Hi,
At 08:18 14-8-2002, Yasuo Ohgaki wrote:
Rasmus Lerdorf wrote:
As much as I think trans-sid sucks from a performance perspective, what's
with this comment in php.ini-dist?
; trans sid support is disabled by default.
; Use of trans sid may risk your users security. It may not be
; feasible to
Hi,
On Tue, Aug 13, 2002 at 05:26:17PM +0200, Marcus Börger wrote:
At 17:05 13.08.2002, Dan Kalowsky wrote:
On Tue, 13 Aug 2002, Marcus Börger wrote:
2) Can we please remove the http://www.php.net/manual/en/blahblahblah;
style of use for this? It will tend to force users
At 10:03 14.08.2002, Jan Lehnardt wrote:
Hi,
On Tue, Aug 13, 2002 at 05:26:17PM +0200, Marcus Börger wrote:
At 17:05 13.08.2002, Dan Kalowsky wrote:
On Tue, 13 Aug 2002, Marcus Börger wrote:
2) Can we please remove the
http://www.php.net/manual/en/blahblahblah;
style
Hi,
On Wed, Aug 14, 2002 at 10:09:52AM +0200, Marcus Börger wrote:
Then there is only the last argument not spoken about yet:
Externally developed extensions.
and PECL extensions respectively. For external developed extensions I suggest
putting them into PECL (at least the documentation, if
At 10:15 14.08.2002, Jan Lehnardt wrote:
Hi,
On Wed, Aug 14, 2002 at 10:09:52AM +0200, Marcus Börger wrote:
Then there is only the last argument not spoken about yet:
Externally developed extensions.
and PECL extensions respectively. For external developed extensions I suggest
putting them
Hi,
I guess you missed some points :)
Melvyn Sopacua wrote:
At 08:18 14-8-2002, Yasuo Ohgaki wrote:
Rasmus Lerdorf wrote:
As much as I think trans-sid sucks from a performance perspective,
what's
with this comment in php.ini-dist?
; trans sid support is disabled by default.
; Use of
Hi,
On Wed, Aug 14, 2002 at 10:25:40AM +0200, Marcus Börger wrote:
Erm - good point we cannot find pecl.function.name automatically by
docref=NULL. Either pecl must be available by function.name or by
just using name on php.net. This is also a problem for external copies
of the manual.
erm,
I'm not saying cookie based session is perfectly secure, but
it's obvious to me that URL based session is much less secure
than cookie one, especially compared to session cookie.
URL based session-id transferal is not much less secure, because all the
user has to do is open up their cache and
At 10:58 14-8-2002, Yasuo Ohgaki wrote:
Hi,
I guess you missed some points :)
Nope :-)
Melvyn Sopacua wrote:
At 08:18 14-8-2002, Yasuo Ohgaki wrote:
Rasmus Lerdorf wrote:
As much as I think trans-sid sucks from a performance perspective, what's
with this comment in php.ini-dist?
; trans sid
On Tue, Aug 13, 2002 at 03:54:58PM +0200, Piotr Klaban wrote:
and if I call http://server/dir/file.php?q=1, the result is:
Apache module PHP CGI
PHP_SELF /dir/file.php/path-info/dir/file.php
I am sorry it is a mistake, it should be:
errata
and if I call
At 11:01 14-8-2002, Dan Hardiker wrote:
This bit confused me slightly ... what's the difference between a Session
cookie and a Normal cookie?
It's stored in memory, not on disk.
For the end-user Mr. Priest, this would be considered even 'less secure',
because he expects it to be deleted and
Hello everyone,
I am new to this list, but urgently in need of a solution for a problem
I am currently facing.
First, I'll give a description of my current platform:
Linux 2.4.18 (originally Slackware, heavily modified)
apache 1.3.22
php 4.1.2
mysql 3.23.46
(I am aware that these are not the
Dan Hardiker wrote:
I'm not saying cookie based session is perfectly secure, but
it's obvious to me that URL based session is much less secure
than cookie one, especially compared to session cookie.
URL based session-id transferal is not much less secure, because all the
user has to do is
This bit confused me slightly ... what's the difference between a
Session cookie and a Normal cookie?
It's stored in memory, not on disk.
How you can tell a cookie to be stored in RAM rather than on the HDD, I'm
not sure ... but that might mean I need to brush up.
For the end-user Mr. Priest,
Melvyn Sopacua wrote:
Again - security by obscurity. It does not change the fact, that
if($_SESSION['logged_in']) { 'good' } is insecure.
Using a trans-sid only makes things more transparent, which is not equal
to less secure in my book, but I know opinions vary in that area.
Who is
URL based session management has more risks than cookie's.
Please advise people to consider risks :)
but cookies aren't always enabled (in my area of deployment 90% don't have
them enabled) .. and the fact is no matter where the data goes client
side, the data can still be pulled.
I can knock a
Now this is where the code dev needs an IQ above 3. *Use IP and
Browser
String authentication*
Except you cannot rely on people coming from the same IP on every hit.
Many firewalls use several exit IPs (Cisco PIX for example), so
users coming from networks like that would be randomly logged out.
Any chance you're using output buffering?
Zeev
At 12:25 14/08/2002, Joost Lek wrote:
Hello everyone,
I am new to this list, but urgently in need of a solution for a problem I
am currently facing.
First, I'll give a description of my current platform:
Linux 2.4.18 (originally Slackware,
Dan Hardiker wrote:
URL based session management has more risks than cookie's.
Please advise people to consider risks :)
but cookies aren't always enabled (in my area of deployment 90% don't have
them enabled) .. and the fact is no matter where the data goes client
side, the data can still be
Then there is only the last argument not spoken about yet:
Externally developed extensions.
and PECL extensions respectively. For external developed extensions I
suggest
putting them into PECL (at least the documentation, if there are license
issues about the extension's code itself) and for
At 10:57 14.08.2002, Gabor Hojtsy wrote:
Then there is only the last argument not spoken about yet:
Externally developed extensions.
and PECL extensions respectively. For external developed extensions I
suggest
putting them into PECL (at least the documentation, if there are license
| Erm - good point we cannot find pecl.function.name automatically by
| docref=NULL. Either pecl must be available by function.name or by
| just using name on php.net. This is also a problem for external
copies
| of the manual.
PECL, PEAR and other functions won't be available as
Dan Hardiker wrote:
How you can tell a cookie to be stored in RAM rather than on the HDD, I'm
not sure ... but that might mean I need to brush up.
do not set a lifetime and it won't be stored on disk
and live in browser ram until browser is terminated
has been so ever since netscape came up
At 12:04 14-8-2002, Yasuo Ohgaki wrote:
Melvyn Sopacua wrote:
Again - security by obscurity. It does not change the fact, that
if($_SESSION['logged_in']) { 'good' } is insecure.
Using a trans-sid only makes things more transparent, which is not equal
to less secure in my book, but I know
So, you're suggesting that all external extensions have to be in PECL
in order for the error message to link to further documentation??
What about projects like APC/APD? SRM?
NameOfYourFavouriteThirdPartyBinarySCEHere?
Do they all have to be hosted on php.net??
--Wez.
On 08/14/02, Jan
Melvyn Sopacua wrote:
At 12:04 14-8-2002, Yasuo Ohgaki wrote:
Aren't we discussing what method of passing session ID is less
secure than others?
Yes, but I fail to see what it has to do with security.
For instance - I use sessions to store some output that takes a lot of
time to
We seem to go around in circles :-)
At 13:08 14-8-2002, you wrote:
Melvyn Sopacua wrote:
At 12:04 14-8-2002, Yasuo Ohgaki wrote:
Aren't we discussing what method of passing session ID is less
secure than others?
Yes, but I fail to see what it has to do with security.
For instance - I use
Melvyn Sopacua wrote:
We seem to go around in circles :-)
At 13:08 14-8-2002, you wrote:
Melvyn Sopacua wrote:
At 12:04 14-8-2002, Yasuo Ohgaki wrote:
Aren't we discussing what method of passing session ID is less
secure than others?
Yes, but I fail to see what it has to do with
Hi,
On Wed, Aug 14, 2002 at 10:41:24AM +0100, Wez Furlong wrote:
So, you're suggesting that all external extensions have to be in PECL
in order for the error message to link to further documentation??
What about projects like APC/APD? SRM?
NameOfYourFavouriteThirdPartyBinarySCEHere?
Do
On August 14, 2002 02:05 am, you wrote:
Hi Ilia,
One of the complaints about PHP is things have been
deprecated/changed w/o proper prior notice. Many
users are tried with the _bad_ practice AFAIK.
Well, deprecation does not mean the functions were removed, it simply means
that there is an
While building the latest snapshot, I get the following error during
make:
ext/standard/info.lo: In function `php_print_info':
/home/martin/source/php4-200208140300/ext/standard/info.c:233:
undefined reference to `iconv_globals'
collect2: ld returned 1 exit status
make: *** [sapi/cli/php] Error
At 13:37 14-8-2002, Yasuo Ohgaki wrote:
Improvements, additional descriptions, corrections are welcome
at any time.
Alright, lemme whip up something.
Met vriendelijke groeten / With kind regards,
Webmaster IDG.nl
Melvyn Sopacua
--
PHP Development Mailing List http://www.php.net/
To
On 08/14/02, Zeev Suraski [EMAIL PROTECTED] wrote:
Any chance you're using output buffering?
Hopefully you are just using output buffering; check for
settings in your php.ini or apache configuration such as
zlib.output_compression, output_buffering, output_handler.
If that doesn't seem to
Once you've eliminated that problem, I'd suggest that you
use readfile() instead of manually looping; readfile should
be much kinder to your hardware as it uses mmap, which means
that PHP doesn't need to keep allocating small buffers in the loop,
and that the OS can potentially share the
oh sorry, my previous reply didn't CC the mailing list.
the problem has been solved now, it was indeed the output buffering :(
Wez Furlong wrote:
On 08/14/02, Zeev Suraski [EMAIL PROTECTED] wrote:
Any chance you're using output buffering?
Hopefully you are just using output
Hi,
I enclose the patch for ext/mysql/php_mysql.[ch]
(against PHP version 4.2.2 - for earlier version it also works)
that adds new PHP function - mysql_info().
This function has existed in the mysql library for a long time,
and is also defined in the PHP's version of libmysql.
I would like to have access to
Hi,
this version exists in 4.3-dev and will be available in the upcoming 4.3
release, however, not in earlier ones. I added it months ago ;)
Jan
--
Q: Thank Jan? A: http://geschenke.an.dasmoped.net/
Got an old and spare laptop? Please send me a mail.
On Wed, Aug 14, 2002 at 02:44:28PM +0200, Jan Lehnardt wrote:
Hi,
this version exists in 4.3-dev and will be available in the upcoming 4.3
release, however, not in earlier ones. I added it months ago ;)
Thank you very much, this function would help me much.
Regards,
--
Piotr Klaban
Can we not document the real issues about this in the manual, and just
say something like
There are security issues in using any type of sessions with HTTP,
please read the manual at
http://www.php.net/en/manual/security.sessions.html
for a more detailed discussion on this subject..
regards
At 15:46 14-8-2002, Alan Knowles wrote:
Can we not document the real issues about this in the manual, and just say
something like
There are security issues in using any type of sessions with HTTP, please
read the manual at
http://www.php.net/en/manual/security.sessions.html
for a more detail
Andi,
along the lines of my previous request, is it possible to also export
zend_register_functions ? actually a more general request would be to
evaluate the codebase to determine which functions are likely candidates...
thanks,
l0t3k
BTW - i'll try again to subscribe to the ZE2 mailing
Inlined for the list.
Index: reference.xml
===
RCS file: /repository/phpdoc/en/reference/session/reference.xml,v
retrieving revision 1.8
diff -u -r1.8 reference.xml
--- reference.xml 28 Jul 2002 14:04:32 - 1.8
+++
Potentially, yes, depending on how well your OS handles this,
and how often the script is called and so on.
Under linux, with reasonable amounts of RAM, and assuming that
the script is called frequently enough for the OS not to re-use
the buffers, after the first hit (that maps the file) I'd
I do not understand the sense of this whole discussion.
HTTP is a plaintext protocol. So nothing transferred over HTTP can be secure.
No urls, no session no anything.
Stefan
+para
+ Therefore, when dealing with sensative information, there should +
always be additional methods to decide whether it is a valid +
session. Sessions are strongnot reliable/strong as a secure +
authentication mechanism.
+/para
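Review bot: the added paragraph misspells "sensitive" as "sensative" in "when dealing with sensative information", and it tells the reader that sessions are not a reliable authentication mechanism without saying what the "additional methods" should be; as the objection later in this thread puts it, a warning without a workable alternative is not useful documentation, so name at least one concrete check (or point to the section that describes them) before this goes in.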
So if I'm to write an online web-based
Guys, documentation is about giving people information that will help them
solve problems, not about FUD. That was my original point about the
php.ini entry. You can't just state that something is very very bad
without giving workable solutions and alternatives.
Present ways of solving the
hi,
I absolutely agree with Stefan here. It is *not* PHP's job to secure
a connection. SSL does this.
-daniel
- Original Message -
From: Stefan Esser [EMAIL PROTECTED]
Sent: Wed, 14 Aug 2002 16:23:16 +0200
To: [EMAIL PROTECTED]
Subject: Re: [PHP-DEV] trans-sid warning?
I do not
I absolutely agree with Stefan here. It is *not* PHP's job to
secure
a connection. SSL does this.
Like that's going to stop users from pasting a URL with SID in it to
an email, which is what this thread is about.
Edin
hi!
i have written a little extension to the php-java module to allow
convenient access to objects living in other virtual machines via rmi.
this should be handy because the php-java JVM terminates at the end of
every php-script.
the idea was to make remote objects look like local objects:
I absolutely agree with Stefan here. It is *not* PHP's job to secure
a connection. SSL does this.
Like that's going to stop users from pasting a URL with SID in it to an
email, which is what this thread is about.
There are 2 issues at play here, firstly is educating PHP site builders
that
At 17:15 14-8-2002, Dan Hardiker wrote:
+para
+ Therefore, when dealing with sensative information, there should +
always be additional methods to decide whether it is a valid +
session. Sessions are strongnot reliable/strong as a secure +
authentication mechanism.
+
At 17:22 14-8-2002, Rasmus Lerdorf wrote:
Guys, documentation is about giving people information that will help them
solve problems, not about FUD. That was my original point about the
php.ini entry. You can't just state that something is very very bad
without giving workable solutions and
and here are the files!
http://www.scheinwelt.at/~norbertf/files/php-java-rmi-remotecontrol.zip
n.
Dear php-dev,
--
Regards;
Gustavo Almeida
[EMAIL PROTECTED]
Web Developer
Medsys On Line
www.medsys.com.br
(27)3332-2027
Hi all,
there are some bug reports regarding large file uploads, but here is an
observation that might give additional hints for solving the problem:
I'm not able to upload files via HTTP POST greater than 102574 KByte
(with Mozilla 1.1). This applies no matter what I set max_upload_size,
So if I'm to write an online web-based banking system (either in
Java/JSP,
PHP, ASP - whatever)... what method would you suggest that IS secure?
As for the propagation of the session id, there is only one
pseudo-secure
method -- using HTTP basic authentication. On authenticated pages, the
So if I'm to write an online web-based banking system (either in
Java/JSP,
PHP, ASP - whatever)... what method would you suggest that IS secure?
As for the propagation of the session id, there is only one
pseudo-secure
method -- using HTTP basic authentication. On authenticated pages, the
http://nohn.net/lalafarm/200208140900-error.log
Regards,
Sebastian Nohn
--
+49 170 471 8105 - [EMAIL PROTECTED] - http://www.nohn.net/
PGP Key Available - Did I help you? Consider a gift:
http://www.amazon.de/exec/obidos/wishlist/3HYH6NR8ZI0WI/
Dan Hardiker:
However, HTTP basic authentication is passed the same as session
cookies
(discussed earlier in this thread) - in the headers of the HTTP
communication. This can very easily be faked with something like cURL.
On the other hand, if you know the user's credentials, why bother to
PHP is very Good.
PHP is very Good.
and you require a PHP CVS account because ... heh
--
Dan Hardiker [[EMAIL PROTECTED]]
ADAM Software Systems Engineer
First Creative Ltd
According to the PHP manual _once functions support inclusion of remote URLs,
which they do. However, unlike when dealing with local files those functions
do not actually keep track of how many times the file is included and prevent
double inclusion of the same file. Meaning that those
Ilia A. wrote:
On August 14, 2002 02:05 am, you wrote:
Hi Ilia,
One of the complaints about PHP is things have been
deprecated/changed w/o proper prior notice. Many
users are tried with the _bad_ practice AFAIK.
Well, deprecation does not mean the functions were removed, it simply means
Melvyn Sopacua wrote:
At 15:46 14-8-2002, Alan Knowles wrote:
Can we not document the real issues about this in the manual, and just
say something like
There are security issues in using any type of sessions with HTTP,
please read the manual at
Could you try cvs version again?
marcus
At 13:49 14.08.2002, Martin Jansen wrote:
While building the latest snapshot, I get the following error during
make:
ext/standard/info.lo: In function `php_print_info':
/home/martin/source/php4-200208140300/ext/standard/info.c:233:
undefined reference to
On Thu Aug 15, 2002 at 01:5043AM +0200, Marcus Börger wrote:
Could you try cvs version again?
Build fine now. Thanks for your help.
--
- Martin Martin Jansen
http://martinjansen.com/