Re: [PHP] Opening a socket and sending GET data
Your request looks fine. What are you doing with $query once you have constructed it?

Another question worth asking is what is your ultimate goal here? I'm not sure performing a manual request is necessary, but maybe it is.

Chris

--- Todd Cary <[EMAIL PROTECTED]> wrote:
> # now we build our query
> $query = "GET $abs_url" .
> "HTTP/1.0\r\n" .
> "Accept-Language: en-us\r\n".
> "Host: $host:$port\r\n".
> "Connection: close\r\n";

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] using cookies
--- Ken Nagorski <[EMAIL PROTECTED]> wrote:
> I have never used cookies before, however I am trying to
> implement them to make things a little more secure. Rather
> than passing a sql statement via a hidden input tag I am
> setting a cookie.

I think someone else already mentioned this, but let me emphasize that this is a terrible idea and definitely does not make things a little more secure.

The best analogy I can think of for a cookie would be handing out name tags to people who visit your site. Imagine that you write the following SQL on someone's name tag:

    select * from foo where unique_id='12345'

This helps you distinguish them from the next person who may have a unique identifier of 23456. While this might work for those who play by the rules, you are placing a tremendous amount of trust in these people. What if someone erased what you wrote on their name tag, replacing it with this:

    delete from foo

If you were to trust this person's name tag the next time you saw them, you would delete all of the data from that table.

In addition to this, hidden form variables are just as bad. It is a different method, but you are still basically sending something to the client and just trusting the client to return exactly what you sent. Placing so much trust in the client is never a good idea.

I would recommend abandoning these methods for anything that you, as you say, are wanting to make more secure. Look into using sessions instead. When you use sessions, the only sensitive data you trust the client to return to you is PHPSESSID. While there are some dangers associated with this trust, it is a more tolerable risk. When you set a session variable, it is kept safely on the server, so it is at least much less convenient for an attacker to alter this data, because only you can do that.

I hope this helps you get started down the right path. There are methods you can use to further mitigate the risk of trusting the client's PHPSESSID, but that can be discussed later.

Chris
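The name-tag problem described in the message above, as an added example that is not code from the thread: the first function runs whatever statement the client returns in a cookie, the second keeps only an identifier on the server and binds it as a parameter. The table `foo` and column `unique_id` are the names used in the message; the rows, the function names and the use of an in-memory SQLite database through PDO (the pdo_sqlite extension) are assumptions, and plain arrays stand in for $_COOKIE and $_SESSION so the script runs from the command line.

```php
<?php
// Added example, not code from the thread. Table `foo` and column `unique_id`
// are the names used in the message; the rows are constructed sample data.

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE foo (unique_id TEXT PRIMARY KEY, name TEXT)");
    $db->exec("INSERT INTO foo VALUES ('12345', 'alice')");
    $db->exec("INSERT INTO foo VALUES ('23456', 'bob')");
    return $db;
}

function row_count(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM foo')->fetchColumn();
}

// The pattern the message warns against: the statement itself travels in the
// cookie, so the server runs whatever text the client sends back.
function rows_from_cookie(PDO $db, array $cookie): array
{
    $stmt = $db->query($cookie['query']);
    // Statements such as DELETE produce no result columns.
    return $stmt->columnCount() > 0 ? $stmt->fetchAll(PDO::FETCH_ASSOC) : [];
}

// The session approach: the statement text is fixed in server code, and the
// only variable part is an identifier the server itself stored in the session.
function rows_from_session(PDO $db, array $session): array
{
    if (!isset($session['unique_id']) || !is_string($session['unique_id'])) {
        return [];
    }
    $stmt = $db->prepare('SELECT * FROM foo WHERE unique_id = ?');
    $stmt->execute([$session['unique_id']]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A client that returns the cookie unchanged.
$db = make_db();
$honest = ['query' => "select * from foo where unique_id='12345'"];
printf("cookie, unchanged: %d row(s) returned, %d row(s) left in foo\n",
    count(rows_from_cookie($db, $honest)), row_count($db));

// A client that rewrote the cookie, as in the name-tag analogy.
$edited = ['query' => 'delete from foo'];
rows_from_cookie($db, $edited);
printf("cookie, rewritten: %d row(s) left in foo\n", row_count($db));

// With sessions the client only presents PHPSESSID. In a web request this
// array would be $_SESSION after session_start(), filled in at login.
$db = make_db();
$session = ['unique_id' => '12345'];
printf("session: %d row(s) returned, %d row(s) left in foo\n",
    count(rows_from_session($db, $session)), row_count($db));
```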
Re: [PHP] sessions and trans-sid problem/question
--- Jean-Christian Imbeault <[EMAIL PROTECTED]> wrote:
> This now hands me a dilemma ... I was building my site
> conservatively, i.e. assuming the user would have
> cookies turned off. And so I am making heavy use of
> session variables. *But* I had thought that if the
> user had cookies enabled then the variables would be
> saved as cookie information, hence saving my server a
> lot of disk reads and writes.
>
> Now you have shown me the error of my ways ...
>
> I have to consider rewriting my scripts so that if
> cookies *are* enabled the session information is sent
> as cookie data.

There are two reasons why you should not consider such a rewrite:

1. performance
2. security

You say you want to pass data as cookies to save your server the latency of disk access. Think about that for a moment, and you will see that it makes no sense. This is similar to making a decision to store all of your data on a remote FTP server rather than your local disk, thinking that this somehow saves you time. Regardless of how much bandwidth your network has and how slow your disk is, there is no way transmitting this data to/from the client across the Internet is going to be faster than local disk access. Floppy access is probably not even as slow as what you are considering.

A more important reason to avoid the rewrite you are considering is security. A cookie is sent by the client. The client can be anyone using your site. What if the client is trying to circumvent your site's security in some way? Do you really want to trust everyone who visits to be honest? When you set a cookie, you are asking the client to send that cookie (value unchanged of course) in future requests. There is nothing aside from honesty that keeps a client from changing the cookie.

Also, cookies are intended as a mechanism for maintaining state. This means that they are well-suited for helping you identify a client (the Web browser). Session management requires a little bit more, and this is where PHP sessions come into play. Cookies are a poor choice for session management (state management + maintaining client data), and this is what it seems like you are considering.

Chris
Re: [PHP] Insert file into sql server binary field.
--- Marek Kilimajer <[EMAIL PROTECTED]> wrote:
> BLOB is like TEXT

In what way? BLOB is binary large object. Text is ... text. One is binary, and the other is ASCII.

The only similarity I can think of is that they both represent data. However, the format is completely different. Open up a binary file in a text editor, and then do the same with a regular text file. I think you will notice a significant difference. Or, consider the representation of 16 in binary versus ASCII:

    binary - 1
    ascii - 0011000100110110

As Sterling mentioned, using addslashes() on binary data is a bad idea. The same can be said for any string operations intended for ASCII data.

Chris
Re: [PHP] What is wrong here?
--- Cesar Aracena <[EMAIL PROTECTED]> wrote:
> I have trouble with header("Location... because the
> browser is NOT redirected. If I set an echo statement
> after I detected that the username and password using
> $_POST[""], the echo goes OK but if I comment the echo
> and un-comment the
>
> header("Location: http://www.domainname.com");
> exit;
>
> nothing happens...

It is a good idea to always use a proper URL in conjunction with the Location header, because this is required by the HTTP specification. So, change your code to this:

    header("Location: http://www.domainname.com/");

However, I doubt this will solve your problem. When you exchange the header() with an echo for debugging, you get the output you expect, right? Is it possible that the echo is not the only output, meaning that it would work fine whereas the header() call would fail due to there being previous output somewhere else? Depending on your HTML, errors might be hidden from the browser, so you might have to glance through the source.

The only way to make sure PHP is properly changing the response status code to 302 is to snoop the HTTP traffic surrounding this transaction. Can you do that and show us the results? It might reveal something.

Chris
Re: [PHP] quick sanity check on user management / sessions
--- Justin French <[EMAIL PROTECTED]> wrote:
> I just need a quick sanity check.

I'm no doctor, but I think you're sane. :-)

> For some reason (inexperience probably, or a bad
> article), it was set-up so that both the uid and pwd
> were set as session variables, and EACH PAGE on the
> site checked the uid & pwd against the database...
> this seems like a lot of overhead to me.

This seems superfluous to me as well. So, you are saying that the unique identifier and the password are stored on the server in the session data store (/tmp/sess_$PHPSESSID by default) and validated against the user data store (where the username and password are typically stored) for each access?

This offers no benefit that I can think of, because you are validating server data against server data. It does nothing to validate the client data, namely to offer assurance of the client's identity. It is the client that I generally mistrust, not the server. :-)

> Here's what I'd like to do:
>
> login page validates user, and registers
> $_SESSION['uid'] (and any others I need, like admin =
> true)
>
> then, all other pages on the site will just need
> session_start();

This will work fine and at least seems like a better approach than the old code you found. One thing you might want to consider is what might have been the intent of the old code, which is to add some extra authentication for the client's identity. My reason for suggesting this approach is based on the following:

1. PHP uses a cookie for client identification by default.
2. IE versions 4.0 - 6.0 allow any Web site to read any of the user's cookies, regardless of the access restrictions placed on those cookies.
3. A majority of Web browsers in use identify themselves as being a version of IE between 4.0 and 6.0.

Thus, impersonation is quite easy if the cookie is trusted. There are many creative things you can do to add a bit of strength to the identification process. One example would be to store the user agent string in a session variable after authentication and to check the client's user agent for each access within that session thereafter. This would at least force an imposter to replicate the user agent. Yes, this may not be very reliable either, but perhaps it will give you some ideas.

Just try to make it hard on the bad guys and easy on the good guys, and you'll probably be fine.

Chris
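One way to implement the user agent check suggested in the message above, as an added example that is not code from the thread. The function names and the `ua` session key are assumptions, `uid` is the key from the quoted question, and arrays stand in for $_SESSION and $_SERVER so the script runs from the command line with constructed user agent strings.

```php
<?php
// Added example, not code from the thread. Function names and the 'ua'
// session key are assumptions; 'uid' is the key from the quoted question.

// Call once, right after the login page has validated the user.
// In a web request: session_start(); session_regenerate_id(true);
// then bind_client($_SESSION, $_SERVER, $uid);
function bind_client(array &$session, array $server, string $uid): void
{
    $session['uid'] = $uid;
    $session['ua']  = (string) ($server['HTTP_USER_AGENT'] ?? '');
}

// Call on every other page after session_start(). Returns the uid when the
// request comes from the same user agent that logged in, otherwise empties
// the session data and returns null so the page can send the user to login.
function current_uid(array &$session, array $server): ?string
{
    if (!isset($session['uid'], $session['ua'])) {
        return null;                       // never logged in
    }
    $seen = (string) ($server['HTTP_USER_AGENT'] ?? '');
    if (!hash_equals($session['ua'], $seen)) {
        $session = [];                     // presented PHPSESSID, wrong client
        return null;
    }
    return $session['uid'];
}

// Constructed requests: the login, a later request from the same browser,
// and a request that presents the same session from a different user agent.
$session = [];
$login   = ['HTTP_USER_AGENT' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)'];
$other   = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; U; Linux i686)'];

bind_client($session, $login, 'justin');

echo "same browser:      ", var_export(current_uid($session, $login), true), "\n";
echo "different browser: ", var_export(current_uid($session, $other), true), "\n";
echo "after mismatch:    ", var_export(current_uid($session, $login), true), "\n";
```

As the message says, the user agent can be replicated, so this check only raises the cost of reusing a captured PHPSESSID.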
Re: [PHP] Automajickally POST to a remote form
--- Kris Williams <[EMAIL PROTECTED]> wrote:
> Once upon a time I used to be able to POST form data to external
> sites with ASP and an MSXML (or something) server object on IIS
> and I'm wondering if there's a similar sort of technique using
> PHP.

You can post with PHP using cURL or doing it yourself manually. Search the archives for this, as the previous answers to this are more complete than what I have time to explain now. Here is a quick example of the manual approach:

http://shiflett.org/tutorials/php_post.txt

> The easiest description of what I'm attempting is: user hits PHP
> page, page submits predefined search terms to Google and the
> results are displayed.

Since Google's search uses GET, your question about POST doesn't matter anyway. The following URL will display the search results of a Google search on PHP:

http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=PHP&btnG=Google+Search

If you are wanting to display the search results on your own page, you should use Google's API. I believe parsing their HTML results violates the terms of use, so you might want to read that if you do not want to use the API. The API can be found here:

http://www.google.com/apis/

A low-level demonstration of how the API works is given here (I plan to improve this when I have time):

http://shiflett.org/tutorials/google.php

Hope that helps.

Chris
RE: [PHP] Form trouble
There is one common method used to avoid this that is pretty reliable.

1. http://example.org/1.php submits to http://example.org/2.php
2. http://example.org/2.php processes the form, then uses a Location header to redirect to http://example.org/3.php. For example:

    header("Location: http://example.org/3.php");

From the user's perspective, there are only two URLs involved, http://example.org/1.php and http://example.org/3.php. Clicking back from 3.php brings the user to 1.php and clicking forward simply brings the user to 3.php. It is impossible without clicking the submit button again to execute 2.php again. Thus, 2.php does not display anything but just processes the form and redirects the user to the appropriate URL.

That's one technique, anyway.

Chris

--- David H <[EMAIL PROTECTED]> wrote:
> But what about updates to the database...? Is there
> a way not to have the information send to the server at
> all?
Re: [PHP] Need help on client certificate validation using OpenSSL/PHP
--- Richard Rojas <[EMAIL PROTECTED]> wrote:
> I'm a PHP newbie and I'm really having difficulty with
> client-server certificate validation using Openssl and
> PHP. If somehow you know of a tutorial, a website or
> sample PHP codes that checks (expired, revoked) and
> validates client certificates, it would be of great help.

This is a pretty complicated task for a beginner. I assume that you are just new to PHP but are otherwise well-versed in public key cryptography and SSL?

It is very difficult to find a great deal of information on client authentication, simply because 99% of SSL implementations are only concerned with authenticating the server. My experience developing an application like this is unfortunately only in ColdFusion, but if memory serves correctly, I found the most useful information when searching through the Web server's documentation. In fact, I am sure that we experimented with allowing the Web server to handle the client authentication, basically only allowing access to clients who presented a digital certificate signed by a specific CA (ours).

So, my first suggestion would be to search through your Web server's documentation. We got this working in Apache I know, so if you're using that, I know the information is there.

Another recommendation would be to search the mod_ssl documentation. Ralf Engelschall is pretty well-known for providing very accurate and descriptive documentation, and I would be willing to bet that he has some specific examples involving client authentication. Even if you aren't using Apache, I bet this would be helpful.

O'Reilly has a book on OpenSSL that I've been thinking of getting myself: http://www.oreilly.com/catalog/openssl/. You might want to check that out in a bookstore or something.

Sorry I cannot be more helpful. Perhaps someone else will chime in with some better information. Please let us know what you find.

Chris
Re: [PHP] www.php.net
--- Paul Marinas <[EMAIL PROTECTED]> wrote:
> is down?
> or my computer .

It works fine for me. Perhaps you should try a mirror:
Re: [PHP] If statement w/ multiple conditions
--- Ernest E Vogelsinger <[EMAIL PROTECTED]> wrote:
> At 13:50 26.11.2002, [EMAIL PROTECTED] said:
> >if ($lineone && $linetwo && $linethree && $linefour = "")
>
> Your expression yields true if 1-3 are not-empty AND four is an
> empty string.

Actually, this expression yields true when $lineone, $linetwo, and $linethree are all true. The variable $linefour is just being set to the empty string.

Don't confuse boolean tests with tests for whether a string is empty. Yes, an empty variable will evaluate as false, but so will a variable containing 0 or set to false.

> All empty:
> !($lineone || $linetwo || $linethree || $linefour)
> --or--
> !$lineone && !$linetwo && !$linethree && !$linefour
> All set:
> $lineone && $linetwo && $linethree && $linefour

Same problem here. Try these conditionals with the following values:

    $lineone = 0;
    $linetwo = 0;
    $linethree = 0;
    $linefour = 0;

Something like this will probably work:

    $all = $lineone . $linetwo . $linethree . $linefour;
    if (empty($all)) {
        echo "All lines are empty";
    } else {
        echo "All lines are not empty";
    }

Chris
Re: [PHP] Multiple page form
--- Shane McBride <[EMAIL PROTECTED]> wrote:
> I don't remember if I need to pass variables along with the
> form for each page, or can I just call them on the last page.

Consider using sessions: http://www.php.net/manual/en/ref.session.php

Chris
Re: [PHP] If statement w/ multiple conditions
--- Jason Wong <[EMAIL PROTECTED]> wrote:
> At 13:50 26.11.2002, [EMAIL PROTECTED] said:
> >if ($lineone && $linetwo && $linethree && $linefour = "")
>
> Actually that expression will always be FALSE. $linefour = ""
> does not evaluate to TRUE thus the whole expression to be FALSE!

Yes, you're right. Of course, I don't think he meant to be assigning the variable, anyway. :-)

Chris
Re: [PHP] Multiple page form
--- Chris Boget <[EMAIL PROTECTED]> wrote:
> > So, you are using a database to store the records?
>
> Yes. What's the point in taking the user's information if you
> aren't going to store it somewhere. Even if all you need to do is
> email the data upon completion of the form, storing the data for
> later use would be a good idea.

Since it seems like you are inferring otherwise, I should say that a database isn't the only way to store information. Also, many multiple page forms like this are for some sort of user registration or similar task where you might want the entire process completed prior to creating a user record. Perhaps he doesn't want to create the record in the database prior to the user finishing all the screens.

Sessions are the more straightforward approach to keeping up with data like this. After all, not everything warrants permanent storage, which is why most Web applications generally have two data stores:

1. Permanent user record data store (where you might store username and password, for example)
2. Session data store (where you might store whether a user is logged in or keep up with form data from page to page)

Chris
RE: [PHP] Re: & in Query String
--- "Jonathan Rosenberg (Tabby's Place)" <[EMAIL PROTECTED]> wrote:
> In an earlier message, Derick Rethans [mailto:[EMAIL PROTECTED]] said
>
> > Yes it is. Actually, you should specify the URL with the
> > & yourself, like this:
> >
> >
> >
> > otherwise it is not valid HTML.
>
> I understand that using '&' is technically not correct HTML.

Actually, I think he might have meant XHTML. I'm not sure though. If your syntax looks like this:

Then your Web browser should interpret the & as an HTML entity and send a GET request (when you click the link) to:

    show_pic.php?pic=blah&caption=Some+Text

Meaning, if show_pic.php receives $_GET["amp;caption"] as someone else mentioned, the browser has failed.

> But I don't see how changing the '&' -> '&' solves my problem.

I think your intuition has served you well. From your initial description, it sounds like your problem is that you write this:

And the browser sends a GET request to:

    show_pic.php?pic=blah&caption=Some+Text

If this is true, this seems like an obvious browser bug to me. I agree with the other suggestions to beef up the debugging information you mail yourself, since I'm assuming you can't reproduce this on your own. Look at all of the $_GET variables, the user agent, and anything else you can think of.

Oh, I assume your past emails have had timestamps. I would recommend looking through your Web server's access logs, and see if you can locate the request that returned an error. See if the URL being requested has the & in it (which it should not).

> I'm missing something here. If you use '&' to separate
> arguments on the query string, how do they get separated out for
> access via $_GET?

Because you are writing the & in the HTML source code. The browser should interpret this as & prior to sending the GET request to the Web server.

Hope that helps.

Chris
Re: [PHP] Re: PHP] can't pass complete URL (part of the query string) from
--- Nicole Lallande <[EMAIL PROTECTED]> wrote:
> this page
>
> where the url is
>
> http://mydomain.com/displayem.php3?cat=5&olimit=0&zid=1&lid=1
>
> results in http://mydomain.com/displayem.php3?cat=5 being passed
> and the '&olimit=0&zid=1&lid=1' gets cut off

Can you visit this page, view source, and show us what the tag looks like after it is processed by PHP?

Chris
Re: [PHP] If statement w/ multiple conditions
--- Ernest E Vogelsinger <[EMAIL PROTECTED]> wrote:
> >> >if ($lineone && $linetwo && $linethree && $linefour = "")
> >>
> >> Your expression yields true if 1-3 are not-empty AND four is an
> >> empty string.
> >
> > Actually, this expression yields true when $lineone, $linetwo, and
> > $linethree are all true. The variable $linefour is just being set
> > to the empty string.
>
> You're so right - I think I need new glasses...
>
> Thanks for setting this straight :)

No problem, except I was wrong, too. :-)

Because $linefour is being set to the empty string, it will evaluate to false, causing the entire statement to always evaluate to false.

Chris
Re: [PHP] Re: PHP] can't pass complete URL (part of the query string) from
--- Nicole Lallande <[EMAIL PROTECTED]> wrote:
> http://embitec.com/fishcart/email.php?ref=http://embitec.com/fishcart/displayem.php3?cat=5&olimit=0&zid=1&lid=1" method="post">

There is your problem right there. Here are the variables you are passing:

    ref=http://embitec.com/fishcart/displayem.php3?cat=5
    olimit=0
    zid=1
    lid=1

The URL you want to set ref to needs to be URL encoded. You can use rawurlencode() to achieve this. You will know you have it right when your HTML form tag looks like this:

    http://embitec.com/fishcart/email.php?ref=http%3A%2F%2Fembitec.com%2Ffishcart%2Fdisplayem.php3%3Fcat%3D5%26olimit%3D0%26zid%3D1%26lid%3D1" method="post">

Hope that helps.

Chris
Re: [PHP] Re: PHP] can't pass complete URL (part of the query string)
--- Nicole Lallande <[EMAIL PROTECTED]> wrote:
> Tried that

I'm thinking you haven't, but I might be wrong. The HTML you showed us previously was of a form tag. The action attribute of that form tag is where your problem lies.

> http://embitec.com/fishcart/email.php?ref=http://embitec.com/fishcart/displayem.php3?cat=5&olimit=0&zid=1&lid=1" method="post">

See? It is still wrong. Remember, you will know when you fix your problem when this form tag looks like this:

    http://embitec.com/fishcart/email.php?ref=http%3A%2F%2Fembitec.com%2Ffishcart%2Fdisplayem.php3%3Fcat%3D5%26olimit%3D0%26zid%3D1%26lid%3D1" method="post">

Yours still does not look like this.

> ">

See, I am guessing that you are doing this on the next page. Meaning, you are URL encoding this:

    http://embitec.com/fishcart/displayem.php3?cat=5

This is what $_GET["ref"] is going to be if you do not correct your form tag like I am describing. Exactly as I would expect.

Focus on fixing your form tag. This other URL encoding you are doing on this hidden form variable is actually unnecessary, because the browser is going to do it again for you.

Hope that clears it up for you.

Chris
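The encoding fix described in this message and the previous one in the thread, as an added example that is not code from the thread. It builds the form action with rawurlencode() and then parses both the original and the corrected URL the way the receiving script would see them; the two URLs are the ones quoted in the thread, while the function names and the htmlspecialchars() step for the attribute context are assumptions.

```php
<?php
// Added example, not code from the thread. The URLs are the ones quoted in
// the messages; the function names are assumptions.

// Build the value for the form's action attribute. rawurlencode() turns the
// ':', '/', '?', '=' and '&' inside $ref into %XX sequences so the whole URL
// stays inside the single 'ref' variable. htmlspecialchars() then makes the
// result safe to place inside a double-quoted HTML attribute.
function form_action(string $script, string $ref): string
{
    $url = $script . '?ref=' . rawurlencode($ref);
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Split a URL's query string into variables the way PHP fills $_GET.
function query_vars(string $url): array
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $vars);
    return $vars;
}

$script = 'http://embitec.com/fishcart/email.php';
$ref    = 'http://embitec.com/fishcart/displayem.php3?cat=5&olimit=0&zid=1&lid=1';

// Unencoded, as in the form tag from the question: the '&' characters end
// the ref value early and the rest become separate variables.
echo "unencoded:\n";
print_r(query_vars($script . '?ref=' . $ref));

// Encoded: one variable, and PHP decodes it back to the full URL.
$action = form_action($script, $ref);
echo "action attribute: $action\n";
echo "encoded:\n";
print_r(query_vars(html_entity_decode($action, ENT_QUOTES, 'UTF-8')));
```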
RE: [PHP] Re: & in Query String
--- "Jonathan Rosenberg" <[EMAIL PROTECTED]> wrote:
> I tried it & it fails. The browser sends the query
> string with the & & the $_GET access fails.
>
> I am using IE 6. I can't imagine that it would be
> buggy in this regard.

I just tried this in IE 6, and it worked fine for me. My test code follows:

    "; print_r($_GET); echo ""; } else { ?> Click Here

This should display:

    Array ( [foo] => bar [blah] => blah )

Does it not work for you?

Chris
Re: [PHP] How do i provide Download facility ??
--- Venkatesh Hosur <[EMAIL PROTECTED]> wrote:
> I was just looking around for information on Download
> of files using PHP. I need to provide link/button, by
> clicking which a user can download a file (Say a CSV
> file..)

The best solution, in my opinion, is just to use a straightforward HTML link:

    http://yourserver.org/foo.csv">Download foo.csv

The only caveat to this is that you must make the file available as a URL, meaning it must be stored under document root.

If you instead want to have a PHP application decide whether the user is allowed to download the file as a way to restrict access to it, that's a different question. :-)

Chris
Re: [PHP] Cold Fusion conversion issues: app vars and cached queries
--- Steve W <[EMAIL PROTECTED]> wrote:
> My company is looking to move our site away from Cold
> Fusion due to the cost. We had talked about JSP, but I
> would highly prefer PHP. After evaluation, with the
> generic database functions now supporting Oracle in CVS,
> I think this might be a possibility. However, there are
> 2 concerns I have in converting from Cold Fusion.
>
> 1) Application variables
> 2) Cached queries

I can possibly field the first one. ColdFusion has server, application, session, and client scopes, right? Each have their own unique characteristics about them. However, if you speak with the top Macromedia engineers, you will see that client variables are preferred in most cases for high-traffic applications. Server, application, and session variables must be locked with cflock to solve synchronization problems, and cflock under load can present some noticeable bottlenecks.

CF's client variables are basically identical to PHP session variables. Rather than having a variable scope such as client.foo, PHP has an array $_SESSION["foo"]. PHP, by default, stores session variables on the local filesystem, so you will want to alter this behavior if you are developing for a clustered environment (which I assume you will be). You have much more flexibility in PHP to alter its default session management mechanism than you have flexibility in the cfapplication tag, but it is not nearly as quick and convenient to do so (especially for using a data store for session storage). However, once you do this once, you will find that programming for the PHP environment is no more difficult than for ColdFusion, and you will probably learn to appreciate the flexibility.

I am not aware of an equivalent feature to ColdFusion's cached queries, but perhaps someone else can speak up on that one.

> I've seen some solutions to both problems, but mainly I
> want the solution to meet one and ideally both of the
> following qualifications. First, I don't want to have to
> use an add in module. I'd like to only use core PHP
> functions and modules that are part of the full PHP
> distribution and not SRM or other add-on modules.

If you use PHP's built-in session management, you will have no problems with this. Your code will include any logic you add to alter the default behavior, such as in the case of using a central data store for session variables. If you write your own utility, which is pretty trivial, you will also not run into any trouble. I honestly do not care for either PHP or ColdFusion's built-in session management, so I prefer the flexibility PHP gives me to alter its. When developing ColdFusion applications for high-profile sites, I often implement my own mechanism.

> These issues above as well as things like not being able
> to centrally configure a database connection by using an
> alias for the name are areas PHP lacks in comparison to
> Cold Fusion.

ColdFusion definitely makes managing database connections easier. PHP has no equivalent to the cfadministrator, so many things like this are easier with CF. However, I think you will find that PHP has a slight edge in performance in this regard, even when using native drivers (which you should, of course) in CF. I cannot rightly comment on PHP's Oracle support, however, as I have never used it.

> Our CF application gets installed at client sites. Using
> PHP, it would require a code change in a db connect file
> to change the DB connection information where it really
> should be configurable in a central PHP conf file.

There are differences, no doubt. I understand your point; you let your clients configure their database connection with cfadministrator and assign it a name that your code uses in its cfquery tags. This makes code quite portable. With PHP, it is not too much more trouble to ask them to assign it a username, password, and name (of the database). Otherwise, you can do like many people do and allow your clients to configure and/or install your application according to their own environment. Meaning, you don't write cfadministrator in PHP, but you do let them change database access credentials and any other basic configuration by using your application.

> Even with this being said, I'd like to use PHP for our
> application if the 2 issues above can be resolved.

I wouldn't look to people being excited about trying to match features with ColdFusion. PHP and CF are simply different. In a survey done a year or two ago (around the time CF 5 came out, I believe), PHP was rated as the most flexible and efficient, and CF was rated as the easiest for beginners and therefore generally more productive. Most PHP developers would prefer to be free from all of the bloat that would be necessary to make it as easy to administer as CF.

Also, remember that a big difference stems from the fact that CF is a separate process. PHP (when used as an Apache module, for example) is nothing in and of itself. You really just have a more intelligent Web serve
Re: [PHP] Post Variables
--- Brad Bonkoski <[EMAIL PROTECTED]> wrote:
> for ($i=0; $i<=12; $i++)
> {
> echo "";
> echo "";
> }

You only want one tag.

Chris
Re: [PHP] socket timeout
--- Gareth Thomas <[EMAIL PROTECTED]> wrote:
> I am attempting to timeout a socket_read() that is part
> of a handshaking process using socket_set_timeout().
> Problem is it doesn't seem to work at all. If I switch off
> the handshaking write on the server side the read just
> sits there and doesn't time out at all. I have tried
> socket_set_timeout($socket,1) which I believe is 1 second
> and it never times out...

My bet is that you are only setting the timeout but not ever checking to see whether the socket has timed out. If you want to only read from the socket until it times out, you need to add that to your logic.

Try something like this:

socket_set_timeout($fp, $timeout_seconds);
$response = "";

# Get socket status
$socket_status = socket_get_status($fp);

# Read response up to 128 bytes at a time until EOF or socket times out
while (!feof($fp) && !$socket_status["timed_out"]) {
    $response .= fgets($fp, 128);
    # Refresh the status so a timeout during the last read ends the loop
    $socket_status = socket_get_status($fp);
}

Chris
Re: [PHP] Unsubscribing
--- "Van Andel, Robert" <[EMAIL PROTECTED]> wrote:
> Anyone know how to unsubscribe from this list. I have
> tried several different things including the unsubscribe
> field on the mailing list page and an unsubscribe command
> via email.

The unsubscribe page (http://www.php.net/unsub.php) should work. Are you sure you are trying to unsubscribe the correct email address?

Chris
Re: [PHP] mail() problems...
--- Anthony Ritter <[EMAIL PROTECTED]> wrote:
> "If you're using PHP4 on Windows, look for the following
> lines in your php.ini file:
>
> [mail function]
> SMTP =; for Win32 only
> sendmail_from = ;for Win32 only
>
> You'll need to modify the last two lines so that the mail
> function works properly.
>
> 1. For the SMTP entry, use 'localhost" or the name of the
> outgoing mailserver you use in your e-mail client.
>
> 2. For the sendmail_from entry, enter your e-mail
> address.
>
> For example in my php.ini file on Windows contains this:
>
> [mail function]
> SMTP =localhost
> sendmail_from = [EMAIL PROTECTED]
>
> So that's what I did -using localhost - and I get:
>
> "failed to connect".

Right. Unlike Linux, I doubt Windows has a mail server running locally without you having to buy and/or install some extra software. I have very little experience with Windows, but this is most likely your problem.

Take the author's advice and use whatever mail server your mail client is using. It is probably a remote server of some sort.

Chris
Re: [PHP] redirect URL
--- Carlos Alberto Pinto Hurtado <[EMAIL PROTECTED]> wrote:
> I don't can redirect my page to new url

Try this:

<?php
header("Location: http://www.google.com/");
exit;
?>

Chris
Re: [PHP] html output from system() command
--- Clay Stuckey <[EMAIL PROTECTED]> wrote:
> When I execute:
> system('who');
>
> I get the output to the screen but it is all concatenated
> together like this:
> root pts/0 Dec 6 15:31 (34-218-228-130.arpa.kmail.net)
> sneakytrick pts/1 Dec 6 10:22
> (34-218-228-130.arpa.kmail.net)
>
> How can I make it look like:
> root pts/0 Dec 6 15:31 (34-218-228-130.arpa.kmail.net)
> sneakytrick pts/1 Dec 6 10:22
> (34-218-228-130.arpa.kmail.net)

Try surrounding it with tags.

Chris
Re: [PHP] Cookie handling, NS 4.x?
--- Chad Day <[EMAIL PROTECTED]> wrote:
> I am having a fairly confusing problem with setcookie()
> in NS 4.x.
>
> My script:
>
> nscookie.php:
>
> setcookie("NSUSERNAME", 'cday', time()+2592000, '/',
> ".mydomain.com");
> Header("Location: nscookie2.php");
> exit();
>
> nscookie2.php:
>
> echo $_COOKIE[NSUSERNAME];
>
> In IE (all versions I have tested), this works fine.
>
> In NS 7, this works fine.
>
> In NS 4.7 and 4.8 .. nothing is returned. No cookie is
> set in the
> cookies.txt file at all.
>
> Can anyone tell me why?

I believe this has something to do with the fact that the HTTP response status code is no longer a 200 when you send a Location header, as PHP will automatically change it to a 302 for you. Thus, in some browsers, the result is that the browser will submit a GET request for the URL identified in the Location header, but it will ignore the HTTP headers sent in the 302 response.

To see if this is in fact the trouble with Netscape 4.x, try using a meta tag redirect instead. Even though the W3C dislikes this use of http-equiv, it is very consistently supported, and I know many Web sites that use it (SourceForge, for example).

Good luck.

Chris
RE: [PHP] Cookie handling, NS 4.x?
--- Chad Day <[EMAIL PROTECTED]> wrote:
> I'm not sure how this would matter since the cookie is
> never set at all.. it's not an issue of it reading the
> cookie, as it can't read what is never set. I'll give
> it a shot when I get home though anyway.

Read my response again, and you'll see that what you are saying here does not conflict. The cookie is indeed not getting set, and that is likely because the browser does not take action on the Set-Cookie header when it is contained within a 302 response. If you use a meta redirect rather than a header("Location: ...") call, the response status will be 200 instead of 302, so the browser might accept the cookie.

Chris
Re: [PHP] how to send an MSWORD email?
--- See Kok Boon <[EMAIL PROTECTED]> wrote:
> I want to send emails that have graphics, for example
> the pub logo. I know that there are 2 ways to do so
> (maybe there are more, pls enlighten me):
>
> 1. use html email with
>http://www.mydomain.com/logo.gif";>
>
> 2. use MSWORD to insert the logo into the email.
>MSWORD will then send the logo.gif as an
>attachment and will ALSO use tags.

I doubt anyone on this list is going to know what your second method is, though I would guess that MS Word does nothing special and does the same thing you mention in your first method, except that it attaches the image to the email rather than reference it via URL.

You can probably search the archives for more information on sending HTML email as well as sending attachments, which is all you are trying to do. I detest such email myself, so I cannot offer any help.

Chris
Re: [PHP] Getting full HTTP request the page was requested with?
--- Leif K-Brooks <[EMAIL PROTECTED]> wrote:
> Thanks, but I'm trying to see what the client sent to
> get my page, not what a host returns when I send it
> a request...

:-) I think he misunderstood your question or something.

There are a few different ways to do what you want to do. First, if you dig through the output of phpinfo(), you can usually determine what the exact request was, though it is not going to be obvious unless you know what you are looking for. In the case of a POST request, you will need to have always_populate_raw_post_data turned on in your php.ini to see the POST data.

Another method is to use a utility such as tcpdump on your Web server. This works very well except when you need to capture a specific HTTP request on a busy site.

The method I choose is to use software specifically created for this purpose. Most software to do this functions as an HTTP proxy, so that you configure your browser to use it for a proxy, and it reveals the HTTP requests and responses that pass through. I wrote a basic one of these that embeds the HTTP transaction into the page itself, so that you do not need to reference a log and can just scroll to the bottom of each page to see both the request and response. It is written in PHP (as a CLI application), and you are welcome to take a look and see if it would be useful to you - http://protoscope.org/.

Chris
Re: [PHP] Print text and image in the same page.
--- "Naif M. Al-Otaibi" <[EMAIL PROTECTED]> wrote:
> I try to print some information (text and image) that I
> retrieve from an oracle DB, but I got the image printed
> as binary junk. When I put the line that print the image
> in a html image tag, I got a red square with "X" inside.
> What can I do to solve this problem?

This is really just an HTML question. The <img> tag has an attribute called src that should be given a URL as a value. The URL should be an image. For example:

<img src="http://www.php.net/gifs/php_snow.gif">

On the other hand, if you want to dump the raw image to the browser and expect it to render it properly, you must tell it that you are sending an image. For example:

header("Content-Type: image/gif");

Chris
Re: [PHP] Simple text editor for Windows?
I would recommend UltraEdit:

http://www.ultraedit.com/

Chris
Re: [PHP] Can php auto execute it's script in schedule without opening a webpage?
--- Jack <[EMAIL PROTECTED]> wrote:
> i want to set a schedule for php to run certain
> script at specify time, to what i understood in
> php is : the script can only be process when a
> homepage had been execute. but i want the script
> to be execute even no one open a homepage contain
> php script in it!
>
> is there anyway i can do that?

Sure, though it varies depending on your platform. Assuming you are on Unix, it is likely that you already have a CLI (command line interface) PHP installed somewhere. You can use this to create a PHP script that can be executed like any other shell script. Just put something like this at the top:

#! /usr/bin/php -q

Be sure it points to the location of your PHP parser (/usr/bin/php in this example).

To automate scripts, look into cron:

man cron
man crontab

Good luck.

Chris
Re: [PHP] $HTTP_POST_VARS problem
--- "Lee P. Reilly" <[EMAIL PROTECTED]> wrote:
> The following statements have the following return
> values:
>
> echo $HTTP_POST_VARS['userfile'];
> => C:\\Documents and Settings\\Administrator\\Desktop\\IR
> Files\\gmp1.ir
>
> echo $userfile;
> => C:\\Documents and Settings\\Administrator\\Desktop\\IR
> Files\\gmp1.ir
>
> echo $HTTP_POST_VARS['userfile']['name'];
> => NOTHING RETURNED
>
> echo $HTTP_POST_VARS['userfile']['size'];
> => NOTHING RETURNED
>
> echo $userfile_size;
> => NOTHING RETURNED
>
> echo $userfile_name;
> => NOTHING RETURNED
>
> Does anyone know what the problem is?

What do you think the problem is? I don't see anything unexpected, unless I'm missing something.

Chris
Re: [PHP] newbie having problem with SID
--- Anders Thoresson <[EMAIL PROTECTED]> wrote:
> There are obviously differences in how things are
> handled now and how they were handled then.

Yes, but I don't think there are as many differences as you think.

> Can someone point me to a good session tutorial
> based on the session array rather than the pre-PHP
> 4.2 (I think that's the version when this was
> changed)?

I would recommend the online manual for date-sensitive information:

http://www.php.net/manual/en/ref.session.php

Chris
Re: [PHP] stop script on browser closing
--- rolf vreijdenberger <[EMAIL PROTECTED]> wrote:
> If I close the browser window before the execution
> of the script, a lot of emails do not arrive. is
> there a way to prevent this?

Try this at the top of your script:

ignore_user_abort(true);

Chris
Re: [PHP] Stumped!
--- [EMAIL PROTECTED] wrote:
> I keep getting a parser error and I can't figure
> it out. Here is the code and any help is greatly
> appreciated.
>
> $sql = "SELECT * FROM requests";
>
> while ($result = mysql_fetch_array($query))

While this is not related to your parse error, it is a major logic flaw, as mysql_fetch_array() takes a result set as an argument, not an SQL statement.

> echo ("$meetingName");

This is your parse error. Get rid of the parentheses.

The parse error should tell you on exactly which line you had an error, so read those error messages carefully next time.

Good luck.

Chris
Re: [PHP] Stumped!
--- Chris Shiflett <[EMAIL PROTECTED]> wrote:
> --- [EMAIL PROTECTED] wrote:
> > I keep getting a parser error and I can't figure
> > it out. Here is the code and any help is greatly
> > appreciated.
> >
> > $sql = "SELECT * FROM requests";
> >
> > while ($result = mysql_fetch_array($query))
>
> While this is not related to your parse error, it is a
> major logic flaw, as mysql_fetch_array() takes a result
> set
> as an argument, not an SQL statement.
>
> > echo (" href=\"edit.php?id='$id'\">$meetingName");
>
> This is your parse error. Get rid of the parentheses.

Actually, the parse error is that you never close the while loop. Still, the error message would point you in the right direction.

Chris
Re: [PHP] Socket_connect() timeout
--- Max Clark <[EMAIL PROTECTED]> wrote:
> Warning: socket_connect() unable to connect [60]:
> Operation timed out in
> /usr/home/maxc/public_html/admin/functions.inc on line 66
>
> Is there any way to time out this function? I only want
> to wait 5 seconds.

Now that you mention it, I am not aware of any way to override that timeout setting. The socket extension is still experimental, I believe, with hopes of changing its status soon. Perhaps this is something someone is working on.

As a possible way around this, could you possibly solve your problem by opening a socket as a virtual file pointer instead? For example, this would only wait 5 seconds for a connection:

$fp = fsockopen($host, $port, $err_num, $err_message, 5);

You can treat $fp like any other file pointer, so it is actually a pretty convenient way to read/write to sockets.

Hope that helps.

Chris
Re: [PHP] Hi!!
--- Tomas Lopez <[EMAIL PROTECTED]> wrote:
> can someone tell me where can i enroll in a
> good project or someone to help..

I would recommend finding an open source project to contribute to. You can find many projects that are currently seeking help here:

http://sourceforge.net/people/

Chris
Re: [PHP] prevent session_replay
Scott,

I think it is safe to say that there is no "official" way to prevent session hijacking like this, nor is there any way to provide absolute assurance that it cannot be done. There are several methods, however, that can make a hijack much more difficult to accomplish without adversely affecting your legitimate users.

To get you going (since you are the best person to decide what extra measures to take), consider that you could store the user agent in a session variable. If you check that variable on each page (many people include a common module such as security.inc or session.inc at the top of each script or use a parent script), it will at least prevent your test of using a different browser. Of course, an attacker can still hijack the session by passing the same user agent (either by using the same browser or manually sending the HTTP request), but the difficulty is a bit more.

Your method of testing is actually a good one. The IP address is a terrible metric for identification, so using the same IP will prevent you from trying to use that to distinguish good guy from bad guy. Just use your creativity, and you will probably be fine. The goal is to make things hard for the bad guys and easy for the good guys.

Good luck.

Chris

--- "scott" <[EMAIL PROTECTED]> wrote:
> as the SID is being passed in the url, I am able to
> copy the http://url?SID from the browser window if I
> close the browser (which from reading the docs on
> sessions should end the session) and then re-open
> another browser (admittedly on the same machine/ip
> address) and post the http://url?SID back in, I get
> the page, and the $SESSION[vars] are still there !!
> :o( is there a official/approved method to prevent
> this from being done ?
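The user-agent check described in the reply above, as an added example that is not part of the original post. The function names and the 'agent_hash' session key are assumptions made for this sketch, and the browser strings in the demonstration are constructed.

```php
<?php
declare(strict_types=1);

// Added example (not from the original post). check_session_agent(),
// guard_session() and the 'agent_hash' key are hypothetical names.

/**
 * Bind a session to the User-Agent that created it.
 * Returns true when the request may keep using the session.
 */
function check_session_agent(array &$session, string $userAgent): bool
{
    $seen = hash('sha256', $userAgent);

    if (!isset($session['agent_hash'])) {
        // First request in this session: remember the browser's fingerprint.
        $session['agent_hash'] = $seen;
        return true;
    }

    // Constant-time comparison of the stored and presented fingerprints.
    return hash_equals($session['agent_hash'], $seen);
}

/**
 * What a common include (the post's security.inc / session.inc) would run
 * at the top of every page.
 */
function guard_session(): void
{
    session_start();
    $agent = $_SERVER['HTTP_USER_AGENT'] ?? '';
    if (!check_session_agent($_SESSION, $agent)) {
        // Mismatch: drop the server-side data and refuse the request.
        $_SESSION = [];
        session_destroy();
        http_response_code(403);
        exit('Session rejected');
    }
}

// Offline demonstration with constructed requests (run with the PHP CLI).
if (PHP_SAPI === 'cli') {
    $session = [];   // stands in for $_SESSION
    $requests = [
        ['first request, browser A',         'Mozilla/5.0 (constructed browser A)'],
        ['same browser, next page',          'Mozilla/5.0 (constructed browser A)'],
        ['copied URL, different browser',    'Mozilla/4.0 (constructed browser B)'],
        ['copied URL, same User-Agent sent', 'Mozilla/5.0 (constructed browser A)'],
    ];
    foreach ($requests as [$label, $agent]) {
        $ok = check_session_agent($session, $agent);
        printf("%-34s %s\n", $label, $ok ? 'accepted' : 'rejected');
    }
}
```

The last constructed request is accepted, which is the limit the reply itself points out: the check stops a copied URL in a different browser, not a client that sends the same User-Agent.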
Re: [PHP] phpinfo() and HTTP_RAW_POST_DATA
That data is only populated when always_populate_raw_post_data is on (check your php.ini).

Chris

--- Kristopher Yates <[EMAIL PROTECTED]> wrote:
> I was just curious, is there a reason $HTTP_RAW_POST_DATA
> isn't included in the phpinfo() function? I would
> imagine one could see all globals via phpinfo().. Is
> $HTTP_RAW_POST_DATA global or is it only global if
> globals are registered (php.ini setting)? From what I
> can tell, this var is not global, regardless of the
> registered_globals setting in php.ini.
Re: [PHP] Multidimensional Array manipluation...
--- Dhaval Desai <[EMAIL PROTECTED]> wrote:
> $test[0] = "hey";
> $test[1] = "hi";
> $test[2] = "hello";
>
> Now I want to hold various values in $test[0]["hey"] =
> "1" and $test[1]["hi"] = "2" and $test[2]["hello"] = "3"

Try this instead:

$test["0"]["hey"] = 1;
$test["1"]["hi"] = 2;
$test["2"]["hello"] = 3;

Also, remember that you can often learn these types of things with trial and error by using the print_r() function:

print_r($test);

Chris
Re: [PHP] Multidimensional Array manipluation...
> >$test["0"]["hey"] = 1;
> >$test["1"]["hi"] = 2;
> >$test["2"]["hello"] = 3;
>
> I want to update $test["0"]["hey"] and set it as 1+1;

If you just want to increment the value:

$test["0"]["hey"]++;

> Also is there any idea on how can we count() the values
> in a multi dimensional arrays...

The function array_count_values() might give you what you want. What are you wanting to count exactly?

A good reference for you online is:

http://www.php.net/manual/en/ref.array.php

Chris
Re: [PHP] Some questions regarding pfsocketopen()
--- Gareth Hastings <[EMAIL PROTECTED]> wrote:
> Could anyone tell me, is it possible to connect to
> a persistent socket after it has been opened by a
> different script?

Sure. Think of it like a persistent database connection in Oracle, where the listener is on socket 1521 for everyone. The persistent part saves you from the 3-way handshake when you use the same socket on subsequent page requests.

The only caveat is that you can only do one thing at a time, but this is typically handled for you at a lower level in the form of a queue. If I remember correctly, you can specify the size of the queue in your function call(s).

Chris
Re: [PHP] phpinfo() and HTTP_RAW_POST_DATA
--- Kristopher Yates <[EMAIL PROTECTED]> wrote:
> I made your suggested change to php.ini and I show local
> value 1 and master value 1. Does it mean raw data
> populates the variable $HTTP_RAW_POST_DATA when this is
> == 1 or does it mean that raw data is visible within
> phpinfo() when value ==1 in php.ini file?

Sorry, it just populates that variable (to my knowledge). I do not think it is ever included in phpinfo() anywhere, though that would be nice to have when it is on.

Chris
Re: [PHP] Baffling output
--- Lightfirst <[EMAIL PROTECTED]> wrote:
> Can someone explain to me why the loop that counts to 99
> appears before the 5 by 5 grid in the following php code?

There is a good chance that the problem is that your HTML table is screwed up. Make sure you close your row and table; it wasn't in the code you provided. If that doesn't fix it, check to ensure that you have the correct number of cells per row.

Chris
Re: [PHP] Baffling output
--- Steve Keller <[EMAIL PROTECTED]> wrote:
> Here's a good tip someone gave me when I first started
> learning PHP: when you're dealing with HTML, it's a good
> idea to use \n at the end of your echoed lines and \t's
> at the beginnings to create staggered indentations,
> this makes it a little easier to read when you're
> testing the output.

Proper HTML formatting is a great suggestion. Many novices write broken tables, simply because their markup is too sloppy for them to notice their errors.

Aside from using \n and \t in your echo statements, consider that you can also switch in/out of PHP mode as appropriate. In many cases, there is very little (or no) dynamic data in your output, so it may be better just to write it in HTML. For example, consider this in lieu of your code snippet:

else { ?> Hello "; echo ""; echo "Hello" ; $i++; } //for else

Not only is this much easier to read, it also would have helped you notice the missing tag that Steve pointed out for you.

Chris
Re: [PHP] emulate Post with redirect
--- Bobby Patel <[EMAIL PROTECTED]> wrote:
> I was trying to do it without cURL, since it's not on our
> server.

You can do it manually. There is probably a lot of good information on this topic if you search through the archives on automating a post. To give you a quick idea, you can check out this example:

http://shiflett.org/tutorials/php_post.txt

Chris
Re: [PHP] frustrating problem
--- "Matthew K. Gold" <[EMAIL PROTECTED]> wrote:
> SELECT FooLName, FooPhone, FooEmail
> FROM foo, foocontact
> WHERE foocontact.FooID=$FooID and foo.FooID=$FooID;

You might try this instead:

select foolname, foophone, fooemail
from foo, foocontact
where foo.fooid='$fooid'
and foo.fooid=foocontact.fooid

Also, are you certain that $fooid is set? You might have to use $_GET["fooid"] if register_globals is not on.

Chris
Re: [PHP] Force file download with header
--- Altug Sahin <[EMAIL PROTECTED]> wrote:
> $file = $_POST[fileID];
> $files_folder = "C:\\temp\\";
> $dlfile = $files_folder.$file;
>
> header("Content-type: application/pdf");
> readfile("$dlfile");
> ?>
>
> I get this...
> "Warning: readfile("C:\temp\test.pdf") - No such file or
> directory in c:\inetpub\wwwroot\dlQ_safe.php on line 10"
>
> The test.pdf file is of course there...

My guess is that the test.pdf file is of course not there. You can try to use file_exists() if you do not trust the warning message, but I see no reason not to trust it.

> What do I need to add to this script so that whatever a
> pdf filename is submitted, acrobat will open this file
> in the user's browser?

This is a different question, but search for examples on using the Content-Disposition header. I believe there is a directive called "inline" that you can give it to try to force a browser to display the content inline rather than prompt for a download.

Chris
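The script quoted in this thread joins the posted fileID straight onto the folder path, so the client decides which file readfile() opens. As an added example, not code from the thread: one way to confine the lookup to the download folder and send the PDF with Content-Disposition: inline. The function names and the demonstration files are assumptions, and the inputs are constructed.

```php
<?php
declare(strict_types=1);

// Added example (not from the original thread). resolve_download(),
// send_pdf_inline() and the sample file names are hypothetical.

/**
 * Map a client-supplied file name to a real file inside $baseDir,
 * or return null if the name is malformed, missing, or escapes the folder.
 */
function resolve_download(string $baseDir, string $requested): ?string
{
    // Accept only a bare PDF file name: no slashes, backslashes or "..".
    if (!preg_match('/\A[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*\.pdf\z/i', $requested)) {
        return null;
    }

    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;    // folder or file does not exist
    }

    // After symlinks are resolved the file must still sit inside $baseDir.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

/** Send an already validated file so the browser displays it inline. */
function send_pdf_inline(string $path, string $name): void
{
    header('Content-Type: application/pdf');
    header('Content-Disposition: inline; filename="' . $name . '"');
    header('Content-Length: ' . (string) filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

// In the download script itself (web SAPI) the calls would look like:
//   $name = $_POST['fileID'] ?? '';
//   $path = is_string($name) ? resolve_download('C:\\temp', $name) : null;
//   if ($path === null) { http_response_code(404); exit; }
//   send_pdf_inline($path, $name);

// Offline demonstration with constructed files and inputs (PHP CLI).
if (PHP_SAPI === 'cli') {
    $root  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_demo_' . bin2hex(random_bytes(4));
    $files = $root . DIRECTORY_SEPARATOR . 'files';
    mkdir($files, 0700, true);
    file_put_contents($files . DIRECTORY_SEPARATOR . 'test.pdf', "%PDF-1.4 constructed\n");
    file_put_contents($root . DIRECTORY_SEPARATOR . 'secret.pdf', "outside the folder\n");

    $inputs = ['test.pdf', 'missing.pdf', '../secret.pdf', '..\\secret.pdf', 'notes.txt'];
    foreach ($inputs as $name) {
        $path = resolve_download($files, $name);
        printf("%-16s => %s\n", $name, $path === null ? 'refused' : 'served');
    }

    // Clean up the constructed files.
    unlink($files . DIRECTORY_SEPARATOR . 'test.pdf');
    unlink($root . DIRECTORY_SEPARATOR . 'secret.pdf');
    rmdir($files);
    rmdir($root);
}
```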
Re: [PHP] Can you insert into $_POST manually?
--- Noel Wade <[EMAIL PROTECTED]> wrote:
> Thanks - I understand that method; but I'm really
> looking for a way to pass them without them being
> visible / mucking up the URL line with a buncha
> stuff...

Noel,

To answer your original question, no, you cannot force the remote Web client to submit a POST. If you think about it, this is a good thing. You can, as another person pointed out, manually perform a POST from a PHP script, so that the user can GET your PHP script, initiating a POST. However, the POST request is sent from your Web server, not the Web client.

There are ways to "hide" URL variables without resorting to POST. As an example, some people use frames (not my preference). Of course, those who use frames to maintain a simple and clean URL do not (or rather, should not) rely on this for any sort of security. The real URL can be easily discovered.

Another idea would be to create a portal of sorts, where you have a PHP script that fetches a verbose URL for you. For example, you could have a PHP script located at http://example.org/search.php that contains the following:

http://www.google.com/";> http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&safe=off&q=PHP&btnG=Google+Search";); ?>

Thus, a user who visits http://example.org/search.php would see the results of a Google search for PHP (Note: This is just a hypothetical example, and I am not sure whether this would violate Google's terms of use).

For this method to be useful to you, you must know the URL variables in advance, so you might need something more dynamic. Some people will redirect the user after setting some session variables, so that the "final destination" URL is very plain, but the Web client can still use GET to send the data.

Hopefully this will give you some ideas, so that you can find a method that works for you.

Chris
Re: [PHP] "document contained no data"
--- Justin French <[EMAIL PROTECTED]> wrote:
> In NN7 Mac, the error is "the page contained no data".
> In IE5.x Mac, the error is along the lines of "host
> not found" or "could not access URL ...".

This is a bit off-topic, but I would suggest ignoring any error messages from IE. It will generally "hide" the real error and show you some generic page instead. This can be very misleading. Go with Netscape's assessment of the problem.

> I guess what I'm hoping for is some wild stabs in the
> dark as to what the problem might be, and where I
> might start looking.

There are a few different ways you can get a "document contained no data" message:

1. You have an endless loop somewhere in your code, so that under certain circumstances, the script never completes.
2. You have an endless loop in the form of protocol-level redirects (using header()), so that the Web client continues to make HTTP requests without ever receiving a 200 response.
3. The network connection is terminated. This can occur when the server crashes, among other things.

I can think of no other ways to receive this error (please, someone chime in if I have left one out). So, you can try to rule out possibilities one by one.

Endless loops in your code might be difficult to identify if the logical path through your code required to generate it is rare. Sometimes looking through your code with this in mind is the best way to find the problem.

Endless amounts of protocol-level redirects can be detected pretty easily. If you can reproduce it in any way, tcpdump or some other debugging tool can reveal the HTTP transactions. Short of this, many requests within a very small window of time from the same IP is a good indicator as well.

If the Web server crashes under certain circumstances to cause this error, this can be the most difficult to track down. Your best bet is to be able to at least reproduce the steps necessary to crash the server. If you believe it might be only demonstrable under load, you will want to test the application under heavy load to see if you can reproduce the error.

> - (occasionally) makes use of header() redirects

I would recommend looking at these first. Make sure there is no way for the client to enter into an endless loop of redirects.

Anyway, I hope that helps. Sometimes just knowing some common cases that result in the same error can help you identify the problem.

Good luck.

Chris
Re: [PHP] forms
--- cj <[EMAIL PROTECTED]> wrote:
> Is it possible to have two buttons and have different
> actions for each button in the same form?

No, because the action belongs to the form, not the submit buttons (which is why action is an attribute of form). However, you can use different names and values for the submit buttons, so that you can tell which was pressed on your receiving page. This way you can act accordingly, which is probably what you wanted to know.

Hope that helps.

Chris
RE: [PHP] forms
--- cj <[EMAIL PROTECTED]> wrote:
> The page that processes the form will have to work out
> which button got pressed?

Exactly. For starters, use this bit of HTML/PHP code to help you see what the browser sends you when the form is submitted (add this to the receiving page):

Alternatively, you can choose to output $_GET or $_POST (instead of $_REQUEST) depending on which method you choose for your form. This will show you how to identify which button was pressed.

Good luck.

Chris
Re: [PHP] HTTP_ACCEPT - Reliabilty?
--- Danny Shepherd <[EMAIL PROTECTED]> wrote:
> No, I wouldn't rely on it at all, I couldn't find a
> browser that *does* have that mime-type in its
> header!

Danny is right. The reason you cannot depend on the Accept header is that most browsers will include */* as an acceptable type (which basically means the browser will accept any type/subtype) and assign it the lowest quality factor.

I cannot imagine a Web browser that will prefer Flash (assigning it anything but the lowest quality factor); maybe some Web developers should consider that when designing user interfaces. :-)

Chris
Re: [PHP] Cookie, header, output problems
--- "J. Alden Gillespy" <[EMAIL PROTECTED]> wrote:
> I'm creating an e-commerce website, and I just need
> clarification as to whether a MySQL query is
> considered as "browser output".

It is not. However, a MySQL error is indeed output. Make sure your query is successful.

My suggestion would be to simplify your code. Test your queries independently of setting cookies and redirecting. You have too many potential cases for error as it is, and that makes things difficult.

> mysql_query("select * from `$cart->user_table` where
> username=\"$username\" and userpass=\"$userpass\"",
> $cart->dblink)

I'm not sure if it is just formatting or my eyes, but it looks like you have backticks in your query. Also, you should consider using single quotes around your values rather than escaped double quotes.

> setcookie("jackloren_user", "$username:$userpass", time()
> + 2592000);
> header("Location: http://www.jackloren.com/");

You should test this combination separately. Depending on several factors, your cookie may not be getting set due to the Location header redirect. The combination works fine with most modern Web agents, but it has been known to pose problems for developers.

Chris
Re: [PHP] htmlspecialchars
--- Foong <[EMAIL PROTECTED]> wrote: > I wonder which is the better way to store data into > database? > 1. store the data after we call htmlspecialchars with the > data (means we store " as &quot; in database) > 2. store the data in non encoded form and call > htmlspecialchars whenever we want to display it. Option 2. Please do not cross-post questions like this to the developer's list. This list ([EMAIL PROTECTED]) is the appropriate place for these types of questions. Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Why is my URL encoding itself?
--- Don <[EMAIL PROTECTED]> wrote: > In my PHP page, the FORM line reads as: > echo ' action="..\phpscript\general\formmail.php">' . "\n"; > > When I try in I.E., it works fine. > > When I try in Netscape 7, I get a page not found error. This is something I refer to as Windowsitis. URLs use slashes, not backslashes: action="../phpscript/general/formmail.php" Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Next and Previous
--- Miguel Brás <[EMAIL PROTECTED]> wrote: > suppose, the page you're seeing is > http://www.x.com/news.php?ID=501 how to add > a link for the page to show the ID=502 and the > ID=500 Next Previous Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Question about $_GET
--- Frank Keessen <[EMAIL PROTECTED]> wrote: > So the code looks like this: > > $query = "SELECT Newsheadline, News, Contact FROM news > WHERE Newsid = $_GET['id']"; > > But all i'm getting in my browser is: > > parse error, expecting `T_STRING' or `T_VARIABLE' or > `T_NUM_STRING' I could not tell if your question had been adequately answered, but there is an easy way to deal with these types of things without worrying yourself with syntax. Just use concatenation (.) as follows: $query = "select newsheadline, news, contact from news where newsid = '" . $_GET['id'] . "'"; This builds $query using three separate strings. The first and third strings are double quoted, and the middle string is your variable. Note another difference is that the value of $_GET['id'] is going to be surrounded by single quotes once $query is constructed. Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
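An added example (not part of the thread): the query from this message written with a bound parameter, so the value of `$_GET['id']` is validated first and is never spliced into the SQL text. PDO, the in-memory SQLite database (assumes the pdo_sqlite extension) and the sample rows are assumptions made so the script runs offline; the thread itself uses the `mysql_*` functions.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// query in the post; the rows are constructed sample data.

function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE news (
        Newsid INTEGER PRIMARY KEY,
        Newsheadline TEXT,
        News TEXT,
        Contact TEXT
    )');
    $insert = $db->prepare('INSERT INTO news VALUES (?, ?, ?, ?)');
    $insert->execute([1, 'First headline', 'Body one', 'a@example.org']);
    $insert->execute([2, 'Second headline', 'Body two', 'b@example.org']);
    return $db;
}

/**
 * Look up one news row by the id taken from the query string.
 * Returns the row, or null when the id is malformed, missing or unknown.
 */
function fetch_news(PDO $db, $rawId): ?array
{
    // Newsid is an integer key, so accept only a positive integer.
    // Arrays (?id[]=2), null and strings with trailing text all fail here.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // The statement text is fixed; the value travels separately as a typed
    // parameter, so quoting rules never come into play.
    $stmt = $db->prepare(
        'SELECT Newsheadline, News, Contact FROM news WHERE Newsid = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed stand-ins for $_GET on five different requests.
$requests = [
    'plain id'        => ['id' => '2'],
    'trailing SQL'    => ['id' => '2 OR 1=1'],
    'array parameter' => ['id' => ['2']],
    'missing id'      => [],
    'unknown id'      => ['id' => '99'],
];

$db = open_demo_db();
foreach ($requests as $label => $get) {
    $row = fetch_news($db, $get['id'] ?? null);
    printf("%-16s => %s\n", $label, $row === null ? 'no row' : $row['Newsheadline']);
}
```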
Re: [PHP] fgets and Macs
--- Jason Jacobs <[EMAIL PROTECTED]> wrote: > It would be wonderful if my php.ini file actually > contained the variable "auto_detect_line_endings." > How can I solve this problem? Try adding it yourself. Don't let its absence dissuade you from giving it a shot. :-) Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security in included PHP files
--- Jacob Copsey <[EMAIL PROTECTED]> wrote: > My style of PHP is to name all included files with a .php > extension and of course this raises the problem of people > accessing these script files directly. I always name included files *.inc myself, but that's a personal preference combined with a strong desire to adhere to strict naming conventions. It is very easy to make sure people cannot access your include files directly. There are two common ways to do this, and I will mention my preference first. 1. Do not store your include files under document root. This is a very simple and straightforward approach that negates all of the types of questions you were asking. 2. Deny access to any file with an extension of inc. Of course, you would have to conform to a naming standard a bit more for this to work. A quick Google search revealed this example for Apache: Order Allow, Deny Deny from all Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HTTP_REFERER work without a problem....
--- Scott Fletcher <[EMAIL PROTECTED]> wrote: > Here's what I found so interesting > > This code, $_SERVER['HTTP_REFERER'] have worked without a > problem when I use the latest Mozilla build. It even work > with the HierMenus, location.replace('http://whatever.com'), > and location.href = http://whatever.com... > > This is a good news for PHP everywhere. > > Unfortunately, Internet Explorer still have this > bug... What bug is that? Is there a question here somewhere? I think I am having a hard time interpreting it. Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security in included PHP files
--- Jacob Copsey <[EMAIL PROTECTED]> wrote: > I agree these are good solutions and I have considered > them. However, I am looking for an all-inclusive > solution that is code only within PHP that allows the > admin of the application to copy the files to their > server and not need to do any server specific > configuration. This places a large restriction on your ability to provide the best solution. However, there are still a couple of things you might consider, though I'm not sure if you will be fond of them: 1. Force those who install your software to place include files outside of document root. I know a few applications that check this and will output an error with a brief description of the security hazard if the include files are found to be under document root. This way, you can be assured that by the time people get your application to work, the include files will no longer be under document root. A similar notion is to combine this with a Web-based installation program, where your application relocates the include files during installation. 2. If your users are using Apache, you can include a .htaccess file in the top-level directory of your application that denies access to *.inc files. Maybe something like that will work for you. Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
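An added example (not part of the thread) of the install-time check described in option 1 here and in the earlier "Security in included PHP files" reply: refuse to run while the include directory resolves to a location under document root. The function names and the temporary directory tree are hypothetical and constructed for the demonstration; in an application the second argument would be `$_SERVER['DOCUMENT_ROOT']`.

```php
<?php
// Added example, not code from the thread.

/**
 * True when $includeDir, after resolving symlinks and "..", lies at or below
 * $docRoot and can therefore be requested directly through the Web server.
 */
function include_dir_is_exposed(string $includeDir, string $docRoot): bool
{
    $inc  = realpath($includeDir);
    $root = realpath($docRoot);
    if ($inc === false || $root === false) {
        throw new RuntimeException('Cannot resolve include directory or document root');
    }

    // Compare with a trailing separator so that a sibling such as
    // /srv/htdocs-private is not mistaken for a child of /srv/htdocs.
    $inc  = rtrim($inc, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    return strncmp($inc, $root, strlen($root)) === 0;
}

/** Stop with a short description of the hazard, as the reply suggests. */
function require_private_includes(string $includeDir, string $docRoot): void
{
    if (include_dir_is_exposed($includeDir, $docRoot)) {
        throw new RuntimeException(
            "Include directory $includeDir is under document root $docRoot. " .
            'Its files can be requested directly; move it outside document root.'
        );
    }
}

// Constructed directory tree for the demonstration.
$base    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . bin2hex(random_bytes(4));
$docRoot = "$base/htdocs";
$candidates = [
    "$base/htdocs/inc",          // inside document root
    "$base/htdocs-private/inc",  // sibling whose name shares a prefix
    "$base/lib",                 // clearly outside
];
foreach ($candidates as $dir) {
    mkdir($dir, 0700, true);
}

foreach ($candidates as $dir) {
    try {
        require_private_includes($dir, $docRoot);
        printf("%-22s accepted\n", substr($dir, strlen($base)));
    } catch (RuntimeException $e) {
        printf("%-22s refused\n", substr($dir, strlen($base)));
    }
}

// Remove the demonstration tree again.
foreach (["$base/htdocs/inc", "$base/htdocs", "$base/htdocs-private/inc",
          "$base/htdocs-private", "$base/lib", $base] as $dir) {
    rmdir($dir);
}
```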
Re: [PHP] HTTP_REFERER work without a problem....
--- Scott Fletcher <[EMAIL PROTECTED]> wrote: > Many PHP programmer tried to their best to use > HTTP_REFERER so they can keep track of which > webpages on the current website did the user > last visited. I think I see what you are referring to now. The reason that many people (myself included) discourage the use of REFERER for this purpose is not only because support is inconsistent, but also because it is not required that a Web client send this header. In fact, the only required header in the latest version of HTTP (1.1) is the Host header. So, it really boils down to not depending on something that is not guaranteed to be there. More reliable solutions usually incorporate some sort of shared secret between the client and the server. For example, say you have a form located at foo.php that submits to bar.php. Rather than checking the REFERER on bar.php to make sure it is foo.php, it is better to include a hidden form field on foo.php that is dynamically generated and stored in the user's session. You can be assured that the hidden form field will be included with the other form elements, so you can compare it to the value stored in the user's session and not run the risk of it being absent or blank (for the legitimate user, the good guy). Of course, this is just one example of many, but the point is that you need to rely on something that is reliable. :-) Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
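An added example (not part of the thread) of the hidden form field described in this message: foo.php generates a value, keeps it in the user's session and embeds it in the form, and bar.php compares the submitted value with the stored one. The function names and the `token` field name are hypothetical; `$session` is a plain array standing in for `$_SESSION` so the script runs from the command line.

```php
<?php
// Added example, not code from the thread. In a real page, call
// session_start() and pass $_SESSION where $session is used here.

/** foo.php side: create a fresh token for one form and remember it. */
function issue_form_token(array &$session, string $form): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits from the system CSPRNG
    $session['form_tokens'][$form] = $token;
    return $token;
}

/** foo.php side: the form with the token as a hidden field. */
function render_foo_form(array &$session): string
{
    $token = issue_form_token($session, 'foo');
    return "<form action=\"bar.php\" method=\"post\">\n"
         . '  <input type="hidden" name="token" value="'
         . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . "\">\n"
         . "  <input type=\"text\" name=\"comment\">\n"
         . "  <input type=\"submit\">\n"
         . "</form>\n";
}

/** bar.php side: accept the submission only if it carries the stored token. */
function verify_form_token(array &$session, string $form, $submitted): bool
{
    $expected = $session['form_tokens'][$form] ?? null;

    // Single use: the stored token is discarded whether or not it matched,
    // so a captured value cannot be replayed and a reload needs a new form.
    unset($session['form_tokens'][$form]);

    // A missing field, an array (token[]=x) or an empty session all fail.
    if (!is_string($expected) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted);   // constant-time comparison
}

function show(string $label, bool $accepted): void
{
    printf("%-28s %s\n", $label, $accepted ? 'accepted' : 'rejected');
}

// Constructed walk-through of one session.
$session = [];

$html = render_foo_form($session);
echo $html;
preg_match('/name="token" value="([0-9a-f]{64})"/', $html, $m);
$post = ['token' => $m[1], 'comment' => 'hello'];

show('submit from foo.php',   verify_form_token($session, 'foo', $post['token'] ?? null));
show('same token again',      verify_form_token($session, 'foo', $post['token'] ?? null));

render_foo_form($session);    // a new form is served, new token stored
$noToken = ['comment' => 'hello'];
show('request without token', verify_form_token($session, 'foo', $noToken['token'] ?? null));

render_foo_form($session);
$wrong = ['token' => str_repeat('0', 64)];
show('request with wrong token', verify_form_token($session, 'foo', $wrong['token'] ?? null));
```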
Re: Fw: [PHP] HTTP_REFERER work without a problem....
--- Kevin Stone <[EMAIL PROTECTED]> wrote: > What I suggest to you is code a solution around the IP > address. The IP address of course, like any information > coming from the client, can be tampered with but more > than likely it's not going to change while the user is > browsing your website. Right? Sorry to disagree, but this is incorrect. The IP address is a terrible metric for client identification. I mean, it is absolutely terrible. Yes, it is easier for a potential attacker to spoof information at the HTTP level than the TCP/IP level, but that is no defense. More (most?) importantly, there are two situations where you will run into trouble with legitimate users who are just trying to use your site: 1. The users are behind an HTTP proxy, which is a very popular configuration for business environments. Thus, the IP address will be that of the HTTP proxy, not the client. Many people will appear to be the same person. 2. The users are behind a round-robin HTTP proxy, such as all AOL users (a large number of Web users). One person can appear to be many different people. Anyway, I hated to let that one go. Again, sorry to disagree, but relying on an IP address for client identification can lead to some very frustrating problems for inexperienced developers. Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HTTP_REFERER work without a problem....
--- Scott Fletcher <[EMAIL PROTECTED]> wrote: > Or worse, not substituting the characters in the > Session ID. Just use the same Session ID. What if > there is leftover session file in the /tmp > directory of the Unix machine and we're dealing > with hundred of users each day. Some of those > session files aren't deleted because the user > just closed the browser without logging out. It > is unfortunate that there is no better solution to > this. Actually, there is a better solution. Your observations are perfectly valid and correct. If the session ID is given complete trust (which is the case for many people, unfortunately, especially with the default configuration for sessions), then there are many security risks. Given your observations, I think you are on the right track to developing more secure state and session management mechanisms yourself. I am actually considering submitting a proposal to speak about this topic (well, Web application security with PHP in general) at OSCON and perhaps the PHP Conference coming in May. The reason that many people are hesitant to offer solutions is because no solution is perfectly secure. There are, however, many reliable methods you can use that will not adversely affect your legitimate users in any way and make life a bit harder for the bad guys. A common example I give just to get you going is that you can store the user agent in a session variable. While all Web clients may not send the User-Agent header, you can be assured that those that do will send the same User-Agent header for every request. Verifying this against the session variable can at least prevent the copy/paste from an email attack that you mentioned unless the attacker replicates the exact same User-Agent header. Anyway, you have very valid points. Hopefully I will get the chance to speak about this in more depth at a conference soon, and if not, I will probably at least write an article on it. 
Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
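An added example (not part of the thread) of the User-Agent check described in this message: the header seen on the first request is recorded in the session, and a later request that presents the same session with a different header is refused. The function name, the session key and the sample headers are hypothetical and constructed; `$session` and `$server` stand in for `$_SESSION` and `$_SERVER`.

```php
<?php
// Added example, not code from the thread.

/**
 * Bind a session to the User-Agent of the client that started it.
 * Returns 'bound' on the first request, 'ok' when the header matches the
 * recorded one, and 'rejected' (with the session emptied) when it does not.
 */
function check_user_agent(array &$session, array $server): string
{
    // Not every client sends the header. Treat "absent" as its own stable
    // value, so such a client keeps working as long as it stays absent.
    $agent = isset($server['HTTP_USER_AGENT']) && is_string($server['HTTP_USER_AGENT'])
        ? $server['HTTP_USER_AGENT']
        : '';
    $fingerprint = hash('sha256', $agent);

    if (!isset($session['ua_fingerprint'])) {
        // First request in this session: remember what the client sent.
        // A real page would also call session_regenerate_id(true) at login.
        $session['ua_fingerprint'] = $fingerprint;
        return 'bound';
    }

    if (hash_equals($session['ua_fingerprint'], $fingerprint)) {
        return 'ok';
    }

    // Same session identifier, different client software: drop the session
    // data and make the visitor log in again. With real sessions this is
    // where session_destroy() would be called.
    $session = [];
    return 'rejected';
}

// Constructed requests that all present the same session identifier.
$browser = 'Mozilla/5.0 (X11; Linux) ExampleBrowser/1.0';
$requests = [
    'first request'          => ['HTTP_USER_AGENT' => $browser],
    'same browser'           => ['HTTP_USER_AGENT' => $browser],
    'different User-Agent'   => ['HTTP_USER_AGENT' => 'OtherClient/2.0'],
];

$session = ['user' => 'justin'];
foreach ($requests as $label => $server) {
    $result = check_user_agent($session, $server);
    printf("%-22s %-9s session keys: %s\n",
        $label, $result, implode(',', array_keys($session)) ?: '(none)');
}

// A client that never sends the header is still handled consistently.
$session = [];
printf("%-22s %s\n", 'no header, first',  check_user_agent($session, []));
printf("%-22s %s\n", 'no header, second', check_user_agent($session, []));
```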
Re: [PHP] intermittent session loss
--- Justin French <[EMAIL PROTECTED]> wrote: > I did notice that once I login (it says "you are > logged in as justin" across the top of the screen), > if I refresh the same page a few times, it will > MOSTLY say "you are logged in as..." but > OCCASIONALLY it says "click here to login"... > What's likely to cause this? As I'm sure you're aware, this type of session problem can be difficult to resolve. :-) I am assuming that you are not using any type of load balancing? If you are, that's probably your answer. Short of that, can you replicate this in Mozilla? The reason I ask is that there is now a project on mozdev.org for viewing the HTTP protocol (http://livehttpheaders.mozdev.org/). Otherwise, if you have a tool to view the HTTP transactions, use that. I am particularly curious to see if the HTTP request fails to include the cookie or URL variable (depending on which method you are testing) for the instance when you lose session. If the browser is correctly identifying itself on each request, the requests are going to the same server, and the session file never vanishes, I can see no way you would lose session like that. If all else fails, try using a database for your session store instead of /tmp to see if the behavior changes. Good luck, and let us know what you find out. Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] system(): access denied
--- [EMAIL PROTECTED] wrote: > no, i use mysqldump -uroot -p > my_dump_file.sql > it is not '<' but '>' That syntax is fine, and it should prompt you for a password. My suggestion is to give the root account a password and don't worry about all of this. I think I read that it is currently empty, right? Just assign it a proper password, and move on to the next problem. :-) Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] system(): access denied
--- Chris Boget <[EMAIL PROTECTED]> wrote: > system("mysql -uroot -p < the_dump_file.sql") > > it doesn't know where the command ends and the input > begins. So what's going on is that the command thinks > that the password is coming from the "the_dump_file.sql". It knows exactly where the command ends and the input begins. It is the < symbol. :-) Also, in your example (which strays from the poster's example), the_dump_file.sql is simply executed by mysql once you provide the password (which it prompts for). It does not try to use it for the password as you seem to be thinking. Anyway, the reason the poster wrote it like this: mysqldump -uroot -p > the_dump_file.sql is so that the output of mysqldump (the dump file) is sent to the_dump_file.sql rather than stdout. Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] nl2br too?
--- Cesar Aracena <[EMAIL PROTECTED]> wrote: > When I make a form in a web site for a visitor to > send me some comments, I use nl2br() to put things > like line breaks and see what the visitor wants me > to see. > > But what happens if I have a web form to input some > text into a TEXT cell in MySQL and want to retrieve > it like I wrote it? My advice is to store in MySQL exactly what the user types. This way, you can decide when you retrieve this data whether you want to display it on a page (in which case you would use nl2br) or display it in a text field for editing (in which case you would leave the data raw). Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Redirecting
--- "Denis L. Menezes" <[EMAIL PROTECTED]> wrote: > I want to redirect users to another page after successful > login. Can someone please help me with the PHP code for > redirecting? You have many options: 1. After a successful login, display the proper page to the user instead of redirecting. This is my preference. 2. Use a Location header to cause a protocol-level redirect. For example, header("Location: http://www.google.com/"); 3. Use an HTML meta tag for redirecting. Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Sessions or Cookies?
--- Cesar Aracena <[EMAIL PROTECTED]> wrote: > Should I use the no-so-secure old cookies method > or should I start a new session every time a client > drops in and handle each cart by session name or ID? My advice is to only use cookies to identify a Web client. Any data you want to associate with that Web client (user data, for example) should be stored on the server - database, session store, etc. Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Sessions or Cookies?
--- Peter Janett <[EMAIL PROTECTED]> wrote: > Sessions themselves use cookies, though, right? > So, if you want your app to work for those who > don't have cookies, you have to pass the session > data in the url string, at least that's my > understanding. That's not quite right. Session management requires an existing method of state management. The default state management mechanism used by PHP is indeed cookies, but that is not the only way. All that is required for state management is that you assign the Web client a unique identifier that it includes on subsequent requests. Cookies make this easy and are somewhat "automatic" in PHP, but GET and POST variables can also be used. For example, say you normally depend on a cookie to identify the client. This will probably be something like PHPSESSID=12345. The following link would send the same unique identifier as a GET variable: Click Here Unless you have PHP configured to only use cookies to identify the client (which I think is not the default setting anyway), it will use the PHPSESSID when sent on the URL like this. In fact, you can configure PHP to append the unique identifier to the URL automatically if the client does not accept cookies. Just set session.use_trans_sid to 1 in your php.ini file if you compiled PHP with --enable_trans_sid. As I hope is clear, none of this requires that any client data be passed on the URL, in cookies, or anything else. The only data that should be sent by the client is data necessary for client identification. All other data can (and should in most cases) be stored on the server. Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Check for start_sessoin without causing header problems
--- [EMAIL PROTECTED] wrote: > how can I call a register session from within a > class and make sure that the session is allready > active and if not just print a warning. This is closely related; you can check to see whether headers have already been sent: http://www.php.net/manual/en/function.headers-sent.php If they have not, it does not matter if you start the session or use an existing one. You can probably use session_name() to check for an existing session. It is worth experimenting with anyway. Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] 2 Qs: Passing current URL with session and how to avoid session timeout???
--- Cal Evans <[EMAIL PROTECTED]> wrote: > I usually just pass this kind of info around on the URL. > > http://mypage.com/mypage.php?prevURL=http://mypage.com/lastpage.php > > if I have to pass a full query string then I urlencode() > it first and urldecode() it on the other side. Just as a bit of advice, you should always URL encode any data you want to append to the URL like that. Also, decoding it is superfluous, because the Web server will do that for you (since URL data is supposed to be URL encoded). Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] SQL+php
--- Sean Burlington <[EMAIL PROTECTED]> wrote: > I think the bandwidth wasters are those who ask > questions poorly (it takes several follow up mails > to find out what the question was) and those who > don't have a quick look at the archives first > (is someone putting together an FAQ ?) I agree. I think John's response was a simple answer to a simple question. He was probably tired of trying to interpret questions from this list. I suppose I take a similar approach in that I quickly delete questions that make no sense or only hint at the real question. Perhaps I am being rude, too, but I'm just quieter about it. :-) Oh, and here is a link that I think John alluded to: http://www.tuxedo.org/~esr/faqs/smart-questions.html Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Multiplication of double
--- Cesar Aracena <[EMAIL PROTECTED]> wrote: > I get two numbers from a FORM, one price and one > quantity and I need to make a multiplication with > them in order to store the total amount also as a > double expression... I'm trying with: > > $totalprice = $price * $qty; > > but when I echo the, it gives me just plain old 0 > (zero). Any suggestions? Without seeing more code, it is hard to say, but I imagine $qty and/or $price are not what you think they are. Here is a little example that you might find useful: Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Getting https-page
--- Martin Thoma <[EMAIL PROTECTED]> wrote: > How can I get an https-page? I have never tested this myself, but I found this page in the manual: http://www.php.net/manual/en/function.fsockopen.php It has this to say: "As of PHP 4.3.0, if you have compiled in OpenSSL support, you may prefix the hostname with either 'ssl://' or 'tls://' to use an SSL or TLS client connection over TCP/IP to connect to the remote host." I'm sure you could use the openssl functions, but this sounds much easier. Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security
--- Phil Ewington <[EMAIL PROTECTED]> wrote: > Can PHP be configured to allow certain web sites > access to files and directories within their web > root only? I would suggest looking into safe mode. It sounds like it may work for you: http://www.php.net/manual/en/features.safe-mode.php Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] $_POST vars problem
--- Kenneth Brill <[EMAIL PROTECTED]> wrote: > can anyone tell me where the second > "searchstring=TEST" is coming from? I > have tried register globals on and off. Can you also show us the HTML for your form on the previous page? The simplest test case that produces this problem would be best. Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] $_POST vars problem
--- Kenneth Brill <[EMAIL PROTECTED]> wrote: > I will try to shortly. The server in question is > password protected and has a lot of information I > don't need hacked into right now. I'll set up a > limited short term account and post everything then. So you do not have access to the server that has the code you are trying to debug? That seems like a bigger problem. If you can at least test this with a browser, you can use it to view the source. This will reveal the HTML, and you can just show us the relevant parts. Of course, if we notice the problem, it sounds like it is useless anyway, since you cannot access the server to fix anything. Unless I am missing something... Chris > > On another note, I have found that if I include (and use) > the submit button > everything works perfectly, HOWEVER if I just enter data > and hit return then > it messes up. That makes no sense to me but maybe someone > out there can put > it together. > > thanks > > "Chris Shiflett" <[EMAIL PROTECTED]> wrote in message > news:[EMAIL PROTECTED]... > > --- Kenneth Brill <[EMAIL PROTECTED]> wrote: > > > can anyone tell me where the second > > > "searchstring=TEST" is coming from? I > > > have tried register globals on and off. > > > > Can you also show us the HTML for your form on the > previous > > page? The simplest test case that produces this problem > > would be best. > > > > Chris > > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Loop inside a table
--- Cesar Aracena <[EMAIL PROTECTED]> wrote: > $message = " > > > > title goes here > > > ". > for ($x = 0; $x < $num_rows; $x++) > { > //several lines made dynamically > } > .." > > ; Try something like this instead, if you want all of your HTML to be in the $message variable: $message = "\n\n"; $message .= "\ttitle goes here\n"; $message .= "\n\n"; for ($x = 0; $x < $num_rows; $x++) { $message .= "whatever you want to add\n"; } $message .= "\n"; Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] pop-up problem
--- Mark McCulligh <[EMAIL PROTECTED]> wrote: > I was wondering if anyone knows of a way to > create a pop-up using PHP or other language to > do the same thing as JavaScript window.open > method. I have an app that uses the JavaScript > popup but now with those popup stopper it will > not always work. That is the point. > For I am looking for another way of creating > popups. Does anyone know of a way other then > window.open to control the window's size and > remove things like the toolbar, address bar, > etc.. > > Is there a way to control is through PHP and the > header information? or I am look for something > that doesn't exist. No, PHP cannot help you here. Controlling client behavior like that is not something that is within the scope of HTTP either, so there are no headers that do anything like that. You must depend on some sort of client-side scripting. Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Change base url
--- Jeremías Grunge <[EMAIL PROTECTED]> wrote: > I've a few of scripts in a directory > $baseurl/PHP/scripts.PHP > > And I want to include these a script in a different dir > example $baseurl/otherDir/otherscript.PHP but the > includes that are on the $baseurl/PHP/scripts.PHP now > referrer to $baseurl/otherDir... There is a way to say > a script what is its $baseurl? I do not think I understand the question. You can change $baseurl like this: $baseurl = "/something_else"; Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] pop-up problem
--- Mark McCulligh <[EMAIL PROTECTED]> wrote: > I wish people won't miss use features for people start > blocking them. I am using the window.open the way it > was meant for. I have a online help feature. I am not > using it a force people to look at banner after banner. I know exactly what you mean. However, I believe window.open still works when used like this: Click Here At least, that works with Mozilla's pop-up blocker. As I understood it, only those annoying automatic popups are disabled. Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Cannot show reuploaded image file on page unless manual refresh
--- Phil Powell <[EMAIL PROTECTED]> wrote: > I am using the following header() functions to force > view.php to not cache: > > header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); > header("Last-Modified: " . gmdate("D, d M Y H:i:s") . > " GMT"); > header("Cache-Control: no-store, no-cache, > must-revalidate"); > header("Cache-Control: post-check=0, pre-check=0", > false); > header("Pragma: no-cache"); :-) I think you killed it. > However, when a user reuploads a file in manage.php, it > does a form post onto manage.php and reuploads the file > (which I verified works). However, when redirected via > header() to view.php, they still see their OLD image > file, NOT the new one! Unless I manually refresh the > page, they never see it, until they manually refresh the > page, then the new image file appears! Right. I think you are forgetting that the image is not really part of the PHP resource. Meaning, this is the series of events for a PHP script that references a single image called bar.jpg using the tag: 1. HTTP request sent for foo.php (Web client -> Web server) 2. HTTP response sent that includes the output of foo.php (Web server -> Web client) 3. Web client (browser) notices tag referenced in the HTML. 4. HTTP request sent for bar.jpg (Web client -> Web server) 5. HTTP response sent that includes bar.jpg So, the headers that you are setting only matter for the resource returned in step 2. Meaning, the HTML output of foo.php is not cached. The image, since it is returned by the Web server and not your PHP script, is cached. Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Cannot show reuploaded image file on page unless manual refresh
--- Phil Powell <[EMAIL PROTECTED]> wrote: > Chris, that made no sense to me at all! Sorry. :-) > How in the world could an HTTP-RESPONSE send back a > cached .jpg file that no longer exists on the server > end? That's impossible, unless the entire page is > cached. Now, how do I ensure that view.php always > gets the "fresh" image every time? I probably explained this poorly. The main point I was trying to make is that images are completely separate resources. They are not part of a page as you seem to be thinking, even though they appear to be once rendered in your browser. While a request for view.php results in a response that includes all of those headers you explicitly set, a request for blah.jpg gets returned by the Web server directly. It is probably being cached by the browser. However, the Web client usually includes an If-Modified-Since header that will cause the Web server to return a fresh resource if it has in fact been modified. Is there a way you can show us the HTTP transactions for the image in question both before and after it has been modified? Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] login script fix help needed
--- Karl James <[EMAIL PROTECTED]> wrote: > Warning: Cannot add header information - headers already > sent by (output started at > /home/virtual/site12/fst/var/www/html/Create_Account.php:8) > in /home/virtual/site12/fst/var/www/html/Create_Account.php > on line 10 This means you have something on line 10 of Create_account.php that sends headers, but PHP cannot because you have something on line 8 that causes output. Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Header Error message i think!!
--- Justin French <[EMAIL PROTECTED]> wrote: > PLEASE don't post in HTML/Rich Text > > sheeesh! > > Justin Agreed. Also, please quit asking the same question. I answered this one already, and I think someone else did as well. If you are still having trouble after reading our answers, at least let us know what the outcome was. As it is, we have no reason to believe you are putting forth any effort. Chris > on 20/01/03 2:18 PM, Karl James ([EMAIL PROTECTED]) > wrote: > > > http://www.ultimatefootballleague.com/Create_Account.phps > > > > Warning: Cannot add header information - headers > > already sent by (output started at > /home/virtual/site12/fst/var/www/html/Create_Account.php:2) > in > /home/virtual/site12/fst/var/www/html/Create_Account.php > on line 4 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] mysql_connect error
--- Tom Ray <[EMAIL PROTECTED]> wrote: > Can someone please tell me why I'm getting this error: > > *Fatal error*: Call to undefined function: > mysql_connect() in > */webs/tom/www.bohabcentral.com/www/bohabs/auth.php* on > line *4 > > *mysql_connect was working a week or so ago, and I > haven't made any changes to the servers configuration. That seems unlikely, but I'll take your word for it. Can you do a phpinfo() and let us know what the configure line is? Also, does function_exists("mysql_connect") return false? Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Page Rendering
--- "Bill Arbuckle, Jr." <[EMAIL PROTECTED]> wrote: > It works in IE but not Netscape. Nearly every time this happens, you have invalid HTML. Try stripping out all of the HTML, leaving only the plain text content of the page in question. Then, slowly add back the markup, testing each change. Also, never test in IE unless you have a restricted user base that is only going to use IE. It is one of the most lenient browsers with regard to standards, so it will just give you a false positive. Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] $header = "Location:........" being ignored!
--- Shams <[EMAIL PROTECTED]> wrote:
> if ( $_POST['passwd'] != $db['password']
> {header("Location: loginfailed.html");
> }

You never add the closing parenthesis to your if statement.

Chris
Re: [PHP] security question regarding including files..
--- Chad Day <[EMAIL PROTECTED]> wrote:
> I want to give my users the ability to submit a URL
> to a database, then when they pull up their page,
> their photo is included .. what I'm worried about
> is them pointing the link to some malicious code or
> something..

Your instincts serve you well. There are two types of attacks to worry about in this situation, depending on who can see this "image". If only the user who submitted the URL can see it, then your users only risk CSRF attacks, which are not very common (yet) but are very dangerous. If everyone can see the "image", then your application is also at risk of XSS.

If you realize that an embedded image is requested separately by a Web client, you can see that this basically allows an attacker the opportunity of forcing another user to visit a URL of the attacker's choice. For example, consider an image that looks like this:

<img src="http://bookstore.xxx/buy.php?book=httphandbook">

A browser will try to load that image by sending a request for that URL to bookstore.xxx. So, every user who happens to have a prior relationship with bookstore.xxx (maybe they have one-click ordering) will unknowingly purchase HTTP Developer's Handbook. All the victim will see is a broken image.

Even if you check for file extensions, the attacker can have a URL that looks legitimate but is really a PHP script in disguise (their Apache treats .jpg as PHP, for example) and uses header("Location: ...") to redirect to the URL mentioned above.

Also, this same attack can be used against one of your users to make them unknowingly submit such a URL to your site. Thus, even if you only show the image to the user who submitted it, that user may still be a victim.

For more information on CSRF, check out http://www.tux.org/~peterw/csrf.txt. For more information on XSS, check out http://httpd.apache.org/info/css-security/ and http://www.cert.org/advisories/CA-2000-02.html.

My advice would be to require human intervention in the way of a moderation system. Even with this, a URL that returns an image today may not tomorrow. A safer alternative might be to host the images yourself, so that you can check that they are in fact images.

Good luck.

Chris
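The "host the images yourself" alternative from the message above, as an added example that is not from the original post: an upload is accepted only if its bytes parse as a GIF, JPEG or PNG, and it is stored under a server-chosen name. The function names, the size limits and the two sample inputs are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. Names and limits are assumptions.
const ALLOWED_TYPES = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
const MAX_BYTES     = 2097152;   // 2 MiB
const MAX_SIDE      = 4000;      // pixels

// Judge the content, not the file name or the Content-Type the client claims.
// Returns the extension to store under, or null to reject.
function sniffImage(string $bytes): ?string
{
    if ($bytes === '' || strlen($bytes) > MAX_BYTES) {
        return null;
    }
    $info = @getimagesizefromstring($bytes);   // false when no image header parses
    if ($info === false) {
        return null;
    }
    [$width, $height, $type] = $info;
    if (!array_key_exists($type, ALLOWED_TYPES) || $width < 1 || $height < 1
        || $width > MAX_SIDE || $height > MAX_SIDE) {
        return null;
    }
    return ALLOWED_TYPES[$type];
}

// Store under a random server-chosen name so the client controls neither
// the path nor the extension. Returns the stored name, or null on rejection.
function storeImage(string $bytes, string $dir): ?string
{
    $ext = sniffImage($bytes);
    if ($ext === null) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    return file_put_contents($dir . '/' . $name, $bytes) === false ? null : $name;
}

// Constructed samples: a 1x1 GIF, and markup named like a photo.
$samples = [
    'pixel.gif' => base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'),
    'photo.jpg' => '<html>not an image</html>',
];
foreach ($samples as $label => $bytes) {
    printf("%-10s %s\n", $label, storeImage($bytes, sys_get_temp_dir()) ?? 'rejected');
}
```

getimagesizefromstring() inspects the image header rather than decoding the whole file, so re-encoding the upload with an image library before serving it is a stricter check.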
Re: [PHP] Detecting posts from outside site
--- [EMAIL PROTECTED] wrote:
> If it's bulletproof, then I figured this could help
> some of you out. If not, I welcome comments (I'm a
> little bit hesitant of calling things 'bulletproof').

It's not bulletproof. :-)

> if((count($_POST) > 0) &&
> (!stristr($_SERVER["HTTP_REFERER"],
> $http_referer))) {
> unset($_POST);
> $evil = "postedfromoutsidepage";
> }

If this page is located at http://www.example.org/foo.php, and you are trying to ensure that the data is being posted from http://www.example.org/bar.php, consider the following:

# telnet www.example.org 80
Trying 192.0.34.166...
Connected to www.example.org (192.0.34.166).
Escape character is '^]'.
POST /foobar.php HTTP/1.1
Host: www.example.org
Referer: http://www.example.org/bar.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 26

varname=any_value_i_choose

Someone can use this method to bypass your Referer header check and post any data they choose.

Chris
Re: [PHP] security question regarding including files..
--- Sean Burlington <[EMAIL PROTECTED]> wrote:
> I'm not sure what harm could be done by this though.
>
> if a browser attempts to load an image reference by
> an I would expect it simply to ignore it...

I sent a response about this earlier, but you should research CSRF and XSS. It does not matter that the browser shows a broken image if it has already sent the HTTP request. There is no special HTTP request for checking whether the Content-Type is really an image without the receiving Web server taking any action. A GET is a GET.

Chris
Re: [PHP] security question regarding including files..
--- Sean Burlington <[EMAIL PROTECTED]> wrote:
> is there really any site which will accept a book
> order based on a single GET?

Well, yes, but that is not the point really. The example of the tag is just one way you can forge an HTTP request from another user (the victim).

Also consider that many people create sites with PHP with register_globals set to on. Even when these people go to great lengths to validate all incoming data and to identify the user, this does not defend against CSRF. The data being sent is valid data, and the user sending it is the authenticated user. That is the danger.

Chris
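One common mitigation for the forged-request problem discussed in this thread, shown as an added example that is not from any of the posters: the server refuses to change state on GET and requires a per-session token that a page on another site cannot read. The function names are hypothetical, and plain arrays stand in for $_SESSION and $_POST so the script runs from the command line.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical;
// plain arrays stand in for $_SESSION and $_POST.

// Called when rendering the form: the token is kept server-side in the
// session and echoed into a hidden field of the form this user receives.
function issueToken(array &$session): string
{
    $session['csrf_token'] = bin2hex(random_bytes(32));
    return $session['csrf_token'];
}

// Called before acting on any request that changes state.
function mayChangeState(string $method, array $session, array $post): bool
{
    if ($method !== 'POST') {
        return false;                    // an image-style GET never places an order
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    // hash_equals() compares in constant time; an empty token never matches.
    return $expected !== '' && is_string($supplied)
        && hash_equals($expected, $supplied);
}

$session = ['user' => 'alice'];          // constructed: an authenticated session
$token   = issueToken($session);

// Constructed sample requests. Every one arrives with the victim's valid
// session; only the first was produced by the form the server issued.
$requests = [
    'form submitted by the user'     => ['POST', ['book' => 'httphandbook', 'csrf_token' => $token]],
    'embedded-image GET'             => ['GET',  ['book' => 'httphandbook']],
    'cross-site POST, no token'      => ['POST', ['book' => 'httphandbook']],
    'cross-site POST, guessed token' => ['POST', ['book' => 'httphandbook',
                                                  'csrf_token' => str_repeat('0', 64)]],
];

foreach ($requests as $label => [$method, $post]) {
    printf("%-31s %s\n", $label,
        mayChangeState($method, $session, $post) ? 'accepted' : 'rejected');
}
```

The token only ties a request to a form issued to the same session; the submitted values still need validating on the server.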