php-general Digest 24 Sep 2012 07:46:10 -0000 Issue 7977

Topics (messages 319208 through 319218):

Re: Day after Friday
        319208 by: tamouse mailing lists
        319209 by: Samuel Lopes Grigolato
        319215 by: Paul M Foster

Images can execute php script?
        319210 by: admin
        319211 by: Bastien
        319212 by: shiplu
        319213 by: admin
        319214 by: Maciek Sokolewicz

Array & unset()
        319216 by: Ron Piggott
        319217 by: Ken Robinson
        319218 by: Ashley Sheridan

Administrivia:

To subscribe to the digest, e-mail:
        php-general-digest-subscr...@lists.php.net

To unsubscribe from the digest, e-mail:
        php-general-digest-unsubscr...@lists.php.net

To post to the list, e-mail:
        php-gene...@lists.php.net


----------------------------------------------------------------------
--- Begin Message ---
On Sun, Sep 23, 2012 at 8:33 AM, Tedd Sperling <t...@sperling.com> wrote:
> On Sep 22, 2012, at 3:59 PM, Paul M Foster <pa...@quillandmouse.com> wrote:
>> On Sat, Sep 22, 2012 at 01:05:51PM -0400, Tedd Sperling wrote:
>>
>>> Hi gang:
>>>
>>> I know it's the Day after Friday, but I'm asking an off-topic question 
>>> anyway -- sorry.
>>>
>>> Normally, I teach a PHP class at the local college, but it got canceled 
>>> (don't ask why) -- now I'm teaching Java.
>>>
>>> So, can anyone recommend a Java list that is similar to this list?
>>
>> Off off topic...
>>
>> Who the hell cancels a PHP class? Do they not realize damn near the
>> whole internet runs on PHP? Wordpress, Drupal, Joomla, Facebook ad
>> nauseum, not to mention Symfony, CakePHP, Code Igniter, etc.
>> Administrators! Ach!
>>
>> Paul
>
> Paul:
>
> The class was canceled by administration and they have absolutely no 
> conception of the technology and scope that PHP brings to the table. In fact, 
> they were so opposed to PHP that when I first started teaching there they had 
> PHP removed from their servers because of security concerns. So, for me to 
> teach PHP, they were forced to install PHP/MySQL.
>
> Now that you asked, here's the story about my PHP class.
>
> The college moved the entire CIT (Computer Information Technology) department 
> five miles from the downtown campus, where it has always been, to the new 
> West campus. It's a nice campus, but no Macs -- admin said Mac don't meet 
> their ROI requirement, but that's another story.
>
> Of course, most students don't have transportation and there is no 
> established public transportation from main campus to west campus -- that's 
> not good.
>
> Knowing that the students were going to have problems with transportation and 
> that would result in a reduction in class sizes, the administration agreed to 
> allow "smaller than normal" classes for the Fall semester. Furthermore, the 
> administration agreed to allow registration to be for a longer period than 
> normal, namely from a couple of weeks before the semester started to a week 
> after the semester started.
>
> Everything sounds ok, right?
>
> My PHP class had six students register two weeks before the class started. I 
> expected, as is custom, to pick up a couple of students after the semester 
> started thus exceeding the minimum number of students required. Furthermore, I 
> agreed to teach the class at a reduced rate if there wasn't a sufficient 
> number of students attending. BTW, administration had not made a 
> determination as to exactly what the minimum class-size should be -- keep in 
> mind, they only had two years to decide and these things take time.
>
> So what happened?
>
> Well we (the teachers) have a new contract and in that contract is a 
> provision that allows for a reduced class size IF the teacher agrees to teach 
> it at a reduced rate -- which I agreed to do. However, administration became 
> confused as to how to pay a full time teacher IF they taught an undersized 
> class. So, their solution was to cancel ALL under sized classes before the 
> semester started. That way there would be no confusion as to what to pay.
>
> Now, in my case I am the only teacher who teaches PHP, so there would be no 
> full time teacher that might teach it. I am also an adjunct (part time) 
> teacher and as such there is no confusion as to my pay. I am simply paid 
> hourly and a reduced class size would result in my rate being reduced. So, 
> there was absolutely no reason what-so-ever for my class to be cancelled. 
> Leaps and bounds of illogic.
>
> This is just another example of how administration makes decisions. It would 
> be nice if administration decisions were made with respect to "what is best 
> for the student" as compared to this type of nonsense.
>
> Cheers,
>
> tedd
>
> _____________________
> t...@sperling.com
> http://sperling.com


Oh, Administrators!! The bane of teachers everywhere. The anti-teacher.

Maybe you could slip a little PHP in on the Java kids... :)

Unfortunately, I have no Java list resources...

--- End Message ---
--- Begin Message ---
Independent of programming language, good teaching skills will lead to 
self-taught developers with a bunch of best practices under the hood. I hope 
you are such a good teacher =). We need not PHP or Java developers; we need 
good and creative designers who can adapt to new tools.

One language is only a path among others with the same goal: software with 
quality. Remember Brooks (1986, yes, that old!): the real problem (the essence of 
software engineering) is capturing business requirements as specifications, 
not translating specifications to software.

The point is, you, as a teacher, have a wider responsibility: you need to find 
and incentivize creative talents, not just teach one or another native function.

Cheers.
Samuel.

-----Original Message-----
From: tamouse mailing lists [mailto:tamouse.li...@gmail.com] 
Sent: Sunday, September 23, 2012 10:55
To: php-gene...@lists.php.net
Subject: Re: [PHP] Day after Friday

--- End Message ---
--- Begin Message ---
On Sun, Sep 23, 2012 at 09:33:33AM -0400, Tedd Sperling wrote:

> On Sep 22, 2012, at 3:59 PM, Paul M Foster <pa...@quillandmouse.com>
> wrote:
> > On Sat, Sep 22, 2012 at 01:05:51PM -0400, Tedd Sperling wrote:
> > 
> >> Hi gang:
> >> 
> >> I know it's the Day after Friday, but I'm asking an off-topic
> >> question anyway -- sorry.
> >> 
> >> Normally, I teach a PHP class at the local college, but it got
> >> canceled (don't ask why) -- now I'm teaching Java.
> >> 
> >> So, can anyone recommend a Java list that is similar to this list?
> > 
> > Off off topic...
> > 
> > Who the hell cancels a PHP class? Do they not realize damn near the
> > whole internet runs on PHP? Wordpress, Drupal, Joomla, Facebook ad
> > nauseum, not to mention Symfony, CakePHP, Code Igniter, etc.
> > Administrators! Ach!
> > 
> > Paul
>

[snip]

> 
> This is just another example of how administration makes decisions. It
> would be nice if administration decisions were made with respect to
> "what is best for the student" as compared to this type of nonsense.

You know, I never had much respect for academia (no offense, Tedd;
that's not aimed at you), and this just confirms my contempt.
Administrators tend to completely lack common sense. And professors tend
to be arrogant and suffer from a lack of understanding of the real world
and real people. Add to this the skyrocketing cost of higher education.
Particularly when many of the things learned in school are either
unnecessary or could be learned just as well by the diligent student
through books and research on the internet. (Incidentally, when I was a
kid, my best friend's father was a university professor. Brilliant
economist who hated tenure.)

And from what I've seen, even at the primary level, decisions are rarely
made on the basis of "what is best for the student". We're dealing with
this currently with my granddaughter (11 years old). The only saving
grace of the whole system appears to be individual teachers who manage
to look past all the crap and hold the line for students. 

What a pity.

Paul

-- 
Paul M. Foster
http://noferblatz.com
http://quillandmouse.com

--- End Message ---
--- Begin Message ---
Today I saw a hack into PHP that has rocked me to my foundation.
I saw a picture uploaded onto a server using PHP, and when PHP displayed the
image, phpinfo() was executed and displayed.

Does this problem exist in PHP 5.2.17 +?
How do you stop it?

Sorry, I have never known of this before today.


--- End Message ---
--- Begin Message ---

Bastien Koert

On 2012-09-23, at 11:57 AM, "admin" <ad...@buskirkgraphics.com> wrote:


JPGs can hold data other than image data.

One thing to try is to run strip_tags($image) to remove any PHP code.

http://stackoverflow.com/questions/3499173/my-php-site-was-hacked-by-codes-uploaded-as-image

http://josephkeeler.com/2009/04/php-upload-security-the-1x1-jpeg-hack/

Bastien

--- End Message ---
--- Begin Message ---
On Sun, Sep 23, 2012 at 9:57 PM, admin <ad...@buskirkgraphics.com> wrote:

How is PHP displaying the image? If it includes it, then it's certainly possible.




-- 
Shiplu.Mokadd.im
ImgSign.com | A dynamic signature machine
Innovation distinguishes between follower and leader

--- End Message ---
--- Begin Message ---
> Jpgs can hold other data rather than image data
> One thing to try is to run strip_tags($image) to remove any php code
>
> http://stackoverflow.com/questions/3499173/my-php-site-was-hacked-by-codes-uploaded-as-image
> http://josephkeeler.com/2009/04/php-upload-security-the-1x1-jpeg-hack/
> 
> Bastien



I understand the principle behind
include('pages/' . $_GET['page'] . '.php');
http://www.mysite.com/index.php?page=../upload/image.jpg?cmd=somecode%00

Which I find ridiculous if anyone did that.
I am not sure how he was calling the image, to be sure. I watched him upload
the image and then do what looked like a normal echo UPLOADED_IMAGES.$_FILE["name"];
You saw phpinfo() called, but it was not in the script; rather, it was in the image.

He opened the test.jpg in a text editor and sure enough there was <?php
phpinfo(); ?> in the code of the jpeg.

This bothers me because I am not sure what all he did. He was proving PHP is
not a safe language in front of a rather large group of people in the
meeting.
I could only look on in disbelief that it just happened in front of me.

Everything inside of me wants to say he was doing something outside of what
I consider normal circumstances.
My question is this:
If someone uploads an image through a form or whatever and they have embedded
code in it, can that code inside the image be executed by viewing the file?

$image = 'uploaded.jpg';
echo "<IMG SRC='".$image."'>";

Read this:
http://php.webtutor.pl/en/2011/05/13/php-code-injection-a-simple-virus-written-in-php-and-carried-in-a-jpeg-image/
That was written a couple of months ago.



--- End Message ---
--- Begin Message ---
On 23-09-2012 21:30, admin wrote:
> My question is this:
> If someone uploads an image through a form or whatever and they have embedded
> code in it, can that code inside the image be executed by viewing the file?


The answer to this is both yes and no. It all depends on:
a) what you do with the file
b) how your webserver is set up / configured

PHP scripts are executed using the PHP interpreter. This means, that for a PHP script to be executed, the server needs to:
1. assume the requested file is a PHP script
2. run the PHP interpreter, and provide it the requested file
3. return the output from the PHP interpreter

Most sane servers, when they get a request for a .jpg file, do not assume it's a PHP script, and simply return the raw image, which might include PHP script, but which will never be run by any sane person.

Some servers however, are configured to run everything through the PHP interpreter, before returning its output. In this case: yes, bad stuff will happen.

Alternatively, it's possible to run code in files from within other files. An example of this was given above, where you showed that including a file containing PHP code will execute that code. Regardless of what the file is exactly.

In practice I must admit I have very rarely seen this exploit in action, since most proper servers and scripts are configured / coded by sane enough people for this not to be possible. Unfortunately, if you come across a novice coder, (s)he might use the include 'someImage.jpg' technique to return images, instead of echo file_get_contents('someImage.jpg'), which under these circumstances is a much safer way of doing the same thing.

- Tul

--- End Message ---
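Tul's answer turns on whether the server parses the upload or merely copies its bytes. The following is an added example, not code from any poster: it puts the include pattern he warns against beside a byte-copying handler, an upload-time re-encode, and an audit check for stray open tags. UPLOAD_DIR, the function names, and the availability of ext/fileinfo and GD are assumptions; the syntax is PHP 7+.

```php
<?php
// Added example, not code from the thread. Assumes uploads are stored
// under UPLOAD_DIR (hypothetical) and that ext/fileinfo and GD are loaded.
define('UPLOAD_DIR', __DIR__ . '/uploads');

// UNSAFE (the pattern Tul describes): include() hands the file to the PHP
// interpreter, so a "<?php ... ?>" block hidden in the JPEG's comment or
// EXIF segment, or appended after the image data, is executed.
function serve_image_unsafe(string $name): void
{
    header('Content-Type: image/jpeg');
    include UPLOAD_DIR . '/' . $name;
}

// SAFE: treat the upload as opaque bytes. readfile() copies them to the
// response without parsing them, so any embedded PHP stays inert.
function serve_image_safe(string $name): void
{
    // basename() strips directory components, so "../" cannot escape the dir.
    $path = UPLOAD_DIR . '/' . basename($name);
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    // Decide the type from the bytes, never from the user-supplied extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if (!in_array($mime, ['image/jpeg', 'image/png', 'image/gif'], true)) {
        http_response_code(415);
        return;
    }
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff'); // stop browsers sniffing it as HTML
    readfile($path);
}

// Mitigation at upload time: re-encode through GD. Only pixel data survives
// the decode/encode round trip, so comment/EXIF segments and trailing bytes
// (the usual hiding places) are not carried into the stored copy.
function store_jpeg_reencoded(string $tmpPath, string $destPath): bool
{
    $img = @imagecreatefromjpeg($tmpPath);   // false unless it decodes as JPEG
    if ($img === false) {
        return false;
    }
    $ok = imagejpeg($img, $destPath, 90);
    imagedestroy($img);
    return $ok;
}

// Audit helper for an existing upload directory: does a file contain a PHP
// open tag ("<?php", "<?=" or short "<? ") anywhere in its bytes? A hit
// means "inspect this file", not proof of a working exploit.
function contains_php_tag(string $path): bool
{
    $data = file_get_contents($path);
    return $data !== false && preg_match('/<\?(php\b|=|\s)/i', $data) === 1;
}
```

The audit helper is the quick way to check what Tul calls "most proper servers": even where the server never interprets .jpg files, a file that trips it should be traced back to the upload path that accepted it.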
--- Begin Message ---
I am wondering if there is a way to remove from an array where the value is 0 
(“zero”)

Array example:

$total_points_awarded = array(  1 => 17, 3 => 14, 4 => 0, 5 => 1, 6 => 0 );

In this example I would like to remove element # 4 and # 6.  

The “key” ( 1,3,4,5,6 ) represents the member’s account #.  It is an 
auto_increment value in a MySQL table.
The “value” ( 17,14,0,1,0 ) represents their score.

The application for this is a list of the top users.  If someone has 0 points I 
don’t want to include them.  

Any thoughts?  Any help is appreciated.  

Ron

Ron Piggott



www.TheVerseOfTheDay.info 

--- End Message ---
--- Begin Message ---
At 08:50 PM 9/23/2012, Ron Piggott wrote:

Look at array_filter()  ... http://php.net/array_filter

<?php
$total_points_awarded = array(  1 => 17, 3 => 14, 4 => 0, 5 => 1, 6 => 0 );
print_r(array_filter($total_points_awarded));


Ken
--- End Message ---
--- Begin Message ---

Ken Robinson <kenrb...@rbnsn.com> wrote:


Wouldn't it be far easier to do this at the database level in the query?

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

--- End Message ---
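Ken's array_filter() without a callback drops every value PHP treats as falsy, which is fine for an integer 0 but silently keeps a score fetched from MySQL as the string "0.00". An added example (not code from the thread) that states the rule explicitly, keeps the account-number keys, and ranks the remaining members; the function name and the table and column names in the SQL comment are assumptions.

```php
<?php
// Added example, not code from the thread. Keys are member account numbers
// and values are scores, as in Ron's array.
$total_points_awarded = array(1 => 17, 3 => 14, 4 => 0, 5 => 1, 6 => 0);

// array_filter() with no callback removes every falsy value (0, "0", null,
// "", false) but keeps the string "0.00", which is truthy in PHP. A callback
// states the rule you actually mean. Keys are preserved either way.
function top_users(array $points, $limit = 10)
{
    $scored = array_filter($points, function ($score) {
        return $score > 0;   // true for 17 or "17"; false for 0, "0" and "0.00"
    });
    arsort($scored);                               // highest first, keys kept
    return array_slice($scored, 0, $limit, true);  // true = preserve keys
}

print_r(top_users($total_points_awarded));

// Doing the same at the database level, as Ashley suggests, means the
// zero-point rows are never fetched at all (table and column names assumed):
//   SELECT account_id, points FROM members
//   WHERE points > 0 ORDER BY points DESC LIMIT 10;
```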
