php-general Digest 11 Mar 2006 10:18:07 -0000 Issue 4009

Topics (messages 231760 through 231781):

Re: highlight_string()
        231760 by: Weber Sites LTD

Re: Editing an existing pdf?
        231761 by: Sam Smith
        231765 by: Meron
        231771 by: Sam Smith
        231774 by: Meron

Re: LDAP and Single Sign On MORE THOUGHTS
        231762 by: Rick Emery
        231763 by: jblanchard.pocket.com
        231764 by: Rick Emery
        231766 by: jblanchard.pocket.com
        231768 by: Rick Emery
        231769 by: Jochem Maas
        231775 by: Rick Emery
        231780 by: Rory Browne

Re: Dynamic Form List - how to change values
        231767 by: Jochem Maas

Displaying documents stored under web root
        231770 by: Gerry Danen
        231777 by: Chuck Anderson

QUARANTINED: Xuvpcx
        231772 by: WorkgroupMail Content Filter

PDOStatement::execute() Return Values
        231773 by: Chris

Re: ebay/nusoap example?
        231776 by: Paul Reinheimer

mktime month
        231778 by: Mark Steudel
        231779 by: Austin Denyer

database connection pool
        231781 by: Khai

----------------------------------------------------------------------
--- Begin Message ---
Hi

I found an example for this on WeberDev and got it to work pretty good.
However, when I started to check, I now have a different issue.

Till now, I just highlighted all of the text. Now I take the php code
out, highlight only the php code and put it back in.

The problem is that I'm looking for anything between <? and ?>
and some of the code examples have <?..... <?xml..... ?>.....?>

So what I really take out is <?..... <?xml..... ?>

How can I avoid this?

thanks

-----Original Message-----
From: chris smith [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 10, 2006 1:19 PM
To: Weber Sites LTD
Cc: php-general@lists.php.net
Subject: Re: [PHP] highlight_string()

On 3/10/06, Weber Sites LTD <[EMAIL PROTECTED]> wrote:
> Hi
>
> I'm trying to go with your idea but I'm having difficulties with 
> preg_match_all.
> I want the text between <?php and ?>. The use of preg_match_all below
> only returns text that is in a single line. If the <?php is on one line
> and the ?> is a few lines below, it does not match.
>
> preg_match_all('/<\?php(.*?)\?>/i',$text,$CodeArray,PREG_PATTERN_ORDER);

Try /is

it will treat the string as one huge line.

> -----Original Message-----
> From: Chris [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, March 07, 2006 3:08 AM
> To: Weber Sites LTD
> Cc: php-general@lists.php.net
> Subject: Re: [PHP] highlight_string()
>
> Weber Sites LTD wrote:
> > I was afraid of that...
> > I need to do HTML manipulations on the text that is outside the <??>.
> > After I run highlight_string the original text is messed up.
> > If I run the manipulations before then they will look like HTML and
> > not act as HTML...
> >
> > Any ideas?
>
> You could get the php from your page, highlight it and replace it back in:
>
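> // "?" escaped, non-greedy match, and a callback so highlight_string() runs (true = return the HTML)
> $content = preg_replace_callback('%<\?(.*?)\?>%s', function ($m) { return highlight_string($m[0], true); }, $content);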
>
> don't know if that will work straight out for you but that should give 
> you an idea on how to proceed.
>
>
> Or you could temporarily remove them, do whatever then replace it back in:
>
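> $placeholders = array();
> // Pull out each <? ... ?> block ("?" escaped, non-greedy) and leave a marker behind.
> while (preg_match('%<\?(.*?)\?>%s', $content, $matches)) {
>    $size = sizeof($placeholders);
>    $placeholders[$size] = $matches[0]; // keep the tags so highlight_string() sees PHP
>    $content = str_replace($matches[0], '%%PLACEHOLDER['.$size.']%%', $content);
> }
>
> ... other processing here.
>
> // Put the highlighted code back; the second argument makes highlight_string() return the HTML.
> foreach($placeholders as $i => $text) {
>    $content = str_replace('%%PLACEHOLDER['.$i.']%%', highlight_string($text, true), $content);
> }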
>
>
> > -----Original Message-----
> > From: chris smith [mailto:[EMAIL PROTECTED]
> > Sent: Monday, March 06, 2006 11:59 AM
> > To: Weber Sites LTD
> > Cc: php-general@lists.php.net
> > Subject: Re: [PHP] highlight_string()
> >
> > On 3/6/06, Weber Sites LTD <[EMAIL PROTECTED]> wrote:
> >
> >>The only way I could work around this was to put empty <??> at the
> >>beginning of the text and now highlight_string() highlights only
> >>what is inside <? ?>
> >>
> >>You can see an example of the problematic text in the example area
> >>of this page : http://www.weberdev.com/get_example-4345.html
> >>
> >>Notice the empty <? ?> at the beginning of the example.
> >>Without them, all of the example, including the text and HTML part
> >>will be painted by highlight_string().
> >>
> >>Is this a bug?
> >
> >
> > No. It will highlight html as well.
> >
> > You can give the illusion of it not highlighting the html by using:
> >
> > ini_set('highlight.html', '#000000');

--
Postgresql & php tutorials
http://www.designmagick.com/

--- End Message ---
--- Begin Message ---
> 
> I wanted to add texts from an html form to existing pdf.
> I was able to create a pdf but not to edit it.
> 
> Please give me guidance how to.

FDF is what you're after if I understand this brief post.

Google FDF PDF PHP. PHP writes the FDF file which fills out a linked PDF
form. Notice I said PDF form.

--- End Message ---
--- Begin Message ---
Thank you for the quick reply Sam.
In fact I took this option at first but I did not proceed because creating a
pdf form is new to me.
And also I do not have the tool. What do you advise me?
--
View this message in context: 
http://www.nabble.com/Editing-an-existing-pdf--t1202479.html#a3339621
Sent from the PHP - General forum at Nabble.com.

--- End Message ---
--- Begin Message ---
> 
> Thank you for the quick reply Sam.
> In fact I took this option at first but I did not proceed because creating a
> pdf form is new to me.
> And also I do not have the tool. What do you advise me?

I would like to hang out on a yacht off the coast of Saint Tropez where
Paris Hilton and her friends stop by most afternoons because they love
trying to beat me at strip poker but I'm poor and ugly, what do you advise.

Seriously, you need the tools and the education. Get the Acrobat demo for
free 30 days. <http://www.adobe.com/products/acrobatpro/tryout.html>

There's a companion app called Designer that builds forms.

--- End Message ---
--- Begin Message ---
Thank you for replying patiently.
No hard feelings but imagination is better than preinformation. Einstein

--
View this message in context: 
http://www.nabble.com/Editing-an-existing-pdf--t1202479.html#a3343684
Sent from the PHP - General forum at Nabble.com.

--- End Message ---
--- Begin Message ---
Quoting [EMAIL PROTECTED]:

> [snip]
> As far as I can tell you will have to ask the user to login at the web
> application level again, but you can verify it against your AD via LDAP
> with the basic stuff from http://www.php.net/ldap
> [/snip]
>
> We are sitting here having a discussion on login techniques and I came up
> with a thought...why not have a login script write a cookie that then
> could be read by PHP and compared against the AD via LDAP? Does anyone
> see any gotchas with that kind of process?

Couldn't I write my own cookie to fool the authentication into thinking I'm somebody else?

--
Rick Emery

"When once you have tasted flight, you will forever walk the Earth
 with your eyes turned skyward, for there you have been, and there
 you will always long to return"
                                              -- Leonardo Da Vinci

--- End Message ---
--- Begin Message ---
[snip]
> We are sitting here having a discussion on login techniques and I came up
> with a thought...why not have a login script write a cookie that then
> could be read by PHP and compared against the AD via LDAP? Does anyone
> see any gotchas with that kind of process?

Couldn't I write my own cookie to fool the authentication into
thinking I'm somebody else?
[/snip]

I suppose that you could do that if you were savvy enough to realize
that automatic login to the intranet used a cookie for authentication
and you knew how to format the cookie and properly hash a checksum
stored in the cookie. The user information stored in the cookie would be
verified against the AD via LDAP.

--- End Message ---
--- Begin Message ---
Quoting [EMAIL PROTECTED]:

> [snip]
> Couldn't I write my own cookie to fool the authentication into
> thinking I'm somebody else?
> [/snip]
>
> I suppose that you could do that if you were savvy enough to realize
> that automatic login to the intranet used a cookie for authentication
> and you knew how to format the cookie and properly hash a checksum
> stored in the cookie. The user information stored in the cookie would be
> verified against the AD via LDAP.

First, let me apologize for having to take it to a basic level. I'll admit that I'm fairly new to web development, but this is something I could *really* use at work and I want to make sure I understand (just to set the stage, we use Windows/Active Directory/MS SQL Server at work, but have decided that future applications will be written in PHP run on Linux/Apache).

So I have a login script that sets a cookie when the user logs in. Then I have an application written in PHP that reads the cookie for authentication purposes.

What would I store in the cookie? Would the username be sufficient (since the cookie was set, we can assume that it was already authenticated through AD, right), or is there something more I can add to the cookie to make the process more secure?

Which leads back to my original question; what would keep me from setting a cookie with, say, my manager's username, fooling the PHP application into thinking I'm her?

I can't help but feel like I'm missing something.

Thanks,
Rick

--- End Message ---
--- Begin Message ---
[snip]
First, let me apologize for having to take it to a basic level. I'll  
admit that I'm fairly new to web development, but this is something I  
could *really* use at work and I want to make sure I understand (just  
to set the stage, we use Windows/Active Directory/MS SQL Server at  
work, but have decided that future applications will be written in PHP  
run on Linux/Apache).

So I have a login script that sets a cookie when the user logs in.  
Then I have an application written in PHP that reads the cookie for  
authentication purposes.

What would I store in the cookie? Would the username be sufficient  
(since the cookie was set, we can assume that it was already  
authenticated through AD, right), or is there something more I can add  
to the cookie to make the process more secure?

Which leads back to my original question; what would keep me from  
setting a cookie with, say, my manager's username, fooling the PHP  
application into thinking I'm her?

[/snip]

You could just store a username, since they have already authenticated,
but a cookie with just a username would be easy to duplicate. My current
thought is to hash a checksum of some sort and store that in the
cookie as well. That way you avoid the username only problem. I do not
want to store the user's password in any format in the cookie. I am
thinking that the login script will cause a cookie to be written (via
PHP) with a base64 encoded
(http://www.php.net/manual/en/function.base64-encode.php) string or some
other hash method. Then that string could be decoded when the user
accesses the intranet site and compared against whatever criteria you
deem necessary.

I have not tested this though. It is on my task list for next week
though. :)

So, you could set a cookie with your manager's name, but it wouldn't
work. You would also have to know how to encode a string properly for
storage in the cookie. Read
http://www.php.net/manual/en/function.setcookie.php for more information
on cookies.

--- End Message ---
--- Begin Message ---
Quoting [EMAIL PROTECTED]:

> You could just store a username, since they have already authenticated,
> but a cookie with just a username would be easy to duplicate. My current
> thought is to hash a checksum of some sort and store that in the
> cookie as well. That way you avoid the username only problem. I do not
> want to store the user's password in any format in the cookie. I am
> thinking that the login script will cause a cookie to be written (via
> PHP) with a base64 encoded
> (http://www.php.net/manual/en/function.base64-encode.php) string or some
> other hash method. Then that string could be decoded when the user
> accesses the intranet site and compared against whatever criteria you
> deem necessary.

Okay, I'm following all of this. So I could take, say, the username reversed and encode it, then decode it in the PHP application, and be safe as long as nobody ever figures out what I'm encoding and how I'm encoding it. What would be great would be if the value that gets encoded could somehow be dynamic (like the current time, or even a randomly generated string). But then how would the PHP script know what the decoded value is supposed to be? Hmmm...something to think about.

> I have not tested this though. It is on my task list for next week
> though. :)

Let us know how it goes!

Thanks,
Rick

--- End Message ---
--- Begin Message ---
Rick Emery wrote:
> Quoting [EMAIL PROTECTED]:
>
>> You could just store a username, since they have already authenticated,
>> but a cookie with just a username would be easy to duplicate. My current
>> thought is to hash a checksum of some sort and store that in the
>> cookie as well. That way you avoid the username only problem. I do not
>> want to store the user's password in any format in the cookie. I am
>> thinking that the login script will cause a cookie to be written (via
>> PHP) with a base64 encoded
>> (http://www.php.net/manual/en/function.base64-encode.php) string or some
>> other hash method. Then that string could be decoded when the user
>> accesses the intranet site and compared against whatever criteria you
>> deem necessary.
>
> Okay, I'm following all of this. So I could take, say, the username reversed and encode it, then decode it in the PHP application, and be

I wouldn't do it like that....

instead stick the username in the cookie in plaintext and as a one-way encoded
hash (the hash creation could make use of a fixed, secret prefix string [amongst
other things] to make it secure) - then to check the cookie you take the
plain text name, perform the same hash creation routine on it and compare the
results of that with the encoded hash that was sent in the cookie - if they match the
cookie could be considered valid and untampered.

the basic gist being don't use two way encryption, use a one-way hash like
sha1().

> safe as long as nobody ever figures out what I'm encoding and how I'm encoding it. What would be great would be if the value that gets encoded could somehow be dynamic (like the current time, or even a randomly generated string). But then how would the PHP script know what the decoded value is supposed to be? Hmmm...something to think about.

well you can stick it in the session ... but like I said decoding is an
unnecessary step it seems to me (given that you can achieve the validation
using a one-way encryption method)


>> I have not tested this though. It is on my task list for next week
>> though. :)
>
> Let us know how it goes!
>
> Thanks,
> Rick


--- End Message ---
--- Begin Message ---
Quoting Jochem Maas <[EMAIL PROTECTED]>:

> Rick Emery wrote:
>> Okay, I'm following all of this. So I could take, say, the username reversed and encode it, then decode it in the PHP application, and be
>
> I wouldn't do it like that....
>
> instead stick the username in the cookie in plaintext and as a one-way encoded
> hash (the hash creation could make use of a fixed, secret prefix string
> [amongst other things] to make it secure) - then to check the cookie you take the
> plain text name, perform the same hash creation routine on it and
> compare the results
> of that with the encoded hash that was sent in the cookie - if they match the
> cookie could be considered valid and untampered.
>
> the basic gist being don't use two way encryption, use a one-way hash
> like sha1().

Okay. I don't know enough about encoding/encryption to discuss the merits either way, but I'll go along with your suggestion.

So to carry through on my thought, the "secret prefix" would have to be constant. I'd like to find a way to make it variable (and random, even; I'm working under the assumption that at least one of our users would be smart enough to write a cookie to masquerade as another user).

I have an idea, but I have little experience with Active Directory or LDAP, and I think I'm venturing into the space of "off-topic". I wonder if it would be possible (probably after modifying the schema) to write a value into the user's account in Active Directory/LDAP. The login script could generate a random string to prefix the username, hash it, write the random value into the user's LDAP record, and write the cookie. The PHP app on the other side could get the value from the user's LDAP record and then do the comparison. That way, each user would have a different "secret prefix", and it would be different each time that user logged in.

Thoughts?

> well you can stick it in the session ... but like I said decoding is an
> unnecessary step it seems to me (given that you can achieve the validation
> using a one-way encryption method)

Wouldn't the session expire on completion of the login script? If I opened a browser to run an application on our Intranet, wouldn't that create a different session? Again, I may be missing something.

Thanks for the discussion; I'm really enjoying it.
Rick

--- End Message ---
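
The cookie check discussed in the messages above (username in plaintext plus a keyed one-way hash, and Rick's wish for a value that changes between logins), as an added example that is not code from anyone in this thread. It swaps the secret-prefix sha1() for hash_hmac() with SHA-256 and adds an expiry timestamp; COOKIE_KEY, make_login_cookie(), verify_login_cookie() and the sample usernames are hypothetical.

```php
<?php
// Assumption: a long random secret loaded from server-side configuration.
// It is never sent to the browser and is the only thing an attacker lacks.
const COOKIE_KEY = 'replace-with-32-random-bytes-from-config';

// Build "base64(username)|expiry|mac". base64 is only an encoding that keeps
// the "|" separator unambiguous; anyone can decode it, so it protects nothing.
// The HMAC over username and expiry is what makes the cookie tamper-evident.
function make_login_cookie(string $username, int $ttl, ?int $now = null): string
{
    $expires = ($now ?? time()) + $ttl;
    $payload = base64_encode($username) . '|' . $expires;
    $mac = hash_hmac('sha256', $payload, COOKIE_KEY);
    return $payload . '|' . $mac;
}

// Return the username if the cookie is intact and unexpired, otherwise null.
function verify_login_cookie(string $cookie, ?int $now = null): ?string
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$encodedUser, $expires, $mac] = $parts;

    // Recompute the MAC from the received fields and compare in constant
    // time, so the comparison itself does not leak how many bytes matched.
    $expected = hash_hmac('sha256', $encodedUser . '|' . $expires, COOKIE_KEY);
    if (!hash_equals($expected, $mac)) {
        return null;
    }

    // The expiry is covered by the MAC, so it cannot be extended client-side.
    if (!ctype_digit($expires) || (int) $expires < ($now ?? time())) {
        return null;
    }

    $user = base64_decode($encodedUser, true);
    return $user === false ? null : $user;
}

// Constructed sample run with a fixed clock.
$now = 1142000000;
$cookie = make_login_cookie('alice', 3600, $now);

// 1. The genuine cookie, checked one minute after login.
var_dump(verify_login_cookie($cookie, $now + 60));

// 2. Same cookie with the username swapped for another account.
$forged = explode('|', $cookie);
$forged[0] = base64_encode('manager');
var_dump(verify_login_cookie(implode('|', $forged), $now + 60));

// 3. A cookie that is just an encoded username, with no MAC at all.
var_dump(verify_login_cookie(base64_encode('manager'), $now + 60));

// 4. The genuine cookie, checked after its lifetime has passed.
var_dump(verify_login_cookie($cookie, $now + 7200));
```

Because the expiry differs at every login, the MAC differs too, without storing a per-user secret in LDAP. A copied cookie is still valid until it expires, so it should only travel over https.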
--- Begin Message ---
I've got a bit lost on this, but assuming that we are talking about an
intranet environment, with windows/IE6 clients, and apache servers, then
personally:

I would check logins based on a valid session. If the user doesn't have a
session they aren't logged in. Store the username in the session variable.
PHP session variables are AFAIK designed to be hard to detect and fake.

Any code that is run under a http:// website ( as opposed to an ssl or
https:// one ), reads the session(ie does not write to it). Any
authentication should be done using a script accessed over https, protected
by mod_auth_kerb.

The http:// script would be accessed by the person when they first access
the protected site. The protected site would detect that the user is not
logged in, and redirect them to the authentication site(which is behind
mod_auth_kerb, and https), which would create the session, and redirect the
user back, to the page where they originally tried to access.

--- End Message ---
--- Begin Message ---
tedd wrote:
Pat:

I would suggest changing to:

http://.../chkout.php?imagename=NATURE-1.jpg&count=6&continue=Continue+Checkout,

$newqty = $_GET['count'];
$imagename = $_GET['imagename'];

Also, to see what you are actually "getting" try:

echo ("<br/>");
echo ("<pre>");
echo ("GET info:\n");
print_r($_GET);
echo("</pre>");

You might also want to consider taking care of undefined variables -- here's a reference:

http://www.weberdev.com/get_example-3823.html

HTH's

tedd


Ok, this works for one item, but my shopping cart may have (hopefully) dozens of items in it. How do I refer to each new quantity changes for each new row in the table? I was hoping that by making the qty field a name of the image, I would be able to match the new qty up with the right image quickly, but that won't work, obviously.

How can I change multiple items in a list (or all) when the list is dynamically created? My approach may be wrong -- suggestions?


Pat:

You can add numerous items to the url. I don't remember the total number of characters that's allowed, but it's considerable.

if you're running Apache the default max length of the url is 8K - this can be
upped but you have to recompile Apache. the HTTP spec itself doesn't stipulate a limit
to the length... in general though anything over 512 bytes (outside of
CMS tools) is discouraged...


If you reach the limit, you might consider reducing the number of characters in your variables, such as: "NATURE-1.jpg" could be n1 where you had a look-up table or you knew what the cryptic code was to make the transformation.

Or you could continue on a course like you were with n1=6 where you know that n1 stands for "NATURE-1.jpg" and the value contained therein is the value for that image.

There's lots of ways to do this.

As for it being dynamically created, that shouldn't present a problem either -- just treat the url as a string and add ampersands (&) between "variables and their value" pairs.

HTH's

tedd


--- End Message ---
--- Begin Message ---
Adrian,

I use something like this:

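<?php
if ($is_member) // global var set during login
{
  // or whatever your page is
  include("/home/belowdocroot/project_a/memberprofile.php");
}
else
{
  // Send the redirect before any output; an echo ahead of header() would
  // stop the Location header from being sent.
  header("Location: /members/login.php");
  echo "Sorry, members only. Please login or register.";
  exit; // stop here so nothing below runs for non-members
}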


HTH

Gerry
http://groups.yahoo.com/group/php_and_mysql/

On 3/10/06, Adrian Bruce <[EMAIL PROTECTED]> wrote:
>
> Hi
>
> After some advice (surprise!)
>
> I currently store restricted documents beneath the web root so they are
> not accessible via the URL, when a valid user wishes to view a document
> i copy it to a temporary folder above the root and load it in a new
> page.  the only way i can then manage to delete the copy is
> automatically deleting all temp files when any user goes to the log out
> page.
>
> This is obviously not a very good way of doing this but unless i can
> establish when a user is no longer viewing the doc then i don't know when
> to delete it.  I was wondering how others deal with these problems like
> this
>

--- End Message ---
--- Begin Message ---
Adrian Bruce wrote:

> Hi
>
> After some advice (surprise!)
>
> I currently store restricted documents beneath the web root so they are not accessible via the URL, when a valid user wishes to view a document i copy it to a temporary folder above the root and load it in a new page. the only way i can then manage to delete the copy is automatically deleting all temp files when any user goes to the log out page.
>
> This is obviously not a very good way of doing this but unless i can establish when a user is no longer viewing the doc then i don't know when to delete it. I was wondering how others deal with these problems like this
>
> any advice appreciated greatly
>
> Ade

I deliver restricted PDFs that are kept *above* the web root without using a temporary file. Why do you need to create a temporary file? I use headers and readfile.

--
*****************************
Chuck Anderson • Boulder, CO
http://www.CycleTourist.com
Integrity is obvious.
The lack of it is common.
*****************************

--- End Message ---
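
The "headers and readfile" approach from the message above, as an added example that is not code from anyone in this thread: the script checks the session, confines the requested name to one directory outside the web root, and streams the PDF with no temporary copy. DOC_ROOT, the `doc` query parameter, `$_SESSION['is_member']` and both function names are assumptions.

```php
<?php
// Assumption: restricted PDFs live in a directory the web server does not serve.
const DOC_ROOT = '/srv/private-docs';

// Map a requested name to a real PDF inside $baseDir, or return null.
function resolve_document(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // basename() discards any directory part, so "../../etc/passwd"
    // is reduced to "passwd" before it is joined to the base directory.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . basename($requested));
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // realpath() has followed symlinks; confirm the result is still inside
    // the base directory and really is a PDF by extension.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    if (strtolower(pathinfo($candidate, PATHINFO_EXTENSION)) !== 'pdf') {
        return null;
    }
    return $candidate;
}

// Stream the file straight from disk to the client.
function send_document(string $path): void
{
    // Strip quotes and line breaks so the name cannot break out of the header value.
    $name = str_replace(['"', "\r", "\n"], '', basename($path));
    header('Content-Type: application/pdf');
    header('Content-Disposition: inline; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: private, no-store'); // keep it out of shared caches
    readfile($path);
}

session_start();

// Authorisation happens on every request, before any file is touched.
if (empty($_SESSION['is_member'])) {
    header('Location: /members/login.php');
    exit;
}

$path = resolve_document(DOC_ROOT, $_GET['doc'] ?? '');
if ($path === null) {
    // Same answer for "missing" and "not allowed", so names cannot be probed.
    http_response_code(404);
    exit;
}

send_document($path);
```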
--- Begin Message ---
The message "Xuvpcx" from MAILER-DAEMON, sent on 3/10/2006 09:42 was 
quarantined because it contained either an executable file, a batch file or a 
screen saver file. All of these types of attachments are considered security 
risks. Please consult your mail administrator who can release the message.

This message was checked by MailScan for WorkgroupMail.
www.workgroupmail.com 

--- End Message ---
--- Begin Message ---
Under what circumstances does PDOStatement::execute() return false?

It seems to always return true.

Thanks,

Chris

--- End Message ---
--- Begin Message ---
I tried to get the eBay API working with nusoap for quite a while, but
eventually gave up and wrote my own code from scratch.

There is a pear project that deals with eBay if you're more interested
in using a prefab solution than coding your own from scratch.


paul

On 3/8/06, jon <[EMAIL PROTECTED]> wrote:
> Howdy...
>
> I don't suppose that any of you would happen to have an example of how
> to use the ebay API with nusoap?
>
> I've done plenty o' projects with nusoap, but working with the ebay api
> has me stumped. I don't really even know how to get started,
> coding-wise. (I've setup all the developer tokens and whatnot, so that's
> all good.)
>
> Thanks a lot,
>
>   -- jon
>


--
Paul Reinheimer
Zend Certified Engineer

--- End Message ---
--- Begin Message ---
I'm a little confused on the number I should use for the month:
 
Take the following:
 
echo date('Ymd', mktime(0, 0, 0, 3, 0, date("Y")) );
 
I expected it to output: 20060331
 
But instead it outputs 20060228.
 
In the examples for January in the PHP manual I get December instead of
January.
 
Is there a server config or any ideas what I am doing wrong?
 
Thanks, Mark

--- End Message ---
--- Begin Message ---
Mark Steudel wrote:
> I'm a little confused on the number I should use for the month:
>  
> Take the following:
>  
> echo date('Ymd', mktime(0, 0, 0, 3, 0, date("Y")) );
>  
> I expected it to output: 20060331
>  
> But instead it outputs 20060228.

Correct.

You are asking it for the zeroth day of March, which is the last day of
February.

Regards,
Ozz.


--- End Message ---
--- Begin Message ---
Hello,

My name is Khai. I am new to PHP. I am well versed with mod_perl and apache. With mod_perl, I can use Apache::DBI to cache database connections. Is there a module for PHP that does the same thing ?

Thank you,

Khai

--- End Message ---
