At 16:28 28/07/2001, Ron Chmara wrote:
On Saturday, July 28, 2001, at 12:52 PM, Zeev Suraski wrote:
At 06:01 28/07/2001, Phil Driscoll wrote:
I and no doubt thousands of others will turn
register_globals on because it gives much more readable code, much less
typing and does not IMHO add one
It's pretty close to what I had in mind:
At 22:17 28/07/2001, Rasmus Lerdorf wrote:
The best thing about PHP is that it has such a shallow learning curve that
non-programmers can write web apps.
The worst thing about PHP is that it has such a shallow learning curve
that non-programmers write
One thing I've been thinking about recently is a desire for PHP to
provide a function whereby PHP scripts can log incoming variables (such
as $HTTP_POST_VARS) and the PHP scripts which process them. Such a
function can prove very useful in knowing what a particular user has
done.
Of course, not
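What Alex describes, as an added example that is not part of the thread: a logger that writes one JSON line per hit recording the script that processed the request, the method, the client address and the GET, POST and cookie variables, with credential-looking keys masked. The log path, the redaction list and the request below are assumptions; it uses the later $_GET/$_POST/$_COOKIE/$_SERVER arrays rather than $HTTP_*_VARS and needs PHP 5.3 or newer.

```php
<?php
// Added example, not from the thread. Log path and redaction list are assumptions.

/** Replace the values of credential-like keys, recursing into nested arrays. */
function redact_vars(array $vars, array $secret_keys)
{
    $out = array();
    foreach ($vars as $k => $v) {
        if (is_array($v)) {
            $out[$k] = redact_vars($v, $secret_keys);
        } elseif (in_array(strtolower((string) $k), $secret_keys, true)) {
            $out[$k] = '[redacted]';
        } else {
            $out[$k] = $v;
        }
    }
    return $out;
}

/** Build the record for one hit from the request arrays passed in. */
function request_log_entry(array $server, array $get, array $post, array $cookie)
{
    $secret = array('password', 'passwd', 'pass', 'token', 'session', 'phpsessid');
    return array(
        'ts'     => gmdate('c'),
        'script' => isset($server['SCRIPT_FILENAME']) ? $server['SCRIPT_FILENAME'] : '',
        'method' => isset($server['REQUEST_METHOD']) ? $server['REQUEST_METHOD'] : '',
        'remote' => isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '',
        'get'    => redact_vars($get, $secret),
        'post'   => redact_vars($post, $secret),
        'cookie' => redact_vars($cookie, $secret),
    );
}

/** Append one JSON line for the current request; returns true on success. */
function log_request_vars($path)
{
    $entry = request_log_entry($_SERVER, $_GET, $_POST, $_COOKIE);
    // JSON escaping keeps client-supplied newlines and control characters out
    // of the log (no log injection). Substitute bad UTF-8 where PHP supports it.
    $flags = defined('JSON_INVALID_UTF8_SUBSTITUTE') ? JSON_INVALID_UTF8_SUBSTITUTE : 0;
    $json = json_encode($entry, $flags);
    if ($json === false) {
        $json = json_encode(array('ts' => $entry['ts'], 'script' => $entry['script'],
                                  'error' => 'unencodable request variables'));
    }
    // Keep $path outside the document root; LOCK_EX keeps concurrent hits from interleaving.
    return file_put_contents($path, $json . "\n", FILE_APPEND | LOCK_EX) !== false;
}

// Constructed request so the script runs stand-alone from the CLI.
$_SERVER['REQUEST_METHOD']  = 'POST';
$_SERVER['SCRIPT_FILENAME'] = '/var/www/login.php';
$_SERVER['REMOTE_ADDR']     = '192.0.2.10';
$_POST = array('user' => 'alice', 'password' => 'hunter2', 'note' => "line\nbreak");

log_request_vars(sys_get_temp_dir() . '/php-request.log');
echo json_encode(request_log_entry($_SERVER, $_GET, $_POST, $_COOKIE)), "\n";
```

The record names the processing script because the question is "what did this user do", not just "what did they send"; the redaction list is a starting point, since logging passwords to a flat file is a second vulnerability rather than an audit trail.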
On Sat, 28 Jul 2001, Rasmus Lerdorf wrote:
// And perhaps some globbing:
// Import any variable with abc in its name from anywhere.
// Could alternatively use SQL-style or perhaps real regex
// expressions here although I think full regex support would be
//
I'm against a global function like this, but in favour of the 2nd flavour,
where you have to explicitly pass a list of variable names to import.
Actually, I mostly had something like: import_globals(ES) in mind for
the import all variety. Importing all server and environment variables
when
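An added example, not code from the thread, of the explicit-list flavour Zeev prefers: a helper that copies only the named variables from the named sources into the global scope and always assigns a default, so nothing is left undefined for a stray request parameter to fill in. The function name, the source letters and the request below are assumptions; it uses the $_GET/$_POST/$_COOKIE arrays of later PHP (5.3+) rather than $HTTP_*_VARS.

```php
<?php
// Added example, not from the thread. Names and behaviour are assumptions.

/**
 * Import only the named request variables into the global scope.
 *
 * $spec maps a variable name to the sources it may come from, as a string
 * of letters: 'G' (GET), 'P' (POST), 'C' (COOKIE). The first listed source
 * that carries the key wins, so the script, not variables_order, decides
 * which source is authoritative. Every listed name is assigned (falling back
 * to $defaults, then null). Names not in $spec are never touched.
 */
function import_request_vars(array $spec, array $defaults = array())
{
    $sources = array('G' => $_GET, 'P' => $_POST, 'C' => $_COOKIE);
    foreach ($spec as $name => $letters) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException("bad variable name: $name");
        }
        $value = array_key_exists($name, $defaults) ? $defaults[$name] : null;
        foreach (str_split(strtoupper($letters)) as $letter) {
            if (!isset($sources[$letter])) {
                throw new InvalidArgumentException("unknown source '$letter' for $name");
            }
            if (array_key_exists($name, $sources[$letter])) {
                $value = $sources[$letter][$name];
                break;
            }
        }
        $GLOBALS[$name] = $value;
    }
}

// Constructed request: the script expects id from its own POSTed form, and
// someone has appended ?authorized=1&id=7 to the URL.
$_GET  = array('authorized' => '1', 'id' => '7');
$_POST = array('id' => '3');

$authorized = false;                                   // set by the script, never imported
import_request_vars(array('id' => 'P'), array('id' => 0));   // only the form body is consulted

var_dump($id);          // string(1) "3": the GET value is never looked at
var_dump($authorized);  // bool(false): not in the list, so ?authorized=1 is inert
```

Globbing ("any variable with abc in its name") is deliberately absent: a pattern re-opens exactly the hole the list closes, because the attacker gets to choose which names match.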
On Saturday 28 July 2001 20:52, Zeev Suraski wrote:
a rebuff to each of my arguments :)
Rather than prolong the agony, my point is that in all the cases where a
malicious user has the chance to inject a dodgy variable, the code must
normally have a logic path which allows the code to pass
On 28 Jul 2001 [EMAIL PROTECTED] wrote:
Recode versions tested: 3.5d, 3.6.
PHP versions tested: 4.0.6.
I'd like to add Apache 1.3.19 on OpenBSD-current (i386) with PHP 4.0.6,
recode 3.6 and mysql 3.23.40 (non-bundled) to platforms affected.
Recode and MySQL work just fine (i.e., they are
From: [EMAIL PROTECTED]
Operating system: Linux
PHP version: 4.0.6
PHP Bug Type: Variables related
Bug description: Static references are transient inside methods
Another unfortunate bug with references appears to be that statics holding
references inside methods are
Good day,
someone at host 217.1.142.1 has sent you the following page:
http://phpcenter.de/index.php3
Title: PHP-Center -
Home page
Search:
Send page Quickref de en
Contents
Max Landborn wrote:
Hello everyone!
I'm new to this list, therefore I do not know if you have discussed this
matter before. I'm interested in something like crontab for PHP. This should
be platform independent and easy to maintain. I have a few ideas of how to
implement it even though
Alex Vincent wrote:
One thing I've been thinking about recently is a desire for PHP to
provide a function whereby PHP scripts can log incoming variables (such
as $HTTP_POST_VARS) and the PHP scripts which process them. Such a
function can prove very useful in knowing what a particular user
Max Landborn wrote:
Hello everyone!
I'm new to this list, therefore I do not know if you have discussed this
matter before. I'm interested in something like crontab for PHP. This
should
be platform independent and easy to maintain. I have a few ideas of how
to
implement it even
I'm completely open to better solutions, but haven't actually been able to
find any. We _could_ start browser sniffing I guess.
My experience is that you have to make fonts slightly bigger for
Netscape 4.x on X11 and Opera.
Would it not be simpler to avoid the use of font-size?
From: [EMAIL PROTECTED]
Operating system: Linux Slackware 8.0
PHP version: 4.0.6
PHP Bug Type: Compile Failure
Bug description: PHP does not compile with --with-apxs2
Apache 2.0.16 was configured with --enable-so
PHP was configured with --with-mysql=/path/to/mysql
At 01:04 29/07/2001, Phil Driscoll wrote:
On Saturday 28 July 2001 20:52, Zeev Suraski wrote:
a rebuff to each of my arguments :)
Rather than prolong the agony, my point is that in all the cases where a
malicious user has the chance to inject a dodgy variable, the code must
normally have a logic
At 00:48 29/07/2001, Rasmus Lerdorf wrote:
I'm against a global function like this, but in favour of the 2nd flavour,
where you have to explicitly pass a list of variable names to import.
Actually, I mostly had something like: import_globals(ES) in mind for
the import all variety. Importing
At 00:27 29/07/2001, Heikki Korpela wrote:
On Sat, 28 Jul 2001, Rasmus Lerdorf wrote:
// And perhaps some globbing:
// Import any variable with abc in its name from anywhere.
// Could alternatively use SQL-style or perhaps real regex
// expressions here although I
Note again that we should not see this change for what it isn't - it *is*
going to be a painful move for those who actually do it. The reason for
this is that register_globals=on silently encouraged writing of faulty
code. In turn, this means that people would have to go over their code in
On Sunday 29 July 2001 17:35, Zeev Suraski wrote:
*sigh* :) As I said numerous times, PHP gives you standard clean ways to
test your variables without generating E_NOTICE's, namely, isset() (very
popular) and empty() (less popular, but available all the same). There's a
good, fairly darned
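The E_NOTICE-driven audit Zeev and Rasmus describe, as an added example that is not code from the thread: the faulty idiom beside its isset() rewrite, with notices for undefined variables promoted to exceptions so a test run stops at the first bad read. The function names and the inputs are constructed; it runs on PHP 5.3 or newer (PHP 8 reports the undefined read as E_WARNING rather than E_NOTICE, which the handler also covers).

```php
<?php
// Added example, not from the thread. Function names and inputs are constructed.

error_reporting(E_ALL);
// Promote notices and warnings (undefined variable / index) to exceptions,
// so an audit run fails loudly instead of scrolling a notice past in the log.
set_error_handler(function ($errno, $errstr, $errfile, $errline) {
    if ($errno === E_NOTICE || $errno === E_WARNING) {
        throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
    }
    return false;   // anything else goes to the standard handler
});

// The register_globals-era idiom: extract() does to an array exactly what
// register_globals=on did to the whole request, and $page is then read
// whether or not the client supplied it.
function page_faulty(array $request)
{
    extract($request);
    return (int) $page;       // undefined variable when 'page' is absent
}

// The rewrite: the source is named, isset() raises no notice, and a
// missing or nonsensical value gets an explicit default.
function page_clean(array $get)
{
    $page = isset($get['page']) ? (int) $get['page'] : 1;
    return $page > 0 ? $page : 1;
}

$_GET = array();   // constructed: nothing supplied
try {
    page_faulty($_GET);
    echo "not caught\n";
} catch (ErrorException $e) {
    echo 'audit hit: ', $e->getMessage(), "\n";   // "Undefined variable: page" (PHP 7) / "Undefined variable $page" (PHP 8)
}
echo page_clean($_GET), "\n";                     // 1
echo page_clean(array('page' => '3')), "\n";      // 3
echo page_clean(array('page' => '-9')), "\n";     // 1
```

One caveat when reaching for empty() instead of isset(): empty("0") is true, so a check such as !empty($get['page']) silently drops a legitimate value of "0". Use isset() plus an explicit validity test when zero is meaningful.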
At 10:27 29/07/2001, Phil Driscoll wrote:
On Sunday 29 July 2001 17:35, Zeev Suraski wrote:
*sigh* :) As I said numerous times, PHP gives you standard clean ways to
test your variables without generating E_NOTICE's, namely, isset() (very
popular) and empty() (less popular, but available
Hello ...
It shouldn't be so difficult to make a simple text editor like Notepad,
but how to make it have a syntax highlight ability? Is there any document
dealing with how to make such an editor for PHP or for any other language?
Thanks in advance ...(and sorry if this is not the right
Howdy,
Just been going through the latest thread safety patch and I was
wondering why the EXT* macros have been deleted in favor of
directly passing the zend_*_globals *name (take a look at OCI8 for
more of what I'm talking about).
-Sterling
Full name: Serdar Soydemir
Email: [EMAIL PROTECTED]
ID:tpug
Purpose: I am one of the council members of Turkiye PHP Users Group, www.php.org.tr.
We are planning to work on a Turkish translation of the PHP Manual. If no one/team is
assigned to this work, we want to create a new Turkish
g'day,
I'm just sending a message to check how different the OO overloading
interface will be in the Zend Engine 2? I'm currently writing an
extension which uses the current overloading stuff, how different
will the new stuff be? will there be some level of backwards
ID: 12455
Updated by: rasmus
Reported By: [EMAIL PROTECTED]
Status: Open
Bug Type: *Math Functions
Operating System: SunOS 5.8 (Solaris)
PHP Version: 4.0.4pl1
New Comment:
I don't think I understand what the problem is here. I tested your code with the
following:
<?php
function pwd() {
Rasmus Lerdorf ([EMAIL PROTECTED]) wrote:
Think about whether in each of these cases it would have happened if the
developers of the app had developed with E_NOTICE on. In a high number of
these cases it probably wouldn't. And if this number is close to 100%,
then it would point to the fact
On 29 Jul 2001, [EMAIL PROTECTED] wrote:
From: [EMAIL PROTECTED]
Operating system: Linux Slackware 8.0
PHP version: 4.0.6
PHP Bug Type: Compile Failure
Bug description: PHP does not compile with --with-apxs2
Apache 2.0.16 was configured with --enable-so
That
Hi Phil!
On Sat, 28 Jul 2001, Phil Driscoll wrote:
That's not going to find half, or a quarter, or whatever of the problems,
since PHP has tools to cleanly handle undefined variables - namely isset()
and empty(). They, or at least isset(), are quite popular.
I always use something
Hi Marcus!
On Thu, 26 Jul 2001, Marcus wrote:
shouldn't the function basename() return only the
script part and not the query part?
I guess basename() is a filesystem function, and hence it doesn't make sense
to care about the `query string' because in file systems there are no such
things.
I
Hi btanner!
On Sun, 29 Jul 2001, [EMAIL PROTECTED] wrote:
From: [EMAIL PROTECTED]
Operating system: Win2k
PHP version: 4.0.6
PHP Bug Type: Scripting Engine problem
Bug description: comparing 0==null is true?
If you compare the integer(0) to the string null, PHP
Hi Zeev!
On Thu, 26 Jul 2001, Zeev Suraski wrote:
At 02:18 26/07/2001, Ron Chmara wrote:
If most of the PHP apps out there are or were vulnerable to
register_globals=on attacks, we can't (shouldn't) blame the whole world,
but fix the language instead.
I'd suggest fixing the code
Hi Ron!
On Sat, 28 Jul 2001, Ron Chmara wrote:
On Saturday, July 28, 2001, at 12:52 PM, Zeev Suraski wrote:
At 06:01 28/07/2001, Phil Driscoll wrote:
I and no doubt thousands of others will turn
register_globals on because it gives much more readable code,
much less
typing and does
I was going to reply to Phil Driscoll's post (from Friday) about
E_SECURITY warning level, but thought it might belong better in a
different thread.
This thread is for collecting some ideas for security enhancements that
can happen in PHP, besides the already-known register_globals.
My idea:
Have PHP reject (fail to process, die, whatever) a hit that is
anomalous. Definitions of anomalous:
1. GET variables set while METHOD != GET
i.e.
<form action=foo.php?x=1 method=POST>
...
</form>
Huh? I use this all the time in my apps. There is absolutely nothing
Quoting Rasmus Lerdorf [EMAIL PROTECTED]:
Huh? I use this all the time in my apps. There is absolutely nothing
wrong with having both GET and POST method variables at the same time.
Disallowing this would break almost every app I have ever written.
Well, it works fine with Apache, and
Huh? I use this all the time in my apps. There is absolutely nothing
wrong with having both GET and POST method variables at the same time.
Disallowing this would break almost every app I have ever written.
Well, it works fine with Apache, and probably some other servers, but it
Quoting Rasmus Lerdorf [EMAIL PROTECTED]:
As long as it works with all browsers, which as far as I can tell it does,
then it doesn't really concern me that some servers don't support it.
Apache will definitely always support this.
Yup - I haven't found a browser that has problems with it.
From: [EMAIL PROTECTED]
Operating system: Windows 98
PHP version: 4.0.6
PHP Bug Type: PHP options/info functions
Bug description: Mail()
I want to know , if the function mail() it can be placed in the middle of
the page. Without being placed in the beginning, before the
Rasmus Lerdorf ([EMAIL PROTECTED]) wrote:
How to get there...
For 4.0.7:
- We leave all default configuration settings as they are now.
- We add $_GET, $_POST, $_COOKIE, $_ENV, $_SERVER and perhaps make them
super-globals like $GLOBALS
+1
- We add a new function, somewhat like
Stig S. Bakken ([EMAIL PROTECTED]) wrote:
Uhm, why not simply run PHP scripts from cron? Or did you want
something inside a web server environment?
I personally have been looking for something similar. AOLServer has
this facility:
http://www.aolserver.com/docs/tcldev/tapi-114.htm
Full name: Halil Sen
Email: [EMAIL PROTECTED]
ID:halilsen
Purpose: Maintaining www.php.net,
Developing the PHP runtime
--
PHP Development Mailing List http://www.php.net/
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the
ID: 12403
Updated by: phanto
Reported By: [EMAIL PROTECTED]
Status: Open
Bug Type: COM related
Operating System: NT 4
PHP Version: 4.0.6
New Comment:
simply comment them out for now, it doesn't matter. you only won't have these
constants defined in your php build (but you can't use them on your
ID: 12403
Updated by: phanto
Reported By: [EMAIL PROTECTED]
Old Status: Open
Status: Closed
Bug Type: COM related
Operating System: NT 4
PHP Version: 4.0.6
New Comment:
forgot to close
Previous Comments:
[2001-07-29
ID: 12455
User updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Open
Bug Type: *Math Functions
Operating System: SunOS 5.8 (Solaris)
PHP Version: 4.0.4pl1
New Comment:
Well, when I run that code I get 4, not 500. Upping the
number of iterations doesn't help. I think the
On Mon, 30 Jul 2001, Stig S. Bakken wrote:
Sterling Hughes wrote:
g'day,
I'm just sending a message to check how different the OO overloading
interface will be in the Zend Engine 2? I'm currently writing an
extension which uses the current overloading stuff, how
Alexander Merz wrote:
I'm completely open to better solutions, but haven't actually been able to
find any. We _could_ start browser sniffing I guess.
My experience is that you have to make fonts slightly bigger for
Netscape 4.x on X11 and Opera.
Would it not be simpler to avoid the
ID: 12457
Updated by: mfischer
Reported By: [EMAIL PROTECTED]
Old Status: Open
Status: Closed
Bug Type: PHP options/info functions
Operating System: Windows 98
PHP Version: 4.0.6
New Comment:
Yes, you can call it wherever you want.
Btw, such questions are best asked at [EMAIL PROTECTED]
Anyone got an Apache2 running (which one) with PHP (which one) ?
thx
ciao
-- teodor
Hello. I instantiated a new class [
e.g. <? $system = new Java('java.lang.System'); ?>
]. I got a blank response, and that child of Apache
died. Is this a bug that I should report? Or am I missing
something here? Any expert please give me some
suggestions. For the Apache error log, [Fri Jul 27 17:40:01
ID: 12166
Updated by: kalowsky
Reported By: [EMAIL PROTECTED]
Old Status: Open
Status: Feedback
Bug Type: ODBC related
Operating System: Windows ME
PHP Version: 4.0.6
New Comment:
Which docs are you referring to? The ODBC docs for PHP? The ODBC v3 docs?
The ODBC v3.5 docs?
ID: 12209
Updated by: avsm
Reported By: [EMAIL PROTECTED]
Old Status: Open
Status: Feedback
Bug Type: Apache related
Operating System: OpenBSD 2.9
PHP Version: 4.0.6
Previous Comments:
[2001-07-17 11:52:05] [EMAIL
What you ignored completely are three facts:
- register_globals=on leads to insecure code, which was demonstrated time
and time again in the past.
- Once it's off, we're going to provide methods of accessing variables
which are just as easy, and quite easier in case you access them from
Generally I agree, except I don't think we should go as far as changing the
theme of PHP. Putting form variables into a different space would be the
simplest and equally secure way to do the trick.
At 08:32 26/07/2001, [EMAIL PROTECTED] wrote:
Hi Zeev!
On Thu, 26 Jul 2001, Zeev Suraski wrote:
At 12:04 29/07/2001, Stephen van Egmond wrote:
2. when an uploaded file fails is_uploaded_file().
My English parser bailed out on this one :)
I felt bad when I saw is_uploaded_file() introduced - it is such a
cheesy function call; people shouldn't even have to call it themselves,
and I can
At 02:40 29/07/2001, Sterling Hughes wrote:
Ahh well, I guess I'll have to commit it before the changes and then
expect Zeev and Andi to fix it :)
We have no plans to fix those, because they'd require complete rewrites :)
Zeev
Guys,
Please follow the coding standards as they appear in the CODING_STANDARDS
with code you commit to the PHP repository.
Stuff I noticed while going over large portions of code in the last few days:
- open-curly-braces should not appear on the same line as a function
declaration, but on
Zeev Suraski ([EMAIL PROTECTED]) wrote:
At 12:04 29/07/2001, Stephen van Egmond wrote:
2. when an uploaded file fails is_uploaded_file().
My English parser bailed out on this one :)
How's your PHP parser doing? :)
foreach ($HTTP_POST_FILES as $f) {
    if (!is_uploaded_file($f['tmp_name'])) {
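The handling Stephen's fragment gestures at, written out as an added example that is not code from the thread: validate each entry of the upload array, refuse anything is_uploaded_file() does not vouch for, and move the file under a server-chosen name. It uses the $_FILES layout of later PHP (the successor to $HTTP_POST_FILES), needs PHP 7 for random_bytes(), and the upload directory, the extension list and the spoofed entry at the end are assumptions.

```php
<?php
// Added example, not from the thread. Upload directory and name policy are assumptions.

/**
 * Validate one $_FILES entry and move it out of the temp dir.
 * Returns the stored path, or throws on anything suspicious.
 */
function store_upload(array $file, $upload_dir)
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, code '
            . (isset($file['error']) ? $file['error'] : '?'));
    }
    // The check Zeev wishes were implicit: refuse any path that did not come
    // from this request's upload. Under register_globals a client could
    // otherwise supply tmp_name=/etc/passwd and have the script copy it.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('tmp_name is not an uploaded file');
    }
    // Never trust the client-supplied name: no directory parts, no extension
    // the web server might execute. The stored name is generated here.
    $ext     = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $allowed = array('png' => 1, 'jpg' => 1, 'jpeg' => 1, 'gif' => 1, 'txt' => 1);
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('extension not allowed: ' . $ext);
    }
    $dest = rtrim($upload_dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // move_uploaded_file() repeats the is_uploaded_file() check internally.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload');
    }
    return $dest;
}

/** Process every file field; multi-file fields (name="f[]") arrive transposed. */
function store_all_uploads(array $files, $upload_dir)
{
    $stored = array();
    foreach ($files as $field => $f) {
        if (is_array($f['name'])) {
            foreach ($f['name'] as $i => $unused) {
                $one = array();
                foreach (array('name', 'type', 'tmp_name', 'error', 'size') as $k) {
                    $one[$k] = $f[$k][$i];
                }
                $stored[$field][$i] = store_upload($one, $upload_dir);
            }
        } else {
            $stored[$field] = store_upload($f, $upload_dir);
        }
    }
    return $stored;
}

// In a real request: $paths = store_all_uploads($_FILES, '/var/uploads');
// (a directory outside the document root).

// Constructed stand-alone demonstration: an entry pointing at a local file
// is rejected because the SAPI did not receive it in this request.
$spoofed = array('name' => 'x.txt', 'type' => 'text/plain',
                 'tmp_name' => __FILE__, 'error' => UPLOAD_ERR_OK, 'size' => 1);
try {
    store_upload($spoofed, sys_get_temp_dir());
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";   // tmp_name is not an uploaded file
}
```

is_uploaded_file() only answers for the current request, so the spoofed entry above fails from the CLI as it would in a tampered POST; the rest of the path can only be exercised behind a web server.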
Zeev Suraski ([EMAIL PROTECTED]) wrote:
- register_globals=on leads to insecure code, which was demonstrated time
and time again in the past.
- Once it's off, we're going to provide methods of accessing variables
which are just as easy, and quite easier in case you access them from
I was trying to step back a bit and identify some of the patterns in
the attacks identified in the paper. One extremely popular pattern was
spoofing variables by overwriting them: GET variables overwriting
POST, usually, and I suggested that some SAPI stunt be pulled to catch
that.
That's
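The pattern Stephen picks out (the same name arriving via GET and via POST, one overwriting the other), detected in script rather than by a SAPI stunt, as an added example that is not code from the thread. It reports only names whose values differ across sources, so the mixed-method forms Rasmus describes (a POST form with ?x=1 in its action) are untouched, and it reads each parameter from one explicitly chosen source so neither variables_order nor register_globals decides which copy wins. The function names and the request are assumptions; it uses $_GET/$_POST/$_COOKIE (PHP 5.3+).

```php
<?php
// Added example, not from the thread. Function names and request are constructed.

/** Names that arrive from more than one source with different values. */
function request_collisions(array $get, array $post, array $cookie)
{
    $seen = array();
    foreach (array('get' => $get, 'post' => $post, 'cookie' => $cookie) as $src => $vars) {
        foreach ($vars as $name => $value) {
            $seen[$name][$src] = $value;
        }
    }
    $collisions = array();
    foreach ($seen as $name => $by_source) {
        // serialize() so nested arrays compare by content
        $distinct = array_unique(array_map('serialize', $by_source));
        if (count($distinct) > 1) {
            $collisions[$name] = $by_source;
        }
    }
    return $collisions;
}

/**
 * Read $name from exactly one source. Whichever copy variables_order lets
 * win in $_REQUEST (or, under register_globals, in $$name) is irrelevant:
 * the script states where the value must come from.
 */
function param($source, $name, $default = null)
{
    $sources = array('get' => $_GET, 'post' => $_POST, 'cookie' => $_COOKIE);
    if (!isset($sources[$source])) {
        throw new InvalidArgumentException("unknown source: $source");
    }
    return array_key_exists($name, $sources[$source]) ? $sources[$source][$name] : $default;
}

// Constructed request: the login form POSTs user=alice, but its action URL
// was tampered with to carry ?user=admin. 'page' agrees in both and is ignored.
$_GET    = array('user' => 'admin', 'page' => '1');
$_POST   = array('user' => 'alice', 'page' => '1');
$_COOKIE = array();

$conflicts = request_collisions($_GET, $_POST, $_COOKIE);
if ($conflicts) {
    // Policy choice: record it and refuse, rather than let the last source win.
    error_log('conflicting request variables: ' . json_encode($conflicts));
    // header('HTTP/1.0 400 Bad Request'); exit;
}
echo param('post', 'user'), "\n";     // alice: the form body, never the query string
echo param('get', 'page', 1), "\n";   // 1
var_dump(param('cookie', 'user'));    // NULL: not supplied there
```

Rejecting on conflict is one policy; logging and preferring the POST body is another. What matters is that the choice is made once, in code, rather than left to the order in which PHP happens to merge the sources.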
At 21:34 29/07/2001, Stephen van Egmond wrote:
Zeev Suraski ([EMAIL PROTECTED]) wrote:
- register_globals=on leads to insecure code, which was demonstrated time
and time again in the past.
- Once it's off, we're going to provide methods of accessing variables
which are just as easy, and
For those of you who aren't sure where the heck those space-after-comma and
the other rules are coming from, that's the K&R coding standard, which is
the coding standard for the php4 repository. One other rule that's really
not followed is [3]:
[3] Be generous with whitespace and braces.
ID: 12335
User updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Old Status: Feedback
Status: Open
Bug Type: Mail related
Operating System: Sun Solaris 2.6
PHP Version: 4.0.6
New Comment:
This was a misunderstanding.
I have the problems with version 4.0.6.
But this machine is not on