This may be entirely incorrect, but something that might be worth
checking is to find the SQL statements being executed for item 2) in
your list and make sure that all values in the SQL statement have had
addslashes() performed on them.
For example, if your statement is something like:
You are experiencing two different problems.
1) The blank page you are seeing is possibly due to incorrect HTML
markup, where you are using tables incorrectly (most common problem for
people). Check to make sure you have the same number of data cells in
each row, that all your tag are
of the script (as it should) while ie blissfully ignored
it(??). Anyway it all works now. Thanks again.
Chris Shiflett wrote:
You are experiencing two different problems.
1) The blank page you are seeing is possibly due to incorrect HTML
markup, where you are using tables incorrectly (most common
The best way to do this is with an HTTP header called Location.
It is used like this. If page1.php contains a form that submits to
page2.php, you will want to handle the form data with page2.php, and
when you're finished, have a line that looks like this:
header(Location:
I'm not sure what sysadmins you are talking about, but /tmp is typically
a world-writable directory.
Also, there is no such strict Unix naming convention. The directory
/tmp is always /tmp, no matter how lenient you want to be. There is
simply a difference between relative paths and absolute
This depends on what you mean by right, of course, but remember that
the referer (sic) is just a string. You can use any string manipulation
functions to help you test your string, such as searching for
substrings, matching patterns with regular expressions, etc.
If you need more specific
Each item within double quotes is a literal string. The example you
inquire about dynamically builds an SQL statement.
For example, if $searchtype is author_name and $searchterm is
Rasmus, then you would build a statement like:
select * from books where author_name like '%Rasmus%';
The SQL
I might be misinterpreting the question, because it sounds like the same
question as before. Let me try to be more thorough.
SQL statements traditionally use single quotes around literal values.
There is no reason of escaping that makes this characteristic exist.
Now, in PHP, most people
Anthony,
Can you create a very simple test case that demonstrates this problem
and post it? It might reveal something, because otherwise, I don't see a
cause for trouble with what you've described.
Chris
P.S. Please copy me in any replies if you want to make sure I see it.
Anthony 'Crash'
I'm not sure if this might be related to the problem you're having, but
Internet Explorer has a long history of poor cookie implementation, from
the browser allowing anyone to read cookies from any site (versions 4.0
- 6.0) to the browser not sending the cookie information in subsequent
Netcom
- Original Message -
From: Chris Shiflett [EMAIL PROTECTED]
To: Bob Irwin [EMAIL PROTECTED]
Cc: php-general [EMAIL PROTECTED]
Sent: Wednesday, June 19, 2002 11:36 AM
Subject: Re: [PHP] Session problems based on browser?
I'm not sure if this might be related to the problem you're
I mentioned a couple in a previous email:
header("Expires: " . gmdate("D, d M Y H:i:s", time()) . " GMT");
header("Cache-Control: Private");
Most HTTP headers with regards to caching are more intended to dictate
proxy behavior. For example, the header above specifying that
cache-control be private
I think Rasmus's recent book, _Programming_PHP_ (O'Reilly), is quite a
good introduction to the language and teaches some good fundamentals
about the way PHP works as well.
Chris
[EMAIL PROTECTED] wrote:
I am coming over from Perl life. Does anyone recommend any good beginners
books on
Tom,
Include the $returl variable within the quotes, like this:
header("Location: $returl");
If that doesn't work, add these two lines just before the header() function:
echo "<h1>[$returl]</h1>";
exit;
Maybe that will uncover something.
Chris
Tom Beidler wrote:
I'm trying to use header(Location
PHP is probably escaping the single quotes for you:
it's -> it\'s
When addslashes() is applied to this, both the backslash character and
the single quote are escaped:
\ -> \\
' -> \'
The result is what you see:
it\'s -> it\\\'s
If you strip slashes twice, you'll be back to normal.
Chris
The only problem I know of with IE and using the header() function is
when you use the header function like this:
header("Location: http://www.php.net/");
IE will correctly realize that it needs to make a second request (GET,
no matter what type of request the original was), but it fails to
Al,
This depends entirely on your browser actually, as it is the one sending
form variables back to the server in a POST request. Luckily, browsers
are very consistent with how they handle this. :)
Off the top of my head (I might be forgetting some form field types):
text fields - always set
Those presentations are great.
Also, the source code to power them is available if you browse through
the PHP CVS tree; I believe it's just called pres or something like
that. That way you can tailor your slide shows to your audience as well
as present it without having to have a network
Take those presentations and modify them to fit your needs. I believe
there is even a presentation on how to implement the presentation system.
Chris
1LT John W. Holmes wrote:
Sorry, I should've mentioned I had looked over those. I may take bits and
pieces from those. Was just wondering if
Actually, it looks to me like you're missing a semicolon terminating
your SQL statement. Try this:
$query="update $table set field1='$var1' where id='$id';";
1LT John W. Holmes wrote:
It's correct for PHP, but there's no telling what MySQL is actually
receiving.
- Original Message -
Go here and do it yourself:
http://www.php.net/mailing-lists.php
[EMAIL PROTECTED] wrote:
If any of you have an idea on who the admin is kindly tell him to remove me, he/she
can send me a confirmation email if needed to prove that [EMAIL PROTECTED] is my address
too, but please ask him/her
This is sometimes a confusing issue for people, but remember that
cookies work like this:
1) client requests a resource from a Web server
2) Web server returns a response to the client including a request to
set cookies (Set-Cookie header)
3) client requests another page from the Web server
The only data returned by a browser in a Cookie header is the
name/value pairs. So, your example would not pose a threat of any sort.
The Referer and User-Agent are separate headers, but like all data
from the client, they should also not be trusted.
If you have magic quotes enabled, you're
When you see document contains no data like that, the most likely cause
is an endless loop. So, for whatever reason, it seems that your
conditional statement is returning true every time.
Remove the Location header for now, and replace that line with:
echo h1Redirecting to
Most questions like this depend more on your ability to think creatively
than your experience with PHP, so don't let inexperience discourage you
from exploring on your own.
First, decide what you consider to be online exactly. If I, for
example, requested a page 30 seconds ago, you would
Corinne Shea wrote:
Hi,
I'd like to write a function that will take a string of characters and
output it in a phone number format (xxx)xxx- and one for credit
cards ---.
This is actually very easy to do if all you want to do is format,
meaning you have already validated
George Whiffen wrote:
The best way to do this is server side with strlen(). You can use
javascript or maxlength, but if a user wants to get around it, they can.
---John Holmes...
John,
The best way to do this is with both. maxlength/Javascript as a courtesy,
strlen for security.
As
Try this:
$query="select max(id) as id from bc_topic";
Leave the rest the same. I'm not so sure that the max(id) selection will
populate a column named id necessarily (in fact, I think it doesn't).
That may be your problem.
Chris
Phil Schwarzmann wrote:
Here is my code...
$query = SELECT
Alex Elderson wrote:
The problem is the Connection: Close\n\n header. The webserver closes the connection
after the first request, if I remove
the Connection: Close\n\n header the first fgets($web_conn, 128) command will never
end.
This is because persistent TCP connections are the default
Mike Tuller wrote:
I only ask questions if I have tried to do something myself already. I am
not looking for someone to do something for me. When I do ask a question
though, I feel I deserve at least a little respect. If you want to be an
ass, do it somewhere else.
It seems *you* are the one
Jed Verity wrote:
I can't find any information on passing JavaScript variables to PHP on the
same page (i.e. not through the POST information of a submitted form). Is
this because it's not possible?
Basically, this is not possible.
A common area of confusion to those new to Web programming is
Jed Verity wrote:
In general, is it faster and more efficient to query a MySQL database once with
a large SQL select statement and then loop through the huge resulting table?
Or does it make better sense to perform a number of smaller queries with
smaller resulting tables?
This is a hard
Duncan Hill wrote:
Is a free required for every query? Or can I go connect, query, query,
query, free, close?
You never have to free your results if you don't want to. As I
understand it, doing so simply frees up the memory that is being taken
up by the result set ($result in most
Leif K-Brooks wrote:
I have a switch in a script I'm working on. I need to have case 1 and
2 both go to case 3, but without case 1 going through case 2. Is this
possible?
Does case 3 have to be in the switch? If not, just leave it to execute
just after the end of the switch.
Steve Yates wrote:
Justin French [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
1. Name all included files .inc
If you name them *.php then put anything in them inside a function, then
when the user browses to that file he/she won't see anything at all.
Richard Lynch wrote:
Secondly, I think it's probably just a Bad Idea (tm) to try to force HTTP to
do 2 files in one connection anyway -- It just complicates your life, and is
giving you headaches already... How much worse will it get in a year?
Actually, it's a very good idea and very well
Richard Lynch wrote:
The problem is this redirection is being done with the GET method, so
all query string will be shown. How can I make this redirection use the
POST method?
You can't. This redirection is just a way of informing the browser
that it needs to go to the location
B.C. Lance wrote:
http://domainname.com/register.php
display a user registration form having
[form action="https://domainname.com/register.php" method="post"]
will the data from that page be encrypted when it is sent via https
specified in the [form] action?
The answer is yes. The SSL
Cord Schneider wrote:
Here is an outline of the problem:
1) client browser hits myPage.php
2) myPage.php does a few checks recognises that this is a first visit
3) myPage.php sets a cookie using setCookie()
4) myPage.php redirects to checkBrow.php which uses JavaScript to do some
basic browser
Michael Sweeney wrote:
Your form action parameter has an absolute url specifying an https
protocol. When the browser submits the form, it uses the url you specify
which is https. So the request is going to be encrypted. You might
consider serving the form page from https as well to kind of
Scott Fletcher wrote:
This is a PHP newsgroup, it is for PHP discussion. This is not a PHP
discussion, so it is a spam mail. Please refrain from using it.
Actually, I think it is pretty obvious that this guy is just trying to
subscribe. Your email (and consequently mine) are more easily
Richard Lynch wrote:
http://domainname.com/register.php
display a user registration form having
[form action="https://domainname.com/register.php" method="post"]
will the data from that page be encrypted when it is sent via https
specified in the [form] action?
note: the registration form is
Richard Lynch wrote:
Your form action parameter has an absolute url specifying an https
protocol. When the browser submits the form, it uses the url you specify
which is https. So the request is going to be encrypted. You might
consider serving the form page from https as well to kind of tighten
Justin French wrote:
on 03/07/02 11:54 AM, Richard Lynch ([EMAIL PROTECTED]) wrote:
Rule of Thumb:
If you have to do header(Location: ...) you have a
design/engineering/organizational problem in your code/pages/site.
I'm sure a zillion people will disagree with this rule
I agree,
Jean-Christian Imbeault wrote:
I'm writing my first commercial site and of course I am thinking about
security. I'm worried about someone using a flaw in my PHP script
logic to access information they shouldn't.
I've read the PHP books I have and Googled around but can't quite find
Lazor, Ed wrote:
Use sessions. Create a user_id and pass that as a session variable rather
than the user's actual login and password.
-Original Message-
On my site, when a user logs in, their password is encrypted using md5() and
the username and encrypted password is then passed from
Alberto Serra wrote:
Chris Shiflett wrote:
How do sessions help against this? Well, they don't solve the problem
entirely, of course, but the unique ID you pass around won't be the
same unique ID *every* time that user visits the site. So, you at
least have a good chance of making
Alberto Serra wrote:
So you mean I have a 32 byte MD5 session id to identify the current
visit, plus another such thing to identify the step within it, right?
But why decrypting it? A presentation attack would give it back to
server in the encrypted form anyway. What do we lose by just
Lazor, Ed wrote:
I saw that Microsoft has a Certificate Authority server package that allows
you to create your own key. Is there a way to do this in linux? In this
particular instance, it's me accessing my own web site. I'd like to encrypt
the session and I don't need someone to confirm
Richard Lynch wrote:
You can create your own SSL key pair very, very, very easily...
But unless you paid the $200 to get it from a CA, surfers will see a nasty
(and totally inaccurate/misleading) warning about how insecure it is.
They should. To do otherwise would be inaccurate and
Richard Lynch wrote:
In the HTTPS exchange, however, extra key-pairs are generated on the fly,
and the private half of the new pair are exchanged, encrypted with the
public halves of the old pairs, so that the server and the browser are using
a UNIQUE public/private pair so that nobody can snoop
Richard,
Honestly, I think you need to just buy a book on this. I think I
explained things pretty clearly, and your confusion now seems to be
based more on a lack of trusting my explanation more than anything. I
can't imagine how you could still be this confused.
I will try to explain once
I just explained this all in great detail, so please read that. I don't
just think you are confused; I am positive you are.
However, I did notice that you are the same person who gives many good
answers to other peoples' questions. This giving of your time to be
helpful is commendable, and I
I think I'm going to forget trying to explain the technical details,
because somehow this conversation is completely missing the point now. :)
SSL allows you to be sure that your credit card number is getting safely
and securely to the Web site identified by a certain domain name. That's
all
Jo wrote:
The problem:
When connecting to the mysql server on the local machine its fine, but when you
connect to a remote machine
eg $db = mysql_connect("x.x.x.x", "user", "password");
and request something from the database, it connects, BUT it takes about 5 minutes...
I have an idea, yes. Make
. For
example, you can be guaranteed that a public key belongs to me (Chris
Shiflett) and thus, only Chris Shiflett will be able to decrypt the
communication. If someone is trying to pose as me, you may send them
encrypted communication, but they won't be able to decrypt it.
Yes, because
Miguel Cruz wrote:
Nobody thinks they're checking whether or not goodguys.com are good guys.
It is your job as a consumer to research them. Once you have researched
them and decided to do business with them, the certificate authority gives
you a pretty solid basis for believing that you
Greg Donald wrote:
If you can't be helpful then feel free to shutup..
Please don't attack people who freely give their time to try and help
you. Mr. Cruz did not ridicule you in any way but merely asked that you
be more specific than, it doesn't work, which is very good advice and
a sincere
Greg Donald wrote:
On Sun, 7 Jul 2002, Chris Shiflett wrote:
I refer you to this URL:
http://www.tuxedo.org/~esr/faqs/smart-questions.html
I refer you to this URL: http://php.net/ini_set and ask why does this
function not work as per the manual?
Again, here is my code:
?
if(ini_set
Stefen,
There is no built-in way to do what you are speaking about here (that I
know of), but there is a pretty easy technique. However, even this
requires a lot of work to integrate into your existing code, but it will
ease all future additions and maintenance.
Keep a variable called
/?<? echo $next_query_string; ?>">Site 3</a>
The same conditional logic can be used. This allows for URLs that
already have a query string to be addressed as follows:
<a href="http://www.site3.com/index.php?task=incoming&<? echo
$next_query_string; ?>">Site 3</a>
Happy hacking.
Chris
Chris Shiflett wrote
Chris (nice name),
Chris Kay wrote:
A worm of many subjects \\\"The Klez\\\" worm arrives in an e-mail
Anytime you see three backslashes in a row, the likely case is the
addslashes() has been performed twice. For example, the following two
iterations:
1. "The Klez" -> \"The Klez\"
2. \"The Klez\" ->
Martin Towell wrote:
Chris S - I think you're confusing stripslashes w/ addslashes, but
everything else I'm an agreement w/.
You're absolutely right. *blush*
Chris K - Ignore my last paragraph, and everything else should make at
least partial sense. :-)
Ignore this:
Well, here's where
Stefen Lars wrote:
I think that the solution you offer is a great idea. However, in my
case, I may not be able to implement it as I, as the webmaster, do not
always get the chance to add '$next_query_string' to the a href. Some
of the cross-site links are added to discussion forums by the
Djurovski Dejan wrote:
What's wrong in my script?
I receive message:
*Warning*: Supplied argument is not a valid MySQL result resource in
*c:\inetpub\wwwroot\login.php* on line *12*
I input validate username password!
<?php
include("config.php");
if(!empty($username))
{
Richard Lynch wrote:
Would setCookie('user_id', $PHPSESSID, 0, '/othersite.com');
let you get away with setting the cookies for the other site?
Luckily no. :-)
There are vulnerabilities in IE 4.0 - 6.0 that will let you read/write
cookies not in your domain, but this is a result of a bug
Someone should sign this guy up for a hotmail account and check every
box for spam there is.
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Oh look, there's how I unsubscribe.
Brendan P. Caulfield wrote:
this is dumb. can we just ignore this and move. we are all smart enough
to block his posts. let's just do it and quit wasting all of our time and
get back to doing what we do here.
Actually, some of us don't check mail from this list until the evenings.
By the
I just thought this was worth sharing. :-)
- The following addresses had permanent fatal errors -
[EMAIL PROTECTED]
- Transcript of session follows -
RECIPIENTS MAILBOX IS FULL
554 [EMAIL PROTECTED]... Service unavailable
Peter Thoenen wrote:
Question on optimizing code for quicker runtimes.
Which is quicker (this is on a webpage also..NOT
commandline)?
<?php if ($a){ echo 'abc'; } ?>
OR
<?php if ($a) { ?> abc <?php } ?>
Because the difference is going to be undetectable, this would probably
be a question that
Joshua Alexander wrote:
So I was trying to get the server to treat shtml files as both
server-parsed and as php scripts. Not working too well. ;)
Anyone have any ideas?
We'd need to know more about your setup, but if you're using Apache, you
should be able to edit your httpd.conf file
Patrick Teague wrote:
For some reason the following line is not behaving
$os = eregi_replace( "Win[^dows]", "Windows ", $os );
I'm pretty sure (I'm not a regular expression expert) this matches a
string that begins with Win followed by a character that is not d, o, w,
or s.
Thus, in the case
In a weak attempt at improving my knowledge of regular expressions, I
came up with a less elegant solution than Dan's. :-)
$os=eregi_replace(Win([^0-9NT]*), Windows \1 $os);
This adds some additional handy replacements, such as:
Winblows98 -> Windows 98
Windoze98 -> Windows 98
It's a decent
David Busby wrote:
List,
I'm trying to set a cookie like this:
<?php
function redirect() {
if ($_SERVER['HTTP_HOST'] == $_SERVER['SERVER_NAME']) {
$to = func_get_arg(0);
header("HTTP/1.1 301\n");
header("Location:http://".$_SERVER['SERVER_NAME'].$to."\n");
This looks like a variant of the code red worm and will only bother you
if you are running IIS, which I would hope you are not. :-)
218.5.149.77 is apparently running an infected IIS Web server. You might
want to let them know.
Happy hacking.
Chris
andy wrote:
Hi there,
I am getting from
Chad Day wrote:
What I'm looking to do is when a user logs in, I start up the session.. I
then have the registered session var to verify they are authenticated as
they move throughout the site.
Now, when they close the browser and come back, I want them to still be
authenticated. Obviously, I
Monty wrote:
This is probably more of an HTML question... Is there a way to pass
variables to another page via POST instead of via the URL?
Yes.
<form action="another_page.php" method="post">
... (form fields here) ...
<input name="button_name" type="submit" value="Button Text">
</form>
Ray Todd Stevens wrote:
I am working on a web site that is using php controlled www-
authenticate authentication. User ids are specific to users and
different pages and different levels of information for a given page
will be displayed based on the user id used. The problem is how do
you log
Richard Lynch wrote:
But Cookies sent to the HTTPS are not on the HTTP and vice versa.
That ain't PHP, that's just how cookies work.
Are you sure about this? That's definitely not how the specification
reads (assuming I'm interpreting what you're trying to say correctly),
and that is not
1. You complain about Zend charging for a product when someone else has
created an equivalent open source product.
2. You support ColdFusion and ASP when someone else has created an
equivalent open source product.
The point is that you need better logic in your arguments before you
will
Dan Harrington wrote:
I'm having the same problem from time to time as well.
Just straight up out of the blue it gives you a new SESSION id.
As a general rule, the reason that you will find yourself with a new
session ID is that the old session ID was not properly communicated back
to the
There are other ways of doing this, but I think you might be looking for
the logical AND operator (&&).
if ($idx != 1 && $idx != 4 && $idx != 9)
Happy hacking.
Chris
Liam MacKenzie wrote:
Ok, I'm having a blonde day...
If $idx == 1, 4 or 9 I don't want it to echo $results.
I have this, what's
César Aracena wrote:
Just use an OR concatenator like:
If ($idx != '1' OR $idx != '4' OR $idx != '9'){
echo $results;
}
Actually, this statement will always evaluate to true. I think you mean
to use .
Chris
Show us the output of:
select login, password from user where login='sysdata';
My guess is that the password is not 1b1c2457d12dd976d4cfa556ac6661f6
- the md5 of sysdata.
Chris
Reymond wrote:
I have login = sysdata and
password = sysdata on md5 function
How to select md5 function
Yeah, that's a little short for md5, plus you want to allow alphabetic
characters, too.
Try varchar(32).
Happy hacking.
Chris
Reymond wrote:
This is output...
select login, password from User where login = 'sysdata';
+-+--+
| login | password |
I'm not sure about others, but I am glad this behavior is like this.
It is very nice for modules to stand on their own so to speak, so that
you don't have to worry about what context they are used in. If the file
you are including is plain HTML, would you want it to be parsed as if it
were
if last_email_date != today
{
send email
last_email_date = today
}
Happy hacking.
Chris
NoWhErEMan wrote:
I can ensure at least one visitor per day, that's me!!
Since my server is on my local windows machine, i can load the page at start
up.
But i have a question, how can i ensure
I think you were on the right track with your first response. Selecting
a count(*) gives you the number of rows returned without the overhead of
actually returning all of the rows to PHP. Most people will rename the
count as something more easy to reference (and/or more descriptive) in
the
Daniel Guerrier wrote:
echo($_POST['userfile]);
Do you mean $_POST[userfile] here? It looks like you're missing a quote.
Yes, you can make Apache reload a config file without restarting. You
must send it a SIGHUP:
kill -HUP `cat /var/run/httpd.pid`
If you execute this as nobody, I believe it will work, but I haven't
tested it.
Also, I believe Apache will restart when given a kill -1. If the above
suggestions
Matt Zur wrote:
BUT on the index.php I want to write this if statement:
if ($vw == "") {
write this code
}
If you really mean to see if the variable has been set, try this instead:
if (!isset($vw))
{
echo "variable is not set";
}
Happy hacking.
Chris
There is no way to force the behavior, but you can exclude the HTTP
headers that tell the Web browser to not cache the pages.
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Expires: date from the past
etc.
I believe PHP may include some or all of these when you use session
I'm not sure if you've gotten any responses to this, but you might try
asking a question that doesn't require knowledge of ASP. Though a lot
of people do know both PHP and ASP, just about everyone reading this
list at least knows PHP. Some of us are lucky enough to have never had
to learn
Check out cURL for Web client functions.
I'm not aware of a function like hidden() the way you describe it, but
you could easily write it yourself. Look into user-defined functions in
the manual.
Happy hacking.
Chris
Matt Zur wrote:
A Call Function to emulate a browser and contact a
I think you are definitely on the right track here, though I
unfortunately haven't had time to look at your code (thus, I'm just
going by your description).
Due to frequent vulnerabilities found in Internet Explorer's cookie
handling (versions 4.0 - 6.0 allow anyone to view cookies from any
I am guessing you mean the input is a textarea.
At any rate, I believe what you want is nl2br()
Happy hacking.
Chris
Hans Prins wrote:
Hello,
I have a form field of the type scrolling text box it lets users input a
multiline string. I then pass this string as a variable to a php document
You should always use a proper full URL in the Location header. Try that
first.
header("Location:
http://192.168.254.14/show_products_html.php?maker_name=$maker_name&PHPSESSID=$PHPSESSID");
I doubt this will solve your problem, but it is good practice anyway.
One thing that would help debug a
I also just noticed that your first variable in the query string (which
begins after the ? character) begins with an , which is a separator
character. I'm not sure what's going on there, but it should be
something more like this:
header(Location:
It sounds like you need to look into using cURL. It helps with automated
posting.
Now, you need to first determine whether the forms in question use a
method of get or post before deciding how to proceed. If they use
get, you can simply use a series of fopen() calls with the appropriate
You should search for some SQL tutorials on the Web.
What it sounds like you are looking for is the update SQL statement
which modifies an existing row (for your second form, for example).
Thus, you insert the row to create it (which assigns the key using the
auto increment), then update that
1 - 100 of 1537 matches