Re: [PHP] Possible hacker using php script to send e-mails?

2006-03-11 Thread Julius Hacker
Merlin wrote:
> Hi there,
>
> I am running PHP 4.x on a SuSE 9.x machine. There is a PHP script
> which resides on a webapp that is responsible for sending e-mail to
> myself in case of errors like db-errors or similar. Called error.php
> This script does include phpmailer and uses it to send the e-mails to me.
> Now I am receiving on the e-mail specified as TO: e-mails with a
> different subject than specified and different text?! All English text
> with weird sentences, must be a bot or so. How is this possible? The
> subject line is fixed and right after that the send command is
> executed. So no idea how they do it and how I can prevent it. It looks
> like this:
> $mail->Subject = 'Fehlerbericht';
> $mail->Send();
> How is it possible that they change this subject line? I checked the
> server log and each time an e-mail has been sent to me of that kind
> there is a log entry in the Apache log that says that this script has
> been executed. So the e-mails definitely come from that script?!
>
> Can anybody help?
>
> Regards, Merlin
>
Simply check whether the script using error.php is including it (I
think you include error.php, right?).
E.g. you can set a variable in your other script and check in
error.php whether the variable is set or not.
This way only your script can use error.php and nobody can abuse it :)

-- 
Regards
Julius Hacker

http://www.julius-hacker.de
[EMAIL PROTECTED]

OpenPGP-Key-ID: 0x4B4A486E

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
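Julius's suggestion above, as an added example that is not code from the thread: a marker that only the application's bootstrap defines, plus a second check that the requested script is not error.php itself. APP_BOOTSTRAPPED and the file layout are assumed names. Two caveats a practitioner would add: the more robust fix is to keep error.php and the phpmailer sources outside the document root so the web server cannot serve them at all, and a guard against direct requests does nothing when a legitimately included page feeds user-controlled data into a mail header, which is the case Manuel's replies in this thread address.

```php
<?php
// Added example, not code from the thread. Makes error.php refuse to run
// unless the application included it. APP_BOOTSTRAPPED and the file layout
// are assumed names; adapt them to the real front controller.

// --- in the application's entry script (e.g. index.php) -----------------
// define('APP_BOOTSTRAPPED', true);
// require __DIR__ . '/error.php';

// --- at the very top of error.php, before anything that can send mail ---

// 1. The script the web server was asked for is this very file.
$requestedDirectly = isset($_SERVER['SCRIPT_FILENAME'])
    && realpath($_SERVER['SCRIPT_FILENAME']) === realpath(__FILE__);

// 2. The marker that only the bootstrap defines is missing.
if ($requestedDirectly || !defined('APP_BOOTSTRAPPED')) {
    http_response_code(403);
    exit('Forbidden');
}

// ... phpmailer setup and $mail->Send() follow here ...
```

The constant check is the one to rely on; the SCRIPT_FILENAME comparison is defence in depth, since some FastCGI setups populate that variable from server configuration rather than from the request.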



Re: [PHP] PHP/CSS/Javascript question

2006-03-11 Thread Jesús Fernández
On 3/11/06, Paul Goepfert <[EMAIL PROTECTED]> wrote:
>
> Hi all,
>
> Is it possible to modify a table using JavaScript to control CSS
> visibility when the entire table is developed dynamically using PHP?


http://www.google.es/search?q=javascript+change+visibility&start=0&ie=utf-8&oe=utf-8&client=firefox&rls=org.mozilla:en-US:unofficial

It shows some good examples. Look at the first results.
I think PHP has nothing to do here, it just writes the table to HTML, but if
you write a good JS function and your PHP-generated HTML has ids, it should work fine.

Thanks,
> Paul
>


--
Esú - http://esu.proyectoanonimo.com
http://www.proyectoanonimo.com


Re: [PHP] Re: Possible hacker using php script to send e-mails?

2006-03-11 Thread Manuel Lemos
Hello,

on 03/11/2006 04:12 PM Rasmus Lerdorf said the following:
>>> I am running PHP 4.x on a SuSE 9.x machine. There is a PHP script
>>> which resides on a webapp that is responsible for sending e-mail to
>>> myself in case of errors like db-errors or similar. Called error.php
>>> This script does include phpmailer and uses it to send the e-mails to
>>> me.
>>> Now I am receiving on the e-mail specified as TO: e-mails with a
>>> different subject than specified and different text?! All English
>>> text with weird sentences, must be a bot or so. How is this possible?
>>> The subject line is fixed and right after that the send command is
>>> executed. So no idea how they do it and how I can prevent it. It
>>> looks like this:
>>> $mail->Subject = 'Fehlerbericht';
>>> $mail->Send();
>>> How is it possible that they change this subject line? I checked the
>>> server log and each time an e-mail has been sent to me of that kind
>>> there is a log entry in the Apache log that says that this script has
>>> been executed. So the e-mails definitely come from that script?!
>>
>> If you are setting message headers with untrusted values that may
>> contain line breaks, that is your problem. Line breaks make mail systems
>> interpret the next line as a new header. That header may be used to
>> inject new recipients, for instance using Bcc: .
>>
>> You can have line breaks in a header but you need to escape them properly
>> so they are interpreted as continuation lines rather than new headers.
> 
> That is only true for the additional_headers (4th) argument to the mail
> function.  That argument is specifically for doing free-form headers, so
> as long as you only use the to, subject and message arguments to the
> mail function you are safe.

That is what I said: sending headers with untrusted values. People have
to use the 4th argument to set, for instance, the From: header. This
From: header is often set to values taken from forms, the e-mail address
and name of the person that is trying to contact the site people. That
is usually where most PHP mail form abuses come from.

As I said, line breaks in the From: or other headers are not invalid.
Actually, line breaks should be used to comply with RFC recommendations
and not exceed the 78/998 line length limits. When these limits are
exceeded, messages may arrive corrupted.

The mail function is a better-than-nothing solution. It can still be
used, but to send RFC-compliant messages it is often necessary to
correctly format message contents. That is why I always recommend this
or another class that takes care of those (many) details:

http://www.phpclasses.org/mimemessage


-- 

Regards,
Manuel Lemos

Metastorage - Data object relational mapping layer generator
http://www.metastorage.net/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/




[PHP] PHP/CSS/Javascript question

2006-03-11 Thread Paul Goepfert
Hi all,

Is it possible to modify a table using JavaScript to control CSS
visibility when the entire table is developed dynamically using PHP?

Thanks,
Paul




Re: [PHP] recommendations for good breacrumbs script

2006-03-11 Thread Steve Edberg

At 3:35 PM -0500 3/11/06, Bruce Gilbert wrote:

> Hello,
>
> I am looking around for a good PHP breadcrumbs navigation script that
> would output a path based on file structure. For instance, if I had a
> folder called Portfolio and within that folder I had an index.php file
> and another file called Websites.php. When I was on the websites.php
> page, the breadcrumbs path would display Home >> Portfolio >> Websites
> and Home and Portfolio would be hyperlinks. I don't want the
> breadcrumbs to display a .php extension. I could of course hard code
> this, but would rather find an automated solution.
>
> Thanks in advance for any assistance!




I wrote this script quite a while ago (in PHP3.0, if I recall 
correctly); it could probably stand to be cleaned up, but it works OK.


You can tell it the URL path you'd like referenced as the top level 
of the trail, the default separator (in your case, '>>'), any 
extra attributes you want in your A HREF tag, and what file names it 
should ignore. By default, it ignores anything starting with index - 
eg index.php, index.html. It also replaces underscores with spaces in 
the current directory/filename, and uppercases the resulting words. 
Of course, you could remove/alter that functionality if you want.


Hope that email client linewraps don't muck it up too badly...

steve


<?php
function path_to_crumbtrail($TopLevel = '', $Separator = ' | ', $LinkAttr = '', $IgnoreName = 'index')
{
    // File names to drop from the trail, e.g. index, index.php, index.html
    $IgnoreNameRegEx = $IgnoreName ? '/' . preg_quote($IgnoreName, '/') . '[.]?[a-z]*$/i' : '';
    $CrumbBits       = array();
    $Crumbs          = '';
    $LinkAttrString  = '';
    $CurrPath        = $TopLevel;

    // Strip the top-level prefix and any leading/trailing slash from the script path
    $X = preg_replace('#^' . preg_quote($TopLevel, '#') . '#', '', $_SERVER['SCRIPT_NAME']);
    $X = preg_replace('#^/#', '', $X);
    $X = preg_replace('#/$#', '', $X);

    if ($IgnoreNameRegEx) {
        $X = preg_replace($IgnoreNameRegEx, '', $X);
    }
    $X = preg_replace('#/$#', '', $X);

    $PathBits = preg_split('#/#', $X);

    // Extra attributes for the <a> tag, given as an array or a preformatted string
    if (is_array($LinkAttr)) {
        foreach ($LinkAttr as $Att => $Val) {
            $LinkAttrString .= ' ' . $Att . '="' . htmlspecialchars($Val, ENT_QUOTES) . '"';
        }
    } elseif ($LinkAttr) {
        $LinkAttrString = ' ' . trim($LinkAttr);
    }

    $PathCount = count($PathBits);
    for ($i = 0; $i < $PathCount; $i++) {
        $ThisLevel = trim($PathBits[$i]);
        if ($ThisLevel) {
            $CurrPath .= '/' . $ThisLevel;
            // Drop the extension, turn underscores into spaces, capitalise the words
            $ThisLevel = preg_replace('/\..*$/U', '', $ThisLevel);
            $ThisLevel = ucwords(str_replace('_', ' ', $ThisLevel));

            // The last element is the current page: plain text, no link.
            // htmlspecialchars() keeps a path segment from breaking out of the markup.
            $CrumbBits[] = ($i == $PathCount - 1
                ? htmlspecialchars($ThisLevel)
                : '<a href="' . htmlspecialchars($CurrPath, ENT_QUOTES) . '"' . $LinkAttrString . '>'
                    . htmlspecialchars($ThisLevel) . '</a>');
        }
    }
    $Crumbs = implode($Separator, $CrumbBits);

    return $Crumbs;
}
?>

--
+--- my people are the people of the dessert, ---+
| Steve Edberghttp://pgfsun.ucdavis.edu/ |
| UC Davis Genome Center[EMAIL PROTECTED] |
| Bioinformatics programming/database/sysadmin (530)754-9127 |
+ said t e lawrence, picking up his fork +




[PHP] recommendations for good breacrumbs script

2006-03-11 Thread Bruce Gilbert
Hello,

I am looking around for a good PHP breadcrumbs navigation script that
would output a path based on file structure. For instance, if I had a
folder called Portfolio and within that folder I had an index.php file
and another file called Websites.php. When I was on the websites.php
page, the breadcrumbs path would display Home >> Portfolio >> Websites
and Home and Portfolio would be hyperlinks. I don't want the
breadcrumbs to display a .php extension. I could of course hard code
this, but would rather find an automated solution.

Thanks in advance for any assistance!

--
::Bruce::




Re: [PHP] Re: Possible hacker using php script to send e-mails?

2006-03-11 Thread Rasmus Lerdorf

Manuel Lemos wrote:

> Hello,
>
> on 03/11/2006 09:39 AM Merlin said the following:
>
>> I am running PHP 4.x on a SuSE 9.x machine. There is a PHP script which
>> resides on a webapp that is responsible for sending e-mail to myself in
>> case of errors like db-errors or similar. Called error.php
>> This script does include phpmailer and uses it to send the e-mails to me.
>> Now I am receiving on the e-mail specified as TO: e-mails with a
>> different subject than specified and different text?! All English text
>> with weird sentences, must be a bot or so. How is this possible? The
>> subject line is fixed and right after that the send command is
>> executed. So no idea how they do it and how I can prevent it. It looks
>> like this:
>> $mail->Subject = 'Fehlerbericht';
>> $mail->Send();
>> How is it possible that they change this subject line? I checked the
>> server log and each time an e-mail has been sent to me of that kind
>> there is a log entry in the Apache log that says that this script has
>> been executed. So the e-mails definitely come from that script?!
>
> If you are setting message headers with untrusted values that may
> contain line breaks, that is your problem. Line breaks make mail systems
> interpret the next line as a new header. That header may be used to
> inject new recipients, for instance using Bcc: .
>
> You can have line breaks in a header but you need to escape them properly
> so they are interpreted as continuation lines rather than new headers.

That is only true for the additional_headers (4th) argument to the mail
function. That argument is specifically for doing free-form headers, so
as long as you only use the to, subject and message arguments to the
mail function you are safe.


-Rasmus




[PHP] Re: Possible hacker using php script to send e-mails?

2006-03-11 Thread Manuel Lemos
Hello,

on 03/11/2006 09:39 AM Merlin said the following:
> I am running PHP 4.x on a SuSE 9.x machine. There is a PHP script which
> resides on a webapp that is responsible for sending e-mail to myself in
> case of errors like db-errors or similar. Called error.php
> This script does include phpmailer and uses it to send the e-mails to me.
> Now I am receiving on the e-mail specified as TO: e-mails with a
> different subject than specified and different text?! All English text
> with weird sentences, must be a bot or so. How is this possible? The
> subject line is fixed and right after that the send command is
> executed. So no idea how they do it and how I can prevent it. It looks
> like this:
> $mail->Subject = 'Fehlerbericht';
> $mail->Send();
> How is it possible that they change this subject line? I checked the
> server log and each time an e-mail has been sent to me of that kind
> there is a log entry in the Apache log that says that this script has
> been executed. So the e-mails definitely come from that script?!

If you are setting message headers with untrusted values that may
contain line breaks, that is your problem. Line breaks make mail systems
interpret the next line as a new header. That header may be used to
inject new recipients, for instance using Bcc: .

You can have line breaks in a header but you need to escape them properly
so they are interpreted as continuation lines rather than new headers.

You may want to take a look at this class that can encode header values
to make line breaks be interpreted as continuation lines, so they cannot
be abused by spammers:

http://www.phpclasses.org/mimemessage


-- 

Regards,
Manuel Lemos

Metastorage - Data object relational mapping layer generator
http://www.metastorage.net/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

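Manuel's two replies in this thread describe the mechanism: a bare CR or LF inside a header value ends that header and whatever follows is read as a new one (a Bcc: line is the classic payload), whereas CR LF followed by whitespace is only a folded continuation line, which is how long headers are legitimately kept under the 78/998 limits. The block below is an added example, not code from the thread or from the class Manuel links; it shows the injection with a constructed contact-form input and one way to close it in plain PHP when user-supplied values reach mail()'s additional_headers argument. The names, addresses, the payload and the helper functions are all constructed for illustration. Merlin's Subject is a literal, so whatever the bot controls enters his message through some other field of the same request; the check belongs on every user-controlled value that ends up in a header, To and Subject included.

```php
<?php
// Added example, not code from the thread. Demonstrates CR/LF header
// injection through a contact form's From: value and one way to stop it.
// Addresses, names and the payload below are constructed for illustration.

/** True if the value contains a bare line break, i.e. could start a new header. */
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

/** Validates an address for use in a header; throws on anything suspect. */
function header_safe_address(string $address): string
{
    $address = trim($address);
    if (has_header_injection($address)
        || filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('refusing unsafe address');
    }
    return $address;
}

/**
 * Encodes a display name so that it can only ever be one header value.
 * mb_encode_mimeheader() turns non-ASCII text into RFC 2047 encoded words
 * and, when they get long, folds them with CRLF + space, which mail systems
 * read as continuation lines, not as new headers. Raw CR/LF are rejected
 * outright rather than encoded: a name has no legitimate reason to hold them.
 */
function header_safe_name(string $name): string
{
    if (has_header_injection($name)) {
        throw new InvalidArgumentException('refusing unsafe display name');
    }
    return mb_encode_mimeheader($name, 'UTF-8', 'B', "\r\n");
}

/** Builds a single From: header line from validated parts. */
function build_from_header(string $name, string $address): string
{
    return 'From: ' . header_safe_name($name) . ' <' . header_safe_address($address) . '>';
}

// --- constructed form inputs ----------------------------------------------
$honest  = ['name' => 'Jane Doe', 'email' => 'jane@example.org'];
$spammer = [
    'name'  => 'Jane Doe',
    // the payload: a line break followed by a header the form never intended
    'email' => "jane@example.org\r\nBcc: victim1@example.net, victim2@example.net",
];

// Vulnerable pattern: untrusted values concatenated straight into headers.
// $vulnerableHeaders now carries a second line "Bcc: ..." that the MTA honours.
$vulnerableHeaders = 'From: ' . $spammer['name'] . ' <' . $spammer['email'] . ">\r\n";

// Hardened pattern: the same inputs go through the validators first.
echo build_from_header($honest['name'], $honest['email']), "\n";
try {
    build_from_header($spammer['name'], $spammer['email']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// Usage with mail(): the validated header goes into the 4th argument.
// mail('me@example.org', 'Fehlerbericht', $body, build_from_header($name, $email));
```

Rejecting rather than stripping the line breaks is deliberate: a stripped value silently turns an attack into a malformed but deliverable message, while a rejection surfaces the attempt in the application's own logs, which is where Merlin was looking for the cause.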



Re: [PHP] Re: Possible hacker using php script to send e-mails?

2006-03-11 Thread Anthony Ettinger
It's possible that they are including e-mail headers in the body.

On 3/11/06, João Cândido de Souza Neto <[EMAIL PROTECTED]> wrote:
>
> If possible, i like to see this script to try to know exactly wath's
> happen.
>
> Merlin wrote:
>
> > Hi there,
> >
> > I am running PHP 4.x on a SuSE 9.x machine. There is a PHP script which
> > resides on a webapp that is responsible for sending e-mail to myself in
> > case of errors like db-errors or similar. Called error.php
> > This script does include phpmailer and uses it to send the e-mails to me.
> > Now I am receiving on the e-mail specified as TO: e-mails with a
> > different subject than specified and different text?! All English text
> > with weird sentences, must be a bot or so. How is this possible? The
> > subject line is fixed and right after that the send command is
> > executed. So no idea how they do it and how I can prevent it. It looks
> > like this:
> > $mail->Subject = 'Fehlerbericht';
> > $mail->Send();
> > How is it possible that they change this subject line? I checked the
> > server log and each time an e-mail has been sent to me of that kind
> > there is a log entry in the Apache log that says that this script has
> > been executed. So the e-mails definitely come from that script?!
> >
> > Can anybody help?
> >
> > Regards, Merlin
>


--
Anthony Ettinger
Signature: http://chovy.dyndns.org/hcard.html


Re: [PHP] session register()

2006-03-11 Thread Satyam


- Original Message - 
From: "suresh kumar" <[EMAIL PROTECTED]>

To: "php" 
Sent: Saturday, March 11, 2006 4:51 PM
Subject: [PHP] session register()



> I am facing two problems in my project.
>
> 1) Whether I can store a variable as a session variable inside a
> JavaScript function.

You can echo code such as:

// json_encode() with the HEX flags keeps a value containing quotes or
// "</script>" from breaking out of the JavaScript string.
echo 'var sessionVariable = ', json_encode($_SESSION['thisVariable'], JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT), ';';

> 2) Is there any function available to calculate the idle time of a user?

Not that I know of, and probably there won't be anyway, since that is knowing
things about the user that is not your business to know.


Satyam


> I am waiting for a reply from you.






[PHP] session register()

2006-03-11 Thread suresh kumar
I am facing two problems in my project.

1) Whether I can store a variable as a session variable inside a JavaScript function.

2) Is there any function available to calculate the idle time of a user?

I am waiting for a reply from you.



[PHP] Why Session can't be timed out!

2006-03-11 Thread 王 振江
Excuse me, when I develop a PHP program on Linux FC3, I want the lifetime
of the session to be 20 minutes, so I do the following things in the php.ini file:

1. change session.gc_maxlifetime = 1200
2. change session.gc_probability = 100
3. change session.use_cookies = 0
4. restart the Apache server

And it does work happily. How can I troubleshoot this problem?



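Both the idle-time question in the "session register()" thread and the 20-minute timeout attempted above through php.ini come down to the same point: PHP has no built-in idle-time function, and session.gc_maxlifetime is only the age after which the garbage collector may delete a session, run with probability session.gc_probability/session.gc_divisor, so it is not a hard expiry. The usual approach is to enforce the limit in the application. The block below is an added example, not code from either thread; IDLE_LIMIT_SECONDS and the 'last_activity' key are assumed names and the demonstration timestamps are constructed. One caveat on setting 3 above: with session.use_cookies off the session id has to travel in URLs or form fields, where it leaks through Referer headers and access logs, so keep cookies on.

```php
<?php
// Added example, not code from either thread. Enforces a session idle
// timeout in the application itself instead of relying on
// session.gc_maxlifetime, which only tells the garbage collector when a
// session *may* be removed. IDLE_LIMIT_SECONDS and 'last_activity' are
// assumed names.

const IDLE_LIMIT_SECONDS = 1200;   // the 20 minutes asked for above

/**
 * Seconds since the last request that touched this session, or null when
 * the session has not been seen before (or was cleared).
 */
function session_idle_seconds(array $session, int $now): ?int
{
    if (!isset($session['last_activity'])) {
        return null;
    }
    return $now - (int) $session['last_activity'];
}

/**
 * Applies the idle limit to a session array and refreshes its activity
 * stamp. Returns false (and empties the array) when the session expired.
 * Works on a plain array so the logic can be exercised without a real session.
 */
function enforce_idle_limit(array &$session, int $now, int $limit = IDLE_LIMIT_SECONDS): bool
{
    $idle = session_idle_seconds($session, $now);
    if ($idle !== null && $idle > $limit) {
        $session = [];              // drop server-side state: a replayed id finds nothing
        return false;
    }
    $session['last_activity'] = $now;
    return true;
}

// Wiring for a real request; runs once per page, before any other session use.
if (PHP_SAPI !== 'cli') {
    session_start();
    if (!enforce_idle_limit($_SESSION, time())) {
        session_regenerate_id(true);   // fresh id for the now-anonymous session, old data deleted
        // redirect to the login page here
    }
}

// Constructed walk-through with fake timestamps (no real session involved):
$demo = ['user' => 'alice', 'last_activity' => 1000000];
$stillValid = enforce_idle_limit($demo, 1000000 + 600);            // 10 min idle: kept, stamp refreshed
$expired    = !enforce_idle_limit($demo, 1000000 + 600 + 1201);    // 20 min 1 s idle: expired, $demo emptied
```

Keep session.gc_maxlifetime at or above the application limit so the garbage collector does not remove sessions earlier than the code expects; on a shared session.save_path the lowest gc_maxlifetime of any application using that directory is the one that wins.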



[PHP] Re: Possible hacker using php script to send e-mails?

2006-03-11 Thread João Cândido de Souza Neto
If possible, I'd like to see this script to try to understand exactly what's happening.

Merlin wrote:

> Hi there,
> 
> I am running PHP 4.x on a SuSE 9.x machine. There is a PHP script which
> resides on a webapp that is responsible for sending e-mail to myself in
> case of errors like db-errors or similar. Called error.php
> This script does include phpmailer and uses it to send the e-mails to me.
> Now I am receiving on the e-mail specified as TO: e-mails with a
> different subject than specified and different text?! All English text
> with weird sentences, must be a bot or so. How is this possible? The
> subject line is fixed and right after that the send command is
> executed. So no idea how they do it and how I can prevent it. It looks
> like this:
> $mail->Subject = 'Fehlerbericht';
> $mail->Send();
> How is it possible that they change this subject line? I checked the
> server log and each time an e-mail has been sent to me of that kind
> there is a log entry in the Apache log that says that this script has
> been executed. So the e-mails definitely come from that script?!
> 
> Can anybody help?
> 
> Regards, Merlin




Re: [PHP] equivalent of perl's ithread

2006-03-11 Thread Miles Thompson

At 06:33 AM 3/11/2006, Khai wrote:

> As of Perl 5.6, Perl has a concept of interpreter threads (called
> ithreads). Basically, any variable that you want to be shared across
> threads, you have to explicitly share it. This applies not only to regular
> variables, but also to super global variables such as $_, making it
> easy to write thread-safe modules in Perl.
>
> Does PHP have an equivalent concept? If I am developing PHP pages that are
> to be run under the Apache 2 threaded worker MPM, can I use the $_SERVER variable?
>
> Thanks
> Khai


Check the archives for thread safety and running PHP under Apache 2. The 
URL is:

http://marc.theaimsgroup.com/?l=php-general&r=1&w=2
My information may be out of date, but the last I read was that PHP itself 
was OK, but some modules were not thread-safe.


Regards - Miles







[PHP] Possible hacker using php script to send e-mails?

2006-03-11 Thread Merlin

Hi there,

I am running PHP 4.x on a SuSE 9.x machine. There is a PHP script which resides
on a webapp that is responsible for sending e-mail to myself in case of errors
like db-errors or similar. Called error.php

This script does include phpmailer and uses it to send the e-mails to me.
Now I am receiving on the e-mail specified as TO: e-mails with a different subject
than specified and different text?! All English text with weird sentences, must
be a bot or so. How is this possible? The subject line is fixed and right after
that the send command is executed. So no idea how they do it and how I can prevent
it. It looks like this:

$mail->Subject = 'Fehlerbericht';
$mail->Send();

How is it possible that they change this subject line? I checked the server log
and each time an e-mail has been sent to me of that kind there is a log entry in
the Apache log that says that this script has been executed. So the e-mails
definitely come from that script?!


Can anybody help?

Regards, Merlin




Re: [PHP] database connection pool

2006-03-11 Thread Miles Thompson

At 06:17 AM 3/11/2006, Khai wrote:

> Hello,
>
> My name is Khai. I am new to PHP. I am well versed with mod_perl and
> Apache. With mod_perl, I can use Apache::DBI to cache database
> connections. Is there a module for PHP that does the same thing?
>
> Thank you,
>
> Khai



Do you mean persistent connections?

That depends on the database and the functions provided for it in PHP. 
Check the connection function(s) in the manual for the database you use.


Regards - Miles Thompson 







[PHP] equivalent of perl's ithread

2006-03-11 Thread Khai
As of Perl 5.6, Perl has a concept of interpreter threads (called
ithreads). Basically, any variable that you want to be shared across
threads, you have to explicitly share it. This applies not only to
regular variables, but also to super global variables such as $_,
making it easy to write thread-safe modules in Perl.


Does PHP have an equivalent concept? If I am developing PHP pages that
are to be run under the Apache 2 threaded worker MPM, can I use the $_SERVER
variable?


Thanks
Khai




[PHP] database connection pool

2006-03-11 Thread Khai

Hello,

My name is Khai.  I am new to PHP.  I am well versed with mod_perl and 
apache.  With mod_perl, I can use Apache::DBI to cache database 
connections.  Is there a module for PHP that does the same thing ?


Thank you,

Khai
