php-general Digest 22 Mar 2004 13:23:02 -0000 Issue 2661
Topics (messages 181109 through 181135):
Re: Zend Optimiser -- wide spread??
181109 by: Filip de Waard
181118 by: Kim Steinhaug
Re: SQL Injection check (mysql)
181110 by: Chris Shiflett
181111 by: trlists.clayst.com
181112 by: Chris Shiflett
181114 by: Evan Nemerson
181134 by: trlists.clayst.com
Re: Array problem
181113 by: Firman Wandayandi
181122 by: noginn
what is the best idea to make mirror for mysql database
181115 by: QT
181116 by: Burhan Khalid
181135 by: QT
Peculiar number_format() behaviour
181117 by: Paul Hopkins
181119 by: Ford, Mike [LSS]
building CLI version only
181120 by: neko
Re: Decoding a URL without decoding values
181121 by: Ford, Mike [LSS]
Question for PHP.net
181123 by: Florian Hoenl
181125 by: Red Wingate
Fill strings with
181124 by: Merlin
181127 by: Red Wingate
181128 by: Dave G
181129 by: Firman Wandayandi
Re: Scheduling PHP on Windows
181126 by: imran asghar
Client does not support authentication protocol requested
181130 by: Khalid Judeh
String Length ??
181131 by: gordon stewart
181132 by: Filip de Waard
181133 by: gordon stewart
----------------------------------------------------------------------
--- Begin Message ---
On Mar 22, 2004, at 1:16 AM, Justin French wrote:
> Hi all,
> I'm close to releasing my first widely distributed (I hope) PHP
> application, and I wish to protect the source with Zend Encoder.
> Seems easy enough.
> However, this is a low-cost app that was intended to work on basic
> installs of PHP, running on almost any server -- it uses no external
> libraries, and required no special compiles.
> Is Zend Optimiser (required to run encoded PHP files) part of a base
> installation, or at the very least, is it widely spread in use
> (available on most hosts)?
> Seems like there's no point encoding if only half of the servers out
> there can run the scripts. I know optimiser is available on *my*
> host, but that's not enough in this case!
It's not available on every PHP aware webserver, since it's not part of
PHP itself.
You can give your clients two options: a. encoded file (cheaper) and b.
source code (expensive). If you don't want to give them your source you
can always make a reseller arrangement with a specific hosting company
and forward clients whose current provider doesn't support the Zend
Optimizer to that reseller account :-)
Regards,
Filip de Waard
--- End Message ---
--- Begin Message ---
As other people mention here, PHP Zend Optimizer is usually NOT installed
on any systems unless they have encountered a customer who needed it.
We're selling a shopping cart system and *every* host we encountered did
not have it installed.
Another solution comes up, since a lot of the hosting companies for some
reason don't want to install this: IonCube. Purchasing this comes at a much
more affordable price as well. The IonCube loader, however, can be included and
loaded at runtime, meaning you don't have to install anything on the server,
:)
I have yet to meet a server that doesn't support the runtime loader by
default.
You should check it out, www.ioncube.com
--
--
Kim Steinhaug
----------------------------------------------------------------------
There are 10 types of people when it comes to binary numbers:
those who understand them, and those who don't.
----------------------------------------------------------------------
www.steinhaug.com - www.easywebshop.no - www.webkitpro.com
----------------------------------------------------------------------
"Justin French" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Hi all,
>
> I'm close to releasing my first widely distributed (I hope) PHP
> application, and I wish to protect the source with Zend Encoder. Seems
> easy enough.
>
> However, this is a low-cost app that was intended to work on basic
> installs of PHP, running on almost any server -- it uses no external
> libraries, and required no special compiles.
>
> Is Zend Optimiser (required to run encoded PHP files) part of a base
> installation, or at the very least, is it widely spread in use
> (available on most hosts)?
>
> Seems like there's no point encoding if only half of the servers out
> there can run the scripts. I know optimiser is available on *my* host,
> but that's not enough in this case!
>
>
> ---
> Justin French
> http://indent.com.au
--- End Message ---
--- Begin Message ---
--- Michael Rasmussen <[EMAIL PROTECTED]> wrote:
> > To be clear: make sure the data that the user submitted only
> > contains the characters you think are valid (don't bother trying
> > to guess malicious characters - you're sure to miss one) and is a
> > valid length. Once you've done this, and your design helps you to
> > make sure that this step can't be bypassed by the user, you're
> > protected against SQL injection.
>
> Or even better: Use only prepared statements.
Can you explain that (and defend it)?
Chris
=====
Chris Shiflett - http://shiflett.org/
PHP Security - O'Reilly
Coming mid-2004
HTTP Developer's Handbook - Sams
http://httphandbook.org/
PHP Community Site
http://phpcommunity.org/
--- End Message ---
--- Begin Message ---
On 21 Mar 2004 Chris Shiflett wrote:
> SQL injection vulnerabilities exist when you use data that the user gave
> you to create your SQL statement. So, anytime that this happens, simply
> make absolutely sure that the data you are using from the user fits a very
> specific format that you are expecting.
> To be clear: make sure the data that the user submitted only contains the
> characters you think are valid (don't bother trying to guess malicious
> characters - you're sure to miss one) and is a valid length. Once you've
> done this, and your design helps you to make sure that this step can't be
> bypassed by the user, you're protected against SQL injection.
Recently I've been in the middle of trying to build defenses against
SQL injection on a site I'm working on (proactively, we haven't had a
problem). While this principle seems exactly right, I find it's not as
easy to implement as it sounds, and I'd argue that the results aren't
as absolute as you suggest, though you certainly have more experience
with it than I do so perhaps I'm missing something.
Here's how I'm looking at it.
Pretty much any useful site tied to a database will use user data in
SQL statements, either in WHERE clauses or SET clauses or both. This
means all input must be checked for maliciousness, and the primary
kinds of malicious input seem to be SQL injection, or on another front
HTML injection / XSS.
The problem is that there are some well-defined attacks with
protections against them that can be logically defended. But there is
no list of all possible attacks, so I'm not sure it's really possible
to say "you're protected against SQL injection" at some point. Do you
feel differently? If so I'd be interested to hear why.
I agree with you that checking for valid characters is safer than
checking for malicious characters, but even the former is not absolute.
Also it is not possible to make the set of characters with syntactic
significance have no overlap with the set of valid input characters --
a single quote used as an apostrophe is the obvious example, so
checking for valid characters may still leave characters in the data
that could also be part of an attack.
As for specifics, at the moment I am simply forcing every element of
_POST to be truncated to a known maximum length, then run through
strip_tags, stripslashes, and htmlspecialchars (in that order) before I
use it. Then every input form element is validated against an
appropriate regexp depending on the type of input expected. I also use
mysql_real_escape_string on all strings prior to writing them to the
database, and I use single quotes around all integer values. If you're
game, I'm curious if you see any flaws in this approach. I am still
contemplating whether there is any value to running input through
htmlspecialchars, or whether I should instead simply be using
htmlentities on output. I also haven't looked at what this does to
nested attacks of various kinds and whether there is a way to use
multiple iterations or escapes in the input data to bypass the
filtering (pointers to articles which discuss this would be welcome).
Thanks,
--
Tom
--- End Message ---
--- Begin Message ---
--- [EMAIL PROTECTED] wrote:
> Recently I've been in the middle of trying to build defenses against
> SQL injection on a site I'm working on (proactively, we haven't had a
> problem). While this principle seems exactly right, I find it's not as
> easy to implement as it sounds, and I'd argue that the results aren't
> as absolute as you suggest, though you certainly have more experience
> with it than I do so perhaps I'm missing something.
I would never argue that something is an absolute defense, but I would
characterize my recommendation as a best practice.
> The problem is that there are some well-defined attacks with
> protections against them that can be logically defended. But there is
> no list of all possible attacks, so I'm not sure it's really possible
> to say "you're protected against SQL injection" at some point. Do you
> feel differently? If so I'd be interested to hear why.
The reason why is the difference in approach. If any approach depends on
exhaustive knowledge of all possible attacks, the approach is
fundamentally flawed and could never be considered secure. There is only
one you, and there are an unlimited number of potential attackers. You
cannot hope to second guess every single one of them.
> I agree with you that checking for valid characters is safer than
> checking for malicious characters, but even the former is not absolute.
Not absolute in what sense? Making sure something is valid is pretty
absolute; the only possible flaws are flaws in "making sure something is
valid." For example, I feel confident that no one can show me a string
that I would consider a valid first name that is also an SQL injection
attack.
> Also it is not possible to make the set of characters with syntactic
> significance have no overlap with the set of valid input characters --
> a single quote used as an apostrophe is the obvious example, so
> checking for valid characters may still leave characters in the data
> that could also be part of an attack.
I would never suggest that you should not escape data properly according
to your database of choice. In fact, I included a very helpful link that
addresses this, and I will include it again:
http://phundamentals.nyphp.org/PH_storingretrieving.php
If you are using MySQL, there is a nice function that escapes your data
for you:
http://www.php.net/mysql_escape_string
If you make sure data is valid and then properly escape it for use in an
SQL statement, you're adhering to what I am suggesting is a best practice
against SQL injection. This is under the assumption that you surround all
literal values with single quotes.
> As for specifics, at the moment I am simply forcing every element of
> _POST to be truncated to a known maximum length, then run through
> strip_tags, stripslashes, and htmlspecialchars (in that order) before I
> use it.
This doesn't work for everyone. I can think of several examples where
users would be submitting HTML and/or PHP code. I wouldn't want to delete
some of their data.
I applaud your efforts in data filtering, because almost all PHP
vulnerabilities that I read about are a result of the author completely
failing to perform any data filtering at all (which is inexcusable).
However, might I suggest that you take a slightly different approach.
Verify that the data is exactly what you expect it to be, and then escape
and/or encode it when necessary.
For example, for storing valid data, use mysql_escape_string() or an
equivalent function for your database of choice. For displaying valid
data, use htmlentities(). If you want some user-submitted tags
interpreted, you can use str_replace() to convert those HTML entities back
(this makes sure that only specific uses of specific tags are
interpreted).
For unvalidated data, do nothing with it until you have validated it with
your data filtering logic. A good software architecture should make it
easy for the developer to keep up with this (naming conventions are also
very helpful for this).
> Then every input form element is validated against an appropriate
> regexp depending on the type of input expected. I also use
> mysql_real_escape_string on all strings prior to writing them to
> the database, and I use single quotes around all integer values.
> If you're game, I'm curious if you see any flaws in this approach.
I'm always game. :-)
This actually sounds like a strong approach to me. I assume that you
surround all data in an SQL statement with single quotes (not just integer
values). In fact, this is almost exactly what I am suggesting. I do not
think you have an SQL injection vulnerability, unless what your code does
strays from this description somehow.
Also, if your applications never allow the user to submit HTML or PHP,
stripping tags is fine. But, you might be interested in letting your
regular expression catch this, so that you can log attacks. Attackers
certainly profile your applications - why not profile their attacks? It
can potentially help us all.
> I am still contemplating whether there is any value to running input
> through htmlspecialchars, or whether I should instead simply be using
> htmlentities on output.
I prefer htmlentities(), but I think this is a small point.
> I also haven't looked at what this does to nested attacks of various
> kinds and whether there is a way to use multiple iterations or escapes
> in the input data to bypass the filtering (pointers to articles which
> discuss this would be welcome).
The point of escaping or encoding would be lost if it didn't work for all
possible data. I know of no articles for this, nor can I think of anyone
who would bother writing one. :-)
Anyway, I hope that helps.
Chris
--- End Message ---
--- Begin Message ---
On Sunday 21 March 2004 06:39 pm, Chris Shiflett wrote:
> --- Michael Rasmussen <[EMAIL PROTECTED]> wrote:
> > > To be clear: make sure the data that the user submitted only
> > > contains the characters you think are valid (don't bother trying
> > > to guess malicious characters - you're sure to miss one) and is a
> > > valid length. Once you've done this, and your design helps you to
> > > make sure that this step can't be bypassed by the user, you're
> > > protected against SQL injection.
> >
> > Or even better: Use only prepared statements.
>
> Can you explain that (and defend it)?
Maybe he's talking about stored procedures?
"Banks, for instance, use stored procedures for all common operations. This
provides a consistent and secure environment, and procedures can ensure that
each operation is properly logged. In such a setup, applications and users
would not get any access to the database tables directly, but may only
execute specific stored procedures."
- http://www.mysql.com/doc/en/Stored_Procedures.html
--
Evan Nemerson
[EMAIL PROTECTED]
http://coeusgroup.com/en
--
"To achieve adjustment and sanity and the conditions that follow from them, we
must study the structural characteristics of this world first and, then only,
build languages of similar structure, instead of habitually ascribing to the
world the primitive structure of our language."
-Alfred Korzybski
--- End Message ---
--- Begin Message ---
On 21 Mar 2004 Chris Shiflett wrote:
> I would never argue that something is an absolute defense, but I would
> characterize my recommendation as a best practice.
Fair enough.
> > I agree with you that checking for valid characters is safer than
> > checking for malicious characters, but even the former is not absolute.
>
> Not absolute in what sense? Making sure something is valid is pretty
> absolute;
Yes, agreed. It's just that validation against input criteria doesn't
guarantee that it's not an attack.
> the only possible flaws are flaws in "making sure something is
> valid." For example, I feel confident that no one can show me a string
> that I would consider a valid first name that is also an SQL injection
> attack.
I'm sure that's correct. However I'm not sure the algorithm to
definitively decide which is which is so obvious.
> http://phundamentals.nyphp.org/PH_storingretrieving.php
FYI, this site seems to be down. I've tried it several times over the
last few days and it always times out.
> This doesn't work for everyone. I can think of several examples where
> users would be submitting HTML and/or PHP code. I wouldn't want to delete
> some of their data.
Of course. I was only referring to my specific case, where that's not
an issue.
> I applaud your efforts in data filtering, because almost all PHP
> vulnerabilities that I read about are a result of the author completely
> failing to perform any data filtering at all (which is inexcusable).
> However, might I suggest that you take a slightly different approach.
> Verify that the data is exactly what you expect it to be, and then escape
> and/or encode it when necessary.
Just to clarify ... are you saying that you feel it's better to
specifically validate and encode each field according to its own
requirements rather than use a global algorithm? I can understand that
... right now I do both, global checks first followed by field-specific
validation and encoding / escaping.
> For unvalidated data, do nothing with it until you have validated it with
> your data filtering logic. A good software architecture should make it
> easy for the developer to keep up with this (naming conventions are also
> very helpful for this).
Good point on the naming conventions. I tend to keep the raw data in
_POST and the validated data inside an array of "control" objects
within my data entry "form" object, so the differentiation is
structural rather than by name.
> This actually sounds like a strong approach to me. I assume that you
> surround all data in an SQL statement with single quotes (not just integer
> values). In fact, this is almost exactly what I am suggesting. I do not
> think you have an SQL injection vulnerability, unless what your code does
> strays from this description somehow.
Yes, I use single quotes on everything. I was doing it only for
strings and dates, but after reading some of the MySQL security info I
added single quotes to the numeric values as well.
> Also, if your applications never allow the user to submit HTML or PHP,
> stripping tags is fine. But, you might be interested in letting your
> regular expression catch this, so that you can log attacks. Attackers
> certainly profile your applications - why not profile their attacks? It
> can potentially help us all.
Good point ... but then I am vulnerable to errors in my own algorithm,
I figured the folks writing PHP were likely to have more experience
with it than I did. However it would be fairly easy to check if
strip_tags did anything by comparing string lengths, and log the change
if there was one.
> > I also haven't looked at what this does to nested attacks of various
> > kinds and whether there is a way to use multiple iterations or escapes
> > in the input data to bypass the filtering (pointers to articles which
> > discuss this would be welcome).
>
> The point of escaping or encoding would be lost if it didn't work for all
> possible data. I know of no articles for this, nor can I think of anyone
> who would bother writing one. :-)
That's true, but as there is no mention in the documentation, I have no
idea whether functions like mysql_escape_string properly handle things
like strings which have already been escaped, whether strip_tags will
take care of something like <t<tagag, and so on. stripslashes is
specifically documented as handling only one round of backslashes -- do
I need to call it in a loop? Thinking through whether this matters is
tricky. In other words I can imagine classes of problems that the
existing tools may or may not solve, and it's a bit of a chore to
investigate so I was hoping someone else had already done so :-).
Thanks for all of the comments.
--
Tom
--- End Message ---
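Added example (not part of any message in this digest, and not code from any list member): the validate-then-escape approach from Chris Shiflett's reply next to the prepared-statement alternative Michael Rasmussen mentions, run on constructed inputs that include a legitimate name containing an apostrophe. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite table in place of MySQL; the table, function names and sample inputs are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example; table, function names and inputs are hypothetical.
// Assumption: pdo_sqlite is available, standing in for the MySQL
// database discussed in the thread so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, first_name TEXT)');
$db->exec("INSERT INTO users (first_name) VALUES ('Anna'), ('O''Brien')");

/**
 * Allow-list filter: states what a valid first name looks like instead of
 * guessing at malicious characters. The apostrophe is allowed on purpose,
 * so valid data can still contain a character with SQL significance.
 */
function is_valid_first_name(string $raw): bool
{
    // \A and \z anchor the whole string; {0,39} caps the length at 40.
    return preg_match("/\\A[A-Za-z][A-Za-z' -]{0,39}\\z/", $raw) === 1;
}

/** Escape and single-quote the literal, then concatenate it into the SQL. */
function find_escaped(PDO $db, string $name): array
{
    // PDO::quote() escapes for the connected driver and adds the quotes.
    $sql = 'SELECT id, first_name FROM users WHERE first_name = '
         . $db->quote($name);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Prepared statement: the value is bound and never becomes SQL text. */
function find_prepared(PDO $db, string $name): array
{
    $stmt = $db->prepare(
        'SELECT id, first_name FROM users WHERE first_name = ?'
    );
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Filter first; only filtered data reaches either query builder.
 * Rejected input is recorded so that attempts can be reviewed later.
 */
function lookup(PDO $db, string $raw, array &$rejected): ?array
{
    if (!is_valid_first_name($raw)) {
        $rejected[] = $raw;
        return null;
    }
    return [
        'escaped'  => find_escaped($db, $raw),
        'prepared' => find_prepared($db, $raw),
    ];
}

// Constructed sample inputs: two legitimate names, one over-long value,
// and one string that tries to close the quoted literal.
$inputs = ['Anna', "O'Brien", str_repeat('a', 60), "x' OR '1'='1"];
$rejected = [];

foreach ($inputs as $raw) {
    $result = lookup($db, $raw, $rejected);
    if ($result === null) {
        printf("%-14.14s rejected by filter\n", $raw);
        continue;
    }
    printf(
        "%-14.14s escaped=%d row(s), prepared=%d row(s)\n",
        $raw,
        count($result['escaped']),
        count($result['prepared'])
    );
}

// With the filter skipped, the bound parameter is still only compared
// as data against first_name.
$unfiltered = find_prepared($db, "x' OR '1'='1");
printf("unfiltered prepared lookup: %d row(s)\n", count($unfiltered));
printf("rejected inputs logged: %s\n", json_encode($rejected));
```

The name O'Brien passes the filter yet contains a quote character, which is why the escaping or binding step is still needed after validation.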
--- Begin Message ---
Hi noginn,
$columntotals[$count] = $columntotals[$count] + $sum;
^---------------------^
ERROR HERE
It seems you tried to assign columntotal[index] with itself and you never
defined it. You should try this one.
=> $columntotals[$count] = $sum;
Is that right?
Sorry, I am confused by your words "total of totals"?
Good Luck,
Firman
----- Original Message -----
From: "noginn" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, March 22, 2004 12:33 AM
Subject: [PHP] Array problem
> This has been confusing me a little for a few hours now.
>
> Heres a snip of my code which is causing the problem:
>
> $content = "<table border='0' cellspacing='0' cellpadding='5'>\n";
> $content .= "<tr>\n";
> $content .= "<td> </td>\n";
>
> $tasks = new dbconnect;
> $tasks->connect();
> $tasks->query("SELECT tid, tname FROM tasks");
> while(list($tid, $tname) = $tasks->fetch_rows()) {
> $content .= "<td valign='top' align='center'><span
> class='highlight'>$tname</span></td>\n";
> }
> $content .= "<td> </td>\n";
> $content .= "</tr>\n";
>
> $projects = new dbconnect;
> $projects->connect();
> $projects->query("SELECT pid, pname FROM projects");
>
> * $columntotals = array();*
> $colour = 0;
>
> while(list($pid, $pname) = $projects->fetch_rows()) {
> $tasks->data_seek(0);
> $rowtotal = 0;
> $count = 0;
> if ($colour % 2) {
> $bgcolour = "#FFFFFF";
> }
> else {
> $bgcolour = "#F9F9F9";
> }
> $colour++;
> $content .= "<tr>\n";
> $content .= "<td valign='top' align='center'><span
> class='highlight'>$pname</span></td>\n";
>
> while(list($tid, $tname) = $tasks->fetch_rows()) {
> $logs = new dbconnect;
> $logs->connect();
> $logs->query("SELECT SUM(hours) from logs WHERE pid = '$pid'
> AND tid = '$tid' AND date >= '$sdate' AND date <= '$edate'");
> list($sum) = $logs->fetch_rows();
>
> if (!$sum) {
> $sum = 0;
> }
>
> $rowtotal = $rowtotal + $sum;
> *$columntotals[$count] = $columntotals[$count] + $sum;*
> $count++;
>
> $content .= "<td bgcolor='$bgcolour'
> align='center'>$sum</td>\n";
> }
> $content .= "<td align='center'><b>$rowtotal</b></td>\n";
> }
> $content .= "</tr>\n";
> $content .= "<tr>\n";
> $content .= "<td> </td>\n";
>
> $sumofcolumntotals = 0;
>
> for ($i=0; $i<sizeof($columntotals); $i++)
> {
> $sumofcolumntotals = $sumofcolumntotals + $columntotals[$i];
> $content .= "<td align='center'><b>$columntotals[$i]</b></td>\n";
> }
>
> $content .= "<td align='center'><b>$sumofcolumntotals</b></td>\n";
> $content .= "</tr>\n";
> $content .= "</table>\n";
>
> I have made the lines inwhich I know are causing problems in bold.
> Basicly, I am creating a report of some data and need to count up totals
> of each column and then again total the totals if you get me.
> Here is the errors I am getting.
> *Notice*: Undefined offset: 0 in
> *C:\WWW\Apache2\htdocs\php\coursework\reports_projects.php* on line *58*
> *Notice*: Undefined offset: 1 in
> *C:\WWW\Apache2\htdocs\php\coursework\reports_projects.php* on line *58*
> *Notice*: Undefined offset: 2 in
> *C:\WWW\Apache2\htdocs\php\coursework\reports_projects.php* on line *58*
> *Notice*: Undefined offset: 3 in
> *C:\WWW\Apache2\htdocs\php\coursework\reports_projects.php* on line *58
>
> *Now I understand in a way why its happening, because im trying to
> insert into $columntotals something which isnt valid, but I can't think
> of a way to stop this at the moment.
> Hope to hear soon, thanks in advance guys.
>
> -noginn
--- End Message ---
--- Begin Message ---
Yes, that is true; however, to create the totals of each column I had to
somehow do this.
I have fixed the problem in a way, but it was probably a very crude way
of doing so.
    $rowtotal = $rowtotal + $sum;
    if (!empty($columntotals[$count])) {
        $columntotals[$count] = $columntotals[$count] + $sum;
    }
    else {
        $columntotals[$count] = $sum;
    }
    $count++;
So now it won't try and add itself if it is empty.
But if anyone has more ideas of how I can create a cleaner piece of code
then please let me know! :)
-noginn
--- End Message ---
--- Begin Message ---
Dear Sirs,
I have a web site which is keeping user data in MySQL. I am afraid that
the existing server may collapse outside my control.
I want to use another server to keep on standby, and I want to set the new server
DNS as a third and fourth server.
As far as I know, if the primary and secondary servers do not work, InterNIC
diverts to the third and fourth server.
But I need to keep the new server's MySQL database refreshed. Where can I find
the best idea to make such a mirror with my existing server and new server?
Best Regards
--- End Message ---
--- Begin Message ---
QT wrote:
> Dear Sirs,
> I have a web site which is keeping user data in MySQL. I am afraid that
> the existing server may collapse outside my control.
> I want to use another server to keep on standby, and I want to set the new server
> DNS as a third and fourth server.
> As far as I know, if the primary and secondary servers do not work, InterNIC
> diverts to the third and fourth server.
> But I need to keep the new server's MySQL database refreshed. Where can I find
> the best idea to make such a mirror with my existing server and new server?
This is a PHP list. You need to ask on a MySQL list.
--- End Message ---
--- Begin Message ---
Do you know the best MySQL newsgroup address?
"Burhan Khalid" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> QT wrote:
> > Dear Sirs,
> >
> > I have a web site which is keeping user data in MySQL. I am afraid that
> > the existing server may collapse outside my control.
> >
> > I want to use another server to keep on standby, and I want to set the new server
> > DNS as a third and fourth server.
> >
> > As far as I know, if the primary and secondary servers do not work, InterNIC
> > diverts to the third and fourth server.
> >
> > But I need to keep the new server's MySQL database refreshed. Where can I find
> > the best idea to make such a mirror with my existing server and new server?
>
> This is a PHP list. You need to ask on a MySQL list.
--- End Message ---
--- Begin Message ---
Here's the code:
<?php
$a = 676.6;
$b = 0.175;
$y = $a * (1 + $b);
echo("y: " . $a . " * (1 + " . $b . ") = $y<BR>");
$z = $a + ($a * $b);
echo("z: " . $a . " + ( " . $a . " * " . $b . ") = $z<BR>");
echo("number format(y)=".number_format($y, 2)."<BR>");
echo("number format(z)=".number_format($z, 2)."<BR>");
?>
Here's the output:
y: 676.6 * (1 + 0.175) = 795.005
z: 676.6 + ( 676.6 * 0.175) = 795.005
number format(y)=795.01
number format(z)=795.00
In other words, using two logically equivalent (?) formulae to derive
exactly the same result from the same two values results in somehow
different results (I guess it's not an issue with number_format() per se,
but with associativity or summat...).
Hope it's not an obvious schoolboy error - any ideas?
PHP 4.2.2
Apache 2.0.40
Redhat 7.3
-------------------------------------------------------
Paul Hopkins - Senior Web Developer, Doctor Net - http://www.doc-net.com/
--- End Message ---
--- Begin Message ---
On 22 March 2004 10:31, Paul Hopkins wrote:
> Here's the code:
>
> <?php
> $a = 676.6;
> $b = 0.175;
>
> $y = $a * (1 + $b);
> echo("y: " . $a . " * (1 + " . $b . ") = $y<BR>");
>
> $z = $a + ($a * $b);
> echo("z: " . $a . " + ( " . $a . " * " . $b . ") = $z<BR>");
>
> echo("number format(y)=".number_format($y, 2)."<BR>");
> echo("number format(z)=".number_format($z, 2)."<BR>");
> ?>
>
>
> Here's the output:
>
> y: 676.6 * (1 + 0.175) = 795.005
> z: 676.6 + ( 676.6 * 0.175) = 795.005
> number format(y)=795.01
> number format(z)=795.00
This is because of the inherent minor imprecision in the way floating point numbers
are represented in a computer -- please see the big fat note headed "Floating point
precision" at http://www.php.net/manual/en/language.types.float.php. You should never
rely on the absolute accuracy of floating point numbers -- even very simple
calculations can be off by an infinitesimal but nonetheless significant amount (for
example, 10.0/3*3 almost never equals 10.0 ;).
Cheers!
Mike
---------------------------------------------------------------------
Mike Ford, Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS, LS6 3QS, United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211
--- End Message ---
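The effect described in the reply above, as an added example that is not part of either post: it prints the stored values behind "795.005" and then does the same calculation in integer pence so the rounding step is explicit. The helper names `addRate` and `formatPence`, and the choice of pence and thousandths as units, are assumptions of this example.

```php
<?php
// Added example (not from the thread); the values are the ones Paul posted.
$a = 676.6;
$b = 0.175;
$y = $a * (1 + $b);
$z = $a + ($a * $b);

// echo rounds to the "precision" ini setting, so both print as 795.005.
// Printing more digits exposes the stored values, which need not be identical.
printf("y = %.15f\nz = %.15f\n", $y, $z);
var_dump($y == $z);               // exact comparison of two floats
var_dump(abs($y - $z) < 1e-9);    // comparison with a tolerance

// For money, keep amounts as integers in the smallest unit and round once,
// explicitly. Hypothetical helper: $perMille is the rate in thousandths
// (175 = 17.5%), and amounts are assumed to be non-negative.
function addRate(int $pence, int $perMille): int
{
    // Round half up using integer arithmetic only.
    return intdiv($pence * (1000 + $perMille) + 500, 1000);
}

// Hypothetical helper: format integer pence without going back through a float.
function formatPence(int $pence): string
{
    return sprintf('%d.%02d', intdiv($pence, 100), $pence % 100);
}

$gross = addRate(67660, 175);     // 676.60 plus 17.5%
echo formatPence($gross), "\n";
```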
--- Begin Message ---
Hey guys,
A server I'm using has PHP compiled into Apache, and I want to leave
that alone and just build a CLI version of php. Can I get away with just
going:
./configure --with-mysql --prefix=/some/home/dir
make
make install
? I don't want to upset the existing apache installation of PHP or
anything, just want a CLI exe in my home dir to do some stuff with.
thanks,
neko
--- End Message ---
--- Begin Message ---
On 21 March 2004 16:03, Ben Ramsey wrote:
> I've got a querystring that looks like this:
> ?url=http%3A%2F%2Ftest.alpharetta.ga.us%2Findex.php%3Fm%3Dlinks%26category%3DRecreation%2B%2526%2BParks%26go.x%3D22%26go.y%3D7
>
> As you can gather, I'm trying to pass a URL to another script for some
> processing. Before I urlencode() the URL and pass it to the query
> string, it looks like this:
>
> http://test.alpharetta.ga.us/index.php?m=links&category=Recreation+%26+Parks&go.x=22&go.y=7
>
> As you can see, there are already encoded entities in the URL, which are
> further encoded when passed through urlencode(). The problem I'm having
> is that when I urldecode() the string from $_GET["url"], I get the
> following string:
Don't. GET values are automatically urldecoded once by the Web server
before they ever reach your script.
Cheers!
Mike
---------------------------------------------------------------------
Mike Ford, Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS, LS6 3QS, United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211
--- End Message ---
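The round trip discussed in the message above, as an added example that is not part of either post: the URL is the one quoted in the thread, `parse_str()` stands in for the decoding PHP performs when it fills `$_GET`, and `innerParams` is a hypothetical helper. A second `urldecode()` turns the inner `%26` into a literal `&`, which splits the category value at the ampersand.

```php
<?php
// Added example (not from the thread). The URL is the one Ben quoted.
$target = 'http://test.alpharetta.ga.us/index.php'
        . '?m=links&category=Recreation+%26+Parks&go.x=22&go.y=7';

// Sender: encode the whole URL once so it travels as one parameter value.
$queryString = 'url=' . urlencode($target);

// Receiver: parse_str() stands in here for the decoding PHP performs
// when it fills $_GET, which happens once and automatically.
parse_str($queryString, $get);
$once  = $get['url'];
$twice = urldecode($get['url']);  // the extra decode the reply warns against

var_dump($once === $target);      // did the URL survive the round trip?
var_dump($twice === $target);     // and after decoding it a second time?

// Hypothetical helper: parse the query string of the inner URL the way the
// target script would see it.
function innerParams(string $url): array
{
    $parts = explode('?', $url, 2);
    parse_str($parts[1] ?? '', $params);
    return $params;
}

// Compare the "category" entry in the two results.
print_r(innerParams($once));
print_r(innerParams($twice));
```

The same applies to any validation done on the once-decoded value: it says nothing about the string that a second decode produces.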
--- Begin Message ---
Dear PHP.net,
I have got a question!!!
I'll develop a new PHP Site and there is a problem with Hyperlinks!!!
How can I use "index?nav=Webmaster"??
What's the source code for this function????
Best Regards
Florian Hoenl
--- End Message ---
--- Begin Message ---
Hi,
> Dear PHP.net,
> I have got a question!!!
> I'll develop a new PHP Site and there is a problem with Hyperlinks!!!
First of all, there is no problem with hyperlinks; you may have a
problem understanding how to use hyperlinks.
> How can I use "index?nav=Webmaster"??
> What's the source code for this function????
How about ... RTFM ?
-- red
--- End Message ---
--- Begin Message ---
Hi there,
I was searching for a php function which fills empty spaces in string
variables with "&nbsp;", but could not find one.
Is there such thing?
Thanx for any help,
Merlin
--- End Message ---
--- Begin Message ---
Hi Merlin,
guess there is no php function which handles this, but you can easily
use str_replace to do this.
http://php.net/str_replace
-- red
On Monday, 22 March 2004 13:02, Merlin wrote:
> Hi there,
>
> I was searching for a php function which fills empty spaces in string
> variables with "&nbsp;", but could not find one.
>
> Is there such thing?
>
> Thanx for any help,
>
> Merlin
--- End Message ---
--- Begin Message ---
> I was searching for a php function which fills empty spaces in string
> variables with "&nbsp;", but could not find one.
Wouldn't str_replace do it?
http://jp2.php.net/str_replace
--
Yoroshiku!
Dave G
[EMAIL PROTECTED]
--- End Message ---
--- Begin Message ---
$str = str_replace(' ', '&nbsp;', $str);
$str = preg_replace('/\s+/', '&nbsp;', $str);
$str = ereg_replace('[[:space:]]+', '&nbsp;', $str);
Good Luck,
Firman
----- Original Message -----
From: "Merlin" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, March 22, 2004 7:02 PM
Subject: [PHP] Fill strings with
> Hi there,
>
> I was searching for a php function which fills empty spaces in string
> variables with "&nbsp;", but could not find one.
>
> Is there such thing?
>
> Thanx for any help,
>
> Merlin
--- End Message ---
--- Begin Message ---
hi,
I do this task on Windows through Scheduled Tasks as follows.
First I create a BATCH file
File.bat::
@ECHO OFF
c:\php\php -q c:\dailyscript\script.php
Then I added this file.bat path to Scheduled Tasks for a specified time
interval
imran
----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, March 21, 2004 9:52 PM
Subject: Re: [PHP] Scheduling PHP on Windows
> On 20 Mar 2004 Ben Ramsey wrote:
>
> > I know how to run a PHP script as a cron job on a *nix machine. So,
> > does anyone know how to use the Task Scheduler on Windows to do the
> > same? Or is it even possible?
>
> The fundamental idea is simple -- work out a command line from a
> regular command prompt that does what you want. Then set it up under
> Control Panel / Scheduled Tasks. You will have to specifically invoke
> cmd.exe if you want to redirect the output, for example here's a
> command line I just tried that worked properly:
>
> m:\winnt\system32\cmd.exe /c h:\php\cli\php.exe test4.php >> c:\x.txt
>
> --
> Tom
--- End Message ---
--- Begin Message ---
I posted a message here a few days ago asking how to solve this problem. Fortunately
I found the solution on a website; I reset the pass and all worked.
MySQL 4.1 uses an authentication protocol based on a password hashing algorithm that
is incompatible with that used by older clients. If you upgrade the server to 4.1,
attempts to connect to it with an older client may fail with the following message:
shell> mysql
Client does not support authentication protocol requested
by server; consider upgrading MySQL client
To solve this problem you should do one of the following:
- Upgrade all client programs to use the 4.1.1 or newer client library.
- Use a user account with an old password when connecting from a pre-4.1 client.
- Reset the user that needs a pre-4.1 client to use an old password:
  mysql> UPDATE user SET Password = OLD_PASSWORD('mypass')
      -> WHERE Host = 'some_host' AND User = 'some_user';
  mysql> FLUSH PRIVILEGES;
- Tell the server to use the older password hashing algorithm:
  1. Start mysqld with --old-passwords.
  2. Set the password for all users that have a long password. You can find these
     users with:
     SELECT * FROM mysql.user WHERE LENGTH(password) > 16;
--- End Message ---
--- Begin Message ---
Hi there
I'm new to PHP (as some may know)...
I've spotted / found the answers to 2-3 problems
tonight - By looking through the PHP documentation..
but this problem is perplexing..
Ok - I've got a FORM - Which basically, I put lots of
text into it (For testing purposes, I go to news
websites & copy entire articles).
The PHP script chops up the paragraphs - into one long
line of text (one line per paragraph..), & it's in an
array $text.
Ok - I loop through the array, & all the text is how
it should be - displaying properly..
PROBLEM :-
Now - All I want to know - Is how long each line is -
(eg number of characters - I've already removed
double-spaces & it's now single-spacing (if any)..)
EG - Is a line 34 characters long, 127, 945 ?
I've looked through the PHP 'Functions' & the PHP
'documentation' for "length" (couldn't find anything..
??)
I've found this command :-
http://nz2.php.net/strlen
Which seems perfectly fine...
I've got this code (without the === signs)
=======
foreach ($text as $color) {
echo "SAF '$color' - ";
echo "<B>".strlen($color)."</B><BR>\n";
}
=======
the SAF is only for my reference - See it on the
screen..
QUESTION :-
Is this the right code to use ? to find the length of
each line ? ($color) - No worries - I've just copied
code from the web..)
PROBLEM :-
It looks fine - EXCEPT when I see a 3-line paragraph -
& the PHP code is telling me it's over 1,200 characters
long..
(assuming 80 characters per line, 100 AT MAXIMUM) -
that's only 240 -300 characters...
If the paragraph were 1200 characters - That would
need 8-10 lines of text...
So - I'm asking here (see above)... - If I've got the
correct code / Command...
Thanks for the help...
G
--- End Message ---
--- Begin Message ---
On Mar 22, 2004, at 1:46 PM, gordon stewart wrote:
> =======
> foreach ($text as $color) {
> echo "SAF '$color' - ";
> echo "<B>".strlen($color)."</B><BR>\n";
> }
> =======
> QUESTION :-
> Is this the right code to use ? to find the length of
> each line ? ($color) - No worries - I've just copied
> code from the web
strlen() is the correct function to use here. Use it like:
echo strlen($_POST['input_name']);
Where $_POST['input_name'] should be replaced by the variable you want
to check. strlen() is always right, but it counts the actual characters
of the string (which may differ from those that are shown in the
browser, please look at the HTML source instead).
Secondly, please use lowercase for HTML tags and use <br /> instead of
<BR>...
Regards,
Filip de Waard
--- End Message ---
--- Begin Message ---
--- Filip de Waard <[EMAIL PROTECTED]> wrote:
> strlen() is the correct function to use here. Use it
> like:
>
> echo strlen($_POST['input_name']);
Thanks...
> Where $_POST['input_name'] should be replaced by the
> variable you want
> to check. strlen() is always right, but it counts
> the actual characters
> of the string (which may differ from those that are
> shown in the
> browser, please look at the HTML source instead).
Ok - Will do...
> Secondly, please use lowercase for HTML tags and use
> <br /> instead of
> <BR>...
Hmm - why <br /> ???
Is that PHP code - or HTML code ? - I've seen it around
a few places - But haven't bothered to ask (till now)
- Or is there a 'hidden' process that PHP
uses the " / " for ??
- Ok - Off to look at HTML source, then off to bed...
Thanks
G
--- End Message ---