php-general Digest 27 Apr 2012 00:23:27 -0000 Issue 7791

Topics (messages 317695 through 317710):

Re: Should I check input for bad chars in this case?
        317695 by: marco.behnke.biz
        317696 by: Simon Schick
        317698 by: mirrys.net
        317709 by: Simon Schick

Segmentation fault while fetching BLOB data from mysql with ODBC
        317697 by: Leandro Dardini
        317704 by: shiplu

url string being split
        317699 by: Chris Stinemetz
        317700 by: Vikash Kumar
        317701 by: Jim Giner
        317702 by: Stuart Dallas

Re: Serving a .dmg via readfile?
        317703 by: Brian Dunning

undefined offset
        317705 by: Jim Giner
        317706 by: Stuart Dallas
        317707 by: Jim Giner

FPDF ?
        317708 by: Jim Giner

Insert group by
        317710 by: Rick Dwyer


----------------------------------------------------------------------
--- Begin Message ---

"mirrys.net" <mirrys....@gmail.com> wrote on 26 April 2012 at 14:15:

> Hi all,
>
> this is more question than real problem (I hope :)). I include this
> script into my pages to log IPs of visitors (they are saved into txt
> file and sent to e-mail later):

You definitely should. There were some bugs (even in bigger applications
like Coppermine, for example) that have been introduced by clients sending
manipulated IP or hostname strings.

For the IP address simply check if it is a valid IP4 or IP6 tuple. There
are checks for that.


>
> function getIPadress()
> {
>     if (isset($_SERVER["HTTP_CLIENT_IP"]))
>     {
>         return $_SERVER["HTTP_CLIENT_IP"];
>     }
>     elseif (isset($_SERVER["HTTP_X_FORWARDED_FOR"]))
>     {
>         return $_SERVER["HTTP_X_FORWARDED_FOR"];
>     }
>     elseif (isset($_SERVER["HTTP_X_FORWARDED"]))
>     {
>         return $_SERVER["HTTP_X_FORWARDED"];
>     }
>     elseif (isset($_SERVER["HTTP_FORWARDED_FOR"]))
>     {
>         return $_SERVER["HTTP_FORWARDED_FOR"];
>     }
>     elseif (isset($_SERVER["HTTP_FORWARDED"]))
>     {
>         return $_SERVER["HTTP_FORWARDED"];
>     }
>     else
>     {
>         return $_SERVER["REMOTE_ADDR"];
>     }
> }
>
> // save log to txt
> $fh = fopen($fileWithLog, 'a+') or die("Oups " . $fileWithLog ." !");
> $IPAdress = getIPadress();
> fwrite($fh, date('j.n.Y G:i:s') . $IPAdress . " (" .
> gethostbyaddr($IPAdress) . ")\n");
> fclose($fh);
>
> ...can this be some possible security risk (XSS or so..), because I
> do not check chars in IP address and host name mainly. It is probably
> crazy, but on the other side I think it isn't impossible to use some
> bad strings in host name.
>
> Would you recommend use "$IPAdress = htmlspecialchars(getIPadress());"
> or something like? Or is it nonsense?
>
> Thx and excuse me, if this question is too stupid :(. Br, Mir R.
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
Marco Behnke
Dipl. Informatiker (FH), SAE Audio Engineer Diploma
Zend Certified Engineer PHP 5.3

Tel.: 0174 / 9722336
e-Mail: ma...@behnke.biz

Softwaretechnik Behnke
Heinrich-Heine-Str. 7D
21218 Seevetal

http://www.behnke.biz

--- End Message ---
--- Begin Message ---
On Thu, Apr 26, 2012 at 2:15 PM, mirrys.net <mirrys....@gmail.com> wrote:
> Hi all,
>
> this is more question than real problem (I hope :)). I include this
> script into my pages to log IPs of visitors (they are saved into txt
> file and sent to e-mail later):
>
> function getIPadress()
> {
>    if (isset($_SERVER["HTTP_CLIENT_IP"]))
>    {
>        return $_SERVER["HTTP_CLIENT_IP"];
>    }
>    elseif (isset($_SERVER["HTTP_X_FORWARDED_FOR"]))
>    {
>        return $_SERVER["HTTP_X_FORWARDED_FOR"];
>    }
>    elseif (isset($_SERVER["HTTP_X_FORWARDED"]))
>    {
>        return $_SERVER["HTTP_X_FORWARDED"];
>    }
>    elseif (isset($_SERVER["HTTP_FORWARDED_FOR"]))
>    {
>        return $_SERVER["HTTP_FORWARDED_FOR"];
>    }
>    elseif (isset($_SERVER["HTTP_FORWARDED"]))
>    {
>        return $_SERVER["HTTP_FORWARDED"];
>    }
>    else
>    {
>        return $_SERVER["REMOTE_ADDR"];
>    }
> }
>
> // save log to txt
> $fh = fopen($fileWithLog, 'a+') or die("Oups " . $fileWithLog ." !");
> $IPAdress = getIPadress();
> fwrite($fh, date('j.n.Y G:i:s') . $IPAdress . " (" .
> gethostbyaddr($IPAdress) . ")\n");
> fclose($fh);
>
> ...can this be some possible security risk (XSS or so..), because I
> do not check chars in IP address and host name mainly. It is probably
> crazy, but on the other side I think it isn't impossible to use some
> bad strings in host name.
>
> Would you recommend use "$IPAdress = htmlspecialchars(getIPadress());"
> or something like? Or is it nonsense?
>
> Thx and excuse me, if this question is too stupid :(. Br, Mir R.
>

Hi, mirrys

Why not use the function filter_input()? This would at least show
if the value is a valid ip-address.

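function getIPadress() {
        // Server variables to try, in order of preference
        $params = array(
                "HTTP_CLIENT_IP",
                "HTTP_X_FORWARDED_FOR",
                "HTTP_X_FORWARDED",
                "HTTP_FORWARDED_FOR",
                "HTTP_FORWARDED",
                "REMOTE_ADDR"
        );

        foreach ($params as $param) {
                // filter_input() returns the value only if it is a valid IP address
                if ($val = filter_input(INPUT_SERVER, $param, FILTER_VALIDATE_IP)) {
                        return $val;
                }
        }

        // No valid IP address found
        return false;
}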

This way you could even specify "I don't want ip's out of a private
range" and stuff like that ...
http://www.php.net/manual/en/filter.filters.validate.php
http://www.php.net/manual/en/function.filter-input.php

If no valid ip-address is found you'll get false here ... depends -
maybe you want to give "127.0.0.1" back then ;)

Bye
Simon

--- End Message ---
--- Begin Message ---
Thank you for your help Marco & Simon. No doubt, your code is much
cleaner and better.

One more question: without any filter or anything, could my
original code somehow be compromised (I mean some security bug)? Or rather,
was the major problem the possibility of a script crash?

On 4/26/12, ma...@behnke.biz <ma...@behnke.biz> wrote:
>
> You definitely should. There were some bugs (even in bigger applications
> like Coppermine, for example) that have been introduced by clients sending
> manipulated IP or hostname strings.
>
> For the IP address simply check if it is a valid IP4 or IP6 tuple. There
> are checks for that.

--- End Message ---
--- Begin Message ---
On Thu, Apr 26, 2012 at 3:59 PM, mirrys.net <mirrys....@gmail.com> wrote:
> Thank you for your help Marco & Simon. No doubt, your code is much
> cleaner and better.
>
> One more question: without any filter or anything, could my
> original code somehow be compromised (I mean some security bug)? Or rather,
> was the major problem the possibility of a script crash?
>

Hi, Mirrys

I personally can not see a security-hole at first view ...
Stuff in the global server-variable should only be set by the
webserver and therefore it should be kind of safe (depending on the
quality of the configuration of the webserver ;))

That was also the main reason why I would do a validation-check for this.
Talking about a script-crash ... I don't know ... I just found this
line in a comment for the function gethostbyaddress()

> If you use gethostbyaddr() with a bad IP address then it will send an error 
> message to the error log.

Bye
Simon

--- End Message ---
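
An added example for the thread above (not code posted by any of the participants): one way to pick and log the client address so that forged headers and hostile reverse-DNS names cannot shape the log line. It assumes PHP 7.1 or later; TRUSTED_PROXIES, the function names, the sample requests and the DNS stub are all hypothetical.

```php
<?php
// Added example, not code from the thread. TRUSTED_PROXIES, the function
// names and the sample requests are assumptions made for illustration.
const TRUSTED_PROXIES = ['10.0.0.5'];

// REMOTE_ADDR comes from the TCP connection; every HTTP_* entry is a request
// header and contains whatever the client chose to send.
function clientIp(array $server): ?string
{
    $remote = filter_var($server['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP);
    if ($remote === false) {
        return null;
    }
    // Believe X-Forwarded-For only when our own proxy made the connection.
    if (!in_array($remote, TRUSTED_PROXIES, true)
        || !isset($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    // The header is a comma-separated list; the right-most entry is the peer
    // address that our proxy appended.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    $last = filter_var(end($hops), FILTER_VALIDATE_IP);
    return $last === false ? $remote : $last;
}

// A reverse-DNS name is chosen by whoever controls the PTR record, so keep
// only hostname characters before it reaches a log file or an e-mail.
function safeHost(string $host): string
{
    return substr(preg_replace('/[^A-Za-z0-9.:-]/', '?', $host), 0, 255);
}

function logLine(array $server, ?callable $resolve = null): string
{
    $ip = clientIp($server);
    if ($ip === null) {
        return date('j.n.Y G:i:s') . " invalid-address\n";
    }
    $host = $resolve === null ? gethostbyaddr($ip) : $resolve($ip);
    return date('j.n.Y G:i:s') . " $ip (" . safeHost((string) $host) . ")\n";
}

// Constructed requests: a direct client forging the header, and a request
// relayed by the trusted proxy. The stub stands in for a hostile PTR record.
$forged  = ['REMOTE_ADDR' => '203.0.113.7',
            'HTTP_X_FORWARDED_FOR' => "1.2.3.4\n26.4.2012 fake <script>"];
$proxied = ['REMOTE_ADDR' => '10.0.0.5',
            'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 192.0.2.44'];
$stubDns = function (string $ip): string { return "host<b>\n.example"; };

echo logLine($forged, $stubDns);   // header ignored: peer is not the proxy
echo logLine($proxied, $stubDns);  // address taken from the proxy's entry
```

If the log is later displayed in a web page, escape each line with htmlspecialchars() at that point as well; validation on input and escaping on output cover different contexts.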
--- Begin Message ---
Has anyone experienced a segmentation fault while reading blob (longblob)
data from mysql using ODBC?

If not, can you provide me few rows of code to show me how you fetch it?

I am using php 5.3.3 and this code segfaults:

$conn=odbc_connect("db","","");
$sql="select * from table where id=1";
$res=odbc_exec($conn,$sql);
$row=odbc_fetch_object($res);

Leandro

--- End Message ---
--- Begin Message ---
On Thursday, April 26, 2012, Leandro Dardini wrote:

> Has anyone experienced a segmentation fault while reading blob (longblob)
> data from mysql using ODBC?
>
> If not, can you provide me few rows of code to show me how you fetch it?
>
> I am using php 5.3.3 and this code segfaults:
>
> $conn=odbc_connect("db","","");
> $sql="select * from table where id=1";
> $res=odbc_exec($conn,$sql);
> $row=odbc_fetch_object($res);
>
> Leandro
>

This is certainly a bug. But I'm curious why you are not using the MySQL
extension?


-- 
Shiplu.Mokadd.im
ImgSign.com | A dynamic signature machine
Innovation distinguishes between follower and leader

--- End Message ---
--- Begin Message ---
Hello list,

I'm trying to pass a query string through $_GET but for some reason
the array is being split on '&'. How may I avoid this so it stays
intact?

user selection portion:

while($storerow = mysql_fetch_assoc($storesresult))
echo '<h4><a href="store.php?id=' . $storerow['store_subject'] . '">'
. $storerow['store_subject'] . '</a></h4> at ' . date('m-d-Y h:i:s A',
strtotime($storerow['real_time_date']));

produces url string:

http://westeng/forum/store.php?id=Wiser Communication, LLC -& - Sprague Ave


print("<pre>".print_r($_GET,true)."</pre>"); ## results below

Array
(
    [id] => Wiser Communication, LLC -
    [-_Sprague_Ave] =>
)

How do I make it so the string isn't split into two elements in the
array? I want it to stay intact.

Thank you,

Chris

--- End Message ---
--- Begin Message ---
On 26 April 2012 22:27, Chris Stinemetz <chrisstinem...@gmail.com> wrote:

> Hello list,
>
> I'm trying to pass a query string through $_GET but for some reason
> the array is being split on '&'. How may I avoid this so it stays
> intact?
>
> user selection portion:
>
> while($storerow = mysql_fetch_assoc($storesresult))
> echo '<h4><a href="store.php?id=' . $storerow['store_subject'] . '">'
> . $storerow['store_subject'] . '</a></h4> at ' . date('m-d-Y h:i:s A',
> strtotime($storerow['real_time_date']));
>
> produces url string:
>
> http://westeng/forum/store.php?id=Wiser Communication, LLC -& - Sprague
> Ave
>
>
> print("<pre>".print_r($_GET,true)."</pre>"); ## results below
>
> Array
> (
>    [id] => Wiser Communication, LLC -
>    [-_Sprague_Ave] =>
> )
>
> How do I make it so the string isn't split into two elements in the
> array? I want it to stay intact.
>

You should urlencode the query parameter.


>
> Thank you,
>
> Chris
>

--- End Message ---
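
An added example for the reply above (not code from the thread): the link built with urlencode() for the query-string value and htmlspecialchars() for the HTML context, with parse_str() used to show how PHP reads the raw and the encoded query string. The sample row is constructed from the value shown in the question; storeLink() and parseQuery() are hypothetical helper names.

```php
<?php
// Added example; the sample row is constructed from the value in the thread.
$storerow = ['store_subject' => 'Wiser Communication, LLC -& - Sprague Ave'];

// Build the link: urlencode() for the query-string value, then
// htmlspecialchars() for everything placed into HTML (attribute and text).
function storeLink(string $subject): string
{
    $href = 'store.php?id=' . urlencode($subject);
    return '<h4><a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($subject, ENT_QUOTES, 'UTF-8') . '</a></h4>';
}

// Parse a raw query string the way PHP fills $_GET.
function parseQuery(string $query): array
{
    parse_str($query, $params);
    return $params;
}

$raw     = 'id=' . $storerow['store_subject'];            // as in the original link
$encoded = 'id=' . urlencode($storerow['store_subject']); // with the suggested fix

print_r(parseQuery($raw));      // '&' ends the id parameter and starts a second one
print_r(parseQuery($encoded));  // one id parameter holding the whole subject
echo storeLink($storerow['store_subject']), "\n";
```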
--- Begin Message ---
I'm no expert, but why would you expose a query to the world thru the use of 
a GET?  Why not just collect the params and build the string in your code? 
That is how people hack into your database - via a re-formed query.  You're 
giving someone an open invitation. 



--- End Message ---
--- Begin Message ---
On 26 Apr 2012, at 18:37, Jim Giner wrote:

> I'm no expert, but why would you expose a query to the world thru the use of 
> a GET?  Why not just collect the params and build the string in your code? 
> That is how people hack into your database - via a re-formed query.  You're 
> giving someone an open invitation. 

A "query string" has nothing to do with databases.

-Stuart

-- 
Stuart Dallas
3ft9 Ltd
http://3ft9.com/

--- End Message ---
--- Begin Message ---
Thanks, this suggestion from Dante completely solved the problem.

Replaced:

readfile('/var/www/mypath/My Cool Image.dmg');

With:

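$fd = fopen('/var/www/mypath/My Cool Image.dmg', 'rb'); // binary-safe read
if ($fd === false) {
    exit; // stop here: feof() on an invalid handle does not return true
}
while (!feof($fd)) {
    set_time_limit(30);     // restart the time limit for each chunk
    echo fread($fd, 4096);  // send 4 KB at a time instead of the whole file
    flush();
}
fclose($fd);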

It's now serving all files properly. 


On Apr 25, 2012, at 9:07 PM, D. Dante Lorenso wrote:

> You'll want to use fopen, fread, fwrite, and fclose to loop through bytes in 
> your file as you shuttle chunks to the client instead of slooping it all into 
> memory in one hunk.

--- End Message ---
--- Begin Message ---
Sorry - can't seem to find anything that explains this on google.

I'm using a List command to break out an array into distinct field names.  I 
keep getting these errors as I go thru my loop:

Notice: Undefined offset: 10 in (.....) on line 151
Notice: Undefined offset: 9 in (.....) on line 151
Notice: Undefined offset: 8 in (.....) on line 151
Notice: Undefined offset: 7 in (.....) on line 151
Notice: Undefined offset: 6 in (.....) on line 151
Notice: Undefined offset: 5 in (.....) on line 151
Notice: Undefined offset: 4 in (.....) on line 151
Notice: Undefined offset: 3 in (.....) on line 151
Notice: Undefined offset: 2 in (.....) on line 151
Notice: Undefined offset: 1 in (.....) on line 151

The array is loaded with
  while ($line = fgetcsv($hdlin))

My trouble line of code is:
   list($LastName, $FirstName,$MI, $Eventcode,$Event_Partner_Ln, 
$Event_Partner_Fn, $Event_Partner_MI,$t,$u,$v,$Draw_pos) = $line;

I've confirmed that I have a field name for each element in my rows.  All 
the rows are the same size naturally.  So - what is it telling me? 



--- End Message ---
--- Begin Message ---
On 26 Apr 2012, at 21:20, Jim Giner wrote:

> Sorry - can't seem to find anything that explains this on google.
> 
> I'm using a List command to break out an array into distinct field names.  I 
> keep getting these errors as I go thru my loop:
> 
> Notice: Undefined offset: 10 in (.....) on line 151
> Notice: Undefined offset: 9 in (.....) on line 151
> Notice: Undefined offset: 8 in (.....) on line 151
> Notice: Undefined offset: 7 in (.....) on line 151
> Notice: Undefined offset: 6 in (.....) on line 151
> Notice: Undefined offset: 5 in (.....) on line 151
> Notice: Undefined offset: 4 in (.....) on line 151
> Notice: Undefined offset: 3 in (.....) on line 151
> Notice: Undefined offset: 2 in (.....) on line 151
> Notice: Undefined offset: 1 in (.....) on line 151
> 
> The array is loaded with
>  while ($line = fgetcsv($hdlin))
> 
> My trouble line of code is:
>   list($LastName, $FirstName,$MI, $Eventcode,$Event_Partner_Ln, 
> $Event_Partner_Fn, $Event_Partner_MI,$t,$u,$v,$Draw_pos) = $line;
> 
> I've confirmed that I have a field name for each element in my rows.  All 
> the rows are the same size naturally.  So - what is it telling me? 

For every iteration of the loop or just once? If it's just once then you're not 
handling the possibility of a blank line. If more than once then the file 
doesn't contain what you think it contains.

-Stuart

-- 
Stuart Dallas
3ft9 Ltd
http://3ft9.com/

--- End Message ---
--- Begin Message ---
Thanks.  That was it - my last line was null.
--- End Message ---
--- Begin Message ---
For those of you with FPDF experience.

I've just begun using it and have figured out how it works I think.  I am 
still having trouble with the bottom of the page tho.  Seems that if I get 
too close to the bottom margin and my data line exceeds the amount of 
available space, my MultiCell elements print some of their contents and then 
my Footer gets printed and then I go to a new page where some small amount 
of the remaining data for that line gets printed and then a new page is 
output and repeat.  This can go on for 3-4 pages before things work out and 
my report continues until it gets a full page again and then it all happens 
again.

I know it sounds complicated, but I'm hoping someone else has experienced 
this kind of learning curve and can give me a clue as to what I'm doing 
wrong, or at least what's happening.  Even better would be an algorithm for 
detecting how much space I have left so I can avoid these split lines and 
perhaps solve my entire problem. 



--- End Message ---
--- Begin Message ---
Hello all.

This is more of a MySQL question, but I'm hoping it can be answered here.
On one of my pages, I issue a SQL command to group data as such:

$sql='select count(*) as count, searchkeywords from searchkeywords group by searchkeywords order by count desc';

Works well... but I would like it to group plurals with singular words as 
well.  So "hats" are grouped with "hat".

Since I'm doing a "group by" column name, I don't know that this can be done.

Any help is appreciated.

Thanks,
 
 --Rick



--- End Message ---
