php-general Digest 18 Nov 2005 10:54:01 -0000 Issue 3801

Topics (messages 226016 through 226036):

Re: php + cURL issue
        226016 by: Manuel Lemos
        226024 by: Curt Zirzow

Mail Injection- Which Mail function Parameters
        226017 by: Chris Drozdowski

Mail Injection- Which Mail function Parameters CORRECTED
        226018 by: Chris Drozdowski
        226025 by: Curt Zirzow
        226028 by: Ligaya Turmelle
        226030 by: Curt Zirzow

php error message
        226019 by: Edward Martin
        226020 by: Ben
        226022 by: Chuck Anderson
        226023 by: Jasper Bryant-Greene

replicate a live stream from one server to another with php and wget [slightly ot]
        226021 by: Graham Anderson

SESSION expiry time setting
        226026 by: Angelo Zanetti
        226032 by: David Grant

Re: Regex for Amateur Radio Callsigns
        226027 by: Greg Beaver

Re: Does anyone here use the pecl extension APC?
        226029 by: Rasmus Lerdorf

Version question on WAMP setup
        226031 by: MOREMAN Dave
        226034 by: Richard Davey

Dynamic DB query -  form display
        226033 by: Adrian Bruce
        226035 by: David Grant
        226036 by: Adrian Bruce


----------------------------------------------------------------------
--- Begin Message ---
Hello,

on 11/17/2005 08:00 PM Nate Nielsen said the following:
> I'm having an issue with cURL.  I have installed it on two different
> boxes, one is working properly, and another isn't.
>
> The script auto login's a user to a site.  One server it works as
> expected and logs the user in, the other it does not.  It appears the
> cookie data that is being saved is different on the two machines from
> the login.
>
> The code itself is identical.   The result on the two servers is
> different.   I've fiddled with this thing for a couple weeks, and now
> it's too late to mess with it anymore as I have a launch target I need
> to hit.

This sounds like bugs in different curl library versions.

I cannot help you with CURL itself because I do not use it except for circumstances where SSL is needed and OpenSSL is not available.

Anyway, I use this HTTP client class that uses either fsockopen connections or curl depending on what is available. When SSL is not necessary, the Curl library is not used at all.

The class takes care of collecting and sending back any site cookies, handles redirection, complex HTTP authentication methods, etc. You may want to take a look at it here:

http://www.phpclasses.org/httpclient


--

Regards,
Manuel Lemos

Metastorage - Data object relational mapping layer generator
http://www.metastorage.net/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

--- End Message ---
--- Begin Message ---
On Thu, Nov 17, 2005 at 04:00:21PM -0600, Nate Nielsen wrote:
> I'm having an issue with cURL.  I have installed it on two different boxes, 
> one is working properly, and another isn't.
> 
> The script auto login's a user to a site.  One server it works as expected 
> and logs the user in, the other it does not.  It appears the cookie data that 
> is being saved is different on the two machines from the login.
> 

What are the differences in the cookies?

Have you tried curl_setopt() with:
  curl_setopt($ch, CURLOPT_VERBOSE, true);       // log the full request/response exchange
  curl_setopt($ch, CURLOPT_STDERR, $filehandle); // where to log

Have you looked at the output on the login request to ensure that
the content is being returned as expected?

What does the code look like?


Curt.
-- 

--- End Message ---
--- Begin Message ---
Hello,

When using the mail() function to send a simple mail message, which specific parameters of the function need to be cleaned to prevent mail injection?

First of all I am already validating the $to parameter to be a valid email address.

After reading http://securephp.damonkohler.com/index.php/Email_Injection, I gather the parameters that need to be cleaned to prevent mail injection are the $headers and the $additional_parameters.

Is this correct?

Do I also need to clean the $subject parameter to prevent mail injection?

What about the $message parameter?

Thanks,

C Drozdowski

--- End Message ---
--- Begin Message ---
Hello,

When using the mail() function to send a simple mail message, which specific parameters of the function need to be cleaned to prevent mail injection?

First of all I am already validating the $to parameter to be a valid email address.

After reading http://securephp.damonkohler.com/index.php/Email_Injection, I gather the parameters that need to be cleaned to prevent mail injection are the $headers and the $additional_headers.

Is this correct?

Do I also need to clean the $subject parameter to prevent mail injection?

What about the $message parameter?

Thanks,

C Drozdowski

--- End Message ---
--- Begin Message ---
On Thu, Nov 17, 2005 at 07:10:06PM -0500, Chris Drozdowski wrote:
> Hello,
> 
> When using the mail() function to send a simple mail message, which
> specific parameters of the function need to be cleaned to prevent mail
> injection?

This is a good topic.  I'm in the process of writing an article on
it as well.

Consider:
mail ($to, $subject, $message, $additional_headers, $additional_parameters);

$to - yes (should clean)
----------
As we've seen, validating emails tends to be a long discussion on how to
properly accomplish the validation.  Things to consider:

  - Are you going to allow them to send to multiple emails?
  - Do you want to allow them to include the name of the
    person the email is to: "Joe Something" <[EMAIL PROTECTED]>

Based on whatever validation you choose and what you want to
allow, the key things to watch out for are the comma (,),
semicolon (;), line feed/carriage return (\r and/or \n).

  
$subject - yes
----------
You want to ensure that the \r and/or \n are properly removed (or
escaped).

$message - yes
---------------
This usually can go without any special escaping, unless you have
certain headers (the Boundary: header) or allow an injection into
the $additional_headers field.  If this is the case a malicious
user could attach a virus to be sent anonymously.

$additional_headers - yes
-------------------------
As with $to and $subject, you need to make sure \r and/or \n are
removed or escaped properly.  The most commonly used header is the
From header:
  
  From: "$fromname" <$fromemail>

As noted in the $message section, if you don't take care in
ensuring this parameter isn't done correctly you could potentially
allow the user to set up their own Boundary: header, which then
would allow them to freely make whatever attachments they like.

Also this is where the open (well, pseudo-open) relay occurs: if you
don't filter things properly, you can open up the CC: and BCC:
headers, allowing the person to anonymously send emails.

additional_parameters - very much yes
-------------------------------------
The most common value passed here is usually something like:

  "-f $fromemail"

If you consider what this actually does (sends parameters to the
sendmail binary directly), you could open yourself to exploits
unrelated to PHP itself.  Caution should really be used when
allowing outside data to be used here.

> 
> After reading http://securephp.damonkohler.com/index.php/ 
> Email_Injection, I gather the parameters that need to be cleaned to  
> prevent mail injection are the $headers and the $additional_headers.

This is a nice article; it rather makes me wonder if my article will
be as good as this one.

Curt.
-- 

--- End Message ---
--- Begin Message ---

> $message - yes
> ---------------
> This usually can go without any special escaping, unless you have
> certain headers (the Boundary: header) or allow an injection into
> the $additional_headers field.  If this is the case a malicious
> user could attach a virus to be sent anonymously.

Shouldn't you also worry about html script tags in the body of an HTML email? Couldn't a person also use those to send you a nasty "present"?

> $additional_headers - yes
> -------------------------
> As with $to and $subject, you need to make sure \r and/or \n are
> removed or escaped properly.  The most commonly used header is the
> From header:
>
>   From: "$fromname" <$fromemail>
>
> As noted in the $message section, if you don't take care in
> ensuring this parameter isn't done correctly you could potentially
> allow the user to set up their own Boundary: header, which then
> would allow them to freely make whatever attachments they like.
>
> Also this is where the open (well, pseudo-open) relay occurs: if you
> don't filter things properly, you can open up the CC: and BCC:
> headers, allowing the person to anonymously send emails.

Why would a person allow a user to input header information on a web form? That sounds like a HUGE security hole or is there some way I just can't see?


--
--------------------------------
life is a game... so have fun.

--- End Message ---
--- Begin Message ---
On Fri, Nov 18, 2005 at 05:06:36PM -0800, Ligaya Turmelle wrote:
> 
> >$message - yes
> >---------------
> >This usually can go without any special escaping, unless you have
> >certain headers (the Boundary: header) or allow an injection into
> >the $additional_headers field.  If this is the case a malicious
> >user could attach a virus to be sent anonymously.
> 
> Shouldn't you also worry about html script tags in the body of an HTML 
> email?  Couldn't a person also use those to send you a nasty "present"?

This is more of a second hand issue, but still valid nonetheless.
Depending on the client that sees the email and the context the
email was sent in, for example:

It is a rather common thing to send two parts, one just plain text
and another one with markup (usually html), and depending on how
the client reads things and displays it to the user, the outcome
could lead to problems.

I usually use the Boundary: header as a good example of how one
could take advantage of non-escaped data, but that doesn't protect
someone from sending some well formed message that might perhaps
do some phishing type thing.


> 
> >
> >$additional_headers - yes
> >-------------------------
> >As with $to and $subject, you need to make sure \r and/or \n are
> >removed or escaped properly.  The most commonly used header is the
> >From header:
> >  
> >  From: "$fromname" <$fromemail>
> >
> >As noted in the $message section, if you don't take care in
> >ensuring this parameter isn't done correctly you could potentially
> >allow the user to set up their own Boundary: header, which then
> >would allow them to freely make whatever attachments they like.
> >
> >Also this is where the open (well, pseudo-open) relay occurs: if you
> >don't filter things properly, you can open up the CC: and BCC:
> >headers, allowing the person to anonymously send emails.
> 
> why would a person allow a user to input header information on a web 
> form?  That sounds like a HUGE security hole or is there someway I just 
> can't see?

The thing is that they don't realize that it is being allowed. If I
don't protect the variable $fromname from the ability to allow a
\n or \r\n someone could send me that results with:

$_POST['fromname'] == "your friend\" <[EMAIL PROTECTED]>\r\nBCC: [a list of people]\r\nNull: \"";

Resulting in:

  From: "your friend" <[EMAIL PROTECTED]>
  BCC: [a list of people]
  Null: "" <thefromemail>


and if I want to be tricky I'd slip in a couple of Received: headers
to throw off people the hint of what route the message took. Or
maybe another Subject: header to bypass the previous rules on
subject so I can get the subject I want.


Curt.
--
null

--- End Message ---
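
Added example, not part of either of Curt's posts: one way to apply his per-parameter advice and to stop the `fromname` payload shown above before it reaches mail(). The helper names, the form field names and the example.* addresses are assumptions; the envelope-sender pattern is a deliberately conservative choice, and the code is written for PHP 7.1 or later.

```php
<?php
// Added example; helper and form-field names are hypothetical, not from the thread.

/** Reject any value that could start a new header line. */
function assertSingleLine(string $value, string $field): string
{
    // CR, LF and NUL never belong inside a single header value.
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException("$field contains a line break");
    }
    return trim($value);
}

/** Accept exactly one syntactically valid address (no list, no display name). */
function assertSingleAddress(string $value, string $field): string
{
    $value = assertSingleLine($value, $field);
    // Comma and semicolon are the list separators called out for $to.
    if (strpbrk($value, ',;') !== false
        || filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException("$field is not a single e-mail address");
    }
    return $value;
}

/** Build the five mail() arguments from untrusted form fields. */
function buildMailArgs(array $form): array
{
    $to        = assertSingleAddress($form['to'], 'to');
    $subject   = assertSingleLine($form['subject'], 'subject');
    $fromEmail = assertSingleAddress($form['fromemail'], 'fromemail');
    $fromName  = assertSingleLine($form['fromname'], 'fromname');

    // Inside a quoted display name, backslash and double quote must be escaped.
    $headers = 'From: "' . addcslashes($fromName, "\"\\") . "\" <$fromEmail>";

    // The body cannot add headers on its own; just normalise its line endings.
    $message = preg_replace('/\r\n|\r|\n/', "\r\n", $form['message']);

    // -f is handed to the sendmail binary, so allow only a plain addr-spec here.
    if (!preg_match('/^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+$/D', $fromEmail)) {
        throw new InvalidArgumentException('fromemail not usable as envelope sender');
    }
    $params = '-f' . $fromEmail;

    return [$to, $subject, $message, $headers, $params];
}

// Constructed inputs: a normal submission, and one carrying the fromname
// payload quoted in the thread (addresses replaced with example.* ones).
$benign = [
    'to' => 'support@example.com', 'subject' => 'Hello',
    'fromname' => 'Joe "JS" Something', 'fromemail' => 'joe@example.org',
    'message' => "line one\nline two",
];
$hostile = $benign;
$hostile['fromname'] = "your friend\" <x@example.org>\r\nBCC: a@example.net\r\nNull: \"";

foreach (['benign' => $benign, 'hostile' => $hostile] as $label => $form) {
    try {
        [$to, $subject, $message, $headers, $params] = buildMailArgs($form);
        echo "$label: accepted\n  $headers\n  $params\n";
        // mail($to, $subject, $message, $headers, $params); // real send, left out here
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```

Rejecting the request outright, rather than silently stripping the line breaks, also leaves a clear event to log when someone probes the form.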
--- Begin Message ---
I am new to working with php and I am having trouble trying to figure
out this following "error" message that is displayed when I access a php
file. Can you tell me what this error message means (in plain English)
and what steps I might take to correct it?

"Warning: Cannot modify header information - headers already sent by
(output started at
/usr/home/ecmartin/public_html/ethics06/calendarlogin.php:8) in
/usr/home/ecmartin/public_html/ethics06/sas.php on line 34"


The page that displays this error has a small php log-in script on it.
(Depending on where I place the script in the page code, the error
message moves to a different location on the page). The page originally
was an html page that contained typical stylesheet data, javascript
scripts (for headers and menus) and a flash-based menu. ALL of these
features still work when the page is displayed (as well as the php
log-in script), however, I cannot get rid of the error message.

Thanks 

--- End Message ---
--- Begin Message ---
Edward Martin said the following on 11/17/2005 04:27 PM:

> "Warning: Cannot modify header information - headers already sent by
> (output started at
> /usr/home/ecmartin/public_html/ethics06/calendarlogin.php:8) in
> /usr/home/ecmartin/public_html/ethics06/sas.php on line 34"

It means you are trying to change the page's headers after they have already been sent to the user's browser. You are probably trying to use the header() function after HTML/Javascript/what have you has already been sent to the browser. If you need to use header() you should write any earlier output to a variable and only output it to the browser after any header() function use.

- Ben

--- End Message ---
--- Begin Message ---
Ben wrote:

> Edward Martin said the following on 11/17/2005 04:27 PM:
>
>> "Warning: Cannot modify header information - headers already sent by
>> (output started at
>> /usr/home/ecmartin/public_html/ethics06/calendarlogin.php:8) in
>> /usr/home/ecmartin/public_html/ethics06/sas.php on line 34"
>
> It means you are trying to change the page's headers after they have already been sent to the user's browser. You are probably trying to use the header() function after HTML/Javascript/what have you has already been sent to the browser. If you need to use header() you should write any earlier output to a variable and only output it to the browser after any header() function use.
>
> - Ben

Most likely that is exactly what's happening. To be even more clear - the solution is to use the header function before any HTML (before *any* output). I learned this when I had an include file that was all PHP causing this problem. The end of the included file had a carriage return after the closing tag ?>. That was a nasty one to locate. Now I always make sure there is no white space after the closing tag in files I might include somewhere else.

--
*****************************
Chuck Anderson • Boulder, CO
http://www.CycleTourist.com
Integrity is obvious.
The lack of it is common.
*****************************

--- End Message ---
--- Begin Message ---
Chuck Anderson wrote:
> Ben wrote:
>
>> Edward Martin said the following on 11/17/2005 04:27 PM:
>>
>>> "Warning: Cannot modify header information - headers already sent by
>>> (output started at
>>> /usr/home/ecmartin/public_html/ethics06/calendarlogin.php:8) in
>>> /usr/home/ecmartin/public_html/ethics06/sas.php on line 34"
>>
>> It means you are trying to change the page's headers after they have already been sent to the user's browser. You are probably trying to use the header() function after HTML/Javascript/what have you has already been sent to the browser. If you need to use header() you should write any earlier output to a variable and only output it to the browser after any header() function use.
>>
>> - Ben
>
> Most likely that is exactly what's happening. To be even more clear - the solution is to use the header function before any HTML (before *any* output). I learned this when I had an include file that was all PHP causing this problem. The end of the included file had a carriage return after the closing tag ?>. That was a nasty one to locate. Now I always make sure there is no white space after the closing tag in files I might include somewhere else.

An alternative solution is to just turn on output buffering, which will make sure no output gets sent until after all PHP has stopped processing (unless you specifically tell it to get sent earlier).

Jasper

--- End Message ---
--- Begin Message ---

has anyone here used wget or similar command to redirect/reflect a live stream data from one server to another server ? I wanted to use each server's upload bandwidth to transfer a live stream to a new server

that way, my hope is that I can balance the bandwidth load a bit between servers for users in different areas. Would it just be a question of duplicating the headers of the incoming file and redirecting it to another server?

I am 'fishing' a bit so any help from those who use php with live streaming is appreciated.



Server side:
live stream  is encoded and sent to
streaming server 1 in Los Angeles  which sends the data to
streaming server 2 in Chicago which sends the data to
streaming server 3 in Mexico City


Client Side:
The below is pretty simple to do :)
When the user tries to access the live broadcast stream, a php script determines the nearest non-overloaded server. In this case, the user is directed to the live stream on server two in Chicago

many thanks

g

--- End Message ---
--- Begin Message ---
Hi guys.

I've been searching for where the time is set for a session to expire but had little luck.

in the PHP.ini file I found:

session.cache_expire

which specifies the time in minutes but is this what sets the session to timeout once the setting time has been surpassed?

Or am I looking in the totally wrong direction??

thanks in advance.

Angelo

--- End Message ---
--- Begin Message ---
Hi Angelo,

You might want:

session.cookie_lifetime = <time in seconds>

Obviously this only has an effect if the session.use_cookies directive
is set to "1".

Cheers,

David Grant

Angelo Zanetti wrote:
> Hi guys.
> 
> I've been searching for where the time is set for a session to expire
> but had little luck.
> 
> in the PHP.ini file I found:
> 
> session.cache_expire
> 
> which specifies the time in minutes but is this what sets the session to
> timeout once the setting time has been surpassed?
> 
> Or am I looking in the totally wrong direction??
> 
> thanks in advance.
> 
> Angelo
> 

--- End Message ---
--- Begin Message ---
Leonard Burton wrote:
HI,


Tuesday, November 15, 2005, 8:39:19 PM, you wrote:

Here are how they look
W1W
W1AW
WA1W
AD4HZ
N9URK
WB6NOA
4N1UBG

Let's do it this way... What are the rules for a valid callsign?


Basically, you see an example of each different type of callsign.  Other
than the patterns you see above there are no real rules.  A letter in
the example above means that there can only be a letter in the spot
and a number in a spot means there can only be a number in that spot.
There are 7 different formats and you see the one above.

Did you see the regex I had in a previous post?

/^([A-Z]{1,2}|[0-9][A-Z])([0-9])([A-Z]{1,3})$/

Using preg_match(), this will split a callsign like N8LAI into

array(
 0 => 'N8LAI',
 1 => 'N',
 2 => '8',
 3 => 'LAI'
)

and you can use the information however you like (i.e. this is a standard technician/general class call sign, located in region 8 Michigan/Ohio/Kentucky, etc.)

_... .
Greg

--- End Message ---
--- Begin Message ---
Filing a bug against APC with a gdb backtrace from one of these crashes would 
be useful.  
See http://pecl.php.net/bugs/report.php?package=APC

-Rasmus

--- End Message ---
--- Begin Message ---
Hi

I just installed Apache 2.0.55 / PHP 5.0.5 and MySQL5.0.15 on WinXP. All
seems OK, except that when I look at the PHP configuration using
phpinfo() it reports the MySQL version as 4.1.7 . 

Any ideas?

Otherwise all OK! 

Dave

------------------------------------------------------------------------
-----------------
Dr. Dave.Moreman
Room 110a, Mellor, 
Faculty of Health and Sciences,
Staffordshire University, ST4 2DE,
United.Kingdom
------------------------------------------------------------------------
-----------------
email : [EMAIL PROTECTED]
visit our distance learning website :
http://www.staffs.ac.uk/schools/sciences/distlearn/
tel     : 00 44 (1) 782 294776
------------------------------------------------------------------------
-----------------
This e-mail and the information it contains may be privileged and/or
confidential.  It is for the intended addressee(s) only, and does not
represent the opinions of Staffordshire University.
------------------------------------------------------------------------
----------------- 



--- End Message ---
--- Begin Message ---
Hi,

Thursday, November 17, 2005, 11:55:14 AM, you wrote:

> I just installed Apache 2.0.55 / PHP 5.0.5 and MySQL5.0.15 on WinXP.
> All seems OK, except that when I look at the PHP configuration using
> phpinfo() it reports the MySQL version as 4.1.7 .

I may well be wrong, but isn't the Client API version the version of
the API library that PHP is using to communicate with MySQL, rather
than the version of MySQL you're running (which, to all intents and
purposes, PHP could never know until you actually connect to it -
which phpinfo certainly doesn't).

Cheers,

Rich
-- 
Zend Certified Engineer
PHP Development Services
http://www.corephp.co.uk

--- End Message ---
--- Begin Message ---
Hi

I am trying to dynamically create a query based on form input for an intranet. I have a text input that allows a user to input part of a where clause such as - not like '04%' - . This bit works fine but I would like to display the clause back in the form field when the page reloads.
$clause = "not like '04%'";
echo"<input type='text' value='$clause'>";

Now obviously I hit a problem with the use of the quotation marks ' ' and just see - not like \ - in the form field. I need to keep the ' marks around the 04% for the query. Any ideas how I can do this??

Any help much appreciated!

Adrian

--- End Message ---
--- Begin Message ---
Hi Adrian,

This appears to be a security hole, but since that wasn't the reason for
the question, please try:

echo"<input type='text' value='" . htmlentities($clause, ENT_QUOTES) . "'>";

php.net/htmlentities

Cheers,

David Grant

Adrian Bruce wrote:
> Hi
> 
> I am trying to dynamically create a query based on form input for an
> intranet. I have a text input that allows a user to input part of a
> where clause such as  - not like '04%' - . This bit works fine but I
> would like to display the clause back in the form field when the page
> reloads.
> $clause = "not like '04%'";
> echo"<input type='text' value='$clause'>";
> 
> Now obviously I hit a problem with the use of the quotation marks ' '
> and just see - not like \  - in the form field.  I need to keep the '
> marks around the 04% for the query.  Any ideas how I can do this??
> 
> Any help much appreciated!
> 
> Adrian
> 

--- End Message ---
--- Begin Message ---

I'm aware it would be a security hole if it were available to all users, but it's just for me at the mo; other users get a watered-down version with just check boxes. I basically want to allow flexible filtering of a set of data but obviously this poses a few challenges. Any ideas always welcome!

Thanks for the tip by the way, I ended up doing the following

$field = stripslashes(htmlentities($field,ENT_QUOTES));

Adrian

David Grant wrote:

> Hi Adrian,
>
> This appears to be a security hole, but since that wasn't the reason for
> the question, please try:
>
> echo"<input type='text' value='" . htmlentities($clause, ENT_QUOTES) . "'>";
>
> php.net/htmlentities
>
> Cheers,
>
> David Grant
>
> Adrian Bruce wrote:
>> Hi
>>
>> I am trying to dynamically create a query based on form input for an
>> intranet. I have a text input that allows a user to input part of a
>> where clause such as  - not like '04%' - . This bit works fine but I
>> would like to display the clause back in the form field when the page
>> reloads.
>> $clause = "not like '04%'";
>> echo"<input type='text' value='$clause'>";
>>
>> Now obviously I hit a problem with the use of the quotation marks ' ' and just see - not like \ - in the form field. I need to keep the '
>> marks around the 04% for the query.  Any ideas how I can do this??
>>
>> Any help much appreciated!
>>
>> Adrian



--- End Message ---
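
Added example, not code from anyone in this thread: one way to keep the flexible filter while closing the hole David points out, by parsing the typed clause into an allow-listed operator plus a bound value and escaping it when it is echoed back into the form. `parseFilter()`, `runFilter()` and the `jobs`/`code` table are hypothetical, and the demo assumes PDO with the SQLite driver is available.

```php
<?php
// Added example; function, table and column names are hypothetical.

/** Turn a typed filter such as  not like '04%'  into [SQL operator, value]. */
function parseFilter(string $clause): array
{
    // The alternation is the allow-list: one comparison operator followed by
    // one single-quoted literal, and nothing else before or after it.
    $pattern = '/^\s*(not\s+like|like|<=|>=|<>|=|<|>)\s*\'([^\']*)\'\s*$/i';
    if (!preg_match($pattern, $clause, $m)) {
        throw new InvalidArgumentException('unsupported filter');
    }
    // Normalise the operator so only fixed strings ever reach the SQL text.
    $op = strtoupper(preg_replace('/\s+/', ' ', $m[1]));
    return [$op, $m[2]];
}

/** Run the filter against the demo table; the value travels as a bound parameter. */
function runFilter(PDO $pdo, string $clause): array
{
    [$op, $value] = parseFilter($clause);
    $stmt = $pdo->prepare("SELECT code FROM jobs WHERE code $op ?");
    $stmt->execute([$value]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed in-memory data so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE jobs (code TEXT)");
$pdo->exec("INSERT INTO jobs VALUES ('0401'), ('0512'), ('0499')");

$clause = "not like '04%'";                 // the filter from the thread
print_r(runFilter($pdo, $clause));

// Echo the clause back into the form field with its quotes encoded.
echo "<input type='text' value='" . htmlspecialchars($clause, ENT_QUOTES) . "'>\n";

// Constructed input with more than one comparison: refused before any SQL is built.
try {
    runFilter($pdo, "like '04%' or code like '05%'");
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```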
