RE: [PHP] BIT OT - preventing double submit
What happens when they refresh? How about this...when the form loads the first time it generates a unique_id, and when you submit the form it has to match that unique_id. That would stop people from being able to refresh because once the unique_id is submitted, it won't accept any more submissions with that unique_id. It makes sense to me, but this is my Friday ramblings

-Original Message-
From: Randum Ian [mailto:[EMAIL PROTECTED]
Sent: Friday, April 04, 2003 9:11 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] BIT OT - preventing double submit

Isn't it easy just to do an "onClick Disable Button" kinda thing?

> i've seen this mentioned here a few times , ok its jscript , but i don't
> think there is anyone here who doesn't use any jscript or even html ??
> heh
>
> basically all u do is disable the button once pressed

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] MySQL Insert with Auto-Increment
Wonderful! Thanks!

-Original Message-
From: Marek Kilimajer [mailto:[EMAIL PROTECTED]
Sent: Friday, April 04, 2003 8:18 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] MySQL Insert with Auto-Increment

use mysql_insert_id(), it keeps its value per connection so you don't need to worry about anything

[EMAIL PROTECTED] wrote:

>Ok, here's what I have. I want to insert some values into a table with
>an auto_increment field, but I want to get the Serial of the record I
>just inserted so I can name an image $Serial.jpg. I could just select
>the serial of the last record entered but what happens (and I know it's
>unlikely but could happen) if someone else inserted another record a
>half a second after this one? Anyone have any ideas? Thanks!
>
>Brian
[PHP] MySQL Insert with Auto-Increment
Ok, here's what I have. I want to insert some values into a table with an auto_increment field, but I want to get the Serial of the record I just inserted so I can name an image $Serial.jpg. I could just select the serial of the last record entered but what happens (and I know it's unlikely but could happen) if someone else inserted another record a half a second after this one? Anyone have any ideas? Thanks!

Brian
RE: [PHP] REPLY NEEDED
I know this is OT, but I caught a story somewhere about the American Embassy in Nigeria actually having to REGULARLY rescue Americans who go over there to claim their money...that's just sad.

-Original Message-
From: Leif K-Brooks [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 03, 2003 8:48 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] REPLY NEEDED

Based on the information gathered about thousands of people, you believe they would all be in a position to help you? :)

PATRICK KOFI wrote:

>BASED ON INFORMATION GATHERED ABOUT YOU, WE BELIEVE YOU WOULD BE IN A POSITION TO HELP US IN TRANSFERING THIS FUND (US$31.5M) INTO A SAFE ACCOUNT. IT HAS BEEN AGREED THAT THE OWNER OF THE ACCOUNT WILL BE COMPENSATED WITH 30% OF THE REMITTED FUNDS, WHILE WE KEEP 60% AS THE INITIATORS AND 10% WILL BE SET ASIDE TO OFFSET EXPENSES AND PAY THE NECESSARY TAXES.
>

--
The above message is encrypted with double rot13 encoding. Any unauthorized attempt to decrypt it will be prosecuted to the full extent of the law.
RE: [PHP] chill out
It's really funny that this happened because not more than one week ago I was discussing the professionalism of this list with one of my co-workers. I've been very happy with it, but I remember when I first joined it I asked a pretty dumb question and got slammed by a bunch of people because it was simple, but I was just overlooking the solution. It did make me feel like an idiot, but I dealt with it because this was a GREAT resource for all kinds of other information. I'd have to say that this is one of the best, most informative lists I've had the pleasure of being a part of and I'd say it's worth getting slammed every now and again if that's what I have to deal with to get solutions to my problems. :-) Cheers... Brian -Original Message- From: Tim Thorburn [mailto:[EMAIL PROTECTED] Sent: Thursday, April 03, 2003 2:20 AM To: [EMAIL PROTECTED] Subject: Re: [PHP] chill out Hi, I'd have to agree with the original poster on this topic - I've been on this list for about 3 years now, at times it is helpful - and then there's every other day. Granted, there are guru's out there that know all there is to know about PHP, and then there's the new kid that has no idea what it is, but either wants to learn or has to learn. And it is quite possible that not everyone is as adept at finding information online - if you're new to server-side programming languages in general - how or why would you know of the great many repositories of information available online? Sarcasm is one thing, gawd knows I use it on a by the minute basis ... but when a newbie posts a question that may seem simple to some - yet utterly impossible to others, is it constructive to tell them to go back and RTFM in a violent manner? Suggesting that they review the manual again may help, or better yet - if you think it's not worth your time, that's what the trash can button is for. 
In general, I've had great luck with this list - it just seems the majority of puter ppl don't have super ppl skills ;) Now back to work -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Humour in programming?
By PHP? The HTML source points to my.server.com/script.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 -Original Message- From: Kevin Stone [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 01, 2003 3:43 PM To: Aaron Gould; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Re: [PHP] Humour in programming? The image is grabbed from their servers. - Original Message - From: "Aaron Gould" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Tuesday, April 01, 2003 1:36 PM Subject: Re: [PHP] Humour in programming? > Hehe, I though something was wrong with my machine when I checked out > phpinfo() on one of my boxes today. It didn't even occur to me that it > might be related to April Fools. > > I know it's usually the PHP logo, but how is that picture generated anyway? > > -- > Aaron Gould > Web Developer > Parts Canada > > > - Original Message - > From: <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> > Sent: Tuesday, April 01, 2003 3:32 PM > Subject: RE: [PHP] Humour in programming? > > > > Yeah...check out the phpinfo() function on your machine > > > > > > > > -Original Message- > > From: Liam Gibbs [mailto:[EMAIL PROTECTED] > > Sent: Tuesday, April 01, 2003 3:36 PM > > To: php list > > Subject: [PHP] Humour in programming? > > > > > > Sorry if this is OT, but... heheheh... has anyone taken a look at the > > PHP site? Check out the upper-left corner. Who is that? Nice to know > > the guys at PHP can have a laugh. > > > > > > -- > > PHP General Mailing List (http://www.php.net/) > > To unsubscribe, visit: http://www.php.net/unsub.php > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Humour in programming?
Yeah, same thing happened to me last year. I was freaking out, thought my box had been hacked. Then it hit me...April Fools day... -Original Message- From: Aaron Gould [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 01, 2003 3:37 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Re: [PHP] Humour in programming? Hehe, I though something was wrong with my machine when I checked out phpinfo() on one of my boxes today. It didn't even occur to me that it might be related to April Fools. I know it's usually the PHP logo, but how is that picture generated anyway? -- Aaron Gould Web Developer Parts Canada - Original Message - From: <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Tuesday, April 01, 2003 3:32 PM Subject: RE: [PHP] Humour in programming? > Yeah...check out the phpinfo() function on your machine > > > > -Original Message- > From: Liam Gibbs [mailto:[EMAIL PROTECTED] > Sent: Tuesday, April 01, 2003 3:36 PM > To: php list > Subject: [PHP] Humour in programming? > > > Sorry if this is OT, but... heheheh... has anyone taken a look at the > PHP site? Check out the upper-left corner. Who is that? Nice to know > the guys at PHP can have a laugh. > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Humour in programming?
Yeah...check out the phpinfo() function on your machine

-Original Message-
From: Liam Gibbs [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 01, 2003 3:36 PM
To: php list
Subject: [PHP] Humour in programming?

Sorry if this is OT, but... heheheh... has anyone taken a look at the PHP site? Check out the upper-left corner. Who is that? Nice to know the guys at PHP can have a laugh.
RE: [PHP] Checkbox
I agree...and like John said, as long as you don't accept any changes when you process the form you should be good to go... -Original Message- From: Tim Burden [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 26, 2003 2:25 PM To: [EMAIL PROTECTED] Subject: Re: [PHP] Checkbox Just using the readonly flag in the input tag is the easiest method, I think. - Original Message - From: "Reuben D. Budiardja" <[EMAIL PROTECTED]> Newsgroups: php.general To: "CPT John W. Holmes" <[EMAIL PROTECTED]>; "shaun" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Wednesday, March 26, 2003 2:26 PM Subject: Re: [PHP] Checkbox On Wednesday 26 March 2003 02:11 pm, CPT John W. Holmes wrote: > >On Wednesday 26 March 2003 01:43 pm, CPT John W. Holmes wrote: > > > > is it possible to have a checkbox that if it is specified to be > checked > > > > when the page is being formulated then it cannot be unchecked? > > > > > > No. No... No. > > > > > > If you already know you don't want it to be unchecked, then don't show > > > a checkbox. That's why we have PHP, so you can create your page > DYNAMICALLY > > > and not show bits and pieces when you don't need to. > > > > Although that is theoretically correct, there can be some reason why one > would > > want to display a checkbox anyway. Sometimes it can be clearer for the > user> > to see the GUI, asthetic reason, etc, etc. > True. In that case, though, I would just show an image of a checked check > box. The end result will be the same to the user, they will just think it's > a checkbox they cannot uncheck. But isn't it so much easier to type in that one line HTML + javascript than trying to get an image of a checked check box.. unless you have that handy, you'd have to eg. take a snapshot, or draw something, then save the file as an image file...hmm... 
and as you said, the effect will be the same to the user anyway RDB -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] can't make str_replace work with single quote
Try str_replace(chr(39),..

-Original Message-
From: Marek Kilimajer [mailto:[EMAIL PROTECTED]
Sent: Monday, March 24, 2003 2:23 PM
To: DomIntCom
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] can't make str_replace work with single quote

works for me:

echo str_replace('2003','2002', "'2003-1;1 00:00:01' AND '2003-3-1 23:59:59'");

DomIntCom wrote:

>this should be pretty straight forward, but I cannot make this work for some
>reason.
>
>$ndate = str_replace("'",'', "'2003-1;1 00:00:01' AND '2003-3-1 23:59:59'");
>
>to extrapolate we have the following string surrounded by double quotes;
>'2003-1;1 00:00:01' AND '2003-3-1 23:59:59'
>
>now - I have even tried the following command and the replace would not take
>place;
>
>str_replace('2003','2002', "'2003-1;1 00:00:01' AND '2003-3-1 23:59:59'");
>
>the search & replace would not work. I've tried ereg_replace and
>preg_replace, and I get the same results.
RE: [PHP] Loop Problem
Yes, my apologies. I call the script by scriptname.php?MasterPage=1 or 2 or whatever...

-Original Message-
From: Erik Price [mailto:[EMAIL PROTECTED]
Sent: Monday, March 17, 2003 4:45 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Loop Problem

[EMAIL PROTECTED] wrote:

> Ok, here's what I got. I'm trying to create an entire site that grabs
> all its information (Page content, titles, link info, etc.) from a
> MySQL database. In this site I would like to have sub pages of master
> pages. For instance, Page 1 is a master page, Page 2 is a sub page of
> Page 1, and Page 3 is a sub page of Page 2 which is a sub page of page
> one. Now I would like to display this entire hierarchy if possible.
> Here's what I have but either I get an infinite loop or it doesn't work
> worth a damn
>
> mysql_connect("127.0.0.1","webuser","");
> $query="SELECT * FROM PageInfo WHERE PageID>'0' and PageID=$MasterPage
> ORDER BY PageID";

I might be mistaken, but it looks like $MasterPage hasn't been defined at this point. This should be giving you an error. ($MasterPage gets defined later, but...) If you have your error-reporting turned off, it might not throw the error, so you are getting all the way to your DB. Try turning your error-reporting up and seeing if this causes you problems.

The other thing is I don't understand your query -- why are you selecting where PageID is greater than something and at the same time where it is equal to something else? That is redundant.

Finally, in your query, remove the single quotes around the 0. You don't need them, and it may be asking MySQL to treat the 0 as a character or string rather than an integer (and the column type is an integer). I'm not really definite on that last one though (more talking out the butt, I suppose).

Erik
[PHP] Loop Problem
Ok, here's what I got. I'm trying to create an entire site that grabs all its information (Page content, titles, link info, etc.) from a MySQL database. In this site I would like to have sub pages of master pages. For instance, Page 1 is a master page, Page 2 is a sub page of Page 1, and Page 3 is a sub page of Page 2 which is a sub page of page one. Now I would like to display this entire hierarchy if possible. Here's what I have but either I get an infinite loop or it doesn't work worth a damn

<?php
mysql_connect("127.0.0.1","webuser","");
$query="SELECT * FROM PageInfo WHERE PageID>'0' and PageID=$MasterPage ORDER BY PageID";
$VARS="";
do {
    $result=mysql_db_query("DynamicDB",$query);
    $count=(mysql_num_rows($result));
    if($count>0) {
        while($r=mysql_fetch_array($result)) {
            $LinkText=$r["LinkText"];
            $FileName=$r["FileName"];
            $LinkAlt=$r["LinkAlt"];
            $MasterPage=$r["MasterPage"];
            $PageID=$r["PageID"];
            $VARS="$PageID ".$VARS;
            echo "$PageID";
            // echo "$VARS";
        }
    } else {
    }
    $query="SELECT * FROM PageInfo WHERE PageID>'0' and PageID=$MasterPage";
} while ($MasterPage>0);
//echo "$VARS";
$PageIDs=explode(" ",$VARS);
$i=0;
while(strlen($PageIDs["$i"])>0) {
    $TheVar=$PageIDs["$i"];
    $TheQuery="SELECT LinkText, FileName, LinkAlt FROM PageInfo where PageID=$TheVar";
    $TheResult=mysql_db_query("DynamicDB",$TheQuery);
    $TR=mysql_fetch_array($TheResult);
    $TheLinkText=$TR["LinkText"];
    $TheFileName=$TR["FileName"];
    $TheLinkAlt=$TR["LinkAlt"];
    echo "$TheLinkText";
    $i++;
}
?>

My table structure looks like this

+------------+------------------+------+-----+----------+----------------+
| Field      | Type             | Null | Key | Default  | Extra          |
+------------+------------------+------+-----+----------+----------------+
| PageID     | int(40)          |      | PRI | NULL     | auto_increment |
| PageType   | varchar(6)       |      |     | master   |                |
| LinkText   | varchar(20)      |      |     | linktext |                |
| FileName   | varchar(30)      |      | PRI |          |                |
| LinkAlt    | varchar(100)     | YES  |     | alttext  |                |
| Contents   | longblob         |      |     |          |                |
| MasterPage | int(11) unsigned | YES  |     | 0        |                |
| Active     | char(3)          |      |     | yes      |                |
| LinkOrder  | mediumint(9)     | YES  |     | 99       |                |
+------------+------------------+------+-----+----------+----------------+
9 rows in set (0.03 sec)

Thanks in advance...

Brian
RE: [PHP] http->https->http redirection causes browser to show alert dialog
Why don't you just leave them in https? Is this a performance issue?

-Original Message-
From: CPT John W. Holmes [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 13, 2003 9:07 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [PHP] http->https->http redirection causes browser to show alert dialog

> I have a login page with a form where users enter their login and
> password. The form's action is "https://mysite.com/login.php".
>
> login.php authenticates the user and if the authentication is successful
> it ends with a:
>
> header("Location: http://mysite.com/welcome.html?a=b&c=etc...");
>
> The problem I am facing is that the flow of event is:
>
> http -> https -> http
>
> and this causes IE and Netscape to put up an alert box telling
> users that they are leaving a secured site.
>
> The IE messages is:
>
> "You are about to be redirected to a connection that is not secure. The
> information you are sending to the current site might be retransmitted
> to a non-secure site. Do you wish to continue?"
>
> I only want to use HTTPS for the parts of my web site that actually need
> it and nothing else. The way I have things set up now I receive the
> data through HTTPS, use it, and then put the user back on a "regular"
> HTTP connection since I don't need https anymore. But I get browsers
> throwing up these warnings
>
> Is there a way around this? The messages are annoying at best and
> probably scary to users ...

You'll have to output a message on the HTTPS page, like "Thank you, click here to continue", otherwise there's no way around the message. It's a client side issue, other browsers may or may not do it.

---John Holmes...
RE: [PHP] Hacker problem
Thanks! That's all I needed to know. -Original Message- From: Leif K-Brooks [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 12, 2003 9:04 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: [PHP] Hacker problem That's just not possible. [EMAIL PROTECTED] wrote: Swear filtering is easy, I want to know how to make sure the data is coming from MY formI'm just picky like that. :-) -Original Message- From: Adam Voigt [ mailto:[EMAIL PROTECTED] Sent: Wednesday, March 12, 2003 8:55 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: RE: [PHP] Hacker problem Why don't you just do the swear filtering on shoutb.php, or wherever it's actually being inserted into the database? On Wed, 2003-03-12 at 08:51, [EMAIL PROTECTED] wrote: How would one go about doing this? -Original Message- From: Dan Hardiker [ mailto:[EMAIL PROTECTED] Sent: Wednesday, March 12, 2003 8:44 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: [PHP] Hacker problem This could still be faked easily with a telnet session and some fake http headers. Your only way of making sure is to create a serverside script which filters the data. Yes, theoretically...you could require it to be posted data. In order to do this you would have to make sure "registered_globals" is set to "off" in your php.ini and then for each variable posted from your form you will need to do something like this $name=$_POST["name"]; This will only post the variables if they have been "posted." Then you could use the referrer along with this and it will only allow data from that specific form. Hope this helps! Brian Drexler -Original Message- From: Pag [ mailto:[EMAIL PROTECTED] Sent: Wednesday, March 12, 2003 8:35 AM To: [EMAIL PROTECTED] Subject: [PHP] Hacker problem Been having some hacker problems on my site, and a simple one: I have a shoutbox, a simple form with name and text that adds lines to the database. 
I do checks for insults, too long words, tags, etc, but its still possible to circumvent those checks by adding the data on the url instead of using the form. something like: www.domain.com/shoutb.php?name=hacker&text=generalnonsenseandbadwords To prevent this, i tried tracing the http_referral so that only data from inside the site goes into the shoutbox. THe problem is that if you do that url above after visiting my site, the http_referral obviously thinks its coming from inside the site. :-P How can i solve this? Is there any way to prevent data adding from outside? Maybe some invisible check on the form or something? Thanks. Pag -- PHP General Mailing List ( http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List ( http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- The above message is encrypted with double rot13 encoding. Any unauthorized attempt to decrypt it will be prosecuted to the full extent of the law. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Hacker problem
So we aren't actually validating "where" the data is coming from, we are just validating the data? -Original Message- From: Leif K-Brooks [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 12, 2003 8:57 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: [PHP] Hacker problem if(stristr($text,'badword') or stristr($text,'badword2') or strlen($text) > maxlength){ die('Invalid!'); } [EMAIL PROTECTED] wrote: So how could you validate it server-side? -Original Message- From: Leif K-Brooks [ mailto:[EMAIL PROTECTED] Sent: Wednesday, March 12, 2003 8:41 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: [PHP] Hacker problem That's can still easily be spoofed. The only safe way is to validate the form server-side. [EMAIL PROTECTED] wrote: Yes, theoretically...you could require it to be posted data. In order to do this you would have to make sure "registered_globals" is set to "off" in your php.ini and then for each variable posted from your form you will need to do something like this $name=$_POST["name"]; This will only post the variables if they have been "posted." Then you could use the referrer along with this and it will only allow data from that specific form. Hope this helps! Brian Drexler -Original Message- From: Pag [ mailto:[EMAIL PROTECTED] Sent: Wednesday, March 12, 2003 8:35 AM To: [EMAIL PROTECTED] Subject: [PHP] Hacker problem Been having some hacker problems on my site, and a simple one: I have a shoutbox, a simple form with name and text that adds lines to the database. I do checks for insults, too long words, tags, etc, but its still possible to circumvent those checks by adding the data on the url instead of using the form. something like: www.domain.com/shoutb.php?name=hacker&text=generalnonsenseandbadwords To prevent this, i tried tracing the http_referral so that only data from inside the site goes into the shoutbox. 
THe problem is that if you do that url above after visiting my site, the http_referral obviously thinks its coming from inside the site. :-P How can i solve this? Is there any way to prevent data adding from outside? Maybe some invisible check on the form or something? Thanks. Pag -- The above message is encrypted with double rot13 encoding. Any unauthorized attempt to decrypt it will be prosecuted to the full extent of the law. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Hacker problem
Swear filtering is easy, I want to know how to make sure the data is coming from MY formI'm just picky like that. :-) -Original Message- From: Adam Voigt [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 12, 2003 8:55 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: RE: [PHP] Hacker problem Why don't you just do the swear filtering on shoutb.php, or wherever it's actually being inserted into the database? On Wed, 2003-03-12 at 08:51, [EMAIL PROTECTED] wrote: How would one go about doing this? -Original Message- From: Dan Hardiker [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 12, 2003 8:44 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: [PHP] Hacker problem This could still be faked easily with a telnet session and some fake http headers. Your only way of making sure is to create a serverside script which filters the data. > Yes, theoretically...you could require it to be posted data. In order > to do this you would have to make sure "registered_globals" is set to > "off" in your php.ini and then for each variable posted from your form > you will need to do something like this > > $name=$_POST["name"]; > > This will only post the variables if they have been "posted." Then you > could use the referrer along with this and it will only allow data from > that specific form. Hope this helps! > > Brian Drexler > > -Original Message- > From: Pag [mailto:[EMAIL PROTECTED] > Sent: Wednesday, March 12, 2003 8:35 AM > To: [EMAIL PROTECTED] > Subject: [PHP] Hacker problem > > > > Been having some hacker problems on my site, and a simple one: > > I have a shoutbox, a simple form with name and text that adds > lines to the > database. I do checks for insults, too long words, tags, etc, but its > still > possible to circumvent those checks by adding the data on the url > instead > of using the form. 
something like: > > > www.domain.com/shoutb.php?name=hacker&text=generalnonsenseandbadwords > > To prevent this, i tried tracing the http_referral so that only > data from > inside the site goes into the shoutbox. THe problem is that if you do > that > url above after visiting my site, the http_referral obviously thinks > its > coming from inside the site. :-P > How can i solve this? Is there any way to prevent data adding from > outside? Maybe some invisible check on the form or something? > > Thanks. > > Pag > > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php -- Dan Hardiker [EMAIL PROTECTED] ADAM Software & Systems Engineer First Creative -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- Adam Voigt ([EMAIL PROTECTED]) The Cryptocomm Group My GPG Key: http://64.238.252.49:8080/adam_at_cryptocomm.asc -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Hacker problem
How would one go about doing this? -Original Message- From: Dan Hardiker [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 12, 2003 8:44 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: [PHP] Hacker problem This could still be faked easily with a telnet session and some fake http headers. Your only way of making sure is to create a serverside script which filters the data. > Yes, theoretically...you could require it to be posted data. In order > to do this you would have to make sure "registered_globals" is set to > "off" in your php.ini and then for each variable posted from your form > you will need to do something like this > > $name=$_POST["name"]; > > This will only post the variables if they have been "posted." Then you > could use the referrer along with this and it will only allow data from > that specific form. Hope this helps! > > Brian Drexler > > -Original Message- > From: Pag [mailto:[EMAIL PROTECTED] > Sent: Wednesday, March 12, 2003 8:35 AM > To: [EMAIL PROTECTED] > Subject: [PHP] Hacker problem > > > > Been having some hacker problems on my site, and a simple one: > > I have a shoutbox, a simple form with name and text that adds > lines to the > database. I do checks for insults, too long words, tags, etc, but its > still > possible to circumvent those checks by adding the data on the url > instead > of using the form. something like: > > > www.domain.com/shoutb.php?name=hacker&text=generalnonsenseandbadwords > > To prevent this, i tried tracing the http_referral so that only > data from > inside the site goes into the shoutbox. THe problem is that if you do > that > url above after visiting my site, the http_referral obviously thinks > its > coming from inside the site. :-P > How can i solve this? Is there any way to prevent data adding from > outside? Maybe some invisible check on the form or something? > > Thanks. 
> > Pag > > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php -- Dan Hardiker [EMAIL PROTECTED] ADAM Software & Systems Engineer First Creative -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Hacker problem
Yes, theoretically...you could require it to be posted data. In order to do this you would have to make sure "registered_globals" is set to "off" in your php.ini and then for each variable posted from your form you will need to do something like this

$name=$_POST["name"];

This will only post the variables if they have been "posted." Then you could use the referrer along with this and it will only allow data from that specific form. Hope this helps!

Brian Drexler

-Original Message-
From: Pag [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 8:35 AM
To: [EMAIL PROTECTED]
Subject: [PHP] Hacker problem

Been having some hacker problems on my site, and a simple one:

I have a shoutbox, a simple form with name and text that adds lines to the database. I do checks for insults, too long words, tags, etc, but it's still possible to circumvent those checks by adding the data on the url instead of using the form. something like:

www.domain.com/shoutb.php?name=hacker&text=generalnonsenseandbadwords

To prevent this, i tried tracing the http_referral so that only data from inside the site goes into the shoutbox. The problem is that if you do that url above after visiting my site, the http_referral obviously thinks it's coming from inside the site. :-P

How can i solve this? Is there any way to prevent data adding from outside? Maybe some invisible check on the form or something?

Thanks.

Pag
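The unique_id idea from the double-submit thread and the server-side checks the "Hacker problem" thread settles on, combined in one handler. This is an added example, not code from any poster; the function names, the `form_tokens` session key, the limits and the word list are assumptions, and plain arrays stand in for `$_SESSION` and `$_POST` so it runs from the command line.

```php
<?php
// Added example (not code from the thread). The function names, the
// 'form_tokens' session key, the limits and the word list are assumptions.

const TOKEN_TTL = 900;   // seconds a rendered form stays valid
const MAX_NAME  = 30;
const MAX_TEXT  = 200;
const BANNED    = ['badword', 'badword2'];   // placeholders, as in the thread

// Render time: remember a random token server-side and embed it in the form
// as <input type="hidden" name="token" value="...">.
function issue_form_token(array &$session, int $now): string
{
    $token = bin2hex(random_bytes(16));
    $session['form_tokens'][$token] = $now + TOKEN_TTL;
    return $token;
}

// Submit time: the token must be one issued to this session, must not have
// expired, and is deleted on first use, so a refresh or replay fails.
function consume_form_token(array &$session, $token, int $now): bool
{
    if (!is_string($token) || !isset($session['form_tokens'][$token])) {
        return false;
    }
    $expires = $session['form_tokens'][$token];
    unset($session['form_tokens'][$token]);
    return $now <= $expires;
}

// Content checks run on the server for every request, whatever sent it.
// Returns null when the input is acceptable, otherwise the reason.
function validate_shout($name, $text): ?string
{
    if (!is_string($name) || !is_string($text)) return 'bad field type';
    if ($name === '' || strlen($name) > MAX_NAME) return 'bad name length';
    if ($text === '' || strlen($text) > MAX_TEXT) return 'bad text length';
    if ($name !== strip_tags($name) || $text !== strip_tags($text)) return 'tags not allowed';
    foreach (BANNED as $word) {
        if (stripos($text, $word) !== false) return 'banned word';
    }
    return null;
}

// Returns [accepted, reason]. $post stands in for $_POST, $session for $_SESSION.
function handle_submission(string $method, array $post, array &$session, int $now): array
{
    if ($method !== 'POST') {
        return [false, 'POST required'];
    }
    if (!consume_form_token($session, $post['token'] ?? null, $now)) {
        return [false, 'missing, unknown or used token'];
    }
    $error = validate_shout($post['name'] ?? null, $post['text'] ?? null);
    if ($error !== null) {
        return [false, $error];
    }
    // A real handler stores the row with a parameterised query here and
    // escapes on output: htmlspecialchars($text, ENT_QUOTES, 'UTF-8').
    return [true, 'stored'];
}

// Constructed requests against an in-memory session.
$session = [];
$now     = 1047476100;   // constructed timestamp
$token   = issue_form_token($session, $now);
$good    = ['token' => $token, 'name' => 'Pag', 'text' => 'hello list'];

$cases = [
    'query-string GET' => ['GET',  ['name' => 'x', 'text' => 'y']],
    'POST, no token'   => ['POST', ['name' => 'x', 'text' => 'y']],
    'first submit'     => ['POST', $good],
    'refresh (replay)' => ['POST', $good],
];
foreach ($cases as $label => [$method, $post]) {
    [$ok, $why] = handle_submission($method, $post, $session, $now + 5);
    printf("%-18s %s (%s)\n", $label, $ok ? 'accepted' : 'rejected', $why);
}
```

The token only ties a submission to a session that was served the form; a client that loads the form first still gets one, so `validate_shout()` remains the check that decides what reaches the database.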
[PHP] Shipment Tracking/UPS
Ok, here's what I've got and it's driving me insane. What I want to do is take a tracking number and grab the tracking data from the UPS web site. I have a couple of questions though.

First of all, does anyone know if this is against UPS' TOS? I read it but I didn't really see anything, of course IANAL, so I might have missed something.

Second, I assume this is best done using CURL. I can get the shipment information just fine, but when I try to use the POST method to get the "Detailed Information" it does not display any of the detailed info, just some of the UPS page with some broken images. I'm not concerned about getting images or anything else to show up, all I want is to be able to grab the data from the source. Here's my code... any help would be greatly appreciated.

//This function gets the data... all you need is the tracking number
function GetUPSTrackingInfo($TrackingNumber1, $TrackingNumber2, $TrackingNumber3, $TrackingNumber4, $TrackingNumber5) {
    // Strip spaces, then URL-encode each value before it goes into the query string
    $TrackingNumber1=urlencode(str_replace(" ","",$TrackingNumber1));
    $TrackingNumber2=urlencode(str_replace(" ","",$TrackingNumber2));
    $TrackingNumber3=urlencode(str_replace(" ","",$TrackingNumber3));
    $TrackingNumber4=urlencode(str_replace(" ","",$TrackingNumber4));
    $TrackingNumber5=urlencode(str_replace(" ","",$TrackingNumber5));
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_PROXY, "http://my.proxy.server:3128");
    curl_setopt($ch, CURLOPT_URL,"http://wwwapps.ups.com/WebTracking/processInputRequest?HTMLVersion=5.0&sort_by=status&term_warn=yes&tracknums_displayed=5&TypeOfInquiryNumber=T&loc=en_US&InquiryNumber1=$TrackingNumber1&InquiryNumber2=$TrackingNumber2&InquiryNumber3=$TrackingNumber3&InquiryNumber4=$TrackingNumber4&InquiryNumber5=$TrackingNumber5&AgreeToTermsAndConditions=yes&track.x=30&track.y=4");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
    $result=curl_exec ($ch);
    curl_close ($ch);
    echo $result;
}

function PostCurlPage ($pageSpec, $data) {
    $agent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)";
    $header = array();
    $header[] = "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1";
    $header[] = "Pragma: no-cache";
    $header[] = "Connection: keep-alive";
    // The HTTP request header is spelled "Referer"
    $header[] = "Referer: http://wwwapps.ups.com/WebTracking/processInputRequest";
    $ch = curl_init($pageSpec);
    curl_setopt($ch, CURLOPT_PROXY, "http://my.proxy.server:3128");
    curl_setopt($ch, CURLOPT_USERAGENT, $agent);
    curl_setopt ($ch, CURLOPT_HTTPHEADER, $header);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    // Return the response body from curl_exec() so it ends up in $tmp
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $tmp=curl_exec ($ch);
    curl_close ($ch);
    //return $tmp;
    echo "$tmp";
}

$data="TypeOfInquiryNumber=T&tracknums_displayed=5&HTMLVersion=5.0&AgreeToTermsAndConditions=yes&loc=en_US&sort_by=status&line1=DataSpecificToTrackingNumber&NumberDetailLines=1&tdts1_x=18&tdts1_y=10";
PostCurlPage("http://wwwapps.ups.com/WebTracking/processRequest",$data);

This doesn't work... I can't seem to figure it out. I took out DataSpecificToTrackingNumber... but if you need it I'll send it your way.

GetUPSTrackingInfo("TheTrackingNumber","","","","");

Works just fine...
RE: [PHP] Preventing the "hijacking" of pictures
What about using a MySQL database? Insert the picture into a field in a table, then use a php script to call the data. I've been working on something like this. Is it practical, or am I barking up the wrong tree?

-----Original Message-----
From: John W. Holmes [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 27, 2003 12:20 PM
To: 'merlin'; [EMAIL PROTECTED]
Subject: RE: [PHP] Preventing the "hijacking" of pictures

> I recently discovered the reason why the traffic is rising so high on my server. Some people are "stealing" bandwidth. They include the link of an image into a forum posting. Now every time somebody reads this thread on the other site this image is served by my server!! No one cares about one image, but they become dramatically a lot!
>
> Is there a reason how to find out that the image is not included into my html code, but into the other site code?
>
> A great idea would be showing a kind of a watermark on this images if they are included inside other websites.
>
> $_SERVER[HTTP_REFERRER] does not help. But there might be another method I do not know of.
>
> Thank you for any help and hints on this topic!

The best way to handle this is probably with your web server. There are some rewrite rules that you can apply to the images/ directory that'll redirect a request for an image to another image if the request doesn't come from your site. We used to do this on a site I helped run. If someone tried to hotlink to one of our images, they got an ad for some rather queer looking male swimsuits... :)

Or, the other option is to implement this in PHP. Store your images outside of the web root. Serve them all up through a PHP page. foo.php will make sure that the request is valid by possibly checking a session value or HTTP_REFERRER. If the request is valid, send the headers and use readfile() to send the image data. If it's not, send the data for another image or nothing.

The downside to this is it's harder to manage and all image requests will be running through PHP pages.

---John W. Holmes...

PHP Architect - A monthly magazine for PHP Professionals. Get your copy today. http://www.phparch.com/
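An added sketch of the PHP option described in the reply above (images kept outside the web root and served by a script after a session check); it is not code from the thread. The directory layout, the `site_visitor` session key and the function names are assumptions, and the file-name check is there because a script that passes a request parameter to `readfile()` must not be steerable to other files.

```php
<?php
// Added example, not code from the thread; paths and names are hypothetical.

const IMAGE_TYPES = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

// Map a requested name to a file inside $baseDir, or null.
function resolve_image(string $baseDir, string $requested): ?string
{
    // Plain file name only: no slashes, and the only dot is the extension.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(jpg|png|gif)\z/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested);
    // realpath() resolves symlinks, so a link pointing outside is caught here.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Decide what to send: [status, content type, path].
// $session stands in for $_SESSION, set by the site's own pages.
function image_response(string $baseDir, string $requested, array $session): array
{
    if (empty($session['site_visitor'])) {
        return [403, null, null];
    }
    $path = resolve_image($baseDir, $requested);
    if ($path === null) {
        return [404, null, null];
    }
    return [200, IMAGE_TYPES[pathinfo($requested, PATHINFO_EXTENSION)], $path];
}

// What foo.php would do with the decision in a real request.
function send_image(array $response): void
{
    [$status, $type, $path] = $response;
    http_response_code($status);
    if ($status === 200) {
        header('Content-Type: ' . $type);
        header('X-Content-Type-Options: nosniff');
        readfile($path);
    }
}

// Constructed demo: a temporary directory stands in for the image store.
$dir = sys_get_temp_dir() . '/img_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/cat.jpg', 'placeholder bytes');
foreach (['cat.jpg', '../cat.jpg', 'cat.php', 'missing.png'] as $name) {
    printf("%-12s with session: %d  without: %d\n", $name,
        image_response($dir, $name, ['site_visitor' => true])[0],
        image_response($dir, $name, [])[0]);
}
unlink($dir . '/cat.jpg');
rmdir($dir);
```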
[PHP] Escape Characters
Hi All,

I'm running a script that reads the contents of images and stores them in a MySQL database. The problem I'm running into is that my server is seeing "\" as escape characters and stripping them out. I assume this has something to do with "Magic Quotes" or something of that nature but I'm not exactly sure which variable I'm playing with. For the time being I'm replacing any "\" with "\\" so it only escapes one of them, but I'm sure this is not the correct solution. If anyone has any idea what I'm doing wrong any info would be greatly appreciated. I apologize if this has already been discussed but I could not find it in the archive. Maybe I was searching for the wrong thing? Please help.

Thanks in advance,
Brian Drexler
RE: [PHP] output problem
You could try something like this (did not test):

"); print (" $count $user\n"); print ("");

-----Original Message-----
From: Chris Grigor [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 23, 2002 9:48 AM
To: [EMAIL PROTECTED]; Php-General-List (E-mail)
Subject: [PHP] output problem

Howdi All

Some of you might laugh at this but I can't get this to work. I'm doing a count on a field and want to display the result. Here is an example...

"); print (" $line->user\n"); print (""); } ?>

What am I missing as it returns no value at all from $line->user, should I be doing this differently??

Thank you
Chris
RE: [PHP] uh, oh errors?
What are some benefits to using output buffering versus just letting it generate as it goes?

-----Original Message-----
From: Kevin Stone [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 16, 2002 1:24 PM
To: PHP-general
Subject: Fw: [PHP] uh, oh errors?

Don't feel bad about this. This is something that messes a lot of people up. The browser knows where your headers end and where content begins by adding a blank line between the headers and the rest of the page. ALL headers must come before any content is printed to the page. PHP will give you that error if you attempt to write a new header. So in fact your problem is not on Line 13.. but is actually on Line 11. There are at least two ways to avoid this...

1. Don't print content before headers. :)
2. Use output buffering to write the whole page before it is outputted to the browser.

Hope this helps,
-Kevin

----- Original Message -----
From: "Jas" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, May 16, 2002 11:10 AM
Subject: [PHP] uh, oh errors?

> Not sure how to resolve this, looked at php.net for the headers available and this is the error I am receiving:
>
> Warning: Cannot add header information - headers already sent by (output started at /path/to/connection/script/db.php:6) in /path/to/login/checking file/auth_done.php on line 13
>
> Here is the code that is in auth_done.php:
>
> session_start();
> require '/path/to/login/checking file/db.php';
> $db_table = 'auth_users';
> $sql = "SELECT * from $db_table WHERE un = \"$u_name\" AND pw = password(\"$p_word\")";
> $result = @mysql_query($sql,$dbh) or die("Couldn't execute query");
> $num = mysql_numrows($result);
> if ($num !=0) {
> session_register('u_name');
> session_register('p_word');
> $msg_success = "Good freakin job poindexter!!";
> } else {
> header ("Location: index.php"); // This is line 13 that is my error generator
> }
>
> This is the code for the db.php script:
> $dbh = mysql_connect('localhost','username','password') or die('Could not connect to database, please try again later');
> mysql_select_db('db_name') or die('Could not select database, please try again later');
> ?>
>
> Any help would be great! I am assuming there is another way to redirect users besides the header function, just not sure what it is or how to use it. Thanks in advance,
> Jas
RE: [PHP] Self Destruct code
Or you could set up an automated "IMAP Account Creator." That should pretty much take care of things from the way things sound around here :-)

-----Original Message-----
From: Cal Evans [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 07, 2002 11:15 AM
To: PHPCoder; php-general
Subject: RE: [PHP] Self Destruct code

IANAL! It's against the law in most states to create booby-traps in your code. As others have suggested, don't turn over the code until you've received payment. IMHO, you really should have specified the payment schedule in your contract.

=C=
*
* Cal Evans
* Journeyman Programmer
* Techno-Mage
* http://www.calevans.com
*

-----Original Message-----
From: PHPCoder [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 07, 2002 3:20 AM
To: php-general
Subject: [PHP] Self Destruct code

Hi

I have a funny request; I wrote a system for a client and am rather concerned that I am not going to receive payment for the work done. They want me to hand over the code before they are willing to pay, so basically I will be left at their mercy; if they don't pay, they will still have a working version of the system...

So, is there any way I can inconspicuously code in some boo-boo's that are time related etc. Something that will bomb the mysql tables or break some code if it is not "unlocked" within a month etc. I'm not sure if people out there might have existing safeguard tools etc, so I'm open for suggestions.

PS, I know about Zend's encrypter, but since it will live on their server, I don't think it will help much since they will need the decrypter on there anyway right?

Thanks
RE: [PHP] Creating mail account on Linux server
Ok, so it's a bad idea :-) I'm aware of the security risks I'm dealing with here, but thanks to all those who gave me some ideas to go with. This WILL NOT be on a production machine, it's on my internal network and I'm just playing with it to see what I can do. Have a nice day and thanks to all for the help.

-----Original Message-----
From: Dan Hardiker [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 07, 2002 10:47 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Creating mail account on Linux server

>> I'm curious about the same thing. RedHat 7.2 with default IMAP.
>>
> How can I create a mail account on Linux server with PHP ?

If you check the list, you will see a reply from myself with a list of questions you need to answer for us to begin to help you.

> In general, if people need to ask such a question, then they really are not ready, or do not understand the security implications of creating mail accounts on a server.

I agree with Jason here.

1. An IMAP account != a mail account, that's just a MAA (Mail Access Agent) which allows you to read mail from a file/dir/storage space on your machine. I use Courier IMAP for that (using ./Maildir).
2. We need to know your MTA and MDA in order to even begin to help
3. On a "default" RedHat setup you need root access (as in you need give your php script root access) in order to perform what you're asking. If that doesn't ring alarm bells, please type "halt" at your RedHat console now.

> The first thing you need to ask yourself is why would you want to do it?

For the most part, I use these sort of functions from a PHP script to administrate my system and give customers automated access to modify their own domains. (This is all done through a MySQL firewall [as in data gets put into MySQL from the interface, and then read by backend scripts that do the dirty work - unconnected to the frontend interface for security ... in case anyone was about to tell me what they think a firewall is])

Although I can't see these two people having the unix know-how in order to build such a system, let alone securely. I would make some bitchy underhanded comments about their Mother's and the local Amoeba slut relating to their IQ ... but I won't, cuz I'm not like that ;) heh

Jason: what dya recon on people being licensed to be able to run a unix style operating system? heh Hell lets license people to use computers.

--
Dan Hardiker [[EMAIL PROTECTED]]
ADAM Software & Systems Engineer
First Creative Ltd
RE: [PHP] Creating mail account on Linux server
I can create the popuser account, but my problem comes with setting the password. I realize that when you do a "useradd" command you can specify a -p option for password, but it hasn't worked for me. Is there a better way than calling system commands?

-----Original Message-----
From: Jason Wong [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 07, 2002 10:37 AM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Creating mail account on Linux server

On Tuesday 07 May 2002 22:23, [EMAIL PROTECTED] wrote:
> I'm curious about the same thing. RedHat 7.2 with default IMAP.
> > How can I create a mail account on Linux server with PHP ?

In general, if people need to ask such a question, then they really are not ready, or do not understand the security implications of creating mail accounts on a server.

The first thing you need to ask yourself is why would you want to do it?

--
Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

/* I finally went to the eye doctor. I got contacts. I only need them to read, so I got flip-ups. -- Steven Wright */
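An added example, not code from the thread, covering two points raised in this discussion: the split design in which the web front end only queues a request and a separate back-end script does the privileged work, and the `useradd -p` option, which expects a value already hashed with crypt(3) rather than the clear-text password. The table layout, the user-name rule and the function names are assumptions; an in-memory SQLite table stands in for the MySQL queue.

```php
<?php
// Added example, not code from the thread; table and function names are hypothetical.

const USERNAME_RE = '/\A[a-z][a-z0-9_]{2,15}\z/';
const SHA512_CRYPT_RE = '/\A\$6\$[A-Za-z0-9.\/]{16}\$[A-Za-z0-9.\/]{86}\z/';

// Front end (web server user, no special privileges): validate and queue only.
function queue_account(PDO $db, string $user, string $password): bool
{
    if (!preg_match(USERNAME_RE, $user) || strlen($password) < 10) {
        return false;
    }
    // Queue a crypt(3) SHA-512 hash, never the clear-text password.
    $salt = '$6$' . strtr(base64_encode(random_bytes(12)), '+', '.') . '$';
    $stmt = $db->prepare('INSERT INTO account_requests (username, pw_hash) VALUES (?, ?)');
    return $stmt->execute([$user, crypt($password, $salt)]);
}

// Back end (separate script run with the needed privileges, not reachable
// from the web): treat each queued row as untrusted and validate it again,
// then build an argument vector so no shell parses the values.
function build_useradd_argv(array $row): ?array
{
    if (!preg_match(USERNAME_RE, $row['username'])
        || !preg_match(SHA512_CRYPT_RE, $row['pw_hash'])) {
        return null;
    }
    return ['useradd', '-m', '-p', $row['pw_hash'], $row['username']];
}

// Constructed demo: in-memory SQLite stands in for the MySQL queue table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE account_requests (username TEXT, pw_hash TEXT)');
var_dump(queue_account($db, 'brian', 'a long passphrase'));
var_dump(queue_account($db, 'bob;id', 'a long passphrase'));   // refused at the front end
// A row that did not come through queue_account() is refused by the back end.
$db->exec("INSERT INTO account_requests VALUES ('--help', 'plaintext')");
foreach ($db->query('SELECT username, pw_hash FROM account_requests') as $row) {
    $argv = build_useradd_argv($row);
    // The demo only prints; a worker would pass $argv to proc_open() (PHP 7.4+).
    echo $row['username'], ': ', $argv === null ? 'rejected' : implode(' ', $argv), "\n";
}
```

`useradd -p` places the hash on the command line, where other local users can see it in the process list; `chpasswd -e` reading from standard input avoids that.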
RE: [PHP] Creating mail account on Linux server
I'm curious about the same thing. RedHat 7.2 with default IMAP.

-----Original Message-----
From: Jason Wong [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 07, 2002 10:06 AM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Creating mail account on Linux server

On Tuesday 07 May 2002 22:02, Rosen wrote:
> Hi,
> How can I create a mail account on Linux server with PHP ?

Depends on what mail server you have and how it is set up.

> Can I do it ?

In theory yes.

--
Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

/* Don't tell me what you dreamed last night for I've been reading Freud. */