php-general Digest 27 Apr 2012 00:23:27 -0000 Issue 7791
Topics (messages 317695 through 317710):

Re: Should I check imput for bad chars in this case?
    317695 by: marco.behnke.biz
    317696 by: Simon Schick
    317698 by: mirrys.net
    317709 by: Simon Schick

Segmentation fault while fetching BLOB data from mysql with ODBC
    317697 by: Leandro Dardini
    317704 by: shiplu

url string being split
    317699 by: Chris Stinemetz
    317700 by: Vikash Kumar
    317701 by: Jim Giner
    317702 by: Stuart Dallas

Re: Serving a .dmg via readfile?
    317703 by: Brian Dunning

undefined offset
    317705 by: Jim Giner
    317706 by: Stuart Dallas
    317707 by: Jim Giner

FPDF ?
    317708 by: Jim Giner

Insert group by
    317710 by: Rick Dwyer

Administrivia:

To subscribe to the digest, e-mail: php-general-digest-subscr...@lists.php.net
To unsubscribe from the digest, e-mail: php-general-digest-unsubscr...@lists.php.net
To post to the list, e-mail: php-gene...@lists.php.net
Re: [PHP] date() confustion
Nathan Nobbe <quickshif...@gmail.com> wrote on 26 April 2012 at 06:40:

> INSERT TIMESTAMP: 1335414561
> INSERT DATE TIME: 2012-04-26 4:29:21
>
> But then from the interactive interpreter on the same box (same php.ini
> as well):
>
> php > echo date("Y-m-d G:i:s", 1335414561);
> 2012-04-25 22:29:21
>
> I get this same output from another random computer of mine and I've
> verified date.timezone is consistent in both environments.

This definitely looks like a timezone offset!
Try the following code in your environments.

    $date = new DateTime();
    $tz = $date->getTimezone();
    echo $tz->getName();

PHP for CLI mode has a different php.ini than the one for apache2. Maybe that is a problem?
Check also

    php -i | grep date.timezone

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Best PHP Template System
On Thu, Apr 26, 2012 at 12:07 AM, Yared Hufkens <y4...@yahoo.de> wrote:

> Why use an external engine which slows your scripts down to do something
> which can easily be done by PHP itself? PHP is imho the best template
> engine for PHP.
> With PHP 5.4, it became even easier because <?=$do->somestuff()?> can be
> used without short_open_tag enabled.
> However, you always should divide UI and backend.

Hi,

If you like to write an xml-template by having purely xml, you could also use OPT (Open Power Template).
You can f.e. add an attribute to a tag by decision by writing this code:

    <div>
        <opt:attribute name="class" value="highlight" opt:if="$highlightDiv"/>
        Content
    </div>

Feels a bit cleaner to me than writing

    <div <?php if ($highlightDiv) : ?>class="highlight"<?php endif; ?>>
        Content
    </div>
Re: [PHP] Should I check imput for bad chars in this case?
mirrys.net <mirrys@gmail.com> wrote on 26 April 2012 at 14:15:

> Hi all,
>
> this is more question than real problem (I hope :)). I include this
> script into my pages to log IPs of visitors (they are saved into txt
> file and sent to e-mail later):

You definitely should. There were some bugs (even in bigger applications like Coppermine f.e.) that have been introduced by clients sending manipulated IP or hostname strings.
For the IP address simply check if it is a valid IP4 or IP6 tuple. There are checks for that.

> function getIPadress()
> {
>     if (isset($_SERVER["HTTP_CLIENT_IP"])) {
>         return $_SERVER["HTTP_CLIENT_IP"];
>     } elseif (isset($_SERVER["HTTP_X_FORWARDED_FOR"])) {
>         return $_SERVER["HTTP_X_FORWARDED_FOR"];
>     } elseif (isset($_SERVER["HTTP_X_FORWARDED"])) {
>         return $_SERVER["HTTP_X_FORWARDED"];
>     } elseif (isset($_SERVER["HTTP_FORWARDED_FOR"])) {
>         return $_SERVER["HTTP_FORWARDED_FOR"];
>     } elseif (isset($_SERVER["HTTP_FORWARDED"])) {
>         return $_SERVER["HTTP_FORWARDED"];
>     } else {
>         return $_SERVER["REMOTE_ADDR"];
>     }
> }
>
> // save log to txt
> $fh = fopen($fileWithLog, 'a+') or die("Oups " . $fileWithLog . " !");
> $IPAdress = getIPadress();
> fwrite($fh, date('j.n.Y G:i:s') . $IPAdress . " (" . gethostbyaddr($IPAdress) . ")\n");
> fclose($fh);
>
> ...can this be some possible security risk (XSS or so..), because I do
> not check chars in IP address and host name mainly. It is probably
> crazy, but on the other side I think it isn't impossible to use some
> bad strings in host name.
>
> Would you recommend use $IPAdress = htmlspecialchars(getIPadress()); or
> something like? Or is it nonsense?
>
> Thx and excuse me, if this question is too stupid :(.
>
> Br, Mir R.

Marco Behnke
Dipl. Informatiker (FH), SAE Audio Engineer Diploma
Zend Certified Engineer PHP 5.3

Tel.: 0174 / 9722336
e-Mail: ma...@behnke.biz

Softwaretechnik Behnke
Heinrich-Heine-Str. 7D
21218 Seevetal

http://www.behnke.biz
Re: [PHP] Should I check imput for bad chars in this case?
On Thu, Apr 26, 2012 at 2:15 PM, mirrys.net <mirrys@gmail.com> wrote:

> Hi all,
>
> this is more question than real problem (I hope :)). I include this
> script into my pages to log IPs of visitors (they are saved into txt
> file and sent to e-mail later):
>
> function getIPadress()
> {
>     if (isset($_SERVER["HTTP_CLIENT_IP"])) {
>         return $_SERVER["HTTP_CLIENT_IP"];
>     } elseif (isset($_SERVER["HTTP_X_FORWARDED_FOR"])) {
>         return $_SERVER["HTTP_X_FORWARDED_FOR"];
>     } elseif (isset($_SERVER["HTTP_X_FORWARDED"])) {
>         return $_SERVER["HTTP_X_FORWARDED"];
>     } elseif (isset($_SERVER["HTTP_FORWARDED_FOR"])) {
>         return $_SERVER["HTTP_FORWARDED_FOR"];
>     } elseif (isset($_SERVER["HTTP_FORWARDED"])) {
>         return $_SERVER["HTTP_FORWARDED"];
>     } else {
>         return $_SERVER["REMOTE_ADDR"];
>     }
> }
>
> // save log to txt
> $fh = fopen($fileWithLog, 'a+') or die("Oups " . $fileWithLog . " !");
> $IPAdress = getIPadress();
> fwrite($fh, date('j.n.Y G:i:s') . $IPAdress . " (" . gethostbyaddr($IPAdress) . ")\n");
> fclose($fh);
>
> ...can this be some possible security risk (XSS or so..), because I do
> not check chars in IP address and host name mainly. It is probably
> crazy, but on the other side I think it isn't impossible to use some
> bad strings in host name.
>
> Would you recommend use $IPAdress = htmlspecialchars(getIPadress()); or
> something like? Or is it nonsense?
>
> Thx and excuse me, if this question is too stupid :(.
>
> Br, Mir R.

Hi, mirrys

Why not use the function filter_input()? This would at least show if the value is a valid IP address.

    function getIPadress() {
        $params = array(
            "HTTP_CLIENT_IP",
            "HTTP_X_FORWARDED_FOR",
            "HTTP_X_FORWARDED",
            "HTTP_FORWARDED_FOR",
            "HTTP_FORWARDED",
            "REMOTE_ADDR"
        );

        foreach ($params as $param) {
            if ($val = filter_input(INPUT_SERVER, $param, FILTER_VALIDATE_IP))
                return $val;
        }

        return false;
    }

This way you could even specify "I don't want ip's out of a private range" and stuff like that ...

http://www.php.net/manual/en/filter.filters.validate.php
http://www.php.net/manual/en/function.filter-input.php

If no valid IP address is found you'll get false here ... depends - maybe you want to give 127.0.0.1 back then ;)

Bye
Simon
[PHP] Segmentation fault while fetching BLOB data from mysql with ODBC
Has anyone experienced a segmentation fault while reading blob (longblob) data from mysql using ODBC? If not, can you provide me a few rows of code to show me how you fetch it?

I am using php 5.3.3 and this code segfaults:

    $conn = odbc_connect("db", "", "");
    $sql = "select * from table where id=1";
    $res = odbc_exec($conn, $sql);
    $row = odbc_fetch_object($res);

Leandro
Re: [PHP] Should I check imput for bad chars in this case?
Thank you for your help Marco & Simon. No doubt, your code is much cleaner and better.

One more question, without any filter or something could be my original code somehow compromised (mean some security bug)? Or rather was a major problem in the possibility of a script crash?

On 4/26/12, ma...@behnke.biz <ma...@behnke.biz> wrote:

> You definitely should. There were some bugs (even in bigger applications
> like Coppermine f.e.) that have been introduced by clients sending
> manipulated IP or hostname strings.
> For the IP address simply check if it is a valid IP4 or IP6 tuple. There
> are checks for that.
[PHP] url string being split
Hello list,

I'm trying to pass a query string through $_GET but for some reason the array is being split on ''. How may I avoid this so it stays intact?

user selection portion:

    while($storerow = mysql_fetch_assoc($storesresult))
        echo '<h4><a href="store.php?id=' . $storerow['store_subject'] . '">' . $storerow['store_subject'] . '</a></h4> at ' . date('m-d-Y h:i:s A', strtotime($storerow['real_time_date']));

produces url string:

    http://westeng/forum/store.php?id=Wiser Communication, LLC - - Sprague Ave

    print("<pre>".print_r($_GET,true)."</pre>");

## results below

    Array
    (
        [id] => Wiser Communication, LLC -
        [-_Sprague_Ave] =>
    )

How do I make it so the string isn't split into two elements in the array? I want it to stay intact.

Thank you,

Chris
Re: [PHP] url string being split
On 26 April 2012 22:27, Chris Stinemetz <chrisstinem...@gmail.com> wrote:

> Hello list,
>
> I'm trying to pass a query string through $_GET but for some reason
> the array is being split on ''. How may I avoid this so it stays intact?
>
> user selection portion:
>
> while($storerow = mysql_fetch_assoc($storesresult))
>     echo '<h4><a href="store.php?id=' . $storerow['store_subject'] . '">' . $storerow['store_subject'] . '</a></h4> at ' . date('m-d-Y h:i:s A', strtotime($storerow['real_time_date']));
>
> produces url string:
>
> http://westeng/forum/store.php?id=Wiser Communication, LLC - - Sprague Ave
>
> print("<pre>".print_r($_GET,true)."</pre>");
>
> ## results below
>
> Array
> (
>     [id] => Wiser Communication, LLC -
>     [-_Sprague_Ave] =>
> )
>
> How do I make it so the string isn't split into two elements in the
> array? I want it to stay intact.

You should urlencode the query parameter.

> Thank you,
>
> Chris
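
Added example, not code from any post in this thread: the urlencode() advice above applied to the link, together with the HTML escaping the same echo needs. PHP splits a query string into $_GET entries at each `&`, which parse_str() reproduces here; storeLink() and parseQuery() are hypothetical names and the store name is a constructed sample.

```php
<?php
// Added example; storeLink() and parseQuery() are hypothetical names and the
// store name is a constructed sample that contains the '&' separator.

function storeLink(string $subject): string
{
    // Two output contexts, two encoders: urlencode() for the query-string
    // value, htmlspecialchars() for the href attribute and the link text.
    $href = 'store.php?id=' . urlencode($subject);

    return '<h4><a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
        . htmlspecialchars($subject, ENT_QUOTES, 'UTF-8') . '</a></h4>';
}

function parseQuery(string $query): array
{
    // parse_str() applies the rules PHP uses when it fills $_GET.
    parse_str($query, $vars);

    return $vars;
}

$subject = 'Sample Store, LLC - & - Main St';

// Unencoded value, as in the original link.
print_r(parseQuery('id=' . $subject));

// Encoded value, as the urlencode() reply suggests.
print_r(parseQuery('id=' . urlencode($subject)));

// The link as it should be written into the page.
echo storeLink($subject), "\n";
```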
Re: [PHP] url string being split
I'm no expert, but why would you expose a query to the world thru the use of a GET? Why not just collect the params and build the string in your code? That is how people hack into your database - via a re-formed query. You're giving someone an open invitation.
Re: [PHP] url string being split
On 26 Apr 2012, at 18:37, Jim Giner wrote:

> I'm no expert, but why would you expose a query to the world thru the
> use of a GET? Why not just collect the params and build the string in
> your code? That is how people hack into your database - via a re-formed
> query. You're giving someone an open invitation.

A query string has nothing to do with databases.

-Stuart

--
Stuart Dallas
3ft9 Ltd
http://3ft9.com/
Re: [PHP] Serving a .dmg via readfile?
Thanks, this suggestion from Dante completely solved the problem.

Replaced:

    readfile('/var/www/mypath/My Cool Image.dmg');

With:

    $fd = fopen('/var/www/mypath/My Cool Image.dmg', "r");
    while (!feof($fd)) {
        set_time_limit(30);
        echo fread($fd, 4096);
        flush();
    }
    fclose($fd);

It's now serving all files properly.

On Apr 25, 2012, at 9:07 PM, D. Dante Lorenso wrote:

> You'll want to use fopen, fread, fwrite, and fclose to loop through
> bytes in your file as you shuttle chunks to the client instead of
> slooping it all into memory in one hunk.
Re: [PHP] Segmentation fault while fetching BLOB data from mysql with ODBC
On Thursday, April 26, 2012, Leandro Dardini wrote:

> Has anyone experienced a segmentation fault while reading blob
> (longblob) data from mysql using ODBC? If not, can you provide me a few
> rows of code to show me how you fetch it?
>
> I am using php 5.3.3 and this code segfaults:
>
> $conn = odbc_connect("db", "", "");
> $sql = "select * from table where id=1";
> $res = odbc_exec($conn, $sql);
> $row = odbc_fetch_object($res);
>
> Leandro

This is certainly a bug. But I'm curious why you are not using MySQL extension?

--
Shiplu.Mokadd.im
ImgSign.com | A dynamic signature machine
Innovation distinguishes between follower and leader
[PHP] undefined offset
Sorry - can't seem to find anything that explains this on google.

I'm using a List command to break out an array into distinct field names. I keep getting these errors as I go thru my loop:

    Notice: Undefined offset: 10 in (.) on line 151
    Notice: Undefined offset: 9 in (.) on line 151
    Notice: Undefined offset: 8 in (.) on line 151
    Notice: Undefined offset: 7 in (.) on line 151
    Notice: Undefined offset: 6 in (.) on line 151
    Notice: Undefined offset: 5 in (.) on line 151
    Notice: Undefined offset: 4 in (.) on line 151
    Notice: Undefined offset: 3 in (.) on line 151
    Notice: Undefined offset: 2 in (.) on line 151
    Notice: Undefined offset: 1 in (.) on line 151

The array is loaded with

    while ($line = fgetcsv($hdlin))

My trouble line of code is:

    list($LastName, $FirstName, $MI, $Eventcode, $Event_Partner_Ln,
         $Event_Partner_Fn, $Event_Partner_MI, $t, $u, $v, $Draw_pos) = $line;

I've confirmed that I have a field name for each element in my rows. All the rows are the same size naturally. So - what is it telling me?
Re: [PHP] undefined offset
On 26 Apr 2012, at 21:20, Jim Giner wrote:

> Sorry - can't seem to find anything that explains this on google.
>
> I'm using a List command to break out an array into distinct field
> names. I keep getting these errors as I go thru my loop:
>
> Notice: Undefined offset: 10 in (.) on line 151
> Notice: Undefined offset: 9 in (.) on line 151
> Notice: Undefined offset: 8 in (.) on line 151
> Notice: Undefined offset: 7 in (.) on line 151
> Notice: Undefined offset: 6 in (.) on line 151
> Notice: Undefined offset: 5 in (.) on line 151
> Notice: Undefined offset: 4 in (.) on line 151
> Notice: Undefined offset: 3 in (.) on line 151
> Notice: Undefined offset: 2 in (.) on line 151
> Notice: Undefined offset: 1 in (.) on line 151
>
> The array is loaded with
>
> while ($line = fgetcsv($hdlin))
>
> My trouble line of code is:
>
> list($LastName, $FirstName, $MI, $Eventcode, $Event_Partner_Ln,
>      $Event_Partner_Fn, $Event_Partner_MI, $t, $u, $v, $Draw_pos) = $line;
>
> I've confirmed that I have a field name for each element in my rows.
> All the rows are the same size naturally. So - what is it telling me?

For every iteration of the loop or just once? If it's just once then you're not handling the possibility of a blank line. If more than once then the file doesn't contain what you think it contains.

-Stuart

--
Stuart Dallas
3ft9 Ltd
http://3ft9.com/
Re: [PHP] undefined offset
Thanks. That was it - my last line was null.

----- Original Message -----
From: Stuart Dallas <stu...@3ft9.com>
To: Jim Giner <jim.gi...@albanyhandball.com>
Cc: php-general@lists.php.net
Sent: Thursday, April 26, 2012 4:21 PM
Subject: Re: [PHP] undefined offset

On 26 Apr 2012, at 21:20, Jim Giner wrote:

> Sorry - can't seem to find anything that explains this on google.
>
> I'm using a List command to break out an array into distinct field
> names. I keep getting these errors as I go thru my loop:
>
> Notice: Undefined offset: 10 in (.) on line 151
> Notice: Undefined offset: 9 in (.) on line 151
> Notice: Undefined offset: 8 in (.) on line 151
> Notice: Undefined offset: 7 in (.) on line 151
> Notice: Undefined offset: 6 in (.) on line 151
> Notice: Undefined offset: 5 in (.) on line 151
> Notice: Undefined offset: 4 in (.) on line 151
> Notice: Undefined offset: 3 in (.) on line 151
> Notice: Undefined offset: 2 in (.) on line 151
> Notice: Undefined offset: 1 in (.) on line 151
>
> The array is loaded with
>
> while ($line = fgetcsv($hdlin))
>
> My trouble line of code is:
>
> list($LastName, $FirstName, $MI, $Eventcode, $Event_Partner_Ln,
>      $Event_Partner_Fn, $Event_Partner_MI, $t, $u, $v, $Draw_pos) = $line;
>
> I've confirmed that I have a field name for each element in my rows.
> All the rows are the same size naturally. So - what is it telling me?

For every iteration of the loop or just once? If it's just once then you're not handling the possibility of a blank line. If more than once then the file doesn't contain what you think it contains.

-Stuart

--
Stuart Dallas
3ft9 Ltd
http://3ft9.com/
[PHP] FPDF ?
For those of you with FPDF experience.

I've just begun using it and have figured out how it works I think. I am still having trouble with the bottom of the page tho. Seems that if I get too close to the bottom margin and my data line exceeds the amount of available space, my MultiCell elements print some of their contents and then my Footer gets printed and then I go to a new page where some small amount of the remaining data for that line gets printed and then a new page is output and repeat. This can go on for 3-4 pages before things work out and my report continues until it gets a full page again and then it all happens again.

I know it sounds complicated, but I'm hoping someone else has experienced this kind of learning curve and can give me a clue as to what I'm doing wrong, or at least what's happening. Even better would be an algorithm for detecting how much space I have left so I can avoid these split lines and perhaps solve my entire problem.
Re: [PHP] Should I check imput for bad chars in this case?
On Thu, Apr 26, 2012 at 3:59 PM, mirrys.net <mirrys@gmail.com> wrote:

> Thank you for your help Marco & Simon. No doubt, your code is much
> cleaner and better.
>
> One more question, without any filter or something could be my
> original code somehow compromised (mean some security bug)? Or rather
> was a major problem in the possibility of a script crash?

Hi, Mirrys

I personally can not see a security-hole at the first view ... Stuff in the global server-variable should only be set by the webserver and therefore it should be kind-of safe (depending on the quality of the configuration of the webserver ;))

That was also the main reason why I would do a validation-check for this.

Talking about a script-crash ... I don't know ... I just found this line in a comment for the function gethostbyaddress()

> If you use gethostbyaddr() with a bad IP address then it will send an
> error message to the error log.

Bye
Simon
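
Added example, not code from any post in this thread: one way to write the log line the thread discusses. The HTTP_* entries in $_SERVER are copied from request headers and are therefore chosen by the client, while REMOTE_ADDR is the address of the TCP peer; the names reverse DNS returns are set by whoever controls the address block. TRUSTED_PROXIES, clientIp(), safeHostname() and logLine() are hypothetical names, and all addresses and hostnames are constructed samples.

```php
<?php
// Added example; TRUSTED_PROXIES, clientIp(), safeHostname() and logLine()
// are hypothetical names, and every address below is a constructed sample.
const TRUSTED_PROXIES = ['10.0.0.5']; // reverse proxies you operate yourself

// $server is normally $_SERVER; it is a parameter so the code runs offline.
function clientIp(array $server): ?string
{
    $remote = filter_var($server['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP);
    if ($remote === false) {
        return null;
    }
    // HTTP_* entries come from request headers, so honour X-Forwarded-For
    // only when the TCP peer is one of our own proxies.
    if (in_array($remote, TRUSTED_PROXIES, true) && isset($server['HTTP_X_FORWARDED_FOR'])) {
        // The header can be a comma-separated chain; the right-most entry
        // is the one appended by the proxy that connected to us.
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $last = filter_var(end($hops), FILTER_VALIDATE_IP);
        if ($last !== false) {
            return $last;
        }
    }
    return $remote;
}

// The resolved name is filtered to hostname characters before it is logged,
// so markup or line breaks in a PTR record never reach the file.
function safeHostname(string $ip, ?callable $resolver = null): string
{
    $host = $resolver ? $resolver($ip) : @gethostbyaddr($ip);
    if (!is_string($host) || !preg_match('/^[A-Za-z0-9.:-]{1,253}$/D', $host)) {
        return '-';
    }
    return $host;
}

function logLine(array $server, ?callable $resolver = null): string
{
    $ip = clientIp($server);
    $entry = $ip === null ? 'invalid-address' : $ip . ' (' . safeHostname($ip, $resolver) . ')';
    return date('j.n.Y G:i:s') . ' ' . $entry . "\n";
}

// Constructed resolver standing in for DNS, including a malformed PTR value.
$fakeDns = function (string $ip): string {
    $ptr = ['198.51.100.7' => 'host7.example.net', '203.0.113.9' => "x\n<b>forged</b>"];
    return $ptr[$ip] ?? $ip;
};

$requests = [
    // Direct client sending its own forwarding header: the header is ignored.
    ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => "1.2.3.4\n<b>forged</b>"],
    // Request relayed by our proxy: the right-most forwarded address is used.
    ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '192.0.2.1, 198.51.100.7'],
];
foreach ($requests as $server) {
    echo logLine($server, $fakeDns);
}

// Escape at output time when the log is shown in HTML or an HTML e-mail.
echo htmlspecialchars(logLine($requests[1], $fakeDns), ENT_QUOTES, 'UTF-8');
```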
[PHP] Insert group by
Hello all.

This is more of a MySQL question, but I'm hoping it can be answered here. On one of my pages, I issue a SQL command to group data as such:

    $sql='select count(*) as count, searchkeywords from searchkeywords group by searchkeywords order by count desc'

Works well... but I would like it to group plurals with singular words as well. So "hats" are grouped with "hat".

Since I'm doing a group by column name, I don't know that this can be done.

Any help is appreciated.

Thanks,

--Rick