php-general Digest 18 Aug 2010 08:44:24 -0000 Issue 6899
Topics (messages 307507 through 307518):
Re: How safe is a .htaccess file?
307507 by: Robert Cummings
307508 by: Peter Lind
307509 by: Robert Cummings
307510 by: Peter Lind
307511 by: Robert Cummings
307512 by: tedd
307514 by: Peter Lind
Re: mysqldump
307513 by: Jason Pruim
How verify whether browser arrived via IPv6, IPv4, domain or number
307515 by: Leith Bade
307516 by: Per Jessen
Re: Including files on NFS mount slow with APC enabled
307517 by: Mark Hunting
tutorial failure
307518 by: e-letter
Administrivia:
To subscribe to the digest, e-mail:
[email protected]
To unsubscribe from the digest, e-mail:
[email protected]
To post to the list, e-mail:
[email protected]
----------------------------------------------------------------------
--- Begin Message ---
On 10-08-17 04:17 PM, tedd wrote:
Hi gang:
The subject line says it all.
How secure is a .htaccess file to store passwords and other sensitive stuff?
Can a .htaccess file be viewed remotely?
It depends on the server configuration. I think for the most part apache
servers disable viewing these files by default. But, in any event, when
these include access restriction, I always point it at a user/password
file outside the web tree.
Cheers,
Rob.
--
E-Mail Disclaimer: Information contained in this message and any
attached documents is considered confidential and legally protected.
This message is intended solely for the addressee(s). Disclosure,
copying, and distribution are prohibited unless authorized.
--- End Message ---
--- Begin Message ---
On 17 August 2010 22:17, tedd <[email protected]> wrote:
> Hi gang:
>
> The subject line says it all.
>
> How secure is a .htaccess file to store passwords and other sensitive stuff?
>
> Can a .htaccess file be viewed remotely?
No, Apache won't serve it.
Regards
Peter
--
<hype>
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
BeWelcome/Couchsurfing: Fake51
Twitter: http://twitter.com/kafe15
</hype>
--- End Message ---
--- Begin Message ---
On 10-08-17 04:23 PM, Peter Lind wrote:
On 17 August 2010 22:17, tedd<[email protected]> wrote:
Hi gang:
The subject line says it all.
How secure is a .htaccess file to store passwords and other sensitive stuff?
Can a .htaccess file be viewed remotely?
No, Apache won't serve it.
It's a configuration setting though, and not a hard-coded feature.
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
Cheers,
Rob.
--
E-Mail Disclaimer: Information contained in this message and any
attached documents is considered confidential and legally protected.
This message is intended solely for the addressee(s). Disclosure,
copying, and distribution are prohibited unless authorized.
--- End Message ---
--- Begin Message ---
On 17 August 2010 22:35, Robert Cummings <[email protected]> wrote:
>
>
> On 10-08-17 04:23 PM, Peter Lind wrote:
>>
>> On 17 August 2010 22:17, tedd<[email protected]> wrote:
>>>
>>> Hi gang:
>>>
>>> The subject line says it all.
>>>
>>> How secure is a .htaccess file to store passwords and other sensitive
>>> stuff?
>>>
>>> Can a .htaccess file be viewed remotely?
>>
>> No, Apache won't serve it.
>
> It's a configuration setting though, and not a hard-coded feature.
Set by default in your apache2.conf file which you're rather unlikely
to mess with as that is not how you're setting up sites.
Regards
Peter
--
<hype>
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
BeWelcome/Couchsurfing: Fake51
Twitter: http://twitter.com/kafe15
</hype>
--- End Message ---
--- Begin Message ---
On 10-08-17 04:39 PM, Peter Lind wrote:
On 17 August 2010 22:35, Robert Cummings<[email protected]> wrote:
On 10-08-17 04:23 PM, Peter Lind wrote:
On 17 August 2010 22:17, tedd<[email protected]> wrote:
Hi gang:
The subject line says it all.
How secure is a .htaccess file to store passwords and other sensitive
stuff?
Can a .htaccess file be viewed remotely?
No, Apache won't serve it.
It's a configuration setting though, and not a hard-coded feature.
Set by default in your apache2.conf file which you're rather unlikely
to mess with as that is not how you're setting up sites.
Totally agreed... but I've seen worse in my travels :)
Cheers,
Rob.
--
E-Mail Disclaimer: Information contained in this message and any
attached documents is considered confidential and legally protected.
This message is intended solely for the addressee(s). Disclosure,
copying, and distribution are prohibited unless authorized.
--- End Message ---
--- Begin Message ---
At 4:23 PM -0400 8/17/10, Robert Cummings wrote:
On 10-08-17 04:17 PM, tedd wrote:
Hi gang:
The subject line says it all.
How secure is a .htaccess file to store passwords and other sensitive stuff?
Can a .htaccess file be viewed remotely?
It depends on the server configuration. I think for the most part
apache servers disable viewing these files by default. But, in any
event, when these include access restriction, I always point it at a
user/password file outside the web tree.
Cheers,
Rob.
--
Rob:
When you're on a shared hosting account, they typically prohibit
files being outside of the web root. Some do, some don't. For
example, GoDaddy.com prohibits files outside of the web root while
Parasane.net doesn't, at least my experience with my accounts.
I'm simply trying to find the "best" method to hide sensitive
information on a shared hosting environment. Thus far, it appears
that .htaccess files are the safest bet, but I understand that
nothing is certain -- every method has risks.
GoDaddy.com brags about not being hacked in 6 years and thus offers
some verbal assurances that they are secure. However, I am not sure
as to what they would do if they were hacked and sensitive
information was made public. I'll ask them in writing and see what
they say.
In the meantime, I think I'll use .htaccess files for secure stuff.
Cheers,
tedd
--
-------
http://sperling.com/
--- End Message ---
--- Begin Message ---
On 18 August 2010 01:41, tedd <[email protected]> wrote:
> At 4:23 PM -0400 8/17/10, Robert Cummings wrote:
>>
>> On 10-08-17 04:17 PM, tedd wrote:
>>>
>>> Hi gang:
>>>
>>> The subject line says it all.
>>>
>>> How secure is a .htaccess file to store passwords and other sensitive
>>> stuff?
>>>
>>> Can a .htaccess file be viewed remotely?
>>
>> It depends on the server configuration. I think for the most part apache
>> servers disable viewing these files by default. But, in any event, when
>> these include access restriction, I always point it at a user/password file
>> outside the web tree.
>>
>> Cheers,
>> Rob.
>> --
>
> Rob:
>
> When you're on a shared hosting account, they typically prohibit files being
> outside of the web root. Some do, some don't. For example, GoDaddy.com
> prohibits files outside of the web root while Parasane.net doesn't, at least
> my experience with my accounts.
>
> I'm simply trying to find the "best" method to hide sensitive information on
> a shared hosting environment. Thus far, it appears that .htaccess files are
> the safest bet, but I understand that nothing is certain -- every method has
> risks.
Try accessing a .htaccess file that you have created - if you get a
403 or anything to that effect, you're safe. You might also want to
try the same with .htpasswd and .htgroups (they'll likely be blocked
as well, but better safe than sorry). That way you'll actually know if
they're safe instead of just relying on our guesses about your
servers.
Regards
Peter
--
<hype>
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
BeWelcome/Couchsurfing: Fake51
Twitter: http://twitter.com/kafe15
</hype>
--- End Message ---
--- Begin Message ---
On Aug 17, 2010, at 3:19 PM, tedd <[email protected]> wrote:
> At 11:45 AM -0700 8/17/10, Mari Masuda wrote:
>> Actually,
>>
>> mysqldump -u user -p password database_name > outfile.sql
>>
>> is also the incorrect command. When providing the password in the command,
>> there should not be a space between the "-p" and the actual password. Try
>>
>> mysqldump -u user -ppassword database_name > outfile.sql
>>
>> and see if that gets you anywhere.
>
> Bingo -- that worked.
>
> It's interesting that a space is optional between -u and user, but required
> to be absent between -p and password. Seems not symmetrical to me
Tedd... Goad you got the answer you needed as far as safely attacking the
command line if my memory serves me correctly you are on a Mac so What you are
looking for is a program called terminal.
It's in the utilities folder of your harddrive. Then what you would do is
assuming your host supports ssh is simply type into the terminal application:
ssh youruzern...@yourdomain
Say yes when it asks if you want to store the encryption key (I think that's
what it's called) and then enter your password. Once all of that is done then
just type in the command that was given and it will create the file just as you
requested.
Now I typed all that for the archives since you found a way to do t with exec
but I'm always happy to help the archives where I can :)
Have a great night!
--- End Message ---
--- Begin Message ---
I want to take $_SERVER['SERVER_NAME'] and figure out whether the user
arrived by typing an IPv6-only, IPv4-only or dual IPv4/IPv6 DNS address.
It should also handle the case where the user enters a numeric address in
one of the formats the sockets inet_addr() function can handle. Such as
IPv4/IPv6 dotted decimal, octal, hex, DWORD, etc.
So far I have thought up this:
1. Use gethostbyname($_SERVER['SERVER_NAME']) to get an address
2. Check this address to see if it is IPv4/IPv6
Will this always work?
Also what is the best way in php to check if an address is IPv4 or IPv6?
Some people scan for ":" or ".", others use filter_var(), but these both
seem clunky to me.
Can anyone think of a better way?
Thanks,
Leith Bade
[email protected]
--- End Message ---
--- Begin Message ---
Leith Bade wrote:
> I want to take $_SERVER['SERVER_NAME'] and figure out whether the user
> arrived by typing an IPv6-only, IPv4-only or dual IPv4/IPv6 DNS
> address.
>
> It should also handle the case where the user enters a numeric address
> in one of the formats the sockets inet_addr() function can handle.
> Such as IPv4/IPv6 dotted decimal, octal, hex, DWORD, etc.
>
> So far I have thought up this:
>
> 1. Use gethostbyname($_SERVER['SERVER_NAME']) to get an address
> 2. Check this address to see if it is IPv4/IPv6
>
> Will this always work?
gethostbyname() does not return any IPv6 addresses. You need
getaddrinfo(), but that is AFAIK not yet implemented for php.
> Also what is the best way in php to check if an address is IPv4 or
> IPv6?
preg_match() ?
--
Per Jessen, Zürich (16.2°C)
--- End Message ---
--- Begin Message ---
Bug reported, see http://pecl.php.net/bugs/bug.php?id=18154
On 08/17/2010 01:13 PM, Colin Guthrie wrote:
> I don't know the internals of APC but that smells like a bug to me.
>
> Can you post the bug number here if you report one?
>
> Cheers
>
> Col
>
>
--- End Message ---
--- Begin Message ---
Readers,
Copy below of message sent 15 August to php install digest list, but
to date not including in mail archive?
The tutorial example:
<html>
<head>
<title>php test
</title
</head>
<body>
<?php
echo '<p>Hi, I am a PHP script</p>';
?>
<p>
this is a test
</p>
</body>
</html>
is saved to the normal user temporary folder as 'test.php' and then
copied to the folder '/var/www/html/' using the root user account. The
web browser is directed to url 'http://localhost.test.php, to show:
Hi, I am a PHP script
'; ?>
this is a test
What is the error please?
Urpmi was used to install so the php version installed is not known.
How to obtain this please
--- End Message ---
