php-general Digest 7 Jun 2010 09:45:48 - Issue 6785
Topics (messages 305858 through 305873):
Re: unlink()?
305858 by: Ashley Sheridan
305860 by: tedd
DOMDocument throws Unexpected end tag error when loading valid HTML
305859 by: Raymond Irving
305873 by:
On 6 June 2010 19:56, Raymond Irving xwis...@gmail.com wrote:
Hello,
Sorry to have to be writing to you directly. I've tried sending this email
to the mailing list but it keeps returning with a failure message:
Remote host said: 550 5.7.1 reject mailfrom [sbl]
It appears that my yahoo
On 7 June 2010 04:20, Skip Evans s...@bigskypenguin.com wrote:
Hey Ash all,
Thanks for that detailed explanation.
This is a lot of what I was thinking. Cookies can get deleted, etc, and all
the other things that can toss wrenches into this.
To clarify, they want to limit a single user to
Hi Folks!
The portal for which I work is suffering constant attacks that I feel
are PHP Injection. Somehow the hacker is getting to change the cache files
that our system generates, concatenating the HTML file with another that
has an iframe to a malicious JAR file. Do you have any
On Mon, 2010-06-07 at 09:54 -0300, Igor Escobar wrote:
Hi Folks!
The portal for which I work is suffering constant attacks that I feel
are PHP Injection. Somehow the hacker is getting to change the cache files
that our system generates, concatenating the HTML file with another that
On Sun, 6 Jun 2010 13:56:25 -0500, Raymond Irving wrote:
Here's the script. Can anyone confirm this error or is there a known
workaround?
<?php
$html = '
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<script>
On 7 June 2010 14:54, Igor Escobar titiolin...@gmail.com wrote:
Hi Folks!
The portal for which I work is suffering constant attacks that I feel
are PHP Injection. Somehow the hacker is getting to change the cache files
that our system generates, concatenating the HTML file with another
On Mon, 2010-06-07 at 10:38 -0700, Michael Shadle wrote:
It's not that bad.
Use filter functions and sanity checks for input.
Use htmlspecialchars() basically on output.
That should take care of basically everything.
On Jun 7, 2010, at 6:16 AM, Igor Escobar titiolin...@gmail.com
Oh yeah. I do more than just intval() I make sure they didn't feed me
anything BUT numeric text first. I do sanity check before type
forcing :)
I use garbage in garbage out. So I take what is given to me and yes I
escape it before the db of course as well, and then encode on output.
On
On Mon, 2010-06-07 at 14:42 -0300, Igor Escobar wrote:
It's not a SQL Injection or XSS problem, Michael.
It's a PHP Injection problem. I know how to fix that but the web site is very,
very huge, has lots and lots of partners, and I'm having a big difficulty
identifying the focus of the problem.
Hello,
I've got a form with two combo boxes, one for the month one for the
day. Both are required. I've got code that checks the post submission
to ensure neither is empty. My problem is that if a user does not
select anything in the combo boxes, January first is sent, and this I don't
want. If they
On Mon, 2010-06-07 at 10:48 -0700, Michael Shadle wrote:
Oh yeah. I do more than just intval() I make sure they didn't feed me
anything BUT numeric text first. I do sanity check before type
forcing :)
I use garbage in garbage out. So I take what is given to me and yes I
escape if
I think we're getting off topic here folks...
Regards,
Igor Escobar
Systems Analyst Interface Designer
+ http://blog.igorescobar.com
+ http://www.igorescobar.com
+ @igorescobar (twitter)
On Mon, Jun 7, 2010 at 2:51 PM, Ashley Sheridan
a...@ashleysheridan.co.uk wrote:
On Mon, 2010-06-07
You could do generic things to modify the $_GET and other superglobal
arrays. For example if you wanted to implement magic quote yourself
have a recursive function (I'd paste one but I'm on my phone) but
something akin to this:
$_GET = your_function_name($_GET);
An idea for you might be
On Mon, 2010-06-07 at 13:49 -0400, David Mehler wrote:
Hello,
I've got a form with two combo boxes, one for the month one for the
day. Both are required. I've got code that checks the post submission
to ensure neither is empty. My problem is that if a user does not
select anything in the
Because that only typecasts it. It's safe but it isn't what the user
actually entered.
This way I can actually determine if the user put in 123abc and
reject it, not accept it and keep the 123 silently for example. Same
with floats. You may or may not consider a negative number acceptable,
PHP Injection is the technical name given to a security hole in PHP
applications. When this hole exists, a hacker can include external code
that is interpreted as internal code, as if the included code were just one
more part of the script.
// my code...
// my code...
include
--
---
http://sperling.com http://ancientstones.com http://earthstones.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
I totally agree with you, Ash.
I came up here to ask you guys for some light. Anything to help me track
that M%$#% F#$CK#$# and discover from where he's attacking.
Regards,
Igor Escobar
Systems Analyst Interface Designer
+ http://blog.igorescobar.com
+ http://www.igorescobar.com
+
I couldn't resist.
tedd tedd.sperl...@gmail.com wrote in message
news:p0624080cc832e662f...@[192.168.1.102]...
I disagree, and this kind of approach could be appropriate: if you walk
your input globals and apply some sanity checks and appropriate
filtering, you could fix the issue.
On Jun 7, 2010, at 10:52 AM, Igor Escobar titiolin...@gmail.com wrote:
I think we're getting off topic here folks...
On Mon, 2010-06-07 at 15:00 -0300, Igor Escobar wrote:
PHP Injection is the technical name given to a security hole in PHP
applications. When this hole exists, a hacker can include external
code that is interpreted as internal code, as if the included code were
just one more part of the script.
From: Ashley Sheridan
On Mon, 2010-06-07 at 15:00 -0300, Igor Escobar wrote:
PHP Injection is the technical name given to a security hole in PHP
applications. When this hole exists, a hacker can include external
code that is interpreted as internal code, as if the included code were
just one more
Hi Adam,
Thanks for the update but I'm thinking that it would be much easier if the
DOM parser could just ignore the contents of the script tags when parsing
HTML content. This way we would not have to out JavaScript or force users to
add JavaScript to a separate file.
What do you think?
__
Hi Richard,
<![CDATA[
<html><tag><soup>here</soup></tag></html>
]]>
I believe putting <![CDATA[ ]]> around the HTML will not work when using
<!DOCTYPE html> and it will also prevent the html from being parsed into
nodes that can be accessed via the DOM APIs
Or should the html that is inside the JS be urlencoded?
Thanks Nisse. This works great!
I just wish the HTML DOM parser could just ignore the contents of the
script tags. It would have made life so much easier for developers working
with the DOM.
Best regards,
__
Raymond Irving
2010/6/7 Nisse Engström news.nospam.0ixbt...@luden.se
In HTML, the /
Hi,
empty() cannot check the return value of the method or function. Which would
be the best workaround?
empty($class->method()) // gets an error
I could do
$method_return_value = $class->method() and then run empty() on
$method_return_value, or is there a better option? I would like to do
On Mon, Jun 7, 2010 at 3:30 PM, Raymond Irving xwis...@gmail.com wrote:
Hi Adam,
Thanks for the update but I'm thinking that it would be much easier if the
DOM parser could just ignore the contents of the script tags when parsing
HTML content. This way we would not have to out JavaScript or
On Mon, 2010-06-07 at 22:40 +0300, Tanel Tammik wrote:
Hi,
empty() cannot check the return value of the method or function. Which would
be the best workaround?
empty($class->method()) // gets an error
I could do
$method_return_value = $class->method() and then run empty() on
On 6/7/2010 9:15 PM, João Cândido de Souza Neto wrote:
I couldn't resist.
tedd tedd.sperl...@gmail.com wrote in message
news:p0624080cc832e662f...@[192.168.1.102]...
me too ;)
Peter Lind peter.e.l...@gmail.com wrote in message
news:aanlktilqkz8dnc0zacfv70tctf2wqkgpzojccqtuw...@mail.gmail.com...
On 1 June 2010 17:33, Ashley Sheridan a...@ashleysheridan.co.uk wrote:
On Tue, 2010-06-01 at 16:31 +0100, Richard Quadling wrote:
$re1 = '/^[a-z]++$/i';
$re2 = '/^[a-z
Ashley Sheridan a...@ashleysheridan.co.uk wrote in message
news:1275940320.2248.40.ca...@localhost...
On Mon, 2010-06-07 at 22:40 +0300, Tanel Tammik wrote:
Hi,
empty() cannot check the return value of the method or function. Which
would
be the best workaround?
empty($class->method())
On 7 June 2010 21:52, Ashley Sheridan a...@ashleysheridan.co.uk wrote:
On Mon, 2010-06-07 at 22:40 +0300, Tanel Tammik wrote:
Hi,
empty() cannot check the return value of the method or function. Which would
be the best workaround?
empty($class->method()) // gets an error
I could do
Peter Lind peter.e.l...@gmail.com wrote in message
news:aanlktinmvaqv-hdgjlq_dwoquvojbbmbfrixnxvqk...@mail.gmail.com...
On 7 June 2010 21:52, Ashley Sheridan a...@ashleysheridan.co.uk wrote:
On Mon, 2010-06-07 at 22:40 +0300, Tanel Tammik wrote:
Hi,
empty() cannot check the return value of
Hey - It looks like a PHP form on my server is insecure and is being used to
send spam. This is Rackspace's best guess. The problem is there are SO MANY
forms on all the web sites on this server that it would be a nightmare task to
try and look at them all to be sure they're properly secured.
On 07/06/2010 20:00, Igor Escobar wrote:
PHP Injection is the technical name given to a security hole in PHP
applications. When this hole exists, a hacker can include external code
that is interpreted as internal code, as if the included code were just one
more part of the script.
// my code...
// my
On 7 June 2010 22:25, Brian Dunning br...@briandunning.com wrote:
Hey - It looks like a PHP form on my server is insecure and is being used to
send spam. This is Rackspace's best guess. The problem is there are SO MANY
forms on all the web sites on this server that it would be a nightmare
Brian Dunning wrote:
Hey - It looks like a PHP form on my server is insecure and is being used to
send spam. This is Rackspace's best guess. The problem is there are SO MANY
forms on all the web sites on this server that it would be a nightmare task
to try and look at them all to be sure
On Mon, Jun 07, 2010 at 01:25:28PM -0700, Brian Dunning wrote:
Hey - It looks like a PHP form on my server is insecure and is being used to
send spam. This is Rackspace's best guess. The problem is there are SO MANY
forms on all the web sites on this server that it would be a nightmare task
Agreed that's a great overall strategy but what I need now is a way to track
down the offending script, within the next few days if possible.
On Jun 7, 2010, at 1:35 PM, Jim Lucas wrote:
Change all the forms to use a single
processing script and then you won't have such a big problem tracking
Hello,
I've got a form with three fields that are not required for proper
completion of it, ending month, day, year fields. If a user enters
nothing no problem, but if those form fields are entered I need them
validated. They have to be in the correct format -MM-DD date
format and that value
Brian Dunning wrote:
Agreed that's a great overall strategy but what I need now is a way to track
down the offending script, within the next few days if possible.
On Jun 7, 2010, at 1:35 PM, Jim Lucas wrote:
Change all the forms to use a single
processing script and then you won't have such
I think I must have misstated the problem. Thanks to everyone for the replies,
but the question is not how to fix it, it's how to find the script being
attacked. Many different admins manage many different sites on this server, and
I can't even begin to guess how many mail forms are on there
On Mon, 2010-06-07 at 22:54 +0300, Tanel Tammik wrote:
Peter Lind peter.e.l...@gmail.com wrote in message
news:aanlktilqkz8dnc0zacfv70tctf2wqkgpzojccqtuw...@mail.gmail.com...
On 1 June 2010 17:33, Ashley Sheridan a...@ashleysheridan.co.uk wrote:
On Tue, 2010-06-01 at 16:31 +0100, Richard
On Mon, 2010-06-07 at 16:51 -0400, David Mehler wrote:
Hello,
I've got a form with three fields that are not required for proper
completion of it, ending month, day, year fields. If a user enters
nothing no problem, but if those form fields are entered I need them
validated. They have to be
On Mon, 2010-06-07 at 14:34 -0700, Brian Dunning wrote:
I think I must have misstated the problem. Thanks to everyone for the
replies, but the question is not how to fix it, it's how to find the script
being attacked. Many different admins manage many different sites on this
server, and I
Well you could do just that but after you turn it back on. Set up a
fresh error log based on the reset of the mail server. You then have
some kind of script monitoring the in and out of your server.
Disconnecting the mail server momentarily and maybe a pass reset for
your users would stunt
Brian Dunning wrote:
I think I must have misstated the problem. Thanks to everyone for the
replies, but the question is not how to fix it, it's how to find the script
being attacked. Many different admins manage many different sites on this
server, and I can't even begin to guess how many
I'm currently geotargeting all the IPs in the log, and focusing on the hits
from Russia (the majority of these apache@ spams seem to be Russian). I've got
a much shorter list of scripts to look at now. Hopefully I'll find some that
just use mail() with no scrubbing.
On Mon, 2010-06-07 at 17:29 -0700, Brian Dunning wrote:
I'm currently geotargeting all the IPs in the log, and focusing on the hits
from Russia (the majority of these apache@ spams seem to be Russian). I've
got a much shorter list of scripts to look at now. Hopefully I'll find some
that
David Mehler wrote:
Hello,
I've got a form with three fields that are not required for proper
completion of it, ending month, day, year fields. If a user enters
nothing no problem, but if those form fields are entered I need them
validated. They have to be in the correct format -MM-DD
Sorry everyone, I know this isn't PHP related and I hope I'm not out of line.
If I am, I sincerely apologize. I don't know who else I could ask.
What I want to know is if anyone can recognize this font. I have searched the web
high and low and can't find any matching letter A's in the font examples.
Hi Dave,
It is called Fine Hand I believe. Found a copy here.
http://www.fonts.com/FindFonts/Detail.htm?pid=203813/cgi-bin/MsmGo.exe?grab_id=0page_id=8346query=HANDWRITINGSCOPE=Fonts
HTH,
Karl
On Jun 7, 2010, at 9:01 PM, David McGlone wrote:
Sorry everyone, I know this isn't PHP related
On Mon, Jun 07, 2010 at 02:34:23PM -0700, Brian Dunning wrote:
I think I must have misstated the problem. Thanks to everyone for the
replies, but the question is not how to fix it, it's how to find the script
being attacked. Many different admins manage many different sites on this
server,
I've got a file of passwords I'd like to encrypt/decrypt using blowfish. I'd
like to be able to do so with PHP and via the command line. I have a
Linux utility called bcrypt which encrypts/decrypts files using
blowfish. And I'm using the following code under PHP to do
encryption/decryption:
On Mon, Jun 7, 2010 at 10:22 PM, Karl DeSaulniers k...@designdrumm.com wrote:
Hi Dave,
It is called Fine Hand I believe. Found a copy here.
http://www.fonts.com/FindFonts/Detail.htm?pid=203813/cgi-bin/MsmGo.exe?grab_id=0page_id=8346query=HANDWRITINGSCOPE=Fonts
HTH,
Karl
On Jun 7,
On Mon, Jun 7, 2010 at 11:20 PM, Paul M Foster pa...@quillandmouse.com wrote:
I've got a file of passwords I'd like to encrypt/decrypt using blowfish.
I'd
like to be able to do so with PHP and via the command line. I have a
Linux utility called bcrypt which encrypts/decrypts files using