Re: [PHP] Re: PHP does not work??
> I forgot to point out another disadvantage of turning on register_globals apart from that of security is that when you are sending a page with a form to the same page, e.g.:
>
> <form name=whatever action=$PHP_SELF method=post>
>
> there is a tendency to lose info. E.g. if you are sending text separated by spaces you only manage to send the first word. This can be overcome by using the htmlspecialchars('value') method to evaluate value... Turning on globals is to make the coding easier but has a good deal of disadvantages...

register_globals on or off is completely irrelevant to using urlencode (GET) or htmlentities (POST) to send properly formatted strings to the browser.

If you want to delude yourself that register_globals off significantly increases security, go ahead, but don't claim that it somehow fixes badly-encoded HTML. It doesn't.

--
Like Music? http://l-i-e.com/artists.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
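Added example (not part of the thread): the encoding point made in the reply above, written out in PHP. The field name `comment`, the page name `test.php` and the sample string are constructed for illustration.

```php
<?php
// Added illustration, not code from the thread. Names and sample data are constructed.

/** Escape a string for use inside a double-quoted HTML attribute or as text. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

/** Self-posting form that echoes back the previously submitted value. */
function render_form(string $self, string $comment): string
{
    // $self is escaped too: PHP_SELF is derived from the request URL.
    return '<form name="whatever" action="' . h($self) . '" method="post">'
         . '<input type="text" name="comment" value="' . h($comment) . '">'
         . '<input type="submit"></form>';
}

/** Hyperlink that carries the same value as GET data. */
function render_link(string $page, string $data): string
{
    return '<a href="' . h($page . '?data=' . urlencode($data)) . '">' . h($data) . '</a>';
}

// Constructed input: spaces, a double quote and markup characters.
$comment = 'first second "third" <b>';

// What the thread describes: an unquoted, unescaped attribute value. The
// browser ends the value at the first space, so only "first" is sent back.
$broken = '<input type=text name=comment value=' . $comment . '>';

// register_globals plays no part here: the value comes from $_POST when a
// real request is present, and the fix is in how it is written into HTML.
$submitted = isset($_POST['comment']) && is_string($_POST['comment'])
    ? $_POST['comment'] : $comment;

echo $broken, "\n";
echo render_form('/test.php', $submitted), "\n";
echo render_link('test.php', $submitted), "\n";
```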
Re: [PHP] Re: PHP does not work??
Not a problem, I can make some code modification. Sometimes it is better to do it now and not have so much headache later on when more features are being added.

Scott

Kondwani Spike Mkandawire [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> I forgot to point out another disadvantage of turning on register_globals apart from that of security is that when you are sending a page with a form to the same page, e.g.:
>
> <form name=whatever action=$PHP_SELF method=post>
>
> there is a tendency to lose info. E.g. if you are sending text separated by spaces you only manage to send the first word. This can be overcome by using the htmlspecialchars('value') method to evaluate value... Turning on globals is to make the coding easier but has a good deal of disadvantages...
>
> Spike...
>
> Scott Fletcher [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> > Um, alright, I'll just leave the code in the hyperlink the way it is. It is not possible to use the form or post of some sort for the hyperlink. form will work with the submit button where we can use post or hidden. Hyperlink meant words or sentences that have underline underneath it, when clicked will go to a different webpage.
> >
> > Thanks,
> > Scott
> >
> > Erik Price [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> > > On Wednesday, June 26, 2002, at 02:56 PM, Scott Fletcher wrote:
> > > > I tried that and it worked. I have one question, what about the hyperlink? People will see the option in the hyperlink. You know. Is there a way around it to hide that in the hyperlink?
> > >
> > > If by hyperlink you mean the URL in the URL bar of their browser, correct -- people will see it. That GET data is part of the URL, sort of. Most browsers will not display POST data to their users (easily) but it's never truly hidden from view. Any data that your users are sending to you, whether it's GET, POST, or COOKIE, is data that they can see.
> > >
> > > Erik
> > >
> > > Erik Price
> > > Web Developer Temp
> > > Media Lab, H.H. Brown
> > > [EMAIL PROTECTED]
Re: [PHP] Re: PHP does not work??
Not a problem! I can make some adjustment to the $user_detail[''] (session_id()) to make it work as $_SESSION[''].

Scott

Erik Price [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> On Wednesday, June 26, 2002, at 02:37 PM, Scott Fletcher wrote:
> > I didn't know that. Thanks for the info. I think it would be best that I not use php.ini.
>
> On the contrary, I think it would be best if you read through it and read about it at http://www.php.net/manual/en/configuration.php . Putting it off will only cause you trouble in the long run.
>
> > I can write the script to register the variable. What would be a demo script that would work? I'm having a little trouble understanding that on the php.net website. Most of the scripts that use global variables came from hyperlinks. I have no form method like post or get.
>
> If it doesn't have post or get, then your data is probably in the $_GET array. But you should always use the method attribute of the form tag.
>
> > I have one website that uses session. Like session_start(), session_register(), etc. How would this be affected and what is the work around to this one.
>
> You now refer to a session variable as $_SESSION['variablename'].
>
> Erik
>
> Erik Price
> Web Developer Temp
> Media Lab, H.H. Brown
> [EMAIL PROTECTED]
Re: [PHP] Re: PHP does not work??
I forgot to point out another disadvantage of turning on register_globals apart from that of security is that when you are sending a page with a form to the same page, e.g.:

<form name=whatever action=$PHP_SELF method=post>

there is a tendency to lose info. E.g. if you are sending text separated by spaces you only manage to send the first word. This can be overcome by using the htmlspecialchars('value') method to evaluate value... Turning on globals is to make the coding easier but has a good deal of disadvantages...

Spike...

Scott Fletcher [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> Um, alright, I'll just leave the code in the hyperlink the way it is. It is not possible to use the form or post of some sort for the hyperlink. form will work with the submit button where we can use post or hidden. Hyperlink meant words or sentences that have underline underneath it, when clicked will go to a different webpage.
>
> Thanks,
> Scott
>
> Erik Price [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> > On Wednesday, June 26, 2002, at 02:56 PM, Scott Fletcher wrote:
> > > I tried that and it worked. I have one question, what about the hyperlink? People will see the option in the hyperlink. You know. Is there a way around it to hide that in the hyperlink?
> >
> > If by hyperlink you mean the URL in the URL bar of their browser, correct -- people will see it. That GET data is part of the URL, sort of. Most browsers will not display POST data to their users (easily) but it's never truly hidden from view. Any data that your users are sending to you, whether it's GET, POST, or COOKIE, is data that they can see.
> >
> > Erik
> >
> > Erik Price
> > Web Developer Temp
> > Media Lab, H.H. Brown
> > [EMAIL PROTECTED]
[PHP] Re: PHP does not work??
I'm using UNIX, not windows, so there is no php.ini in UNIX. I only use the ./configure command which is

-- snip --
./configure --with-apache=../apache_1.3.26 --with-ibm-db2=/usr/lpp/db2_06_01 --with-openssl=../openssl-0.9.6d --with-mcrypt=../../lib --without-mysql --with-config-file-path=/etc --enable-track-vars --with-curl=../../lib --with-xml
--snip--

Then I went on to compile the PHP, then Apache, etc. Since from recent post, there was some talk about register_globals. I'm not familiar with that so I will find out what that is, and what that is used for. If anyone knows, can anyone tell me what it does?

Thanks.
Scott

Scott Fletcher [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> Hi!
>
> I downloaded the newer version of PHP and compiled it. The php is working great! But there is one problem. When I use the hyperlink, test.php?data=yes and I go to this page, test.php but there is no data in this variable, $data. So, the web page I have, most of them are all thrown off because of this. I use PHP version 4.2.1.
>
> Is there a bug in this PHP version??? Or some changes in PHP that I'm not aware of? Let me know!
>
> Thanks,
> Scott
RE: [PHP] Re: PHP does not work??
[snip]
I'm using UNIX, not windows, so there is no php.ini in UNIX.
[/snip]

Look here /etc/apache/php.ini-dist or /etc/apache/php.ini. There is an ini file for PHP, and you may have to rename php.ini-dist to php.ini. Once done, look for

    ; You should do your best to write your scripts so that they do not require
    ; register_globals to be on; Using form variables as globals can easily lead
    ; to possible security problems, if the code is not very well thought of.
    register_globals = Off

Setting Off to On will let your scripts continue to work, once you have restarted your server of course. You really should, due to security considerations, leave this set to Off and reconfigure your variables as stated in other e-mails. Since this will probably take some time you can leave register_globals on until you're finished with that project.

HTH!

Jay
Re: [PHP] Re: PHP does not work??
On Wednesday, June 26, 2002, at 02:13 PM, Scott Fletcher wrote:
> I'm using UNIX, not windows, so there is no php.ini in UNIX.

Sorry, don't take offense if I ask if you've been living under a rock -- I only use Linux, and there is definitely a php.ini file that you use. I put mine in /usr/local/lib/ . If you follow the source install instructions, you will see that the last step is:

$ cp php.ini-dist /usr/local/lib/php.ini

Yep, that means you're supposed to copy php.ini-dist to a dir on your server. This is your configuration file, where register_globals and a million other configuration directives are decided... ?

Erik

Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]
Re: [PHP] Re: PHP does not work??
I didn't know that. Thanks for the info. I think it would be best that I not use php.ini. I can write the script to register the variable. What would be a demo script that would work? I'm having a little trouble understanding that on the php.net website. Most of the scripts that use global variables came from hyperlinks. I have no form method like post or get.

I have one website that uses session. Like session_start(), session_register(), etc. How would this be affected and what is the work around to this one.

Thanks,
Scott

Jay Blanchard [EMAIL PROTECTED] wrote in message news:002901c21d3e$0bba45d0$8102a8c0@niigziuo4ohhdt...
> [snip]
> I'm using UNIX, not windows, so there is no php.ini in UNIX.
> [/snip]
>
> Look here /etc/apache/php.ini-dist or /etc/apache/php.ini. There is an ini file for PHP, and you may have to rename php.ini-dist to php.ini. Once done, look for
>
>     ; You should do your best to write your scripts so that they do not require
>     ; register_globals to be on; Using form variables as globals can easily lead
>     ; to possible security problems, if the code is not very well thought of.
>     register_globals = Off
>
> Setting Off to On will let your scripts continue to work, once you have restarted your server of course. You really should, due to security considerations, leave this set to Off and reconfigure your variables as stated in other e-mails. Since this will probably take some time you can leave register_globals on until you're finished with that project.
>
> HTH!
>
> Jay
Re: [PHP] Re: PHP does not work??
Hi Erik!

This is my 2nd posting, not sure what happened to my first one. Sorry about not seeing your previous posting before. Windows crashed on me. My fault.

I didn't know we can use php.ini in UNIX or Linux. Cool! Haven't been using it on UNIX for a long time. I think I can leave it out for now and make some changes to the scripts instead. When I saw the php.ini on Windows, I couldn't believe of so many configuration. So, I think it will be helpful to make some changes to the website and keep it simple for someone who will take my place as webmaster.

Saw your comments about _GET['data']. I tried that and it worked. I have one question, what about the hyperlink? People will see the option in the hyperlink. You know. Is there a way around it to hide that in the hyperlink? Just curious.

Thanks,
Scott

Erik Price [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> On Wednesday, June 26, 2002, at 02:13 PM, Scott Fletcher wrote:
> > I'm using UNIX, not windows, so there is no php.ini in UNIX.
>
> Sorry, don't take offense if I ask if you've been living under a rock -- I only use Linux, and there is definitely a php.ini file that you use. I put mine in /usr/local/lib/ . If you follow the source install instructions, you will see that the last step is:
>
> $ cp php.ini-dist /usr/local/lib/php.ini
>
> Yep, that means you're supposed to copy php.ini-dist to a dir on your server. This is your configuration file, where register_globals and a million other configuration directives are decided... ?
>
> Erik
>
> Erik Price
> Web Developer Temp
> Media Lab, H.H. Brown
> [EMAIL PROTECTED]
Re: [PHP] Re: PHP does not work??
There is no feasible way to hide data being submitted to your website. Anything that a user's browser can send, the user can telnet to port 80 of your server and spoof.

You can try POSTing data, which will not appear in the URL, but don't even waste time trying to hide submitted data, rather, build a stronger backend.

--
Scott Hurring
Systems Programmer
EAC Corporation
scott (*) eac.com
--

Scott Fletcher [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> Hi Erik!
>
> This is my 2nd posting, not sure what happened to my first one. Sorry about not seeing your previous posting before. Windows crashed on me. My fault.
>
> I didn't know we can use php.ini in UNIX or Linux. Cool! Haven't been using it on UNIX for a long time. I think I can leave it out for now and make some changes to the scripts instead. When I saw the php.ini on Windows, I couldn't believe of so many configuration. So, I think it will be helpful to make some changes to the website and keep it simple for someone who will take my place as webmaster.
>
> Saw your comments about _GET['data']. I tried that and it worked. I have one question, what about the hyperlink? People will see the option in the hyperlink. You know. Is there a way around it to hide that in the hyperlink? Just curious.
>
> Thanks,
> Scott
>
> Erik Price [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> > On Wednesday, June 26, 2002, at 02:13 PM, Scott Fletcher wrote:
> > > I'm using UNIX, not windows, so there is no php.ini in UNIX.
> >
> > Sorry, don't take offense if I ask if you've been living under a rock -- I only use Linux, and there is definitely a php.ini file that you use. I put mine in /usr/local/lib/ . If you follow the source install instructions, you will see that the last step is:
> >
> > $ cp php.ini-dist /usr/local/lib/php.ini
> >
> > Yep, that means you're supposed to copy php.ini-dist to a dir on your server. This is your configuration file, where register_globals and a million other configuration directives are decided... ?
> >
> > Erik
> >
> > Erik Price
> > Web Developer Temp
> > Media Lab, H.H. Brown
> > [EMAIL PROTECTED]
Re: [PHP] Re: PHP does not work??
On Wednesday, June 26, 2002, at 02:56 PM, Scott Fletcher wrote:
> I tried that and it worked. I have one question, what about the hyperlink? People will see the option in the hyperlink. You know. Is there a way around it to hide that in the hyperlink?

If by hyperlink you mean the URL in the URL bar of their browser, correct -- people will see it. That GET data is part of the URL, sort of. Most browsers will not display POST data to their users (easily) but it's never truly hidden from view. Any data that your users are sending to you, whether it's GET, POST, or COOKIE, is data that they can see.

Erik

Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]
Re: [PHP] Re: PHP does not work??
On Wednesday, June 26, 2002, at 02:37 PM, Scott Fletcher wrote:
> I didn't know that. Thanks for the info. I think it would be best that I not use php.ini.

On the contrary, I think it would be best if you read through it and read about it at http://www.php.net/manual/en/configuration.php . Putting it off will only cause you trouble in the long run.

> I can write the script to register the variable. What would be a demo script that would work? I'm having a little trouble understanding that on the php.net website. Most of the scripts that use global variables came from hyperlinks. I have no form method like post or get.

If it doesn't have post or get, then your data is probably in the $_GET array. But you should always use the method attribute of the form tag.

> I have one website that uses session. Like session_start(), session_register(), etc. How would this be affected and what is the work around to this one.

You now refer to a session variable as $_SESSION['variablename'].

Erik

Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]
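Added example, not code from the thread: the `$_GET` and `$_SESSION` access described in the message above, combined with the server-side checking that "build a stronger backend" in the earlier reply points to. The parameter `is_admin`, the session key `last_choice` and the allow-list are hypothetical; the URL shape `test.php?data=yes` is the one from the original question.

```php
<?php
// Added illustration, not code from the thread. Hypothetical page: test.php?data=yes

/**
 * Read one request parameter from an explicit source array and accept it
 * only if it is on an allow-list; anything else falls back to a default.
 */
function request_value(array $source, string $name, array $allowed, string $default): string
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return $default;
    }
    return in_array($source[$name], $allowed, true) ? $source[$name] : $default;
}

// Under the CLI there is no real request, so use constructed sample input.
if (PHP_SAPI === 'cli') {
    $_GET = ['data' => 'yes', 'is_admin' => '1'];   // constructed
    $_SESSION = [];                                  // stands in for a started session
} else {
    session_start();   // session_register() is replaced by assigning to $_SESSION
}

// With register_globals = Off, ?is_admin=1 stays inside $_GET and never
// becomes $is_admin, so a flag the script forgot to initialise cannot be
// set from the URL. The flag is read from server-side session state only.
$is_admin = isset($_SESSION['is_admin']) && $_SESSION['is_admin'] === true;

// The visible GET value is treated as untrusted and checked, not hidden.
$data = request_value($_GET, 'data', ['yes', 'no'], 'no');
$_SESSION['last_choice'] = $data;

echo 'data=', $data, ' admin=', var_export($is_admin, true), "\n";
```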
Re: [PHP] Re: PHP does not work??
Um, alright, I'll just leave the code in the hyperlink the way it is. It is not possible to use the form or post of some sort for the hyperlink. form will work with the submit button where we can use post or hidden. Hyperlink meant words or sentences that have underline underneath it, when clicked will go to a different webpage.

Thanks,
Scott

Erik Price [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> On Wednesday, June 26, 2002, at 02:56 PM, Scott Fletcher wrote:
> > I tried that and it worked. I have one question, what about the hyperlink? People will see the option in the hyperlink. You know. Is there a way around it to hide that in the hyperlink?
>
> If by hyperlink you mean the URL in the URL bar of their browser, correct -- people will see it. That GET data is part of the URL, sort of. Most browsers will not display POST data to their users (easily) but it's never truly hidden from view. Any data that your users are sending to you, whether it's GET, POST, or COOKIE, is data that they can see.
>
> Erik
>
> Erik Price
> Web Developer Temp
> Media Lab, H.H. Brown
> [EMAIL PROTECTED]