php-general Digest 7 Jul 2008 10:27:09 -0000 Issue 5555
Topics (messages 276338 through 276346):

Re: Multiple words str_shuffle
    276338 by: David Giragosian
    276339 by: Brady Mitchell

Re: No Database Connection possible (mySQL)
    276340 by: Chris Haensel

Problem with special characters - PHP AJAX
    276341 by: bperquku
    276345 by: Michael Kubler
    276346 by: Jason Norwood-Young

Looking for a reasonable explanation as to why $_REQUEST exists
    276342 by: mike

Re: Session variables disappear (some of them only)
    276343 by: karma
    276344 by: Chris

Administrivia:

To subscribe to the digest, e-mail: [EMAIL PROTECTED]
To unsubscribe from the digest, e-mail: [EMAIL PROTECTED]
To post to the list, e-mail: [EMAIL PROTECTED]

--

---BeginMessage---
On 7/6/08, Ron Piggott [EMAIL PROTECTED] wrote:

> I am trying to scramble individual words and/or phrases.
>
> When it is a phrase I would like to keep the letters of each word together, with a space between each one. The code I have so far is below. I use PHP 4.4.7.
>
> The code below is fine for a single word; it is phrases that I am now trying to accommodate.
>
> An example:
> rise and shine
>
> Desired output:
> I S R E N A D E H I S N
>
> Thanks for your help,
>
> Ron
>
> $keyword might be
>
> $keyword = str_shuffle(strtoupper($keyword));
> $buffer = "";
> for ($count = 0; ($count < strlen($keyword)); $count++) $buffer .= $keyword[$count] . " ";
> $keyword = trim($buffer);
> unset($buffer);

Once the individual words have had their letters shuffled, explode the sentence on a space, then use the shuffle function (http://us3.php.net/manual/en/function.shuffle.php) to, um, shuffle the array.

David
---End Message---
---BeginMessage---
On Jul 6, 2008, at 305PM, Ron Piggott wrote:

> I am trying to scramble individual words and/or phrases.
>
> When it is a phrase I would like to keep the letters of each word together, with a space between each one. The code I have so far is below. I use PHP 4.4.7.
>
> The code below is fine for a single word; it is phrases that I am now trying to accommodate.
$orig_phrase = 'rise and shine';

// Split the phrase into an array with each word as an element
$array_phrase = explode(' ',$orig_phrase);

// Cycle through the array processing one word at a time
foreach($array_phrase as $key => $value)
{
    // $orig_value is used in the do while loop to ensure that the shuffled string is not the original string.
    $orig_value = $value;

    // Shuffle the string, and continue to do so until the returned string is not the original string.
    // A word made of one repeated letter can never change, so skip it to avoid an endless loop.
    if (strlen(count_chars($value, 3)) > 1)
    {
        do {
            $value = str_shuffle($value);
        } while($value == $orig_value);
    }

    // Uppercase value
    $value = strtoupper($value);

    // Insert a space after every letter
    $value = chunk_split($value,1,' ');

    // Set array value to newly formatted version
    $array_phrase[$key] = $value;
}

// I'm using &nbsp; so it will echo and be obvious that there are two spaces between words.
$scramble_phrase = implode('&nbsp;&nbsp;',$array_phrase);

echo $orig_phrase;
echo '<br />';
echo $scramble_phrase;

Everything after the do...while loop can be easily combined into one line; I left it as separate lines for clarity.

Brady
---End Message---
---BeginMessage---
-----Original Message-----
From: M. Sokolewicz [mailto:[EMAIL PROTECTED]
Sent: Friday, July 04, 2008 10:18 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [PHP] Re: No Database Connection possible (mySQL)

David Robley wrote:
> Aviation Coding wrote:
>
>> Hi all,
>>
>> I am having problems with a connection to a mysql database.
>>
>> I am using
>>
>> function con() {
>>     mysql_connect("localhost","user","pass") or die(mysql_error());
>>     mysql_select_db("tava") or die(mysql_error());
>> }
>>
>> Now, when I call the _function_ (!)
>>
>> con() or die("no con");
>>
>> I get the "no con" output.
>>
>> When I call the mysql_connect and mysql_select directly before executing a query, I get some DB output. But that won't work when I am using the function...
>>
>> Any ideas would be greatly appreciated.
>>
>> Cheers!
>>
>> Chris
>
> I think you need to return something from the function, like true if the connection/select worked, false if not.
>
> Cheers

You are correct.
function foo() {
    // does something
}
var_dump(foo()); // returns NULL

why? because you don't explicitly return anything. If you did, that'd be the return value. So if you did:

function bar() {
    // does something
    return true;
}
var_dump(bar()); // return true

Now, your script assumes a return-value:

baz() or somethingElse();

is an expression. This basically says:

if(!baz()) {
    somethingElse();
}

Now, return (implicitly) null will result in (through lazy comparison) a false value (*null == false*, null !== false), which then triggers your die() condition.
[PHP] Problem with special characters - PHP AJAX
Hi all,

I'm writing a simple dictionary with php and ajax. It works perfectly with Firefox but not in IE.

Here is the link http://kllapa.com/fjahalori/test.html

I used alerts in js and found out that in the following function:

function updateMsgOnBrowser(testXML) {
    var test = testXML.getElementsByTagName("test")[0];
    var message = new Array(20);
    var m = new Array(20);
    var td = new Array(20);
    var i;
    for (i=1;i<=10;i++){
        message[i]=testXML.getElementsByTagName("message"+i)[0];
        message[i+1]=testXML.getElementsByTagName("message"+i+"r")[0];
        if (message[i]!=null){m[i] = message[i].firstChild.nodeValue;}
        else{m[i]="";}
        if (message[i+1]!=null){m[i+1] = message[i+1].firstChild.nodeValue;}
        else{m[i+1]="";}
        td[i]= document.getElementById("td"+i);
        td[i+1]= document.getElementById("td"+i+"r");
        td[i].innerHTML=""+m[i];
        td[i+1].innerHTML=""+m[i+1];
    }
}

the line message[i]=testXML.getElementsByTagName("message"+i)[0]; becomes null in IE when tag message contains special character (ë, ç, Ë, Ç, etc.).

Why does this work perfectly in Firefox? Any idea what could be the issue??

Thanks in advance

--
View this message in context: http://www.nabble.com/Problem-with-special-characters---PHP---AJAX-tp18311031p18311031.html
Sent from the PHP - General mailing list archive at Nabble.com.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Looking for a reasonable explanation as to why $_REQUEST exists
I have never had a use for this feature. To me it introduces another register_globals style attack vector. I see no need why people need to combine post/get/etc variables into the same superglobal. I actually run unset($_REQUEST) on it at the top of my library to discourage its use.

For third party products which use it I tell people to combine it themselves by using array_merge() - like $_REQUEST = array_merge($_POST, $_GET) etc...

Anyway can someone here please give me a good reasoning why it should exist? It isn't as easily abused as register_globals but when people have a session variable they want to access and use $_REQUEST for it I could easily override it by using a GET param on the url (depending on how the order of globals get processed)

Simply put, I see no reason why people would not want to clearly define where they are getting their input from. If for some reason there is some need to lazily code something I would still say to do something like:

if(isset($_GET['foo'])) {
    $foo = $_GET['foo'];
} elseif(isset($_POST['foo'])) {
    $foo = $_POST['foo'];
} else {
    $foo = 'default value';
}

... or just do the array merge.

But please someone maybe can justify this to me... I've been using superglobals before I really understood how important they were and then one day I see they introduced $_REQUEST and thought .. okay that seems stupid. I finally am deciding to see if anyone can give me a reason as to why this is useful and not just a lazy coding practice that can lead to security risks. You don't really know if your data is coming from GET, from POST, a SESSION variable, etc...

I'd love to see a good discussion going on this. I might have overlooked something important.
[PHP] Re: Session variables disappear (some of them only)
Hi,

Ted Fabrice, thanks for your answers.

Sessions variables are only stored in a local file. The dir permissions are ok, and I've tried to store these files in another dir (/var/tmp/php) just to check.

The session id is transmitted via cookies only :

session.use_cookies = 1
session.use_only_cookies = 1    <== I've tried with 0 and 1
session.auto_start = 0
session.cookie_lifetime = 0

I guess the Session ID is correctly transmitted because the errors don't occur on the first 2 scripts. First, the login page requires cookies to be enabled, and this step is ok. Then the user has to choose something in a menu, this step is fine too : some variables are set according to the user choice and the user is redirected to the 3rd script. The errors occur on this one.

Between the 2nd and 3rd scripts, variables are created from a database query : it _can't_ fail and the results are checked : no possible mistake here. I use this kind of method :

- the user chooses some $id (type and value tested, ok), then :

$res=pg_query($dbr, "select a, b, c, ..., from table where table_id='$id'");
if(pg_num_rows($res)) {
    list($_SESSION['a'], $_SESSION['b'], $_SESSION['c'], ...)=pg_fetch_row($res, 0);
    pg_free_result($res);
    header("Location:my_third_script.php");
    exit();
}

Then the errors sometimes occur in my apache2/ssl_error_log (undefined index in $_SESSION variable). When I check the sess_12345789... file, some of the variables are missing : $_SESSION[a] and [b] are there, but not $_SESSION[c], even an empty one, it is just gone. That's all I know.

I would like to try to store my sessions variables in the main database, but it is quite difficult since the application is currently used by many people. I'll also have to upgrade a lot of scripts (a bit time consuming) to test this solution...

Regards,

C.

Fabrice VIGNALS wrote:
> Difficult to help you because there are many method of session :
> - where do you store the sessions_variables : in local file, db or cookie ?
> - how you transmit the session id, between pages(runtimes) : cookie, $GET link, database ?
>
> Did you check the availability of user cookie if you use it ?
>
> Because if in each page of your application you define a session variable it's sure it will be every time here. But the problem of session it's to transmit its ID between different pages, or session will be reset. If a user don't authorised cookie you must transmit the session id by db storage or $Get link.
>
> Also I don't see, a php modification during the last upgrades to explain that's kind of session problem.
>
> karma [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
>> Hi !
>>
>> I have a very weird issue since the last Apache upgrade (- 2.2.8-r3, a month ago), but I'm not sure it is related (well, I'm pretty sure it's not).
>>
>> Like many people, I've written an application that use PHP session variables, like $_SESSION[my_variable].
>>
>> Sometimes (it doesn't happen all the time), _some_ of these variables are not written in the session file and they are lost after a simple header(Location:...); (same domain). The session file is in the right directory (permissions are fine), but some of my variables are missing.
>>
>> The facts :
>> - Apache 2.2.9 + PHP 5.2.6_rc4 running on a Gentoo (up-to-date)
>> - all my scripts begin with session_start(). I've tried to add session_write_close() before every header(Location:...) call, it doesn't help.
>> - I didn't change anything in my program (it has been running just fine for 2 years), it just began to fail from time to time (I would say 10 times a day). There is no hidden unset() function : it would fail for everyone.
>> - these variables are all set correctly, and they don't have reserved names.
>> - only a few variables disappear, but they are always the same ones (could it depend on their position in the session file ?!?)
>> - the session files are very small (max 100ko)
>> - it seems that it doesn't depend on the browser, but IE6 and IE7 seem to be the most affected ones (it may be because my users mostly use these browsers).
>> - I can't reproduce this issue from my local network (any OS/browser - it would be too easy :)
>> - reverting to the previous stable Apache and/or PHP versions doesn't help.
>> - I didn't change any php.ini directive.
>>
>> Any idea ?
>>
>> Thanks !
>>
>> PS: if you need more details, just ask. The only thing I can't do is pasting the code : the scripts are quite huge.
Re: [PHP] Re: Session variables disappear (some of them only)
> Then the errors sometimes occur in my apache2/ssl_error_log (undefined index in $_SESSION variable). When I check the sess_12345789... file, some of the variables are missing : $_SESSION[a] and [b] are there, but not $_SESSION[c], even an empty one, it is just gone. That's all I know.

Sounds like for those situations, the user doesn't have one of the options set (the database is returning a null value).

Check that by matching up whatever 'a' and 'b' are with what's in the database.

--
Postgresql php tutorials
http://www.designmagick.com/
Re: [PHP] Problem with special characters - PHP AJAX
Are the messages being sent as UTF-8 or something else? Is the server sending the headers as something different to that listed in the header?

Actually, looking at it, you don't have a valid DOC-TYPE
http://validator.w3.org/check?uri=http%3A%2F%2Fkllapa.com%2Ffjahalori%2Ftest.html&charset=%28detect+automatically%29&doctype=Inline&group=0,
nor character Encoding set.

It might be something else, but I haven't played with enough AJAX to debug the javascript.

Michael Kubler
*G*rey *P*hoenix *P*roductions http://www.greyphoenix.biz

bperquku wrote:
> Hi all,
>
> I'm writing a simple dictionary with php and ajax. It works perfectly with Firefox but not in IE.
>
> Here is the link http://kllapa.com/fjahalori/test.html
>
> I used alerts in js and found out that in the following function:
>
> function updateMsgOnBrowser(testXML) {
>     var test = testXML.getElementsByTagName("test")[0];
>     var message = new Array(20);
>     var m = new Array(20);
>     var td = new Array(20);
>     var i;
>     for (i=1;i<=10;i++){
>         message[i]=testXML.getElementsByTagName("message"+i)[0];
>         message[i+1]=testXML.getElementsByTagName("message"+i+"r")[0];
>         if (message[i]!=null){m[i] = message[i].firstChild.nodeValue;}
>         else{m[i]="";}
>         if (message[i+1]!=null){m[i+1] = message[i+1].firstChild.nodeValue;}
>         else{m[i+1]="";}
>         td[i]= document.getElementById("td"+i);
>         td[i+1]= document.getElementById("td"+i+"r");
>         td[i].innerHTML=""+m[i];
>         td[i+1].innerHTML=""+m[i+1];
>     }
> }
>
> the line message[i]=testXML.getElementsByTagName("message"+i)[0]; becomes null in IE when tag message contains special character (ë, ç, Ë, Ç, etc.).
>
> Why does this work perfectly in Firefox? Any idea what could be the issue??
>
> Thanks in advance
Re: [PHP] Problem with special characters - PHP AJAX
On Mon, 2008-07-07 at 19:35 +0930, Michael Kubler wrote:
> Are the messages being sent as UTF-8 or something else? Is the server sending the headers as something different to that listed in the header?
>
> Actually, looking at it, you don't have a valid DOC-TYPE
> http://validator.w3.org/check?uri=http%3A%2F%2Fkllapa.com%2Ffjahalori%2Ftest.html&charset=%28detect+automatically%29&doctype=Inline&group=0,
> nor character Encoding set.

Yeah you might want to check out HTML Entities (http://www.php.net/manual/en/function.htmlentities.php) - great help in encoding. Then set a doc type too.
Re: [PHP] V4 Vs V5 Issue
Hi

Thanks to those who got back to me on this.

Turns out the issue was HTTP_POST_VARS..GET, SERVER being so depreciated that they no longer worked at all. Changed all to _POST..._GET, _SERVER etc and all worked fine.

I guess they will make a programmer of me yet...hmmm one day maybe.

Anyway thanks again

Cheers

Neil

At 01:27 AM 2/07/2008, Neil wrote:
> Hi
>
> First Post here, I hope this is the right place for this post.
>
> This is probably not a php problem, I think it may be a configuration issue, but sorry I just don't know where to look
>
> I have a V4 site that calls an on line editor and part of the process is by window.onload. If I had to explain how it all works I couldn't. JS is not my thing and this is a fairly old piece of code. anyways
>
> --
> Have a bit of code that looks like this
> .
> .
> <body leftmargin=2 marginwidth=2 topmargin=2 marginheight=2 onResize="blockDefault();">
> content;
> include($settings['app_dir'].'/js/core_js.php');
> echo <<<content
> <script LANGUAGE="Javascript">
> window.onload=initEditor
> </script>
> <table border=0 cellpadding=5 cellspacing=0 width=100% height=100% class=framed>
> .
> .
> .
> --
>
> Under My V4 Server it works fine. The Java script loads and all is fine.
>
> On my V5 Server I get the following Errors
>
> Line: 68
> Char: 21
> Error: Syntax error
> Code: 0
> URL: ..
>
> and then
>
> Line: 600
> Char: 11
> Error 'initEditor' is undefined
> Code 0
> URL
>
> Now the thing is, when I view source code in IE off both servers the core_js.php is being read and is visible, the initEditor function is there for all the world to see.
>
> If I rename the initEditor function on the V5 version and add a new empty function I still get the same error messages.
>
> I don't have much hair and I am tearing out the rest as we speak :). I have no idea where to look so I am just hoping someone can point me in the right direction. Like I said in the beginning I think it must be a configuration issue but I just don't know what or where.
>
> Anyways TIA
>
> Cheers
>
> Neil
Re: [PHP] Re: class_is_loadable?
On Sun, Jul 6, 2008 at 6:06 AM, Fabrice VIGNALS [EMAIL PROTECTED] wrote:
> Hi,
>
> The problem is not the autoload but the implementation of such function. class_is_loadable mean, hey php look at my class somewhere in my files. PHP should inspect some files, in some directories and list classes. Which files, which extensions files, in which directories ? ...
>
> In my mind you must replan your autoload, for example make a link between classes and files name, ie :
>
> if file_exists( A.class.php ) include_once( B.class.php) else include_once( A.class.php );
>
> Check the factory method at Zend site, that explain how to work with class method, without to know the exact name of class (ex : load an specific class depending of the database available)

file_exist isn't going to help you if the file is in the include path somewhere else. I routinely use the include path to have my shared code base across multiple sites without duplicated files.

You'd end up writing some horrible fopen with the use include path flag to test this.

var_dump(file_exists('PEAR.php')); - false
var_dump(fopen('PEAR.php', 'r', true)); - resource if exists
Re: [PHP] Looking for a reasonable explanation as to why $_REQUEST exists
On Mon, Jul 7, 2008 at 3:10 AM, mike [EMAIL PROTECTED] wrote:
> I have never had a use for this feature. To me it introduces another register_globals style attack vector. I see no need why people need to combine post/get/etc variables into the same superglobal. I actually run unset($_REQUEST) on it at the top of my library to discourage its use.
>
> For third party products which use it I tell people to combine it themselves by using array_merge() - like $_REQUEST = array_merge($_POST, $_GET) etc...
>
> Anyway can someone here please give me a good reasoning why it should exist? It isn't as easily abused as register_globals but when people have a session variable they want to access and use $_REQUEST for it I could easily override it by using a GET param on the url (depending on how the order of globals get processed)
>
> Simply put, I see no reason why people would not want to clearly define where they are getting their input from. If for some reason there is some need to lazily code something I would still say to do something like:
>
> if(isset($_GET['foo'])) {
>     $foo = $_GET['foo'];
> } elseif(isset($_POST['foo'])) {
>     $foo = $_POST['foo'];
> } else {
>     $foo = 'default value';
> }
>
> ... or just do the array merge.
>
> But please someone maybe can justify this to me... I've been using superglobals before I really understood how important they were and then one day I see they introduced $_REQUEST and thought .. okay that seems stupid. I finally am deciding to see if anyone can give me a reason as to why this is useful and not just a lazy coding practice that can lead to security risks. You don't really know if your data is coming from GET, from POST, a SESSION variable, etc...
>
> I'd love to see a good discussion going on this. I might have overlooked something important.

Laziness/convenience.

I always get my data from the exact source I want. If someone chooses to use REQUEST it shouldn't break their application. You say it is a security risk, but not really. As long as everything is filtered/escaped properly it should be fine because you force the data to play by your rules.

I don't trust any piece of data that exists on my site whether it comes from request data, the database, or filesystem. So whether id comes from get or post doesn't matter because I always require it to be an int so it really wouldn't matter the origin.
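
The two positions in this thread, naming the input source explicitly and validating the value whatever its source, can be combined. The following is an added example, not code from any poster: `build_request()` and `input_int()` are hypothetical helpers, the request arrays are constructed, and the left-to-right override order mirrors PHP's `request_order` / `variables_order` settings for GET, POST and cookie data.

```php
<?php
// Added example, not code from the thread. build_request() and input_int()
// are hypothetical helpers; the request arrays below are constructed.

/**
 * Mimic how PHP fills $_REQUEST: sources are registered left to right in
 * the configured order, and a later source overwrites an earlier one
 * whenever both carry the same key.
 */
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // array_replace() keeps keys as they are; later values win
            $request = array_replace($request, $sources[$letter]);
        }
    }
    return $request;
}

/**
 * Read an integer from ONE named source. Returns $default when the key is
 * absent; throws when the key is present but is not an integer >= $min.
 */
function input_int(array $source, string $key, ?int $default = null, int $min = 1): ?int
{
    if (!array_key_exists($key, $source)) {
        return $default;
    }
    // Arrays (id[]=1) and strings such as "42abc" both fail this filter
    $value = filter_var($source[$key], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min]]);
    if ($value === false) {
        throw new InvalidArgumentException("'$key' is not an integer >= $min");
    }
    return $value;
}

// Constructed request: the form posts id=42, the URL carries ?id=7 and a
// cookie named id carries 999.
$get    = ['id' => '7'];
$post   = ['id' => '42', 'comment' => 'hello'];
$cookie = ['id' => '999'];

// The same request yields a different "id" depending on server configuration.
foreach (['GP', 'PG', 'GPC'] as $order) {
    $request = build_request($order, $get, $post, $cookie);
    printf("order %-3s -> \$_REQUEST['id'] would be %s\n", $order, $request['id']);
}

// Reading from the source the handler expects removes that ambiguity.
printf("POST id: %d\n", input_int($post, 'id'));
printf("missing key uses default: %d\n", input_int($get, 'page', 1));

// Validation still applies to the chosen source.
foreach (['42abc', '-3', ['1', '2']] as $bad) {
    try {
        input_int(['id' => $bad], 'id');
    } catch (InvalidArgumentException $e) {
        printf("rejected %s: %s\n", json_encode($bad), $e->getMessage());
    }
}
```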
Re: [PHP] Multiple words str_shuffle
On Sun, Jul 6, 2008 at 8:04 PM, Brady Mitchell [EMAIL PROTECTED] wrote:
> On Jul 6, 2008, at 305PM, Ron Piggott wrote:
>
>> I am trying to scramble individual words and/or phrases.
>>
>> When it is a phrase I would like to keep the letters of each word together, with a space between each one. The code I have so far is below. I use PHP 4.4.7.
>>
>> The code below is fine for a single word; it is phrases that I am now trying to accommodate.
>
> $orig_phrase = 'rise and shine';
>
> // Split the phrase into an array with each word as an element
> $array_phrase = explode(' ',$orig_phrase);
>
> // Cycle through the array processing one word at a time
> foreach($array_phrase as $key => $value)
> {
>     // $orig_value is used in the do while loop to ensure that the shuffled string is not the original string.
>     $orig_value = $value;
>
>     // Shuffle the string, and continue to do so until the returned string is not the original string.
>     // A word made of one repeated letter can never change, so skip it to avoid an endless loop.
>     if (strlen(count_chars($value, 3)) > 1)
>     {
>         do {
>             $value = str_shuffle($value);
>         } while($value == $orig_value);
>     }
>
>     // Uppercase value
>     $value = strtoupper($value);
>
>     // Insert a space after every letter
>     $value = chunk_split($value,1,' ');
>
>     // Set array value to newly formatted version
>     $array_phrase[$key] = $value;
> }
>
> // I'm using &nbsp; so it will echo and be obvious that there are two spaces between words.
> $scramble_phrase = implode('&nbsp;&nbsp;',$array_phrase);
>
> echo $orig_phrase;
> echo '<br />';
> echo $scramble_phrase;
>
> Everything after the do...while loop can be easily combined into one line; I left it as separate lines for clarity.
>
> Brady

Why not something like this?

<?php

$phrase = 'The rain in Spain falls mainly on the plain';
$words = explode(' ', $phrase);
// array_walk() discards the callback's return value, so map over the words instead
$words = array_map('str_shuffle', $words);
echo join(' ', $words);

?>

Andrew
[PHP] Fwd: [PHP-DOC] ftp help
Forwarding to correct list.

---------- Forwarded message ----------
From: Dan [EMAIL PROTECTED]
Date: Fri, Jul 4, 2008 at 1:56 PM
Subject: [PHP-DOC] ftp help
To: [EMAIL PROTECTED]

I am using a php script to connect to an ftp server. However, the server requires a password change every 90 days. Any ideas on how to handle this?

--
Thiago Henrique Pojda
Re: [PHP] Fwd: [PHP-DOC] ftp help
Thiago H. Pojda wrote:
> Forwarding to correct list.
>
> ---------- Forwarded message ----------
> From: Dan [EMAIL PROTECTED]
> Date: Fri, Jul 4, 2008 at 1:56 PM
> Subject: [PHP-DOC] ftp help
> To: [EMAIL PROTECTED]
>
> I am using a php script to connect to an ftp server. However, the server requires a password change every 90 days. Any ideas on how to handle this?

Yes. This can be accomplished in the following steps:

1) change password every 90 days

HTH

Stijn
[PHP] Re: [PHP-DOC] Network Interface Card Name
Forwarding to correct list.

On Mon, Jul 7, 2008 at 10:25 AM, Kapil Kapil [EMAIL PROTECTED] wrote:
> No, I want the name of network interface cards of server, not of client.
>
> Thanks regards
> Kapil
>
> On Mon, Jul 7, 2008 at 6:38 PM, Thiago H. Pojda [EMAIL PROTECTED] wrote:
>> That's client-side you're probably not going to do that w/o any client-side software.
>>
>> You should be asking this on php-general.
>>
>> Regards,
>> Thiago
>>
>> On Mon, Jul 7, 2008 at 8:19 AM, Kapil Kapil [EMAIL PROTECTED] wrote:
>>> Hi !
>>>
>>> I want to get the name of network interface card, like - VIA Rhine I Fast Ethernet Adapter.
>>> Is there any function in php for this or perhaps a way to find it out?
>>>
>>> Thanks
>>> Kapil
>>
>> --
>> Thiago Henrique Pojda

--
Thiago Henrique Pojda
Re: [PHP] Re: [PHP-DOC] Network Interface Card Name
Thiago H. Pojda wrote:
> On Mon, Jul 7, 2008 at 8:19 AM, Kapil Kapil [EMAIL PROTECTED] wrote:
>> Hi !
>>
>> I want to get the name of network interface card, like - VIA Rhine I Fast Ethernet Adapter.
>> Is there any function in php for this or perhaps a way to find it out?

Not really a PHP question, but the answer is 'lspci'. Here's some sample output:

00:0c.0 Ethernet controller: Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE] (rev 26)
04:0a.0 Ethernet controller: Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE] (rev 26)

/Per Jessen, Zürich
[PHP] Keeping POST values when paging
Hiya all,

I have coded a PHP site on an intranet which forms a MySQL query based on multiple inputs on a large form. The form results are POSTed back to itself, and query is formed, and the results are returned from the database and echoed.

I am looking to set up a basic paging system (back/next, jump to page 3, etc) in order to limit results for efficiency.

The problem I get is that my "next" link - something like href='resultspage.php?page=2' - naturally reloads the page without all the POST variables it needs to recreate the query.

Is there some way of forcing the page to remember and reload the POST variables when clicking next? Or, if that's difficult, can anyone suggest a good way of addressing this problem without too much recoding? I'm sure there must be a neater way of doing it than simply passing 30 or so variables using GET.

Many thanks in advance.
Jon.

Jonathan Mayer
Motion Capture Studio Manager
TT Games (www.ttgames.com)
Email: [EMAIL PROTECTED]
Tel: 01565 757357
Mob: 07814 973885
Address: Traveller's Tales, Canute Court, Toft Road, Knutsford, Cheshire, WA16 0NL
Re: [PHP] Keeping POST values when paging
On Mon, Jul 7, 2008 at 9:51 AM, Mayer, Jonathan [EMAIL PROTECTED] wrote:
> Hiya all,
>
> I have coded a PHP site on an intranet which forms a MySQL query based on multiple inputs on a large form. The form results are POSTed back to itself, and query is formed, and the results are returned from the database and echoed.
>
> I am looking to set up a basic paging system (back/next, jump to page 3, etc) in order to limit results for efficiency.
>
> The problem I get is that my "next" link - something like href='resultspage.php?page=2' - naturally reloads the page without all the POST variables it needs to recreate the query.
>
> Is there some way of forcing the page to remember and reload the POST variables when clicking next? Or, if that's difficult, can anyone suggest a good way of addressing this problem without too much recoding? I'm sure there must be a neater way of doing it than simply passing 30 or so variables using GET.
>
> Many thanks in advance.
> Jon.
>
> Jonathan Mayer
> Motion Capture Studio Manager
> TT Games (www.ttgames.com)
> Email: [EMAIL PROTECTED]
> Tel: 01565 757357
> Mob: 07814 973885
> Address: Traveller's Tales, Canute Court, Toft Road, Knutsford, Cheshire, WA16 0NL

Two semi-quick solutions:

1) Change your paging links to be inside a single form so that when you click the button 3 it re-posts your hidden data fields with the value 3
2) Persist your post data using session variables
Re: [PHP] Keeping POST values when paging
Mayer wrote:
> Hiya all,
>
> I have coded a PHP site on an intranet which forms a MySQL query based on multiple inputs on a large form. The form results are POSTed back to itself, and query is formed, and the results are returned from the database and echoed.
>
> I am looking to set up a basic paging system (back/next, jump to page 3, etc) in order to limit results for efficiency.
>
> The problem I get is that my "next" link - something like href='resultspage.php?page=2' - naturally reloads the page without all the POST variables it needs to recreate the query.
>
> Is there some way of forcing the page to remember and reload the POST variables when clicking next? Or, if that's difficult, can anyone suggest a good way of addressing this problem without too much recoding? I'm sure there must be a neater way of doing it than simply passing 30 or so variables using GET.
>
> Many thanks in advance.
> Jon.

Set session variables, have the script check the session variables.

That'll keep the pages rolling, shouldn't take much coding, and you can change some things on-the-fly.

HTH,
Wolf
RE: [PHP] Keeping POST values when paging
Thanks Wolf and Eric,

I shall experiment with the two options you have suggested.

Cheers,
Jon.

-----Original Message-----
From: Wolf [mailto:[EMAIL PROTECTED]
Sent: 07 July 2008 14:58
To: Mayer, Jonathan
Cc: 'php-general@lists.php.net'
Subject: Re: [PHP] Keeping POST values when paging

Mayer wrote:
> Hiya all,
>
> I have coded a PHP site on an intranet which forms a MySQL query based on multiple inputs on a large form. The form results are POSTed back to itself, and query is formed, and the results are returned from the database and echoed.
>
> I am looking to set up a basic paging system (back/next, jump to page 3, etc) in order to limit results for efficiency.
>
> The problem I get is that my "next" link - something like href='resultspage.php?page=2' - naturally reloads the page without all the POST variables it needs to recreate the query.
>
> Is there some way of forcing the page to remember and reload the POST variables when clicking next? Or, if that's difficult, can anyone suggest a good way of addressing this problem without too much recoding? I'm sure there must be a neater way of doing it than simply passing 30 or so variables using GET.
>
> Many thanks in advance.
> Jon.

Set session variables, have the script check the session variables.

That'll keep the pages rolling, shouldn't take much coding, and you can change some things on-the-fly.

HTH,
Wolf
Re: [PHP] Keeping POST values when paging
Mayer, Jonathan wrote:
> Is there some way of forcing the page to remember and reload the POST variables when clicking next? Or, if that's difficult, can anyone suggest a good way of addressing this problem without too much recoding? I'm sure there must be a neater way of doing it than simply passing 30 or so variables using GET.

When you build page2, add hidden input variables with the values from page1 etc.

/Per Jessen, Zürich
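
Both suggestions made in this thread, re-posting the filters as hidden fields and keeping them in session variables, are shown side by side in the following added example, which is not code from any poster. The field names, helper names and sample request are constructed, and a plain array stands in for `$_SESSION` so the script runs from the command line.

```php
<?php
// Added example, not code from the thread. Field names, helper names and
// the sample request are constructed for illustration.

const ALLOWED_FILTERS = ['actor', 'take_date', 'status'];

/** Keep only the expected form fields, as strings, and drop everything else. */
function pick_filters(array $post): array
{
    $filters = [];
    foreach (ALLOWED_FILTERS as $name) {
        if (isset($post[$name]) && is_string($post[$name])) {
            $filters[$name] = trim($post[$name]);
        }
    }
    return $filters;
}

/** The page number is client input too: accept 1..$lastPage, else page 1. */
function clamp_page($raw, int $lastPage): int
{
    $page = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => $lastPage]]);
    return $page === false ? 1 : $page;
}

/** Escape a value for use inside an HTML attribute. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

/** Option 1: page buttons sit in one form that re-posts the filters as hidden fields. */
function render_pager_form(array $filters, int $page, int $lastPage): string
{
    $html = "<form method=\"post\" action=\"resultspage.php\">\n";
    foreach ($filters as $name => $value) {
        // Values are echoed back into markup, so they are escaped here
        $html .= sprintf("  <input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
            h($name), h($value));
    }
    for ($p = 1; $p <= $lastPage; $p++) {
        $html .= sprintf("  <button type=\"submit\" name=\"page\" value=\"%d\"%s>%d</button>\n",
            $p, $p === $page ? ' disabled' : '', $p);
    }
    return $html . "</form>\n";
}

/** Option 2: store the filters server-side; page links then carry only ?page=N. */
function remember_filters(array &$session, array $post): array
{
    if (isset($post['search'])) {             // a fresh search replaces the stored one
        $session['search_filters'] = pick_filters($post);
    }
    return $session['search_filters'] ?? [];
}

// --- constructed demo ---------------------------------------------------
$post = [
    'search'   => '1',
    'actor'    => 'O\'Neil "stunt" <b>',      // quotes and markup must be escaped
    'status'   => 'approved',
    'is_admin' => '1',                        // unexpected field, must not survive
];
$session = [];                                // stands in for $_SESSION

// First request: the search form is POSTed.
$filters = remember_filters($session, $post);
echo render_pager_form($filters, clamp_page('2', 5), 5);

// Later request: GET resultspage.php?page=3 with no POST body.
$filters = remember_filters($session, []);
printf("page %d, filters: %s\n", clamp_page('3', 5), json_encode($filters));
printf("bad page value falls back to %d\n", clamp_page('3abc', 5));
```

Whichever option carries the filters, they remain user-supplied values when the MySQL query is rebuilt on each page, so they should be bound as query parameters rather than concatenated into the SQL string.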
Re: [PHP] Another instance of shameless self promotion
On Sat, Jun 28, 2008 at 5:04 PM, Richard Heyes [EMAIL PROTECTED] wrote:
> This time it's a line chart:
>
> http://www.phpguru.org/line/test.html
>
> BTW Is anyone else dumbfounded at the inability of the CANVAS tag to render text natively? A gross oversight IMO.

I'm dumbfounded by the inability of the CANVAS tag to detect a 404 and properly redirect. ;-P

--
/Daniel P. Brown
Re: [PHP] Execute command line as a different user
On Tue, Jul 1, 2008 at 1:17 PM, Matt palermo [EMAIL PROTECTED] wrote:
> My PHP is running as a user with limited rights. I'd like to execute a command line as a different user. I'm trying to delete a file and the PHP user doesn't have access to do this. I know the username and password for the admin user that has rights to delete a file. Is there a command I can use to make PHP run a delete command as the admin user? If so, how can I do this?

You can always create a script and have crond handle it running as the admin user, if you're on *NIX. Otherwise, check into the Winblows command `AT`.

--
/Daniel P. Brown
Re: [PHP] Splitting up long URLs
On Jul 1, 2008, at 4:27 PM, Nate Tallman wrote:
> If you want to do it on the php side, I would do something like this:
>
> <a href="$fullURL">substr($fullURL, 0, 9)</a>
>
> It would provide a valid link using the full url, but chop off everything after the 10th character and replace with a
>
> Nate

I've seen some sites(/browsers?) do something similar to this - they show the first of the URL and some of the last. For example...

    <?php
    $url = "http://www.letshaveareallylongurl.com/somedirectory/" .
           "somelocation/someplace/32j1580/ksaladfji/" .
           "dji23adf/adfjadf/dja9Jkda.html";
    $len = strlen ($url);
    $shortLen = 40;
    $longLen = 100;

    if ($len > ($shortLen + 10)) {
        if ($len > $longLen) {
            // Show first and last of the url
            $newUrl = substr ($url, 0, $shortLen) . '...' . substr ($url, -10);
        } else {
            // Only show first
            $newUrl = substr ($url, 0, $shortLen+7) . '...';
        }
    } else {
        $newUrl = $url;
    }

    echo "<a href=\"$url\">$newUrl</a>";
    ?>

This output would be:

http://www.letshaveareallylongurl.com/so...9Jkda.html

Of course, you can change the lengths around to suit your needs. Just another way to skin the cat.

~Philip

> On Tue, Jul 1, 2008 at 3:45 PM, Boyd, Todd M. [EMAIL PROTECTED] wrote:
>> -----Original Message-----
>> From: Brian Dunning [mailto:[EMAIL PROTECTED]
>> Sent: Tuesday, July 01, 2008 3:27 PM
>> To: php-general@lists.php.net
>> Subject: [PHP] Splitting up long URLs
>>
>> I have a web page that lists most recent comments in a left margin. Sometimes people post long URLs, or even just really really long words, that force that margin to display way too wide, screwing up the page layout. Is there a way to make sure URLs or other text in a string gets split up so this doesn't happen?
>>
>> If there's a CSS solution that's better than a PHP solution I'll take that too. :-)
>>
>> STFW: http://www.w3.org/TR/css3-text/#white-space
>>
>> ...doesn't say much in the article about whether or not it will break up words rather than lines, but it's worth a shot.
>>
>> Todd Boyd
>> Web Programmer
[PHP] Re: Session variables disappear (some of them only)
karma wrote:
> Hi,
>
> Ted & Fabrice, thanks for your answers.
>
> Session variables are only stored in a local file. The dir permissions are ok, and I've tried to store these files in another dir (/var/tmp/php) just to check.
>
> The session id is transmitted via cookies only:
>
> session.use_cookies = 1
> session.use_only_cookies = 1 <== I've tried with 0 and 1
> session.auto_start = 0
> session.cookie_lifetime = 0
>
> I guess the Session ID is correctly transmitted because the errors don't occur on the first 2 scripts. First, the login page requires cookies to be enabled, and this step is ok. Then the user has to choose something in a menu, this step is fine too: some variables are set according to the user choice and the user is redirected to the 3rd script. The errors occur on this one.
>
> Between the 2nd and 3rd scripts, variables are created from a database query: it _can't_ fail and the results are checked: no possible mistake here. I use this kind of method:
>
> - the user chooses some $id (type and value tested, ok), then:
>
>     $res = pg_query($dbr, "select a, b, c, ..., from table where table_id='$id'");
>     if (pg_num_rows($res)) {
>         list($_SESSION["a"], $_SESSION["b"], $_SESSION["c"], ...) = pg_fetch_row($res, 0);
>         pg_free_result($res);
>         header("Location:my_third_script.php");
>         exit();
>     }
>
> Then the errors sometimes occur in my apache2/ssl_error_log (undefined index in $_SESSION variable). When I check the sess_12345789... file, some of the variables are missing: $_SESSION["a"] and ["b"] are there, but not $_SESSION["c"], even an empty one, it is just gone. That's all I know.
>
> I would like to try to store my session variables in the main database, but it is quite difficult since the application is currently used by many people. I'll also have to upgrade a lot of scripts (a bit time consuming) to test this solution...
>
> Regards,
> C.
>
> Fabrice VIGNALS wrote:
>> Difficult to help you because there are many methods of session:
>> - where do you store the sessions_variables: in local file, db or cookie?
>> - how you transmit the session id between pages (runtimes): cookie, $GET link, database?
>>
>> Did you check the availability of user cookie if you use it?
>>
>> Because if in each page of your application you define a session variable it's sure it will be every time here. But the problem of session it's to transmit its ID between different pages, or session will be reset. If a user doesn't authorise cookies you must transmit the session id by db storage or $Get link.
>>
>> Also I don't see a php modification during the last upgrades to explain that kind of session problem.
>>
>> karma [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
>>> Hi!
>>>
>>> I have a very weird issue since the last Apache upgrade (-> 2.2.8-r3, a month ago), but I'm not sure it is related (well, I'm pretty sure it's not).
>>>
>>> Like many people, I've written an application that uses PHP session variables, like $_SESSION["my_variable"].
>>>
>>> Sometimes (it doesn't happen all the time), _some_ of these variables are not written in the session file and they are lost after a simple header("Location:..."); (same domain). The session file is in the right directory (permissions are fine), but some of my variables are missing.
>>>
>>> The facts:
>>> - Apache 2.2.9 + PHP 5.2.6_rc4 running on a Gentoo (up-to-date)
>>> - all my scripts begin with session_start(). I've tried to add session_write_close() before every header("Location:...") call, it doesn't help.
>>> - I didn't change anything in my program (it has been running just fine for 2 years), it just began to fail from time to time (I would say 10 times a day). There is no hidden unset() function: it would fail for everyone.
>>> - these variables are all set correctly, and they don't have reserved names.
>>> - only a few variables disappear, but they are always the same ones (could it depend on their position in the session file ?!?)
>>> - the session files are very small (max 100ko)
>>> - it seems that it doesn't depend on the browser, but IE6 and IE7 seem to be the most affected ones (it may be because my users mostly use these browsers).
>>> - I can't reproduce this issue from my local network (any OS/browser - it would be too easy :)
>>> - reverting to the previous stable Apache and/or PHP versions doesn't help.
>>> - I didn't change any php.ini directive.
>>>
>>> Any idea?
>>>
>>> Thanks!
>>>
>>> PS: if you need more details, just ask. The only thing I can't do is pasting the code: the scripts are quite huge.

http://us.php.net/manual/en/function.header.php

Note: Session ID is not passed with Location header even if session.use_trans_sid is enabled. It must be passed manually using SID constant.

-Shawn
[PHP] Re: Session variables disappear (some of them only)
Also:

Note: HTTP/1.1 requires an absolute URI as argument to Location: including the scheme, hostname and absolute path.

-Shawn
Re: [PHP] Looking for a reasonable explanation as to why $_REQUEST exists
Eric Butera wrote:
> On Mon, Jul 7, 2008 at 3:10 AM, mike [EMAIL PROTECTED] wrote:
>> I have never had a use for this feature. To me it introduces another register_globals style attack vector. I see no need why people need to combine post/get/etc variables into the same superglobal. I actually run unset($_REQUEST) on it at the top of my library to discourage its use.
>>
>> For third party products which use it I tell people to combine it themselves by using array_merge() - like $_REQUEST = array_merge($_POST, $_GET) etc...
>>
>> Anyway can someone here please give me a good reasoning why it should exist? It isn't as easily abused as register_globals but when people have a session variable they want to access and use $_REQUEST for it I could easily override it by using a GET param on the url (depending on how the order of globals get processed)
>>
>> Simply put, I see no reason why people would not want to clearly define where they are getting their input from. If for some reason there is some need to lazily code something I would still say to do something like:
>>
>>     if(isset($_GET['foo'])) {
>>         $foo = $_GET['foo'];
>>     } elseif(isset($_POST['foo'])) {
>>         $foo = $_POST['foo'];
>>     } else {
>>         $foo = 'default value';
>>     }
>>
>> ... or just do the array merge.
>>
>> But please someone maybe can justify this to me... I've been using superglobals before I really understood how important they were and then one day I see they introduced $_REQUEST and thought .. okay that seems stupid. I finally am deciding to see if anyone can give me a reason as to why this is useful and not just a lazy coding practice that can lead to security risks.
>>
>> You don't really know if your data is coming from GET, from POST, a SESSION variable, etc...
>>
>> I'd love to see a good discussion going on this. I might have overlooked something important.
>
> Laziness/convenience.
>
> I always get my data from the exact source I want. If someone chooses to use REQUEST it shouldn't break their application. You say it is a security risk, but not really. As long as everything is filtered/escaped properly it should be fine because you force the data to play by your rules.
>
> I don't trust any piece of data that exists on my site whether it comes from request data, the database, or filesystem. So whether id comes from get or post doesn't matter because I always require it to be an int so it really wouldn't matter the origin.

When you use register_globals it extracts the vars from get, post, cookie and session, or used to. But, I don't think session vars are in $_REQUEST.

-Shawn
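The two points argued in this thread, that the value found in $_REQUEST depends on merge order and that validating to an int makes the origin matter less, shown as an added PHP example (not code from any poster). build_request() and int_from() are hypothetical helper names, and the three arrays are constructed stand-ins for $_GET, $_POST and $_COOKIE.

```php
<?php
// Added example, not code from the thread. The arrays near the bottom are
// constructed sample input so the script runs from the command line.

/**
 * Merge request sources the way PHP fills $_REQUEST: left to right through
 * the request_order / variables_order letters, newer values overriding
 * older ones. (Hypothetical helper; PHP does this internally.)
 */
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged  = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // array_replace keeps the keys and lets the later source win.
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

/**
 * Read an integer from one explicitly named source. Returns $default when
 * the key is missing, is not a scalar, or is not a plain integer in range.
 * (Hypothetical helper.)
 */
function int_from(array $source, string $key, int $default, int $min = 1, int $max = PHP_INT_MAX): int
{
    if (!isset($source[$key]) || !is_scalar($source[$key])) {
        return $default;
    }
    $value = filter_var(
        $source[$key],
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]
    );
    return $value === false ? $default : $value;
}

// Constructed request: the form POSTs id=42, the URL carries ?id=7, and a
// cookie named "id" holds a value that is not an integer at all.
$get    = ['id' => '7', 'page' => '2'];
$post   = ['id' => '42'];
$cookie = ['id' => '1 OR 1=1'];

// Same request, three different answers depending on the configured order.
foreach (['GP', 'PG', 'GPC'] as $order) {
    $request = build_request($order, $get, $post, $cookie);
    printf("request_order=%-3s  id = %s\n", $order, var_export($request['id'], true));
}

// Naming the source removes the dependence on configuration, and the integer
// filter rejects the cookie value instead of passing it on to a query.
printf("POST only:   %d\n", int_from($post, 'id', 0));
printf("GET only:    %d\n", int_from($get, 'id', 0));
printf("COOKIE only: %d\n", int_from($cookie, 'id', 0));
printf("merged GPC:  %d\n", int_from(build_request('GPC', $get, $post, $cookie), 'id', 0));
```

Validation bounds what a value can be, but a merged array still lets a lower-trust source such as a cookie or query string supply a valid integer in place of the one the form posted.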
Re: [PHP] Re: [PHP-DOC] Network Interface Card Name
Per Jessen wrote:
> Thiago H. Pojda wrote:
>> On Mon, Jul 7, 2008 at 8:19 AM, Kapil Kapil [EMAIL PROTECTED] wrote:
>>> Hi!
>>>
>>> I want to get the name of network interface card, like - VIA Rhine I Fast Ethernet Adapter. Is there any function in php for this or perhaps a way to find it out?
>
> Not really a PHP question, but the answer is 'lspci'. Here's some sample output:
>
> 00:0c.0 Ethernet controller: Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE] (rev 26)
> 04:0a.0 Ethernet controller: Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE] (rev 26)
>
> /Per Jessen, Zürich

Windows you can use:

ipconfig /all

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : localdomain
   Description . . . . . . . . . . . : Intel(R) PRO/1000 PL Network Connection

-Shawn
Re: [PHP] Looking for a reasonable explanation as to why $_REQUEST exists
On Mon, Jul 7, 2008 at 11:23 AM, Shawn McKenzie [EMAIL PROTECTED] wrote:
> When you use register_globals it extracts the vars from get, post, cookie and session, or used to. But, I don't think session vars are in $_REQUEST.
>
> -Shawn

http://us2.php.net/manual/en/ini.core.php#ini.request-order
RE: [PHP] Looking for a reasonable explanation as to why $_REQUEST exists
[snip]
When you use register_globals it extracts the vars from get, post, cookie and session, or used to. But, I don't think session vars are in $_REQUEST.
[/snip]

$_REQUEST is no different than $_POST or $_GET from a security standpoint. And using register_globals did not carry a security risk as long as the programmer did every responsible thing with regard to that input.

$_GET['foo']
$_POST['foo']
$_REQUEST['foo']
$foo

It is all a matter of how you handle foo, the rest is semantics.
Re: [PHP] Looking for a reasonable explanation as to why $_REQUEST exists
Eric Butera wrote:
> On Mon, Jul 7, 2008 at 11:23 AM, Shawn McKenzie [EMAIL PROTECTED] wrote:
>> When you use register_globals it extracts the vars from get, post, cookie and session, or used to. But, I don't think session vars are in $_REQUEST.
>>
>> -Shawn
>
> http://us2.php.net/manual/en/ini.core.php#ini.request-order

So I was 50% correct. That's better than my normal 0%-33%.

-Shawn
Re: [PHP] Looking for a reasonable explanation as to why $_REQUEST exists
On Mon, Jul 7, 2008 at 11:23 AM, Shawn McKenzie [EMAIL PROTECTED] wrote:
> When you use register_globals it extracts the vars from get, post, cookie and session, or used to. But, I don't think session vars are in $_REQUEST.

They can be. Google EGPCS.

--
/Daniel P. Brown
Re: [PHP] Looking for a reasonable explanation as to why $_REQUEST exists
On Mon, Jul 7, 2008 at 11:36 AM, Shawn McKenzie [EMAIL PROTECTED] wrote:
> So I was 50% correct. That's better than my normal 0%-33%.

Haha ;)
Re: [PHP] Looking for a reasonable explanation as to why $_REQUEST exists
They can be what? I was wrong, the S is $_SERVER not $_SESSION.

-Shawn

Daniel Brown wrote:
> On Mon, Jul 7, 2008 at 11:23 AM, Shawn McKenzie [EMAIL PROTECTED] wrote:
>> When you use register_globals it extracts the vars from get, post, cookie and session, or used to. But, I don't think session vars are in $_REQUEST.
>
> They can be. Google EGPCS.
Re: [PHP] Looking for a reasonable explanation as to why $_REQUEST exists
On Mon, Jul 7, 2008 at 11:43 AM, Shawn McKenzie [EMAIL PROTECTED] wrote:
> They can be what? I was wrong, the S is $_SERVER not $_SESSION.

Sorry, Shawn. That message was meant for the OP, but I clipped your message to send a response to you as well. Disregard. The body is here, but the brain is still on the beach in Florida.

--
/Daniel P. Brown
Re: [PHP] Looking for a reasonable explanation as to why $_REQUEST exists
Daniel Brown wrote:
> On Mon, Jul 7, 2008 at 11:43 AM, Shawn McKenzie [EMAIL PROTECTED] wrote:
>> They can be what? I was wrong, the S is $_SERVER not $_SESSION.
>
> Sorry, Shawn. That message was meant for the OP, but I clipped your message to send a response to you as well. Disregard. The body is here, but the brain is still on the beach in Florida.

Cliff, is that you? Cliff Clavin?
[PHP] rfc822_write_address() / CVE-2008-2829 problem
Hello, list.

A few days ago, a security scan said that our machines that were running PHP had potential vulnerability CVE-2008-2829, a buffer overflow in rfc822_write_address(). Discussions about this are relatively easy to find with Google, but check out http://bugs.php.net/bug.php?id=42862 for a reasonable discussion and an (unofficial) patch.

I'm just curious as to what other PHP users are doing about the problem, since Redhat says meh even though the company doing the security scan says OMG PANIC!!1! Let me know what you guys think.

Thanks,

--
The Crow202 Blog: http://crow202.org/wordpress/
There is no Darkness in Eternity/But only Light too dim for us to see
[PHP] Re: rfc822_write_address() / CVE-2008-2829 problem
Matt Graham wrote:
> Hello, list.
>
> A few days ago, a security scan said that our machines that were running PHP had potential vulnerability CVE-2008-2829, a buffer overflow in rfc822_write_address(). Discussions about this are relatively easy to find with Google, but check out http://bugs.php.net/bug.php?id=42862 for a reasonable discussion and an (unofficial) patch.
>
> I'm just curious as to what other PHP users are doing about the problem, since Redhat says meh even though the company doing the security scan says OMG PANIC!!1! Let me know what you guys think.
>
> Thanks,

It doesn't look that dangerous to me, I'd personally rather side with Redhat in their meh than with the security-scan-company's OMG PANIC!!1!.

If you want the patch to appear in the next version of PHP (5.2.3), make some noise about it on the internals list. Ask around why it hasn't been applied until one of the devs gets so annoyed with you spamming him with it that he'll either apply it (thus getting it into the next release) or tell you what's wrong with it so you'll finally leave him alone. A simple solution :)

- Tul

P.S. note: the potential vulnerability only occurs if you actually use the imap functions. If you don't: don't worry, you're still safe.
Re: [PHP] Looking for a reasonable explanation as to why $_REQUEST exists
On Mon, Jul 7, 2008 at 12:33 PM, metastable [EMAIL PROTECTED] wrote:
> Cliff, is that you? Cliff Clavin?

Very astute of you, but I consider myself more of a Norm Peterson. ;-P

--
/Daniel P. Brown
[PHP] Re: rfc822_write_address() / CVE-2008-2829 problem
From: M. Sokolewicz [EMAIL PROTECTED]
> Matt Graham wrote:
>> PHP had potential vulnerability CVE-2008-2829 http://bugs.php.net/bug.php?id=42862 for a reasonable discussion and an (unofficial) patch. I'm just curious as to what other PHP users are doing about the problem, since Redhat says meh even though the company doing the security scan says OMG PANIC!!1!
>
> It doesn't look that dangerous to me, I'd personally rather side with Redhat in their meh than with the security-scan-company's OMG PANIC!!1!.

This is what I thought. However, they would rather believe the security scan company for some reason.

> If you want the patch to appear in the next version of PHP (5.2.3), make some noise about it on the internals list.

? I thought they were up to 5.2.6

> it hasn't been applied until one of the devs gets so annoyed with you spamming him with it that he'll either apply it (thus getting it into the next release) or tell you what's wrong with it so you'll finally leave him alone. A simple solution :)

Yep. I prefer to avoid annoying and spamming developers, though :-]

> P.S. note: the potential vulnerability only occurs if you actually use the imap functions. If you don't: don't worry, you're still safe.

Aye. However, I mangled the source and compiled a version of PHP 5.2.6 such that the IMAP stuff wasn't even compiled, then installed that mangled version on a test box. The security scan company then scanned that test box, and said, Problem CVE-2008-2829 still exists. I do wonder what they're doing when they're scanning

--
The Crow202 Blog: http://crow202.org/wordpress/
There is no Darkness in Eternity/But only Light too dim for us to see
Re: [PHP] Keeping POST values when paging
At 2:51 PM +0100 7/7/08, Mayer, Jonathan wrote:
> Hiya all,
>
> I have coded a PHP site on an intranet which forms a MySQL query based on multiple inputs on a large form. The form results are POSTed back to itself, and query is formed, and the results are returned from the database and echoed.
>
> I am looking to set up a basic paging system (back/next, jump to page 3, etc) in order to limit results for efficiency.

Jon:

Here's my version of paging:

http://webbytedd.com/bbb/paging/

And here's some different styles:

http://webbytedd.com/ccc/pagination/

Here's an example of paging using ajax -- however, it's not as simple as the others:

http://www.webbytedd.com/b1/photo-retouch/

Cheers,

tedd

--
http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] Re: [PHP-DOC] Network Interface Card Name
No, there isn't. It's system-related info and doesn't affect how PHP works. And, IMHO, it's good that PHP is not aware of this stuff.

Use exec(), `, or system() to run these commands.

Regards,
Thiago

On Mon, Jul 7, 2008 at 2:51 PM, Kapil Kapil [EMAIL PROTECTED] wrote:
> This is a way, I know, but is there any function in php specific to this?
>
> Thanks
> Kapil
>
> On Mon, Jul 7, 2008 at 10:16 PM, Thiago H. Pojda [EMAIL PROTECTED] wrote:
>> Forwarding if you're not on this list.
>>
>> ---------- Forwarded message ----------
>> From: Shawn McKenzie [EMAIL PROTECTED]
>> Date: Mon, Jul 7, 2008 at 12:30 PM
>> Subject: Re: [PHP] Re: [PHP-DOC] Network Interface Card Name
>> To: php-general@lists.php.net
>>
>> Per Jessen wrote:
>> Thiago H. Pojda wrote:
>> On Mon, Jul 7, 2008 at 8:19 AM, Kapil Kapil [EMAIL PROTECTED] wrote:
>> Hi! I want to get the name of network interface card, like - VIA Rhine I Fast Ethernet Adapter. Is there any function in php for this or perhaps a way to find it out?
>>
>> Not really a PHP question, but the answer is 'lspci'. Here's some sample output:
>>
>> 00:0c.0 Ethernet controller: Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE] (rev 26)
>> 04:0a.0 Ethernet controller: Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE] (rev 26)
>>
>> /Per Jessen, Zürich
>>
>> Windows you can use:
>>
>> ipconfig /all
>>
>> Ethernet adapter Local Area Connection:
>>    Connection-specific DNS Suffix  . : localdomain
>>    Description . . . . . . . . . . . : Intel(R) PRO/1000 PL Network Connection
>>
>> -Shawn
>>
>> --
>> Thiago Henrique Pojda

--
Thiago Henrique Pojda
[PHP] PHP's mail(): proper way to send a 'From' header
Greetings folks. I seem to be having a problem with PHP's mail() function and sending 'From' headers properly. Here's my setup: I have a site I set up for a client that has a form their clients can fill out to submit some data. When the form is submitted, I have PHP gather the data and create the body of an email which is then sent to both the owners of the site and back to the person who submitted the data. Because the server hosts multiple sites, I am sending an additional 'From' header so the email doesn't appear to come from the hostname of the server itself ([EMAIL PROTECTED]). Because I did not have a DNS entry for my hostname, the 'domain does not exist' error I'm seeing in the bounce emails is correct. I do not wish to keep a DNS entry for it (I have added one as a temporary fix), as that doesn't fix the 'From' header issue to begin with, so I would appreciate it if you did not make that suggestion. As per PHP's documentation of the mail() function, I am sending the header like so: From: [EMAIL PROTECTED] I am getting bounce emails from certain ISPs (AOL, Roadrunner, some local ISPs) saying the sender's domain does not exist. It seems that either mails are coming from my hostname ([EMAIL PROTECTED]), or those ISPs are reading the additional headers incorrectly. Unfortunately, this is not acceptable. People aren't getting their emails, and the hammer is coming down on me. As far as I know (based on the lack of bounce emails), this worked fine on PHP4, but with our new webserver (running PHP5), I'm experiencing problems. Far as I can tell, the mail() function has not changed between versions. I'm stumped here and need to get this fixed asap. I've tried 'From' and 'FROM', tried a 'Name Here [EMAIL PROTECTED]' format, and tried terminating with double newlines with and without the carriage return. Nothing seems to work. I've even gone so far as to edit php.ini with a default from address, but that doesn't appear to have fixed anything either. Please help. 
Thanks in advance, Jay
[PHP] PHP's mail(): proper way to send a 'From' header
**Apologies if this posts twice. I got some crazy response from the server after sending this the first time.**

I have a site I set up for a client that has a form their clients can fill out to submit some data. When the form is submitted, I have PHP gather the data and create the body of an email which is then sent to both the owners of the site and back to the person who submitted the data.

Because the server hosts multiple sites, I am sending an additional 'From' header so the email doesn't appear to come from the hostname of the server itself ([EMAIL PROTECTED]).

As per PHP's documentation of the mail() function, I am sending the header like so:

From: [EMAIL PROTECTED]

I am getting bounce emails from certain ISPs (AOL, Roadrunner, some local ISPs) saying the sender's domain does not exist. It seems that either mails are coming from my hostname ([EMAIL PROTECTED]), or those ISPs are reading the additional headers incorrectly.

Unfortunately, this is not acceptable. People aren't getting their emails, and the hammer is coming down on me.

Because I did not have a DNS entry for my hostname, the 'domain does not exist' error I'm seeing in the bounce emails is correct. I do not wish to keep a DNS entry for it (I have added one as a temporary fix), as that doesn't fix the 'From' header issue to begin with, so I would appreciate it if you did not make that suggestion.

As far as I know (based on the lack of bounce emails), this worked fine on PHP4, but with our new webserver (running PHP5), I'm experiencing problems. Far as I can tell, the mail() function has not changed between versions.

I'm stumped here and need to get this fixed asap. I've tried 'From' and 'FROM', tried a 'Name Here [EMAIL PROTECTED]' format, and tried terminating with double newlines with and without the carriage return. Nothing seems to work. I've even gone so far as to edit php.ini with a default from address, but that doesn't appear to have fixed anything either.

Please help.

Thanks in advance,
Jay

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP's mail(): proper way to send a 'From' header
You missed the period in your header to join the name and the line break??

'From: [EMAIL PROTECTED]' . "\r\n"

On 7/7/08, Jay Moore [EMAIL PROTECTED] wrote:
> Greetings folks. I seem to be having a problem with PHP's mail() function and sending 'From' headers properly. Here's my setup:
>
> I have a site I set up for a client that has a form their clients can fill out to submit some data. When the form is submitted, I have PHP gather the data and create the body of an email which is then sent to both the owners of the site and back to the person who submitted the data.
>
> Because the server hosts multiple sites, I am sending an additional 'From' header so the email doesn't appear to come from the hostname of the server itself ([EMAIL PROTECTED]).
>
> Because I did not have a DNS entry for my hostname, the 'domain does not exist' error I'm seeing in the bounce emails is correct. I do not wish to keep a DNS entry for it (I have added one as a temporary fix), as that doesn't fix the 'From' header issue to begin with, so I would appreciate it if you did not make that suggestion.
>
> As per PHP's documentation of the mail() function, I am sending the header like so:
>
> From: [EMAIL PROTECTED]
>
> I am getting bounce emails from certain ISPs (AOL, Roadrunner, some local ISPs) saying the sender's domain does not exist. It seems that either mails are coming from my hostname ([EMAIL PROTECTED]), or those ISPs are reading the additional headers incorrectly.
>
> Unfortunately, this is not acceptable. People aren't getting their emails, and the hammer is coming down on me.
>
> As far as I know (based on the lack of bounce emails), this worked fine on PHP4, but with our new webserver (running PHP5), I'm experiencing problems. Far as I can tell, the mail() function has not changed between versions.
>
> I'm stumped here and need to get this fixed asap. I've tried 'From' and 'FROM', tried a 'Name Here [EMAIL PROTECTED]' format, and tried terminating with double newlines with and without the carriage return. Nothing seems to work. I've even gone so far as to edit php.ini with a default from address, but that doesn't appear to have fixed anything either.
>
> Please help.
>
> Thanks in advance,
> Jay
Re: [PHP] PHP's mail(): proper way to send a 'From' header
On Mon, Jul 7, 2008 at 2:06 PM, Dan Shirah [EMAIL PROTECTED] wrote:
> You missed the period in your header to join the name and the line break??

That's not required, since the OP is using double quotes (translation will occur).

--
/Daniel P. Brown
Re: [PHP] PHP's mail(): proper way to send a 'From' header
On Mon, Jul 7, 2008 at 2:06 PM, Dan Shirah [EMAIL PROTECTED] wrote:
> You missed the period in your header to join the name and the line break??
>
> 'From: [EMAIL PROTECTED]' . "\r\n"
>
> On 7/7/08, Jay Moore [EMAIL PROTECTED] wrote:
> > Greetings folks. I seem to be having a problem with PHP's mail() function and sending 'From' headers properly. Here's my setup:
> >
> > I have a site I set up for a client that has a form their clients can fill out to submit some data. When the form is submitted, I have PHP gather the data and create the body of an email which is then sent to both the owners of the site and back to the person who submitted the data.
> >
> > Because the server hosts multiple sites, I am sending an additional 'From' header so the email doesn't appear to come from the hostname of the server itself ([EMAIL PROTECTED]).
> >
> > Because I did not have a DNS entry for my hostname, the 'domain does not exist' error I'm seeing in the bounce emails is correct. I do not wish to keep a DNS entry for it (I have added one as a temporary fix), as that doesn't fix the 'From' header issue to begin with, so I would appreciate it if you did not make that suggestion.
> >
> > As per PHP's documentation of the mail() function, I am sending the header like so:
> >
> > From: [EMAIL PROTECTED]
> >
> > I am getting bounce emails from certain ISPs (AOL, Roadrunner, some local ISPs) saying the sender's domain does not exist. It seems that either mails are coming from my hostname ([EMAIL PROTECTED]), or those ISPs are reading the additional headers incorrectly.
> >
> > Unfortunately, this is not acceptable. People aren't getting their emails, and the hammer is coming down on me.
> >
> > As far as I know (based on the lack of bounce emails), this worked fine on PHP4, but with our new webserver (running PHP5), I'm experiencing problems. Far as I can tell, the mail() function has not changed between versions.
> >
> > I'm stumped here and need to get this fixed asap. I've tried 'From' and 'FROM', tried a 'Name Here [EMAIL PROTECTED]' format, and tried terminating with double newlines with and without the carriage return. Nothing seems to work. I've even gone so far as to edit php.ini with a default from address, but that doesn't appear to have fixed anything either.
> >
> > Please help.
> >
> > Thanks in advance,
> > Jay

Dan,

His example would have worked since it was the entire thing surrounded in quotes.

Jay,

Perhaps you can use the additional parameters to -f a return path along with your header. Whatever your current script's domain is can be set as the [EMAIL PROTECTED] as long as you control the domain (see SPF rules). Maybe this will fix your issues?
Re: [PHP] PHP's mail(): proper way to send a 'From' header
On Mon, Jul 7, 2008 at 1:50 PM, Jay Moore [EMAIL PROTECTED] wrote:
> Greetings folks. I seem to be having a problem with PHP's mail() function and sending 'From' headers properly. Here's my setup:
[snip!]
> I am getting bounce emails from certain ISPs (AOL, Roadrunner, some local ISPs) saying the sender's domain does not exist. It seems that either mails are coming from my hostname ([EMAIL PROTECTED]), or those ISPs are reading the additional headers incorrectly.
>
> Unfortunately, this is not acceptable. People aren't getting their emails, and the hammer is coming down on me.

Jay, try something like this:

<?php
$to = "[EMAIL PROTECTED]";
$from = "[EMAIL PROTECTED]";
$subject = "This is a test!";
$body = "\tThis is a test email.\n";
$body .= "That is all.";
$headers = "From: ".$from."\r\n";
$headers .= "Reply-To: ".$from."\r\n";
$headers .= "X-Mailer: ".basename(__FILE__)."-PHP/".phpversion()."\r\n";
$headers .= "Return-Path: ".$from."\r\n";
// Fifth parameter: -f sets the envelope sender
mail($to,$subject,$body,$headers,'-f'.$from);
?>

Note the fifth parameter passed to mail(): http://php.net/mail

--
/Daniel P. Brown
Re: [PHP] PHP's mail(): proper way to send a 'From' header
On Mon, Jul 7, 2008 at 2:13 PM, Daniel Brown [EMAIL PROTECTED] wrote:
> On Mon, Jul 7, 2008 at 1:50 PM, Jay Moore [EMAIL PROTECTED] wrote:
> > Greetings folks. I seem to be having a problem with PHP's mail() function and sending 'From' headers properly. Here's my setup:
> [snip!]
> > I am getting bounce emails from certain ISPs (AOL, Roadrunner, some local ISPs) saying the sender's domain does not exist. It seems that either mails are coming from my hostname ([EMAIL PROTECTED]), or those ISPs are reading the additional headers incorrectly.
> >
> > Unfortunately, this is not acceptable. People aren't getting their emails, and the hammer is coming down on me.
>
> Jay, try something like this:
>
> <?php
> $to = "[EMAIL PROTECTED]";
> $from = "[EMAIL PROTECTED]";
> $subject = "This is a test!";
> $body = "\tThis is a test email.\n";
> $body .= "That is all.";
> $headers = "From: ".$from."\r\n";
> $headers .= "Reply-To: ".$from."\r\n";
> $headers .= "X-Mailer: ".basename(__FILE__)."-PHP/".phpversion()."\r\n";
> $headers .= "Return-Path: ".$from."\r\n";
> // Fifth parameter: -f sets the envelope sender
> mail($to,$subject,$body,$headers,'-f'.$from);
> ?>
>
> Note the fifth parameter passed to mail(): http://php.net/mail
>
> --
> /Daniel P. Brown

Yep! Just a note on this though. You have to control the domain you're forcing the return-path on or else it will get rejected by a lot of servers because of SPF rules. It has bit my company in the behind quite a bit recently. :)
Re: [PHP] PHP's mail(): proper way to send a 'From' header
On Mon, Jul 7, 2008 at 2:17 PM, Eric Butera [EMAIL PROTECTED] wrote:
> Yep! Just a note on this though. You have to control the domain you're forcing the return-path on or else it will get rejected by a lot of servers because of SPF rules. It has bit my company in the behind quite a bit recently. :)

Thanks for adding that, Eric. I had forgotten to mention it. :-)

And I've run into the same problems, especially in the last year or so. It was because of an inter-domain contact form, similar to email, that allowed users to mail each other online without giving out an actual email address. The forced FROM caused a lot of problems, which could only be fixed by making permanent changes to the DNS --- which the OP doesn't want to do in this case.

--
/Daniel P. Brown
Re: [PHP] PHP's mail(): proper way to send a 'From' header
On 7 Jul 2008, at 18:50, Jay Moore wrote:
> Greetings folks. I seem to be having a problem with PHP's mail() function and sending 'From' headers properly. Here's my setup:
>
> I have a site I set up for a client that has a form their clients can fill out to submit some data. When the form is submitted, I have PHP gather the data and create the body of an email which is then sent to both the owners of the site and back to the person who submitted the data.
>
> Because the server hosts multiple sites, I am sending an additional 'From' header so the email doesn't appear to come from the hostname of the server itself ([EMAIL PROTECTED]).
>
> Because I did not have a DNS entry for my hostname, the 'domain does not exist' error I'm seeing in the bounce emails is correct. I do not wish to keep a DNS entry for it (I have added one as a temporary fix), as that doesn't fix the 'From' header issue to begin with, so I would appreciate it if you did not make that suggestion.
>
> As per PHP's documentation of the mail() function, I am sending the header like so:
>
> From: [EMAIL PROTECTED]
>
> I am getting bounce emails from certain ISPs (AOL, Roadrunner, some local ISPs) saying the sender's domain does not exist. It seems that either mails are coming from my hostname ([EMAIL PROTECTED]), or those ISPs are reading the additional headers incorrectly.
>
> Unfortunately, this is not acceptable. People aren't getting their emails, and the hammer is coming down on me.
>
> As far as I know (based on the lack of bounce emails), this worked fine on PHP4, but with our new webserver (running PHP5), I'm experiencing problems. Far as I can tell, the mail() function has not changed between versions.
>
> I'm stumped here and need to get this fixed asap. I've tried 'From' and 'FROM', tried a 'Name Here [EMAIL PROTECTED]' format, and tried terminating with double newlines with and without the carriage return. Nothing seems to work. I've even gone so far as to edit php.ini with a default from address, but that doesn't appear to have fixed anything either.

The ISPs are likely looking at the envelope sender rather than the sender specified in the headers. If you're on a box using sendmail (which I think you are based on what you've said) you can set this using the 5th parameter to mail set to -f followed by the email address you want to use. i.e. '[EMAIL PROTECTED]'

I believe this is covered on the manual page for the mail function.

-Stut

--
http://stut.net/
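The advice in this thread (set the envelope sender with the fifth mail() parameter, and only to a domain you control because of SPF) can be put together as below. This is an added example, not code from any poster in the thread; the site key, the .example addresses and the function names are hypothetical, and it assumes PHP 7.1 or later with a sendmail-compatible MTA.

```php
<?php
// Added example, not code from the thread. The site key, the addresses on
// .example domains and all function names are hypothetical.

// One fixed sender per hosted site, on a domain whose DNS (and SPF record)
// the operator controls. Submitted form data never chooses this value.
const SITE_SENDERS = [
    'client-site' => 'forms@client-site.example',
];

// Return the address if it is syntactically valid and has no CR/LF, else null.
// Anything placed in a header must not be able to start a new header line.
function clean_address(string $addr): ?string
{
    $addr = trim($addr);
    if (preg_match('/[\r\n]/', $addr) === 1) {
        return null;
    }
    $valid = filter_var($addr, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Build one set of mail() arguments per recipient (site owner and submitter).
function build_form_mails(string $site, string $owner, string $submitter,
                          string $subject, string $body): array
{
    if (!array_key_exists($site, SITE_SENDERS)) {
        throw new InvalidArgumentException('unknown site');
    }
    $from = SITE_SENDERS[$site];

    $recipients = [];
    foreach ([$owner, $submitter] as $addr) {
        $clean = clean_address($addr);
        if ($clean === null) {
            throw new InvalidArgumentException('invalid recipient address');
        }
        $recipients[] = $clean;
    }

    // Header From and envelope sender (-f) agree, so a receiving server that
    // checks the envelope domain sees the site's domain, not the server hostname.
    $headers = implode("\r\n", [
        'From: ' . $from,
        'Reply-To: ' . $recipients[0],
    ]);
    $subject = trim(preg_replace('/[\r\n]+/', ' ', $subject));

    $mails = [];
    foreach ($recipients as $to) {
        $mails[] = [$to, $subject, $body, $headers, '-f' . $from];
    }
    return $mails;
}

// Hand each prepared argument list to mail(); true only if every call succeeded.
function send_form_mails(array $mails): bool
{
    $ok = true;
    foreach ($mails as $args) {
        $ok = mail(...$args) && $ok;
    }
    return $ok;
}

// Constructed sample input; prints recipient and envelope option instead of sending.
$mails = build_form_mails('client-site', 'owner@client-site.example',
    'visitor@isp.example', "Form submission\r\n", "Name: Test\nComment: Hello\n");
foreach ($mails as $args) {
    echo $args[0], ' | ', $args[4], "\n";
}
```

Because the envelope sender comes from a fixed per-site table, the value passed with -f is never built from form input, and the SPF record only has to cover domains the operator already manages.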
[PHP] Re: rfc822_write_address() / CVE-2008-2829 problem
Matt Graham wrote:
> From: "M. Sokolewicz" [EMAIL PROTECTED]
> > Matt Graham wrote:
> > > PHP had potential vulnerability CVE-2008-2829 http://bugs.php.net/bug.php?id=42862 for a reasonable discussion and an (unofficial) patch. I'm just curious as to what other PHP users are doing about the problem, since Redhat says "meh" even though the company doing the security scan says "OMG PANIC!!1!"
> >
> > it doesn't look that dangerous to me, I'd personally rather side with Redhat in their "meh" than with the security-scan-company's "OMG PANIC!!1!".
>
> This is what I thought. However, they would rather believe the security scan company for some reason.
>
> > If you want the patch to appear in the next version of PHP (5.2.3), make some noise about it on the internals list.
>
> ? I thought they were up to 5.2.6
>
> > it hasn't been applied until one of the devs gets so annoyed with you spamming him with it that he'll either apply it (thus getting it into the next release) or tell you what's wrong with it so you'll finally leave him alone. A simple solution :)
>
> Yep. I prefer to avoid annoying and spamming developers, though :-]
>
> > P.S. note: the potential vulnerability only occurs if you actually use the imap functions. If you don't: don't worry, you're still safe.
>
> Aye. However, I mangled the source and compiled a version of PHP 5.2.6 such that the IMAP stuff wasn't even compiled, then installed that mangled version on a test box. The security scan company then scanned that test box, and said, "Problem CVE-2008-2829 still exists." I do wonder what they're doing when they're scanning

Their scan is most likely basing it on the PHP version number only. There is no other way for them to be doing it unless they have access to the server and are able to run test code to exploit this.

In php.ini, try:

expose_php = Off

See if that helps.

-Shawn
Re: [PHP] Looking for a reasonable explanation as to why $_REQUEST exists
On 7/7/08, Eric Butera [EMAIL PROTECTED] wrote:
> Laziness/convenience. I always get my data from the exact source I want. If someone chooses to use REQUEST it shouldn't break their application. You say it is a security risk, but not really. As long as everything is filtered/escaped properly it should be fine because you force the data to play by your rules.

I'm not talking about escaping/filtering. I'm talking about variable overriding.

In the past, it was $_GET['foo'] $foo register_globals fixed that.

however, if your app is relying on $_SESSION['username'] or $_COOKIE['username'] or something like that, depending on the variables order, it can be overridden.

I don't see why if you -know- you need $_COOKIE['username'] someone would be lazy and use $_REQUEST['username']

It winds up allowing the end user to override information themselves (again, depending on the variables order) which depending on that and how poor the code is (which to me if you're relying on $_REQUEST you've probably got some bugs and exploitable holes in there) creates a security risk.

and session vars are in $_REQUEST, I tried it to sanity check myself before posting this :)
Re: [PHP] Looking for a reasonable explanation as to why $_REQUEST exists
mike wrote:
> On 7/7/08, Eric Butera [EMAIL PROTECTED] wrote:
> > Laziness/convenience. I always get my data from the exact source I want. If someone chooses to use REQUEST it shouldn't break their application. You say it is a security risk, but not really. As long as everything is filtered/escaped properly it should be fine because you force the data to play by your rules.
>
> I'm not talking about escaping/filtering. I'm talking about variable overriding.
>
> In the past, it was $_GET['foo'] $foo register_globals fixed that.
>
> however, if your app is relying on $_SESSION['username'] or $_COOKIE['username'] or something like that, depending on the variables order, it can be overridden.
>
> I don't see why if you -know- you need $_COOKIE['username'] someone would be lazy and use $_REQUEST['username']
>
> It winds up allowing the end user to override information themselves (again, depending on the variables order) which depending on that and how poor the code is (which to me if you're relying on $_REQUEST you've probably got some bugs and exploitable holes in there) creates a security risk.
>
> and session vars are in $_REQUEST, I tried it to sanity check myself before posting this :)

Well, either your sanity or your PHP is broken. Session vars are not in $_REQUEST. The session ID may be because it might be in a cookie var which is in $_REQUEST.

-Shawn
Re: [PHP] Looking for a reasonable explanation as to why $_REQUEST exists
On Mon, Jul 7, 2008 at 2:47 PM, mike [EMAIL PROTECTED] wrote:
> I don't see why if you -know- you need $_COOKIE['username'] someone would be lazy and use $_REQUEST['username']

That's the point --- it's intended as a fallback where you *don't* know the method that will be used, or if you want to be lackadaisical with your code (which, as we all know, is HIGHLY unrecommended).

So if you are an application service provider (ASP) who, perhaps, runs a simple word shuffling script, with no database, email, or other externally-processed services, you may have a script like so:

<?php
$word = $_REQUEST['word'];
echo str_shuffle($word)."<br />\n";
?>

Because, in this case, it really doesn't matter if $word is obtained via GET or POST, so you can allow external users to use your service via an HTTP POST form or a plain URL.

Conversely, it can also be used as a login mechanism or other secure system, if you know what you're doing with regard to EGPCS (which I mentioned to the wrong poster before! :-\) and proper secure coding techniques. It will go through a matter of precedence, which can be useful in some (rare) circumstances.

--
/Daniel P. Brown
Re: [PHP] Looking for a reasonable explanation as to why $_REQUEST exists
On Mon, Jul 7, 2008 at 2:55 PM, Shawn McKenzie [EMAIL PROTECTED] wrote:
> mike wrote:
> > On 7/7/08, Eric Butera [EMAIL PROTECTED] wrote:
> > > Laziness/convenience. I always get my data from the exact source I want. If someone chooses to use REQUEST it shouldn't break their application. You say it is a security risk, but not really. As long as everything is filtered/escaped properly it should be fine because you force the data to play by your rules.
> >
> > I'm not talking about escaping/filtering. I'm talking about variable overriding.
> >
> > In the past, it was $_GET['foo'] $foo register_globals fixed that.
> >
> > however, if your app is relying on $_SESSION['username'] or $_COOKIE['username'] or something like that, depending on the variables order, it can be overridden.
> >
> > I don't see why if you -know- you need $_COOKIE['username'] someone would be lazy and use $_REQUEST['username']
> >
> > It winds up allowing the end user to override information themselves (again, depending on the variables order) which depending on that and how poor the code is (which to me if you're relying on $_REQUEST you've probably got some bugs and exploitable holes in there) creates a security risk.
> >
> > and session vars are in $_REQUEST, I tried it to sanity check myself before posting this :)
>
> Well, either your sanity or your PHP is broken. Session vars are not in $_REQUEST. The session ID may be because it might be in a cookie var which is in $_REQUEST.
>
> -Shawn

Where I see this used a lot is in searching/pagination type scenarios...for the submission, the form is POSTED and then on subsequent pages, the data is stored in the url and posted back to the same script. Using $_REQUEST means that you won't really care about whether the data is POST or GET.

--
Bastien

Cat, the other other white meat
Re: [PHP] Looking for a reasonable explanation as to why $_REQUEST exists
On 7/7/08, Daniel Brown [EMAIL PROTECTED] wrote:
> That's the point --- it's intended as a fallback where you *don't* know the method that will be used, or if you want to be lackadaisical with your code (which, as we all know, is HIGHLY unrecommended).

Then you should code for that, not fallback to a lazy overrideable option.

if(isset($_GET['foo'])) { $foo = $_GET['foo']; } etc ...

or $foo = array_merge($_GET['foo'], $_POST['foo']) or something like that.

> Because, in this case, it really doesn't matter if $word is obtained via GET or POST, so you can allow external users to use your service via an HTTP POST form or a plain URL.

Then code for it :P

I understand the idea, I don't see the need to create a dedicated construct in PHP for it. Part of PHP's power to me was finally getting away from the lazy ASP (VB-based) Request.Value('foo') or whatever it was and not able to identify if it was post, get, etc and making the coder define exactly what source of data he's getting it from.
Re: [PHP] Looking for a reasonable explanation as to why $_REQUEST exists
On Mon, Jul 7, 2008 at 3:08 PM, mike [EMAIL PROTECTED] wrote:
> Then code for it :P
>
> I understand the idea, I don't see the need to create a dedicated construct in PHP for it. Part of PHP's power to me was finally getting away from the lazy ASP (VB-based) Request.Value('foo') or whatever it was and not able to identify if it was post, get, etc and making the coder define exactly what source of data he's getting it from.

What you're saying makes sense, Mike, and is the preferred method of doing things; however, that doesn't invalidate the reason $_REQUEST exists. Your initial email asked why it was there, not why some people consider themselves programmers and rely on cheats and hacks like that. ;-P

--
/Daniel P. Brown
Re: [PHP] Looking for a reasonable explanation as to why $_REQUEST exists
mike wrote:
> On 7/7/08, Eric Butera [EMAIL PROTECTED] wrote:
> > Laziness/convenience. I always get my data from the exact source I want. If someone chooses to use REQUEST it shouldn't break their application. You say it is a security risk, but not really. As long as everything is filtered/escaped properly it should be fine because you force the data to play by your rules.
>
> I'm not talking about escaping/filtering. I'm talking about variable overriding.
>
> In the past, it was $_GET['foo'] $foo register_globals fixed that.
>
> however, if your app is relying on $_SESSION['username'] or $_COOKIE['username'] or something like that, depending on the variables order, it can be overridden.
>
> I don't see why if you -know- you need $_COOKIE['username'] someone would be lazy and use $_REQUEST['username']
>
> It winds up allowing the end user to override information themselves (again, depending on the variables order) which depending on that and how poor the code is (which to me if you're relying on $_REQUEST you've probably got some bugs and exploitable holes in there) creates a security risk.
>
> and session vars are in $_REQUEST, I tried it to sanity check myself before posting this :)

I do agree with your distrust of $_REQUEST though. I doubt that it will be removed as many applications probably use it. It comes down to secure coding. It is required to know where from you are getting data (post or get), because it's not valid to perform an action (other than retrieval) based upon a get request, hence the name GET. You should only perform actions (insert, update, delete, whatever) with POST (or PUT, DELETE if available).

-Shawn
Re: [PHP] Looking for a reasonable explanation as to why $_REQUEST exists
On Mon, Jul 7, 2008 at 2:47 PM, mike [EMAIL PROTECTED] wrote:
> On 7/7/08, Eric Butera [EMAIL PROTECTED] wrote:
> > Laziness/convenience. I always get my data from the exact source I want. If someone chooses to use REQUEST it shouldn't break their application. You say it is a security risk, but not really. As long as everything is filtered/escaped properly it should be fine because you force the data to play by your rules.
>
> I'm not talking about escaping/filtering. I'm talking about variable overriding.
>
> In the past, it was $_GET['foo'] $foo register_globals fixed that.
>
> however, if your app is relying on $_SESSION['username'] or $_COOKIE['username'] or something like that, depending on the variables order, it can be overridden.
>
> I don't see why if you -know- you need $_COOKIE['username'] someone would be lazy and use $_REQUEST['username']
>
> It winds up allowing the end user to override information themselves (again, depending on the variables order) which depending on that and how poor the code is (which to me if you're relying on $_REQUEST you've probably got some bugs and exploitable holes in there) creates a security risk.
>
> and session vars are in $_REQUEST, I tried it to sanity check myself before posting this :)

Usually from what I've seen $_REQUEST is a lazy way to get an id from either a post or a get. Say you show a form and the url is page.php?id=x and then you post said page it might include a hidden form field called id so using request you don't have to worry about how to load your record back based on get or post. I'm not saying it is right, but that is how a lot of people use it.

If your app is written correctly it doesn't matter what is thrown at it, it should always work. Even if a variable gets overridden it should still be forced to play with the rules of the app and work like a valid request does.

I think that having a set of if statements that say something like the following is silly.

if (isset($_POST['id'])) {
} else if (isset($_GET['id'])) {
}

The id should always be a get parameter since it is part of the request to build the state, not the state itself. So on my stuff if I need an id lookup, that is always going to be a GET. My post action will be save?id=x.
[PHP] Question before I end up writing alot of extra code...
Hi everyone!

So it's been a nice long weekend, I come in to work and try and mess with a project that I'm working on to get some new features added. All was going well until I realized that now my application is breaking...

Here's the details...

PHP 5.2
MySQL 5.2

I store the info in the database which is submitted from a HTML form.. Some of it text boxes, some check boxes, some radio buttons... I $_POST the info from the form into the processing script.

The problem I'm running into though, is when a value has not changed it doesn't get $_POSTed back and my update script erases the info in the database... I'm trying to avoid using $_GET since it can be quite a few variables.

Is there any way I can do it without comparing the original field to what I am displaying?

--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
11287 James St
Holland, MI 49424
www.raoset.com
[EMAIL PROTECTED]
[PHP] Re: rfc822_write_address() / CVE-2008-2829 problem
Matt Graham wrote:
> From: "M. Sokolewicz" [EMAIL PROTECTED]
> > Matt Graham wrote:
> > > PHP had potential vulnerability CVE-2008-2829 http://bugs.php.net/bug.php?id=42862 for a reasonable discussion and an (unofficial) patch. I'm just curious as to what other PHP users are doing about the problem, since Redhat says "meh" even though the company doing the security scan says "OMG PANIC!!1!"
> >
> > it doesn't look that dangerous to me, I'd personally rather side with Redhat in their "meh" than with the security-scan-company's "OMG PANIC!!1!".
>
> This is what I thought. However, they would rather believe the security scan company for some reason.
>
> > If you want the patch to appear in the next version of PHP (5.2.3), make some noise about it on the internals list.
>
> ? I thought they were up to 5.2.6

ugh, sorry, meant 5.3, I type too fast for myself to read what I just typed ;)

> > it hasn't been applied until one of the devs gets so annoyed with you spamming him with it that he'll either apply it (thus getting it into the next release) or tell you what's wrong with it so you'll finally leave him alone. A simple solution :)
>
> Yep. I prefer to avoid annoying and spamming developers, though :-]
>
> > P.S. note: the potential vulnerability only occurs if you actually use the imap functions. If you don't: don't worry, you're still safe.
>
> Aye. However, I mangled the source and compiled a version of PHP 5.2.6 such that the IMAP stuff wasn't even compiled, then installed that mangled version on a test box. The security scan company then scanned that test box, and said, "Problem CVE-2008-2829 still exists." I do wonder what they're doing when they're scanning

As Shawn said, it's probably purely based on the PHP version, nothing more.

- Tul
Re: [PHP] Looking for a reasonable explanation as to why $_REQUEST exists
On 7/7/08, Eric Butera [EMAIL PROTECTED] wrote:
> If your app is written correctly it doesn't matter what is thrown at it, it should always work. Even if a variable gets overridden it should still be forced to play with the rules of the app and work like a valid request does.

That is not an excuse to trust GET and POST for the same variable.

1) Filter your input
2) Sanity check your input/fill in your own default value if one is required

> I think that having a set of if statements that say something like the following is silly.
>
> if (isset($_POST['id'])) {
> } else if (isset($_GET['id'])) {
> }

Oh it definitely is silly. I'm saying that's a workaround if people -had- to mix their POST/GET data. I've never had to do it and I've coded a variety of apps, including plenty of various pagination methods, multi-page forms, etc, etc.

For example:

# 1 - filter it, and typecast it to int
$page = intval(filter_input(INPUT_GET, 'page', FILTER_SANITIZE_NUMBER_INT));

# 2 - sanity check. a page number cannot be negative and it cannot be greater than the number of pages (which can be determined by a db query, or hardcoded somewhere else)
if($page < 0 || $page > $maxpages) {
    $page = 1;
}

In the end $page should be trusted as it won't have any foreign data - it has been intval()'ed and there is a default value put in - $page = 1, and there is a bounds check to ensure it's valid info.

For a better user experience, instead of setting $page = 1, I would probably use a header("Location: foo.php?page=1"); exit(); so the user's URL in the address bar properly matches up with the page. But you get the idea.
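The precedence question argued in this thread can be seen side by side with explicit-source reads in the sketch below. It is an added example, not code from any poster; it simulates the merge that fills $_REQUEST so it can run from the command line, and the function names and sample values are constructed. It assumes PHP 7 or later.

```php
<?php
// Added example, not code from the thread. All values are constructed.

// Merge sources the way PHP fills $_REQUEST: walk the order string
// (request_order since PHP 5.3, otherwise variables_order) left to right,
// each later source overwriting keys set by earlier ones. Only G, P and C
// contribute; E and S in variables_order do not end up in $_REQUEST.
function simulate_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Explicit source plus a bounds check with a default, in the spirit of the
// page-number check in the last message: read from GET only, fall back to 1.
function page_from_query(array $get, int $maxPages): int
{
    $page = filter_var($get['page'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => $maxPages]]);
    return $page === false ? 1 : $page;
}

// State-changing actions only on POST, and the id is read from POST only.
function id_to_delete(string $method, array $post): ?int
{
    if ($method !== 'POST') {
        return null;
    }
    $id = filter_var($post['id'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed request: the same key arrives in the query string and a cookie.
$get    = ['username' => 'from-query', 'page' => '7', 'id' => '3'];
$post   = [];
$cookie = ['username' => 'from-cookie'];

// The value code sees through the merged array depends on server configuration.
foreach (['GPC', 'CGP', 'GP'] as $order) {
    $request = simulate_request($order, $get, $post, $cookie);
    printf("%-3s merged username = %s\n", $order, $request['username']);
}

// Reading the named source gives the same answer under every configuration.
echo "cookie read directly = ", $cookie['username'], "\n";
echo "page (max 5) = ", page_from_query($get, 5), "\n";
echo "delete via GET = ", var_export(id_to_delete('GET', $get), true), "\n";
```

With order GPC the cookie value wins, with CGP the query string wins, and with GP the cookie is not merged at all, which is why code that means the cookie should read the cookie.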
Re: [PHP] Question before I end up writing alot of extra code...
Jason Pruim wrote: The problem I'm running into though, is when a value has not changed it doesn't get $_POSTed back Are you certain about that? I'm pretty certain _all_ values are posted back, regardless of whether they've changed or not. Otherwise, how would you ever get a hidden value POSTed ? /Per Jessen, Zürich -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: Question before I end up writing alot of extra code...
Jason Pruim wrote: Hi everyone! So it's been a nice long weekend, I come in to work and try and mess with a project that I'm working on to get some new features added. All was going well until I realized that now my application is breaking... Here's the details... PHP 5.2 MySQL 5.2 I store the info in the database which is submitted from a HTML form.. Some of it text boxes, some check boxes, some radio buttons... I $_POST the info from the form into the processing script. The problem I'm running into though, is when a value has not changed it doesn't get $_POSTed back and my update script erases the info in the database... I'm trying to avoid using $_GET since it can be quite a few variables. Is there anyway I can do it without comparing the original field to what I am displaying? -- Jason Pruim Raoset Inc. Technology Manager MQC Specialist 11287 James St Holland, MI 49424 www.raoset.com [EMAIL PROTECTED] I don't see how this happens unless you are using a blank form to update an existing record. -Shawn -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Question before I end up writing alot of extra code...
Jason Pruim [EMAIL PROTECTED] wrote: Hi everyone! So it's been a nice long weekend, I come in to work and try and mess with a project that I'm working on to get some new features added. All was going well until I realized that now my application is breaking... Here's the details... PHP 5.2 MySQL 5.2 I store the info in the database which is submitted from a HTML form.. Some of it text boxes, some check boxes, some radio buttons... I $_POST the info from the form into the processing script. The problem I'm running into though, is when a value has not changed it doesn't get $_POSTed back and my update script erases the info in the database... I'm trying to avoid using $_GET since it can be quite a few variables. Is there anyway I can do it without comparing the original field to what I am displaying? Gone for a weekend and we have to retrain, at least I'm not the only one... ;) POSTed variables are ALWAYS posted back, changed or not. More then likely you are forgetting a piece of code, but since you didn't post the offending code, I can't point out where you forgot the $ or to restate a variable. :-P Have you tried echoing the mysql query to verify it is correct? Have you checked the logs? Wolf -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Question before I end up writing alot of extra code...
> The problem I'm running into though, is when a value has not changed it doesn't get $_POSTed back and my update script erases the info in the database... I'm trying to avoid using $_GET since it can be quite a few variables. Is there anyway I can do it without comparing the original field to what I am displaying?

I would assume that when you bring up your form to be edited you would query your database to pull up the current information and then:

1 - echo those values out in your form fields
OR
2 - Put the values into hidden form fields

If you use #2 then when you do your update you can just check to see if any form objects are left blank...if they are blank use your hidden values...if they aren't blank use the form values.

If you use #1 then you just update using all the form values.
Re: [PHP] Question before I end up writing alot of extra code...
On Jul 7, 2008, at 3:36 PM, Wolf wrote:
> Jason Pruim [EMAIL PROTECTED] wrote:
> > Hi everyone!
> >
> > So it's been a nice long weekend, I come in to work and try and mess with a project that I'm working on to get some new features added. All was going well until I realized that now my application is breaking...
> >
> > Here's the details...
> >
> > PHP 5.2
> > MySQL 5.2
> >
> > I store the info in the database which is submitted from a HTML form.. Some of it text boxes, some check boxes, some radio buttons... I $_POST the info from the form into the processing script.
> >
> > The problem I'm running into though, is when a value has not changed it doesn't get $_POSTed back and my update script erases the info in the database... I'm trying to avoid using $_GET since it can be quite a few variables.
> >
> > Is there anyway I can do it without comparing the original field to what I am displaying?
>
> Gone for a weekend and we have to retrain, at least I'm not the only one... ;)
>
> POSTed variables are ALWAYS posted back, changed or not. More than likely you are forgetting a piece of code, but since you didn't post the offending code, I can't point out where you forgot the $ or to restate a variable. :-P

Here is a VERY simplified test :)

MAIN PAGE:

<?PHP
if($row['Tab'] == "done"){
    $Tchecked1 = "CHECKED";
    $Tchecked2 = NULL;
}else{
    $Tchecked1 = NULL;
    $Tchecked2 = "CHECKED";
}
echo "<fieldset>Tab<BR>
<input type=radio name=rdoTab value=done $Tchecked1>Done <BR>
<input type=radio name=rdoTab value=on $Tchecked2>Not Done<BR>
</fieldset>";
?>

PROCESSING:

<?PHP
$tab = $_POST['rdoTab'];
$record = $_POST['txtRecord'];
$updateQuery = "UPDATE `current` SET Tab='$tab' WHERE Record='$record'";
mysqli_real_query($link, $updateQuery);
?>

--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
11287 James St
Holland, MI 49424
www.raoset.com
[EMAIL PROTECTED]
Re: [PHP] Question before I end up writing alot of extra code...
Jason Pruim wrote:
> MAIN PAGE:
>
> <?PHP
echo $row['Tab']; //what do you get?
> if($row['Tab'] == "done"){
>     $Tchecked1 = "CHECKED";
>     $Tchecked2 = NULL;
> }else{
>     $Tchecked1 = NULL;
>     $Tchecked2 = "CHECKED";
> }
> echo "<fieldset>Tab<BR>
> <input type=radio name=rdoTab value=done $Tchecked1>Done <BR>
> <input type=radio name=rdoTab value=on $Tchecked2>Not Done<BR>
> </fieldset>";
> ?>
>
> PROCESSING:
>
> <?PHP
print_r($_POST); //what do you get?
> $tab = $_POST['rdoTab'];
> $record = $_POST['txtRecord'];
> $updateQuery = "UPDATE `current` SET Tab='$tab' WHERE Record='$record'";
> mysqli_real_query($link, $updateQuery);
> ?>

You're saying now that that record now has field Tab=''?

-Shawn
Re: [PHP] Question before I end up writing alot of extra code...
At 3:25 PM -0400 7/7/08, Jason Pruim wrote: Hi everyone! So it's been a nice long weekend, I come in to work and try and mess with a project that I'm working on to get some new features added. All was going well until I realized that now my application is breaking... Here's the details... PHP 5.2 MySQL 5.2 I store the info in the database which is submitted from a HTML form.. Some of it text boxes, some check boxes, some radio buttons... I $_POST the info from the form into the processing script. The problem I'm running into though, is when a value has not changed it doesn't get $_POSTed back and my update script erases the info in the database... I'm trying to avoid using $_GET since it can be quite a few variables. Is there anyway I can do it without comparing the original field to what I am displaying? Try print_r($_POST); to see if everything is OK. Sometimes I get get tripped up on what html controls actually are set to (i.e., 'on' instead of 1). Cheers, tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Question before I end up writing alot of extra code...
please oh please also run that through filter_input() before throwing a $_POST directly into the db query ;p On 7/7/08, Shawn McKenzie [EMAIL PROTECTED] wrote: Jason Pruim wrote: MAIN PAGE: ?PHP echo $row['Tab']; //what do you get? if($row['Tab'] == done){ $Tchecked1 = CHECKED; $Tchecked2 = NULL; }else{ $Tchecked1 = NULL; $Tchecked2 = CHECKED; } echo fieldsetTabBR input type=radio name=rdoTab value=done $Tchecked1Done BR input type=radio name=rdoTab value=on $Tchecked2Not DoneBR /fieldset; ? PROCESSING: ?PHP print_r($_POST); //what do you get? $tab = $_POST['rdoTab']; $record = $_POST['txtRecord']; $updateQuery = UPDATE `current` SET Tab='$tab' WHERE Record='$record'; mysqli_real_query($link, $updateQuery); ? You're saying now that that record now has field Tab=''? -Shawn -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Question before I end up writing alot of extra code...
doh - and mysql_escape_string or equivalent. On 7/7/08, mike [EMAIL PROTECTED] wrote: please oh please also run that through filter_input() before throwing a $_POST directly into the db query ;p On 7/7/08, Shawn McKenzie [EMAIL PROTECTED] wrote: Jason Pruim wrote: MAIN PAGE: ?PHP echo $row['Tab']; //what do you get? if($row['Tab'] == done){ $Tchecked1 = CHECKED; $Tchecked2 = NULL; }else{ $Tchecked1 = NULL; $Tchecked2 = CHECKED; } echo fieldsetTabBR input type=radio name=rdoTab value=done $Tchecked1Done BR input type=radio name=rdoTab value=on $Tchecked2Not DoneBR /fieldset; ? PROCESSING: ?PHP print_r($_POST); //what do you get? $tab = $_POST['rdoTab']; $record = $_POST['txtRecord']; $updateQuery = UPDATE `current` SET Tab='$tab' WHERE Record='$record'; mysqli_real_query($link, $updateQuery); ? You're saying now that that record now has field Tab=''? -Shawn -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Question before I end up writing alot of extra code...
Oh, and make sure you bottom post too so you actually follow everything! ;) mike [EMAIL PROTECTED] wrote: doh - and mysql_escape_string or equivalent. On 7/7/08, mike [EMAIL PROTECTED] wrote: please oh please also run that through filter_input() before throwing a $_POST directly into the db query ;p On 7/7/08, Shawn McKenzie [EMAIL PROTECTED] wrote: Jason Pruim wrote: MAIN PAGE: ?PHP echo $row['Tab']; //what do you get? if($row['Tab'] == done){ $Tchecked1 = CHECKED; $Tchecked2 = NULL; }else{ $Tchecked1 = NULL; $Tchecked2 = CHECKED; } echo fieldsetTabBR input type=radio name=rdoTab value=done $Tchecked1Done BR input type=radio name=rdoTab value=on $Tchecked2Not DoneBR /fieldset; ? PROCESSING: ?PHP print_r($_POST); //what do you get? $tab = $_POST['rdoTab']; $record = $_POST['txtRecord']; $updateQuery = UPDATE `current` SET Tab='$tab' WHERE Record='$record'; mysqli_real_query($link, $updateQuery); ? You're saying now that that record now has field Tab=''? -Shawn -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Looking for a reasonable explanation as to why $_REQUEST exists
At 3:00 PM -0400 7/7/08, Bastien Koert wrote: Where I see this used a lot is in searching/pagination type scenarios...for the submission, the form is POSTED and then on subsequent pages, the data is stored in the url and posted back to the same script. Using $_REQUEST means that you won't really care about whether the data is POST or GET. -- Bastien Yes, but one of the problems with using REQUEST is that if COOKIES are involved, then those values will take precedence over the same variable found in POST or GET (i.e., PGC). Cheers, tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Looking for a reasonable explanation as to why $_REQUEST exists
-Original Message- From: mike [mailto:[EMAIL PROTECTED] Sent: Monday, July 07, 2008 2:09 PM To: Daniel Brown Cc: Eric Butera; php-general@lists.php.net Subject: Re: [PHP] Looking for a reasonable explanation as to why $_REQUEST exists On 7/7/08, Daniel Brown [EMAIL PROTECTED] wrote: That's the point --- it's intended as a fallback where you *don't* know the method that will be used, or if you want to be lackadaisical with your code (which, as we all know, is HIGHLY unrecommended). Then you should code for that, not fallback to a lazy overrideable option. if(isset($_GET['foo'])) { $foo = $_GET['foo']; } etc ... or $foo = array_merge($_GET['foo'], $_POST['foo']) or something like that. Because, in this case, it really doesn't matter if $word is obtained via GET or POST, so you can allow external users to use your service via an HTTP POST form or a plain URL. Then code for it :P I understand the idea, I don't see the need to create a dedicated construct in PHP for it. Part of PHP's power to me was finally getting away from the lazy ASP (VB-based) Request.Value('foo') or whatever it was and not able to identify if it was post, get, etc and making the coder define exactly what source of data he's getting it from. *cough* ... Request.Value? That seems like lazy VB.NET/ASP.NET code to me. :) It can be split into either Request.QueryString (for GET) or Request.Form (for POST). Anyway, a bit OT... Todd Boyd Web Programmer
Re: [PHP] Looking for a reasonable explanation as to why $_REQUEST exists
*cough* ... Request.Value? That seems like lazy VB.NET/ASP.NET code to me. :) It can be split into either Request.QueryString (for GET) or Request.Form (for POST). Anyway, a bit OT... Todd Boyd Web Programmer ASP is the best *hack hack* :-P -- Bastien Cat, the other other white meat
Re: [PHP] CURL de-bugging: So why am I not getting the results page on the target site?
My code is as below. It comes back with 'Bad session variable name - CompanySerialNo' from the site, but the COOKIEJAR does not show this variable name and it is not sent, it just shows:

www.targetsite.comFALSE/FALSE0 ASPSESSIONIDQCSQDTABLKAONANAFJPNMFFECLFNCLBP

There is a serialno but that is sent in the (URL below).

Question is: What to test now?

I am trying to get a results page from an input page. What the code below is trying to do is access the page, get any cookies set, then try the page again with the relevant inputs.

<?
$url="https://www.targetsite.com/subdir/page.asp?serialno=GM201OtherCode=NextCode=";
$ch = curl_init();
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt ($ch, CURLOPT_COOKIEJAR, "cookies.txt");
curl_setopt ($ch, CURLOPT_COOKIEFILE, "cookies.txt");
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_AUTOREFERER, true);
curl_setopt($ch, CURLOPT_URL, $url);
/*
//GET list from submitting POST form as GET
https://www.shortstay-london.com/checkavail.asp?
1 - clock=+09%3A54
2 - StartDay=6
3 - StartMonth=September+%3A+2008
4 - EndDay=13
5 - EndMonth=September+%3A+2008
13 - CheckThis=Check+This
use this list to create POST data
*/
curl_setopt($ch, CURLOPT_POST, 1);
$curlPost=array();
$curlPost["clock"]=" 09:54";
$curlPost["StartDay"]="6";
$curlPost["StartMonth"]="September : 2008";
$curlPost["EndDay"]="13";
$curlPost["EndMonth"]="September : 2008";
//etc
$curlPost["CheckThis"]="Check This";
curl_setopt($ch, CURLOPT_POSTFIELDS,$curlPost);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION ,1);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
$store = curl_exec ($ch);
curl_close ($ch);
print($store);
?>
Re: [PHP] Looking for a reasonable explanation as to why $_REQUEST exists
On Mon, Jul 7, 2008 at 3:28 PM, mike [EMAIL PROTECTED] wrote:
> On 7/7/08, Eric Butera [EMAIL PROTECTED] wrote:
> > If your app is written correctly it doesn't matter what is thrown at it, it should always work. Even if a variable gets overridden it should still be forced to play with the rules of the app and work like a valid request does.
>
> That is not an excuse to trust GET and POST for the same variable.
>
> 1) Filter your input
> 2) Sanity check your input/fill in your own default value if one is required
>
> > I think that having a set of if statements that say something like the following is silly.
> >
> > if (isset($_POST['id'])) {
> > } else if (isset($_GET['id'])) {
> > }
>
> Oh it definitely is silly. I'm saying that's a workaround if people -had- to mix their POST/GET data. I've never had to do it and I've coded a variety of apps, including plenty of various pagination methods, multi-page forms, etc, etc.
>
> For example:
>
> # 1 - filter it, and typecast it to int
> $page = intval(filter_input(INPUT_GET, 'page', FILTER_SANITIZE_NUMBER_INT));
>
> # 2 - sanity check. a page number cannot be negative and it cannot be
> # greater than the number of pages (which can be determined by a db
> # query, or hardcoded somewhere else)
> if($page < 0 || $page > $maxpages) {
>     $page = 1;
> }
>
> In the end $page should be trusted as it won't have any foreign data - it has been intval()'ed and there is a default value put in - $page = 1, and there is a bounds check to ensure it's valid info.
>
> For a better user experience, instead of setting $page = 1, I would probably use a
>
> header("Location: foo.php?page=1");
> exit();
>
> so the user's URL in the address bar properly matches up with the page. But you get the idea.

You asked for an explanation. I was just stating that is how I've seen some people write apps. I've also stated that isn't how I write them either.

I use something along these lines:

$page = $request->getFiltered(new namespace_Validate_Int(min, max), 'page', namespace_Request::GET);

:)
Re: [PHP] PHP's mail(): proper way to send a 'From' header
<?php
$to = "[EMAIL PROTECTED]";
$from = "[EMAIL PROTECTED]";
$subject = "This is a test!";
$body = "\tThis is a test email.\n";
$body .= "That is all.";
$headers = "From: ".$from."\r\n";
$headers .= "Reply-To: ".$from."\r\n";
$headers .= "X-Mailer: ".basename(__FILE__)."-PHP/".phpversion()."\r\n";
$headers .= "Return-Path: ".$from."\r\n";
mail($to,$subject,$body,$headers,'-f'.$from);
?>

Note the fifth parameter passed to mail(): http://php.net/mail

And also note that the 5th parameter is an email address only.. Don't do something like:

<?php
$from = "Me <[EMAIL PROTECTED]>";

and try to use that as the 5th parameter, it won't work.

--
Postgresql php tutorials
http://www.designmagick.com/
Re: [PHP] Looking for a reasonable explanation as to why $_REQUEST exists
On 7/7/08, Eric Butera [EMAIL PROTECTED] wrote: You asked for an explanation. I was just stating that is how I've seen some people write apps. I've also stated that isn't how I write them either. I use something along these lines: This is true. I really wanted to ask the internals folks first, to see how it came up. I mean, if there wasn't the option available, people would figure out a way to do it (probably one of the two ways I was showing before) The problem is, the cat's out of the bag now and a lot of people are just being lazy (in my mind) especially those who are used to ASP's Request.Value() which unfortunately is a lot of our developers at work. They don't have a real good background as to the difference between POST vs GET and even how the web works it seems. That's why in the library I've created for us to use, I unset() it before it's usable. Most third party software works okay too - off the top of my head we've got Pligg, WordPress, MediaWiki all using hooks into my library - a couple I did have to do a $_REQUEST = array_merge($_POST, $_GET) on, unfortunately. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Question before I end up writing alot of extra code...
> Here is a VERY simplified test :)
>
> MAIN PAGE:
>
> <?PHP
> if($row['Tab'] == "done"){
>     $Tchecked1 = "CHECKED";
>     $Tchecked2 = NULL;
> }else{
>     $Tchecked1 = NULL;
>     $Tchecked2 = "CHECKED";
> }
> echo "<fieldset>Tab<BR>
> <input type=radio name=rdoTab value=done $Tchecked1>Done <BR>
> <input type=radio name=rdoTab value=on $Tchecked2>Not Done<BR>
> </fieldset>";
> ?>
>
> PROCESSING:
>
> <?PHP
> $tab = $_POST['rdoTab'];
> $record = $_POST['txtRecord'];
> $updateQuery = "UPDATE `current` SET Tab='$tab' WHERE Record='$record'";
> mysqli_real_query($link, $updateQuery);

Checkboxes and radio buttons only post back the values for the ones selected.

If you have:

<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<input type="checkbox" name="ids[]" value="1">Option 1<br/>
<input type="checkbox" name="ids[]" value="2">Option 2<br/>
<input type="checkbox" name="ids[]" value="3">Option 3<br/>
</form>

view that, and tick options 1 and 3, only they will be available in $_POST.

This has not changed in any version of php, it has always been this way - and it will be exactly the same in perl, python, ruby and any other language.

--
Postgresql php tutorials
http://www.designmagick.com/
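The two points raised in this thread about the processing script (an unselected radio group sends no key, and $_POST should not go straight into the query) can be handled together; the following is an added example, not code from any poster. It uses PDO with an in-memory SQLite table instead of mysqli so that it runs without a server, and it assumes Record is an integer key; the function names and sample rows are constructed.

```php
<?php
// Added example, not code from the thread. Table and field names follow the
// posted script; function names, allowed values and sample rows are constructed.

const TAB_VALUES = ['done', 'on'];   // the two radio values in the posted form

/**
 * Decide what to write from a submitted form.
 * Returns ['Tab' => ..., 'Record' => ...], or null when the row must not be touched.
 */
function read_tab_update(array $post): ?array
{
    // An unselected radio group (or unticked checkbox) sends no key at all,
    // so "missing" means "leave the stored value alone", not "store ''".
    if (!isset($post['rdoTab'], $post['txtRecord'])) {
        return null;
    }
    // Only values the form itself can produce are accepted.
    if (!is_string($post['rdoTab']) || !in_array($post['rdoTab'], TAB_VALUES, true)) {
        return null;
    }
    // Assumption: Record is a positive integer key.
    $record = filter_var($post['txtRecord'], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($record === false) {
        return null;
    }
    return ['Tab' => $post['rdoTab'], 'Record' => $record];
}

/** Apply the update with bound parameters; returns true when one row was written. */
function apply_tab_update(PDO $db, array $post): bool
{
    $update = read_tab_update($post);
    if ($update === null) {
        return false;
    }
    $stmt = $db->prepare('UPDATE `current` SET Tab = :tab WHERE Record = :record');
    $stmt->execute([':tab' => $update['Tab'], ':record' => $update['Record']]);
    return $stmt->rowCount() === 1;
}

// Constructed table and submissions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE `current` (Record INTEGER PRIMARY KEY, Tab TEXT)');
$db->exec("INSERT INTO `current` (Record, Tab) VALUES (7, 'done')");

$submissions = [
    'radio selected'         => ['txtRecord' => '7', 'rdoTab' => 'on'],
    'no radio selected'      => ['txtRecord' => '7'],
    'value not in the form'  => ['txtRecord' => '7', 'rdoTab' => "it's"],
    'record is not a number' => ['txtRecord' => 'seven', 'rdoTab' => 'done'],
];
foreach ($submissions as $label => $post) {
    $applied = apply_tab_update($db, $post);
    $stored  = $db->query('SELECT Tab FROM `current` WHERE Record = 7')->fetchColumn();
    printf("%-24s applied=%-5s stored=%s\n", $label, var_export($applied, true), $stored);
}
```

With mysqli the same shape applies through mysqli_prepare(), mysqli_stmt_bind_param() and mysqli_stmt_execute().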
Re: [PHP] Looking for a reasonable explanation as to why $_REQUEST exists
On Mon, Jul 7, 2008 at 8:08 PM, mike [EMAIL PROTECTED] wrote: The problem is, the cat's out of the bag now and a lot of people are just being lazy (in my mind) especially those who are used to ASP's Request.Value() which unfortunately is a lot of our developers at work. They don't have a real good background as to the difference between POST vs GET and even how the web works it seems. Then the question isn't really why $_REQUEST exists, but rather, why do these folks have jobs? :-\ -- /Daniel P. Brown Dedicated Servers - Intel 2.4GHz w/2TB bandwidth/mo. starting at just $59.99/mo. with no contract! Dedicated servers, VPS, and hosting from $2.50/mo. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Multiple words str_shuffle
grrr ... I rear my ugly head, briefly ...

Ron Piggott wrote:
> I am trying to scramble individual words and/or phrases.

try harder.

<?php
function mixit($m) { return trim(chunk_split(str_shuffle(strtoupper($m[1])),1,' ')); }
echo preg_replace_callback('#(\w+)#', 'mixit', 'The rain. in Spain falls, mainly on the plain!');
?>

have integrity, read these before you copy, paste 'n' use:

http://php.net/chunk_split
http://php.net/preg_replace_callback

questions on a postcard to Dan Brown, he just got married, he deserves it ;-)
Re: [PHP] Looking for a reasonable explanation as to why $_REQUEST exists
Daniel Brown wrote:
> On Mon, Jul 7, 2008 at 2:47 PM, mike [EMAIL PROTECTED] wrote:
> > I don't see why if you -know- you need $_COOKIE['username'] someone would be lazy and use $_REQUEST['username']
>
> That's the point --- it's intended as a fallback where you *don't* know the method that will be used, or if you want to be lackadaisical with your code (which, as we all know, is HIGHLY unrecommended).
>
> So if you are an application service provider (ASP) who, perhaps, runs a simple word shuffling script, with no database, email, or other externally-processed services, you may have a script like so:
>
> <?php
> $word = $_REQUEST['word'];
> echo str_shuffle($word)."<br />\n";
> ?>
>
> Because, in this case, it really doesn't matter if $word is obtained via GET or POST, so you can allow external users to use your service via an HTTP POST form or a plain URL.
>
> Conversely, it can also be used as a login mechanism or other secure system, if you know what you're doing with regard to EGPCS

the C allows DoS attacks on clients via XSS/etc if $_REQUEST is used. imagine setting a cookie id=CANT_USE_THIS_SITE_ANYMORE for a webshop that has urls like article.php?id=123 where article.php uses something like:

$id = (int)$_REQUEST["id"];

$_REQUEST is borked and should not contain ECS (of EGPCS) ... at least one should be able to exclude certain superglobals without actually making not set at all, currently you can't do that .. last I looked.

$_REQUEST = array_merge($_GET, $_POST); // the only sensible thing to do in all cases.

(which I mentioned to the wrong poster before! :-\)

> and proper secure coding techniques. It will go through a matter of precedence, which can be useful in some (rare) circumstances.

but still borked in the case of REQUEST, Stefan Esser wrote about it.
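The cookie-overrides-GET case described in this message, and the filter-plus-bounds-check approach mike posted for the page number, can be put side by side; this is an added example, not code from any poster. The helper names build_request() and input_int() are hypothetical and the request values are constructed; PHP 5.3 and later expose the merge order for $_REQUEST as the request_order ini directive.

```php
<?php
// Added example, not code from the thread. build_request() and input_int()
// are hypothetical helpers; all request values below are constructed.

/**
 * Rebuild $_REQUEST for a given order string such as "GPC" or "GP".
 * Sources named later in the string overwrite keys set by earlier ones.
 */
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // array_replace keeps string keys intact and lets the later source win.
            $request = array_replace($request, $sources[$letter]);
        }
    }
    return $request;
}

/**
 * Read one integer from one named source, with bounds and a default.
 * The caller states which source it trusts for this parameter.
 */
function input_int(array $source, string $name, int $min, int $max, int $default): int
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return $default;
    }
    $value = filter_var($source[$name], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $value === false ? $default : $value;
}

// Constructed request for article.php?id=123 arriving with a planted cookie.
$get    = ['id' => '123', 'page' => '9999'];
$post   = [];
$cookie = ['id' => 'CANT_USE_THIS_SITE_ANYMORE'];

// With cookies merged last, the cookie replaces the id from the URL,
// and the integer cast turns it into an article id that does not exist.
$with_cookies = build_request('GPC', $get, $post, $cookie);
echo "GPC, (int) cast:       ", (int) $with_cookies['id'], "\n";

// Leaving cookies out of the merge, as array_merge($_GET, $_POST) does.
$without_cookies = build_request('GP', $get, $post, $cookie);
echo "GP, (int) cast:        ", (int) $without_cookies['id'], "\n";

// Reading from the one source the page expects, with bounds and a default.
echo "GET only, validated:   ", input_int($get, 'id', 1, 1000000, 0), "\n";
echo "cookie only, validated:", input_int($cookie, 'id', 1, 1000000, 0), "\n";

// The page-number case: out-of-range input falls back to page 1.
$maxpages = 40; // constructed; normally from a query or configuration
echo "page, validated:       ", input_int($get, 'page', 1, $maxpages, 1), "\n";
```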
Re: [PHP] Multiple words str_shuffle
Jochem Maas schreef: /snip this is a little better: ?php // $argv[1] is the first script argument on the CLI $phrase = isset($argv[1]) is_string($argv[1]) ? $argv[1] : 'The rain. in Spain falls, mainly on the plain!'; $phrase = preg_replace_callback('#(\w+)#', 'mixit', str_replace( , , $phrase)); function mixit($m) { return trim(chunk_split(str_shuffle(strtoupper($m[1])),1,' ')); } -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] php my admin
Team, Can anyone help me create a form, so I can just insert from a website to my players profile database? I am trying to learn php all over again, so bare with me please. I just need into use form to submit player into players database. Or, should I continue to use the phpmyadmin 2.10.1 Also, I created a position table, Should I label what position the player has with in the player table? IE QB = 1, RB = 2, etc. Karl James www.theufl.com [EMAIL PROTECTED]