php-general Digest 23 Apr 2007 12:10:11 -0000 Issue 4751

Topics (messages 253500 through 253513):

Why do i get this error message?
        253500 by: H.T
        253501 by: Buesching, Logan J

Re: Best practices to ensure compatibility with PHP 6
        253502 by: Davi
        253508 by: ufan100.gmail.com

Re: Preventing SQL Injection/ Cross Site Scripting
        253503 by: Buesching, Logan J

Re: echo date('Y-m-d', $mydata->timestamp);
        253504 by: Buesching, Logan J

Re: should I be looking to eliminate all notices?
        253505 by: Buesching, Logan J

Re: PhpMyAdmin slow on windows but fast on linux
        253506 by: chris smith
        253507 by: Juergen Wind
        253512 by: Don Don

Session Variable in Global Scope
        253509 by: Sascha Braun
        253510 by: Jochem Maas

unset() side effects in functions
        253511 by: Robert Enyedi

Hi
        253513 by: Nathan Wallis

Administrivia:

To subscribe to the digest, e-mail:
        [EMAIL PROTECTED]

To unsubscribe from the digest, e-mail:
        [EMAIL PROTECTED]

To post to the list, e-mail:
        [EMAIL PROTECTED]


----------------------------------------------------------------------
--- Begin Message ---
I get this error message when I try to check my site on localhost running
IIS and PHP 5.1.2:

Fatal error: Allowed memory size of 8388608 bytes exhausted (tried to
allocate 24576 bytes) in ...

and it points to the line which is pure html code!
What could be the cause of this problem?

--- End Message ---
--- Begin Message ---
Could you also send the code? Maybe 5 lines before and 5 lines after the
line it is pointing to?

It also means it tried to allocate 2KB of memory, which put you over
your 8MB in whatever script you are running.  You can set the maximum
amount of memory a PHP script can use in your PHP.ini file.

-----Original Message-----
From: H.T [mailto:[EMAIL PROTECTED] 
Sent: Sunday, April 22, 2007 6:48 PM
To: [EMAIL PROTECTED]
Subject: [PHP] Why do i get this error message?

I get this error message when I try to check my site on localhost
running
IIS and PHP 5.1.2:

Fatal error: Allowed memory size of 8388608 bytes exhausted (tried to
allocate 24576 bytes) in ...

and it points to the line which is pure html code!
What could be the cause of this problem?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

--- End Message ---
--- Begin Message ---
On Sunday 22 April 2007 18:54, [EMAIL PROTECTED] wrote:
> Hi
>
> I'm would like to avoid PHP usages that are deprecated with
> regard to PHP 6.  I would also like to code according to
> what is regarded as best practice.  Are there any web
> resources that I can read to keep up to date?
>

Have a look at PHP meeting [1] and PHP-wiki [2]... =]

[1] - http://www.php.net/~derick/meeting-notes.html
[2] - http://oss.backendmedia.com/PhP60
-- 
Davi Vidal
[EMAIL PROTECTED]
[EMAIL PROTECTED]
--

Now with fortune:
"Many have marked the speed with which Muad'Dib learned the necessities of
Arrakis. The Bene Gesserit, of course, know the basis of this speed. For the
others, we can say that Muad'Dib learned rapidly because his first training
was in how to learn. And the first lesson of all was the basic trust that he
could learn. It is shocking to find how many people do not believe they can
learn, and how many more believe learning to be difficult. Muad'Dib knew that
every experience carries its lesson.

  -- from "The Humanity of Muad'Dib" by the Princess Irulan"

--- End Message ---
--- Begin Message ---
Davi wrote:
On Sunday 22 April 2007 18:54, [EMAIL PROTECTED] wrote:
... Have a look at PHP meeting [1] and PHP-wiki [2]... =]

[1] - http://www.php.net/~derick/meeting-notes.html
[2] - http://oss.backendmedia.com/PhP60

Thank you for the links - it will get me started.

--- End Message ---
--- Begin Message ---
There are many good resources out there, and one of my favorites for this type 
of information is from Chris Shiflett.
http://shiflett.org/articles/sql-injection
http://shiflett.org/articles/foiling-cross-site-attacks
http://shiflett.org/blog/2007/mar/allowing-html-and-preventing-xss


Those are a few articles on the subject, maybe some reader comments have more 
good links.

Also, just as a best-practice, you usually don't want to reassign things into 
the super globals.  Also to note, your filtering may be a bit too aggressive, 
and not all-inclusive at the same time.  Too aggressive because if I want to 
talk about java in a comment, it will filter out every time I say java.  Too 
lax because you are forgetting all of the HTML onclick, onhover etc... that 
don't need to have a <script> tag in them to be executed.  Any of the 
preg_replace's with an = in them is redundant because you have already filtered 
out all of the ='s, but also note that you can have multiple spaces between 
href and =.  You are banking that they will have 0 or 1.

If available, you can look into PHP 5.2 which added some filter functions 
(albeit I myself haven't checked them out).  You can also look into OWASP's PHP 
project, http://www.owasp.org/index.php/Category:OWASP_PHP_Project.  That is a 
pretty good resource in secure coding best-practices.

-Logan

-----Original Message-----
From: Dotan Cohen [mailto:[EMAIL PROTECTED] 
Sent: Friday, April 20, 2007 9:08 PM
To: php php
Subject: [PHP] Preventing SQL Injection/ Cross Site Scripting

I've got a comments form that I'd like to harden against SQL Injection
/ XSS attacks. The data is stored in UTF-8 in a mysql database. I
currently parse the data as such:

$_POST["commentform"]=str_replace ("'", "''", $_POST["commentform"]);   //    q->qq
$_POST["commentform"]=str_replace ("--", "", $_POST["commentform"]);    //    -- -> x
$_POST["commentform"]=str_replace (";", "", $_POST["commentform"]);     //    ; -> x
$_POST["commentform"]=str_replace ("=", "''", $_POST["commentform"]);   //    = -> x
$_POST["commentform"]=preg_replace ("/java/i", "''", $_POST["commentform"]);
$_POST["commentform"]=preg_replace ("/script/i", "''", $_POST["commentform"]);
$_POST["commentform"]=preg_replace ("/src=/i", "''", $_POST["commentform"]);
$_POST["commentform"]=preg_replace ("/src =/i", "''", $_POST["commentform"]);
$_POST["commentform"]=preg_replace ("/iframe/i", "''", $_POST["commentform"]);
$_POST["commentform"]=preg_replace ("/rel=/i", "''", $_POST["commentform"]);
$_POST["commentform"]=preg_replace ("/rel =/i", "''", $_POST["commentform"]);
$_POST["commentform"]=preg_replace ("/href=/i", "''", $_POST["commentform"]);
$_POST["commentform"]=preg_replace ("/href =/i", "''", $_POST["commentform"]);
$_POST["commentform"]=preg_replace ("//i", "''", $_POST["commentform"]);
$_POST["commentform"]=htmlspecialchars( mysql_real_escape_string ($_POST["commentform"]) );

The first statement doubles up quotes, it's a bit difficult to see in the code.

After seeing this:
http://ha.ckers.org/xss.html
and another similar one for SQL injection, I'm worried that my filters
are not enough. What do the pro PHP programmers out there use?

Thanks in advance.

Dotan Cohen

http://lyricslist.com/
http://what-is-what.com/


--- End Message ---
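An added example, not code from the thread or from either poster, showing the direction Logan's reply points to: keep the comment unmodified, hand it to the database as a bound parameter, and escape it only at the moment it is rendered as HTML. It assumes PHP with PDO and the sqlite driver; the in-memory SQLite table is a constructed stand-in for the poster's MySQL table, and the sample comments are constructed.

```php
<?php
// Added example (not from the thread). Store raw, bind parameters, escape on output.
// Assumes PDO with the sqlite driver; the in-memory database stands in for MySQL.

function open_db() {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

// The comment is passed as a parameter and never concatenated into the SQL
// text, so quotes, semicolons and "--" are plain data. No str_replace
// blacklist is needed, and none of the legitimate text is lost.
function store_comment(PDO $db, $comment) {
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute(array(':body' => $comment));
    return (int) $db->lastInsertId();
}

function load_comment(PDO $db, $id) {
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute(array(':id' => (int) $id));
    return $stmt->fetchColumn();
}

// Escaping belongs at the output boundary, for the HTML text context.
// ENT_QUOTES encodes both ' and ", which keeps the value inert even if it is
// later placed inside an attribute; the charset argument keeps UTF-8 intact.
// Because the markup is never parsed as markup, an inline event handler
// (onclick and friends, no <script> tag needed) is neutralised as well.
function render_comment($comment) {
    return htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');
}

// The first rule of the original blacklist, kept only to show the false
// positive Logan describes: a benign comment about Java gets damaged.
function blacklist_filter($comment) {
    return preg_replace('/java/i', "''", $comment);
}

$db = open_db();
$samples = array(
    // Constructed inputs: a benign comment, and one carrying an inline event
    // handler, the case the reply says a <script>-only filter does not cover.
    "I'd rather write Java; it's fine -- really",
    '<b onclick="alert(1)">click me</b>',
);
foreach ($samples as $raw) {
    $id     = store_comment($db, $raw);
    $stored = load_comment($db, $id);
    assert($stored === $raw);   // stored byte-for-byte, nothing mangled
    echo "blacklist: ", blacklist_filter($raw), "\n";
    echo "rendered:  ", render_comment($stored), "\n";
}
```

Run it from the command line with `php example.php`. The point of the split is that escaping is context-specific: the parameter binding protects the SQL context, htmlspecialchars() protects the HTML text context, and neither one needs to know about the other, which is why the stored value can stay exactly what the user typed.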
--- Begin Message ---
You are misunderstanding what timestamp means.  The value of a timestamp
is from UNIX epoch http://en.wikipedia.org/wiki/Unix_time.  It is
calculated by the number of seconds after January 1st, 1970.  Also note,
that you are overflowing the integer, which is giving you a
http://en.wikipedia.org/wiki/Year_2038_problem Y2K38 problem.

If you want the UNIX timestamp of 4/19/2007 16:21:23, you can do
mktime(16,21,23,4,19,2007);
(http://us.php.net/manual/en/function.mktime.php).

-Logan

-----Original Message-----
From: John Taylor-Johnston
[mailto:[EMAIL PROTECTED] 
Sent: Sunday, April 22, 2007 2:05 AM
To: PHP-General
Cc: John Taylor-Johnston
Subject: [PHP] echo date('Y-m-d', $mydata->timestamp);

$mydata->timestamp = "20070419162123";

echo date('Y-m-d', $mydata->timestamp);


result: 2038-01-18

?? What is wrong?? Should be 2007-04-19?


--- End Message ---
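An added example, not part of Logan's reply or the original post: it turns a compact "YYYYMMDDHHMMSS" string such as the poster's "20070419162123" into a Unix timestamp with mktime(), as the reply suggests, and rejects values that do not round-trip. The function name is constructed for this illustration; the timezone is pinned so the result does not depend on php.ini.

```php
<?php
// Added example (not from the thread). Parse a 14-digit datetime string into
// a Unix timestamp instead of passing the digits to date() as if they were
// seconds since the epoch.
date_default_timezone_set('UTC');

// Returns the timestamp, or false for input that is not exactly 14 digits
// or that does not describe a real calendar time.
function compact_to_timestamp($s) {
    if (!preg_match('/^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})$/', $s, $m)) {
        return false;
    }
    // mktime(hour, minute, second, month, day, year)
    $ts = mktime((int) $m[4], (int) $m[5], (int) $m[6],
                 (int) $m[2], (int) $m[3], (int) $m[1]);
    // mktime() silently normalises out-of-range parts (month 13, day 32);
    // formatting the result back and comparing catches those inputs.
    if (date('YmdHis', $ts) !== $s) {
        return false;
    }
    return $ts;
}

$raw = '20070419162123';          // the poster's value
$ts  = compact_to_timestamp($raw);
echo date('Y-m-d H:i:s', $ts), "\n";

// What the original code did was hand the 14-digit number itself to date().
// Read as seconds, 20070419162123 lies far beyond what a 32-bit time value can
// hold, which is why the formatted date collapsed to January 2038.
var_dump(compact_to_timestamp('20071332000000'));   // month 13: rejected
```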
--- Begin Message ---
[snip]
I don't really want to do an isset check for every index I have.
[/snip]

Premature optimization is the root of all evil.  Checks like this will
take nanoseconds to check.  Find another way to optimize, like writing
better SQL queries.

--- End Message ---
--- Begin Message ---
On 4/23/07, Don Don <[EMAIL PROTECTED]> wrote:
Hi all, how can I make my phpmyadmin run fast on windows?  I installed
phpmyadmin on a linux and windows machine, but the windows version runs
(executes) too slow, i.e. it takes too long for a page to be loaded, while it
takes less than 3 secs for the linux version.  Both however run on the same
system config.

The phpmyadmin guys will be able to help you a lot better than we can:

http://sourceforge.net/mail/?group_id=23067

--
Postgresql & php tutorials
http://www.designmagick.com/

--- End Message ---
--- Begin Message ---

Don Don wrote:
> 
> Hi all, how can I make my phpmyadmin run fast on windows?  I installed
> phpmyadmin on a linux and windows machine, but the windows version runs
> (executes) too slow, i.e. it takes too long for a page to be loaded, while
> it takes less than 3 secs for the linux version.  Both however run on the
> same system config.
> 
Linux tries using sockets by default if (mysql)host='localhost',
that's almost twice as fast as host='127.0.0.1' (using a tcp connection).
On a win box you need "enable-named-pipe" in your my.cnf
and connect using host='.' for connecting not using tcp.
"skip-name-resolve" can speed up things a bit as well.

For finding the bottleneck you can try to connect to the
linux mysqld from your script on the win webserver
and vice versa (using tcp of course).

-- 

--- End Message ---
--- Begin Message ---
Hi Logan, yes
reason being the linux box is live and the windows box is dev.

"Buesching, Logan J" <[EMAIL PROTECTED]> wrote: You say they both have the same 
config, so do you mean that they both
have the same version of PHP, same computer setup (Memory, CPU speed,
HDD speed), both running the same version of Apache, and that both are
running as either CGI or an apache module?

-Logan

-----Original Message-----
From: Don Don [mailto:[EMAIL PROTECTED] 
Sent: Sunday, April 22, 2007 4:34 PM
To: PHP List
Subject: [PHP] PhpMyAdmin slow on windows but fast on linux

Hi all, how can I make my phpmyadmin run fast on windows?  I installed
phpmyadmin on a linux and windows machine, but the windows version runs
(executes) too slow, i.e. it takes too long for a page to be loaded,
while it takes less than 3 secs for the linux version.  Both however run
on the same system config.
   
  Cheers

       
---------------------------------
Ahhh...imagining that irresistible "new car" smell?
 Check outnew cars at Yahoo! Autos.

--- End Message ---
--- Begin Message ---
Hi Fellows,

I'm getting this warning on my website:

Warning: Unknown: Your script possibly relies on a session side-effect
which existed until PHP 4.2.3. Please be advised that the session
extension does not consider global variables as a source of data, unless
register_globals is enabled. You can disable this functionality and this
warning by setting session.bug_compat_42 or session.bug_compat_warn to
off, respectively. in Unknown on line 0

I don't really understand how it comes to that error. In the php.ini it is
written that this error occurs when I register a session in a global
scope. What does it mean exactly?

Another thing is that I'm often losing the session while surfing the
website using ajax functionality in the background. I started to send
the session id with the request all the time, but it seems that some
of the requests are made without showing an IP Address in the sessions
table of my installation.

I'm actually not using cookies, but the error does not occur in mozilla
firefox on a windows platform, it's only occurring under linux using
firefox. Internet Explorer isn't tested well enough yet to come to a
conclusion.

Maybe someone is working with ajax a lot, so you might have experience
with it too.

Thank you very much for your help.

Best Regards,

Sascha


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

--- End Message ---
--- Begin Message ---
post some code please ...

Sascha Braun wrote:
> Hi Fellows,
> 

...

> 
> I'm actually not using cookies, 

using cookies is highly recommended over passing the SID via the url,
if you're losing the session data for some [ajax] request then that means
php is not seeing or receiving the SID via the url ... in which case you will
have to examine log files and headers to find out what's going on.

either way I would recommend stepping over to using session cookies -
personally I use php/ajax in conjunction with sessions quite a bit and
have never had problems when sticking with session cookies.

> but the error does not occur in mozilla
> firefox on a windows platform, it's only occurring under linux using
> firefox. Internet Explorer isn't tested well enough yet to come to a
> conclusion.
> 
> Maybe someone is working with ajax, alot, so you might have experience
> with it too.
> 
> Thank you very much for your help.
> 
> Best Regards,
> 
> Sascha
> 
> 

--- End Message ---
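An added example, not code from Jochem's reply or Sascha's post: a session bootstrap that does what the reply recommends, carrying the session id in a cookie only, so that background XMLHttpRequests to the same origin send it automatically and nothing depends on the SID surviving in every URL. The weak settings are shown in comments next to the corrected ones. It assumes PHP 5.2 or later (the httponly argument to session_set_cookie_params() and the session.cookie_httponly setting appeared in 5.2); the function name and the `initialised` session key are constructed for this illustration.

```php
<?php
// Added example (not from the thread). Session id in a cookie only.
// Assumes PHP >= 5.2 for the httponly flag; names are constructed.

function start_cookie_session($secure = false) {
    // The weak configuration, which lets the id travel in the query string
    // and appends it to links via trans_sid. That is what makes it easy to
    // lose on some requests and to leak through Referer headers and logs:
    //   session.use_only_cookies = 0
    //   session.use_trans_sid    = 1

    // The corrected configuration.
    ini_set('session.use_only_cookies', 1);  // ignore any SID found in the URL
    ini_set('session.use_trans_sid', 0);     // never rewrite URLs to carry the SID
    ini_set('session.cookie_httponly', 1);   // keep page scripts from reading the cookie

    // lifetime 0 (browser session), path '/', current host,
    // Secure only when the site is served over HTTPS, HttpOnly always.
    session_set_cookie_params(0, '/', '', $secure, true);
    session_start();

    // Issue a fresh id the first time this session is used, so an id the
    // client brought along itself is never kept (session fixation defence).
    if (empty($_SESSION['initialised'])) {
        session_regenerate_id(true);
        $_SESSION['initialised'] = true;
    }
    return session_id();
}

// Usage: call this once at the top of every script, before any output.
$sid = start_cookie_session(!empty($_SERVER['HTTPS']));
```

With this in place the ajax calls need no special handling: a same-origin XMLHttpRequest sends the session cookie exactly as a normal page request does, and a request that still arrives without a session is visible in the web server's access log as one with no PHPSESSID cookie, which is the header check the reply suggests.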
--- Begin Message ---
I'm doing some experimenting with the unset() (http://php.net/unset) language construct in a PHP 5.2.1 installation. I did not find any documentation on what happens to an identically named local variable's value after an unset is performed.

Let me start with this example:

<?php
function dostuff() {
    $a = 4;
    echo ">in function (init): ".$a."<\n";

    global $a;
/*CHANGEME*/    unset($a);

    echo ">in function (after unset): ".$a."<\n";
    $a = 3;
    echo ">in function (after local assign): ".$a."<\n";
}

$a = 2;
dostuff();
echo ">in page: ".$a."<\n";
?>

The output is:
>in function (init): 4<
>in function (after unset): <
>in function (after local assign): 3<
>in page: 2<

So this basically means that the global $a is dereferenced by the unset() call and the local $a gets reinitialized.

A different thing happens when we replace the /*CHANGEME*/ line with unset using the $GLOBALS[] array (the recommended way of unsetting a global variable from inside a function):

unset($GLOBALS['a']);

This time the output is:

>in function (init): 4<
>in function (after unset): 2<
>in function (after local assign): 3<
>in page: <

Notice that after the unset statement the global $a is properly unset BUT the value of the local $a becomes 2, which was the value of the global $a at the function entry point.

Are these behaviors documented somewhere or shouldn't I rely on these unset() side effects at all in my code?

Thanks,
Robert

--- End Message ---
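An added example, not part of Robert's post: it reruns the two experiments above as functions that return what they observe, plus a third case with an ordinary reference, to show the single rule behind both outputs. `global $a` makes the local name $a an alias of $GLOBALS['a'], and unset() removes only the name it is given, never the value that other names still point at. The function names are constructed for this illustration.

```php
<?php
// Added example (not from the post). One rule explains both runs:
// `global $a` aliases the local name to $GLOBALS['a'], and unset() only
// drops the name it is handed.

// Case 1: unset($a) after `global $a`, as in the first run.
function unset_local_alias() {
    $a = 4;
    global $a;              // $a now aliases $GLOBALS['a']; the local 4 is discarded
    unset($a);              // breaks only the local alias
    $after = isset($a) ? $a : null;
    $a = 3;                 // a brand new local, unrelated to the global
    return array($after, $a, $GLOBALS['a']);
}

// Case 2: unset($GLOBALS['a']) instead, as in the second run.
function unset_global_name() {
    $a = 4;
    global $a;
    unset($GLOBALS['a']);   // removes the global name; the local alias keeps the value
    $after = $a;
    $a = 3;                 // writes to the local only; there is no global left to share
    return array($after, $a, isset($GLOBALS['a']));
}

// The same rule with a plain reference and no globals involved.
function unset_one_side_of_reference() {
    $x = 2;
    $y = &$x;               // two names, one value
    unset($x);              // $y still holds the value
    return array(isset($x), $y);
}

$a = 2;
var_dump(unset_local_alias());
$a = 2;
var_dump(unset_global_name());
var_dump(unset_one_side_of_reference());
```

The first two functions return the same values the post reports for the "after unset", "after local assign" and "in page" lines; the third shows that nothing here is specific to globals or to functions, it is how references and unset() interact everywhere in PHP.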
--- Begin Message ---
Hi guys and girls,

I have a question for you all.

I have developed a flash application which is a test for students.  For each
test there is an accompanying excel spreadsheet that has information related
to each question they have answered and whether they got it right or wrong.
I am receiving whether the student got the question right or wrong in PHP
from FLASH.  That part is complete.  The other part I have complete is PHP
emailing the teacher with an attached excel spreadsheet renamed to
studentsname_results.xls. The last part I want to complete is that of the
students' results being inputted into the correct column in the spreadsheet
and then being attached to the email.

I am guessing I would be best to not attach a physical file that resides on
the server but build the data up inside PHP to resemble the file format I am
trying to generate and attach that to my email.

Two questions.

Can someone tell me the best format to be sending (i.e. the format that has
the best support for PHP) and also is this method dependent on the web
server being windows or linux based.  I am no expert but from what I can
gather I take it that COM object support is really just for windows based
web servers.

Thanks and all the best,

Nathan


--- End Message ---
