php-general Digest 20 Oct 2006 06:50:39 -0000 Issue 4411
php-general Digest 20 Oct 2006 06:50:39 - Issue 4411
Topics (messages 243360 through 243371):
Re: User question for PHP
243360 by: Christian Heinrich
243361 by: Al
243362 by: Andy Hultgren
243369 by: Chris
Weird stack trace in error_log from PDOException
243363 by: Russ Brown
[ANNOUNCE] php|tek
243364 by: Richard Lynch
ENV vars
243365 by: jekillen
243366 by: Ed Lazor
Re: Creating Tree Structure from associative array
243367 by: Larry Garfield
243370 by: Robert Cummings
Re: Problems with open_basedir
243368 by: Chris
Setting try and catch to use my own error handler
243371 by: Dave M G
Administrivia:
To subscribe to the digest, e-mail:
[EMAIL PROTECTED]
To unsubscribe from the digest, e-mail:
[EMAIL PROTECTED]
To post to the list, e-mail:
php-general@lists.php.net
--
---BeginMessage---
try suPHP :-)
Is it possible to have a PHP script execute as the user of the domain
instead of the webserver? So when I upload files through a PHP script
they are owned by me and not wwwrun or nobody?
---End Message---
---BeginMessage---
Christian Heinrich wrote:
try suPHP :-)
Is it possible to have a PHP script execute as the user of the domain
instead of the webserver? So when I upload files through a PHP script
they are owned by me and not wwwrun or nobody?
Sounds like it could be a big security issue if not very carefully.
---End Message---
---BeginMessage---
To whoever was asking this (sorry didn't see the original email):
Is it possible to have a PHP script execute as the user of the domain
instead of the webserver? So when I upload files through a PHP script
they are owned by me and not wwwrun or nobody?
I was recently exchanging on this list about that very topic. It's in the
archives for this list. Go to www.php.net and set the dropdown menu in the
upper right corner of the page to general mailing list, then type File
Upload Security and chmod into the search field and hit enter. The
conversation is within the first few hits on this search.
The server hosting my site runs with php executing as me (the owner of the
domain), and we covered some of the potential security pitfalls of such a
situation (mainly centered on the fact that this makes any php script far
too powerful). In my situation I couldn't change how the server was set up;
however, the general consensus was that this situation created a number of
serious security concerns that had to be very carefully addressed. I would
avoid this configuration if you have the choice, based purely on the advice
I received.
Hope that helps,
Andy
---End Message---
---BeginMessage---
Andy Hultgren wrote:
To whoever was asking this (sorry didn't see the original email):
Is it possible to have a PHP script execute as the user of the domain
instead of the webserver? So when I upload files through a PHP script
they are owned by me and not wwwrun or nobody?
I was recently exchanging on this list about that very topic. It's in the
archives for this list. Go to www.php.net and set the dropdown menu in the
upper right corner of the page to general mailing list, then type File
Upload Security and chmod into the search field and hit enter. The
conversation is within the first few hits on this search.
The server hosting my site runs with php executing as me (the owner of
the
domain), and we covered some of the potential security pitfalls of such a
situation (mainly centered on the fact that this makes any php script far
too powerful). In my situation I couldn't change how the server was set
up;
however, the general consensus was that this situation created a number of
serious security concerns that had to be very carefully addressed. I would
avoid this configuration if you have the choice, based purely on the advice
I received.
Actually you have that the wrong way around.
If php is running as www or nobody then any files or directories
that a php script creates will be done as the web server user.
That means (potentially) that if domain 'a' creates a file, domain 'b'
can read and write to that file and even delete it.
If php is running as you instead, you can control this with appropriate
chmod commands (at least removing the risk of deleting of files /
updating of files).
A shared user (like www or nobody) is a *much* bigger risk than
separate users.
--
Postgresql php tutorials
http://www.designmagick.com/
---End Message---
---BeginMessage---
Hi,
I have a pretty simple bit of code that looks like the following;
// Prepare a statement. This will actually call a stored procedure
$objStatement = $objDB-prepare($strInsert);
try
{
$objStatement-execute($arrParams);
error_log(ABOUT TO fetchColumn);
$intID = $objStatement-fetchColumn();
error_log(AFTER fetchColumn);
$objStatement-closeCursor();
}
catch
[PHP] Setting try and catch to use my own error handler
PHP List,
I have a system where the code parses the URL and creates objects based
on the classes named in the link.
In order to prevent a user typing in a URL that contains an object that
doesn't exist, and getting an error, I'm trying to set up an error
handler class, called ErrorHandler, that will handle it.
I set the error handler to be my own, and then put a Try and Catch
around the part of the code that
set_error_handler(ErrorHandler::handleError());
try
{
object = new $urlParts[0]();
if (!empty($urlParts[2]))
{
$object-$urlParts[1]($urlParts[2]);
}
else
{
$object-$urlParts[1]();
}
}
catch (Error $e)
{
echo Sorry, the web page you are looking for can not be found.;
}
Inside my ErrorHandler, I have this:
public static function handleError($errno, $errstr, $errfile, $errline)
{
echo Hey dude! Error! . $errno . $errstr . $errfile . $errline ;
}
However, I get errors saying that the arguments for handleError don't exist.
Shouldn't they be automatically passed to my own error handler?
Thank you for any advise.
--
Dave M G
Ubuntu 6.06 LTS
Kernel 2.6.17.7
Pentium D Dual Core Processor
PHP 5, MySQL 5, Apache 2
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Setting try and catch to use my own error handler
On Fri, 2006-10-20 at 15:50 +0900, Dave M G wrote:
I have a system where the code parses the URL and creates objects based
on the classes named in the link.
In order to prevent a user typing in a URL that contains an object that
doesn't exist, and getting an error, I'm trying to set up an error
handler class, called ErrorHandler, that will handle it.
I set the error handler to be my own, and then put a Try and Catch
around the part of the code that
You are getting confused as to what an error handler is and what a
custom exception handler is.
You need to define a class that extends Exception to handle your
errors in that way.
class myExceptionHandler extends Exception {
...
...
public function handleError($args)
{
//do something
}
}
Then when you try and instantiate your object:
throw new myException(Your object is whack);
try {
$obj = new Object();
}
catch(myException $e)
{
myException::handleError();
}
--Paul
All Email originating from UWC is covered by disclaimer
http://www.uwc.ac.za/portal/uwc2006/content/mail_disclaimer/index.htm
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] array_walk, or array_map, or foreach?
PHP List,
I took a snippet of code right off the php.net site to use trim on all
the elements of an array.
Theoretically, it should test if the element in an array is in turn
another array, and break it down to the next level until it gets to a
string it can use trim on.
This is the code:
public static function trimArray($array)
{
if (is_array($array))
{
array_walk($array, trimArray);
}
else
{
$array = trim($array);
}
return $array;
}
The function exists inside a static class called Utility where I keep
all basic utility functions.
I don't know if it's the fact that it's in a static class that makes a
difference, but I've tried the following variations on the line with
array_walk() in it:
array_walk($array, Utlity::trimArray)
array_map(Utility::trimArray, $array)
array_map(trimArray, $array)
I've even tried accomplishing it with a foreach(), but no matter what I
do, it doesn't work.
As it walks through the array, it seems to trim a copy of the element in
the array, trim that, but leave the original array untouched.
What am I missing here?
--
Dave M G
Ubuntu 6.06 LTS
Kernel 2.6.17.7
Pentium D Dual Core Processor
PHP 5, MySQL 5, Apache 2
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] array_walk, or array_map, or foreach?
On Fri, 2006-10-20 at 16:04 +0900, Dave M G wrote:
PHP List,
I took a snippet of code right off the php.net site to use trim on all
the elements of an array.
Theoretically, it should test if the element in an array is in turn
another array, and break it down to the next level until it gets to a
string it can use trim on.
This is the code:
public static function trimArray($array)
{
if (is_array($array))
{
array_walk($array, trimArray);
I'm too lazy too look, but usually when using a class method as a
handler for PHP callback functions you pass the method as follows:
array_walk( $array, array( 'ClassName', 'trimArray' ) );
Cheers,
Rob.
--
..
| InterJinn Application Framework - http://www.interjinn.com |
::
| An application and templating framework for PHP. Boasting |
| a powerful, scalable system for accessing system services |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for |
| creating re-usable components quickly and easily. |
`'
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] User question for PHP
On Fri, 20 Oct 2006 15:49:14 +1000, Chris wrote: Andy Hultgren wrote: To whoever was asking this (sorry didn't see the original email): Is it possible to have a PHP script execute as the user of the domain instead of the webserver? So when I upload files through a PHP script they are owned by me and not wwwrun or nobody? I was recently exchanging on this list about that very topic. It's in the archives for this list. Go to www.php.net and set the dropdown menu in the upper right corner of the page to general mailing list, then type File Upload Security and chmod into the search field and hit enter. The conversation is within the first few hits on this search. The server hosting my site runs with php executing as me (the owner of the domain), and we covered some of the potential security pitfalls of such a situation (mainly centered on the fact that this makes any php script far too powerful). In my situation I couldn't change how the server was set up; however, the general consensus was that this situation created a number of serious security concerns that had to be very carefully addressed. I would avoid this configuration if you have the choice, based purely on the advice I received. Actually you have that the wrong way around. If php is running as www or nobody then any files or directories that a php script creates will be done as the web server user. That means (potentially) that if domain 'a' creates a file, domain 'b' can read and write to that file and even delete it. If php is running as you instead, you can control this with appropriate chmod commands (at least removing the risk of deleting of files / updating of files). A shared user (like www or nobody) is a *much* bigger risk than separate users. Unless those separate users have a little more access than just SSH and FTP access to the machine... I guess that if anyone with special rights carelessly activates suPHP and leaves the PHP files owned by him, you'd have PHP scripts capable of reading out special log files and whatnot. To my experience, apache (with PHP running as www-data or nobody or whatever) will not be able to create files or folders without user intervention (chmod, chown), thus no updating and removing is possible either by default. Using suPHP, it is. You can argue that it can only do this to the PHP files owned by the same user, and therefor probably limiting the damage to one specific website, however we're still having a security problem. Both situations seem dangerous to me, both in different ways. Wouldn't you say that the user must know what the hell he's doing in both situations? Ivo -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: array_walk, or array_map, or foreach?
On Fri, 20 Oct 2006 16:04:27 +0900, Dave M G wrote:
PHP List,
I took a snippet of code right off the php.net site to use trim on all
the elements of an array.
Theoretically, it should test if the element in an array is in turn
another array, and break it down to the next level until it gets to a
string it can use trim on.
This is the code:
public static function trimArray($array)
{
if (is_array($array))
{
array_walk($array, trimArray);
}
else
{
$array = trim($array);
}
return $array;
}
The function exists inside a static class called Utility where I keep
all basic utility functions.
I don't know if it's the fact that it's in a static class that makes a
difference, but I've tried the following variations on the line with
array_walk() in it:
array_walk($array, Utlity::trimArray)
array_map(Utility::trimArray, $array)
array_map(trimArray, $array)
I've even tried accomplishing it with a foreach(), but no matter what I
do, it doesn't work.
As it walks through the array, it seems to trim a copy of the element in
the array, trim that, but leave the original array untouched.
What am I missing here?
'pass-by-reference', as mentioned on the array_walk() doc page. Functions
have their own variable scope. If those words mean nothing to you:
http://www.php.net/manual/en/language.variables.scope.php
http://www.php.net/manual/en/language.references.pass.php
Bottom line: the values get changed within the function, but when the
function ends, the value changes are 'lost'.
Ivo
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Ensuring all links go to index.php
PHP List, This problem is a little hard to describe. Please forgive me in advance if it's not clear. I have set up my .htaccess file to work with my PHP script to create friendly URLs. For example, the URL mysite.com/user/login will take the user to a page where a user logs in. It does this by stripping everything out except user and login. It takes user and creates a user object, and then passes a login method to that class to take the user to the login page. Somehow, in this process, the local URL is becoming mysite/user, even though I'm just using that user designation to drive the creation of objects from classes. So, for example, I have a link to logout which is simply href=user/logout. But when I mouse over it, and look at the status bar at the bottom of my FireFox browser window, it says that the link points to: mysite.com/user/user/logout That URL, obviously, doesn't work for my system. It tries to make a User object and call a user method which doesn't exist. So... my question is, why is the /user portion of my URL being retained as a directory? I thought it had something to do with setting headers. I want everything to operate through the index.php file in my root directory, so I thought I could do that by putting this at the top of the index.php page: header(Location: /); Or: header(/local/server/www/directory/); Bottom line is, how do I ensure that all links and user requests through the URL end up going to the index.php in my web site's root directory? I hope this question is clear enough, and thank you for any and all advice. -- Dave M G Ubuntu 6.06 LTS Kernel 2.6.17.7 Pentium D Dual Core Processor PHP 5, MySQL 5, Apache 2 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Problems with open_basedir
Chris skrev: Patrik Jansson wrote: Hello, I'm having some difficulties with open_basedir. If I include the prefix /home/web25637/ in open_basedir shouldn't it include every directory within this? We're getting this error: Warning: file_exists() [function.file-exists]: open_basedir restriction in effect. File(/home/web25637/domains/abc.ssf.scout.se/public_html//components/com_sef/sef.php) The // might cause a problem, if you fix that does it work? The // does not cause the problem. This was a bad example, it has appeared several times without the //. Like Colin said, this might have to do with the symlink, the files lies within /usr/home but the open_basedir uses /home which is a symbolic link for /usr/home. I will try it out today. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Telemarketing Script/Tracking Application
Is anyone aware of a PHP/MySQL app that would be used by telemarketing staff to track calls, do follow-ups, allow scripting, etc.? We could write something in house but we are pressed for time. I have been poking around the web this morning, but have not found much. TVMIA! SugarCRM? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
FW: [PHP] Ensuring all links go to index.php
PHP List, This problem is a little hard to describe. Please forgive me in advance if it's not clear. I have set up my .htaccess file to work with my PHP script to create friendly URLs. For example, the URL mysite.com/user/login will take the user to a page where a user logs in. It does this by stripping everything out except user and login. It takes user and creates a user object, and then passes a login method to that class to take the user to the login page. Somehow, in this process, the local URL is becoming mysite/user, even though I'm just using that user designation to drive the creation of objects from classes. So, for example, I have a link to logout which is simply href=user/logout. But when I mouse over it, and look at the status bar at the bottom of my FireFox browser window, it says that the link points to: mysite.com/user/user/logout That URL, obviously, doesn't work for my system. It tries to make a User object and call a user method which doesn't exist. So... my question is, why is the /user portion of my URL being retained as a directory? If the URL is as you describe, this should be href=/user/logout. Without the preceeding slash, this will only work from pages with a URL in the root of your site. I thought it had something to do with setting headers. I want everything to operate through the index.php file in my root directory, so I thought I could do that by putting this at the top of the index.php page: header(Location: /); Or: header(/local/server/www/directory/); Bottom line is, how do I ensure that all links and user requests through the URL end up going to the index.php in my web site's root directory? If your using headers to set the location, you need to provide a full URL, inc. protocol and domain. i.e. http://www.example.com/page.php Edward -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Problems with open_basedir
Colin Guthrie wrote: Patrik Jansson wrote: I ran into problems with openbase_dir when using symlinks... They only really reared their ugly head when I upgraded to 5.1.6 before that they were OK (tho' if memory serves I had to add both the symlink location and the directory it pointed to. Anyway, are symlinks to blame here? I've added the real path into open_basedir, I also removed the // error but still I get the restriction message: *Warning*: file_exists() [function.file-exists]: open_basedir restriction in effect. File(/home/web25637/domains/abc.ssf.scout.se/public_html/components/com_sef/sef.php) is not within the allowed path(s): (/home/web25637/:/usr/home/web25637/:/tmp/:/var/www/:/usr/local/lib/php/:/etc/virtual/:/var/uploads/:/var/squirrelmail) in */usr/home/web25637/domains/abc.ssf.scout.se/public_html/index.php* on line *46 * So then I changed the absolute path in Joomla from /home/... to /usr/home/... and now I don't get the error anymore so it seems like it has something to do with the symbolic link after all. Is this considered a bug? We're running PHP 5.1.6. If it could work using the symbolic link /home too I would really appreciate. -Patrik -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Check HTML style sheet?
Is it possible to use php to check that the .css file in the html of a web page is the correct one e.g. check if the file included in the html is new.css. I think I will have to write a regex but if anyone has any ideas (or already has a regex to do this), it would be much appreciated. Thanks, Marc -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Recieve information on a html site using php?
Is it possible to receive information on a html site, such as the language, date modified? If so how would I go about doing this? Thanks, Marc -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Setting try and catch to use my own error handler
# [EMAIL PROTECTED] / 2006-10-20 15:50:32 +0900:
set_error_handler(ErrorHandler::handleError());
Inside my ErrorHandler, I have this:
public static function handleError($errno, $errstr, $errfile, $errline)
{
echo Hey dude! Error! . $errno . $errstr . $errfile . $errline ;
}
However, I get errors saying that the arguments for handleError don't exist.
You are calling the method without any arguments:
set_error_handler(ErrorHandler::handleError());
http://www.php.net/manual/en/language.pseudo-types.php
http://www.php.net/set_error_handler
--
How many Vietnam vets does it take to screw in a light bulb?
You don't know, man. You don't KNOW.
Cause you weren't THERE. http://bash.org/?255991
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Recieve information on a html site using php?
# [EMAIL PROTECTED] / 2006-10-18 17:23:53 +0200: Is it possible to receive information on a html site, such as the language, date modified? If so how would I go about doing this? Your question is very vague, so I'm taking the liberty of interpretation. - ftp://ftp.rfc-editor.org/in-notes/rfc2616.txt - http://www.php.net/http (haven't used pecl_http myself, you might have to resort to http://www.php.net/sockets) -- How many Vietnam vets does it take to screw in a light bulb? You don't know, man. You don't KNOW. Cause you weren't THERE. http://bash.org/?255991 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Ensuring all links go to index.php
# [EMAIL PROTECTED] / 2006-10-20 17:00:05 +0900: header(Location: /); header(/local/server/www/directory/); Do you know that both headers are invalid? -- How many Vietnam vets does it take to screw in a light bulb? You don't know, man. You don't KNOW. Cause you weren't THERE. http://bash.org/?255991 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: IMAP extension causing delays
Edward Kay wrote: Thanks for your suggestions John. At the moment, I do need to run it as a CGI as I need different php.ini files for each virtual host. For what it's worth, when you use PHP as a module, you can change almost all settings in php ini on a per-virtual host basis using the Apache directives php_value and php_flag (you can use php_admin_value and php_admin_flag too to ensure these are not overridable in e.g. .htaccess) Col -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: Problems with open_basedir
Patrik Jansson wrote: Anyway, are symlinks to blame here? I've added the real path into open_basedir, I also removed the // error but still I get the restriction message: So then I changed the absolute path in Joomla from /home/... to /usr/home/... and now I don't get the error anymore so it seems like it has something to do with the symbolic link after all. Is this considered a bug? We're running PHP 5.1.6. If it could work using the symbolic link /home too I would really appreciate. Well, I was never sure that it was a bug or not. I wasn't sure if it was my distro's packaging and any custom patches it applies and also where it was some x86_64 wierdness. Recently (last week) it was confirmed to me that it was not x86_64 at fault, but it was still my distro. It now looks like you're snarled by the same bug. Assuming you're not using Mandriva 2007, then I think this should be classified as a bug or regression. It could be that a security bug relating to symlinks was fixed (symlink attacks are a common vector for security issues to present themselves), and this had the inadvertant effect of causing this problem. I remeber some time ago that I looked for other people with the same issue on google etc. but came up blank. It's probably worth submitting a bug to PHP now so that the devs can comment on it. For me it's not too important as my setup was just local development on my machine (and I used symlinks to make it look like the production filesystem layout). I was albe to easly adapt my local system to work without symlinks. However, I also use a complex symlink setup on our production servers for a number of Joomla installs. (I use symlinks such that I only have one copy of the joomla source to make updating it much easier :)). We have not yet deployed PHP 5.1.6 there and I suspect I'll get bitten again by this problem. If you have the time to post a bug I'd appreciate it, if not please let me know and I'll do it. All the best. Col. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Problems with open_basedir
Colin Guthrie wrote: Well, I was never sure that it was a bug or not. I wasn't sure if it was my distro's packaging and any custom patches it applies and also where it was some x86_64 wierdness. Recently (last week) it was confirmed to me that it was not x86_64 at fault, but it was still my distro. It now looks like you're snarled by the same bug. Assuming you're not using Mandriva 2007, then I think this should be classified as a bug or regression. It could be that a security bug relating to symlinks was fixed (symlink attacks are a common vector for security issues to present themselves), and this had the inadvertant effect of causing this problem. I remeber some time ago that I looked for other people with the same issue on google etc. but came up blank. It's probably worth submitting a bug to PHP now so that the devs can comment on it. For me it's not too important as my setup was just local development on my machine (and I used symlinks to make it look like the production filesystem layout). I was albe to easly adapt my local system to work without symlinks. However, I also use a complex symlink setup on our production servers for a number of Joomla installs. (I use symlinks such that I only have one copy of the joomla source to make updating it much easier :)). We have not yet deployed PHP 5.1.6 there and I suspect I'll get bitten again by this problem. If you have the time to post a bug I'd appreciate it, if not please let me know and I'll do it. All the best. Col. Thanks a lot for your answer. I've seen this issue on a few machines that we run and all of them are different versions of FreeBSD. This particular problem occured on a FreeBSD 5.4 machine. I'm quite eager to get this to work, our machines are all production boxes with a least couple of hundred users on machines where this issue occurs. I will try to post the bug and see what happends. Thanks again, -Patrik -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] session - cookie issues
Hi all, I am having issues with users not being able to post their details
to my site. The system uses sessions, so when they hit the index page a test
cookie is set thus:
setcookie('djst', 'test');
and then I test whether that cookie is set on the next page. If not, I
direct the users to an informational page. This works my end in FF and IE6
(sec settings tested at low, medium and medium high) but appox 1 in 20 users
cannot get past the cookie warning, even if they set their security settings
to low in IE.
I am also setting PHPSESSID to something of my own, as I hear that IE does
not like PHPSESSID (correct?).
Any ideas?
--
http://www.web-buddha.co.uk
Re: [PHP] session - cookie issues
The way you're setting cookies (without a time parameter), it's set to
expire at the end of the current session. Though it should work
regardless, try setting an expire time:
setcookie('djst', 'test', time()+3600); // expire in an hour
On 10/20/06, Dave Goodchild [EMAIL PROTECTED] wrote:
Hi all, I am having issues with users not being able to post their details
to my site. The system uses sessions, so when they hit the index page a test
cookie is set thus:
setcookie('djst', 'test');
and then I test whether that cookie is set on the next page. If not, I
direct the users to an informational page. This works my end in FF and IE6
(sec settings tested at low, medium and medium high) but appox 1 in 20 users
cannot get past the cookie warning, even if they set their security settings
to low in IE.
I am also setting PHPSESSID to something of my own, as I hear that IE does
not like PHPSESSID (correct?).
Any ideas?
--
http://www.web-buddha.co.uk
--
Mukul Sabharwal
http://mjsabby.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Problems with open_basedir
I noticed that this bug is already to be found in the bug database. This is exactly how I'm experiencing it: http://bugs.php.net/bug.php?id=37556 In that report they link the reader to http://bugs.php.net/bug.php?id=30188 which is also applicable. Although I can't understand the last answer: Obviously PHP cannot resolve /home/wejn/x/docs1/html/y as it even doesn't exist, so it compares non-existing /home/wejn/x/docs1/html/y to /home/wejn/x/docs/html/ and reports that they aren't the same. This would mean that every file that doesn't exist does not lie within any open_basedir at all? How can file_exists() be useful if that's the case? And why is it only the case if the symbolic link is used? They claim this isn't a bug but it still doesn't work as I would expect it to do. -Patrik -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Recieve information on a html site using php?
Thanks for the response,
I think I have solved the problem using the code in the attached text
document.
Thanks for the help,
Marc
Roman Neuhauser wrote:
# [EMAIL PROTECTED] / 2006-10-18 17:23:53 +0200:
Is it possible to receive information on a html site, such as the
language, date modified?
If so how would I go about doing this?
Your question is very vague, so I'm taking the liberty of
interpretation.
- ftp://ftp.rfc-editor.org/in-notes/rfc2616.txt
- http://www.php.net/http
(haven't used pecl_http myself, you might have to resort to
http://www.php.net/sockets)
function get_raw_header($host,$doc)
{
$httpheader = '';
$fp = fsockopen ($host, 80, $errno, $errstr, 30);
if (!$fp)
{
echo $errstr.' ('.$errno.')';
}else{
fputs($fp, 'GET '.$doc.' HTTP/1.0'.\r\n.'Host:
'.$host.\r\n\r\n);
while(!feof($fp))
{
$httpresult = fgets ($fp,1024);
$httpheader = $httpheader.$httpresult;
if (ereg(^\r\n,$httpresult))
break;
}
fclose ($fp);
}
return $httpheader;
}
function get_header_array($Url)
{
$Url = ereg_replace('http://','',$Url);
$endHostPos = strpos($Url,'/');
if(!$endHostPos) $endHostPos = strlen($Url);
$host = substr($Url,0,$endHostPos);
$doc = substr($Url,$endHostPos,strlen($Url)-$endHostPos);
if($doc == '') $doc = '/';
$raw = get_raw_header($host,$doc);
$tmpArray = explode(\n,$raw);
for ($i=0;$isizeof($tmpArray); $i++)
{
@list($Name, $value) = explode(':', $tmpArray[$i], 2);
$array[trim($Name)]=trim($value);
}
return $array;
}
$remote_file = 'http://www.whatever.com/';//states which url to read
the modified date from
$array = get_header_array($remote_file);//gets the data on the page
$remote_file
$deUpdate = date('Ymj',strtotime($array['Last-modified']));
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] User question for PHP
On 10/20/06, Ivo F.A.C. Fokkema [EMAIL PROTECTED] wrote:
On Fri, 20 Oct 2006 15:49:14 +1000, Chris wrote:
Andy Hultgren wrote:
To whoever was asking this (sorry didn't see the original email):
Is it possible to have a PHP script execute as the user of the domain
instead of the webserver? So when I upload files through a PHP script
they are owned by me and not wwwrun or nobody?
I was recently exchanging on this list about that very topic. It's in the
archives for this list. Go to www.php.net and set the dropdown menu in the
upper right corner of the page to general mailing list, then type File
Upload Security and chmod into the search field and hit enter. The
conversation is within the first few hits on this search.
The server hosting my site runs with php executing as me (the owner of
the
domain), and we covered some of the potential security pitfalls of such a
situation (mainly centered on the fact that this makes any php script far
too powerful). In my situation I couldn't change how the server was set
up;
however, the general consensus was that this situation created a number of
serious security concerns that had to be very carefully addressed. I would
avoid this configuration if you have the choice, based purely on the advice
I received.
Actually you have that the wrong way around.
If php is running as www or nobody then any files or directories
that a php script creates will be done as the web server user.
That means (potentially) that if domain 'a' creates a file, domain 'b'
can read and write to that file and even delete it.
If php is running as you instead, you can control this with appropriate
chmod commands (at least removing the risk of deleting of files /
updating of files).
A shared user (like www or nobody) is a *much* bigger risk than
separate users.
Unless those separate users have a little more access than just SSH
and FTP access to the machine... I guess that if anyone with special
rights carelessly activates suPHP and leaves the PHP files owned by him,
you'd have PHP scripts capable of reading out special log files and
whatnot.
To my experience, apache (with PHP running as www-data or nobody or
whatever) will not be able to create files or folders without user
intervention (chmod, chown), thus no updating and removing is possible
either by default.
php running through apache:
?php
mkdir('/path/to/dir');
?
Making that in a shared location will allow *any* domain to write to
it, read from it or delete it (forget about possible open_basedir
restrictions).
Running as cgi you don't get that problem.
I could be completely misunderstanding what suPHP does.
--
Postgresql php tutorials
http://www.designmagick.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Fwd: Parsing and using URL variables
-- Forwarded message -- From: andrew newman [EMAIL PROTECTED] Date: Oct 20, 2006 2:30 PM Subject: Parsing and using URL variables To: php-general-digest@lists.php.net Hello I am very new to PHP and I am trying to parse the values of variables from a URL into a web page. to build a very simple CMS! For example if the url is www.mywebsite.com?ph=My Websitept=Welcome Pagecf=home.htm I then have a php file that is something like this: html head title ?php $val = $_GET['ph']; echo $val;? /title /head body b?php $val = $_GET['pt']; echo $val;?/b p/ ?php $val = $_GET['cf']; Include '$val'; ? /body /html Any advice would be most welcome! Thanks Andrew -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Ensuring all links go to index.php
On Oct 20, 2006, at 4:00 AM, Dave M G wrote: PHP List, This problem is a little hard to describe. Please forgive me in advance if it's not clear. I have set up my .htaccess file to work with my PHP script to create friendly URLs. [snip] I thought it had something to do with setting headers. I want everything to operate through the index.php file in my root directory, so I thought I could do that by putting this at the top of the index.php page: header(Location: /); Or: header(/local/server/www/directory/); Bottom line is, how do I ensure that all links and user requests through the URL end up going to the index.php in my web site's root directory? If you want all requests to go through index.php, then the .htaccess file would be something like: RewriteEngine On RewriteRule ^whatever/.*$ - [L] RewriteRule !\.(gif|jpg|png|css|pdf)$ /server_path/index.php The second line exempts the directory whatever and the third line starts by exempting direct requests for files ending with gif, jpg, etc. Then, index.php would examine $_SERVER[REQUEST_URI] to map the friendly URL to content by including files or redirecting with header(). Is that what you mean? -- Lowell Allen -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Encode text
Hi everyone I have a variable with UTF-8 text inside it and I want to convert this text to windows encode, is it possible in very easy way ? Thanks --- Ahmad http://www.v-tadawul.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Fwd: Parsing and using URL variables
looks like your having fun ... but before you go building using something that is going to cause you major security headaches go to this site and read, read, read: http://phpsec.org/ and remember NEVER TRUST USER INPUT (or data from *any* outside source); currently your example will probably allow me to read your passwd file (I doubt that that was your intention) ... www.mywebsite.com?ph=U%20HAVE%20BEEN%20OWNEDpt=scriptsomemeallyourcookies();/scriptcf=/etc/passwd andrew newman wrote: -- Forwarded message -- From: andrew newman [EMAIL PROTECTED] Date: Oct 20, 2006 2:30 PM Subject: Parsing and using URL variables To: php-general-digest@lists.php.net Hello I am very new to PHP and I am trying to parse the values of variables from a URL into a web page. to build a very simple CMS! For example if the url is www.mywebsite.com?ph=My Websitept=Welcome Pagecf=home.htm I then have a php file that is something like this: html head title ?php $val = $_GET['ph']; echo $val;? /title /head body b?php $val = $_GET['pt']; echo $val;?/b p/ ?php $val = $_GET['cf']; Include '$val'; ? /body /html Any advice would be most welcome! Thanks Andrew -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] handling multipart form-data
DOCUMENTATION php://input is not available with enctype=multipart/form-data. What I should do if I really need to get multipart data? I want to implement my own form-data parser with PHP5. Can I at least turn off the PHP's one to be able to use php://input with multipart? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] User question for PHP
On Fri, 20 Oct 2006 23:24:14 +1000, chris smith wrote:
On 10/20/06, Ivo F.A.C. Fokkema [EMAIL PROTECTED] wrote:
On Fri, 20 Oct 2006 15:49:14 +1000, Chris wrote:
Andy Hultgren wrote:
To whoever was asking this (sorry didn't see the original email):
Is it possible to have a PHP script execute as the user of the domain
instead of the webserver? So when I upload files through a PHP script
they are owned by me and not wwwrun or nobody?
I was recently exchanging on this list about that very topic. It's in the
archives for this list. Go to www.php.net and set the dropdown menu in
the
upper right corner of the page to general mailing list, then type File
Upload Security and chmod into the search field and hit enter. The
conversation is within the first few hits on this search.
The server hosting my site runs with php executing as me (the owner of
the
domain), and we covered some of the potential security pitfalls of such a
situation (mainly centered on the fact that this makes any php script far
too powerful). In my situation I couldn't change how the server was set
up;
however, the general consensus was that this situation created a number of
serious security concerns that had to be very carefully addressed. I
would
avoid this configuration if you have the choice, based purely on the
advice
I received.
Actually you have that the wrong way around.
If php is running as www or nobody then any files or directories
that a php script creates will be done as the web server user.
That means (potentially) that if domain 'a' creates a file, domain 'b'
can read and write to that file and even delete it.
If php is running as you instead, you can control this with appropriate
chmod commands (at least removing the risk of deleting of files /
updating of files).
A shared user (like www or nobody) is a *much* bigger risk than
separate users.
Unless those separate users have a little more access than just SSH
and FTP access to the machine... I guess that if anyone with special
rights carelessly activates suPHP and leaves the PHP files owned by him,
you'd have PHP scripts capable of reading out special log files and
whatnot.
To my experience, apache (with PHP running as www-data or nobody or
whatever) will not be able to create files or folders without user
intervention (chmod, chown), thus no updating and removing is possible
either by default.
php running through apache:
?php
mkdir('/path/to/dir');
?
Making that in a shared location will allow *any* domain to write to
it, read from it or delete it (forget about possible open_basedir
restrictions).
I see your point and I agree this is an issue, but given the
relatively small incidence of such a situation, I personally would not say
this is a much bigger problem than a PHP file being able to remove all
other files owned by the same owner (i.e. usually the whole site at least)...
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Paginating searchs = performance problem
I have PHP/PostgreSQL application were i got a search page with some items to search, am building the search query on server side. I need to display a paginated search and for this i need to get the total count of lines matching the search before OFFSET/LIMITing my page, am i obliged to repeat the query twice ??? first to get the total count, second to get my page. it's very heavy Any one's suggesting better doing ?
[PHP] Re: Encode text
On Fri, 20 Oct 2006 16:57:16 +0300, Ahmad Al-Twaijiry wrote: Hi everyone I have a variable with UTF-8 text inside it and I want to convert this text to windows encode, is it possible in very easy way ? Thanks --- Ahmad Hi Ahmad, utf8_decode() will decode your string to ISO-8859-1. Ivo -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: Paginating searchs = performance problem
On Fri, 20 Oct 2006 17:04:35 +0200, Fourat Zouari wrote: I have PHP/PostgreSQL application were i got a search page with some items to search, am building the search query on server side. I need to display a paginated search and for this i need to get the total count of lines matching the search before OFFSET/LIMITing my page, am i obliged to repeat the query twice ??? first to get the total count, second to get my page. it's very heavy Any one's suggesting better doing ? As far as I know, this is the only way. The first query, you don't need to sort your data though, and you might be able to drop a join, depending on whether or not you use the joined table in your WHERE clause. But I think due to caching the database will not take a long time for the second query, since it just recently had (almost) the same query - YMMV. Ivo -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Encode text
# [EMAIL PROTECTED] / 2006-10-20 16:57:16 +0300: I have a variable with UTF-8 text inside it and I want to convert this text to windows encode, is it possible in very easy way ? http://php.net/iconv -- How many Vietnam vets does it take to screw in a light bulb? You don't know, man. You don't KNOW. Cause you weren't THERE. http://bash.org/?255991 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Ensuring all links go to index.php
On 20 Oct 2006, at 02:00 , Dave M G wrote: So... my question is, why is the /user portion of my URL being retained as a directory? You need RewriteEngine On and RewriteBase and RewriteCond and RewriteRule, it sounds like. Not really a php issue per se. -- I wrote this song two hours before we met. I didn't know your name, or what you looked like yet -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Paginating searchs = performance problem
On Fri, 2006-10-20 at 17:22 +0200, Ivo F.A.C. Fokkema wrote: On Fri, 20 Oct 2006 17:04:35 +0200, Fourat Zouari wrote: I have PHP/PostgreSQL application were i got a search page with some items to search, am building the search query on server side. I need to display a paginated search and for this i need to get the total count of lines matching the search before OFFSET/LIMITing my page, am i obliged to repeat the query twice ??? first to get the total count, second to get my page. it's very heavy Any one's suggesting better doing ? As far as I know, this is the only way. The first query, you don't need to sort your data though, and you might be able to drop a join, depending on whether or not you use the joined table in your WHERE clause. But I think due to caching the database will not take a long time for the second query, since it just recently had (almost) the same query - YMMV. Hell no, don't use the same query twice. Use a count in the first query that only returns 1 row... the count. The second query can return the records (which may be less than the count returns since you're paging). Cheers, Rob. -- .. | InterJinn Application Framework - http://www.interjinn.com | :: | An application and templating framework for PHP. Boasting | | a powerful, scalable system for accessing system services | | such as forms, properties, sessions, and caches. InterJinn | | also provides an extremely flexible architecture for | | creating re-usable components quickly and easily. | `' -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Creating Tree Structure from associative array
Robert Cummings wrote:
On Thu, 2006-10-19 at 23:58 -0500, Larry Garfield wrote:
That depends on what your data structure is, exactly, and what sort of
tree
structure you want on the other side. Please be more specific.
On Thursday 19 October 2006 09:08, Angelo Zanetti wrote:
Hi all,
I have an associative array, which contains parent and child
relationships. I've searched the web for creating a tree structure from
this and found a few good sites but doesnt help 100% perhaps someone
can
point me in the correct direction? I've started to code it got to a
point where I cant go any further, the code is pseudo code and dont
want
to reinvent the wheel.
any suggestions would be really appreciated.
It's kinda simple...
?php
//
//6 5
// / \ / \
// 2 7 9 3
// / | \
// 1 4 8
//
$list = array
(
array
(
'id'= '1',
'pid' = '2',
'value' = 'Value Foo 1',
),
array
(
'id'= '2',
'pid' = '6',
'value' = 'Value Foo 2',
),
array
(
'id'= '3',
'pid' = '5',
'value' = 'Value Foo 3',
),
array
(
'id'= '4',
'pid' = '2',
'value' = 'Value Foo 4',
),
array
(
'id'= '5',
'pid' = '0',
'value' = 'Value Foo 5',
),
array
(
'id'= '6',
'pid' = '0',
'value' = 'Value Foo 6',
),
array
(
'id'= '7',
'pid' = '6',
'value' = 'Value Foo 7',
),
array
(
'id'= '8',
'pid' = '2',
'value' = 'Value Foo 8',
),
array
(
'id'= '9',
'pid' = '5',
'value' = 'Value Foo 9',
),
);
//
// Set up indexing of the above list (in case it wasn't indexed).
//
$lookup = array();
foreach( $list as $item )
{
$item['children'] = array();
$lookup[$item['id']] = $item;
}
//
// Now build tree.
//
$tree = array();
foreach( $lookup as $id = $foo )
{
$item = $lookup[$id];
if( $item['pid'] == 0 )
{
$tree[$id] = $item;
}
else
if( isset( $lookup[$item['pid']] ) )
{
$lookup[$item['pid']]['children'][$id] = $item;
}
else
{
$tree['_orphans_'][$id] = $item;
}
}
//
// WooohoOO!
//
print_r( $tree );
?
Cheers,
Rob.
--
..
| InterJinn Application Framework - http://www.interjinn.com |
::
| An application and templating framework for PHP. Boasting |
| a powerful, scalable system for accessing system services |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for |
| creating re-usable components quickly and easily. |
`'
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
for web browser:
// WooohoOO!
//
echo 'pre';
print_r( $tree );
--
View this message in context:
http://www.nabble.com/Creating-Tree-Structure-from-associative-array-tf2473585.html#a6920126
Sent from the PHP - General mailing list archive at Nabble.com.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Creating Tree Structure from associative array
On Fri, 2006-10-20 at 09:20 -0700, Jürgen Wind wrote: for web browser: // WooohoOO! // echo 'pre'; print_r( $tree ); True, but I do quick sample scripts from the command-line :D Cheers, Rob. -- .. | InterJinn Application Framework - http://www.interjinn.com | :: | An application and templating framework for PHP. Boasting | | a powerful, scalable system for accessing system services | | such as forms, properties, sessions, and caches. InterJinn | | also provides an extremely flexible architecture for | | creating re-usable components quickly and easily. | `' -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] connectivity weirdness
The canonical PHP example of web-scraping:
?php echo file_get_contents('http://php.net/');?
fails on a machine I'm using.
I'm laying out here all the things I've done and eliminated, and it
got awfully long...
Short Version:
FC4 + LAMPP on 2 different private IP boxes at day job
file_get_contents('http://php.net') hangs and times out after 2 minutes.
telnet php.net 80 | GET / HTTP/1.0 hangs and times out after 2 minutes.
wget php.net WORKS
links php.net WORKS
My windows/cygwin desktop on the same subnet WORKS
[Well, windows is broken, of course, but that's not relevant here :-)]
ping and traceroute both work fine everywhere
What configuration boo-boo from a stock FC 4 + LAMPP install could
manage to break file_get_contents and telent, but wget and links
work?!
Long Version:
I've checked allow_url_fopen with phpinfo() and php -i
allow_url_fopen = On = On
Further analysys reveals some odd info:
telnet php.net 80
GET / HTTP/1.0
Host: php.net
[yes, I hit enter here]
just sort of hangs until it times out in TWO MINUTES
So you'd think that it's obviously the DNS records screwed up somehow,
with an extra-long 2-minute timeout instead of the usual 30 seconds.
Buuut:
wget http://php.net
works flawlessly
links http://php.net
works flawlessly
I can ping php.net just fine -- which is maybe a no-brainer with wget
and links working, but I like to check.
traceroute also looks normal to me, though I'm no expert
[aside: How come guys set things up so complex they gotta bounce my
routing between four of their own machines in the same data center?
What's up with that? (shrug)]
So, apparently, wget and links are doing something extra that breaks
through whatever this roadblock is for file_get_contents and telnet
80.
I thought it might maybe be some kind of header redirect support that
is lacking, but then telnet 80 would behave differently, and
file_get_contents should work for that. Plus I tried it on my own
site that does not have any kind of redirect headers going out, and
got the same results. file_get_contents/telnet fail. wget/links
works.
Now I realize that wget and links are vastly superior weapons and send
all kinds of extra headers.
But I can do the above script on other boxes, and it works fine, so
it's probably not the web-servers denying access on the basis of
sparse headers.
Now this could be a TWO MINUTE warning since the Bears are 5-0 or
whatever, but I think I'll ignore that possiblity for now.
I'm also fairly sure it's not even a PHP problem, but don't know where
to turn, so I'm posting here in time-honored fashion :-)
If it was consistently failing no matter the software used to scrape
(php, wget, links) I'd know it was DNS or the network card or
whatever.
But what would make telnet and file_get_contents fail and timeout
after 2 minutes, while wget and links work flawlessly?
Where would I even start? I'm checking in-house with our IT guys, but
they're mostly Windows guys, so if this is something specific to LAMP,
I'm down the tubes there.
The box is a duplicate of another box, and I installed everything
rather quickly to make them both match as far as I could tell.
Fedore Core 4
LAMPP
I don't know much about LAMPP, except they put everything in /opt
which was annoying, but it all works, so I just left it alone.
The RELEASE_NOTES document it as:
[2006-01-08] XAMPP for Linux 1.5.1
Since telnet is not acting right, I doubt that LAMPP is the culprit...
Oh, and of course I checked the other box, of which this is a
duplicate, and it behaves the same way.
The only thing I can tell you about our network topology is:
Box #1: 192.168.4.5 (the bulk of the email is about)
Box #2: 192.168.5.123 (the original just referenced)
Desktop: 192.168.4.13 (Windows box, with Cygwin, works fine)
All other Internet things I've done from my desktop work just fine --
Including the file_get_contents() referenced above. So now I've
narrowed it down to FC4 and/or LAMPP configuration, but have no idea
what to do next.
I'm definitely not a hardware guy, and not a network admin guy either,
so hopefully all this has made the answer painfully obvious to
somebody who is and they can help this poor befuddled application
developer out. :-)
Apologies for this NNOT post, but even a pointer of where to start
would be good. I suppose LAMPP would be my next guess, since it's
inconceivable that FC4 would be this borked without a zillion alarms
going off, but how could LAMPP manage to break this?
--
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] connectivity weirdness
?php echo file_get_contents('http://php.net/');?
takes only 2 seconds here.
w2k php5.14 FF1.5.0.7
--
View this message in context:
http://www.nabble.com/connectivity-weirdness-tf2481786.html#a6920671
Sent from the PHP - General mailing list archive at Nabble.com.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] connectivity weirdness
For what it's worth, for me telnet php.net 80 (then GET ...) takes ~25
seconds, most of which seems to be the reverse lookup. If I just telnet
directly to php.net's IP directly and do the same, it's instant. Doing
file_get_contents takes less than 1s numerically or not.
jon
(Replied directly to the list, 'cause I know you're on it, and I don't
see the need for you to get two copies of the same thing. :-)
Richard Lynch wrote:
The canonical PHP example of web-scraping:
?php echo file_get_contents('http://php.net/');?
fails on a machine I'm using.
I'm laying out here all the things I've done and eliminated, and it
got awfully long...
Short Version:
FC4 + LAMPP on 2 different private IP boxes at day job
file_get_contents('http://php.net') hangs and times out after 2 minutes.
telnet php.net 80 | GET / HTTP/1.0 hangs and times out after 2 minutes.
wget php.net WORKS
links php.net WORKS
My windows/cygwin desktop on the same subnet WORKS
[Well, windows is broken, of course, but that's not relevant here :-)]
ping and traceroute both work fine everywhere
What configuration boo-boo from a stock FC 4 + LAMPP install could
manage to break file_get_contents and telent, but wget and links
work?!
Long Version:
I've checked allow_url_fopen with phpinfo() and php -i
allow_url_fopen = On = On
Further analysys reveals some odd info:
telnet php.net 80
GET / HTTP/1.0
Host: php.net
[yes, I hit enter here]
just sort of hangs until it times out in TWO MINUTES
So you'd think that it's obviously the DNS records screwed up somehow,
with an extra-long 2-minute timeout instead of the usual 30 seconds.
Buuut:
wget http://php.net
works flawlessly
links http://php.net
works flawlessly
I can ping php.net just fine -- which is maybe a no-brainer with wget
and links working, but I like to check.
traceroute also looks normal to me, though I'm no expert
[aside: How come guys set things up so complex they gotta bounce my
routing between four of their own machines in the same data center?
What's up with that? (shrug)]
So, apparently, wget and links are doing something extra that breaks
through whatever this roadblock is for file_get_contents and telnet
80.
I thought it might maybe be some kind of header redirect support that
is lacking, but then telnet 80 would behave differently, and
file_get_contents should work for that. Plus I tried it on my own
site that does not have any kind of redirect headers going out, and
got the same results. file_get_contents/telnet fail. wget/links
works.
Now I realize that wget and links are vastly superior weapons and send
all kinds of extra headers.
But I can do the above script on other boxes, and it works fine, so
it's probably not the web-servers denying access on the basis of
sparse headers.
Now this could be a TWO MINUTE warning since the Bears are 5-0 or
whatever, but I think I'll ignore that possiblity for now.
I'm also fairly sure it's not even a PHP problem, but don't know where
to turn, so I'm posting here in time-honored fashion :-)
If it was consistently failing no matter the software used to scrape
(php, wget, links) I'd know it was DNS or the network card or
whatever.
But what would make telnet and file_get_contents fail and timeout
after 2 minutes, while wget and links work flawlessly?
Where would I even start? I'm checking in-house with our IT guys, but
they're mostly Windows guys, so if this is something specific to LAMP,
I'm down the tubes there.
The box is a duplicate of another box, and I installed everything
rather quickly to make them both match as far as I could tell.
Fedore Core 4
LAMPP
I don't know much about LAMPP, except they put everything in /opt
which was annoying, but it all works, so I just left it alone.
The RELEASE_NOTES document it as:
[2006-01-08] XAMPP for Linux 1.5.1
Since telnet is not acting right, I doubt that LAMPP is the culprit...
Oh, and of course I checked the other box, of which this is a
duplicate, and it behaves the same way.
The only thing I can tell you about our network topology is:
Box #1: 192.168.4.5 (the bulk of the email is about)
Box #2: 192.168.5.123 (the original just referenced)
Desktop: 192.168.4.13 (Windows box, with Cygwin, works fine)
All other Internet things I've done from my desktop work just fine --
Including the file_get_contents() referenced above. So now I've
narrowed it down to FC4 and/or LAMPP configuration, but have no idea
what to do next.
I'm definitely not a hardware guy, and not a network admin guy either,
so hopefully all this has made the answer painfully obvious to
somebody who is and they can help this poor befuddled application
developer out. :-)
Apologies for this NNOT post, but even a pointer of where to start
would be good. I suppose LAMPP would be my next guess, since it's
inconceivable that FC4 would be this borked without a zillion alarms
going off, but how could LAMPP manage to break this?
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit:
Re: [PHP] Recieve information on a html site using php?
Marc Roberts wrote:
Thanks for the response,
I think I have solved the problem using the code in the attached text
document.
Thanks for the help,
Marc
Roman Neuhauser wrote:
# [EMAIL PROTECTED] / 2006-10-18 17:23:53 +0200:
Is it possible to receive information on a html site, such as the
language, date modified?
If so how would I go about doing this?
Your question is very vague, so I'm taking the liberty of
interpretation.
- ftp://ftp.rfc-editor.org/in-notes/rfc2616.txt
- http://www.php.net/http
(haven't used pecl_http myself, you might have to resort to
http://www.php.net/sockets)
function get_raw_header($host,$doc)
{
$httpheader = '';
$fp = fsockopen ($host, 80, $errno, $errstr, 30);
if (!$fp)
{
echo $errstr.' ('.$errno.')';
}else{
fputs($fp, 'GET '.$doc.' HTTP/1.0'.\r\n.'Host:
'.$host.\r\n\r\n);
while(!feof($fp))
{
$httpresult = fgets ($fp,1024);
$httpheader = $httpheader.$httpresult;
if (ereg(^\r\n,$httpresult))
break;
}
fclose ($fp);
}
return $httpheader;
}
function get_header_array($Url)
{
$Url = ereg_replace('http://','',$Url);
$endHostPos = strpos($Url,'/');
if(!$endHostPos) $endHostPos = strlen($Url);
$host = substr($Url,0,$endHostPos);
$doc = substr($Url,$endHostPos,strlen($Url)-$endHostPos);
if($doc == '') $doc = '/';
$raw = get_raw_header($host,$doc);
$tmpArray = explode(\n,$raw);
for ($i=0;$isizeof($tmpArray); $i++)
{
@list($Name, $value) = explode(':', $tmpArray[$i], 2);
$array[trim($Name)]=trim($value);
}
return $array;
}
$remote_file = 'http://www.whatever.com/';//states which url to read the
modified date from
$array = get_header_array($remote_file);//gets the data on the page
$remote_file
$deUpdate = date('Ymj',strtotime($array['Last-modified']));
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
not every site sends 'Last-modified' , f.e. www.heise.de:
---
HTTP/1.1 200 OK
Date: Fri, 20 Oct 2006 18:27:03 GMT
Server: Apache/1.3.34
Expires: Fri, 20 Oct 2006 18:42:03 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
---
--
View this message in context:
http://www.nabble.com/Recieve-information-on-a-html-site-using-php--tf2478503.html#a6922634
Sent from the PHP - General mailing list archive at Nabble.com.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] A problem with dates
Hi all. I have an online events directory and am having some issues with date calculations. I have a table of dates (next year) and an events table - which have a many to many relationship and so use an intermediary mapping table called dates_events. All good - when the user enters a single, multi-day, daily or monthly event the event is entered into its table and some calculations done to enter values in the mapping table. When I perform a search all the events fall on their specified dates. Apart from weekly events that is. When a user enters a weekly event, the system looks at the start and end dates, finds out the ids of all the dates in the date table in increments of 7, and adds the mappings. When the weekly events are viewed, every 4 weeks they shift forward by one day over the week. There is some kind of ominous pattern here, but the maths is very simple (increment by 7) and so i thought I'd see if anyone can spot this right away before I dedicate my weekend to poring through PHP and mySQL date maths. Thanks in advance! -- http://www.web-buddha.co.uk
Re: [PHP] session - cookie issues
Dave Goodchild wrote:
Hi all, I am having issues with users not being able to post their details
to my site. The system uses sessions, so when they hit the index page a
test
cookie is set thus:
setcookie('djst', 'test');
and then I test whether that cookie is set on the next page. If not, I
direct the users to an informational page. This works my end in FF and IE6
(sec settings tested at low, medium and medium high) but appox 1 in 20
users
cannot get past the cookie warning, even if they set their security
settings
to low in IE.
I am also setting PHPSESSID to something of my own, as I hear that IE does
not like PHPSESSID (correct?).
Any ideas?
--
http://www.web-buddha.co.uk
maybe this is of interest:
http://www.salesforce.com/developer/tech-notes.jsp?tn=TN-18
- Creating Cookies with P3P
--
View this message in context:
http://www.nabble.com/session---cookie-issues-tf2478990.html#a6923903
Sent from the PHP - General mailing list archive at Nabble.com.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Daylight saving time
Hello, Regarding PHP5 bug #35296, http://bugs.php.net/bug.php?id=35296 I assume that it has been fixed in PHP5 for a while now (any version higher than PHP 5.0.5 ). Could someone tell me if PHP4 has been corrected as well ? in other word, what is the oldest version of PHP4 that contains the bug fix ? Thank you, -- Raphaël Chassé
Re: [PHP] User question for PHP
On 10/21/06, Ivo F.A.C. Fokkema [EMAIL PROTECTED] wrote:
On Fri, 20 Oct 2006 23:24:14 +1000, chris smith wrote:
On 10/20/06, Ivo F.A.C. Fokkema [EMAIL PROTECTED] wrote:
On Fri, 20 Oct 2006 15:49:14 +1000, Chris wrote:
Andy Hultgren wrote:
To whoever was asking this (sorry didn't see the original email):
Is it possible to have a PHP script execute as the user of the domain
instead of the webserver? So when I upload files through a PHP script
they are owned by me and not wwwrun or nobody?
I was recently exchanging on this list about that very topic. It's in the
archives for this list. Go to www.php.net and set the dropdown menu in
the
upper right corner of the page to general mailing list, then type File
Upload Security and chmod into the search field and hit enter. The
conversation is within the first few hits on this search.
The server hosting my site runs with php executing as me (the owner of
the
domain), and we covered some of the potential security pitfalls of such a
situation (mainly centered on the fact that this makes any php script far
too powerful). In my situation I couldn't change how the server was set
up;
however, the general consensus was that this situation created a number of
serious security concerns that had to be very carefully addressed. I
would
avoid this configuration if you have the choice, based purely on the
advice
I received.
Actually you have that the wrong way around.
If php is running as www or nobody then any files or directories
that a php script creates will be done as the web server user.
That means (potentially) that if domain 'a' creates a file, domain 'b'
can read and write to that file and even delete it.
If php is running as you instead, you can control this with appropriate
chmod commands (at least removing the risk of deleting of files /
updating of files).
A shared user (like www or nobody) is a *much* bigger risk than
separate users.
Unless those separate users have a little more access than just SSH
and FTP access to the machine... I guess that if anyone with special
rights carelessly activates suPHP and leaves the PHP files owned by him,
you'd have PHP scripts capable of reading out special log files and
whatnot.
To my experience, apache (with PHP running as www-data or nobody or
whatever) will not be able to create files or folders without user
intervention (chmod, chown), thus no updating and removing is possible
either by default.
php running through apache:
?php
mkdir('/path/to/dir');
?
Making that in a shared location will allow *any* domain to write to
it, read from it or delete it (forget about possible open_basedir
restrictions).
I see your point and I agree this is an issue, but given the
relatively small incidence of such a situation, I personally would not say
this is a much bigger problem than a PHP file being able to remove all
other files owned by the same owner (i.e. usually the whole site at least)...
Running it as separate users removes safe-mode problems (the file
uploaded will be as www or nobody, the script trying to access it
is user), stops you having to have '777' type permissions on temp
or data directories, user a can't do anything to user bs files
and so on. Plus if your domain gets hacked through php, they can
*only* do damage to your domain. They'd have to hack the other domains
on the server because they are owned by different users...
--
Postgresql php tutorials
http://www.designmagick.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Creating Tree Structure from associative array
Robert Cummings wrote: On Fri, 2006-10-20 at 09:20 -0700, Jürgen Wind wrote: for web browser: // WooohoOO! myself, I'm more partial to // YeeHaw! // echo 'pre'; print_r( $tree ); True, but I do quick sample scripts from the command-line :D Cheers, Rob. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] User question for PHP
chris smith wrote:
On 10/21/06, Ivo F.A.C. Fokkema [EMAIL PROTECTED] wrote:
On Fri, 20 Oct 2006 23:24:14 +1000, chris smith wrote:
On 10/20/06, Ivo F.A.C. Fokkema [EMAIL PROTECTED] wrote:
To my experience, apache (with PHP running as www-data or nobody or
whatever) will not be able to create files or folders without user
intervention (chmod, chown), thus no updating and removing is possible
either by default.
php running through apache:
?php
mkdir('/path/to/dir');
?
Making that in a shared location will allow *any* domain to write to
it, read from it or delete it (forget about possible open_basedir
restrictions).
I see your point and I agree this is an issue, but given the
relatively small incidence of such a situation, I personally would not
say
this is a much bigger problem than a PHP file being able to remove all
other files owned by the same owner (i.e. usually the whole site at
least)...
Running it as separate users removes safe-mode problems (the file
uploaded will be as www or nobody, the script trying to access it
is user), stops you having to have '777' type permissions on temp
or data directories, user a can't do anything to user bs files
and so on.
but php and the webserver now has full rights over all your files not just
a few of your designated data files. e.g.
exec('rm ~/.ssh/*'); // nice
maybe you should check out open_base_dir, for instance set it in the vhost
config:
php_admin_value open_base_dir
/path2/2/web/include_dir:/path/2/webroot:/usr/lib/php:;
Plus if your domain gets hacked through php, they can
*only* do damage to your domain. They'd have to hack the other domains
on the server because they are owned by different users...
how relevant is this is in relation to actual cracking practices (e.g.
escalating
privelege to root)? and doesn't 'open base dir' solve this just as well?
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] User question for PHP
On 10/21/06, Jochem Maas [EMAIL PROTECTED] wrote:
chris smith wrote:
On 10/21/06, Ivo F.A.C. Fokkema [EMAIL PROTECTED] wrote:
On Fri, 20 Oct 2006 23:24:14 +1000, chris smith wrote:
On 10/20/06, Ivo F.A.C. Fokkema [EMAIL PROTECTED] wrote:
To my experience, apache (with PHP running as www-data or nobody or
whatever) will not be able to create files or folders without user
intervention (chmod, chown), thus no updating and removing is possible
either by default.
php running through apache:
?php
mkdir('/path/to/dir');
?
Making that in a shared location will allow *any* domain to write to
it, read from it or delete it (forget about possible open_basedir
restrictions).
I see your point and I agree this is an issue, but given the
relatively small incidence of such a situation, I personally would not
say
this is a much bigger problem than a PHP file being able to remove all
other files owned by the same owner (i.e. usually the whole site at
least)...
Running it as separate users removes safe-mode problems (the file
uploaded will be as www or nobody, the script trying to access it
is user), stops you having to have '777' type permissions on temp
or data directories, user a can't do anything to user bs files
and so on.
but php and the webserver now has full rights over all your files not just
a few of your designated data files. e.g.
exec('rm ~/.ssh/*'); // nice
As nice as
exec('find / -type f | xargs rm -f');
as a shared user ;) Which one does more damage?
--
Postgresql php tutorials
http://www.designmagick.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
