[PHP-DOC] cvs: phpdoc /en/reference/session reference.xml
sas Tue Dec 17 05:17:30 2002 EDT Modified files: /phpdoc/en/reference/sessionreference.xml Log: remove the unfounded paranoia from the documentation. also improve some paragraphs further. Index: phpdoc/en/reference/session/reference.xml diff -u phpdoc/en/reference/session/reference.xml:1.25 phpdoc/en/reference/session/reference.xml:1.26 --- phpdoc/en/reference/session/reference.xml:1.25 Tue Dec 3 13:21:04 2002 +++ phpdoc/en/reference/session/reference.xml Tue Dec 17 05:17:29 2002 @@ -1,5 +1,5 @@ ?xml version=1.0 encoding=iso-8859-1? -!-- $Revision: 1.25 $ -- +!-- $Revision: 1.26 $ -- reference id=ref.session titleSession handling functions/title titleabbrevSessions/titleabbrev 
@@ -59,38 +59,29 @@ section id=session.security titleSessions and security/title para - Using sessions, does not mean, you can be absolutely sure, that - the session data can only be viewed by that user. This is important - to keep in mind, when storing and displaying sensitive - information. When storing data into a session, one should always - ask themselves, what the damage is, when somebody else views that - information, or how your application is affected when this session - is actually somebody else. -/para -para - For instance, if somebody else takes a session, can he then post - a message in a forum, as that user and how big of a problem is - that? Or perhaps he can view what the original user was thinking - of ordering, because he gets access to that user's shopping cart. - Obviously for a flowershop, this is less dramatic, than for a - pharmacy. -/para -para - Therefore, when dealing with sensitive information, there should - always be additional methods to decide whether it is a valid - session. Sessions are not reliable as a secure authentication - mechanism. -/para -para - Sessions rely on the session ID, meaning one can 'steal' a - session, by stealing the session ID. This can be made harder, by - using a cookie specifically a session cookie, but does not in any - way make it impossible and still relies on the user closing all - browser windows, to expire the session cookie. - Besides that, even session cookies can be sniffed on a network or - logged by a proxyserver. + The session module cannot guarantee that the information you store + in a session is only viewed by the user who created the session. You need + to take additional measures to actively protect the integrity of the + session, depending on the value associated with it. +/para +para + Assess the importance of the data carried by your sessions and deploy + addditional protections -- this usually comes at a price, reduced + convenience for the user. 
For example, if you want to protect users from + simple social engineering tactics, you need to enable + session.use_only_cookies. In that case, cookies must be enabled + unconditionally. +/para +para + There are several ways to leak an existing session id to third parties. + A leaked session id enables the third party to access all resources which + are associated with a specific id. First, URLs carrying session ids. If + you link to an external site, the URL including the session id might be + stored in the external site's referrer logs. Second, a more active + attacker might listen to your network traffic. If it is not encrypted, + session ids will flow in plain text over the network. The solution here + is to implement SSL on your server and make it mandatory for users. /para - /section section id=session.requirements reftitle.required; @@ -100,7 +91,11 @@ Optionally you can use shared memory allocation (mm), developed by Ralf S. Engelschall, for session storage. You have to download ulink url=url.mm;mm/ulink and install it. This option is not - available for Windows platforms. + available for Windows platforms. Note that the session storage module + for mm does not guarantee that concurrent accesses to the same session + are properly locked. It might be more appropiate to use a shared memory + based filesystem (such as tmpfs on Solaris/Linux, or /dev/md on BSD) to + store sessions in files, because they are properly locked. /para /note /section @@ -265,18 +260,16 @@ linkend=ini.register-globalsliteralregister_globals/literal/link is enabled, then the global variables and the varname$_SESSION/varname entries will automatically reference the - same value for session variables which were registered in prior session - instances. + same values which were registered in the prior session instance. /para para - Additionally, if you register a new session variable by using -
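Review bot: "addditional" is misspelled in the second added paragraph of the session.security hunk ("deploy addditional protections"). In the same paragraph session.use_only_cookies is recommended without saying what it changes. The first leak in the next paragraph ("URLs carrying session ids" ending up in an external site's referrer logs) is the case that directive addresses, so name it there as the countermeasure, the way SSL is named for the sniffing case. The removed text also covered session ids being logged by a proxy server; the new leak list drops that case and it is worth keeping as a third item.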
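Review bot: "appropiate" in the added mm note (hunk at -100,7) should be "appropriate". The closing clause "because they are properly locked" has no clear antecedent; something like "because access to session files is properly locked" would match the preceding sentence about concurrent accesses to the same session.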
[PHP-DOC] cvs: phpdoc /en/reference/session/functions session-is-registered.xml session-register.xml session-unregister.xml
sas Tue Dec 17 05:30:05 2002 EDT Modified files: /phpdoc/en/reference/session/functions session-is-registered.xml session-register.xml session-unregister.xml Log: improvements Index: phpdoc/en/reference/session/functions/session-is-registered.xml diff -u phpdoc/en/reference/session/functions/session-is-registered.xml:1.3 phpdoc/en/reference/session/functions/session-is-registered.xml:1.4 --- phpdoc/en/reference/session/functions/session-is-registered.xml:1.3 Sun Jun 16 03:11:03 2002 +++ phpdoc/en/reference/session/functions/session-is-registered.xml Tue Dec 17 +05:30:05 2002 @@ -1,11 +1,11 @@ ?xml version=1.0 encoding=iso-8859-1? -!-- $Revision: 1.3 $ -- +!-- $Revision: 1.4 $ -- !-- splitted from ./en/functions/session.xml, last change in rev 1.8 -- refentry id=function.session-is-registered refnamediv refnamesession_is_registered/refname refpurpose - Find out if a variable is registered in a session + Find out whether a global variable is registered in a session /refpurpose /refnamediv refsect1 @@ -16,7 +16,7 @@ /methodsynopsis para functionsession_is_registered/function returns true; if there - is a variable with the name parametername/parameter + is a global variable with the name parametername/parameter registered in the current session. /para note Index: phpdoc/en/reference/session/functions/session-register.xml diff -u phpdoc/en/reference/session/functions/session-register.xml:1.5 phpdoc/en/reference/session/functions/session-register.xml:1.6 --- phpdoc/en/reference/session/functions/session-register.xml:1.5 Fri Oct 4 05:44:35 2002 +++ phpdoc/en/reference/session/functions/session-register.xml Tue Dec 17 05:30:05 +2002 
@@ -1,11 +1,11 @@ ?xml version=1.0 encoding=iso-8859-1? -!-- $Revision: 1.5 $ -- +!-- $Revision: 1.6 $ -- !-- splitted from ./en/functions/session.xml, last change in rev 1.2 -- refentry id=function.session-register refnamediv refnamesession_register/refname refpurpose - Register one or more variables with the current session + Register one or more global variables with the current session /refpurpose /refnamediv refsect1 @@ -24,6 +24,14 @@ /para caution para + If you want your script to work regardless of register_globals, you need + to use the $_SESSION array. All $_SESSION entries are automatically + registered. If your script uses session_register(), it will not work in + environments where register_globals is disabled. + /para +/caution +caution + para This registers a emphasisglobal/emphasis variable. If you want to register a session variable from within a function, you need to make sure to make it global using the 
@@ -70,21 +78,21 @@ /para note para - It is not currently possible to register resource variables in a - session. For example, you can not create a connection to a + It is currently impossible to register resource variables in a + session. For example, you cannot create a connection to a database and store the connection id as a session variable and expect the connection to still be valid the next time the session is restored. PHP functions that return a resource are identified by having a return type of - literalresource/literal in their function definitions. A + literalresource/literal in their function definition. A list of functions that return resources are available in the link linkend=resourceresource types/link appendix. /para para If varname$_SESSION/varname (or varname$HTTP_SESSION_VARS/varname for PHP 4.0.6 or less) is - used, assign variable to - varname$_SESSION/varname. i.e. $_SESSION['var'] = 'ABC'; + used, assign values to + varname$_SESSION/varname. For example: $_SESSION['var'] = 'ABC'; /para /note para Index: phpdoc/en/reference/session/functions/session-unregister.xml diff -u phpdoc/en/reference/session/functions/session-unregister.xml:1.3 phpdoc/en/reference/session/functions/session-unregister.xml:1.4 --- phpdoc/en/reference/session/functions/session-unregister.xml:1.3Sun Jun 16 03:11:03 2002 +++ phpdoc/en/reference/session/functions/session-unregister.xmlTue Dec 17 +05:30:05 2002 @@ -1,11 +1,11 @@ ?xml version=1.0 encoding=iso-8859-1? -!-- $Revision: 1.3 $ -- +!-- $Revision: 1.4 $ -- !-- splitted from ./en/functions/session.xml, last change in rev 1.2 -- refentry id=function.session-unregister refnamediv refnamesession_unregister/refname refpurpose - Unregister a variable from the current session + Unregister a global variable from the current session /refpurpose /refnamediv refsect1 @@
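Review bot: the caution added to session-register.xml (hunk at -24,6) writes register_globals, $_SESSION and session_register() as plain text, while the surrounding files wrap such names in elements (varname$_SESSION/varname in the note further down, functionsession_is_registered/function in session-is-registered.xml); mark them up the same way. The new caution also sits directly in front of the existing "This registers a global variable" caution, so consider making it a second para of that one rather than two caution blocks back to back.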
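Review bot: in the resource note of session-register.xml (hunk at -70,21) the unchanged line "A list of functions that return resources are available" still has a subject-verb mismatch; since this hunk is already polishing the paragraph, change "are" to "is". The edit from "function definitions" to "function definition" on the line above reads worse with the plural "PHP functions" it refers to and could be left as it was.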
[PHP-DOC] cvs: phpdoc /en/reference/session/functions session-cache-expire.xml session-cache-limiter.xml
sas Tue Dec 17 05:36:58 2002 EDT Modified files: /phpdoc/en/reference/session/functions session-cache-expire.xml session-cache-limiter.xml Log: improvements Index: phpdoc/en/reference/session/functions/session-cache-expire.xml diff -u phpdoc/en/reference/session/functions/session-cache-expire.xml:1.3 phpdoc/en/reference/session/functions/session-cache-expire.xml:1.4 --- phpdoc/en/reference/session/functions/session-cache-expire.xml:1.3 Sun Nov 17 06:57:29 2002 +++ phpdoc/en/reference/session/functions/session-cache-expire.xml Tue Dec 17 +05:36:58 2002 @@ -1,5 +1,5 @@ ?xml version=1.0 encoding=iso-8859-1? -!-- $Revision: 1.3 $ -- +!-- $Revision: 1.4 $ -- !-- splitted from ./en/functions/session.xml, last change in rev 1.38 -- refentry id='function.session-cache-expire' refnamediv @@ -19,7 +19,7 @@ current cache expire is replaced with parameternew_cache_expire/parameter. /para para - See also the link linkend=ini.session.cache-expiresession.cache_expire/link + Also see the link linkend=ini.session.cache-expiresession.cache_expire/link configuration directive. /para /refsect1 Index: phpdoc/en/reference/session/functions/session-cache-limiter.xml diff -u phpdoc/en/reference/session/functions/session-cache-limiter.xml:1.4 phpdoc/en/reference/session/functions/session-cache-limiter.xml:1.5 --- phpdoc/en/reference/session/functions/session-cache-limiter.xml:1.4 Sun Nov 17 08:52:05 2002 +++ phpdoc/en/reference/session/functions/session-cache-limiter.xml Tue Dec 17 +05:36:58 2002 @@ -1,5 +1,5 @@ ?xml version=1.0 encoding=iso-8859-1? -!-- $Revision: 1.4 $ -- +!-- $Revision: 1.5 $ -- !-- splitted from ./en/functions/session.xml, last change in rev 1.62 -- refentry id=function.session-cache-limiter refnamediv 
@@ -19,13 +19,13 @@ new value. /para para - The cache limiter controls the cache control HTTP headers sent to the - client. These headers determine the rules by which the page content - may be cached. Setting the cache limiter to literalnocache/literal, - for example, would disallow any client-side caching. A value of - literalpublic/literal, however, would permit caching. It can also - be set to literalprivate/literal, which is slightly more restrictive - than literalpublic/literal. + The cache limiter defines which cache control HTTP headers are sent to + the client. These headers determine the rules by which the page content + may be cached by the client and intermediate proxies. Setting the cache + limiter to literalnocache/literal disallows any client/proxy caching. + A value of literalpublic/literal permits caching by proxies and the + client, whereas literalprivate/literal disallows caching by proxies + and permits the client to cache the contents. /para para In literalprivate/literal mode, the Expire header sent to the @@ -36,7 +36,7 @@ /para note para - literalprivate_no_expire/literal was added in PHP 4.2.0dev. + literalprivate_no_expire/literal was added in PHP 4.2.0. /para /note para @@ -63,7 +63,7 @@ /programlisting /example para - See also the link linkend=ini.session.cache-limitersession.cache_limiter/link + Also see the link +linkend=ini.session.cache-limitersession.cache_limiter/link configuration directive. /para /refsect1 -- PHP Documentation Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
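Review bot: the rewritten cache limiter paragraph in session-cache-limiter.xml (hunk at -19,13) enumerates nocache, public and private but leaves out private_no_expire, which the note a few lines further down documents; add it to the list and say how it differs from private. The context line that follows also calls the header "Expire"; the HTTP header name is Expires, and this would be a good place to correct it.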
[PHP-DOC] #21066 [NEW]: Bug in PHP-Manual (German Translation)
From: [EMAIL PROTECTED]
Operating system: ---
PHP version: 4.2.3
PHP Bug Type: Documentation problem
Bug description: Bug in PHP-Manual (German Translation)

Hello,

please contact the German translators of the php manual. There is a mistake in the translation (while-command).

In php_manual_de.chm I noticed an error under the while statement. It says: "It tells PHP to repeat a statement nested in it until (bis) the while condition evaluates to TRUE." A small translation error, but exactly the opposite of the true state of affairs. Correct would be: "... to repeat it _as long as_ (wie) the while condition evaluates to TRUE."

Greetings
Andreas
[PHP-DOC] #21066 [Opn-Asn]: Bug in PHP-Manual (German Translation)
ID: 21066
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
-Status: Open
+Status: Assigned
Bug Type: Documentation problem
Operating System: ---
PHP Version: 4.2.3

Previous Comments:

[2002-12-17 08:16:59] [EMAIL PROTECTED]

Hello,

please contact the German translators of the php manual. There is a mistake in the translation (while-command).

In php_manual_de.chm I noticed an error under the while statement. It says: "It tells PHP to repeat a statement nested in it until (bis) the while condition evaluates to TRUE." A small translation error, but exactly the opposite of the true state of affairs. Correct would be: "... to repeat it _as long as_ (wie) the while condition evaluates to TRUE."

Greetings
Andreas
[PHP-DOC] #21066 [Asn-Csd]: Bug in PHP-Manual (German Translation)
ID: 21066
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
-Status: Assigned
+Status: Closed
Bug Type: Documentation problem
Operating System: ---
PHP Version: 4.2.3
Assigned To: [EMAIL PROTECTED]

New Comment:

Changed.

Previous Comments:

[2002-12-17 08:16:59] [EMAIL PROTECTED]

Hello,

please contact the German translators of the php manual. There is a mistake in the translation (while-command).

In php_manual_de.chm I noticed an error under the while statement. It says: "It tells PHP to repeat a statement nested in it until (bis) the while condition evaluates to TRUE." A small translation error, but exactly the opposite of the true state of affairs. Correct would be: "... to repeat it _as long as_ (wie) the while condition evaluates to TRUE."

Greetings
Andreas
Re: [PHP-DOC] #21066 [Asn-Csd]: Bug in PHP-Manual (German Translation)
ID: 21066
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
-Status: Assigned
+Status: Closed
Bug Type: Documentation problem
Operating System: ---
PHP Version: 4.2.3
Assigned To: [EMAIL PROTECTED]

Dear Tix,

please only provide your CVS user name in the assigned field, as it is then able to mail notices to you, etc.

Goba
[PHP-DOC] #20601 [Opn]: A simple syntax parse error
ID: 20601
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Open
Bug Type: Documentation problem
Operating System: Windows ME
PHP Version: 4.3.0RC1
Assigned To: philip

New Comment:

Sort of. This is a feature I was not aware of in PHP and imho is sort of a bug :) As it turns out, constants are only seen in strings if:

a) It's an array key
b) {braces} are around the array

So for example, NO E_NOTICE is generated from "a $arr[foo]" but "a {$arr[foo]}" does! And btw, "a {foo}" does not look for the constant foo. And because multidimensional arrays inside strings require {braces} this is an important point. IMHO this behavior of constants inside strings is inconsistent and I'm writing php-dev now! :)

Previous Comments:

[2002-12-17 10:37:35] [EMAIL PROTECTED]

Philip, please do not change that part of the documentation. **It is correct!**. Try with this script:

<?php
error_reporting(E_ALL);
ini_set("display_errors", TRUE);
$arr['foo'][3] = 14;
echo "This is wrong: {$arr[foo][3]}";
echo "This is good: {$arr['foo'][3]}";
?>

For the first echo line, a NOTICE error is echoed out... So the documentation is correct. It may not be clear enough, but it is correct, the example is right.

[2002-12-05 13:49:27] [EMAIL PROTECTED]

As it turns out, the string docs are wrong and contain the following in the example:

// This is wrong for the same reason
// as $foo[bar] is wrong outside a string.
echo "This is wrong: {$arr[foo][3]}";

I'll rewrite this part of the documentation too. $foo[bar] is perfectly fine inside strings, CONSTANTS aren't seen in strings. Anyway, this will be further explained with a more specific example too. And a faq entry :) This question comes up waaay too much these days.

[2002-12-05 13:26:22] [EMAIL PROTECTED]

The string type description includes a lengthy explanation of this AFAIK.

[2002-12-04 19:03:14] [EMAIL PROTECTED]

Btw, this happens when you do:

print "a foo $bar['blah'] eh";

Don't do that. You can do either:

print "a foo {$bar['blah']} eh";
print "a foo $bar[blah] eh";
print "a foo " . $bar['blah'] . " eh";

But when outside of strings always quote your keys:

print $bar[blah]; // bad
print $bar['blah']; // good

Unless of course you defined blah as a constant earlier. Anyway I'm making a faq out of this question and marking as a doc bug because this question comes up a lot especially since 4.1.0 (autoglobals) and 4.2.0 (register_globals default change).

[2002-12-04 18:17:54] [EMAIL PROTECTED]

No feedback was provided. The bug is being suspended because we assume that you are no longer experiencing the problem. If this is not the case and you are able to provide the information that was requested earlier, please do so and change the status of the bug back to "Open". Thank you.

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/20601
[PHP-DOC] Create directory using DSSSL
I'm trying to make a custom DSSSL stylesheet to create a BBEdit Glossary. In BBEdit, you can group similar functions inside a directory, so I want to create:

Apache-specific Functions/
    apache-foo
    apache-bar
Other Functions/
    ...

I can get jade to make the correct chunks and place them in the correct place, but they fail if the directory doesn't already exist.

How do I get jade to automatically create the directory? Or, how do I get jade to let me tell it to create a directory from within the DSSSL stylesheet? (Or, how can I get jade to let me call a remote program, like mkdir?)

I've searched all over for this, but DSSSL isn't quite in vogue any more, so documentation is hard to find.

-adam

PS: I'd prefer not to need to create the directories manually, because then they'll fail if we modify the docs to add or remove new sections.

--
[EMAIL PROTECTED]
author of o'reilly's php cookbook
avoid the holiday rush, buy your copy today!
[PHP-DOC] cvs: phpdoc /en/reference/mssql configure.xml reference.xml
fmk Wed Dec 18 02:27:10 2002 EDT Modified files: /phpdoc/en/reference/mssql configure.xml reference.xml Log: Updating documentation to match the code Index: phpdoc/en/reference/mssql/configure.xml diff -u phpdoc/en/reference/mssql/configure.xml:1.1 phpdoc/en/reference/mssql/configure.xml:1.2 --- phpdoc/en/reference/mssql/configure.xml:1.1 Sat Nov 30 10:33:22 2002 +++ phpdoc/en/reference/mssql/configure.xml Wed Dec 18 02:27:10 2002 @@ -1,10 +1,15 @@ ?xml version=1.0 encoding=iso-8859-1? -!-- $Revision: 1.1 $ -- +!-- $Revision: 1.2 $ -- section id=mssql.installation reftitle.install; para The MSSQL extension is enabled by adding extension=php_mssql.dll to php.ini;. + /para + para + To get these functions to work, you have to compile PHP with + option role=configure--with-mssql=[DIR]/option, where DIR is the + FreeTDS install prefix. /para /section Index: phpdoc/en/reference/mssql/reference.xml diff -u phpdoc/en/reference/mssql/reference.xml:1.7 phpdoc/en/reference/mssql/reference.xml:1.8 --- phpdoc/en/reference/mssql/reference.xml:1.7 Sat Nov 30 10:33:22 2002 +++ phpdoc/en/reference/mssql/reference.xml Wed Dec 18 02:27:10 2002 @@ -1,5 +1,5 @@ ?xml version=1.0 encoding=iso-8859-1? -!-- $Revision: 1.7 $ -- +!-- $Revision: 1.8 $ -- reference id=ref.mssql titleMicrosoft SQL Server functions/title titleabbrevMS SQL Server/titleabbrev @@ -10,18 +10,14 @@ para These functions allow you to access MS SQL Server database. /para -note - para - The MSSQL extension is available on Win32 systems only. You can - use the link linkend=ref.sybaseSybase extension/link to connect to - MSSQL databases from other platforms. - /para -/note /section section id=mssql.requirements reftitle.required; para + Requirements for WIn32 platforms. +/para +para The extension requires the MS SQL Client Tools to be installed on the system where PHP is installed. The Client Tools can be installed from the MS SQL Server CD or by copying 
@@ -30,6 +26,15 @@ filename\winnt\system32/filename on the PHP box. Copying filenamentwdblib.dll/filename will only provide access. Configuration of the client will require installation of all the tools. +/para +para + Requirements for Unix/Linux platforms. +/para +para + To use the MSSQL extension on Unix/Linux, you first need to build and + install the FreeTDS library. Source code and installation instructions + are available at the FreeTDS home page: + ulink url=url.freetds;url.freetds;/ulink /para /section -- PHP Documentation Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
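Review bot: after the configure.xml hunk, mssql.installation gives two instructions with no platform attached: the existing extension=php_mssql.dll line and the added --with-mssql=[DIR] paragraph that refers to the FreeTDS install prefix. State which platform each one applies to, as the requirements section in reference.xml now does, so a reader does not take both as required steps.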
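Review bot: "WIn32" in the added line "Requirements for WIn32 platforms." (reference.xml, hunk at -10,18) is a typo for Win32. That line and "Requirements for Unix/Linux platforms." act as sub-headings but are plain para elements ending in a full stop; a title or a lead-in sentence such as "On Win32 platforms, the extension requires ..." would read better. The last added para also ends at the FreeTDS ulink with no closing period.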