php-general Digest 21 Mar 2010 12:48:30 -0000 Issue 6651
Topics (messages 303062 through 303074):
Re: Session Variable Problem
303062 by: Adam Richardson
303074 by: tedd
Pulling my hair out over an include_once();
303063 by: Watson Blair
303064 by: Watson Blair
303065 by: Stan Vassilev
303066 by: Adam Richardson
303067 by: Rene Veerman
303068 by: Adam Richardson
303069 by: Watson Blair
303070 by: Watson Blair
303071 by: Adam Richardson
303072 by: Rene Veerman
REMINDER: Month of PHP Security 2010 - CALL FOR PAPERS - Only 3 weeks left
303073 by: Stefan Esser
Administrivia:
To subscribe to the digest, e-mail:
php-general-digest-subscr...@lists.php.net
To unsubscribe from the digest, e-mail:
php-general-digest-unsubscr...@lists.php.net
To post to the list, e-mail:
php-gene...@lists.php.net
----------------------------------------------------------------------
--- Begin Message ---
On Sat, Mar 20, 2010 at 6:56 PM, Gary <gwp...@ptd.net> wrote:
> Adam
>
> Thank you for your reply.
>
> ""Are you checking to see if the post variable is set in the code that
> handles saving the form values to session variables? ""
>
> No, I not done anything about the post variable, frankly I thought the
> session variable would cover it. I tried your code
>
> if (isset($_POST['lend_fname'])){
> $_SESSION['lend_fname']=stripslashes($_POST['lend_fname']);
> }
>
> And it seems to work fine, the data seems to stay. Is there an easier
> method
> (perhaps putting the post or session variables into an array?
>
> Again thank you for your reply and your solution.
>
> Gary
>
>
> "Adam Richardson" <simples...@gmail.com> wrote in message
> news:e4d8ea9d1003201529p1ab72baei147549423f5e3...@mail.gmail.com...
> > On Sat, Mar 20, 2010 at 2:22 PM, Gary <gwp...@ptd.net> wrote:
> >
> >> I have this perplexing issue of session varibles getting dropped. It is
> >> a
> >> 4
> >> page form, the last page being a review page incase the submitter wants
> >> to
> >> change any of the information.If you go through the form, all of the
> >> information carries forward, and from the review page if you go back to
> >> edit, it is there, however is you go back to page 2, then to page 1,
> page
> >> one info is gone.It gets worse in that page 2 sessions drop (more likely
> >> over written) if you go from page 3 to 2.
> >>
> >> Each page is started with
> >>
> >> <?php if(!isset($_SESSION)) {
> >> session_start();
> >> }
> >>
> >> Session varible:
> >>
> >> $_SESSION['lend_fname']=stripslashes($_POST['lend_fname']);
> >>
> >> Calling the session varible to the input field for review
> >>
> >> <?php if (isset($_SESSION['lend_fname'])) {echo
> >> 'value="'.htmlentities($_SESSION['lend_fname']).'"';}?>
> >>
> >> The page starts at
> http://www.paulgdesigns.com/one2one/lend_bor_input.php
> >>
> >> Im confused as to why they keep getting dropped and how to stop it.
> >>
> >> Hopefully I have given enough information.
> >>
> >> Thank you
> >>
> >> Gary
> >>
> >>
> >>
> >> __________ Information from ESET Smart Security, version of virus
> >> signature
> >> database 4961 (20100320) __________
> >>
> >> The message was checked by ESET Smart Security.
> >>
> >> http://www.eset.com
> >>
> >>
> >>
> >>
> >>
> >> --
> >> PHP General Mailing List (http://www.php.net/)
> >> To unsubscribe, visit: http://www.php.net/unsub.php
> >>
> >>
> >
> >
> > Are you checking to see if the post variable is set in the code that
> > handles
> > saving the form values to session variables? I can't tell if you're
> doing
> > this from the code you provided. If not, it's possible that when you are
> > returning to one of the earlier pages, you're attempting to again save
> the
> > form values even though the corresponding $_POST vars are empty. This
> > would
> > cause visiting page 2 to essentially delete the data previously posted
> > from
> > page 1.
> >
> > Using your example:
> >
> > // Only save if post variable present, which means
> > if (isset($_POST['lend_fname']))
> > {
> > $_SESSION['lend_fname']=stripslashes($_POST['lend_fname']);
> > }
> >
> > Also, some users will likely click the back button during the process,
> > which
> > brings up a funky message. You might try building one page that is
> > dedicated to saving all of the session variables, which then redirects to
> > the corresponding next page in the process.
> >
> > Adam
> >
> > --
> > Nephtali: PHP web framework that functions beautifully
> > http://nephtaliproject.com
> >
> >
> >
> > __________ Information from ESET Smart Security, version of virus
> > signature database 4961 (20100320) __________
> >
> > The message was checked by ESET Smart Security.
> >
> > http://www.eset.com
> >
> >
>
>
>
> __________ Information from ESET Smart Security, version of virus signature
> database 4961 (20100320) __________
>
> The message was checked by ESET Smart Security.
>
> http://www.eset.com
>
>
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
The session variables store what you tell them to store. The way your pages
were set up, it sounds like you always called the code that set the session
variable, even if the session variable was already set and even if there
were no POST variables sent.
People often do use sessions to preserve the state of a form's fields if the
form has multiple pages, just as you are doing. In this type of situation
someone can be visiting a page to 1) submit new data (POST data is present
such as when somebody clicks on the submit button in the previous page), or
2) review the data they've already entered (no POST data present, such as
when somebody uses the navigation on your page.) You have to check to see
which of the two possible types of page requests is occurring.
Using the code you have, you can probably just wrap the code that you have
that sets the session variables in an if block that checks for one of the
post variables you're expecting.
I'd recommend reading a tutorial or two on how PHP sessions work, such as
the following:
http://php.about.com/od/advancedphp/ss/php_sessions.htm
Adam
--
Nephtali: PHP web framework that functions beautifully
http://nephtaliproject.com
--- End Message ---
--- Begin Message ---
At 2:22 PM -0400 3/20/10, Gary wrote:
I have this perplexing issue of session varibles getting dropped. It is a 4
page form, the last page being a review page incase the submitter wants to
change any of the information.If you go through the form, all of the
information carries forward, and from the review page if you go back to
edit, it is there, however is you go back to page 2, then to page 1, page
one info is gone.It gets worse in that page 2 sessions drop (more likely
over written) if you go from page 3 to 2.
Each page is started with
<?php if(!isset($_SESSION)) {
session_start();
}
Session varible:
$_SESSION['lend_fname']=stripslashes($_POST['lend_fname']);
Calling the session varible to the input field for review
<?php if (isset($_SESSION['lend_fname'])) {echo
'value="'.htmlentities($_SESSION['lend_fname']).'"';}?>
The page starts at http://www.paulgdesigns.com/one2one/lend_bor_input.php
Im confused as to why they keep getting dropped and how to stop it.
Hopefully I have given enough information.
Thank you
Gary
Gary:
I think I know what the problem is. When you revisit previous pages,
you write over the previous data from an empty $_POST. Here's a way
to stop that.
<?php session_start();
if (isset($_POST ['lend_fname'])
{
$_SESSION['lend_fname'] = $_POST['lend_fname'];
}
As far as using strip_slashes() and htmlentities() I wait until I am
going to use the variables in some manner and then clean/scrub them
all at one time. That makes the process simpler for me -- plus I can
then keep all my security checks in one location.
Cheers,
tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
--- End Message ---
--- Begin Message ---
Hey all, i'm sure i'm missing something glaringly obvious, but i have yet to
find a solution to this online... so heres the line of code that i'm getting
hung up on:
<?php include_once("http://www.jennysjunket.com/magpierss/rss_fetch.inc";);?>
which gives me this:
*Warning*: include() [function.include]: URL file-access is disabled in the
server configuration in */home/content/81/5634781/html/ebay.php* on line*1*
*Warning*: include(http://www.jennysjunket.com/magpierss/rss_fetch.inc) [
function.include]: failed to open stream: no suitable wrapper could be found
in */home/content/81/5634781/html/ebay.php* on line *1*
*Warning*: include() [function.include]: Failed opening '
http://www.jennysjunket.com/magpierss/rss_fetch.inc' for inclusion
(include_path='.:/usr/local/php5/lib/php') in *
/home/content/81/5634781/html/ebay.php* on line *1*
*
*
ive got all of my permissions set as open as i can, but i'm
still baffled about it.
Thanks,
Watson
--- End Message ---
--- Begin Message ---
ah, i forgot to properly phrase my question... what am i doing wrong, and
how do i make it work? slash, could you guys/girls point me towards a
tutorial that will give me a hand?
Thanks again,
Watson
On Sun, Mar 21, 2010 at 1:00 AM, Watson Blair <bestudios...@gmail.com>wrote:
> Hey all, i'm sure i'm missing something glaringly obvious, but i have yet
> to find a solution to this online... so heres the line of code that i'm
> getting hung up on:
>
> <?php include_once("http://www.jennysjunket.com/magpierss/rss_fetch.inc
> ");?>
>
> which gives me this:
>
> *Warning*: include() [function.include]: URL file-access is disabled in
> the server configuration in */home/content/81/5634781/html/ebay.php* on
> line*1*
>
> *Warning*: include(http://www.jennysjunket.com/magpierss/rss_fetch.inc) [
> function.include]: failed to open stream: no suitable wrapper could be
> found in */home/content/81/5634781/html/ebay.php* on line *1*
>
> *Warning*: include() [function.include]: Failed opening '
> http://www.jennysjunket.com/magpierss/rss_fetch.inc' for inclusion
> (include_path='.:/usr/local/php5/lib/php') in *
> /home/content/81/5634781/html/ebay.php* on line *1*
> *
> *
> ive got all of my permissions set as open as i can, but i'm
> still baffled about it.
> Thanks,
> Watson
>
--- End Message ---
--- Begin Message ---
Hi,
As the error says, this is a problem with the server configuration.
In your php.ini file, allow_url_include should be enabled.
As an alternative, if you have allow_url_include off, but allow_url_fopen
on, you can file_get_contents() that URL and eval() it.
Keep in mind you need *absolute* trust that the URL won't serve malicious
PHP code, or change and break your site. If you need to run this code, it's
a lot better to save the file from your browser and store it with your site,
then include it locally. It'll be also faster this way.
Regards,
Stan Vassilev
ah, i forgot to properly phrase my question... what am i doing wrong, and
how do i make it work? slash, could you guys/girls point me towards a
tutorial that will give me a hand?
Thanks again,
Watson
On Sun, Mar 21, 2010 at 1:00 AM, Watson Blair
<bestudios...@gmail.com>wrote:
Hey all, i'm sure i'm missing something glaringly obvious, but i have yet
to find a solution to this online... so heres the line of code that i'm
getting hung up on:
<?php include_once("http://www.jennysjunket.com/magpierss/rss_fetch.inc
");?>
which gives me this:
*Warning*: include() [function.include]: URL file-access is disabled in
the server configuration in */home/content/81/5634781/html/ebay.php* on
line*1*
*Warning*: include(http://www.jennysjunket.com/magpierss/rss_fetch.inc) [
function.include]: failed to open stream: no suitable wrapper could be
found in */home/content/81/5634781/html/ebay.php* on line *1*
*Warning*: include() [function.include]: Failed opening '
http://www.jennysjunket.com/magpierss/rss_fetch.inc' for inclusion
(include_path='.:/usr/local/php5/lib/php') in *
/home/content/81/5634781/html/ebay.php* on line *1*
*
*
ive got all of my permissions set as open as i can, but i'm
still baffled about it.
Thanks,
Watson
--- End Message ---
--- Begin Message ---
On Sun, Mar 21, 2010 at 1:12 AM, Watson Blair <bestudios...@gmail.com>wrote:
> ah, i forgot to properly phrase my question... what am i doing wrong, and
> how do i make it work? slash, could you guys/girls point me towards a
> tutorial that will give me a hand?
> Thanks again,
> Watson
>
> On Sun, Mar 21, 2010 at 1:00 AM, Watson Blair <bestudios...@gmail.com
> >wrote:
>
> > Hey all, i'm sure i'm missing something glaringly obvious, but i have yet
> > to find a solution to this online... so heres the line of code that i'm
> > getting hung up on:
> >
> > <?php include_once("http://www.jennysjunket.com/magpierss/rss_fetch.inc
> > ");?>
> >
> > which gives me this:
> >
> > *Warning*: include() [function.include]: URL file-access is disabled in
> > the server configuration in */home/content/81/5634781/html/ebay.php* on
> > line*1*
> >
> > *Warning*: include(http://www.jennysjunket.com/magpierss/rss_fetch.inc)
> [
> > function.include]: failed to open stream: no suitable wrapper could be
> > found in */home/content/81/5634781/html/ebay.php* on line *1*
> >
> > *Warning*: include() [function.include]: Failed opening '
> > http://www.jennysjunket.com/magpierss/rss_fetch.inc' for inclusion
> > (include_path='.:/usr/local/php5/lib/php') in *
> > /home/content/81/5634781/html/ebay.php* on line *1*
> > *
> > *
> > ive got all of my permissions set as open as i can, but i'm
> > still baffled about it.
> > Thanks,
> > Watson
> >
>
There are several potential problems with trying to use include_once (same
issues as include()) when trying to retrieve a resource by URL:
http://www.php.net/manual/en/function.include.php
Try file_get_contents instead, as in the below example:
<?php file_get_contents("http://www.jennysjunket.com/magpierss/rss_fetch.inc
");?>
And if that's not enabled on your server, try using CURL as outlined in this
tutorial:
http://phpsense.com/php/php-curl-functions.html
Adam
--
Nephtali: PHP web framework that functions beautifully
http://nephtaliproject.com
--- End Message ---
--- Begin Message ---
is this file you need on your local server or truely on another machine?
and if it's on another machine, why do you need to include() it from there?
why not make a local copy as was suggested earlier?
there are many reasons not to include php scripts off other servers,
esp if the servers involved are not in the same building.
On Sun, Mar 21, 2010 at 6:00 AM, Watson Blair <bestudios...@gmail.com> wrote:
> Hey all, i'm sure i'm missing something glaringly obvious, but i have yet to
> find a solution to this online... so heres the line of code that i'm getting
> hung up on:
>
> <?php include_once("http://www.jennysjunket.com/magpierss/rss_fetch.inc";);?>
>
> which gives me this:
>
> *Warning*: include() [function.include]: URL file-access is disabled in the
> server configuration in */home/content/81/5634781/html/ebay.php* on line*1*
>
> *Warning*: include(http://www.jennysjunket.com/magpierss/rss_fetch.inc) [
> function.include]: failed to open stream: no suitable wrapper could be found
> in */home/content/81/5634781/html/ebay.php* on line *1*
>
> *Warning*: include() [function.include]: Failed opening '
> http://www.jennysjunket.com/magpierss/rss_fetch.inc' for inclusion
> (include_path='.:/usr/local/php5/lib/php') in *
> /home/content/81/5634781/html/ebay.php* on line *1*
> *
> *
> ive got all of my permissions set as open as i can, but i'm
> still baffled about it.
> Thanks,
> Watson
>
--- End Message ---
--- Begin Message ---
On Sun, Mar 21, 2010 at 1:45 AM, Stan Vassilev <sv_for...@fmethod.com>wrote:
>
> Hi,
>
> As the error says, this is a problem with the server configuration.
> In your php.ini file, allow_url_include should be enabled.
>
> As an alternative, if you have allow_url_include off, but allow_url_fopen
> on, you can file_get_contents() that URL and eval() it.
>
> Keep in mind you need *absolute* trust that the URL won't serve malicious
> PHP code, or change and break your site. If you need to run this code, it's
> a lot better to save the file from your browser and store it with your site,
> then include it locally. It'll be also faster this way.
>
> Regards,
> Stan Vassilev
>
>
>
> ah, i forgot to properly phrase my question... what am i doing wrong, and
>> how do i make it work? slash, could you guys/girls point me towards a
>> tutorial that will give me a hand?
>> Thanks again,
>> Watson
>>
>> On Sun, Mar 21, 2010 at 1:00 AM, Watson Blair <bestudios...@gmail.com
>> >wrote:
>>
>> Hey all, i'm sure i'm missing something glaringly obvious, but i have yet
>>> to find a solution to this online... so heres the line of code that i'm
>>> getting hung up on:
>>>
>>> <?php include_once("http://www.jennysjunket.com/magpierss/rss_fetch.inc
>>> ");?>
>>>
>>> which gives me this:
>>>
>>> *Warning*: include() [function.include]: URL file-access is disabled in
>>> the server configuration in */home/content/81/5634781/html/ebay.php* on
>>> line*1*
>>>
>>> *Warning*: include(http://www.jennysjunket.com/magpierss/rss_fetch.inc)
>>> [
>>> function.include]: failed to open stream: no suitable wrapper could be
>>> found in */home/content/81/5634781/html/ebay.php* on line *1*
>>>
>>> *Warning*: include() [function.include]: Failed opening '
>>> http://www.jennysjunket.com/magpierss/rss_fetch.inc' for inclusion
>>> (include_path='.:/usr/local/php5/lib/php') in *
>>> /home/content/81/5634781/html/ebay.php* on line *1*
>>> *
>>> *
>>> ive got all of my permissions set as open as i can, but i'm
>>> still baffled about it.
>>> Thanks,
>>> Watson
>>>
>>>
>>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
Actually, after looking at the link you mentioned, I see it's PHP (I'm
sorry, I didn't check the link before), and I'm wondering if you were just
trying to include a file that's already on your server. Grabbing a PHP file
from a remote source for parsing is a bad idea in terms of security, so
hopefully that's not what you're doing.
If the file is on your server, then the path would be something like below
judging by your error message:
<?php include_once("/home/content/81/5634781/html/magpierss/rss_fetch.inc");
?>
Adam
--
Nephtali: PHP web framework that functions beautifully
http://nephtaliproject.com
--- End Message ---
--- Begin Message ---
hey adam,
i changed the code to use file_get_contents();, however, when i tried to
later call a function form the file rss_fetch.inc it came up as an undefined
function.... did i miss something?
thanks,
Watson
On Sun, Mar 21, 2010 at 1:46 AM, Adam Richardson <simples...@gmail.com>wrote:
> On Sun, Mar 21, 2010 at 1:12 AM, Watson Blair <bestudios...@gmail.com>wrote:
>
>> ah, i forgot to properly phrase my question... what am i doing wrong, and
>> how do i make it work? slash, could you guys/girls point me towards a
>> tutorial that will give me a hand?
>> Thanks again,
>> Watson
>>
>> On Sun, Mar 21, 2010 at 1:00 AM, Watson Blair <bestudios...@gmail.com
>> >wrote:
>>
>> > Hey all, i'm sure i'm missing something glaringly obvious, but i have
>> yet
>> > to find a solution to this online... so heres the line of code that i'm
>> > getting hung up on:
>> >
>> > <?php include_once("http://www.jennysjunket.com/magpierss/rss_fetch.inc
>> > ");?>
>> >
>> > which gives me this:
>> >
>> > *Warning*: include() [function.include]: URL file-access is disabled in
>> > the server configuration in */home/content/81/5634781/html/ebay.php* on
>> > line*1*
>> >
>> > *Warning*: include(http://www.jennysjunket.com/magpierss/rss_fetch.inc)
>> [
>>
>> > function.include]: failed to open stream: no suitable wrapper could be
>> > found in */home/content/81/5634781/html/ebay.php* on line *1*
>> >
>> > *Warning*: include() [function.include]: Failed opening '
>> > http://www.jennysjunket.com/magpierss/rss_fetch.inc' for inclusion
>> > (include_path='.:/usr/local/php5/lib/php') in *
>> > /home/content/81/5634781/html/ebay.php* on line *1*
>> > *
>> > *
>> > ive got all of my permissions set as open as i can, but i'm
>> > still baffled about it.
>> > Thanks,
>> > Watson
>> >
>>
>
> There are several potential problems with trying to use include_once (same
> issues as include()) when trying to retrieve a resource by URL:
> http://www.php.net/manual/en/function.include.php
>
> Try file_get_contents instead, as in the below example:
> <?php file_get_contents("
> http://www.jennysjunket.com/magpierss/rss_fetch.inc";);?>
>
> And if that's not enabled on your server, try using CURL as outlined in
> this tutorial:
> http://phpsense.com/php/php-curl-functions.html
>
> Adam
>
> --
> Nephtali: PHP web framework that functions beautifully
> http://nephtaliproject.com
>
--- End Message ---
--- Begin Message ---
ya, sorry i diden't specify, i'm trying to build a simple RSS (haha, fat
chance it being simple, right?) reader for a site to import an ebay RSS feed
and desplay the contense. I'm using Magpie to accomplish it. also, you'll be
glad to know that your fix worked like a charm, all i need to do now is
limit the number of results and orginize all of the data returned (images
and such). my only curiousity about this now is what is up with that file
path.... why woulden't using the URL work?
On Sun, Mar 21, 2010 at 2:13 AM, Adam Richardson <simples...@gmail.com>wrote:
> On Sun, Mar 21, 2010 at 1:45 AM, Stan Vassilev <sv_for...@fmethod.com>wrote:
>
>>
>> Hi,
>>
>> As the error says, this is a problem with the server configuration.
>> In your php.ini file, allow_url_include should be enabled.
>>
>> As an alternative, if you have allow_url_include off, but allow_url_fopen
>> on, you can file_get_contents() that URL and eval() it.
>>
>> Keep in mind you need *absolute* trust that the URL won't serve malicious
>> PHP code, or change and break your site. If you need to run this code, it's
>> a lot better to save the file from your browser and store it with your site,
>> then include it locally. It'll be also faster this way.
>>
>> Regards,
>> Stan Vassilev
>>
>>
>>
>> ah, i forgot to properly phrase my question... what am i doing wrong, and
>>> how do i make it work? slash, could you guys/girls point me towards a
>>> tutorial that will give me a hand?
>>> Thanks again,
>>> Watson
>>>
>>> On Sun, Mar 21, 2010 at 1:00 AM, Watson Blair <bestudios...@gmail.com
>>> >wrote:
>>>
>>> Hey all, i'm sure i'm missing something glaringly obvious, but i have
>>>> yet
>>>> to find a solution to this online... so heres the line of code that i'm
>>>> getting hung up on:
>>>>
>>>> <?php include_once("http://www.jennysjunket.com/magpierss/rss_fetch.inc
>>>> ");?>
>>>>
>>>> which gives me this:
>>>>
>>>> *Warning*: include() [function.include]: URL file-access is disabled in
>>>> the server configuration in */home/content/81/5634781/html/ebay.php* on
>>>> line*1*
>>>>
>>>> *Warning*: include(http://www.jennysjunket.com/magpierss/rss_fetch.inc)
>>>> [
>>>> function.include]: failed to open stream: no suitable wrapper could be
>>>> found in */home/content/81/5634781/html/ebay.php* on line *1*
>>>>
>>>> *Warning*: include() [function.include]: Failed opening '
>>>> http://www.jennysjunket.com/magpierss/rss_fetch.inc' for inclusion
>>>> (include_path='.:/usr/local/php5/lib/php') in *
>>>> /home/content/81/5634781/html/ebay.php* on line *1*
>>>> *
>>>> *
>>>> ive got all of my permissions set as open as i can, but i'm
>>>> still baffled about it.
>>>> Thanks,
>>>> Watson
>>>>
>>>>
>>>
>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>>
> Actually, after looking at the link you mentioned, I see it's PHP (I'm
> sorry, I didn't check the link before), and I'm wondering if you were just
> trying to include a file that's already on your server. Grabbing a PHP file
> from a remote source for parsing is a bad idea in terms of security, so
> hopefully that's not what you're doing.
>
> If the file is on your server, then the path would be something like below
> judging by your error message:
> <?php
> include_once("/home/content/81/5634781/html/magpierss/rss_fetch.inc"); ?>
>
> Adam
>
> --
> Nephtali: PHP web framework that functions beautifully
> http://nephtaliproject.com
>
--- End Message ---
--- Begin Message ---
On Sun, Mar 21, 2010 at 2:20 AM, Watson Blair <bestudios...@gmail.com>wrote:
> ya, sorry i diden't specify, i'm trying to build a simple RSS (haha, fat
> chance it being simple, right?) reader for a site to import an ebay RSS feed
> and desplay the contense. I'm using Magpie to accomplish it. also, you'll be
> glad to know that your fix worked like a charm, all i need to do now is
> limit the number of results and orginize all of the data returned (images
> and such). my only curiousity about this now is what is up with that file
> path.... why woulden't using the URL work?
>
>
> On Sun, Mar 21, 2010 at 2:13 AM, Adam Richardson <simples...@gmail.com>wrote:
>
>> On Sun, Mar 21, 2010 at 1:45 AM, Stan Vassilev <sv_for...@fmethod.com>wrote:
>>
>>>
>>> Hi,
>>>
>>> As the error says, this is a problem with the server configuration.
>>> In your php.ini file, allow_url_include should be enabled.
>>>
>>> As an alternative, if you have allow_url_include off, but allow_url_fopen
>>> on, you can file_get_contents() that URL and eval() it.
>>>
>>> Keep in mind you need *absolute* trust that the URL won't serve malicious
>>> PHP code, or change and break your site. If you need to run this code, it's
>>> a lot better to save the file from your browser and store it with your site,
>>> then include it locally. It'll be also faster this way.
>>>
>>> Regards,
>>> Stan Vassilev
>>>
>>>
>>>
>>> ah, i forgot to properly phrase my question... what am i doing wrong,
>>>> and
>>>> how do i make it work? slash, could you guys/girls point me towards a
>>>> tutorial that will give me a hand?
>>>> Thanks again,
>>>> Watson
>>>>
>>>> On Sun, Mar 21, 2010 at 1:00 AM, Watson Blair <bestudios...@gmail.com
>>>> >wrote:
>>>>
>>>> Hey all, i'm sure i'm missing something glaringly obvious, but i have
>>>>> yet
>>>>> to find a solution to this online... so heres the line of code that i'm
>>>>> getting hung up on:
>>>>>
>>>>> <?php include_once("
>>>>> http://www.jennysjunket.com/magpierss/rss_fetch.inc
>>>>> ");?>
>>>>>
>>>>> which gives me this:
>>>>>
>>>>> *Warning*: include() [function.include]: URL file-access is disabled in
>>>>> the server configuration in */home/content/81/5634781/html/ebay.php* on
>>>>> line*1*
>>>>>
>>>>> *Warning*: include(http://www.jennysjunket.com/magpierss/rss_fetch.inc)
>>>>> [
>>>>> function.include]: failed to open stream: no suitable wrapper could be
>>>>> found in */home/content/81/5634781/html/ebay.php* on line *1*
>>>>>
>>>>> *Warning*: include() [function.include]: Failed opening '
>>>>> http://www.jennysjunket.com/magpierss/rss_fetch.inc' for inclusion
>>>>> (include_path='.:/usr/local/php5/lib/php') in *
>>>>> /home/content/81/5634781/html/ebay.php* on line *1*
>>>>> *
>>>>> *
>>>>> ive got all of my permissions set as open as i can, but i'm
>>>>> still baffled about it.
>>>>> Thanks,
>>>>> Watson
>>>>>
>>>>>
>>>>
>>>
>>> --
>>> PHP General Mailing List (http://www.php.net/)
>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>
>>>
>> Actually, after looking at the link you mentioned, I see it's PHP (I'm
>> sorry, I didn't check the link before), and I'm wondering if you were just
>> trying to include a file that's already on your server. Grabbing a PHP file
>> from a remote source for parsing is a bad idea in terms of security, so
>> hopefully that's not what you're doing.
>>
>> If the file is on your server, then the path would be something like below
>> judging by your error message:
>> <?php
>> include_once("/home/content/81/5634781/html/magpierss/rss_fetch.inc"); ?>
>>
>> Adam
>>
>> --
>> Nephtali: PHP web framework that functions beautifully
>> http://nephtaliproject.com
>>
>
>
Because of the potential security issues, the option to supply URL's is
often not enabled:
http://www.php.net/manual/en/filesystem.configuration.php#ini.allow-url-fopen
Most of the time you can just look at your error messages when an include
doesn't work on your server to figure out what the local path should be.
Adam
--
Nephtali: PHP web framework that functions beautifully
http://nephtaliproject.com
--- End Message ---
--- Begin Message ---
cool.
tip: if you're gonna use libs like magpie, in 1 or more projects on a
webserver, i'd put it in htdocs/lib/magpie-x.y.z,
(x.y.z=versionnumber), then require_once('/lib/magpie-x.y.z/[magpie
top include script.inc]') it at the top of
htdocs/projectName/index.php or if it's only to be used in a specific
function of the website, at the top of where-ever the code
handles(starts) that function.
an alternative is htdocs/projectName/lib/magpie-x.y.z
it's not necessary to do it this way, but it does provide faster
management of libs and a decrease in bug-count.
On Sun, Mar 21, 2010 at 7:28 AM, <bestudios...@gmail.com> wrote:
> Duly noted. Thanks for baring with me on this one guys!
> Sent from my Verizon Wireless BlackBerry
>
> -----Original Message-----
> From: Rene Veerman <rene7...@gmail.com>
> Date: Sun, 21 Mar 2010 07:26:24
> To: Watson Blair<bestudios...@gmail.com>
> Subject: Re: [PHP] Re: Pulling my hair out over an include_once();
>
> if you're going to use php software, put it on the server it must run
> on, and require_once() it with an absolute or relative path, not a
> URL. That's a golden rule for security, stability and performance
> reasons.
>
> On Sun, Mar 21, 2010 at 7:20 AM, Watson Blair <bestudios...@gmail.com> wrote:
>> ya, sorry i diden't specify, i'm trying to build a simple RSS (haha, fat
>> chance it being simple, right?) reader for a site to import an ebay RSS feed
>> and desplay the contense. I'm using Magpie to accomplish it. also, you'll be
>> glad to know that your fix worked like a charm, all i need to do now is
>> limit the number of results and orginize all of the data returned (images
>> and such). my only curiousity about this now is what is up with that file
>> path.... why woulden't using the URL work?
>>
>> On Sun, Mar 21, 2010 at 2:13 AM, Adam Richardson <simples...@gmail.com>wrote:
>>
>>> On Sun, Mar 21, 2010 at 1:45 AM, Stan Vassilev <sv_for...@fmethod.com>wrote:
>>>
>>>>
>>>> Hi,
>>>>
>>>> As the error says, this is a problem with the server configuration.
>>>> In your php.ini file, allow_url_include should be enabled.
>>>>
>>>> As an alternative, if you have allow_url_include off, but allow_url_fopen
>>>> on, you can file_get_contents() that URL and eval() it.
>>>>
>>>> Keep in mind you need *absolute* trust that the URL won't serve malicious
>>>> PHP code, or change and break your site. If you need to run this code, it's
>>>> a lot better to save the file from your browser and store it with your
>>>> site,
>>>> then include it locally. It'll be also faster this way.
>>>>
>>>> Regards,
>>>> Stan Vassilev
>>>>
>>>>
>>>>
>>>> ah, i forgot to properly phrase my question... what am i doing wrong, and
>>>>> how do i make it work? slash, could you guys/girls point me towards a
>>>>> tutorial that will give me a hand?
>>>>> Thanks again,
>>>>> Watson
>>>>>
>>>>> On Sun, Mar 21, 2010 at 1:00 AM, Watson Blair <bestudios...@gmail.com
>>>>> >wrote:
>>>>>
>>>>> Hey all, i'm sure i'm missing something glaringly obvious, but i have
>>>>>> yet
>>>>>> to find a solution to this online... so heres the line of code that i'm
>>>>>> getting hung up on:
>>>>>>
>>>>>> <?php include_once("http://www.jennysjunket.com/magpierss/rss_fetch.inc
>>>>>> ");?>
>>>>>>
>>>>>> which gives me this:
>>>>>>
>>>>>> *Warning*: include() [function.include]: URL file-access is disabled in
>>>>>> the server configuration in */home/content/81/5634781/html/ebay.php* on
>>>>>> line*1*
>>>>>>
>>>>>> *Warning*: include(http://www.jennysjunket.com/magpierss/rss_fetch.inc)
>>>>>> [
>>>>>> function.include]: failed to open stream: no suitable wrapper could be
>>>>>> found in */home/content/81/5634781/html/ebay.php* on line *1*
>>>>>>
>>>>>> *Warning*: include() [function.include]: Failed opening '
>>>>>> http://www.jennysjunket.com/magpierss/rss_fetch.inc' for inclusion
>>>>>> (include_path='.:/usr/local/php5/lib/php') in *
>>>>>> /home/content/81/5634781/html/ebay.php* on line *1*
>>>>>> *
>>>>>> *
>>>>>> ive got all of my permissions set as open as i can, but i'm
>>>>>> still baffled about it.
>>>>>> Thanks,
>>>>>> Watson
>>>>>>
>>>>>>
>>>>>
>>>>
>>>> --
>>>> PHP General Mailing List (http://www.php.net/)
>>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>>
>>>>
>>> Actually, after looking at the link you mentioned, I see it's PHP (I'm
>>> sorry, I didn't check the link before), and I'm wondering if you were just
>>> trying to include a file that's already on your server. Grabbing a PHP file
>>> from a remote source for parsing is a bad idea in terms of security, so
>>> hopefully that's not what you're doing.
>>>
>>> If the file is on your server, then the path would be something like below
>>> judging by your error message:
>>> <?php
>>> include_once("/home/content/81/5634781/html/magpierss/rss_fetch.inc"); ?>
>>>
>>> Adam
>>>
>>> --
>>> Nephtali: PHP web framework that functions beautifully
>>> http://nephtaliproject.com
>>>
>>
>
--- End Message ---
--- Begin Message ---
Month of PHP Security 2010 - CALL FOR PAPERS
--------------------------------------------
Three years ago, in March 2007, the Hardened-PHP project had organized
the Month of PHP Bugs. During one month more than 40 vulnerabilities in
the PHP interpreter were disclosed in order to improve the overall
security of PHP. Now, three years later, SektionEins GmbH will
continue in the same spirit and organize the Month of PHP Security.
The intention of the Month of PHP Security is to gather the best
research and articles about PHP security topics from the security
community and share them with the rest of the world. This time the goal
is not only to improve the security of PHP itself and applications
directly by fixing security bugs, but also to help PHP developers
around the world to write better and more secure PHP applications.
The Month of PHP Security will be held in May 2010 by SektionEins
GmbH. During the month of May all qualifying entries will be published
at http://php-security.org day by day.
CFP Committee
-------------
The CFP committee for the Month of PHP Security consists of
1) Johann-Peter Hartmann
2) Stefan Esser
3) Fukami
4) Ben Fuhrmannek
The CFP committee will review all submissions and select the list of
articles that will be published on http://php-security.org
Accepted Topics/Articles
------------------------
* New vulnerability in PHP [1]
(not simple safe_mode, open_basedir bypass vulnerabilities)
* New vulnerability in PHP related software [1]
(popular 3rd party PHP extensions/patches)
* Explain a single topic of PHP application security in detail
(such as guidelines on how to store passwords)
* Explain a complicated vulnerability in/attack against a PHP
widespread application [1]
* Explain a complicated topic of attacking PHP (e.g. explain how to
exploit heap overflows in PHP's heap implementation)
* Explain how to attack encrypted PHP applications
* Release of a new open source PHP security tool
* Other topics related to PHP or PHP application security
[1] Articles about new vulnerabilities should mention possible
fixes or mitigations.
Responsible Disclosure
----------------------
In case of submitted vulnerabilities SektionEins GmbH will contact
the security team of the software vendor after the submission deadline
and share the vulnerability information with them. Along with the
vulnerability information SektionEins will provide the name of the
submitting party in order to give proper credits.
Prizes
------
At the end of May the CFP committee will review the published
material and determine the best entries. Selected winners will
get the following prizes.
1. 1000 EUR + Syscan Ticket + CodeScan PHP License
2. 750 EUR + Syscan Ticket
3. 500 EUR + Syscan Ticket
4. 250 EUR + Syscan Ticket
5.-6. CodeScan PHP License
7.-16. Amazon Coupon of 65 USD/50 EUR
SektionEins reserves the right to disqualify any submitted entry.
While employees of SektionEins can and will submit entries for
the Month of PHP Security they are excluded from receiving prizes.
The 1000 EUR cash prize and the Syscan tickets were generously
sponsored by Syscan. CodeScan PHP Licenses were sponsored by
CodeScan Limited. All other cash and non-cash prizes are sponsored
by SektionEins.
The winners of the Syscan tickets can choose one of the four
Syscan 2010 conferences to go to. Syscan Tickets include free
admission to the conference, speaker's dinner and speaker party.
Hotel and travelcosts are NOT included.
Please note that non-cash prizes cannot be changed into cash prizes.
Submission
----------
Submissions should be sent to c...@php-security.org and consist of the
following information:
1) Name and contact information (e-mail, postal address)
2) Employer and/or affiliations
3) Article about one of the allowed topics (at least 1000 words)
4) Optionally additional material like slides, whitepaper in PDF format
All submissions must be in English. The preferred delivery format is
plain text or HTML, but PDF is also accepted. Please pack all the
required items (pictures, text, ...) in a ZIP archive and submit this
ZIP archive by email.
Deadline for submissions is April 11, 2010.
Additional Information
----------------------
After submission SektionEins GmbH will acknowledge submissions with
a signed email. If you do not receive such an email within one week
after submission, then please contact us at c...@php-security.org
again.
By submitting your article you are granting SektionEins GmbH the rights
to reproduce, distribute, advertise and show your article including but
not limited to http://php-security.org, printed and/or electronic
advertisements, and all other media. However you are still allowed to
publish your own work in whatever way you want.
Thanks
------
We would like to thank Syscan and Coseinc for generously offering
1000 EUR cash prize and four tickets to Syscan. If you are interested
in the latest and greatest security research you should really consider
visiting one of the four Syscan conferences. You will find furhter
information at http://www.syscan.org/
Also we would like to thank CodeScan Limited to offer CodeScan for PHP
licenses as a prize. If you are interested in static code analysis for
PHP, you might want to check http://www.codescan.com/.
Additional Drawing
------------------
If you help us to spread the word about the Month of PHP Security
and the open CFP by writing a blog posting about it, you have the
chance to win one of ten 33 USD/25 EUR Amazon Coupons. To participate
you have to write a blog posting about the Month of PHP Security CFP
and send a link to your blog posting to draw...@php-security.org
The winners will be announced on May 1, 2010.
--
Thank you
Stefan Esser
Organiser
Month of PHP Security / php-security.org
SektionEins GmbH / www.sektioneins.com
--- End Message ---
