[PHP] Re: Any conflict with $_POST when 2 users concurrently submitting the same form using POST method?

2009-06-10 Thread Peter Ford
Keith wrote:
> Let's say user A and user B submitting purchase order form with
> "order.php" at the same time, with method=post action='confirmation.php'.
> 
> (1)   Will $_POST['order'] submitted by user A replaced by
> $_POST['order'] submitted by user B, and the both user A & B getting the
> same order, which is made by user B? Why?
> 
> (2)Since $_POST['xxx'] is superglobal array, will $_POST['order']
> read by users other than A & B? In shared hosting server environment,
> are all domains hosted within that server using the same $_POST array?
> Can $_POST array accessible by all domains even if not from the
> originating domain?
> 
> Thx for clarification!
> 
> Keith

Other posters have explained, but I'm not sure their explanations are clear.
Think of it like this:

User A posts to "confirmation.php". When the server receives the request, it
starts up a Process and fills the $_POST array with whatever came in, then runs
confirmation.php with that information.

User B posts to "confirmation.php". When the server receives the request, it
starts up a Process and fills the $_POST array with whatever came in, then runs
confirmation.php with that information.

The KEY thing is that the process in each case is entirely separate. Each makes
its own copy of the script in its own bit of memory, and each has its own
version of $_POST in its own bit of memory.

The two posts can happen at the same time and they will still be completely
independent.

The fact that $_POST is called "superglobal" does not mean that it is shared by
separate requests - it is not even shared by requests in the same session. It
just means that it is already declared and you don't need to use the "global"
keyword to access it in your PHP pages.

-- 
Peter Ford  phone: 01580 89
Developer   fax:   01580 893399
Justcroft International Ltd., Staplehurst, Kent

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] php applications

2009-06-10 Thread Arno Kuhl
At 11:49 AM -0400 6/8/09, Daniel Brown wrote:
>On Mon, Jun 8, 2009 at 11:48, tedd wrote:
>>  Hi gang:
>>
>>  I've heard that php can be used for more than web programming, but I 
>> am not  aware of specifically how that can be done. So, let me ask 
>> directly -- can  php be used to create a Mac Application?
>>
>>  If so, how?
>
> Probably the most well-known method is php-gtk:
>
> http://gtk.php.net/

I must be getting too old for this stuff.

I'm used to an IDE where you write code, run, and debug it. When you get it
where you want and want to create an application, then you compile the code
and there's an application -- a stand alone application -- done!

But I don't see anything like that there. In fact, if you review their
applications link, you'll see that they don't have any applications either.
It's all "There's not any applications in this category ... Maybe you would
like to add one?"  Well... a "Hello world" would be nice.

I downloaded and installed the MacPorts too, but that leaves me wanting for
a simple Hello World example as well, but nothing there either.

In both cases they are very verbose about command line stuff, but short on
how to use php to create an application. I just don't see it. Maybe my
terminology is not correct. My applications stand by themselves and run when
clicked -- no command line is needed.

To me it looks like another one of those other things that everyone says is
great, but I sit here saying "Hey, I don't know about you guys, but the
Emperor's naked."

Cheers,

tedd

--

Nusphere has something called PhpDock, but it's for Windows desktop only. I
use their excellent PhpED IDE and have seen references in PhpED for PhpDock
development, exactly as you describe (code-debug-test-encode-deploy all in
PhpED - a well-dressed Emperor). Looking at how they do it I'm not too sure
why PhpDock is Windows-only. From the Nusphere forum I've seen that Mac
users use PhpED fine in wine or vmware, but I don't know if that also works
for PhpDock runtime. I haven't tried any PhpDock development.

http://www.nusphere.com/products/phpdock.htm

Cheers
Arno





Re: [PHP] php applications

2009-06-10 Thread tedd

At 2:28 AM +0100 6/10/09, Michael wrote:
> The standard PHP execution model is geared almost exclusively
> towards web-used (though crons etc. are reasonable)... that is, to
> sit in/with a server and handle requests... to operate over, at
> maximum, "insane" lifespans of 30 seconds.
>
> There are languages designed to be used for desktop programming, and
> for various tasks in general. The smart thing would be to use them.
> PHP may be a hammer, but every problem is not a nail.
>
> Use the tools designed for the job.
>
> Michael


Michael:

I've written many different desktop apps that wrap routines from
other languages and/or use applications that are just below the
surface (for example, a desktop app that uses a Unix app). If you
can do it, it sure beats rewriting everything in one language.

Plus, I have also written desktop apps that interface with php
scripts to do web stuff -- that's not difficult.

So, I don't think it's too much a stretch of the imagination to think
there might be a php environment that could create a desktop
application to do web work.

Beside, this is how languages evolve. There is no job that any tool
is designed for. The "job" is our current perception of the task at
hand and that is always changing.

Think about it -- why are all languages looking more and more
alike? Why is it that you can jump from versions of BASIC to C, C++,
php, JAVA, javascript and others and not find yourself in a
completely foreign environment? You think that's by design? Or is
there something else going on?

Perhaps what's going on is that these languages are expanding and
adapting to the task at hand (the job) as perceived by countless
programmers working in different environments. Usually, there is one
most logical way to solve any problem. We all shoot at the target and
it should come as no surprise that our shots are grouped around a
common goal.


Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] php applications

2009-06-10 Thread Daniel Brown
On Wed, Jun 10, 2009 at 08:37, tedd wrote:
>
> Beside, this is how languages evolve. There is no job that any tool is
> designed for. The "job" is our current perception of the task at hand and
> that is always changing.

That's the point I was trying to get at in the email I wrote last
night that no one read.  Seems like everyone saw the word "police" and
ran like kids at a beer party.  ;-P

-- 

daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
50% Off All Shared Hosting Plans at PilotPig: Use Coupon DOW1




Re: [PHP] php applications

2009-06-10 Thread Robert Cummings

Daniel Brown wrote:
> On Wed, Jun 10, 2009 at 08:37, tedd wrote:
>>
>> Beside, this is how languages evolve. There is no job that any tool is
>> designed for. The "job" is our current perception of the task at hand and
>> that is always changing.
>
> That's the point I was trying to get at in the email I wrote last
> night that no one read.  Seems like everyone saw the word "police" and
> ran like kids at a beer party.  ;-P


Don't you have VB applications to write?

>:D

Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP




Re: [PHP] PHP as Server Side for a Web Database Application.

2009-06-10 Thread Daniel Brown
On Wed, Jun 10, 2009 at 01:41, R. S. Patil wrote:
> Hi,
>
> We are in phase of evaluating PHP as Serverside technology for our first web
> application.
> We have finalized Flex for user interface and Birt as reporting engine. Now
> the data services
> are to be evaluated. Flex forums recommended us using PHP for this.
> We would like to implement SOA for database access/Inserts/Updates/Queries
> for report engine BIRT.
> For SOA implementation we are considering XML-RPC and WSO2-WSF since we don't
> have any past
> experience on web development we are not position to make any decisions
> about PHP serverside
> technologies can somebody guide us which one we should select (May be
> different than these two).
> We will be using flex forms to insert and update data through web services
> (mainly CRUD operations)
> and PHP "Query" data services will be acting as Data Source to Birt for
> reporting. Please suggest us
> technology which is secure and proven. The problem of integrating Birt in to
> PHP has been solved
> and successfully tested also.
>
> Thanks and Best Regards

Wow, thanks for letting us know all of the backstory there!
Robert Cummings and I just had a long, deep talk the other night, and
the question arose: when will Raja start asking us about PHP instead
of checking Google for his answers?  Well, you've put that question to
bed, sir, and thank you.

Here's all the help you should need for that very vague and
general request (at least enough to get you started to form a basic
question):

http://www.google.com/search?q=what+is+php

-- 

daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
50% Off All Shared Hosting Plans at PilotPig: Use Coupon DOW1




Re: [PHP] php applications

2009-06-10 Thread Daniel Brown
On Wed, Jun 10, 2009 at 08:59, Robert Cummings wrote:
>
> Don't you have VB applications to write?

And this after I just mentioned your name in another thread
without throwing up in my mouth.

-- 

daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
50% Off All Shared Hosting Plans at PilotPig: Use Coupon DOW1




Re: [PHP] php applications

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 08:53 -0400, Daniel Brown wrote:
> On Wed, Jun 10, 2009 at 08:37, tedd wrote:
> >
> > Beside, this is how languages evolve. There is no job that any tool is
> > designed for. The "job" is our current perception of the task at hand and
> > that is always changing.
> 
> That's the point I was trying to get at in the email I wrote last
> night that no one read.  Seems like everyone saw the word "police" and
> ran like kids at a beer party.  ;-P
> 
> -- 
> 
> daniel.br...@parasane.net || danbr...@php.net
> http://www.parasane.net/ || http://www.pilotpig.net/
> 50% Off All Shared Hosting Plans at PilotPig: Use Coupon DOW1
> 
Beer?! Where?!


Ash
www.ashleysheridan.co.uk





Re: [PHP] PHP as Server Side for a Web Database Application.

2009-06-10 Thread Robert Cummings

Daniel Brown wrote:
> On Wed, Jun 10, 2009 at 01:41, R. S. Patil wrote:
>> Hi,
>>
>> We are in phase of evaluating PHP as Serverside technology for our first web
>> application.
>> We have finalized Flex for user interface and Birt as reporting engine. Now
>> the data services
>> are to be evaluated. Flex forums recommended us using PHP for this.
>> We would like to implement SOA for database access/Inserts/Updates/Queries
>> for report engine BIRT.
>> For SOA implementation we are considering XML-RPC and WSO2-WSF since we don't
>> have any past
>> experience on web development we are not position to make any decisions
>> about PHP serverside
>> technologies can somebody guide us which one we should select (May be
>> different than these two).
>> We will be using flex forms to insert and update data through web services
>> (mainly CRUD operations)
>> and PHP "Query" data services will be acting as Data Source to Birt for
>> reporting. Please suggest us
>> technology which is secure and proven. The problem of integrating Birt in to
>> PHP has been solved
>> and successfully tested also.
>>
>> Thanks and Best Regards
>
> Wow, thanks for letting us know all of the backstory there!
> Robert Cummings and I just had a long, deep talk the other night, and
> the question arose: when will Raja start asking us about PHP instead
> of checking Google for his answers?  Well, you've put that question to
> bed, sir, and thank you.


Dan, I'd appreciate it if you wouldn't share our pillow talk with the 
list at large.


Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP




Re: [PHP] php applications

2009-06-10 Thread Robert Cummings

Daniel Brown wrote:
> On Wed, Jun 10, 2009 at 08:59, Robert Cummings wrote:
>>
>> Don't you have VB applications to write?
>
> And this after I just mentioned your name in another thread
> without throwing up in my mouth.


You've finally got those gag reflexes under control... call me!!

*wink wink* *nudge nudge*

Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP




Re: [PHP] PHP as Server Side for a Web Database Application.

2009-06-10 Thread Eddie Drapkin
Dan, I do appreciate when you share your pillow talk with the list at large.

Cheers,
Eddie

On Wed, Jun 10, 2009 at 9:06 AM, Robert Cummings wrote:

> Daniel Brown wrote:
>
>> On Wed, Jun 10, 2009 at 01:41, R. S. Patil wrote:
>>
>>> Hi,
>>>
>>> We are in phase of evaluating PHP as Serverside technology for our first
>>> web
>>> application.
>>> We have finalized Flex for user interface and Birt as reporting engine.
>>> Now
>>> the data services
>>> are to be evaluated. Flex forums recommended us using PHP for this.
>>> We would like to implement SOA for database
>>> access/Inserts/Updates/Queries
>>> for report engine BIRT.
>>> For SOA implementation we are considering XML-RPC and WSO2-WSF since we
>>> don't
>>> have any past
>>> experience on web development we are not position to make any decisions
>>> about PHP serverside
>>> technologies can somebody guide us which one we should select (May be
>>> different than these two).
>>> We will be using flex forms to insert and update data through web
>>> services
>>> (mainly CRUD operations)
>>> and PHP "Query" data services will be acting as Data Source to Birt for
>>> reporting. Please suggest us
>>> technology which is secure and proven. The problem of integrating Birt in
>>> to
>>> PHP has been solved
>>> and successfully tested also.
>>>
>>> Thanks and Best Regards
>>>
>>
>>Wow, thanks for letting us know all of the backstory there!
>> Robert Cummings and I just had a long, deep talk the other night, and
>> the question arose: when will Raja start asking us about PHP instead
>> of checking Google for his answers?  Well, you've put that question to
>> bed, sir, and thank you.
>>
>
> Dan, I'd appreciate it if you wouldn't share our pillow talk with the list
> at large.
>
> Cheers,
> Rob.
> --
> http://www.interjinn.com
> Application and Templating Framework for PHP
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>


Re: [PHP] PHP as Server Side for a Web Database Application.

2009-06-10 Thread Robert Cummings

Eddie Drapkin wrote:
> Dan, I do appreciate when you share your pillow talk with the list at large.


Just so everyone knows... Dan was catcher when we were having that long 
"deep" talk.


Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP




Re: [PHP] PHP as Server Side for a Web Database Application.

2009-06-10 Thread Daniel Brown
On Wed, Jun 10, 2009 at 09:06, Robert Cummings wrote:
>
> Dan, I'd appreciate it if you wouldn't share our pillow talk with the list
> at large.

Oh, stop, it's not like I mentioned the rash for which you've been
getting that cream.

-- 

daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
50% Off All Shared Hosting Plans at PilotPig: Use Coupon DOW1




Re: [PHP] PHP as Server Side for a Web Database Application.

2009-06-10 Thread Daniel Brown
On Wed, Jun 10, 2009 at 09:11, Daniel Brown wrote:
> On Wed, Jun 10, 2009 at 09:06, Robert Cummings wrote:
>>
>> Dan, I'd appreciate it if you wouldn't share our pillow talk with the list
>> at large.
>
>    Oh, stop, it's not like I mentioned the rash for which you've been
> getting that cream.


Oops.


-- 

daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
50% Off All Shared Hosting Plans at PilotPig: Use Coupon DOW1




Re: [PHP] PHP as Server Side for a Web Database Application.

2009-06-10 Thread Robert Cummings

Daniel Brown wrote:
> On Wed, Jun 10, 2009 at 09:06, Robert Cummings wrote:
>>
>> Dan, I'd appreciate it if you wouldn't share our pillow talk with the list
>> at large.
>
> Oh, stop, it's not like I mentioned the rash for which you've been
> getting that cream.


I just realized... today isn't Friday ;)

Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP




Re: [PHP] PHP as Server Side for a Web Database Application.

2009-06-10 Thread Eddie Drapkin
The question then becomes whether he was one of the boring catchers and just
sort of "sat there" or was "actively discussing" with you.

On Wed, Jun 10, 2009 at 9:11 AM, Robert Cummings wrote:

> Eddie Drapkin wrote:
>
>> Dan, I do appreciate when you share your pillow talk with the list at
>> large.
>>
>
> Just so everyone knows... Dan was catcher when we were having that long
> "deep" talk.
>
>
> Cheers,
> Rob.
> --
> http://www.interjinn.com
> Application and Templating Framework for PHP
>


Re: [PHP] PHP as Server Side for a Web Database Application.

2009-06-10 Thread Robert Cummings

Eddie Drapkin wrote:
> The question then becomes whether he was one of the boring catchers and
> just sort of "sat there" or was "actively discussing" with you.


He was quite active... when I raised a really good point all he could do 
was scream.


Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP




Re: [PHP] php applications

2009-06-10 Thread tedd

At 8:53 AM -0400 6/10/09, Daniel Brown wrote:
> On Wed, Jun 10, 2009 at 08:37, tedd wrote:
>>
>> Beside, this is how languages evolve. There is no job that any tool is
>> designed for. The "job" is our current perception of the task at hand and
>> that is always changing.
>
> That's the point I was trying to get at in the email I wrote last
> night that no one read.  Seems like everyone saw the word "police" and
> ran like kids at a beer party.  ;-P
>
> --



That's Okay, I just say it better than you.  :-)

Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] php applications

2009-06-10 Thread tedd

At 9:07 AM -0400 6/10/09, Robert Cummings wrote:
> Daniel Brown wrote:
>> On Wed, Jun 10, 2009 at 08:59, Robert Cummings wrote:
>>> Don't you have VB applications to write?
>>
>> And this after I just mentioned your name in another thread
>> without throwing up in my mouth.
>
> You've finally got those gag reflexes under control... call me!!
>
> *wink wink* *nudge nudge*
>
> Cheers,
> Rob.


Get a room.  :-)

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] PHP as Server Side for a Web Database Application.

2009-06-10 Thread Daniel Brown
On Wed, Jun 10, 2009 at 09:14, Robert Cummings wrote:
>
> He was quite active... when I raised a really good point all he could do was
> scream.

 and it is at this point that I would like to remind you that
we are on the air, gentlemen, live and being recorded for future
generations to search through, mock, and form opinions on our
professionalism.

So you can both publicly bite me (though not in the manner to
which you're alluding).  ;-P

-- 

daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
50% Off All Shared Hosting Plans at PilotPig: Use Coupon DOW1




Re: [PHP] php applications

2009-06-10 Thread Daniel Brown
On Wed, Jun 10, 2009 at 09:16, tedd wrote:
>
> That's Okay, I just say it better than you.  :-)

Show-off.

-- 

daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
50% Off All Shared Hosting Plans at PilotPig: Use Coupon DOW1




Re: [PHP] PHP as Server Side for a Web Database Application.

2009-06-10 Thread Bastien Koert
On Wed, Jun 10, 2009 at 9:13 AM, Robert Cummings wrote:
> Daniel Brown wrote:
>>
>> On Wed, Jun 10, 2009 at 09:06, Robert Cummings
>> wrote:
>>>
>>> Dan, I'd appreciate it if you wouldn't share our pillow talk with the
>>> list
>>> at large.
>>
>>    Oh, stop, it's not like I mentioned the rash for which you've been
>> getting that cream.
>
> I just realized... today isn't Friday ;)
>
> Cheers,
> Rob.
> --
> http://www.interjinn.com
> Application and Templating Framework for PHP
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>


Rob, off the meds again?

Back to the OT...this is the exact stack that I am using for a new
project. Using Ajax instead of XML_RPC
-- 

Bastien

Cat, the other other white meat




Re: [PHP] PHP as Server Side for a Web Database Application.

2009-06-10 Thread Robert Cummings

Daniel Brown wrote:
> On Wed, Jun 10, 2009 at 09:14, Robert Cummings wrote:
>>
>> He was quite active... when I raised a really good point all he could do was
>> scream.
>
>  and it is at this point that I would like to remind you that
> we are on the air, gentlemen, live and being recorded for future
> generations to search through, mock, and form opinions on our
> professionalism.
>
> So you can both publicly bite me (though not in the manner to
> which you're alluding).  ;-P


*lol* One hopes that they would read the entire thread to catch the 
humour... then again, it's rare someone even bothers to search the 
archives :P


As for professionalism... I'm not on here in a professional capacity, 
I'm here to help and to be part of the community *woot*!


Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP




Re: [PHP] php applications

2009-06-10 Thread Paul M Foster
On Wed, Jun 10, 2009 at 08:37:23AM -0400, tedd wrote:



>
> Think about it -- why are all languages looking more and more
> alike? Why is it that you can jump from versions of BASIC to C, C++,
> php, JAVA, javascript and others and not find yourself in a
> completely foreign environment? You think that's by design? Or is
> there something else going on?



I suspect this is because the guys who create a new language learned
programming in another language. So when they create a new language, to
some extent, they pattern it after what they've learned elsewhere. And
generally, there are typical ways that humans think about accomplishing
programming tasks, which are reflected in the way that humans design
programming languages.

Paul

-- 
Paul M. Foster




Re: [PHP] [php] read/write error

2009-06-10 Thread Robin Vickery
2009/6/8 HELP! 

> opening of the socket is ok and writing LOGIN packet to the socket is also
> ok but reading the response to know if the login is accepted or rejected is
> not OK.


Don't use fread() to read from sockets, use stream_get_contents(). Example 3
on the fread() manual page tells you why.

-robin


Re: [PHP] Show the entire browser request

2009-06-10 Thread Robin Vickery
2009/6/10 Dotan Cohen 

> > Just checked your site in Elinks (works like Lynx) and I'm getting the
> > headers come back to me. I'm assuming you changed your site code before
> > me sending this and after you sent the original message?
> >
>
> The individual headers are as they always were. It's the entire
> request verbatim (valid or not) that I'd like to add.
>

Is installing the pecl_http extension on your server an option?

http://php.net/manual/en/function.httprequest-getrawrequestmessage.php

-robin


Re: [PHP] Show the entire browser request

2009-06-10 Thread Robin Vickery
2009/6/10 Robin Vickery 

>
>
> 2009/6/10 Dotan Cohen 
>
>> > Just checked your site in Elinks (works like Lynx) and I'm getting the
>> > headers come back to me. I'm assuming you changed your site code before
>> > me sending this and after you sent the original message?
>> >
>>
>> The individual headers are as they always were. It's the entire
>> request verbatim (valid or not) that I'd like to add.
>>
>
> Is installing the pecl_http extension on your server an option?
>
> http://php.net/manual/en/function.httprequest-getrawrequestmessage.php
>

Oh.. ignore that, sorry. I'm an idiot.

-robin


[PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
Hi all,

I'm looking at adding a new search feature to my site, and one of the
elements of this is to echo back in the search results page, the
original string the user searched for. Up until now, XSS hasn't (afaik)
been an issue for my site, but I can see from a mile off this will be.
What would you guys recommend to avoid this?

I'd thought initially of using a mixture of html_special_chars() and a
regex (as yet not sure what I'll be stripping out with this) to sanitise
the output for display on the results page, but is this enough?

Thanks
Ash
www.ashleysheridan.co.uk


Re: [PHP] Php and Imagemagick problems

2009-06-10 Thread Simon
What exactly is the problem or error message you get?

Also if this is your script, really, it needs a LOT of cleanup!!

Here's an example that could point out the problem:

> $FileName = str_replace(".jpg", "", $FileName);
>
> $FileName = str_replace("/", "", $ImageName);
> $FileName = str_replace(".jpg", "", $ImageName);
>
> //actual path to the files with NO file extension as found on the hard drive
> $SysPath = "C:/Inetpub/wwwroot/HarrisAutomate/output/WebImagesHiRes/test/$FileName";

You realize that you have overwritten the value in $FileName a couple
times in a useless manner?
Here you see, $FileName is _just_ equal to str_replace(".jpg", "",
$ImageName); and nothing more, the 2 previous lines are useless.

Also, you do realize that str_replace("/", "", $ImageName);  will just
strip out the slashes from $ImageName?  So if I have
"some/path/to/some/image.jpg", it would become
"somepathtosomeimage.jpg"... is this really what you want?  Same thing
for the str_replace(".jpg")  it strips out the extension so that
$Filename would be something like "image" and not "image.jpg".
Finally, $SysPath has forward slashes in the Windows path, I'm not
sure how PHP can tolerate this on Windows, but Windows paths use
backslashes ( like this: C:\some\path\to\some\image.jpg).

Good luck!




Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
> mysql_real_escape_string() only sanitise the input. I would personally
> only allow [a-zA-Z0-9-_] in search string but that's just me ;)
> Validate the input in some way, or make extra sanitisation of it
> before running the search query.
>
> Regarding the HTML output, just entities() it and you'll be good :)
>
> On Wed, Jun 10, 2009 at 6:32 PM, Ashley Sheridan wrote:
>> On Wed, 2009-06-10 at 18:18 +0200, Nitsan Bin-Nun wrote:
>>> As far for the output, just html entities () it and you will be good.
>>>
>>> You better check the search query for sql injection, which is more
>>> dangerous.
>>>
>>> HTH
>>> Nitsan
>>>
>>> On Wed, Jun 10, 2009 at 6:19 PM, Ashley Sheridan wrote:
>>>> Hi all,
>>>>
>>>> I'm looking at adding a new search feature to my site, and one of the
>>>> elements of this is to echo back in the search results page, the
>>>> original string the user searched for. Up until now, XSS hasn't (afaik)
>>>> been an issue for my site, but I can see from a mile off this will be.
>>>> What would you guys recommend to avoid this?
>>>>
>>>> I'd thought initially of using a mixture of html_special_chars() and a
>>>> regex (as yet not sure what I'll be stripping out with this) to sanitise
>>>> the output for display on the results page, but is this enough?
>>>>
>>>> Thanks
>>>> Ash
>>>> www.ashleysheridan.co.uk
>>
>> I always use mysql_real_escape_string() for that sort of thing, not had
>> a problem with it, but is there anything you think I should be wary of?
>>
>> Thanks
>> Ash
>> www.ashleysheridan.co.uk

[just bringing it back on list]

Well, I don't understand, what is the problem with
mysql_real_escape_string() for sanitising input to use for a search? It
should escape anything out so that the query can't be used in ways that
I don't want, no?

I'd thought about using a whitelist-only regex, but that seems a little
limiting tbh, and as my site contains code, it's not unreasonable to
expect some people might want to search for particular code excerpts.


Thanks
Ash
www.ashleysheridan.co.uk
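
Added example, not code from anyone in this thread: the search term is encoded only at the point where it is written into HTML, and reaches the database only as a bound parameter, so code excerpts can be searched without a character whitelist. It uses PDO with an in-memory SQLite database in place of the mysql_real_escape_string() approach discussed above; the "articles" table, the function names and the sample rows are constructed for illustration, and the pdo_sqlite extension is assumed to be available.

```php
<?php
declare(strict_types=1);

// Added example; the table, columns, function names and sample data are hypothetical.

/** Encode a value for an HTML text node or a quoted attribute value. */
function e(string $value): string
{
    // ENT_QUOTES encodes both ' and ", so the result is also safe inside
    // a quoted attribute such as value="...".
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Run the search with the term bound as a parameter, never concatenated into SQL. */
function searchArticles(PDO $db, string $term): array
{
    // Escape LIKE wildcards so "%" and "_" typed by the user match literally.
    $like = '%' . addcslashes($term, '\\%_') . '%';

    // ESCAPE '\' is written for SQLite, which does not treat a backslash
    // inside a string literal as special.
    $stmt = $db->prepare(
        "SELECT title, body FROM articles WHERE body LIKE :term ESCAPE '\\' ORDER BY title"
    );
    $stmt->execute([':term' => $like]);

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Build the results page; every dynamic value passes through e() on output. */
function renderResults(string $term, array $rows): string
{
    $html  = '<h1>Results for "' . e($term) . '"</h1>' . "\n";
    $html .= '<form><input type="text" name="q" value="' . e($term) . '"></form>' . "\n";
    $html .= "<ul>\n";
    foreach ($rows as $row) {
        // Stored content is encoded as well: it may contain markup too.
        $html .= '  <li>' . e($row['title']) . ': <code>' . e($row['body']) . "</code></li>\n";
    }

    return $html . "</ul>\n";
}

// Constructed sample data standing in for a site that publishes code snippets.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE articles (title TEXT, body TEXT)');

$insert = $db->prepare('INSERT INTO articles (title, body) VALUES (?, ?)');
$samples = [
    ['Escaping output', 'echo htmlspecialchars($q, ENT_QUOTES);'],
    ['Inline script', '<script>alert(1)</script>'],
    ['Percent sign', 'width: 100%;'],
];
foreach ($samples as $sample) {
    $insert->execute($sample);
}

// Constructed search terms; on a real page the term would come from $_GET['q'].
foreach (['<script>', "' OR '1'='1", '%'] as $term) {
    echo renderResults($term, searchArticles($db, $term)), "\n";
}
```

The raw term is kept unmodified until each sink: e() is applied only when writing HTML, and the bound parameter is used only when talking to the database, so neither encoding leaks into the other context.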





Re: [PHP] C++, $_POST -> php-cgi

2009-06-10 Thread Simon
I'm working on something similar, here's the pseudo-code of what
happens to ensure the PHP script run by my server doesn't see any
difference than when it runs under apache or others...

Say the php file to execute is "index.php" and it was called from a
form post, the form tag also specified GET arguments like this ...

The PHP script will expect this:
$_GET['somegetvar'] = "getvalue";
$_POST['somepostvar'] = "postvalue";
and
$_REQUEST['somegetvar'] = "getvalue";
$_REQUEST['somepostvar'] = "postvalue";

To get this working, the server first has to parse the HTTP message to
grab the GET arguments in the URI.  After this, the server has to
parse the Body entity of the HTTP message for POST values.  Once the
server has all the information, it can execute the php script.

I personally like to use popen("php", "w") which opens a write-only
pipe to the php process... it's like just typing "php" on the
commandline, php then listens on stdin for the code and it executes
when it receives EOF (on the commandline this happens after a ctrl-d
on linux), using popen() this happens on a pclose().

Once you've popen()ed php, you start writing something like this:


And bingo!

Hope this helps, good luck!


On Mon, Jun 8, 2009 at 9:29 AM, Jasper wrote:
> Hi,
> i'm planning to create a win32 http server that supports cgi. Does anybody 
> see the problem in C++ -source? Php doesn't give any output, but if I don't 
> set the rfc3875 environment variables, all output comes
> normally (expect post and other variables aren't set).
> Only what I'm able to set is $_GET -variables as
> script arguments.
>
> So how can I set post variables and others, like RAW_POST_DATA?
> The c code above lets php to read the script by itself and post -variables 
> are written to stdin pipe. Output
> should be able to be readed from stdout (problem is
> that there are no output, even not the headers).
>
> I hope that you understand what I mean...
>
> -
> Test script: (D:\test.php)
> -
> 
>
> -
> C++ source:
> -
> #include <windows.h>
> #include <stdio.h>
> #include <conio.h>
>
> int main()
> {
>SECURITY_ATTRIBUTES sa = {sizeof(SECURITY_ATTRIBUTES)};
>sa.bInheritHandle = 1;
>sa.lpSecurityDescriptor = NULL;
>
>HANDLE hStdoutR, hStdoutW, hStdinR, hStdinW;
>CreatePipe(&hStdoutR,&hStdoutW,&sa,0);
>SetHandleInformation(hStdoutR,HANDLE_FLAG_INHERIT,0);
>CreatePipe(&hStdinR,&hStdinW,&sa,0);
>SetHandleInformation(hStdinW,HANDLE_FLAG_INHERIT,0);
>
>STARTUPINFO si = {sizeof(STARTUPINFO)};
>PROCESS_INFORMATION pi;
>si.dwFlags = STARTF_USESTDHANDLES;
>si.hStdOutput = hStdoutW;
>si.hStdInput = hStdinR;
>
>char env[255] = 
> "REQUEST_METHOD=POST\0CONTENT_LENGTH=17\0CONTENT_TYPE=application/x-www-form-urlencoded\0SCRIPT_FILENAME=D:\\test.php";
>if(!CreateProcess(NULL,"php-5.2.9-1-Win32\\php-cgi.exe 
> D:\\test.php",NULL,NULL,1,NORMAL_PRIORITY_CLASS,env,NULL,&si,&pi))
>return 0;
>CloseHandle(hStdoutW);
>CloseHandle(hStdinR);
>
>DWORD dwWritten = 0;
> //Write post data here?
> if(!WriteFile(hStdinW,"var=post+variable",20,&dwWritten,NULL))
>return 0;
>
>CloseHandle(hStdinW);
>
>char buf[1000] = {0};
>DWORD dwRead = 0;
>while(ReadFile(hStdoutR,buf,sizeof(buf),&dwRead,NULL) && dwRead != 0){
>printf(buf);
>}
>printf("|\n\nEND");
>CloseHandle(hStdoutR);
>
>getch();
>
>return 0;
> }
> --
> Thanks!
> Jasper
>



Re: [PHP] URL injection

2009-06-10 Thread Simon
> https://www.xxx.co.uk/register.php";| grep "123"

I wonder what kind of browser could make this, probably a hacker-made one!

This URL will have to be translated into its equivalent URI, if using
GET the HTTP message's start line would look like:

GET /register.php"| grep "123" HTTP/1.1

First of all, the HTTP protocol states that the start line should contain:
METHOD  URI  HTTP/1.1
So, this is clearly violated as there are two spaces surrounding grep,
I believe if the server has trouble with this request, it's not yet at
the PHP level... it's an HTTP issue, clearly server related.  You won't
detect this with PHP, and if you do detect anything, it means your
server has modified it so you could...  for example, in this case it
might convert the whole "| grep "123" into a single get argument's
name, it could be simply removed/ignored, the server could try to see
if there is a file named `/register.php"| grep "123"` and returns a
404... but the only acceptable behavior in this case is for the server
to return 400  (read
http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.1).

Good luck!

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
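Added example, not code from either thread: one PHP function covering both points made above, the start-line check that should end in a 400 (the "URL injection" reply) and the split of a valid request into the GET arguments, POST body and CGI variables that the script expects (the php-cgi reply). The function name, the return shape and the host `example.test` are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Names and sample requests are constructed.

/**
 * Split a raw HTTP/1.x request into what a CGI child needs.
 * Returns [status, env, stdin]; status 400 means "never start the script".
 */
function request_to_cgi(string $raw): array
{
    [$head, $body] = array_pad(explode("\r\n\r\n", $raw, 2), 2, '');
    $lines = explode("\r\n", $head);
    $start = array_shift($lines);

    // METHOD SP request-target SP HTTP-version: exactly three fields.
    // The target may not contain whitespace, control characters or the
    // characters that are never legal unencoded in a URI (" # < > \ ^ ` { | }).
    $re = '~^([A-Z]+) (/[^\s"#<>\\\\^`{|}\x00-\x1f\x7f]*) (HTTP/1\.[01])$~D';
    if (!preg_match($re, $start, $m)) {
        return [400, [], ''];
    }
    [, $method, $target, $version] = $m;

    $headers = [];
    foreach ($lines as $line) {
        // Field names are narrowed to letters, digits and '-' for this example.
        if (!preg_match('~^([A-Za-z0-9-]+):[ \t]*(.*?)[ \t]*$~D', $line, $h)) {
            return [400, [], ''];
        }
        $headers[strtolower($h[1])] = $h[2];
    }

    [$path, $query] = array_pad(explode('?', $target, 2), 2, '');
    $env = [
        'GATEWAY_INTERFACE' => 'CGI/1.1',
        'SERVER_PROTOCOL'   => $version,
        'REQUEST_METHOD'    => $method,
        'SCRIPT_NAME'       => $path,
        'QUERY_STRING'      => $query,   // PHP fills $_GET from this
    ];

    if ($method === 'POST') {
        $len = $headers['content-length'] ?? '';
        // CONTENT_LENGTH has to equal the number of bytes handed to the child's stdin.
        if (!ctype_digit($len) || (int) $len !== strlen($body)) {
            return [400, [], ''];
        }
        $env['CONTENT_LENGTH'] = $len;
        $env['CONTENT_TYPE']   = $headers['content-type'] ?? '';
    } else {
        $body = '';
    }
    return [200, $env, $body];
}

// Constructed sample requests.
$post = 'somepostvar=postvalue';
$good = "POST /index.php?somegetvar=getvalue HTTP/1.1\r\n"
      . "Host: example.test\r\n"
      . "Content-Type: application/x-www-form-urlencoded\r\n"
      . 'Content-Length: ' . strlen($post) . "\r\n\r\n" . $post;
$bad  = "GET /register.php\"| grep \"123\" HTTP/1.1\r\nHost: example.test\r\n\r\n";

foreach (['form post' => $good, 'malformed start line' => $bad] as $label => $raw) {
    [$status, $env, $stdin] = request_to_cgi($raw);
    echo "$label: $status\n";
    if ($status !== 200) {
        continue;                          // answer 400, do not spawn php-cgi
    }
    parse_str($env['QUERY_STRING'], $get); // what the script will see as $_GET
    parse_str($stdin, $postVars);          // ... and as $_POST
    print_r(['env' => $env, '_GET' => $get, '_POST' => $postVars]);
}
```

The same equality has to hold on the child side: the byte count written to php-cgi's stdin should be the value placed in CONTENT_LENGTH (the quoted C++ source sets 17 and passes 20 to WriteFile).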



Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Eddie Drapkin
The problem with using a database escaping string for output escaping is
that something like (despite being the world's lamest XSS)

location.href('google.com')

Would output mostly the same and with some cleverness, it wouldn't be too
hard to get that to function properly with a full fledged XSS attack.  I'd
personally use one of the FILTER_* constants in conjunction with the filter
functions themselves, say filter_var and FILTER_SANITIZE_SPECIAL_CHARS.


On Wed, Jun 10, 2009 at 12:44 PM, Ashley Sheridan
wrote:

> On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
> > mysql_real_escape_string() only sanitise the input. I would personally
> > only allow [a-zA-Z0-9-_] in search string but that's just me ;)
> > Validate the input in some way, or make extra sanitisation of it
> > before running the search query.
> >
> > Regarding the HTML output, just entities() it and you'll be good :)
> >
> > On Wed, Jun 10, 2009 at 6:32 PM, Ashley Sheridan
> >  wrote:
> >
> > On Wed, 2009-06-10 at 18:18 +0200, Nitsan Bin-Nun wrote:
> > > As far for the output, just html entities () it and you will
> > be good.
> > >
> > > You better check the search query for sql injection, which
> > is more
> > > dangerous.
> > >
> > > HTH
> > > Nitsan
> > >
> > > On Wed, Jun 10, 2009 at 6:19 PM, Ashley Sheridan
> > >  wrote:
> > > Hi all,
> > >
> > > I'm looking at adding a new search feature to my
> > site, and one
> > > of the
> > > elements of this is to echo back in the search
> > results page,
> > > the
> > > original string the user searched for. Up until now,
> > XSS
> > > hasn't (afaik)
> > > been an issue for my site, but I can see from a mile
> > off this
> > > will be.
> > > What would you guys recommend to avoid this?
> > >
> > > I'd thought initially of using a mixture of
> > > html_special_chars() and a
> > > regex (as yet not sure what I'll be stripping out
> > with this)
> > > to sanitise
> > > the output for display on the results page, but is
> > this
> > > enough?
> > >
> > > Thanks
> > > Ash
> > > www.ashleysheridan.co.uk
> > >
> > >
> >
> > I always use mysql_real_escape_string() for that sort of
> > thing, not had
> > a problem with it, but is there anything you think I should be
> > wary of?
> >
> >
> > Thanks
> > Ash
> > www.ashleysheridan.co.uk
> >
> >
> >
> >
> [just bringing it back on list]
>
> Well, I don't understand, what is the problem with
> mysql_real_escape_string() for sanitising input to use for a search? It
> should escape anything out so that the query can't be used in ways that
> I don't want no?
>
> I'd thought about using a whitelist-only regex, but that seems a little
> limiting tbh, and as my site contains code, it's not unreasonable to
> expect some people might want to search for particular code excerpts.
>
>
> Thanks
> Ash
> www.ashleysheridan.co.uk
>
>


[PHP] Mail function and hotmail

2009-06-10 Thread Fernando G

Hello,

I am sending an html message with an embedded image using the following code:

// Read message from html template
$message = file_get_contents("template.html");

// I replace the values in $message that are necessary to 
// fill the template
...

// Generate a boundary string
$rand_value = md5(time());
$mime_boundary = "-$rand_value";

$headers = "MIME-Version: 1.0\r\n";
$headers .= "From: Name \r\n";
$headers .= "Reply-To: Name \r\n";
$headers .= "Return-Path: n...@domain.com\r\n";
$headers .= "Organization: Name\r\n";
$headers .= "X-Mailer: PHP's mail() Function\r\n";
$headers .= "Content-Type: multipart/related; ";
$headers .= "boundary=\"$mime_boundary\"; type=\"text/html\"\r\n\r\n";

$body = "This is a multi-part message in MIME format.\r\n";
$body .= "--$mime_boundary\r\n";
$body .= "Content-Type: text/html; charset=UTF-8\r\n";
$body .= "Content-Transfer-Encoding: 7bit\r\n\r\n$message\r\n\r\n";
$body .= "--$mime_boundary\r\n";
$body .= "Content-Type: image/jpg\r\n";
$body .= "Content-Transfer-Encoding: base64\r\n";
$body .= "Content-ID: \r\n\r\n";
$body .= 
chunk_split(base64_encode(file_get_contents("./templates/emaillogo.jpg")));
$body .= "--$mime_boundary--";

return mail("em...@domain.com", "Subject", $body, $headers);

However when it is sent to a hotmail.com address the message is received blank. 
 It does work fine with Gmail, Yahoo mail, Outlook Express and Thunderbird.

Your help is much appreciated.

Fernando


Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 12:55 -0400, Eddie Drapkin wrote:
> The problem with using a database escaping string for output escaping
> is that something like (despite being the world's lamest XSS)
> 
> location.href('google.com')
> 
> Would output mostly the same and with some cleverness, it wouldn't be
> too hard to get that to function properly with a full fledged XSS
> attack.  I'd personally use one of the FILTER_* constants in
> conjunction with the filter functions themselves, say filter_var and
> FILTER_SANITIZE_SPECIAL_CHARS.
> 
> 
> On Wed, Jun 10, 2009 at 12:44 PM, Ashley Sheridan
>  wrote:
> On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
> > mysql_real_escape_string() only sanitise the input. I would
> personally
> > only allow [a-zA-Z0-9-_] in search string but that's just
> me ;)
> > Validate the input in some way, or make extra sanitisation
> of it
> > before running the search query.
> >
> > Regarding the HTML output, just entities() it and you'll be
> good :)
> >
> > On Wed, Jun 10, 2009 at 6:32 PM, Ashley Sheridan
> >  wrote:
> >
> > On Wed, 2009-06-10 at 18:18 +0200, Nitsan Bin-Nun
> wrote:
> > > As far for the output, just html entities () it
> and you will
> > be good.
> > >
> > > You better check the search query for sql
> injection, which
> > is more
> > > dangerous.
> > >
> > > HTH
> > > Nitsan
> 
> > >
> > > On Wed, Jun 10, 2009 at 6:19 PM, Ashley Sheridan
> > >  wrote:
> > > Hi all,
> > >
> > > I'm looking at adding a new search feature
> to my
> > site, and one
> > > of the
> > > elements of this is to echo back in the
> search
> > results page,
> > > the
> > > original string the user searched for. Up
> until now,
> > XSS
> > > hasn't (afaik)
> > > been an issue for my site, but I can see
> from a mile
> > off this
> > > will be.
> > > What would you guys recommend to avoid
> this?
> > >
> > > I'd thought initially of using a mixture
> of
> > > html_special_chars() and a
> > > regex (as yet not sure what I'll be
> stripping out
> > with this)
> > > to sanitise
> > > the output for display on the results
> page, but is
> > this
> > > enough?
> > >
> > > Thanks
> > > Ash
> > > www.ashleysheridan.co.uk
> > >
> > >
> >
> 
> > I always use mysql_real_escape_string() for that
> sort of
> > thing, not had
> > a problem with it, but is there anything you think I
> should be
> > wary of?
> >
> >
> > Thanks
> > Ash
> > www.ashleysheridan.co.uk
> >
> >
> >
> >
> 
> [just bringing it back on list]
> 
> Well, I don't understand, what is the problem with
> mysql_real_escape_string() for sanitising input to use for a
> search? It
> should escape anything out so that the query can't be used in
> ways that
> I don't want no?
> 
> I'd thought about using a whitelist-only regex, but that seems
> a little
> limiting tbh, and as my site contains code, it's not
> unreasonable to
> expect some people might want to search for particular code
> excerpts.
> 
> 
> 
> Thanks
> Ash
> www.ashleysheridan.co.uk
> 
> 
> 
Oh no, I think I'm misunderstood here. I was going to use
mysql_real_escape_string only for the database input, and use
htmlentities for the display output, as essentially they are separate,
and should be treated as such.

I've been doing a bit of reading, and I can't really understand why XSS
is such an issue. Sure, if a user can insert a 

Re: [PHP] Mail function and hotmail

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 12:59 -0400, Fernando G wrote:
> Hello,
> 
> I am sending an html message with an embedded image using the following code:
> 
> // Read message from html template
> $message = file_get_contents("template.html");
> 
> // I replace the values in $message that are necessary to 
> // fill the template
> ...
> 
> // Generate a boundary string
> $rand_value = md5(time());
> $mime_boundary = "-$rand_value";
> 
> $headers = "MIME-Version: 1.0\r\n";
> $headers .= "From: Name \r\n";
> $headers .= "Reply-To: Name \r\n";
> $headers .= "Return-Path: n...@domain.com\r\n";
> $headers .= "Organization: Name\r\n";
> $headers .= "X-Mailer: PHP's mail() Function\r\n";
> $headers .= "Content-Type: multipart/related; ";
> $headers .= "boundary=\"$mime_boundary\"; type=\"text/html\"\r\n\r\n";
> 
> $body = "This is a multi-part message in MIME format.\r\n";
> $body .= "--$mime_boundary\r\n";
> $body .= "Content-Type: text/html; charset=UTF-8\r\n";
> $body .= "Content-Transfer-Encoding: 7bit\r\n\r\n$message\r\n\r\n";
> $body .= "--$mime_boundary\r\n";
> $body .= "Content-Type: image/jpg\r\n";
> $body .= "Content-Transfer-Encoding: base64\r\n";
> $body .= "Content-ID: \r\n\r\n";
> $body .= 
> chunk_split(base64_encode(file_get_contents("./templates/emaillogo.jpg")));
> $body .= "--$mime_boundary--";
> 
> return mail("em...@domain.com", "Subject", $body, $headers);
> 
> However when it is sent to a hotmail.com address the message is received 
> blank.  It does work fine with Gmail, Yahoo mail, Outlook Express and 
> Thunderbird.
> 
> Your help is much appreciated.
> 
> Fernando
> 

As far as I'm aware, Hotmail blocks all images by default. Also, I've
seen Outlook choke on messages with the \r\n line endings, could Hotmail
be doing that too?

Thanks
Ash
www.ashleysheridan.co.uk





Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Shawn McKenzie
Ashley Sheridan wrote:
> On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
>> mysql_real_escape_string() only sanitise the input. I would personally
>> only allow [a-zA-Z0-9-_] in search string but that's just me ;)
>> Validate the input in some way, or make extra sanitisation of it
>> before running the search query.
>>
>> Regarding the HTML output, just entities() it and you'll be good :)
>>
>> On Wed, Jun 10, 2009 at 6:32 PM, Ashley Sheridan
>>  wrote:
>> 
>> On Wed, 2009-06-10 at 18:18 +0200, Nitsan Bin-Nun wrote:
>> > As far for the output, just html entities () it and you will
>> be good.
>> >
>> > You better check the search query for sql injection, which
>> is more
>> > dangerous.
>> >
>> > HTH
>> > Nitsan
>> >
>> > On Wed, Jun 10, 2009 at 6:19 PM, Ashley Sheridan
>> >  wrote:
>> > Hi all,
>> >
>> > I'm looking at adding a new search feature to my
>> site, and one
>> > of the
>> > elements of this is to echo back in the search
>> results page,
>> > the
>> > original string the user searched for. Up until now,
>> XSS
>> > hasn't (afaik)
>> > been an issue for my site, but I can see from a mile
>> off this
>> > will be.
>> > What would you guys recommend to avoid this?
>> >
>> > I'd thought initially of using a mixture of
>> > html_special_chars() and a
>> > regex (as yet not sure what I'll be stripping out
>> with this)
>> > to sanitise
>> > the output for display on the results page, but is
>> this
>> > enough?
>> >
>> > Thanks
>> > Ash
>> > www.ashleysheridan.co.uk
>> >
>> >
>> 
>> I always use mysql_real_escape_string() for that sort of
>> thing, not had
>> a problem with it, but is there anything you think I should be
>> wary of?
>> 
>> 
>> Thanks
>> Ash
>> www.ashleysheridan.co.uk
>> 
>> 
>>
>>
> [just bringing it back on list]
> 
> Well, I don't understand, what is the problem with
> mysql_real_escape_string() for sanitising input to use for a search? It
> should escape anything out so that the query can't be used in ways that
> I don't want no?
> 
> I'd thought about using a whitelist-only regex, but that seems a little
> limiting tbh, and as my site contains code, it's not unreasonable to
> expect some people might want to search for particular code excerpts.
> 
> 
> Thanks
> Ash
> www.ashleysheridan.co.uk
> 

You would use mysql_real_escape_string() before using the string in a db
query (searching).  You should use htmlentities() and/or strip tags
before displaying the string.

-- 
Thanks!
-Shawn
http://www.spidean.com

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
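Added example, not part of any post in this thread: the two contexts discussed above kept apart in one search handler, so that a visitor can still search for code excerpts. It uses PDO with an in-memory SQLite database and bound parameters in place of the mysql_real_escape_string() call named in the thread (an assumption made so the script runs offline with the pdo_sqlite extension); table, function names and rows are constructed.

```php
<?php
// Added example, not code from the thread. Table, names and rows are constructed.

function make_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
    $ins = $db->prepare('INSERT INTO articles (title, body) VALUES (?, ?)');
    $ins->execute(['Escaping output', 'Use <script> tags carefully; 100% of output needs escaping.']);
    $ins->execute(['Quotes in SQL', "Searching for O'Brien must not break the query."]);
    return $db;
}

// Database context: the term travels as a bound parameter, so no character
// has to be forbidden. Only the LIKE wildcards are escaped, so that a search
// for "100%" means a literal percent sign.
function search_articles(PDO $db, string $term): array
{
    $like = '%' . strtr($term, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']) . '%';
    $stmt = $db->prepare("SELECT title, body FROM articles WHERE body LIKE ? ESCAPE '\\'");
    $stmt->execute([$like]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// HTML context: escape at the moment of output, every value, every time.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_results(string $term, array $rows): string
{
    $out = '<p>You searched for: <q>' . h($term) . "</q></p>\n<ul>\n";
    foreach ($rows as $row) {
        // Stored text is untrusted too: it may have been submitted by another user.
        $out .= '  <li><strong>' . h($row['title']) . '</strong>: ' . h($row['body']) . "</li>\n";
    }
    return $out . "</ul>\n";
}

$db = make_demo_db();
foreach (['<script>', "O'Brien", '100%'] as $term) {
    // SQL quoting changes nothing an HTML parser cares about ...
    echo 'SQL-quoted  : ', $db->quote($term), "\n";
    // ... and HTML escaping changes nothing an SQL parser cares about.
    echo 'HTML-escaped: ', h($term), "\n";
    echo render_results($term, search_articles($db, $term)), "\n";
}
```

Each term finds its row unchanged, and the `<script>` term reaches the page as `&lt;script&gt;`; the SQL-quoted form of the same term still contains the raw angle brackets.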



Re: [PHP] Mail function and hotmail

2009-06-10 Thread Richard Heyes
Hi,

> ...

Use something that is already proven to work. It will save you an
awful lot of time.

-- 
Richard Heyes
HTML5 graphing: RGraph (www.rgraph.net - updated 6th June)
PHP mail: RMail (www.phpguru.org/rmail)
PHP datagrid: RGrid (www.phpguru.org/rgrid)
PHP Template: RTemplate (www.phpguru.org/rtemplate)
PHP SMTP: http://www.phpguru.org/smtp




RE: [PHP] Mail function and hotmail

2009-06-10 Thread Fernando G

I have no idea of what else to use.  Your suggestions are appreciated.

Fernando.

> Date: Wed, 10 Jun 2009 18:04:31 +0100
> From: rich...@php.net
> To: jfer...@hotmail.com
> CC: php-general@lists.php.net
> Subject: Re: [PHP] Mail function and hotmail
> 
> Hi,
> 
> > ...
> 
> Use something that is already proven to work. It will save you an
> awful lot of time.
> 
> -- 
> Richard Heyes
> HTML5 graphing: RGraph (www.rgraph.net - updated 6th June)
> PHP mail: RMail (www.phpguru.org/rmail)
> PHP datagrid: RGrid (www.phpguru.org/rgrid)
> PHP Template: RTemplate (www.phpguru.org/rtemplate)
> PHP SMTP: http://www.phpguru.org/smtp
> 

Re: [PHP] Re: Background Process

2009-06-10 Thread Simon
kranthi, you are wrong here.  popen() will open a pipe to a process.
You must have meant fopen() which doesn't work with pipes, but with
files.

you first popen php (ie execute it)
you then write the code you want php to exec (php is still executing,
reading your input)
at the end you pclose php and then it is executed
But this, while still using 2 threads (ie the original webserver
thread, and the popen("php"...) will not be multitasking, why?
Because the first thread is writing to the second one.

You will need to look into threading functions to get a multi-threaded
program.  But a simpler approach is to execute something in the
background like this:
system("someprog &")
This works on linux at least.  System will return immediately with
success (you will never be able to catch someprog's return).  But
being a completely separate process, there won't be any communication
possible naturally, you would have to implement inter-process
communication (IPC)...  but the simplest approach would probably be:

1) webserver receives client request and data
2) webserver writes data on file, ready to be worked on by the bg thread.
3) webserver calls system("somebgprog &")
4) somebgprog starts executing and checks the content of predetermined
file and starts working on it.  It could report its status into
another file (which can be read by the server).

A simple way to make this "somebgprog" is using php... you build your
CLI-PHP script and then call system("php /path/to/bgscript.php &")

One problem to think about in advance:  What happens if you have many
of these queries at the same time?  eh, you'll get many threads
working at the same time in bg...  this could lead to issues...

Good luck!

On Tue, May 26, 2009 at 4:55 AM, kranthi wrote:
> popen will allow you to read/write data to a file but not execute the php 
> code.
>
> i am assuming that you want to execute the php script like
> include/require does.. if that is the case system() will serve your
> purposebut this requires php to be installed as a CLI
>  $res = system("path/to/php.exe /path/to/second/file.php");
> ?>
>
> but as Nathan suggested it would be best for you if you considered
> alternative options. for example you can make an AJAX  request to the
> second file.
> Kranthi.
>

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
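Added example, not code from the thread: the four steps above (write the data to a file, start a CLI worker in the background, let the worker report status through another file) in a single PHP file that acts as both the launcher and the worker. The spool path, the cap of 4 workers and a `php` binary on PATH are assumptions; it targets Linux, as the reply does.

```php
<?php
// Added example, not code from the thread. Paths, names and limits are assumptions.

const SPOOL_DIR   = '/tmp/bgjobs-demo';
const MAX_RUNNING = 4;   // answer to "what if many requests arrive at once?"

function enqueue_job(array $data): string
{
    $old = umask(0077);                       // job files readable by this user only
    if (!is_dir(SPOOL_DIR) && !mkdir(SPOOL_DIR, 0700, true)) {
        umask($old);
        throw new RuntimeException('cannot create spool directory');
    }
    // The id is generated here: nothing sent by the client becomes a file
    // name or a command-line argument.
    $id  = bin2hex(random_bytes(16));
    $tmp = SPOOL_DIR . "/$id.tmp";
    file_put_contents($tmp, json_encode($data), LOCK_EX);
    rename($tmp, SPOOL_DIR . "/$id.job");     // atomic publish of the finished file
    umask($old);
    return $id;
}

function start_worker(string $id, string $script): bool
{
    if (!preg_match('/^[0-9a-f]{32}$/', $id)) {
        return false;
    }
    // Approximate cap: jobs over the limit stay queued as .job files.
    if (count(glob(SPOOL_DIR . '/*.running') ?: []) >= MAX_RUNNING) {
        return false;
    }
    // Every argument is quoted, and output is redirected: without the
    // redirection PHP waits for the child even though the command ends in '&'.
    $cmd = sprintf(
        'php %s worker %s > %s 2>&1 &',
        escapeshellarg($script),
        escapeshellarg($id),
        escapeshellarg(SPOOL_DIR . "/$id.log")
    );
    exec($cmd);
    return true;
}

function run_worker(string $id): void
{
    if (!preg_match('/^[0-9a-f]{32}$/', $id)) {
        exit(2);
    }
    $running = SPOOL_DIR . "/$id.running";
    // rename() is the claim: if two workers race for one job, only one wins.
    if (!@rename(SPOOL_DIR . "/$id.job", $running)) {
        exit(3);
    }
    $data   = json_decode(file_get_contents($running), true);
    $result = ['id' => $id, 'items' => count($data['items'] ?? []), 'done_at' => date('c')];
    file_put_contents(SPOOL_DIR . "/$id.status", json_encode($result), LOCK_EX);
    unlink($running);
}

if (PHP_SAPI === 'cli') {
    if (($argv[1] ?? '') === 'worker') {
        run_worker($argv[2] ?? '');
    } else {
        // Stand-in for the web request handler; the payload is constructed.
        $id = enqueue_job(['items' => ['a', 'b', 'c']]);
        echo 'started: ', var_export(start_worker($id, __FILE__), true), "\n";
        sleep(1);                             // the request would normally return here
        echo 'status : ', @file_get_contents(SPOOL_DIR . "/$id.status"), "\n";
    }
}
```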



Re: [PHP] Mail function and hotmail

2009-06-10 Thread Bastien Koert
On Wed, Jun 10, 2009 at 1:11 PM, Fernando G wrote:
>
> I have no idea of what else to use.  Your suggestions are appreciated.
>
> Fernando.
>
>> Date: Wed, 10 Jun 2009 18:04:31 +0100
>> From: rich...@php.net
>> To: jfer...@hotmail.com
>> CC: php-general@lists.php.net
>> Subject: Re: [PHP] Mail function and hotmail
>>
>> Hi,
>>
>> > ...
>>
>> Use something that is already proven to work. It will save you an
>> awful lot of time.
>>
>> --
>> Richard Heyes
>> HTML5 graphing: RGraph (www.rgraph.net - updated 6th June)
>> PHP mail: RMail (www.phpguru.org/rmail)
>> PHP datagrid: RGrid (www.phpguru.org/rgrid)
>> PHP Template: RTemplate (www.phpguru.org/rtemplate)
>> PHP SMTP: http://www.phpguru.org/smtp
>>


Richard was likely suggesting his mail example as listed in his signature

Other options include

phpmailer
pear's mime mail

various other classes available www.phpclasses.org
-- 

Bastien

Cat, the other other white meat




Re: [PHP] Mail function and hotmail

2009-06-10 Thread Richard Heyes
Hi,

> pear's mime mail

I believe I had a hand in that too. It's like a bad rash - it gets
everywhere... :-)

-- 
Richard Heyes
HTML5 graphing: RGraph (www.rgraph.net - updated 6th June)
PHP mail: RMail (www.phpguru.org/rmail)
PHP datagrid: RGrid (www.phpguru.org/rgrid)
PHP Template: RTemplate (www.phpguru.org/rtemplate)
PHP SMTP: http://www.phpguru.org/smtp




RE: [PHP] Mail function and hotmail

2009-06-10 Thread Fernando G

Thanks.  I'll check that out.

> Date: Wed, 10 Jun 2009 18:24:45 +0100
> Subject: Re: [PHP] Mail function and hotmail
> From: rich...@php.net
> To: phps...@gmail.com
> CC: jfer...@hotmail.com; php-general@lists.php.net
> 
> Hi,
> 
> > pear's mime mail
> 
> I believe I had a hand in that too. It's like a bad rash - it gets
> everywhere... :-)
> 
> -- 
> Richard Heyes
> HTML5 graphing: RGraph (www.rgraph.net - updated 6th June)
> PHP mail: RMail (www.phpguru.org/rmail)
> PHP datagrid: RGrid (www.phpguru.org/rgrid)
> PHP Template: RTemplate (www.phpguru.org/rtemplate)
> PHP SMTP: http://www.phpguru.org/smtp


Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Sudheer Satyanarayana



I've been doing a bit of reading, and I can't really understand why XSS
is such an issue. Sure, if a user can insert a 

Re: [PHP] PHP as Server Side for a Web Database Application.

2009-06-10 Thread Lenin
I reckon Dan brown is fond of pillow talks instead of PHP(pillow has
p*nux) in here very much ;)




Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
> > I've been doing a bit of reading, and I can't really understand why XSS
> > is such an issue. Sure, if a user can insert a 

Re: [PHP] Mail function and hotmail

2009-06-10 Thread Sudheer Satyanarayana




Richard was likely suggesting his mail example as listed in his signature

Other options include

phpmailer
pear's mime mail

various other classes available www.phpclasses.org
  

Fernando,

I recommend you check out the various PHP frameworks out there. Instead 
of randomly searching for classes for common functionality like sending 
an email from your script, you could use the framework's classes. I am 
sure all of the frameworks provide classes to send emails.  The next 
time you need a  class to read email from your scripts, you can simply 
look for classes your framework of choice provides.


I personally use Zend Framework. But there are many available - Cake, 
CI, Symfony, etc.


Also take a look at PEAR like Bastien said.
--

With warm regards,
Sudheer. S
Business: http://binaryvibes.co.in, Tech stuff: http://techchorus.net, 
Personal: http://sudheer.net





Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
> Ashley Sheridan wrote:
> > On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
> >   
> >>> I've been doing a bit of reading, and I can't really understand why XSS
> >>> is such an issue. Sure, if a user can insert a 

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote:
> On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
> > Ashley Sheridan wrote:
> > > On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
> > >   
> > >>> I've been doing a bit of reading, and I can't really understand why XSS
> > >>> is such an issue. Sure, if a user can insert a 

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Nitsan Bin-Nun
That would do the job.

If you are already digging into it, take a look at XSRF/CSRF, which
can both be very harmful, especially for ecommerce websites.

On Wed, Jun 10, 2009 at 8:08 PM, Ashley
Sheridan wrote:
> On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote:
>> On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
>> > Ashley Sheridan wrote:
>> > > On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
>> > >
>> > >>> I've been doing a bit of reading, and I can't really understand why XSS
>> > >>> is such an issue. Sure, if a user can insert a 

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 19:59 +0200, Nitsan Bin-Nun wrote:
> That would do the job.
> 
> If you are already digging into it, take a look at XSRF/CSRF, which
> can both be very harmful, especially for ecommerce websites.
> 
> On Wed, Jun 10, 2009 at 8:08 PM, Ashley
> Sheridan wrote:
> > On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote:
> >> On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
> >> > Ashley Sheridan wrote:
> >> > > On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
> >> > >
> >> > >>> I've been doing a bit of reading, and I can't really understand why 
> >> > >>> XSS
> >> > >>> is such an issue. Sure, if a user can insert a 

[PHP] Form handling

2009-06-10 Thread Eddie Drapkin
I've been charged with writing a class that handles forms, once they've been
POSTed to.  The idea of the class is to handle the most common use-cases of
POST forms, and any special functionality can be handled with a child class
at a later date, but for our uses, we're going to have mostly pretty typical
POST forms.  Follows is the list of cases I've determined that are the most
common, can anyone think of any that are omitted or that are never going to
be used?

class form_handler {
    // Takes a simple array that corresponds to a $_POST key, verifying that
    // there is data on required fields but not for optional fields.
    // Returns true or false on error.
    public /* bool */ function setRequiredFields(array $fields);

    // Array of field names => type, a la
    //   ('username' => array(regex, '/a-zA-Z0-9\-_/'))
    // or 'phone_number' => (array('int', 'min_len' => 7, 'max_len' => 10)) etc.
    // The exact spec is obviously nowhere near done but will probably just
    // wrap a lot of filter_ functions. Returns true or false on error.
    public /* bool */ function setRequiredFieldTypes(array $fieldTypes);

    // Returns error or empty string.
    public /* string */ function validateAndCaptureError();

    // Forwards to page on error, or not.
    public /* void */ function validateAndForwardTo($page);
}

each of the globule setters will have a corresponding appendRequired...
method, so as not to require handling enormous data structures for
conditional form building.

As you can see, the class looks pretty barren, but I can't think of any more
functionality than would be required, although I am kicking the idea around
of having very specific validation type methods ie.
form_handler::requireInt($field, array $options) or
form_handler::requireRegex($field, $regex), etc.

Thoughts?

Thanks in advance,
--Eddie


Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Sudheer Satyanarayana

Ashley Sheridan wrote:

On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
  

I've been doing a bit of reading, and I can't really understand why XSS
is such an issue. Sure, if a user can insert a 

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Eddie Drapkin
On Wed, Jun 10, 2009 at 2:08 PM, Ashley Sheridan
wrote:

> On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote:
> > On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
> > > Ashley Sheridan wrote:
> > > > On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
> > > >
> > > >>> I've been doing a bit of reading, and I can't really understand why
> XSS
> > > >>> is such an issue. Sure, if a user can insert a 

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 14:14 -0400, Eddie Drapkin wrote:
> On Wed, Jun 10, 2009 at 2:08 PM, Ashley Sheridan
> wrote:
> 
> > On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote:
> > > On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
> > > > Ashley Sheridan wrote:
> > > > > On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
> > > > >
> > > > >>> I've been doing a bit of reading, and I can't really understand why
> > XSS
> > > > >>> is such an issue. Sure, if a user can insert a 

RE: [PHP] Mail function and hotmail

2009-06-10 Thread Fernando G

Thank you.  I'm looking at PEAR Mail_mime right now.  It seems promising.

Fernando.

> Date: Wed, 10 Jun 2009 23:14:11 +0530
> From: sudhee...@binaryvibes.co.in
> To: phps...@gmail.com
> CC: jfer...@hotmail.com; rich...@php.net; php-general@lists.php.net
> Subject: Re: [PHP] Mail function and hotmail
> 
> 
> >
> > Richard was likely suggesting his mail example as listed in his signature
> >
> > Other options include
> >
> > phpmailer
> > pear's mime mail
> >
> > various other classes available www.phpclasses.org
> >   
> Fernando,
> 
> I recommend you check out the various PHP frameworks out there. Instead 
> of randomly searching for classes for common functionality like sending 
> an email from your script, you could use the framework's classes. I am 
> sure all of the frameworks provide classes to send emails.  The next 
> time you need a  class to read email from your scripts, you can simply 
> look for classes your framework of choice provides.
> 
> I personally use Zend Framework. But there are many available - Cake, 
> CI, Symfony, etc.
> 
> Also take a look at PEAR like Bastien said.
> -- 
> 
> With warm regards,
> Sudheer. S
> Business: http://binaryvibes.co.in, Tech stuff: http://techchorus.net, 
> Personal: http://sudheer.net
> 


Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Andrew Ballard
On Wed, Jun 10, 2009 at 2:26 PM, Ashley
Sheridan wrote:
> On Wed, 2009-06-10 at 14:14 -0400, Eddie Drapkin wrote:
>> On Wed, Jun 10, 2009 at 2:08 PM, Ashley Sheridan
>> wrote:
>>
>> > On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote:
>> > > On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
>> > > > Ashley Sheridan wrote:
>> > > > > On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
>> > > > >
>> > > > >>> I've been doing a bit of reading, and I can't really understand why
>> > XSS
>> > > > >>> is such an issue. Sure, if a user can insert a 

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 14:40 -0400, Andrew Ballard wrote:
> On Wed, Jun 10, 2009 at 2:26 PM, Ashley
> Sheridan wrote:
> > On Wed, 2009-06-10 at 14:14 -0400, Eddie Drapkin wrote:
> >> On Wed, Jun 10, 2009 at 2:08 PM, Ashley Sheridan
> >> wrote:
> >>
> >> > On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote:
> >> > > On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
> >> > > > Ashley Sheridan wrote:
> >> > > > > On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
> >> > > > >
> >> > > > >>> I've been doing a bit of reading, and I can't really understand 
> >> > > > >>> why
> >> > XSS
> >> > > > >>> is such an issue. Sure, if a user can insert a 

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Andrew Ballard
On Wed, Jun 10, 2009 at 2:56 PM, Ashley
Sheridan wrote:
> On Wed, 2009-06-10 at 14:40 -0400, Andrew Ballard wrote:
>> On Wed, Jun 10, 2009 at 2:26 PM, Ashley
>> Sheridan wrote:
>> > On Wed, 2009-06-10 at 14:14 -0400, Eddie Drapkin wrote:
>> >> On Wed, Jun 10, 2009 at 2:08 PM, Ashley Sheridan
>> >> wrote:
>> >>
>> >> > On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote:
>> >> > > On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
>> >> > > > Ashley Sheridan wrote:
>> >> > > > > On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
>> >> > > > >
>> >> > > > >>> I've been doing a bit of reading, and I can't really understand 
>> >> > > > >>> why
>> >> > XSS
>> >> > > > >>> is such an issue. Sure, if a user can insert a 

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Shawn McKenzie
Ashley Sheridan wrote:
> On Wed, 2009-06-10 at 14:40 -0400, Andrew Ballard wrote:
>> On Wed, Jun 10, 2009 at 2:26 PM, Ashley
>> Sheridan wrote:
>>> On Wed, 2009-06-10 at 14:14 -0400, Eddie Drapkin wrote:
>>>> On Wed, Jun 10, 2009 at 2:08 PM, Ashley Sheridan
>>>> wrote:
>>>>
>>>>> On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote:
>>>>>> On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
>>>>>>> Ashley Sheridan wrote:
>>>>>>>> On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
>>>>>>>>
>>>>>>>>>> I've been doing a bit of reading, and I can't really understand why
>>>>> XSS
>>>>>>>>>> is such an issue. Sure, if a user can insert a 

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Nitsan Bin-Nun
Usually I would support you on this one. In chemistry you always keep
your stock "pure" and make any observations or mixtures in clean and
other glasses in order to keep it pure.

When it comes to printing an output or hosting it in a variable and
then printing it out it is just a matter of taste.

On Wed, Jun 10, 2009 at 8:54 PM, Andrew Ballard wrote:
> On Wed, Jun 10, 2009 at 2:56 PM, Ashley
> Sheridan wrote:
>> On Wed, 2009-06-10 at 14:40 -0400, Andrew Ballard wrote:
>>> On Wed, Jun 10, 2009 at 2:26 PM, Ashley
>>> Sheridan wrote:
>>> > On Wed, 2009-06-10 at 14:14 -0400, Eddie Drapkin wrote:
>>> >> On Wed, Jun 10, 2009 at 2:08 PM, Ashley Sheridan
>>> >> wrote:
>>> >>
>>> >> > On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote:
>>> >> > > On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
>>> >> > > > Ashley Sheridan wrote:
>>> >> > > > > On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
>>> >> > > > >
>>> >> > > > >>> I've been doing a bit of reading, and I can't really 
>>> >> > > > >>> understand why
>>> >> > XSS
>>> >> > > > >>> is such an issue. Sure, if a user can insert a 

[PHP] detect cli sapi

2009-06-10 Thread Tom Worster
what's a reliable way to detect that the sapi is cli, including in
included scripts?






Re: [PHP] detect cli sapi

2009-06-10 Thread Eddie Drapkin
if(PHP_SAPI == 'cli') { }

or

if(php_sapi_name() == 'cli') { }

On Wed, Jun 10, 2009 at 3:42 PM, Tom Worster  wrote:

> what's a reliable way to detect that the sapi is cli, including in
> included scripts?


Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Andrew Ballard
On Wed, Jun 10, 2009 at 3:10 PM, Nitsan Bin-Nun wrote:
> Usually I would support you on this one. In chemistry you always keep
> your stock "pure" and make any observations or mixtures in clean and
> other glasses in order to keep it pure.
>
> When it comes to printing an output or hosting it in a variable and
> then printing it out it is just a matter of taste.
>

It is a matter of taste. If I see a variable named $searchTerms, I
expect it to have only the (appropriately sanitized) search terms
in it without any specific escape sequences. For me, it's the same
problem I have with magic_quotes (and related variants). If the
magic_quotes setting is enabled, you have to call stripslashes() on
the variable before you do just about anything with it, such as
passing it to htmlspecialchars(), mysql_real_escape_string(), a DBMS
other than MySQL, etc.

All I'm saying is that if I want to assign the returned value of an
escape function to a variable, I use a new variable whose name
describes its purpose -- Ash's $dbSearchTerms variable does just this
-- rather than assigning it back to the original variable. (I do
sometimes make an exception when the variable's scope is inside a
function whose sole purpose is to escape the value and then do
something with the escaped value.) I just often skip the extra
variable and use the function return value directly unless having the
extra variable makes the code more readable -- as a matter of taste.
:-)


Andrew
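
The approach described in the message above, as an added example that is not code from the thread: the raw $searchTerms value is left alone and each output context gets its own encoding. The sample input, table and variable names other than $searchTerms are constructed, and a PDO bound parameter (assuming the pdo_sqlite extension) stands in for the mysql_real_escape_string() call mentioned above.

```php
<?php
// Constructed sample input standing in for $_GET['q'].
$searchTerms = "O'Reilly <script>alert(1)</script>";

// Sink 1: HTML text or a quoted attribute value.
$htmlSearchTerms = htmlspecialchars($searchTerms, ENT_QUOTES, 'UTF-8');

// Sink 2: a URL query-string component.
$urlSearchTerms = rawurlencode($searchTerms);

// Sink 3: SQL. The bound parameter keeps the value out of the statement text.
// Note that % and _ inside the term still act as LIKE wildcards.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE books (title TEXT)');
$db->prepare('INSERT INTO books (title) VALUES (?)')
   ->execute([$searchTerms . ' handbook']);
$stmt = $db->prepare('SELECT title FROM books WHERE title LIKE ?');
$stmt->execute(['%' . $searchTerms . '%']);
$titles = $stmt->fetchAll(PDO::FETCH_COLUMN);

echo '<p>Results for <a href="/search?q=', $urlSearchTerms, '">',
     $htmlSearchTerms, "</a></p>\n";
foreach ($titles as $title) {
    // Stored data is encoded at output time as well.
    echo '<li>', htmlspecialchars($title, ENT_QUOTES, 'UTF-8'), "</li>\n";
}

// If the escaped value had been written back into $searchTerms, a later
// htmlspecialchars() call would encode it a second time and change it.
$twice = htmlspecialchars($htmlSearchTerms, ENT_QUOTES, 'UTF-8');
var_dump($twice === $htmlSearchTerms);
```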




[PHP] Re: Form handling

2009-06-10 Thread Michael

Have a look at Zend Form




[PHP] Re: Any conflict with $_POST when 2 users concurrently submitting the same form using POST method?

2009-06-10 Thread Keith

Thanks! Peter.
I’m very clear now.

"Peter Ford"  wrote in message 
news:bd.38.16665.07c6f...@pb1.pair.com...

Keith wrote:

Let's say user A and user B submitting purchase order form with
"order.php" at the same time, with method=post action='confirmation.php'.

(1)   Will $_POST['order'] submitted by user A replaced by
$_POST['order'] submitted by user B, and the both user A & B getting the
same order, which is made by user B? Why?

(2)Since $_POST['xxx'] is superglobal array, will $_POST['order']
read by users other than A & B? In shared hosting server environment,
are all domains hosted within that server using the same $_POST array?
Can $_POST array accessible by all domains even if not from the
originating domain?

Thx for clarification!

Keith


Other posters have explained, but I'm not sure their explanations are clear.

Think of it like this:

User A posts to "confirmation.php". When the server receives the request, it
starts up a Process and fills the $_POST array with whatever came in, then runs
confirmation.php with that information.

User B posts to "confirmation.php". When the server receives the request, it
starts up a Process and fills the $_POST array with whatever came in, then runs
confirmation.php with that information.

The KEY thing is that the process in each case is entirely separate. Each makes
its own copy of the script in its own bit of memory, and each has its own
version of $_POST in its own bit of memory.

The two posts can happen at the same time and they will still be completely
independent.

The fact that $_POST is called "superglobal" does not mean that it is shared by
separate requests - it is not even shared by requests in the same session. It
just means that it is already declared and you don't need to use the "global"
keyword to access it in your PHP pages.

--
Peter Ford  phone: 01580 89
Developer   fax:   01580 893399
Justcroft International Ltd., Staplehurst, Kent 






[PHP] Re: Form handling

2009-06-10 Thread Manuel Lemos
Hello,

on 06/10/2009 03:10 PM Eddie Drapkin said the following:
> I've been charged with writing a class that handles forms, once they've been
> POSTed to.  The idea of the class is to handle the most common use-cases of
> POST forms, and any special functionality can be handled with a child class
> at a later date, but for our uses, we're going to have mostly pretty typical
> POST forms.  Follows is the list of cases I've determined that are the most
> common, can anyone think of any that are omitted or that are never going to
> be used?
> 
> class form_handler {
> public /* bool */ function setRequiredFields(array $fields); //takes a
> simple array that corresponds to a $_POST key, verifying that there is data
> on required fields but not for optional fields, returns true or false on
> error
> public /* bool */ function setRequiredFieldTypes(array $fieldTypes);
> //array of field names => type a la ('username' => array(regex,
> '/a-zA-Z0-9\-_/'))
> //or 'phone_number' => (array('int', 'min_len' => 7,
> 'max_len' => 10)) etc, the exact spec is obviously nowhere near done but
> will probably just wrap a lot of filter_ functions, returns true or false on
> error
> public /* string */ function validateAndCaptureError(); //returns error
> or empty string
> public /* void */ function validateAndForwardTo($page); //forwards to
> page on error, or not
> }
> 
> each of the globule setters will have a corresponding appendRequired...
> method, so as not to require handling enormous data structures for
> conditional form building.
> 
> As you can see, the class looks pretty barren, but I can't think of any more
> functionality than would be required, although I am kicking the idea around
> of having very specific validation type methods ie.
> form_handler::requireInt($field, array $options) or
> form_handler::requireRegex($field, $regex), etc.
> 
> Thoughts?

You may want to consider not reinventing the wheel.

I have been using this popular forms generation and validation class for about
10 years now. It can deal with pretty much all you need now and probably later.

http://www.phpclasses.org/formsgeneration

Here are some live examples of the class and its plug-ins.

http://www.meta-language.net/forms-examples.html

-- 

Regards,
Manuel Lemos

Find and post PHP jobs
http://www.phpclasses.org/jobs/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/
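
The required-field and per-field type checks from the quoted proposal, as an added example that is not the poster's class or the phpclasses.org package: validateForm(), the rule array layout and the sample input are hypothetical. It assumes a 'digits' rule rather than 'int' for the phone number so leading zeros survive, and the username pattern is anchored so the whole value must match.

```php
<?php
// Hypothetical helper written for this example; not the class from the thread.
function validateForm(array $post, array $required, array $rules)
{
    $errors = [];
    foreach ($required as $field) {
        $value = isset($post[$field]) ? $post[$field] : null;
        // field[]=x arrives as an array, so anything but a non-empty string fails.
        if (!is_string($value) || trim($value) === '') {
            $errors[$field] = 'required';
        }
    }
    foreach ($rules as $field => $rule) {
        if (isset($errors[$field]) || !isset($post[$field]) || $post[$field] === '') {
            continue; // already reported, or optional and left empty
        }
        $value = $post[$field];
        if (!is_string($value)) {
            $ok = false;
        } elseif ($rule['type'] === 'regex') {
            $ok = filter_var($value, FILTER_VALIDATE_REGEXP,
                ['options' => ['regexp' => $rule['pattern']]]) !== false;
        } elseif ($rule['type'] === 'digits') {
            $len = strlen($value);
            $ok = ctype_digit($value)
                && $len >= $rule['min_len'] && $len <= $rule['max_len'];
        } else {
            $ok = false; // unknown rule types fail closed
        }
        if (!$ok) {
            $errors[$field] = 'invalid';
        }
    }
    return $errors;
}

// Constructed input standing in for $_POST.
$post = ['username' => 'eve<script>', 'phone_number' => '5551234', 'note' => ''];
$errors = validateForm($post, ['username', 'phone_number'], [
    // \A and \z plus a character class: the whole value must match.
    'username'     => ['type' => 'regex', 'pattern' => '/\A[a-zA-Z0-9_-]+\z/'],
    'phone_number' => ['type' => 'digits', 'min_len' => 7, 'max_len' => 10],
]);
var_dump($errors);
```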
