Re: [PHP-DEV] Errors while building latest snapshot

On Thu Aug 15, 2002 at 01:5043AM +0200, Marcus Börger wrote: > Could you try cvs version again? Build fine now. Thanks for your help. -- - Martin Martin Jansen http://martinjansen.com/ -- PHP Development Mailing List

Re: [PHP-DEV] Errors while building latest snapshot

Could you try cvs version again? marcus At 13:49 14.08.2002, Martin Jansen wrote: >While building the latest snapshot, I get the following error during >"make": > >ext/standard/info.lo: In function `php_print_info': >/home/martin/source/php4-200208140300/ext/standard/info.c:233: >undefined refer

Re: [PHP-DEV] trans-sid warning?

Melvyn Sopacua wrote: > At 15:46 14-8-2002, Alan Knowles wrote: > > >> Can we not document the real issues about this in the manual, and just >> say something like >> >> There are security issues in using any type of sessions with HTTP, >> please read the manual at >> http://www.php.net/en/man

[PHP-DEV] Re: Bug #10374 [Opn->Bgs]: Depreciated features or not

Ilia A. wrote: > On August 14, 2002 02:05 am, you wrote: > >>Hi Ilia, >> >>One of the compaliant about PHP is things has been >>depreciated/changed w/o proper prior notice. Many >>users are tried with the _bad_ practice AFAIK. > > > Well depreciation does not mean the functions were removed, it

[PHP-DEV] Problem with include_once/require_once & remote URLs

According to the PHP manual _once functions support inclusion of remote URLs, which they do. However, unlike when dealing with local files those functions do not actually keep track of how many times the file is included and prevent double inclusion of the same file. Meaning that those function

Re: [PHP-DEV] CVS Account Request: m_alnasri31

> PHP is very Good. and you require a PHP CVS account because ... heh -- Dan Hardiker [[EMAIL PROTECTED]] ADAM Software & Systems Engineer First Creative Ltd -- PHP Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] trans-sid warning?

> On the other hand, if you know the user's credentials, why bother to > fake anything -- just log in to the system like anyone else! Thats user security - only user training can do that. > So... In a system where eavesdropping or man-in-the-middle attacks are > not possible (ie. HTTP over SSL),

[PHP-DEV] CVS Account Request: m_alnasri31

PHP is very Good. -- PHP Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] trans-sid warning?

Dan Hardiker: > However, HTTP basic authentication is passed the same as session > cookies > (discussed earlier in this thread) - in the headers of the HTTP > communication. This can very easily be faked with something like cURL. On the other hand, if you know the user's credentials, why bother

[PHP-DEV] [PATCH] Apache2+safe_mode

The attached patch fixes by implementing the necessary php_apache_sapi_get_stat function. As I wrote in the comment, it does one more system call than is strictly necessary and won't help in cases where the request does not originate from a file. It's a p

[PHP-DEV] current warnings on compaq tru64

http://nohn.net/lalafarm/200208140900-error.log Regards, Sebastian Nohn -- +49 170 471 8105 - [EMAIL PROTECTED] - http://www.nohn.net/ PGP Key Available - Did I help you? Consider a gift: http://www.amazon.de/exec/obidos/wishlist/3HYH6NR8ZI0WI/ -- PHP Development Mailing List

Re: [PHP-DEV] trans-sid warning?

>> So if Im to write an online web-based banking system (either in >> Java/JSP, >> PHP, ASP - whatever)... what method would you suggest that IS secure? > > As for the propagation of the session id, there is only one > pseudo-secure > method -- using HTTP basic authentication. On authenticated pa

Re: [PHP-DEV] trans-sid warning?

> So if Im to write an online web-based banking system (either in > Java/JSP, > PHP, ASP - whatever)... what method would you suggest that IS secure? As for the propagation of the session id, there is only one pseudo-secure method -- using HTTP basic authentication. On authenticated pages, the

[PHP-DEV] Problems uploading large files

Hi all, there are some bug reports regarding large file uploads, but here is an observation that might give additional hints for solving the problem: I'm not able to upload files via HTTP POST greater than 102574 KByte (with Mozilla 1.1). This applies no mater what i set max_upload_size, post

[PHP-DEV] S

Caro php-dev, -- Sds; Gustavo Almeida [EMAIL PROTECTED] Web Developer Medsys On Line www.medsys.com.br (27)3332-2027 -- PHP Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php

[PHP-DEV] Re: my little php-ext/java-RMI extension

and here are the files! http://www.scheinwelt.at/~norbertf/files/php-java-rmi-remotecontrol.zip n. -- PHP Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] trans-sid warning?

At 17:22 14-8-2002, Rasmus Lerdorf wrote: >Guys, documentation is about giving people information that will help them >solve problems, not about FUD. That was my original point about the >php.ini entry. You can't just state that something is very very bad >without giving workable solutins and a

Re: [PHP-DEV] trans-sid warning?

At 17:15 14-8-2002, Dan Hardiker wrote: > > + > > + Therefore, when dealing with sensative information, there should + > > always be additional methods to decide whether it is a valid + > > session. Sessions are not reliable as a secure + > > authentication mechanism. > > + > >So

Re: [PHP-DEV] trans-sid warning?

>> I absolutely agree with Stefan here. It is *not* PHP's job to secure >> a connection. SSL does this. > > Like that's going to stop users from pasting url with SID in it to an > email, which is what this thread is about. There are 2 issues at play here, firstly is educating PHP site builders th

[PHP-DEV] my little php-ext/java-RMI extension

hi! i have written a little extension to the php-java module to allow convenient access to objects living in other virtual machines via rmi. this should be handy because the php-java JVM terminates at the end of every php-script. the idea was to make remote objects look like local objects: -

Re: [PHP-DEV] trans-sid warning?

> I absolutely agree with Stefan here. It is *not* PHP's job to secure > a connection. SSL does this. Like that's going to stop users from pasting url with SID in it to an email, which is what this thread is about. Edin -- PHP Development Mailing List To unsubscribe, vis

Re: [PHP-DEV] trans-sid warning?

hi, I absolutely agree with Stefan here. It is *not* PHP's job to secure a connection. SSL does this. -daniel - Original Message - From: "Stefan Esser" <[EMAIL PROTECTED]> Sent: Wed, 14 Aug 2002 16:23:16 +0200 To: <[EMAIL PROTECTED]> Subject: Re: [PHP-DEV] trans-sid warning? > I do no

Re: [PHP-DEV] trans-sid warning?

Guys, documentation is about giving people information that will help them solve problems, not about FUD. That was my original point about the php.ini entry. You can't just state that something is very very bad without giving workable solutins and alternatives. Present ways of solving the probl

Re: [PHP-DEV] trans-sid warning?

> + > + Therefore, when dealing with sensative information, there should + > always be additional methods to decide whether it is a valid + > session. Sessions are not reliable as a secure + > authentication mechanism. > + So if Im to write an online web-based banking system (eith

Re: [PHP-DEV] trans-sid warning?

I do not understand the sense of this whole discussion. HTTP is a plaintext protocol. So nothing transfered over HTTP can be secure. No urls, no session no anything. Stefan -- PHP Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] HUGE memory consumption on fread()

Potentially, yes, depending on how well your OS handles this, and how often the script is called and so on. Under linux, with reasonable amounts of RAM, and assuming that the script is called frequently enough for the OS not to re-use the buffers, after the first hit (that maps the file) I'd expe

Re: [PHP-DEV] trans-sid warning?

Inlined for the list. Index: reference.xml === RCS file: /repository/phpdoc/en/reference/session/reference.xml,v retrieving revision 1.8 diff -u -r1.8 reference.xml --- reference.xml 28 Jul 2002 14:04:32 - 1.8 +++ refe

[PHP-DEV] [PHP-Dev] ZE2 Favour..

Andi, along the lines of my previous request, is it possible to also export zend_register_functions ? actually a more general request would be to evaluate the codebase to determine which functions are likely candidates... thanks, l0t3k BTW - i'll try again to subscribe to the ZE2 mailing list..

Re: [PHP-DEV] trans-sid warning?

At 15:46 14-8-2002, Alan Knowles wrote: >Can we not document the real issues about this in the manual, and just say >something like > >There are security issues in using any type of sessions with HTTP, please >read the manual at >http://www.php.net/en/manual/security.sessions.html >for a more

Re: [PHP-DEV] trans-sid warning?

Can we not document the real issues about this in the manual, and just say something like There are security issues in using any type of sessions with HTTP, please read the manual at http://www.php.net/en/manual/security.sessions.html for a more detail discussion on this subject.. regards Alan

Re: [PHP-DEV] New function request - mysql_info() (patch included)

On Wed, Aug 14, 2002 at 02:44:28PM +0200, Jan Lehnardt wrote: > Hi, > this version exists in 4.3-dev and will be available in the upcoming 4.3 > release, however, not in earlier ones. I added it months ago ;) Thank you very much, this function would help me much. Regards, -- Piotr Klaban --

Re: [PHP-DEV] New function request - mysql_info() (patch included)

Hi, this version exists in 4.3-dev and will be available in the upcoming 4.3 release, however, not in earlier ones. I added it months ago ;) Jan -- Q: Thank Jan? A: http://geschenke.an.dasmoped.net/ Got an old and spare laptop? Please send me a mail. -- PHP Development Mailing List

[PHP-DEV] New function request - mysql_info() (patch included)

Hi, I enclose the patch for ext/mysql/php_mysql.[ch] (against PHP version 4.2.2 - for earlier version it also works) that adds new PHP function - mysql_info(). This function exists in mysql library log time, and is also defined in the PHP's version of libmysql. I would like to have acces to thi

Re: [PHP-DEV] HUGE memory consumption on fread()

oh sorry, my previous reply didn't CC the mailing list. the problem has been solved now, it was indeed the output buffering :( Wez Furlong wrote: >On 08/14/02, "Zeev Suraski" <[EMAIL PROTECTED]> wrote: > > >>Any chance you're using output buffering? >> >> > >Hopefully you are just using o

Re: [PHP-DEV] HUGE memory consumption on fread()

> > Once you've eliminated that problem, I'd suggest that you > use readfile() instead of manually looping; readfile should > be much kinder to your hardware as it uses mmap, which means > that PHP doesn't need to keep allocating small buffers in the loop, > and that the OS can potentially share t

Re: [PHP-DEV] HUGE memory consumption on fread()

On 08/14/02, "Zeev Suraski" <[EMAIL PROTECTED]> wrote: > Any chance you're using output buffering? Hopefully you are just using output buffering; check for settings in your php.ini or apache configuration such as zlib.output_compression, output_buffering, output_handler. If that doesn't seem to

Re: [PHP-DEV] Re: trans-sid warning?

At 13:37 14-8-2002, Yasuo Ohgaki wrote: >Improvements, additional descriptions, corrections are welcome >at any time. Allright, lemme whip up something. Met vriendelijke groeten / With kind regards, Webmaster IDG.nl Melvyn Sopacua -- PHP Development Mailing List To

[PHP-DEV] Errors while building latest snapshot

While building the latest snapshot, I get the following error during "make": ext/standard/info.lo: In function `php_print_info': /home/martin/source/php4-200208140300/ext/standard/info.c:233: undefined reference to `iconv_globals' collect2: ld returned 1 exit status make: *** [sapi/cli/php] Error

[PHP-DEV] Re: Bug #10374 [Opn->Bgs]: Depreciated features or not

On August 14, 2002 02:05 am, you wrote: > Hi Ilia, > > One of the compaliant about PHP is things has been > depreciated/changed w/o proper prior notice. Many > users are tried with the _bad_ practice AFAIK. Well depreciation does not mean the functions were removed, it simply means that there is

Re: [PHP-DEV] Re: [PHP-DOC] Re: [PHP-DEV] php_error_docref

Hi, On Wed, Aug 14, 2002 at 10:41:24AM +0100, Wez Furlong wrote: > So, you're suggesting that all external extensions have to be in PECL > in order for the error message to link to further documentation?? > > What about projects like APC/APD? SRM? > ? > Do they all have to be hosted on php.net??

Re: [PHP-DEV] Re: trans-sid warning?

Melvyn Sopacua wrote: > > We seem to go around in circles :-) > > At 13:08 14-8-2002, you wrote: > >> Melvyn Sopacua wrote: >> >>> At 12:04 14-8-2002, Yasuo Ohgaki wrote: >>> Aren't we discussing what method of passing session ID is less secure than others? >>> >>> >>> Yes, but I fail

Re: [PHP-DEV] Re: trans-sid warning?

We seem to go around in circles :-) At 13:08 14-8-2002, you wrote: >Melvyn Sopacua wrote: >>At 12:04 14-8-2002, Yasuo Ohgaki wrote: >>>Aren't we discussing what method of passing session ID is less >>>secure than others? >> >>Yes, but I fail to see what it has to do with security. >>For instanc

Re: [PHP-DEV] Re: trans-sid warning?

Melvyn Sopacua wrote: > At 12:04 14-8-2002, Yasuo Ohgaki wrote: >> Aren't we discussing what method of passing session ID is less >> secure than others? > > > Yes, but I fail to see what it has to do with security. > For instance - I use sessions to store some output that takes a lot of > time

Re: [PHP-DEV] Re: [PHP-DOC] Re: [PHP-DEV] php_error_docref

So, you're suggesting that all external extensions have to be in PECL in order for the error message to link to further documentation?? What about projects like APC/APD? SRM? ? Do they all have to be hosted on php.net?? --Wez. On 08/14/02, "Jan Lehnardt" <[EMAIL PROTECTED]> wrote: > Hi, > On W

Re: [PHP-DEV] Re: trans-sid warning?

At 12:04 14-8-2002, Yasuo Ohgaki wrote: >Melvyn Sopacua wrote: >>Again - security by obscurity. It does not change the fact, that >>if($_SESSION['logged_in']) { 'good' } is insecure. >>Using a trans-sid only makes things more transparent, which is not equal >>to less secure in my book, but I kn

Re: [PHP-DEV] Re: trans-sid warning?

Dan Hardiker wrote: > How you can tell a cookie to be stored in RAM rather than on the HDD, Im > not sure ... but that might mean I need to brush up. do not set a lifetime and it won't be stored on disk and live in browser ram until browser is terminated has been so ever since netscape came up wi

Re: [PHP-DEV] Re: trans-sid warning?

Dan Hardiker wrote: >>URL based sessin management has more risks than cookie's. >>Please advise people to consider risks :) > > > but cookies arent always enabled (in my area of deployment 90% dont have > them enabled) .. and the fact is no matter where the data goes client > side, the data can

Re: [PHP-DEV] HUGE memory consumption on fread()

Any chance you're using output buffering? Zeev At 12:25 14/08/2002, Joost Lek wrote: >Hello everyone, > >I am new to this list, but urgently in need of a solution for a problem i >am currently facing. >First, i'll give a description of my current platform: >Linux 2.4.18 (origninally slackware,

Re: [PHP-DEV] Re: trans-sid warning?

> Now this is where the code dev needs an IQ above 3. *Use IP and Browser > String authentication* Except you cannot rely on ppl coming from the same IP on every hit. Many firewalls use several exit IPs (Cisco PIX for example), so users coming from networks like that would be randomly loged out.

Re: [PHP-DEV] Re: trans-sid warning?

> URL based sessin management has more risks than cookie's. > Please advise people to consider risks :) but cookies arent always enabled (in my area of deployment 90% dont have them enabled) .. and the fact is no matter where the data goes client side, the data can still be pulled. I can knock a

Re: [PHP-DEV] Re: trans-sid warning?

Melvyn Sopacua wrote: > Again - security by obscurity. It does not change the fact, that > if($_SESSION['logged_in']) { 'good' } is insecure. > Using a trans-sid only makes things more transparent, which is not equal > to less secure in my book, but I know opinions vary in that area. Who is tal

Re: [PHP-DEV] Re: trans-sid warning?

>>This bit confused me slightly ... whats the difference between a >> Session cookie and a Normal cookie? > > It's stored in memory, not on disk. How you can tell a cookie to be stored in RAM rather than on the HDD, Im not sure ... but that might mean I need to brush up. > For the end-user Mr. P

Re: [PHP-DEV] Re: trans-sid warning?

Dan Hardiker wrote: >>I'm not saying cookie based session is perfectly secure, but >>it's obvious to me that URL based session is much less secure >>than cookie one, especially compare to session cookie. > > > URL based session-id transferal is not much less secure, because all the > user has to

[PHP-DEV] HUGE memory consumption on fread()

Hello everyone, I am new to this list, but urgently in need of a solution for a problem i am currently facing. First, i'll give a description of my current platform: Linux 2.4.18 (origninally slackware, heavily modified) apache 1.3.22 php 4.1.2 mysql 3.23.46 (i am aware that these are not the la

Re: [PHP-DEV] Re: trans-sid warning?

At 11:01 14-8-2002, Dan Hardiker wrote: >This bit confused me slightly ... whats the difference between a Session >cookie and a Normal cookie? It's stored in memory, not on disk. For the end-user Mr. Priest, this would be considered even 'less secure', because he expects it to be deleted and

[PHP-DEV] Re: [PHP-DOC] Re: [PHP-DEV] Re: [PHP-DOC] Re: [PHP-DEV]php_error_docref

> >| Erm - good point we cannot find "pecl.function.name" automatically by > >| docref=NULL. Either pecl must be available by "function.name" or by > >| just using "name" on php.net. This is also a problem for external copies > >| of the manual. > > > >PECL, PEAR and other functions won't be avail

[PHP-DEV] Re: [PHP-DOC] Re: [PHP-DEV] Re: [PHP-DOC] Re: [PHP-DEV] php_error_docref

At 10:57 14.08.2002, Gabor Hojtsy wrote: > > > Then there is only the last argument not spoken about yet: > > > Externally developed extensions. > >and PECL extensions respectively. For external developed extensions I >suggest > >putting them into PECL (at least the documentation, if there are lic

Re: [PHP-DEV] PHP_SELF confusion (errata)

On Tue, Aug 13, 2002 at 03:54:58PM +0200, Piotr Klaban wrote: > and if I call http://server/dir/file.php?q=1, the result is: > >Apache module PHP CGI > PHP_SELF /dir/file.php/path-info/dir/file.php I am sorry it is a mistake, it should be: and if I call http://se

Re: [PHP-DEV] Re: trans-sid warning?

At 10:58 14-8-2002, Yasuo Ohgaki wrote: >Hi, > >I guess you missed some points :) Nope :-) >Melvyn Sopacua wrote: >>At 08:18 14-8-2002, Yasuo Ohgaki wrote: >> >>>Rasmus Lerdorf wrote: >>> As much as I think trans-sid sucks from a performance perspective, what's with this comment in php.

Re: [PHP-DEV] Re: trans-sid warning?

> I'm not saying cookie based session is perfectly secure, but > it's obvious to me that URL based session is much less secure > than cookie one, especially compare to session cookie. URL based session-id transferal is not much less secure, because all the user has to do is open up their cache an

[PHP-DEV] Re: [PHP-DOC] Re: [PHP-DEV] Re: [PHP-DOC] Re: [PHP-DEV]php_error_docref

> > Then there is only the last argument not spoken about yet: > > Externally developed extensions. >and PECL extensions respectively. For external developed extensions I suggest >putting them into PECL (at least the documentation, if there are license >issues about the extension's code itself) an

Re: [PHP-DEV] Re: [PHP-DOC] Re: [PHP-DEV] php_error_docref

Hi, On Wed, Aug 14, 2002 at 10:25:40AM +0200, Marcus Börger wrote: > > Erm - good point we cannot find "pecl.function.name" automatically by > docref=NULL. Either pecl must be available by "function.name" or by > just using "name" on php.net. This is also a problem for external copies > of the ma

Re: [PHP-DEV] Re: trans-sid warning?

Hi, I guess you missed some points :) Melvyn Sopacua wrote: > At 08:18 14-8-2002, Yasuo Ohgaki wrote: > >> Rasmus Lerdorf wrote: >> >>> As much as I think trans-sid sucks from a performance perspective, >>> what's >>> with this comment in php.ini-dist? >>> ; trans sid support is disabled by de

Re: [PHP-DEV] Re: [PHP-DOC] Re: [PHP-DEV] php_error_docref

At 10:15 14.08.2002, Jan Lehnardt wrote: >Hi, >On Wed, Aug 14, 2002 at 10:09:52AM +0200, Marcus Börger wrote: > > Then there is only the last argument not spoken about yet: > > Externally developed extensions. >and PECL extensions respectively. For external developed extensions I suggest >putting

Re: [PHP-DEV] Re: [PHP-DOC] Re: [PHP-DEV] php_error_docref

Hi, On Wed, Aug 14, 2002 at 10:09:52AM +0200, Marcus Börger wrote: > Then there is only the last argument not spoken about yet: > Externally developed extensions. and PECL extensions respectively. For external developed extensions I suggest putting them into PECL (at least the documentation, if th

Re: [PHP-DEV] Re: [PHP-DOC] Re: [PHP-DEV] php_error_docref

At 10:03 14.08.2002, Jan Lehnardt wrote: >Hi, >On Tue, Aug 13, 2002 at 05:26:17PM +0200, Marcus Börger wrote: > > At 17:05 13.08.2002, Dan Kalowsky wrote: > > >On Tue, 13 Aug 2002, Marcus [iso-8859-1] Börger wrote: > > > > > > > >2) Can we please remove the > "http://www.php.net/manual/en/blahbla

[PHP-DEV] Re: [PHP-DOC] Re: [PHP-DEV] php_error_docref

Hi, On Tue, Aug 13, 2002 at 05:26:17PM +0200, Marcus Börger wrote: > At 17:05 13.08.2002, Dan Kalowsky wrote: > >On Tue, 13 Aug 2002, Marcus [iso-8859-1] Börger wrote: > > > > > >2) Can we please remove the "http://www.php.net/manual/en/blahblahblah"; > > > >style of use for this? It will tend to

Re: [PHP-DEV] Re: trans-sid warning?

Hi, At 08:18 14-8-2002, Yasuo Ohgaki wrote: >Rasmus Lerdorf wrote: >>As much as I think trans-sid sucks from a performance perspective, what's >>with this comment in php.ini-dist? >>; trans sid support is disabled by default. >>; Use of trans sid may risk your users security. It may not be >>; f