php-general Digest 7 Feb 2006 16:33:20 -0000 Issue 3950

2006-02-07 Thread php-general-digest-help

Topics (messages 230024 through 230048):

Re: Is this the most effient to do with php an mysql?
230024 by: Ligaya Turmelle
230026 by: Peter Lauri
230027 by: Oliver Grätz
230028 by: Peter Lauri

Re: Making Php Libraries
230025 by: Oliver Grätz
230030 by: Christopher Taylor

Re: Window close.
230029 by: Oliver Grätz
230033 by: Labunski
230035 by: Barry
230041 by: Miles Thompson

setting Headers using htmlMimeMail class?
230031 by: Angelo Zanetti
230032 by: Angelo Zanetti
230043 by: Richard Heyes
230044 by: Angelo Zanetti

Re: APD generates no output
230034 by: Jochem Maas
230042 by: Gustavo Narea

How to user curl_setopt?
230036 by: lhb
230038 by: James Benson

Re: mail problem
230037 by: Angelo Zanetti

Re: Get recursive array
230039 by: Jochem Maas

Re: Recompile PHP on pre-installed system
230040 by: Jochem Maas
230047 by: Marcus Bointon

The Big Date and Time Debacle
230045 by: Stephen Martindale
230046 by: Christopher Taylor
230048 by: Dan Baker

Administrivia:

To subscribe to the digest, e-mail:
[EMAIL PROTECTED]

To unsubscribe from the digest, e-mail:
[EMAIL PROTECTED]

To post to the list, e-mail:
php-general@lists.php.net


--
---BeginMessage---

using mysql is better than using php.
SELECT y_id, year FROM Year WHERE year <= YEAR(CURDATE())
ORDER BY year DESC;

Paul Goepfert wrote:

Hi all,

I have a table of years going from 1985 - 2008.  These years represent
the purchase year.  I have created a SQL statement that selects the
years that are available for purchase years.  For example 2006 -1985. 
Here is the SQL statement I created to produce that output.



SELECT y_id, year FROM Year WHERE year <= extract(year from now())
ORDER BY year desc;

Is there a more efficient way to do this using more PHP and less mysql?

Thanks

Paul



--

life is a game... so have fun.
---End Message---
---BeginMessage---
Paul,

In your purchase table, do you have the exact date when the equipment was
purchased? If that is the case, then you do not need the additional year
table; your original table already contains that information.

/Peter


-Original Message-
From: Paul Goepfert [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 07, 2006 10:45 AM
To: Peter Lauri
Cc: php-general@lists.php.net
Subject: Re: [PHP] Is this the most effient to do with php an mysql?

I am using this table to find out what year the person purchased their
equipment

On 2/6/06, Peter Lauri [EMAIL PROTECTED] wrote:
 I do not know if it is more efficient, but you can do this:

 $year = date("Y");
 $Query = sprintf("SELECT y_id, year FROM Year WHERE year <= %s ORDER BY year DESC;", $year);
 $Result = mysql_query($Query);

 May I ask you what you are using this table for?

 /Peter

 -Original Message-
 From: Paul Goepfert [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, February 07, 2006 7:55 AM
 To: php-general@lists.php.net
 Subject: [PHP] Is this the most effient to do with php an mysql?

 Hi all,

 I have a table of years going from 1985 - 2008.  These years represent
 the purchase year.  I have created a SQL statement that selects the
 years that are available for purchase years.  For example 2006 -1985.
 Here is the SQL statement I created to produce that output.


 SELECT y_id, year FROM Year WHERE year <= extract(year from now())
 ORDER BY year desc;

 Is there a more efficient way to do this using more PHP and less mysql?

 Thanks

 Paul

 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
---End Message---
---BeginMessage---
Paul Goepfert schrieb:
 Is there a more efficient way to do this using more PHP and less mysql?

Anything that helps you inside SQL to get your solution done in just one
statement should be faster than doing two queries with some PHP code
in between, for reasonably complicated tasks. This is because the time
overheads for using the connection and the socket overhead are bigger
than the time gained by doing the intermediate calculation a bit better
with PHP.

So, if your SQL looks somehow similar to what you would do on the PHP
side: Keep it that way!

OLLi
---End Message---
---BeginMessage---
And mysql is probably the fastest way. BUT use microtime and clock your
scripts to find out which one is faster.

-Original Message-
From: Paul Goepfert [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 07, 2006 10:45 AM
To: Peter Lauri
Cc: php-general@lists.php.net
Subject: Re: [PHP] Is this the most effient to do with php an mysql?

I am using this table to find out what year the person purchased their
equipment

On 

php-general Digest 8 Feb 2006 06:26:31 -0000 Issue 3951

2006-02-07 Thread php-general-digest-help

Topics (messages 230049 through 230065):

PHP Application Vuln. Testing
230049 by: Jason Gerfen
230050 by: Richard Davey
230051 by: Jason Gerfen
230053 by: John Nichel
230059 by: Matt Stone
230061 by: Ligaya Turmelle

Re: Window close.
230052 by: Jason Petersen

str_replace ? \r
230054 by: Sam Smith
230055 by: Jay Paulson
230060 by: Curt Zirzow
230064 by: Matty Sarro

echo date(l);
230056 by: Khristian Hamilton-Bailey
230057 by: John Nichel
230058 by: Stut

image location hiding techniques
230062 by: hbeaumont hbeaumont

Re: How to user curl_setopt?
230063 by: Hybau Leu

which version fixes bug 29922
230065 by: Daniel Bondurant

Administrivia:

To subscribe to the digest, e-mail:
[EMAIL PROTECTED]

To unsubscribe from the digest, e-mail:
[EMAIL PROTECTED]

To post to the list, e-mail:
php-general@lists.php.net


--
---BeginMessage---
I have a question which as of yet I am unable to find any information 
about from googling.  Let's say you have just written a fairly robust 
PHP/MySQL application and would like to put it on your production server.


For reasons of clarification let's say this application handles sensitive 
customer data including credit information, so it is imperative that the 
data remain secure and during the development process at every turn you 
went to great lengths to filter data on forms, URLs, file uploads etc.


Is there any product available, commercial or free which performs source 
code auditing which *specifically* searches PHP code for SQL, XSS type of 
attacks or vulnerabilities?  TIA.


--
Jason Gerfen

the life you live ignoring who, ignoring who you're giving money to.
and you, you support the corrupt industries and companies who dont think to 
care.
guilty...guilty...guilty by ignorance.
no feeling... no substance... killing... you're killing through your ignorance.
~ Snapcase
---End Message---
---BeginMessage---

On 7 Feb 2006, at 16:54, Jason Gerfen wrote:

Is there any product available, commercial or free which performs  
source code auditing which *specifically* searches PHP code for SQL,  
XSS type of attacks or vulnerabilities?  TIA.


No. But there are people who can perform the service for you  
(Brainbulb, Hardened PHP, etc)


Cheers,

Rich
--
http://www.corephp.co.uk
Zend Certified Engineer
PHP Development Services
---End Message---
---BeginMessage---

Richard Davey wrote:


On 7 Feb 2006, at 16:54, Jason Gerfen wrote:

Is there any product available, commercial or free which performs  
source code auditing which *specifically* searches PHP code for SQL,  
XSS type of attacks or vulnerabilities?  TIA.



No. But there are people who can perform the service for you  
(Brainbulb, Hardened PHP, etc)


Cheers,

Rich
--
http://www.corephp.co.uk
Zend Certified Engineer
PHP Development Services

Hmm, I found one but it seems it is still in beta.  
http://www.codescan.com/product.html


I have done some of my own auditing but the application I have been 
working on is nothing but form after form.  At each point the form is 
submitted I do sanity checks on the data to ensure that 1) it is being 
submitted from a page on the server, 2) that it doesn't contain 
script|object|embed type of code or SQL syntax, and 3) that the 
submitted data is of the specified length.


Can anyone on this list perhaps engage this conversation?  I am bringing 
up this topic, not just for the application I am working on but for the 
information to be spread to other developers.  Any code examples, tips, 
resources etc., is appreciated.


--
Jason Gerfen

the life you live ignoring who, ignoring who you're giving money to.
and you, you support the corrupt industries and companies who dont think to 
care.
guilty...guilty...guilty by ignorance.
no feeling... no substance... killing... you're killing through your ignorance.
~ Snapcase
---End Message---
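An editor's added example, not code from this thread. The three checks Jason describes (a Referer check, a blacklist of script/object/embed strings and SQL syntax, and a length check) all look for what an attacker might send, which is the pattern a source auditor flags first. The handler below instead validates each field against what it may legitimately contain, hands values to the database as bound parameters, HTML-encodes them at the point of output, and replaces the Referer check with a per-session form token. It runs stand-alone on an in-memory SQLite table; the `customers` table, the field names and the sample inputs are constructed for the example, and a MySQL PDO DSN works the same way. Needs PHP 7.1 or later.

```php
<?php
// Added example (not code from the thread). Replaces the three checks
// described above (Referer, keyword blacklist, length check) with whitelist
// validation, bound parameters and output encoding. Runs on an in-memory
// SQLite table so it works stand-alone; a MySQL PDO DSN behaves the same.

// 1) Validate each field against what it may legitimately contain, not
//    against strings an attacker might send. Letters, spaces, apostrophes
//    and hyphens, 1..100 characters; "O'Brien" is valid input here.
function validate_name(string $raw): ?string
{
    return preg_match('/^[\p{L} \'-]{1,100}$/u', $raw) === 1 ? $raw : null;
}

function validate_last4(string $raw): ?string
{
    return preg_match('/^[0-9]{4}$/', $raw) === 1 ? $raw : null;
}

// 2) Hand values to the database as bound parameters. The apostrophe in
//    "O'Brien" never reaches the SQL parser as syntax, so there is nothing
//    to escape and no "SQL syntax" filter to maintain.
function insert_customer(PDO $db, string $name, string $last4): int
{
    $stmt = $db->prepare('INSERT INTO customers (name, card_last4) VALUES (?, ?)');
    $stmt->execute([$name, $last4]);
    return $stmt->rowCount();
}

// 3) Encode at output, for the context the value lands in. Rows are stored
//    raw; HTML encoding happens once, here, so the same row can also go out
//    as JSON or CSV without double escaping.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 4) "Submitted from a page on this server" cannot be proven from the
//    Referer header, which the client chooses to send or not. A random
//    per-session token embedded in the form can be checked instead. The
//    session array is passed in explicitly so the functions are testable.
function csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function csrf_ok(array $session, ?string $submitted): bool
{
    return $submitted !== null && isset($session['csrf'])
        && hash_equals($session['csrf'], $submitted);
}

// ---- stand-alone demonstration with constructed inputs ----
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customers (name TEXT, card_last4 TEXT)');

$session = [];
$token   = csrf_token($session);
printf("form token accepted: %s; forged token rejected: %s\n",
    csrf_ok($session, $token) ? 'yes' : 'no',
    csrf_ok($session, 'not-the-token') ? 'no' : 'yes');

$last4   = validate_last4('4242') ?? '0000';
$samples = [
    "O'Brien",                            // legitimate, contains a quote
    "Robert'); DROP TABLE customers;--",  // fails the whitelist
    '<script>alert(1)</script>',          // fails the whitelist
];
foreach ($samples as $raw) {
    $name = validate_name($raw);
    if ($name === null) {
        printf("%-36s rejected\n", $raw);
        continue;
    }
    insert_customer($db, $name, $last4);
    printf("%-36s stored; rendered in HTML as %s\n", $raw, html($name));
}
echo 'rows stored: ' . $db->query('SELECT COUNT(*) FROM customers')->fetchColumn() . "\n";
```

The order matters: validation rejects what the field cannot legitimately be, the bound parameter makes whatever passes harmless to the database, and encoding makes it harmless to the browser. None of the three needs to know what an attack string looks like, which is why a scanner has far less to find in this shape of code.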
---BeginMessage---

Jason Gerfen wrote:
I have a question which as of yet I am unable to find any information 
about from googling.  Let's say you have just written a fairly robust 
PHP/MySQL application and would like to put it on your production server.


For reasons of clarification let's say this application handles sensitive 
customer data including credit information, so it is imperative that the 
data remain secure and during the development process at every turn you 
went to great lengths to filter data on forms, URLs, file uploads etc.


Is there any product available, commercial or free which performs source 
code auditing which *specifically* searches PHP code for SQL, XSS type of 
attacks or vulnerabilities?  TIA.




Product, I don't know.  But talk to Chris Shiflett on this list.  I 
*think* his company performs this service.



Re: [PHP] APD generates no output

2006-02-07 Thread Jochem Maas

Gustavo Narea wrote:

Hello everybody.

I'm trying to use the Advanced PHP Debugger (APD), but it generates no 
output. Actually, It does generate a file, but with no content.


What's going on?

1.- I installed the APD by running `pear install APD` with no problem.
2.- Set up my php.ini file the same way as described in 
http://php.net/apd.

3.- Restarted my web server.
4.- Called the apd_set_pprof_trace() function at the first line of my 
script.
5.- Loaded the web page. I have error_reporting set to E_ALL and 
display_errors is enabled, but... PHP doesn't output errors, does it 
mean that everything was OK?


you would think that wouldn't you! but there is a possibility that
php is crashing and leaving no trace of the event - I have seen it happen
a lot (I get the impression what I witnessed is related to the use of
__get()/__set() in php5 objects)


6.- When I open the file generated by APD, I realize it's empty.
7.- Anyway, I run `pprofp -R pprof.number.0`, but there's no output 
(not even an error message).


I was using PHP v5.0.4 and APD worked just fine, but I had to downgrade 
to PHP v5.0.3 and now I have this problem. In both versions of PHP I was 
using APD v1.0.1.


The fact that I had downgraded to v5.0.3 has nothing to do with this 
problem (IMO), as I deleted all of the files in the previous PHP 
directory prior to installing PHP 5.0.3.


just because you have a pristine installation of php5.0.3 doesn't
necessarily mean that:

a, it's not broken.
b, APD actually works with that version.



TIA!

Cheers.


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] Re: Window close.

2006-02-07 Thread Barry

Oliver Grätz wrote:

Just for the laugh: You could send a redirection to a page that causes
the browser to crash ;-) No client side scripting involved *g*.

OLLi

Or fill up the buffer till browser crashes ^_^

--
Smileys rule (cX.x)C --o(^_^o)
Dance for me! ^(^_^)o (o^_^)o o(^_^)^ o(^_^o)

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] How to user curl_setopt?

2006-02-07 Thread lhb
Hello,

Now I need to use curl to connect to a secure website,
I have three certificates files, two .cer files and one .pfx file.
After I import the certificates into IE browser, the visit is OK.
However, when I use curl_setopt to configure the certificates, it failed.
Can anybody help me?
Thanks.

The code is below:
<?php
$ch = curl_init();

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSLCERT,'G:\test\ssl\mes1.cer');
curl_setopt($ch, CURLOPT_SSLCERT,'G:\test\ssl\mes2.cer');
curl_setopt($ch, CURLOPT_SSLKEY, 'G:\test\ssl\.pfx');
curl_setopt($ch, CURLOPT_SSLKEYPASSWD,'password');
curl_setopt($ch, CURLOPT_URL, $host.$uri);

curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch,CURLOPT_HEADER,1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);

$returned = curl_exec($ch);

echo $returned;
?>

lhb

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] mail problem

2006-02-07 Thread Angelo Zanetti


Chris wrote:


check your SMTP settings in the PHP.ini file.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] Re: How to user curl_setopt?

2006-02-07 Thread James Benson

should it not be:-
 G:\\test\ssl\mes1.cer'

notice how I changed the path to reflect a proper windows drive path!


James





lhb wrote:

Hello,

Now I need to use curl to connect to a secure website,
I have three certificates files, two .cer files and one .pfx file.
After I import the certificates into IE browser, the visit is OK.
However, when I use curl_setopt to configure the certificates, it failed.
Can anybody help me?
Thanks.

The code is below:
<?php
$ch = curl_init();

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSLCERT,'G:\test\ssl\mes1.cer');
curl_setopt($ch, CURLOPT_SSLCERT,'G:\test\ssl\mes2.cer');
curl_setopt($ch, CURLOPT_SSLKEY, 'G:\test\ssl\.pfx');
curl_setopt($ch, CURLOPT_SSLKEYPASSWD,'password');
curl_setopt($ch, CURLOPT_URL, $host.$uri);

curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch,CURLOPT_HEADER,1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);

$returned = curl_exec($ch);

echo $returned;
?>

lhb


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Re: Get recursive array

2006-02-07 Thread Jochem Maas

Bruno B B Magalhães wrote:

Hi Jochem,

well, thanks for the code... it's working perfectly, but it seems a  
little bit slow as it's using while... doesn't it?


slow as compared to what? - it's a very basic loop.
maybe a foreach loop would run quicker but unless you were calling
this method 10,000s of times per request I doubt you'd see any difference.

I don't actually know which would be theoretically faster anyway.



Now, abusing you a little further, how can I unset a variable the same recursive  way? 
:D Maybe like this?


not to seem rude - but have you bothered to try it out?
looks like it should work btw.




/***
 * @function_name get_var
 * @function_type Method
 * @function_input None
 * @function_description None
 ***/

function get_var()
{
    $arguments = func_get_args();

    if (empty($arguments))
    {
        return null;
    }

    $reference = $this->vars;

    while ($argument = array_shift($arguments))
    {
        if (!isset($reference[$argument]))
        {
            return null;
        }
        else
        {
            $reference = $reference[$argument];
        }
    }

    unset($reference);
}


And I didn't double post, I had to subscribe... and I didn't know  if 
my message had been sent or not.


righto - no big deal either way :-) it might get annoying if you double posted
all day every day though ;-)



Thanks,
Bruno B B Magalhaes



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
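An added example, not the class from the thread. The loop in get_var() above walks a copy of $this->vars, which is fine for reading, but the closing unset($reference) then only discards that local copy and the stored value is untouched. To remove a nested key the walk has to hold a reference at every step. The class below is assumed (the thread shows only the one method); it also uses foreach rather than while(array_shift()), which would stop early at a key of 0 or an empty string. Needs PHP 7.0 or later.

```php
<?php
// Added example, not Bruno's class. Shows the by-reference walk that a
// recursive unset needs, next to the by-value walk that a recursive get
// can use. The class shape is assumed; only get_var() appears in the thread.
class VarStore
{
    private $vars = [];

    // set_var('a', 'b', 'c', $value): create intermediate arrays as needed.
    public function set_var(...$args): void
    {
        $value = array_pop($args);
        $ref = &$this->vars;               // reference, so writes land in $this->vars
        foreach ($args as $k) {
            if (!isset($ref[$k]) || !is_array($ref[$k])) {
                $ref[$k] = [];
            }
            $ref = &$ref[$k];
        }
        $ref = $value;
    }

    // get_var('a', 'b', 'c'): a copy is fine here, nothing is modified.
    public function get_var(...$args)
    {
        $ref = $this->vars;
        foreach ($args as $k) {
            if (!is_array($ref) || !array_key_exists($k, $ref)) {
                return null;
            }
            $ref = $ref[$k];
        }
        return $ref;
    }

    // unset_var('a', 'b', 'c'): walk by reference to the parent of the last
    // key, then unset that key on the real array. Returns false if the path
    // did not exist.
    public function unset_var(...$args): bool
    {
        if ($args === []) {
            return false;
        }
        $last = array_pop($args);
        $ref = &$this->vars;
        foreach ($args as $k) {
            if (!isset($ref[$k]) || !is_array($ref[$k])) {
                return false;
            }
            $ref = &$ref[$k];
        }
        if (!is_array($ref) || !array_key_exists($last, $ref)) {
            return false;
        }
        unset($ref[$last]);               // removes the element from $this->vars
        return true;
    }
}

// Constructed usage.
$s = new VarStore();
$s->set_var('db', 'cred', 'user', 'app');
$s->set_var('db', 'cred', 'pass', 's3cret');
$s->set_var(0, 'zero-key', 'kept');       // a key the while(array_shift()) loop would skip

var_dump($s->get_var('db', 'cred', 'pass'));
var_dump($s->unset_var('db', 'cred', 'pass'));
var_dump($s->get_var('db', 'cred', 'pass'));
var_dump($s->get_var('db', 'cred'));
var_dump($s->get_var(0, 'zero-key'));
var_dump($s->unset_var('db', 'nope', 'pass'));
```

The difference is the single `&` in `$ref = &$ref[$k]`: without it each assignment copies the sub-array, and `unset()` at the end of the walk releases that copy rather than the element in `$this->vars`.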



Re: [PHP] Recompile PHP on pre-installed system

2006-02-07 Thread Jochem Maas

Justin Cook wrote:
Before I came to my company, they created a Redhat server for our web server. Of course they let the redhat installer install PHP. It all works great but now I need to compile a module into php. Is this possible to do without causing havoc? Basically we really can't have more downtime than it would take to stop and start Apache. 


Would the best solution be to download the php source, compile it into the 
directory it is installed into now, but only compile with the new module or 
will I need to compile it using the --with-apxs and all of the other modules 
that it is already compiled with? I would rather not have to recompile with all 
of the options that it is compiled with now.


I don't like redhat - I would take the time to build it manually (avoids redhat
from updating your php install)

steps to take:

1. download source
2. compile (with all req. modules)
3. do a 'make test'
4. install
5. edit/check the relevant conf files.
6. restart apache

in theory you're done, in practice something might bite you in the ass ...
oh and then there is the issue of making sure that the redhat package manager
really won't overwrite your handbuilt php install (cannot for the life of me
remember what you have to do to make redhat ignore the php install).



Thanks for you help!


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Window close.

2006-02-07 Thread Miles Thompson

At 03:42 AM 2/7/2006, Labunski wrote:


It can'tbe done with PHP, cause it must be client side script, aka
Javascript:

javascript: window.close();

--


Actually, expand it a little bit, and you avoid the JS Alert.

function close_opener(){
    parentwin = window.self;        // Make handle for current window named parentwin
    parentwin.opener = window.self; // Tell current window that it opened itself
    parentwin.close();              // Close window's parent (e.g. the current window)
}

Can't take credit for it, had a similar problem years ago when I had to pop 
a window up to establish a session and immediately destroy it. And that was 
because I could not set a session from within Flash, nor access a session 
from Flash.


Regards - Miles Thompson


--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.1.375 / Virus Database: 267.15.2/252 - Release Date: 2/6/2006

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] APD generates no output

2006-02-07 Thread Gustavo Narea

Hello, Jochem.

Thanks for your response.

I just filed a bug report because I realized there are many bugs like 
the one I have, especially with PHP v5.0.3.


Cheers!

Jochem Maas wrote:

Gustavo Narea wrote:

Hello everybody.

I'm trying to use the Advanced PHP Debugger (APD), but it generates no 
output. Actually, It does generate a file, but with no content.


What's going on?

1.- I installed the APD by running `pear install APD` with no problem.
2.- Set up my php.ini file the same way as described in 
http://php.net/apd.

3.- Restarted my web server.
4.- Called the apd_set_pprof_trace() function at the first line of my 
script.
5.- Loaded the web page. I have error_reporting set to E_ALL and 
display_errors is enabled, but... PHP doesn't output errors, does it 
mean that everything was OK?


you would think that wouldn't you! but there is a possibility that
php is crashing and leaving no trace of the event - I have seen it happen
a lot (I get the impression what I witnessed is related to the use of
__get()/__set() in php5 objects)


6.- When I open the file generated by APD, I realize it's empty.
7.- Anyway, I run `pprofp -R pprof.number.0`, but there's no output 
(not even an error message).


I was using PHP v5.0.4 and APD worked just fine, but I had to 
downgrade to PHP v5.0.3 and now I have this problem. In both versions 
of PHP I was using APD v1.0.1.


The fact that I had downgraded to v5.0.3 has nothing to do with this 
problem (IMO), as I deleted all of the files in the previous PHP 
directory prior to installing PHP 5.0.3.


just because you have a pristine installation of php5.0.3 doesn't
necessarily mean that:

a, it's not broken.
b, APD actually works with that version.



TIA!

Cheers.


--
Gustavo Narea.
PHP Documentation - Spanish Translation Team.
Valencia, Venezuela.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] setting Headers using htmlMimeMail class?

2006-02-07 Thread Richard Heyes

Angelo Zanetti wrote:

Ok I take it, it will be something like this:

 $mail = new htmlMimeMail();
$mail->setHeader("Return-Path", $proxy_from);
$mail->setHeader("Reply-To", $proxy_from);

??


Correct.

--
Richard Heyes

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] setting Headers using htmlMimeMail class?

2006-02-07 Thread Angelo Zanetti


Richard Heyes wrote:

Angelo Zanetti wrote:


Ok I take it, it will be something like this:

 $mail = new htmlMimeMail();
$mail->setHeader("Return-Path", $proxy_from);
$mail->setHeader("Reply-To", $proxy_from);

??



Correct.


yip it worked thanks!!

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
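An added example, not from the thread. setHeader() writes its value straight into the message header block, so if $proxy_from comes from a form field and contains a carriage return or line feed, the sender can append headers of their own: extra Bcc: recipients, a replacement Subject:, or a blank line followed by a second body. Validating before the calls shown above closes that. htmlMimeMail and setHeader() are as used in the thread; the helper functions and the sample inputs are constructed for the example.

```php
<?php
// Added example (not from the thread). Reject header values that could
// terminate the header line before they reach htmlMimeMail::setHeader().

// Any header: no CR, LF or NUL. RFC 5322 separates header fields with CRLF,
// so a value containing one becomes a new field when written out.
function header_value_or_fail(string $value, string $header): string
{
    if (preg_match('/[\r\n\0]/', $value) === 1) {
        throw new InvalidArgumentException("CR/LF/NUL not allowed in $header header");
    }
    return $value;
}

// Address headers (Return-Path, Reply-To): additionally require a bare,
// well-formed address. Display-name forms such as "Bob <bob@example.org>"
// are rejected on purpose; nothing here needs them.
function address_or_fail(string $addr, string $header): string
{
    header_value_or_fail($addr, $header);
    if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException("invalid address in $header header");
    }
    return $addr;
}

// Constructed inputs: one legitimate, one carrying an injected Bcc header,
// one that is simply not an address.
$inputs = [
    'bob@example.org',
    "bob@example.org\r\nBcc: victim1@example.net, victim2@example.net",
    'bob at example dot org',
];

foreach ($inputs as $proxy_from) {
    try {
        $from = address_or_fail($proxy_from, 'Reply-To');
        // Only now is it safe to do what the thread does:
        //   $mail = new htmlMimeMail();
        //   $mail->setHeader('Return-Path', $from);
        //   $mail->setHeader('Reply-To', $from);
        echo 'accepted: ', $from, "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

FILTER_VALIDATE_EMAIL would reject the CRLF case on its own, but the explicit check comes first so the same rule can guard free-text headers such as Subject: where the address filter does not apply.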



[PHP] The Big Date and Time Debacle

2006-02-07 Thread Stephen Martindale
I am having great difficulty understanding dates and times with PHP and 
MySql.


As far as I understand them, the PHP date and time construct is timezone 
and DST aware, but MySql's DATETIME and TIMESTAMP fields are not. I 
believe that this is where my confusion originates from.


After searching the web and the docs for hours, I have not managed to 
find an article that explains how this system works and what the best 
practices are for an application that may be used in many timezones, 
some with DST and some without.


Please point me in the direction of a good source on this subject. I am 
new to PHP, coming from a several-year-long period of C++ and, recently, 
ASP.NET. (Ok, I admit it, I only started using PHP a week ago!)


BTW: I've loved every minute of it! PHP Rocks!

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] The Big Date and Time Debacle

2006-02-07 Thread Christopher Taylor

Stephen Martindale wrote:
I am having great difficulty understanding dates and times with PHP and 
MySql.


As far as I understand them, the PHP date and time construct is timezone 
and DST aware, but MySql's DATETIME and TIMESTAMP fields are not. I 
believe that this is where my confusion originates from.


After searching the web and the docs for hours, I have not managed to 
find an article that explains how this system works and what the best 
practices are for an application that may be used in many timezones, 
some with DST and some without.


Please point me in the direction of a good source on this subject. I am 
new to PHP, coming from a several-year-long period of C++ and, recently, 
ASP.NET. (Ok, I admit it, I only started using PHP a week ago!)


BTW: I've loved every minute of it! PHP Rocks!



Stephen,

I don't know what is considered standard, but for the apps that I have 
worked on, including php and c++, timestamps are always stored in GMT 
and presented in the local timezone.  In the case of the database, the 
timestamp is GMT and another field is used to store the timezone offset. 
The timezone offset changes in regards to DST.  For example NYC is -5 
hours for part of the year and -4 hours for the rest.  Hope this helps.


Chris

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Recompile PHP on pre-installed system

2006-02-07 Thread Marcus Bointon

On 7 Feb 2006, at 11:13, Jochem Maas wrote:

in theory your done, in practice something might bite you in the  
ass ...
oh and then there is the issue of making sure that the redhat  
package manager really
won't overwrite your handbuilt php install (cannot for the life of  
me remember what you have

to do to make redhat ignore the php install).


This might be of help: http://www.ae.iitm.ac.in/pipermail/ilugc/2005- 
August/020152.html


You can edit those srpms to include whatever configure line switches  
you need.


I run RHEL4, and my own compile of PHP, set up outside of rpm. You  
only need to worry about rpm getting confused if you use it to  
install any packages that are dependent on php, e.g. squirrelmail.  
Essentially either do ALL of your PHP setup and install through rpm  
or none of it. I'm quite happy handling PHP myself, and conflicts are  
rare as php is rarely a dependency for apps installed through rpm.


Marcus
--
Marcus Bointon
Synchromedia Limited: Putting you in the picture
[EMAIL PROTECTED] | http://www.synchromedia.co.uk

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] Re: The Big Date and Time Debacle

2006-02-07 Thread Dan Baker
Stephen Martindale [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]
I am having great difficulty understanding dates and times with PHP and 
MySql.

 As far as I understand them, the PHP date and time construct is timezone 
 and DST aware, but MySql's DATETIME and TIMESTAMP fields are not. I 
 believe that this is where my confusion originates from.

 After searching the web and the docs for hours, I have not managed to find 
 an article that explains how this system works and what the best practices 
 are for an application that may be used in many timezones, some with DST 
 and some without.

 Please point me in the direction of a good source on this subject. I am 
 new to PHP, coming from a several-year-long period of C++ and, recently, 
 ASP.NET. (Ok, I admit it, I only started using PHP a week ago!)

I wrote a time class in PHP, and use it to manage all my dates and times. 
Basically, I use an INT to store the timestamp in the database, which is a 
simple timestamp (see PHP functions: time(), date(), strtotime(), mktime(), 
strftime()).

DanB

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
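An added example covering both suggestions in this thread (GMT in the row, either as a DATETIME or as a plain INT timestamp): keep one zone-less UTC value per row and convert to the viewer's zone only at render time. The tz database then supplies the DST offset for the instant being shown, so the per-row offset column Chris describes is not needed, and a row written in February renders correctly when viewed in July. The sample instants and zones are constructed; needs PHP 5.5 or later for DateTimeImmutable.

```php
<?php
// Added example (not from the thread). Keep one zone-less UTC value per row
// and convert to the viewer's zone only when rendering; the tz database
// supplies the DST offset, so no per-row offset column is needed.
date_default_timezone_set('UTC');   // make the process itself unambiguous

// Storage form: the unix timestamp for an INT column, or the UTC wall-clock
// string for a DATETIME column. Neither carries a zone; both are UTC by rule.
function to_storage(DateTimeImmutable $t): array
{
    $utc = $t->setTimezone(new DateTimeZone('UTC'));
    return ['unix' => $utc->getTimestamp(), 'datetime' => $utc->format('Y-m-d H:i:s')];
}

// Reading a DATETIME column back: say it is UTC explicitly, otherwise PHP
// interprets the string in the default zone.
function from_datetime_column(string $utcString): DateTimeImmutable
{
    return new DateTimeImmutable($utcString, new DateTimeZone('UTC'));
}

// Rendering: the same instant, formatted in the viewer's zone.
function render(int $unix, string $zone): string
{
    return (new DateTimeImmutable('@' . $unix))
        ->setTimezone(new DateTimeZone($zone))
        ->format('Y-m-d H:i T (P)');
}

// Constructed sample: a purchase entered in New York in February (EST) and
// one in July (EDT). Same code, different offset, nothing stored per row
// to say which applied.
$ny = new DateTimeZone('America/New_York');
foreach (['2006-02-07 16:54:00', '2006-07-07 16:54:00'] as $local) {
    $row = to_storage(new DateTimeImmutable($local, $ny));
    printf("stored DATETIME %s / INT %d\n", $row['datetime'], $row['unix']);

    $again = from_datetime_column($row['datetime'])->getTimestamp();
    printf("  DATETIME round trip gives the same instant: %s\n",
        $again === $row['unix'] ? 'yes' : 'no');

    foreach (['America/New_York', 'Europe/London', 'Asia/Kolkata'] as $zone) {
        printf("  %-18s %s\n", $zone, render($row['unix'], $zone));
    }
}
```

One MySQL caveat: a TIMESTAMP column, unlike DATETIME or INT, is converted to and from the session time_zone on every read and write, so run `SET time_zone = '+00:00'` on the connection if you use one; otherwise the value that comes out depends on which client wrote it.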



Re: [PHP] Window close.

2006-02-07 Thread Jason Petersen
On 2/7/06, Miles Thompson [EMAIL PROTECTED] wrote:


 Actually, expand it a little bit, and you avoid the JS Alert.

 function close_opener(){
  parentwin = window.self;   // Make handle for current
 window named parentwin
  parentwin.opener = window.self;// Tell current window that it
 opened itself
  parentwin.close(); // Close window's parent (e.g.
 the current window)
 }



Interesting, but this code seems to be exploiting a flaw in certain browsers
(Internet Explorer).  I believe the window.opener property is read-only in
Firefox and probably other browsers.  At the very least, I wouldn't rely on
this method.

Jason


Re: [PHP] PHP Application Vuln. Testing

2006-02-07 Thread John Nichel

Jason Gerfen wrote:
I have a question which as of yet I am unable to find any information 
about from googling.  Let's say you have just written a fairly robust 
PHP/MySQL application and would like to put it on your production server.


For reasons of clarification let's say this application handles sensitive 
customer data including credit information, so it is imperative that the 
data remain secure and during the development process at every turn you 
went to great lengths to filter data on forms, URLs, file uploads etc.


Is there any product available, commercial or free which performs source 
code auditing which *specifically* searches PHP code for SQL, XSS type of 
attacks or vulnerabilities?  TIA.




Product, I don't know.  But talk to Chris Shiflett on this list.  I 
*think* his company performs this service.


http://shiflett.org/

--
John C. Nichel IV
Programmer/System Admin (ÜberGeek)
Dot Com Holdings of Buffalo
716.856.9675
[EMAIL PROTECTED]

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] str_replace ? \r

2006-02-07 Thread Sam Smith

From a textarea on a web form I'm attempting to convert all returns (\r),
from the user's input, to <br />, for db INSERT, and then back again for
display in the textarea. (They remain as <br />s for normal HTML web page
display.)

code:
// From textarea to db UPDATE
function addBR($tv) {
    $tv = addslashes($tv);
    $tv = str_replace("\r", "<br />", $tv);
//  $tv = preg_replace("/(\r\n|\n|\r)/", "<br />", $tv);
//  $tv = preg_replace("/(\r\n|\n|\r)/", "", $tv);
    return $tv;
}

// For display in textarea
function remBR($tv) {
    $tv = str_replace("<br />", "\r", $tv);
    $tv = stripslashes($tv);
    return $tv;
}

IT ALL works fine except if a return is entered in the form's textarea at
the very beginning:

mysql> SELECT jbs_jobDesA FROM jobs WHERE jbs_ID=77 \G
*** 1. row ***
jbs_jobDesA: <br />[the return is still here]
Lesequam coreet la feum nulla feu facil iriure faccummolut ulput num augait
1 row in set (0.00 sec)

the return is converted to <br />\r (leaving the return). AND then when
converted back for the textarea both are stripped out, that is, there
is nothing in front of the first character. When resubmitted for UPDATE:

mysql> SELECT jbs_jobDesA FROM jobs WHERE jbs_ID=77 \G
*** 1. row ***
jbs_jobDesA: Lesequam coreet la feum nulla feu facil iriure faccummolut
ulput num augait 
1 row in set (0.00 sec)

Q. Why is that first return treated differently? All other returns are
treated as expected.

Thanks,
sam



Re: [PHP] str_replace ? \r

2006-02-07 Thread Jay Paulson
http://us3.php.net/manual/en/function.nl2br.php

Instead of using <br /> I would use <p></p> tags.  That's just me though. :)


On 2/7/06 12:38 PM, Sam Smith [EMAIL PROTECTED] wrote:

 
 From a textarea on a web form I'm attempting to convert all returns (\r),
 from the user's input, to <br />, for db INSERT, and then back again for
 display in the textarea. (They remain as <br />s for normal HTML web page
 display.)
 
 code:
 // From textarea to db UPDATE
 function addBR($tv) {
     $tv = addslashes($tv);
     $tv = str_replace("\r", "<br />", $tv);
     // $tv = preg_replace("/(\r\n|\n|\r)/", "<br />", $tv);
     // $tv = preg_replace("/(\r\n|\n|\r)/", "", $tv);
     return $tv;
 }
 
 // For display in textarea
 function remBR($tv) {
     $tv = str_replace("<br />", "\r", $tv);
     $tv = stripslashes($tv);
     return $tv;
 }
 
 IT ALL works fine except if a return is entered in the form's textarea at
 the very beginning:
 
 mysql> SELECT jbs_jobDesA FROM jobs WHERE jbs_ID=77 \G
 *** 1. row ***
 jbs_jobDesA: <br />[the return is still here]
 Lesequam coreet la feum nulla feu facil iriure faccummolut ulput num augait
 1 row in set (0.00 sec)
 
 The return is converted to <br />\r (leaving the return). AND then when
 converted back for the textarea both are stripped out, that is, there
 is nothing in front of the first character. When resubmitted for UPDATE:
 
 mysql> SELECT jbs_jobDesA FROM jobs WHERE jbs_ID=77 \G
 *** 1. row ***
 jbs_jobDesA: Lesequam coreet la feum nulla feu facil iriure faccummolut
 ulput num augait 
 1 row in set (0.00 sec)
 
 Q. Why is that first return treated differently? All other returns are
 treated as expected.
 
 Thanks,
 sam




[PHP] echo date(l);

2006-02-07 Thread Khristian Hamilton-Bailey
Hi,
 
I currently use the date function as follows:
<?php
$day = date("l");
?>
 
so I can then use this to call records from a database where today's day
matches that of a record, however I would also like to call records for
tomorrow, is there a way in which I could use the date function to add one
day so that as well as the above I could also use something like $tomorrow=
x
 
Many thanks for any help.
Khristian


Re: [PHP] echo date(l);

2006-02-07 Thread John Nichel

Khristian Hamilton-Bailey wrote:

Hi,
 
I currently use the date function as follows:

<?php
$day = date("l");
?>
 
so I can then use this to call records from a database where today's day

matches that of a record, however I would also like to call records for
tomorrow, is there a way in which I could use the date function to add one
day so that as well as the above I could also use something like $tomorrow=
x
 
Many thanks for any help.

Khristian



http://us3.php.net/date

Look at example 3

--
John C. Nichel IV
Programmer/System Admin (ÜberGeek)
Dot Com Holdings of Buffalo
716.856.9675
[EMAIL PROTECTED]




Re: [PHP] echo date(l);

2006-02-07 Thread Stut

John Nichel wrote:

Khristian Hamilton-Bailey wrote:

Hi,
 
I currently use the date function as follows:

<?php
$day = date("l");
?>
 
so I can then use this to call records from a database where today's day

matches that of a record, however I would also like to call records for
tomorrow, is there a way in which I could use the date function to add 
one
day so that as well as the above I could also use something like 
$tomorrow=

x
 
Many thanks for any help.

Khristian



http://us3.php.net/date

Look at example 3


While that would work surely it's more efficient to call date('l', 
strtotime('+1 day')), 1 date call and 1 strtotime call than to call date 
three times? It would need a test script to find out, but even if 
they're almost the same I find the strtotime solution easier to read.


-Stut




Re: [PHP] PHP Application Vuln. Testing

2006-02-07 Thread Matt Stone

- Original Message - 
From: Jason Gerfen [EMAIL PROTECTED]
To: PHP General (E-mail) php-general@lists.php.net
Sent: Tuesday, February 07, 2006 4:54 PM
Subject: [PHP] PHP Application Vuln. Testing



 Is there any product available, commercial or free which performs source
 code auditing which *specifically searches PHP code for SQL, XSS type of
 attacks or vulnerabilities?  TIA.

 http://www.parosproxy.org/index.shtml doesn't audit source code but if you
can dump your code on a test box you can test it from another machine.

Cheers
Matt




Re: [PHP] str_replace ? \r

2006-02-07 Thread Curt Zirzow
On Tue, Feb 07, 2006 at 10:38:37AM -0800, Sam Smith wrote:
 
 From a textarea on a web form I'm attempting to convert all returns(\r),
 from the users input, to br /, for db INSERT, and then back again for
 display in the textarea. (They remain as br /s for normal HTML web page
 display.)

You really shouldn't convert the data to <br />s in the database;
just do it at the time of displaying it in HTML, and keep the raw
data in the database.

// add to database (prepare avoiding sql injection)
$field = mysql_real_escape_string($_POST['textarea']);
$sql = "update jobs set jbs_jobDesA = '$field' WHERE jbs_ID=77";

// output to html, removing xxs ability and add html br's
$field_from_db = $row['jbs_jobDesA'];
echo "<div>" . nl2br(htmlentities($field_from_db)) . "</div>";

// output to a textarea, removing xxs ability
$field_from_db = $row['jbs_jobDesA'];
echo "<textarea>" . htmlentities($field_from_db) . "</textarea>";

This would work much nicer. No need to do any two-way conversion of
your data.

Curt.
-- 
cat .signature: No such file or directory

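
The storage-and-display pattern in the reply above, as an added example that is not code from the thread: the raw text goes into the database through a prepared statement, and is encoded and passed through nl2br() only when rendered. An in-memory SQLite database via PDO stands in for MySQL so the script runs offline (assumed available); the table and column names follow the question, and the submitted text is constructed.

```php
<?php
// Added example, not code from the thread. Keep the raw text in the
// database, bind it with a prepared statement, and convert newlines to
// <br /> only at render time. Assumes PDO with the sqlite driver.

function open_db(): PDO {
    // In-memory SQLite stands in for MySQL so the example runs offline.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE jobs (jbs_ID INTEGER PRIMARY KEY, jbs_jobDesA TEXT)');
    return $db;
}

// Store exactly what the user typed. A bound parameter never becomes part
// of the SQL text, so quotes in it cannot alter the statement.
function save_description(PDO $db, int $id, string $text): void {
    // INSERT OR REPLACE is SQLite syntax; on MySQL the equivalent is REPLACE INTO.
    $stmt = $db->prepare('INSERT OR REPLACE INTO jobs (jbs_ID, jbs_jobDesA) VALUES (:id, :text)');
    $stmt->execute([':id' => $id, ':text' => $text]);
}

function load_description(PDO $db, int $id): string {
    $stmt = $db->prepare('SELECT jbs_jobDesA FROM jobs WHERE jbs_ID = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? '' : (string) $row['jbs_jobDesA'];
}

// Page view: encode first, then add <br />. Encoding before nl2br() keeps
// the generated tags intact while any "<" the user typed becomes "&lt;".
function render_html(string $text): string {
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div>' . nl2br($safe) . '</div>';
}

// Edit form: no nl2br(), the textarea displays the stored line breaks itself.
function render_textarea(string $text): string {
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<textarea name="desc">' . $safe . '</textarea>';
}

// Constructed input: a leading line break (the case that vanished in the
// original two-way conversion), an apostrophe, and a script tag.
$submitted = "\r\nIt's a job.\r\n<script>alert(1)</script>";

$db = open_db();
save_description($db, 77, $submitted);
$stored = load_description($db, 77);

// Nothing was stripped or rewritten on the way in.
if ($stored !== $submitted) {
    throw new RuntimeException('stored text differs from submitted text');
}

echo render_html($stored), "\n";
echo render_textarea($stored), "\n";
```

The order inside render_html() matters: nl2br() after htmlspecialchars() leaves the inserted <br /> tags alone, whereas the reverse order would encode them into visible text. Because the stored value is never altered, the leading return that disappeared in the original round trip is still there when the form is redisplayed.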



Re: [PHP] PHP Application Vuln. Testing

2006-02-07 Thread Ligaya Turmelle
Have you looked over the phpsec.org site?  Read over the security guide, and 
the various articles?


Jason Gerfen wrote:

Richard Davey wrote:


On 7 Feb 2006, at 16:54, Jason Gerfen wrote:

Is there any product available, commercial or free which performs  
source code auditing which *specifically searches PHP code for SQL,  
XSS type of attacks or vulnerabilities?  TIA.




No. But there are people who can perform the service for you  
(Brainbulb, Hardened PHP, etc)


Cheers,

Rich
--
http://www.corephp.co.uk
Zend Certified Engineer
PHP Development Services

Hmm, I found one but it seems it is still in beta.  
http://www.codescan.com/product.html


I have done some of my own auditing but the application I have been 
working on is nothing but form after form.  At each point the form is 
submitted I do sanity checks on the data to ensure that 1) it is being 
submitted from a page on the server. 2) that it doesn't contain 
script|object|embed type of code or SQL syntax.  3) that the 
specified length of the submitted data is of a certain length.


Can anyone on this list perhaps engage in this conversation?  I am bringing 
up this topic, not just for the application I am working on but for the 
information to be spread to other developers.  Any code examples, tips, 
resources etc., are appreciated.




--

life is a game... so have fun.

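
The sanity checks listed above, as an added example (not code from the thread) of the allow-list alternative: each field is validated against what it may contain, the "submitted from our own page" check is a random session token rather than the Referer header, and a few constructed inputs show where a keyword blacklist passes dangerous text and rejects harmless text. The field names, length limits and the exact blacklist pattern are assumed for illustration; parameterised queries and output encoding are still needed afterwards and are not repeated here.

```php
<?php
// Added example, not code from the thread. Allow-list validation per field,
// a session token for the "came from our own form" check, and a comparison
// with a keyword blacklist. Field rules, limits and the blacklist pattern
// are assumed; mbstring is assumed to be loaded.

// A keyword blacklist of the kind described above (assumed form of it).
function blacklist_rejects(string $input): bool {
    return preg_match('/script|object|embed|select|union|insert/i', $input) === 1;
}

// Allow-list: a record id is digits only, short enough to cast to int safely.
function validate_job_id(string $input): bool {
    return ctype_digit($input) && strlen($input) <= 9;
}

// Allow-list: a description is well-formed UTF-8 within length bounds and
// has no control characters except tab and line breaks. It is text, not
// markup, so "<" is legal here; neutralising it is output encoding's job.
function validate_description(string $input): bool {
    if (!mb_check_encoding($input, 'UTF-8')) return false;
    $len = mb_strlen($input, 'UTF-8');
    if ($len < 1 || $len > 2000) return false;
    // Any character in Unicode category C other than \t \r \n fails.
    return preg_match('/[^\P{C}\t\r\n]/u', $input) === 0;
}

// "Submitted from a page on this server": the Referer header is set by the
// client and can be blank or forged, so bind the form to the session with a
// random token the form must echo back. $session stands in for $_SESSION.
function issue_form_token(array &$session): string {
    $session['form_token'] = bin2hex(random_bytes(16));
    return $session['form_token'];
}

function check_form_token(array $session, string $submitted): bool {
    return isset($session['form_token'])
        && hash_equals($session['form_token'], $submitted);
}

// Constructed inputs.
$samples = [
    '<img src=x onerror=alert(1)>',       // no blacklisted word, yet runs script if echoed raw
    'We embed subtitles in every video.', // harmless prose the blacklist rejects
    '77 OR 1=1',                          // not a valid id, blacklist lets it through
    '77',                                 // a valid id
];

foreach ($samples as $s) {
    printf("%-36s blacklist:%-7s description:%-7s job_id:%s\n", $s,
        blacklist_rejects($s) ? 'reject' : 'pass',
        validate_description($s) ? 'ok' : 'reject',
        validate_job_id($s) ? 'ok' : 'reject');
}

$session = [];
$token = issue_form_token($session);
var_dump(check_form_token($session, $token));          // genuine post of our form
var_dump(check_form_token($session, 'forged-value'));  // post from somewhere else
```

The first sample is the point of the comparison: it contains none of the blacklisted words and passes the description rule too, because it is perfectly valid text; what stops it from executing is htmlspecialchars() at output, not anything done at input. Validation earns its keep on fields with a tight definition, such as the numeric id, where "77 OR 1=1" is rejected outright before any query is built.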

[PHP] image location hiding techniques

2006-02-07 Thread hbeaumont hbeaumont
Hi,

I have a site with images that I want people to download but not have
the direct path to. ie. I do not want them to be able to just view the
source, find the dir and then download everything or direct link to
them.

However I can see no way to do this other than keeping the images on
disk, having a php script read them and then spit them out. example:

view.php?92348924  where 92348924  is a code that translates to the
image on disk.

Can anyone think of a better method? If not, what is the most
efficient way to do this (ie. avoid the most i/o)

Thanks!


P.S. I also realize I could use .htaccess to stop direct linking and
turn off directory indexes. Still I think there might be some other
problems with .htaccess




[PHP] Re: How to user curl_setopt?

2006-02-07 Thread Hybau Leu
Thanks for your input.
However, I still can't get it to work.

Do you have any working examples?
I really don't know how to set the curl options.
I am confused by the options CURLOPT_CAINFO, CURLOPT_SSLCERT, 
CURLOPT_SSLKEY, etc.

lhb
James Benson [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]
 should it not be:-
  G:\\test\ssl\mes1.cer'

 notice how I changed the path to reflect a proper windows drive path!


 James





 lhb wrote:
 Hello,

 Now I need to use curl to connect to a secure website,
 I have three certificates files, two .cer files and one .pfx file.
 After I import the certificates into IE browser, the visit is OK.
 However, when I use curl_setopt to configure the certificates, it failed.
 Can anybody help me?
 Thanks.

 The code is below:
 <?php
 $ch = curl_init();

 curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
 curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
 curl_setopt($ch, CURLOPT_SSLCERT, 'G:\test\ssl\mes1.cer');
 curl_setopt($ch, CURLOPT_SSLCERT, 'G:\test\ssl\mes2.cer');
 curl_setopt($ch, CURLOPT_SSLKEY, 'G:\test\ssl\.pfx');
 curl_setopt($ch, CURLOPT_SSLKEYPASSWD, 'password');
 curl_setopt($ch, CURLOPT_URL, $host.$uri);

 curl_setopt($ch, CURLOPT_POST, 1);
 curl_setopt($ch, CURLOPT_HEADER, 1);
 curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

 $returned = curl_exec($ch);

 echo $returned;
 ?>

 lhb 

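
The certificate options asked about above, as an added example that is not code from the thread: the verification-off settings from the question placed beside a configuration that keeps verification on and loads the .pfx bundle the way curl expects it. The file paths, password and URL are placeholders, and treating the .cer files as the CA chain for the server is an assumption (see the note after the code).

```php
<?php
// Added example, not code from the thread. Client-certificate TLS with curl,
// verification kept on, next to the verification-off settings from the
// question. All paths, the password and the URL are placeholders.

// What the question did: with both verify options off, curl accepts any
// server certificate, so an interposed host is indistinguishable from the
// real one. Shown only for contrast.
function weak_options(string $url): array {
    return [
        CURLOPT_URL            => $url,
        CURLOPT_SSL_VERIFYPEER => 0,   // accept any server certificate
        CURLOPT_SSL_VERIFYHOST => 0,   // and do not check the hostname either
        CURLOPT_RETURNTRANSFER => 1,
    ];
}

// Corrected: the .pfx (PKCS#12) bundle carries the client certificate AND its
// private key, so it goes in CURLOPT_SSLCERT with type P12 and no separate
// CURLOPT_SSLKEY. The CA that signed the SERVER's certificate goes in
// CURLOPT_CAINFO as a PEM bundle, which is what turns verification from
// "fails" into "passes" without switching it off.
function client_cert_options(string $url, string $p12Path, string $p12Password, string $caBundlePem): array {
    return [
        CURLOPT_URL            => $url,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,          // 2 is the only valid "on" value
        CURLOPT_CAINFO         => $caBundlePem,
        CURLOPT_SSLCERT        => $p12Path,
        CURLOPT_SSLCERTTYPE    => 'P12',
        CURLOPT_SSLCERTPASSWD  => $p12Password,
        CURLOPT_POST           => true,
        CURLOPT_HEADER         => true,
        CURLOPT_RETURNTRANSFER => true,
    ];
}

function post_with_client_cert(string $url, array $fields, string $p12Path, string $p12Password, string $caBundlePem): string {
    $ch = curl_init();
    curl_setopt_array($ch, client_cert_options($url, $p12Path, $p12Password, $caBundlePem));
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($fields));
    $body = curl_exec($ch);
    if ($body === false) {
        // curl_error() says which part failed: CA verification, hostname
        // mismatch, an unreadable bundle, or a wrong PKCS#12 password.
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException('TLS request failed: ' . $err);
    }
    curl_close($ch);
    return $body;
}

// Placeholder values (assumed); run against the real host to exercise it.
// $response = post_with_client_cert('https://example.invalid/service',
//     ['action' => 'ping'], 'G:\test\ssl\client.pfx', 'password', 'G:\test\ssl\ca-bundle.pem');
```

CURLOPT_CAINFO expects PEM, and .cer files exported from Windows are usually DER; convert each with `openssl x509 -inform DER -in mes1.cer -out mes1.pem` and concatenate the results into the bundle file. Importing the certificates into IE made the browser trust the server and present the client certificate; these options do the same for curl instead of disabling the checks.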



Re: [PHP] str_replace ? \r

2006-02-07 Thread Matty Sarro
Agreed - try to think of it as a filter and less of something that needs to
be computed both ways... much easier in the long run, and more efficient :)

On 2/7/06, Curt Zirzow [EMAIL PROTECTED] wrote:

 On Tue, Feb 07, 2006 at 10:38:37AM -0800, Sam Smith wrote:
 
  From a textarea on a web form I'm attempting to convert all returns (\r),
  from the user's input, to <br />, for db INSERT, and then back again for
  display in the textarea. (They remain as <br />s for normal HTML web page
  display.)

 You really shouldn't convert the data to <br />s in the database;
 just do it at the time of displaying it in HTML, and keep the raw
 data in the database.

 // add to database (prepare avoiding sql injection)
 $field = mysql_real_escape_string($_POST['textarea']);
 $sql = "update jobs set jbs_jobDesA = '$field' WHERE jbs_ID=77";

 // output to html, removing xxs ability and add html br's
 $field_from_db = $row['jbs_jobDesA'];
 echo "<div>" . nl2br(htmlentities($field_from_db)) . "</div>";

 // output to a textarea, removing xxs ability
 $field_from_db = $row['jbs_jobDesA'];
 echo "<textarea>" . htmlentities($field_from_db) . "</textarea>";

 This would work much nicer. No need to do any two-way conversion of
 your data.

 Curt.
 --
 cat .signature: No such file or directory





[PHP] which version fixes bug 29922

2006-02-07 Thread Daniel Bondurant
I am trying to track down which version of php4 has the fix for bug  
29922.
I am running 4.3.11 which came out after the  bug was fixed in CVS,  
but I seem to be having the problem listed in the bug.

For various reason, I can't upgrade to a later version very easily.

thanks
- daniel




[PHP] Suggested product for ticket support and project management

2006-02-07 Thread Dan Rossi
Hi there, please don't bite, but we are looking for an open source or 
commercial PHP product for ticket support and another for project 
management. I have already googled a bit and what I've seen isn't so good. 
For our ticketing we mostly require a hosting-style ticket system for 
server support and website problems with a tiny area for a bugzilla-
style code bug system.


For the project management, possibly the most important thing is 
project logging, file sharing, reporting, calendar syndication and 
possible integration with publishing and subscribing via iCal.


It's always possible to build it yourself but there is no time allocated 
to do so.


Let me know, thanks.

Dan




Re: [PHP] str_replace ? \r

2006-02-07 Thread Curt Zirzow
On Tue, Feb 07, 2006 at 03:43:38PM -0800, Curt Zirzow wrote:
 On Tue, Feb 07, 2006 at 10:38:37AM -0800, Sam Smith wrote:
 
 // output to html, removing xxs ablity and add html br's

I mean XSS (Cross Site Scripting)

Curt.
-- 
cat .signature: No such file or directory




Re: [PHP] image location hiding techniques

2006-02-07 Thread Travis Doherty
hbeaumont hbeaumont wrote:

Hi,

I have a site with images that I want people to download but not have
the direct path to. ie. I do not want them to be able to just view the
source, find the dir and then download everything or direct link to
them.

However I can see no way to do this other than keeping the images on
disk, having a php script read them and then spit them out. example:

view.php?92348924  where 92348924  is a code that translates to the
image on disk.

  

Doing this would cause an extra hit to disk to load the PHP script and
the image instead of just the image file, if you are concerned about
disk I/O.  You could go the script route as you have mentioned and also
add a check on HTTP_REFERER to ensure they came from your site.  You
might even set a cookie and ensure that exists as well.  Randomize the
image numbers so they are not sequential, add some alpha characters to
make it real fun.  Give a 404 Not Found instead of an error if the
referer or cookie wasn't set to add some obscurity to the mix.

This will deter most people from grabbing all of the images, but if they
are available to the public for download it will always be possible for
someone to figure out your counter measures.  It doesn't mean you can't
make it trivial enough that they move along to the next site.

Travis Doherty

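
A view.php along the lines of the question, with the checks from the reply above, as an added example that is not code from the thread: an opaque random token is looked up in a table that maps it to a file name, the files live outside the web root, the request must carry the session cookie, and every failure gets the same 404. The directory, the file name and the token table are constructed for the example; the Referer check is deliberately left out, for the reason given after the code.

```php
<?php
// Added example, not code from the thread. Serves images by opaque token:
// random tokens instead of guessable numbers, a lookup table rather than a
// user-supplied path, a session-cookie requirement, and 404 for everything
// else. Directory, file name and token table are constructed.

// Image store outside the web root (assumed). Files here are only reachable
// through this script.
define('IMAGE_DIR', sys_get_temp_dir() . '/protected-images');

// 128 random bits, hex-encoded: cannot be walked like 92348924, 92348925, ...
function new_token(): string {
    return bin2hex(random_bytes(16));
}

// Decide what to send. $table maps token => file name (a database table in
// real use); $hasSession is whether the request carried our session cookie.
function decide(array $table, string $token, bool $hasSession): array {
    // One uniform 404 for "no cookie", "malformed token" and "unknown token",
    // so the response does not reveal which check failed.
    if (!$hasSession) return ['status' => 404];
    if (strlen($token) !== 32 || !ctype_xdigit($token)) return ['status' => 404];
    if (!isset($table[$token])) return ['status' => 404];
    // The user never supplies a path, and basename() drops any directory part
    // a bad table entry might contain, so "../" has nothing to act on.
    $path = IMAGE_DIR . '/' . basename($table[$token]);
    return is_file($path) ? ['status' => 200, 'path' => $path] : ['status' => 404];
}

// Send the decision to the client. readfile() streams from disk rather than
// reading the whole image into a PHP string first.
function emit(array $decision): void {
    http_response_code($decision['status']);
    if ($decision['status'] !== 200) return;
    header('Content-Type: image/png');                // assumed: all files are PNG
    header('Content-Length: ' . filesize($decision['path']));
    header('Cache-Control: private, max-age=3600');   // browser may cache, shared caches may not
    readfile($decision['path']);
}

// Constructed setup: one tiny PNG in the protected directory, one token.
@mkdir(IMAGE_DIR, 0700, true);
file_put_contents(IMAGE_DIR . '/photo1.png', base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='));
$table = [new_token() => 'photo1.png'];
$token = key($table);

// Simulated requests. In the real script the token comes from
// $_SERVER['QUERY_STRING'] (for view.php?<token>) and $hasSession from the
// session cookie being present; the response is then emit(decide(...)).
foreach ([
    'valid token, with cookie' => [$token, true],
    'valid token, no cookie'   => [$token, false],
    'guessed token'            => [str_repeat('0', 32), true],
    'path instead of token'    => ['../../etc/passwd', true],
] as $case => [$t, $cookie]) {
    printf("%-26s -> %d\n", $case, decide($table, $t, $cookie)['status']);
}
```

HTTP_REFERER is not checked because browsers omit it under common privacy settings and any client can set it to whatever it likes, so it turns away naive hotlinking and nothing else. As the reply says, anyone who can see a page can still fetch every image that page links to; the token only stops them reaching images they were never shown, and the uniform 404 keeps them from learning which of the checks they tripped.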