php-general Digest 16 Feb 2010 20:42:17 -0000 Issue 6594

Topics (messages 302103 through 302117):

Re: importNode issue
        302103 by: Michael A. Peters

Storing user entered data in the session
        302104 by: Mike Alaimo
        302105 by: Mike Alaimo
        302106 by: Ashley Sheridan
        302107 by: Ashley Sheridan

DocBlocking SOAP types.
        302108 by: Richard Quadling
        302109 by: Nathan Rixham
        302110 by: Nathan Rixham
        302111 by: Richard Quadling
        302112 by: Nathan Rixham

FTP Site
        302113 by: Ben Miller
        302114 by: Robert Cummings
        302115 by: Ryan Sun
        302116 by: Ashley Sheridan
        302117 by: Rene Veerman

----------------------------------------------------------------------
--- Begin Message ---
Michael A. Peters wrote:
> I'm experiencing a slight problem with importNode putting unwanted carriage returns in the output.
>
> Here's my function:
>
> // syntax highlighting
> include_once('Text/Highlighter.php');
>
> function syntaxHighlight($dom,$lang,$code) {
>    $hl =& Text_Highlighter::factory($lang);
>    $out = $hl->highlight($code);
>    //die($out);
>    $tmpDOM = new DOMDocument('1.0','UTF-8');
>    $tmpDOM->loadXML($out);
>    $foo = $tmpDOM->saveXML();
>    //die($foo);
>
>    $nodeList = $tmpDOM->getElementsByTagName('div');
>    $impDIV = $nodeList->item(0);
>    $returnDIV = $dom->importNode($impDIV,true);
>
>    return $returnDIV;
>    }
>
> -=-
>
> Here's my test:
>
> $code  ="<?php" . "\n\n";
> $code .="require_once('/path/to/something');" . "\n";
> $code .="function somefunc(\$myfoo,\$mybar) {" . "\n";
> $code .="   \$myfoobar = \$myfoo . \$mybar;" . "\n";
> $code .="   return \$myfoobar;" . "\n";
> $code .="   }" . "\n";
> $code .="?>" . "\n";
>
> $fooTest = syntaxHighlight($dom,'PHP',$code);
>
> -=-
>
> If I uncomment the die($out) - I get what I expect spit to the screen, view source shows code that will do what I want.
>
> If instead I uncomment die($foo) - I also get what I expect spit to screen. view source shows code that will do what I want.
>
> However, if the function is allowed to continue, the imported div has carriage returns between each and every </span><span> which of course completely breaks the browser display because they are inside a <pre></pre> node.
>
> Anyone know why importNode does this and how to fix it?
>
> The only (untried) solution I can think of is to replace each carriage return with a <br /> and every space with &#160; and then replace the <pre> with a <div class='monospace'> or some such hackery before running loadXML() on it. But I would rather not do that.
>
> php 5.2.12 built against libxml 2.6.26


Found the solution - the problem was where Text/Highlighter.php was putting the newline in the code it generates.

$out = preg_replace("/<span class=\"hl-code\">\n/","\n<span class=\"hl-code\">",$out);

fixes the issue, I don't have to set

$dom->formatOutput = false;

to avoid broken display now.
I think it's a DOMDocument bug, well, maybe, it shouldn't do any modifications with newlines inside a pre node with formatOutput - but I suppose it has no way of knowing what the pre node is used for since html 5 doctype doesn't identify itself as html.

But anyway, that preg_replace fixes it.
I may send a demo of problem and patch to the pear Text/Highlighter.php maintainer so that the preg_replace isn't needed.
--- End Message ---
--- Begin Message ---
Can anyone guide me here?  I have the desire to store user entered
data into the session.  I am regexing it to be only a-zA-z0-9 and a
space.  The data is stored in an object and then serialized before
storing it into the session.  Does anyone see any potential security
risks here?

Thanks,

Mike

--- End Message ---
--- Begin Message ---
The data is displayed on the screen, and the user can change it as many
times as they want.
What do you think now Ash?


Mike

On Tue, Feb 16, 2010 at 9:29 AM, Ashley Sheridan
<[email protected]> wrote:

>  On Tue, 2010-02-16 at 09:07 -0500, Mike Alaimo wrote:
>
> Can anyone guide me here?  I have the desire to store user entered
> data into the session.  I am regexing it to be only a-zA-z0-9 and a
> space.  The data is stored in an object and then serialized before
> storing it into the session.  Does anyone see any potential security
> risks here?
>
> Thanks,
>
> Mike
>
>
>
> I think you're fine, I can't see any problems. I think most of the time you
> have to worry when you're actually doing something with the data, like
> inserting it into a file or database, or outputting it to a screen, as these
> are the times that injections can take place.
>
>   Thanks,
> Ash
> http://www.ashleysheridan.co.uk
>
>
>

--- End Message ---
--- Begin Message ---
On Tue, 2010-02-16 at 09:36 -0500, Mike Alaimo wrote:

> The data is displayed on the screen, and the user can change it as many
> times as they want.
> What do you think now Ash?
> 
> 
> Mike
> 
> On Tue, Feb 16, 2010 at 9:29 AM, Ashley Sheridan
> <[email protected]> wrote:
> 
> >  On Tue, 2010-02-16 at 09:07 -0500, Mike Alaimo wrote:
> >
> > Can anyone guide me here?  I have the desire to store user entered
> > data into the session.  I am regexing it to be only a-zA-z0-9 and a
> > space.  The data is stored in an object and then serialized before
> > storing it into the session.  Does anyone see any potential security
> > risks here?
> >
> > Thanks,
> >
> > Mike
> >
> >
> >
> > I think you're fine, I can't see any problems. I think most of the time you
> > have to worry when you're actually doing something with the data, like
> > inserting it into a file or database, or outputting it to a screen, as these
> > are the times that injections can take place.
> >
> >   Thanks,
> > Ash
> > http://www.ashleysheridan.co.uk
> >
> >
> >


Well, if it's only alphanumeric data with spaces, I don't see any
problems still. Anything input from the user that gets output to the
screen should be carefully parsed to ensure that any HTML it contains is
either removed or escaped to make it safe.

Data stored in a database should be filtered out to make sure that the
user isn't shoving in their own queries, otherwise you'll end up with
situations like this: http://xkcd.com/327/


Thanks,
Ash
http://www.ashleysheridan.co.uk



--- End Message ---
--- Begin Message ---
On Tue, 2010-02-16 at 09:07 -0500, Mike Alaimo wrote:

> Can anyone guide me here?  I have the desire to store user entered
> data into the session.  I am regexing it to be only a-zA-z0-9 and a
> space.  The data is stored in an object and then serialized before
> storing it into the session.  Does anyone see any potential security
> risks here?
> 
> Thanks,
> 
> Mike
> 


I think you're fine, I can't see any problems. I think most of the time
you have to worry when you're actually doing something with the data,
like inserting it into a file or database, or outputting it to a screen,
as these are the times that injections can take place.

Thanks,
Ash
http://www.ashleysheridan.co.uk



--- End Message ---
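
The checks discussed in this thread, as an added PHP example that is not code from any of the posters: an anchored allow-list match before the value goes into the session, escaping at output, and a bound parameter for the database. The class and function names, the 64-character limit and the in-memory SQLite table are assumptions.

```php
<?php
// Added example, not code from the thread. Profile, validDisplayName(),
// storeInSession(), renderGreeting() and saveProfile() are hypothetical names.

final class Profile
{
    public $displayName;

    public function __construct(string $displayName)
    {
        $this->displayName = $displayName;
    }
}

// Allow-list check: letters, digits and spaces only, 1 to 64 characters
// (the length limit is an assumption).
// - The class is A-Za-z, not A-z: the range A-z also matches [ \ ] ^ _ and `.
// - \A and \z anchor the whole string; a bare $ also accepts a trailing "\n".
function validDisplayName(string $input): bool
{
    return preg_match('/\A[A-Za-z0-9 ]{1,64}\z/', $input) === 1;
}

// Pass $_SESSION in a web request (after session_start()); PHP serializes the
// session contents itself, so no manual serialize() call is needed.
function storeInSession(array &$session, string $input): bool
{
    if (!validDisplayName($input)) {
        return false;
    }
    $session['profile'] = new Profile($input);
    return true;
}

// Output context: escape at the point of output, whatever was validated earlier.
function renderGreeting(Profile $p): string
{
    return '<p>Hello, ' . htmlspecialchars($p->displayName, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Database context: bind the value as a parameter instead of building the query string.
function saveProfile(PDO $db, Profile $p): void
{
    $stmt = $db->prepare('INSERT INTO profiles (display_name) VALUES (:name)');
    $stmt->execute([':name' => $p->displayName]);
}

// Constructed sample inputs.
$session = [];
$samples = ["Mike Alaimo", "under_score", "trailing newline\n", "<b>bold</b>", ""];
foreach ($samples as $s) {
    printf("%-22s %s\n", json_encode($s), storeInSession($session, $s) ? 'stored' : 'rejected');
}

// Escaping still applies if a value reaches the page by another path.
echo renderGreeting(new Profile('<b>bold</b>')), "\n";

// Assumes the pdo_sqlite extension; an in-memory database keeps this offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE profiles (display_name TEXT)');
saveProfile($db, $session['profile']);
echo $db->query('SELECT COUNT(*) FROM profiles')->fetchColumn(), " row stored\n";
```
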
--- Begin Message ---
Hi.

I want to docblock a set of properties to be xml primitive datatypes [1].

Considering that this is the correct type for the XML/SOAP/WSDL
communication, how do I "bypass" Zend_WSDL / Zend_AutoDiscovery so
that these types go through cleanly. I know that as far as PHP is
concerned, the type is loose and it will be my responsibility to
encode the values accordingly. It is in the WSDL generation, and hence
the docblocks, that I want these types to be valid.

I think I can achieve this by the following steps.

1 - Create a new concrete class from the
Zend_Soap_Wsdl_Strategy_Abstract abstract class, say
Zend_Soap_Wsdl_Strategy_W3C (as the types are defined by W3C).
2 - Implement the addComplexType() method to validate the type against
the list and return it if it is OK.

What I am stuck on is how do I cascade from the new class so that I
can still drop back to the Zend_Soap_Wsdl_Strategy_ArrayOfTypeComplex.

I think the Zend_Soap_Wsdl_Strategy_Composite is of use here, but I
can't quite work out how to use it.

Any ideas would be appreciated.

Regards,

Richard Quadling.

[1] http://www.w3.org/TR/xmlschema11-2/#built-in-primitive-datatypes

-- 
-----
Richard Quadling
"Standing on the shoulders of some very clever giants!"
EE : http://www.experts-exchange.com/M_248814.html
EE4Free : http://www.experts-exchange.com/becomeAnExpert.jsp
Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498&r=213474731
ZOPA : http://uk.zopa.com/member/RQuadling

--- End Message ---
--- Begin Message ---
Richard Quadling wrote:
> Hi.
> 
> I want to docblock a set of properties to be xml primitive datatypes [1].
> 
> Considering that this is the correct type for the XML/SOAP/WSDL
> communication, how do I "bypass" Zend_WSDL / Zend_AutoDiscovery so
> that these types go through cleanly. I know that as far as PHP is
> concerned, the type is loose and it will be my responsibility to
> encode the values accordingly. It is in the WSDL generation, and hence
> the docblocks, that I want these types to be valid.
> 
> I think I can achieve this by the following steps.
> 
> 1 - Create a new concrete class from the
> Zend_Soap_Wsdl_Strategy_Abstract abstract class, say
> Zend_Soap_Wsdl_Strategy_W3C (as the types are defined by W3C).
> 2 - Implement the addComplexType() method to validate the type against
> the list and return it if it is OK.
> 
> What I am stuck on is how do I cascade from the new class so that I
> can still drop back to the Zend_Soap_Wsdl_Strategy_ArrayOfTypeComplex.
> 
> I think the Zend_Soap_Wsdl_Strategy_Composite is of use here, but I
> can't quite work out how to use it.
> 
> Any ideas would be appreciated.
> 
> Regards,
> 
> Richard Quadling.
> 
> [1] http://www.w3.org/TR/xmlschema11-2/#built-in-primitive-datatypes
> 

AFAIK the Zend Soap WSDL accessor already maps up php types to xsd
types; a PHP String maps to an xsd:string, integer to xsd:int and so forth.

XML schema 1.1 datatypes are pretty much the same as, and backwards
compatible with, the current xml schema datatypes (which are still the
recommended standard, as 1.1 isn't a recommendation yet, work in
progress) and use the same namespace. Thus the existing implementation
should be xml w3c compliant both now and in the future.

All that's said purely based on the zend docs [1] and not through
practically using Zend_Soap_Wsdl_* though!

[1] http://schemas.xmlsoap.org/soap/encoding/

Regards :)

--- End Message ---
--- Begin Message ---
Nathan Rixham wrote:
> Richard Quadling wrote:
>> Hi.
>>
>> I want to docblock a set of properties to be xml primitive datatypes [1].
>>
>> Considering that this is the correct type for the XML/SOAP/WSDL
>> communication, how do I "bypass" Zend_WSDL / Zend_AutoDiscovery so
>> that these types go through cleanly. I know that as far as PHP is
>> concerned, the type is loose and it will be my responsibility to
>> encode the values accordingly. It is in the WSDL generation, and hence
>> the docblocks, that I want these types to be valid.
>>
>> I think I can achieve this by the following steps.
>>
>> 1 - Create a new concrete class from the
>> Zend_Soap_Wsdl_Strategy_Abstract abstract class, say
>> Zend_Soap_Wsdl_Strategy_W3C (as the types are defined by W3C).
>> 2 - Implement the addComplexType() method to validate the type against
>> the list and return it if it is OK.
>>
>> What I am stuck on is how do I cascade from the new class so that I
>> can still drop back to the Zend_Soap_Wsdl_Strategy_ArrayOfTypeComplex.
>>
>> I think the Zend_Soap_Wsdl_Strategy_Composite is of use here, but I
>> can't quite work out how to use it.
>>
>> Any ideas would be appreciated.
>>
>> Regards,
>>
>> Richard Quadling.
>>
>> [1] http://www.w3.org/TR/xmlschema11-2/#built-in-primitive-datatypes
>>
> 
> AFAIK the Zend Soap WSDL accessor already maps up php types to xsd
> types; a PHP String maps to an xsd:string, integer to xsd:int and so forth.
> 
> XML schema 1.1 datatypes are pretty much the same as, and backwards
> compatible with, the current xml schema datatypes (which are still the
> recommended standard, as 1.1 isn't a recommendation yet, work in
> progress) and use the same namespace. Thus the existing implementation
> should be xml w3c compliant both now and in the future.
> 
> All that's said purely based on the zend docs [1] and not through
> practically using Zend_Soap_Wsdl_* though!


sigh.. [1] = http://framework.zend.com/manual/en/zend.soap.wsdl.html
(specifically Type mapping) - might make more sense now!



--- End Message ---
--- Begin Message ---
On 16 February 2010 16:41, Nathan Rixham <[email protected]> wrote:
> Nathan Rixham wrote:
>> Richard Quadling wrote:
>>> Hi.
>>>
>>> I want to docblock a set of properties to be xml primitive datatypes [1].
>>>
>>> Considering that this is the correct type for the XML/SOAP/WSDL
>>> communication, how do I "bypass" Zend_WSDL / Zend_AutoDiscovery so
>>> that these types go through cleanly. I know that as far as PHP is
>>> concerned, the type is loose and it will be my responsibility to
>>> encode the values accordingly. It is in the WSDL generation, and hence
>>> the docblocks, that I want these types to be valid.
>>>
>>> I think I can achieve this by the following steps.
>>>
>>> 1 - Create a new concrete class from the
>>> Zend_Soap_Wsdl_Strategy_Abstract abstract class, say
>>> Zend_Soap_Wsdl_Strategy_W3C (as the types are defined by W3C).
>>> 2 - Implement the addComplexType() method to validate the type against
>>> the list and return it if it is OK.
>>>
>>> What I am stuck on is how do I cascade from the new class so that I
>>> can still drop back to the Zend_Soap_Wsdl_Strategy_ArrayOfTypeComplex.
>>>
>>> I think the Zend_Soap_Wsdl_Strategy_Composite is of use here, but I
>>> can't quite work out how to use it.
>>>
>>> Any ideas would be appreciated.
>>>
>>> Regards,
>>>
>>> Richard Quadling.
>>>
>>> [1] http://www.w3.org/TR/xmlschema11-2/#built-in-primitive-datatypes
>>>
>>
>> AFAIK the Zend Soap WSDL accessor already maps up php types to xsd
>> types; a PHP String maps to an xsd:string, integer to xsd:int and so forth.
>>
>> XML schema 1.1 datatypes are pretty much the same as, and backwards
>> compatible with, the current xml schema datatypes (which are still the
>> recommended standard, as 1.1 isn't a recommendation yet, work in
>> progress) and use the same namespace. Thus the existing implementation
>> should be xml w3c compliant both now and in the future.
>>
>> All that's said purely based on the zend docs [1] and not through
>> practically using Zend_Soap_Wsdl_* though!
>
>
> sigh.. [1] = http://framework.zend.com/manual/en/zend.soap.wsdl.html
> (specifically Type mapping) - might make more sense now!
>
>
>

I think you've missed the point.

I want to tell the outside world, via the WSDL,  that property X is an
xsd:datetime (hmm ok, for that to make sense forget PHP's DateTime
builtin class)

How do I do that using AutoDiscovery?

PHP doesn't have all the types that I can ask for.

If I use PHP's types, they are all strings. So any junk can be put in.

The consumer of the service isn't PHP, but (I believe) C#. So strongly typed.


It isn't about mapping PHP "types"  to W3C types.




-- 
-----
Richard Quadling
"Standing on the shoulders of some very clever giants!"
EE : http://www.experts-exchange.com/M_248814.html
EE4Free : http://www.experts-exchange.com/becomeAnExpert.jsp
Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498&r=213474731
ZOPA : http://uk.zopa.com/member/RQuadling

--- End Message ---
--- Begin Message ---
Richard Quadling wrote:
> On 16 February 2010 16:41, Nathan Rixham <[email protected]> wrote:
>> Nathan Rixham wrote:
>>> Richard Quadling wrote:
>>>> Hi.
>>>>
>>>> I want to docblock a set of properties to be xml primitive datatypes [1].
>>>>
>>>> Considering that this is the correct type for the XML/SOAP/WSDL
>>>> communication, how do I "bypass" Zend_WSDL / Zend_AutoDiscovery so
>>>> that these types go through cleanly. I know that as far as PHP is
>>>> concerned, the type is loose and it will be my responsibility to
>>>> encode the values accordingly. It is in the WSDL generation, and hence
>>>> the docblocks, that I want these types to be valid.
>>>>
>>>> I think I can achieve this by the following steps.
>>>>
>>>> 1 - Create a new concrete class from the
>>>> Zend_Soap_Wsdl_Strategy_Abstract abstract class, say
>>>> Zend_Soap_Wsdl_Strategy_W3C (as the types are defined by W3C).
>>>> 2 - Implement the addComplexType() method to validate the type against
>>>> the list and return it if it is OK.
>>>>
>>>> What I am stuck on is how do I cascade from the new class so that I
>>>> can still drop back to the Zend_Soap_Wsdl_Strategy_ArrayOfTypeComplex.
>>>>
>>>> I think the Zend_Soap_Wsdl_Strategy_Composite is of use here, but I
>>>> can't quite work out how to use it.
>>>>
>>>> Any ideas would be appreciated.
>>>>
>>>> Regards,
>>>>
>>>> Richard Quadling.
>>>>
>>>> [1] http://www.w3.org/TR/xmlschema11-2/#built-in-primitive-datatypes
>>>>
>>> AFAIK the Zend Soap WSDL accessor already maps up php types to xsd
>>> types; a PHP String maps to an xsd:string, integer to xsd:int and so forth.
>>>
>>> XML schema 1.1 datatypes are pretty much the same as, and backwards
>>> compatible with, the current xml schema datatypes (which are still the
>>> recommended standard, as 1.1 isn't a recommendation yet, work in
>>> progress) and use the same namespace. Thus the existing implementation
>>> should be xml w3c compliant both now and in the future.
>>>
>>> All that's said purely based on the zend docs [1] and not through
>>> practically using Zend_Soap_Wsdl_* though!
>>
>> sigh.. [1] = http://framework.zend.com/manual/en/zend.soap.wsdl.html
>> (specifically Type mapping) - might make more sense now!
>>
>>
>>
> 
> I think you've missed the point.

totally!

> I want to tell the outside world, via the WSDL,  that property X is an
> xsd:datetime (hmm ok, for that to make sense forget PHP's DateTime
> builtin class)
> 
> How do I do that using AutoDiscovery?
> 
> PHP doesn't have all the types that I can ask for.
> 
> If I use PHP's types, they are all strings. So any junk can be put in.
> 
> The consumer of the service isn't PHP, but (I believe) C#. So strongly typed.
> 
> 
> It isn't about mapping PHP "types"  to W3C types.

and now I completely follow after downloading the Zend code - which
strategy are you currently using / need to use? either way I guess the
two simplest approaches would either be:

1: create a class which extends
Zend_Soap_Wsdl_Strategy_YOURCURRENTSTRATEGYCHOICE , and implement the
addComplexType() method adding in all the xsd extra types and then
calling parent::addComplexType when not found.

2: create a class which extends Zend_Soap_Wsdl and overrides the
getType() method adding in all the xsd extra types and then calling
parent::getType when not found.

regards!

--- End Message ---
--- Begin Message ---
Hi,

 

I'm building a site for a client that has a need to allow their users to
upload large files (up to 100mb or more) and store them on the server.  I've
never had a need to work with PHP's FTP functions until now and, before I go
reading the manual to learn how, I wanted to see if this is something that I
can handle with just PHP, or if I'm going to need to adopt a third party
Ajax app or something like that?  Any thoughts or even a point in the right
direction would be greatly appreciated.  Thanks,

 

Ben


--- End Message ---
--- Begin Message ---
Ben Miller wrote:
> Hi,
>
> I'm building a site for a client that has a need to allow their users to
> upload large files (up to 100mb or more) and store them on the server.  I've
> never had a need to work with PHP's FTP functions until now and, before I go
> reading the manual to learn how, I wanted to see if this is something that I
> can handle with just PHP, or if I'm going to need to adopt a third party
> Ajax app or something like that?  Any thoughts or even a point in the right
> direction would be greatly appreciated.  Thanks,

The PHP FTP functions are for client access to a remote server, not so that PHP can act as an FTP server. To resolve the issue you'll have to either give them FTP access, SSH access, or allow huge uploads. If you insist on doing it via PHP, you can use a .htaccess configuration in the directory containing the upload script to override the upload/post maximum sizes for PHP. Similarly, you'll need to increase max execution time. Since these are clients, I presume they have been authenticated first (otherwise you're opening yourself up to DoS). Alternatively you could use a Flash plugin or Java applet to facilitate the upload.

Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP

--- End Message ---
--- Begin Message ---
I think you will need help from a client-side app, like a Java
applet or Flash. PHP can transfer files from your web server to your
FTP server, but people will have difficulty uploading files via a bare
browser.

On Tue, Feb 16, 2010 at 3:12 PM, Ben Miller <[email protected]> wrote:
> Hi,
>
>
>
> I'm building a site for a client that has a need to allow their users to
> upload large files (up to 100mb or more) and store them on the server.  I've
> never had a need to work with PHP's FTP functions until now and, before I go
> reading the manual to learn how, I wanted to see if this is something that I
> can handle with just PHP, or if I'm going to need to adopt a third party
> Ajax app or something like that?  Any thoughts or even a point in the right
> direction would be greatly appreciated.  Thanks,
>
>
>
> Ben
>
>

--- End Message ---
--- Begin Message ---
On Tue, 2010-02-16 at 15:21 -0500, Robert Cummings wrote:

> Ben Miller wrote:
> > Hi,
> > 
> > I'm building a site for a client that has a need to allow their users to
> > upload large files (up to 100mb or more) and store them on the server.  I've
> > never had a need to work with PHP's FTP functions until now and, before I go
> > reading the manual to learn how, I wanted to see if this is something that I
> > can handle with just PHP, or if I'm going to need to adopt a third party
> > Ajax app or something like that?  Any thoughts or even a point in the right
> > direction would be greatly appreciated.  Thanks,
> 
> The PHP FTP functions are for client access to a remote server, not so 
> that PHP can act as an FTP server. To resolve the issue you'll have to 
> either give them FTP access, SSH access, or allow huge uploads. If you 
> insist on doing it via PHP, you can use a .htaccess configuration in the 
>   directory containing the upload script to override the upload/post 
> maximum sizes for PHP. Similarly, you'll need to increase max execution 
> time. Since these are clients, I presume they have been authenticated 
> first (otherwise you're opening yourself up to DoS). Alternatively you 
> could use a Flash plugin or Java applet to facilitate the upload.
> 
> Cheers,
> Rob.
> -- 
> http://www.interjinn.com
> Application and Templating Framework for PHP
> 


Flash or Java are the best way to go for this. The browser isn't good
for large file uploads, I've had too many fail when the files got too
large, even when the server was set up to allow them.

Thanks,
Ash
http://www.ashleysheridan.co.uk



--- End Message ---
--- Begin Message ---
The only one I ever got to work properly for files > 100 mb is
http://jumploader.com/
It's java, and free.

On Tue, Feb 16, 2010 at 9:12 PM, Ben Miller <[email protected]> wrote:
> Hi,
>
>
>
> I'm building a site for a client that has a need to allow their users to
> upload large files (up to 100mb or more) and store them on the server.  I've
> never had a need to work with PHP's FTP functions until now and, before I go
> reading the manual to learn how, I wanted to see if this is something that I
> can handle with just PHP, or if I'm going to need to adopt a third party
> Ajax app or something like that?  Any thoughts or even a point in the right
> direction would be greatly appreciated.  Thanks,
>
>
>
> Ben
>
>

--- End Message ---
