php-general Digest 23 Jan 2008 13:54:36 -0000 Issue 5252

2008-01-23 Thread php-general-digest-help


Topics (messages 267879 through 267903):

Re: password hashing and crypt()
267879 by: Richard Lynch
267880 by: Chris
267885 by: Richard Lynch
267887 by: Chris
267894 by: Nathan Nobbe
267895 by: Robert Cummings

Re: including files outside of document root
267881 by: Richard Lynch

Re: Using mysql_real_escape_string without connecting to mysql
267882 by: Richard Lynch
267884 by: Dotan Cohen

Re: Posting Summary for Week Ending 18 January, 2008: [EMAIL PROTECTED]
267883 by: Richard Lynch
267897 by: Per Jessen

sessions/cookies
267886 by: nihilism machine
267890 by: Eric Butera
267892 by: Nathan Nobbe

Re: mssql and latin characters
267888 by: Eric Butera

Re: PHP SOAP Client formats
267889 by: Samisa Abeysinghe

Re: Upgrade to PHP5 and having issues with mysql
267891 by: Robert Cummings

Re: Tool for programmer team
267893 by: Nathan Nobbe

Re: Foreach
267896 by: Nathan Nobbe
267900 by: Eric Butera

successful compiled, but errors at use
267898 by: Andre Hübner

Re: Resetting drop-downlists in input-fields for texts
267899 by: Tor Vidvei

Re: Best Approach
267901 by: Al

Re: re-compiling PHP on Mac OS X
267902 by: mbneto

DOM API Namespaces - help?
267903 by: Nathan Rixham

Administrivia:

To subscribe to the digest, e-mail:
[EMAIL PROTECTED]

To unsubscribe from the digest, e-mail:
[EMAIL PROTECTED]

To post to the list, e-mail:
[EMAIL PROTECTED]


--
---BeginMessage---
On Sat, January 19, 2008 8:24 pm, Eric Butera wrote:
 I always make sure that I use a site specific salt which is just
 appended on the user supplied value.  I started doing that when I read
 that people had created huge databases of hashed values that they can
 just search on.  At least this way no matter what the password isn't a
 dictionary word.  As for if that really adds value in the end I can't
 say as I'm not really a security expert.

 Eg. hash('sha256', $input.$salt);

The Bad Guys create humongous databases of every dictionary word with
every possible salt...  So what salt you use does not matter...

So I don't think you are really adding any extra security here...

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?
---End Message---
---BeginMessage---

Richard Lynch wrote:

On Sat, January 19, 2008 8:24 pm, Eric Butera wrote:

I always make sure that I use a site specific salt which is just
appended on the user supplied value.  I started doing that when I read
that people had created huge databases of hashed values that they can
just search on.  At least this way no matter what the password isn't a
dictionary word.  As for if that really adds value in the end I can't
say as I'm not really a security expert.

Eg. hash('sha256', $input.$salt);


The Bad Guys create humongous databases of every dictionary word with
every possible salt...  So what salt you use does not matter...


Sure it does. I could use my server name or the application's url, the 
current time, whatever I like and put all of that in the salt. There's 
no way they'll have that in their dictionary.


As long as I store the salt I know how to compare it again later.

--
Postgresql  php tutorials
http://www.designmagick.com/
---End Message---
---BeginMessage---


On Tue, January 22, 2008 7:43 pm, Chris wrote:
 Richard Lynch wrote:
 On Sat, January 19, 2008 8:24 pm, Eric Butera wrote:
 I always make sure that I use a site specific salt which is just
 appended on the user supplied value.  I started doing that when I read
 that people had created huge databases of hashed values that they can
 just search on.  At least this way no matter what the password isn't a
 dictionary word.  As for if that really adds value in the end I can't
 say as I'm not really a security expert.

 Eg. hash('sha256', $input.$salt);

 The Bad Guys create humongous databases of every dictionary word with
 every possible salt...  So what salt you use does not matter...

 Sure it does. I could use my server name or the application's url, the
 current time, whatever I like and put all of that in the salt. There's
 no way they'll have that in their dictionary.

 As long as I store the salt I know how to compare it again later.

For the algorithms used by crypt(), the salt is IN the crypted value.

If the Bad Guy has the crypted value, they already have the salt.

They can maybe make a dictionary that is MUCH larger with every
possible salt, and do a simple comparison.

Or they can quickly write up a crypt()-based script that extracts the
salt and tries the Top 10,000 passwords for each.

Most Un*x systems come with /usr/share/dict/web2, 
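
The two schemes argued about above, side by side, as an added example that is not code from any of the posters. It contrasts Eric's single site-wide salt (hash('sha256', $input.$salt)) with the crypt()-style per-user salt that is written into the stored value itself, which is Richard's point that whoever holds the hash also holds the salt. It uses password_hash()/password_verify() (PHP 5.5 and later, so not available when the thread was written) as the modern crypt() front end; the site salt and password are constructed values.

```php
<?php
// Added example, not code from the thread. Contrasts one site-wide salt
// appended to every password with a random per-user salt that crypt()-style
// hashes embed in their own output. Needs PHP >= 5.5 for password_hash();
// $siteSalt and $password are constructed values.

// Site-wide salt: every account shares it, so two users with the same
// password produce the same stored value, and one precomputed table per
// site covers all of them once the salt is known.
function site_salt_hash(string $password, string $siteSalt): string {
    return hash('sha256', $password . $siteSalt);
}

// Per-user salt: password_hash() draws a fresh random salt on every call
// and writes it into the result, so equal passwords give different strings.
function per_user_hash(string $password): string {
    return password_hash($password, PASSWORD_BCRYPT);
}

// Verification needs no separately stored salt: it is parsed back out of
// the stored value, which is what crypt($password, $stored) does, with
// password_verify() adding a constant-time comparison on top.
function per_user_verify(string $password, string $stored): bool {
    return password_verify($password, $stored);
}

// The embedded salt made visible: a bcrypt string is "$2y$" + cost + "$" +
// 22 salt characters + 31 hash characters, so the first 29 characters are
// the parameters and salt that anyone holding the hash also holds.
function bcrypt_salt_prefix(string $stored): string {
    return substr($stored, 0, 29);
}

$siteSalt = 'constructed-site-salt';
$password = 'correct horse';

// Two accounts that chose the same password.
$siteA = site_salt_hash($password, $siteSalt);
$siteB = site_salt_hash($password, $siteSalt);
$userA = per_user_hash($password);
$userB = per_user_hash($password);

printf("site-wide salt, same password, same stored value: %s\n", var_export($siteA === $siteB, true));
printf("per-user salt, same password, same stored value:  %s\n", var_export($userA === $userB, true));
printf("params and salt readable from the stored value:   %s\n", bcrypt_salt_prefix($userA));
printf("verify correct password:                          %s\n", var_export(per_user_verify($password, $userA), true));
printf("verify wrong password:                            %s\n", var_export(per_user_verify('wrong', $userA), true));
// crypt() re-derives the hash using only the salt it reads from $userA.
printf("crypt() with the salt read from the hash:         %s\n", var_export(crypt($password, $userA) === $userA, true));
```

The per-user scheme does not stop an attacker who has the stored value from trying a password list against that one account, which is Richard's second point; what it removes is the one-table-fits-all precomputation, and the bcrypt cost parameter is what makes each guess expensive.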

[PHP] successful compiled, but errors at use

2008-01-23 Thread Andre Hübner
Hi List,

My situation is as follows. On SUSE 10.1 I use apache2 with php5 as a module and
php5 as CGI using mod_fcgid.
For some tests I also want to have a php4 as a second CGI.
I compiled with this configure line:

./configure --prefix=/usr/ --datadir=/usr/share/php/ --bindir=/usr/bin/ \
  --libdir=/usr/share/ --with-exec-dir=/usr/lib/php/bin/ \
  --with-config-file-path=/etc/php4Cgi \
  --with-config-file-scan-dir=/etc/php4-config \
  --enable-force-cgi-redirect --enable-memory-limit \
  --enable-sigchild --enable-track-vars --enable-trans-sid --with-mysql=no \
  --enable-bcmath --enable-calendar --enable-ctype \
  --enable-dbase --enable-exif --enable-filepro --enable-ftp \
  --enable-magic-quotes --enable-mbstr-enc-trans --enable-mbstring \
  --enable-shmop --enable-sysvsem --enable-sysvshm --enable-wddx --with-gettext \
  --with-gmp --with-mcrypt --with-mcal=/usr/ \
  --with-iconv --with-mcrypt --with-zlib --with-bz2 --with-openssl=/usr \
  --with-pear --with-pcre-regex --enable-suhosin \
  --with-config-file-path=/etc/php4Cgi --enable-discard-path --enable-fastcgi


Compiling etc. was successful. After make I renamed sapi/cgi/php to
php-4.4.8 and moved it to my location. In the Apache config I activated this
php-4.4.8 for some file extensions with AddHandler/Action.
The call itself seems to work, but I get an error from PHP itself if I want
to parse a phpinfo();

Warning: Unexpected character in input: '' (ASCII=27) state=1 in 
/folders/php-4.4.8 on line 3600

Warning: Unexpected character in input: '' (ASCII=8) state=1 in 
/folders/php-4.4.8 on line 3600

Warning: Unexpected character in input: '' (ASCII=3) state=1 in 
/folders/php-4.4.8 on line 3600

Warning: Unexpected character in input: ' in /folders/php-4.4.8 on line 3600

Warning: Unexpected character in input: ' in /folders/php-4.4.8 on line 3600

Warning: Unexpected character in input: ' in /folders/php-4.4.8 on line 3600

Parse error: syntax error, unexpected T_STRING in /folders/php-4.4.8 on line 
3600

But if I call this php-4.4.8 on the console I can parse my files successfully.
What goes wrong? I have no idea what I did not do correctly.
Can anybody help please?

Thanks
Andre


Re: [PHP] Resetting drop-downlists in input-fields for texts

2008-01-23 Thread Tor Vidvei
On Mon, 21 Jan 2008 17:23:34 +0100, Daniel Brown [EMAIL PROTECTED]  
wrote:



The only way I can think of that would allow you to do it is to
dynamically-name the fields in the form.  By doing so, AutoComplete
won't be able to recognize the fields, and you should be in good
shape.  In the example I'm sending, keep in mind that input should
still be sanitized properly, and it's by no means as a
copy-and-paste-for-production script.

<?php

session_start();

if (isset($_SESSION['target'], $_POST[$_SESSION['target']])) {
    /* This is just here for demonstration.
       Do your processing as you'd like with the
       POST data here.  There are two methods
       shown.  The fields were named with trailing
       square brackets, so they arrive in $_POST as
       one array under the dynamic field name. */
    $fields = $_POST[$_SESSION['target']];

    /* Method 1: for()
    for ($i = 0; $i < count($fields); $i++) {
        echo $fields[$i] . "<br />\n";
    }
    */

    /* Method 2: foreach()
       Again, this is only for demonstration purposes;
       the values are escaped before being echoed back. */
    foreach ($fields as $p => $v) {
        echo $p . ": " . htmlspecialchars($v) . "<br />\n";
    }
}

// Define the unique field name for the form, based on Epoch time.
$_SESSION['target'] = "field_" . time();

// Adding the brackets after the name will print properly
// in HTML to designate the POST fields as an array.
$html_field = $_SESSION['target'] . "[]";

?>

<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']); ?>">
Field 1: <input type="text" name="<?= $html_field; ?>" /><br />
Field 2: <input type="text" name="<?= $html_field; ?>" /><br />
Field 3: <input type="text" name="<?= $html_field; ?>" /><br />
<input type="submit" value="Post Now" />
</form>



Thanks a lot!

I have used the method with <form autocomplete="off"> as this method
works fine in the browsers I have tested: IE, FireFox and Opera.


If a more specific control over the autocomplete is needed, however, I  
think your method would provide an excellent solution.  In my current  
project: The autocomplete feature is useful as long as the user works with  
the same set of exercises, but disturbing when they start on a new set of  
exercises.  If an id that identifies the current set of exercises is given  
with the url like

http:/.../exercises.php?id=12345
this id could be used while constructing the field names according to your
method.  Then autocomplete would work as wanted.  I will put it on the
ToDo-list!


Regards,
Tor

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Foreach

2008-01-23 Thread Eric Butera
On Jan 23, 2008 12:58 AM, Nathan Nobbe [EMAIL PROTECTED] wrote:
 On Jan 18, 2008 5:24 PM, Richard Lynch [EMAIL PROTECTED] wrote:

  If you are trying to keep the names and orders in parallel you need
  to do something not unlike:

  while (list($key, $name) = each($names)){
    $order = $orders[$key];
    $query = "update whatever set order = $order where name = '$name'";
  }


 just as a mention; spl has a DualIterator class that would be perfect for
 this situation.  i hesitate to mention it though, since i've not found it
 in any php version.  it's there in the doc, but not in actual php; what a
 shame.
 http://www.php.net/~helly/php/ext/spl/classDualIterator.html

 i can only expect we'll see it in a subsequent version; that there is a
 reason it's not yet made it..

 -nathan


Maybe someday SPL will become part of the PHP manual too. ;)

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
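
An added example, not code from any of the posters, for the parallel-array update Richard sketches: it walks $names and $orders in lockstep with SPL's MultipleIterator (shipped since PHP 5.3; it covers the DualIterator use case Nathan was looking for) and runs the UPDATE as a prepared statement so neither value is ever spliced into the SQL text. The table, column names and sample rows are constructed (the column is called sort_order because "order" is a reserved word); an in-memory SQLite database via pdo_sqlite stands in for MySQL so the script runs stand-alone.

```php
<?php
// Added example, not code from the thread: lockstep iteration over two
// parallel arrays plus a prepared UPDATE. Table and rows are constructed;
// pdo_sqlite in-memory database stands in for MySQL.

function update_orders(PDO $db, array $names, array $orders): int {
    // MIT_NEED_ALL: iteration stops as soon as either array runs out, so a
    // length mismatch cannot silently pair a name with a missing order.
    // MIT_KEYS_ASSOC: each step yields ['name' => ..., 'order' => ...].
    $it = new MultipleIterator(MultipleIterator::MIT_NEED_ALL | MultipleIterator::MIT_KEYS_ASSOC);
    $it->attachIterator(new ArrayIterator($names),  'name');
    $it->attachIterator(new ArrayIterator($orders), 'order');

    // The values travel as bound parameters, never as part of the statement.
    $stmt = $db->prepare('UPDATE items SET sort_order = :order WHERE name = :name');
    $updated = 0;
    foreach ($it as $pair) {
        $stmt->execute([':order' => (int) $pair['order'], ':name' => $pair['name']]);
        $updated += $stmt->rowCount();
    }
    return $updated;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (name TEXT PRIMARY KEY, sort_order INTEGER)');

// Constructed sample rows; the quote in the last name needs no escaping
// because it is bound, not interpolated.
$insert = $db->prepare('INSERT INTO items (name, sort_order) VALUES (?, 0)');
foreach (['apple', 'pear', "o'brien"] as $n) {
    $insert->execute([$n]);
}

// Parallel arrays as in the thread: $orders[$key] belongs to $names[$key].
$names  = ['apple', 'pear', "o'brien"];
$orders = [3, 1, 2];

printf("%d rows updated\n", update_orders($db, $names, $orders));
foreach ($db->query('SELECT name, sort_order FROM items ORDER BY sort_order') as $row) {
    printf("%d  %s\n", $row['sort_order'], $row['name']);
}
```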



[PHP] Re: Best Approach

2008-01-23 Thread Al
PHP's error handler can be set up to automatically send emails. Send them to a 
dedicated mailbox and then check that mailbox every day.


Miguel Guirao wrote:

Hello fellow members of this list,

There is a couple of rutinary tasks that our servers (different platforms)
perform during the night. Early during the day, we have to check that every
task was performed correctly and without errors. Actually, we do this by
hand, going first to server A (AIX platform), and verifying that the error
logs files have a size of zero (0), which means that there were no errors to
report on the logs, verify that some files have been written to a specific
directory and so on. As I told you before, this is done by hand, many ls
commands, grep’s and more’s here and there!!

On the other hand, I have to do this on a another Windows 2003 server!!

So, I’m thinking on creating a web page on PHP that performs all this tasks
for me, and my fellow co-workers. But, all my experience with PHP is about
working with data on MySQL server, wrting files to a harddisk, sending
e-mails with or without attachments and so on.

Is PHP a correct approach to solve this tedious problem?? Can I access a
servers and get the results of a ls command for instance??

Best Regards,

__
Miguel Guirao Aguilera, Linux+, ITIL
Sistemas de Información
Informática R8 - TELCEL
Ext. 7540




--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
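
An added example, not code from either poster, that automates the morning round Miguel describes (each error log must be empty, each expected output file must exist and be fresh) and folds in Al's suggestion of a PHP error handler that reports problems instead of printing them. Every path is constructed under a temporary directory so the script runs stand-alone; in use, $spec would list the real log and output paths on each server and notify() would hand the findings to mail() rather than echo them.

```php
<?php
// Added example, not code from the thread. Checks nightly job results the
// way Miguel does by hand, and captures PHP's own warnings via an error
// handler as Al suggests. All files below are constructed fixtures.

$handlerReports = [];
// Anything PHP itself complains about during the check (unreadable path,
// permission problem) is collected for the report rather than displayed.
set_error_handler(function (int $errno, string $errstr, string $file, int $line) use (&$handlerReports): bool {
    $handlerReports[] = sprintf('php error %d: %s (%s:%d)', $errno, $errstr, $file, $line);
    return true;
});

// Returns a list of human-readable findings; an empty list means all clear.
function check_jobs(array $spec, int $now): array {
    $findings = [];
    foreach ($spec['error_logs'] as $log) {
        if (!is_file($log)) {
            $findings[] = "$log: missing, job may not have run";
        } elseif (filesize($log) !== 0) {
            $firstLine = strtok((string) file_get_contents($log), "\n");
            $findings[] = "$log: " . filesize($log) . " bytes of errors, first line: $firstLine";
        }
    }
    foreach ($spec['outputs'] as $out) {
        if (!is_file($out)) {
            $findings[] = "$out: not written";
        } elseif ($now - filemtime($out) > $spec['max_age']) {
            $findings[] = "$out: stale, last written " . date('Y-m-d H:i', filemtime($out));
        }
    }
    return $findings;
}

function notify(array $findings): void {
    if ($findings === []) {
        echo "nightly jobs: OK\n";
        return;
    }
    // In production: mail('ops@example.invalid', 'nightly jobs need attention', implode("\n", $findings));
    echo "nightly jobs: ATTENTION\n", implode("\n", $findings), "\n";
}

// Constructed fixture: one clean log, one log with an error, one missing
// log, one fresh output and one output that was not refreshed last night.
$dir = sys_get_temp_dir() . '/jobcheck_' . getmypid();
mkdir($dir, 0700);
file_put_contents("$dir/backup.err", '');
file_put_contents("$dir/export.err", "ERROR: export step 3 failed: disk full\n");
file_put_contents("$dir/export.csv", "id,total\n1,42\n");
file_put_contents("$dir/report.pdf", 'old');
touch("$dir/report.pdf", time() - 3 * 86400);

$spec = [
    'error_logs' => ["$dir/backup.err", "$dir/export.err", "$dir/nightly.err"],
    'outputs'    => ["$dir/export.csv", "$dir/report.pdf"],
    'max_age'    => 86400,   // seconds; an output older than a day counts as stale
];

notify(array_merge(check_jobs($spec, time()), $handlerReports));
```

For the AIX and Windows hosts the same function works if the log and output directories are mounted or copied to the machine running PHP; the script only needs read access to the files, not a shell on the remote server.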



Re: [PHP] re-compiling PHP on Mac OS X

2008-01-23 Thread mbneto
Hi,

I've checked all pages and downloaded the php5.2.5.release1.tar.gz (the
latest I found) but I get the same errors

httpd: Syntax error on line 484 of /private/etc/apache2/httpd.conf: Syntax
error on line 8 of /private/etc/apache2/other/entropy-php.conf: Cannot load
/usr/local/php5/libphp5.so into server: dlopen(/usr/local/php5/libphp5.so,
10): Symbol not found: _xmlTextReaderSchemaValidate\n  Referenced from:
/usr/local/php5/libphp5.so\n  Expected in: /usr/lib/libxml2.2.dylib\n

Does anyone have a working .dmg/.tar.gz for 10.5.1 Mac Intel with PDO/Mysql
working?

-thanks.

On Dec 17, 2007 1:23 PM, David Powers [EMAIL PROTECTED] wrote:

 Frank Arensmeier wrote:
  When you install PHP5 with the package from entropy.ch, the new PHP5
  will install under /usr/local/php5.

 The Mac package from entropy.ch is not compatible with Leopard (Mac OS X
 10.5). Marc Liyanage is working on a Leopard-compatible version. Check
 the forum on his site for the latest details. There's an extremely long
 thread about PHP on Leopard. A command line installation is somewhere
 around page 15 of the thread.

 --
 David Powers





[PHP] DOM API Namespaces - help?

2008-01-23 Thread Nathan Rixham

Help??

I need to get the namespaces from the root node of a DomDocument..

<?xml version="1.0" ?>
<chapter xmlns:xi="http://www.w3.org/2001/XInclude">
  <para>
    <xi:include href="book.xml">
    </xi:include>
  </para>
</chapter>

I know I can retrieve the namespaceUri from the xi:include node using
lookupNamespaceURI and ->prefix but I need to get it from where it's
defined in chapter


but assuming the above file is:
<?xml version="1.0" ?>
<chapter xmlns:xi="http://www.w3.org/2001/XInclude">
  <a />
</chapter>

how would one retrieve xmlns:xi="http://www.w3.org/2001/XInclude"

Thanks in advance!

Nathan

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
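
One way to read the declarations off the root element, as an added example that is not code from the thread: DOMXPath's namespace:: axis lists every namespace in scope on a node as DOMNameSpaceNode objects, whose nodeName is "xmlns:xi" and whose nodeValue is the URI, so querying it on documentElement returns exactly the xmlns:xi attribute asked about. The XML is the second sample from the question; declared_namespaces() is a name chosen here.

```php
<?php
// Added example, not code from the thread: list the namespace prefixes
// declared on the root element of a DOMDocument via the XPath namespace axis.

$xml = <<<'XML'
<?xml version="1.0" ?>
<chapter xmlns:xi="http://www.w3.org/2001/XInclude">
  <a />
</chapter>
XML;

// Returns ['xi' => 'http://www.w3.org/2001/XInclude', ...] for every prefix
// in scope on $element. The axis also reports the implicit "xml" prefix,
// which is bound by the XML spec rather than declared, so it is skipped.
function declared_namespaces(DOMElement $element): array {
    $xpath = new DOMXPath($element->ownerDocument);
    $result = [];
    foreach ($xpath->query('namespace::*', $element) as $ns) {
        // $ns is a DOMNameSpaceNode: nodeName "xmlns:xi", nodeValue the URI.
        if ($ns->prefix === 'xml') {
            continue;
        }
        $result[$ns->prefix] = $ns->nodeValue;
    }
    return $result;
}

$doc = new DOMDocument();
// LIBXML_NONET keeps the parser from fetching anything over the network
// (external DTDs, entities) while loading a document that came from outside.
$doc->loadXML($xml, LIBXML_NONET);

foreach (declared_namespaces($doc->documentElement) as $prefix => $uri) {
    printf("xmlns:%s=\"%s\"\n", $prefix, $uri);
}
```

Querying the axis on a descendant instead of documentElement gives the namespaces in scope there, which for the first sample in the question includes xi on the xi:include node even though it is declared two levels up.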



Re: [PHP] re-compiling PHP on Mac OS X

2008-01-23 Thread Greg Donald
On 1/23/08, mbneto [EMAIL PROTECTED] wrote:
 Hi,

 I've checked all pages and downloaded the php5.2.5.release1.tar.gz (the
 latest I found) but I get the same errors

 httpd: Syntax error on line 484 of /private/etc/apache2/httpd.conf: Syntax
 error on line 8 of /private/etc/apache2/other/entropy-php.conf: Cannot load
 /usr/local/php5/libphp5.so into server: dlopen(/usr/local/php5/libphp5.so,
 10): Symbol not found: _xmlTextReaderSchemaValidate\n  Referenced from:
 /usr/local/php5/libphp5.so\n  Expected in: /usr/lib/libxml2.2.dylib\n

 Does anyone have a working .dmg/.tar.gz for 10.5.1 Mac Intel with PDO/Mysql
 working?

Your existing Entropy PHP install is trying to load things your newly
compiled PHP doesn't have support for.  Either use Entropy or clean it
out completely so it doesn't mess with your new version.  Or a third
option, supply the missing dependencies Entropy wants.  You will find
most all of them in Macports.  `port search xml|grep lib` shows a lot
of results.

Here's how I built mine the day I blog'd it:

http://destiney.com/blog/php-4-5-macos-x


-- 
Greg Donald
http://destiney.com/




Re: [PHP] including files outside of document root

2008-01-23 Thread Jason Pruim


On Jan 22, 2008, at 3:57 PM, Jason Pruim wrote:


Hi everyone,

Been doing some reading on security and have decided that I should  
be storing my include files outside of the document root... Which I  
understand how to do it, but what I'm wondering, is say I write the  
Next Killer App (tm). How would I port that code easily off of my  
server and put it into a downloadable file for the millions of  
people who will download and run  the Next Killer App (tm)?


Err... That doesn't make it very clear...  Is there a program for  
Macintosh or Unix that I could use to grab all the source code from  
where ever I have it set? Or would I need to make my own? Or should  
I just quit being lazy and grab it myself? :)



Yes I know I'm answering my own post... :)

Thanks for all the suggestions that I received! It's helped me figure  
out some of the stuff, and now I just need a project to test some of  
the stuff with!


Oh, and for an IDE I discovered that Apple XCode works very well as a  
php editor and file management system. Looks like it will work  
perfectly!


I do have 2 questions though...

#1.	 When including files outside of the webroot do you need to  
specify the entire path? Like for me, that would be something like: / 
volumes/raider/webserver/includes/projectname/includeme.php or can I  
just stop at: /webserver/includes/projectname/includeme.php?


#2.	Anyone got any small programming jobs that I can hone my skills  
with? :) You know, the kind of projects that you gurus don't want to  
do because you're too busy writing the Next Killer App (tm) but would  
be perfect learning experience/easy way to put some cash in the  
pocket? :)



--

Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd ave
Holland, MI, 49424
www.raoset.com
[EMAIL PROTECTED]




Re: [PHP] including files outside of document root

2008-01-23 Thread Thijs Lensselink

Quoting Jason Pruim [EMAIL PROTECTED]:



On Jan 22, 2008, at 3:57 PM, Jason Pruim wrote:


Hi everyone,

Been doing some reading on security and have decided that I should   
be storing my include files outside of the document root... Which I  
 understand how to do it, but what I'm wondering, is say I write  
the  Next Killer App (tm). How would I port that code easily off of  
my  server and put it into a downloadable file for the millions of   
people who will download and run  the Next Killer App (tm)?


Err... That doesn't make it very clear...  Is there a program for   
Macintosh or Unix that I could use to grab all the source code from  
 where ever I have it set? Or would I need to make my own? Or  
should  I just quit being lazy and grab it myself? :)



Yes I know I'm answering my own post... :)

Thanks for all the suggestions that I received! It's helped me figure
out some of the stuff, and now I just need a project to test some of
the stuff with!

Oh, and for an IDE I discovered that Apple XCode works very well as a
php editor and file management system. Looks like it will work
perfectly!

I do have 2 questions though...

#1.  When including files outside of the webroot do you need to specify
the entire path? Like for me, that would be something like:
/volumes/raider/webserver/includes/projectname/includeme.php or can I
just stop at: /webserver/includes/projectname/includeme.php?


It depends.
If you set your include_path to /webserver/includes (outside your webroot)
then you can include the files like include 'projectname/includeme.php';

If the files are not in your include_path you either need to provide  
the full path, or set the include path in your application and go from  
there.




#2. Anyone got any small programming jobs that I can hone my skills
with? :) You know, the kind of projects that you gurus don't want to
do because you're too busy writing the Next Killer App (tm) but would
be perfect learning experience/easy way to put some cash in the pocket?
:)



Can't help you with this one :)




Re: [PHP] including files outside of document root

2008-01-23 Thread Zoltán Németh
On Wednesday, 2008-01-23 at 09:37, Jason Pruim wrote:
 On Jan 22, 2008, at 3:57 PM, Jason Pruim wrote:
 
  Hi everyone,
 
  Been doing some reading on security and have decided that I should  
  be storing my include files outside of the document root... Which I  
  understand how to do it, but what I'm wondering, is say I write the  
  Next Killer App (tm). How would I port that code easily off of my  
  server and put it into a downloadable file for the millions of  
  people who will download and run  the Next Killer App (tm)?
 
  Err... That doesn't make it very clear...  Is there a program for  
  Macintosh or Unix that I could use to grab all the source code from  
  where ever I have it set? Or would I need to make my own? Or should  
  I just quit being lazy and grab it myself? :)
 
 
 Yes I know I'm answering my own post... :)
 
 Thanks for all the suggestions that I received! It's helped me figure  
 out some of the stuff, and now I just need a project to test some of  
 the stuff with!
 
 Oh, and for an IDE I discovered that Apple XCode works very well as a  
 php editor and file management system. Looks like it will work  
 perfectly!
 
 I do have 2 questions though...
 
 #1.When including files outside of the webroot do you need to  
 specify the entire path? Like for me, that would be something like: / 
 volumes/raider/webserver/includes/projectname/includeme.php or can I  
 just stop at: /webserver/includes/projectname/includeme.php?

you need either full path, or put the directory in include_path in
php.ini

 
 #2.   Anyone got any small programming jobs that I can hone my skills  
 with? :) You know, the kind of projects that you gurus don't want to  
 do because you're too busy writing the Next Killer App (tm) but would  
 be perfect learning experience/easy way to put some cash in the  
 pocket? :)

as soon as I will have any jobs like that I'll email you :)

greets
Zoltán Németh

 
 
 --
 
 Jason Pruim
 Raoset Inc.
 Technology Manager
 MQC Specialist
 3251 132nd ave
 Holland, MI, 49424
 www.raoset.com
 [EMAIL PROTECTED]
 




Re: [PHP] including files outside of document root

2008-01-23 Thread Daniel Brown
On Jan 22, 2008 8:48 PM, Richard Lynch [EMAIL PROTECTED] wrote:
 On Tue, January 22, 2008 7:17 pm, Daniel Brown wrote:
  You may disagree with me on this here, Rich, but the way I do it
  is to have a single include_files.php file containing all of the files
  that need to be included as a whole, and a single configuration
  variable to set where those files are located.  I know that they don't
  all have to be included in that file, but I find it makes it easier,
  since I use all of them with every page load.

 Can I put that include_files.php outside the web-tree as well?

 Or is the rest of your application bypassing include_path to force it
 to be inside the web-tree?

Yes, the include_files.php file can be put anywhere.  I leave it
in the web tree, but it certainly doesn't have to be kept there.

  I also employ a function safe_include($filename) that uses a
  combination of file_exists($filename), is_file($filename), and
  is_readable($filename).  If the function fails, no PHP error message
  is output if the file can't be found, and the script doesn't
  necessarily halt.  If it's a critical file, instead a message is
  dispatched to my email, and a friendly message is placed on the site
  informing the user that a technical error has been encountered and
  will be repaired ASAP.

 This sounds nifty for your own clients, but I don't think it would
 work well for, say, BB or Cake or phpMyAdmin...

No, that's for proprietary, single-production systems, and the
systems won't be reused.

 I'm pretty sure the authors of those don't want an email from every
 broken install... :-)

You got that damn straight!  ;-)

-- 
/Dan

Daniel P. Brown
Senior Unix Geek and #1 Rated Year's Coolest Guy By Self Since
Nineteen-Seventy-[mumble].

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
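
An added example, not Daniel's actual safe_include() or anyone else's code from the thread, of the pattern the replies converge on: one absolute include directory outside the document root (Thijs's and Zoltán's full-path answer, set once as Daniel's single configuration value), every requested name resolved against it with realpath() and refused if it escapes the tree, is_file()/is_readable() checks before the include, and a critical failure logged for the operator while the visitor sees only a neutral message. INCLUDE_ROOT, resolve_include() and the fixture files are constructed here so the script runs stand-alone.

```php
<?php
// Added example, not code from the thread: include files from one directory
// outside the web root, with path containment and quiet failure. INCLUDE_ROOT
// and the fixture files are constructed under a temp directory.

// The single configuration value: absolute path of the include tree.
define('INCLUDE_ROOT', sys_get_temp_dir() . '/includes_' . getmypid());

// Resolves $name inside INCLUDE_ROOT. Returns null if the file is missing,
// not a regular file, unreadable, or would resolve outside the tree; realpath()
// canonicalises, so both "../" segments and symlinks pointing out are caught.
function resolve_include(string $name): ?string {
    $root = realpath(INCLUDE_ROOT);
    $path = realpath(INCLUDE_ROOT . '/' . $name);
    if ($root === false || $path === false) {
        return null;
    }
    if (strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;   // escaped the include tree
    }
    if (!is_file($path) || !is_readable($path)) {
        return null;
    }
    return $path;
}

// Includes $name if it resolves; otherwise returns false without a PHP
// warning. For a critical file the reason goes to the error log (or a
// mail() call) and the visitor gets a message that reveals no path.
function safe_include(string $name, bool $critical = false) {
    $path = resolve_include($name);
    if ($path === null) {
        if ($critical) {
            error_log("safe_include: critical file unavailable: $name");
            echo "A technical error has been encountered and will be repaired ASAP.\n";
        }
        return false;
    }
    return include $path;
}

// Constructed fixture: one file inside the tree, one just outside it.
mkdir(INCLUDE_ROOT . '/projectname', 0700, true);
file_put_contents(INCLUDE_ROOT . '/projectname/includeme.php', "<?php return 'included ok';\n");
$outside = sys_get_temp_dir() . '/outside_' . getmypid() . '.php';
file_put_contents($outside, "<?php return 'must never run';\n");

var_dump(safe_include('projectname/includeme.php'));          // the include's return value
var_dump(safe_include('../' . basename($outside)));            // refused: outside the tree
var_dump(safe_include('projectname/missing.php', true));       // logged, neutral message, false
```

Because INCLUDE_ROOT is absolute, the same code ships unchanged to the "millions of downloads" case: the installer sets one value, and nothing in the application depends on include_path or on where the web root happens to be.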



Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Jochem Maas

Dotan Cohen schreef:

On 23/01/2008, Richard Lynch [EMAIL PROTECTED] wrote:


On Tue, January 22, 2008 7:01 pm, Dotan Cohen wrote:

I have a file of my own functions that I include in many places. One
of them uses mysql_real_escape_string, however, it may be called in a
context that will or will not connect to a mysql server, and worse,
may already be connected. So I must avoid connecting. However, when I
run the script without connecting I get this error:

Don't do that?
:-)

Can the file really do anything useful without the DB?


The file defines some of my own functions, like these:

function clean_html ($dirty) {
    $dirty=strip_tags($dirty);
    $clean=htmlentities($dirty);
    return $clean;
}

function clean_mysql ($dirty) {
    $dirty=str_replace("--", "", $dirty);
    $dirty=str_replace(";", "", $dirty);
    $clean=mysql_real_escape_string($dirty);
    return $clean;
}


your functions mix 2 concepts - input filtering and output escaping,
they should be separate actions.



I use these functions in many places, so I simply put them all in a
file and include it in each page.


When there *IS* a connection, how do you access it?


mysql_fetch_array or mysql_result


Can't the file check somehow?


I suppose that it could, by checking the return of one of the two
functions above. Lucky for me, I always use UTF-8 so I won't get stuck
connecting with one encoding yet doing mysql_real_escape_string with
another, which would be a problem if I had to deal with multiple
encodings.

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?





Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Dotan Cohen
On 23/01/2008, Jochem Maas [EMAIL PROTECTED] wrote:
  The file defines some of my own functions, like these:
 
  function clean_html ($dirty) {
      $dirty=strip_tags($dirty);
      $clean=htmlentities($dirty);
      return $clean;
  }

  function clean_mysql ($dirty) {
      $dirty=str_replace("--", "", $dirty);
      $dirty=str_replace(";", "", $dirty);
      $clean=mysql_real_escape_string($dirty);
      return $clean;
  }

 your functions mix 2 concepts - input filtering and output escaping,
 they should be separate actions.

They are separate actions. One is on (for example) accept.php and the
other on display.php. However, there are tens of pages which accept
info, and tens of others which display info. And these are just two
functions: I have quite a few more. It would be impossible to break
them up into separate include pages because I'd be including 90% of
them on each page anyway.

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [PHP] sessions/cookies

2008-01-23 Thread Jochem Maas

others have given good advice, but let's learn to walk before we run shall we.


1. session_start() should be called once per request.
2. checkValidUser() does a select on all the users in the database, this is *wrong* -
   do a select with a suitable WHERE clause that retrieves the one user that matches the
   given user name and password.
3. GetAccessLevel() uses an undefined property.
4. all the properties ($UserID, $AdminLevel, etc) are only set during the request where
   the user's login credentials are checked. subsequent requests will not have that info.
5. use php5?
6. go back and read the other replies regarding separation of responsibilities
   and encapsulation.


nihilism machine schreef:
I wrote an authentication class in php4. The sessions don't seem to be
working with internet explorer, just with FF. here is the code below, a
cookies notice pops up when you try and login:


<?php

class auth {

    var $UserID;
    var $AdminLevel;
    var $FirstName;
    var $LastName;
    var $DateAdded;
    var $MobileTelephone;
    var $LandLineTelephone;

    // Connect to the database
    function auth() {
        mysql_connect('','','') or die('ERROR: Could not connect to database');
        mysql_select_db('') or die('ERROR: Could not select database');
    }

    // Attempt to login a user
    function CheckValidUser($Email,$Password) {
        $result = mysql_query('SELECT * FROM Users');
        $Password = $this->encode($Password);

        if (mysql_num_rows($result) != 0) {
            while($row = mysql_fetch_assoc($result)) {
                if (!strcmp($row['Email'],$Email)) {
                    if (!strcmp($row['Password'],$Password)) {
                        // User info stored in Globals
                        $this->UserID = $row['ID'];
                        $this->AdminLevel = $row['Admin_Level'];
                        $this->FirstName = $row['First_Name'];
                        $this->LastName = $row['Last_Name'];
                        $this->DateAdded = $row['Date_Added'];
                        $this->MobileTelephone = $row['Telephone_Mobile'];
                        $this->LandLineTelephone = $row['Telephone_Land_Line'];

                        // User info stored in Sessions
                        session_start();
                        $_SESSION['Status'] = "loggedIn";
                        $_SESSION['Email'] = $row['Email'];
                        $_SESSION['AdminLevel'] = $row['Admin_Level'];
                        $_SESSION['LandLine'] = $row['Telephone_Land_Line'];
                        $_SESSION['MobileTelephone'] = $row['Telephone_Mobile'];
                        $_SESSION['FirstName'] = $row['First_Name'];
                        $_SESSION['LastName'] = $row['Last_Name'];
                        return true;
                    }
                }
            }
            header("Location: index.php?error=invalidLogin");
        } else {
            die('ERROR: No Users in the database!');
        }
    }

    // Create a new user account
    function CreateUser($Email, $Password, $AdminLevel,
                        $LandLineTelephone, $MobileTelephone, $FirstName, $LastName) {

        $Password = $this->encode($Password);
        $this->AccessLevel = $AdminLevel;
        $DateAdded = date("Y-m-d H:i:s");
        mysql_query("INSERT INTO Users (Email, Password, Admin_Level,
            Date_Added, First_Name, Last_Name, Telephone_Land_Line,
            Telephone_Mobile) VALUES ('$Email','$Password','$AdminLevel',
            '$DateAdded', '$FirstName', '$LastName', '$LandLineTelephone',
            '$MobileTelephone')") or die(mysql_error());

        return $this->UserID = mysql_insert_id();
    }

    // Update a users access level
    function UpdateAccessLevel($ID,$AdminLevel) {
        mysql_query("UPDATE Users SET Admin_Level='$AdminLevel' WHERE ID=$ID")
            or die(mysql_error());

        return true;
    }

    // Delete a user
    function DeleteUser($ID) {
        mysql_query("DELETE FROM Users WHERE ID=$ID") or die(mysql_error());

        return true;
    }

    // Get a users access level
    function GetAccessLevel() {
        return $this->AccessLevel;
    }

    // Get a users ID
    function GetUserID() {
        return $this->UserID;
    }

    // Log user out

    function LogOut() {
        session_start();
        session_unset();
        session_destroy();
        header("Location: index.php");
    }

    // Check users access level to see if they have clearance for a
    // certain page

    function CheckUserLevel($RequiredLevel) {
        if ($_SESSION['AdminLevel'] < $RequiredLevel) {
            if ($_SESSION['AdminLevel'] == 2) {
                header("Location: financial.php");
            } else if ($_SESSION['AdminLevel'] == 1) {
                header("Location: user.php");
            } else {
                header("Location: index.php");
            }
        }
    }

    // Check to see if a user is logged in

    function CheckLoggedIn() {
        session_start();
        if ($_SESSION['Status'] != 
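
An added example, not the poster's class and not code from the thread, of a login path that takes Jochem's points 1 to 4 in order: session_start() runs once at the top of the request; the user is fetched with a WHERE clause through a prepared statement instead of scanning the whole Users table; the stored hash is checked with password_verify(); and what later requests need lives in $_SESSION, since object properties die with the request. It needs PHP 7.4 or later; the Users table, its one row and the Auth class name are constructed, with an in-memory SQLite database (pdo_sqlite) standing in for MySQL so the script runs stand-alone.

```php
<?php
// Added example, not code from the thread: a session-backed login class
// answering Jochem's points 1-4. Table, row and class name are constructed;
// pdo_sqlite in-memory database stands in for MySQL. Needs PHP >= 7.4.

session_start();   // point 1: once per request, before any output

class Auth
{
    private PDO $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
    }

    // Returns true and populates the session on success, false otherwise.
    public function login(string $email, string $password): bool
    {
        // Point 2: fetch only the matching row, with the value bound.
        $stmt = $this->db->prepare(
            'SELECT ID, Email, Password, Admin_Level, First_Name, Last_Name
               FROM Users WHERE Email = :email'
        );
        $stmt->execute([':email' => $email]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        // Verify against a throwaway hash when the address is unknown so the
        // response time does not reveal which accounts exist.
        $hash = $row ? $row['Password'] : password_hash('unknown-user', PASSWORD_DEFAULT);
        if (!$row || !password_verify($password, $hash)) {
            return false;
        }

        session_regenerate_id(true);   // fresh session id once privileges change
        // Point 4: everything later requests need goes into the session.
        $_SESSION['user'] = [
            'id'         => (int) $row['ID'],
            'email'      => $row['Email'],
            'adminLevel' => (int) $row['Admin_Level'],
            'firstName'  => $row['First_Name'],
            'lastName'   => $row['Last_Name'],
        ];
        return true;
    }

    // Usable on any request after login because it reads the session only.
    public function isLoggedIn(): bool
    {
        return isset($_SESSION['user']['id']);
    }

    // Point 3: the access level comes from the session, not an unset property.
    public function accessLevel(): int
    {
        return $this->isLoggedIn() ? $_SESSION['user']['adminLevel'] : 0;
    }

    public function hasLevel(int $required): bool
    {
        return $this->accessLevel() >= $required;
    }

    public function logout(): void
    {
        $_SESSION = [];
        session_destroy();
    }
}

// Constructed fixture standing in for the poster's Users table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Users (ID INTEGER PRIMARY KEY, Email TEXT UNIQUE, Password TEXT,
           Admin_Level INTEGER, First_Name TEXT, Last_Name TEXT)');
$db->prepare('INSERT INTO Users (Email, Password, Admin_Level, First_Name, Last_Name)
              VALUES (?, ?, ?, ?, ?)')
   ->execute(['ann@example.invalid', password_hash('s3cret', PASSWORD_DEFAULT), 2, 'Ann', 'Example']);

$auth = new Auth($db);
var_dump($auth->login('ann@example.invalid', 'wrong'));
var_dump($auth->login('ann@example.invalid', 's3cret'));
var_dump($auth->isLoggedIn(), $auth->hasLevel(2), $auth->hasLevel(3));
$auth->logout();
var_dump($auth->isLoggedIn());
```

The redirects the original class sends from inside its methods are left to the calling page here; a method that only returns a boolean is easier to test and does not send headers before the page has decided what to do.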

Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Dotan Cohen
On 23/01/2008, Jochem Maas [EMAIL PROTECTED] wrote:
 you don't understand what I mean.

 input filtering is a separate task to output filtering.
 you filter and validate all input to the script regardless of
 how you are going to use it. THEN you escape the filtered, validated data
 for each output (output to mysql, output to browser, etc)

Exactly. However, before going to the database, things get a healthy
dose of filtering specific to that medium. I don't need no Little
Bobby Tables slipping through. Likewise for data being output to HTML:
nobody would appreciate getting XSSed on my sites.

 2 distinct concepts, which shouldn't be rolled into single functions. imho.

They aren't; what you saw are two separate functions. Here they are again:

function clean_html ($dirty) {
    $dirty=strip_tags($dirty);
    $clean=htmlentities($dirty);
    return $clean;
}

function clean_mysql ($dirty) {
    $dirty=str_replace("--", "", $dirty);
    $dirty=str_replace(";", "", $dirty);
    $clean=mysql_real_escape_string($dirty);
    return $clean;
}

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread James Ausmus
Try using the mysql_ping() command to check to see if your connection
is available:

http://us2.php.net/manual/en/function.mysql-ping.php

something like:

<?php

if (!@mysql_ping()) // Note the @ is because, if mysql_ping cannot get
                    // connected, it will display a warning - suppress so users don't see
{
  connectToDB();
}

mysql_real_escape_string('stuff');

?>

HTH-

James


On Jan 22, 2008 6:04 PM, Dotan Cohen [EMAIL PROTECTED] wrote:
 On 23/01/2008, Richard Lynch [EMAIL PROTECTED] wrote:
 
 
  On Tue, January 22, 2008 7:01 pm, Dotan Cohen wrote:
   I have a file of my own functions that I include in many places. One
   of them uses mysql_real_escape_string, however, it may be called in a
   context that will or will not connect to a mysql server, and worse,
   may already be connected. So I must avoid connecting. However, when I
   run the script without connecting I get this error:
 
  Don't do that?
  :-)
 
  Can the file really do anything useful without the DB?

 The file defines some of my own functions, like these:

 function clean_html ($dirty) {
 $dirty=strip_tags($dirty);
 $clean=htmlentities($dirty);
 return $clean;
 }

 function clean_mysql ($dirty) {
 $dirty=str_replace ("--", "", $dirty);
 $dirty=str_replace (";", "", $dirty);
 $clean=mysql_real_escape_string($dirty);
 return $clean;
 }

 I use these functions in many places, so I simply put them all in a
 file and include it in each page.

  When there *IS* a connection, how do you access it?

 mysql_fetch_array or mysql_result

  Can't the file check somehow?

 I suppose that it could, by checking the return of one of the two
 functions above. Lucky for me, I always use UTF-8 so I won't get stuck
 connecting with one encoding yet doing mysql_real_escape_string with
 another, which would be a problem if I had to deal with multiple
 encodings.


 Dotan Cohen

 http://what-is-what.com
 http://gibberish.co.il
 א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

 A: Because it messes up the order in which people normally read text.
 Q: Why is top-posting such a bad thing?



Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Jochem Maas

Dotan Cohen schreef:

On 23/01/2008, Jochem Maas [EMAIL PROTECTED] wrote:

The file defines some of my own functions, like these:

function clean_html ($dirty) {
$dirty=strip_tags($dirty);
$clean=htmlentities($dirty);
return $clean;
}

function clean_mysql ($dirty) {
$dirty=str_replace ("--", "", $dirty);
$dirty=str_replace (";", "", $dirty);
$clean=mysql_real_escape_string($dirty);
return $clean;
}

your functions mix 2 concepts - input filtering and output escaping,
they should be separate actions.


They are separate actions. One is on (for example) accept.php and the
other on display.php. However, there are tens of pages which accept
info, and tens of others which display info. And these are just two
functions: I have quite a few more. It would be impossible to break
them up into separate include pages because I'd be including 90% of
them on each page anyway.


you don't understand what I mean.

input filtering is a separate task to output filtering.
you filter and validate all input to the script regardless of
how you are going to use it. THEN you escape the filtered, validated data
for each output (output to mysql, output to browser, etc)

2 distinct concepts, which shouldn't be rolled into single functions. imho.



Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Dotan Cohen
On 23/01/2008, James Ausmus [EMAIL PROTECTED] wrote:
 Try using the mysql_ping() command to check to see if your connection
 is available:

 http://us2.php.net/manual/en/function.mysql-ping.php

 something like:

 <?php

 if (!@mysql_ping()) // Note the @ is because, if mysql_ping cannot get
                     // connected, it will display a warning - suppress so users don't see
 {
   connectToDB(); }

 mysql_real_escape_string('stuff');

 ?>

 HTH-

 James


I was thinking about that, but the problem is that if there is no
connection, then the include is called and doesn't provide the
mysql_clean function that I expect that it would. Then, I make a
connection and use the function, expecting it to clean my data and it
doesn't.

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread James Ausmus
On Jan 23, 2008 10:03 AM, Dotan Cohen [EMAIL PROTECTED] wrote:
 On 23/01/2008, James Ausmus [EMAIL PROTECTED] wrote:
  Try using the mysql_ping() command to check to see if your connection
  is available:
 
  http://us2.php.net/manual/en/function.mysql-ping.php
 
  something like:
 
  <?php

  if (!@mysql_ping()) // Note the @ is because, if mysql_ping cannot get
                      // connected, it will display a warning - suppress so users don't see
  {
    connectToDB(); }

  mysql_real_escape_string('stuff');

  ?>
 
  HTH-
 
  James
 

 I was thinking about that, but the problem is that if there is no
 connection, then the include is called and doesn't provide the
 mysql_clean function that I expect that it would. Then, I make a
 connection and use the function, expecting it to clean my data and it
 doesn't.

You should be able to have the best of both worlds - it shouldn't have
to be an either/or:

function clean_mysql ($dirty) {
   $dirty=str_replace ("--", "", $dirty);
   $dirty=str_replace (";", "", $dirty);
   if (!@mysql_ping())
   {
      functionThatConnectsToMySQL();
   }
   $clean=mysql_real_escape_string($dirty);
   return $clean;
}

This will connect if not connected, but either way it will still run
the mysql_real_escape_string function - it's not inside an else
statement...

-James







 Dotan Cohen

 http://what-is-what.com
 http://gibberish.co.il
 א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

 A: Because it messes up the order in which people normally read text.
 Q: Why is top-posting such a bad thing?



Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Eric Butera
On Jan 22, 2008 8:01 PM, Dotan Cohen [EMAIL PROTECTED] wrote:
 I have a file of my own functions that I include in many places. One
 of them uses mysql_real_escape_string, however, it may be called in a
 context that will or will not connect to a mysql server, and worse,
 may already be connected. So I must avoid connecting. However, when I
 run the script without connecting I get this error:

 Warning: mysql_real_escape_string()
 [function.mysql-real-escape-string]: Access denied for user:
 '[EMAIL PROTECTED]' (Using password: NO)

 I was thinking about checking if there is a connection, and if not
 then connecting. This seems redundant to me, however. What is the
 list's opinion of this situation? Thanks in advance.

 Dotan Cohen

 http://what-is-what.com
 http://gibberish.co.il
 א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

 A: Because it messes up the order in which people normally read text.
 Q: Why is top-posting such a bad thing?


By not connecting to the server you don't have the correct context for
using mysql real escape string, therefore it is pointless.


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Dotan Cohen
On 23/01/2008, Eric Butera [EMAIL PROTECTED] wrote:
 On Jan 22, 2008 8:01 PM, Dotan Cohen [EMAIL PROTECTED] wrote:
  I have a file of my own functions that I include in many places. One
  of them uses mysql_real_escape_string, however, it may be called in a
  context that will or will not connect to a mysql server, and worse,
  may already be connected. So I must avoid connecting. However, when I
  run the script without connecting I get this error:
 
  Warning: mysql_real_escape_string()
  [function.mysql-real-escape-string]: Access denied for user:
  '[EMAIL PROTECTED]' (Using password: NO)
 
  I was thinking about checking if there is a connection, and if not
  then connecting. This seems redundant to me, however. What is the
  list's opinion of this situation? Thanks in advance.
 
  Dotan Cohen
 
  http://what-is-what.com
  http://gibberish.co.il
  א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
 
  A: Because it messes up the order in which people normally read text.
  Q: Why is top-posting such a bad thing?
 

 By not connecting to the server you don't have the correct context for
 using mysql real escape string, therefore it is pointless.


Yes, I realize this. Note that I _always_ connect via UTF-8, so I'd
like to tell mysql_real_escape_string to do its magic as if I were
connected via UTF-8. I realize that this is impossible.

However, I do not think that the script should throw an error until I
actually call mysql_clean. Merely having it in an include should not
throw an error if the function is not being used.

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Richard Lynch
On Wed, January 23, 2008 11:47 am, Dotan Cohen wrote:
 On 23/01/2008, Jochem Maas [EMAIL PROTECTED] wrote:
 for each output (output to mysql, output to browser, etc)

Back to the original question...

I suppose you could use mysql_escape_string (note the lack of real)
in the short term...

It would be Real Nifty (tm) if the MySQL API had a function that let
you specify the charset without a connection and did the escaping.

Presumably you don't NEED a connection if you already know what
charset thingie you are aiming at...

Or maybe I'm not understanding something...

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?




Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Dotan Cohen
On 23/01/2008, Richard Lynch [EMAIL PROTECTED] wrote:
 Back to the original question...

 I suppose you could use mysql_escape_string (note the lack of real)
 in the short term...

I'd rather not. There is no short term.

 It would be Real Nifty (tm) if the MySQL API had a function that let
 you specify the charset without a connection and did the escaping.

 Presumably you don't NEED a connection if you already know what
 charset thingie you are aiming at...

 Or maybe I'm not understanding something...

You are understanding. I'm heading over to the mysql bugzilla now...

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Richard Lynch
On Wed, January 23, 2008 12:47 pm, Dotan Cohen wrote:
 On 23/01/2008, Eric Butera [EMAIL PROTECTED] wrote:
 On Jan 22, 2008 8:01 PM, Dotan Cohen [EMAIL PROTECTED] wrote:
 However, I do not think that the script should throw an error until I
 actually call mysql_clean. Merely having it in an include should not
 throw an error if the function is not being used.

If you get it to throw an error for a connection not present, then you
ARE calling the function.

You may not know where you called it in your rats' nest of OOP, but
you are calling it. :-) :-) :-)

The only errors PHP throws without calling functions are parse errors.

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?




Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread mike
  It would be Real Nifty (tm) if the MySQL API had a function that let
  you specify the charset without a connection and did the escaping.
 
  Presumably you don't NEED a connection if you already know what
  charset thingie you are aiming at...

I concur - it would be nice to have the capability to have a normal
string escape function and give it a character set. I mean we should
all be using utf-8 anyway, right?

Right now I still use mysql_escape_string and it seems to work fine,
but it makes me nervous as everything else I use is mysqli and I know
it is not 100% compatible (just haven't had anything break it yet) -
but I hate having to have a connection handle open just to escape
things.




Re: [PHP] including files outside of document root

2008-01-23 Thread Richard Lynch
On Wed, January 23, 2008 8:37 am, Jason Pruim wrote:

 On Jan 22, 2008, at 3:57 PM, Jason Pruim wrote:

 Hi everyone,

 #1.When including files outside of the webroot do you need to
 specify the entire path? Like for me, that would be something like: /
 volumes/raider/webserver/includes/projectname/includeme.php or can I
 just stop at: /webserver/includes/projectname/includeme.php?

Neither. :-)

Figure out how PHP's include_path feature works and use that.
http://php.net/set_include_path

You should use set_include_path to define what directory[ies] PHP
should search, and then just do:
include 'includeme.php';


 #2.   Anyone got any small programming jobs that I can hone my skills
 with? :) You know, the kind of projects that you gurus don't want to
 do because you're too busy writing the Next Killer App (tm) but would
 be perfect learning experience/easy way to put some cash in the
 pocket? :)

Non-profits/Charities often have programming needs not being met by
traditional (costly) developers.

They may have SOME cash, but not a lot.

And there's always somebody wanting yet another shopping cart
store-front installation...

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?




Re: [PHP] successful compiled, but errors at use

2008-01-23 Thread Richard Lynch
On Wed, January 23, 2008 4:13 am, Andre Hübner wrote:
 Warning: Unexpected character in input: '' (ASCII=27) state=1 in
 /folders/php-4.4.8 on line 3600

 Warning: Unexpected character in input: '' (ASCII=8) state=1 in
 /folders/php-4.4.8 on line 3600

 Warning: Unexpected character in input: '' (ASCII=3) state=1 in
 /folders/php-4.4.8 on line 3600

 Warning: Unexpected character in input: ' in /folders/php-4.4.8 on
 line 3600

 Warning: Unexpected character in input: ' in /folders/php-4.4.8 on
 line 3600

 Warning: Unexpected character in input: ' in /folders/php-4.4.8 on
 line 3600

 Parse error: syntax error, unexpected T_STRING in /folders/php-4.4.8
 on line
 3600

 But if i call this php-4.4.8 on console i can parse successful my
 files.
 What goes wrong? I have no idea what i id not correctly.
 Can anybody help please?

Do you have/need ASCII 27, 8, and 3 on line 3600?

The CLI may have error display set to off or logging it elsewhere.

Try:

php -d display_errors=1 -d error_reporting=2047 phpinfo.php

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?




Re: [PHP] including files outside of document root

2008-01-23 Thread Roberto Mansfield
Jason Pruim wrote:
 
 Been doing some reading on security and have decided that I should be
 storing my include files outside of the document root... Which I
 understand how to do it, but what I'm wondering, is say I write the
 Next Killer App (tm). How would I port that code easily off of my
 server and put it into a downloadable file for the millions of people
 who will download and run  the Next Killer App (tm)?

I tend to keep the directories in the document root, but I deny access
via an .htaccess file. This keeps the code in a simple directory
structure. Anyone else doing that?

-Roberto




Re: [PHP] including files outside of document root

2008-01-23 Thread Jason Pruim


On Jan 23, 2008, at 2:50 PM, Roberto Mansfield wrote:

Jason Pruim wrote:

Been doing some reading on security and have decided that I should be
storing my include files outside of the document root... Which I
understand how to do it, but what I'm wondering, is say I write the
Next Killer App (tm). How would I port that code easily off of my
server and put it into a downloadable file for the millions of people
who will download and run  the Next Killer App (tm)?

I tend to keep the directories in the document root, but I deny access
via an .htaccess file. This keeps the code in a simple directory
structure. Anyone else doing that?

-Roberto



I used to just throw everything in the same directory, include files,
config files, pictures, css, html, php etc. etc. etc...

When I made my decision to put the includes outside of the webroot it
was because of an article I read by Chris Shiflett[1] that said
basically that this way of including files was safer than using
a .htaccess file to block access to it.

That's why I made my decision. Not to say it's the right one, just a
step in the right direction. To me it also seems more portable across
hosts to have access outside of your webroot vs. access to .htaccess
files. But I could be wrong, I have been lucky enough to always have a
company server with php at my full control so I could use whatever I
needed when I needed it.





[1]http://shiflett.org/articles/secure-design


--

Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd ave
Holland, MI, 49424
www.raoset.com
[EMAIL PROTECTED]




Re: [PHP] including files outside of document root

2008-01-23 Thread Daniel Brown
On Jan 23, 2008 2:50 PM, Roberto Mansfield [EMAIL PROTECTED] wrote:
 I tend to keep the directories in the document root, but I deny access
 via an .htaccess file. This keeps the code in a simple directory
 structure. Anyone else doing that?

My fear on that is if there are changes to the server.  Say, for
example, someone takes over my job (which will happen someday, one way
or another), and they are charged with upgrading services on the
server.  While doing Apache, they accidentally (for argument's sake)
forget to properly configure the AllowOverrides and AddHandler/AddType
directives.  Now .htaccess isn't read and doesn't bar access to the
directory, and the files have full source disclosure - including any
database login credentials, et cetera.

This is what we like to call a Bad Thing[tm].

-- 
/Dan

Daniel P. Brown
Senior Unix Geek and #1 Rated Year's Coolest Guy By Self Since
Nineteen-Seventy-[mumble].




Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Eric Butera
On Jan 23, 2008 2:37 PM, Dotan Cohen [EMAIL PROTECTED] wrote:
 On 23/01/2008, Richard Lynch [EMAIL PROTECTED] wrote:
  Back to the original question...
 
  I suppose you could use mysql_escape_string (note the lack of real)
  in the short term...

 I'd rather not. There is no short term.

  It would be Real Nifty (tm) if the MySQL API had a function that let
  you specify the charset without a connection and did the escaping.
 
  Presumably you don't NEED a connection if you already know what
  charset thingie you are aiming at...
 
  Or maybe I'm not understanding something...

 You are understanding. I'm heading over to the mysql bugzilla now...


 Dotan Cohen

 http://what-is-what.com
 http://gibberish.co.il
 א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

 A: Because it messes up the order in which people normally read text.
 Q: Why is top-posting such a bad thing?


There isn't a reason to go and report a bug as their stuff works fine.

If you know you have utf8 and all that jazz then fine.  The only
reason you should use mysql escaping is right before you put a value
into the database.  To put a value in the database you must have a
connection.  So this really is a non-issue in my opinion.

Look at mysqli or pdo and start working with prepared statements. :)


Re: [PHP] including files outside of document root

2008-01-23 Thread Roberto Mansfield
Daniel Brown wrote:
 On Jan 23, 2008 2:50 PM, Roberto Mansfield [EMAIL PROTECTED] wrote:
 I tend to keep the directories in the document root, but I deny access
 via an .htaccess file. This keeps the code in a simple directory
 structure. Anyone else doing that?
 
 My fear on that is if there's changes to the server.  Say, for
 example, someone takes over my job (which will happen someday, one way
 or another), and they are charged with upgrading services on the
 server.  While doing Apache, they accidentally (for argument's sake)
 forget to properly configure the AllowOverrides and AddHandler/AddType
 directives.  Now .htaccess isn't read and doesn't bar access to the
 directory, and the files have full source disclosure - including any
 database login credentials, et cetera.
 
 This is what we like to call a Bad Thing[tm].
 

Ahh, an excellent point.




Re: [PHP] including files outside of document root

2008-01-23 Thread Daniel Brown
On Jan 23, 2008 2:56 PM, Jason Pruim [EMAIL PROTECTED] wrote:
 that's why I made my decision. Not to say it's the right one, just a
 step in the right direction. To me it also seems more portable across
 hosts to have access outside of your webroot vs. access to .htaccess

It's far more portable, because every HTTP server out there knows
how to handle paths, but only Apache knows how to handle an .htaccess
file.  So you can forget being able to use that same code on IIS,
tinyhttpd, Boa, AnalogX SimpleServer:WWW (an old favorite!), et
cetera.  If it only works with one specific HTTP server, that's a
serious limit.

-- 
/Dan

Daniel P. Brown
Senior Unix Geek and #1 Rated Year's Coolest Guy By Self Since
Nineteen-Seventy-[mumble].




Re: [PHP] including files outside of document root

2008-01-23 Thread Jason Pruim


On Jan 23, 2008, at 3:04 PM, Daniel Brown wrote:


On Jan 23, 2008 2:56 PM, Jason Pruim [EMAIL PROTECTED] wrote:

that's why I made my decision. Not to say it's the right one, just a
step in the right direction. To me it also seems more portable across
hosts to have access outside of your webroot vs. access to .htaccess


   It's far more portable, because every HTTP server out there knows
how to handle paths, but only Apache knows how to handle an .htaccess
file.  So you can forget being able to use that same code on IIS,
tinyhttpd, Boa, AnalogX SimpleServer:WWW (an old favorite!), et
cetera.  If it only works with one specific HTTP server, that's a
serious limit.



I didn't realize that... That's good info. I always hear people
talking about .htaccess files on all the different lists I'm on so I
thought it was an industry standard thing :)


Now I can shut my brain down because I learned my 1 new thing for today!

m Beer

--

Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd ave
Holland, MI, 49424
www.raoset.com
[EMAIL PROTECTED]




Re: [PHP] including files outside of document root

2008-01-23 Thread Daniel Brown
On Jan 23, 2008 3:28 PM, Jason Pruim [EMAIL PROTECTED] wrote:
 I didn't realize that... That's good info. I always hear people
 talking about .htaccess files on all the different lists I'm on so I
 thought it was an industry standard thing :)

 Now I can shut my brain down because I learned my 1 new thing for today!

Learn more:
http://en.wikipedia.org/wiki/.htaccess

-- 
/Dan

Daniel P. Brown
Senior Unix Geek and #1 Rated Year's Coolest Guy By Self Since
Nineteen-Seventy-[mumble].




[PHP] unpack() big endian signed long?

2008-01-23 Thread Floor Terra
Hi,

Is it possible to use unpack() to read a big endian signed long
on a little endian machine?
http://nl.php.net/pack refers to perl, on which this function is based.
The php function unpack() doesn't seem to support the < and >
modifiers like perl does.

Floor Terra


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Jochem Maas

Dotan Cohen schreef:

On 23/01/2008, Jochem Maas [EMAIL PROTECTED] wrote:

you don't understand what I mean.

input filtering is a separate task to output filtering.
you filter and validate all input to the script regardless of
how you are going to use it. THEN you escape the filtered, validated data
for each output (output to mysql, output to browser, etc)


Exactly. However, before going to the database, things get a healthy
dose of filtering specific to that medium. I don't need no Little
Bobby Tables slipping through. Likewise for data being output to HTML:
nobody would appreciate getting XSSed on my sites.


2 distinct concepts, which shouldn't be rolled into single functions. imho.


They aren't; what you saw are two separate functions. Here they are again:


I can read, I saw 2 functions the first time. each function cleans *and* 
escapes.

cleaning is filtering of input.
escaping is preparing for output.

2 concepts.

if the input needs to be stripped of html then it needs that regardless
of the output vector. again removing or not-accepting input if it contains
'--' is a question of filtering/validation ... besides which '--' is quite
acceptable for data stored in a text field but not for a numeric one.

filter each piece of data
validate each piece of data
escape each piece of data for each context in which it will be output.

imho your functions are conceptually wrong and not very robust either -
don't take it as a personal attack - I'm very sure if we sat down with *some*
of my code the same criticism could be made to more or lesser extent :-) ...
getting better all the time as they sang once ;-)



function clean_html ($dirty) {
   $dirty=strip_tags($dirty);
   $clean=htmlentities($dirty);
   return $clean;
}

function clean_mysql ($dirty) {
   $dirty=str_replace ("--", "", $dirty);
   $dirty=str_replace (";", "", $dirty);
   $clean=mysql_real_escape_string($dirty);
   return $clean;
}

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?




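As an added example, not code from the thread: Jochem's two-stage layout (filter and validate each input once, then escape separately for each output context) combined with the prepared-statement route Eric suggests earlier in the thread, which also answers the original question because the database connection is only needed at the moment of writing. The sample input, the table and the PDO connection (SQLite in memory standing in for MySQL) are constructed here.

```php
<?php
// Added example, not code from the thread. Stage 1 filters and validates each
// input once, independent of where it will go. Stage 2 escapes separately per
// output context: htmlspecialchars() for the browser, and a PDO prepared
// statement for the database, where the driver escapes at bind time using the
// connection's own charset, so no clean_mysql()-style function is needed.

// Stage 1a: a username must match a whitelist; anything else is rejected.
function filter_username($raw) {
    if (!is_string($raw)) {
        return null;
    }
    $raw = trim($raw);
    return preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $raw) ? $raw : null;
}

// Stage 1b: free text is validated for length and control characters only.
// '--' and ';' are legitimate text and are NOT stripped: keeping them out of a
// query is the job of the output stage, not of input filtering.
function filter_comment($raw) {
    if (!is_string($raw)) {
        return null;
    }
    $raw = trim($raw);
    if ($raw === '' || strlen($raw) > 2000) {
        return null;
    }
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $raw)) {
        return null;
    }
    return $raw;
}

// Stage 2a: escaping for the HTML output context.
function escape_html($clean) {
    return htmlspecialchars($clean, ENT_QUOTES, 'UTF-8');
}

// Stage 2b: the SQL output context. The value is bound, never concatenated
// into the query text, and a connection is required only here.
function store_comment(PDO $db, $username, $comment) {
    $stmt = $db->prepare('INSERT INTO comments (username, body) VALUES (:u, :b)');
    $stmt->bindValue(':u', $username, PDO::PARAM_STR);
    $stmt->bindValue(':b', $comment, PDO::PARAM_STR);
    return $stmt->execute();
}

// Constructed sample input standing in for $_POST.
$input = array(
    'username' => "Robert'); DROP TABLE Students;--",
    'comment'  => "Prices go up -- see <b>terms</b>; thanks!",
);

$username = filter_username($input['username']); // null: fails the whitelist
$comment  = filter_comment($input['comment']);   // kept intact, '--' and ';' included

if ($username === null) {
    echo "username rejected at the validation stage\n";
    $username = 'anonymous';
}
if ($comment !== null) {
    // One clean value, two different encodings, chosen by the output context:
    echo escape_html($comment), "\n"; // Prices go up -- see &lt;b&gt;terms&lt;/b&gt;; thanks!

    // SQLite in memory stands in for MySQL so this runs offline; for MySQL use a
    // DSN such as 'mysql:host=...;dbname=...;charset=utf8' so the driver knows the charset.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (username TEXT, body TEXT)');
    store_comment($db, $username, $comment);

    $row = $db->query('SELECT body FROM comments')->fetch(PDO::FETCH_ASSOC);
    var_dump($row['body'] === $comment); // bool(true): stored verbatim, nothing stripped
}
```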

Re: [PHP] unpack() big endian signed long?

2008-01-23 Thread Nathan Nobbe
On Jan 23, 2008 3:38 PM, Floor Terra [EMAIL PROTECTED] wrote:

 Hi,

 Is it possible to use unpack() to read a big endian signed long
 on a little endian machine?
 http://nl.php.net/pack refers to perl, on which this function is based.
 The php function unpack() doesn't seem to support the < and >
 modifiers like perl does.


did you see this in the comments on that page?

 *info at dreystone dot com*
04-May-2005 02:31
http://us.php.net/manual/en/function.unpack.php#52527 Here is my
solution to reading a Big-Endian formatted double on an
Little-Endian machine.

<?php

function ToDouble($data) {
$t = unpack("C*", pack("S*", 256));
if($t[1] == 1) {
$a = unpack("d*", $data);
} else {
$a = unpack("d*", strrev($data));
}
return (double)$a[1];
}

?>

-nathan


Re: [PHP] unpack() big endian signed long?

2008-01-23 Thread Floor Terra
On Jan 23, 2008 9:57 PM, Nathan Nobbe [EMAIL PROTECTED] wrote:

 On Jan 23, 2008 3:38 PM, Floor Terra [EMAIL PROTECTED] wrote:

  Hi,
 
  Is it possible to use unpack() to read a big endian signed long
  on a little endian machine?
  http://nl.php.net/pack refers to perl, on which this function is based.
  The php function unpack() doesn't seem to support the < and >
  modifiers like perl does.


 did you see this in the comments on that page?

Yes.
I guess I'm stuck with manual byte reversing.
Someone at ##php on freenode.org told me it is possible, but didn't tell me
how.

It seems like an obvious feature.

Thanks for your time.

Floor Terra
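
An added example, not code from the thread, for Floor's question: unpack()'s 'N' format always reads four bytes big-endian whatever the host byte order, so the only thing missing is the sign, which is restored by hand; the block also covers 16-bit values and a whole buffer of longs. The sample byte strings are constructed here.

```php
<?php
// Added example, not code from the thread. 'N' in unpack() always reads four
// bytes in big-endian order regardless of host byte order, so no strrev() is
// needed; it only lacks the sign, which is restored below. The same idea is
// applied to 16-bit values ('n') and to a buffer holding several longs.

// Convert an unsigned value $bits wide into its two's complement signed form.
// On 32-bit PHP unpack('N') already wraps into the negative range, so the
// subtraction never triggers there; on 64-bit PHP it is what restores the sign.
function to_signed($value, $bits) {
    $half = pow(2, $bits - 1);      // 2^31 for longs, 2^15 for shorts
    if ($value >= $half) {
        $value -= 2 * $half;        // subtract 2^bits
    }
    return (int)$value;
}

// Read one big-endian signed 32-bit integer at $offset; null if truncated.
function unpack_be_int32($bytes, $offset = 0) {
    if (strlen($bytes) < $offset + 4) {
        return null;
    }
    $u = unpack('N', substr($bytes, $offset, 4));
    return to_signed($u[1], 32);
}

// Read one big-endian signed 16-bit integer at $offset; null if truncated.
function unpack_be_int16($bytes, $offset = 0) {
    if (strlen($bytes) < $offset + 2) {
        return null;
    }
    $u = unpack('n', substr($bytes, $offset, 2));
    return to_signed($u[1], 16);
}

// Read every complete 4-byte group in a buffer as signed longs; a trailing
// partial group is ignored rather than misread.
function unpack_be_int32_array($bytes) {
    $count = intval(strlen($bytes) / 4);
    if ($count === 0) {
        return array();
    }
    $out = array();
    foreach (unpack('N' . $count, substr($bytes, 0, $count * 4)) as $u) {
        $out[] = to_signed($u, 32);
    }
    return $out;
}

// The reverse direction: pack('N') keeps the low 32 bits, so negatives round-trip.
function pack_be_int32($value) {
    return pack('N', $value);
}

// Constructed sample values (hex shown in the comments).
$samples = array(
    array("\x00\x00\x00\x2A", 42),          // 0000002A
    array("\xFF\xFF\xFF\xFE", -2),          // FFFFFFFE
    array("\x7F\xFF\xFF\xFF", 2147483647),  // 7FFFFFFF
    array("\x80\x00\x00\x00", -2147483648), // 80000000
);
foreach ($samples as $s) {
    list($bytes, $expected) = $s;
    $got = unpack_be_int32($bytes);
    // == rather than === because -2147483648 is a float literal on 32-bit PHP
    $ok = ($got == $expected && pack_be_int32($got) === $bytes);
    printf("%s -> %d %s\n", bin2hex($bytes), $got, $ok ? 'ok' : 'MISMATCH');
}
var_dump(unpack_be_int32_array("\x00\x00\x00\x01\xFF\xFF\xFF\xFF\x12")); // [1, -1], trailing byte ignored
var_dump(unpack_be_int16("\xFF\x80"));                                   // int(-128)
var_dump(unpack_be_int32("\x00\x01"));                                   // NULL: truncated input
```

The machine-order probe in the quoted ToDouble() note is only needed for formats such as 'd' that follow host byte order; 'N' and 'n' are fixed big-endian by definition.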


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Dotan Cohen
On 23/01/2008, Richard Lynch [EMAIL PROTECTED] wrote:
 On Wed, January 23, 2008 12:47 pm, Dotan Cohen wrote:
  On 23/01/2008, Eric Butera [EMAIL PROTECTED] wrote:
  On Jan 22, 2008 8:01 PM, Dotan Cohen [EMAIL PROTECTED] wrote:
  However, I do not think that the script should throw an error until I
  actually call mysql_clean. Merely having it in an include should not
  throw an error if the function is not being used.

 If you get it to throw an error for a connection not present, then you
 ARE calling the function.

I just reviewed the code, and you are right. I call the include for
the database connection (from outside the public directory) just
before the mysql_query, which is _after_ I've cleaned the variables.

 You may not know where you called it in your rats' nest of OOP, but
 you are calling it. :-) :-) :-)

Yes, I was.

 The only errors PHP throws without calling functions are parse errors.

Good to know.

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Dotan Cohen
On 23/01/2008, mike [EMAIL PROTECTED] wrote:
   It would be Real Nifty (tm) if the MySQL API had a function that let
   you specify the charset without a connection and did the escaping.
  
   Presumably you don't NEED a connection if you already know what
   charset thingie you are aiming at...

 I concur - it would be nice to have the capability to have a normal
 string escape function and give it a character set. I mean we should
 all be using utf-8 anyway, right?

I'd be interested in hearing an argument against UTF-8, other than the
disk space argument.

 Right now I still use mysql_escape_string and it seems to work fine,
 but it makes me nervous as everything else I use is mysqli and I know
 it is not 100% compatible (just haven't had anything break it yet) -
 but I hate having to have a connection handle open just to escape
 things.

I think it was here on this list that we saw an example of SQL
injection despite the use of mysql_escape_string. Some funky Asian
charset was used, no?

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [PHP] including files outside of document root

2008-01-23 Thread Jason Pruim


On Jan 23, 2008, at 2:42 PM, Richard Lynch wrote:


On Wed, January 23, 2008 8:37 am, Jason Pruim wrote:


On Jan 22, 2008, at 3:57 PM, Jason Pruim wrote:


Hi everyone,


#1.  When including files outside of the webroot do you need to
specify the entire path? Like for me, that would be something like:
/volumes/raider/webserver/includes/projectname/includeme.php or can I
just stop at: /webserver/includes/projectname/includeme.php?


Neither. :-)

Figure out how PHP's include_path feature works and use that.
http://php.net/set_include_path

You should use set_include_path to define what directory[ies] PHP
should search, and then just do:
include 'includeme.php';


Okay, so I have this mostly working now! if I put my
ini_set('include_path', 'blah/to/blah'); on each and every page. I
know I could include a file that is in the document root which
specified that, but I was wondering if I was missing something?
Obviously other than changing the php.ini file?




--

Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd ave
Holland, MI, 49424
www.raoset.com
[EMAIL PROTECTED]

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Dotan Cohen
On 23/01/2008, Eric Butera [EMAIL PROTECTED] wrote:
 There isn't a reason to go and report a bug as their stuff works fine.

I would have filed a wish, not a bug. They are both filed in the
bugzillas that I'm familiar with. In any case, I'm not filing as I've
no account there and I'll not be filing many bugs for that software.
If someone else wants to file a wish, be my guest.

 If you know you have utf8 and all that jazz then fine.  The only
 reason you should use mysql escaping is right before you put a value
 into the database.  To put a value in the database you must have a
 connection.  So this really is a non-issue in my opinion.

No, I sanitize the values, and only then I decide if the value (now
sanitized and safe to work with) should go to the database. And only
if it's going to the database do I open a connection.

 Look at mysqli or pdo and start working with prepared statements. :)

Thanks, I will take a look at those!

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Dotan Cohen
On 23/01/2008, Jochem Maas [EMAIL PROTECTED] wrote:
 I can read, I saw 2 functions the first time. each function cleans *and* 
 escapes.

 cleaning is filtering of input.
 escaping is preparing for output.

 2 concepts.

I see your point.

 if the input needs to be stripped of html then it needs that regardless
 of the output vector. again removing or not-accepting input if it contains
 '--' is a question of filtering/validation ... besides which '--' is quite
 acceptable for data stored in a text field but not for a numeric one.

I'm not accepting -- at all until someone can show me a real world
case where one would use it, without the intention of SQL injection.
How can it be escaped, anyway?

 filter each piece of data
 validate each piece of data
 escape each piece of data for each context in which it will be output.

I see that you have more experience than I!

 imho your functions are conceptually wrong and not very robust either -
 don't take it as a personal attack - I'm very sure if we sat down with *some*
 of my code the same criticism could be made to more or lesser extent :-) ...
 getting better all the time as they sang once ;-)

I never thought that was a personal attack, not for a second. Rather,
I very much appreciate the time you take to explain to me my errors.
And I intend to learn from them. For the time being, I'll leave the
code as it is. However, for future projects, I will make a point of
separating the different functions. Thanks.

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Chris

Dotan Cohen wrote:

On 23/01/2008, mike [EMAIL PROTECTED] wrote:

It would be Real Nifty (tm) if the MySQL API had a function that let
you specify the charset without a connection and did the escaping.

Presumably you don't NEED a connection if you already know what
charset thingie you are aiming at...

I concur - it would be nice to have the capability to have a normal
string escape function and give it a character set. I mean we should
all be using utf-8 anyway, right?


I'd be interested in hearing an argument against UTF-8, other than the
disk space argument.


Right now I still use mysql_escape_string and it seems to work fine,
but it makes me nervous as everything else I use is mysqli and I know
it is not 100% compatible (just haven't had anything break it yet) -
but I hate having to have a connection handle open just to escape
things.


I think it was here on this list that we saw an example of SQL
injection despite the use of mysql_escape_string. Some funky Asian
charset was used, no?


Nope.

This article explains all I think:

http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html

--
Postgresql  php tutorials
http://www.designmagick.com/




Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Chris



Right now I still use mysql_escape_string and it seems to work fine,
but it makes me nervous as everything else I use is mysqli and I know
it is not 100% compatible (just haven't had anything break it yet) -
but I hate having to have a connection handle open just to escape
things.


If you need to escape something you're going to do a query aren't you? 
Or am I missing something here?


--
Postgresql  php tutorials
http://www.designmagick.com/




Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Chris

Dotan Cohen wrote:

On 23/01/2008, Jochem Maas [EMAIL PROTECTED] wrote:

I can read, I saw 2 functions the first time. each function cleans *and* 
escapes.

cleaning is filtering of input.
escaping is preparing for output.

2 concepts.


I see your point.


if the input needs to be stripped of html then it needs that regardless
of the output vector. again removing or not-accepting input if it contains
'--' is a question of filtering/validation ... besides which '--' is quite
acceptable for data stored in a text field but not for a numeric one.


I'm not accepting -- at all until someone can show me a real world
case where one would use it, without the intention of SQL injection.
How can it be escaped, anyway?


Depends on your app.

-- is an accepted thing in emails as a marker for signatures.


Also, in mysql_query the ';' is automatically handled: you can't send multiple
queries to mysql_query and have them execute.


mysql_query() sends a unique query (multiple queries are not supported)



Not sure why the php guys have only done that for mysql_query but there 
you go :)


--
Postgresql  php tutorials
http://www.designmagick.com/




Re: [PHP] including files outside of document root

2008-01-23 Thread Daniel Brown
On Jan 23, 2008 4:19 PM, Jason Pruim [EMAIL PROTECTED] wrote:
 Okay, so I have this mostly working now! if I put my
 ini_set('include_path', 'blah/to/blah'); on each and every page. I
 know I could include a file that is in the document root which
 specified that, but I was wondering if I was missing something?
 Obviously other than changing the php.ini file?

You do know you can set overrides for PHP in .htaccess, or even
have a whole php.ini file in the directory in which you're working,
right?

You can either set `php_flag include_path path/to/blah` in
.htaccess (without the backticks, of course), or you can place a
php.ini file in the same directory as the files to override the values
(if they're INI_PERDIR or similar, anyway).

-- 
/Dan

Daniel P. Brown
Senior Unix Geek and #1 Rated Year's Coolest Guy By Self Since
Nineteen-Seventy-[mumble].




Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Jochem Maas

Dotan Cohen schreef:

On 23/01/2008, Jochem Maas [EMAIL PROTECTED] wrote:

I can read, I saw 2 functions the first time. each function cleans *and* 
escapes.

cleaning is filtering of input.
escaping is preparing for output.

2 concepts.


I see your point.


if the input needs to be stripped of html then it needs that regardless
of the output vector. again removing or not-accepting input if it contains
'--' is a question of filtering/validation ... besides which '--' is quite
acceptable for data stored in a text field but not for a numeric one.


I'm not accepting -- at all until someone can show me a real world
case where one would use it, without the intention of SQL injection.
How can it be escaped, anyway?


I might just want to put '--' in a textfield used as the basis for content
for a webpage. just because I want to. the most pertinent examples are wikis,
they use '--' as markup (which is usually transformed into an <hr /> when the
results are output for viewing ... but obviously you want the original markup
when editing.

INSERT INTO foo (textfield) VALUES ('--');

nothing to escape in the case of those chars being part of a string, the
escaping mechanism [hopefully] ensures that a given string will never contain
a byte sequence that the query parser will misinterpret as a sign to end the
string (before the last intended quote delimiter) prematurely and thereby
treat the remainder of the input string as SQL.




filter each piece of data
validate each piece of data
escape each piece of data for each context in which it will be output.


I see that you have more experience than I!


imho your functions are conceptually wrong and not very robust either -
don't take it as a personal attack - I'm very sure if we sat down with *some*
of my code the same criticism could be made to more or lesser extent :-) ...
getting better all the time as they sang once ;-)


I never thought that was a personal attack, not for a second. Rather,
I very much appreciate the time you take to explain to me my errors.
And I intend to learn from them. For the time being, I'll leave the
code as it is. However, for future projects, I will make a point of
separating the different functions. Thanks.

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


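As an added example (not code from anyone on the thread) of the filter / validate / escape-per-context split Jochem describes, in PHP. The field, the length limit, the SQL statement and the URL are assumptions made for the example; the point is that '--', quotes and tags pass validation untouched and are only dealt with at each output context:

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. It follows the three steps
// (filter, validate, escape per context) for one comment field. Field name,
// limits, SQL and URL are assumptions made for the example.

// Step 1, filter: normalise line endings and drop control characters other
// than newline and tab. preg_replace() returns null on invalid UTF-8.
function filter_comment(string $raw): ?string
{
    $lf = str_replace(["\r\n", "\r"], "\n", $raw);
    return preg_replace('/[^\P{C}\n\t]/u', '', $lf);
}

// Step 2, validate: a business rule, not an escaping rule. '--', quotes and
// angle brackets are all still legitimate content here (wiki markup, mail
// signatures, quoted speech); only emptiness and length are enforced.
function validate_comment(?string $filtered, int $max_chars = 2000): ?string
{
    if ($filtered === null) {
        return null;
    }
    $value = trim($filtered);
    if ($value === '' || mb_strlen($value, 'UTF-8') > $max_chars) {
        return null;
    }
    return $value;
}

// Step 3a, the HTML context: escaped at output time, never stored escaped.
function for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Step 3b, the SQL context: no string escaping at all. The value travels as a
// bound parameter, so the SQL parser never sees it as query text. Returned as
// [sql, params] so it can be inspected without a live PDO connection.
function for_sql(string $value): array
{
    return ['INSERT INTO comments (body) VALUES (:body)', [':body' => $value]];
}

// Step 3c, a third context for the very same value: a URL query string.
function for_url(string $value): string
{
    return 'https://example.invalid/search?q=' . rawurlencode($value);
}

function process_comment(string $raw): ?array
{
    $value = validate_comment(filter_comment($raw));
    if ($value === null) {
        return null;
    }
    return ['html' => for_html($value), 'sql' => for_sql($value), 'url' => for_url($value)];
}

// Constructed sample input: a wiki-style rule, a signature marker, an
// apostrophe, a tag and a stray NUL byte.
$sample = "Line one\r\n--\r\n-- \r\nO'Brien says <b>hi</b>\x00";
$out = process_comment($sample);
if ($out === null) {
    echo "rejected\n";
} else {
    echo $out['html'], "\n";                // tag and apostrophe escaped, '--' untouched
    echo $out['sql'][0], "\n";              // the SQL text contains no user data at all
    var_export($out['sql'][1]);             // the '--' lines are just the bound value
    echo "\n", $out['url'], "\n";
}
```

The same validated string is escaped three different ways, which is exactly why escaping cannot live inside the "clean" function: the clean function does not know where the value is going.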



Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Dotan Cohen
On 23/01/2008, Chris [EMAIL PROTECTED] wrote:
  I'm not accepting -- at all until someone can show me a real world
  case where one would use it, without the intention of SQL injection.
  How can it be escaped, anyway?

 Depends on your app.

 -- is an accepted things in emails as a marker for signatures.

You win that one.

 Also, in mysql_query the ';' is automatically handled: you can't send multiple
 queries to mysql_query and have them execute.

 mysql_query() sends a unique query (multiple queries are not supported)

Very nice to know this. Thanks.

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Dotan Cohen
On 23/01/2008, Jochem Maas [EMAIL PROTECTED] wrote:
 Dotan Cohen schreef:
  I'm not accepting -- at all until someone can show me a real world
  case where one would use it, without the intention of SQL injection.
  How can it be escaped, anyway?

 I might just want to put '--' in a textfield used as the basis for content
 for a webpage. just because I want to. the most pertinent examples are wikis,
 they use '--' as markup (which is usually transformed into an <hr /> when the
 results are output for viewing ... but obviously you want the original markup
 when editing.

"Just because I want to" is not a real world example. The wiki bit is.

 INSERT INTO foo (textfield) VALUES ('--');

 nothing to escape in the case of those chars being part of a string, the
 escaping mechanism [hopefully] ensures that a given string will never contain
 a byte sequence that the query parser will misinterpret as a sign to end the
 string (before the last intended quote delimiter) prematurely and thereby
 treat the remainder of the input string as SQL.

Is the -- here not treated as the beginning of an SQL comment?

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Chuck
On Jan 22, 2008 7:01 PM, Dotan Cohen [EMAIL PROTECTED] wrote:
 I have a file of my own functions that I include in many places. One
 of them uses mysql_real_escape_string, however, it may be called in a
 context that will or will not connect to a mysql server, and worse,
 may already be connected. So I must avoid connecting. However, when I
 run the script without connecting I get this error:

 Warning: mysql_real_escape_string()
 [function.mysql-real-escape-string]: Access denied for user:
 '[EMAIL PROTECTED]' (Using password: NO)

 I was thinking about checking if there is a connection, and if not
 then connecting. This seems redundant to me, however. What is the
 list's opinion of this situation? Thanks in advance.

 Dotan Cohen

 http://what-is-what.com
 http://gibberish.co.il
 א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

 A: Because it messes up the order in which people normally read text.
 Q: Why is top-posting such a bad thing?


Why not write a function that does the same thing?
mysql_real_escape_string is a very simple function. And if your data
is properly normalized and you don't support other charsets it's very
simple.


[PHP] Dealing with MSXML2.ServerXMLHTTP objects

2008-01-23 Thread Richard S. Crawford
For a project at work, I'm writing a PHP script that will process XML
generated and sent by an MSXML2.ServerXMLHTTP object that lives on another
server.  The XML will be sent via POST, but I'm not sure how to deal with
it.  It doesn't look, to me, as though XMLRPC is called for in this case,
but I'm not entirely sure how to deal with the incoming data.

Any suggestions would be more than welcome.

-- 
Richard S. Crawford ([EMAIL PROTECTED])
http://www.mossroot.com
Publisher and Editor in Chief, Daikaijuzine (http://www.daikaijuzine.com)


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Dotan Cohen
On 24/01/2008, Chuck [EMAIL PROTECTED] wrote:

 Why not write a function that does the same thing?
 mysql_real_escape_string is a very simple function. And if your data
 is properly normalized and you don't support other charsets it's very
 simple.


Maintenance and security seem to be two very good reasons to use the
built in function. Do the more experienced in attendance think
differently? Should I go ahead and reimplement the function specific
to the UTF-8 charset?

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread mike
On 1/23/08, Chris [EMAIL PROTECTED] wrote:

 If you need to escape something you're going to do a query aren't you?
 Or am I missing something here?

true. but i typically have everything in wrapper functions, and i
don't keep the actual resource variable exposed to use it (since it
needs a resource)

would be great just to have a string escape with charset, or just pass
it the charset and not the db connection handle.




Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Jochem Maas

Chuck schreef:

On Jan 22, 2008 7:01 PM, Dotan Cohen [EMAIL PROTECTED] wrote:

I have a file of my own functions that I include in many places. One
of them uses mysql_real_escape_string, however, it may be called in a
context that will or will not connect to a mysql server, and worse,
may already be connected. So I must avoid connecting. However, when I
run the script without connecting I get this error:

Warning: mysql_real_escape_string()
[function.mysql-real-escape-string]: Access denied for user:
'[EMAIL PROTECTED]' (Using password: NO)

I was thinking about checking if there is a connection, and if not
then connecting. This seems redundant to me, however. What is the
list's opinion of this situation? Thanks in advance.

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?



Why not write a function that does the same thing?
mysql_real_escape_string is a very simple function. And if your data
is properly normalized and you don't support other charsets it's very
simple.


does "simple" include detection of characters that are multiple bytes in length,
given that he uses UTF-8, which is a variable-length byte encoding scheme?




Re: [PHP] Dealing with MSXML2.ServerXMLHTTP objects

2008-01-23 Thread Richard Lynch
On Wed, January 23, 2008 4:11 pm, Richard S. Crawford wrote:
 For a project at work, I'm writing a PHP script that will process XML
 generated and sent by an MSXML2.ServerXMLHTTP object that lives on
 another
 server.  The XML will be sent via POST, but I'm not sure how to deal
 with
 it.  It doesn't look, to me, as though XMLRPC is called for in this
 case,
 but I'm not entirely sure how to deal with the incoming data.

 Any suggestions would be more than welcome.

Check out the results of searching for raw post data on http://php.net

Should be what you want, I think.

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?

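Following Richard's pointer to the raw POST data, an added example (not code from the thread) of reading the body MSXML2.ServerXMLHTTP sends via php://input and parsing it as untrusted XML. The size cap, the element names and the two sample documents are assumptions made for the example:

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. The sending side's send() puts the
// XML in the raw request body, which PHP exposes as php://input rather than
// in $_POST. The parser below treats that body as untrusted: size-capped,
// no DTD, no network access, no entity substitution. The element names and
// sample documents are constructed for the example.

function read_raw_post_body(int $max_bytes = 1048576): string
{
    // Read one byte beyond the cap so an oversized body is detectable.
    $body = file_get_contents('php://input', false, null, 0, $max_bytes + 1);
    if ($body === false || $body === '' || strlen($body) > $max_bytes) {
        throw new RuntimeException('missing or oversized request body');
    }
    return $body;
}

function parse_untrusted_xml(string $xml): DOMDocument
{
    if (trim($xml) === '') {
        throw new InvalidArgumentException('empty document');
    }
    // Refuse any DTD outright: internal subsets are where entity expansion
    // (billion laughs) lives, external ones are where XXE lives.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new InvalidArgumentException('DTDs are not accepted');
    }
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);   // default-off from PHP 8.0 onwards
    }
    $prev = libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        // LIBXML_NONET forbids network fetches while parsing. LIBXML_NOENT and
        // LIBXML_DTDLOAD are deliberately absent.
        if (!$doc->loadXML($xml, LIBXML_NONET)) {
            $err = libxml_get_last_error();
            throw new InvalidArgumentException(
                'malformed XML: ' . ($err ? trim($err->message) : 'unknown error')
            );
        }
        return $doc;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($prev);
    }
}

// Pull out only the fields this endpoint expects; anything else is ignored.
function extract_order(DOMDocument $doc): array
{
    $root = $doc->documentElement;
    if ($root === null || $root->tagName !== 'order') {
        throw new InvalidArgumentException('unexpected root element');
    }
    $field = static function (string $name) use ($root): string {
        $nodes = $root->getElementsByTagName($name);
        if ($nodes->length !== 1) {
            throw new InvalidArgumentException("expected exactly one <$name>");
        }
        return trim($nodes->item(0)->textContent);
    };
    $id  = $field('id');
    $qty = $field('qty');
    if (!ctype_digit($id) || !ctype_digit($qty)) {
        throw new InvalidArgumentException('id and qty must be unsigned integers');
    }
    return ['id' => (int) $id, 'qty' => (int) $qty];
}

// Constructed samples: a well-formed order, and one that tries to read a local file.
$good = '<?xml version="1.0" encoding="UTF-8"?><order><id>42</id><qty>3</qty></order>';
$xxe  = '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY f SYSTEM "file:///etc/passwd">]>'
      . '<order><id>&f;</id><qty>1</qty></order>';

var_export(extract_order(parse_untrusted_xml($good)));   // id 42, qty 3
echo "\n";
try {
    parse_untrusted_xml($xxe);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";             // DTDs are not accepted
}
// In the real endpoint: extract_order(parse_untrusted_xml(read_raw_post_body()));
```

Nothing here needs XML-RPC: the sender posts a plain XML document, so the receiver reads the body, parses it defensively, and validates the handful of fields it actually uses.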



Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Richard Lynch
On Wed, January 23, 2008 4:04 pm, Dotan Cohen wrote:
 Is the -- here not treated as the beginning of an SQL comment?

No, because it is inside the apostrophes.

The purpose of mysql_real_escape_string (or using prepared statements)
is to mark up (or separate) the DATA from the QUERY.

The data about to be put into the database being escaped by
mysql_real_escape_string is sufficient to be sure nobody is playing
games with apostrophe followed by -- which could, in theory, insert an
SQL comment or allow them to execute arbitrary SQL code.

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?




Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Richard Lynch
On Wed, January 23, 2008 3:18 pm, Dotan Cohen wrote:
 I think it was here on this list that we saw an example of SQL
 injection despite the use of mysql_escape_string. Some funky Asian
 charset was used, no?

I don't know that I'd call it funky, but yes.

Without the "real" version, MySQL does not know what charset you are using.

Without the charset, MySQL does not know what character codes to escape.

Without that, characters that it thinks are fine because it assumes
Latin-1 (or whatever) are not, in fact, fine because they are NOT
Latin-1.

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?

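An added example, not code from anyone on the thread, that makes both of Richard's points concrete without a database: a quoted '--' stays data as long as the quote delimiters survive, and a byte-at-a-time escaper that does not know the connection charset can be beaten by a multibyte sequence. addslashes() stands in for the old mysql_escape_string(), which went away with the mysql extension in PHP 7; the table and query are assumptions; the GBK payload is the classic one; lookup_user() needs a live mysqli connection and is shown rather than run:

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Demonstrates (1) that a quoted
// '--' is data, not a comment, while the quote delimiters are intact, and
// (2) how escaping that is unaware of the connection charset lets a
// multibyte sequence swallow the escaping backslash. Query is an assumption.

// A connectionless, byte-at-a-time escaper: what addslashes() and the old
// mysql_escape_string() do, backslashing ' " \ and NUL one byte at a time.
function naive_escape(string $s): string
{
    return addslashes($s);
}

function build_query_naive(string $name): string
{
    return "SELECT id FROM users WHERE name = '" . naive_escape($name) . "'";
}

// Walk the query the way a parser using $charset would: split into characters
// of that charset, treat a backslash as escaping the next character, and count
// the quote delimiters that remain. One string literal should yield exactly 2.
function quote_delimiters(string $query, string $charset): int
{
    $chars = mb_str_split($query, 1, $charset);   // PHP 7.4+
    $count = 0;
    for ($i = 0, $n = count($chars); $i < $n; $i++) {
        if ($chars[$i] === '\\') {
            $i++;                 // escaped character, whatever it is
            continue;
        }
        if ($chars[$i] === "'") {
            $count++;
        }
    }
    return $count;
}

function literal_broken_out(string $query, string $charset): bool
{
    return quote_delimiters($query, $charset) !== 2;
}

// The connection-aware alternative: tell the server the charset, then keep the
// data out of the query text entirely with a prepared statement. Needs a live
// mysqli connection, so it is not exercised below.
function lookup_user(mysqli $db, string $name): ?int
{
    $db->set_charset('utf8mb4');
    $stmt = $db->prepare('SELECT id FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_row();
    return $row === null ? null : (int) $row[0];
}

// (1) A literal '--' is harmless under any charset: still exactly 2 delimiters,
// so the parser is still inside the string when it meets the dashes.
$q1 = build_query_naive('--');
echo $q1, "\n";
var_dump(literal_broken_out($q1, 'ISO-8859-1'), literal_broken_out($q1, 'GBK'));  // false, false

// (2) Constructed payload: lead byte 0xBF, then a quote. addslashes() inserts
// 0x5C before the quote; read as GBK the bytes 0xBF 0x5C form one character,
// so the quote that follows is a live delimiter again and the rest is SQL.
$q2 = build_query_naive("\xbf' OR 1=1 -- ");
echo bin2hex($q2), "\n";
var_dump(literal_broken_out($q2, 'ISO-8859-1'), literal_broken_out($q2, 'GBK'));  // false, true
```

The escaper did its job byte for byte; what changed between the two var_dump() results is only which charset the parser used to group those bytes into characters, which is precisely the information a connectionless escaper does not have.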



Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Richard Lynch


On Wed, January 23, 2008 3:30 pm, Chris wrote:

 Right now I still use mysql_escape_string and it seems to work fine,
 but it makes me nervous as everything else I use is mysqli and I
 know
 it is not 100% compatible (just haven't had anything break it yet) -
 but I hate having to have a connection handle open just to escape
 things.

 If you need to escape something you're going to do a query aren't you?
 Or am I missing something here?

One Example:
Perhaps you have a zillion chunks of data which you wish to cram into
a text file for insertion on a different box at a later time, as
quickly as possible, without the encoding happening on that box, for
whatever reason...

Not, perhaps, the most common scenario, and not, perhaps, the best way
to solve whatever led there, but it's not a totally unreasonable
thing.

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?




Re: [PHP] including files outside of document root

2008-01-23 Thread Richard Lynch
On Wed, January 23, 2008 1:50 pm, Roberto Mansfield wrote:
 Jason Pruim wrote:

 Been doing some reading on security and have decided that I should
 be
 storing my include files outside of the document root... Which I
 understand how to do it, but what I'm wondering, is say I write the
 Next Killer App (tm). How would I port that code easily off of my
 server and put it into a downloadable file for the millions of
 people
 who will download and run  the Next Killer App (tm)?

 I tend to keep the directories in the document root, but I deny access
 via an .htaccess file. This keeps the code in a simple directory
 structure. Anyone else doing that?

I used to do that.

Then I had to move the site one day.

Simple enough...

tar -cvf moving.tar httpdocs
gzip moving.tar

Copy the file over, and untar it:

tar -xzvf moving.tar.gz

Should be all good to go, right?

Wrong!

tar didn't snag all the .htaccess files.

For a brief moment in time my source code was exposed.

And the admin had no password protection.

And the images being generated by PHP|GD didn't work.

And...

I found and fixed it easily enough, but it would have gone undetected
for a long time if I hadn't had the other issues.

So I don't do that anymore, and I put the .inc files outside the web
tree.

ymmv

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?




Re: [PHP] including files outside of document root

2008-01-23 Thread Richard Lynch
On Wed, January 23, 2008 3:19 pm, Jason Pruim wrote:
 Okay, so I have this mostly working now! if I put my
 ini_set('include_path', 'blah/to/blah'); on each and every page. I
 know I could include a file that is in the document root which
 specified that, but I was wondering if I was missing something?
 Obviously other than changing the php.ini file?

Change php.ini or use .htaccess (if you use Apache) or have ONE include
file in the webtree that does this and include that.

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?

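An added example, not the poster's or the list's code, of the "one bootstrap include" approach together with the check a practitioner would want after Richard's story: the include directory must really be outside the document root, not merely guarded by an .htaccess file that a copy might drop. Directory names are assumptions; the self-test creates them under the system temp dir so it runs anywhere:

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. One bootstrap file, included by
// every page, that puts the private include directory on include_path and
// refuses to run if that directory sits inside the document root.
// Directory names are assumptions; the self-test builds temporary ones.

function assert_outside_document_root(string $document_root, string $includes): string
{
    $root = realpath($document_root);
    $inc  = realpath($includes);
    if ($root === false || $inc === false) {
        throw new RuntimeException('document root or include directory does not exist');
    }
    // Compare canonical paths with a trailing separator, so that /srv/www does
    // not "contain" /srv/www-private by a mere string prefix.
    $rootPrefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $incPrefix  = rtrim($inc, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($incPrefix, $rootPrefix, strlen($rootPrefix)) === 0) {
        throw new RuntimeException("$inc is inside the document root $root");
    }
    return $inc;
}

// What each page does instead of repeating ini_set('include_path', ...):
//   require __DIR__ . '/bootstrap.php';   // this file
//   require 'includeme.php';              // resolved through include_path
function bootstrap_include_path(string $document_root, string $includes): string
{
    $inc = assert_outside_document_root($document_root, $includes);
    set_include_path($inc . PATH_SEPARATOR . get_include_path());
    return $inc;
}

// Self-test with constructed directories: htdocs/ is the document root,
// includes/ beside it is private, htdocs/includes/ is the mistake to catch.
$base    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'incpath-' . bin2hex(random_bytes(4));
$docroot = $base . DIRECTORY_SEPARATOR . 'htdocs';
$private = $base . DIRECTORY_SEPARATOR . 'includes';
$inside  = $docroot . DIRECTORY_SEPARATOR . 'includes';
foreach ([$docroot, $private, $inside] as $dir) {
    mkdir($dir, 0700, true);
}
file_put_contents(
    $private . DIRECTORY_SEPARATOR . 'includeme.php',
    "<?php return 'loaded from outside the web tree';\n"
);

echo bootstrap_include_path($docroot, $private), "\n";
$msg = require 'includeme.php';          // bare name, found through include_path
echo $msg, "\n";

try {
    bootstrap_include_path($docroot, $inside);
} catch (RuntimeException $e) {
    echo 'refused: ', $e->getMessage(), "\n";   // .../htdocs/includes is inside ...
}

// Cleanup of the constructed directories.
unlink($private . DIRECTORY_SEPARATOR . 'includeme.php');
foreach ([$inside, $private, $docroot, $base] as $dir) {
    rmdir($dir);
}
```

For the "Next Killer App (tm)" packaging question this also answers itself: ship htdocs/ and includes/ as sibling directories, and the one bootstrap file is the only place that knows where includes/ ended up.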



[PHP] Posting Summary for Week Ending 25 January, 2008: php-general@lists.php.net

2008-01-23 Thread Jochem Maas


Posting Summary for PHP-General List
Week Ending: Friday, 25 January, 2008

Messages    | Bytes          | Sender
------------+----------------+------------------------------------
697  (100%) | 975244  (100%) | EVERYONE
690 (98.9%) | 974000 (99.8%) | Richard Lynch [EMAIL PROTECTED]
  7  (1.1%) |   1244  (0.2%) | everyone else




Re: [PHP] Posting Summary for Week Ending 25 January, 2008: php-general@lists.php.net

2008-01-23 Thread Daniel Brown
On Jan 23, 2008 6:57 PM, Jochem Maas [EMAIL PROTECTED] wrote:

 Posting Summary for PHP-General List
 Week Ending: Friday, 25 January, 2008

 Messages    | Bytes          | Sender
 ------------+----------------+------------------------------------
 697  (100%) | 975244  (100%) | EVERYONE
 690 (98.9%) | 974000 (99.8%) | Richard Lynch [EMAIL PROTECTED]
   7  (1.1%) |   1244  (0.2%) | everyone else





Aside from the fact that I'm sure to get hate mail from people who
think my script just sent that again HA!

Dude, I laughed so loud that it echoed in the halls of the
Engineering Wing over here.  What makes it so funny?  That it's not
much of an exaggeration!  ;-D

-- 
/Dan

Daniel P. Brown
Senior Unix Geek and #1 Rated Year's Coolest Guy By Self Since
Nineteen-Seventy-[mumble].




Re: [PHP] Posting Summary for Week Ending 25 January, 2008: php-general@lists.php.net

2008-01-23 Thread Jochem Maas

Daniel Brown schreef:

On Jan 23, 2008 6:57 PM, Jochem Maas [EMAIL PROTECTED] wrote:

Posting Summary for PHP-General List
Week Ending: Friday, 25 January, 2008

Messages    | Bytes          | Sender
------------+----------------+------------------------------------
697  (100%) | 975244  (100%) | EVERYONE
690 (98.9%) | 974000 (99.8%) | Richard Lynch [EMAIL PROTECTED]
  7  (1.1%) |   1244  (0.2%) | everyone else






Aside from the fact that I'm sure to get hate mail from people who
think my script just sent that again HA!

Dude, I laughed so loud that it echoed in the halls of the
Engineering Wing over here.  What makes it so funny?  That it's not
much of an exaggeration!  ;-D



very glad to raise a laugh :-) those without a sense of humour should
leave the php highway at the next exit. ;-)

I guess I was bored, figured I'd have some fun and artificially boost my post
stats while I'm at it ... I've been busy wracking my brain trying to figure out
the setup for a load-balanced configuration for one of my major clients ... at
least a system capable of migrating to loadbalancing ... global file system,
virtual machines, all that jazz. I'm in over my head as usual.

nothing like a bit of comic relief to take the edge off.

oh and I'm gonna hold you to that beer one day :-)




Re: [PHP] Posting Summary for Week Ending 25 January, 2008: php-general@lists.php.net

2008-01-23 Thread Daniel Brown
On Jan 23, 2008 7:13 PM, Jochem Maas [EMAIL PROTECTED] wrote:
 I guess I was bored, figured I'd have some fun and artificially boost my post
 stats while I'm at it ... I've been busy wracking my brain trying to figure out
 the setup for a load-balanced configuration for one of my major clients ... at
 least a system capable of migrating to loadbalancing ... global file system,
 virtual machines, all that jazz. I'm in over my head as usual.

Let me know (privately, of course) if you need a hand with
anything.  Even just someone to bounce ideas off.  I've worked a
pretty fair amount with load-balancing for some rather high-profile
companies over the years.

 oh and I'm gonna hold you to that beer one day :-)

We should hold an annual convention.  Hell, I'd even host it.  A
houseful of drunk geeks?  That's my kind of party (but Debs, the
pre-wife, probably won't be invited ;-P ).

-- 
/Dan

Daniel P. Brown
Senior Unix Geek and #1 Rated Year's Coolest Guy By Self Since
Nineteen-Seventy-[mumble].




[PHP] upload issue

2008-01-23 Thread nihilism machine

i am using this code on my form page:

<form action="uploadAd2.php" enctype="multipart/form-data"
method="post" name="adForm" id="adForm">
<!-- the reflected query parameter is escaped so it cannot break out of the attribute -->
<input type="hidden" name="donorID" value="<?php echo htmlspecialchars($_GET['ID'] ?? '', ENT_QUOTES); ?>" />

<input type="hidden" name="MAX_FILE_SIZE" value="30" />
<input type="file" name="upload1" />
<input type="image" src="admin/images/next.png" name="Submit"
alt="Submit Form" />
</form>




my upload code is below:


$uploaddir = 'admin/advertisements/';
// basename() drops any directory part of the client-supplied name
$uploadfileTmp = basename($_FILES['upload1']['name']);
$uploadfile = $uploaddir . $uploadfileTmp;
if (move_uploaded_file($_FILES['upload1']['tmp_name'], $uploadfile)) {
    $FileName = $uploadfileTmp;
} else {
    echo 'Error!';
    exit();
}





my error is:


Internal Server Error

The server encountered an internal error or misconfiguration and was  
unable to complete your request.


Please contact the server administrator, [EMAIL PROTECTED] and  
inform them of the time the error occurred, and anything you might  
have done that may have caused the error.


More information about this error may be available in the server error  
log.


---


any ideas? i have no access to error.log...




Re: [PHP] upload issue

2008-01-23 Thread Richard Lynch
On Wed, January 23, 2008 6:55 pm, nihilism machine wrote:
 i am using this code on my form page:

 <form action="uploadAd2.php" enctype="multipart/form-data"
 method="post" name="adForm" id="adForm">
 <input type="hidden" name="donorID" value="<?php echo $_GET['ID']; ?>"
   />
 <input type="hidden" name="MAX_FILE_SIZE" value="30" />
 <input type="file" name="upload1" />
 <input type="image" src="admin/images/next.png" name="Submit"
 alt="Submit Form" />



 my upload code is below:


 $uploaddir = 'admin/advertisements/';
 $uploadfileTmp = basename($_FILES['upload1']['name']);
 $uploadfile = $uploaddir . basename($_FILES['upload1']['name']);
 if (move_uploaded_file($_FILES['upload1']['tmp_name'], $uploadfile)) {
   $FileName = $uploadfileTmp;
 } else {
   echo 'Error!';
   exit();
 }





 my error is:


 Internal Server Error

 The server encountered an internal error or misconfiguration and was
 unable to complete your request.

 Please contact the server administrator, [EMAIL PROTECTED] and
 inform them of the time the error occurred, and anything you might
 have done that may have caused the error.

 More information about this error may be available in the server error
 log.

Check the error_log of Apache.

It will almost certainly have more info.

You'll have to cause the error again or know the time when it happened
to find the error.

You should also make sure plain simple pages like <?php phpinfo() ?>
work as expected.

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Posting Summary for Week Ending 25 January, 2008: php-general@lists.php.net

2008-01-23 Thread Paul Scott

On Thu, 2008-01-24 at 01:13 +0100, Jochem Maas wrote:
 stats while I'm at it ... I've been busy wracking my brain trying to
 figure out
 the setup for a load-balanced configuration for one of my major
 clients ... at least
 a system capable of migrating to loadbalancing ... global file system,
 virtual machines,
 all that jazz. I'm in over my head as usual.

Have you taken a look at LVS yet? I presume that you are not attempting
this on a Windows cluster - right?

http://www.linuxvirtualserver.org/

I just had to do the same thing for my University systems - come up with
an architecture at least. If you would like the dox, let me know - they
are all CC licensed.

--Paul

All Email originating from UWC is covered by disclaimer 
http://www.uwc.ac.za/portal/public/portal_services/disclaimer.htm 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Dotan Cohen
On 24/01/2008, Richard Lynch [EMAIL PROTECTED] wrote:
 On Wed, January 23, 2008 4:04 pm, Dotan Cohen wrote:
  Is the -- here not treated as the beginning of an SQL comment?

 No, because it is inside the apostrophes.

 The purpose of mysql_real_escape_string (or using prepared statements)
 is to mark up (or separate) the DATA from the QUERY.

 The data about to be put into the database being escaped by
 mysql_real_escape_string is sufficient to be sure nobody is playing
 games with apostrophe followed by -- which could, in theory, insert an
 SQL comment or allow them to execute arbitrary SQL code.

In that case, the function:

function clean_mysql ($dirty) {
  $dirty=str_replace("--", "", $dirty);
  $dirty=str_replace(";", "", $dirty);
  $clean=mysql_real_escape_string($dirty);
  return $clean;
}

Can be reduced to:

function clean_mysql ($dirty) {
  $clean=mysql_real_escape_string($dirty);
  return $clean;
}

Which basically is the same as a simple mysql_real_escape_string? In
other words, mysql_real_escape_string itself is safe from SQL
injection?

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
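An added example, not code from the thread, to make Richard's "separate the DATA from the QUERY" point concrete and to show the one situation where escaping alone does not help. It uses PDO with an in-memory SQLite database so it runs offline (the old `mysql_*` functions need a live server and no longer exist in PHP 7+); the table, its two rows and the sample inputs are constructed for the demo.

```php
<?php
// Added example, not from the thread: escaping or binding keeps DATA out of
// the QUERY text. PDO + in-memory SQLite so it runs with no database server;
// the table, rows and inputs below are constructed for the demo.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// The input the thread worries about: an apostrophe followed by "--".
$input = "x' --";

// 1. Prepared statement: the value travels as a parameter, never as SQL
//    text, so the apostrophe and the comment marker are just bytes in a
//    string and the query matches no row.
$stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
$stmt->execute([':name' => $input]);
$bound = $stmt->fetchAll(PDO::FETCH_COLUMN);

// 2. Escaping: PDO::quote() is the driver-aware counterpart of
//    mysql_real_escape_string(). For SQLite it needs no server; MySQL
//    escaping depends on the connection's character set, which is why
//    mysql_real_escape_string() insists on an open connection. quote()
//    doubles the apostrophe and adds the surrounding quotes, so "--" stays
//    inside the string literal and is never seen as a comment.
$sql = 'SELECT name FROM users WHERE name = ' . $pdo->quote($input);
$escaped = $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);

// 3. The caveat: escaping only protects a value that sits between quotes.
//    In an unquoted numeric position there is nothing to escape, so a value
//    such as "1 OR 1=1" rewrites the WHERE clause and every row comes back.
$id = '1 OR 1=1';
$unquoted = $pdo->query("SELECT name FROM users WHERE id = $id")->fetchAll(PDO::FETCH_COLUMN);

//    Fix: bind it as an integer (or cast with (int) before interpolating),
//    which turns the same input into the single id 1.
$stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
$stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
$stmt->execute();
$boundInt = $stmt->fetchAll(PDO::FETCH_COLUMN);

printf("escaped SQL text: %s\n", $sql);
printf("bound string matched %d row(s), escaped string matched %d row(s)\n",
    count($bound), count($escaped));
printf("unquoted numeric context returned %d row(s), bound integer returned %d row(s)\n",
    count($unquoted), count($boundInt));
```

So the answer to the question above is yes for the case it asks about: a value escaped with `mysql_real_escape_string` and placed inside apostrophes cannot break out of the string literal, so stripping `--` and `;` first adds nothing. The stripping would also mangle legitimate data. The limit is in case 3: escaping is only meaningful inside a quoted literal, so numeric and other unquoted positions need a cast or a bound parameter, which is why prepared statements are the simpler rule to follow everywhere.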


[PHP] String Issue

2008-01-23 Thread Johny Burns
I have the following string on the address line

HTMLFiles/MenuDisplay.php?var=Thai%20Image&Item=1797&Action=add

I am trying to delete or replace the '&Item=1797&Action=add' (it is at the 
end of the string)

I am not as familiar with those string functions; if somebody can 
give me some suggestions, I will appreciate it.

Thank you in advance. 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] String Issue

2008-01-23 Thread Robert Cummings

On Wed, 2008-01-23 at 23:30 -0600, Johny Burns wrote:
 I have the following string on the address line
 
 HTMLFiles/MenuDisplay.php?var=Thai%20Image&Item=1797&Action=add
 
 I am trying to delete or replace the '&Item=1797&Action=add' (it is at the 
 end of the string)
 
 I am not as familiar with those string functions; if somebody can 
 give me some suggestions, I will appreciate it.
 
 Thank you in advance. 

You want the following functions:

http://www.php.net/manual/en/function.parse-url.php
http://www.php.net/manual/en/function.parse-str.php

Cheers,
Rob.
-- 
...
SwarmBuy.com - http://www.swarmbuy.com

Leveraging the buying power of the masses!
...

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
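An added example, not Rob's or the poster's code, of the approach Rob points at: parse the query string into an array with `parse_url()` and `parse_str()`, drop the unwanted keys, and rebuild the URL with `http_build_query()` instead of editing the string with a regex. The input URL is the one from the post; the function name `remove_query_params` is an assumption for this example.

```php
<?php
// Added example, not from the thread: remove query parameters by name using
// parse_url()/parse_str()/http_build_query(). The URL is the one from the
// post; the function name is an assumption for this example.

function remove_query_params(string $url, array $dropKeys): string
{
    $parts = parse_url($url);
    if ($parts === false) {
        throw new InvalidArgumentException('malformed URL');
    }

    // Always pass the result array: parse_str() without it used to create
    // variables from the query string (removed in PHP 8, but still a trap
    // in older code).
    $params = [];
    if (isset($parts['query'])) {
        parse_str($parts['query'], $params);   // also decodes %20 etc.
    }
    foreach ($dropKeys as $key) {
        unset($params[$key]);
    }

    // Rebuild what parse_url() took apart (user:pass is deliberately not
    // carried over). A relative URL like the one in the post has only a path.
    $rebuilt = '';
    if (isset($parts['scheme'])) {
        $rebuilt .= $parts['scheme'] . '://';
    }
    if (isset($parts['host'])) {
        $rebuilt .= $parts['host'];
    }
    if (isset($parts['port'])) {
        $rebuilt .= ':' . $parts['port'];
    }
    $rebuilt .= $parts['path'] ?? '';

    if ($params !== []) {
        // http_build_query() re-encodes every value, so "Thai Image" goes back
        // out percent-encoded rather than raw.
        $rebuilt .= '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    }
    if (isset($parts['fragment'])) {
        $rebuilt .= '#' . $parts['fragment'];
    }
    return $rebuilt;
}

$url = 'HTMLFiles/MenuDisplay.php?var=Thai%20Image&Item=1797&Action=add';
echo remove_query_params($url, ['Item', 'Action']), "\n";
```

For the post's URL this prints `HTMLFiles/MenuDisplay.php?var=Thai%20Image`. Working on the parsed parameters rather than the raw string means the result does not depend on `Item` being last, and the re-encoding step keeps whatever was in `var` from being emitted unencoded.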



Re: [PHP] String Issue

2008-01-23 Thread venkatk

Hi,

Try this:

$str = 'HTMLFiles/MenuDisplay.php?var=Thai%20Image&Item=1797&Action=add';
$str = preg_replace('/(&Item.*)$/', 'REPLACEMENT STRING', $str);

this should work.

Cheers,
V

-Original Message-
From: Johny Burns [EMAIL PROTECTED]
To: php-general@lists.php.net
Sent: Thu, 24 Jan 2008 11:00 am
Subject: [PHP] String Issue
I have the following string on the address line

HTMLFiles/MenuDisplay.php?var=Thai%20Image&Item=1797&Action=add

I am trying to delete or replace the '&Item=1797&Action=add' (it is at the 
end of the string)

I am not as familiar with those string functions; if somebody can 
give me some suggestions, I will appreciate it.

Thank you in advance.