php-general Digest 18 Feb 2003 11:24:19 -0000 Issue 1890

Topics (messages 135917 through 135978):

Re: Protecting files
        135917 by: Luke Woollard
        135918 by: Bryan Lipscy
        135919 by: Bryan Lipscy
        135920 by: Luke Woollard
        135921 by: Ray Hunter
        135927 by: Justin French
        135950 by: Peter Janett
        135956 by: Nate
        135957 by: Bryan Lipscy
        135958 by: Nate

Re: What happened to phpEdit???
        135922 by: Al
        135923 by: Chase Urich
        135926 by: John Nichel
        135928 by: John Wells
        135959 by: Ernest E Vogelsinger

Re: pro-rated date
        135924 by: Tom Rogers

Re: session cookie that never expires
        135925 by: Jason Sheets
        135933 by: Justin French
        135936 by: Jason Sheets
        135938 by: Justin French

Re: MD5 Password Login Driving me Crazy
        135929 by: Justin French

Counter has gremlins
        135930 by: Brian V Bonini
        135932 by: Jason Sheets
        135934 by: Andrew Brampton

Re: MD5 Passwords (How it works?)
        135931 by: Justin French
        135935 by: Jason Sheets
        135937 by: Justin French
        135952 by: Jason Wong

Getting around the LOAD DATA LOCAL with MySQL 3.23.49 + using PHP?
        135939 by: Peter Janett

file-upload.errors
        135940 by: Nate
        135942 by: Marco Tabini
        135946 by: Jason Wong
        135949 by: Nate

Re: image creation error
        135941 by: Michael P. Carel
        135944 by: Jason Wong
        135953 by: Hugh Danaher

Sessions and phplib.
        135943 by: Vincent M.
        135948 by: Jason Sheets

invalid argument supplied for  foreach()
        135945 by: Lynn
        135947 by: Jason Wong
        135960 by: Ernest E Vogelsinger

Re: browser identification problem
        135951 by: Jason Wong
        135961 by: Ernest E Vogelsinger

Re: mail function - using remote smtp in php.ini
        135954 by: Jason Wong

vni -> unicode
        135955 by: Jimmy Brake

Array not working
        135962 by: Chris Blake
        135965 by: Ernest E Vogelsinger

Re: [PHP-DOC] Urgent....plz]
        135963 by: didou.keliglia.com
        135966 by: Ernest E Vogelsinger

Problem with array variables in forms
        135964 by: Chris Pudney

Re: Text data truncated after first blank character in  form fields
        135967 by: rentAweek support
        135968 by: rentAweek support
        135973 by: Ernest E Vogelsinger

diksha's problem
        135969 by: DIKSHA  NEEL

inserting <BR>
        135970 by: Michael P. Carel
        135972 by: Kevin Waterson
        135974 by: Ernest E Vogelsinger

$_SESSIONS and printing off..
        135971 by: Frank Keessen
        135976 by: Rich Gray

Re: safe mode
        135975 by: Nenad Djordjevic

What are the functions to copy a directory structure & then rename?
        135977 by: Rea_David.emc.com

is "http://username:[EMAIL PROTECTED]/secure_area/"; secure ?
        135978 by: Shams

Administrivia:

To subscribe to the digest, e-mail:
        [EMAIL PROTECTED]

To unsubscribe from the digest, e-mail:
        [EMAIL PROTECTED]

To post to the list, e-mail:
        [EMAIL PROTECTED]


----------------------------------------------------------------------
--- Begin Message ---
If you want to hide the content of an .inc or other file that contains PHP
code simply rename it with a .php

ie: config.inc becomes config.inc.php

the server will parse the file as PHP now and not allow users to download
it...

Alternatively you can protect a directory with a .htaccess file if you are
using apache.

See: http://httpd.apache.org/docs/howto/htaccess.html



-----Original Message-----
From: PR [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 18 February 2003 8:18 AM
To:
Subject: [PHP] Protecting files


Hello,

How can I protect my php files among other files like templates
(.inc) and mysql config  (config.inc) files being copied/read/imported
(front page)/used by other applications other than my site...

can this be done by htaccess? if so, could anyone point me into right
direction?

--
Thank you,
 Paul



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



--- End Message ---
--- Begin Message ---
>How can I protect my php files among other files like templates
>(.inc) and mysql config  (config.inc) files being copied/read/imported 
>(front page)/used by other applications other than my site...
>can this be done by htaccess? is so , could anyone point me into right 
>direction?


I have renamed my sensitive (those containing l/p for mail and mysql)
files to .php and constructed them to render a blank page if ever
directly called.  

Something like this:
<?php
        // All the sensitive code
        $db_login = "user";
        $db_pwd = "password";
        $mail_login = "mail";
        $mail_pwd = "pass";
?>

<html><head></head><body></body></html>


I do not think that -r to everyone would work in that Apache still needs
to read the file when included by another script.

Still looking for a better way.  What concerns me the most is if a code
disclosure bug is later discovered in 4.3.0 or another version.  

Bryan


--- End Message ---
--- Begin Message ---
CAPS


>How can I protect my php files among other files like templates
>(.inc) and mysql config  (config.inc) files being copied/read/imported
>(front page)/used by other applications other than my site...
>can this be done by htaccess? is so , could anyone point me into right
>direction?

I have renamed my sensitive (those containing l/p for mail and mysql)
files to .php and constructed them to render a blank page if ever
directly called.

Something like this:
<?
        All the sensitive code
        $db_login = "user";
        $db_pwd = "password";
        $mail_login = "mail";
        $mail_pwd = "pass";
?>

<html><head></head><body></body></html>

NO NEED TO PUT THE HTML TAGS IN..


I do not think that -r to everyone would work in that Apache still needs
to read the file when included by another script.

Still looking for a better way.  What concerns me the most is if a code
disclosure bug is later discovered in 4.3.0 or another version.

I WOULDNT WORRY TOO MUCH - THIS IS PRETTY BASIC.
BTW: IF YOU PROTECT FILES WITH HTACCESS AND YOU NEED TO INCLUDE SOME OF THEM
TO SERVE PAGES (IE: CONNECT TO DB,ETC) THEN THE USER WILL BE PROMPTED FOR A
PASSWORD. YOU WONT WANT THIS.


Bryan

--- End Message ---
--- Begin Message ---
Try putting your config files in a directory outside of the root
web directory and access the files via the include_path directive in the
php.ini file.

If you don't have access you can create a .htaccess file or set the
configuration in a php script that is run before your other scripts.

http://www.php.net/manual/en/configuration.changes.php
http://www.php.net/manual/en/function.ini-set.php

That should help you out.

Ray

On Mon, 2003-02-17 at 14:17, PR wrote:
> Hello,
> 
> How can I protect my php files among other files like templates
> (.inc) and mysql config  (config.inc) files being copied/read/imported (front
> page)/used by other applications other than my
> site...
> 
> can this be done by htaccess? is so , could anyone point me into right
> direction?
> 
> -- 
> Thank you,
>  Paul

--- End Message ---
--- Begin Message ---
My preference

1. if possible, store the files above your public_html directory (doc
root)... this means they cannot be served over http:// by apache, if that
isn't possible:

2. use .htaccess to either block the entire directory of includes, or all
*.inc files, or whatever you think is best.  Personally, I block *.inc
across all my sites, via a .htaccess file in the doc root:

<Files ~ "\.inc$">
    Order Allow,Deny
    Deny from all
</Files>

3. I don't think permissions (chmod) of the file will help much, since
apache needs to read the files for them to be included... you should make
sure that other users on the server cannot include() your .inc files from
their account... if they can, find a new ISP ASAP, because they're obviously
DUMB.


I personally don't like the idea of naming all inc files *.php, because
there is a CHANCE that they might be executed out of context (imagine if you
had an include file which (stupidly) worked fine within the context of your
whole site, but accidentally deleted a whole table of data if executed on
its own... YUK!!).

The upside of naming them .php is that if the server's sys admin accidentally
takes away permission for .htaccess files, or you accidentally delete your
own .htaccess file, you're still protected.


Perhaps you could consider BOTH:

<Files ~ "\.inc\.php$">
    Order Allow,Deny
    Deny from all
</Files>

... this will prevent them being served at all... in the event that the
.htaccess is deleted or disabled, you can rest easy that PHP will parse
them, so that they cannot see the raw file.


By the way, this has been discussed in the archives MANY times, so do some
background research first... or even right now :)


Justin



on 18/02/03 8:17 AM, PR ([EMAIL PROTECTED]) wrote:

> Hello,
> 
> How can I protect my php files among other files like templates
> (.inc) and mysql config  (config.inc) files being copied/read/imported (front
> page)/used by other applications other than my
> site...
> 
> can this be done by htaccess? is so , could anyone point me into right
> direction?

--- End Message ---
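
A check that follows from the advice in the message above, added here as an example (it is not code from the thread): walk a document root and report files that contain PHP code but do not end in an extension the server hands to PHP, which is the case where a direct request returns the source. The function name, the `$parsedExts` list and the sample tree are assumptions, and the check looks only at the final extension.

```php
<?php
// Added example, not code from the thread.

/**
 * @param string   $docRoot    directory served by the web server
 * @param string[] $parsedExts extensions mapped to the PHP handler (assumption)
 * @return string[] paths, relative to $docRoot, that would be served as source
 */
function findExposedIncludes(string $docRoot, array $parsedExts = ['php']): array
{
    $root    = rtrim($docRoot, '/\\');
    $exposed = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        // config.inc.php ends in "php" and is skipped; config.inc is inspected.
        if (in_array(strtolower($file->getExtension()), $parsedExts, true)) {
            continue;
        }
        // Read only the head of the file; an opening tag sits near the top.
        $head = (string) file_get_contents($file->getPathname(), false, null, 0, 65536);
        // Matches "<?php", "<?=" and the short tag "<? ", but not "<?xml".
        if (preg_match('/<\?(php\b|=|\s)/i', $head)) {
            $exposed[] = substr($file->getPathname(), strlen($root) + 1);
        }
    }
    sort($exposed);
    return $exposed;
}

// --- demonstration on a constructed tree ---
$root = sys_get_temp_dir() . '/docroot_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/includes', 0700, true);
file_put_contents("$root/index.php", '<?php require "includes/config.inc.php";');
file_put_contents("$root/includes/config.inc", '<?php $db_pwd = "password";');
file_put_contents("$root/includes/config.inc.php", '<?php $db_pwd = "password";');
file_put_contents("$root/includes/header.inc", '<h1>static template</h1>');

foreach (findExposedIncludes($root) as $path) {
    echo "served as source if requested directly: $path\n";
}

// Remove the constructed tree again.
$cleanup = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($cleanup as $entry) {
    $entry->isDir() ? rmdir($entry->getPathname()) : unlink($entry->getPathname());
}
rmdir($root);
```

Files it reports are candidates for the fixes listed in the thread: move them above the document root, block them with a `<Files>` rule, or rename them so PHP parses them.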
--- Begin Message ---
The issue here is that Apache is running as a single user, so that single
user must be able to read all php scripts it wants to parse.  So, putting
the files in non htdocs directory can help a little, but Apache still can
read them, if anyone else on the server asks apache to.

The real way to protect files is with permissions, AND using some sort of
CGI wrapper or suEXEC.  That allows each virtual host in Apache to run as the
user that owns the files.  That way you can say "Only my apache user can
read my files" so all the other hosts on the site can't have apache reading
your files.

The problem, although I'm still foggy on this, is that these CGI wrappers
and suEXEC ONLY work with CGI applications.  So, if you run php as an Apache
module, the wrappers won't work.  If I'm wrong about that, please let me
know.

There are some user notes about this here:
http://www.php.net/manual/sl/function.fopen.php

HTH,

Peter Janett

New Media One Web Services
http://www.newmediaone.net
[EMAIL PROTECTED]
(303)828-9882



----- Original Message -----
From: "Justin French" <[EMAIL PROTECTED]>
To: "Pax" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, February 17, 2003 5:40 PM
Subject: Re: [PHP] Protecting files


> My preference
>
> 1. if possible, store the files above your public_html directory (doc
> root)... this means they cannot be over http:// by apache, if that isn't
> possible:
>
> 2. use .htaccess to either block the entire directory of includes, or all
> *.inc files, or whatever you think is best.  Personally, I block *.inc
> across all my sites, via a .htaccess file in the doc root:
>
> <Files ~ "\.inc$">
>     Order Allow,Deny
>     Deny from all
> </Files>
>
> 3. I don't think permissions (chmod) of the file will help much, since
> apache needs to read the files for them to be included... you should make
> sure that other users on the server cannot include() your .inc files from
> their account... if they can, find a new ISP ASAP, because they're
> obviously DUMB.
>
>
> I personally don't like the idea of naming all inc files *.php, because
> there is a CHANCE that they might be executed out of context (imagine if
> you had an include file which (stupidly) worked fine within the context of
> your whole site, but accidentally deleted a whole table of data if executed
> on its own... YUK!!).
>
> The upside of naming them .php is that if the server's sys admin
> accidentally takes away permission for .htaccess files, or you accidentally
> delete your own .htaccess file, you're still protected.
>
>
> Perhaps you could consider BOTH:
>
> <Files ~ "\.inc\.php$">
>     Order Allow,Deny
>     Deny from all
> </Files>
>
> ... this will prevent them being served at all... in the event that the
> .htaccess is deleted or disabled, you can rest easy that PHP will parse
> them, so that they cannot see the raw file.
>
>
> By the way, this has been discussed in the archives MANY times, so do some
> background research first... or even right now :)
>
>
> Justin
>
>
>
> on 18/02/03 8:17 AM, PR ([EMAIL PROTECTED]) wrote:
>
> > Hello,
> >
> > How can I protect my php files among other files like templates
> > (.inc) and mysql config  (config.inc) files being copied/read/imported
> > (front page)/used by other applications other than my
> > site...
> >
> > can this be done by htaccess? is so , could anyone point me into right
> > direction?

--- End Message ---
--- Begin Message ---
Just something that crossed my mind a few times. What if another website
includes this file in their own php page. That site can't access those
variables can they? (I'm sure PHP wouldn't allow that but I need to put this
curiosity to rest)

Nate

"Bryan Lipscy" <[EMAIL PROTECTED]> wrote in message
news:005301c2d6dd$47a11250$6301a8c0@ukiuki...
>
> >How can I protect my php files among other files like templates
> >(.inc) and mysql config  (config.inc) files being copied/read/imported
> >(front page)/used by other applications other than my site...
> >can this be done by htaccess? is so , could anyone point me into right
> >direction?
>
>
> I have renamed my sensitive (those containing l/p for mail and mysql)
> files to .php and constructed them to render a blank page if ever
> directly called.
>
> Something like this:
> <?
> All the sensitive code
> $db_login = "user";
> $db_pwd = "password";
> $mail_login = "mail";
> $mail_pwd = "pass";
> ?>
>
> <html><head></head><body></body></html>
>
>
> I do not think that -r to everyone would work in that Apache still needs
> to read the file when included by another script.
>
> Still looking for a better way.  What concerns me the most is if a code
> disclosure bug is later discovered in 4.3.0 or another version.
>
> Bryan
>
>


--- End Message ---
--- Begin Message ---
That is called Cross-Site Scripting (XSS).
I have not been able to get access to the variables via an XSS exploit.
It appears that Apache renders the php code before sending off the
requesting include function.

I also like the .htaccess way of preventing user access to the scripts.
This is also worthy of further investigation.

Bryan

--- End Message ---
--- Begin Message ---
I wonder though, if they're on the same server but different sites. Like a
shared host environment. Aw, the things that bewilder the mind.

Nate

"Bryan Lipscy" <[EMAIL PROTECTED]> wrote in message
news:000001c2d710$81a68e20$6301a8c0@ukiuki...
> That is called Cross-Site Scripting (XSS).
> I have not been able to get access to the variables via an XSS exploit.
> It appears that Apache renders the php code before sending off the
> requesting include function.
>
> I also like the .htaccess way of preventing user access to the scripts.
> This is also worthy of further investigation.
>
> Bryan
>


--- End Message ---
--- Begin Message ---
Did you try the URL you posted?

I tried that one and several others listed for phpEdit.

All say the site is not responding.

Bryan Lipscy wrote:
> Did you check google?
> http://ozu.arecom-sa.com/~marms/phpedit.net/
>
> -----Original Message-----
> From: Al [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, February 16, 2003 8:39 AM
> To: [EMAIL PROTECTED]
> Subject: [PHP] What happened to phpEdit???
>
>
> Their site no longer responds.
>
> Surely, we haven't lost one of the best php editors.



--- End Message ---
--- Begin Message ---
It worked just fine for me, even just phpedit.net worked.

Chase
On Mon, 2003-02-17 at 18:21, Al wrote:
> Did you try the URL you posted?
> 
> I tried that one and several others listed for phpEdit.
> 
> All say the site is not responding.
> 
> Bryan Lipscy wrote:
> > Did you check google?
> > http://ozu.arecom-sa.com/~marms/phpedit.net/
> > 
> > -----Original Message-----
> > From: Al [mailto:[EMAIL PROTECTED]] 
> > Sent: Sunday, February 16, 2003 8:39 AM
> > To: [EMAIL PROTECTED]
> > Subject: [PHP] What happened to phpEdit???
> > 
> > 
> > Their site no longer responds.
> > 
> > Surely, we haven't lost one of the best php editors.
> > 
> > 
> 

--- End Message ---
--- Begin Message ---
It works fine for me.  So does www.phpedit.net

Al wrote:
> Did you try the URL you posted?
>
> I tried that one and several others listed for phpEdit.
>
> All say the site is not responding.
>
> Bryan Lipscy wrote:
>
>> Did you check google?
>> http://ozu.arecom-sa.com/~marms/phpedit.net/
>>
>> -----Original Message-----
>> From: Al [mailto:[EMAIL PROTECTED]]
>> Sent: Sunday, February 16, 2003 8:39 AM
>> To: [EMAIL PROTECTED]
>> Subject: [PHP] What happened to phpEdit???
>>
>>
>> Their site no longer responds.
>>
>> Surely, we haven't lost one of the best php editors.




--- End Message ---
--- Begin Message ---
Hmm...doesn't work here.  Interesting.  Partial blackout?

John Nichel said:
> It works fine for me.  So does www.phpedit.net
>
> Al wrote:
>> Did you try the URL you posted?
>>
>> I tried that one and several others listed for phpEdit.
>>
>> All say the site is not responding.
>>
>> Bryan Lipscy wrote:
>>
>>> Did you check google?
>>> http://ozu.arecom-sa.com/~marms/phpedit.net/
>>>
>>> -----Original Message-----
>>> From: Al [mailto:[EMAIL PROTECTED]] Sent: Sunday, February 16, 2003
>>> 8:39 AM
>>> To: [EMAIL PROTECTED]
>>> Subject: [PHP] What happened to phpEdit???
>>>
>>>
>>> Their site no longer responds.
>>>
>>> Surely, we haven't lost one of the best php editors.
>>>
>>>
>>
>>

--- End Message ---
--- Begin Message ---
At 01:38 18.02.2003, John Wells said:
--------------------[snip]--------------------
>Hmm...doesn't work here.  Interesting.  Partial blackout?
--------------------[snip]-------------------- 

The site is up, but there's a note that reads

A HARD DISK CRASH MADE ME LOOSE ALL MAILS SENDED TO [EMAIL PROTECTED]
BETWEEN 24th May 2002 and 10th January 2003. PLEASE RE-SEND THE MAILS OF
THIS PERIOD. 


-- 
   >O     Ernest E. Vogelsinger
   (\)    ICQ #13394035
    ^     http://www.vogelsinger.at/


--- End Message ---
--- Begin Message ---
Hi,

Tuesday, February 18, 2003, 7:03:37 AM, you wrote:

PC> Anybody have a quick way of determining the number of days remaining in
PC> the current month?

PC> I'm currently using:

PC>     $nextmonth = strftime("%Y-%m-01",strtotime("+1 month"));
PC>     $monthdays = strftime("%d",strtotime($nextmonth)-86400);
PC>     $daysleft  = $monthdays - strftime("%d",time());

PC> I can obviously compact things into a single line, but it's enormous and
PC> offends my sense of esthetics.  I was hoping I might be able to feed
PC> something funky like "first day of next month" to strtotime, but the gnu
PC> date input format isn't quite that flexible.

PC> Any advice?  Is there an *elegant* way of doing this?

PC> -- 
PC>   Paul Chvostek                                             <[EMAIL PROTECTED]>
PC>   Operations / Abuse / Whatever
PC>   it.canada, hosting and development                   http://www.it.ca/

This might get what you want, but to be accurate you will have to decide what to
do with the odd hours mins left over

$days = (strtotime("+1 month") - (date("d")* 86400) - time()) / 86400;

-- 
regards,
Tom

--- End Message ---
--- Begin Message ---
Making your session never expire is a bad idea, by doing this you are
most likely going to be using the same session id forever which gives
attackers a much longer amount of time to guess or brute force a session
id AND you will continue to use hard drive space and inodes on your
server because gc will never clean them up.

Also that means that anyone on any of these computers will be able to
access the user's information whether they really are that user or not.

Rather than making the session last forever you should force your users
to login and then load their session information, if you are putting
information into sessions that needs to be persistent between sessions
you should either store it in files or in a database and then load it
when you need it.

Jason
On Mon, 2003-02-17 at 07:40, Altug Sahin wrote:
> Hi there,
> 
> I have setup a site with session management but even the browser is closed
> or after the default time expiration of the session, the user should be able
> to see his/her personalized settings. I am not using any cookies.
> 
> How can I make this happen without changing my session related code? Should
> I combine cookies with sessions or can I make my sessions never expire even
> the browser is closed?
> 
> Thanks
> -Al

--- End Message ---
--- Begin Message ---
on 18/02/03 1:40 AM, Altug Sahin ([EMAIL PROTECTED]) wrote:

> Hi there,
> 
> I have setup a site with session management but even the browser is closed
> or after the default time expiration of the session, the user should be able
> to see his/her personalized settings. I am not using any cookies.
> 
> How can I make this happen without changing my session related code? Should
> I combine cookies with sessions or can I make my sessions never expire even
> the browser is closed?

Sessions are just that -- a single session, so no, a session cannot live
forever.  However a cookie can.  You *could* set a cookie with the user's uid
and pwd, and check for the cookie before asking the user to login, but
obviously there are some vulnerabilities to this, so it should be an OPTION
for users, rather than FORCED upon them... they should also be aware of the
risks.

One of many risks is the fact that if they're on a shared computer (library,
net cafe, work, school), others will:

a) be able to see their password and username by viewing the cookie

b) be able to login as the user to your site, and possibly many others using
those credentials



Justin 

--- End Message ---
--- Begin Message ---
You shouldn't store user password in cookies on a browser, instead a
more secure method for the user is:

On your login form offer the ability to be remembered, if they click the
"Remember Me" box generate a unique random ID (or 2 and combine them),
now store this ID in your database attached to their user account and
set a cookie on their browser with this ID.  Now when they come to your
website if they are not logged in your website checks for this unique id
in the cookie, if the cookie exists it references it against their user
account, if the unique id matches the system logs them in.  This method
is also nice because you can invalidate all automatic logins by clearing
the column in your database.

Please note the unique ID will still be sent in the clear so someone
sniffing the traffic could still pick it up, if you force them to login
once every n days it can help reduce this, also prompt for the password
for any critical events like changing their profile.

If you pass this over SSL you make it more secure because the traffic is
encrypted.

Jason
On Mon, 2003-02-17 at 17:55, Justin French wrote:
> on 18/02/03 1:40 AM, Altug Sahin ([EMAIL PROTECTED]) wrote:
> 
> > Hi there,
> > 
> > I have setup a site with session management but even the browser is closed
> > or after the default time expiration of the session, the user should be able
> > to see his/her personalized settings. I am not using any cookies.
> > 
> > How can I make this happen without changing my session related code? Should
> > I combine cookies with sessions or can I make my sessions never expire even
> > the browser is closed?
> 
> Sessions are just that -- a single session, so no, a session cannot live
> forever.  However a cookie can.  You *could* set a cookie with the users uid
> and pwd, and check for the cookie before asking the user to login, but
> obviously there are some vulnerabilities to this, so it should be an OPTION
> for users, rather than FORCED upon them... they should also be aware of the
> risks.
> 
> One of many risks is the fact that if they're on a shared computer (library,
> net cafe, work, school), others will:
> 
> a) be able to see their password and username by viewing the cookie
> 
> b) be able to login as the user to your site, and possibly many others using
> those credentials
> 
> 
> 
> Justin 

--- End Message ---
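
The "Remember Me" scheme described in the message above, as an added example that is not code from the thread: a random ID is issued at login, looked up when the cookie comes back, expires after n days, and can be revoked for a user in one step. The function names, cookie name, 14-day lifetime and the in-memory `$db` array are assumptions; storing only a hash of the ID and the cookie flags are hardening beyond what the post describes. Assumes PHP 7.3 or later.

```php
<?php
// Added example, not code from the thread. $db is an in-memory stand-in for
// the database column described above; its keys are SHA-256 hashes of the
// issued IDs.

const REMEMBER_COOKIE = 'remember_me'; // hypothetical cookie name
const REMEMBER_DAYS   = 14;            // the "n days" after which a login is forced

/** Called after a successful password login with "Remember Me" ticked. */
function issueRememberToken(array &$db, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    // Store only a hash, so a copy of the table does not yield usable cookies.
    $db[hash('sha256', $token)] = [
        'user_id' => $userId,
        'expires' => $now + REMEMBER_DAYS * 86400,
    ];
    return $token;
}

/** Options for setcookie(); "secure" keeps the ID off plain HTTP. */
function rememberCookieOptions(int $now): array
{
    return [
        'expires'  => $now + REMEMBER_DAYS * 86400,
        'path'     => '/',
        'secure'   => true,   // sent over TLS only
        'httponly' => true,   // not readable by page script
        'samesite' => 'Lax',
    ];
}

/** Returns the user id for a valid cookie value, or null. */
function userFromRememberCookie(array &$db, string $cookieValue, int $now): ?int
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $cookieValue)) {
        return null;                   // malformed value
    }
    $key = hash('sha256', $cookieValue);
    if (!isset($db[$key])) {
        return null;                   // unknown or revoked ID
    }
    if ($db[$key]['expires'] <= $now) {
        unset($db[$key]);              // expired: a password login is required
        return null;
    }
    // The caller should mark this session as cookie-authenticated and ask for
    // the password again before critical actions such as profile changes.
    return $db[$key]['user_id'];
}

/** "Clearing the column": drop every remembered login for one user. */
function revokeRememberTokens(array &$db, int $userId): void
{
    foreach ($db as $key => $row) {
        if ($row['user_id'] === $userId) {
            unset($db[$key]);
        }
    }
}

// --- demonstration with constructed values ---
$db    = [];
$now   = 1045526400;                   // constructed clock: 2003-02-18 00:00:00 UTC
$token = issueRememberToken($db, 42, $now);
// In a request handler the cookie would be sent with:
//   setcookie(REMEMBER_COOKIE, $token, rememberCookieOptions($now));

var_dump(userFromRememberCookie($db, $token, $now + 3600));            // returning visitor
var_dump(userFromRememberCookie($db, str_repeat('0', 64), $now));      // guessed value
var_dump(userFromRememberCookie($db, $token, $now + 15 * 86400));      // past n days

$token2 = issueRememberToken($db, 42, $now);
revokeRememberTokens($db, 42);
var_dump(userFromRememberCookie($db, $token2, $now));                  // after revocation
```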
--- Begin Message ---
Nice!!

Justin French

on 18/02/03 12:54 PM, Jason Sheets ([EMAIL PROTECTED]) wrote:

> You shouldn't store user password in cookies on a browser, instead a
> more secure method for the user is:
> 
> On your login form offer the ability to be remembered, if they click the
> "Remember Me" box generate a unique random ID (or 2 and combine them),
> now store this ID in your database attached to their user account and
> set a cookie on their browser with this ID.  Now when they come to your
> website if they are not logged in your website checks for this unique id
> in the cookie, if the cookie exists it references it against their user
> account, if the unique id matches the system logs them in.  This method
> is also nice because you can invalidate all automatic logins by clearing
> the column in your database.
> 
> Please note the unique ID will still be sent in the clear so someone
> sniffing the traffic could still pick it up, if you force them to login
> once every n days it can help reduce this, also prompt for the password
> for any critical events like changing their profile.
> 
> If you pass this over SSL you make it more secure because the traffic is
> encrypted.
> 
> Jason
> On Mon, 2003-02-17 at 17:55, Justin French wrote:
>> on 18/02/03 1:40 AM, Altug Sahin ([EMAIL PROTECTED]) wrote:
>> 
>>> Hi there,
>>> 
>>> I have setup a site with session management but even the browser is closed
>>> or after the default time expiration of the session, the user should be able
>>> to see his/her personalized settings. I am not using any cookies.
>>> 
>>> How can I make this happen without changing my session related code? Should
>>> I combine cookies with sessions or can I make my sessions never expire even
>>> the browser is closed?
>> 
>> Sessions are just that -- a single session, so no, a session cannot live
>> forever.  However a cookie can.  You *could* set a cookie with the users uid
>> and pwd, and check for the cookie before asking the user to login, but
>> obviously there are some vulnerabilities to this, so it should be an OPTION
>> for users, rather than FORCED upon them... they should also be aware of the
>> risks.
>> 
>> One of many risks is the fact that if they're on a shared computer (library,
>> net cafe, work, school), others will:
>> 
>> a) be able to see their password and username by viewing the cookie
>> 
>> b) be able to login as the user to your site, and possibly many others using
>> those credentials
>> 
>> 
>> 
>> Justin 

--- End Message ---
--- Begin Message ---
on 18/02/03 6:42 AM, Vernon ([EMAIL PROTECTED]) wrote:

> When the user goes to login into the page though I have the encrypted
> password echo to the page and they match except a 52 on the end of it which
> I am assuming is a space or something being picked up on submit or
> something. I recall there is a way to trim the field so that it doesn't pick
> up spaces but can't recall what it is. Anyone know what it is and if it
> could be that?

SEARCH THE MANUAL!!!

http://php.net/trim


Justin French


--- End Message ---
--- Begin Message ---
I have this basic counter: 

<?php 
    $counterFile = "./counter.txt"; 
    function displayCounter($counterFile) { 
            global  $counted; 
            $fp     = fopen($counterFile, 'rw'); 
            $num    = fgets($fp,7); 
            if (!$counted) { 
                    $num    += 1; 
                    unlink("$counterFile"); 
                    exec("echo $num > $counterFile"); 
            } 
            print "Visitor #$num"; 
    } 
    if (!file_exists($counterFile)) { 
            exec("echo 1 > $counterFile"); 
    } 
    displayCounter($counterFile); 
            
?> 

Works like a charm but every so often for no apparent reason it resets
to 0.

Anyone see anything wrong here to cause that?

--- End Message ---
--- Begin Message ---
You could be having problems with multiple users, if two visitors come
at the same time file locking problems come into play, one script could
unlink the file at the same time another script tries to open it
resulting in an empty file.

A database would be a better way to do this, but assuming you want to
stick with a text based counter instead of using rw and incrementing the
count you might consider opening the file in append mode and writing a
character to the file, then when you want to find out how many people
have visited count the lines in the file.

Using file based operations where you may have more than one user
operating on one file at the same time can get tricky so like I said
consider a database.

Jason
On Mon, 2003-02-17 at 17:45, Brian V Bonini wrote:
> I have this basic counter: 
> 
> <?php 
>     $counterFile = "./counter.txt"; 
>     function displayCounter($counterFile) { 
>             global  $counted; 
>             $fp     = fopen($counterFile, 'rw'); 
>             $num    = fgets($fp,7); 
>             if (!$counted) { 
>                     $num    += 1; 
>                     unlink("$counterFile"); 
>                     exec("echo $num > $counterFile"); 
>             } 
>             print "Visitor #$num"; 
>     } 
>     if (!file_exists($counterFile)) { 
>             exec("echo 1 > $counterFile"); 
>     } 
>     displayCounter($counterFile); 
>             
> ?> 
> 
> Works like a charm but every so often for no apparent reason it resets
> to 0.
> 
> Anyone see anything wrong here to cause that?

--- End Message ---
--- Begin Message ---
I believe this is a concurrency problem...
2 PHP scripts can run at the same time and the problem is that your first
script gets as far as the unlink thus deleting the file. Then the 2nd script
is ran (at the same time) and trys to open the file which doesn't exist,
therefore it reads a num of 0. Then control returns to script 1 which saves
the number num (which is a valid count), and finish... Script 2 continues
and saves the num 0, and therefore your counter gets reset.

It's all a problem of concurrency and the fact that more than one thing can
happen at a time.

There are a few solutions.
1) Use MySQL or another database which limits reading/writing to the data so
that problems like this do not occur.
2) Use a flocking method which locks the file between the reading and
writing so that no other script can interfere... I'm unsure on how good
this method is with PHP, so I suggest the first.

Andrew

----- Original Message -----
From: "Brian V Bonini" <[EMAIL PROTECTED]>
To: "PHP Lists" <[EMAIL PROTECTED]>
Sent: Tuesday, February 18, 2003 12:45 AM
Subject: [PHP] Counter has gremlins


> I have this basic counter:
>
> <?php
>     $counterFile = "./counter.txt";
>     function displayCounter($counterFile) {
>             global  $counted;
>             $fp     = fopen($counterFile, 'rw');
>             $num    = fgets($fp,7);
>             if (!$counted) {
>                     $num    += 1;
>                     unlink("$counterFile");
>                     exec("echo $num > $counterFile");
>             }
>             print "Visitor #$num";
>     }
>     if (!file_exists($counterFile)) {
>             exec("echo 1 > $counterFile");
>     }
>     displayCounter($counterFile);
>
> ?>
>
> Works like a charm but every so often for no apparent reason it resets
> to 0.
>
> Anyone see anything wrong here to cause that?

--- End Message ---
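The two file-based fixes suggested in the replies above, as an added example that is not code from the thread: a read-modify-write under `flock()`, and the append-and-count variant (one byte per visit, counted with `filesize()` instead of counting lines). Neither deletes the file nor shells out with `exec()`; the temp-file names in the demo are constructed.

```php
<?php
// Added example, not code from the thread. The temp-file paths used in the
// demo at the bottom are constructed for illustration.

/** Read-modify-write under an exclusive lock; returns the new count. */
function incrementCounter(string $path): int
{
    // 'c+' = read/write, create if missing, never truncate on open, so the
    // file is never absent or empty while another request is looking at it.
    $fp = fopen($path, 'c+');
    if ($fp === false) {
        throw new RuntimeException("cannot open $path");
    }
    try {
        // Concurrent requests block here until the holder releases the lock.
        if (!flock($fp, LOCK_EX)) {
            throw new RuntimeException("cannot lock $path");
        }
        $raw = trim((string) stream_get_contents($fp));
        // Treat anything that is not a plain run of digits as zero.
        $count = ctype_digit($raw) ? (int) $raw : 0;
        $count++;

        rewind($fp);
        ftruncate($fp, 0);
        fwrite($fp, (string) $count);
        fflush($fp); // push the bytes out before the lock is released
        flock($fp, LOCK_UN);
        return $count;
    } finally {
        fclose($fp);
    }
}

/** Append variant: each visit adds one byte, the file size is the count. */
function recordVisitByAppend(string $path): int
{
    // FILE_APPEND | LOCK_EX makes the write itself the only critical section.
    if (file_put_contents($path, 'x', FILE_APPEND | LOCK_EX) === false) {
        throw new RuntimeException("cannot append to $path");
    }
    clearstatcache(true, $path); // filesize() results are cached per request
    $size = filesize($path);
    if ($size === false) {
        throw new RuntimeException("cannot stat $path");
    }
    return $size;
}

// Demo with constructed temp files.
$counter = sys_get_temp_dir() . '/counter-demo-' . getmypid() . '.txt';
$visits  = sys_get_temp_dir() . '/visits-demo-' . getmypid() . '.log';
for ($i = 0; $i < 3; $i++) {
    $n = incrementCounter($counter);
    $m = recordVisitByAppend($visits);
}
echo "Visitor #$n (locked counter), #$m (append log)\n";
unlink($counter);
unlink($visits);
```

`flock()` is advisory, so it only protects the file if every script that touches it takes the lock, and it is not reliable on some network filesystems.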
--- Begin Message ---
on 18/02/03 3:59 AM, Vernon ([EMAIL PROTECTED]) wrote:

> I'm thinking that the MD5 function more than likely encrypts a password to
> store into a database, and when you log in using the MD5 function it will
> simply encrypt the value being passed along again the same way. Now I'm
> wondering what happens when a user has lost their password and needs to
> retrieve it, there is no way to reverse the process is there?

No, there isn't -- md5() is NOT encryption (a 1 meg file and a 5 character
password will both have the same length md5 value).

You would need to write a script which resets their password, and sends it
to them via email.

If they've forgotten what password they set, then they're obviously not too
precious about it being the same password.  Reset it to something random,
send it to them via email (handy for confirming their email address is still
valid), and let them login with that password, and change it to something
else if they wish.

Justin French

--- End Message ---
--- Begin Message ---
If you do a password reset system please remember not to reset the
password before they confirm who they are.

This means instead of having them entering their login and email address
and immediately resetting their password send the account owner an e-mail
with a link that will reset their password, if you have SSL make the
link go over SSL that way the traffic is secure.  The link should
contain a unique id that was randomly generated and stored in the
database, when they click the link validate the account name, email
address and the unique id, if they match reset the password and remove
the unique id from the list of approved id's, this prevents someone from
replaying the URL and resetting the password again.

Jason

On Mon, 2003-02-17 at 17:48, Justin French wrote:
> on 18/02/03 3:59 AM, Vernon ([EMAIL PROTECTED]) wrote:
> 
> > I'm thinking that the MD5 function more than likely encrypts a password to
> > store into a database, and when you log in using the MD5 function it will
> > simply encrypt the value being passed along again the same way. Now I'm
> > wondering what happens when a user has lost their password and needs to
> > retrieve it, there is no way to reverse the process is there?
> 
> No, there isn't -- md5() is NOT encryption (a 1 meg file and a 5 character
> password will both have the same length md5 value).
> 
> You would need to write a script which resets their password, and sends it
> to them via email.
> 
> If they've forgotten what password they set, then they're obviously not too
> precious about it being the same password.  Reset it to something random,
> send it to them via email (handy for confirming their email address is still
> valid), and let them login with that password, and change it to something
> else if they wish.
> 
> Justin French

--- End Message ---
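The reset flow described in the message above, as an added example that is not code from the thread. It assumes the user chooses the new password on the reset page, adds a one-hour expiry, stores only a hash of the unique id, and uses `password_hash()` rather than the `md5()` under discussion; the arrays stand in for database tables and the account and URL are constructed.

```php
<?php
// Added example, not code from the thread. The arrays stand in for database
// tables; the account, address and example.test URL are constructed.
final class PasswordReset
{
    private const TTL = 3600; // assumption: a link is valid for one hour

    private array $users;        // login => ['email' => ..., 'hash' => ...]
    private array $pending = []; // login => ['token_hash' => ..., 'expires' => ...]

    public function __construct(array $users)
    {
        $this->users = $users;
    }

    /** Step 1: nothing is reset yet; only a link for the owner's mailbox is built. */
    public function request(string $login, string $email, int $now): ?string
    {
        $user = $this->users[$login] ?? null;
        if ($user === null || !hash_equals($user['email'], $email)) {
            return null; // the caller should answer identically in both cases
        }
        $token = bin2hex(random_bytes(32)); // the randomly generated unique id
        // Only a hash of the id is kept (an addition to the scheme in the
        // post), so a leaked table does not contain usable links.
        $this->pending[$login] = [
            'token_hash' => hash('sha256', $token),
            'expires'    => $now + self::TTL,
        ];
        return 'https://example.test/reset.php?' . http_build_query(
            ['login' => $login, 'email' => $email, 'id' => $token]
        );
    }

    /** Step 2: validate account name, e-mail address and id, then consume the id. */
    public function confirm(
        string $login,
        string $email,
        string $token,
        string $newPassword,
        int $now
    ): bool {
        $user  = $this->users[$login] ?? null;
        $entry = $this->pending[$login] ?? null;
        if ($user === null || $entry === null) {
            return false;
        }
        $valid = hash_equals($user['email'], $email)
            && hash_equals($entry['token_hash'], hash('sha256', $token))
            && $now <= $entry['expires'];
        if (!$valid) {
            return false;
        }
        // Remove the id before changing anything so the URL cannot be replayed.
        unset($this->pending[$login]);
        $this->users[$login]['hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
        return true;
    }

    public function login(string $login, string $password): bool
    {
        $user = $this->users[$login] ?? null;
        return $user !== null && password_verify($password, $user['hash']);
    }
}

// Demo with a constructed account.
$now = time();
$svc = new PasswordReset([
    'alice' => [
        'email' => 'alice@example.test',
        'hash'  => password_hash('old-secret', PASSWORD_DEFAULT),
    ],
]);
$link = $svc->request('alice', 'alice@example.test', $now);
parse_str((string) parse_url($link, PHP_URL_QUERY), $q);

// A guessed id, the genuine link, a replay of the genuine link, then a login.
var_dump($svc->confirm($q['login'], $q['email'], 'guessed-id', 'x', $now));
var_dump($svc->confirm($q['login'], $q['email'], $q['id'], 'new-secret', $now));
var_dump($svc->confirm($q['login'], $q['email'], $q['id'], 'again', $now));
var_dump($svc->login('alice', 'new-secret'));
```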
--- Begin Message ---
Very true -- forgot to mention that step :)

Thanks for the reminder!!

Justin


on 18/02/03 12:49 PM, Jason Sheets ([EMAIL PROTECTED]) wrote:

> If you do a password reset system please remember not to reset the
> password before they confirm who they are.
> 
> This means instead of having them entering their login and email address
> and immediately resetting their password send the account owner an e-mail
> with a link that will reset their password, if you have SSL make the
> link go over SSL that way the traffic is secure.  The link should
> contain a unique id that was randomly generated and stored in the
> database, when they click the link validate the account name, email
> address and the unique id, if they match reset the password and remove
> the unique id from the list of approved id's, this prevents someone from
> replaying the URL and resetting the password again.
> 
> Jason
> 
> On Mon, 2003-02-17 at 17:48, Justin French wrote:
>> on 18/02/03 3:59 AM, Vernon ([EMAIL PROTECTED]) wrote:
>> 
>>> I'm thinking that the MD5 function more than likely encrypts a password to
>>> store into a database, and when you log in using the MD5 function it will
>>> simply encrypt the value being passed along again the same way. Now I'm
>>> wondering what happens when a user has lost their password and needs to
>>> retrieve it, there is no way to reverse the process is there?
>> 
>> No, there isn't -- md5() is NOT encryption (a 1 meg file and a 5 character
>> password will both have the same length md5 value).
>> 
>> You would need to write a script which resets their password, and sends it
>> to them via email.
>> 
>> If they've forgotten what password they set, then they're obviously not too
>> precious about it being the same password.  Reset it to something random,
>> send it to them via email (handy for confirming their email address is still
>> valid), and let them login with that password, and change it to something
>> else if they wish.
>> 
>> Justin French

--- End Message ---
--- Begin Message ---
On Tuesday 18 February 2003 01:03, Greg Donald wrote:

> md5 is one-way encryption.  I use a password 'hint' field in conjunction
> with md5.

It is not an encryption at all -- it's a hash. Encryption implies a 
corresponding decryption, so a one-way encryption is either useless or an 
oxymoron.

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
------------------------------------------
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
------------------------------------------
/*
The Angels want to wear my red shoes.
                -- E. Costello
*/

--- End Message ---
--- Begin Message ---
I upgraded my MySQL on my web server, and the upgrade broke some PHP code
that loaded a file.  The reason this is a PHP question is that I need to
get my old PHP code to work with the new MySQL server, and I hope someone
here can help.

Here's the details on the fact that newer versions of MySQL disable the LOAD
DATA LOCAL function:
http://www.mysql.com/doc/en/LOAD_DATA_LOCAL.html

I've read that, as well as:
http://www.mysql.com/doc/en/mysql_options.html

But I'm not sure how to get my code to work.

I tried adding  --local-infile=1 to my MySQL server startup script, but that
didn't seem to do it:
<Start snip of mysql.server in init.d>
case "$mode" in
  'start')
    # Start daemon

    if test -x $bindir/safe_mysqld
    then
      # Give extra arguments to mysqld with the my.cnf file. This script may
      # be overwritten at next upgrade.
      $bindir/safe_mysqld --datadir=$datadir --pid-file=$pid_file --local-infile=1 &
      # Make lock for RedHat / SuSE
      if test -w /var/lock/subsys
      then
        touch /var/lock/subsys/mysql
      fi
    else
      echo "Can't execute $bindir/safe_mysqld"
    fi
    ;;
<End snip>

Here's my php code that is dying (I'm sure email will add line breaks):
$load_file_sql   = 'LOAD DATA LOCAL INFILE
\'/usr/web/htdocs/uploaded_data.txt\' REPLACE INTO TABLE
`staging_player_tracker` FIELDS TERMINATED BY \'\t\' OPTIONALLY ENCLOSED BY
\'"\' LINES TERMINATED BY \'\n\' (`First_Name`, `Last_Name`,
`Player_Tracker_Number`, `Last_Visit`, `Point_Balance`)';

$load_file_result = @mysql_query($load_file_sql, $connection) or
die("$load_file_sql failed Error #". mysql_errno() . ": " . mysql_error());

And, the error returned by the php script (again, email client will word
wrap I'm sure):
 LOAD DATA LOCAL INFILE '/usr/web/htdocs/uploaded_data.txt' REPLACE INTO
TABLE `staging_player_tracker` FIELDS TERMINATED BY '\t' OPTIONALLY ENCLOSED
BY '"' LINES TERMINATED BY '\n' (`First_Name`, `Last_Name`,
`Player_Tracker_Number`, `Last_Visit`, `Point_Balance`) failed Error #1148:
The used command is not allowed with this MySQL version

I'm running Red Hat Linux, Apache (Stronghold 3.x), and MySQL 3.23.52

Any help or hints most appreciated.

Thanks,

Peter Janett

--- End Message ---
--- Begin Message ---
Hi guys,

I'm curious about a couple things

regarding: $_FILES['userfile']['error']
(On page: http://www.php.net/manual/tw/features.file-upload.errors.php )

and also

<input type="hidden" name="MAX_FILE_SIZE" value="500">

The manual says "Since PHP 4.2.0, PHP returns an appropriate error code
along with the file array. The error code can be found in the ['error']
segment of the file array that is created during the file upload by PHP. In
other words, the error might be found in $_FILES['userfile']['error']."

So if I get error: Value: 2; The uploaded file exceeds the MAX_FILE_SIZE
directive that was specified in the html form.

Does this mean the file was examined by the browser and it determined it was
too large OR does it have to upload the file temporarily and then check to
see if it's too large?

It sounds like browser would first examine the file before it gets uploaded,
however, if I try to upload a 1mb file it takes noticeably longer to produce
an error than say a 501 byte file.

Please anyone that can help me with this I would really appreciate it.

Thanks,
Nate


--- End Message ---
--- Begin Message ---
On Mon, 2003-02-17 at 21:44, Nate wrote:
> Does this mean the file was examined by the browser and it determined it was
> too large OR does it have to upload the file temporarily and then check to
> see if it's too large?
> 
> It sounds like browser would first examine the file before it gets uploaded,
> however, if I try to upload a 1mb file it takes noticeably longer to produce
> an error than say a 501 byte file.
> 
> Please anyone that can help me with this I would really appreciate it.

The browser *should* check but it doesn't. In fact, the limit that's
being exceeded is probably the one set in your php.ini configuration
file. In any case, it's generally a bad idea to trust the client with
performing any checks for anything other than the convenience of the
user, because it's very easy for a malicious user to send out a request
that contains completely arbitrary data ignoring completely all the
controls that are built into your HTML file.

Cheers,


Marco
-- 
----------------
php|architect - The Monthly Magazine for PHP Professionals
Come check us out on the web at http://www.phparch.com!

--- End Message ---
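A server-side size check along the lines of the reply above, as an added example that is not code from the thread. The hidden `MAX_FILE_SIZE` field travels with the request, so a crafted request can omit or change it; the check below reads the `['error']` code and then measures the received file itself. `MAX_BYTES`, the stub passed for `is_uploaded_file()` and the `$_FILES`-shaped arrays in the demo are constructed.

```php
<?php
// Added example, not code from the thread.
const MAX_BYTES = 500; // same figure as the form's MAX_FILE_SIZE in the question

/**
 * Validate one entry of $_FILES on the server.
 * $isUploaded exists only so the demo can run from the command line; in a
 * real request leave it out and is_uploaded_file() is used.
 * Returns [accepted, reason].
 */
function checkUpload(array $file, int $maxBytes, ?callable $isUploaded = null): array
{
    $isUploaded = $isUploaded ?? 'is_uploaded_file';

    $error = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if (!is_int($error)) {
        // e.g. a field named "userfile[]" produces arrays here
        return [false, 'malformed upload entry'];
    }
    switch ($error) {
        case UPLOAD_ERR_OK:
            break;
        case UPLOAD_ERR_INI_SIZE:
            return [false, 'larger than upload_max_filesize in php.ini'];
        case UPLOAD_ERR_FORM_SIZE:
            return [false, 'larger than the MAX_FILE_SIZE form field'];
        case UPLOAD_ERR_PARTIAL:
            return [false, 'upload was interrupted'];
        case UPLOAD_ERR_NO_FILE:
            return [false, 'no file was sent'];
        default:
            return [false, "upload failed with error code $error"];
    }

    // Only touch a path that PHP itself created for this request.
    $tmp = $file['tmp_name'] ?? '';
    if (!is_string($tmp) || !$isUploaded($tmp)) {
        return [false, 'tmp_name is not a file received in this request'];
    }

    // Measure the bytes on disk; this limit does not depend on the form.
    $size = filesize($tmp);
    if ($size === false || $size > $maxBytes) {
        return [false, "file is larger than $maxBytes bytes"];
    }
    return [true, "accepted, $size bytes"];
}

// Demo with constructed input: temp files play the role of received uploads.
$stub = fn(string $path): bool => is_file($path); // demo-only stand-in

$small = tempnam(sys_get_temp_dir(), 'up');
$large = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($small, str_repeat('A', 500));
file_put_contents($large, str_repeat('A', 501));

$cases = [
    'within limit'                => ['error' => UPLOAD_ERR_OK, 'tmp_name' => $small],
    // Request sent without the hidden field: PHP reports no error at all.
    'hidden field omitted'        => ['error' => UPLOAD_ERR_OK, 'tmp_name' => $large],
    'rejected by PHP (error 2)'   => ['error' => UPLOAD_ERR_FORM_SIZE, 'tmp_name' => ''],
];
foreach ($cases as $label => $entry) {
    [$ok, $why] = checkUpload($entry, MAX_BYTES, $stub);
    printf("%-28s %s: %s\n", $label, $ok ? 'OK' : 'REJECT', $why);
}
unlink($small);
unlink($large);
```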
--- Begin Message ---
On Tuesday 18 February 2003 10:44, Nate wrote:

> It sounds like browser would first examine the file before it gets
> uploaded, however, if I try to upload a 1mb file it takes noticeably longer
> to produce an error than say a 501 byte file.

Some browsers do:

http://marc.theaimsgroup.com/?l=php-general&m=102079018906224&w=2

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz

--- End Message ---
--- Begin Message ---
So something like my below function isn't going to work because the file HAS
to be uploaded temporarily for it to fopen? The ONLY possible way to check
it is with javascript then? Anyone know where I could find some code to do
that?

$maxbytes=500;

   function ImageSizeCheck($img,$maxbytes,&$arewegood,&$size) {

      $fp = fopen($img, "r");
      $first_file_size_read = fread($fp, $maxbytes + 1);
      fclose($fp);

      if(strlen($first_file_size_read) > $maxbytes) {

         $arewegood="0";
         $size=strlen($first_file_size_read)-1;

      } else {

         $arewegood="1";
         $size=strlen($first_file_size_read)-1;

      }

   }


"Marco Tabini" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> On Mon, 2003-02-17 at 21:44, Nate wrote:
> > Does this mean the file was examined by the browser and it determined it was
> > too large OR does it have to upload the file temporarily and then check to
> > see if it's too large?
> >
> > It sounds like browser would first examine the file before it gets uploaded,
> > however, if I try to upload a 1mb file it takes noticeably longer to produce
> > an error than say a 501 byte file.
> >
> > Please anyone that can help me with this I would really appreciate it.
>
> The browser *should* check but it doesn't. In fact, the limit that's
> being exceeded is probably the one set in your php.ini configuration
> file. In any case, it's generally a bad idea to trust the client with
> performing any checks for anything other than the convenience of the
> user, because it's very easy for a malicious user to send out a request
> that contains completely arbitrary data ignoring completely all the
> controls that are built into your HTML file.
>
> Cheers,
>
>
> Marco
> --
> ----------------
> php|architect - The Monthly Magazine for PHP Professionals
> Come check us out on the web at http://www.phparch.com!
>


--- End Message ---
--- Begin Message ---
I've already compiled my PHP4 with imagejpeg support but now I'm losing my
imagegif function. Image jpeg function is now working but for the gif I'm
receiving this error:
Fatal error: Call to undefined function: imagegif()

Here's my php info after my re-compilation :

Configure Command  './configure' '--with-mysql'
'--with-apache=../apache_1.3.24' '--with-gd'
'--with-jpeg-dir=/php-4.3.0/ext/gd/libgd' '--with-zlib'
GD Support  enabled
GD Version  bundled (2.0 compatible)
GIF Read Support  enabled
JPG Support  enabled
PNG Support  enabled
WBMP Support  enabled


Any idea why?


Mike

--- End Message ---
--- Begin Message ---
On Tuesday 18 February 2003 10:51, Michael P. Carel wrote:
> I've already compiled my PHP4 with imagejpeg support but now I'm losing my
> imagegif function. Image jpeg function is now working but for the gif I'm
> receiving this error:
> Fatal error: Call to undefined function: imagegif()
>
> Here's my php info after my re-compilation :
>
> Configure Command  './configure' '--with-mysql'
> '--with-apache=../apache_1.3.24' '--with-gd'
> '--with-jpeg-dir=/php-4.3.0/ext/gd/libgd' '--with-zlib'
> GD Support  enabled
> GD Version  bundled (2.0 compatible)
> GIF Read Support  enabled
> JPG Support  enabled
> PNG Support  enabled
> WBMP Support  enabled
>
>
> Any idea why?

You need GIF write support in the GD library, which isn't officially supported 
anymore. Google for non-official GD library with GIF support.

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz

--- End Message ---
--- Begin Message ---
General builds of the GD library don't contain gif support.  Visit the GD
site to see what they say about gif support.  If you're building a graph
then use png; if an image use jpg.

Hugh
----- Original Message -----
From: "Michael P. Carel" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, February 17, 2003 6:51 PM
Subject: Re: [PHP] image creation error


> I've already compiled my PHP4 with imagejpeg support but now I'm losing my
> imagegif function. Image jpeg function is now working but for the gif I'm
> receiving this error:
> Fatal error: Call to undefined function: imagegif()
>
> Here's my php info after my re-compilation :
>
> Configure Command  './configure' '--with-mysql'
> '--with-apache=../apache_1.3.24' '--with-gd'
> '--with-jpeg-dir=/php-4.3.0/ext/gd/libgd' '--with-zlib'
> GD Support  enabled
> GD Version  bundled (2.0 compatible)
> GIF Read Support  enabled
> JPG Support  enabled
> PNG Support  enabled
> WBMP Support  enabled
>
>
> Any idea why?
>
>
> Mike

--- End Message ---
--- Begin Message ---
Hello,

I am using the phplib just for the sessions management and unfortunately this project seems dead (no?), no official release using the php4 session support.
What's more, I am looking for a sessions library which could check the IP address of users not only the cookie. In case bad hats steal cookies...
What I use in my current code is:
page_open(array("sess" => "SIOVA_Session", "auth" => "SIOVA_Challenge_Auth", "perm" => "SIOVA_Perm"));
$perm->check("user");
page_close() ;
$auth->auth["perm"] == "admin" ;// and others privilege checks...
$sess->delete() ;
$auth->unauth();
$auth->logout();
etc...

What do you think I should use instead of the phplib, do you think I should change what I use at this time which works full well :-/
I do want to use a library checking the cookies AND the IP addresses...to do something more secure.


Thanks for your advice,
Vincent.

--- End Message ---
--- Begin Message ---
Using the built in PHP 4 session support you can do IP checking on the
sessions, in fact you should be able to do IP checking with any session
library as long as you do it in your application.

Checking the IP when using sessions might give you some additional
security but many ISPs use web proxies and caches, while some of these
proxies allow you to see the original IP many do not.  Additionally the
user may be routed through a different proxy depending on the ISP setup
which would result in their session being dropped.

You might consider using your existing session system over an SSL
connection, it would provide increased security without changing your
code.

The only time I have needed to use anything other than the standard PHP
session support was when I needed my sessions to be encrypted on the
server, even in this case I just wrote my own session handler and used
the PHP 4 functions.

If your code is working well there may be little reason to change it, it
may be a more responsible decision to wait until your application is
undergoing a re-design to change your session handling or it may not be,
it all depends on how much time you have, and features you need and are
not getting now.

If you do decide to go ahead with the IP checking one way to do it is to
store the session id and IP address in a database, then add logic to
your application that checks the session id against the IP address in
the database before the session is started, if they don't match it
clears the session variables and starts a blank session.  I've done this
in the past but found it provided only limited security advantages
compared to other things like SSL.

Jason

On Mon, 2003-02-17 at 21:21, Vincent M. wrote:
> Hello,
> 
> I am using the phplib just for the sessions management and unfortunately 
> this project seems dead (no?), no official release using the php4 
> session support.
> What's more, I am looking for a sessions library which could check the 
> IP address of users not only the cookie. In case bad hats steal cookies...
> What I use in my current code is:
> page_open(array("sess" => "SIOVA_Session", "auth" => 
> "SIOVA_Challenge_Auth", "perm" => "SIOVA_Perm"));
> $perm->check("user");
> page_close() ;
> $auth->auth["perm"] == "admin" ;// and others privilege checks...
> $sess->delete() ;
> $auth->unauth();
> $auth->logout();
> etc...
> 
> What do you think I should use instead of the phplib, do you think I 
> should change what I use at this time which works full well :-/
> I do want to use a library checking the cookies AND the IP addresses...to 
> do something more secure.
> 
> 
> Thanks for your advice,
> Vincent.

--- End Message ---
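The IP check described in the reply above, as an added example that is not code from the thread. It keeps the bound address inside the session data instead of a separate database table, and the demo shows the proxy caveat from the same reply: a legitimate user arriving through a second proxy is treated exactly like a stolen cookie. The function names and the documentation-range addresses are constructed.

```php
<?php
// Added example, not code from the thread. The bound address is stored in the
// session data itself rather than in a database table keyed by session id.

/**
 * Compare the address a session was bound to with the current request.
 * Returns 'new' (first request, address recorded), 'ok' (same address) or
 * 'mismatch' (all session variables cleared, session rebound as a blank one).
 */
function bindSessionToIp(array &$session, string $remoteAddr): string
{
    if (!isset($session['bound_ip'])) {
        $session['bound_ip'] = $remoteAddr;
        return 'new';
    }
    if (hash_equals((string) $session['bound_ip'], $remoteAddr)) {
        return 'ok';
    }
    // Different address: keep nothing, in particular no login state.
    $session = ['bound_ip' => $remoteAddr];
    return 'mismatch';
}

/** How the check would be wired into a request using PHP's own sessions. */
function startBoundSession(): string
{
    session_start();
    $result = bindSessionToIp($_SESSION, $_SERVER['REMOTE_ADDR'] ?? '');
    if ($result === 'mismatch') {
        // Issue a fresh id and delete the old session file, so the old
        // cookie value no longer maps to anything.
        session_regenerate_id(true);
    }
    return $result;
}

// Demo on a plain array with constructed addresses (documentation ranges).
$session = [];
$steps = [
    ['login request',               '192.0.2.10'],
    ['same user, same proxy',       '192.0.2.10'],
    ['same user, other ISP proxy',  '198.51.100.7'],
    ['cookie replayed elsewhere',   '203.0.113.99'],
];
foreach ($steps as [$label, $addr]) {
    $result = bindSessionToIp($session, $addr);
    if ($result === 'new') {
        $session['user'] = 'vincent'; // constructed login state
    }
    printf(
        "%-28s %-13s -> %-8s logged in: %s\n",
        $label,
        $addr,
        $result,
        isset($session['user']) ? 'yes' : 'no'
    );
}
```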
--- Begin Message ---
Could anyone please tell me what a valid argument would be in this script?


error message
Warning: Invalid argument supplied for foreach() in 
/home1/domains/$domain/htdocs/image.php on line 334






line 323-343


$dg = opendir("$thumb");
echo "<HTML><HEAD><TITLE>$title</TITLE><META NAME=Description CONTENT='Page Generated 
with ScriptCoders AutoThumbs V2.01 http://www.scriptcoders.com'></HEAD>";
PrintHeader();
echo "<center><br><img src=/content/images/br.gif><br><br>";
echo "<center><table border=0 width=90% ALIGN=CENTER VALIGN=CENTER><tr ALIGN=CENTER 
VALIGN=CENTER><td ALIGN=CENTER VALIGN=CENTER>";
while ( gettype($file = readdir($dg)) != boolean )
    {
    if (! is_dir("$file")) 
$retVal[count($retVal)] = $file;
}
closedir($dg); 
foreach ($retVal as $newFile)
if ($newFile != ".htaccess")
{
$li = ($li + 1);
    /*if (!isset($user)) {
  echo "<a href=$PHP_SELF?image=$newFile><img src=\"$thumb/$newFile\" width=\"50\" 
height=\"50\" border=1 ALIGN=CENTER VALIGN=CENTER></a>&nbsp;&nbsp;";
    }
 else if (isset($user)) {*/
          echo "<a href=$PHP_SELF?image=$newFile><img src=\"$thumb/$newFile\" border=1 
ALIGN=CENTER VALIGN=CENTER></a>&nbsp;&nbsp;";
    //}
--- End Message ---
--- Begin Message ---
On Tuesday 18 February 2003 12:27, Lynn wrote:
> Could anyone please tell me what a valid argument would be in this script?
>
>
> error message
> Warning: Invalid argument supplied for foreach() in
> /home1/domains/$domain/htdocs/image.php on line 334

foreach needs an array.

var_dump($retVal) to see what you really have.

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz

--- End Message ---
--- Begin Message ---
At 05:27 18.02.2003, Lynn said:
--------------------[snip]--------------------
>Could anyone please tell me what a valid argument would be in this script?
>
>
>error message
>Warning: Invalid argument supplied for foreach() in 
>/home1/domains/$domain/htdocs/image.php on line 334
>
>
>line 323-343
>
>
>$dg = opendir("$thumb");
>echo "<HTML><HEAD><TITLE>$title</TITLE><META NAME=Description CONTENT='Page 
>Generated with ScriptCoders AutoThumbs V2.01 
>http://www.scriptcoders.com'></HEAD>";
>PrintHeader();
>echo "<center><br><img src=/content/images/br.gif><br><br>";
>echo "<center><table border=0 width=90% ALIGN=CENTER VALIGN=CENTER><tr 
>ALIGN=CENTER VALIGN=CENTER><td ALIGN=CENTER VALIGN=CENTER>";
>while ( gettype($file = readdir($dg)) != boolean )
>    {
>    if (! is_dir("$file")) 
>$retVal[count($retVal)] = $file;
>}
>closedir($dg); 
>foreach ($retVal as $newFile)
--------------------[snip]-------------------- 

You never explicitly "declare" $retval here. In case the while-loop is
executed, $retval is implicitly initialized as an array, but if the
while-loop fails to run, $retval is undefined, hence the error.


-- 
   >O     Ernest E. Vogelsinger
   (\)    ICQ #13394035
    ^     http://www.vogelsinger.at/


--- End Message ---
--- Begin Message ---
On Tuesday 18 February 2003 01:18, [EMAIL PROTECTED] wrote:

> > then set 'user_agent' in
> > php.ini to match that of one of the compatible browsers.
>
> I don't see any user_agent entry in my php.ini file. I did a search on the
> php.net site and didn't find any info on this. What would be the proper
> way
> to set this in php.ini, and in which section of php.ini?

Anywhere in php.ini I suppose. Or it can be set at run-time using ini_set().

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz

--- End Message ---
--- Begin Message ---
At 06:05 18.02.2003, Jason Wong said:
--------------------[snip]--------------------
>On Tuesday 18 February 2003 01:18, [EMAIL PROTECTED] wrote:
>
>> > then set 'user_agent' in
>> > php.ini to match that of one of the compatible browsers.
>>
>> I don't see any user_agent entry in my php.ini file. I did a search on the
>> php.net site and didn't find any info on this. What would be the proper
>> way
>> to set this in php.ini, and in which section of php.ini?
>
>Anywhere in php.ini I suppose. Or it can be set at run-time using ini_set().
--------------------[snip]-------------------- 

http://www.php.net/manual/en/ref.filesystem.php#ini.user-agent



-- 
   >O     Ernest E. Vogelsinger
   (\)    ICQ #13394035
    ^     http://www.vogelsinger.at/


--- End Message ---
--- Begin Message ---
On Tuesday 18 February 2003 01:44, Robin Mordasiewicz wrote:
> IS there a way to tell php to use a remote smtp daemon for its mta under
> UNIX. I see in the example it looks like windows can be configured to use
> a remote smtp. If so what is the syntax.
>
>
> [mail function]
> ; For Win32 only.
> SMTP = localhost
>
> ; For Win32 only.
> sendmail_from = [EMAIL PROTECTED]
>
> ; For Unix only.  You may supply arguments as well (default: "sendmail -t
> -i").
> ;sendmail_path =

Checkout www.phpclasses.org for a/some mailing class(es) that allows this.

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz

--- End Message ---
--- Begin Message ---
Hi!

I was wondering if anyone has vni -> unicode conversion script.

Thanks Jimmy

--- End Message ---
--- Begin Message ---
Greetings all,

My database has one table with three fields i.e. ClientID, ClientName
and Distance .

I`m trying to get all the field data printed to a form but whenever I
try to add the "ClientID" and "Distance" fields to the code below it
bombs out with the following error :

Parse error: parse error in /home/data/ClientWebs/chrisplay/main.php on
line 27

Full code is below :

<?php
  //Connect to DB  
  include("inc_ConnectDB.php") ;

  //Make SQL Statement
  $SqlGetClient = "Select * from Client" ;
  $ResGetClient = mysql_query($SqlGetClient) ;


  //If any errors then print `em out
  if (!$ResGetClient)
   {
   echo("<P>Error performing query: " .         mysql_error() . "</P>");
     exit();
   }

  //While there are records to fetch.....                
  while ( $row = mysql_fetch_array($ResGetClient) )
  {
   //  THIS IS LINE 27
  //....print them out to page
  echo $row['ClientID'].['ClientName'].['Distance']. '<hr>';
  } 
?>  

Muchos grassy-arse for any assistance...... 


-- 
Chris Blake
Office : (011) 782-0840
Cell : 083 985 0379
It is reported that somewhere in the world, every 15 seconds, a woman
gives birth to a child. She must be found and stopped.

--- End Message ---
--- Begin Message ---
At 08:45 18.02.2003, Chris Blake said:
--------------------[snip]--------------------
>   //  THIS IS LINE 27
>  //....print them out to page
>  echo $row['ClientID'].['ClientName'].['Distance']. '<hr>';
--------------------[snip]-------------------- 

Try

    echo $row['ClientID'].$row['ClientName'].$row['Distance']. '<hr>';



-- 
   >O     Ernest E. Vogelsinger
   (\)    ICQ #13394035
    ^     http://www.vogelsinger.at/


--- End Message ---
--- Begin Message ---
-------- Original Message --------
Subject: [PHP-DOC] Urgent....plz
From: [EMAIL PROTECTED]
Date: Tue, 18 February 2003, 4:17
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>

Hi...

I'm Wardi from Malaysia. I'm working in the private company which is
involved in developing and integrate software solutions. Currently we are
using Oracle in develop the products to our customers. Right now we're
trying to provide the new solutions to our customer by using the PHP and
MySql. So there are few questions I would like to ask about PHP.

1. Is PHP support or can do the "Single Sign On" features like Oracle
do? Plz explain to me OK!!!

2. Is PHP support the "Multiple Logons"?

3. Can we create the environment like this using PHP:
   "Different user logon in the portal and the are using different
interface/different portals but still under the same URL/address?"

That's all for now....plz reply ASAP...urgent

Thanks




-- 
PHP Documentation Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



--- End Message ---
--- Begin Message ---
At 08:54 18.02.2003, [EMAIL PROTECTED] said:
--------------------[snip]--------------------
>trying to provide the new solutions to our customer by using the PHP and
>MySql. So there are few questions I would like to ask about PHP.

Upfront - PHP is a programming language, not a ready-to-use environment
(although there may be a couple of application frameworks ready that
already implement stuff you want to achieve). Thus said: you can implement
virtually all and everything using PHP.

>1. Is PHP support or can do the "Single Sign On" features like Oracle
>do? Plz explain to me OK!!!

Yes, it can (you can ;->). Upon login, you create something like a user
authentication token that is stored at the server side. As long as your
scripts pass that token around, the user remains logged in, with the
credentials you assigned at login time. See
http://www.php.net/manual/en/ref.session.php for session handling functions.

>2. Is PHP support the "Multiple Logons"?

Same holds true here - it depends on your application logic.

>3. Can we create an environment like this using PHP:
>   "Different users log on to the portal and they are using different
>interfaces/different portals but still under the same URL/address?"

Sure you can - make a good application design, separating content from
presentation. After identifying the user, decide which content you want to
display, then decide which presentation you want to use. Check out some
template scripts, a lot of people seem to favor the Smarty template engine
(http://smarty.php.net/).


-- 
   >O     Ernest E. Vogelsinger
   (\)    ICQ #13394035
    ^     http://www.vogelsinger.at/


--- End Message ---
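The session-based login described in the reply above, as an added example that is not part of any poster's message: credentials are checked once, the identity is kept server-side in the session, and the presentation is chosen per user under one URL. The user table, passwords, portal names and function names are constructed for illustration.

```php
<?php
// Added example, not code from the thread. The user table is constructed;
// a real application would read names, hashes and roles from its database.
$users = [
    'alice' => ['hash' => password_hash('constructed-pw-1', PASSWORD_DEFAULT), 'portal' => 'staff'],
    'bob'   => ['hash' => password_hash('constructed-pw-2', PASSWORD_DEFAULT), 'portal' => 'customer'],
];

session_start();   // the browser carries only the session id; the data stays server-side

// Verify credentials once and record the identity in the session.
function login(array $users, $name, $password): bool {
    if (!is_string($name) || !is_string($password) || !isset($users[$name])
        || !password_verify($password, $users[$name]['hash'])) {
        return false;
    }
    session_regenerate_id(true);   // fresh id at login, so a pre-login id is useless
    $_SESSION['username'] = $name;
    $_SESSION['portal']   = $users[$name]['portal'];
    return true;
}

// Later requests are identified by the session alone, never by a resent password.
function current_user(): ?array {
    if (empty($_SESSION['username'])) {
        return null;
    }
    return ['username' => $_SESSION['username'], 'portal' => $_SESSION['portal']];
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    login($users, $_POST['username'] ?? null, $_POST['password'] ?? null);
}

$user = current_user();
if ($user === null) {
    echo '<form method="post"><input name="username"> '
       . '<input type="password" name="password"> <input type="submit"></form>';
    exit;
}

// Same URL for everyone; the presentation is chosen from the stored role.
$headings = ['staff' => 'Staff portal', 'customer' => 'Customer portal'];
echo '<h1>' . $headings[$user['portal']] . '</h1>';
echo '<p>Welcome, ' . htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8') . '.</p>';
```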
--- Begin Message ---
G'day,

Our web-host just upgraded to PHP v4.2.3 (from v4.1.2) and broke all of our forms that use array variables.

It appears that when the URL contains square brackets (i.e. %5B and %5D instead of [ and ]) then PHP doesn't parse the variables correctly.

For example,

<http://www.offloadonline.com/test.php?personal[name]=john&personal[email]=john%40blah.com>

works (you might need to paste the URL into your browser) but

<http://www.offloadonline.com/test.php?personal%5Bname%5D=john&personal%5Bemail%5D=john%40blah.com>

fails.

Can anyone suggest a workaround?

Thanks,
Chris.

--- End Message ---
--- Begin Message ---
Ernest

Thanks. I used htmlentities and still have the truncation.

Mike

---

Ernest E Vogelsinger wrote:

At 22:04 17.02.2003, Michael Eacott said:
--------------------[snip]--------------------

When I have the following in a form:
<?php $testvar = "a b c"; ?>
<input type="text" size=20 name=testvar value=<?php echo $testvar; ?>>
the value shown in the form field is   a and not a b c
why?
and how can I get to see the untruncated text, please?

--------------------[snip]--------------------
You should always place quotes around the "Value" parameter;

<input type="text" size=20 name=testvar value="<?php echo $testvar; ?>">

Additionally you should always htmlencode the value parameter:

<input type="text" size=20 name=testvar value="<?php echo htmlentities($testvar); ?>">




--- End Message ---
--- Begin Message ---
Kevin

I tried flushing and also IE 6 and Netscape  6.2. Still getting truncation.

Mike

---

Kevin Stone wrote:

Hmm.  Don't know what to tell ya.  It works on my computer.  Have you tried
pressing CTRL+F5 to flush your browser cache?
- Kevin

----- Original Message -----
From: "rentAweek support" <[EMAIL PROTECTED]>
To: "Kevin Stone" <[EMAIL PROTECTED]>
Cc: "Michael Eacott" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Monday, February 17, 2003 3:12 PM
Subject: Re: [PHP] Text data truncated after first blank character in form
fields


Thanks

I tried out your suggestion, sic:
<input type="text" size="20" name="testvar" value="<?php echo $testvar; ?>">

Still truncation

Mike
---
Kevin Stone wrote:

It's your HTML. Failing to enclose the value in quotes may lead to
truncation.  Your output looks like this...
<input type="text" size=20 name=testvar value=a b c>

You should always quote every parameter in the tag just to avoid such
problems.  This should work..
<input type="text" size="20" name="testvar" value="<?php echo $testvar; ?>">

- Kevin







--- End Message ---
--- Begin Message ---
At 09:27 18.02.2003, rentAweek support said:
--------------------[snip]--------------------
>Ernest
>
>Thanks. I used htmlentities and still have the truncation.
>
--------------------[snip]-------------------- 

Have a look at the HTML source the server transmits.


-- 
   >O     Ernest E. Vogelsinger
   (\)    ICQ #13394035
    ^     http://www.vogelsinger.at/


--- End Message ---
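The truncation discussed in this thread, as an added example that is not part of any poster's message: the field is rendered unquoted, quoted, and quoted with htmlentities(), and PHP's DOM parser reports which attributes it recovers from each. The function names and the second sample value are constructed for illustration.

```php
<?php
// Added example (not from the thread): render the same field three ways and
// report what an HTML parser recovers as the "value" attribute.

// Variant 1: the original markup, value unquoted and unescaped.
function field_unquoted(string $v): string {
    return '<input type="text" size=20 name=testvar value=' . $v . '>';
}

// Variant 2: quoted but not escaped, as in the first suggested fix.
function field_quoted(string $v): string {
    return '<input type="text" size="20" name="testvar" value="' . $v . '">';
}

// Variant 3: quoted and escaped. htmlentities() with ENT_QUOTES converts
// both quote characters, so the data cannot end the attribute early.
function field_escaped(string $v): string {
    return '<input type="text" size="20" name="testvar" value="'
        . htmlentities($v, ENT_QUOTES, 'UTF-8') . '">';
}

// Parse a fragment and return the value attribute of the first <input>,
// plus the names of all attributes the parser found on that tag.
function parsed_field(string $html): array {
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // malformed markup is expected here
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $input = $doc->getElementsByTagName('input')->item(0);
    $names = [];
    foreach ($input->attributes as $attr) {
        $names[] = $attr->nodeName;
    }
    return ['value' => $input->getAttribute('value'), 'attributes' => $names];
}

// Constructed sample values: the one from the thread, and one containing a quote.
$samples = ['a b c', 'say "hi" now'];
foreach ($samples as $v) {
    foreach (['field_unquoted', 'field_quoted', 'field_escaped'] as $render) {
        $html = $render($v);
        $seen = parsed_field($html);
        printf("%-15s %s\n  value=%s attrs=%s\n", $render, $html,
            var_export($seen['value'], true), implode(',', $seen['attributes']));
    }
}
```

Run it with the PHP command-line binary (DOM extension required). Comparing the reported value across the three variants shows that quoting alone stops helping once the data itself contains a double quote, which is the case the escaping step covers.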
--- Begin Message ---
hi everybody,

i am a b.tech final year student and as a part of
the requirement of the degree, i have to do a
software project.
the project that i am doing is "E-SHOPPING PORTAL DEVELOPMENT"
and it uses php.

i have started learning php 10 days back.

today i have the following problem:

i have a directory called "bdoi_change" in which
i have an html registration form called "regist.html".
i am attaching "filecheck.php" to regist.html so that
when i click on the "submit" button on regist.html,
i get connected to filecheck.php.
in "filecheck.php" i have opened a file "andar.html"
and have written "i have solved an error today" in it
through "filecheck.php".
and when filecheck.php is run, it shows me " i have
solved an error today" .
but in "bdoi_change" i cannot see "andar.html"
nor can i open it by internet explorer.

if anybody can solve my problem, please reply back.

thanks a lot,
diksha.

--- End Message ---
--- Begin Message ---
hi to all,

I'm having a problem posting messages that have paragraphs. It doesn't appear
to have one when being viewed in the page?

Any idea on how to post this properly without manually inserting <BR> tags
in the text box before it is stored in the database?

Thanks in advance.


mike



--- End Message ---
--- Begin Message ---
This one time, at band camp,
"Michael P. Carel" <[EMAIL PROTECTED]> wrote:

> hi to all,
> 
> I'm having a problem posting messages that have paragraphs. It doesn't appear
> to have one when being viewed in the page?
> 
> Any idea on how to post this properly without manually inserting <BR> tags
> in the text box before it is stored in the database?

nl2br()

http://www.php.net/nl2br

Kevin

-- 
 ______                              
(_____ \                             
 _____) )  ____   ____   ____   ____ 
|  ____/  / _  ) / _  | / ___) / _  )
| |      ( (/ / ( ( | |( (___ ( (/ / 
|_|       \____) \_||_| \____) \____)
Kevin Waterson
Port Macquarie, Australia
--- End Message ---
--- Begin Message ---
At 09:36 18.02.2003, Michael P. Carel said:
--------------------[snip]--------------------
>I'm having a problem posting messages that have paragraphs. It doesn't appear
>to have one when being viewed in the page?
>
>Any idea on how to post this properly without manually inserting <BR> tags
>in the text box before it is stored in the database?
--------------------[snip]-------------------- 

echo nl2br($text_to_send);


-- 
   >O     Ernest E. Vogelsinger
   (\)    ICQ #13394035
    ^     http://www.vogelsinger.at/


--- End Message ---
--- Begin Message ---
Hi All,

I'm a little bit confused and it's maybe a newbie question but maybe you can help me 
out;

A user is logging in and after the username/password check it will redirect to this page

<?php
session_start();
if (isset($_SESSION['username'])){
$username = $_SESSION['username'];
echo 'Welcome, you are still loged in.';
echo $username;
}
else{
header ( "Location: login.htm" );
}
?>

Question is; is this the way to print off his username?

$username = $_SESSION['username'];
Echo $username

Or has anyone some alternatives..

This is working o.k. but in my opinion it's a little bit quick and dirty?

Thanks for the comments and suggestions!

Frank
--- End Message ---
--- Begin Message ---
Er... well I've seen a lot worse code than that but maybe you could use ...

if (isset($_SESSION['username']) && !empty($_SESSION['username'])) {
        echo 'Welcome '.$_SESSION['username'].', you are still logged in.';
}
else {
        header("Location: login.htm");  // redirect as in the original post
}

Rich
> -----Original Message-----
> From: Frank Keessen [mailto:[EMAIL PROTECTED]]
> Sent: 18 February 2003 09:00
> To: [EMAIL PROTECTED]
> Subject: [PHP] $_SESSIONS and printing off..
> 
> 
> Hi All,
> 
> I'm a little bit confused and it's maybe a newbie question but 
> maybe you can help me out;
> 
> A user is logging in and after the username/password check it will 
> redirect to this page
> 
> <?php
> session_start();
> if (isset($_SESSION['username'])){
> $username = $_SESSION['username'];
> echo 'Welcome, you are still loged in.';
> echo $username;
> }
> else{
> header ( "Location: login.htm" );
> }
> ?>
> 
> Question is; is this the way to print off his username?
> 
> $username = $_SESSION['username'];
> Echo $username
> 
> Or has anyone some alternatives..
> 
> This is working o.k. but in my opinion it's a little bit quick and dirty?
> 
> Thanks for the comments and suggestions!
> 
> Frank
--- End Message ---
--- Begin Message ---
Hello Wilbert,

I had the same problem and I do not have good news for you.

The problem is caused by a different owner of the script file and the file (or
folder) which needs to be manipulated by this script file. To change the
owner from a script (chown) you must have `root` privilege.

I download files which have a different owner (usually those files are
generated by some script). Then I upload those files again and the owner
is the same as for other uploaded files.

________________________

Best regards,
 Nenad Djordjevic                           mailto:[EMAIL PROTECTED]
   
   Diyomi Soft
   http://www.diyomisoft.com/


Monday, February 17, 2003, 12:50:40 PM, you wrote:

WE> Hi all


WE> I'm having troubles with the safe mode. My ISP has safe mode ON.

WE> Now i'm busy accessing files, deleting uploaded files, moving them and so
WE> on. Different actions are performed by different scripts.
WE> I want to make use of functions like stat() and so on, but each time I get
WE> the warning:

WE> Warning: file_exists() [function.file-exists]: SAFE MODE Restriction in
WE> effect. The script whose uid is 884 is not allowed to access
WE> /opt/guide/www.company.com.nl/HTML/myDir owned by uid 99

WE> Since safe mode is ON and I can't change it in php.ini of my ISP I am
WE> wondering what to do now?
WE> There is this whole lot of file functions which I wanna use, but each time
WE> I'm getting the warning or warnings that look like the one above.

WE> I already tried ini_set("safe_mode",0) but since the script is already
WE> accessed this action comes too late and even more important, according to
WE> the manual this entry can be set only in php.ini or httpd.conf
WE> (PHP_INI_SYSTEM) .

WE> Does anybody know a safe workaround for this phenomenon? Any tips are most
WE> welcome!

WE> Regards Wilbert Enserink




WE> ------------------------- 
WE> Pas de Deux 
WE> Van Mierisstraat 25 
WE> 2526 NM Den Haag 
WE> tel 070 4450855 
WE> fax 070 4450852 
WE> http://www.pdd.nl 
WE> [EMAIL PROTECTED] 
WE> -------------------------

--- End Message ---
--- Begin Message ---
Hi all,

        I want to copy an already existing directory structure with generic
files & then rename it while keeping its permissions, but I was unable to
find a suitable function in the manual to carry out this operation. Can
anyone help me with this please.

Thank you
Dave
--- End Message ---
--- Begin Message ---
Hi,

I have a PHP login script that takes the "username" and "password" and
stores them in a session.

Once verified as a valid user against a mySQL database, the user is
redirected to a members area ( "/secure_area" ), using:

http://username:[EMAIL PROTECTED]/secure_area/

This is so that .htaccess (which is in "/secure_area") won't pop up its own
"login/password" box.

However, i am having a couple of problems,

first, once the user is redirected to the /secure_area folder, EVERY link on
that page (and onwards) is prefixed with
http://username:[EMAIL PROTECTED]...... for everyone to see !!! and
thus the password has been exposed.
How can I stop it displaying the username and password ?

And also, is this a secure way of logging in?

(it is the only way I can figure out how to do it, so that PHP logs you in and
passes username and password to .htaccess quietly).

Many Thanks for any help!

Shams


--- End Message ---