Re: [PHP] Recent Influx of Unrelated Discussions

2010-07-16 Thread Jason Pruim


On Jul 16, 2010, at 10:47 AM, Paul M Foster wrote:


> On Fri, Jul 16, 2010 at 11:59:49AM +0200, Arno Kuhl wrote:
>
>> And Daniel, your own
>> gentle prods to keep things on track I think sets some of the professional
>> tone of the list.
>
> This is very true. I've administered various lists for almost ten years,
> and I know for a fact that the list administrator plays a tremendous
> role in the tone of a list.



So... By replying to this thread... Are we helping the problem or  
making it worse by adding to the off topic posts? :P


Happy Friday yall! :)

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] user login and access + headers already sent

2010-07-16 Thread tedd

At 4:56 PM +0100 7/15/10, Ashley Sheridan wrote:

> On Thu, 2010-07-15 at 15:38 +, Carlos Sura wrote:
>
>> So, I'm wondering, is there any other way to avoid putting code in
>> every page? or... another way to avoid that kind of error.
>
> Common logic for a login is to use an include file that does this:
>
>  1. Is user logged in? Yes: goto 5. No: goto 2
>  2. Have login details been submitted through form or other? Yes:
>     goto 3. No: goto 4
>  3. Are login details correct? Yes: goto 5, No: goto 4
>  4. Show login form & stop
>  5. Show/redirect to app page
>
> (apologies for the hard to follow list, but I just realised I don't know
> a good way to show a flowchart in plain text!)


Flowchart? How about:

  1. Is user logged-in?
     No, go to logon.php

Nothing else needs to be done to protect any page.

This is accomplished by simply placing at the top of each protected page:

Of course this requires the OP to place this code on each page he 
wants to protect, but that's a small price to pay for security and 
ease of implementation.


The auth.php script only checks IF the user logged-in via a security 
variable. For example:


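<?php
// auth.php: required at the top of each protected page, before any output.
session_start();   // $_SESSION is only populated after this call

// Treat a missing variable, or anything other than boolean TRUE, as not logged in.
if (!isset($_SESSION['security']) || $_SESSION['security'] !== TRUE)
  {
  header('Location: logon.php');   // redirect to login script.
  exit();                          // stop here so the protected page never runs
  }

// else user is permitted to pass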

If the user is logged in, then the user is permitted to travel to 
whatever scripts that contain the require(auth.php); statement.


The login script in turn simply asks for the user ID and PASSWORD. If 
these are correct (via a db or file lookup), then the login script 
sets the security session variable to TRUE else it defaults to FALSE.


Keep in mind that the only job of the login script is to set the 
security session variable to TRUE -- it is loosely coupled. Likewise, 
the authorization script is only concerned with the setting of the 
security session variable -- it is also loosely coupled. Both of 
these provide a good security solution.


EOP (End of Problem).

Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com
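
The login script and the auth.php check described in the message above, as an added example that is not part of the original post. The function names, the `$users` array standing in for the db or file lookup, and the sample account are assumptions made for illustration.

```php
<?php
// Added example: the two loosely coupled pieces from the message above,
// kept in one file so it runs from the command line.

// Constructed sample account. In a real application the stored hash comes
// from the database or file lookup, never from source code.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

/** The login script's only job: set the security session variable. */
function attempt_login(array $users, string $id, string $password): bool
{
    // Compare against a stored hash, never a plain-text password.
    $ok = isset($users[$id]) && password_verify($password, $users[$id]);

    if ($ok) {
        // Issue a fresh session ID when the privilege level changes, so an
        // ID planted before login (session fixation) stops being valid.
        session_regenerate_id(true);
    }
    $_SESSION['security'] = $ok;   // TRUE on success, FALSE otherwise
    return $ok;
}

/** The authorization check's only job: is the variable exactly TRUE? */
function is_authorised(): bool
{
    return isset($_SESSION['security']) && $_SESSION['security'] === true;
}

/** What auth.php does when required at the top of a protected page. */
function require_login(): void
{
    if (!is_authorised()) {
        header('Location: logon.php');
        exit();   // without exit() the rest of the protected page still runs
    }
}

// session_start() and header() both need to run before any output is sent,
// which is where "headers already sent" errors come from.
session_start();

$before = is_authorised();                                   // no login yet
$bad    = attempt_login($users, 'alice', 'wrong password');  // rejected
$good   = attempt_login($users, 'alice', 'correct horse');   // accepted

var_dump($before, $bad, $good, is_authorised());
```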




Re: [PHP] ldap_search filter filter?

2010-07-16 Thread Andrew Ballard
On Fri, Jul 16, 2010 at 11:42 AM, Richard Lynch  wrote:
> Any Best Practice suggestions for potentially hostile user input being
> sent to ldap_search($ldap, "(username=$_POST[username])");
>
> Something like an ldap_escape?
>
> Please cc me on replies. Thanks.
>

Long time no see, Richard. There are a couple ldap_escape() functions
in the comments here. I don't know enough about ldap to know how
robust they are. I have used one of them, but only on a few intranet
sites where the probability of malicious activity is fairly low.

http://www.php.net/manual/en/function.ldap-search.php


Andrew




Re: [PHP] Re: Weird behavior of exec()

2010-07-16 Thread Leonardo

On 16/07/2010 09:23, Bob McConnell wrote:

> You are running b.php as an external command, so it is running as a CLI,
> not in the httpd server. You need to check to see how your PHP command
> line is configured, it may need the full tag no matter how the server is
> set up.
>
> Bob McConnell


While reading your post, I thought about using the script and binary 
full paths. Now it works.


exec('/usr/local/bin/php /full_path_here/a.php > output.txt &');

The weirdest thing to me is this:

passthru('pwd'); // shows the current directory correctly
passthru('php -h'); // shows php help output correctly

So, if my current working directory is correct, and if "php -h" is 
enough for help message, why should I use full path in my sample?


Anyway, it's working and my application is back on-line.

Thank you.




Re: [PHP] Weird behavior of exec()

2010-07-16 Thread Leonardo

On 16/07/2010 12:18, Jim Lucas wrote:

> I tried running the same script, and found that the php binary is not in my
> path.
>
> run this
>
> echo passthru('which php');
>
> Also, modify your existing exec() command to the following and it will capture
> errors too.
>
> exec('php b.php > output.txt 2>&1 &');
>
> After running this is when I noticed it say "sh: php: not found"





You're right about the path role in the issue. My code is working now, 
and the solution is described in my reply to Bob's post.


Thank you.




[PHP] ldap_search filter filter?

2010-07-16 Thread Richard Lynch
Any Best Practice suggestions for potentially hostile user input being
sent to ldap_search($ldap, "(username=$_POST[username])");

Something like an ldap_escape?

Please cc me on replies. Thanks.

-- 
Some people ask for gifts here.
I just want you to buy an Indie CD for yourself:
http://cdbaby.com/search/from/lynch
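
One way to do the escaping asked about in this message and in Andrew Ballard's reply further up the page, as an added example that is not code from either post. The helper names and the 64-character length limit are assumptions; `ldap_escape()` with `LDAP_ESCAPE_FILTER` is the built-in available in PHP 5.6 and later, and the fallback applies the RFC 4515 rules by hand.

```php
<?php
// Added example: escape a value before it is placed in an LDAP search filter.

/**
 * RFC 4515 filter escaping: backslash, asterisk, both parentheses and NUL
 * are replaced by a backslash followed by the byte's two hex digits.
 */
function ldap_filter_escape(string $value): string
{
    if (function_exists('ldap_escape')) {   // PHP >= 5.6 with the ldap extension
        return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
    }
    // Fallback for installations without ldap_escape(). str_replace() works
    // through the arrays in order, so the backslash is handled first and the
    // backslashes added by the later replacements are not escaped again.
    return str_replace(
        ['\\',   '*',    '(',    ')',    "\0"],
        ['\\5c', '\\2a', '\\28', '\\29', '\\00'],
        $value
    );
}

/** Build the (username=...) filter from the post for one untrusted value. */
function username_filter(string $username): string
{
    // Hypothetical sanity limit; adjust to the directory's own naming rules.
    if ($username === '' || strlen($username) > 64) {
        throw new InvalidArgumentException('username length out of range');
    }
    return '(username=' . ldap_filter_escape($username) . ')';
}

// Constructed inputs: an ordinary name, and one carrying filter
// metacharacters that would otherwise add a wildcard and a second clause.
foreach (['rlynch', 'a*)(username=*'] as $input) {
    echo username_filter($input), "\n";
}

// The escaped string is what goes to the call from the post:
//   ldap_search($ldap, username_filter($_POST['username']));
```

Escaping for a filter is different from escaping for a distinguished name; a value placed in a DN needs `LDAP_ESCAPE_DN` instead.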






Re: [PHP] Weird behavior of exec()

2010-07-16 Thread Leonardo

On 16/07/2010 09:09, Richard Quadling wrote:

> I'm on Windows XP SP3 and using
>
> PHP 5.3.3RC3 (cli) (built: Jul 15 2010 02:00:11)
> Copyright (c) 1997-2010 The PHP Group
>
> All seems to work as expected.
>
>   Z:\\output.txt');
> echo ' File A (2) ';
> ?>
>
> And because of my setup matching the docs at [1], I can actually use ...
>
>   output.txt');
> echo ' File A (2) ';
> ?>
>
> as long as TestA.php and TestB.php are in the same directory.
>
> So, initially, this looks like a non win32 issue (windows works - see !!!)
>
> Regards,
>
> Richard Quadling.
>
> [1] http://docs.php.net/manual/en/install.windows.commandline.php


Thanks for testing the code. I got it working now, as explained in my 
reply to Bob's post.





Re: [PHP] Weird behavior of exec()

2010-07-16 Thread Jim Lucas
Leonardo wrote:
> Hi everybody. I need to use exec() to run a background php script, but
> it's not working properly. Take a look at this sample:
> 
> a.php
> 
>echo ' File A (1) ';
> 
>exec('php b.php > output.txt &');
> 
>echo ' File A (2) ';
> 
>?>
> 
> b.php
> 
>echo 'File B';
> 
>?>
> 
> output.txt (begins with 64 null bytes before the following)
> File A (2)
> 
> I would expect the output's content to be "File B", but it's not
> happening. I came across this problem because I have a mailing
> application which stopped working after being moved to a new host. The
> messages were sent by a background script launched on user's demand.
> Like this:
> 
> SendMessages.php
>   ...
>   exec('php Daemon.php -x ' . $USERID . ' > /dev/null &');
>   ...
>?>
> 
> Now it won't work, and I got no clue about what's going on. What now?
> 
> Thank you.
> 

I tried running the same script, and found that the php binary is not in my 
path.

run this

echo passthru('which php');

Also, modify your existing exec() command to the following and it will capture
errors too.

exec('php b.php > output.txt 2>&1 &');

After running this is when I noticed it say "sh: php: not found"



-- 
Jim Lucas

A: Maybe because some people are too annoyed by top-posting.
Q: Why do I not get an answer to my question(s)?
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?




Re: [PHP] Recent Influx of Unrelated Discussions

2010-07-16 Thread Paul M Foster
On Fri, Jul 16, 2010 at 11:59:49AM +0200, Arno Kuhl wrote:

> And Daniel, your own
> gentle prods to keep things on track I think sets some of the professional
> tone of the list. 

This is very true. I've administered various lists for almost ten years,
and I know for a fact that the list administrator plays a tremendous
role in the tone of a list.

Paul

-- 
Paul M. Foster




Re: [PHP] Determining the similarity between a user supplied short piece of text (between 5 and 15 characters) and a list of similar length text items.

2010-07-16 Thread Richard Quadling
On 16 July 2010 13:47, Daniel P. Brown  wrote:
> On Fri, Jul 16, 2010 at 07:09, Richard Quadling  wrote:
>>
>> Having just found a levenshtein() UDF for MS SQL [1]
>>
>> I'm very impressed.
>>
>> Thank you for the suggestion.
>>
>> Regards,
>>
>> Richard.
>>
>> [1] http://www.sqlteam.com/forums/topic.asp?TOPIC_ID=51540&whichpage=2#425160
>
>    Dear dearest sir;
>
>    Thank you for your formal reply.  Your email is important to me.
> Please contact me at your convenience to discuss this reply to your
> reply.
>
>    Sincerely,
>
>    Bozo.
>
>
>
> --
> 
> UNADVERTISED DEDICATED SERVER SPECIALS
> SAME-DAY SETUP
> Just ask me what we're offering today!
> daniel.br...@parasane.net || danbr...@php.net
> http://www.parasane.net/ || http://www.pilotpig.net/
>

Oh. It must be Friday!




Re: [PHP] Determining the similarity between a user supplied short piece of text (between 5 and 15 characters) and a list of similar length text items.

2010-07-16 Thread Daniel P. Brown
On Fri, Jul 16, 2010 at 07:09, Richard Quadling  wrote:
>
> Having just found a levenshtein() UDF for MS SQL [1]
>
> I'm very impressed.
>
> Thank you for the suggestion.
>
> Regards,
>
> Richard.
>
> [1] http://www.sqlteam.com/forums/topic.asp?TOPIC_ID=51540&whichpage=2#425160

Dear dearest sir;

Thank you for your formal reply.  Your email is important to me.
Please contact me at your convenience to discuss this reply to your
reply.

Sincerely,

Bozo.



-- 

UNADVERTISED DEDICATED SERVER SPECIALS
SAME-DAY SETUP
Just ask me what we're offering today!
daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/




RE: [PHP] Re: Weird behavior of exec()

2010-07-16 Thread Bob McConnell
From: Leonardo

> On 15/07/2010 18:54, Shawn McKenzie wrote:
>> On 07/15/2010 04:40 PM, Leonardo wrote:
>>>
>>> Bad habit. I know.
>>
>> Did it fix it?
>>
> 
> Not really. The server allows short open tags. So, nothing changed.

You are running b.php as an external command, so it is running as a CLI,
not in the httpd server. You need to check to see how your PHP command
line is configured, it may need the full tag no matter how the server is
set up.

Bob McConnell




Re: [PHP] Weird behavior of exec()

2010-07-16 Thread Richard Quadling
On 15 July 2010 16:51, Leonardo  wrote:
> Hi everybody. I need to use exec() to run a background php script, but it's
> not working properly. Take a look at this sample:
>
> a.php
>   
>   echo ' File A (1) ';
>
>   exec('php b.php > output.txt &');
>
>   echo ' File A (2) ';
>
>   ?>
>
> b.php
>   
>   echo 'File B';
>
>   ?>
>
> output.txt (begins with 64 null bytes before the following)
>    File A (2)
>
> I would expect the output's content to be "File B", but it's not happening.
> I came across this problem because I have a mailing application which
> stopped working after being moved to a new host. The messages were sent by a
> background script launched on user's demand. Like this:
>
> SendMessages.php
>         ...
>      exec('php Daemon.php -x ' . $USERID . ' > /dev/null &');
>      ...
>   ?>
>
> Now it won't work, and I got no clue about what's going on. What now?
>
> Thank you.
>

I'm on Windows XP SP3 and using

PHP 5.3.3RC3 (cli) (built: Jul 15 2010 02:00:11)
Copyright (c) 1997-2010 The PHP Group

All seems to work as expected.

 Z:\\output.txt');
echo ' File A (2) ';
?>



And because of my setup matching the docs at [1], I can actually use ...


 output.txt');
echo ' File A (2) ';
?>

as long as TestA.php and TestB.php are in the same directory.

So, initially, this looks like a non win32 issue (windows works - see !!!)

Regards,

Richard Quadling.

[1] http://docs.php.net/manual/en/install.windows.commandline.php




Re: [PHP] Determining the similarity between a user supplied short piece of text (between 5 and 15 characters) and a list of similar length text items.

2010-07-16 Thread Richard Quadling
On 15 July 2010 17:09, Daniel P. Brown  wrote:
>    Look into the following functions and families:
>
>        levenshtein()
>        similar_text()
>

Having just found a levenshtein() UDF for MS SQL [1]

I'm very impressed.

Thank you for the suggestion.

Regards,

Richard.

[1] http://www.sqlteam.com/forums/topic.asp?TOPIC_ID=51540&whichpage=2#425160




RE: [PHP] Recent Influx of Unrelated Discussions

2010-07-16 Thread Arno Kuhl
-----Original Message-----
From: paras...@gmail.com [mailto:paras...@gmail.com] On Behalf Of Daniel
Brown
Sent: 15 July 2010 05:11 PM
To: PHP General
Subject: [PHP] Recent Influx of Unrelated Discussions

Also known as off-topic posts.  We're all guilty of them, but has anyone
recently noticed that there is a significant number (about 35% of all
traffic) that is off-topic?  There have been questions on databases,
JavaScript, WordPress, Apache directives, and more none of which were
even related to PHP.  Unfortunately, this is how dilution occurs, which
often causes communities to dwindle into a defunct or otherwise low-quality
state.  As those of you who have been around for at least a couple of years
know, we have continued to thrive here because we're not strict on the
topics of discussion, and frequently [d]evolve into off-topic banter
(particularly on Fridays, as it used to be).  However, have you noticed the
influx of extremely low-quality and/or low-class posts to the list?  Couple
that with the ominous silence from the formerly-frequent contributors of
high-quality material, code examples, and community assistance.  It is not a
coincidence.

This is an open list, and we don't moderate or censor any of the
discussions, but before it gets out of hand, I'd like to suggest a
moratorium on all off-topic posts through the end of this month --- with the
exception, again, of Fridays.  Which would mean that those in agreement
would participate in the hiatus by not only not posting off-topic threads,
but also not replying to those that are off the general topic.  This isn't
to say that threads can't still eventually decay into a friendly discussion,
as has always been welcome, but that it shouldn't be the intent of a thread
to seek assistance on topics unrelated to PHP and PHP programming in
general.

--

UNADVERTISED DEDICATED SERVER SPECIALS
SAME-DAY SETUP
Just ask me what we're offering today!
daniel.br...@parasane.net || danbr...@php.net http://www.parasane.net/ ||
http://www.pilotpig.net/

--

It's Friday so I suppose I can respond... ;)

I belong to a couple of mailing lists and always found the PHP list
particularly active, focused,  mature, and a tremendously helpful resource,
even just following issues others raise and resolve. And Daniel, your own
gentle prods to keep things on track I think sets some of the professional
tone of the list. However, the subject of the list can be broad and fuzzy
and can lead to some semi off-topic posts like Apache directives that affect
PHP apps, JavaScript/Ajax interaction with PHP code, open-source PHP apps,
etc. And even some non-PHP issues that most PHP developers will deal with at
some time or another. Of course there are degrees of just how far off-topic
one can go, but the fact that you can tap into a huge resource of skills and
experience to find answers that can be difficult to find elsewhere is
obviously very tempting. I'm sure I'm not the only one who finds some of the
responses to these off-topic issues quite edifying, considering they're
almost always within the broad realm of PHP-related web development (though
I agree low-quality posts are useless to everyone whether on-topic or not).
At the same time I can see it's a difficult balancing act to cater for
everyone from total beginners to highly skilled professionals and still keep
everyone on board, especially if some of the more experienced and busy users
feel they're being flooded with hundreds of mostly irrelevant posts (like
this one) every day. But I also think those same users have the skills and
filters to quickly scan and find the posts that are
useful/interesting/relevant. Personally I think this list is great, even
with some of the off-topic discussion. And your own involvement has always
been very professional, and of course very focused, thanks.

Cheers
Arno






Re: [PHP] adduser & php

2010-07-16 Thread Ashley Sheridan
On Fri, 2010-07-16 at 11:59 +0530, Gautam Bhatia wrote:

> hi ,
>  Since the adduser command demands input from the shell from the
> user, i would be tempted to use the useradd command to do what you are
> planning to do , give that shot . Thank you
> 
> On Sat, 2010-07-10 at 23:02 -0400, Adam Richardson wrote:
> > On Sat, Jul 10, 2010 at 4:39 PM, Matt M.  wrote:
> > 
> > > The only thing is, when I execute this command from a shell, it works.
> > > Obviously I'm replacing $username and $password with something valid when
> > > doing this manually.
> > >
> > > It's like the script clears the $username variable just before it executes
> > > the command, or because the variable is inside quotes, it is not getting
> > > through.
> > >
> > >
> > > From: Ashley Sheridan
> > > Sent: Saturday, July 10, 2010 2:01 PM
> > > To: Matt Morrow
> > > Cc: php-general@lists.php.net
> > > Subject: Re: [PHP] adduser & php
> > >
> > >
> > > On Sat, 2010-07-10 at 13:45 -0500, Matt Morrow wrote:
> > > I am using php 5 on OpenBSD 4.7
> > >
> > > I have a script which takes a username and password from $_POST, and is
> > > supposed to add the user to the system database. The problem is, adduser
> > > creates a username with the same name as the group. The code is:
> > >
> > >$username=$_POST['username'];
> > >$password=$_POST['password'];
> > >$output=exec('/usr/bin/sudo adduser -unencrypted -batch
> > > $username hosting "$firstname $lastname" $password');
> > >echo "result: " . $result . " output: " .  $output;
> > >
> > >
> > > The output is:
> > > Added user ``hosting''
> > >
> > > I have validated that $username and $password contain the correct values
> > > from the form, by outputting them as well above the line which calls the
> > > adduser command.
> > >
> > > Any help is appreciated.
> > >
> > > Matt
> > >
> > > I'm not entirely sure about the syntax you're using here, as it doesn't
> > > quite match up with what I see on the useradd (which is what adduser
> > > synonyms to) man page (type 'man useradd').
> > >
> > > Aside from that, be very, very, very careful with this command. In your
> > > example you've not sanitised the user input, and the useradd command is used
> > > to update details as well as add new users, and you're running it with root
> > > privileges under sudo. Maybe enforce some specific name mechanism (a prefix
> > > like 'yoursystemname_username') to ensure that people aren't unwittingly or
> > > deliberately trying to overwrite existing system user details.
> > >
> > >  Thanks,
> > >  Ash
> > >  http://www.ashleysheridan.co.uk
> > >
> > >
> > >
> > >
> > Matt, one problem I see:
> > 
> > output=exec('/usr/bin/sudo adduser -unencrypted -batch $username hosting
> > > "$firstname $lastname" $password');
> > 
> > 
> > The code won't replace the variables (i.e., variables are not expanded)
> > because they're contained within single quotes and will be evaluated
> > literally:
> > http://php.net/manual/en/language.types.string.php
> > 
> > That said, as others have pointed out, be very, very careful with this type
> > of functionality.  Even just viewing the code makes me feel like I should
> > smoke a cigarette to calm my nerves (and I've never been a smoker ;)
> > 
> > Adam
> > 
> 
> Regards, 
> Gautam Bhatia 
> mail2gautambha...@gmail.com
> 
> 


There is no useradd command in PHP, and useradd is just a synonym for
adduser in Linux (type man adduser if you don't believe me). The shell
command can be made to run fine without any extra input by piping the
input to it and setting the pipe switch.

Thanks,
Ash
http://www.ashleysheridan.co.uk
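
The two points raised in this thread (variables inside single quotes are not expanded, and the form input reaches a root-privileged command unsanitised) handled together, as an added example that is not code from any of the posts. The function name, the `web_` prefix and the username pattern are assumptions; the command path and flags are copied from the quoted original, and nothing is executed here.

```php
<?php
// Added example: build the adduser command line from validated, shell-quoted
// values. The command is returned as a string so it can be inspected first.

const ACCOUNT_PREFIX = 'web_';   // hypothetical prefix, per the naming suggestion

function build_adduser_command(string $username, string $fullName, string $password): string
{
    // Allow-list instead of trying to strip bad characters: lowercase letters
    // and digits only, 3 to 16 characters, starting with a letter. This also
    // rejects names that begin with '-' and would be read as an option.
    if (!preg_match('/^[a-z][a-z0-9]{2,15}$/', $username)) {
        throw new InvalidArgumentException('username rejected');
    }

    // The prefix keeps names created through the web form apart from
    // existing system accounts.
    $account = ACCOUNT_PREFIX . $username;

    // escapeshellarg() wraps each value in single quotes and escapes embedded
    // quotes, so the shell passes every value on as exactly one argument.
    $args = array_map('escapeshellarg', [$account, 'hosting', $fullName, $password]);

    // Path and flags as in the quoted post. The string is concatenated, so
    // PHP's single-quote vs double-quote expansion rules no longer matter.
    // Arguments, the password included, are visible in the process list
    // while the command runs.
    return '/usr/bin/sudo adduser -unencrypted -batch ' . implode(' ', $args);
}

// Constructed inputs: one acceptable name and two that must be refused.
foreach (['matt', 'matt; id', '-batch'] as $candidate) {
    try {
        echo build_adduser_command($candidate, "Matt O'Example", 'S3cret pass!'), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', var_export($candidate, true), "\n";
    }
}
```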