php-general Digest 15 Feb 2009 03:30:39 -0000 Issue 5959

Topics (messages 288257 through 288276):

Re: for the security minded web developer - secure way to login?
        288257 by: German Geek
        288259 by: Michael A. Peters
        288265 by: Sudheer
        288266 by: Sudheer
        288267 by: Michael A. Peters

Heredoc inside eval?
        288258 by: Michael
        288261 by: Nitsan Bin-Nun
        288262 by: Michael
        288263 by: Nitsan Bin-Nun
        288264 by: Michael

Google Apps AuthSub = missing $_GET element
        288260 by: John Corry

Sorting times
        288268 by: tedd
        288269 by: John Corry
        288270 by: Shawn McKenzie
        288271 by: Shawn McKenzie
        288272 by: Shawn McKenzie

Re: Sorting times (SOLVED)
        288273 by: tedd
        288276 by: Shawn McKenzie

Simple Search Logic Issue...
        288274 by: revDAVE

Re: list all constitute group of array ?
        288275 by: Clancy


----------------------------------------------------------------------
--- Begin Message ---
Hi gang,

Was just thinking of a cheap solution for sites that don't require absolute
security. A SSL cert cost about $150 a year. Sites like facebook could use
this... Of course it's not for banks etc.

You could degrade gracefully when javascript is turned off to just sending
the form and checking the password normally if the first test fails which
would happen anyway wouldnt it? ...

Mainly this was just ment to be a proof of concept. An alternative to SSL
for those who have more time than $$ and not quite so high a security
requirement.

Of course SSL is better! Duh! Just wanted to give you guys something to
think about. The password would not be given away like this would it? It
just makes it a little more difficult for script kiddies. They would have to
have a keylogger running or steal the session. :P

Regards,
Tim

Tim-Hinnerk Heuer

http://www.ihostnz.com
Mike Ditka  - "If God had wanted man to play soccer, he wouldn't have given
us arms."

2009/2/15 Michael A. Peters <mpet...@mac.com>

> Dotan Cohen wrote:
>
>
>> Have you seen the fit Firefox 3 makes for self-signed certs? So far as
>> the end user is concerned, the site is inaccessible.
>>
>>
> Yes I have.
> That's why on my site I have an instruction page - and a demonstration of
> how Opera does it, which is just as secure and less of a PITA, and a
> suggestion that users go ahead and try Opera - something I never did before
> FF messed up the self signed SSL process.
>
> The FF3 really bugged me -
>
> 1) The purpose of SSL is to provide public/private key encryption.
> 2) The purpose of signing is so that they know you are really you on future
> visits.
> 3) The purpose of certificate authorities is so that they know you are you
> on the first visit.
>
> Many web sites benefit from the first two without needing the complexity of
> the third, a concept FireFox seems to have lost.
>
> I don't need the paperwork hassle etc. for the few sites I run - I just
> need a way for a user to authenticate so I can give 'em a session cookie, no
> sensitive data is ever collected. Ah well.
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

--- End Message ---
--- Begin Message ---
German Geek wrote:
> Hi gang,
>
> Was just thinking of a cheap solution for sites that don't require absolute
> security. A SSL cert cost about $150 a year. Sites like facebook could use
> this...

Sites (like mine) that don't want to pay a certificate authority can use a self-signed cert. Even Red Hat does for some of their stuff (i.e. I believe their bugzilla server)
--- End Message ---
--- Begin Message ---
Michael A. Peters wrote:
> German Geek wrote:
>> Hi gang,
>>
>> Was just thinking of a cheap solution for sites that don't require absolute security. A SSL cert cost about $150 a year. Sites like facebook could use this...
>
> Sites (like mine) that don't want to pay a certificate authority can use a self-signed cert. Even Red Hat does for some of their stuff (i.e. I believe their bugzilla server)

Firefox scares its users when they encounter a website with a self-signed certificate. If your website users aren't worried about the warning Firefox throws at them, a self-signed cert works well.


--

With warm regards,
Sudheer. S
Business: http://binaryvibes.co.in, Tech stuff: http://techchorus.net, 
Personal: http://sudheer.net


--- End Message ---
--- Begin Message ---


> Firefox scares its users when they encounter a website with a self-signed certificate. If your website users aren't worried about the warning Firefox throws at them, a self-signed cert works well.


I just realized Dotan Cohen already mentioned this.



--

With warm regards,
Sudheer. S
Business: http://binaryvibes.co.in, Tech stuff: http://techchorus.net, 
Personal: http://sudheer.net


--- End Message ---
--- Begin Message ---
Sudheer wrote:
> Michael A. Peters wrote:
>> Sites (like mine) that don't want to pay a certificate authority can use a self-signed cert. Even Red Hat does for some of their stuff (i.e. I believe their bugzilla server)
>
> Firefox scares its users when they encounter a website with a self-signed certificate. If your website users aren't worried about the warning Firefox throws at them, a self-signed cert works well.

Yeah it does, hopefully they fix it.
What scares me is allowing sites I have no reason to trust as non-malicious and have no reason to trust as properly secured against XSS injection to load scripts that execute on my machine.

People who use Firefox may be scared by the absurd warning Firefox 3 uses (something I've complained about to them) - other than informing users of the issue and hoping some read it, not much I can do about that. Hopefully Firefox will fix the issue and do something like what Opera does (accept the cert for session if you just click OK, accept it permanently if you click the security tab and check a box first).
--- End Message ---
--- Begin Message ---
I have a html template with php variables. I then run it through eval().
All that works fine. Problem is that when I add simple html attributes or javascript calls I need to use single or double quotes. And this is where eval throws an error. So I then used htmlspecialchars to mask all the non-php code and then decode after eval. Then I remembered the heredoc syntax which allows both single and double quotes. So I wrote this line:

        eval("\$html=<<<hds\n\r$html;\n\rhds;");

But eval keeps giving me a parse error:

        Parse error: syntax error, unexpected $end in index.php(33) :
        eval()'d code on line 13

I have tried using \r\n instead which returns error at line 11.
If I wrap the variable in {} as it should results in line 11 also.
If I insert a space after the 'hds' I get a T_SL error.
I have tried to make a wrapper heredoc variable for $html but that didn't have any effect.

I am running out of ideas...

--- End Message ---
--- Begin Message ---
For instance you have:
<html><bla><?php echo "abcd";?></bla></html>

The simplest way to eval() it is to use:
eval("?>" . $string_of_html_and_php . "<?php");

And for what you asked, try this one:

eval("\$html = <<<hds
$html;
hds;");

It might work.

HTH,
Nitsan

On Sat, Feb 14, 2009 at 3:58 PM, Michael <m...@criion.net> wrote:

> I have a html template with php variables. I then run it through eval().
> All that works fine. Problem is that when I add simple html attributes or
> javascript calls I need to use single or double quotes. And this is where
> eval throws an error. So I then used htmlspecialchars to mask all the
> non-php code and then decode after eval. Then I remembered the heredoc
> syntax which allows both single and double quotes. So I wrote this line:
>
>        eval("\$html=<<<hds\n\r$html;\n\rhds;");
>
> But eval keeps giving me a parse error:
>
>        Parse error: syntax error, unexpected $end in index.php(33) :
>        eval()'d code on line 13
>
> I have tried using \r\n instead which returns error at line 11.
> If I wrap the variable in {} as it should results in line 11 also.
> If I insert a space after the 'hds' I get a T_SL error.
> I have tried to make a wrapper heredoc variable for $html but that didn't
> have any effect.
>
> I am running out of ideas...
>

--- End Message ---
--- Begin Message ---
Sorry for not including a code example of the template.

<html>
..
        <div>{$content}</div>

This template I read into a variable using file_get_contents() so I don't think escaping php will work but I will have to test this.

Your suggestion for the heredoc problem is simple, yet I didn't think of it :D

Thanks for help, I'll post back when I have tested it.

For others who come across this situation, the way I solved it was to simply use the addslashes()/stripslashes() functions as they only target double quotes by default. Should be (much?) less cpu intensive than using htmlspecialchars() as most of the html template would be altered.
--- End Message ---
--- Begin Message ---
I haven't figured from your sayings if my solutions worked? I haven't tested
them so I thought you would check them out ;)

Nitsan

On Sat, Feb 14, 2009 at 6:59 PM, Michael N. Madsen <m...@criion.net> wrote:

> Sorry for not including a code example of the template.
>
> <html>
> ..
>        <div>{$content}</div>
>
> This template I read into a variable using file_get_contents() so I don't
> think escaping php will work but I will have to test this.
>
> Your suggestion for the heredoc problem is simple, yet I didn't think of it
> :D
>
> Thanks for help, I'll post back when I have tested it.
>
> For others who come across this situation, the way I solved it was to
> simply use the addslashes()/stripslashes() functions as they only target
> double quotes by default. Should be (much?) less cpu intensive than using
> htmlspecialchars() as most of the html template would be altered.
>
>

--- End Message ---
--- Begin Message ---
Hehe ok..

First problem was that eval() was giving an error because there were double quotes in the template.

Second problem was an attempt to fix problem 1 by wrapping the template in a heredoc syntax.

Problem 1 I solved as described with add/strip-slashes().

Out of curiosity I will test your suggestions to see if they would have worked and this I will post back on :)
--- End Message ---
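
Added example, not part of the thread: the template described above (a file read with file_get_contents() that mixes {$content}-style placeholders with ordinary HTML quotes) can be filled without eval(), so quotes in the markup never reach the PHP parser and nothing in the template or its values is executed as code. render_template(), the sample template and the sample values are hypothetical.

```php
<?php
// Added example (not from the thread): fill {$name} placeholders without eval().
// render_template() and the sample template/values below are hypothetical.

function render_template(string $template, array $vars, array $rawKeys = []): string
{
    // Match {$identifier} exactly as it is written in the template file.
    return preg_replace_callback(
        '/\{\$([A-Za-z_][A-Za-z0-9_]*)\}/',
        function (array $m) use ($vars, $rawKeys): string {
            $name = $m[1];
            if (!array_key_exists($name, $vars)) {
                // Unknown placeholder: leave it visible rather than guessing.
                return $m[0];
            }
            $value = (string) $vars[$name];
            // Values are HTML-escaped unless the caller listed the key as
            // markup it already trusts.
            return in_array($name, $rawKeys, true)
                ? $value
                : htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
        },
        $template
    );
}

// Constructed sample standing in for file_get_contents('template.html').
// Single and double quotes in the markup need no masking at all.
$template = <<<'TPL'
<html>
  <body onload="init('main')">
    <h1 class="title">{$title}</h1>
    <div>{$content}</div>
    <p>{$missing}</p>
  </body>
</html>
TPL;

echo render_template($template, [
    'title'   => 'Tom\'s "quoted" <title>',
    'content' => '<p>Trusted markup; a literal $price or "; stays plain text.</p>',
], ['content']);
```

Because the substitution is a plain string replacement, a value containing "; or <?php is output as text instead of being parsed, which addslashes() in front of eval() does not guarantee.
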
--- Begin Message ---
I am completely baffled by this.

I have a PHP script that is using Cameron Hinkle's LightweightPicasaAPIv3 to authenticate with the Google Picasa service using the AuthSub method.

Basically, if we're not authenticated, redirect to the google authsub URL: (https://www.google.com/accounts/AuthSubRequest?next=http%3A%2F%2Ftwozerowest.com%2Fsnowdog%2520gallery%2Fadmin.php&scope=http%3A%2F%2Fpicasaweb.google.com%2Fdata%2Ffeed%2Fapi&session=1 )

This page requests that the user either grant access or deny access.

Grant access takes us to the URL specified (my authentication script) with a ?token=xxxxx added to the end of the URL.

This all works. We get back to my URL with ?token=xxxxx appended to the URL.

That's when it starts getting weirder than anything I've seen in PHP:
My debugging output confirms that:
1. $_SERVER['request_method'] = GET
2. strlen($_GET['token']) = 0
3. $_GET - array()...but it's empty!
4. $_REQUEST[] contains no 'token' element
5. echo($_GET['token']) prints the value of ?token= from the URL

So WTF?

My code:

Note the comments inside/around the try/catch statement inside the if block.

WTF? This evaluates to false...or seems to anyway. Code that is inside its if{} statement does not execute.
if(strlen($_GET['token']) > 0)

But then, other code that IS in its if{} statement DOES execute...and the $_GET['token'] that has a 0 strlen in the if() statement now echoes as a 16 character string!

WTF!!???

if(strlen($_GET['token']) > 0) {
        // evaluates ???...
        $firephp->info('got a token: ' . $_GET['token']); #this doesn't happen
        echo ('echo $_GET[\'token\'] output: ' . $_GET['token']); #this doesn't happen
        // try to authenticate with it

        # this try/catch block DOES NOT happen!
        try{
            $token = $pic->authorizeWithAuthSub($_GET['token']);
            $firephp->info('running authorizeWithAuthSub() with token: ' . $_GET['token']);
            if($pic->isAuthenticated()){
                $firephp->info('there we go...authenticated!');
                $firephp->info('token :' . $pic->getAuthToken());
                echo 'inside try/catch :' . $_GET['token']; #this echo statement inside the try/catch DOES happen...WTF!?
            }
        } catch (Picasa_Exception_FailedAuthorizationException $e){
            $firephp->log($e, 'error');
        }
    } else {
        $pic->redirectToLoginPage('http://twozerowest.com/snowdog%20gallery/admin.php' , 1);
    }

Anyone have ANY idea what's going on?

John Corry
email: jco...@gmail.com


--- End Message ---
--- Begin Message ---
Hi gang:

Anyone have/know a routine that will sort an array of times?

For example, a function that would take an array like this:

time[0] ~ '1:30pm'
time[1] ~ '7:30am'
time[2] ~ '12:30pm'

and order it to:

time[0] ~ '7:30am'
time[1] ~ '12:30pm'
time[2] ~ '1:30pm'


Cheers,

tedd


--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--- End Message ---
--- Begin Message ---
1. convert the string representation of times to timestamps using strtotime()
2. sort the timestamps
3. display the timestamps as strings using date('format', timestamp)

Would that work?

John Corry
email: jco...@gmail.com




On Feb 14, 2009, at 4:07 PM, tedd wrote:

> Hi gang:
>
> Anyone have/know a routine that will sort an array of times?
>
> For example, a function that would take an array like this:
>
> time[0] ~ '1:30pm'
> time[1] ~ '7:30am'
> time[2] ~ '12:30pm'
>
> and order it to:
>
> time[0] ~ '7:30am'
> time[1] ~ '12:30pm'
> time[2] ~ '1:30pm'
>
>
> Cheers,
>
> tedd
>
>
> --
> -------
> http://sperling.com  http://ancientstones.com  http://earthstones.com




--- End Message ---
--- Begin Message ---
tedd wrote:
> Hi gang:
> 
> Anyone have/know a routine that will sort an array of times?
> 
> For example, a function that would take an array like this:
> 
> time[0] ~ '1:30pm'
> time[1] ~ '7:30am'
> time[2] ~ '12:30pm'
> 
> and order it to:
> 
> time[0] ~ '7:30am'
> time[1] ~ '12:30pm'
> time[2] ~ '1:30pm'
> 
> 
> Cheers,
> 
> tedd
> 
> 

Not tested:

function time_sort($a, $b)
{
    if (strtotime($a) == strtotime($b)) {
        return 0;
    }
    return (strtotime($a) < strtotime($b)) ? -1 : 1;
}

usort($time, "time_sort");

-- 
Thanks!
-Shawn
http://www.spidean.com

--- End Message ---
--- Begin Message ---
John Corry wrote:
> 1. convert the string representation of times to timestamps using
> strtotime()
> 2. sort the timestamps
> 3. display the timestamps as strings using date('format', timestamp)
> 
> Would that work?
> 
> John Corry
> email: jco...@gmail.com
> 
> 
> 
> 
> On Feb 14, 2009, at 4:07 PM, tedd wrote:
> 
>> Hi gang:
>>
>> Anyone have/know a routine that will sort an array of times?
>>
>> For example, a function that would take an array like this:
>>
>> time[0] ~ '1:30pm'
>> time[1] ~ '7:30am'
>> time[2] ~ '12:30pm'
>>
>> and order it to:
>>
>> time[0] ~ '7:30am'
>> time[1] ~ '12:30pm'
>> time[2] ~ '1:30pm'
>>
>>
>> Cheers,
>>
>> tedd
>>
>>
>> -- 
>> -------
>> http://sperling.com  http://ancientstones.com  http://earthstones.com
>>
> 

Yes, I would probably store and manipulate times as a timestamp and then
format them for printing, but then there would always be a date
associated with the timestamp as well (whether you need it or not).  So
you could store them in 24hr time format and sort those and then format
to display in the 12 hour format.

-- 
Thanks!
-Shawn
http://www.spidean.com

--- End Message ---
--- Begin Message ---
Shawn McKenzie wrote:
> tedd wrote:
>> Hi gang:
>>
>> Anyone have/know a routine that will sort an array of times?
>>
>> For example, a function that would take an array like this:
>>
>> time[0] ~ '1:30pm'
>> time[1] ~ '7:30am'
>> time[2] ~ '12:30pm'
>>
>> and order it to:
>>
>> time[0] ~ '7:30am'
>> time[1] ~ '12:30pm'
>> time[2] ~ '1:30pm'
>>
>>
>> Cheers,
>>
>> tedd
>>
>>
> 
> Not tested:
> 
> function time_sort($a, $b)
> {
>     if (strtotime($a) == strtotime($b)) {
>         return 0;
>     }
>     return (strtotime($a) < strtotime($b)) ? -1 : 1;
> }
> 
> usort($time, "time_sort");
> 
Well, I just thought, since the strtotime() uses the current timestamp
to calculate the new timestamp, if you only give it a time then the
returned timestamp is today's date with the new time you passed.  If you
had a large array and the callback started at 23:59:59 then you could
end up with some times from the date it started and some from the next
day, which of course would not be sorted correctly with respect to times
only.  So, this might be better (not tested):


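function time_sort($a, $b)
{
    // Resolve "now" once so every comparison uses the same base date.
    // (Before PHP 8.3 a static initialiser must be a constant expression,
    // so time() cannot be called in the declaration itself.)
    static $now = null;
    if ($now === null) {
        $now = time();
    }

    if (strtotime($a, $now) == strtotime($b, $now)) {
        return 0;
    }
    return (strtotime($a, $now) < strtotime($b, $now)) ? -1 : 1;
}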


-- 
Thanks!
-Shawn
http://www.spidean.com

--- End Message ---
--- Begin Message ---
At 4:15 PM -0500 2/14/09, John Corry wrote:
> 1. convert the string representation of times to timestamps using strtotime()
> 2. sort the timestamps
> 3. display the timestamps as strings using date('format', timestamp)
>
> Would that work?
>
> John Corry
> email: jco...@gmail.com


John:

Bingo -- that worked!

Thanks.

tedd

---

Here's the code.

<?php
// ====== returns a time array sorted

function sortTime($in_times)
        {
        $time = array();
        foreach ($in_times as $t)
                {
                $time [] = strtotime($t);
                }

        sort($time);

        $sort_time = array();
        foreach ($time as $t)
                {
                $sort_time[] = date('g:ia', $t);
                }
        return $sort_time;
        }
?>


--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--- End Message ---
--- Begin Message ---
tedd wrote:
> At 4:15 PM -0500 2/14/09, John Corry wrote:
>> 1. convert the string representation of times to timestamps using
>> strtotime()
>> 2. sort the timestamps
>> 3. display the timestamps as strings using date('format', timestamp)
>>
>> Would that work?
>>
>> John Corry
>> email: jco...@gmail.com
> 
> 
> John:
> 
> Bingo -- that worked!
> 
> Thanks.
> 
> tedd
> 
> ---
> 
> Here's the code.
> 
> <?php
> // ====== returns a time array sorted
> 
> function sortTime($in_times)
>     {
>     $time = array();
>     foreach ($in_times as $t)
>         {
>         $time [] = strtotime($t);
>         }
> 
>     sort($time);
> 
>     $sort_time = array();
>     foreach ($time as $t)
>         {
>         $sort_time[] = date('g:ia', $t);
>         }
>     return $sort_time;
>     }
> ?>
> 
> 
Yeah, if I had known that you wanted a function where you loop through
your array twice, that would have done it.  Bravo.



-- 
Thanks!
-Shawn
http://www.spidean.com

--- End Message ---
--- Begin Message ---
Newbie question...


I have a search page with multi lines of search criteria:

Name
Topic
Message
Etc...

I'm hoping to get results based on what criteria I type - but I'm not
getting what I expect. I think it's just getting results where in addition
to getting search criteria I type - ALSO none of the search fields can be
blank (not what I hoped) ...

Like I type just 'c' in the name field and it shows 3 records (other search
fields filled up) ... But I have many more records with name containing 'c'

Goal: to search for what I type in whatever search fields and not worry
about whether others are blank or not - like:

Name contains 'c'

Charles
Chuck
Chuck
Chas

Or 

Name contains 'c' and topic contains 'test1'

Maybe just charles fits this criteria

----------


I made a simple results page,

... More code here ... ( DW CS3 )

$name_list1 = "-1";
if (isset($_GET['Name'])) {
  $name_list1 = $_GET['Name'];
}
$top_list1 = "-1";
if (isset($_GET['Topic'])) {
  $top_list1 = $_GET['Topic'];
}
$mess_list1 = "-1";
if (isset($_GET['Message'])) {
  $mess_list1 = $_GET['Message'];
}
mysql_select_db($database_test1, $test1);
$query_list1 = sprintf(
    "SELECT * FROM mytable WHERE Name LIKE %s and Message LIKE %s and Topic LIKE %s ORDER BY mytable.id desc",
    GetSQLValueString("%" . $name_list1 . "%", "text"),
    GetSQLValueString("%" . $mess_list1 . "%", "text"),
    GetSQLValueString("%" . $top_list1 . "%", "text"));

--
Thanks - RevDave
Cool @ hosting4days . com
[db-lists 09]




--- End Message ---
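
Added example, not part of the original post: one way to get the behaviour described as the goal above is to add a LIKE condition only for the fields that were actually filled in, binding each value as a query parameter. build_search() is a hypothetical helper, and the demo assumes PDO with the SQLite driver purely so it runs without a database server; the table and column names follow the question.

```php
<?php
// Added example, not code from the thread. build_search() is a hypothetical
// helper; the SQLite in-memory table and its rows are constructed sample data.

function build_search(array $input): array
{
    // Allow-list of request field => column; only these names reach the SQL text.
    $fields = ['Name' => 'Name', 'Topic' => 'Topic', 'Message' => 'Message'];
    $where  = [];
    $params = [];
    foreach ($fields as $key => $column) {
        $value = (isset($input[$key]) && is_string($input[$key])) ? trim($input[$key]) : '';
        if ($value === '') {
            continue; // blank or missing field: add no condition for it
        }
        // Escape LIKE wildcards with '!' so a typed % or _ matches literally.
        $value    = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $value);
        $where[]  = "$column LIKE ? ESCAPE '!'";
        $params[] = '%' . $value . '%';
    }
    $sql = 'SELECT * FROM mytable'
         . ($where ? ' WHERE ' . implode(' AND ', $where) : '')
         . ' ORDER BY id DESC';
    return [$sql, $params];
}

// Constructed sample data; one row has NULL in the fields left empty.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mytable (id INTEGER PRIMARY KEY, Name TEXT, Topic TEXT, Message TEXT)');
$insert = $db->prepare('INSERT INTO mytable (Name, Topic, Message) VALUES (?, ?, ?)');
foreach ([
    ['Charles', 'test1', 'hello'],
    ['Chuck',   null,    null],
    ['Chas',    'other', '100% done'],
    ['Bob',     'test1', 'no match'],
] as $row) {
    $insert->execute($row);
}

// Constructed requests standing in for $_GET.
foreach ([
    ['Name' => 'c', 'Topic' => '', 'Message' => ''],
    ['Name' => 'c', 'Topic' => 'test1'],
    ['Message' => '%'],
] as $get) {
    [$sql, $params] = build_search($get);
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    // Column 1 of each result row is Name.
    echo $sql, "\n  => ", implode(', ', $stmt->fetchAll(PDO::FETCH_COLUMN, 1)), "\n";
}
```
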
--- Begin Message ---
On Sat, 14 Feb 2009 07:41:28 +0800, a...@pc86.com ("LKSunny") wrote:

><?
>$a = array("a", "b", "c", "d");
>
>/*
>how to list:
>abcd
>abc
>ab
>ac
>ad
>bcd
>bc
>bd
>cd
>a
>b
>c
>d
>
>who have idea ? thank you very much !!
>*/
>?>
>

If you are talking about arrays of strings, use my function larec (list array
recursively). This has proved to be one of the most useful things I have ever
written. The first parameter is the name of the array (or subsection of an
array) you wish to list, and the second parameter is the arbitrary name used
for the array in the listing. (It would be quite easy to modify the procedure
to use the actual name of the array, but I wrote it this way, and it is quite
handy to be able to use different names if you are listing different sections
of the same array.) It will work with an array of almost any complexity. I
have seen it choof out (almost instantly!) several thousand lines.
<?php
// Expand string array, & list all terms
function larec($array, $line) // List array recursive
        {
        if (is_array($array))
                {
                $j = count ($array);
                $temp = array_keys($array);
                $i = 0; while ($i < $j)
                        {
                        if(isset($array[$temp[$i]]))
                                {
                                $new_line = $line."['".$temp[$i]."']";
                                larec ($array[$temp[$i]], $new_line);
                                }
                        $i++;
                        }
                }
        else
                {
                echo '<p>'.$line.' = '.$array.'</p>';
                }
        }
?>
This is a sample of part of a listing. The call for this would have been
larec($wkg_data[$entry], 'Entry');

Entry['phone']['ph_o'] = 9978 4749
Entry['phone']['ph_h'] = 
Entry['phone']['ph_m'] = 
Entry['phone']['ph_f'] = 9978 4516
Entry['phone']['ph_a'] = 02
Entry['phone']['ph_e'] = 
Entry['phone']['ph_w'] = 
Entry['phone']['ph_b'] = 

Entry['bursary']['CY']['b_name'] = Cybec Scholarship
Entry['bursary']['CY']['b_status'] = 
Entry['bursary']['EB']['b_name'] = Evan Burge Scholarship
Entry['bursary']['EB']['b_status'] = 
Entry['bursary']['MAP']['b_name'] = Cybec MAP Scholarship
Entry['bursary']['MAP']['b_status'] = 


--- End Message ---
