Re: [PHP] Re: strpos error (I'm missing something obvious)
On 10/2/07, Al <[EMAIL PROTECTED]> wrote:
> I didn't mean that the function was foolproof, only the match function itself.

Understood. :-)

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: strpos error (I'm missing something obvious)
I didn't mean that the function was foolproof, only the match function itself. However, your suggestion to add the line start is simple and effective.

Andrew Ballard wrote:
> I'd suggest the following *slight* enhancement to make sure that the HTTP_REFERER actually *begins* with the site name, not simply contains it.
>
> // prevents visits from pages like http://badsite.com/form.htm?http://www.wnc.edu
> if (strpos($referer, $site) === 0) {
>     echo 'yes';
> }
>
> (or, if you like the preg solution)
>
> if (preg_match("%^$site%", $referer)) {
>     //
> }
>
> However, I'd argue that the effectiveness of checking the referrer itself could be considered "negligible", and hardly "foolproof". The header is easily spoofed in scripts, and may not even be sent at all by legitimate clients because of various browser and/or personal firewall options.
>
> Andrew
Re: [PHP] Re: strpos error (I'm missing something obvious)
Thanks for the info. I've modified the script to reflect that. I actually ended up reversing it, and so I used !== 0, which should work just the same.

All this is a minor portion of a much larger security scheme for an intranet site (which is protected by an LDAP server), where I am just trying to keep images outside the web directory and want to prevent people from linking directly to an image... the only way an image displays is if they view the page, not link directly to the image. Not foolproof, I know, but I'm not dealing with the general population here, just internal employees, some of whom are more computer savvy than others.

Thanks all for your help. It seems to be working now.

--
Kevin Murphy
Webmaster: Information and Marketing Services
Western Nevada College
www.wnc.edu
775-445-3326

P.S. Please note that my e-mail and website address have changed from wncc.edu to wnc.edu.

On Oct 2, 2007, at 8:32 AM, Andrew Ballard wrote:
> I'd suggest the following *slight* enhancement to make sure that the HTTP_REFERER actually *begins* with the site name, not simply contains it.
>
> // prevents visits from pages like http://badsite.com/form.htm?http://www.wnc.edu
> if (strpos($referer, $site) === 0) {
>     echo 'yes';
> }
>
> (or, if you like the preg solution)
>
> if (preg_match("%^$site%", $referer)) {
>     //
> }
>
> However, I'd argue that the effectiveness of checking the referrer itself could be considered "negligible", and hardly "foolproof". The header is easily spoofed in scripts, and may not even be sent at all by legitimate clients because of various browser and/or personal firewall options.
>
> Andrew
Re: [PHP] Re: strpos error (I'm missing something obvious)
I'd suggest the following *slight* enhancement to make sure that the HTTP_REFERER actually *begins* with the site name, not simply contains it.

// prevents visits from pages like http://badsite.com/form.htm?http://www.wnc.edu
if (strpos($referer, $site) === 0) {
    echo 'yes';
}

(or, if you like the preg solution)

if (preg_match("%^$site%", $referer)) {
    //
}

However, I'd argue that the effectiveness of checking the referrer itself could be considered "negligible", and hardly "foolproof". The header is easily spoofed in scripts, and may not even be sent at all by legitimate clients because of various browser and/or personal firewall options.

Andrew
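The three ways of comparing the referer discussed in this message side by side, as an added example that is not part of the thread. The site name, the sample referer strings and the function names are constructed for illustration; the host comparison (parse_url + strcasecmp) is an extra step beyond what Andrew posted, added because a pure "begins with" test still accepts any host that merely starts with the site name.

```php
<?php
// Added example (not from the thread): the referer checks under discussion,
// with the weaknesses a defender should know about.
// $site and the referer strings below are constructed sample values.

// Weak: "contains" check. A referer such as
// http://badsite.com/form.htm?http://www.wnc.edu passes.
function referer_contains(string $referer, string $site): bool
{
    return strpos($referer, $site) !== false;
}

// Better: "begins with" check (strpos === 0). A missing Referer header
// must count as a failure, not a match, hence the null test.
function referer_begins_with(?string $referer, string $site): bool
{
    return $referer !== null && strpos($referer, $site) === 0;
}

// Safer still: compare the parsed host exactly, so a name that merely
// starts with the site (http://www.wnc.edu.example.com/) does not pass.
// preg_quote() would be the equivalent fix for the preg_match() variant.
function referer_host_matches(?string $referer, string $host): bool
{
    if ($referer === null) {
        return false;
    }
    $parts = parse_url($referer);
    return is_array($parts) && isset($parts['host'])
        && strcasecmp($parts['host'], $host) === 0;
}

$site = 'http://www.wnc.edu';
$cases = [
    'http://www.wnc.edu/page.php',                     // legitimate
    'http://badsite.com/form.htm?http://www.wnc.edu',  // passes "contains" only
    'http://www.wnc.edu.example.com/',                 // passes "begins with" too
    null,                                              // header not sent
];
foreach ($cases as $ref) {
    printf("%-50s contains=%d begins=%d host=%d\n",
        var_export($ref, true),
        $ref !== null && referer_contains($ref, $site),
        referer_begins_with($ref, $site),
        referer_host_matches($ref, 'www.wnc.edu'));
}
```

Even the host comparison only raises the bar for casual hot-linking; as the message says, the header is client-supplied and may be absent or spoofed, so it cannot stand in for real authorization.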
Re: [PHP] Re: strpos
Andrew Kirilenko wrote:
> Oops. Forgot about 0 return ;(

Which means ??? They both work for me, yeah? No?

This tells me that the user made a boo boo:

if((strpos($yourimage, "\.jpg") !== false) || (strpos($yourimage, "\.jpeg") !== false))

So what does this do?

if((!strpos($yourimage, ".jpg")) || (!strpos($yourimage, ".jpeg")))

J

> > -Original Message-
> > From: Martin Thoma [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, November 16, 2001 9:42 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [PHP] Re: strpos
> >
> > > if (!strpos(...))
> > > will be better...
> >
> > Why?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP] Re: strpos
Oops. Forgot about 0 return ;(

> -Original Message-
> From: Martin Thoma [mailto:[EMAIL PROTECTED]]
> Sent: Friday, November 16, 2001 9:42 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] Re: strpos
>
> > if (!strpos(...))
> > will be better...
>
> Why?
Re: [PHP] Re: strpos
> if (!strpos(...))
> will be better...

Why?
RE: [PHP] Re: strpos
Hello!

if (!strpos(...))
will be better...

Best regards,
Andrew Kirilenko.

> -Original Message-
> From: Martin Thoma [mailto:[EMAIL PROTECTED]]
> Sent: Friday, November 16, 2001 9:28 AM
> To: [EMAIL PROTECTED]
> Subject: [PHP] Re: strpos
>
> strpos returns false if the search fails. You have therefore to test for:
>
> if (strpos(...,...) === false)
>
> or
>
> if (strpos(...,...) !== false)
>
> Martin
>
> Jtjohnston wrote:
> > I suppose I'm doing this right? I want to know if the user entered "\.jpeg" or "\.jpg". If he didn't, it should error.
> >
> > It errors anyways? What do I have to do add slashes in my ???
> > :o)
> >
> > // if((!strpos($yourimage, "\.jpg")) || (!strpos($yourimage, "\.jpeg"))) \\ <--- tried both!
> > if((!strpos($yourimage, ".jpg")) || (!strpos($yourimage, ".jpeg")))
> > {
> >     error_found("error found");
> >     $errorfound++;
> > }
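The check quoted in this message, run against a few constructed filenames to show why it "errors anyways", next to the === false form Martin recommends. This is an added example, not code from anyone in the thread; the function names and sample inputs are constructed, and the final pathinfo() variant goes one step beyond the thread by anchoring the extension at the end of the name, which a substring search does not do.

```php
<?php
// Added example (not from the thread): why the posted check always errors,
// and how to test strpos() results correctly. Each function returns true
// when the filename should be rejected. Sample inputs are constructed.

// Posted version: "!strpos" treats a match at offset 0 as "not found", and
// "||" rejects whenever EITHER extension is missing, which is the case for
// every filename, so it errors anyways.
function posted_check(string $yourimage): bool
{
    return (!strpos($yourimage, ".jpg")) || (!strpos($yourimage, ".jpeg"));
}

// Corrected along the thread's lines: compare against false with ===, so
// offset 0 is a hit, and reject only when NEITHER extension is present.
function strict_check(string $yourimage): bool
{
    return strpos($yourimage, ".jpg") === false
        && strpos($yourimage, ".jpeg") === false;
}

// strpos() finds the substring anywhere, so "photo.jpg.php" still passes
// strict_check(). An upload filter needs the extension at the end of the
// name, which pathinfo() gives directly.
function extension_check(string $yourimage): bool
{
    $ext = strtolower(pathinfo($yourimage, PATHINFO_EXTENSION));
    return !in_array($ext, ['jpg', 'jpeg'], true);
}

$samples = ['photo.jpg', 'photo.jpeg', '.jpg', 'photo.gif', 'photo.jpg.php'];
foreach ($samples as $img) {
    // posted=1 for every name; strict=0 for the four containing .jpg/.jpeg;
    // ext=1 only for photo.gif and photo.jpg.php
    printf("%-15s posted=%d strict=%d ext=%d\n", $img,
        posted_check($img), strict_check($img), extension_check($img));
}
```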