Re: [PHP] Nasty DoS in PHP | Windows only?

2002-04-17 Thread DRaGoNLz


- Original Message -
From: "Jason Murray" <[EMAIL PROTECTED]>
To: "'Jason Soza'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, April 17, 2002 11:36 PM
Subject: RE: [PHP] Nasty DoS in PHP | Windows only?


> > I'd be interested in knowing your versions and the versions
> > of the first guy that posted about this. Maybe he has the same
> > setup as me, or close enough, but both of us are different
> > from you.
>
> Actually, I just thought about it - maybe you guys are both running
> it on Windows (shame on you ;)).
>
> I *have* actually seen PHP bring down IIS with a setcookie command.
> Since a setcookie issues headers, I thought "fine, screw you, I'll
> set the headers myself", and it STILL brought IIS down. And indeed,
> the load *did* skyrocket and require a reboot of the server.

I know what you are saying. I've taken down apache on win32 with setcookie

>
> I asked around here at the time if anyone had experienced this (look
> through the mailing list archive to find it) and at the time got
> more of a congratulatory salute from the list members than any real
> responses :)
>
> Maybe this is more of a PHP-on-IIS issue than an actual security
> issue in PHP.
>

I'm pretty sure they ran PHP on apache, not IIS. Maybe this problem is only
with the win32 version of the PHP module.

Nonetheless, a bug is still a bug. It would be nice if it wasn't there=)

> Jason
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




[PHP] ImageMagik

2002-04-17 Thread Richard Lynch

I have used PHP to generate a series of JPEG files, which after doing:

convert -delay 0 *.jpg animated.gif

make a rather nifty animated GIF file.

Just one tiny problem...

How the heck do 8 files, ~24 K each, turn into 3 *MEGS* worth of animation?...

I mean, I've read the GIF spec, and there just ain't that much there...

I've tried all the reasonable flags to convert I can find in "man" 
and Googled, but got nothing so far...

Please Cc: me...

And, I'm not being stupid, right?...  There's no PHP image_frame() 
right?...

Thanks.




RE: [PHP] Nasty DoS in PHP | Windows only?

2002-04-17 Thread Jason Murray

> I'd be interested in knowing your versions and the versions 
> of the first guy that posted about this. Maybe he has the same 
> setup as me, or close enough, but both of us are different 
> from you. 

Actually, I just thought about it - maybe you guys are both running
it on Windows (shame on you ;)).

I *have* actually seen PHP bring down IIS with a setcookie command.
Since a setcookie issues headers, I thought "fine, screw you, I'll
set the headers myself", and it STILL brought IIS down. And indeed,
the load *did* skyrocket and require a reboot of the server.

I asked around here at the time if anyone had experienced this (look
through the mailing list archive to find it) and at the time got
more of a congratulatory salute from the list members than any real
responses :)

Maybe this is more of a PHP-on-IIS issue than an actual security
issue in PHP.

Jason





RE: [PHP] Nasty DoS in PHP

2002-04-17 Thread Jason Soza

Very odd indeed. Well, here's my setup:
Windoze2K
PHP 4.1.2
Apache 1.3.something
Accessing it via IE 6.0, although this should not have any bearing on
anything

I'd be interested in knowing your versions and the versions of the first guy
that posted about this. Maybe he has the same setup as me, or close enough,
but both of us are different from you. My browser just kept loading and
loading like all was well, while task manager was skipping all over the
place and I had to wait 5 - 10 seconds after I moved my mouse for the cursor
to move. I timed the script, and after 30 secs, it was still going (although
I stopped it soon thereafter to keep from having to reboot). So I reset
php.ini's execution time limit down to 5 seconds and ran it twice more, and
both times it went well past 5 seconds.

Of course, none of this bothers me as I won't be putting while(0>1) {
header("A") } into any of my scripts, nor was I ever planning on it! :)

-Original Message-
From: Jason Murray [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 17, 2002 10:13 PM
To: 'Jason Soza'; [EMAIL PROTECTED]
Subject: RE: [PHP] Nasty DoS in PHP


> Mine produced the same error message as yours, Jason, but the memory
> and CPU usage continued until I hit the 'stop' button on the browser.
> It seemed to have overridden both time and memory limits, as it had
> racked up 320 megs of my RAM by the time I stopped it.

It certainly didn't do that here, but it could be a difference between
RAM, PHP and Apache versions (simple paranoia ;)) that causes it.

PHP clearly sent the error *to my browser* and the browser stopped loading
immediately (thus, the "fatal" error was indeed fatal, and PHP terminated
at that time).

J






Re: [PHP] PHP and Quicktime...

2002-04-17 Thread Michael Zornek

Twas 4/18/02 1:48 AM, when "Pusta" <[EMAIL PROTECTED]> said:

> Hello all,
> 
> I'm new at PHP but learning and loving it.  For a school project, I have to
> use PHP to display a video on a web page using QuickTime.  Can anyone point
> me to where I can get some info on how to do this?

http://developer.apple.com/quicktime/compatibility.html

Has some cool notes and sample embed tags so that your quicktime will be
playable on all platforms with ease...

~ Mike
-- 
Mike Zornek | Project Leader
Apple Student Developers
The Insanely Great Site with the Insanely Long URL
http://www.applestudentdevelopers.org

Personal Site: 
http://www.mikezornek.com






RE: [PHP] Nasty DoS in PHP

2002-04-17 Thread Jason Murray

> Mine produced the same error message as yours, Jason, but the memory 
> and CPU usage continued until I hit the 'stop' button on the browser. 
> It seemed to have overridden both time and memory limits, as it had 
> racked up 320 megs of my RAM by the time I stopped it.

It certainly didn't do that here, but it could be a difference between
RAM, PHP and Apache versions (simple paranoia ;)) that causes it. 

PHP clearly sent the error *to my browser* and the browser stopped loading
immediately (thus, the "fatal" error was indeed fatal, and PHP terminated
at that time).

J





RE: [PHP] Nasty DoS in PHP

2002-04-17 Thread Jason Soza

Mine produced the same error message as yours, Jason, but the memory and CPU
usage continued until I hit the 'stop' button on the browser. It seemed to
have overridden both time and memory limits, as it had racked up 320 megs of
my RAM by the time I stopped it.

Jason

-Original Message-
From: Jason Murray [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 17, 2002 9:57 PM
To: 'CC Zona'; [EMAIL PROTECTED]
Subject: RE: [PHP] Nasty DoS in PHP


> So that was both as an Apache mod and a CGI binary?  Sounds like it's
> reproducible.

Running as an Apache module here, it terminated as expected at 30 seconds.

Jason






RE: [PHP] PHP and Quicktime...

2002-04-17 Thread Martin Towell

you don't need php to do this - use html's  to do it

-Original Message-
From: Pusta [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 18, 2002 3:49 PM
To: [EMAIL PROTECTED]
Subject: [PHP] PHP and Quicktime...


Hello all,

I'm new at PHP but learning and loving it.  For a school project, I have to
use PHP to display a video on a web page using QuickTime.  Can anyone point
me to where I can get some info on how to do this?

Thanks,

Chris







RE: [PHP] Nasty DoS in PHP

2002-04-17 Thread Jason Murray

> So that was both as an Apache mod and a CGI binary?  Sounds like it's 
> reproducible. 

Running as an Apache module here, it terminated as expected at 30 seconds.

Jason





Re: [PHP] Nasty DoS in PHP

2002-04-17 Thread CC Zona

In article <[EMAIL PROTECTED]>,
 [EMAIL PROTECTED] (Jason Soza) wrote:

> Interesting, check out my apache error log:
> [Wed Apr 17 18:35:53 2002] [error] PHP Fatal error:  Maximum execution time
> of 30 seconds exceeded in d:\html\loop.asp on line 7

LOL.  You use *.asp for your PHP scripts?  Wouldn't that be considered 
blasphemous? 

> So PHP recognized the max execution time of 30 seconds being exceeded, but
> neither it nor apache shut down the script.

So that was both as an Apache mod and a CGI binary?  Sounds like it's 
reproducible.  Open a bug report so the developers can track it down.
Even though putting header() into an 
infinite loop sounds like something not to do in general, a bug is still a 
bug even if it's a pretty esoteric one.

-- 
CC





[PHP] PHP and Quicktime...

2002-04-17 Thread Pusta

Hello all,

I'm new at PHP but learning and loving it.  For a school project, I have to
use PHP to display a video on a web page using QuickTime.  Can anyone point
me to where I can get some info on how to do this?

Thanks,

Chris







RE: [PHP] need your help

2002-04-17 Thread Martin Towell

is this a local server you're connecting to (as in, on the same machine as
the script)
if it is, then the ip address would prob. need to be "127.0.0.1" and not
"172.0.0.1"

-Original Message-
From: Waty [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 18, 2002 1:29 PM
To: [EMAIL PROTECTED]
Subject: [PHP] need your help


Hi,

i got error when open the imap:
my code : 

$mail_server = "172.0.0.1";
$mail_port = "143";
$utf_box = 1;
$mail_id = "username";
$mail_pass = "password";

$open_mail_box = "{".$mail_server.":".$mail_port."}INBOX.".$utf_box;
$mbox = imap_open($open_mail_box, $mail_id, $mail_pass);

error:
Couldn't open stream {172.0.0.1:143}INBOX.1 

Please help thanks a lot

Regards
Waty





[PHP] need your help

2002-04-17 Thread Waty

Hi,

i got error when open the imap:
my code : 

$mail_server = "172.0.0.1";
$mail_port = "143";
$utf_box = 1;
$mail_id = "username";
$mail_pass = "password";

$open_mail_box = "{".$mail_server.":".$mail_port."}INBOX.".$utf_box;
$mbox = imap_open($open_mail_box, $mail_id, $mail_pass);

error:
Couldn't open stream {172.0.0.1:143}INBOX.1 

Please help thanks a lot

Regards
Waty



RE: [PHP] Nasty DoS in PHP

2002-04-17 Thread Jason Murray

> A big "if", since the OP has not yet verified that the time limit and 
> memory limit are in effect at the outset of the loop as supposed.  
> Someone else want to test for this scenario?  Someone, that is, who 
> can deliberately bring down their server without getting kicked 
> off permanently?

Done. Result:

Fatal error: Maximum execution time of 30 seconds exceeded in
/usr/local/apache/virtual/misc/random.phpdev.mit/htdocs/index.php on line 3

Server: Apache/1.3.12 (Unix) PHP/4.0.6

I think that kind of closes this case...

Jason





RE: [PHP] save html created by loop in variable

2002-04-17 Thread Jason Dulberg

Thanks for your reply... I just tried it with ob_start(); and I think I'm
almost on the right track. Just one small issue. Since the records are in a
while loop, the results are printed line by line as expected. However, I
need to print something obtained from the sql query just once then the rest
to loop.

//a.agentname displays only once and h.title/h.address will be in a list
SELECT h.title, h.address, a.agentname FROM homes h, agents a WHERE
h.owner=a.id AND a.id=$aid

Basically what I'm after is displaying something like:

Agent: Fred
nice house, 123 street
ugly house, 643 road

Thanks again for your help on this.

Jason

> -Original Message-
> From: Miguel Cruz [mailto:[EMAIL PROTECTED]]
> Sent: April 17, 2002 8:28 PM
> To: Jason Dulberg
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP] save html created by loop in variable
> 
> 
> On Wed, 17 Apr 2002, Jason Dulberg wrote:
> > I have a WHILE loop that I am interested in storing the html that is
> > generated based on its results to a variable. This variable would then be
> > echoed later on.
> 
> Check in the manual under Output Buffering.
> 
> miguel
> 
> 





RE: [PHP] Nasty DoS in PHP

2002-04-17 Thread Jason Soza

Interesting, check out my apache error log:
[Wed Apr 17 18:35:53 2002] [error] PHP Fatal error:  Maximum execution time
of 30 seconds exceeded in d:\html\loop.asp on line 7

So PHP recognized the max execution time of 30 seconds being exceeded, but
neither it nor apache shut down the script.

Jason

-Original Message-
From: CC Zona [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 17, 2002 7:04 PM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Nasty DoS in PHP


Do you have a PHP binary compiled too?  If Apache can be taken out of the
equation and the script still exceed memory/time limits, that would sure
appear to be a PHP bug. (FWIW, I can't find an existing bug report about
this behavior at bugs.php.net.  Perhaps you and the OP could run backtraces
and open a new bug report?)


In article <[EMAIL PROTECTED]>,
 [EMAIL PROTECTED] (Jason Soza) wrote:

> It shows the memory and CPU time being used by apache. I have PHP
> installed as a module, that may be why. (?)
>
> Jason Soza
>
> - Original Message -
> From: Martin Towell <[EMAIL PROTECTED]>
> Date: Wednesday, April 17, 2002 6:37 pm
> Subject: RE: [PHP] Nasty DoS in PHP
>
> > Is that memory usage used by PHP or apache?
> >
> > -Original Message-
> > From: Jason Soza [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, April 18, 2002 12:35 PM
> > To: CC Zona
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: [PHP] Nasty DoS in PHP
> >
> >
> > For what it's worth, I just ran this script on my server, and despite
> > the 30 second time limit and 8mb memory limit in php.ini, the script
> > ran longer than 30 secs, CPU usage went between 60% and 100% and my
> > memory usage reached 352000 before I stopped it.

--
CC



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
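
An added example, not part of the thread: since the post above shows the limit fatal being logged while the Apache process kept running, the error_log entry is best treated as an alert signal rather than proof that the script stopped. The sketch below parses Apache 1.3-style error_log lines of the shape quoted in the post and flags scripts that hit a PHP time or memory limit repeatedly. The first sample line is the one from the post; the other sample lines, the threshold and the window are constructed assumptions, and the memory-limit wording is PHP's usual "Allowed memory size ... exhausted" message.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches PHP resource-limit fatals as Apache 1.3 writes them to error_log.
LIMIT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] PHP Fatal error:\s+"
    r"(?:Maximum execution time of (?P<secs>\d+) seconds? exceeded"
    r"|Allowed memory size of (?P<bytes>\d+) bytes exhausted.*?)"
    r" in (?P<script>.+) on line (?P<line>\d+)\s*$"
)

# First line is taken from the post; the rest are constructed for the example.
SAMPLE_LOG = [
    r"[Wed Apr 17 18:35:53 2002] [error] PHP Fatal error:  Maximum execution time of 30 seconds exceeded in d:\html\loop.asp on line 7",
    r"[Wed Apr 17 18:36:40 2002] [error] PHP Fatal error:  Maximum execution time of 30 seconds exceeded in D:\html\loop.asp on line 7",
    r"[Wed Apr 17 18:37:15 2002] [error] PHP Fatal error:  Allowed memory size of 8388608 bytes exhausted (tried to allocate 35 bytes) in d:\html\loop.asp on line 7",
    r"[Wed Apr 17 18:38:02 2002] [error] [client 192.0.2.10] File does not exist: d:/html/favicon.ico",
    r"[Wed Apr 17 19:50:11 2002] [error] PHP Fatal error:  Maximum execution time of 30 seconds exceeded in /usr/local/apache/htdocs/report.php on line 3",
]


def parse_limit_event(line):
    """Return a dict describing a PHP limit fatal, or None for any other line."""
    m = LIMIT_RE.match(line.strip())
    if not m:
        return None
    try:
        when = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None  # malformed timestamp: skip rather than guess
    script = m.group("script")
    # Windows paths are case-insensitive; normalise so d:\x and D:\x group together.
    if re.match(r"^[A-Za-z]:\\", script):
        script = script.replace("\\", "/").lower()
    return {
        "when": when,
        "kind": "time" if m.group("secs") else "memory",
        "limit": int(m.group("secs") or m.group("bytes")),
        "script": script,
        "line": int(m.group("line")),
    }


def repeat_offenders(lines, threshold=3, window=timedelta(minutes=5)):
    """Map script -> largest number of limit fatals seen inside one window,
    for scripts that reach the threshold."""
    by_script = defaultdict(list)
    for line in lines:
        event = parse_limit_event(line)
        if event:
            by_script[event["script"]].append(event["when"])

    flagged = {}
    for script, times in by_script.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[script] = best
    return flagged


if __name__ == "__main__":
    for script, hits in repeat_offenders(SAMPLE_LOG).items():
        print(f"ALERT {script}: {hits} limit fatals within 5 minutes")
```

A flagged script is a prompt to check whether the worker that logged the fatal is still consuming CPU and memory, which is the behaviour reported in this thread.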




Re: [PHP] Re: Screen Scraping using PHP

2002-04-17 Thread Barry C. Hawkins

Colleagues,
The term "screen scraping" as I am familiar with it comes from mainframe
terminal circles, and refers to capturing the character-based output in a
terminal window (or, at one point in history, the terminal "screen") as a
text file.  I have seen the term used specifically in respect to file
capture from display produced by 3270 terminal emulators.  Essentially, it's
as if you took the screen's display and "scraped" it off of the terminal to
make a sheet or text file.
Phil, tell us a bit more context regarding your screen scrape, and maybe
we can be of more help.

--
Sincerely,
Barry C. Hawkins
Systems Consultant
All Things Computed
[EMAIL PROTECTED]

"Robert Cummings" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Richard Baskett wrote:
> >
> > I bet he means when you open up an URL and capture part of the page or the
> > entire page and post it onto your own site.  I've done that with weather.com
> > where you capture just part of their webpage.. So basically if I wanted to
> > know what the weather was like in Egypt, I would go to weather.com and find
> > the URL that tells me, copy that, write a script that grabs that information
> > from weather.com and then posts it on my site.  Thus screen scraping...
> >
> > If that's not what he meant then I am in the dark also :)  If so.. Then
> > there you go!
>
> Ah... Page Pillaging ;)
>
> Cheers,
> Rob.
> --
> .-.
> | Robert Cummings |
> :-`.
> | Webdeployer - Chief PHP and Java Programmer  |
> :--:
> | Mail  : mailto:[EMAIL PROTECTED] |
> | Phone : (613) 731-4046 x.109 |
> :--:
> | Website : http://www.webmotion.com   |
> | Fax : (613) 260-9545 |
> `--'







[PHP] trying to use gzlib & ZZIPlib within PHP

2002-04-17 Thread Wo Chang

Dear PHPers,

I downloaded and compiled the zlib from www.gzip.org/zlib
and recompiled the php and apache, but somehow I get
gzcompress and gzuncompress undefined.

Then I tried with ZZIPlib with --with-zip switch when
compiling PHP then recompile apache.  After restarted
the apache, I do see variables get set for zip but when
I do zip_open ("abc.zip") I got an error saying zip_open
not defined.

How do I get the above gzcompress & zip_open to work?
I checked with httpd.conf for zlib.  I also enable the
compression for php.ini

Any helps would be greatly appreciated.

--Wo







[PHP] mod_rewrite (solution)

2002-04-17 Thread [ rswfire ]

Thanks to everyone who tried to help.  Apparently, I'm better at this stuff 
than I thought.  The four lines below provide the perfect solution to the 
problem I was having.

RewriteEngine  on
RewriteBase    /
RewriteCond    %{REQUEST_FILENAME} !-f
RewriteRule    ^(.+) /index.php







Re: [PHP] Nasty DoS in PHP

2002-04-17 Thread Jackson Miller

I crashed a server yesterday from PHP code that was trying to create an
image with GD.  The same scenario happened in that my entire box froze. 
No keyboard control, no mouse, no CTRL-ALT-F2, nothing.

This was also due to a header() in an infinite loop.  From my
perspective I thought that was bad code, so I fixed it.  I don't see
this as a security risk.  Allowing someone to execute code on your
server is a security risk.  Writing bad code is writing bad code.

It would be interesting to see how linux handled the load.  I might test
again and see if other services will still accept remote connections
(maybe ssh or something).  But regardless, it is a good idea not to
write bad code, and to test on a development server just in case.

-Jaxn


http://www.jaxn.org





On Wed, 2002-04-17 at 20:25, Dustin E. Childers wrote:
> Hello.
> 
> I have found something interesting that can kill the server. I'm not sure
> if this is because of Apache or PHP. If you use PHP to send a header()
> inside of a while loop, the httpd process will begin to use massive CPU
> and Memory until it is killed, or the server is killed. Here is what I used:
>
> <?php
>   while(0<1) {
>     header("A");
>   }
> ?>
>
> We have tested this on apache 1.3.22, and apache 2.0.35, using php 4.1.2
> and 4.2.0RC4. It was able to completely kill our servers (not apache, the
> entire server). The loads of the server will reach 50+. I have contacted
> apache about this and they said that it is PHP related.
> 
> Dustin E. Childers
> Security Administrator. CEO, Digitux Security, Inc.
> http://www.digitux.net/







Re: [PHP] Nasty DoS in PHP

2002-04-17 Thread CC Zona

Do you have a PHP binary compiled too?  If Apache can be taken out of the 
equation and the script still exceed memory/time limits, that would sure 
appear to be a PHP bug. (FWIW, I can't find an existing bug report about 
this behavior at bugs.php.net.  Perhaps you and the OP could run backtraces 
and open a new bug report?)


In article <[EMAIL PROTECTED]>,
 [EMAIL PROTECTED] (Jason Soza) wrote:

> It shows the memory and CPU time being used by apache. I have PHP 
> installed as a module, that may be why. (?)
> 
> Jason Soza
> 
> - Original Message -
> From: Martin Towell <[EMAIL PROTECTED]>
> Date: Wednesday, April 17, 2002 6:37 pm
> Subject: RE: [PHP] Nasty DoS in PHP
> 
> > Is that memory usage used by PHP or apache?
> > 
> > -Original Message-
> > From: Jason Soza [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, April 18, 2002 12:35 PM
> > To: CC Zona
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: [PHP] Nasty DoS in PHP
> > 
> > 
> > For what it's worth, I just ran this script on my server, and despite 
> > the 30 second time limit and 8mb memory limit in php.ini, the script 
> > ran longer than 30 secs, CPU usage went between 60% and 100% and my 
> > memory usage reached 352000 before I stopped it.

-- 
CC





RE: [PHP] Nasty DoS in PHP

2002-04-17 Thread Jason Soza

It shows the memory and CPU time being used by apache. I have PHP 
installed as a module, that may be why. (?)

Jason Soza

- Original Message -
From: Martin Towell <[EMAIL PROTECTED]>
Date: Wednesday, April 17, 2002 6:37 pm
Subject: RE: [PHP] Nasty DoS in PHP

> Is that memory usage used by PHP or apache?
> 
> -Original Message-
> From: Jason Soza [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, April 18, 2002 12:35 PM
> To: CC Zona
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP] Nasty DoS in PHP
> 
> 
> For what it's worth, I just ran this script on my server, and despite
> the 30 second time limit and 8mb memory limit in php.ini, the script
> ran longer than 30 secs, CPU usage went between 60% and 100% and my
> memory usage reached 352000 before I stopped it.
>
> As far as a DoS, I don't think so. A bug? Possibly. Bad coding? Yep. :)
> 
> Jason Soza






RE: [PHP] Nasty DoS in PHP

2002-04-17 Thread Martin Towell

Is that memory usage used by PHP or apache?

-Original Message-
From: Jason Soza [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 18, 2002 12:35 PM
To: CC Zona
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Nasty DoS in PHP


For what it's worth, I just ran this script on my server, and despite 
the 30 second time limit and 8mb memory limit in php.ini, the script 
ran longer than 30 secs, CPU usage went between 60% and 100% and my 
memory usage reached 352000 before I stopped it.

As far as a DoS, I don't think so. A bug? Possibly. Bad coding? Yep. :)

Jason Soza

- Original Message -
From: CC Zona <[EMAIL PROTECTED]>
Date: Wednesday, April 17, 2002 6:21 pm
Subject: Re: [PHP] Nasty DoS in PHP

> In article ,
> [EMAIL PROTECTED] (Richard Archer) wrote:
> 
> > At 8:55 PM -0400 17/4/02, Justin Farnsworth wrote:
> > 
> > >This is a rather meaningless thread.  It is a
> > >security issue that is displaced.
> > 
> > If PHP is not honoring the time limit and memory usage directives
> > when outputting headers, then this is a bug in PHP.
> 
> A big "if", since the OP has not yet verified that the time limit and
> memory limit are in effect at the outset of the loop as supposed.  Someone
> else want to test for this scenario?  Someone, that is, who can
> deliberately bring down their server without getting kicked off
> permanently?
>
> Meanwhile...
>
> > If this allows a DoS attack, then this is a very real security problem.
>
> Why should it?  Even if there is a verifiable bug allowing time/memory
> limits to be exceeded when header() goes into an infinite loop, how could
> someone exploit this from the outside?  If a scripter is letting any random
> web visitor put their script into an infinite loop, then the results are at
> *least* as much the scripter's fault as PHP's.  Ditto for the scripter who
> sets the infinite loop himself while allowing the web user to specify what
> function gets executed in the loop.  And if neither of these is happening,
> then where's the DoS?  As has already been pointed out, someone bringing
> down their own server with their own code, isn't a DoS.  It's usually poor
> coding, and _possibly_ (see above) attributable to a bug, but it's not a
> DoS.
>
> As far as I can tell, the only security problem here is the usual one:
> figuring out who is clueful enough and responsible enough to be trusted
> with access to operations which can compromise the server.
>
> Whether there is a bug or not remains an open question.  I'll be curious to
> hear whether anyone is able to reproduce a server crash in spite of
> set_time_limit(30) and ini_set("memory_limit","8M") conditions.
> 
> -- 
> CC







Re: [PHP] Nasty DoS in PHP

2002-04-17 Thread Jason Soza

For what it's worth, I just ran this script on my server, and despite 
the 30 second time limit and 8mb memory limit in php.ini, the script 
ran longer than 30 secs, CPU usage went between 60% and 100% and my 
memory usage reached 352000 before I stopped it.

As far as a DoS, I don't think so. A bug? Possibly. Bad coding? Yep. :)

Jason Soza

- Original Message -
From: CC Zona <[EMAIL PROTECTED]>
Date: Wednesday, April 17, 2002 6:21 pm
Subject: Re: [PHP] Nasty DoS in PHP

> In article ,
> [EMAIL PROTECTED] (Richard Archer) wrote:
> 
> > At 8:55 PM -0400 17/4/02, Justin Farnsworth wrote:
> > 
> > >This is a rather meaningless thread.  It is a
> > >security issue that is displaced.
> > 
> > If PHP is not honoring the time limit and memory usage directives
> > when outputting headers, then this is a bug in PHP.
> 
> A big "if", since the OP has not yet verified that the time limit and
> memory limit are in effect at the outset of the loop as supposed.  Someone
> else want to test for this scenario?  Someone, that is, who can
> deliberately bring down their server without getting kicked off
> permanently?
>
> Meanwhile...
>
> > If this allows a DoS attack, then this is a very real security problem.
>
> Why should it?  Even if there is a verifiable bug allowing time/memory
> limits to be exceeded when header() goes into an infinite loop, how could
> someone exploit this from the outside?  If a scripter is letting any random
> web visitor put their script into an infinite loop, then the results are at
> *least* as much the scripter's fault as PHP's.  Ditto for the scripter who
> sets the infinite loop himself while allowing the web user to specify what
> function gets executed in the loop.  And if neither of these is happening,
> then where's the DoS?  As has already been pointed out, someone bringing
> down their own server with their own code, isn't a DoS.  It's usually poor
> coding, and _possibly_ (see above) attributable to a bug, but it's not a
> DoS.
>
> As far as I can tell, the only security problem here is the usual one:
> figuring out who is clueful enough and responsible enough to be trusted
> with access to operations which can compromise the server.
>
> Whether there is a bug or not remains an open question.  I'll be curious to
> hear whether anyone is able to reproduce a server crash in spite of
> set_time_limit(30) and ini_set("memory_limit","8M") conditions.
> 
> -- 
> CC







RE: [PHP] Nasty DoS in PHP

2002-04-17 Thread Martin Towell

[snip]

> > If this allows a DoS attack, then this is a very real security problem.
> 
> Why should it?  Even if there is a verifiable bug allowing time/memory
> limits to be exceeded when header() goes into an infinite loop, how could
> someone exploit this from the outside?  If a scripter is letting any random
> web visitor put their script into an infinite loop, then the results are at
> *least* as much the scripter's fault as PHP's.  [snip]
> 
> As far as I can tell, the only security problem here is the usual one: 
> figuring out who is clueful enough and responsible enough to be trusted 
> with access to operations which can compromise the server.

A coder could do a lot more damage to a server, than a DoS, if they had
access to the PHP. Oh! The fun I would have if I was malicious (but I'm not
BTW). There's more at stake than a simple DoS if someone can upload a PHP
script to a server.





Re: [PHP] Nasty DoS in PHP

2002-04-17 Thread CC Zona

In article ,
 [EMAIL PROTECTED] (Richard Archer) wrote:

> At 8:55 PM -0400 17/4/02, Justin Farnsworth wrote:
> 
> >This is a rather meaningless thread.  It is a
> >security issue that is displaced.
> 
> If PHP is not honoring the time limit and memory usage directives
> when outputting headers, then this is a bug in PHP.

A big "if", since the OP has not yet verified that the time limit and 
memory limit are in effect at the outset of the loop as supposed.  Someone 
else want to test for this scenario?  Someone, that is, who can 
deliberately bring down their server without getting kicked off permanently?

Meanwhile...

> If this allows a DoS attack, then this is a very real security problem.

Why should it?  Even if there is a verifiable bug allowing time/memory 
limits to be exceeded when header() goes into an infinite loop, how could 
someone exploit this from the outside?  If a scripter is letting any random 
web visitor put their script into an infinite loop, then the results are at 
*least* as much the scripter's fault as PHP's.  Ditto for the scripter who 
sets the infinite loop himself while allowing the web user to specify what 
function gets executed in the loop.  And if neither of these is happening, 
then where's the DoS?  As has already been pointed out, someone bringing 
down their own server with their own code, isn't a DoS.  It's usually poor 
coding, and _possibly_ (see above) attributable to a bug, but it's not a 
DoS.

As far as I can tell, the only security problem here is the usual one: 
figuring out who is clueful enough and responsible enough to be trusted 
with access to operations which can compromise the server.

Whether there is a bug or not remains an open question.  I'll be curious to 
hear whether anyone is able to reproduce a server crash in spite of 
set_time_limit(30) and ini_set("memory_limit","8M") conditions.

-- 
CC





[PHP] mod_rewrite

2002-04-17 Thread [ rswfire ]

I could really use your help with this.  The examples I have received from 
everyone thus far have not worked, including the last one that you posted.  
This is the situation:

I have multiple domains, each with multiple subdomains, all of which 
automatically point to the root of my web environment.  I have only one file 
that does all of the work for all of these websites/webpages, and that is 
the index.php file in the root.  This file is smart enough to parse the url 
being accessed and create an appropriate page based on a very complex set of 
rules.

Originally, I was using the ErrorDocument 404 to make it access the 
index.php file, but this has some inherent flaws.  The biggest problem was 
that forms that were being posted to a page that doesn't really exist never 
maintained the posted variables (due to the 404 redirect.)  Another 
limitation was that it just created a bunch of unnecessary error messages in 
my error log since there are no "real pages" on my network, even though it 
pretends there is.

So, I need to use mod_rewrite.  That is apparent now.  The problem is I know 
nothing about creating regular expressions.  I simply need it to rewrite the 
url for any file that does not exist (it should not try to do so for a file 
that really does exist, say an image file) and it needs to have the 
following rule:

A*.B*.C*/D*.E*

Where A is a subdomain; B is the domain name; C is the top level domain; D/E 
are a file or directory.

Some examples would be:

http://www.swifte.net/
http://www.cao.swifte.net/petition-sign.html
http://hsdnetwork.swifte.net/technicians.html
http://www.hsdnetwork.swifte.net/technicians.html
http://www.caofund.org/
http://www.hsdnetwork.com/

Can you tell me how to do this?  I would appreciate your help so much!!

-Samuel





Re: [PHP] Nasty DoS in PHP

2002-04-17 Thread Richard Archer

At 8:55 PM -0400 17/4/02, Justin Farnsworth wrote:

>This is a rather meaningless thread.  It is a
>security issue that is displaced.

If PHP is not honoring the time limit and memory usage directives
when outputting headers, then this is a bug in PHP. If this allows
a DoS attack, then this is a very real security problem.

Local DoS attacks aren't as serious as remote DoS, local exploits
or remote exploits, but they are nevertheless a real security
concern.

One of the benefits of PHP is that it is widely deployed. Many ISPs
offer PHP access as a standard part of their web hosting package.

And if you think all customers of ISPs are trustworthy, you don't
know much about being an ISP :)

If these ISPs come to see PHP as a security threat and remove access
to PHP, it is only the PHP community which will suffer.

 ...Richard.





[PHP] HTTP_POST_FILES and Mozilla 0.9.9

2002-04-17 Thread Vince LaMonica

Hi all,

I'm having a difficult time determining if this is a Mozilla .99 bug, or
something in PHP [currently using 4.0.6 under linux 2.4.8]. Using 2 small
test files:

## upload1.html ##

upload test

 






## upload2.php ##



With Mozilla .9.4.1 [eg: Netscape 6.2.2 for windoze], Netscape 4.79, Opera
6.0.1, and IE 5.5sp2, if a user hits the submit button *without*
uploading, the proper string ["nothing was uploaded"] is returned.
However, if a user has Galeon v1.2.0 or Mozilla 0.9.9 [running under
linux], the "a file was uploaded" string will appear since
$HTTP_POST_FILES['incoming']['tmp_name'] is an empty string. From reading
the PHP docs, if no file was uploaded, 'tmp_name' should be "none", which
it is if you're using a non-Mozilla .99 based browser.

If a user does upload a file, all browsers are happy ['tmp_name' is
assigned properly].

Is this a browser/gecko bug, or a PHP bug?

TIA,

/vjl/ [who noticed bugs #11198, 10602, 16426 and 13863, but all are
closed]

-- 
Vince LaMonica   UC Irvine,  School  of  Social Ecology
 W3 Developer   <*>  116 Social Ecology I, Irvine, CA 92697
 [EMAIL PROTECTED] https://www.seweb.uci.edu/~vjl

   Life is what happens to you when you're making other plans.
 - Betty Talmadge







[PHP] Re: HTTP gzip-compression and fopen

2002-04-17 Thread CC Zona

In article <[EMAIL PROTECTED]>,
 [EMAIL PROTECTED] (Trond Arve Nordheim) wrote:

> I was writing a slashdot RSS-parser for my homepage, and wrote a simple
> function to fetch the slashdot.rdf-file from slashdot, and parse it
> using PEAR's XML/RSS.php.
> 
> Here's the core reading the remote file:
> $fp = @fopen("http://slashdot.org/slashdot.rdf", "r");
> if (!$fp) { return 0; }
> $raw = fread($fp, 1);
> fclose($fp);
> 
> Now, it seems like slashdot is doing some on-the-fly gzip-compression (it
> sends a "Content-Encoding: gzip"-header), and that fopen can't cope with
> this, and I'm stuck with some binary data. I've tried using
> gzuncompress() on the returned data, but that resulted in an error (not
> valid gzip-data).

Since no one else has responded yet, I'm going to take a wild guess that 
your browser's "Accept" headers are being used on the fopen() request, 
leading the slashdot server to believe that your script can process gzipped 
data...?  FWIW, I'd try using fsockopen() instead, explicitly setting 
"Accept" (probably to text/html, text/xml, and text/rss--if the latter is a 
valid content type).

BTW, you should take out that @ sign, turn error_reporting all the way up 
to E_ALL, and add some error checking.  Just in case PHP already knows what 
the problem is, and you're not letting it tell you...

-- 
CC





Re: [PHP] HTTP gzip-compression and fopen

2002-04-17 Thread Trond Arve Nordheim

On Thu, Apr 18, 2002 at 01:55:47AM +0200, Trond Arve Nordheim wrote:
> Now, it seems like slashdot is doing some on-the-fly gzip-compression (it
> sends a "Content-Encoding: gzip"-header), and that fopen can't cope with
> this, and I'm stuck with some binary data. I've tried using
> gzuncompress() on the returned data, but that resulted in an error (not
> valid gzip-data).

Hm, sorry, seemed like this was a slashdot-problem, actually.
Works now, and I haven't changed anything ;)

-- 
Trond Arve Nordheim
 - "This message is ROT13-encrypted twice for extra security."






Re: [PHP] Nasty DoS in PHP

2002-04-17 Thread Justin Farnsworth

Guys:

This is a rather meaningless thread.  It is a
security issue that is displaced.

Anybody can take down his own machine with a couple of
lines of code.  It is not the (entire) responsibility of the
language to protect the machine from resource exhaustion
or whatever.

In security, you have the concept of the trusted user,
and the users on my machine I trust.  If you are
running a public server, you just don't let any
code go on to the machine if it is not from a
trusted user.  The only alternative is for the
server owner to inspect the code in order to
trust the code, if he does not trust the user.

If a server owner lets script kiddies on the server,
it is a security issue, not a PHP issue.  If the
originator of this thread thinks this is a weakness
in PHP with the posted code, he is mistaken.

_justin
-- 
Justin Farnsworth
Eye Integrated Communications
321 South Evans - Suite 203
Greenville, NC 27858 | Tel: (252) 353-0722





RE: [PHP] Nasty DoS in PHP

2002-04-17 Thread James Cox

Well, if you were able to upload a PHP script, you'd also be able to upload
a binary file, which would have the ability to run exec("yourbinary");

...

-Original Message-
From: Dustin E. Childers [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 18, 2002 3:41 AM
To: James Cox
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Nasty DoS in PHP


You can't upload a binary file to a server and access it through a web
browser. The most it will do is either show the 'source' for file or ask you
to download it. Yes, this is probably not a major DoS attack..and there
aren't many free hosts out there that have PHP support. The most you could
probably do is take out your own server, but you never know what script
kiddies are willing to do in order to take down a server.

Dustin E. Childers
Security Administrator. CEO, Digitux Security, Inc.
http://www.digitux.net/

- Original Message -
From: "James Cox" <[EMAIL PROTECTED]>
To: "Dustin E. Childers" <[EMAIL PROTECTED]>; "Jason Murray"
<[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, April 17, 2002 5:28 PM
Subject: RE: [PHP] Nasty DoS in PHP


> so why not upload a binary file and execute that ? quick root-kit later and
> you're in.
>
>
> -Original Message-
> From: Dustin E. Childers [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, April 18, 2002 3:22 AM
> To: Jason Murray
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP] Nasty DoS in PHP
>
>
> "If the user has enough access to the server to place files on it" ?
>
> There are hosting places that have PHP and you can just upload the PHP
> script through FTP and access it in your browser.
>
> Dustin E. Childers
> Security Administrator. CEO, Digitux Security, Inc.
> http://www.digitux.net/
>
> - Original Message -
> From: "Jason Murray" <[EMAIL PROTECTED]>
> To: "'Dustin E. Childers'" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Wednesday, April 17, 2002 5:14 PM
> Subject: RE: [PHP] Nasty DoS in PHP
>
>
> > > It's a default PHP installation. We aren't calling set_time_limit().
> > > I know its an infinite loop, the point is that if a user wanted to
> > > attack a server (happens every day) they would be able to use this
> > > method to take the server down.
> >
> > But, if the user has enough access to the server to place files on it,
> > then they can do much, much worse stuff than running an infinite loop
> > in PHP. Like I said, if it gets to that point you have bigger problems.
> >
> > Jason
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>






RE: [PHP] document root

2002-04-17 Thread Senih Özkiper

Thanks Miguel,
I asked it hopeless.

Senih

-Original Message-
From: Miguel Cruz [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 18, 2002 3:25 AM
To: Senih Özkiper
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] document root


On Thu, 18 Apr 2002, [iso-8859-9] Senih Özkiper wrote:
> What is the best way, to find out the directory, where web documents stored,
> on a .nix web server?
> I need that, because I want to install my application files on customers web
> server directly and automatically from my web server using ftp.
>
> Better to explain;
>
> If for example header("Location:www.someweb.com") would be possible, I could
> do it with
>
> getenv("DOCUMENT_ROOT");

Well, the only way you'd be able to do that is by running PHP code local
to the server, and you'd only be able to do that once you're already
installed.

Makes more sense to just ask them - since there are all sorts of
possibilities with virtual hosts, etc.

miguel






Re: [PHP] Nasty DoS in PHP

2002-04-17 Thread Dustin E. Childers

You can't upload a binary file to a server and access it through a web
browser. The most it will do is either show the 'source' for file or ask you
to download it. Yes, this is probably not a major DoS attack..and there
aren't many free hosts out there that have PHP support. The most you could
probably do is take out your own server, but you never know what script
kiddies are willing to do in order to take down a server.

Dustin E. Childers
Security Administrator. CEO, Digitux Security, Inc.
http://www.digitux.net/

- Original Message -
From: "James Cox" <[EMAIL PROTECTED]>
To: "Dustin E. Childers" <[EMAIL PROTECTED]>; "Jason Murray"
<[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, April 17, 2002 5:28 PM
Subject: RE: [PHP] Nasty DoS in PHP


> so why not upload a binary file and execute that ? quick root-kit later and
> you're in.
>
>
> -Original Message-
> From: Dustin E. Childers [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, April 18, 2002 3:22 AM
> To: Jason Murray
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP] Nasty DoS in PHP
>
>
> "If the user has enough access to the server to place files on it" ?
>
> There are hosting places that have PHP and you can just upload the PHP
> script through FTP and access it in your browser.
>
> Dustin E. Childers
> Security Administrator. CEO, Digitux Security, Inc.
> http://www.digitux.net/
>
> - Original Message -
> From: "Jason Murray" <[EMAIL PROTECTED]>
> To: "'Dustin E. Childers'" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Wednesday, April 17, 2002 5:14 PM
> Subject: RE: [PHP] Nasty DoS in PHP
>
>
> > > It's a default PHP installation. We aren't calling set_time_limit().
> > > I know its an infinite loop, the point is that if a user wanted to
> > > attack a server (happens every day) they would be able to use this
> > > method to take the server down.
> >
> > But, if the user has enough access to the server to place files on it,
> > then they can do much, much worse stuff than running an infinite loop
> > in PHP. Like I said, if it gets to that point you have bigger problems.
> >
> > Jason
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>






RE: [PHP] Nasty DoS in PHP

2002-04-17 Thread Jason Murray

> "If the user has enough access to the server to place files on it" ?
> 
> There are hosting places that have PHP and you can just upload the PHP
> script through FTP and access it in your browser.

... in which case all you'll accomplish is taking out your own server,
which is not a DoS attack. :)

(This is also why it's very hard to find free servers with PHP on them)

J





RE: [PHP] Nasty DoS in PHP

2002-04-17 Thread James Cox

so why not upload a binary file and execute that ? quick root-kit later and
you're in.


-Original Message-
From: Dustin E. Childers [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 18, 2002 3:22 AM
To: Jason Murray
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Nasty DoS in PHP


"If the user has enough access to the server to place files on it" ?

There are hosting places that have PHP and you can just upload the PHP
script through FTP and access it in your browser.

Dustin E. Childers
Security Administrator. CEO, Digitux Security, Inc.
http://www.digitux.net/

- Original Message -
From: "Jason Murray" <[EMAIL PROTECTED]>
To: "'Dustin E. Childers'" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, April 17, 2002 5:14 PM
Subject: RE: [PHP] Nasty DoS in PHP


> > It's a default PHP installation. We aren't calling set_time_limit().
> > I know its an infinite loop, the point is that if a user wanted to
> > attack a server (happens every day) they would be able to use this
> > method to take the server down.
>
> But, if the user has enough access to the server to place files on it,
> then they can do much, much worse stuff than running an infinite loop
> in PHP. Like I said, if it gets to that point you have bigger problems.
>
> Jason






Re: [PHP] Sending a variable without it being seen

2002-04-17 Thread Miguel Cruz

You can pass it using POST rather than GET-style arguments, but that will 
require structuring your pages so that people use buttons to get from one 
to the next, and it will only keep really dumb people from seeing the 
variables.

Other than that, look at the manual's section on Sessions.

miguel

On Wed, 17 Apr 2002, Kevin Meredith wrote:
> Is there any way variables can be sent without them being seen?
> 
> I am trying to set a session variable from data that is pulled from MySql.
> I have 2 frames open , the first frame has the options available which when
> selected sends the variable info and opens a page in the second frame.  This
> page then registers the variable showing the selection.
> 
> I am currently sending the info like "pagename.php?variable=what
> target=frame"
> 
> The links are generated from info in MySql and therefore I have not managed
> to send the info in a form using hidden fields.  The main reason for this is
> security.  Users should not know what variables are being passed or needed.
> 
> Thanks
> Kevin
> 
> 
> 






Re: [PHP] save html created by loop in variable

2002-04-17 Thread Miguel Cruz

On Wed, 17 Apr 2002, Jason Dulberg wrote:
> I have a WHILE loop that I am interested in storing the html that is
> generated based on its results to a variable. This variable would then be
> echoed later on.

Check in the manual under Output Buffering.

miguel






Re: [PHP] Arranging Data

2002-04-17 Thread Miguel Cruz

I'm not going to give you code because that would make it too easy.

Start a counter variable at 0.

Increment it with each cell you draw.

Once it reaches the number of cells you want across, set your counter back 
to zero and draw the appropriate  stuff.

Presto.

miguel

On Wed, 17 Apr 2002, Jason Soza wrote:
> How would I have a script display results in a table, but make it so 
> that once 3 or 4 results are displayed in one table row, a new table 
> row would be started?
> 
> Right now I have something like:
> printf("",$pic1);
> 
> And all the records for $pic1 come out into a single column which, if I 
> had many records, could get unwieldy. I'm looking to do something like:
> print("");
> print("");
> printf("",$pic1>
> 
> Where instead of one table row being created with endless 's, the 
> printf() function would print just 3 records, then another '' tag 
> would be printed to start a new row, where printf() could print the 
> next 3 records, and so on. Is this possible?
> 
> Thanks in advance,
> Jason
> 
> 
> 






Re: [PHP] document root

2002-04-17 Thread Miguel Cruz

On Thu, 18 Apr 2002, [iso-8859-9] Senih Özkiper wrote:
> What is the best way, to find out the directory, where web documents stored,
> on a .nix web server?
> I need that, because I want to install my application files on customers web
> server directly and automatically from my web server using ftp.
> 
> Better to explain;
> 
> If for example header("Location:www.someweb.com") would be possible, I could
> do it with
> 
> getenv("DOCUMENT_ROOT");

Well, the only way you'd be able to do that is by running PHP code local 
to the server, and you'd only be able to do that once you're already 
installed.

Makes more sense to just ask them - since there are all sorts of 
possibilities with virtual hosts, etc.

miguel






Re: [PHP] Nasty DoS in PHP

2002-04-17 Thread Dustin E. Childers

"If the user has enough access to the server to place files on it" ?

There are hosting places that have PHP and you can just upload the PHP
script through FTP and access it in your browser.

Dustin E. Childers
Security Administrator. CEO, Digitux Security, Inc.
http://www.digitux.net/

- Original Message -
From: "Jason Murray" <[EMAIL PROTECTED]>
To: "'Dustin E. Childers'" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, April 17, 2002 5:14 PM
Subject: RE: [PHP] Nasty DoS in PHP


> > It's a default PHP installation. We aren't calling set_time_limit().
> > I know its an infinite loop, the point is that if a user wanted to
> > attack a server (happens every day) they would be able to use this
> > method to take the server down.
>
> But, if the user has enough access to the server to place files on it,
> then they can do much, much worse stuff than running an infinite loop
> in PHP. Like I said, if it gets to that point you have bigger problems.
>
> Jason






RE: [PHP] Nasty DoS in PHP

2002-04-17 Thread Jason Murray

> It's a default PHP installation. We aren't calling set_time_limit(). 
> I know its an infinite loop, the point is that if a user wanted to 
> attack a server (happens every day) they would be able to use this 
> method to take the server down.

But, if the user has enough access to the server to place files on it,
then they can do much, much worse stuff than running an infinite loop 
in PHP. Like I said, if it gets to that point you have bigger problems.

Jason





RE: [PHP] Nasty DoS in PHP

2002-04-17 Thread James Cox

but to do so, they would need to be on the box, and there are a bunch of
better methods in that situation.

given that php's default install sets a max time limit of 30 seconds on a
script timeout, it can't have run for 10+ minutes, nor is that a reasonable
length of time for a DoS on a monitored box.

This isn't really an exploit, just bad coding.


-Original Message-
From: Dustin E. Childers [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 18, 2002 3:10 AM
To: Jason Murray
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Nasty DoS in PHP


It's a default PHP installation. We aren't calling set_time_limit(). I know
its an infinite loop, the point is that if a user wanted to attack a server
(happens every day) they would be able to use this method to take the server
down.

Dustin E. Childers
Security Administrator. CEO, Digitux Security, Inc.
http://www.digitux.net/

- Original Message -
From: "Jason Murray" <[EMAIL PROTECTED]>
To: "'Dustin E. Childers'" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, April 17, 2002 5:04 PM
Subject: RE: [PHP] Nasty DoS in PHP


> > It does not stop after its execution time.
>
> Is your PHP actually configured to stop running after 30 seconds,
> though? Its the default, but you may have overridden it.
>
> > We have let this run for 10+ minutes to see if it would crash the
> > server, and it did.
>
> Is it possible you're called set_time_limit() to increase the
> script's timeout and thus allow it to run?
>
> > It does not affect the person that loads the code in the browser,
> > just affects the server running the code.
>
> Well ... yeah. This is not surprising :p :)
>
> Either way, the fact still remains it's an infinite loop and you
> just shouldn't write it. :)
>
> J






Re: [PHP] Nasty DoS in PHP

2002-04-17 Thread Dustin E. Childers

It's a default PHP installation. We aren't calling set_time_limit(). I know
it's an infinite loop, the point is that if a user wanted to attack a server
(happens every day) they would be able to use this method to take the server
down.

Dustin E. Childers
Security Administrator. CEO, Digitux Security, Inc.
http://www.digitux.net/

- Original Message -
From: "Jason Murray" <[EMAIL PROTECTED]>
To: "'Dustin E. Childers'" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, April 17, 2002 5:04 PM
Subject: RE: [PHP] Nasty DoS in PHP


> > It does not stop after its execution time.
>
> Is your PHP actually configured to stop running after 30 seconds,
> though? Its the default, but you may have overridden it.
>
> > We have let this run for 10+ minutes to see if it would crash the
> > server, and it did.
>
> Is it possible you're called set_time_limit() to increase the
> script's timeout and thus allow it to run?
>
> > It does not affect the person that loads the code in the browser,
> > just affects the server running the code.
>
> Well ... yeah. This is not surprising :p :)
>
> Either way, the fact still remains it's an infinite loop and you
> just shouldn't write it. :)
>
> J






RE: [PHP] Nasty DoS in PHP

2002-04-17 Thread Jason Murray

> It does not stop after its execution time.

Is your PHP actually configured to stop running after 30 seconds, 
though? It's the default, but you may have overridden it.

> We have let this run for 10+ minutes to see if it would crash the 
> server, and it did. 

Is it possible you've called set_time_limit() to increase the
script's timeout and thus allow it to run?

> It does not affect the person that loads the code in the browser, 
> just affects the server running the code.

Well ... yeah. This is not surprising :p :)

Either way, the fact still remains it's an infinite loop and you
just shouldn't write it. :)

J





Re: [PHP] Nasty DoS in PHP

2002-04-17 Thread CC Zona

In article <000401c1e67b$dd64c820$2fa3f318@blackbox>,
 [EMAIL PROTECTED] (Dustin E. Childers) wrote:

> It does not stop after its execution time. We have let this run for 10+
> minutes to see if it would crash the server, and it did. It does not affect
> the person that loads the code in the browser, just affects the server
> running the code.

You say that the script is exceeding both the memory limit and time limit; 
have you run phpinfo() from this script to confirm that those settings are 
in effect?  Perhaps the wrong php.ini file is being used, or the php.ini 
settings are being overridden by settings in httpd.conf, .htaccess, or even 
the script itself...

-- 
CC
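
The check suggested in the message above, written out as an added example that is not part of the original thread: it reports the limits in effect for the current request and whether they differ from php.ini. The function name `effective_limits` and the report keys are hypothetical, and the code assumes PHP 5.4 or later rather than the 4.x releases discussed here.

```php
<?php
// Added example, not code from the thread. Needs PHP 5.4 or later.

/**
 * For each directive, compare the value read from php.ini ("global") with the
 * value in effect for this request ("local"). A difference means httpd.conf,
 * .htaccess or the script changed it after php.ini was read.
 *
 * $directives maps a directive name to the value that means "no limit".
 */
function effective_limits(array $directives)
{
    $all = ini_get_all(null, true); // per directive: global_value, local_value, access
    $report = array();

    foreach ($directives as $name => $unlimitedValue) {
        if (!isset($all[$name])) {
            // PHP 4 only had memory_limit when built with --enable-memory-limit.
            $report[$name] = array('available' => false);
            continue;
        }
        $global = (string) $all[$name]['global_value'];
        $local  = (string) $all[$name]['local_value'];

        // Re-applying the current value changes nothing, but ini_set() returns
        // false when the directive cannot be changed from inside a script.
        $scriptCanChange = (ini_set($name, $local) !== false);

        $report[$name] = array(
            'available'         => true,
            'php_ini_value'     => $global,
            'effective_value'   => $local,
            'overridden'        => ($global !== $local),
            'unlimited'         => ($local === $unlimitedValue),
            'script_can_change' => $scriptCanChange,
        );
    }
    return $report;
}

header('Content-Type: text/plain');
echo 'php.ini in use: ', (php_ini_loaded_file() ?: '(none)'), "\n";
echo 'Server API:     ', PHP_SAPI, "\n\n";

// max_execution_time = 0 and memory_limit = -1 both mean "no limit".
$limits = array('max_execution_time' => '0', 'memory_limit' => '-1');

foreach (effective_limits($limits) as $name => $r) {
    if (!$r['available']) {
        echo $name, ": directive not available in this build\n";
        continue;
    }
    $flags = array();
    if ($r['overridden']) {
        $flags[] = 'differs from php.ini';
    }
    if ($r['unlimited']) {
        $flags[] = 'NO LIMIT';
    }
    if ($r['script_can_change']) {
        $flags[] = 'a script may change it';
    }
    printf(
        "%s: php.ini=%s effective=%s [%s]\n",
        $name,
        $r['php_ini_value'],
        $r['effective_value'],
        implode(', ', $flags)
    );
}
```

Request it through the web server from the same directory as the script under investigation, because .htaccess and per-directory settings apply per path and the command-line PHP uses different defaults.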





[PHP] Re: mod_rewrite (the solution)

2002-04-17 Thread CC Zona

In article <[EMAIL PROTECTED]>,
 [EMAIL PROTECTED] (Cc Zona) wrote:

> In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
> wrote:
> 
> > RewriteEngine  on
> > RewriteBase /
> > RewriteRule $.* index.php
> 
> RewriteRule takes a regular expression as its first parameter.
> 
> The "$" regex meta-character is an end-of-line marker.  It has no special 
> meaning at the beginning of a pattern.  If you want a pattern that matches 
> "anything including nothing", use:
> 
> RewriteRule ^.*$ index.php

I shouldn't have copy/pasted, because "index.php" also is wrong in this 
context.  If one is trying to redirect from, say, 
"/dir_that_may_not_exist/" to "index.php", then how is apache supposed to 
serve up "/dir_that_may_not_exist/index.php".  It can't.  So logically the 
2nd parameter has to be "/index.php".  For clarity's sake, using the "L" 
modifier for parameter #3 is also a good idea:

RewriteRule ^.*$ /index.php [L]

Mod_rewrite is a complex beast, so read the docs closely.  And if all you 
really need is to capture/redirect 404s, check out the ErrorDocument 
directive instead.  Simple to use, easy to learn, and none of the 
mod_rewrite overhead.

-- 
CC





[PHP] HTTP gzip-compression and fopen

2002-04-17 Thread Trond Arve Nordheim

Hi.

I was writing a slashdot RSS-parser for my homepage, and wrote a simple
function to fetch the slashdot.rdf-file from slashdot, and parse it
using PEAR's XML/RSS.php.

Here's the core reading the remote file:
$fp = @fopen("http://slashdot.org/slashdot.rdf", "r");
if (!$fp) { return 0; }
$raw = fread($fp, 1);
fclose($fp);

Now, it seems like slashdot is doing some on-the-fly gzip-compression (it
sends a "Content-Encoding: gzip"-header), and that fopen can't cope with
this, and I'm stuck with some binary data. I've tried using
gzuncompress() on the returned data, but that resulted in an error (not
valid gzip-data).

First of all; shouldn't perhaps fopen support decompression of
gzip-compressed http data? That is, is there any reason why it's not
supported ? ;)

Second; how do I decompress that data? I've been reading the manual and
doing some google-searches, but I can't seem to find an answer anywhere.

-- 
Trond Arve Nordheim
 - "This message is ROT13-encrypted twice for extra security."
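
On the second question above, an added example that is not part of the original post: a body sent with "Content-Encoding: gzip" uses the gzip container (RFC 1952), while gzuncompress() expects the zlib container (RFC 1950), which is why it rejects such data. The function names `compressed_format` and `decode_http_body` and the size cap are hypothetical; the code assumes PHP 5.4 or later with the zlib extension.

```php
<?php
// Added example, not code from the thread. Needs PHP 5.4+ with ext/zlib.

/**
 * Identify the container of a compressed byte string from its first bytes.
 * Returns 'gzip' (RFC 1952), 'zlib' (RFC 1950) or 'unknown'.
 */
function compressed_format($data)
{
    if (strlen($data) < 2) {
        return 'unknown';
    }
    if ($data[0] === "\x1f" && $data[1] === "\x8b") {
        return 'gzip';                       // gzip magic number
    }
    $cmf = ord($data[0]);
    $flg = ord($data[1]);
    // zlib header: compression method 8 (deflate) in the low nibble, and the
    // two header bytes read as one 16-bit number are a multiple of 31.
    if (($cmf & 0x0f) === 8 && (($cmf << 8) | $flg) % 31 === 0) {
        return 'zlib';
    }
    return 'unknown';
}

/**
 * Decode a fetched body with the function that matches its container.
 * $maxBytes bounds the decoded size so a small compressed response from a
 * remote server cannot expand without limit. Returns false on failure.
 */
function decode_http_body($body, $maxBytes)
{
    switch (compressed_format($body)) {
        case 'gzip':
            $out = gzdecode($body, $maxBytes);      // pairs with gzencode()
            break;
        case 'zlib':
            $out = gzuncompress($body, $maxBytes);  // pairs with gzcompress()
            break;
        default:
            $out = $body;                           // treat as not compressed
    }
    // Check the length again rather than relying on the hint passed above.
    if ($out === false || strlen($out) > $maxBytes) {
        return false;
    }
    return $out;
}

// Constructed sample standing in for the feed body; not real Slashdot data.
$xml = '<rdf:RDF><item><title>constructed sample</title></item></rdf:RDF>';

$gzipBody = gzencode($xml);    // what a "Content-Encoding: gzip" response carries
$zlibBody = gzcompress($xml);  // what gzuncompress() is able to read

echo 'gzencode output is:   ', compressed_format($gzipBody), "\n";
echo 'gzcompress output is: ', compressed_format($zlibBody), "\n";
echo 'plain text is:        ', compressed_format($xml), "\n";
var_dump(decode_http_body($gzipBody, 1048576) === $xml);
var_dump(decode_http_body($zlibBody, 1048576) === $xml);
```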






Re: [PHP] Nasty DoS in PHP

2002-04-17 Thread Dustin E. Childers

It does not stop after its execution time. We have let this run for 10+
minutes to see if it would crash the server, and it did. It does not affect
the person that loads the code in the browser, just affects the server
running the code.

Dustin E. Childers
Security Administrator. CEO, Digitux Security, Inc.
http://www.digitux.net/

- Original Message -
From: "Jason Murray" <[EMAIL PROTECTED]>
To: "'Dustin E. Childers'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, April 17, 2002 4:45 PM
Subject: RE: [PHP] Nasty DoS in PHP


> > I have found something interesting that can kill the server.
> > I'm not sure if this is because of Apache or PHP. If you use
> > PHP to send a header() inside of a while loop, the httpd
> > process will begin to use massive CPU and Memory until it is
> > killed, or the server is killed. Here is what I used:
> >
> > <?php
> >   while(0<1) {
> >     header("A");
> >   }
> > ?>
>
> Umm, but, this is an infinite loop. It won't stop executing.
>
> Actually, it *should* stop executing once PHP hits its maximum
> execution time limit (usually 30 seconds).
>
> If you code something like this into pages, you've got bigger
> problems than a DoS attack.
>
> It's also not strictly a DoS since you'd be doing it to yourself
> if you ran this code. Of course, if you're silly enough to let
> visitors to your website upload and execute arbitrary code then
> there are, again, bigger problems (such as possibly compromising
> root access, fetching /etc/passwd and guessing passwords, or
> getting access to other sensitive information on your file
> system).
>
> Unless there's something specifically bad about the Header()
> command (you didn't make it clear if this is what you were
> talking about), infinite loops are, in general, bad.
>
> Jason
>
> --
> Jason Murray
> [EMAIL PROTECTED]
> Web Developer, Melbourne IT
> "Work now, freak later!"






RE: [PHP] Nasty DoS in PHP

2002-04-17 Thread Jason Murray

> I have found something interesting that can kill the server. 
> I'm not sure if this is because of Apache or PHP. If you use 
> PHP to send a header() inside of a while loop, the httpd 
> process will begin to use massive CPU and Memory until it is 
> killed, or the server is killed. Here is what I used:
> 
> <?php
>   while(0<1) {
>     header("A");
>   }
> ?>

Umm, but, this is an infinite loop. It won't stop executing.

Actually, it *should* stop executing once PHP hits its maximum
execution time limit (usually 30 seconds).

If you code something like this into pages, you've got bigger
problems than a DoS attack.

It's also not strictly a DoS since you'd be doing it to yourself
if you ran this code. Of course, if you're silly enough to let
visitors to your website upload and execute arbitrary code then
there are, again, bigger problems (such as possibly compromising
root access, fetching /etc/passwd and guessing passwords, or 
getting access to other sensitive information on your file 
system).

Unless there's something specifically bad about the Header()
command (you didn't make it clear if this is what you were
talking about), infinite loops are, in general, bad.

Jason

-- 
Jason Murray
[EMAIL PROTECTED]
Web Developer, Melbourne IT
"Work now, freak later!"





[PHP] Re: session_is_registered

2002-04-17 Thread Norman Zhang

Thanks everyone. I solved the problem by upgrading 4.0.6 to 4.1.2.

Norman







Re: [PHP] Nasty DoS in PHP

2002-04-17 Thread Dustin E. Childers

php.ini:
  memory_limit = 8M  ; Maximum amount of memory a script may consume (8MB)

That is in there, I execute the code from a browser.
ps aux:
  nobody  60155 84.6 16.8 88644 87424  ??  R 5:15PM   0:23.23 /www/bin/httpd

using 84.6% of CPU and 16.8% of Memory.

Dustin E. Childers
Security Administrator. CEO, Digitux Security, Inc.
http://www.digitux.net/

- Original Message -
From: "Rasmus Lerdorf" <[EMAIL PROTECTED]>
To: "Dustin E. Childers" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, April 17, 2002 12:58 PM
Subject: Re: [PHP] Nasty DoS in PHP


> Turn on the memory-limit option
>
> On Wed, 17 Apr 2002, Dustin E. Childers wrote:
>
> > Hello.
> >
> > I have found something interesting that can kill the server. I'm not
> > sure if this is because of Apache or PHP. If you use PHP to send a header()
> > inside of a while loop, the httpd process will begin to use massive CPU and
> > Memory until it is killed, or the server is killed. Here is what I used:
> >
> > <?php
> >   while(0<1) {
> >     header("A");
> >   }
> > ?>
> >
> > We have tested this on apache 1.3.22, and apache 2.0.35, using php 4.1.2
> > and 4.2.0RC4. It was able to completely kill our servers (not apache, the
> > entire server). The loads of the server will reach 50+. I have contacted
> > apache about this and they said that it is PHP related.
> >
> > Dustin E. Childers
> > Security Administrator. CEO, Digitux Security, Inc.
> > http://www.digitux.net/
> >
>
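
The `ps aux` line in the message above shows an httpd worker at 84.6% CPU with a resident size of 87424 KB, roughly ten times the 8M `memory_limit`. The following watchdog check is an added example, not code from the thread: it parses `ps aux` output and a php.ini line and flags such workers. The header row, the second process row, and the `cpu_pct` and `rss_factor` thresholds are assumptions made for the illustration.

```python
import re

# The php.ini line and the first process row are copied from the message above;
# the header row and the second (idle) worker are constructed for the example.
SAMPLE_INI = "memory_limit = 8M  ; Maximum amount of memory a script may consume (8MB)\n"
SAMPLE_PS = """\
USER      PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED      TIME COMMAND
nobody  60155 84.6 16.8 88644 87424  ??  R     5:15PM   0:23.23 /www/bin/httpd
nobody  60160  0.3  1.1  6120  5480  ??  S     5:02PM   0:00.41 /www/bin/httpd
"""

_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def ini_size_bytes(ini_text, key="memory_limit"):
    """Return a php.ini size setting in bytes; None if missing or unlimited (-1)."""
    pattern = re.compile(rf"{re.escape(key)}\s*=\s*(-?\d+)\s*([KMG]?)", re.I)
    for line in ini_text.splitlines():
        setting = line.split(";", 1)[0].strip()    # drop the trailing comment
        m = pattern.fullmatch(setting)
        if m:
            value = int(m.group(1))
            return None if value < 0 else value * _UNITS[m.group(2).upper()]
    return None


def parse_ps_aux(ps_text):
    """Parse BSD-style `ps aux` rows; the header and short rows are skipped."""
    rows = []
    for line in ps_text.splitlines():
        fields = line.split(None, 10)              # COMMAND may contain spaces
        if len(fields) < 11 or not fields[1].isdigit():
            continue
        rows.append({
            "pid": int(fields[1]),
            "cpu_pct": float(fields[2]),
            "rss_kb": int(fields[5]),
            "command": fields[10],
        })
    return rows


def runaway_workers(ps_text, ini_text, name="httpd", cpu_pct=50.0, rss_factor=4):
    """Flag workers that are CPU-bound or hold far more memory than memory_limit.

    A worker's RSS also covers Apache and the PHP engine itself, so it normally
    sits somewhat above memory_limit; rss_factor is the tolerated multiple.
    """
    limit = ini_size_bytes(ini_text)
    findings = []
    for proc in parse_ps_aux(ps_text):
        binary = proc["command"].split()[0].rsplit("/", 1)[-1]
        if binary != name:
            continue
        reasons = []
        if proc["cpu_pct"] >= cpu_pct:
            reasons.append(f"cpu {proc['cpu_pct']}% >= {cpu_pct}%")
        rss_bytes = proc["rss_kb"] * 1024
        if limit is not None and rss_bytes > rss_factor * limit:
            reasons.append(f"rss {rss_bytes / limit:.1f}x memory_limit")
        if reasons:
            findings.append({"pid": proc["pid"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in runaway_workers(SAMPLE_PS, SAMPLE_INI):
        print(hit["pid"], "; ".join(hit["reasons"]))
```
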






[PHP] hosts, suggestions?

2002-04-17 Thread Dennis Gearon

I'm looking for good service, uptime, blah blah, plus:

Please respond as to whether you have these features or not
 _
|_| access to '.htaccess' files in our directories.?
|_| ability to put apache 'rewrite' instructions in our '.htaccess' file?
|_| -or- sys admin will put a mod rewrite instruction in our virtual
host config?
|_| PHP can execute executables, shell scripts?
|_| do you have a shared encryption certificate for SSL?
|_| do you have the ability to serve flash
|_| do you have the ability to serve shockwave
|_| do you have python installed
|_| do you have the ability to serve java servlets
|_| do you have telephone service and what are the hours of ALL your
support methods?
|_| is your database MySQL

---

I'm looking at:

http://www.dreamhost.com/
http://www.linuxwebhost.com/
http://www.westhost.com/
http://www.yohost.com/
http://dzones.com/plans.htm/
http://www.mybizhosting.com/
http://www.cqhost.com/
http://www.nebis.com/



Anyone have comments about these or other hosts? 

I have been on http://www.successfulhosting.com/ for quite awhile.
Excellent uptime, good PHONE tech service, almost no complaints. BUT,
they don't completely match the feature set above, so I will have to
move. They are, nicely, a little paranoid about security, so they don't
allow the use of mod_rewrite, even though there are no known attacks
successful using mod_rewrite. Their tech staff probably has ONE guy who
really knows what's happening and the rest are really junior. But they
usually give good service in 5 mins for the easy stuff to 36 hours for
the really technical stuff. Great, but not a site for an aspiring guru
to play on.
-- 

If You want to buy computer parts, see the reviews at:
http://www.cnet.com/
**OR EVEN BETTER COMPILATIONS**!!
http://sysopt.earthweb.com/userreviews/products/





[PHP] Re: mod_rewrite (the solution)

2002-04-17 Thread CC Zona

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
wrote:

> RewriteEngine  on
> RewriteBase    /
> RewriteRule    $.* index.php

RewriteRule takes a regular expression as its first parameter.

The "$" regex meta-character is an end-of-line marker.  It has no special 
meaning at the beginning of a pattern.  If you want a pattern that matches 
"anything including nothing", use:

RewriteRule ^.*$ index.php

-- 
CC





Re: [PHP] Would this work? (mod_rewrite)

2002-04-17 Thread CC Zona

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
wrote:

> But now I am receiving a 404 error message and the following message in my 
> error log:
> 
> [Wed Apr 17 18:31:26 2002] [error] [client 172.131.190.148] File does not 
> exist: /home/swiften/public_html/404.shtml
> 
> [Wed Apr 17 18:31:26 2002] [error] [client 172.131.190.148] File does not 
> exist: /home/swiften/public_html/technicians.html
> 
> The 404.shtml thing has to do with my ISP.  I think that one's out of my 
> control; so is there a work around so it does not try to find that file??

ErrorDocument directive.

-- 
CC





[PHP] mod_rewrite (the solution)

2002-04-17 Thread [ rswfire ]

RewriteEngine  on
RewriteBase    /
RewriteRule    $.* index.php


Original Message Follows
From: "SHEETS,JASON (Non-HP-Boise,ex1)" <[EMAIL PROTECTED]>
To: "'[ rswfire ]'" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]
Subject: RE: [PHP] Would this work? (mod_rewrite)
Date: Wed, 17 Apr 2002 18:29:25 -0400

And I fall victim to my own stupidity/cache again.

You actually want


RewriteEngine on
RewriteBase /
RewriteRule ^$ index.php

This works for me on my domain, you can check it out by going to
http://demo.shadotechdesigns.com and http://bug.shadonet.com

Jason

-Original Message-
From: [ rswfire ] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 17, 2002 4:20 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Would this work? (mod_rewrite)


This rewrite thing will actually be very good for me; my error log file will
stop having a million "file not found" errors  :-)

I have to tell you guys, I love JTL Networks.  They are the best host I have
ever had ever!


Original Message Follows
From: Miguel Cruz <[EMAIL PROTECTED]>
To: "[ rswfire ]" <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED]
Subject: Re: [PHP] Would this work? (mod_rewrite)
Date: Wed, 17 Apr 2002 17:14:13 -0500 (CDT)

Do you have access to your server's error_log file? With any luck there'll
be a more informative message there (something like "Miguel was too lazy
to pay sufficient attention to the following Rewrite caveat: xxx").

miguel

On Wed, 17 Apr 2002, [ rswfire ] wrote:

  > mod_bwlimited, mod_php4, mod_log_bytes, mod_frontpage, mod_ssl,
  > mod_setenvif, mod_so, mod_auth, mod_access, mod_rewrite, mod_alias,
  > mod_userdir, mod_actions, mod_imap, mod_asis, mod_cgi, mod_dir,
  > mod_autoindex, mod_include, mod_status, mod_negotiation, mod_mime,
  > mod_log_config, mod_env, http_core
  >
  >
  > Original Message Follows
  > From: Miguel Cruz <[EMAIL PROTECTED]>
  > To: "[ rswfire ]" <[EMAIL PROTECTED]>
  > CC: [EMAIL PROTECTED]
  > Subject: Re: [PHP] Would this work?  (mod_rewrite)
  > Date: Wed, 17 Apr 2002 16:55:33 -0500 (CDT)
  >
  > On Wed, 17 Apr 2002, [ rswfire ] wrote:
  >  > Assume I want *.domain.*/*.* to automatically call index.php (without the
  >  > user knowing and without any redirecting at all):
  >  >
  >  > RewriteEngine  on
  >  > RewriteBase    /
  >  > RewriteRule    *.* index.php [R]
  >  >
  >  > I don't know what in the world the [R] is, but it's in almost all of the
  >  > mod_rewrite examples...  :-)
  >
  > RewriteRule * index.php
  >
  > Don't use the [R] - that tells it to create an external redirect. It's
  > used in many of the examples because in many real-world cases people are
  > using rewrite rules to coax invalid URLs into valid ones, and this way
  > there's at least some chance that the bad ones will get updated.
  >
  > miguel
  >
  >
  >
  >
  >
  >
  >
  >













[PHP] Re: Nasty DoS in PHP

2002-04-17 Thread Michael Kimsal

Dustin E. Childers wrote:
> Hello.
> 
> I have found something interesting that can kill the server. I'm not sure if this is
> because of Apache or PHP. If you use PHP to send a header() inside of a while loop,
> the httpd process will begin to use massive CPU and Memory until it is killed, or the
> server is killed. Here is what I used:
>
> <?php
>   while(0<1) {
>     header("A");
>   }
> ?>
>
> We have tested this on apache 1.3.22, and apache 2.0.35, using php 4.1.2 and
> 4.2.0RC4. It was able to completely kill our servers (not apache, the entire server).
> The loads of the server will reach 50+. I have contacted apache about this and they
> said that it is PHP related.


Did you have output buffering on or off?  It seems that it would be
somewhat dependent on the browser as well, but maybe I'm off base here.

If you just kept letting

while(0<1) {
    echo "w";
}

run as well, wouldn't that also lock things up?  Aren't infinite loops 
in general a bad thing?  Or is there something particular about the 
header() that you're thinking is going on?






[PHP] Registration Form

2002-04-17 Thread Vladislav Kulchitski


Hi,

I am using registration form with a number of different steps. And if,
for instance, the user wants to come back to correct something, I am
using the back img button with the link:

javascript:history.back(1)

I am wondering how many people are actually using the way I do, and if
it's reliable at all or not, I mean whether there are browsers wouldn't
support returning back and keep the information in the fields.

Advice would be greatly appreciated,
Thanks,
Vlad
p.s. probably the best way is to use sessions(?), but I am carrying
values through the steps via 

 
 






[PHP] Arranging Data

2002-04-17 Thread Jason Soza

How would I have a script display results in a table, but make it so 
that once 3 or 4 results are displayed in one table row, a new table 
row would be started?

Right now I have something like:
printf("",$pic1);

And all the records for $pic1 come out into a single column which, if I 
had many records, could get unwieldy. I'm looking to do something like:
print("");
print("");
printf("",$pic1>

Where instead of one table row being created with endless 's, the 
printf() function would print just 3 records, then another '' tag 
would be printed to start a new row, where printf() could print the 
next 3 records, and so on. Is this possible?

Thanks in advance,
Jason






[PHP] RE: print on top

2002-04-17 Thread Gurhan Ozen

Hi Jule,
You need to sort your records with "ORDER BY" clause. I don't know what
your table looks like and obviously don't know if you have suitable column
for it.. Say you have a newsid field defined with int datatype with
auto_increment property, then you can issue your statement as "SELECT ..
FROM table ORDER BY newsid DESC" to make the last inserted row at the very
top. Likewise, if you have a inserted date/time column to keep track of the
times that news are inserted , it may be used for the same purpose as well.

Gurhan

-Original Message-
From: Jule Slootbeek [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 17, 2002 6:39 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: print on top


Hey guys and gals,
I'm writing this script for my new webpage, and i'm using MySQL to read and
add news articles to a page, but everytime i add a new article it puts it
under the older one, how can i get it on top?

thanks

Jule

$Link = mysql_connect ($Host, $User, $Password);
$Query = "SELECT * from $TableName";
$Result = mysql_db_query ($DBName, $Query, $Link);
while ($Array = mysql_fetch_array ($Result)) {
print ("");
print ("\n");
print ("$Array[header]\n");
print ("\n");
print ("\n");
print ("$Array[article]\n");
print ("\n");
print ("\n");
print ("Posted by: $Array[name] on
$Array[postdate]\n");
print ("\n");
print ("");
--
Jule Slootbeek
[EMAIL PROTECTED]
http://blindtheory.cjb.net





[PHP] document root

2002-04-17 Thread Senih Özkiper

What is the best way to find out the directory where web documents are stored
on a .nix web server?
I need that because I want to install my application files on customers' web
server directly and automatically from my web server using ftp.

Better to explain;

If for example header("Location:www.someweb.com") would be possible, I could
do it with

getenv("DOCUMENT_ROOT");


Thanks in advance,
Senih




Re: [PHP] Nasty DoS in PHP

2002-04-17 Thread Rasmus Lerdorf

Turn on the memory-limit option

On Wed, 17 Apr 2002, Dustin E. Childers wrote:

> Hello.
>
> I have found something interesting that can kill the server. I'm not sure if this is
> because of Apache or PHP. If you use PHP to send a header() inside of a while loop,
> the httpd process will begin to use massive CPU and Memory until it is killed, or the
> server is killed. Here is what I used:
>
> <?php
>   while(0<1) {
>     header("A");
>   }
> ?>
>
> We have tested this on apache 1.3.22, and apache 2.0.35, using php 4.1.2 and
> 4.2.0RC4. It was able to completely kill our servers (not apache, the entire server).
> The loads of the server will reach 50+. I have contacted apache about this and they
> said that it is PHP related.
>
> Dustin E. Childers
> Security Administrator. CEO, Digitux Security, Inc.
> http://www.digitux.net/
>






[PHP] Nasty DoS in PHP

2002-04-17 Thread Dustin E. Childers

Hello.

I have found something interesting that can kill the server. I'm not sure if this is 
because of Apache or PHP. If you use PHP to send a header() inside of a while loop, 
the httpd process will begin to use massive CPU and Memory until it is killed, or the 
server is killed. Here is what I used:



We have tested this on apache 1.3.22, and apache 2.0.35, using php 4.1.2 and 4.2.0RC4. 
It was able to completely kill our servers (not apache, the entire server). The loads
of the server will reach 50+. I have contacted apache about this and they said that it 
is PHP related.

Dustin E. Childers
Security Administrator. CEO, Digitux Security, Inc.
http://www.digitux.net/



[PHP] Re: Using one submit button (long, rambling, near-total rewrite)

2002-04-17 Thread Hugh Bothwell

"Jennifer Downey" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...

> I have no takers on this one?

You would have more help if you didn't glumph
a whole whack of code in... it takes five minutes
just to sort out what's what.


>  if I have one item it is fine. If I have two items it
> won't update the first items price but will the
> second. if I try to enter a price in the first items
> textbox it doesn't update and then deletes the
> second item's price.

It sounds like you are trying to return multiple
values to a single variable - ie, you need to
return an array, then iterate through the array
to process it.


>$uid = $row['uid'];
>$id = $row['id'];
>$name = $row['name'];
>$image = $row['image'];
>$iquantity = $row['quantity'];
>$itype = $row['type'];
>$iprice = $row['price'];

Look up the documentation on extract()


> if($update)
> {
>  $eprice = '$price[]';
>  $query = "UPDATE {$config["prefix"]}_shop SET price = '$eprice'
> where uid = {$session["uid"]} AND id = '$id'";
>  $ret = mysql_query($query) or die(mysql_error());

if(isset($update) and is_array($price))
    foreach($price as $id => $newval)
        if ($newval != "") {
            $query =
                "UPDATE {$config['prefix']}_shop "
                ."SET price='$newval' "
                ."WHERE uid='{$session['uid']}' AND id='$id' ";
            mysql_query($query) or die(mysql_error());
        }



>  echo " CELLSPACING='0'>";
>  echo "";
>  echo "$name";
>  echo " size=2>$iquantity";
>  echo " href='$PHP_SELF?id=$id&remove=yes'>X";
>  echo " value=\"\" name=\"price[]\" size='8'
> MAXLENGTH='8'>";
>  echo "";
>echo "";
> }

(grin)  you realize your column widths add to 130% ?

This is not necessarily a problem; rather, I point it out as
a symptom of poorly formatted and hard-to-follow code.

I often find it useful to write simple table-making functions
just so it's easier to follow what's going on... something
like


// adjustable indentation for prettyprinting
define("BEGINTABLE", "\n\t");
define("ENDTABLE", "\n\t");
define("BEGINROW", "\n\t\t");
define("ENDROW", "\n\t\t");
define("BEGINCELL", "\n\t\t\t");
define("ENDCELL", "");
define("BEGINCONTENTS", "");

function makeTable($content, $width="", $border=0) {
    return
        BEGINTABLE."<table width='$width' border='$border'>"
        .$content
        .ENDTABLE."</table>";
}

function makeRow($content) {
    return
        BEGINROW."<tr>"
        .$content
        .ENDROW."</tr>";
}

function makeCell($content="", $width="") {
    return
        BEGINCELL."<td width='$width'>"
        .($content != "" ? $content : " ")
        .ENDCELL."</td>";
}


Then your code turns into

// separate out the recurrent formatting
$s = "";
$e = "";

$content = makeRow(
 makeCell($s."Image".$e,"20%")
.makeCell($s."Name".$e,"30%")
.makeCell($s."Quantity".$e,"20%")
.makeCell($s."Remove Item".$e, "30%")
.makeCell($s."Price".$e, "30%")
);
// Wow, the odd total here is a lot more obvious!

$query =
"SELECT uid, id, name, image, type, quantity "
."FROM {$config["prefix"]}_shop "
."WHERE uid = {$session["uid"]}";
$res = mysql_query($query) or die(mysql_error());

while($row = mysql_fetch_array($res)) {
extract($row);
$content .= makeRow(
 makeCell("")
.makeCell($s.$name.$e)
.makeCell($s.$quantity.$e)
.makeCell($s."".$e)
.makeCell($s."".$e)
);
}

echo
"\n"
.makeTable($content, "95%")
.$s
.""
.""
.$e
."\n";



... I have changed a few things; for one, instead
of removing items singly, I have refit a set of
checkboxes, returning an array of selected items
for removal.

Also, note my use of single-quotes inside the double-quoted
strings... I find this much easier to follow, instead of umpteen
dozen escaped double-slashes.

I hope this is of some use to you.
  Hugh.







[PHP] save html created by loop in variable

2002-04-17 Thread Jason Dulberg

I have a WHILE loop that I am interested in storing the html that is
generated based on its results to a variable. This variable would then be
echoed later on.

Basically the html that is generated from the while loop is a bunch of table
cell definitions and some data from the database - this data is manipulated
with some IF statements in the loop.

So I'd want to store something like this:

while ($row=mysql_fetch_array($result)) {
?>

if ($variable==1) {
//store on

//store off
}
if ($variable==2) {
//store on

//store off
and so on.
}

$variable"; for each time
something needs to be displayed but it didn't display anything.

Any ideas how I could create such a thing? thanks in advance! :)



__
Jason Dulberg






[PHP] print on top

2002-04-17 Thread Jule Slootbeek

Hey guys and gals,
I'm writing this script for my new webpage, and i'm using MySQL to read and 
add news articles to a page, but everytime i add a new article it puts it 
under the older one, how can i get it on top?

thanks

Jule

$Link = mysql_connect ($Host, $User, $Password);
$Query = "SELECT * from $TableName";
$Result = mysql_db_query ($DBName, $Query, $Link);
while ($Array = mysql_fetch_array ($Result)) {
print ("");
print ("\n");
print ("$Array[header]\n");
print ("\n");
print ("\n");
print ("$Array[article]\n");
print ("\n");
print ("\n");
print ("Posted by: $Array[name] on 
$Array[postdate]\n");
print ("\n");
print ("");
-- 
Jule Slootbeek
[EMAIL PROTECTED]
http://blindtheory.cjb.net





RE: [PHP] Would this work? (mod_rewrite)

2002-04-17 Thread [ rswfire ]

Well, it's half working  :-(

But now I am receiving a 404 error message and the following message in my 
error log:

[Wed Apr 17 18:31:26 2002] [error] [client 172.131.190.148] File does not 
exist: /home/swiften/public_html/404.shtml

[Wed Apr 17 18:31:26 2002] [error] [client 172.131.190.148] File does not 
exist: /home/swiften/public_html/technicians.html

The 404.shtml thing has to do with my ISP.  I think that one's out of my 
control; so is there a work around so it does not try to find that file??


Original Message Follows
From: "SHEETS,JASON (Non-HP-Boise,ex1)" <[EMAIL PROTECTED]>
To: "'[ rswfire ]'" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]
Subject: RE: [PHP] Would this work? (mod_rewrite)
Date: Wed, 17 Apr 2002 18:29:25 -0400

And I fall victim to my own stupidity/cache again.

You actually want


RewriteEngine on
RewriteBase /
RewriteRule ^$ index.php

This works for me on my domain, you can check it out by going to
http://demo.shadotechdesigns.com and http://bug.shadonet.com

Jason

-Original Message-
From: [ rswfire ] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 17, 2002 4:20 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Would this work? (mod_rewrite)


This rewrite thing will actually be very good for me; my error log file will
stop having a million "file not found" errors  :-)

I have to tell you guys, I love JTL Networks.  They are the best host I have
ever had ever!


Original Message Follows
From: Miguel Cruz <[EMAIL PROTECTED]>
To: "[ rswfire ]" <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED]
Subject: Re: [PHP] Would this work? (mod_rewrite)
Date: Wed, 17 Apr 2002 17:14:13 -0500 (CDT)

Do you have access to your server's error_log file? With any luck there'll
be a more informative message there (something like "Miguel was too lazy
to pay sufficient attention to the following Rewrite caveat: xxx").

miguel

On Wed, 17 Apr 2002, [ rswfire ] wrote:

  > mod_bwlimited, mod_php4, mod_log_bytes, mod_frontpage, mod_ssl,
  > mod_setenvif, mod_so, mod_auth, mod_access, mod_rewrite, mod_alias,
  > mod_userdir, mod_actions, mod_imap, mod_asis, mod_cgi, mod_dir,
  > mod_autoindex, mod_include, mod_status, mod_negotiation, mod_mime,
  > mod_log_config, mod_env, http_core
  >
  >
  > Original Message Follows
  > From: Miguel Cruz <[EMAIL PROTECTED]>
  > To: "[ rswfire ]" <[EMAIL PROTECTED]>
  > CC: [EMAIL PROTECTED]
  > Subject: Re: [PHP] Would this work?  (mod_rewrite)
  > Date: Wed, 17 Apr 2002 16:55:33 -0500 (CDT)
  >
  > On Wed, 17 Apr 2002, [ rswfire ] wrote:
  >  > Assume I want *.domain.*/*.* to automatically call index.php (without the
  >  > user knowing and without any redirecting at all):
  >  >
  >  > RewriteEngine  on
  >  > RewriteBase    /
  >  > RewriteRule    *.* index.php [R]
  >  >
  >  > I don't know what in the world the [R] is, but it's in almost all of the
  >  > mod_rewrite examples...  :-)
  >
  > RewriteRule * index.php
  >
  > Don't use the [R] - that tells it to create an external redirect. It's
  > used in many of the examples because in many real-world cases people are
  > using rewrite rules to coax invalid URLs into valid ones, and this way
  > there's at least some chance that the bad ones will get updated.
  >
  > miguel
  >
  >
  >
  >
  >
  >
  >
  >













RE: [PHP] Would this work? (mod_rewrite)

2002-04-17 Thread SHEETS,JASON (Non-HP-Boise,ex1)

And I fall victim to my own stupidity/cache again.

You actually want


RewriteEngine on
RewriteBase /
RewriteRule ^$ index.php

This works for me on my domain, you can check it out by going to
http://demo.shadotechdesigns.com and http://bug.shadonet.com

Jason

-Original Message-
From: [ rswfire ] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 17, 2002 4:20 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Would this work? (mod_rewrite)


This rewrite thing will actually be very good for me; my error log file will
stop having a million "file not found" errors  :-)

I have to tell you guys, I love JTL Networks.  They are the best host I have
ever had ever!


Original Message Follows
From: Miguel Cruz <[EMAIL PROTECTED]>
To: "[ rswfire ]" <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED]
Subject: Re: [PHP] Would this work? (mod_rewrite)
Date: Wed, 17 Apr 2002 17:14:13 -0500 (CDT)

Do you have access to your server's error_log file? With any luck there'll
be a more informative message there (something like "Miguel was too lazy
to pay sufficient attention to the following Rewrite caveat: xxx").

miguel

On Wed, 17 Apr 2002, [ rswfire ] wrote:

 > mod_bwlimited, mod_php4, mod_log_bytes, mod_frontpage, mod_ssl,
 > mod_setenvif, mod_so, mod_auth, mod_access, mod_rewrite, mod_alias,
 > mod_userdir, mod_actions, mod_imap, mod_asis, mod_cgi, mod_dir,
 > mod_autoindex, mod_include, mod_status, mod_negotiation, mod_mime,
 > mod_log_config, mod_env, http_core
 >
 >
 > Original Message Follows
 > From: Miguel Cruz <[EMAIL PROTECTED]>
 > To: "[ rswfire ]" <[EMAIL PROTECTED]>
 > CC: [EMAIL PROTECTED]
 > Subject: Re: [PHP] Would this work?  (mod_rewrite)
 > Date: Wed, 17 Apr 2002 16:55:33 -0500 (CDT)
 >
 > On Wed, 17 Apr 2002, [ rswfire ] wrote:
 >  > Assume I want *.domain.*/*.* to automatically call index.php (without the
 >  > user knowing and without any redirecting at all):
 >  >
 >  > RewriteEngine  on
 >  > RewriteBase    /
 >  > RewriteRule    *.* index.php [R]
 >  >
 >  > I don't know what in the world the [R] is, but it's in almost all of the
 >  > mod_rewrite examples...  :-)
 >
 > RewriteRule * index.php
 >
 > Don't use the [R] - that tells it to create an external redirect. It's
 > used in many of the examples because in many real-world cases people are
 > using rewrite rules to coax invalid URLs into valid ones, and this way
 > there's at least some chance that the bad ones will get updated.
 >
 > miguel
 >
 >
 >
 >
 >
 >
 >
 >









RE: [PHP] Would this work? (mod_rewrite)

2002-04-17 Thread SHEETS,JASON (Non-HP-Boise,ex1)

You actually want

RewriteEngine on
RewriteBase /
RewriteRule *$ index.php

Jason

-Original Message-
From: [ rswfire ] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 17, 2002 4:20 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Would this work? (mod_rewrite)


This rewrite thing will actually be very good for me; my error log file will
stop having a million "file not found" errors  :-)

I have to tell you guys, I love JTL Networks.  They are the best host I have
ever had ever!


Original Message Follows
From: Miguel Cruz <[EMAIL PROTECTED]>
To: "[ rswfire ]" <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED]
Subject: Re: [PHP] Would this work? (mod_rewrite)
Date: Wed, 17 Apr 2002 17:14:13 -0500 (CDT)

Do you have access to your server's error_log file? With any luck there'll
be a more informative message there (something like "Miguel was too lazy
to pay sufficient attention to the following Rewrite caveat: xxx").

miguel

On Wed, 17 Apr 2002, [ rswfire ] wrote:

 > mod_bwlimited, mod_php4, mod_log_bytes, mod_frontpage, mod_ssl,
 > mod_setenvif, mod_so, mod_auth, mod_access, mod_rewrite, mod_alias,
 > mod_userdir, mod_actions, mod_imap, mod_asis, mod_cgi, mod_dir,
 > mod_autoindex, mod_include, mod_status, mod_negotiation, mod_mime,
 > mod_log_config, mod_env, http_core
 >
 >
 > Original Message Follows
 > From: Miguel Cruz <[EMAIL PROTECTED]>
 > To: "[ rswfire ]" <[EMAIL PROTECTED]>
 > CC: [EMAIL PROTECTED]
 > Subject: Re: [PHP] Would this work?  (mod_rewrite)
 > Date: Wed, 17 Apr 2002 16:55:33 -0500 (CDT)
 >
 > On Wed, 17 Apr 2002, [ rswfire ] wrote:
 >  > Assume I want *.domain.*/*.* to automatically call index.php (without the
 >  > user knowing and without any redirecting at all):
 >  >
 >  > RewriteEngine  on
 >  > RewriteBase    /
 >  > RewriteRule    *.* index.php [R]
 >  >
 >  > I don't know what in the world the [R] is, but it's in almost all of the
 >  > mod_rewrite examples...  :-)
 >
 > RewriteRule * index.php
 >
 > Don't use the [R] - that tells it to create an external redirect. It's
 > used in many of the examples because in many real-world cases people are
 > using rewrite rules to coax invalid URLs into valid ones, and this way
 > there's at least some chance that the bad ones will get updated.
 >
 > miguel
 >
 >
 >
 >
 >
 >
 >
 >









Re: [PHP] Would this work? (mod_rewrite)

2002-04-17 Thread [ rswfire ]

This rewrite thing will actually be very good for me; my error log file will 
stop having a million "file not found" errors  :-)

I have to tell you guys, I love JTL Networks.  They are the best host I have 
ever had ever!


Original Message Follows
From: Miguel Cruz <[EMAIL PROTECTED]>
To: "[ rswfire ]" <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED]
Subject: Re: [PHP] Would this work? (mod_rewrite)
Date: Wed, 17 Apr 2002 17:14:13 -0500 (CDT)

Do you have access to your server's error_log file? With any luck there'll
be a more informative message there (something like "Miguel was too lazy
to pay sufficient attention to the following Rewrite caveat: xxx").

miguel

On Wed, 17 Apr 2002, [ rswfire ] wrote:

 > mod_bwlimited, mod_php4, mod_log_bytes, mod_frontpage, mod_ssl,
 > mod_setenvif, mod_so, mod_auth, mod_access, mod_rewrite, mod_alias,
 > mod_userdir, mod_actions, mod_imap, mod_asis, mod_cgi, mod_dir,
 > mod_autoindex, mod_include, mod_status, mod_negotiation, mod_mime,
 > mod_log_config, mod_env, http_core
 >
 >
 > Original Message Follows
 > From: Miguel Cruz <[EMAIL PROTECTED]>
 > To: "[ rswfire ]" <[EMAIL PROTECTED]>
 > CC: [EMAIL PROTECTED]
 > Subject: Re: [PHP] Would this work?  (mod_rewrite)
 > Date: Wed, 17 Apr 2002 16:55:33 -0500 (CDT)
 >
 > On Wed, 17 Apr 2002, [ rswfire ] wrote:
 >  > Assume I want *.domain.*/*.* to automatically call index.php (without the
 >  > user knowing and without any redirecting at all):
 >  >
 >  > RewriteEngine  on
 >  > RewriteBase    /
 >  > RewriteRule    *.* index.php [R]
 >  >
 >  > I don't know what in the world the [R] is, but it's in almost all of the
 >  > mod_rewrite examples...  :-)
 >
 > RewriteRule * index.php
 >
 > Don't use the [R] - that tells it to create an external redirect. It's
 > used in many of the examples because in many real-world cases people are
 > using rewrite rules to coax invalid URLs into valid ones, and this way
 > there's at least some chance that the bad ones will get updated.
 >
 > miguel




Re: [PHP] Would this work? (mod_rewrite)

2002-04-17 Thread [ rswfire ]


[Wed Apr 17 18:04:19 2002] [alert] [client 172.131.190.148] /home/swiften/public_html/.htaccess: RewriteRule: cannot compile regular expression '*'


Original Message Follows
From: Miguel Cruz <[EMAIL PROTECTED]>
To: "[ rswfire ]" <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED]
Subject: Re: [PHP] Would this work? (mod_rewrite)
Date: Wed, 17 Apr 2002 17:14:13 -0500 (CDT)

Do you have access to your server's error_log file? With any luck there'll
be a more informative message there (something like "Miguel was too lazy
to pay sufficient attention to the following Rewrite caveat: xxx").

miguel

On Wed, 17 Apr 2002, [ rswfire ] wrote:

 > mod_bwlimited, mod_php4, mod_log_bytes, mod_frontpage, mod_ssl,
 > mod_setenvif, mod_so, mod_auth, mod_access, mod_rewrite, mod_alias,
 > mod_userdir, mod_actions, mod_imap, mod_asis, mod_cgi, mod_dir,
 > mod_autoindex, mod_include, mod_status, mod_negotiation, mod_mime,
 > mod_log_config, mod_env, http_core
 >
 >
 > Original Message Follows
 > From: Miguel Cruz <[EMAIL PROTECTED]>
 > To: "[ rswfire ]" <[EMAIL PROTECTED]>
 > CC: [EMAIL PROTECTED]
 > Subject: Re: [PHP] Would this work?  (mod_rewrite)
 > Date: Wed, 17 Apr 2002 16:55:33 -0500 (CDT)
 >
 > On Wed, 17 Apr 2002, [ rswfire ] wrote:
 >  > Assume I want *.domain.*/*.* to automatically call index.php (without the
 >  > user knowing and without any redirecting at all):
 >  >
 >  > RewriteEngine  on
 >  > RewriteBase  /
 >  > RewriteRule  *.* index.php [R]
 >  >
 >  > I don't know what in the world the [R] is, but it's in almost all of the
 >  > mod_rewrite examples...  :-)
 >
 > RewriteRule * index.php
 >
 > Don't use the [R] - that tells it to create an external redirect. It's
 > used in many of the examples because in many real-world cases people are
 > using rewrite rules to coax invalid URLs into valid ones, and this way
 > there's at least some chance that the bad ones will get updated.
 >
 > miguel




Re: [PHP] Would this work? (mod_rewrite)

2002-04-17 Thread Miguel Cruz

Do you have access to your server's error_log file? With any luck there'll 
be a more informative message there (something like "Miguel was too lazy 
to pay sufficient attention to the following Rewrite caveat: xxx").

miguel

On Wed, 17 Apr 2002, [ rswfire ] wrote:

> mod_bwlimited, mod_php4, mod_log_bytes, mod_frontpage, mod_ssl, 
> mod_setenvif, mod_so, mod_auth, mod_access, mod_rewrite, mod_alias, 
> mod_userdir, mod_actions, mod_imap, mod_asis, mod_cgi, mod_dir, 
> mod_autoindex, mod_include, mod_status, mod_negotiation, mod_mime, 
> mod_log_config, mod_env, http_core
> 
> 
> Original Message Follows
> From: Miguel Cruz <[EMAIL PROTECTED]>
> To: "[ rswfire ]" <[EMAIL PROTECTED]>
> CC: [EMAIL PROTECTED]
> Subject: Re: [PHP] Would this work?  (mod_rewrite)
> Date: Wed, 17 Apr 2002 16:55:33 -0500 (CDT)
> 
> On Wed, 17 Apr 2002, [ rswfire ] wrote:
>  > Assume I want *.domain.*/*.* to automatically call index.php (without the
>  > user knowing and without any redirecting at all):
>  >
>  > RewriteEngine  on
>  > RewriteBase  /
>  > RewriteRule  *.* index.php [R]
>  >
>  > I don't know what in the world the [R] is, but it's in almost all of the
>  > mod_rewrite examples...  :-)
> 
> RewriteRule * index.php
> 
> Don't use the [R] - that tells it to create an external redirect. It's
> used in many of the examples because in many real-world cases people are
> using rewrite rules to coax invalid URLs into valid ones, and this way
> there's at least some chance that the bad ones will get updated.
> 
> miguel




[PHP] mod_rewrite

2002-04-17 Thread [ rswfire ]

.htaccess  (returns 500 misconfiguration error message)
{

RewriteEngine  on
RewriteBase  /
RewriteRule  * index.php

}

http://swifte.net/phpinfo.php

(i did not use braces in the .htaccess file)





[PHP] Re: verify file types when uploading to server...

2002-04-17 Thread jas

Nevermind... =)
"Jas" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> I am wondering if anyone has a good idea on how to do checking based on a
> file's extension, what I am trying to accomplish is to be able to upload
> files to a webserver however I only want to have .jpg files uploaded.  If
> anyone has a good way to do this please share.
> Thanks in advance,
> Jas




Re: [PHP] Would this work? (mod_rewrite)

2002-04-17 Thread [ rswfire ]

mod_bwlimited, mod_php4, mod_log_bytes, mod_frontpage, mod_ssl, 
mod_setenvif, mod_so, mod_auth, mod_access, mod_rewrite, mod_alias, 
mod_userdir, mod_actions, mod_imap, mod_asis, mod_cgi, mod_dir, 
mod_autoindex, mod_include, mod_status, mod_negotiation, mod_mime, 
mod_log_config, mod_env, http_core


Original Message Follows
From: Miguel Cruz <[EMAIL PROTECTED]>
To: "[ rswfire ]" <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED]
Subject: Re: [PHP] Would this work?  (mod_rewrite)
Date: Wed, 17 Apr 2002 16:55:33 -0500 (CDT)

On Wed, 17 Apr 2002, [ rswfire ] wrote:
 > Assume I want *.domain.*/*.* to automatically call index.php (without the
 > user knowing and without any redirecting at all):
 >
 > RewriteEngine  on
 > RewriteBase  /
 > RewriteRule  *.* index.php [R]
 >
 > I don't know what in the world the [R] is, but it's in almost all of the
 > mod_rewrite examples...  :-)

RewriteRule * index.php

Don't use the [R] - that tells it to create an external redirect. It's
used in many of the examples because in many real-world cases people are
using rewrite rules to coax invalid URLs into valid ones, and this way
there's at least some chance that the bad ones will get updated.

miguel









Re: [PHP] Would this work? (mod_rewrite)

2002-04-17 Thread Miguel Cruz

Are you sure your server has mod_rewrite installed?

miguel

On Wed, 17 Apr 2002, [ rswfire ] wrote:
> Miguel, if I get this working I am going to be so happy  :-)
> 
> I just tried putting the following in an .htaccess file in my root:
> 
> RewriteEngine  on
> RewriteBase  /
> RewriteRule  * index.php
> 
> And it came back with a server misconfiguration.  So, did I do something 
> wrong?
> 
> 
> Original Message Follows
> From: Miguel Cruz <[EMAIL PROTECTED]>
> To: "[ rswfire ]" <[EMAIL PROTECTED]>
> CC: [EMAIL PROTECTED]
> Subject: Re: [PHP] Would this work?  (mod_rewrite)
> Date: Wed, 17 Apr 2002 16:55:33 -0500 (CDT)
> 
> On Wed, 17 Apr 2002, [ rswfire ] wrote:
>  > Assume I want *.domain.*/*.* to automatically call index.php (without the
>  > user knowing and without any redirecting at all):
>  >
>  > RewriteEngine  on
>  > RewriteBase  /
>  > RewriteRule  *.* index.php [R]
>  >
>  > I don't know what in the world the [R] is, but it's in almost all of the
>  > mod_rewrite examples...  :-)
> 
> RewriteRule * index.php
> 
> Don't use the [R] - that tells it to create an external redirect. It's
> used in many of the examples because in many real-world cases people are
> using rewrite rules to coax invalid URLs into valid ones, and this way
> there's at least some chance that the bad ones will get updated.
> 
> miguel




Re: [PHP] Would this work? (mod_rewrite)

2002-04-17 Thread [ rswfire ]

Miguel, if I get this working I am going to be so happy  :-)

I just tried putting the following in an .htaccess file in my root:

RewriteEngine  on
RewriteBase  /
RewriteRule  * index.php

And it came back with a server misconfiguration.  So, did I do something 
wrong?


Original Message Follows
From: Miguel Cruz <[EMAIL PROTECTED]>
To: "[ rswfire ]" <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED]
Subject: Re: [PHP] Would this work?  (mod_rewrite)
Date: Wed, 17 Apr 2002 16:55:33 -0500 (CDT)

On Wed, 17 Apr 2002, [ rswfire ] wrote:
 > Assume I want *.domain.*/*.* to automatically call index.php (without the
 > user knowing and without any redirecting at all):
 >
 > RewriteEngine  on
 > RewriteBase  /
 > RewriteRule  *.* index.php [R]
 >
 > I don't know what in the world the [R] is, but it's in almost all of the
 > mod_rewrite examples...  :-)

RewriteRule * index.php

Don't use the [R] - that tells it to create an external redirect. It's
used in many of the examples because in many real-world cases people are
using rewrite rules to coax invalid URLs into valid ones, and this way
there's at least some chance that the bad ones will get updated.

miguel









RE: [PHP] form posting to a fake page

2002-04-17 Thread Jaime Bozza

I've done some testing, and it seems that Apache messes with the server
variables when it sends the error document.

Basically, Apache does *NOT* send an HTTP 302 response.  It sends an
HTTP 404 response, but outputs the full code from the ErrorDocument.
Unfortunately, it changes the REQUEST_METHOD from "POST" to "GET".
Also, it creates the following:

REDIRECT_ERROR_NOTES
REDIRECT_REQUEST_METHOD
REDIRECT_STATUS
REDIRECT_URL

(See http://httpd.apache.org/docs/custom-error.html for more information
on the variables)

REDIRECT_REQUEST_METHOD contains POST.  Also, CONTENT_TYPE is *still*
"application/x-www-form-urlencoded" and CONTENT_LENGTH still equals the
size of the POST data, so the data *IS* still being sent, though PHP is
most likely ignoring the data since the method does not equal POST.

Can anyone from the development team verify this?  (CC'ing to php-dev in
a separate email so additional comments don't get CC'd as well)

If this is the case, this may be a good one for a feature request.

If not, using the RewriteEngine may be your only choice.

(Looking in /main/main.c, it seems that POST data *is* only parsed when
REQUEST_METHOD=POST, so it may end up only being a single line patch)

Let us know if you plan on requesting a new feature.

Jaime Bozza


-Original Message-
From: [ rswfire ] [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, April 17, 2002 4:04 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] form posting to a fake page


No, the error handler does not have access to the posted data.  The problem
in a nutshell:

1. Person fills out form; clicks submit

2. Form action property is called; server notices the page is not real

(Data is lost here)

3. Error handler is called


Original Message Follows
From: Miguel Cruz <[EMAIL PROTECTED]>
To: "[ rswfire ]" <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED]
Subject: Re: [PHP] form posting to a fake page
Date: Wed, 17 Apr 2002 16:00:17 -0500 (CDT)

Your error handler would read them and then construct a redirect
containing the form data in querystring format.

miguel

On Wed, 17 Apr 2002, [ rswfire ] wrote:
 > $_POST[] variables do not exist on a redirected page; that's the problem!
 >
 > Original Message Follows
 > From: Miguel Cruz <[EMAIL PROTECTED]>
 > To: "[ rswfire ]" <[EMAIL PROTECTED]>
 > CC: [EMAIL PROTECTED]
 > Subject: Re: [PHP] form posting to a fake page
 > Date: Wed, 17 Apr 2002 15:56:32 -0500 (CDT)
 >
 > On Wed, 17 Apr 2002, [ rswfire ] wrote:
 >  > It would still require some knowledge of the posted data.  If someone
 >  > clicks a submit button, and it is posting to a page that doesn't really
 >  > exist, then when the index.php file gets called as a 404 errordocument,
 >  > the posted variables are already lost, so it wouldn't be possible to
 >  > access the posted variables in any fashion.  The only possibility might
 >  > be if Apache had some way of dealing with this scenario and I am not
 >  > that familiar with how Apache works.  And so, that leaves me with the
 >  > only workaround I do know, post to a page that does exist!  It's just
 >  > not the ideal solution, but it works.
 >
 > Well, depending on the quantity of posted data, you could go through
 > $_POST[] and turn them into GET args and pass them along to the
 > appropriate page (not that I really understand what you're trying to do).
 >
 > miguel




Re: [PHP] Would this work? (mod_rewrite)

2002-04-17 Thread Miguel Cruz

On Wed, 17 Apr 2002, [ rswfire ] wrote:
> Assume I want *.domain.*/*.* to automatically call index.php (without the 
> user knowing and without any redirecting at all):
> 
> RewriteEngine  on
> RewriteBase  /
> RewriteRule  *.* index.php [R]
> 
> I don't know what in the world the [R] is, but it's in almost all of the 
> mod_rewrite examples...  :-)

RewriteRule * index.php

Don't use the [R] - that tells it to create an external redirect. It's 
used in many of the examples because in many real-world cases people are 
using rewrite rules to coax invalid URLs into valid ones, and this way 
there's at least some chance that the bad ones will get updated.

miguel
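
The internal rewrite discussed in this thread, as an added example that is not code from any poster: the rule is shown in the header comment, written with `^` because a bare `*` is not a valid regular expression, and the PHP front controller maps the requested path through an allow-list instead of using it as a file name. The page map, the `pages` directory and the helper names are assumptions made for illustration; `REDIRECT_REQUEST_METHOD` is the variable named in the ErrorDocument message in this thread.

```php
<?php
/*
 * Added example. Matching .htaccess (internal rewrite, no [R], so the
 * browser is not redirected and the POST body reaches this script):
 *
 *   RewriteEngine on
 *   RewriteBase   /
 *   RewriteCond   %{REQUEST_FILENAME} !-f
 *   RewriteRule   ^ index.php [L]
 *
 * "^" matches every request; a bare "*" has nothing to repeat and is
 * rejected as a regular expression. The RewriteCond leaves real files
 * (images, stylesheets, index.php itself) alone.
 */

// Hypothetical page map: request path => handler file under ./pages.
// Only these fixed names are ever included; the URL is never used as a path.
const PAGES = [
    '/'                 => 'home.php',
    '/technicians.html' => 'technicians.php',
];

/**
 * Work out what the client originally asked for.
 * When the script runs as an ErrorDocument, the thread reports that
 * REQUEST_METHOD becomes GET and the original method is kept in
 * REDIRECT_REQUEST_METHOD, so that variable is preferred when present.
 */
function effective_request(array $server): array
{
    $method = $server['REDIRECT_REQUEST_METHOD'] ?? $server['REQUEST_METHOD'] ?? 'GET';
    $path   = parse_url($server['REQUEST_URI'] ?? '/', PHP_URL_PATH);
    if (!is_string($path) || $path === '') {
        $path = '/';
    }
    return [strtoupper($method), $path];
}

/** Return the handler file for a path, or null if the path is not allowed. */
function resolve_page(string $path): ?string
{
    return PAGES[$path] ?? null;
}

function dispatch(array $server): void
{
    [$method, $path] = effective_request($server);

    if (!in_array($method, ['GET', 'HEAD', 'POST'], true)) {
        http_response_code(405);
        header('Allow: GET, HEAD, POST');
        return;
    }

    $handler = resolve_page($path);
    if ($handler === null) {
        http_response_code(404);
        echo 'Not found';
        return;
    }

    // $_POST is populated here because the rewrite was internal.
    require __DIR__ . '/pages/' . $handler;
}

if (PHP_SAPI !== 'cli') {
    dispatch($_SERVER);
}
```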






[PHP] sorry i forgot something

2002-04-17 Thread [ rswfire ]

*.domain.*/*.* AUTOMATICALLY goes to the root of my web (my isp set this up 
for me)





[PHP] Would this work? (mod_rewrite)

2002-04-17 Thread [ rswfire ]

Assume I want *.domain.*/*.* to automatically call index.php (without the 
user knowing and without any redirecting at all):

RewriteEngine  on
RewriteBase  /
RewriteRule  *.* index.php [R]

I don't know what in the world the [R] is, but it's in almost all of the 
mod_rewrite examples...  :-)





[PHP] verify file types when uploading to server...

2002-04-17 Thread jas

I am wondering if anyone has a good idea on how to do checking based on a
file's extension, what I am trying to accomplish is to be able to upload
files to a webserver however I only want to have .jpg files uploaded.  If
anyone has a good way to do this please share.
Thanks in advance,
Jas
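
One way to accept only JPEG uploads, as an added example that is not part of the original post: the extension is checked, but the decision rests on the file's content, because the client chooses the file name. The form field name `photo`, the size limit and the `uploads` directory are assumptions.

```php
<?php
// Added example. Assumed form field name: "photo"; assumed target: ./uploads

const MAX_BYTES = 2 * 1024 * 1024; // assumed size limit (2 MiB)

/**
 * Validate one entry of $_FILES and return an error string, or null if the
 * file is an acceptable JPEG.
 */
function jpeg_upload_error(array $file): ?string
{
    if (!isset($file['error'], $file['tmp_name'], $file['name'], $file['size'])
        || is_array($file['error'])) {
        return 'malformed upload';
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return 'upload failed with code ' . $file['error'];
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) {
        return 'file size not allowed';
    }
    // The file must really have arrived through an HTTP POST upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'not an uploaded file';
    }
    // Extension check: cheap, but the name is chosen by the client.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg'], true)) {
        return 'extension is not .jpg';
    }
    // Content check: getimagesize() reads the image header itself.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return 'content is not a JPEG image';
    }
    return null;
}

/**
 * Move a validated upload into $dir under a server-generated name.
 * Returns the stored file name, or null on failure.
 */
function store_jpeg(array $file, string $dir): ?string
{
    if (jpeg_upload_error($file) !== null) {
        return null;
    }
    // Never reuse the client's file name: it may contain path components
    // or misleading extra extensions.
    $name = bin2hex(random_bytes(16)) . '.jpg';
    return move_uploaded_file($file['tmp_name'], $dir . '/' . $name) ? $name : null;
}

if (PHP_SAPI !== 'cli' && isset($_FILES['photo'])) {
    $error = jpeg_upload_error($_FILES['photo']);
    if ($error !== null) {
        http_response_code(400);
        echo 'Rejected: ' . htmlspecialchars($error);
    } else {
        $stored = store_jpeg($_FILES['photo'], __DIR__ . '/uploads');
        echo $stored === null ? 'Could not store file' : 'Stored as ' . $stored;
    }
}
```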







Re: [PHP] form posting to a fake page (another idea)

2002-04-17 Thread [ rswfire ]


I'm really not good with the ereg stuff; I wouldn't even know where to 
start.  It's really quite simple what I need to have happen.

*.DOMAIN.COM/*.* needs to access /index.php

My network handles multiple domains/subdomains; so it's important it can 
work with them all.  Any ideas?


Original Message Follows
From: Miguel Cruz <[EMAIL PROTECTED]>
To: "[ rswfire ]" <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED]
Subject: Re: [PHP] form posting to a fake page (another idea)
Date: Wed, 17 Apr 2002 16:29:40 -0500 (CDT)

Have a look at http://httpd.apache.org/docs/misc/rewriteguide.html which
gives countless examples of using mod_rewrite rules for this sort of
thing.

You can direct all requests to a single page and then let that page sort
things out as it pleases.

These are processed internal to the server without redirects (unless you
want to use a redirect) and POST data is preserved.

miguel

On Wed, 17 Apr 2002, [ rswfire ] wrote:
 > I'm not trying to make the page redirect anywhere.  I'm trying to create the
 > illusion of there being many pages when there is only one doing all the
 > work.
 >
 > For example:
 >
 > http://hsdnetwork.swifte.net/technicians.html
 >
 > The page, technicians.html, does not really exist.  The server knows this
 > and so calls(redirects) the root index.php file.  Why must it redirect?  Why
 > can't Apache just substitute the index.php file without doing anything
 > else??  That's the real problem!  If it did that, the posted variables would
 > be available.
 >
 > If you click the submit button on this page, you will see what I have had to
 > do to get around this.  The action property is set to
 > "index.php?login=attempt&page=/technicians.html" when I would like the
 > action property to be "?login=attempt".
 >
 > This really shouldn't be so complicated!  :-)
 >
 >
 > Original Message Follows
 > From: Miguel Cruz <[EMAIL PROTECTED]>
 > To: "[ rswfire ]" <[EMAIL PROTECTED]>
 > CC: [EMAIL PROTECTED]
 > Subject: Re: [PHP] form posting to a fake page
 > Date: Wed, 17 Apr 2002 16:00:17 -0500 (CDT)
 >
 > Your error handler would read them and then construct a redirect
 > containing the form data in querystring format.
 >
 > miguel
 >
 > On Wed, 17 Apr 2002, [ rswfire ] wrote:
 >  > $_POST[] variables do not exist on a redirected page; that's the problem!
 >  >
 >  > Original Message Follows
 >  > From: Miguel Cruz <[EMAIL PROTECTED]>
 >  > To: "[ rswfire ]" <[EMAIL PROTECTED]>
 >  > CC: [EMAIL PROTECTED]
 >  > Subject: Re: [PHP] form posting to a fake page
 >  > Date: Wed, 17 Apr 2002 15:56:32 -0500 (CDT)
 >  >
 >  > On Wed, 17 Apr 2002, [ rswfire ] wrote:
 >  >  > It would still require some knowledge of the posted data.  If someone
 >  >  > clicks a submit button, and it is posting to a page that doesn't really
 >  >  > exist, then when the index.php file gets called as a 404 errordocument,
 >  >  > the posted variables are already lost, so it wouldn't be possible to
 >  >  > access the posted variables in any fashion.  The only possibility might
 >  >  > be if Apache had some way of dealing with this scenario and I am not
 >  >  > that familiar with how Apache works.  And so, that leaves me with the
 >  >  > only workaround I do know, post to a page that does exist!  It's just
 >  >  > not the ideal solution, but it works.
 >  >
 >  > Well, depending on the quantity of posted data, you could go through
 >  > $_POST[] and turn them into GET args and pass them along to the
 >  > appropriate page (not that I really understand what you're trying to do).
 >  >
 >  > miguel




Re: [PHP] form posting to a fake page

2002-04-17 Thread Erik Price


On Wednesday, April 17, 2002, at 04:57  PM, [ rswfire ] wrote:

> $_POST[] variables do not exist on a redirected page; that's the 
> problem!

They would exist if you were using a PHP script with header() to do your 
redirect rather than an Apache feature.  I think this is what Miguel, 
and myself earlier, was suggesting.


Erik






Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]






Re: [PHP] form posting to a fake page (another idea)

2002-04-17 Thread Miguel Cruz

Have a look at http://httpd.apache.org/docs/misc/rewriteguide.html which 
gives countless examples of using mod_rewrite rules for this sort of 
thing.

You can direct all requests to a single page and then let that page sort 
things out as it pleases.

These are processed internal to the server without redirects (unless you
want to use a redirect) and POST data is preserved.

miguel

On Wed, 17 Apr 2002, [ rswfire ] wrote:
> I'm not trying to make the page redirect anywhere.  I'm trying to create the 
> illusion of there being many pages when there is only one doing all the 
> work.
> 
> For example:
> 
> http://hsdnetwork.swifte.net/technicians.html
> 
> The page, technicians.html, does not really exist.  The server knows this 
> and so calls(redirects) the root index.php file.  Why must it redirect?  Why 
> can't Apache just substitute the index.php file without doing anything 
> else??  That's the real problem!  If it did that, the posted variables would 
> be available.
> 
> If you click the submit button on this page, you will see what I have had to 
> do to get around this.  The action property is set to 
> "index.php?login=attempt&page=/technicians.html" when I would like the 
> action property to be "?login=attempt".
> 
> This really shouldn't be so complicated!  :-)
> 
> 
> Original Message Follows
> From: Miguel Cruz <[EMAIL PROTECTED]>
> To: "[ rswfire ]" <[EMAIL PROTECTED]>
> CC: [EMAIL PROTECTED]
> Subject: Re: [PHP] form posting to a fake page
> Date: Wed, 17 Apr 2002 16:00:17 -0500 (CDT)
> 
> Your error handler would read them and then construct a redirect
> containing the form data in querystring format.
> 
> miguel
> 
> On Wed, 17 Apr 2002, [ rswfire ] wrote:
>  > $_POST[] variables do not exist on a redirected page; that's the problem!
>  >
>  > Original Message Follows
>  > From: Miguel Cruz <[EMAIL PROTECTED]>
>  > To: "[ rswfire ]" <[EMAIL PROTECTED]>
>  > CC: [EMAIL PROTECTED]
>  > Subject: Re: [PHP] form posting to a fake page
>  > Date: Wed, 17 Apr 2002 15:56:32 -0500 (CDT)
>  >
>  > On Wed, 17 Apr 2002, [ rswfire ] wrote:
>  >  > It would still require some knowledge of the posted data.  If someone
>  >  > clicks a submit button, and it is posting to a page that doesn't really
>  >  > exist, then when the index.php file gets called as a 404 errordocument,
>  >  > the posted variables are already lost, so it wouldn't be possible to
>  >  > access the posted variables in any fashion.  The only possibility might
>  >  > be if Apache had some way of dealing with this scenario and I am not
>  >  > that familiar with how Apache works.  And so, that leaves me with the
>  >  > only workaround I do know, post to a page that does exist!  It's just
>  >  > not the ideal solution, but it works.
>  >
>  > Well, depending on the quantity of posted data, you could go through
>  > $_POST[] and turn them into GET args and pass them along to the
>  > appropriate page (not that I really understand what you're trying to do).
>  >
>  > miguel




Re: [PHP] sessions protection

2002-04-17 Thread Erik Price


On Wednesday, April 17, 2002, at 04:40  PM, Vladislav Kulchitski wrote:

> Basically, let's say the cracker know that in my application I create a
> session variable named "auth_user" for valid users. Is there a way to
> hack into it if he knows this session variable name?
>
> Example:
>
> if ($action == 'edit_personalinformation_update')
>  {
>   if (!session_is_registered("auth_user"))
>  {
>   stop_unauthorized(); // defined function that prints an error message
>   return;
>  }
>  //SECURE OPERATIONS
>  }
>

Technically, your scheme should work fine.  Since you are not simply 
testing for the presence of that variable, but whether or not it is 
actually a session variable, the person must have a session ID that says 
that this session variable is in fact a session variable of theirs.  
This is difficult (not impossible) to achieve without having properly 
logged in, so you should be okay.

But, consider turning register_globals off.  You get a lot more 
security, and it works in this same fashion -- checks to make sure that 
the variable doesn't just exist, but is coming from the right source 
(superglobal array, actually).

BTW if you are using PHP 4.1.x, the manual suggests that you use

isset($_SESSION['auth_user'])

rather than session_is_registered().


Erik






Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]
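
The `$_SESSION` check recommended above, as an added example rather than code from the thread: authorization reads only session data, never a global that request input could populate, and the session ID is regenerated at login. The `auth_user` key and the action name come from the quoted code; `check_credentials()` and its constructed user table are hypothetical stand-ins for a real user store.

```php
<?php
// Added example; not the poster's application code.

/** Hypothetical credential check against a constructed, in-memory user table. */
function check_credentials(string $user, string $password): bool
{
    // Constructed sample data: one user whose password is "example-only".
    static $users = null;
    if ($users === null) {
        $users = ['vlad' => password_hash('example-only', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

/** Log a user in: new session ID first, then mark the session as authenticated. */
function login(string $user, string $password): bool
{
    if (!check_credentials($user, $password)) {
        return false;
    }
    // A fresh ID means an ID known before login is useless afterwards.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $_SESSION['auth_user'] = $user;
    return true;
}

/**
 * True only if the server-side session says the user is logged in.
 * $session is passed in so the function reads nothing but session data:
 * a request parameter named auth_user cannot influence the result.
 */
function is_authenticated(array $session): bool
{
    return isset($session['auth_user'])
        && is_string($session['auth_user'])
        && $session['auth_user'] !== '';
}

if (PHP_SAPI !== 'cli') {
    session_start([
        'cookie_httponly' => true,
        'cookie_samesite' => 'Lax',
        'use_strict_mode' => true,
    ]);

    $action = $_POST['action'] ?? '';
    if ($action === 'edit_personalinformation_update') {
        if (!is_authenticated($_SESSION)) {
            http_response_code(403);
            echo 'Not authorized';
            return;
        }
        // ... secure operations ...
    }
}
```

`session_is_registered()` was removed in PHP 5.4, so the `$_SESSION` form is the only one that still runs on current PHP.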






Re: [PHP] (MySql) INSERTing into MULTIPLE tables

2002-04-17 Thread Miguel Cruz

That's fine, but you don't need the intermediate select step. Just use 
mysql_insert_id() to get the value of userid. auto_increment values are 
guaranteed to be unique no matter how quickly you are inserting.

miguel

On Wed, 17 Apr 2002, Vladislav Kulchitski wrote:
> Hi, I was wondering if the way I am inserting into multiple tables is
> safe as far as when there are many simultaneous insertions at a given
> time.
> 
> Basically, there are two tables, first I insert into main table where
> there's username and password (and first/last name, email) and then I
> get the auto_number from that table for the record and insert that
> auto_number along with more info into secondary table with more info
> about the user.
> 
> 
> 
> $query4accounts="insert into accounts (username, password, fname, lname,
> email) values ('$username', password('$password'), '$fname_eng',
> '$lname_eng', '$email')";
> 
> $result=mysql_query($query4accounts) or die ("ERROR");
> 
> $getid=mysql_query("select * from accounts where username='$username'");
> 
> $tmp=mysql_fetch_array($getid);
> $userid=$tmp['userid'];
> 
> $query4gallery="insert into talkroom_gallery (userid, talkroom_active,
> sex, about_eng, livenow_eng, photograph, emailnopublic, homepage, icq,
> msn, aim, yahoo) values ('$userid', '$talkroom_active_variable', '$sex',
> '$about_eng', '$livenow_eng', '$photograph', '$nopublic', '$homepage',
> '$icq', '$msn', '$aim', '$yahoo')"; 
> 
> mysql_query($query4gallery) or die ("ERROR");
> 
> 
> Thanks in advance for feedback and possible alternatives.
> Vlad
> http://vladik.tripod.com
> 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
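
The two-table insert using the generated key directly, as an added example that is not the poster's code: it uses PDO prepared statements and `lastInsertId()` in place of the `mysql_*` functions, wraps both inserts in a transaction, and stores a `password_hash()` value instead of MySQL's `password()`. Table and column names follow the quoted queries, trimmed to a few columns; the in-memory SQLite database is an assumption that lets the script run without a server.

```php
<?php
// Added example. Runs against in-memory SQLite so it needs no server;
// with MySQL only the DSN and the CREATE TABLE syntax change.

function make_schema(PDO $db): void
{
    $db->exec('CREATE TABLE accounts (
        userid   INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT NOT NULL UNIQUE,
        password TEXT NOT NULL,
        email    TEXT NOT NULL)');
    $db->exec('CREATE TABLE talkroom_gallery (
        userid    INTEGER NOT NULL REFERENCES accounts(userid),
        homepage  TEXT,
        about_eng TEXT)');
}

/**
 * Insert the account row and its gallery row as one unit.
 * Returns the new userid; throws PDOException if either insert fails,
 * in which case neither row is kept.
 */
function create_user(PDO $db, array $account, array $gallery): int
{
    $db->beginTransaction();
    try {
        $stmt = $db->prepare(
            'INSERT INTO accounts (username, password, email)
             VALUES (:username, :password, :email)'
        );
        $stmt->execute([
            ':username' => $account['username'],
            ':password' => password_hash($account['password'], PASSWORD_DEFAULT),
            ':email'    => $account['email'],
        ]);

        // Per-connection value: concurrent inserts by other clients
        // cannot change what this returns.
        $userid = (int) $db->lastInsertId();

        $stmt = $db->prepare(
            'INSERT INTO talkroom_gallery (userid, homepage, about_eng)
             VALUES (:userid, :homepage, :about_eng)'
        );
        $stmt->execute([
            ':userid'    => $userid,
            ':homepage'  => $gallery['homepage'],
            ':about_eng' => $gallery['about_eng'],
        ]);

        $db->commit();
        return $userid;
    } catch (PDOException $e) {
        $db->rollBack();
        throw $e;
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
make_schema($db);

// Constructed sample input, including a quote character that would break
// a query built by string interpolation.
$id = create_user(
    $db,
    ['username' => "o'brien", 'password' => 'example-only', 'email' => 'ob@example.test'],
    ['homepage' => 'http://example.test/', 'about_eng' => "It's a test"]
);
echo "new userid: $id\n";
```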




Re: [PHP] form posting to a fake page

2002-04-17 Thread Miguel Cruz

Gotcha. My bad. Sounds like you're in for a long night's adventure with 
mod_rewrite.

miguel

On Wed, 17 Apr 2002, [ rswfire ] wrote:

> No, the error handler does not have access to the posted data.  The problem 
> in a nutshell:
> 
> 1. Person fills out form; clicks submit
> 
> 2. Form action property is called; server notices the page is not real
> 
> (Data is lost here)
> 
> 3. Error handler is called
> 
> 
> Original Message Follows
> From: Miguel Cruz <[EMAIL PROTECTED]>
> To: "[ rswfire ]" <[EMAIL PROTECTED]>
> CC: [EMAIL PROTECTED]
> Subject: Re: [PHP] form posting to a fake page
> Date: Wed, 17 Apr 2002 16:00:17 -0500 (CDT)
> 
> Your error handler would read them and then construct a redirect
> containing the form data in querystring format.
> 
> miguel
> 
> On Wed, 17 Apr 2002, [ rswfire ] wrote:
>  > $_POST[] variables do not exist on a redirected page; that's the problem!
>  >
>  > Original Message Follows
>  > From: Miguel Cruz <[EMAIL PROTECTED]>
>  > To: "[ rswfire ]" <[EMAIL PROTECTED]>
>  > CC: [EMAIL PROTECTED]
>  > Subject: Re: [PHP] form posting to a fake page
>  > Date: Wed, 17 Apr 2002 15:56:32 -0500 (CDT)
>  >
>  > On Wed, 17 Apr 2002, [ rswfire ] wrote:
>  >  > It would still require some knowledge of the posted data.  If someone
>  >  > clicks a submit button, and it is posting to a page that doesn't really
>  >  > exist, then when the index.php file gets called as a 404 errordocument,
>  >  > the posted variables are already lost, so it wouldn't be possible to
>  >  > access the posted variables in any fashion.  The only possibility might
>  >  > be if Apache had some way of dealing with this scenario and I am not
>  >  > that familiar with how Apache works.  And so, that leaves me with the
>  >  > only workaround I do know, post to a page that does exist!  It's just
>  >  > not the ideal solution, but it works.
>  >
>  > Well, depending on the quantity of posted data, you could go through
>  > $_POST[] and turn them into GET args and pass them along to the
>  > appropriate page (not that I really understand what you're trying to do).
>  >
>  > miguel




Re: [PHP] form posting to a fake page (another idea)

2002-04-17 Thread [ rswfire ]

I'm not trying to make the page redirect anywhere.  I'm trying to create the 
illusion of there being many pages when there is only one doing all the 
work.

For example:

http://hsdnetwork.swifte.net/technicians.html

The page, technicians.html, does not really exist.  The server knows this 
and so calls(redirects) the root index.php file.  Why must it redirect?  Why 
can't Apache just substitute the index.php file without doing anything 
else??  That's the real problem!  If it did that, the posted variables would 
be available.

If you click the submit button on this page, you will see what I have had to 
do to get around this.  The action property is set to 
"index.php?login=attempt&page=/technicians.html" when I would like the 
action property to be "?login=attempt".

This really shouldn't be so complicated!  :-)


Original Message Follows
From: Miguel Cruz <[EMAIL PROTECTED]>
To: "[ rswfire ]" <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED]
Subject: Re: [PHP] form posting to a fake page
Date: Wed, 17 Apr 2002 16:00:17 -0500 (CDT)

Your error handler would read them and then construct a redirect
containing the form data in querystring format.

miguel

On Wed, 17 Apr 2002, [ rswfire ] wrote:
 > $_POST[] variables do not exist on a redirected page; that's the problem!
 >
 > Original Message Follows
 > From: Miguel Cruz <[EMAIL PROTECTED]>
 > To: "[ rswfire ]" <[EMAIL PROTECTED]>
 > CC: [EMAIL PROTECTED]
 > Subject: Re: [PHP] form posting to a fake page
 > Date: Wed, 17 Apr 2002 15:56:32 -0500 (CDT)
 >
 > On Wed, 17 Apr 2002, [ rswfire ] wrote:
 >  > It would still require some knowledge of the posted data.  If someone clicks
 >  > a submit button, and it is posting to a page that doesn't really exist, then
 >  > when the index.php file gets called as a 404 errordocument, the posted
 >  > variables are already lost, so it wouldn't be possible to access the posted
 >  > variables in any fashion.  The only possibility might be if Apache had some
 >  > way of dealing with this scenario and I am not that familiar with how Apache
 >  > works.  And so, that leaves me with the only workaround I do know, post to a
 >  > page that does exist!  It's just not the ideal solution, but it works.
 >
 > Well, depending on the quantity of posted data, you could go through
 > $_POST[] and turn them into GET args and pass them along to the
 > appropriate page (not that I really understand what you're trying to do).
 >
 > miguel




Re: [PHP] file delete...

2002-04-17 Thread Rasmus Lerdorf

Did you check the manual?  Like php.net/delete perhaps which tells you the
PHP function that does this is actually called unlink().

-Rasmus

On Wed, 17 Apr 2002, jas wrote:

> How can I delete a file in php?
> thanks in advance,
> Jas




Re: [PHP] form posting to a fake page

2002-04-17 Thread hugh danaher

You could try the following but I don't know if it would work on your set
up.

1. have the form go to a php page that has no output to the screen.
2. store the input info in a database or file.
3. use a header("location: index.php") to go to your website index page.
4. use php on your index.php page to pick up the data from the database and
display it.

Hope this helps,
Hugh

- Original Message -
From: "[ rswfire ]" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, April 17, 2002 2:03 PM
Subject: Re: [PHP] form posting to a fake page


> No, the error handler does not have access to the posted data.  The problem
> in a nutshell:
>
> 1. Person fills out form; clicks submit
>
> 2. Form action property is called; server notices the page is not real
>
> (Data is lost here)
>
> 3. Error handler is called
>
>
> Original Message Follows
> From: Miguel Cruz <[EMAIL PROTECTED]>
> To: "[ rswfire ]" <[EMAIL PROTECTED]>
> CC: [EMAIL PROTECTED]
> Subject: Re: [PHP] form posting to a fake page
> Date: Wed, 17 Apr 2002 16:00:17 -0500 (CDT)
>
> Your error handler would read them and then construct a redirect
> containing the form data in querystring format.
>
> miguel
>
> On Wed, 17 Apr 2002, [ rswfire ] wrote:
>  > $_POST[] variables do not exist on a redirected page; that's the problem!
>  >
>  > Original Message Follows
>  > From: Miguel Cruz <[EMAIL PROTECTED]>
>  > To: "[ rswfire ]" <[EMAIL PROTECTED]>
>  > CC: [EMAIL PROTECTED]
>  > Subject: Re: [PHP] form posting to a fake page
>  > Date: Wed, 17 Apr 2002 15:56:32 -0500 (CDT)
>  >
>  > On Wed, 17 Apr 2002, [ rswfire ] wrote:
>  >  > It would still require some knowledge of the posted data.  If someone clicks
>  >  > a submit button, and it is posting to a page that doesn't really exist, then
>  >  > when the index.php file gets called as a 404 errordocument, the posted
>  >  > variables are already lost, so it wouldn't be possible to access the posted
>  >  > variables in any fashion.  The only possibility might be if Apache had some
>  >  > way of dealing with this scenario and I am not that familiar with how Apache
>  >  > works.  And so, that leaves me with the only workaround I do know, post to a
>  >  > page that does exist!  It's just not the ideal solution, but it works.
>  >
>  > Well, depending on the quantity of posted data, you could go through
>  > $_POST[] and turn them into GET args and pass them along to the
>  > appropriate page (not that I really understand what you're trying to do).
>  >
>  > miguel




RE: [PHP] file delete...

2002-04-17 Thread Lars Torben Wilson

On Wed, 2002-04-17 at 13:12, Leotta, Natalie (NCI/IMS) wrote:
> According to this, you should actually use unlink, but delete is available.
> 
> http://www.php.net/manual/en/function.delete.php
> 
> -Natalie

That's not actually what the page says...;)

> -Original Message-
> From: jas [mailto:[EMAIL PROTECTED]] 
> Sent: Wednesday, April 17, 2002 4:08 AM
> To: [EMAIL PROTECTED]
> Subject: [PHP] file delete...
> 
> 
> How can I delete a file in php?
> thanks in advance,
> Jas

-- 
 Torben Wilson <[EMAIL PROTECTED]>
 http://www.thebuttlesschaps.com
 http://www.hybrid17.com
 http://www.inflatableeye.com
 +1.604.709.0506






Re: [PHP] form posting to a fake page

2002-04-17 Thread [ rswfire ]

No, the error handler does not have access to the posted data.  The problem 
in a nutshell:

1. Person fills out form; clicks submit

2. Form action property is called; server notices the page is not real

(Data is lost here)

3. Error handler is called


Original Message Follows
From: Miguel Cruz <[EMAIL PROTECTED]>
To: "[ rswfire ]" <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED]
Subject: Re: [PHP] form posting to a fake page
Date: Wed, 17 Apr 2002 16:00:17 -0500 (CDT)

Your error handler would read them and then construct a redirect
containing the form data in querystring format.

miguel

On Wed, 17 Apr 2002, [ rswfire ] wrote:
 > $_POST[] variables do not exist on a redirected page; that's the problem!
 >
 > Original Message Follows
 > From: Miguel Cruz <[EMAIL PROTECTED]>
 > To: "[ rswfire ]" <[EMAIL PROTECTED]>
 > CC: [EMAIL PROTECTED]
 > Subject: Re: [PHP] form posting to a fake page
 > Date: Wed, 17 Apr 2002 15:56:32 -0500 (CDT)
 >
 > On Wed, 17 Apr 2002, [ rswfire ] wrote:
 >  > It would still require some knowledge of the posted data.  If someone clicks
 >  > a submit button, and it is posting to a page that doesn't really exist, then
 >  > when the index.php file gets called as a 404 errordocument, the posted
 >  > variables are already lost, so it wouldn't be possible to access the posted
 >  > variables in any fashion.  The only possibility might be if Apache had some
 >  > way of dealing with this scenario and I am not that familiar with how Apache
 >  > works.  And so, that leaves me with the only workaround I do know, post to a
 >  > page that does exist!  It's just not the ideal solution, but it works.
 >
 > Well, depending on the quantity of posted data, you could go through
 > $_POST[] and turn them into GET args and pass them along to the
 > appropriate page (not that I really understand what you're trying to do).
 >
 > miguel




Re: [PHP] form posting to a fake page

2002-04-17 Thread Miguel Cruz

Your error handler would read them and then construct a redirect 
containing the form data in querystring format.

miguel

On Wed, 17 Apr 2002, [ rswfire ] wrote:
> $_POST[] variables do not exist on a redirected page; that's the problem!
> 
> Original Message Follows
> From: Miguel Cruz <[EMAIL PROTECTED]>
> To: "[ rswfire ]" <[EMAIL PROTECTED]>
> CC: [EMAIL PROTECTED]
> Subject: Re: [PHP] form posting to a fake page
> Date: Wed, 17 Apr 2002 15:56:32 -0500 (CDT)
> 
> On Wed, 17 Apr 2002, [ rswfire ] wrote:
>  > It would still require some knowledge of the posted data.  If someone clicks
>  > a submit button, and it is posting to a page that doesn't really exist, then
>  > when the index.php file gets called as a 404 errordocument, the posted
>  > variables are already lost, so it wouldn't be possible to access the posted
>  > variables in any fashion.  The only possibility might be if Apache had some
>  > way of dealing with this scenario and I am not that familiar with how Apache
>  > works.  And so, that leaves me with the only workaround I do know, post to a
>  > page that does exist!  It's just not the ideal solution, but it works.
> 
> Well, depending on the quantity of posted data, you could go through
> $_POST[] and turn them into GET args and pass them along to the
> appropriate page (not that I really understand what you're trying to do).
> 
> miguel




Re: [PHP] form posting to a fake page

2002-04-17 Thread [ rswfire ]

$_POST[] variables do not exist on a redirected page; that's the problem!

Original Message Follows
From: Miguel Cruz <[EMAIL PROTECTED]>
To: "[ rswfire ]" <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED]
Subject: Re: [PHP] form posting to a fake page
Date: Wed, 17 Apr 2002 15:56:32 -0500 (CDT)

On Wed, 17 Apr 2002, [ rswfire ] wrote:
 > It would still require some knowledge of the posted data.  If someone clicks
 > a submit button, and it is posting to a page that doesn't really exist, then
 > when the index.php file gets called as a 404 errordocument, the posted
 > variables are already lost, so it wouldn't be possible to access the posted
 > variables in any fashion.  The only possibility might be if Apache had some
 > way of dealing with this scenario and I am not that familiar with how Apache
 > works.  And so, that leaves me with the only workaround I do know, post to a
 > page that does exist!  It's just not the ideal solution, but it works.

Well, depending on the quantity of posted data, you could go through
$_POST[] and turn them into GET args and pass them along to the
appropriate page (not that I really understand what you're trying to do).

miguel









Re: [PHP] form posting to a fake page

2002-04-17 Thread Miguel Cruz

On Wed, 17 Apr 2002, [ rswfire ] wrote:
> It would still require some knowledge of the posted data.  If someone clicks 
> a submit button, and it is posting to a page that doesn't really exist, then 
> when the index.php file gets called as a 404 errordocument, the posted 
> variables are already lost, so it wouldn't be possible to access the posted 
> variables in any fashion.  The only possibility might be if Apache had some 
> way of dealing with this scenario and I am not that familiar with how Apache 
> works.  And so, that leaves me with the only workaround I do know, post to a 
> page that does exist!  It's just not the ideal solution, but it works.

Well, depending on the quantity of posted data, you could go through 
$_POST[] and turn them into GET args and pass them along to the 
appropriate page (not that I really understand what you're trying to do).

miguel






[PHP] sessions protection

2002-04-17 Thread Vladislav Kulchitski


Hi, can anyone advise about another issue that occurred to me.

Basically, let's say the cracker knows that in my application I create a
session variable named "auth_user" for valid users. Is there a way to
hack into it if he knows this session variable name?

Example:

if ($action == "edit_personalinformation_update")
 {
  // Refuse the action unless "auth_user" is registered in the session
  if (!session_is_registered("auth_user"))
   {
    stop_unauthorized(); // defined function that prints an error message
    return;
   }
  //SECURE OPERATIONS
 }









RE: [PHP] Global variable

2002-04-17 Thread Vladislav Kulchitski

The best way for this is to use sessions.

What you do is you check the identity and if it's valid you create a
session with name 'validuser' or whatever the name you want. Then any
secure operations/actions along the script you'll check for this session
name if it exists. I can demonstrate how I did this on my application.

Vlad

-Original Message-
From: Erich Kolb [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, April 17, 2002 4:07 PM
To: [EMAIL PROTECTED]
Subject: [PHP] Global variable

I have developed a simple login script.  Right now it will check a submitted
username and password and verify it against a database.  This part works
fairly well, however I want to know how to assign a variable that will pass
through to the next page(s) to do something like:

if verified == 1 then {display the page} else {display error message}

My apologies on the syntax of the above, but hopefully you will get the
idea.
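
Both the "sessions protection" question and the reply above gate secure operations on a session flag (`auth_user`, `validuser`). The following is an added example, not code from either poster, of that gate written against `$_SESSION`: the flag is held in server-side session storage and the browser carries only the session ID, so the check reads nothing from request input. The function names, the 30-minute idle limit and the cookie settings are assumptions; the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// Added example, not code from the thread; names and limits are assumptions.
declare(strict_types=1);

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
    ini_set('session.use_only_cookies', '1');  // never accept a session ID from the URL
    session_set_cookie_params([
        'httponly' => true,    // keep the ID away from page scripts
        'secure'   => true,    // assumes the site is served over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call only after the username and password were verified against the database.
function mark_authenticated(string $username): void
{
    session_regenerate_id(true);           // fresh ID: a pre-login ID becomes useless
    $_SESSION['auth_user'] = $username;    // stored server-side, never sent to the browser
    $_SESSION['auth_seen'] = time();
}

// Returns the logged-in user name, or null. Reads $_SESSION only, so a
// request parameter named auth_user cannot satisfy the check.
function current_user(int $maxIdleSeconds = 1800): ?string
{
    $user = $_SESSION['auth_user'] ?? null;
    $seen = $_SESSION['auth_seen'] ?? 0;
    if (!is_string($user) || $user === '' || !is_int($seen)
        || time() - $seen > $maxIdleSeconds) {
        return null;
    }
    $_SESSION['auth_seen'] = time();
    return $user;
}

start_secure_session();
if (($_POST['action'] ?? '') === 'edit_personalinformation_update') {
    if (current_user() === null) {
        http_response_code(403);
        exit('Not authorized');
    }
    // SECURE OPERATIONS
}
```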







Re: [PHP] mysql quickie..

2002-04-17 Thread Richard Emery

- Original Message -
From: Robert Cummings <[EMAIL PROTECTED]>
To: Richard Emery <[EMAIL PROTECTED]>
Cc: Kelly Meeks <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, April 17, 2002 1:49 PM
Subject: Re: [PHP] mysql quickie..


Richard Emery wrote:
>>
>> I've seen other responses to your request answer with some VERY UGLY methods
>> to get the last id.

> Hey my method wasn't ugly, perhaps not optimal, but definitely not ugly!
> So *ptht* ;)

ROFL...

