Re: [PHP] link to a css file requires .css ???
Just use the following .htaccess rewrite rule:

    RewriteRule ^some.css$ some.php

and this is the perfect solution.

On Mon, Aug 17, 2009 at 3:14 AM, Adam Shannon <a...@ashannon.us> wrote:
> On Sun, Aug 16, 2009 at 4:37 PM, Daniel Kolbo <kolb0...@umn.edu> wrote:
>> Hello,
>>
>> I realize this is more of an html question than a php one, but I was hoping someone here would know what's going on.
>>
>> I am linking to a stylesheet and it is requiring me to use a *.css extension. I want to use a .php extension (and have the php engine generate css). However, whenever I use a .php extension the link tag does not seem to work.
>>
>> This works!
>>
>>     <link rel="stylesheet" type="text/css" href="http://localhost:8080/some.css" />
>>
>> This doesn't work but I don't understand why not???
>>
>>     <link rel="stylesheet" type="text/css" href="http://localhost:8080/some.php" />
>>
>> The page http://localhost:8080/some.php displays the css exactly the same as http://localhost:8080/some.css
>>
>> Why can't I link to a css file by using a different extension?
>>
>> Thanks in advance,
>> dK
>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>
> Oh, I think it's part of the spec. You could always use .htaccess rules to parse .css files as .php; this will keep search engines happy and browsers happy as well.
>
> --
> - Adam Shannon ( http://ashannon.us )

--
Devendra Jadhav
[PHP] is there a better way to know from which php file the request comes from ??
This is a newbie question...

Let's say there are 3 php files, page1.php, page2.php and page3.php. Form submission from page1.php or page2.php will take the user to page3.php. I know that we can use a parameter that is appended in the action attribute of the form (e.g. <FORM METHOD="POST" ACTION="tes.php?var1=val1">). But I think appending this parameter is transparent to the user, since it's visible in the url. And I think we can also use the hidden field or (form name ??). So which one is most secure and better ??

Thanks..

--
View this message in context: http://www.nabble.com/is-there-a-better-way-to-know-from-which-php-file-the-request-comes-fromtp25003587p25003587.html
Sent from the PHP - General mailing list archive at Nabble.com.
Re: [PHP] is there a better way to know from which php file the request comes from ??
On Mon, 2009-08-17 at 02:17 -0700, nashrul wrote:
> This is a newbie question...
>
> Let's say there are 3 php files, page1.php, page2.php and page3.php. Form submission from page1.php or page2.php will take the user to page3.php. I know that we can use a parameter that is appended in the action attribute of the form (e.g. <FORM METHOD="POST" ACTION="tes.php?var1=val1">). But I think appending this parameter is transparent to the user, since it's visible in the url. And I think we can also use the hidden field or (form name ??). So which one is most secure and better ??
>
> Thanks..

Neither GET nor POST is more secure; it's just that POST requires a tiny bit more work to see what's being sent.

You can use the $_SERVER['HTTP_REFERER'] variable to detect where a request has come from. The documentation for this particular variable mentions that it can't be trusted, as it can be changed by the client browser, but then, so can hidden form fields, etc.

Personally, I'd go with the HTTP_REFERER route, because it is completely transparent, and the majority of users aren't going to bother changing it.

Thanks,
Ash
http://www.ashleysheridan.co.uk
RE: [PHP] running str_replace, it misbehaves!
-----Original Message-----
From: Allen McCabe [mailto:allenmcc...@gmail.com]
Sent: 16 August 2009 22:07

[...]

> Here is an example of my code:
>
> [code]
> <?php
> //ENCRYPT FUNCTIONS
> function format_string($string, $functions) {
>     $funcs = explode(",", $functions);
>     foreach ($funcs as $func) {
>         if (function_exists($func)) $string = $func($string);
>     }
>     return $string;
> }
>
> function enc_string($string) {
>     $search  = array("a","b","c","d","e","f","g","h","i",...); //62 values
>     $replace = array("j9","k8","q7","v6",...);                  //62 values
>     $string  = str_replace($search, $replace, $string);
>     $search2 = array("9k","8q","7v","6w","5x","4y","3z","2j",...); // 126 values
>     $string  = str_replace($search2, $replace2, $string);
>     return $string;
> }

When you feed array search and replace values to str_replace, it runs them in sequence, not in parallel.

As you haven't given us a full input alphabet above (and, incidentally, you've left out the value of $replace2!), I can't give an example using your encoding, so let's just take, for example:

    $string = 'word';

and feed it through

    str_replace(array('d','o','r','w'), array('w9','r8','o7','d6'), $string);

This proceeds as follows:

    d -> w9 = worw9
    o -> r8 = wr8rw9
    r -> o7 = wo78o7w9    // Note how TWO r->o7 replaces were made here!
    w -> d6 = d6o78o7d69  // and similarly w->d6 twice!

I think this gives you a clue as to what is happening -- the same effect will occur on your second str_replace as well, giving you your apparent multiple-encode problem.

If you must do this kind of translation, then you need a function that doesn't have this re-replace effect, such as strtr() http://php.net/strtr.

But, I have to wonder, why aren't you just using one of the encoding functions readily available in PHP, such as md5() or sha1(), or hash()?

Cheers!

Mike
--
Mike Ford, Electronic Information Developer, Libraries and Learning Innovation,
Leeds Metropolitan University, C507, Civic Quarter Campus, Woodhouse Lane, LEEDS, LS1 3HE, United Kingdom
Email: m.f...@leedsmet.ac.uk  Tel: +44 113 812 4730
To view the terms under which this email is distributed, please go to http://disclaimer.leedsmet.ac.uk/email.htm
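The re-replace effect Mike traces above, side by side with the strtr() fix and the hash() alternative he points to, as an added example (my code, not Allen's or Mike's). It uses the same four-letter mapping as the trace; the salt is a constructed placeholder. Two caveats a reviewer would raise on the original: format_string() calls whatever function names arrive in $functions, so that list must never be built from request data, and a reversible letter-substitution is an encoding, not encryption, so it protects nothing that a hash (or password_hash() for passwords) should protect.

```php
<?php
// Added example: sequential str_replace() vs single-pass strtr(), plus hash().
declare(strict_types=1);

// Same mapping as Mike's trace: d->w9, o->r8, r->o7, w->d6.
const MAP = ['d' => 'w9', 'o' => 'r8', 'r' => 'o7', 'w' => 'd6'];

/**
 * str_replace() with arrays applies each search/replace pair in turn to the
 * WHOLE string, so replacement text produced by an earlier pair is scanned
 * again by the later ones. For 'word' this yields the mangled value in the trace.
 */
function encode_sequential(string $s): string
{
    return str_replace(array_keys(MAP), array_values(MAP), $s);
}

/**
 * strtr() with an array walks the input once, longest keys first, and never
 * re-examines text it has already emitted, so each input letter is mapped
 * exactly once. That also makes it safe for the two-character keys
 * ("9k", "8q", ...) in the second table of the original code.
 */
function encode_single_pass(string $s): string
{
    return strtr($s, MAP);
}

/** Inverse of encode_single_pass(): flip the table and run strtr() again. */
function decode_single_pass(string $s): string
{
    return strtr($s, array_flip(MAP));
}

/**
 * What Mike actually suggests for this job: a one-way hash via hash().
 * There is no decode. $salt is a constructed placeholder for the demo;
 * for user passwords use password_hash() instead of a bare hash.
 */
function digest(string $s, string $salt = 'constructed-salt'): string
{
    return hash('sha256', $salt . $s);
}

// Stand-alone demonstration on the word from Mike's trace.
$word = 'word';
echo "sequential  : ", encode_sequential($word), "\n";
echo "single pass : ", encode_single_pass($word), "\n";
echo "round trip  : ", decode_single_pass(encode_single_pass($word)), "\n";
echo "sha256      : ", digest($word), "\n";
```

The sequential result reproduces the final line of Mike's trace; the single-pass result maps each of w, o, r, d once and round-trips back to the input. The round trip only works because every code in the table has the same length, so no code is a prefix of another.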
Re: [PHP] is there a better way to know from which php file the request comes from ??
HTTP_REFERER is transparent, but it can be messed with very easily. I prefer use of $_SESSION vars if security is needed in my application (especially when a page is shown after a POST request).
Re: [PHP] link to a css file requires .css ???
A browser will always parse a <link ...> tag regardless of the extension. The only condition is that the file should provide a MIME type of 'text/css' for css files.

https://developer.mozilla.org/en/Incorrect_MIME_Type_for_CSS_Files
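A some.php that sends the text/css MIME type the reply above refers to, as an added example (my code, not from the thread). It can be referenced directly from a <link> tag or sit behind the RewriteRule from the first reply. The theme query parameter and the two palettes are assumptions for the demo; the important part is that the browser decides from the Content-Type header, not the extension, and that a query-string value is never copied into the stylesheet.

```php
<?php
// Added example: a PHP script that serves a generated stylesheet.
declare(strict_types=1);

/**
 * Build the stylesheet body. $theme is untrusted input (it comes from the
 * query string), so it is used only as a whitelist key and never echoed:
 * otherwise a crafted value could inject arbitrary CSS into the page.
 */
function build_css(string $theme): string
{
    $palettes = [
        'light' => ['bg' => '#ffffff', 'fg' => '#222222'],
        'dark'  => ['bg' => '#1e1e1e', 'fg' => '#f0f0f0'],
    ];
    // Unknown theme names fall back to the default instead of being reflected.
    $p = $palettes[$theme] ?? $palettes['light'];

    return "body { background: {$p['bg']}; color: {$p['fg']}; }\n"
         . "a { color: inherit; }\n";
}

/** The response headers that make the output usable as a stylesheet. */
function css_headers(): array
{
    return [
        // This is what the browser checks (see the MDN link above), not ".css".
        'Content-Type: text/css; charset=utf-8',
        // Ask browsers not to second-guess the declared type by sniffing the body.
        'X-Content-Type-Options: nosniff',
        // A generated stylesheet is usually cacheable; tune for your site.
        'Cache-Control: public, max-age=3600',
    ];
}

if (PHP_SAPI !== 'cli') {
    foreach (css_headers() as $h) {
        header($h);
    }
    echo build_css((string) ($_GET['theme'] ?? 'light'));
} else {
    // Stand-alone run from the command line, for inspection.
    echo build_css('dark');
}
```

With the .htaccess rule from the first reply (RewriteRule ^some.css$ some.php) the same script also answers requests for some.css, which satisfies tools that insist on the extension while the headers above keep the browser happy.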
Re: [PHP] Another date exercise
Don't you think http://in3.php.net/strtotime is a solution to your problem?
Re: [PHP] Cannot exec in my own directory
See if you can run the same php file via CLI. Does script.sh run without any problems? Then probably something like SELinux is preventing httpd from running scripts. You have to contact your system administrator to get this fixed.
Re: [PHP] Cannot exec in my own directory
> See if you can run the same php file via CLI. Does script.sh run without any problems? Then probably something like SELinux is preventing httpd from running scripts. You have to contact your system administrator to get this fixed.

You are right. Running the php script from the CLI in an SSH session results in the expected behaviour: the script specified in the exec command is run. Not so if I call the php script from a web browser. Thanks for the tip-off.

--
Dotan Cohen
http://what-is-what.com
http://gibberish.co.il
Re: [PHP] Cannot exec in my own directory
Did you check SELinux options ??

I have a similar problem. For some unknown reason scan_dir() is not able to read /home/user when run as an Apache module, but the CLI is giving expected results. I did not find any workaround, but had to read /var/www, which is the home directory of 'apache' (this is the user under which apache runs by default; hence your script needs 777 to execute).

So if everything else fails I'll recommend you to move the script to /var/www (usually your server root) instead of /home/user.
Re: [PHP] Cannot exec in my own directory
> Did you check SELinux options ??

I do not have root access to that server.

> I have a similar problem. For some unknown reason scan_dir() is not able to read /home/user when run as an Apache module, but the CLI is giving expected results. I did not find any workaround, but had to read /var/www, which is the home directory of 'apache' (this is the user under which apache runs by default; hence your script needs 777 to execute).

Actually, it currently is 777. I thought it might be a permissions problem so I 777ed it as a troubleshooting measure.

> So if everything else fails I'll recommend you to move the script to /var/www (usually your server root) instead of /home/user.

I have no access to that directory.

--
Dotan Cohen
Re: [PHP] Cannot exec in my own directory
On Mon, 2009-08-17 at 19:23 +0530, kranthi wrote:
> Did you check SELinux options ??
>
> I have a similar problem. For some unknown reason scan_dir() is not able to read /home/user when run as an Apache module, but the CLI is giving expected results. I did not find any workaround, but had to read /var/www, which is the home directory of 'apache' (this is the user under which apache runs by default; hence your script needs 777 to execute).
>
> So if everything else fails I'll recommend you to move the script to /var/www (usually your server root) instead of /home/user.

That's a potential security flaw waiting to happen. A script like this shouldn't be kept in a web-accessible directory.

Thanks,
Ash
Re: [PHP] Cannot exec in my own directory
> That's a potential security flaw waiting to happen. A script like this shouldn't be kept in a web-accessible directory.

Thanks, Ash. That directory is HTTP-password protected.

--
Dotan Cohen
Re: [PHP] Cannot exec in my own directory
On Mon, 2009-08-17 at 17:01 +0300, Dotan Cohen wrote:
>> Did you check SELinux options ??
>
> I do not have root access to that server.
>
>> I have a similar problem. For some unknown reason scan_dir() is not able to read /home/user when run as an Apache module, but the CLI is giving expected results. I did not find any workaround, but had to read /var/www, which is the home directory of 'apache' (this is the user under which apache runs by default; hence your script needs 777 to execute).
>
> Actually, it currently is 777. I thought it might be a permissions problem so I 777ed it as a troubleshooting measure.
>
>> So if everything else fails I'll recommend you to move the script to /var/www (usually your server root) instead of /home/user.
>
> I have no access to that directory.
>
> --
> Dotan Cohen

Just out of curiosity, have you been able to run even the most basic of scripts from PHP, like a plain old BASH 'echo' statement or something? I only ask because sometimes within the shell scripts themselves are calls to other command line programs (even something as simple as 'ls') which need to be called using their full path, because Apache has a different path for shell scripts.

Also, you said you used include files in that same area. Is it possible that you are also trying to use one of them inside your shell script, but because the paths are different, the system cannot find the things you expect it to?

Thanks,
Ash
Re: [PHP] Cannot exec in my own directory
> Just out of curiosity, have you been able to run even the most basic of scripts from PHP, like a plain old BASH 'echo' statement or something? I only ask because sometimes within the shell scripts themselves are calls to other command line programs (even something as simple as 'ls') which need to be called using their full path, because Apache has a different path for shell scripts.

ls, pwd, and other commands run fine. The only command in the called shell script is /usr/bin/mysqldump, which for some reason out of habit I always type with the full path!

> Also, you said you used include files in that same area. Is it possible that you are also trying to use one of them inside your shell script, but because the paths are different, the system cannot find the things you expect it to?

No, there are no other files included in this instance. I only mentioned it to show that PHP can read from that directory.

Thanks.

--
Dotan Cohen
Re: [PHP] Another date exercise
At 3:40 PM +0530 8/17/09, kranthi wrote:
> Don't you think http://in3.php.net/strtotime is a solution to your problem?

No, it's not a solution to my problem -- I have the problem solved. I was just asking if anyone wanted to submit their php solution. It was only an exercise.

I know there are numerous javascript solutions (some good, some bad), but ALL of their data has to be accepted and scrubbed by a php script anyway, so I was suggesting creating a php script to do it.

If it's not a good exercise, then don't do it.

Cheers,

tedd
--
---
http://sperling.com
http://ancientstones.com
http://earthstones.com
Re: [PHP] Cannot exec in my own directory
> That's a potential security flaw waiting to happen. A script like this shouldn't be kept in a web-accessible directory.

/var/www is not the document root. The document root is /var/www/html, so I don't think there's a problem.

> /var/www (usually your server root)

I am mistaken regarding this. For details (the location of httpd.conf may vary depending on your distro, but it is definitely located in /etc/):

    $ cat /etc/passwd | grep apache
    $ cat /etc/httpd/conf/httpd.conf | grep ^ServerRoot
    $ cat /etc/httpd/conf/httpd.conf | grep ^DocumentRoot
    $ cat /etc/httpd/conf/httpd.conf | grep ^User

> I have no access to that directory.

Seems you do not have access to any directory other than /home/user. But I don't think there's a workaround; you'll have to request your administrator to move that file to the /var/www directory (and retain 777).

> ls, pwd, and other commands run fine.

I don't think `ls /home/user` will work fine.
Re: [PHP] Cannot exec in my own directory
On Mon, 2009-08-17 at 20:16 +0530, kranthi wrote:
>> That's a potential security flaw waiting to happen. A script like this shouldn't be kept in a web-accessible directory.
>
> /var/www is not the document root. The document root is /var/www/html, so I don't think there's a problem.
>
>> /var/www (usually your server root)
>
> I am mistaken regarding this. For details (the location of httpd.conf may vary depending on your distro, but it is definitely located in /etc/):
>
>     $ cat /etc/passwd | grep apache
>     $ cat /etc/httpd/conf/httpd.conf | grep ^ServerRoot
>     $ cat /etc/httpd/conf/httpd.conf | grep ^DocumentRoot
>     $ cat /etc/httpd/conf/httpd.conf | grep ^User
>
>> I have no access to that directory.
>
> Seems you do not have access to any directory other than /home/user. But I don't think there's a workaround; you'll have to request your administrator to move that file to the /var/www directory (and retain 777).
>
>> ls, pwd, and other commands run fine.
>
> I don't think `ls /home/user` will work fine.

Why move the script to somewhere that he can't access? If the existing PHP scripts are all in /home/user then Apache is set up to allow the local user filespace to be used as a web server area. As such, there wouldn't be much point in trying to put the script in /var/www (assuming that Apache is set up to use /var/www at all; on Suse for example it uses /srv/www/).

Thanks,
Ash
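A diagnostic wrapper for the "works from the CLI, fails under Apache" situation this thread is chasing, as an added example (my code, not from any of the posts). A bare exec() silently drops the exit status and stderr, which is exactly the information that tells SELinux denials, permission problems and PATH differences apart; this wrapper records who PHP is running as, whether that user can execute the target, the PATH it sees, and the command's real exit code and error text. The script path is an assumed placeholder, and it must stay a fixed trusted path: never build an exec() argument from request data.

```php
<?php
// Added example: capture what exec() hides when a script works in the CLI
// but not under the web server.
declare(strict_types=1);

/**
 * Run $script via exec() and return everything needed to diagnose a failure.
 * $script is a fixed, trusted path (placeholder below); it is never taken
 * from user input.
 */
function run_with_diagnostics(string $script): array
{
    $info = [
        'sapi'          => PHP_SAPI,                               // "cli" vs "apache2handler"
        'effective_uid' => function_exists('posix_geteuid') ? posix_geteuid() : null,
        'script'        => $script,
        'exists'        => file_exists($script),
        'executable'    => is_executable($script),                // as the current user
        'dir_readable'  => is_readable(dirname($script)),
        'path_env'      => getenv('PATH') ?: '(unset)',           // why "ls" may need a full path
        'selinux'       => selinux_mode(),
    ];

    if (!$info['exists'] || !$info['executable']) {
        $info['status'] = null;
        $info['output'] = [];
        $info['note']   = 'not runnable as this user: check ownership/mode of the file '
                        . 'and directory, and SELinux labels if the mode is enforcing';
        return $info;
    }

    $output = [];
    $status = 0;
    // escapeshellarg() quotes the path; "2>&1" folds stderr into $output so the
    // actual error (e.g. "Permission denied") is visible instead of discarded.
    exec(escapeshellarg($script) . ' 2>&1', $output, $status);

    $info['status'] = $status;   // 0 = success, 126 = found but not executable, 127 = not found
    $info['output'] = $output;
    return $info;
}

/** Report the SELinux mode if the kernel exposes it; no root access needed. */
function selinux_mode(): string
{
    foreach (['/sys/fs/selinux/enforce', '/selinux/enforce'] as $f) {
        if (is_readable($f)) {
            return trim((string) file_get_contents($f)) === '1' ? 'enforcing' : 'permissive';
        }
    }
    return 'unknown or not present';
}

// Stand-alone use with a placeholder path.
$report = run_with_diagnostics('/home/user/script.sh');

if (PHP_SAPI === 'cli') {
    print_r($report);
} else {
    // Under Apache keep the details out of the HTTP response: read them from
    // the web server's error log instead.
    error_log(print_r($report, true));
}
```

Run it once from the shell and once through the browser and compare the two reports: a differing effective_uid or path_env points at Ash's PATH and ownership questions, a status of 126 with "Permission denied" on a file the CLI runs fine points at SELinux or the directory mode, and an empty output with a non-zero status means the error went somewhere the script never looked.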
Re: [PHP] Another date exercise
At 4:22 PM -0400 8/16/09, Paul M Foster wrote:
> On Sun, Aug 16, 2009 at 08:36:17AM +0100, Lester Caine wrote:
>
> -snip-
>
>> But as has been said, the real solution is a date picker.
>
> I *hate* date pickers. They slow down input. I can type 082309Enter faster than I can ever do it with a date picker. The date class knows I'm in America and since it's a six-digit date, it must be mmddyy. (Yes, for those of you *not* in America, I agree our dates are goofy. I think we all ought to be on the metric system, too, but America and the UK seem intent on sticking to Imperial measure.)
>
> Paul

Paul:

Yes, that's part of the problem. I was suggesting an exercise where people could put their collective heads together and create a php solution.

I realize that US has DD, MM, and the Euros have , MM, DD and others have other things (i.e., Year of the York). Not addressing the other things -- to me, if one uses a character for a month, then there's no problem in deciphering any entry regardless of format.

For example, 2009 Aug 23, or Aug 23 2009, or Aug 2009 23, or 23 2009 Aug -- they could all be entered in whatever order you want and deciphered correctly.

The rules of course are:

Year must be in thousands -- 1000-5000.
Month must be a character -- D for December, May for May, Jun for June and so on.
Day must be in ones or tens -- 1 or 09, or 31.

It's certainly not a problem to write such code; I only suggested the exercise to get people to expound on the problems they encountered. Instead, I received "use javascript". Okay... but that's not a php solution, right?

Cheers,

tedd
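A php solution to the exercise as tedd states it, as an added example (my code, not tedd's). It accepts the three pieces in any order, takes the year as a four-digit number in 1000-5000, the month as a name or unambiguous leading part of one ("D" for December, "Jun" for June), and the day as a one- or two-digit number, and it rejects rather than guesses anything else. That last point is the server-side scrubbing tedd mentions: every input is treated as untrusted and validated against the rules, and checkdate() catches impossible dates such as 31 Feb. The sample inputs at the bottom are constructed.

```php
<?php
// Added example: parse a free-order date under tedd's rules.
declare(strict_types=1);

const MONTHS = ['january', 'february', 'march', 'april', 'may', 'june',
                'july', 'august', 'september', 'october', 'november', 'december'];

/**
 * Map a month token to 1..12. The token must be a prefix of exactly one
 * month name: "Jun" -> 6, "D" -> 12, but "Ma" (March or May) and "J"
 * (January, June, July) are ambiguous and yield null.
 */
function month_from_name(string $tok): ?int
{
    $tok  = strtolower($tok);
    $hits = [];
    foreach (MONTHS as $i => $name) {
        if (strncmp($name, $tok, strlen($tok)) === 0) {
            $hits[] = $i + 1;
        }
    }
    return count($hits) === 1 ? $hits[0] : null;
}

/**
 * Parse input such as "2009 Aug 23" or "23 Aug 2009" or "Aug 2009 23".
 * Returns [year, month, day] or null when the input does not fit the rules.
 */
function parse_free_order_date(string $input): ?array
{
    // Split on whitespace and common separators; drop empty pieces.
    $tokens = preg_split('/[\s,\/\-.]+/', trim($input), -1, PREG_SPLIT_NO_EMPTY);
    if (count($tokens) !== 3) {
        return null;
    }

    $year = $month = $day = null;
    foreach ($tokens as $tok) {
        if (ctype_digit($tok)) {
            $n = (int) $tok;
            if (strlen($tok) === 4 && $n >= 1000 && $n <= 5000 && $year === null) {
                $year = $n;                      // "in thousands": 1000-5000
            } elseif (strlen($tok) <= 2 && $n >= 1 && $n <= 31 && $day === null) {
                $day = $n;                       // "ones or tens": 1, 09, 31
            } else {
                return null;                     // duplicate field or out-of-range number
            }
        } elseif (ctype_alpha($tok) && $month === null) {
            $month = month_from_name($tok);
            if ($month === null) {
                return null;                     // unknown or ambiguous month name
            }
        } else {
            return null;                         // mixed token, or a second month
        }
    }

    if ($year === null || $month === null || $day === null) {
        return null;
    }
    // checkdate() rejects impossible combinations such as 31 Feb.
    return checkdate($month, $day, $year) ? [$year, $month, $day] : null;
}

// Stand-alone demonstration on constructed inputs, valid and invalid.
$samples = ['2009 Aug 23', 'Aug 23 2009', '23 2009 Aug', '09/Jun/2010',
            'D 1 2009', '31 Feb 2009', 'Ma 3 2009', '23 08 2009'];
foreach ($samples as $in) {
    $r = parse_free_order_date($in);
    printf("%-12s => %s\n", $in, $r ? vsprintf('%04d-%02d-%02d', $r) : 'rejected');
}
```

The two rejections worth noting are "Ma 3 2009" (March or May, so the month rule is not met) and "23 08 2009" (a numeric month, which is exactly the ambiguity tedd's character-month rule is there to avoid).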
Re: [PHP] Another date exercise
2009/8/17 tedd <tedd.sperl...@gmail.com>
> At 4:22 PM -0400 8/16/09, Paul M Foster wrote:
>> On Sun, Aug 16, 2009 at 08:36:17AM +0100, Lester Caine wrote:
>>
>> -snip-
>>
>>> But as has been said, the real solution is a date picker.
>>
>> I *hate* date pickers. They slow down input. I can type 082309Enter faster than I can ever do it with a date picker. The date class knows I'm in America and since it's a six-digit date, it must be mmddyy. (Yes, for those of you *not* in America, I agree our dates are goofy. I think we all ought to be on the metric system, too, but America and the UK seem intent on sticking to Imperial measure.)
>>
>> Paul
>
> Paul:
>
> Yes, that's part of the problem. I was suggesting an exercise where people could put their collective heads together and create a php solution.
>
> I realize that US has DD, MM, and the Euros have , MM, DD and others have other things (i.e., Year of the York). Not addressing the other things -- to me, if one uses a character for a month, then there's no problem in deciphering any entry regardless of format.
>
> For example, 2009 Aug 23, or Aug 23 2009, or Aug 2009 23, or 23 2009 Aug -- they could all be entered in whatever order you want and deciphered correctly.
>
> The rules of course are:
>
> Year must be in thousands -- 1000-5000.
> Month must be a character -- D for December, May for May, Jun for June and so on.
> Day must be in ones or tens -- 1 or 09, or 31.
>
> It's certainly not a problem to write such code; I only suggested the exercise to get people to expound on the problems they encountered. Instead, I received "use javascript". Okay... but that's not a php solution, right?
>
> Cheers,
>
> tedd

What would be really cool is if someone wrote a PHP script that generates some Javascript code that could do this.

I mean, while we're on the subject of complicating things ;)

--
Luke Slater
:O)
This text is protected by international copyright. It is illegal for anybody apart from the recipient to keep a copy of this text.
Re: [PHP] Another date exercise
At 4:10 PM +0100 8/17/09, Luke wrote:
> What would be really cool is if someone wrote a PHP script that generates some Javascript code that could do this.
>
> I mean, while we're on the subject of complicating things ;)
>
> --
> Luke Slater
> :O)

While writing/creating javascript from php can be done, that's not the problem. The problem is that the data provided from a javascript program cannot be trusted. All data taken from javascript routines must be sanitized.

So if you want to talk about complicating things, start accepting data from javascript routines without sanitizing and see how that works out for you.

Cheers,

tedd
Re: [PHP] Another date exercise
2009/8/17 tedd <tedd.sperl...@gmail.com>
> At 4:10 PM +0100 8/17/09, Luke wrote:
>> What would be really cool is if someone wrote a PHP script that generates some Javascript code that could do this.
>>
>> I mean, while we're on the subject of complicating things ;)
>>
>> --
>> Luke Slater
>> :O)
>
> While writing/creating javascript from php can be done, that's not the problem. The problem is that the data provided from a javascript program cannot be trusted. All data taken from javascript routines must be sanitized.
>
> So if you want to talk about complicating things, start accepting data from javascript routines without sanitizing and see how that works out for you.
>
> Cheers,
>
> tedd

I didn't say anything about accepting unsanitized data now, did I?

--
Luke Slater
:O)
Re: [PHP] Sanitizing mysql inserts of user data
>> Note: If this function is not used to escape data, the query is vulnerable to SQL Injection Attacks.
>
> Does that necessarily imply this: "If this function is used to escape data, the query is not vulnerable to SQL Injection Attacks."? Logically, it does _not_ mean the same thing.

Definitely not -- it would be a bit presumptuous to claim "If you do X, the query is not vulnerable to SQL injection attacks" for just about any value of X.

That said, I would recommend binding parameters if you can. It's a cleaner way of separating the logic of a query from its data, and theoretically more reliable than mysql_real_escape_string():

http://en.wikipedia.org/wiki/SQL_injection#Parameterized_statements

Ben
Re: [PHP] is there a better way to know from which php file the request comes from ??
> This is a newbie question...
>
> Let's say there are 3 php files, page1.php, page2.php and page3.php. Form submission from page1.php or page2.php will take the user to page3.php. I know that we can use a parameter that is appended in the action attribute of the form (e.g. <FORM METHOD="POST" ACTION="tes.php?var1=val1">). But I think appending this parameter is transparent to the user, since it's visible in the url.

Why does it matter? I don't mean to suggest that it doesn't, but I'm just wondering if you could explain the design of your app a bit.

You've sketched out an attack scenario in which a user maliciously alters a variable in the request so that page3.php thinks the request is coming from page2.php, when in fact it's coming from page1.php -- or vice versa. But suppose an attacker does trick page3.php into mistaking the origin of the POST. Does it make a difference?

Presumably page3.php will be filtering all of its input, and will discard the request if, for example, it claims to be from page2.php but doesn't contain the sort of data that a request from page2 would contain. But if it does contain the right data, and the data is valid, then does it matter if the data was not actually collected on page2.php?

The statelessness of HTTP can be one of its beauties -- and I would be inclined against introducing statefulness unless the app really needs it.

At any rate your problem is reminiscent of CSRF:

http://en.wikipedia.org/wiki/Cross-site_request_forgery

And I'm wondering if you could borrow from anti-CSRF techniques to solve it (assuming, again, that it really needs to be solved).

Ben
Re: [PHP] Sanitizing mysql inserts of user data
On Mon, Aug 17, 2009 at 10:10:47PM +0300, Dotan Cohen wrote:
>>> Logically, it does _not_ mean the same thing.
>>
>> Definitely not -- it would be a bit presumptuous to claim "If you do X, the query is not vulnerable to SQL injection attacks" for just about any value of X.
>
> That is what I thought: no magic bullet.
>
>> That said, I would recommend binding parameters if you can. It's a cleaner way of separating the logic of a query from its data, and theoretically more reliable than mysql_real_escape_string():
>>
>> http://en.wikipedia.org/wiki/SQL_injection#Parameterized_statements
>
> I fail to understand what is happening here. For the sake of context, here is the PHP code in TFA:
>
>     $db = new PDO('pgsql:dbname=database');
>     $stmt = $db->prepare("SELECT priv FROM testUsers WHERE username=:username AND password=:password");
>     $stmt->bindParam(':username', $user);
>     $stmt->bindParam(':password', $pass);
>     $stmt->execute();
>
> What exactly does bindParam do? I read these pages in TFM but I still do not understand what exactly is being sent to the database:
>
> http://il2.php.net/manual/en/function.db2-bind-param.php
> http://il2.php.net/manual/en/function.maxdb-stmt-bind-param.php
> http://il2.php.net/manual/en/mysqli-stmt.bind-param.php
>
> I do not see how there could possibly be a prepared statement for a user comment. I am not a programmer by trade, so I may be missing something obvious. If so, a link and a friendly RTFM would be great.

Typically, prepared statements do a couple of things. First, they ensure that values sent to the DBMS are properly quoted. You'd be surprised how difficult a problem that is. Date and string values must be surrounded by quotes, but numerics shouldn't be. And how they're quoted depends on the DBMS you're using. So prepared statements take care of this for you.

The second thing they do is examine the values you're attempting to pass into the database, and ensure they don't contain SQL injection type code. This is hard to explain, but it's relatively simple to insert code in place of an actual value, and do malicious things to your database, or obtain information you don't want users to see (like credit card numbers). If you're curious, search for "SQL injection" to get more information and see examples.

When you put something like "username = :username" in the arguments for the prepare() function, the second parameter (:username) is really just a placeholder for a value. It tells MySQL that this is where you want a username to go in the final statement. The bindParam() function tells MySQL the actual value you want to substitute for that placeholder. In your case, it's a PHP variable named $user. When you call the execute() function, it puts the values together with their placeholders, forms a complete statement, and sends that off to the MySQL database engine.

I haven't followed this thread, so I don't know what you mean by, "I do not see how there could possibly be a prepared statement for a user comment." Maybe someone else can answer that part of your query.

Paul

--
Paul M. Foster
Re: [PHP] Sanitizing mysql inserts of user data
>     $stmt = $db->prepare("SELECT priv FROM testUsers WHERE username=:username AND password=:password");
>     $stmt->bindParam(':username', $user);
>     $stmt->bindParam(':password', $pass);
>     $stmt->execute();

[8]

> I haven't followed this thread, so I don't know what you mean by, "I do not see how there could possibly be a prepared statement for a user comment." Maybe someone else can answer that part of your query.

Thanks Paul, that was a much better explanation than the one I was attempting.

I'm guessing the OP was being thrown off by the colons in the SELECT statement above. I can see how those could look like comments to someone not familiar with PDO and named parameters.

Ben
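The "prepared statement for a user comment" case that Dotan asks about, as an added example (my code, not the TFA snippet or anyone's in the thread). It uses PDO with an in-memory SQLite database so it runs stand-alone; the comments table and its columns are constructed for the demo. The mechanism is worth stating precisely, since Paul's description is loose on this point: the driver does not scan bound values for "injection code". prepare() fixes the statement's structure before any user data is seen, and execute() delivers the bound values as data, so the comment can contain quotes, semicolons or SQL keywords and is still stored as a plain string. The string-built "before" version is included only to show why the apostrophe breaks it. bindValue() is used here; bindParam(), which the TFA code uses, binds the variable by reference and reads it at execute() time, and is otherwise the same.

```php
<?php
// Added example: storing a user comment safely with PDO prepared statements.
declare(strict_types=1);

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');                      // self-contained demo database
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)');
    return $db;
}

/**
 * The unsafe shape (the "before"): the comment is pasted into the SQL text,
 * so any quote in it changes the statement instead of being stored.
 * Kept only to show the failure; never use this.
 */
function insert_comment_unsafe(PDO $db, string $author, string $body): void
{
    $db->exec("INSERT INTO comments (author, body) VALUES ('$author', '$body')");
}

/**
 * The safe shape: placeholders in the SQL, values bound separately.
 * The statement's structure is fixed at prepare() time; the bound values
 * are handed over as data and can never become part of the SQL.
 */
function insert_comment(PDO $db, string $author, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->bindValue(':author', $author, PDO::PARAM_STR);
    $stmt->bindValue(':body', $body, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

/** Read a comment back, also through a prepared statement. */
function get_comment(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT author, body FROM comments WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Stand-alone demonstration. The comment is constructed to contain an
// apostrophe and a "--" sequence, the kind of ordinary text that breaks
// string-built SQL.
$db   = open_db();
$body = "It's a 'quoted' comment; -- and that is not a SQL comment marker";

try {
    insert_comment_unsafe($db, 'alice', $body);
    echo "unsafe insert unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "unsafe insert failed: the apostrophe in the data changed the SQL\n";
}

$id  = insert_comment($db, 'alice', $body);
$row = get_comment($db, $id);
echo "prepared insert stored the body verbatim: ", var_export($row['body'] === $body, true), "\n";
```

Swapping the DSN for the pgsql: or mysql: one in the TFA snippet changes nothing else; that portability is part of why Ben calls binding "more reliable than mysql_real_escape_string()", which is tied to one driver and one connection's character set.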
Re: [PHP] is there a better way to know from which php file the request comes from ??
On 8/17/09 5:24 AM, Ashley Sheridan <a...@ashleysheridan.co.uk> wrote:
> On Mon, 2009-08-17 at 02:17 -0700, nashrul wrote:
>> This is a newbie question...
>>
>> Let's say there are 3 php files, page1.php, page2.php and page3.php. Form submission from page1.php or page2.php will take the user to page3.php. I know that we can use a parameter that is appended in the action attribute of the form (e.g. <FORM METHOD="POST" ACTION="tes.php?var1=val1">). But I think appending this parameter is transparent to the user, since it's visible in the url. And I think we can also use the hidden field or (form name ??). So which one is most secure and better ??
>>
>> Thanks..
>
> Neither GET nor POST is more secure; it's just that POST requires a tiny bit more work to see what's being sent.
>
> You can use the $_SERVER['HTTP_REFERER'] variable to detect where a request has come from. The documentation for this particular variable mentions that it can't be trusted, as it can be changed by the client browser, but then, so can hidden form fields, etc.
>
> Personally, I'd go with the HTTP_REFERER route, because it is completely transparent, and the majority of users aren't going to bother changing it.

You're probably right. Though I remember when I considered using HTTP_REFERER, I looked up the http rfc and it said that use of the header was optional. That made sense, so I decided not to make any of my app functionality depend on it.
Re: [PHP] is there a better way to know from which php file the request comes from ??
On 8/17/09 5:17 AM, nashrul <anas_a...@yahoo.com> wrote:
> This is a newbie question...
>
> Let's say there are 3 php files, page1.php, page2.php and page3.php. Form submission from page1.php or page2.php will take the user to page3.php. I know that we can use a parameter that is appended in the action attribute of the form (e.g. <FORM METHOD="POST" ACTION="tes.php?var1=val1">). But I think appending this parameter is transparent to the user, since it's visible in the url. And I think we can also use the hidden field or (form name ??). So which one is most secure and better ??

I'm not in love with using the form POST method combined with an action url that includes pseudo-GET parameters.

For POST forms, I use a convention of always having a hidden input in the form to indicate which form sent the query, e.g.

    <input type="hidden" name="whichform" value="foobarform">

This also comes in handy if one server script processes more than one form.

As for security, there's little difference between this method, using GET values, using HTTP_REFERER, or what have you. Protection against spoofing lies not in these choices.
Re: [PHP] is there a better way to know from which php file the request comes from ??
nashrul wrote:

This is a newbie question... Let's say there are 3 php files, page1.php, page2.php and page3.php. Form submission from page1.php or page2.php will take the user to page3.php. I know that we can use a parameter that is appended in the action attribute of the form (e.g. <FORM METHOD=POST ACTION=tes.php?var1=val1>). But I think appending this parameter is transparent to the user, since it's visible in the URL. And I think we can also use the hidden field or (form name ??.). So which one is most secure and better ?? Thanks..

I personally don't see a problem with using GET or POST vars, but to keep the user from being able to manipulate it, do this. This could also be in a header file included at the top of all pages:

    // page1.php and page2.php
    session_start();
    $_SESSION['page'] = $_SERVER['PHP_SELF'];

    // page3.php
    session_start();
    $page = $_SESSION['page'];
    // use $page somehow . . .

-- Thanks! -Shawn http://www.spidean.com
[PHP] SMDR/CDR daemon/processor
I was asked the other day to build a Station Message Detail Recording (SMDR) or Call Detail Record (CDR) processor for a client. I started searching for examples of such a thing. I mostly found commercial apps to handle the job. I could not find anything on Hotscripts, phpGround.com, and a few others. I did find a few Open Source things on SourceForge.

http://sourceforge.net/projects/simplesmdr/
It is active, but has missing files... References /home/administrator/* Those were not included though...

http://sourceforge.net/projects/opensmdr/
Written in PHP, but it hasn't been touched since 2004.

http://sourceforge.net/projects/astbilling/
Haven't had a chance to look at it yet.

My question: has anybody worked with any type of project that involved capturing/parsing/storing/regurgitating such information? Also, have you ever worked with this or similar devices? http://www.precidia.com/products/ipocket_232.html

TIA! Jim Lucas
Re: [PHP] is there a better way to know from which php file the request comes from ??
On Mon, Aug 17, 2009 at 5:31 PM, Shawn McKenzie nos...@mckenzies.net wrote:

nashrul wrote:

This is a newbie question... Let's say there are 3 php files, page1.php, page2.php and page3.php. Form submission from page1.php or page2.php will take the user to page3.php. I know that we can use a parameter that is appended in the action attribute of the form (e.g. <FORM METHOD=POST ACTION=tes.php?var1=val1>). But I think appending this parameter is transparent to the user, since it's visible in the URL. And I think we can also use the hidden field or (form name ??.). So which one is most secure and better ?? Thanks..

I personally don't see a problem with using GET or POST vars, but to keep the user from being able to manipulate it, do this. This could also be in a header file included at the top of all pages:

    // page1.php and page2.php
    session_start();
    $_SESSION['page'] = $_SERVER['PHP_SELF'];

    // page3.php
    session_start();
    $page = $_SESSION['page'];
    // use $page somehow . . .

-- Thanks! -Shawn http://www.spidean.com

This approach degrades very simply:

1) Say you have four pages, a.php, b.php, c.php and d.php.
2) b expects the user to come from a, d from c.
3) I open two tabs, a.php and c.php.
4) $_SESSION['from'] is now c.php
5) I post to b from a, get an error. $_SESSION['from'] is now b.php.
6) I post to d from c and get an error.

Obviously this example is a tad bit contrived, but as long as your user is browsing your site in more than one tab/window, using that approach will break often and result in a user experience, so I'd stick away from it.

As far as relying on cookies, HTTP headers, hidden form fields, etc., they are all user input, and Lesson 1 in Security 101 is that you don't trust user input. Ever. I always assume that the best HTTP blackhats are after my sites when I write them and make them unnecessarily overthought, but they're secure. I even let a few (black|white|grey)hat friends of mine take a peek at the code, when I can, to get their input. If you can think of a way to exploit your code, so can someone else. And so will someone else.

Generally speaking, I'm not entirely sure that this is a question that even needs an answer. I'm going to have to echo a sentiment from earlier in the thread that you need to be validating all of your data anyway, so it shouldn't matter if I POST to page3 from page2 or from page1 or from a CLI app written with curl/wget. What should matter is whether or not the data I'm POSTing meets the security criteria that you've dictated (whatever that may be) and gets properly escaped/filtered before being entered into the database or otherwise used. I'd venture so far as to say that if you need to care about where a form is POSTed from for security, you have a flawed security model and in all likelihood a very insecure application and some serious refactoring to do. I can't imagine a situation where dictating page2 comes from page1 and page3 comes from page2 is necessary for security at all. Perhaps I'm being shortsighted and you can provide some examples?
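An added example, not code from any message in this thread, that ties together two points made above: the "whichform" hidden input suggested earlier, and the observation that hidden fields, GET values and HTTP_REFERER are all user input and cannot prove anything by themselves. The server can still learn which of its own forms a request came from if, when it renders the form, it commits to the form name with an HMAC under a per-session secret and checks that HMAC on submission. The field names (whichform, form_token), function names and the page names page1/page2 are illustrative; random_bytes() and the ?string return type assume PHP 7.1 or later.

```php
<?php
// Added example, not from the thread. A hidden "whichform" field alone is a
// claim the client can change at will; binding it to a per-session secret with
// an HMAC turns it into a claim the server can verify. Names are illustrative.

session_start();

// One secret per session, created on first use (random_bytes needs PHP 7+).
function form_secret(): string
{
    if (empty($_SESSION['form_secret'])) {
        $_SESSION['form_secret'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_secret'];
}

// Render time: the token commits to the form name, so the server later knows
// that it, and not the client, chose the value of "whichform".
function form_token(string $whichform): string
{
    return hash_hmac('sha256', $whichform, form_secret());
}

function render_hidden_fields(string $whichform): string
{
    return sprintf(
        '<input type="hidden" name="whichform" value="%s">' . "\n" .
        '<input type="hidden" name="form_token" value="%s">',
        htmlspecialchars($whichform, ENT_QUOTES, 'UTF-8'),
        form_token($whichform)
    );
}

// Submit time: accept the claimed origin only if the token matches. Both
// values arrive as user input; the HMAC is what makes the claim checkable.
// Returns the verified form name, or null if it cannot be verified.
function verified_form_origin(array $post, array $allowed): ?string
{
    $whichform = (string)($post['whichform'] ?? '');
    $token     = (string)($post['form_token'] ?? '');
    if (!in_array($whichform, $allowed, true)) {
        return null;                               // unknown form name
    }
    // hash_equals() compares in constant time; never use == on tokens.
    if (!hash_equals(form_token($whichform), $token)) {
        return null;
    }
    return $whichform;
}

// page1.php / page2.php would emit, inside their <form method="post">:
//   echo render_hidden_fields('page1');   // or 'page2'
//
// page3.php would then do the following before touching any other field:
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $origin = verified_form_origin($_POST, ['page1', 'page2']);
    if ($origin === null) {
        http_response_code(400);
        exit('Form origin could not be verified.');
    }
    // $origin is now 'page1' or 'page2' and could not have been forged without
    // the session secret. Every other value in $_POST is still untrusted and
    // must be validated on its own.
}
```

Because the token is derived from the form name plus a session secret, rather than stored in a single "last page" slot in the session, two tabs holding two different forms both verify, which avoids the multi-tab breakage described above. The same token is also unguessable to any other origin, so this check doubles as a CSRF check for those forms. It still says nothing about whether the submitted data is valid; that validation is separate and still required.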
Re: [PHP] is there a better way to know from which php file the request comes from ??
Eddie Drapkin wrote:

On Mon, Aug 17, 2009 at 5:31 PM, Shawn McKenzie nos...@mckenzies.net wrote:

nashrul wrote:

This is a newbie question... Let's say there are 3 php files, page1.php, page2.php and page3.php. Form submission from page1.php or page2.php will take the user to page3.php. I know that we can use a parameter that is appended in the action attribute of the form (e.g. <FORM METHOD=POST ACTION=tes.php?var1=val1>). But I think appending this parameter is transparent to the user, since it's visible in the URL. And I think we can also use the hidden field or (form name ??.). So which one is most secure and better ?? Thanks..

I personally don't see a problem with using GET or POST vars, but to keep the user from being able to manipulate it, do this. This could also be in a header file included at the top of all pages:

    // page1.php and page2.php
    session_start();
    $_SESSION['page'] = $_SERVER['PHP_SELF'];

    // page3.php
    session_start();
    $page = $_SESSION['page'];
    // use $page somehow . . .

-- Thanks! -Shawn http://www.spidean.com

This approach degrades very simply:

1) Say you have four pages, a.php, b.php, c.php and d.php.
2) b expects the user to come from a, d from c.
3) I open two tabs, a.php and c.php.
4) $_SESSION['from'] is now c.php
5) I post to b from a, get an error. $_SESSION['from'] is now b.php.
6) I post to d from c and get an error.

Yep, I didn't really think it through :-(

-- Thanks! -Shawn http://www.spidean.com
[PHP] daemon without pcntl_fork
Does anybody know how to use PHP as a daemon without the use of pcntl_fork? http://php.net/pcntl_fork

I don't want to have to have a person have a special/custom compilation of PHP just to run a simple daemon.

My system: OpenBSD 4.5 w/PHP v5.2.8

I want to launch a daemon out of the /etc/rc.local when the system starts. My goal is to write a script that will be launched from /etc/rc.local when a system boots. I want it to be detached from any shell or ssh login that I launch it from also. Anybody have any idea on how to do this?

I have played with system() and it does work.

test.php:

    <?php
    echo 'Starting';
    // launch the worker in the background with its output discarded
    system('/usr/local/bin/php test_cli.php > /dev/null &');
    echo 'Done';
    ?>

test_cli.php:

    <?php
    for ($i = 1; $i <= 10; $i++) {
        echo "Echo {$i}\n";
        sleep(1);
    }
    echo 'Done';
    ?>

The above, when called, launches test_cli.php and detaches it from the CLI and returns to the system prompt.

Well, after writing all this out, I think I have answered my own question. If anybody else has a better suggestion, I am all ears. If you have a better way of doing it, please share.

Also, a second piece to this would be a script to manage (start/stop/restart/etc...) the parent daemon. Something along the line of apachectl or similar.

TIA!

Update to the last email also. I found another device that does RS232 to ethernet: http://www.hw-group.com/products/portstore2/index_en.html Anybody work with one of these?

Again, thanks! Jim Lucas
Re: [PHP] SMDR/CDR daemon/processor
Jim Lucas wrote:

I was asked the other day to build a Station Message Detail Recording (SMDR) or Call Detail Record (CDR) processor for a client. I started searching for examples of such a thing. I mostly found commercial apps to handle the job.

What sort of processing do you need? I just record all CDRs in a database, mostly as an easily accessible audit trail.

My question: has anybody worked with any type of project that involved capturing/parsing/storing/regurgitating such information?

Asterisk does the capturing/parsing/storing bit for you, but you didn't mention Asterisk, so that may not be of much use.

/Per

-- Per Jessen, Zürich (19.3°C)
Re: [PHP] daemon without pcntl_fork
2009/8/17 Jim Lucas li...@cmsws.com:

Does anybody know how to use PHP as a daemon without the use of pcntl_fork? http://php.net/pcntl_fork

Hi Jim,

AFAIK you can't. Read on. . .

I don't want to have to have a person have a special/custom compilation of PHP just to run a simple daemon.

My system: OpenBSD 4.5 w/PHP v5.2.8

I want to launch a daemon out of the /etc/rc.local when the system starts. My goal is to write a script that will be launched from /etc/rc.local when a system boots. I want it to be detached from any shell or ssh login that I launch it from also. Anybody have any idea on how to do this?

I have played with system() and it does work.

What you've done below is not create a daemon, but a background process. It's still attached to the shell you started it in (try killing the shell you started it from and see what happens). There are other differences too. IMHO the approach you've used here does have its uses, and I've used it (and still do) when it's appropriate, but when what you need is a daemon, then faking it with a background process just isn't enough.

Compiling in pcntl isn't really that big of a deal, depending on exactly what you're trying to accomplish. Why is it a problem in your case? Perhaps there is another way around the issue which has a cleaner solution. For the cases I've run into, pcntl has worked admirably.

test.php:

    <?php
    echo 'Starting';
    system('/usr/local/bin/php test_cli.php > /dev/null &');
    echo 'Done';
    ?>

test_cli.php:

    <?php
    for ($i = 1; $i <= 10; $i++) {
        echo "Echo {$i}\n";
        sleep(1);
    }
    echo 'Done';
    ?>

The above, when called, launches test_cli.php and detaches it from the CLI and returns to the system prompt.

Well, after writing all this out, I think I have answered my own question. If anybody else has a better suggestion, I am all ears. If you have a better way of doing it, please share.

Also, a second piece to this would be a script to manage (start/stop/restart/etc...) the parent daemon. Something along the line of apachectl or similar.

TIA!

Update to the last email also. I found another device that does RS232 to ethernet: http://www.hw-group.com/products/portstore2/index_en.html Anybody work with one of these?

Not me. But I've solved similar problems using ser2net (see http://sourceforge.net/projects/ser2net/ ), sometimes running it on a small embedded Linux device. Works great and I don't have to pay someone else to sell me a free solution. :) But again, it depends on your actual situation and what problem you're trying to solve. On the face of it the device you linked looks OK. (I'm afraid I missed your earlier post on the topic.)

Again, thanks! Jim Lucas

I'm not trying to shoot down any ideas you've had or anything, just wondering what's so bad about compiling pcntl in and hoping that maybe you can save a few bucks on the serial-to-network problem by making use of existing free software. Post more about what your situation is and who knows? Maybe a fakey daemon using background processes and a proprietary serial-to-network device really is the best answer for you.

Either way, good luck!

Regards, Torben
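An added example, not code from any message in this thread. It addresses the two gaps discussed above without pcntl: Jim's system() launcher leaves the worker in the login shell's session with its standard streams still attached, and Jim also asked for an apachectl-style start/stop script. The controller below launches the worker under nohup with stdin, stdout and stderr all redirected, records the pid in a pidfile, and uses that pidfile for stop/status. The paths (PHP_BIN, WORKER, PIDFILE, LOGFILE) and the script name daemonctl.php are assumptions for the example; it uses only exec() and standard POSIX tools (nohup, kill, the shell's $!), which exist on OpenBSD.

```php
<?php
// Added example, not from the thread. A start/stop/restart/status controller
// for a long-running PHP worker that does not need pcntl. Paths are assumed;
// adjust for the real system. Usage: php daemonctl.php start|stop|restart|status

const PHP_BIN = '/usr/local/bin/php';
const WORKER  = '/usr/local/libexec/worker.php'; // assumed worker script
const PIDFILE = '/var/run/worker.pid';           // writable by the service user only
const LOGFILE = '/var/log/worker.log';

function read_pid(): int
{
    if (!is_file(PIDFILE)) {
        return 0;
    }
    // Cast to int so a tampered pidfile cannot smuggle shell text into kill.
    return (int)trim((string)file_get_contents(PIDFILE));
}

function pid_alive(int $pid): bool
{
    if ($pid <= 0) {
        return false;
    }
    // kill -0 sends no signal; it only checks that the pid exists and that
    // we are allowed to signal it.
    exec('kill -0 ' . $pid . ' 2>/dev/null', $out, $rc);
    return $rc === 0;
}

function start(): string
{
    $pid = read_pid();
    if (pid_alive($pid)) {
        return "already running (pid $pid)";
    }
    // nohup makes the worker ignore SIGHUP when the login shell goes away;
    // redirecting all three standard descriptors is what actually severs it
    // from the terminal. "& echo $!" makes /bin/sh print the background pid.
    $cmd = sprintf(
        'nohup %s %s </dev/null >>%s 2>&1 & echo $!',
        escapeshellarg(PHP_BIN),
        escapeshellarg(WORKER),
        escapeshellarg(LOGFILE)
    );
    $out = [];
    exec($cmd, $out);
    $pid = (int)($out[0] ?? 0);
    if ($pid <= 0) {
        return 'failed to start';
    }
    file_put_contents(PIDFILE, $pid . "\n", LOCK_EX);
    return "started (pid $pid)";
}

function stop(): string
{
    $pid = read_pid();
    if (!pid_alive($pid)) {
        @unlink(PIDFILE);                 // stale pidfile
        return 'not running';
    }
    exec('kill ' . $pid);                 // SIGTERM, let the worker clean up
    for ($i = 0; $i < 50 && pid_alive($pid); $i++) {
        usleep(100000);                   // wait up to 5 seconds
    }
    if (pid_alive($pid)) {
        exec('kill -9 ' . $pid);          // last resort
    }
    @unlink(PIDFILE);
    return "stopped (pid $pid)";
}

function status(): string
{
    $pid = read_pid();
    return pid_alive($pid) ? "running (pid $pid)" : 'not running';
}

switch ($argv[1] ?? '') {
    case 'start':   echo start(), "\n"; break;
    case 'stop':    echo stop(), "\n"; break;
    case 'restart': echo stop(), "\n", start(), "\n"; break;
    case 'status':  echo status(), "\n"; break;
    default:
        fwrite(STDERR, "usage: php daemonctl.php start|stop|restart|status\n");
        exit(2);
}
```

Two caveats a practitioner should keep in mind. First, run the controller and the worker as an unprivileged service user, and keep the pidfile in a directory only that user can write to: whoever can write the pidfile decides which pid "stop" sends SIGTERM to, which is why the example casts the file's contents to int rather than passing them to the shell. Second, a pid can be reused after the worker dies, so kill -0 alone can report a stale pid as "running"; a real init script would also confirm the process name or use a lock held by the worker itself. This is still a detached background process rather than a fully daemonized one (no setsid, no chdir to /, no umask reset), which is the distinction Torben draws above; it is enough to survive the login shell going away and to be driven from /etc/rc.local.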