Re: [PHP] Re: Anyone good with multiple SSL on Apache?
Jochen Schultz wrote:
> AFAIK Apache 2 doesn't support virtual hosts for SSL.

I think it does now - there was even a c't article on the topic not long ago. I'll see if I can find it.

/Per

--
Per Jessen, Zürich (-4.0°C)

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Anyone good with multiple SSL on Apache?
Per Jessen wrote:
> Jochen Schultz wrote:
>> AFAIK Apache 2 doesn't support virtual hosts for SSL.
>
> I think it does now - there was even a c't article on the topic not long ago. I'll see if I can find it.

http://www.heise.de/kiosk/archiv/ct/2009/23/174_kiosk (download for a fee)

--
Per Jessen, Zürich (-3.9°C)
Re: [PHP] Re: Anyone good with multiple SSL on Apache?
Thanks Per,

well here is a short translation of this article:
http://www.tech-nerds.de/blog/2009/02/apache2-mit-mehreren-ssl-virtualhosts/

If you haven't installed apache2-threaded-dev:

You need the current version of gnutls (download from gnu.org). Download, unpack, compile and install as usual. Then call ldconfig.

And then install apache2-threaded-dev:

    ./configure --with.apxs2=/usr/bin/apxs2
    make install

(Which copies the apache module (hopefully) to this path: /usr/lib/apache2/modules)

Then create /etc/apache2/mods-enabled/gnutls.load with the following entry:

    LoadModule gnutls_module /usr/lib/apache2/modules/mod_gnutls.so

And you have to create /etc/apache2/mods-enabled/gnutls.conf containing the following:

    <IfModule gnutls_module>
        GnuTLSCache dbm /var/cache/mod_gnutls_cache
        GnuTLSCacheTimeout 300
    </IfModule>

Well, and then every vhost that has to use SSL needs an entry like this:

    <VirtualHost 192.168.1.250:443>
        ServerName www.example.de
        GnuTLSEnable on
        GnuTLSPriorities NORMAL
        GnuTLSCertificateFile /etc/certs/example_server.pem
        GnuTLSKeyFile /etc/certs/example_key.pem
        DocumentRoot /var/www/example.de
        ...
    </VirtualHost>

regards
Jochen Schultz

P.S. I think I will have to give it a try right now.

Per Jessen wrote:
> Jochen Schultz wrote:
>> AFAIK Apache 2 doesn't support virtual hosts for SSL.
>
> I think it does now - there was even a c't article on the topic not long ago. I'll see if I can find it.
>
> /Per

--
Sport Import GmbH - Amtsgericht Oldenburg - Tel: +49-4405-9280-63
Industriestrasse 39 - HRB 1202900-
26188 Edewecht - GF: Michael Müllmann
Re: [PHP] Re: Anyone good with multiple SSL on Apache?
AFAIK Apache 2 doesn't support virtual hosts for SSL.

But you may use one cert per socket, e.g. it is possible to set one cert up on port 447 and one on 8080.

https://example1.com
https://example2.com:8080

regards
Jochen Schultz

Manuel Lemos wrote:
> Hello,
>
> on 03/08/2010 07:13 PM Skip Evans said the following:
>> Hey all,
>>
>> I have an Apache virtual config running a bunch of sites, one with SSL. I finally have a need to add SSL to one more, but when I do the first one (which is further down the file) comes up untrusted.
>>
>> Since this is pretty far off topic I'd be obliged if someone who has configured this before can email me off list for some assistance.
>
> AFAIK, you need to have a different certificate per domain, although there are certificates that can be used for all domains.

--
Sport Import GmbH - Amtsgericht Oldenburg - Tel: +49-4405-9280-63
Industriestrasse 39 - HRB 1202900-
26188 Edewecht - GF: Michael Müllmann
Re: [PHP] Re: Anyone know of a project like Redmine written in PHP?
Mantis is a pain in the a*** (for non technical persons). We (we as in 'the IT department') are using mantis, but all other persons in the firm fail to do so. Not very useful. Most persons don't even get how the filters work.

byebye

2009/3/17 Micah Gersten <news.php@micahscomputing.com>:
> mike wrote:
>> http://www.redmine.org/
>>
>> Looks pretty useful; I want one in PHP though. Anyone?
>
> Mantis Bug Tracker has some of the features you are looking for:
> http://www.mantisbt.org/
>
> --
> Micah
Re: [PHP] Re: Anyone know of a project like Redmine written in PHP?
On Wed, Mar 18, 2009 at 8:30 AM, Jan G.B. <ro0ot.w...@googlemail.com> wrote:
> Mantis is a pain in the a*** (for non technical persons).

+1

had some annoying bugs, too. it's only really a bug tracker last i checked anyhow. trac or redmine is more what would be beneficial.
Re: [PHP] Re: Anyone know of a project like Redmine written in PHP?
mike wrote:
> On Wed, Mar 18, 2009 at 8:30 AM, Jan G.B. <ro0ot.w...@googlemail.com> wrote:
>> Mantis is a pain in the a*** (for non technical persons).
>
> +1
>
> had some annoying bugs, too. it's only really a bug tracker last i checked anyhow. trac or redmine is more what would be beneficial.

OP asked for PHP. Trac is python and Redmine is Ruby. They've added twitter support, VCS support, and wiki support lately and are working on the major 1.2 upgrade now.

--
Micah
Re: [PHP] Re: Anyone know of a project like Redmine written in PHP?
On Wed, Mar 18, 2009 at 1:22 PM, Micah Gersten <news.php@micahscomputing.com> wrote:
> OP asked for PHP. Trac is python and Redmine is Ruby. They've added twitter support, VCS support, and wiki support lately and are working on the major 1.2 upgrade now.

i am the OP :) i know. i was just adding trac as another example.
Re: [PHP] Re: Anyone know of a project like Redmine written in PHP?
mike wrote:
> On Wed, Mar 18, 2009 at 1:22 PM, Micah Gersten <news.php@micahscomputing.com> wrote:
>> OP asked for PHP. Trac is python and Redmine is Ruby. They've added twitter support, VCS support, and wiki support lately and are working on the major 1.2 upgrade now.
>
> i am the OP :) i know. i was just adding trac as another example.

Sorry, didn't notice it was you, but you did ask for PHP and Trac isn't.

--
Micah
Re: [PHP] Re: Anyone knows when PHP5 is released?
Congratulations and good luck to the PHP 5.0.0 team!!

Alberto Brea

-----Original Message-----
From: John W. Holmes [EMAIL PROTECTED]
To: Ben Ramsey [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Date: Tue, 13 Jul 2004 18:44:06 -0400
Subject: Re: [PHP] Re: Anyone knows when PHP5 is released?

Ben Ramsey wrote:
> Aidan Lister wrote:
>> When it's ready
>
> Hopefully we'll see the stable release in the next 24 hours. There was a post to the internals@ list yesterday. Andi announced a test roll of 5.0.0 saying that he would release PHP 5 within the next 24 hours if all goes well. Keep your fingers crossed.
>
> Refer to: http://www.phpdeveloper.org/index/2279

www.php.net says PHP 5.0.0 is released now. I'm sure there'll be an announcement soon...

--
---John Holmes...

Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals www.phparch.com
Re: [PHP] Re: Anyone knows when PHP5 is released?
Ben Ramsey wrote:
> Aidan Lister wrote:
>> When it's ready
>
> Hopefully we'll see the stable release in the next 24 hours. There was a post to the internals@ list yesterday. Andi announced a test roll of 5.0.0 saying that he would release PHP 5 within the next 24 hours if all goes well. Keep your fingers crossed.
>
> Refer to: http://www.phpdeveloper.org/index/2279

www.php.net says PHP 5.0.0 is released now. I'm sure there'll be an announcement soon...

--
---John Holmes...

Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals www.phparch.com
Re: [PHP] Re: Anyone?
Yes, PHP is a secure programming language.

On Thu, 2002-06-06 at 13:18, Jas wrote:
> I cannot believe that no one with a lot of PHP and MySQL experience has not replied to this post yet. Is PHP not a secure scripting language? I would really like a little insight into this question, anyone?
>
> Jas [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
>> I posted this yesterday and did not get any response at all? Just wondering if someone can give me some insight into some security measures for a content management application...
>>
>> Posted 06/05/2002
>>
>> Ok, I am not a security expert so I would like to know if my security measures I have implemented are adequate enough to keep people out. Any pointers on this would be very helpful as I am trying to implement a secure way for people to update a website through the use of a content management application. Example of code is as follows
>>
>> // Login form - index.php
>> <form name="authenticate" method="post" action="auth_done.php">
>> <input type="text" name="user" size="20" maxlength="20"><br>
>> <input type="password" name="pw" size="20" maxlength="20"><br>
>> Select an image to identify yourself as an administrator.<br>
>> <select name="image">
>> <option value="image01.jpg">image01</option>
>> <option value="image02.jpg">image02</option>
>> <option value="image03.jpg">image03</option>
>> <option value="image04.jpg">image04</option>
>> <option value="image05.jpg">image05</option>
>> </select><br><br>
>> <input type="submit" name="Login" value="Login">
>> <input type="reset" name="Reset" value="Reset">
>> </form>
>>
>> // Authentication checker - auth_done.php
>> #check fields for valid entries in form
>> if ((!$u_name) || (!$p_word) || (!$image)){
>>   header("Location: index.php");
>>   exit;
>> }
>> #connects to database
>> require '/path/to/database/connection/script/dbcon.php';
>> #selects database table containing users that are allowed to use application
>> $db_table = 'users';
>> $sql = "SELECT * from $db_table WHERE un = \"$user\" AND pw = password(\"$pw\")";
>> $result = @mysql_query($sql,$dbh) or die("Couldn't execute query");
>> #loops through all records to find a match
>> $num = mysql_numrows($result);
>> if ($num !=0) {
>>   #creates variables for sessions
>>   $p_hash = $p_word;
>>   $to_hash = $image;
>>   #creates md5 hash of image user selected
>>   $pstring = md5($to_hash);
>>   #creates md5 hash of password user entered
>>   $image_sel = md5(uniqid(microtime($p_word),1));
>>   #starts session for user
>>   session_start();
>>   #registers variables created (md5 of password, username, image) in session
>>   session_register('user');
>>   session_register('$pstring');
>>   session_register('$image_sel');
>>   #captures users ip address (logging stuff, not listed in this code for security reasons)
>>   $ipaddy = $REMOTE_ADDR;
>>   #echoes success message to authenticated user
>>   $msg_success = "<b>You have been authorized to make changes to the website! Your IP address has been recorded and sent to the administrator: $ipaddy</b>";
>> } else {
>>   #this prints if user name and password combination is not found in database
>>   print "<p>You are not authorized to use this application!</p>";
>>   exit;
>> }
>>
>> Now on each page in the content management app I have these lines of code:
>>
>> #Start the session#
>> session_start();
>> #check session variables#
>> if (isset($HTTP_SESSION_VARS['user']) || isset($HTTP_SESSION_VARS['$image_sel']) || isset($HTTP_SESSION_VARS['$pstring'])) {
>>   $main = "Some kinda message for page in question";
>>   #connects to database#
>>   require '/path/to/database/connection/script/dbcon.php';
>> #if session variables not registered kick the user back to login form#
>> } else {
>>   header ("Location: index.php");
>> }
>>
>> Now just so you know I have changed all the variables to something other than what I am currently using, however I have made sure that this is a working example so everything should work as is. Also I have tested this a few different ways, including: creating a page that tries to include one of the pages I have my security checks on from another website, linking directly to a script within the application etc.
>>
>> In any event, I also have logging setup on each and every script which I have not included here (different topic), just in case someone does get in I can at least try to find them. Any help, pointers, tutorials, examples, etc. would be appreciated!!!
>>
>> TIA
>> Jas
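Added example (not part of any message in this thread, and not the poster's code): one way to write the login check and the per-page guard from the code quoted above, using a bound query parameter instead of interpolating $user and $pw into the SQL string, password_hash()/password_verify() instead of MySQL's password(), a regenerated session ID after login, and a guard that requires every session marker rather than any one of them. The pw_hash column, the helper function names and the in-memory SQLite sample data are assumptions made for the example; it needs PHP 7.3 or later with pdo_sqlite.

```php
<?php
// Added example, not code from the thread. Assumed names: a `users` table with
// columns `un` and `pw_hash`, and the helper functions defined below.
declare(strict_types=1);

// Constructed sample data: in-memory SQLite (pdo_sqlite) stands in for MySQL.
function make_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (un TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO users (un, pw_hash) VALUES (?, ?)');
    // Store a salted, slow hash instead of relying on MySQL's password().
    $ins->execute(['editor', password_hash('correct horse battery', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns true only when the user exists and the password matches its hash.
function check_login(PDO $db, string $user, string $pw): bool
{
    // Bound parameter: the submitted name never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE un = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    if (!is_string($hash)) {
        return false; // no such user
    }
    return password_verify($pw, $hash);
}

// Call once after check_login() succeeds (web SAPI, before any output).
function start_authenticated_session(string $user): void
{
    // Cookie is sent over HTTPS only and is not readable from page scripts.
    session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    session_start();
    session_regenerate_id(true); // fresh session ID for the authenticated user
    $_SESSION['user'] = $user;
    $_SESSION['logged_in_at'] = time();
}

// Pure check, so it can be exercised without a web server.
function session_is_authenticated(array $session, int $maxAge = 1800): bool
{
    // Every marker must be present (AND, not OR) and the login must be recent.
    return isset($session['user'], $session['logged_in_at'])
        && is_string($session['user'])
        && (time() - (int) $session['logged_in_at']) <= $maxAge;
}

// Put this at the top of every protected page.
function require_login(): void
{
    session_start();
    if (!session_is_authenticated($_SESSION)) {
        header('Location: index.php');
        exit; // stop here so the rest of the page never runs
    }
}

// Command-line demonstration of the two pure checks.
if (PHP_SAPI === 'cli') {
    $db = make_demo_db();
    $cases = [
        ['editor', 'correct horse battery'], // valid pair
        ['editor', 'wrong password'],        // wrong password
        ["o'brien", 'anything'],             // quote in the name is handled as data
    ];
    foreach ($cases as [$u, $p]) {
        printf("%-10s %s\n", $u, check_login($db, $u, $p) ? 'accepted' : 'rejected');
    }
    // A session holding only one marker, then one holding both.
    var_dump(session_is_authenticated(['user' => 'editor']));
    var_dump(session_is_authenticated(['user' => 'editor', 'logged_in_at' => time()]));
}
```

The session functions are meant for a page served over HTTPS; the command-line part only exercises check_login() and session_is_authenticated().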
RE: [PHP] Re: Anyone?
[snip]
I cannot believe that no one with a lot of PHP and MySQL experience has not replied to this post yet. Is PHP not a secure scripting language? I would really like a little insight into this question, anyone?
[/snip]

[rant warning!]

I'll bite! ;-(

A. You gave so much code that those of us on the list who may be working may have not had time to set it all up and test it.

2. Security from what standpoint? That you can't be hacked? That people can't use your CMS without authorization? That your code is complicated enough to be impressive? Test your code...if it works you're good, if not...fix it.

III. Your code is somewhat bloated, you don't have to go through everything you go through to assure yourself security. Is this for an Intranet? If so is the URL to the CMS accessible through the firewall? If for an Internet site have you thought about putting the CMS on an SSL.

Dang...and D. PHP is secure. You may, to assuage any further fears, encrypt any username password information that gets transmitted from the login to the server the first time. That is very insecure. I could port sniff your butt to kingdom come and gain usernames and passwords all day long.

You cannot believe that no one with a lot of PHP and MySQL experience has not replied to this post yet. I cannot believe that anyone asking about security would transmit the initial login as plain text...so we're even.

[/rant]

Jay
Re: [PHP] Re: Anyone?
Ok, so you have pointed out a problem, now that you have been so kind to do this could you please recommend how to resolve this?

Thanks,
Jas

Jay Blanchard [EMAIL PROTECTED] wrote in message news:002201c20d80$552be430$8102a8c0@niigziuo4ohhdt...
> [snip]
> I cannot believe that no one with a lot of PHP and MySQL experience has not replied to this post yet. Is PHP not a secure scripting language? I would really like a little insight into this question, anyone?
> [/snip]
>
> [rant warning!]
>
> I'll bite! ;-(
>
> A. You gave so much code that those of us on the list who may be working may have not had time to set it all up and test it.
>
> 2. Security from what standpoint? That you can't be hacked? That people can't use your CMS without authorization? That your code is complicated enough to be impressive? Test your code...if it works you're good, if not...fix it.
>
> III. Your code is somewhat bloated, you don't have to go through everything you go through to assure yourself security. Is this for an Intranet? If so is the URL to the CMS accessible through the firewall? If for an Internet site have you thought about putting the CMS on an SSL.
>
> Dang...and D. PHP is secure. You may, to assuage any further fears, encrypt any username password information that gets transmitted from the login to the server the first time. That is very insecure. I could port sniff your butt to kingdom come and gain usernames and passwords all day long.
>
> You cannot believe that no one with a lot of PHP and MySQL experience has not replied to this post yet. I cannot believe that anyone asking about security would transmit the initial login as plain text...so we're even.
>
> [/rant]
>
> Jay
RE: [PHP] Re: Anyone?
[snip]
Ok, so you have pointed out a problem, now that you have been so kind to do this could you please recommend how to resolve this?
[/snip]

You may want to do some research on securing plain text transmission.

http://www.ariadne.ac.uk/issue5/securing-forms/
http://www.google.com/search?hl=en&ie=UTF8&oe=UTF8&q=securing+plain+text&btnG=Google+Search

HTH!

Jay
RE: [PHP] Re: Anyone?
The whole idea is that we offer help after you have exhausted all other resources...

If security is an issue then I suggest getting on a security mailing list and post your questions. Plus, it would be better if you found out how to solve the problems that are associated with security... check on ssl and encryption...you could even go with Kerberos or secure ldap systems. There are many options open...remember google is your friend

Ray BigDog

-----Original Message-----
From: Jas [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 06, 2002 11:41 AM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Re: Anyone?

Ok, so you have pointed out a problem, now that you have been so kind to do this could you please recommend how to resolve this?

Thanks,
Jas

Jay Blanchard [EMAIL PROTECTED] wrote in message news:002201c20d80$552be430$8102a8c0@niigziuo4ohhdt...
> [snip]
> I cannot believe that no one with a lot of PHP and MySQL experience has not replied to this post yet. Is PHP not a secure scripting language? I would really like a little insight into this question, anyone?
> [/snip]
>
> [rant warning!]
>
> I'll bite! ;-(
>
> A. You gave so much code that those of us on the list who may be working may have not had time to set it all up and test it.
>
> 2. Security from what standpoint? That you can't be hacked? That people can't use your CMS without authorization? That your code is complicated enough to be impressive? Test your code...if it works you're good, if not...fix it.
>
> III. Your code is somewhat bloated, you don't have to go through everything you go through to assure yourself security. Is this for an Intranet? If so is the URL to the CMS accessible through the firewall? If for an Internet site have you thought about putting the CMS on an SSL.
>
> Dang...and D. PHP is secure. You may, to assuage any further fears, encrypt any username password information that gets transmitted from the login to the server the first time. That is very insecure. I could port sniff your butt to kingdom come and gain usernames and passwords all day long.
>
> You cannot believe that no one with a lot of PHP and MySQL experience has not replied to this post yet. I cannot believe that anyone asking about security would transmit the initial login as plain text...so we're even.
>
> [/rant]
>
> Jay
Re: [PHP] Re: Anyone?
Sorry, never thought about using a search on forms to check my existing security measures... I am currently employing the use of SSL, however I am not that familiar with securing forms in the traditional sense so I do appreciate your comments. And also, I am not trying to show off my code, simply find ways to improve my existing ideas.

Thanks again,
jas

Jay Blanchard [EMAIL PROTECTED] wrote in message news:002301c20d82$444a6130$8102a8c0@niigziuo4ohhdt...
> [snip]
> Ok, so you have pointed out a problem, now that you have been so kind to do this could you please recommend how to resolve this?
> [/snip]
>
> You may want to do some research on securing plain text transmission.
>
> http://www.ariadne.ac.uk/issue5/securing-forms/
> http://www.google.com/search?hl=en&ie=UTF8&oe=UTF8&q=securing+plain+text&btnG=Google+Search
>
> HTH!
>
> Jay
RE: [PHP] Re: Anyone?
No language is secure because there's no such thing. even supposedly secure Java VM sandboxes have well-known security exploits.

PHP code is as secure as you write it. Bad programmer = bad code

Name any language or program and there are well-documented ways to subvert it. Buffer overflows in C, and flawed Double-byte char support in IIS, to name a few recent and better-known exploits.

---
Scott Hurring
Systems Programmer
EAC Corporation
[EMAIL PROTECTED]
Voice: 201-462-2149
Fax: 201-288-1515

-----Original Message-----
From: Adam Voigt [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 06, 2002 1:22 PM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Re: Anyone?

Yes, PHP is a secure programming language.

On Thu, 2002-06-06 at 13:18, Jas wrote:
> I cannot believe that no one with a lot of PHP and MySQL experience has not replied to this post yet. Is PHP not a secure scripting language? I would really like a little insight into this question, anyone?
>
> Jas [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
>> I posted this yesterday and did not get any response at all? Just wondering if someone can give me some insight into some security measures for a content management application...
>>
>> Posted 06/05/2002
>>
>> Ok, I am not a security expert so I would like to know if my security measures I have implemented are adequate enough to keep people out. Any pointers on this would be very helpful as I am trying to implement a secure way for people to update a website through the use of a content management application.
Re: [PHP] Re: Anyone?
Ok, I think you have gotten my point... I simply want to make sure that the code I am writing is up to par on security issues such as you listed. Maybe there are some examples of what to do vs. what not to do when writing code that would be near impossible to exploit. I simply do not need some script kiddie messing with the time and research I have put into making this application. Any resources would be appreciated!

Jas

Scott Hurring [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> No language is secure because there's no such thing. even supposedly secure Java VM sandboxes have well-known security exploits.
>
> PHP code is as secure as you write it. Bad programmer = bad code
>
> Name any language or program and there are well-documented ways to subvert it. Buffer overflows in C, and flawed Double-byte char support in IIS, to name a few recent and better-known exploits.
>
> ---
> Scott Hurring
> Systems Programmer
> EAC Corporation
> [EMAIL PROTECTED]
> Voice: 201-462-2149
> Fax: 201-288-1515
>
> -----Original Message-----
> From: Adam Voigt [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 06, 2002 1:22 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] Re: Anyone?
>
> Yes, PHP is a secure programming language.
>
> On Thu, 2002-06-06 at 13:18, Jas wrote:
>> I cannot believe that no one with a lot of PHP and MySQL experience has not replied to this post yet. Is PHP not a secure scripting language? I would really like a little insight into this question, anyone?
>>
>> Jas [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
>>> I posted this yesterday and did not get any response at all? Just wondering if someone can give me some insight into some security measures for a content management application...
>>>
>>> Posted 06/05/2002
>>>
>>> Ok, I am not a security expert so I would like to know if my security measures I have implemented are adequate enough to keep people out.
Re: [PHP] Re: Anyone?
Just FYI, I read your previous two messages and decided not to answer them for the following (very subjective) reasons:

1. Your commenting style () made my head hurt.

2. The question was a little too open-ended yet the answer would be very specific. I'm happy to write a long-winded blowhard essay if I think it will contribute to a broad discussion of interest to many people. But when it's just in effect a free programming help service, I tend to take on the terser projects.

There are plenty of kind-hearted people who will respond to messages like yours, at least sometimes (when they have enough time, or are waiting for a big compile to finish, or feel guilty about cutting someone off on the freeway this morning and want to earn karma back, or whatever).

But it seemed like you were sort of curious as to why you didn't get any response, so there you go.

miguel

On Thu, 6 Jun 2002, Jas wrote:
> I cannot believe that no one with a lot of PHP and MySQL experience has not replied to this post yet. Is PHP not a secure scripting language? I would really like a little insight into this question, anyone?
>
> Jas [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
>> I posted this yesterday and did not get any response at all? Just wondering if someone can give me some insight into some security measures for a content management application...
>>
>> Posted 06/05/2002
>>
>> Ok, I am not a security expert so I would like to know if my security measures I have implemented are adequate enough to keep people out. Any pointers on this would be very helpful as I am trying to implement a secure way for people to update a website through the use of a content management application.
Re: [PHP] Re: Anyone?
PHP is secure, it's up to the programmer to make sure the script they write is secure.

I'd guess the reason that no one has replied is because we hate reading 75+ lines of code. In my experience on this list, the best answers come when you ask a specific question about a specific problem... NOT when you post a big chunk of code and ask a vague question.

Perhaps another way you could assess your script's security is to download a popular, respected application (like an e-commerce library, content management library, etc etc) which has similar needs to yours, and see how they do it. Or check out a decent article on the subject.

Security is a massive topic.

Justin French
Creative Director
http://Indent.com.au

on 07/06/02 3:18 AM, Jas ([EMAIL PROTECTED]) wrote:

I cannot believe that no one with a lot of PHP and MySQL experience has not replied to this post yet. Is PHP not a secure scripting language? I would really like a little insight into this question, anyone?
Jas

[EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

I posted this yesterday and did not get any response at all? Just wondering if someone can give me some insight into some security measures for a content management application...

Posted 06/05/2002
Ok, I am not a security expert so I would like to know if my security measures I have implemented is adequate enough to keep people out. Any pointers on this would be very helpful as I am trying to implement a secure way for people to update a website through the use of a content management application.

Example of code is as follows

// Login form - index.php
<form name="authenticate" method="post" action="auth_done.php">
<input type="text" name="user" size="20" maxlength="20"><br>
<input type="password" name="pw" size="20" maxlength="20"><br>
Select an image to identify yourself as an administrator.<br>
<select name="image">
<option value="image01.jpg">image01</option>
<option value="image02.jpg">image02</option>
<option value="image03.jpg">image03</option>
<option value="image04.jpg">image04</option>
<option value="image05.jpg">image05</option>
</select><br><br>
<input type="submit" name="Login" value="Login">
<input type="reset" name="Reset" value="Reset">
</form>

// Authentication checker - auth_done.php
#check fields for valid entries in form
if ((!$u_name) || (!$p_word) || (!$image)){
    header("Location: index.php");
    exit;
}
#connects to database
require '/path/to/database/connection/script/dbcon.php';
#selects database table containing users that are allowed to use application
$db_table = 'users';
$sql = "SELECT * from $db_table WHERE un = \"$user\" AND pw = password(\"$pw\")";
$result = @mysql_query($sql,$dbh) or die("Couldn't execute query");
#loops through all records to find a match
$num = mysql_numrows($result);
if ($num !=0) {
    #creates variables for sessions
    $p_hash = $p_word;
    $to_hash = $image;
    #creates md5 hash of image user selected
    $pstring = md5($to_hash);
    #creates md5 hash of password user entered
    $image_sel = md5(uniqid(microtime($p_word),1));
    #starts session for user
    session_start();
    #registers variables created (md5 of password, username, image) in session
    session_register('user');
    session_register('$pstring');
    session_register('$image_sel');
    #captures users ip address (logging stuff, not listed in this code for security reasons)
    $ipaddy = $REMOTE_ADDR;
    #echoes success message to authenticated user
    $msg_success = "<b>You have been authorized to make changes to the website!
Your IP address has been recorded and sent to the administrator: $ipaddy</b>";
} else {
    #this prints if user name and password combination is not found in database
    print "<p>You are not authorized to use this application!</p>";
    exit;
}

Now on each page in the content management app I have these lines of code:

#Start the session#
session_start();
#check session variables#
if (isset($HTTP_SESSION_VARS['user']) || isset($HTTP_SESSION_VARS['$image_sel']) || isset($HTTP_SESSION_VARS['$pstring'])) {
    $main = "Some kinda message for page in question";
    #connects to database#
    require '/path/to/database/connection/script/dbcon.php';
#if session variables not registered kick the user back to login form#
} else {
    header ("Location: index.php");
}

Now just so you know I have changed all the variables to something other than what I am currently using, however I have made sure that this is a working example so everything should work as is. Also I have tested this a few different ways, including: creating a page that tries to include one of the pages I have my security checks
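
An added example, not part of the thread and not Jas's code: the same login check and per-page guard written for current PHP, with a bound-parameter query where the posted code interpolates $user into the SQL string, password_verify() where it calls MySQL's password(), and a guard that requires every session key where the posted one accepts any single key. The function names, the `authenticated` session key and the in-memory SQLite table standing in for `users` are assumptions made so the block runs offline.

```php
<?php
declare(strict_types=1);

// Constructed sample data: an in-memory SQLite table standing in for the
// post's `users` table (columns un, pw). Requires the pdo_sqlite extension.
function demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (un TEXT PRIMARY KEY, pw TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO users (un, pw) VALUES (:un, :pw)');
    $ins->execute([
        ':un' => 'admin',
        ':pw' => password_hash('correct horse', PASSWORD_DEFAULT),
    ]);
    return $db;
}

// The user name travels as a bound parameter, so quote characters in it are
// data, not SQL. The password is checked in PHP against a salted hash.
function check_login(PDO $db, string $user, string $pw): bool
{
    $stmt = $db->prepare('SELECT pw FROM users WHERE un = :un');
    $stmt->execute([':un' => $user]);
    $hash = $stmt->fetchColumn();          // false when there is no such user
    return is_string($hash) && password_verify($pw, $hash);
}

// Call once, right after check_login() succeeds.
function establish_session(string $user): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);           // discard the pre-login session ID
    $_SESSION = ['user' => $user, 'authenticated' => true];
}

// isset() with several arguments is true only when all of them are set,
// so a session carrying just one of the keys does not pass.
function is_authenticated(array $session): bool
{
    return isset($session['user'], $session['authenticated'])
        && is_string($session['user'])
        && $session['authenticated'] === true;
}

// Put at the top of every protected page.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!is_authenticated($_SESSION)) {
        header('Location: index.php');
        exit;                              // nothing below runs for an anonymous visitor
    }
}

// Command-line demo over constructed inputs.
if (PHP_SAPI === 'cli') {
    $db = demo_db();
    $logins = [
        ['admin', 'correct horse'],        // right password
        ['admin', 'wrong'],                // wrong password
        ['ad"min', 'correct horse'],       // quote in the name is matched literally
    ];
    foreach ($logins as [$user, $pw]) {
        printf("login %-8s => %s\n", $user, var_export(check_login($db, $user, $pw), true));
    }
    $sessions = [
        ['user' => 'admin'],                             // one key only
        ['user' => 'admin', 'authenticated' => true],    // every key present
    ];
    foreach ($sessions as $session) {
        printf("guard %s => %s\n", json_encode($session), var_export(is_authenticated($session), true));
    }
}
```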
Re: [PHP] Re: Anyone Up?
I think you'll need something like this: VALUE=\'Your Name1\' / /single quote marks I believe (and I certainly could be wrong). otherwise it'll truncate at 'Your'

of course, if this is what you want...

Hugh

----- Original Message -----
From: Luke Welling [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, January 31, 2002 11:50 PM
Subject: [PHP] Re: Anyone Up?

Jtjohnston [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

> Luke is that 6:47 pm tomorrow? :) You lost an entire day!
> Enough Oz Jokes. Here is my predicament in Canada :-)
>
> $varname = "Check".$i;
>
> $varname = Check1 but I want $varname = Your Name1 to Your Name12.
> One more try? :)
>
> <INPUT TYPE=checkbox NAME="Check1" VALUE="Your Name1">
> <INPUT TYPE=checkbox NAME="Check2" VALUE="Your Name2">
> <INPUT TYPE=checkbox NAME="Check3" VALUE="Your Name3">
> etc.
>
> for ($i = 1; $i <= $NMax; $i++)
> {
>     #$varname = $Check.$i;
>     $varname = "Check".$i;
>     #echo $varname;
>     if ($varname) echo "$varname = $i<br>";
> }

In that case it is easy, I did not know that the ids were just 1 to 12, I thought they could be anything spat out by the database.

How about something like this:

for ($i = 1; $i <= $NMax; $i++)
{
    $varname = "Check".$i;
    if (isset($$varname)) echo $$varname."<br>";
}

Luke Welling.
--
PHP and MySQL Web Development by Luke Welling and Laura Thomson
http://www.amazon.com/exec/obidos/ASIN/0672317842

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP] Re: Anyone Up?
You're wrong here, my friend. You can have any value you like. value=@£$ASDFSDF ASDP fosifu @}{$#%/@would work.

Niklas

-----Original Message-----
From: hugh danaher [mailto:[EMAIL PROTECTED]]
Sent: 1 February 2002 10:48
To: Luke Welling
Cc: Php-General
Subject: Re: [PHP] Re: Anyone Up?

I think you'll need something like this: VALUE=\'Your Name1\' / /single quote marks I believe (and I certainly could be wrong). otherwise it'll truncate at 'Your'

of course, if this is what you want...

Hugh

----- Original Message -----
From: Luke Welling [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, January 31, 2002 11:50 PM
Subject: [PHP] Re: Anyone Up?

Jtjohnston [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

> Luke is that 6:47 pm tomorrow? :) You lost an entire day!
> Enough Oz Jokes. Here is my predicament in Canada :-)
>
> $varname = "Check".$i;
>
> $varname = Check1 but I want $varname = Your Name1 to Your Name12.
> One more try? :)
>
> <INPUT TYPE=checkbox NAME="Check1" VALUE="Your Name1">
> <INPUT TYPE=checkbox NAME="Check2" VALUE="Your Name2">
> <INPUT TYPE=checkbox NAME="Check3" VALUE="Your Name3">
> etc.
>
> for ($i = 1; $i <= $NMax; $i++)
> {
>     #$varname = $Check.$i;
>     $varname = "Check".$i;
>     #echo $varname;
>     if ($varname) echo "$varname = $i<br>";
> }

In that case it is easy, I did not know that the ids were just 1 to 12, I thought they could be anything spat out by the database.

How about something like this:

for ($i = 1; $i <= $NMax; $i++)
{
    $varname = "Check".$i;
    if (isset($$varname)) echo $$varname."<br>";
}

Luke Welling.
--
PHP and MySQL Web Development by Luke Welling and Laura Thomson
http://www.amazon.com/exec/obidos/ASIN/0672317842
Re: [PHP] Re: Anyone Up?
* hugh danaher ([EMAIL PROTECTED]) [Feb 01. 2002 03:48]:

> I think you'll need something like this: VALUE=\'Your Name1\' / /single quote marks I believe (and I certainly could be wrong). otherwise it'll truncate at 'Your'
> of course, if this is what you want...

(Not trying to pick on you, Hugh. <g>)

It'd be better just to write proper HTML/XHTML and use double quotes.

<?php /* php scripting */ ?>
<!-- HTML -->
<?php /* back to php scripting */ ?>

or just:

print '<input type="checkbox" value="Your Name1">';

But it would work with single quotes around attributes. I don't know if it'd validate though.

--
Brian Clark | Avoiding the general public since 1805!
Fingerprint: 07CE FA37 8DF6 A109 8119 076B B5A2 E5FB E4D0 C7C8
5 out of 4 people have trouble with fractions.
Re: [PHP] Re: Anyone Up?
Not familiar with anything but php and html.

I know that in a type=text (obviously not a checkbox) if you don't use the escape backslashes, the value written into the box is 'Your' without the 'Name #'

I am told this is because the browser views the space after 'r' in 'Your' as a break and is looking at Name # as the next instruction, which it isn't.

My two cents for the evening.

Hugh

----- Original Message -----
From: Brian Clark [EMAIL PROTECTED]
To: PHP is not a drug. [EMAIL PROTECTED]
Sent: Friday, February 01, 2002 12:54 AM
Subject: Re: [PHP] Re: Anyone Up?

* hugh danaher ([EMAIL PROTECTED]) [Feb 01. 2002 03:48]:

> I think you'll need something like this: VALUE=\'Your Name1\' / /single quote marks I believe (and I certainly could be wrong). otherwise it'll truncate at 'Your'
> of course, if this is what you want...

(Not trying to pick on you, Hugh. <g>)

It'd be better just to write proper HTML/XHTML and use double quotes.

<?php /* php scripting */ ?>
<!-- HTML -->
<?php /* back to php scripting */ ?>

or just:

print '<input type="checkbox" value="Your Name1">';

But it would work with single quotes around attributes. I don't know if it'd validate though.

--
Brian Clark | Avoiding the general public since 1805!
Fingerprint: 07CE FA37 8DF6 A109 8119 076B B5A2 E5FB E4D0 C7C8
5 out of 4 people have trouble with fractions.
Re: [PHP] Re: Anyone Up?
* hugh danaher ([EMAIL PROTECTED]) [Feb 01. 2002 04:21]:

> Not familiar with anything but php and html.

XHTML isn't too different. There are different `rules' -- like tags and attributes must be lower case, values must be surrounded by double quotes, tags without closing tags: <br />, <img src="i.gif" alt="" />, Etc..

> I know that in a type=text (obviously not a checkbox) if you don't use the escape backslashes, the value written into the box is 'Your' without the 'Name #'
> I am told this is because the browser views the space after 'r' in 'Your' as a break and is looking at Name # as the next instruction, which it isn't.
> My two cents for the evening.

Yes, that's why you surround the value in quotes. :-)

Escaping has nothing to do with it really, unless you're print()ing like:

print "Brian is a little off his \"rocker\"";

Likewise:

print 'Brian is somewhat \'out of it\' most of the time';

The problem you spoke of happens when you do this:

<input type=text name=brian value=is insane>

IIRC, $brian would turn out to contain 'is' without the insanity.

--
Brian Clark | Avoiding the general public since 1805!
Fingerprint: 07CE FA37 8DF6 A109 8119 076B B5A2 E5FB E4D0 C7C8
I intend to live forever - so far, so good.
RE: [PHP] Re: Anyone Up?
Well, Netscape breaks value=This is to This, but IE understands that as This%20is. so if you set the value to be This%20is, both Netscape and IE understands that as This is. There are many other chars that can f**k up the value, so use htmlspecialchars() to correct that.

Niklas

-----Original Message-----
From: hugh danaher [mailto:[EMAIL PROTECTED]]
Sent: 1 February 2002 11:21
To: Php-General
Subject: Re: [PHP] Re: Anyone Up?

Not familiar with anything but php and html.

I know that in a type=text (obviously not a checkbox) if you don't use the escape backslashes, the value written into the box is 'Your' without the 'Name #'

I am told this is because the browser views the space after 'r' in 'Your' as a break and is looking at Name # as the next instruction, which it isn't.

My two cents for the evening.

Hugh

----- Original Message -----
From: Brian Clark [EMAIL PROTECTED]
To: PHP is not a drug. [EMAIL PROTECTED]
Sent: Friday, February 01, 2002 12:54 AM
Subject: Re: [PHP] Re: Anyone Up?

* hugh danaher ([EMAIL PROTECTED]) [Feb 01. 2002 03:48]:

> I think you'll need something like this: VALUE=\'Your Name1\' / /single quote marks I believe (and I certainly could be wrong). otherwise it'll truncate at 'Your'
> of course, if this is what you want...

(Not trying to pick on you, Hugh. <g>)

It'd be better just to write proper HTML/XHTML and use double quotes.

<?php /* php scripting */ ?>
<!-- HTML -->
<?php /* back to php scripting */ ?>

or just:

print '<input type="checkbox" value="Your Name1">';

But it would work with single quotes around attributes. I don't know if it'd validate though.

--
Brian Clark | Avoiding the general public since 1805!
Fingerprint: 07CE FA37 8DF6 A109 8119 076B B5A2 E5FB E4D0 C7C8
5 out of 4 people have trouble with fractions.
Re: [PHP] Re: Anyone Up?
On Fri, 2002-02-01 at 01:20, hugh danaher wrote:

> Not familiar with anything but php and html.
>
> I know that in a type=text (obviously not a checkbox) if you don't use the escape backslashes, the value written into the box is 'Your' without the 'Name #'
> I am told this is because the browser views the space after 'r' in 'Your' as a break and is looking at Name # as the next instruction, which it isn't.
> My two cents for the evening.
> Hugh

A few notes:

o Single or double quotes will work fine; either are valid (so long as they match).
o <input type=text value=this is a joke> will give a value of 'this' and is bad style--*always* quote your attributes :),
o <input type="text" value="this is a joke"> will give a value of "this is a joke".

You needed to escape the backslashes so that the double quotes inside a double-quoted string wouldn't tell PHP to end that string.

Torben

> ----- Original Message -----
> From: Brian Clark [EMAIL PROTECTED]
> To: PHP is not a drug. [EMAIL PROTECTED]
> Sent: Friday, February 01, 2002 12:54 AM
> Subject: Re: [PHP] Re: Anyone Up?
>
> * hugh danaher ([EMAIL PROTECTED]) [Feb 01. 2002 03:48]:
>
> > I think you'll need something like this: VALUE=\'Your Name1\' / /single quote marks I believe (and I certainly could be wrong). otherwise it'll truncate at 'Your'
> > of course, if this is what you want...
>
> (Not trying to pick on you, Hugh. <g>)
>
> It'd be better just to write proper HTML/XHTML and use double quotes.
>
> <?php /* php scripting */ ?>
> <!-- HTML -->
> <?php /* back to php scripting */ ?>
>
> or just:
>
> print '<input type="checkbox" value="Your Name1">';
>
> But it would work with single quotes around attributes. I don't know if it'd validate though.
>
> --
> Brian Clark | Avoiding the general public since 1805!
> Fingerprint: 07CE FA37 8DF6 A109 8119 076B B5A2 E5FB E4D0 C7C8
> 5 out of 4 people have trouble with fractions.

--
Torben Wilson [EMAIL PROTECTED]
http://www.thebuttlesschaps.com
http://www.hybrid17.com
http://www.inflatableeye.com
+1.604.709.0506
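
An added example, not code from any poster in the thread: it renders the checkbox from the question three ways (unquoted, quoted without escaping, quoted with htmlspecialchars() as Niklas suggests) and parses each result back with DOMDocument to show which value an HTML parser actually sees, then reads Check1..CheckN from a submitted array without variable variables. The function names and sample values are constructed for the illustration, and the block needs PHP's dom extension.

```php
<?php
declare(strict_types=1);

// Escape a value for use inside a quoted HTML attribute.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// No quotes: the attribute value ends at the first space.
function checkbox_unquoted(string $name, string $value): string
{
    return "<input type=checkbox name=$name value=$value>";
}

// Quoted but not escaped: fine until the value itself contains a double quote.
function checkbox_quoted_raw(string $name, string $value): string
{
    return "<input type=\"checkbox\" name=\"$name\" value=\"$value\">";
}

// Quoted and escaped: the value survives whatever characters it contains.
function checkbox_escaped(string $name, string $value): string
{
    return '<input type="checkbox" name="' . attr($name) . '" value="' . attr($value) . '">';
}

// Parse the markup with an HTML parser and return the value attribute it sees.
function parsed_value(string $html): ?string
{
    $previous = libxml_use_internal_errors(true);   // malformed samples are expected
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $input = $doc->getElementsByTagName('input')->item(0);
    if (!$input instanceof DOMElement || !$input->hasAttribute('value')) {
        return null;
    }
    return $input->getAttribute('value');
}

// Read Check1..CheckN from the submitted array by exact key.
function submitted_checks(array $post, int $max): array
{
    $found = [];
    for ($i = 1; $i <= $max; $i++) {
        $key = "Check$i";
        if (isset($post[$key]) && is_string($post[$key])) {
            $found[$key] = $post[$key];
        }
    }
    return $found;
}

// Demo over constructed values: one with a space, one with both quote kinds.
$samples = ['Your Name1', 'Tom "T" O\'Neil'];
foreach ($samples as $value) {
    echo "original value: ", var_export($value, true), "\n";
    foreach (['checkbox_unquoted', 'checkbox_quoted_raw', 'checkbox_escaped'] as $render) {
        $html = $render('Check1', $value);
        printf("  %-20s %s\n", $render, $html);
        printf("  %-20s parser sees %s\n", '', var_export(parsed_value($html), true));
    }
}

// Constructed form submission: only Check1 and Check3 were ticked.
print_r(submitted_checks(
    ['Check1' => 'Your Name1', 'Check3' => 'Your Name3', 'Other' => 'ignored'],
    12
));
```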
Re: [PHP] Re: Anyone Up?
On Fri, 2002-02-01 at 01:33, Brian Clark wrote:

> * hugh danaher ([EMAIL PROTECTED]) [Feb 01. 2002 04:21]:
>
> > Not familiar with anything but php and html.
>
> XHTML isn't too different. There are different `rules' -- like tags and attributes must be lower case, values must be surrounded by double quotes, tags without closing tags: <br />, <img src="i.gif" alt="" />, Etc..

Everything is correct 'cept the 'double quotes' bit--XML accepts attribute values enclosed in either single or double quotes.

Torben

> > I know that in a type=text (obviously not a checkbox) if you don't use the escape backslashes, the value written into the box is 'Your' without the 'Name #'
> > I am told this is because the browser views the space after 'r' in 'Your' as a break and is looking at Name # as the next instruction, which it isn't.
> > My two cents for the evening.
>
> Yes, that's why you surround the value in quotes. :-)
>
> Escaping has nothing to do with it really, unless you're print()ing like:
>
> print "Brian is a little off his \"rocker\"";
>
> Likewise:
>
> print 'Brian is somewhat \'out of it\' most of the time';
>
> The problem you spoke of happens when you do this:
>
> <input type=text name=brian value=is insane>
>
> IIRC, $brian would turn out to contain 'is' without the insanity.
>
> --
> Brian Clark | Avoiding the general public since 1805!
> Fingerprint: 07CE FA37 8DF6 A109 8119 076B B5A2 E5FB E4D0 C7C8
> I intend to live forever - so far, so good.

--
Torben Wilson [EMAIL PROTECTED]
http://www.thebuttlesschaps.com
http://www.hybrid17.com
http://www.inflatableeye.com
+1.604.709.0506
Re: [PHP] Re: Anyone Up?
* Lars Torben Wilson ([EMAIL PROTECTED]) [Feb 01. 2002 05:07]:

> On Fri, 2002-02-01 at 01:33, Brian Clark wrote:
>
> > XHTML isn't too different. There are different `rules' -- like tags and attributes must be lower case, values must be surrounded by double quotes, tags without closing tags: <br />, <img src="i.gif" alt="" />, Etc..
>
> Everything is correct 'cept the 'double quotes' bit--XML accepts attribute values enclosed in either single or double quotes.

Well I be! I just validated a test page using XHTML 1.0 transitional and you're right. I guess I learn something new every day. 0_o

Happy Trails,

--
Brian Clark | Unable to leap tall buildings in a single bound.
Fingerprint: 07CE FA37 8DF6 A109 8119 076B B5A2 E5FB E4D0 C7C8
Sinners can repent, but stupid is forever.
Re: [PHP] Re: Anyone Up?
On Friday, February 1, 2002, at 05:07 AM, Lars Torben Wilson wrote:

> Everything is correct 'cept the 'double quotes' bit--XML accepts attribute values enclosed in either single or double quotes.

Yes, and to extend on that: you need to stick to one convention or the other throughout the entire document. You can't have one entity with double quotes and another one using singles.

Erik

Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]
Re: [PHP] Re: Anyone Up?
On Fri, 2002-02-01 at 10:48, Erik Price wrote:

> On Friday, February 1, 2002, at 05:07 AM, Lars Torben Wilson wrote:
>
> > Everything is correct 'cept the 'double quotes' bit--XML accepts attribute values enclosed in either single or double quotes.
>
> Yes, and to extend on that: you need to stick to one convention or the other throughout the entire document. You can't have one entity with double quotes and another one using singles.

No, that's incorrect. As long as they match for a given attribute value, you're OK. At least, that's what the spec and nsgmls say. :)

BTW--entities are something else entirely.

Torben

> Erik
>
> Erik Price
> Web Developer Temp
> Media Lab, H.H. Brown
> [EMAIL PROTECTED]

--
Torben Wilson [EMAIL PROTECTED]
http://www.thebuttlesschaps.com
http://www.hybrid17.com
http://www.inflatableeye.com
+1.604.709.0506
Re: [PHP] Re: Anyone Up?
On Friday, February 1, 2002, at 03:05 PM, Lars Torben Wilson wrote:

> > > Everything is correct 'cept the 'double quotes' bit--XML accepts attribute values enclosed in either single or double quotes.
> >
> > Yes, and to extend on that: you need to stick to one convention or the other throughout the entire document. You can't have one entity with double quotes and another one using singles.
>
> No, that's incorrect. As long as they match for a given attribute value, you're OK. At least, that's what the spec and nsgmls say. :)

Hm... I don't know why I thought otherwise. I checked with the spec (http://www.w3.org/TR/xhtml1/#h-4.4), and it really doesn't say yes or no to this. But I'm sure you're right, since some attributes contain quoted content, which is why you would switch from one to the other.

> BTW--entities are something else entirely.

In trying to avoid calling XML entities tags, I forgot that we were talking about XHTML, where tags do indeed exist. Thanks for the correction.

Erik

Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]
Re: [PHP] Re: Anyone Up?
On Fri, 2002-02-01 at 13:54, Erik Price wrote:

> Hm... I don't know why I thought otherwise. I checked with the spec (http://www.w3.org/TR/xhtml1/#h-4.4), and it really doesn't say yes or no to this. But I'm sure you're right, since some attributes contain quoted content, which is why you would switch from one to the other.

This is handled in the XML spec; XHTML is just an XML application and is therefore subject to the XML spec:

http://www.w3.org/TR/REC-xml

Cheers,

Torben

> > BTW--entities are something else entirely.
>
> In trying to avoid calling XML entities tags, I forgot that we were talking about XHTML, where tags do indeed exist. Thanks for the correction.
>
> Erik

--
Torben Wilson [EMAIL PROTECTED]
http://www.thebuttlesschaps.com
http://www.hybrid17.com
http://www.inflatableeye.com
+1.604.709.0506