php-general Digest 22 Jul 2007 08:40:28 -0000 Issue 4917
Topics (messages 259311 through 259323):
Re: filter input; escape output; Email Text
259311 by: Manuel Lemos
Re: Pirate PHP books online?
259312 by: Dotan Cohen
259313 by: Stut
259316 by: Chris Shiflett
259318 by: AmirBehzad Eslami
259321 by: Dotan Cohen
Re: Denial of Service Attack
259314 by: Jim Lucas
259315 by: Jim Lucas
259322 by: Dotan Cohen
Bundled GD compiling?
259317 by: Hayden Livingston
Re: session_decode from session handler
259319 by: Jeffery Fernandez
259320 by: Jeffery Fernandez
About XSLT/XML Pagination
259323 by: Kelvin Park
Administrivia:
To subscribe to the digest, e-mail:
[EMAIL PROTECTED]
To unsubscribe from the digest, e-mail:
[EMAIL PROTECTED]
To post to the list, e-mail:
[EMAIL PROTECTED]
----------------------------------------------------------------------
--- Begin Message ---
Hello,
on 07/20/2007 06:03 PM Richard Lynch said the following:
> So, I'm trying to be more consistent about escaping my output.
>
> I do something like this (only prettier):
>
> if (!isset($_REQUEST['blah_id'])) error_out("Bad blah_id input");
> $blah_id = (int) $_REQUEST['blah_id'];
> $blah_id_sql = mysql_real_escape_string($blah_id, $connection);
> $query = "select title from blah where blah_id = $blah_id_sql";
> $blah = mysql_query($query, $connection) or die("DB Error");
> list($title) = mysql_fetch_row($blah);
> $title_html = htmlentities($title);
> $title_email = SOME_FUNCTION_HERE($title);
>
> What function should be used to escape output to make it 100% kosher
> for an email Subject and/or Body, in a plain-text email?
>
> The original title came from the outside world, had
> mysql_real_escape_string() applied to it, and was crammed into the DB.
>
> It could have ANY kind of malicious text in it.
>
> We do NOT send (and will NEVER send) HTML enhanced (cough, cough) emails.
>
> For simplicity sake, I'd probably be happy with a more restrictive
> function that covered both Subject and Body in this instance.
Message headers should be encoded with q-encoding, which is a variant of
quoted-printable that includes character set information.
This is a bit complicated (too many RFCs to read) but you can use this
MIME message composing class to encode your message headers properly.
This class also properly escapes line breaks in headers. Malicious line
breaks are used by spammers to attack form-mail-like scripts. They
inject line breaks to insert new headers into the message, which can
cause the message to be sent to other addresses.
http://www.phpclasses.org/mimemessage
--
Regards,
Manuel Lemos
Metastorage - Data object relational mapping layer generator
http://www.metastorage.net/
PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/
--- End Message ---
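As an added illustration of the two points above (this is example code written for this digest, not Richard's script and not Manuel's MIME class), the following shows what a plain-text mail needs before untrusted text such as a `$title` fetched from the database goes into it: header values are refused if they carry CR/LF (the header-injection vector described above) and then Q-encoded per RFC 2047 so non-ASCII survives; the body is quoted-printable encoded with the charset and transfer encoding declared. It assumes ext/mbstring for `mb_encode_mimeheader()`; the function names and the sample title are constructed for the example.

```php
<?php
// Added example (not from the thread): escaping untrusted text for a
// plain-text e-mail. Assumes ext/mbstring is available.
//  1. Header values: reject CR/LF/NUL, then RFC 2047 Q-encode.
//  2. Body: normalise line endings, then quoted-printable encode.

/** Return an RFC 2047 Q-encoded header value, or throw if it contains a line break. */
function safeHeaderValue(string $value): string
{
    // A subject never legitimately contains CR, LF or NUL. Reject rather than
    // strip: silently stripping hides the fact that the input was tampered with.
    if (preg_match('/[\r\n\0]/', $value) === 1) {
        throw new InvalidArgumentException('header value contains a line break or NUL');
    }
    // Produces =?UTF-8?Q?...?= encoded words and folds long header lines.
    return mb_encode_mimeheader($value, 'UTF-8', 'Q');
}

/** Return the recipient address if it is syntactically valid, or throw. */
function safeRecipient(string $address): string
{
    // FILTER_VALIDATE_EMAIL rejects whitespace and control characters, so a
    // line break smuggled into the address fails here as well.
    $ok = filter_var($address, FILTER_VALIDATE_EMAIL);
    if ($ok === false) {
        throw new InvalidArgumentException('invalid recipient address');
    }
    return $ok;
}

/** Quoted-printable encode a plain-text body with CRLF line endings. */
function safePlainBody(string $body): string
{
    $body = str_replace(["\r\n", "\r"], "\n", $body); // normalise to LF first
    $body = str_replace("\n", "\r\n", $body);          // then to CRLF for SMTP
    return quoted_printable_encode($body);
}

/** Build the pieces mail() takes: recipient, encoded subject, encoded body, extra headers. */
function buildPlainTextMail(string $to, string $subject, string $body): array
{
    return [
        'to'      => safeRecipient($to),
        'subject' => safeHeaderValue($subject),
        'body'    => safePlainBody($body),
        'headers' => implode("\r\n", [
            'MIME-Version: 1.0',
            'Content-Type: text/plain; charset=UTF-8',
            'Content-Transfer-Encoding: quoted-printable',
        ]),
    ];
}

// Constructed sample title, standing in for the value fetched from the DB.
$title = "Résumé of blah #7";
$m = buildPlainTextMail('user@example.com', $title, "The item \"$title\" was updated.\n");
// mail($m['to'], $m['subject'], $m['body'], $m['headers']); shown via echo instead.
echo $m['subject'], "\n", $m['headers'], "\n\n", $m['body'], "\n";

// A title that carries a line break is rejected instead of becoming a new header line.
try {
    safeHeaderValue("Report\r\nsecond line");
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Rejecting rather than stripping is deliberate: a subject with an embedded line break is a sign the input was tampered with, and logging the rejection gives you a detection signal that a silent `str_replace()` would throw away.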
--- Begin Message ---
On 21/07/07, Larry Garfield <[EMAIL PROTECTED]> wrote:
> I never said that "artificial laws" should all be thrown out. They should,
> however, be understood in their proper context.
> A physical object can only be in the possession of one person at a time, per
> the laws of physics. Property law enhances and structures that natural
> situation.
Uh, what was all that about quantum mechanics and superposition? Could
you please run that by me again?
> Information, which includes both ideas and their creative expression, by
> nature becomes known to anyone it touches without depriving the originator of
> it. It can be possessed by more than one person simultaneously. Copyright
> law artificially creates such a restriction on movement in an attempt to make
> its creation more economically attractive. It is not, however, directly
> based on physical laws.
> Note that I am not making a statement about right or wrong about either of the
> above sorts of laws. I am simply explaining them in proper context, because
> one cannot make a viable statement about whether they are right or wrong
> without understanding them in proper context.
> Speeding while driving is also an "artificial law" in that regard, as there is
> no physical law that says a car can only go 30 mph. That doesn't make
> speeding OK or less illegal, it just means that it is not a natural law.
In Germany, there is. Get up to 250 KPH and the speed limiter kicks
in. It also almost kicks you out of your seat.
> In every online copyright debate I've gotten into, people always seem to
> assume that "either you're with us or you're with the evil terr'ist pirates".
> Nothing could be further from the truth, nor further from actual sense.
> That's why I keep getting into these debates; to point out that it's not a
> simple "copyright is moral and eternal vs. rampant theft and economic
> downfall" question.
M$ has already stated how they depend upon the pirates. If everybody
who could not afford Windows as a student switched to Linux, then they
would have nobody to sell Windows to when those students grow up.
Dotan Cohen
http://lyricslist.com/
http://what-is-what.com/
--- End Message ---
--- Begin Message ---
Dotan Cohen wrote:
> On 21/07/07, Larry Garfield <[EMAIL PROTECTED]> wrote:
>> Speeding while driving is also an "artificial law" in that regard, as
>> there is no physical law that says a car can only go 30 mph. That doesn't make
>> speeding OK or less illegal, it just means that it is not a natural law.
> In Germany, there is. Get up to 250 KPH and the speed limiter kicks
> in. It also almost kicks you out of your seat.
If you can't see that that's also an artificial limit and not an actual
law of physics...!!
-Stut
--
http://stut.net/
--- End Message ---
--- Begin Message ---
David Powers wrote:
> I suspect that your estimate of the advances paid by Apress/friends of
> Ed is inflated. Royalties are no secret: Apress publishes its standard
> contract on the web for prospective authors to see. The basic rate is
> 10% of the net income received by the publisher. Since heavy discounting
> is prevalent in the publishing industry, this means the author ends up
> with less than 5% of the book's cover price. So on a book with a cover
> price of $40, the author gets less than $2.
Based on the fact that this is almost identical to every other publisher
(O'Reilly, Sams, etc.), and based on the fact that Richard said he has a
lot of experience in this industry, I suspect his estimate was spot on.
You're right, though, it's difficult to get any return on your time
investment. :-)
Chris
--
Chris Shiflett
http://shiflett.org/
--- End Message ---
--- Begin Message ---
I'm living in a country where people cannot afford to buy real books.
Most people earn $250~$400 per month. $50 for a book is too damn
expensive. In addition, since the US has restricted business with us,
nobody ships books to us. And we don't have credit cards, since
MasterCard, Visa and PayPal do not offer services to us.
How can we read books in such a country?
I would like to know your opinions. Thank you.
On 7/22/07, Chris Shiflett <[EMAIL PROTECTED]> wrote:
> David Powers wrote:
> > I suspect that your estimate of the advances paid by Apress/friends of
> > Ed is inflated. Royalties are no secret: Apress publishes its standard
> > contract on the web for prospective authors to see. The basic rate is
> > 10% of the net income received by the publisher. Since heavy discounting
> > is prevalent in the publishing industry, this means the author ends up
> > with less than 5% of the book's cover price. So on a book with a cover
> > price of $40, the author gets less than $2.
> Based on the fact that this is almost identical to every other publisher
> (O'Reilly, Sams, etc.), and based on the fact that Richard said he has a
> lot of experience in this industry, I suspect his estimate was spot on.
> You're right, though, it's difficult to get any return on your time
> investment. :-)
> Chris
> --
> Chris Shiflett
> http://shiflett.org/
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
--- End Message ---
--- Begin Message ---
On 22/07/07, AmirBehzad Eslami <[EMAIL PROTECTED]> wrote:
> I'm living in a country where people cannot afford to buy real books.
> Most people earn $250~$400 per month. $50 for a book is too damn
> expensive. In addition, since the US has restricted business with us,
> nobody ships books to us. And we don't have credit cards, since
> MasterCard, Visa and PayPal do not offer services to us.
> How can we read books in such a country?
> I would like to know your opinions. Thank you.
Pirate them?
As the books are unavailable for sale in your country, it would be
tough for the publisher to make an argument about a lost sale.
Dotan Cohen
http://lyricslist.com/
http://what-is-what.com/
--- End Message ---
--- Begin Message ---
Crayon Shin Chan wrote:
> On Saturday 21 July 2007 10:24, Jim Lucas wrote:
>> So, I guess to sum up what the guy is talking about, I think he is
>> right. Some of us might have been DDOSed from making posts on this
>> list.
>> my email address points right back to my web server.....
>> What does everybody else think?
> There are some mailing list archive websites that go to the website
> derived from your email address domain and link the favicon (if any) for
> display next to your posts. Whether that is enough to lead to a DOS is
> debatable.
The problem with your answer is that there would then be log entries in
Apache. There were none at all.
--
Jim Lucas
"Some men are born to greatness, some achieve greatness,
and some have greatness thrust upon them."
Twelfth Night, Act II, Scene V
by William Shakespeare
--- End Message ---
--- Begin Message ---
Dotan Cohen wrote:
> On 21/07/07, Crayon Shin Chan <[EMAIL PROTECTED]> wrote:
>> On Saturday 21 July 2007 10:24, Jim Lucas wrote:
>>> So, I guess to sum up what the guy is talking about, I think he is
>>> right. Some of us might have been DDOSed from making posts on this
>>> list.
>>>
>>> my email address points right back to my web server.....
>>>
>>> What does everybody else think?
>> There are some mailing list archive websites that go to the website
>> derived from your email address domain and link the favicon (if any) for
>> display next to your posts. Whether that is enough to lead to a DOS is
>> debatable.
> It might also query SPF records. That could lead to server load as
> well, as could anything else that 'leads to your server'. But I doubt
> that a favicon, even if requested by 1000 clients going over the
> archives in an hour, would cause heavy enough traffic to DDoS a
> serious webserver.
> Dotan Cohen
> http://lyricslist.com/
> http://what-is-what.com/
You don't fetch SPF records from port 80 do you?
--
Jim Lucas
"Some men are born to greatness, some achieve greatness,
and some have greatness thrust upon them."
Twelfth Night, Act II, Scene V
by William Shakespeare
--- End Message ---
--- Begin Message ---
On 22/07/07, Jim Lucas <[EMAIL PROTECTED]> wrote:
> It might also query SPF records. That could lead to server load as
> well, as could anything else that 'leads to your server'. But I doubt
> that a favicon, even if requested by 1000 clients going over the
> archives in an hour, would cause heavy enough traffic to DDoS a
> serious webserver.
>
> Dotan Cohen
>
> http://lyricslist.com/
> http://what-is-what.com/
>
> You don't fetch SPF records from port 80 do you?
I was referring to server load, not apache load.
Dotan Cohen
http://lyricslist.com/
http://what-is-what.com/
--- End Message ---
--- Begin Message ---
I'm confused as to certain issues regarding the bundled version.
The documentation says:
"To use the recommended bundled version of the GD library (which was
first bundled in PHP 4.3.0), use the configure option --with-gd. GD
library requires libpng and libjpeg to compile."
"Note: When compiling PHP with libpng, you must use the same version
that was linked with the GD library."
This (to me) seems ambiguous. How am I supposed to know which libpng
the bundled GD library used? So how should I configure?
http://www.libgd.org/FAQ_PHP
"./configure --with-gd -with-png-dir=/usr --with-jpeg-dir=/usr
--with-freetype-dir=/usr"
The FAQ says this is "all" the features?
Thanks a bunch.
--- End Message ---
--- Begin Message ---
I have a similar problem I am facing with session data stored in the database
from the set_session_handler.
What I am trying to do is show a list of online users and the page they are
currently viewing. For this purpose I am querying the sessions table to get the
list of sessions and from that I loop through to get the session data of each
online user. But for some reason, I cannot decode/unserialise the session
data. Any pointers?
cheers,
Jeffery
On Friday 20 July 2007 08:25, Ryan Graciano wrote:
> PHP passed $data to my write($id) function, and then I wrote it to the
> database. In the code below, I have retrieved it from the database. I
> presume that it used encode_session to generate $data.
>
> I tried calling unserialize() on it for good measure, but it wasn't able to
> parse the data. When I return $data from my method, though, PHP is able to
> turn it into a $_SESSION.
>
> Thanks,
> - Ryan
>
> ----- Original Message ----
> From: Tijnema <[EMAIL PROTECTED]>
> To: Ryan Graciano <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Sent: Thursday, July 19, 2007 5:28:32 PM
> Subject: Re: [PHP] session_decode from session handler
>
> On 7/19/07, Ryan Graciano <[EMAIL PROTECTED]> wrote:
> > I'm having an issue getting session_decode to work from my session
> > handler in PHP 5.2.3. Here's a short code snippet that demonstrates what
> > I'm trying to do (from my read handler) -
> >
> > public function read($id) {
> > ....
> > var_dump($data); // prints out the serialized session correctly
> > $retval = session_decode($data);
> > var_dump($_SESSION); // prints out "array(0) {}"
> > echo $retval; // prints false
> > return $data;
> > }
> >
> > In my calling function, $_SESSION is updated with everything that was
> > held in $data, which means that $data was not corrupt - it worked when I
> > returned it, but it did not work when I used session_decode. This is a
> > problem because I want to change my read($id) function so that it decodes
> > $data, adds something extra to the $_SESSION, then re-encodes $data and
> > returns it.
> >
> > Thanks,
> > - Ryan
>
> How did you get $data?
>
> If it's just serialized data, you can simply call unserialize instead
> of session_decode.
>
> Tijnema
--
Powered by openSUSE 10.2 (i586) Kernel: 2.6.18.8-0.5-default
KDE: 3.5.5 "release 45.4"
2:19pm up 11 days 18:32, 7 users, load average: 0.42, 0.58, 0.54
--- End Message ---
--- Begin Message ---
On Sunday 22 July 2007 14:19, Jeffery Fernandez wrote:
> I have a similar problem I am facing with session data stored in the
> database from the set_session_handler.
>
> What I am trying to do is show a list of online users and the page they are
> currenlty viewing. For this purpose I am query the sessions table to get
> the list of session and from that I loop through to get the session data of
> each online user. But for some reason, I cannot decode/un-serialise the
> session data. Any pointers ?
Just following up on this problem. I am using PHP 5.2.3. I also remember
that previously, in older versions of PHP, I used to see that the session data was
the actual serialised data. But now with my testing it just seems to be one
long string, which leads me to believe that there is some kind of encoding
taking place.
>
> cheers,
> Jeffery
>
> On Friday 20 July 2007 08:25, Ryan Graciano wrote:
> > PHP passed $data to my write($id) function, and then I wrote it to the
> > database. In the code below, I have retrieved it from the database. I
> > presume that it used encode_session to generate $data.
> >
> > I tried calling unserialize() on it for good measure, but it wasn't able
> > to parse the data. When I return $data from my method, though, PHP is
> > able to turn it into a $_SESSION.
> >
> > Thanks,
> > - Ryan
> >
> > ----- Original Message ----
> > From: Tijnema <[EMAIL PROTECTED]>
> > To: Ryan Graciano <[EMAIL PROTECTED]>
> > Cc: [EMAIL PROTECTED]
> > Sent: Thursday, July 19, 2007 5:28:32 PM
> > Subject: Re: [PHP] session_decode from session handler
> >
> > On 7/19/07, Ryan Graciano <[EMAIL PROTECTED]> wrote:
> > > I'm having an issue getting session_decode to work from my session
> > > handler in PHP 5.2.3. Here's a short code snippet that demonstrates
> > > what I'm trying to do (from my read handler) -
> > >
> > > public function read($id) {
> > > ....
> > > var_dump($data); // prints out the serialized session correctly
> > > $retval = session_decode($data);
> > > var_dump($_SESSION); // prints out "array(0) {}"
> > > echo $retval; // prints false
> > > return $data;
> > > }
> > >
> > > In my calling function, $_SESSION is updated with everything that was
> > > held in $data, which means that $data was not corrupt - it worked when
> > > I returned it, but it did not work when I used session_decode. This is
> > > a problem because I want to change my read($id) function so that it
> > > decodes $data, adds something extra to the $_SESSION, then re-encodes
> > > $data and returns it.
> > >
> > > Thanks,
> > > - Ryan
> >
> > How did you get $data?
> >
> > If it's just serialized data, you can simply call unserialize instead
> > of session_decode.
> >
> > Tijnema
>
> --
> Powered by openSUSE 10.2 (i586) Kernel: 2.6.18.8-0.5-default
> KDE: 3.5.5 "release 45.4"
> 2:19pm up 11 days 18:32, 7 users, load average: 0.42, 0.58, 0.54
--
Powered by openSUSE 10.2 (i586) Kernel: 2.6.18.8-0.5-default
KDE: 3.5.5 "release 45.4"
2:24pm up 11 days 18:38, 7 users, load average: 0.45, 0.42, 0.47
--- End Message ---
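The "one long string" both Jeffery and Ryan see is PHP's own session serialization (the default `session.serialize_handler = php`), not `serialize()` output: it is `key|<serialized value>` repeated, which is why a plain `unserialize()` on the whole row fails, and `session_decode()` only fills `$_SESSION` for an active session, so it is no help for reading other users' rows (or from inside a read handler). The following is example code added for this digest, not from either poster, that decodes such a row directly into an array without touching `$_SESSION`. Because a serialized value carries its own length, it can be walked without searching for delimiters, which keeps keys and values that happen to contain `|` or `;` from confusing the parser. It assumes the default `php` serializer and PHP 7.0 or later for the `allowed_classes` option; the function names and the sample row are constructed for the example.

```php
<?php
// Added example (not from the thread): decode the string PHP's "php" session
// serializer hands to a write handler, e.g.
//   user_id|i:42;page|s:10:"/index.php";
// The '|' separates key from value; the value is walked by its own structure.
// Assumes session.serialize_handler = php and PHP >= 7.0 (allowed_classes).

/**
 * Byte length of the serialized value starting at $pos, found by walking the
 * value's own structure: N; b:..; i:..; d:..; s:len:"..."; a:n:{..}; O:len:"C":n:{..}
 */
function serializedValueLength(string $s, int $pos): int
{
    switch ($s[$pos] ?? '') {
        case 'N':                                   // N;
            return 2;
        case 'b': case 'i': case 'd':               // i:42;
            $end = strpos($s, ';', $pos);
            if ($end === false) throw new RuntimeException("unterminated scalar at $pos");
            return $end - $pos + 1;
        case 's':                                   // s:5:"hello";
            $colon = strpos($s, ':', $pos + 2);
            $len = (int) substr($s, $pos + 2, $colon - $pos - 2);
            $end = $colon + 2 + $len;               // index of the closing quote
            if (substr($s, $end, 2) !== '";') throw new RuntimeException("bad string at $pos");
            return $end + 2 - $pos;
        case 'a':                                   // a:2:{<key><value><key><value>}
            $colon = strpos($s, ':', $pos + 2);
            $count = (int) substr($s, $pos + 2, $colon - $pos - 2);
            return walkPairs($s, $pos, $colon + 2, $count);
        case 'O':                                   // O:3:"Foo":2:{<prop><value>...}
            $colon = strpos($s, ':', $pos + 2);
            $nameLen = (int) substr($s, $pos + 2, $colon - $pos - 2);
            $countAt = $colon + 4 + $nameLen;       // just past '"Foo":'
            $colon2 = strpos($s, ':', $countAt);
            $count = (int) substr($s, $countAt, $colon2 - $countAt);
            return walkPairs($s, $pos, $colon2 + 2, $count);
        default:
            throw new RuntimeException("unknown type at $pos");
    }
}

/** Skip $count key/value pairs starting at $p; return the length from $start through '}'. */
function walkPairs(string $s, int $start, int $p, int $count): int
{
    for ($i = 0; $i < $count; $i++) {
        $p += serializedValueLength($s, $p);       // key (or property name)
        $p += serializedValueLength($s, $p);       // value
    }
    if (($s[$p] ?? '') !== '}') throw new RuntimeException("missing '}' at $p");
    return $p + 1 - $start;
}

/** Decode a "php"-format session string into an array, never touching $_SESSION. */
function decodeSessionData(string $data): array
{
    $result = [];
    $pos = 0;
    $len = strlen($data);
    while ($pos < $len) {
        $bar = strpos($data, '|', $pos);
        if ($bar === false) throw new RuntimeException("missing '|' after offset $pos");
        $key  = substr($data, $pos, $bar - $pos);
        $vlen = serializedValueLength($data, $bar + 1);
        // Session rows come from storage you may not fully trust; refusing to
        // instantiate classes keeps unserialize() from running __wakeup() and friends.
        $result[$key] = unserialize(substr($data, $bar + 1, $vlen), ['allowed_classes' => false]);
        $pos = $bar + 1 + $vlen;
    }
    return $result;
}

// Constructed sample row, in the shape the write handler receives from PHP.
$row = 'user_id|i:42;page|s:10:"/index.php";cart|a:2:{i:0;s:3:"abc";i:1;d:9.5;}';
$decoded = decodeSessionData($row);
printf("user %d is viewing %s (%d cart items)\n",
    $decoded['user_id'], $decoded['page'], count($decoded['cart']));
```

For the "who is online" page, run `decodeSessionData()` over each row from the sessions table instead of calling `session_decode()`, and keep the `allowed_classes` restriction: rows in a shared database are data, and decoding them should never instantiate application classes.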
--- Begin Message ---
This site generally explains how pagination is done with XSLT and XML.
However, it does not fully explain how to paginate the data when a
certain number of rows have been printed.
For example, it wouldn't make another page after 100 item names were
printed out when there are 1000 items in total that need to be printed
out, making 10 pages in total.
Do you know what should be added in order to make it work?
--- End Message ---
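The piece that is usually missing is that the stylesheet has to be told which page it is rendering and how many rows make a page, and then select only that slice with `position()`. As an added example for this digest (not from the site Kelvin refers to, whose URL is not in the message), the following PHP script feeds a page number and page size into an XSLT 1.0 stylesheet through `XSLTProcessor::setParameter()`; the XML and stylesheet are constructed inline, and the page number is clamped before it reaches the processor. It assumes ext/xsl.

```php
<?php
// Added example (not from the post): paginating an XML item list with XSLT from
// PHP's XSLTProcessor (ext/xsl). The stylesheet receives the page number and
// the page size as parameters and selects the slice with position().

// Constructed input: 25 items, so 3 pages of 10.
$items = '';
for ($i = 1; $i <= 25; $i++) {
    $items .= "<item><name>Item $i</name></item>";
}
$xml = new DOMDocument();
$xml->loadXML("<items>$items</items>");

// Constructed stylesheet. $page and $per_page are xsl:param values; the page
// count is ceiling(total div per_page) since XPath 1.0 has no integer division.
$xslSource = <<<'XSL'
<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>
  <xsl:param name="page" select="1"/>
  <xsl:param name="per_page" select="10"/>
  <xsl:template match="/items">
    <xsl:variable name="total" select="count(item)"/>
    <xsl:text>page </xsl:text><xsl:value-of select="$page"/>
    <xsl:text> of </xsl:text><xsl:value-of select="ceiling($total div $per_page)"/>
    <xsl:text>&#10;</xsl:text>
    <xsl:for-each select="item[position() &gt; ($page - 1) * $per_page and position() &lt;= $page * $per_page]">
      <xsl:value-of select="name"/><xsl:text>&#10;</xsl:text>
    </xsl:for-each>
  </xsl:template>
</xsl:stylesheet>
XSL;

$xsl = new DOMDocument();
$xsl->loadXML($xslSource);
$proc = new XSLTProcessor();
$proc->importStylesheet($xsl);

/** Render one page of the item list as text. */
function renderPage(XSLTProcessor $proc, DOMDocument $xml, int $page, int $perPage = 10): string
{
    // The page number comes from the request: clamp it so a hostile or
    // malformed value cannot select a negative or absurd slice, and pass
    // only numeric strings, since setParameter() values are XPath expressions.
    $page = max(1, $page);
    $proc->setParameter('', 'page', (string) $page);
    $proc->setParameter('', 'per_page', (string) max(1, $perPage));
    return $proc->transformToXml($xml);
}

// ?page=2 prints "page 2 of 3" followed by Item 11 .. Item 20.
echo renderPage($proc, $xml, (int) ($_GET['page'] ?? 1));
```

The `max(1, ...)` clamps matter beyond correctness: `XSLTProcessor::setParameter()` hands its values to the stylesheet as XPath expressions, so request input should be cast to an integer before it is passed rather than forwarded as a raw string.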