this would be to use a regular expression search, it would be more exact, it has never failed me, and it will be faster; I recall reading that preg functions were faster at then str ones, though I can't recall where... -- Sent from my Android phone with K-9 Mail. Please excuse my brevity. Richard Quadling rquadl...@gmail.com wrote: On 16 March 2011 00:25, Jack jacklistm...@gmail.com wrote: Here you're trying to access it as an array, which it's not, so the 'response' key doesn't exist. In addition, you're looking for UPPER-CASE, whereas that's not the case in your example variable. Finally, you're checking to make sure that the string IS INDEED found, but then printing that it was declined (!== false). Instead, you may want: ?php $results['response'] = '3434approd34'; if (stripos($results['response'],'APPROVED') !== false) { // It's been found } else { // Oh, crap. } ? maybe I should do this some other way because I'm getting false positives. I was using if(strpos($results['response'], 'APPROVED') !== false) { And its found if the value of $results = 3434APPROVED34 and it also is found if its $results = 3434APPOVED34, so this may not be the best way to accomplish this.-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php Can you create a small list of actual values and their results. What version of PHP are you using? -- Richard Quadling Twitter : EE : Zend @RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] imap_search ?
Imap remains open after you search and doesn't close until you call imap_close. Firstly the code shouldn't be written like that, while should not operate on a fail condition of a function exec, that's just bad coding practice and that's what causes a loop here. If there are no messages in the email box, imap search will return false, and you will have a loop until it gets a message...

Here is what your script does:

First run: Get all messages, gets array of messages, fails while condition, fetch, print, delete all, exit.

Next time: Get messages, gets false (no messages), hits while loop where by it will continue to send imap requests until a message hits the mail box (your almost infinite loop).

-- Sent from my Android phone with K-9 Mail. Please excuse my brevity.

Tontonq Tontonq root...@gmail.com wrote: hi ! it works if there is / are emails in the box before script run (i use cli not web based) but after it works 1 time it doesnt work again it enters to infinite loop , at that line

while(!$emails) {
    $emails = imap_search($inbox,'ALL');
    echo "email yok\n";
    print_r($emails);
}

imap_search($inbox,'ALL'); it doesn't try to research emails in $inbox, doesn't it stay as connected or it's just for 1 time use :S ? should i reuse imap_open everytime when i need to use imap_search ?

$inbox = imap_open($hostname,$usernamex,$password) or die('Cannot connect to domain:' . imap_last_error());

function onayla() {
    global $inbox;
    $emails = imap_search($inbox,'ALL');
    while(!$emails) {
        $emails = imap_search($inbox,'ALL');
        echo "email yok\n";
        print_r($emails);
    }
    echo "\nyeaah";
    print_r($emails);
    if($emails) {
        rsort($emails);
        echo "Number of email:".imap_num_msg($inbox);
        foreach($emails as $email_number) {
            $overview = imap_fetch_overview($inbox,$email_number,0);
            if(stristr($overview[0]->subject,"Test")) {
                $message = imap_fetchbody($inbox,$email_number,1);
                echo "$message\n\r";
                //$link=arasi('activate:','-- The',$message);
                //echo "\n\r".$link;
                #fwrite(fopen("deneme.txt","w"),file_get_contents($link));
                //imap_delete($inbox,'1:*');
                //imap_expunge($inbox);
            }
        }
    }
    imap_delete($inbox,'1:*');
    imap_expunge($inbox);
}
Re: [PHP] Double method access (Hi everyone! :))
On 03/04/2011 09:25 PM, Paola Alvarez wrote:
Hi there! I have been reading this list before but this is my first post. Reading some code from Symfony I got this:

$this->getTable()->getColumns()

...when can you use this double method access? I used the regular $this->getTable() before, but two? I mean I have been trying but I got an error:

Fatal error: Call to a member function ... on a non-object in ...

I think the problem is $this->getTable() returns a non-object. There is nothing wrong with using multiple -> as long as the return value from the previous call is an object. Alex

-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] something about dates in mysql
Just a correction: dates in MySQL are not strings by any means; they are stored in 3 bytes (8 bytes for datetime) and that's nowhere near enough for a string. However, the representation of the date is a formatted string, so for all intents and purposes any comparison to a date field should be using quotes, as mentioned already.

-- Sent from my Android phone with K-9 Mail. Please excuse my brevity.

Nathan Rixham nrix...@gmail.com wrote:
Richard Quadling wrote:
On 3 March 2011 10:09, Webforlaget.dk i...@web-forlaget.dk wrote:
I need help to know why this doesn't work?

$thisdate = date("Y-m-d", mktime(0,0,0,$mth, $day, $year));
$sql = "SELECT id,case,startdate,enddate FROM table WHERE startdate<=$thisdate AND enddate>=$thisdate ORDER BY startdate";

The result should be an array with open cases at $thisdate, but nothing appears. Is it something about dates in MySQL? Thanks for any advice. Best regards, Kind regards, Rolf Brejner

I think that dates in SQL statements need to be in quotes as they are strings and not integers. So, try ...

$sql = "SELECT id,case,startdate,enddate FROM table WHERE startdate<='$thisdate' AND enddate>='$thisdate' ORDER BY startdate";

I'm surprised you don't get an error. Ah. As it stands, the SQL is something like ...

WHERE startdate = 2010 - 3 - 3

So, probably the actual test that is being executed is

WHERE startdate = 2004

which, for a date stamp, will never return anything sensible.

yes, and remember the DATE and FROM_UNIXTIME mysql functions too.
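The quoting fix above makes the comparison work, but the same bare interpolation is also how SQL injection gets in. As an added example that is not from the thread, here is the date comparison done with a bound parameter, which quotes correctly and keeps the value out of the SQL text at the same time; the table `cases` and its columns are hypothetical names.

```php
<?php
// Added example (not the thread's code): querying open cases for a date.
// Assumes a PDO connection to MySQL and a hypothetical table `cases` with
// columns id, name, startdate (DATE) and enddate (DATE).

/** Validate the calendar date before it gets anywhere near SQL. */
function buildDate(int $year, int $month, int $day): string
{
    if (!checkdate($month, $day, $year)) {
        throw new InvalidArgumentException("invalid date $year-$month-$day");
    }
    return sprintf('%04d-%02d-%02d', $year, $month, $day);
}

/**
 * What the original code sent: the date interpolated bare, so MySQL parses
 * 2010-3-3 as integer arithmetic (2004) and compares a DATE column to that.
 * Kept only to make the failure visible side by side; do not use.
 */
function brokenQueryText(string $thisdate): string
{
    return "SELECT id, name, startdate, enddate FROM cases "
         . "WHERE startdate <= $thisdate AND enddate >= $thisdate ORDER BY startdate";
}

/**
 * Bound parameters: the driver sends the value separately from the SQL text,
 * so it is quoted correctly and cannot alter the statement even if it did not
 * come from date(). Two placeholders are used because the same named
 * placeholder may not be bound twice with native prepares.
 */
function openCasesOn(PDO $db, string $thisdate): array
{
    $stmt = $db->prepare(
        'SELECT id, name, startdate, enddate FROM cases
         WHERE startdate <= :start AND enddate >= :end
         ORDER BY startdate');
    $stmt->execute([':start' => $thisdate, ':end' => $thisdate]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (connection details are placeholders):
// $db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'password',
//     [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
// $rows = openCasesOn($db, buildDate(2010, 3, 3));
```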
Re: [PHP] executing external php script
The exec function should help you there.

-- Sent from my Android phone with K-9 Mail. Please excuse my brevity.

dziu...@kdl.co.jp wrote:
hi! What I want to do is execute a PHP script and not wait for the output. I found something like this:

<?php
`php /var/www/secend.php > /dev/null 2>&1 &`;
?>
<html>
<body>
text
</body>
</html>

It works, but I'm curious about the PHP syntax: is it the correct way to do that, or maybe there is a better solution? Thanks for any advice. Best regards, Albert
Re: [PHP] Help needed with mysql import
You shouldn't have a default value in an auto increment field. You can set AUTO_INCREMENT to 0 and start with 1, but as auto increment is a unique field and it's automagically incremented, you should not set a default value on it...

-- Sent from my Android phone with K-9 Mail. Please excuse my brevity.

Thijs Lensselink d...@lenss.nl wrote:
On 03/02/2011 07:56 AM, Ashim Kapoor wrote:
Dear all, I am trying to make a website with PHP and I found the following code in a book and I am trying to import it. The following is the beginning of the file I am trying to import with the command

mysql -u root -pmypassword certainty < dump

I get the following error:

ERROR 1067 (42000) at line 9: Invalid default value for 'id'

but when I look at line 9 I see the value '0' for id, which seems ok to me. I also tried removing the quotes, but same error. Can someone guide me? Thank you, Ashim

# MySQL dump 7.1
#
# Host: [host deleted]    Database: certainty
#
# Server version 3.22.32
#
# Table structure for table 'high_scores'
#
CREATE TABLE high_scores (
  id int(11) DEFAULT '0' NOT NULL auto_increment,
  name varchar(30),
  answer_count int(11),
  credit double(16,4),
  PRIMARY KEY (id)
);

It's not really a PHP question. But here goes. Your first field id is an auto_increment field; this means the counter goes up with every insert. Normally this will start at 1, not 0. So either change the 0 to a higher number, or remove the auto_increment part before you import, change the 0 afterwards and alter the table to put back auto_increment.
Re: [PHP] Re: Sorting an array
That, or do it in MySQL before you get the data back; it's also pretty good at sorting, you know ;)

-- Sent from my Android phone with K-9 Mail. Please excuse my brevity.

FeIn aci...@gmail.com wrote:
Also check http://www.php.net/manual/en/function.natsort.php

On Tue, Mar 1, 2011 at 1:39 PM, David Robley robl...@aapt.net.au wrote:
Ron Piggott wrote:
I need help to know how to sort the words / phrases in my array. Variable name: $words_used

print_r( $words_used );

Current output:

Array ( [187] => Sin [249] => Punished [98] => Sanctuary [596] => Sing [362] => Anointing Oil )

Desired result (alphabetical sort):

Array ( [362] => Anointing Oil [249] => Punished [98] => Sanctuary [187] => Sin [596] => Sing )

The #s are the auto_increment value of the word in the MySQL database. The number is not representative of alphabetical order, but of the order it was added to the database. Thank you for your assistance. Ron

Like the man said: asort. May I recommend you to http://php.net, where you will find the answer to most of your queries simply by looking under a generic area, such as array (http://php.net/array) for this particular problem. Surely you have been around here long enough to be able to find things in the documentation, or at least try there first, by now? Cheers -- David Robley Do fish get thirsty? Today is Setting Orange, the 60th day of Chaos in the YOLD 3177.
Re: [PHP] improve speed of PHP answers
- xcache
- memcache
- mysql

Performance went from 12 requests/sec @ 100% CPU utilisation to 1600 requests/sec @ ~2% CPU utilisation; page load times went from 1.2-1.5s to 0.125-0.3s. Interestingly, memory utilisation went from hogging over 800 meg at full load to about 64 meg, pretty constant and invariant of the load. The same content is served, the page looks exactly the same, nobody had to really change any code (there was a change in one of our framework modules that one of the plug-ins calls, but it was small enough (5 lines)), minus the wait... a lot of it :) Hopefully this gives you ideas that work out; if not, well, I tried anyway, ~Alex

This work, as well as my thinking in general, is licensed under a Creative Commons Attribution-Noncommercial 3.0 License.

On Thu, Feb 10, 2011 at 1:49 AM, Ashley Sheridan a...@ashleysheridan.co.uk wrote:
On Wed, 2011-02-09 at 18:57 +0100, Alain Roger wrote:
it's a PHP component for Joomla, so it is written in PHP. It accesses the DB as well as the whole site root structure to back up the database structure and data as well as the web site folders and files. Due to slow freeing of resources (PHP pointers, memory, and so on...) the backup process fails each time... A.

On Wed, Feb 9, 2011 at 6:47 PM, Alexis Antonakis ad...@antonakis.co.uk wrote:
But what is the webpage trying to do? Is it straight HTML? Are you accessing data from a database? What exactly?

On 09/02/11 10:45, Alain Roger wrote:
yes I understand, however even Linux has bugs and issues... I'm currently installing Fedora 14 as a web server and Joomla has big issues on Fedora 14 with permissions and a writable configuration.php file... everybody raises issues about that and till now none of their solutions worked... :-( Basically the web page needs between 1 to 2 s to load, but as it is a testing computer it is not a huge problem... The main problem is that the Joomla component Akeeba Backup fails to back up the web site, while under Windows XP it worked perfectly... A.

On Wed, Feb 9, 2011 at 6:41 PM, Alexis Antonakis ad...@antonakis.co.uk wrote:
The Operating System :) It could be a million and one things... how long does it currently take to load a page and what is that page trying to do? Alexis

On 09/02/11 10:36, Alain Roger wrote:
Hi, I have an Apache/PHP server installed on Windows 7. My computer is a quad-core CPU with 6 GB RAM and I would like to speed up PHP answers to requests. How can I do that? Which parameter should I tune? thx.

Surely there are already plenty of backup modules for Joomla? If you're writing it as a module for that CMS, don't forget that you're inheriting the whole memory footprint of Joomla at the same time. I recently ran into such a problem on a project written on the CodeIgniter framework. Now CodeIgniter isn't that heavy on resources, but even it struggled with the default memory available to it. If you're trying to speed up any PHP script, generally you need to step through it and see what code you can remove entirely, or alter to have less of an impact. For example, PHP code that grabs a set of results from the DB and then filters that down is far slower and uses more memory than if you left the filtering in MySQL. Also, look at freeing up resources when you don't need them. Avoid large global variables (if they are global the garbage collection can't work until the script has ended). Perhaps split the task into several smaller ones that are more manageable at once for the server. Finally, you can increase the memory that can be allocated to a PHP script, but address this last, as the other factors are more important in my opinion. Thanks, Ash http://www.ashleysheridan.co.uk
Re: [PHP] Memcache problems
There could be many reasons for this, and it really depends on your setup. For example, are PHP and memcache on the same server? If they are not, what is the network topology like? It could be a piece of hardware starting to malfunction, it could be an issue with the networking driver; on the other hand it could be neither. But to help you figure out where to look, one should hope to see a little bit more info... ~Alex

On Thu, Feb 3, 2011 at 3:10 PM, Jostein Eriksen php-l...@morits.net wrote:
Hi, I've been having some problems with memcache lately. It seems to me that PHP is dropping the connection to the memcache server midway through the scripts. I've set the failure_callback to log failures, and I'm getting a lot of them, several every minute. I'm quite stuck now and really don't know where to go from here. I've tried to telnet into the server, and there is no problem with either set or get commands. I've started the memcached daemon with -vvv to see if I can dig anything interesting from the logs, but I can find no errors of any kind in them. There are also no errors that I can find in the php_error log. I would appreciate some help, if anyone has any ideas of what is going on. thanks.
Re: [PHP] Memcache problems
Short of some process going crazy, which you should check for (some ps-ing, top and netstat), I can't think of any reason you should ever get a connection drop, short of a hardware failure (memory perhaps), or experimental kernel settings or modules or something... I can't think of any way that a connection to 127.0.0.1 would ever possibly get dropped; the loopback device never hits your network hardware... ~Alex

On Thu, Feb 3, 2011 at 5:00 PM, Jostein Eriksen php-l...@morits.net wrote:
On 02/03/2011 10:49 PM, Adam Richardson wrote:
On Thu, Feb 3, 2011 at 4:19 PM, Jostein Eriksen php-l...@morits.net wrote:
Both PHP and memcached are running on the same server. memcached version 1.2.2, php5-memcache version 2.2.0, PHP version 5.2.4. Here is a snippet from my code that may be of interest:

$cfg['serverList'] = array('127.0.0.1', 11211, 1, 1);
...
$this->memcache = new Memcache();
foreach($cfg['serverList'] as $value){
    /** host, port, persistent, weight, timeout, retry interval, status, failure callback */
    $this->memcache->addServer($value[0], $value[1], false, $value[2], $value[3], 2, true, array($this, 'fail'));
}

Are you sure you copied this correctly? In the code above, you set the array key 'serverList' to an array containing ('127.0.0.1', 11211, 1, 1). Then, you foreach through the values of the 'serverList' array (first iteration, $value would equal '127.0.0.1'; second, $value would equal 11211, etc.). Then, you use array notation to access the first position of $value. In the first iteration of the foreach, $value would equal '127.0.0.1', so $value[0] would give you '1', $value[1] would give you '2', etc. Do you see what I'm saying? Did you forget or omit other relevant code? Or I'm just having a really bad code day (in this case, I'll likely see my error just after sending this email.) Adam

My bad. It should be:

'serverList' => array(
    /** host, port, weight, timeout */
    'default' => array('127.0.0.1', 11211, 1, 1),
)),

Didn't copy/paste the $cfg = line, so it got messed up.
/Jostein
Re: [PHP] preg_replace question
$internal_links=array();

I prefer to init arrays; it also avoids unnecessary notices, and sometimes weird results. But either one of these while loops should make the desired array:

while($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
    array_push($internal_links, array('phrase'=>$row['phrase'], 'link'=>$row['link']));
}

or

while($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
    $internal_links[] = array('phrase'=>$row['phrase'], 'link'=>$row['link']);
}

or

while($row = mysql_fetch_object($result)) {
    $internal_links[] = array('phrase'=>$row->phrase, 'link'=>$row->link);
}

(you can figure out how to do it with array_push if you choose to, but you get the general idea) ~ Alex

On Jan 25, 2011 6:35 AM, Merlin Morgenstern merli...@fastmail.fm wrote:
On 24.01.2011 18:08, Alex Nikitin wrote:
If you declare your arrays, set k to 0 first, put quotes around array values and use the correct limit (you can default to -1), you will get results; here is code and an example (hopefully this helps you):

<?php
function internal_links($str, $links, $limit=-1) {
    $pattern=array();
    $replace=array();
    $k=0;
    foreach($links AS $link){
        $pattern[$k] = "~\b({$link['phrase']})\b~i";
        $replace[$k] = '<a href="'.$link['link'].'">\\1</a>';
        $k++;
    }
    return preg_replace($pattern,$replace,$str, $limit);
}
echo internal_links("süße knuffige Beagle Welpen ab sofort", array(array('phrase'=>"beagle", 'link'=>"http://google.com"),array('phrase'=>"welpen", 'link'=>"http://wolframalpha.com")), -1);

Output: süße knuffige <a href="http://google.com">Beagle</a> <a href="http://wolframalpha.com">Welpen</a> ab

~Alex

Hello, thank you all for your help. It seems that I am building the array wrong. Your code works with that array:

$internal_links = array(array('phrase'=>"beagle", 'link'=>"http://google.com"),array('phrase'=>"welpen", 'link'=>"http://wolframalpha.com"));

I am pulling the data out of a DB and am using this code:

while ($row = mysql_fetch_object($result)){
    $internal_links[$row->ID]['phrase'] = $row->phrase;
    $internal_links[$row->ID]['link'] = $row->link;
}

You build the array differently; could you help me adapt this to my code? I tried $internal_links['phrase'][] as well, but that did not help either. Thank you for any help, Merlin
Re: [PHP] preg_replace question
If you declare your arrays, set k to 0 first, put quotes around array values and use the correct limit (you can default to -1), you will get results; here is code and an example (hopefully this helps you):

<?php
function internal_links($str, $links, $limit=-1) {
    $pattern=array();
    $replace=array();
    $k=0;
    foreach($links AS $link){
        $pattern[$k] = "~\b({$link['phrase']})\b~i";
        $replace[$k] = '<a href="'.$link['link'].'">\\1</a>';
        $k++;
    }
    return preg_replace($pattern,$replace,$str, $limit);
}
echo internal_links("süße knuffige Beagle Welpen ab sofort", array(array('phrase'=>"beagle", 'link'=>"http://google.com"),array('phrase'=>"welpen", 'link'=>"http://wolframalpha.com")), -1);

Output: süße knuffige <a href="http://google.com">Beagle</a> <a href="http://wolframalpha.com">Welpen</a> ab

~Alex
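The internal_links() function in this thread (both the version quoted in the earlier reply and the one above) builds a regular expression from each phrase and drops the link straight into an href, and the thread's own follow-up shows the phrases and links come from a database. As an added example that is not the thread's code, here is the same function with the two data-to-code boundaries handled: phrases are escaped with preg_quote() so a phrase containing regex metacharacters or the delimiter cannot change the pattern, and links are scheme-checked and attribute-escaped; the sample rows are constructed.

```php
<?php
// Added example, not the thread's code: a hardened internal_links().
// Phrases and links are treated as untrusted data from the database.

function internal_links_safe(string $str, array $links, int $limit = -1): string
{
    $patterns = [];
    $replacements = [];
    foreach ($links as $link) {
        $phrase = (string) ($link['phrase'] ?? '');
        $url    = (string) ($link['link'] ?? '');
        if ($phrase === '') {
            continue;
        }
        // Only link to http(s) URLs; a javascript: or data: URL stored in
        // the database would otherwise land inside an href attribute.
        if (!preg_match('~^https?://~i', $url)) {
            continue;
        }
        // preg_quote() escapes regex metacharacters and the ~ delimiter, so
        // a phrase like "a~b" or "(x)" is matched literally instead of being
        // interpreted as part of the pattern.
        $patterns[] = '~\b(' . preg_quote($phrase, '~') . ')\b~i';
        // Escape the URL for an HTML attribute. The matched text ($1) is not
        // escaped here because it is a piece of the subject string itself;
        // escape $str before calling if it can contain HTML.
        $href = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $replacements[] = '<a href="' . $href . '">$1</a>';
    }
    if ($patterns === []) {
        return $str;
    }
    return preg_replace($patterns, $replacements, $str, $limit);
}

// Constructed rows in the shape mysql_fetch_assoc() returns; the third and
// fourth show a URL that needs attribute escaping and one that is rejected.
$rows = [
    ['phrase' => 'beagle', 'link' => 'http://google.com'],
    ['phrase' => 'welpen', 'link' => 'http://wolframalpha.com'],
    ['phrase' => 'sofort', 'link' => 'http://example.com/?a=1&b="x"'],
    ['phrase' => 'ab',     'link' => 'javascript:alert(1)'],
];

// Build the list-of-arrays shape the function expects from the DB rows.
$internal_links = [];
foreach ($rows as $row) {
    $internal_links[] = ['phrase' => $row['phrase'], 'link' => $row['link']];
}

echo internal_links_safe('süße knuffige Beagle Welpen ab sofort', $internal_links), "\n";
```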
[PHP] Weird preg issue
Hi, I'm kind of new to this list, and so if there have been discussions about this, I am not quite aware of them (I tried searching), but I ran across this issue and I figured it would be interesting enough to show you guys here: I was looking for a way to replace all the text in a string that doesn't match a pattern with nothing (therefore string in, only the part of the string that matches my pattern out), one line with no arrays in the middle; and I guess there is a way to do this with temp variables, well I know there is, but I kind of wanted a more elegant solution, so I came up with this match line:

$str = 'And the cow says "Mooo"';
preg_match('/(?:(?!"[a-zA-Z\s]*").)*/', $str, $matches);
print_r($matches);

output:

Array ( [0] => And the cow says )

so I was pretty happy to see that; so if I pass that expression to preg_replace it should, hopefully, replace that text with nothing, and I theoretically should be left with "Mooo", which was my goal originally, so I run:

print_r(preg_replace('/(?:(?!"[a-zA-Z\s]*").)*/', '', $str));

output: ... Hardly what I was expecting... Any ideas? A bug, something I'm not getting, something in the way preg works? Thanks in advance, ~ Alex
[PHP] Re: Weird preg issue
Ah, I seem to have figured out the problem here... if you run a preg_match_all it will return

[0] => Array ( [0] => And the cow says [1] => [2] => Moo [3] => )

And preg_replace is global by default, so in order for this to work correctly (not sure about the elegantly part), you can just limit preg_replace:

preg_replace('/(?:(?!"[a-zA-Z\s]*").)*/', '', $str, 1);

and that seems to work correctly... Neat... kinda...

On Thu, Nov 4, 2010 at 3:47 PM, Alex Nikitin niks...@gmail.com wrote:
(quoted the original post in full)
[PHP] Re: Weird preg issue
but that doesn't work if you add something after the "Mooo" *sigh*. Well, it gets kept.

On Thu, Nov 4, 2010 at 3:47 PM, Alex Nikitin niks...@gmail.com wrote:
(quoted the original post in full)
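Why the pattern behaves this way, and the direct alternative, as an added example that is not part of the thread: the repeated group stops in front of the quoted word, then matches again from there (a zero-length match, then the rest of the string), so a global preg_replace removes almost everything, while the limit-1 workaround keeps any trailing text, exactly as reported above. Capturing the quoted word with its own group avoids both problems. The inputs are constructed.

```php
<?php
// Added example, not from the thread: trace the lookahead pattern and show
// the capture-based alternative.

// Constructed inputs: the thread's string, and one with trailing text.
$inputs = [
    'And the cow says "Mooo"',
    'And the cow says "Mooo" loudly',
];

$pattern = '/(?:(?!"[a-zA-Z\s]*").)*/';

/** Every match of the pattern, including the empty ones preg_replace also sees. */
function allMatches(string $pattern, string $subject): array
{
    preg_match_all($pattern, $subject, $m);
    return $m[0];
}

/** The one-line alternative: capture the quoted word directly, or null if none. */
function quotedWord(string $subject): ?string
{
    return preg_match('/"([a-zA-Z\s]*)"/', $subject, $m) ? $m[1] : null;
}

foreach ($inputs as $str) {
    echo "subject: $str\n";
    // First match is the prefix before the quote; then an empty match at the
    // quote; then everything from the word to the end, because once the
    // closing quote has no further quoted word after it the lookahead fails
    // and the group consumes it too.
    echo "  matches: ", json_encode(allMatches($pattern, $str)), "\n";
    // limit 1 removes only the prefix, so any trailing text survives.
    echo "  limit 1: ", preg_replace($pattern, '', $str, 1), "\n";
    echo "  capture: ", quotedWord($str), "\n";
}
```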
Re: [PHP] Pros/Cons of using mysqli prepared statments
One thing to remember is that dealing with results from prepared statements is different than getting results from queries, so if you are using both, confusion can easily set in (and let's face it, prepared statements aren't always the best thing to use)... If it's of any help, I have written a class to work around that: instantiate it with a query or result object from a statement and you get a uniform way to get the result array... http://pastebin.com/sAhZJcNX ~ Alex

On Thu, Nov 4, 2010 at 5:38 PM, Jay Blanchard jblanch...@pocket.com wrote:
[snip] Just don't go too far. [/snip]
I absolutely agree! Doing SPs for SP's sake is not desired, and be truly careful about cascading the procedures. And always, ALWAYS document your code and put copious comments in the SPs.
RE: [PHP] multi thread work?
-----Original Message-----
From: Tontonq Tontonq [mailto:root...@gmail.com]
Sent: 04 August 2010 18:21
To: PHP General Mailing List
Subject: [PHP] multi thread work?

Hi, how do I make a script multi-task based, like this?

for($i=1;$i<=100;$i++) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, 'http://www.facebook.com/ajax/reqs.php?__a=1' );
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_USERAGENT, "Opera/9.80 (Windows NT 5.1; U; tr) Presto/2.6.22 Version/10.50");
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    curl_setopt($ch, CURLOPT_REFERER, "http://www.facebook.com/reqs.php");
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    //curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt($ch, CURLOPT_PROXY, "127.0.0.1:");
    curl_exec($ch);
}
?>

Let's say this takes 1000 seconds and it doesn't move on to another curl process before it finishes the previous one. Is it possible to let the script start another curl process without waiting for the answer of the previous one? I hope you can understand me ^^

This question has been asked several times over the last week; have a look over the archive ;). You need to be looking at something like process forking ( http://php.net/manual/en/function.pcntl-fork.php ). Alex.
Re: [PHP] GD - import a PNG image and make transparant
Hi Ash, Thanks for your suggestion. I think this is where my confusion is. I understand how to use imagecolorallocatealpha() to for example create a 50% transparant colour, and apply it to a new rectangle for example. I dont understand how to apply it to a new source image, for example $src = imagecreatefrompng('test.png'); // Something here (maybe imagecolorallocatealpha()) to make this 50% transparent- either on its own, or make it 50% transparent as part of a copy onto a new image I had thought that imagecopymerge would help me with this, but it seems not. I'm currently looking through Karl's example to see if I can work it out, but if anyone can point out a super-simple way of achieving the pseudo-code above, i'd be very grateful! Cheers, Alex On Thu, May 13, 2010 at 1:34 AM, Ashley Sheridan a...@ashleysheridan.co.ukwrote: On Thu, 2010-05-13 at 00:12 +0100, Alex Davies wrote: Hi, I am trying to import a PNG image from disk, place it on top of a transparant image created in GD and output it to the browser. In the case of a low opacity setting, I would expect to see the background colour from the HTML page. If I set the opacity to 0, everything works - I end up with a transparant image. However, if I set it for any value 0 (even 1) instead of a very-faint-image the whole thing goes black. As the opacity level goes up from 0, the amount of black reduces and the amount of imported image increases - but this is not what I want. 
I am using this code:

(quoted the original post's code in full)

The images that this outputs, at opacity levels 0, 1 and 80 on a red and green background (screenshots of an HTML page), can be downloaded from http://www.box.net/shared/h9zn4tjgro Any help appreciated! Cheers, Alex

How exactly are you setting the opacity for the image? The traditional way is to use imagecolorallocatealpha() on the source. Thanks, Ash http://www.ashleysheridan.co.uk

-- Alex Davies
[PHP] GD - import a PNG image and make transparant
Hi, I am trying to import a PNG image from disk, place it on top of a transparent image created in GD and output it to the browser. In the case of a low opacity setting, I would expect to see the background colour from the HTML page. If I set the opacity to 0, everything works: I end up with a transparent image. However, if I set it to any value >0 (even 1), instead of a very faint image the whole thing goes black. As the opacity level goes up from 0, the amount of black reduces and the amount of imported image increases, but this is not what I want. I am using this code:

<?php
$src = imagecreatefrompng('test.png');
$img_width = imagesx($src);
$img_height = imagesy($src);

// Create trans image
$dest = imagecreatetruecolor($img_width, $img_height);
//imagesavealpha($dest, true); // This has no effect it appears
$trans_colour = imagecolorallocatealpha($dest, 0, 255, 0, 128);

// Make the background transparent
imagecolortransparent($dest, $trans_colour);
//imagefill($dest, 0, 0, $trans_colour); // This does not work

// Merge src on top of dest, with opacity of 1 in this case
imagecopymerge($dest, $src, 0, 0, 0, 0, $img_width, $img_height, 1);

// Output and free from memory
header('Content-Type: image/png');
imagepng($dest);
?>

The images that this outputs, at opacity levels 0, 1 and 80 on a red and green background (screenshots of an HTML page), can be downloaded from http://www.box.net/shared/h9zn4tjgro Any help appreciated! Cheers, Alex
[PHP] PHP Application Structre
Greetings all, This question basically surrounds how you structure your PHP applications, whether it changes depending on what you're doing and which you'd favour. I have a feeling it'll come down to a question of personal taste, but on the off-chance there's a best practice I'll ask anyways. From what I've seen and used, there seem to be three distinct ways of going about it. 1) Using a 'core' class which has a request handler in it. All pages in the site are accessed through that one page, e.g. http://www.somesite.com/index.php?page=ViewUser http://www.somesite.com/index.php?page=ViewProduct This is one that I've personally used most after becoming familiar with a bulletin board system several years ago. It means that pages are easily created as all the template/session/database handling is done by the central class. 2) Using SE friendly URL's like: http://www.somesite.com/products/22012/cool-game/ http://www.somesite.com/products/22013/other-game/ This approach seems to be becoming more common on the sites I frequent, however by accounts I've read it seems to be more intensive on apache as it requires a mod-rewrite function. 3) Using different PHP files for each page: http://www.somesite.com/viewproduct.php?product= http://www.somesite.com/viewuser.php?user=... This would appear to be the least developer friendly option? Hopefully someone can shed some insight into which is the recommended approach and why. I've been building bigger and bigger sites so having a solid foundation is becoming more and more important. Thanks for any help/feedback, I hope I've been clear. Alex.
RE: [PHP] Still searching for a bugtracking system
Surely if it's not suitable for your situation, it's not the best? :) Mantis is what I'd recommend and I believe it has already been recommended to you. It runs using PHP and MySQL, and it's flexible for public or private projects, multiple projects etc. I do agree with you that Bugzilla seems heavy; I know it has its supporters but I've always found it to be overkill for the projects I've worked on. Alex.

-----Original Message-----
From: Andre Polykanine [mailto:an...@oire.org]
Sent: 30 March 2010 14:14
To: php-general@lists.php.net
Subject: [PHP] Still searching for a bugtracking system

Hello everyone, The best of all suggested bugtrackers is JotBug, in my opinion. But it works only with SQLite databases, and I have no access to such one (only MySQL). Any solutions? P.S. I'd use Trac, but since I have no own server yet, we have no access to Python, either... Only PHP, MySQL, Perl. I have looked at Bugzilla... seems too heavy for our service). -- With best regards from Ukraine, Andre Http://oire.org/ - The Fantasy blogs of Oire Skype: Francophile; WlmMSN: arthaelon @ yandex.ru; Jabber: arthaelon @ jabber.org Yahoo! messenger: andre.polykanine; ICQ: 191749952 Twitter: http://twitter.com/m_elensule
[PHP] Event Handling
Greetings all, I'm currently looking at building a web application, however I've run into an area of development I've not come across before. The web site in its basic form allows users to send cars from a point and then the car will arrive at another point. When the car is set on its way, the start time, travel duration and end time are all known and stored in a MySQL database, what I would like to happen is that an event is triggered on the server at the end time and then an e-mail is sent to the user. This should happen regardless of whether someone is browsing the website or not. I don't believe that I'll be able to solely use PHP, I have spent the afternoon trying to look at potential solutions but I have to admit I've drawn a blank. Google hasn't been helpful (64 pages so far), as any searches related to event handling bring up a load of JavaScript tutorials/help for 'onclick' events etc. I have searched through the PHP documentation and found libevent (http://www.php.net/manual/en/book.libevent.php ), I don't believe that is what I require (although in all honesty the lack of documentation on it means I'm quite in the dark as to its purpose). Another potential candidate I came across was a PHP/Java bridge (http://php-java-bridge.sourceforge.net/pjb/ ), whereby I could use the java virtual machine, register events with it and then callback PHP scripts, although this seems extremely long winded. I was hoping that someone might have some experience with this kind of issue and could point me in the right direction. I'm sure I've missed something right in front of me. Alex.
RE: [PHP] Event Handling
Thanks to all for your help on this; it's been very interesting for me to read.

The system needs to check arrivals in real time (give or take a second or two), and using a cron job every minute doesn't provide the real-time checking I would like. However, when I then got to thinking about it, wouldn't this be an ideal solution? I create a PHP script that loops for 60 seconds, checking the database each second for new entries and processing them (meaning I get near real-time monitoring), and then have that PHP script called by a cron job every minute.

The reason I think that could be a good solution for me is that if the PHP script crashed (for any reason), then at most it's 59 seconds before the system kicks in again and begins processing all the queued arrivals. If I coded a PHP script to loop infinitely, processing things every second, it's possible I wouldn't notice a crash for a considerable amount of time. The proposed solution provides a good fail-safe, I think.

Does that solution seem sensible? Or overkill? Thanks again for your help in this; it's quite novel for me.

-Original Message-
From: Ashley Sheridan [mailto:a...@ashleysheridan.co.uk]
Sent: 15 March 2010 12:56
To: Midhun Girish
Cc: Jochem Maas; David Hutto; php-general@lists.php.net; Alex Major
Subject: Re: [PHP] Event Handling

On Mon, 2010-03-15 at 18:28 +0530, Midhun Girish wrote:
rene a page with an ajax script that kicks off the check-for-recent-events script on the server..
But that method is highly unreliable. I don't think anyone will take that risk, especially for an important web app. Cron, or any equivalent which runs on the server, must be used instead of that..
Midhun Girish
Development Lead
MobAlive Technologies

On Mon, Mar 15, 2010 at 6:08 PM, Jochem Maas joc...@iamjochem.com wrote:
Op 3/15/10 12:00 PM, David Hutto schreef:
On Mon, Mar 15, 2010 at 7:31 AM, Jochem Maas joc...@iamjochem.com wrote:
Op 3/15/10 8:24 AM, Midhun Girish schreef:
Hi,
Just as David Hutto has said, what you need is the cronjob... Make a script, say check.php, which checks the db to see if any new entries are made... and if yes, send the mail... Now, using the cronjob feature in Linux OS (which will be provided as a service in your Linux hosting cPanel), set a cronjob which calls the http://www.yoursite.com/check.php URL every minute. Now a trigger will be there every minute to the script, and the emails will be sent irrespective of whether anyone is browsing the site or not. Hope it is clear...

use cron - yes
have cron call a web URL - no, instead just call the script via the php CLI sapi, e.g. a cmdline as follows in cron:

/usr/bin/env php /path/to/your/check.php > /dev/null

I do believe removing the /dev/null will send error messages during the building of the script, correct?

the '> /dev/null' redirects all output - I kind of make the assumption that the script would be logging stuff to a file or something when in production. so, yes, remove the redirection when you're developing/testing the script.

I agree. Even setting a cron on a local computer to call home to a server script would be preferable to Ajax calls.

Thanks,
Ash
http://www.ashleysheridan.co.uk
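As an added example (not code from anyone in this thread), here is a check.php along the lines Alex and Jochem describe: cron starts it via the PHP CLI once a minute, it polls MySQL every second for just under 60 seconds, and it refuses to run under a web server. The `journeys` table, its columns, the DSN and the lock-file path are assumptions for illustration.

```php
<?php
// Added example: run from cron, not from a URL, e.g.
//   * * * * * /usr/bin/env php /path/to/check.php >> /var/log/check.log 2>&1
declare(strict_types=1);

if (PHP_SAPI !== 'cli') {          // never let the web SAPI trigger notifications
    http_response_code(404);
    exit;
}

// One instance at a time: if last minute's run is still busy (slow DB, slow
// mail), a second copy must not double-send. Lock-file path is an assumption.
$lock = fopen(sys_get_temp_dir() . '/check.php.lock', 'c');
if ($lock === false || !flock($lock, LOCK_EX | LOCK_NB)) {
    exit(0);
}

// Assumed connection details; the password comes from the environment.
$pdo = new PDO('mysql:host=localhost;dbname=cars', 'app', getenv('DB_PASS') ?: '', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// Prepared statements only; "notified" marks rows already handled so a crash
// and restart picks up exactly the rows that were never claimed.
$due   = $pdo->prepare('SELECT id, user_email FROM journeys '
                     . 'WHERE notified = 0 AND end_time <= NOW() LIMIT 100');
$claim = $pdo->prepare('UPDATE journeys SET notified = 1 WHERE id = ? AND notified = 0');

$deadline = time() + 58;            // stop before cron launches the next run
while (time() < $deadline) {
    $due->execute();
    foreach ($due->fetchAll(PDO::FETCH_ASSOC) as $row) {
        // Claim first, then mail: at-most-once delivery, so a crash mid-loop
        // can lose a mail but never spam a user with duplicates.
        $claim->execute([$row['id']]);
        if ($claim->rowCount() !== 1) {
            continue;               // another worker got there first
        }
        // The address came from user input at booking time; do not hand
        // mail() anything that is not a single valid address.
        if (!filter_var($row['user_email'], FILTER_VALIDATE_EMAIL)) {
            error_log("journey {$row['id']}: malformed address, not mailing");
            continue;
        }
        mail($row['user_email'], 'Your car has arrived',
             "Journey {$row['id']} has completed.");
    }
    sleep(1);
}
flock($lock, LOCK_UN);
```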
[PHP] Why does CURLOPT_FOLLOWLOCATION require open_basedir to be turned off?
I was wondering why CURLOPT_FOLLOWLOCATION requires open_basedir and safe_mode to be turned off. The following was found in the changelog (http://www.php.net/ChangeLog-5.php):

Disabled CURLOPT_FOLLOWLOCATION in curl when open_basedir or safe_mode are enabled. (Stefan E., Ilia)

I also read some forum posts about security restrictions blah-blah, but didn't find anything specific, unfortunately. Can anybody explain the reasons for such a strange restriction, or tell me what security issues CURLOPT_FOLLOWLOCATION raises when open_basedir is set?