php-general Digest 15 Mar 2009 04:31:22 -0000 Issue 6012

Topics (messages 290037 through 290070):

Re: The PHP filter class I'm working on (security)
        290037 by: Shawn McKenzie
        290038 by: Martin Zvarík
        290040 by: Shawn McKenzie
        290041 by: Michael A. Peters
        290058 by: Jochem Maas
        290060 by: Martin Zvarík
        290064 by: Jan G.B.
        290066 by: Martin Zvarík

Issues with mcrypt (Rijndael 128) and external C application.
        290039 by: Brad Broerman

Fatal error: Call to undefined function: mysqli_connect() in
        290042 by: Gary
        290043 by: Per Jessen
        290044 by: Daniel Brown
        290045 by: Gary
        290046 by: Per Jessen
        290047 by: Gary
        290048 by: Per Jessen
        290050 by: Gary
        290051 by: Jan G.B.
        290052 by: Jan G.B.
        290053 by: Gary
        290054 by: Per Jessen
        290055 by: Gary
        290056 by: Gary
        290057 by: Shawn McKenzie
        290059 by: revDAVE
        290061 by: Shawn McKenzie
        290062 by: Shawn McKenzie
        290063 by: Gary

Re: Anyone fancy getting paid to improve my PHP in London?
        290049 by: Kevin Kinsey

left join does not work, why?
        290065 by: PJ
        290067 by: Daniel Brown

Re: Knowledge Base software - looking for opinions
        290068 by: haliphax

Problem with passing and Area in a $_POST
        290069 by: Richard Kurth

Re: Summary Report With Details - Newbie Question
        290070 by: Paul M Foster

----------------------------------------------------------------------
--- Begin Message ---
Jochem Maas wrote:
> Martin Zvarík wrote:
>> What's the point?
>>
>> If user puts in a search input something like <script>alert('I am super
>> hacker');</script>
>>
>> And the website outputs:
>> You are searching for: <script>....</script>
>>
>> then what? it shows an alert(), who cares?
> 
> replace the alert() with some code that passes the cookie to a hacker 
> controlled
> domain. now create a URL that includes the given javascript:
> 
> echo 'http://mzvarik.com/foo?somevar='.urlencode('<script 
> type="text/javascript">/*evil code here*/</script>');
> 
> send url to unsuspecting users of your site. anyone who clicks the URL
> has just had their cookies hijacked.
> 
> still don't mind?
> 
>> I, as an owner of this website, don't mind AT ALL.
>>
>> Aha, forget to mention the XSS on MySQL or inside comments right? Isn't
>> mysql_real_escape_string(), strip_tags() enough?
>>
>> Martin
>>
> 

A little off topic, but I was testing some exploits like this on my dev
box and no matter what I did all quotes in the URL were escaped with \
even if I urlencoded the quotes (single or double).  I have
magic_quotes_gpc = on but I wouldn't think this would escape urlencoded
quotes.  Is it the suhosin patch maybe or something else?

-- 
Thanks!
-Shawn
http://www.spidean.com

--- End Message ---
--- Begin Message ---
Jochem Maas wrote:
> Martin Zvarík wrote:
>> What's the point?
>>
>> If user puts in a search input something like <script>alert('I am super
>> hacker');</script>
>>
>> And the website outputs:
>> You are searching for: <script>....</script>
>>
>> then what? it shows an alert(), who cares?
>
> replace the alert() with some code that passes the cookie to a hacker controlled
> domain. now create a URL that includes the given javascript:
>
> echo 'http://mzvarik.com/foo?somevar='.urlencode('<script 
> type="text/javascript">/*evil code here*/</script>');
>
> send url to unsuspecting users of your site. anyone who clicks the URL
> has just had their cookies hijacked.
>
> still don't mind?

AHA, I see.
There's a PHP configuration that cookies are available on HTTP side only, that should provide the desired security in this case, right?


--- End Message ---
--- Begin Message ---
Shawn McKenzie wrote:
> Jochem Maas wrote:
>> Martin Zvarík wrote:
>>> What's the point?
>>>
>>> If user puts in a search input something like <script>alert('I am super
>>> hacker');</script>
>>>
>>> And the website outputs:
>>> You are searching for: <script>....</script>
>>>
>>> then what? it shows an alert(), who cares?
>> replace the alert() with some code that passes the cookie to a hacker 
>> controlled
>> domain. now create a URL that includes the given javascript:
>>
>> echo 'http://mzvarik.com/foo?somevar='.urlencode('<script 
>> type="text/javascript">/*evil code here*/</script>');
>>
>> send url to unsuspecting users of your site. anyone who clicks the URL
>> has just had their cookies hijacked.
>>
>> still don't mind?
>>
>>> I, as an owner of this website, don't mind AT ALL.
>>>
>>> Aha, forget to mention the XSS on MySQL or inside comments right? Isn't
>>> mysql_real_escape_string(), strip_tags() enough?
>>>
>>> Martin
>>>
> 
> A little off topic, but I was testing some exploits like this on my dev
> box and no matter what I did all quotes in the URL were escaped with \
> even if I urlencoded the quotes (single or double).  I have
> magic_quotes_gpc = on but I wouldn't think this would escape urlencoded
> quotes.  Is it the suhosin patch maybe or something else?
> 

Answered my own question by turning off magic_quotes_gpc.  Now it works.

-- 
Thanks!
-Shawn
http://www.spidean.com

--- End Message ---
--- Begin Message ---
Martin Zvarík wrote:
> What's the point?

The point is detailed on the (not fully complete) description page I just put up -

http://www.clfsrpm.net/xss/

Namely, a lot of people who have web sites do not have the technical capability to prevent their site from being used as an XSS vector to attack other people.

By setting a simple security policy, browsers that implement CSP can see that something funny is being tried because the web site has instructed the browser it will not try to do that action from that domain.

By implementing CSP server side, even users without CSP enabled browsers (just about everyone currently) will have some measure of protection.

That's the point.


--- End Message ---
--- Begin Message ---
Martin Zvarík wrote:
> Jochem Maas wrote:
>> Martin Zvarík wrote:
>>   
>>> What's the point?
>>>
>>> If user puts in a search input something like <script>alert('I am super
>>> hacker');</script>
>>>
>>> And the website outputs:
>>> You are searching for: <script>....</script>
>>>
>>> then what? it shows an alert(), who cares?
>>>     
>>
>> replace the alert() with some code that passes the cookie to a hacker 
>> controlled
>> domain. now create a URL that includes the given javascript:
>>
>> echo 'http://mzvarik.com/foo?somevar='.urlencode('<script 
>> type="text/javascript">/*evil code here*/</script>');
>>
>> send url to unsuspecting users of your site. anyone who clicks the URL
>> has just had their cookies hijacked.
>>
>> still don't mind?
>>   
> AHA, I see.
> There's a PHP configuration that cookies are available on HTTP side
> only, that should provide the desired security in this case, right?
> 

only if you assume there is no bug in the browser allowing the attacker to
circumvent that (the http cookie exists by definition on the client), and
only if you assume stealing cookies is the only malign action an attacker
might wish to take.

--- End Message ---
--- Begin Message ---
Michael A. Peters wrote:
> Martin Zvarík wrote:
>> What's the point?
>
> The point is detailed on the (not fully complete) description page I just put up -
>
> http://www.clfsrpm.net/xss/

Yeah, I just had a quick look...

"The browser will only execute script in source files from the white-listed domains and will disregard everything else, including embedded and inline scripts. "

wtf, can't you just take care of the INPUT and type strip_tags($_GET['my_name']) ??

This won't be implemented in any browser, can't be.

> Namely, a lot of people who have web sites do not have the technical capability to prevent their site from being used as an XSS vector to attack other people.
>
> By setting a simple security policy, browsers that implement CSP can see that something funny is being tried because the web site has instructed the browser it will not try to do that action from that domain.
>
> By implementing CSP server side, even users without CSP enabled browsers (just about everyone currently) will have some measure of protection.
>
> That's the point.



--- End Message ---
--- Begin Message ---
2009/3/15 Martin Zvarík <[email protected]>:
> "The browser will only execute script in source files from the white-listed
> domains and will disregard everything else, including embedded and inline
> scripts. "
>
> wtf, can't you just take care of the INPUT and type
> strip_tags($_GET['my_name']) ??
>
> This won't be implemented in any browser, can't be.
>
strip_tags() isn't good. it only removes correct markup, IIRC. for
example "<b >>foo>" wouldn't be interpreted as a valid tag.
Often XSS attackers split their scripts to bypass such filters, common
regex patterns and alike. bypassing strip_tags() is easy.
the bad thing: browsers tend to accept a lot of mad markup.
take a look at this: http://ha.ckers.org/xss.html

regards

--- End Message ---
--- Begin Message ---
Jan G.B. wrote:
> 2009/3/15 Martin Zvarík <[email protected]>:
>> "The browser will only execute script in source files from the white-listed
>> domains and will disregard everything else, including embedded and inline
>> scripts. "
>>
>> wtf, can't you just take care of the INPUT and type
>> strip_tags($_GET['my_name']) ??
>>
>> This won't be implemented in any browser, can't be.
>
> strip_tags() isn't good. it only removes correct markup, IIRC. for
> example "<b >>foo>" wouldn't be interpreted as a valid tag.
> Often XSS attackers split their scripts to bypass such filters, common
> regex patterns and alike. bypassing strip_tags() is easy.
> the bad thing: browsers tend to accept a lot of mad markup.
> take a look at this: http://ha.ckers.org/xss.html
>
> regards

Forget to mention htmlspecialchars(), that should take care of everything.

--- End Message ---
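
Added example (not part of any message in this thread): the defences discussed above, side by side in PHP. It escapes the search term where it is output, compares strip_tags() with htmlspecialchars() on two constructed inputs, and sets the HttpOnly session-cookie flag and a Content-Security-Policy header as extra layers. The helper names h(), render_search_page(), send_hardening_headers() and compare(), and the policy string, are assumptions of this example.

```php
<?php
// Added example, not code from the thread. Helper names, the policy string
// and the sample inputs are constructed for illustration. Assumes PHP 7+.

/** Escape untrusted text for HTML element content or a quoted attribute value. */
function h(string $s): string
{
    // ENT_QUOTES encodes both ' and ", so the value cannot close the attribute
    // it is written into; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
    // returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** The search page from the thread, with the query escaped where it is output. */
function render_search_page(string $q): string
{
    return '<p>You are searching for: ' . h($q) . "</p>\n"
         . '<input type="text" name="q" value="' . h($q) . '">' . "\n";
}

/** Extra layers: they limit the damage of a missed escape, they do not replace it. */
function send_hardening_headers(): void
{
    // The "HTTP side only" setting asked about in the thread. It applies to
    // the session cookie set by a later session_start() and hides that cookie
    // from document.cookie.
    ini_set('session.cookie_httponly', '1');
    // Scripts only from this origin; inline <script> blocks are not executed.
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
}

/** What each approach leaves behind for one input (for comparison only). */
function compare(string $input): array
{
    return [
        'input'      => $input,
        'strip_tags' => strip_tags($input),
        'escaped'    => h($input),
    ];
}

if (PHP_SAPI !== 'cli') {
    // Web request: send the headers before any output, then the page.
    send_hardening_headers();
    header('Content-Type: text/html; charset=UTF-8');
    $q = isset($_GET['q']) && is_string($_GET['q']) ? $_GET['q'] : '';
    echo render_search_page($q);
    exit;
}

// Command line: print the comparison for two inputs.
$samples = [
    "<script>alert('I am super hacker');</script>", // the input quoted in the thread
    'x" data-note="y',                              // constructed: contains no tag at all
];
foreach ($samples as $s) {
    foreach (compare($s) as $label => $value) {
        printf("%-10s : %s\n", $label, $value);
    }
    echo "\n";
}
// strip_tags() returns the second input unchanged, so inside value="..." it
// would end the attribute and start a new one; h() turns each quote into &quot;.
```

As noted in the thread, the HttpOnly flag only addresses cookie theft; escaping at the point of output is what keeps the injected markup from being interpreted at all.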
--- Begin Message ---
Hi, I am trying to encode a string using Rijndael-128 using a C application
that I wrote, based on the BSD crypt/rijndael library and decode it in PHP
using mcrypt_decrypt. Each part of the program works separately (I can
encrypt with the c app, and decrypt with it, and I can encrypt with
mcrypt_encrypt and decrypt with the mcrypt_decrypt method).

Both use CBC mode, and I have the C process generate a random IV that is
also sent to the PHP process. I have verified that the IV is correctly
picked off of the stream, and stored.

Additionally, the key is stored in hex, and converted to binary for both
processes. The output strings are converted to Base64.

Both applications are currently running on the same system.

Demo app is at http://www.bbroerman.net/aestest.php

The PHP code for the decode is:

// Base64 decode the input (turn into binary)
$decoded = base64_decode($decrypt);

// Get the size of the IV
$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);

// Split the incoming message into the original IV and the cryptext
$iv = substr($decoded,0,$iv_size);
$string = substr($decoded,$iv_size);

// Decode the cryptext.
$decrypted = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, pack('H*',$key), $string,
MCRYPT_MODE_CBC, $iv);


and the C code for encrypt is (unnecessary helper methods removed):

// Convert key to binary from a hex string.
char* binkey = NULL;
int tmpkeylen;
hex2dec( key, &binkey, &tmpkeylen );

// Make sure the message is padded to the correct block length.
unsigned int msglen = strlen(messageSrc);
char* paddedMsg = NULL;
if( msglen % 16 != 0 )
{
    int padding = 16 - msglen % 16;
    paddedMsg = malloc( msglen + padding + 1 );
    memset( paddedMsg, 0, msglen + padding + 1 );
    strncpy( paddedMsg, messageSrc, msglen );
    msglen = msglen + padding;
}
else
{
    paddedMsg = malloc( msglen+1 );
    memset( paddedMsg, 0, msglen+1 );
    strncpy( paddedMsg, messageSrc, msglen );
}

// Build a random IV block.
int idx;
char iv[RIJNDAEL_MAX_IV_SIZE];
for(idx = 0; idx < RIJNDAEL_MAX_IV_SIZE; ++idx)
{
    iv[idx] = get_random() & 0xFF;
}

// Initialize the cypher instance, in CBC mode.
int retCd = rijndael_cipherInit(&ci, MODE_CBC, iv);

// Make the key.
rijndael_makeKey(&ki, DIR_ENCRYPT, 128, binkey);

// Encrypt the message.
out = (char*)malloc(msglen*8);
retCd = rijndael_blockEncrypt(&ci, &ki, paddedMsg, msglen * 8, out);

// Now, take the IV and the output cryptext, and compose the output message.
char* fullmsgbuff = malloc( RIJNDAEL_MAX_IV_SIZE + msglen + 1);

for( idx = 0; idx < RIJNDAEL_MAX_IV_SIZE; ++idx )
fullmsgbuff[idx] = iv[idx];

for(; idx < RIJNDAEL_MAX_IV_SIZE + msglen; ++idx )
fullmsgbuff[idx] = out[idx - RIJNDAEL_MAX_IV_SIZE];

// Base64 encode the output.
char* buffout;
base64encode(fullmsgbuff, msglen + RIJNDAEL_MAX_IV_SIZE, &buffout);

// and print it all out.
fprintf(stdout, "%s", buffout);


--- End Message ---
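
Added example (not code from the post above): a PHP reference for the frame the post describes, Base64(IV || CBC ciphertext) with a hex key and zero padding, that checks each assumption explicitly so a mismatch shows up as a named error rather than as garbage plaintext. It uses PHP's OpenSSL extension in place of mcrypt (MCRYPT_RIJNDAEL_128 in CBC mode is AES-CBC, and mcrypt was removed from PHP core in 7.2); the function names, key and message are constructed for the example.

```php
<?php
// Added example, not code from the post. Uses the OpenSSL extension in place
// of mcrypt; function names, key and message are constructed. Assumes PHP 7+.

const BLOCK = 16; // Rijndael-128 / AES block size, also the CBC IV size

/** Hex key -> raw bytes, rejecting anything that is not an AES key length. */
function key_from_hex(string $hex): string
{
    if ($hex === '' || strlen($hex) % 2 !== 0 || !ctype_xdigit($hex)) {
        throw new InvalidArgumentException('key is not an even-length hex string');
    }
    $key = hex2bin($hex);
    if (!in_array(strlen($key), [16, 24, 32], true)) {
        throw new InvalidArgumentException('key must be 16, 24 or 32 bytes, got ' . strlen($key));
    }
    return $key;
}

/** The key length selects AES-128/192/256, as it does for MCRYPT_RIJNDAEL_128. */
function cipher_for(string $key): string
{
    return 'aes-' . (strlen($key) * 8) . '-cbc';
}

/** Build Base64(IV || ciphertext) with zero padding, as the C side does. */
function encrypt_frame(string $plain, string $hexKey): string
{
    if ($plain === '') {
        throw new InvalidArgumentException('empty message');
    }
    $key    = key_from_hex($hexKey);
    $padded = $plain . str_repeat("\0", (BLOCK - strlen($plain) % BLOCK) % BLOCK);
    $iv     = random_bytes(BLOCK);
    // OPENSSL_ZERO_PADDING switches off PKCS#7 padding: the caller pads.
    $ct = openssl_encrypt($padded, cipher_for($key), $key,
                          OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $ct);
}

/** Split the frame into IV and ciphertext, decrypt, strip the zero padding. */
function decrypt_frame(string $b64, string $hexKey): string
{
    $key = key_from_hex($hexKey);
    $raw = base64_decode($b64, true); // strict: reject characters outside the alphabet
    if ($raw === false) {
        throw new InvalidArgumentException('input is not valid Base64');
    }
    if (strlen($raw) < 2 * BLOCK || strlen($raw) % BLOCK !== 0) {
        throw new InvalidArgumentException(
            'frame is ' . strlen($raw) . ' bytes; expected IV plus whole 16-byte blocks');
    }
    $iv = substr($raw, 0, BLOCK);
    $ct = substr($raw, BLOCK);
    $plain = openssl_decrypt($ct, cipher_for($key), $key,
                             OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $iv);
    if ($plain === false) {
        throw new RuntimeException('decryption failed');
    }
    // Zero padding is ambiguous: trailing NUL bytes that belonged to the
    // message are stripped as well.
    return rtrim($plain, "\0");
}

$hexKey = '000102030405060708090a0b0c0d0e0f'; // constructed key, 16 bytes
$frame  = encrypt_frame('hello from the C side', $hexKey);
echo "frame     : $frame\n";
echo "decrypted : ", decrypt_frame($frame, $hexKey), "\n";

// A frame cut short in transit fails the length check.
try {
    decrypt_frame(base64_encode(substr(base64_decode($frame), 0, 40)), $hexKey);
} catch (InvalidArgumentException $e) {
    echo "rejected  : ", $e->getMessage(), "\n";
}
```

The frame carries no MAC, so a successful decrypt does not show that the message arrived unmodified.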
--- Begin Message ---
I am receiving a fatal error trying to connect to my server/mysql. This is 
my first attempt at connecting to a remote server, have been successful with 
localhost (apache). I had the variation of not putting the hostname & others 
into a variable, but that did not work either.

I have also genericised the username and password for this post. Host name 
is correct.

Can anyone enlighten me as to what I am not doing correctly?


Fatal error: Call to undefined function: mysqli_connect() in

 <?php

// Receiving variables
@$pfw_ip= $_SERVER['REMOTE_ADDR'];
@$first_name = addslashes($_POST['first_name']);
@$last_name = addslashes($_POST['last_name']);
@$company = addslashes($_POST['company']);
@$phone = addslashes($_POST['phone']);
@$email = addslashes($_POST['email']);
@$url = addslashes($_POST['url']);
@$comments = addslashes($_POST['comments']);

// Validation
if (strlen($phone) <8)
{
die("<p align='center'><font face='Arial' size='3' color='#FF0000'>Please 
enter a valid phone</font></p>");
}
if (strlen($phone) >15)
{
die("<p align='center'><font face='Arial' size='3' color='#FF0000'>Please 
enter a valid phone</font></p>");
}

if (! ereg('[a-za-z0-9_-...@[a-za-z0-9_-]+\.[a-za-z0-9_-]+', $email))
{
die("<p align='center'><font face='Arial' size='3' color='#FF0000'>Please 
enter a valid email</font></p>");
}
// checks if bot

   if ($_POST['address'] != '' ){


die("Changed field");

    }
//Connect To Database
$hostname='h50mysql43.secureserver.net';
$username='myusername';
$password='mypassword';
$dbname='mydbname';
$usertable='tablename';

$dbc = mysqli_connect('$hostname','$username','$password')
or die('Error connecting to MySQL server');
mysql_select_db('$usertable');

$query = "INSERT INTO contact(first_name, last_name, company, phone, email, 
url, comments) ".
"VALUES 
('$first_name','$last_name','$company','$phone','$email','$url','$comments') 
";

$result = mysqli_query($dbc, $query)
or die('Error querying database.');

mysqli_close($dbc);

//Sending Email to form owner
$pfw_header = "From: $email\n"
  . "Reply-To: $email\n";
$pfw_subject = "Subject Message";
$pfw_email_to = "[email protected]";
$pfw_message = "Visitor's IP: $pfw_ip\n"
. "name: $first_name $last_name\n"
. "company: $company\n"
. "phone: $phone\n"
. "email: $email\n"
. "url: $url\n"
. "comments: $comments\n";

@mail($pfw_email_to, $pfw_subject ,$pfw_message ,$pfw_header ) ;

 echo("<p align='center'><font face='Arial' size='3' color='#FF0000'>Thank 
you for your submission, we will respond shortly!</font></p>");
echo "Thank you $first_name for your request<br />";
echo "We have the following information from you.<br />";?>
<br />
<?php
echo "First Name $first_name<br />";
echo "Last Name: $last_name<br />";
echo "Company Name: $company<br />";
echo "Phone Number: $phone<br />";
echo "Web Address: $url<br />";
echo "Email Address: $email.<br />";?>
<br />
<?php
echo "Your Comment: $comments<br />";
?>
<br />
<?php
echo 'Please review your information and feel free to correct any that may 
be incorrect.<br />';?>
<br />
<?php
echo 'We will contact you shortly!';
?> 



--- End Message ---
--- Begin Message ---
Gary wrote:

> I am receiving a fatal error trying to connect to my server/mysql.
> This is my first attempt at connecting to a remote server, have been
> successful with localhost (apache). I had the variation of not putting
> the hostname & others into a variable, but that did not work either.
> 
> I have also genericised the username and password for this post. Host
> name is correct.
> 
> Can anyone enlighten me as to what I am not doing correctly?
> 
> 
> Fatal error: Call to undefined function: mysqli_connect() in

Check if the mysqli extension has been loaded.


/Per


-- 
Per Jessen, Zürich (10.9°C)


--- End Message ---
--- Begin Message ---
On Sat, Mar 14, 2009 at 13:41, Per Jessen <[email protected]> wrote:
>
> Check if the mysqli extension has been loaded.

    Also check this page:

        http://us.php.net/manual/en/mysqli.connect.php

    For some of the mirrors, trying to hit
http://php.net/mysqli_connect erroneously takes you to the
mysql_connect() function documentation.  It's a bug of which we *are*
aware and are working to repair.

-- 
</Daniel P. Brown>
[email protected] || [email protected]
http://www.parasane.net/ || http://www.pilotpig.net/
50% Off All Shared Hosting Plans at PilotPig: Use Coupon DOW10000

--- End Message ---
--- Begin Message ---
Thanks for your quick reply, but I do not know what that means... Where 
would I find this out and how would I accomplish this if it is not done?

Thanks again.

"Per Jessen" <[email protected]> wrote in message 
news:[email protected]...
Gary wrote:

> I am receiving a fatal error trying to connect to my server/mysql.
> This is my first attempt at connecting to a remote server, have been
> successful with localhost (apache). I had the variation of not putting
> the hostname & others into a variable, but that did not work either.
>
> I have also genericised the username and password for this post. Host
> name is correct.
>
> Can anyone enlighten me as to what I am not doing correctly?
>
>
> Fatal error: Call to undefined function: mysqli_connect() in

Check if the mysqli extension has been loaded.


/Per


-- 
Per Jessen, Zürich (10.9°C)



--- End Message ---
--- Begin Message ---
Gary wrote:

> Thanks for your quick reply, but I do not know what that means...
> Where would I find this out and how would I accomplish this if it is
> not done?
> 
> Thanks again.

Hi Gary

see what phpinfo() says - if the extension is loaded, it'll show up
there.  To load the extension, add "extension=mysqli.so" to your
php.ini (if it's not already there). 


/Per


-- 
Per Jessen, Zürich (10.9°C)


--- End Message ---
--- Begin Message ---
Ok, I know how to access the php.ini for the local host, is this the same 
file that would control the remote server?  Or do I need to look for it on 
my remote host?

Again, thanks for your help.


"Per Jessen" <[email protected]> wrote in message 
news:[email protected]...
Gary wrote:

> Thanks for your quick reply, but I do not know what that means...
> Where would I find this out and how would I accomplish this if it is
> not done?
>
> Thanks again.

Hi Gary

see what phpinfo() says - if the extension is loaded, it'll show up
there.  To load the extension, add "extension=mysqli.so" to your
php.ini (if it's not already there).


/Per


-- 
Per Jessen, Zürich (10.9°C)



--- End Message ---
--- Begin Message ---
Gary wrote:

> Ok, I know how to access the php.ini for the local host, is this the
> same file that would control the remote server?  Or do I need to look
> for it on my remote host?

The php.ini you need to look at is the one on the server where you're
running your PHP code.  The remote host is just your database server I
assume?

Your code does look a little odd though:

$dbc = mysqli_connect('$hostname','$username','$password')
or die('Error connecting to MySQL server');
mysql_select_db('$usertable');

I would have written this as:

$dbc = mysqli_connect($hostname,$username,$password,$usertable)
or die('Error connecting to MySQL server');


/Per


-- 
Per Jessen, Zürich (10.7°C)


--- End Message ---
--- Begin Message ---
I had the code written the way you suggested, but changed it to the way the 
hosting company suggested.

I am unclear.  I have php 5.2.8.8 on my local machine, I also have MySQL 
5.1.30 set up locally as well.

I am using godaddy.com as a host. I assumed that the php was running on the 
host server and the local php that I have/use is only for the testing 
server.

Does this sound correct to you?

Again, many thanks.


"Per Jessen" <[email protected]> wrote in message 
news:[email protected]...
Gary wrote:

> Ok, I know how to access the php.ini for the local host, is this the
> same file that would control the remote server?  Or do I need to look
> for it on my remote host?

The php.ini you need to look at is the one on the server where you're
running your PHP code.  The remote host is just your database server I
assume?

Your code does look a little odd though:

$dbc = mysqli_connect('$hostname','$username','$password')
or die('Error connecting to MySQL server');
mysql_select_db('$usertable');

I would have written this as:

$dbc = mysqli_connect($hostname,$username,$password,$usertable)
or die('Error connecting to MySQL server');


/Per


-- 
Per Jessen, Zürich (10.7°C)



--- End Message ---
--- Begin Message ---
Gary,
you can check this by either creating a file containing this:
<?php phpinfo(); ?>
and putting it up on your webserver, then open it with your browser,
or you could look at the output of "php -i | less" on the command
line.

After you enabled the mysqli extension on your host, you might change
mysqli_connect('$var', '$var2', ...); to
mysqli_connect($var, $var2, ...)

One side note.. you should apply addslashes() also to
$_SERVER['REMOTE_ADDR'], because an evil person could manipulate the
value of that variable to execute SQL-Injections.

Bye


2009/3/14 Gary <[email protected]>:
> Thanks for your quick reply, but I do not know what that means... Where
> would I find this out and how would I accomplish this if it is not done?
>
> Thanks again.
>
> "Per Jessen" <[email protected]> wrote in message
> news:[email protected]...
> Gary wrote:
>
>> I am receiving a fatal error trying to connect to my server/mysql.
>> This is my first attempt at connecting to a remote server, have been
>> successful with localhost (apache). I had the variation of not putting
>> the hostname & others into a variable, but that did not work either.
>>
>> I have also genericised the username and password for this post. Host
>> name is correct.
>>
>> Can anyone enlighten me as to what I am not doing correctly?
>>
>>
>> Fatal error: Call to undefined function: mysqli_connect() in
>
> Check if the mysqli extension has been loaded.
>
>
> /Per
>
>
> --
> Per Jessen, Zürich (10.9°C)
>
>
>

--- End Message ---
--- Begin Message ---
2009/3/14 Jan G.B. <[email protected]>:
> One side note.. you should apply addslashes() also to
> $_SERVER['REMOTE_ADDR'], because an evil person could manipulate the
> value of that variable to execute SQL-Injections.

forget that part - i didn't see that this var is only used in the
email, not in the query.

--- End Message ---
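
Added example (not from any message in the thread): the connection and INSERT from the original post rewritten with the extension check suggested above, variables passed unquoted to the connect call, and a prepared statement in place of addslashes() so the values never become part of the SQL text. It assumes PHP 7+ and the contact table from the post; the function names and the environment variables DB_HOST, DB_USER, DB_PASS and DB_NAME are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ and the "contact"
// table from the original post. Function names and the environment variables
// DB_HOST, DB_USER, DB_PASS, DB_NAME are hypothetical.

const CONTACT_FIELDS = ['first_name', 'last_name', 'company', 'phone', 'email', 'url', 'comments'];

/** Stop with a clear message instead of "Call to undefined function". */
function require_mysqli(): void
{
    if (!extension_loaded('mysqli')) {
        throw new RuntimeException('mysqli is not loaded in PHP ' . PHP_VERSION
            . ' (php.ini: ' . (php_ini_loaded_file() ?: 'none') . ')');
    }
}

/** Returns [values, errors]. Values stay raw: no addslashes(), no escaping. */
function validate_contact(array $post): array
{
    $values = [];
    $errors = [];
    foreach (CONTACT_FIELDS as $f) {
        $values[$f] = isset($post[$f]) && is_string($post[$f]) ? trim($post[$f]) : '';
    }
    if (($post['address'] ?? '') !== '') {
        $errors[] = 'hidden "address" field was filled in'; // the bot check from the post
    }
    $len = strlen($values['phone']);
    if ($len < 8 || $len > 15) {
        $errors[] = 'phone must be 8 to 15 characters';
    }
    if (filter_var($values['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not valid';
    }
    return [$values, $errors];
}

function connect_db(): mysqli
{
    require_mysqli();
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw
    // Values are passed unquoted: '$hostname' in single quotes is the literal
    // text $hostname. The fourth argument selects the database (not a table).
    $dbc = new mysqli((string) getenv('DB_HOST'), (string) getenv('DB_USER'),
                      (string) getenv('DB_PASS'), (string) getenv('DB_NAME'));
    $dbc->set_charset('utf8mb4');
    return $dbc;
}

/** The statement text is fixed; the seven values travel separately as parameters. */
function save_contact(mysqli $dbc, array $v): void
{
    $stmt = $dbc->prepare(
        'INSERT INTO contact (first_name, last_name, company, phone, email, url, comments)
         VALUES (?, ?, ?, ?, ?, ?, ?)');
    $stmt->bind_param('sssssss', $v['first_name'], $v['last_name'], $v['company'],
                      $v['phone'], $v['email'], $v['url'], $v['comments']);
    $stmt->execute();
    $stmt->close();
}

// Constructed form submission; note the quotes in two of the values.
$post = [
    'first_name' => 'Pat',
    'last_name'  => "O'Brien",
    'company'    => 'Example Ltd',
    'phone'      => '555-010-0199',
    'email'      => 'pat@example.com',
    'url'        => 'http://www.example.com/',
    'comments'   => 'It\'s urgent; call "today"',
    'address'    => '',
];

[$values, $errors] = validate_contact($post);
if ($errors) {
    echo "rejected: ", implode('; ', $errors), "\n";
} elseif (getenv('DB_HOST') === false) {
    echo "validated ", count($values), " fields; set DB_HOST, DB_USER, DB_PASS, DB_NAME to insert\n";
} else {
    $dbc = connect_db();
    save_contact($dbc, $values);
    $dbc->close();
    echo "inserted contact for {$values['email']}\n";
}
```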
--- Begin Message ---
Thanks again to everyone.

I have just checked the server's phpinfo, and turns out they are running PHP 
Version 4.3.11 while I have version 5.2.8, could this change any of the 
advice?




""Jan G.B."" <[email protected]> wrote in message 
news:[email protected]...
Gary,
you can check this by either creating a file containing this:
<?php phpinfo(); ?>
and putting it up on your webserver, then open it with your browser,
or you could look at the output of "php -i | less" on the command
line.

After you enabled the mysqli extension on your host, you might change
mysqli_connect('$var', '$var2', ...); to
mysqli_connect($var, $var2, ...)

One side note.. you should apply addslashes() also to
$_SERVER['REMOTE_ADDR'], because an evil person could manipulate the
value of that variable to execute SQL-Injections.

Bye


2009/3/14 Gary <[email protected]>:
> Thanks for your quick reply, but I do not know what that means... Where
> would I find this out and how would I accomplish this if it is not done?
>
> Thanks again.
>
> "Per Jessen" <[email protected]> wrote in message
> news:[email protected]...
> Gary wrote:
>
>> I am receiving a fatal error trying to connect to my server/mysql.
>> This is my first attempt at connecting to a remote server, have been
>> successful with localhost (apache). I had the variation of not putting
>> the hostname & others into a variable, but that did not work either.
>>
>> I have also genericised the username and password for this post. Host
>> name is correct.
>>
>> Can anyone enlighten me as to what I am not doing correctly?
>>
>>
>> Fatal error: Call to undefined function: mysqli_connect() in
>
> Check if the mysqli extension has been loaded.
>
>
> /Per
>
>
> --
> Per Jessen, Zürich (10.9°C)
>
>
>



--- End Message ---
--- Begin Message ---
Gary wrote:

> I had the code written the way you suggested, but changed it to the
> way the hosting company suggested.

I think your hosting company might be smoking something they shouldn't
be.  Your way is the right one.

> I am unclear.  I have php 5.2.8.8 on my local machine, I also have
> MySQL 5.1.30 set up locally as well.

Okay. 

> I am using godaddy.com as a host. I assumed that the php was running
> on the host server and the local php that I have/use is only for the
> testing server.
> 
> Does this sound correct to you?

Let me paraphrase - you've been developing an application in your local
environment, and you're now moving it to your hosting environment.  It
sounds very much like the mysqli extension isn't loaded (by default) in
your hosting environment.  

Find out by calling phpinfo() - if there is no information from mysqli,
the extension wasn't loaded.  Or try using extension_loaded('mysqli')
and see what that says. 

To load the extension, you could use dl() in your code although it might
have been disabled.  Otherwise you need to modify the correct php.ini
and add the extension=mysqli.so line.


/Per


-- 
Per Jessen, Zürich (10.4°C)


--- End Message ---
--- Begin Message ---
Ok.. I have added


[MySQL]

;Gary, this is the code from the forum.
extension=mysqli.so

to the php.ini file on my machine, I saved the file.  Is there anything else 
I need to do?

Thanks again.


"Per Jessen" <[email protected]> wrote in message 
news:[email protected]...
Gary wrote:

> I had the code written the way you suggested, but changed it to the
> way the hosting company suggested.

I think your hosting company might be smoking something they shouldn't
be.  Your way is the right one.

> I am unclear.  I have php 5.2.8.8 on my local machine, I also have
> MySQL 5.1.30 set up locally as well.

Okay.

> I am using godaddy.com as a host. I assumed that the php was running
> on the host server and the local php that I have/use is only for the
> testing server.
>
> Does this sound correct to you?

Let me paraphrase - you've been developing an application in your local
environment, and you're now moving it to your hosting environment.  It
sounds very much like the mysqli extension isn't loaded (by default) in
your hosting environment.

Find out by calling phpinfo() - if there is no information from mysqli,
the extension wasn't loaded.  Or try using extension_loaded('mysqli')
and see what that says.

To load the extension, you could use dl() in your code although it might
have been disabled.  Otherwise you need to modify the correct php.ini
and add the extension=mysqli.so line.


/Per


-- 
Per Jessen, Zürich (10.4°C)



--- End Message ---
--- Begin Message ---
Gary wrote:
> Thanks again to everyone.
> 
> I have just checked the server's phpinfo, and turns out they are running PHP 
> Version 4.3.11 while I have version 5.2.8, could this change any of the 
> advice?


Yes, the mysqli extension is only available for PHP5.  Use the mysql_x()
functions or move to a host that supports PHP5/mysqli extension.

-- 
Thanks!
-Shawn
http://www.spidean.com

--- End Message ---
--- Begin Message ---
On 3/14/2009 10:36 AM, "Gary" <[email protected]> wrote:

> Can anyone enlighten me as to what I am not doing correctly?


Hi Gary,

I am hosted using a basic cpanel interface ... There's a button = Remote
MySQL which brings up a page: Remote Database Access Hosts

And I put in my HOME IP and all works fine now ...

Not sure how godaddy does it... Maybe ask tech support.... How to set up
Remote MySQL access....

--
Thanks - RevDave
Cool @ hosting4days . com
[db-lists 09]




--- End Message ---
--- Begin Message ---
revDAVE wrote:
> On 3/14/2009 10:36 AM, "Gary" <[email protected]> wrote:
> 
>> Can anyone enlighten me as to what I am not doing correctly?
> 
> 
> Hi Gary,
> 
> I am hosted using a basic cpanel interface ... There's a button = Remote
> MySQL which brings up a page: Remote Database Access Hosts
> 
> And I put in my HOME IP and all works fine now ...
> 
> Not sure how godaddy does it... Maybe ask tech support.... How to set up
> Remote MySQL access....
> 
> --
> Thanks - RevDave
> Cool @ hosting4days . com
> [db-lists 09]
> 
> 
> 

That web interface isn't using the mysqli functions, it's probably
phpMyAdmin using the mysql functions.  If you would read my previous
post you'd see that mysqli isn't supported under PHP4.

I guess I need to reply all instead of replying to the newsgroup as
people seem to not read anything I post to the newsgroup.

-- 
Thanks!
-Shawn
http://www.spidean.com

--- End Message ---
--- Begin Message ---
Shawn McKenzie wrote:
> revDAVE wrote:
>> On 3/14/2009 10:36 AM, "Gary" <[email protected]> wrote:
>>
>>> Can anyone enlighten me as to what I am not doing correctly?
>>
>> Hi Gary,
>>
>> I am hosted using a basic cpanel interface ... There's a button = Remote
>> MySQL which brings up a page: Remote Database Access Hosts
>>
>> And I put in my HOME IP and all works fine now ...
>>
>> Not sure how godaddy does it... Maybe ask tech support.... How to set up
>> Remote MySQL access....
>>
>> --
>> Thanks - RevDave
>> Cool @ hosting4days . com
>> [db-lists 09]
>>
>>
>>
> 
> That web interface isn't using the mysqli functions, it's probably
> phpMyAdmin using the mysql functions.  If you would read my previous
> post you'd see that mysqli isn't supported under PHP4.
> 
> I guess I need to reply all instead of replying to the newsgroup as
> people seem to not read anything I post to the newsgroup.
> 

FYI from previous post...

Yes, the mysqli extension is only available for PHP5.  Use the mysql_x()
functions or move to a host that supports PHP5/mysqli extension.


-- 
Thanks!
-Shawn
http://www.spidean.com

--- End Message ---
--- Begin Message ---
Thank you to everybody, turns out that in the godaddy control panel, you 
have the option of php4 or php5, and they have 4 as the default.  A call to 
gd and I was able to switch and it now works.

Thanks again for all your help!

Gary

""Gary"" <[email protected]> wrote in message 
news:[email protected]...
>I am receiving a fatal error trying to connect to my server/mysql. This is 
>my first attempt at connecting to a remote server, have been successful 
>with localhost (apache). I had the variation of not putting the hostname & 
>others into a variable, but that did not work either.
>
> I have also genericised the username and password for this post. Host name 
> is correct.
>
> Can anyone enlighten me as to what I am not doing correctly?
>
>
> Fatal error: Call to undefined function: mysqli_connect() in
>
> <?php
>
> // Receiving variables
> @$pfw_ip= $_SERVER['REMOTE_ADDR'];
> @$first_name = addslashes($_POST['first_name']);
> @$last_name = addslashes($_POST['last_name']);
> @$company = addslashes($_POST['company']);
> @$phone = addslashes($_POST['phone']);
> @$email = addslashes($_POST['email']);
> @$url = addslashes($_POST['url']);
> @$comments = addslashes($_POST['comments']);
>
> // Validation
> if (strlen($phone) <8)
> {
> die("<p align='center'><font face='Arial' size='3' color='#FF0000'>Please 
> enter a valid phone</font></p>");
> }
> if (strlen($phone) >15)
> {
> die("<p align='center'><font face='Arial' size='3' color='#FF0000'>Please 
> enter a valid phone</font></p>");
> }
>
> if (! ereg('[a-za-z0-9_-...@[a-za-z0-9_-]+\.[a-za-z0-9_-]+', $email))
> {
> die("<p align='center'><font face='Arial' size='3' color='#FF0000'>Please 
> enter a valid email</font></p>");
> }
> // checks if bot
>
>   if ($_POST['address'] != '' ){
>
>
> die("Changed field");
>
>    }
> //Connect To Database
> $hostname='h50mysql43.secureserver.net';
> $username='myusername';
> $password='mypassword';
> $dbname='mydbname';
> $usertable='tablename';
>
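> // pass the variables themselves; single-quoted '$hostname' is a literal string
> $dbc = mysqli_connect($hostname, $username, $password)
> or die('Error connecting to MySQL server');
> // select the database (not the table) with the mysqli function
> mysqli_select_db($dbc, $dbname);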
>
> $query = "INSERT INTO contact(first_name, last_name, company, phone, 
> email, url, comments) ".
> "VALUES 
> ('$first_name','$last_name','$company','$phone','$email','$url','$comments') 
> ";
>
> $result = mysqli_query($dbc, $query)
> or die('Error querying database.');
>
> mysqli_close($dbc);
>
> //Sending Email to form owner
> $pfw_header = "From: $email\n"
>  . "Reply-To: $email\n";
> $pfw_subject = "Subject Message";
> $pfw_email_to = "[email protected]";
> $pfw_message = "Visitor's IP: $pfw_ip\n"
> . "name: $first_name $last_name\n"
> . "company: $company\n"
> . "phone: $phone\n"
> . "email: $email\n"
> . "url: $url\n"
> . "comments: $comments\n";
>
> @mail($pfw_email_to, $pfw_subject ,$pfw_message ,$pfw_header ) ;
>
> echo("<p align='center'><font face='Arial' size='3' color='#FF0000'>Thank 
> you for your submission, we will respond shortly!</font></p>");
> echo "Thank you $first_name for your request<br />";
> echo "We have the following information from you.<br />";?>
> <br />
> <?php
> echo "First Name $first_name<br />";
> echo "Last Name: $last_name<br />";
> echo "Company Name: $company<br />";
> echo "Phone Number: $phone<br />";
> echo "Web Address: $url<br />";
> echo "Email Address: $email.<br />";?>
> <br />
> <?php
> echo "Your Comment: $comments<br />";
> ?>
> <br />
> <?php
> echo 'Please review your information and feel free to correct any that may 
> be incorrect.<br />';?>
> <br />
> <?php
> echo 'We will contact your shortly!';
> ?>
> 



--- End Message ---
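
A hardened take on the contact-form handler quoted in the message above, as an added example that is not part of Gary's post or of any reply on the list: bound parameters replace addslashes(), the e-mail address is validated before it could be used in a mail header, and everything echoed back is HTML-escaped. It assumes PHP 5.2 or later with mysqli; the helper names, the DB_* environment variables and the sample input are assumptions made for this example.

```php
<?php
// Added example (not the poster's code). DB_* environment variable names are assumed.
/** Collect and validate the posted fields; returns array(clean values, errors). */
function validate_contact(array $post) {
    $clean = array();
    foreach (array('first_name', 'last_name', 'company', 'phone', 'email', 'url', 'comments') as $f) {
        $clean[$f] = isset($post[$f]) ? trim((string) $post[$f]) : '';
    }
    $errors = array();
    $len = strlen($clean['phone']);
    if ($len < 8 || $len > 15) {
        $errors[] = 'Please enter a valid phone';
    }
    // FILTER_VALIDATE_EMAIL rejects CR/LF, so the value cannot add lines to a "From:" header.
    if (filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please enter a valid email';
    }
    return array($clean, $errors);
}

/** Insert with bound parameters: no addslashes() and no hand-built quoting. */
function insert_contact(mysqli $dbc, array $c) {
    $stmt = mysqli_prepare($dbc,
        'INSERT INTO contact (first_name, last_name, company, phone, email, url, comments)
         VALUES (?, ?, ?, ?, ?, ?, ?)');
    if ($stmt === false) {
        return false;
    }
    mysqli_stmt_bind_param($stmt, 'sssssss', $c['first_name'], $c['last_name'],
        $c['company'], $c['phone'], $c['email'], $c['url'], $c['comments']);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

/** Escape a value for HTML output. */
function h($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }

// Constructed sample input standing in for $_POST.
$post = array('first_name' => "<script>alert('I am super hacker');</script>",
    'last_name' => "O'Brien", 'phone' => '555-010-0000', 'email' => 'visitor@example.com');
list($c, $errors) = validate_contact($post);
if ($errors) {
    die(h(implode('; ', $errors)));
}
if (getenv('DB_HOST')) { // connect only when a database is configured
    $dbc = mysqli_connect(getenv('DB_HOST'), getenv('DB_USER'), getenv('DB_PASS'), getenv('DB_NAME'))
        or die('Error connecting to MySQL server');
    insert_contact($dbc, $c) or error_log('contact insert failed: ' . mysqli_error($dbc));
    mysqli_close($dbc);
}
echo 'Thank you ' . h($c['first_name']) . ' ' . h($c['last_name']) . " for your request<br />\n";
```

Run from the command line without DB_HOST set, it skips the database step and prints the thank-you line with the script tag rendered as inert text.
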
--- Begin Message ---
Robert Cummings wrote:

You forgot to configure the auto_prepend:

php.ini:

auto_prepend = "robs_harem.php"

<?php

system("/bin/cat robs_harem.php | /usr/bin/mail -s 'looky here' $robs_wife");

if (!defined($robs_wife_is_extremely_rare_woman)) {
  die($rob);
} else {
  $days=rand(7,365);
  $n=1;
chmod($wife,0600); while ($n<$days) {
     fputs($rob,$couch);
     sleep(28800);
  }
}
?>

Good luck, buddy ;-)

Kevin Kinsey

PS >  why are all the trolls in this thread named some
variant of Kenzie?
--
Iowa State -- the high school after high school!
                -- Crow T. Robot

--- End Message ---
--- Begin Message ---
$sql1 = "SELECT b.id, b.title, b.sub_title, b.descr, b.comment,
b.bk_cover, b.copyright, b.ISBN, b.language, b.sellers, c.publisher, <---
CONCAT_WS(' ', first_name, last_name) AS Author
FROM book AS b
LEFT JOIN book_author AS ab ON b.id = ab.bookID
LEFT JOIN author AS a ON ab.authID=a.id
LEFT JOIN book_publisher as abc ON b.id = abc.bookID // <---
LEFT JOIN publishers AS c ON abc.publishers_id = c.id // <---
ORDER BY title ASC ";
$result1 = mysql_query($sql1, $db);
$bookCount = mysql_num_rows($result1);

If I remove "c.publisher," and comment out the two lines marked <---
the $result returns empty and I get the warning: mysql_num_rows() not
a valid result.

What am I missing here?

-- 
unheralded genius: "A clean desk is the sign of a dull mind. "
-------------------------------------------------------------
Phil Jourdan --- [email protected]
   http://www.ptahhotep.com
   http://www.chiccantine.com/andypantry.php


--- End Message ---
--- Begin Message ---
On Sat, Mar 14, 2009 at 19:51, PJ <[email protected]> wrote:
> $sql1 = "SELECT b.id, b.title, b.sub_title, b.descr, b.comment,
> b.bk_cover, b.copyright, b.ISBN, b.language, b.sellers, c.publisher, <---
> CONCAT_WS(' ', first_name, last_name) AS Author
> FROM book AS b
> LEFT JOIN book_author AS ab ON b.id = ab.bookID
> LEFT JOIN author AS a ON ab.authID=a.id
> LEFT JOIN book_publisher as abc ON b.id = abc.bookID // <---
> LEFT JOIN publishers AS c ON abc.publishers_id = c.id // <---
> ORDER BY title ASC ";
> $result1 = mysql_query($sql1, $db);
> $bookCount = mysql_num_rows($result1);

    For this and future problems of a similar nature, the quickest and
easiest way to start debugging is to change the mysql_query() line to
output the error.  Like so:

<?php
// ....
$result1 = mysql_query($sql1,$db) or die("SQL: ".$sql1."\n".mysql_error());
// ....
?>

    If the query fails on $sql1, PHP runs the 'or' as a failure
fallback and dies by printing the SQL query given and MySQL's error
response.

-- 
</Daniel P. Brown>
[email protected] || [email protected]
http://www.parasane.net/ || http://www.pilotpig.net/
50% Off All Shared Hosting Plans at PilotPig: Use Coupon DOW10000

--- End Message ---
--- Begin Message ---
On Sat, Mar 14, 2009 at 4:34 AM, mike <[email protected]> wrote:
> Or, a very simple CMS so I don't have to code it that has the concept
> of basic ACLs (user-based or group-based is fine)
>
> Hierarchical directory of documents
>
> Allow anyone with the right privileges to edit it
>
> Keep an audit of who edited it, when, and the previous content
>
> I really don't want to have to code one myself but at the moment I
> might have to put a couple hours into it tomorrow.
>

Seriously, man... give TWiki a shot. It's hierarchal, it has an ACL,
and it's simple. Save yourself a LOT of time. :)


-- 
// Todd

--- End Message ---
--- Begin Message ---
I have a script that is passing an area in a $_POST and it does not pass
the data. When I try to look at the data with $_POST['fieldorder'] it
is empty, but when I look at it with $_REQUEST['fieldorder'] the data is
there. This seems very strange to me. It has been working for about 6
months with no problem and then all of a sudden it does not pass the
data anymore. The really funny thing is that the rest of the data that is sent
that is not an area gets passed in a $_POST and works just fine. Would there be
something in the php.ini file that I have changed that would cause this?


--- End Message ---
--- Begin Message ---
On Fri, Mar 13, 2009 at 03:29:00PM -0700, revDAVE wrote:

> Hi Folks,
> 
> I would like to make a summary report with details for a products inventory
> list - so it could list:
> 
> A - the product & a few summaries like total count on 1 line
> B - ------- below that: the details of a multi line sub list with inventory
> data like:
> 
> A - PRODUCT #1 - count = 25
> B ---------- id 56 - condition = good
> ------------ id 98 - condition = new
> A - PRODUCT #2 - count = 18
> B ---------- id 205 - condition = new
> ------------ id 381 - condition = poor
> 
> and repeat for all inventory products....
> 
> -----
> 
> The way I'm doing it now is :
> 
> main query #1
> 
> SELECT name,model, count(prid) as thecount FROM inventory group by model
> 
> then do a repeat region table to display 1 of each
> 
> - then - on each row - do sub query#2 :
> 
> SELECT name,model, condition (etc....) FROM inventory where model =
> query#1.model....
> 
> - then display these details in a sub table....
> 
> 
> Q: This seems to work fine. I was just wondering if there is a better way to
> construct queries to get the same result?
> 
> 
> Thanks in advance for your help...

I'm not an expert, but the way I normally do something like this is with
a join that would give name, model and condition on each row (so you
have a lot of duplicate fields which are the same for a series of
records). I make sure they're ordered properly, and then process them in
a loop. Something like:

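$product = null;
$count = 0;
// fetch_array() stands for whatever returns the next joined row,
// ordered by product name, or false when there are no more rows
while ($a = fetch_array()) {
    if ($product !== $a['name']) {
        if ($product !== null) {
            // do whatever for prior product
            // $count is the number of rows for that product
        }
        // do whatever for new product
        $product = $a['name'];
        $count = 0;
    }
    $count++;
    // print out whatever you need to
}
// after the loop, do whatever for the last product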

If anyone knows a better way to do this with just SQL, I'm interested.

Paul

-- 
Paul M. Foster

--- End Message ---
