php-general Digest 14 Mar 2009 16:11:17 -0000 Issue 6011
Topics (messages 290029 through 290036):
Re: The PHP filter class I'm working on (security)
290029 by: Michael A. Peters
290035 by: Martin Zvarík
290036 by: Jochem Maas
Re: English Website That Can Display Some Chinese Text
290030 by: 9el
Re: htmlentities is incomplete: does not cover rsquo etc
290031 by: Lester Caine
290032 by: mike
Re: Knowledge Base software - looking for opinions
290033 by: mike
Re: Anyone fancy getting paid to improve my PHP in London?
290034 by: Robert Cummings
Administrivia:
To subscribe to the digest, e-mail:
[email protected]
To unsubscribe from the digest, e-mail:
[email protected]
To post to the list, e-mail:
[email protected]
----------------------------------------------------------------------
--- Begin Message ---
Michael A. Peters wrote:
I would appreciate feedback.
First php class I've written myself (the little tiny ones that are just
over-glorified functions don't count.)
Probably has bugs.
iframes and objects aren't working even for white listed where they
should - I know why on the latter, I need to look at the former.
--- End Message ---
--- Begin Message ---
What's the point?
If user puts in a search input something like <script>alert('I am super
hacker');</script>
And the website outputs:
You are searching for: <script>....</script>
then what? it shows an alert(), who cares?
I, as an owner of this website, don't mind AT ALL.
Aha, I forgot to mention the XSS on MySQL or inside comments, right? Isn't
mysql_real_escape_string(), strip_tags() enough?
Martin
--- End Message ---
--- Begin Message ---
Martin Zvarík schreef:
> What's the point?
>
> If user puts in a search input something like <script>alert('I am super
> hacker');</script>
>
> And the website outputs:
> You are searching for: <script>....</script>
>
> then what? it shows an alert(), who cares?
replace the alert() with some code that passes the cookie to a hacker controlled
domain. now create a URL that includes the given javascript:
echo 'http://mzvarik.com/foo?somevar='.urlencode('<script
type="text/javascript">/*evil code here*/</script>');
send the URL to unsuspecting users of your site. Anyone who clicks the URL
has just had their cookies hijacked.
still don't mind?
> I, as an owner of this website, don't mind AT ALL.
>
> Aha, I forgot to mention the XSS on MySQL or inside comments, right? Isn't
> mysql_real_escape_string(), strip_tags() enough?
>
> Martin
>
--- End Message ---
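An added example, not code from the thread, showing the fix for the search-results case Jochem describes: the reflected value is output-encoded with htmlspecialchars() in the page's charset before it is echoed. The function names render_unsafe, render_safe and e are my own, and the input string is constructed from the payload quoted in the thread.

```php
<?php
// Constructed input: the same kind of value Martin and Jochem discuss.
$q = "<script>alert('I am super hacker');</script>";

// Vulnerable: the raw value is interpolated into the page, so the browser
// parses it as markup and runs the script (reflected XSS).
function render_unsafe($q)
{
    return 'You are searching for: ' . $q;
}

// Hardened: htmlspecialchars() turns < > & " ' into entities, so the browser
// displays the text instead of executing it. ENT_QUOTES also covers single
// quotes (needed when the value lands inside an attribute), and the charset
// argument must match the encoding the page declares (UTF-8 here).
function e($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function render_safe($q)
{
    return 'You are searching for: ' . e($q);
}

// Why the two functions Martin names are not enough on their own:
//  - mysql_real_escape_string() only protects the SQL layer; it does not
//    touch what the browser sees.
//  - strip_tags() removes tags but is not an encoder: quotes, ampersands and
//    the script body survive, so it gives no guarantee in attribute contexts.
// Output encoding must be chosen per context (HTML body/attribute here;
// JavaScript and URL contexts need their own encoders).

echo render_unsafe($q), "\n";
// You are searching for: <script>alert('I am super hacker');</script>
echo render_safe($q), "\n";
// You are searching for: &lt;script&gt;alert(&#039;I am super hacker&#039;);&lt;/script&gt;
echo strip_tags($q), "\n";
// alert('I am super hacker');
```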
--- Begin Message ---
-----------------------------------------------------------------------
Use FreeOpenSourceSoftwares, Stop piracy, Let the developers live. Get
a Free CD of Ubuntu mailed to your door without any cost. Visit :
www.ubuntu.com
----------------------------------------------------------------------
On Sat, Mar 14, 2009 at 5:01 AM, revDAVE <[email protected]> wrote:
> I have an English website done using PHP & mySQL.
>
> In addition I would like to be able to store in mySQL and display/edit
> (php)
> some extra fields that have some basic Chinese text.
>
> I imagine I would have to update the main site to use English & Chinese
> somehow...
>
> Q: Is something like this possible? If so how is this done...? Is there
> something special that needs to be done with PHP & mySQL?
Did you try UTF-8 for both HTML mode and MySQL?
> --
> Thanks - RevDave
> Cool @ hosting4days . com
> [db-lists 09]
--- End Message ---
--- Begin Message ---
Heddon's Gate Hotel wrote:
Thanks Jan, it's much clearer now. My knowledge about character
encodings has multiplied 100-fold in the last 24 hours' research.
Would it be a good idea for the PHP Manual to address some of these
issues, by explaining good practice in encoding arbitrary user input in
forms (for example), for the benefit of those, like me, for whom
character sets are a bit of a black art?
Also I still cannot persuade get_html_translation_table to list those
non-Latin1 entities. This is not an important issue, since it appears
to be only an information function, but it would be nice if it were
consistent with htmlentities and html_entity_decode.
This is probably one of the reasons some of us think that getting a stable
PHP6 based on unicode out of the door would probably be a lot more use
to people than PHP5.3 ;)
Eliminate character sets and the black art goes away?
--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk//
Firebird - http://www.firebirdsql.org/index.php
--- End Message ---
--- Begin Message ---
On Sat, Mar 14, 2009 at 12:18 AM, Lester Caine <[email protected]> wrote:
> This is probably one of the reasons some of us think that getting a stable PHP6
> based on unicode out of the door would probably be a lot more use to people
> than PHP5.3 ;)
+1
I cannot wait for full unicode. mbstring, iconv, all this wacky stuff,
no thanks. Having to feed 'utf-8' to functions all over too...
Everything should be UTF-8 now, period.
--- End Message ---
--- Begin Message ---
Or, a very simple CMS so I don't have to code it that has the concept
of basic ACLs (user-based or group-based is fine)
Hierarchical directory of documents
Allow anyone with the right privileges to edit it
Keep an audit of who edited it, when, and the previous content
I really don't want to have to code one myself but at the moment I
might have to put a couple hours into it tomorrow.
On Thu, Mar 12, 2009 at 2:58 PM, mike <[email protected]> wrote:
>> http://kbpublisher.sourceforge.net/ - actually is almost perfect I think but
>> $398 ...
>
--- End Message ---
--- Begin Message ---
On Fri, 2009-03-13 at 17:39 -0500, Shawn McKenzie wrote:
> Tom Chubb wrote:
> > 2009/3/13 Robert Cummings <[email protected]>
> >
> >> On Fri, 2009-03-13 at 17:16 +0000, Tom Chubb wrote:
> >>> Do any experienced PHP programmers in London fancy helping me improve my
> >>> PHP?
> >>> I'd like to know where my code could be improved and to be shown how an
> >>> experienced programmer would approach a new site.
> >>> I'd rather pay the right person a high amount than find someone cheap!
> >>> Thanks,
> >> Send me a blank cheque-- if it clears then I'll get back to you... from
> >> someplace warm... by a beach while drinking martinis... and getting a
> >> massage... from more than one lady...
> >>
> >> Cheers,
> >> Rob.
> >> --
> >> http://www.interjinn.com
> >> Application and Templating Framework for PHP
> >>
> >>
> >
> > Rob,
> >
> > if ($blank_cheque == "cleared")
> > {
> > $set_temp = "warm";
> > $drinks_order = "martini";
> > $service = "massage";
> > $num_ladies = $tasty . " & " . $robs_wife;
> > }
> > else
> > {
> > $blank_cheque = 0;
> > }
> >
> > Think you should be looking at the latter ;)
> >
>
> Notice: Undefined variable: tasty on line 7
>
> Notice: Undefined variable: robs_wife on line 7
You forgot to configure the auto_prepend:
php.ini:
auto_prepend = "robs_harem.php"
:B
Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP
--- End Message ---