[PHP] Big File Upload how to catch stream
Hello, I have been looking how to upload big files more than 1GB , with php but it doesn't work well. I guess php POST multipart method is to memory consuming. Is there a way , like in the apache.commons to catch the stream and handle it ? I've looked at the rfc1867.c file implementation and it seems that this is where the memory goes really up. Is there a way we could change this ? Kind Regards Wim -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] [php] passing variables doesn't work
Dear all,
I am trying to pass variables from one php-file to another but that
doesn't seem to work. Anyone an idea what I am doing wrong?
The first file shows a dropdown with all the databases on the server
(only 1 for me). You have to select a database and put an SQL query in
the textarea.
Pushing Execute query! then calls the second file test2.php which
should put all the variables on the screen (first there was another
routine but that did not work, so I created this simple output to test
the veriables).
html
head
title PHP SQL Code Tester /title
/head
body
!--query.php--
?php
$host=localhost;
$user=some_user;
$password=some password;
?
form action=test2.php method=post
Please select the database for the query:brbr
select name=database size=1
?php
$wim = 5; /* this is added to test the passing of the variables -
doesn't work either */
$link = mysql_connect($host, $user, $password)
or die( Cannot connect : . mysql_error());
$db_table = mysql_list_dbs();
for ($i = 0; $i mysql_num_rows($db_table); $i++) {
echo(option . mysql_tablename($db_table, $i));
}
?
/select
Please input the SQL query to be executed:brbr
textarea name=query cols=50 rows=10/textarea
brbr
input type=submit value=Execute query!
/form
/body
/html
This routine which is called with the routine above should print all
variables but it doesn't. Well, the routine itself works but the
variables are empty.
html
head
titlePHP SQL code tester/title
/head
body
!-- test2.php--
?php
echo Dit is een testbr;/* this is printed to the screen */
echo $wim; /* this is NOT printed to the screen */
echo $hostbr; /* only the BR is printed */
echo $databasebr; /* only the BR is printed */
echo query: $querybr; /* only the BR is printed */
echo Dit is test 2; /* this is printed to the screen */
?
/body
/html
Thanks for your help,
Wim.
DISCLAIMER
http://www.proximus.be/maildisclaimer
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] PHP manual - multiple HTML pages
Does anyone still have the tarfile for the manual. On the website they announce that these manuals will be redeployed shortly but this message is already three weeks there and I need this (as always ) urgently. Thanx in advance for sending it . Wim -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] odbc_connect
LS, I try to get connected to a MSSQL via ODBC (setup with Windows authentication) , but this is the error I get. Warning: SQL error: [Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user 'NT AUTHORITY \ANONYMOUS LOGON'., SQL state 28000 in SQLConnect Anyone any ideas ? Thx, Wim -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] php editor?
Well said ! More in general , I would like to take the opportunity to thank you and the Zend team for your contribution with regards to the complete PHP project. Wim -Oorspronkelijk bericht- Van: Zeev Suraski [mailto:[EMAIL PROTECTED] Verzonden: Wednesday, June 18, 2003 9:50 AM Aan: Ryan A CC: [EMAIL PROTECTED] Onderwerp: Re: [PHP] php editor? This list is not owned by Zend. One should still not be talking about cracking software (Zend or otherwise) on it, though... Zeev At 14:51 14/06/2003, Ryan A wrote: What can i say? if you aint living on the edge you're taking up too much space I reccomend you don't talk about cracking Zend software on a list owner by Zend... -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Good PHP Books (topic wandering)
I stick with the Wrox publications : for me 'Professional PHP' and 'Beginning PHP Databases' (with very good section about the DB class in PEAR) serve me in almost all my needs. The online manual though serves about 95 % of my queries. -Oorspronkelijk bericht- Van: Joel Rees [mailto:[EMAIL PROTECTED] Verzonden: Tuesday, June 17, 2003 9:57 AM Aan: [EMAIL PROTECTED] Onderwerp: Re: [PHP] Good PHP Books (topic wandering) Some of the O'Reilly books that I thought were not perfect: - All books about Perl. Now that we have nice c-like script languages like PHP, Python and Javascript who still wants to study the mess that Perl is? Heh. PHP, Python, Javascript? It's all perl to me. ;-) The O'Reilly books, as has been noted, are the standard references on perl. - The introduction to Ruby, probably called Ruby in a Nutshell. I had read the introductory article in DrDobbs by the author of the language and the language seemed nice, but whilst reading the book I noticed more and more cases of half-Perl ugliness. The language Ruby was designed by a Japanese and a lot of Japanese designs are flawed by being a seemingly random combination of aspects from Western designs. Ruby is also a dialect of perl, and very well done. You might want to take a closer look at what seems random to you now. But it seems to me you are criticizing languages rather than books in the above. - The Java in a Nutshell book. It consisted mainly of a collection of standard library functions but with to few details to be of any use. Java is a huge language and full of details. Once I got used to Java, O'Reilly's Java in a Nutshell turned out to be just right to have on my desk. The Examples volume is a necessity. PHP's on-line docs are great because PHP is small and glosses over a lot of details. Sun's on-line docs for Java just don't work as primary source because you have to see too much through that itty-bitty seventeen inch screen. (When monitors are 600dpi, and cheap and thin enough that we can have seven or eight of them sitting on our desk, then maybe we can finally get rid of books.) I propose that when looking for a book on a certain subject: - You check out if there is an O'Reilly book about it and when not, why not? - Compare any other book you encounter with the O'Reilly book and see if it is better. It might happen in selected cases. That's probably not a bad approach. By the way, I think that the online PHP-manual at php.net is very good so I have no need for a PHP book, No argument with that. except that I once bought O'Reilly's PHP Kort en Krachtig (the Dutch translation of the PHP Pocket Reference, probably the first version of 2000). Of course I would have bought the English version if it had been in stock here. The Dutch translations of computer books are often very flawed, plus that it's useful to learn the English terms. I imagine things will improve with Dutch. Japanese docs have definitely been improving -- less reliance on technical words borrowed from English, greater accuracy when choosing native terminology, less Janglish grammar. -- Joel Rees [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] MSSQL connection
LS, I am trying to get a connection to a remote MSSQL server. This is what I found in the online manual : quote mssql_connect() establishes a connection to a MS SQL server. The servername argument has to be a valid servername that is defined in the 'interfaces' file. /quote This is the command given : quote $test = mssql_connect(SQL-001,whoever,whatever); /quote This is the output of the code snippet quote Fatal error: Call to undefined function: mssql_connect() in c:\program files\apache\htdocs\pestest\axtest.php on line 5 /quote The error message seems to be out of line with the manual . I was wondering whether this is related to the definition in the 'interfaces' file (whatever that may be). All help highly appreciated. Wim
RE: [PHP] MSSQL connection
That's it . Thank you very much ! -Oorspronkelijk bericht- Van: Adam Voigt [mailto:[EMAIL PROTECTED] Verzonden: Tuesday, June 17, 2003 5:10 PM Aan: Wim Paulussen CC: [EMAIL PROTECTED] Onderwerp: Re: [PHP] MSSQL connection You need to turn on the MSSQL extension in your php.ini, under Windows this file is probably in: c:\winnt\php.ini On Tue, 2003-06-17 at 11:01, Wim Paulussen wrote: LS, I am trying to get a connection to a remote MSSQL server. This is what I found in the online manual : quote mssql_connect() establishes a connection to a MS SQL server. The servername argument has to be a valid servername that is defined in the 'interfaces' file. /quote This is the command given : quote $test = mssql_connect(SQL-001,whoever,whatever); /quote This is the output of the code snippet quote Fatal error: Call to undefined function: mssql_connect() in c:\program files\apache\htdocs\pestest\axtest.php on line 5 /quote The error message seems to be out of line with the manual . I was wondering whether this is related to the definition in the 'interfaces' file (whatever that may be). All help highly appreciated. Wim -- Adam Voigt ([EMAIL PROTECTED]) Linux/Unix Network Administrator The Cryptocomm Group -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] MSSQL connection
At least : step 1. Does anyone know what is meant by the 'interfaces' file ? quote The servername argument has to be a valid servername that is defined in the 'interfaces' file. /quote -Oorspronkelijk bericht- Van: Wim Paulussen [mailto:[EMAIL PROTECTED] Verzonden: Tuesday, June 17, 2003 5:14 PM Aan: [EMAIL PROTECTED] CC: [EMAIL PROTECTED] Onderwerp: RE: [PHP] MSSQL connection That's it . Thank you very much ! -Oorspronkelijk bericht- Van: Adam Voigt [mailto:[EMAIL PROTECTED] Verzonden: Tuesday, June 17, 2003 5:10 PM Aan: Wim Paulussen CC: [EMAIL PROTECTED] Onderwerp: Re: [PHP] MSSQL connection You need to turn on the MSSQL extension in your php.ini, under Windows this file is probably in: c:\winnt\php.ini On Tue, 2003-06-17 at 11:01, Wim Paulussen wrote: LS, I am trying to get a connection to a remote MSSQL server. This is what I found in the online manual : quote mssql_connect() establishes a connection to a MS SQL server. The servername argument has to be a valid servername that is defined in the 'interfaces' file. /quote This is the command given : quote $test = mssql_connect(SQL-001,whoever,whatever); /quote This is the output of the code snippet quote Fatal error: Call to undefined function: mssql_connect() in c:\program files\apache\htdocs\pestest\axtest.php on line 5 /quote The error message seems to be out of line with the manual . I was wondering whether this is related to the definition in the 'interfaces' file (whatever that may be). All help highly appreciated. Wim -- Adam Voigt ([EMAIL PROTECTED]) Linux/Unix Network Administrator The Cryptocomm Group -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] php editor?
My two cents : jEdit main reasons why : - syntax highlighting - works on Linux and Windows (java-based) - full folding capabilities Wim -Oorspronkelijk bericht- Van: M-Ali Mahmoodi [mailto:[EMAIL PROTECTED] Verzonden: Monday, June 16, 2003 7:35 AM Aan: [EMAIL PROTECTED] Onderwerp: Re: [PHP] php editor? if no newer editors? so the old messages suggest the older! Lars Torben Wilson [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] On Sat, 2003-06-14 at 12:59, electroteque wrote: boy how painfully dweebish is vi why make it harder for yourself :O Please don't start this again. If you want arguments about editors just read the old ones in the archives. It's highly unlikely that any useful new arguments will be made if we start a new flamewar over it. :) Just suggesting one or two editors you like is more useful. -- Torben Wilson [EMAIL PROTECTED]+1.604.709.0506 http://www.thebuttlesschaps.com http://www.inflatableeye.com http://www.hybrid17.com http://www.themainonmain.com - Boycott Starbucks! http://www.haidabuckscafe.com - -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] regarding ?php ? tags
extract from php.ini file ; Allow the ? tag. Otherwise, only ?php and script tags are recognized. ; NOTE: Using short tags should be avoided when developing applications or ; libraries that are meant for redistribution, or deployment on PHP ; servers which are not under your control, because short tags may not ; be supported on the target server. For portable, redistributable code, ; be sure not to use short tags. short_open_tag = On ; Allow ASP-style % % tags. asp_tags = Off Hope this helps YT -Oorspronkelijk bericht- Van: Ulrik NIelsen [mailto:[EMAIL PROTECTED] Verzonden: Friday, June 13, 2003 3:39 PM Aan: [EMAIL PROTECTED] Onderwerp: Re: [PHP] regarding ?php ? tags Mike Ford wrote: This has been discussed more than once by the PHP developers, and the decision has always been not to adopt it. I think you can safely file it in the Won't Fix category (there may even be a Feature Request at bugs.php.net marked as such). bugger ;) I would have loved this feature -- ulrik - ulrik(@)lazy.dk excuse of the day : Domain controller not responding from bofh : http://www.cs.wisc.edu/~ballard/bofh/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Sessions and login
page 1 : login.php
input user name - Post veriable
input password- post variable
page 2 : verify.php
session_start()
// supposing name is entered
if (!$_POST['password'] == )
{
// verification against database
if (successfully authenticated)
{
$_SESSION['user'] = $_POST['user'];
header(location: authPage.php);
}
}
header(location: login.php); // returns back to login page
-Oorspronkelijk bericht-
Van: Angelo Zanetti [mailto:[EMAIL PROTECTED]
Verzonden: Wednesday, June 11, 2003 3:09 PM
Aan: [EMAIL PROTECTED]
Onderwerp: [PHP] Sessions and login
Hi guys kinda new to php.
Ok I have a php page that a user has to enter a pw to gain access to another
page (lets call it authPage).However before I i can grant access to authPage
I want to verify 1. that a pw was entered and 2. that it is correct. So I
thought it would be better NOT to do the auth in authPage but rather have
another page that does the authorization. Lets call that page verifyPage. On
here if the password is entered and is correct according to the DB then I
want to create and register a session. This is how ive done the session
section:
session_register('user');
$_SESSION['user'] = ebusUser;
Then I want the session to call authPage (because the pw is correct)
together with the session variable. The way I am doing this (doesnt seem to
be working) is to call authPage with as a header call eg:
header(Location: authPage.php);
The problem I think I am having is that the session variable isnt being
passed to the authPAge. How else can I call the authPage from verifyPage so
that the session variable gets passed. BTW I have register_globals = on;
Any help would be greatly appreciated.
Angelo
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] pattern matching for the dot-sign
LS, I am looking for a way to replace . (=dot) to , in a string with either ereg_replace or preg_match . I read the manual in PHP on Pattern matching for preg_match but could not immediately trace it. All help appreciated. Wim -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Re: OpenSource PHP Project
Check this out , mate. Fatal error: Failed opening required 'PEAR.php' (include_path='') in /home/groups/p/pr/prattcms/htdocs/phplayersmenu-2.3.5/lib/layersmenu.inc.php on line 4 -Oorspronkelijk bericht- Van: Randum Ian [mailto:[EMAIL PROTECTED] Verzonden: Wednesday, June 04, 2003 11:33 AM Aan: [EMAIL PROTECTED] CC: [EMAIL PROTECTED] Onderwerp: Re: [PHP] Re: OpenSource PHP Project Try here mate, http://prattcms.sourceforge.net/ May help if the website worked... OR give us a link to the SF project page? Michael A Smith [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Hi, Anyone interested in helping out with an opensource CMS project. PHP/MySQL/Smarty Templates/Modules checkout prattcms.sf.net. It's different from other CMSs in that it is not user-driven. The pages use a WYSIWYG editor (inline, htmlarea, also open-source). Thanks! -Michael -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php Randum Ian [EMAIL PROTECTED] DancePortalGlobal Webmaster http://www.danceportalglobal.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Sessions can be dangerous
George, Having created an invoicing system using php , I very clearly understand the advantage the session construction holds : the information is maintained on the server, rather than floating around in cyberspace between the client and server each and every time you exchange information. If you want to use hidden input you need to set up a secure link each and every time you transfer the o so important username/password combination. Furthermore , the session data is not that difficult to access with another program as long as you can capture the session-id, which you can. All in all , I did not yet come across a better system to get something working in a manageable and secure way. You could go a step further and mimick the session_data management via a database interface if your data quality is such an important issue, but then again, make sure you have a foolproof system to make logging in into the database secure ! Nobody forces you to use the session system and if you want to shy away from it , it is your choice, but I am a little bit afraid that your lenghty email about session insecurity will be meaningfull only for the core PHP developers/auditors. Wim -Oorspronkelijk bericht- Van: George Whiffen [mailto:[EMAIL PROTECTED] Verzonden: Friday, May 30, 2003 4:27 PM Aan: [EMAIL PROTECTED] Onderwerp: [PHP] Sessions can be dangerous Dear All, There doesn't seem to be much discussion of the disadvantages and long term dangers of using php sessions. So let's redress the balance: 1. Heterogeneous Code Environments php session data is not easily accessible from non-php code e.g. Perl/C/ASP etc. In contrast, either client-stored data e.g. cookies, hidden posts, get variables, or data stored in a structured database table, (i.e. one column per variable), is easily accessible from other code. The implication is that sessions may suit you fine as long as only php is used on your site. However, if your site matures and you ever want or need to use another language for some pages, it will be hard for those pages to access data stored in sessions. On the other hand, if the data had been stored in an well-established industry standard format, you should have no problems. 2. Provably Secure Authentication Data Hopefully we all know by now that the best way to safely authenticate for access control is to make sure the username/password is checked every time either by your script, your webserver or a trusted third-party. However, I have the feeling some session users are tempted to simply authenticate in one script and store a logged in or username flag in the session without the username/password having been re-validated. It's not a complete disaster if you do this, which probably means lots of people do it! But this is only as secure as the session_id key. I don't doubt that session_ids are generated with a high-quality random number generator and should be suitably uncrackable. However, the crackability/vulnerability of a username/password schema is very well understood. Can we really say that the vulnerability/crackability of a session_id is as well understood? What happens if, and I'm sure it's a remote chance, there is ever a bug in the session-key generation that stops them being so random so a session_id crack becomes not just possible but real easy! Usernames/passwords just don't have that kind of vulnerability, and the vulnerabilities they do have are well known. 3. Independent Audit of Server Stored Data Procedures for independently verifying the data stored on a server in a SQL RDBMs are well established. It is easy to query the database schema to see what columns are defined. It is easy to verify that the data actually held in a column is as expected. In general it is easy to prove and verify what data is held e.g. to prove Data Protection compliance or Bank/Credit Card requirements, (no storage of cvv2 for example). It is intrinsically much harder to prove that the contents of php session data are compliant. You need to write a php script to unpack the session data. That means proving that that script itself is safe. Even after you've unpacked the session data, you still have to make sense of it. Different sessions may hold different numbers of differently named variables. But that's not all, the same variable may hold data in different formats in different sessions! Practically you have some pretty complex processes to prove what data you have stored and to verify that you have stored what you thought you'd stored! All in all, php sessions are NOT going to be popular with data auditors. Once again, that may not matter to you now, but down the line it could become a BIG issue. 4. State-ful Designs My personal concern about sessions, is more about the design issues. What worries me is that sessions may be used to try and re-create client/server style state when the most distinctive advantage of the internet, (and the key to its astounding success
RE: [PHP] How to question.
Dear Ryan, 2 possible scenarios I use : a. store the values in variables that you transfer back and forth using 'hidden' input b. store the values in variables that you register in the session you opened (fyi all my php files start with session_start regardless whether I use it or not). Wim -Oorspronkelijk bericht- Van: Ryan A [mailto:[EMAIL PROTECTED] Verzonden: Friday, May 30, 2003 11:37 AM Aan: [EMAIL PROTECTED] Onderwerp: [PHP] How to question. Hi, I am a little confused with something that I am trying to implement (if you want to see the code tell me, but its pretty simple so i dont think you will need to) heres the idea, I want the client to be able to save up his choice into his account eg: his choice is 5 records (which transalates to me just saving the sql for those 5 records into his account) heres my problem, I am trying to make it so that if he tries to save his 5 records and he has not already logged in, he should be presented with the login page (have done this via sessions) *BUT* after he logs in he does not have to pick the 5 records all over again, it should remember his 5 records and automatically put it in. eg: 1.guy come to site and picks 5 records (he is not logged in) 2. gets redirected to the login page (but his 5 records or the sql for the five records are savedhow i dont know) 3.he logs in and the sql is entered into his accounts database for use later on. Sorry if that sounded confusing but if you get what i am trying to say you will see that its not really. Thanks for your help, -Ryan -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Resending POST Variables
You can do this either by sending 'hidden' input and store the POST value in the 'hidden' input or by storing the variables in a session. At least , that is what I do and it works for me. -Oorspronkelijk bericht- Van: Shaun [mailto:[EMAIL PROTECTED] Verzonden: Wednesday, May 28, 2003 6:23 PM Aan: [EMAIL PROTECTED] Onderwerp: [PHP] Resending POST Variables Hi, I have a page which uses POST variables sent from a form. If a user clicks on a link on this page is it possible to send those POST variables to the next page aswell? Thanks for your help -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Session Question
You should be able to use $_SESSION with register_globals on. citation from manual If you want your script to work regardless of register_globals, you need to use the $_SESSION array. All $_SESSION entries are automatically registered. If your script uses session_register(), it will not work in environments where register_globals is disabled. -Oorspronkelijk bericht- Van: Pushpinder Singh Garcha [mailto:[EMAIL PROTECTED] Verzonden: Wednesday, May 28, 2003 6:18 PM Aan: Ernest E Vogelsinger CC: [EMAIL PROTECTED] Onderwerp: Re: [PHP] Session Question Hello Ernest, SInce register_globals() is ON on my server, I need to be able to figure out a way to ensure session security. Another question I had was that, with register_globals() ON can I still use the $_SESSION to set my variables ? I want to avoid recoding the entire application, so I want to see what can be done to enhance security with the current setup. Does the super-global array approach i.e. $_SESSION work, irrespective of the fact that REGISTER_GLOBALS is ON / OFF ? If I start setting session variables in the $_SESSION array from now on, will it improve the security of the session. I am a newbie in PHP session handling and am sorry if any of the above questions sound extremely lame. Thanks in advance, --Pushpinder On Wednesday, May 21, 2003, at 04:34 PM, Ernest E Vogelsinger wrote: At 21:51 21.05.2003, Pushpinder Singh Garcha said: [snip] register_globals is ON on my site. You should really rethink this - have a look at http://www.php.net/manual/en/security.registerglobals.php http://www.php.net/manual/en/ref.session.php section Sessions and Security register_globals=on simply enables anyone injecting globals to your site: http://www.yoursite.com/myscript.php?valid_user=sam+spade To keep sessions secure, one might consider these steps: (1) Filesystem security: session.save_path points to a directoy owned and readable by the webserver user only: session.save_path=/tmp/php chown apache:apache /tmp/php chmod 700 /tmp/php (2) If security issues are high you may attempt to make sure that the session identifier - be it via cookie or via URL parameter - gets additional confirmation. I once used this approach: I am transmitting a random cookie (random name, random value) to the browser, making a note (in $_SESSION) of the cookie name and its value. When the session gets revisited check for the existence and the value of this cookie. If the values match construct another random cookie, having another name and another value (also sending header information to delete the old cookie). If the cookie doesn't match don't discard the session but merely redirect the browser to another URL (usually a login page), clearing the session ID if it was received it as cookie. This has a drawback - clients are forced to accept cookies, or the system wouldn't work at all. Thus you can only implement it where security is at risk, and where acceptance of the additional cookie can be enforced (extranet applications, for example). (3) As a last resort one can remember the client IP that must match for the same session. This is not secure at all, and it doesn't work with some AOL connections where client IPs change at will (by AOL using random proxies for every INet connection). You can however automatically rule out that method if the client IP stems from the AOL-assigned range. Keeping a very good eye on session security, sessions are the only thing where you can keep login data and access rights, just like you're doing it. I would only urge you NOT to use session_register() and session_is_registered(), but to use the $_SESSION[] superglobal to be absolutely sure you're using only data you yourself have put there, and not injected data. -- O Ernest E. Vogelsinger (\)ICQ #13394035 ^ http://www.vogelsinger.at/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Installation help
Did you already look up executables in the mysql/bin folder and ran them . Try launching winmysqladmin. -Oorspronkelijk bericht- Van: Brian Dunning [mailto:[EMAIL PROTECTED] Verzonden: Tuesday, May 27, 2003 6:07 PM Aan: [EMAIL PROTECTED] Onderwerp: [PHP] Installation help Hi, I am a lamer a newbie, and ran the PHP and MySQL installers on my XP box, but can't connect to any database and don't see any new processes running. Is there someplace I can find documentation for this that is optimized for the newbie lamer? Thanks, - Brian -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Permission denied, although permissions are right
So there's no way for me to open that file ? It's generated as zapman and I can't change that... Any ideas or tricks to get around the protection without causing a big security hole ? Fred wrote: Your PHP script may be owned by zapman, but it is run as nobody. Therefore your file that you need to access also needs to be owned by nobody. Fred Wim Godden [EMAIL PROTECTED] wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... Hi, I'm trying to open a file (using fopen) in the /tmp directory which is owned by user 'zapman'. The php script is also owned by user 'zapman'. However, when I try to run it, I get : Warning: fopen(/tmp/1.dat,r) - Permission denied in /documents/zapman/html/openfile.php on line 5 If I do a ps auwx | grep http, I get : root 20341 0.0 0.0 15100 56 ?S12:46 0:02 /usr/local/apache/bin/httpd -DSSL nobody 20342 0.6 3.3 18276 4184 ?S12:46 0:26 /usr/local/apache/bin/httpd -DSSL nobody 20343 0.8 4.6 20008 5936 ?S12:46 0:35 /usr/local/apache/bin/httpd -DSSL nobody 20344 0.3 3.2 16100 4108 ?S12:46 0:15 /usr/local/apache/bin/httpd -DSSL So the main process is running as root, the rest is running as nobody... that's the way to do it, right ? Or should I run Apache as root (which I don't like at all !) ? Greetings, Wim Godden -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] Permission denied, although permissions are right
Hi, I'm trying to open a file (using fopen) in the /tmp directory which is owned by user 'zapman'. The php script is also owned by user 'zapman'. However, when I try to run it, I get : Warning: fopen(/tmp/1.dat,r) - Permission denied in /documents/zapman/html/openfile.php on line 5 If I do a ps auwx | grep http, I get : root 20341 0.0 0.0 15100 56 ?S12:46 0:02 /usr/local/apache/bin/httpd -DSSL nobody 20342 0.6 3.3 18276 4184 ?S12:46 0:26 /usr/local/apache/bin/httpd -DSSL nobody 20343 0.8 4.6 20008 5936 ?S12:46 0:35 /usr/local/apache/bin/httpd -DSSL nobody 20344 0.3 3.2 16100 4108 ?S12:46 0:15 /usr/local/apache/bin/httpd -DSSL So the main process is running as root, the rest is running as nobody... that's the way to do it, right ? Or should I run Apache as root (which I don't like at all !) ? Greetings, Wim Godden -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] session variables in functions....
Somebody knows why I cannot reach the $HTTP_SESSION_VARS in a function
For example, why does this not output the en-US string three times:
?
session_register(LangID);
$HTTP_SESSION_VARS[LangID] = en-US;
echo($HTTP_SESSION_VARS[LangID]);
echo(**);
function CurrentLang(){
$language = $HTTP_SESSION_VARS[LangID];
echo($language);
}
CurrentLang();
echo(**);
echo($HTTP_SESSION_VARS[LangID]);
?
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] Calculate # of minutes during working hours between two dates
Hi all, I want to calculate the number of minutes between two dates, but only those minutes on monday through friday between 08.00 and 17.30. I could evaluate every minute in the interval against all known minutes during working hours, but that's a bit much :-) Any suggestions for a better, more efficient algorithm? Tia. -- Greetinx, Wim Koorenneef [EMAIL PROTECTED] Boxtel, the Netherlands -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
