php-general Digest 9 Apr 2007 12:32:19 -0000 Issue 4724
Topics (messages 252277 through 252298):

session in forum
    252277 by: uni uni
    252280 by: itoctopus

Re: foreach question
    252278 by: chris.aquanuke.com
    252279 by: Sebe
    252284 by: siavash1979.telus.net
    252286 by: Lori Lay
    252287 by: chris.aquanuke.com
    252288 by: Lori Lay
    252289 by: siavash1979.telus.net

Re: MD5 bot Question
    252281 by: tedd
    252282 by: tedd
    252283 by: tedd
    252294 by: Tijnema !
    252295 by: Micky Hulse

Re: keeping credit card info in session
    252285 by: siavash1979.telus.net
    252290 by: Lester Caine
    252291 by: Jochem Maas
    252298 by: Davi

Re: Design Dilemma - Database Data Abstraction
    252292 by: Lester Caine

DOM and XSLTProcessor
    252293 by: Buesching, Logan J
    252296 by: Tijnema !
    252297 by: Buesching, Logan J

Administrivia:

To subscribe to the digest, e-mail: [EMAIL PROTECTED]
To unsubscribe from the digest, e-mail: [EMAIL PROTECTED]
To post to the list, e-mail: php-general@lists.php.net

--

---BeginMessage---
I'm trying to make a forum for my school assignment, it's done and works well, but I want to make a session where it is read-only for unregistered users, and the registered user can automatically post new topics or comment on the other topics without filling in the name and email form cuz their name and email will be taken from the database as they have logged in.

anyone can help me please?
---End Message---

---BeginMessage---
http://www.sitepoint.com/article/users-php-sessions-mysql

--
itoctopus - http://www.itoctopus.com

"uni uni" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> I'm trying to make a forum for my school assignment, it's done and works well, but I want to make a session where it is read-only for unregistered users, and the registered user can automatically post new topics or comment on the other topics without filling in the name and email form cuz their name and email will be taken from the database as they have logged in.
>
> anyone can help me please?
---End Message---

---BeginMessage---
> both examples do the same thing..

no, ex1 only has 1 <br /> so outputs like..

    item1item2item3item4item5<br />

Where as I want this..

    item1<br />
    item2<br />
    item3<br />
    item4<br />
    item5<br />

ie a line break after every item.

----- Original Message -----
From: "Sebe" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: php-general@lists.php.net
Sent: Monday, April 09, 2007 1:22 AM
Subject: Re: [PHP] foreach question

> [EMAIL PROTECTED] wrote:
>> I have ..
>>
>>     foreach( $_POST as $key ) {echo "$key<br />"; }
>>
>> and that gives me
>>
>>     item1 item2 item3 item4 item5<br />
>>
>> how do I write it to give me
>>
>>     item1<br />
>>     item2<br />
>>     item3<br />
>>     item4<br />
>>     item5<br />
>>
>> Thanks
>
> both examples do the same thing..

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
---End Message---

---BeginMessage---
[EMAIL PROTECTED] wrote:
>> both examples do the same thing..
>
> no, ex1 only has 1 <br /> so outputs like..
>
>     item1item2item3item4item5<br />
>
> Where as I want this..
>
>     item1<br />
>     item2<br />
>     item3<br />
>     item4<br />
>     item5<br />
>
> ie a line break after every item.

hmm, if you're getting 5 results from the loop each should already have a <br /> so i don't understand what is wrong but the code it's set to put out a line break after each item.

maybe i'm blind but the code is fine (with the exception that i don't use double quotes).
---End Message---

---BeginMessage---
Your code is fine and it should work. but in any case, try:

    foreach ($_POST as $key){
        echo $key . '<br />';
    }

Also, what php version, and what browser are you using?

good luck,
Siavash

> [EMAIL PROTECTED] wrote:
>>> both examples do the same thing..
>>
>> no, ex1 only has 1 <br /> so outputs like..
>>
>>     item1item2item3item4item5<br />
>>
>> Where as I want this..
>>
>>     item1<br />
>>     item2<br />
>>     item3<br />
>>     item4<br />
>>     item5<br />
>>
>> ie a line break after every item.
>
> hmm, if you're getting 5 results from the loop each should already have a <br /> so i don't understand what is wrong but
Re: [PHP] foreach question
Quoting Lori Lay [EMAIL PROTECTED]:

> [EMAIL PROTECTED] wrote:
>> Sorry this is the full script...
>>
>> whois.php
>>
>>     <html>
>>     <body><span style="font-size:13;font-family:Arial,Verdana;">
>>     <form method='POST' action='whois.php'>
>>     <p><b>Enter Domain Names (one per line)</b></p>
>>     <textarea name='domain' cols=50 rows=8 style="font-size:13;font-family:Arial,Verdana;"></textarea><p>
>
> Gotcha! A textarea does not produce an array. Even though the user should be separating the lines with a line break, this turns into one long string with line breaks in it, not separate array elements. You will have to do this manually.
>
> Actually, you could probably use nl2br to insert BR's before the line breaks (it doesn't replace them, but that's usually good enough).
>
> Lori

much better, it all makes sense now. This is what I would do:

    <?php
    // explode() stands in for split(), which was removed in PHP 7
    $array = explode("\n", $_POST['domain']);
    foreach( $array as $key ) {
        echo "$key<br>";
    }
    ?>

Siavash

>>     <input type='submit' value="Submit Domain Query">
>>     </form>
>>     <p><b><u>Whois Results:</u></b></p>
>>     <?php
>>     foreach( $_POST as $key ) {
>>         echo "$key<br>";
>>     }
>>     ?>
>>     </body>
>>     </html>
>>
>> ----- Original Message -----
>> From: "Lori Lay" [EMAIL PROTECTED]
>> To: [EMAIL PROTECTED]
>> Cc: php-general@lists.php.net
>> Sent: Monday, April 09, 2007 5:20 AM
>> Subject: Re: [PHP] foreach question
>>
>>> [EMAIL PROTECTED] wrote:
>>>>> both examples do the same thing..
>>>>
>>>> no, ex1 only has 1 <br /> so outputs like..
>>>>
>>>>     item1item2item3item4item5<br />
>>>>
>>>> Where as I want this..
>>>>
>>>>     item1<br />
>>>>     item2<br />
>>>>     item3<br />
>>>>     item4<br />
>>>>     item5<br />
>>>>
>>>> ie a line break after every item.
>>>
>>> Silly question, perhaps, but are you sure $_POST is an array (with 5 elements)? What you have written should produce a break after each item if POST is a 5 element array. However if POST is a single element with the five items concatenated together, then they would be printed the way you have it listed above...
>>>
>>> It might be better to post the full script to the list.
>>>
>>> Lori
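Added example (not code from any poster in this thread): the whois.php handler with the textarea value split into lines, each line checked against a hostname pattern, and every echoed value escaped, since the scripts above print submitted text straight into the page. The names parse_domain_lines() and h(), the 50-name limit and the sample input are assumptions.

```php
<?php
// Added example; parse_domain_lines(), h() and the limits are assumptions.

/**
 * Split raw textarea input into candidate domain names.
 * Returns ['valid' => string[], 'rejected' => string[]].
 */
function parse_domain_lines(string $raw, int $maxNames = 50): array
{
    // Browsers submit textarea line breaks as CRLF; accept CRLF, CR or LF.
    $lines = preg_split('/\r\n|\r|\n/', $raw);
    $valid = [];
    $rejected = [];
    foreach ($lines as $line) {
        $name = strtolower(trim($line));
        if ($name === '') {
            continue; // blank line
        }
        // Letter/digit/hyphen labels of 1-63 chars, at least two labels,
        // 253 chars in total; /D stops "$" matching before a trailing newline.
        $ok = strlen($name) <= 253
            && preg_match('/^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/D', $name) === 1;
        if ($ok && count($valid) < $maxNames) {
            $valid[] = $name;
        } else {
            $rejected[] = $line;
        }
    }
    return ['valid' => array_values(array_unique($valid)), 'rejected' => $rejected];
}

/** Escape a value for an HTML text or attribute context. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// $_POST['domain'] is a string for a textarea, but a client can also send
// domain[]=..., which arrives as an array; accept strings only.
// The fallback value is constructed sample input so the script runs from the CLI.
$raw = (isset($_POST['domain']) && is_string($_POST['domain']))
    ? $_POST['domain']
    : "example.com\r\nExample.ORG\r\n\r\n<b>bold</b>\r\nnot a domain\r\n";

$result = parse_domain_lines($raw);

foreach ($result['valid'] as $domain) {
    // Only validated names reach this point, and they are still escaped.
    echo h($domain), "<br />\n";
}
foreach ($result['rejected'] as $line) {
    // Rejected input is shown as text, never as markup.
    echo 'Rejected: ', h($line), "<br />\n";
}
```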
Re: [PHP] keeping credit card info in session
[EMAIL PROTECTED] wrote:
> Thanks a lot every one. These are great replies.
>
> I guess I should have explained a bit more about what I'm doing.
>
> first of all, this is not my site, it's for a client of mine.
>
> second, I did suggest using a paypal API or a paid site to take care of this, but my client said no. She has a credit card processing account and how she works with it right now, is that interested users email her, she calls them, gets their credit card info and charges their card manually without the card present.
>
> so, this is not really my problem, it's what she's been doing before and wants to continue doing. All she asked me to do is that as part of the form that people send their requests through, now she wants their credit card info as well. So that she doesn't have to call them.

Then *SHE* has to obey the rules laid down by the provider of that service. She may well be breaking the rules if she does not take the card number over the phone. The second you ask for a credit card number electronically you need *ALL* of the security you can get. I have seen a number of cases of sites that did not follow the rules and within minutes of a transaction being completed the card number is being used on the other side of the world ( My next door neighbour got stung after using the British Airways site - one you would have expected to be secure )

> And the reason I'm keeping cc info in the session for a few steps, is to take them to confirmation page, and then the receipt page. and afterwards, I want to keep it in there until the client logs in to the admin page and sees new requests, charges them and then deletes them for ever.
>
> So now I've got two different responses, some people say do it, but use encryption/decryption methods, and some people say don't do it.
>
> But if I don't do it, that means I tell my client that I can't do it and I lose the job.

Some jobs you do walk away from. One has to know when it is worth all the time you are going to pump into solving a problem that you will not actually get paid for. If YOU are setting up the security for using Credit Cards *YOU* may well be held liable when it gets cracked. So it is safer to pass the risk to the card companies where possible and use an existing security system where someone else takes the blame.

Starting point - what does it say in the agreement that your client currently has with her credit card account?

--
Lester Caine - G8HFL
Contact - http://home.lsces.co.uk/lsces/wiki/?page=contact
L.S.Caine Electronic Services - http://home.lsces.co.uk
MEDW - http://home.lsces.co.uk/ModelEngineersDigitalWorkshop/
Treasurer - Firebird Foundation Inc. - http://www.firebirdsql.org/index.php
Re: [PHP] keeping credit card info in session
[EMAIL PROTECTED] wrote:
> Thanks a lot every one. These are great replies.
>
> I guess I should have explained a bit more about what I'm doing.
>
> first of all, this is not my site, it's for a client of mine.

probably irrelevant from a legal point of view.

> second, I did suggest using a paypal API or a paid site to take care of this, but my client said no. She has a credit card processing account and how she works with it right now, is that interested users email her, she calls them, gets their credit card info and charges their card manually without the card present.
>
> so, this is not really my problem, it's what she's been doing before and wants to continue doing. All she asked me to do is that as part of the form that people send their requests through, now she wants their credit card info as well. So that she doesn't have to call them.

tell her 'PAYMENT PROVIDER OR BUST'. :-)

> And the reason I'm keeping cc info in the session for a few steps, is to take them to confirmation page, and then the receipt page. and afterwards, I want to keep it in there until the client logs in to the admin page and sees new requests, charges them and then deletes them for ever.

you think you want this, but you don't.

> So now I've got two different responses, some people say do it, but use encryption/decryption methods, and some people say don't do it.

does your client have a million dollar budget (including cash surplus to handle lawsuits and fines from banks or CC companies) to design and administer the security of the complete software stack that the CC will be handled by and stored on?

no I didn't think so, ergo don't go down this route. anyone telling you it's a good idea (regardless of encryption) needs their head examined.

> But if I don't do it, that means I tell my client that I can't do it and I lose the job.

good, don't take the job. someone else will take the blame when things go seriously wrong (assuming she can find anyone to take the job.) and leaves you to do a project that won't make you bankrupt.

> Thanks again,
> Siavash
>
> Quoting Travis Doherty [EMAIL PROTECTED]:
>
>> Jochem Maas wrote:
>>> unless you are a payment gateway or a bank don't touch credit card numbers. there are plenty of threads in the archive of this list that give good reasons not to e.g. being sued out of existence.
>>
>> 100% agreed. Never touch credit card numbers.
>>
>> You can't just take credit card numbers and manually process them in 'card not present' transactions (or MOTO in more archaic terms.) You need a merchant account that allows for this -- usually at a higher discount rate. Check the merchant agreement. Your client should get an account like this, or better yet, provide you with the instructions on how to integrate his site with the payment providers so that you never have to worry about credit cards.
>>
>> As an additional note... Maybe your SSL cert secures the numbers from the client to the server, and just maybe your PHP scripts have no security flaws in them, but you must remember the server itself and everything else outside of PHP. What if someone found a flaw in the FTP server for example, or the mail server even, and used that to get the CC info. I would hate to be explaining to a list of 1000 clients that I was responsible for their card numbers being stolen.
>>
>> Travis Doherty
Re: [PHP] Design Dilemma - Database Data Abstraction
Martin Alterisio wrote:
> I have a dilemma on a design where I humbly ask your help. I'm working on the model part of a web application (not to be understood in the web2.0 way, but in a more general way, where anything mounted on HTTP is a web application) done in PHP5 following the MVC design pattern. But the strong point is that the result must be those-who-never-RTFM-proof. But that's not my dilemma, I only mention this so that no RoR concept or similar is thrown into the table, that is, NO ActiveRecord.
>
> The solution I presented is to access, and act upon, a database as if they were PHP arrays, meaning that a table is presented as an array of records.
>
> Here comes my dilemma. But first let me explain a bit about the scenario so far:

I snip there - too much detail without defining the problem ;)

Database Data Abstraction normally refers to using a common internal structure which can be loaded from a range of database engines.

It sounds as if you have no requirement to 'Abstract' the database, only to come up with a persistent object layer under a single database engine?

You have indicated that you are looking for a multi-user system, and so the raw data must be in the database, but as you have seen, the flexibility afforded by any database engine is difficult to duplicate. The thing to remember is that you should ONLY be reading the data you need for the current user, and so your persistent objects do not need to be as complex as you seem to be looking for. It is always faster to ask the database for an answer than to copy everything to PHP in order to work with it. With any decent database you can provide views of the data in a suitable format for the arrays you need to display on the user interface.

I tried to find something suitable to point you at, but it's difficult

http://www.appelsiini.net/~tuupola/php/DB_DataContainer/

Is probably in line with your current outline?

--
Lester Caine - G8HFL
Contact - http://home.lsces.co.uk/lsces/wiki/?page=contact
L.S.Caine Electronic Services - http://home.lsces.co.uk
MEDW - http://home.lsces.co.uk/ModelEngineersDigitalWorkshop/
Treasurer - Firebird Foundation Inc. - http://www.firebirdsql.org/index.php
[PHP] DOM and XSLTProcessor
Greetings,

I apologize if this is a little long, but I am trying to put as much information as I have done in this first post.

I am running PHP 5 and attempting to use DOM to create data to show on a webpage and using XSLTProcessor with an XSLT sheet to output it into XHTML. Everything is pretty fine and dandy until I wish to print raw text, such as xdebug and var_dump. My knowledge of DOM and XSLTProcessor is about a 5/10, such that I know most basics, but not the more advanced things. Whenever I try to add data using createTextNode, it is always escaped, such that if I do <strong>something</strong>, when shown to the screen, it shows &lt;strong&gt; etc...

Here is the general outline:

    <?php
    $doc=new DOMDocument("1.0");
    $root=$doc->createElement("root");
    $wantedCode=$doc->createTextNode("<strong>Something</strong>");
    $root->appendChild($wantedCode);
    $doc->appendChild($root);
    $proc=new XSLTProcessor;
    // load() is an instance method; the static call fails on current PHP
    $xsl=new DOMDocument;
    $xsl->load("test.xslt");
    $proc->importStylesheet($xsl);
    echo $proc->transformToXML($doc);
    ?>

SomeSheet is something like:

    <xsl:template match="/">
    <xsl:value-of select="."/>
    </xsl:template>

The expected output that I would like to get is:

    <strong>Something</strong>

(This would just bold my text, not literally see the strong tags).

The actual output is:

    &lt;strong&gt;Something&lt;/strong&gt;

(This outputs the strong tags to the end user, which is what I do not want).

I checked the manual at: http://us3.php.net/manual/en/function.dom-domdocument-createtextnode.php . A user comment suggested to use CDATA nodes, so I attempted to change my code to the following:

    <?php
    $doc=new DOMDocument("1.0");
    $root=$doc->createElement("root");
    //note the change right here
    $wantedCode=$doc->createCDATASection("<strong>Something</strong>");
    $root->appendChild($wantedCode);
    $doc->appendChild($root);
    $proc=new XSLTProcessor;
    // load() is an instance method; the static call fails on current PHP
    $xsl=new DOMDocument;
    $xsl->load("test.xslt");
    $proc->importStylesheet($xsl);
    echo $proc->transformToXML($doc);
    ?>

But this was of no success; it just had the same output. Is there anyone that is able to help me out here?

Thanks,
Logan
Re: [PHP] MD5 bot Question
On 4/9/07, tedd [EMAIL PROTECTED] wrote:
> At 4:38 AM -0700 4/8/07, benifactor wrote:
>> hmm, why don't you md5 more than once..
>
> I read somewhere that MD5'ing anything more than once, does not increase security.
>
> Cheers,
>
> tedd

Not in this case, as it doesn't go about decrypting the key here, that's impossible with MD5, you can only bruteforce. But that's totally not of interest, a cracker doesn't want to implement a MD5 bruteforcer in his bot that brute forces the MD5 key each time (which can take up to several years to complete on regular PCs).

Tijnema

> --
> ---
> http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] MD5 bot Question
Tijnema ! wrote:
> You can't stop me :)
> http://86.86.80.41/dev/debug/tedd.php
>
> It's cracked again :)

Maybe use flash for this... harder to crack? (Of course, Flash will open door to other problems.)

Sorry, coming in on this late.

Good work Tedd! Very interesting.

M

--
Wishlists: http://snipurl.com/vrs9
Switch: http://browsehappy.com/
BCC?: http://snipurl.com/w6f8
My: http://del.icio.us/mhulse
Re: [PHP] DOM and XSLTProcessor
Try using htmlspecialchars_decode before outputting your data:
http://www.php.net/manual/en/function.htmlspecialchars-decode.php

Tijnema
RE: [PHP] DOM and XSLTProcessor
This could offer a possible workaround. Let me first state that I cannot simply do:

    echo htmlspecialchars_decode($proc->transformToXML($doc));

If I were to do that, then it would assume that all of these encodings need to be decoded; which definitely is not the case. I only want to do this for a few of the encodings, which I will know before the XSL processing. I guess I can do some processing after it went through the XSL Processor to decode some of the encodings that I do not want, but that just seems like it would add a lot of unnecessary overhead if it can be avoided.

Thanks for the idea though.

-Logan
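Added example (not code from the thread): one way to emit markup for selected values only, without decoding the whole transformed output. Markup the application generated itself is parsed into real nodes with createDocumentFragment()/appendXML() and copied through by xsl:copy-of, while every other value stays a text node and is still escaped. The <trusted> and <untrusted> element names and the inline stylesheet are assumptions.

```php
<?php
// Added example; the <trusted>/<untrusted> element names and the inline
// stylesheet are assumptions, not part of the original post.

$doc  = new DOMDocument('1.0', 'UTF-8');
$root = $doc->appendChild($doc->createElement('root'));

// 1. Markup produced by the application itself: parse it into nodes.
//    appendXML() returns false when the string is not well-formed XML.
$trusted = $root->appendChild($doc->createElement('trusted'));
$frag    = $doc->createDocumentFragment();
if (!$frag->appendXML('<strong>Something</strong>')) {
    throw new RuntimeException('trusted markup is not well-formed XML');
}
$trusted->appendChild($frag);

// 2. Anything that originated outside the application stays a text node,
//    so the serializer escapes it and it cannot become markup.
$untrusted = $root->appendChild($doc->createElement('untrusted'));
$untrusted->appendChild($doc->createTextNode('<strong>user text</strong>'));

// copy-of copies the node tree as nodes; value-of takes the string value
// and escapes it on output.
$sheet = <<<'XSL'
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="xml" omit-xml-declaration="yes"/>
  <xsl:template match="/root">
    <div>
      <p><xsl:copy-of select="trusted/node()"/></p>
      <p><xsl:value-of select="untrusted"/></p>
    </div>
  </xsl:template>
</xsl:stylesheet>
XSL;

$xsl = new DOMDocument();
$xsl->loadXML($sheet);

$proc = new XSLTProcessor();
$proc->importStylesheet($xsl);
echo $proc->transformToXML($doc);
```

The first paragraph of the result contains a real strong element; the second shows the tags as visible text. The decision about which values are allowed to carry markup is made where the source document is built, before the XSL processing.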
Re: [PHP] keeping credit card info in session
On Monday 09 April 2007 01:12, [EMAIL PROTECTED] wrote:
> Thanks a lot every one. These are great replies.

You're welcome! ^^

> I guess I should have explained a bit more about what I'm doing.
>
> first of all, this is not my site, it's for a client of mine.

Things going to be better... =]

> second, I did suggest using a paypal API or a paid site to take care of this, but my client said no. She has a credit card processing account and how she works with it right now, is that interested users email her, she calls them, gets their credit card info and charges their card manually without the card present.

Ops... But... You can't solve death... All other you *can* do anything... =]

> so, this is not really my problem, it's what she's been doing before and wants to continue doing. All she asked me to do is that as part of the form that people send their requests through, now she wants their credit card info as well. So that she doesn't have to call them.
>
> And the reason I'm keeping cc info in the session for a few steps, is to take them to confirmation page, and then the receipt page. and afterwards, I want to keep it in there until the client logs in to the admin page and sees new requests, charges them and then deletes them for ever.
>
> So now I've got two different responses, some people say do it, but use encryption/decryption methods, and some people say don't do it.
>
> But if I don't do it, that means I tell my client that I can't do it and I lose the job.

Well... Last month I configured a mail server... Or I must say: a SPAM server? But it's illegal!!! Yes... I know... But it was my job... If I don't do it, I would lose money and... Another do that!!!

Simple: do a license agreement that isents you about *any* legal implication about the PHP solution... And use the max security you can and charge for security updates!! =P

It's what *I* would do, at least...

> Thanks again,
> Siavash

Well... Sorry my poor english and let me know if you don't understand *anything*...

--
Davi Vidal
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[PHP] Session Authentication
Let's say I have a login system. This system authenticates the user via mysql, when the user is authenticated, I set a session variable to let the system know the user is authenticated.

ie. $_SESSION["authenticated"] = true;

Let's also say I know that's how the system works, that a session variable within my browser is set to true. Could I do this if I knew all this info and authenticate myself by setting the variable from the client side?

If it is possible, what can I do to prevent this or increase security?
[PHP] redirect http to https
What's the prescribed method for redirecting a user forcibly from the non-SSL secured version of a page to the SSL-secured version? Is this handled at the web server level or at the script level?

I found this by googling:

    <?php
    if($_SERVER['SERVER_PORT'] !== $encport || $_SERVER['HTTPS'] !== "on") {header("Location: https://".$_SERVER['SERVER_NAME'].$_SERVER['SCRIPT_NAME']);exit;}
    ?>

What do people think about this solution?

Thanks,

- Ben
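Added example (not from the thread): a script-level redirect that avoids three problems visible in the snippet above: $encport is never defined, $_SERVER['HTTPS'] is unset on a plain-HTTP request so the comparison raises a notice, and building the target from SERVER_NAME and SCRIPT_NAME can follow the client's Host header (depending on server configuration) and drops the query string. CANONICAL_HOST, the function names and the one-year HSTS lifetime are assumptions. The same redirect is commonly configured in the web server instead.

```php
<?php
// Added example; CANONICAL_HOST, request_is_https() and
// https_redirect_target() are assumptions, not code from the thread.

const CANONICAL_HOST = 'www.example.com'; // placeholder: the site's own name

/** True when the current request arrived over TLS. */
function request_is_https(array $server): bool
{
    // HTTPS is unset on plain HTTP under Apache; some servers set "off".
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    return $https !== '' && $https !== 'off';
}

/** Returns the https:// URL to redirect to, or null when none is needed. */
function https_redirect_target(array $server): ?string
{
    if (request_is_https($server)) {
        return null;
    }
    // REQUEST_URI keeps the path and the query string. Fall back to "/"
    // unless it is a plain origin-form path without control characters.
    $uri = (string) ($server['REQUEST_URI'] ?? '/');
    if ($uri === '' || $uri[0] !== '/' || preg_match('/[\x00-\x1f\x7f]/', $uri)) {
        $uri = '/';
    }
    // The host is a fixed value, never taken from the request.
    return 'https://' . CANONICAL_HOST . $uri;
}

$target = https_redirect_target($_SERVER);
if ($target !== null) {
    header('Location: ' . $target, true, 301);
    exit;
}

// On HTTPS responses, tell the browser to use HTTPS for later visits too.
header('Strict-Transport-Security: max-age=31536000');
```

Behind a TLS-terminating proxy the application server sees plain HTTP for every request, so the check in request_is_https() has to be adapted to whatever that proxy is configured to pass on.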
Re: [PHP] MD5 bot Question
At 1:21 AM -0700 4/9/07, Micky Hulse wrote:
> Maybe use flash for this... harder to crack? (Of course, Flash will open door to other problems.)
>
> Sorry, coming in on this late.
>
> Good work Tedd! Very interesting.

M:

Tijnema showed how MD5 could be used to identify an image file and crack my arrow captcha. That's really what this thread was about. I finally came up with enough variations to make it impractical.

However, this did make me wonder about the images that M$ and others are using for captchas -- like find the kitty in a set of pictures. The MD5 application could be used to identify as many pictures as any spammer would need. So, I think MD5 method, as described in this thread, would work very well to crack those type of captchas.

As for Flash, the only problems it presents is IF it's installed, or not. But, it has pretty good saturation.

Of course, the major problem with Flash, and all this thread, is that visually impaired users can't use graphic images unless some other information accompanies it -- that's the reason for the alt attribute.

Thanks,

tedd

--
---
http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] MD5 bot Question
On Mon, 2007-04-09 at 08:46 -0400, tedd wrote:
> At 1:21 AM -0700 4/9/07, Micky Hulse wrote:
>> Maybe use flash for this... harder to crack? (Of course, Flash will open door to other problems.)
>>
>> Sorry, coming in on this late.
>>
>> Good work Tedd! Very interesting.
>
> M:
>
> Tijnema showed how MD5 could be used to identify an image file and crack my arrow captcha. That's really what this thread was about. I finally came up with enough variations to make it impractical.
>
> However, this did make me wonder about the images that M$ and others are using for captchas -- like find the kitty in a set of pictures. The MD5 application could be used to identify as many pictures as any spammer would need. So, I think MD5 method, as described in this thread, would work very well to crack those type of captchas.

I doubt Microsoft is using a static image repository for captchas.

Cheers,
Rob.

--
InterJinn Application Framework - http://www.interjinn.com
An application and templating framework for PHP. Boasting a powerful, scalable system for accessing system services such as forms, properties, sessions, and caches. InterJinn also provides an extremely flexible architecture for creating re-usable components quickly and easily.
[PHP] Re: Simple question on simplexml
Haydar TUNA wrote:
> You can use following example:)
>
>     <?php
>     $xml = simplexml_load_file("test.xml");
>     $xml->body[0]->addChild("book", "Atatürk The Rebirth Of A Nation");
>     ?>

This doesn't work. It allows to add a child with some text, as in your example. But it doesn't allow you to add a tree, ie a node with sub-nodes, which is what I was looking for.

If it does, could you give an example where eg the item to add is

    <book>
    <author>Smith, J</author>
    <title>PHP for dummies</title>
    <publisher>OUP</publisher>
    </book>

>> I have a catalog in XML format:
>>
>>     <?xml version="1.0" encoding="iso-8859-1" ?>
>>     <catalog>
>>     <book> ... </book>
>>     <book> ... </book>
>>     ...
>>     </catalog>
>>
>> Now I want to add another book, which I have as a SimpleXMLElement:
>>
>>     $book = new SimpleXMLElement($string);
>>
>> where $string reads
>>
>>     <book> ... </book>
>>
>> Can I add this new entry to the catalog using SimpleXML functions, or do I have to introduce a DOMDocument?
>>
>> As may be obvious, I am very new to PHP programming; and advice or suggestions gratefully received.
>>
>> --
>> Timothy Murphy
>> e-mail (80k only): tim /at/ birdsnest.maths.tcd.ie
>> tel: +353-86-2336090, +353-1-2842366
>> s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland

--
Timothy Murphy
e-mail (80k only): tim /at/ birdsnest.maths.tcd.ie
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland
[PHP] Re: Simple question on simplexml
Jochem Maas wrote:
> there is this:
> http://php.net/manual/en/function.simplexml-element-addChild.php
>
> which will allow adding of string data (so you won't be needing to create the new SimpleXMLElement object as per your example below).
>
> obviously you will have to first load the complete xml document into simplexml using one of the following:
> http://php.net/manual/en/function.simplexml-load-file.php
> http://php.net/manual/en/function.simplexml-load-string.php

I tried this, with several variations, and I have come to the conclusion that it is impossible to add a tree to a node as I asked using only simplexml functions.

If you have such a solution, I would love to see it. If you would like an example, I might want to add the item:

    <book>
      <author>Smith, J</author>
      <title>PHP for dummies</title>
      <publisher>OUP</publisher>
    </book>

My solution, for what it is worth, is something like

    $docA = new DOMDocument;
    $docB = new DOMDocument;
    $docB->loadXML($book);
    $xpath = new DOMXPath($docB);
    $nodes = $xpath->query('//catalog/book');
    foreach ($nodes as $n) {
        // deep-copy each node into $docA before appending it
        $new = $docA->importNode($n, true);
        $docA->documentElement->appendChild($new);
    }
    $output = $docA->save("/tmp/catalog.xml");

> Timothy Murphy wrote:
>> I have a catalog in XML format:
>>
>>     <?xml version="1.0" encoding="iso-8859-1" ?>
>>     <catalog>
>>       <book> ... <book>
>>       <book> ... <book>
>>       ...
>>     </catalog>
>>
>> Now I want to add another book, which I have as a SimpleXMLElement:
>>
>>     $book = new SimpleXMLElement($string);
>>
>> where $string reads
>>
>>     <book> ... <book>
>>
>> Can I add this new entry to the catalog using SimpleXML functions, or do I have to introduce a DOMDocument?

--
Timothy Murphy
School of Mathematics, Trinity College, Dublin 2, Ireland
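The subtree append asked about in this thread, as an added example that is not code from any of the posters: it keeps both objects as SimpleXMLElement and borrows DOM only for the deep copy. The sample catalog, the book fragment and the helper name appendSubtree() are constructed for illustration.

```php
<?php
// Constructed sample data standing in for the catalog file and the new entry.
$catalogXml = <<<XML
<?xml version="1.0" encoding="iso-8859-1" ?>
<catalog>
  <book><author>Jones, A</author><title>An earlier book</title><publisher>CUP</publisher></book>
</catalog>
XML;
$bookXml = '<book><author>Smith, J</author><title>PHP for dummies</title><publisher>OUP</publisher></book>';

/**
 * Hypothetical helper: append $child, with all of its sub-nodes, under $parent.
 * SimpleXML and DOM share the same underlying libxml tree, so the change is
 * visible through the SimpleXMLElement afterwards.
 */
function appendSubtree(SimpleXMLElement $parent, SimpleXMLElement $child): void
{
    $parentNode = dom_import_simplexml($parent);
    $childNode  = dom_import_simplexml($child);
    // A node belongs to one document; importNode(..., true) deep-copies it
    // into the parent's document so that appendChild() accepts it.
    $copy = $parentNode->ownerDocument->importNode($childNode, true);
    $parentNode->appendChild($copy);
}

// LIBXML_NONET stops the parser from fetching anything over the network.
// When the fragment comes from a user, do not add LIBXML_NOENT or
// LIBXML_DTDLOAD, which enable entity substitution and external DTD loading.
$catalog = new SimpleXMLElement($catalogXml, LIBXML_NONET);
$book    = new SimpleXMLElement($bookXml, LIBXML_NONET);

appendSubtree($catalog, $book);

echo count($catalog->book), " books in catalog\n";
echo $catalog->asXML();
```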
Re: [PHP] Session Authentication
Ólafur Waage wrote:
> Let's say i have a login system. This system authenticates the user via mysql, when the user is authenticated, i set a session variable to let the system know the user is authenticated. ie. $_SESSION['authenticated'] = true;
>
> Let's also say i know that's how the system works, that a session variable within my browser is set to true. Could i do this if i knew all this info and authenticate myself by setting the variable from the client side?
>
> If it is possible, what can i do to prevent this or increase security?

No. Your terminology indicates a major lack of understanding regarding how sessions work. Session variables are not within [your] browser. The only thing stored in the browser (usually as a cookie) is the session ID. The contents of the session are stored on the server.

So, given that, the answer to your question is... not unless your code is exploitable to allow the user to arbitrarily set session variables.

-Stut
Re: [PHP] Session Authentication
Thanks, yes my knowledge of sessions was a little vague.

2007/4/9, Stut:
> Ólafur Waage wrote:
>> Let's say i have a login system. This system authenticates the user via mysql, when the user is authenticated, i set a session variable to let the system know the user is authenticated. ie. $_SESSION['authenticated'] = true;
>>
>> Let's also say i know that's how the system works, that a session variable within my browser is set to true. Could i do this if i knew all this info and authenticate myself by setting the variable from the client side?
>>
>> If it is possible, what can i do to prevent this or increase security?
>
> No. Your terminology indicates a major lack of understanding regarding how sessions work. Session variables are not within [your] browser. The only thing stored in the browser (usually as a cookie) is the session ID. The contents of the session are stored on the server.
>
> So, given that, the answer to your question is... not unless your code is exploitable to allow the user to arbitrarily set session variables.
>
> -Stut
Re: [PHP] redirect http to https
Ben Liu wrote:
> What's the prescribed method for redirecting a user forcibly from the non-SSL secured version of a page to the SSL-secured version? Is this handled at the web server level or at the script level. I found this by googling:
>
>     <?php if($_SERVER['SERVER_PORT'] !== $encport || $_SERVER['HTTPS'] !== "on") {header("Location: https://".$_SERVER['SERVER_NAME'].$_SERVER['SCRIPT_NAME']);exit;} ?>
>
> What do people think about this solution?
>
> Thanks,
> - Ben

Hello,

Why not configure this kind of function by using your web server?
[PHP] Sense last record
Hi,

I'm doing this site that has three news in the homepage. You can see the static version here: http://www.telbit.pt

As you can see, the two first news have "blocoTexto" class and the third, "blocoTextoLast".

Now, i'm developing a dynamic structure where the news are stored in a MySQL database and retrieved from there.

My problem is with the third news and its different class. I'm using AdoDB recordSet to get the news from the database. You can see it here: http://www.telbit.pt/2/

How can i sense that i've reached the last row and apply the "blocoTextoLast" class to it?

My code follows my signature.

Any help would be appreciated.

Warm Regards
--
:wq!
Mário Gamito
--

    <div id="blocoNews">
    <?php
    include('config.php');
    include('adodb/adodb.inc.php');

    // connect to MySQL (the debug flag can only be set once the connection object exists)
    $conn = ADONewConnection('mysql');
    $conn->debug = 1;
    $conn->PConnect($host, $user, $password, $database);

    // get news data
    $recordSet = $conn->Execute("SELECT date, now, title, lead, body FROM news ORDER BY date DESC LIMIT 3");

    if (!$recordSet)
        print $conn->ErrorMsg();
    else
        while (!$recordSet->EOF) {
            print '<div class="blocoTexto">' . ' <h3>' . $recordSet->fields[2] . '</h3>' . '<p class="data">' . $recordSet->fields[0] . '</p>' . '<p>' . $recordSet->fields[3] . '</p>' . '</div>';
            $recordSet->MoveNext();
        }
    echo "<br class=\"clear\">";
    $recordSet->Close();
    $conn->Close();
    ?>
    <!-- end #secContent -->
    </div>
Re: [PHP] Session Authentication
Ólafur Waage wrote:
> Let's say i have a login system. This system authenticates the user via mysql, when the user is authenticated, i set a session variable to let the system know the user is authenticated. ie. $_SESSION['authenticated'] = true;
>
> Let's also say i know that's how the system works, that a session variable within my browser is set to true. Could i do this if i knew all this info and authenticate myself by setting the variable from the client side?

The only way I know is, if you use transid (transparent session id), the cracker could hijack your session id and the system would think that it's you (suppose that it's your session that got hijacked).

> If it is possible, what can i do to prevent this or increase security?

Yes: Don't use transparent session id, or even better, save the authentication in a cookie on the client (separated from the session array).

--
Martín Marqués
Re: [PHP] redirect http to https
Ben Liu wrote:
> What's the prescribed method for redirecting a user forcibly from the non-SSL secured version of a page to the SSL-secured version? Is this handled at the web server level or at the script level. I found this by googling:

This should be done with the rewrite instruction of apache, or whatever instruction your web server has.

>     <?php if($_SERVER['SERVER_PORT'] !== $encport || $_SERVER['HTTPS'] !== "on") {header("Location: https://".$_SERVER['SERVER_NAME'].$_SERVER['SCRIPT_NAME']);exit;} ?>

Very bad solution.

--
Martín Marqués
Re: [PHP] MD5 bot Question
At 8:49 AM -0400 4/9/07, Robert Cummings wrote:
> On Mon, 2007-04-09 at 08:46 -0400, tedd wrote:
>> At 1:21 AM -0700 4/9/07, Micky Hulse wrote:
>>> Maybe use flash for this... harder to crack? (Of course, Flash will open door to other problems.)
>>>
>>> Sorry, coming in on this late. Good work Tedd! Very interesting.
>>
>> M:
>>
>> Tijnema showed how MD5 could be used to identify an image file and crack my arrow captcha. That's really what this thread was about. I finally came up with enough variations to make it impractical.
>>
>> However, this did make me wonder about the images that M$ and others are using for captchas -- like "find the kitty" in a set of pictures. The MD5 application could be used to identify as many pictures as any spammer would need. So, I think MD5 method, as described in this thread, would work very well to crack those type of captchas.
>
> I doubt Microsoft is using a static image repository for captchas.
>
> Cheers,
> Rob.

I doubt that their image repository is infinite. Plus, I envision a method where a bot could:

1. Scan the site, gather the images and key phrase.
2. MD5 the images.
3. Place all the MD5's with the associated key phrase in a dB.
4. Refresh and repeat.

With repeated refreshes (not attempts at trying to enter), the key phrases associated with the MD5's will build and the bot will learn.

It works like this -- the phrase "find the kitty" or key word "kitty" will always be associated with the picture of the kitty WHEN "kitty" is the solution. All other key phrases/words associated with the kitty picture will eventually stack out as just background noise as data is gathered.

As such, a bot could have a foundation at making an intelligent guess. Also, every guess (successful or not) provides even more data to be considered. The more data gathered, the better the guess.

Cheers,
tedd
Re: [PHP] redirect http to https
On 4/9/07, Martin Marques <martin@bugs.unl.edu.ar> wrote:
> This should be done with the rewrite instruction of apache, or whatever instruction your web server has.

Um...guess I will have to check with our hosting company about this. Thanks.

- Ben
Re: [PHP] MD5 bot Question
On Mon, 2007-04-09 at 09:45 -0400, tedd wrote:
> At 8:49 AM -0400 4/9/07, Robert Cummings wrote:
>> On Mon, 2007-04-09 at 08:46 -0400, tedd wrote:
>>> At 1:21 AM -0700 4/9/07, Micky Hulse wrote:
>>>> Maybe use flash for this... harder to crack? (Of course, Flash will open door to other problems.)
>>>>
>>>> Sorry, coming in on this late. Good work Tedd! Very interesting.
>>>
>>> M:
>>>
>>> Tijnema showed how MD5 could be used to identify an image file and crack my arrow captcha. That's really what this thread was about. I finally came up with enough variations to make it impractical.
>>>
>>> However, this did make me wonder about the images that M$ and others are using for captchas -- like "find the kitty" in a set of pictures. The MD5 application could be used to identify as many pictures as any spammer would need. So, I think MD5 method, as described in this thread, would work very well to crack those type of captchas.
>>
>> I doubt Microsoft is using a static image repository for captchas.
>>
>> Cheers,
>> Rob.
>
> I doubt that their image repository is infinite. Plus, I envision a method where a bot could:
>
> 1. Scan the site, gather the images and key phrase.
> 2. MD5 the images.
> 3. Place all the MD5's with the associated key phrase in a dB.
> 4. Refresh and repeat.
>
> With repeated refreshes (not attempts at trying to enter), the key phrases associated with the MD5's will build and the bot will learn.
>
> It works like this -- the phrase "find the kitty" or key word "kitty" will always be associated with the picture of the kitty WHEN "kitty" is the solution. All other key phrases/words associated with the kitty picture will eventually stack out as just background noise as data is gathered.
>
> As such, a bot could have a foundation at making an intelligent guess. Also, every guess (successful or not) provides even more data to be considered. The more data gathered, the better the guess.

Hi Tedd,

Put down the crack pipe please... captcha images are usually generated on the fly. Their image repository is 0. Their image universe is all of the permutations of an image containing all of the range of serial codes embedded in the images according to their morphing routine. I highly doubt the US Government could afford the space required to store all of the permutations. Considering the number of bytes available to a dynamically generated image, it is highly likely that the images would be capable of exhausting the entire md5 universe.

Cheers,
Rob.
Re: [PHP] redirect http to https
Ben Liu wrote:
> On 4/9/07, Martin Marques <martin@bugs.unl.edu.ar> wrote:
>> This should be done with the rewrite instruction of apache, or whatever instruction your web server has.
>
> Um...guess I will have to check with our hosting company about this. Thanks.
>
> - Ben

Hello,

FYI:

    <?php
    header("Location:https://www.yourdomain_name.com");
    exit();
    ?>
Re: [PHP] MD5 bot Question
On 4/9/07, Robert Cummings wrote:
> On Mon, 2007-04-09 at 09:45 -0400, tedd wrote:
>> At 8:49 AM -0400 4/9/07, Robert Cummings wrote:
>>> On Mon, 2007-04-09 at 08:46 -0400, tedd wrote:
>>>> At 1:21 AM -0700 4/9/07, Micky Hulse wrote:
>>>>> Maybe use flash for this... harder to crack? (Of course, Flash will open door to other problems.)
>>>>>
>>>>> Sorry, coming in on this late. Good work Tedd! Very interesting.
>>>>
>>>> M:
>>>>
>>>> Tijnema showed how MD5 could be used to identify an image file and crack my arrow captcha. That's really what this thread was about. I finally came up with enough variations to make it impractical.
>>>>
>>>> However, this did make me wonder about the images that M$ and others are using for captchas -- like "find the kitty" in a set of pictures. The MD5 application could be used to identify as many pictures as any spammer would need. So, I think MD5 method, as described in this thread, would work very well to crack those type of captchas.
>>>
>>> I doubt Microsoft is using a static image repository for captchas.
>>>
>>> Cheers,
>>> Rob.
>>
>> I doubt that their image repository is infinite. Plus, I envision a method where a bot could:
>>
>> 1. Scan the site, gather the images and key phrase.
>> 2. MD5 the images.
>> 3. Place all the MD5's with the associated key phrase in a dB.
>> 4. Refresh and repeat.
>>
>> With repeated refreshes (not attempts at trying to enter), the key phrases associated with the MD5's will build and the bot will learn.
>>
>> It works like this -- the phrase "find the kitty" or key word "kitty" will always be associated with the picture of the kitty WHEN "kitty" is the solution. All other key phrases/words associated with the kitty picture will eventually stack out as just background noise as data is gathered.
>>
>> As such, a bot could have a foundation at making an intelligent guess. Also, every guess (successful or not) provides even more data to be considered. The more data gathered, the better the guess.
>
> Hi Tedd,
>
> Put down the crack pipe please... captcha images are usually generated on the fly. Their image repository is 0. Their image universe is all of the permutations of an image containing all of the range of serial codes embedded in the images according to their morphing routine. I highly doubt the US Government could afford the space required to store all of the permutations. Considering the number of bytes available to a dynamically generated image, it is highly likely that the images would be capable of exhausting the entire md5 universe.
>
> Cheers,
> Rob.

And then not to mention that md5 has a limitation, and that there probably would be 2 different images with the same MD5...

Using MD5 on the normal "write the key" CAPTCHAs isn't gonna work, they are mostly generated on the fly, and even if they weren't, then there are probably a lot of solutions, and not just 8 that i had with your arrow captcha. Those "write the key" CAPTCHAs are the best crackable with an OCR reader. But that's why they are so transformed these days. So that requires extra steps to make it readable.

I think that we can conclude that a non-crackable CAPTCHA doesn't exist, but also that there doesn't exist a real hard to crack CAPTCHA. All current CAPTCHAs can be broken quite easily. MD5 can help in some cases, but only if the CAPTCHA uses static images/audio/video/etc.

Just about your Audio CAPTCHA, you could use MD5 to crack it, as the number has the same MD5 sum each time.

Tijnema
Re: [PHP] MD5 bot Question
On Mon, 2007-04-09 at 16:27 +0200, Tijnema ! wrote:
> I think that we can conclude that a non-crackable CAPTCHA doesn't exist, but also that there doesn't exist a real hard to crack CAPTCHA. All current CAPTCHAs can be broken quite easily. MD5 can help in some cases, but only if the CAPTCHA uses static images/audio/video/etc.
>
> Just about your Audio CAPTCHA, you could use MD5 to crack it, as the number has the same MD5 sum each time.

Similar methods could be applied to sound as to images to distort the sound enough to make it difficult for speech recognition software to understand, but not so much that real humans couldn't understand it. At any rate, it could be enough to prevent md5 indexing... but then again, that would require the audio be mutated on each request, and enough audio be mutated to prevent md5 indexing based on partial signatures -- similar to how viruses are detected - this is especially important if using dictionary words since the sample space is so small (could always use sentences though) :)

Cheers,
Rob.
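A self-audit a site owner could run against their own challenge generator to see whether the weakness discussed in this thread applies, written here as an added example and not code from any poster. The three render functions are hypothetical stand-ins (constructed bytes, not real image or audio data) for a static file, a file with a few random bytes tacked on, and a file perturbed throughout; the chunk size of 64 bytes is an arbitrary choice.

```php
<?php
/** Hypothetical static generator: the same answer always yields the same bytes. */
function renderStatic(string $answer): string
{
    $bytes = '';
    for ($i = 0; $i < 32; $i++) {
        $bytes .= hash('sha256', $answer . ':' . $i, true);   // 32 x 32 = 1024 bytes
    }
    return $bytes;
}

/** Hypothetical generator that only appends a few random bytes per request. */
function renderTailNoise(string $answer): string
{
    return renderStatic($answer) . random_bytes(8);
}

/** Hypothetical generator that perturbs every byte on every request. */
function renderFullJitter(string $answer): string
{
    $out = '';
    foreach (str_split(renderStatic($answer)) as $byte) {
        $out .= chr((ord($byte) + random_int(1, 3)) % 256);
    }
    return $out;
}

/**
 * Render the same answer $samples times and measure what stays constant:
 * - distinct whole-file MD5 sums (1 means the file can be indexed by digest)
 * - fixed-offset chunks whose MD5 appears in every render (the "partial
 *   signature" case: a stable fragment identifies the answer even when the
 *   whole-file digest changes)
 */
function auditDigestStability(callable $render, string $answer, int $samples = 20, int $chunk = 64): array
{
    $wholeDigests = [];
    $chunkSeenIn  = [];
    for ($i = 0; $i < $samples; $i++) {
        $bytes = $render($answer);
        $wholeDigests[md5($bytes)] = true;
        $chunkDigests = array_unique(array_map('md5', str_split($bytes, $chunk)));
        foreach ($chunkDigests as $digest) {
            $chunkSeenIn[$digest] = ($chunkSeenIn[$digest] ?? 0) + 1;
        }
    }
    $stable = array_filter($chunkSeenIn, fn (int $n): bool => $n === $samples);
    return [
        'distinct_whole_digests' => count($wholeDigests),
        'chunks_in_every_render' => count($stable),
    ];
}

foreach (['renderStatic', 'renderTailNoise', 'renderFullJitter'] as $generator) {
    $result = auditDigestStability($generator, '7');
    printf(
        "%-18s distinct whole-file MD5s: %2d   chunks identical in every render: %2d\n",
        $generator,
        $result['distinct_whole_digests'],
        $result['chunks_in_every_render']
    );
}
```

A generator is only out of reach of digest indexing when the first figure equals the number of samples and the second is zero; a changing whole-file digest with many stable chunks is the partial-signature situation described above.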
Re: [PHP] redirect http to https
On 4/9/07, Ben Liu wrote:
> What's the prescribed method for redirecting a user forcibly from the non-SSL secured version of a page to the SSL-secured version? Is this handled at the web server level or at the script level. I found this by googling:
>
>     <?php if($_SERVER['SERVER_PORT'] !== $encport || $_SERVER['HTTPS'] !== "on") {header("Location: https://".$_SERVER['SERVER_NAME'].$_SERVER['SCRIPT_NAME']);exit;} ?>
>
> What do people think about this solution?
>
> Thanks,
> - Ben

Apache mod_rewrite maybe?

Tijnema
RE: [PHP] Sense last record
Assuming you know it will be three records:

    $i = 1;
    while(...) {
        if($i==3) {
            //Do the stuff for the last one
        } else {
            //Do the rest of the stuff here
        }
        $i++;
    }

Assuming you don't know:

    $count = mysql_num_rows($Result); //or equivalent in AdoDB
    $i=1;
    while(...) {
        if($i==$count) {
            //Do the stuff for the last one
        } else {
            //Do the rest of the stuff here
        }
        $i++;
    }

Best regards,
Peter Lauri

-----Original Message-----
From: Mário Gamito
Sent: Monday, April 09, 2007 3:32 PM
To: php-general@lists.php.net
Subject: [PHP] Sense last record

Hi,

I'm doing this site that has three news in the homepage. You can see the static version here: http://www.telbit.pt

As you can see, the two first news have "blocoTexto" class and the third, "blocoTextoLast".

Now, i'm developing a dynamic structure where the news are stored in a MySQL database and retrieved from there.

My problem is with the third news and its different class. I'm using AdoDB recordSet to get the news from the database. You can see it here: http://www.telbit.pt/2/

How can i sense that i've reached the last row and apply the "blocoTextoLast" class to it?

My code follows my signature.

Any help would be appreciated.

Warm Regards
--
:wq!
Mário Gamito
--

    <div id="blocoNews">
    <?php
    include('config.php');
    include('adodb/adodb.inc.php');

    // connect to MySQL (the debug flag can only be set once the connection object exists)
    $conn = ADONewConnection('mysql');
    $conn->debug = 1;
    $conn->PConnect($host, $user, $password, $database);

    // get news data
    $recordSet = $conn->Execute("SELECT date, now, title, lead, body FROM news ORDER BY date DESC LIMIT 3");

    if (!$recordSet)
        print $conn->ErrorMsg();
    else
        while (!$recordSet->EOF) {
            print '<div class="blocoTexto">' . ' <h3>' . $recordSet->fields[2] . '</h3>' . '<p class="data">' . $recordSet->fields[0] . '</p>' . '<p>' . $recordSet->fields[3] . '</p>' . '</div>';
            $recordSet->MoveNext();
        }
    echo "<br class=\"clear\">";
    $recordSet->Close();
    $conn->Close();
    ?>
    <!-- end #secContent -->
    </div>
Re: [PHP] MD5 bot Question
On 4/9/07, Robert Cummings wrote:
> On Mon, 2007-04-09 at 16:27 +0200, Tijnema ! wrote:
>> I think that we can conclude that a non-crackable CAPTCHA doesn't exist, but also that there doesn't exist a real hard to crack CAPTCHA. All current CAPTCHAs can be broken quite easily. MD5 can help in some cases, but only if the CAPTCHA uses static images/audio/video/etc.
>>
>> Just about your Audio CAPTCHA, you could use MD5 to crack it, as the number has the same MD5 sum each time.
>
> Similar methods could be applied to sound as to images to distort the sound enough to make it difficult for speech recognition software to understand, but not so much that real humans couldn't understand it. At any rate, it could be enough to prevent md5 indexing... but then again, that would require the audio be mutated on each request, and enough audio be mutated to prevent md5 indexing based on partial signatures -- similar to how viruses are detected - this is especially important if using dictionary words since the sample space is so small (could always use sentences though) :)
>
> Cheers,
> Rob.

But well, you can't have an audio-only CAPTCHA on your site, a lot of people don't have speakers on their PC. And some people can't recognize English numbers... So then you have a "write the key" CAPTCHA or similar on your site, and the cracker would use that :)

Tijnema
Re: [PHP] Session Authentication
On 4/9/07, Martin Marques <martin@bugs.unl.edu.ar> wrote:
> Ólafur Waage wrote:
>> Let's say i have a login system. This system authenticates the user via mysql, when the user is authenticated, i set a session variable to let the system know the user is authenticated. ie. $_SESSION['authenticated'] = true;
>>
>> Let's also say i know that's how the system works, that a session variable within my browser is set to true. Could i do this if i knew all this info and authenticate myself by setting the variable from the client side?
>
> The only way I know is, if you use transid (transparent session id), the cracker could hijack your session id and the system would think that it's you (suppose that it's your session that got hijacked).
>
>> If it is possible, what can i do to prevent this or increase security?
>
> Yes: Don't use transparent session id, or even better, save the authentication in a cookie on the client (separated from the session array).

And then the user would crack the cookie. I know they are encrypted, but trust me, cookies can be edited.

Tijnema
RE: [PHP] redirect http to https
-----Original Message-----
From: Ben Liu
Sent: Monday, April 09, 2007 3:52 PM
To: Martin Marques; PHP
Subject: Re: [PHP] redirect http to https

On 4/9/07, Martin Marques <martin@bugs.unl.edu.ar> wrote:
> This should be done with the rewrite instruction of apache, or whatever instruction your web server has.

Um...guess I will have to check with our hosting company about this. Thanks.

- Ben

[Peter Lauri - DWS Asia] You might be able to do this by putting an .htaccess file in your webroot of non-ssl:

    RewriteEngine On
    RewriteRule ^/(.*)$ https://www.yourdomain.com/$1 [L]

Best regards,
Peter Lauri
Re: [PHP] Session Authentication
On Monday 09 April 2007 10:04, Stut wrote:
> Ólafur Waage wrote:
>> Let's say i have a login system. This system authenticates the user via mysql, when the user is authenticated, i set a session variable to let the system know the user is authenticated. ie. $_SESSION['authenticated'] = true;
>>
>> Let's also say i know that's how the system works, that a session variable within my browser is set to true. Could i do this if i knew all this info and authenticate myself by setting the variable from the client side?
>>
>> If it is possible, what can i do to prevent this or increase security?
>
> No. Your terminology indicates a major lack of understanding regarding how sessions work. Session variables are not within [your] browser. The only thing stored in the browser (usually as a cookie) is the session ID. The contents of the session are stored on the server.
>
> So, given that, the answer to your question is... not unless your code is exploitable to allow the user to arbitrarily set session variables.
>
> -Stut

Sessions are stored in the server's temporary folder... So... If I know my session ID and where it's stored, I can do something...

--
Davi Vidal
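The points raised across this thread, put into one added example (not code from any poster; PHP 7.3 or later assumed): the authenticated flag lives only in the server-side session, the session ID travels only in a cookie and is replaced at login, the session files sit in a private directory, and the one way a client could set the flag, a handler that copies request keys into $_SESSION, is shown beside an allowlisted version. The user table, directory name and function names are constructed for illustration.

```php
<?php
function hardenSessionConfig(string $privateDir): void
{
    if (!is_dir($privateDir)) {
        mkdir($privateDir, 0700, true);          // session files readable by this account only
    }
    ini_set('session.save_path', $privateDir);   // not the shared system temp folder
    ini_set('session.use_trans_sid', '0');       // never embed the session ID in URLs
    ini_set('session.use_only_cookies', '1');    // ignore session IDs passed via GET/POST
    ini_set('session.use_strict_mode', '1');     // refuse IDs the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,                      // send the ID over HTTPS only
        'httponly' => true,                      // keep the ID away from page scripts
        'samesite' => 'Lax',
    ]);
}

function isAuthenticated(): bool
{
    // Only server-side state is consulted; nothing from $_COOKIE, $_GET or $_POST.
    return isset($_SESSION['authenticated']) && $_SESSION['authenticated'] === true;
}

function logIn(string $user, string $password, array $users): bool
{
    if (!isset($users[$user]) || !password_verify($password, $users[$user])) {
        return false;
    }
    session_regenerate_id(true);                 // new ID at login, old session data deleted
    $_SESSION['authenticated'] = true;
    $_SESSION['user'] = $user;
    return true;
}

/** The exploitable pattern: the client chooses which session keys get written. */
function saveSettingsUnsafe(array $input): void
{
    foreach ($input as $key => $value) {
        $_SESSION[$key] = $value;
    }
}

/** Same feature with the keys fixed by the server. */
function saveSettings(array $input): void
{
    foreach (['theme', 'language'] as $key) {
        if (isset($input[$key]) && is_string($input[$key])) {
            $_SESSION['settings'][$key] = $input[$key];
        }
    }
}

// Constructed user table standing in for the MySQL lookup in the thread.
$users = ['olafur' => password_hash('correct horse', PASSWORD_DEFAULT)];

hardenSessionConfig(sys_get_temp_dir() . '/demo_sessions_' . getmypid());
session_start();
$report = [];

$_COOKIE['authenticated'] = 'true';              // values a client is free to send
$_GET['authenticated']    = '1';
$report['forged cookie / query value'] = isAuthenticated();

saveSettings(['theme' => 'dark', 'authenticated' => true]);
$report['allowlisted settings handler'] = isAuthenticated();

saveSettingsUnsafe(['authenticated' => true]);
$report['mass-assigning handler'] = isAuthenticated();
unset($_SESSION['authenticated']);

$idBeforeLogin = session_id();
$report['login, wrong password']   = logIn('olafur', 'guess', $users);
$report['login, correct password'] = logIn('olafur', 'correct horse', $users);
$report['session ID replaced']     = ($idBeforeLogin !== session_id());
session_write_close();

foreach ($report as $label => $value) {
    printf("%-30s %s\n", $label, var_export($value, true));
}
```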
Re: [PHP] MD5 bot Question
On Mon, 2007-04-09 at 16:39 +0200, Tijnema ! wrote:
> On 4/9/07, Robert Cummings wrote:
>> On Mon, 2007-04-09 at 16:27 +0200, Tijnema ! wrote:
>>> I think that we can conclude that a non-crackable CAPTCHA doesn't exist, but also that there doesn't exist a real hard to crack CAPTCHA. All current CAPTCHAs can be broken quite easily. MD5 can help in some cases, but only if the CAPTCHA uses static images/audio/video/etc.
>>>
>>> Just about your Audio CAPTCHA, you could use MD5 to crack it, as the number has the same MD5 sum each time.
>>
>> Similar methods could be applied to sound as to images to distort the sound enough to make it difficult for speech recognition software to understand, but not so much that real humans couldn't understand it. At any rate, it could be enough to prevent md5 indexing... but then again, that would require the audio be mutated on each request, and enough audio be mutated to prevent md5 indexing based on partial signatures -- similar to how viruses are detected - this is especially important if using dictionary words since the sample space is so small (could always use sentences though) :)
>>
>> Cheers,
>> Rob.
>
> But well, you can't have an audio-only CAPTCHA on your site, a lot of people don't have speakers on their PC. And some people can't recognize English numbers... So then you have a "write the key" CAPTCHA or similar on your site, and the cracker would use that :)

Yep, like I said to Tedd before... kinda need multiple forms of captcha tailored to particular special needs audiences. Visual is good for pretty much all but the blind. Blind people can use audio captcha. Beyond that... is it worth the cost to target diminishing audiences?

Cheers,
Rob.
Re: [PHP] redirect http to https
On 4/9/07, Peter Lauri wrote:
> You might be able to do this by putting an .htaccess file in your webroot of non-ssl:
>
>     RewriteEngine On
>     RewriteRule ^/(.*)$ https://www.yourdomain.com/$1 [L]

This appears to work:

    RewriteEngine On
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^(.*) https://%{SERVER_NAME}/$1 [L,R]

(sorry if off-topic)
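For hosts where the rewrite rules above are not available, a script-level fallback written as an added example (not code from the thread): it treats the request as HTTPS when the HTTPS variable is set or the port is 443, builds the target from a fixed list of host names instead of echoing back whatever name the request carried, and keeps the full path and query string. The host name www.example.com and the function names are placeholders.

```php
<?php
/** True when the request arrived over TLS according to the server variables. */
function isHttps(array $server): bool
{
    // HTTPS is a non-empty string under TLS; some servers set it to "off" otherwise.
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    if ($https !== '' && $https !== 'off') {
        return true;
    }
    // SERVER_PORT is a string, so compare it as one; a strict comparison
    // against an integer would never match.
    return (string) ($server['SERVER_PORT'] ?? '') === '443';
}

/** Returns the https:// URL to redirect to, or null when no redirect is needed. */
function httpsRedirectTarget(array $server, array $allowedHosts): ?string
{
    if (isHttps($server)) {
        return null;
    }
    // The host name comes from the request (SERVER_NAME can mirror the Host
    // header depending on server configuration), so it is only reused when
    // it is one of ours; otherwise fall back to the primary name.
    $host = strtolower((string) ($server['HTTP_HOST'] ?? ''));
    $host = preg_replace('/:\d+$/', '', $host);          // drop ":80" style suffix
    if (!in_array($host, $allowedHosts, true)) {
        $host = $allowedHosts[0];
    }
    // REQUEST_URI keeps the path and query string; SCRIPT_NAME would drop them.
    $uri = (string) ($server['REQUEST_URI'] ?? '/');
    if ($uri === '' || $uri[0] !== '/' || preg_match('/[\r\n]/', $uri)) {
        $uri = '/';
    }
    return 'https://' . $host . $uri;
}

/** Call at the top of a page, before any output. */
function enforceHttps(array $allowedHosts): void
{
    $target = httpsRedirectTarget($_SERVER, $allowedHosts);
    if ($target !== null) {
        header('Location: ' . $target, true, 301);
        exit;
    }
    // Already on HTTPS: ask the browser to skip plain HTTP on later visits.
    header('Strict-Transport-Security: max-age=31536000');
}

// Constructed request environments to show the decisions without a web server.
$allowedHosts = ['www.example.com', 'example.com'];
$requests = [
    'plain HTTP'          => ['SERVER_PORT' => '80', 'HTTP_HOST' => 'example.com', 'REQUEST_URI' => '/cart.php?id=7'],
    'HTTPS flag set'      => ['SERVER_PORT' => '443', 'HTTPS' => 'on', 'HTTP_HOST' => 'www.example.com', 'REQUEST_URI' => '/'],
    'HTTPS flag "off"'    => ['SERVER_PORT' => '80', 'HTTPS' => 'off', 'HTTP_HOST' => 'www.example.com:80', 'REQUEST_URI' => '/login.php'],
    'unknown Host header' => ['SERVER_PORT' => '80', 'HTTP_HOST' => 'other.invalid', 'REQUEST_URI' => '/login.php'],
];
foreach ($requests as $label => $server) {
    $target = httpsRedirectTarget($server, $allowedHosts);
    printf("%-20s -> %s\n", $label, $target ?? '(already HTTPS, no redirect)');
}
```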
Re: [PHP] Sense last record
I would use some JavaScript on the client side to go through the table and change the classes once the whole page is loaded. Otherwise, for a pure PHP solution, I might either load the whole table on an array, which is wasteful in memory, or defer the actual output of each record until the next record is read so, if no further records exist, I would change the class name of the row still in a variable and output the row right after the loop ends before the end of the table.

Satyam

----- Original Message -----
From: Mário Gamito
To: php-general@lists.php.net
Sent: Monday, April 09, 2007 3:31 PM
Subject: [PHP] Sense last record

Hi,

I'm doing this site that has three news in the homepage. You can see the static version here: http://www.telbit.pt

As you can see, the two first news have "blocoTexto" class and the third, "blocoTextoLast".

Now, i'm developing a dynamic structure where the news are stored in a MySQL database and retrieved from there.

My problem is with the third news and its different class. I'm using AdoDB recordSet to get the news from the database. You can see it here: http://www.telbit.pt/2/

How can i sense that i've reached the last row and apply the "blocoTextoLast" class to it?

My code follows my signature.

Any help would be appreciated.

Warm Regards
--
:wq!
Mário Gamito
--

    <div id="blocoNews">
    <?php
    include('config.php');
    include('adodb/adodb.inc.php');

    // connect to MySQL (the debug flag can only be set once the connection object exists)
    $conn = ADONewConnection('mysql');
    $conn->debug = 1;
    $conn->PConnect($host, $user, $password, $database);

    // get news data
    $recordSet = $conn->Execute("SELECT date, now, title, lead, body FROM news ORDER BY date DESC LIMIT 3");

    if (!$recordSet)
        print $conn->ErrorMsg();
    else
        while (!$recordSet->EOF) {
            print '<div class="blocoTexto">' . ' <h3>' . $recordSet->fields[2] . '</h3>' . '<p class="data">' . $recordSet->fields[0] . '</p>' . '<p>' . $recordSet->fields[3] . '</p>' . '</div>';
            $recordSet->MoveNext();
        }
    echo "<br class=\"clear\">";
    $recordSet->Close();
    $conn->Close();
    ?>
    <!-- end #secContent -->
    </div>
Re: [PHP] MD5 bot Question
On 4/9/07, Robert Cummings [EMAIL PROTECTED] wrote: On Mon, 2007-04-09 at 16:39 +0200, Tijnema ! wrote: On 4/9/07, Robert Cummings [EMAIL PROTECTED] wrote: On Mon, 2007-04-09 at 16:27 +0200, Tijnema ! wrote: I think that we can conclude that a non-crackable CAPTCHA doesn't exist, but also that there doesn't exist a real hard to crack CAPTCHA. All current CAPTCHAs can be broken quite easy. MD5 can help in some cases, but only if the CAPTCHA uses static images/audio/video/etc. Just about your Audio CAPTCHA, you could use MD5 to crack it, as the number has the same MD5 sum each time. Similar methods could be applied to sound as to images to distort the sound enough to make it difficult for speech recognition software to understand, but not so much that real humans couldn't understand it. At any rate, it could be enough to prevent md5 indexing... but then again, that would require the audio be mutated on each request, and enough audio be mutated to prevent md5 indexing based on partial signatures -- similar to how viruses are detected - this is especially important if using dictionary words since the sample space is so small (could always use sentences though) :) Cheers, Rob. But well, you can't have a audio only CAPTCHA on your site, a lot people don't have speakers on there PC. And some people can't recognize english numbers... So then you have an write the key CAPTHCA or smiliar on your site, and the cracker would use that :) Yep, like I said to Tedd before... kinda need multiple forms of captcha tailored to particular special needs audiences. Visual is good for pretty much all but the blind. Blind people can use audio captcha. Beyond that... is it worth the cost to target diminishing audiences? Cheers, Rob. Uhm, blind people can't even view your page :P I think you mean visual impaired people :) Tijnema -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Sense last record
Sorry, I only saw the one response to this question so not sure if what I'm going to propose was already mentioned and wouldn't work.

Two things come to mind.. first, it looks like blocoTextoLast just has different margin settings, I assume because it's located on the right side of the page content. Would you care if, for example, you only had two news items and the second one (being the last) had margins set to what the first or second news items would have and not the last item? That is, does news item #1 or #2 need the special formatting that #3 does?

Second, why not just get a count of the number of news items returned by the SQL query. If it's only one, then apply blocoTextoLast to item #1. If it's two, apply it to #2. If it's three or more, apply it to the third news item?

I guess one more thing could be done. Create three div containers, like you're doing now. Use blocoTexto for the first two, and blocoTextoLast for the third. It doesn't really matter if they have any content, the class stays the same. Then you don't have to worry if you have 1, 2 or 3 news items.

-TG

= = = Original message = = =
- Original Message -
From: Mário Gamito [EMAIL PROTECTED]
To: php-general@lists.php.net
Sent: Monday, April 09, 2007 3:31 PM
Subject: [PHP] Sense last record

Hi,

I'm doing this site that has three news in the homepage. You can see the static version here: http://www.telbit.pt As you can see, the two first news have blocoTexto class and the third, blocoTextoLast.

Now, I'm developing a dynamic structure where the news are stored in a MySQL database and retrieved from there. My problem is with the third news and its different class. I'm using AdoDB recordSet to get the news from the database. You can see it here: http://www.telbit.pt/2/

How can I sense that I've reached the last row and apply the blocoTextoLast class to it? My code follows my signature. Any help would be appreciated.

Warm Regards
-- :wq! Mário Gamito --

<div id="blocoNews">
<?php
include('config.php');
include('adodb/adodb.inc.php');

// connect to MySQL (debug can only be set once $conn exists)
$conn = ADONewConnection('mysql');
$conn->debug = 1;
$conn->PConnect($host, $user, $password, $database);

// get news data
$recordSet = $conn->Execute("SELECT date, now, title, lead, body FROM news ORDER BY date DESC LIMIT 3");
if (!$recordSet) {
    print $conn->ErrorMsg();
} else {
    while (!$recordSet->EOF) {
        print '<div class="blocoTexto">' . ' <h3>' . $recordSet->fields[2] . '</h3>' . '<p class="data">' . $recordSet->fields[0] . '</p>' . '<p>' . $recordSet->fields[3] . '</p>' . '</div>';
        $recordSet->MoveNext();
    }
    echo "<br class=\"clear\">";
    // only close a record set that was actually returned
    $recordSet->Close();
}
$conn->Close();
?>
<!-- end #secContent -->
</div>
Re: [PHP] MD5 bot Question
Tijnema ! wrote: On 4/9/07, Robert Cummings [EMAIL PROTECTED] wrote: On Mon, 2007-04-09 at 16:39 +0200, Tijnema ! wrote: On 4/9/07, Robert Cummings [EMAIL PROTECTED] wrote: On Mon, 2007-04-09 at 16:27 +0200, Tijnema ! wrote: I think that we can conclude that a non-crackable CAPTCHA doesn't exist, but also that there doesn't exist a real hard to crack CAPTCHA. All current CAPTCHAs can be broken quite easy. MD5 can help in some cases, but only if the CAPTCHA uses static images/audio/video/etc. Just about your Audio CAPTCHA, you could use MD5 to crack it, as the number has the same MD5 sum each time. Similar methods could be applied to sound as to images to distort the sound enough to make it difficult for speech recognition software to understand, but not so much that real humans couldn't understand it. At any rate, it could be enough to prevent md5 indexing... but then again, that would require the audio be mutated on each request, and enough audio be mutated to prevent md5 indexing based on partial signatures -- similar to how viruses are detected - this is especially important if using dictionary words since the sample space is so small (could always use sentences though) :) Cheers, Rob. But well, you can't have a audio only CAPTCHA on your site, a lot people don't have speakers on there PC. And some people can't recognize english numbers... So then you have an write the key CAPTHCA or smiliar on your site, and the cracker would use that :) Yep, like I said to Tedd before... kinda need multiple forms of captcha tailored to particular special needs audiences. Visual is good for pretty much all but the blind. Blind people can use audio captcha. Beyond that... is it worth the cost to target diminishing audiences? Cheers, Rob. Uhm, blind people can't even view your page :P I think you mean visual impaired people :) Yes they can... 
http://www.webaim.org/articles/visual/blind.php -Stut
Re: [PHP] MD5 bot Question
On 4/9/07, Stut [EMAIL PROTECTED] wrote: Tijnema ! wrote: On 4/9/07, Robert Cummings [EMAIL PROTECTED] wrote: On Mon, 2007-04-09 at 16:39 +0200, Tijnema ! wrote: On 4/9/07, Robert Cummings [EMAIL PROTECTED] wrote: On Mon, 2007-04-09 at 16:27 +0200, Tijnema ! wrote: I think that we can conclude that a non-crackable CAPTCHA doesn't exist, but also that there doesn't exist a real hard to crack CAPTCHA. All current CAPTCHAs can be broken quite easy. MD5 can help in some cases, but only if the CAPTCHA uses static images/audio/video/etc. Just about your Audio CAPTCHA, you could use MD5 to crack it, as the number has the same MD5 sum each time. Similar methods could be applied to sound as to images to distort the sound enough to make it difficult for speech recognition software to understand, but not so much that real humans couldn't understand it. At any rate, it could be enough to prevent md5 indexing... but then again, that would require the audio be mutated on each request, and enough audio be mutated to prevent md5 indexing based on partial signatures -- similar to how viruses are detected - this is especially important if using dictionary words since the sample space is so small (could always use sentences though) :) Cheers, Rob. But well, you can't have a audio only CAPTCHA on your site, a lot people don't have speakers on there PC. And some people can't recognize english numbers... So then you have an write the key CAPTHCA or smiliar on your site, and the cracker would use that :) Yep, like I said to Tedd before... kinda need multiple forms of captcha tailored to particular special needs audiences. Visual is good for pretty much all but the blind. Blind people can use audio captcha. Beyond that... is it worth the cost to target diminishing audiences? Cheers, Rob. Uhm, blind people can't even view your page :P I think you mean visual impaired people :) Yes they can... http://www.webaim.org/articles/visual/blind.php -Stut Interesting... Didn't know that... 
:) Tijnema
Re: [PHP] Sense last record
Hi,

Thank you all for your answers. I solved the problem with:

<div id="blocoNews">
<?php
include('config.php');
include('adodb/adodb.inc.php');
$debug = 1;

// connect to MySQL (debug can only be set once $conn exists)
$conn = ADONewConnection('mysql');
$conn->debug = 1;
$conn->PConnect($host, $user, $password, $database);

// get the three most recent news items
$recordSet = $conn->Execute("SELECT id_news, date, now, title, lead, body FROM news ORDER BY now DESC LIMIT 3");
$counter = 0;
if (!$recordSet) {
    print $conn->ErrorMsg();
} else {
    while (!$recordSet->EOF) {
        $counter++;
        // the third row gets the "last" class
        if ($counter == 3)
            $div = '<div class="blocoTextoLast">';
        else
            $div = '<div class="blocoTexto">';
        print($div);
        print '<h3>' . $recordSet->fields[3] . '</h3>' . '<p class="data">' . $recordSet->fields[1] . '</p>' . '<p>' . $recordSet->fields[4] . '<a href="news.php?news=' . $recordSet->fields[0] . '">[+]</a>' . '</p>' . '</div>';
        $recordSet->MoveNext();
    }
    echo "<br class=\"clear\">";
    // only close a record set that was actually returned
    $recordSet->Close();
}
$conn->Close();
?>
<!-- end #secContent -->
</div>

Warm Regards
-- :wq! Mário Gamito
Re: [PHP] Session Authentication
Tijnema ! wrote:
On 4/9/07, Martin Marques martin@bugs.unl.edu.ar wrote:
Yes: Don't use transparent session id, or even better, save the authentication in a cookie on the client (separated from the session array).
And then the user would crack the cookie I know they are encrypted, but trust me, cookies can be edited.

So what? The user authenticated himself, so what is he gonna crack? You want better info on this subject, see how webmail apps store the authentication information (gmail.com comes to mind now).

-- select 'mmarques' || '@' || 'unl.edu.ar' AS email; - Martín Marqués | Programador, DBA Centro de Telemática| Administrador Universidad Nacional del Litoral -
Re: [PHP] MD5 bot Question
On Mon, 2007-04-09 at 17:28 +0200, Tijnema ! wrote: On 4/9/07, Stut [EMAIL PROTECTED] wrote: Tijnema ! wrote: On 4/9/07, Robert Cummings [EMAIL PROTECTED] wrote: On Mon, 2007-04-09 at 16:39 +0200, Tijnema ! wrote: On 4/9/07, Robert Cummings [EMAIL PROTECTED] wrote: On Mon, 2007-04-09 at 16:27 +0200, Tijnema ! wrote: I think that we can conclude that a non-crackable CAPTCHA doesn't exist, but also that there doesn't exist a real hard to crack CAPTCHA. All current CAPTCHAs can be broken quite easy. MD5 can help in some cases, but only if the CAPTCHA uses static images/audio/video/etc. Just about your Audio CAPTCHA, you could use MD5 to crack it, as the number has the same MD5 sum each time. Similar methods could be applied to sound as to images to distort the sound enough to make it difficult for speech recognition software to understand, but not so much that real humans couldn't understand it. At any rate, it could be enough to prevent md5 indexing... but then again, that would require the audio be mutated on each request, and enough audio be mutated to prevent md5 indexing based on partial signatures -- similar to how viruses are detected - this is especially important if using dictionary words since the sample space is so small (could always use sentences though) :) Cheers, Rob. But well, you can't have a audio only CAPTCHA on your site, a lot people don't have speakers on there PC. And some people can't recognize english numbers... So then you have an write the key CAPTHCA or smiliar on your site, and the cracker would use that :) Yep, like I said to Tedd before... kinda need multiple forms of captcha tailored to particular special needs audiences. Visual is good for pretty much all but the blind. Blind people can use audio captcha. Beyond that... is it worth the cost to target diminishing audiences? Cheers, Rob. Uhm, blind people can't even view your page :P I think you mean visual impaired people :) Yes they can... 
http://www.webaim.org/articles/visual/blind.php -Stut
Interesting... Didn't know that... :)

By blind though I meant both visually impaired and as Stut pointed out for you, completely blind :) They sort of need the same solution unless the visual impairment is minor.

Cheers, Rob.
--
InterJinn Application Framework - http://www.interjinn.com
An application and templating framework for PHP. Boasting a powerful, scalable system for accessing system services such as forms, properties, sessions, and caches. InterJinn also provides an extremely flexible architecture for creating re-usable components quickly and easily.
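The point quoted in this thread, that a challenge must be mutated on every request and mutated throughout to resist indexing by MD5 or by partial signatures, can be checked against your own generator. The following is an added example, not code from any poster: the three generators and their byte payloads are constructed stand-ins for a rendered image or audio clip, and the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// MD5 of each fixed-size chunk, used as a simple "partial signature" set.
function chunk_digests(string $bytes, int $size = 256): array
{
    $set = [];
    foreach (str_split($bytes, $size) as $chunk) {
        $set[md5($chunk)] = true;
    }
    return $set;
}

// Render the same answer repeatedly and measure how indexable the output is.
function audit_generator(callable $render, string $answer, int $samples = 20): array
{
    $whole = [];
    $overlaps = [];
    $prev = null;
    for ($i = 0; $i < $samples; $i++) {
        $bytes = $render($answer);
        $whole[md5($bytes)] = true;
        $chunks = chunk_digests($bytes);
        if ($prev !== null) {
            $shared = count(array_intersect_key($chunks, $prev));
            $overlaps[] = $shared / max(1, count($chunks));
        }
        $prev = $chunks;
    }
    return [
        'distinct_whole_md5' => count($whole),   // want: equal to $samples
        'samples'            => $samples,
        'mean_chunk_overlap' => $overlaps ? array_sum($overlaps) / count($overlaps) : 0.0, // want: near 0
    ];
}

// Constructed 4096-byte payload that depends only on the answer.
function base_payload(string $answer): string
{
    $out = '';
    for ($i = 0; $i < 128; $i++) {
        $out .= hash('sha256', $answer . ':' . $i, true);
    }
    return $out;
}

// 1. Static asset: identical bytes for the same answer on every request.
$static = fn(string $a): string => base_payload($a);

// 2. Random trailer only: whole-file MD5 changes, the body does not.
$trailer = fn(string $a): string => base_payload($a) . random_bytes(16);

// 3. Noise applied across the whole payload on every request.
$mutated = function (string $a): string {
    $bytes = base_payload($a);
    for ($i = 0, $n = strlen($bytes); $i < $n; $i++) {
        $bytes[$i] = chr(ord($bytes[$i]) ^ random_int(0, 3));
    }
    return $bytes;
};

foreach (['static' => $static, 'trailer-only' => $trailer, 'mutated' => $mutated] as $name => $gen) {
    $r = audit_generator($gen, '4711');
    printf(
        "%-13s distinct whole-file MD5: %2d/%d   mean chunk overlap: %.2f\n",
        $name,
        $r['distinct_whole_md5'],
        $r['samples'],
        $r['mean_chunk_overlap']
    );
}
```

The trailer-only generator passes a whole-file check while about 94% of its chunks repeat between requests; fixed-offset chunk hashing is a low bar, so a generator that fails it needs rework before any stronger test matters.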
Re: [PHP] Session Authentication
On 4/9/07, Martin Marques martin@bugs.unl.edu.ar wrote:
Tijnema ! wrote:
On 4/9/07, Martin Marques martin@bugs.unl.edu.ar wrote:
Yes: Don't use transparent session id, or even better, save the authentication in a cookie on the client (separated from the session array).
And then the user would crack the cookie I know they are encrypted, but trust me, cookies can be edited.
So what? The user authenticated himself, so what is he gonna crack?

Yes, but I guess you're not only storing if the user has authenticated, also storing a username? And if that's not the case, then you could authenticate by creating a cookie where it says authenticated = yes, and you're authenticated...

Tijnema
Re: [PHP] Session Authentication
On Monday 09 April 2007 12:37, Tijnema ! wrote:
On 4/9/07, Martin Marques martin@bugs.unl.edu.ar wrote:
Tijnema ! wrote:
On 4/9/07, Martin Marques martin@bugs.unl.edu.ar wrote:
Yes: Don't use transparent session id, or even better, save the authentication in a cookie on the client (separated from the session array).
And then the user would crack the cookie I know they are encrypted, but trust me, cookies can be edited.
So what? The user authenticated himself, so what is he gonna crack?
Yes, but I guess you're not only storing if the user has authenticated, also storing a username? And if that's not the case, then you could authenticate by creating a cookie where it says authenticated = yes, and you're authenticated... Tijnema

... and we get a security crater... =]

-- Davi Vidal [EMAIL PROTECTED] [EMAIL PROTECTED] -- Now with fortune: Crito, I owe a cock to Asclepius; will you remember to pay the debt? -- Socrates' last words
RE: [PHP] Session Authentication
-Original Message-
From: Tijnema ! [mailto:[EMAIL PROTECTED]
Sent: Monday, April 09, 2007 5:38 PM
To: Martin Marques
Cc: Ólafur Waage; php-general@lists.php.net
Subject: Re: [PHP] Session Authentication

On 4/9/07, Martin Marques martin@bugs.unl.edu.ar wrote:
Tijnema ! wrote:
On 4/9/07, Martin Marques martin@bugs.unl.edu.ar wrote:
Yes: Don't use transparent session id, or even better, save the authentication in a cookie on the client (separated from the session array).
And then the user would crack the cookie I know they are encrypted, but trust me, cookies can be edited.
So what? The user authenticated himself, so what is he gonna crack?
Yes, but I guess you're not only storing if the user has authenticated, also storing a username? And if that's not the case, then you could authenticate by creating a cookie where it says authenticated = yes, and you're authenticated... Tijnema

[Peter Lauri - DWS Asia] If cookies were that unsecured so you could create your own cookies that easily, then would cookies exist?

Best regards, Peter Lauri
www.dwsasia.com - company web site
www.lauri.se - personal web site
www.carbonfree.org.uk - become Carbon Free
Re: [PHP] Session Authentication
On 4/9/07, Peter Lauri [EMAIL PROTECTED] wrote:
-Original Message-
From: Tijnema ! [mailto:[EMAIL PROTECTED]
Sent: Monday, April 09, 2007 5:38 PM
To: Martin Marques
Cc: Ólafur Waage; php-general@lists.php.net
Subject: Re: [PHP] Session Authentication

On 4/9/07, Martin Marques martin@bugs.unl.edu.ar wrote:
Tijnema ! wrote:
On 4/9/07, Martin Marques martin@bugs.unl.edu.ar wrote:
Yes: Don't use transparent session id, or even better, save the authentication in a cookie on the client (separated from the session array).
And then the user would crack the cookie I know they are encrypted, but trust me, cookies can be edited.
So what? The user authenticated himself, so what is he gonna crack?
Yes, but I guess you're not only storing if the user has authenticated, also storing a username? And if that's not the case, then you could authenticate by creating a cookie where it says authenticated = yes, and you're authenticated... Tijnema

[Peter Lauri - DWS Asia] If cookies were that unsecured so you could create your own cookies that easily, then would cookies exist? Best regards, Peter Lauri

Cookies are old, so in the time they were introduced, today it is possible to create and modify cookies with some good tools. These tools are illegal, but every cracker is 99% illegal right? But that means I can't give you these tools to prove it, but it is possible.

Tijnema
RE: [PHP] Session Authentication
Cookies are old, so in the time they were introduced, today it is possible to create and modify cookies with some good tools. These tools are illegal, but every cracker is 99% illegal right? But that means I can't give you these tools to prove it, but it is possible. Tijnema

[Peter Lauri - DWS Asia] Having these tools is probably not illegal. But using them illegally is illegal :) Could you send me some more info off-list about this. Knowing how to use these tools will probably help me making my sites more secure, am I not right? :)

Best regards, Peter Lauri
www.dwsasia.com - company web site
www.lauri.se - personal web site
www.carbonfree.org.uk - become Carbon Free
Re: [PHP] Session Authentication
Peter Lauri wrote:
-Original Message-
From: Tijnema ! [mailto:[EMAIL PROTECTED]
Sent: Monday, April 09, 2007 5:38 PM
To: Martin Marques
Cc: Ólafur Waage; php-general@lists.php.net
Subject: Re: [PHP] Session Authentication

On 4/9/07, Martin Marques martin@bugs.unl.edu.ar wrote:
Tijnema ! wrote:
On 4/9/07, Martin Marques martin@bugs.unl.edu.ar wrote:
Yes: Don't use transparent session id, or even better, save the authentication in a cookie on the client (separated from the session array).
And then the user would crack the cookie I know they are encrypted, but trust me, cookies can be edited.
So what? The user authenticated himself, so what is he gonna crack?
Yes, but I guess you're not only storing if the user has authenticated, also storing a username? And if that's not the case, then you could authenticate by creating a cookie where it says authenticated = yes, and you're authenticated... Tijnema

[Peter Lauri - DWS Asia] If cookies were that unsecured so you could create your own cookies that easily, then would cookies exist?

Cookies really are that insecure, which is why you *don't* use them to store whether the user has authenticated. You store that in the session and use a cookie purely to identify the session.

The main thing to remember is that cookies are transmitted between client and server for every request. This means that they *can* be faked. Sessions live only on the server making them a lot more secure, but by no means completely secure.

-Stut
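The distinction drawn in this message, as an added example that is not code from the thread: a check that trusts an "authenticated = yes" cookie beside one that treats the cookie purely as a session identifier resolved on the server. The SessionStore class, the SID cookie name and the sample requests are constructed for illustration (PHP 7.4 or later); in a real PHP application the server-side table is what session_start() and $_SESSION provide, with session_regenerate_id(true) called at login.

```php
<?php
declare(strict_types=1);

// WEAK: the authentication decision is read straight from client-supplied cookies.
function weak_current_user(array $cookies): ?string
{
    if (($cookies['authenticated'] ?? '') === 'yes') {
        return isset($cookies['username']) ? (string) $cookies['username'] : null;
    }
    return null;
}

// Server-side session table (hypothetical stand-in for PHP's own session storage).
final class SessionStore
{
    private array $sessions = [];

    public function login(string $username, int $ttl = 1800): string
    {
        $sid = bin2hex(random_bytes(16));          // 128-bit random identifier
        $this->sessions[$sid] = ['user' => $username, 'expires' => time() + $ttl];
        return $sid;                               // the only value sent to the client
    }

    public function lookup(string $sid): ?array
    {
        $session = $this->sessions[$sid] ?? null;
        if ($session === null || $session['expires'] < time()) {
            unset($this->sessions[$sid]);          // drop expired entries
            return null;
        }
        return $session;
    }

    public function logout(string $sid): void
    {
        unset($this->sessions[$sid]);
    }
}

// HARDENED: the cookie only names a session; who the user is comes from the server.
function session_current_user(array $cookies, SessionStore $store): ?string
{
    $sid = $cookies['SID'] ?? '';
    if (!is_string($sid) || preg_match('/\A[0-9a-f]{32}\z/', $sid) !== 1) {
        return null;                               // malformed identifier
    }
    $session = $store->lookup($sid);
    return $session === null ? null : $session['user'];
}

// Constructed requests: each array is the cookie set a client sent.
$store = new SessionStore();
$aliceSid = $store->login('alice');

$requests = [
    'forged flag cookie'       => ['authenticated' => 'yes', 'username' => 'admin'],
    'valid session id'         => ['SID' => $aliceSid],
    'valid id + forged extras' => ['SID' => $aliceSid, 'authenticated' => 'yes', 'username' => 'admin'],
    'guessed session id'       => ['SID' => str_repeat('0', 32)],
];

foreach ($requests as $label => $cookies) {
    printf(
        "%-25s weak=%-8s session=%s\n",
        $label,
        var_export(weak_current_user($cookies), true),
        var_export(session_current_user($cookies, $store), true)
    );
}

// After logout the same identifier no longer resolves to a user.
$store->logout($aliceSid);
printf("%-25s session=%s\n", 'after logout', var_export(session_current_user(['SID' => $aliceSid], $store), true));
```

The weak check reports 'admin' for the forged cookie, while the session check returns NULL for it and 'alice' whenever the valid identifier is present, regardless of any extra cookies sent alongside.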
Re: [PHP] Design Dilemma - Database Data Abstraction
2007/4/9, Lester Caine [EMAIL PROTECTED]: Martin Alterisio wrote: I have a dilemma on a design where I humbly ask your help. I'm working on the model part of a web application (not to be understood in the web2.0 way, but in a more general way, where anything mounted on HTTP is a web application) done in PHP5 following the MVC design pattern. But the strong point is that the result must be those-who-never-RTFM-proof. But that's not my dilemma, I only mention this so that no RoR concept or similar is thrown into the table, that is, NO ActiveRecord. The solution I presented is to access, and act upon, a database as if they were PHP arrays, meaning that a table is presented as an array of records. Here comes my dilemma. But first let me explain a bit about the scenario so far: I snip there - too much detail without defining the problem ;) Yeah, sorry about that, the concept seems a bit difficult to explain. I didn't found anything similar to point as reference. Database Data Abstraction normally refers to using a common internal structure which can be loaded from a range of database engines. It sounds as if you have no requirement to 'Abstract' the database, only to come up with a persistent object layer under a single database engine? Nope. It's an abstraction layer where the API is the common array operations, implemented through the SPL interfaces for that purpose. No explicit database is involved, except that some constrains to the structure of the data shall be involved. You have indicated that you are looking for a multi-user system, and so the raw data must be in the database, but as you have seen, the flexibility afforded by any database engine is difficult to duplicate. The thing to remember is that you should ONLY be reading the data you need for the current user, and so your persistent objects do not need to be as complex as you seem to be looking for. 
It is always faster to ask the database for an answer than to copy everything to PHP in order to work with it. With any decent database you can provide views of the data in a suitable format for the arrays you need display on the user interface. I completely understand, that's why from the beginning I decided that no precaching nor caching would be done, and lazy evaluation would be the way to go. The array operations would be transparently mapped to their counterpart db action when needed. I tried to find something suitable to point you at, but it's difficult http://www.appelsiini.net/~tuupola/php/DB_DataContainer/ Is probably in line with your current outline? Thanks but that's exactly what I don't want to do. -- Lester Caine - G8HFL - Contact - http://home.lsces.co.uk/lsces/wiki/?page=contact L.S.Caine Electronic Services - http://home.lsces.co.uk MEDW - http://home.lsces.co.uk/ModelEngineersDigitalWorkshop/ Treasurer - Firebird Foundation Inc. - http://www.firebirdsql.org/index.php Thanks for answering but my problem isn't how the abstraction will be actually implemented, but that the API (the array interface) stays as coherent as possible. If you have the time, please read what was snipped, those are my thoughts about how to make the array API coherent and what problems I encountered. Thanks again.
RE: [PHP] Session Authentication
On Mon, 2007-04-09 at 18:57 +0200, Peter Lauri wrote:
Cookies are old, so in the time they were introduced, today it is possible to create and modify cookies with some good tools. These tools are illegal, but every cracker is 99% illegal right? But that means I can't give you these tools to prove it, but it is possible. Tijnema
[Peter Lauri - DWS Asia] Having these tools is probably not illegal. But using them illegally is illegal :) Could you send me some more info off-list about this. Knowing how to use these tools will probably help me making my sites more secure, am I not right? :)

You don't need tools. Just go find where your browser stores them. Alternatively, enable cookies when using Curl, then you have them and can mod them on the fly as you see fit. Hasn't anyone here had a boring day (years ago) when they created an auto vote bot for some stupid poll? :B

Cookies are only slightly more secure than trans sid PHPSESSID since it's less likely the ignorant masses will post their cookie contents to a forum :)

Cheers, Rob.
Re: [PHP] Session Authentication
Peter Lauri wrote:
Cookies are old, so in the time they were introduced, today it is possible to create and modify cookies with some good tools. These tools are illegal, but every cracker is 99% illegal right? But that means I can't give you these tools to prove it, but it is possible. Tijnema
[Peter Lauri - DWS Asia] Having these tools is probably not illegal. But using them illegally is illegal :) Could you send me some more info off-list about this. Knowing how to use these tools will probably help me making my sites more secure, am I not right? :)

Cookies are HTTP headers, nothing more, nothing less. The minimum tool you need is telnet. If you're writing web applications and don't know that, please take the time to read the HTTP spec, and then the cookie spec. Google for them.

-Stut
Re: [PHP] Session Authentication
On 4/9/07, Stut [EMAIL PROTECTED] wrote:
Peter Lauri wrote:
Cookies are old, so in the time they were introduced, today it is possible to create and modify cookies with some good tools. These tools are illegal, but every cracker is 99% illegal right? But that means I can't give you these tools to prove it, but it is possible. Tijnema
[Peter Lauri - DWS Asia] Having these tools is probably not illegal. But using them illegally is illegal :) Could you send me some more info off-list about this. Knowing how to use these tools will probably help me making my sites more secure, am I not right? :)
Cookies are HTTP headers, nothing more, nothing less. The minimum tool you need is telnet. If you're writing web applications and don't know that, please take the time to read the HTTP spec, and then the cookie spec. Google for them. -Stut

Encrypted stuff maybe? Faking cookies can be done without any tools, but we're talking about editing here...

Tijnema
Re: [PHP] Session Authentication
On 4/9/07, Tijnema ! [EMAIL PROTECTED] wrote:
On 4/9/07, Stut [EMAIL PROTECTED] wrote:
Peter Lauri wrote:
Cookies are old, so in the time they were introduced, today it is possible to create and modify cookies with some good tools. These tools are illegal, but every cracker is 99% illegal right? But that means I can't give you these tools to prove it, but it is possible. Tijnema
[Peter Lauri - DWS Asia] Having these tools is probably not illegal. But using them illegally is illegal :) Could you send me some more info off-list about this. Knowing how to use these tools will probably help me making my sites more secure, am I not right? :)
Cookies are HTTP headers, nothing more, nothing less. The minimum tool you need is telnet. If you're writing web applications and don't know that, please take the time to read the HTTP spec, and then the cookie spec. Google for them. -Stut
Encrypted stuff maybe? Faking cookies can be done without any tools, but we're talking about editing here... Tijnema

Editing IE cookies, Firefox cookies can be edited in Firefox I believe.

Tijnema
Re: [PHP] Session Authentication
On Monday 09 April 2007 13:05, Robert Cummings wrote:
(...) Hasn't anyone here had a boring day (years ago) when they created an auto vote bot for some stupid poll? :B

I never do this!!! =P But I changed a cookie of a browser game XD

-- Davi Vidal [EMAIL PROTECTED] [EMAIL PROTECTED] -- Now with fortune: Scintillation is not always identification for an auric substance.
Re: [PHP] Session Authentication
Tijnema ! wrote:
On 4/9/07, Martin Marques martin@bugs.unl.edu.ar wrote:
So what? The user authenticated himself, so what is he gonna crack?
Yes, but I guess you're not only storing if the user has authenticated, also storing a username? And if that's not the case, then you could authenticate by creating a cookie where it says authenticated = yes, and you're authenticated...

That would be the stupidest thing to do. I can't even imagine somebody thinking about doing it.

-- select 'mmarques' || '@' || 'unl.edu.ar' AS email; - Martín Marqués | Programador, DBA Centro de Telemática| Administrador Universidad Nacional del Litoral -
Re: [PHP] Session Authentication
Davi wrote:
Sessions are stored in the server's temporary folder... So... If I know my session ID and where it's stored, I can do something...

Have you tried it? I mean, as a non-root, non-apache user. :-P

-- select 'mmarques' || '@' || 'unl.edu.ar' AS email; - Martín Marqués | Programador, DBA Centro de Telemática| Administrador Universidad Nacional del Litoral -
Re: [PHP] Session Authentication
On Monday 09 April 2007 13:47, Martin Marques wrote:
Davi wrote:
Sessions are stored in the server's temporary folder... So... If I know my session ID and where it's stored, I can do something...
Have you tried it? I mean, as a non-root, non-apache user. :-P

No. And I know that is _impossible_... But... Don't expect it... ;-)

-- Davi Vidal [EMAIL PROTECTED] [EMAIL PROTECTED] -- Now with fortune: Asshole I'm talking to you.
Re: [PHP] MD5 bot Question
At 9:58 AM -0400 4/9/07, Robert Cummings wrote: On Mon, 2007-04-09 at 09:45 -0400, tedd wrote: However, this did make me wonder about the images that M$ and others are using for captchas -- like find the kitty in a set of pictures. The MD5 application could be used to identify as many pictures as any spammer would need. So, I think MD5 method, as described in this thread, would work very well to crack those type of captchas. I doubt Microsoft is using a static image repository for captchas. Cheers, Rob. I doubt that their image repository infinite. Plus, I envision a method where a bot could: 1. Scan the site, gather the images and key phrase. 2 MD5 the images. 3. Place all the MD5's with the associate key phrase in a dB. 4. Refresh and repeat. With repeated refreshes (not attempts at trying to enter), the key phrases associated with the MD5's will build and the bot will learn. It works like this -- the phrase find the kitty or key word kitty will always be associated with the picture of the kitty WHEN kitty is the solution. All other key phrases/words associated with the kitty picture will eventually stack out as just be background noise as data is gathered. As such, a bot could have a foundation at making an intelligent guess. Also, every guess (successful or not) provides even more data to be considered. The more data gathered, the better the guess. Hi Tedd, Put down the crack pipe please... captcha images are usually generated on the fly. Their image repository is 0. Their image universe is all of the permutations of an image containing all of the range of serial codes embedded in the images according to their morphing routine. I highly doubt the US Government could afford the space required to store all of the permutations. Considering the number of bytes available to a dynamically generated image, it is highly likely that the images would be capable of exhausting the entire md5 universe. Cheers, Rob. Rob: Duh -- put down the joint and stay on the subject. 
We were talking about M$'s picture captcha where they show pictures and ask a question like Pick the picture that shows a kitty and NOT an on the fly graphic captcha. There are different types of captchas. Cheers, tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MD5 bot Question
On Mon, 2007-04-09 at 12:51 -0400, tedd wrote: At 9:58 AM -0400 4/9/07, Robert Cummings wrote: Hi Tedd, Put down the crack pipe please... captcha images are usually generated on the fly. Their image repository is 0. Their image universe is all of the permutations of an image containing all of the range of serial codes embedded in the images according to their morphing routine. I highly doubt the US Government could afford the space required to store all of the permutations. Considering the number of bytes available to a dynamically generated image, it is highly likely that the images would be capable of exhausting the entire md5 universe. Cheers, Rob. Rob: Duh -- put down the joint and stay on the subject. We were talking about M$'s picture captcha where they show pictures and ask a question like Pick the picture that shows a kitty and NOT an on the fly graphic captcha. There are different types of captchas. Ah, I see. I was too lazy to go check since I don't use Microsoft except insofar as to make things work in their crappy browser. Either way, can you verify the images are static? See if getting two kitty cats produces the same md5 signature :) Just because it's a picture doesn't invalidate what I said. Cheers, Rob. -- .. | InterJinn Application Framework - http://www.interjinn.com | :: | An application and templating framework for PHP. Boasting | | a powerful, scalable system for accessing system services | | such as forms, properties, sessions, and caches. InterJinn | | also provides an extremely flexible architecture for | | creating re-usable components quickly and easily. | `' -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Session Authentication
At 5:55 PM +0200 4/9/07, Tijnema ! wrote:
> Cookies are old, so in the time they were introduced, today it is
> possible to create and modify cookies with some good tools. These
> tools are illegal,

I don't believe that. FireFox probably has most, if not all.

Cheers,

tedd
--
---
http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] Session Authentication
On 4/9/07, tedd [EMAIL PROTECTED] wrote:
> At 5:55 PM +0200 4/9/07, Tijnema ! wrote:
>> Cookies are old, so in the time they were introduced, today it is
>> possible to create and modify cookies with some good tools. These
>> tools are illegal,
>
> I don't believe that. FireFox probably has most, if not all.
>
> Cheers,
>
> tedd

Who said firefox is legal? :P
I believe that what firefox can do is limited, some things that are illegal are not possible. I don't know exactly what's illegal, I searched for it a few years ago, and that's what I found then.

Tijnema
Re: [PHP] Session Authentication
Tijnema ! wrote:
> Who said firefox is legal? :P
> I believe that what firefox can do is limited, some things that are
> illegal are not possible. I don't know exactly what's illegal, I
> searched for it a few years ago, and that's what I found then.

Explain how it would be illegal to modify cookies that are in MY computer.

On the other hand, it's STUPID to rely on data that comes from a cookie without double checking it.

--
select 'mmarques' || '@' || 'unl.edu.ar' AS email;
Martín Marqués | Programmer, DBA
Centro de Telemática | Administrator
Universidad Nacional del Litoral
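The "authenticated = yes" cookie from this thread, next to a cookie the server can actually double check, as an added example that is not code from any poster on the list. PHP's own sessions avoid the problem by keeping the state on the server and putting only a random ID in the cookie; the sketch covers the case where state has to travel in the cookie itself. The function names, the demo key and the user names are assumptions made up for the illustration.

```php
<?php
declare(strict_types=1);

// Constructed demo key; a real deployment loads a long random secret from configuration.
const DEMO_KEY = 'constructed-demo-key-not-for-production';

/** Weak pattern discussed in the thread: believe whatever the browser sends. */
function naive_is_authenticated(array $cookies): bool
{
    return ($cookies['authenticated'] ?? '') === 'yes';
}

/** Build a cookie value the server can verify later: base64(JSON payload) + "." + HMAC tag. */
function issue_auth_cookie(string $username, int $expires, string $key): string
{
    $payload = base64_encode(json_encode(['u' => $username, 'exp' => $expires], JSON_THROW_ON_ERROR));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

/** Return the username if the cookie is intact and unexpired, otherwise null. */
function verify_auth_cookie(string $value, string $key, int $now): ?string
{
    $parts = explode('.', $value);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $tag] = $parts;

    // Check the tag before parsing anything; hash_equals() compares in constant time.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $tag)) {
        return null;
    }

    $json = base64_decode($payload, true);
    $data = $json === false ? null : json_decode($json, true);
    if (!is_array($data) || !isset($data['u'], $data['exp'])
        || !is_string($data['u']) || !is_int($data['exp'])) {
        return null;
    }
    return $data['exp'] >= $now ? $data['u'] : null;
}

// --- constructed demonstration values ---
$now    = 1176120000;                       // fixed timestamp so the run is repeatable
$cookie = issue_auth_cookie('alice', $now + 3600, DEMO_KEY);

// A user edits the payload in the browser but cannot recompute the tag without the key.
[, $oldTag] = explode('.', $cookie);
$tampered = base64_encode(json_encode(['u' => 'admin', 'exp' => $now + 3600])) . '.' . $oldTag;

$show = fn ($v): string => var_export($v, true);
printf("naive check, hand-made cookie : %s\n", $show(naive_is_authenticated(['authenticated' => 'yes'])));
printf("signed cookie, untouched      : %s\n", $show(verify_auth_cookie($cookie, DEMO_KEY, $now)));
printf("signed cookie, edited payload : %s\n", $show(verify_auth_cookie($tampered, DEMO_KEY, $now)));
printf("signed cookie, after expiry   : %s\n", $show(verify_auth_cookie($cookie, DEMO_KEY, $now + 7200)));
```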
RE: [PHP] Need a working SOAP example using SOAP -- PHP is blocking the calls
c, could you be having a problem related to the allow_url_fopen ini setting? Now we're talkin! Okay, I made sure that allow_url_fopen and allow_url_include are both on. Verified via phpinfo(); Still no luck. :-\ However, this sparked an idea... I have been using my WinXP and IE to hit my Gentoo notebook running apache2/php/etc. (samba mounting the /home/machine/... to edit the files) When I fired up KDE and hit the EXACT same pages (which are now local), they magically worked! So now the question is, what setting do I have to change in my php.ini file to get remote requests to work? I'm not following what you mean by local and remote and when your considering something to be one or the other. (locutus) Gentoo/Notebook/Apache/PHP/Samba (gabriel) WinXP/IDE/IE6 All the code sits on locutus. I samba share the directory so can edit in my HomeSite IDE on gabriel. I edit my 'hosts' file (on both machines) to point at the proper IP (172.16.35.223 machine.locutus.com) setting up a vhost on locutus, etc... I can make the initial connection to client.php. I can do most anything (php, mysql, htaccess, etc), as locutus is a webserver -- I use this method to develop a dozen sites, all work flawlessley. You follow so far? This should be a pretty normal setup. Nothing fancy here. So, as stated in previous post. If I use gabriel to access http://machine.locutus.com, I can get to any of the individual pages related to this SOAP exercise (server.php, .wsdl, client.php, etc.). The problem is that the client.php can't make a server.php call though, and throws that exception. Now, to add to my confusion and simultaneiously lets me know that my actual CODE is working, as per the spark above, I fired up KDE on locutus. Then I hit the exact same URL, and pinch my ass and call me Charlie, the SOAP example works. SAME EXACT CODE. SAME EXACT FILES. SAME EXACT URLS. Something in PHP land (php.ini) seems to be horking me. 
I had a co-worker put my code on his linux (debian) box, and he could then connect from his XP to the URL and it worked for him too (even using https://). You might be thinking, well just diff the php.ini files and see. Not so easy my friend. They're not condusive to that. And we tried to eyeball what we could, but didn't see anything obvious. I thought for sure allow_url_fopen and allow_url_include were my silver bullets here, but they're 'On' in both php.ini files (his and mine). windows firewall springs to mind but I can't tell if it could even be involved from your current description. Windows Firewall should not be an issue here b/c the soap requests are originating from locutus to locutus -- the files are in the same directory. SOAP (at this stage) is only an exercise -- it's not making any remote calls across a network. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Need a working SOAP example using SOAP -- PHP is blocking the calls (scripts)
Here is the code I'm using:

client1.php

<?php
$client = new SoapClient("http://machine.locutus.com/StockQuote/stockquote.wsdl",
# $client = new SoapClient("https://admin:[EMAIL PROTECTED]/stockquote.wsdl",
    array(
#       "login" => "admin",
#       "password" => "testing",
        "trace" => 1,
        "exceptions" => 0));
print($client->getQuote("ibm"));
?>

server1.php

<?php
// http://devzone.zend.com/node/view/id/689
$quotes = array(
    "ibm" => 98.42
);

function getQuote($symbol) {
    global $quotes;
    return $quotes[$symbol];
}

ini_set("soap.wsdl_cache_enabled", "0"); // disabling WSDL cache
//exit( foo);
$server = new SoapServer("stockquote.wsdl");
$server->addFunction("getQuote");
$server->handle();
?>

stockquote.wsdl

<?xml version ='1.0' encoding ='UTF-8' ?>
<definitions name='StockQuote'
  targetNamespace='http://example.org/StockQuote'
  xmlns:tns='http://example.org/StockQuote'
  xmlns:soap='http://schemas.xmlsoap.org/wsdl/soap/'
  xmlns:xsd='http://www.w3.org/2001/XMLSchema'
  xmlns:soapenc='http://schemas.xmlsoap.org/soap/encoding/'
  xmlns:wsdl='http://schemas.xmlsoap.org/wsdl/'
  xmlns='http://schemas.xmlsoap.org/wsdl/'>

<message name='getQuoteRequest'>
  <part name='symbol' type='xsd:string'/>
</message>
<message name='getQuoteResponse'>
  <part name='Result' type='xsd:float'/>
</message>

<portType name='StockQuotePortType'>
  <operation name='getQuote'>
    <input message='tns:getQuoteRequest'/>
    <output message='tns:getQuoteResponse'/>
  </operation>
</portType>

<binding name='StockQuoteBinding' type='tns:StockQuotePortType'>
  <soap:binding style='rpc' transport='http://schemas.xmlsoap.org/soap/http'/>
  <operation name='getQuote'>
    <soap:operation soapAction='urn:xmethods-delayed-quotes#getQuote'/>
    <input>
      <soap:body use='encoded' namespace='urn:xmethods-delayed-quotes'
        encodingStyle='http://schemas.xmlsoap.org/soap/encoding/'/>
    </input>
    <output>
      <soap:body use='encoded' namespace='urn:xmethods-delayed-quotes'
        encodingStyle='http://schemas.xmlsoap.org/soap/encoding/'/>
    </output>
  </operation>
</binding>

<service name='StockQuoteService'>
  <port name='StockQuotePort' binding='tns:StockQuoteBinding'>
    <soap:address location='http://machine.locutus.com/StockQuote/server1.php'/>
  </port>
</service>
</definitions>
[PHP] Where to insert a phrase in the right place
Hi,

I'm making this site that was static and now has some dynamic features, so it's a little bit patched :)

If you care to visit http://www.telbit.pt/2/login.php you'll notice that the word "Welcome" is already present, and only should be after the download. Also, the error "You didn't fill all fields, please try again." is being displayed on page load.

This is my problem and to which I ask you for your help. How can I make the word "Welcome" appear only after the login ?

My code follows my signature. Any help would be appreciated.

Warm Regards
--
:wq! Mário Gamito
--

<p><a href="recover-password.php">Forgot your password ?</a>
<?php
if ($_GET['error']) {
    // SESSION
    $field1 = $_SESSION['field1'];
    $field2 = $_SESSION['field2'];
    // GET
    $field1 = urldecode($_GET['field1']);
    $field2 = urldecode($_GET['field2']);
}

$email = mysql_escape_string($_REQUEST['email']);
$pass = mysql_escape_string($_REQUEST['pass']);

include('config.php');
include('adodb/adodb.inc.php');

// connect to MySQL
$conn->debug=1;
$conn = ADONewConnection('mysql');
$conn->PConnect($host,$user,$password,$database);

// get password from db
$rsSel = "SELECT name, password FROM subscribers WHERE email = '$email' AND valid = '1'";
$rs = $conn->Execute($rsSel);
$name = $rs->fields[0];
$password_db = $rs->fields[1];

if ($pass != $password_db) {
    "field1=".urlencode($_POST['field1'])."&field2=".urlencode($_POST['field2']);
    echo "<div class=\"blocoApresentacao\"> <p>Wrong password, please try again.</p> </div>";
    exit;
}

print('Welcome ' . $name);
unset ($_SESSION['error']);
$conn->Close();
?>
<!-- end .titulo -->
</div>
<!-- end #secContent -->
</div>
<!-- end #Content and #picContent-->
</div>
</div>
<div id="footer">
<p id="copyright">Copyright&copy;2006 Telbit - Tecnologias de Informa&ccedil;&atilde;o, Lda.</p>
Re: [PHP] Need a working SOAP example using SOAP -- PHP is blocking the calls
Daevid Vincent wrote: c, could you be having a problem related to the allow_url_fopen ini setting? Now we're talkin! Okay, I made sure that allow_url_fopen and allow_url_include are both on. Verified via phpinfo(); Still no luck. :-\ However, this sparked an idea... I have been using my WinXP and IE to hit my Gentoo notebook running apache2/php/etc. (samba mounting the /home/machine/... to edit the files) When I fired up KDE and hit the EXACT same pages (which are now local), they magically worked! So now the question is, what setting do I have to change in my php.ini file to get remote requests to work? I'm not following what you mean by local and remote and when your considering something to be one or the other. (locutus) Gentoo/Notebook/Apache/PHP/Samba (gabriel) WinXP/IDE/IE6 All the code sits on locutus. I samba share the directory so can edit in my HomeSite IDE on gabriel. I edit my 'hosts' file (on both machines) to point at the proper IP (172.16.35.223 machine.locutus.com) setting up a vhost on locutus, etc... I can make the initial connection to client.php. I can do most anything (php, mysql, htaccess, etc), as locutus is a webserver -- I use this method to develop a dozen sites, all work flawlessley. You follow so far? This should be a pretty normal setup. Nothing fancy here. So, as stated in previous post. If I use gabriel to access http://machine.locutus.com, I can get to any of the individual pages related to this SOAP exercise (server.php, .wsdl, client.php, etc.). The problem is that the client.php can't make a server.php call though, and throws that exception. Now, to add to my confusion and simultaneiously lets me know that my actual CODE is working, as per the spark above, I fired up KDE on locutus. Then I hit the exact same URL, and pinch my ass and call me Charlie, the SOAP example works. SAME EXACT CODE. SAME EXACT FILES. SAME EXACT URLS. Something in PHP land (php.ini) seems to be horking me. 
I had a co-worker put my code on his linux (debian) box, and he could then connect from his XP to the URL and it worked for him too (even using https://). You might be thinking, well just diff the php.ini files and see. Not so easy my friend. They're not condusive to that. And we tried to eyeball what we could, but didn't see anything obvious. I thought for sure allow_url_fopen and allow_url_include were my silver bullets here, but they're 'On' in both php.ini files (his and mine). windows firewall springs to mind but I can't tell if it could even be involved from your current description. Windows Firewall should not be an issue here b/c the soap requests are originating from locutus to locutus -- the files are in the same directory. SOAP (at this stage) is only an exercise -- it's not making any remote calls across a network. Daevid, I am by no means an expert on this, but I know that when we've had issues with running some scripts, we had to look into the Linux security settings. We're running SE Linux (Red Hat) and that shuts down a lot of the remote access. When we were trying to get some CURL scripts working, we had to temporarily disable the Linux firewall so that we could track the calls in the messages log. Then we could see what the required privileges were and set things up appropriately. I don't know if Gentoo has anything like that or if you have any of the security stuff turned on, but you might want to check the equivalent of the messages log in Gentoo and see if that's where you're being blocked. Lori -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Where to insert a phrase in the right place
[snip]
How can i make the word Welcome appear only after the login ?
[/snip]

If you set a cookie upon login you can then check for the existence of the cookie. If the cookie exists do not display 'Welcome'.
Re: [PHP] MD5 bot Question
Robert Cummings wrote: On Mon, 2007-04-09 at 12:51 -0400, tedd wrote: At 9:58 AM -0400 4/9/07, Robert Cummings wrote: Hi Tedd, Put down the crack pipe please... captcha images are usually generated on the fly. Their image repository is 0. Their image universe is all of the permutations of an image containing all of the range of serial codes embedded in the images according to their morphing routine. I highly doubt the US Government could afford the space required to store all of the permutations. Considering the number of bytes available to a dynamically generated image, it is highly likely that the images would be capable of exhausting the entire md5 universe. Cheers, Rob. Rob: Duh -- put down the joint and stay on the subject. We were talking about M$'s picture captcha where they show pictures and ask a question like Pick the picture that shows a kitty and NOT an on the fly graphic captcha. There are different types of captchas. Ah, I see. I was too lazy to go check since I don't use Microsoft except insofar as to make things work in their crappy browser. Either way, can you verify the images are static? See if getting two kitty cats produces the same md5 signature :) Just because it's a picture doesn't invalidate what I said. Cheers, Rob. Steganography has been able to hide text in images for quite some time now. Basically you cram whatever info you want into the 'unused' or 'less used' bytes of the image. With this in mind I imagine even if you did have an image repository of only 8 images you could add some random bytes to the right spots in the image without distorting it beyond recognition/corrupting it, and therefore get a hybrid of static/on-the-fly images, that hashing couldn't break so simply. 2 cents... Travis Doherty -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Session Authentication
Martin Marques wrote:
> Tijnema ! wrote:
>> Who said firefox is legal? :P
>> I believe that what firefox can do is limited, some things that are
>> illegal are not possible. I don't know exactly what's illegal, I
>> searched for it a few years ago, and that's what I found then.
>
> Explain how it would be illegal to modify cookies that are in MY
> computer.

As with most things these days it probably breaches the DMCA. But frankly speaking, if doing that works then the developers of the application, and by extension the company, deserve everything they get.

-Stut
Re: [PHP] MD5 bot Question
On 4/9/07, Travis Doherty [EMAIL PROTECTED] wrote: Robert Cummings wrote: On Mon, 2007-04-09 at 12:51 -0400, tedd wrote: At 9:58 AM -0400 4/9/07, Robert Cummings wrote: Hi Tedd, Put down the crack pipe please... captcha images are usually generated on the fly. Their image repository is 0. Their image universe is all of the permutations of an image containing all of the range of serial codes embedded in the images according to their morphing routine. I highly doubt the US Government could afford the space required to store all of the permutations. Considering the number of bytes available to a dynamically generated image, it is highly likely that the images would be capable of exhausting the entire md5 universe. Cheers, Rob. Rob: Duh -- put down the joint and stay on the subject. We were talking about M$'s picture captcha where they show pictures and ask a question like Pick the picture that shows a kitty and NOT an on the fly graphic captcha. There are different types of captchas. Ah, I see. I was too lazy to go check since I don't use Microsoft except insofar as to make things work in their crappy browser. Either way, can you verify the images are static? See if getting two kitty cats produces the same md5 signature :) Just because it's a picture doesn't invalidate what I said. Cheers, Rob. Steganography has been able to hide text in images for quite some time now. Basically you cram whatever info you want into the 'unused' or 'less used' bytes of the image. With this in mind I imagine even if you did have an image repository of only 8 images you could add some random bytes to the right spots in the image without distorting it beyond recognition/corrupting it, and therefore get a hybrid of static/on-the-fly images, that hashing couldn't break so simply. 2 cents... Travis Doherty This is exactly what tedd did in his last arrow example. He edited the header of the GIF image, and so that would result in different MD5. 
Finding this part and skipping it in the MD5 check would do the job. :) Tijnema -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MD5 bot Question
At 1:04 PM -0400 4/9/07, Robert Cummings wrote: On Mon, 2007-04-09 at 12:51 -0400, tedd wrote: We were talking about M$'s picture captcha where they show pictures and ask a question like Pick the picture that shows a kitty and NOT an on the fly graphic captcha. There are different types of captchas. Ah, I see. I was too lazy to go check since I don't use Microsoft except insofar as to make things work in their crappy browser. Either way, can you verify the images are static? See if getting two kitty cats produces the same md5 signature :) Just because it's a picture doesn't invalidate what I said. I'm not out to validate, or invalidate, what you said. I'm just making the point that a finite number of pictures is different than an almost infinite number of on the fly generated graphic images. The new captcha M$ is trying, is to use pictures of objects and have the user identify which are cat pictures, like so: http://research.microsoft.com/asirra/ The web site states that it has over two million pictures of cats and dogs. This captcha requires that you simply to select ALL the cat photos leaving the dog photos unchecked. After doing so, it checks your score to allow entry. This one is different than the first one I saw, which presented only one cat picture in several dog pictures -- I think I could break that. But, this one is more difficult. Cheers, tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MD5 bot Question
At 4:19 PM -0400 4/9/07, Travis Doherty wrote:
> Steganography has been able to hide text in images for quite some
> time now. Basically you cram whatever info you want into the 'unused'
> or 'less used' bytes of the image. With this in mind I imagine even
> if you did have an image repository of only 8 images you could add
> some random bytes to the right spots in the image without distorting
> it beyond recognition/corrupting it, and therefore get a hybrid of
> static/on-the-fly images, that hashing couldn't break so simply.

Yes, that's the conclusion I came to in this experiment.

Cheers,

tedd
--
---
http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] Session Authentication
Stut wrote:
> As with most things these days it probably breaches the DMCA. But
> frankly speaking, if doing that works then the developers of the
> application, and by extension the company, deserve everything they
> get.

DMCA is a real piece of crap.

--
select 'mmarques' || '@' || 'unl.edu.ar' AS email;
Martín Marqués | Programmer, DBA
Centro de Telemática | Administrator
Universidad Nacional del Litoral
Re: [PHP] MD5 bot Question
On Mon, 2007-04-09 at 22:27 +0200, Tijnema ! wrote: On 4/9/07, Travis Doherty [EMAIL PROTECTED] wrote: Robert Cummings wrote: On Mon, 2007-04-09 at 12:51 -0400, tedd wrote: At 9:58 AM -0400 4/9/07, Robert Cummings wrote: Hi Tedd, Put down the crack pipe please... captcha images are usually generated on the fly. Their image repository is 0. Their image universe is all of the permutations of an image containing all of the range of serial codes embedded in the images according to their morphing routine. I highly doubt the US Government could afford the space required to store all of the permutations. Considering the number of bytes available to a dynamically generated image, it is highly likely that the images would be capable of exhausting the entire md5 universe. Cheers, Rob. Rob: Duh -- put down the joint and stay on the subject. We were talking about M$'s picture captcha where they show pictures and ask a question like Pick the picture that shows a kitty and NOT an on the fly graphic captcha. There are different types of captchas. Ah, I see. I was too lazy to go check since I don't use Microsoft except insofar as to make things work in their crappy browser. Either way, can you verify the images are static? See if getting two kitty cats produces the same md5 signature :) Just because it's a picture doesn't invalidate what I said. Cheers, Rob. Steganography has been able to hide text in images for quite some time now. Basically you cram whatever info you want into the 'unused' or 'less used' bytes of the image. With this in mind I imagine even if you did have an image repository of only 8 images you could add some random bytes to the right spots in the image without distorting it beyond recognition/corrupting it, and therefore get a hybrid of static/on-the-fly images, that hashing couldn't break so simply. 2 cents... Travis Doherty This is exactly what tedd did in his last arrow example. 
He edited the header of the GIF image, and so that would result in different MD5. Finding this part and skipping it in the MD5 check would do the job. :) Yep, that's an obvious solution since it's the same way virus signatures are matched. The entire image needs some kind of permutation. Passing a couple of curved ripples across the image as a transformation, and in different directions should suffice to obfuscate the image signature without obfuscating the image itself :) Similarly watermarking the image using fractal patterns should also provide good noise. Cheers, Rob. -- .. | InterJinn Application Framework - http://www.interjinn.com | :: | An application and templating framework for PHP. Boasting | | a powerful, scalable system for accessing system services | | such as forms, properties, sessions, and caches. InterJinn | | also provides an extremely flexible architecture for | | creating re-usable components quickly and easily. | `' -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Where to insert a phrase in the right place
Hi,

Jay Blanchard wrote:
> [snip]
> How can i make the word Welcome appear only after the login ?
> [/snip]
>
> If you set a cookie upon login you can then check for the existence
> of the cookie. If the cookie exists do not display 'Welcome'.

I have:

    session_start();
    session_register("email");

in the beginning of the file.

I've tried:

    if (isset($_SESSION['email']))
        print('Welcome ' . $name);

but obviously it prints the Welcome word as the same.

Any ideas ?

Thanks in advance.

Warm Regards
--
:wq! Mário Gamito
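One way to order the login page so that neither the error nor "Welcome" appears on a plain page load, as an added example that is not Mário's code or Jay's: the session is written only after the password has been verified, never at the top of the file. The function names, the in-memory subscriber list, the sample address and the use of password_hash()/password_verify() in place of the plain-text comparison are assumptions of this sketch; $session stands in for $_SESSION.

```php
<?php
declare(strict_types=1);

/** Constructed stand-in for the subscribers table: email => name and password hash. */
function demo_subscribers(): array
{
    return [
        'mario@example.test' => [
            'name' => 'Mario',
            'hash' => password_hash('correct horse', PASSWORD_DEFAULT),
        ],
    ];
}

/**
 * Decide what the login page prints for one request.
 * $post is the submitted form ([] on a plain page load).
 * $session is only written once the password has been verified.
 */
function login_page_message(array $post, array $subscribers, array &$session): string
{
    // Logged in on an earlier request: the only state in which "Welcome" is shown unprompted.
    if (isset($session['name'])) {
        return 'Welcome ' . $session['name'];
    }

    // Plain page load: nothing was submitted, so print neither an error nor a welcome.
    if (!isset($post['email'], $post['pass'])) {
        return '';
    }

    if (!is_string($post['email']) || !is_string($post['pass'])
        || $post['email'] === '' || $post['pass'] === '') {
        return "You didn't fill all fields, please try again.";
    }

    $row = $subscribers[$post['email']] ?? null;
    if ($row === null || !password_verify($post['pass'], $row['hash'])) {
        return 'Wrong password, please try again.';
    }

    // Success: record the login now. With real sessions, call session_regenerate_id(true) here.
    $session['email'] = $post['email'];
    $session['name']  = $row['name'];
    return 'Welcome ' . $row['name'];
}

// --- constructed sequence of requests against one session ---
$subscribers = demo_subscribers();
$session = [];
$requests = [
    'first page load'      => [],
    'empty form submitted' => ['email' => '', 'pass' => ''],
    'wrong password'       => ['email' => 'mario@example.test', 'pass' => 'guess'],
    'correct password'     => ['email' => 'mario@example.test', 'pass' => 'correct horse'],
    'next page load'       => [],
];
foreach ($requests as $label => $post) {
    printf("%-22s -> \"%s\"\n", $label, login_page_message($post, $subscribers, $session));
}
```

When the returned string is written into the page, pass it through htmlspecialchars(), since the name comes from the database.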
Re: [PHP] MD5 bot Question
At 4:39 PM -0400 4/9/07, Robert Cummings wrote:
> On Mon, 2007-04-09 at 22:27 +0200, Tijnema ! wrote:
>> This is exactly what tedd did in his last arrow example. He edited
>> the header of the GIF image, and so that would result in different
>> MD5. Finding this part and skipping it in the MD5 check would do the
>> job. :)
>
> Yep, that's an obvious solution since it's the same way virus
> signatures are matched. The entire image needs some kind of
> permutation. Passing a couple of curved ripples across the image as a
> transformation, and in different directions should suffice to
> obfuscate the image signature without obfuscating the image itself :)
> Similarly watermarking the image using fractal patterns should also
> provide good noise.
>
> Cheers,
> Rob.

Rob:

It doesn't need to be complicated, just random placed pixels on the image from a selection of colors would provide millions of permutations.

Cheers,

tedd
--
---
http://sperling.com http://ancientstones.com http://earthstones.com
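A check a captcha operator can run on their own served images, as an added example that is not code from anyone in the thread: it compares whole-file and pixel-only MD5 digests for a static picture, for one whose header alone is varied, and for one with per-serve random pixel changes. The image is a constructed 16x16 gradient in PPM format (chosen because its header is trivial to split off, where the thread's example was a GIF), and all function names are made up for the illustration.

```php
<?php
declare(strict_types=1);

/** Serialize raw RGB bytes as a binary PPM (P6) file; $comment stands in for header metadata. */
function build_ppm(int $w, int $h, string $rgb, string $comment): string
{
    if (strlen($rgb) !== $w * $h * 3) {
        throw new InvalidArgumentException('pixel buffer does not match dimensions');
    }
    return "P6\n# {$comment}\n{$w} {$h}\n255\n" . $rgb;
}

/** Return the pixel bytes of a file made by build_ppm(), skipping its four header lines. */
function ppm_pixels(string $ppm): string
{
    $offset = 0;
    for ($line = 0; $line < 4; $line++) {
        $nl = strpos($ppm, "\n", $offset);
        if ($nl === false) {
            throw new InvalidArgumentException('truncated PPM header');
        }
        $offset = $nl + 1;
    }
    return substr($ppm, $offset);
}

/** Flip the lowest bit of $count distinct, randomly chosen colour bytes. */
function add_pixel_noise(string $rgb, int $count): string
{
    $len = strlen($rgb);
    if ($count < 1 || $count > $len) {
        throw new InvalidArgumentException('noise count out of range');
    }
    $used = [];
    while (count($used) < $count) {
        $pos = random_int(0, $len - 1);
        if (isset($used[$pos])) {
            continue;               // already changed; flipping again would undo it
        }
        $used[$pos] = true;
        $rgb[$pos] = chr(ord($rgb[$pos]) ^ 1);
    }
    return $rgb;
}

/** Compare two served files: do the whole-file and the pixel-only MD5 digests match? */
function compare_serves(string $a, string $b): array
{
    return [
        'file_md5_equal'  => md5($a) === md5($b),
        'pixel_md5_equal' => md5(ppm_pixels($a)) === md5(ppm_pixels($b)),
    ];
}

// Constructed 16x16 gradient standing in for one picture from a fixed repository.
$w = 16;
$h = 16;
$rgb = '';
for ($y = 0; $y < $h; $y++) {
    for ($x = 0; $x < $w; $x++) {
        $rgb .= chr($x * 16) . chr($y * 16) . chr(128);
    }
}

$cases = [
    'static file, served twice' => [
        build_ppm($w, $h, $rgb, 'serve'),
        build_ppm($w, $h, $rgb, 'serve'),
    ],
    'random header comment only' => [
        build_ppm($w, $h, $rgb, bin2hex(random_bytes(8))),
        build_ppm($w, $h, $rgb, bin2hex(random_bytes(8))),
    ],
    'random pixel noise per serve' => [
        build_ppm($w, $h, add_pixel_noise($rgb, 12), 'serve'),
        build_ppm($w, $h, add_pixel_noise($rgb, 12), 'serve'),
    ],
];

foreach ($cases as $label => [$a, $b]) {
    $r = compare_serves($a, $b);
    printf(
        "%-30s file MD5 equal: %-3s  pixel MD5 equal: %s\n",
        $label,
        $r['file_md5_equal'] ? 'yes' : 'no',
        $r['pixel_md5_equal'] ? 'yes' : 'no'
    );
}
```

The comparison covers exact-digest matching only, which is the method this thread is about; it says nothing about recognisers that do not depend on identical bytes.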
[PHP] mysql if empty
If I search for something in mysql that returns an empty result I can't get it to return "No result found"; it always returns "Found" even though the record does not exist...

    $sql = "SELECT Client FROM booked WHERE Name = 'larry'";
    $result = mysql_query($sql);
    if ($result == "") {
        echo "No result found";
    }
    echo "Found";
Re: [PHP] mysql if empty
> If I search for something in mysql that returns an empty result I
> can't get it to return "No result found"; it always returns "Found"
> even though the record does not exist...
>
> $sql = "SELECT Client FROM booked WHERE Name = 'larry'";
> $result = mysql_query($sql);
> if ($result == "") {
>     echo "No result found";
> }
> echo "Found";

try this:

    $sql = "SELECT Client FROM booked WHERE Name = 'larry'";
    $result = mysql_query($sql);
    if (mysql_num_rows($result) == 0) {
        echo "No result found";
    } else {
        $myresults = mysql_fetch_array($result);
    }

-afan
Re: [PHP] mysql if empty
[EMAIL PROTECTED] wrote:
> If I search for something in mysql that returns an empty result I can't get it to return "No result found"; it always returns "Found" even though the record does not exist...
>
>     $sql = "SELECT Client FROM booked WHERE Name = 'larry'";
>     $result = mysql_query($sql);
>     if ($result == "") {
>         echo "No result found";
>     }
>     echo "Found";

Use isset.

    if (!isset($result)) {
        echo "No result found";
    }
    ...

Lori
Re: [PHP] mysql if empty
On Monday 09 April 2007 18:27, Lori Lay wrote:
> [EMAIL PROTECTED] wrote:
>> If I search for something in mysql that returns an empty result I can't get it to return "No result found"; it always returns "Found" even though the record does not exist...
>>
>>     $sql = "SELECT Client FROM booked WHERE Name = 'larry'";
>>     $result = mysql_query($sql);
>>     if ($result == "") {
>>         echo "No result found";
>>     }
>>     echo "Found";
>
> Use isset.
>
>     if (!isset($result)) {
>         echo "No result found";
>     }
>     ...
>
> Lori

$result is set ($result = mysql_query($query))... comparing to 0 is satisfactory:

    $result = mysql_query($query);
    if ($result === false) {
        // mysql_query() returns FALSE on error, so check that before counting rows
        echo "Some error? " . mysql_error();
    } else {
        $results = mysql_num_rows($result);
        if ($results == 0) {
            echo "no result found";
        } else {
            // your code here
        }
    }

--
Davi Vidal
[EMAIL PROTECTED]
[EMAIL PROTECTED]
--
Now with fortune:
I imagine bugs and girls have a dim perception that nature played a cruel trick on them, but they lack the intelligence to really comprehend the magnitude of it. -- Calvin
[PHP] Re: Design Dilemma - Database Data Abstraction
Martin Alterisio [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> I have a dilemma on a design where I humbly ask your help. I'm working on the model part of a web application (not to be understood in the web2.0 way, but in a more general way, where anything mounted on HTTP is a web application) done in PHP5 following the MVC design pattern. But the strong point is that the result must be those-who-never-RTFM-proof. But that's not my dilemma, I only mention this so that no RoR concept or similar is thrown into the table, that is, NO ActiveRecord.
>
> The solution I presented is to access, and act upon, a database as if they were PHP arrays, meaning that a table is presented as an array of records.
>
> Here comes my dilemma. But first let me explain a bit about the scenario so far:
>
> * It's acceptable that some restrictions are set upon the DB structure, only if at least the following constructions are allowed:
>   a) tables with only one field in the PK (usually an autonumeric int).
>   b) tables with a one-to-many relationship with itself, and one field PK (a tree structure).
>   c) tables with a one-to-one relationship, and at most two fields in the PK, and if there are two, one is a FK.
>   d) tables with a one-to-many relationship with one of the before mentioned tables, at most two fields in the PK, and if there are two, one is a FK.
>   e) tables that create a many-to-many relationship between two of the before mentioned tables, with possibly extra fields other than the fields of the relationship, at most three fields in the PK, and if there are two or more, two of them are FK.
> * The actions that will be more used to access the data will be:
>   a) get one record using its PK, or a combination of FKs where it applies.
>   b) get one record using a unique key.
>   c) update or delete one record using its PK.
>   d) insert one record
>   e) loop on many records of one table, all or just one page, or those related to a FK.
>   f) order the records before the loop
>
> My dilemma is as follows: a PHP array is a construct more restricted than a DB table. In a PHP array the index is either an int or a string, in a table the index can be any combination of fields. Then, my problem is how to design coherently the indexing of the arrays that represent the DB tables.
>
> I could index by the order as they are presented by the DB:
>
>     $DB['users'][0] is the first user from the query SELECT * FROM users
>     $DB['users'][1] is the second user from the query SELECT * FROM users
>     etc..
>
> But this has many cons. First, without a deterministic order, the array can change its logic order on the whim of the DB, nobody assures that the order will be kept after a modification is made to the data, and this can be confusing and error prone:
>
>     $name1 = $DB['users'][3]['name'];
>     $name2 = $DB['users'][5]['name'];
>     $DB['users'][3]['name'] = $name2;
>     $DB['users'][5]['name'] = $name1;
>
> The last sentence may not be writing to the adequate record.
>
> But this indexation has its pros. It can be used with a traditional for loop (although it will prove inefficient in most cases). And the records after and before can be easily obtained.
>
> Another possible indexation could be by the value of the PK, but this also has some problems. First, it can be confusing if the PK is an autonumeric int, as this might be seen as a numeric indexation. Second, not all tables have only one field as PK (I can ask that all tables have at least a PK, but I can't ask that the PK is made of only one field).
>
> But I have many pros with this strategy. I solve the actions on one record using the PK (only if the PK is made of only one field):
>
>     $user = $DB['users'][$userid];   // get
>     $DB['users'][$userid] = $user;   // update or insert
>     $DB['users'][] = $userid;        // insert
>     unset($DB['users'][$userid]);    // delete
>
> I think I could use other than ints and strings in the array index, but I rather stick to keeping this as seemingly equal to PHP arrays.
>
> I also could use FK relationships to solve this, for example, if one table has an index made of two fields, one is an FK to another table, I could make one table look as an array inside the other:
>
>     foreach ($DB['users'][$userid]['address_book'] as $address) { ... }
>
> In this case address_book refers to another table rather than a field (I would have to ask that there are no fields with the same name). This table has an FK to the id of the users tables and one other record working as a PK. Accessing the array this way I have one of the values of the PK (the user id), and I use the other as the array index.
>
> There is also the problem with many-to-many relationships. If there was only one table that related two tables in this way, I could do the following:
>
>     $DB['users'][$userid]['groups'] - groups where the user belongs
>     $DB['groups'][$groupid]['users'] - the users of a group
>
> There would be a third table other than users and groups which doesn't show up. But,
Re: [PHP] Where to insert a phrase in the right place
Hi,

André Medeiros wrote:
> <?php
> session_start();
> if (!isset($_SESSION['greeted'])) {
>     echo "Welcome";
>     $_SESSION['greeted'] = 1;
> }
> ?>

It doesn't work :(

    if ($_SESSION['greeted'] == 1)
        print('Welcome ' . $name);

$_SESSION['greeted'] is always equal to 1 as set in the beginning of the file.

http://www.telbit.pt/2/login.php

Warm Regards
--
:wq!
Mário Gamito
Re: [PHP] MD5 bot Question
On 4/9/07, tedd [EMAIL PROTECTED] wrote:
> At 4:39 PM -0400 4/9/07, Robert Cummings wrote:
>> On Mon, 2007-04-09 at 22:27 +0200, Tijnema ! wrote:
>>> This is exactly what tedd did in his last arrow example. He edited the header of the GIF image, and so that would result in different MD5. Finding this part and skipping it in the MD5 check would do the job. :)
>>
>> Yep, that's an obvious solution since it's the same way virus signatures are matched. The entire image needs some kind of permutation. Passing a couple of curved ripples across the image as a transformation, and in different directions should suffice to obfuscate the image signature without obfuscating the image itself :) Similarly watermarking the image using fractal patterns should also provide good noise.
>>
>> Cheers,
>> Rob.
>
> Rob:
>
> It doesn't need to be complicated, just randomly placed pixels on the image from a selection of colors would provide millions of permutations.
>
> Cheers,
>
> tedd

But then OCR would still work, as when somebody scans a document, there are also some not white pixels.

Tijnema

> --
> ---
> http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] mysql if empty
At 4/9/2007 02:18 PM, [EMAIL PROTECTED] wrote:
> If I search for something in mysql that returns an empty result I can't get it to return "No result found"; it always returns "Found" even though the record does not exist...
>
>     $sql = "SELECT Client FROM booked WHERE Name = 'larry'";
>     $result = mysql_query($sql);
>     if ($result == "") {
>         echo "No result found";
>     }
>     echo "Found";

$result tells you whether or not the query executed successfully. If ($result === FALSE), look to mysql_error() for a description of the problem. Otherwise, $result is the handle to the query's result.

A successful (non-error-producing) query can return zero rows of data. A perfect example is when you check a user table to make sure a username isn't already taken before creating a new record.

Read this page again carefully:
http://php.net/mysql_query

Regards,
Paul
__
Paul Novitski
Juniper Webcraft Ltd.
http://juniperwebcraft.com
Re: [PHP] DOM and XSLTProcessor
If there are parts of an XML document where you do not want '<' and '>' changed to '&lt;' and '&gt;' during the transformation then you need to use the disable-output-escaping option, as in the following example.

    <xsl:if test="/root/footer">
      <div class="footer">
        <xsl:value-of select="/root/footer" disable-output-escaping="yes" />
      </div>
    </xsl:if>

You also need to insert such text into the XML document using the createCDATASection() method otherwise the tags will be converted BEFORE the XSLT processor gets to look at it.

--
Tony Marston
http://www.tonymarston.net
http://www.radicore.org

Buesching, Logan J [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> This could offer a possible workaround. Let me first state that I cannot simply do:
>
>     echo htmlspecialchars_decode($proc->transformToXML($doc));
>
> If I were to do that, then it would assume that all of these encodings need to be decoded; which definitely is not the case. I only want to do this for a few of the encodings, which I will know before the XSL processing.
>
> I guess I can do some processing after it went through the XSL Processor to decode some of the encodings that I do not want, but that just seems like it would add a lot of unnecessary overhead if it can be avoided.
>
> Thanks for the idea though.
>
> -Logan
>
> -Original Message-
> From: Tijnema ! [mailto:[EMAIL PROTECTED]
> Sent: Monday, April 09, 2007 4:40 AM
> To: Buesching, Logan J
> Cc: php-general@lists.php.net
> Subject: Re: [PHP] DOM and XSLTProcessor
>
> On 4/9/07, Buesching, Logan J [EMAIL PROTECTED] wrote:
>> Greetings,
>>
>> I apologize if this is a little long, but I am trying to put as much information as I have done in this first post.
>>
>> I am running PHP 5 and attempting to use DOM to create data to show on a webpage and using XSLTProcessor with an XSLT sheet to output it into XHTML. Everything is pretty fine and dandy until I wish to print raw text, such as xdebug and var_dump. My knowledge of DOM and XSLTProcessor is about a 5/10, such that I know most basics, but not the more advanced things.
>>
>> Whenever I try to add data using createTextNode, it is always escaped, such that if I do <strong>something</strong>, when shown to the screen, it shows &lt;strong&gt; etc...
>>
>> Here is the general outline:
>>
>>     <?php
>>     $doc=new DOMDocument("1.0");
>>     $root=$doc->createElement("root");
>>     $wantedCode=$doc->createTextNode("<strong>Something</strong>");
>>     $root->appendChild($wantedCode);
>>     $doc->appendChild($root);
>>     $proc=new XSLTProcessor;
>>     $proc->importStylesheet(DOMDocument::load("test.xslt"));
>>     echo $proc->transformToXML($doc);
>>     ?>
>>
>> SomeSheet is something like:
>>
>>     <xsl:template match="/">
>>       <xsl:value-of select="."/>
>>     </xsl:template>
>>
>> The expected output that I would like to get is:
>>
>>     <strong>Something</strong>
>>
>> (This would just bold my text, not literally see the strong tags).
>>
>> The actual output is:
>>
>>     &lt;strong&gt;Something&lt;/strong&gt;
>>
>> (This outputs the strong tags to the end user, which is what I do not want).
>>
>> I checked the manual at: http://us3.php.net/manual/en/function.dom-domdocument-createtextnode.php . A user comment suggested to use CDATA nodes, so I attempted to change my code to the following:
>>
>>     <?php
>>     $doc=new DOMDocument("1.0");
>>     $root=$doc->createElement("root");
>>     //note the change right here
>>     $wantedCode=$doc->createCDATASection("<strong>Something</strong>");
>>     $root->appendChild($wantedCode);
>>     $doc->appendChild($root);
>>     $proc=new XSLTProcessor;
>>     $proc->importStylesheet(DOMDocument::load("test.xslt"));
>>     echo $proc->transformToXML($doc);
>>     ?>
>>
>> But this was of no success; it just had the same output.
>>
>> Is there anyone that is able to help me out here?
>>
>> Thanks,
>> Logan
>
> Try using htmlspecialchars_decode before outputting your data:
> http://www.php.net/manual/en/function.htmlspecialchars-decode.php
>
> Tijnema
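Added example (not part of any message in this thread): one way to get the bold text without un-escaping anything is to parse the markup you generated yourself into real nodes with DOMDocumentFragment::appendXML() and copy them through with xsl:copy-of, while user-supplied text stays a text node. This matters because disable-output-escaping or htmlspecialchars_decode() applied to a value that contains user input turns that input into live markup. The stylesheet, the render() helper, the element names and the sample strings are constructed for illustration.

```php
<?php
// Added example: stylesheet, element names and sample strings are constructed.

$xsl = new DOMDocument();
$xsl->loadXML(<<<'XSL'
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="html"/>
  <xsl:template match="/root">
    <div class="page">
      <!-- copy-of emits the child nodes themselves, so <strong> stays an element -->
      <div class="trusted"><xsl:copy-of select="trusted/node()"/></div>
      <!-- value-of emits text, which the serializer escapes -->
      <div class="untrusted"><xsl:value-of select="untrusted"/></div>
    </div>
  </xsl:template>
</xsl:stylesheet>
XSL);

function render(DOMDocument $xsl, string $trustedMarkup, string $untrustedText): string
{
    $doc  = new DOMDocument('1.0');
    $root = $doc->appendChild($doc->createElement('root'));

    // Markup produced by the application: parse it into element nodes.
    $frag = $doc->createDocumentFragment();
    if (!$frag->appendXML($trustedMarkup)) {
        throw new InvalidArgumentException('trusted markup is not well-formed XML');
    }
    $root->appendChild($doc->createElement('trusted'))->appendChild($frag);

    // Anything a user typed: keep it as a text node so it is escaped on output.
    $root->appendChild($doc->createElement('untrusted'))
         ->appendChild($doc->createTextNode($untrustedText));

    $proc = new XSLTProcessor();
    $proc->importStylesheet($xsl);
    return $proc->transformToXML($doc);
}

echo render($xsl, '<strong>Something</strong>', '<script>alert(1)</script>');
```

The first div comes out containing a real strong element; the second contains the script tag as escaped text.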
Re: [PHP] mysql if empty
An empty result is still a valid result. As long as the SQL statement is valid, you will get a result set. This doesn't mean that the variable holding the reference to the result set is itself empty, but that you will fail to fetch any results from it.

Satyam

- Original Message -
From: [EMAIL PROTECTED]
To: php-general@lists.php.net
Sent: Monday, April 09, 2007 11:18 PM
Subject: [PHP] mysql if empty

> If I search for something in mysql that returns an empty result I can't get it to return "No result found"; it always returns "Found" even though the record does not exist...
>
>     $sql = "SELECT Client FROM booked WHERE Name = 'larry'";
>     $result = mysql_query($sql);
>     if ($result == "") {
>         echo "No result found";
>     }
>     echo "Found";
[PHP] Question about OO design
Hello,

I'm working on a project now and I'd like to get some feedback on how to implement a proper class (or two).

This is an application that records an employee's used vacation time. There are two tables: (1) events, (2) users.

Users:

    id (int)
    name (varchar)
    email (varchar)
    balance (mediumint, stored in seconds) // this is the balance for
                                           // the user after all events
                                           // have been accounted for.
    accrual (smallint, stored in seconds)
    is_manager (bool)

Events:

    id (int)
    uid (int, users.id)
    date (date)
    duration (smallint, stored in seconds)
    balance (smallint, stored in seconds) // this is the balance for
                                          // the user at the time the
                                          // event was added.
    created (datetime)

Currently I have just one class called User that looks like this:

(I'm dealing with PHP4.)

    class User
    {
        var $id;
        var $name;
        var $email;
        var $balance;
        var $accrual;
        var $is_manager;

        function User($user_id)
        {
            $this->id = $user_id;
            $this->name = $this->get_name();
            // ...
            $this->accrual = $this->get_accrual();
        }

        function get_name()
        {
            // get name from db
            $sql = "...";
            $db = DB::singleton();
            $db->execute($sql);
        }

        function get_email()   { /* same as above more or less */ }
        function get_accrual() { /* same as above more or less */ }
        function is_manager()  { /* same as above more or less */ }

        function get_events()
        {
            // this function gets all the events for
            // the current users and returns them
            // as an array.
        }

        function add_event()
        {
            // this function adds a single event for
            // the current user. it also recalculates
            // the 'balance' for each event because
            // of data display requirements.
        }

        function del_event($event_id)
        {
            // delete an event from the current user's
            // events list based on $event_id.
        }
    }

As I started to write this and use it I get the feeling that there should also be an Event class that is extended by the User class. Reason being that each User object is a reference to the currently logged in user, not anyone else.

But if you're a manager you have the responsibility to approve/deny and/or add/delete events for your employees. But with that in mind I've gone from a class that handles the currently logged in user to one that handles the currently logged in user plus any number of other users.

I guess I'm thinking of this in the same terms as db normalization. Ex: I could add an extra price_level column to my products table each time I need a new pricing level but it's probably better to create a separate table called products_prices. It's slightly more complicated but it would allow me to have as many pricing levels as I want without modifying my database or code.

I'd appreciate any kind of feedback on this. If I haven't been clear with something please let me know.

Thanks,
Chris.
Re: [PHP] Need a working SOAP example using SOAP -- PHP is blocking the calls
Daevid Vincent wrote:
>> c, could you be having a problem related to the allow_url_fopen ini setting?
>
> Now we're talkin! Okay, I made sure that allow_url_fopen and allow_url_include are both on. Verified via phpinfo();
>
> Still no luck. :-\
>
> However, this sparked an idea... I have been using my WinXP and IE to hit my Gentoo notebook running apache2/php/etc. (samba mounting the /home/machine/... to edit the files)
>
> When I fired up KDE and hit the EXACT same pages (which are now local), they magically worked!
>
> So now the question is, what setting do I have to change in my php.ini file to get remote requests to work?
>
>> I'm not following what you mean by local and remote and when you're considering something to be one or the other.
>
> (locutus) Gentoo/Notebook/Apache/PHP/Samba
> (gabriel) WinXP/IDE/IE6
>
> All the code sits on locutus. I samba share the directory so can edit in my HomeSite IDE on gabriel. I edit my 'hosts' file (on both machines) to point at the proper IP (172.16.35.223 machine.locutus.com) setting up a vhost on locutus, etc...

... I follow you now.

doesn't smell like a php issue, more like something at the OS or firewall level. probably time to start tailing the relevant logs (e.g. apache, system message, etc) to see if you get a hint.

what happens if you point machine.locutus.com to 127.0.0.1 on locutus?

do the scripts on locutus return what you expect if you var_dump() the relevant calls to gethostbyname(), gethostbynamel(), gethostbyaddr()?
Re: [PHP] MD5 bot Question
tedd wrote:
> ...snip... that's the reason for the alt attribute.

Thanks for clarification! :)

You are doing some great work with captchas... I also really like your audio captcha experiments. Keep up the great work!

Cheers,
Micky

--
Wishlists: http://snipurl.com/vrs9
Switch: http://browsehappy.com/
BCC?: http://snipurl.com/w6f8
My: http://del.icio.us/mhulse
[PHP] MySQL exceptions
Hi all!

I'm developing an OOP app using PHP 5. I want to use try-catch with mysql functions.

So, the question is: what are the exception classes of MySQL? Where can I find them?

TIA

--
Davi Vidal
[EMAIL PROTECTED]
[EMAIL PROTECTED]
--
Now with fortune:
BOFH Excuse #426: internet is needed to catch the etherbunny
Re: [PHP] Re: Design Dilemma - Database Data Abstraction
2007/4/9, Tony Marston [EMAIL PROTECTED]:
> Martin Alterisio [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
>> I have a dilemma on a design where I humbly ask your help. I'm working on the model part of a web application (not to be understood in the web2.0 way, but in a more general way, where anything mounted on HTTP is a web application) done in PHP5 following the MVC design pattern. But the strong point is that the result must be those-who-never-RTFM-proof. But that's not my dilemma, I only mention this so that no RoR concept or similar is thrown into the table, that is, NO ActiveRecord.
>>
>> The solution I presented is to access, and act upon, a database as if they were PHP arrays, meaning that a table is presented as an array of records.
>>
>> Here comes my dilemma. But first let me explain a bit about the scenario so far:
>>
>> * It's acceptable that some restrictions are set upon the DB structure, only if at least the following constructions are allowed:
>>   a) tables with only one field in the PK (usually an autonumeric int).
>>   b) tables with a one-to-many relationship with itself, and one field PK (a tree structure).
>>   c) tables with a one-to-one relationship, and at most two fields in the PK, and if there are two, one is a FK.
>>   d) tables with a one-to-many relationship with one of the before mentioned tables, at most two fields in the PK, and if there are two, one is a FK.
>>   e) tables that create a many-to-many relationship between two of the before mentioned tables, with possibly extra fields other than the fields of the relationship, at most three fields in the PK, and if there are two or more, two of them are FK.
>> * The actions that will be more used to access the data will be:
>>   a) get one record using its PK, or a combination of FKs where it applies.
>>   b) get one record using a unique key.
>>   c) update or delete one record using its PK.
>>   d) insert one record
>>   e) loop on many records of one table, all or just one page, or those related to a FK.
>>   f) order the records before the loop
>>
>> My dilemma is as follows: a PHP array is a construct more restricted than a DB table. In a PHP array the index is either an int or a string, in a table the index can be any combination of fields. Then, my problem is how to design coherently the indexing of the arrays that represent the DB tables.
>>
>> I could index by the order as they are presented by the DB:
>>
>>     $DB['users'][0] is the first user from the query SELECT * FROM users
>>     $DB['users'][1] is the second user from the query SELECT * FROM users
>>     etc..
>>
>> But this has many cons. First, without a deterministic order, the array can change its logic order on the whim of the DB, nobody assures that the order will be kept after a modification is made to the data, and this can be confusing and error prone:
>>
>>     $name1 = $DB['users'][3]['name'];
>>     $name2 = $DB['users'][5]['name'];
>>     $DB['users'][3]['name'] = $name2;
>>     $DB['users'][5]['name'] = $name1;
>>
>> The last sentence may not be writing to the adequate record.
>>
>> But this indexation has its pros. It can be used with a traditional for loop (although it will prove inefficient in most cases). And the records after and before can be easily obtained.
>>
>> Another possible indexation could be by the value of the PK, but this also has some problems. First, it can be confusing if the PK is an autonumeric int, as this might be seen as a numeric indexation. Second, not all tables have only one field as PK (I can ask that all tables have at least a PK, but I can't ask that the PK is made of only one field).
>>
>> But I have many pros with this strategy. I solve the actions on one record using the PK (only if the PK is made of only one field):
>>
>>     $user = $DB['users'][$userid];   // get
>>     $DB['users'][$userid] = $user;   // update or insert
>>     $DB['users'][] = $userid;        // insert
>>     unset($DB['users'][$userid]);    // delete
>>
>> I think I could use other than ints and strings in the array index, but I rather stick to keeping this as seemingly equal to PHP arrays.
>>
>> I also could use FK relationships to solve this, for example, if one table has an index made of two fields, one is an FK to another table, I could make one table look as an array inside the other:
>>
>>     foreach ($DB['users'][$userid]['address_book'] as $address) { ... }
>>
>> In this case address_book refers to another table rather than a field (I would have to ask that there are no fields with the same name). This table has an FK to the id of the users tables and one other record working as a PK. Accessing the array this way I have one of the values of the PK (the user id), and I use the other as the array index.
>>
>> There is also the problem with many-to-many relationships. If there was only one table that related two tables in this way, I could do the following:
>>
>>     $DB['users'][$userid]['groups'] - groups where the user belongs
>>     $DB['groups'][$groupid]['users'] - the users of a group
>>
>> There would be a third table other than users and groups which
Re: [PHP] Session Authentication
Thanks for the replies guys, became a pretty big thread.

The actual code is just a select statement from the user table using sprintf and mysql_real_escape_string for the username and password. I count how many rows the select statement returns, if it's not zero then I authenticate by setting a session variable to true (the one in my 1st post).

Thanks again.

2007/4/9, Martin Marques martin@bugs.unl.edu.ar:
> Stut wrote:
>> As with most things these days it probably breaches the DMCA. But frankly speaking, if doing that works then the developers of the application, and by extension the company, deserve everything they get.
>
> DMCA is a real piece of crap.
>
> --
> select 'mmarques' || '@' || 'unl.edu.ar' AS email;
> Martín Marqués | Programador, DBA
> Centro de Telemática | Administrador
> Universidad Nacional del Litoral
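Added example (not the poster's code): a variant of the login check described above that binds the username as a parameter instead of escaping it into the string, compares the password against a stored hash rather than inside the SELECT, and issues a new session id at the moment of login. It uses PDO with an in-memory SQLite database so it runs without a server; the users table, its columns, the sample accounts and the login() name are constructed for illustration.

```php
<?php
// Added example: table layout, sample account and function name are constructed.
session_start();

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Verified when the username is unknown, so both failure paths do the same work.
define('DUMMY_HASH', password_hash('not a real password', PASSWORD_DEFAULT));

function login(PDO $db, string $username, string $password): bool
{
    // Bound parameter: quotes in $username are data and cannot alter the statement.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $ok = password_verify($password, $row ? $row['password_hash'] : DUMMY_HASH);
    if (!$row || !$ok) {
        return false;
    }

    // New session id on login, so an id known before authentication is useless after it.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    // Store who logged in, not just "true", so later checks can be made per user.
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

$attempts = [
    ['alice', 'correct horse'],   // valid account
    ['alice', 'wrong'],           // wrong password
    ["o'brien", 'anything'],      // unknown user whose name contains a quote
];

// Run every attempt before printing: session_regenerate_id() needs to send a header.
$results = [];
foreach ($attempts as [$user, $pass]) {
    $results[] = [$user, login($db, $user, $pass)];
}
foreach ($results as [$user, $accepted]) {
    echo str_pad($user, 10), $accepted ? 'accepted' : 'rejected', "\n";
}
```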
Re: [PHP] Question about OO design
Chris W. Parker wrote:
> Hello,
>
> I'm working on a project now and I'd like to get some feedback on how to implement a proper class (or two).
>
> This is an application that records an employee's used vacation time. There are two tables: (1) events, (2) users.
>
> Users:
>
>     id (int)
>     name (varchar)
>     email (varchar)
>     balance (mediumint, stored in seconds) // this is the balance for
>                                            // the user after all events
>                                            // have been accounted for.
>     accrual (smallint, stored in seconds)
>     is_manager (bool)
>
> Events:
>
>     id (int)
>     uid (int, users.id)
>     date (date)
>     duration (smallint, stored in seconds)
>     balance (smallint, stored in seconds) // this is the balance for
>                                           // the user at the time the
>                                           // event was added.
>     created (datetime)
>
> Currently I have just one class called User that looks like this:
>
> (I'm dealing with PHP4.)
>
>     class User
>     {
>         var $id;
>         var $name;
>         var $email;
>         var $balance;
>         var $accrual;
>         var $is_manager;
>
>         function User($user_id)
>         {
>             $this->id = $user_id;
>             $this->name = $this->get_name();
>             // ...
>             $this->accrual = $this->get_accrual();
>         }
>
>         function get_name()
>         {
>             // get name from db
>             $sql = "...";
>             $db = DB::singleton();
>             $db->execute($sql);

you probably only want one DB call to populate the User object with all the relevant user data at the point where the object is created.

    function User($user_id)
    {
        // check the user id properly?
        // see the getEmployee() example below for the
        // reason for the array usage
        // (int) cast: the id is interpolated into SQL in load()
        if (is_array($user_id)) {
            $this->id = (int) $user_id['id'];
            $this->load($user_id);
        } else {
            $this->id = (int) $user_id;
            $this->load();
        }
    }

    function load($data = null)
    {
        if (!is_array($data) || empty($data)) {
            // get user data from db
            $sql = "SELECT * FROM users WHERE id={$this->id}";
            // error checking?
            $db = DB::singleton();
            $db->execute($sql);
            $data = $db->getRow();
        }
        $this->name = $data['name'];
        $this->accrual = $data['accrual'];
        $this->email = $data['email'];
        /// etc
    }

>         }
>
>         function get_email()   { /* same as above more or less */ }
>         function get_accrual() { /* same as above more or less */ }
>         function is_manager()  { /* same as above more or less */ }
>
>         function get_events()
>         {
>             // this function gets all the events for
>             // the current users and returns them
>             // as an array.
>         }
>
>         function add_event()
>         {
>             // this function adds a single event for
>             // the current user. it also recalculates
>             // the 'balance' for each event because
>             // of data display requirements.
>         }
>
>         function del_event($event_id)
>         {
>             // delete an event from the current user's
>             // events list based on $event_id.
>         }
>     }
>
> As I started to write this and use it I get the feeling that there should also be an Event class that is extended by the User class. Reason

if you use an Event class then it should just represent an Event (and a User object would [probably] contain an array of Event objects). AFAICT there is no good reason to have Event extend User.

> being that each User object is a reference to the currently logged in user, not anyone else.

the User class is merely a representation of *a* user - you can use an instance for the currently logged in user, but that doesn't stop you from using the same class to model the collection of users that fall under a given manager.

> But if you're a manager you have the responsibility to approve/deny and/or add/delete events for your employees.

    // you might need to f around with returning references here,
    // (I can never quite get that right without a bit of trial and error in php4)
    function getEmployees()
    {
        // consider caching the result?
        $emps = array();
        if ($this->is_manager) {
            // get user data from db
            $sql = "SELECT * FROM users WHERE manager_id={$this->id}";
            // error checking?
            $db = DB::singleton();
            $db->execute($sql);
            while ($data = $db->getRow())
                $emps[] = new User($data);
        }
        return $emps;
    }

> But with that in mind I've gone from a class that handles the currently logged in user to one that handles the currently logged in user plus any number of other users.
>
> I guess I'm thinking of this in the same terms as db normalization. Ex: I could add an extra price_level column to my products table each
Re: [PHP] MySQL exceptions
Davi wrote:
> Hi all!
>
> I'm developing an OOP app using PHP 5. I want to use try-catch with mysql functions.
>
> So, the question is: what are the exception classes of MySQL? Where can I find them?

IIRC mysqli (certainly not mysql) extension does not throw exceptions, so write code that checks for errors using the relevant functions and throw your own exceptions as you see fit.

the reasoning is that php doesn't force you to use exceptions - other than some caveats, like the SOAP extension, some SPL classes (I think), etc.

> TIA
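Added example (not part of any message in either thread): the three outcomes discussed in the "mysql if empty" thread and the check-then-throw approach suggested just above, in one function: rows found, a valid query that matched nothing, and a query that failed. PDO in silent error mode with an in-memory SQLite database stands in for the mysql_* calls so that it runs without a server; the QueryFailed class, findClients() and the table contents are constructed for illustration.

```php
<?php
// Added example. PDO + in-memory SQLite stand in for the thread's mysql_* calls.
// QueryFailed and findClients() are illustrative names, not library APIs.

class QueryFailed extends RuntimeException {}

/**
 * Returns the matching Client values. An empty array means the query ran
 * and matched nothing; a failed query raises QueryFailed instead.
 */
function findClients(PDO $db, string $name): array
{
    // Placeholder instead of string interpolation: $name never becomes SQL.
    $stmt = $db->prepare('SELECT Client FROM booked WHERE Name = :name');

    // In silent mode a failure is reported as FALSE, like mysql_query() did,
    // so it has to be checked before the result is used.
    if ($stmt === false || $stmt->execute([':name' => $name]) === false) {
        $info = ($stmt ?: $db)->errorInfo();
        throw new QueryFailed($info[2] ?? 'unknown database error');
    }

    // Success. Zero rows is a normal result, not an error.
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Silent mode is set explicitly because newer PHP versions throw by default.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_SILENT]);
$db->exec('CREATE TABLE booked (Client TEXT, Name TEXT)');
$db->exec("INSERT INTO booked VALUES ('Acme Ltd', 'moe')");   // constructed sample row

foreach (['moe', 'larry'] as $name) {
    $clients = findClients($db, $name);
    echo $name, ': ', $clients ? implode(', ', $clients) : 'No result found', "\n";
}

// Third outcome: the statement itself cannot run (the table is gone).
$db->exec('DROP TABLE booked');
try {
    findClients($db, 'larry');
} catch (QueryFailed $e) {
    echo 'Query failed: ', $e->getMessage(), "\n";
}
```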
RE: [PHP] Question about OO design
On Monday, April 09, 2007 3:51 PM Jochem Maas mailto:[EMAIL PROTECTED] said:

Thanks for the response Jochem.

> Chris W. Parker wrote:

[snip]

> you probably only want one DB call to populate the User object with all the relevant user data at the point where the object is created.

[snip]

Ok. I see what you're saying. If I populate all that data during the constructor why would I ever call the function again right?

[snip]

>> As I started to write this and use it I get the feeling that there should also be an Event class that is extended by the User class. Reason
>
> if you use an Event class then it should just represent an Event (and a User object would [probably] contain an array of Event objects). AFAICT there is no good reason to have Event extend User.

I see.

>> being that each User object is a reference to the currently logged in user, not anyone else.
>
> the User class is merely a representation of *a* user - you can use an instance for the currently logged in user, but that doesn't stop you from using the same class to model the collection of users that fall under a given manager.

I see.

>     // you might need to f around with returning references here,
>     // (I can never quite get that right without a bit of trial and error in php4)
>     function getEmployees()
>     {
>         // consider caching the result?
>         $emps = array();
>         if ($this->is_manager) {
>             // get user data from db
>             $sql = "SELECT * FROM users WHERE manager_id={$this->id}";
>             // error checking?
>             $db = DB::singleton();
>             $db->execute($sql);
>             while ($data = $db->getRow())
>                 $emps[] = new User($data);
>         }
>         return $emps;
>     }

How do I reference a User object within the $emps array? Is it like $emps[0]->accrual ?

Thanks,
Chris.
[PHP] Re: MySQL exceptions
Use the @ in front of the statement and then check the result if it's valid.

--
itoctopus - http://www.itoctopus.com

Davi [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Hi all!
>
> I'm developing an OOP app using PHP 5.
> I want to use try-catch with mysql functions.
>
> So, the question is: what are the exception classes of MySQL?
> Where can I find it?
>
> TIA
>
> --
> Davi Vidal
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> --
> Now with fortune:
> BOFH Excuse #426:
> internet is needed to catch the etherbunny
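The approach suggested in the two replies on this thread (check what the mysqli functions return, optionally with @ to silence the warning, and throw your own exception), as an added example that is not code from any poster on the list. `DbException`, `Db`, the connection values and the sample query are hypothetical; it assumes PHP 5.6 or later with the mysqlnd driver, and because mysqli throws `mysqli_sql_exception` by default since PHP 8.1, it switches that off so each check is explicit.

```php
<?php
// Added example: DbException, Db and the connection values are hypothetical.
class DbException extends RuntimeException {}

class Db
{
    private $link;

    public function __construct($host, $user, $pass, $name)
    {
        // Make mysqli return false on failure (PHP 8.1+ throws by default).
        mysqli_report(MYSQLI_REPORT_OFF);
        // @ silences the connect warning; the return value is still checked.
        $this->link = @mysqli_connect($host, $user, $pass, $name);
        if ($this->link === false) {
            throw new DbException('connect: ' . mysqli_connect_error(), mysqli_connect_errno());
        }
    }

    // Run a parameterised SELECT; return all rows as associative arrays.
    public function select($sql, $types = '', array $params = array())
    {
        $stmt = mysqli_prepare($this->link, $sql);
        if ($stmt === false) {
            throw new DbException('prepare: ' . mysqli_error($this->link), mysqli_errno($this->link));
        }
        if ($params && !mysqli_stmt_bind_param($stmt, $types, ...$params)) {
            throw new DbException('bind: ' . mysqli_stmt_error($stmt));
        }
        if (!mysqli_stmt_execute($stmt)) {
            throw new DbException('execute: ' . mysqli_stmt_error($stmt), mysqli_stmt_errno($stmt));
        }
        $result = mysqli_stmt_get_result($stmt); // needs the mysqlnd driver
        if ($result === false) {
            throw new DbException('result: ' . mysqli_stmt_error($stmt), mysqli_stmt_errno($stmt));
        }
        return mysqli_fetch_all($result, MYSQLI_ASSOC);
    }
}

try {
    // Constructed values; with no server listening the connect check throws.
    $db = new Db('127.0.0.1', 'app_user', 'placeholder', 'app_db');
    $rows = $db->select('SELECT id FROM users WHERE manager_id = ?', 'i', array(42));
    printf("%d rows\n", count($rows));
} catch (DbException $e) {
    // Keep driver detail in the log; give the client a generic message.
    error_log(sprintf('db error %d: %s', $e->getCode(), $e->getMessage()));
    echo "Database error, please try again later.\n";
}
```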
Re: [PHP] Question about OO design
Chris W. Parker wrote:
> On Monday, April 09, 2007 3:51 PM Jochem Maas mailto:[EMAIL PROTECTED] said:
>
> Thanks for the response Jochem.
>
>> Chris W. Parker wrote:
>
> [snip]
>
>> you probably only want one DB call to populate the User object with all the relevant user data at the point where the object is created.
>
> [snip]
>
> Ok. I see what you're saying. If I populate all that data during the constructor why would I ever call the function again right?

you could refresh the data if needed - but basically the idea is to cut down the user data grab into a single sql call.

> [snip]
>
>>> As I started to write this and use it I get the feeling that there should also be an Event class that is extended by the User class. Reason
>>
>> if you use an Event class then it should just represent an Event (and a User object would [probably] contain an array of Event objects). AFAICT there is no good reason to have Event extend User.
>
> I see.
>
>>> being that each User object is a reference to the currently logged in user, not anyone else.
>>
>> the User class is merely a representation of *a* user - you can use an instance for the currently logged in user, but that doesn't stop you from using the same class to model the collection of users that fall under a given manager.
>
> I see.
>
>> // you might need to f around with returning references here,
>> // (I can never quite get that right without a bit of trial and error in php4)
>> function getEmployees()
>> {
>>     // consider caching the result?
>>     $emps = array();
>>     if ($this->is_manager) {
>>         // get user data from db
>>         $sql = "SELECT * FROM users WHERE manager_id={$this->id}";
>>
>>         // error checking?
>>         $db = DB::singleton();
>>         $db->execute($sql);
>>         while ($data = $db->getRow())
>>             $emps[] = new User($data);

                $emps[$data['id']] = new User($data);

>>     }
>>
>>     return $emps;
>> }
>
> How do I reference a User object within the $emps array? Is it like $emps[0]->accrual ?
that's one way, you might consider keying the emps array on the user id for easier retrieval (see above), which would allow you to quickly reference the correct employee User object when a manager performs an action on a given emp.

or when a manager edits multiple employees:

    $manager = new User($_SESSION['userid']);
    $emps = $manager->getEmployees();
    // think about using references here?
    foreach ($emps as $id => $emp) {
        if (isset($_POST['emps'][$id])) {
            // just some vague 'update' concept/action thingummy
            $emp->doSomeUpdateStuff($_POST['emps'][$id]);
            $emp->saveUpdateStuffToDB();
        }
    }

or a different tack

    foreach ($_POST['emps'] as $id => $stuff) {
        $manager->updateEmpStuff($id, $stuff);
    }

    // where updateEmpStuff does something like

    class User {
        function updateEmpStuff($id, $stuff)
        {
            if ($this->is_manager) {
                // don't forget to cache the emps array??
                // don't forget the use of references??
                $emps = $this->getEmployees();
                if (isset($emps[$id])) {
                    // again a vague thingummy representing something
                    // a manager might [need to be able to] do.
                    $emps[$id]->managerUpdatesStuff($stuff);
                }
            }
        }
    }

> Thanks,
> Chris.