[PHP] Issue with encrypted string created with Crypt_CBC and urls and mod_rewrite
Hi there, I'm having an issue decoding an encoded string created with a PEAR package, Crypt_CBC, with which I am encoding a URI into the string and sending it to a rewrite URL. The query string is not returning the encoded part of the URL properly for some reason and is not decoding properly. I have already sent this to the PEAR list, but maybe someone here has experienced issues with encoded strings and mod_rewrite not relocating with a URL-encoded string?

The encoded string without mod_rewrite rules is

RandomIVQ%83%80%E6%0F%E7%E4%7CdY%E7%BA%9B%14%5B%60%98%A1%1D%04%94L_%16%E
4%19%EF%F1%FE%5C%D6%CE%09%C8DI%A7%1F%04%25%A8%7B%FA%19%B51%1D%7C%0D%04%1
3%E3%21%F1%60f%C6%91%A8b%82%11YK%21l+%C5%D0W%D9%9A%2B%CD3%C3%FA%82LE%D8%
1EA%07%25%F5%BB%22%EA%B7%B8%82%F0WZ%40

With rewritten URLs it is (from viewing source):

RandomIVQƒ€æçä|dY纛[`˜¡”L_äïñþ\ÖÎÈDI§%¨{úµ1| ã!ñ`fÆ‘¨b‚YK!l+ÅÐWÙš+Í3Ãú‚LEØA%õ»ê·¸‚ðWZ@

The rewrite rule is

    RewriteEngine on
    RewriteBase /
    RewriteRule ^feeds/(.*) refer.php?$1 [L]

Any ideas why it's not urlencoding the urlencoded string in the rewrite URL? I may have to use the request_uri instead of sending it as a query string if this is a flaw in mod_rewrite. I think, however, if I use the request_uri things could break a little. Let me know.

Dan

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] PHP 5 DOM, XPath, UTF-8, and Form Input
I have been doing some testing and need confirmation that the following is correct.

You have a DOMDocument that potentially contains UTF-8 encoded data (it might not however). You want to search it via DOMXpath->query() using a value that comes from a $_POST value.

If the page that posts the data via a form to the search script IS NOT encoded in UTF-8, then the value must be converted to UTF-8 before it is used in the query expression. Else, if the posting page IS UTF-8 encoded, then the $_POST data does not need to be converted before being used in the expression. Is this correct?

Also, if the $_POST data comes from a UTF-8 encoded page, and it needs to be sanitized before use, will the basic PHP string functions work on the data (e.g. htmlentities, stripslashes, trim, preg_replace, etc)? If not what do I have to do?
Re: [PHP] Issue with encrypted string created with Crypt_CBC and urls and mod_rewrite
It also seems that any forward slash, if it gets encoded, is something mod_rewrite doesn't like, therefore I have to split up the URLs using parse_url, but it seems it still doesn't like the query part and some special characters like ampersands and equals?

On 23/02/2006, at 12:30 PM, Dan Rossi wrote:

> Hi there, I'm having an issue decoding an encoded string created with a PEAR package, Crypt_CBC, with which I am encoding a URI into the string and sending it to a rewrite URL. The query string is not returning the encoded part of the URL properly for some reason and is not decoding properly. I have already sent this to the PEAR list, but maybe someone here has experienced issues with encoded strings and mod_rewrite not relocating with a URL-encoded string?
>
> The encoded string without mod_rewrite rules is
>
> RandomIVQ%83%80%E6%0F%E7%E4%7CdY%E7%BA%9B%14%5B%60%98%A1%1D%04%94L_%16%
> E4%19%EF%F1%FE%5C%D6%CE%09%C8DI%A7%1F%04%25%A8%7B%FA%19%B51%1D%7C%0D%04
> %13%E3%21%F1%60f%C6%91%A8b%82%11YK%21l+%C5%D0W%D9%9A%2B%CD3%C3%FA%82LE%
> D8%1EA%07%25%F5%BB%22%EA%B7%B8%82%F0WZ%40
>
> With rewritten URLs it is (from viewing source):
>
> RandomIVQƒ€æçä|dY纛[`˜¡”L_äïñþ\ÖÎÈDI§%¨{úµ1| ã!ñ`fÆ‘¨b‚YK!l+ÅÐWÙš+Í3Ãú‚LEØA%õ»ê·¸‚ðWZ@
>
> The rewrite rule is
>
>     RewriteEngine on
>     RewriteBase /
>     RewriteRule ^feeds/(.*) refer.php?$1 [L]
>
> Any ideas why it's not urlencoding the urlencoded string in the rewrite URL? I may have to use the request_uri instead of sending it as a query string if this is a flaw in mod_rewrite. I think, however, if I use the request_uri things could break a little. Let me know.
>
> Dan
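The problem described in the two messages above (binary cipher output carried in a URL path, unescaped by the server before the rewrite rule matches, then decoded again by the script) can be avoided by carrying the bytes in the URL-safe base64 alphabet, which contains no '%', '+', '/', '&' or '='. The following is an added example, not code from the thread or from Crypt_CBC; the function names, the sample bytes and the separate MAC key are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread or from Crypt_CBC.
// $ciphertext is a constructed stand-in for binary cipher output.

/** Encode binary data with the URL-safe base64 alphabet (RFC 4648, section 5). */
function token_encode(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

/** Decode a URL-safe base64 token; null if it is not well formed. */
function token_decode(string $token): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $token) || strlen($token) % 4 === 1) {
        return null;
    }
    $b64 = strtr($token, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $bin = base64_decode($b64, true);
    return $bin === false ? null : $bin;
}

/** Prefix an HMAC-SHA256 tag so altered bytes are rejected before decryption. */
function token_seal(string $ciphertext, string $macKey): string
{
    return token_encode(hash_hmac('sha256', $ciphertext, $macKey, true) . $ciphertext);
}

/** Return the ciphertext if the tag verifies, otherwise null. */
function token_open(string $token, string $macKey): ?string
{
    $raw = token_decode($token);
    if ($raw === null || strlen($raw) <= 32) {
        return null;
    }
    $tag        = substr($raw, 0, 32);
    $ciphertext = substr($raw, 32);
    $expected   = hash_hmac('sha256', $ciphertext, $macKey, true);
    return hash_equals($expected, $tag) ? $ciphertext : null;
}

/**
 * Model of the failure in the thread: the server unescapes the path before
 * the rule matches, the backreference is copied into the query string
 * unescaped, and the script then URL-decodes it a second time.
 */
function after_rewrite_and_decode(string $pathSegment): string
{
    $backreference = rawurldecode($pathSegment);
    return urldecode($backreference);
}

// Constructed sample bytes containing '+', '%', '/', '&' and '='.
$ciphertext = "RandomIV" . "Q\x83\x80\xE6\x0F+\xC5%A8/&=\x40";
$macKey     = 'constructed-demo-key';   // assumption: a key kept separate from the cipher key

$percentForm = rawurlencode($ciphertext);
$tokenForm   = token_seal($ciphertext, $macKey);

// Change the first character of the token to model bytes altered in transit.
$altered = substr_replace($tokenForm, $tokenForm[0] === 'A' ? 'B' : 'A', 0, 1);

$results = [
    'percent-encoded bytes survive' => after_rewrite_and_decode($percentForm) === $ciphertext,
    'base64url token survives'      => after_rewrite_and_decode($tokenForm) === $tokenForm,
    'token opens to ciphertext'     => token_open($tokenForm, $macKey) === $ciphertext,
    'altered token is rejected'     => token_open($altered, $macKey) === null,
];
foreach ($results as $label => $ok) {
    echo str_pad($label, 32), $ok ? 'yes' : 'no', PHP_EOL;
}
```

Because the token contains no '/', it also sidesteps Apache's default refusal of encoded slashes (%2F) in the path, which is controlled by the AllowEncodedSlashes directive.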
Re: [PHP] Lions and tigers and slashes, oh my!
Jay Blanchard wrote:

[snip] hope the kick didn't break anything. :-) [/snip]

Nah, just having a senior moment. Since it is a query string issue I converted the database (even though it is strictly a web database in this case) to 'Oil Gas'. The query string sees the ampersand and doesn't show so the DB is 'correct'. Now it's just a case of urlencoding the value before sticking it in the URL

- that will protect the server from breaking off the query condition/parameter at the point of the '&' in 'Oil & Gas' and

just in case you're forced to do the urlencoding of the value on the client side, here is one I stole earlier:

//
// URLEncode and URLDecode functions
//
// Copyright Albion Research Ltd. 2002
// http://www.albionresearch.com/
//
// The Javascript escape and unescape functions do not correspond
// with what browsers actually do...
//
// You may copy these functions providing that
// (a) you leave this copyright notice intact, and
// (b) if you use these functions on a publicly accessible
//     web site you include a credit somewhere on the web site
//     with a link back to http://www.albionresarch.com/
//
// If you find or fix any bugs, please let us know at albionresearch.com
//
// Special Thanks to Neelesh Thakur for being the first to
// report a bug in URLDecode() - now fixed 2003-02-19.
//
function URLEncode(plaintext)
{
    if (!plaintext || !plaintext.length) { return plaintext; }

    var SAFECHARS = "0123456789" +                  // Numeric
                    "ABCDEFGHIJKLMNOPQRSTUVWXYZ" +  // Alphabetic
                    "abcdefghijklmnopqrstuvwxyz" +
                    "-_.!~*'()";                    // RFC2396 Mark characters
    var HEX = "0123456789ABCDEF";

    var encoded = "";
    for (var i = 0; i < plaintext.length; i++ ) {
        var ch = plaintext.charAt(i);
        if (ch == " ") {
            encoded += "+";             // x-www-urlencoded, rather than %20
        } else if (SAFECHARS.indexOf(ch) != -1) {
            encoded += ch;
        } else {
            var charCode = ch.charCodeAt(0);
            if (charCode > 255) {
                /* alert( "Unicode Character '" + ch + "' cannot be encoded using standard URL encoding.\n" +
                          "(URL encoding only supports 8-bit characters.)\n" +
                          "A space (+) will be substituted." ); */
                encoded += "+";
            } else {
                encoded += "%";
                encoded += HEX.charAt((charCode >> 4) & 0xF);
                encoded += HEX.charAt(charCode & 0xF);
            }
        }
    } // for

    return encoded;
};

function URLDecode(encoded)
{
    if (!encoded || !encoded.length) { return encoded; }

    // Replace + with ' '
    // Replace %xx with equivalent character
    // Put [ERROR] in output if %xx is invalid.
    var HEXCHARS = "0123456789ABCDEFabcdef";
    var plaintext = "";
    var i = 0;
    while (i < encoded.length) {
        var ch = encoded.charAt(i);
        if (ch == "+") {
            plaintext += " ";
            i++;
        } else if (ch == "%") {
            if (i < (encoded.length-2)
                    && HEXCHARS.indexOf(encoded.charAt(i+1)) != -1
                    && HEXCHARS.indexOf(encoded.charAt(i+2)) != -1 ) {
                plaintext += unescape(encoded.substr(i,3));
                i += 3;
            } else {
                /* alert( 'Bad escape combination near ...' + encoded.substr(i) ); */
                plaintext += "%[ERROR]";
                i++;
            }
        } else {
            plaintext += ch;
            i++;
        }
    } // while

    return plaintext;
};

anything past that in the condition.
RE: [PHP] Re: &amp; in Query String
At 00:00 27.11.2002, Jonathan Rosenberg \(Tabby's Place\) said:

[snip]
Ok ... I take back what I said about &amp; not working in a query string. It works just fine.
[snip]

Ahhh - and I just created a test page for all to check out... nevertheless, here it is: http://www.vogelsinger.at/test.php

Simply provides a link using query parameters encoded with &amp;, to check with different browsers. Maybe someone will check this out with his browser anyway.

--
 O     Ernest E. Vogelsinger
(\)    ICQ #13394035
 ^     http://www.vogelsinger.at/
Re: [PHP] URL
Bruno Santos wrote:

> I'm developing a couple of pages and I need to do some redirecting to another page depending on the choice of a user. The problem is, to go to another page, I need to send some parameters in the URL that are already present, but I need to make the redirecting independent of the page.
>
> If I use $_SERVER['PHP_SELF'], I have only http://some_domain/the_page and what I want is http://some_domain/the_page?some_parameters=value&another_parameter=value
>
> The ?some_parameters=value are already present and I need to redirect them again... I know that there are some functions to manage this, or not... any solution ??

How about $_SERVER['QUERY_STRING']? That _should_ contain the current query string with the values still encoded, but I'm not sure on that. If they aren't still encoded, then just rebuild the query string by looping through $_GET.

$url = $_SERVER['PHP_SELF'] . '?';
foreach($_GET as $key => $value)
{
    $url .= '&' . $key . '=' . urlencode($value);
}

If you have arrays within $_GET, then you'll need a recursive function, but hopefully one of the above will work for your needs.

--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
php|architect: The Magazine for PHP Professionals www.phparch.com
Re: [PHP] A problem about urlencode
Teng Wang wrote:

> I have a url containing some multi-byte characters. So I need urlencode() to change these characters into the %xx form. However, when I encode the whole url string, / is also encoded as %2F. How to solve this problem? I don't want to analyze the url string before/after urlencode().

According to my understanding this is the correct behaviour for url encode. The fact that your string is multibyte or not has little relevance in converting '/' to %2f. You are only supposed to use the urlencode() function on the query string or to be more precise on each value that you pass via the query string and NOT on the whole URL.

--
Raditha Dissanayake.
http://www.radinks.com/sftp/         | http://www.raditha.com/megaupload
Lean and mean Secure FTP applet with | Mega Upload - PHP file uploader
Graphical User Interface. Just 128 KB | with progress bar.
[PHP] Problems passing variables from Javascript to PHP
Hello =)

I'm embedding an SQL query constructed in Javascript to a URL and opening it in PHP where I try to execute it. Problem is, the string arrives garbled, with all the apostrophes escaped. This must be Javascript's type of safe url encoding, but how would I go about decoding it in PHP?

I thought about urldecode or rawurldecode, but Javascript doesn't seem to use RFC 1738 encoding (because of the escaped apostrophes). Then I thought about writing a Javascript function to encode the query string into RFC 1738 %-format, but then I couldn't use unicode characters in my query, right?

What to do? I need to find a way so that the string can be encoded in Javascript and decoded in PHP and not get garbled.

Thanks in advance,
Daniel

--
There are 10 kinds of people: Those who know binary and those who don't.
[PHP] Re: PHP 5 DOM, XPath, UTF-8, and Form Input
C Drozdowski wrote:

> I have been doing some testing and need confirmation that the following is correct.
>
> You have a DOMDocument that potentially contains UTF-8 encoded data (it might not however). You want to search it via DOMXpath->query() using a value that comes from a $_POST value.
>
> If the page that posts the data via a form to the search script IS NOT encoded in UTF-8, then the value must be converted to UTF-8 before it is used in the query expression. Else, if the posting page IS UTF-8 encoded, then the $_POST data does not need to be converted before being used in the expression. Is this correct?

AFAIK... yes, this is correct.

> Also, if the $_POST data comes from a UTF-8 encoded page, and it needs to be sanitized before use, will the basic PHP string functions work on the data (e.g. htmlentities, stripslashes, trim, preg_replace, etc)? If not what do I have to do?

I believe that PHP uses ISO-8859-1 as the default encoding, but there are ways around it. htmlentities() will let you specify UTF-8 encoding. Remember that your DOMDocument may / may not be whitespace-sensitive, so be careful about how / if you trim(). I don't know how well stripslashes, preg_replace, etc. work with UTF-8. Hopefully someone else will be able to help out with those...

--
Teach a man to fish...
NEW? | http://www.catb.org/~esr/faqs/smart-questions.html
STFA | http://marc.theaimsgroup.com/?l=php-generalw=2
STFM | http://php.net/manual/en/index.php
STFW | http://www.google.com/search?q=php
LAZY | http://mycroft.mozdev.org/download.html?name=PHPsubmitform=Find+search+plugins
Re: Re: [PHP] passing variables in javascript
From: "Nicholas W. Miller" [EMAIL PROTECTED]

H ... is there anyway to do this without requiring the page with the link to use PHP?

Well if the string you're going to urlencode() is always going to be the same, then just run it through once, grab the encoded version and hard-code it :)

You have to encode each part of the query string on the URL correctly:

<a href="#" onClick="MM_openBrWindow('../email/popup.php?<?php echo "title=" . urlencode("B2B Antitrust: Opening Moves in the Game") . "&url=" . urlencode("http://www.domain.com/biz/pubs.html#antitrust"); ?>', 'email','width=410,height=435')">Email this</a>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] Decoding a URL without decoding values
I've got a querystring that looks like this:

?url=http%3A%2F%2Ftest.alpharetta.ga.us%2Findex.php%3Fm%3Dlinks%26category%3DRecreation%2B%2526%2BParks%26go.x%3D22%26go.y%3D7

As you can gather, I'm trying to pass a URL to another script for some processing. Before I urlencode() the URL and pass it to the query string, it looks like this:

http://test.alpharetta.ga.us/index.php?m=links&category=Recreation+%26+Parks&go.x=22&go.y=7

As you can see, there are already encoded entities in the URL, which are further encoded when passed through urlencode(). The problem I'm having is that when I urldecode() the string from $_GET[url], I get the following string:

http://test.alpharetta.ga.us/index.php?m=links&category=Recreation & Parks&go.x=22&go.y=7

It's similar, but the category variable is now Recreation & Parks when it needs to be Recreation+%26+Parks. When I try to use file_get_contents() on this string, I get nothing because of the ampersand and spaces in the URL.

Is there a way to urldecode() $_GET[url] and still retain its original encoded entities so that I can use it again as a valid URL?

--
Regards,
Ben Ramsey
http://benramsey.com
http://www.phpcommunity.org/wiki/People/BenRamsey
RE: [PHP] Question: urldecode
--- Ford, Mike [EMAIL PROTECTED] wrote:

> Are you seeing the URL-encoded version *only* in your browser's Address/Location bar? If so, that's perfectly normal and nothing to worry about -- it should be automatically decoded by the Web server before being passed to PHP.
>
> If you're seeing the encoded version actually in your PHP script, that sounds like a major problem, possibly indicating a missing urldecode() or extraneous urlencode() -- in which case, please post a more detailed analysis of your problem, examples of the unwanted behaviour, and the relevant portions of script.

I have no idea about what it means to see the encoded version in my script. I have only one urldecode in the script:

<a href="SearchJobDetails.php?JobID=<?php echo urldecode($row_rsVJ['JobID']); ?>">

No urlencodes anywhere. I'll assume it's decoded properly before going to PHP because the script runs fine. I just know that I've seen the hex's normally converted in the browser bar.

Further, I was assuming I should add the urldecode to the query string. As I had posted originally. From the example in the manual it appears I might need to pass the params through a urldecode counter loop.

Lastly, I wasn't concerned about the hex code, but I just made some reconnections of scripts. Users can save their search parameters. I am saving the query string. Now I had this set up before and the way it was working, is when the user wanted to view or edit their saved searches, the search page would come back with all the parameters filled in including shaded parameters in things like mult select lists and menu dropdowns. It's not working that way now, so my first suspicion is perhaps the hex is affecting it.

I can post more of the script if that makes sense.

Stuart
RE: [PHP] Re: &amp; in Query String
Looks fine in Opera 6.03

hth

http://www.vogelsinger.at/test.php?par1=value1&par2=value2&par3=value3

Opera Version 6.03
Build 1107
Platform Win32
System Windows 98
Java Sun Java Runtime Environment 1.4

Testing the query string

This is the full query string ($_SERVER['QUERY_STRING']):
par1=value1&par2=value2&par3=value3

This is a printout of $_GET:
Array ( [par1] => value1 [par2] => value2 [par3] => value3 )

I will use this string for the link below:
/test.php?par1=value1&amp;par2=value2&amp;par3=value3

On Wed, 27 Nov 2002 00:09:35 +0100, [EMAIL PROTECTED] (Ernest E Vogelsinger) wrote:

> At 00:00 27.11.2002, Jonathan Rosenberg \(Tabby's Place\) said:
>
> [snip]
> Ok ... I take back what I said about &amp; not working in a query string. It works just fine.
> [snip]
>
> Ahhh - and I just created a test page for all to check out... nevertheless, here it is: http://www.vogelsinger.at/test.php
>
> Simply provides a link using query parameters encoded with &amp;, to check with different browsers. Maybe someone will check this out with his browser anyway.
>
> --
>  O     Ernest E. Vogelsinger
> (\)    ICQ #13394035
>  ^     http://www.vogelsinger.at/
Re: [PHP] URL encode
Bruno Santos wrote:

> Hello. I'm having some trouble when getting a query from a $_GET method. The problem is, when using $_GET, I get some characters decoded as html entities. If I submit the word %sara% (example), it is OK, but if I submit the word %carlos%, I get Êrlos, which is the translation of html entity %ca

So a user is entering '%carlos%'? Firstly it _looks_ like you are adding the '%' signs in order to have this affect the way a search query is performed - if this is the case maybe you should consider wrapping the search term on the server side _after_ you have received the string?

Also if you run the following:

echo urlencode('%carlos%');

you will see that in order to pass the '%' sign in a url it will need to be encoded as '%25'; if you create the string '%carlos%' on the server then you can perform urlencode() on it before outputting the url and it should come back as you expect... if on the other hand this is user entered info then you may need to use javascript to encode the string before the form's values are submitted.

> How can I resolve it ?? I've tried with htmlentities, urlencode, urldecode, etc...

You don't need to run any function over the incoming value - the webserver will urldecode whatever GET string is incoming... if the string is not properly encoded in the first place (i.e. before it is used as a request to the webserver) then there is no proper way of retrieving the original value AFAICS

> help ?
> cheers
> Bruno Santos
Re: [PHP] Question: urldecode
Stuart Felenstein wrote:

> In my search page, the url returned comes back with the ..err I forget what it's called, but query string looks like this: %5B%5D=3. I think the %5B and 5D should be []. What I think is needed is rawurldecode. I've looked through my code and think it belongs somewhere in this block:

Don't guess.

Figure out *EXACTLY* where and when the URL is being encoded to Hex -- where it first appears in your scripts/database/application as %5B. Decide if it's right for it to be in Hex at that point. If it's not right for it to be Hex at that point, change it there.

You'll drive yourself crazy changing it here, where it's already in the system in a format you don't want.

My *GUESS* is that you're taking the QUERY string and stuffing it into your database. Since you grab the raw query string, it's in Hex-encoded format. Maybe that's a Good Thing to store in your database. Maybe it's not. All depends what you're going to do with it in the *REST* of the application.

But I cannot stress enough that you've got to understand where and how this data is coming from, in what format, and *DESIGN* your application to have the data you want in the place you want.

Going about it like you are now, just sort of guessing at what's there and trying to slap in a patch to change it, is going to drive you crazy in the long run.

Your solution isn't necessarily wrong: Your approach to making the decision is :-)

--
Like Music? http://l-i-e.com/artists.htm
RE: [PHP] 2 Qs: Passing current URL with session and how to avoid session timeout???
--- Cal Evans [EMAIL PROTECTED] wrote:

> I usually just pass this kind of info around on the URL. http://mypage.com/mypage.php?prevURL=http://mypage.com/lastpage.php if I have to pass a full query string then I urlencode() it first and urldecode() it on the other side.

Just as a bit of advice, you should always URL encode any data you want to append to the URL like that. Also, decoding it is superfluous, because the Web server will do that for you (since URL data is supposed to be URL encoded).

Chris
Re: [PHP] '&' Sign in _GET Parameter
From: Pushpinder Singh Garcha [EMAIL PROTECTED]

> I am using an application where I retrieve user profile from a MySQL DB using the Company Name. I pass the name of the company to the PHP script as a '$_GET' parameter. e.g. when the name of the company is 'IBM', the URL with the query string would look like: http://masterstream.com/CRM/full_profile_1.php?name=IBM
>
> Now one of the records had a name: PSG & Inc., in this case the URL with the query string would look like http://masterstream.com/CRM/full_profile_1.php?name=PSG%20&%20Inc.
>
> However in the case of the latter I am not able to pull out any records from the MySQL database. It says that no records with the name were found. I went ahead and tweaked the name of the company, to remove the & sign in 'PSG & Inc.' Now the query works fine. Can some one throw some light here. I am sure something minor is to be done when passing the name of the company in the parent script.

The & character separates variables in the query string, so it must be encoded if it appears in the data. Take a look at http://us2.php.net/urlencode

---John Holmes...
Re: [PHP] '&' Sign in _GET Parameter
Thanks for the link,

$link = $row['company'];
a href=\full_profile_1.php?name=', urlencode($link),' \

However this does not seem to work / what am I missing ?

Thanks
-Pushpinder

On Friday, August 22, 2003, at 03:23 PM, CPT John W. Holmes wrote:

> From: Pushpinder Singh Garcha [EMAIL PROTECTED]
>
> > I am using an application where I retrieve user profile from a MySQL DB using the Company Name. I pass the name of the company to the PHP script as a '$_GET' parameter. e.g. when the name of the company is 'IBM', the URL with the query string would look like: http://masterstream.com/CRM/full_profile_1.php?name=IBM
> >
> > Now one of the records had a name: PSG & Inc., in this case the URL with the query string would look like http://masterstream.com/CRM/full_profile_1.php?name=PSG%20&%20Inc.
> >
> > However in the case of the latter I am not able to pull out any records from the MySQL database. It says that no records with the name were found. I went ahead and tweaked the name of the company, to remove the & sign in 'PSG & Inc.' Now the query works fine. Can some one throw some light here. I am sure something minor is to be done when passing the name of the company in the parent script.
>
> The & character separates variables in the query string, so it must be encoded if it appears in the data. Take a look at http://us2.php.net/urlencode
>
> ---John Holmes...
Re: [PHP] '&' Sign in _GET Parameter
Try this :

$link = $row['company'];
echo ("<a href='full_profile_1.php?name=".urlencode($link)."'>");

--
www.cpm-fr.com

> Thanks for the link,
>
> $link = $row['company'];
> a href=\full_profile_1.php?name=', urlencode($link),' \
>
> However this does not seem to work / what am I missing ?
>
> Thanks
> -Pushpinder
>
> On Friday, August 22, 2003, at 03:23 PM, CPT John W. Holmes wrote:
>
> > From: Pushpinder Singh Garcha [EMAIL PROTECTED]
> >
> > > I am using an application where I retrieve user profile from a MySQL DB using the Company Name. I pass the name of the company to the PHP script as a '$_GET' parameter. e.g. when the name of the company is 'IBM', the URL with the query string would look like: http://masterstream.com/CRM/full_profile_1.php?name=IBM
> > >
> > > Now one of the records had a name: PSG & Inc., in this case the URL with the query string would look like http://masterstream.com/CRM/full_profile_1.php?name=PSG%20&%20Inc.
> > >
> > > However in the case of the latter I am not able to pull out any records from the MySQL database. It says that no records with the name were found. I went ahead and tweaked the name of the company, to remove the & sign in 'PSG & Inc.' Now the query works fine. Can some one throw some light here. I am sure something minor is to be done when passing the name of the company in the parent script.
> >
> > The & character separates variables in the query string, so it must be encoded if it appears in the data. Take a look at http://us2.php.net/urlencode
> >
> > ---John Holmes...
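The link-building problem in this thread, and the query-string rebuild discussed earlier under "Re: [PHP] URL", both involve two separate encodings: URL encoding for each parameter value, then HTML escaping for the attribute the finished URL is written into. The following is an added example, not code from any of the posts; `build_link()` is a hypothetical helper and the parameter values are constructed.

```php
<?php
// Added example, not code from the thread. build_link() is a hypothetical
// helper; the company name and filter values are constructed sample data.

/**
 * Build an <a> element whose query string is URL-encoded per value and
 * whose href and label are then escaped for the HTML context.
 */
function build_link(string $path, array $params, string $label): string
{
    // http_build_query() encodes every key and value and handles nested arrays,
    // which replaces a hand-written recursive loop over $_GET.
    $query = http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    $url   = $path . ($query === '' ? '' : '?' . $query);

    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a>';
}

/** Decode a query string the way PHP does when it fills $_GET. */
function decode_query(string $query): array
{
    parse_str($query, $params);
    return $params;
}

$params = [
    'name'    => 'PSG & Inc.',                 // value containing the separator
    'filters' => ['state' => 'open', 'tags' => ['a=b', 'c&d']],
];

// Unencoded concatenation: the '&' in the value ends the parameter early.
$naiveQuery = 'name=' . $params['name'];
$naive      = decode_query($naiveQuery);

// Encoded: the value survives the round trip, including the nested array.
$safeQuery = http_build_query($params, '', '&', PHP_QUERY_RFC3986);
$safe      = decode_query($safeQuery);

echo 'naive query : ', $naiveQuery, PHP_EOL;
echo 'naive name  : ', var_export($naive['name'], true), PHP_EOL;
echo 'safe query  : ', $safeQuery, PHP_EOL;
echo 'safe name   : ', var_export($safe['name'], true), PHP_EOL;
echo 'round trip  : ', var_export($safe == $params, true), PHP_EOL;
echo 'link        : ', build_link('full_profile_1.php', $params, $params['name']), PHP_EOL;
```

In the printed link the separators appear as `&amp;` inside the href; the browser turns them back into `&` before sending the request, so the server still receives the URL-encoded query string.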
Re: [PHP] URL
Hi

You can use $_SERVER['REQUEST_URI'];

Thanks
Zareef Ahmed

--- John W. Holmes [EMAIL PROTECTED] wrote:

> Bruno Santos wrote:
>
> > I'm developing a couple of pages and I need to do some redirecting to another page depending on the choice of a user. The problem is, to go to another page, I need to send some parameters in the URL that are already present, but I need to make the redirecting independent of the page.
> >
> > If I use $_SERVER['PHP_SELF'], I have only http://some_domain/the_page and what I want is http://some_domain/the_page?some_parameters=value&another_parameter=value
> >
> > The ?some_parameters=value are already present and I need to redirect them again... I know that there are some functions to manage this, or not... any solution ??
>
> How about $_SERVER['QUERY_STRING']? That _should_ contain the current query string with the values still encoded, but I'm not sure on that. If they aren't still encoded, then just rebuild the query string by looping through $_GET.
>
> $url = $_SERVER['PHP_SELF'] . '?';
> foreach($_GET as $key => $value)
> {
>     $url .= '&' . $key . '=' . urlencode($value);
> }
>
> If you have arrays within $_GET, then you'll need a recursive function, but hopefully one of the above will work for your needs.
>
> --
> ---John Holmes...
> Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
> php|architect: The Magazine for PHP Professionals www.phparch.com

Zareef Ahmed :: A PHP Developer in Delhi(India).
Homepage :: http://www.zasaifi.com
[PHP] Odd URL problem
Hello all:

I'm seeing an odd problem after I moved a large PHP application from one server to another. Part of the system sends an email to users, containing a clickable http:// link. The link includes a parameter called goto, which bundles up a set of name-value pairs, which indicate the user's final destination. If the user isn't logged in yet, the application holds onto the goto parameter, and once the login is complete, forwards the user on to the specified location.

When we send the url, it is encoded, and looks like this:

http://foo.bar.org/goto.php?goto=area%3Dpersonnel%26sub%3Dpersonnel%26person
nel%3D1002566%26option%3Dedit

Once I moved the application, from a PowerMac G4 running LinuxPPC, Apache 1.3.20 and PHP 4.0.5, to a Dell PowerEdge running RedHat 7.3, Apache 1.3.26 and PHP 4.0.6, these URLs seem to not get translated any more. On our development server, Dell server running RedHat 7.1, Apache 1.3.23, PHP 4.1.1, they seem to work fine.

When it works, I click an encoded link in my mailer, and my browser tries to access the URL with a correct, decoded query string. When it fails, I get a message from the browser (IE 5+ only for this app) that says

Attempt to access http://foo.bar.org/goto.php?goto=area%3Dpersonnel%26sub%3Dpersonnel%26person
nel%3D1002566%26option%3Dedit failed.

So it seems that the browser in the failing case is trying to deal with the URL in its encoded form.

Anyone have any ideas about what I'm missing?

-- Steve

Steve Lane
Vice President
The Moyer Group
833 West Chicago Ave Suite 203
Voice: (312) 433-2421
Email: [EMAIL PROTECTED]
Fax: (312) 850-3930
Web: http://www.moyergroup.com
RE: [PHP] Decoding a URL without decoding values
On 21 March 2004 16:03, Ben Ramsey wrote:

> I've got a querystring that looks like this:
>
> ?url=http%3A%2F%2Ftest.alpharetta.ga.us%2Findex.php%3Fm%3Dlink
> s%26category%3DRecreation%2B%2526%2BParks%26go.x%3D22%26go.y%3D7
>
> As you can gather, I'm trying to pass a URL to another script for some processing. Before I urlencode() the URL and pass it to the query string, it looks like this:
>
> http://test.alpharetta.ga.us/index.php?m=links&category=Recrea
> tion+%26+Parks&go.x=22&go.y=7
>
> As you can see, there are already encoded entities in the URL, which are further encoded when passed through urlencode(). The problem I'm having is that when I urldecode() the string from $_GET[url], I get the following string:

Don't. GET values are automatically urldecoded once by the Web server before they ever reach your script.

Cheers!

Mike

-
Mike Ford, Electronic Information Services Adviser,
Learning Support Services, Learning Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS, LS6 3QS, United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730
Fax: +44 113 283 3211
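Mike Ford's point, worked through with the query string from the question, as an added example that is not part of either post: the value is decoded once before the script sees it, and a second urldecode() is what turns `Recreation+%26+Parks` into a broken parameter. `parse_str()` stands in for the decode that fills `$_GET`; the helper names and the host allow-list applied before the URL would be fetched are assumptions for illustration.

```php
<?php
// Added example. $rawQuery is the query string quoted in the thread;
// parse_str() stands in for the single decode PHP performs to fill $_GET.
// Function names and the host allow-list are assumptions for illustration.

$rawQuery = 'url=http%3A%2F%2Ftest.alpharetta.ga.us%2Findex.php%3Fm%3Dlinks'
          . '%26category%3DRecreation%2B%2526%2BParks%26go.x%3D22%26go.y%3D7';

/** Decode a raw query string once, as happens before the script runs. */
function decode_once(string $rawQuery): array
{
    parse_str($rawQuery, $params);
    return $params;
}

/** Parse the query part of a URL into its parameters. */
function inner_params(string $url): array
{
    $pos = strpos($url, '?');
    parse_str($pos === false ? '' : substr($url, $pos + 1), $params);
    return $params;
}

/**
 * Return the forwarded URL only if it is http(s) and names an expected host,
 * so a script that fetches it cannot be pointed at arbitrary targets.
 */
function checked_url(array $get, array $allowedHosts): ?string
{
    $url = $get['url'] ?? null;
    if (!is_string($url)) {
        return null;
    }
    $scheme = parse_url($url, PHP_URL_SCHEME);
    $host   = parse_url($url, PHP_URL_HOST);
    if (!is_string($scheme) || !is_string($host)) {
        return null;
    }
    if (!in_array(strtolower($scheme), ['http', 'https'], true)) {
        return null;
    }
    return in_array(strtolower($host), $allowedHosts, true) ? $url : null;
}

$get   = decode_once($rawQuery);
$once  = $get['url'];          // already a valid URL, inner escapes intact
$twice = urldecode($once);     // the extra call described in the question

echo 'decoded once  : ', $once, PHP_EOL;
echo 'decoded twice : ', $twice, PHP_EOL;
echo 'category (once)  : ', var_export(inner_params($once)['category'] ?? null, true), PHP_EOL;
echo 'category (twice) : ', var_export(inner_params($twice)['category'] ?? null, true), PHP_EOL;

// Only the once-decoded value is passed on, and only after the host check.
$target = checked_url($get, ['test.alpharetta.ga.us']);
echo 'safe to fetch : ', var_export($target !== null, true), PHP_EOL;
echo 'other host    : ', var_export(checked_url(['url' => 'http://example.invalid/'], ['test.alpharetta.ga.us']), true), PHP_EOL;
```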
RE: [PHP] Question: urldecode
-Original Message-
From: Stuart Felenstein [mailto:[EMAIL PROTECTED]
Sent: 09 December 2004 13:38

> --- Ford, Mike [EMAIL PROTECTED] wrote:
>
> > Are you seeing the URL-encoded version *only* in your browser's Address/Location bar? If so, that's perfectly normal and nothing to worry about -- it should be automatically decoded by the Web server before being passed to PHP.
> >
> > If you're seeing the encoded version actually in your PHP script, that sounds like a major problem, possibly indicating a missing urldecode() or extraneous urlencode() -- in which case, please post a more detailed analysis of your problem, examples of the unwanted behaviour, and the relevant portions of script.
>
> I have no idea about what it means to see the encoded version in my script. I have only one urldecode in the script:
>
> <a href="SearchJobDetails.php?JobID=<?php echo urldecode($row_rsVJ['JobID']); ?>">

I actually doubt whether you even need this urldecode() -- but it depends where that value is coming from.

> Further, I was assuming I should add the urldecode to the query string.

I don't quite understand this -- if you mean the query string supplied to your script and manifesting in your $_GET array, then no, very unlikely, since this should have been taken care of by the Web server before it gets anywhere near PHP. If you're referring to echoing out URLs with query strings on them, then that is one of the few instances where urlENcode() might be necessary, but definitely not urlDEcode().

> Lastly, I wasn't concerned about the hex code, but I just made some reconnections of scripts. Users can save their search parameters. I am saving the query string. Now I had this set up before and the way it was working, is when the user wanted to view or edit their saved searches, the search page would come back with all the parameters filled in including shaded parameters in things like mult select lists and menu dropdowns. It's not working that way now, so my first suspicion is perhaps the hex is affecting it.

All I can say to this is to re-iterate the point that your Web server should be decoding those %xx values before your script ever gets to see them. You *may* have to urlencode() values you write out that might one day form part of a clickable link -- but, because of the previous sentence, you should not yourself need to do the compensating urldecode() in the target script.

Once again, this sounds like a situation where you need to be echoing out everything and anything of even the slightest relevance at the crucial spots of your script -- in the debugging phase, my scripts often have a bunch of debugging echoes every few lines, and some sections even end up with more temporary echoes than actual script! It's tedious wading your way through the screenfuls of output, but can be exceedingly illuminating of an elusive problem.

Cheers!

Mike

-
Mike Ford, Electronic Information Services Adviser,
Learning Support Services, Learning Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Headingley Campus, LEEDS, LS6 3QS, United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730
Fax: +44 113 283 3211
Re: [PHP] how do I spoof a get request
Hey Dan:

On Tue, Aug 12, 2003 at 08:13:32PM -0400, Dan Anderson wrote:

I have noticed that sometimes I cannot fopen($web_address,'r') or use any similar files if the web address contains a form get in it. (i.e. ends in a ?var1=xxx&var2=xxx...).

It should work. You said sometimes. What are the times it doesn't work? Are you always passing the same exact query string? If so, then their server is flaky. Or, if you are sending different info in the query string at different times, then you are likely not passing the info correctly. When constructing the query string, the values need to be URL encoded first. See http://php.net/urlencode for more info on this.

Also, is there any easy way to spoof posting a form?

Yes.
http://www.php-faq.com/postToHost.html
http://dodds.net/~cardinal/sendtohost.txt

--Dan

-- FREE scripts that make web and database programming easier http://www.analysisandsolutions.com/software/ T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y 4015 7th Ave #4AJ, Brooklyn NY v: 718-854-0335 f: 718-854-0409
[PHP] Very Large MySQL Query String
I can't seem to figure out the following. I use the http upload functions a lot, works great!!..

For some months now I have been using a small PHP program which I use to upload PDF files of scanned documents and insert them into a Mysql table.. Normally these files are small (250 kb), but I now have a PDF of 1 MB...

When uploading files I run the function: chunk_split(base64_encode($binaryfile)); to encode it, this to transform the binary file to text.. (Works great!!!)

When the query was called to insert the data, nothing happens, also no error from mysql... Only thing I can think of is that the mysql query string is too long.. ?? (The data when encoded is about 1.3 MB of text)..

This is the source code..

if (!($userfile_size == 0)) {
$fd = fopen ($userfile, r);
$contents = fread ($fd, filesize ($userfile));
fclose ($fd);
unlink ($userfile);
echo Eerste RAW: .strlen($contents);
$encodes_data = chunk_split(base64_encode($contents));
$userfile_name = str_replace( , , $userfile_name);
echo strlen($encodes_data). - Displays text size BR; //Works right!
mysql ($databasename_boekhoud, insert mubo_boekhoud_images (data, originalname, groep, type) values '$encodes_data', '$userfile_name', '$groep', '$userfile_type')); // mysql_error(); //No error given..?
}

Any suggestions are very much appreciated...

With kind regards, David Bouw
[PHP] Re: Very Large MySQL Query String
Instead of uploading to Mysql, why don't you store the file at a directory and on Mysql only the path to it? Retrieving files from the hard drive is much faster than doing the same on Mysql, and also access to manipulation (insert, update, delete, etc...) -- Julio Nobrega. Um dia eu chego lá: http://sourceforge.net/projects/toca Ajudei? Salvei? Que tal um presentinho? http://www.submarino.com.br/wishlistclient.asp?wlid=664176742884 David Bouw [EMAIL PROTECTED] wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... I can't seem to figure out the following. I use the http upload functions a lot, works great!!.. For some months now I have been using a small PHP program which I use to upload PDF files of scanned documents and insert them into a Mysql table.. Normally these files are small (250 kb), but I now have a PDF of 1 MB... When uploading files I run the function: chunk_split(base64_encode($binaryfile)); to encode it, this to transform the binary file to text.. (Works great!!!) When the query was called to insert the data, nothing happens, also no error from mysql... Only think I can think of is that the mysql query string is to long.. ?? (The data when encoded is about 1.3 MB of text).. This is the source code.. if (!($userfile_size == 0)) {$fd = fopen ($userfile, r); $contents = fread ($fd, filesize ($userfile)); fclose ($fd); unlink ($userfile); echo Eerste RAW: .strlen($contents); $encodes_data = chunk_split(base64_encode($contents)); $userfile_name = str_replace( , , $userfile_name); echo strlen($encodes_data). - Displays text size BR; //Works right! mysql ($databasename_boekhoud, insert mubo_boekhoud_images (data, originalname, groep, type) values '$encodes_data', '$userfile_name', '$groep', '$userfile_type')); // mysql_error(); //No error given..? } Any suggestions are very much appreciated... With kind regards, David Bouw -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: PHP] can't pass complete URL (part of the query string) from
--- Nicole Lallande [EMAIL PROTECTED] wrote:

<form action="http://embitec.com/fishcart/email.php?ref=http://embitec.com/fishcart/displayem.php3?cat=5&olimit=0&zid=1&lid=1" method=post>

There is your problem right there. Here are the variables you are passing:

ref=http://embitec.com/fishcart/displayem.php3?cat=5
olimit=0
zid=1
lid=1

The URL you want to set ref to needs to be URL encoded. You can use rawurlencode() to achieve this. You will know you have it right when your HTML form tag looks like this:

<form action="http://embitec.com/fishcart/email.php?ref=http%3A%2F%2Fembitec.com%2Ffishcart%2Fdisplayem.php3%3Fcat%3D5%26olimit%3D0%26zid%3D1%26lid%3D1" method=post>

Hope that helps.

Chris
Re[2]: [PHP] saving form data
Hello Charlie, Monday, February 23, 2004, 10:15:17 PM, you wrote: CFI It's just a matter of development time; if there's a way to CFI use the Perl mail script with a PHP data saving script, it CFI would save time. If I do have to rewrite the whole thing in CFI PHP, how would I accept uploaded file attachments and attach CFI them to the emailed form results? Then how about in reverse? Add something to the end of the Perl script that passes the values to a PHP script? It could even do it via the query string, maybe also passing an md5 encoded password that only your two scripts know (in order to stop someone spoofing your script). -- Best regards, Richard Davey http://www.phpcommunity.org/wiki/296.html -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] saving form data
Richard Davey wrote: CFI It's just a matter of development time; if there's a way to CFI use the Perl mail script with a PHP data saving script, it CFI would save time. If I do have to rewrite the whole thing in CFI PHP, how would I accept uploaded file attachments and attach CFI them to the emailed form results? Then how about in reverse? Add something to the end of the Perl script that passes the values to a PHP script? It could even do it via the query string, maybe also passing an md5 encoded password that only your two scripts know (in order to stop someone spoofing your script). I don't think that would work because they will need to save without sending the form. But I had thought about the reverse: a PHP script that saves the data and then possibly passes it on to the Perl script. Do you or anyone else know how to pass on form results in PHP to another script? (Like I said, I'm pretty new to PHP...) Thanks! -- Charlie Fiskeaux II Media Designer Cre8tive Group cre8tivegroup.com 859/858-9054x29 cell: 859/608-9194 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] I18n problems: Working with double-byte languages
Hi people ! I have a query regarding double-byte languages on PHP. I need to sort a index localized from English to Korean. My idea is: * get the Korean strings from file; * convert them to UTF8; * insert them in a Oracle database set to work with UTF8; * set NLS_LANG with Alter session SQL command to this variable match with Korean language; * get the strings sorted by Oracle with a SELECT * FROM table SORT BY field ASC SQL command; I've tried to convert the Korean string to UTF8 with utf8_encode function, but this function converted each byte from double-byte string to its relative in UTF8 chars. Reverting this string encoded to UTF8 with utf8_decode function, the browser can display successfully the Korean chars (because the individual bytes of the double-byte string will be as them were before), but Oracle can't sort the strings properly because that UTF8 chars converted by utf8_encode function were not relative to a double-byte char, but relative to a 2 single bytes chars! How can I convert a double-byte string to UTF8 properly??? Really thanks _ Ricardo J. A. Júnior, Software Engineer Trainee Bowne Global Solutions Phone +55 21 2515 7713 [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] www.bowneglobal.com.br http://www.bowneglobal.com.br/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] Re: I18n problems: Working with double-byte languages
Ricardo Junior wrote: Hi people ! I have a query regarding double-byte languages on PHP. I need to sort a index localized from English to Korean. My idea is: * get the Korean strings from file; * convert them to UTF8; * insert them in a Oracle database set to work with UTF8; * set NLS_LANG with Alter session SQL command to this variable match with Korean language; * get the strings sorted by Oracle with a SELECT * FROM table SORT BY field ASC SQL command; I've tried to convert the Korean string to UTF8 with utf8_encode function, but this function converted each byte from double-byte string to its relative in UTF8 chars. Reverting this string encoded to UTF8 with utf8_decode function, the browser can display successfully the Korean chars (because the individual bytes of the double-byte string will be as them were before), but Oracle can't sort the strings properly because that UTF8 chars converted by utf8_encode function were not relative to a double-byte char, but relative to a 2 single bytes chars! How can I convert a double-byte string to UTF8 properly??? Really thanks UTF-8 works but EUC-KR may be better. Anyway, take a look at mbstring, iconv, gettext modules. -- Yasuo Ohgaki -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP] Question: urldecode
To view the terms under which this email is distributed, please go to http://disclaimer.leedsmet.ac.uk/email.htm -Original Message- From: Stuart Felenstein [mailto:[EMAIL PROTECTED] Sent: 09 December 2004 11:52 In my search page, the url returned comes back with the ..err I forget what it's called, but query string looks like this: %5B%5D=3. I think the %5B and 5D should be []. Are you seeing the URL-encoded version *only* in your browser's Address/Location bar? If so, that's perfectly normal and nothing to worry about -- it should be automatically decoded by the Web server before being passed to PHP. If you're seeing the encoded version actually in your PHP script, that sounds like a major problem, possibly indicating a missing urldecode() or extraneous urlencode() -- in which case, please post a more detailed analysis of your problem, examples of the unwanted behaviour, and the relevant portions of script. Cheers! Mike - Mike Ford, Electronic Information Services Adviser, Learning Support Services, Learning Information Services, JG125, James Graham Building, Leeds Metropolitan University, Headingley Campus, LEEDS, LS6 3QS, United Kingdom Email: [EMAIL PROTECTED] Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Lions and tigers and slashes, oh my!
On Fri, January 13, 2006 10:55 am, Jay Blanchard wrote:

I am having a problem with an ampersand sign. I have a list of things on a page, in which one category is 'Oil & Gas'. I store it in the database as 'Oil &amp; Gas'.

Don't.

The DATA to be stored in the database is 'Oil & Gas'

When it's time to present it in a browser, and ONLY when it's time to present it in a browser, use: htmlentities('Oil & Gas') to make it suitable for HTML transport to the browser.

Here's why:

Suppose tomorrow you decide to do an RSS Feed, or export to another database, or send that data somewhere OTHER than your browser.

Your &amp; is *NOT* the raw data, and it's *NOT* what that other technology might *want* for the encoding of &

That other technology might not even WANT & encoded in the first place.

Now, RSS might want & -> &amp; for its encoding

But can you guarantee that tomorrow's technology will want that?

No.

Maybe tomorrow's next big thing will want & -> or perhaps it will want & -> %#26 or maybe it will want & -> 'fnord-26' or maybe it won't even need & encoded, but it will need the character sequence 'fnord' encoded.

The DATA is 'Oil & Gas'

'Oil &amp; Gas' is merely a presentation / encoding of that data for one (or more) particular (currently popular) transport mechanisms.

Encoding the data for today's usage in your original source data is sheer folly, of the same magnitude that gave us Y2K.

You're making trouble for yourself long-term, and probably confusing yourself short-term.

RAW data goes in your database: 'Oil & Gas'

When the category is clicked the query string shows just an ampersand, i.e.

Filter=Process&FilterKey=Oil%20&%20Gas&Order=Application&Direction=ASC&comments=

and therefore just shows as an '&' and the query only sees 'Oil'.

Shows where?

Until you tell us what showed you where, we can't even begin to guess what is going on -- because WHERE you saw it changes everything.

There are all manner of potential sources of your vision here. What you see in the browser, and what you see in View Source and what you see when your mouse goes over a link are all different, and probably all different from what you would see in the 'mysql' monitor program.

If View Source showed you that, then it's probably a problem.

If you saw it printed out to your browser, it may or may not be a problem.

If it's in the ToolTip from mouse-over of the link, it may or may not be a problem.

The browsers try to hide icky details from normal users, and that means the &amp; will often get converted before you see it.

The fact that the link doesn't work means that it obviously *IS* a problem, of course, so exactly where you saw it is somewhat moot, since you shouldn't have put &amp; in your database, and after you fix that, the solution will probably entail fixing whatever is causing the &amp; to get lost anyway.

I guess that I am too tired to deal with this or the answer would come to mind immediately. Can someone drop kick me in the right direction?

Ah. An even MORE important reason for not doing what you did.

Part of your PROBLEM is you've put &amp; in the database instead of &

So you think it's escaped already.

Well, it is...

For HTML display, it is escaped.

It is *NOT* escaped for a URL.

urlencode() is for URL-escaping.

htmlentities() is for HTML-escaping.

You've done htmlentities() on your data, not urlencode() on your output of your data.

What *SHOULD* be done is this:

1. Get the original, un-corrupted (un-escaped) data: 'Oil & Gas'

$value = 'Oil & Gas'; // from db. Note lack of &amp; here!

Your database has no business [*] keeping the HTML-encoding of its data internally.

2. Since that datum is being passed as an argument in a URL, urlencode() it:

$value_url = urlencode($value); //prepare for use in URL

$value_url will now most likely contain %26, and the whole & -> &amp; problem will be MOOT. But you never know for sure WHAT data will be in there, so...

3. Make the URL:

$url = "Filter=" . urlencode('Process') . "&FilterKey=$value_url&Order=" . urlencode('Application') . "&order=" . urlencode('ASC');

NOTE: Just to be pedantic, and to drive the point home, I've urlencode()d every other data element in the URL, even though the output of urlencode() in all these cases *happens*, by sheer luck, to be the same as the input, so you don't need to encode the data. I am as guilty as the next guy of taking shortcuts and not URLencode()ing anything that is 'hard-wired' in PHP source. But if it's coming from your database, or worse, the user, you'd damn well better urlencode() each value element you are putting into the URL.

4. *NOW* you are about to dump that URL into your HTML as the HREF= of a link. At *THAT* point, and *ONLY* at that point, you want to escape it for HTML usage:

$url_html = htmlentities($url); //escape for HTML

Your URL now has &amp; for each & separating the key/value pairs in the GET args. That's what HTML *wants* though.

Any 'weird' data, where 'weird' is defined by what HTML likes, after urlencode
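The two escaping layers from steps 1 to 4 above, carried through a round trip, as an added example (not code from the thread). The page name list.php is hypothetical, the parameter names come from the query string quoted in the thread, and htmlspecialchars() is used here where the post uses htmlentities().

```php
<?php
// Added illustration, not code from the thread.

$value = 'Oil & Gas';   // raw data, exactly as it should sit in the database

// Layer 1: URL-escape every key and value, then join the pairs with a literal '&'.
$params = [
    'Filter'    => 'Process',
    'FilterKey' => $value,
    'Order'     => 'Application',
    'Direction' => 'ASC',
];
$pairs = [];
foreach ($params as $key => $val) {
    $pairs[] = urlencode($key) . '=' . urlencode($val);
}
$url = 'list.php?' . implode('&', $pairs);   // list.php is a hypothetical page

// Layer 2: HTML-escape the finished URL for the attribute, and the label
// separately for the element body. Only this output is HTML-escaped.
$href = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
$html = '<a href="' . $href . '">'
      . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '</a>';
echo $html, "\n";

// Round trip: the browser undoes layer 2 when it reads the attribute,
// and PHP undoes layer 1 when it fills $_GET (parse_str() does the same).
$requested = htmlspecialchars_decode($href, ENT_QUOTES);
parse_str(explode('?', $requested, 2)[1], $get);
var_dump($get['FilterKey'] === $value);   // the raw value arrives unchanged

// The failure described in the thread: an HTML-escaped value placed in a URL
// without urlencode(). The '&' of the entity acts as a parameter separator.
$broken = 'list.php?FilterKey=' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
        . '&Order=Application';
parse_str(explode('?', $broken, 2)[1], $brokenGet);
var_dump($brokenGet);                     // FilterKey no longer holds the full value
```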
php-general Digest 26 May 2011 19:00:57 -0000 Issue 7329
Topics (messages 313153 through 313156):

Re: How can a UTF-8 string can be converted to an array of Bytes?
313153 by: Eric Butera

Re: simple question abt convert to integer
313154 by: Bálint Horváth
313155 by: Negin Nickparsa

PHP to Java integration using : shell_exec function
313156 by: Eli Orr (Office)

Administrivia:
To subscribe to the digest, e-mail: php-general-digest-subscr...@lists.php.net
To unsubscribe from the digest, e-mail: php-general-digest-unsubscr...@lists.php.net
To post to the list, e-mail: php-gene...@lists.php.net

---BeginMessage---

On Wed, May 25, 2011 at 8:15 AM, Eli Orr (Office) eli@logodial.com wrote:

Hi, Since a UTF-8 is a multi-bytes mechanism I get for 2 or 3 bytes UTF-8 encoded character a single character How can it be break into the REAL bytes array that represent the UTF-8 string and how can we reassembled the bytes array back to UTF-8?

-- Best Regards, *Eli Orr* CTO Founder *LogoDial Ltd.*

You can use mb_substr [1] with a UTF-8 encoding to get the single characters.

[1] http://us.php.net/mb_substr

---End Message---

---BeginMessage---

The problem is that if you set the post directly to the query it's available to be an attach code in the field... (eg. DROP DATABASE;) it's called to SQL injection...

what I mean on filtering: always check the values in query eg.:

$id = $_POST['id'];
if(is_numeric($id)){...}else{bad post}

and at other fields u can use eg. strstr() etc...

On Wed, May 25, 2011 at 4:38 PM, Negin Nickparsa nickpa...@gmail.com wrote:

Tnx to all:D

Paul you are absolutly right:D it was a bad mistake from me there was no need 2 convert it

Balint helped me n with mysql_error i found that my code hasn't any mistake i just forgot the BIG thing! selecting db:D i totally forgot it because i had array keys with if statement n in there i selected it but in the last one of them i forgot 2 set the selection of DB

Ashley what is OP? and filtering i didn't understand

Andre why u r telling me Note: you *didn't* execute the query by calling mysql_query on it. if it doesn't execute the query then what's it doing?

Reply Vitalli believe me that i tried it n i can send the string without error i tried it:

$query1="select * from patient where id=".$_POST['txt'];

it works! after i found my error i tried it 2 n it was right!!!

---End Message---

---BeginMessage---

i got it tnx Balint

---End Message---

---BeginMessage---

Hi,

Please advise if the following is possible and how can pass parameters from the PHP to the Java application. Thanks.

Here's my script draft:

<?PHP
...
$XML_toEnc = urlencode ($XML); // The XML_toEnc is a string and shall be urlencoded !
$EncXML = shell_exec("/usr/bin/java/java -jar MyApp.jar -XML $XML_toEnc"); // <== ??? How can I pass parameters like a large string of let say XML?
echo $EncXML; // back to the MObile Client
// Receiving client shall:
// urldecode the string
?>

Eli Orr

---End Message---
Re: [PHP] Re: sql injection protection
On 26-01-2012 15:46, Haluk Karamete wrote:

when we do b64e and then back b64d, you are saying. we get the org input all as clear text but this time as a string. because it is now a string, (which by definition can not be executed) what's the difference between b64e+b64d vs (string) casting then? if you were to cast the original input into string using (string), wouldn't you be in the same shoes?

No, it's not. The problem here is that we're using 2 different systems, which have to talk to each other. They do this via strings. If you send 'SELECT a FROM b', for PHP that's a string. It doesn't know or even care if this is SQL or what you want to do with it. To PHP it's just a string. Once it gets to MySQL however, it will look at that string, parse it as SQL and execute it.

Now, if we use:

'SELECT a FROM b; DROP TABLE b'

for PHP, it will still be just a string. Nothing special. For MySQL however, it will have turned into 2 different operations, which will both be executed. It will first SELECT a FROM b, and then DROP TABLE b.

Can this be resolved by casting the whole query to a string in PHP? No. It's already a string. However, if you base64_encode a part of the query (the variable part that you're afraid might get replaced by malicious code), it will appear as a string to MySQL. It will receive the following:

SELECT a FROM b WHERE c='MSc7RFJPUCBUQUJMRSBiIFdIRVJFIDE9JzE=';

instead of:

SELECT a FROM b WHERE c='1';DROP TABLE b WHERE 1='1';

To PHP, both are still strings. But to MySQL, the first is an operation which SELECTs a from b where c has a certain value. The second, does the same, but also drops the table (! WHOA! we Don't want that!!).

Of course, if we change the code to:

SELECT a FROM b WHERE c=BASE64DECODE('MSc7RFJPUCBUQUJMRSBiIFdIRVJFIDE9JzE=');

It will select based on the STRING 1';DROP TABLE b WHERE 1='1 and will not execute it, since it did not receive it as executable code.

Do you finally understand the difference?

also on another note, if you know the userinput is in UTF-8, ( you verify that by running mb_detect_encoding($str, 'UTF-8', true); )

This doesn't guarantee anything. You can't see the encoding on a bare string. You can guess what it might be (using a function such as mb_detect_encoding), but it might very well be wrong. If I send you a string like 'abcdef', it may be detected as being ANSII, ISO-8859-11, ISO-8859-16, and a million others. Why? Because encoding is just a way of saying value X in this string represents character Y, but to know that, you first need to know what codepage / encoding belongs to it. If you don't know that, value 2148 might mean 'C' or 'F' or 'PO'. You don't know, and you don't have any way of figuring this out.

That is why it is CRITICAL to know what encoding is being used. If a UTF-7 encoded string is provided, it may look like a string of crap to you. But when it is interpreted as being in UTF-8 it might suddenly completely change meaning, and contain malicious code. The string itself doesn't change at all, just the interpretation of the string.

When starting a connection, you should make sure that the encoding it works with is the same you're using to construct your strings. So if you're working in UTF-7, make sure MySQL is as well. Otherwise, you have to make sure to manually recode your strings from UTF-7 to UTF-8.

Hopefully that makes it more clear to you.

, is there a situation where you think mysql_real_escape_string would fail in SQLINjection against string based user input ? The reason I ask this about specifically for strings is because it is fairly easy to validate against integers,floats,booleans using the built in validation filters my biggest issue is on strings... also what do you think about filter_sanitize_string. and finally, where do you think PHP community plus Rasmus is having a hard time implementing what you have in mind - that is a one liner that will do the inline string interpolation you are talking about.. what's the issue that it hasn't been done before?

There are many ways of getting around the functions mentioned above. Personally I have little experience with HOW you can do it (although I've been forced to patch holes found due to the fact that we did rely on it though). You can search the internet to find out how. We can't really help you there, we can only advise you (as has been done a million times already, though you don't seem to be able to accept the recommendation).

If you decide not to accept the recommendation, then don't, and just use your own way. It may bite you after a while though. Security issues like the one mentioned above are notoriously difficult to eliminate effectively; oneliners rarely if ever suffice.

- Tul
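One standard way to keep a value out of the SQL text altogether is a bound parameter; the added example below (not code from the thread) runs the value discussed above through one. SQLite in memory stands in for MySQL so the script runs offline, which assumes the pdo_sqlite extension; table b and columns a, c follow the thread's query, and the two rows and lookup() are constructed for the illustration.

```php
<?php
// Added illustration, not code from the thread.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE b (a TEXT, c TEXT)");
$pdo->exec("INSERT INTO b (a, c) VALUES ('first', '1')");   // constructed rows
$pdo->exec("INSERT INTO b (a, c) VALUES ('second', '2')");

// The input value discussed in the thread.
$input = "1';DROP TABLE b WHERE 1='1";

// String building: the value is spliced into the SQL text, so its quote and
// semicolon become SQL syntax. Built for inspection only, never executed.
$spliced = "SELECT a FROM b WHERE c='" . $input . "';";
echo "spliced SQL text: $spliced\n";

/**
 * Bound parameter: the SQL text is fixed when the statement is prepared and
 * the value is handed over separately, so it can only ever be compared as data.
 */
function lookup(PDO $pdo, string $c): array
{
    $stmt = $pdo->prepare('SELECT a FROM b WHERE c = :c');
    $stmt->execute([':c' => $c]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(lookup($pdo, '1'));      // an ordinary value matches its row
var_dump(lookup($pdo, $input));   // the whole input is one literal, matching nothing

// The table is still there with both rows.
var_dump((int) $pdo->query('SELECT COUNT(*) FROM b')->fetchColumn());

// For MySQL the same code applies with a DSN such as
//   mysql:host=HOST;dbname=NAME;charset=utf8mb4   (HOST and NAME are placeholders)
// Naming the charset in the DSN fixes the connection encoding, which is the
// point the reply makes about both sides agreeing on it, and setting
// PDO::ATTR_EMULATE_PREPARES to false has the server perform the binding.
```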
Re: [PHP] Re: Very Large MySQL Query String
Dear Javier, Yes, indeed when you encode the file it grows. Normally about 30%.. Thus, the file in my situation of 1 Megabyte grows to 1.3 MegaByte.. But I would expect that this should not give any problems... The columns I am using allows 16 Megabyte.. Does anyone else know what the string limitation of PHP Mysql query function is? With kinds regards, David Bouw Hi, I think if you encode the file with base64 and store it in the database the size of the document will be more than 1MB sure. David Bouw wrote: Dear Kirk (and Julio) Thanks for the response.. I don't want to use a link to the images because backing up my data and porting it to another machine is much easier. (Replicating is also very easy.) When storing the file separately this gets more complex, especially when you want to get this data from another machine... The stored data isn't retrieved very often, so speed isn't really an issue. (Till now speed really never was an isse. When adding the right indexes MySql + PHP does incredible things!!.) I do though use the suggested 'linking' method for an website where the images are needed on the website.. In the current situation though I store PDF images of invoices which are basically only needed to look something up if there is a problem... Kirk, I already tried changing the properties of the column in which I store the images.. (Currently it is an longtext, but before this I always used an Longblob...) I can't remember the exact sizes of MySQL, but I believe that an Mediumblob can handle 16 Megabyte.. (I know have little more than a 1 MB..) I will try some things tomorrow, but I can't find out what the problem is.. (Column size, PHP-Mysql string length limitation or maybe something I am overlooking..) I can though echo the query to screen and see that the uploaded file is encoded to a very nice (large) text-string.. Any other suggestions are greatly appreciated. With kind regards, David Bouw If I use the link to the file, i.e. 
file//C:\filedir\file.pdf or .txt or whatever how do I insert/update/delete the file since MySQL is holding only the link? BTW David, what are the properties of the field you are inserting to? Could that be the problem? -Kirk Julio Nobrega Trabalhando [EMAIL PROTECTED] wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... Instead of uploading to Mysql, why don't you store the file at a directory and on Mysql only the path to it? Retrieving files from the hard drive is much faster than doing the same on Mysql, and also access to manipulation (insert, update, delete, etc...) -- Julio Nobrega. Um dia eu chego lá: http://sourceforge.net/projects/toca Ajudei? Salvei? Que tal um presentinho? http://www.submarino.com.br/wishlistclient.asp?wlid=664176742884 David Bouw [EMAIL PROTECTED] wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... I can't seem to figure out the following. I use the http upload functions a lot, works great!!.. For some months now I have been using a small PHP program which I use to upload PDF files of scanned documents and insert them into a Mysql table.. Normally these files are small (250 kb), but I now have a PDF of 1 MB... When uploading files I run the function: chunk_split(base64_encode($binaryfile)); to encode it, this to transform the binary file to text.. (Works great!!!) When the query was called to insert the data, nothing happens, also no error from mysql... Only think I can think of is that the mysql query string is to long.. ?? (The data when encoded is about 1.3 MB of text).. This is the source code.. if (!($userfile_size == 0)) {$fd = fopen ($userfile, r); $contents = fread ($fd, filesize ($userfile)); fclose ($fd); unlink ($userfile); echo Eerste RAW: .strlen($contents); $encodes_data = chunk_split(base64_encode($contents)); $userfile_name = str_replace( , , $userfile_name); echo strlen($encodes_data). - Displays text size BR; //Works right! 
mysql ($databasename_boekhoud, insert mubo_boekhoud_images (data, originalname, groep, type) values '$encodes_data', '$userfile_name', '$groep', '$userfile_type')); // mysql_error(); //No error given..? } Any suggestions are very much appreciated... With kind regards, David Bouw -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: Very Large MySQL Query String
If I use the link to the file, i.e. file//C:\filedir\file.pdf or .txt or whatever, how do I insert/update/delete the file since MySQL is holding only the link?

BTW David, what are the properties of the field you are inserting to? Could that be the problem?

-Kirk

Julio Nobrega Trabalhando [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

Instead of uploading to Mysql, why don't you store the file at a directory and on Mysql only the path to it? Retrieving files from the hard drive is much faster than doing the same on Mysql, and also access to manipulation (insert, update, delete, etc...)

--
Julio Nobrega.
One day I'll get there: http://sourceforge.net/projects/toca
Did I help? Did I save you? How about a little gift? http://www.submarino.com.br/wishlistclient.asp?wlid=664176742884

David Bouw [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

I can't seem to figure out the following. I use the http upload functions a lot, works great!!.. For some months now I have been using a small PHP program which I use to upload PDF files of scanned documents and insert them into a Mysql table.. Normally these files are small (250 kb), but I now have a PDF of 1 MB...

When uploading files I run the function: chunk_split(base64_encode($binaryfile)); to encode it, this to transform the binary file to text.. (Works great!!!)

When the query was called to insert the data, nothing happens, also no error from mysql... Only thing I can think of is that the mysql query string is too long.. ?? (The data when encoded is about 1.3 MB of text)..

This is the source code..

    if (!($userfile_size == 0)) {
        $fd = fopen ($userfile, "r");
        $contents = fread ($fd, filesize ($userfile));
        fclose ($fd);
        unlink ($userfile);
        echo "Eerste RAW: " . strlen($contents);
        $encodes_data = chunk_split(base64_encode($contents));
        $userfile_name = str_replace( , , $userfile_name);
        echo strlen($encodes_data) . " - Displays text size <BR>"; //Works right!
        mysql ($databasename_boekhoud, "insert mubo_boekhoud_images (data, originalname, groep, type) values '$encodes_data', '$userfile_name', '$groep', '$userfile_type')");
        // mysql_error(); //No error given..?
    }

Any suggestions are very much appreciated...

With kind regards,
David Bouw
Re: [PHP] Selecting Rows Based on Row Values Being in Array
This is working so far but I need to add an additional search. This is what I have so far:

    $in_list = "'".join("','",$cen_chiefs)."'";
    $query_cen_chiefs = "SELECT * FROM central WHERE CONCAT(strName,' ',strCity,' ',strState) IN({$in_list}) ORDER BY conName";

I also need the query to return records where strName values are in $cen_chiefs.

I tried the query 5 different ways and none return any records except for the one above. This is one that failed:

    SELECT * FROM central WHERE CONCAT(strName,' ',strCity,' ',strState) IN({$in_list}) AND WHERE (strName) IN({$in_list}) ORDER BY conName;

Any suggestions?

Jim Lucas [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

K. Hayes wrote:

Will do. Thanks.

- Original Message -
From: Jim Lucas [EMAIL PROTECTED]
To: kvigor [EMAIL PROTECTED]
Cc: php-general@lists.php.net
Sent: Saturday, June 30, 2007 1:46 AM
Subject: Re: [PHP] Selecting Rows Based on Row Values Being in Array

kvigor wrote:

Hello All,

I'm attempting to return rows from a mysql DB based on this criteria: I have a list, in the form of an array, that I need to compare against each row in the table. Where there's a match I need that entire row returned.

e.g. $varListof 3outOf_10Fields = array("6blue40lbs", "7orange50lbs", "8orange60lbs", "9purple70lbs");

The array contains 3 of the db row fields in 1 value. However there are 10 fields/columns in the table.

    === what table looks like ===
            size     color    weight
    ROW 1 | value1 | value1 | value1 | value1 | value1 | value1 |

So how could I set up a query that would SELECT the entire row, if the row contained $varListof 3outOf_10Fields[1].

Open to any suggestions or work arounds. I'm playing with extract() but code is too crude to even post.

I would suggest approaching the problem with a slightly different thought. Just have the sql concat() the columns together and then compare. Something like this should do the trick:

    $list = array(
        '6blue40lbs',
        '7orange50lbs',
        '8orange60lbs',
        '9purple70lbs',
    );
    $SQL = "SELECT * FROM my_Table WHERE CONCAT(value1, value2, value3) IN ('".join("','", $list)."')";
    mysql_query($SQL);

This should take, for each row in the DB, value1 + value2 + value3 and create one string from them, then it will compare each string in the IN (...) portion to each entry in the $list array().

Let me know if you need any further help.

One other thing, make sure that you run each of the values in the $list array() through mysql_real_escape_string(). That way it is all nicely encoded for the SQL statement.
Re: [PHP] Selecting Rows Based on Row Values Being in Array
Ok Jim,

This is what I have so far and I'm still working it out.

    $in_list = .join('',$someArrayList); // do I really need to concatenate or separate anything here since my array values will be '7orange50lbs'? // this is the format I want.
    $query_One = "SELECT * FROM shoe WHERE CONCAT(size,color,weight) IN({$in_list})"; // size, color, weight are my column names
    $result = mysql_query($query_One, $connection) or die("Query failed: " . mysql_error($connection));
    $row = mysql_fetch_array($result);

This is the error I get back from the query:

    Query failed: Unknown column '6blue40lbs' in 'where clause'

// where am I going wrong?

==

Jim Lucas [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

kvigor wrote:

Jim, Please excuse the ignorance, I'm a newbie, but I'm only used to simple SELECT, INSERT statements.

Your original code:

    $SQL = "SELECT * FROM my_Table WHERE CONCAT(value1, value2, value3) IN ('".join("','", $list)."')";

This can be broken down into smaller parts so as to explain by example.

    # This is to clean the input values for the SQL statement
    function mysql_clean($value) {
        return mysql_real_escape_string($value);
    }

    # Define your list of values to compare to
    $list = array(
        '6blue40lbs',
        '7orange50lbs',
        '8orange60lbs',
        '9purple70lbs',
    );

    # You will want to do something like this with the values of the $list
    # array just to make sure they are clean: reference the function above.
    # array_map() is used because array_walk() discards the callback's
    # return value, which would leave $list unescaped.
    $list = array_map('mysql_clean', $list);

    # This will return a string formatted like this.
    # '6blue40lbs','7orange50lbs','8orange60lbs','9purple70lbs'
    $IN_VALUE = "'".join("','", $list)."'";

    $SQL = "SELECT * FROM my_Table WHERE CONCAT(value1, value2, value3) IN ({$IN_VALUE})";

    # The final query string will look like this
    # SELECT * FROM my_Table WHERE CONCAT(value1, value2, value3) IN ('6blue40lbs','7orange50lbs','8orange60lbs','9purple70lbs')

    # Now run this through your query function and get the results
    $results = mysql_query($SQL) OR die('SQL Failure: '.$SQL);

So basically what we have is a comparison that is based off the output of the CONCAT() function that creates one string out of value1, value2, value3 and then compares that with each of the values listed within the parentheses.

The IN (...) part of the SQL statement tells SQL that it is getting a list of values that it should compare the concat() value against.

Doing it this way will allow you to only run one query instead of running one per value that you want to compare against. As you can tell, as your data set grows your multiple queries would drag your DB to a halt.

Hope this explains it. Let me know if you need further explanation.

OK, I get everything up to the ('''.join(''','''$list).''') I'm guessing that the .join( ). putting together some values, but I don't know what also the .join( ). is to be preceded by something... I don't know what. //Forgive my ignorance, I'll can get it.

Also the .join( ). what is this doing I looked at the PHP and MySQL function of each, and haven't seen comparable code. I'm asking because I don't know where we're telling the code to compare the values. You stated... and create one string from them. Where do I give the name to the string?

So this is where I am so far:

    $sql = "SELECT * FROM table WHERE CONCAT(size,color,weight) IN( )";
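Added example, not part of the thread and not the posters' code: the same concatenate-and-IN lookup with one bound placeholder per list entry, so no value has to be escaped or quoted by hand. It assumes PDO with the SQLite driver and an in-memory `shoe` table that uses the column names from the message (SQLite's `||` stands in for MySQL's CONCAT()); find_shoes(), the rows and the `maker` column are constructed, and the last list entry reuses a hostile string quoted elsewhere on this page.

```php
<?php
// Added example with constructed data; not code from the thread.
// Assumption: PDO + SQLite driver. With MySQL the WHERE clause would read
// CONCAT(size, color, weight) IN (...) and the rest stays the same.

function find_shoes(PDO $db, array $wanted): array
{
    // "IN ()" with no values is a syntax error, so an empty list returns early.
    if ($wanted === []) {
        return [];
    }

    // One "?" per value: only the number of placeholders depends on the input,
    // never the values themselves.
    $marks = implode(',', array_fill(0, count($wanted), '?'));

    $stmt = $db->prepare(
        "SELECT size, color, weight, maker
           FROM shoe
          WHERE size || color || weight IN ($marks)
          ORDER BY size"
    );

    // array_values() because positional placeholders expect a 0-based list.
    $stmt->execute(array_values($wanted));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE shoe (size TEXT, color TEXT, weight TEXT, maker TEXT)');

$insert = $db->prepare(
    'INSERT INTO shoe (size, color, weight, maker) VALUES (?, ?, ?, ?)'
);
foreach ([
    ['6', 'blue',   '40lbs', 'maker A'],
    ['7', 'orange', '50lbs', 'maker B'],
    ['8', 'green',  '60lbs', 'maker C'],   // not in the list below
    ['9', 'purple', '70lbs', 'maker D'],
] as $row) {
    $insert->execute($row);
}

$list = [
    '6blue40lbs',
    '7orange50lbs',
    '8orange60lbs',
    '9purple70lbs',
    "') union select * from foo --",       // bound as data, matches no row
];

foreach (find_shoes($db, $list) as $row) {
    echo implode(' | ', $row), "\n";
}
```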
Re: [PHP] RSS Feed Accented Characters
On 30 September 2011 18:22, Ron Piggott ron@actsministries.org wrote:

-Original Message-
From: Richard Quadling
Sent: Friday, September 30, 2011 12:31 PM
To: Ron Piggott
Cc: php-general@lists.php.net
Subject: Re: [PHP] RSS Feed Accented Characters

On 30 September 2011 17:26, Ron Piggott ron@actsministries.org wrote:

I am trying to set up an RSS Feed in the Spanish language using a PHP cron job. I am unsure of how to deal with accented letters.

An example:

This syntax:

    <?php
    $rss_content .= "<description>" . htmlentities("El Versículo del Día") . "</description>\r\n";
    ?>

Outputs:

    <description>El Vers&iacute;culo del D&iacute;a</description>

When I use an RSS Feed validator I receive the error message

    This feed does not validate.
    - line 24, column 20: XML parsing error: unknown:24:20: undefined entity

I suspect the “;” is the issue, although it is needed for the accented letters. If I don’t use htmlentities() the accented characters can’t be viewed, they become a “?”

How should I proceed?

Ron

Make sure you have ...

    <?xml version="1.0" encoding="UTF-8"?>

as the first line of the output. That tells the reader that the file is a UTF-8 encoded file.

Also, if you are ejecting HTTP headers, make sure that they say the encoding is UTF-8 and not a codepage.

Go UTF-8 everywhere.

--
Richard Quadling
Twitter : EE : Zend : PHPDoc
@RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea

Hi Richard:

Having <?xml version="1.0" encoding="UTF-8"?> as the starting line didn't correct the problem. The RSS Feed is @ http://www.elversiculodeldia.info/peticiones-de-rezo-rss.xml

There are a variety of errors related to accented characters while using a feed validator http://validator.w3.org/feed/check.cgi?url=http%3A%2F%2Fwww.elversiculodeldia.info%2Fpeticiones-de-rezo-rss.xml

- Also, while viewing the feed in Firefox, once the first accented character is displayed none of the rest of the feed is visible, except by right clicking and view source.

The RSS Feed content will be populated by a database query. The database columns are set to utf8_unicode_ci

How should I proceed?

Ron

The byte sequence that is being received is just 0xED.

    php -r "file_put_contents('a.rss', file_get_contents('http://www.elversiculodeldia.info/peticiones-de-rezo-rss.xml'));"

This is NOT UTF-8 encoded data, but is ISO-8859-1 Latin-1 (most likely).

So as I see it you have 1 choice. Either use <?xml version="1.0" encoding="ISO-8859-1"?> as the XML tag or convert the encoded data to UTF-8.

It also means that the data in the sql server is NOT UTF-8 and will need to be converted also. I would recommend doing that first. That will mean reading the data as ISO-8859-1 and converting it to UTF-8 and then saving it again.

I'd also be looking at the app that inputs the data into the DB initially.

To convert the text, here are 2 examples. I'm sure there are more ways.

    <?php
    $iso_text = 'El Versículo del Día: Pray For Others: Incoming Prayer Requests';
    $utf_8_text = utf8_encode($iso_text);
    var_dump($iso_text, $utf_8_text);
    $utf_8_text = iconv('ISO-8859-1', 'UTF-8', $iso_text);
    var_dump($iso_text, $utf_8_text);
    ?>

outputs ...

    string(63) "El Vers�culo del D�a: Pray For Others: Incoming Prayer Requests"
    string(65) "El Versículo del Día: Pray For Others: Incoming Prayer Requests"
    string(63) "El Vers�culo del D�a: Pray For Others: Incoming Prayer Requests"
    string(65) "El Versículo del Día: Pray For Others: Incoming Prayer Requests"

Notice that the correct strings are 2 bytes longer? The í is encoded as 0xC3AD or U+00ED.

--
Richard Quadling
Twitter : EE : Zend : PHPDoc
@RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea
Re: [PHP] RSS Feed Accented Characters
Richard

I was unaware of the utf8_encode command. Thank you very much --- this now works. Now I may continue with the translation into Spanish.

Ron

www.TheVerseOfTheDay.info

-Original Message-
From: Richard Quadling
Sent: Friday, September 30, 2011 2:53 PM
To: Ron Piggott
Cc: php-general@lists.php.net
Subject: Re: [PHP] RSS Feed Accented Characters
Re: [PHP] Re: sql injection protection
On 01/26/2012 06:46 AM, Haluk Karamete wrote:

when we do b64e and then back b64d, you are saying. we get the org input all as clear text but this time as a string. because it is now a string, (which by definition can not be executed) what's the difference between b64e+b64d vs (string) casting then? if you were to cast the original input into string using (string), wouldn't you be in the same shoes?

Re-read his example. He encodes the data in PHP. But decodes the data in SQL. So, if you echo the SQL statement, you would see a base64 encoded string that SQL then decodes.

also on another note, if you know the userinput is in UTF-8, ( you verify that by running mb_detect_encoding($str, 'UTF-8', true); ), is there a situation where you think mysql_real_escape_string would fail in SQL injection against string based user input ? The reason I ask this about specifically for strings is because it is fairly easy to validate against integers, floats, booleans using the built in validation filters. my biggest issue is on strings...

also what do you think about filter_sanitize_string.

read this: http://www.php.net/manual/en/filter.filters.sanitize.php

Then read this: http://www.php.net/manual/en/filter.filters.flags.php

It seems to me that filter_sanitize_string does not deal with anything other than ASCII. YMMV

and finally, where do you think PHP community plus Rasmus is having a hard time implementing what you have in mind - that is a one liner that will do the inline string interpolation you are talking about.. what's the issue that it hasn't been done before?

On Tue, Jan 24, 2012 at 1:45 PM, Alex Nikitin niks...@gmail.com wrote:

You don't need to store it in the database as b64, just undo the encoding into your inputs

for the purpose of the explanation, this is language independent

    b64e - encoding function
    b64d - decoding function

pseudo code

given:

    bad_num = ') union select * from foo --'
    bad_str =
    good_num = 123456
    good_str = some searchable text

the b64 way:

    bad_num=b64e(bad_num)
    ...
    good_str=b64e(good_str)

inserts:

    query("insert into foo (num, str) values (b64d(\""+bad_num+"\"), b64d(\""+bad_str+"\"))");
    query("insert into foo (num, str) values (b64d(\""+good_num+"\"), b64d(\""+good_str+"\"))");

Can you see that this will safely insert clear text into the database? This is because when you convert anything from b64, it will return from the function as a string and will not be executed as code...

Now let's try a search:

    bad_num= '1 or 2 not like 5'
    bad_str = ' or \40oz\ like \40oz\

again we:

    bad_num=b64e(bad_num)
    bad_str=b64e(bad_str)

then we can do a full text search:

    query("select * from foo where match(str) against(b64d(\""+bad_str+"\"))")

or even a number search

    query("select * from foo where num=b64d(\""+bad_num+"\")")

again this is possible because no matter what you put in bad num, it will never be able to make post b64e bad_num look like code, just looks like junk, until b64d converts it to a string (which by definition can not be executed)

make sense now?

by check i mean, run utf8_decode for example...

Problem is, that i can tell you how to write the most secure code, but if it's hard, or worse yet creates more problems than it solves (seemingly), nobody other than a few individuals with some passion for security will ever find the code useful. We need to fix this on the language level, then we can go around and tell programmers how to do it right. I mean imagine telling a programmer, that something that takes them 2 lines of code now, can be done much more securely in 5-7, and it creates code that doesn't read linearly... Most programmers will just ignore you. I want to say, hey programmer, what you do in 2 lines of code, you can do in 1 and make it impossible to inject into, then, then people will listen, maybe... This is where inline string interpolation syntax comes in, but it is not implemented in any programming languages, sadly actually. This is what i want to talk to Rasmus about.

--
Jim Lucas
http://www.cmsws.com/
http://www.cmsws.com/examples/
http://www.bendsource.com/
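Added example, not part of the thread: Alex's pseudo-code made runnable, so the difference between concatenating the input and wrapping it in b64d() can be seen in the row counts and in the query text. It assumes PHP's SQLite3 extension as a stand-in database with b64d() registered as a user-defined SQL function (so the decoding happens inside the query, as in the pseudo-code); open_demo_db(), b64_literal(), count_rows() and the table rows are constructed, while the two hostile inputs are the ones quoted in the message.

```php
<?php
// Added example with a constructed table; not code from the thread.
// Assumption: the SQLite3 extension stands in for the database server, and
// b64d() is a user-defined SQL function playing the role of the server-side
// base64 decoder from the pseudo-code.

function open_demo_db(): SQLite3
{
    $db = new SQLite3(':memory:');
    $db->createFunction('b64d', 'base64_decode', 1);
    $db->exec('CREATE TABLE foo (num INTEGER, str TEXT)');
    $db->exec("INSERT INTO foo VALUES (123456, 'some searchable text')");
    $db->exec("INSERT INTO foo VALUES (7, 'another row')");
    return $db;
}

// Encode in PHP. The text placed in the query is limited to the base64
// alphabet (A-Z a-z 0-9 + / =), so it cannot close the quoted literal.
function b64_literal(string $value): string
{
    return "b64d('" . base64_encode($value) . "')";
}

function count_rows(SQLite3 $db, string $sql): int
{
    $result = $db->query($sql);
    $n = 0;
    while ($result->fetchArray(SQLITE3_NUM) !== false) {
        $n++;
    }
    return $n;
}

$db = open_demo_db();

$good_num       = '123456';
$search_bad_num = '1 or 2 not like 5';              // from the message
$insert_bad_num = "') union select * from foo --";  // from the message

$queries = [
    // Concatenated as-is, the input becomes part of the WHERE expression.
    'naive'   => 'SELECT * FROM foo WHERE num = ' . $search_bad_num,
    // Wrapped, the same input reaches the comparison as one string value.
    'wrapped' => 'SELECT * FROM foo WHERE num = ' . b64_literal($search_bad_num),
    // A legitimate value still finds its row after the round trip.
    'good'    => 'SELECT * FROM foo WHERE num = ' . b64_literal($good_num),
];
foreach ($queries as $label => $sql) {
    printf("%-8s %d row(s)  %s\n", $label, count_rows($db, $sql), $sql);
}

// The insert from the message: the hostile text is stored as clear text.
$db->exec(
    'INSERT INTO foo (num, str) VALUES ('
    . b64_literal($insert_bad_num) . ', ' . b64_literal('demo insert') . ')'
);
$stored = $db->querySingle(
    'SELECT num FROM foo WHERE str = ' . b64_literal('demo insert')
);
var_dump($stored === $insert_bad_num);
```

The protection holds only for values that go through b64_literal(); any value concatenated directly elsewhere in the same query is still interpreted as SQL.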
Re: [PHP] Re: Very Large MySQL Query String
Dear Kirk (and Julio)

Thanks for the response..

I don't want to use a link to the images because backing up my data and porting it to another machine is much easier. (Replicating is also very easy.) When storing the file separately this gets more complex, especially when you want to get this data from another machine...

The stored data isn't retrieved very often, so speed isn't really an issue. (Till now speed really never was an issue. When adding the right indexes MySql + PHP does incredible things!!.) I do though use the suggested 'linking' method for a website where the images are needed on the website.. In the current situation though I store PDF images of invoices which are basically only needed to look something up if there is a problem...

Kirk, I already tried changing the properties of the column in which I store the images.. (Currently it is a longtext, but before this I always used a Longblob...) I can't remember the exact sizes of MySQL, but I believe that a Mediumblob can handle 16 Megabyte.. (I now have little more than 1 MB..)

I will try some things tomorrow, but I can't find out what the problem is.. (Column size, PHP-Mysql string length limitation or maybe something I am overlooking..) I can though echo the query to screen and see that the uploaded file is encoded to a very nice (large) text-string..

Any other suggestions are greatly appreciated.

With kind regards,
David Bouw
Re: [PHP] Re: Very Large MySQL Query String
Hi, I think if you encode the file with base64 and store it in the database the size of the document will be more than 1MB sure.
Re: [PHP] Thinking out loud - a continuation...
On Wed, Mar 21, 2012 at 2:39 PM, Jay Blanchard jay.blanch...@sigmaphinothing.org wrote:

... I have a project where I have multiple queries and each query uses the results from the previous query to get its results. I need to do one of two things, either output a multidimensional array that I can use json_encode() on or I have to format the output from the queries as a JSON string. The resulting JSON will be used by a JavaScript widget and must be formed correctly. I created the following array by hand:

    $userList = array(
        "John" => array(
            "email" => "j...@demo.com",
            "website" => "www.john.com",
            "age" => 22,
            "password" => "pass",
            "description" => array(
                "hair" => "blonde",
                "eyes" => "blue",
                "build" => "medium"
            )
        ),
        "Anna" => array(
            "email" => "a...@demo.com",
            "website" => "www.anna.com",
            "age" => 24,
            "password" => "pass",
            "description" => array(
                "hair" => "brunette",
                "eyes" => "hazel",
                "build" => "petite"
            )
        )
    );

I ran it through json_encode() and got the following output

    {"John":{"email":"j...@demo.com","website":"www.john.com","age":22,"password":"pass","description":{"hair":"blonde","eyes":"blue","build":"medium"}},"Anna":{"email":"a...@demo.com","website":"www.anna.com","age":24,"password":"pass","description":{"hair":"brunette","eyes":"hazel","build":"petite"}}}

jslint.com verifies this as good JSON (although I thought there had to be square brackets around child arrays).

Speaking to your belief that arrays had to have square brackets, json_encode examines the PHP array and only encodes sequential numbers as JSON arrays. Others (as in your case) are encoded as object literals: http://php.net/manual/en/function.json-encode.php

That said, you can still access Javascript Object properties with array access if you prefer in the client code: http://www.quirksmode.org/js/associative.html

If you were me would you just generate the JSON? If not what is the best way to output an array that will nest properly for each subsequent query?

Because of the options json_encode provides and the flexibility it affords while in PHP, I would generate PHP and then always use json_encode to generate the JSON as needed.

Adam

--
Nephtali: A simple, flexible, fast, and security-focused PHP framework
http://nephtaliproject.com
Re: [PHP] Re: sql injection protection
> Re-read his example. He encodes the data in PHP. But decodes the data in SQL. So, if you echo the SQL statement, you would see a base64 encoded string that SQL then decodes.

Got it this time! Up until reading your reply, I was reading Alex's example with my pseudo-code glasses. I did not realize that the decoding was being done by SQL! I thought it was still in PHP. And that's where I got confused with the hey why not string casting it then and got into what's the difference situation. But, you were laser sharp on that! Thanks a bunch!

as to the other issue, the one with utf-8 and mb_detect_encoding, not working for it - cause there are ways of getting around. I still don't get it. First q comes to mind, why the heck use mb_detect_encoding then if it can be hacked around? see what I'm saying. but i don't want to go off on a tangent..

all i'm trying to do is to safely protect myself from a possible sql injection by using the available filters and sanitizations and techniques but without the PDO. That's the requirement. No PDO. From the earlier recommendations, I understand PDO is the way to go - cause it effectively separates the sql code from the user input to make sure user input does not get executed.. that explanation ... i get that... no problems there... yes, do use PDO... but my question is not what's the safest way in general?. But rather, what's the safest way without the PDO?

Without the PDO, it seems like b64'ing it will do the job! And since the data will be stored as clear text, the searches against that data will also work too. I can take this implementation and build my library function based on that - instead of making it

1- first check if the in user string is in utf-8,
2- reject the input if not in utf-8
3- accept the input if utf-8 and apply the applicable filters to it starting with filter_sanitize_string
4- and on top of that, also mysql_real_escape it

but from what i understand, you guys are saying just don't do this, because it may be overcome and that's not because of the fact filter_sanitize_string or mysql_real_escape_string is not effective, but because of the fact that there is NO WAY to reliably detect whether the incoming user input is in utf-8 or not.

On Thu, Jan 26, 2012 at 9:14 AM, Jim Lucas li...@cmsws.com wrote:

> On 01/26/2012 06:46 AM, Haluk Karamete wrote:
>
> > when we do b64e and then back b64d, you are saying. we get the org input all as clear text but this time as a string. because it is now a string, (which by definition can not be executed) what's the difference between b64e+b64d vs (string) casting then? if you were to cast the original input into string using (string), wouldn't you be in the same shoes?
>
> Re-read his example. He encodes the data in PHP. But decodes the data in SQL. So, if you echo the SQL statement, you would see a base64 encoded string that SQL then decodes.
>
> > also on another note, if you know the userinput is in UTF-8, ( you verify that by running mb_detect_encoding($str, 'UTF-8', true); ), is there a situation where you think mysql_real_escape_string would fail in SQLINjection against string based user input ? The reason I ask this about specifically for strings is because it is fairly easy to validate against integers,floats,booleans using the built in validation filters my biggest issue is on strings...
> >
> > also what do you think about filter_sanitize_string.
>
> read this: http://www.php.net/manual/en/filter.filters.sanitize.php
>
> Then read this: http://www.php.net/manual/en/filter.filters.flags.php
>
> It seems to me that filter_sanitize_string does not deal with anything other than ASCII. YMMV
>
> > and finally, where do you think PHP community plus Rasmus is having a hard time implementing what you have in mind - that is a one liner that will do the inline string interpolation you are talking about.. what's the issue that it hasn't been done before?
> >
> > On Tue, Jan 24, 2012 at 1:45 PM, Alex Nikitin niks...@gmail.com wrote:
> >
> > > You don't need to store it in the database as b64, just undo the encoding into your inputs
> > >
> > > for the purpose of the explanation, this is language independent
> > >
> > > b64e - encoding function
> > > b64d - decoding function
> > >
> > > pseudo code
> > >
> > > given:
> > > bad_num = ') union select * from foo --'
> > > bad_str =
> > > good_num = 123456
> > > good_str = some searchable text
> > >
> > > the b64 way:
> > > bad_num=b64e(bad_num)
> > > ...
> > > good_str=b64e(good_str)
> > >
> > > inserts:
> > > query(insert into foo (num, str) values (b64d(\+bad_num+\), b64d(\+bad_str+\)));
> > > query(insert into foo (num, str) values (b64d(\+good_num+\), b64d(\+good_str+\)));
> > >
> > > Can you see that this will safely insert clear text into the database? This is because when you convert anything from b64, it will return from the function as a string and will not be executed as code...
> > >
> > > Now let's try a search:
> > > bad_num= '1 or 2 not like 5'
> > > bad_str = ' or \40oz\ like \40oz\
> > >
> > > again we:
> > > bad_num=b64e(bad_num)
> > > bad_str=b64e(bad_str)
> > >
> > > then we can
[PHP] Re: PHP] can't pass complete URL (part of the query string)
Chris -

Tried that -- I have urlencode in the script that sends the url and I have url encode right below the form action -- ref is getting cut off at the first ampersand - regardless:

where:

    <form action="http://embitec.com/fishcart/email.php?ref=http://embitec.com/fishcart/displayem.php3?cat=5&olimit=0&zid=1&lid=1" method="post">

and:

    <input type="hidden" name="ref" value="<?php echo rawurlencode($ref); ?>">

or even

    <input type="hidden" name="ref" value="<?php echo rawurlencode($_GET['ref']); ?>">

yields:

    <input type="hidden" name="ref" value="http%3A%2F%2Fembitec.com%2Ffishcart%2Fdisplayem.php3%3Fcat%3D4">

still cutting off everything after the ampersand..??

Best, Nicole

> > <form action="http://embitec.com/fishcart/email.php?ref=http://embitec.com/fishcart/displayem.php3?cat=5&olimit=0&zid=1&lid=1" method="post">
>
> There is your problem right there. Here are the variables you are passing:
>
>     ref=http://embitec.com/fishcart/displayem.php3?cat=5
>     olimit=0
>     zid=1
>     lid=1
>
> The URL you want to set ref to needs to be URL encoded. You can use rawurlencode() to achieve this. You will know you have it right when your HTML form tag looks like this:
>
>     <form action="http://embitec.com/fishcart/email.php?ref=http%3A%2F%2Fembitec.com%2Ffishcart%2Fdisplayem.php3%3Fcat%3D5%26olimit%3D0%26zid%3D1%26lid%3D1" method="post">
>
> Hope that helps.
>
> Chris

-- Nicole Lallande [EMAIL PROTECTED] 760.753.6766
Re: [PHP] saving form data
On Monday 23 February 2004 02:51 pm, Charlie Fiskeaux II wrote:

> Richard Davey wrote:
>
> > CFI> It's just a matter of development time; if there's a way to
> > CFI> use the Perl mail script with a PHP data saving script, it
> > CFI> would save time. If I do have to rewrite the whole thing in
> > CFI> PHP, how would I accept uploaded file attachments and attach
> > CFI> them to the emailed form results?
> >
> > Then how about in reverse? Add something to the end of the Perl script that passes the values to a PHP script? It could even do it via the query string, maybe also passing an md5 encoded password that only your two scripts know (in order to stop someone spoofing your script).
>
> I don't think that would work because they will need to save without sending the form. But I had thought about the reverse: a PHP script that saves the data and then possibly passes it on to the Perl script. Do you or anyone else know how to pass on form results in PHP to another script? (Like I said, I'm pretty new to PHP...)

Well you could try using an HTTP 302 Found or 307 Temporary Redirect, but IIRC clients must not redirect the request unless the response is received in response to a GET or HEAD request, so you'd have to use GET. I seem to remember reading something about uploading files, which is kinda difficult with GET...

Possibly your best option would be to send a POST request through the HTTPD via a socket - there are libraries out there to help you do this easily, try PEAR, hotscripts, phpclasses, etc.

> Thanks!
>
> -- Charlie Fiskeaux II Media Designer Cre8tive Group cre8tivegroup.com 859/858-9054x29 cell: 859/608-9194

-- Evan Nemerson [EMAIL PROTECTED] http://coeusgroup.com/en
Re: [PHP] Re: Secure data management
On Tue, Oct 4, 2011 at 4:11 PM, Stuart Dallas stu...@3ft9.com wrote:

> On 5 Oct 2011, at 00:04, Mark Kelly wrote:
>
> > Hi.
> >
> > On Tuesday 04 Oct 2011 at 21:39 Stuart Dallas wrote:
> >
> > > http://stut.net/2011/09/15/mysql-real-escape-string-is-not-enough/
> >
> > Thanks. I followed this link through and read the full message (having missed it the first time round), and while I find the idea of using base64 to sanitise text interesting I can also foresee a few difficulties:
> >
> > It would prevent anyone from accessing the database directly and getting meaningful results unless the en/decode is in triggers, or maybe stored procedures. No more one-off command-line queries.
> >
> > How would you search an encoded column for matching text?
> >
> > I'd be interested in any ideas folk have about these issues, or any others they can envisage with this proposal.
>
> Base64 encoding will work when the native base64 functions are available in MySQL which will allow you to base64 encode the data into a statement like
>
>     INSERT INTO table SET field = FROM_BASE64("<?php echo base64_encode($data); ?>")
>
> sorta thing. I'm still not a massive fan of that idea given that prepared statements are an option, but it would work.
>
> -Stuart
>
> -- Stuart Dallas 3ft9 Ltd http://3ft9.com/

Inserting and updating isn't the problem. I think what Mark is referring to is how would that be implemented in this simple type of query:

    SELECT * FROM my_table WHERE col_name LIKE '%key word%';

If there's no viable means to filter the data, that storage method/medium is rather pointless, IMHO.
Re: [PHP] Re: Secure data management
On 5 Oct 2011, at 00:45, Tommy Pham wrote:

> On Tue, Oct 4, 2011 at 4:11 PM, Stuart Dallas stu...@3ft9.com wrote:
>
> > On 5 Oct 2011, at 00:04, Mark Kelly wrote:
> >
> > > Hi.
> > >
> > > On Tuesday 04 Oct 2011 at 21:39 Stuart Dallas wrote:
> > >
> > > > http://stut.net/2011/09/15/mysql-real-escape-string-is-not-enough/
> > >
> > > Thanks. I followed this link through and read the full message (having missed it the first time round), and while I find the idea of using base64 to sanitise text interesting I can also foresee a few difficulties:
> > >
> > > It would prevent anyone from accessing the database directly and getting meaningful results unless the en/decode is in triggers, or maybe stored procedures. No more one-off command-line queries.
> > >
> > > How would you search an encoded column for matching text?
> > >
> > > I'd be interested in any ideas folk have about these issues, or any others they can envisage with this proposal.
> >
> > Base64 encoding will work when the native base64 functions are available in MySQL which will allow you to base64 encode the data into a statement like
> >
> >     INSERT INTO table SET field = FROM_BASE64("<?php echo base64_encode($data); ?>")
> >
> > sorta thing. I'm still not a massive fan of that idea given that prepared statements are an option, but it would work.
> >
> > -Stuart
> >
> > -- Stuart Dallas 3ft9 Ltd http://3ft9.com/
>
> Inserting and updating isn't the problem. I think what Mark is referring to is how would that be implemented in this simple type of query:
>
>     SELECT * FROM my_table WHERE col_name LIKE '%key word%';
>
> If there's no viable means to filter the data, that storage method/medium is rather pointless, IMHO.

Go back and read what I wrote again. Base64 is only being used to transmit the data to MySQL - it's being stored in the database in its decoded form.

-Stuart

-- Stuart Dallas 3ft9 Ltd http://3ft9.com/
Re: [PHP] Selecting Rows Based on Row Values Being in Array
kvigor wrote:

> Jim,
>
> Please excuse the ignorance, I'm a newbie, but I'm only used to simple SELECT, INSERT statements.
>
> Your original code:
>
>     $SQL = "SELECT * FROM my_Table WHERE CONCAT(value1, value2, value3) IN ('".join("','", $list)."')";

This can be broken down into smaller parts so to explain by example.

    # This is to clean the input values for the SQL statement
    function mysql_clean($value) {
        return mysql_real_escape_string($value);
    }

    # Define your list of values to compare to
    $list = array(
        '6blue40lbs',
        '7orange50lbs',
        '8orange60lbs',
        '9purple70lbs',
    );

    # You will want to do something like this with the values of the $list
    # array just to make sure they are clean: reference the function above
    # (array_map() is used because array_walk() discards the callback's return value)
    $list = array_map('mysql_clean', $list);

    # This will return a string formatted like this.
    # '6blue40lbs','7orange50lbs','8orange60lbs','9purple70lbs'
    $IN_VALUE = "'".join("','", $list)."'";

    $SQL = "SELECT * FROM my_Table WHERE CONCAT(value1, value2, value3) IN ({$IN_VALUE})";

    # The final query string will look like this
    # SELECT * FROM my_Table WHERE CONCAT(value1, value2, value3) IN ('6blue40lbs','7orange50lbs','8orange60lbs','9purple70lbs')

    # Now run this through your query function and get the results
    $results = mysql_query($SQL) OR die('SQL Failure: '.$SQL);

So basically what we have is a comparison that is based off the output of the CONCAT() function that creates one string out of value1, value2, value3 and then compares that with each of the values listed within the parentheses.

The IN (...) part of the SQL statement tells SQL that it is getting a list of values that it should compare the concat() value against.

Doing it this way will allow you to only run one query instead of running one per value that you want to compare against. As you can tell, as your data set grows your multiple queries would drag your DB to a halt.

Hope this explains it. Let me know if you need further explanation.

> OK, I get everything up to the ('''.join(''','''$list).''') I'm guessing that the .join( ). putting together some values, but I don't know what also the .join( ). is to be preceded by something... I don't know what. //Forgive my ignorance, I'll can get it.
>
> Also the .join( ). what is this doing I looked at the PHP and MySQL function of each, and haven't seen comparable code. I'm asking because I don't know where we're telling the code to compare the values. You stated... and create one string from them Where do I give the name to the string?
>
> So this is where I am so far:
>
>     $sql = SELECT* FROM table WHERE CONCAT(size,color,weight) IN( );
>
> Jim Lucas [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
>
> > K. Hayes wrote:
> >
> > > Will do. Thanks.
> > >
> > > - Original Message -
> > > From: Jim Lucas [EMAIL PROTECTED]
> > > To: kvigor [EMAIL PROTECTED]
> > > Cc: php-general@lists.php.net
> > > Sent: Saturday, June 30, 2007 1:46 AM
> > > Subject: Re: [PHP] Selecting Rows Based on Row Values Being in Array
> > >
> > > > kvigor wrote:
> > > >
> > > > > Hello All,
> > > > >
> > > > > I'm attempting to return rows from a mysql DB based on this criteria: I have a list, in the form of an array that I need to compare against each row in the table. Where there's a match I need that entire row returned.
> > > > >
> > > > > e.g.$varListof 3outOf_10Fields = array(6blue40lbs, 7orange50lbs, 8orange60lbs, 9purple70lbs);
> > > > >
> > > > > The array contains 3 of the db row fields in 1 value. However there are 10 fields/columns in the table.
> > > > >
> > > > > === what table looks like | ===
> > > > > size colorweight
> > > > > ROW 1| value1 | value1 | value1 | value1 | value1 | value1 |
> > > > >
> > > > > So how could I set up a query that would SELECT the entire row, if the row contained $varListof 3outOf_10Fields[1]. Open to any suggestions or work arounds. I'm playing with extract() but code is too crude to even post.
> > > >
> > > > I would suggest approaching the problem with a slightly different thought. just have the sql concat() the columns together and then compare. something like this should do the trick
> > > >
> > > >     $list = array(
> > > >         '6blue40lbs',
> > > >         '7orange50lbs',
> > > >         '8orange60lbs',
> > > >         '9purple70lbs',
> > > >     );
> > > >     $SQL = "SELECT * FROM my_Table WHERE CONCAT(value1, value2, value3) IN ('".join("','", $list)."') ";
> > > >     mysql_query($SQL);
> > > >
> > > > this should take, for each row in the DB, value1 + value2 + value3 and create one string from them, then it will compare each string in the IN (...) portion to each entry in the $list array().
> > > >
> > > > Let me know if you need any further help
> >
> > one other thing, make sure that you run each of the values in the $list array() through mysql_real_escape_string(). That way it is all nicely encoded for the SQL statement.
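The same CONCAT(...) IN (...) lookup with one bound placeholder per list entry instead of a quoted, joined string, as an added example that is not code from the thread. It assumes an in-memory SQLite database in place of MySQL so that it runs without a server, registers `CONCAT()` as a shim for the MySQL function, and uses constructed rows and a hypothetical helper `selectByCombined()`.

```php
<?php
// Added example, not code from the thread. In-memory SQLite stands in for
// MySQL; CONCAT() is registered as a shim for the MySQL function.
$db = new SQLite3(':memory:');
$db->enableExceptions(true);
$db->createFunction('CONCAT', fn (...$parts) => implode('', $parts), -1);
$db->exec('CREATE TABLE my_Table (id INTEGER PRIMARY KEY, size TEXT, color TEXT, weight TEXT)');
$db->exec("INSERT INTO my_Table (size, color, weight) VALUES
    ('6', 'blue', '40lbs'), ('7', 'orange', '50lbs'),
    ('8', 'green', '60lbs'), ('9', 'purple', '70lbs')");   // constructed rows

/**
 * Return the rows whose size + color + weight equals one of the strings in
 * $list. The values never become part of the SQL text, so no escaping step
 * is needed and none can be forgotten.
 */
function selectByCombined(SQLite3 $db, array $list): array
{
    $list = array_values(array_unique(array_map('strval', $list)));
    if ($list === []) {
        return [];   // "IN ()" is a syntax error, so an empty list skips the query
    }

    // One "?" per value: IN (?,?,?,?)
    $placeholders = implode(',', array_fill(0, count($list), '?'));
    $stmt = $db->prepare(
        "SELECT * FROM my_Table WHERE CONCAT(size, color, weight) IN ($placeholders)"
    );
    foreach ($list as $i => $value) {
        $stmt->bindValue($i + 1, $value, SQLITE3_TEXT);   // positions are 1-based
    }
    // With mysqli the binding step has the same shape:
    //   $stmt->bind_param(str_repeat('s', count($list)), ...$list);

    $rows = [];
    $result = $stmt->execute();
    while ($row = $result->fetchArray(SQLITE3_ASSOC)) {
        $rows[] = $row;
    }
    return $rows;
}

$cases = [
    'list from the thread' => ['6blue40lbs', '7orange50lbs', '8orange60lbs', '9purple70lbs'],
    // Constructed hostile entry: pasted between quotes it would close the
    // IN list; as a bound value it is only a string that matches no row.
    'list with a quote in it' => ['6blue40lbs', "x') OR ('1'='1"],
    'empty list' => [],
];
foreach ($cases as $label => $list) {
    $ids = array_column(selectByCombined($db, $list), 'id');
    printf("%-24s ids: [%s]\n", $label, implode(', ', $ids));
}
```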
Re: [PHP] Re: Help! Made a boo-boo encrypting credit cards
2011/3/4 Nisse Engström news.nospam.0ixbt...@luden.se:

> On Fri, 11 Feb 2011 14:42:18 -0800, Brian Dunning wrote:
>
> > Hey all - I'm using mcrypt to store credit cards into MySQL. About 90% of them decrypt fine, but about 10% decrypt as nonsense (b1�\�JEÚU�A��� is a good example). Maybe there is a character that appears in about 10% of my encryptions that's not being encoded properly???
>
> Can you come up with a phony CC number that fails the decryption? If so, please post:
>
>     $cc_number
>     binhex($iv)
>     binhex($cc_encrypt)
>     binhex($row['encrypt_iv']))
>     binhex($row['cc_encrypt']))
>
> More below...
>
> >     // Encryption is set up at the top of the script:
> >     $crypto = mcrypt_module_open('rijndael-256', '', 'ofb', '');
> >     $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($crypto), MCRYPT_DEV_RANDOM);
> >     $ks = mcrypt_enc_get_key_size($crypto);
> >     $key = substr(md5('my_funky_term'), 0, $ks);
> >
> >     // When the card number is collected by the form, it's encrypted:
> >     $cc_number = addslashes($_POST['cc_number']);
> >     mcrypt_generic_init($crypto, $key, $iv);
> >     $cc_encrypt = mcrypt_generic($crypto, $cc_number);
> >     mcrypt_generic_deinit($crypto);
> >
> >     // This is written to the database:
> >     $query = "update accounts set cc_encrypt='$cc_encrypt', encrypt_iv='$iv', other_fields='$other_stuff' where id='$account_id' limit 1";
> >     $result = mysql_query($query) or die(mysql_error());
>
> No mysql_real_escape_string()?
>
> > Both the cc_encrypt and encrypt_iv fields are tinytext, latin1_swedish_ci, MyISAM, MySQL 5.0.91
>
> Why are you using text fields for storing binary data? Sounds like this could go horribly wrong for a number of reasons.
>
> > In another script, when I retrieve, I first set it up at the top of the script exactly like step #1 above, then retrieve it like this:
> >
> >     mcrypt_generic_init($crypto, $key, $row['encrypt_iv']);
> >     $cc_number = trim(mdecrypt_generic($crypto, $row['cc_encrypt']));
> >     mcrypt_generic_deinit($crypto);
>
> /Nisse

Considering there is no validation of the credit card number, you could just use a random string of numbers starting with 99. According to http://en.wikipedia.org/wiki/List_of_Bank_Identification_Numbers#References, nothing starts with 99.

-- Richard Quadling Twitter : EE : Zend @RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY
Re: [PHP] Re: Secure data management
On Tue, Oct 4, 2011 at 4:49 PM, Stuart Dallas stu...@3ft9.com wrote:

> On 5 Oct 2011, at 00:45, Tommy Pham wrote:
>
> > On Tue, Oct 4, 2011 at 4:11 PM, Stuart Dallas stu...@3ft9.com wrote:
> >
> > > On 5 Oct 2011, at 00:04, Mark Kelly wrote:
> > >
> > > > Hi.
> > > >
> > > > On Tuesday 04 Oct 2011 at 21:39 Stuart Dallas wrote:
> > > >
> > > > > http://stut.net/2011/09/15/mysql-real-escape-string-is-not-enough/
> > > >
> > > > Thanks. I followed this link through and read the full message (having missed it the first time round), and while I find the idea of using base64 to sanitise text interesting I can also foresee a few difficulties:
> > > >
> > > > It would prevent anyone from accessing the database directly and getting meaningful results unless the en/decode is in triggers, or maybe stored procedures. No more one-off command-line queries.
> > > >
> > > > How would you search an encoded column for matching text?
> > > >
> > > > I'd be interested in any ideas folk have about these issues, or any others they can envisage with this proposal.
> > >
> > > Base64 encoding will work when the native base64 functions are available in MySQL which will allow you to base64 encode the data into a statement like
> > >
> > >     INSERT INTO table SET field = FROM_BASE64("<?php echo base64_encode($data); ?>")
> > >
> > > sorta thing. I'm still not a massive fan of that idea given that prepared statements are an option, but it would work.
> > >
> > > -Stuart
> > >
> > > -- Stuart Dallas 3ft9 Ltd http://3ft9.com/
> >
> > Inserting and updating isn't the problem. I think what Mark is referring to is how would that be implemented in this simple type of query:
> >
> >     SELECT * FROM my_table WHERE col_name LIKE '%key word%';
> >
> > If there's no viable means to filter the data, that storage method/medium is rather pointless, IMHO.
>
> Go back and read what I wrote again. Base64 is only being used to transmit the data to MySQL - it's being stored in the database in its decoded form.
>
> -Stuart
>
> -- Stuart Dallas 3ft9 Ltd http://3ft9.com/

The question still applies as to how would you safeguard that 'key word' transmission, especially against SQL injection. I suppose one could do it this way:

    SELECT * FROM my_table WHERE col_name LIKE CONCAT('%', FROM_BASE64("<?php echo base64_encode($data); ?>"), '%')

Is the overhead worth it to warrant that kind of safeguard? That's just a simple query with a simple search criteria. What about in the case of subselect and multi-table joins?
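The LIKE search discussed in this thread, and the base64 transport from the earlier "sql injection protection" thread, run three ways side by side: pasted into the query, sent through FROM_BASE64(), and bound to a prepared statement without PDO. This is an added example, not code from either thread; it assumes an in-memory SQLite database in place of MySQL so that it runs without a server, registers `FROM_BASE64()` and `CONCAT()` as shims for the MySQL functions, and uses constructed rows and inputs.

```php
<?php
// Added example, not code from either thread. An in-memory SQLite database
// stands in for MySQL so the script runs without a server. FROM_BASE64() and
// CONCAT() are registered as shims for the MySQL functions the threads use.
$db = new SQLite3(':memory:');
$db->enableExceptions(true);
$db->createFunction('FROM_BASE64', 'base64_decode', 1);
$db->createFunction('CONCAT', fn (...$parts) => implode('', $parts), -1);
$db->exec('CREATE TABLE my_table (id INTEGER PRIMARY KEY, col_name TEXT)');

/** Collect the col_name values of a result set. */
function rows(SQLite3Result $result): array
{
    $out = [];
    while ($row = $result->fetchArray(SQLITE3_ASSOC)) {
        $out[] = $row['col_name'];
    }
    return $out;
}

/** Insert through the base64 transport: the statement text only ever holds
 *  base64 characters, and the database stores the decoded clear text. */
function insertBase64(SQLite3 $db, string $value): void
{
    $b64 = base64_encode($value);   // alphabet: A-Z a-z 0-9 + / =
    $db->exec("INSERT INTO my_table (col_name) VALUES (FROM_BASE64('$b64'))");
}

/** Vulnerable form: the search term is pasted between the quotes. */
function searchConcatenated(SQLite3 $db, string $term): array
{
    return rows($db->query(
        "SELECT col_name FROM my_table WHERE col_name LIKE '%" . $term . "%'"
    ));
}

/** The query proposed in the thread: the term travels as base64 and is
 *  decoded by the database, so it cannot close the string literal. */
function searchBase64(SQLite3 $db, string $term): array
{
    $b64 = base64_encode($term);
    return rows($db->query(
        "SELECT col_name FROM my_table WHERE col_name LIKE CONCAT('%', FROM_BASE64('$b64'), '%')"
    ));
}

/** Prepared statement: the term is sent separately from the SQL text. */
function searchPrepared(SQLite3 $db, string $term): array
{
    $stmt = $db->prepare(
        "SELECT col_name FROM my_table WHERE col_name LIKE CONCAT('%', :term, '%')"
    );
    $stmt->bindValue(':term', $term, SQLITE3_TEXT);
    return rows($stmt->execute());
}

// Constructed rows. They are stored decoded, so a plain LIKE can search them.
foreach (['some searchable text', 'a row with the key word in it', "O'Reilly, 40oz"] as $v) {
    insertBase64($db, $v);
}

// Note: % and _ inside the term still act as LIKE wildcards in all three
// variants; escape them separately if a literal match is required.
$inputs = [
    'key word',       // ordinary search term
    "O'Reilly",       // legitimate input that contains a quote
    "%' OR 1=1 --",   // constructed hostile input
];
foreach ($inputs as $term) {
    foreach (['searchConcatenated', 'searchBase64', 'searchPrepared'] as $fn) {
        try {
            $outcome = count($fn($db, $term)) . ' row(s)';
        } catch (Exception $e) {
            $outcome = 'SQL error: ' . $e->getMessage();
        }
        printf("%-14s %-20s %s\n", $term, $fn, $outcome);
    }
}
```

The base64 and prepared variants return the same rows for every input; only the concatenated form changes behaviour when the term contains a quote.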
Re: [PHP] Selecting Rows Based on Row Values Being in Array
Jim,

Please excuse the ignorance, I'm a newbie, but I'm only used to simple SELECT, INSERT statements.

Your original code:

    $SQL = "SELECT * FROM my_Table WHERE CONCAT(value1, value2, value3) IN ('".join("','", $list)."')";

OK, I get everything up to the ('''.join(''','''$list).''') I'm guessing that the .join( ). putting together some values, but I don't know what also the .join( ). is to be preceded by something... I don't know what. //Forgive my ignorance, I'll can get it.

Also the .join( ). what is this doing I looked at the PHP and MySQL function of each, and haven't seen comparable code. I'm asking because I don't know where we're telling the code to compare the values. You stated... and create one string from them Where do I give the name to the string?

So this is where I am so far:

    $sql = SELECT* FROM table WHERE CONCAT(size,color,weight) IN( );

Jim Lucas [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> K. Hayes wrote:
>
> > Will do. Thanks.
> >
> > - Original Message -
> > From: Jim Lucas [EMAIL PROTECTED]
> > To: kvigor [EMAIL PROTECTED]
> > Cc: php-general@lists.php.net
> > Sent: Saturday, June 30, 2007 1:46 AM
> > Subject: Re: [PHP] Selecting Rows Based on Row Values Being in Array
> >
> > > kvigor wrote:
> > >
> > > > Hello All,
> > > >
> > > > I'm attempting to return rows from a mysql DB based on this criteria: I have a list, in the form of an array that I need to compare against each row in the table. Where there's a match I need that entire row returned.
> > > >
> > > > e.g.$varListof 3outOf_10Fields = array(6blue40lbs, 7orange50lbs, 8orange60lbs, 9purple70lbs);
> > > >
> > > > The array contains 3 of the db row fields in 1 value. However there are 10 fields/columns in the table.
> > > >
> > > > === what table looks like | ===
> > > > size colorweight
> > > > ROW 1| value1 | value1 | value1 | value1 | value1 | value1 |
> > > >
> > > > So how could I set up a query that would SELECT the entire row, if the row contained $varListof 3outOf_10Fields[1]. Open to any suggestions or work arounds. I'm playing with extract() but code is too crude to even post.
> > >
> > > I would suggest approaching the problem with a slightly different thought. just have the sql concat() the columns together and then compare. something like this should do the trick
> > >
> > >     $list = array(
> > >         '6blue40lbs',
> > >         '7orange50lbs',
> > >         '8orange60lbs',
> > >         '9purple70lbs',
> > >     );
> > >     $SQL = "SELECT * FROM my_Table WHERE CONCAT(value1, value2, value3) IN ('".join("','", $list)."') ";
> > >     mysql_query($SQL);
> > >
> > > this should take, for each row in the DB, value1 + value2 + value3 and create one string from them, then it will compare each string in the IN (...) portion to each entry in the $list array().
> > >
> > > Let me know if you need any further help
>
> one other thing, make sure that you run each of the values in the $list array() through mysql_real_escape_string(). That way it is all nicely encoded for the SQL statement.
php-general Digest 5 Oct 2011 07:40:35 -0000 Issue 7505
what is happening and why the better your software will be.

In this particular case, the slashes are designed to mark quotes as part of the data and not the end of the data. For example...

    "this is an unescaped string containing " a quotation mark"

The MySQL parser will see the " in the middle and decide that that's the end of the data. However...

    "this is an escaped string containing \" a quotation mark"

The parser will see the \ before the " and that tells it the quote is part of the data. Because the \ is only there to tell it that it doesn't get left in the data when it's pushed into the database.

But escaping quotes (i.e. addslashes) is not enough to protect against SQL injection, and neither is mysql_real_escape_string as Shawn suggested. Prepared statements are the best option.

-Stuart

-- Stuart Dallas 3ft9 Ltd http://3ft9.com/

---End Message---
---BeginMessage---

Hi.

On Tuesday 04 Oct 2011 at 21:39 Stuart Dallas wrote:

> http://stut.net/2011/09/15/mysql-real-escape-string-is-not-enough/

Thanks. I followed this link through and read the full message (having missed it the first time round), and while I find the idea of using base64 to sanitise text interesting I can also foresee a few difficulties:

It would prevent anyone from accessing the database directly and getting meaningful results unless the en/decode is in triggers, or maybe stored procedures. No more one-off command-line queries.

How would you search an encoded column for matching text?

I'd be interested in any ideas folk have about these issues, or any others they can envisage with this proposal.

Cheers, Mark

---End Message---
---BeginMessage---

On 5 Oct 2011, at 00:04, Mark Kelly wrote:

> Hi.
>
> On Tuesday 04 Oct 2011 at 21:39 Stuart Dallas wrote:
>
> > http://stut.net/2011/09/15/mysql-real-escape-string-is-not-enough/
>
> Thanks. I followed this link through and read the full message (having missed it the first time round), and while I find the idea of using base64 to sanitise text interesting I can also foresee a few difficulties:
>
> It would prevent anyone from accessing the database directly and getting meaningful results unless the en/decode is in triggers, or maybe stored procedures. No more one-off command-line queries.
>
> How would you search an encoded column for matching text?
>
> I'd be interested in any ideas folk have about these issues, or any others they can envisage with this proposal.

Base64 encoding will work when the native base64 functions are available in MySQL which will allow you to base64 encode the data into a statement like

    INSERT INTO table SET field = FROM_BASE64("<?php echo base64_encode($data); ?>")

sorta thing. I'm still not a massive fan of that idea given that prepared statements are an option, but it would work.

-Stuart

-- Stuart Dallas 3ft9 Ltd http://3ft9.com/

---End Message---
---BeginMessage---

On Tue, Oct 4, 2011 at 4:11 PM, Stuart Dallas stu...@3ft9.com wrote:

> On 5 Oct 2011, at 00:04, Mark Kelly wrote:
>
> > Hi.
> >
> > On Tuesday 04 Oct 2011 at 21:39 Stuart Dallas wrote:
> >
> > > http://stut.net/2011/09/15/mysql-real-escape-string-is-not-enough/
> >
> > Thanks. I followed this link through and read the full message (having missed it the first time round), and while I find the idea of using base64 to sanitise text interesting I can also foresee a few difficulties:
> >
> > It would prevent anyone from accessing the database directly and getting meaningful results unless the en/decode is in triggers, or maybe stored procedures. No more one-off command-line queries.
> >
> > How would you search an encoded column for matching text?
> >
> > I'd be interested in any ideas folk have about these issues, or any others they can envisage with this proposal.
>
> Base64 encoding will work when the native base64 functions are available in MySQL which will allow you to base64 encode the data into a statement like
>
>     INSERT INTO table SET field = FROM_BASE64("<?php echo base64_encode($data); ?>")
>
> sorta thing. I'm still not a massive fan of that idea given that prepared statements are an option, but it would work.
>
> -Stuart
>
> -- Stuart Dallas 3ft9 Ltd http://3ft9.com/

Inserting and updating isn't the problem. I think what Mark is referring to is how would that be implemented in this simple type of query:

    SELECT * FROM my_table WHERE col_name LIKE '%key word%';

If there's no viable means to filter the data, that storage method/medium is rather pointless, IMHO.

---End Message---
---BeginMessage---

On 5 Oct 2011, at 00:45, Tommy Pham wrote:

> On Tue, Oct 4, 2011 at 4:11 PM, Stuart Dallas stu...@3ft9.com wrote:
>
> > On 5 Oct 2011, at 00:04, Mark Kelly wrote:
> >
> > > Hi.
> > >
> > > On Tuesday 04 Oct 2011 at 21:39 Stuart Dallas wrote:
> > >
> > > > http://stut.net/2011/09/15/mysql-real-escape-string-is-not-enough/
> > >
> > > Thanks. I followed this link through and read the full message (having missed it the first time round), and while I find the idea of using base64 to sanitise text interesting I can also foresee a few difficulties
php-general Digest 25 May 2011 14:38:59 -0000 Issue 7328
tried it n i can send the string without error

i tried it:

    $query1="select * from patient where id=".$_POST['txt'];

it works! after i found my error i tried it 2 n it was right!!!

---End Message---
---BeginMessage---

On Tue, 24 May 2011 23:47:47 +0700, Paul S pau...@roadrunner.com wrote:

> On Tue, 24 May 2011 21:09:34 +0700, Richard S. Crawford rscrawf...@mossroot.com wrote:
>
> > On Tue, May 24, 2011 at 6:51 AM, Paul S pau...@roadrunner.com wrote:
> >
> > > I'd like to check a table to retrieve rows for which one field equals one of a set of values
> > >
> > >     #get products(fields) in category list
> > >     while ($row = $db_connect->fetch_array($productsincategory_list)) {
> > >         $product = $row ['selection'];
> > >         $fields = $fields . "$product,";
> > >     }
> > >     $fields = substr($fields,'',-1);
> > >     ## echo "$fields<br><br>";
> > >     ## $fields = Prod1, ProD2, Prod3
> > >
> > > This ...
> > >
> > >     $db_connect->fetch_array($sql_result);
> > >     $store_result = $db_connect->query("select * from $sql_usertable WHERE (($sql_usertable.product1 = '($fields)')||( $sql_usertable.product2 = '($fields)')||($sql_usertable.product3 = '($fields)')) order by id desc limit $entry, $entries_per_page");
> > >
> > > doesn't work. It selects nothing (obviously because no single field equals ' (Prod1, Prod2, Prod3) '). But it's the idea. Can I change the: = '($fields)' syntax I'm trying?
> > >
> > > The actual select checks more fields for this or that and gets more complicated so I'd like to keep this as simple as possible. I would like to do this without UNIONS (in one pass) if possible (my dbsql.php doesn't seem to go beyond regular query).
> >
> > Try in:
> >
> >     where productx in (Prod1, Prod2, Prod3)
>
> THANKS. You saved me another day of frustration trying UNION! :-) In addition your answer also got me here: http://dev.mysql.com/doc/refman/4.1/en/comparison-operators.html

Except when $fields = '' (blank) MySql error. Can put in if but leaves an undefined resource (warning). Any way to initialize a resource? ($store_result = $db_connect->query)?

-- Using Opera's revolutionary email client: http://www.opera.com/mail/

---End Message---
---BeginMessage---

Hi,

Since a UTF-8 is a multi-bytes mechanism I get for 2 or 3 bytes UTF-8 encoded character a single character

How can it be broken into the REAL bytes array that represent the UTF-8 string and how can we reassemble the bytes array back to UTF-8?

-- Best Regards, *Eli Orr* CTO Founder *LogoDial Ltd.*

---End Message---
Re: [PHP] File To Blob Corruption
Hi,

Could it have something to do with an eof character being encoded or something like that?

Do you really need to store the files in the DB? It uses more processing power if stored in the DB because on retrieval, you have to unescape the string and return it. Modern filesystems are optimised better for files than databases and storing a filename and returning the contents is easier to implement than retrieving it from the DB...

http://forums.codewalkers.com/php-applications-45/upload-image-file-to-mysql-as-blob-849194.html

++Tim Hinnerk Heuer++ http://www.ihostnz.com

2009/11/15 Don Wieland d...@dwdataconcepts.com

> Hello,
>
> I am trying to create an UPLOAD page to Update Images and PDFs into a BLOB field in mySQL. The image keeps getting corrupted (it draws a portion of the image and the rest is GRAY). We tried it with Safari and Firefox with bad results.
>
> Here is the form that is used to browse and select the file.
>
>     <!-- Upload Image dialog -->
>     <div id="uploadImage">
>     <div id="llback"></div>
>     <center><div id="uploadForm">
>     <div id="uploadTitle">Upload Thumbnail image</div>
>     <iframe name="saveImage"></iframe>
>     <b>Please select the thumbnail image, then press Upload.</b>
>     <div style="margin-top:14px;margin-bottom:14px;text-align:center;width:100%">
>     <form target="saveImage" method="post" action="ajax/saveDialog.php" enctype="multipart/form-data">
>     Select Thumbnail: <input type="file" name="img" id="img" accept="image/jpeg" /></div>
>     <input type="hidden" name="obj" value="uploadImage" />
>     <input type="hidden" name="id" value="<?php echo $Area_id ?>" />
>     <input type="button" value="Upload" onclick="saveDialog('uploadImage','img','jpg');">
>     <input type="button" value="Cancel" onclick="cancelDialog('uploadImage','img')">
>     </form>
>     </div></center>
>     </div>
>
> Here is the QUERY to upload the image (saveDialog.php):
>
>     if($_POST['obj'] == "uploadImage") {
>         $file = $db->real_escape_string(file_get_contents($_FILES['img']['tmp_name']));
>         $db->query("UPDATE Areas SET Image = '$file'") or die("1".$db->error);
>     }
>
> Has anyone else ever run into this type of UPDATE error with images and PDF? We really need to get this dealt with ASAP. Thanks!
>
> Don Wieland
> D W D a t a C o n c e p t s ~ d...@dwdataconcepts.com
> Direct Line - (949) 305-2771
>
> Integrated data solutions to fit your business needs.
>
> Need assistance in dialing in your FileMaker solution? Check out our Developer Support Plan at: http://www.dwdataconcepts.com/DevSup.html
>
> Appointment 1.0v9 - Powerful Appointment Scheduling for FileMaker Pro 9 or higher http://www.appointment10.com
>
> For a quick overview - http://www.appointment10.com/Appt10_Promo/Overview.html
Re: [PHP] File To Blob Corruption
On Sun, 2009-11-15 at 16:43 +1300, German Geek wrote:
> Hi,
>
> Could it have something to do with an eof character being encoded or something like that?
>
> Do you really need to store the files in the DB? It uses more processing power if stored in the DB because on retrieval, you have to unescape the string and return it. Modern filesystems are optimised better for files than databases and storing a filename and returning the contents is easier to implement than retrieving it from the DB...
>
> http://forums.codewalkers.com/php-applications-45/upload-image-file-to-mysql-as-blob-849194.html
>
> ++Tim Hinnerk Heuer++
> http://www.ihostnz.com
>
> 2009/11/15 Don Wieland d...@dwdataconcepts.com
> > Hello,
> >
> > I am trying to create an UPLOAD page to Update Images and PDFs into a BLOB field in mySQL. The image keeps getting corrupted (it draws a portion of the image and the rest is GRAY). We tried it with Safari and Firefox with bad results.
> >
> > Here is the form that is used to browse and select the file.
> >
> > <!-- Upload Image dialog -->
> > <div id="uploadImage">
> > <div id="llback"></div>
> > <center><div id="uploadForm">
> > <div id="uploadTitle">Upload Thumbnail image</div>
> > <iframe name="saveImage"></iframe>
> > <b>Please select the thumbnail image, then press Upload.</b>
> > <div style="margin-top:14px;margin-bottom:14px;text-align:center;width:100%">
> > <form target="saveImage" method="post" action="ajax/saveDialog.php" enctype="multipart/form-data">
> > Select Thumbnail: <input type="file" name="img" id="img" accept="image/jpeg" /></div>
> > <input type="hidden" name="obj" value="uploadImage" />
> > <input type="hidden" name="id" value="<?php echo $Area_id ?>" />
> > <input type="button" value="Upload" onclick="saveDialog('uploadImage','img','jpg');">
> > <input type="button" value="Cancel" onclick="cancelDialog('uploadImage','img')">
> > </form>
> > </div></center>
> > </div>
> >
> > Here is the QUERY to upload the image (saveDialog.php):
> >
> > if($_POST['obj'] == "uploadImage") {
> >     $file = $db->real_escape_string(file_get_contents($_FILES['img']['tmp_name']));
> >     $db->query("UPDATE Areas SET Image = '$file'") or die("1".$db->error);
> >
> > Has anyone else ever run into this type of UPDATE error with images and PDF? We really need to get this dealt with ASAP.
> >
> > Thanks!
> >
> > Don Wieland
> > D W D a t a C o n c e p t s ~ d...@dwdataconcepts.com
> > Direct Line - (949) 305-2771
> > Integrated data solutions to fit your business needs.
> > Need assistance in dialing in your FileMaker solution? Check out our Developer Support Plan at: http://www.dwdataconcepts.com/DevSup.html
> > Appointment 1.0v9 - Powerful Appointment Scheduling for FileMaker Pro 9 or higher http://www.appointment10.com
> > For a quick overview - http://www.appointment10.com/Appt10_Promo/Overview.html

Like someone mentioned on the link you posted; storing the images in the database does offer a layer of security, as database access is far easier to control than file access.

Thanks,
Ash
http://www.ashleysheridan.co.uk
Re: [PHP] Re: Secure data management
On 5 Oct 2011, at 01:13, Tommy Pham wrote:
> On Tue, Oct 4, 2011 at 4:49 PM, Stuart Dallas stu...@3ft9.com wrote:
> > On 5 Oct 2011, at 00:45, Tommy Pham wrote:
> > > On Tue, Oct 4, 2011 at 4:11 PM, Stuart Dallas stu...@3ft9.com wrote:
> > > > On 5 Oct 2011, at 00:04, Mark Kelly wrote:
> > > > > Hi.
> > > > >
> > > > > On Tuesday 04 Oct 2011 at 21:39 Stuart Dallas wrote:
> > > > > > http://stut.net/2011/09/15/mysql-real-escape-string-is-not-enough/
> > > > >
> > > > > Thanks. I followed this link through and read the full message (having missed it the first time round), and while I find the idea of using base64 to sanitise text interesting I can also foresee a few difficulties:
> > > > >
> > > > > It would prevent anyone from accessing the database directly and getting meaningful results unless the en/decode is in triggers, or maybe stored procedures. No more one-off command-line queries.
> > > > >
> > > > > How would you search an encoded column for matching text?
> > > > >
> > > > > I'd be interested in any ideas folk have about these issues, or any others they can envisage with this proposal.
> > > >
> > > > Base64 encoding will work when the native base64 functions are available in MySQL which will allow you to base64 encode the data into a statement like
> > > >
> > > > INSERT INTO table SET field = FROM_BASE64("<?php echo base64_encode($data); ?>")
> > > >
> > > > sorta thing. I'm still not a massive fan of that idea given that prepared statements are an option, but it would work.
> > > >
> > > > -Stuart
> > > > -- Stuart Dallas 3ft9 Ltd http://3ft9.com/
> > >
> > > Inserting and updating isn't the problem. I think Mark referring to is how would that be implemented in this simple type of query:
> > >
> > > SELECT * FROM my_table WHERE col_name LIKE '%key word%';
> > >
> > > If there's no viable mean to filter the data, that storage method/medium is rather pointless, IMHO.
> >
> > Go back and read what I wrote again. Base64 is only being used to transmit the data to MySQL - it's being stored in the database in its decoded form.
> >
> > -Stuart
> > -- Stuart Dallas 3ft9 Ltd http://3ft9.com/
>
> The question still applies as how would you safeguard that 'key word' transmission, especially against SQL injection. I suppose one could do it this way:
>
> SELECT * FROM my_table WHERE col_name LIKE CONCAT('%', FROM_BASE64("<?php echo base64_encode($data); ?>"), '%')
>
> Is the overhead worth it to warrant that kind of safeguard? That's just a simple query with a simple search criteria. What about in the case of subselect and multi-table joins?

That would indeed be logical if base64 was your chosen method of protection, but I think prepared statements are a far more elegant solution. As for the overhead I very much doubt there's much difference between that and the overhead of prepared statements.

-Stuart
-- Stuart Dallas 3ft9 Ltd http://3ft9.com/
Re: [PHP] Re: Secure data management
On Tue, Oct 4, 2011 at 5:51 PM, Stuart Dallas stu...@3ft9.com wrote:
> On 5 Oct 2011, at 01:13, Tommy Pham wrote:
> > On Tue, Oct 4, 2011 at 4:49 PM, Stuart Dallas stu...@3ft9.com wrote:
> > > On 5 Oct 2011, at 00:45, Tommy Pham wrote:
> > > > On Tue, Oct 4, 2011 at 4:11 PM, Stuart Dallas stu...@3ft9.com wrote:
> > > > > On 5 Oct 2011, at 00:04, Mark Kelly wrote:
> > > > > > Hi.
> > > > > >
> > > > > > On Tuesday 04 Oct 2011 at 21:39 Stuart Dallas wrote:
> > > > > > > http://stut.net/2011/09/15/mysql-real-escape-string-is-not-enough/
> > > > > >
> > > > > > Thanks. I followed this link through and read the full message (having missed it the first time round), and while I find the idea of using base64 to sanitise text interesting I can also foresee a few difficulties:
> > > > > >
> > > > > > It would prevent anyone from accessing the database directly and getting meaningful results unless the en/decode is in triggers, or maybe stored procedures. No more one-off command-line queries.
> > > > > >
> > > > > > How would you search an encoded column for matching text?
> > > > > >
> > > > > > I'd be interested in any ideas folk have about these issues, or any others they can envisage with this proposal.
> > > > >
> > > > > Base64 encoding will work when the native base64 functions are available in MySQL which will allow you to base64 encode the data into a statement like
> > > > >
> > > > > INSERT INTO table SET field = FROM_BASE64("<?php echo base64_encode($data); ?>")
> > > > >
> > > > > sorta thing. I'm still not a massive fan of that idea given that prepared statements are an option, but it would work.
> > > > >
> > > > > -Stuart
> > > > > -- Stuart Dallas 3ft9 Ltd http://3ft9.com/
> > > >
> > > > Inserting and updating isn't the problem. I think Mark referring to is how would that be implemented in this simple type of query:
> > > >
> > > > SELECT * FROM my_table WHERE col_name LIKE '%key word%';
> > > >
> > > > If there's no viable mean to filter the data, that storage method/medium is rather pointless, IMHO.
> > >
> > > Go back and read what I wrote again. Base64 is only being used to transmit the data to MySQL - it's being stored in the database in its decoded form.
> > >
> > > -Stuart
> > > -- Stuart Dallas 3ft9 Ltd http://3ft9.com/
> >
> > The question still applies as how would you safeguard that 'key word' transmission, especially against SQL injection. I suppose one could do it this way:
> >
> > SELECT * FROM my_table WHERE col_name LIKE CONCAT('%', FROM_BASE64("<?php echo base64_encode($data); ?>"), '%')
> >
> > Is the overhead worth it to warrant that kind of safeguard? That's just a simple query with a simple search criteria. What about in the case of subselect and multi-table joins?
>
> That would indeed be logical if base64 was your chosen method of protection, but I think prepared statements are a far more elegant solution. As for the overhead I very much doubt there's much difference between that and the overhead of prepared statements.
>
> -Stuart
> -- Stuart Dallas 3ft9 Ltd http://3ft9.com/

IIRC, prepared statements doesn't incur any overhead. Instead, it's supposed to enhance performance by telling SQL to 'prepare' via compilation. So if you're comparing performance between the overhead of base64 vs prepared statement, then the difference would be quite clear, especially when the table(s) is/are more than a couple hundred thousand rows and the queri(es) are complex. This is not mention the added complexity into the application where managing and expanding it would incur real (developer time) overhead, IMO.
php-general Digest 25 Oct 2008 22:28:28 -0000 Issue 5755
Robles, California, Central Coast, USA Cabernet Sauvignon etc and create a query which would return the data like this:

Liberty School Chardonnay (USA, California, Central Coast)
2007, 2006, 2005, 2004, 2003, 2002, 2001, 2000, 1997, 1985

Liberty School Cabernet Sauvignon (USA, California)
2006, 2005, 2004, 2003, 2002, 2001, 2000, 1999, 1998, 1997, 1996, 1995, 1990, 1982, 1976

Liberty School Cabernet Sauvignon (USA, California, Central Coast, Paso Robles)
2005, 1993

Liberty School Cabernet Sauvignon (USA, California, Sonoma County)
2003, 1984

Basically I somehow need to do a GROUP BY producer, and yet somehow at the same time, find out all the matching vintages (years), that go along with that group and return them the same time the producer group is returned.

Right now, my PHP/SQL query string is:

$query = 'SELECT * FROM wine WHERE MATCH(producer, varietal, appellation, designation, region, vineyard, subregion, country, vintage) AGAINST ( ' . $combostring . ' IN BOOLEAN MODE ) ORDER BY ' . $orderby . ', producer ASC LIMIT 0,100';

This produced the first list you see at the top of this email. Any help is greatly appreciated.

---End Message---
---BeginMessage---
> Basically I somehow need to do a GROUP BY producer, and yet somehow at the same time, find out all the matching vintages (years), that go along with that group and return them the same time the producer group is returned.

If I'm following you correctly, you have a column year in your group, and rather than returning just one year in your result set, you would like every year in the group. This can be accomplished with the group_concat() [1] function:

SELECT field1,field2,field3, GROUP_CONCAT(DISTINCT year) as years FROM table WHERE conditions GROUP BY foo;

[1] http://dev.mysql.com/doc/refman/5.0/en/group-by-functions.html#function_group-concat

-- GREG.

---End Message---
---BeginMessage---
On Oct 23, 2008, at 2:10 PM, Jochem Maas wrote:
> > The order is reversed, so if $host has a non-zero length, it is not escaped.
>
> first thing that I noticed, second wondering why no charset was specified, thirdly was wondering why it's not plain:
>
> $host = htmlentities($host);
>
> but nonetheless your point stands, :-)

Yeah, fair enough. To my credit, I also noticed the problem without spending more than a second or two on that line, but I also recognized how it could be missed. To me, it's similar to missing when someone calls a function and gets the order of arguments wrong. You can tell what they meant, so the error doesn't stand out as boldly. Perhaps subconsciously you anticipate that they're right, because in most of the code, they are.

The challenge of being perfect is why I've developed a number of tools to help me out. I'm going to release one of the best of these as open source in a few months. I might mention that on this list, since it seems appropriate. Hopefully no one will mind the advertising too much. :-)

> now about that charset ... your blog post uses UTF-7 to demonstrate the potential for problems ... but htmlentities() doesn't support that charset, or at least not according to the docs, in fact the list of supported charsets is quite limited, out of curiosity what would your recommendation be if one is faced with a having 'htmlentize' a string encoded in UTF-7 or some other charset not supported by htmlentities()?

That's a good question. I would probably convert it to something like UTF-8, escape it, then convert it back. I've never faced this situation, and the scenario I was recreating in my post was when someone attacked Google using UTF-7. Google didn't actually want to support that character encoding.

If you specify ISO-8859-1 in your Content-Type header, it's actually fine to omit the character encoding in htmlentities(), because it uses that by default. (Also, not all mismatches are exploitable.) However, it always catches my eye, because it demonstrates a lax treatment of character encoding in general. I like to see it explicitly declared everywhere.

> a second question: strip_tags() doesn't have a charset parameter, how does it manage to cope without knowing the input string encoding? or does it not and is it actually vulnerable to maliciously encoded input?

My guess would be that it doesn't cope. :-) I never use strip_tags(), so someone else might be able to offer a much better answer.

Hope that helps, and thanks for the discussion.

Chris
-- Chris Shiflett http://shiflett.org/

---End Message---
[PHP] Re: Newbie Question
Ok, I think I have the solution to your problem. Try using nl2br() on the data in that field..

Example: I have a message table that allows one user to send an instant message to another user on my site. There are several fields, one of which being a TEXT column (MySQL db). I use a simple textarea form element to get the data. It inserts into the DB as basically a single line regardless of the ENTER keystrokes in the data. Now, when I pull it back out I use this:

$query = "SELECT * FROM message WHERE msg_id = '$msg_id'";
$query_result = mysql_query($query);
$query_row = mysql_fetch_array($query_result);
$message = $query_row["message"];
echo "Message text:".nl2br($message);

And that should do what you need.

Lee Willmann

Steve Brett [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> have a look at get_html_translation_table() in the php manual.
>
> there is an example of conversion of all special chars so they can be inserted into the database as text (i.e. £pound) and a cool way of 'decoding' them if you need to write them to a file. A Browser will interpret them correctly when they are displayed.
>
> This must be the question of the day as i have posted this answer three times today :-)
>
> Let me know if you need any more help
>
> Steve
>
> get_html_translation_table manual page is below:
>
> get_html_translation_table
> (PHP 4 >= 4.0b4)
> get_html_translation_table -- Returns the translation table used by htmlspecialchars() and htmlentities()
>
> Description
> string get_html_translation_table (int table [, int quote_style])
>
> get_html_translation_table() will return the translation table that is used internally for htmlspecialchars() and htmlentities(). There are two new defines (HTML_ENTITIES, HTML_SPECIALCHARS) that allow you to specify the table you want. And as in the htmlspecialchars() and htmlentities() functions you can optionally specify the quote_style you are working with. The default is ENT_COMPAT mode. See the description of these modes in htmlspecialchars().
>
> Example 1. Translation Table Example
>
> $trans = get_html_translation_table (HTML_ENTITIES);
> $str = "Hallo & <Frau> & Krämer";
> $encoded = strtr ($str, $trans);
>
> The $encoded variable will now contain: "Hallo &amp; &lt;Frau&gt; &amp; Kr&auml;mer".
>
> The cool thing is using array_flip() to change the direction of the translation.
>
> $trans = array_flip ($trans);
> $original = strtr ($str, $trans);
>
> The content of $original would be: "Hallo & <Frau> & Krämer".
>
> Note: This function was added in PHP 4.0.
>
> See also: htmlspecialchars(), htmlentities(), strtr(), and array_flip().
>
> Jay Fitzgerald [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> > Ok, I am still fairly new at PHP and MySQL also, so please bear with me.
> >
> > TASK: I have a client that wants to have job openings listed on their site and they want to be able to add, edit and delete the postings themselves. I would do this in flat-file format but there is the risk of that file size getting too large and slowing down the server.
> >
> > SOLUTION: I have created a MySQL database that will hold all the postings in a table called 'jobs' and have created a PHP form that will post this jobs into the db.
> >
> > PROBLEM: When I go to the PHP form and enter all of the pertinent job information, there is one specific field that will have to have carriage returns/line breaks in it between paragraphs. Everything is working except for this. Is there a way whenever the user presses ENTER, that either PHP/MySQL will convert this into a BR tag only when being displayed in a browser and not in the db??
> >
> > Can anyone out there please help me with this? I am available off-list as well if it will be easier to pass code back and forth. Any assistance is greatly appreciated!
> >
> > Should you have any questions, comments or concerns, feel free to call me at 318-338-2034.
> >
> > Thank you for your time,
> >
> > Jay Fitzgerald, Design Director - CSBW-A, CPW-A, CWD-A, CEMS-A
> > Bayou Internet (888) 30-BAYOU http://www.bayou.com
> > Mississippi Internet (800) MISSISSIPPI http://www.mississippi.net
> > Vicksburg Online (800) MISSISSIPPI http://www.vicksburg.com
> > Tel: (318) 338-2034 ICQ: 38823829 Fax: (318) 323-5053
php-general Digest 2 Jul 2007 12:14:09 -0000 Issue 4880
Topics (messages 258025 through 258028):

Re: Selecting Rows Based on Row Values Being in Array
    258025 by: Jim Lucas

Re: Anybody had luck compiling memcache with php6 ?
    258026 by: M. Sokolewicz
    258027 by: Stut

Re: mail function problem
    258028 by: web2.get-telecom.fr

---BeginMessage---
kvigor wrote:
> Jim,
>
> Please excuse the ignorance, I'm a newbie, but I'm only used to simple SELECT, INSERT statements.
>
> Your original code:
> $SQL = "SELECT * FROM my_Table WHERE CONCAT(value1, value2, value3) IN ('".join("','", $list)."')";

This can be broken down into smaller parts so to explain by example.

# This is to clean the input values for the SQL statement
function mysql_clean($value) {
    return mysql_real_escape_string($value);
}

# Define your list of values to compare to
$list = array(
    '6blue40lbs',
    '7orange50lbs',
    '8orange60lbs',
    '9purple70lbs',
);

# You will want to do something like this with the values of the $list
# array just to make sure they are clean: reference the function above
# (array_map() keeps the escaped values; array_walk() would discard what
# mysql_clean() returns and leave $list unescaped)
$list = array_map('mysql_clean', $list);

# This will return a string formatted like this.
# '6blue40lbs','7orange50lbs','8orange60lbs','9purple70lbs'
$IN_VALUE = "'".join("','", $list)."'";

$SQL = "SELECT * FROM my_Table WHERE CONCAT(value1, value2, value3) IN ({$IN_VALUE})";

# The final query string will look like this
# SELECT * FROM my_Table WHERE CONCAT(value1, value2, value3) IN ('6blue40lbs','7orange50lbs','8orange60lbs','9purple70lbs')

# Now run this through your query function and get the results
$results = mysql_query($SQL) OR die('SQL Failure: '.$SQL);

So basically what we have is a comparison that is based off the output of the CONCAT() function that creates one string out of value1, value2, value3 and then compares that with each of the values listed within the parenthesis.

the IN (...) part of the SQL statement tells SQL that it is getting a list of values that it should compare the concat() value against.

Doing it this way, will allow you to only run one query instead of running one per value that you want to compare against. As you can tell, as your data set grows your multiple queries would drag your DB to a halt

Hope this explains it. Let me know if you need further explanation.

> OK, I get everything up to the ('''.join(''','''$list).''') I'm guessing that the .join( ). putting together some values, but I don't know what also the .join( ). is to be preceded by something... I don't know what. //Forgive my ignorance, I'll can get it.
>
> Also the .join( ). what is this doing I looked at the PHP and MySQL function of each, and haven't seen comparable code. I'm asking because I don't know where we're telling the code to compare the values.
>
> You stated... and create one string from them Where do I give the name to the string?
>
> So this is where I am so far:
> $sql = SELECT* FROM table WHERE CONCAT(size,color,weight) IN( );
>
> Jim Lucas [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> > K. Hayes wrote:
> > Will do. Thanks.
> >
> > - Original Message -
> > From: Jim Lucas [EMAIL PROTECTED]
> > To: kvigor [EMAIL PROTECTED]
> > Cc: [EMAIL PROTECTED]
> > Sent: Saturday, June 30, 2007 1:46 AM
> > Subject: Re: [PHP] Selecting Rows Based on Row Values Being in Array
> >
> > kvigor wrote:
> > Hello All,
> >
> > I'm attempting to return rows from a mysql DB based on this criteria: I have a list, in the form of an array that I need to compare against each row in the table. Where there's a match I need that entire row returned.
> >
> > e.g.$varListof 3outOf_10Fields = array(6blue40lbs, 7orange50lbs, 8orange60lbs, 9purple70lbs);
> >
> > The array contains 3 of the db row fields in 1 value. However there are 10 fields/columns in the table.
> >
> > === what table looks like | === size colorweight ROW 1| value1 | value1 | value1 | value1 | value1 | value1 |
> >
> > So how could I set up a query that would SELECT the entire row, if the row contained $varListof 3outOf_10Fields[1].
> >
> > Open to any suggestions or work arounds. I'm playing with extract() but code is too crude to even post.
> >
> > I would suggest approaching the problem with a slightly different thought. just have the sql concat() the columns together and then compare. something like this should do the trick
> >
> > $list = array( '6blue40lbs', '7orange50lbs', '8orange60lbs', '9purple70lbs', );
> > $SQL = " SELECT * FROM my_Table WHERE CONCAT(value1, value2, value3) IN ('".join("','", $list)."') ";
> > mysql_query($SQL);
> >
> > this should take, for each row in the DB, value1
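The same IN (...) comparison with one bound placeholder per list entry, so no value is ever spliced into the SQL text. This is an added example, not code from the messages above: it assumes the pdo_sqlite extension and an in-memory SQLite database standing in for MySQL, and rows_matching() and the sample rows are hypothetical and constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example: rows_matching() is a hypothetical helper, not code from the thread.
function rows_matching(PDO $db, array $list): array
{
    if ($list === []) {
        return [];      // "IN ()" is a syntax error, and nothing could match anyway
    }
    // MySQL spells concatenation CONCAT(); SQLite (used below) spells it ||.
    $concat = $db->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql'
        ? 'CONCAT(value1, value2, value3)'
        : 'value1 || value2 || value3';
    // One "?" per entry. Only the number of entries shapes the SQL text;
    // the entries themselves travel separately as bound parameters.
    $marks = implode(',', array_fill(0, count($list), '?'));
    $stmt = $db->prepare("SELECT * FROM my_Table WHERE $concat IN ($marks)");
    $stmt->execute(array_values($list));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample table and rows (assumption: all three columns are text).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE my_Table (value1 TEXT, value2 TEXT, value3 TEXT, note TEXT)');
$ins = $db->prepare('INSERT INTO my_Table VALUES (?, ?, ?, ?)');
foreach ([
    ['6', 'blue',   '40lbs', 'row A'],
    ['7', 'orange', '50lbs', 'row B'],
    ['5', 'green',  '30lbs', 'row C'],
] as $row) {
    $ins->execute($row);
}

// The last entry contains quote characters that would break a hand-built
// IN ('...') string; as a bound value it is just a string that matches nothing.
$list = ['6blue40lbs', '7orange50lbs', "x') OR ('1'='1"];
foreach (rows_matching($db, $list) as $row) {
    echo $row['note'], "\n";
}
echo count(rows_matching($db, [])), " rows for an empty list\n";
```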
php-general Digest 2 Jul 2007 00:06:55 -0000 Issue 4879
Topics (messages 258021 through 258024):

Re: Flash / Ajax / PHP
    258021 by: David Giragosian

Re: mail function problem
    258022 by: Chris

Re: Selecting Rows Based on Row Values Being in Array
    258023 by: kvigor

Anybody had luck compiling memcache with php6 ?
    258024 by: Cathy Murphy

---BeginMessage---
On 7/1/07, Ryan A [EMAIL PROTECTED] wrote:
> > but the image, when updated, is still unstable on IE while still _perfectly_ stable on FireFox.
>
> This might be due to cacheing on IE which anyone who has messed with php online for a little time will be familier with. IE is a bitch at times... just likes the company that makes the software ;)
>
> Sometimes this gets solved with spitting out some headers telling IE not to cache while others have (dirty) solved it by adding a hash or something else unique to the page or the image... for example:
>
> php_script.php?get_img=img_name&random=something_random_here
>
> HTH.
>
> Cheers!
> R
>
> --
> - The faulty interface lies between the chair and the keyboard.
> - Creativity is great, but plagiarism is faster!
> - Smile, everyone loves a moron. :-)

Thanks, Ryan. That gives me something to explore when I get to work on Monday.

David

---End Message---
---BeginMessage---
[EMAIL PROTECTED] wrote:
> Hi,
>
> I'm running PHP 5.2.3 on Solaris 10 (AMD64). My mail function doesn't send any mail, the return value of mail function is false... But sendmail_path value is OK in php.ini, and I've tried to send a mail with sendmail on console with the same user (the apache user), and everything's ok...
>
> Does anyone have solution ?

Check your mail logs and your apache logs to see if any errors are showing up.

-- Postgresql php tutorials http://www.designmagick.com/

---End Message---
---BeginMessage---
Jim,

Please excuse the ignorance, I'm a newbie, but I'm only used to simple SELECT, INSERT statements.

Your original code:
$SQL = "SELECT * FROM my_Table WHERE CONCAT(value1, value2, value3) IN ('".join("','", $list)."')";

OK, I get everything up to the ('''.join(''','''$list).''') I'm guessing that the .join( ). putting together some values, but I don't know what also the .join( ). is to be preceded by something... I don't know what. //Forgive my ignorance, I'll can get it.

Also the .join( ). what is this doing I looked at the PHP and MySQL function of each, and haven't seen comparable code. I'm asking because I don't know where we're telling the code to compare the values.

You stated... and create one string from them Where do I give the name to the string?

So this is where I am so far:
$sql = SELECT* FROM table WHERE CONCAT(size,color,weight) IN( );

Jim Lucas [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> K. Hayes wrote:
> Will do. Thanks.
>
> - Original Message -
> From: Jim Lucas [EMAIL PROTECTED]
> To: kvigor [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Sent: Saturday, June 30, 2007 1:46 AM
> Subject: Re: [PHP] Selecting Rows Based on Row Values Being in Array
>
> kvigor wrote:
> Hello All,
>
> I'm attempting to return rows from a mysql DB based on this criteria: I have a list, in the form of an array that I need to compare against each row in the table. Where there's a match I need that entire row returned.
>
> e.g.$varListof 3outOf_10Fields = array(6blue40lbs, 7orange50lbs, 8orange60lbs, 9purple70lbs);
>
> The array contains 3 of the db row fields in 1 value. However there are 10 fields/columns in the table.
>
> === what table looks like | === size colorweight ROW 1| value1 | value1 | value1 | value1 | value1 | value1 |
>
> So how could I set up a query that would SELECT the entire row, if the row contained $varListof 3outOf_10Fields[1].
>
> Open to any suggestions or work arounds. I'm playing with extract() but code is too crude to even post.
>
> I would suggest approaching the problem with a slightly different thought. just have the sql concat() the columns together and then compare. something like this should do the trick
>
> $list = array( '6blue40lbs', '7orange50lbs', '8orange60lbs', '9purple70lbs', );
> $SQL = " SELECT * FROM my_Table WHERE CONCAT(value1, value2, value3) IN ('".join("','", $list)."') ";
> mysql_query($SQL);
>
> this should take, for each row in the DB, value1 + value2 + value3 and create one string from them, then it will compare each string in the IN (...) portion to each entry in the $list array(). Let me
Re: [PHP] Re: Secure data management
On 5 Oct 2011, at 02:02, Tommy Pham wrote:
> On Tue, Oct 4, 2011 at 5:51 PM, Stuart Dallas stu...@3ft9.com wrote:
> > On 5 Oct 2011, at 01:13, Tommy Pham wrote:
> > > On Tue, Oct 4, 2011 at 4:49 PM, Stuart Dallas stu...@3ft9.com wrote:
> > > > On 5 Oct 2011, at 00:45, Tommy Pham wrote:
> > > > > On Tue, Oct 4, 2011 at 4:11 PM, Stuart Dallas stu...@3ft9.com wrote:
> > > > > > On 5 Oct 2011, at 00:04, Mark Kelly wrote:
> > > > > > > Hi.
> > > > > > >
> > > > > > > On Tuesday 04 Oct 2011 at 21:39 Stuart Dallas wrote:
> > > > > > > > http://stut.net/2011/09/15/mysql-real-escape-string-is-not-enough/
> > > > > > >
> > > > > > > Thanks. I followed this link through and read the full message (having missed it the first time round), and while I find the idea of using base64 to sanitise text interesting I can also foresee a few difficulties:
> > > > > > >
> > > > > > > It would prevent anyone from accessing the database directly and getting meaningful results unless the en/decode is in triggers, or maybe stored procedures. No more one-off command-line queries.
> > > > > > >
> > > > > > > How would you search an encoded column for matching text?
> > > > > > >
> > > > > > > I'd be interested in any ideas folk have about these issues, or any others they can envisage with this proposal.
> > > > > >
> > > > > > Base64 encoding will work when the native base64 functions are available in MySQL which will allow you to base64 encode the data into a statement like
> > > > > >
> > > > > > INSERT INTO table SET field = FROM_BASE64("<?php echo base64_encode($data); ?>")
> > > > > >
> > > > > > sorta thing. I'm still not a massive fan of that idea given that prepared statements are an option, but it would work.
> > > > >
> > > > > Inserting and updating isn't the problem. I think Mark referring to is how would that be implemented in this simple type of query:
> > > > >
> > > > > SELECT * FROM my_table WHERE col_name LIKE '%key word%';
> > > > >
> > > > > If there's no viable mean to filter the data, that storage method/medium is rather pointless, IMHO.
> > > >
> > > > Go back and read what I wrote again. Base64 is only being used to transmit the data to MySQL - it's being stored in the database in its decoded form.
> > >
> > > The question still applies as how would you safeguard that 'key word' transmission, especially against SQL injection. I suppose one could do it this way:
> > >
> > > SELECT * FROM my_table WHERE col_name LIKE CONCAT('%', FROM_BASE64("<?php echo base64_encode($data); ?>"), '%')
> > >
> > > Is the overhead worth it to warrant that kind of safeguard? That's just a simple query with a simple search criteria. What about in the case of subselect and multi-table joins?
> >
> > That would indeed be logical if base64 was your chosen method of protection, but I think prepared statements are a far more elegant solution. As for the overhead I very much doubt there's much difference between that and the overhead of prepared statements.
>
> IIRC, prepared statements doesn't incur any overhead. Instead, it's supposed to enhance performance by telling SQL to 'prepare' via compilation. So if you're comparing performance between the overhead of base64 vs prepared statement, then the difference would be quite clear, especially when the table(s) is/are more than a couple hundred thousand rows and the queri(es) are complex. This is not mention the added complexity into the application where managing and expanding it would incur real (developer time) overhead, IMO.

Prepared statements incur an additional hit against the DB server to prepare the statement. The cost of using base64 in the manner suggested is minimal, regardless of the size of the data. The MySQL query analyser is intelligent enough to know that from_base64('xyz') is a constant expression and will therefore only evaluate it once.

As for the added complexity, if you have SQL statements all over your code then yes it will add a time overhead, but any codebase of a significant size should be using a centralised API for database access such that changes like this have a very limited scope.

-Stuart
-- Stuart Dallas 3ft9 Ltd http://3ft9.com/
Re: [PHP] Re: Secure data management
On Tue, Oct 4, 2011 at 6:10 PM, Stuart Dallas stu...@3ft9.com wrote: On 5 Oct 2011, at 02:02, Tommy Pham wrote: On Tue, Oct 4, 2011 at 5:51 PM, Stuart Dallas stu...@3ft9.com wrote: On 5 Oct 2011, at 01:13, Tommy Pham wrote: On Tue, Oct 4, 2011 at 4:49 PM, Stuart Dallas stu...@3ft9.com wrote: On 5 Oct 2011, at 00:45, Tommy Pham wrote: On Tue, Oct 4, 2011 at 4:11 PM, Stuart Dallas stu...@3ft9.com wrote: On 5 Oct 2011, at 00:04, Mark Kelly wrote:

Hi. On Tuesday 04 Oct 2011 at 21:39 Stuart Dallas wrote: http://stut.net/2011/09/15/mysql-real-escape-string-is-not-enough/

Thanks. I followed this link through and read the full message (having missed it the first time round), and while I find the idea of using base64 to sanitise text interesting I can also foresee a few difficulties: It would prevent anyone from accessing the database directly and getting meaningful results unless the en/decode is in triggers, or maybe stored procedures. No more one-off command-line queries. How would you search an encoded column for matching text? I'd be interested in any ideas folk have about these issues, or any others they can envisage with this proposal.

Base64 encoding will work when the native base64 functions are available in MySQL which will allow you to base64 encode the data into a statement like

INSERT INTO table SET field = FROM_BASE64('<?php echo base64_encode($data); ?>')

sorta thing. I'm still not a massive fan of that idea given that prepared statements are an option, but it would work.

Inserting and updating isn't the problem. I think what Mark is referring to is how would that be implemented in this simple type of query:

SELECT * FROM my_table WHERE col_name LIKE '%key word%';

If there's no viable means to filter the data, that storage method/medium is rather pointless, IMHO.

Go back and read what I wrote again. Base64 is only being used to transmit the data to MySQL - it's being stored in the database in its decoded form.

The question still applies as how would you safeguard that 'key word' transmission, especially against SQL injection. I suppose one could do it this way:

SELECT * FROM my_table WHERE col_name LIKE CONCAT('%', FROM_BASE64('<?php echo base64_encode($data); ?>'), '%')

Is the overhead worth it to warrant that kind of safeguard? That's just a simple query with a simple search criteria. What about in the case of subselect and multi-table joins?

That would indeed be logical if base64 was your chosen method of protection, but I think prepared statements are a far more elegant solution. As for the overhead I very much doubt there's much difference between that and the overhead of prepared statements.

IIRC, prepared statements don't incur any overhead. Instead, it's supposed to enhance performance by telling SQL to 'prepare' via compilation. So if you're comparing performance between the overhead of base64 vs prepared statement, then the difference would be quite clear, especially when the table(s) is/are more than a couple hundred thousand rows and the queri(es) are complex. This is not to mention the added complexity into the application where managing and expanding it would incur real (developer time) overhead, IMO.

Prepared statements incur an additional hit against the DB server to prepare the statement. The cost of using base64 in the manner suggested is minimal, regardless of the size of the data. The MySQL query analyser is intelligent enough to know that from_base64('xyz') is a constant expression and will therefore only evaluate it once.

Yes, as in your example, if you're inserting 1 row. What if:

$hobbies = array('bicycling', 'hiking', 'reading', 'skiing', 'swimming');

* base64 method pseudo code:
loop the $hobbies
foreach ($hobbies as $hobby)
    INSERT INTO hobbies SET `name` = FROM_BASE64('<?php echo base64_encode($hobby); ?>')
end loop

* prepared statement pseudo code
prepare statement INSERT INTO hobbies SET `name` = ?
bind param $hobby
loop the $hobbies
for ($i = 0; $i < count($hobbies); $i++)
    $hobby = $hobbies[$i];
    execute statement
end loop

There would be a difference in performance since the expression has to be reevaluated, including the function FROM_BASE64, every time versus one time evaluation of prepared statement.

As for the added complexity, if you have SQL statements all over your code then yes it will add a time overhead, but any codebase of a significant size should be using a centralised API for database access such that changes like this have a very limited scope.

Isn't that one of the major points of OOP? Still, what about new developers, having to remember that additional (and most likely unneeded) complexity, to the project which they would like to build additional modules/plugins for?

-Stuart

-- Stuart Dallas 3ft9 Ltd http://3ft9.com/
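The two cases argued over in this thread, the loop of inserts and the '%key word%' search, written with PDO prepared statements as an added example (not code from any poster). An in-memory SQLite database stands in for MySQL so the script runs offline; the helper names insertHobbies, escapeLike and searchHobbies, the '!' escape character and the extra sample rows are assumptions.

```php
<?php
// Added example, not code from the thread. SQLite in memory stands in for
// MySQL; the prepare/execute calls are the same with a mysql: DSN.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With MySQL, also turn off emulation so the server itself prepares:
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->exec('CREATE TABLE hobbies (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

/** Prepare once, execute once per value; the data never becomes SQL text. */
function insertHobbies(PDO $pdo, array $hobbies): int
{
    $stmt = $pdo->prepare('INSERT INTO hobbies (name) VALUES (?)');
    $inserted = 0;
    foreach ($hobbies as $hobby) {
        $stmt->execute([$hobby]);
        $inserted += $stmt->rowCount();
    }
    return $inserted;
}

/**
 * Binding stops SQL injection, but % and _ inside the bound value are still
 * LIKE wildcards. Escape them (escape character first, so it is not doubled
 * again) when the user's text is meant to match literally.
 */
function escapeLike(string $term, string $escapeChar = '!'): string
{
    return str_replace(
        [$escapeChar, '%', '_'],
        [$escapeChar . $escapeChar, $escapeChar . '%', $escapeChar . '_'],
        $term
    );
}

/** The thread's "LIKE '%key word%'" query with the keyword as a parameter. */
function searchHobbies(PDO $pdo, string $keyword): array
{
    $stmt = $pdo->prepare(
        "SELECT name FROM hobbies WHERE name LIKE ? ESCAPE '!' ORDER BY id"
    );
    // The surrounding wildcards are added by the application, not the user.
    $stmt->execute(['%' . escapeLike($keyword) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data: the thread's list plus two awkward values.
$hobbies = ['bicycling', 'hiking', 'reading', 'skiing', 'swimming',
            "rock'n'roll", '100%_pure'];
echo insertHobbies($pdo, $hobbies), " rows inserted\n";

// An ordinary keyword, a quote-laden string, and bare wildcard characters.
foreach (['king', "' OR '1'='1", '%', '_'] as $keyword) {
    echo var_export($keyword, true), ' => ',
         var_export(searchHobbies($pdo, $keyword), true), "\n";
}
```

Only the hobby containing a literal % or _ matches the last two searches, and the quote-laden keyword is compared as plain text rather than parsed as SQL.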
php-general Digest 1 Apr 2006 17:45:41 -0000 Issue 4047
the MAJOR difference between your code, so I will point it out. Jasper did this function __get($k) { var_dump($k); } Uhm, no I didn't. Jochem did :) Jochem did this public function __get( $key ) { return $this-array[$key]; } No, I did that. First off, the required public before the function call was not included, secondly, Jasper is var_dumping the key of the array, not the array it self. Public is not required. I always put it regardless, but if you leave it off then PHP defaults to public for compatibility reasons. Jochem's code, which behaves incorrectly, does var_dump. Mine just returns the array key as you would expect. That's why Jochem's doesn't behave correctly with arrays. ---End Message--- ---BeginMessage--- why is this iconv function not working for me? i am converting $search to euc-kr charset. my conversion code is not working. background and motivation i have to mimic a accept-charset on a form to fake a get request by disguising it as a hyperlink. (my firefox refuses me tosend a remote post request from a win_open() [ al a javascript] function. the accept-charset value is 'euc-kr'. i threw in extra iconv_set_encoding to eliminate some problem there, but still no progress... :( code -- $xab = 1; $str_out = mb_detect_encoding($search); $converted_search=ax; iconv_set_encoding(output_encoding, EUC-KR); iconv_set_encoding(input_encoding, $str_out); if ($xab) echo mb_detect_encoding*** . 
$str_out .***search*** $search***br; if ( function_exists('iconv') ) { if ($str_out != 'euc-kr') { if ($xab) var_dump( iconv_get_encoding('all')); if ($xab) echo iconv: \$converted_search***$converted_search*** br; $converted_search = iconv($str_out,EUC-KR,$search); if ($xab) echo iconv: \$converted_search***$converted_search*** br; } } output (checks that search is proper and outputs iconv_detect_encoding and checks return from iconv function call) - mb_detect_encoding***UTF-8***search***꺼다*** array(3) { [input_encoding]= string(5) UTF-8 [output_encoding]= string(6) EUC-KR [internal_encoding]= string(10) ISO-8859-1 } iconv: $converted_search***ax*** iconv: $converted_search** many blessings to all. merry chirstmas. ---End Message--- ---BeginMessage--- why is this iconv function not working for me? i am converting $search to euc-kr charset. my conversion code is not working. background and motivation i have to mimic a accept-charset on a form to fake a get request by disguising it as a hyperlink. (my firefox refuses me tosend a remote post request from a win_open() [ al a javascript] function. the accept-charset value is 'euc-kr'. i threw in extra iconv_set_encoding to eliminate some problem there, but still no progress... :( code -- $xab = 1; $str_out = mb_detect_encoding($search); $converted_search=ax; iconv_set_encoding(output_encoding, EUC-KR); iconv_set_encoding(input_encoding, $str_out); if ($xab) echo mb_detect_encoding*** . 
$str_out .***search*** $search***br; if ( function_exists('iconv') ) { if ($str_out != 'euc-kr') { if ($xab) var_dump( iconv_get_encoding('all')); if ($xab) echo iconv: \$converted_search***$converted_search*** br; $converted_search = iconv($str_out,EUC-KR,$search); if ($xab) echo iconv: \$converted_search***$converted_search*** br; } } output (checks that search is proper and outputs iconv_detect_encoding and checks return from iconv function call) - mb_detect_encoding***UTF-8***search***꺼다*** array(3) { [input_encoding]= string(5) UTF-8 [output_encoding]= string(6) EUC-KR [internal_encoding]= string(10) ISO-8859-1 } iconv: $converted_search***ax*** iconv: $converted_search** many blessings to all. merry chirstmas. this works for some utf8 words coming in. strange, also, if i var_dump($converted_search) it says string(4) but it is completely empty for all other purposes. by the way, is this the correct way to send an encoded value over the internet for a href tag, as a get request? the $converted_search is what is output from the iconv functions centerh3search from a href='http://nlpweb.kaist.ac.kr/Urimal/find_word.php?kt_word=\;?php echo $converted_search; ?\cs=ksc'http://nlpweb.kaist.ac.kr/Urimal//a/h3/center ---End Message--- ---BeginMessage--- Hi there, I am trying to encode output with php with uft8_encode(); and then output it to an xml file. Unfortunatelly this does not work as the string that has been encoded by utf8_encode is not valid utf8?! Any ideas how this has happened? Here is a link to this file: http://www.findix.com/syndication/listing_autos.xml Thank you for any hint, Merlin ---End Message--- ---BeginMessage--- Hi, Anyone can suggest me which PHP AJAX framework you are using, for what reason(s), what are pros and cons of your particular choice. I found
php-general Digest 30 Nov 2002 12:31:53 -0000 Issue 1735
on linux systems yet, let alone windows. You'd have much better luck with the 1.3.27 version. Why not??? I'm running a custom built Apache 2.0.40 with the latest PHP and it works trouble free on WinXP ... Granted, this is for experimental testing only ... I'd never have a public server running Windows in any shape or form any way... ---End Message--- ---BeginMessage--- Hi Khalid El-Kary, On Fri, 29 Nov 2002 14:18:15 +, you wrote about Re: [PHP] First PHP something that looked like this: hi, how about the manual? Works for me to learn it ... it's the only thing I've read on PHP besides the WebMonkey guide to get the Apache+PHP set up ... ---End Message--- ---BeginMessage--- Hi, I'm using the following code: $x = imap_open({mail..com:110/pop3}INBOX, [EMAIL PROTECTED], ); echo $x ? YAY! : NO YAY!BR . implode(BR, imap_errors()); It works fine on my local server, but as soon as I try it on the live machine it gives me: Retrying CRAM-MD5 authentication after Retrying CRAM-MD5 authentication after Invalid userid/password Retrying CRAM-MD5 authentication after illegal command Retrying CRAM-MD5 authentication after authentication exchange failed Can not authenticate to POP3 server: authentication exchange failed Which is just mean, the local server is Debian 2.2 running PHP 4.0.3pl1 and the live one is Slackware 8.1-rc1 running PHP 4.2.1. The mail server seems to identify itself as IMail 6.02. The live server can telnet into the mail server okay so it's not a connection problem and it can connect to different mail servers without problems. After extensive googling I found something in Norwegian which I guessed was saying to try replacing the @ in the login to \$, which was tried... as before, worked locally but failed live. So I gave up and decided to leave it to better minds than mine, ie. you. Thanks in advance. 
---End Message--- ---BeginMessage--- Looks fine in Opera 6.03 hth http://www.vogelsinger.at/test.php?par1=value1par2=value2par3=value3 Opera Version 6.03 Build 1107 Platform Win32 System Windows 98 Java Sun Java Runtime Environment 1.4 Testing the query string This is the full query string ($_SERVER['QUERY_STRING']): par1=value1par2=value2 par3=value3 This is a printout of $_GET: Array ( [par1] = value1 [par2] = value2 [par3] = value3 ) I will use this string for the link below: /test.php?par1=value1amp;par2=value2 amp;par3=value3 On Wed, 27 Nov 2002 00:09:35 +0100, [EMAIL PROTECTED] (Ernest E Vogelsinger) wrote: At 00:00 27.11.2002, Jonathan Rosenberg \(Tabby's Place\) said: [snip] Ok ... I take back what I said about amp; not working in a query string. It works just fine. [snip] Ahhh - and I just created a test page for all to check out... nevertheless, here it is: http://www.vogelsinger.at/test.php Simply provides a link using query parameters encoded with amp;, to check with different browsers. Maybe someone will check this outwith his browser anyway. -- O Ernest E. Vogelsinger (\)ICQ #13394035 ^ http://www.vogelsinger.at/ ---End Message--- ---BeginMessage--- Is there a way to determine if a string has ascii or binary data in it? -js ---End Message--- ---BeginMessage--- Doh, so simple. I guess the correct form of the question would be how do I determine if a string has just a-zA-Z0-9 in it plus punctuation... thanks, -js Paul Chvostek wrote: On Fri, Nov 29, 2002 at 10:27:05PM -0600, Jonathan Sharp wrote: Is there a way to determine if a string has ascii or binary data in it? You could always see if it matches a regular expression that represents the ascii range you're considering. I.e., ereg('[^a-zA-Z0-9]',$string) will return true if non-alphanumerics are in the string. Remember that a string is just a string. Whether the data contained in it is represented as ASCII or something else is completely a matter of implementation. 
ALL 7-bit data can be represented as ASCII. All 8-bit data can be represented as IBM Extended ASCII or whatever you want to call it. But the string is just a string of bits. ---End Message--- ---BeginMessage--- On Fri, 29 Nov 2002, Jonathan Sharp wrote: Is there a way to determine if a string has ascii or binary data in it? I've used this kind of approach in the past to determine which encoding to use on a string which may contain text or an image. Basically it uses addcslashes to escape non-ASCII chars, then strips all non-backslash chars, and takes the size of the string... $size should contain the number of bytes (out of 1024) that were escaped, and should be very low for clean text, and pretty high for binary. This was made for analyzing blobs, but maybe the approach is useful... $text = addcslashes(substr($string, 0, 1024), \\\'\0..\37\177..\377); $size = strlen(preg_replace('/[^]/', '', $text)); if ($size 200) print mostly
php-general Digest 1 Mar 2003 16:29:34 -0000 Issue 1912
--- ---BeginMessage--- On February 28, 2003 10:41 am, Leif K-Brooks wrote: Try $timeb ''. Well whatta ya know I learn something new every day.. I thought the only valid not equal operator was !=... I'm used to using only for SQL server stored procedures or VB.. leo ---End Message--- ---BeginMessage--- Data from POST is a hash table of strings, so you should use this to check for zero: if ($_POST['field'] == 0) // Zero was entered ---End Message--- ---BeginMessage--- On Saturday 01 March 2003 06:30, Patrick Teague wrote: I'm trying to compile php on Mandrake 9, but this latest error during compile has me stumped as I've installed all the imap-devel type rpms. . checking for IMAP support... yes checking for pam_start in -lpam... yes checking for crypt in -lcrypt... (cached) yes configure: error: Cannot find imap library (libc-client.a). Please check your IMAP installation any ideas? I checked the php.net faq on building, but I haven't found any info about this. I've searched the imap rpms I have even searched the whole system, but it couldn't find 'libc-client.a' anywhere. Are you using RPMs? On a RH system that file is provided by the IMAP-devel package. I suppose it's similar for MDK. In general you need to install the devel packages of any libraries that you wish to use. -- Jason Wong - Gremlins Associates - www.gremlins.biz Open Source Software Systems Integrators * Web Design Hosting * Internet Intranet Applications Development * -- Search the list archives before you post http://marc.theaimsgroup.com/?l=php-general -- /* Hanson's Treatment of Time: There are never enough hours in a day, but always too many days before Saturday. */ ---End Message--- ---BeginMessage--- localhost is the name of your own machine, for others localhost means their machines. redirect to the network ip address or host name of your server instead of localhost. 
regds, -Original Message- From: K [mailto:[EMAIL PROTECTED] Sent: Friday, February 28, 2003 09:47 To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: JP Graph Hi all, I'm using JPGraph on a localhost for a website opened via a host redirect. My problem is that nobody can see the graphs but me ('cause I'm on localhost). Any clues? Thx. ---End Message--- ---BeginMessage--- try: select date_format(date_add(arrivaldate1, INTERVAL nights1 DAY), '%Y-%m-%d') as dept_date1 from mytable where (date_add(arrivaldate1, INTERVAL nights1 DAY) BETWEEN '2003-02-01' AND '2003-02-10') regds, -Original Message- From: Dhaval Desai [mailto:[EMAIL PROTECTED] Sent: Friday, February 28, 2003 15:48 To: [EMAIL PROTECTED] Subject: Mysql Date got prob! Hello, As related to my earlier question select date_format(date_add(arrivaldate1, INTERVAL nights1 DAY), '%Y- %m-%d') as dept_date1 from mytable where ('dept_date1' BETWEEN '2003-02-01' AND '2003-02-10') The above query is valid but returns 0 because 'dept_date1' is treated as a string. I want dept_date1 to be treated as date so that it can be compared. I hope it is possible... Thank you! -Dhaval _ Add photos to your messages with MSN 8. Get 2 months FREE*. http://join.msn.com/?page=features/featuredemail ---End Message--- ---BeginMessage--- This is a forwarded message From: Tom Rogers [EMAIL PROTECTED] To: Richard Kurth [EMAIL PROTECTED] Date: Saturday, March 1, 2003, 5:59:11 PM Subject: [PHP] Help!! with array's Please ===8==Original message text=== Hi, Saturday, March 1, 2003, 4:28:27 PM, you wrote: RK Hello Tom, RK I would love to see a basic class to do all of this. I took what you RK showed me and turned it into a function that works perfect. RK The one thing that I have had a lot of trouble with is manipulating RK text based data. And out of all the books I have, none of them get RK into doing this type of programing. 
Here it is class groupClass { var $groups = array(); var $gid = 499; //if there are no groups, new ones start at this number +1 function groupClass($file){ $r = false; if(file_exists($file)){ $in = file($file); //build an array using names as keys so we can identify entries easier while(list($key,$val) = each($in)){ $val = trim($val); //get rid of newlines list($name,$pass,$gid,$userlist) = split (:, $val); if($gid $this-gid){ $this-gid = $gid; //keep track of the highest gid number } $this-groups[$name]['gid'] = $gid; $this-groups[$name]['pass'] = $pass
Re: [PHP] [newbie] Can PHP be a security risk if it's just connecting to MySQL?
Dave G wrote:

If that text is not properly validated and escaped, you could be open to SQL Injection attacks

I'm less clear on what properly escaped means. I thought escaping was a matter of putting slashes before special characters, so that their presence doesn't confuse the SQL queries one might run. Is it possible that if one has taken at least that much precaution that a user could still enter malicious script held in a TEXT column?

Escaping the data so it's safe to put into a database query is only part of the solution. It really depends on how the data goes into the query how it should be escaped/validated, too.

If you have WHERE id = $id then you need to ensure $id is a number and only a number. 1, 100, 10.5, -14.56 and 5.54E06 are all valid values for $id in this case. is_integer(), is_numeric() and using (int), (float) to cast values ($id = (int)$id) help here.

If you have WHERE name = '$name' in the query, then you need to ensure any single quotes within $name are escaped according to your database. MySQL uses backslashes, so you can use addslashes() to escape the value of $name. Other databases use another single quote, so you need O''Kelly instead of O\'Kelly.

To further complicate things, you have to take into account the magic_quotes_gpc setting. If that's enabled, PHP would have already escaped any incoming GET/COOKIE/POST/REQUEST data using addslashes(). So if you run addslashes() again, your data will be escaped twice. The thing to remember is that if you put O\'Kelly into the database, you should be seeing O'Kelly inside the database when doing a SELECT. The \ is simply there to escape the quote upon executing the query. If you see O\'Kelly actually in your database, then you're escaping your data twice.

If you find you have to use stripslashes() when you pull data from your database (you shouldn't have to use it), then you're escaping data twice OR you may have magic_quotes_runtime enabled (which will escape data coming back out of databases and files, although this is off by default).

If you have WHERE $name in your query, then you need to ensure double quotes are escaped within $name. addslashes() and magic_quotes_gpc will take care of single and double quotes, though, so you're covered there. A lot of people think that you only need to escape single quotes, but it really depends on how you write your queries.

Now that the data is safely in the database, you'll eventually want to display it back to the user, right? Again, you need to ensure the data is escaped (or more properly - encoded) so that any HTML/JavaScript/etc within the data is not rendered on your page (unless you really want it to). If the data came from the user, then you DO NOT want it to render, trust me.

Now, if you're validating everything to be a number or say 5 characters, then there's no real malicious code that could be inserted to be rendered on your page. However, the thing to realize is that, sure, you're only allowing 5 characters now. Tomorrow your partner comes along and decides to allow 50 characters. He changes your substr() call to chop it to 50 characters and changes the database column. Now, since you weren't encoding the data before you displayed it back to the user, you could be in trouble. The moral is that it really wouldn't hurt to encode a string that you know will only be 5 characters just to cover things if they ever change.

So how is this encoding done? htmlentities() is your best friend. When you retrieve data from the database/file, you run it through htmlentities() before putting it on your web page. So something like <img> supplied by the user will be sent as &lt;img&gt; in the HTML source. The user will actually see <img> instead of an image box and a possibly distasteful image.

Another use for htmlentities() is for when you display data back to the user in a form input element. This is pretty common for when you want to redisplay a form with the data the user gave so they can edit it, correct it, whatever. Normally, you'll see someone do this:

<input type="text" name="name" value="<?=$name?>">

Well, what if the value of $name contains a double quote?

<input type="text" name="name" value="a double "quote">

That HTML will confuse the browser. It'll see "a double" as the value of the input element and "quote" as an unrecognized attribute. Now, that doesn't really cause any harm, you just lose some text. But if the user can supply a value beginning with "> (such as ">My HTML<img>), then they just ended your input element and anything after it will be rendered as HTML.

<input type="text" name="name" value="">My HTML<img>">

Now you're letting them write any HTML/JavaScript/etc they want into your page. This would allow them to inject JavaScript from a remote site, redirect users, and steal cookie values. The PHP session id is saved in a cookie. Once I have that session id, I can hijack your session by providing the same session id when requesting a page on your site
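The form-field case from the message above, as an added example that is not part of the original post: the same input element is built with and without encoding, then parsed back to show whether the value survives intact and whether extra elements appear. The function names are hypothetical, the sample values are constructed to follow the message, and PHP's DOM extension is assumed to be available.

```php
<?php
// Added example, not code from the message. Function names are hypothetical
// and the sample values are constructed.
declare(strict_types=1);

/** Encode a value for HTML text or a quoted attribute. */
function e(string $value): string
{
    // ENT_QUOTES encodes both " and '. Before PHP 8.1 the default flags were
    // ENT_COMPAT, which leaves single quotes alone, so the flags are explicit.
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** The pattern the message warns about: the value is pasted in as-is. */
function inputRaw(string $name): string
{
    return '<input type="text" name="name" value="' . $name . '">';
}

/** The same field with the value encoded for the attribute context. */
function inputEncoded(string $name): string
{
    return '<input type="text" name="name" value="' . e($name) . '">';
}

/** A single-quoted attribute encoded with ENT_COMPAT only (the old default). */
function inputSingleQuotedCompat(string $name): string
{
    return "<input type='text' name='name' value='"
        . htmlentities($name, ENT_COMPAT, 'UTF-8') . "'>";
}

/**
 * Parse the markup the way a browser would and report what it produced:
 * the value attribute of the first input, and any element that is not
 * part of the intended markup.
 */
function inspect(string $html): array
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);   // silence parse warnings
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $input = $doc->getElementsByTagName('input')->item(0);
    $extra = [];
    foreach ($doc->getElementsByTagName('*') as $node) {
        if (!in_array($node->nodeName, ['html', 'body', 'input'], true)) {
            $extra[] = $node->nodeName;
        }
    }
    return [
        'value' => $input instanceof DOMElement ? $input->getAttribute('value') : null,
        'extra' => $extra,
    ];
}

// Constructed inputs: a stray double quote, markup that closes the
// attribute and the element, and a name containing a single quote.
$samples = ['a double "quote', '">My HTML<img>', "O'Kelly"];

foreach ($samples as $name) {
    foreach (['inputRaw', 'inputEncoded', 'inputSingleQuotedCompat'] as $render) {
        $html   = $render($name);
        $result = inspect($html);
        printf(
            "%-24s %-18s round-trips: %-3s extra elements: %s\n    %s\n",
            $render,
            var_export($name, true),
            $result['value'] === $name ? 'yes' : 'no',
            $result['extra'] ? implode(',', $result['extra']) : 'none',
            $html
        );
    }
}
```

A field is safe when the parsed value equals the submitted string and no extra elements are reported; the single-quoted variant shows why the quote style of the attribute and the encoding flags have to agree.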
php-general Digest 2 Sep 2011 09:48:19 -0000 Issue 7466
php-general Digest 2 Sep 2011 09:48:19 - Issue 7466 Topics (messages 314702 through 314713): Re: PHP/ Soap issue 314702 by: richard gray 314703 by: richard gray 314704 by: Richard Quadling 314705 by: Richard Quadling 314706 by: Louis Huppenbauer 314708 by: Richard Quadling 314709 by: Richard Quadling Re: Code should be selv-maintaining! 314707 by: Tim Streater 314710 by: Tedd Sperling Re: [EasyPHP] How to export and import `alias` from previous version of EasyPHP? 314711 by: Daniel Brown Re: Bug #51739 tricky string to float conversion 314712 by: Simon J Welsh Does exist any zend debugger for windows 64bit? 314713 by: Ali Asghar Toraby Parizy Administrivia: To subscribe to the digest, e-mail: php-general-digest-subscr...@lists.php.net To unsubscribe from the digest, e-mail: php-general-digest-unsubscr...@lists.php.net To post to the list, e-mail: php-gene...@lists.php.net -- ---BeginMessage--- On 01/09/2011 14:07, Louis Huppenbauer wrote: I think it would be best if you could provide us with the .wsdl (and possibly with the server-code). Thanks for the quick response Louis.. WSDL ?xml version=1.0 encoding=UTF-8? 
definitions name=CatalogueService targetNamespace=http://example.com/catalogue.wsdl; xmlns=http://schemas.xmlsoap.org/wsdl/; xmlns:soap=http://schemas.xmlsoap.org/wsdl/soap/; xmlns:tns=http://example.com/catalogue.wsdl; xmlns:xsd=http://www.w3.org/2001/XMLSchema; xmlns:xsd1=http://example.com/schema; types xsd:schema targetNamespace=http://example.com/schema; xmlns=http://www.w3.org/2001/XMLSchema; xsd:complexType name=product xsd:sequence xsd:element name=name type=xsd:string/ xsd:element name=description type=xsd:string/ xsd:element name=price type=xsd:double/ xsd:element name=SKU type=xsd:string/ /xsd:sequence /xsd:complexType /xsd:schema /types message name=getProductRequest part name=sku type=xsd:string/ /message message name=getProductResponse part name=product type=xsd1:product/ /message portType name=Product_PortType operation name=getProduct input message=tns:getProductRequest/ output message=tns:getProductResponse/ /operation /portType binding name=Product_Binding type=tns:Product_PortType soap:binding style=rpc transport=http://schemas.xmlsoap.org/soap/http/ operation name=getProduct soap:operation soapAction=urn:examples:CatalogueService/ input soap:body encodingStyle=http://schemas.xmlsoap.org/soap/encoding/; namespace=urn:examples:CatalogueService use=encoded/ /input output soap:body encodingStyle=http://schemas.xmlsoap.org/soap/encoding/; namespace=urn:examples:CatalogueService use=encoded/ /output /operation /binding service name=Product_Service port name=Product_Port binding=tns:Product_Binding soap:address location=http://example.com/api/catalogue/ /port /service /definitions SERVER CODE ini_set('soap.wsdl_cache_enabled',false); $server = new SoapServer('http://example.com/catalogue.wsdl'); $server-handle(); ---End Message--- ---BeginMessage--- On 01/09/2011 14:16, Richard Quadling wrote: Can you give me the URL for the WSDL file? Either online or by direct email. 
Thanks for the quick response Richard -- I have just posted the WSDL in my earlier resply to Louis... ---End Message--- ---BeginMessage--- On 1 September 2011 13:27, richard gray r...@richgray.com wrote: On 01/09/2011 14:16, Richard Quadling wrote: Can you give me the URL for the WSDL file? Either online or by direct email. Thanks for the quick response Richard -- I have just posted the WSDL in my earlier resply to Louis... Is there any chance of having the live URL? That way I can show exactly what/where the issue lies. I can build my test code for the WSDL file but I can't test it as the URLs are junk. -- Richard Quadling Twitter : EE : Zend : PHPDoc @RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea ---End Message--- ---BeginMessage--- On 1 September 2011 13:35, Richard Quadling rquadl...@gmail.com wrote: On 1 September 2011 13:27, richard gray r...@richgray.com wrote: On 01/09/2011 14:16, Richard Quadling wrote: Can you give me the URL for the WSDL file? Either online or by direct email. Thanks for the quick response Richard -- I have just posted the WSDL in my earlier resply to Louis... Is there any chance of having the live URL? That way I can show exactly what/where the issue lies. I can build my test code for the WSDL file but I can't test it as the URLs are junk. -- Richard Quadling Twitter : EE : Zend : PHPDoc @RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea Unless of course, you own example.com! -- Richard Quadling Twitter : EE : Zend : PHPDoc @RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea ---End
php-general Digest 30 Jun 2007 13:16:14 -0000 Issue 4877
, value3) IN ('.join(',', $list).') ; mysql_query($SQL); this should take, for each row in the DB, value1 + value2 + value3 and create one string from them, then it will compare each string in the IN (...) portion to each entry in the $list array(). Let me know if you need any further help ---End Message--- ---BeginMessage--- Will do. Thanks. - Original Message - From: Jim Lucas [EMAIL PROTECTED] To: kvigor [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Saturday, June 30, 2007 1:46 AM Subject: Re: [PHP] Selecting Rows Based on Row Values Being in Array kvigor wrote: Hello All, I'm attempting to return rows from a mysql DB based on this criteria: I have a list, in the form of an array that I need to compare against each row in the table. Where theres a match I need that entire row returned. e.g.$varListof 3outOf_10Fields = array(6blue40lbs, 7orange50lbs, 8orange60lbs, 9purple70lbs); The array contains 3 of the db row fields in 1 value. However there are 10 fields/columns in the table. === what table looks like | === size colorweight ROW 1| value1 | value1 | value1 | value1 | value1 | value1 | So how could I set up a query that would SELECT the entire row, if the row contained $varListof 3outOf_10Fields[1]. Open to any suggestions or work arounds. I'm playing with extract() but code is too crude to even post. I would suggest approaching the problem with a slightly different thought. just have the sql concat() the columns together and then compare. something like this should do the trick $list = array( '6blue40lbs', '7orange50lbs', '8orange60lbs', '9purple70lbs', ); $SQL = SELECT * FROM my_Table WHERE CONCAT(value1, value2, value3) IN ('.join(',', $list).') ; mysql_query($SQL); this should take, for each row in the DB, value1 + value2 + value3 and create one string from them, then it will compare each string in the IN (...) portion to each entry in the $list array(). Let me know if you need any further help ---End Message--- ---BeginMessage--- K. Hayes wrote: Will do. 
Thanks. - Original Message - From: Jim Lucas [EMAIL PROTECTED] To: kvigor [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Saturday, June 30, 2007 1:46 AM Subject: Re: [PHP] Selecting Rows Based on Row Values Being in Array kvigor wrote: Hello All, I'm attempting to return rows from a mysql DB based on this criteria: I have a list, in the form of an array that I need to compare against each row in the table. Where theres a match I need that entire row returned. e.g.$varListof 3outOf_10Fields = array(6blue40lbs, 7orange50lbs, 8orange60lbs, 9purple70lbs); The array contains 3 of the db row fields in 1 value. However there are 10 fields/columns in the table. === what table looks like | === size colorweight ROW 1| value1 | value1 | value1 | value1 | value1 | value1 | So how could I set up a query that would SELECT the entire row, if the row contained $varListof 3outOf_10Fields[1]. Open to any suggestions or work arounds. I'm playing with extract() but code is too crude to even post. I would suggest approaching the problem with a slightly different thought. just have the sql concat() the columns together and then compare. something like this should do the trick $list = array( '6blue40lbs', '7orange50lbs', '8orange60lbs', '9purple70lbs', ); $SQL = SELECT * FROM my_Table WHERE CONCAT(value1, value2, value3) IN ('.join(',', $list).') ; mysql_query($SQL); this should take, for each row in the DB, value1 + value2 + value3 and create one string from them, then it will compare each string in the IN (...) portion to each entry in the $list array(). Let me know if you need any further help one other thing, make sure that you run each of the values in the $list array() through mysql_real_escape_string(). That way it is all nicely encoded for the SQL statement. ---End Message--- ---BeginMessage--- Patrick, did you trying going to http://www.php.net/unsub.php yet? 
=D Brian Seymour AeroCoreProductions http://www.aerocore.net/ ---End Message---
php-general Digest 4 May 2007 11:11:10 -0000 Issue 4772
Topics (messages 254377 through 254394):

Re: Script feedback: insert string into another string
    254377 by: Tijnema !
Re: File uploading and saving info on mysql
    254378 by: itoctopus
Re: Redirect via GET is loosing characters
    254379 by: itoctopus
Re: Split string
    254380 by: itoctopus
Re: What does mean?
    254381 by: itoctopus
Re: A problem with passing $_GET in an url
    254382 by: Davis Chan
    254383 by: Davis Chan
Re: MySQL change-tracking
    254384 by: Chris
Re: [opinions] Ashop Commerce
    254385 by: Marco Sottana
    254386 by: Chris
passing GET via include
    254387 by: Mark Smith
    254389 by: Miguel J. Jiménez
    254393 by: Edward Kay
    254394 by: Oliver Block
Custom session save handler. What's happens really?
    254388 by: n.quirin.free.fr
Why does this encoding work in PHP?
    254390 by: Arno Kuhl
    254391 by: Dave Goodchild
PHP 5.2.2 and PHP 4.4.7 Released!
    254392 by: Derick Rethans

Administrivia:
To subscribe to the digest, e-mail: [EMAIL PROTECTED]
To unsubscribe from the digest, e-mail: [EMAIL PROTECTED]
To post to the list, e-mail: [EMAIL PROTECTED]
--

---BeginMessage---
I owe you and Tijnema a beer! Have a great day/night! Cheers, Micky

I'm sorry, you have to wait another 9 months, because only then I can legally drink a beer :) (then I will be 16 :) )

Tijnema
---End Message---

---BeginMessage---
Here's the file upload class making your life easier:

<?php
/*
@class FileManager
@description This class handles interaction with Files
@copyright itoctopus 2007 - The Genoc Library
*/
class FileManager{
    /*
    [EMAIL PROTECTED] save
    [EMAIL PROTECTED] this function saves the file in the database
    [EMAIL PROTECTED] array $file_handle A handle on the file (ex. $_FILES['the_file'])
    [EMAIL PROTECTED] string $field_name The name of the field
    [EMAIL PROTECTED] string $action Update or save the file in the table. Defaults to save.
    [EMAIL PROTECTED] string $file_source The name of the source table saving the file (such as realestate)
    [EMAIL PROTECTED] string $file_source_id The id of the row in the source table
    [EMAIL PROTECTED] object $db The database handle
    */
    static function save($file_handle, $file_source, $file_source_id, $action='save', $allowed_types = array(), $db){
        if (empty($file_handle['tmp_name']))
            return;
        // Read the uploaded temp file and escape it for use inside a quoted SQL literal
        $data = addslashes(fread(fopen($file_handle['tmp_name'], "r"), $file_handle['size']));
        if ($action == 'save'){
            $creationdate = $lastupdatedate = Date("Y-m-d H:i:s");
            // Note: name, type, size and source values are concatenated as received, without escaping
            $sql = 'INSERT INTO file (file_name, file_type, file_size, file_source, file_source_id, file_binary, file_creationdate, file_lastupdatedate) VALUES (\''.$file_handle['name'].'\', \''.$file_handle['type'].'\', \''.$file_handle['size'].'\', \''.$file_source.'\', \''.$file_source_id.'\', \''.$data.'\', \''.$creationdate.'\', \''.$lastupdatedate.'\')';
            //now if the type is an image, then create a thumbnail (resize should be relative)
        }
        else{
            $lastupdatedate = Date("Y-m-d H:i:s");
            // Note: as posted, this UPDATE has no WHERE clause, so it applies to every row
            $sql = 'UPDATE file SET file_name=\''.$file_handle['name'].'\', file_type=\''.$file_handle['type'].'\', file_source=\''.$file_source.'\', file_source_id=\''.$file_source_id.'\', file_binary=\''.$data.'\', file_lastupdatedate=\''.$lastupdatedate.'\'';
            //now if the type is an image, then update a thumbnail
        }
        $result= $db->query($sql);
    }

    /*
    [EMAIL PROTECTED] get
    [EMAIL PROTECTED] This function returns a link to the file based on the id
    [EMAIL PROTECTED] string $file_id The id of the file in the database
    [EMAIL PROTECTED] object $db The database handle
    [EMAIL PROTECTED] void
    */
    static function get($file_id, $db){
        $sql = 'SELECT file_id, file_name, file_type, file_size, file_binary FROM file where file_id=\''.$file_id.'\'';
        $result= $db->query($sql);
        header('Content-length:'.$result[0]['file_size']);
        header('Content-type:'.$result[0]['file_type']);
        //if it's not an image then download it, otherwise display it
        if (strpos($result[0]['file_type'], 'image') !== FALSE)
            header("Content-type: ".$result[0]['file_type']."; filename=".$result[0]['file_name']);
        else
            header("Content-Disposition: attachment; filename=".$result[0]['file_name']);
        echo($result[0]['file_binary']);
    }

    /*
    [EMAIL PROTECTED] delete
    [EMAIL PROTECTED] This function deletes a file from the database
    [EMAIL PROTECTED] integer $file_id The id of the file to be deleted
    [EMAIL PROTECTED] object $db The database handle
    [EMAIL PROTECTED]
    */
    static function delete($file_id, $db){
        // Concatenated, because a single-quoted PHP string does not interpolate $file_id
        $sql = 'DELETE FROM file WHERE file_id=\''.$file_id.'\'';
        $result= $db->query($sql);
    }
}
?>

--
itoctopus - http://www.itoctopus.com

Marcelo Wolfgang [EMAIL PROTECTED] wrote
php-general Digest 4 Mar 2001 21:30:04 -0000 Issue 547
php-general Digest 4 Mar 2001 21:30:04 - Issue 547 Topics (messages 42494 through 42525): Re: Stripping HTML selectively? 42494 by: Steve Edberg NETSCAPE Screws QUERY STRING!! 42495 by: Thomas Edison Jr. 42498 by: Meir Kriheli - MKsoft 42499 by: Juanma Help Please: Php configuration 42496 by: archana sharma 42497 by: Michael Hall 42502 by: Phil Driscoll PHP PostgreSQL 42500 by: Marcelo Pereira 42508 by: The Hermit Hacker Re: Problems with IIS4 (Win2k) 42501 by: Phil Driscoll Re: Static Classes 42503 by: Alexander Wagner Re: Content-Type: image/gif and send the image in hex 42504 by: Christian Reiniger Re: PHP web based mailing list administrator 42505 by: Christian Reiniger Re: any way to count subscribers to PHP lists? 42506 by: Ned Lilly newbie---cookie help 42507 by: McShen Re: Hebrew websites transition with php3 .. 42509 by: Manuel Lemos 42510 by: Manuel Lemos system() and stdout 42511 by: Michael Robbins 42513 by: Clayton Dukes How much could you charge for a PHP-MySQL Spanish online course? 42512 by: akio How big is too big? 42514 by: Joe Sheble (Wizaerd) file() function 42515 by: Felipe Lopes Re : [PHP] NETSCAPE screws QUERY STRING 42516 by: Thomas Edison Jr. 42517 by: Julian Wood 42518 by: Thomas Edison Jr. 42521 by: Julian Wood NETSCAPE screws up query string : more problems! 42519 by: Thomas Edison Jr. date 42520 by: george 42522 by: Stephan Ahonen Change the Input to st different.. 42523 by: Erdinc Guler Php, Apache, mysql - make error 42524 by: S Jha Re: IE 5.5,authentication,PHP sessions: IE never stops 42525 by: Don Read Administrivia: To subscribe to the digest, e-mail: [EMAIL PROTECTED] To unsubscribe from the digest, e-mail: [EMAIL PROTECTED] To post to the list, e-mail: [EMAIL PROTECTED] -- At 09:43 PM 3/3/01 , Erick Papadakis wrote: Thanks Brian, I have tried the allowable tags, but I need to remove the ATTRIBUTES of a tag, not the tag itself. STRIP_TAGS totally removes the tag, and ALLOWABLE_TAGS lets the tag be. 
WHat I wish to do is let the main tag be but remove its attributes, as follows: Original text: font class="something" style=""Hi!/font Parsed text: fontHi!/font Thanks/erick Well, in this case, you'd have to use regular expressions. One way to do it would be: $SanitizedString = ereg_replace('[[:space:]]*([[:alnum:]]+)[^]*', "\\1", $String); this _should_ work (haven't tested it). If you wanted to remove some tags entirely, and then remove the attributes of the remaining tags, you could (1) use strip_tags() with a list of allowable tags, then (2) run the regexp above. Incidentally, the above regexp also removes leading spaces from the tag. Eg,font style="unreadable" becomes font. If you don't want, that user the regexp '([[:space:]]*[[:alnum:]]+)[^]*' instead. - steve --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.230 / Virus Database: 111 - Release Date: 25-Jan-01 ++ | Steve Edberg University of California, Davis | | [EMAIL PROTECTED] (530)754-9127 | | http://aesric.ucdavis.edu/ http://pgfsun.ucdavis.edu/ | +-- Gort, Klaatu barada nikto! ------+ I'm passing variables in a query string to my php pages. The variables whose values contain spaces due to multiple words are being passed correctly to the Internet Explorer browser and are working perfectly there. However, they are not working at al in NETSCAPE browser. What should i do? The Internet Explorer converts the spaces in a query string into it's hexadecimal value of "%20" automatically, but netscape is not doing so. It's not reading the space and thus not displaying the page at all and giving the HTTP error 400. This the link i make : a href="add_pro_over.php3?title=? echo $title ?" if $title contains "Project", it goes. But if it contains "Project One" ... it doesn't work in NETSCAPE. When on to the next page, this $title also has to be sent into the Database. what do i do? regards, T. Edison jr. = Rahul S. 
Johari (Director) ** Abraxas Technologies Inc. Homepage : http://www.abraxastech.com Email : [EMAIL PROTECTED] Tel : 91-4546512/4522124 *** __ Do You Yahoo!? Get email at your
php-general Digest 15 Nov 2009 10:20:08 -0000 Issue 6443
. Many thanks Alessandro ---End Message--- ---BeginMessage--- On Nov 13, 2009, at 6:34 PM, Jim Lucas wrote: You basic problem with the PHP_EOL is that when echo'ed out, it represents a \n character. The value you are working with might be \n\r or just \r I read the links you sent, plus some others. It took me awhile, but I get it now. If the return character that was entered into that field is not the same as what PHP_EOL is looking for, it won't work. $parts = preg_split('|[\n\r]+|', $item['unitprice']); preg_split works perfectly! Very similar to Perl's split function. Here's what I have now: $parts = preg_split('|\s+|', $item['unitprice']); $price = '$'.number_format((count($parts) 1) ? $parts[(count($parts)-1)] : $parts[0],2); Clean and concise. Thanks a million, Jim! I really appreciate your helpful responses. Thanks again, Frank ---End Message--- ---BeginMessage--- Hello, I am trying to create an UPLOAD page to Update a Images and PDFs into a BLOB field in mySQL. The image keeps getting corrupted (it draws a portion of the image and the rest is GRAY) We tried it with Safari and Firefox with bad results. Here is the form that is used to browse and select the file. !-- Upload Image dialog -- div id=uploadImage div id=llback/div centerdiv id=uploadForm div id=uploadTitleUpload Thumbnail image/div iframe name=saveImage/iframe bPlease select the thumbnail image, then press Upload./b div style=margin-top:14px;margin-bottom:14px;text-align:center;width: 100% form target=saveImage method=post action=ajax/saveDialog.php enctype=multipart/form-data Select Thumbnail: input type=file name=img id=img accept=image/ jpeg //div input type=hidden name=obj value=uploadImage / input type=hidden name=id value=?php echo $Area_id ? 
/ input type=button value=Upload onclick=saveDialog('uploadImage','img','jpg'); input type=button value=Cancel onclick=cancelDialog('uploadImage','img') /form /div/center /div Here is the QUERY to upload the image (saveDialog.php): if($_POST['obj'] == uploadImage) { $file = $db-real_escape_string(file_get_contents($_FILES['img'] ['tmp_name'])); $db-query(UPDATE Areas SET Image = '$file') or die(1.$db-error); Has anyone else ever run into this type of UPDATE error with images and PDF? We really need to get this dealt with ASAP. Thanks! Don Wieland D W D a t a C o n c e p t s ~ d...@dwdataconcepts.com Direct Line - (949) 305-2771 Integrated data solutions to fit your business needs. Need assistance in dialing in your FileMaker solution? Check out our Developer Support Plan at: http://www.dwdataconcepts.com/DevSup.html Appointment 1.0v9 - Powerful Appointment Scheduling for FileMaker Pro 9 or higher http://www.appointment10.com For a quick overview - http://www.appointment10.com/Appt10_Promo/Overview.html ---End Message--- ---BeginMessage--- Hi, Could it have something to do with an eof character being encoded or something like that? Do you really need to store the files in the DB? It uses more processing power if stored in the DB because on retrieval, you have to unescape the string and return it. Modern filesystems are optimised better for files than databases and storing a filename and returning the contents is easier to implement than retrieving it from the DB... http://forums.codewalkers.com/php-applications-45/upload-image-file-to-mysql-as-blob-849194.html ++Tim Hinnerk Heuer++ http://www.ihostnz.com 2009/11/15 Don Wieland d...@dwdataconcepts.com Hello, I am trying to create an UPLOAD page to Update a Images and PDFs into a BLOB field in mySQL. The image keeps getting corrupted (it draws a portion of the image and the rest is GRAY) We tried it with Safari and Firefox with bad results. Here is the form that is used to browse and select the file. 
!-- Upload Image dialog -- div id=uploadImage div id=llback/div centerdiv id=uploadForm div id=uploadTitleUpload Thumbnail image/div iframe name=saveImage/iframe bPlease select the thumbnail image, then press Upload./b div style=margin-top:14px;margin-bottom:14px;text-align:center;width:100% form target=saveImage method=post action=ajax/saveDialog.php enctype=multipart/form-data Select Thumbnail: input type=file name=img id=img accept=image/jpeg //div input type=hidden name=obj value=uploadImage / input type=hidden name=id value=?php echo $Area_id ? / input type=button value=Upload onclick=saveDialog('uploadImage','img','jpg'); input type=button value=Cancel onclick=cancelDialog('uploadImage','img') /form /div/center /div Here is the QUERY to upload the image (saveDialog.php): if($_POST['obj'] == uploadImage) { $file = $db-real_escape_string(file_get_contents($_FILES['img']['tmp_name'])); $db-query(UPDATE Areas SET Image = '$file') or die(1.$db-error); Has anyone else ever run into this type of UPDATE error with images and PDF? We really need to get this dealt with ASAP. Thanks! Don Wieland D W
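An added example, not code from either poster: the upload-to-BLOB step from this thread, and from the FileManager::save() post in the 4 May 2007 digest, written with a mysqli prepared statement so that the file bytes and the row id are bound instead of being pasted into the SQL string. The key column name Area_id, the MEDIUMBLOB column type, the size cap, the allowed types and the function names are assumptions.

```php
<?php
// Added example. Assumptions: mysqli handle $db, table
// Areas(Area_id INT PRIMARY KEY, Image MEDIUMBLOB), form fields "img" and
// "id" as in the posted form. A plain BLOB column holds at most 65,535
// bytes; MEDIUMBLOB holds up to 16 MiB.

const MAX_UPLOAD_BYTES = 2097152;                          // assumed 2 MiB cap
const ALLOWED_TYPES    = ['image/jpeg', 'application/pdf']; // assumed whitelist

/**
 * Check one entry of $_FILES and return the MIME type detected from its
 * content. Throws RuntimeException when the upload must be rejected.
 */
function validateUpload(array $file): string
{
    if (!isset($file['error'], $file['tmp_name']) || is_array($file['error'])) {
        throw new RuntimeException('Malformed upload.');
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        // UPLOAD_ERR_PARTIAL, UPLOAD_ERR_INI_SIZE and friends end up here,
        // so an incomplete transfer is rejected instead of stored.
        throw new RuntimeException('Upload failed with code ' . $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an HTTP upload.');
    }
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File is empty or too large.');
    }
    // $file['type'] and $file['name'] come from the client; look at the bytes.
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($type, ALLOWED_TYPES, true)) {
        throw new RuntimeException('File type not allowed.');
    }
    return $type;
}

/** Store the uploaded file in the Image column of exactly one Areas row. */
function saveAreaImage(mysqli $db, int $areaId, array $file): void
{
    validateUpload($file);

    // The WHERE clause limits the update to the row named by the form.
    $stmt = $db->prepare('UPDATE Areas SET Image = ? WHERE Area_id = ?');
    if ($stmt === false) {
        throw new RuntimeException('Prepare failed: ' . $db->error);
    }
    $blob = null;                                  // placeholder for type "b"
    $stmt->bind_param('bi', $blob, $areaId);

    $fh = fopen($file['tmp_name'], 'rb');          // binary-safe read
    if ($fh === false) {
        throw new RuntimeException('Cannot read the uploaded file.');
    }
    while (!feof($fh)) {
        $chunk = fread($fh, 8192);
        if ($chunk === false) {
            fclose($fh);
            throw new RuntimeException('Read error on the uploaded file.');
        }
        $stmt->send_long_data(0, $chunk);          // raw bytes, no escaping
    }
    fclose($fh);

    if (!$stmt->execute()) {
        throw new RuntimeException('Update failed: ' . $stmt->error);
    }
    $stmt->close();
}

// Call site for a handler such as saveDialog.php ($db is the open connection):
// if (($_POST['obj'] ?? '') === 'uploadImage') {
//     saveAreaImage($db, (int) ($_POST['id'] ?? 0), $_FILES['img'] ?? []);
// }
```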
Re: [PHP] $_GET and multiple spaces.
Andrés Robinet schreef: -Original Message- ... $name = 'mylist[myindex]'; this is almost an invite to moan about how http_build_query() was 'fixed' in 5.1.3 to escape square brackets ... which makes php nolonger do one of the coolest, imho, with regard to incoming GET/POST values - namely auto-convert bracketed request var names into native arrays. at least if those strings are used in anything other than a URL context (form inputs anyone). I would have been nice to have the encoding as an optional switch/argument. Well, almost... the other part of the world that arguably wanted square brackets escaped in http_build_query will be very pleased (let me tell you I don't use http_build_query, but have my own as sometimes PHP 5 is not an option...). I guess they thought http_build_query would always be used in an URL context. But yes... escaping square brackets could be made optional and we get the best of both worlds. Anyway... my point was that names may need escaping, at least in some contexts. But let me ask you because maybe I'm wrong: a href=index.php?list%5Bindex%5D=valueClick/a Wouldn't this be translating into $_GET['list']['index'] == 'value'? As far as I've tested, it is... Also, it seems that [ and ] are unsafe characters according to http://www.ietf.org/rfc/rfc1738.txt ... Maybe that's why they chose to escape square brackets. I'm not a standards freak, but rather a pragmatic man. Just trying to prove a point. you are completely correct, and I agree. I am also pragmatic - it was pragmatism that got me using http_build_query in a non-url context ... I have a ORM-like tool with a generic frontend that creates very complex POST/GET values/strings that describe what I like to call a 'data path' .. which allows you to specify stuff like 'the list [or details] of all subitems belonging to the 3 selected subitems of the item with keyfield values ,Y and Z'. 
this is done using a structure which is a nested array that translates accross requests nicely using http_build_query() - but it means the resulting request parameters names are used in a GET context and in POST context which means using the parameter names in the context of INPUT tag names, and in such cases the encoding is not wanted - it maybe the that encoding is required by certain standards in such a context BUT php doesn't recognise urlencoded square brackets in the way one wants ... namely one doesn't get a neat nesed array in $_POST but rather stuff like: $_POST[e[f][n]] = entityname (as opposed to:) $_POST[e[f][n] = entityname (which is what my ORM-like generic thingy was expecting.) the function I showed isn't name 'inputPost*' for nothing :-) it was specifically written for the task of making request parameter names as generated by http_build_query() usable in the name attribute of input tags and have them behave as they would if found in a GET query string. the only reason I remember all this about http_build_query() is because it: a) totally broke my app/tool at a time when I didn't have control of the php version and didn't have time to actually fix (well I had to make time :-) b) it was quite a headache getting the regexp in question to do exactly what I wanted (e.g. that only square brackets encountered in request variable names should be decoded and those found in request variable values should be left encoded, etc, etc). sometimes it's fun to reminisce :-P /* since php5.1.3 http_build_query() urlencodes square brackets - this does not please us at all, * this function fixes the problem the encoding causes us when using http_build_query() output * in hidden INPUT field names. */ function inputPostQueryUnBorker($s) { // first version - slower? more code! /* return preg_replace('#(\?|(?:amp;)?)([^=]*)=#eU', '\\1'.str_replace(array('%5B','%5D'), array('[',']'), '\\2').'=', $s); //*/ // second version - faster? more compact! 
(should work identically to the above statement. return preg_replace('#%5[bd](?=[^]*=)#ei', 'urldecode(\\0)', $s); } ... -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
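An added example, not the poster's code: the same bracket fix-up written with preg_replace_callback(), since the /e modifier evaluated the replacement string as PHP code, was deprecated in PHP 5.5 and was removed in PHP 7.0. It assumes the character class in the posted pattern was [^&] (the "&" appears to have been lost in the archive); the function names are hypothetical.

```php
<?php
// Added example; function names are hypothetical.

/**
 * Decode %5B and %5D in parameter names only; values stay encoded.
 * Assumed pattern: "%5B" or "%5D" followed, before the next "&", by "=".
 */
function decodeBracketsInNames(string $query): string
{
    $result = preg_replace_callback(
        '#%5[bd](?=[^&]*=)#i',
        static function (array $m): string {
            // $m[0] can only be "%5B" or "%5D" in either case, and it is
            // passed to urldecode() as data, never evaluated as code.
            return urldecode($m[0]);
        },
        $query
    );
    if ($result === null) {
        throw new RuntimeException('PCRE error code ' . preg_last_error());
    }
    return $result;
}

/**
 * Emit hidden inputs for a nested array. Inside an HTML attribute the name
 * and value are wanted fully URL-decoded and then HTML-escaped, because the
 * browser encodes them again when the form is submitted.
 */
function hiddenInputs(array $data): string
{
    $html = '';
    foreach (explode('&', http_build_query($data, '', '&')) as $pair) {
        if ($pair === '') {
            continue;                              // empty input array
        }
        [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
        $html .= sprintf(
            "<input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
            htmlspecialchars(urldecode($name), ENT_QUOTES, 'UTF-8'),
            htmlspecialchars(urldecode($value), ENT_QUOTES, 'UTF-8')
        );
    }
    return $html;
}

// Constructed sample: square brackets occur in a name and inside a value.
$data  = ['e' => ['f' => ['n' => 'entity[name]']], 'page' => 2];
$query = http_build_query($data, '', '&');
$fixed = decodeBracketsInNames($query);

// Round trip: the fixed string must parse back into the nested array.
parse_str($fixed, $roundTrip);
if (($roundTrip['e']['f']['n'] ?? null) !== 'entity[name]') {
    throw new RuntimeException('Round trip failed.');
}

echo $query, "\n", $fixed, "\n", hiddenInputs($data);
```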
Re: [PHP] authentication problems!
by using HTML I meant, typing the address in to the broswer as http://username:[EMAIL PROTECTED]/protected/file.pdf or as using the HTML: a href=http://username:[EMAIL PROTECTED]/protected/file.pdfLink.../a or using the header: header(Location: http://username:[EMAIL PROTECTED]/protected/file.pdf); also, there is no problem retrieving a pdf after passing http basic authentication (I just double checked this on a client's site and was appropriately prompted with a pdf handling dialog box after I authenticated). Of course there is not problem if the user is entering the information him or her self. But just using this code: $file = 'http://miningstocks.com/protected/Dec03PostPress.pdf'; //now view the PDF file header(Content-Type: application/pdf); header(Accept-Ranges: bytes); header(Content-Length: .filesize($file)); readfile($file); from a PHP page where no authentication has occured does not work at all. Let me say, if this is not clear, that I do not want unique usernames and passwords for users. I want one username and password that WILL NEVER BE SEEN by the user. The way that I had planned was to keep ONE username and password which would allow access to all the files in a MySql database. After the user entered his name and email address, the username and password would be fetched off the database, and then authentication would occur with this username and password and the user would be served the file. The authentication would be completely transparent to the user. But the different ways to authenticate transparent to the user either do not work or reveal the username and password (making it pointless to even protect the files in the first place). Best Regards, Scott Taylor [EMAIL PROTECTED] wrote: there are a couple of different ways to do this. the http basic approach will work just fine. with http basic the id/pw are passed in the headers in an encoded string, so i'm not certain about your: if using HTML, the username password is easily seen statement. 
also, there is no problem retrieving a pdf after passing http basic authentication (I just double checked this on a client's site and was appropriately prompted with a pdf handling dialog box after I authenticated). now, http basic assumes that the id/pw are in a file/database/etc. the password is generally encrypted (des or md5) but can be in clear text. so, for this to work, you'd probably need some type of registration page that will store the id/pw info that the apache server will query against. [i strongly recommend using a database, not a file, due to file locking issues.] other approaches to this general issue include a URL mapping scheme. e.g., the public URL would drive the user through a one-time email/name collection process. when the user passes that they are served the document from the actual storage location. they can be done in a way that the true document URL is never shown. obviously you'd have to do this in a way that would give the fake URL as a .pdf so that the client will handle things correctly. -- Original Message -- From: Scott Taylor [EMAIL PROTECTED] To: [EMAIL PROTECTED] Date: Tuesday, January 20, 2004 03:17:21 PM -0500 Subject: [PHP] authentication problems! I am about at my wits end trying to find a good solution to this problem. I've asked various portions of this question to this mail list and still have not found exactly what it is I am looking for, but here it goes. I'm looking for a way to protect my files (this would be pdf files, image files, etc...other things then text/php files) so that for someone to see a current file they will have to enter in their email address and name. Seems fairly simple, and yet I can not figure out how to do it. I've been told of the following alternatives: Protect the files with HTTP auth (basic, or use SSL if very paranoid), then, after entering the info into a database: 1. just link to http://username:[EMAIL PROTECTED]/protect/file.pdf (either directly using html, or use headers). 
The problem: if using HTML, the username password is easily seen. If using headers, this does not work (it is not seen as a PDF file) - my best guess is that the auth headers get passed along and so it does not work. Of course, I can load a PDF using headers if the file is not in a protected directory without any problems at all. But then again it wouldn't be protected to begin with. 1.b. It was later suggested that I could link to http://username:[EMAIL PROTECTED]/protect/file.pdf and use an apache rewrite statement to change every protected file to exclude the username password. But I've posted to an apache group and they have said that this CAN NOT be done. 2. link to something outside of my httpdocs directory. Unfortunately, I am on a shared server and do not have a private folder (or at least my _private directory which is contained
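An added example, not code from the thread: one way to serve the protected files through PHP so that no HTTP username or password ever reaches the browser. It assumes the files stay in the directory the web server already protects, that PHP reads them by filesystem path (the server's HTTP authentication does not apply to local reads), and that the name/e-mail form handler sets a session flag; the path, the flag name and the function names are hypothetical.

```php
<?php
// Added example. PROTECTED_DIR is a placeholder path; 'registered' is an
// assumed session flag set after the name and e-mail address were stored.

const PROTECTED_DIR = '/path/to/httpdocs/protected';

/** Map a requested file name to a real path inside $baseDir, or null. */
function resolveProtectedFile($requested, string $baseDir): ?string
{
    // Accept a bare file name only: a string, no directory part, no NUL.
    if (!is_string($requested) || $requested === ''
        || $requested !== basename($requested)
        || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null;
    }
    // realpath() has resolved ".." and symlinks; the result must still lie
    // inside the protected directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return (is_file($path) && is_readable($path)) ? $path : null;
}

/** Send the file with headers derived from a fixed extension whitelist. */
function sendProtectedFile(string $path): bool
{
    $types = ['pdf' => 'application/pdf', 'jpg' => 'image/jpeg', 'png' => 'image/png'];
    $ext   = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (!isset($types[$ext])) {
        return false;
    }
    // Only safe characters reach the header, so a stored file name cannot
    // inject a quote or a line break into Content-Disposition.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));

    header('Content-Type: ' . $types[$ext]);
    header('Content-Length: ' . filesize($path)); // local path, so this works
    header('Content-Disposition: inline; filename="' . $name . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
    return true;
}

session_start();
if (empty($_SESSION['registered'])) {
    http_response_code(403);
    exit('Please fill in the registration form first.');
}

$path = resolveProtectedFile($_GET['file'] ?? '', PROTECTED_DIR);
if ($path === null || !sendProtectedFile($path)) {
    http_response_code(404);
    exit('Not found.');
}
```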
php-general Digest 22 Mar 2012 05:56:41 -0000 Issue 7738
libmm is optional, and the package maintainers probably had their reasons not to use it anymore. Mine is also compiled without libmm, though I'm on 5.3.10. Is it possible for you to upgrade to the latest version? That might solve the problem too, if not, I suggest to stick with the older one for a while. (and maybe submit a bug report) - Matijn ---End Message--- ---BeginMessage--- Hello. I ran into trouble with a PEAR module and got only a blank (empty) page after filling in a loginform with PEAR::Auth I have error reporting in php.ini that create ordinary error message on my CentOS box, but it do not write error message when using PEAR. In a book I have is PEAR_Error mention, but it did not explain how to get it or run it. If you can help me in this question I am thankful for your time. Karl ---End Message--- ---BeginMessage--- This is a continuation of the nested query thing I posted to the list a while back. I was finally able to output a nested unordered array that worked out well, but scope-creep has come in the door and I have to change gears. I have a project where I have multiple queries and each query uses the results from the previous query to get it's results. I need to do one of two things, either out put a multidimensional array that I can use json_encode() on or I have to format the output from the queries as a JSON string. The resulting JSON will be used by a JavaScript widget and must be formed correctly. 
I created the following array by hand: $userList = array(John = array( email = j...@demo.com, website = www.john.com, age = 22, password = pass, description = array( hair = blonde, eyes = blue, build = medium )), Anna = array( email = a...@demo.com, website = www.anna.com, age = 24, password = pass, description = array( hair = brunette, eyes = hazel, build = petite ) )); I ran it through json_encode() and got the following output {John:{email:j...@demo.com,website:www.john.com,age:22,password:pass,description:{hair:blonde,eyes:blue,build:medium}},Anna:{email:a...@demo.com,website:www.anna.com,age:24,password:pass,description:{hair:brunette,eyes:hazel,build:petite}}} jslint.com verifies this as good JSON (although I thought there had to be square brackets around child arrays). If you were me would you just generate the JSON? If not what is he best way to output an array that will nest properly for each subsequent query? Thanks for any insight! ---End Message--- ---BeginMessage--- On Wed, Mar 21, 2012 at 2:39 PM, Jay Blanchard jay.blanch...@sigmaphinothing.org wrote: ... I have a project where I have multiple queries and each query uses the results from the previous query to get it's results. I need to do one of two things, either out put a multidimensional array that I can use json_encode() on or I have to format the output from the queries as a JSON string. The resulting JSON will be used by a JavaScript widget and must be formed correctly. 
I created the following array by hand: $userList = array(John = array( email = j...@demo.com, website = www.john.com, age = 22, password = pass, description = array( hair = blonde, eyes = blue, build = medium )), Anna = array( email = a...@demo.com, website = www.anna.com, age = 24, password = pass, description = array( hair = brunette, eyes = hazel, build = petite ) )); I ran it through json_encode() and got the following output {John:{email:j...@demo.com,website:www.john.com,age:22,password:pass,description:{hair:blonde,eyes:blue,build:medium}},Anna:{email:a...@demo.com,website:www.anna.com,age:24,password:pass,description:{hair:brunette,eyes:hazel,build:petite}}} jslint.com verifies this as good JSON (although I thought there had to be square brackets around child arrays). Speaking to your belief that arrays had to have square brackets, json_encode examines the PHP array and only encodes sequential numbers JSON arrays. Others (as in your case) are encoded as object literals: http://php.net/manual/en/function.json-encode.php That said, you can still access Javascript Object properties with array access if you prefer in the client code: http
php-general Digest 22 May 2011 14:31:08 -0000 Issue 7323
?xml version=1.0 encoding=UTF-8? it DOES NOT assure the text inside is encoded in UTF-8 so but maybe (many cases) t other iso-xxx method. The point of the header is telling readers what encoding is used. Of course that means errors are possible - setting the header is not magic, it doesn't change the rest of the file. You need to make sure the contents of the file match the encoding from the header when you make XML documents. Anyway, from your perspective, the header is an indication but not a foolproof way of figuring encoding out. My question was for a function that scan the bytes of the file and decided WITHOUT the BOM heading. I mean by checking the bytes sequence in the file. I claim that WITHOUT a BOM it might be impossible to assure it is UTF-8 encoding which is a whole escape sequence logic that may convert one character into one, two or three character. http://se.php.net/manual/en/function.mb-detect-encoding.php - the first comment should be interesting to you. * If you try to use mb_detect_encoding to detect whether a string is valid UTF-8, use the strict mode, it is pretty worthless otherwise. ?php $str = 'áéóú'; // ISO-8859-1 mb_detect_encoding($str, 'UTF-8'); // 'UTF-8' mb_detect_encoding($str, 'UTF-8', true); // false ? Regards Peter -- hype WWW: plphp.dk / plind.dk LinkedIn: plind BeWelcome/Couchsurfing: Fake51 Twitter: kafe15 /hype ---End Message--- ---BeginMessage--- Dear Peter, But my point was different. If you DO NOT have any BOM of a File does mb_detect_encodin can detect the file type by scanning the whole file ?? Thanks Eli On 22/05/2011 09:53, Peter Lind wrote: On 22 May 2011 08:17, Eli Orr (Office)eli@logodial.com wrote: Hi Adam, I have a prof that the XML advise does not work in real cases I had. We are using XMLs in our system but when you edit the XML with a text editor and put the XML heading of UTF-8 ?xml version=1.0 encoding=UTF-8? 
it DOES NOT assure the text inside is encoded in UTF-8 so but maybe (many cases) t other iso-xxx method. The point of the header is telling readers what encoding is used. Of course that means errors are possible - setting the header is not magic, it doesn't change the rest of the file. You need to make sure the contents of the file match the encoding from the header when you make XML documents. Anyway, from your perspective, the header is an indication but not a foolproof way of figuring encoding out. My question was for a function that scan the bytes of the file and decided WITHOUT the BOM heading. I mean by checking the bytes sequence in the file. I claim that WITHOUT a BOM it might be impossible to assure it is UTF-8 encoding which is a whole escape sequence logic that may convert one character into one, two or three character. http://se.php.net/manual/en/function.mb-detect-encoding.php - the first comment should be interesting to you. * If you try to use mb_detect_encoding to detect whether a string is valid UTF-8, use the strict mode, it is pretty worthless otherwise. ?php $str = 'áéóú'; // ISO-8859-1 mb_detect_encoding($str, 'UTF-8'); // 'UTF-8' mb_detect_encoding($str, 'UTF-8', true); // false ? Regards Peter -- Best Regards, *Eli Orr* CTO Founder *LogoDial Ltd.* M:+972-54-7379604 O:+972-74-703-2034 F: +972-77-3379604 Plaut 10, Rehovot, Israel Email: _Eli.Orr@LogoDial.com_ Skype: _eliorr.com_ ---End Message--- ---BeginMessage--- On 22 May 2011 09:03, Eli Orr (Office) eli@logodial.com wrote: Dear Peter, But my point was different. If you DO NOT have any BOM of a File does mb_detect_encodin can detect the file type by scanning the whole file ?? A few points: 1. top-posting on this list is frowned upon. Please bottom-post. 2. I did not write anything about BOM as far as I can recall. 
Neither does the page I linked to contain much about BOM (I really suggest reading it - as pointed out, the first comment should help you) Regards Peter -- hype WWW: plphp.dk / plind.dk LinkedIn: plind BeWelcome/Couchsurfing: Fake51 Twitter: kafe15 /hype ---End Message--- ---BeginMessage--- Thank you Peter. Can you please advise if mb_detect_encodin does detect the file type by its structure / content? Thanks Eli On 22/05/2011 10:12, Peter Lind wrote: On 22 May 2011 09:03, Eli Orr (Office)eli@logodial.com wrote: Dear Peter, But my point was different. If you DO NOT have any BOM of a File does mb_detect_encodin can detect the file type by scanning the whole file ?? A few points: 1. top-posting on this list is frowned upon. Please bottom-post. 2. I did not write anything about BOM as far as I can recall. Neither does the page I linked to contain much about BOM (I really suggest reading it - as pointed out, the first comment should help you) Regards Peter -- Best Regards, *Eli Orr* CTO Founder *LogoDial Ltd.* M:+972-54-7379604 O:+972-74-703-2034 F: +972-77-3379604 Plaut 10, Rehovot, Israel Email: _Eli.Orr@LogoDial.com_
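An added example, not code from the thread: a check that compares what an XML declaration claims with what the bytes actually are, without relying on a BOM. It uses the ISO-8859-1 string from the quoted manual comment as a constructed sample; the function name and the report keys are hypothetical.

```php
<?php
// Added example. Structural validation can prove that bytes are NOT UTF-8.
// It cannot tell single-byte encodings (ISO-8859-x and similar) apart,
// because every byte sequence is valid in those.

/** Report the declared encoding of an XML string and what its bytes show. */
function xmlEncodingReport(string $xml): array
{
    $hasBom = strncmp($xml, "\xEF\xBB\xBF", 3) === 0;

    // Encoding named in the XML declaration, if there is one.
    $declared = null;
    $pattern  = '/^(?:\xEF\xBB\xBF)?<\?xml\b[^>]*?\bencoding\s*=\s*(["\'])([A-Za-z][A-Za-z0-9._-]*)\1/';
    if (preg_match($pattern, $xml, $m) === 1) {
        $declared = strtoupper($m[2]);
    }

    // Strict check of the whole byte sequence against the UTF-8 structure
    // (lead bytes, continuation bytes, no overlong forms).
    $validUtf8 = mb_check_encoding($xml, 'UTF-8');

    // Pure ASCII is valid in UTF-8 and in the ISO-8859 family alike.
    $asciiOnly = preg_match('/[\x80-\xFF]/', $xml) !== 1;

    // A document that declares UTF-8, or declares nothing, must validate.
    $claimsUtf8 = ($declared === null || $declared === 'UTF-8');

    return [
        'bom'        => $hasBom,
        'declared'   => $declared,
        'valid_utf8' => $validUtf8,
        'ascii_only' => $asciiOnly,
        'mismatch'   => $claimsUtf8 && !$validUtf8,
    ];
}

// Constructed samples: the same four letters, once as ISO-8859-1 bytes and
// once as UTF-8 bytes, both under a declaration that says UTF-8.
$header = '<?xml version="1.0" encoding="UTF-8"?>';
$latin1 = $header . "<t>\xE1\xE9\xF3\xFA</t>";
$utf8   = $header . "<t>\xC3\xA1\xC3\xA9\xC3\xB3\xC3\xBA</t>";

foreach (['latin1 bytes' => $latin1, 'utf-8 bytes' => $utf8] as $label => $doc) {
    $report = xmlEncodingReport($doc);
    printf(
        "%s: declared=%s valid_utf8=%s mismatch=%s\n",
        $label,
        $report['declared'] ?? 'none',
        var_export($report['valid_utf8'], true),
        var_export($report['mismatch'], true)
    );
}
```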
php-general Digest 2 May 2004 10:48:04 -0000 Issue 2739
php-general Digest 2 May 2004 10:48:04 -0000 Issue 2739

Topics (messages 185111 through 185135):

Sorting text with multibyte characters
    185111 by: Michal Migurski
    185114 by: Red Wingate
    185117 by: Michal Migurski
Delete records in an Access DB
    185112 by: francesco.automationsoft.biz
    185113 by: Torsten Roehr
Re: Select from 24 tables
    185115 by: Richard A. DeVenezia
    185116 by: Michal Migurski
    185119 by: Travis Low
    185122 by: Michal Migurski
    185124 by: Travis Low
    185125 by: Curt Zirzow
php user management functionality
    185118 by: bruce
    185121 by: Travis Low
Re: reversing an IF statement
    185120 by: Curt Zirzow
Re: Php MySql selection question
    185123 by: Curt Zirzow
Re: creating a mailing list
    185126 by: Manuel Lemos
    185128 by: Curt Zirzow
Re: Installing sendmail in win9X/Me
    185127 by: Manuel Lemos
Re: Batch/Prepared statements for Mysql in PHP
    185129 by: Curt Zirzow
String Question
    185130 by: Dave Carrera
Frage
    185131 by: Draw-A-Line
    185133 by: Jordi Canals
[Newbie Guide] For the benefit of new members
    185132 by: Ma Siva Kumar
Re: https sessions failing to persist
    185134 by: Jordi Canals
Numeric Index of an array
    185135 by: Natascha Chrobok

Administrivia:
To subscribe to the digest, e-mail: [EMAIL PROTECTED]
To unsubscribe from the digest, e-mail: [EMAIL PROTECTED]
To post to the list, e-mail: [EMAIL PROTECTED]
--
---BeginMessage---
Hi,

Does anyone have any thoughts on how to effectively sort text with multi byte characters? I am working on a project that uses lots of German text, and the letters with umlauts don't sort correctly. I'm using the mb_* functions in a few places (to adapt an ASCII-encoded database to XML output for flash, which is always expected to be in UTF-8), but none of them seems to be made for string comparison.

thanks,
-mike.

michal migurski - contact info and pgp key:
sf/ca http://mike.teczno.com/contact.html
---End Message---
---BeginMessage---
Ran into this before, PHP seems to do quite well when you set the locale right ( de_DE ) which will place AÄBCD instead of ABCDÄÖÜ.

Hope this helps :-)

-- red

Michal Migurski wrote:

Hi, Does anyone have any thoughts on how to effectively sort text with multi byte characters? I am working on a project that uses lots of German text, and the letters with umlauts don't sort correctly. I'm using the mb_* functions in a few places (to adapt an ASCII-encoded database to XML output for flash, which is always expected to be in UTF-8), but none of them seems to be made for string comparison. thanks, -mike.

michal migurski - contact info and pgp key:
sf/ca http://mike.teczno.com/contact.html
---End Message---
---BeginMessage---
Ran into this before, PHP seems to do quite well when you set the locale right ( de_DE ) which will place AÄBCD instead of ABCDÄÖÜ. Hope this helps :-)

Thanks, I hadn't thought of that.

michal migurski - contact info and pgp key:
sf/ca http://mike.teczno.com/contact.html
---End Message---
---BeginMessage---
Hi all,

I have this problem: I want to delete records in an Access DB. I use this code:

$query="DELETE FROM Test_Table WHERE name='franco';";
// the connection parameters
$path="d:/inetpub/webs/my_site/mdb-database/";
$db_name="test.mdb";
$dsource=$path.$db_name;
$cn_string="Provider=Microsoft.Jet.OLEDB.4.0;";
$cn_string.="Data Source=$dsource;";
// connection
$cn=new COM("ADODB.Connection");
$cn->open($cn_string);
// Recordset object; send the query with the Open() method
$rs=new COM("ADODB.Recordset");
$rs->open($query,$cn);
// clean Recordset object
$rs->Release();
$rs=null;
/* close connection */
$cn->Close();
$cn->Release();
$cn=null;

but I have this error message:

Fatal error: Call to undefined function: open() in D:\Inetpub\webs\metagenonlinecom\canc.php on line 11

Where is the problem? Is this the correct way to delete records from an Access DB? If this is a bad technique, can you suggest to me what the correct way is?

Thanks in advance to all. (The server where this script runs is a Microsoft server.)

Francesco
---End Message---
---BeginMessage---
So the problem is not the delete statement but that you cannot even open a connection, right?

Have you tried PHP's ODBC functions to connect to the Access DB?: http://de.php.net/manual/en/function.odbc-connect.php

There are some user comments regarding Access - maybe this helps.

Regards, Torsten

[EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

Hi all, I have this problem
php-general Digest 15 Feb 2003 08:32:44 -0000 Issue 1884
Topics (messages 135600 through 135633):

Re: calculating kilobytes
    135600 by: Kevin Stone
    135606 by: joe
    135607 by: Greg Donald
    135633 by: joe
http://www.act.com---CRM
    135601 by: Leonard Burton
Re: need apostrophe solution
    135602 by: Chris Shiflett
Re: text to image
    135603 by: Alex Shi
    135605 by: Alex Shi
    135630 by: Jason Wong
    135632 by: Hugh Danaher
browser identification problem
    135604 by: chip.wiegand.simrad.com
    135612 by: Chris Shiflett
    135629 by: Jason Wong
Urgent Help Needed removing \n\r
    135608 by: Daniel Negron/KBE
    135610 by: Ernest E Vogelsinger
imap_append
    135609 by: Jeff Schwartz
problem with importing fields.
    135611 by: Webmaster MBT
function problem
    135613 by: Peter Gumbrell
    135615 by: Kevin Stone
    135617 by: Peter Gumbrell
    135621 by: Nicholas Wieland
xslt_process problem
    135614 by: Chris
slideshow/flush
    135616 by: Bryan Koschmann - GKT
Re: HTML Mail problem
    135618 by: Manuel Lemos
    135627 by: Mark McCulligh
recursion?
    135619 by: Alex Davis
    135620 by: Bas Jobsen
    135631 by: David Freeman
Re: How does PHP transforms an integer on a string? like 3 onto three
    135622 by: Tom Rogers
redirect
    135623 by: Alex Davis
    135625 by: Greg Donald
SQL Query
    135624 by: Zydox
    135626 by: Dennis Cole
PHP ODBC Problem
    135628 by: Mike

Administrivia:
To subscribe to the digest, e-mail: [EMAIL PROTECTED]
To unsubscribe from the digest, e-mail: [EMAIL PROTECTED]
To post to the list, e-mail: [EMAIL PROTECTED]
--
---BeginMessage---
Joe, you might try something like this instead of a slow PHP function. I based it off of a user example on the PHP site. This is tested and I use it often for various purposes. I think it may be ideal for you because it is extremely fast. Requires Linux though I'm certain there's an equivalent command in Windows.

---
$dir = "/path/to/home/directory/";
// Quote the path before handing it to the shell
$out = shell_exec("find " . escapeshellarg($dir) . " -depth -type f");
// trim() drops the trailing newline so no empty entry is counted
$files = explode("\n", trim((string) $out));
$numfiles = count($files);
$filelist = "";
$totalfilesize = 0;
for ($i = 0; $i < $numfiles; $i++) {
    $filelist .= $files[$i] . "<br>";
    if (false !== ($size = @filesize($files[$i]))) {
        $totalfilesize += $size;
    }
}
echo $numfiles . " files<br>";
// filesize() returns bytes; convert before labelling the total as kilobytes
echo round($totalfilesize / 1024) . " kilobytes total<br>";
echo $filelist;

Let me know how that works for you.

- Kevin

- Original Message -
From: joe [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, February 14, 2003 12:17 PM
Subject: [PHP] calculating kilobytes

hi first of all i think this is a great community here :) now to the point... i need a script. it should work on safe mode php so it should be as simple as possible. it should calculate all the file sizes in the directory that it is in and in the subdirectories also (only 1 level subdirectories). it should echo the total size of the uploaded files. then it should take the filesize and subtract it from 25 megabytes. that is the limit on this server. then it should echo the result (the maximum number of kilobytes that can still fit on this account). unfortunately i have insufficient knowledge to do it myself. i just want to thank anyone who can help me. if you want to send it to my email then its [EMAIL PROTECTED] . or you can just write it here. thank you :)

-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
---End Message---
---BeginMessage---
Jason Wong [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

On Saturday 15 February 2003 03:17, joe wrote:

now to the point... i need a script. it should work on safe mode php so it should be as simple as possible. it should calculate all the file sizes in the directory that it is in and in the subdirectories also (only 1 level subdirectories). it should echo the total size of the uploaded files. then it should take the filesize and subtract it from 25 megabytes. that is the limit on this server. then it should echo the result (the maximum number of kilobytes that can still fit on this account). unfortunately i have insufficient knowledge to do it myself. i just want to thank anyone who can help me.

Most of the functions that you need to accomplish this can be found in chapters 'Directory functions' and 'Filesystem functions'.

-- Jason Wong - Gremlins Associates - www.gremlins.biz Open Source Software Systems Integrators * Web Design Hosting * Internet Intranet Applications Development * -- Search the list archives before you post http://marc.theaimsgroup.com/?l=php
php-general Digest 22 Mar 2004 01:22:55 -0000 Issue 2660
Message---
---BeginMessage---
Hi, I'm looking for a function to check SQL injection in MySQL RDBMS. Please tell me if anyone knows a good function or solution. Thanks
---End Message---
---BeginMessage---
--- Ali Ashrafzadeh [EMAIL PROTECTED] wrote:

I'm looking for a function to check SQL injection in MySQL RDBMS. Please tell me if anyone knows a good function or solution

In my opinion, this is the wrong approach. SQL injection vulnerabilities exist when you use data that the user gave you to create your SQL statement. So, anytime that this happens, simply make absolutely sure that the data you are using from the user fits a very specific format that you are expecting.

To be clear: make sure the data that the user submitted only contains the characters you think are valid (don't bother trying to guess malicious characters - you're sure to miss one) and is a valid length. Once you've done this, and your design helps you to make sure that this step can't be bypassed by the user, you're protected against SQL injection.

There is also a rather handy document available from NYPHP: http://phundamentals.nyphp.org/PH_storingretrieving.php This is good for describing magic_quotes and mysql_escape_string().

Hope that helps.

Chris

=
Chris Shiflett - http://shiflett.org/
PHP Security - O'Reilly Coming mid-2004
HTTP Developer's Handbook - Sams http://httphandbook.org/
PHP Community Site http://phpcommunity.org/
---End Message---
---BeginMessage---
On Sun, 21 Mar 2004 13:49:22 -0800, Chris Shiflett wrote:

To be clear: make sure the data that the user submitted only contains the characters you think are valid (don't bother trying to guess malicious characters - you're sure to miss one) and is a valid length. Once you've done this, and your design helps you to make sure that this step can't be bypassed by the user, you're protected against SQL injection.

Or even better: Use only prepared statements.

-- Hilsen/Regards Michael Rasmussen
-- Be cheerful while you are alive. -- Phathotep, 24th Century B.C.
---End Message---
---BeginMessage---
Jeff Oien wrote:

When I do this:
$lastmonth = mktime(0, 0, 0, date("m")-9, date("d"), date("Y"));

This will not work most of the year: if the current month is August or less, the month value will be negative. Use strtotime('-9 months') instead.
---End Message---
---BeginMessage---
Marek Kilimajer wrote:

Jeff Oien wrote:

When I do this:
$lastmonth = mktime(0, 0, 0, date("m")-9, date("d"), date("Y"));

This will not work most of the year: if the current month is August or less, the month value will be negative. Use strtotime('-9 months') instead.

This code works just fine for me:

$nine_months_ago = mktime(0, 0, 0, date("m")-9, date("d"), date("Y"));
echo date("m/d/Y", $nine_months_ago);

If today is March 21, 2004, then this outputs 06/21/2003. That's exactly nine months ago. See http://www.php.net/date

-- Regards, Ben Ramsey http://benramsey.com http://www.phpcommunity.org/wiki/People/BenRamsey
---End Message---
---BeginMessage---
On Sun, 21 Mar 2004, Marek Kilimajer wrote:

Jeff Oien wrote:

When I do this:
$lastmonth = mktime(0, 0, 0, date("m")-9, date("d"), date("Y"));

This will not work most of the year: if the current month is August or less, the month value will be negative.

mktime() can take negative values just fine.

-Rasmus
---End Message---
---BeginMessage---
I've got a querystring that looks like this:

?url=http%3A%2F%2Ftest.alpharetta.ga.us%2Findex.php%3Fm%3Dlinks%26category%3DRecreation%2B%2526%2BParks%26go.x%3D22%26go.y%3D7

As you can gather, I'm trying to pass a URL to another script for some processing. Before I urlencode() the URL and pass it to the query string, it looks like this:

http://test.alpharetta.ga.us/index.php?m=links&category=Recreation+%26+Parks&go.x=22&go.y=7

As you can see, there are already encoded entities in the URL, which are further encoded when passed through urlencode(). The problem I'm having is that when I urldecode() the string from $_GET['url'], I get the following string:

http://test.alpharetta.ga.us/index.php?m=links&category=Recreation & Parks&go.x=22&go.y=7

It's similar, but the category variable is now "Recreation & Parks" when it needs to be "Recreation+%26+Parks". When I try to use file_get_contents() on this string, I get nothing because of the ampersand and spaces in the URL.

Is there a way to urldecode() $_GET['url'] and still retain its original encoded entities so that I can use it again as a valid URL?

-- Regards, Ben Ramsey http://benramsey.com http://www.phpcommunity.org/wiki/People/BenRamsey
---End Message---
---BeginMessage---
On Monday 22 March 2004 00:03, Ben Ramsey wrote:

[snip] Is there a way to urldecode() $_GET['url'] and still retain its original encoded entities so that I can use it again as a valid URL?

You can base64_encode() it.

-- Jason Wong - Gremlins Associates - www.gremlins.biz Open Source Software Systems
php-general Digest 22 Mar 2004 13:23:02 -0000 Issue 2661
server will not work, internic divert to third and forth server. But I need to keep new server mysql database refreshed. Where can I find best idea to make such a mirror with my existing server and new server?

This is a PHP list. You need to ask on a MySQL list.
---End Message---
---BeginMessage---
do you know best mysql newsgroup address?

Burhan Khalid [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

QT wrote:

Dear Sirs, I have a web site which is keeping user data in mysql. I am afraiding that to collapse of existing server without my control. I want to use another server to keep in standby and I want to set new server DNS as a third and forth server. As far as I know if primary and secondary server will not work, internic divert to third and forth server. But I need to keep new server mysql database refreshed. Where can I find best idea to make such a mirror with my existing server and new server?

This is a PHP list. You need to ask on a MySQL list.
---End Message---
---BeginMessage---
Here's the code:

<?php
$a = 676.6;
$b = 0.175;
$y = $a * (1 + $b);
echo("y: " . $a . " * (1 + " . $b . ") = $y<BR>");
$z = $a + ($a * $b);
echo("z: " . $a . " + ( " . $a . " * " . $b . ") = $z<BR>");
echo("number format(y)=".number_format($y, 2)."<BR>");
echo("number format(z)=".number_format($z, 2)."<BR>");
?>

Here's the output:

y: 676.6 * (1 + 0.175) = 795.005
z: 676.6 + ( 676.6 * 0.175) = 795.005
number format(y)=795.01
number format(z)=795.00

In other words, using two logically equivalent (?) formulae to derive exactly the same result from the same two values results in somehow different results (I guess it's not an issue with number_format() per se, but with associativity or summat...).

Hope it's not an obvious schoolboy error - any ideas?

PHP 4.2.2 Apache 2.0.40 Redhat 7.3

--- Paul Hopkins - Senior Web Developer, Doctor Net - http://www.doc-net.com/

The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. If you received this in error, please contact the sender and delete the material.
---End Message---
---BeginMessage---
On 22 March 2004 10:31, Paul Hopkins wrote:

Here's the code:

<?php
$a = 676.6;
$b = 0.175;
$y = $a * (1 + $b);
echo("y: " . $a . " * (1 + " . $b . ") = $y<BR>");
$z = $a + ($a * $b);
echo("z: " . $a . " + ( " . $a . " * " . $b . ") = $z<BR>");
echo("number format(y)=".number_format($y, 2)."<BR>");
echo("number format(z)=".number_format($z, 2)."<BR>");

Here's the output:

y: 676.6 * (1 + 0.175) = 795.005
z: 676.6 + ( 676.6 * 0.175) = 795.005
number format(y)=795.01
number format(z)=795.00

This is because of the inherent minor imprecision in the way floating point numbers are represented in a computer -- please see the big fat note headed "Floating point precision" at http://www.php.net/manual/en/language.types.float.php. You should never rely on the absolute accuracy of floating point numbers -- even very simple calculations can be off by an infinitesimal but nonetheless significant amount (for example, 10.0/3*3 almost never equals 10.0 ;).

Cheers!

Mike

- Mike Ford, Electronic Information Services Adviser, Learning Support Services, Learning Information Services, JG125, James Graham Building, Leeds Metropolitan University, Beckett Park, LEEDS, LS6 3QS, United Kingdom Email: [EMAIL PROTECTED] Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211
---End Message---
---BeginMessage---
Hey guys,

A server I'm using has PHP compiled into Apache, and I want to leave that alone and just build a CLI version of php. Can I get away with just going:

./configure --with-mysql --prefix=/some/home/dir
make
make install

? I don't want to upset the existing apache installation of PHP or anything, just want a CLI exe in my home dir to do some stuff with.

thanks, neko
---End Message---
---BeginMessage---
On 21 March 2004 16:03, Ben Ramsey wrote:

I've got a querystring that looks like this:

?url=http%3A%2F%2Ftest.alpharetta.ga.us%2Findex.php%3Fm%3Dlinks%26category%3DRecreation%2B%2526%2BParks%26go.x%3D22%26go.y%3D7

As you can gather, I'm trying to pass a URL to another script for some processing. Before I urlencode() the URL and pass it to the query string, it looks like this:

http://test.alpharetta.ga.us/index.php?m=links&category=Recreation+%26+Parks&go.x=22&go.y=7

As you can see, there are already encoded entities in the URL, which are further encoded when passed through urlencode(). The problem I'm having is that when I urldecode() the string from $_GET['url'], I get the following string:

Don't. GET values are automatically urldecoded once by the Web server before they ever reach your script.

Cheers!

Mike

- Mike Ford, Electronic Information Services Adviser, Learning
php-general Digest 8 Oct 2008 10:11:05 -0000 Issue 5724
and print it (this one is very rarely used!).
---End Message---
---BeginMessage---
Dan Joseph wrote:

On Thu, Oct 2, 2008 at 12:35 PM, Jason Pruim [EMAIL PROTECTED] wrote:

SQLTEST: SELECT * FROM `timeStore` WHERE`timein` BETWEEN 1222315200 AND 122292 Could not perform query: Query was empty [EMAIL PROTECTED]

Put a ' around your timestamp numbers. I think that should fix that query. Although I'll admit, I have no way to test that on mysql, but that is how MS SQL works...

Int's don't need quoting in mysql (or postgres, or oracle).. not sure why ms-sql would need that.

-- Postgresql php tutorials http://www.designmagick.com/
---End Message---
---BeginMessage---
I have a series of questions.

How do I count the number of <br />'s in a string?

How do I add text in the middle of a string, let's say after the 3rd <br />

Ron
---End Message---
---BeginMessage---
For the 1st question: http://us.php.net/manual/en/function.substr-count.php

For the second question: http://us.php.net/manual/en/function.strpos.php http://us.php.net/manual/en/function.str-replace.php

Thank you, Micah Gersten onShore Networks Internal Developer http://www.onshore.com

Ron Piggott wrote:

I have a series of questions. How do I count the number of <br />'s in a string? How do I add text in the middle of a string, let's say after the 3rd <br /> Ron
---End Message---
---BeginMessage---
The first question was to find out how long the blog entry was (number of paragraphs.) I am wanting to put an ad in half way. Consequently there are going to be many <br />'s before the one I am wanting to add text to. How should I handle this?

Ron

On Tue, 2008-10-07 at 20:55 -0500, Micah Gersten wrote:

For the second question: http://us.php.net/manual/en/function.strpos.php http://us.php.net/manual/en/function.str-replace.php Thank you, Micah Gersten onShore Networks Internal Developer http://www.onshore.com

Ron Piggott wrote:

I have a series of questions. How do I count the number of <br />'s in a string? How do I add text in the middle of a string, let's say after the 3rd <br /> Ron
---End Message---
---BeginMessage---
Then you'll need this as well: http://us.php.net/manual/en/function.strlen.php

strpos($text, '<br />', intdiv(strlen($text), 2));

Will give you the position. Use str_replace to insert your ad.

Thank you, Micah Gersten onShore Networks Internal Developer http://www.onshore.com

Ron Piggott wrote:

The first question was to find out how long the blog entry was (number of paragraphs.) I am wanting to put an ad in half way. Consequently there are going to be many <br />'s before the one I am wanting to add text to. How should I handle this? Ron

On Tue, 2008-10-07 at 20:55 -0500, Micah Gersten wrote:

For the second question: http://us.php.net/manual/en/function.strpos.php http://us.php.net/manual/en/function.str-replace.php Thank you, Micah Gersten onShore Networks Internal Developer http://www.onshore.com

Ron Piggott wrote:

I have a series of questions. How do I count the number of <br />'s in a string? How do I add text in the middle of a string, let's say after the 3rd <br /> Ron
---End Message---
---BeginMessage---
Ron Piggott wrote:

I have a series of questions. How do I count the number of <br />'s in a string? How do I add text in the middle of a string, let's say after the 3rd <br /> Ron

The simplest way, from experience, is to simply explode('<br />', $the_string). You can then count the array, -1 for the number of br's, and add text to the front and end of each, or indeed add/remove paragraphs before imploding it back together.

If you want more power, most would say use regex or str_ functions, however I'd recommend getting used to the DOMDocument to traverse the html and make fine grained adjustments.

regards,

-- nathan ( [EMAIL PROTECTED] ) { Senior Web Developer php + java + flex + xmpp + xml + ecmascript web development edinburgh | http://kraya.co.uk/ }
---End Message---
---BeginMessage---
PHP framework vs just php ? http://paul-m-jones.com/?p=315

According to the benchmark, just PHP wins by more than 100% over the average framework. Even the fastest, Solar, only manages to serve 154 pages/sec compared to just PHP's 1320 pages/sec.

call me outdated. but i stay with just php!

On 10/8/08, Eric Butera [EMAIL PROTECTED] wrote:

On Tue, Oct 7, 2008 at 2:47 PM, Ashley Sheridan [EMAIL PROTECTED] wrote:

On Tue, 2008-10-07 at 11:20 -0300, uaca man wrote:

Farid, I like to use PRADO(www.pradosoft.com), it is very easy to use for those who are coming from Microsoft .Net platform as it uses the same architecture. I did not like symfony, too much to read before the first example. Angelo

2008/10/6 farid lópez [EMAIL PROTECTED]:

what is your framework??? uacaman. i'm using symfony, but i'm reading the book. it's hard
php-general Digest 1 May 2008 07:55:49 -0000 Issue 5434
Topics (messages 273738 through 273758):

Re: Fun with SOAP.
    273738 by: Larry Brown
    273739 by: Nathan Nobbe
Re: php 5 and mysql failure
    273740 by: Shawn McKenzie
    273741 by: Dan Joseph
check if any element of an array is not empty
    273742 by: afan pasalic
    273743 by: Nathan Nobbe
    273744 by: Richard Heyes
    273745 by: afan pasalic
    273746 by: Nathan Nobbe
Re: Best practices for using MySQL index
    273747 by: Chris
    273749 by: Larry Garfield
    273753 by: Shelley
    273754 by: Shelley
    273755 by: Chris
Variable varialbe with array not working
    273748 by: kronostar.aol.com
problem imap_headerinfo
    273750 by: Richard Kurth
    273751 by: Chris
    273752 by: Kalle Sommer Nielsen
equivalent to perl shift function
    273756 by: Richard Luckhurst
    273757 by: Chris
    273758 by: Richard Luckhurst

Administrivia:
To subscribe to the digest, e-mail: [EMAIL PROTECTED]
To unsubscribe from the digest, e-mail: [EMAIL PROTECTED]
To post to the list, e-mail: [EMAIL PROTECTED]
--
---BeginMessage---
I'm not sure how it looks etc with soapui but I noticed you mentioning you don't want to mess with nusoap. I've used nusoap for both client and server uses for years and I'm really impressed with how easily it works. Using $soapInstance->request and $soapInstance->response the xml is displayed where you can see how it was created based on the array you fed the instance before sending for your message. It makes troubleshooting much easier for me.

That being said I don't send attachments. However just doing a quick google on nusoap attachments (without the quotes) has mention of people sending MIME attachments and one listing an issue with DIME encoded attachments yet another explaining that he solved the DIME encoded issue and referred to wrox book open source webservices page 315 which is an on-line book.

Sorry no quick silver bullet, but I would highly recommend looking at nusoap if only as a test.

Larry

On Wed, 2008-04-30 at 08:21 -0400, Eric Butera wrote:

On Wed, Apr 30, 2008 at 7:35 AM, Eric Butera [EMAIL PROTECTED] wrote:

On Tue, Apr 29, 2008 at 5:07 PM, Nathan Nobbe [EMAIL PROTECTED] wrote:

i know this has nothing to do w/ getting it to work w/ php, eric, but have you tried hitting the service w/ soap ui? http://www.soapui.org/ although its written in java, its an indispensable testing tool, imho, and i always give it a shot when im having soap troubles. i might try to see if you can get a successful response from the service w/ it. -nathan

Hi Nathan! Thanks for the reply. I'm download it as we speak. Hopefully it'll give me some sort of answer as to what is going on. I really haven't found out enough about the SOAP standard enough to know what is expected behavior, etc. I know I can see all of the raw data there, just ext/soap doesn't seem to like the multi-part. Maybe soapUI will give me some sort of answer for this.

After using soapUI I've determined that the SOAP response gives back an envelope and has one attachment. Does anyone know if the SOAP extension can handle attachments? I'd really rather not mess around with nusoap or the pear soap package. I don't see anywhere on the manual where it is possible to download attachments. Hopefully someone else has dealt with this before.

-- Larry Brown [EMAIL PROTECTED]
---End Message---
---BeginMessage---
On Wed, Apr 30, 2008 at 1:53 PM, Larry Brown [EMAIL PROTECTED] wrote:

Sorry no quick silver bullet, but I would highly recommend looking at nusoap if only as a test.

additionally, i could not find any occurrence of 'attachment' grepping through the c code in the soap extension or the rpc extension..

-nathan
---End Message---
---BeginMessage---
Yehudi Alexis Garrett wrote:

I'm using a php script which performs three xml queries to other three servers to retrieve a set of ids and after I do a query to mysql of the kind SELECT * FROM table WHERE id IN ('set of ids'); Although I'm sure the connection to the database is ok, I sometimes get an error of this kind:

*Warning*: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in ...

This does not happen every time i run the script, only sometimes. If I echo the query, copy and paste in phpmyadmin, or if I perform the same query in a script that does only the query without the rest it works! After troubleshooting this issue I noticed that it usually failed when I had a big set of ids (positive response from more than one server). This means that the script used a bigger amount of memory and probably more resources, but I did not get an out of memory error, I got the one described before. My
php-general Digest 23 Aug 2003 06:02:48 -0000 Issue 2253
the name of the company is 'IBM'. , the URL with the query string would look like : http://masterstream.com/CRM/full_profile_1.php?name=IBM

Now one of the records had a name : PSG & Inc. , in this case the URL with the query string would look like http://masterstream.com/CRM/full_profile_1.php?name=PSG%20&%20Inc.

However in the case of the latter I am not able to pull out any records from the MySQL database. It says that no records with the name were found. I went ahead and tweaked the name of the company, to remove the & sign in 'PSG & Inc.' Now the query works fine. Can some one throw some light here. I am sure something minor is to be done when passing the name of the company in the parent script.

Thanks in advance
--Pushpinder
---End Message---
---BeginMessage---
On Fri, 2003-08-22 at 12:05, Pushpinder Singh Garcha wrote:

Hello All, I am using an application where I retrieve user profile from a MySQL DB using the Company Name . I pass the name of the company to the PHP script as a '$_GET' parameter. e.g. when the name of the company is 'IBM'. , the URL with the query string would look like : http://masterstream.com/CRM/full_profile_1.php?name=IBM Now one of the records had a name : PSG & Inc. , in this case the URL with the query string would look like http://masterstream.com/CRM/full_profile_1.php?name=PSG%20&%20Inc

no, this is not how it should look... the '&' in the above query string is saying the variable 'name' ends and a new variable follows. If you are submitting this in a form using method=get... it should look something like:

?name=PSG+%26+Inc

if you are really passing this in a form using method=get, then this should be handled automatically. how are you accessing the passed variable? $_GET['name'] ??
---End Message---
---BeginMessage---
From: Pushpinder Singh Garcha [EMAIL PROTECTED]

I am using an application where I retrieve user profile from a MySQL DB using the Company Name . I pass the name of the company to the PHP script as a '$_GET' parameter. e.g. when the name of the company is 'IBM'. , the URL with the query string would look like : http://masterstream.com/CRM/full_profile_1.php?name=IBM Now one of the records had a name : PSG & Inc. , in this case the URL with the query string would look like http://masterstream.com/CRM/full_profile_1.php?name=PSG%20&%20Inc. However in the case of the latter I am not able to pull out any records from the MySQL database. It says that no records with the name were found. I went ahead and tweaked the name of the company, to remove the & sign in 'PSG & Inc.' Now the query works fine. Can some one throw some light here. I am sure something minor is to be done when passing the name of the company in the parent script.

The & character separates variables in the query string, so it must be encoded if it appears in the data. Take a look at http://us2.php.net/urlencode

---John Holmes...
---End Message---
---BeginMessage---
Thanks for the link,

$link = $row['company'];
<a href=\"full_profile_1.php?name=', urlencode($link),' \">

However this does not seem to work / what am I missing ?

Thanks
-Pushpinder

On Friday, August 22, 2003, at 03:23 PM, CPT John W. Holmes wrote:

From: Pushpinder Singh Garcha [EMAIL PROTECTED]

I am using an application where I retrieve user profile from a MySQL DB using the Company Name . I pass the name of the company to the PHP script as a '$_GET' parameter. e.g. when the name of the company is 'IBM'. , the URL with the query string would look like : http://masterstream.com/CRM/full_profile_1.php?name=IBM Now one of the records had a name : PSG & Inc. , in this case the URL with the query string would look like http://masterstream.com/CRM/full_profile_1.php?name=PSG%20&%20Inc. However in the case of the latter I am not able to pull out any records from the MySQL database. It says that no records with the name were found. I went ahead and tweaked the name of the company, to remove the & sign in 'PSG & Inc.' Now the query works fine. Can some one throw some light here. I am sure something minor is to be done when passing the name of the company in the parent script.

The & character separates variables in the query string, so it must be encoded if it appears in the data. Take a look at http://us2.php.net/urlencode

---John Holmes...

-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
---End Message---
---BeginMessage---
I am looking for a way to say "please wait generating thumbnails..." while actually doing so. I have tried calling the JavaScript alert() function before starting the image processing but it waits for the page to complete loading before displaying the alert box. anyone have any ideas on this??

BTW: at the time I am trying to display a message I have already started output to the browser.

--- Jeffrey D. Means CIO for MeansPC [EMAIL PROTECTED] --- Outgoing mail is certified Virus Free
php-general Digest 14 May 2009 09:19:17 -0000 Issue 6120
php-general Digest 14 May 2009 09:19:17 - Issue 6120 Topics (messages 292558 through 292562): Re: how to enable ttf support in php 5.2.9 292558 by: Ross McKay Re: handling chunked input from php://stdin 292559 by: whisperstream Re: fileinfo on RHEL5 292560 by: Michael A. Peters Re: shell_exec problem with bsdtar 292561 by: Lester Caine Cannot output the same data from text file in PHP 292562 by: Moses Administrivia: To subscribe to the digest, e-mail: php-general-digest-subscr...@lists.php.net To unsubscribe from the digest, e-mail: php-general-digest-unsubscr...@lists.php.net To post to the list, e-mail: php-gene...@lists.php.net -- ---BeginMessage--- Ashley Sheridan wrote: Great idea in theory, if you can guarantee that they'll *only* be using MS Office to paste from. In my experience, you can only guarantee on the stupidity of the end users, nothing else. I was mostly being facetious :) The only thing that really works is getting the users to cooperate by giving them a button for Word and a button for Text and explaining to them how it *helps them* to use those buttons properly. But that only works while they remember, and they never remember when they're in a hurry (which is always). -- Ross McKay, Toronto, NSW Australia Darwin's rolling over in his coffin, 'cos the fittest are surviving much less often - NOFX ---End Message--- ---BeginMessage--- Thanks for the code, but I figured out the issue I was having. My problem was actually getting the data not parsing chunked text. After taking a wireshark trace of the traffic I realised that the chunked xml didn't even hit the php process and instead died somewhere in IIS's fastcgi process. If anyone else stumbles upon this, here is the problem and my solution. Production env was IIS 6.0, php 5.2.9-2, installed as module under fastcgi. 
XML posted form services was sent to the php script responsible for handling it However, if the xml data was chunked, IIS would die with a 500 Server Error message and the php processor would never even see the xml. From what I can gather (really not a whole lot of data out there), fastcgi under IIS 6.0 doesn't seem to handle chunked transfer-encoded data...(it seems like such a major flaw that I'm wondering if I missed some configuration setting to get it to work?) Solution: Since php5.2.9-2 no longer has the isapi module, I had to uninstall 5.2.9-2 and instead installed 5.2.6 with the php5isapi.dll. Once that was configured I retested and hey presto, the chunked data is sent to the php process without error. I didn't even need to decode the chunked data as it is done before I even get access to the data. Spent a day trying to figure out what was wrong, hopefully it'll save someone else some time. Nathan Rixham wrote: Shawn McKenzie wrote: whisperstream wrote: I have a server running that receives xml formatted events from other services I have no control over. For certain events the transfer-encoding is chunked. I was just doing $input = file_get_contents('php://stdin'); and this works well until there is chunked input. Then I tried $handle = fopen('php://input', rb); $input = ''; while (!feof($handle)) { $input .= fread($handle, 8192); } fclose($handle); And that gives about the same result, has anyone else come across this and how did they solve it? Thanks in advance There aren't really many examples around, but check http_chunked_decode() from PECL. simples! 
function HTTPChunkDecoder( $chunkedData )
{
    $decodedData = '';
    do {
        // Split the hexadecimal chunk-size line from the rest of the body
        $tempChunk = explode(chr(13).chr(10), $chunkedData, 2);
        $chunkSize = hexdec($tempChunk[0]);
        $decodedData .= substr($tempChunk[1], 0, $chunkSize);
        // Skip the chunk data and the CRLF that terminates it
        $chunkedData = substr($tempChunk[1], $chunkSize+2);
    } while (strlen($chunkedData) > 0);
    return $decodedData;
}

-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php

-- View this message in context: http://www.nabble.com/handling-chunked-input-from-php%3A--stdin-tp23512171p23533268.html Sent from the PHP - General mailing list archive at Nabble.com.
---End Message---
---BeginMessage---
brian wrote:

RHEL5/PHP 5.1.6 I'm having some trouble getting the Fileinfo package working. It installed fine, and phpinfo() says it's enabled. But it consistently returns an empty string when getting the MIME of a file.

/usr/share/pear/bin/pecl install fileinfo
vi /etc/php.d/fileinfo.ini
extension=fileinfo.so
ln -s /usr/share/file/magic /etc/magic.mime

The code:

define('FINFO_PATH', '/usr/share/file/magic');
...
$fi = new finfo(FILEINFO_MIME, FINFO_PATH);
$type = $fi->file($file_path);

$type is always empty. And, yes, the path to the file is good. This works fine on the dev box (PHP 5.2.6). Unfortunately, the decision to use RHEL5 for production was out
php-general Digest 23 Feb 2004 17:11:59 -0000 Issue 2607
will still actually be there (view the source to see) it's just that HTML won't render them the way you're expecting. The spaces will be converted into a single space and the line-feeds/carriage returns won't do anything either unless you're using a fixed-width font. Two choices: Convert the non-displaying characters to their HTML equivalents (i.e. space to nbsp;) or wrap the text in a pre tag. -- Best regards, Richard Davey http://www.phpcommunity.org/wiki/296.html ---End Message--- ---BeginMessage--- From: Miguel J. Jiménez [mailto:[EMAIL PROTECTED] You must convert \n to br and spaces to nbsp; You can use strreplace() or some other function that exist in PHP just for that... nl2br() should do that. Usage: nl2br($foo) $foo is your textarea variable. ---End Message--- ---BeginMessage--- Jason, Have no worries, I'm not looking for anyone to write my code for me. It's precisely because the str_replace command is so simple that I figure if the results are strange that there is something I don't understand. And I want to understand it, not just be given code to copy and paste. As it turns out, by experimenting with the var_dump() command that you recommended (which I wasn't aware of), I learned that what was going wrong was that the line breaks coming out of my MySQL DB aren't just \n, but \r\n. So swapping around the elements I was replacing, and experimenting, was not going to do me much good until I knew this. So now it's working, and largely thanks to the suggestions you gave. I would never have been able to guess on my own at using var_dump() in order to get at the solution. Please don't assume that just because a query is simple that it means that the person asking is not willing to work or that they haven't already attempted to work at it. Sometimes it just means that the person asking doesn't know all the angles possible. Thanks for your help. -- Yoroshiku! 
Dave G [EMAIL PROTECTED] ---End Message--- ---BeginMessage--- On Monday 23 February 2004 19:12, Dave G wrote: So now it's working, and largely thanks to the suggestions you gave. I would never have been able to guess on my own at using var_dump() in order to get at the solution. Please don't assume that just because a query is simple that it means that the person asking is not willing to work or that they haven't already attempted to work at it. Sometimes it just means that the person asking doesn't know all the angles possible. It's good to know you've solved your problem. I hope you appreciate that my suggestions will be of more use to you in the long run than a straight forward answer to your problem. It's better to teach someone how to fish than to do the fishing for them. -- Jason Wong - Gremlins Associates - www.gremlins.biz Open Source Software Systems Integrators * Web Design Hosting * Internet Intranet Applications Development * -- Search the list archives before you post http://marc.theaimsgroup.com/?l=php-general -- /* You may easily play a joke on a man who likes to argue -- agree with him. -- Ed Howe */ ---End Message--- ---BeginMessage--- Hi, I'm trying to get a 500 character split of a string, I only want about the fist 500 characters, I would like to split on a space, which I have managed to do so far, but I would also like the split to not take place inside an HTML tag, so that I don't end up with weird looking pages. I was trying to use strip_tags() error checking to tell me whether I my string was valid html or not. If it's not valid html then I would like to split before that part of the html begins. Possibly even as simply as removing the last 10 characters (to the nearest space) until I get valid HTML. Can anyone help me get a way to split my text at around the 500 character mark without breaking any HTML which may be inside the string I am displaying on the page? 
Also, if you're interested in the strip_tags() problem I was speaking about then take a look at: http://better.domain.name/php/strip.php there is a link to the source on the page. Regards, Stuart Gilbert. ---End Message--- ---BeginMessage--- Hi I'm trying to encode text entered into an html form. In dreamweaver, special characters seem to be encoded as #8220; (a curly quote) for example, which I assume is utf-8. Here is my code snippet: htmlentities(html_entity_decode(strip_tags(stripslashes(trim($data, ENT_QUOTES), ENT_QUOTES, utf-8) but this does not seem to return the encoded value. I've tried all the character sets, but none of them seem to do anything apart from the windows specific character set, which doesn't return the value I want. I've tried using html_entity_decode with uft-8, but it throws an error saying that the function doesn't support MBCS (Multibyte character sets???) I've also tried using utf8_encode() before trying to html encode, but this doesn't work
php-general Digest 21 May 2001 13:20:48 -0000 Issue 699
etc), the overhead would increase and increase. i thought php has always cached compiled scripts (since it is fast enough for me so far), but the fact is it does not. without cacher like apc or zend cache, mod_php is no better than cgi, except it avoids per-request forking and configuration parsing. why oh why doesn't php/plain zend cache scripts in the first place? :-/ Regards, Steve On 20/05/2001 20:53, Christopher Leigh wrote: ok, are servlets/jsp faster than php4? since zend cache isn't free... :( -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED] Hi All, I have a form where i let people choose a file to upload, but i want to limit them to image files only. So i want to only allow the .gif and .jpg to be uploaded. What i tried doing was this: if ($filename_type == image/gif) -- upload file otherwise give an error message! but for some reason this doesn't work. It uploads any kind of file without complaint! So what am i doing wrong? Is there another operator to compare strings for instance? Or what is the problem? Thanks! = Heidi Belal ICQ# 32127109 A bus stops at a bus station. A train stops at a train station. On my desk I have a work station... __ Do You Yahoo!? Yahoo! Auctions - buy the things you want at great prices http://auctions.yahoo.com/ On Monday 21 May 2001 08:03, Heidi Belal wrote: I have a form where i let people choose a file to upload, but i want to limit them to image files only. So i want to only allow the .gif and .jpg to be uploaded. What i tried doing was this: if ($filename_type == image/gif) -- upload file otherwise give an error message! but for some reason this doesn't work. It uploads any kind of file without complaint! So what am i doing wrong? Is there another operator to compare strings for instance? Or what is the problem? == is perfectly fine for string comparison. 
Try doing a echo '$filename_type'; and (generally) a phpinfo (); to see what's passed to your script. -- Christian Reiniger LGDC Webmaster (http://sunsite.dk/lgdc/) Those who will not reason, are bigots, those who cannot, are fools, and those who dare not, are slaves. - George Gordon Noel Byron (1788-1824), [Lord Byron] I'm trying to test the gz_handler, among other things, but I have no idea if the output is actually gzip encoded. I'm using PHP 4.0.5 as an Apache module, and here's an example of a test script: ?php ob_start(ob_gzhandler); ? pThis should be compressed. [bunch of text here just to ensure it's big enough to be encoded. the file size is about 5700kb] ?php ob_end_flush(); ? I'm using IE 5.5 to view the page, and PHP shows the HTTP_SERVER_VARS[HTTP_ACCEPT_ENCODING] variable as gzip, deflate, so the browser is saying it supports gzip content. Now the question is, how do I actually know if the browser is getting gzip content? Plutarck On Monday 21 May 2001 08:14, Plutarck wrote: I'm trying to test the gz_handler, among other things, but I have no idea if the output is actually gzip encoded. You could try using wget with a custom Http-Accept-Encoding: header -- Christian Reiniger LGDC Webmaster (http://sunsite.dk/lgdc/) Those who will not reason, are bigots, those who cannot, are fools, and those who dare not, are slaves. - George Gordon Noel Byron (1788-1824), [Lord Byron] First, i'm sorry if this is an out of topic subject, but i've try to post this email to one of postgres mailing list, and i can't find any help there. i wish, if one of you know the solutions of my problem, you can share it with me. i create a little stored procedure using plpgsql from pgaccess. function input is table name where the function will simply iterate along each record in the table and raise notice for each of them. when i run this function from shell command using : select browse_table('sex'), the function error with error message 'ERROR: parser: parse error at or near $2'. 
As i concern, this error came from the line i mark because the function can't receive variable 'table_name' to generate query. i'm new here, so can some body help me, please the source code is below. === DECLARE table_name ALIAS for $1; each_row RECORD; BEGIN FOR each_row IN select * from table_name LOOP == i believe this's an error source raise notice 'row'; END LOOP; END; === function description : function name : browse_table returns : bpchar parameters: bpchar language : plpgsql -toto- Hello, you should execute your select statement as an dynamic query, because plpgsql assumes that there is valid / parseable query (and not a string c
php-general Digest 20 May 2002 03:20:44 -0000 Issue 1355
example or give a small hint on what to look for on google. Sound interesting! I tryed to to perform a createfromjpeg command to that file and it did not work. So the magic is to save it in photoshop for web and then as jpeg and not with save as (jpeg). But this gives me a headache, because how do user know the difference? The file extension is jpeg and all programms can display it. Maybe there is a way in php as well to do a kind of createfromjpeg commmand?! Thanx, Andy Miguel Cruz [EMAIL PROTECTED] schrieb im Newsbeitrag [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... On Sun, 19 May 2002, andy wrote: I do have trouble with finding out if a file is a jpeg or not. This is the command I am using: $_FILES[picture_location][type] works fine exept in one case: With Photoshop 6.0 I do open the jpeg (which workes fine) an save as jpeg as another file name. Then upload the new file. This returns a type called: application/octet-stream So what is this type anyway. I do know jpeg and jpg and pjpeg but octed-stream?! application/octet-stream just means a generic binary file. I don't think that $_FILES[]['type'] is really all that useful for getting reliable information about a file, since it just trusts the browser/user, which could be uninformed, misinformed, or deliberately dishonest. Either pass the temp file to the unix 'file' command or peek inside it on your own (check the 'magic' file that comes with the unix 'file' command for details on what to look for). miguel ---End Message--- ---BeginMessage--- Does anyone know how I can test (and see) if my ob_gzhandler() is working? I've written the following script, and run it from the command line to see the output -- hoping it's encoded -- it isn't -- so I want to make sure I'm doing it right. ? header(Accept-Encoding: gzip, deflate); ob_start(ob_gzhandler); ? some HTML code ? ob_end_flush(); ob_end_clean(); ? 
I save then run the file: C:php test.php Thanks ---End Message--- ---BeginMessage--- I doubt that'll work, as I don't think the gzhandler code will send gzipped data without a successful negotiation with the client (which can't happen at the command line). As others have suggested, the easiest way is probably to use lynx's --mime_header option. miguel On Sun, 19 May 2002, Jason Caldwell wrote: Does anyone know how I can test (and see) if my ob_gzhandler() is working? I've written the following script, and run it from the command line to see the output -- hoping it's encoded -- it isn't -- so I want to make sure I'm doing it right. ? header(Accept-Encoding: gzip, deflate); ob_start(ob_gzhandler); ? some HTML code ? ob_end_flush(); ob_end_clean(); ? I save then run the file: C:php test.php Thanks ---End Message--- ---BeginMessage--- Will browsers that receive gzip encoded pages, transmit gzip encoded POST or GET data back? Jason Jason Caldwell [EMAIL PROTECTED] wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... Does anyone know how I can test (and see) if my ob_gzhandler() is working? I've written the following script, and run it from the command line to see the output -- hoping it's encoded -- it isn't -- so I want to make sure I'm doing it right. ? header(Accept-Encoding: gzip, deflate); ob_start(ob_gzhandler); ? some HTML code ? ob_end_flush(); ob_end_clean(); ? I save then run the file: C:php test.php Thanks ---End Message--- ---BeginMessage--- Hello I have a string like $str=Hello World ; and i want to find the first occurance of any one of the char in or $sp=strpos($str,) Did not work, beacuse in this I can give only one char Can i give filter in this as [ ] If yes then how? Or any other idea to get this ... -- Bye, and Have a nice day. Prachait Saxena If you do for other's ! Other's will do for you !! 
Visit me at http://www.sitesontesting.com/prachait
---End Message---
---BeginMessage---
Prachait Saxena [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

I have a string like $str=Hello World ; and i want to find the first occurrence of any one of the char in or $sp=strpos($str,) Did not work, because in this I can give only one char

function strpos_multi($str, $chars)
{
    $firstpos = $badvalue = strlen($str);
    $numchars = strlen($chars);
    for ($i = 0; $i < $numchars; $i++) {
        $ch = substr($chars, $i, 1);
        $pos = strpos($str, $ch);
        if ($pos !== false)    // NOTE: op is bang-equals-equals
            $firstpos = min($pos, $firstpos);
    }
    if ($firstpos == $badvalue)
        return -1;
    else
        return $firstpos;
}

$charpos = strpos_multi($str, );
---End Message---
---BeginMessage---
Hello I have a string like $str=Hello World ; and i want to find the first occurrence of any one of the char in or $sp=str
php-general Digest 15 Sep 2006 18:39:46 -0000 Issue 4349
--- ---BeginMessage--- Hi from Spain. This is my first post and im sure it wont be last :) AraDaen ---End Message--- ---BeginMessage--- Hi AraDaen, and welcome to the list ;-) On Sep 15, 2006, at 7:32 AM, AraDaen wrote: Hi from Spain. This is my first post and im sure it wont be last :) AraDaen -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php ---End Message--- ---BeginMessage--- RTFM Oops, sorry, that seems to be everyone favourite so thought i would be the first one to say it... and welcome to the list :) Cheers! -- - The faulty interface lies between the chair and the keyboard. - Creativity is great, but plagiarism is faster! - Smile, everyone loves a moron. :-) __ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com ---End Message--- ---BeginMessage--- Lea el f**king manual! On 15/09/06, Ryan A [EMAIL PROTECTED] wrote: RTFM Oops, sorry, that seems to be everyone favourite so thought i would be the first one to say it... and welcome to the list :) Cheers! -- - The faulty interface lies between the chair and the keyboard. - Creativity is great, but plagiarism is faster! - Smile, everyone loves a moron. :-) __ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- http://www.web-buddha.co.uk http://www.projectkarma.co.uk ---End Message--- ---BeginMessage--- Hi. I need to send large binary data over http post (so that urlencoding or base64 encoding is not an option). I use request like this: http://people.ksp.sk/~mmx/request (there is a zero byte between A and B). There are 3 bytes of data, but when I do ?php echo strlen($HTTP_POST_VARS['DATA']); ? it yields 1 (it truncates the string after the first zero byte). Is there a way to access all of the binary post data correctly? Thanks in advance for any advice. 
-- Marek 'MMx' Ludha
---End Message---
---BeginMessage---
Marek 'MMx' Ludha wrote:

I need to send large binary data over http post (so that urlencoding or base64 encoding is not an option). I use request like this: http://people.ksp.sk/~mmx/request (there is a zero byte between A and B). There are 3 bytes of data, but when I do <?php echo strlen($HTTP_POST_VARS['DATA']); ?> it yields 1 (it truncates the string after the first zero byte). Is

The fact you're accessing it as an element of $HTTP_POST_VARS (which should be $_POST anyway) means it's expected to be URL encoded. Instead set your request Content-Type to octet-stream and grab the whole post body at once. eg.

// To send...
$c = stream_context_create(
    array(
        'http' => array(
            'method' => 'post',
            'header' => 'Content-Type: application/octet-stream',
            'content' => "whatever you want \x00 here"
        )
    )
);
file_get_contents('http://example.com/foo.php', false, $c);

// To receive
$data = file_get_contents('php://input');
---End Message---
---BeginMessage---
As I read through my first email again I see I didn't write clearly what I intended, sorry for this. I already have an application that sends binary data with requests like the one mentioned before. Now I need to parse those requests using PHP. Since the content-type is multipart/form-data, neither php://input nor $HTTP_RAW_POST_DATA works. That request type was taken from an example from w3c webpage (http://www.w3.org/TR/html4/interact/forms.html#h-17.13.4), so I believe there will not be much trouble parsing them.

On 9/15/06, Arpad Ray [EMAIL PROTECTED] wrote:

The fact you're accessing it as an element of $HTTP_POST_VARS (which should be $_POST anyway) means it's expected to be URL encoded. Instead set your request Content-Type to octet-stream and grab the whole post body at once. eg.

// To send...
$c = stream_context_create(
    array(
        'http' => array(
            'method' => 'post',
            'header' => 'Content-Type: application/octet-stream',
            'content' => "whatever you want \x00 here"
        )
    )
);
file_get_contents('http://example.com/foo.php', false, $c);

// To receive
$data = file_get_contents('php://input');
---End Message---
---BeginMessage---
Hi all. I am building an online events listing and when I run the following query I get the expected result set:

SELECT events.id AS eventid, name, postcode, start_time, dates.date
FROM events, dates_events, dates
WHERE dates_events.event_id = events.id and dates_events.date_id = dates.id
AND dates.date = '$start_string' AND dates.date = '$end_string'
ORDER BY date ASC

...however, when I look for a one-off event the following query fails:

SELECT events.id AS eventid, name, postcode, start_time, dates.date
FROM events, dates_events, dates
WHERE dates_events.event_id
php-general Digest 10 Sep 2002 15:53:46 -0000 Issue 1577
php-general Digest 10 Sep 2002 15:53:46 - Issue 1577 Topics (messages 115806 through 115859): E-mail a submit 115806 by: Chuck \PUP\ Payne Re: QUery success, but blank results/variables 115807 by: Tom Rogers 115809 by: David Freeman Brainfart while uploading 115808 by: César Aracena form variables 115810 by: Hans Prins 115811 by: Chris Shiflett 115815 by: Hans Prins 115817 by: Justin French Re: LDAP (NDS) authentication example... 115812 by: joshua Need more memory... possible to set? 115813 by: Damian Harouff Re: Problems with GD 2.0.1 115814 by: Tim Re: Brainfart while uploading -- SOLVED -- Sorry ;) 115816 by: César Aracena message board and gb... 115818 by: Matt Zur Re: header(location: ) causes GET vars to be encoded in wrong charset in IE5.5 115819 by: Jean-Christian Imbeault 115825 by: Chris Shiflett 115826 by: Chris Shiflett 115827 by: . Edwin 115828 by: . Edwin Count in PHP 115820 by: Chuck \PUP\ Payne 115821 by: Martin Towell 115822 by: Tyler Longren 115823 by: Jome 115831 by: xdrag changing session name 115824 by: Mohd_Q 115830 by: Luke Welling 115833 by: Erwin Re: POST form variables not being sent to destination page 115829 by: Erwin Re: dropdown Newbie question 115832 by: Mario Ohnewald 115834 by: yasin inat Generating CSV files on the fly and getting the browser to download 115835 by: Henry 115836 by: lallous 115837 by: Henry 115838 by: Dave at Sinewaves.net 115839 by: Erwin DPHPEdit new version 115840 by: Davor Pleskina PhpMyAdmin and PHP4.2.* Too many I/Os 115841 by: Jean-Pierre Arneodo Mail() function problem 115842 by: Alva Chew 115852 by: Pekka Saarinen Re: Upload Progress 115843 by: electroteque Re: checkbox question 115844 by: B.C. 
Lance 115850 by: Craig Donnelly Trying to add table prefix variable to query 115845 by: Verdon Vaillancourt 115846 by: Jay Blanchard 115847 by: bbonkosk.tampabay.rr.com Populating Other People's Forms 115848 by: Mike At Spy Re: Trying to add table prefix variable to query (solved) 115849 by: Verdon Vaillancourt random array sort 115851 by: ROBERT MCPEAK 115853 by: Mike At Spy 115854 by: David Rice 115855 by: Mike At Spy 115856 by: Jacob Miller Handling variables POSTed from form 115857 by: Wm Verify phone format? 115858 by: Jeff Lewis Re: random array sort -- array() selection quant?? 115859 by: ROBERT MCPEAK Administrivia: To subscribe to the digest, e-mail: [EMAIL PROTECTED] To unsubscribe from the digest, e-mail: [EMAIL PROTECTED] To post to the list, e-mail: [EMAIL PROTECTED] -- ---BeginMessage--- Hi, Is there a way that when someone add a submit or edits a record that I can have my php page e-mail that record? And is hard to do? Chuck Payne ---End Message--- ---BeginMessage--- Hi, Tuesday, September 10, 2002, 1:41:23 PM, you wrote: PH Hello everyone..tryin to run this qry against a mysql db, but after it runs, PH it doesn't assign anything to the variables as it should. If i return all PH rows, and spit out each record in the result in an array, i have the same PH problem, but have 24 'blank' records instead of 1. Any ideas? Thanks for any PH input. I tried doing a print mysql_error(); after the query and the result, PH but it doesn't return anything. Column names, db name, and WHERE clause are PH all spelled correctly, and the $currenttaskid is populated (as 1)... 
PH $detailqry = SELECT id, parentitemid, itemtypeid, itemstatusid, PH itemlevelid, shortdescription, PH createdby_memberid, assignedto_memberid, completedby_memberid, createddate, PH assigneddate, PH estcompletiondate, completeddate, projectid, lastuserid, lastdate FROM item PH WHERE id=$currenttaskid; PH $result = mysql_query($detailqry) or die(Failed finding task details); PH$taskid = $result[id]; PH$taskparentitemid = $result[parentitemid]; PH$taskitemtypeid = $result[itemtypeid]; PH$taskitemstatusid = $result[itemstatusid]; PH$taskitemlevelid = $result[itemlevelid]; PH$taskshortdescription = $result[shortdescription]; PH$createdbyid = $result[createdby_memberid]; PH$assignedtoid = $result[assignedto_memberid]; PH$completedbyid = $result[completedby_memberid]; PH$taskcreateddate = $result[createddate]; PH$taskassigneddate = $result[assigneddate]; PH$taskestcompletiondate = $result[estcompletiondate]; PH$taskcompleteddate = $result[completeddate]; PH$taskprojectid = $result[projectid]; PH
php-general Digest 24 Jul 2008 10:08:38 -0000 Issue 5586
, this is super-easy, cause the paths are exactly the same. anyway, what you want to do here, is on this initial screen, put the path to the base of your source code on both the client and server. if there are other entry points, for example if you have a vhost pointing to a subdirectory of this code, you need to hit the 'Mappings' tab, and add those paths accordingly for both file and server filesystems. once you have all that setup, you should be pretty much ready. you just click that little icon at the bottom of ff w/ protoeditor running and *it should* jump you into a debug session when you pull up a page from your site. -nathan ---End Message--- ---BeginMessage--- hi, I hope this is the right group for this type of problem: I am using hash_hmac to provide me with a sha1 encoded hash string. The problem is as follows: $hash = hash_hmac('sha1', '030B6A05696E657400C54601C60001550187360603773500018707060373796E63000187340603687474703A2F2F772E73796E632E636F6D2F73796E630001C65901873A06032E2F636F6E7461637473000187070603436F6E74616374732044420001872E0603746578742F782D7663617264000101C6570187310603757365726E616D6500018732060370617373776F72640001010101', '1234'); Note: it is important the key to use during encoding id 1234 for this example. Result: eb38ffd597c6d1e01cd24a0e46dff426354510fe Using a hash calculator from slavasoft also yields this result, which indicate the encoding is fine. eb38ffd597c6d1e01cd24a0e46dff426354510fe However, Slavasoft's calculator has an option to provide the string as Text or Hex. Selecting hex yields this result: 9f9be99ea5bf5ba009af0a5c12021f420cb27652 and this is the string I need!!! So either hash_hmac function needs a way to let it know the string is of type hexor the string itself needs to be converted. I have tried some conversions on the string but to no avail. Anyone have any thoughts? 
---End Message---
---BeginMessage---
On Thu, Jul 24, 2008 at 12:50 AM, Leon du Plessis [EMAIL PROTECTED] wrote:

hi, I hope this is the right group for this type of problem: I am using hash_hmac to provide me with a sha1 encoded hash string. The problem is as follows:

$hash = hash_hmac('sha1', '030B6A05696E657400C54601C60001550187360603773500018707060373796E63000187340603687474703A2F2F772E73796E632E636F6D2F73796E630001C65901873A06032E2F636F6E7461637473000187070603436F6E74616374732044420001872E0603746578742F782D7663617264000101C6570187310603757365726E616D6500018732060370617373776F72640001010101', '1234');

Note: it is important the key to use during encoding is 1234 for this example. Result: eb38ffd597c6d1e01cd24a0e46dff426354510fe

Using a hash calculator from slavasoft also yields this result, which indicate the encoding is fine. eb38ffd597c6d1e01cd24a0e46dff426354510fe

However, Slavasoft's calculator has an option to provide the string as Text or Hex. Selecting hex yields this result: 9f9be99ea5bf5ba009af0a5c12021f420cb27652 and this is the string I need!!! So either hash_hmac function needs a way to let it know the string is of type hex or the string itself needs to be converted. I have tried some conversions on the string but to no avail. Anyone have any thoughts?

gotchu covered ;) found this on the web: http://www.pgregg.com/projects/php/code/hexstr.phps so then,

<?php
// Convert a hex string (spaces allowed) into the raw bytes it represents
function hexstr($hexstr)
{
    $hexstr = str_replace(' ', '', $hexstr);
    $retstr = pack('H*', $hexstr);
    return $retstr;
}

$hash = hash_hmac('sha1', hexstr( '030B6A05696E657400C54601C60001550187360603773500018707060373796E63000187340603687474703A2F2F772E73796E632E636F6D2F73796E630001C65901873A06032E2F636F6E7461637473000187070603436F6E74616374732044420001872E0603746578742F782D7663617264000101C6570187310603757365726E616D6500018732060370617373776F72640001010101'), '1234');
echo $hash;
?>
produc ---End Message--- ---BeginMessage--- On Thu, Jul 24, 2008 at 1:21 AM, Nathan Nobbe [EMAIL PROTECTED]wrote: On Thu, Jul 24, 2008 at 12:50 AM, Leon du Plessis [EMAIL PROTECTED] wrote: hi, I hope this is the right group for this type of problem: I am using hash_hmac to provide me with a sha1 encoded hash string. The problem is as follows: $hash = hash_hmac('sha1', '030B6A05696E657400C54601C60001550187360603773500018707060373796E63000187340603687474703A2F2F772E73796E632E636F6D2F73796E630001C65901873A06032E2F636F6E7461637473000187070603436F6E74616374732044420001872E0603746578742F782D7663617264000101C6570187310603757365726E616D6500018732060370617373776F72640001010101', '1234'); Note: it is important the key to use during encoding id 1234 for this example. Result: eb38ffd597c6d1e01cd24a0e46dff426354510fe Using a hash calculator from slavasoft also yields this result, which indicate the encoding is fine. eb38ffd597c6d1e01cd24a0e46dff426354510fe However, Slavasoft's calculator has an option to provide the string as Text or Hex. Selecting hex yields this result: 9f9be99ea5bf5ba009af0a5c12021f420cb27652
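The text-versus-hex difference discussed in the hash_hmac thread above, as an added example that is not part of any list message: the same hex transcript gives two different HMAC-SHA1 values depending on whether the MAC covers the hex characters or the bytes they encode, so both sides must agree on the byte form. The function names are hypothetical, the sample message is constructed from the first eight bytes of the thread's message, and hex2bin() and hash_equals() are assumed to be available (PHP 5.6 or later).

```php
<?php
declare(strict_types=1);

/**
 * Turn a hex transcript of a binary message into the bytes it represents.
 * Anything that is not an even-length run of hex digits is refused, so a
 * damaged transcript is rejected instead of being MACed in altered form.
 */
function decodeHexStrict(string $hex): string
{
    $hex = (string) preg_replace('/\s+/', '', $hex); // tolerate spacing only
    if ($hex === '' || strlen($hex) % 2 !== 0 || !ctype_xdigit($hex)) {
        throw new InvalidArgumentException('not a well-formed hex string');
    }
    return hex2bin($hex);
}

/** HMAC-SHA1 over the hex characters themselves (the calculator's "Text" mode). */
function macOverText(string $hex, string $key): string
{
    return hash_hmac('sha1', $hex, $key);
}

/** HMAC-SHA1 over the decoded bytes (the calculator's "Hex" mode). */
function macOverBytes(string $hex, string $key): string
{
    return hash_hmac('sha1', decodeHexStrict($hex), $key);
}

/** Check a received MAC against the byte-form MAC in constant time. */
function verifyMac(string $hex, string $key, string $receivedMac): bool
{
    return hash_equals(macOverBytes($hex, $key), strtolower(trim($receivedMac)));
}

// Constructed sample: first eight bytes of the thread's message, thread's key.
$message = '030B6A05696E6574';
$key     = '1234';

$textMac  = macOverText($message, $key);
$bytesMac = macOverBytes($message, $key);

printf("input length  : %d characters as text, %d bytes decoded\n",
    strlen($message), strlen(decodeHexStrict($message)));
printf("MAC over text : %s\n", $textMac);
printf("MAC over bytes: %s\n", $bytesMac);
printf("identical     : %s\n", hash_equals($textMac, $bytesMac) ? 'yes' : 'no');

// A receiver that MACs the bytes accepts the byte-form MAC only.
printf("verify byte-form MAC: %s\n", verifyMac($message, $key, $bytesMac) ? 'ok' : 'rejected');
printf("verify text-form MAC: %s\n", verifyMac($message, $key, $textMac) ? 'ok' : 'rejected');

// Malformed transcripts (odd length, non-hex digit, empty) are refused.
foreach (['030B6A0', '030B6A0G', ''] as $bad) {
    try {
        decodeHexStrict($bad);
        printf("%s: accepted\n", var_export($bad, true));
    } catch (InvalidArgumentException $e) {
        printf("%s: %s\n", var_export($bad, true), $e->getMessage());
    }
}
```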
php-general Digest 19 Jan 2003 03:23:15 -0000 Issue 1831
session timeout??? Hi gang Been trying to figure out this session stuff, but since I was unable to make the manual sample into something workable, I instead decided to actually try and make the session do what I need it for: Passing the URL of the caller page to the page that's being called. 1. Only I can't figure out if there's a function to just pull the current URL and plop it into a session variable. The thing is that these pages are all built by using a bunch of GET variables in the URL, so it would be easiest to just do something like: $_SESSION['mother'] = $currentURL; And then in the called, daughter, page do this: a href=?php echo(\$_SESSION['mother']\) ?Get back to where you came from/a As the only other way I've found is to have it use the string-functions and re-build the current URL throughout the if-tree that builds the page. I need to pass the mother URL to the daughter pages because there's two main entry-points into the daugther pages, and one of them can have 10-15 different states... But how do you pull the current url? ParseURL just smacks it into an array, and I'll then have to rebuild it anyway ... which makes it about just as simple as running it through the if-tree. Whether or not the session-id is inside the URL is not essential to me, but dunno if php cares about it. 2. Since the above is required to function at all times, I need to override the expiration time. I can't do it in the ini file, 'cause I can't modify the server where it's to run, and it's set to 0 there... (not sure if that means it expires right away, or not at all) Anyway to do this??? TIA Rene -- Rene Brehmer This message was written on 100% recycled spam. Come see! My brand new site is now online! http://www.metalbunny.net -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php ---End Message--- ---BeginMessage--- --- Cal Evans [EMAIL PROTECTED] wrote: I usually just pass this kind of info around on the URL. 
http://mypage.com/mypage.php?prevURL=http://mypage.com/lastpage.php if I have to pass a full query string then I urlencode() it first and urldecode() it on the other side. Just as a bit of advice, you should always URL encode any data you want to append to the URL like that. Also, decoding it is superfluous, because the Web server will do that for you (since URL data is supposed to be URL encoded). Chris ---End Message--- ---BeginMessage--- 1. You can create the current page with a combination of PHP_SELF, QUERY_STRING, etc... Take a look at a phpinfo() page to see all of the variables. 2. You can use ini_set() in your code to change the settings for your sessions or an .htaccess file if your on *nix. ---John W. Holmes... PHP Architect - A monthly magazine for PHP Professionals. Get your copy today. http://www.phparch.com/ -Original Message- From: -[ Rene Brehmer ]- [mailto:[EMAIL PROTECTED]] Sent: Saturday, January 18, 2003 11:04 AM To: [EMAIL PROTECTED] Subject: [PHP] 2 Qs: Passing current URL with session and how to avoid session timeout??? Hi gang Been trying to figure out this session stuff, but since I was unable to make the manual sample into something workable, I instead decided to actually try and make the session do what I need it for: Passing the URL of the caller page to the page that's being called. 1. Only I can't figure out if there's a function to just pull the current URL and plop it into a session variable. The thing is that these pages are all built by using a bunch of GET variables in the URL, so it would be easiest to just do something like: $_SESSION['mother'] = $currentURL; And then in the called, daughter, page do this: a href=?php echo(\$_SESSION['mother']\) ?Get back to where you came from/a As the only other way I've found is to have it use the string-functions and re-build the current URL throughout the if-tree that builds the page. 
I need to pass the mother URL to the daughter pages because there's two main entry-points into the daughter pages, and one of them can have 10-15 different states...

But how do you pull the current url? ParseURL just smacks it into an array, and I'll then have to rebuild it anyway ... which makes it about just as simple as running it through the if-tree. Whether or not the session-id is inside the URL is not essential to me, but dunno if php cares about it.

2. Since the above is required to function at all times, I need to override the expiration time. I can't do it in the ini file, 'cause I can't modify the server where it's to run, and it's set to 0 there... (not sure if that means it expires right away, or not at all)

Anyway to do this???

TIA

Rene
--
Rene Brehmer
This message was written on 100% recycled spam.
Come see! My brand new site is now online! http://www.metalbunny.net
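The approach discussed in this thread, as an added example that is not code from any of the posters: it builds the current URL from the server variables, keeps it in the session, and accepts a stored or `prevURL`-style value only when it is a local path, because a return link built from unchecked input can send the visitor to another site. The function names, the `DEFAULT_RETURN` fallback, the sample request and the lifetime value are assumptions.

```php
<?php
// Added example: function names, fallback path and sample values are assumptions.
declare(strict_types=1);

const DEFAULT_RETURN = '/index.php';

/** Current request as a site-relative URL (path plus query string). */
function current_relative_url(array $server): string
{
    // REQUEST_URI already holds path and query; otherwise combine PHP_SELF and QUERY_STRING.
    if (!empty($server['REQUEST_URI'])) {
        return $server['REQUEST_URI'];
    }
    $url = $server['PHP_SELF'] ?? '/';
    if (!empty($server['QUERY_STRING'])) {
        $url .= '?' . $server['QUERY_STRING'];
    }
    return $url;
}

/** Accept only local paths as a return target; anything else gets the fallback. */
function safe_return_url(?string $candidate, string $fallback = DEFAULT_RETURN): string
{
    if ($candidate === null || $candidate === '') {
        return $fallback;
    }
    // Control characters and backslashes are normalised by browsers in surprising ways.
    if (preg_match('/[\x00-\x1f\x7f\\\\]/', $candidate)) {
        return $fallback;
    }
    // Exactly one leading slash: "//host/..." and "http://host/..." leave the site.
    if ($candidate[0] !== '/' || ($candidate[1] ?? '') === '/') {
        return $fallback;
    }
    return $candidate;
}

/** Item 2 of the question: raise the lifetime from code, before session_start(). */
function start_long_session(int $seconds): void
{
    ini_set('session.gc_maxlifetime', (string) $seconds); // server-side data lifetime
    session_set_cookie_params($seconds);                  // cookie lifetime in the browser
    session_start();
}

/** Mother page: remember where the visitor is. */
function remember_mother(array $server, array &$session): void
{
    $session['mother'] = safe_return_url(current_relative_url($server));
}

/** Daughter page: re-check the value and escape it for the HTML attribute. */
function back_link(array $session): string
{
    $href = safe_return_url($session['mother'] ?? null);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8')
        . '">Get back to where you came from</a>';
}

/** Query-string variant: urlencode() on the way out; PHP decodes $_GET on the way in. */
function link_with_prev(string $target, string $prev): string
{
    return $target . '?prevURL=' . urlencode($prev);
}

if (PHP_SAPI === 'cli') {
    // Constructed sample request, not taken from the thread.
    $server = ['PHP_SELF' => '/list.php', 'QUERY_STRING' => 'cat=3&page=2'];
    $session = [];
    remember_mother($server, $session);
    echo back_link($session), "\n";
    echo link_with_prev('/detail.php', $session['mother']), "\n";
    foreach (['/list.php?cat=3', 'http://other.example/', '//other.example/x', '/\\other.example'] as $prev) {
        echo $prev, ' => ', safe_return_url($prev), "\n";
    }
}
```

In a web request, call `start_long_session()` at the top of both pages and pass `$_SERVER` and `$_SESSION` to the helpers.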
php-general Digest 28 Jul 2009 15:25:54 -0000 Issue 6254
In the ops case mysql_real_escape_string() is the correct tool for the job.

What about using prepared statements? This is my preferred method of escaping output when I'm using variables in a database query. Of course the ease and convenience of this method will depend to a great extent on what version of PHP is available on the server.

For the OP, have you read up much on SQL injection? If not, here's a decent place to start: http://www.owasp.org/index.php/SQL_injection

Ben

---End Message---
---BeginMessage---
Ben Dunlap wrote:

You can use http://us.php.net/mysql_real_escape_string to escape the input.

[8]

You should prep your data for insertion into the data by using a tool that formats it strictly for the database. In the ops case mysql_real_escape_string() is the correct tool for the job.

What about using prepared statements? This is my preferred method of escaping output when I'm using variables in a database query. Of course the ease and convenience of this method will depend to a great extent on what version of PHP is available on the server.

For the OP, have you read up much on SQL injection? If not, here's a decent place to start: http://www.owasp.org/index.php/SQL_injection

Ben

Prepared statements are what I use.

-=-

The problem I have with htmlentities is that the entities are only guaranteed for html. Many of the entities do not work in other sgml or xml applications, it is better to just use the numbered entity (IE &#160; for a non breaking space) or for things like smart quotes, possessive apostrophes, etc. - the proper utf8 character directly (make sure to serve document as utf8 encoded and that your database is set to utf8)

I found that out the hard way, and had to redo a lot of stuff where I previously used the php htmlentities function. Using the function to spit out html is fine, but to write functions / classes you can re-use in non html documents, you should avoid it altogether.
---End Message---
---BeginMessage---
Hi,

Is there a possibility that if there is no font installed on client side somehow browser finds it and redirect that font from server to client machine. For example: I have site that use Microsoft font and that font is not available on Linux distributions. So when u open page in FF on some Linux u get some default font (because browser doesn't recognize that font). I hope that I've managed to explain a problem :-)

Does anyone have any solution for this problem??? Please it's very urgent

Thanks,
Dusan

--
made by Dusan

---End Message---
---BeginMessage---
On Tue, 2009-07-28 at 12:07 +0200, Dušan Novaković wrote:

Hi,

Is there a possibility that if there is no font installed on client side somehow browser finds it and redirect that font from server to client machine. For example: I have site that use Microsoft font and that font is not available on Linux distributions. So when u open page in FF on some Linux u get some default font (because browser doesn't recognize that font). I hope that I've managed to explain a problem :-)

Does anyone have any solution for this problem??? Please it's very urgent

Thanks,
Dusan

--
made by Dusan

Basically that's a big no. At the moment, there is no cross-browser way to determine if a font is installed on an end system. The best you can do is to use either a graphic in-place of the text, or use something like siFr. Both of these methods are only suitable for headings though.

Have you looked at what standard fonts are available to you? The list at http://www.ampsoft.net/webdesign-l/WindowsMacFonts.html is quite good at showing these. You can use CSS to give fallback fonts in order of what you prefer.

There are meant to be plans on how to handle these sorts of situations in CSS3 though, but you may have to wait a year for the browsers to adopt!
Thanks,
Ash
http://www.ashleysheridan.co.uk

---End Message---
---BeginMessage---
2009/7/28 Dušan Novaković ndu...@gmail.com:

Hi,

Is there a possibility that if there is no font installed on client side somehow browser finds it and redirect that font from server to client machine. For example: I have site that use Microsoft font and that font is not available on Linux distributions. So when u open page in FF on some Linux u get some default font (because browser doesn't recognize that font). I hope that I've managed to explain a problem :-)

Does anyone have any solution for this problem??? Please it's very urgent

Not really, no. The choice of font is up to the user's browser.

However, you can, with CSS, set some basic parameters. If, say, you want to ensure that the users sees a sans-serif font on their browser, you can use:

font-family: arial, helvetica, verdana, sans-serif

This basically says, ensure that the browser uses arial; if arial isn't available, use helvetica; if helvetica isn't available, use verdana; and if verdana isn't available, use whatever sans-serif font the user has installed
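The prepared-statement approach from the SQL injection thread earlier in this digest, as an added example that is not code from any of the posters: the same lookup written with the value pasted into the SQL text and with a bound parameter, plus the case a placeholder cannot cover (a column name), which goes slightly beyond what the thread discusses. PDO with an in-memory SQLite database stands in for MySQL so the script runs on its own; the schema, data and function names are constructed.

```php
<?php
// Added example: schema, data and function names are constructed for illustration.
declare(strict_types=1);

function demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
    $pdo->exec("INSERT INTO users (name, role) VALUES
        ('alice', 'admin'), ('bob', 'user'), ('O''Brien', 'user')");
    return $pdo;
}

/** Before: the value becomes part of the SQL text, so it can change the statement. */
function find_concatenated(PDO $pdo, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

/** After: the statement text is fixed; the value travels separately as a parameter. */
function find_prepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

/** Placeholders bind values only; a column name has to come from an allow-list. */
function list_sorted(PDO $pdo, string $prefix, string $sortBy): array
{
    $columns = ['name' => 'name', 'role' => 'role'];
    $column = $columns[$sortBy] ?? 'name';
    // Escape LIKE wildcards so % and _ typed by the user match literally.
    $pattern = addcslashes($prefix, '\\%_') . '%';
    $stmt = $pdo->prepare(
        "SELECT name FROM users WHERE name LIKE :p ESCAPE '\\' ORDER BY $column"
    );
    $stmt->execute([':p' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

if (PHP_SAPI === 'cli') {
    $pdo = demo_db();
    $input = "x' OR '1'='1"; // constructed input containing quote characters

    echo "concatenated: ", json_encode(find_concatenated($pdo, $input)), "\n";
    echo "prepared:     ", json_encode(find_prepared($pdo, $input)), "\n";
    // An ordinary name with an apostrophe needs no escaping when it is bound.
    echo "apostrophe:   ", json_encode(find_prepared($pdo, "O'Brien")), "\n";
    // An unknown sort key is ignored instead of reaching the SQL text.
    echo "sorted:       ", json_encode(list_sorted($pdo, 'a', 'role; --')), "\n";
}
```

Comparing the first two output lines shows the difference: the concatenated query treats the quote characters as SQL, the prepared one treats the whole input as a name.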
php-general Digest 5 May 2012 22:35:42 -0000 Issue 7802
Topics (messages 317793 through 317804):

Re: Calculating driving distance between UK postcodes
    317793 by: tamouse mailing lists

Re: function
    317794 by: tamouse mailing lists
    317797 by: Jim Giner
    317801 by: tamouse mailing lists
    317802 by: tamouse mailing lists

Re: PHP Emacs
    317795 by: tamouse mailing lists

Re: Retrieve pages from an ASP driven site
    317796 by: tamouse mailing lists

Re: Running through an enormous SQL file
    317798 by: Brian Dunning
    317800 by: tamouse mailing lists

Re: get content rss feed
    317799 by: tamouse mailing lists

Re: code deployment through php
    317803 by: tamouse mailing lists

Re: PHP Database Problems -- Code Snippets
    317804 by: Matijn Woudt

Administrivia:

To subscribe to the digest, e-mail: php-general-digest-subscr...@lists.php.net
To unsubscribe from the digest, e-mail: php-general-digest-unsubscr...@lists.php.net
To post to the list, e-mail: php-gene...@lists.php.net

--
---BeginMessage---
On Fri, May 4, 2012 at 9:18 AM, Terry Ally (Gmail) terrya...@gmail.com wrote:

Google works in Javascript extensively - not a language with which I have in-depth experience hence my reason for asking for PHP solution.

For example the following will get me a JSON output with the distance in Kms and time. I don't know how to get PHP to read this information and extract just the distance. I need the distance so that I can calculate cost of a trip.

<form id="google" action="http://maps.googleapis.com/maps/api/distancematrix/json" method="get">
<input type="text" name="origins" value="" />
<input type="text" name="destinations" value="" />
<input type="hidden" name="sensor" value="false">
<input type="hidden" name="submitted" value="1">
<br><a type="submit" onClick="document.getElementById('google').submit()"><strong><strong>Get Distance</strong></strong></a>
</form>

Using Google Maps API is pretty straight-forward. You don't need to set up a form or a use a POST to get the info.
This page should describe how to use a standard GET query to get the info you want: https://developers.google.com/maps/documentation/distancematrix/

Setting up the proper URL to call, you can activate it using file_get_contents provided you have allow_url_fopen set to true in php.ini. (Do make sure to check for possible errors returned.)

You can get the response back as either JSON or XML, both of which PHP can parse into useful data structures:

http://us.php.net/manual/en/function.json-decode.php
http://us.php.net/manual/en/book.simplexml.php

---End Message---
---BeginMessage---
On Thu, May 3, 2012 at 9:12 PM, Ron Piggott ron.pigg...@actsministries.org wrote:

I need to access a FUNCTION I programmed within a different FUNCTION. Are these able to be passed like a variable? Or are they able to become like a $_SESSION variable in nature? How am I able to do this?

I am essentially programming:

===
function name( $flag1, $flag2 ) {
    # some PHP
    echo name_of_a_different_function( $flag1 , $flag2 );
}
===

The error I am receiving is “Call to undefined function name_of_a_different_function”

Where is name_of_a_different_function defined? If it is somewhere in the same file as name, that shouldn't be a problem, provided it is defined in the same namespace/scope as name. If it is defined in a different file, you need to include that file before you make the echo statement.

For example:

function func1 ($flag1, $flag2) {
    # blah blah
    echo func2($flag1, $flag2);
}

function func2 ($flag1, $flag2) {
    # blah blah
    return 'some string value';
}

in the same file should be just fine. It doesn't really matter what order func1 and func2 are declared in.
However, if func2 is defined in some_other_file.php, you need to include it in this_file.php (where func1 is defined) first:

this_file.php:

include('some_other_file.php');

function func1 ($flag1, $flag2) {
    # blah blah
    echo func2 ($flag1, $flag2);
}

some_other_file.php:

function func2 ($flag1, $flag2) {
    # blah blah
    return 'some string value';
}

If func2 is a method for an object/class, you'll have to access it that way in func1:

this_file.php:

include('MyClass.php');

function func1 ($flag1, $flag2) {
    # blah blah, instantiate object?
    $myobj = new MyClass();
    echo $myobj->func2 ($flag1, $flag2);
}

MyClass.php:

class MyClass {
    function func2 ($flag1, $flag2) {
        # blah blah
        return 'some string value';
    }
}

---End Message---
---BeginMessage---
But the OP says function is defined inside a different function. Your theories to a solution don't fit that problem.

tamouse mailing lists tamouse.li...@gmail.com wrote in message news:cahuc_t-416_-lpcn3mo8qqxwrh4pnq5fmwouhwpdk+hmkgh...@mail.gmail.com...

On Thu, May 3, 2012 at 9:12 PM, Ron Piggott ron.pigg...@actsministries.org wrote:

Where
php-general Digest 24 Nov 2007 16:38:40 -0000 Issue 5145
encoding I choose (IE and FF switch automatically to UTF-8 as per the page metatag and content-type header) I get funny characters at http://se.php.net/manual/sv/ref.dir.php, I don't know if this is because of the default browser font, because I've tried several ones. My system is Windows XP SP2 Spanish version, but I don't think that's the cause either as it is up to date, and I have even installed support for right to left writing...

Ok, I know I can just use wget, save the result and open it in a binary editor to see what are the actual bytes and check for the encoding (I won't... I'm kind of lazy today :D )

Regarding your question, I have these functions I copied from the notes to the extended CHM version of the PHP manual, they are at the mb_convert_encoding function reference and should be in the online version of the manual as well (won't check it... too lazy, I told you)...

[snip]
volker at machon dot biz (25-Sep-2007 05:05)

Hey guys. For everybody who's looking for a function that is converting an iso-string to utf8 or an utf8-string to iso, here's your solution:

public function encodeToUtf8($string) {
    return mb_convert_encoding($string, "UTF-8", mb_detect_encoding($string, "UTF-8, ISO-8859-1, ISO-8859-15", true));
}

public function encodeToIso($string) {
    return mb_convert_encoding($string, "ISO-8859-1", mb_detect_encoding($string, "UTF-8, ISO-8859-1, ISO-8859-15", true));
}

For me these functions are working fine. Give it a try
[/snip]

The first thing to test for would be if the directory/filesystem functions are retrieving data encoded in ISO-8859-1 or not (I guess it depends on the OS, but you might know better), otherwise mb_convert_encoding would act like double escaping or double urlencoding (a known issue for all of us, ha?). That's why encodeToUtf8 uses mb_detect_encoding first... anyway, I wonder if mb_detect_encoding can guarantee you anything other than the byte stream of data being valid in the given character set(s).

So...
what do you think, did you get any further results about this? And also, do you have any code sample you are working on to share?

Regards,

Rob

Andrés Robinet | Lead Developer | BESTPLACE CORPORATION
5100 Bayview Drive 206, Royal Lauderdale Landings, Fort Lauderdale, FL 33308 | TEL 954-607-4207 | FAX 954-337-2695 | Email: [EMAIL PROTECTED] | MSN Chat: [EMAIL PROTECTED] | SKYPE: bestplace | Web: bestplace.biz | Web: seo-diy.com

---End Message---
---BeginMessage---
Hi Rob, et al.:

- Original Message -
From: Andrés Robinet [EMAIL PROTECTED]

-Original Message-
From: Jon Westcot [mailto:[EMAIL PROTECTED]

:: gigantic snip here::

So, long story short (oops -- too late!), what's the consensus among the learned assembly here? Is it faster to just UPDATE the record if it already exists regardless of the fact that maybe only one or two out of 75 or more fields changed versus testing each one of those 75 fields to try and figure out which ones actually changed and then only update those?

I look forward to reading all of your thoughts.

Sincerely,

Jon

I don't know about consensus over here because I'm kind of newgie (stands for new geek, as opposed to newbie which stands for new ball breaker :D :D ). I don't know of your previous messages but I can tell you one story...

Some time ago I got involved in a project that required geo-distance calculation (you know distance between two points with latitude and longitude). Basically I had to take a set of points and calculate the distance of each of those points to a given (reference) one. The math was something like the square root of the sum of a constant times the square sin of... well, I can't remember it, but the point is, it was a complicated formula, which I thought it would allow for some optimizations in PHP.

Accustomed to regular (compiled) programming languages I developed a set of routines to optimize the task and went ahead and queried the database for the (say, 1000 records) dataset of points.
Then applied the math to the points and the reference point and got the result... in about 5 minutes to my (disgusting) surprise.

Then I grabbed the MySQL manual, built a non-optimized version of the formula to put directly in the SQL query and get the shortest distance (which was my goal in the end) calculated by MySQL right away. I thought ok, I'll prepare a cup of coffee to wait for MySQL to finish the calculation. To my surprise the query returned the expected result in less than 2 seconds.

My logic was (wrongly) the following: PHP is a programming language, SQL is a data access language; I'll get the data using MySQL and do the math using PHP. But I forgot PHP is an interpreted language, that a number is more than a number to PHP, but a ZVAL_whatever object behind the scenes. I forgot about the memory and the time required to build those objects when one retrieves data out of a database server. I forgot about parsing
php-general Digest 19 May 2002 14:18:19 -0000 Issue 1354
    ;
    }
}
xml_parser_free($xml_parser);

for ($i = 0; $i < $item_counter; $i++) {
    printf("<a href=\"%s\">%s</a> - %s<br>\n",
        $fm_headlines_data[$i]['link'],
        $fm_headlines_data[$i]['title'],
        $fm_headlines_data[$i]['description']
    );
}
?>

---End Message---
---BeginMessage---
In article [EMAIL PROTECTED], [EMAIL PROTECTED] (Jason Caldwell) wrote:

Here's my code:

<?php
set_time_limit(1);

function clean_up() {
    if (connection_status() & TIMEOUT)
        print("Script timed out.\n");
}

register_shutdown_function("clean_up");

while(1);
?>

Here's the message I get: (I should get Script timed out.)

No, you shouldn't/wouldn't, because--as is noted in the docs http://php.net/register-shutdown-function --no more output (print is specifically mentioned as an example) can be sent to the browser at that stage. Try sending yourself an email, or logging to a file instead.

--
CC

---End Message---
---BeginMessage---
It doesn't matter. I'm setting the output *not* to the browser, but to the command shell, where I am running the script from.

If you look at the errors, you'll see 2 of them, one points to line 7, where the IF() command is -- the script terminates there... I've put error_log() and exec() functions in place of the print() function -- it doesn't make a difference -- the script just won't execute the function in the register_shutdown_function() --

The following script works great (see below) -- it seems that for some reason it's a TIMEOUT issue (bug). Running the script below, I will get the output of the print() function -- as stated, from the command line. I understand that it wouldn't show up in the browser.

If I replace the exit; command with say a while(1); where the script will loop indefinitely, the timeout, set by the set_time_limit(1) will stop the script, but again -- register_shutdown_function() seems to want to work as the function IS CALLED, but NEVER executed, and instead errors on the 1st line in the FUNCTION -- always on a TIMEOUT.

Run this script from your command line (ie.
C:php test.php) -- then change the set_time_limit(30) to set_time_limit(1), and replace the exit with a while(1) -- run the script again, you'll see what I mean. And, if you still don't believe me, replace the print() in the function with error_log('Script Terminated', 3, 'errorlog.txt'); and see if the errorlog.txt file is ever created -- it isn't.

<?php
set_time_limit(30);

function clean_up() {
    print("Script Terminated");
}

register_shutdown_function("clean_up");

exit;
?>

If anyone can offer any reason why it's doing this, please help -- thanks.

Jason

Cc Zona [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

In article [EMAIL PROTECTED], [EMAIL PROTECTED] (Jason Caldwell) wrote:

Here's my code:

<?php
set_time_limit(1);

function clean_up() {
    if (connection_status() & TIMEOUT)
        print("Script timed out.\n");
}

register_shutdown_function("clean_up");

while(1);
?>

Here's the message I get: (I should get Script timed out.)

No, you shouldn't/wouldn't, because--as is noted in the docs http://php.net/register-shutdown-function --no more output (print is specifically mentioned as an example) can be sent to the browser at that stage. Try sending yourself an email, or logging to a file instead.

--
CC

---End Message---
---BeginMessage---
I just upgraded from 4.1.1 to 4.2.1 -- didn't fix the problem. I'd be curious to know if other Windows users are having the same problem.

Thanks.
Jason

---End Message---
---BeginMessage---
Is there any way to ask the user to type the value of a variable from stdin ? (like read in Pascal, or scanf in C). I'm using PHP from command line.

Thanks

Rafael Perazzo

---End Message---
---BeginMessage---
On Sat, 18 May 2002, Rafael Perazzo wrote:

Is there any way to ask the user to type the value of a variable from stdin ? (like read in Pascal, or scanf in C). I'm using PHP from command line.

<?php
$f = fopen('php://stdin', 'r'); // this line answers your question
while ($l = fgets($f, 100))
    print strtoupper($l);
fclose($f);
?>

miguel

---End Message---
---BeginMessage---
I have the following code for a mySQL query in php:

$text = "sort_text";
$query = "SELECT code FROM links ORDER BY $text WHERE ".$text." like '".$l."%'";
$result = mysql_query($query) or die("Query failed");

When I do the query I get Query failed. When I remove the sort parameter they are all printed correctly (except the fact they aren't in alphabetical order)

I am a newbie so be nice.

Any Ideas?

JJ Harrison
[EMAIL PROTECTED]
www.tececo.com

---End Message---
---BeginMessage---
Wel
php-general Digest 12 May 2010 16:09:15 -0000 Issue 6740
Topics (messages 305109 through 305128):

Re: PHP Application Structre
    305109 by: Kevin Kinsey
    305111 by: Peter Lind
    305124 by: Paul M Foster
    305125 by: Kevin Kinsey
    305126 by: Peter Lind
    305127 by: Peter Lind

Re: 2D barcodes
    305110 by: Manuel Lemos

Re: PHP Encoder like IonCube
    305112 by: Pete Ford
    305114 by: Pete Ford
    305115 by: shiplu
    305116 by: Peter Lind
    305118 by: Pete Ford
    305120 by: shiplu
    305122 by: Peter Lind

Re: regexp questions
    305113 by: Ford, Mike
    305128 by: Spud. Ivan.

Re: __call and recursion
    305117 by: Richard Quadling
    305119 by: Lawrance Shepstone

Generating PHP from WSDL
    305121 by: Gary .
    305123 by: Richard Quadling

Administrivia:

To subscribe to the digest, e-mail: php-general-digest-subscr...@lists.php.net
To unsubscribe from the digest, e-mail: php-general-digest-unsubscr...@lists.php.net
To post to the list, e-mail: php-gene...@lists.php.net

--
---BeginMessage---
Ashley Sheridan wrote:

On Tue, 2010-05-11 at 08:48 +0530, chetan rane wrote:

Hi all,

mod rewrite was actually introduced to have search engine friendly urls. hence if you want a seo site then you have to use options 1 & 2. using smarty or any templating engine for readability is not totally true. one of the major advantages of using template engines is caching

I've read some (disparaging?) comments on option 2, but I've got a question, or point, about that. I'm not at all sure that you have to use mod_rewrite at all, can't you just use a FORCETYPE directive on your handler script(s)? I've certainly got some work in the form:

somesite.com/scriptname/var1/var2/var3

that seems to work well with no use of the rewrite module.

Aside from the fact that I've yet to find any actual evidence that search engines treat what most people consider 'search engine friendly' urls any different from the 'unfriendly dynamic' ones. Next time you search for something online have a look at the URLs and see how many belong to forums with dynamic URLs.
More than you'd think I would imagine, but it does go a long way to prove that most search engines don't give much credence to the URL these days. Of course, it does help if your keywords are in the URL, but I've not noticed much of a difference between:

somesite.com/page-about-subject

and

somesite.com/?page=page-about-subject

I think that this may be an artifact of an earlier time. There was a time when SE's didn't do so well with query strings, but it'd be a little silly to think their owners didn't realize this and left things exactly the way they were back in 2002 ... wouldn't it?

My $0.02,

Kevin Kinsey

---End Message---
---BeginMessage---
On 12 May 2010 07:10, Kevin Kinsey k...@daleco.biz wrote:

Ashley Sheridan wrote:

On Tue, 2010-05-11 at 08:48 +0530, chetan rane wrote:

Hi all,

mod rewrite was actually introduced to have search engine friendly urls. hence if you want a seo site then you have to use options 1 & 2. using smarty or any templating engine for readability is not totally true. one of the major advantages of using template engines is caching

I've read some (disparaging?) comments on option 2, but I've got a question, or point, about that. I'm not at all sure that you have to use mod_rewrite at all, can't you just use a FORCETYPE directive on your handler script(s)? I've certainly got some work in the form:

somesite.com/scriptname/var1/var2/var3

that seems to work well with no use of the rewrite module.

And why wouldn't you want to use mod_rewrite? It's an extremely powerful tool that does the job really well.
Regards
Peter

--
<hype>
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
Flickr: http://www.flickr.com/photos/fake51
BeWelcome: Fake51
Couchsurfing: Fake51
</hype>

---End Message---
---BeginMessage---
On Wed, May 12, 2010 at 10:16:04AM +0200, Peter Lind wrote:

On 12 May 2010 07:10, Kevin Kinsey k...@daleco.biz wrote:

Ashley Sheridan wrote:

On Tue, 2010-05-11 at 08:48 +0530, chetan rane wrote:

Hi all,

mod rewrite was actually introduced to have search engine friendly urls. hence if you want a seo site then you have to use options 1 & 2. using smarty or any templating engine for readability is not totally true. one of the major advantages of using template engines is caching

I've read some (disparaging?) comments on option 2, but I've got a question, or point, about that. I'm not at all sure that you have to use mod_rewrite at all, can't you just use a FORCETYPE directive on your handler script(s)? I've certainly got some work in the form:

somesite.com/scriptname/var1/var2/var3

that seems to work well with no use of the rewrite module.

And why wouldn't you