[PHP] Re: Re: Getting the process ID
> But a double-submit is likely to come from separate Apache processes, so
> I don't see where the pid comes into the picture. If I reload a page and
> resend the post data, that POST request is going to be processed a second
> time most likely by a different httpd process. What you need to do is
> put a unique (you can use the uniqid function) in the actual transaction
> data and not allow the transaction if that token is already present in
> your datastore.

I'm with you so far, but here is the problem I am having. Let me preface this by saying that, in retrospect, I did not solve this problem as elegantly as I should have.

At any rate, let P1 and P2 represent separate parallel transactions. $key is the same in both processes.

P1: "Does token.status = 'locked' WHERE key=$key ?"
P2: "Does token.status = 'locked' WHERE key=$key ?"
P1: {Receives negative response}
P2: {Receives negative response}
P1: Updates token.status = 'locked' WHERE key=$key
P2: Updates token.status = 'locked' WHERE key=$key
P1: Processes transaction
P2: Processes transaction

Now in retrospect this was not the simplest way to do it, but it worked (and here is where PID comes in): After P1 inserts the token in the database, it checks again to see that it is inserted *and* that it is the owner (token has a field for "owner"). Like this:

P1: Updates token.status = 'locked' && owner=getmypid() WHERE key=$key && owner = ''
P2: Updates token.status = 'locked' && owner=getmypid() WHERE key=$key && owner = ''
P1: Checks to see if token is locked and P1 is owner. If not, abort.
P2: Checks to see if token is locked and P2 is owner. If not, abort.

Now, whichever one of these executes first will get the token. The other will abort. But you see that I need the PID (or some other unique identifier) so that the script can identify itself, otherwise P1 and P2 might both in parallel attempt to lock the token, and both would appear to have received the lock.
At any rate, I am realizing now as I talk this through that there were other simpler methods for doing what I needed. Oh well. But for now I solved the problem as described above. Thanks for the input.

When I got into PHP I didn't anticipate carrying on a casual conversation with the guy who invented it!

-Josh

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: Storing data structures in DB
"Joshua Beall" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> You should look into the WDDX functions - http://php.net/wddx/ - they give
> you an XML document that you can edit by hand much more easily than the
> bytestream you get from serialize. However it is not as compact as
> serialize, and not only that it suffers from what I consider a showstopped
> bug.

er, make that "showstopper..."
[PHP] Re: Getting the process ID
"Rasmus Lerdorf" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Joshua Beall wrote:
>> I am doing some work where I want to do locking, and prevent scripts from
>> running in parallel. I see that I could use the semaphore mechanism, but
>> I'd like for my code to be portable, and that extension is not enabled in
>> many places.
>
> Sort of defeats the whole concept of a web server, but to answer just your
> process id question, use getmypid()

http://php.net/manual/en/function.getmypid.php

It says "Process IDs are not unique"

I really only need it to be unique at any given instant. I can do sha1(microtime().getmypid()) to generate a unique ID. But of course it is only guaranteed to be unique if indeed the process ID is not shared.

The problem I am having is that people are double-submitting certain transactions. My first attempt to prevent this was to store a flag in the session record indicating whether or not certain transactions had been completed, but this turned out to be insufficient at times because users could try and initiate a second transaction before the first transaction had finished (and thus the system had not yet flagged the transaction completed in the session record). They then both completed in parallel, and voila, duplicate transactions again.

I realized that this sort of problem would always exist unless I had some sort of semaphore mechanism. Once a user has *started* a transaction, they need to be prevented from initiating a second transaction until the first transaction has been completed.

I am open to suggestions on how to do this. What is the best way?

-Josh
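The lock sequence from the earlier reply and the double-submit question here, as an added example (not code from the thread or from PHP's documentation): the database performs the compare-and-set in one conditional UPDATE and reports the outcome through rowCount(), and the uniqid() token Rasmus suggests becomes a PRIMARY KEY so a re-sent POST is rejected by the datastore itself. Table and column names, and the in-memory SQLite database, are assumptions.

```php
<?php
// Added example, not code from the thread. Table/column names are assumed;
// in-memory SQLite stands in for the real datastore.
function setupSchema(PDO $db): void {
    $db->exec("CREATE TABLE locks (lock_key TEXT PRIMARY KEY,
               status TEXT NOT NULL DEFAULT '', owner TEXT NOT NULL DEFAULT '')");
    $db->exec("CREATE TABLE transactions (token TEXT PRIMARY KEY, amount INTEGER NOT NULL)");
}

// Identity for this request: a PID alone is reused over time, so append
// random bytes (random_bytes() exists from PHP 7).
function requestId(): string {
    return getmypid() . '-' . bin2hex(random_bytes(8));
}

// Atomic acquisition: the database evaluates "owner = ''" and applies the SET
// in one statement, so only one caller sees rowCount() === 1; the rest abort.
function acquireLock(PDO $db, string $key, string $owner): bool {
    // INSERT OR IGNORE is SQLite syntax (MySQL: INSERT IGNORE).
    $db->prepare("INSERT OR IGNORE INTO locks (lock_key) VALUES (?)")->execute([$key]);
    $st = $db->prepare("UPDATE locks SET status = 'locked', owner = ?
                        WHERE lock_key = ? AND owner = ''");
    $st->execute([$owner, $key]);
    return $st->rowCount() === 1;
}

// Idempotency token (uniqid() when the form is rendered, carried in the POST):
// the PRIMARY KEY rejects the second INSERT, so a re-sent POST is a no-op.
function recordTransaction(PDO $db, string $token, int $amount): bool {
    try {
        $db->prepare("INSERT INTO transactions (token, amount) VALUES (?, ?)")
           ->execute([$token, $amount]);
        return true;
    } catch (PDOException $e) {
        // SQLSTATE 23000 = integrity constraint violation (duplicate token)
        if ((string) $e->getCode() === '23000') return false;
        throw $e;
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
setupSchema($db);
$p1 = requestId(); $p2 = requestId();   // two parallel requests for the same $key
echo acquireLock($db, 'user42', $p1) ? "P1 locked\n" : "P1 aborted\n";
echo acquireLock($db, 'user42', $p2) ? "P2 locked\n" : "P2 aborted\n";
$token = uniqid('', true);
echo recordTransaction($db, $token, 100) ? "stored\n" : "duplicate\n";
echo recordTransaction($db, $token, 100) ? "stored\n" : "duplicate\n"; // same token re-sent
```

Whichever of P1 and P2 runs its UPDATE first is the only one whose statement changes a row; the token check then turns the session-flag race into a single uniqueness check the database enforces.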
[PHP] Re: Storing data structures in DB
"GamblerZG" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Output of serialize() is barely readable and definitely is not suited for
> manual editing.
>
> It is quite simple to create var_export() clone that does not add junk to
> its output. But then I would need to exec() the string to get a data
> structure back, which is bad security practice.
>
> Is there any good way to store/retrieve data structures (multidimensional
> arrays) to/from database?

You should look into the WDDX functions - http://php.net/wddx/ - they give you an XML document that you can edit by hand much more easily than the bytestream you get from serialize. However it is not as compact as serialize, and not only that it suffers from what I consider a showstopped bug.

This bug in the WDDX serialization causes you to run into trouble if you have a numerically indexed array that does not start at 0. For instance:

    <?php
    // Requires the wddx extension (removed from PHP in 7.4).
    $data = array();
    //$data[0] = 'uncomment me and things will work';
    $data[1] = "foo";
    $data[2] = "bar";
    $serialized = wddx_serialize_value($data);
    $result = wddx_deserialize($serialized);
    echo gettype($result[1]);

The output is "NULL" - it is now impossible to directly access anything in the $result array. It is still there - you can see this if you var_dump($result) or iterate through it with foreach($result as $entry).

HTH,
-Josh
[PHP] Getting the process ID
Hi All,

I am doing some work where I want to do locking, and prevent scripts from running in parallel. I see that I could use the semaphore mechanism, but I'd like for my code to be portable, and that extension is not enabled in many places.

I need some way for a process to uniquely identify itself. It can then look at the storage container (flat file, DB, whatever is appropriate in context), check to see if the requested semaphore is available, and if it is, acquire it and then mark itself as the owner. It can then check that it did in fact get ownership (as opposed to another process which attempted to acquire it at the exact same moment) before proceeding.

However I am stumped at the point where it needs to indicate ownership. How does the PHP script identify itself? It can't use the script name, obviously - lots of instances of the script may be running. It can't use session ID - the user might submit duplicate requests, and they would both have the same session ID. The best I have been able to think of is to use the sha1(microtime()) to generate a unique key. But this isn't quite foolproof, as it is theoretically possible, though unlikely, for two requests to be at the exact same instant.

The answer that comes to my mind would be to use the process ID. This is necessarily unique across the entire server, correct? It seems to be exactly what I need. But I can't seem to figure out how to determine the current process ID from within PHP. Is this even possible?

Apache 1.3.x/PHP5.0.3

Any ideas?

-Josh

p.s. Please forgive me if I have misused the term "semaphore" - I know it only from the context I have seen/heard it used in, I don't know the textbook definition.
[PHP] Re: PHP Security
"Greg Donald" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> The other day a post came across one of those mailing lists discussing
> PHP security. One of the posters was describing how insecure PHP's
> file upload functionality is and went on to explain a simple method of
> attaching exploit code to the end of a jpeg or other image format,
> then proceeding in uploading the image to the target site that
> accepted image uploads. The code would be executed as PHP in spite of
> the file type detection.

Chris already gave a good response to all this, but I am curious myself - can this mystery antagonist provide an example exploit? What he is suggesting seems impossible, unless for some strange reason you have set Apache to execute .jpg files as PHP code. In which case the security hole is the admin who set things up like that, not PHP!

Can you also provide a link to the relevant message in the mailing list archive? I would like to read this myself.

-Josh
[PHP] Re: PEAR performance/overhead
"David Dickson" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> I was told that PEAR has too much overhead to be considered for a large
> scale site. Does any one feel the same? Is this an outrageous comment? I
> would like to hear comments from people who are using PEAR, or people who
> have considered PEAR but decided not to use it and your reasons.

I wound up taking a hybrid approach, rolling my own DB abstraction layer that was more efficient than PEAR DB (and less full featured, as well), but suited our needs nicely. By doing this I was able to reduce each page's memory footprint by about 50%, and execution time by about 40%. I still use other components of PEAR, however, and I think it is a great resource. Anyone who dismisses PEAR out of hand, without giving it a serious look, is insane.

> The packages I am particularly interested in are HTML_QuickForm and DB.

You'll have to write some tests and do some benchmarks to decide what the best answer is.
[PHP] Re: Re: $_POST getting lost, $GLOBALS['HTTP_RAW_POST_DATA'] is still set
"Adam Bregenzer" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Honestly, I didn't see anything glaringly wrong so I deftly skirted your
> problem by posting code that I find works. :)

Hmm, I would probably have done the same :-)

> One part that may be an issue is you are using each() on $data then
> re-assigning the stripped code to $data, maybe that is exposing some
> bug/issue with php? Try making a new array by assigning the stripped
> output to $data2 and returning $data2, maybe that will solve it.

Interesting idea. The only problem is testing it... since it seems to work fine for me except for this one error report I got, I am not sure what to do. Guess it is worth a shot to change it anyway. Could not hurt, right? And assuming garbage collection works ok in PHP, it should not really be a memory hit, since both $data and $data2 should be reclaimed when they go out of scope.
[PHP] Re: $_POST getting lost, $GLOBALS['HTTP_RAW_POST_DATA'] isstill set
"Adam Bregenzer" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Having a function to undo magic quotes can be very useful if you
> distribute your application. Here is what I use, just call
> disable_magic_quotes(). It should not do any damage if magic_quotes is
> already disabled.

Looks pretty good to me, and it is a little more robust than my solution since it checks for the existence of objects, and also sets the magic_quotes_gpc ini setting to 0 after escaping them.

However, I am still interested in knowing if my code is broken in any way. It seems to work fine for me, but as per my original post, I did get this one odd behavior, with HTTP_RAW_POST_DATA being set, but _POST being an empty array.

Any thoughts?
[PHP] $_POST getting lost, $GLOBALS['HTTP_RAW_POST_DATA'] is still set
Hi All,

I originally posted this on 2004-02-09, to alt.comp.lang.php, alt.php, and comp.lang.php, with the followup-to header set to comp.lang.php. Nobody had any thoughts, so I thought I would post here, just in case.

I want to turn off magic quotes. I realize in retrospect that using a .htaccess file to turn off magic quotes would probably be better than this code, and I am going to switch to that solution, but I am still trying to figure out what is causing my current problem:

I am using the following code to automatically strip out any slashes that were added automagically by gpc_magic_quotes:

    <?php
    $_POST = array_stripslashes($_POST);

    // Takes the passed array, and strips any escaping slashes out of any strings in the array.
    // This is a recursive function capable of handling multidimensional arrays.
    // Note: each() was removed in PHP 8.0; on current PHP use foreach instead.
    function array_stripslashes($data)
    {
        do {
            $pair = each($data); // Get the next key-value pair from the array
            if ($pair === false) break;
            $key = $pair[0];     // This is just for readability
            $val = $pair[1];
            if (is_array($val))
                $val = array_stripslashes($val); // recurse into nested arrays
            elseif (is_string($val))
                $val = stripslashes($val);
            $data[$key] = $val;
        } while (true);
        return $data;
    }

Now, I test it several times and it appears to be working fine. But, I just got an error report from a user, with agent "Mozilla/4.0 (compatible; MSIE 5.0; CS 2000 6.0; Windows 98; DigExt)", and when they clicked on a submit button, all the POST data was lost. Interestingly enough, $GLOBALS['HTTP_RAW_POST_DATA'] was populated with all the form fields I would have expected to be in $_POST (although raw, of course, not parsed into variables).

Is my code broken? Or is this a bug in PHP? Or what?

Sincerely,
-Josh