Re: [PHP] Novice question

2011-10-30 Thread Rico Secada
On Sun, 30 Oct 2011 17:24:07 -
John Allsopp j...@johnallsopp.co.uk wrote:

 Hi
 
 I'm afraid I've fallen a little out of touch with PHP dev, so a stupid
 question for you.
 
 I want to write a script that requests a URL and then reads that
 website .. I'm interested to map web structures. My web host is
 saying I'll need URL file access enabled but that it's a) a security
 risk and b) deprecated.
 
 So .. what's the good / proper / acceptable / secure way of reading in
 URLs in PHP or .. isn't there one?

cURL is the best one in my experience, but you have to manage security
yourself. Meaning: Remember to escape/encode data.

http://php.net/manual/en/book.curl.php

 Cheers
 J
 
 -- 
 01723 376477
 
 Cost-free marketing: http://www.flowmarketing.co.uk/
 
 Affordable marketing guidance for small businesses:
 http://www.amilliontweaks.co.uk/
 
 Effective marketing services for SMEs: coming soon at
 http://www.surgemarketing.co.uk
 
 Professional Internet marketing consultancy:
 http://www.johnallsopp.co.uk
 
 
 -- 
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php
 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
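
An added example, not part of the thread: one way to read a URL with cURL rather than URL file access (allow_url_fopen), and to escape what comes back before printing it, as the reply above advises. The function names, limits and the sample HTML are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. Function names and limits are illustrative.

// Fetch one page over http(s) with cURL; allow_url_fopen is not needed.
function fetch_page(string $url, int $maxBytes = 1048576): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('Only http and https URLs are allowed');
    }
    $body = '';
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        // Keep cURL, and any redirect it follows, away from file:// and other schemes.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 5,
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 15,
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,
        // Collect the body ourselves so an oversized response can be cut off.
        CURLOPT_WRITEFUNCTION   => function ($ch, $chunk) use (&$body, $maxBytes) {
            $body .= $chunk;
            return strlen($body) > $maxBytes ? 0 : strlen($chunk);
        },
    ]);
    $ok = curl_exec($ch);
    $error = curl_error($ch);
    if ($ok === false) {
        throw new RuntimeException('Fetch failed: ' . $error);
    }
    return $body;
}

// Return the distinct href values of all <a> elements in an HTML document.
function extract_links(string $html): array
{
    libxml_use_internal_errors(true);      // real pages are rarely valid markup
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NONET);   // never let the parser fetch anything
    libxml_clear_errors();
    $links = [];
    foreach ($doc->getElementsByTagName('a') as $a) {
        $href = trim($a->getAttribute('href'));
        if ($href !== '') {
            $links[$href] = true;
        }
    }
    return array_keys($links);
}

// Constructed sample page, so the parsing and escaping part runs without a network.
// With a real target: $html = fetch_page('https://www.example.com/');
$html = '<html><body><a href="/about">About</a>'
      . '<a href="/search?q=a&amp;b=&lt;b&gt;">Search</a></body></html>';

foreach (extract_links($html) as $href) {
    // Fetched data is untrusted: encode it for the context it is printed into.
    echo '<li>', htmlspecialchars($href, ENT_QUOTES, 'UTF-8'), "</li>\n";
}
```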



[PHP] Code should be self-maintaining!

2011-08-29 Thread Rico Secada
Don't get me wrong, I love programming! But what an absolute pain in the
ass it is when you re-use old code only to discover something less well
made.

You all know about this right?

You go into your homemade library of code to re-use some piece that you
are already using in 12 other places in production. Now, last time you
worked on the code you thought it was almost perfect. While working on
the code this time you find an undiscovered bug or some part of the
code that looks like you were on drugs when you made it.

Of course we develop experience and more skills all the time, and as a
good programmer we never stop doing that, but what a pain it is when
the above happens and you have to patch the code being used in those 12
other places too, and each place maybe has a slightly different usage,
so minor changes affect other stuff. And this goes on while your head
is spinning around trying to stay focused on the very task at hand that
originated the need for a quick re-usage of old code in the first place.

Why the hell can't code be self-maintaining!? :))




Re: [PHP] PDO Prepared Statements and stripslashes

2010-12-21 Thread Rico Secada
On Tue, 21 Dec 2010 10:32:21 -0500
Adam Richardson simples...@gmail.com wrote:

 1. Turn off magic_quotes_gpc if on, as its use has been deprecated.
 2. Use prepared statements.
 3. Don't worry about stripping slashes ever again :)

Thank you for a very enlightening answer. I guess I misunderstood
the PDO automatically quotes.. and the slashes part! :-) 
 Adam
 
 -- 
 Nephtali:  A simple, flexible, fast, and security-focused PHP
 framework http://nephtaliproject.com
 




[PHP] PDO Prepared Statements and stripslashes

2010-12-20 Thread Rico Secada
Hi.

In an article about SQL Injection by Chris Shiflett he mentions the
following in a comment: "The process of escaping should preserve data,
so it should never be necessary to reverse it. When I'm auditing an
application, things like stripslashes() alert me to design problems."

Now, I'm always using PHP PDO with prepared statements and as such data
with quotes gets slashed automatically by PDO when inserted into the
database.

When I need to pull out the data something might be slashed and I need
to use stripslashes() or some str_replace() to make sure that the
slashes are removed.

So what's the mistake here and what's the correct way to do it?

Kind regards

Rico




Re: [PHP] PDO Prepared Statements and stripslashes

2010-12-20 Thread Rico Secada
On Tue, 21 Dec 2010 00:32:19 -0500
Paul M Foster pa...@quillandmouse.com wrote:

 On Tue, Dec 21, 2010 at 05:31:15AM +0100, Rico Secada wrote:
 
  Hi.
  
  In an article about SQL Injection by Chris Shiflett he mentions the
  following in a comment: "The process of escaping should preserve
  data, so it should never be necessary to reverse it. When I'm
  auditing an application, things like stripslashes() alert me to
  design problems."
  
  Now, I'm always using PHP PDO with prepared statements and as such
  data with quotes gets slashed automatically by PDO when inserted
  into the database.
 
 Just out of idle curiosity, are you using MySQL? PDO shouldn't be
 backslashing quotes for PostgreSQL, as the PostgreSQL convention for
 values containing single quotes is to double the quotes, as: ''.

Currently I'm working with MySQL, but I have just tested PDO with
PostgreSQL 8.3 and in this case PDO backslashes PostgreSQL as well.
 
  When I need to pull out the data something might be slashed and I
  need to use stripslashes() or some str_replace() to make sure that
  the slashes are removed.
  
  So what's the mistake here and what's the correct way to do it?
 
 I don't see a mistake. If the values come out of the database
 backslashed, then you need to remove them to work with the data. My
 only question would be whether you're sure the data is backslashed
 before PDO ever sees it. In which case, yes, you have a problem.

No, the data is not slashed before PDO sees them.

I didn't see a mistake either, but then what does Chris mean? Stripping
slashes from output from the DB alerts him to a design problem, and
I'm just wondering if there is another way of doing things I just haven't
heard of then. 

 Paul
 
 -- 
 Paul M. Foster
 
 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
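
An added example, not part of the thread, for the "PDO Prepared Statements and stripslashes" messages above: it stores a quoted string through a prepared statement and compares what comes back, first with raw input and then with input that was slashed before PDO saw it (the situation Paul asks about and that Adam's magic_quotes_gpc advice addresses). It assumes the pdo_sqlite driver; the table name, function name and sample string are illustrative.

```php
<?php
// Added example, not from the thread. Assumes the pdo_sqlite driver; the table
// and function names are illustrative.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)');

// Store a value through a prepared statement and read the stored bytes back.
function store_and_load(PDO $pdo, string $body): string
{
    $insert = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
    $insert->execute([':body' => $body]);   // the value travels as a bound parameter

    $select = $pdo->prepare('SELECT body FROM notes WHERE id = :id');
    $select->execute([':id' => (int) $pdo->lastInsertId()]);
    return (string) $select->fetchColumn();
}

// Constructed input containing both quote styles and literal backslashes.
$input = "O'Reilly wrote \"C:\\temp\"";

// Case 1: raw input bound directly to the statement.
$roundTrip = store_and_load($pdo, $input);

// Case 2: input that was already slashed before PDO saw it, which is what
// magic_quotes_gpc did to request data. addslashes() stands in for that setting.
$preSlashed = addslashes($input);
$stored     = store_and_load($pdo, $preSlashed);

printf("input          : %s\n", $input);
printf("case 1 from DB : %s (identical to input: %s)\n",
    $roundTrip, var_export($roundTrip === $input, true));
printf("case 2 from DB : %s (identical to input: %s)\n",
    $stored, var_export($stored === $input, true));
```

When stored data looks like case 2, the extra backslashes were added before the bind, so the place to fix it is the input side rather than a stripslashes() call on output.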



[PHP] No errors gets displayed, just a blank page

2010-12-07 Thread Rico Secada
Hi.

What can cause that no parse error gets displayed (blank page/no output
at all) even though error reporting is set to -1? 

I have run the script through php lint on the console and it comes up
with no errors.

I have run into this problem the last couple of days making debugging a
nightmare.

Anyone with experience in this behavior?

Thanks and best regards

Rico




Re: [PHP] Is it possible to install PHP on IIS?

2010-11-16 Thread Rico Secada
On Tue, 16 Nov 2010 12:16:25 +0530
Himani Aggarwal incrediblehim...@gmail.com wrote:

 Hi Folks, is it possible to install PHP on IIS? If yes, can someone
 please guide me on how to go about doing it? Thanks

Now, why would you wanna do something crazy like that?! :)
 




Re: [PHP] Documentation

2010-10-27 Thread Rico Secada
On Wed, 27 Oct 2010 10:52:58 +0200
Jordan Jovanov jovanovj...@gmail.com wrote:

 Hello All,
 
 I finished with coding and now I am on the part when need to write 
 documentation. But I don't know how to write correct documentation.
 Does have some rules or standard for writing documentation for PHP?
 Or maybe have some programs for writing documentations?

You should consider who is going to read the documentation. Are we
talking about end users and/or other coders?

Other coders benefit from code comments and, as some suggest,
phpDocumentor has some nice features if you want to automate some of it.

End users on the other hand need handwritten documentation and in most
cases non-technical explanations.

 Best Regards,
 Jordan JOVANOV
 



Re: [PHP] Best practice for if (!$stmt->execute())

2010-10-25 Thread Rico Secada
On Mon, 25 Oct 2010 00:26:23 -0700
Tommy Pham tommy...@gmail.com wrote:

  -Original Message-
  From: Rico Secada [mailto:coolz...@it.dk]
  Sent: Sunday, October 24, 2010 9:06 PM
  To: php-general@lists.php.net
  Subject: [PHP] Best practice for if (!$stmt->execute())
  
  Hi.
  
  I have been doing like this:
  
  if (!$stmt->execute()) {
      return false;
  } else {
  
      ... some code
  
      return true;
      OR
      return $foo; // Some int, string, whatever.
  
  }
  
  I am thinking about changing the return false with a:
  
  if (!$stmt->execute()) {
      die(DB_ERROR);
  }
  
  This way making sure that every single db execute gets a valid check
  and at the same time return some kind of valuable db error to the
  user and end the script.
  
  How do you deal with db execution checks?
  
  Thanks in advance!
  
  Best regards.
  
  Rico.
  
 
 Rico,
 
 Shouldn't you consider this as what happens, while in production,
 should the script fail, whether it's DB related or not?  In that
 case, how would you want to handle the error?  Do you, or the system
 admin, want to be notified one way or another of the failure?  Do you
 want to implement a backup in case that failure happens as an
 'automatic recovery' mechanism?  As a system/network admin, I go by 3
 guidelines:
 1) Prevent failure as much as I can (either system hardware, software
 applications, hacks/exploits/vulnerabilities, etc.).
 2) In the event that 1 fails, what's the recovery process?  How fast
 can I recover from it?
 3) If 2 fails, then there's something wrong with the whole process,
 for which I need to expand my knowledge & skillset.
 
 In my past experiences, I haven't yet got to stage 2 because there are
 precautions you can take to detect when a failure is about to happen
 so that stage 2 will never happen.  What you need to consider is how
 important is this?  Is it mission critical?
 
 Regards,
 Tommy

Thank you for some very important thoughts! Creating an extended error
handling function seems appropriate.

Regards,
Rico 




Re: [PHP] Best practice for if (!$stmt->execute())

2010-10-25 Thread Rico Secada
On Mon, 25 Oct 2010 22:56:37 -0400
Paul M Foster pa...@quillandmouse.com wrote:

 Bear in mind, an error is *never* that a query returned no data or
 data the user might consider bad.

This is an important point. When is an error an actual error? When is
it something that *needs* to be logged and mailed?
 
 Paul
 
 -- 
 Paul M. Foster
 



Re: [PHP] I need some thoughts on code duplication and separation

2010-10-24 Thread Rico Secada
On Thu, 21 Oct 2010 10:55:14 -0400
Paul M Foster pa...@quillandmouse.com wrote:

 On Thu, Oct 21, 2010 at 04:05:50AM +0200, Rico Secada wrote:
 
  Hi.
  
  I am working on a small system where I am both trying to avoid code
  duplication and at the same time I am trying to keep the
  presentation logic separated from the application logic.
  
  I am using sessions and am avoiding the "headers already sent"
  problem by keeping the HTML out of the application.
  
  For example, I would like to have a common header.php file, but it
  is difficult to create this since one file needs to have some
  specific Javascript located in the <head> </head> tags, but the
  other files don't need this.
  
  Another file needs to have a specific onload call in the body
  tag, while yet another file also needs to have an onload call,
  but with different attributes.
  
  I have been looking around in other systems to see what kinds of
  solutions are being used - as inspiration.
  
  I have been thinking about the following solutions:
  
  1. Create only ONE header.php file that contains a lot of
  conditionals depending on what file is including it - the output of
  HTML/Javascript changes.
  
  I believe this would turn into a very ugly hack. Difficult to
  maintain.
 
 Not really. Here's what I do. I have a page controller which defines
 variables and such, and then calls the header.php file. The page
 controller will contain something like this:
 
 $meta['jsfiles'] = 'onload.js';
 
 The header.php will contain code like this:
 
 <?php if (!empty($meta['jsfiles'])): ?>
 <?php include $meta['jsfiles']; ?>
 <?php endif; ?>
 
 The page controller can also contain a variety of other settings,
 like:
 
 $meta['content'] = 'cust_add.php';
 
 and the header.php will contain:
 
 <?php include $meta['content']; ?>
 
 This directs the proper internal content for the header.php, which is
 really like a template file.
 
 Also remember that at the bottom of the page controller, you do a line
 like this:
 
 include 'header.php';
 
 You can change this as you like for any given page controller.
 
 Paul
 
 -- 
 Paul M. Foster

Thanks Paul! It's a nice way to do it.




[PHP] Best practice for if (!$stmt->execute())

2010-10-24 Thread Rico Secada
Hi.

I have been doing like this:

if (!$stmt->execute()) {
    return false;
} else {

    ... some code

    return true;
    OR
    return $foo; // Some int, string, whatever.

}

I am thinking about changing the return false with a:

if (!$stmt->execute()) {
    die(DB_ERROR);
}

This way making sure that every single db execute gets a valid check
and at the same time return some kind of valuable db error to the user
and end the script.

How do you deal with db execution checks?

Thanks in advance!

Best regards.

Rico.


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
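
An added example, not part of the thread, for the "Best practice for if (!$stmt->execute())" messages above: one way to build the extended error handling function discussed there, with PDO raising exceptions so no execute() goes unchecked, the detail logged on the server, a generic message shown to the user, and an empty result treated as a normal return value. It assumes the pdo_sqlite driver; the table, function names and messages are illustrative.

```php
<?php
// Added example, not from the thread. Assumes the pdo_sqlite driver; the table,
// function names and messages are illustrative.
$pdo = new PDO('sqlite::memory:');
// Every failed prepare()/execute() now throws, so no call can go unchecked.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE)');

// A lookup that finds nothing returns null: that is a result, not a DB error.
function find_user(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function add_user(PDO $pdo, string $name): int
{
    $stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $pdo->lastInsertId();
}

// Central handler: full detail goes to the server log, the user only gets a
// generic message plus a reference the admin can search the log for.
function handle_db_failure(PDOException $e): string
{
    $ref = bin2hex(random_bytes(4));
    error_log(sprintf('[db %s] %s in %s:%d',
        $ref, $e->getMessage(), $e->getFile(), $e->getLine()));
    return "Sorry, something went wrong (reference $ref).";
}

try {
    add_user($pdo, 'rico');
    $missing = find_user($pdo, 'nobody');
    echo 'Lookup of unknown user: ', var_export($missing, true), "\n";
    add_user($pdo, 'rico');             // second insert violates the UNIQUE constraint
} catch (PDOException $e) {
    echo handle_db_failure($e), "\n";   // driver message and SQL never reach the page
}
```

Mailing or paging the admin would hang off handle_db_failure(), which keeps the notification policy in one place instead of in every query.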



[PHP] I need some thoughts on code duplication and separation

2010-10-20 Thread Rico Secada
Hi.

I am working on a small system where I am both trying to avoid code
duplication and at the same time I am trying to keep the presentation
logic separated from the application logic.

I am using sessions and am avoiding the "headers already sent" problem by
keeping the HTML out of the application.

For example, I would like to have a common header.php file, but it is
difficult to create this since one file needs to have some specific
Javascript located in the <head> </head> tags, but the other files
don't need this.

Another file needs to have a specific onload call in the body tag,
while yet another file also needs to have an onload call, but with
different attributes.

I have been looking around in other systems to see what kinds of
solutions are being used - as inspiration.

I have been thinking about the following solutions:

1. Create only ONE header.php file that contains a lot of conditionals
depending on what file is including it - the output of HTML/Javascript
changes.

I believe this would turn into a very ugly hack. Difficult to maintain.

2. Create an HTML generating class with a set of methods that each
contains an adequate amount of parameters. Each method maintains its
own HTML tag. For example, docType($type) would generate the doctype
specification.

I believe this is a cleaner solution, but the problem with code
duplication isn't avoided.

Some of the presentation logic contains conditionals and the HTML
changes when the conditional changes, hence the header content changes,
but the doctype, html, and head don't necessarily change and
they would get duplicated a couple of times in some files.

3. Avoid the problem altogether, use output buffering and completely
forget about separation between application and presentation.

I hope I make sense.

Any thoughts on these kinds of problems?

Best regards.





Re: [PHP] Fixing the path

2009-09-13 Thread Rico Secada
On Sat, 12 Sep 2009 00:43:50 -0400
Paul M Foster pa...@quillandmouse.com wrote:

 (Or maybe I've completely misread what you're trying to do.)

Yes you did, but never mind :)
 
 Paul
 
 -- 
 Paul M. Foster
 



[PHP] Fixing the path

2009-09-11 Thread Rico Secada
Hi.

Some time ago I developed a small web application that a bunch of users
have installed.

I have always used the DOCUMENT_ROOT for my includes, but the other day
I installed the application in a subdirectory, and as you've guessed a
lot of the includes didn't work.

I have been reading up on the subject of absolute vs. relative paths
etc. And on the subject of defining your own document root.

I need the application to be as user friendly as possible, and I would
like to avoid having users enter path details in the configuration.

What is the best way to solve this problem?

Best regards.

Rico.




[PHP] Memcached is driving me nuts

2008-11-24 Thread Rico Secada
Hi.

This post has also been posted on the Debian list.

I have two different Debian Etch machines running with the exact same
packages installed. When I use PHP memcached with compression (zlib) it
works on one machine but not the other. No errors are thrown. 

I need to know why it is only working on one machine and not the other.

I am talking about the MEMCACHE_COMPRESSED flag if anyone knows about
this.

I am using this small script to test with:

<?php
error_reporting(E_ALL);

$memcached = new Memcache;

$memcached->connect('localhost', 11211);

$version = $memcached->getVersion();
print ("<p>Memcached version: " . $version . "</p>");

//  $memcached->flush();

$output = $memcached->get('var_key');

if (empty($output)) {

    // Store the value compressed (zlib) for one hour.
    $memcached->set('var_key', 'Hello I am Memcached',
        MEMCACHE_COMPRESSED, 3600);

    print ("Memcached has just been set!");

} else {

    print ("Memcached is already set with this value: $output");

}
?>

If I disable the compression flag (using the 'false' value or zero
value) on the failing machine, all works correctly, but when I enable
it like in the above script it fails without error.

I have also tried running memcached with -vv options, and checked the
log, but no errors show up.

I am suspecting that zlib isn't working right on the failing machine,
but using phpinfo() it shows that zlib is enabled.

On both machines the following packages are installed:

ii  libcompress-zlib-perl   1.42-2
ii  libio-zlib-perl         1.04-1
ii  zlib1g                  1.2.3-13

ii  libapache2-mod-php5     5.2.0-8+etch13
ii  php5                    5.2.0-8+etch13
ii  php5-common             5.2.0-8+etch13
ii  php5-gd                 5.2.0-8+etch13
ii  php5-imagick            0.9.11+1-4.1
ii  php5-memcache           2.0.1-1.1
ii  php5-mysql              5.2.0-8+etch13
ii  php5-pgsql              5.2.0-8+etch13

Any help in understanding what is going on would be greatly
appreciated.

Best regards.

Rico









Re: [PHP] Re: Memcached is driving me nuts

2008-11-24 Thread Rico Secada
On Mon, 24 Nov 2008 15:13:32 -0500
Al [EMAIL PROTECTED] wrote:

 Try debug_backtrace()

Thanks for your reply.

I get an empty array:

array(0) { } 
 
 Rico Secada wrote:
  Hi.
  
  This post has also been posted on the Debian list.
  
  I have two different Debian Etch machines running with the exact
  same packages installed. When I use PHP memcached with compression
  (zlib) it works on one machine but not the other. No errors are
  thrown. 
  
  I need to know why it is only working on one machine and not the
  other.
  
  I am talking about the MEMCACHE_COMPRESSED flag if anyone knows
  about this.
  
  I am using this small script to test with:
  
  <?php
  error_reporting(E_ALL);
  
  $memcached = new Memcache;
  
  $memcached->connect('localhost', 11211);
  
  $version = $memcached->getVersion();
  print ("<p>Memcached version: " . $version . "</p>");
  
  //  $memcached->flush();
  
  $output = $memcached->get('var_key');
  
  if (empty($output)) {
  
      // Store the value compressed (zlib) for one hour.
      $memcached->set('var_key', 'Hello I am Memcached',
          MEMCACHE_COMPRESSED, 3600);
  
      print ("Memcached has just been set!");
  
  } else {
  
      print ("Memcached is already set with this value: $output");
  
  }
  ?>
  
  If I disable the compression flag (using the 'false' value or zero
  value) on the failing machine, all works correctly, but when I
  enable it like in the above script it fails without error.
  
  I have also tried running memcached with -vv options, and checked
  the log, but no errors show up.
  
  I am suspecting that zlib isn't working right on the failing
  machine, but using phpinfo() it shows that zlib is enabled.
  
  On both machines the following packages are installed:
  
  ii  libcompress-zlib-perl   1.42-2
  ii  libio-zlib-perl         1.04-1
  ii  zlib1g                  1.2.3-13
  
  ii  libapache2-mod-php5     5.2.0-8+etch13
  ii  php5                    5.2.0-8+etch13
  ii  php5-common             5.2.0-8+etch13
  ii  php5-gd                 5.2.0-8+etch13
  ii  php5-imagick            0.9.11+1-4.1
  ii  php5-memcache           2.0.1-1.1
  ii  php5-mysql              5.2.0-8+etch13
  ii  php5-pgsql              5.2.0-8+etch13
  
  Any help in understanding what is going on would be greatly
  appreciated.
  
  Best regards.
  
  Rico
  
  
  
  
  
 