php-general Digest 19 Aug 2010 09:03:49 -0000 Issue 6901
Topics (messages 307545 through 307556):
Re: Can't read $_POST array
307545 by: Ashley Sheridan
307546 by: Marc Guay
307547 by: Brian Dunning
307548 by: Adam Richardson
307549 by: Adam Richardson
307550 by: Ashley Sheridan
307551 by: chris h
307552 by: Brian Dunning
307553 by: Daevid Vincent
307554 by: Andrew Mason
required return on pecl install pam
307555 by: fakessh
Re: How safe is a .htaccess file?
307556 by: Nathan Rixham
Administrivia:
To subscribe to the digest, e-mail:
[email protected]
To unsubscribe from the digest, e-mail:
[email protected]
To post to the list, e-mail:
[email protected]
----------------------------------------------------------------------
--- Begin Message ---
On Wed, 2010-08-18 at 13:45 -0700, Brian Dunning wrote:
> I'm trying to write a VERY simple script that does nothing but store all the
> submitted GET and POST vars in a string and echo it out.
>
> $response = print_r($_REQUEST, true);
> echo $response;
>
> The problem is it only shows GET vars. I've tried $POST instead of $_REQUEST
> and it always gives an empty array. I've got it on two different servers, and
> we have three guys trying various methods of submitting forms to it, trying
> to eliminate all potential problems, like the possibility that the request
> might not actually have any POST vars. I think we've safely eliminated these
> possibilities.
>
> Can anyone see a reason why the above should not see POST vars? Is there some
> security setting I don't know about?
Is there any code before the print_r() call, i.e. code that might be
setting it to an empty array?
If not, then are you sure your form is definitely sending post
variables? It sounds a stupid question, but a small typo could be
sending the data as GET by accident. Firefox has a useful extension
called Firebug which might be able to show you the data being sent to
the browser. If you really need to bring out the big guns, then
Wireshark will show all the network traffic, including that sent from
your form to the server.
Thanks,
Ash
http://www.ashleysheridan.co.uk
--- End Message ---
--- Begin Message ---
> $response = print_r($_REQUEST, true);
> echo $response;
I'm sorry I don't have any input on your actual question but tohuhgt
I'd mention that this can be shortened to:
print_r($_REQUEST);
... if I'm not mistaken.
Marc
--- End Message ---
--- Begin Message ---
Sorry, my typo, $_POST is one of the options we tried, not $POST. It returns an
empty array also.
On Aug 18, 2010, at 1:50 PM, Joshua Kehn wrote:
> On Aug 18, 2010, at 4:45 PM, Brian Dunning wrote:
>
>> I'm trying to write a VERY simple script that does nothing but store all the
>> submitted GET and POST vars in a string and echo it out.
>>
>> $response = print_r($_REQUEST, true);
>> echo $response;
>>
>> The problem is it only shows GET vars. I've tried $POST instead of $_REQUEST
>> and it always gives an empty array. I've got it on two different servers,
>> and we have three guys trying various methods of submitting forms to it,
>> trying to eliminate all potential problems, like the possibility that the
>> request might not actually have any POST vars. I think we've safely
>> eliminated these possibilities.
>>
>> Can anyone see a reason why the above should not see POST vars? Is there
>> some security setting I don't know about?
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>
> You have to use $_POST for the post data.
>
> Regards,
>
> -Josh
> ____________________________________
> Joshua Kehn | [email protected]
> http://joshuakehn.com
>
--- End Message ---
--- Begin Message ---
On Wed, Aug 18, 2010 at 4:49 PM, Ashley Sheridan
<[email protected]>wrote:
> On Wed, 2010-08-18 at 13:45 -0700, Brian Dunning wrote:
>
> > I'm trying to write a VERY simple script that does nothing but store all
> the submitted GET and POST vars in a string and echo it out.
> >
> > $response = print_r($_REQUEST, true);
> > echo $response;
> >
> > The problem is it only shows GET vars. I've tried $POST instead of
> $_REQUEST and it always gives an empty array. I've got it on two different
> servers, and we have three guys trying various methods of submitting forms
> to it, trying to eliminate all potential problems, like the possibility that
> the request might not actually have any POST vars. I think we've safely
> eliminated these possibilities.
> >
> > Can anyone see a reason why the above should not see POST vars? Is there
> some security setting I don't know about?
>
>
> Is there any code before the print_r() call, i.e. code that might be
> setting it to an empty array?
>
> If not, then are you sure your form is definitely sending post
> variables? It sounds a stupid question, but a small typo could be
> sending the data as GET by accident. Firefox has a useful extension
> called Firebug which might be able to show you the data being sent to
> the browser. If you really need to bring out the big guns, then
> Wireshark will show all the network traffic, including that sent from
> your form to the server.
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
>
>
>
Check php.ini for this setting:
variables_order
--
Nephtali: PHP web framework that functions beautifully
http://nephtaliproject.com
--- End Message ---
--- Begin Message ---
On Wed, Aug 18, 2010 at 4:55 PM, Adam Richardson <[email protected]>wrote:
> On Wed, Aug 18, 2010 at 4:49 PM, Ashley Sheridan <[email protected]
> > wrote:
>
>> On Wed, 2010-08-18 at 13:45 -0700, Brian Dunning wrote:
>>
>> > I'm trying to write a VERY simple script that does nothing but store all
>> the submitted GET and POST vars in a string and echo it out.
>> >
>> > $response = print_r($_REQUEST, true);
>> > echo $response;
>> >
>> > The problem is it only shows GET vars. I've tried $POST instead of
>> $_REQUEST and it always gives an empty array. I've got it on two different
>> servers, and we have three guys trying various methods of submitting forms
>> to it, trying to eliminate all potential problems, like the possibility that
>> the request might not actually have any POST vars. I think we've safely
>> eliminated these possibilities.
>> >
>> > Can anyone see a reason why the above should not see POST vars? Is there
>> some security setting I don't know about?
>>
>>
>> Is there any code before the print_r() call, i.e. code that might be
>> setting it to an empty array?
>>
>> If not, then are you sure your form is definitely sending post
>> variables? It sounds a stupid question, but a small typo could be
>> sending the data as GET by accident. Firefox has a useful extension
>> called Firebug which might be able to show you the data being sent to
>> the browser. If you really need to bring out the big guns, then
>> Wireshark will show all the network traffic, including that sent from
>> your form to the server.
>>
>> Thanks,
>> Ash
>> http://www.ashleysheridan.co.uk
>>
>>
>>
> Check php.ini for this setting:
> variables_order
>
>
> --
> Nephtali: PHP web framework that functions beautifully
> http://nephtaliproject.com
>
And I suppose post_max_size could cause issues, too.
--
Nephtali: PHP web framework that functions beautifully
http://nephtaliproject.com
--- End Message ---
--- Begin Message ---
On Wed, 2010-08-18 at 16:55 -0400, Adam Richardson wrote:
> On Wed, Aug 18, 2010 at 4:49 PM, Ashley Sheridan
> <[email protected]>wrote:
>
> > On Wed, 2010-08-18 at 13:45 -0700, Brian Dunning wrote:
> >
> > > I'm trying to write a VERY simple script that does nothing but store all
> > the submitted GET and POST vars in a string and echo it out.
> > >
> > > $response = print_r($_REQUEST, true);
> > > echo $response;
> > >
> > > The problem is it only shows GET vars. I've tried $POST instead of
> > $_REQUEST and it always gives an empty array. I've got it on two different
> > servers, and we have three guys trying various methods of submitting forms
> > to it, trying to eliminate all potential problems, like the possibility that
> > the request might not actually have any POST vars. I think we've safely
> > eliminated these possibilities.
> > >
> > > Can anyone see a reason why the above should not see POST vars? Is there
> > some security setting I don't know about?
> >
> >
> > Is there any code before the print_r() call, i.e. code that might be
> > setting it to an empty array?
> >
> > If not, then are you sure your form is definitely sending post
> > variables? It sounds a stupid question, but a small typo could be
> > sending the data as GET by accident. Firefox has a useful extension
> > called Firebug which might be able to show you the data being sent to
> > the browser. If you really need to bring out the big guns, then
> > Wireshark will show all the network traffic, including that sent from
> > your form to the server.
> >
> > Thanks,
> > Ash
> > http://www.ashleysheridan.co.uk
> >
> >
> >
> Check php.ini for this setting:
> variables_order
>
>
If the $_POST array appears empty in a print_r() statement, then the
variable order won't be the cause. It's more likely that the array is
being emptied before it gets to the print_r() or it is not being sent at
all.
Thanks,
Ash
http://www.ashleysheridan.co.uk
--- End Message ---
--- Begin Message ---
Does $_SERVER['HTTP_METHOD'] show a GET or POST?
On Wed, Aug 18, 2010 at 4:58 PM, Adam Richardson <[email protected]>wrote:
> On Wed, Aug 18, 2010 at 4:55 PM, Adam Richardson <[email protected]
> >wrote:
>
> > On Wed, Aug 18, 2010 at 4:49 PM, Ashley Sheridan <
> [email protected]
> > > wrote:
> >
> >> On Wed, 2010-08-18 at 13:45 -0700, Brian Dunning wrote:
> >>
> >> > I'm trying to write a VERY simple script that does nothing but store
> all
> >> the submitted GET and POST vars in a string and echo it out.
> >> >
> >> > $response = print_r($_REQUEST, true);
> >> > echo $response;
> >> >
> >> > The problem is it only shows GET vars. I've tried $POST instead of
> >> $_REQUEST and it always gives an empty array. I've got it on two
> different
> >> servers, and we have three guys trying various methods of submitting
> forms
> >> to it, trying to eliminate all potential problems, like the possibility
> that
> >> the request might not actually have any POST vars. I think we've safely
> >> eliminated these possibilities.
> >> >
> >> > Can anyone see a reason why the above should not see POST vars? Is
> there
> >> some security setting I don't know about?
> >>
> >>
> >> Is there any code before the print_r() call, i.e. code that might be
> >> setting it to an empty array?
> >>
> >> If not, then are you sure your form is definitely sending post
> >> variables? It sounds a stupid question, but a small typo could be
> >> sending the data as GET by accident. Firefox has a useful extension
> >> called Firebug which might be able to show you the data being sent to
> >> the browser. If you really need to bring out the big guns, then
> >> Wireshark will show all the network traffic, including that sent from
> >> your form to the server.
> >>
> >> Thanks,
> >> Ash
> >> http://www.ashleysheridan.co.uk
> >>
> >>
> >>
> > Check php.ini for this setting:
> > variables_order
> >
> >
> > --
> > Nephtali: PHP web framework that functions beautifully
> > http://nephtaliproject.com
> >
>
> And I suppose post_max_size could cause issues, too.
>
> --
> Nephtali: PHP web framework that functions beautifully
> http://nephtaliproject.com
>
--- End Message ---
--- Begin Message ---
This was the complete code of the page (this is the POST version not the
REQUEST version):
<?php
$response = print_r($_POST, true);
echo $response;
?>
Returns an empty array no matter what POST vars are sent. We fixed it by
changing it to this, which I've never even heard of, but so far is working
perfectly:
<?php
$response = file_get_contents('php://input');
echo $response;
?>
I have no idea what the problem was. Thanks to everyone for your help.
--- End Message ---
--- Begin Message ---
You've got something jacked. DO NOT proceed with your coding using this
hack.
Put this in a blank file named whatever_you_want.php and hit it with your
web browser.
---------------------------------------------------------------------------
-----
<?php if ($_POST['action'] == 'Go') print_r($_POST); ?>
<form action="<?=$_SERVER['SCRIPT_NAME']?>" method="POST">
<select name="my_select">
<option value="foo">foo</option>
<option value="bar">bar</option>
</select>
<input type="submit" value="Go" name="action" class="button
submit"/>
</form>
---------------------------------------------------------------------------
-----
> -----Original Message-----
> From: Brian Dunning [mailto:[email protected]]
> Sent: Wednesday, August 18, 2010 2:23 PM
> To: PHP-General
> Subject: Re: [PHP] Can't read $_POST array
>
> This was the complete code of the page (this is the POST
> version not the REQUEST version):
>
> <?php
> $response = print_r($_POST, true);
> echo $response;
> ?>
>
> Returns an empty array no matter what POST vars are sent. We
> fixed it by changing it to this, which I've never even heard
> of, but so far is working perfectly:
>
> <?php
> $response = file_get_contents('php://input');
> echo $response;
> ?>
>
> I have no idea what the problem was. Thanks to everyone for your help.
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
<?php if ($_POST['action'] == 'Go') print_r($_POST); ?>
<form action="<?=$_SERVER['SCRIPT_NAME']?>" method="POST">
<select name="my_select">
<option value="foo">foo</option>
<option value="bar">bar</option>
</select>
<input type="submit" value="Go" name="action" class="button submit"/>
</form>
--- End Message ---
--- Begin Message ---
On Thu, Aug 19, 2010 at 7:41 AM, Daevid Vincent <[email protected]> wrote:
> You've got something jacked. DO NOT proceed with your coding using this
> hack.
>
> Put this in a blank file named whatever_you_want.php and hit it with your
> web browser.
>
> ---------------------------------------------------------------------------
> -----
> <?php if ($_POST['action'] == 'Go') print_r($_POST); ?>
>
> <form action="<?=$_SERVER['SCRIPT_NAME']?>" method="POST">
> <select name="my_select">
> <option value="foo">foo</option>
> <option value="bar">bar</option>
> </select>
> <input type="submit" value="Go" name="action" class="button
> submit"/>
> </form>
> ---------------------------------------------------------------------------
> -----
>
>> -----Original Message-----
>> From: Brian Dunning [mailto:[email protected]]
>> Sent: Wednesday, August 18, 2010 2:23 PM
>> To: PHP-General
>> Subject: Re: [PHP] Can't read $_POST array
>>
>> This was the complete code of the page (this is the POST
>> version not the REQUEST version):
>>
>> <?php
>> $response = print_r($_POST, true);
>> echo $response;
>> ?>
>>
>> Returns an empty array no matter what POST vars are sent. We
>> fixed it by changing it to this, which I've never even heard
>> of, but so far is working perfectly:
>>
>> <?php
>> $response = file_get_contents('php://input');
>> echo $response;
>> ?>
>>
>> I have no idea what the problem was. Thanks to everyone for your help.
>>
>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
Does what your posting contain any content like '<' '>' my guess is
that you need to access the content using the filter_ functions.
Andrew
--- End Message ---
--- Begin Message ---
hello guru off php
pecl pam seems little buggy
http://pecl.php.net/bugs/bug.php?id=16995
you are coming to run this extension
I'm listening and indication of any return
please help me
--- End Message ---
--- Begin Message ---
tedd wrote:
Hi gang:
The subject line says it all.
How secure is a .htaccess file to store passwords and other sensitive
stuff?
Can a .htaccess file be viewed remotely?
Semi-safe,
.htaccess is prevented from being served by configuration options (which
come as default), however these can be overwritten so best to check by
doing a GET on the resource URI.
This doesn't prevent them from being exposed via other processes though,
for instance a poorly coded 'download.php?path=/path/to/.htaccess' could
still expose the file.
Typically, its obviously better to store only a hash of a password
rather than the pass in plain text, choosing the strongest algorithm you
can; password security is of course relative though, a sha-512 of
'password1' is far from secure.
A good way to approach encryption for files is to openssl_seal them
using a public key which is only available to your application - this
doesn't negate insecure code, but it at least ensures the raw files are
encrypted securely enough to negate any of these worries. (just keep
your private key safe, preferably in a pkcs12 w/a strong 64char+ pass)
Best,
Nathan
--- End Message ---
