php-general Digest 15 Aug 2004 14:53:56 -0000 Issue 2938

Topics (messages 193865 through 193882):

Re: PHP not working with apache2
        193865 by: Jason Wong
        193873 by: Burhan Khalid

Re: What happend to _SERVER?
        193866 by: Allen Wayne Best

Re: PHP Security Workbook
        193867 by: Burhan Khalid
        193876 by: Chris Shiflett
        193877 by: Octavian Rasnita
        193878 by: Chris Shiflett
        193879 by: Octavian Rasnita

Re: How to determine if date/time is with DST or not ?
        193868 by: Torsten Roehr
        193871 by: Burhan Khalid

Re: Kerberos authentication
        193869 by: Burhan Khalid

Re: A function in PHP that changes html in a string from <p align=center> to <p align="center"> ?
        193870 by: Burhan Khalid

Re: Anyone know of a PHP Dictionary Password Generator
        193872 by: Burhan Khalid
        193875 by: Chris Shiflett

Re: [PHP-General List] - Cron or script like Cron -
        193874 by: francesco[AT]automationsoft[DOT]biz

Need help with some logic and how to do it in PHP
        193880 by: Brent Clements
        193882 by: Jason Wong

Re: Help with Regular Expressions
        193881 by: killu0007-widget.yahoo.co.in

Administrivia:

To subscribe to the digest, e-mail:
        [EMAIL PROTECTED]

To unsubscribe from the digest, e-mail:
        [EMAIL PROTECTED]

To post to the list, e-mail:
        [EMAIL PROTECTED]


----------------------------------------------------------------------
--- Begin Message ---
On Sunday 15 August 2004 10:09, Grant wrote:

> I have asked about this on the Gentoo list and was
> told to add "-D PHP4" to an apache2 directive.  I did
> that, but it still doesn't work.

Then escalate the issue! Or go through the chapter:

  manual > Installation > Servers-Apache 2.0

to make sure that all the steps outlined have been performed correctly by the 
emerge.

> Having apache and apache2 installed is some kind of a
> mistake.  I'm a newbie and not sure how it happened.
> I plan on completely starting over and setting up my
> server again from nothing to make it very clean, but
> everything except PHP is working great.  This is the
> absolute last thing standing in the way of going live.

That's a good idea. Like I said, unless you know what you're doing, having both 
apaches installed is not a very good idea.

> When I see the raw code I am hitting apache2 as apache
> is not running.
>
> The only reason I need PHP is squirrelmail.  Is
> mod_php necessary in this situation?

I would guess yes, but it all depends on how your system is set up. Furthermore 
you have to establish 

1) whether mod_php is installing against apache, apache2, or both
2) whether squirrelmail is installing against apache, apache2, or both

Again, the Gentoo list is what you want.

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
------------------------------------------
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
------------------------------------------
/*
Whom the mad would destroy, first they make Gods.
                -- Bernard Levin
*/

--- End Message ---
--- Begin Message ---
Grant wrote:

I'm running Gentoo Linux, and emerged (installed)
squirrelmail which automatically installed all of its
dependencies including PHP and (I think) mod_php.  PHP
doesn't seem to be working though, as I always end up
looking at the raw PHP code in a browser.  I do have
apache and apache2 installed on my system, and I
suspect some key PHP things may have been set up for
apache instead of apache2.  Does anyone have any
pointers?

In Gentoo, emerge php just installs the client build, emerge mod_php installs the Apache module.


Therefore, what you need to do is emerge -av mod_php

Also, emerge apache installs Apache2, even though you may see apache and apache2 in /etc/

Then edit /etc/conf.d/apache2 and add -D PHP4 to the APACHE2_OPTS variable.

Finally, issue /etc/init.d/apache2 restart
--- End Message ---
--- Begin Message ---
john:

ah-ha! I found the problem!

I changed
ServerSignature Off

to

ServerSignature On

and now all is well......

Thanks everyone for chiming in.... :<))

On Saturday 14 August 2004 21:32, John Holmes pronounced:
> Allen Wayne Best wrote:
> > ooops! yes, i do. fixed. ran thru the web browser (no change!) fyi, the
> > web server is apache 2.0.40-21.11 on a rh9 box.
>
> I'm pretty sure you already said that a phpinfo() page resulted in no
> output, either.
>
> I'd say that, however you did it, PHP isn't installed correctly. Did you
> make the changes needed to httpd.conf for Apache to recognize PHP?
>
> --
>
> ---John Holmes...
>
> Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
>
> php|architect: The Magazine for PHP Professionals – www.phparch.com

-- 
regards,
allen wayne best, esq
"your friendly neighborhood rambler owner"
"my rambler will go from 0 to 105"
Current date: 7:7:21::226:2004

It seems a little silly now, but this country was founded as a protest
against taxation.

--- End Message ---
--- Begin Message ---
Chris Shiflett wrote:
This news is a bit old, but I have made the workbook for my OSCON tutorial
freely available from this URL:

http://shiflett.org/php-security.pdf

It's a 55 page PDF that has a lot of information (more than the slides)
about some of the more important security topics.

Nice article. Most of the stuff was common sense to me (and I was glad I was doing those things unconsciously). However, I do have issue with one paragraph:


Page 29,

* Using POST rather than GET in forms.

"Specify POST in the method attribute of your forms. Of course, this isn't appropriate for all your forms, but it is appropriate when a form is performing an action, such as buying stocks. In fact, the HTTP specification requires that GET be considered safe."

Don't you mean "In fact, the HTTP specification requires that POST be considered safe?" Didn't make sense to me when I read it last night.
--- End Message ---
--- Begin Message ---
--- Burhan Khalid <[EMAIL PROTECTED]> wrote:
> Most of the stuff was common sense to me (and I was glad I
> was doing those things unconsciously).

That's good to hear. :-)

Most of the people that have heard me give this talk (which is a few
hundred now) have realized several vulnerabilities in their current
applications, bad development habits, etc. I actually get tired of giving
the same (or very similar) talks, but I'll keep giving this one as long as
it keeps surprising a lot of the audience. The fewer excuses we give
people to equate PHP with poor security, the better off we'll all be.

>  However, I do have issue with one paragraph:
> 
> Page 29,
> 
> * Using POST rather than GET in forms.
> 
> "Specify POST in the method attribute of your forms.  Of course, this 
> isn't appropriate for all your forms, but it is appropriate when a form 
> is performing an action, such as buying stocks. In fact, the HTTP 
> specification requires that GET be considered safe."
> 
> Don't you mean "In fact, the HTTP specification requires that POST be 
> considered safe?" Didn't make sense to me when I read it last night.

Nope, it's correct as written. Perhaps it just needs to be rephrased, or
maybe I need to elaborate about what "safe" means in this context.

The piece of the HTTP specification I'm referring to is within section
9.1.1 of RFC 2616, entitled "Safe Methods," and it has the following to
say:

   "In particular, the convention has been established that the GET and
   HEAD methods SHOULD NOT have the significance of taking an action
   other than retrieval. These methods ought to be considered "safe".
   This allows user agents to represent other methods, such as POST, PUT
   and DELETE, in a special way, so that the user is made aware of the
   fact that a possibly unsafe action is being requested."

Thus, as developers, we should never perform an action when the request
method is GET. This means that forms intended to perform actions such as
buying stocks should specify the POST method, and we should also not rely
on register_globals or $_REQUEST, because both of these hide whether the
data we are using was sent in a GET request or a POST request. Specify
POST, and use $_POST.

Hope that clarifies what I mean a bit. Of course, I elaborate more in the
actual talk; this was just the workbook for people to reference and take
home to help remember the points. I just decided to give it away, since I
had put so much work into it. :-)

But, I'm always looking for improvements. I'll try to add a bit of
clarification in there somehow.

Thanks for the feedback.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
     Coming Fall 2004
HTTP Developer's Handbook - Sams
     http://httphandbook.org/
PHP Community Site
     http://phpcommunity.org/

--- End Message ---
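The rule Chris draws from RFC 2616 9.1.1 (never perform an action on GET; read from $_POST, not $_REQUEST or register_globals) as a small action endpoint. This is an added example, not code from the thread or from the workbook, written for PHP 7 or later rather than the PHP 4 of 2004; the function names, the field names `symbol` and `quantity`, and the `buyStock()` call are assumptions for illustration.

```php
<?php
// Added example (not from the thread or the workbook): an action endpoint
// that follows the "GET is safe" convention of RFC 2616 9.1.1. It refuses
// to act unless the request method is POST and reads only from $_POST,
// never from $_REQUEST or register_globals, so the source of each value
// is never ambiguous. Function and field names are assumptions.

declare(strict_types=1);

/**
 * Decide whether a request may perform a state-changing action.
 * Returns null when it may, otherwise a short error string.
 */
function rejectUnsafeActionRequest(string $method): ?string
{
    // GET and HEAD "SHOULD NOT have the significance of taking an action
    // other than retrieval", so anything other than POST is refused.
    if ($method !== 'POST') {
        return 'Method not allowed: actions require POST';
    }
    return null;
}

/**
 * Pull the order fields strictly from the POST body. A value present only
 * in the query string (and therefore in $_REQUEST) is ignored; that is
 * exactly the distinction $_REQUEST would hide.
 */
function readOrderFromPost(array $post): ?array
{
    if (!isset($post['symbol'], $post['quantity'])) {
        return null;
    }
    if (!is_string($post['symbol']) || !preg_match('/^[A-Z]{1,5}$/', $post['symbol'])) {
        return null;
    }
    if (!is_string($post['quantity']) || !ctype_digit($post['quantity'])
        || (int) $post['quantity'] < 1) {
        return null;
    }
    return ['symbol' => $post['symbol'], 'quantity' => (int) $post['quantity']];
}

$error = rejectUnsafeActionRequest($_SERVER['REQUEST_METHOD'] ?? 'GET');
if ($error !== null) {
    header('Allow: POST');
    http_response_code(405);
    exit($error);
}

$order = readOrderFromPost($_POST);
if ($order === null) {
    http_response_code(400);
    exit('Missing or malformed order fields');
}

// Hypothetical business logic would go here, e.g.
// buyStock($order['symbol'], $order['quantity']);
echo "Buying {$order['quantity']} shares of {$order['symbol']}\n";
```

Insisting on POST keeps a bookmarked or link-triggered GET from placing an order, which is the point Chris makes; it does not by itself stop a forged POST submitted from another site, so an action endpoint like this is normally paired with a per-session form token as well.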
--- Begin Message ---
I have also read that pdf document and I have found another interesting
piece of advice.

The author says that a good way of hiding the username/password is to put a
file that exports 2 environment variables in a directory that can be read
only by the root, then include a call to that file in httpd.conf in order to
let the web server have access to those variables.

Well, I don't really understand why this is so secure.

I understand that the web server is run by root, which sees that file and
exports the variables, then another user without many privileges runs the
child process of the web server, but if there are more than one user that
run PHP files or files made in other languages on that server, they will
also be able to see those environment variables.

Did I understand correctly?
Teddy

----- Original Message -----
From: "Chris Shiflett" <[EMAIL PROTECTED]>
To: "Burhan Khalid" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Sunday, August 15, 2004 4:05 PM
Subject: Re: [PHP] PHP Security Workbook


> --- Burhan Khalid <[EMAIL PROTECTED]> wrote:
> > Most of the stuff was common sense to me (and I was glad I
> > was doing those things unconsciously).
>
> That's good to hear. :-)
>
> Most of the people that have heard me give this talk (which is a few
> hundred now) have realized several vulnerabilities in their current
> applications, bad development habits, etc. I actually get tired of giving
> the same (or very similar) talks, but I'll keep giving this one as long as
> it keeps surprising a lot of the audience. The fewer excuses we give
> people to equate PHP with poor security, the better off we'll all be.
>
> >  However, I do have issue with one paragraph:
> >
> > Page 29,
> >

--- End Message ---
--- Begin Message ---
--- Octavian Rasnita <[EMAIL PROTECTED]> wrote:
> I have also read that pdf document and I have found another
> interesting piece of advice.
> 
> The author says that a good way of hiding the username/password
> is to put a file that exports 2 environment variables in a directory
> that can be read only by the root, then include a call to that file in
> httpd.conf in order to let the web server to have access to those
> variables.

I can't take credit for thinking of this approach. This comes from David
Sklar and Adam Trachtenberg, authors of PHP Cookbook (and others).

> Well, I don't really understand why this is so secure.
> 
> I understand that the web server is run by root, which sees that file
> and exports the variables, then another user without many
> privileges runs the child process of the web server, but if there are
> more than one user that run PHP files or files made in other
> languages on that server, they will also be able to see those
> environment variables.
> 
> Did I understand correctly?

Yes, this is another thing that I mention in the talk but failed to
include in the workbook. When this approach is being applied to a shared
hosting environment, you want to put the Include directive within a
VirtualHost block of httpd.conf, so that it only applies to a single
virtual host.

Also, each unprivileged child process that handles requests for this
virtual host has this sensitive information in memory. So, while the data
is safer, it is not completely safe (nothing is). If a user can exploit a
vulnerability in your application that lets them execute arbitrary code,
they can access this data. Of course, they can do a lot of bad things in
this case. :-)

Hope that clarifies. Thanks for the feedback.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
     Coming Fall 2004
HTTP Developer's Handbook - Sams
     http://httphandbook.org/
PHP Community Site
     http://phpcommunity.org/

--- End Message ---
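The credential-in-httpd.conf approach Teddy asks about and Chris qualifies, shown from the PHP side with the assumed Apache layout in the comments. This is an added example, not the workbook's or the PHP Cookbook's code; the file path, the variable names `DB_USER`/`DB_PASS`, the DSN and the placeholder password are assumptions.

```php
<?php
// Added example (not from the thread or the workbook). Assumed layout:
//
//   /usr/local/apache/conf/db-credentials.conf   (mode 0600, owned by root)
//     SetEnv DB_USER  appuser
//     SetEnv DB_PASS  placeholder-change-me
//
//   httpd.conf, with the Include inside the VirtualHost for this one site,
//   as Chris advises for shared hosts so other vhosts never see the values:
//     <VirtualHost *:80>
//         ServerName example.com
//         Include /usr/local/apache/conf/db-credentials.conf
//     </VirtualHost>
//
// The root-owned parent process reads the file at startup; mod_php then
// exposes SetEnv values in $_SERVER for scripts served by that vhost.
// Paths, variable names and the DSN are assumptions for illustration.

declare(strict_types=1);

/**
 * Fetch a credential that httpd.conf injected via SetEnv. Fails closed:
 * a missing variable is a configuration error, not an empty password.
 */
function credentialFromServer(array $server, string $name): string
{
    if (!isset($server[$name]) || $server[$name] === '') {
        throw new RuntimeException("Credential $name not provided by the web server");
    }
    return $server[$name];
}

/**
 * Assemble connection parameters without the secret ever living in a file
 * under the document root, where a misconfiguration could serve it as text.
 */
function databaseConnectionParams(array $server): array
{
    return [
        'dsn'  => 'mysql:host=localhost;dbname=app',
        'user' => credentialFromServer($server, 'DB_USER'),
        'pass' => credentialFromServer($server, 'DB_PASS'),
    ];
}

try {
    $params = databaseConnectionParams($_SERVER);
    $pdo = new PDO($params['dsn'], $params['user'], $params['pass']);
    // ... use $pdo ...
} catch (RuntimeException $e) {
    // PDOException extends RuntimeException, so connection failures land
    // here too. Log the reason; never echo it to the client.
    error_log($e->getMessage());
    http_response_code(500);
    exit('Service unavailable');
}
```

As Chris notes, every child process serving this vhost holds the values in memory, so anything that runs code in that vhost (an include vulnerability, an unguarded phpinfo() or var_dump($_SERVER) page) reads them; the gain is that other users' scripts and the filesystem do not.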
--- Begin Message ---
Oh thank you for this information. This is very important for me to know.

> Yes, this is another thing that I mention in the talk but failed to
> include in the workbook. When this approach is being applied to a shared
> hosting environment, you want to put the Include directive within a
> VirtualHost block of httpd.conf, so that it only applies to a single
> virtual host.
> 

--- End Message ---
--- Begin Message ---
"-{ Rene Brehmer }-" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> hi gang
>
> I'm trying to find a simple way to determine if a given date/time is with
> DST for a given locale at any point in time ... the point is basically to
> convert date strings into accurate GMT timestamps for storage in the
> database...
>
> Like I've got date strings looking like:
>
> Thursday, July 22, 2004 8:50:01 PM
> July 22, 2004 6:42 PM
>
> the strings are submitted through a form, together with a variable
> determining the time zone these times are in. I just want to figure out if
> the dates are with or without dst for that locale, at that given time, so
> that I can properly convert them to GMT times ... but I have no clue how to
> do that ... haven't been able to find anything useful in the manual or the
> PHP Cookbook ... the time zone is submitted negative of the actual value ...
> so a time offset of -0700 is submitted as +7 and +0200 as -2 ... this is
> simply to make the time conversion simpler...
>
> these are extracts of the current time calculation codes, including some
> debugging code for the time conversion:
>
> <?php
>   $date = $_POST['date'];
>   $tzone = $_POST['tzone'];
>
>   $timestamp = strtotime($date);
>
>   if ($tzone != 'none') {
>     $tdif = $tzone.' hours';
>     $timestamp = strtotime($tdif,$timestamp);
>   }
> ?>
>
> /* the following part is an extra of a larger table ... the formatting of
> the time zone is merely for displaying purposes atm. The goal is to create
> RFC2822 dates to be stored in the database alongside messages...
> */
>
>     <td>Workdate: <?php echo($date.' '.$tzone); ?><br>
>       Time difference: <?php
>         if ($tzone > 0) {
>           $format = '-';
>         } else {
>           $format = '+';
>         }
>         if (abs($tzone) > 9) {
>           $format .= '%u00';
>         } else {
>           $format .= '0%u00';
>         }
>         printf($format,abs($tzone)); ?><br>
>       Unix timestamp: <?php echo($timestamp); ?><br>
>       GMT date: <?php echo(date('D, d M Y H:i:s',$timestamp)); ?></td>
>
>
> if anyone has any ideas for determining whether DST is on or off, I'd
> appreciate it. right now I have no clue how to do this the easiest...
>
> TIA
>
> Rene
> --
> Rene Brehmer
> aka Metalbunny
>
> If your life was a dream, would you wake up from a nightmare, dripping of
> sweat, hoping it was over? Or would you wake up happy and pleased, ready to
> take on the day with a smile?
>
> http://metalbunny.net/
> References, tools, and other useful stuff...
> Check out the new Metalbunny forums at http://forums.metalbunny.net/

Hi Rene,

I'm not totally sure but I loosely remember this topic being discussed here
some weeks ago. Try your luck by searching the mailing list archives.

Best regards, Torsten Roehr

--- End Message ---
--- Begin Message ---
-{ Rene Brehmer }- wrote:

hi gang

I'm trying to find a simple way to determine if a given date/time is with
DST for a given locale at any point in time ... the point is basically to
convert date strings into accurate GMT timestamps for storage in the
database...

http://www.php.net/date

I (capital i) - Whether or not the date is in daylight saving time: 1 if Daylight Saving Time, 0 otherwise.

[ snipped rest ]
--- End Message ---
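The 'I' format character Burhan points at, applied to Rene's two sample strings. This is an added example, not code from either post; it uses DateTime and DateTimeZone (PHP 5.2 and later), which supply the per-zone DST rules that the bare strtotime() arithmetic in Rene's snippet cannot, and the zone name `America/Los_Angeles` is an assumption standing in for the zone a form would submit.

```php
<?php
// Added example (not from the thread): decide whether a submitted local
// date/time is in DST and convert it to UTC for storage. The 'I' format
// character returns "1" when daylight saving time is in effect for the
// instant and zone, "0" otherwise. Requires PHP 5.2+; the zone name and
// the sample strings (Rene's) are inputs, not part of the technique.

declare(strict_types=1);

/**
 * Interpret $localText in $zoneName. Returns ['dst' => bool, 'utc' => string]
 * or null when the text cannot be parsed or the zone is unknown.
 */
function localToUtc(string $localText, string $zoneName): ?array
{
    try {
        $zone  = new DateTimeZone($zoneName);
        $local = new DateTime($localText, $zone);
    } catch (Exception $e) {
        return null;   // bad zone name or unparseable date text
    }
    $dst = $local->format('I') === '1';
    $utc = clone $local;
    $utc->setTimezone(new DateTimeZone('UTC'));
    return ['dst' => $dst, 'utc' => $utc->format('Y-m-d H:i:s')];
}

// The two strings Rene posted, interpreted in an assumed zone.
$samples = ['Thursday, July 22, 2004 8:50:01 PM', 'July 22, 2004 6:42 PM'];
foreach ($samples as $text) {
    $r = localToUtc($text, 'America/Los_Angeles');
    if ($r === null) {
        printf("%-36s could not be parsed\n", $text);
        continue;
    }
    printf("%-36s dst=%s utc=%s\n", $text, $r['dst'] ? 'yes' : 'no', $r['utc']);
}
```

Storing the UTC value and the zone name (rather than a fixed hour offset) is what makes the stored timestamp reproducible; a numeric offset like +7 bakes in whether DST happened to be in effect on the day the form was submitted.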
--- Begin Message ---
Matthew Runo wrote:

I am working on a project that requires Kerberos authentication, however - we are unable to use the apache module that one would normally use [sys admin.. *grumble*].

I searched the archives to find a script that would authenticate a user against a Kerberos server, and found very little. Does anyone have any ideas? I'd bow down and be very, very, excited if someone did...

1. Bribe/convince/threaten the sysadmin to install the mod_auth_kerberos module


2. Try using DCE [ http://www.opengroup.org/dce/ ]
--- End Message ---
--- Begin Message ---
Jay Blanchard wrote:

[snip]
Is there any function in PHP that changes html in a string from <p
align=center> to <p align="center"> ? (e.g. adding the double quotes)
[/snip]

Nah, but you could write a function to add quotes to attributes of any
tag that you would like.

Tidy [ http://tidy.sf.net ] can do this

"Tidy inserts quote marks around all attribute values for you. It can also detect when you have forgotten the closing quote mark, although this is something you will have to fix yourself."

That from http://www.w3.org/People/Raggett/tidy/
--- End Message ---
--- Begin Message ---
John Holmes wrote:

Anyone know of a PHP english word password generator? Something that'll produce easy to read and remember codes like "buffalo_candy" or "shipment+plant", etc?

I had a look on phpclasses.org, but didn't find anything like this.

Or, as an alternative, I'll code it myself if anyone can point me to a "dictionary" of english words that I could use populate a text file or database to choose from.

John,

On a recent project I had a similar problem, and then I found pwgen [ http://sf.net/projects/pwgen/ ] and it worked great. It creates passwords that are easy for humans to remember, but difficult for machines to guess. It can even create "machine" passwords.

  Here's sample output:

[EMAIL PROTECTED] burhan $ pwgen -n -c -C 8 5
shie9ohG hu8Aengu Thie2ahx Ajien9ai eM2youhu

With its various options, you can modify the length and number of passwords generated. The source code is also available, but I didn't have the time to convert it to PHP.

Hopefully this helps,
Burhan

--- End Message ---
--- Begin Message ---
--- John Holmes <[EMAIL PROTECTED]> wrote:
> Anyone know of a PHP english word password generator? Something
> that'll produce easy to read and remember codes like "buffalo_candy"
> or "shipment+plant", etc?
> 
> I had a look on phpclasses.org, but didn't find anything like this.
> 
> Or, as an alternative, I'll code it myself if anyone can point me to a 
> "dictionary" of english words that I could use populate a text file or 
> database to choose from.

Don't the spelling extensions have some sort of dictionary that they use?
You can probably use whatever they use.

If you do write this, please don't call it a password generator, else
people might use these things for passwords. :-)

Chris

--- End Message ---
--- Begin Message ---
I'm sorry Hannes, I have seen now that I email only to you and not to the
PHP list.
Sorry.
Thanks.

----- Original Message -----
From: "Hannes Magnusson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, August 14, 2004 7:26 PM
Subject: [PHP] Re: [PHP-General List] - Cron or script like Cron -


> Don't mail me directly, no good comes from that.
>
> Anyway, see my answer below.
>  -Hannes
>
> From: "francesco[AT]automationsoft[DOT]biz" <[EMAIL PROTECTED]>
> To: "Hannes Magnusson" <[EMAIL PROTECTED]>
> Subject: Re: [PHP] Re: [PHP-General List] - Cron or script like Cron -
> Date: Sat, 14 Aug 2004 19:03:02 +0200
> X-Mailer: Microsoft Outlook Express 6.00.2800.1106
>
> Hi Hannes,
> I'm not sure that I understand your solution.
> Can you explain it to me?
> Thanks
>
> > run cron via httpd user? i.e.
> >   fputs STDIN crontab -e blablabla........
> can't do it via fputs, was just trying to put in your head some ideas how
> to do this.
> can probably do something like shell_exec ( 'echo "YourNewCronjob" >>
> /path/to/nobody/crontab' );
>
> This doesn't have a lot to do with php though.
> >
> > - Hannes
> >
> > On Sat, 14 Aug 2004 18:34:10 +0200
> > [EMAIL PROTECTED] (FrancescoAutomationsoftBiz) wrote:
> >
> > > Hi all,
> > > I have a script that generates a benchmark report, in *.csv, every day.
> > > I want to have the possibility to send me this report every day at the
> > > same time, during the night, i.e. at 03.00 am. I know that there is Cron
> > > that gives me the possibility to do this, but I'm not the server manager
> > > and I cannot use Cron. I found a good alternative script, called Pseudo-Cron,
> > > but it runs only when the page that contains the script is called.
> > > Is there a script that has the same function as Cron but is only php,
> > > or is there another way to call Cron or any other way to use Cron?
> > > All help is very appreciated.
> > > Thanks all.
> > > Francesco
> > > [EMAIL PROTECTED]
> > >
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

--- End Message ---
--- Begin Message ---
I have the following problem.

I have 7 string values, if any number of them are the same, I need to output that 
value, if they are all different, I need to output a blank string "". How would I do 
this in php outside of writing a huge if/then statement? This is a variation of my 
"String compare of 7 text strings" question yesterday. All of the 7 string values are 
values in an array, i.e.  $strings = array($string1, $string2, $string3, $string4, 
$string5, $string6, $string7);

Thanks,
Brent

--- End Message ---
--- Begin Message ---
On Sunday 15 August 2004 22:44, Brent Clements wrote:

> I have 7 string values, if any number of them are the same, I need to output
> that value, if they are all different, I need to output a blank string "".
> How would I do this in php outside of writing a huge if/then statement?
> This is a variation of my "String compare of 7 text strings" question
> yesterday. All of the 7 string values are values in an array, ie  $strings
> = array($string1, $string2, $string3, $string4, $string5, $string6,
> $string7);

array_count_values() 

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
------------------------------------------
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
------------------------------------------
/*
An infallible method of conciliating a tiger is to allow oneself to be
devoured.
                -- Konrad Adenauer
*/

--- End Message ---
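Jason's one-word answer, array_count_values(), carried through to Brent's full requirement. This is an added example, not code from either post; Brent's question does not say what to do when two different values each repeat, so the tie rule below (the most frequent value wins, earliest first on a tie) is an assumption.

```php
<?php
// Added example (not from the thread): solve Brent's seven-string problem
// with array_count_values() instead of a chain of if/then comparisons.

declare(strict_types=1);

/**
 * Return the value that occurs more than once in $strings, or "" when all
 * values are distinct. If several values repeat, the most frequent wins;
 * on a tie the one seen first wins (assumed rule, the question leaves it open).
 */
function repeatedValue(array $strings): string
{
    // array_count_values() accepts only strings and integers, so normalise
    // everything to string first. Keys keep first-seen order.
    $counts = array_count_values(array_map('strval', $strings));

    $best = '';
    $bestCount = 1;              // a count of 1 means "unique", so start above it
    foreach ($counts as $value => $count) {
        if ($count > $bestCount) {
            $best = (string) $value;   // numeric-string keys come back as ints
            $bestCount = $count;
        }
    }
    return $best;
}

// Constructed sample inputs standing in for $string1 .. $string7.
$withRepeat  = ['red', 'blue', 'green', 'blue', 'amber', 'cyan', 'teal'];
$allDistinct = ['a', 'b', 'c', 'd', 'e', 'f', 'g'];

var_dump(repeatedValue($withRepeat));
var_dump(repeatedValue($allDistinct));
```

The comparison is exact and case-sensitive, as it would be with `==` on strings; normalise with strtolower() or trim() inside the array_map() call if the seven inputs come from a form and should match loosely.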
--- Begin Message ---
Hi all,

I am working on a small php script which should do the
following. I want all the links in the page to be
preceded by first character and first two characters
of the link.Please look into the example below for
more
clarification.

eg. 
<a href="/code.html">link here</a> to be
replaced as 
<a href="/c/co/code.html">link here</a>

I guess, this is possible by using regular expressions
but I am not able to crack the right expression.

Any help would be highly appreciated in this
regards.

Cheers,
Killu


--- End Message ---
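One way to do the rewrite Killu describes, as an added example and not code from the post. It assumes double-quoted href attributes (as in the example given) and touches only site-relative links that begin with a single "/"; absolute URLs, anchors and protocol-relative "//host" links are left alone. Extending the rule to links in subdirectories (the "/c/co/" segments are inserted before the file name rather than at the root) is an assumption, since the question only shows a root-level link.

```php
<?php
// Added example (not from the thread): rewrite href="/code.html" into
// href="/c/co/code.html" with preg_replace_callback(). The first one and
// first two characters of the file name (without extension) become path
// segments. Only double-quoted, site-relative hrefs are changed.

declare(strict_types=1);

function prefixLinksWithInitials(string $html): string
{
    // group 1: everything up to and including href="
    // group 2: a path starting with exactly one "/" (so "//host" is skipped)
    // group 3: the closing quote
    $pattern = '~(<a\b[^>]*\bhref=")(/(?!/)[^"]*)(")~i';

    return preg_replace_callback($pattern, function (array $m): string {
        $path = $m[2];
        $file = basename($path);                      // "code.html"
        $name = pathinfo($file, PATHINFO_FILENAME);   // "code"
        if ($name === '') {
            return $m[0];   // href="/" or a bare directory: nothing to derive from
        }
        $dir = dirname($path);                        // "/" or "/docs"
        $dir = ($dir === '/') ? '' : $dir;
        $first = substr($name, 0, 1);                 // "c"
        $two   = substr($name, 0, 2);                 // "co"
        return $m[1] . $dir . '/' . $first . '/' . $two . '/' . $file . $m[3];
    }, $html);
}

// Constructed sample input.
$input = '<p><a href="/code.html">link here</a> and '
       . '<a href="http://example.com/x.html">external</a> and '
       . '<a href="/docs/intro.html">docs</a></p>';

echo prefixLinksWithInitials($input), "\n";
```

A regular expression is adequate for markup you generate yourself; for HTML from other sources the attribute quoting and ordering vary (see the Tidy thread above), and walking the `a` elements with DOMDocument and rewriting the `href` attribute is the more robust route.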