Re: [PHP] Any conflict with $_POST when 2 users concurrently submitting the same form using POST method?

2009-06-10 Thread Keith

Craige, Marc, Nitsan,Bastien,
Thanks for your reply!
This is my understanding and comment from your replies:

(1) If the web server does assign an anonymous request ID to each HTTP 
request from the client browser, assigns $_POST to each request ID and works 
within the request ID scope, this is fine with or without a session.


(2) If the above is not the case, then a session is required. However, the web 
server still needs to provide each session ID with a $_POST array and work within 
this scope.


(3) If the web server works in neither case (1) nor case (2), then including the 
user ID in $_POST is appropriate, e.g.

$_POST[userID][input_submitted_name][input_submitted_value]
instead of just
$_POST[input_submitted_name][input_submitted_value].

So, which of the 3 cases above is appropriate?

Thanks!

Craige Leeder clee...@gmail.com wrote in message 
news:4a2e85b3@gmail.com...
While yes, $_POST is a superglobal, even a superglobal has its own scope. 
The scope of $_POST is the call of the user to the web server. 
Therefore, no, User A's information will not be overwritten by User B's 
information.


Hope this helps. Let me know if you want any further clarification. This 
was just a very simplified answer.


Keith wrote:
Let's say user A and user B submit a purchase order form with 
order.php at the same time, with method=post action='confirmation.php'.


(1)   Will $_POST['order'] submitted by user A be replaced by 
$_POST['order'] submitted by user B, so that both user A & B get the 
same order, which is made by user B? Why?


(2)Since $_POST['xxx'] is a superglobal array, will $_POST['order'] be 
read by users other than A & B? In a shared hosting server environment, are 
all domains hosted within that server using the same $_POST array? Can the 
$_POST array be accessed by all domains even if not from the originating 
domain?


Thx for clarification!

Keith



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] Re: Any conflict with $_POST when 2 users concurrently submitting the same form using POST method?

2009-06-10 Thread Peter Ford
Keith wrote:
 Let's say user A and user B submit a purchase order form with
 order.php at the same time, with method=post action='confirmation.php'.
 
 (1)   Will $_POST['order'] submitted by user A be replaced by
 $_POST['order'] submitted by user B, so that both user A & B get the
 same order, which is made by user B? Why?
 
 (2)Since $_POST['xxx'] is a superglobal array, will $_POST['order'] be
 read by users other than A & B? In a shared hosting server environment,
 are all domains hosted within that server using the same $_POST array?
 Can the $_POST array be accessed by all domains even if not from the
 originating domain?
 
 Thx for clarification!
 
 Keith

Other posters have explained, but I'm not sure their explanations are clear.
Think of it like this:

User A posts to confirmation.php. When the server receives the request, it
starts up a Process and fills the $_POST array with whatever came in, then runs
confirmation.php with that information.

User B posts to confirmation.php. When the server receives the request, it
starts up a Process and fills the $_POST array with whatever came in, then runs
confirmation.php with that information.

The KEY thing is that the process in each case is entirely separate. Each makes
its own copy of the script in its own bit of memory, and each has its own
version of $_POST in its own bit of memory.

The two posts can happen at the same time and they will still be completely
independent.

The fact that $_POST is called superglobal does not mean that it is shared by
separate requests - it is not even shared by requests in the same session. It
just means that it is already declared and you don't need to use the global
keyword to access it in your PHP pages.

-- 
Peter Ford  phone: 01580 89
Developer   fax:   01580 893399
Justcroft International Ltd., Staplehurst, Kent




RE: [PHP] php applications

2009-06-10 Thread Arno Kuhl
At 11:49 AM -0400 6/8/09, Daniel Brown wrote:
On Mon, Jun 8, 2009 at 11:48, teddt...@sperling.com wrote:
  Hi gang:

  I've heard that php can be used for more than web programming, but I 
 am not  aware of specifically how that can be done. So, let me ask 
 directly -- can  php be used to create a Mac Application?

  If so, how?

 Probably the most well-known method is php-gtk:

 http://gtk.php.net/

I must be getting too old for this stuff.

I'm used to an IDE where you write code, run, and debug it. When you get it
where you want and want to create an application, then you compile the code
and there's an application -- a stand alone application -- done!

But I don't see anything like that there. In fact, if you review their
applications link, you'll see that they don't have any applications either.
It's all "There's not any applications in this category ... Maybe you would
like to add one?"  Well... a Hello world would be nice.

I downloaded and installed the MacPorts too, but that leaves me wanting for
a simple Hello World example as well, but nothing there either.

In both cases they are very verbose about command line stuff, but short on
how to use php to create an application. I just don't see it. Maybe my
terminology is not correct. My applications stand by themselves and run when
clicked -- no command line is needed.

To me it looks like another one of those other things that everyone says is
great, but I sit here saying "Hey, I don't know about you guys, but the
Emperor's naked."

Cheers,

tedd

--

Nusphere has something called PhpDock, but it's for Windows desktop only. I
use their excellent PhpED IDE and have seen references in PhpED for PhpDock
development, exactly as you describe (code-debug-test-encode-deploy all in
PhpED - a well-dressed Emperor). Looking at how they do it I'm not too sure
why PhpDock is Windows-only. From the Nusphere forum I've seen that Mac
users use PhpED fine in wine or vmware, but I don't know if that also works
for PhpDock runtime. I haven't tried any PhpDock development.

http://www.nusphere.com/products/phpdock.htm

Cheers
Arno





Re: [PHP] php applications

2009-06-10 Thread tedd

At 2:28 AM +0100 6/10/09, Michael wrote:
The standard PHP execution model is geared almost exclusively 
towards web-used (though crons etc. are reasonable)... that is, to 
sit in/with a server and handle requests... to operate over, at 
maximum, insane lifespans of 30 seconds.


There are languages designed to be used for desktop programming, and 
for various tasks in general. The smart thing would be to use them. 
PHP may be a hammer, but every problem is not a nail.


Use the tools designed for the job.

Michael


Michael:

I've written many different desktop apps that wrap routines from 
other languages and/or use applications that are just below the 
surface (for example, a desktop app that uses a Unix app). If you 
can do it, it sure beats rewriting everything in one language.


Plus, I have also written desktop apps that interface with php 
scripts to do web stuff -- that's not difficult.


So, I don't think it's too much a stretch of the imagination to think 
there might be a php environment that could create a desktop 
application to do web work.


Beside, this is how languages evolve. There is no job that any tool 
is designed for. The job is our current perception of the task at 
hand and that is always changing.


Think about it -- why are all languages looking more and more 
alike? Why is it that you can jump from versions of BASIC to C, C++, 
php, JAVA, javascript and others and not find yourself in a 
completely foreign environment? You think that's by design? Or is 
there something else going on?


Perhaps what's going on is that these languages are expanding and 
adapting to the task at hand (the job) as perceived by countless 
programmers working in different environments. Usually, there is one 
most logical way to solve any problem. We all shoot at the target and 
it should come as no surprise that our shots are grouped around a 
common goal.


Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] php applications

2009-06-10 Thread Daniel Brown
On Wed, Jun 10, 2009 at 08:37, tedd tedd.sperl...@gmail.com wrote:

 Beside, this is how languages evolve. There is no job that any tool is
 designed for. The job is our current perception of the task at hand and
 that is always changing.

That's the point I was trying to get at in the email I wrote last
night that no one read.  Seems like everyone saw the word "police" and
ran like kids at a beer party.  ;-P

-- 
/Daniel P. Brown
daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
50% Off All Shared Hosting Plans at PilotPig: Use Coupon DOW1




Re: [PHP] php applications

2009-06-10 Thread Robert Cummings

Daniel Brown wrote:

On Wed, Jun 10, 2009 at 08:37, tedd tedd.sperl...@gmail.com wrote:

Beside, this is how languages evolve. There is no job that any tool is
designed for. The job is our current perception of the task at hand and
that is always changing.


That's the point I was trying to get at in the email I wrote last
night that no one read.  Seems like everyone saw the word "police" and
ran like kids at a beer party.  ;-P


Don't you have VB applications to write?

:D

Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP




Re: [PHP] PHP as Server Side for a Web Database Application.

2009-06-10 Thread Daniel Brown
On Wed, Jun 10, 2009 at 01:41, R. S. Patil kpr.rspa...@gmail.com wrote:
 Hi,

 We are in the phase of evaluating PHP as the server-side technology for our
 first web application. We have finalized Flex for the user interface and Birt
 as the reporting engine. Now the data services are to be evaluated. Flex
 forums recommended us using PHP for this.
 We would like to implement SOA for database access/inserts/updates/queries
 for the report engine BIRT.
 For the SOA implementation we are considering XML-RPC and WSO2-WSF. Since we
 don't have any past experience in web development we are not in a position to
 make any decisions about PHP server-side technologies. Can somebody guide us
 on which one we should select (maybe different than these two)?
 We will be using Flex forms to insert and update data through web services
 (mainly CRUD operations) and PHP query data services will be acting as the
 data source for Birt for reporting. Please suggest to us a technology which is
 secure and proven. The problem of integrating Birt into PHP has been solved
 and successfully tested also.

 Thanks and Best Regards

Wow, thanks for letting us know all of the backstory there!
Robert Cummings and I just had a long, deep talk the other night, and
the question arose: when will Raja start asking us about PHP instead
of checking Google for his answers?  Well, you've put that question to
bed, sir, and thank you.

Here's all the help you should need for that very vague and
general request (at least enough to get you started to form a basic
question):

http://www.google.com/search?q=what+is+php

-- 
/Daniel P. Brown
daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
50% Off All Shared Hosting Plans at PilotPig: Use Coupon DOW1




Re: [PHP] php applications

2009-06-10 Thread Daniel Brown
On Wed, Jun 10, 2009 at 08:59, Robert Cummings rob...@interjinn.com wrote:

 Don't you have VB applications to write?

And this after I just mentioned your name in another thread
without throwing up in my mouth.

-- 
/Daniel P. Brown
daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
50% Off All Shared Hosting Plans at PilotPig: Use Coupon DOW1




Re: [PHP] PHP as Server Side for a Web Database Application.

2009-06-10 Thread Eddie Drapkin
Dan, I do appreciate when you share your pillow talk with the list at large.

Cheers,
Eddie

On Wed, Jun 10, 2009 at 9:06 AM, Robert Cummings rob...@interjinn.com wrote:

 Daniel Brown wrote:

 On Wed, Jun 10, 2009 at 01:41, R. S. Patil kpr.rspa...@gmail.com wrote:

 Hi,

 We are in the phase of evaluating PHP as the server-side technology for our
 first web application. We have finalized Flex for the user interface and Birt
 as the reporting engine. Now the data services are to be evaluated. Flex
 forums recommended us using PHP for this.
 We would like to implement SOA for database access/inserts/updates/queries
 for the report engine BIRT.
 For the SOA implementation we are considering XML-RPC and WSO2-WSF. Since we
 don't have any past experience in web development we are not in a position to
 make any decisions about PHP server-side technologies. Can somebody guide us
 on which one we should select (maybe different than these two)?
 We will be using Flex forms to insert and update data through web services
 (mainly CRUD operations) and PHP query data services will be acting as the
 data source for Birt for reporting. Please suggest to us a technology which is
 secure and proven. The problem of integrating Birt into PHP has been solved
 and successfully tested also.

 Thanks and Best Regards


Wow, thanks for letting us know all of the backstory there!
 Robert Cummings and I just had a long, deep talk the other night, and
 the question arose: when will Raja start asking us about PHP instead
 of checking Google for his answers?  Well, you've put that question to
 bed, sir, and thank you.


 Dan, I'd appreciate it if you wouldn't share our pillow talk with the list
 at large.

 Cheers,
 Rob.
 --
 http://www.interjinn.com
 Application and Templating Framework for PHP






Re: [PHP] PHP as Server Side for a Web Database Application.

2009-06-10 Thread Robert Cummings

Eddie Drapkin wrote:

Dan, I do appreciate when you share your pillow talk with the list at large.


Just so everyone knows... Dan was catcher when we were having that long 
deep talk.


Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP




Re: [PHP] PHP as Server Side for a Web Database Application.

2009-06-10 Thread Daniel Brown
On Wed, Jun 10, 2009 at 09:06, Robert Cummings rob...@interjinn.com wrote:

 Dan, I'd appreciate it if you wouldn't share our pillow talk with the list
 at large.

Oh, stop, it's not like I mentioned the rash for which you've been
getting that cream.

-- 
/Daniel P. Brown
daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
50% Off All Shared Hosting Plans at PilotPig: Use Coupon DOW1




Re: [PHP] PHP as Server Side for a Web Database Application.

2009-06-10 Thread Daniel Brown
On Wed, Jun 10, 2009 at 09:11, Daniel Brown danbr...@php.net wrote:
 On Wed, Jun 10, 2009 at 09:06, Robert Cummings rob...@interjinn.com wrote:

 Dan, I'd appreciate it if you wouldn't share our pillow talk with the list
 at large.

    Oh, stop, it's not like I mentioned the rash for which you've been
 getting that cream.


Oops.


-- 
/Daniel P. Brown
daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
50% Off All Shared Hosting Plans at PilotPig: Use Coupon DOW1




Re: [PHP] PHP as Server Side for a Web Database Application.

2009-06-10 Thread Robert Cummings

Daniel Brown wrote:

On Wed, Jun 10, 2009 at 09:06, Robert Cummings rob...@interjinn.com wrote:

Dan, I'd appreciate it if you wouldn't share our pillow talk with the list
at large.


Oh, stop, it's not like I mentioned the rash for which you've been
getting that cream.


I just realized... today isn't Friday ;)

Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP




Re: [PHP] PHP as Server Side for a Web Database Application.

2009-06-10 Thread Eddie Drapkin
The question then becomes whether he was one of the boring catchers and just
sort of sat there or was actively discussing with you.

On Wed, Jun 10, 2009 at 9:11 AM, Robert Cummings rob...@interjinn.com wrote:

 Eddie Drapkin wrote:

 Dan, I do appreciate when you share your pillow talk with the list at
 large.


 Just so everyone knows... Dan was catcher when we were having that long
 deep talk.


 Cheers,
 Rob.
 --
 http://www.interjinn.com
 Application and Templating Framework for PHP



Re: [PHP] PHP as Server Side for a Web Database Application.

2009-06-10 Thread Robert Cummings

Eddie Drapkin wrote:
The question then becomes whether he was one of the boring catchers and 
just sort of sat there or was actively discussing with you.


He was quite active... when I raised a really good point all he could do 
was scream.


Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP




Re: [PHP] php applications

2009-06-10 Thread tedd

At 8:53 AM -0400 6/10/09, Daniel Brown wrote:

On Wed, Jun 10, 2009 at 08:37, tedd tedd.sperl...@gmail.com wrote:


 Beside, this is how languages evolve. There is no job that any tool is
 designed for. The job is our current perception of the task at hand and
 that is always changing.


That's the point I was trying to get at in the email I wrote last
night that no one read.  Seems like everyone saw the word "police" and
ran like kids at a beer party.  ;-P

--
/Daniel P. Brown


That's Okay, I just say it better than you.  :-)

Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] php applications

2009-06-10 Thread tedd

At 9:07 AM -0400 6/10/09, Robert Cummings wrote:

Daniel Brown wrote:

On Wed, Jun 10, 2009 at 08:59, Robert Cummings rob...@interjinn.com wrote:

Don't you have VB applications to write?


And this after I just mentioned your name in another thread
without throwing up in my mouth.


You've finally got those gag reflexes under control... call me!!

*wink wink* *nudge nudge*

Cheers,
Rob.


Get a room.  :-)

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] PHP as Server Side for a Web Database Application.

2009-06-10 Thread Daniel Brown
On Wed, Jun 10, 2009 at 09:14, Robert Cummings rob...@interjinn.com wrote:

 He was quite active... when I raised a really good point all he could do was
 scream.

 and it is at this point that I would like to remind you that
we are on the air, gentlemen, live and being recorded for future
generations to search through, mock, and form opinions on our
professionalism.

So you can both publicly bite me (though not in the manner to
which you're alluding).  ;-P

-- 
/Daniel P. Brown
daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
50% Off All Shared Hosting Plans at PilotPig: Use Coupon DOW1




Re: [PHP] php applications

2009-06-10 Thread Daniel Brown
On Wed, Jun 10, 2009 at 09:16, tedd tedd.sperl...@gmail.com wrote:

 That's Okay, I just say it better than you.  :-)

Show-off.

-- 
/Daniel P. Brown
daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
50% Off All Shared Hosting Plans at PilotPig: Use Coupon DOW1




Re: [PHP] PHP as Server Side for a Web Database Application.

2009-06-10 Thread Robert Cummings

Daniel Brown wrote:

On Wed, Jun 10, 2009 at 09:14, Robert Cummings rob...@interjinn.com wrote:

He was quite active... when I raised a really good point all he could do was
scream.


 and it is at this point that I would like to remind you that
we are on the air, gentlemen, live and being recorded for future
generations to search through, mock, and form opinions on our
professionalism.

So you can both publicly bite me (though not in the manner to
which you're alluding).  ;-P


*lol* One hopes that they would read the entire thread to catch the 
humour... then again, it's rare someone even bothers to search the 
archives :P


As for professionalism... I'm not on here in a professional capacity, 
I'm here to help and to be part of the community *woot*!


Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP




Re: [PHP] php applications

2009-06-10 Thread Paul M Foster
On Wed, Jun 10, 2009 at 08:37:23AM -0400, tedd wrote:

<snip>


 Think about it -- why are all languages are looking more and more
 alike? Why is it that you can jump from versions of BASIC to C, C++,
 php, JAVA, javascript and others and not find yourself in a
 completely foreign environment? You think that's by design? Or is
 there something else going on?

<snip>

I suspect this is because the guys who create a new language learned
programming in another language. So when they create a new language, to
some extent, they pattern it after what they've learned elsewhere. And
generally, there are typical ways that humans think about accomplishing
programming tasks, which are reflected in the way that humans design
programming languages.

Paul

-- 
Paul M. Foster




Re: [PHP] [php] read/write error

2009-06-10 Thread Robin Vickery
2009/6/8 HELP! izod...@gmail.com

 opening the socket is OK and writing the LOGIN packet to the socket is also
 OK, but reading the response to know if the login is accepted or rejected is
 not OK.


Don't use fread() to read from sockets, use stream_get_contents(). Example 3
on the fread() manual page tells you why.

-robin


Re: [PHP] Show the entire browser request

2009-06-10 Thread Robin Vickery
2009/6/10 Dotan Cohen dotanco...@gmail.com

  Just checked your site in Elinks (works like Lynx) and I'm getting the
  headers come back to me. I'm assuming you changed your site code before
  me sending this and after you sent the original message?
 

 The individual headers are as they always were. It's the entire
 request verbatim (valid or not) that I'd like to add.


Is installing the pecl_http extension on your server an option?

http://php.net/manual/en/function.httprequest-getrawrequestmessage.php

-robin


Re: [PHP] Show the entire browser request

2009-06-10 Thread Robin Vickery
2009/6/10 Robin Vickery rob...@gmail.com



 2009/6/10 Dotan Cohen dotanco...@gmail.com

  Just checked your site in Elinks (works like Lynx) and I'm getting the
  headers come back to me. I'm assuming you changed your site code before
  me sending this and after you sent the original message?
 

 The individual headers are as they always were. It's the entire
 request verbatim (valid or not) that I'd like to add.


 Is installing the pecl_http extension on your server an option?

 http://php.net/manual/en/function.httprequest-getrawrequestmessage.php


Oh.. ignore that, sorry. I'm an idiot.

-robin


[PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
Hi all,

I'm looking at adding a new search feature to my site, and one of the
elements of this is to echo back in the search results page, the
original string the user searched for. Up until now, XSS hasn't (afaik)
been an issue for my site, but I can see from a mile off this will be.
What would you guys recommend to avoid this?

I'd thought initially of using a mixture of html_special_chars() and a
regex (as yet not sure what I'll be stripping out with this) to sanitise
the output for display on the results page, but is this enough?

Thanks
Ash
www.ashleysheridan.co.uk


Re: [PHP] Php and Imagemagick problems

2009-06-10 Thread Simon
What exactly is the problem or error message you get?

Also if this is your script, really, it needs a LOT of cleanup!!

Here's an example that could point out the problem:

  $FileName = str_replace(".jpg", "", $FileName);

  $FileName = str_replace("/", "", $ImageName);
  $FileName = str_replace(".jpg", "", $ImageName);

  //actual path to the files with NO file extension as found on the hard drive
  $SysPath = "C:/Inetpub/wwwroot/HarrisAutomate/output/WebImagesHiRes/test/$FileName";

You realize that you have overwritten the value in $FileName a couple of
times in a useless manner?
Here you see, $FileName is _just_ equal to str_replace(".jpg", "",
$ImageName); and nothing more; the 2 previous lines are useless.

Also, you do realize that str_replace("/", "", $ImageName); will just
strip out the slashes from $ImageName? So if I have
"some/path/to/some/image.jpg", it would become
"somepathtosomeimage.jpg"... is this really what you want? Same thing
for the str_replace(".jpg"): it strips out the extension so that
$Filename would be something like "image" and not "image.jpg".
Finally, $SysPath has forward slashes in the Windows path; I'm not
sure how PHP can tolerate this on Windows, but Windows paths use
backslashes (like this: C:\some\path\to\some\image.jpg).

Good luck!




Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
 mysql_real_escape_string() only sanitises the input. I would personally
 only allow [a-zA-Z0-9-_] in search string but that's just me ;)
 Validate the input in some way, or make extra sanitisation of it
 before running the search query.
 
 Regarding the HTML output, just entities() it and you'll be good :)
 
 On Wed, Jun 10, 2009 at 6:32 PM, Ashley Sheridan
 a...@ashleysheridan.co.uk wrote:
 
  On Wed, 2009-06-10 at 18:18 +0200, Nitsan Bin-Nun wrote:
   As for the output, just html entities() it and you will be good.
  
   You better check the search query for sql injection, which is more
   dangerous.
  
   HTH
   Nitsan
  
   On Wed, Jun 10, 2009 at 6:19 PM, Ashley Sheridan
   a...@ashleysheridan.co.uk wrote:
    Hi all,
   
    I'm looking at adding a new search feature to my site, and one of the
    elements of this is to echo back in the search results page, the
    original string the user searched for. Up until now, XSS hasn't (afaik)
    been an issue for my site, but I can see from a mile off this will be.
    What would you guys recommend to avoid this?
   
    I'd thought initially of using a mixture of html_special_chars() and a
    regex (as yet not sure what I'll be stripping out with this) to sanitise
    the output for display on the results page, but is this enough?
   
    Thanks
    Ash
    www.ashleysheridan.co.uk
  
  I always use mysql_real_escape_string() for that sort of thing, not had
  a problem with it, but is there anything you think I should be wary of?
  
  Thanks
  Ash
  www.ashleysheridan.co.uk
 
[just bringing it back on list]

Well, I don't understand, what is the problem with
mysql_real_escape_string() for sanitising input to use for a search? It
should escape anything out so that the query can't be used in ways that
I don't want, no?

I'd thought about using a whitelist-only regex, but that seems a little
limiting tbh, and as my site contains code, it's not unreasonable to
expect some people might want to search for particular code excerpts.


Thanks
Ash
www.ashleysheridan.co.uk


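The two escaping contexts this thread keeps running together, as an added example (not code from the thread): the reflected search term is encoded for HTML where it is echoed, the query binds the term as a parameter and escapes LIKE wildcards. It assumes PDO with pdo_sqlite for the offline demo; the table, titles and search terms are constructed, and the function names are the example's own.

```php
<?php
// Added example (not code from the thread): the reflected search term needs
// escaping for the HTML context, the query needs parameter binding; one does
// not substitute for the other. Assumes PDO with pdo_sqlite for the offline
// demo; the table, titles and search terms below are constructed.
declare(strict_types=1);

// HTML context. mysql_real_escape_string() only escapes what breaks a MySQL
// string literal (quotes, backslash, NUL) and leaves "<" and ">" alone, so
// the term must be encoded for HTML right where it is echoed.
function escape_for_html(string $userInput): string
{
    return htmlspecialchars($userInput, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// SQL context. The term is bound as a parameter, so quotes in it are inert;
// LIKE metacharacters are escaped so "%" and "_" typed by the user match
// literally instead of acting as wildcards. "!" is the declared ESCAPE char.
function escape_like_pattern(string $term): string
{
    return strtr($term, ['!' => '!!', '%' => '!%', '_' => '!_']);
}

function search_titles(PDO $db, string $term): array
{
    $stmt = $db->prepare(
        "SELECT title FROM snippets WHERE title LIKE :pattern ESCAPE '!' ORDER BY id"
    );
    $stmt->execute([':pattern' => '%' . escape_like_pattern($term) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Results page fragment: neither the term nor stored titles reach the HTML raw.
function render_results(string $term, array $titles): string
{
    $html = '<p>Results for: ' . escape_for_html($term) . "</p>\n<ul>\n";
    foreach ($titles as $title) {
        $html .= '  <li>' . escape_for_html($title) . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed content standing in for the site's database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE snippets (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO snippets (title) VALUES (?)');
foreach (['100% width CSS trick', '100 days of code', 'print_r helper', 'Using $_POST safely'] as $title) {
    $insert->execute([$title]);
}

// Searching for code is legitimate on this site, so a [a-zA-Z0-9-_] whitelist
// would reject "$_POST"; per-context escaping lets it through and still
// neutralises any markup in the term. "100%" only matches the title that
// really contains a percent sign because the wildcard is escaped.
foreach (['$_POST', '100%', '<script>alert(1)</script>'] as $term) {
    echo render_results($term, search_titles($db, $term));
}
```

On MySQL the same functions apply unchanged; only the PDO DSN differs.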



Re: [PHP] C++, $_POST - php-cgi

2009-06-10 Thread Simon
I'm working on something similar, here's the pseudo-code of what
happens to ensure the PHP script run by my server doesnt see any
difference than when it runs under apache or others...

Say the php file to execute is "index.php" and it was called from a
form post; the form tag also specified GET arguments like this: <FORM
METHOD="POST" ACTION="index.php?somegetvar=getvalue">...

The PHP script will expect this:
$_GET['somegetvar'] = "getvalue";
$_POST['somepostvar'] = "postvalue";
and
$_REQUEST['somegetvar'] = "getvalue";
$_REQUEST['somepostvar'] = "postvalue";

To get this working, the server first has to parse the HTTP message to
grab the GET arguments in the URI.  After this, the server has to
parse the Body entity of the HTTP message for POST values.  Once the
server has all the information, it can execute the php script.

I personally like to use popen("php", "w") which opens a write-only
pipe to the php process... it's like just typing "php" on the
commandline; php then listens on stdin for the code and executes it
when it receives EOF (on the commandline this happens after a ctrl-d
on linux); using popen() this happens on a pclose().

Once you've popen()ed php, you start writing something like this:
<?PHP
$_GET['somegetvar'] = "getvalue";
$_POST['somepostvar'] = "postvalue";
$_REQUEST['somegetvar'] = "getvalue";
$_REQUEST['somepostvar'] = "postvalue";
//[...] Also handle other superglobals here

require("index.php");

?>

And bingo!

Hope this helps, good luck!


On Mon, Jun 8, 2009 at 9:29 AM, Jasper jazu...@luukku.com wrote:
 Hi,
 I'm planning to create a win32 HTTP server that supports CGI. Does anybody 
 see the problem in the C++ source? PHP doesn't give any output, but if I don't 
 set the RFC 3875 environment variables, all output comes
 normally (except post and other variables aren't set).
 The only thing I'm able to set is the $_GET variables as
 script arguments.

 So how can I set post variables and others, like RAW_POST_DATA?
 The C code above lets PHP read the script by itself, and post variables 
 are written to the stdin pipe. Output
 should be able to be read from stdout (the problem is
 that there is no output, not even the headers).

 I hope that you understand what I mean...

 -
 Test script: (D:\test.php)
 -
 <?php echo 'Wd: ', getcwd(), ' var=', $_POST['var']; ?>

 -
 C++ source:
 -
 #include <windows.h>
 #include <conio.h>
 #include <stdio.h>
 #include <string.h>

 int main()
 {
    SECURITY_ATTRIBUTES sa = {sizeof(SECURITY_ATTRIBUTES)};
    sa.bInheritHandle = 1;
    sa.lpSecurityDescriptor = NULL;

    HANDLE hStdoutR, hStdoutW, hStdinR, hStdinW;
    CreatePipe(&hStdoutR,&hStdoutW,&sa,0);
    SetHandleInformation(hStdoutR,HANDLE_FLAG_INHERIT,0);
    CreatePipe(&hStdinR,&hStdinW,&sa,0);
    SetHandleInformation(hStdinW,HANDLE_FLAG_INHERIT,0);

    STARTUPINFO si = {sizeof(STARTUPINFO)};
    PROCESS_INFORMATION pi;
    si.dwFlags = STARTF_USESTDHANDLES;
    si.hStdOutput = hStdoutW;
    si.hStdInput = hStdinR;

    // POST body; CONTENT_LENGTH must equal the number of bytes actually written
    const char postData[] = "var=post+variable";   // 17 bytes
    // CGI environment block: NUL-separated entries; the zero padding of the
    // array supplies the terminating double NUL. REDIRECT_STATUS was added:
    // php-cgi refuses to run under cgi.force_redirect=1 (the default) without
    // it. Note that a custom block replaces the parent's whole environment
    // (PATH, SystemRoot, ...); copy those from GetEnvironmentStrings() as well.
    char env[255] =
        "REQUEST_METHOD=POST\0CONTENT_LENGTH=17\0"
        "CONTENT_TYPE=application/x-www-form-urlencoded\0"
        "SCRIPT_FILENAME=D:\\test.php\0REDIRECT_STATUS=200";
    if(!CreateProcess(NULL,"php-5.2.9-1-Win32\\php-cgi.exe D:\\test.php",
                      NULL,NULL,1,NORMAL_PRIORITY_CLASS,env,NULL,&si,&pi))
        return 0;
    CloseHandle(hStdoutW);
    CloseHandle(hStdinR);

    DWORD dwWritten = 0;
    //Write post data here (strlen, not a hard-coded 20 that overruns the literal)
    if(!WriteFile(hStdinW,postData,(DWORD)strlen(postData),&dwWritten,NULL))
        return 0;

    CloseHandle(hStdinW);

    char buf[1000] = {0};
    DWORD dwRead = 0;
    // buf is not NUL-terminated and may contain '%', so write exactly dwRead
    // bytes instead of printf(buf), which is a format-string bug
    while(ReadFile(hStdoutR,buf,sizeof(buf),&dwRead,NULL) && dwRead != 0){
        fwrite(buf,1,dwRead,stdout);
    }
    printf("|\n\nEND");
    CloseHandle(hStdoutR);

    getch();

    return 0;
 }
 --
 Thanks!
 Jasper



 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] URL injection

2009-06-10 Thread Simon
 https://www.xxx.co.uk/register.php;| grep 123

I wonder what kind of browser could make this, probably a hacker-made one!

This URL will have to be translated into its equivalent URI, if using
GET the HTTP message's start line would look like:

GET /register.php| grep 123 HTTP/1.1

First of all, the HTTP protocol states that the start line should contain:
METHOD one or more spaces URI one or more spaces HTTP/1.1
So, this is clearly violated as there are two spaces surrounding grep,
i believe if the server has trouble with this request, it's not yet at
the PHP level... it's an HTTP issue, clearly server related.  You wont
detect this with PHP, and if you do detect anything, it means your
server has modified it so you could...  for example, in this case it
might convert the whole | grep 123 into a single get argument's
name, it could be simply removed/ignored, the server could try to see
if there is a file named `/register.php| grep 123` and returns a
404... but the only acceptable behavior in this case is for the server
to return 400  (read
http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.1).

Good luck!

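The start-line check Simon describes, as an added example that is not part of his message: a strict parser of the kind a server (or a front proxy) applies before a request ever reaches PHP, returning 400 for anything that is not METHOD SP request-target SP HTTP-version with a URI-legal target. The sample request lines are constructed for the demonstration.

```php
<?php
// Added example, not from the thread: a strict HTTP request-line check.
// The request lines below are constructed samples.

declare(strict_types=1);

/**
 * Parse an HTTP/1.x request line. Returns [method, target, version], or null
 * when the line is malformed and the only correct answer is a 400 response.
 */
function parse_request_line(string $line): ?array
{
    // Drop the terminating CRLF; any other control character is rejected.
    $line = rtrim($line, "\r\n");
    if (preg_match('/[\x00-\x1F\x7F]/', $line)) {
        return null;
    }

    // Exactly three tokens separated by single spaces: runs of spaces or a
    // fourth token (the " grep 123" case) both fail this test.
    $parts = explode(' ', $line);
    if (count($parts) !== 3) {
        return null;
    }
    [$method, $target, $version] = $parts;

    // Methods are upper-case tokens; only HTTP/1.0 and HTTP/1.1 are accepted here.
    if (!preg_match('/^[A-Z]+$/', $method)) {
        return null;
    }
    if (!preg_match('#^HTTP/1\.[01]$#', $version)) {
        return null;
    }

    // Origin-form target: a path with optional query, built only from
    // characters RFC 3986 allows unencoded (unreserved, sub-delims, ":" "@" "/"
    // "?" and "%" for percent-encoding). "|" and " " are not among them.
    if (!preg_match('#^/[A-Za-z0-9\-._~!$&\'()*+,;=:@/%?]*$#', $target)) {
        return null;
    }

    return [$method, $target, $version];
}

/** The status a server should answer with for a given request line. */
function status_for(string $line): int
{
    return parse_request_line($line) === null ? 400 : 200;
}

// Constructed samples: a normal request, the "| grep 123" line from the
// thread, and a request with a query string.
$samples = [
    "GET /register.php HTTP/1.1\r\n",
    "GET /register.php| grep 123 HTTP/1.1\r\n",
    "GET /register.php?id=123 HTTP/1.1\r\n",
];
foreach ($samples as $s) {
    printf("%-45s -> %d\n", rtrim($s), status_for($s));
}
```

The second sample fails twice over: it has five space-separated tokens instead of three, and `|` is not a character a request-target may carry unencoded. Either failure alone is enough to answer 400 without looking at the application.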



Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Eddie Drapkin
The problem with using a database escaping string for output escaping is
that something like (despite being the world's lamest XSS)
<script>
location.href('google.com')
</script>
Would output mostly the same and with some cleverness, it wouldn't be too
hard to get that to function properly with a full fledged XSS attack.  I'd
personally use one of the FILTER_* constants in conjunction with the filter
functions themselves, say filter_var and FILTER_SANITIZE_SPECIAL_CHARS.


On Wed, Jun 10, 2009 at 12:44 PM, Ashley Sheridan
a...@ashleysheridan.co.ukwrote:

 On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
  mysql_real_escape_string() only sanitise the input. I would personally
  only allow [a-zA-Z0-9-_] in search string but that's just me ;)
  Validate the input in some way, or make extra sanitisation of it
  before running the search query.
 
  Regarding the HTML output, just entities() it and you'll be good :)
 
  On Wed, Jun 10, 2009 at 6:32 PM, Ashley Sheridan
  a...@ashleysheridan.co.uk wrote:
 
  On Wed, 2009-06-10 at 18:18 +0200, Nitsan Bin-Nun wrote:
   As far for the output, just html entities () it and you will
  be good.
  
   You better check the search query for sql injection, which
  is more
   dangerous.
  
   HTH
   Nitsan
  
   On Wed, Jun 10, 2009 at 6:19 PM, Ashley Sheridan
   a...@ashleysheridan.co.uk wrote:
   Hi all,
  
   I'm looking at adding a new search feature to my
  site, and one
   of the
   elements of this is to echo back in the search
  results page,
   the
   original string the user searched for. Up until now,
  XSS
   hasn't (afaik)
   been an issue for my site, but I can see from a mile
  off this
   will be.
   What would you guys recommend to avoid this?
  
   I'd thought initially of using a mixture of
   html_special_chars() and a
   regex (as yet not sure what I'll be stripping out
  with this)
   to sanitise
   the output for display on the results page, but is
  this
   enough?
  
   Thanks
   Ash
   www.ashleysheridan.co.uk
  
  
 
  I always use mysql_real_escape_string() for that sort of
  thing, not had
  a problem with it, but is there anything you think I should be
  wary of?
 
 
  Thanks
  Ash
  www.ashleysheridan.co.uk
 
 
 
 
 [just bringing it back on list]

 Well, I don't understand, what is the problem with
 mysql_real_escape_string() for sanitising input to use for a search? It
 should escape anything out so that the query can't be used in ways that
 I don't want no?

 I'd thought about using a whitelist-only regex, but that seems a little
 limiting tbh, and as my site contains code, it's not unreasonable to
 expect some people might want to search for particular code excerpts.


 Thanks
 Ash
 www.ashleysheridan.co.uk






[PHP] Mail function and hotmail

2009-06-10 Thread Fernando G

Hello,

I am sending an html message with and embedded image using the following code:

// Read message from html template
$fp = fopen("template.html", "rb");
$message = fread($fp, filesize("template.html"));
fclose($fp);

// I replace the values in $message that are necessary to 
// fill the template
...

// Generate a boundary string
$rand_value = md5(time());
$mime_boundary = "-$rand_value";

$headers = "MIME-Version: 1.0\r\n";
$headers .= "From: Name <n...@domain.com>\r\n";
$headers .= "Reply-To: Name <n...@domain.com>\r\n";
$headers .= "Return-Path: <n...@domain.com>\r\n";
$headers .= "Organization: Name\r\n";
$headers .= "X-Mailer: PHP's mail() Function\r\n";
$headers .= "Content-Type: multipart/related; ";
$headers .= "boundary=\"$mime_boundary\"; type=\"text/html\"\r\n\r\n";

// First part: the HTML page
$body = "This is a multi-part message in MIME format.\r\n";
$body .= "--$mime_boundary\r\n";
$body .= "Content-Type: text/html; charset=UTF-8\r\n";
$body .= "Content-Transfer-Encoding: 7bit\r\n\r\n$message\r\n\r\n";
// Second part: the inline image the HTML refers to by Content-ID
$body .= "--$mime_boundary\r\n";
$body .= "Content-Type: image/jpg\r\n";
$body .= "Content-Transfer-Encoding: base64\r\n";
$body .= "Content-ID: <ggtourslogo>\r\n\r\n";
$body .= chunk_split(base64_encode(file_get_contents("./templates/emaillogo.jpg")));
$body .= "--$mime_boundary--";

return mail("em...@domain.com", "Subject", $body, $headers);

However when it is sent to a hotmail.com address the message is received blank. 
 It does work fine with Gmail, Yahoo mail, Outlook Express and Thunderbird.

Your help is much appreciated.

Fernando

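A builder for the same kind of multipart/related message, added here as an example rather than taken from Fernando's code, together with a structural self-check to run before calling mail(). The sender address, the HTML and the image bytes are constructed placeholders; the checks cover the details a strict mail client relies on: a boundary declared in the headers and matched by exactly two part delimiters plus one closing delimiter, a header block that does not end in a blank line, a Content-ID in angle brackets, and an HTML part that actually references it via cid:. It assumes PHP 7 or later.

```php
<?php
// Added example, not Fernando's code: build a multipart/related message with
// one inline image and check its MIME structure before handing it to mail().
// Addresses, the HTML and the image bytes are constructed placeholders.

declare(strict_types=1);

/** Build [$headers, $body] for an HTML part plus one inline image. */
function build_related_message(string $html, string $imageBytes, string $cid): array
{
    // Unpredictable boundary that will not occur inside the parts.
    $boundary = 'related_' . bin2hex(random_bytes(16));
    $crlf = "\r\n";

    // Header block only, no trailing blank line: mail() separates headers from body.
    $headers = implode($crlf, [
        'MIME-Version: 1.0',
        'From: Name <sender@example.invalid>',
        'Content-Type: multipart/related; boundary="' . $boundary . '"; type="text/html"',
    ]);

    $body  = 'This is a multi-part message in MIME format.' . $crlf;
    $body .= '--' . $boundary . $crlf;
    $body .= 'Content-Type: text/html; charset=UTF-8' . $crlf;
    // quoted-printable keeps lines under the 998-octet limit and survives 7-bit relays.
    $body .= 'Content-Transfer-Encoding: quoted-printable' . $crlf . $crlf;
    $body .= quoted_printable_encode($html) . $crlf;
    $body .= '--' . $boundary . $crlf;
    $body .= 'Content-Type: image/jpeg' . $crlf;           // the registered type; "image/jpg" is not
    $body .= 'Content-Transfer-Encoding: base64' . $crlf;
    $body .= 'Content-ID: <' . $cid . '>' . $crlf;         // angle brackets are part of the syntax
    $body .= 'Content-Disposition: inline' . $crlf . $crlf;
    $body .= chunk_split(base64_encode($imageBytes), 76, $crlf);
    $body .= '--' . $boundary . '--' . $crlf;

    return [$headers, $body];
}

/** Structural checks a client relies on: delimiters, Content-ID form, cid: reference. */
function check_related_message(string $headers, string $body, string $html, string $cid): array
{
    preg_match('/boundary="([^"]+)"/', $headers, $m);
    $boundary = $m[1] ?? '';
    return [
        'boundary_declared'    => $boundary !== '',
        'headers_end_cleanly'  => substr($headers, -4) !== "\r\n\r\n",
        'opening_delimiters'   => substr_count($body, "--$boundary\r\n"),  // expect 2
        'closing_delimiter'    => substr_count($body, "--$boundary--"),    // expect 1
        'content_id_bracketed' => strpos($body, "Content-ID: <$cid>") !== false,
        'html_references_cid'  => strpos($html, "cid:$cid") !== false,
    ];
}

// Constructed sample: minimal HTML that references the inline image, and a few
// bytes with a JPEG header and trailer standing in for a real picture.
$cid   = 'logo@example.invalid';
$html  = '<html><body><p>Hello</p><img src="cid:' . $cid . '"></body></html>';
$image = "\xFF\xD8\xFF\xE0" . str_repeat("\x00", 32) . "\xFF\xD9";

[$headers, $body] = build_related_message($html, $image, $cid);
var_dump(check_related_message($headers, $body, $html, $cid));
// mail('recipient@example.invalid', 'Subject', $body, $headers);
```

Every check comes back true (or the expected count) for a message built by the function above; running the same checks over a hand-assembled header and body string is a cheap way to catch a stray CRLF or a missing bracket before a real mailbox does.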

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 12:55 -0400, Eddie Drapkin wrote:
 The problem with using a database escaping string for output escaping
 is that something like (despite being the world's lamest XSS)
 <script>
 location.href('google.com')
 </script>
 Would output mostly the same and with some cleverness, it wouldn't be
 too hard to get that to function properly with a full fledged XSS
 attack.  I'd personally use one of the FILTER_* constants in
 conjunction with the filter functions themselves, say filter_var and
 FILTER_SANITIZE_SPECIAL_CHARS.
 
 
 On Wed, Jun 10, 2009 at 12:44 PM, Ashley Sheridan
 a...@ashleysheridan.co.uk wrote:
 On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
  mysql_real_escape_string() only sanitise the input. I would
 personally
  only allow [a-zA-Z0-9-_] in search string but that's just
 me ;)
  Validate the input in some way, or make extra sanitisation
 of it
  before running the search query.
 
  Regarding the HTML output, just entities() it and you'll be
 good :)
 
  On Wed, Jun 10, 2009 at 6:32 PM, Ashley Sheridan
  a...@ashleysheridan.co.uk wrote:
 
  On Wed, 2009-06-10 at 18:18 +0200, Nitsan Bin-Nun
 wrote:
   As far for the output, just html entities () it
 and you will
  be good.
  
   You better check the search query for sql
 injection, which
  is more
   dangerous.
  
   HTH
   Nitsan
 
  
   On Wed, Jun 10, 2009 at 6:19 PM, Ashley Sheridan
   a...@ashleysheridan.co.uk wrote:
   Hi all,
  
   I'm looking at adding a new search feature
 to my
  site, and one
   of the
   elements of this is to echo back in the
 search
  results page,
   the
   original string the user searched for. Up
 until now,
  XSS
   hasn't (afaik)
   been an issue for my site, but I can see
 from a mile
  off this
   will be.
   What would you guys recommend to avoid
 this?
  
   I'd thought initially of using a mixture
 of
   html_special_chars() and a
   regex (as yet not sure what I'll be
 stripping out
  with this)
   to sanitise
   the output for display on the results
 page, but is
  this
   enough?
  
   Thanks
   Ash
   www.ashleysheridan.co.uk
  
  
 
 
  I always use mysql_real_escape_string() for that
 sort of
  thing, not had
  a problem with it, but is there anything you think I
 should be
  wary of?
 
 
  Thanks
  Ash
  www.ashleysheridan.co.uk
 
 
 
 
 
 [just bringing it back on list]
 
 Well, I don't understand, what is the problem with
 mysql_real_escape_string() for sanitising input to use for a
 search? It
 should escape anything out so that the query can't be used in
 ways that
 I don't want no?
 
 I'd thought about using a whitelist-only regex, but that seems
 a little
 limiting tbh, and as my site contains code, it's not
 unreasonable to
 expect some people might want to search for particular code
 excerpts.
 
 
 
 Thanks
 Ash
 www.ashleysheridan.co.uk
 
 
 
 
 
Oh no, I think I'm misunderstood here. I was going to use
mysql_real_escape_string only for the database input, and use
htmlentities for the display output, as essentially they are separate,
and should be treated as such.

I've been doing a bit of reading, and I can't really understand why XSS
is such an issue. Sure, if a user can insert a script tag, what
difference will that make to anyone else, as it is only on their own
browser.

Thanks
Ash
www.ashleysheridan.co.uk



Re: [PHP] Mail function and hotmail

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 12:59 -0400, Fernando G wrote:
 Hello,
 
 I am sending an html message with and embedded image using the following code:
 
 // Read message from html template
 $fp = fopen("template.html", "rb");
 $message = fread($fp, filesize("template.html"));
 fclose($fp);
 
 // I replace the values in $message that are necessary to 
 // fill the template
 ...
 
 // Generate a boundary string
 $rand_value = md5(time());
 $mime_boundary = "-$rand_value";
 
 $headers = "MIME-Version: 1.0\r\n";
 $headers .= "From: Name <n...@domain.com>\r\n";
 $headers .= "Reply-To: Name <n...@domain.com>\r\n";
 $headers .= "Return-Path: <n...@domain.com>\r\n";
 $headers .= "Organization: Name\r\n";
 $headers .= "X-Mailer: PHP's mail() Function\r\n";
 $headers .= "Content-Type: multipart/related; ";
 $headers .= "boundary=\"$mime_boundary\"; type=\"text/html\"\r\n\r\n";
 
 $body = "This is a multi-part message in MIME format.\r\n";
 $body .= "--$mime_boundary\r\n";
 $body .= "Content-Type: text/html; charset=UTF-8\r\n";
 $body .= "Content-Transfer-Encoding: 7bit\r\n\r\n$message\r\n\r\n";
 $body .= "--$mime_boundary\r\n";
 $body .= "Content-Type: image/jpg\r\n";
 $body .= "Content-Transfer-Encoding: base64\r\n";
 $body .= "Content-ID: <ggtourslogo>\r\n\r\n";
 $body .= chunk_split(base64_encode(file_get_contents("./templates/emaillogo.jpg")));
 $body .= "--$mime_boundary--";
 
 return mail("em...@domain.com", "Subject", $body, $headers);
 
 However when it is sent to a hotmail.com address the message is received 
 blank.  It does work fine with Gmail, Yahoo mail, Outlook Express and 
 Thunderbird.
 
 Your help is much appreciated.
 
 Fernando
 

As far as I'm aware, Hotmail blocks all images by default. Also, I've
seen Outlook choke on message with the \r\n line endings, could Hotmail
be doing that too?

Thanks
Ash
www.ashleysheridan.co.uk





Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Shawn McKenzie
Ashley Sheridan wrote:
 On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
 mysql_real_escape_string() only sanitise the input. I would personally
 only allow [a-zA-Z0-9-_] in search string but that's just me ;)
 Validate the input in some way, or make extra sanitisation of it
 before running the search query.

 Regarding the HTML output, just entities() it and you'll be good :)

 On Wed, Jun 10, 2009 at 6:32 PM, Ashley Sheridan
 a...@ashleysheridan.co.uk wrote:
 
 On Wed, 2009-06-10 at 18:18 +0200, Nitsan Bin-Nun wrote:
  As far for the output, just html entities () it and you will
 be good.
 
  You better check the search query for sql injection, which
 is more
  dangerous.
 
  HTH
  Nitsan
 
  On Wed, Jun 10, 2009 at 6:19 PM, Ashley Sheridan
  a...@ashleysheridan.co.uk wrote:
  Hi all,
 
  I'm looking at adding a new search feature to my
 site, and one
  of the
  elements of this is to echo back in the search
 results page,
  the
  original string the user searched for. Up until now,
 XSS
  hasn't (afaik)
  been an issue for my site, but I can see from a mile
 off this
  will be.
  What would you guys recommend to avoid this?
 
  I'd thought initially of using a mixture of
  html_special_chars() and a
  regex (as yet not sure what I'll be stripping out
 with this)
  to sanitise
  the output for display on the results page, but is
 this
  enough?
 
  Thanks
  Ash
  www.ashleysheridan.co.uk
 
 
 
 I always use mysql_real_escape_string() for that sort of
 thing, not had
 a problem with it, but is there anything you think I should be
 wary of?
 
 
 Thanks
 Ash
 www.ashleysheridan.co.uk
 
 


 [just bringing it back on list]
 
 Well, I don't understand, what is the problem with
 mysql_real_escape_string() for sanitising input to use for a search? It
 should escape anything out so that the query can't be used in ways that
 I don't want no?
 
 I'd thought about using a whitelist-only regex, but that seems a little
 limiting tbh, and as my site contains code, it's not unreasonable to
 expect some people might want to search for particular code excerpts.
 
 
 Thanks
 Ash
 www.ashleysheridan.co.uk
 

You would use mysql_real_escape_string() before using the string in a db
query (searching).  You should use htmlentities() and/or strip tags
before displaying the string.

-- 
Thanks!
-Shawn
http://www.spidean.com




Re: [PHP] Mail function and hotmail

2009-06-10 Thread Richard Heyes
Hi,

 ...

Use something that is already proven to work. It will save you an
awful lot of time.

-- 
Richard Heyes
HTML5 graphing: RGraph (www.rgraph.net - updated 6th June)
PHP mail: RMail (www.phpguru.org/rmail)
PHP datagrid: RGrid (www.phpguru.org/rgrid)
PHP Template: RTemplate (www.phpguru.org/rtemplate)
PHP SMTP: http://www.phpguru.org/smtp




RE: [PHP] Mail function and hotmail

2009-06-10 Thread Fernando G

I have no idea what else to use.  Your suggestions are appreciated.

Fernando.

 Date: Wed, 10 Jun 2009 18:04:31 +0100
 From: rich...@php.net
 To: jfer...@hotmail.com
 CC: php-general@lists.php.net
 Subject: Re: [PHP] Mail function and hotmail
 
 Hi,
 
  ...
 
 Use something that is already proven to work. It will save you an
 awful lot of time.
 
 -- 
 Richard Heyes
 HTML5 graphing: RGraph (www.rgraph.net - updated 6th June)
 PHP mail: RMail (www.phpguru.org/rmail)
 PHP datagrid: RGrid (www.phpguru.org/rgrid)
 PHP Template: RTemplate (www.phpguru.org/rtemplate)
 PHP SMTP: http://www.phpguru.org/smtp
 
 


Re: [PHP] Re: Background Process

2009-06-10 Thread Simon
kranthi, you are wrong here.  popen() will open a pipe to a process.
You must have meant fopen() which doesn't work with pipes, but with
files.

you first popen php (ie execute it)
you then write the code you want php to exec (php is still executing,
reading your input)
at the end you pclose php and then it is executed
But this, while still using 2 threads (ie the original webserver
thread, and the popen(php...)) will not be multitasking, why?
Because the first thread is writing to the second one.

You will need to look into threading functions to get a multi-threaded
program.  But a simpler approach is to execute something in the
background like this:
system("someprog &")
This works on linux at least.  System will return immediately with
success (you will never be able to catch someprog's return).  But
being a completely separate process, there won't be any communication
possible naturally, you would have to implement inter-process
communication (IPC)...  but the simplest approach would probably be:

1) webserver receives client request and data
2) webserver writes data on file, ready to be worked on by the bg thread.
3) webserver calls system("somebgprog &")
4) somebgprog starts executing and checks the content of predetermined
file and starts working on it.  It could report its status into
another file (which can be read by the server).

A simple way to make this somebgprog is using php... you build your
CLI-PHP script and then call system("php /path/to/bgscript.php &")

One problem to think about in advance:  What happens if you have many
of these queries at the same time?  eh, you'll get many threads
working at the same time in bg...  this could lead to issues...

Good luck!

On Tue, May 26, 2009 at 4:55 AM, kranthikranthi...@gmail.com wrote:
 popen will allow you to read/write data to a file but not execute the php 
 code.

 i am assuming that you want to execute the php script like
 include/require does.. if that is the case system() will serve your
 purpose, but this requires php to be installed as a CLI
 <?php
 $res = system("path/to/php.exe /path/to/second/file.php");
 ?>

 but as Nathan suggested it would be best for you if you considered
 alternative options. for example you can make an AJAX  request to the
 second file.
 Kranthi.




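Steps 1 to 4 of the hand-off Simon sketches, written out as an added example (not Simon's code). The job directory under /tmp and the worker path bgscript.php are placeholders; the example assumes a POSIX shell, since the trailing "&" has no equivalent in the Windows shell. Two points it shows that the sketch leaves implicit: the request data goes into the file, never onto the command line (only the escapeshellarg'd file path does), and the worker's output is redirected, because a web request that leaves the child's stdout attached waits for that child to finish instead of returning immediately.

```php
<?php
// Added example, not Simon's code: steps 1 to 4 above as code. The job
// directory and the worker path are placeholders; the "&" idiom is POSIX only.

declare(strict_types=1);

/** Job directory; assumed to be writable by the web server user only. */
const JOB_DIR = '/tmp/php-bg-jobs';
/** CLI worker script (placeholder path; the worker itself is not shown). */
const WORKER  = __DIR__ . '/bgscript.php';

/**
 * Step 2: write the request data to a uniquely named job file. The data is
 * JSON, so the worker parses it rather than unserializing or including it.
 */
function write_job(array $data): string
{
    if (!is_dir(JOB_DIR) && !mkdir(JOB_DIR, 0700, true)) {
        throw new RuntimeException('cannot create ' . JOB_DIR);
    }
    $path = tempnam(JOB_DIR, 'job-');
    if ($path === false || file_put_contents($path, json_encode($data)) === false) {
        throw new RuntimeException('cannot write job file');
    }
    return $path;
}

/**
 * Step 3: start the worker detached. Only the job file path reaches the
 * shell, wrapped in escapeshellarg(); the request data never becomes part of
 * a command line. stdout/stderr are redirected so the web request returns at
 * once instead of waiting for the worker to close its output.
 */
function spawn_worker(string $jobFile): string
{
    $cmd = 'php ' . escapeshellarg(WORKER) . ' ' . escapeshellarg($jobFile)
         . ' > /dev/null 2>&1 &';
    system($cmd);
    return $cmd;
}

/**
 * Step 4, worker side: read and validate the job file named on the command
 * line. Paths outside JOB_DIR are refused even if they look like job files.
 */
function load_job(string $jobFile): array
{
    $dir  = realpath(JOB_DIR);
    $real = realpath($jobFile);
    if ($dir === false || $real === false || strpos($real, $dir . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('job file is outside ' . JOB_DIR);
    }
    $data = json_decode((string) file_get_contents($real), true);
    if (!is_array($data)) {
        throw new RuntimeException('job file is not a JSON object');
    }
    return $data;
}

// Web side, with constructed request data that contains shell metacharacters
// (they are harmless here because they never reach a shell).
$job = write_job(['user_id' => 42, 'search' => "cats; echo not-run"]);
echo spawn_worker($job), "\n";

// Worker side (in bgscript.php this would be load_job($argv[1])): read the
// job back, then remove the file once the work is done.
print_r(load_job($job));
unlink($job);
```

The open question Simon raises at the end, many requests spawning many workers at once, is handled outside this snippet: a single long-running worker that polls the job directory, or a counter of running jobs that spawn_worker consults before starting another, are the usual answers.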



Re: [PHP] Mail function and hotmail

2009-06-10 Thread Bastien Koert
On Wed, Jun 10, 2009 at 1:11 PM, Fernando Gjfer...@hotmail.com wrote:

 I have no idea what else to use.  Your suggestions are appreciated.

 Fernando.

 Date: Wed, 10 Jun 2009 18:04:31 +0100
 From: rich...@php.net
 To: jfer...@hotmail.com
 CC: php-general@lists.php.net
 Subject: Re: [PHP] Mail function and hotmail

 Hi,

  ...

 Use something that is already proven to work. It will save you an
 awful lot of time.

 --
 Richard Heyes
 HTML5 graphing: RGraph (www.rgraph.net - updated 6th June)
 PHP mail: RMail (www.phpguru.org/rmail)
 PHP datagrid: RGrid (www.phpguru.org/rgrid)
 PHP Template: RTemplate (www.phpguru.org/rtemplate)
 PHP SMTP: http://www.phpguru.org/smtp





Richard was likely suggesting his mail example as listed in his signature

Other options include

phpmailer
pear's mime mail

various other classes available www.phpclasses.org
-- 

Bastien

Cat, the other other white meat




Re: [PHP] Mail function and hotmail

2009-06-10 Thread Richard Heyes
Hi,

 pear's mime mail

I believe I had a hand in that too. It's like a bad rash - it gets
everywhere... :-)

-- 
Richard Heyes
HTML5 graphing: RGraph (www.rgraph.net - updated 6th June)
PHP mail: RMail (www.phpguru.org/rmail)
PHP datagrid: RGrid (www.phpguru.org/rgrid)
PHP Template: RTemplate (www.phpguru.org/rtemplate)
PHP SMTP: http://www.phpguru.org/smtp




RE: [PHP] Mail function and hotmail

2009-06-10 Thread Fernando G

Thanks.  I'll check that out.

 Date: Wed, 10 Jun 2009 18:24:45 +0100
 Subject: Re: [PHP] Mail function and hotmail
 From: rich...@php.net
 To: phps...@gmail.com
 CC: jfer...@hotmail.com; php-general@lists.php.net
 
 Hi,
 
  pear's mime mail
 
 I believe I had a hand in that too. It's like a bad rash - it gets
 everywhere... :-)
 
 -- 
 Richard Heyes
 HTML5 graphing: RGraph (www.rgraph.net - updated 6th June)
 PHP mail: RMail (www.phpguru.org/rmail)
 PHP datagrid: RGrid (www.phpguru.org/rgrid)
 PHP Template: RTemplate (www.phpguru.org/rtemplate)
 PHP SMTP: http://www.phpguru.org/smtp


Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Sudheer Satyanarayana



I've been doing a bit of reading, and I can't really understand why XSS
is such an issue. Sure, if a user can insert a script tag, what
difference will that make to anyone else, as it is only on their own
browser.
  
1. User 1 logs on to the application and fills in the form with malicious 
JS code in it. The server accepts the input, which is stored in the database.
2. User 2 logs on to the application and goes to view the information 
stored in the database. The JS gets executed in user 2's browser. User 2 
is attacked by XSS.


I hope that clarifies the question.


--

With warm regards,
Sudheer. S
Business: http://binaryvibes.co.in, Tech stuff: http://techchorus.net, 
Personal: http://sudheer.net





Re: [PHP] PHP as Server Side for a Web Database Application.

2009-06-10 Thread Lenin
I reckon Dan brown is fond of pillow talks instead of PHP(pillow has
p*nux) in here very much ;)




Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
  I've been doing a bit of reading, and I can't really understand why XSS
  is such an issue. Sure, if a user can insert a script tag, what
  difference will that make to anyone else, as it is only on their own
  browser.

 1. User 1 logs on to the application and fills in the form with malicious 
 JS code in it. The server accepts the input, which is stored in the database.
 2. User 2 logs on to the application and goes to view the information 
 stored in the database. The JS gets executed in user 2's browser. User 2 
 is attacked by XSS.
 
 I hope that clarifies the question.
 
 
It does to a degree. So I shouldn't really worry about it in this case,
as input from one user will never be displayed to any other user. If it
was a forum or something, it would, but the search string is only ever
shown to the user who entered it, and never stored for later display.

Thanks
Ash
www.ashleysheridan.co.uk





Re: [PHP] Mail function and hotmail

2009-06-10 Thread Sudheer Satyanarayana




Richard was likely suggesting his mail example as listed in his signature

Other options include

phpmailer
pear's mime mail

various other classes available www.phpclasses.org
  

Fernando,

I recommend you check out the various PHP frameworks out there. Instead 
of randomly searching for classes for common functionality like sending 
an email from your script, you could use the framework's classes. I am 
sure all of the frameworks provide classes to send emails.  The next 
time you need a  class to read email from your scripts, you can simply 
look for classes your framework of choice provides.


I personally use Zend Framework. But there are many available - Cake, 
CI, Symphony, etc.


Also take a look at PEAR like Bastien said.
--

With warm regards,
Sudheer. S
Business: http://binaryvibes.co.in, Tech stuff: http://techchorus.net, 
Personal: http://sudheer.net





Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
 Ashley Sheridan wrote:
  On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:

  I've been doing a bit of reading, and I can't really understand why XSS
  is such an issue. Sure, if a user can insert a script tag, what
  difference will that make to anyone else, as it is only on their own
  browser.


  1. User 1 logs on to the application. Fills up the form with malicious 
  JS code in it. The server accepts the input, is stored in the database.
  2. User 2 logs on to the application. Goes to the view the information 
  stored in the database. The JS gets executed on user 2's browser. User 
  is attacked by XSS.
 
  I hope that clarifies the question.
 
 
  
  It does to a degree. So I shouldn't really worry about it in this case,
  as input from one user will never be displayed to any other user. If it
  was a forum or something, it would, but the search string is only ever
  shown to the user who entered it, and never stored for later display.
 

 It is easy to slip by. I recall a website was hacked using XSS on the 
 page the admin views the log entries. Just in case, you or somebody else 
 tries to add the search log feature in the future, keep this at the back 
 of your mind. Having the user to click on a harmful URI is ridiculously 
 easy.
 
  
 
 
 -- 
 
 With warm regards,
 Sudheer. S
 Business: http://binaryvibes.co.in, Tech stuff: http://techchorus.net, 
 Personal: http://sudheer.net
 
 
Yeah, I never realised what a minefield it could be, but I've been doing
a lot of reading today!

Thanks
Ash
www.ashleysheridan.co.uk





Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote:
 On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
  Ashley Sheridan wrote:
   On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
 
   I've been doing a bit of reading, and I can't really understand why XSS
   is such an issue. Sure, if a user can insert a script tag, what
   difference will that make to anyone else, as it is only on their own
   browser.
 
 
   1. User 1 logs on to the application. Fills up the form with malicious 
   JS code in it. The server accepts the input, is stored in the database.
   2. User 2 logs on to the application. Goes to the view the information 
   stored in the database. The JS gets executed on user 2's browser. User 
   is attacked by XSS.
  
   I hope that clarifies the question.
  
  
   
   It does to a degree. So I shouldn't really worry about it in this case,
   as input from one user will never be displayed to any other user. If it
   was a forum or something, it would, but the search string is only ever
   shown to the user who entered it, and never stored for later display.
  
 
  It is easy to slip by. I recall a website was hacked using XSS on the 
  page the admin views the log entries. Just in case, you or somebody else 
  tries to add the search log feature in the future, keep this at the back 
  of your mind. Having the user to click on a harmful URI is ridiculously 
  easy.
  
   
  
  
  -- 
  
  With warm regards,
  Sudheer. S
  Business: http://binaryvibes.co.in, Tech stuff: http://techchorus.net, 
  Personal: http://sudheer.net
  
  
 Yeah, I never realised what a minefield it could be, but I've been doing
 a lot of reading today!
 
 Thanks
 Ash
 www.ashleysheridan.co.uk
 
 
So something like this would be acceptable?:

$searchTerms = (isset($_REQUEST['q']))?$_REQUEST['q']:'';
$searchTerms = htmlentities($searchTerms);
$dbSearchTerms = mysql_real_escape_string($searchTerms);

Giving me two variables, one for display output to user, the other for
use in the database?

Thanks
Ash
www.ashleysheridan.co.uk


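The separation Shawn and Sudheer describe, one raw value with encoding applied per sink, as an added example that is not code from this thread. It uses PDO with an in-memory SQLite database (assumed available) and a parameterised query in place of mysql_real_escape_string, a constructed search string in place of user input, and shows Eddie's filter_var/FILTER_SANITIZE_SPECIAL_CHARS output next to htmlspecialchars for comparison. The last line of the result shows what happens when the string is entity-encoded before it is stored, as in the snippet above, and then encoded again at output: the stored text is no longer what the user typed, and it renders as visible `&lt;script&gt;` rather than as the original characters.

```php
<?php
// Added example, not from the thread: one raw value, encoded per sink.
// Assumes PDO with the sqlite driver is available; the schema and the
// sample search string are constructed for this demonstration.

declare(strict_types=1);

// Constructed sample input: what someone might type into the search box.
const SAMPLE_QUERY = "<script>location.href='http://example.invalid/'</script> O'Reilly";

/** Encode a string for insertion into an HTML text node or attribute value. */
function html_out(string $raw): string
{
    // ENT_QUOTES also encodes single quotes, so the result is safe inside
    // single-quoted attributes; naming the charset avoids encoding-based bypasses.
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

/** Store the raw search string and count rows carrying exactly that text. */
function store_and_count(PDO $db, string $raw): int
{
    // Parameterised query: the driver keeps data and SQL apart, so quotes
    // in $raw cannot alter the statement and nothing needs escaping.
    $ins = $db->prepare('INSERT INTO search_log (query) VALUES (:q)');
    $ins->execute([':q' => $raw]);

    $sel = $db->prepare('SELECT COUNT(*) FROM search_log WHERE query = :q');
    $sel->execute([':q' => $raw]);
    return (int) $sel->fetchColumn();
}

/** Read the stored strings back and render them for an HTML page. */
function render_log(PDO $db): string
{
    $html = '';
    foreach ($db->query('SELECT query FROM search_log') as $row) {
        // Encode at the moment of output, never before storage.
        $html .= '<li>' . html_out($row['query']) . "</li>\n";
    }
    return $html;
}

function demo(): array
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE search_log (id INTEGER PRIMARY KEY, query TEXT NOT NULL)');

    $count = store_and_count($db, SAMPLE_QUERY);

    return [
        'rows_matching_raw' => $count,                        // 1: the raw text survives intact
        'display'           => html_out(SAMPLE_QUERY),
        'filter_var'        => filter_var(SAMPLE_QUERY, FILTER_SANITIZE_SPECIAL_CHARS),
        'log_page'          => render_log($db),
        'double_encoded'    => html_out(html_out(SAMPLE_QUERY)), // encoding before storage, then again at output
    ];
}

foreach (demo() as $k => $v) {
    echo str_pad($k, 18), ': ', $v, "\n";
}
```

Both encoders neutralise the sample: htmlspecialchars yields named entities (`&lt;`, `&#039;`), FILTER_SANITIZE_SPECIAL_CHARS numeric ones (`&#60;`, `&#39;`); either is fine for an HTML text node as long as it is applied once, at output. The same raw value can then be handed to a prepared statement for the search itself, which is what keeps the two concerns separate.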



Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Nitsan Bin-Nun
That would do the job.

If you are already digging into it, take a look at XSRF/CSRF, which can
both be very harmful, especially for ecommerce websites.

On Wed, Jun 10, 2009 at 8:08 PM, Ashley
Sheridana...@ashleysheridan.co.uk wrote:
 On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote:
 On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
  Ashley Sheridan wrote:
   On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
  
   I've been doing a bit of reading, and I can't really understand why XSS
   is such an issue. Sure, if a user can insert a script tag, what
   difference will that make to anyone else, as it is only on their own
   browser.
  
  
   1. User 1 logs on to the application. Fills up the form with malicious
   JS code in it. The server accepts the input, is stored in the database.
   2. User 2 logs on to the application. Goes to the view the information
   stored in the database. The JS gets executed on user 2's browser. User
   is attacked by XSS.
  
   I hope that clarifies the question.
  
  
  
   It does to a degree. So I shouldn't really worry about it in this case,
   as input from one user will never be displayed to any other user. If it
   was a forum or something, it would, but the search string is only ever
   shown to the user who entered it, and never stored for later display.
  
  
  It is easy to slip by. I recall a website was hacked using XSS on the
  page the admin views the log entries. Just in case, you or somebody else
  tries to add the search log feature in the future, keep this at the back
  of your mind. Having the user to click on a harmful URI is ridiculously
  easy.
 
 
 
 
  --
 
  With warm regards,
  Sudheer. S
  Business: http://binaryvibes.co.in, Tech stuff: http://techchorus.net, 
  Personal: http://sudheer.net
 
 
 Yeah, I never realised what a minefield it could be, but I've been doing
 a lot of reading today!

 Thanks
 Ash
 www.ashleysheridan.co.uk


 So something like this would be acceptable?:

 $searchTerms = (isset($_REQUEST['q']))?$_REQUEST['q']:'';
 $searchTerms = htmlentities($searchTerms);
 $dbSearchTerms = mysql_real_escape_string($searchTerms);

 Giving me two variables, one for display output to user, the other for
 use in the database?

 Thanks
 Ash
 www.ashleysheridan.co.uk






Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 19:59 +0200, Nitsan Bin-Nun wrote:
 That would do the job.
 
 If you are already digging into it, take a look at XSRF/CSRF, which can
 both be very harmful, especially for ecommerce websites.
 
 On Wed, Jun 10, 2009 at 8:08 PM, Ashley
 Sheridana...@ashleysheridan.co.uk wrote:
  On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote:
  On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
   Ashley Sheridan wrote:
On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
   
I've been doing a bit of reading, and I can't really understand why 
XSS
is such an issue. Sure, if a user can insert a script tag, what
difference will that make to anyone else, as it is only on their own
browser.
   
   
1. User 1 logs on to the application. Fills up the form with malicious
JS code in it. The server accepts the input, is stored in the 
database.
2. User 2 logs on to the application. Goes to the view the information
stored in the database. The JS gets executed on user 2's browser. User
is attacked by XSS.
   
I hope that clarifies the question.
   
   
   
It does to a degree. So I shouldn't really worry about it in this case,
as input from one user will never be displayed to any other user. If it
was a forum or something, it would, but the search string is only ever
shown to the user who entered it, and never stored for later display.
   
   
   It is easy to slip by. I recall a website was hacked using XSS on the
   page the admin views the log entries. Just in case, you or somebody else
   tries to add the search log feature in the future, keep this at the back
   of your mind. Having the user to click on a harmful URI is ridiculously
   easy.
  
  
  
  
   --
  
   With warm regards,
   Sudheer. S
   Business: http://binaryvibes.co.in, Tech stuff: http://techchorus.net, 
   Personal: http://sudheer.net
  
  
  Yeah, I never realised what a minefield it could be, but I've been doing
  a lot of reading today!
 
  Thanks
  Ash
  www.ashleysheridan.co.uk
 
 
  So something like this would be acceptable?:
 
  $searchTerms = (isset($_REQUEST['q']))?$_REQUEST['q']:'';
  $searchTerms = htmlentities($searchTerms);
  $dbSearchTerms = mysql_real_escape_string($searchTerms);
 
  Giving me two variables, one for display output to user, the other for
  use in the database?
 
  Thanks
  Ash
  www.ashleysheridan.co.uk
 
 
Thanks, I will.

Thanks
Ash
www.ashleysheridan.co.uk





[PHP] Form handling

2009-06-10 Thread Eddie Drapkin
I've been charged with writing a class that handles forms, once they've been
POSTed to.  The idea of the class is to handle the most common use-cases of
POST forms, and any special functionality can be handled with a child class
at a later date, but for our uses, we're going to have mostly pretty typical
POST forms.  Follows is the list of cases I've determined that are the most
common, can anyone think of any that are omitted or that are never going to
be used?

class form_handler {
public /* bool */ function setRequiredFields(array $fields); //takes a
simple array that corresponds to a $_POST key, verifying that there is data
on required fields but not for optional fields, returns true or false on
error
public /* bool */ function setRequiredFieldTypes(array $fieldTypes);
//array of field names => type a la ('username' => array(regex,
'/a-zA-Z0-9\-_/'))
//or 'phone_number' => (array('int', 'min_len' => 7,
'max_len' => 10)) etc, the exact spec is obviously nowhere near done but
will probably just wrap a lot of filter_ functions, returns true or false on
error
public /* string */ function validateAndCaptureError(); //returns error
or empty string
public /* void */ function validateAndForwardTo($page); //forwards to
page on error, or not
}

each of the globule setters will have a corresponding appendRequired...
method, so as not to require handling enormous data structures for
conditional form building.
As you can see, the class looks pretty barren, but I can't think of any more
functionality than would be required, although I am kicking the idea around
of having very specific validation type methods ie.
form_handler::requireInt($field, array $options) or
form_handler::requireRegex($field, $regex), etc.

Thoughts?

Thanks in advance,
--Eddie
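An added example, not Eddie's class: a minimal form_handler along the lines sketched in the post (required-field presence, per-field type rules wrapping filter_var(), an error string instead of a forward). The submission is passed in as an array standing in for $_POST, and the field names and rules are constructed sample values.

```php
<?php
// Added example, not code from the list post. Implements the sketch above:
// required fields, per-field type rules ('regex' or 'int' with min_len /
// max_len) wrapping filter_var(), and validateAndCaptureError().
declare(strict_types=1);

class form_handler
{
    /** @var array<string, mixed> the submitted form, normally $_POST */
    private array $post;
    /** @var list<string> */
    private array $required = [];
    /** @var array<string, array> rule per field, e.g. ['regex', '/^[a-z]+$/'] */
    private array $types = [];

    public function __construct(array $post)
    {
        $this->post = $post;
    }

    public function setRequiredFields(array $fields): void
    {
        $this->required = array_values($fields);
    }

    public function setRequiredFieldTypes(array $fieldTypes): void
    {
        $this->types = $fieldTypes;
    }

    /** Returns the first validation error, or '' when every rule passes. */
    public function validateAndCaptureError(): string
    {
        foreach ($this->required as $field) {
            // isset() alone would accept an empty string; require real data.
            if (!isset($this->post[$field]) || trim((string) $this->post[$field]) === '') {
                return "Field '$field' is required.";
            }
        }
        foreach ($this->types as $field => $rule) {
            // Optional fields that were not submitted are not type-checked.
            if (!isset($this->post[$field]) || $this->post[$field] === '') {
                continue;
            }
            $value = (string) $this->post[$field];
            switch ($rule[0]) {
                case 'regex':
                    // FILTER_VALIDATE_REGEXP returns false on no match. The
                    // pattern must be anchored (^...$): an unanchored class would
                    // pass any string containing one legal character.
                    $ok = filter_var($value, FILTER_VALIDATE_REGEXP,
                        ['options' => ['regexp' => $rule[1]]]) !== false;
                    break;
                case 'int':
                    // Digits only, with length bounds taken from the rule.
                    $len = strlen($value);
                    $ok = ctype_digit($value)
                        && $len >= ($rule['min_len'] ?? 0)
                        && $len <= ($rule['max_len'] ?? PHP_INT_MAX);
                    break;
                default:
                    return "Unknown rule for field '$field'.";
            }
            if (!$ok) {
                return "Field '$field' has an invalid value.";
            }
        }
        return '';
    }
}

// Constructed sample submissions standing in for $_POST.
$good = ['username' => 'alice_01', 'phone_number' => '5551234567'];
$bad  = ['username' => 'alice<script>', 'phone_number' => '12'];

foreach ([$good, $bad] as $submission) {
    $form = new form_handler($submission);
    $form->setRequiredFields(['username']);
    $form->setRequiredFieldTypes([
        'username'     => ['regex', '/^[a-zA-Z0-9_-]+$/'],
        'phone_number' => ['int', 'min_len' => 7, 'max_len' => 10],
    ]);
    $error = $form->validateAndCaptureError();
    echo $error === '' ? "accepted\n" : "rejected: $error\n";
}
```

Validation here decides what is accepted; it does not replace escaping at the HTML or SQL sink, which the rest of the thread covers.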


Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Sudheer Satyanarayana

Ashley Sheridan wrote:

On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
  

I've been doing a bit of reading, and I can't really understand why XSS
is such an issue. Sure, if a user can insert a script tag, what
difference will that make to anyone else, as it is only on their own
browser.
  
  
1. User 1 logs on to the application. Fills up the form with malicious 
JS code in it. The server accepts the input, is stored in the database.
2. User 2 logs on to the application. Goes to the view the information 
stored in the database. The JS gets executed on user 2's browser. User 
is attacked by XSS.


I hope that clarifies the question.




It does to a degree. So I shouldn't really worry about it in this case,
as input from one user will never be displayed to any other user. If it
was a forum or something, it would, but the search string is only ever
shown to the user who entered it, and never stored for later display.

  
It is easy to slip by. I recall a website was hacked using XSS on the 
page the admin views the log entries. Just in case, you or somebody else 
tries to add the search log feature in the future, keep this at the back 
of your mind. Having the user to click on a harmful URI is ridiculously 
easy.





--

With warm regards,
Sudheer. S
Business: http://binaryvibes.co.in, Tech stuff: http://techchorus.net, 
Personal: http://sudheer.net





Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Eddie Drapkin
On Wed, Jun 10, 2009 at 2:08 PM, Ashley Sheridan
a...@ashleysheridan.co.ukwrote:

 On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote:
  On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
   Ashley Sheridan wrote:
On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
   
I've been doing a bit of reading, and I can't really understand why
 XSS
is such an issue. Sure, if a user can insert a script tag, what
difference will that make to anyone else, as it is only on their
 own
browser.
   
   
1. User 1 logs on to the application. Fills up the form with
 malicious
JS code in it. The server accepts the input, is stored in the
 database.
2. User 2 logs on to the application. Goes to the view the
 information
stored in the database. The JS gets executed on user 2's browser.
 User
is attacked by XSS.
   
I hope that clarifies the question.
   
   
   
It does to a degree. So I shouldn't really worry about it in this
 case,
as input from one user will never be displayed to any other user. If
 it
was a forum or something, it would, but the search string is only
 ever
shown to the user who entered it, and never stored for later display.
   
   
   It is easy to slip by. I recall a website was hacked using XSS on the
   page the admin views the log entries. Just in case, you or somebody
 else
   tries to add the search log feature in the future, keep this at the
 back
   of your mind. Having the user to click on a harmful URI is ridiculously
   easy.
  
  
  
  
   --
  
   With warm regards,
   Sudheer. S
   Business: http://binaryvibes.co.in, Tech stuff: http://techchorus.net,
 Personal: http://sudheer.net
  
  
  Yeah, I never realised what a minefield it could be, but I've been doing
  a lot of reading today!
 
  Thanks
  Ash
  www.ashleysheridan.co.uk
 
 
 So something like this would be acceptable?:

 $searchTerms = (isset($_REQUEST['q']))?$_REQUEST['q']:'';
 $searchTerms = htmlentities($searchTerms);
 $dbSearchTerms = mysql_real_escape_string($searchTerms);

 Giving me two variables, one for display output to user, the other for
 use in the database?

 Thanks
 Ash
 www.ashleysheridan.co.uk



You wouldn't want to insert htmlentity escaped information into your
database.

This method has always worked well for me:

Accept input -> db escape -> store;
Retrieve output from db -> html escape -> display;

So, I'm actually storing (in at least one case that I've seen), human
readable XSS in the database, but I have a consistent approach to escaping
before outputting so that it never gets displayed as XSS and I never
accidentally escape it twice, which depending on a few factors, can have
some pretty ugly results.  You wouldn't want to see &amp;amp; anywhere,
would you? Alternatively though, if you are storing it html-escaped in the
database, make sure you don't ever escape it before you output, but I find
that approach a lot less flexible, has problems with searches, isn't easy to
read from the mysql cli console, etc. etc.


Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 14:14 -0400, Eddie Drapkin wrote:
 On Wed, Jun 10, 2009 at 2:08 PM, Ashley Sheridan
 a...@ashleysheridan.co.ukwrote:
 
  On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote:
   On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
Ashley Sheridan wrote:
 On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:

 I've been doing a bit of reading, and I can't really understand why
  XSS
 is such an issue. Sure, if a user can insert a script tag, what
 difference will that make to anyone else, as it is only on their
  own
 browser.


 1. User 1 logs on to the application. Fills up the form with
  malicious
 JS code in it. The server accepts the input, is stored in the
  database.
 2. User 2 logs on to the application. Goes to the view the
  information
 stored in the database. The JS gets executed on user 2's browser.
  User
 is attacked by XSS.

 I hope that clarifies the question.



 It does to a degree. So I shouldn't really worry about it in this
  case,
 as input from one user will never be displayed to any other user. If
  it
 was a forum or something, it would, but the search string is only
  ever
 shown to the user who entered it, and never stored for later display.


It is easy to slip by. I recall a website was hacked using XSS on the
page the admin views the log entries. Just in case, you or somebody
  else
tries to add the search log feature in the future, keep this at the
  back
of your mind. Having the user to click on a harmful URI is ridiculously
easy.
   
   
   
   
--
   
With warm regards,
Sudheer. S
Business: http://binaryvibes.co.in, Tech stuff: http://techchorus.net,
  Personal: http://sudheer.net
   
   
   Yeah, I never realised what a minefield it could be, but I've been doing
   a lot of reading today!
  
   Thanks
   Ash
   www.ashleysheridan.co.uk
  
  
  So something like this would be acceptable?:
 
  $searchTerms = (isset($_REQUEST['q']))?$_REQUEST['q']:'';
  $searchTerms = htmlentities($searchTerms);
  $dbSearchTerms = mysql_real_escape_string($searchTerms);
 
  Giving me two variables, one for display output to user, the other for
  use in the database?
 
  Thanks
  Ash
  www.ashleysheridan.co.uk
 
 
 
 You wouldn't want to insert htmlentity escaped information into your
 database.
 
 This method has always worked well for me:
 
 Accept input -> db escape -> store;
 Retrieve output from db -> html escape -> display;
 
 So, I'm actually storing (in at least one case that I've seen), human
 readable XSS in the database, but I have a consistent approach to escaping
 before outputting so that it never gets displayed as XSS and I never
 accidentally escape it twice, which depending on a few factors, can have
 some pretty ugly results.  You wouldn't want to see &amp;amp; anywhere,
 would you? Alternatively though, if you are storing it html-escaped in the
 database, make sure you don't ever escape it before you output, but I find
 that approach a lot less flexible, has problems with searches, isn't easy to
 read from the mysql cli console, etc. etc.

OK, so I just swapped those last two lines over like so:

$searchTerms = (isset($_REQUEST['q']))?trim($_REQUEST['q']):'';
$dbSearchTerms = mysql_real_escape_string($searchTerms);
$searchTerms = htmlentities($searchTerms);


Thanks
Ash
www.ashleysheridan.co.uk





RE: [PHP] Mail function and hotmail

2009-06-10 Thread Fernando G

Thank you.  I'm looking at PEAR Mail_mime right now.  It seems promising.

Fernando.

 Date: Wed, 10 Jun 2009 23:14:11 +0530
 From: sudhee...@binaryvibes.co.in
 To: phps...@gmail.com
 CC: jfer...@hotmail.com; rich...@php.net; php-general@lists.php.net
 Subject: Re: [PHP] Mail function and hotmail
 
 
 
  Richard was likely suggestion his mail example as listed in his signature
 
  Other options include
 
  phpmailer
  pear's mime mail
 
  various other classes available www.phpclasses.org

 Fernando,
 
 I recommend you check out the various PHP frameworks out there. Instead 
 of randomly searching for classes for common functionality like sending 
 an email from your script, you could use the framework's classes. I am 
 sure all of the frameworks provide classes to send emails.  The next 
 time you need a  class to read email from your scripts, you can simply 
 look for classes your framework of choice provides.
 
 I personally use Zend Framework. But there are many available - Cake, 
 CI, Symphony, etc.
 
 Also take a look at PEAR like Bastien said.
 -- 
 
 With warm regards,
 Sudheer. S
 Business: http://binaryvibes.co.in, Tech stuff: http://techchorus.net, 
 Personal: http://sudheer.net
 


Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Andrew Ballard
On Wed, Jun 10, 2009 at 2:26 PM, Ashley
Sheridana...@ashleysheridan.co.uk wrote:
 On Wed, 2009-06-10 at 14:14 -0400, Eddie Drapkin wrote:
 On Wed, Jun 10, 2009 at 2:08 PM, Ashley Sheridan
 a...@ashleysheridan.co.ukwrote:

  On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote:
   On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
Ashley Sheridan wrote:
 On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:

 I've been doing a bit of reading, and I can't really understand why
  XSS
 is such an issue. Sure, if a user can insert a script tag, what
 difference will that make to anyone else, as it is only on their
  own
 browser.


 1. User 1 logs on to the application. Fills up the form with
  malicious
 JS code in it. The server accepts the input, is stored in the
  database.
 2. User 2 logs on to the application. Goes to the view the
  information
 stored in the database. The JS gets executed on user 2's browser.
  User
 is attacked by XSS.

 I hope that clarifies the question.



 It does to a degree. So I shouldn't really worry about it in this
  case,
 as input from one user will never be displayed to any other user. If
  it
 was a forum or something, it would, but the search string is only
  ever
 shown to the user who entered it, and never stored for later display.


It is easy to slip by. I recall a website was hacked using XSS on the
page the admin views the log entries. Just in case, you or somebody
  else
tries to add the search log feature in the future, keep this at the
  back
of your mind. Having the user to click on a harmful URI is ridiculously
easy.
   
   
   
   
--
   
With warm regards,
Sudheer. S
Business: http://binaryvibes.co.in, Tech stuff: http://techchorus.net,
  Personal: http://sudheer.net
   
   
   Yeah, I never realised what a minefield it could be, but I've been doing
   a lot of reading today!
  
   Thanks
   Ash
   www.ashleysheridan.co.uk
  
  
  So something like this would be acceptable?:
 
  $searchTerms = (isset($_REQUEST['q']))?$_REQUEST['q']:'';
  $searchTerms = htmlentities($searchTerms);
  $dbSearchTerms = mysql_real_escape_string($searchTerms);
 
  Giving me two variables, one for display output to user, the other for
  use in the database?
 
  Thanks
  Ash
  www.ashleysheridan.co.uk
 


 You wouldn't want to insert htmlentity escaped information into your
 database.

 This method has always worked well for me:

 Accept input -> db escape -> store;
 Retrieve output from db -> html escape -> display;

 So, I'm actually storing (in at least one case that I've seen), human
 readable XSS in the database, but I have a consistent approach to escaping
 before outputting so that it never gets displayed as XSS and I never
 accidentally escape it twice, which depending on a few factors, can have
 some pretty ugly results.  You wouldn't want to see &amp;amp; anywhere,
 would you? Alternatively though, if you are storing it html-escaped in the
 database, make sure you don't ever escape it before you output, but I find
 that approach a lot less flexible, has problems with searches, isn't easy to
 read from the mysql cli console, etc. etc.

 OK, so I just swapped those last two lines over like so:

 $searchTerms = (isset($_REQUEST['q']))?trim($_REQUEST['q']):'';
 $dbSearchTerms = mysql_real_escape_string($searchTerms);
 $searchTerms = htmlentities($searchTerms);


 Thanks
 Ash
 www.ashleysheridan.co.uk


I wouldn't self-assign the output of htmlentities to $searchTerms at all.

<?php
$searchTerms = (isset($_REQUEST['q']))?trim($_REQUEST['q']):'';

// Rather than this:
$searchTerms = htmlspecialchars($searchTerms);
echo $searchTerms;

// I prefer this:
echo htmlspecialchars($searchTerms);

?>

Escape sequences are not part of the data, so I don't store them.

Andrew




Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 14:40 -0400, Andrew Ballard wrote:
 On Wed, Jun 10, 2009 at 2:26 PM, Ashley
 Sheridana...@ashleysheridan.co.uk wrote:
  On Wed, 2009-06-10 at 14:14 -0400, Eddie Drapkin wrote:
  On Wed, Jun 10, 2009 at 2:08 PM, Ashley Sheridan
  a...@ashleysheridan.co.ukwrote:
 
   On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote:
On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
 Ashley Sheridan wrote:
  On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
 
  I've been doing a bit of reading, and I can't really understand 
  why
   XSS
  is such an issue. Sure, if a user can insert a script tag, what
  difference will that make to anyone else, as it is only on their
   own
  browser.
 
 
  1. User 1 logs on to the application. Fills up the form with
   malicious
  JS code in it. The server accepts the input, is stored in the
   database.
  2. User 2 logs on to the application. Goes to the view the
   information
  stored in the database. The JS gets executed on user 2's browser.
   User
  is attacked by XSS.
 
  I hope that clarifies the question.
 
 
 
  It does to a degree. So I shouldn't really worry about it in this
   case,
  as input from one user will never be displayed to any other user. 
  If
   it
  was a forum or something, it would, but the search string is only
   ever
  shown to the user who entered it, and never stored for later 
  display.
 
 
 It is easy to slip by. I recall a website was hacked using XSS on the
 page the admin views the log entries. Just in case, you or somebody
   else
 tries to add the search log feature in the future, keep this at the
   back
 of your mind. Having the user to click on a harmful URI is 
 ridiculously
 easy.




 --

 With warm regards,
 Sudheer. S
 Business: http://binaryvibes.co.in, Tech stuff: 
 http://techchorus.net,
   Personal: http://sudheer.net


Yeah, I never realised what a minefield it could be, but I've been 
doing
a lot of reading today!
   
Thanks
Ash
www.ashleysheridan.co.uk
   
   
   So something like this would be acceptable?:
  
   $searchTerms = (isset($_REQUEST['q']))?$_REQUEST['q']:'';
   $searchTerms = htmlentities($searchTerms);
   $dbSearchTerms = mysql_real_escape_string($searchTerms);
  
   Giving me two variables, one for display output to user, the other for
   use in the database?
  
   Thanks
   Ash
   www.ashleysheridan.co.uk
  
 
 
  You wouldn't want to insert htmlentity escaped information into your
  database.
 
  This method has always worked well for me:
 
  Accept input -> db escape -> store;
  Retrieve output from db -> html escape -> display;
 
  So, I'm actually storing (in at least one case that I've seen), human
  readable XSS in the database, but I have a consistent approach to escaping
  before outputting so that it never gets displayed as XSS and I never
  accidentally escape it twice, which depending on a few factors, can have
  some pretty ugly results.  You wouldn't want to see &amp;amp; anywhere,
  would you? Alternatively though, if you are storing it html-escaped in the
  database, make sure you don't ever escape it before you output, but I find
  that approach a lot less flexible, has problems with searches, isn't easy 
  to
  read from the mysql cli console, etc. etc.
 
  OK, so I just swapped those last two lines over like so:
 
  $searchTerms = (isset($_REQUEST['q']))?trim($_REQUEST['q']):'';
  $dbSearchTerms = mysql_real_escape_string($searchTerms);
  $searchTerms = htmlentities($searchTerms);
 
 
  Thanks
  Ash
  www.ashleysheridan.co.uk
 
 
 I wouldn't self-assign the output of htmlentities to $searchTerms at all.
 
 <?php
 $searchTerms = (isset($_REQUEST['q']))?trim($_REQUEST['q']):'';
 
 // Rather than this:
 $searchTerms = htmlspecialchars($searchTerms);
 echo $searchTerms;
 
 // I prefer this:
 echo htmlspecialchars($searchTerms);
 
 ?>
 
 Escape sequences are not part of the data, so I don't store them.
 
 Andrew
 

If you'll notice, I'm not storing the escape sequences, I'm displaying
them, hence the $dbSearchTerms variable, which is just for the database,
and outputting the return from the function rather than assigning it to
a variable and then outputting it is probably just down to taste.


Thanks
Ash
www.ashleysheridan.co.uk





Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Andrew Ballard
On Wed, Jun 10, 2009 at 2:56 PM, Ashley
Sheridana...@ashleysheridan.co.uk wrote:
 On Wed, 2009-06-10 at 14:40 -0400, Andrew Ballard wrote:
 On Wed, Jun 10, 2009 at 2:26 PM, Ashley
 Sheridana...@ashleysheridan.co.uk wrote:
  On Wed, 2009-06-10 at 14:14 -0400, Eddie Drapkin wrote:
  On Wed, Jun 10, 2009 at 2:08 PM, Ashley Sheridan
  a...@ashleysheridan.co.ukwrote:
 
   On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote:
On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
 Ashley Sheridan wrote:
  On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
 
  I've been doing a bit of reading, and I can't really understand 
  why
   XSS
  is such an issue. Sure, if a user can insert a script tag, 
  what
  difference will that make to anyone else, as it is only on their
   own
  browser.
 
 
  1. User 1 logs on to the application. Fills up the form with
   malicious
  JS code in it. The server accepts the input, is stored in the
   database.
  2. User 2 logs on to the application. Goes to the view the
   information
  stored in the database. The JS gets executed on user 2's browser.
   User
  is attacked by XSS.
 
  I hope that clarifies the question.
 
 
 
  It does to a degree. So I shouldn't really worry about it in this
   case,
  as input from one user will never be displayed to any other user. 
  If
   it
  was a forum or something, it would, but the search string is only
   ever
  shown to the user who entered it, and never stored for later 
  display.
 
 
 It is easy to slip by. I recall a website was hacked using XSS on 
 the
 page the admin views the log entries. Just in case, you or somebody
   else
 tries to add the search log feature in the future, keep this at the
   back
 of your mind. Having the user to click on a harmful URI is 
 ridiculously
 easy.




 --

 With warm regards,
 Sudheer. S
 Business: http://binaryvibes.co.in, Tech stuff: 
 http://techchorus.net,
   Personal: http://sudheer.net


Yeah, I never realised what a minefield it could be, but I've been 
doing
a lot of reading today!
   
Thanks
Ash
www.ashleysheridan.co.uk
   
   
   So something like this would be acceptable?:
  
   $searchTerms = (isset($_REQUEST['q']))?$_REQUEST['q']:'';
   $searchTerms = htmlentities($searchTerms);
   $dbSearchTerms = mysql_real_escape_string($searchTerms);
  
   Giving me two variables, one for display output to user, the other for
   use in the database?
  
   Thanks
   Ash
   www.ashleysheridan.co.uk
  
 
 
  You wouldn't want to insert htmlentity escaped information into your
  database.
 
  This method has always worked well for me:
 
  Accept input -> db escape -> store;
  Retrieve output from db -> html escape -> display;
 
  So, I'm actually storing (in at least one case that I've seen), human
  readable XSS in the database, but I have a consistent approach to escaping
  before outputting so that it never gets displayed as XSS and I never
  accidentally escape it twice, which depending on a few factors, can have
  some pretty ugly results.  You wouldn't want to see &amp;amp; anywhere,
  would you? Alternatively though, if you are storing it html-escaped in the
  database, make sure you don't ever escape it before you output, but I find
  that approach a lot less flexible, has problems with searches, isn't easy 
  to
  read from the mysql cli console, etc. etc.
 
  OK, so I just swapped those last two lines over like so:
 
  $searchTerms = (isset($_REQUEST['q']))?trim($_REQUEST['q']):'';
  $dbSearchTerms = mysql_real_escape_string($searchTerms);
  $searchTerms = htmlentities($searchTerms);
 
 
  Thanks
  Ash
  www.ashleysheridan.co.uk
 

 I wouldn't self-assign the output of htmlentities to $searchTerms at all.

 <?php
 $searchTerms = (isset($_REQUEST['q']))?trim($_REQUEST['q']):'';

 // Rather than this:
 $searchTerms = htmlspecialchars($searchTerms);
 echo $searchTerms;

 // I prefer this:
 echo htmlspecialchars($searchTerms);

 ?>

 Escape sequences are not part of the data, so I don't store them.

 Andrew


 If you'll notice, I'm not storing the escape sequences, I'm displaying
 them, hence the $dbSearchTerms variable, which is just for the database,
 and outputting the return from the function rather than assigning it to
 a variable and then outputting it is probably just down to taste.


 Thanks
 Ash
 www.ashleysheridan.co.uk


You are storing it - in a variable. If I store an escaped value in a
variable, it is a very specifically purposed variable with a very
limited scope. I still prefer to keep a pure copy of the variable
somewhere in case I need to use it for a different purpose elsewhere
in the script.

Andrew




Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Shawn McKenzie
Ashley Sheridan wrote:
 On Wed, 2009-06-10 at 14:40 -0400, Andrew Ballard wrote:
 On Wed, Jun 10, 2009 at 2:26 PM, Ashley
 Sheridana...@ashleysheridan.co.uk wrote:
 On Wed, 2009-06-10 at 14:14 -0400, Eddie Drapkin wrote:
 On Wed, Jun 10, 2009 at 2:08 PM, Ashley Sheridan
 a...@ashleysheridan.co.ukwrote:

 On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote:
 On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
 Ashley Sheridan wrote:
 On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:

 I've been doing a bit of reading, and I can't really understand why
 XSS
 is such an issue. Sure, if a user can insert a script tag, what
 difference will that make to anyone else, as it is only on their
 own
 browser.


 1. User 1 logs on to the application. Fills up the form with
 malicious
 JS code in it. The server accepts the input, is stored in the
 database.
 2. User 2 logs on to the application. Goes to the view the
 information
 stored in the database. The JS gets executed on user 2's browser.
 User
 is attacked by XSS.

 I hope that clarifies the question.



 It does to a degree. So I shouldn't really worry about it in this
 case,
 as input from one user will never be displayed to any other user. If
 it
 was a forum or something, it would, but the search string is only
 ever
 shown to the user who entered it, and never stored for later display.


 It is easy to slip by. I recall a website was hacked using XSS on the
 page the admin views the log entries. Just in case, you or somebody
 else
 tries to add the search log feature in the future, keep this at the
 back
 of your mind. Having the user to click on a harmful URI is ridiculously
 easy.




 --

 With warm regards,
 Sudheer. S
 Business: http://binaryvibes.co.in, Tech stuff: http://techchorus.net,
 Personal: http://sudheer.net

 Yeah, I never realised what a minefield it could be, but I've been doing
 a lot of reading today!

 Thanks
 Ash
 www.ashleysheridan.co.uk


 So something like this would be acceptable?:

 $searchTerms = (isset($_REQUEST['q']))?$_REQUEST['q']:'';
 $searchTerms = htmlentities($searchTerms);
 $dbSearchTerms = mysql_real_escape_string($searchTerms);

 Giving me two variables, one for display output to user, the other for
 use in the database?

 Thanks
 Ash
 www.ashleysheridan.co.uk


 You wouldn't want to insert htmlentity escaped information into your
 database.

 This method has always worked well for me:

 Accept input -> db escape -> store;
 Retrieve output from db -> html escape -> display;

 So, I'm actually storing (in at least one case that I've seen), human
 readable XSS in the database, but I have a consistent approach to escaping
 before outputting so that it never gets displayed as XSS and I never
 accidentally escape it twice, which depending on a few factors, can have
 some pretty ugly results.  You wouldn't want to see &amp;amp; anywhere,
 would you? Alternatively though, if you are storing it html-escaped in the
 database, make sure you don't ever escape it before you output, but I find
 that approach a lot less flexible, has problems with searches, isn't easy 
 to
 read from the mysql cli console, etc. etc.
 OK, so I just swapped those last two lines over like so:

 $searchTerms = (isset($_REQUEST['q']))?trim($_REQUEST['q']):'';
 $dbSearchTerms = mysql_real_escape_string($searchTerms);
 $searchTerms = htmlentities($searchTerms);


 Thanks
 Ash
 www.ashleysheridan.co.uk

 I wouldn't self-assign the output of htmlentities to $searchTerms at all.

 <?php
 $searchTerms = (isset($_REQUEST['q']))?trim($_REQUEST['q']):'';

 // Rather than this:
 $searchTerms = htmlspecialchars($searchTerms);
 echo $searchTerms;

 // I prefer this:
 echo htmlspecialchars($searchTerms);

 ?>

 Escape sequences are not part of the data, so I don't store them.

 Andrew

 
 If you'll notice, I'm not storing the escape sequences, I'm displaying
 them, hence the $dbSearchTerms variable, which is just for the database,
 and outputting the return from the function rather than assigning it to
 a variable and then outputting it is probably just down to taste.
 
 
 Thanks
 Ash
 www.ashleysheridan.co.uk
 

I normally use and recommend a set of functions that you can use for
both cases, display_prep(), store_prep().  You can pass optional args
that tell the function whether to htmlentities() or strip_tags() or both,
etc...  You can extend them later to do more complex checks or
sanitizing.  Then you can just use them inline:

$searchTerms = (isset($_REQUEST['q']))?trim($_REQUEST['q']):'';

echo display_prep($searchTerms);

$sql = "SELECT * FROM table WHERE field='" . store_prep($searchTerms) . "'";

-- 
Thanks!
-Shawn
http://www.spidean.com

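An added example, not code from Eddie's or Shawn's posts, of the store-raw, escape-at-output pattern they both describe, reusing Shawn's display_prep() name for the HTML sink. It assumes PHP with the PDO SQLite driver, uses an in-memory database in place of MySQL, and binds the search term as a query parameter where the thread uses mysql_real_escape_string(); the logged searches are constructed sample input.

```php
<?php
// Added example, not code from the list posts. The raw search term is the
// only thing stored; the database gets it through a bound parameter and the
// HTML page gets it through display_prep(), so nothing is ever escaped twice.
declare(strict_types=1);

/** Escape a value for insertion into HTML text or a quoted attribute. */
function display_prep(string $value): string
{
    // ENT_QUOTES covers both quote styles so the value is also safe inside a
    // quoted attribute; UTF-8 keeps multibyte input intact. The default
    // double_encode=true means feeding an already escaped "&amp;" back in
    // yields "&amp;amp;", the double escape Eddie mentions, so this function
    // must be called exactly once, at output.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Record a search term: the raw string goes to the database via a bound parameter. */
function store_search(PDO $db, string $term): void
{
    $stmt = $db->prepare('INSERT INTO search_log (term) VALUES (:term)');
    $stmt->execute([':term' => $term]);
}

/** Render the admin "recent searches" page (the log page Sudheer warns about). */
function render_search_log(PDO $db): string
{
    $html = "<ul>\n";
    foreach ($db->query('SELECT term FROM search_log ORDER BY id') as $row) {
        // Escaping happens here, at the HTML sink, never before storage.
        $html .= '  <li>' . display_prep($row['term']) . "</li>\n";
    }
    return $html . "</ul>\n";
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE search_log (id INTEGER PRIMARY KEY, term TEXT NOT NULL)');

// Constructed sample input standing in for successive $_REQUEST['q'] values.
$searches = [
    "O'Reilly books",              // the quote is data, not a SQL problem
    'Tom & Jerry',                 // the ampersand must become &amp; once, at output
    '<script>alert(1)</script>',   // the classic stored-XSS probe
];

foreach ($searches as $q) {
    $searchTerms = trim($q);
    store_search($db, $searchTerms);
}

// The database still holds the original strings: no backslashes, no entities.
foreach ($db->query('SELECT term FROM search_log ORDER BY id') as $row) {
    echo 'stored: ', $row['term'], "\n";
}

// The rendered page carries &lt;script&gt; and &amp;, inert in the browser.
echo render_search_log($db);
```

Keeping the raw value in $searchTerms and escaping only in the sink functions is Andrew's point about escape sequences not being part of the data, applied to both sinks at once.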



Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Nitsan Bin-Nun
Usually I would support you on this one. In chemistry you always keep
your stock pure and make any observations or mixtures in clean and
other glasses in order to keep it pure.

When it comes to printing an output or hosting it in a variables and
then printing it out it is just a matter of taste.

On Wed, Jun 10, 2009 at 8:54 PM, Andrew Ballardaball...@gmail.com wrote:
 On Wed, Jun 10, 2009 at 2:56 PM, Ashley
 Sheridana...@ashleysheridan.co.uk wrote:
 On Wed, 2009-06-10 at 14:40 -0400, Andrew Ballard wrote:
 On Wed, Jun 10, 2009 at 2:26 PM, Ashley
 Sheridana...@ashleysheridan.co.uk wrote:
  On Wed, 2009-06-10 at 14:14 -0400, Eddie Drapkin wrote:
  On Wed, Jun 10, 2009 at 2:08 PM, Ashley Sheridan
  a...@ashleysheridan.co.ukwrote:
 
   On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote:
On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
 Ashley Sheridan wrote:
  On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
 
  I've been doing a bit of reading, and I can't really understand why XSS
  is such an issue. Sure, if a user can insert a script tag, what
  difference will that make to anyone else, as it is only on their own
  browser.
 
 
  1. User 1 logs on to the application. Fills up the form with malicious
  JS code in it. The server accepts the input, which is stored in the
  database.
  2. User 2 logs on to the application. Goes to view the information
  stored in the database. The JS gets executed on user 2's browser. User
  is attacked by XSS.
 
  I hope that clarifies the question.
 
 
 
  It does to a degree. So I shouldn't really worry about it in this case,
  as input from one user will never be displayed to any other user. If it
  was a forum or something, it would, but the search string is only ever
  shown to the user who entered it, and never stored for later display.
 
 
 It is easy to slip by. I recall a website was hacked using XSS on the
 page the admin views the log entries. Just in case, you or somebody else
 tries to add the search log feature in the future, keep this at the back
 of your mind. Having the user click on a harmful URI is ridiculously
 easy.




 --

 With warm regards,
 Sudheer. S
 Business: http://binaryvibes.co.in, Tech stuff: 
 http://techchorus.net,
   Personal: http://sudheer.net


Yeah, I never realised what a minefield it could be, but I've been doing
a lot of reading today!
   
Thanks
Ash
www.ashleysheridan.co.uk
   
   
   So something like this would be acceptable?:
  
   $searchTerms = (isset($_REQUEST['q']))?$_REQUEST['q']:'';
   $searchTerms = htmlentities($searchTerms);
   $dbSearchTerms = mysql_real_escape_string($searchTerms);
  
   Giving me two variables, one for display output to user, the other for
   use in the database?
  
   Thanks
   Ash
   www.ashleysheridan.co.uk
  
 
 
  You wouldn't want to insert htmlentity escaped information into your
  database.
 
  This method has always worked well for me:
 
  Accept input - db escape - store;
  Retrieve output from db - html escape - display;
 
  So, I'm actually storing (in at least one case that I've seen), human
  readable XSS in the database, but I have a consistent approach to
  escaping before outputting so that it never gets displayed as XSS and I
  never accidentally escape it twice, which depending on a few factors,
  can have some pretty ugly results.  You wouldn't want to see &amp;amp;
  anywhere, would you? Alternatively though, if you are storing it
  html-escaped in the database, make sure you don't ever escape it before
  you output, but I find that approach a lot less flexible, has problems
  with searches, isn't easy to read from the mysql cli console, etc. etc.
 
  OK, so I just swapped those last two lines over like so:
 
  $searchTerms = (isset($_REQUEST['q']))?trim($_REQUEST['q']):'';
  $dbSearchTerms = mysql_real_escape_string($searchTerms);
  $searchTerms = htmlentities($searchTerms);
 
 
  Thanks
  Ash
  www.ashleysheridan.co.uk
 

 I wouldn't self-assign the output of htmlentities to $searchTerms at all.

 <?php
 $searchTerms = (isset($_REQUEST['q']))?trim($_REQUEST['q']):'';

 // Rather than this:
 $searchTerms = htmlspecialchars($searchTerms);
 echo $searchTerms;

 // I prefer this:
 echo htmlspecialchars($searchTerms);

 ?>

 Escape sequences are not part of the data, so I don't store them.

 Andrew


 If you'll notice, I'm not storing the escape sequences, I'm displaying
 them, hence the $dbSearchTerms variable, which is just for the database,
 and outputting the return from the function rather than assigning it to
 a variable and then outputting it is probably just down to taste.


 Thanks
 Ash
 www.ashleysheridan.co.uk


 You are storing it - in a variable. 
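An added example, not code from this thread or from any of its posters, that puts Shawn's display_prep()/store_prep() idea and Eddie's "accept input, store raw; retrieve, html escape, display" pipeline into one runnable script. The function bodies, the search_log table, the log_search()/render_search_log() helpers and the sample input are all constructed for this example; it assumes PHP 7.4+ with pdo_sqlite available. Where the thread used mysql_real_escape_string(), this version relies on a bound parameter, so store_prep() does no escaping at all.

```php
<?php
// Added example, not code from the thread: one helper per output context,
// following Shawn's display_prep()/store_prep() naming and Eddie's
// "store raw, escape on output" pipeline. The bodies, the search_log table
// and the sample input are constructed for this example.

declare(strict_types=1);

/** Escape a value for an HTML text node or attribute. Call this at output time only. */
function display_prep(string $value, bool $stripTags = false): string
{
    if ($stripTags) {
        $value = strip_tags($value);
    }
    // ENT_QUOTES covers both quote styles, so the result is safe inside
    // single- or double-quoted attributes; ENT_SUBSTITUTE replaces invalid
    // UTF-8 instead of returning an empty string and silently losing data.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Normalise a value for storage. No SQL or HTML escaping happens here: the
 * query below binds the value as a parameter, and HTML escaping belongs to
 * display_prep(). Storing the raw text avoids the double-escaping
 * ("&amp;amp;") and searching problems described in the thread.
 */
function store_prep(string $value): string
{
    $value = trim($value);
    // Refuse invalid UTF-8 up front rather than storing bytes that a later
    // escaper may mangle or drop. An empty /u pattern fails on bad UTF-8.
    if (preg_match('//u', $value) !== 1) {
        throw new InvalidArgumentException('input is not valid UTF-8');
    }
    return $value;
}

/** Record a search term using a bound parameter, never string concatenation. */
function log_search(PDO $db, string $raw): void
{
    $stmt = $db->prepare('INSERT INTO search_log (term) VALUES (:term)');
    $stmt->execute([':term' => store_prep($raw)]);
}

/** Read the stored terms back and escape each one exactly once, for HTML. */
function render_search_log(PDO $db): string
{
    $terms = $db->query('SELECT term FROM search_log ORDER BY id')
                ->fetchAll(PDO::FETCH_COLUMN);
    $items = array_map(
        static fn (string $t): string => '<li>' . display_prep($t) . '</li>',
        $terms
    );
    return '<ul>' . implode('', $items) . '</ul>';
}

// Demonstration against an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE search_log (id INTEGER PRIMARY KEY, term TEXT NOT NULL)');

// Constructed sample input: markup, an ampersand and a quote, all legitimate
// data as far as storage is concerned.
$raw = "  <script>alert('x')</script> & O'Brien  ";
log_search($db, $raw);

// What the database holds: trimmed raw text, no entities.
var_dump($db->query('SELECT term FROM search_log')->fetchColumn());

// What the browser receives: escaped once, at the HTML boundary.
echo render_search_log($db), PHP_EOL;

// Escaping the same value twice is the mistake Eddie describes; compare the
// two results to see the entity of an entity.
echo display_prep('Tom & Jerry'), PHP_EOL;
echo display_prep(display_prep('Tom & Jerry')), PHP_EOL;
```

The split between the two helpers is the point: store_prep() only touches the data itself (trimming, encoding check), while display_prep() is the single place where the value is turned into HTML, so a search log added later, as Sudheer warns, is rendered through the same escaping path as the echo on the search page.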

[PHP] detect cli sapi

2009-06-10 Thread Tom Worster
what's a reliable way to detect that the sapi is cli, including in
included scripts?






Re: [PHP] detect cli sapi

2009-06-10 Thread Eddie Drapkin
if(PHP_SAPI == 'cli') { }

or

if(php_sapi_name() == 'cli') { }

On Wed, Jun 10, 2009 at 3:42 PM, Tom Worster f...@thefsb.org wrote:

 what's a reliable way to detect that the sapi is cli, including in
 included scripts?
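An added example, not code from Eddie's reply or Tom's question, that wraps the two checks above in a guard for scripts that must only run from the shell (cron jobs, maintenance tools kept inside the web root). The names is_cli() and require_cli() are introduced here; the guard works from included files too, because PHP_SAPI and php_sapi_name() describe the running process rather than the file that calls them.

```php
<?php
// Added example, not from the thread: refuse to run a command-line script
// when it is reached through a web SAPI. is_cli()/require_cli() are names
// chosen for this example.

declare(strict_types=1);

/** True when the current process was started by the CLI SAPI. */
function is_cli(): bool
{
    // PHP_SAPI is a constant fixed at startup and php_sapi_name() returns
    // the same string, so either check is enough; both are shown because the
    // thread offers both. Note that PHP's built-in development web server
    // reports 'cli-server', which a strict comparison correctly treats as web.
    return PHP_SAPI === 'cli' && php_sapi_name() === 'cli';
}

/**
 * Abort unless running under the CLI. Under a web SAPI the response is an
 * empty 403, so a maintenance script that is reachable by URL neither does
 * its work nor reveals anything about itself.
 */
function require_cli(): void
{
    if (is_cli()) {
        return;
    }
    if (!headers_sent()) {
        http_response_code(403);
    }
    exit(1);
}

// Put this at the top of the entry script; included files inherit the
// guarantee because the SAPI cannot change during a request.
require_cli();

fwrite(STDOUT, 'running under SAPI ' . PHP_SAPI . PHP_EOL);
```

Exiting before any output is deliberate: a script that only prints "must be run from the command line" still confirms to a visitor that the file exists and is executable, which is more than an unrelated 403 tells them.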







Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Andrew Ballard
On Wed, Jun 10, 2009 at 3:10 PM, Nitsan Bin-Nunnitsa...@gmail.com wrote:
 Usually I would support you on this one. In chemistry you always keep
 your stock pure and make any observations or mixtures in clean and
 other glasses in order to keep it pure.

 When it comes to printing an output or hosting it in a variables and
 then printing it out it is just a matter of taste.


It is a matter of taste. If I see a variable named $searchTerms, I
expect it to have the only the (appropriately sanitized) search terms
in it without any specific escape sequences. For me, it's the same
problem I have with magic_quotes (and related variants). If the
magic_quotes setting is enabled, you have to call stripslashes() on
the variable before you do just about anything with it, such as
passing it to htmlspecialchars(), mysql_real_escape_string(), a DBMS
other than MySQL, etc.

All I'm saying is that if I want to assign the returned value of an
escape function to a variable, I use a new variable whose name
describes its purpose -- Ash's $dbSearchTerms variable does just this
-- rather than assigning it back to the original variable. (I do
sometimes make an exception when the variable's scope is inside a
function whose sole purpose is to escape the value and then do
something with the escaped value.) I just often skip the extra
variable and use the function return value directly unless having the
extra variable makes the code more readable -- as a matter of taste.
:-)


Andrew




[PHP] Re: Form handling

2009-06-10 Thread Michael

Have a look at Zend Form




[PHP] Re: Any conflict with $_POST when 2 users concurrently submitting the same form using POST method?

2009-06-10 Thread Keith

Thanks! Peter.
I’m very clear now.

Peter Ford p...@justcroft.com wrote in message 
news:bd.38.16665.07c6f...@pb1.pair.com...

Keith wrote:

Let's say user A and user B submitting purchase order form with
order.php at the same time, with method=post action='confirmation.php'.

(1) Will $_POST['order'] submitted by user A be replaced by
$_POST['order'] submitted by user B, and both user A & B get the
same order, which is made by user B? Why?

(2) Since $_POST['xxx'] is a superglobal array, will $_POST['order'] be
read by users other than A & B? In a shared hosting server environment,
are all domains hosted within that server using the same $_POST array?
Can the $_POST array be accessed by all domains even if not from the
originating domain?

Thx for clarification!

Keith


Other posters have explained, but I'm not sure their explanations are
clear.

Think of it like this:

User A posts to confirmation.php. When the server receives the request,
it starts up a Process and fills the $_POST array with whatever came in,
then runs confirmation.php with that information.

User B posts to confirmation.php. When the server receives the request,
it starts up a Process and fills the $_POST array with whatever came in,
then runs confirmation.php with that information.

The KEY thing is that the process in each case is entirely separate. Each
makes its own copy of the script in its own bit of memory, and each has
its own version of $_POST in its own bit of memory.

The two posts can happen at the same time and they will still be
completely independent.

The fact that $_POST is called superglobal does not mean that it is
shared by separate requests - it is not even shared by requests in the
same session. It just means that it is already declared and you don't
need to use the global keyword to access it in your PHP pages.

--
Peter Ford  phone: 01580 89
Developer   fax:   01580 893399
Justcroft International Ltd., Staplehurst, Kent 


