Re: [PHP] Compile

2004-08-16 Thread Octavian Rasnita
From: raditha dissanayake [EMAIL PROTECTED] i think you are looking for something like turck mmcache. Do you know if Turck MMCache works with PHP 5.0? Teddy -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] PHP templates

2004-08-16 Thread Octavian Rasnita
Hi, I took a look at Smarty and Savant templating systems, and I like a few things from both of them. However, none of them are satisfactory. I don't like Smarty because it needs another language and I find Savant easier to use. I would like to have a templating system that: 1. Separates: -

Re: [PHP] Compile

2004-08-16 Thread Louie Miranda
I think it still works with the old one, its not yet release a stable version for 5.0 and i think for 4.3.6? only in beta. hmm, better check their site out to know the full details. thanks On Mon, 16 Aug 2004 09:32:52 +0300, Octavian Rasnita [EMAIL PROTECTED] wrote: From: raditha dissanayake

[PHP] Inline diff coded in PHP

2004-08-16 Thread Skippy
I'm looking for PHP code that will produce diff's between two texts, and render them inline. By that I mean not the standard *nix diff output, which compares and outputs lines, but a diff that compares inline text and outputs the bits before and after in place, marked with a custom span or

[PHP] Failing of imagecreatefromstring function

2004-08-16 Thread Martin Dupal
I've been using func imagecreatefromstring for creating JPEGs obtained from MySQL database. The function sometimes fails terminating script with no error message. Has somebody reached such problem? I don't want to save images to temp files. Linux 2.4.26, PHP 4.3.8, gd 2.0 or higher

[PHP] mail() on *nix using ssmtp or an external smtp server?

2004-08-16 Thread Markus Mayer
Hello all! I have a frustrating problem with PHP and am hoping someone on the list might know a solution. I need to set up an apache server with php on Linux and AIX machines, and it all has to be in a chrooted environment. Most things work very well except for the mail() function. It

Re: [PHP] looking for a good FormMail PHP script

2004-08-16 Thread Juan Nin
raditha dissanayake wrote: This mail probably shows how little you know about matt wright's FormMail more than anything else - just to give you an idea it's banned on all shared servers of our ISP. I'm very aware of the FormMail.pl's problems and bugs, and I'm definitely not going to use it...

Re: [PHP] mail() on *nix using ssmtp or an external smtp server?

2004-08-16 Thread Stephan Fiedler
Hi Markus, do I get you right, you can't invoke mail() because php can't find the sendmail executable? perhaps this does the trick: function my_mail_inject($mail) { $sendmail = ini_get("sendmail_path"); if(!$sendmail) $sendmail = "/var/qmail/bin/qmail-inject"; $p = popen($sendmail, "w"); if($p) {

[PHP] System Tray Icon

2004-08-16 Thread Harlequin
Hi all. I just wanted to throw this message in here and get some opinions before I go off developing something So will post in the correct newsgroup later (when I find which newsgroup I need). Before I post a more thorough thread in the correct area I just wanted to find out if this was

[PHP] Mutual authentication with ldap_start_tls()

2004-08-16 Thread Stéphane Kunegel
Hi php-general, I am trying to make my web server (Apache 2 + mod_ssl) connect to my ldap server with mutual authentication using PHP. This means I want them to exchange their certificate. For this purpose, I connect to ldap on port 389 then start TLS using ldap_start_tls(). This works perfectly

RE: [PHP] System Tray Icon OT

2004-08-16 Thread Jay Blanchard
[snip] I just wanted to throw this message in here and get some opinions before I go off developing something So will post in the correct newsgroup later (when I find which newsgroup I need). Before I post a more thorough thread in the correct area I just wanted to find out if this was achievable

Re: [PHP] looking for a good FormMail PHP script

2004-08-16 Thread raditha dissanayake
Juan Nin wrote: raditha dissanayake wrote: This mail probably shows how little you know about matt wright's FormMail more than anything else - just to give you an idea it's banned on all shared servers of our ISP. I'm very aware of the FormMail.pl's problems and bugs, and I'm definitely not

Re: [PHP] System Tray Icon

2004-08-16 Thread John Nichel
Harlequin wrote: Hi all. I just wanted to throw this message in here and get some opinions before I go off developing something So will post in the correct newsgroup later (when I find which newsgroup I need). Before I post a more thorough thread in the correct area I just wanted to find out if

Re: [PHP] mail() on *nix using ssmtp or an external smtp server?

2004-08-16 Thread Markus Mayer
Hi Stephan, On Monday 16 August 2004 15:16, Stephan Fiedler wrote: do I get you right, you can't invoke mail() because php can't find the sendmail executable? Indeed you get me right. As I said in my post, alternatives such as qmail, exim, postfix and similar full featured MTA's in the

Re: [PHP] PHP templates

2004-08-16 Thread Robert Cummings
On Mon, 2004-08-16 at 02:31, Octavian Rasnita wrote: Hi, I took a look at Smarty and Savant templating systems, and I like a few things from both of them. However, none of them are satisfactory. I don't like Smarty because it needs another language and I find Savant easier to use.

[PHP] Re:[PHP] Open all subdirectories in a directory

2004-08-16 Thread Jesse Castro
[snip] Can anybody help me to open all subdirectories in a directory, I used is_dir() to check whether it is a dir, and if yes, I recursively called it with the new dir name. But all subdirectories are not open the recursion is not working for more than 1 level. I tested it in windows server.

[PHP] [OFF] - Fraudulent web orders - any ideas?

2004-08-16 Thread Brian Dunning
Hi all, I have a simple PHP store, and it appears that someone is using it to test credit card numbers. I'm getting a very high number of small orders every day, but a lot more declines. My merchant provider suggests blocking that person's IP address, but that's not practical since it's

[PHP] writing source code to file

2004-08-16 Thread Doug Parker
I was wondering if there was a block of code I could place at the bottom of the file that would write the page's source code to an html file. I need this because I'm posting pages to a server sans a PHP compiler. Basically, I'd like for every time I run a page its source code to be saved in the

[PHP] problems with sessions!!AAH

2004-08-16 Thread Angelo Zanetti
Hi, I'm running a win2k with apache and PHP 4.3.4 and I have gone through the installation readme for PHP. I have copied the necessary files to the correct directories. I have also set register_globals= Off (default) I have set my session path (it exists). Now my problem is that I can't get my

Re: [PHP] System Tray Icon

2004-08-16 Thread Angelo Zanetti
I think VB or some MS dev tool will do the job. John Nichel [EMAIL PROTECTED] 8/16/2004 3:48:11 PM Harlequin wrote: Hi all. I just wanted to throw this message in here and get some opinions before I go off developing something So will post in the correct newsgroup later (when I find

Re: [PHP] problems with sessions!!AAH

2004-08-16 Thread Matt M.
if (session_is_registered($_SESSION['login'])) echo("seesion is reg"); else echo("seesion not reg"); try if (isset($_SESSION['login'])) echo("seesion is reg"); else echo("seesion not reg");

RE: [PHP] [OFF] - Fraudulent web orders - any ideas?

2004-08-16 Thread Mike
Brian, The best thing that I can suggest is to take a look at the actual orders themselves and find out if there are any one or two things that seem to be common about them. Once you can find some sort of pattern, you can then code against it. For example, if you find that he seems to send 20

RE: [PHP] problems with sessions!!AAH

2004-08-16 Thread Jay Blanchard
[snip] Ok here is what I do: $_SESSION['login']=true; if (session_is_registered($_SESSION['login'])) echo("seesion is reg"); else echo("seesion not reg"); I have not used the session_register function as the manual says the following: [/snip] Have you

Re: [PHP] [OFF] - Fraudulent web orders - any ideas?

2004-08-16 Thread Robby Russell
On Mon, 2004-08-16 at 07:26, Brian Dunning wrote: Hi all, I have a simple PHP store, and it appears that someone is using it to test credit card numbers. I'm getting a very high number of small orders every day, but a lot more declines. My merchant provider suggests blocking that

[PHP] Re: problems with sessions!!AAH

2004-08-16 Thread Torsten Roehr
Angelo Zanetti [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Hi, I'm running a win2k with apache and PHP 4.3.4 and I have gone through the installation readme for PHP. I have copied the necessary files to the correct directories. I have also set register_globals= Off (default) I

[PHP] RE: [PHP-DB] Re: Basic MySQL Query Question

2004-08-16 Thread Torsten Roehr
[reply] Please try if those changes solve your problem. Whenever one of your values will contain a single quote you will get an SQL error - so use addslashes() or (better) mysql_real_escape_string() on all insert values. [/reply] That is my whole point though, is that it does not

Re: [PHP] [OFF] - Fraudulent web orders - any ideas?

2004-08-16 Thread Markus Mayer
Hi Brian, One possibility is to use a MySQL database which records all failures with the credit card verifications, the IP address of the failure, and when the failure was. Write a script which looks at the failures and if it detects three or more failures from any IP in a set time frame (24

[PHP] Cache

2004-08-16 Thread Octavian Rasnita
Hi all, I want to create an html cache of a page, like when that page is saved to the disk and let the visitors download that static page and not a dynamic one. Of course, a dynamic PHP program will load that static page and display it, but without need to connect to databases, to make

Re: [PHP] [OFF] - Fraudulent web orders - any ideas?

2004-08-16 Thread Brian Dunning
Thanks to all of you for your suggestions. Yes I have been logging IP address in my orders database. I think I may have solved it by an even simpler method: I emailed the perpetrator to thank him for all of his orders to see what he'd say. His first few orders came with real email addresses,

RE: [PHP] problems with sessions!!SOLVED!!

2004-08-16 Thread Angelo Zanetti
thanks MATT it appears that the isset function worked! Jay Blanchard [EMAIL PROTECTED] 8/16/2004 4:46:16 PM [snip] Ok here is what I do: $_SESSION['login']=true; if (session_is_registered($_SESSION['login'])) echo("seesion is reg"); else

[PHP] Re: Cache

2004-08-16 Thread Torsten Roehr
Octavian Rasnita [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Hi all, I want to create an html cache of a page, like when that page is saved to the disk and let the visitors download that static page and not a dynamic one. Of course, a dynamic PHP program will load that static

RE: [PHP] php die function for MySQL connection errors

2004-08-16 Thread Ford, Mike [LSS]
On 14 August 2004 15:50, raditha dissanayake wrote: Ford, Mike [LSS] wrote: (And, BTW, the HTTP definition says that the Location: header should specify a full absolute URL, so that should be: header("Location: http://your.server.name/path/to/errors/servererror.php"); are

[PHP] Persistent data across page calls

2004-08-16 Thread Aaorn Miller
Hi I have a site that uses a large number of data arrays that are nearly static (change once a week or less) they are used on almost every page in the site Currently I have them as a separate file that is included at the top of each script page. I would like a way to cache? them at the server

RE: [PHP] problems with sessions!!AAH

2004-08-16 Thread Angelo Zanetti
ok I thought the problem was fixed but it's not. The session variable gets registered correctly however when I go to the next page and to see if it's still registered using the isset() function it's not registered anymore. I do have session_start(); at the top of the new page. I can't think why it's

[PHP] CURL question, cutting off custom request

2004-08-16 Thread Dominic Schanen
Hello, I'm sending a custom request to a server using CURL, which may contain some high-ascii characters. Are there certain characters that would cause CURL not to send the complete custom request? Are there some CURL options that can help make sure the request is sent in its entirety? Here is

[PHP] SSH Authentication using php

2004-08-16 Thread Teren
Hi, what my goal is is to be able to authenticate a user by their SSH account on the system using php. I tried looking on google, but didn't see anything with ssh. What i've tried to do is use the exec() and just do: exec(ssh [EMAIL PROTECTED].escapleshellard(password)); but that didn't seem to

Re: [PHP] problems with sessions!!AAH

2004-08-16 Thread Torsten Roehr
Angelo Zanetti [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] ok I thought the problem was fixed but it's not. The session variable gets registered correctly however when I go to the next page and to see if it's still registered using the isset() function it's not registered anymore.

Re: [PHP] problems with sessions!!AAH

2004-08-16 Thread Matt M.
On Mon, 16 Aug 2004 17:39:21 +0200, Angelo Zanetti [EMAIL PROTECTED] wrote: ok I thought the problem was fixed but it's not. The session variable gets registered correctly however when I go to the next page and to see if it's still registered using the isset() function it's not registered

Re: [PHP] problems with sessions!!AAH

2004-08-16 Thread Angelo Zanetti
Hi Matt, The session_id() is correct on both pages. Some info I forgot to add is this: on my first page: session_write_close(); header("Location: franchise_menu.php?".SID); exit(); however on my franchise_menu.php page, no SID is displayed in the browser address. could that be a reason? Or have

Re: [PHP] problems with sessions!!AAH

2004-08-16 Thread Angelo Zanetti
no I'm not using cookies. Session configuration values from php.ini: session.save_handler = files session.save_path = c:\temp\sessions session.use_cookies = 0 session.name = PHPSESSID session.auto_start = 0 session.cookie_lifetime = 0 session.cookie_path = / session.cookie_domain =

Re: [PHP] problems with sessions!!AAH

2004-08-16 Thread Matt M.
session_write_close(); header("Location: franchise_menu.php?".SID); exit(); SID will be empty if session ID was set in an appropriate session cookie if you do a print_r($_SESSION) on franchise_menu.php do you see anything? If you have access to the webserver you could just go in and look at

Re: [PHP] SSH Authentication using php

2004-08-16 Thread Robby Russell
On Mon, 2004-08-16 at 08:39, Teren wrote: Hi, what my goal is is to be able to authenticate a user by their SSH account on the system using php. I tried looking on google, but didn't see anything with ssh. What i've tried to do is use the exec() and just do: exec(ssh [EMAIL

RE: [PHP] Compile

2004-08-16 Thread Ed Lazor
Is it true that turck is faster than Zend? i think you are looking for something like turck mmcache.

RE: [PHP] Compile

2004-08-16 Thread Jay Blanchard
[snip] Is it true that turck is faster than Zend? i think you are looking for something like turck mmcache. [/snip] What about something like http://www.priadoblender.com

RE: [PHP] Re: Compile

2004-08-16 Thread Ed Lazor
Wow. I just saw the $2,880 price tag on the Zend Encoder. I guess Turck is better?! Who cares if it's a little bit slower than Zend (or even faster according to the Turck site). That's a lot of moola! -Original Message- http://www.zend.com/store/products/zend-encoder.php On Mon,

RE: [PHP] [OFF] - Fraudulent web orders - any ideas?

2004-08-16 Thread Ed Lazor
Geesh, this sounds scary. Are you requiring account login before processing payments? -Original Message- I have a simple PHP store, and it appears that someone is using it to test credit card numbers. I'm getting a very high number of small orders every day, but a lot more declines.

Re: [PHP] SSH Authentication using php

2004-08-16 Thread Michal Migurski
Hi, what my goal is is to be able to authenticate a user by their SSH account on the system using php. I tried looking on google, but didn't see anything with ssh. What i've tried to do is use the exec() and just do: exec(ssh [EMAIL PROTECTED].escapleshellard(password)); You can try

[PHP] Re: writing source code to file

2004-08-16 Thread Hannes Magnusson
http://www.php.net/manual/en/ref.outcontrol.php On Mon, 16 Aug 2004 10:35:42 -0400 [EMAIL PROTECTED] (Doug Parker) wrote: I was wondering if there was a block of code I could place at the bottom of the file that would write the page's source code to an html file. I need this because I'm

Re: [PHP] [OFF] - Fraudulent web orders - any ideas?

2004-08-16 Thread Brian Dunning
On Aug 16, 2004, at 10:07 AM, Ed Lazor wrote: Geesh, this sounds scary. Are you requiring account login before processing payments? Not on this store, it's a really competitive market.

Re: [PHP] SSH Authentication using php

2004-08-16 Thread Robby Russell
On Mon, 2004-08-16 at 10:15, Michal Migurski wrote: Hi, what my goal is is to be able to authenticate a user by their SSH account on the system using php. I tried looking on google, but didn't see anything with ssh. What i've tried to do is use the exec() and just do: exec(ssh

Re: [PHP] [OFF] - Fraudulent web orders - any ideas?

2004-08-16 Thread John Nichel
Brian Dunning wrote: On Aug 16, 2004, at 10:07 AM, Ed Lazor wrote: Geesh, this sounds scary. Are you requiring account login before processing payments? Not on this store, it's a really competitive market. Requiring an account to purchase would more than likely cut down on fraud orders.

Re: [PHP] SSH Authentication using php

2004-08-16 Thread Teren
Ok, here's the whole project, I have an openbsd box using authpf which uses authentication via ssh login. So, i'm trying to create a weblogin using php so people just have to enter their username/password (which would be a restricted unix account) to gain access to the internet. I have authpf all

[PHP] Re: [OFF] - Fraudulent web orders - any ideas?

2004-08-16 Thread Michelle Konzack
On 2004-08-16 08:03:51, Brian Dunning wrote: Anyone know who the proper authorities are, to whom I could give my logs? Amazingly, my CardService rep didn't know. He also didn't seem to care or think it was a very big deal. The total orders that went through are about 100 orders at $15

[PHP] CSRF attack not possible in I.E. 6.01 SP1?

2004-08-16 Thread Saqib . N . Ali
Hello All, I am working on securing an application that uses CDSSO (Cross Domain Single Sign On). I am trying to reproduce the CSRF (Cross Site Request Forgery) attack (using <img/> TAG) in I.E. 6.01, but am unable to do so. However the attack works on Mozilla and other older browsers. My

Re: [PHP] System Tray Icon

2004-08-16 Thread Josh Acecool M
Hmm, Simply make a RSS feed or something, md5 the last changed date of all files combined every say 30 mins and put that in the rss file, have the systray icon program look at that file every 5 mins or so, if the file has changed, flash.. John Nichel [EMAIL PROTECTED] wrote in message news:[EMAIL

RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

2004-08-16 Thread Jay Blanchard
[snip] I am working on securing an application that uses CDSSO (Cross Domain Single Sign On). I am trying to reproduce the CSRF (Cross Site Request Forgery) attack (using <img/> TAG) in I.E. 6.01, but am unable to do so. However the attack works on Mozilla and other older browsers. My

RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

2004-08-16 Thread Vail, Warren
Perhaps the question could be asked another way and be more on topic. Is there a fix in I.E. 6.01 that would interfere with PHP being able to generate different mime types on the fly, like .png or .jpg Thanks, Warren Vail -Original Message- From: Jay Blanchard [mailto:[EMAIL

RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1? WOT

2004-08-16 Thread Jay Blanchard
[snip] Perhaps the question could be asked another way and be more on topic. Is there a fix in I.E. 6.01 that would interfere with PHP being able to generate different mime types on the fly, like .png or .jpg [/snip] a. But that wasn't what he asked. 2. Top-posting === bad

Re: [PHP] SSH Authentication using php

2004-08-16 Thread Robby Russell
Ah, you should try to authenticate differently then. You're going about this the wrong way. :-) The PEAR::Auth package provides methods for creating an authentication system using PHP. Currently it supports the following storage containers to read/write the login data: * All databases

[PHP] Re: CURL question, cutting off custom request

2004-08-16 Thread Manuel Lemos
Hello, On 08/16/2004 12:40 PM, Dominic Schanen wrote: I'm sending a custom request to a server using CURL, which may contain some high-ascii characters. Are there certain characters that would cause CURL not to send the complete custom request? Are there some CURL options that can help make

Re: [PHP] SSH Authentication using php

2004-08-16 Thread Michal Migurski
Ok, here's the whole project, I have an openbsd box using authpf which uses authentication via ssh login. So, i'm trying to create a weblogin using php so people just have to enter their username/password (which would be a restricted unix account) to gain access to the internet. I have authpf

RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

2004-08-16 Thread Chris Shiflett
--- Jay Blanchard [EMAIL PROTECTED] wrote: You would have to ask the Microsoft Development Group, who probably does not subscribe to this list. Crossposting is bad. Being OT during a crosspost is even worse. I can hear the flamethrowers warming up in the wings. FYI - This is (or used to be)

Re: [PHP] SSH Authentication using php

2004-08-16 Thread Matthew Sims
Ok, here's the whole project, I have an openbsd box using authpf which uses authentication via ssh login. So, i'm trying to create a weblogin using php so people just have to enter their username/password (which would be a restricted unix account) to gain access to the internet. I have authpf

Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

2004-08-16 Thread John Nichel
Jay Blanchard wrote: FYI - This is (or used to be) a PHP list If I have a web server running php, how do I change the oil in my car? -- John C. Nichel ÜberGeek KegWorks.com 716.856.9675 [EMAIL PROTECTED]

Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

2004-08-16 Thread Chris Shiflett
--- [EMAIL PROTECTED] wrote: My question: Is I.E. 6.01 SP1 doing something to foil the CSRF attack, i.e. only allow image extensions .gif .png .jpeg? This seems highly unlikely. Can you show us the code you're using to test? Chris = Chris Shiflett - http://shiflett.org/ PHP Security

RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1? WOT

2004-08-16 Thread Chris Shiflett
--- Jay Blanchard [EMAIL PROTECTED] wrote: [snip] Perhaps the question could be asked another way and be more on topic. Is there a fix in I.E. 6.01 that would interfere with PHP being able to generate different mime types on the fly, like .png or .jpg [/snip] a. But that wasn't

RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

2004-08-16 Thread Saqib . N . Ali
Thanks Chris, Yup I think my posting is very on-topic. The application that I am working on is written in PHP. And I'm sure all PHP developers check their applications for CSRF vulnerability, in various browsers (including I.E. ). As a PHP/Java developer, I would be interested to know what

RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

2004-08-16 Thread Jay Blanchard
[snip] Yup I think my posting is very on-topic. The application that I am working on is written in PHP. [/snip] Thanks for stating that in your original post.

Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

2004-08-16 Thread Saqib . N . Ali
Hello Chris, I can't share the exact code ;) , but here is something very similar: <img src="http://slashdot.org/my/logout" height="1" width="1"> If I load a web page with the above code, it should log me out of slashdot. It works in Mozilla (and netscape), but not in I.E. 6.01 SP1

[PHP] PEAR

2004-08-16 Thread Mag
Hi, some newbie questions about PEAR: 1. How do I know if its already installed? (via phpinfo() ? ) 2. Can I install it myself if its not already installed or do I have to contact my host? Thanks, Mag = -- - The faulty interface lies between the chair and the keyboard. - Creativity is

[PHP] Re: mail() on *nix using ssmtp or an external smtp server?

2004-08-16 Thread Manuel Lemos
Hello, On 08/16/2004 10:00 AM, Markus Mayer wrote: - Does anyone know of a way to make PHP on *nix use an external smtp server without having to hack around in the source code of PHP? - Has anyone got either ssmtp or esmtp working with PHP? You may want to try this class that can be used to do

RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

2004-08-16 Thread Chris Shiflett
--- [EMAIL PROTECTED] wrote: And I'm sure all PHP developers check their applications for CSRF vulnerability, in various browsers (including I.E. ). I speak about CSRF in many of the talks I give, and I think you'd be surprised by how many people haven't even heard of it. As a PHP/Java

Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

2004-08-16 Thread Chris Shiflett
--- [EMAIL PROTECTED] wrote: I can't share the exact code ;) , but here is something very similar: <img src="http://slashdot.org/my/logout" height="1" width="1"> If I load a web page with the above code, it should log me out of slashdot. It works in Mozilla (and netscape), but not in I.E. 6.01

RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

2004-08-16 Thread Ed Lazor
-Original Message- Jay Blanchard wrote: FYI - This is (or used to be) a PHP list If I have a web server running php, how do I change the oil in my car? Have you tried the OilChange class from PHPClasses.org? ;) -Ed

RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

2004-08-16 Thread Ed Lazor
What if you add a random seed to the URL? <img src="http://slashdot.org/my/logout?fluff=<?php echo rand(1,200);?>" height="1" width="1"> -Original Message- Hello Chris, I can't share the exact code ;) , but here is something very similar: <img src="http://slashdot.org/my/logout" height=1

[PHP] Re: Compile

2004-08-16 Thread rush
Watty [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Is it possible to compile a PHP script? And if so, how? there is a roadsend php compiler, but I have not used it myself. rush -- http://www.templatetamer.com/

RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

2004-08-16 Thread Ed Lazor
-Original Message- The best information would be if you can capture the exact HTTP transactions involved. For example, using something like ethereal, capture the request and response for Mozilla, and then do the same for IE 6.01 SP1. Short of that, you could create a URL

RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

2004-08-16 Thread Chris Shiflett
--- Ed Lazor [EMAIL PROTECTED] wrote: Wouldn't it work to just make the script spit out a mime type header and a small (1x1) image when it's done to satisfy the browser's mime type requirements? Definitely, but most CSRF attacks are meant to spoof a request from the legitimate user to some Web

RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

2004-08-16 Thread Ed Lazor
-Original Message- Definitely, but most CSRF attacks are meant to spoof a request from the legitimate user to some Web site where he/she already has privilege. Thus, the receiving site is usually as much the victim as the user. I'm not sure if that makes any sense... :-) It does =)

Re: [PHP] problems with sessions!!AAH

2004-08-16 Thread Torsten Roehr
Angelo Zanetti [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Hi Matt, The session_id() is correct on both pages. Some info I forgot to add is this: on my first page: session_write_close(); header("Location: franchise_menu.php?".SID); exit(); however on my franchise_menu.php

[PHP] back button doesn't work with sessions?

2004-08-16 Thread Frank Keessen
Hi all! Can you please help me with the following; I've got a form (that comes in 'three parts' a1.php a2.php and a3.php)with sessions that refuses to go back! On A2.php and A3.php i made a back button like: input type=image src=images/back_button.jpg onClick=history.back() and input

[PHP] Re: PEAR

2004-08-16 Thread Torsten Roehr
Mag [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Hi, some newbie questions about PEAR: 1. How do I know if its already installed? (via phpinfo() ? ) 2. Can I install it myself if its not already installed or do I have to contact my host? Thanks, Mag You will find answers

Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

2004-08-16 Thread Octavian Rasnita
Why is so important if Internet Explorer allows URLS of images where the file name is only .jpg, .png, or .gif? A url can be something like: http://www.site.com/script.php/image.jpg?logout=true Internet Explorer might think that the file is a .jpg and that script.php is a directory but only the

Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

2004-08-16 Thread Saqib . N . Ali
Hello, I'm not saying that I.E. completely fixed the CSRF attacks, by only allowing .jpg .gif .png files. But it might be one possible way to minimize CSRF attack, just like using POST vs GET can help minimize the chances of that attack. BTW, using POST instead of GET does NOT guarantee that

Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

2004-08-16 Thread Saqib . N . Ali
Hello Chris, Upon your suggestion, I used a sniffer to sniff traffic for the web app that I am working on. To my surprise, the data captured during the sniff for both browsers was exactly the same. Which means my theory of limiting the <img/> TAG to .gif .jpeg .png is NOT true. So now I am

Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

2004-08-16 Thread Chris Shiflett
--- Octavian Rasnita [EMAIL PROTECTED] wrote: Why is so important if Internet Explorer allows URLS of images where the file name is only .jpg, .png, or .gif? A url can be something like: http://www.site.com/script.php/image.jpg?logout=true This is definitely true, but as I mentioned in a

Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

2004-08-16 Thread Chris Shiflett
--- [EMAIL PROTECTED] wrote: Upon your suggestion, I used a sniffer to sniff traffic for the web app that I am working on. To my surprise, the data captured during the sniff for both browsers was exactly the same. Can you elaborate or post the exact requests sent from each browser? I'm

Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

2004-08-16 Thread Saqib . N . Ali
Hello Curt, Yes, the /. system depends on cookies to keep the user logged in. However a CSRF attack is NOT trying to access a third party cookie. The web browser makes the same GET request whether it is using <img/> TAG or the user clicking on a link. So in either case the cookies are in the

Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

2004-08-16 Thread Curt Zirzow
* Thus wrote [EMAIL PROTECTED]: Hello Chris, I can't share the exact code ;) , but here is something very similar: <img src="http://slashdot.org/my/logout" height=1 width=1> If I load a web page with the above code, it should log me out of slashdot. It works in Mozilla (and netscape), but

RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

2004-08-16 Thread Ed Lazor
-Original Message- So now I am completely clueless as to why this particular attack works in Mozilla but not in IE. Could you describe the problem again and give full detail? I think we need to better model the problem in order to present a more effective solution. The link below

RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

2004-08-16 Thread Saqib . N . Ali
Hello Ed, To give some details: I am unable to reproduce a CSRF attack when the victim is using I.E. 6.01 SP1 (all patches applied). However the attack works in Mozilla and other older browsers. I can't give you the exact code for attack (for security reasons), but it is similar to the

Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

2004-08-16 Thread Chris Shiflett
--- [EMAIL PROTECTED] wrote: Hello Curt, Yes, the /. system depends on cookies to keep the user logged in. However a CSRF attack is NOT trying to access a third party cookie. The web browser makes the same GET request whether it is using <img/> TAG or the user clicking on a link. So in

Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

2004-08-16 Thread Chris Shiflett
--- Curt Zirzow [EMAIL PROTECTED] wrote: I'm not sure how the /. logout system works, but my guess is that they rely on cookies to do this. Since that is a different site than from the originating file, those cookies would be considered third party. I know in IE you can disable third party

RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

2004-08-16 Thread Chris Shiflett
--- Ed Lazor [EMAIL PROTECTED] wrote: The link below goes to a page I found that describes CSRF a little differently than what Chris was presenting - to give a different perspective on things. http://www.squarefree.com/securitytips/web-developers.html It doesn't seem to be different,

RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

2004-08-16 Thread Chris Shiflett
--- [EMAIL PROTECTED] wrote: To give some details: I am unable to reproduce a CSRF attack when the victim is using I.E. 6.01 SP1 (all patches applied). However the attack works in Mozilla and other older browsers. I can't give you the exact code for attack (for security reasons), but

RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

2004-08-16 Thread Ed Lazor
I was able to confirm / reproduce what you're experiencing. I was also able to confirm that toggling IE 6's acceptance of 3rd party cookies changes the behavior. Create an HTML on your local machine with the following line: <img src="http://www.atfantasy.com/test/image_status.php"> It'll load an

RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

2004-08-16 Thread Ed Lazor
-Original Message- However a CSRF attack is NOT trying to access a third party cookie. The web browser makes the same GET request whether it is using <img/> TAG or the user clicking on a link. So in either case the cookies are in the context of the website to which the cookies belong.

[PHP] The ' character and Hidden (POST) form fields...

2004-08-16 Thread Sean O'Donnell
I've recently encountered a problem with hidden (POST) form fields being ignored when an html textarea (or text) tag value contains the following character: ' It seems when you paste text from outlook, to an html 'textarea', it converts the apostrophe character (') to this character ('), which

Re: [PHP] The ' character and Hidden (POST) form fields...

2004-08-16 Thread Chris Shiflett
--- Sean O'Donnell [EMAIL PROTECTED] wrote: I've recently encountered a problem with hidden (POST) form fields being ignored when an html textarea (or text) tag value contains the following character: ' My guess is that you're displaying this data in HTML and delimiting it with the same
