Re: [PHP] Shopping Cart, security concerns
On Fri, May 13, 2005 8:26 pm, mayo said: I'm making my first shopping cart in PHP. I'm concerned about the security of my session variables, concerned about people altering data (lowering the price). Is there anything I should pay attention to. There are approximately 247 other PHP shopping carts out there. Maybe you'd be better off just installing one of them. Certainly, you should read the source code to several. Your session variables are at-risk on a shared server, usually; And not so much on a dedicated server. Or, more properly, on a dedicated server, if your session data isn't safe, you've got MUCH bigger problems than just your session data. As far as changing the price goes, just don't take the price as an INPUT from your cart/form. The only variables you need to accept from the user in the shopping cart itself are: $product_id and $quantity. For the fulfillment, maybe some location data like $country, $region, $postal to calculate shipping, and then their credit card info. Honestly, setting up a script to accept people's credit card numbers as your very first PHP project is probably not a particularly Good Idea... You can't absorb all the ins and outs of security overnight... Just my opinion. Perhaps you would be better served to install a pre-existing PHP shopping cart, and focus on making it secure and safe, rather than trying to write your own from scratch as well. -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
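An added example (not code from the original thread) of the advice above: the cart accepts only $product_id and $quantity, looks the price up in a server-side catalogue, and recomputes the total from that catalogue at checkout, so a tampered hidden field or session value has nothing to override. Product ids, names, prices and the quantity limit are made up for the example; it assumes PHP 7 or later.

```php
<?php
// Added example, not code from the original thread: a cart that never
// accepts a price from the client. Prices live in a server-side catalogue
// keyed by product id, the only client inputs honoured are product_id and
// quantity, and the total is recomputed from the catalogue at checkout.
// Product ids, names and prices are made up for the example (PHP 7+).

declare(strict_types=1);

function catalogue(): array
{
    return [
        1001 => ['name' => 'Widget', 'price_cents' => 1999],
        1002 => ['name' => 'Gadget', 'price_cents' => 4950],
        1003 => ['name' => 'Gizmo',  'price_cents' => 12500],
    ];
}
const MAX_QTY = 99;

// Accept a field only if it is a string of digits. Arrays (product_id[]=1),
// "12abc", "1e3" and "-1" are all rejected rather than juggled by (int).
function parse_uint($raw): ?int
{
    if (!is_string($raw) || !preg_match('/^\d{1,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Apply one add/update request. The cart is product_id => quantity only;
// no price is stored in it, so a tampered hidden field has nothing to override.
function cart_set(array $cart, $rawProductId, $rawQty): array
{
    $productId = parse_uint($rawProductId);
    $qty       = parse_uint($rawQty);
    if ($productId === null || !array_key_exists($productId, catalogue())) {
        throw new InvalidArgumentException('unknown product');
    }
    if ($qty === null || $qty > MAX_QTY) {
        throw new InvalidArgumentException('bad quantity');
    }
    if ($qty === 0) {
        unset($cart[$productId]);          // quantity 0 removes the line
    } else {
        $cart[$productId] = $qty;
    }
    return $cart;
}

// Total comes from the catalogue, never from the form or the session.
function cart_total_cents(array $cart): int
{
    $total = 0;
    foreach ($cart as $productId => $qty) {
        $total += catalogue()[$productId]['price_cents'] * $qty;
    }
    return $total;
}

// Request handling: the session holds only product_id => quantity.
session_start();
$_SESSION['cart'] = $_SESSION['cart'] ?? [];
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        $_SESSION['cart'] = cart_set($_SESSION['cart'],
            $_POST['product_id'] ?? null, $_POST['quantity'] ?? null);
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        exit('Invalid cart update');
    }
}
// Whatever $_POST['price'] the client sent is simply never read.
printf("Total: %.2f\n", cart_total_cents($_SESSION['cart']) / 100);
```

The same pattern applies to shipping: accept $country/$region/$postal, validate them against a server-side list, and compute the shipping charge from that list rather than from a field the form submitted.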
[PHP] Compiling PHP 4.3.11 on FreeBSD 5.4 amd64
Hi all, For some reason, when I compile php on my FreeBSD 5.4 machine (amd64 architecture), it is not creating the shared object file. Here is my config : ./configure --with-apxs=/usr/local/apache/bin/apxs --enable-ftp --with-mcrypt=/usr/local -with-openssl -enable-url-fopen-wrapper --enable-ftp --with-gd --with-zlib --with-jpeg-dir=/usr/local/lib --with-png-dir=/usr/local/lib --with-ttf --enable-gd-native-ttf --with-freetype-dir=/usr/local/lib --enable-shared when I use this same config on a 4.11 FreeBSD, it works fine. I will probably post this on the FreeBSD lists, but I figured I would ask here first. Everything appears to compile properly (no errors out of the usual)... Any ideas why the compilation would not create a shared object for me to install on apache ??? Apache is 1.3.33 and compiles and works fine... Thanks, Tim. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] 'Require' and 'Select' lists
On Fri, May 13, 2005 5:59 am, Andre Dubuc said: However, the behavior continues intermittently. I've duplicated it one time. If I click on the 'State' dropdown list, allow the mouse to scan through it, but do not choose a value, and then immediately go to the previous or next field and click on it, the box where 'USA or Canada' appears will be blank (despite '<option selected value="In USA or Canada">In USA or Canada</option>'). For the life of me, I cannot figure why it's doing that. This is a browser/OS bug. It's possible that it's even time-dependent -- That if you click in the popup list before it's fully formed, then you can make this happen, but after it gets completely built, you can't duplicate this. At any rate, there is nothing you can do about it. Well, okay, you can complain to the browser-makers, and be ignored by them... I guess one thing that *MIGHT* help would be to ob_start() before you send out all the option tags, and then ob_flush()/flush() after the </select> closing tag. The purpose being that you want the browser to build the whole menu with as few interruptions as possible, so it will not get used while it is half-built. I would not RELY on this actually fixing the problem for sure 100% every time you betcha, but it could reduce the incidence. As a hack, I've included a new routine checking for blank or null value for $selstate that snags problems before they hit the database. However, I'd rather know why this is happening. Browsers and the data coming from them are flaky, if not downright hostile. That's just how life is. It's not a problem to solve. It's a state of being to accept and plan for. :-) Maybe it's time to just re-write the script the right way, the way you would do it today... :-) You probably have already spent more time trying to figure this out than it would have taken to just re-code it with your better experience. -- Like Music? 
http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Strange comparison behaviour
On Fri, May 13, 2005 1:18 am, Erwin Kerk said: Can anyone explain to me why the following code: if ("info" == 0) echo "is 0\n"; else echo "not 0\n"; Results in: not 0 Whereas: if ("inf" == 0) echo "is 0\n"; else echo "not 0\n"; Results in: is 0 Notice the difference: "info" in the first sample, "inf" in the second sample. Wild Guess: PHP is interpreting "inf" as positive infinity which is what you would get if you managed to overflow a number in PHP. Similarly, if you use "-inf" you will likely get the same weird result and if you use "nan" (not a number) you may well get that weird result. Bottom line: You should *NOT* be comparing random arbitrary strings to numbers, even in PHP. Yeah, sure, PHP will generally do the right thing and convert "123" to 123 when it needs to. But if you really want to do it right, do the conversion yourself with: $inf = (int) "inf"; if ($inf == 0) echo "is 0\n"; else echo "not 0\n"; -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
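An added example (not code from the original thread) of the point in the reply: PHP's loose == between strings and numbers is where surprises like this come from, and the fix is to decide first whether the input is an integer at all and only then compare. compare_demo() returns results that are the same on every PHP release; the "abc" == 0 case is listed separately because PHP 8 changed it (true on PHP 5 and 7, false on PHP 8). The inputs are constructed for the example.

```php
<?php
// Added example, not code from the original thread: loose vs strict
// comparison of strings and numbers, and a validator that sidesteps it.

declare(strict_types=1);

function compare_demo(): array
{
    return [
        // Two numeric strings are compared as numbers, not as text.
        '"1e3" == "1000"'     => ("1e3" == "1000"),      // true
        // Both parse as "zero times ten to some power", so they are equal:
        // the classic way that comparing hash strings with == goes wrong.
        '"0e123" == "0e456"'  => ("0e123" == "0e456"),   // true
        // === compares type and text, so the surprises disappear.
        '"1e3" === "1000"'    => ("1e3" === "1000"),     // false
        '"0e123" === "0e456"' => ("0e123" === "0e456"),  // false
        // Version-dependent: a non-numeric string against an int.
        '"abc" == 0'          => ("abc" == 0),           // PHP 7: true, PHP 8: false
    ];
}

// The reply's advice, done strictly: accept only an optionally signed run of
// digits (18 at most, so it fits a 64-bit int), then compare as integers.
function parse_int_strict($raw): ?int
{
    if (!is_string($raw) || !preg_match('/^-?(0|[1-9]\d{0,17})$/', $raw)) {
        return null;            // "inf", "info", "1e3", "" are all rejected
    }
    return (int) $raw;
}

function is_zero(string $raw): bool
{
    $n = parse_int_strict($raw);
    return $n !== null && $n === 0;
}

foreach (compare_demo() as $expr => $result) {
    printf("%-22s => %s\n", $expr, var_export($result, true));
}
var_dump(is_zero("0"), is_zero("inf"), is_zero("info"));   // true, false, false
```

The validator rejects "inf" and "info" alike instead of letting (int) turn both into 0, which is the behaviour you want when the string came from a form field.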
Re: [PHP] Re: Same sessions / different domains
On Fri, May 13, 2005 1:06 am, Marek Kilimajer said: Richard Lynch wrote: On Thu, May 12, 2005 6:58 am, Shaun said: $_SERVER['HTTP_HOST'] Mbneto [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Hi, I need to access a website (written in php) using two different domains (www.foo.com and www.bar.com). I must see the same content. Since the site uses session and cookie variables I was wondering if (and how) it's possible to create a session id that is valid for the domains I'll be using... There is no built-in way to just tell the browser that it's okay for cookie X to work for both foo.com and bar.com You will have to write some code that passes the cookie name/value between foo.com and bar.com You might have a special script like 'propogate_cookie.php' something like: <?php $var = $_REQUEST['var']; $value = $_REQUEST['value']; setcookie($var, $value); ?> Put this on both servers, and then when somebody surfs to foo.com you do: <?php session_start(); $file = file("http://bar.com/propogate_cookie.php?var=PHPSESSID&value=" . session_id()); ?> The above will deadlock. session_start() locks the session file, then you try to read from http://bar.com/propogate_cookie.php, this script will try to use the same session file, but it will be never unlocked. Propagating session id in url when linking across domains and having common session storage is completely sufficient. If you are concerned user might browse to the other domain by other means than using a link from the first domain, you can use a 1x1 pixel image linking to the other domain with session id in url. I was actually thinking of foo and bar as totally separate machines when I typed that, mostly. But I'm not quite convinced that doing a setcookie on bar.com is going to deadlock the session from foo.com, even if they use the same file-system. 
It will deadlock if the user tries to have foo and bar windows open at once, or if the webmaster mixes foo and bar in a single page, but the setcookie all by itself should not deadlock, I don't think... -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Finding current PHP sessions
On Fri, May 13, 2005 1:01 am, Bogdan Stancescu said: I know I could read the session files themselves, but I'd very much rather use a proper way to retrieve the active sessions, which would work with alternate methods of storing session data, if there is any such proper way to do this. Reading the filenames is perfectly good for what you want for the default built-in sessions -- If the session file is gone, it's pretty much gone, eh? If somebody is doing custom session handling, then they have their own function for deleting a session and handling gc, and you just need to make it easy for them to call YOUR session data destroy routines. -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MySql injections (related question)
On Fri, May 13, 2005 12:51 am, Marek Kilimajer said: Richard Lynch wrote: On Thu, May 12, 2005 4:43 pm, Chris Shiflett said: From me: The fact that it uses the character set of your current connection to MySQL means that what your escaping function considers to be a single quote is exactly what your database considers to be a single quote. If these things don't match, your escaping function can miss something that your database interprets, opening you up to an SQL injection attack. Under the following pre-conditions: 1. C Locale / English in MySQL data 2. No intention to ever switch natural language, nor database. is there any real benefit to spending man hours I really can't afford for legacy code to switch from Magic Quotes to mysql_real_escape_string -- and make no mistake, it would be a TON of man hours. It will take less than five minutes to write a recursive function that will stripslashes() all incoming variables and use mysql_real_escape_string() instead. Except that for integer data, I just type-cast to (int) and check the range, but for some string data, which should not have had any characters that need escaping, I'm doing a regex, and for the string data where characters that needed escaping, I'm already doing stripslashes(), then a regex, then an addslashes(), so applying stripslashes() to all incoming data will break all of those last ones pretty badly. Are we all on the same page now? :-) I'm not under-estimating the time/effort here. Honest. -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Seeking decent domain registrar
On Fri, May 13, 2005 1:25 am, Marcus Bointon said: They did change the rules starting in November 2000, with RFCs (3454, 3490, 3491, 3492) finalised in 2003. See http://www.verisign.com/products-services/naming-and-directory-services/naming-services/internationalized-domain-names/index.html This page may be of interest too: http://www.imc.org/idna/. Also, have you tried going to www.café.com? It works just fine for me (if you're using an antique browser like IE6 it may not work, though verisign have a free plugin to enable it). http://www.1stdomain.net/ does international registrations (though does not handle .co.uk domains). From a PHP point of view, http://pear.php.net/package/Net_IDNA/ is what's needed. Cool! I stand corrected. For the record, no I haven't tried to go to that URL, because I don't even know how to type that symbol. If I did know how to type that non-ASCII symbol, I don't quite understand which of the umpteen extended character sets is going to get used by all the DNS machines, so I'd be kind of surprised if it worked, but, hey, if it all works and everybody is happy, it's all good. I feel sorry for anybody who has such a domain name, however, as it's going to be a real bear to get it listed/indexed correctly by search engines, I would guess. Maybe not. Maybe all the search engines are all ready for the non-ASCII domain names. [shrug] I certainly understand that the DNS space is now much bigger, and much nicer for non-English (or, perhaps more accurately, non-ASCII/Roman-alphabet) websites who can now get their domain name in their own native language. And I think that's really great. But it's sure gonna make it hard for a lot of users to figure out how to get there... I can sorta stumble my way through reading some simple Spanish, French, and Russian websites, but that don't mean I got any idea how to make those characters come out of my keyboard. Babelfish is a real boon on the sites I can't read, of course. :-) -- Like Music? 
http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
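An added example, not code from the original thread and not the Net_IDNA package mentioned above, answering the "which character set do the DNS machines use" question concretely: none of them. Under RFC 3490 each non-ASCII label is sent as "xn--" followed by the RFC 3492 Punycode encoding of its Unicode code points, so www.café.com goes over the wire as www.xn--caf-dma.com. The encoder below is written from the RFC for illustration; it skips Nameprep (RFC 3491: case folding and normalisation), so it assumes the input is already lowercase NFC UTF-8.

```php
<?php
// Added example, not code from the original thread: a from-scratch RFC 3492
// Punycode encoder plus the RFC 3490 "xn--" labelling, to show the ASCII
// form of an IDN that DNS actually sees. Nameprep is skipped (assumption:
// input is already lowercase, NFC-normalised UTF-8).

declare(strict_types=1);

// Decode well-formed UTF-8 into an array of code points (no validation).
function utf8_codepoints(string $s): array
{
    $cps = [];
    for ($i = 0, $len = strlen($s); $i < $len; $i += $n) {
        $c = ord($s[$i]);
        if ($c < 0x80)     { $n = 1; $cp = $c; }
        elseif ($c < 0xE0) { $n = 2; $cp = $c & 0x1F; }
        elseif ($c < 0xF0) { $n = 3; $cp = $c & 0x0F; }
        else               { $n = 4; $cp = $c & 0x07; }
        for ($j = 1; $j < $n; $j++) {
            $cp = ($cp << 6) | (ord($s[$i + $j]) & 0x3F);
        }
        $cps[] = $cp;
    }
    return $cps;
}

function punycode_digit(int $d): string
{
    return $d < 26 ? chr(97 + $d) : chr(22 + $d);   // a-z, then 0-9
}

// Bias adaptation, RFC 3492 section 6.1 (base 36, tmin 1, tmax 26, skew 38, damp 700).
function punycode_adapt(int $delta, int $numpoints, bool $first): int
{
    $delta  = $first ? intdiv($delta, 700) : intdiv($delta, 2);
    $delta += intdiv($delta, $numpoints);
    $k = 0;
    while ($delta > 455) {             // ((base - tmin) * tmax) / 2
        $delta = intdiv($delta, 35);   // base - tmin
        $k += 36;
    }
    return $k + intdiv(36 * $delta, $delta + 38);
}

// Encoding procedure, RFC 3492 section 6.3.
function punycode_encode(array $cps): string
{
    $out = '';
    foreach ($cps as $cp) {
        if ($cp < 0x80) {
            $out .= chr($cp);          // basic code points are copied verbatim
        }
    }
    $b = $h = strlen($out);
    if ($b > 0) {
        $out .= '-';
    }
    $n = 128; $delta = 0; $bias = 72;
    $total = count($cps);
    while ($h < $total) {
        $m = PHP_INT_MAX;              // smallest code point not yet handled
        foreach ($cps as $cp) {
            if ($cp >= $n && $cp < $m) { $m = $cp; }
        }
        $delta += ($m - $n) * ($h + 1);
        $n = $m;
        foreach ($cps as $cp) {
            if ($cp < $n) { $delta++; }
            if ($cp === $n) {
                $q = $delta;
                for ($k = 36; ; $k += 36) {
                    $t = $k <= $bias ? 1 : ($k >= $bias + 26 ? 26 : $k - $bias);
                    if ($q < $t) { break; }
                    $out .= punycode_digit($t + ($q - $t) % (36 - $t));
                    $q = intdiv($q - $t, 36 - $t);
                }
                $out .= punycode_digit($q);
                $bias = punycode_adapt($delta, $h + 1, $h === $b);
                $delta = 0;
                $h++;
            }
        }
        $delta++;
        $n++;
    }
    return $out;
}

// Convert a whole host name to its ASCII-compatible (ACE) form.
function domain_to_ascii(string $host): string
{
    $labels = [];
    foreach (explode('.', $host) as $label) {
        $labels[] = preg_match('/^[\x00-\x7F]*$/', $label)
            ? $label
            : 'xn--' . punycode_encode(utf8_codepoints($label));
    }
    return implode('.', $labels);
}

echo domain_to_ascii('www.café.com'), "\n";   // www.xn--caf-dma.com
```

The practical consequence for a PHP site: compare, log and whitelist host names in this ACE form, since that is the one string every resolver, browser and server agrees on, whatever the user typed.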
RE: [PHP] php works in IE not Firefox?
By the time a properly executed script (executed on the remote server) gets to your computer, regardless of the fact it was done in PHP (or any other server-side language for that matter) it will just be plain HTML. Once it makes it to your computer the file/HTML will be the same as the same page written in ASP or even written with just plain HTML. Your focus needs to be on the HTML itself and any CSS (what the browser DOES receive). Looking at the emails it seems both browsers are having issues. -Original Message- From: Dustin Wish [mailto:[EMAIL PROTECTED] Sent: Friday, May 13, 2005 2:12 PM To: php-general@lists.php.net Subject: [PHP] php works in IE not Firefox? Anyone run across an issue where a php script works in IE and not Firefox? Christianboards.org is a PHP nuke site running on a Enism linux box that is having this issue. --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.859 / Virus Database: 585 - Release Date: 2/14/2005 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: [thelist] SEO
For example: mysite/sweaters/ (I think) is better than: mysite/index.php?section=1content=23style=5. It's more usable I guess. What handles that though? I'm finding it hard to organise the back end of that in my head. I don't think there's any way around that ending up looking for an index file in the sweaters directory. So then you're ending up with lots of index files. Maybe they could redirect to the one program that answers the query, but it's still quite messy. I agree however that user mess should be reduced even if it increases implementation mess. The user wins over the developer. But, in the directory method there's only one way to segment the clothes. You're predefining the routes people would take. For instance, here you're saying people will select sweaters, maybe shoes, then maybe hats in separate transactions. Personally, I know blue suits me, so I'd want to see all the blue things in the shop. I'm also 6'6 tall and take size 14 shoes, so I want to know which of those blue things fits. My way caters for that. It allows the user to get what they want from my database. The next person may want rainwear, or beachwear. The directory method gives a very lightweight version of usability. It might even be argued that it puts a straightjacket around the way people select items. Surely usability, if it gives anything, provides an understanding of the breadth of people's requirements. Or maybe I'm thinking more of functionality than usability. J -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Hello, I'm new...
|-Original Message- |From: Jason Barnett [mailto:[EMAIL PROTECTED] |Sent: 13 May 2005 21:21 |To: php-general@lists.php.net |Subject: Re: [PHP] Hello, I'm new... | [SNIP] |Based on the somewhat vague OP, you have somewhat vague (but somewhat |useful) answers. ;) I apologise for the vagueness of my original post. It was meant to be a quick hello, I'm new to php... I only really put in the bit about the community site as a sort of statement about where I would like to go in my php quest. When I recently looked at asp.net, Microsoft had a Community starter kit/framework which included all the basic modules/applications needed to get such a site up and running and detailed documentation about its design and implementation. I have found most of the suggestions/comments to be useful, some a little more personal and insulting than was warranted. Anyway thank you for your time and suggestions, I will try to make my questions more focused and clear in the future. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] DOMDocument and html doctype
Hi, I've used loadHTML() to read a HTML file to DOM. This file starts with a string like <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> Does someone know how I can access this string? By reading the doctype back from DOMDocument I only found the name (HTML) but nothing more... Thanks, Claudio -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] changing php ini location
Richard Lynch wrote: On Fri, May 13, 2005 12:20 pm, Faith Emre YILMAZ said: anyone knows how to change php ini location? I'm using php5, apache 1.3 on windows xp. Re-compile. Since that's not practical for most users, you just have to use whatever phpinfo says is the right directory. Add : # configure the path to php.ini PHPIniDir C:/php Change the above path in your httpd.conf file, save it, then restart Apache. From : http://www.php.net/manual/en/install.windows.apache2.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Hello, I'm new...
When I recently looked at asp.net, Microsoft had a Community starter kit/framework which included all the basic modules/applications needed to get such a site up and running and detailed documentation about its design and implementation. I've not looked at asp, but that sounds like a completely different world. Maybe the equivalent is to find an open source application that does pretty much what you want and use that, even join in with its development. Check in sourceforge or freshmeat. AFAIK, PHP doesn't offer that kind of packaged approach. Perhaps there's a major difference between the way MS approaches things and the way PHP/open source does. J PS. there it is again, hit reply and the 'to' address is the email sender, not the list. How so? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] changing php ini location
I am not using Apache 2.0; as I mentioned before I am using Apache 1.3, which means that I don't have the opportunity to use the PHPIniDir config parameter, since Apache 1.3 doesn't support that. I cannot compile PHP either, since I'm using a precompiled Windows edition of PHP. - Original Message - From: Burhan Khalid [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: Faith Emre YILMAZ [EMAIL PROTECTED]; php-general@lists.php.net Sent: Saturday, May 14, 2005 1:21 PM Subject: Re: [PHP] changing php ini location Richard Lynch wrote: On Fri, May 13, 2005 12:20 pm, Faith Emre YILMAZ said: anyone knows how to change php ini location? I'm using php5, apache 1.3 on windows xp. Re-compile. Since that's not practical for most users, you just have to use whatever phpinfo says is the right directory. Add : # configure the path to php.ini PHPIniDir C:/php Change the above path in your httpd.conf file, save it, then restart Apache. From : http://www.php.net/manual/en/install.windows.apache2.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Finding current PHP sessions
Ok, I went with the solution you recommended, by the way of a thank you to the list, here's the resulting function:

/**
 * This function returns the IDs of the current PHP sessions.
 * At this time, it only works with
 * {@link http://www.php.net/manual/en/ref.session.php#AEN129461}
 * PHP session.save_handler='files'
 *
 * @author Bogdan Stancescu
 * @license http://opensource.org/licenses/lgpl-license.php GNU Lesser General Public License
 *
 * @return mixed false on error or the indexed array of the session IDs;
 * please note that the session IDs are 16-bit values represented as
 * 32-character long hexadecimal strings; letters are in lower caps.
 */
function getCurrentSessionIDs()
{
    if (ini_get('session.save_handler') != 'files') {
        // sorry, we only know how to handle files at this time!
        return false;
    }
    $sessions = array();
    $session_path = session_save_path();
    $d = dir($session_path);
    while (false !== ($entry = $d->read())) {
        if (($entry == '.') || ($entry == '..') || (!is_file("$session_path/$entry"))) {
            continue;
        }
        // default file-based sessions are stored as sess_<32 hex chars>
        if (preg_match("/^sess_([0-9a-f]{32})$/", $entry, $matches)) {
            $sessions[] = $matches[1];
        }
    }
    $d->close();
    return $sessions;
}

Cheers, Bogdan -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] php works in IE not Firefox?
it seems more likely that the server is having issues. On 5/14/05, Simon Allison [EMAIL PROTECTED] wrote: By the time a properly executed script (executed on the remote server) gets to your computer, regardless of the fact it was done in PHP (or any other server-side language for that matter) it will just be plain HTML. Once it makes it to your computer the file/HTML will be the same as the same page written in ASP or even written with just plain HTML. Your focus needs to be on the HTML itself and any CSS (what the browser DOES receive). Looking at the emails it seems both browsers are having issues. -Original Message- From: Dustin Wish [mailto:[EMAIL PROTECTED] Sent: Friday, May 13, 2005 2:12 PM To: php-general@lists.php.net Subject: [PHP] php works in IE not Firefox? Anyone run across an issue where a php script works in IE and not Firefox? Christianboards.org is a PHP nuke site running on a Enism linux box that is having this issue. --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.859 / Virus Database: 585 - Release Date: 2/14/2005 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Hello, I'm new...
I only really put in the bit about the community site as a sort of statement about where I would like to go in my php quest. When I recently looked at asp.net, Microsoft had a Community starter kit/framework which included all the basic modules/applications needed to get such a site up and running and detailed documentation about its design and implementation. If you're looking for a php equivalent of the ASP.NET framework, then the php interpreter has a lot of the ASP.NET framework functionality built in. For the remainder of the ASP.NET framework functionality, in PHP you should take it on a case by case basis. For example if you need database abstraction (a similar set of functions for accessing different types of database) you can use PEAR::DB or ADODB. Most of what you need however is built into the php interpreter. The php documentation is excellent. I used it to learn php from scratch, and I've yet to come across better, or easier to understand docs. I have found most of the suggestions/comments to be useful, some a little more personal and insulting than was warranted. I don't think any post on the list was meant to be personal, or insulting, and it would be a pity if you took it in that way. Perhaps you received some private replies, that we didn't see, but I think perhaps the post that could be most easily interpreted as a personal insult would have been my own, where I pointed out the Guide for new members, and ESR's smart questions guide. The new members guide is, as far as I know, sent to the list regularly (albeit not frequently), and ESR's guide is usually sent to anyone who posts to the list saying they're new, or asks for advice on how best to use the list. I assure you that none of my points were intended to insult, and apologise if you took them out of their intended scope. Anyway thank you for your time and suggestions, I will try to make my questions more focused and clear in the future. 
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Same sessions / different domains
Hi, They are on the same machine. My major concern is with security and the ability to make sure that if a user logs in, or adds something to a shopping cart in one domain, it will be available to the other domain. Can I call setcookie() twice with the same variable name but different domain? I could set the session id and call session_start() with the propagated id when/if a user crosses from one domain to another. - mb On 5/14/05, Richard Lynch [EMAIL PROTECTED] wrote: On Fri, May 13, 2005 1:06 am, Marek Kilimajer said: Richard Lynch wrote: On Thu, May 12, 2005 6:58 am, Shaun said: $_SERVER['HTTP_HOST'] Mbneto [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Hi, I need to access a website (written in php) using two different domains (www.foo.com and www.bar.com). I must see the same content. Since the site uses session and cookie variables I was wondering if (and how) it's possible to create a session id that is valid for the domains I'll be using... There is no built-in way to just tell the browser that it's okay for cookie X to work for both foo.com and bar.com You will have to write some code that passes the cookie name/value between foo.com and bar.com You might have a special script like 'propogate_cookie.php' something like: <?php $var = $_REQUEST['var']; $value = $_REQUEST['value']; setcookie($var, $value); ?> Put this on both servers, and then when somebody surfs to foo.com you do: <?php session_start(); $file = file("http://bar.com/propogate_cookie.php?var=PHPSESSID&value=" . session_id()); ?> The above will deadlock. session_start() locks the session file, then you try to read from http://bar.com/propogate_cookie.php, this script will try to use the same session file, but it will be never unlocked. Propagating session id in url when linking across domains and having common session storage is completely sufficient. 
If you are concerned user might browse to the other domain by other means than using a link from the first domain, you can use a 1x1 pixel image linking to the other domain with session id in url. I was actually thinking of foo and bar as totally separate machines when I typed that, mostly. But I'm not quite convinced that doing a setcookie on bar.com is going to deadlock the session from foo.com, even if they use the same file-system. It will deadlock if the user tries to have foo and bar windows open at once, or if the webmaster mixes foo and bar in a single page, but the setcookie all by itself should not deadlock, I don't think... -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
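An added example, not code from the original thread and a different design from the propogate_cookie.php script quoted above, for the "my major concern is with security" part: foo.com sends the user to bar.com with a short-lived HMAC-signed token instead of the raw session id, and bar.com adopts the session only after verifying the token, so there is no endpoint that sets an arbitrary cookie for anyone who asks. It assumes both hosts are on the same server with a shared session store (as stated in the thread), a shared secret, the host names below, a 60-second token lifetime, and PHP 7.1 or later.

```php
<?php
// Added example, not code from the original thread: handing a session from
// foo.com to bar.com on the same server via a signed, expiring token.
// Shared secret, host names and the 60 s lifetime are assumptions.

declare(strict_types=1);

const HANDOFF_SECRET   = 'replace-with-a-long-random-secret-shared-by-both-hosts';
const HANDOFF_LIFETIME = 60;   // seconds the token stays valid

// token = base64url( sid . "|" . expiry ) . "." . hex HMAC-SHA256
function make_handoff_token(string $sid, int $now, string $secret = HANDOFF_SECRET): string
{
    $payload = $sid . '|' . ($now + HANDOFF_LIFETIME);
    $mac     = hash_hmac('sha256', $payload, $secret);
    return rtrim(strtr(base64_encode($payload), '+/', '-_'), '=') . '.' . $mac;
}

// Returns the session id if the token is intact and unexpired, else null.
function verify_handoff_token(string $token, int $now, string $secret = HANDOFF_SECRET): ?string
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$b64, $mac] = $parts;
    $payload = base64_decode(strtr($b64, '-_', '+/'), true);
    if ($payload === false || !hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null;                      // forged or altered
    }
    [$sid, $exp] = explode('|', $payload, 2) + [null, null];
    if ($sid === null || !ctype_digit((string) $exp) || (int) $exp < $now) {
        return null;                      // malformed or expired
    }
    // Only adopt something shaped like an id PHP issued (sid_bits_per_character alphabet).
    return preg_match('/^[a-zA-Z0-9,-]{22,128}$/', $sid) ? $sid : null;
}

// --- foo.com side: where to send the logged-in user ---
function handoff_url(string $sid, int $now): string
{
    return 'https://www.bar.com/handoff.php?t=' . rawurlencode(make_handoff_token($sid, $now));
}

// --- bar.com/handoff.php side ---
function accept_handoff(string $token, int $now): bool
{
    $sid = verify_handoff_token($token, $now);
    if ($sid === null) {
        return false;
    }
    session_id($sid);                     // both hosts read the same session store
    session_start();                      // bar.com now sets its own cookie for this id
    return true;
}

// Offline check of the token round trip (no web server needed).
$sid = 'k3hj4v2b8rn6p1q0mc7s9tdf5a';      // constructed 26-character id
$t   = make_handoff_token($sid, 1700000000);
var_dump(verify_handoff_token($t, 1700000030));        // string: the id above
var_dump(verify_handoff_token($t, 1700000100));        // NULL: expired
var_dump(verify_handoff_token($t . 'x', 1700000030));  // NULL: MAC mismatch
echo handoff_url($sid, 1700000000), "\n";
```

On foo.com, redirect to handoff_url(session_id(), time()) only after the user has a session worth sharing (typically right after login); on bar.com, call accept_handoff($_GET['t'] ?? '', time()) and redirect to the requested page. The token is still a bearer credential while it is valid, so keep the lifetime short and, if a link to it could be forwarded to someone else, record each accepted MAC in the shared store and refuse repeats.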
RE: [PHP] DOMDocument and html doctype
Hi, I've used loadHTML() to read a HTML file to DOM. This file starts with a string like <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> Does someone know how I can access this string? By reading the doctype back from DOMDocument I only found the name (HTML) but nothing more... Use $document->doctype, it's a DOMDocumentType object. http://php.net/dom#dom.class.domdocumenttype Jared -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
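An added example (not code from the original thread) of the answer above: read the DOMDocumentType back from a loadHTML() parse and rebuild the declaration from its name, publicId and systemId. The HTML input is constructed for the example.

```php
<?php
// Added example, not code from the original thread: read back the whole
// doctype that loadHTML() parsed, not just its name.

declare(strict_types=1);

function doctype_info(string $html): ?array
{
    $dom = new DOMDocument();
    // Sloppy or untrusted HTML makes libxml emit a warning per problem;
    // collect them internally instead of letting them reach the output.
    $prev = libxml_use_internal_errors(true);
    $ok   = $dom->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok || $dom->doctype === null) {
        return null;                      // no <!DOCTYPE ...> in the input
    }
    $dt       = $dom->doctype;            // DOMDocumentType
    $name     = (string) $dt->name;       // root element name from the declaration
    $publicId = (string) $dt->publicId;   // e.g. -//W3C//DTD HTML 4.01 Transitional//EN
    $systemId = (string) $dt->systemId;   // DTD URL if the declaration had one, else ""

    // Rebuild the declaration string from its parts.
    if ($publicId !== '') {
        $declaration = sprintf('<!DOCTYPE %s PUBLIC "%s"%s>', $name, $publicId,
            $systemId !== '' ? ' "' . $systemId . '"' : '');
    } elseif ($systemId !== '') {
        $declaration = sprintf('<!DOCTYPE %s SYSTEM "%s">', $name, $systemId);
    } else {
        $declaration = sprintf('<!DOCTYPE %s>', $name);
    }
    return [
        'name'        => $name,
        'publicId'    => $publicId,
        'systemId'    => $systemId,
        'declaration' => $declaration,
    ];
}

// Constructed input for the example.
$html = '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">'
      . '<html><head><title>t</title></head><body><p>hi</p></body></html>';
print_r(doctype_info($html));
```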
Re: [PHP] Re: Same sessions / different domains
Richard Lynch wrote: On Fri, May 13, 2005 1:06 am, Marek Kilimajer said: Richard Lynch wrote: On Thu, May 12, 2005 6:58 am, Shaun said: $_SERVER['HTTP_HOST'] Mbneto [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Hi, I need to access a website (written in php) using two different domains (www.foo.com and www.bar.com). I must see the same content. Since the site uses session and cookie variables I was wondering if (and how) it's possible to create a session id that is valid for the domains I'll be using... There is no built-in way to just tell the browser that it's okay for cookie X to work for both foo.com and bar.com You will have to write some code that passes the cookie name/value between foo.com and bar.com You might have a special script like 'propogate_cookie.php' something like: <?php $var = $_REQUEST['var']; $value = $_REQUEST['value']; setcookie($var, $value); ?> Put this on both servers, and then when somebody surfs to foo.com you do: <?php session_start(); $file = file("http://bar.com/propogate_cookie.php?var=PHPSESSID&value=" . session_id()); ?> The above will deadlock. session_start() locks the session file, then you try to read from http://bar.com/propogate_cookie.php, this script will try to use the same session file, but it will be never unlocked. Propagating session id in url when linking across domains and having common session storage is completely sufficient. If you are concerned user might browse to the other domain by other means than using a link from the first domain, you can use a 1x1 pixel image linking to the other domain with session id in url. I was actually thinking of foo and bar as totally separate machines when I typed that, mostly. But I'm not quite convinced that doing a setcookie on bar.com is going to deadlock the session from foo.com, even if they use the same file-system. Now I see what you wrote :) Well, it ain't gonna work, you send the cookie to php's file() function, not to the browser. 
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MySql injections (related question)
Richard Lynch wrote: On Fri, May 13, 2005 12:51 am, Marek Kilimajer said: Richard Lynch wrote: On Thu, May 12, 2005 4:43 pm, Chris Shiflett said: From me: The fact that it uses the character set of your current connection to MySQL means that what your escaping function considers to be a single quote is exactly what your database considers to be a single quote. If these things don't match, your escaping function can miss something that your database interprets, opening you up to an SQL injection attack. Under the following pre-conditions: 1. C Locale / English in MySQL data 2. No intention to ever switch natural language, nor database. is there any real benefit to spending man hours I really can't afford for legacy code to switch from Magic Quotes to mysql_real_escape_string -- and make no mistake, it would be a TON of man hours. It will take less than five minutes to write a recursive function that will stripslashes() all incoming variables and use mysql_real_escape_string() instead. Except that for integer data, I just type-cast to (int) and check the range, but for some string data, which should not have had any characters that need escaping, I'm doing a regex, and for the string data where characters that needed escaping, I'm already doing stripslashes(), then a regex, then an addslashes(), so applying stripslashes() to all incoming data will break all of those last ones pretty badly. Are we all on the same page now? :-) If this is how your application works now then it's really only search and replace s/addslashes/mysql_real_escape_string/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
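An added example (not code from the original thread) covering both halves of this exchange and the earlier one it quotes: the recursive "undo magic quotes" pass Marek describes, and a concrete look at why addslashes() is not a substitute for escaping that knows the connection's character set, as Chris Shiflett's quoted paragraph warns. The 0xBF byte input is constructed for the example; the DEMO_DB_DSN environment variable (for instance mysql:host=localhost;dbname=app;charset=utf8mb4), credentials and the users table are assumptions, and the prepared-statement part only runs when that variable is set.

```php
<?php
// Added example, not code from the original thread. Two things the thread
// talks about, shown concretely:
//  1. the recursive "undo magic quotes" pass Marek describes, and
//  2. the charset problem with addslashes(), plus the prepared-statement
//     alternative that never escapes at all.
// DSN, credentials and the users table are assumptions for the example.

declare(strict_types=1);

// 1. Strip the backslashes magic_quotes_gpc added (PHP < 5.4 only; on newer
//    PHP get_magic_quotes_gpc() is absent or always false, so nothing runs).
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

function undo_magic_quotes(): void
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $_GET     = strip_magic_quotes($_GET);
        $_POST    = strip_magic_quotes($_POST);
        $_COOKIE  = strip_magic_quotes($_COOKIE);
        $_REQUEST = strip_magic_quotes($_REQUEST);
    }
}

// 2. What addslashes() produces for a byte that is the lead byte of a
//    two-byte character in a multibyte charset such as GBK. Constructed
//    input: 0xBF followed by a single quote.
function addslashes_bytes(string $s): string
{
    return bin2hex(addslashes($s));
}
// addslashes_bytes("\xBF'") === 'bf5c27': the backslash (0x5C) lands right
// after 0xBF. A connection in GBK reads 0xBF 0x5C as one character, so the
// quote (0x27) that follows is live again. An escaper that knows the
// connection charset (mysqli_real_escape_string after mysqli_set_charset)
// escapes correctly; a bound parameter never enters the SQL text at all.

// Prepared statement: the value travels separately from the query, so no
// escaping decision is made in PHP. Table and column names are assumptions.
function find_user(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

undo_magic_quotes();
echo addslashes_bytes("\xBF'"), "\n";     // bf5c27

// Put the charset in the DSN so client and server agree on what a quote is.
if (getenv('DEMO_DB_DSN') !== false) {
    $pdo = new PDO(getenv('DEMO_DB_DSN'), getenv('DEMO_DB_USER') ?: null,
        getenv('DEMO_DB_PASS') ?: null, [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
        ]);
    var_dump(find_user($pdo, "admin' OR '1'='1"));  // NULL: treated as literal text
}
```

For the legacy code in the thread, the mechanical step Marek suggests (search and replace addslashes() with mysql_real_escape_string()) is only complete once the connection charset is set explicitly, since mysql_real_escape_string() escapes according to whatever charset the connection is actually using.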
RE: [PHP] Hello, I'm new...
|-Original Message- |From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] |Sent: 14 May 2005 11:35 |To: php-general@lists.php.net |Subject: RE: [PHP] Hello, I'm new... | | |PS. there it is again, hit reply and the 'to' address is the email |sender, not the list. How so? | I am on a number of lists they all behave differently, I just hit reply to all. I notice that this one forwards the delivery status requests as well (I've turned that off now). -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Finding current PHP sessions
Bogdan Stancescu wrote: Ok, I went with the solution you recommended, by the way of a thank you to the list, here's the resulting function:

/**
 * This function returns the IDs of the current PHP sessions.
 * At this time, it only works with
 * {@link http://www.php.net/manual/en/ref.session.php#AEN129461}
 * PHP session.save_handler='files'
 *
 * @author Bogdan Stancescu
 * @license http://opensource.org/licenses/lgpl-license.php GNU Lesser General Public License
 *
 * @return mixed false on error or the indexed array of the session IDs;
 *   please note that the session IDs are 16-bit values represented as

That's not very secure ;) Should be 256-bit

 *   32-character long hexadecimal strings; letters are in lower caps.
 */

-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Repost: mod_rewrite loses POST data
Hi, I'm currently developing a web application that uses mod_rewrite. At some point I have to post data but it seems to get lost. Checking the web and some archives I've found that normally mod_rewrite should preserve this data, but apparently it doesn't. Could anyone help me? I'm using: Apache/2.0.52 (Unix) mod_ssl/2.0.52 OpenSSL/0.9.7b PHP/4.3.11 Server at host.mydomain.com Port 80 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Shopping Cart, security concerns
I have to say it's a pretty simple project. They don't want to keep any information in a db. (!!??!!) Info will be sent to a merchant services account and to the distributor which will process the form. Info will be kept in hidden fields <input type="hidden" ...> and in session variables then sent off. They have three products (it may rise to 5) and everything will be hardcoded as there are no size or color variations. I told them that it's not advisable to have everything hardcoded but the client insists there is no reason to pull anything from a database. The on-site graphics/web designer person will make the changes. He is competent to do that and did a good job with the basic design. This is not my very first foray into PHP but first time doing something more complicated than 1. if person has this permission then show A else show B or 2. if person is on page 1 then show page 1 as bold else show page 1 as normal Thanks -Original Message- From: Richard Lynch [mailto:[EMAIL PROTECTED] Sent: Saturday, May 14, 2005 1:54 AM To: mayo Cc: php Subject: Re: [PHP] Shopping Cart, security concerns On Fri, May 13, 2005 8:26 pm, mayo said: I'm making my first shopping cart in PHP. I'm concerned about the security of my session variables, concerned about people altering data (lowering the price). Is there anything I should pay attention to. There are approximately 247 other PHP shopping carts out there. Maybe you'd be better off just installing one of them. Certainly, you should read the source code to several. Your session variables are at-risk on a shared server, usually; And not so much on a dedicated server. Or, more properly, on a dedicated server, if your session data isn't safe, you've got MUCH bigger problems than just your session data. As far as changing the price goes, just don't take the price as an INPUT from your cart/form. The only variables you need to accept from the user in the shopping cart itself are: $product_id and $quantity. 
For the fulfillment, maybe some location data like $country, $region, $postal to calculate shipping, and then their credit card info. Honestly, setting up a script to accept people's credit card numbers as your very first PHP project is probably not a particularly Good Idea... You can't absorb all the ins and outs of security overnight... Just my opinion. Perhaps you would be better served to install a pre-existing PHP shopping cart, and focus on making it secure and safe, rather than trying to write your own from scratch as well. -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] 'Require' and 'Select' lists
On Saturday 14 May 2005 02:14 am, you wrote: On Fri, May 13, 2005 5:59 am, Andre Dubuc said: However, the behavior continues intermittently. I've duplicated it one time. If I click on the 'State' dropdown list, allow the mouse to scan through it, but do not choose a value, and then immediately go to the previous or next field and click on it, the box where 'USA or Canada' appears will be blank (despite '<option selected value="In USA or Canada">In USA or Canada</option>'). For the life of me, I cannot figure why it's doing that. This is a browser/OS bug. It's possible that it's even time-dependent -- that if you click in the popup list before it's fully formed, then you can make this happen, but after it gets completely built, you can't duplicate this. At any rate, there is nothing you can do about it. Well, okay, you can complain to the browser-makers, and be ignored by them... I guess one thing that *MIGHT* help would be to ob_start() before you send out all the option tags, and then ob_flush()/flush() after the </select> closing tag. The purpose being that you want the browser to build the whole menu with as few interruptions as possible, so it will not get used while it is half-built. I would not RELY on this actually fixing the problem for sure 100% every time you betcha, but it could reduce the incidence. As a hack, I've included a new routine checking for blank or null value for $selstate that snags problems before they hit the database. However, I'd rather know why this is happening. Browsers and the data coming from them are flaky, if not downright hostile. That's just how life is. It's not a problem to solve. It's a state of being to accept and plan for. :-) Maybe it's time to just re-write the script the right way, the way you would do it today... :-) You probably have already spent more time trying to figure this out than it would have taken to just re-code it with your better experience. Thanks Richard, Ain't life beautiful? 
I live for these debugging moments with *challenged* browsers! So, I'll stick with the hack. I've thrown the whole mess back at the browser and will let the user correct the *problem*. Re-write the code? Yup, sometime in the near future - around July 2020 - I believe I have a few days available : Regards, Andre -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Hello, I'm new...
AFAIK, PHP doesn't offer that kind of packaged approach. Perhaps there's a major difference between the way MS approaches things and the way PHP/open source does. Traditional ASP, and PHP, were fairly similar. ASP.NET and PHP are two very different solutions, to what is possibly the same problem. With Microsoft's changing direction to a Java design (which is basically what dotNET is), ASP.NET is taking a lot of ideas from JSP. JSP is based on the ideas of packages that it inherited from Java. You'll see a lot of arguments as to whether ASP is better than PHP, or vice versa, containing ASP.NET arguments. The fact of the matter is that PHP is better than ASP, and different from ASP.NET. PS. there it is again, hit reply and the 'to' address is the email sender, not the list. How so? Is there a 'reply to all' button on your mail client? Some mailing lists add a 'Reply-to' header asking all clients to redirect replies to the list. PHP-general doesn't have such a feature. I know it gets annoying at times. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] CASE tool
Hello, can anybody here tell me if there is an (open source) CASE tool which supports PHP code generation? I could not find anything like this yet. What's the best way of designing PHP applications? I guess somebody knows a whitepaper or tutorial URI?! Thanks Krid -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] DOMDocument and html doctype
On Sat, 2005-05-14 at 06:00, Claudio wrote: Hi, I've used loadHTML() to read a HTML file to DOM. This file starts with a string like <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> Does someone know how I can access this string? By reading the doctype back from DOMDocument I only found the name (HTML) but nothing more...

<?php
$html = <<<EOS
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><body>Test<br></body></html>
EOS;
// '<' and '>' serve as the PCRE delimiters here, so the match is the
// declaration without its angle brackets.
$pattern = '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">';
$doc = new DOMDocument();
$doc->loadHTML($html);
preg_match($pattern, $doc->saveHTML(), $matches);
echo '&lt;' . $matches[0] . '&gt;';
?>

-- s/:-[(/]/:-)/g Brian GnuPG - KeyID: 0x04A4F0DC | Key Server: pgp.mit.edu == gpg --keyserver pgp.mit.edu --recv-keys 04A4F0DC Key Info: http://gfx-design.com/keys Linux Registered User #339825 at http://counter.li.org -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Hello, I'm new...
PS. there it is again, hit reply and the 'to' address is the email sender, not the list. How so? Is there a 'reply to all' button on your mail client? Some mailing lists add a 'Reply-to' header asking all clients to redirect replies to the list. PHP-general doesn't have such a feature. I know it gets annoying at times. Oh yes. I don't think I've ever used that before. How irritating :-) J -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: why are session only working with cookies?
On Fri, 2005-05-13 at 23:31, Jason Wong wrote: On Saturday 14 May 2005 09:42, Brian V Bonini wrote: Yeah, I know session support is there and I DO NOT have it set to use ONLY cookies. But if I disable cookies in the browser stuff relying on sessions stops working. I'm using 5.0.3 session.use_trans_sid 0 0 Set that to 1. Sessions *are* cookies, they're cookies that have been set to expire when the browsing session finishes (ie when the browser is closed). I thought the idea was; cookies if available otherwise the session data gets serialized and propagated in the URL? The latter of which appears to not work, for me, if applicable -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] DOMDocument and html doctype
On Sat, 2005-05-14 at 07:57, Jared Williams wrote: Hi, I've used loadHTML() to read a HTML file to DOM. This file starts with a string like <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> Does someone know how I can access this string? By reading the doctype back from DOMDocument I only found the name (HTML) but nothing more... Use $document->doctype, it's a DOMDocumentType object.. That's part of DOM XML isn't it? I think he's referring to the newer DOM extension since loadHTML() is cited...??? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] using require
Hi all, I have my web site working something like this: in every PHP script I have require('auth.php'). This auth.php has my connection to my PostgreSQL server and database along with some other stuff I need for the user to be authenticated to my web site. When I log on, this auth.php connects to the dbserver and checks if my username and password are stored and then I go to a home page. My connection is stored in $dbh. What happens when I start moving through all these web pages (PHP scripts), each requires auth.php, with respect to the connection? Is a new connection established for every web page I go into that uses my $dbh for querying purposes or is it the same connection I originally made when I first logged into the web site? Any info will be highly appreciated!! Thanks.
RE: [PHP] DOMDocument and html doctype
On Sat, 2005-05-14 at 07:57, Jared Williams wrote: Hi, I've used loadHTML() to read a HTML file to DOM. This file starts with a string like <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> Does someone know how I can access this string? By reading the doctype back from DOMDocument I only found the name (HTML) but nothing more... Use $document->doctype, it's a DOMDocumentType object.. That's part of DOM XML isn't it? I think he's referring to the newer DOM extension since loadHTML() is cited...??? I was referring to the new PHP5 DOM extension. Jared -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] DOMDocument and html doctype
On Saturday 14 May 2005 16:25, Brian V Bonini wrote:

<?php
$html = <<<EOS
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><body>Test<br></body></html>
EOS;
$pattern = '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">';
$doc = new DOMDocument();
$doc->loadHTML($html);
preg_match($pattern, $doc->saveHTML(), $matches);
echo '&lt;' . $matches[0] . '&gt;';
?>

Well, that is a very crazy idea... If Claudio knows the doctype already, he does not need to access this doctype string. A preg_match is the wrong function at this place, or will you write a switch/case block that knows every doctype definition? This is only useful to see if the string exists or not. Regards -- Johannes Findeisen -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: Repost: mod_rewrite loses POST data
Evert from collan thought it may have to do with the rewrite rules or the script and asked me to post both of them. These are the rewrite rules I use:

RewriteEngine On
RewriteRule ^/(.*[^/])/Admin/(.*)$ https://my.domain.com/$1/Admin/$2 [R,L,NS]
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -d [OR]
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -f
RewriteRule ^(.*)$ - [L,NS]
RewriteCond %{QUERY_STRING} !^$
RewriteRule ^/(.*)/(.*)/$ /index.php?shopid=$1&page=$2&%{QUERY_STRING} [L,NS]
RewriteRule ^/(.*)/(.*)/$ /index.php?shopid=$1&page=$2 [L,NS]
RewriteCond %{QUERY_STRING} !^$
RewriteRule ^/(.*)/$ /index.php?shopid=$1&%{QUERY_STRING} [L,NS]
RewriteRule ^/(.*)/$ /index.php?shopid=$1 [L,NS]

He also suggested it might be the fault of the PHP scripting; this is what I do:

if (isset($_GET["page"]))
    switch (strtolower($_GET["page"])) {
        // snip //
            break;
        case "basket":
            echo "<pre>\n";
            var_dump(get_defined_vars());
            echo "</pre>\n";
            include("includes/basket.inc.php");

In IE I get this output for POST and GET:

array(18) {
  ["HTTP_POST_VARS"]=>
  array(0) {
  }
  ["_POST"]=>
  array(0) {
  }
  ["HTTP_GET_VARS"]=>
  array(2) {
    ["shopid"]=>
    string(3) "wsn"
    ["page"]=>
    string(6) "Basket"
  }
  ["_GET"]=>
  array(2) {
    ["shopid"]=>
    string(3) "wsn"
    ["page"]=>
    string(6) "Basket"
  }
  // snip //

Am I doing something wrong?

Bart Seresia [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Hi, I'm currently developing a web application that uses mod_rewrite. At some point I have to post data but it seems to get lost. Checking the web and some archives I've found that normally mod_rewrite should preserve this data, but apparently it doesn't. Could anyone help me? I'm using: Apache/2.0.52 (Unix) mod_ssl/2.0.52 OpenSSL/0.9.7b PHP/4.3.11 Server at host.mydomain.com Port 80 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] DOMDocument and html doctype
On Sat, 2005-05-14 at 16:08, Johannes Findeisen wrote: On Saturday 14 May 2005 16:25, Brian V Bonini wrote:

<?php
$html = <<<EOS
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><body>Test<br></body></html>
EOS;
$pattern = '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">';
$doc = new DOMDocument();
$doc->loadHTML($html);
preg_match($pattern, $doc->saveHTML(), $matches);
echo '&lt;' . $matches[0] . '&gt;';
?>

Well, that is a very crazy idea... If Claudio knows the doctype already, he does not need to access this doctype string. A preg_match is the wrong function at this place, or will you write a switch/case block that knows every doctype definition? This is only useful to see if the string exists or not. I'm sorry, I missed your solution, what was it again? He said "Does someone know how I can access this string?" There it is, THAT string is now in $matches[0]; do what you want with it from there. Otherwise set $pattern to a regex and search for similar strings if the search pattern is not EXACTLY that. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] DOMDocument and html doctype
On Sat, 2005-05-14 at 13:03, Jared Williams wrote: On Sat, 2005-05-14 at 07:57, Jared Williams wrote: Hi, I've used loadHTML() to read a HTML file to DOM. This file starts with a string like <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> Does someone know how I can access this string? By reading the doctype back from DOMDocument I only found the name (HTML) but nothing more... Use $document->doctype, it's a DOMDocumentType object.. That's part of DOM XML isn't it? I think he's referring to the newer DOM extension since loadHTML() is cited...??? I was referring to the new PHP5 DOM extension. Oops, there it is, table 3 on the first page of the DOM section in the manual... I swear it wasn't there earlier.. ;-) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
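As an added example (not code from any of the posters), the approach Jared points to: read the declaration back through $doc->doctype, a DOMDocumentType, rather than regex-matching saveHTML(). The HTML string is constructed sample input; the rebuilt declaration handles the PUBLIC, SYSTEM and bare-name forms.

```php
<?php
// Added example, not from the thread. DOMDocumentType exposes the three
// parts of a doctype declaration; this rebuilds the string from them.

/**
 * Returns the doctype's name, public id and system id, plus the declaration
 * rebuilt from them, or null when the document has no doctype.
 */
function doctype_info(DOMDocument $doc)
{
    $dt = $doc->doctype;
    if ($dt === null) {
        return null;
    }
    $decl = '<!DOCTYPE ' . $dt->name;
    if ($dt->publicId !== '') {
        $decl .= ' PUBLIC "' . $dt->publicId . '"';
        if ($dt->systemId !== '') {
            $decl .= ' "' . $dt->systemId . '"';
        }
    } elseif ($dt->systemId !== '') {
        $decl .= ' SYSTEM "' . $dt->systemId . '"';
    }
    return array(
        'name'        => $dt->name,
        'publicId'    => $dt->publicId,
        'systemId'    => $dt->systemId,
        'declaration' => $decl . '>',
    );
}

// Constructed sample document, the same shape as the one in the thread.
$html = <<<EOS
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><body>Test<br></body></html>
EOS;

$doc = new DOMDocument();
libxml_use_internal_errors(true);   // keep HTML 4 parser warnings out of the output
$doc->loadHTML($html);
$info = doctype_info($doc);
if ($info === null) {
    echo "no doctype\n";
} else {
    // Escape before echoing into a page; the declaration contains '<' and '"'.
    echo htmlspecialchars($info['declaration'], ENT_QUOTES, 'UTF-8'), "\n";
    echo 'public id: ', htmlspecialchars($info['publicId'], ENT_QUOTES, 'UTF-8'), "\n";
}
```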
Re: [PHP] using require
Hello Cima, Friday, October 14, 2005, 12:33:57 PM, you wrote: C any info will be highly appreciated!! The easiest way to handle this is to set a session variable once they're authenticated and on all your pages you have something like this:

session_start();
// The original compared !$_SESSION[...] == "Yeppers", which negates the
// value before comparing; test the value itself, and check it is set first.
if (!isset($_SESSION['isAuthenticated']) || $_SESSION['isAuthenticated'] != "Yeppers") include('auth.php');

IIRC you have to use include() vs. require() because a require() would force auth.php regardless of the outcome of the if statement. I'm pretty sure I remember reading this somewhere, but I could be wrong. By using the session variable you only force an auth for people who haven't already authenticated. If you're not familiar with sessions, the key thing to remember is you need to do a session_start(); somewhere in the page prior to reading or writing session variables. Cheers, Leif Gregory -- TB Lists Moderator (and fellow registered end-user) PCWize Editor / ICQ 216395 / PGP Key ID 0x7CD4926F Web Site http://www.PCWize.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] using require
On 10/14/05, Cima [EMAIL PROTECTED] wrote: hi all, i have my web site working something like this: in every php script i have require(auth.php). this auth.php has my connection to my postgresql server and database along with some other stuff i need for the user to be authenticated to my web site. when i log on, this auth.php connects to the dbserver and checks if my username and password are stored and then i go to a home page. my connection is stored in $dbh. what happens when i start moving through all these web pages (php scripts), each requires auth.php, with respect to the connection? is a new connection established for every web page i go into that uses my $dbh for querying purposes or is it the same connection i originally made when i first logged into the web site? any info will be highly appreciated!! thanx. -- jamwil.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] using require
On 5/14/05, James Williams [EMAIL PROTECTED] wrote: On 10/14/05, Cima [EMAIL PROTECTED] wrote: hi all, i have my web site working something like this: in every php script i have require(auth.php). this auth.php has my connection to my postgresql server and database along with some other stuff i need for the user to be authenticated to my web site. when i log on, this auth.php connects to the dbserver and checks if my username and password are stored and then i go to a home page. my connection is stored in $dbh. what happens when i start moving through all these web pages (php scripts), each requires auth.php, with respect to the connection? is a new connection established for every web page i go into that uses my $dbh for querying purposes or is it the same connection i originally made when i first logged into the web site? any info will be highly appreciated!! thanx. A new connection will be established to the database for every time you run auth.php -- jamwil.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Finding current PHP sessions
Marek Kilimajer wrote: Bogdan Stancescu wrote: Ok, I went with the solution you recommended, by the way of a thank you to the list, here's the resulting function:

/**
 * This function returns the IDs of the current PHP sessions.
 * At this time, it only works with
 * {@link http://www.php.net/manual/en/ref.session.php#AEN129461}
 * PHP session.save_handler='files'
 *
 * @author Bogdan Stancescu
 * @license http://opensource.org/licenses/lgpl-license.php GNU Lesser General Public License
 *
 * @return mixed false on error or the indexed array of the session IDs;
 *   please note that the session IDs are 16-bit values represented as

That's not very secure ;) Should be 256-bit

 *   32-character long hexadecimal strings; letters are in lower caps.
 */

True, that should've read 16 byte, documentation error -- thanks for pointing it out! Cheers, Bogdan -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: CASE tool
Hello, on 05/14/2005 10:49 AM Krid said the following: can anybody here tell me if there is an (open source) CASE tool which supports PHP code generation? I could not find anything like this yet. What's the best way of designing PHP applications? I guess somebody knows a whitepaper or tutorial URI?! You may want to take a look at Metastorage. This is a CASE tool that generates code for data access object classes based on a high-level definition, in an XML format (CPML), of a model of your application's persistent objects. You just define your classes in CPML, with variables, validation rules, relationships and functions to manipulate the objects of such classes, and Metastorage generates classes that perform Object Relational Mapping (ORM) to store persistent objects in a relational database using SQL. http://www.meta-language.net/metastorage.html -- Regards, Manuel Lemos PHP Classes - Free ready to use OOP components written in PHP http://www.phpclasses.org/ PHP Reviews - Reviews of PHP books and other products http://www.phpclasses.org/reviews/ Metastorage - Data object relational mapping layer generator http://www.meta-language.net/metastorage.html -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] using require
On Fri, October 14, 2005 11:33 am, Cima said: I have my web site working something like this: in every PHP script I have require('auth.php'). This auth.php has my connection to my PostgreSQL server and database along with some other stuff I need for the user to be authenticated to my web site. When I log on, this auth.php connects to the dbserver and checks if my username and password are stored and then I go to a home page. My connection is stored in $dbh. What happens when I start moving through all these web pages (PHP scripts), each requires auth.php, with respect to the connection? Is a new connection established for every web page I go into that uses my $dbh for querying purposes or is it the same connection I originally made when I first logged into the web site? You'll get a new connection on each page. Which is good, because database connections CANNOT be shared across page hits. If you use _pconnect, you can get a refurbished connection from the database instead of a truly new one. But there are gotchas with that, and I wouldn't recommend you jump into that without a lot more research/experience. I would suggest, however, that you put the database connection in a totally separate file from the auth.php, and require them separately. You may find more uses for your database some day, maybe even for pages that do NOT require authentication, and you'll more easily do that if you can just do:

<?php require 'db_connect.php'; ?>

For the pages that need authentication, you'd do:

<?php require 'db_connect.php'; require 'auth.php'; ?>

You could also look into http://php.net/require_once, but I tend to find that people who start off with that end up being sloppy coders and end up having a whole rats' nest of includes with no real Plan behind them, which cause problems in the long run. Just my opinion, and I'm bound to take flak for it. -- Like Music? 
http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: why are session only working with cookies?
On Sat, May 14, 2005 7:49 am, Brian V Bonini said: On Fri, 2005-05-13 at 23:31, Jason Wong wrote: On Saturday 14 May 2005 09:42, Brian V Bonini wrote: Yeah, I know session support is there and I DO NOT have it set to use ONLY cookies. But if I disable cookies in the browser stuff relying on sessions stops working. I'm using 5.0.3 session.use_trans_sid 0 0 Set that to 1. Sessions *are* cookies, they're cookies that have been set to expire when the browsing session finishes (ie when the browser is closed). I thought the idea was; cookies if available otherwise the session data gets serialized and propagated in the URL? The latter of which appears to not work, for me, if applicable Sessions are *NOT* cookies. PHP sessions use *A* Cookie to maintain state -- specifically to identify a single user/browser on repeat HTTP connections. The session *data* is not going to be transmitted in the URL -- Only the Cookie name/value pair will go in the URL. Using Cookies, or using URL, the session DATA will be stored on the server in /tmp files -- Unless you change php.ini to store them somewhere else, in which case, again, the Cookie and URL only holds the ID and all the data goes wherever you store it: database, shared memory, or an army of elves for all PHP cares. If trans_sid is not working for you, let's narrow this down: If you do this:

<?php
session_start();
echo "<a href=\"yourdomainnamehere.com\">click me</a><br />\n";
?>

Do you see something like ?PHPSESSID=a847hjfu3734hgfjgurur tacked on to the end of the URL? If not, trans_sid is NOT enabled. Did you restart Apache? Did you turn *OFF* Cookies? If PHP *can* use Cookies, I think it's gonna use Cookies, and not bother with the trans_sid stuff, though maybe it always puts it there. I never really dived into that. To be certain, though, turn off Cookies in php.ini and/or in your browser. Re-start Apache for your php.ini changes to kick in. -- Like Music? 
http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Shopping Cart, security concerns
On Sat, May 14, 2005 6:30 am, mayo said: I have to say it's a pretty simple project. They don't want to keep any information in a db. (!!??!!) Info will be sent to a merchant services account and to the distributor which will process the form. Info will be kept in hidden fields <input type="hidden" ...> and in session variables then sent off. Don't put anything you *NEED* to be correct/accurate in type="hidden". The web surfer can *CHANGE* that in about 5 seconds and send whatever they want. All your prices, all your shipping costs, all the weights, etc had better be in your PHP source code, as arrays, I guess... You'd really be better off just using a database with an existing cart. The amount of code you'll have to write to do this correctly is insane. They have three products (it may rise to 5) and everything will be hardcoded as there are no size or color variations. I told them that it's not advisable to have everything hardcoded but the client insists there is no reason to pull anything from a database. The on-site graphics/web designer person will make the changes. He is competent to do that and did a good job with the basic design. But you CANNOT put your prices in type="hidden" fields!!! That's EXACTLY how you get a shopping cart where the user changes the price! This is not my very first foray into PHP but first time doing something more complicated than 1. if person has this permission then show A else show B or 2. if person is on page 1 then show page 1 as bold else show page 1 as normal -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
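As an added example (not the poster's code, nor Richard's), the cart shape Richard describes for a handful of hardcoded products: prices, weights and shipping tiers live only in the PHP source, and the only values read from the browser are product_id and quantity. The catalog, the shipping figures and the sample request are all constructed; in a real page $cart would be $_SESSION['cart'].

```php
<?php
// Added example, not from the thread. Everything that has to be correct is
// server-side data; the form may carry whatever hidden fields it likes,
// none of them are consulted.

$CATALOG = array(   // constructed products: id => price in cents, weight in grams
    'widget-a' => array('name' => 'Widget A', 'price_cents' => 1995, 'weight_g' => 250),
    'widget-b' => array('name' => 'Widget B', 'price_cents' => 3450, 'weight_g' => 600),
    'widget-c' => array('name' => 'Widget C', 'price_cents' => 1200, 'weight_g' => 120),
);

/** Flat shipping tiers by total weight; constructed figures. */
function shipping_cents($weight_g)
{
    if ($weight_g <= 500) {
        return 495;
    }
    if ($weight_g <= 2000) {
        return 895;
    }
    return 1495;
}

/**
 * Apply one add-to-cart request. Only product_id and quantity are read;
 * a price, total or weight field in the request is never looked at.
 * Returns an error string, or null on success.
 */
function cart_add(array &$cart, array $catalog, array $request)
{
    $pid = isset($request['product_id']) ? $request['product_id'] : '';
    if (!is_string($pid) || !isset($catalog[$pid])) {
        return 'unknown product';
    }
    $qty = isset($request['quantity']) ? $request['quantity'] : '';
    if (!is_string($qty) || !preg_match('/^[0-9]{1,3}$/', $qty) || (int) $qty < 1) {
        return 'quantity must be 1-999';
    }
    $cart[$pid] = (isset($cart[$pid]) ? $cart[$pid] : 0) + (int) $qty;
    return null;
}

/**
 * Recompute every amount from the catalog. The cart holds nothing but
 * product ids and counts, so there is no stored price to tamper with.
 */
function cart_totals(array $cart, array $catalog)
{
    $items = 0;
    $weight = 0;
    foreach ($cart as $pid => $qty) {
        $items  += $catalog[$pid]['price_cents'] * $qty;
        $weight += $catalog[$pid]['weight_g'] * $qty;
    }
    $ship = shipping_cents($weight);
    return array(
        'items_cents'    => $items,
        'shipping_cents' => $ship,
        'total_cents'    => $items + $ship,
    );
}

// Constructed request: the extra "price" field is present and simply ignored.
$request = array('product_id' => 'widget-b', 'quantity' => '2', 'price' => '0.01');
$cart = array();
$err = cart_add($cart, $CATALOG, $request);
if ($err !== null) {
    echo "rejected: $err\n";
}
print_r(cart_totals($cart, $CATALOG));
```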
Re: [PHP] Re: Same sessions / different domains
On Sat, May 14, 2005 4:45 am, mbneto said: They are in the same machine. My major concern is with security and the ability to make sure if a user logs in, or adds something to a shopping cart in one domain it will be available to the other domain. Can I call setCookie twice with the same variable name but different domain? I could set the sessionid and call session_start with the propagated id when/if a user crosses from one domain to another. No, you can't call setcookie with a domain name AT ALL. If you could, what would stop you from setting Cookies for *my* site? Or msn.com? Or Sothebys.com? Then you could just take all their customers' money, and not need to worry about your own shopping cart. If you want to transfer Cookies from two domains you control, it's up to you to do that with your own hack. It would make a lot more sense to just put all the shopping on one domain, or have different carts for two domains. It's more than a little odd to have the same cart on two sites from a user perspective... Something that's likely to confuse customers, and make them think your site is insecure if you can't even keep your shopping cart confined to one site. -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Foreigners preferred
Read for yourself: http://www.npd.de/npd_info/deutschland/2005/d0305-14.html Now we also know how drugs, weapons and mobile phones end up in the hands of prison inmates! -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: [thelist] SEO
On Sat, May 14, 2005 12:25 am, [EMAIL PROTECTED] said: For example: mysite/sweaters/ (I think) is better than: mysite/index.php?section=1&content=23&style=5. It's more usable I guess. What handles that though? I'm finding it hard to organise the back end of that in my head. I don't think there's any way around that ending up looking for an index file in the sweaters directory. So then you're ending up with lots of index files. Maybe they could redirect to the one program that That's where you are wrong. :-) 'sweaters' isn't a directory. It's not even a file. It's a URL. The file that *handles* that URL is index.php You do NOT have a one-to-one mapping from URL to file, nor even from what looks like a directory to a URL. Consider these pages: http://uncommonground.com/artist_profile/Ellen+Rosner http://uncommonground.com/artist_profile/gray http://uncommonground.com/artist_profile/TRAIN http://uncommonground.com/artist_profile/David+Gray You don't think I built 2000 of those things, do you? artist_profile is the PHP script. It tears apart $_SERVER['PATH_INFO'] and figures out which artist you want, or gives you a list to choose from if more than one matches. Another most excellent example of this kind of thing can be found all over: http://cdbaby.com/ Every URL you surf to there is really a PHP script. I dunno which ones he's got in actual directories, and which ones are actually PHP scripts, but I don't care. I can remember the URL, which is all I, as the user, care about. -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
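As an added example (not Richard's actual artist_profile script), one PHP file serving /artist_profile/<name> by taking apart $_SERVER['PATH_INFO'] the way he describes: a single match gives a profile, several give a list to choose from. The artist list is constructed sample data, '+' in the path is treated as a space to mirror the URLs quoted above, and the path is used only as a lookup key, never as a file name.

```php
<?php
// Added example, not from the thread. Apache fills PATH_INFO with the part
// of the URL after the script name; when run from the command line a
// constructed path is used instead.

$ARTISTS = array('Ellen Rosner', 'David Gray', 'Gray Matter', 'Night Train');

/**
 * Resolve the path to one artist ('profile'), several ('list') or an
 * 'error'. The segment is whitelisted before it is matched against anything.
 */
function resolve_artist($path_info, array $artists)
{
    // Exactly one non-empty segment is allowed: /artist_profile/<name>
    $segments = array_values(array_filter(explode('/', (string) $path_info), 'strlen'));
    if (count($segments) === 0) {
        return array('status' => 'list', 'artists' => $artists);
    }
    if (count($segments) !== 1) {
        return array('status' => 'error', 'message' => 'bad path');
    }
    $query = str_replace('+', ' ', $segments[0]);
    // Only letters, digits, space, dot, apostrophe and hyphen; reject the rest.
    if (!preg_match("/^[A-Za-z0-9 .'-]{1,64}$/", $query)) {
        return array('status' => 'error', 'message' => 'bad name');
    }
    $matches = array();
    foreach ($artists as $a) {
        if (stripos($a, $query) !== false) {   // case-insensitive substring, so 'gray' and 'TRAIN' work
            $matches[] = $a;
        }
    }
    if (count($matches) === 1) {
        return array('status' => 'profile', 'artist' => $matches[0]);
    }
    if (count($matches) === 0) {
        return array('status' => 'error', 'message' => 'no such artist');
    }
    return array('status' => 'list', 'artists' => $matches);
}

$path = isset($_SERVER['PATH_INFO']) ? $_SERVER['PATH_INFO'] : '/gray';   // constructed fallback
$result = resolve_artist($path, $ARTISTS);
switch ($result['status']) {
    case 'profile':
        echo 'Profile: ', htmlspecialchars($result['artist'], ENT_QUOTES, 'UTF-8'), "\n";
        break;
    case 'list':
        foreach ($result['artists'] as $a) {
            // Names passed the whitelist above, so '+' for space is the only encoding needed.
            echo '/artist_profile/', str_replace(' ', '+', $a), "\n";
        }
        break;
    default:
        header('HTTP/1.0 404 Not Found');
        echo htmlspecialchars($result['message'], ENT_QUOTES, 'UTF-8'), "\n";
}
```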