php-general Digest 4 Jun 2007 19:13:08 -0000 Issue 4829

Topics (messages 256035 through 256056):

Re: Making thumbs same size
        256035 by: Christian Haensel
        256039 by: Stut
        256043 by: itoctopus
        256048 by: tedd
        256050 by: Robert Cummings

Re: Is the GD module standard?
        256036 by: Tijnema
        256044 by: itoctopus

Re: Error logging
        256037 by: Vincent Tumwijukye

Re: Single Sign On
        256038 by: Steve Edberg
        256040 by: info.phpyellow.com

undefined GD function
        256041 by: C.R.Vegelin
        256042 by: Fernando Cosso
        256047 by: zerof
        256049 by: Robert Cummings

Security for uploaded PDF files
        256045 by: Al

Re: Is the GD module standard? [SOLVED]
        256046 by: Dave M G

Double checking - I should turn off "magic quotes"
        256051 by: Dave M G
        256052 by: Robert Cummings
        256053 by: Dave M G
        256054 by: Richard Davey
        256055 by: Robert Cummings

Removing a row from an Array
        256056 by: Ken Kixmoeller -- reply to ken.kixmoeller.com


----------------------------------------------------------------------
--- Begin Message ---
Morning :o)

This is what I am using

--------------- SNIP ----------------
<?php
// The file: basename() keeps the request from pointing outside the image directory
$file           =       basename($_GET['filename']);
$target_path    =       "../_images/news/";
$filename       =       $target_path.$file;

// Set a maximum height and width
$width = 250;
$height = 250;

// Content type
header('Content-type: image/jpeg');

// Get new dimensions; stop if the file is missing or is not an image
$size = getimagesize($filename);
if ($size === false) {
    exit;
}
list($width_orig, $height_orig) = $size;

$ratio_orig = $width_orig/$height_orig;

if ($width/$height > $ratio_orig) {
  $width = (int) round($height*$ratio_orig);
} else {
  $height = (int) round($width/$ratio_orig);
}

// Resample
$image_p = imagecreatetruecolor($width, $height);
$image = imagecreatefromjpeg($filename);
$dest_path = "../_images/news/";
imagecopyresampled($image_p, $image, 0, 0, 0, 0, $width, $height,
                   $width_orig, $height_orig);
$dest_file      =       $dest_path."thumb_".$file;

// Output: written to $dest_file, nothing is sent to the browser
imagejpeg($image_p, $dest_file, 100);

?>


------------- SNAP ---------------

If I read it now, I must admit that it might be hard to understand (even I
am having a hard time reading it... I guess there is some useless stuff in
there, too)... but I haven't had coffee yet, so I might be able to explain
that stuff to you a bit later. But maybe this code example does help you...
if not, please ask. :o) I will try my best then ... hopefully you just
needed the calculation part :oP

Cheerio mate

Chris



----- Original Message -----
From: "Humani Power" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, June 04, 2007 8:44 AM
Subject: [PHP] Making thumbs same size


Hey hi!!.

I have a few pages that upload images to the apache server and make a
registry on a mysql database. Everything is going well just for a few
details.

When I make the upload for an image, it creates me a thumb image, but not
as I want. For example, if I have an image that is 2000 x 2000 px, the
thumb created is 200 x 200. If I upload another with 300x300 px, my thumb
will be 30x30 px, making the gallery look pretty bad.  The only thing that
I need is that all my thumbs be the same size.
I've tried to modify the thumb width and height size, but it doesn't work..
Probably I am not understanding how to use the resampling() tool.

here is my code.

<?php
include("connection.php");
// make variables available
$image_caption = $_POST['image_caption'];
$image_username = $_POST['image_username'];
// basename() drops any directory part of the client-supplied file name
$image_tempname = basename($_FILES['image_filename']['name']);
$image_date = date($_POST['image_date']);
$today = date("Y-m-d");
// upload image and check for image type
$ImageDir = "/var/www/apache2-default/images/";
$Imagethumb = $ImageDir."thumbs/";
$ImageName = $ImageDir . $image_tempname;
if (move_uploaded_file($_FILES['image_filename']['tmp_name'], $ImageName)) {
    // get info about the image being uploaded
    list($width, $height, $type, $attr) = getimagesize($ImageName);

    // only GIF (1), JPEG (2) and PNG (3) are handled below; discard anything else
    if (!in_array($type, array(1, 2, 3))) {
        unlink($ImageName);
        die("Unsupported image type");
    }

    // insert info into the table, escaping each value for MySQL
    $insert = "insert into rsiis_images
               (image_caption,image_username,image_date,image_date_upload)
               values
               ('" . mysql_real_escape_string($image_caption) . "','"
                   . mysql_real_escape_string($image_username) . "','"
                   . mysql_real_escape_string($image_date) . "','$today')";
    $insertresults = mysql_query($insert)
        or die(mysql_error());
    $lastpicid = mysql_insert_id();

    $newfilename = $ImageDir . $lastpicid . ".jpg";
    if ($type == 2) {
        rename($ImageName, $newfilename);
    } else {
        if ($type == 1) {
            $image_old = imagecreatefromgif($ImageName);
        } elseif ($type == 3) {
            $image_old = imagecreatefrompng($ImageName);
        }

        // convert the image to JPG
        $image_jpg = imagecreatetruecolor($width, $height);
        imagecopyresampled($image_jpg, $image_old, 0, 0, 0, 0, $width,
                           $height, $width, $height);

        imagejpeg($image_jpg, $newfilename);
        imagedestroy($image_old);
        imagedestroy($image_jpg);
    }

    $newthumbname = $Imagethumb . $lastpicid . ".jpg";
    // get dimensions of the thumbnail
    $thumb_width = $width * 0.10;
    $thumb_height = $height * .10;

    // Create thumbnail
    $largeimage = imagecreatefromjpeg($newfilename);

    $thumb = imagecreatetruecolor($thumb_width, $thumb_height);
    imagecopy($thumb, $largeimage, 0, 0, 0, 0, $width, $height);
    imagecopyresampled($thumb, $largeimage, 0, 0, 0, 0,
                       $thumb_width, $thumb_height, $width, $height);
    imagejpeg($thumb, $newthumbname);
    imagedestroy($largeimage);
    imagedestroy($thumb);

    $url = "location:showimage.php?id=" . $lastpicid;
    header($url);
}
?>



thanks for your help


--- End Message ---
--- Begin Message ---
Humani Power wrote:
> Hey hi!!.
>
> I have a few pages that upload images to the apache server and make a
> registry on a mysql database. Everything is going well just for a few
> details.
>
> When I make the upload for an image, it creates me a thumb image, but not as
> I want. For example, if I have an image that is 2000 x 2000 px, the
> thumb created is 200 x 200. If I upload another with 300x300 px, my thumb
> will be 30x30 px, making the gallery look pretty bad. The only thing that I
> need is that all my thumbs be the same size.
> I've tried to modify the thumb width and height size, but it doesn't work..
> Probably I am not understanding how to use the resampling() tool.

Shockingly, the following lines which multiply the image width and height by 0.1 to create the thumb width and height mean that your thumb is always 10% of the size of the image.

$thumb_width=$width*0.10;
$thumb_height=$height*.10;

Make these real numbers (taking account of aspect ratio), and you'll get what you're after. There are lots of tutorials out there explaining how to create thumbnails from images using GD, I suggest you Google for one.

-Stut

--- End Message ---
--- Begin Message ---
$thumb_width=50; //change this number to your preference
$thumb_height=50;

-- 
itoctopus - http://www.itoctopus.com
""Humani Power"" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]
> Hey hi!!.
>
> I have a few pages that upload images to the apache server and make a
> registry on a mysql database. Everything is going well just for a few
> details.
>
> When I make the upload for an image, it creates me a thumb image, but not
> as I want. For example, if I have an image that is 2000 x 2000 px, the
> thumb created is 200 x 200. If I upload another with 300x300 px, my thumb
> will be 30x30 px, making the gallery look pretty bad.  The only thing that
> I need is that all my thumbs be the same size.
> I've tried to modify the thumb width and height size, but it doesn't work..
> Probably I am not understanding how to use the resampling() tool.
>

--- End Message ---
--- Begin Message ---
At 1:44 AM -0500 6/4/07, Humani Power wrote:
> Hey hi!!.
>
> I have a few pages that upload images to the apache server and make a
> registry on a mysql database. Everything is going well just for a few
> details.
>
> When I make the upload for an image, it creates me a thumb image, but not as
> I want. For example, if I have an image that is 2000 x 2000 px, the
> thumb created is 200 x 200. If I upload another with 300x300 px, my thumb
> will be 30x30 px, making the gallery look pretty bad.  The only thing that I
> need is that all my thumbs be the same size.
> I've tried to modify the thumb width and height size, but it doesn't work..
> Probably I am not understanding how to use the resampling() tool.
>
> here is my code.

Humani:

-snip-

Don't scale, resample. See here:

http://www.webbytedd.com/b/thumb/index.php

Cheers,

tedd
--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--- End Message ---
--- Begin Message ---
On Mon, 2007-06-04 at 09:50 -0400, tedd wrote:
>
> Don't scale, resample. See here:
> 
> http://www.webbytedd.com/b/thumb/index.php

Hi Tedd,

In your script you have:

    ini_set( 'register_globals', '0' );

The line is pointless, it can't be reached until after such globals have
been registered.

Also you have:

    ob_start();

Why use output buffering? You don't actually do anything with the buffer
other than flushing it :)

Cheers,
Rob.
-- 
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'

--- End Message ---
--- Begin Message ---
On 6/4/07, Greg Donald <[EMAIL PROTECTED]> wrote:
> On 6/3/07, Robert Cummings <[EMAIL PROTECTED]> wrote:
> > Every host I've ever used has had GD installed. If they didn't offer GD,
> > I'd switch. I think it's a safe bet to assume most realistic hosts have
> > GD.
>
> Same here.  Been using it for years, never had to ask for it to be installed.
>
>
> --
> Greg Donald
> http://destiney.com/

For paid hosts, it should be installed, but if you want to use it on
free hosts too, there's a little chance that they have GD installed.

Tijnema

--- End Message ---
--- Begin Message ---
The GD module is an option that most sys admins install with php (It also 
installs by default on OS such as Centos, Ubuntu, etc...)

-- 
itoctopus - http://www.itoctopus.com
"Dave M G" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]
> PHP General,
>
> I have been using the imagepng() function in my local testing environment 
> for a while now to make CAPTCHA images.
>
> In my testing environment, I hadn't done any customization to my PHP set 
> up. I went with the default set of installation options that Ubuntu offers 
> for a LAMP server.
>
> Recently, I uploaded my site to a web hosting server, and the CAPTCHA 
> would not display.
>
> At first, I didn't understand that it was a module issue, because I 
> thought the imagepng() function was standard in PHP.
>
> However, by using the phpinfo() command on my hosting service, I realized 
> they don't have the GD module installed.
>
> So my assumption that imagepng() will be available on any standard 
> installation of PHP is wrong.
>
> However, I'm surprised that it wouldn't be as common as, say, the MySQL 
> module.
>
> Is it that my Ubuntu installation comes with an unusual amount of bells 
> and whistles? Is it that my web hosting server is lacking in what can be 
> expected for standard PHP features?
>
> I want to write code that most people can expect to run on their hosting 
> services without having to reconfigure their PHP installation. So, can I 
> expect that most servers would have the GD module? If not, what do people 
> usually do to manipulate images?
>
> Thank you for any advice.
>
> -- 
> Dave M G
> Ubuntu Feisty 7.04
> Kernel 2.6.20-15-386 

--- End Message ---
--- Begin Message ---
I suggest each student adds the line
error_reporting(E_ALL);
This will echo the errors and will not affect the php.ini settings.
Hope that will work for you

cheers


On 5/31/07, Clark Alexander <[EMAIL PROTECTED]> wrote:
>
> We have the following php.ini settings:
> error_reporting  =  E_ALL
> display_errors = Off
> display_startup_errors = Off
> log_errors = On
> log_errors_max_len = 1024
> ignore_repeated_errors = Off
> ignore_repeated_source = Off
> report_memleaks = On
> track_errors = Off
>
> on a SuSE 10.1 server and the errors are being logged to
> /var/log/apache2/error_log
> (although I can't seem to find a setting that is making that happen.)
>
> parse errors ARE being logged to this file and that would be extremely
> useful information for students to be able to have when trying to find
> problems in their scripts. I can't just make that file readable to them.
>
> So, I had students create a "logs" directory within their file area and
> set the permissions so that the server can write to it. I have them adding
> the following to the script(s) that they wish to troubleshoot:
>
> ini_set("log_errors", "On");
> ini_set("error_reporting", E_ALL);
> ini_set("error_log", "logs/error_log");
>
>
> Parse errors are not being written to their personal log file, though. Why
> not?? About the only thing going in there are NOTICE level entries.
>
> Thanks.
>
> Clark W. Alexander

--
Tumwijukye Vincent
Programmer & Software Architect
Future Link Technologies
Plot 17 Bukoto Street,
P. O. BOX 14697,
KAMPALA - UGANDA
Tel: +256(0)774638790
Off:+256(0)41531274
Website: www.fl-t.com

--- End Message ---
--- Begin Message ---
At 8:06 AM +0530 6/4/07, Sudheer Satyanarayana wrote:
> Hi,
>
> We have three web sites
> a) example1.com
> b) example2.com
> c) my.example2.com
>
>
> Our sites include exclusive pages for registered users. All user account
> management tasks are handled by my.example2.com including registration,
> modification, cancellation, etc. We would like to create a single sign
> on system for all the three web sites. The user would sign on with a
> single username and password to all three web sites. For example, when
> the user visits a membership page in example1.com he would be prompted
> to sign on to his account. His credentials are stored in
> my.example2.com. my.example2.com is now fully functional. After the
> successful sign on, the user would be redirected to original membership
> page in example1.com.
>
> How would I pass the information from my.example2.com to example1.com
> about the authentication status of user?
>
> We use MySQL database to store and retrieve user account details in
> my.example2.com. The web host does not allow remote database connections.


If you have some control over software installation/web server configuration, you may find Pubcookie -

        http://www.pubcookie.org/

- useful.

        steve

--
+--------------- my people are the people of the dessert, ---------------+
| Steve Edberg                                http://pgfsun.ucdavis.edu/ |
| UC Davis Genome Center                            [EMAIL PROTECTED] |
| Bioinformatics programming/database/sysadmin             (530)754-9127 |
+---------------- said t e lawrence, picking up his fork ----------------+

--- End Message ---
--- Begin Message ---
Sudheer,
Another simple alternative is to pass the id to each site, and then make a 
cookie out of the id. If the user has the cookie then they authenticate, else, 
send them back to sign in at my.example2.com

Sincerely,
rob
http://phpyellow.com

===
Sudheer wrote:
>Date: Mon, 04 Jun 2007 08:06:52 +0530
>From: Sudheer Satyanarayana <[EMAIL PROTECTED]>
>To:  [EMAIL PROTECTED]
>Subject: Single Sign On
>Hi,
>
>We have three web sites
>a) example1.com
>b) example2.com
>c) my.example2.com
>
>
>Our sites include exclusive pages for registered users. All user account
>management tasks are handled by my.example2.com including registration,
>modification, cancellation, etc.  We would like to create a single sign
>on system for all the three web sites. The user would sign on with a
>single username and password to all three web sites. For example, when
>the user visits a membership page in example1.com he would be prompted
>to sign on to his account.  His credentials are stored in
>my.example2.com.  my.example2.com is now fully functional. After the
>successful sign on, the user would be redirected to original membership
>page in example1.com.
>
>How would I pass the information from my.example2.com to example1.com
>about the authentication status of user?
>
>We use MySQL database to store and retrieve user account details in
>my.example2.com. The web host does not allow remote database connections.
>
>Thanks,
>Sudheer 

--- End Message ---
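
Added example, not part of any message in this thread: for the hand-off the question asks about, example1.com can accept a user id only when it arrives inside a value it can verify was issued by my.example2.com. This PHP sketch (PHP 7 or later) signs a short-lived, single-use ticket with a secret configured on both sites, so no remote database connection is needed. The function names, the secret, the 60-second lifetime and passing the ticket in the redirect back to example1.com over HTTPS are all assumptions.

```php
<?php
// Added example, not from the thread. Function names, the secret and the
// 60-second lifetime are assumptions made for illustration.

/** Issued by my.example2.com after a successful sign-on. */
function sso_issue_ticket($userId, $audience, $secret, $now, $ttl = 60)
{
    $claims = array(
        'uid' => (int) $userId,             // who signed on
        'aud' => $audience,                 // which site the ticket is for
        'exp' => $now + $ttl,               // short lifetime limits replay
        'jti' => bin2hex(random_bytes(8)),  // unique id, for one-time use
    );
    $body = bin2hex(json_encode($claims));
    return $body . '.' . hash_hmac('sha256', $body, $secret);
}

/**
 * Run by the receiving site. Returns the claims array, or null when the
 * ticket is malformed, forged, meant for another site, expired or reused.
 * $seenIds stands in for a table or cache kept by the receiving site.
 */
function sso_verify_ticket($ticket, $audience, $secret, $now, array &$seenIds)
{
    $parts = explode('.', (string) $ticket);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || strlen($parts[0]) % 2 !== 0) {
        return null;
    }
    list($body, $mac) = $parts;

    // Verify the MAC first, in constant time, before trusting any field.
    if (!hash_equals(hash_hmac('sha256', $body, $secret), $mac)) {
        return null;
    }
    $claims = json_decode(hex2bin($body), true);
    if (!is_array($claims)
        || !isset($claims['uid'], $claims['aud'], $claims['exp'], $claims['jti'])) {
        return null;
    }
    if ($claims['aud'] !== $audience || $claims['exp'] < $now) {
        return null;
    }
    if (isset($seenIds[$claims['jti']])) {
        return null; // already redeemed once
    }
    $seenIds[$claims['jti']] = $claims['exp'];
    return $claims;
}

// Demonstration with constructed values (CLI only).
if (PHP_SAPI === 'cli') {
    $secret = 'constructed-demo-secret'; // in practice: long, random, in config on both sites
    $now    = 1180924012;                // constructed clock value
    $seen   = array();

    $ticket  = sso_issue_ticket(42, 'example1.com', $secret, $now);
    $other   = sso_issue_ticket(42, 'example1.com', $secret, $now);
    $altered = 'ff' . substr($other, 2); // body changed, MAC left as it was

    $checks = array(
        'valid ticket'      => sso_verify_ticket($ticket, 'example1.com', $secret, $now + 5, $seen),
        'same ticket again' => sso_verify_ticket($ticket, 'example1.com', $secret, $now + 6, $seen),
        'bare user id'      => sso_verify_ticket('42', 'example1.com', $secret, $now, $seen),
        'altered body'      => sso_verify_ticket($altered, 'example1.com', $secret, $now, $seen),
        'wrong site'        => sso_verify_ticket($other, 'example2.com', $secret, $now, $seen),
        'expired'           => sso_verify_ticket($other, 'example1.com', $secret, $now + 3600, $seen),
    );
    foreach ($checks as $label => $result) {
        echo str_pad($label, 20), $result === null ? 'rejected' : 'accepted uid ' . $result['uid'], "\n";
    }
}
```

After a ticket verifies, the receiving site starts its own session for that user; the ticket itself is not kept as the login cookie.
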
--- Begin Message ---
Hi All,

I am testing some GD functions, but I'm getting "undefined function" errors.
I checked php.ini and changed
;extension=php_gd2.dll
to
extension=php_gd2.dll

The php.ini file contains: extension_dir = "c:/php/ext"
and this directory does contain php_gd2.dll (version 5.2.0.0)
I am using Windows XP, PHP 5.2.0 and IIS 5.1.

The function getimagesize($filename); is okay,
but imagecreatetruecolor($width, $height); says "undefined function".

I would appreciate some hints.

TIA, Cor




--- End Message ---
--- Begin Message ---
Hi
Well that is weird.
Search the apache log for errors and also look at the phpinfo page to see
which gd version you have.
Keep in mind these two notes

*Note: *This function requires GD 2.0.1 or later (2.0.28 or later is
recommended).

*Note: * This function will not work with GIF file formats.

Best regards

--
[EMAIL PROTECTED]
http://www.fernandocosso.com.ar

--- End Message ---
--- Begin Message ---
C.R.Vegelin wrote:
> Hi All,
>
> I am testing some GD functions, but I'm getting "undefined function" errors.
> I checked php.ini and changed
> ;extension=php_gd2.dll
> to
> extension=php_gd2.dll
>
> The php.ini file contains: extension_dir = "c:/php/ext"
> and this directory does contain php_gd2.dll (version 5.2.0.0)
> I am using Windows XP, PHP 5.2.0 and IIS 5.1.
>
> The function getimagesize($filename); is okay,
> but imagecreatetruecolor($width, $height); says "undefined function".
>
> I would appreciate some hints.
>
> TIA, Cor

----
The function getimagesize() does not require the GD image library.
Check your system with:
----------------------

<style type="text/css">
<!--
.abcv {
    font-family: Geneva, Arial, Helvetica, sans-serif;
    font-size: 18px;
    font-style: italic;
    color: #0000FF;
    background-color: #CCCCCC;
    border: 1px solid #33FF00;
    padding-top: 2px;
    padding-right: 10px;
    padding-bottom: 2px;
    padding-left: 10px;
}
-->
</style>
<?php

/* --------------------------------------------------
     (E) EXECUTE to see the loaded extensions
   -------------------------------------------------- */

 $exts = get_loaded_extensions ();

 foreach ( $exts as $xt )
 {
 $funcs10 = get_extension_funcs ($xt);
 echo '<br /><br /><span class="abcv">' . $xt . '</span><br /><br />';

 echo "<pre>";
 print_r ( $funcs10 );
 echo "</pre>";
 }

?>

If the GD library was listed, use:
--------------------------------

<?php

/*
array get_extension_funcs ( string module_name )
*/

 $gdfuncs = get_extension_funcs ("gd");

 echo "<pre>";
 print_r ( $gdfuncs );
 echo "</pre>";
?>

To see all the active GD functions.
--
zerof
http://www.educar.pro.br/
Apache - PHP - MySQL - Boolean Logics - Project Management
----------------------------------------------------------
You must hear, always, one second opinion! In all cases.
----------------------------------------------------------
Let the people know if this info was useful for you!
----------------------------------------------------------

--- End Message ---
--- Begin Message ---
On Mon, 2007-06-04 at 10:16 -0300, zerof wrote:
> C.R.Vegelin wrote:
> > Hi All,
> > 
> > I am testing some GD functions, but I'm getting "undefined function" errors.
> > I checked php.ini and changed
> > ;extension=php_gd2.dll
> > to
> > extension=php_gd2.dll

That doesn't mean you actually have the extension installed, only that
if you do have it installed, it's now enabled.

> ----
> The function getimagesize() does not require the GD image library.
> Check your system with:
> ----------------------

[-- PURGED LENGTHY OUTPUT SCRIPT --]

Just use:

<?php

    phpinfo();

?>

Then check for the GD extension in the installed extensions list.

Cheers,
Rob.

--- End Message ---
--- Begin Message ---
I have an application, with mild security, that approved users can upload pdf files. Obviously, the security for executables with a simple pdf extension bothers me.

I'd like some suggestions on how I can protect against errant files with a pdf guise?

Thanks.........

--- End Message ---
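
Added example, not part of the message above: one way to check an upload by its bytes rather than by its extension, and to store it under a name the server chooses. It is written for PHP 7 or later; the function names, the 10 MiB limit and a storage directory outside the web root are assumptions, and the sample files are constructed.

```php
<?php
// Added example, not from the thread. Names and limits are assumptions.

const PDF_MAX_BYTES = 10485760; // assumed 10 MiB ceiling

/** Returns null when $path passes the content checks, else the reason. */
function pdf_rejection_reason($path)
{
    $size = @filesize($path);
    if ($size === false || $size < 16 || $size > PDF_MAX_BYTES) {
        return 'size out of range';
    }
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return 'unreadable';
    }
    $head = fread($fh, 5);
    fseek($fh, -min($size, 1024), SEEK_END);
    $tail = fread($fh, 1024);
    fclose($fh);

    // The extension and the browser-sent MIME type are client-controlled;
    // only the bytes themselves are checked here.
    if ($head !== '%PDF-') {
        return 'no %PDF- signature at offset 0';
    }
    if (strpos($tail, '%%EOF') === false) {
        return 'no %%EOF marker near the end';
    }
    if (class_exists('finfo')) { // second opinion from libmagic, if available
        $finfo = new finfo(FILEINFO_MIME_TYPE);
        $mime = $finfo->file($path);
        if ($mime !== 'application/pdf') {
            return 'libmagic reports ' . $mime;
        }
    }
    return null;
}

/**
 * Handles one entry of $_FILES. On success returns the server-chosen file
 * name; on failure returns false. $storageDir is assumed to lie outside
 * the web root, with downloads served through a script.
 */
function store_pdf_upload(array $upload, $storageDir)
{
    if ($upload['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($upload['tmp_name'])) {
        return false;
    }
    if (pdf_rejection_reason($upload['tmp_name']) !== null) {
        return false;
    }
    // Never reuse the client's file name: a random name with a fixed
    // extension cannot end in .php, .exe or similar.
    $name = bin2hex(random_bytes(16)) . '.pdf';
    return move_uploaded_file($upload['tmp_name'], $storageDir . '/' . $name) ? $name : false;
}

// Demonstration on constructed sample files (CLI only).
if (PHP_SAPI === 'cli') {
    $samples = array(
        'minimal PDF' =>
            "%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n",
        'program file renamed to .pdf' =>
            "MZ" . str_repeat("\0", 62) . "constructed stand-in for an executable",
        'PDF header, truncated body' =>
            "%PDF-1.4\n" . str_repeat('A', 40),
    );
    foreach ($samples as $label => $bytes) {
        $path = tempnam(sys_get_temp_dir(), 'pdfchk');
        file_put_contents($path, $bytes);
        $reason = pdf_rejection_reason($path);
        echo $label, ': ', $reason === null ? 'accepted' : 'rejected (' . $reason . ')', "\n";
        unlink($path);
    }
}
```

These checks establish only that the bytes are laid out as a PDF. What keeps a mislabelled file from being run by the web server is the server-chosen name and a storage location the server does not execute from.
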
--- Begin Message ---
Tijnema, Greg, Robert,

Thank you all for your advice.

After the responses here convinced me that the GD libraries should be expected, I've contacted my hosting service to inquire why it's not already installed.

My hosting service allows me to make custom configurations to PHP. Fortunately it turns out it's only a matter of making a check box selection and then clicking a button to install.

Thank you for helping me understand what to expect out of a normal PHP installation.

--
Dave M G
Ubuntu Feisty 7.04
Kernel 2.6.20-15-386

--- End Message ---
--- Begin Message ---
PHP General,

I've read on the manual that it's "preferred to code with magic quotes off and to instead escape the data at runtime, as needed":

Recently, while configuring my PHP so as to install the GD libraries, I noticed that the default option was to have magic quotes turned on.

I just want to double check here what to do. Should I disable magic quotes on my server?

Also, I'm developing code that I hope others can use. For the purposes of portability, is it safe to assume that most environments will have magic quotes off, and build for that?

So I should disable magic quotes on my testing environment and do my own escaping?

While I'm asking about escaping, is converting characters like apostrophes and ampersands to hex characters before storing them in a MySQL database a safe way to go?

Thank you for any advice.

--
Dave M G
Ubuntu Feisty 7.04
Kernel 2.6.20-15-386

--- End Message ---
--- Begin Message ---
On Mon, 2007-06-04 at 23:02 +0900, Dave M G wrote:
> PHP General,
> 
> I've read on the manual that it's "preferred to code with magic quotes 
> off and to instead escape the data at runtime, as needed":

Indeed this is preferable.

> Recently, while configuring my PHP so as to install the GD libraries, 
> I noticed that the default option was to have magic quotes turned on.

That's because there's a lot of bad scripts out there.

> I just want to double check here what to do. Should I disable magic 
> quotes on my server?

Not unless you're certain you don't have any scripts that rely on magic
quotes. If you do, then they will become open security holes.

> Also, I'm developing code that I hope others can use. For the purposes 
> of portability, is it safe to assume that most environments will have 
> magic quotes off, and build for that?

No, you should check the ini setting in your code and react accordingly.

> So I should disable magic quotes on my testing environment and do my own 
> escaping?

Yes.

> While I'm asking about escaping, is converting characters like 
> apostrophes and ampersands to hex characters before storing them in a 
> MySQL database a safe way to go?

No, use the proper escaping mechanism offered for your particular
database.

Cheers,
Rob.

--- End Message ---
--- Begin Message ---
Robert,

Thank you for your quick reply.

If it's okay, I'd just like to clarify the points you raise.

>> I just want to double check here what to do. Should I disable magic quotes on my server?
>
> Not unless you're certain you don't have any scripts that rely on magic
> quotes. If you do, then they will become open security holes.

The only scripts I have are the ones I put there myself. So if I conform to the no magic quotes standard, then I should be safe, right?

>> Also, I'm developing code that I hope others can use. For the purposes of portability, is it safe to assume that most environments will have magic quotes off, and build for that?
>
> No, you should check the ini setting in your code and react accordingly.

Sorry, I don't quite follow you here. If I turn magic quotes off on both my testing environment and my server, as is "preferable" according to the manual, then my ini file will conform to that.

But I don't see how that relates to the portability of the code. As much as possible, I'd like to have others be able to run my scripts with minimum hassle.

If I make my development environment and my own web hosting server conform to the "preferable" set up, but most servers default to having magic quotes on, then won't my code break on most people's servers?

>> So I should disable magic quotes on my testing environment and do my own escaping?
>
> Yes.

Okay... but I'm still confused as to how this impacts the potential for my code's portability as described above.

>> While I'm asking about escaping, is converting characters like apostrophes and ampersands to hex characters before storing them in a MySQL database a safe way to go?
>
> No, use the proper escaping mechanism offered for your particular
> database.

Since my database is MySQL, does that mean using addslashes() and stripslashes()? In other words manually doing what magic quotes was doing automatically?

Just for my own education, is it insecure to use hex codes to store apostrophes and other special characters in the case of MySQL? Can someone inject a workable MySQL command into my database if all apostrophes and other non-alphanumeric characters are converted to hex?

--
Dave M G
Ubuntu Feisty 7.04
Kernel 2.6.20-15-386

--- End Message ---
--- Begin Message ---
Hi Dave,

Monday, June 4, 2007, 3:25:25 PM, you wrote:

>> No, you should check the ini setting in your code and react accordingly.
>>   
> Sorry, I don't quite follow you here. If I turn magic quotes off on both
> my testing environment and my server, as is "preferable" according to 
> the manual, then my ini file will conform to that.

> But I don't see how that relates to the portability of the code. As much
> as possible, I'd like to have others be able to run my scripts with 
> minimum hassle.

> If I make my development environment and my own web hosting server 
> conform to the "preferable" set up, but most servers default to having
> magic quotes on, then won't my code break on most people's servers?

In your code you check to see if magic quotes is enabled or not:

http://uk2.php.net/manual/en/function.get-magic-quotes-runtime.php
http://uk2.php.net/manual/en/function.get-magic-quotes-gpc.php

You can check if magic quotes is on, and if so you can strip the
incoming data accordingly. You cannot disable GPC quoting unless you
have access to set php values (ini file, htaccess, etc), but you *can*
disable runtime quoting (which is what happens when data is fetched
from a database). On the basis that you can't disable GPC quoting you
only need to know what state the data you receive will be in, and
treat it accordingly.

Cheers,

Rich
-- 
Zend Certified Engineer
http://www.corephp.co.uk

"Never trust a computer you can't throw out of a window"

--- End Message ---
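
Added example, not from any poster in this thread: the check-then-strip step described in the replies, followed by handing the raw value to the database driver as a bound parameter. It assumes the pdo_sqlite extension, with an in-memory SQLite database standing in for MySQL so that it runs offline; the helper names are hypothetical and the input is constructed.

```php
<?php
// Added example, not from the thread. Helper names are assumptions.

/** True only where the old magic_quotes_gpc setting exists and is on. */
function magic_quotes_active()
{
    // get_magic_quotes_gpc() was removed in PHP 8.0 and the setting has
    // had no effect since PHP 5.4. @ silences the PHP 7.4 deprecation.
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

/** Undo addslashes()-style quoting on a string or a nested array. */
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

/** Bring request data to its raw form whatever the server setting is. */
function raw_input(array $input, $quotesActive)
{
    return $quotesActive ? strip_magic_quotes($input) : $input;
}

/** Store one name through a prepared statement and read it back. */
function store_and_fetch(PDO $db, $name)
{
    $db->exec('DELETE FROM people');
    $stmt = $db->prepare('INSERT INTO people (name) VALUES (?)');
    $stmt->execute(array($name)); // the driver handles quoting
    return $db->query('SELECT name FROM people')->fetchColumn();
}

// Demonstration with constructed input (CLI only).
if (PHP_SAPI === 'cli') {
    // What $_POST holds for the name O'Reilly on a server with magic quotes on.
    $post = array('name' => "O\\'Reilly", 'tags' => array("it\\'s"));

    $db = new PDO('sqlite::memory:'); // stand-in for MySQL
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE people (name TEXT)');

    // Ignoring the setting: the backslash added by magic quotes is stored as data.
    echo 'unchecked: ', store_and_fetch($db, $post['name']), "\n";

    // Checking first (forced to true here to match the constructed input).
    $clean = raw_input($post, true);
    echo 'checked:   ', store_and_fetch($db, $clean['name']), "\n";

    // In a real script: $_POST = raw_input($_POST, magic_quotes_active());
}
```
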
--- Begin Message ---
On Mon, 2007-06-04 at 23:25 +0900, Dave M G wrote:
> Robert ,
> 
> Thank you for your quick reply.
> 
> If it's okay, I'd just like to clarify the points you raise.
> 
> >> I just want to double check here what to do. Should I disable magic 
> >> quotes on my server?
> >>     
> >
> > Not unless you're certain you don't have any scripts that rely on magic
> > quotes. If you do, then they will become open security holes.
> >   
> The only scripts I have are the ones I put there myself. So if I conform 
> to the no magic quotes standard, then I should be safe, right?

Yes... as long as they all properly escape data.

> >> Also, I'm developing code that I hope others can use. For the purposes 
> >> of portability, is it safe to assume that most environments will have 
> >> magic quotes off, and build for that?
> >>     
> >
> > No, you should check the ini setting in your code and react accordingly.
> >   
> Sorry, I don't quite follow you here. If I turn magic quotes off on both 
> my testing environment and my server, as is "preferable" according to 
> the manual, then my ini file will conform to that.
> 
> But I don't see how that relates to the portability of the code. As much 
> as possible, I'd like to have others be able to run my scripts with 
> minimum hassle.
> 
> If I make my development environment and my own web hosting server 
> conform to the "preferable" set up, but most servers default to having 
> magic quotes on, then won't my code break on most people's servers?

If you want other people to run your scripts then they may come from
different hosting configurations. Some will have magic quotes enabled,
some will not. Since you want a minimum of hassle, and you want to reach
the widest possible group, YOU need to check the magic quotes ini
setting in your script and do the right thing based on what you receive.
For instance if magic quotes are disabled, you know to escape any
questionable data coming from $_GET, $_POST, etc. However if your code
is run on a server with magic quotes enabled, then single quotes and
stuff will already be escaped. This has a couple of issues:

    1. It's not safe since it doesn't use your database's specific
       escaping policy. This is important due to character sets.

    2. If you just blatantly apply the database's escaping policy some
       characters will get escaped twice meaning you'll actually see the
       escape character added by the magic quotes mess.

The best way to handle this is to remove magic quotes escaping from
retrieved values and then apply your database's escaping mechanism. If
you cannot ascertain the source of the data being used in a query,
you're better safe than sorry and should apply your database's escaping
even if it means you'll get double escaping.

> >> So I should disable magic quotes on my testing environment and do my own 
> >> escaping?
> >>     
> >
> > Yes.
> >   
> 
> Okay... but I'm still confused as to how this impacts the potential for 
> my code's portability as described above.

Your environment is not necessarily everyone else's environment. See
above :)

> >> While I'm asking about escaping, is converting characters like 
> >> apostrophes and ampersands to hex characters before storing them in a 
> >> MySQL database a safe way to go?
> >>     
> >
> > No, use the proper escaping mechanism offered for your particular
> > database.
> Since my database is MySQL, does that mean using addslashes() and 
> stripslashes()? In other words manually doing what magic quotes was 
> doing automatically?

Neither! It means using mysql_real_escape_string():

    http://www.php.net/manual/en/function.mysql-real-escape-string.php

> Just for my own education, is it insecure to use hex codes to store 
> apostrophes and other special characters in the case of MySQL? Can 
> someone inject a workable MySQL command into my database if all 
> apostrophes and other non-alphanumeric characters are converted to hex?

Escaping handles the security implications. If you want to go ahead and
do something weird like converting quotes and stuff to hex codes that's
fine. But understand that you're just creating your own escaping
system since whatever you use to denote a hex converted character will
need to be escaped when it should be considered literal. As such, MySQL
is backed by fast and time/user-tested C code. Your method will be prone
to errors and inefficient implementation and still may have issues due
to character set issues.

Cheers,
Rob.
-- 
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'

--- End Message ---
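
The approach described in the two replies above (detect GPC quoting, strip it, then apply the database's own escaping exactly once), as an added example that is not code from any poster in the thread. The function names are hypothetical, and addslashes() stands in for mysql_real_escape_string() only so the example runs without a database connection.

```php
<?php
// Added example. Function names are hypothetical, not from the thread.

// True when the server adds slashes to GET/POST/COOKIE data.
// get_magic_quotes_gpc() was removed in PHP 8, where this quoting never happens.
function gpc_quoting_enabled()
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Recursively undo magic-quotes escaping on a value or nested array of values.
function strip_magic_quotes($value)
{
    return is_array($value)
        ? array_map('strip_magic_quotes', $value)
        : stripslashes($value);
}

// Return request data in raw form regardless of the server's setting.
function raw_input(array $data, $quoted)
{
    return $quoted ? strip_magic_quotes($data) : $data;
}

// Placeholder escaper so the example runs without a database connection.
// With a live MySQL link, use mysql_real_escape_string() as the thread says;
// addslashes() is not character-set aware and is here for illustration only.
function demo_escape($s)
{
    return addslashes($s);
}

// Constructed sample: what the browser sent, and the same data as delivered
// by a server with magic_quotes_gpc enabled.
$as_sent   = array('name' => "O'Reilly", 'tags' => array("it's"));
$as_quoted = array('name' => "O\\'Reilly", 'tags' => array("it\\'s"));

// Escaping quoted input directly escapes the magic-quotes backslash again.
echo "double escaped: ", demo_escape($as_quoted['name']), "\n";

// Stripping first restores the raw value, so it is escaped exactly once.
$clean = raw_input($as_quoted, true);
echo "escaped once:   ", demo_escape($clean['name']), "\n";
var_dump($clean === $as_sent);

// In a real script: $input = raw_input($_POST, gpc_quoting_enabled());
```
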
--- Begin Message ---
Hey - - - - - - --

To do this, I am:

 - looping through the array
 - copying the rows that I want to *keep* to a temp array, and
 - replacing the original array with the "temp" one.

Seems convoluted, but I couldn't find any function to remove a row of an array. Am I missing something (other than a few brain cells)?

thanks - - -

Ken

--- End Message ---
