php-general Digest 18 Jul 2008 08:52:15 -0000 Issue 5575

Topics (messages 276997 through 277017):

Re: is there a problem with php script pulling HTML out of database as it 
writes the page??
        276997 by: Robert Cummings
        276999 by: Micah Gersten
        277000 by: Stut
        277001 by: Micah Gersten
        277013 by: Jason Norwood-Young

Re: Randomly missing a function
        276998 by: Shawn McKenzie
        277003 by: Miles Thompson

Re: OpenID
        277002 by: Kevin Waterson
        277009 by: Per Jessen
        277011 by: Børge Holen
        277012 by: Alex Chamberlain
        277014 by: Aschwin Wesselius
        277016 by: Bipin Upadhyay
        277017 by: Kevin Waterson

Re: What font/size do you use for programming?
        277004 by: Yi Wang

Class 'PDO' not found in .... PHP 5.2.5
        277005 by: Stephen
        277006 by: Ted Wood

PHP Development Team
        277007 by: AvPHP
        277008 by: Nathan Nobbe
        277010 by: Børge Holen
        277015 by: Robert Cummings

Administrivia:

To subscribe to the digest, e-mail:
        [EMAIL PROTECTED]

To unsubscribe from the digest, e-mail:
        [EMAIL PROTECTED]

To post to the list, e-mail:
        [EMAIL PROTECTED]


----------------------------------------------------------------------
--- Begin Message ---
On Thu, 2008-07-17 at 15:46 -0500, Micah Gersten wrote:
> What can help is if one app only has access to its own DB.  Also, for
> mysql, there is the mysql_real_escape_string function for a reason.

Well I agree with that of course... but the post by Stut indicated the
interviewee thought he could punt all DB security to the DBA. Obviously
it's important that the app developer use appropriate programming
techniques to achieve security in conjunction with the DBA.

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP


--- End Message ---
--- Begin Message ---
What can help is if one app only has access to its own DB.  Also, for
mysql, there is the mysql_real_escape_string function for a reason.
Also, for the web app, you can usually disable Administrative functions
and grant a minimal set of permissions.

Thank you,
Micah Gersten
onShore Networks
Internal Developer
http://www.onshore.com



Robert Cummings wrote:
> On Thu, 2008-07-17 at 12:32 -0400, Andrew Ballard wrote:
>   
>> On Thu, Jul 17, 2008 at 12:02 PM, Stut <[EMAIL PROTECTED]> wrote:
>>     
>>> On 17 Jul 2008, at 15:31, David Giragosian wrote:
>>>
>>>       
>>>> On 7/17/08, Stut <[EMAIL PROTECTED]> wrote:
>>>>         
>>>>> On 17 Jul 2008, at 14:10, tedd wrote:
>>>>>
>>>>>           
>>>>>> At 10:28 PM +0100 7/16/08, Stut wrote:
>>>>>>
>>>>>>             
>>>>>>> Oh, and you'd be working for me so bear that in mind ;)
>>>>>>>
>>>>>>> -Stut
>>>>>>>
>>>>>>>               
>>>>>> It's no wonder why you haven't found anyone.  :-)
>>>>>>
>>>>>>             
>>>>> Thanks for that tedd.
>>>>>
>>>>> Seriously though, I'm wondering if my expectations are too high... I
>>>>> expect
>>>>> them to know that addslashes is not adequate protection against SQL
>>>>> injection. I even had one tell me "SQL injection? I can't remember but
>>>>> I'm
>>>>> sure I've used it before". And I won't even go into the guy who asserted
>>>>> that he's always worked with DB administrators who've dealt with security
>>>>> issues so he'd never needed to learn about it.
>>>>>
>>>>> Am I expecting too much?!?
>>>>>
>>>>> -Stut
>>>>>           
>>>> Surely you're being rhetorical, Stut, but no, you're not expecting too
>>>> much.
>>>> However the guy(s) who worked in a larger organization likely did have a
>>>> very clear delineation of roles and responsibilities, as I am experiencing
>>>> in a new position, and therefore may not be current on best practices in
>>>> areas outside of their role. When my group leader instituted the current
>>>> policy regarding job functions, a number of the open source guys decided
>>>> their unused skills were eroding and/or they were not being exposed to new
>>>> learning, and they left the company.
>>>>         
>>> There's no way I would ever hire anyone who says "security was somebody
>>> else's responsibility". I don't care what their previous managers have said,
>>> that's never a valid statement in my book. When you then add the fact that
>>> no DB admin no matter how good they are can implement adequate security to
>>> prevent SQL injection you get a developer who doesn't care about security
>>> issues much less know anything about them.
>>>
>>> -Stut
>>>
>>>       
>> A DBA can go pretty far to prevent SQL injection by setting
>> appropriate rights on the accounts that applications will use to
>> interact with the database: denying direct access to tables, allowing
>> access to only the necessary stored procedures, thereby forcing
>> developers to design products using only those procedures for all data
>> access. Of course, a lot of developers would complain under this level
>> of security, and I suspect a lot of frameworks that are out there
>> would be much less "useful" to lazy programmers.
>>     
>
> So are you suggesting a web app make multiple different user account
> connections to the SQL server depending on whether it wants to SELECT,
> INSERT, DELETE, etc.? I mean that's a fair proposition... just seems a
> tad heavy duty. Once again though... there's a programmer responsibility
> here to implement the application with such a scenario in mind. Most
> applications need access to SELECT, INSERT, and DELETE. In such a case,
> a single account with restricted access permissions that allow all three
> isn't going to do anything for the application if a programmer lets an
> SQL injection through.
>
> Cheers,
> Rob.
>   

--- End Message ---
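An added example, not code from the thread, putting Stut's "addslashes is not adequate" and Micah's escape-function remark beside the prepared statement that makes the escaping question moot. It runs against an in-memory SQLite database through PDO so no MySQL server is needed (it assumes PHP 7+ with pdo_sqlite); the users table, its two rows and the function names are constructed for the demo.

```php
<?php
// Added example, not code from the thread. Shows why addslashes() (and
// escaping in general) is not an SQL injection defence, next to the
// prepared-statement form. Uses an in-memory SQLite database through PDO;
// the table, rows and payload below are constructed test data.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
    $db->exec("INSERT INTO users (id, name, role) VALUES (1, 'alice', 'admin')");
    $db->exec("INSERT INTO users (id, name, role) VALUES (2, 'bob', 'user')");
    return $db;
}

// VULNERABLE: the "escaped" value is still spliced into SQL text.
// addslashes() only backslashes ' " \ and NUL, so in an unquoted numeric
// context a payload containing none of those reaches the parser unchanged.
function findUserUnsafe(PDO $db, string $id): array
{
    $sql = 'SELECT id, name, role FROM users WHERE id = ' . addslashes($id);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// FIXED: the value travels as a bound parameter and is never parsed as
// SQL, whatever it contains. No escaping, no quoting, no charset question.
function findUserSafe(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT id, name, role FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDb();
$payload = '2 OR 1=1';   // constructed attacker input: nothing here for addslashes() to touch

printf("unsafe: %d rows\n", count(findUserUnsafe($db, $payload)));  // 2 rows: every user leaks
printf("safe:   %d rows\n", count(findUserSafe($db, $payload)));    // 0 rows: no id equals that string
```

The unsafe function returns both rows because the unquoted numeric context accepts `2 OR 1=1` as SQL. Quoting the value and escaping it would fix this one call site, but only if every call site remembers the quotes and the escaping matches the connection charset, which is what mysql_real_escape_string() exists for and why even it is only a partial answer; a bound parameter has neither precondition. On MySQL rather than SQLite the safe query typically returns bob's row instead of none, because MySQL coerces the string to its leading number, but the OR is still never parsed as SQL. The DBA-side measures from the thread, a per-application account with the minimal GRANT set and no access to other databases, are a second layer underneath this: they bound what an injection can reach, not whether one happens.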
--- Begin Message ---
On 17 Jul 2008, at 21:56, Robert Cummings wrote:
> On Thu, 2008-07-17 at 15:46 -0500, Micah Gersten wrote:
>> What can help is if one app only has access to its own DB. Also, for
>> mysql, there is the mysql_real_escape_string function for a reason.
>
> Well I agree with that of course... but the post by Stut indicated the
> interviewee thought he could punt all DB security to the DBA. Obviously
> it's important that the app developer use appropriate programming
> techniques to achieve security in conjunction with the DBA.

My main point was that security is the responsibility of everyone on the team whether it's explicitly part of their job spec or not. A candidate who doesn't see that without prompting will not be getting any further in my interview process.

-Stut

--
http://stut.net/

--- End Message ---
--- Begin Message ---
For anyone interested, here's a nice book to get anyone started on PHP
Security:
http://oreilly.com/catalog/9780596006563/index.html

Thank you,
Micah Gersten
onShore Networks
Internal Developer
http://www.onshore.com



Stut wrote:
> On 17 Jul 2008, at 21:56, Robert Cummings wrote:
>> On Thu, 2008-07-17 at 15:46 -0500, Micah Gersten wrote:
>>> What can help is if one app only has access to its own DB.  Also, for
>>> mysql, there is the mysql_real_escape_string function for a reason.
>>
>> Well I agree with that of course... but the post by Stut indicated the
>> interviewee thought he could punt all DB security to the DBA. Obviously
>> it's important that the app developer use appropriate programming
>> techniques to achieve security in conjunction with the DBA.
>
> My main point was that security is the responsibility of everyone on
> the team whether it's explicitly part of their job spec or not. A
> candidate who doesn't see that without prompting will not be getting
> any further in my interview process.
>
> -Stut
>

--- End Message ---
--- Begin Message ---
On Thu, 2008-07-17 at 10:41 -0400, Daniel Brown wrote:
>     9.) NEVER store passwords in a PHP script.  Instead, store them in
> a file named `inc/config.inc` in the web directory, and include them.

Dude! You forgot the most important bit:
inc/config.inc:
$dbusername="root";
$dbpassword="r00t"; // By combining letters and numbers, this password becomes unhackable

It's important to also set your server root password the same as your DB
password so that when you hand passwords out to your outsourced
developers, secretaries, tea ladies and janitors they can have full
access to the system and don't waste your time setting up permissions.


--- End Message ---
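The non-satirical version, as an added example that is not from the thread: a loader that refuses credentials kept under the document root (where an .inc file is served as plain text unless the web server is told otherwise, since by default only .php goes through the interpreter), refuses a file that group or other can read, and refuses the root account. It assumes a POSIX filesystem and PHP 7+; the directory layout, the INI keys and the account name are constructed for the demo.

```php
<?php
// Added example, not code from the thread. The serious counterpart to the
// joke above: credentials live in a file outside the document root, readable
// only by their owner, and the account is never the server superuser.
// Assumes a POSIX filesystem and PHP 7+. Paths, INI keys and the account
// name are constructed for the demo.
declare(strict_types=1);

function loadDbCredentials(string $path, string $docRoot): array
{
    $real = realpath($path);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('credentials file or document root does not exist');
    }
    // Anything under the document root is one handler misconfiguration away
    // from being downloaded as text.
    if (strpos($real, rtrim($root, '/') . '/') === 0) {
        throw new RuntimeException("credentials file is inside the document root: $real");
    }
    // Owner-only: every group/other permission bit must be clear.
    if ((fileperms($real) & 0077) !== 0) {
        throw new RuntimeException("credentials file is readable by group or other: $real");
    }
    $cfg = parse_ini_file($real, false, INI_SCANNER_TYPED);
    if ($cfg === false || !isset($cfg['dsn'], $cfg['user'], $cfg['password'])) {
        throw new RuntimeException('credentials file must define dsn, user and password');
    }
    // A dedicated, minimally privileged account for the application; handing
    // the DB root password to everyone with a login is the joke above.
    if ($cfg['user'] === 'root') {
        throw new RuntimeException('application must not connect to the database as root');
    }
    return [
        'dsn'      => (string) $cfg['dsn'],
        'user'     => (string) $cfg['user'],
        'password' => (string) $cfg['password'],
    ];
}

// Constructed demo layout under the system temp dir: a private directory
// beside a pretend document root.
$base = sys_get_temp_dir() . '/creds-demo-' . getmypid();
mkdir("$base/htdocs", 0755, true);
mkdir("$base/private", 0700);
$ini = "dsn = \"mysql:host=127.0.0.1;dbname=app\"\nuser = app_rw\npassword = \"correct horse battery staple\"\n";
file_put_contents("$base/private/db.ini", $ini);
chmod("$base/private/db.ini", 0600);

$creds = loadDbCredentials("$base/private/db.ini", "$base/htdocs");
echo "loaded credentials for {$creds['user']} ({$creds['dsn']})\n";

// The same file dropped into the document root as inc/config.inc is refused
// even with tight permissions, because location alone makes it servable.
mkdir("$base/htdocs/inc", 0755);
copy("$base/private/db.ini", "$base/htdocs/inc/config.inc");
chmod("$base/htdocs/inc/config.inc", 0600);
try {
    loadDbCredentials("$base/htdocs/inc/config.inc", "$base/htdocs");
} catch (RuntimeException $e) {
    echo "refused: {$e->getMessage()}\n";
}

// Remove the demo files again.
foreach (["$base/htdocs/inc/config.inc", "$base/private/db.ini"] as $f) {
    unlink($f);
}
foreach (["$base/htdocs/inc", "$base/htdocs", "$base/private", $base] as $d) {
    rmdir($d);
}
```

The permission check is deliberately on the file's own mode bits rather than on who owns it: the web server user must be the owner, and nobody else on a shared host should be able to read the file at all, which is the difference between a leaked DB password and a leaked DB-plus-server password when the two are the same.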
--- Begin Message ---
Micah Gersten wrote:
> Try returning a value from CreateUser and checking it before sending the
> E-Mail.
>
> Thank you,
> Micah Gersten
> onShore Networks
> Internal Developer
> http://www.onshore.com

Exactly! You'll find that CreateUser() is called, however for whatever reason the user isn't created. Do as Micah suggests and also add some error checking to CreateUser() to find out why the user isn't created.

-Shawn

--- End Message ---
--- Begin Message ---
MIcah,

Duh!! So damned obvious.

We'll try that.

Thanks - Miles


On Thu, Jul 17, 2008 at 5:42 PM, Micah Gersten <[EMAIL PROTECTED]> wrote:

> Try returning a value from CreateUser and checking it before sending the
> E-Mail.
>
> Thank you,
> Micah Gersten
> onShore Networks
> Internal Developer
> http://www.onshore.com
>
>
>
> Miles Thompson wrote:
> > An online signup script is randomly missing part of the task. These scripts
> > are involved:
> > sub_signup.php
> >    include/cc_proc.php - does the CC (credit card) processing
> >    include/user_maint.php - inserts the new subscriber into the database
> >
> > When the CC processing finishes, with the success flag, user_maint.php is
> > included, and a few lines later the createUser($params) function therein is
> > called to create the user. Every mysql_ function in user_maint.php is
> > backstopped with a die() if it fails. But sometimes it appears that the call
> > to this script, or the createUser() function just isn't made.
> >
> > What seems to happen, randomly, is that the script "charges on" so to speak,
> > sending an advisory email to the office manager that there is a new
> > subscriber, and calling sub_signup_thanks.php, which displays a completion
> > message, etc.
> >
> > In all of these cases the credit card processing has succeeded. Sometimes
> > people have tried to sign up two or three times, the card processes, but no
> > addition is made to the database. It's driving us nuts! Any thoughts?
> >
> > Regards - Miles
> >
> > Infrastructure: Apache 2.2, PHP 5.x, MySQL 5
> >
> > Code:
> >     switch ($ret) {
> >     case CC_SUCCESS:
> >         require 'include/user_maint.php';
> >         $cctype = cc_getCardType($cc);
> >         if ($cctype == 'Visa') $cctype = 'VISA';
> >         elseif ($cctype == 'MasterCard') $cctype = 'M-C';
> >         //Shouldn't happen in case CC_SUCCESS, but better safe than sorry
> >         else die('We don\'t support this credit card');
> >
> >         $params = array(
> >             'firstname'   => $first,
> >             // various fields
> >             'postal_code' => $postal_code,
> >             'pay_method'  => $cctype
> >         );
> >         // createUser is a function in user_maint
> >         createUser($params);
> >         // sendEmail is func in user_maint, advises office manager
> >         sendEmail('New subscriber!!!', "Already paid $amount by credit card", $fields);
> >         require 'sub_signup_thanks.php';    //Grabs authCode from $result
> >         return;
> >
> >         } //other situations dealt with, and properly closed
> >
> >
>

--- End Message ---
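An added example, not the poster's code: the structure Micah and Shawn are recommending. createUser() returns the new row id and throws on any failure, and the caller decides whether to notify the office and show the thanks page only once that result is known, so a failure after a successful charge reaches a human instead of a success page. It uses an in-memory SQLite database through PDO (assumes PHP 7+ with pdo_sqlite); the subscribers table, the sendEmail() stand-in, the completeSignup() wrapper and the sample data are constructed for the demo.

```php
<?php
// Added example, not the poster's code. createUser() reports success or
// failure to its caller, and the caller acts on it before doing anything
// the customer or the office will see. In-memory SQLite via PDO; the
// table, the mail stand-in and the sample subscribers are constructed.
declare(strict_types=1);

function createUser(PDO $db, array $params): int
{
    $stmt = $db->prepare(
        'INSERT INTO subscribers (firstname, postal_code, pay_method)
         VALUES (:firstname, :postal_code, :pay_method)'
    );
    // With ERRMODE_EXCEPTION a failed prepare/execute throws instead of
    // returning false and letting the script charge on.
    $stmt->execute([
        ':firstname'   => $params['firstname'],
        ':postal_code' => $params['postal_code'],
        ':pay_method'  => $params['pay_method'],
    ]);
    if ($stmt->rowCount() !== 1) {
        throw new RuntimeException('subscriber insert affected ' . $stmt->rowCount() . ' rows');
    }
    return (int) $db->lastInsertId();
}

// Stand-in for the advisory mail to the office manager: records what would
// have been sent so the demo stays offline.
function sendEmail(array &$outbox, string $subject, string $body): void
{
    $outbox[] = [$subject, $body];
}

// Returns the page to show next: 'thanks' or 'error'.
function completeSignup(PDO $db, array $params, string $amount, array &$outbox): string
{
    try {
        $id = createUser($db, $params);
    } catch (Throwable $e) {
        // The card has already been charged at this point, so this is the
        // case that must never go quiet: tell the office, log the details,
        // and do not show the customer a success page.
        sendEmail($outbox, 'SIGNUP FAILED after successful charge',
            "amount $amount, params " . json_encode($params) . ': ' . $e->getMessage());
        error_log('createUser failed: ' . $e->getMessage());
        return 'error';
    }
    sendEmail($outbox, 'New subscriber!!!', "Already paid $amount by credit card (subscriber #$id)");
    return 'thanks';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE subscribers (
    id INTEGER PRIMARY KEY,
    firstname TEXT NOT NULL,
    postal_code TEXT NOT NULL,
    pay_method TEXT NOT NULL
)');

$outbox = [];
$good = ['firstname' => 'Miles', 'postal_code' => 'B3H 1A1', 'pay_method' => 'VISA'];  // constructed
echo completeSignup($db, $good, '49.00', $outbox), "\n";   // thanks

// A missing field: the NOT NULL constraint makes the insert throw, and the
// failure is routed to the office rather than to a thanks page.
$bad = ['firstname' => 'Miles', 'postal_code' => null, 'pay_method' => 'VISA'];        // constructed
echo completeSignup($db, $bad, '49.00', $outbox), "\n";    // error
echo count($outbox), " mails queued\n";                    // 2
```

With die() inside the data layer the calling script never learns why it stopped, and with a void createUser() it never learns whether the insert happened at all; returning the id (or throwing) makes both visible at the one place that knows a card has already been charged. If the order of operations can be changed, recording the processor's authorisation code in the database before any mail is sent also gives you something to reconcile the next time a charge turns up with no subscriber behind it.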
--- Begin Message ---
This one time, at band camp, "Alex Chamberlain" <[EMAIL PROTECTED]> wrote:


> Has anybody had any success implementing an OpenID server in PHP??

Sure, I had mine all set up on oceania.net and then the domain got
stolen. So, all my OpenID info went with it.. not as good an idea as
it first seems.


Kevin

--- End Message ---
--- Begin Message ---
Kevin Waterson wrote:

> This one time, at band camp, "Alex Chamberlain"
> <[EMAIL PROTECTED]> wrote:
> 
>> Has anybody had any success implementing an OpenID server in PHP??
> 
> Sure, I had mine all set up on oceania.net and then the domain got
> stolen. So, all my OpenID info went with it.. not as good an idea as
> it first seems.

I'm curious, how does a domain "get stolen" ? 


/Per Jessen, Zürich


--- End Message ---
--- Begin Message ---
On Friday 18 July 2008 08:37:14 Per Jessen wrote:
> Kevin Waterson wrote:
> > This one time, at band camp, "Alex Chamberlain"
> >
> > <[EMAIL PROTECTED]> wrote:
> >> Has anybody had any success implementing an OpenID server in PHP??
> >
> > Sure, I had mine all set up on oceania.net and then the domain got
> > stolen. So, all my OpenID info went with it.. not as good an idea as
> > it first seems.
>
> I'm curious, how does a domain "get stolen" ?

he forgot to pay the bills ;) 

>
>
> /Per Jessen, Zürich



-- 
---
Børge Holen
http://www.arivene.net

--- End Message ---
--- Begin Message ---
> This one time, at band camp, "Alex Chamberlain"
> <[EMAIL PROTECTED]> wrote:
> 
> 
> > Has anybody had any success implementing an OpenID server in PHP??
> 
> Sure, I had mine all set up on oceania.net and then the domain got
> stolen. So, all my OpenID info went with it.. not as good an idea as
> it first seems.
> 
> 
> Kevin

Other than the mystery of the stolen domain, what software did you run?? Did
you write it yourself??

Alex



--- End Message ---
--- Begin Message ---
Per Jessen wrote:
> Kevin Waterson wrote:
>
>> This one time, at band camp, "Alex Chamberlain"
>> <[EMAIL PROTECTED]> wrote:
>>
>>> Has anybody had any success implementing an OpenID server in PHP??
>>
>> Sure, I had mine all set up on oceania.net and then the domain got
>> stolen. So, all my OpenID info went with it.. not as good an idea as
>> it first seems.
>
> I'm curious, how does a domain "get stolen" ?
>
> /Per Jessen, Zürich

Is it by accident that he mentioned 'oceania.net' while it's about an identification topic?

The only thing I can relate Oceania to, is not such a funny story about knowing everything about people.

--

Aschwin Wesselius

/'What you would like to be done to you, do that to the other....'/


--- End Message ---
--- Begin Message ---
Clamshell -- http://wiki.guruj.net/Clamshell!Home

HTH

On Fri, Jul 18, 2008 at 1:36 AM, Alex Chamberlain
<[EMAIL PROTECTED]> wrote:
> Hi,
>
>
>
> Has anybody had any success implementing an OpenID server in PHP??
>
>
>
> Alex
>
>
>
>
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>



-- Bipin Upadhyay
I'd love to change the world,
but they won't gimme the source code.
http://projectbee.org/

--- End Message ---
--- Begin Message ---
This one time, at band camp, Per Jessen <[EMAIL PROTECTED]> wrote:


> I'm curious, how does a domain "get stolen" ? 
This is a process I am now looking into. The domain was registered
via a reseller who I also had an email address with. The reseller had access
to both my domain registration details and my email address. With both of these
they were able to simply enact a transfer and intercept the mail agreeing to the
deal.

I now have documentary proof of this from Gandi and have contacted the
Australian Police regarding the matter. I am also trying to get the domain back
via ICANN and mediation, which has so far cost me over $1k.

Kevin

--- End Message ---
--- Begin Message ---
On Sat, Jul 12, 2008 at 12:40 AM, Eric Butera <[EMAIL PROTECTED]> wrote:
> On Thu, Jul 10, 2008 at 5:29 PM, Philip Thompson <[EMAIL PROTECTED]> wrote:
>> On Jul 10, 2008, at 3:35 PM, Omar Noppe wrote:
>>
>>> Is there any reason to pick a black background en white fonts in your
>>> editor (for example writability)?
>>
>> I think a black background is much easier on the eyes....
>
> I use a big font on a black background because it doesn't strain my
> eyes as much.  I started out with Monaco 9pt (or bitstream vera sans
> mono 9pt on linux) on white.  Slowly though I kept getting more
> frequent headaches.  Now I use black with big fonts and I'm fine.  I
> have really good vision and all that, but just hours of coding will
> get to me.
>
> As a side bonus, using a bigger font also helps me adhere to wrapping
> at the 80 character margin too.
>
>
>

Consolas 14pt editplus on server 2008

-- 
Regards,
Wang Yi

--- End Message ---
--- Begin Message ---
I am with a new host and just tried to upload new files that use PHP and the class PDO for database access.

I get the error in the subject.

I thought PDO was in the base code of PHP 5*

My host is on 5.2.5 according to PHP info

I have created a ticket

I fear that this is one of those "not supported" things.

So I am asking for any advice.

Thanks
Stephen

--- End Message ---
--- Begin Message ---

PDO is distributed with PHP 5.1 and higher by default, but it can still be excluded during the compile stage. This may be the case for your installation. Run phpinfo() to find out, and if PDO is not listed, ask your host to install it.

http://ca3.php.net/manual/en/pdo.installation.php

~Ted


On 17-Jul-08, at 8:07 PM, Stephen wrote:

I am with a new host and just tried to upload new files that use PHP and the class PDO for database access.

I get the error in the subject.

I thought PDO was in the base code of PHP 5*

My host is on 5.2.5 according to PHP info

I have created a ticket

I fear that this is one of those "not supported" things.

So I am asking for any advice.

Thanks
Stephen




--- End Message ---
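An added example, not from the thread: a check that reports whether the PDO class and a particular driver are present in the PHP build that actually runs the site, so the answer comes from the interpreter rather than from a guess about the host. The function and variable names are constructed; PDO::getAvailableDrivers(), class_exists() and extension_loaded() are standard PHP.

```php
<?php
// Added example, not from the thread. Reports the three states a "Class
// 'PDO' not found" report can come from: the pdo extension is absent,
// pdo is present but the driver you need is not, or both are fine and the
// error lies elsewhere. Names below are constructed for the demo.
declare(strict_types=1);

function pdoStatus(string $wantedDriver): array
{
    $havePdo = class_exists('PDO', false);   // no autoload: only the compiled-in/loaded class counts
    $drivers = $havePdo ? PDO::getAvailableDrivers() : [];
    return [
        'pdo_extension' => extension_loaded('pdo'),
        'pdo_class'     => $havePdo,
        'drivers'       => $drivers,
        'driver_ok'     => in_array($wantedDriver, $drivers, true),
    ];
}

function pdoAdvice(array $status, string $wantedDriver): string
{
    if (!$status['pdo_class']) {
        return 'PDO is not compiled in or its extension is not loaded for this SAPI; '
             . "ask the host to enable pdo and pdo_$wantedDriver.";
    }
    if (!$status['driver_ok']) {
        $have = $status['drivers'] ? implode(', ', $status['drivers']) : 'none';
        return "PDO is present but the $wantedDriver driver is not (available: $have); "
             . "ask the host to enable pdo_$wantedDriver.";
    }
    return "PDO with the $wantedDriver driver is available; look elsewhere for the error.";
}

$wanted = 'mysql';
$status = pdoStatus($wanted);
echo 'PHP ', PHP_VERSION, ' (', PHP_SAPI, "): ", pdoAdvice($status, $wanted), "\n";
```

Run it through the web server and not only with `php` on the shell: the CLI and the web SAPI can load different php.ini files, so `php -m` listing pdo proves nothing about mod_php or FastCGI, which is why the output names the SAPI. The PDO class exists only when the pdo extension is loaded, and each driver (pdo_mysql, pdo_sqlite, pdo_pgsql) is a separate extension, so a host can have built one without the other.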
--- Begin Message ---
We represent an established team of 15 PHP developers, with extensive
experience in OOP LAMP development, including multiyear projects with
thousands of total programming hours. They have also worked on numerous
customized Content Management Systems (CMS) for various websites, including
E-Commerce sites, websites for startup companies and sites for large firms. 
The team is in South America, so the rates are substantially below typical
US standards while the developers are vertically below US time zones, making
communication much easier than with India. They can work with both Agile and
Waterfall development methodologies. The team is fluent in Spanish and has
excellent written English with good spoken English. 

If desired, DreamStaffing can also supplement this team with a fluent
bi-lingual project manager, HTML/CSS developers, user interface designers,
or any other skill sets that are needed for a project.

Please contact us at [EMAIL PROTECTED]  for more information.



--- End Message ---
--- Begin Message ---
On Thu, Jul 17, 2008 at 10:11 PM, AvPHP <[EMAIL PROTECTED]> wrote:

>
> We represent an established team of 15 PHP developers, with extensive
> experience in OOP LAMP development, including multiyear projects with
> thousands of total programming hours. They have also worked on numerous
> customized Content Management Systems (CMS) for various websites, including
> E-Commerce sites, websites for startup companies and sites for large firms.
> The team is in South America, so the rates are substantially below typical
> US standards while the developers are vertically below US time zones,
> making
> communication much easier than with India. They can work with both Agile
> and
> Waterfall development methodologies. The team is fluent in Spanish and has
> excellent written English with good spoken English.
>
> If desired, DreamStaffing can also supplement this team with a fluent
> bi-lingual project manager, HTML/CSS developers, user interface designers,
> or any other skill sets that are needed for a project.
>
> Please contact us at [EMAIL PROTECTED]  for more information.


nice pitch ;)

-nathan

--- End Message ---
--- Begin Message ---
On Friday 18 July 2008 07:34:22 Nathan Nobbe wrote:
> On Thu, Jul 17, 2008 at 10:11 PM, AvPHP <[EMAIL PROTECTED]> wrote:
> > We represent an established team of 15 PHP developers, with extensive
> > experience in OOP LAMP development, including multiyear projects with
> > thousands of total programming hours. They have also worked on numerous
> > customized Content Management Systems (CMS) for various websites,
> > including E-Commerce sites, websites for startup companies and sites for
> > large firms. The team is in South America, so the rates are substantially
> > below typical US standards while the developers are vertically below US
> > time zones, making
> > communication much easier than with India. They can work with both Agile
> > and
> > Waterfall development methodologies. The team is fluent in Spanish and
> > has excellent written English with good spoken English.
> >
> > If desired, DreamStaffing can also supplement this team with a fluent
> > bi-lingual project manager, HTML/CSS developers, user interface
> > designers, or any other skill sets that are needed for a project.
> >
> > Please contact us at [EMAIL PROTECTED]  for more information.
>
> nice pitch ;)
>
> -nathan

I liked the dreamstaffing stuff. It kinda sounds... yeah whatever really ;D

-- 
---
Børge Holen
http://www.arivene.net

--- End Message ---
--- Begin Message ---
On Fri, 2008-07-18 at 09:15 +0200, Børge Holen wrote:
> On Friday 18 July 2008 07:34:22 Nathan Nobbe wrote:
> > On Thu, Jul 17, 2008 at 10:11 PM, AvPHP <[EMAIL PROTECTED]> wrote:
> > > We represent an established team of 15 PHP developers, with extensive
> > > experience in OOP LAMP development, including multiyear projects with
> > > thousands of total programming hours. They have also worked on numerous
> > > customized Content Management Systems (CMS) for various websites,
> > > including E-Commerce sites, websites for startup companies and sites for
> > > large firms. The team is in South America, so the rates are substantially
> > > below typical US standards while the developers are vertically below US
> > > time zones, making
> > > communication much easier than with India. They can work with both Agile
> > > and
> > > Waterfall development methodologies. The team is fluent in Spanish and
> > > has excellent written English with good spoken English.
> > >
> > > If desired, DreamStaffing can also supplement this team with a fluent
> > > bi-lingual project manager, HTML/CSS developers, user interface
> > > designers, or any other skill sets that are needed for a project.
> > >
> > > Please contact us at [EMAIL PROTECTED]  for more information.
> >
> > nice pitch ;)
> >
> > -nathan
> 
> I liked the dreamstaffing stuff. It kinda sounds... yeah whatever really ;D

Dreamy... oh my!

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP


--- End Message ---
