[PHP] HELP !!!!! PHP SOAP Not building objects correctly

2008-05-16 Thread Tim Traver

Hi all,

sorry for the cross post to the general PHP list as well as the SOAP PHP 
list, but I'm a little bit desperate...


Ok, for some reason when I am sending the proper objects to the 
__soapCall method, it is not including those objects in the XML call 
itself...


I am using PHP 5.2.6 now after using 5.2.5 and thinking this may be 
fixed in an upgrade, but it is not...


ok, here is a dump of the object I am sending the __soapCall method as 
an argument :


[struct] => CreateCustomerPaymentProfile Object
(
    [merchantAuthentication] => MerchantAuthenticationType Object
    (
        [name] => x
        [transactionKey] => xx
    )
    [customerProfileId] => 181854
    [paymentProfile] => CustomerPaymentProfileType Object
    (
        [payment] => PaymentSimpleType Object
        (
            [creditCard] => CreditCardType Object
            (
                [cardNumber] =>
                [expirationDate] => -XX
            )
        )
        [customerType] => individual
        [billTo] => CustomerAddressType Object
        (
            [firstName] => Tim
            [lastName] => Traver
        )
    )
    [validationMode] => none
)

And here is the call that is generated :
[__last_request] => <?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ns1="https://api.authorize.net/soap/v1/">

<SOAP-ENV:Body>
 <ns1:CreateCustomerPaymentProfile>
   <ns1:merchantAuthentication>
     <ns1:name></ns1:name>
     <ns1:transactionKey></ns1:transactionKey>
   </ns1:merchantAuthentication>
   <ns1:customerProfileId>181854</ns1:customerProfileId>
   <ns1:paymentProfile>
     <ns1:customerType>individual</ns1:customerType>
     <ns1:billTo>
       <ns1:firstName>Tim</ns1:firstName>
       <ns1:lastName>Traver</ns1:lastName>
     </ns1:billTo>
     <ns1:payment/>
   </ns1:paymentProfile>
   <ns1:validationMode>none</ns1:validationMode>
 </ns1:CreateCustomerPaymentProfile>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

As you can see, all of the object variables are created correctly, 
except that the payment object is not. It is simply represented by 
<ns1:payment/> and has no start, and no variables that were sent in the 
object.


This is very strange, and I can't figure out where to look to try and 
solve this problem, but it is a very big problem.


I have tried to change the order of the objects, what the actual values 
of the objects are, but I'm now banging my head as to why the soap 
construction is not including these values...


Any help would be greatly appreciated,

Tim.







Re: [PHP] HELP !!!!! PHP SOAP Not building objects correctly

2008-05-16 Thread Tim Traver

Nathan Nobbe wrote:
On Fri, May 16, 2008 at 1:04 PM, Tim Traver [EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED] wrote:


Hi all,

sorry for the cross post to the general PHP list as well as the
SOAP PHP list, but I'm a little bit desperate...

Ok, for some reason when I am sending the proper objects to the
__soapCall method, it is not including those objects in the XML
call itself...

I am using PHP 5.2.6 now after using 5.2.5 and thinking this may
be fixed in an upgrade, but it is not...

ok, here is a dump of the object I am sending the __soapCall
method as an argument :

[struct] => CreateCustomerPaymentProfile Object
(
    [merchantAuthentication] => MerchantAuthenticationType Object
    (
        [name] => x
        [transactionKey] => xx
    )
    [customerProfileId] => 181854
    [paymentProfile] => CustomerPaymentProfileType Object
    (
        [payment] => PaymentSimpleType Object
        (
            [creditCard] => CreditCardType Object
            (
                [cardNumber] =>
                [expirationDate] => -XX
            )
        )
        [customerType] => individual
        [billTo] => CustomerAddressType Object
        (
            [firstName] => Tim
            [lastName] => Traver
        )
    )
    [validationMode] => none
)

And here is the call that is generated :
[__last_request] => <?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ns1="https://api.authorize.net/soap/v1/">
<SOAP-ENV:Body>
 <ns1:CreateCustomerPaymentProfile>
   <ns1:merchantAuthentication>
     <ns1:name></ns1:name>
     <ns1:transactionKey></ns1:transactionKey>
   </ns1:merchantAuthentication>
   <ns1:customerProfileId>181854</ns1:customerProfileId>
   <ns1:paymentProfile>
     <ns1:customerType>individual</ns1:customerType>
     <ns1:billTo>
       <ns1:firstName>Tim</ns1:firstName>
       <ns1:lastName>Traver</ns1:lastName>
     </ns1:billTo>
     <ns1:payment/>
   </ns1:paymentProfile>
   <ns1:validationMode>none</ns1:validationMode>
 </ns1:CreateCustomerPaymentProfile>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

As you can see, all of the object variables are created correctly,
except that the payment object is not. It is simply represented
by <ns1:payment/> and has no start, and no variables that were
sent in the object.

This is very strange, and I can't figure out where to look to try
and solve this problem, but it is a very big problem.

I have tried to change the order of the objects, what the actual
values of the objects are, but I'm now banging my head as to why
the soap construction is not including these values...

Any help would be greatly appreciated,

Tim.


first thing that comes to mind, the SoapClient::__call() method is 
deprecated.  have you tried using the SoapClient instance directly?  
for example, if you are in WSDL mode and the wsdl defines a method 
doStuff(), you can use a SoapClient instance $sc as $sc->doStuff().  i 
would try that and see what happens.


-nathan

Thanks for the response Nathan, but that doesn't appear to change 
anything...


I'm just super confused as to why it would leave an entire object out of 
the tree that it is sending...


Anyone else have any suggestions???

Tim.



[PHP] PHP SOAP Client formats

2008-01-09 Thread Tim Traver

Hi all,

ok, I am a little bit new to the SOAP game, but I understand it, and am 
using it to talk to an outside API.


The problem that I have is that the server that I am talking to (that is 
not in my control), will accept the following SOAP call


<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Body>
   <AuthenticateTest xmlns="https://api.authorize.net/soap/v1/">
     <merchantAuthentication>
       <name>name</name>
       <transactionKey>string</transactionKey>
     </merchantAuthentication>
   </AuthenticateTest>
 </soap:Body>
</soap:Envelope>


But it refuses a call that I have made using the SOAPClient PHP classes 
that look like this :


<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" 
xmlns:ns1="https://api.authorize.net/soap/v1/">
 <SOAP-ENV:Body>
   <ns1:AuthenticateTest>
     <merchantAuthentication>
       <name>name</name>
       <transactionKey>string</transactionKey>
     </merchantAuthentication>
   </ns1:AuthenticateTest>
 </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

It appears that the one that PHP creates is all in line with all of the 
latest standards, and I know that the server is a Microsoft IIS server.


Does anyone know any parameters that I can use with the PHP SOAP client 
that could help me construct the request like the top one???


I don't want to have to build the text myself, and open a socket and 
send the text manually like I did to verify that the top one works, and 
the bottom one doesn't.


Thanks,

Tim.
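
Added example, not part of the original post: resolving every element inside the SOAP Body of the two envelopes above to its namespace shows that the accepted request puts the child elements in the https://api.authorize.net/soap/v1/ namespace through the default xmlns declaration, while the SoapClient-generated request qualifies only AuthenticateTest. The function name qualifiedNames() is hypothetical; the credentials are the placeholders from the post.

```php
<?php
// Added example: compare the namespace each Body element resolves to in the
// accepted envelope and in the one SoapClient generated.

$accepted = <<<'XML'
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema"
               xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <AuthenticateTest xmlns="https://api.authorize.net/soap/v1/">
      <merchantAuthentication>
        <name>name</name>
        <transactionKey>string</transactionKey>
      </merchantAuthentication>
    </AuthenticateTest>
  </soap:Body>
</soap:Envelope>
XML;

$generated = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
                   xmlns:ns1="https://api.authorize.net/soap/v1/">
  <SOAP-ENV:Body>
    <ns1:AuthenticateTest>
      <merchantAuthentication>
        <name>name</name>
        <transactionKey>string</transactionKey>
      </merchantAuthentication>
    </ns1:AuthenticateTest>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
XML;

/**
 * Return "{namespace-uri}localName" for every element inside the SOAP Body,
 * in document order. Prefix spelling (soap: vs SOAP-ENV:) is irrelevant here;
 * only the namespace URI an element resolves to is compared.
 */
function qualifiedNames(string $xml): array
{
    $doc = new DOMDocument();
    // LIBXML_NONET: never fetch external entities or DTDs while parsing.
    if (!$doc->loadXML($xml, LIBXML_NONET)) {
        throw new InvalidArgumentException('envelope is not well-formed XML');
    }
    $xpath = new DOMXPath($doc);
    $xpath->registerNamespace('s', 'http://schemas.xmlsoap.org/soap/envelope/');

    $names = [];
    foreach ($xpath->query('//s:Body//*') as $element) {
        // namespaceURI is null for an element that is in no namespace.
        $names[] = '{' . ($element->namespaceURI ?? '') . '}' . $element->localName;
    }
    return $names;
}

$left  = qualifiedNames($accepted);
$right = qualifiedNames($generated);

// Both envelopes carry the same four Body elements, so compare pairwise.
foreach ($left as $i => $name) {
    $verdict = ($name === $right[$i]) ? 'same' : 'DIFFERENT';
    printf("%-9s accepted=%s\n          generated=%s\n", $verdict, $name, $right[$i]);
}
```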



Re: [PHP] PHP SOAP Client formats

2008-01-09 Thread Tim Traver

Bastien,

Thank you for answering, but the issue is that the PHP SOAPClient 
classes actually create that xml to send, so I have no control over the 
xml that is sent with a call command to the SOAP object...


I just wondered if there were any flags that I am missing that might 
bring the php stuff in line with what the server expects.


I want to use PHP's built in classes for this so I don't have to 
manually send xml to the api...


Thanks,

Tim.


Bastien Koert wrote:
XML is case sensitive. I notice the case of the xml is different. Try 
making the PHP created xml the same case.
 
Bastien


 Date: Wed, 9 Jan 2008 13:54:36 -0800
 From: [EMAIL PROTECTED]
 To: php-general@lists.php.net
 Subject: [PHP] PHP SOAP Client formats

 Hi all,

 ok, I am a little bit new to the SOAP game, but I understand it, and am
 using it to talk to an outside API.

 The problem that I have is that the server that I am talking to (that is
 not in my control), will accept the following SOAP call

 <?xml version="1.0" encoding="utf-8"?>
 <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
 xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Body>
 <AuthenticateTest xmlns="https://api.authorize.net/soap/v1/">
 <merchantAuthentication>
 <name>name</name>
 <transactionKey>string</transactionKey>
 </merchantAuthentication>
 </AuthenticateTest>
 </soap:Body>
 </soap:Envelope>


 But it refuses a call that I have made using the SOAPClient PHP classes
 that look like this :

 <?xml version="1.0" encoding="UTF-8"?>
 <SOAP-ENV:Envelope
 xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:ns1="https://api.authorize.net/soap/v1/">
 <SOAP-ENV:Body>
 <ns1:AuthenticateTest>
 <merchantAuthentication>
 <name>name</name>
 <transactionKey>string</transactionKey>
 </merchantAuthentication>
 </ns1:AuthenticateTest>
 </SOAP-ENV:Body>
 </SOAP-ENV:Envelope>

 It appears that the one that PHP creates is all in line with all of the
 latest standards, and I know that the server is a Microsoft IIS server.

 Does anyone know any parameters that I can use with the PHP SOAP client
 that could help me construct the request like the top one???

 I don't want to have to build the text myself, and open a socket and
 send the text manually like I did to verify that the top one works, and
 the bottom one doesn't.

 Thanks,

 Tim.






Re: [PHP] PHP SOAP Client formats

2008-01-09 Thread Tim Traver



Nathan Nobbe wrote:

On Jan 9, 2008 10:45 PM, Tim Traver [EMAIL PROTECTED] wrote:

  

Bastien,
I want to use PHP's built in classes for this so I don't have to
manually send xml to the api...




writing the xml by hand would be madness...

i didnt want to spend all night screwing around w/ it, since i dont have
any credentials to test w/, but if you look on the auth.net website you
will see they have a robust api in several languages, including php,
that happens to use the SoapClient class from php5.

there is a nice manual,
http://www.authorize.net/support/CIM_SOAP_guide.pdf
in it i found the service call you have mentioned in your initial post,
at that point in the document is a link to sample code
http://developer.authorize.net/dscode/php_cim.zip
which should have everything you need to interact w/ the auth.net
services in php (at a cursory glance).

-nathan

  

Hey Nathan,

Thanks...that's actually really funny, because they must have put the 
PHP sample code for the CIM method in there within the last week, 
because that was why I was writing my own SOAP stuff to interact with 
them (using those manuals)...


The issue that I ended up running in to was that the SOAP calls I was 
making were getting errors back, and I couldn't get anyone from 
authorize.net to give me any support for what the issue was...


Hopefully, their PHP class will do the trick...

Thanks,

Tim.




[PHP] PHP Accelerator

2006-12-06 Thread Tim Traver

Hi,

I've been happily using the Free PHP Accelerator for years now, and I 
recently updated to php 4.4, and I get the following error :


the ionCube PHP Accelerator requires Zend Engine API version 20021010.
The Zend Engine API version 20050606 which is installed, is newer.
Contact Nick Lindridge at http://www.php-accelerator.co.uk for a later 
version of the ionCube PHP Accelerator.


but when I go to that site, nothing has been updated for several years now.

Is this product still available in the same form??? or has it been 
replaced ???


Thanks,

Tim.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Really stupid cookie question

2006-09-11 Thread Tim Traver

Brian Dunning wrote:
I am embarrassed to ask this. If I set a cookie for 30 days, and the 
visitor comes back 25 days later but I do nothing to re-set the 
cookie, will his cookie expire in 5 days, or does his browser 
automatically reset it to another 30 days?


That depends on if you reset the cookie when they come back or not. If 
your routines set the cookie only if the cookie does not already exist, 
then it would not reset the cookie at 25 days, so it would indeed expire 
5 days after that.


If you check to see if the cookie exists first, and then reset the 
expiration date at that time, then the cookie would last for another 30 
days...


Tim.




Re: [PHP] ssl.

2006-08-24 Thread Tim Traver


João Cândido de Souza Neto wrote:

Hi everyone.

Since we changed our SSL key from 128kb to 256kb I have noticed that something's 
going wrong.


In my e-commerce site, part is secure and part isn't. When I enter the secure 
part of the site, everything works fine. But when the sale is finished and 
my script runs header("Location: http://www.?") to exit from the secure 
part, the browser gives me a notice that some parts of the page I've been 
led to are in a non-secure region and asks me if I really want to do that (it never 
had happened before). Though I confirm by clicking the yes button, it doesn't 
go away from https.


Now my question:

Is there some difference between a 128kb and a 256kb SSL key?
Is there some way to fix it?

Thanks a lot in advance for any tips...

  



João,

This shouldn't have anything to do with the certificate.

It most likely has to do with something being loaded on the exit page 
that is not secure. For example, if there is a hard coded link to an 
image, or an included javascript link to an outside source.


If anything on the page is not secure, then you will get that error.

Tim.
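
One way to check an exit page for the condition described in the reply above, as an added example that is not from the thread: parse the HTML and list every subresource that would be fetched over plain http://. The function name insecureSubresources(), the tag list and the sample page (example.com hosts) are constructed for illustration.

```php
<?php
// Added example. insecureSubresources() and the sample page are constructed
// for illustration; they are not code from the thread.

/**
 * Return one "<tag attr="url">" string for every subresource loaded over
 * plain HTTP. Relative and protocol-relative (//host/...) URLs inherit the
 * page's own scheme, so only absolute http:// URLs are reported.
 */
function insecureSubresources(string $html): array
{
    // Elements whose URL attribute is fetched while the page renders.
    // Plain <a href> links are navigation, not subresources, so they are skipped.
    $urlAttr = [
        'img'    => 'src',
        'script' => 'src',
        'iframe' => 'src',
        'embed'  => 'src',
        'object' => 'data',
        'link'   => 'href',
    ];

    $previous = libxml_use_internal_errors(true); // tolerate sloppy real-world HTML
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NONET);           // never touch the network while parsing
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $found = [];
    foreach ($urlAttr as $tag => $attr) {
        foreach ($doc->getElementsByTagName($tag) as $element) {
            // Only <link> elements that load something count, e.g. stylesheets
            // and icons; rel="canonical" is metadata and is never fetched.
            if ($tag === 'link'
                && !preg_match('/\b(stylesheet|icon)\b/i', $element->getAttribute('rel'))) {
                continue;
            }
            $url = trim($element->getAttribute($attr));
            if (stripos($url, 'http://') === 0) {
                $found[] = sprintf('<%s %s="%s">', $tag, $attr, $url);
            }
        }
    }
    return $found;
}

// Constructed sample of a page served over https:// after checkout.
$exitPage = <<<'HTML'
<html><head>
  <link rel="stylesheet" href="/css/shop.css">
  <link rel="canonical" href="http://shop.example.com/thanks">
  <script src="http://stats.example.net/counter.js"></script>
</head><body>
  <img src="http://shop.example.com/img/logo.gif" alt="logo">
  <img src="//cdn.example.com/banner.png" alt="banner">
  <a href="http://shop.example.com/">Back to the shop</a>
</body></html>
HTML;

foreach (insecureSubresources($exitPage) as $hit) {
    echo $hit, "\n";
}
```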




[PHP] Simulating mysql_real_escape_string

2006-06-19 Thread Tim Traver

Hi all,

ok, have a relatively complicated architecture of php scripts in place, 
and after reading more about SQL injection, want to make sure that I 
clean my data completely before I enter it into a MySQL db.


I tend to clean the data on the way into the app, which has many 
subroutines that process the data. I've written generic functions to 
wrap queries to the database.


So, because I don't yet have an open connection to the database when the 
data comes in the front door, or even when I am constructing the query, 
I cannot use mysql_real_escape_string to clean the data.


Is there a way to essentially duplicate the mysql_real_escape_string if 
you already know the character set that the MySQL db is using ???


When I'm constructing a query, it doesn't make sense to open the 
connection just to use that function.


Can I just use the deprecated mysql_escape_string ? or is there maybe a 
sequence of addcslashes parameters that can accomplish the same thing ???


Thanks,

Tim.
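
An alternative to escaping before a connection exists, as an added example that is not from the thread: the query wrapper carries the SQL text and the values separately and binds them only at execution time, so nothing needs escaping when the data comes in the front door. DeferredQuery, findCustomerByName(), the customers table and the in-memory SQLite database (a stand-in for MySQL so the block runs offline) are hypothetical.

```php
<?php
// Added example (not from the thread). All class, function and table names
// are hypothetical; SQLite in memory stands in for the MySQL server.

/** A query built without any database connection: SQL text plus bound values. */
final class DeferredQuery
{
    private $sql;
    private $params;

    public function __construct(string $sql, array $params = [])
    {
        $this->sql = $sql;
        $this->params = $params;
    }

    /** The connection is needed only here, at execution time. */
    public function run(PDO $db): array
    {
        $stmt = $db->prepare($this->sql);
        $stmt->execute($this->params);   // values travel as data, never as SQL text
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

/** Application-level helper: no escaping and no connection required. */
function findCustomerByName(string $name): DeferredQuery
{
    return new DeferredQuery(
        'SELECT id, name FROM customers WHERE name = :name',
        [':name' => $name]
    );
}

// --- Front door: build queries from incoming data, still no connection. ---
$legit   = findCustomerByName("O'Brien");        // quote inside a normal value
$hostile = findCustomerByName("x' OR '1'='1");   // constructed injection attempt

// --- Later: open the connection once and execute. ---
// With MySQL the DSN would name the connection character set, e.g.
// 'mysql:host=...;dbname=...;charset=utf8mb4', and
// PDO::ATTR_EMULATE_PREPARES would be set to false so the server binds the values.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO customers (name) VALUES ('O''Brien')");
$db->exec("INSERT INTO customers (name) VALUES ('Traver')");

printf("rows for O'Brien:          %d\n", count($legit->run($db)));
printf("rows for injection string: %d\n", count($hostile->run($db)));
```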




[PHP] PHP CGI Security

2006-01-17 Thread Tim Traver

Hi all,

ok, I have come up with an architecture to offer PHP to customers as a 
CGI, and want to get some opinions to make sure I'm not missing any 
glaring holes...


I've decided to use suPHP to fork off PHP CGI scripts as the user and 
group. It seems to work pretty well, and I have tweaked suPHP (i.e. 
hacked the source) to force a particular GID as the group that is 
different than the web server group. I have also forced a chroot to a 
jailed filesystem in which they have access to the php libraries just 
like they would on a real system.


So here's the gist of it :

1) For arguments sake, lets say that Apache is running as user www and 
group www.
2) Each user has their own user ID and all files in their directories 
are group www, allowing apache to serve all of their web data.
3) When suPHP is invoked, it changes the script to user u1234 and 
group www2, and jails the script to /jail
4) Because the user directories are shared across NFS, the users 
structure (and all other users structures) are also mounted in the /jail
5) Because the users PHP script is running as user u1234 and group 
www2, it has no access to any of the other users data.
6) All directories within a users space are in group www and have the 
group sticky bit turned on, so that any files created will get created 
with the www group and not the www2 group. This will allow any files 
the user creates in their own directories to be read by apache.
7) I have created an auto_prepend_file that sets the session.save_path 
ini variable to a local directory within the users account so that 
session files are not in a place that can be read by anyone else.
8) Safe mode is disabled to allow users to be able to use PHP scripts 
that need safe mode to be turned off.
9) In the /jail area, all unnecessary binaries have been removed (things 
like ifconfig, mount, and dev stuff) to make it more secure, but useful 
binaries were left for scripts to use (things like ls, rm, etc...)


Does anyone see any glaring holes in this model ???

Thanks,

Tim.




[PHP] PHP CGI Variables

2006-01-10 Thread Tim Traver

Hi all,

ok, I want to re-post this so that more people might see it, cause there 
has to be an answer somewhere...


When using the CGI version of PHP with apache, I need to be able to set 
some of the php_admin_values that normally get set in the php.ini file 
on the fly...


Since I am not using mod_php, the solutions already given to me of 
setting php_admin_values in <Directory> sections or .htaccess files 
simply don't work, cause apache doesn't have any idea what they are.


I am trying to avoid having to have separate php.ini files for every 
virtual host, as I only want to set a few convenience parameters.


Besides PHPRC, does the CGI version of the PHP binary read in any other 
environment variables ? Cause it would be easy enough to set an 
environment variable to be passed to PHP for those settings.


There's got to be someone out there that has done this, or wants to do 
this. I'm tempted to start looking at the code base and seeing if a 
simple patch will allow me to do that, but I want to make sure I'm not 
missing anything...


Any PHP Guru's out there ???

Thanks,

Tim.




[PHP] admin variables in CGI version

2006-01-03 Thread Tim Traver

Hi all,

ok, when using the CGI binary for PHP execution, is there a way to send 
it environment variables to set the admin values like you can in mod_php ???


For instance, when using the apache module, you might do something like 
this :


php_admin_value session.save_path /some/path

I know that you can have it loaded in a local php.ini file within the 
directory of the executed script, but I don't want to have to put a 
php.ini file if I am setting values on the fly...


I tried setting the environment variable, and it shows up in php_info as 
an env variable, but how can I get it to actually be set ???


Anyone ???

Thanks,

Tim.




[PHP] Optimizing Images

2005-12-06 Thread Tim Traver

Hi all,

ok, I'm trying to write a script to optimize images for the web, but I 
can't seem to figure out how to go about reducing the color palette, and 
therefore reducing the size of the images.


I'm trying to be generic about it so that users can optimize GIF's and 
JPG's or even PNG's. I can't find much in the way of code on the net 
about doing this...


Does anyone have any suggestions as to maybe some freely available 
scripts or classes that can help me figure this out ???


Thanks,

Tim.




[PHP] default mail headers ?

2005-10-10 Thread Tim Traver

Hi all,

when using the mail() function in the base PHP distribution, is there a 
way to inject a default header onto all mail being sent out ?


I thought at some point there was already a header that specified the 
script that was making the mail() call in it, but it doesn't look like 
that is happening. Did it used to be that way ? I could have sworn that 
I remember it being like that...


Thanks,

Tim.




[PHP] Compiling PHP 4.3.11 on FreeBSD 5.4 amd64

2005-05-14 Thread Tim Traver
Hi all,
For some reason, when I compile php on my FreeBSD 5.4 machine (amd64 
architecture), it is not creating the shared object file.

Here is my config :
./configure --with-apxs=/usr/local/apache/bin/apxs --enable-ftp 
--with-mcrypt=/usr/local -with-openssl -enable-url-fopen-wrapper 
--enable-ftp --with-gd --with-zlib --with-jpeg-dir=/usr/local/lib 
--with-png-dir=/usr/local/lib --with-ttf --enable-gd-native-ttf 
--with-freetype-dir=/usr/local/lib --enable-shared

when I use this same config on a 4.11 FreeBSD, it works fine. I will 
probably post this on the FreeBSD lists, but I figured I would ask here 
first.

Everything appears to compile properly (no errors out of the usual)...
Any ideas why the compilation would not create a shared object for me to 
install on apache ???

Apache is 1.3.33 and compiles and works fine...
Thanks,
Tim.


[PHP] text editor

2005-03-28 Thread Tim Traver
Hi all,
ok, I have created my own php text editor that allows a user to edit 
files from local(server) disk.

I use a basic html textarea to show the contents of the file, and let 
them edit it, and then save it to disk.

I've just realized that when editing an html file, that everything is 
ok, unless the file has a textarea tag in it. Then the editing textarea 
tag gets closed, and you end up not getting all of the data to save.

Any way to work around this and still use simple forms ?
Thanks,
Tim.


[PHP] Trouble Compiling 4.3.10 on FreeBSD 5.X

2005-02-26 Thread Tim Traver
Hi all,
for some reason, I cannot get php to compile a shared object to work 
with apache 1.3.33...

Here are the config commands that I used for apache and php :
EAPI_MM=SYSTEM ./configure --enable-module=so --enable-module=info 
--enable-module=status --enable-module=rewrite --enable-module=ssl 
--enable-shared=ssl --disable-rule=SSL_COMPAT

apache installs and works just fine.
I use this for php :
./configure --with-apxs=/usr/local/apache/bin/apxs --enable-ftp 
--with-mcrypt=/usr/local -with-openssl -enable-url-fopen-wrapper 
--enable-ftp --with-gd --with-zlib --with-jpeg-dir=/usr/local/lib 
--with-png-dir=/usr/local/lib --with-ttf --enable-gd-native-ttf 
--with-freetype-dir=/usr/local/lib --enable-shared

It compiles ok, but when I go to install it, it gives an error :
Installing PHP SAPI module:   apache
[activating module `php4' in /usr/local/apache/conf/httpd.conf]
cp libs/libphp4.so /usr/local/apache/libexec/libphp4.so
cp: libs/libphp4.so: No such file or directory
apxs:Break: Command failed with rc=1
*** Error code 1
Stop in /dev/php-4.3.10.
and there is no shared object file in the libs directory.
This works just fine on a FreeBSD 4.10 client, but for some reason it 
doesn't create the shared object on this 5.3 system.

More info :
System is a Dual Opteron AMD architecture, running a fresh install of 
FreeBSD 5.3...

thanks,
Tim.


[PHP] Running PHP as CGI

2004-11-26 Thread Tim Traver
Hi all,
In the quest to secure php script running, I am starting to think about 
running php as a cgi instead of through the module.

I generally set the open_basedir directory within the apache 
configuration file for individual hosts. If I ran php as a CGI, would 
that directive still be in effect ? or do I have to set that in a 
php.ini file that is specific for that virtual host ?

Thanks,
Tim.


Re: [PHP] Running PHP as CGI

2004-11-26 Thread Tim Traver
I guess what I'm really asking is do the php_admin environment variables 
that can get set in Apache get passed to the CGI version of php when 
called as a CGI ?

Tim.
Curt Zirzow wrote:
* Thus wrote Tim Traver:
 

Hi all,
In the quest to secure php script running, I am starting to think about 
running php as a cgi instead of through the module.

I generally set the open_basedir directory within the apache 
configuration file for individual hosts. If I ran php as a CGI, would 
that directive still be in effect ? or do I have to set that in a 
php.ini file that is specific for that virtual host ?
   

The directive will be effective for whichever Apache Directory
directive applies, otherwise the setting for the default directory
will be used.
php in general has no clue about virtual hosts. This is rather an
Apache issue.
Curt
 




Re: [PHP] php security on shared hosts

2004-09-26 Thread Tim Traver
Chris,
I believe that is the reason that the PHP group came up with the 
open_basedir directive.

The open_basedir prevents you from looking into anything higher than a 
particular directory tree using PHP.

So, a combination of safe_mode and open_basedir should prevent your script 
from being able to walk the tree.

Is there some way to get around open_basedir ?
I didn't think there was, and if there is, then we better post that to the 
security guys at php, cause that's not good.

Yes, there are many scripts that assume no safe_mode, and therefore do not 
work. It usually means they are trying to do something a little more 
powerful with the filesystem, or system commands, and shared hosts don't 
want random system commands being run on the machines...;)

Am I saying it's perfect ? No. I think it should be pretty safe though if 
implemented correctly.

Tim.
At 09:47 PM 9/25/2004, Chris Shiflett wrote:
--- Tim Traver [EMAIL PROTECTED] wrote:
 I can guarantee that is not the way it is supposed to be. We
 make sure that can't happen by running in Safe mode, using the
 open_basedir directive, and making sure the directory tree has
 the correct permissions so the situation you described cannot
 happen.
The safe_mode and open_basedir directives are certainly no protection. I'm
curious what sort of permissions you are using that prevents this
scenario, since it seems impossible to me. If the legitimate developer can
include code using include or require, it means the Web server must be
able to read those files. The exception would be if you're running each
user in a chroot jail or something, mimicking a dedicated environment.
 So, I'd say that your shared host is doing a poor job of
 implementing PHP.
I used to think the same, but I've changed my mind, because:
1. safe_mode is no protection.
2. Many prepackaged PHP applications don't work with safe_mode enabled.
Hope that helps.
Chris
=
Chris Shiflett - http://shiflett.org/
PHP Security - O'Reilly
 Coming December 2004
HTTP Developer's Handbook - Sams
 http://httphandbook.org/
PHP Community Site
 http://phpcommunity.org/

SimpleNet's Back !
http://www.simplenet.com


Re: [PHP] php security on shared hosts

2004-09-26 Thread Tim Traver
Oh, and I forgot, you can also specify specific include directories to be 
allowed for a particular user...

Tim.
At 09:47 PM 9/25/2004, Chris Shiflett wrote:
--- Tim Traver [EMAIL PROTECTED] wrote:
 I can guarantee that is not the way it is supposed to be. We
 make sure that can't happen by running in Safe mode, using the
 open_basedir directive, and making sure the directory tree has
 the correct permissions so the situation you described cannot
 happen.
The safe_mode and open_basedir directives are certainly no protection. I'm
curious what sort of permissions you are using that prevents this
scenario, since it seems impossible to me. If the legitimate developer can
include code using include or require, it means the Web server must be
able to read those files. The exception would be if you're running each
user in a chroot jail or something, mimicking a dedicated environment.
 So, I'd say that your shared host is doing a poor job of
 implementing PHP.
I used to think the same, but I've changed my mind, because:
1. safe_mode is no protection.
2. Many prepackaged PHP applications don't work with safe_mode enabled.
Hope that helps.
Chris
=
Chris Shiflett - http://shiflett.org/
PHP Security - O'Reilly
 Coming December 2004
HTTP Developer's Handbook - Sams
 http://httphandbook.org/
PHP Community Site
 http://phpcommunity.org/

SimpleNet's Back !
http://www.simplenet.com


Re: [PHP] php security on shared hosts

2004-09-26 Thread Tim Traver
Ahhh...ok, now you're talking about something else.
I thought we were just talking about the security model of PHP only. Yes, 
if a host has decided to offer another means for CGI that isn't safe, then 
that is another issue altogether...;)

I was just talking about PHP's security model. Safe mode + open_basedir + 
included directories + exec directories should be enough to prevent a PHP 
script from viewing the tree, and anyone else's data.

If you have a way, using PHP (not a perl or sh or tcl script), to get 
around those directives, then please let me know.

Personally, I never wanted to offer any CGI scripting to our customers, but 
in this day and age, a shared host has to, because the customers expect it, 
even though they have no idea how to use it. So I've created a jailed 
environment for perl to run as the user, and away from everyone else's 
directories. I am still wary of how safe that is, but it's as close as I can 
get it...

Seriously, let me know if you've got any issues with PHP's security model.
Tim.
At 11:26 AM 9/26/2004, Chris Shiflett wrote:
--- Tim Traver [EMAIL PROTECTED] wrote:
 I believe that is the reason that the PHP group came up with the
 open_basedir directive.

 The open_basedir prevents you from looking into anything higher
 than a particular directory tree using PHP.

 So, a combination of safe_mode and open_basedir should prevent
 your script from being able to walk the tree.
We know what these directives do. I think you're missing the point. How
can a PHP directive offer any protection against someone writing a CGI
that reads a file somewhere? Think about it.
 I didn't think there was, and if there is, then we better post
 that to the security guys at php, cause that's not good.
We know that neither safe_mode nor open_basedir offer protection from
this. We also know that it's impossible to solve this problem at the PHP
level, because it is completely independent of PHP.
 I think it should be pretty safe though if implemented correctly.
If you do not offer CGI access or any interpreter besides PHP, then I
suppose it's better than nothing, but I wouldn't characterize this as
safe. I suspect that if I were a user on this host, I could give you a URL
that displays another account's password within a few minutes. But, I'm
just speculating. :-)
Chris
=
Chris Shiflett - http://shiflett.org/
PHP Security - O'Reilly
 Coming December 2004
HTTP Developer's Handbook - Sams
 http://httphandbook.org/
PHP Community Site
 http://phpcommunity.org/

SimpleNet's Back !
http://www.simplenet.com


RE: [PHP] php security on shared hosts

2004-09-26 Thread Tim Traver
Pablo,
I tested Chris's script on our systems, and couldn't browse anywhere other 
than my own directories, so it is possible to set php up on shared hosts 
that is a lot more secure than what your host has done.

May I ask what host this is ? Is it a major one ?
Tim.
At 02:09 PM 9/26/2004, Pablo Gosse wrote:
[snip]
In short, what you've found is typical for most shared hosts
[/snip]
I've just been reviewing the way sites are housed on my host, and what
directories are readable by the web server and I'm curious to get
opinions on this.
When I use Chris' file browser script, there is a folder called
'virtual' in the site root, and it is readable by the web browser.
Inside /virtual there are three folders for every site, which I list
below.
--
site357
pablogosse.com
admin357
--
Browsing these for my site I see the following:
site357:
4096   ./
20480  ../
4096   fst/
4096   info/
pablogosse.com and admin357:
4096   ./
4096   ../
4096   bin/
4096   boot/
4096   dev/
4096   etc/
4096   home/
4096   initrd/
4096   lib/
4096   mnt/
4096   opt/
4096   proc/
4096   root/
4096   sbin/
4096   tmp/
4096   usr/
4096   var/
498    subdomain
4096   mysql/
7392   dump.xml
Also, if I browse the fst/ folder inside site357, I get the same results
as pablogosse.com and admin357.
I'm then able to browse freely through all the above folders except
/home and /root.
I'm no security expert so I have to ask, is this indeed normal?
Cheers and TIA.
Pablo
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

SimpleNet's Back !
http://www.simplenet.com


Re: [PHP] php security on shared hosts

2004-09-25 Thread Tim Traver
Pablo,
As a shared hosting company myself (http://www.simplenet.com/), I can 
guarantee that is not the way it is supposed to be. We make sure that can't 
happen by running in Safe mode, using the open_basedir directive, and 
making sure the directory tree has the correct permissions so the situation 
you described cannot happen.

So, I'd say that your shared host is doing a poor job of implementing PHP.
Tim.

At 08:31 PM 9/25/2004, Pablo Gosse wrote:
Hi folks. I recently set up hosting for my site and have noticed
something which is making me nervous.
I can't seem to include files outside of my webroot, so I wrote a script
to test permissions using passthru to output the results of a bunch of
ls -la commands to see what I did and did not have access to. Eventually
I was able to read the directory which holds the root folders for all
sites on the server, and from there I was able to read files (revealing
the php source) from the webroot of another site.
This to me is a huge security issue since if anyone has any sensitive
information there, it could easily be accessed by anyone else hosting on
the same server. And because I can't seem to include files from outside
my webroot, if I stay with this company I'll be forced to include
information such as database passwords inside my webroot, therefore
exposing the information to every other user on the server, and that's
just not acceptable.
All of my experience until now has been in situations where the sites
I've worked on have been hosted on dedicated servers, so this has never
been a problem.
Is this a common set up for shared hosting? Is there any way around
this?
Cheers and TIA.
Pablo

SimpleNet's Back !
http://www.simplenet.com
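
The exchange above turns on the point that safe_mode and open_basedir only constrain PHP, while the directory-tree permissions Tim mentions are enforced for every program on the host. As an added example (not code from the thread; the function names and the demo tree are constructed), a host or customer could audit a web root for entries that any local account can reach:

```php
<?php
// Added example, not code from the thread. Function names and the demo tree
// are constructed.

/** Describe what the "other" permission bits of one entry allow. */
function other_access($perms, $isDir)
{
    $notes = array();
    if ($perms & 0004) { $notes[] = $isDir ? 'listable' : 'readable'; }
    if ($perms & 0002) { $notes[] = 'writable'; }
    if ($isDir && ($perms & 0001)) { $notes[] = 'traversable'; }
    return $notes;
}

/**
 * Report every entry under $root that accounts outside the owner and group
 * can reach. These bits are enforced by the kernel, so they bound what a CGI
 * program or shell user can read as well as what a PHP script can.
 */
function audit_world_access($root)
{
    clearstatcache();
    $findings = array();
    $check = function ($path, $perms, $isDir) use (&$findings) {
        $notes = other_access($perms, $isDir);
        if ($notes) {
            $findings[] = sprintf('%04o %s (%s by any account)',
                $perms & 07777, $path, implode(', ', $notes));
        }
    };
    $check($root, fileperms($root), true);

    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST,
        RecursiveIteratorIterator::CATCH_GET_CHILD   // skip directories we cannot open
    );
    foreach ($walker as $path => $info) {
        if ($info->isLink()) {
            continue;   // the target's mode is what is enforced, not the link's
        }
        $check($path, $info->getPerms(), $info->isDir());
    }
    sort($findings);
    return $findings;
}

// Constructed demo tree standing in for one customer's web root.
$root = sys_get_temp_dir() . '/audit-demo-' . getmypid();
mkdir("$root/httpdocs", 0700, true);
file_put_contents("$root/httpdocs/config.php", "<?php // database password would be here\n");
file_put_contents("$root/httpdocs/index.php", "<?php\n");
chmod($root, 0750);                          // owner and web server group only
chmod("$root/httpdocs", 0755);               // any local account can list it
chmod("$root/httpdocs/config.php", 0644);    // any local account can read it
chmod("$root/httpdocs/index.php", 0640);     // owner and group only

echo implode("\n", audit_world_access($root)), "\n";

// Remove the demo tree again.
unlink("$root/httpdocs/config.php");
unlink("$root/httpdocs/index.php");
rmdir("$root/httpdocs");
rmdir($root);
```

An entry is reported even when a parent directory blocks traversal, because a single chmod on that parent would expose it.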


[PHP] PHP HTML text editor issues...

2004-08-18 Thread Tim Traver
Hi all,
ok, I've made my own version of a file manager complete with a text editor, 
and I'm having troubles figuring out some issues.

I present the text to be edited retrieved from a file in a textarea box for 
a user to edit, and then POST that to my PHP application, which then saves 
it to disk.

I have found it to break when the text file has intentional backslashes in 
it. For instance, if you are editing a perl script, there are a lot of 
times where you need lots of backslashes in a row.

Does the POST data get urlencoded as it is coming in to the program, and 
then PHP unencodes it to put it in the variable ? It seems that there is 
some kind of translation.

I've tried to use addslashes and stripslashes to prevent some of the 
clobbering of the text, but it doesn't seem to be working. If I don't do 
anything, it looks like PHP (or HTML) backslashes all quotes...

I just want to get the EXACT text that is in the textarea to be saved to 
disk...

Here is an example of a line that gets clobbered :
 $value =~ tr/\0//d;
I read the file in from disk using file_get_contents. Does that do any 
translation ???

Any help would be appreciated,
Tim.


SimpleNet's Back !
http://www.simplenet.com


Re: [PHP] PHP HTML text editor issues...

2004-08-18 Thread Tim Traver
No, magic quotes are turned off...
Tim.
At 09:44 AM 8/18/2004, Jason Davidson wrote:
Do you have magic quotes turned on in your php ini file?
Jason
Tim Traver [EMAIL PROTECTED] wrote:

 Hi all,

 ok, I've made my own version of a file manager complete with a text 
editor,
 and I'm having troubles figuring out some issues.

 I present the text to be edited retrieved from a file in a textarea box 
for
 a user to edit, and then POST that to my PHP application, which then saves
 it to disk.

 I have found it to break when the text file has intentional backslashes in
 it. For instance, if you are editing a perl script, there are a lot of
 times where you need lots of backslashes in a row.

 Does the POST data get urlencoded as it is coming in to the program, and
 then PHP unencodes it to put it in the variable ? It seems that there is
 some kind of translation.

 I've tried to use addslashes and stripslashes to prevent some of the
 clobbering of the text, but it doesn't seem to be working. If I don't do
 anything, it looks like PHP (or HTML) backslashes all quotes...

 I just want to get the EXACT text that is in the textarea to be saved to
 disk...

 Here is an example of a line that gets clobbered :

   $value =~ tr/\0//d;

 I read the file in from disk using file_get_contents. Does that do any
 translation ???

 Any help would be appreciated,

 Tim.





 SimpleNet's Back !
 http://www.simplenet.com


SimpleNet's Back !
http://www.simplenet.com


Re: [PHP] PHP HTML text editor issues...

2004-08-18 Thread Tim Traver
Darnit if the php.ini file that I was looking at was the wrong one...
looks like turning the magic quotes off in the correct php.ini file worked...
thanks,
Tim.
At 10:17 AM 8/18/2004, Curt Zirzow wrote:
* Thus wrote Tim Traver:
 Hi all,

 ok, I've made my own version of a file manager complete with a text 
editor,
 and I'm having troubles figuring out some issues.
 ...

 I've tried to use addslashes and stripslashes to prevent some of the
 clobbering of the text, but it doesn't seem to be working. If I don't do
 anything, it looks like PHP (or HTML) backslashes all quotes...

 I just want to get the EXACT text that is in the textarea to be saved to
 disk...

 Here is an example of a line that gets clobbered :

  $value =~ tr/\0//d;

 I read the file in from disk using file_get_contents. Does that do any
 translation ???

file_get_contents doesn't do any filtering. The issue you're
probably running into is that magic_quotes_gpc is set to On.  This
will addslashes to all your data by default.  Two options:
  1. Turn it off.
  2. apply strip_slashes() to the string before writing to disk
Curt
--
First, let me assure you that this is not one of those shady pyramid schemes
you've been hearing about.  No, sir.  Our model is the trapezoid!

SimpleNet's Back !
http://www.simplenet.com
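
The second option in Curt's reply, as an added example that is not code from the thread (the helper names are hypothetical): slashes are stripped only when PHP actually added them, and the demo shows why stripping them unconditionally damages the Perl line quoted above.

```php
<?php
// Added example, not code from the thread. Helper names are hypothetical.

/**
 * Undo magic_quotes_gpc on one value or on a nested array of values.
 * With the setting on, PHP has already run addslashes() on every GET, POST
 * and cookie value, so ' " \ and NUL each arrive with a backslash in front.
 */
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return stripslashes($value);
}

/**
 * Return a POST field byte-for-byte as the browser sent it, or null if absent.
 * Slashes are stripped only when PHP really added them. The function_exists()
 * test is there because get_magic_quotes_gpc() is gone from PHP 8.
 */
function raw_post_value(array $post, $name)
{
    if (!isset($post[$name])) {
        return null;
    }
    $quoted = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
    return $quoted ? undo_magic_quotes($post[$name]) : $post[$name];
}

/**
 * Escape file contents for display inside <textarea>...</textarea>, so a file
 * that itself contains "</textarea>" or "&amp;" comes back unchanged on save.
 * ISO-8859-1 is named so every byte is accepted: only & < > " ' are rewritten,
 * and files that are not valid UTF-8 are not turned into an empty string.
 */
function textarea_html($contents)
{
    return htmlspecialchars($contents, ENT_QUOTES, 'ISO-8859-1');
}

// Constructed demo built on the Perl line quoted in the thread.
$original = '$value =~ tr/\0//d;';

// What the script receives when magic_quotes_gpc is on: the backslash is doubled.
$received = addslashes($original);
echo "received with magic quotes: $received\n";
echo 'restored matches original:  ';
var_dump(undo_magic_quotes($received) === $original);

// Stripping slashes that PHP never added is what damages the text:
// stripslashes() reads backslash-zero as an escaped NUL and emits a NUL byte.
$damaged = stripslashes($original);
echo 'blind stripslashes is safe: ';
var_dump($damaged === $original);
echo 'bytes after blind strip:    ', bin2hex($damaged), "\n";

// How the same line would be written into the edit form.
echo '<textarea name="body">', textarea_html($original), "</textarea>\n";
```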


Re: [PHP] Re: Mixing $_POST with text in a variable

2004-07-19 Thread Tim Traver
I think the better way is to use brackets to enclose your variable...
So it would look like this :
$message = "
Name: {$_POST['Name']}
Division: {$_POST['Division']}
Phone: {$_POST['Phone']}
Email: {$_POST['Email']}";
Tim.
At 11:15 AM 7/19/2004, Jason Barnett wrote:
Markus Stobbs wrote:
I'm changing my HTTP POST variable declarations from $variablename to 
$_POST['variablename'] to make my code more compliant with current best 
practices.
However, I find that I cannot mix these new variable declarations into 
big variable strings like I used to. For example, this works:
$message = "
Name: $Name
Division: $Division
Phone: $Phone
Email: $Email";
...but when I change $Name and the other variables to $_POST['Name'], I 
get this error:
Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting 
T_STRING or T_VARIABLE or T_NUM_STRING in 
/web/scd/vets/Vislab/eventrequest.php on line 94
When you have a variable that is inside a text string (double quotes) like 
that then you do not need to have the quotes for your array index.  So in 
your case something like this should work:

$message = "
Name: $_POST[Name]
Division: $_POST[Division]
Phone: $_POST[Phone]
Email: $_POST[Email]";


Re: [PHP] PHP Sessions Question

2004-07-08 Thread Tim Traver
It could be a case that your provider is load balancing across several 
machines. If they are, and they aren't storing the session data in a 
central location, then that might account for the issue.

That would explain the intermittent failure. The user might be making 
keepalive requests to the same box and being ok, and then get bounced once 
it hits a machine that doesn't have the session data...

You might ask them about it...
Tim.

At 09:43 PM 7/8/2004, Ed Lazor wrote:
What kind of problems could be happening server-side that would result in
PHP sessions randomly disappearing?  And, is there a way to log or track
this information?  Oh, and best of all, any recommendations on solutions?

I have a PHP / MySQL application that's been running at a host provider for
almost a year now.  PHP sessions are used to track logged in users. For
example, $_SESSION[UserID].  If the UserID isn't stored as a session
variable, the user must not be logged in, so prompt them with a login
screen.

Most recent updates were made last week and everything has been working fine
until this afternoon.  Session data is somehow being lost.  It seems random.
A person will be logged in and navigating through the site when they
suddenly get a login screen.  They'll log back in and continue navigating
for a little while when it will happen again - sometimes within seconds and
other times within minutes.  Sometimes it won't even happen for 30 minutes
and then it suddenly begins to occur again.

Thanks in advance for any ideas or recommendations that I can forward to my
hosting provider on how to fix the problem.

-Ed



SimpleNet's Back !
http://www.simplenet.com


Re: [PHP] Crontab PHP Script

2004-06-26 Thread Tim Traver
Not sure if this is different in linux, but usually the first parameter is 
the minutes, and if you had 01 in it, that means that it would do it once 
an hour (i.e. 12:01, 1:01, 2:01, etc...)

They should all have stars to do it once a minute.
In freeBSD, it would look like this :
*   *   *   *   *   root   /usr/local/bin/php /home/httpd/vhosts/tgwedding.com/httpdocs/tgwedding/crontab.php

Tim.
At 04:34 PM 6/26/2004, Ryan Schefke wrote:
Hi,

Can someone please give me some guidance.  I'd like to run a php script
every minute (in reality every night, but just testing).  I've done some
reading and found that a crontab is the best way to go (I think).  I'm using
Plesk 7 on a Linux box and I have root access.

I made a quick php script called crontab.php to email me.

==
<?php   //send email on domain
/* subject */
$str_subject = "crontab test";

/* message */
$messagecontent = "this is a test to see if crontab working nightly\n\n";

/* to */
$to = "[EMAIL PROTECTED]";

/* from */
$headers = "From: tgWedding [EMAIL PROTECTED]\r\n";

/* bcc */
//  $headers .= "Bcc: [EMAIL PROTECTED]";

mail($to, $str_subject, $messagecontent, $headers);
?>


Then I setup my crontab command as:
/home/httpd/vhosts/tgwedding.com/httpdocs/tgwedding/crontab.php
https://217.160.251.56:8443/sysuser/crontab_edit.php?cte_src=CTEJKgkqCSoJKg
kvaG9tZS9odHRwZC92aG9zdHMvdGd3ZWRkaW5nLmNvbS9odHRwZG9jcy90Z3dlZGRpbmcvY3Jvbn
RhYi5waHA=


I used  *  for every field except M, which I set to  01  to run every
minute.


It's not working...can someone guide me along and let me know what I've done
wrong.

Thanks,
Ryan

SimpleNet's Back !
http://www.simplenet.com


[PHP] getting the line number

2004-06-07 Thread Tim Traver
Hi all,
Is it possible to get the line number of the parent script of a subroutine ???
ok, let me explain that a little better.
I have a script that includes a separate file for functions.
In a particular function, if a query gets an error,  write out a log file 
that explains the error.

The thing I am trying to determine is from what line the call was made from 
the parent script to the subroutine.

I know that I can get the line number of the current script, but that 
doesn't tell me where the function was called from...

Hope I explained that correctly,
Thanks,
Tim.


SimpleNet's Back !
http://www.simplenet.com/


Re: [PHP] getting the line number

2004-06-07 Thread Tim Traver
That is exactly what I needed...
Thanks !
Tim.
At 12:04 PM 6/7/2004, Adam Bregenzer wrote:
On Mon, 2004-06-07 at 14:52, Tim Traver wrote:
 I have a script that includes a separate file for functions.

 In a particular function, if a query gets an error,  write out a log file
 that explains the error.

 The thing I am trying to determine is from what line the call was made 
from
 the parent script to the subroutine.

 I know that I can get the line number of the current script, but that
 doesn't tell me where the function was called from...

debug_backtrace[1] should get you everything you want and then some.
[1] http://www.php.net/debug_backtrace
--
Adam Bregenzer
[EMAIL PROTECTED]
http://adam.bregenzer.net/
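
An added example (not code from the thread; the function names are hypothetical) of the debug_backtrace approach Adam points to, for the layout Tim describes: a query function in an included file that logs the line of the parent script that called it.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

/**
 * Return the file and line of a call site further up the stack.
 * Frame 0 is the call to call_site() itself, frame 1 the call to the function
 * that invoked call_site(), frame 2 the call to that function's caller, ...
 */
function call_site($levels)
{
    // IGNORE_ARGS leaves argument values (credentials, SQL containing user
    // data) out of the trace; the second argument caps how many frames are built.
    $frames = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS, $levels + 1);
    if (!isset($frames[$levels]['file'], $frames[$levels]['line'])) {
        return array('file' => '(unknown)', 'line' => 0);
    }
    return array(
        'file' => $frames[$levels]['file'],
        'line' => $frames[$levels]['line'],
    );
}

/** Append one line to the log, naming where the failing query function was called. */
function log_query_error($logfile, $error)
{
    // 0: this call to call_site(), 1: run_query()'s call to log_query_error(),
    // 2: the parent script's call to run_query().
    $site = call_site(2);

    // Collapse control characters so text from the database driver or from
    // user input cannot start a forged log line.
    $error = preg_replace('/[\x00-\x1f\x7f]+/', ' ', $error);

    $entry = sprintf("[%s] %s:%d %s\n",
        date('Y-m-d H:i:s'), $site['file'], $site['line'], $error);
    return file_put_contents($logfile, $entry, FILE_APPEND | LOCK_EX) !== false;
}

/** Stand-in for the real query function in the included functions file. */
function run_query($sql, $logfile)
{
    // Constructed failure so the demo needs no database; the embedded newline
    // imitates an error message that tries to add a second log entry.
    $error = "Table 'shop.orders' doesn't exist\n[2004-06-07 00:00:00] forged entry";
    log_query_error($logfile, $error);
    return false;
}

// Constructed demo: the log line names this file and the line of the call below.
$logfile = tempnam(sys_get_temp_dir(), 'qlog');
run_query('SELECT * FROM orders', $logfile);
echo file_get_contents($logfile);
unlink($logfile);
```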


[PHP] easy question...

2004-06-01 Thread Tim Traver
Hi all,
I'm sure this question has come up before, so it should be an easy answer...
I'm running PHP as an apache module, and have safe_mode turned on.
When a script attempts to create a directory, or upload a file, it creates 
it as the web server user.

Since it is an apache module, running suexec won't make it act like a 
particular user, so how can you get it to create directories, or upload 
files that have a particular user ownership ?

Thanks,
Tim.
SimpleNet's Back !
http://www.simplenet.com/


Re: [PHP] ColdFusion / SQL PHP / mySQL HELP!

2004-05-28 Thread Tim Traver
Oh my god...I'm crying...
what the heck is a bacon stretcher ?
t
At 03:52 PM 5/28/2004, Travis Low wrote:
Here's what you do.   Assume 10-hour work days.  Obviously, you want to 
start with the schema.  That's pretty darn important, so allow yourself a 
whole day for that.

You have four days left.  Oh wait -- you will probably have to work the 
weekend for this one.  So you have six days left.  That's 60 hours, or 
3600 minutes. You have 300 files, so you can't spend more than 12 minutes 
per file.  Wait, you said OVER 300, so try to keep it to 10 minutes per 
file.  To play it safe, spend no more than 8 minutes per file -- that way, 
you have a little extra time in case something unexpected comes up.

It might be easier to buy a CFM-to-PHP converter.  You can get those at 
most Kmart stores.  They're usually next to the bacon stretchers and 
smoke-shifters.

Hope this helps!
cheers,
Travis
Chris Jernigan wrote:
Hi everyone,
Ok, I need serious help. I have been handed a project by my boss to convert
an existing site that was built using ColdFusion / SQL into a site that will
use PHP / mySQL. The site relies heavily on calls to the database for
everything from site content, to an admin area where you can edit that
content, to a news ticker, to the actual navigation of the site.
What's the problem? I have one week to do this. Oh, and did I mention that I
know VERY little about PHP / mySQL. I know NOTHING about ColdFusion or
MSSQL. And to top it off, the site in question contains over 300 .cfm files!
Does anyone have any idea how I could pull this off?
Even if I had a working knowledge of ColdFusion, MSSQL, PHP, mySQL...still
one week isn't enough time to retool a site of this proportion. Especially
considering that I don't understand any of the code that I'm staring at.
I've been a web designer for about five years now. Notice I said designer
not developer. I want to learn PHP / mySQL but in order to complete this
project I also need to understand ColdFusion in order to replicate the site
functionality. Any advice on what I should do?
Thanks in advance for your help,
Chris
--
Travis Low
mailto:[EMAIL PROTECTED]
http://www.dawnstar.com


Re: [PHP] cron job for php not working

2004-05-20 Thread Tim Traver
It looks like that cron line is making it so that the command runs as the 
user php...

so, you should check if that user has permission to run the script.
Tim.
At 08:33 AM 5/20/2004, Merlin wrote:
Hi there,
I am trying to install following cron job:
0 6 * * * php /home/www/project/app_cron/follow_up_new_members.php
The script works, if I run this php /home... line manually it works out, 
but it does not automatically at 6 am as supposed.

I do also see in /var/log/messages that the cron job has happened at that 
time, but the file did not generate the emails like it was supposed to.

I am running the crontab as webserver user.
Thanx for any helpful ideas on that,
Merlin


Re: [PHP] Simple MySQL/PHP Query

2004-05-20 Thread Tim Traver
If you know exactly what you need to append, then you can just do the 
update query directly.

UPDATE tablename
SET body=concat(body,'string to add')
that should do it...
Tim

At 09:04 AM 5/20/2004, Nick Wilson wrote:
Hi all,
First off, yeah, it's a dumb Q ;-) but I can't remember enough about mysql
to know if I need a php script or it might be done from the command
line...
I have a DB that has a field called 'body' - it holds the body of html
pages of course... What I need to do, is add to the very end of each
html page, one short piece of text.. not a footer, just an addition to
every page.
How do I do that? - Do I need to select the body, then add the text to
it, then UPDATE it, or can I just append something to what's already
there?
Many thx!
--
Nick W


Re: [PHP] Simple MySQL/PHP Query

2004-05-20 Thread Tim Traver
yeah, the + modifier thinks you mean you want to add them as integers...
use my previous post with the concat command and that works...
Tim.
At 09:20 AM 5/20/2004, Nick Wilson wrote:
* and then Nick Wilson declared
  pages of course... What I need to do, is add to the very end of each
  html page, one short piece of text.. not a footer, just an addition to
  every page.
 
  UPDATE table SET body = body + text to append

 Hehe, it's been such a lng time since i did even the simplest SQL
 work ;-)
DAMN! - Good job i tested on the local DB not the live one!
That wiped the entire DB and put a '0' in place of every body column?
Here's what I did:
update node set body = body + "\n\n<p>This is extra</p>";
Anyone see what went wrong?
--
Nick W


[PHP] php_admin values solution

2004-05-07 Thread Tim Traver
Just in case anyone wants to know the solution, I found one on the apache 
list...

Apparently, from within an apache module, one can use the function

zend_alter_ini_entry("open_basedir", 13, path, strlen(path), 4, 16);

This function is included in the zend base libraries, and will let you set 
the php admin variables on the fly...

Thanks,

Tim.



[PHP] please remove this user

2004-05-07 Thread Tim Traver
Can any admin remove this user from the list ?

Advance Credit Suisse Bank [EMAIL PROTECTED]

Every time I post, I get an autoresponse from that address...

Anyone else get that ?

Thanks,

Tim.



Re: [PHP] php_admin values solution

2004-05-07 Thread Tim Traver
Curt,

This is an apache module that dynamically determines the data directories 
for a particular incoming request based upon the Host header.

After that directory is determined, then I set the admin value of things 
like open_basedir for php.

This prevents me from having to make an entry for every virtual host in the 
config file. As long as the directory exists, then apache will serve it up...

Tim.



At 11:46 AM 5/7/2004, Curt Zirzow wrote:
* Thus wrote Tim Traver ([EMAIL PROTECTED]):
 Just in case anyone wants to know the solution, I found one on the apache
 list...

 Apparently, from within an apache module, one can use the function

 zend_alter_ini_entry("open_basedir", 13, path, strlen(path), 4, 16);
I am curious as why you want to make a module to have it override
admin set settings in php userland.  There is a reason why admin
values are set.
Curt
--
I used to think I was indecisive, but now I'm not so sure.


Re: [PHP] please remove this user

2004-05-07 Thread Tim Traver
Uhhh...I shouldn't have to do that...

an admin on this list should be able to remove those two offending 
addresses, right ?

Tim.

At 11:18 AM 5/7/2004, John Nichel wrote:
Tim Traver wrote:
Can any admin remove this user from the list ?
Advance Credit Suisse Bank [EMAIL PROTECTED]
Every time I post, I get an autoresponse from that address...
Anyone else get that ?
Thanks,
Tim.
Send it to /dev/null (or make a filter for it in your mail client).

--
John C. Nichel
KegWorks.com
716.856.9675
[EMAIL PROTECTED]


[PHP] setting php_admin_value 2

2004-05-06 Thread Tim Traver
David and all,

I apologize for not posting properly. I did not realize that headers were 
keeping track of the threads of this mailing list. I will make sure I don't 
do it again.

I am actually simply using the Host header to make a dynamic path to its 
data location in my apache module.

Unfortunately, the mod_php4 module is rather cryptic in how it does 
things, and it looks like it doesn't do any of the variable setups on a 
per-request basis, so it would be difficult to track where it puts that 
information, but I guess it's the only place for me to look unless you or 
anyone else has a better idea of where I can tap in to make those kind of 
changes on the fly...

In case no one else got my message due to my faux pas, I have included a copy 
of my original message below.

To clarify, the goal is to set up some security variables like open_basedir...

Thanks,

Tim.

Hi all,

ok, I am writing an apache module that dynamically figures out virtual host
variables for data locations for my users.
I need to be able to set the php_admin_values for each request so that
those values get passed through to php and take effect for each request.
Normally, this would be static inside the apache conf file using the
php_admin_value directive.
Does anyone here know how I could set these variables dynamically ? Do I
have to load the apache configuration tables and change it manually ? or
can I set a particular environment variable that gets read by php ?
Thanks,

Tim.

SimpleNet's Back !
http://www.simplenet.com


[PHP] setting php_admin_value

2004-05-06 Thread Tim Traver
Hi all,

ok, I am writing an apache module that dynamically figures out virtual host 
variables for data locations for my users.

I need to be able to set the php_admin_values for each request so that 
those values get passed through to php and take effect for each request.

Normally, this would be static inside the apache conf file using the 
php_admin_value directive.

Does anyone here know how I could set these variables dynamically ? Do I 
have to load the apache configuration tables and change it manually ? or 
can I set a particular environment variable that gets read by php ?

Thanks,

Tim.



Re: [PHP] SSI and query string variables to PHP

2004-04-25 Thread Tim Traver
Yes, I mean that php gets the server information for the request, but it 
doesn't get the QUERY_STRING variable. But it does get the 
UNESCAPED_QUERY_STRING variable...weird, huh ?

It might be that apache isn't sending that variable to php from an included 
file...not sure...

That's why I'm asking everyone.

Tim.

At 01:22 AM 4/25/2004, Evan Nemerson wrote:
On Saturday 24 April 2004 10:29 pm, Tim Traver wrote:
 Hi all,

 ok, this may be a dumb question, but I have a page that has server side
 includes that include a php script like this :

 <!--#include virtual="schedule.php" -->

 works fine, except the script doesn't appear to receive any of the query
 string information if that page has a query string on it...

 an example would be something like this :

 http://www.domain.com/index.shtml?myvariable=1

 the php script should get $_REQUEST['myvariable']==1, but instead does not
 get any of the query information.

 The $_SERVER global gets the unescaped query string, but has no value for
 just the query string...
um, huh? you mean it has the query string but it isn't parsed into the proper
superglobals ($_GET, $_REQUEST)? Not really sure what you're looking for here
so i'm going to just pretend this paragraph isn't here ;)

 any way around this without making the whole page a php script ?
php.net/parse_str

 Thanks,

 Tim
--
Evan Nemerson
[EMAIL PROTECTED]
http://coeusgroup.com/en
--
The greatest mistake is to imagine that the human being is an autonomous
individual. The secret freedom which you can supposedly enjoy under a
despotic government is nonsense, because your thoughts are never entirely
your own. Philosophers, writers, artists, even scientists, not only need
encouragement and an audience, they need constant stimulation from other
people. It is almost impossible to think without talking. If Defoe had really
lived on a desert island, he could not have written Robinson Crusoe, nor
would he have wanted to. Take away freedom of speech, and the creative
faculties dry up.
-George Orwell



SimpleNet's Back !
http://www.simplenet.com


Re: [PHP] SSI and query string variables to PHP

2004-04-25 Thread Tim Traver
Hmmm after doing more research on it, it appears that this server 
variable only appears in SSI documents.

And I didn't quote the variable correctly, it's QUERY_STRING_UNESCAPED

I guess that SSI does not send through the querystring to the included script.

I might have to just use the QUERY_STRING_UNESCAPED variable and populate 
the $_REQUEST array myself, cause the QUERY_STRING variable is empty...

Tim.



At 10:52 AM 4/25/2004, Evan Nemerson wrote:
On Sunday 25 April 2004 09:56 am, Tim Traver wrote:
 Yes, I mean that php gets the server information for the request, but it
 doesn't get the QUERY_STRING variable. But it does get the
 UNESCAPED_QUERY_STRING variable...weird, huh ?
Yeah, especially since I've never heard of UNESCAPED_QUERY_STRING- but then
again, neither has google-
http://www.google.com/search?q=%22UNESCAPED_QUERY_STRING%22
Can you send a copy of the variable, or if you're comfortable a phpinfo()?

 It might be that apache isn't sending that variable to php from an included
 file...not sure...

 That's why I'm asking everyone.

 Tim.

 At 01:22 AM 4/25/2004, Evan Nemerson wrote:
 On Saturday 24 April 2004 10:29 pm, Tim Traver wrote:
   Hi all,
  
   ok, this may be a dumb question, but I have a page that has server side
   includes that include a php script like this :
  
   <!--#include virtual="schedule.php" -->
  
   works fine, except the script doesn't appear to receive any of the
   query string information if that page has a query string on it...
  
   an example would be something like this :
  
   http://www.domain.com/index.shtml?myvariable=1
  
   the php script should get $_REQUEST['myvariable']==1, but instead does
   not get any of the query information.
  
   The $_SERVER global gets the unescaped query string, but has no value
   for just the query string...
 
 um, huh? you mean it has the query string but it isn't parsed into the
  proper superglobals ($_GET, $_REQUEST)? Not really sure what you're
  looking for here so i'm going to just pretend this paragraph isn't here
  ;)
 
   any way around this without making the whole page a php script ?
 
 php.net/parse_str
 
   Thanks,
  
   Tim
 
 --
 Evan Nemerson
 [EMAIL PROTECTED]
 http://coeusgroup.com/en
 
 --
 The greatest mistake is to imagine that the human being is an autonomous
 individual. The secret freedom which you can supposedly enjoy under a
 despotic government is nonsense, because your thoughts are never entirely
 your own. Philosophers, writers, artists, even scientists, not only need
 encouragement and an audience, they need constant stimulation from other
 people. It is almost impossible to think without talking. If Defoe had
  really lived on a desert island, he could not have written Robinson
  Crusoe, nor would he have wanted to. Take away freedom of speech, and the
  creative faculties dry up.
 
 -George Orwell
 
 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php

 SimpleNet's Back !
 http://www.simplenet.com
--
Evan Nemerson
[EMAIL PROTECTED]
http://coeusgroup.com/en
--
The greatest mistake is to imagine that the human being is an autonomous
individual. The secret freedom which you can supposedly enjoy under a
despotic government is nonsense, because your thoughts are never entirely
your own. Philosophers, writers, artists, even scientists, not only need
encouragement and an audience, they need constant stimulation from other
people. It is almost impossible to think without talking. If Defoe had really
lived on a desert island, he could not have written Robinson Crusoe, nor
would he have wanted to. Take away freedom of speech, and the creative
faculties dry up.
-George Orwell



SimpleNet's Back !
http://www.simplenet.com
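
An added example (not code from the thread; the function name, the rule table and the fallback sample value are constructed) of what Tim proposes above: reading QUERY_STRING_UNESCAPED inside the included script, but into a validated array rather than straight into $_REQUEST.

```php
<?php
// Added example, not code from the thread. The function name, the rule table
// and the sample value are constructed.

/**
 * Turn mod_include's QUERY_STRING_UNESCAPED into a validated name => value array.
 *
 * The mod_include documentation describes the variable as the %-decoded query
 * string with shell-special characters escaped by a backslash, so the "&"
 * between two parameters arrives as "\&". That has two consequences:
 *  - parse_str() is the wrong tool, because it would URL-decode a second time;
 *  - an "&" or "=" the client sent encoded (%26, %3D) can no longer be told
 *    apart from a separator, so only simple values survive intact.
 *
 * $rules maps each accepted parameter name to a regular expression its value
 * must match; everything else is dropped instead of being copied into $_REQUEST.
 */
function parse_ssi_query($unescaped, array $rules)
{
    // Remove exactly one level of backslash escaping. stripslashes() is not
    // used because it would also turn backslash-zero into a NUL byte.
    $plain = preg_replace('/\\\\(.)/s', '$1', $unescaped);

    $params = array();
    foreach (explode('&', $plain) as $pair) {
        if ($pair === '') {
            continue;
        }
        $parts = explode('=', $pair, 2);
        $name  = $parts[0];
        $value = isset($parts[1]) ? $parts[1] : '';
        if (!isset($rules[$name]) || isset($params[$name])) {
            continue;   // unknown name, or a repeated one: the first value wins
        }
        if (preg_match($rules[$name], $value) === 1) {
            $params[$name] = $value;
        }
    }
    return $params;
}

// Only the parameter from the thread's example URL is accepted, as a short number.
$rules = array('myvariable' => '/^[0-9]{1,6}$/D');

// Inside schedule.php the value comes from the server; the fallback is a
// constructed sample so the script also runs from the command line.
$source = isset($_SERVER['QUERY_STRING_UNESCAPED'])
    ? $_SERVER['QUERY_STRING_UNESCAPED']
    : 'myvariable=1\&note=a\;b';

print_r(parse_ssi_query($source, $rules));
```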


[PHP] SSI and query string variables to PHP

2004-04-24 Thread Tim Traver
Hi all,

ok, this may be a dumb question, but I have a page that has server side 
includes that include a php script like this :

<!--#include virtual="schedule.php" -->

works fine, except the script doesn't appear to receive any of the query 
string information if that page has a query string on it...

an example would be something like this :

http://www.domain.com/index.shtml?myvariable=1

the php script should get $_REQUEST['myvariable']==1, but instead does not 
get any of the query information.

The $_SERVER global gets the unescaped query string, but has no value for 
just the query string...

any way around this without making the whole page a php script ?

Thanks,

Tim
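
The parse_str pointer given in the reply above, worked through for this SSI case. This is an added example, not code from the thread; it assumes Apache mod_include, which passes the parent page's query string to the included script as QUERY_STRING_UNESCAPED, and the function names and the allowed range are hypothetical.

```php
<?php
// schedule.php, pulled in with <!--#include virtual="schedule.php" -->

function ssi_query_params(array $server): array
{
    $raw = $server['QUERY_STRING_UNESCAPED'] ?? '';
    // mod_include backslash-escapes shell metacharacters ("a=1\&b=2"); undo that.
    $raw = stripslashes($raw);

    // Parse into an array. The one-argument parse_str($raw) (removed in PHP 8)
    // created variables in the calling scope, so any visitor could overwrite
    // the script's own variables, the same hazard as register_globals.
    $params = [];
    parse_str($raw, $params);
    return $params;
}

// Validate before use: the value is client-controlled and was already
// %-decoded once by Apache, so parse_str() decodes it a second time.
function schedule_id(array $params): ?int
{
    $id = filter_var(
        $params['myvariable'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 9999]] // assumed range
    );
    return $id === false ? null : $id;
}

// Constructed sample standing in for /index.shtml?myvariable=1&other=x
$sample = ['QUERY_STRING_UNESCAPED' => 'myvariable=1\&other=x'];
var_dump(schedule_id(ssi_query_params($sample)));

// In the real include, read from the server environment instead:
// $id = schedule_id(ssi_query_params($_SERVER));
```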


Re: [PHP] Re: smarty

2004-04-14 Thread Tim Traver
Enrico,

Actually, you can use smarty in a way that solves those issues. Simply do 
not include the logic features of smarty in your templates. That way, the 
only thing included in the templates is html, and {$variables}.

Then your web designers don't need to learn anything.

The problem that you'll find with that, is that it means you will have to 
do more html work in your back end logic to produce the same results.

Yes, it is bound to php, and yes, it has to happen on the application 
server that gets the call, but if you're using php as your application 
processing, then why would you need it to be somewhere else.

Smarty is a tool. You can choose to use the tool however you wish. If you 
have designers that are basic programmers too, then it is very powerful. If 
not, then you just have to do more of the work.

Personally, I like Smarty very much, because I do both.

It's no different than say java servlets, or xml, or any number of other 
ways to do it...

Tim.

At 08:38 AM 4/14/2004, Enrico Weigelt wrote:
* pete M [EMAIL PROTECTED] [2004-04-14 13:50:19 +0100]:

 Moving our sites to smarty is the best thing we've done at our company...


 I do the php/database coding (logic)
 the html designer does the templates/css
 and the graphic designer does his bit.

I really don't like smarty. The idea is simply not right.

The problem is, that smarty itself (or its template-language) also
contains imperative process logic. In fact it is not a real template engine,
but instead a php dialect which helps a bit on website programming.
Smarty still leaves some major problems unsolved:

+ does not separate (imperative) code from layout. it still models
  process logic
+ such non-trivial imperative code is not suited for non-programmer's
  (perhaps graphical) editing tools.
+ the layouter still has to learn (a subset of) php and so also has
  to be a programmer
+ offers no clear borderline between layout definitions and application code.
  you simply can't give a customer of your application service access to
  without imposing really serious security problems.
+ bound to the php-interpreter and cannot be used w/ other languages.
+ content rendering process cannot be separated from the application server.
  (still must happen in the same process)

Well, I personally prefer the patTemplate way.
And if you wanna see my last two points solved, then my own branch
(pTemplate) will offer good help.

cu
--
-
 Enrico Weigelt==   metux IT services
  phone: +49 36207 519931 www:   http://www.metux.de/
  fax:   +49 36207 519932 email: [EMAIL PROTECTED]
  cellphone: +49 174 7066481
-
   -- DSL access from 0 euros. -- static IP -- UUCP -- hosting --
-


SimpleNet's Back !
http://www.simplenet.com


Re: [PHP] preg_match

2004-03-28 Thread Tim Traver
Jason,

well, if the string is exactly how you have it, then something like this 
would do :

$var = "John {mailto:[EMAIL PROTECTED])";
// Capture the first run of non-space characters (the first name).
if (preg_match('/^(\S+)\s.+/', $var, $match)) {
    $name = $match[1];
}

Of course, that would exclude those addresses that might have two names, 
like Tim Traver [EMAIL PROTECTED]

In order to get that one, you might do something like this :

$var = "Tim Traver {mailto:[EMAIL PROTECTED])";
// Capture everything before the space that precedes the opening bracket.
if (preg_match('/^(.+)\s\{.+/', $var, $match)) {
    $name = $match[1];
}

That would get anything before the bracket, excluding the space...

Hope that helps...

Tim.

At 08:10 PM 3/28/2004, Jason Williard wrote:
I am trying to use preg_match to pull a specific piece of a variable.
However, I don't have enough experience with the syntax to be able to figure
this out.
The variable looks like: John {mailto:[EMAIL PROTECTED])
All I need is the name, John.  The rest can be discarded.  How would I pull
that bit out?
Thanks,
Jason


SimpleNet's Back !
http://www.simplenet.com


[PHP] new session in new window

2004-03-08 Thread Tim Traver
Hi all,

I am programming an interface using PHP and rely on sessions to keep state.

What I want to be able to do is to open a new window from my application 
that has a new session, without disturbing the current session.

I know that I can kill the current session and start a new one, but that's 
not what I want to do. When I launch a new window, it keeps the same 
session as the one that it was launched from. If I kill the session in that 
new window, then it kills the old session too...

Any suggestions ???

Thanks,

Tim.





SimpleNet's Back !
http://www.simplenet.com/


Re: [PHP] new session in new window

2004-03-08 Thread Tim Traver
Hmmm...that would mean that anywhere I used sessions I would have to 
specify a window name, right ?

and where do I determine the window name ?

not sure that would work with what I want to do...I just want to start a 
new window like I would start it if I opened a fresh IE window. Each of 
those windows would have different session id's...

It sounds like you were talking about doing something similar, cause what I 
want to do is to automatically log someone in to a different app, while 
keeping the main person logged in to the main window...

Anyone else have any ideas ?

Tim.



At 02:21 PM 3/8/2004, Jason Davidson wrote:
could create an array to hold the same session?
This may not at all be what you're looking for, but I've used something
similar to this when building a wizard class to handle storing states
in wizard steps.
like
$_SESSION['mySessions']['WindowOne'] = array($userid, $loginTime, $etc);
$_SESSION['mySessions']['WindowTwo'] = array($userid, $loginTime, $etc);

Tim Traver [EMAIL PROTECTED] wrote:

 Hi all,

 I am programming an interface using PHP and rely on sessions to keep state.

 What I want to be able to do is to open a new window from my application
 that has a new session, without disturbing the current session.

 I know that I can kill the current session and start a new one, but that's
 not what I want to do. When I launch a new window, it keeps the same
 session as the one that it was launched from. If I kill the session in that
 new window, then it kills the old session too...

 Any suggestions ???

 Thanks,

 Tim.





 SimpleNet's Back !
 http://www.simplenet.com/




Re: [PHP] new session in new window

2004-03-08 Thread Tim Traver
Chris,

ok, here's what the application is about.

As an administrator, you log in to the main application. session id's keep 
track that you are authenticated, and who you are.

In the application, you can get a list of the other users on the system. 
From that user list, I want to be able to launch a new window that logs 
you in as that user, while leaving your administrator window alone. The new 
window would need new session information because of the new login.

I've got it working now where you can do it by using the same window, and 
changing the session info to reflect the new user and go on your merry way. 
It just means that you would have to log in to the administrator account 
again later.

So, what you're saying is that I can make up a new session ID in the URL of 
the launched window ?

hmmm...I think that might just work...I'll try it...

Tim.



At 03:16 PM 3/8/2004, Chris Shiflett wrote:
--- Tim Traver [EMAIL PROTECTED] wrote:
 What I want to be able to do is to open a new window from my
 application that has a new session, without disturbing the current
 session.

Can you elaborate on this a little? This approach seems very odd to me,
and I feel certain that it must be unnecessary. But, you never know...

 When I launch a new window, it keeps the same session as the one that
 it was launched from.

Of course. It's the same browser, the same computer, the same user, etc.
This is the point of sessions.

 Any suggestions ???

For whatever links that you want to spawn a new session, you can include a
different session identifier on the URL. As long as both instances of the
browser maintain their own unique session identifier through URL
propagation, you can make this happen. But, this approach seems very, very
ugly.

Chris

=
Chris Shiflett - http://shiflett.org/
PHP Security - O'Reilly
 Coming mid-2004
HTTP Developer's Handbook - Sams
 http://httphandbook.org/
PHP Community Site
 http://phpcommunity.org/


Re: [PHP] new session in new window

2004-03-08 Thread Tim Traver
hmmm...that didn't work.

I sent a new session ID with the link to the new window like this :

<a href="?PHPSESSID=123456789" target="_blank">

but all it does is change the current session id to the new one, so if I go 
back to the main window, it carries the new session into it.

The reason I'm doing the access control through sessions is so that I don't 
have to pass any info in URL's and re-authenticate a user every time they 
hit a page. By saving that information locally in session variables, none 
of that info gets out, and no one can spoof it.

If I open a brand new window, it creates a new session ID for that window. 
I just can't seem to get it to create a new session ID when creating a 
popup window...

Any other ideas ?

Tim.



 wrote:
--- Tim Traver [EMAIL PROTECTED] wrote:
 As an administrator, you log in to the main application. session id's
 keep track that you are authenticated, and who you are.

 In the application, you can get a list of the other users on the
 system. From that user list, I want to be able to launch a new window
 that logs you in as that user, while leaving your administrator window
 alone.

Yeah, the method I mentioned will work for this.

You may also consider whether your access control can make this
unnecessary. You can achieve this sort of thing in your programming logic.
But, whatever makes you happy and works. :-)

Chris



Re: [PHP] new session in new window

2004-03-08 Thread Tim Traver
Chris,

ok, let me start over a little bit...

what I meant by the session data getting stored locally is that it is local 
to the web server, not locally on the client browser. I understand how 
session variables work. I just said local, and I was thinking 
server...sorry about that...

what I meant by no one can spoof it is that no one knows what session 
variables are stored with what data that is being used to authenticate that 
session (ie additional digests to authenticate the request), and none of 
those variables and values are set in a cookie or in URL's.

Nice article by the way, and I am indeed already using those same methods 
to secure the user session. (I use SHA1 on the IP,PHPSESSIONID,user agent, 
and a secret...)

So, it sounds like the only way for it to set a new cookie is by opening a 
new browser app, which would allow you to send a new cookie different than 
your other windows, and it doesn't look like I can do that from an existing 
window, cause it will always send the same cookie...

darn...I guess I'll have to live with that...hmmm...maybe I can set it on 
a different cookie path...that might work...

anyways, thanks for the discussion Chris.

Tim.



At 08:16 PM 3/8/2004, Chris Shiflett wrote:
--- Tim Traver [EMAIL PROTECTED] wrote:
 I sent a new session ID with the link to the new window like this :

 <a href="?PHPSESSID=123456789" target="_blank">

 but all it does is change the current session id to the new one, so if
 I go back to the main window, it carries the new session into it.

Yeah, you're only using one browser, so you can only have one set of
cookies. To do this, you can't rely on cookies at all, which can be a
hassle. Otherwise, the session identifier will always be the most recent
one used, because that's what the cookie will reflect (unless you add some
logic to do otherwise).

I still think it might be better to approach this with programming logic.
As I said, this strategy will work, but it's ugly.

 The reason I'm doing the access control through sessions is so that I
 don't have to pass any info in URL's and re-authenticate a user every
 time they hit a page.

We're only talking about propagating the session identifier on the URL.
This has nothing to do with authentication and everything to do with
identification.

 By saving that information locally in session variables, none of that
 info gets out, and no one can spoof it.

Yikes, that's a lot of misinformation in one sentence! Cookies are saved
locally, and they can make session identifier propagation seem transparent
for both the user and the developer. However, just as with URL data,
cookies are just something sent along in the request, so they're being
provided by the client. So, this information most definitely gets out.

Sessions are not stored locally; they are stored on the server. It is very
important that you understand this, in fact, if you want to implement
secure session management. You should leverage this fact to strengthen
your mechanism.

Lastly, anyone can spoof this. The session identifier has to be provided
by the client, but a secure session mechanism will treat it with some
skepticism. Nothing from the client should ever be blindly trusted, which
is what I interpret "no one can spoof it" to be suggesting.

I have an article that elaborates much more on this topic that you can
read for free:

http://shiflett.org/articles/the-truth-about-sessions

Hope that helps.

Chris



SimpleNet's Back !
http://www.simplenet.com
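
One way to realise the "different cookie path" idea from the end of this thread while keeping the session identifier out of URLs, which avoids the ?PHPSESSID=123456789 link that overwrote the administrator's session. This is an added example, not code from any participant; it assumes PHP 7.3 or later, and the session names, the /impersonate/ path, the $_SESSION keys and the function names are hypothetical. The fingerprint is a simplified stand-in for the digest check Tim describes.

```php
<?php
const APP_SECRET = 'REPLACE-WITH-RANDOM-SECRET'; // placeholder value

// Keyed digest of a request property, re-checked on every request.
function fingerprint(): string
{
    return hash_hmac('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '', APP_SECRET);
}

// Start or resume the session kept in cookie $name, scoped to $path.
function open_session(string $name, string $path, ?string $forceId = null): void
{
    ini_set('session.use_only_cookies', '1'); // never take the id from ?PHPSESSID=
    ini_set('session.use_trans_sid', '0');    // never write the id into links
    ini_set('session.use_strict_mode', '1');  // refuse ids the server did not issue
    session_name($name);
    session_set_cookie_params(['path' => $path, 'httponly' => true, 'samesite' => 'Lax']);
    if ($forceId !== null) {
        session_id($forceId);                 // overrides any cookie sent for $name
    }
    session_start();
    if (!hash_equals($_SESSION['fp'] ?? fingerprint(), fingerprint())) {
        $_SESSION = [];                       // fingerprint changed: drop login state
        session_regenerate_id(true);
    }
    $_SESSION['fp'] = fingerprint();
}

// Handler for a POST to /impersonate/start.php, opened with target="_blank".
function start_impersonation(int $targetUid): void
{
    open_session('ADMINSESS', '/');           // the administrator's own session
    $adminUid = $_SESSION['uid'] ?? null;
    $isAdmin  = !empty($_SESSION['is_admin']);
    session_write_close();                    // admin session is left untouched
    if (!$isAdmin) {
        http_response_code(403);
        exit;
    }
    // Second cookie, server-generated id, visible only under /impersonate/.
    open_session('USERSESS', '/impersonate/', session_create_id());
    $_SESSION = [
        'fp'              => fingerprint(),
        'uid'             => $targetUid,
        'impersonated_by' => $adminUid,       // keep an audit trail of who switched
    ];
}
```

Pages under /impersonate/ then call open_session('USERSESS', '/impersonate/') on each request, and the main application keeps calling open_session('ADMINSESS', '/').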