On 23 June 2010 08:53, Tanel Tammik wrote:
> Hi,
>
> is there a vulnerability with using $_SERVER['REMOTE_ADDR'] in sql queries?
>
With any and all input to sql queries: escape the input. Then you
don't have to ask the question.
Regards
Peter
--
WWW: http://plphp.dk / http://plind.dk
LinkedIn
There's a vulnerability in using anything from the user in SQL queries. Escape
it :)
On 23/06/2010, at 6:53 PM, Tanel Tammik wrote:
> Hi,
>
> is there a vulnerability with using $_SERVER['REMOTE_ADDR'] in sql queries?
>
> Br
> Tanel
>
>
>
> --
> PHP General Mailing List (http://www.php.net
On Wed, Jun 23, 2010 at 2:53 AM, Tanel Tammik wrote:
> Hi,
>
> is there a vulnerability with using $_SERVER['REMOTE_ADDR'] in sql queries?
>
> Br
> Tanel
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
As long as you treat it w
unlikely. it's a apache delivered ip address.. very little chance of
insert vulnerabilities, imho.
On Wed, Jun 23, 2010 at 8:53 AM, Tanel Tammik wrote:
> Hi,
>
> is there a vulnerability with using $_SERVER['REMOTE_ADDR'] in sql queries?
>
> Br
> Tanel
>
>
>
> --
> PHP General Mailing List (http:
This is somewhat related to the whole PCI/credit card discussion a
couple weeks back. The consensus was basically "leave it to other
people" - however, what if YOU are the other person?
I wonder if anyone has some BKMs to share about encrypting data in a
web application. A lot of people take the m
I was wondering, if there is a chance to manipulate the data this variable
holds?
Br
Tanel
"Rene Veerman" wrote in message
news:aanlktikwldeucxkru-4ni4pet5lq_5cc_vstnwrtx...@mail.gmail.com...
> unlikely. it's a apache delivered ip address.. very little chance of
> insert vulnerabilities, imho.
On Wed, Jun 23, 2010 at 12:06 AM, Rene Veerman wrote:
> unlikely. it's a apache delivered ip address.. very little chance of
> insert vulnerabilities, imho.
still, the overhead for a db escape is better than your site being trashed.
also, you could look at converting the IP to an INT(10) (at lea
On 23 June 2010 09:11, Michael Shadle wrote:
> This is somewhat related to the whole PCI/credit card discussion a
> couple weeks back. The consensus was basically "leave it to other
> people" - however, what if YOU are the other person?
>
> I wonder if anyone has some BKMs to share about encryptin
On Wed, Jun 23, 2010 at 12:21 AM, Peter Lind wrote:
> I haven't had to implement a scheme like this but for an app I'm
> working on we've been considering the same issues in order to keep
> member data safe. I would say your best bet is to keep the decryption
> key in memory while the app is runn
> -Original Message-
> From: Peter Lind [mailto:peter.e.l...@gmail.com]
> Sent: Wednesday, June 23, 2010 12:22 AM
> To: Michael Shadle
> Cc: PHP-General
> Subject: Re: [PHP] How to store encrypted data and how to store the key?
>
> On 23 June 2010 09:11, Michael Shadle wrote:
> > This is
> -Original Message-
> From: Michael Shadle [mailto:mike...@gmail.com]
> Sent: Wednesday, June 23, 2010 12:17 AM
> To: Rene Veerman
> Cc: Tanel Tammik; php-general@lists.php.net
> Subject: Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
>
> On Wed, Jun 23, 2010 at 12:06 AM, Rene Veerma
On Wed, Jun 23, 2010 at 1:01 AM, Tommy Pham wrote:
> If you're going to implement this, then it's better to implement the
> conversion in the backend DB (via SP or UDF). So you can always use MySQL
> query browser or the command line to run queries or other methods depending
> on your access
On Wed, Jun 23, 2010 at 12:55 AM, Tommy Pham wrote:
>> I haven't had to implement a scheme like this but for an app I'm working on
>> we've been considering the same issues in order to keep member data safe.
>> I would say your best bet is to keep the decryption key in memory while the
>
> This i
> -Original Message-
> From: Michael Shadle [mailto:mike...@gmail.com]
> Sent: Wednesday, June 23, 2010 1:07 AM
> To: Tommy Pham
> Cc: php-general@lists.php.net
> Subject: Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
>
> On Wed, Jun 23, 2010 at 1:01 AM, Tommy Pham
> wrote:
>
> > I
On Wed, Jun 23, 2010 at 1:12 AM, Tommy Pham wrote:
> Then I presume that your firewall, servers, and application is test proven
> 'bulletproof'? :-P
a) no such thing
b) pretty damn solid, yes
and the reason? because i don't overcomplicate things.
"a simple stack is a happy stack"
:)
--
PHP
> -Original Message-
> From: Michael Shadle [mailto:mike...@gmail.com]
> Sent: Wednesday, June 23, 2010 1:20 AM
> To: Tommy Pham
> Cc: php-general@lists.php.net
> Subject: Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
>
> On Wed, Jun 23, 2010 at 1:12 AM, Tommy Pham
> wrote:
>
> > T
> -Original Message-
> From: Michael Shadle [mailto:mike...@gmail.com]
> Sent: Wednesday, June 23, 2010 1:07 AM
> To: Tommy Pham
> Cc: php-general@lists.php.net
> Subject: Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
>
> On Wed, Jun 23, 2010 at 1:01 AM, Tommy Pham
> wrote:
>
> > I
On Tue, 2010-06-22 at 10:41 -0400, Daniel P. Brown wrote:
> On Tue, Jun 22, 2010 at 10:17, Mike Davies
> wrote:
> [snip!]
> >
> > Warning: reset() [function.reset]: Passed variable is not an array or
> > object in /home/b23aadf/public_html/news/details.php on line 72
> [snip!]
> >
> > Is anyone a
"Michael Shadle" wrote in message
news:aanlktildd_gdnlffpuwdx5acwwk45jbu4i6ybbmgj...@mail.gmail.com...
> On Wed, Jun 23, 2010 at 12:06 AM, Rene Veerman wrote:
>> unlikely. it's a apache delivered ip address.. very little chance of
>> insert vulnerabilities, imho.
>
> still, the overhead for a db
On 23 June 2010 01:03, Rick Dwyer wrote:
> $find = '/[^a-z0-9]/i';
Replace that with ...
$find = '/[^a-z0-9]++/i';
And now you only need ...
$new_string = trim(preg_replace($find, $replace, $old_string));
--
-
Richard Quadling
"Standing on the shoulders of some very clever giants!"
EE
On 23 June 2010 07:44, Tommy Pham wrote:
>> -Original Message-
>> From: James Colannino [mailto:ja...@colannino.org]
>> Sent: Tuesday, June 22, 2010 10:06 PM
>> To: PHP-General List
>> Subject: Re: [PHP] Question about logins and locking
>>
>> Tommy Pham wrote:
>>
>> > 1) Set an encrypted
On Wed, 2010-06-23 at 12:21 +0300, Tanel Tammik wrote:
> "Michael Shadle" wrote in message
> news:aanlktildd_gdnlffpuwdx5acwwk45jbu4i6ybbmgj...@mail.gmail.com...
> > On Wed, Jun 23, 2010 at 12:06 AM, Rene Veerman wrote:
> >> unlikely. it's a apache delivered ip address.. very little chance of
>
On 23 June 2010 10:09, Michael Shadle wrote:
> On Wed, Jun 23, 2010 at 12:55 AM, Tommy Pham wrote:
>
>>> I haven't had to implement a scheme like this but for an app I'm working on
>>> we've been considering the same issues in order to keep member data safe.
>>> I would say your best bet is to ke
Mike,
Little weird. I executed the same lines of code against my sample database
and did not got any warning. You might want to send the code for projects
and news to do any comparison?
*[I will silently wait for the PHP demi-gods (the Ashleys, the Pauls et al)
at hover their vigilant eyes on your
On Wed, 2010-06-23 at 15:55 +0530, Shreyas Agasthya wrote:
> Mike,
>
> Little weird. I executed the same lines of code against my sample database
> and did not got any warning. You might want to send the code for projects
> and news to do any comparison?
> *[I will silently wait for the PHP demi-
Hold everything, Mike!
On Wed, Jun 23, 2010 at 05:18, Mike Davies wrote:
[snip!]
>
> mysql_select_db($database_general, $general);
> $query_details = "SELECT * FROM news WHERE news_id = '$_GET[id]'";
/**
* Above line is placed here so that we can be easily,
* deliberately, a
Hello,
I am trying connect to freebsd. I have php 5.3.2 installed. I have to connect
using public keys, but without succes. Function ssh2_connect throws me
following error (then I have invalid resource for function
ssh2_auth_pubkey_file)...
PHP Warning: ssh2_connect(): Error starting up SSH
Hello,
I am trying connect to freebsd. I have php 5.3.2 installed. I have to connect
using public keys, but without succes. Function ssh2_connect throws me
following error (then I have invalid resource for function
ssh2_auth_pubkey_file)...
PHP Warning: ssh2_connect(): Error starting up SSH c
2010/6/23 Radek Krejča :
>
> PHP Warning: ssh2_connect(): Error starting up SSH connection(-5): Unable to
> exchange encryption keys in /usr/home/radek/pokus.php on line 14
Make sure that
the key file exists by that name in the location you're
specifying (hint: use a full p
From: Radek Krejca
> I am trying connect to freebsd. I have php 5.3.2 installed. I have to
connect
> using public keys, but without succes. Function ssh2_connect throws me
> following error (then I have invalid resource for function
ssh2_auth_pubkey_file)...
>
> PHP Warning: ssh2_connect(): Erro
> Have you tried opening the connection from the command line with OpenSSL
> or similar tools? Do you know those credentials will actually work?
Yes, It is my key (now I am testing), but I got this message before I run
ssh2_auth_public...
Radek
--
PHP General Mailing List (http://www.php.net/)
On Wed, Jun 23, 2010 at 6:09 AM, Peter Lind wrote:
> On 23 June 2010 10:09, Michael Shadle wrote:
>> On Wed, Jun 23, 2010 at 12:55 AM, Tommy Pham wrote:
>>
I haven't had to implement a scheme like this but for an app I'm working on
we've been considering the same issues in order to kee
Now that I'm finally landing some freelance PHP work, I am in need of some
software that I can add clients, enter estimates, keep track of hours, and
create invoices with. I'd like it to be Web-based. I could write my own, of
course, but why do it if it's already done?! Does anyone know of su
Make sure that
the key file exists by that name in the location you're
specifying (hint: use a full path).
it is the right key for that server.
the permissions on the file are very strict (chmod 0400 ssh-rsa).
I got error message immediately after
2010/6/23 Radek Krejča :
>
> Make sure that
>
> the key file exists by that name in the location you're
> specifying (hint: use a full path).
> it is the right key for that server.
> the permissions on the file are very strict (chmod 0400 ssh-rsa).
>
>
> I
On Wed, Jun 23, 2010 at 09:52, Floyd Resler wrote:
> Now that I'm finally landing some freelance PHP work, I am in need of some
> software that I can add clients, enter estimates, keep track of hours, and
> create invoices with. I'd like it to be Web-based. I could write my own, of
> course,
>
>Make sure that
>
> the key file exists by that name in the location you're
> specifying (hint: use a full path).
Its in ssh2_auth_public..., yes, I am using full path there.
> it is the right key for that server.
Yes, I use it with ssh command from line on the sam
On Wed, Jun 23, 2010 at 6:01 AM, Ashley Sheridan
wrote:
> That's what I'd use. You may also have to wrap it inside an abs() call
> to ensure it's a positive number, as some IP addresses equate to
> negative with ip2long().
NO NO NO NO NO
Andrew
--
PHP General Mailing List (http://www.php
On Wed, 2010-06-23 at 10:35 -0400, Andrew Ballard wrote:
> On Wed, Jun 23, 2010 at 6:01 AM, Ashley Sheridan
> wrote:
> > That's what I'd use. You may also have to wrap it inside an abs() call
> > to ensure it's a positive number, as some IP addresses equate to
> > negative with ip2long().
>
> NO
On Wed, Jun 23, 2010 at 09:52:21AM -0400, Floyd Resler wrote:
> Now that I'm finally landing some freelance PHP work, I am in need of some
> software that I can add clients, enter estimates, keep track of hours, and
> create invoices with. I'd like it to be Web-based. I could write my own, of
freshbooks.com
On 2010-06-23, at 11:44 AM, Paul M Foster wrote:
> On Wed, Jun 23, 2010 at 09:52:21AM -0400, Floyd Resler wrote:
>
>> Now that I'm finally landing some freelance PHP work, I am in need of some
>> software that I can add clients, enter estimates, keep track of hours, and
>> creat
On Wed, Jun 23, 2010 at 10:39 AM, Ashley Sheridan
wrote:
>
> On Wed, 2010-06-23 at 10:35 -0400, Andrew Ballard wrote:
>
> On Wed, Jun 23, 2010 at 6:01 AM, Ashley Sheridan
> wrote:
> > That's what I'd use. You may also have to wrap it inside an abs() call
> > to ensure it's a positive number, as s
On Wed, 2010-06-23 at 10:58 -0400, Andrew Ballard wrote:
> On Wed, Jun 23, 2010 at 10:39 AM, Ashley Sheridan
> wrote:
> >
> > On Wed, 2010-06-23 at 10:35 -0400, Andrew Ballard wrote:
> >
> > On Wed, Jun 23, 2010 at 6:01 AM, Ashley Sheridan
> > wrote:
> > > That's what I'd use. You may also have
On Wed, 2010-06-23 at 09:09 -0400, Daniel Brown wrote:
> Hold everything, Mike!
>
> On Wed, Jun 23, 2010 at 05:18, Mike Davies
> wrote:
> [snip!]
> >
> > > mysql_select_db($database_general, $general);
> > $query_details = "SELECT * FROM news WHERE news_id = '$_GET[id]'";
>
> /**
> *
On Wed, 2010-06-23 at 16:14 +0100, Mike Davies wrote:
> On Wed, 2010-06-23 at 09:09 -0400, Daniel Brown wrote:
> > Hold everything, Mike!
> >
> > On Wed, Jun 23, 2010 at 05:18, Mike Davies
> > wrote:
> > [snip!]
> > >
> > > > > mysql_select_db($database_general, $general);
> > > $query_details
On Wed, Jun 23, 2010 at 10:01 AM, Daniel P. Brown
wrote:
> On Wed, Jun 23, 2010 at 09:52, Floyd Resler wrote:
>> Now that I'm finally landing some freelance PHP work, I am in need of some
>> software that I can add clients, enter estimates, keep track of hours, and
>> create invoices with. I'd
On Wed, Jun 23, 2010 at 11:14, Mike Davies wrote:
>>
> Nothing is returned for SELECT query as there is nothing in the table as
> yet. Perhaps this is the problem. Typically all projects would have an
> associated thumb image but all news items may not. Perhaps a thumb image
> is necessary to stop
From: Ashley Sheridan
> Out of interest, how does PHP calculate the IP number, as it was my
> understanding of IP numbers that they can't be negative.
>
> For example, my IP address is 89.243.156.135
> The four parts as binary:
> 01011001
> 0011
> 10011100
> 1111
>
> >From there, I thoug
Please DO NOT click on the following link. It should have been sent in
a previous email. Seems like someone has hijacked my email and is
sending this to all my contacts.
Thanks,
Navid
On Wed, Jun 23, 2010 at 7:38 AM, Navid Yar wrote:
> http://saq9.grkhworld.com/
>
>
>
>
>
--
PHP General Maili
On Wed, 2010-06-23 at 16:22 +0100, Ashley Sheridan wrote:
> On Wed, 2010-06-23 at 16:14 +0100, Mike Davies wrote:
> If you haven't in your code, then make sure you define $thumbsarray as
> an array before you attempt to use it in the loop. This will have no
> effect where rows are returned, but i
On Wed, Jun 23, 2010 at 11:09 AM, Ashley Sheridan
wrote:
> Out of interest, how does PHP calculate the IP number, as it was my
> understanding of IP numbers that they can't be negative.
>
> For example, my IP address is 89.243.156.135
> The four parts as binary:
> 01011001
> 0011
> 10011100
>
On Jun 23, 2010, at 11:24 AM, Bastien Koert wrote:
> On Wed, Jun 23, 2010 at 10:01 AM, Daniel P. Brown
> wrote:
>> On Wed, Jun 23, 2010 at 09:52, Floyd Resler wrote:
>>> Now that I'm finally landing some freelance PHP work, I am in need of some
>>> software that I can add clients, enter estima
Do you have lexneter installed. I think that could be the problem.
2010/6/23 Radek Krejča
> >
> >Make sure that
> >
> > the key file exists by that name in the location you're
> > specifying (hint: use a full path).
> Its in ssh2_auth_public..., yes, I am using full path ther
Priceless. Could also be extended applied to babies too. ;-p
object babies extends mammal (
function eat (milk $food)
)
ROFL.
> -Original Message-
> From: Rene Veerman [mailto:rene7...@gmail.com]
> Sent: Tuesday, June 22, 2010 11:58 PM
>
> object mammal (
> function eat (mixed $fo
I talked with a friend who actually had this implemented before and
banks had signed off on it after reviewing it.
load balancer (irrelevant to the security piece)
web server(s) - only accepts traffic to port 80/443. can only forward
requests on to the app server, one direction.
app server(s) -
On 23 June 2010 20:55, Michael Shadle wrote:
> I talked with a friend who actually had this implemented before and
> banks had signed off on it after reviewing it.
>
> load balancer (irrelevant to the security piece)
>
> web server(s) - only accepts traffic to port 80/443. can only forward
> reque
On Wed, Jun 23, 2010 at 12:43 PM, Peter Lind wrote:
> I'm just wondering if this is a correct understanding:
> 1. plaintext data arrives on the web frontend.
or over SSL
> 2. It's sent to the app server
SSL or non-SSL - your choice
> 3. It's encrypted and sent to the DB server
encrypted or n
Do you have lexneter installed. I think that could be the problem.
2010/6/23 Radek Krejča
>
> Make sure that
What is lexneter please?
Radek
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Greetings All,
I am at a new Gig.
So this is the existing setup so changing it at least in the short term is
not an option.
We are in an IIS shop.
We have a bunch of files that are html, and in need of php functionality.
And that would be a BUNCH of files.
I am interested in setting if I can set
On Wed, 2010-06-23 at 16:26 -0600, Phillip Baker wrote:
> Greetings All,
>
> I am at a new Gig.
> So this is the existing setup so changing it at least in the short term is
> not an option.
>
> We are in an IIS shop.
> We have a bunch of files that are html, and in need of php functionality.
> A
> -Original Message-
> From: Ashley Sheridan [mailto:a...@ashleysheridan.co.uk]
> Sent: Wednesday, June 23, 2010 4:47 PM
> To: Phillip Baker
> Cc: PHP General List
> Subject: Re: [PHP] IIS, PHP and HTML
>
> On Wed, 2010-06-23 at 16:26 -0600, Phillip Baker wrote:
>
> > Greetings All,
> >
>
On Wed, 2010-06-23 at 17:34 -0700, Tommy Pham wrote:
> > -Original Message-
> > From: Ashley Sheridan [mailto:a...@ashleysheridan.co.uk]
> > Sent: Wednesday, June 23, 2010 4:47 PM
> > To: Phillip Baker
> > Cc: PHP General List
> > Subject: Re: [PHP] IIS, PHP and HTML
> >
> > On Wed, 2010-
62 matches
Mail list logo
