Re: [PHP] Fwd: Is it possible???
On Mon, Jun 24, 2013 at 06:17:33PM +0200, Maciek Sokolewicz wrote: Please please please please don't do this! 1) You did not answer the question, nor giving any related information. 2) This was debug-output. I see not point in optimizing. 3) print is language construct, just as is echo 4) the argument to print is converted to string anyways, so ... 5) the quotes around a single variable allows fast adding helping text while debugging; so it was on purpose You are not the only one that has a coding style for a reason. So back to topic: I guess the case-sensitive variables were the most helpfull hint for the thread-starter? If not please send a complete example of your code. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Thread-Hijacking (was: Re: [PHP] Fwd: Is it possible???)
Maciek Sokolewicz maciek.sokolew...@gmail.com wrote: Please please please please don't do this! Please Please Please Do Not Hijack Threads. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: Thread-Hijacking (was: Re: [PHP] Fwd: Is it possible???)
On 25 June 2013 10:02, Tamara Temple tamouse.li...@gmail.com wrote: Maciek Sokolewicz maciek.sokolew...@gmail.com wrote: Please please please please don't do this! Please Please Please Do Not Hijack Threads. Hijacking would be starting a completely different discussion in the same thread. This wasn't a discussion-starter, rather a warning ;) - Tul
[PHP] Fwd: Is it possible???
Error in my last post This is corrected: $item_amount_in_store = 223; $update_amount = 7; $item_amount_in_Store += $update_amount; It show the result = 227 and not 230. Why is this happen? Karl -- Forwarded message -- From: Karl-Arne Gjersøyen karlar...@gmail.com Date: 2013/6/24 Subject: Is it possible??? To: PHP Mailinglist php-general@lists.php.net $item_amount_in_store = 223; $update_amount = 7; $update_item_amount_in_store += $update_amount; $update_amoint_in_store is now 227; Why? That should be 230! Karl -- Hjemmeside: http://www.karl-arne.name/
Re: [PHP] Fwd: Is it possible???
On 24 Jun 2013, at 13:02, Karl-Arne Gjersøyen karlar...@gmail.com wrote: Error in my last post This is corrected: $item_amount_in_store = 223; $update_amount = 7; $item_amount_in_Store += $update_amount; It show the result = 227 and not 230. Why is this happen? Something else is going on to give you 227, but variable names are case sensitive which is why you're not getting what you expect. ?php $item_amount_in_store = 223; $update_amount = 7; $item_amount_in_Store += $update_amount; var_dump($item_amount_in_store); var_dump($item_amount_in_Store); ? Output: int(223) int(7) -Stuart -- Stuart Dallas 3ft9 Ltd http://3ft9.com/ -- Forwarded message -- From: Karl-Arne Gjersøyen karlar...@gmail.com Date: 2013/6/24 Subject: Is it possible??? To: PHP Mailinglist php-general@lists.php.net $item_amount_in_store = 223; $update_amount = 7; $update_item_amount_in_store += $update_amount; $update_amoint_in_store is now 227; Why? That should be 230! Karl -- Hjemmeside: http://www.karl-arne.name/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Fwd: Is it possible???
You should give a complete programm so we can run exactly the same you do, like this: ?php $item_amount_in_store = 223; print ($item_amount_in_store); $update_amount = 7; $item_amount_in_store += $update_amount; print ( + $update_amount = $item_amount_in_store ); ? which gives this result: 223 + 7 = 230 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Fwd: Is it possible???
variables are case-sensitive. $item_amount_in_store is different from $item_amount_in_Store 1st variable contains all lowercase characters, while the 2nd one contains S uppercase character. happy coding sachin On Mon, Jun 24, 2013 at 5:32 PM, Karl-Arne Gjersøyen karlar...@gmail.comwrote: Error in my last post This is corrected: $item_amount_in_store = 223; $update_amount = 7; $item_amount_in_Store += $update_amount; It show the result = 227 and not 230. Why is this happen? Karl -- Forwarded message -- From: Karl-Arne Gjersøyen karlar...@gmail.com Date: 2013/6/24 Subject: Is it possible??? To: PHP Mailinglist php-general@lists.php.net $item_amount_in_store = 223; $update_amount = 7; $update_item_amount_in_store += $update_amount; $update_amoint_in_store is now 227; Why? That should be 230! Karl -- Hjemmeside: http://www.karl-arne.name/
Re: [PHP] Fwd: Is it possible???
On 24-6-2013 14:27, n...@nobswolf.info wrote: You should give a complete programm so we can run exactly the same you do, like this: ?php $item_amount_in_store = 223; print ($item_amount_in_store); Please please please please don't do this! First of all, I don't know why you would use the print *function* when you can also use the echo language construct (better and faster). But that's not that important; it's not bad to use it, just imo a bit ugly (pet peeve ;)). But more importantly: $variable is completely and utterly useless. You're basically creating a string, interpolating a variable in it, and adding no more content. This is effectively the same as saying: print(.$var.) Does that look right to you? To me it looks... wrong... Why not just a simple: echo $var; or print($var) if you really must. And if you really really must cast the variable to a string, you can always use the explicit: (string) $var $update_amount = 7; $item_amount_in_store += $update_amount; print ( + $update_amount = $item_amount_in_store ); ? which gives this result: 223 + 7 = 230 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Fwd: Is it possible???
Amen! Am 24.06.2013 18:17, schrieb Maciek Sokolewicz: On 24-6-2013 14:27, n...@nobswolf.info wrote: You should give a complete programm so we can run exactly the same you do, like this: ?php $item_amount_in_store = 223; print ($item_amount_in_store); Please please please please don't do this! First of all, I don't know why you would use the print *function* when you can also use the echo language construct (better and faster). But that's not that important; it's not bad to use it, just imo a bit ugly (pet peeve ;)). But more importantly: $variable is completely and utterly useless. You're basically creating a string, interpolating a variable in it, and adding no more content. This is effectively the same as saying: print(.$var.) Does that look right to you? To me it looks... wrong... Why not just a simple: echo $var; or print($var) if you really must. And if you really really must cast the variable to a string, you can always use the explicit: (string) $var $update_amount = 7; $item_amount_in_store += $update_amount; print ( + $update_amount = $item_amount_in_store ); ? which gives this result: 223 + 7 = 230 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Fwd: Is it possible???
Am 24.06.2013 18:17, schrieb Maciek Sokolewicz: On 24-6-2013 14:27, n...@nobswolf.info wrote: You should give a complete programm so we can run exactly the same you do, like this: ?php $item_amount_in_store = 223; print ($item_amount_in_store); Please please please please don't do this! First of all, I don't know why you would use the print *function* when you can also use the echo language construct (better and faster). But read and learn http://de2.php.net/manual/en/function.print.php print is not actually a real function (it is a language construct) -- Marco Behnke Dipl. Informatiker (FH), SAE Audio Engineer Zend Certified Engineer PHP 5.3 Tel.: 0174 / 9722336 e-Mail: ma...@behnke.biz Softwaretechnik Behnke Heinrich-Heine-Str. 7D 21218 Seevetal http://www.behnke.biz smime.p7s Description: S/MIME Kryptografische Unterschrift
Re: [PHP] How is this possible???? (addslashes)
On Thu, 17 Feb 2011 07:50:45 +0700, Daniel Brown paras...@gmail.com wrote: No offense, but are you kidding me? The host disables phpinfo() for security reasons, but keeps 4.4.4 running? Talk about running, Paul run away from them. Fast. AND they have a condition (this reported) that could cause (fail to prevent) SQL injection! Legacy configurations remain when ISPs don't want to force customers to do the code changes that might be necessary to upgrade It runs. I'd rather not do the changes necessary to go to PHP5 now. But I cannot add an edit HTML via forms feature to the administration until this is resolved. I want to get to the bottom of this. PLEASE!! ANYONE ??? HOW COULD THIS POSSIBLY HAPPEN. They must have something messed up in the PHP configuration. What is it? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] How is this possible???? (addslashes)
Can anyone please tell me how the addslashes output (note = Everyone''s a card on the \earth) in the following example is possible. It is addslashes output but this result is consistent with the output from post when runtime is set: 1): a single quote is inserted before a single quote and nothing is added before or \. php: ... --- ?php //error_reporting(E_ALL); echo 'display_errors = ' . ini_get('display_errors') . br; echo 'register_globals = ' . ini_get('register_globals') . br; echo 'magic_quotes_gpc = ' . ini_get('magic_quotes_gpc') . br; echo 'get_magic_quotes_gpc = ' . get_magic_quotes_gpc() . br; echo 'get_magic_quotes_runtime = ' . get_magic_quotes_runtime() . br; echo brbr; echo br; echo 'Current PHP version: ' . phpversion(); echo brbr; ? ?php $note = Everyone's a card on the \earth; echo br$notebr; $note = addslashes($note); echo brnote = $notebr; ? ?php phpinfo(); ? - output: display_errors = 1 register_globals = 1 magic_quotes_gpc = 1 get_magic_quotes_gpc = 1 get_magic_quotes_runtime = 1 Current PHP version: 4.4.4 Everyone's a card on the \earth note = Everyone''s a card on the \earth Warning: phpinfo() has been disabled for security reasons in --- -- Using Opera's revolutionary email client: http://www.opera.com/mail/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] How is this possible???? (addslashes)
On Feb 16, 2011 7:07 PM, Paul S pau...@roadrunner.com wrote: Can anyone please tell me how the addslashes output (note = Everyone''s a card on the \earth) in the following example is possible. It is addslashes output but this result is consistent with the output from post when runtime is set: 1): a single quote is inserted before a single quote and nothing is added before or \. php: ... --- ?php //error_reporting(E_ALL); echo 'display_errors = ' . ini_get('display_errors') . br; echo 'register_globals = ' . ini_get('register_globals') . br; echo 'magic_quotes_gpc = ' . ini_get('magic_quotes_gpc') . br; echo 'get_magic_quotes_gpc = ' . get_magic_quotes_gpc() . br; echo 'get_magic_quotes_runtime = ' . get_magic_quotes_runtime() . br; echo brbr; echo br; echo 'Current PHP version: ' . phpversion(); echo brbr; ? ?php $note = Everyone's a card on the \earth; echo br$notebr; $note = addslashes($note); echo brnote = $notebr; ? ?php phpinfo(); ? - output: display_errors = 1 register_globals = 1 magic_quotes_gpc = 1 get_magic_quotes_gpc = 1 get_magic_quotes_runtime = 1 Current PHP version: 4.4.4 No offense, but are you kidding me? The host disables phpinfo() for security reasons, but keeps 4.4.4 running? Talk about running, Paul run away from them. Fast. Everyone's a card on the \earth note = Everyone''s a card on the \earth Warning: phpinfo() has been disabled for security reasons in --- -- Using Opera's revolutionary email client: http://www.opera.com/mail/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: Is it possible to create a global namespace alias?
I'm assuming there is no way to make a global alias. Can anyone confirm/deny this? Matt Palermo wrote in message news:5e7b8989448b45dbbeeb6fb89b3f3...@rachet... Is it possible to create a global namespace alias in PHP or does the alias have to be defined in EVERY file that I use? Here is an example: file: main.php ?php use \this\is\my\custom\namespace\Item as nsItem; ? file: index.php ?php require_once “main.php”; // Attempt to use namespace alias defined in main.php file nsItem::test(); ? The above code doesn’t work for me. The namespace alias defined in the main.php file isn’t accessible in the index.php file. Is there a way to make the “nsItem” alias a “global” one, so that I don’t have to define it in EVERY file that I want to use? -Matt -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Is it possible to create a global namespace alias?
On Tue, Oct 5, 2010 at 8:41 AM, Matt Palermo palermom...@gmail.com wrote: I'm assuming there is no way to make a global alias. Can anyone confirm/deny this? I reread the documentation on namespaces, and from what I can tell this is no way to do it. Each file maintains its own active namespace *at compile time*. This means you can't even get around it with eval() or including another script to set it. I can't say I'm positive someone won't find a way around it, but short of an extension I don't see one. David
[PHP] SOAPParam - Does it possible?
Hi, I'm creating a wsdl server but I have one doubt about the soapparam::soapparam(). I want to know how to return several parameters using the soapparam::soapparam(). I'm doing this: class MyApi implements API { public function Send($param) { $resp = array('resposta' = 'works', 'events' = array ('from' = 'smith', 'text' = 'Hello world', 'to' = 'john')); return new SoapParam($resp, 'events'); } Looking in the php.net Docs the soapparam() has this definition: *SoapParam::SoapParam* ( mixedhttp://br3.php.net/manual/en/language.pseudo-types.php#language.types.mixed $data , string $name ) *data* The data to pass or return. This parameter can be passed directly as PHP value, but in this case it will be named as *paramN* and the SOAP service may not understand it. *name* The parameter name. But How can I return the entire array: $resp = array('resposta' = 'works', 'events' = array ('from' = 'smith', 'text' = 'Hello world', 'to' = 'john')); ? Looks this wsdl schema in this email I think you will understand more about my problem. Thanks Augusto Morais -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] How is this possible?
Hi gang: I am reviewing some old code (circa 2003) where the programmer had one script call another and placed variable values in the URL, like so: a href=user_edit.php?user_id=5223action=edit That seems innocent enough. However, in the called script (i.e., user_edit.php) there are no: $user_id = $_GET['user_id']; $action = $_GET['action']; statements to populate the variables, yet the variables get populated with the values sent!?! How did he do that? Incidentally, he did have in the .htaccess file the statement: php_flag register_globals 1 So I figure that Globals have something to do with it, but I never use Globals. And if I print_r $GLOBALS, I find that user_id and action are listed (many times), but I don't see how that works. Furthermore, something got changed and the entire script no longer works. So I'm in a quandary to figure this out -- any ideas, suggestions, references? Thanks, tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] How is this possible?
2009/10/28 tedd t...@sperling.com: Hi gang: http://php.net/manual/en/security.globals.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] How is this possible?
I don't do this personally, but you can probably get your script working by doing something like this: foreach( $_GET as $k = $v ) $$k = $v; You would put that at the top of your page, but be aware that it allows other people to set variables on your page (just like register globals does). If you want to do basic sanitization to your incoming values, such as trimming them, you can do something like this too: foreach( $_GET as $k = $v ) $$k = trim( $v ); None of this is best practices, FYI. Adam. On Wed, Oct 28, 2009 at 10:29 AM, David Otton phpm...@jawbone.freeserve.co.uk wrote: 2009/10/28 tedd t...@sperling.com: Hi gang: http://php.net/manual/en/security.globals.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- Adam Randall http://www.xaren.net AIM: blitz574 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] How is this possible?
On Wed, Oct 28, 2009 at 1:27 PM, tedd t...@sperling.com wrote: Hi gang: I am reviewing some old code (circa 2003) where the programmer had one script call another and placed variable values in the URL, like so: a href=user_edit.php?user_id=5223action=edit That seems innocent enough. However, in the called script (i.e., user_edit.php) there are no: $user_id = $_GET['user_id']; $action = $_GET['action']; statements to populate the variables, yet the variables get populated with the values sent!?! How did he do that? Incidentally, he did have in the .htaccess file the statement: php_flag register_globals 1 So I figure that Globals have something to do with it, but I never use Globals. And if I print_r $GLOBALS, I find that user_id and action are listed (many times), but I don't see how that works. Furthermore, something got changed and the entire script no longer works. So I'm in a quandary to figure this out -- any ideas, suggestions, references? Thanks, tedd That's exactly what register_globals does. It's analogous to prepending your scripts with this: ?php extract($_GET); extract($_POST); extract($_COOKIE); extract($_SESSION); ? (The order would be determined by the ini directive variables_order) Andrew -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] How is this possible?
On Wed, 2009-10-28 at 13:47 -0400, Andrew Ballard wrote: On Wed, Oct 28, 2009 at 1:27 PM, tedd t...@sperling.com wrote: Hi gang: I am reviewing some old code (circa 2003) where the programmer had one script call another and placed variable values in the URL, like so: a href=user_edit.php?user_id=5223action=edit That seems innocent enough. However, in the called script (i.e., user_edit.php) there are no: $user_id = $_GET['user_id']; $action = $_GET['action']; statements to populate the variables, yet the variables get populated with the values sent!?! How did he do that? Incidentally, he did have in the .htaccess file the statement: php_flag register_globals 1 So I figure that Globals have something to do with it, but I never use Globals. And if I print_r $GLOBALS, I find that user_id and action are listed (many times), but I don't see how that works. Furthermore, something got changed and the entire script no longer works. So I'm in a quandary to figure this out -- any ideas, suggestions, references? Thanks, tedd That's exactly what register_globals does. It's analogous to prepending your scripts with this: ?php extract($_GET); extract($_POST); extract($_COOKIE); extract($_SESSION); ? (The order would be determined by the ini directive variables_order) Andrew Register globals is evil; somewhere between M$ and the chocolate that are always left over in the Xmas tin that nobody likes. Best bet is to try and steer the system away from it's dependency on this old directive. Thanks, Ash http://www.ashleysheridan.co.uk
Re: [PHP] How is this possible? [Solved]
To all: I found the problem, which basically was that I had declared a variable in a preceding script with the same name, namely $user_id. When I changed my script to $u_id, everything worked as before. Clearly, Globals are evil. It's a bitch to have to work with code you can't change unless you are willing to edit over 1500 files. Many thanks for all input and suggestions. Cheers, tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] How is this possible? [Solved]
From: tedd I found the problem, which basically was that I had declared a variable in a preceding script with the same name, namely $user_id. When I changed my script to $u_id, everything worked as before. Clearly, Globals are evil. It's a bitch to have to work with code you can't change unless you are willing to edit over 1500 files. Just keep in mind that register_globals is deprecated and will be going away in a future release of PHP. You might want to start thinking about a strategy to update those files before that happens. Bob McConnell -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] How is this possible? [Solved]
Bob McConnell wrote: From: tedd I found the problem, which basically was that I had declared a variable in a preceding script with the same name, namely $user_id. When I changed my script to $u_id, everything worked as before. Clearly, Globals are evil. It's a bitch to have to work with code you can't change unless you are willing to edit over 1500 files. Just keep in mind that register_globals is deprecated and will be going away in a future release of PHP. You might want to start thinking about a strategy to update those files before that happens. Bob McConnell I don't think his problem was register_globals, I think it was the other problem of globals... namely variable naming collision causing value clobber. Cheers, Rob. -- http://www.interjinn.com Application and Templating Framework for PHP -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] How is this possible? [Solved]
At 2:48 PM -0400 10/28/09, Robert Cummings wrote: Bob McConnell wrote: From: tedd I found the problem, which basically was that I had declared a variable in a preceding script with the same name, namely $user_id. When I changed my script to $u_id, everything worked as before. Clearly, Globals are evil. It's a bitch to have to work with code you can't change unless you are willing to edit over 1500 files. Just keep in mind that register_globals is deprecated and will be going away in a future release of PHP. You might want to start thinking about a strategy to update those files before that happens. Bob McConnell I don't think his problem was register_globals, I think it was the other problem of globals... namely variable naming collision causing value clobber. Cheers, Rob. Rob: You were exactly right -- it was a collision. Now, if I can only find out why header(location:..); stopped working. Sometimes old code presents a lot of problems to solve. Thanks, tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] How is this possible? [Solved]
tedd wrote: At 2:48 PM -0400 10/28/09, Robert Cummings wrote: Bob McConnell wrote: From: tedd I found the problem, which basically was that I had declared a variable in a preceding script with the same name, namely $user_id. When I changed my script to $u_id, everything worked as before. Clearly, Globals are evil. It's a bitch to have to work with code you can't change unless you are willing to edit over 1500 files. Just keep in mind that register_globals is deprecated and will be going away in a future release of PHP. You might want to start thinking about a strategy to update those files before that happens. Bob McConnell I don't think his problem was register_globals, I think it was the other problem of globals... namely variable naming collision causing value clobber. Cheers, Rob. Rob: You were exactly right -- it was a collision. Now, if I can only find out why header(location:..); stopped working. Sometimes old code presents a lot of problems to solve. Thanks, tedd I would use headers_sent() to find out if the headers have been sent before calling header() -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Problems with APC, possible cache-corruption?
On Sun, Jun 21, 2009 at 6:17 PM, James McLean james.mcl...@gmail.comwrote: On Mon, Jun 22, 2009 at 9:40 AM, Nathan Nobbequickshif...@gmail.com wrote: On Sun, Jun 21, 2009 at 5:56 PM, James McLean james.mcl...@gmail.com wrote: did you take a look at the size of the cache you created ? Yes. Tried multiple segments and single, with cache size values between 128mb and 256mb. Also tried with stat on and off. also, arent you planning to cache php opcodes, so if you load up the page, index.html, i would expect to see a bunch of php files mentioned in the apc cache.. Well, index.html wouldn't be cached because it's not parsed by the PHP engine. But yes, if it were index.php for example each compiled PHP file is then cached in the opcode cache - include files and everything. This is how it works on every other APC installation i've tried :) This installation is not doing that, even though this is the default behaviour. if apc has support for output caching, ive not yet used it so im not sure how much i could help there (sort of sounds like youre shooting for output caching the way you describe things above). No, i'm not looking for output caching. Apologies if my original email was poorly worded. maybe you could dump out your ini settings for apc and share them here? No need. they're all default as reccomended by PHP and APC. hmm, 2 other thoughts i have.. . long shot, but do you have apc.php installed on a diff domain than the moodle app (not sure but i suspect apc.php only shows cached values for the domain in which its currently running (i know this is something eaccelerator does). . as a test, perhaps setup a simple test site, w/ 2 files, apc.php and one index.php file on this rhel box. if things are working (index.php cached w/ apc.php), it would seem something goofy is going on indside the moodle app. -nathan
Re: [PHP] Problems with APC, possible cache-corruption?
On Tue, Jun 23, 2009 at 6:17 AM, Nathan Nobbequickshif...@gmail.com wrote: hmm, 2 other thoughts i have.. . long shot, but do you have apc.php installed on a diff domain than the moodle app (not sure but i suspect apc.php only shows cached values for the domain in which its currently running (i know this is something eaccelerator does). No. Same domain. . as a test, perhaps setup a simple test site, w/ 2 files, apc.php and one index.php file on this rhel box. if things are working (index.php cached w/ apc.php), it would seem something goofy is going on indside the moodle app. The RHEL box works flawlessly, as has almost every other APC install i've ever done. I simply used it as an example that Moodle likely wasn't at fault, and I have since further proved this by grepping the source - it isn't setting any of it's own apc filters as suggested before. On the APC install that is not working correctly, when I switch between my info.php and apc.php files - the counter on the cached file (apc.php) resets, and info.php is not cached. That was all outlined in the original email. I guess this is not a common issue, no one seems to have experienced it before.. Cheers -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Problems with APC, possible cache-corruption?
(Resend from around 1 week ago, because of no responses) Hi All, Over the weekend I setup a test of APC intending to benchmark a Moodle installation with various APC settings to see how well I could get it to perform. I successfully installed Moodle 1.9 and 2.0 under Apache 2.2.3 (installed via apt on Ubuntu 9.04), and with PHP 5.2.9 compiled from source. I should note, that Ubuntu had an older version of PHP installed from apt with Suhosin hardened PHP built in. Moodle 2.0 required at least PHP 5.2.8, so I uninstalled the original PHP module before compiling and installing the 5.2.9. No issues there; PHP worked well and performance was (mostly) acceptable. Progressed onto installing APC, firstly by downloading the APC 3.1.2 source from PECL and following the usual 'phpize, configure, make, make install' process which worked as expected, stop and start Apache and APC was present in my phpinfo();. I started with the reccomended PHP config exept with error_display turned on and E_ALL | E_STRICT enabled, and also the reccomended APC config also. I copied the 'apc.php' from the source tree to my webroot and changed the password as suggested. The issue arose when I attempted to benchmark my Moodle install with 'ab' (I realise it only downloads the single page, but it's good enough for what I need for now though) and the result was no different to before I had installed APC. View the apc.php page, and the only page cached is apc.php itself.. Certainly not what I've witnessed in the past. Then what would happen was if I viewed my seperate info.php page containing simply the opening PHP tag and a single line with phpinfo(); in the file - the cache would appear to reset, and it would firstly not load the info.php into the cache, it would reset the counter on the apc.php file back to 0. Through all of this, there was no errors displayed on the screen and no errors listed in the Apache error log either. Increased the Apache log level up to Debug, and no related information was displayed. Moodle itself worked as expected with no errors, and on a seperate RHEL installation I have Moodle working with APC and it is caching all it's files as expected. At this point, I thought it may be an issue with the module I compiled myself. I backed up the module, and allowed PECL to install the module, it installed 3.0.19. Restarted Apache and verified the version was as PECL had built and installed. This had no effect, and yeilded the same behaviour. I'm stumped as to what the issue could be, however I did see this issue of APC not caching files on an installation of Red Hat Enterprise Linux in the past - however at the time we assumed it was an issue with the framework we were using and due to time constraints simply ran without APC and didn't investigate further. Has anyone seen this issue in the past and perhaps even rectified it? Any information would be appreciated. Cheers, James -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Problems with APC, possible cache-corruption?
On Sun, Jun 21, 2009 at 5:56 PM, James McLean james.mcl...@gmail.comwrote: (Resend from around 1 week ago, because of no responses) Hi All, Over the weekend I setup a test of APC intending to benchmark a Moodle installation with various APC settings to see how well I could get it to perform. I successfully installed Moodle 1.9 and 2.0 under Apache 2.2.3 (installed via apt on Ubuntu 9.04), and with PHP 5.2.9 compiled from source. I should note, that Ubuntu had an older version of PHP installed from apt with Suhosin hardened PHP built in. Moodle 2.0 required at least PHP 5.2.8, so I uninstalled the original PHP module before compiling and installing the 5.2.9. No issues there; PHP worked well and performance was (mostly) acceptable. Progressed onto installing APC, firstly by downloading the APC 3.1.2 source from PECL and following the usual 'phpize, configure, make, make install' process which worked as expected, stop and start Apache and APC was present in my phpinfo();. I started with the reccomended PHP config exept with error_display turned on and E_ALL | E_STRICT enabled, and also the reccomended APC config also. I copied the 'apc.php' from the source tree to my webroot and changed the password as suggested. The issue arose when I attempted to benchmark my Moodle install with 'ab' (I realise it only downloads the single page, but it's good enough for what I need for now though) and the result was no different to before I had installed APC. View the apc.php page, and the only page cached is apc.php itself.. Certainly not what I've witnessed in the past. Then what would happen was if I viewed my seperate info.php page containing simply the opening PHP tag and a single line with phpinfo(); in the file - the cache would appear to reset, and it would firstly not load the info.php into the cache, it would reset the counter on the apc.php file back to 0. Through all of this, there was no errors displayed on the screen and no errors listed in the Apache error log either. Increased the Apache log level up to Debug, and no related information was displayed. Moodle itself worked as expected with no errors, and on a seperate RHEL installation I have Moodle working with APC and it is caching all it's files as expected. At this point, I thought it may be an issue with the module I compiled myself. I backed up the module, and allowed PECL to install the module, it installed 3.0.19. Restarted Apache and verified the version was as PECL had built and installed. This had no effect, and yeilded the same behaviour. I'm stumped as to what the issue could be, however I did see this issue of APC not caching files on an installation of Red Hat Enterprise Linux in the past - however at the time we assumed it was an issue with the framework we were using and due to time constraints simply ran without APC and didn't investigate further. Has anyone seen this issue in the past and perhaps even rectified it? Any information would be appreciated. did you take a look at the size of the cache you created ? also, arent you planning to cache php opcodes, so if you load up the page, index.html, i would expect to see a bunch of php files mentioned in the apc cache.. if apc has support for output caching, ive not yet used it so im not sure how much i could help there (sort of sounds like youre shooting for output caching the way you describe things above). maybe you could dump out your ini settings for apc and share them here? -nathan
Re: [PHP] Problems with APC, possible cache-corruption?
On Mon, Jun 22, 2009 at 9:40 AM, Nathan Nobbequickshif...@gmail.com wrote: On Sun, Jun 21, 2009 at 5:56 PM, James McLean james.mcl...@gmail.com wrote: did you take a look at the size of the cache you created ? Yes. Tried multiple segments and single, with cache size values between 128mb and 256mb. Also tried with stat on and off. also, arent you planning to cache php opcodes, so if you load up the page, index.html, i would expect to see a bunch of php files mentioned in the apc cache.. Well, index.html wouldn't be cached because it's not parsed by the PHP engine. But yes, if it were index.php for example each compiled PHP file is then cached in the opcode cache - include files and everything. This is how it works on every other APC installation i've tried :) This installation is not doing that, even though this is the default behaviour. if apc has support for output caching, ive not yet used it so im not sure how much i could help there (sort of sounds like youre shooting for output caching the way you describe things above). No, i'm not looking for output caching. Apologies if my original email was poorly worded. maybe you could dump out your ini settings for apc and share them here? No need. they're all default as reccomended by PHP and APC. Thanks, James -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Problems with APC, possible cache-corruption?
Can you do a phpinfo(); and tell us the value of the setting apc.filters (or every apc.* if you can)? Just curious, but I've seen apps set that setting to avoid APC opcode caching. Jonathan On Sun, Jun 21, 2009 at 8:56 PM, James McLeanjames.mcl...@gmail.com wrote: (Resend from around 1 week ago, because of no responses) Hi All, Over the weekend I setup a test of APC intending to benchmark a Moodle installation with various APC settings to see how well I could get it to perform. I successfully installed Moodle 1.9 and 2.0 under Apache 2.2.3 (installed via apt on Ubuntu 9.04), and with PHP 5.2.9 compiled from source. I should note, that Ubuntu had an older version of PHP installed from apt with Suhosin hardened PHP built in. Moodle 2.0 required at least PHP 5.2.8, so I uninstalled the original PHP module before compiling and installing the 5.2.9. No issues there; PHP worked well and performance was (mostly) acceptable. Progressed onto installing APC, firstly by downloading the APC 3.1.2 source from PECL and following the usual 'phpize, configure, make, make install' process which worked as expected, stop and start Apache and APC was present in my phpinfo();. I started with the reccomended PHP config exept with error_display turned on and E_ALL | E_STRICT enabled, and also the reccomended APC config also. I copied the 'apc.php' from the source tree to my webroot and changed the password as suggested. The issue arose when I attempted to benchmark my Moodle install with 'ab' (I realise it only downloads the single page, but it's good enough for what I need for now though) and the result was no different to before I had installed APC. View the apc.php page, and the only page cached is apc.php itself.. Certainly not what I've witnessed in the past. Then what would happen was if I viewed my seperate info.php page containing simply the opening PHP tag and a single line with phpinfo(); in the file - the cache would appear to reset, and it would firstly not load the info.php into the cache, it would reset the counter on the apc.php file back to 0. Through all of this, there was no errors displayed on the screen and no errors listed in the Apache error log either. Increased the Apache log level up to Debug, and no related information was displayed. Moodle itself worked as expected with no errors, and on a seperate RHEL installation I have Moodle working with APC and it is caching all it's files as expected. At this point, I thought it may be an issue with the module I compiled myself. I backed up the module, and allowed PECL to install the module, it installed 3.0.19. Restarted Apache and verified the version was as PECL had built and installed. This had no effect, and yeilded the same behaviour. I'm stumped as to what the issue could be, however I did see this issue of APC not caching files on an installation of Red Hat Enterprise Linux in the past - however at the time we assumed it was an issue with the framework we were using and due to time constraints simply ran without APC and didn't investigate further. Has anyone seen this issue in the past and perhaps even rectified it? Any information would be appreciated. Cheers, James -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Problems with APC, possible cache-corruption?
On Mon, Jun 22, 2009 at 10:02 AM, Jonathan Tapicertapi...@gmail.com wrote: Can you do a phpinfo(); and tell us the value of the setting apc.filters (or every apc.* if you can)? Just curious, but I've seen apps set that setting to avoid APC opcode caching. Certainly, however it will have to wait until I am home and have access to that machine again. Though I'm not sure that would be the case as APC is caching all Moodle files on my development server here. That being said I'll grep the codebase anyway to see if it's setting any filters. Thanks. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] No Database Connection possible (mySQL)
Hi all, I am having problems with a connection to a mysql database. I am using function con() { mysql_connect(localhost,user,pass) or die(mysql_error()); mysql_select_db(tava) or die(mysql_error()); } Now, when I call the _function_ (!) con() or die(no con); I get the no con output. When I call the mysql_connect and mysql_select directly before executing a query, I get some DB output. But that won't work when I am using the function... Any ideas would be greatly appreciated. Cheers! Chris
[PHP] FW: [SPAM] [PHP] No Database Connection possible (mySQL)
-Original Message- From: Aviation Coding [mailto:[EMAIL PROTECTED] Sent: Friday, July 04, 2008 10:15 AM To: php-general@lists.php.net Subject: [SPAM] [PHP] No Database Connection possible (mySQL) Importance: Low Hi all, I am having problems with a connection to a mysql database. I am using function con() { mysql_connect(localhost,user,pass) or die(mysql_error()); mysql_select_db(tava) or die(mysql_error()); } Now, when I call the _function_ (!) con() or die(no con); I get the no con output. When I call the mysql_connect and mysql_select directly before executing a query, I get some DB output. But that won't work when I am using the function... Any ideas would be greatly appreciated. Cheers! Chris It's a bit of a long shot but are you using variables in the function which might be out of scope? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] FW: [SPAM] [PHP] No Database Connection possible (mySQL)
-Original Message- From: Chris Scott [mailto:[EMAIL PROTECTED] Sent: Friday, July 04, 2008 11:41 AM To: php-general@lists.php.net Subject: [PHP] FW: [SPAM] [PHP] No Database Connection possible (mySQL) Importance: Low -Original Message- From: Aviation Coding [mailto:[EMAIL PROTECTED] Sent: Friday, July 04, 2008 10:15 AM To: php-general@lists.php.net Subject: [SPAM] [PHP] No Database Connection possible (mySQL) Importance: Low Hi all, I am having problems with a connection to a mysql database. I am using function con() { mysql_connect(localhost,user,pass) or die(mysql_error()); mysql_select_db(tava) or die(mysql_error()); } Now, when I call the _function_ (!) con() or die(no con); I get the no con output. When I call the mysql_connect and mysql_select directly before executing a query, I get some DB output. But that won't work when I am using the function... Any ideas would be greatly appreciated. Cheers! Chris It's a bit of a long shot but are you using variables in the function which might be out of scope? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php Hi mate, no, I am using no variables in the other function. The function goes like con() or die(no con); $query = SELECT ; and so on and I always get no con... Cheers! Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: Is it possible to get the name of the top most calling script?
If the scripts are using a common file, [e.g., config, functions, etc.] you could define two constants. define(ORG_FILE, __FILE__); define(ORG_LINE, __LINE__); barophobia wrote: Hello, I know that __FILE__ and __LINE__ report on the file and line that they occur in. What I want is to be able to get the file name and line of the calling script. The only way I can do this so far is by passing the values through function arguments. Is there any way around this? Thanks, Chris. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: Is this possible with php
Mace Eliason wrote: Hi, I really don't think this is possible from what I know of php, but I thought I would as the experts. Is it possible to have php create directories and move files on a local machine. I have created a web portal for a client and now they would like it to upload files to an server, no a problem. But they would like it to also move temp files on the users computer to new directories and then upload the file to the server with no user interation other than clicking go. I have thought of doing this in vb or c# but I have done very little with these languages, and php just rocks. Thanks Scandog php can only do things on its server and send stuff for rendering to the client. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Is this possible with php
(Re-sending as I accidentally sent my original post directly to Al) Al wrote: Mace Eliason wrote: I really don't think this is possible from what I know of php, but I thought I would as the experts. Is it possible to have php create directories and move files on a local machine. I have created a web portal for a client and now they would like it to upload files to an server, no a problem. But they would like it to also move temp files on the users computer to new directories and then upload the file to the server with no user interation other than clicking go. I have thought of doing this in vb or c# but I have done very little with these languages, and php just rocks. php can only do things on its server and send stuff for rendering to the client. It also sounds like a MAJOR security issue to me. I sure don't want a 3rd party web site moving files around on MY system... Regards, Ozz. signature.asc Description: OpenPGP digital signature
[PHP] Re: Is this possible with php
PHP don't do this. The user must select a file to upload and then the PHP can work with this. PHP has no access to local files, think with me, how can PHP discover which machine in internet he has to access to get files. Mace Eliason wrote: Hi, I really don't think this is possible from what I know of php, but I thought I would as the experts. Is it possible to have php create directories and move files on a local machine. I have created a web portal for a client and now they would like it to upload files to an server, no a problem. But they would like it to also move temp files on the users computer to new directories and then upload the file to the server with no user interation other than clicking go. I have thought of doing this in vb or c# but I have done very little with these languages, and php just rocks. Thanks Scandog -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Is this possible with php
PHP can do this, but you'd need it set up on each of the client computers and periodically run to check the temp folder and perform the upload. That's what any other application that can do similar does. Cheers, Rob. On Mon, 2006-03-06 at 15:30, João Cândido de Souza Neto wrote: PHP don't do this. The user must select a file to upload and then the PHP can work with this. PHP has no access to local files, think with me, how can PHP discover which machine in internet he has to access to get files. Mace Eliason wrote: Hi, I really don't think this is possible from what I know of php, but I thought I would as the experts. Is it possible to have php create directories and move files on a local machine. I have created a web portal for a client and now they would like it to upload files to an server, no a problem. But they would like it to also move temp files on the users computer to new directories and then upload the file to the server with no user interation other than clicking go. I have thought of doing this in vb or c# but I have done very little with these languages, and php just rocks. Thanks Scandog -- .. | InterJinn Application Framework - http://www.interjinn.com | :: | An application and templating framework for PHP. Boasting | | a powerful, scalable system for accessing system services | | such as forms, properties, sessions, and caches. InterJinn | | also provides an extremely flexible architecture for | | creating re-usable components quickly and easily. | `' -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Is this possible with php
Ok, but you're telling that the client will be doing upload to server. Not the server doing a dounload from client. I was understood as a wrong way. I'm sorry. Robert Cummings wrote: PHP can do this, but you'd need it set up on each of the client computers and periodically run to check the temp folder and perform the upload. That's what any other application that can do similar does. Cheers, Rob. On Mon, 2006-03-06 at 15:30, João Cândido de Souza Neto wrote: PHP don't do this. The user must select a file to upload and then the PHP can work with this. PHP has no access to local files, think with me, how can PHP discover which machine in internet he has to access to get files. Mace Eliason wrote: Hi, I really don't think this is possible from what I know of php, but I thought I would as the experts. Is it possible to have php create directories and move files on a local machine. I have created a web portal for a client and now they would like it to upload files to an server, no a problem. But they would like it to also move temp files on the users computer to new directories and then upload the file to the server with no user interation other than clicking go. I have thought of doing this in vb or c# but I have done very little with these languages, and php just rocks. Thanks Scandog -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Is this possible with php
Yeah, you can't do the local computer file moving and all that with the same script as your server side component, but if you'd rather not learn C# or another language like that, but you're comfortable with PHP, I'd highly recommend checking out Winbinder (http://www.winbinder.com). Assuming your clients are all windows machines. PHP is very powerful, it's just cumbersome to get a non-tech person to use a typically shell oriented language to do things on the client's machine. Winbinder provides a merging of PHP and Windows' native API. Takes a little getting used to at first, but works great. -TG = = = Original message = = = PHP can do this, but you'd need it set up on each of the client computers and periodically run to check the temp folder and perform the upload. That's what any other application that can do similar does. Cheers, Rob. On Mon, 2006-03-06 at 15:30, Jo~o C~ndido de Souza Neto wrote: PHP don't do this. The user must select a file to upload and then the PHP can work with this. PHP has no access to local files, think with me, how can PHP discover which machine in internet he has to access to get files. Mace Eliason wrote: Hi, I really don't think this is possible from what I know of php, but I thought I would as the experts. Is it possible to have php create directories and move files on a local machine. I have created a web portal for a client and now they would like it to upload files to an server, no a problem. But they would like it to also move temp files on the users computer to new directories and then upload the file to the server with no user interation other than clicking go. I have thought of doing this in vb or c# but I have done very little with these languages, and php just rocks. Thanks Scandog ___ Sent by ePrompter, the premier email notification software. Free download at http://www.ePrompter.com. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: Is it possible to use header() to POST form data?
Hello. pw wrote: Does anyone know if it's possible to use the header() function to POST form data to a URL? If so what syntax needs to be used? I guess you cannot use the header() function in that way. Take a look at the header() documentation http://php.net/header. What do you need to do? Are you working with wrappers? If so, take a look at the 2nd example in the streams documentation http://php.net/stream. Cheers. -- Gustavo Narea. PHP Documentation - Spanish Translation Team. Valencia, Venezuela. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: PHP CLI - possible for mass mailing?
Hello, on 09/27/2005 02:44 AM Denis Gerasimov said the following: I was said that using Perl script is more suitable for such task since PHP scripts have problems with sending large amount of mail. Is that true or not? Any success/failure stories? It is a myth that Perl is better (or worse) than PHP for sending messages to many users. The truth is that usually you do not send messages directly to the users, but rather queue the messages in your MTA and it takes care of the actual delivery, retrying later, bounce handling etc.. I use this popular MIME message class for composing and sending messages to over 120,000 newsletter subscribers on a daily basis. The class provides means to employ some tricks to minimize the queue time and memory usage. It takes about 1 hour to queue individual messages to all the recipients. PHP CGI/CLI version are started from a cron job that calls set_time_limit(0); to let PHP run the script for a long time. The class comes with examples of optimize its use for bulk mailing. http://www.phpclasses.org/mimemessage -- Regards, Manuel Lemos PHP Classes - Free ready to use OOP components written in PHP http://www.phpclasses.org/ PHP Reviews - Reviews of PHP books and other products http://www.phpclasses.org/reviews/ Metastorage - Data object relational mapping layer generator http://www.meta-language.net/metastorage.html -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: Is it possible to get the whole address (including http:// ) ?
Labunski wrote: Hello, I know for example how to get http vars or basename, but this time I need to get the whole address, including http:// . Is it possible? Thanks in advance, Lab. http://php.net/reserved.variables ?php var_dump($_SERVER['REQUEST_URI']); ? -- Teach a man to fish... NEW? | http://www.catb.org/~esr/faqs/smart-questions.html STFA | http://marc.theaimsgroup.com/?l=php-generalw=2 STFM | http://php.net/manual/en/index.php STFW | http://www.google.com/search?q=php LAZY | http://mycroft.mozdev.org/download.html?name=PHPsubmitform=Find+search+plugins signature.asc Description: OpenPGP digital signature
[PHP] Why is it possible to assign data to _not_declared_ vars in a class (PHP 5.0.3)?
Hello All, Why is this working? ?php class foobar { public $a, $b; public function __construct() { $this-a = Hello ; $this-b = world! ; $this-c = Good bye... ; } public function foo() { echo $this-a.br; echo $this-b.br; echo $this-c.br; } } ? CALL: $test = new foobar(); $test-foo(); OUTPUT: Hello world Good bye... If i understand right, all variables should be declared in PHP5. So why is it possible to add a membervariable called c to the object without making a declaration? I got no error with this. I thought E_STRICT should show me things like that. Could someone explain me that? I found this problem by building one dynamic get and set method for all member variables with the help of the interceptor method __call() . In this method i originally has build a try catch block that looks like this: example_code try { $this-non_existent_member = FooBar; } catch (Exception $e) { echo The variable 'non_existent_member' is not declared!; } /example_code I expected that the try block should catch the ERROR run the catch block but this doesn't heppend and and took some time to figure that out. I think it is really bad, that this kind of logical error must be catched in some way or must be at least reported with E_STRICT on. I am only develping with E_STRICT and thought this will give hints to all design faults. Kind regards Johannes Findeisen P.S.: I am going crazy ... This works too: ?php class foobar { public $a, $b; var $bla; public function __construct() { $this-a = Hello ; $this-b = world! ; $this-c = Good bye... ; } public function foo() { echo $this-a.br; echo $this-b.br; echo $this-c.br; } } class failover { public $foobar; public function __construct() { $this-foobar = new foobar(); $this-foobar-d = ...all Aliens! ; } public function bar() { echo $this-foobar-a.br; echo $this-foobar-b.br; echo $this-foobar-c.br; echo $this-foobar-d.br; } } ? CALL: $test = new foobar(); $test-foo(); $test2 = new failover(); $test2-bar(); OUTPUT: Hello world! Good bye... Hello world! Good bye... ...all Aliens! -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: Is it Possible?
Sagar C Nannapaneni wrote: I'm calling a php script with img tag for ex: img src=http://localhost/test.php?img=asfd; and the test.php is as follows... test.php ? some server side validations readfile(abcd.gif); ? --- Theres no problem with this..its working fine. But i want to return some text(or Html) the browser along with the image. So is there anyway that i can send the text to the browser You seem to have a pretty good understanding of what's going on already. What you can do is have one script (main.php) that includes the img tag that links to the PHP generated gif (test.php). Then you can put whatever text / html you want in main.php ?php /** main.php */ echo pI am a super cool piece of text. Now check out this picture!/p\nimg src=\http://localhost/test.php?img=asdf\;; ? in this fashion. Even anyother solution other than the img is also Ok. Showing img is not a priority for me but sending the text is.. Any help will be greatly appreciated.. Thanks, /sagar -- Teach a man to fish... NEW? | http://www.catb.org/~esr/faqs/smart-questions.html STFA | http://marc.theaimsgroup.com/?l=php-generalw=2 STFM | http://www.php.net/manual/en/index.php STFW | http://www.google.com/search?q=php LAZY | http://mycroft.mozdev.org/download.html?name=PHPsubmitform=Find+search+plugins signature.asc Description: OpenPGP digital signature
Re: [PHP] Is this even possible?
Tony Di Croce wrote: Is it even possible to connect to a postgres server (thats running on linux) from a windows CLI php script? I'm seeing a pg_connect() error... FATAL: no pg_hba.conf entry for host 192.168.1.100 Any ideas? The easiest way to get PG up and running on a Windows system is cygwin. Or at least that's my opinion... YMMV -- Teach a man to fish... NEW? | http://www.catb.org/~esr/faqs/smart-questions.html STFA | http://marc.theaimsgroup.com/?l=php-generalw=2 STFM | http://www.php.net/manual/en/index.php STFW | http://www.google.com/search?q=php LAZY | http://mycroft.mozdev.org/download.html?name=PHPsubmitform=Find+search+plugins -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Is this even possible?
On Mon, 24 Jan 2005 10:28:09 -0500, Jason Barnett [EMAIL PROTECTED] wrote: Tony Di Croce wrote: Is it even possible to connect to a postgres server (thats running on linux) from a windows CLI php script? Yup. I'm seeing a pg_connect() error... FATAL: no pg_hba.conf entry for host 192.168.1.100 So edit your pg_hba.conf and add an entry. The easiest way to get PG up and running on a Windows system is cygwin. Or at least that's my opinion... YMMV The 8.0 beta installed for me just fine with no cygwin. -- Greg Donald Zend Certified Engineer http://destiney.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Is this even possible?
-Original Message- From: Tony Di Croce [mailto:[EMAIL PROTECTED] Sent: 22 January 2005 23:21 To: php-general@lists.php.net Subject: [PHP] Is this even possible? Is it even possible to connect to a postgres server (thats running on linux) from a windows CLI php script? I'm seeing a pg_connect() error... FATAL: no pg_hba.conf entry for host 192.168.1.100 Any ideas? You will need to install the client libraries, as you would for any database - you will need to go to the Postgres web-site for details of how to do that. HTH, Mikey -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Is this even possible?
Is it even possible to connect to a postgres server (thats running on linux) from a windows CLI php script? I'm seeing a pg_connect() error... FATAL: no pg_hba.conf entry for host 192.168.1.100 Any ideas? -- td -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Is this even possible?
On Sunday 23 January 2005 07:20, Tony Di Croce wrote: Is it even possible to connect to a postgres server (thats running on linux) from a windows CLI php script? Yes. I'm seeing a pg_connect() error... FATAL: no pg_hba.conf entry for host 192.168.1.100 Exactly. So put the appropriate entry in pg_hba.conf. Any ideas? Hop over to the postgresql site and consult the manual. -- Jason Wong - Gremlins Associates - www.gremlins.biz Open Source Software Systems Integrators * Web Design Hosting * Internet Intranet Applications Development * -- Search the list archives before you post http://marc.theaimsgroup.com/?l=php-general -- New Year Resolution: Ignore top posted posts -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Are server classes possible?
I am thinking like JavaBeans. Here is what I have going on: I have a series of rather database intensive queries that I would like some class to cache and provide access for page loads. I don't care how the information is stored, but I am trying to minimize the database call down to only once an hour at the most. The trick is that I just want the data - like a quazi-db table in memory... Is there something like that I should look at? Somewhere in PEAR? Thank you in advance! -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Are server classes possible?
I have used Turck MMCache in the past to store results in shared memory with an specific TTL. Also you could use Cache_Lite in PEAR. Hope it helps, Adrian Madrid Jed R. Brubaker wrote: I am thinking like JavaBeans. Here is what I have going on: I have a series of rather database intensive queries that I would like some class to cache and provide access for page loads. I don't care how the information is stored, but I am trying to minimize the database call down to only once an hour at the most. The trick is that I just want the data - like a quazi-db table in memory... Is there something like that I should look at? Somewhere in PEAR? Thank you in advance! -- Adrian Madrid HyperX Inc. Mobile: 801.815.1870 Office: 801.566.0670 [EMAIL PROTECTED] www.hyperxmedia.com 9000 S. 45 W. Sandy, UT 84070 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] objects - is that possible at runtime in php4 or php5 ?
I want to create and defined variables of an object in runtime , is that possible ? I can do that with arrays but I want the access it as variable from obbject it self and not like member of an array are defined on object before I load it ! -- Alawi Albaity Jeddah - KSA Mobile : +966506660442 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] objects - is that possible at runtime in php4 or php5 ?
Alawi Albaity wrote: I want to create and defined variables of an object in runtime , is that possible ? I can do that with arrays but I want the access it as variable from obbject it self and not like member of an array are defined on object before I load it ! What about trying it before asking? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] CSRF attack not possible in I.E. 6.01 SP1?
Hello All, I am working on securing an application that uses CDSSO (Cross Domain Single Sign On). I am trying to reproduce the CSRF (Cross Site Request Forgery) attack (using img/ TAG) in I.E. 6.01, but am unable to do so. However the attack works on Mozilla and other older browsers. My question: Is I.E. 6.01 SP1 doing something to foil the CSRF attack, i.e. only allow image extensions .gif .png .jpeg? Regards, Saqib Ali http://validate.sf.net DocBook XML - XHTML / PDF Convertor
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
[snip] I am working on securing an application that uses CDSSO (Cross Domain Single Sign On). I am trying to reproduce the CSRF (Cross Site Request Forgery) attack (using img/ TAG) in I.E. 6.01, but am unable to do so. However the attack works on Mozilla and other older browsers. My question: Is I.E. 6.01 SP1 doing something to foil the CSRF attack, i.e. only allow image extensions .gif .png .jpeg? [/snip] You would have to ask the Microsoft Development Group, who probably does not subscribe to this list. Crossposting is bad. Being OT during a crosspost is even worse. I can hear the falmethrowers warming up in the wings. FYI - This is (or use to be) a PHP list -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Perhaps the question could be asked another way and be more on topic. Is there a fix in I.E. 6.01 that would interfere with PHP being able to generate different mime types on the fly, like .png or .jpg Thanks, Warren Vail -Original Message- From: Jay Blanchard [mailto:[EMAIL PROTECTED] Sent: Monday, August 16, 2004 10:57 AM To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1? [snip] I am working on securing an application that uses CDSSO (Cross Domain Single Sign On). I am trying to reproduce the CSRF (Cross Site Request Forgery) attack (using img/ TAG) in I.E. 6.01, but am unable to do so. However the attack works on Mozilla and other older browsers. My question: Is I.E. 6.01 SP1 doing something to foil the CSRF attack, i.e. only allow image extensions .gif .png .jpeg? [/snip] You would have to ask the Microsoft Development Group, who probably does not subscribe to this list. Crossposting is bad. Being OT during a crosspost is even worse. I can hear the falmethrowers warming up in the wings. FYI - This is (or use to be) a PHP list -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1? WOT
[snip] Perhaps the question could be asked another way and be more on topic. Is there a fix in I.E. 6.01 that would interfere with PHP being able to generate different mime types on the fly, like .png or .jpg [/snip] a. But that wasn't what he asked. 2. Top-posting === bad -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- Jay Blanchard [EMAIL PROTECTED] wrote: You would have to ask the Microsoft Development Group, who probably does not subscribe to this list. Crossposting is bad. Being OT during a crosspost is even worse. I can hear the falmethrowers warming up in the wings. FYI - This is (or use to be) a PHP list I won't defend cross-posting, but I think CSRF is very on-topic. Chris = Chris Shiflett - http://shiflett.org/ PHP Security - O'Reilly Coming Fall 2004 HTTP Developer's Handbook - Sams http://httphandbook.org/ PHP Community Site http://phpcommunity.org/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Jay Blanchard wrote: FYI - This is (or use to be) a PHP list If I have a web server running php, how do I change the oil in my car? -- John C. Nichel ÜberGeek KegWorks.com 716.856.9675 [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- [EMAIL PROTECTED] wrote: My question: Is I.E. 6.01 SP1 doing something to foil the CSRF attack, i.e. only allow image extensions .gif .png .jpeg? This seems highly unlikely. Can you show us the code you're using to test? Chris = Chris Shiflett - http://shiflett.org/ PHP Security - O'Reilly Coming Fall 2004 HTTP Developer's Handbook - Sams http://httphandbook.org/ PHP Community Site http://phpcommunity.org/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1? WOT
--- Jay Blanchard [EMAIL PROTECTED] wrote: [snip] Perhaps the question could be asked another way and be more on topic. Is there a fix in I.E. 6.01 that would interfere with PHP being able to generate different mime types on the fly, like .png or .jpg [/snip] a. But that wasn't what he asked. Actually, that's exactly what he asked, just rephrased. :-) Chris = Chris Shiflett - http://shiflett.org/ PHP Security - O'Reilly Coming Fall 2004 HTTP Developer's Handbook - Sams http://httphandbook.org/ PHP Community Site http://phpcommunity.org/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Thanks Chris, Yup I think my posting is very on-topic. The application that I am working on is written in PHP. And I m sure all PHP developers check their applications for CSRF vulnerability, in various browsers (including I.E. ). As a PHP/Java developer, I would be interested to know what I.E. is doing in their browsers to prevent CSRF attacks. I m not trying to start a browser war here. Regards, Saqib Ali http://validate.sf.net DocBook XML - XHTML / PDF Convertor Chris Shiflett [EMAIL PROTECTED] No Phone Info Available 08/16/2004 11:17 AM Please respond to [EMAIL PROTECTED] To Jay Blanchard [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] cc Subject RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1? --- Jay Blanchard [EMAIL PROTECTED] wrote: You would have to ask the Microsoft Development Group, who probably does not subscribe to this list. Crossposting is bad. Being OT during a crosspost is even worse. I can hear the falmethrowers warming up in the wings. FYI - This is (or use to be) a PHP list I won't defend cross-posting, but I think CSRF is very on-topic. Chris = Chris Shiflett - http://shiflett.org/ PHP Security - O'Reilly Coming Fall 2004 HTTP Developer's Handbook - Sams http://httphandbook.org/ PHP Community Site http://phpcommunity.org/
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
[snip] Yup I think my posting is very on-topic. The application that I am working on is written in PHP. [/snip] Thanks for stating that in your original post.
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Hello Chris, I can't share the exact code ;) , but here is something very similar: img src=http://slashdot.org/my/logout; height=1 width=1 If I load a web page with the above code, it should log me out of slashdot. It works in Mozilla (and netscape), but not in I.E. 6.01 SP1 downloads.seagate.com Chris Shiflett [EMAIL PROTECTED] No Phone Info Available 08/16/2004 11:24 AM Please respond to [EMAIL PROTECTED] To [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] cc Subject Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1? --- [EMAIL PROTECTED] wrote: My question: Is I.E. 6.01 SP1 doing something to foil the CSRF attack, i.e. only allow image extensions .gif .png .jpeg? This seems highly unlikely. Can you show us the code you're using to test? Chris = Chris Shiflett - http://shiflett.org/ PHP Security - O'Reilly Coming Fall 2004 HTTP Developer's Handbook - Sams http://httphandbook.org/ PHP Community Site http://phpcommunity.org/
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- [EMAIL PROTECTED] wrote: And I m sure all PHP developers check their applications for CSRF vulnerability, in various browsers (including I.E. ). I speak about CSRF in many of the talks I give, and I think you'd be surprised by how many people haven't even heard of it. As a PHP/Java developer, I would be interested to know what I.E. is doing in their browsers to prevent CSRF attacks. I m not trying to start a browser war here. Well, to be fair, even if it is true that IE does not request a URL referenced in an img tag unless the file extension matches a known image type, this isn't a complete or even optimal solution to the problem. Also, as Web developers, we can't assume that 100% of users are using this specific browser anyway, and that's the only way that it could eliminate the need to be mindful of CSRF attacks when we're writing our PHP code. Chris = Chris Shiflett - http://shiflett.org/ PHP Security - O'Reilly Coming Fall 2004 HTTP Developer's Handbook - Sams http://httphandbook.org/ PHP Community Site http://phpcommunity.org/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- [EMAIL PROTECTED] wrote: I can't share the exact code ;) , but here is something very similar: img src=http://slashdot.org/my/logout; height=1 width=1 If I load a web page with the above code, it should log me out of slashdot. It works in Mozilla (and netscape), but not in I.E. 6.01 SP1 The best information would be if you can capture the exact HTTP transactions involved. For example, using something like ethereal, capture the request and response for Mozilla, and then do the same for IE 6.01 SP1. Short of that, you could create a URL specifically made for testing this. You can create a PHP file called csrf.php and another called csrf.png. Make .png files be interepreted as PHP (just for the purposes of this test), and then you can log a lot of useful information in your test scripts. Hope that helps. Chris = Chris Shiflett - http://shiflett.org/ PHP Security - O'Reilly Coming Fall 2004 HTTP Developer's Handbook - Sams http://httphandbook.org/ PHP Community Site http://phpcommunity.org/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
-Original Message- Jay Blanchard wrote: FYI - This is (or use to be) a PHP list If I have a web server running php, how do I change the oil in my car? Have you tried the OilChange class from PHPClasses.org? ;) -Ed -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
What if you add a random seed to the URL? img src=http://slashdot.org/my/logout?fluff=?php echo rand(1,200);? height=1 width=1 -Original Message- Hello Chris, I can't share the exact code ;) , but here is something very similar: img src=http://slashdot.org/my/logout; height=1 width=1 If I load a web page with the above code, it should log me out of slashdot. It works in Mozilla (and netscape), but not in I.E. 6.01 SP1 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
-Original Message- The best information would be if you can capture the exact HTTP transactions involved. For example, using something like ethereal, capture the request and response for Mozilla, and then do the same for IE 6.01 SP1. Short of that, you could create a URL specifically made for testing this. You can create a PHP file called csrf.php and another called csrf.png. Make .png files be interepreted as PHP (just for the purposes of this test), and then you can log a lot of useful information in your test scripts. Wouldn't it work to just make the script spit out a mime type header and a small (1x1) image when it's done to satisfy the browser's mime type requirements? -Ed -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- Ed Lazor [EMAIL PROTECTED] wrote: Wouldn't it work to just make the script spit out a mime type header and a small (1x1) image when it's done to satisfy the browser's mime type requirements? Definitely, but most CSRF attacks are meant to spoof a request from the legitimate user to some Web site where he/she already has privilege. Thus, the receiving site is usually as much the victim as the user. I'm not sure if that makes any sense... :-) Chris = Chris Shiflett - http://shiflett.org/ PHP Security - O'Reilly Coming Fall 2004 HTTP Developer's Handbook - Sams http://httphandbook.org/ PHP Community Site http://phpcommunity.org/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
-Original Message- Definitely, but most CSRF attacks are meant to spoof a request from the legitimate user to some Web site where he/she already has privilege. Thus, the receiving site is usually as much the victim as the user. I'm not sure if that makes any sense... :-) It does =) -Ed -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Why is so important if Internet Explorer allows URLS of images where the file name is only .jpg, .png, or .gif? A url can be something like: http://www.site.com/script.php/image.jpg?logout=true Internet Explorer might think that the file is a .jpg and that script.php is a directory but only the target web server knows which is the program. Or a PHP code might be contained in a image.jpg file. Teddy Teddy - Original Message - From: Chris Shiflett [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: Jay Blanchard [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Monday, August 16, 2004 9:52 PM Subject: RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1? --- [EMAIL PROTECTED] wrote: And I m sure all PHP developers check their applications for CSRF vulnerability, in various browsers (including I.E. ). I speak about CSRF in many of the talks I give, and I think you'd be surprised by how many people haven't even heard of it. As a PHP/Java developer, I would be interested to know what I.E. is doing in their browsers to prevent CSRF attacks. I m not trying to start a browser war here. Well, to be fair, even if it is true that IE does not request a URL referenced in an img tag unless the file extension matches a known image type, this isn't a complete or even optimal solution to the problem. Also, -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Hello, I m not saying the I.E. completely fixed the CSRF attacks, by only allowing .jpg .gif .png files. But it might be one possible way to minimize CSRF attack, just like using POST vs GET can help minimize the chances of that attack. BTW, using POST instead of GET does NOT guarantee that an CSRF attack will not work, either. Thanks. Saqib Ali http://validate.sf.net XHTML/DocBook XML Validator and Transformer Octavian Rasnita [EMAIL PROTECTED] No Phone Info Available 08/16/2004 12:57 PM To [EMAIL PROTECTED], [EMAIL PROTECTED] cc Jay Blanchard [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] Subject Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1? Why is so important if Internet Explorer allows URLS of images where the file name is only .jpg, .png, or .gif? A url can be something like: http://www.site.com/script.php/image.jpg?logout=true Internet Explorer might think that the file is a .jpg and that script.php is a directory but only the target web server knows which is the program. Or a PHP code might be contained in a image.jpg file. Teddy Teddy - Original Message - From: Chris Shiflett [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: Jay Blanchard [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Monday, August 16, 2004 9:52 PM Subject: RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1? --- [EMAIL PROTECTED] wrote: And I m sure all PHP developers check their applications for CSRF vulnerability, in various browsers (including I.E. ). I speak about CSRF in many of the talks I give, and I think you'd be surprised by how many people haven't even heard of it. As a PHP/Java developer, I would be interested to know what I.E. is doing in their browsers to prevent CSRF attacks. I m not trying to start a browser war here. Well, to be fair, even if it is true that IE does not request a URL referenced in an img tag unless the file extension matches a known image type, this isn't a complete or even optimal solution to the problem. Also, -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Hello Chris, Upon your suggestion, I used a sniffer to sniff traffic for the web app that I am working on. To my surprise, the data captured during the sniff for both browsers was exactly the same. Which mean my theory of limiting the img/ TAG to .gif .jpeg .png is NOT true. So now I am completely clueless as to why this particular attacks works in Mozilla but not in IE. Any ideas? Thanks. Saqib Ali http://validate.sf.net XHTML/DocBook XML Validator and Transformer Chris Shiflett [EMAIL PROTECTED] No Phone Info Available 08/16/2004 11:55 AM Please respond to [EMAIL PROTECTED] To [EMAIL PROTECTED], [EMAIL PROTECTED] cc [EMAIL PROTECTED], [EMAIL PROTECTED] Subject Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1? --- [EMAIL PROTECTED] wrote: I can't share the exact code ;) , but here is something very similar: img src=http://slashdot.org/my/logout; height=1 width=1 If I load a web page with the above code, it should log me out of slashdot. It works in Mozilla (and netscape), but not in I.E. 6.01 SP1 The best information would be if you can capture the exact HTTP transactions involved. For example, using something like ethereal, capture the request and response for Mozilla, and then do the same for IE 6.01 SP1. Short of that, you could create a URL specifically made for testing this. You can create a PHP file called csrf.php and another called csrf.png. Make .png files be interepreted as PHP (just for the purposes of this test), and then you can log a lot of useful information in your test scripts. Hope that helps. Chris = Chris Shiflett - http://shiflett.org/ PHP Security - O'Reilly Coming Fall 2004 HTTP Developer's Handbook - Sams http://httphandbook.org/ PHP Community Site http://phpcommunity.org/
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- Octavian Rasnita [EMAIL PROTECTED] wrote: Why is so important if Internet Explorer allows URLS of images where the file name is only .jpg, .png, or .gif? A url can be something like: http://www.site.com/script.php/image.jpg?logout=true This is definitely true, but as I mentionde in a previous reply, the point of most CSRF attacks is to spoof a request from a trusted user to another Web site. Thus, both the user and the other Web site are the victims. Most Web sites don't have pages that use the .png extension. The attacker isn't the receiving site; he/she is the person launching the attack that causes the spoofed request. For more information, since I fear my brief description is inadequate, you can see these resources: http://shiflett.org/articles/foiling-cross-site-attacks http://shiflett.org/talks/oscon2004/foiling-cross-site-attacks http://shiflett.org/php-security.pdf Hope that helps. Chris = Chris Shiflett - http://shiflett.org/ PHP Security - O'Reilly Coming Fall 2004 HTTP Developer's Handbook - Sams http://httphandbook.org/ PHP Community Site http://phpcommunity.org/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- [EMAIL PROTECTED] wrote: Upon your suggestion, I used a sniffer to sniff traffic for the web app that I am working on. To my surprise, the data captured during the sniff for both browsers was exactly the same. Can you elaborate or post the exact requests sent from each browser? I'm assuming the User-Agent header was different, at the very least, so I question what exactly means in this case. :-) Chris = Chris Shiflett - http://shiflett.org/ PHP Security - O'Reilly Coming Fall 2004 HTTP Developer's Handbook - Sams http://httphandbook.org/ PHP Community Site http://phpcommunity.org/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Hello Curt, Yes, the /. system depends on cookies to keep the user logged in. However a CSRF attack is NOT trying to access a third party cookie. The web browser make the same GET request whether it is using img/ TAG or the user clicking on a link. So in either case the cookies are in the context of the website to which the cookies belong. Maybe Chris can correct me, if I am wrong here. Thanks. Saqib Ali http://validate.sf.net XHTML/DocBook XML Validator and Transformer Curt Zirzow [EMAIL PROTECTED] No Phone Info Available 08/16/2004 02:40 PM To [EMAIL PROTECTED] cc Subject Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1? * Thus wrote [EMAIL PROTECTED]: Hello Chris, I can't share the exact code ;) , but here is something very similar: img src=http://slashdot.org/my/logout; height=1 width=1 If I load a web page with the above code, it should log me out of slashdot. It works in Mozilla (and netscape), but not in I.E. 6.01 SP1 I'm not sure how the /. logout system works, but my guess is that they rely on cookies to do this. Since that is a different site than from the originating file, those cookies would be considered third party. I know in IE you can disable third party cookie access. Curt -- First, let me assure you that this is not one of those shady pyramid schemes you've been hearing about. No, sir. Our model is the trapezoid! -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
* Thus wrote [EMAIL PROTECTED]: Hello Chris, I can't share the exact code ;) , but here is something very similar: img src=http://slashdot.org/my/logout; height=1 width=1 If I load a web page with the above code, it should log me out of slashdot. It works in Mozilla (and netscape), but not in I.E. 6.01 SP1 I'm not sure how the /. logout system works, but my guess is that they rely on cookies to do this. Since that is a different site than from the originating file, those cookies would be considered third party. I know in IE you can disable third party cookie access. Curt -- First, let me assure you that this is not one of those shady pyramid schemes you've been hearing about. No, sir. Our model is the trapezoid! -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
-Original Message- So now I am completely clueless as to why this particular attacks works in Mozilla but not in IE. Could you describe the problem again and give full detail? I think we need to better model the problem in order to present a more effective solution. The link below goes to a page I found that describes CSRF a little differently than what Chris was presenting - to give a different perspective on things. http://www.squarefree.com/securitytips/web-developers.html -Ed -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Hello Ed, To give some details: I am unable to re-produce a CSRF attack when the victim is using a I.E. 6.01 SP1 (all patches applied). However the attack works in Mozilla and other older browsers. I can't give you the exact code for attack (for security reasons), but it is similar to the following: If you insert the following HTML code in any web page residing at any domain, it will cause you to be logged out of /. if you previously logged in the /. system: img src=http://slashdot.org/my/logout; height=1 width=1 This type of attack makes use of CSRF. Try to insert the above HTML line a web page of your choice, and then load the web page. If you are using Mozilla, it will log you off from /. However in the latest build of I.E. it doesn't work, whereas it should work. Thanks. Saqib Ali http://validate.sf.net XHTML/DocBook XML Validator and Transformer Ed Lazor [EMAIL PROTECTED] No Phone Info Available 08/16/2004 02:26 PM To [EMAIL PROTECTED] cc Subject RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1? -Original Message- So now I am completely clueless as to why this particular attacks works in Mozilla but not in IE. Could you describe the problem again and give full detail? I think we need to better model the problem in order to present a more effective solution. The link below goes to a page I found that describes CSRF a little differently than what Chris was presenting - to give a different perspective on things. http://www.squarefree.com/securitytips/web-developers.html -Ed -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- [EMAIL PROTECTED] wrote: Hello Curt, Yes, the /. system depends on cookies to keep the user logged in. However a CSRF attack is NOT trying to access a third party cookie. The web browser make the same GET request whether it is using img/ TAG or the user clicking on a link. So in either case the cookies are in the context of the website to which the cookies belong. Maybe Chris can correct me, if I am wrong here. Well, you're not really wrong, but I think I can clarify what Curt was trying to say, and then he can correct me if I'm wrong. :-) When a browser makes a request for an embedded resource (an image is just one example), it is identical to the request it would make if the user were to browse to that same URL manually. I think we're all in agreement here. Thus, the same cookies would be included in this request. What Curt is suggesting, I believe, is that your version of IE might behave differently, by default. It might not include cookies in requests for embedded resources when those resources are located at a different domain (thus his mention of third-party cookies). For example, if you're at http://example.org/, and it has an image from http://slashdot.org/, the browser won't include it's slashdot.org cookies when making the request to Slashdot. This is an option for most browsers, but it has never been the default behavior for any, to my knowledge. Maybe that helps clarify something... :-) Chris = Chris Shiflett - http://shiflett.org/ PHP Security - O'Reilly Coming Fall 2004 HTTP Developer's Handbook - Sams http://httphandbook.org/ PHP Community Site http://phpcommunity.org/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- Curt Zirzow [EMAIL PROTECTED] wrote: I'm not sure how the /. logout system works, but my guess is that they rely on cookies to do this. Since that is a different site than from the originating file, those cookies would be considered third party. I know in IE you can disable third party cookie access. Good call, Curt. :-) You can disable this in other Web clients as well, but I don't think it's the default behavior for anything. Perhaps this particular version of IE does not send cookies in requests for embedded resources? This does seem like a plus. Chris = Chris Shiflett - http://shiflett.org/ PHP Security - O'Reilly Coming Fall 2004 HTTP Developer's Handbook - Sams http://httphandbook.org/ PHP Community Site http://phpcommunity.org/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- Ed Lazor [EMAIL PROTECTED] wrote: The link below goes to a page I found that describes CSRF a little differently than what Chris was presenting - to give a different perspective on things. http://www.squarefree.com/securitytips/web-developers.html It doesn't seem to be different, actually. It just fails to elaborate much at all. For a non-Chris description of CSRF, you can always have a look at the original description: http://www.tux.org/~peterw/csrf.txt This is at least a little more complete. I think CSRF is a bit difficult for someone to grasp at first, especially within a few sentences. :-) Chris = Chris Shiflett - http://shiflett.org/ PHP Security - O'Reilly Coming Fall 2004 HTTP Developer's Handbook - Sams http://httphandbook.org/ PHP Community Site http://phpcommunity.org/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- [EMAIL PROTECTED] wrote: To give some details: I am unable to re-produce a CSRF attack when the victim is using a I.E. 6.01 SP1 (all patches applied). However the attack works in Mozilla and other older browsers. I can't give you the exact code for attack (for security reasons), but it is similar to the following: If you insert the following HTML code in any web page residing at any domain, it will cause you to be logged out of /. if you previously logged in the /. system: img src=http://slashdot.org/my/logout; height=1 width=1 This type of attack makes use of CSRF. Try to insert the above HTML line a web page of your choice, and then load the web page. If you are using Mozilla, it will log you off from /. However in the latest build of I.E. it doesn't work, whereas it should work. Very nice description of what you've been observing. I still find it impossible to believe that the HTTP requests for http://slashdot.org/my/logout sent from Mozilla and IE are identical. :-) Can you show us the exact requests that you logged? Chris = Chris Shiflett - http://shiflett.org/ PHP Security - O'Reilly Coming Fall 2004 HTTP Developer's Handbook - Sams http://httphandbook.org/ PHP Community Site http://phpcommunity.org/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
I was able to confirm / reproduce what you're experiencing. I was also able to confirm that toggling IE 6's acceptance of 3rd party cookies changes the behavior. Create an HTML on your local machine with the following line: img src=http://www.atfantasy.com/test/image_status.php; It'll load an image that says the cookie is not set. Next, open a new browser and go to http://www.atfantasy.com/test/index.php It'll set the cookie. Now go back and reload the first browser. It says the cookie is still not set. Go into IE's Privacy options and set IE to accept 3rd party cookies. Do another refresh in the first browser and the image will display saying the cookie is set. The test index also has other options for setting the cookie, unsetting the cookie, and displaying the image directly (not through your local page). I think all of this confirms what Curt was saying. If IE has access to third party cookies disabled, the local page may refer to a script elsewhere, but it won't pass cookies back and forth. Squarefree.com's article (http://www.squarefree.com/securitytips/web-developers.html) recommends a few solutions. -Ed -Original Message- I am unable to re-produce a CSRF attack when the victim is using a I.E. 6.01 SP1 (all patches applied). However the attack works in Mozilla and other older browsers. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
-Original Message- However a CSRF attack is NOT trying to access a third party cookie. The web browser make the same GET request whether it is using img/ TAG or the user clicking on a link. So in either case the cookies are in the context of the website to which the cookies belong. I think Curt was correct actually. Hopefully the test I sent earlier can confirm or at least cross-reference this. -Ed -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Thanks Curt, Chris and Ed, It is indeed the disabling of third-party cookies that is causing this behaviour in I.E. :) So thanks all the help :) Thanks. Saqib Ali http://validate.sf.net XHTML/DocBook XML Validator and Transformer Ed Lazor [EMAIL PROTECTED] No Phone Info Available 08/16/2004 04:57 PM To [EMAIL PROTECTED], [EMAIL PROTECTED] cc [EMAIL PROTECTED] Subject RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1? -Original Message- However a CSRF attack is NOT trying to access a third party cookie. The web browser make the same GET request whether it is using img/ TAG or the user clicking on a link. So in either case the cookies are in the context of the website to which the cookies belong. I think Curt was correct actually. Hopefully the test I sent earlier can confirm or at least cross-reference this. -Ed -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Self Testing PHP Code... Is it possible or practical??
Hello all. I have been reading much lately about the wonders of writing self testing code for java, perl and others. Is this a feasible task to accomplish in PHP? I have googled every search I can think of and there just does not appear to be any information regarding self testing php out there. Thanks for any pointers, ideas, advice or help you may have. -Adam R. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Self Testing PHP Code... Is it possible or practical??
Hello all. I have been reading much lately about the wonders of writing self testing code for java, perl and others. Is this a feasible task to accomplish in PHP? I have googled every search I can think of and there just does not appear to be any information regarding self testing php out there. Thanks for any pointers, ideas, advice or help you may have. You can use assert() for simple debugging. http://php.net/assert There's also PHPUnit2 for bigger stuff. http://pear.php.net/package/PHPUnit2 -- Greg Donald http://destiney.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] page design and possible conflict??
hi.. this might be sort of ot and out of the range of the list but i had a site design question: is it an absolute no no to put inset borders 3px wide around EVERY table on the section of the site?? im trying to make an attempt at making the site have some sort of layout standards and that happen to be one of the new changes (my part) the site owner liked.. i didnt think there was any huge rule for that as long as everybody could still use the page... possible conflict: the main person doing the site doesnt like it when there are borders around any table at all and i was already told by him not to do that or my stuff wont get added?? even though i was paid before i finished the work *stress* dont know what to do... -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] page design and possible conflict??
dont know what his deal is but ok will close this idea now i guess.. - Original Message - From: Miles Thompson [EMAIL PROTECTED] To: Andy B [EMAIL PROTECTED] Sent: Thursday, April 08, 2004 7:41 AM Subject: Re: [PHP] page design and possible conflict?? You're right, ot out of range. Seems to be an issue of taste and control. Could this be because the person in charge is confusing CSS borders with padding? MT At 07:19 AM 4/8/2004 -0400, you wrote: hi.. this might be sort of ot and out of the range of the list but i had a site design question: is it an absolute no no to put inset borders 3px wide around EVERY table on the section of the site?? im trying to make an attempt at making the site have some sort of layout standards and that happen to be one of the new changes (my part) the site owner liked.. i didnt think there was any huge rule for that as long as everybody could still use the page... possible conflict: the main person doing the site doesnt like it when there are borders around any table at all and i was already told by him not to do that or my stuff wont get added?? even though i was paid before i finished the work *stress* dont know what to do... -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] page design and possible conflict??
ok Am Donnerstag, 8. April 2004 14:45 schrieb Andy B: dont know what his deal is but ok will close this idea now i guess.. - Original Message - From: Miles Thompson [EMAIL PROTECTED] To: Andy B [EMAIL PROTECTED] Sent: Thursday, April 08, 2004 7:41 AM Subject: Re: [PHP] page design and possible conflict?? You're right, ot out of range. Seems to be an issue of taste and control. Could this be because the person in charge is confusing CSS borders with padding? MT At 07:19 AM 4/8/2004 -0400, you wrote: hi.. this might be sort of ot and out of the range of the list but i had a site design question: is it an absolute no no to put inset borders 3px wide around EVERY table on the section of the site?? im trying to make an attempt at making the site have some sort of layout standards and that happen to be one of the new changes (my part) the site owner liked.. i didnt think there was any huge rule for that as long as everybody could still use the page... possible conflict: the main person doing the site doesnt like it when there are borders around any table at all and i was already told by him not to do that or my stuff wont get added?? even though i was paid before i finished the work *stress* dont know what to do... -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] page design and possible conflict??
Rather than doing something soley to comply with a standard you must sell your client on the idea or not do it, they are the ones that ultimately must live with the decision and be happy with it. As a programmer it is your job to make sure they have all the information and the pro's and cons of each solution, after that point let your client hash it out, providing additional information as needed. If you really like the way it looks provide a mockup of the front page with the changes you are suggesting and one without the changes and explain the benefits of your changes. At the end of the day after all information has been considered and a decision has been made you are there to do what the client wants you to do, not what you think or believe is best. Who do you report to, the main site guy or the site owner? If you report to the site owner your responsibility is to him, likewise if you report to the person doing the site it is to him. A lot of times the maintenance person feels like they should have got the programming job and are very resesntful and hard to work with, if possible you should try to build a good working relationship with him and stroke his ego a bit as the owner probably selected him for some reason and he might have a say about future jobs and at the least know other people in the business and positive advertising is always good. Jason -Original Message- From: Andy B [mailto:[EMAIL PROTECTED] Sent: Thursday, April 08, 2004 5:20 AM To: [EMAIL PROTECTED] Subject: [PHP] page design and possible conflict?? hi.. this might be sort of ot and out of the range of the list but i had a site design question: is it an absolute no no to put inset borders 3px wide around EVERY table on the section of the site?? im trying to make an attempt at making the site have some sort of layout standards and that happen to be one of the new changes (my part) the site owner liked.. i didnt think there was any huge rule for that as long as everybody could still use the page... possible conflict: the main person doing the site doesnt like it when there are borders around any table at all and i was already told by him not to do that or my stuff wont get added?? even though i was paid before i finished the work *stress* dont know what to do... -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] mkdir and rmdir possible but not readdir and opendir???
The work-around is to create the directory outside of your web application from your regular account. Or if you are allowed to run cgi scripts and these are set up via cgiwrapper or suExec to run as your own user id, use this to create the directory. Once created with the right owner, you can manipulate it from your regular Apache-embedded PHP scripts. Thank you! I'm definitely filing this solution for later use. Meanwhile, I went back to trying the FTP_MKDIR method and found why that didnt work. I realized when accessing the website via ftp that the system path was different than the one displayed online. IE: my script path was shown as /home/virtual/site... while in my ftp client I was seeing /var/www/html... Changing my path references to the later one fixed everything...so far! Thanks for the help :) -s -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] mkdir and rmdir possible but not readdir and opendir???
Hi, I'm having trouble understanding why I can create and delete directories with my script via mkdir and rmdir, but not simply being able to read them with opendir or readdir? For example, when I attempt to access these directories with opendir, I get this error message: Warning: opendir(): SAFE MODE Restriction in effect. The script whose uid is 789 is not allowed to access... Safe Mode is on as I am hosted on a shared server and cannot change this. Surely there's a work-around for this? Any helpfull input would appreciated Thanks, -s -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] mkdir and rmdir possible but not readdir and opendir???
Hi, I'm having trouble understanding why I can create and delete directories with my script via mkdir and rmdir, but not simply being able to read them with opendir or readdir? For example, when I attempt to access these directories with opendir, I get this error message: Warning: opendir(): SAFE MODE Restriction in effect. The script whose uid is 789 is not allowed to access... Safe Mode is on as I am hosted on a shared server and cannot change this. Surely there's a work-around for this? Any helpfull input would appreciated Thanks, -s -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php