php-general Digest 13 Sep 2010 08:34:51 -0000 Issue 6938
Topics (messages 307996 through 308013):
Re: 1984 (Big Brother)
307996 by: Tamara Temple
308001 by: tedd
308005 by: Tamara Temple
308008 by: Paul M Foster
308009 by: Paul M Foster
Re: How to handle a submitted form with no changes -- best practices sought
307997 by: Tamara Temple
307998 by: Ashley Sheridan
307999 by: Michael Shadle
308000 by: Robert Cummings
308002 by: Tamara Temple
308003 by: Michael Shadle
308004 by: Ashley Sheridan
Re: Standalone WebServer for PHP
308006 by: Paul M Foster
308012 by: Pete Ford
308013 by: Dotan Cohen
Re: New to PHP and the list
308007 by: Paul M Foster
Re: workflow system design
308010 by: Sridhar Pandurangiah
308011 by: Sridhar Pandurangiah
Administrivia:
To subscribe to the digest, e-mail:
[email protected]
To unsubscribe from the digest, e-mail:
[email protected]
To post to the list, e-mail:
[email protected]
----------------------------------------------------------------------
--- Begin Message ---
Sounds like there are some security concerns here.
On Sep 12, 2010, at 11:32 AM, tedd wrote:
I have a client who wants his employees' access to their online
business database restricted to only times when he is logged on.
(Don't ask why)
I do wonder why, though. Perhaps this is an opportunity to educate
someone about security and privacy and web applications? Does he feel
that by being logged in, he can control every aspect of connection to
the data base? Or even be aware of every access to the data base? What
is he hoping to accomplish by being logged in? Does he propose to
actively monitor the data base transactions in real time while he's at
work? What is he hoping to avoid by requiring his logged in state
before anyone else can access the data base? Just being logged in
won't dissuade a cracker from attacking his data if they so choose,
nor will it prevent a disgruntled employee from damaging the data
while he's logged in if they have the expertise and means.
Also, what happens when he's sick or incapacitated some day and can't
log in to the data base. Does he expect his business to continue
without his presence or does it also shut down for the day?
This just seems like an excessive amount of paranoia that his solution
won't provide an answer for. It seems like a poor business decision on
his part.
In other words, when the boss is not logged on, then his employees
cannot access the business database in any fashion whatsoever
including checking to see if the boss is logged on, or not. No
access whatsoever!
What about access to the web application while he's not logged in? Do
they still have that? If someone is determined, they can still learn a
lot.
Normally, I would just set up a field in the database and have that
set to "yes" or "no" as to if the employees could access the
database, or not. But in this case, the boss does not want even that
type of access to the database permitted. Repeat -- No access
whatsoever!
I was thinking of the boss' script writing to a file that
accomplished the "yes" or "no" thing, but if the boss did not log
off properly then the file would remain in the "yes" state allowing
employees undesired access. That would not be acceptable.
So, what methods would you suggest?
What about access to a parallel data base that only contains
information pertaining to access? i.e. separate out the application's
authentication and access control from the main data base and put it
in a parallel data base.
--- End Message ---
--- Begin Message ---
At 4:05 PM -0500 9/12/10, Tamara Temple wrote:
Sounds like there are some security concerns here.
On Sep 12, 2010, at 11:32 AM, tedd wrote:
I have a client who wants his employees' access to their online
business database restricted to only times when he is logged on.
(Don't ask why)
I do wonder why, though. Perhaps this is an opportunity to educate
someone about security and privacy and web applications? Does he
feel that by being logged in, he can control every aspect of
connection to the data base? Or even be aware of every access to the
data base? What is he hoping to accomplish by being logged in? Does
he propose to actively monitor the data base transactions in real
time while he's at work? What is he hoping to avoid by requiring his
logged in state before anyone else can access the data base? Just
being logged in won't dissuade a cracker from attacking his data if
they so choose, nor will it prevent a disgruntled employee from
damaging the data while he's logged in if they have the expertise
and means.
Tamara:
I said "Don't ask why"
You see, people often have strange notions about "their" business or
unusual ideas about how to do things. That goes with consulting.
While many may find that odd, some of the most revolutionary
ideas come from such unusual thinking.
For example, take a look at Henry Ford and his investigation and
research to control not only what people work on, but how they
perform their work. Without his efforts, I would think the idea of
the assembly line would have surfaced many years later by someone
else with similar ideas.
I'm sure that many people would look upon Steve Jobs and what he
expects from his employees and think that odd, but look at the
results.
I don't pass judgement. I simply advise (based upon my limited
understanding of things) and let the client make the calls. After
all, he's the one paying the bills and he has answers for the
remainder of your questions.
Cheers,
tedd
--
-------
http://sperling.com/
--- End Message ---
--- Begin Message ---
On Sep 12, 2010, at 4:48 PM, tedd wrote:
At 4:05 PM -0500 9/12/10, Tamara Temple wrote:
Sounds like there are some security concerns here.
On Sep 12, 2010, at 11:32 AM, tedd wrote:
I have a client who wants his employees' access to their online
business database restricted to only times when he is logged on.
(Don't ask why)
I do wonder why, though. Perhaps this is an opportunity to educate
someone about security and privacy and web applications? Does he
feel that by being logged in, he can control every aspect of
connection to the data base? Or even be aware of every access to
the data base? What is he hoping to accomplish by being logged in?
Does he propose to actively monitor the data base transactions in
real time while he's at work? What is he hoping to avoid by
requiring his logged in state before anyone else can access the
data base? Just being logged in won't dissuade a cracker from
attacking his data if they so choose, nor will it prevent a
disgruntled employee from damaging the data while he's logged in if
they have the expertise and means.
Tamara:
I said "Don't ask why"
Wondering isn't asking. I don't personally care why. It's not my
client, not my business, not my problem.
You see, people often have strange notions about "their" business or
unusual ideas about how to do things. That goes with consulting.
While many may find that odd, some of the most revolutionary
ideas come from such unusual thinking.
I've been in business and technology consulting for years and years,
and very successful at getting customers' desired outcomes. I don't
think their notions "strange" or "unusual" -- just that without
further elicitation, one cannot understand what they are truly
desiring, and to find out what they don't want as an outcome of their
up-front stated goals.
I don't pass judgement. I simply advise (based upon my limited
understanding of things) and let the client make the calls. After
all, he's the one paying the bills and he has answers for the
remainder of your questions.
It's not a question of passing judgement on someone's ideas. It's a
question of finding the best solution for the customer's actual needs
and desires. It's almost always the case that further exploration of
the customer's concerns behind their thoughts has proven to give them
a much more robust and useful solution and gets them what they are
really after. Most people aren't aware of the assumptions and
conclusions they have. Eliciting more information can lead to better
solutions for all. Blind faith in the customer's stated requirements
can lead one to a disastrous conclusion. It's been said all over the
net that customers don't really know what they want until they see it.
Further, that they don't know what they don't want until it happens to
them. I believe in delivering the most value to the customer for their
money, and that means understanding their needs as best as possible,
and that is done by exploring their business models, assumptions, and
needs.
--- End Message ---
--- Begin Message ---
On Sun, Sep 12, 2010 at 06:07:57PM -0500, Tamara Temple wrote:
<snip>
>
> I've been in business and technology consulting for years and years,
> and very successful at getting customers' desired outcomes. I don't
> think their notions "strange" or "unusual" -- just that without
> further elicitation, one cannot understand what they are truly
> desiring, and to find out what they don't want as an outcome of their
> up-front stated goals.
>
> >I don't pass judgement. I simply advise (based upon my limited
> >understanding of things) and let the client make the calls. After
> >all, he's the one paying the bills and he has answers for the
> >remainder of your questions.
>
> It's not a question of passing judgement on someone's ideas. It's a
> question of finding the best solution for the customer's actual needs
> and desires. It's almost always the case that further exploration of
> the customer's concerns behind their thoughts has proven to give them
> a much more robust and useful solution and gets them what they are
> really after. Most people aren't aware of the assumptions and
> conclusions they have. Eliciting more information can lead to better
> solutions for all. Blind faith in the customer's stated requirements
> can lead one to a disastrous conclusion. It's been said all over the
> net that customers don't really know what they want until they see it.
> Further, that they don't know what they don't want until it happens to
> them. I believe in delivering the most value to the customer for their
> money, and that means understanding their needs as best as possible,
> and that is done by exploring their business models, assumptions, and
> needs.
+1
I won't argue with Tedd about this, but perhaps this is why I don't do
business consulting any more. When I would come across a customer like
this, I would argue with them and probe until I found out what they
were *really* trying to do. It was usually some confused idea they had
about something, or something they were doing which wasn't entirely
ethical they were trying to cover.
But again, it's Tedd's client. He can do as he likes.
Paul
--
Paul M. Foster
--- End Message ---
--- Begin Message ---
On Sun, Sep 12, 2010 at 12:32:21PM -0400, tedd wrote:
> Hi gang:
>
> I have a client who wants his employees' access to their online
> business database restricted to only times when he is logged on.
> (Don't ask why)
>
> In other words, when the boss is not logged on, then his employees
> cannot access the business database in any fashion whatsoever
> including checking to see if the boss is logged on, or not. No access
> whatsoever!
>
> Normally, I would just set up a field in the database and have that
> set to "yes" or "no" as to if the employees could access the
> database, or not. But in this case, the boss does not want even that
> type of access to the database permitted. Repeat -- No access
> whatsoever!
>
> I was thinking of the boss' script writing to a file that
> accomplished the "yes" or "no" thing, but if the boss did not log off
> properly then the file would remain in the "yes" state allowing
> employees undesired access. That would not be acceptable.
>
> So, what methods would you suggest?
I hate to seem flippant, but here would be my conversation with this
customer:
Customer: "My employees got access to the database while I was gone
yesterday!"
Consultant: "Well, let's see. Oh, it appears you didn't properly log
out."
Customer: "Yes, but I was *gone*. They weren't supposed to be able to
access the database unless I'm *here*."
Consultant: "The only way we know that is if you log in and log out
properly. Now, if you like, we can put a nanny-cam in your office, and
whenever you're not there (like in the bathroom), the whole thing shuts
down. That will cost $x. Your choice. We've been working on the
mind-reading extension to PHP, but it's not finished yet."
Other than the "boss file", I don't see another way. And as you said, if
he doesn't log out properly, the boss file will allow access when he
didn't intend to allow it.
Paul
--
Paul M. Foster
--- End Message ---
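The "boss file" that both tedd and Paul describe fails open when the boss forgets to log out. The following is an added example, not code from anyone in this thread, showing the variant a practitioner would usually reach for: the boss's session writes a timestamp (a heartbeat) rather than a yes/no flag, and employee code treats the boss as present only while that timestamp is fresh. Employee requests never touch the business database to make this decision, which satisfies the "no access whatsoever" requirement. The file path, the timeout and the DB credentials are assumptions.

```php
<?php
// Added example (not from the thread): gate employee access on a *fresh*
// heartbeat from the boss's session instead of a yes/no flag that stays
// "yes" forever if the boss never logs out. Path and TTL are assumptions.

const BOSS_PRESENCE_FILE = '/var/lib/app/boss.presence'; // outside the web root (assumed)
const PRESENCE_TTL       = 120;                           // seconds; longer than the heartbeat interval

// Called from the boss's authenticated pages (and from a small timer on the
// boss's browser that polls a boss-only endpoint) every 30-60 seconds.
function bossHeartbeat(): void
{
    // Write-then-rename so an employee request never reads a half-written file.
    $tmp = BOSS_PRESENCE_FILE . '.' . getmypid();
    file_put_contents($tmp, (string) time(), LOCK_EX);
    chmod($tmp, 0600);
    rename($tmp, BOSS_PRESENCE_FILE);
}

// Called from the boss's logout handler: presence ends immediately.
function bossLogout(): void
{
    if (is_file(BOSS_PRESENCE_FILE)) {
        unlink(BOSS_PRESENCE_FILE);
    }
}

// Called before any employee page opens the business database.
function bossIsPresent(?int $now = null): bool
{
    $now = $now ?? time();
    if (!is_file(BOSS_PRESENCE_FILE)) {
        return false;                       // logged out, or never logged in
    }
    $raw = trim((string) file_get_contents(BOSS_PRESENCE_FILE));
    if (!ctype_digit($raw)) {
        return false;                       // unreadable or tampered: fail closed
    }
    $age = $now - (int) $raw;
    return $age >= 0 && $age <= PRESENCE_TTL;
}

// Employee entry point: no DB connection is opened unless the boss is present.
function openBusinessDbForEmployee(): PDO
{
    if (!bossIsPresent()) {
        http_response_code(403);
        exit('Database access is currently closed.');
    }
    // Credentials via environment are an assumption of this example.
    return new PDO('mysql:host=localhost;dbname=business', 'employee', getenv('DB_EMPLOYEE_PW'));
}
```

With this, a boss who walks away without logging out leaves access open for at most PRESENCE_TTL seconds after the last heartbeat. The caveat Paul makes still holds: a browser tab left open keeps heartbeating, so "logged in" remains a proxy for "present", only a tighter one. The presence file should be readable and writable only by the web server user, so an employee with shell access to the host cannot forge it.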
--- Begin Message ---
On Sep 12, 2010, at 3:34 PM, Robert Cummings wrote:
On 10-09-11 12:52 PM, Tamara Temple wrote:
I have a general question and am looking for best practices.
Suppose I present a user with a form for editing an entry in a table,
i.e., the form has filled in values from the existing table entry.
Now, suppose they click on 'submit' without making any changes in the
form. (Perhaps, say, rather than clicking 'Cancel' or 'Return to Main'
or some other option which would get them out of that screen without
submitting the form).
Is it worth the overhead of passing along the previous values in the
table in hidden fields so that fields can be checked to see if they've
been updated or not after the submit? Or is it worth reloading the old
values from the table to check against the newly submitted form? Or is
all that overhead not worth the time because an update that overwrites
existing values with the same values is not that onerous?
(Is that question clear enough?)
I use database table to object mapping classes. The base class sets
a dirty bit if a field actually changes. If an attempt is made to
save the data and no dirty bits are set, then the save method
returns true for a successful save, but no commit to database is
made since nothing has changed. In this way I never think about the
problem beyond the original implementation of the base class.
Ok, but how do you detect if a field changes? The specific
implementation between application and data storage is probably moot
until you figure that part out.
--- End Message ---
--- Begin Message ---
On Sun, 2010-09-12 at 16:12 -0500, Tamara Temple wrote:
> On Sep 12, 2010, at 3:34 PM, Robert Cummings wrote:
>
> > On 10-09-11 12:52 PM, Tamara Temple wrote:
> >> I have a general question and am looking for best practices.
> >>
> >> Suppose I present a user with a form for editing an entry in a table,
> >> i.e., the form has filled in values from the existing table entry.
> >>
> >> Now, suppose they click on 'submit' without making any changes in the
> >> form. (Perhaps, say, rather than clicking 'Cancel' or 'Return to Main'
> >> or some other option which would get them out of that screen without
> >> submitting the form).
> >>
> >> Is it worth the overhead of passing along the previous values in the
> >> table in hidden fields so that fields can be checked to see if they've
> >> been updated or not after the submit? Or is it worth reloading the old
> >> values from the table to check against the newly submitted form? Or is
> >> all that overhead not worth the time because an update that overwrites
> >> existing values with the same values is not that onerous?
> >>
> >> (Is that question clear enough?)
> >
> > I use database table to object mapping classes. The base class sets
> > a dirty bit if a field actually changes. If an attempt is made to
> > save the data and no dirty bits are set, then the save method
> > returns true for a successful save, but no commit to database is
> > made since nothing has changed. In this way I never think about the
> > problem beyond the original implementation of the base class.
>
> Ok, but how do you detect if a field changes? The specific
> implementation between application and data storage is probably moot
> until you figure that part out.
>
If you're worried about how much data needs to be sent back and forth,
then compare the data sent to what exists already on the server side,
and don't send the previous values. To be honest, you can't rely on what
the client says anyway, so you really ought to do the checking
server-side before issuing an update.
Having said that, if you're not too worried about traffic, then sending
the previous values would allow you to give visual indicators to the
user with client-side techniques (javascript, etc) which could be nice
for the user.
Thanks,
Ash
http://www.ashleysheridan.co.uk
--- End Message ---
--- Begin Message ---
On Sun, Sep 12, 2010 at 2:12 PM, Tamara Temple <[email protected]> wrote:
> Ok, but how do you detect if a field changes? The specific implementation
> between application and data storage is probably moot until you figure that
> part out.
+1
without talking to the server, or accessing it in the DOM somewhere,
the client has no access to the data. is it done via ajax/javascript?
some action onchange/onkeypress/etc. and check it against a variable
that was set on pageload?
--- End Message ---
--- Begin Message ---
On 10-09-12 05:19 PM, Michael Shadle wrote:
On Sun, Sep 12, 2010 at 2:12 PM, Tamara Temple<[email protected]> wrote:
Ok, but how do you detect if a field changes? The specific implementation
between application and data storage is probably moot until you figure that
part out.
+1
without talking to the server, or accessing it in the DOM somewhere,
the client has no access to the data. is it done via ajax/javascript?
some action onchange/onkeypress/etc. and check it against a variable
that was set on pageload?
Sorry, I thought this was about committing to the database versus
sending back to the web server. I must have misread the original
requirement. If trying to trap before submitting the form to the
webserver then JavaScript is necessary. You can't do this on upload
fields though.
Cheers,
Rob.
--
E-Mail Disclaimer: Information contained in this message and any
attached documents is considered confidential and legally protected.
This message is intended solely for the addressee(s). Disclosure,
copying, and distribution are prohibited unless authorized.
--- End Message ---
--- Begin Message ---
On Sep 12, 2010, at 4:28 PM, Robert Cummings wrote:
On 10-09-12 05:19 PM, Michael Shadle wrote:
On Sun, Sep 12, 2010 at 2:12 PM, Tamara Temple<[email protected]> wrote:
Ok, but how do you detect if a field changes? The specific implementation
between application and data storage is probably moot until you figure that
part out.
+1
without talking to the server, or accessing it in the DOM somewhere,
the client has no access to the data. is it done via ajax/javascript?
some action onchange/onkeypress/etc. and check it against a variable
that was set on pageload?
Sorry, I thought this was about committing to the database versus
sending back to the web server. I must have misread the original
requirement. If trying to trap before submitting the form to the
webserver then JavaScript is necessary. You can't do this on upload
fields though.
Actually, even the client-side aspect isn't good enough -- they could
simply retype the same value in the field. Also, I'd like to not rely
on JavaScript alone to indicate that there's been a change, since, as
Ashley points out, someone could simply send up a form without
bothering with JavaScript. I'm talking about checking whether the
field has changed on the server-side of things, specifically.
So far, it seems the contenders are:
1) just update the record if there's not a big load on the server
2) use a checksum before populating the form for display and after
receiving the post from the client, storing the initial checksum in a
session variable
3) compare the submitted values against the values in the data base,
since you can't trust what is coming from the client, although this
does put an additional load on the server which might not be good if
there's already a big load on the server
--- End Message ---
--- Begin Message ---
On Sun, Sep 12, 2010 at 3:04 PM, Tamara Temple <[email protected]> wrote:
> Actually, even the client-side aspect isn't good enough -- they could simply
> retype the same value in the field. Also, I'd like to not rely on JavaScript
> alone to indicate that there's been a change, since, as Ashley points out,
> someone could simply send up a form without bothering with JavaScript. I'm
> talking about checking whether the field has changed on the server-side of
> things, specifically.
Correct, javascript is simply useful for a nice user experience.
Always enforce on the server side, period.
--- End Message ---
--- Begin Message ---
On Sun, 2010-09-12 at 17:04 -0500, Tamara Temple wrote:
> On Sep 12, 2010, at 4:28 PM, Robert Cummings wrote:
>
> > On 10-09-12 05:19 PM, Michael Shadle wrote:
> >> On Sun, Sep 12, 2010 at 2:12 PM, Tamara Temple<[email protected]> wrote:
> >>> Ok, but how do you detect if a field changes? The specific implementation
> >>> between application and data storage is probably moot until you figure that
> >>> part out.
> >>
> >> +1
> >>
> >> without talking to the server, or accessing it in the DOM somewhere,
> >> the client has no access to the data. is it done via ajax/javascript?
> >> some action onchange/onkeypress/etc. and check it against a variable
> >> that was set on pageload?
> >
> > Sorry, I thought this was about committing to the database versus
> > sending back to the web server. I must have misread the original
> > requirement. If trying to trap before submitting the form to the
> > webserver then JavaScript is necessary. You can't do this on upload
> > fields though.
>
> Actually, even the client-side aspect isn't good enough -- they could
> simply retype the same value in the field. Also, I'd like to not rely
> on JavaScript alone to indicate that there's been a change, since, as
> Ashley points out, someone could simply send up a form without
> bothering with JavaScript. I'm talking about checking whether the
> field has changed on the server-side of things, specifically.
>
> So far, it seems the contenders are:
>
> 1) just update the record if there's not a big load on the server
> 2) use a checksum before populating the form for display and after
> receiving the post from the client, storing the initial checksum in a
> session variable
> 3) compare the submitted values against the values in the data base,
> since you can't trust what is coming from the client, although this
> does put an additional load on the server which might not be good if
> there's already a big load on the server
>
>
>
>
I didn't quite mean it like that. What I was saying is that a client-side
technology could be used for showing things to the user purely for
nice-ness, and the server deals with determining what has changed. As I
see it, the form should be sent with the existing values once only, and
then when submitted, the server can grab the stored data from wherever
it was stored (db, file, etc) and then determine what changed.
It may be of interest to everyone that phpMyAdmin sends the form data
twice, once in the edit fields and once in a hidden field, and uses the
hidden field to determine if a change has been made, without checking
the actual data stored on the server.
Thanks,
Ash
http://www.ashleysheridan.co.uk
--- End Message ---
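Tamara's options 2 and 3, and the phpMyAdmin hidden-field approach Ash mentions, can all be implemented from one canonical hash of the editable columns. The block below is an added example, not code posted by anyone in this thread or taken from phpMyAdmin. It hashes the values the user was shown, keeps that hash either in the session (option 2) or in a hidden field that is HMAC-signed so the browser cannot alter it, and falls back to a diff against the live row (option 3) when only the changed columns should be written. The column list, the session layout and the HMAC secret are assumptions.

```php
<?php
// Added example, not code from the thread. Server-side "did anything change?"
// check that does not trust the browser. Column list, session layout and
// the HMAC secret are assumptions for illustration.

const EDITABLE = ['name', 'email', 'phone'];   // assumed editable columns

// Canonical form of a row: same trimming for DB and POSTed values, fixed
// column order, so equal content always hashes equal.
function canonical(array $row): string
{
    $out = [];
    foreach (EDITABLE as $col) {
        $out[$col] = trim((string) ($row[$col] ?? ''));
    }
    return json_encode($out, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
}

function snapshotHash(array $row): string
{
    return hash('sha256', canonical($row));
}

// Option 2 from the thread: keep the hash server-side, keyed by record id,
// while the edit form is being rendered.
function rememberSnapshot(int $id, array $dbRow): void
{
    $_SESSION['edit_snapshot'][$id] = snapshotHash($dbRow);
}

// phpMyAdmin-style hidden field, but signed so the client cannot alter it.
function signedSnapshotField(array $dbRow, string $secret): string
{
    $h   = snapshotHash($dbRow);
    $sig = hash_hmac('sha256', $h, $secret);
    return '<input type="hidden" name="snapshot" value="'
         . htmlspecialchars($h . '.' . $sig, ENT_QUOTES) . '">';
}

// Returns the hash if the signature checks out, null otherwise.
function verifySignedSnapshot(string $field, string $secret): ?string
{
    $parts = explode('.', $field, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$h, $sig] = $parts;
    return hash_equals(hash_hmac('sha256', $h, $secret), $sig) ? $h : null;
}

// True when the POSTed values differ from what the user was shown.
function formChanged(array $post, string $originalHash): bool
{
    return !hash_equals($originalHash, snapshotHash($post));
}

// Option 3 from the thread: diff against the live row (one SELECT by primary
// key) and return only the columns that actually need an UPDATE.
function changedColumns(array $post, array $dbRow): array
{
    $changed = [];
    foreach (EDITABLE as $col) {
        $new = trim((string) ($post[$col] ?? ''));
        if ($new !== trim((string) ($dbRow[$col] ?? ''))) {
            $changed[$col] = $new;
        }
    }
    return $changed;
}

// Handler sketch (assumed request flow):
// $h = $_SESSION['edit_snapshot'][$id] ?? '';
//   // or: verifySignedSnapshot($_POST['snapshot'] ?? '', $secret) ?? ''
// if (!formChanged($_POST, $h)) { /* nothing to save; redirect back */ }
// else { $cols = changedColumns($_POST, $dbRow); /* build UPDATE from $cols */ }
```

An unsigned hidden copy of the old values is client-controlled data: the worst a user can do with it is skip or force an UPDATE of their own record, but it should never be the only thing that decides what gets written. The session hash costs nothing per request; the live-row diff costs one primary-key SELECT and also tells you which columns to put in the UPDATE, which is what you want on a write-heavy table.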
--- Begin Message ---
On Sun, Sep 12, 2010 at 02:07:12PM -0400, tedd wrote:
> At 1:47 PM -0400 9/12/10, Jason Pruim wrote:
> >>On Sep 12, 2010, at 1:33 PM, tedd wrote:
> >>So, can I do what I do (i.e., programming) without having a host?
> >>Can I install a local server at my clients location and interface
> >>all their computers to use the server without them ever being
> >>connected to the Internet?
> >
> >I may not know all the possibilities but the only way I can think of
> >to accomplish that would be to have a server setup in their office
> >with a bank of modems and have everyone call into the server.
> >Basically like an old school internet provider.
> >
> >If the main server can be secured to your clients liking there are
> >ways that it can be on the net and still as safe as possible... But
> >obviously not as safe as hard lines being dialed in...
> >
> >You'ld also have to take into account possibly long distance charges
> >if everyone wasn't local...
>
> Forget modems or other such outside access -- everything would be
> done internally with computers and users being physically located
> within the office's physical location.
>
> So, could a server be set up in an office that would run
> web-languages such that users in the office could access their server
> and run scripts using browsers?
I just think I couldn't possibly be fully understanding what you're
asking. But in case I *do* understand it, it would be like this:
Set up a switch in the server room and connect everyone to it. Connect
the switch to the internal webserver. Give the webserver an internal
(non-routable) IP and hostname. Anyone can access it via
http://internal_hostname/my_script.php
No one outside the LAN can access it, something you can enforce with
Apache or with iptables (Linux).
I have one of these set up in my house/office.
Hope this helps.
Paul
--
Paul M. Foster
--- End Message ---
--- Begin Message ---
On 12/09/10 18:33, tedd wrote:
At 5:57 PM +0100 9/12/10, Ashley Sheridan wrote:
On Sun, 2010-09-12 at 12:55 -0400, tedd wrote:
Can a business have a server connected to the Internet but limit
access to just their employees? I don't mean a password protected
scheme, but rather the server being totally closed to the outside
world other than to their internal employees? Or is this something
that can only be provided by a LAN with no Internet connection?
Not entirely sure what you're asking, but could you maybe achieve
something like this with a WAN using a VPN?
Thanks,
Ash
Ash:
I'm sure this is an obvious question for many on this list, but I'm not
above showing my ignorance.
I guess what I am asking -- if a client wanted an application written
(in web languages) so that their employees could link all their
different computers together and share/use information using browsers,
is that possible using a server that is not connected to the Internet?
Look, I know that I can solve my clients problems by finding a host and
writing scripts to do what they want -- that's not a problem. But
everything I do is open to the world. Sure I can provide some level of
security, but nothing like the security that can be provided behind
closed and locked doors.
So, can I do what I do (i.e., programming) without having a host? Can I
install a local server at my clients location and interface all their
computers to use the server without them ever being connected to the
Internet?
Maybe I should ask my grandson. :-)
Cheers,
tedd
If the network is set up (as most business and home networks are these days) to
use Network Address Translation (NAT) at the connection point to the world, then
you should be able to achieve this.
NAT is where you have an internal network using private addresses (often in the
192.168.xxx.xxx range) but all outgoing traffic appears on the internet to come
from one public address.
So you configure your web server to accept requests from only the internal
addresses. With Apache you could do this on a per-directory basis, even, so the
web server could have public content (visible to all client addresses) and then
have private content in subdirectories which only accept clients on the internal
network addresses.
There is a possible loophole due to IP address spoofing, but I suspect that your
gateway device (firewall, ADSL or cable router that connects you to the world)
will block that sort of client.
--
Peter Ford, Developer phone: 01580 893333 fax: 01580 893399
Justcroft International Ltd. www.justcroft.com
Justcroft House, High Street, Staplehurst, Kent TN12 0AH United Kingdom
Registered in England and Wales: 2297906
Registered office: Stag Gates House, 63/64 The Avenue, Southampton SO17 1XS
--- End Message ---
--- Begin Message ---
On Sun, Sep 12, 2010 at 18:55, tedd <[email protected]> wrote:
> A question, to clarify my fuzzy thinking about such things:
>
> Can a business have a server connected to the Internet but limit access to
> just their employees? I don't mean a password protected scheme, but rather
> the server being totally closed to the outside world other than to their
> internal employees? Or is this something that can only be provided by a LAN
> with no Internet connection?
>
Filter on IP address. Not foolproof, but mostly there.
--
Dotan Cohen
http://gibberish.co.il
http://what-is-what.com
--- End Message ---
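Peter's per-directory Apache restriction and Dotan's "filter on IP address" are both network-layer controls, and that is where the primary rule belongs (in Apache 2.4, `Require ip 192.168.10.0/24` on the directory; in the 2.2 syntax current when this thread was written, `Order deny,allow` / `Deny from all` / `Allow from 192.168.10.0/24`). The block below is an added example, not from anyone in the thread, of the same check done inside the PHP application as defence in depth, so that a misconfigured vhost or a second listener does not silently expose the scripts. The allowed ranges are assumptions.

```php
<?php
// Added example (not from the thread): in-application check that the request
// came from the office LAN, behind the firewall/Apache rule. Ranges assumed.

const ALLOWED_RANGES = ['192.168.10.0/24', '10.0.0.0/8', '127.0.0.1/32'];

// CIDR match that works for IPv4 and IPv6 and refuses malformed input.
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;                       // malformed, or IPv4 vs IPv6 mismatch
    }
    $bits = $bits === null ? strlen($ipBin) * 8 : (int) $bits;
    if ($bits < 0 || $bits > strlen($ipBin) * 8) {
        return false;                       // prefix length out of range
    }
    $full = intdiv($bits, 8);
    $rem  = $bits % 8;
    if (substr($ipBin, 0, $full) !== substr($netBin, 0, $full)) {
        return false;
    }
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$full]) & $mask) === (ord($netBin[$full]) & $mask);
}

function requestIsInternal(array $server): bool
{
    // Use the TCP peer address only. X-Forwarded-For and friends are set by
    // the client and must be ignored unless a trusted reverse proxy in front
    // of PHP is known to overwrite them.
    $ip = $server['REMOTE_ADDR'] ?? '';
    foreach (ALLOWED_RANGES as $range) {
        if (ipInCidr($ip, $range)) {
            return true;
        }
    }
    return false;
}

if (!requestIsInternal($_SERVER)) {
    http_response_code(403);
    exit('Internal use only.');
}
```

On the spoofing loophole Peter raises: an HTTP request needs a completed TCP handshake, so a remote attacker cannot usefully forge an internal source address for it; the gateway should still drop inbound packets that claim an internal source, since that is what makes the "internal only" assumption hold for everything else on the LAN.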
--- Begin Message ---
On Sat, Sep 11, 2010 at 06:37:41PM -0500, MikeB wrote:
> Hello, I'm new to PHP and also new to using newsgroups/mailing lists
> directly. So if I make a mistake, please forgive me this once and I'll
> try to do better in the future.
>
> Please help me understand, my head is absolutely spinning and I can't
> get my mind around this.
>
> In the php.net site there is an example on uploading a file via a
> form. http://www.php.net/manual/en/features.file-upload.post-method.php
>
> This is the sample code for the form:
>
> <form enctype="multipart/form-data" action="__URL__" method="POST">
> <!-- MAX_FILE_SIZE must precede the file input field -->
> <input type="hidden" name="MAX_FILE_SIZE" value="30000" />
> <!-- Name of input element determines name in $_FILES array -->
> Send this file: <input name="userfile" type="file" />
> <input type="submit" value="Send File" />
> </form>
>
> Is MAX_FILE_SIZE passed to PHP as $MAX_FILE_SIZE?
No. It's passed as: $_POST['MAX_FILE_SIZE'], as are all variables in a
form which uses "post" as its method attribute.
>
> Assuming I want to make it a variable in my PHP code, can I do this:
>
> <?php
>
> $MAX_FILE_SIZE = 30000;
>
> echo <<<_END
> <form enctype="multipart/form-data" action="__URL__" method="POST">
> <!-- MAX_FILE_SIZE must precede the file input field -->
> <input type="hidden" name="MAX_FILE_SIZE" />
> <!-- Name of input element determines name in \$_FILES array -->
> Send this file: <input name="userfile" type="file" />
> <input type="submit" value="Send File" />
> </form>
> _END;
> ?>
>
> In other words, simply omitting the "value" clause in the form field?
No. Better is this:
<?php
$max_file_size = 30000;
echo <<<_END
<form enctype="multipart/form-data" action="__URL__" method="POST">
<!-- MAX_FILE_SIZE must precede the file input field -->
<input type="hidden" name="MAX_FILE_SIZE" value="$max_file_size" />
<!-- Name of input element determines name in \$_FILES array -->
Send this file: <input name="userfile" type="file" />
<input type="submit" value="Send File" />
</form>
_END;
Remember that the HTML data/values you're sending are sent back
when the form returns to the server for processing. So the
information must be contained in POST/GET variables, just the way I did
it above. (There are other ways to do the syntax, but the meaning is the
same.)
>
> And can I make that value a global constant somehow so that I can
> later also test the actual size of the uploaded file in another
> function?
>
> Or do I have to do this:
>
> <?php
>
> $MAX_UPLOAD_SIZE = 30000;
>
> echo <<<_END
> <form enctype="multipart/form-data" action="__URL__" method="POST">
> <!-- MAX_FILE_SIZE must precede the file input field -->
> <input type="hidden" name="MAX_FILE_SIZE"
> value="$MAX_UPLOAD_SIZE"/>
> <!-- Name of input element determines name in \$_FILES array -->
> Send this file: <input name="userfile" type="file" />
> <input type="submit" value="Send File" />
> </form>
> _END;
> ?>
You can make it a global constant if you want, but remember that,
because of the HTTP protocol, the server doesn't know anything about
what you've declared "global" until it processes the form on its return.
And then the only thing it knows is what you've put in the values of
your HTML fields. The exception is $_SESSION variables, which can store
values *across* calls to a page.
>
> I'm also concerned that in the first instance, a malicious user can
> modify the value and I will be hosed. Am I correct?
Yes, a malicious user can do this. They can stand off somewhere and
submit a copy of your form with different values. Then they can upload a
file of larger size. However, if you keep that 30000 value somewhere,
you can refuse to "process" files which exceed that size. When I say
"process", I mean store the file in a more permanent place and actually
*do* something with it. Uploading files puts them in a temporary
location controlled by the server and inaccessible to you using "normal"
methods. You probably know you have to go through a couple of extra
steps to get to that file someone uploaded. You can't just say, "Give me
the file at /tmp/phpuploads/uploadedfile.txt."
Paul
--
Paul M. Foster
--- End Message ---
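Paul's point that a malicious user can resubmit the form with a different MAX_FILE_SIZE, and that the real check has to happen before you "process" the file, is the whole security story for uploads. The following is an added example, not code from this thread or from the php.net manual page MikeB cites, of the server-side checks that make the browser-supplied value irrelevant: PHP's own error code, `is_uploaded_file()`, the size measured on disk against a server-side constant, the type read from the bytes rather than from the client, and a server-chosen destination name. The limit, the upload directory and the allowed types are assumptions.

```php
<?php
// Added example (not from the thread): server-side upload validation that
// ignores everything the client said about the file. Limit, directory and
// allowed types are assumptions.

const MAX_UPLOAD_BYTES = 30000;
const UPLOAD_DIR       = '/var/lib/app/uploads';   // outside the web root (assumed)
const ALLOWED_MIME     = [
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
    'application/pdf' => 'pdf',
];

/**
 * Validates one entry of $_FILES and returns the stored path, or throws.
 * The client's filename, Content-Type and MAX_FILE_SIZE are never trusted.
 */
function acceptUpload(array $file): string
{
    // 1. PHP's verdict first. UPLOAD_ERR_FORM_SIZE is the only place the
    //    hidden MAX_FILE_SIZE field matters, and a forged form simply omits it.
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . $err);
    }

    // 2. The temp path must be one PHP created for *this* request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // 3. Size as measured on disk, against the server-side constant.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('size ' . var_export($size, true)
            . ' outside 1..' . MAX_UPLOAD_BYTES);
    }

    // 4. Type from the bytes, not from $file['type'] (client-supplied).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_MIME[$mime])) {
        throw new RuntimeException('type not allowed');
    }

    // 5. Server-chosen name: the original filename never reaches the filesystem.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_MIME[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0640);
    return $dest;
}

// Handler (assumed):
// try {
//     $stored = acceptUpload($_FILES['userfile'] ?? []);
// } catch (RuntimeException $e) {
//     http_response_code(400);
//     exit('Upload rejected.');
// }
```

Two php.ini settings sit above all of this and are the ceilings that actually bound resource use: `upload_max_filesize` and `post_max_size`. Set them close to MAX_UPLOAD_BYTES so an oversized body is rejected by PHP before the script runs; the hidden form field then only serves to give honest users an earlier error.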
--- Begin Message ---
Hi
Try BPEL. You can look at Intalio which supports BPEL and has a
community edition. You can download and try out a few examples.
I guess the big players like IBM, Oracle, etc. should have some BPEL-based
tools.
Best regards
Sridhar
-------- Original Message --------
Subject: workflow system design
From: [email protected] (gato chlr)
To:
Date: Tue Sep 07 2010 01:17:01 GMT+0530 (IST)
Hi, i know it is not the right place, but, does anybody know a workflow
system development process? or methodology?
thanks!
--- End Message ---