php-general Digest 30 May 2006 11:51:48 -0000 Issue 4156
Topics (messages 237048 through 237073):
Re: pop-up window in php???
237048 by: Jay Blanchard
237050 by: tedd
237051 by: Paul Novitski
237052 by: Paul Novitski
237053 by: Jay Blanchard
237055 by: Richard Lynch
237069 by: Paul Novitski
Re: Better method than stristr
237049 by: tedd
237054 by: Richard Lynch
Re: Blacklisted using mail()
237056 by: Richard Lynch
Re: problems with regex
237057 by: Richard Lynch
Re: Fatal error: Call to undefined function mysql_create_db()
237058 by: Richard Lynch
Re: anti SQL injection method in php manual.
237059 by: Richard Lynch
237071 by: Dotan Cohen
Re: weird characters problem
237060 by: Richard Lynch
Re: Including Functions; one file or many?
237061 by: Richard Lynch
237062 by: Richard Lynch
Re: Question about set_time_out and shell_exec
237063 by: Richard Lynch
Re: Serialize
237064 by: Richard Lynch
Re: captcha or other recommendations
237065 by: Richard Lynch
Re: Can a script run twice?
237066 by: Richard Lynch
Re: how include works?
237067 by: Richard Lynch
237073 by: Arno Kuhl
Re: How to disable PHP's POST caching?
237068 by: Richard Lynch
Converting text strings [out of topic a bit]
237070 by: Jonas Rosling
More about converting text strings
237072 by: Jonas Rosling
Administrivia:
To subscribe to the digest, e-mail:
[EMAIL PROTECTED]
To unsubscribe from the digest, e-mail:
[EMAIL PROTECTED]
To post to the list, e-mail:
php-general@lists.php.net
----------------------------------------------------------------------
--- Begin Message ---
[snip]
However, PHP can download a page with input fields disabled that
includes a div styled to look like a dialog box with a couple of
submit buttons labeled YES & NO. Submitting YES will request the
same page from PHP but without the dialog div and with user interface
fields enabled; NO will request the same page but without the dialog
div and with UI fields disabled.
From the user's point of view, the main difference between doing
this with PHP and doing it with JavaScript is that the PHP solution
will take at least a few seconds for the round-trip to the server
whereas JavaScript's response to a confirm() dialog will seem
instantaneous.
[/snip]
Interesting concept Paul, so you are saying that PHP can be used to
generate something that looks like an alert box using CSS? Or are you
saying that PHP would use an intermediary page to generate the behavior?
--- End Message ---
--- Begin Message ---
At 6:38 PM -0500 5/29/06, Jay Blanchard wrote:
[snip]
However, PHP can download a page with input fields disabled that
includes a div styled to look like a dialog box with a couple of
submit buttons labeled YES & NO. Submitting YES will request the
same page from PHP but without the dialog div and with user interface
fields enabled; NO will request the same page but without the dialog
div and with UI fields disabled.
From the user's point of view, the main difference between doing
this with PHP and doing it with JavaScript is that the PHP solution
will take at least a few seconds for the round-trip to the server
whereas JavaScript's response to a confirm() dialog will seem
instantaneous.
[/snip]
Interesting concept Paul, so you are saying that PHP can be used to
generate something that looks like an alert box using CSS? Or are you
saying that PHP would use an intermediary page to generate the behavior?
This really isn't any different than a page calling itself, or
another page, where the result looks like a pop-up dialog box.
I think the only real difference here is that in a "true" pop-up
dialog box, the pop-up window appears above the previous window and
goes away after the dialog leaving the previous window. However, that
may be accomplished if php can generate two browser windows -- I
don't know if it can, but I suspect it might.
tedd
--
------------------------------------------------------------------------------------
http://sperling.com http://ancientstones.com http://earthstones.com
--- End Message ---
--- Begin Message ---
At 04:38 PM 5/29/2006, Jay Blanchard wrote:
[snip]
However, PHP can download a page with input fields disabled that
includes a div styled to look like a dialog box with a couple of
submit buttons labeled YES & NO. Submitting YES will request the
same page from PHP but without the dialog div and with user interface
fields enabled; NO will request the same page but without the dialog
div and with UI fields disabled.
From the user's point of view, the main difference between doing
this with PHP and doing it with JavaScript is that the PHP solution
will take at least a few seconds for the round-trip to the server
whereas JavaScript's response to a confirm() dialog will seem
instantaneous.
[/snip]
Interesting concept Paul, so you are saying that PHP can be used to
generate something that looks like an alert box using CSS? Or are you
saying that PHP would use an intermediary page to generate the behavior?
The former. No big deal, just a regular page with a small gray form
layered on top. The original poster asked for a way to do this
without using JavaScript, so I assume that we're only dealing with a
single window here.
Regards,
Paul
--- End Message ---
--- Begin Message ---
At 05:04 PM 5/29/2006, tedd wrote:
This really isn't any different than a page calling itself, or
another page, where the result looks like a pop-up dialog box.
That's right. Add the dialog form to the markup and position it
absolutely to appear centered a bit down from the top of the
window. To imitate a modal dialog, disable all other links and form
controls by tweaking the markup in PHP before download. (I can't
recall how cross-browser successful it is to cover up the page with a
large transparent image to disable all UI, but that might be worth exploring.)
I think the only real difference here is that in a "true" pop-up
dialog box, the pop-up window appears above the previous window and
goes away after the dialog leaving the previous window. However,
that may be accomplished if php can generate two browser windows --
I don't know if it can, but I suspect it might.
I'm not aware that PHP can ask a browser to open a second window
without using JavaScript.
What I'm suggesting would LOOK like a second window appearing on top
of the primary window, then going away, when it would actually be a
single page cleverly styled.
Regards,
Paul
--- End Message ---
--- Begin Message ---
[snip]
I'm not aware that PHP can ask a browser to open a second window
without using JavaScript.
What I'm suggesting would LOOK like a second window appearing on top
of the primary window, then going away, when it would actually be a
single page cleverly styled.
[/snip]
PHP could not open a second window unless you found a way to hack the
target attribute in an href link.
I have done some clever styling, but I am unaware of how you could hide
all of the toolars, etc.
--- End Message ---
--- Begin Message ---
On Mon, May 29, 2006 1:03 pm, [EMAIL PROTECTED] wrote:
> Is there anyway to have a pop-up window to ask "are you sure? yes /
> no" in php?
> I know you can do it in Javascript, but I'm not sure what's the best
> way to
> implement it in php. I want the page to do nothing if "no" is pressed.
The only way this question even makes any sense at all is:
http://gtk.php.net
I'm 99.99999% certain that this ain't what you are using, though.
What you probably need to do us just use JavaScript and/or AJAX, or
not do what you think you want to do.
--
Like Music?
http://l-i-e.com/artists.htm
--- End Message ---
--- Begin Message ---
At 06:25 PM 5/29/2006, Jay Blanchard wrote:
[snip]
I'm not aware that PHP can ask a browser to open a second window
without using JavaScript.
What I'm suggesting would LOOK like a second window appearing on top
of the primary window, then going away, when it would actually be a
single page cleverly styled.
[/snip]
PHP could not open a second window unless you found a way to hack the
target attribute in an href link.
OK, I see what you mean: PHP could modify links & buttons on a page
being downloaded so that a second window would be opened
(target="_blank") [if permitted by the browser settings] when the
user tried to navigate. However, that child window couldn't close
itself like a modal dialog does without using JavaScript, which is
the driving constraint of this whole thought-problem.
I have done some clever styling, but I am unaware of how you could hide
all of the toolars, etc.
Toolbars? No, I'm not that clever. I was only referring to
disabling links and form fields within the HTML page itself. The
best I could do using this technique wouldn't exactly mimic a modal
dialog, just approximate one.
Paul
--- End Message ---
--- Begin Message ---
At 2:27 PM -0500 5/29/06, Steven Osborn wrote:
Can someone please advise a faster solution to do
what I'm doing below? All I need to be able to do is determine if
any of the strings in the array are contained in $q. The method I
have works, but I'm sure its not the most efficient way to do it.
$dirtyWord = array("UNION","LOAD_FILE","LOAD DATA
INFILE","LOAD FILE","BENCHMARK","INTO OUTFILE");
foreach($dirtyWord as $injection)
{
if(stristr($q,$injection))
{
//Do Something to remove injection and log it
}
}
Thank you.
--Steven
--Steven:
This is the way I would attempt it.
$q = explode(" ", $q);
$result = array_intersect($dirtyWord,$q);
If (count($result))
{
// then you have dirty words
}
If you want to remove them, then try this:
$q = explode(" ", $q);
$result = array_diff($dirtyWord,$q);
$q = implode(" ", $result);
But why are you doing this?
hth's
tedd
--
------------------------------------------------------------------------------------
http://sperling.com http://ancientstones.com http://earthstones.com
--- End Message ---
--- Begin Message ---
On Mon, May 29, 2006 2:27 pm, Steven Osborn wrote:
> Can someone please advise a faster solution to do what I'm doing
> below? All I need to be able to do is determine if any of the
> strings in the array are contained in $q. The method I have works,
> but I'm sure its not the most efficient way to do it.
>
> $dirtyWord = array("UNION","LOAD_FILE","LOAD DATA INFILE","LOAD
> FILE","BENCHMARK","INTO OUTFILE");
For starters, you should probably have your MySQL user constrained
from doing those things, rather than trying to hack this in PHP.
Next, what makes you think this is "slow"?
I should not be particularly slow as you are iterating over only 6
items in a PHP array.
I suppose you could try array_walk or something, but it's probably not
going to be significantly different, based on what we see here...
--
Like Music?
http://l-i-e.com/artists.htm
--- End Message ---
--- Begin Message ---
On Mon, May 29, 2006 12:53 pm, Peter Lauri wrote:
> I have been having problems that I am being classed as spam server if
> I use
> the mail() function to send out mail to people who are using my system
> (notifications etc). How can I avoid this? Anyone with experience?
#1. Stop sending HTML enhanced (cough, cough) emails.
Find out which spam software filtering is being used, and run that on
your own emails and see how it works. There's no way for us to guess
which of the THOUSANDS of things you might have done wrong, you did
wrong.
--
Like Music?
http://l-i-e.com/artists.htm
--- End Message ---
--- Begin Message ---
On Sat, May 27, 2006 8:58 am, Merlin wrote:
> I am somehow lost when it comes to regex. I am trying to remove ! and
> ?
> characters from a string. Could somebody please help me to get a
> working
> regex running for that?
>
> I tried: $str = preg_replace('/\!\?\./', ' ', $str);
An alternative:
$str = preg_replace('/[\\!\\?\\.]*/', ' ', $str);
And usual rant #37:
\ and ' are special characters inside of '' and you really SHOULD
escape them, even though PHP will let you get away with not doing it,
yea, even unto it being a "documented feature" that \x will turn into
\x so long as x is not \ or '
I also think str_replace() might be more appropriate, but would be
cautious about claims on speed for str_replace versus preg_replace,
if, for example, the array() of characters to be replaced was HUGE...
You'll have to benchmark on your own gear *IF* it matters to you,
which I doubt.
--
Like Music?
http://l-i-e.com/artists.htm
--- End Message ---
--- Begin Message ---
This function is deprecated, and you ought to use mysql_query() to
send the CREATE DB sql anyway -- So the book is either out-dated or
just plain bad.
If the function doesn't exist, then you either don't have MySQL
extension to PHP installed, or your ISP has removed that function.
On Sat, May 27, 2006 5:02 am, Mark Sargent wrote:
> Hi All,
>
> I get the following,
>
> *Fatal error*: Call to undefined function mysql_create_db() in
> */usr/local/apache2/htdocs/createmovie.php* on line 6
>
> for this code,
>
> 5 //create the moviesite database
> 6 mysql_create_db("moviesite") or die(mysql_error());
>
> which is from a tutorial in the book I'm using. Any pointers? Code
> looks
> identical to the book's. Cheers.
>
> P.S. I also tried this,
>
> mysql_create_db("moviesite", $connect) or die(mysql_error());
>
> and
>
> mysql_create_db("moviesite", "$connect") or die(mysql_error());
>
> Mark Sargent.
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
--
Like Music?
http://l-i-e.com/artists.htm
--- End Message ---
--- Begin Message ---
On Fri, May 26, 2006 10:39 am, Dotan Cohen wrote:
> What is the purpose of the sprintf? If it were using %d on integers I
> could see the point, but as we're talking about %s strings, what is
> the advantage to using sprintf?
None, really.
> How does this differ from:
> $query = "SELECT * FROM users WHERE user=".$_POST['username']." AND
> password=".$_POST['password'];
Well, except that you forgot to actually use the smart_quote()
function around the POST data, no difference really.
Some would find the sprintf more readable.
It also leads more naturally to the usage of prepared queries wherein
the data cannot be un-escaped by programmer error/accident.
But if the sprintf offends you, skip it.
Just don't skip the smart_quote bit. :-)
--
Like Music?
http://l-i-e.com/artists.htm
--- End Message ---
--- Begin Message ---
On 5/30/06, Richard Lynch <[EMAIL PROTECTED]> wrote:
On Fri, May 26, 2006 10:39 am, Dotan Cohen wrote:
> What is the purpose of the sprintf? If it were using %d on integers I
> could see the point, but as we're talking about %s strings, what is
> the advantage to using sprintf?
None, really.
> How does this differ from:
> $query = "SELECT * FROM users WHERE user=".$_POST['username']." AND
> password=".$_POST['password'];
Well, except that you forgot to actually use the smart_quote()
function around the POST data, no difference really.
Some would find the sprintf more readable.
It also leads more naturally to the usage of prepared queries wherein
the data cannot be un-escaped by programmer error/accident.
But if the sprintf offends you, skip it.
Just don't skip the smart_quote bit. :-)
--
Like Music?
http://l-i-e.com/artists.htm
Thanks. I didn't mean to skip that part- snipping error. Thanks. As I
don't come from a C background, the sprintf just clutters things from
my perspective.
Dotan Cohen
http://what-is-what.com
235
--- End Message ---
--- Begin Message ---
On Fri, May 26, 2006 9:13 am, Angelo Zanetti wrote:
> I have a situation where people enter values into a textfield can
> include the following:
>
> 1 ! 2 @ 3 # 4 $ 5 % 6 ^ 7 & 8 * 9 ( 10 ) 11 ; 12 : 13 " 14 ' 15 ? 16 -
> 17 _ 18
>
> now once the move to another page and then come back to the page where
> the textfield is I echo out the value they previously entered, from a
> session variable. When the values are saved in a session
> variable I addslashes and when I echo I stripslashes, however because
> of the " double quote it screws up my page. because the textfield's
> value is escaped prematurely.
addslashes is (or, rather, WAS) the way to escape data before it went
into the database.
Not "before it went to HTML and then into a database".
Do *NOT* do the addslashes (or mysql_real_escape_string, or whatever)
until the last possible moment, right before the $query is set up.
Meanwhile, back at the ranch, data going out to a BROWSER as part of
HTML should have http://php.net/htmlentities called on it.
This will convert your " into " which is what it should be to be
considered "data" by the browser.
Again, this should be done at the last possible moment before going
out to the browser, and without modifying your original variable
holding the data, so that you don't muddy the waters by trying to cram
" into your database.
--
Like Music?
http://l-i-e.com/artists.htm
--- End Message ---
--- Begin Message ---
You do NOT want one function per file.
Dog-slow.
You *MIGHT* want to group a bunch of functions logically into one
file, breaking up a monster file into "several" files.
On Fri, May 26, 2006 3:02 am, Mark Kelly wrote:
> Hi
>
> I'm writing a set of db abstraction functions for an internal app
> which will
> give us a set of simple function calls for dealing with the db, like
>
> $result = db_AddEmployee($EmployeeData);
> $EmployeeData = db_GetEmployee($EmployeeID);
>
> etc.
>
> There will be quite a few functions needed to deal with all the
> different
> ways the app touches the db, so my question is:
>
> Am I better off putting all these functions into one big include file
> (which
> could get pretty big) or using a seperate 'include' file for each
> function?
>
> I'm thinking about the tradeoff between simplifying code by only
> having a
> single include file (parsing a lot of functions that aren't used, but
> less
> disk access) and having several include files (no extra funcs but lots
> more
> disk access).
>
> I realise there probably isn't a 'correct' way to do this, I'm curious
> about
> which methods folk here use in situations like this.
>
> TIA in advance for any advice,
>
> Mark
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
--
Like Music?
http://l-i-e.com/artists.htm
--- End Message ---
--- Begin Message ---
On Fri, May 26, 2006 9:46 am, Mark Kelly wrote:
> On Friday 26 May 2006 14:56, Matt Carlson wrote:
>> One note on include files. Usually it's "best practice" to not name
>> them
>> .inc
>>
>> Name them .inc.php so that they cannot be opened by a webbrowser,
>> thus
>> giving more information to a potential attacker.
>
> Is this still a concern when all include files are stored outside the
> webroot (and thus in theory not directly accessible) anyway?
If they are outside the web-tree, the concerns about .inc that are
addressed by .inc.php do, in fact, become moot.
You could name them .beezelbub at that point... :-)
--
Like Music?
http://l-i-e.com/artists.htm
--- End Message ---
--- Begin Message ---
On Wed, May 24, 2006 11:26 am, Suhas wrote:
> I am trying to write a script which will avoid browser timeout problem
> and
> in that process I have created 2 files
>
> FILE1.php:
> set_time_out(1);
> echo shell_exec("/usr/local/bin/php -f FILE2.php &");
>
> FILE2.php:
> @mail($to,$sub,$msg);
> sleep(60);
> @mail($to,$sub,$msg);
>
> I run File1.php thr' browser and I get 2 emails 1 min apart. But
> browser
> does not timeout and PHP also does not throw error about timeout even
> if I
> have specified time limit to 1sec.
>
> Is there any explanation to this behaviour?
PHP time only counts stuff PHP is actually doing.
If you have a PHP script that executes a 5-minute SQL query, PHP
doesn't count *ANY* of that 5 minutes for its timeout limit.
Ditto for exec and friends.
--
Like Music?
http://l-i-e.com/artists.htm
--- End Message ---
--- Begin Message ---
On Wed, May 24, 2006 4:50 am, [EMAIL PROTECTED] wrote:
> Is a serialized array a "safe" string to insert into a mysql text
> field? Or is a
> function such as mysql_real_escape_string always needed?
Assume that a Bad Guy is smart enough to get SOMETHING in there to
mess you up, even if you serialize it.
Thus, you need to escape it.
--
Like Music?
http://l-i-e.com/artists.htm
--- End Message ---
--- Begin Message ---
On Wed, May 24, 2006 3:30 am, Angelo Zanetti wrote:
> I've been playing with captcha for one of my sites. It works well but
> have had a few issues integrating it into the site and sometimes it
> appears not to work/show the textfield and graphic.
>
> Anyway are there any other suggestions for something with similiar
> functionality as captcha and what are your experiences with these code
> bases?
There are dozens, nay, hundreds of CAPTCHA implementations.
Maybe you picked a sucky one.
It's really hard for us to say, since you don't tell us which one you
are using...
There are innumerable possible places for the system to break down,
but without knowing which implementation and seeing the source, we
could never begin to guess.
The only CAPTCHA I ever actually used to stop Bad Guys was a hokey
roll-my-own that doesn't even attempt to defeat OCR.
But I've also had to default a CAPTCHA using OCR, and it wasn't that
tricky, for that particular impelementation.
That's all the info I can give without you re-posting a better question.
--
Like Music?
http://l-i-e.com/artists.htm
--- End Message ---
--- Begin Message ---
On Wed, May 24, 2006 12:45 am, Lester Caine wrote:
> I found while trying to track things. The original problem *IS* that
> PHP
> can run two copies of a script in parallel and the second copy does
> NOT
> see the 'locking' in place on the first copy. I had always thought
> that
> PHP was sequential, but I'm not so sure now.
PHP can run as many in parallel as there are Apache children, not just 2.
You have to always assume that there are N copies of your script
running in parallel, where N is httpd.conf MaxChildren (or whatever it
is)
The Operating System can, and will, "swap" in and out of your N PHP
scripts at any point it feels like it in the middle of your code.
Nothing is sequential nor atomic unless it is documented as atomic.
You can prove this rather quickly with some http://php.net/sleep and
http://php.net/error_log and http://php.net/getmypid calls and many
browsers open, and just hitting re-load really really fast.
--
Like Music?
http://l-i-e.com/artists.htm
--- End Message ---
--- Begin Message ---
On Tue, May 23, 2006 6:19 pm, Mindaugas L wrote:
> can anybody explain how require works, and what's the difference
> between
> _once and regular? What's going on when php file is processed? In
> manual is
> written just, that it's readed once if include_once. What does to mean
> "readed"? Thank You
require and include both basically work EXACTLY as if you
copied/pasted the file into your source code, except that you are
"out" of PHP mode in the included file.
Adding _once means that PHP will ignore the statement if you have
already included or required that file anywhere else in your script
previously.
--
Like Music?
http://l-i-e.com/artists.htm
--- End Message ---
--- Begin Message ---
-----Original Message-----
From: Richard Lynch [mailto:[EMAIL PROTECTED]
Sent: 30 May 2006 06:11
To: Mindaugas L
Cc: php-general@lists.php.net
Subject: Re: [PHP] how include works?
On Tue, May 23, 2006 6:19 pm, Mindaugas L wrote:
> can anybody explain how require works, and what's the difference
> between
> _once and regular? What's going on when php file is processed? In
> manual is
> written just, that it's readed once if include_once. What does to mean
> "readed"? Thank You
require and include both basically work EXACTLY as if you
copied/pasted the file into your source code, except that you are
"out" of PHP mode in the included file.
Adding _once means that PHP will ignore the statement if you have
already included or required that file anywhere else in your script
previously.
--
I understand the difference well enough, but I've never really understood
the reason for having both. Is it to help find errors in sloppy coding, or
is there a case where including a file more than once is desirable (and
won't cause an error)?
Arno
________________________
DotContent
Professional Content Management Solutions
www.dotcontent.net
--- End Message ---
--- Begin Message ---
On Tue, May 23, 2006 5:23 pm, Adam Zey wrote:
>> why is port 80 a requirement - HTTP can technically over any port.
>>
> It must be accessible to any client, no matter what sort of firewall
> or
> proxy they go through. The only way to absolutely assure that is, as
> far
> as I know, to use port 80. It is the only port that you can count on
> with a fair degree of certainty, if the user is proxied or firewalled.
>
> I'd just as soon write my own simple webserver, but then it'd run into
> conflicts with existing webservers on port 80.
>
> My current solution is to buffer data on the client-side, and send a
> fresh POST request every so many milliseconds (Say, 250) over a
> keepalive connection with the latest buffered data. The downside of
> this
> is that it introduces up to 250ms of latency on top of the existing
> network latency, and it produces a lot of POST requests. I would
> really
> like to eliminate that by streaming the data rather than splitting it
> up
> like that.
You might maybe want to try running PHP as a CGI instead of Module,
just to see if the dirt-simple fopen('php://stdin','r') will "just
work"...
It's also remotely possible that you could check if there's a way to
implement "custom" methods other than GET/POST in PHP, which might
open up the possibility of getting partial data.
It's even remotely possible that PUT is not buffered, though I doubt it.
Ultimately, though, I think you've been painted into a corner from
which there is no real escape...
Might be time to re-negotiated.
You MIGHT be able to run a Proxy on the server side, so that your HTTP
port 80 for this particular URL gets forwarded to some other port/IP
behind the scenes -- and then PHP sockets may be viable.
This would meet most of the original requirements, and I think it
would work...
--
Like Music?
http://l-i-e.com/artists.htm
--- End Message ---
--- Begin Message ---
Hi all,
when my documents are using iso-8859-1 (Latin 1) as char set I have some
problems with displaying my JS dialogs correct with none international
characters (å, ä and ö). Allthough this hasen't got anything to do with PHP,
does anyone have any good idéas on how to solve this?
Normaly I use UTF-8 as char set, but in this case I need to use iso-8859-1
(Latin 1).
Thanks // Jonas
--- End Message ---
--- Begin Message ---
While I'm using UTF-8 as char set in my documents JavaScript messages works
correct with none international characters. But not the PHP code with
session_start(). I get the following error message:
Warning: session_start(): Cannot send session cookie - headers already sent
by (output started at /var/www/html/index3.php:1) in
/var/www/html/index3.php on line 2
But if I set the char set to Latin 1 the error message doesn't show. But
then the none internationl characters in the JavaScript messages doesn't
show as they should.
Thought I should explain my self a little bit more.
// Jonas
--- End Message ---
