php-general Digest 9 Feb 2009 16:06:05 -0000 Issue 5949

Topics (messages 287946 through 287973):

Re: Class constant inconsistency
        287946 by: Paul M Foster

Securing suexec PHP against local attacks by the webserver user
        287947 by: Andrew
        287969 by: Jochem Maas

Re: maybe we could all?
        287948 by: Marcus Gnaß
        287951 by: Nathan Rixham

Re: php get rss tag using DOM
        287949 by: Rob Richards

xls to pdf conversion in unix
        287950 by: Thodoris

Re: php validate user password
        287952 by: Andrew Williams
        287953 by: Jan G.B.
        287954 by: Michael Kubler
        287955 by: Stuart
        287957 by: Jan G.B.
        287959 by: Stuart
        287965 by: tedd
        287966 by: Bruno Fajardo

Re: PHP usage stats
        287956 by: tedd
        287960 by: Stuart
        287964 by: Andrew Ballard
        287972 by: tedd

Re: Adding Records & Capture The New Record ID
        287958 by: tedd
        287963 by: Andrew Ballard
        287967 by: tedd
        287970 by: Andrew Ballard
        287973 by: tedd

Re: require() causing strange characters ?
        287961 by: cr.vegelin.gmail.com

Newbie Help - No .php file extension
        287962 by: Hibbert Miller

Re: Interface OOP
        287968 by: Andrew Williams

PHP OOP
        287971 by: tedd

Administrivia:

To subscribe to the digest, e-mail:
        php-general-digest-subscr...@lists.php.net

To unsubscribe from the digest, e-mail:
        php-general-digest-unsubscr...@lists.php.net

To post to the list, e-mail:
        php-gene...@lists.php.net


----------------------------------------------------------------------
--- Begin Message ---
On Sun, Feb 08, 2009 at 08:04:19PM -0800, leledumbo wrote:

> 
> I've read the docs about class constants and found some inconsistency (at
> least according to my knowledge), namely in the following statement:
> 
> "The value must be a constant expression, not (for example) a variable, a
> class member, result of a mathematical operation or a function call."
> 
> Questions:
> Can't result of a mathematical operation be a constant expression? What is
> the answer of 1 + (2 - 3) * 4 / 5? Does it depend on a value that can't be
> determined immediately (i.e. variable)?
> 
> In the name of maintainability, we do need mathematical operation as
> constant expression (based on true story). For example, see the following
> code:
> 
> // constants used to add log entry
> 
> // authentication related
> const action_login          = 1;
> const action_logout         = action_login + 1;
> // sco related
> const action_create_sco     = action_logout     + 1;
> const action_search_sco     = action_create_sco + 1;
> const action_list_sco       = action_create_sco + 2;
> const action_edit_sco       = action_create_sco + 3;
> const action_delete_sco     = action_create_sco + 4;
> // eLesson related
> const action_create_lesson  = action_delete_sco    + 1;
> const action_search_lesson  = action_create_lesson + 1;
> const action_list_lesson    = action_create_lesson + 2;
> const action_edit_lesson    = action_create_lesson + 3;
> const action_delete_lesson  = action_create_lesson + 4;
> const action_export_lesson  = action_create_lesson + 5;
> const action_import_lesson  = action_create_lesson + 6;
> // eCourse related
> const action_create_course  = action_import_lesson + 1;
> const action_search_course  = action_create_course + 2;
> const action_list_course    = action_create_course + 3;
> const action_edit_course    = action_create_course + 4;
> const action_delete_course  = action_create_course + 5;
> const action_export_course  = action_create_course + 6;
> const action_import_course  = action_create_course + 7;
> const action_play_course    = action_create_course + 8;
> // profile related
> const action_edit_profile   = action_play_course  + 1;
> const action_edit_password  = action_edit_profile + 1;
> 
> Does any of them result in a non-constant expression? Well, I can easily
> substitute each value by hand. But what if I forget to add one (enough to get
> you frustrated) that should be inserted as the second entry? I need to
> adjust the other 23 (there are 24 of them) by hand! Using above code, I only
> need to adjust action_logout to action_login + 2 and everyone's happy.
> 
> In case anybody has a solution without altering the implementation, please
> tell me. I'm not a PHP master so I might be coding it in the wrong way.
> Please don't suggest define() since it has global scope (i.e. no
> encapsulation).
> 
> P.S.: I think this should work also for other constant expressions (e.g.
> string), like: "Hello " . "World"

Since the behavior of PHP is dictated to be this way by the designers
(and may not change in the near future or ever), you could solve this
another way. Make these "constants" into class variables. You could even
make them static if you like. No, it's not as clean as having them be
constants, and you'd have to type $this-> before using them, but it's an
alternative, in case you hadn't thought of it.

Paul

-- 
Paul M. Foster

--- End Message ---
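The workaround Paul describes, worked through as an added example (this is not code from the thread): the action IDs are assigned once, in order, by a static initialiser rather than by arithmetic in `const` declarations, so inserting a new action in the middle renumbers everything after it. The class name LogAction and the accessor names are assumptions, and the code assumes PHP 7.4 or later. For completeness: from PHP 5.6 on, a class constant may itself be defined from other constants (`const action_logout = self::action_login + 1;`), so on a current PHP the original listing works as written.

```php
<?php
// Added example (not from the original thread): sequential action IDs
// without depending on constant-expression arithmetic in `const`.
// The position of a name in NAMES defines its ID, so inserting a name
// renumbers everything that follows it automatically.
final class LogAction
{
    /** Ordered list of action names; the position defines the ID. */
    private const NAMES = [
        'login', 'logout',
        'create_sco', 'search_sco', 'list_sco', 'edit_sco', 'delete_sco',
        'create_lesson', 'search_lesson', 'list_lesson', 'edit_lesson',
        'delete_lesson', 'export_lesson', 'import_lesson',
        'create_course', 'search_course', 'list_course', 'edit_course',
        'delete_course', 'export_course', 'import_course', 'play_course',
        'edit_profile', 'edit_password',
    ];

    /** @var array<string,int>|null  name => id, built on first use */
    private static ?array $ids = null;

    private static function table(): array
    {
        if (self::$ids === null) {
            // IDs start at 1 and follow the order of NAMES.
            self::$ids = array_combine(self::NAMES, range(1, count(self::NAMES)));
        }
        return self::$ids;
    }

    /** Numeric ID for an action name; throws on unknown names. */
    public static function id(string $name): int
    {
        $table = self::table();
        if (!isset($table[$name])) {
            throw new InvalidArgumentException("unknown log action: $name");
        }
        return $table[$name];
    }

    /** Reverse lookup, e.g. when rendering a stored log entry. */
    public static function name(int $id): string
    {
        $name = array_search($id, self::table(), true);
        if ($name === false) {
            throw new InvalidArgumentException("unknown log action id: $id");
        }
        return $name;
    }
}

// Usage: IDs are looked up by name, never typed as literals elsewhere.
printf("%-16s => %d\n", 'login', LogAction::id('login'));
printf("%-16s => %d\n", 'create_course', LogAction::id('create_course'));
printf("id %d => %s\n", 24, LogAction::name(24));
```

Because the IDs are derived from the list rather than hard-coded, the only thing persisted in the log is the number, and `LogAction::name()` turns it back into the action when the entries are read.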
--- Begin Message ---
Hi,

I am trying to set up a site which can run securely on a shared hosting environment where users have a choice of running PHP scripts using suexec and FastCGI, or using mod_php and running the scripts as the same user as the webserver.

My scripts need to read a local file with the database password, and create files in a directory, and so I would of course like to use the suexec FastCGI option.

However, I'm struggling to find a way to do this securely, and none of the tutorials I found anywhere on setting this sort of environment up seem to address protection from local attackers running as the web server user.

I have set up a local mock-up of how the site will work as follows:
 => Apache with mod_fastcgi, suexec, and mod_access is set up.
 => All site components reside in /home/wwjargon/, with the userdir in /home/wwjargon/public_html
 => Most of my PHP code is outside of public_html. The only contents of public_html are:
      php.fcgi, which is the following shell script...
#!/bin/bash
export SERVER_SOFTWARE="Just in case"
export PHP_DOCUMENT_ROOT="/home/wwjargon/public_html/"
/usr/bin/php-cgi -c /home/wwjargon/php.ini

      meter.php, which controls access to the other PHP files, and requires them (from outside of public_html).
      .htaccess, which sets up redirects and the PHP action like the following:

RewriteRule .* - [E=METER_SCRIPT:/~wwjargon/meter.php]
RewriteCond %{REQUEST_URI} !/~wwjargon/meter.php
RewriteRule ^(.*)$ %{ENV:METER_SCRIPT}?q=$1 [L,QSA]
Action php-fcgi /php.fcgi
AddHandler php-fcgi .php

This configuration means that serving files works, but it also allows anyone who has access as the apache user (i.e. all other customers on the shared hosting) to run arbitrary PHP scripts as my username. Setting SERVER_SOFTWARE partially closed the hole, but not completely.

As an example of the attack...
$ whoami
www-data
$ cat >/tmp/myscript.php
<?php passthru('whoami >/tmp/compromised.txt');
$ SCRIPT_FILENAME=/tmp/myscript.php PATH_INFO=/home/wwjargon/public_html/meter.php /usr/lib/apache2/suexec "~wwjargon" wwjargon php.fcgi
X-Powered-By: PHP/5.2.6-2ubuntu4
Content-type: text/html

$ cat /tmp/compromised.txt
wwjargon

I could make this attack a bit harder by changing the environment variables in php.fcgi so it would only work for FastCGI and not for normal CGI, but a more motivated attacker could just write a fake FastCGI server to attack my script.

Setting PHP_DOCUMENT_ROOT in the environment and doc_root in php.ini didn't seem to stop the attack (although setting doc_root stops meter.php working, but not the attack), because PHP still happily serves up a document from /tmp/myscript.php, and --enable-force-cgi-redirect doesn't really have the potential to be of any help either because a local attacker could just set the same environment variables as the webserver to fake a redirect. I can't use the #!/usr/bin/php-cgi option because this is a FastCGI and not a CGI setup.

What can I do to prevent this sort of local attack against my suexec/PHP/FastCGI environment (short of getting a VPS or installing my own patched PHP at least)?

Thanks and Best Wishes,
Andrew


--- End Message ---
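One mitigation a site owner can add on the PHP side, as an added example (this is not code from the message or from the PHP project): a guard loaded through auto_prepend_file in the php.ini that php.fcgi already passes with -c, so it runs before whatever script PHP was asked to execute and refuses anything that does not resolve to a real file under the site's own web root. The paths are the ones from the message; the guard file name (fcgi_guard.php) and the constant ALLOWED_ROOT are assumptions. It also assumes that the CGI SAPI exposes the script it decided to run as $_SERVER['SCRIPT_FILENAME'], and that /home/wwjargon/php.ini and the guard file are owned by the site user and not writable by the webserver user.

```php
<?php
// Added example (not from the original message): a guard meant to be
// loaded via auto_prepend_file from the php.ini that php.fcgi passes
// with -c, so it runs before any script PHP is asked to execute.
//
// php.ini (assumed):
//   auto_prepend_file = /home/wwjargon/fcgi_guard.php

const ALLOWED_ROOT = '/home/wwjargon/public_html';   // assumed web root

/**
 * True when $scriptFilename names an existing file under $root.
 * realpath() collapses "..", symlinks and duplicate slashes, so a path
 * like /home/wwjargon/public_html/../../tmp/x.php is rejected, and the
 * trailing separator stops /home/wwjargon/public_html_evil from matching.
 */
function script_is_allowed(string $scriptFilename, string $root): bool
{
    $real = realpath($scriptFilename);
    $rootReal = realpath($root);
    if ($real === false || $rootReal === false || !is_file($real)) {
        return false;
    }
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0;
}

// Only enforce under a (Fast)CGI SAPI; the CLI is left alone so the file
// can be included from the command line or from tests.
if (PHP_SAPI !== 'cli') {
    $requested = $_SERVER['SCRIPT_FILENAME'] ?? '';
    if (!script_is_allowed($requested, ALLOWED_ROOT)) {
        // Record the rejected path for the site owner; tell the caller nothing useful.
        error_log('fcgi_guard: refused to run ' . var_export($requested, true));
        http_response_code(403);
        exit(1);
    }
}
```

The same prefix check can be done in php.fcgi itself before it execs php-cgi, which keeps the decision out of PHP entirely. Either way the guard only narrows what a caller of the wrapper can make PHP execute; it does not answer the question raised later in the thread of whether the webserver user should be able to reach suexec for this account at all, and it is no help against anyone who can already write files under /home/wwjargon.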
--- Begin Message ---
Andrew schreef:
> Hi,
> 

....

> 
> As an example of the attack...
> $ whoami
> www-data

isn't the whole point of suexec/PHP/FastCGI that the local user
has no access to the www-data account ... suexec switches to the
users account from the webserver account not the other way around.

so the attack is moot unless there is a completely different security
hole that allows the user to run stuff as www-data.

or am I being thick? ... could well be, socialists are renowned
for their stupidity ... just look at the eminent socialist George W.
Bush.

so if I am being thick ... I would appreciate an explanation
as to how the webuser account manages to run stuff in the context of
the webserver account, if you have the inclination.

PS - that last bit about socialism is off topic
PPS - I don't think I'm much of a socialist
PPPS - I'm sure I do suffer from stupidity now and again
PPPPS - but not as much as the guy whose world-view manages to
put Dubya into a socialist pigeonhole.

> $ cat >/tmp/myscript.php
> <?php passthru('whoami >/tmp/compromised.txt');
> $ SCRIPT_FILENAME=/tmp/myscript.php
> PATH_INFO=/home/wwjargon/public_html/meter.php /usr/lib/apache2/suexec
> "~wwjargon" wwjargon php.fcgi
> X-Powered-By: PHP/5.2.6-2ubuntu4
> Content-type: text/html
> 
> $ cat /tmp/compromised.txt
> wwjargon
> 
> I could make this attack a bit harder by changing the environment
> variables in php.fcgi so it would only work for FastCGI and not for
> normal CGI, but a more motivated attacker could just write a fake
> FastCGI server to attack my script.
> 
> Setting PHP_DOCUMENT_ROOT in the environment and doc_root in php.ini
> didn't seem to stop the attack (although setting doc_root stops
> meter.php working, but not the attack), because PHP still happily serves
> up a document from /tmp/myscript.php, and --enable-force-cgi-redirect
> doesn't really have the potential to be of any help either because a
> local attacker could just set the same environment variables as the
> webserver to fake a redirect. I can't use the #!/usr/bin/php-cgi option
> because this is a FastCGI and not a CGI setup.
> 
> What can I do to prevent this sort of local attack against my
> suexec/PHP/FastCGI environment (short of getting a VPS or installing my
> own patched PHP at least)?
> 
> Thanks and Best Wishes,
> Andrew
> 
> 


--- End Message ---
--- Begin Message ---
Nathan Rixham wrote:
Project: PHP Common Objects and Datatypes

Has anything been set up for project COD-pieces yet? I like this name! ;)

--- End Message ---
--- Begin Message ---
Marcus Gnaß wrote:
Nathan Rixham wrote:
Project: PHP Common Objects and Datatypes

Has anything been set up for project COD-pieces yet? I like this name! ;)


Hi Marcus,

Actually, yes it has - the project, well working group, has been called "voom".

So far there are 8 developers including myself; we've got 3 dedicated servers kindly donated by dan. Mailing list, irc room, single sign on, multiple svn repos including our own personal repos; fisheye for online source view, crucible for project reviews, jira as a bugtracker, confluence as a wiki; all the applications are integrated in with each other and we've also got a continuous integration build set-up coming for the main public projects; complete with code coverage, automated builds, maven integration and quite a lot more.

There are currently multiple projects on the go and all suggestions are welcome.

The members are all of varying skill levels and experience, with a great set of skills - in fact between us I think we cover about everything ;)

developer list so far:
Dan Brown, Edmund Hertle, Eric Butera, Jason Prium, Kyle Terry, Tedd Sperling, Myself and Paul (who's actually a bit tentative - ie is on mailing list but just noted nothing else..)

If you're interested just let me know and we'll get you introduced and set-up.

regards!

note: paul drop me a mail if you wanna get set-up properly, not heard from you for a few days.
--- End Message ---
--- Begin Message ---
Morris wrote:
I know rss_php, but it doesn't fit my solution.

Is anyone able to help me with my question?

thx

2009/2/8 Nathan Rixham <nrix...@gmail.com>

 Morris wrote:

Hi,

I am trying to write a programme to read a rss xml file.

...
<media:content url="*exampe.jpg*" ...>
...

   Can anyone tell me how to get the url attribute? I wrote some code
similar to:


 $doc = new DOMDocument;
 $doc->load($myFlickrRss);

 $r = $doc->getElementsByTagName('media:content');
 for($i=0;$i<$r->length;$i++)  {

 // help here

 }


use http://rssphp.net/ you can view the source online and it's all done
using DOMDocuments :)



First off, you should be using getElementsByTagNameNS since you are working with a namespaced document. I am assuming it's a Yahoo Media RSS feed, so you would get the elements via:

$r = $doc->getElementsByTagNameNS("http://search.yahoo.com/mrss/", "content");

Then to output the url attribute value:

foreach ($r AS $elem) {
   echo $elem->getAttribute("url") . "\n";
}

Rob

--- End Message ---
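Rob's namespace-aware lookup, carried through as an added example (this is not code from the thread): a function that returns the url attribute of every media:content element in a Media RSS document, run over a small feed constructed for the example. The function name media_content_urls and the sample feed are assumptions; the namespace URI is the one Rob gives.

```php
<?php
// Added example (not from the original thread): pull the url attribute
// from <media:content> elements with a namespace-aware lookup.

const MRSS_NS = 'http://search.yahoo.com/mrss/';

/** Returns the url attribute of every media:content element, in document order. */
function media_content_urls(string $rssXml): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);            // collect parse errors instead of warning
    // LIBXML_NONET: never follow network references (external DTDs, entities)
    // while parsing feed content that came from a third party.
    if (!$doc->loadXML($rssXml, LIBXML_NONET)) {
        throw new RuntimeException('feed is not well-formed XML');
    }
    $urls = [];
    // The prefix "media:" is only a label; the namespace URI identifies the
    // element, so look it up by URI and local name rather than by "media:content".
    foreach ($doc->getElementsByTagNameNS(MRSS_NS, 'content') as $elem) {
        if ($elem->hasAttribute('url')) {
            $urls[] = $elem->getAttribute('url');
        }
    }
    return $urls;
}

// Constructed sample feed: two items, the second with a media:content that has no url.
$sample = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/">
  <channel>
    <title>Example photos</title>
    <item>
      <title>First</title>
      <media:content url="http://example.com/first.jpg" type="image/jpeg"/>
    </item>
    <item>
      <title>Second</title>
      <media:content url="http://example.com/second.jpg" type="image/jpeg"/>
      <media:content type="video/mp4"/>
    </item>
  </channel>
</rss>
XML;

foreach (media_content_urls($sample) as $url) {
    echo $url, "\n";
}
```

The feed is passed in as a string rather than loaded straight from a URL so that fetching (with its own timeouts and size limits) stays separate from parsing; on PHP versions before 8.0, call libxml_disable_entity_loader(true) as well before parsing untrusted XML, since external entity loading is on by default there.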
--- Begin Message ---
Hi gang,
I did a little research to find out how someone can convert an xls file into a pdf and I found that you can use openoffice to do that (already done that in perl). My problem is that I need to find a way to do this without openoffice, using just PHP.

I know that I could probably parse the xls using a reader and then write the data in a pdf with a module (like fpdf or pdflib) but I will get into complications I cannot resolve.

So is there another way to do such a transformation. Give me your light...

--
Thodoris


--- End Message ---
--- Begin Message ---
Hi,

Can somebody help out on how to validate a user password from the database?

Thanks
Andrew

--- End Message ---
--- Begin Message ---
2009/2/9 Andrew Williams <andrew4willi...@gmail.com>:
> Hi,
>

Hi,
> Can somebody help out on how to validate a user password from the database?

There are several possibilities. This would be one.
<?php
$query = 'SELECT 1 from `usertable` where `name` = "' .
mysql_real_escape_string(STRIPPED_AND_TRIMMED_REQUEST_VAR_HERE)
      . '" AND `pass` = md5("' .
mysql_real_escape_string(STRIPPED_AND_TRIMMED_REQUEST_VAR_HERE) .
'");';
?>


>
> Thanks
> Andrew
>

Bye,bye

--- End Message ---
--- Begin Message ---
These days SHA should really be used instead of MD5, and you should be SALTing the password as well.
Here's a great guide : http://phpsec.org/articles/2005/password-hashing.html

Michael Kubler
*G*rey *P*hoenix *P*roductions <http://www.greyphoenix.biz>



Jan G.B. wrote:
2009/2/9 Andrew Williams <andrew4willi...@gmail.com>:
Can somebody help out on how to validate a user password from the database?

There are several possibilities. This would be one.
<?php
$query = 'SELECT 1 from `usertable` where `name` = "' .
mysql_real_escape_string(STRIPPED_AND_TRIMMED_REQUEST_VAR_HERE)
      . '" AND `pass` = md5("' .
mysql_real_escape_string(STRIPPED_AND_TRIMMED_REQUEST_VAR_HERE) .
'");';
?>



--- End Message ---
--- Begin Message ---
2009/2/9 Michael Kubler <mdk...@gmail.com>:
> These days SHA should really be used instead of MD5, and you should be
> SALTing the password as well.
> Here's a great guide : http://phpsec.org/articles/2005/password-hashing.html

Good advice. I would also advise against stripping and trimming
anything from passwords. By removing characters you're significantly
reducing the number of possible passwords.

-Stuart

> Jan G.B. wrote:
>>
>> 2009/2/9 Andrew Williams <andrew4willi...@gmail.com>:
>>
>>>
>>> Can somebody help out on how to validate a user password from the
>>> database?
>>>
>>
>> There are several possibilities. This would be one.
>> <?php
>> $query = 'SELECT 1 from `usertable` where `name` = "' .
>> mysql_real_escape_string(STRIPPED_AND_TRIMMED_REQUEST_VAR_HERE)
>>      . '" AND `pass` = md5("' .
>> mysql_real_escape_string(STRIPPED_AND_TRIMMED_REQUEST_VAR_HERE) .
>> '");';
>> ?>

-- 
http://stut.net/

--- End Message ---
--- Begin Message ---
2009/2/9 Stuart <stut...@gmail.com>:
> 2009/2/9 Michael Kubler <mdk...@gmail.com>:
>> These days SHA should really be used instead of MD5, and you should be
>> SALTing the password as well.
>> Here's a great guide : http://phpsec.org/articles/2005/password-hashing.html
>
> Good advice.

Absolutely. I used MySQL's md5() function only as an example.

> I would also advise against stripping and trimming
> anything from passwords. By removing characters you're significantly
> reducing the number of possible passwords.

Surely, the stripping should only be done when magic_quotes is
enabled! (e.g. your server makes \' out of ').
Trimming could be left out but it minimizes user errors and users
pretending to know their password.
(Like copy/paste from a passwords-file with added spaces on the end, etc..)

Regards

--- End Message ---
--- Begin Message ---
2009/2/9 Jan G.B. <ro0ot.w...@googlemail.com>:
> 2009/2/9 Stuart <stut...@gmail.com>:
>> I would also advise against stripping and trimming
>> anything from passwords. By removing characters you're significantly
>> reducing the number of possible passwords.
>
> Surely, the stripping should only be done when when magic_quotes is
> enabled! (e.g. Your Server makes \' out of ').

If you have this option switched on on your server you really need to
do everything you can to get rid of it. It's evil and has been
completely removed from PHP 6. But yes, if you're stuck with it then
you need to strip them before storage, but the poster did not make
that clear.

> Trimming could be left out but it minimizes user errors and users
> pretending to know their password.
> (Like copy/paste from a passwords-file with added spaces on the end, etc..)

Not sure what you mean by users pretending to know their password, but
if I put a space at the start or end of my password I would expect
that to add to its complexity and make it harder to guess. By
stripping it you're not doing anyone any favours.

-Stuart

-- 
http://stut.net/

--- End Message ---
--- Begin Message ---
At 2:02 PM +0000 2/9/09, Stuart wrote:
2009/2/9 Michael Kubler <mdk...@gmail.com>:
 These days SHA should really be used instead of MD5, and you should be
 SALTing the password as well.
 Here's a great guide : http://phpsec.org/articles/2005/password-hashing.html

Good advice. I would also advise against stripping and trimming
anything from passwords. By removing characters you're significantly
reducing the number of possible passwords.

I read the article and didn't find any objection to it, but before we all jump on the SHA bus, why can't we do this:

1. Allow the user to pick whatever password they want.

2. After entry, add a token string to it, such as 'a14fmw9'.

3. Do an MD5() hash and store the hash in the dB.

When the user wants to log back in:

1. They enter their password.

2. We add the token string ('a14fmw9') to it.

3. Then we MD5() the string and compare that hash with what's stored. That will work.

Furthermore, if the token string is stored in the script, or in a configuration file, and not in the database (as suggested by the author), then if someone obtains access to the database, all the dictionary and other such brute force attacks will be more difficult because the hashes are more complex than one would normally expect, right?

If not so, then where am I wrong?

Another scheme would be simply to use the user's password and generate a hash. Then reverse the user's password and generate another hash. Then shuffle the two hashes, or take pairs, or quads, or any number of other techniques to obscure the hash. As long as the process can be reversed, it will work.

From my limited view, a minor amount of work can throw a major monkey wrench in any method of trying to crack a hash -- am I wrong?

Cheers,

tedd

--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--- End Message ---
--- Begin Message ---
tedd,

I think that the problem of the "duplicated hashes" in the database
(in the case of two users using the same password) persists with a
constant prefix in the passwords. Although the random salt portion gets
stored in the database concatenated to the hash, the attacker doesn't
know the string length of the salt, making the attack very difficult.

Cheers

2009/2/9 tedd <tedd.sperl...@gmail.com>:
> At 2:02 PM +0000 2/9/09, Stuart wrote:
>>
>> 2009/2/9 Michael Kubler <mdk...@gmail.com>:
>>>
>>>  These days SHA should really be used instead of MD5, and you should be
>>>  SALTing the password as well.
>>>  Here's a great guide :
>>> http://phpsec.org/articles/2005/password-hashing.html
>>
>> Good advice. I would also advise against stripping and trimming
>> anything from passwords. By removing characters you're significantly
>> reducing the number of possible passwords.
>
> I read the article and didn't find any objection to it, but before we all
> jump on the SHA bus, why can't we do this:
>
> 1. Allow the user to pick whatever password they want.
>
> 2. After entry, add a token string to it, such as 'a14fmw9'.
>
> 3. Do an MD5() hash and store the hash in the dB.
>
> When the user wants to log back in:
>
> 1. They enter their password.
>
> 2. We add the token string ('a14fmw9') to it.
>
> 3. Then we MD5() the string and compare that hash with what's stored. That
> will work.
>
> Furthermore, if the token string is stored in the script, or in a
> configuration file, and not in the database (as suggested by the author),
> then if someone obtains access to the database, all the dictionary and other
> such brute force attacks will be more difficult because the hashes are more
> complex than one would normally expect, right?
>
> If not so, then where am I wrong?
>
> Another scheme would be simply to use the user's password and generate a
> hash. Then reverse the users password and generate another hash. Then
> shuffle the two hashes, or take pairs, or quads, or any number of other
> techniques to obscure the hash. As long as the process can be reversed, it
> will work.
>
> From my limited view, a minor amount of work can throw a major monkey wrench
> in any method of trying to crack a hash -- am I wrong?
>
> Cheers,
>
> tedd
>
> --
> -------
> http://sperling.com  http://ancientstones.com  http://earthstones.com
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

--- End Message ---
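The three points of this thread in one runnable piece, as an added example (not code from any of the posters): Jan's lookup rewritten with a bound parameter instead of string building, the per-user random salt that Michael and Bruno describe next to tedd's fixed token, and no trimming of the password, as Stuart recommends. It uses an in-memory SQLite database through PDO so it runs stand-alone; the table and column names, the two sample users and the function names are assumptions, and it needs PHP 7.0 or later for random_bytes().

```php
<?php
// Added example (not from the thread): parameterised login check with a
// per-user salt, and a comparison with a single fixed token for everyone.

// Hash with a per-user salt. The salt is stored beside the hash; it is not a
// secret, its job is to make equal passwords produce different hashes.
function make_password_record(string $password): array
{
    $salt = bin2hex(random_bytes(16));                 // 32 hex chars, per user
    $hash = hash('sha256', $salt . $password);         // password used as typed: no trim/strip
    return ['salt' => $salt, 'hash' => $hash];
}

// tedd's scheme: the same fixed token appended for every user.
function fixed_token_hash(string $password, string $token = 'a14fmw9'): string
{
    return md5($password . $token);
}

function setup_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE usertable (name TEXT PRIMARY KEY, salt TEXT NOT NULL, hash TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO usertable (name, salt, hash) VALUES (:name, :salt, :hash)');
    // Constructed sample users: both chose the same password.
    foreach (['alice' => 'correct horse', 'bob' => 'correct horse'] as $name => $pw) {
        $rec = make_password_record($pw);
        $ins->execute([':name' => $name, ':salt' => $rec['salt'], ':hash' => $rec['hash']]);
    }
    return $db;
}

// The shape from the thread, for comparison only (never executed here):
//   "SELECT 1 FROM usertable WHERE name = '" . $name . "' AND pass = md5('" . $pw . "')"
// Below, the name is bound, so quote characters in it cannot change the statement,
// and the hash comparison happens in PHP rather than inside the query.
function password_is_valid(PDO $db, string $name, string $password): bool
{
    $stmt = $db->prepare('SELECT salt, hash FROM usertable WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                                   // unknown user
    }
    $candidate = hash('sha256', $row['salt'] . $password);
    return hash_equals($row['hash'], $candidate);       // constant-time comparison
}

$db = setup_db();
var_dump(password_is_valid($db, 'alice', 'correct horse'));    // the real password
var_dump(password_is_valid($db, 'alice', 'correct horse '));   // trailing space is a different password
var_dump(password_is_valid($db, "x' OR '1'='1", 'anything'));  // quoting in the name is just a name

// Two users, one password: the fixed token gives identical hashes,
// the per-user salt gives different ones (Bruno's "duplicated hashes" point).
echo "fixed token: ", fixed_token_hash('correct horse') === fixed_token_hash('correct horse') ? "duplicate\n" : "distinct\n";
$rows = $db->query('SELECT name, hash FROM usertable ORDER BY name')->fetchAll(PDO::FETCH_KEY_PAIR);
echo "salted:      ", $rows['alice'] === $rows['bob'] ? "duplicate\n" : "distinct\n";
```

The explicit salt-and-SHA-256 construction is here to make the thread's argument visible; for a real application, password_hash() and password_verify() (PHP 5.5 and later) generate and store the per-user salt for you and use a deliberately slow hash, which is what makes offline guessing expensive when the table leaks.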
--- Begin Message ---
 > Now maybe you didn't mean it that way, but IMO that appears more demeaning
 of the poster than providing help. I'm surprised, because that's not typical
 of you nor this list.

Indeed. Not really sure what I was thinking when I wrote it and I
apologise for the attitude.

We all have off days, no problem -- thanks for the apology.

On my side of the world, it's amazing how ignorant people are.

I have administrators at the college, where I teach, who think that php is nothing more than a fad and not anything serious. In fact, I talked to their web guy, who is an avid php/mysql developer, and he says that the administration is asking to have php and mysql removed completely from their server. They only want asp and oracle. In the last 6 years they have spent over $22 million on trying to get oracle to work and it still hasn't.

That's the reason why I've been looking for php stats.

Cheers,

tedd

--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--- End Message ---
--- Begin Message ---
2009/2/9 tedd <tedd.sperl...@gmail.com>:
>>  > Now maybe you didn't mean it that way, but IMO that appears more
>> demeaning
>>>
>>>  of the poster than providing help. I'm surprised, because that's not
>>> typical
>>>  of you nor this list.
>>
>> Indeed. Not really sure what I was thinking when I wrote it and I
>> apologise for the attitude.
>
> We all have off days, no problem -- thanks for the apology.
>
> On my side of the world, it's amazing how ignorant people are.
>
> I have administrators at the college, where I teach, who think that php is
> nothing more than a fad and not anything serious. In fact, I talked to their
> web guy, who is an avid php/mysql developer, and he says that the
> administration is asking to have php and mysql removed completely from their
> server. They only want asp and oracle. In the last 6 years they have spent
> over $22 million on trying to get oracle to work and it still hasn't.
>
> That's the reason why I've been looking for php stats.

I think people are like that everywhere, particularly above a certain
level of management in my experience. I wish you luck in convincing
them but I've found that PHP rarely wins when put up against the sales
and marketing budgets available to Microsoft and Oracle.

It's going to take a while for the majority of people to stop equating
free with worthless or risky when the truth is that products from
closed corporations carry more risk than open source software. You
should tell them your QuickBasic story - that might start some mental
cogs turning in their heads.

-Stuart

-- 
http://stut.net/

--- End Message ---
--- Begin Message ---
On Sun, Feb 8, 2009 at 3:37 PM, Paul M Foster <pa...@quillandmouse.com> wrote:
> On Sun, Feb 08, 2009 at 03:20:48PM -0500, tedd wrote:
>
>> At 3:54 PM +0000 2/8/09, Stuart wrote:
>>> 2009/2/8 tedd <tedd.sperl...@gmail.com>:
>>>
>>>  > I wasn't able to find a lot of information, but here's a useful link:
>>>>
>>>  > http://www.tiobe.com/index.php/content/paperinfo/tpci/index.html
>>>
>>> Tedd, that's a list of programming languages, not web development
>>> languages.
>>
>> The list shows php, javascript, ruby, and perl -- are those NOT web
>> development languages?!?
>>
>> -----
>>
>>> I have no doubt that C# + VB accounts for more development
>>> in the world than PHP. Both are used extensively in non-web
>>> development whereas PHP is not.
>>>
>>>  > If you find any information of the numbers of php users out there,
>> please
>>>  > let me know.
>>>
>>> When you consider how such a thing would be measured it won't take
>>> long to realise why the number is not available. You have to bear in
>>> mind non-public use which will not be insignificant, servers where PHP
>>> is not advertised and a multitude of other reasons why any number you
>>> could come up with *will* be wrong, and therefore pretty useless.
>>>
>>> Why anyone would see value in such a number is beyond me. IMHO the
>>> community that exists around it and the number of jobs out there
>>> requiring PHP should be enough to convince anyone that it's not an
>>> insignificant player.
>>
>> -Stuart
>>
>> I guess I'm not all that bright. To me a programming language is a
>> programming language regardless of platform or purpose -- that was so
>> when I was programming FORTRAN on Phoenix I, or Applesoft on Apple
>> ]['s, or postscript on HI's; or ANSI C on Alphas, or FutureBasic and
>> C/C++ on Macs, or PHP on Apache, or Javascript on IE -- they are all
>> the same to me. I'm just trying to get a handle on the number of
>> people who program in php -- what's wrong with wanting to know that
>> figure?
>>
>> Look, I teach at the local college and am trying to get PHP/MySQL
>> courses to be taught there. I have superiors who are asking "How does
>> PHP stack up against ASP?" which the college teaches AS THE web
>> development language. I really can't go back to them and say "Well,
>> everyone just *knows* PHP is a significant player" -- that's not
>> proof.
>
> Perhaps a better question then might be how many IIS servers are there
> out there compared to Apache. Apache servers uniformly support PHP, but
> I think only IIS servers support ASP (I could be wrong).

We're running PHP under IIS where I currently work. For that matter,
I'm pretty sure the headers spit out that both ASP.NET and PHP are
supported on these machines, even though we're not currently using
ASP.NET.


Andrew

--- End Message ---
--- Begin Message ---
At 2:41 PM +0000 2/9/09, Stuart wrote:
I think people are like that everywhere, particularly above a certain
level of management in my experience. I wish you luck in convincing
them but I've found that PHP rarely wins when put up against the sales
and marketing budgets available to Microsoft and Oracle.

It's going to take a while for the majority of people to stop equating
free with worthless or risky when the truth is that products from
closed corporations carry more risk than open source software. You
should tell them your QuickBasic story - that might start some mental
cogs turning in their heads.

Yes, that's another story.

Cheers,

tedd

--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--- End Message ---
--- Begin Message ---
At 9:00 AM +1100 2/9/09, Chris wrote:
Person a signs up with em...@example.com

Before you are able to fetch the result (which is possible in a high traffic site), person b also signs up with em...@example.com

Going back to person a, when you fetch, you get record #2 instead of #1.

They are not the same record.

Not a great example because you probably wouldn't have people using the same address from different locations, but it's just to demonstrate the problem of doing it this way.

That's not true, or at least I don't believe it.

If I have a script that has opened and established a communication link with a dB and has just created a new record with a unique email address and the code immediately (next few lines in the script) follows that action with asking the dB to pull the record just created with that email address, then I AM getting the same record regardless -- there are no RACE conditions here.

Keep in mind that I AM using unique identifiers, such as a logon/password or email address. If I create a record using that unique identifier and then ask the dB to deliver it, then it is without doubt the same record.

If I was not using a unique identifier, then I would agree with you. But unique is unique -- it makes no difference if it's a record ID or email address -- both are unique.

Cheers,

tedd

--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--- End Message ---
--- Begin Message ---
On Mon, Feb 9, 2009 at 9:25 AM, tedd <tedd.sperl...@gmail.com> wrote:
> At 9:00 AM +1100 2/9/09, Chris wrote:
>>
>> Person a signs up with em...@example.com
>>
>> Before you are able to fetch the result (which is possible in a high
>> traffic site), person b also signs up with em...@example.com
>>
>> Going back to person a, when you fetch, you get record #2 instead of #1.
>>
>> They are not the same record.
>>
>> Not a great example because you probably wouldn't have people using the
>> same address from different locations, but it's just to demonstrate the
>> problem of doing it this way.
>
> That's not true, or at least I don't believe it.

Well, that's your prerogative. :-)

> If I have a script that has opened and established a communication link with
> a dB and has just created a new record with a unique email address and the
> code immediately (next few lines in the script) follows that action with
> asking the dB to pull the record just created with that email address, then
> I AM getting the same record regardless -- there are no RACE conditions
> here.

Yes, there could be race conditions. The race condition won't come
from within the same request, but unless you have *defined* a UNIQUE
INDEX/CONSTRAINT on the column as Chris suggested, it is possible
(however unlikely you believe it is) for another request to come in at
nearly the same time (either another user or someone who manages to
double-submit your form, say, by double-clicking the button) with the
same value. In that case, each request will execute an insert into the
database, and it's anyone's guess which record(s) they will get when
they try to select it back out. The unique index/constraint will
prevent this as it will only allow one of those records in. The other
will fail.

> Keep in mind that I AM using unique identifiers, such as a logon/password or
> email address. If I create a record using that unique identifier and then
> ask the dB to deliver it, then it is without doubt the same record.
>
> If I was not using an unique identifier, then I would agree with you. But
> unique is unique -- it makes no difference if it's a record ID or email
> address -- both are unique.

You are right, but the point is that if you intend something to be
unique then you should declare it as such in the database.


Andrew

--- End Message ---
--- Begin Message ---
At 9:54 AM -0500 2/9/09, Andrew Ballard wrote:
You are right, but the point is that if you intend something to be
unique then you should declare it as such in the database.

We didn't discuss that.

You are saying that if I checked my database for an email address and find it's not there [1] and then create a record for it [2] that sometime after [1] and before [2] someone else could create a record with the exact same email address -- is that it?

If so, then there would be two records with the same email address -- that would be a problem regardless of whether I was asking for the email address or the record's ID. On one hand I would get the record that someone else just created and on the other hand, I would get the record I just created. In either case, it would be a mistake -- I see.

Also, if the field was declared as unique, then my script to create my record would fail.

So the only way to do this properly is to declare the field unique, lock down the database between [1] and [2] and check for errors afterwards -- interesting.

Thanks,

tedd

--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--- End Message ---
--- Begin Message ---
On Mon, Feb 9, 2009 at 10:27 AM, tedd <tedd.sperl...@gmail.com> wrote:
> At 9:54 AM -0500 2/9/09, Andrew Ballard wrote:
>>
>> You are right, but the point is that if you intend something to be
>> unique then you should declare it as such in the database.
>
> We didn't discuss that.
>
> You are saying that if I checked my database for a email address and find
> it's not there [1] and then create a record for it [2] that sometime after
> [1] and before [2] someone else could create a record with the exact same
> email address -- is that it?

Yes. For small sites with little traffic this is probably unlikely,
but it's possible.

> If so, then there would be two records with the same email address -- that
> would be a problem regardless of if I was asking for the email address or
> the record's ID. On one hand I would get the record that someone else just
> created and on the other hand, I would get the record I just created. In
> either case, it would be a mistake -- I see.
>
> Also, if the field was declared as unique, then my script to create my
> record would fail.

Correct, but I believe it does so silently, meaning you'll have to
check for mysql_error() to make sure no errors were returned and/or
mysql_affected_rows() === 1 to make sure that exactly one record was
inserted.

> So the only way to do this properly is to declare the field unique, lock
> down the database between [1] and [2] and check for errors afterwards --
> interesting.

Close, but not exactly. If you declare a UNIQUE INDEX on the column,
you don't need to lock down the database between 1 and 2. The DBMS
should handle that for you internally. You just run your insert
process as normal, except that you add a check afterward to make sure
that it was successful (which you should be doing anyway).

Andrew

--- End Message ---
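The insert-then-fetch step from the exchange above, as an added example that is not part of the thread. It uses PDO with an in-memory SQLite database (instead of the mysql_* functions discussed) so it runs stand-alone; the table name, column names and the registerUser() helper are assumptions.

```php
<?php
// Added example (not from the thread): register a user, then get the new
// record ID back without a second request being able to hand us its record.
// In-memory SQLite via PDO; the same pattern applies to MySQL with a UNIQUE
// INDEX on the email column.

function createUserTable(PDO $db) {
    $db->exec('CREATE TABLE users (
        id    INTEGER PRIMARY KEY AUTOINCREMENT,
        email TEXT NOT NULL UNIQUE   -- the constraint that closes the race
    )');
}

// Returns the new record ID, or null when the email already exists.
// lastInsertId() is bound to this connection's own INSERT, so it cannot
// return a row that another request inserted at nearly the same time.
function registerUser(PDO $db, $email) {
    $stmt = $db->prepare('INSERT INTO users (email) VALUES (:email)');
    try {
        $stmt->execute(array(':email' => $email));
    } catch (PDOException $e) {
        // SQLSTATE 23000 = integrity constraint violation (duplicate key):
        // the DBMS rejected the second copy, so report it instead of guessing
        if ($e->getCode() == '23000') {
            return null;
        }
        throw $e;
    }
    // The "check afterward" from the thread: exactly one row must have gone in
    if ($stmt->rowCount() !== 1) {
        return null;
    }
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createUserTable($db);

// Constructed sample: the second call repeats the first address, which is
// the double-submit / concurrent-signup case and is rejected by the constraint
$first  = registerUser($db, 'a@example.com');
$second = registerUser($db, 'a@example.com');
$third  = registerUser($db, 'b@example.com');
var_dump($first, $second, $third);
```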
--- Begin Message ---
At 10:55 AM -0500 2/9/09, Andrew Ballard wrote:
-snip-

Andrew

As I said many times before.

I've learned something new every day of my life -- and I'm getting damned tired of it.

Thanks for the lesson.

Cheers,

tedd
--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--- End Message ---
--- Begin Message ---
Thanks Nisse,

----- Original Message ----- From: "Nisse Engström" <news.nospam.0ixbt...@luden.se>
To: <php-gene...@lists.php.net>
Sent: Sunday, February 08, 2009 6:06 PM
Subject: Re: [PHP] Re: require() causing strange characters ?


On Fri, 6 Feb 2009 10:11:49 +0100, cr.vege...@gmail.com wrote:

I saved both scripts with ANSI in stead of UTF-8 and the problem is gone.
So the utf-8 BOM character (Byte Order Mark) caused it.
Unfortunately my editor has no option to store BOM-free scripts.

Is it standard that PHP scripts should be saved without a BOM character ?

This is not a PHP matter, unless PHP 6 (which will have
Unicode support) does something with it. PHP 5 just outputs
it as is.

A BOM character is supposed to be the *first* character in
a text stream. Otherwise it should be treated as a
ZERO WIDTH NON-BREAKING SPACE.

<http://unicode.org/faq/utf_bom.html#bom1>

Test results ...
If "test.php" (utf8) requires "echo.php" (utf8), page source has "C�testD",
size 9
If "test.php" (ansi) requires "echo.php" (utf8), page source has
"CtestD", size 7
If "test.php" (ansi) requires "echo.php" (ansi), page source has "CtestD",
size 6

The reason for asking is that sometimes "" is displayed on some pages.

That means you've used a utf-8 BOM in a page using an 8-bit
character encoding (eg. iso-8859-1 or similar), or that you
have utf-8 encoded it twice.
/Nisse

I've tested it again, from scratch with Notepad editor:

echoUTF8.php        <?php require("echoUTF8sub.php"); ?>
echoUTF8sub.php   <?php echo "test"; ?>
and keep getting strange characters.

Would you be so kind to run these 2 scripts on your pc ?

TIA, Cor



--- End Message ---
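A check for the problem Cor describes, as an added example that is not part of the thread: it finds PHP files that start with a UTF-8 BOM and can strip it, since the three BOM bytes of an included file are otherwise copied straight into the output. The helper names and the sample strings are my own.

```php
<?php
// Added example (not from the thread): detect and strip a leading UTF-8 BOM.
// A BOM only belongs at the very start of a stream; when a required file
// begins with one, PHP 5 echoes those three bytes into the page as-is.

define('UTF8_BOM', "\xEF\xBB\xBF");

function hasUtf8Bom($bytes) {
    return substr($bytes, 0, 3) === UTF8_BOM;
}

function stripUtf8Bom($bytes) {
    return hasUtf8Bom($bytes) ? substr($bytes, 3) : $bytes;
}

// List every .php file under $dir that starts with a BOM; with $fix = true
// the file is rewritten without it (a workaround for editors that cannot
// save BOM-free files).
function findBomFiles($dir, $fix = false) {
    $found = array();
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir));
    foreach ($it as $file) {
        if (!$file->isFile() || substr($file->getFilename(), -4) !== '.php') {
            continue;
        }
        $path  = $file->getPathname();
        $bytes = file_get_contents($path);
        if (hasUtf8Bom($bytes)) {
            $found[] = $path;
            if ($fix) {
                file_put_contents($path, stripUtf8Bom($bytes));
            }
        }
    }
    return $found;
}

// Constructed sample mirroring the test above: the included script's output
// "test" arrives with a BOM in front of it, which adds three bytes between
// "C" and "D"; stripping the BOM removes exactly those bytes.
$sub   = UTF8_BOM . 'test';
$with  = 'C' . $sub . 'D';
$clean = 'C' . stripUtf8Bom($sub) . 'D';
printf("with BOM: %d bytes, without BOM: %d bytes\n", strlen($with), strlen($clean));
```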
--- Begin Message ---
Hello, I have been asked to install an existing PHP/MySQL application on a
system using Windows Vista.

I have installed PHP 5.2.8, MySQL 5.1.31 and IIS 7.0. PHP is working as
expected (I created a test page which displays the output from phpinfo()).

The application in question posts to a login page from an index page called
index.php. However, the form's action is simply set to "login", and not
login.php as expected. Further checking revealed that all links in the
application appear to exclude the file extensions.

I have combed through the php.ini file and have not been able to find any
configuration setting that deal with this. I have also tried configuring IIS
to send all requests to PHP by setting the Handler Mapping to "*" instead of
just "*.php".

Thank you in advance for any information you may be able to provide.

HM

--- End Message ---
--- Begin Message ---
Hi,

I am working on a back end OOP project with about 18 classes of Object
but some of the Objects share one or two functions in common, like external
login system. What is the best way to avoid a repeatable function among the
classes without using global object instance.

<?php
// Shared login object reached through a global from each class
// (the pattern the question asks how to avoid)
class a
{
    function ExtractRawData()
    {
        global $loginObj;
        if ($loginObj->GetLoginSession()) {
            // process
        }
    }
}

class b
{
    function JohnXchange()
    {
        global $loginObj;
        if ($loginObj->GetLoginSession()) {
            // process
        }
    }
}

class login
{
    private $validate = false;

    function loginSession($pwd, $acc, $customerAcc)
    {
        // externalServerObject() stands for the connection to the external
        // login server
        $this->validate = externalServerObject($pwd, $acc, $customerAcc);
    }

    function GetLoginSession()
    {
        return $this->validate;
    }
}



Andrew Williams
http//www.willandy.co.uk





-- 
Best Wishes
Andrew Williams

--- End Message ---
--- Begin Message ---
Hi gang:

At the college where I teach, they are considering teaching OOP, but they don't want to settle on a specific language.

My thoughts are it's difficult to teach OOP without a language -- while the general concepts of OOP are interesting, people need to see how concepts are applied to understand how they work -- thus I think a specific language is required.

I lean toward C++ because I wrote in it for a few years AND C++ appears to be the most common, widespread, and popular OOP language.

However, while I don't know PHP OOP, I am open to considering it because of the proliferation of web based applications. My personal opinion is that's where all programming is headed anyway, but that's just my opinion.

With that said, what are the differences and advantages/disadvantages between C++ and PHP OOP?

Cheers,

tedd


--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--- End Message ---

Reply via email to