Hi All,
My very first post to this group as I'm a freshly spanked new born php
baby. Hope I have the correct stop for noob tech questions. Please
re-direct me if I have it wrong. I've been doing web dev for quite a while
with a variety of methods (html, xhtml/css, cfml, flash/as, on and
Thanks, Jasper
I looked at my banks TCs and it says don't use software that stores
your password unless it is used by a specific banking service.
I am going to look into the curl functions, but I am pretty sure that
the bank won't let it work unless it thinks it is a proper browser like
IE
I. Gray wrote:
I looked at my banks TCs and it says don't use software that stores
your password unless it is used by a specific banking service.
You might like to send them an email to clarify; as a general rule your
bank manager is the kind of person you least want to piss off ;)
I am
Hi all
I came across some text that says PHP compiles the script to bytecode prior to
running it.
Is this true, and is it possible to instead of .php source files, use those
bytecodes files in distribution?
With kind regards
Andy
--
Registered Linux User Number 379093
Now listening to
Andy Pieters wrote:
I came across some text that says PHP compiles the script to bytecode prior to
running it.
Is this true, and is it possible to instead of .php source files, use those
bytecodes files in distribution?
http://php.net/bcompiler
--
Jasper Bryant-Greene
Freelance web
I came across some text that says PHP compiles the script to bytecode prior to
running it.
PHP compiles the source to OPCodes.
Is this true, and is it possible to instead of .php source files, use those
bytecodes files in distribution?
With kind regards
Andy
--
Registered
On 9/21/05, Andy Pieters [EMAIL PROTECTED] wrote:
Hi all
I came across some text that says PHP compiles the script to bytecode prior to
running it.
Is this true, and is it possible to instead of .php source files, use those
bytecodes files in distribution?
There are no bytecode files.
Got the solution finally!!! The code is not optimised yet but here it is:
(The accommodation holds total availability and the accommodation1 the
bookings...)
function
checkspecificdate($thespecificdatefrom,$thespecificdateto,$productid) {
list($dd1,$mm1,$1) = split(/,
Michael Sims wrote:
Jochem Maas wrote:
Michael Sims wrote:
So, as far as foo() knows:
foo($a = 5);
and
foo(5);
are exactly the same...
I don't think they are, and your examples don't prove it.
Anyone care to come up with the proof.
No, I was wrong, Rasmus corrected me. That's my
Joseph Crawford wrote:
Ok so finally i implemented my logging class into my mail merge object, this
is the results
Word - Application Opened.
Word - Document1 Document Added.
Word - header.doc Document Saved.
Word - header.doc Document Closed.
Word - Document2 Document Added.
Word - ds.doc
Jasper Bryant-Greene wrote:
John Nichel wrote:
I. Gray wrote:
I thought I may have read of this somewhere- but I may be wrong. I am also
not sure whether this is allowed by banks, so please let me know- I want
to stay on the right side of the law!
Your account...I can't see where it would
hi..
i've been searching/researching the areas of security regarding url input,
form input, as well as database input (mysql). while there are plenty of
articles that touch on the topic, i'm looking for a given site/package/lib
(open source) that is pretty much the standard that i could use for
Bruce,
If you're looking for commercial-grade open-source packages, I think
you're going to have a pretty hard time finding much. Most
commercial-grade software is...commercial. The truly robust open-source
packages, i.e. Mozilla, MySQL, JBoss, BerkeleyDB, etc., are backed by
some sort of
i would have thought (perhaps wrongly) that someone would have created a
series of functions/routines and wrapped them in a package/lib to deal with
the security issues that i've raised!!
but i have to tell you. i've looked at some open source classes/apps that
aren't that strong. in fact, some
I have two programs on two servers, and they both have similar problems.
In each one, I use 'exec' to call a helper program. In one case, it is
ecasound, which I use to resample an mp3. In the other, it is convert,
which creates a thumbnail of a very large image the user has uploaded. In
[EMAIL PROTECTED] wrote:
I have two programs on two servers, and they both have similar problems.
In each one, I use 'exec' to call a helper program. In one case, it is
ecasound, which I use to resample an mp3. In the other, it is convert,
which creates a thumbnail of a very large image the
[EMAIL PROTECTED] wrote:
I have two programs on two servers, and they both have similar problems.
In each one, I use 'exec' to call a helper program. In one case, it is
ecasound, which I use to resample an mp3. In the other, it is convert,
which creates a thumbnail of a very large image the
have you tried googling on +application framework +php..
that seems like what you're looking for and several of these projects are
commercial-grade and open source.
i use dbasis as my application framework and highly recommend it -- its a
component of the syntaxCMS project. i have also used
Please reply to the list.
[EMAIL PROTECTED] wrote:
No, all of these things you are bringing up would cause the programs to
NEVER work, not work some of the time or when the data they are
processing is small.
Depends on the install. My cli uses a different php.ini than the web one.
Did you
I don't want to crowd the list up with dead ends, so I was trying to
respond only to you.
I'm not calling a php program from exec, I'm calling ecasound and
convert. For example, in the php code:
exec(convert $internalpath/$filename -resize
{$thumbWidth}x{$thumbHeight}
[EMAIL PROTECTED] wrote:
I don't want to crowd the list up with dead ends, so I was trying to
respond only to you.
snip
You'll get more chances at finding the solution to this with the list's
eyes on it rather than just myself. Plus, it provides an archive of the
problem and the (if we find
If the web server didn't have permission to execute the app, it would
NEVER execute the app, not execute it some of the time. In fact, it
ALWAYS executes the app, it just doesn't always allow it to finish.
I log all attempts to run these apps in order to debug, so I know that
the command as
[EMAIL PROTECTED] wrote:
If the web server didn't have permission to execute the app, it would
NEVER execute the app, not execute it some of the time. In fact, it
ALWAYS executes the app, it just doesn't always allow it to finish.
I log all attempts to run these apps in order to debug, so I
the logs say things like:
/kunden/homepages/12/d117065027/htdocs/software/ImageMagick-6.2.3/utilities/convert
ib_images/Other_Spices_Basic_004.jpg -resize 180x120 ib_images/Other_Spices_Basic_004_thumb.jpg
this is a command I'm trying to get php to run. I then cut and paste it
to the command
[EMAIL PROTECTED] wrote:
the logs say things like:
/kunden/homepages/12/d117065027/htdocs/software/ImageMagick-6.2.3/utilities/convert
ib_images/Other_Spices_Basic_004.jpg -resize 180x120
ib_images/Other_Spices_Basic_004_thumb.jpg
this is a command I'm trying to get php to run. I then cut
timeout isn't being used on either of these machines, and as far as I read
it, the timeout directive would make the web server fail, producing an
apache error or some strange behaviour on the client end. Neither of
these happens, the php script completes normally, but the exec command
(and
[EMAIL PROTECTED] wrote:
timeout isn't being used on either of these machines, and as far as I
read it, the timeout directive would make the web server fail, producing
an apache error or some strange behaviour on the client end. Neither of
How is timeout _not_ being used? It's a core
as I said, the default timeout is 300 seconds, a lot longer than my program
takes to run, and I am pretty certain that if timeout were triggered, I'd
see it in the client.
Yeah, I'm using a browser on the php page, and everything seems to
function fine from the browser to the server, it's
Hi,
I'm installing and configuring Gallery 2.0. One system check is check
memory limit. The warning is:
Warning: Your PHP is configured to limit the memory to 8Mb
(memory_limit parameter in php.ini). You should raise this limit to at
least 16MB for proper Gallery operation.
[EMAIL PROTECTED] wrote:
as I said, the default timeout is 300 seconds, a lot longer than my
program takes to run, and I am pretty certain that if timeout were
triggered, I'd see it in the client.
Yeah, I'm using a browser on the php page, and everything seems to
function fine from the
convert doesn't produce any output regardless of whether it works or not.
Ecasound produces output when it works, but when it doesn't, it produces
no output. Using php tricks to capture standard error also produces no
output.
On Wed, 21 Sep 2005, John Nichel wrote:
[EMAIL PROTECTED]
Hi,
I have a rather peculiar problem with session.gc_maxlifetime local
settings not being respected under certain circumstances. In order to
ensure that sessions created for our application would have a max
lifetime longer than the default 24 minutes, we cranked
session.gc_maxlifetime in an
got it!!
if i could find docs/methods/etc.. i'd gladly share...
two questions:
1) css scripting. how can it be prevented?? what are some of the methods
that you guys use?
2) what are some of the actual code methods used in real sites to deal with
URL/Query (GET/POST) parsing?
what do you guys
bruce wrote:
i've been searching/researching the areas of security regarding url
input, form input, as well as database input (mysql). while there
are plenty of articles that touch on the topic, i'm looking for a
given site/package/lib (open source) that is pretty much the
standard that i could
[EMAIL PROTECTED] wrote:
convert doesn't produce any output regardless of whether it works or
not. Ecasound produces output when it works, but when it doesn't, it
produces no output. Using php tricks to capture standard error also
produces no output.
Hopefully somebody else on the list can
Hi,
I have a rather peculiar problem with session.gc_maxlifetime local
settings not being respected under certain circumstances. In order to
ensure that sessions created for our application would have a max
lifetime longer than the default 24 minutes, we cranked
session.gc_maxlifetime in an
You're telling me. That's why I think php or apache kills it.
On Wed, 21 Sep 2005, John Nichel wrote:
[EMAIL PROTECTED] wrote:
convert doesn't produce any output regardless of whether it works or not.
Ecasound produces output when it works, but when it doesn't, it produces no
output. Using
Steve Lefevre wrote:
I have a php site on a production server. The production server doesn't
have the spell libraries, and rather than migrate the site, we setup
spell checking functions on the development site, and shuttled the users
back and forth with specially crafted get links and forms.
[EMAIL PROTECTED] wrote:
You're telling me. That's why I think php or apache kills it.
I didn't really follow this, but typically you can debug exec problems
from the command line by switching to the web server user id and running
the exact same command.
-Rasmus
--
PHP General Mailing List
Andy Pieters wrote:
I came across some text that says PHP compiles the script to bytecode prior to
running it.
Is this true, and is it possible to instead of .php source files, use those
bytecodes files in distribution?
It sounds like you're looking for APC:
http://php.net/apc
Hope that
Yes, but that's been done. Since these are shared servers, on one I am
logged in as the user the web server is running as, on the other I can't
su to nobody, but were there permissions errors, I would have been able to
capture them. If permissions caused this, it would fail every time, since
I am assuming that you get hold of the file through uploading it, correct?
So, when it fails maybe another upload (i.e. script invocation) is happening
and the previous file gets lost/corrupted/whatever. Try to move the file to
another dir (maybe /tmp) with a random name and see what happens.
php places uploaded files in the /tmp directory with a unique name, and
when I copy them to my directory, I also guarantee a unique name for them.
I have verified that this is all working. I've patched this with a cron
job that runs every minute, but it really should happen in php, so that
I threw together this totally untested and unreliable code to solicit
comments on whether or not this is a good way to validate emails. Consider
the following:
pseudocode
function validate_email($email){
if (str_word_count($email,'@')!=1){return('Not a proper email address');}
Jim Moseby wrote:
I threw together this totally untested and unreliable code to solicit
comments on whether or not this is a good way to validate emails. Consider
the following:
pseudocode
function validate_email($email){
if (str_word_count($email,'@')!=1){return('Not a proper email
So, what is the general thought about validating email
addresses in this
manner?
JM
There is a good reason why virtually everyone uses regex
patterns for email validating.
Excellent start! And that good reason is...?
How can regex ensure that the email address that is submitted is
jim...
validating email means different things to different people...
but there's no way you're going to be able to 'throw' together something in
2-3 days that others have taken years to create/refine...
if you only want to determine if an email address is valid, what does that
mean to you? are
Jim Moseby said the following on 09/21/05 11:00:
So, what is the general thought about validating email
addresses in this
manner?
JM
There is a good reason why virtually everyone uses regex
patterns for email validating.
Excellent start! And that good reason is...?
How can regex
jim...
validating email means different things to different people...
True, but for the most part people just want to know whether a user has
entered a real working email address into their forms. What better test
than to try to send an email to it?
but there's no way you're going to
is it possible to retrieve the name of a variable passed into a
function from within the function?
<?php
function example($input) {
//for example here can I determine that $input came from $a in the
previous scope?
}
example($a);
?>
Jeffrey Sambells
Director of Research and Development
did you try to run the script from the shell as the www-data user?
(if not, su www-data and then run the script) it may be something regarding
permission
hth
2005/9/21, John Nichel [EMAIL PROTECTED]:
[EMAIL PROTECTED] wrote:
I have two programs on two servers, and they both have similar problems.
Hello,
on 09/21/2005 02:49 PM Jim Moseby said the following:
I threw together this totally untested and unreliable code to solicit
comments on whether or not this is a good way to validate emails.
Consider
the following:
So, what is the general thought about validating email addresses in
yeah, if you look at the thread you will see that I've already done this.
On Wed, 21 Sep 2005, adriano ghezzi wrote:
did you try to run the script from the shell as the www-data user?
(if not, su www-data and then run the script) it may be something regarding
permission
hth
2005/9/21, John Nichel
(Forwarding private reply to the list)
-Original Message-
From: Al Rider
Sent: Wednesday, September 21, 2005 2:19 PM
To: Jim Moseby
Subject: Re: [PHP] Re: email validation (no regex)
What you have is virtually impossible to determine if all legitimate
possibilities are covered.
email validation using regex is a very heavily analyzed subject
Google regex email validate and you'll find loads of expressions.
Look at the Zend article, it provides some insight.
I
(private email forwarded to list)
-Original Message-
From: [EMAIL PROTECTED]
Sent: Wednesday, September 21, 2005 2:19 PM
To: Jim Moseby
Subject: Re: [PHP] email validation (no regex)
There's no requirement for an MX-record, so you'd need to check the
A-record ($domain) too.
This
because you should want/need to validate that the address is correct prior
to determining if the email server is up running...
the regex function simply allows you to quickly determine if the address is
valid... doesn't mean that it's going to go to an actual live user...!!
btw simply checking
because you should want/need to validate that the address is correct prior
to determining if the email server is up running...
the regex function simply allows you to quickly determine if the address
is
valid... doesn't mean that it's going to go to an actual live user...!!
btw simply
btw simply checking for a single '@' with a domain doesn't do
it... what if
the user has '[EMAIL PROTECTED]' or '[EMAIL PROTECTED]'. will your
regex accept/deny
this???
My function will quickly deny those because the DNS lookup for them will
immediately fail. Will your regex deny '[EMAIL
because you should want/need to validate that the address is correct
prior
to determining if the email server is up running...
the regex function simply allows you to quickly determine if the address
is
valid... doesn't mean that it's going to go to an actual live user...!!
btw
Jim Moseby wrote:
There's no requirement for an MX-record, so you'd need to check the
A-record ($domain) too.
Excellent answer. No requirement for MX record?
[showing my ignorance]
How does email routing happen if there is no mail exchanger in the
zonefile for a particular domain?
but you could do what you want to do. however, it's going to
be painful if
you want it to match the rfc spec...
Really? Why does it need to be painful? I just need to do a 'EHLO', 'Mail
From:' and 'RCPT to:' and 'QUIT'. It's not going to actually send an email.
Seems simple to me. Maybe
Not sure about Gallery or Apache 2 but Apache 1 uses different php.ini
files for cli, cgi and mod_php. It could be that gallery checks using
the command line version of php which has a different setting for
memory limit? Seems silly but it's a thought.
Jeff
Jeffrey Sambells
Director of
Philip Hallstrom wrote:
but you could do what you want to do. however, it's going to be
painful if you want it to match the rfc spec...
Really? Why does it need to be painful? I just need to do a
'EHLO', 'Mail From:' and 'RCPT to:' and 'QUIT'. It's not going to
actually send an email.
-Original Message-
From: Jim Moseby [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 21, 2005 12:21 PM
To: php-general@lists.php.net
Subject: RE: [PHP] Re: email validation (no regex)
btw simply checking for a single '@' with a domain doesn't do
it... what if
the user
Chris Shiflett wrote:
Steve Lefevre wrote:
I have a php site on a production server. The production server doesn't
have the spell libraries, and rather than migrate the site, we setup
spell checking functions on the development site, and shuttled the users
back and forth with specially
Jeffrey Sambells [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
is it possible to retrieve the name of a variable passed into a function
from within the function?
Short Answer : No
Longer Answer : Maybe, if you have knowledge of PHP internals and a
willingness to write an
bruce wrote:
two questions:
1) css scripting. how can it be prevented?? what are some of the methods
that you guys use?
Before outputting anything user-sourced to the browser,
htmlspecialchars() it, preferably with the ENT_QUOTES option. If you
want to allow some HTML, only then parse the
Short Answer : No
Longer Answer : Maybe, if you have knowledge of PHP internals and a
willingness to write an extension. Even then it may not work.. g
Well, PHP5's magic methods __get()/ __set() could be used to resolve the
variable's name...
ok...
i'm confused regarding XSS. Cross-Site Scripting appears to be due to
somehow allowing a user to insert 'html'/data/etc into the URL that you as the
app are expecting? is this correct? wouldn't this be easy enough to solve in
most cases, if the app did the proper validation/data
is it possible to retrieve the name of a variable passed into a
function from within the function?
Sure. Use debug_backtrace to figure out what line and what file the
caller is in, then read that file, find that line, find the function
call within that line, and read what ever is between the
followup...
i just read an article that described how someone could have a url of
'http://foo.com/' and have the URL in an img in their website. the
website could be cat.com. the article implied that if a user would select the
img, the link to the foo.com would be initiated, thereby
Maybe something fancy with references?
http://us2.php.net/manual/en/language.references.php
On 9/21/05, Thorsten Suckow-Homberg [EMAIL PROTECTED] wrote:
Short Answer : No
Longer Answer : Maybe, if you have knowledge of PHP internals and a
willingness to write an extension. Even then it may
oh well, thanks for the help.
Jeffrey Sambells
Director of Research and Development
We-Create Inc.
519.897.2552 cell
519.745.7374 office
888.615.7374 toll free
http://www.wecreate.com
On 21-Sep-05, at 6:02 PM, Jake Gardner wrote:
Maybe something fancy with references?
Steve Lefevre wrote:
No, it's not. They're totally separate machines at different ISPs.
In this case, a user's session is stagnant for the duration of their
trip to the other server. I'm guessing that users are typically only
there for a brief moment, but this is something to keep in mind.
Jasper Bryant-Greene wrote:
Before outputting anything user-sourced to the browser,
htmlspecialchars() it, preferably with the ENT_QUOTES option. If you
want to allow some HTML, only then parse the string to un-escape
certain HTML tags.
Jasper++
Check the types if it's a problem for you
bruce wrote:
i'm confused regarding XSS. Cross-Site Scripting appears to be
due to somehow allowing a user to insert 'html'/data/etc into the
URL that you as the app are expecting? is this correct?
A XSS vulnerability exists whenever you output tainted data. For
example, if a user can
Checking data types can be very misleading. I've seen many examples
(even recently in a book) that use is_int() to check to see whether
something in $_GET or $_POST is an integer. Because everything in
$_GET and $_POST is a string, this check always fails.
Chris
I have found that adding 0
bruce wrote:
i just read an article that described how someone could have a url of
'http://foo.com/' and have the URL in an img in their website.
the website could be cat.com. the article implied that if a user would
select the img, the link to the foo.com would be initiated, thereby
fooling
Mikey wrote:
I have found that adding 0 and then running is_int() usually works.
You mean always works. :-) Casting something to an integer and then
checking to see if it's an integer doesn't tell you anything useful:
<?php
$int = 'this is not an int';
$int += 0;
if (is_int($int))
{
chris..
i'm still confused... w/r to your example, what's wrong with using the
$_GET['username'] that you present. unless you're saying it should be
checked/validated before using it.. in which case the app could do something
like $_GET['username'] = reg_check($_GET['username'])...
is this
chris..
thanks for the replies... i think i understand what you're stating.. but i'm
still confused as to why my app/server would allow a GET/POST piece of data
that would/should be originating from a form on my site to come from a 3rd
party/external site/app? i would have assumed that there
On Wed, 2005-09-21 at 19:21, Chris Shiflett wrote:
Mikey wrote:
I have found that adding 0 and then running is_int() usually works.
You mean always works. :-) Casting something to an integer and then
checking to see if it's an integer doesn't tell you anything useful:
<?php
$int =
but now that you're talking about ints/strings/floats, aren't you now
getting into data typing issues... which gets into the correct/appropriate
architecture of your app, variable namespace issues, etc...
-bruce
-Original Message-
From: Robert Cummings [mailto:[EMAIL PROTECTED]
Sent:
followup...
for the short term, i'm going to rip apart a few of the open source web apps
that have received funding, to get a feel for what/how these apps have
decided to handle their security issues...
the assumption/hope is that these guys have put $$$ into doing a serious
security audit on
On Wed, 2005-09-21 at 19:54, bruce wrote:
but now that you're talking about ints/strings/floats, aren't you now
getting into data typing issues... which gets into the correct/appropriate
architecture of your app, variable namespace issues, etc...
Nope, just showing that adding 0 to data
recognized that...
but in all honesty, if you're going to write an app, and you're going to do
something with the data, it makes sense to me that you 'know'/ensure that
you're dealing with the correct kind of data. as i see it, this allows you
another way (low entropy) to determine that the
bruce wrote:
thanks for the replies... i think i understand what you're stating..
but i'm still confused as to why my app/server would allow a GET/POST
piece of data that would/should be originating from a form on my site
to come from a 3rd party/external site/app? i would have assumed that
Jasper Bryant-Greene wrote:
Anyone else could link to your page with that URL and have the script
executed on your page. You can't stop this, so you have to escape and
validate the data coming in.
Sorry to reply to my own message, but to clarify, I meant you can't stop
others linking to your
bruce mailto:[EMAIL PROTECTED]
on Wednesday, September 21, 2005 5:10 PM said:
but in all honesty
thanks for being honest.
, if you're going to write an app, and you're going
to do something with the data, it makes sense to me that you
'know'/ensure that you're dealing with the correct
Robert Cummings wrote:
Not if it's a float.
True. :-)
The point remains - checking data type is often misleading.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
bruce wrote:
but in all honesty, if you're going to write an app, and you're going
to do something with the data, it makes sense to me that you
'know'/ensure that you're dealing with the correct kind of data. as i
see it, this allows you another way (low entropy) to determine that
the
On Wed, 2005-09-21 at 20:18, Chris Shiflett wrote:
Robert Cummings wrote:
Not if it's a float.
True. :-)
The point remains - checking data type is often misleading.
Yep, I wasn't trying to remove the point, just don't want noobs getting
mixed up on type juggling :)
Cheers,
Rob.
--
i agree with what you're saying...
my primary concern was to make sure that there wasn't/isn't something going
on that i haven't seen... up to now, i'm ok with what you're saying.
however, i still don't have a good answer to my question regarding how easy
(or hard) it is to detect if a query
hey...
can you guys give the names of any schools/colleges that have formal
programs to teach web development/security applications.
thanks
-bruce
[EMAIL PROTECTED]
followup...
surprisingly, google doesn't really list a lot based on my searches...
thanks
hey...
can you guys give the names of any schools/colleges that have formal
programs to teach web development/security applications.
thanks
-bruce
[EMAIL PROTECTED]
right...
but here again, you're talking about the server app, getting the query, and
validating the information within the query. since i assume the '%x' chars
translate into something other than straight text, i assume that the html
function you mention strips out these chars, or it returns a
since we've long had software to scan C/C++ code for errors, are there
similar 'open source' software apps for scanning web applications?
more to the point, are there any good 'open source' testing apps for web
sites? not just apps that test the usage load of a site, but apps that can
be used to
Chris Shiflett wrote:
Steve Lefevre wrote:
In this case, a user's session is stagnant for the duration of their
trip to the other server. I'm guessing that users are typically only
there for a brief moment, but this is something to keep in mind. Is
there a way that some of your users might
Hi,
Pretty soon I'm going to be needing to generate a unique identifier in a
script. I'm looking into how to go about doing it now.
It has to work on Apache 2 / PHP 5.0.4 (Module) / Windows 2000 Server.
Any suggestions on how I might be able to do it?
I've noticed the uuid PECL package,