php-general Digest 23 Jan 2008 13:54:36 -0000 Issue 5252
Topics (messages 267879 through 267903):

Re: password hashing and crypt()
        267879 by: Richard Lynch
        267880 by: Chris
        267885 by: Richard Lynch
        267887 by: Chris
        267894 by: Nathan Nobbe
        267895 by: Robert Cummings

Re: including files outside of document root
        267881 by: Richard Lynch

Re: Using mysql_real_escape_string without connecting to mysql
        267882 by: Richard Lynch
        267884 by: Dotan Cohen

Re: Posting Summary for Week Ending 18 January, 2008: [EMAIL PROTECTED]
        267883 by: Richard Lynch
        267897 by: Per Jessen

sessions/cookies
        267886 by: nihilism machine
        267890 by: Eric Butera
        267892 by: Nathan Nobbe

Re: mssql and latin characters
        267888 by: Eric Butera

Re: PHP SOAP Client formats
        267889 by: Samisa Abeysinghe

Re: Upgrade to PHP5 and having issues with mysql
        267891 by: Robert Cummings

Re: Tool for programmer team
        267893 by: Nathan Nobbe

Re: Foreach
        267896 by: Nathan Nobbe
        267900 by: Eric Butera

successful compiled, but errors at use
        267898 by: Andre Hübner

Re: Resetting drop-downlists in input-fields for texts
        267899 by: Tor Vidvei

Re: Best Approach
        267901 by: Al

Re: re-compiling PHP on Mac OS X
        267902 by: mbneto

DOM API Namespaces - help?
        267903 by: Nathan Rixham

Administrivia:

To subscribe to the digest, e-mail:
        [EMAIL PROTECTED]

To unsubscribe from the digest, e-mail:
        [EMAIL PROTECTED]

To post to the list, e-mail:
        [EMAIL PROTECTED]

----------------------------------------------------------------------

---BeginMessage---
On Sat, January 19, 2008 8:24 pm, Eric Butera wrote:
> I always make sure that I use a site specific salt which is just
> appended on the user supplied value. I started doing that when I read
> that people had created huge databases of hashed values that they can
> just search on. At least this way no matter what the password isn't a
> dictionary word. As for if that really adds value in the end I can't
> say as I'm not really a security expert.
>
> Eg. hash('sha256', $input.$salt);

The Bad Guys create humongous databases of every dictionary word with
every possible salt...

So what salt you use does not matter...

So I don't think you are really adding any extra security here...

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?
---End Message---
---BeginMessage---
Richard Lynch wrote:
> On Sat, January 19, 2008 8:24 pm, Eric Butera wrote:
>> I always make sure that I use a site specific salt which is just
>> appended on the user supplied value. I started doing that when I read
>> that people had created huge databases of hashed values that they can
>> just search on. At least this way no matter what the password isn't a
>> dictionary word. As for if that really adds value in the end I can't
>> say as I'm not really a security expert.
>>
>> Eg. hash('sha256', $input.$salt);
>
> The Bad Guys create humongous databases of every dictionary word with
> every possible salt...
>
> So what salt you use does not matter...

Sure it does.

I could use my server name or the application's url, the current time,
whatever I like and put all of that in the salt. There's no way they'll
have that in their dictionary.

As long as I store the salt I know how to compare it again later.

-- 
Postgresql php tutorials
http://www.designmagick.com/
---End Message---
---BeginMessage---
On Tue, January 22, 2008 7:43 pm, Chris wrote:
> Richard Lynch wrote:
>> On Sat, January 19, 2008 8:24 pm, Eric Butera wrote:
>>> I always make sure that I use a site specific salt which is just
>>> appended on the user supplied value. I started doing that when I read
>>> that people had created huge databases of hashed values that they can
>>> just search on. At least this way no matter what the password isn't a
>>> dictionary word. As for if that really adds value in the end I can't
>>> say as I'm not really a security expert.
>>>
>>> Eg. hash('sha256', $input.$salt);
>>
>> The Bad Guys create humongous databases of every dictionary word with
>> every possible salt...
>>
>> So what salt you use does not matter...
>
> Sure it does.
>
> I could use my server name or the application's url, the current time,
> whatever I like and put all of that in the salt. There's no way they'll
> have that in their dictionary.
>
> As long as I store the salt I know how to compare it again later.

For the algorithms used by crypt(), the salt is IN the crypted value.

If the Bad Guy has the crypted value, they already have the salt.

They can maybe make a dictionary that is MUCH larger with every possible
salt, and do a simple comparison.

Or they can quickly write up a crypt()-based script that extracts the
salt and tries the Top 10,000 passwords for each.

Most Un*x systems come with /usr/share/dict/web2,
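The thread contrasts a single site-wide salt with the per-value salt that crypt() stores inside its own output. The following is an added example, not code from any poster, that shows both behaviours side by side in PHP. It assumes PHP 7 or later (random_bytes(), hash_equals()); the site salt string and the sample password are constructed values.

```php
<?php
// Site-wide salt, as in the thread: hash('sha256', $input . $salt).
// Every account with the same password gets the same hash, so one
// precomputed table per site covers all of them once the salt is known.
function siteSaltedHash(string $password, string $siteSalt): string {
    return hash('sha256', $password . $siteSalt);
}

// crypt() with a fresh random salt per value. The salt is generated here
// (16 random bytes, encoded into bcrypt's ./A-Za-z0-9 alphabet) and crypt()
// writes it into the returned string, so nothing else has to be stored.
function perUserCrypt(string $password): string {
    $salt = '$2y$10$' . substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return crypt($password, $salt);
}

// Verification passes the stored value back as the salt: crypt() reads the
// algorithm, cost and salt from it, and hash_equals() compares in constant time.
function verifyCrypt(string $password, string $stored): bool {
    return hash_equals($stored, crypt($password, $stored));
}

$siteSalt = 'example.com-2008';   // constructed
$pw       = 'correct horse';      // constructed

$a = siteSaltedHash($pw, $siteSalt);
$b = siteSaltedHash($pw, $siteSalt);
echo "site-wide salt, two users, same password: ",
     ($a === $b ? 'identical hashes' : 'different hashes'), "\n";

$c = perUserCrypt($pw);
$d = perUserCrypt($pw);
echo "per-user salt, two users, same password:  ",
     ($c === $d ? 'identical hashes' : 'different hashes'), "\n";
echo "salt is carried in the stored value:       ", substr($c, 0, 29), "...\n";
echo "verify right password: ", var_export(verifyCrypt($pw, $c), true), "\n";
echo "verify wrong password: ", var_export(verifyCrypt('tr0ub4dor', $c), true), "\n";
```

The per-user salt does not make a single weak password stronger, which is Richard's point, but it removes the one-table-cracks-everyone shortcut, which is Chris's. On PHP 5.5 and later, password_hash() and password_verify() do exactly what perUserCrypt() and verifyCrypt() do here, with the salt generation handled for you.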
[PHP] successful compiled, but errors at use
Hi List,

my Situation is as follows. I use on suse 10.1 apache2 and php5 as module and php5 as cgi using mod_fcgid. For some tests I also want to have a php4 as second cgi.

I compiled with this configure-line:

./configure --prefix=/usr/ --datadir=/usr/share/php/ --bindir=/usr/bin/ --libdir=/usr/share/ --with-exec-dir=/usr/lib/php/bin/ \
  --with-config-file-path=/etc/php4Cgi --with-config-file-scan-dir=/etc/php4-config --enable-force-cgi-redirect --enable-memory-limit \
  --enable-sigchild --enable-track-vars --enable-trans-sid --with-mysql=no --enable-bcmath --enable-calendar --enable-ctype \
  --enable-dbase --enable-exif --enable-filepro --enable-ftp --enable-magic-quotes --enable-mbstr-enc-trans --enable-mbstring \
  --enable-shmop --enable-sysvsem --enable-sysvshm --enable-wddx --with-gettext --with-gmp --with-mcrypt --with-mcal=/usr/ \
  --with-iconv --with-mcrypt --with-zlib --with-bz2 --with-openssl=/usr --with-pear --with-pcre-regex --enable-suhosin \
  --with-config-file-path=/etc/php4Cgi --enable-discard-path --enable-fastcgi

Compiling etc. was successful. After make I renamed sapi/cgi/php to php-4.4.8 and moved it to my location.
In apacheconf I activated this php-4.4.8 for some file-extensions with AddHandler/Action.

The call itself seems to work, but I get an error from php itself if I want to parse a phpinfo();

Warning: Unexpected character in input: '' (ASCII=27) state=1 in /folders/php-4.4.8 on line 3600
Warning: Unexpected character in input: '' (ASCII=8) state=1 in /folders/php-4.4.8 on line 3600
Warning: Unexpected character in input: '' (ASCII=3) state=1 in /folders/php-4.4.8 on line 3600
Warning: Unexpected character in input: ' in /folders/php-4.4.8 on line 3600
Warning: Unexpected character in input: ' in /folders/php-4.4.8 on line 3600
Warning: Unexpected character in input: ' in /folders/php-4.4.8 on line 3600
Parse error: syntax error, unexpected T_STRING in /folders/php-4.4.8 on line 3600

But if I call this php-4.4.8 on console I can parse my files successfully.

What goes wrong? I have no idea what I did not do correctly. Can anybody help please?

Thanks
Andre
Re: [PHP] Resetting drop-downlists in input-fields for texts
On Mon, 21 Jan 2008 17:23:34 +0100, Daniel Brown [EMAIL PROTECTED] wrote:

> The only way I can think of that would allow you to do it is to
> dynamically-name the fields in the form. By doing so, AutoComplete
> won't be able to recognize the fields, and you should be in good shape.
>
> In the example I'm sending, keep in mind that input should still be
> sanitized properly, and it's by no means as a copy-and-paste-for-production script.
>
> <?php
> session_start();
>
> if($_POST && isset($_SESSION['target'])) {
>     /* This is just here for demonstration.  Do your processing as
>        you'd like with the POST data here.  There are two methods
>        shown.  Note the use of the curly brackets and square brackets,
>        as well as the order in which they're typed. */
>
>     /* Method 1: for()
>     for($i=0;$i<count(${$_SESSION['target']});$i++) {
>         echo ${$_SESSION['target']}[$i]."<br />\n";
>     }
>     */
>
>     /* Method 2: foreach()
>        Further handling would be needed to make the variables valid,
>        because $0, $1, $2, etc., are not valid variables.  Again, this
>        is only for demonstration purposes. */
>     foreach(${$_SESSION['target']} as $p => $v) {
>         echo $p.": ".$v."<br />\n";
>     }
> }
>
> // Define the unique field name for the form, based on Epoch time.
> $_SESSION['target'] = "field_".time();
>
> // Adding the brackets after the name will print properly
> // in HTML to designate the POST fields as an array.
> $html_field = $_SESSION['target']."[]";
> ?>
> <form method="post" action="<?=$_SERVER['PHP_SELF'];?>">
> Field 1: <input type="text" name="<?=$html_field;?>" /><br />
> Field 2: <input type="text" name="<?=$html_field;?>" /><br />
> Field 3: <input type="text" name="<?=$html_field;?>" /><br />
> <input type="submit" value="Post Now" />
> </form>

Thanks a lot!

I have used the method with <form autocomplete="off"> as this method works fine in the browsers I have tested: IE, FireFox and Opera. If a more specific control over the autocomplete is needed, however, I think your method would provide an excellent solution.

In my current project: The autocomplete feature is useful as long as the user works with the same set of exercises, but disturbing when they start on a new set of exercises. If an id that identifies the current set of exercises is given with the url like http:/.../exercises.php?id=12345 this id could be used while constructing the field names according to your method. Then autocomplete would work as wanted. I will put it on the ToDo-list!

Regards,
Tor

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Foreach
On Jan 23, 2008 12:58 AM, Nathan Nobbe [EMAIL PROTECTED] wrote: On Jan 18, 2008 5:24 PM, Richard Lynch [EMAIL PROTECTED] wrote: If you are trying to keep the names and orders in parallel you need to do something not unlike: while (list($key, $name) = each($names)){ $order = $orders[$key]; $query = update whatever set order = $order where name = '$name'; } just as a mention; spl has a DualIterator class that would be perfect for this situation. i hesitate to mention it though, since ive not found it in any php version. its there in the doc, but not in actual php; what a shame. http://www.php.net/~helly/php/ext/spl/classDualIterator.html i can only expect well see it in a subsequent version; that there is a reason its not yet made it.. -nathan Maybe someday SPL will become part of the PHP manual too. ;) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
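Richard's while/each() loop keys the two arrays in parallel and then interpolates $name into the UPDATE. The following is an added example, not code from either poster, doing the same job with SPL's MultipleIterator (in PHP since 5.3, unlike the DualIterator the thread mentions) and a prepared statement so that $name is bound instead of interpolated. It assumes PHP 7 or later with the pdo_sqlite extension; the table name "whatever" comes from the thread, and the rows and the name/order arrays are constructed.

```php
<?php
// Constructed in-memory table standing in for the real "whatever" table.
function setupTable(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE whatever (name TEXT PRIMARY KEY, "order" INTEGER)');
    $ins = $db->prepare('INSERT INTO whatever (name, "order") VALUES (?, 0)');
    foreach (['apple', 'banana', 'cherry'] as $name) {
        $ins->execute([$name]);
    }
    return $db;
}

// Walks $names and $orders in lock step and updates each row once.
// Returns the number of rows actually changed.
function updateOrders(PDO $db, array $names, array $orders): int {
    // MIT_NEED_ALL: stop as soon as the shorter array runs out, so a
    // length mismatch cannot pair a name with someone else's order.
    // MIT_KEYS_ASSOC: expose each pair as ['name' => ..., 'order' => ...].
    $it = new MultipleIterator(MultipleIterator::MIT_NEED_ALL | MultipleIterator::MIT_KEYS_ASSOC);
    $it->attachIterator(new ArrayIterator($names), 'name');
    $it->attachIterator(new ArrayIterator($orders), 'order');

    // "order" is a reserved word in SQL, hence the quoting. The values are
    // bound parameters: a name containing a quote is just data.
    $stmt = $db->prepare('UPDATE whatever SET "order" = :order WHERE name = :name');
    $updated = 0;
    foreach ($it as $pair) {
        $stmt->execute([':order' => $pair['order'], ':name' => $pair['name']]);
        $updated += $stmt->rowCount();
    }
    return $updated;
}

$db = setupTable();
$count = updateOrders($db, ['apple', 'banana', 'cherry'], [3, 1, 2]);
echo "rows updated: $count\n";
foreach ($db->query('SELECT name, "order" FROM whatever ORDER BY "order"') as $row) {
    echo $row['name'], ' => ', $row['order'], "\n";
}
```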
[PHP] Re: Best Approach
PHP's error handler can be set up to automatically send emails. Send them to a dedicated mailbox and then check that mailbox every day. Miguel Guirao wrote: Hello fellow members of this list, There is a couple of rutinary tasks that our servers (different platforms) perform during the night. Early during the day, we have to check that every task was performed correctly and without errors. Actually, we do this by hand, going first to server A (AIX platform), and verifying that the error logs files have a size of zero (0), which means that there were no errors to report on the logs, verify that some files have been written to a specific directory and so on. As I told you before, this is done by hand, many ls commands, grep’s and more’s here and there!! On the other hand, I have to do this on a another Windows 2003 server!! So, I’m thinking on creating a web page on PHP that performs all this tasks for me, and my fellow co-workers. But, all my experience with PHP is about working with data on MySQL server, wrting files to a harddisk, sending e-mails with or without attachments and so on. Is PHP a correct approach to solve this tedious problem?? Can I access a servers and get the results of a ls command for instance?? Best Regards, __ Miguel Guirao Aguilera, Linux+, ITIL Sistemas de Información Informática R8 - TELCEL Ext. 7540 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] re-compiling PHP on Mac OS X
Hi, I've checked all pages and downloaded the php5.2.5.release1.tar.gz (the latest I found) but I get the same errors httpd: Syntax error on line 484 of /private/etc/apache2/httpd.conf: Syntax error on line 8 of /private/etc/apache2/other/entropy-php.conf: Cannot load /usr/local/php5/libphp5.so into server: dlopen(/usr/local/php5/libphp5.so, 10): Symbol not found: _xmlTextReaderSchemaValidate\n Referenced from: /usr/local/php5/libphp5.so\n Expected in: /usr/lib/libxml2.2.dylib\n Does anyone have a working .dmg/.tar.gz for 10.5.1 Mac Intel with PDO/Mysql working? -thanks. On Dec 17, 2007 1:23 PM, David Powers [EMAIL PROTECTED] wrote: Frank Arensmeier wrote: When you install PHP5 with the package from entropy.ch, the new PHP5 will install under /usr/local/php5. The Mac package from entropy.ch is not compatible with Leopard (Mac OS X 10.5). Marc Liyanage is working on a Leopard-compatible version. Check the forum on his site for the latest details. There's an extremely long thread about PHP on Leopard. A command line installation is somewhere around page 15 of the thread. -- David Powers -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] DOM API Namespaces - help?
Help?? I need to get the namespaces from the root node of a DomDocument.. ?xml version=1.0 ? chapter xmlns:xi=http://www.w3.org/2001/XInclude; para xi:include href=book.xml /xi:include /para /chapter I know I can retrieve the namespaceUri from the xi:include node using lookupNamespaceURI and -prefix but I need to get it from where it's defined in chapter but assuming the above file is: ?xml version=1.0 ? chapter xmlns:xi=http://www.w3.org/2001/XInclude; a / /chapter how would one retrieve xmlns:xi=http://www.w3.org/2001/XInclude; Thanks in advance! Nathan -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
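One way to read the declarations from the root element itself, rather than looking them up from a descendant with lookupNamespaceURI(): query the XPath namespace axis on $doc->documentElement. This is an added example, not code from the thread; it embeds the second document from the question as a string and assumes PHP with the dom and xml extensions (standard in most builds).

```php
<?php
// The document from the question, embedded as a nowdoc so the example runs offline.
$xml = <<<'XML'
<?xml version="1.0"?>
<chapter xmlns:xi="http://www.w3.org/2001/XInclude">
  <a />
</chapter>
XML;

// Returns ['xmlns:xi' => 'http://www.w3.org/2001/XInclude', ...] for the root element.
function rootNamespaces(string $xml): array {
    $doc = new DOMDocument();
    // LIBXML_NONET stops the parser from fetching anything over the network.
    // Note also that xi:include only does something if you call $doc->xinclude(),
    // which reads whatever href= points at; do not call it on documents you did
    // not write yourself.
    $doc->loadXML($xml, LIBXML_NONET);

    $xpath = new DOMXPath($doc);
    $out = [];
    // The namespace axis yields one DOMNameSpaceNode per in-scope declaration.
    // It includes the implicit "xmlns:xml" binding; skip it to list only what
    // the file declares.
    foreach ($xpath->query('namespace::*', $doc->documentElement) as $ns) {
        if ($ns->prefix === 'xml') {
            continue;
        }
        $out[$ns->nodeName] = $ns->nodeValue;   // nodeName "xmlns:xi", nodeValue the URI
    }
    return $out;
}

foreach (rootNamespaces($xml) as $decl => $uri) {
    echo $decl, '="', $uri, "\"\n";
}
```

The same query on any other element lists the namespaces in scope there, including ones declared on ancestors, which is what lookupNamespaceURI() sees; anchoring the query at documentElement is what restricts the answer to the root.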
Re: [PHP] re-compiling PHP on Mac OS X
On 1/23/08, mbneto [EMAIL PROTECTED] wrote: Hi, I've checked all pages and downloaded the php5.2.5.release1.tar.gz (the latest I found) but I get the same errors httpd: Syntax error on line 484 of /private/etc/apache2/httpd.conf: Syntax error on line 8 of /private/etc/apache2/other/entropy-php.conf: Cannot load /usr/local/php5/libphp5.so into server: dlopen(/usr/local/php5/libphp5.so, 10): Symbol not found: _xmlTextReaderSchemaValidate\n Referenced from: /usr/local/php5/libphp5.so\n Expected in: /usr/lib/libxml2.2.dylib\n Does anyone have a working .dmg/.tar.gz for 10.5.1 Mac Intel with PDO/Mysql working? Your existing Entropy PHP install is tring to load things your newly compiled PHP doesn't have support for. Either use Entropy or clean it out completely so it doesn't mess with your new version. Or a third option, supply the missing dependencies Entropy wants. You will find most all of them in Macports. `port search xml|grep lib` shows a lot of results. Here's how I built mine the day I blog'd it: http://destiney.com/blog/php-4-5-macos-x -- Greg Donald http://destiney.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] including files outside of document root
On Jan 22, 2008, at 3:57 PM, Jason Pruim wrote: Hi everyone, Been doing some reading on security and have decided that I should be storing my include files outside of the document root... Which I understand how to do it, but what I'm wondering, is say I write the Next Killer App (tm). How would I port that code easily off of my server and put it into a downloadable file for the millions of people who will download and run the Next Killer App (tm)? Err... That doesn't make it very clear... Is there a program for Macintosh or Unix that I could use to grab all the source code from where ever I have it set? Or would I need to make my own? Or should I just quit being lazy and grab it my self? :) Yes I know I'm answering my own post... :) Thanks for all the suggestions that I received! It's helped me figure out some of the stuff, and now I just need a project to test some of the stuff with! Oh, and for an IDE I discovered that Apple XCode works very well as a php editor and file management system. Looks like it will work perfectly! I do have 2 questions though... #1. When including files outside of the webroot do you need to specify the entire path? Like for me, that would be something like: / volumes/raider/webserver/includes/projectname/includeme.php or can I just stop at: /webserver/includes/projectname/includeme.php? #2. Anyone got any small programming jobs that I can hone my skills with? :) You know, the kind of projects that you guru's don't want to do because you're too busy writting the Next Killer App (tm) but would be perfect learning experience/easy way to put some cash in the pocket? :) -- Jason Pruim Raoset Inc. Technology Manager MQC Specialist 3251 132nd ave Holland, MI, 49424 www.raoset.com [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] including files outside of document root
Quoting Jason Pruim [EMAIL PROTECTED]: On Jan 22, 2008, at 3:57 PM, Jason Pruim wrote: Hi everyone, Been doing some reading on security and have decided that I should be storing my include files outside of the document root... Which I understand how to do it, but what I'm wondering, is say I write the Next Killer App (tm). How would I port that code easily off of my server and put it into a downloadable file for the millions of people who will download and run the Next Killer App (tm)? Err... That doesn't make it very clear... Is there a program for Macintosh or Unix that I could use to grab all the source code from where ever I have it set? Or would I need to make my own? Or should I just quit being lazy and grab it my self? :) Yes I know I'm answering my own post... :) Thanks for all the suggestions that I received! It's helped me figure out some of the stuff, and now I just need a project to test some of the stuff with! Oh, and for an IDE I discovered that Apple XCode works very well as a php editor and file management system. Looks like it will work perfectly! I do have 2 questions though... #1. When including files outside of the webroot do you need to specify the entire path? Like for me, that would be something like: /volumes/raider/webserver/includes/projectname/includeme.php or can I just stop at: /webserver/includes/projectname/includeme.php? It depends. If you set your include_path to /webserver/includes (outside your webroot) Then you can include the files like include projectname/includeme.php; If the files are not in your include_path you either need to provide the full path. Or set the include path in your application and go from there. #2. Anyone got any small programming jobs that I can hone my skills with? :) You know, the kind of projects that you guru's don't want to do because you're too busy writting the Next Killer App (tm) but would be perfect learning experience/easy way to put some cash in the pocket? 
:) Can't help you with this one :) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] including files outside of document root
2008. 01. 23, szerda keltezéssel 09.37-kor Jason Pruim ezt írta: On Jan 22, 2008, at 3:57 PM, Jason Pruim wrote: Hi everyone, Been doing some reading on security and have decided that I should be storing my include files outside of the document root... Which I understand how to do it, but what I'm wondering, is say I write the Next Killer App (tm). How would I port that code easily off of my server and put it into a downloadable file for the millions of people who will download and run the Next Killer App (tm)? Err... That doesn't make it very clear... Is there a program for Macintosh or Unix that I could use to grab all the source code from where ever I have it set? Or would I need to make my own? Or should I just quit being lazy and grab it my self? :) Yes I know I'm answering my own post... :) Thanks for all the suggestions that I received! It's helped me figure out some of the stuff, and now I just need a project to test some of the stuff with! Oh, and for an IDE I discovered that Apple XCode works very well as a php editor and file management system. Looks like it will work perfectly! I do have 2 questions though... #1.When including files outside of the webroot do you need to specify the entire path? Like for me, that would be something like: / volumes/raider/webserver/includes/projectname/includeme.php or can I just stop at: /webserver/includes/projectname/includeme.php? you need either full path, or put the directory in include_path in php.ini #2. Anyone got any small programming jobs that I can hone my skills with? :) You know, the kind of projects that you guru's don't want to do because you're too busy writting the Next Killer App (tm) but would be perfect learning experience/easy way to put some cash in the pocket? :) as soon as I will have any jobs like that I'll email you :) greets Zoltán Németh -- Jason Pruim Raoset Inc. 
Technology Manager MQC Specialist 3251 132nd ave Holland, MI, 49424 www.raoset.com [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] including files outside of document root
On Jan 22, 2008 8:48 PM, Richard Lynch [EMAIL PROTECTED] wrote: On Tue, January 22, 2008 7:17 pm, Daniel Brown wrote: You may disagree with me on this here, Rich, but the way I do it is to have a single include_files.php file containing all of the files that need to be included as a whole, and a single configuration variable to set where those files are located. I know that they don't all have to be included in that file, but I find it makes it easier, since I use all of them with every page load. Can I put that include_files.php outside the web-tree as well? Or is the rest of your application bypassing include_path to force it to be inside the web-tree? Yes, the include_files.php file can be put anywhere. I leave it in the web tree, but it certainly doesn't have to be kept there. I also employ a function safe_include($filename) that uses a combination of file_exists($filename), is_file($filename), and is_readable($filename). If the function fails, no PHP error message is output if the file can't be found, and the script doesn't necessarily halt. If it's a critical file, instead a message is dispatched to my email, and a friendly message is placed on the site informing the user that a technical error has been encountered and will be repaired ASAP. This sounds nifty for your own clients, but I don't think it would work well for, say, BB or Cake or phpMyAdmin... No, that's for proprietary, single-production systems, and the systems won't be reused. I'm pretty sure the authors of those don't want an email from every broken install... :-) You got that damn straight! ;-) -- /Dan Daniel P. Brown Senior Unix Geek and #1 Rated Year's Coolest Guy By Self Since Nineteen-Seventy-[mumble]. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Using mysql_real_escape_string without connecting to mysql
Dotan Cohen schreef:
> On 23/01/2008, Richard Lynch [EMAIL PROTECTED] wrote:
>> On Tue, January 22, 2008 7:01 pm, Dotan Cohen wrote:
>>> I have a file of my own functions that I include in many places. One
>>> of them uses mysql_real_escape_string, however, it may be called in a
>>> context that will or will not connect to a mysql server, and worse,
>>> may already be connected. So I must avoid connecting. However, when I
>>> run the script without connecting I get this error:
>>
>> Don't do that? :-)
>>
>> Can the file really do anything useful without the DB?
>
> The file defines some of my own functions, like these:
>
> function clean_html ($dirty) {
>     $dirty=strip_tags($dirty);
>     $clean=htmlentities($dirty);
>     return $clean;
> }
>
> function clean_mysql ($dirty) {
>     $dirty=str_replace("--", "", $dirty);
>     $dirty=str_replace(";", "", $dirty);
>     $clean=mysql_real_escape_string($dirty);
>     return $clean;
> }

your functions mix 2 concepts - input filtering and output escaping, they should be separate actions.

> I use these functions in many places, so I simply put them all in a
> file and include it in each page.
>
>> When there *IS* a connection, how do you access it?
>
> mysql_fetch_array or mysql_result
>
>> Can't the file check somehow?
>
> I suppose that it could, by checking the return of one of the two
> functions above.
>
> Lucky for me, I always use UTF-8 so I won't get stuck connecting with
> one encoding yet doing mysql_real_escape_string with another, which
> would be a problem if I had to deal with multiple encodings.
>
> Dotan Cohen
>
> http://what-is-what.com
> http://gibberish.co.il
> א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
>
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Using mysql_real_escape_string without connecting to mysql
On 23/01/2008, Jochem Maas [EMAIL PROTECTED] wrote: The file defines some of my own functions, like these: function clean_html ($dirty) { $dirty=strip_tags($dirty); $clean=htmlentities($dirty); return $clean; } function clean_mysql ($dirty) { $dirty=str_replace (--, , $dirty); $dirty=str_replace (;, , $dirty); $clean=mysql_real_escape_string($dirty); return $clean; } your functions mix 2 concepts - input filtering and output escaping, they should be seperate actions. They are separate actions. One is on (for example) accept.php and the other on display.php. However, there are tens of pages which accept info, and tens of others which display info. And these are just two functions: I have quite a few more. It would be impossible to break them up into separate include pages because I'd be including 90% of them on each page anyway. Dotan Cohen http://what-is-what.com http://gibberish.co.il א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing?
Re: [PHP] sessions/cookies
others have given good advice, but let's learn to walk before we run shall we.

1. session_start() should be called once per request.
2. checkValidUser() does a select on all the users in the database, this is *wrong* - do a select with a suitable WHERE clause that retrieves the one user that matches the given user name and password.
3. GetAccessLevel() uses an undefined property.
4. all the properties ($UserID, $AdminLevel, etc) are only set during the request where the user's login credentials are checked. subsequent requests will not have that info.
5. use php5?
6. go back and read the other replies regarding separation of responsibilities and encapsulation.

nihilism machine schreef:
> I wrote an authentication class in php4. The sessions don't seem to be
> working with internet explorer, just with FF. here is the code below, a
> cookies notice pops up when you try and login:

<?php
class auth {
    var $UserID;
    var $AdminLevel;
    var $FirstName;
    var $LastName;
    var $DateAdded;
    var $MobileTelephone;
    var $LandLineTelephone;

    // Connect to the database
    function auth() {
        mysql_connect('','','') or die('ERROR: Could not connect to database');
        mysql_select_db('') or die('ERROR: Could not select database');
    }

    // Attempt to login a user
    function CheckValidUser($Email,$Password) {
        $result = mysql_query('SELECT * FROM Users');
        $Password = $this->encode($Password);
        if (mysql_num_rows($result) != 0) {
            while($row = mysql_fetch_assoc($result)) {
                if (!strcmp($row['Email'],$Email)) {
                    if (!strcmp($row['Password'],$Password)) {
                        // User info stored in Globals
                        $this->UserID = $row['ID'];
                        $this->AdminLevel = $row['Admin_Level'];
                        $this->FirstName = $row['First_Name'];
                        $this->LastName = $row['Last_Name'];
                        $this->DateAdded = $row['Date_Added'];
                        $this->MobileTelephone = $row['Telephone_Mobile'];
                        $this->LandLineTelephone = $row['Telephone_Land_Line'];
                        // User info stored in Sessions
                        session_start();
                        $_SESSION['Status'] = "loggedIn";
                        $_SESSION['Email'] = $row['Email'];
                        $_SESSION['AdminLevel'] = $row['Admin_Level'];
                        $_SESSION['LandLine'] = $row['Telephone_Land_Line'];
                        $_SESSION['MobileTelephone'] = $row['Telephone_Mobile'];
                        $_SESSION['FirstName'] = $row['First_Name'];
                        $_SESSION['LastName'] = $row['Last_Name'];
                        return true;
                    }
                }
            }
            header("Location: index.php?error=invalidLogin");
        } else {
            die('ERROR: No Users in the database!');
        }
    }

    // Create a new user account
    function CreateUser($Email, $Password, $AdminLevel, $LandLineTelephone, $MobileTelephone, $FirstName, $LastName) {
        $Password = $this->encode($Password);
        $this->AccessLevel = $AdminLevel;
        $DateAdded = date("Y-m-d H:i:s");
        mysql_query("INSERT INTO Users (Email, Password, Admin_Level, Date_Added, First_Name, Last_Name, Telephone_Land_Line, Telephone_Mobile) VALUES ('$Email','$Password','$AdminLevel', '$DateAdded', '$FirstName', '$LastName', '$LandLineTelephone', '$MobileTelephone')") or die(mysql_error());
        return $this->UserID = mysql_insert_id();
    }

    // Update a users access level
    function UpdateAccessLevel($ID,$AdminLevel) {
        mysql_query("UPDATE Users SET Admin_Level='$AdminLevel' WHERE ID=$ID") or die(mysql_error());
        return true;
    }

    // Delete a user
    function DeleteUser($ID) {
        mysql_query("DELETE FROM Users WHERE ID=$ID") or die(mysql_error());
        return true;
    }

    // Get a users access level
    function GetAccessLevel() {
        return $this->AccessLevel;
    }

    // Get a users ID
    function GetUserID() {
        return $this->UserID;
    }

    // Log user out
    function LogOut() {
        session_start();
        session_unset();
        session_destroy();
        header("Location: index.php");
    }

    // Check users access level to see if they have clearance for a certain page
    function CheckUserLevel($RequiredLevel) {
        // the comparison operator was lost in extraction; '<' is assumed here
        if ($_SESSION['AdminLevel'] < $RequiredLevel) {
            if ($_SESSION['AdminLevel'] == 2) {
                header("Location: financial.php");
            } else if ($_SESSION['AdminLevel'] == 1) {
                header("Location: user.php");
            } else {
                header("Location: index.php");
            }
        }
    }

    // Check to see if a user is logged in
    function CheckLoggedIn() {
        session_start();
        if ($_SESSION['Status'] !=
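Points 1 to 4 of the reply above, applied. This is an added example, not the poster's class or a drop-in replacement for it: it assumes PHP 7 or later with pdo_sqlite, uses an in-memory SQLite table in place of the MySQL "Users" table so it runs stand-alone, and takes the session as an array parameter so the login logic can be exercised outside an HTTP request (in a web request that array is $_SESSION, and session_start() is called once in the bootstrap file before any output). The accounts are constructed.

```php
<?php
// Constructed stand-in for the Users table. Passwords are stored with
// password_hash(), which generates a distinct random salt for each one.
function setupUsers(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE Users (ID INTEGER PRIMARY KEY, Email TEXT UNIQUE,
                                   Password TEXT, Admin_Level INTEGER)');
    $ins = $db->prepare('INSERT INTO Users (Email, Password, Admin_Level) VALUES (?, ?, ?)');
    $ins->execute(['alice@example.com', password_hash('alice-pw', PASSWORD_DEFAULT), 2]);
    $ins->execute(['bob@example.com',   password_hash('bob-pw',   PASSWORD_DEFAULT), 1]);
    return $db;
}

// Point 2: fetch the single row for this e-mail with a bound parameter instead
// of SELECT * over every user compared in PHP. Point 4: whatever later requests
// need is written to the session here, not to object properties.
function loginUser(PDO $db, string $email, string $password, array &$session): bool {
    $stmt = $db->prepare('SELECT ID, Password, Admin_Level FROM Users WHERE Email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the e-mail is unknown, so the response
    // time does not reveal which addresses exist.
    $hash = $row ? $row['Password'] : password_hash('no-such-user', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || !$row) {
        return false;
    }

    // Keep the session small: the ID is enough to look the rest up later.
    // In a web request, call session_regenerate_id(true) at this point so the
    // pre-login session ID is not carried into the authenticated session.
    $session = [
        'Status'     => 'loggedIn',
        'UserID'     => (int) $row['ID'],
        'AdminLevel' => (int) $row['Admin_Level'],
    ];
    return true;
}

// Points 3 and 4: a later request checks the level recorded in the session,
// not a property that only existed during the login request.
function hasLevel(array $session, int $required): bool {
    return ($session['Status'] ?? '') === 'loggedIn'
        && ($session['AdminLevel'] ?? 0) >= $required;
}

$db = setupUsers();
$session = [];

var_dump(loginUser($db, 'alice@example.com', 'not-her-password', $session)); // wrong password
var_dump(loginUser($db, "x' OR 1=1 --", 'anything', $session));             // e-mail is data, not SQL
var_dump(loginUser($db, 'alice@example.com', 'alice-pw', $session));         // correct credentials
var_dump(hasLevel($session, 2));                                             // alice has level 2
var_dump(hasLevel($session, 3));                                             // but not 3
```

The `!$row` check sits after password_verify() deliberately: the verify runs in both branches, so a missing account costs the same time as a wrong password. The first two logins fail and leave $session empty; the third succeeds and is what the two hasLevel() calls read.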
Re: [PHP] Using mysql_real_escape_string without connecting to mysql
On 23/01/2008, Jochem Maas [EMAIL PROTECTED] wrote:
> you don't understand what I mean.
>
> input filtering is a seperate task to output filtering.
> you filter and validate all input to the script regardless of how you
> are going to use it.
> THEN you escape the filtered, validated data for each output (output to
> mysql, output to browser, etc)

Exactly. However, before going to the database, things get a healthy dose of filtering specific to that medium. I don't need no Little Bobby Tables slipping through. Likewise for data being output to HTML: nobody would appreciate getting XSSed on my sites.

> 2 distinct concepts, which shouldn't be rolled into single functions.
> imho.

They aren't; what you saw are two separate functions. Here they are again:

function clean_html ($dirty) {
    $dirty=strip_tags($dirty);
    $clean=htmlentities($dirty);
    return $clean;
}

function clean_mysql ($dirty) {
    $dirty=str_replace("--", "", $dirty);
    $dirty=str_replace(";", "", $dirty);
    $clean=mysql_real_escape_string($dirty);
    return $clean;
}

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Re: [PHP] Using mysql_real_escape_string without connecting to mysql
Try using the mysql_ping() command to check to see if your connection is available:

http://us2.php.net/manual/en/function.mysql-ping.php

something like:

<?php
if (!@mysql_ping()) // Note the @ is because, if mysql_ping cannot get connected, it will display a warning - suppress so users don't see
{
    connectToDB();
}
mysql_real_escape_string('stuff');
?>

HTH-
James

On Jan 22, 2008 6:04 PM, Dotan Cohen [EMAIL PROTECTED] wrote:
> On 23/01/2008, Richard Lynch [EMAIL PROTECTED] wrote:
>> On Tue, January 22, 2008 7:01 pm, Dotan Cohen wrote:
>>> I have a file of my own functions that I include in many places. One
>>> of them uses mysql_real_escape_string, however, it may be called in a
>>> context that will or will not connect to a mysql server, and worse,
>>> may already be connected. So I must avoid connecting. However, when I
>>> run the script without connecting I get this error:
>>
>> Don't do that? :-)
>>
>> Can the file really do anything useful without the DB?
>
> The file defines some of my own functions, like these:
>
> function clean_html ($dirty) {
>     $dirty=strip_tags($dirty);
>     $clean=htmlentities($dirty);
>     return $clean;
> }
>
> function clean_mysql ($dirty) {
>     $dirty=str_replace("--", "", $dirty);
>     $dirty=str_replace(";", "", $dirty);
>     $clean=mysql_real_escape_string($dirty);
>     return $clean;
> }
>
> I use these functions in many places, so I simply put them all in a
> file and include it in each page.
>
>> When there *IS* a connection, how do you access it?
>
> mysql_fetch_array or mysql_result
>
>> Can't the file check somehow?
>
> I suppose that it could, by checking the return of one of the two
> functions above.
>
> Lucky for me, I always use UTF-8 so I won't get stuck connecting with
> one encoding yet doing mysql_real_escape_string with another, which
> would be a problem if I had to deal with multiple encodings.
>
> Dotan Cohen
>
> http://what-is-what.com
> http://gibberish.co.il
> א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
>
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
Re: [PHP] Using mysql_real_escape_string without connecting to mysql
Dotan Cohen schreef:
> On 23/01/2008, Jochem Maas [EMAIL PROTECTED] wrote:
> > > The file defines some of my own functions, like these:
> > >
> > > function clean_html ($dirty) {
> > >     $dirty = strip_tags($dirty);
> > >     $clean = htmlentities($dirty);
> > >     return $clean;
> > > }
> > >
> > > function clean_mysql ($dirty) {
> > >     $dirty = str_replace("--", "", $dirty);
> > >     $dirty = str_replace(";", "", $dirty);
> > >     $clean = mysql_real_escape_string($dirty);
> > >     return $clean;
> > > }
> >
> > your functions mix 2 concepts - input filtering and output escaping, they should be separate actions.
>
> They are separate actions. One is on (for example) accept.php and the other on display.php. However, there are tens of pages which accept info, and tens of others which display info. And these are just two functions: I have quite a few more. It would be impossible to break them up into separate include pages because I'd be including 90% of them on each page anyway.

you don't understand what I mean. input filtering is a separate task to output filtering. you filter and validate all input to the script regardless of how you are going to use it. THEN you escape the filtered, validated data for each output (output to mysql, output to browser, etc)

2 distinct concepts, which shouldn't be rolled into single functions. imho.

> Dotan Cohen
> http://what-is-what.com
> http://gibberish.co.il
> א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
>
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Using mysql_real_escape_string without connecting to mysql
On 23/01/2008, James Ausmus [EMAIL PROTECTED] wrote:
> Try using the mysql_ping() command to check to see if your connection is available: http://us2.php.net/manual/en/function.mysql-ping.php
>
> something like:
>
> <?php
> if (!@mysql_ping()) // Note the @ is because, if mysql_ping cannot get connected, it will display a warning - suppress so users don't see
> {
>     connectToDB();
> }
> mysql_real_escape_string('stuff');
> ?>
>
> HTH-
> James

I was thinking about that, but the problem is that if there is no connection, then the include is called and doesn't provide the mysql_clean function that I expect that it would. Then, I make a connection and use the function, expecting it to clean my data and it doesn't.

Dotan Cohen
http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Re: [PHP] Using mysql_real_escape_string without connecting to mysql
On Jan 23, 2008 10:03 AM, Dotan Cohen [EMAIL PROTECTED] wrote:
> On 23/01/2008, James Ausmus [EMAIL PROTECTED] wrote:
> > Try using the mysql_ping() command to check to see if your connection is available: http://us2.php.net/manual/en/function.mysql-ping.php
> >
> > something like:
> >
> > <?php
> > if (!@mysql_ping()) // Note the @ is because, if mysql_ping cannot get connected, it will display a warning - suppress so users don't see
> > {
> >     connectToDB();
> > }
> > mysql_real_escape_string('stuff');
> > ?>
> >
> > HTH-
> > James
>
> I was thinking about that, but the problem is that if there is no connection, then the include is called and doesn't provide the mysql_clean function that I expect that it would. Then, I make a connection and use the function, expecting it to clean my data and it doesn't.

You should be able to have the best of both worlds - it shouldn't have to be an either/or:

function clean_mysql ($dirty) {
    $dirty = str_replace("--", "", $dirty);
    $dirty = str_replace(";", "", $dirty);
    // Connect only if there is no usable connection yet; the @ silences the
    // warning mysql_ping() emits when it cannot reach the server.
    if (!@mysql_ping()) {
        functionThatConnectsToMySQL();
    }
    $clean = mysql_real_escape_string($dirty);
    return $clean;
}

This will connect if not connected, but either way it will still run the mysql_real_escape_string function - it's not inside an else statement...

-James

> Dotan Cohen
> http://what-is-what.com
> http://gibberish.co.il
> א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
>
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
Re: [PHP] Using mysql_real_escape_string without connecting to mysql
On Jan 22, 2008 8:01 PM, Dotan Cohen [EMAIL PROTECTED] wrote:
> I have a file of my own functions that I include in many places. One of them uses mysql_real_escape_string, however, it may be called in a context that will or will not connect to a mysql server, and worse, may already be connected. So I must avoid connecting. However, when I run the script without connecting I get this error:
>
> Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user: '[EMAIL PROTECTED]' (Using password: NO)
>
> I was thinking about checking if there is a connection, and if not then connecting. This seems redundant to me, however. What is the list's opinion of this situation?
>
> Thanks in advance.
>
> Dotan Cohen
> http://what-is-what.com
> http://gibberish.co.il
> א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
>
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?

By not connecting to the server you don't have the correct context for using mysql real escape string, therefore it is pointless.
Re: [PHP] Using mysql_real_escape_string without connecting to mysql
On 23/01/2008, Eric Butera [EMAIL PROTECTED] wrote:
> On Jan 22, 2008 8:01 PM, Dotan Cohen [EMAIL PROTECTED] wrote:
> > I have a file of my own functions that I include in many places. One of them uses mysql_real_escape_string, however, it may be called in a context that will or will not connect to a mysql server, and worse, may already be connected. So I must avoid connecting. However, when I run the script without connecting I get this error:
> >
> > Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user: '[EMAIL PROTECTED]' (Using password: NO)
> >
> > I was thinking about checking if there is a connection, and if not then connecting. This seems redundant to me, however. What is the list's opinion of this situation?
> >
> > Thanks in advance.
> >
> > Dotan Cohen
> > http://what-is-what.com
> > http://gibberish.co.il
> > א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
> >
> > A: Because it messes up the order in which people normally read text.
> > Q: Why is top-posting such a bad thing?
>
> By not connecting to the server you don't have the correct context for using mysql real escape string, therefore it is pointless.

Yes, I realize this. Note that I _always_ connect via UTF-8, so I'd like to tell mysql_real_escape_string to do its magic as if I were connected via UTF-8. I realize that this is impossible.

However, I do not think that the script should throw an error until I actually call mysql_clean. Merely having it in an include should not throw an error if the function is not being used.

Dotan Cohen
http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Re: [PHP] Using mysql_real_escape_string without connecting to mysql
On Wed, January 23, 2008 11:47 am, Dotan Cohen wrote:
> On 23/01/2008, Jochem Maas [EMAIL PROTECTED] wrote:
> > for each output (output to mysql, output to browser, etc)

Back to the original question...

I suppose you could use mysql_escape_string (note the lack of real) in the short term...

It would be Real Nifty (tm) if the MySQL API had a function that let you specify the charset without a connection and did the escaping.

Presumably you don't NEED a connection if you already know what charset thingie you are aiming at...

Or maybe I'm not understanding something...

--
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?
Re: [PHP] Using mysql_real_escape_string without connecting to mysql
On 23/01/2008, Richard Lynch [EMAIL PROTECTED] wrote:
> Back to the original question...
>
> I suppose you could use mysql_escape_string (note the lack of real) in the short term...

I'd rather not. There is no short term.

> It would be Real Nifty (tm) if the MySQL API had a function that let you specify the charset without a connection and did the escaping.
>
> Presumably you don't NEED a connection if you already know what charset thingie you are aiming at...
>
> Or maybe I'm not understanding something...

You are understanding. I'm heading over to the mysql bugzilla now...

Dotan Cohen
http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Re: [PHP] Using mysql_real_escape_string without connecting to mysql
On Wed, January 23, 2008 12:47 pm, Dotan Cohen wrote:
> On 23/01/2008, Eric Butera [EMAIL PROTECTED] wrote:
> > On Jan 22, 2008 8:01 PM, Dotan Cohen [EMAIL PROTECTED] wrote:
>
> However, I do not think that the script should throw an error until I actually call mysql_clean. Merely having it in an include should not throw an error if the function is not being used.

If you get it to throw an error for a connection not present, then you ARE calling the function.

You may not know where you called it in your rats' nest of OOP, but you are calling it. :-) :-) :-)

The only errors PHP throws without calling functions are parse errors.

--
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?
Re: [PHP] Using mysql_real_escape_string without connecting to mysql
> It would be Real Nifty (tm) if the MySQL API had a function that let you specify the charset without a connection and did the escaping.
>
> Presumably you don't NEED a connection if you already know what charset thingie you are aiming at...

I concur - it would be nice to have the capability to have a normal string escape function and give it a character set. I mean we should all be using utf-8 anyway, right?

Right now I still use mysql_escape_string and it seems to work fine, but it makes me nervous as everything else I use is mysqli and I know it is not 100% compatible (just haven't had anything break it yet) - but I hate having to have a connection handle open just to escape things.
Re: [PHP] including files outside of document root
On Wed, January 23, 2008 8:37 am, Jason Pruim wrote:
> On Jan 22, 2008, at 3:57 PM, Jason Pruim wrote:
> > Hi everyone,
> >
> > #1. When including files outside of the webroot do you need to specify the entire path? Like for me, that would be something like: /volumes/raider/webserver/includes/projectname/includeme.php or can I just stop at: /webserver/includes/projectname/includeme.php?

Neither. :-)

Figure out how PHP's include_path feature works and use that.
http://php.net/set_include_path

You should use set_include_path to define what directory[ies] PHP should search, and then just do:

include 'includeme.php';

> > #2. Anyone got any small programming jobs that I can hone my skills with? :) You know, the kind of projects that you gurus don't want to do because you're too busy writing the Next Killer App (tm) but would be perfect learning experience/easy way to put some cash in the pocket? :)

Non-profits/Charities often have programming needs not being met by traditional (costly) developers. They may have SOME cash, but not a lot.

And there's always somebody wanting yet another shopping cart store-front installation...

--
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?
Re: [PHP] successful compiled, but errors at use
On Wed, January 23, 2008 4:13 am, Andre Hübner wrote:
> Warning: Unexpected character in input: '' (ASCII=27) state=1 in /folders/php-4.4.8 on line 3600
> Warning: Unexpected character in input: '' (ASCII=8) state=1 in /folders/php-4.4.8 on line 3600
> Warning: Unexpected character in input: '' (ASCII=3) state=1 in /folders/php-4.4.8 on line 3600
> Warning: Unexpected character in input: ' in /folders/php-4.4.8 on line 3600
> Warning: Unexpected character in input: ' in /folders/php-4.4.8 on line 3600
> Warning: Unexpected character in input: ' in /folders/php-4.4.8 on line 3600
> Parse error: syntax error, unexpected T_STRING in /folders/php-4.4.8 on line 3600
>
> But if I call this php-4.4.8 on console I can parse my files successfully. What goes wrong? I have no idea what I did not do correctly. Can anybody help please?

Do you have/need ASCII 27, 8, and 3 on line 3600?

The CLI may have error display set to off or logging it elsewhere.

Try:

php -d display_errors=1 -d error_reporting=2047 phpinfo.php

--
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?
Re: [PHP] including files outside of document root
Jason Pruim wrote:
> Been doing some reading on security and have decided that I should be storing my include files outside of the document root... Which I understand how to do it, but what I'm wondering, is say I write the Next Killer App (tm). How would I port that code easily off of my server and put it into a downloadable file for the millions of people who will download and run the Next Killer App (tm)?

I tend to keep the directories in the document root, but I deny access via an .htaccess file. This keeps the code in a simple directory structure. Anyone else doing that?

-Roberto
Re: [PHP] including files outside of document root
On Jan 23, 2008, at 2:50 PM, Roberto Mansfield wrote:
> Jason Pruim wrote:
> > Been doing some reading on security and have decided that I should be storing my include files outside of the document root... Which I understand how to do it, but what I'm wondering, is say I write the Next Killer App (tm). How would I port that code easily off of my server and put it into a downloadable file for the millions of people who will download and run the Next Killer App (tm)?
>
> I tend to keep the directories in the document root, but I deny access via an .htaccess file. This keeps the code in a simple directory structure. Anyone else doing that?
>
> -Roberto

I used to just throw everything in the same directory, include files, config files, pictures, css, html, php etc. etc. etc... When I made my decision to put the includes outside of the webroot it was because of an article I read by Chris Shiflett[1] that said basically that this way of including files was safer than using a .htaccess file to block access to it.

that's why I made my decision. Not to say it's the right one, just a step in the right direction. To me it also seems more portable across hosts to have access outside of your webroot vs. access to .htaccess files. But I could be wrong, I have been lucky enough to always have a company server with php at my full control so I could use whatever I needed when I needed it.

[1] http://shiflett.org/articles/secure-design

--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd ave
Holland, MI, 49424
www.raoset.com
[EMAIL PROTECTED]
Re: [PHP] including files outside of document root
On Jan 23, 2008 2:50 PM, Roberto Mansfield [EMAIL PROTECTED] wrote:
> I tend to keep the directories in the document root, but I deny access via an .htaccess file. This keeps the code in a simple directory structure. Anyone else doing that?

My fear on that is if there's changes to the server. Say, for example, someone takes over my job (which will happen someday, one way or another), and they are charged with upgrading services on the server. While doing Apache, they accidentally (for argument's sake) forget to properly configure the AllowOverrides and AddHandler/AddType directives. Now .htaccess isn't read and doesn't bar access to the directory, and the files have full source disclosure - including any database login credentials, et cetera. This is what we like to call a Bad Thing[tm].

--
/Dan

Daniel P. Brown
Senior Unix Geek and #1 Rated Year's Coolest Guy By Self Since Nineteen-Seventy-[mumble].
Re: [PHP] Using mysql_real_escape_string without connecting to mysql
On Jan 23, 2008 2:37 PM, Dotan Cohen [EMAIL PROTECTED] wrote:
> On 23/01/2008, Richard Lynch [EMAIL PROTECTED] wrote:
> > Back to the original question...
> >
> > I suppose you could use mysql_escape_string (note the lack of real) in the short term...
>
> I'd rather not. There is no short term.
>
> > It would be Real Nifty (tm) if the MySQL API had a function that let you specify the charset without a connection and did the escaping.
> >
> > Presumably you don't NEED a connection if you already know what charset thingie you are aiming at...
> >
> > Or maybe I'm not understanding something...
>
> You are understanding. I'm heading over to the mysql bugzilla now...
>
> Dotan Cohen
> http://what-is-what.com
> http://gibberish.co.il
> א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
>
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?

There isn't a reason to go and report a bug as their stuff works fine. If you know you have utf8 and all that jazz then fine. The only reason you should use mysql escaping is right before you put a value into the database. To put a value in the database you must have a connection. So this really is a non-issue in my opinion.

Look at mysqli or pdo and start working with prepared statements. :)
Re: [PHP] including files outside of document root
Daniel Brown wrote:
> On Jan 23, 2008 2:50 PM, Roberto Mansfield [EMAIL PROTECTED] wrote:
> > I tend to keep the directories in the document root, but I deny access via an .htaccess file. This keeps the code in a simple directory structure. Anyone else doing that?
>
> My fear on that is if there's changes to the server. Say, for example, someone takes over my job (which will happen someday, one way or another), and they are charged with upgrading services on the server. While doing Apache, they accidentally (for argument's sake) forget to properly configure the AllowOverrides and AddHandler/AddType directives. Now .htaccess isn't read and doesn't bar access to the directory, and the files have full source disclosure - including any database login credentials, et cetera. This is what we like to call a Bad Thing[tm].

Ahh, an excellent point.
Re: [PHP] including files outside of document root
On Jan 23, 2008 2:56 PM, Jason Pruim [EMAIL PROTECTED] wrote:
> that's why I made my decision. Not to say it's the right one, just a step in the right direction. To me it also seems more portable across hosts to have access outside of your webroot vs. access to .htaccess

It's far more portable, because every HTTP server out there knows how to handle paths, but only Apache knows how to handle an .htaccess file. So you can forget being able to use that same code on IIS, tinyhttpd, Boa, AnalogX SimpleServer:WWW (an old favorite!), et cetera. If it only works with one specific HTTP server, that's a serious limit.

--
/Dan

Daniel P. Brown
Senior Unix Geek and #1 Rated Year's Coolest Guy By Self Since Nineteen-Seventy-[mumble].
Re: [PHP] including files outside of document root
On Jan 23, 2008, at 3:04 PM, Daniel Brown wrote:
> On Jan 23, 2008 2:56 PM, Jason Pruim [EMAIL PROTECTED] wrote:
> > that's why I made my decision. Not to say it's the right one, just a step in the right direction. To me it also seems more portable across hosts to have access outside of your webroot vs. access to .htaccess
>
> It's far more portable, because every HTTP server out there knows how to handle paths, but only Apache knows how to handle an .htaccess file. So you can forget being able to use that same code on IIS, tinyhttpd, Boa, AnalogX SimpleServer:WWW (an old favorite!), et cetera. If it only works with one specific HTTP server, that's a serious limit.

I didn't realize that... That's good info. I always hear people talking about .htaccess files on all the different lists I'm on so I thought it was an industry standard thing :) Now I can shut my brain down because I learned my 1 new thing for today! m Beer

--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd ave
Holland, MI, 49424
www.raoset.com
[EMAIL PROTECTED]
Re: [PHP] including files outside of document root
On Jan 23, 2008 3:28 PM, Jason Pruim [EMAIL PROTECTED] wrote:
> I didn't realize that... That's good info. I always hear people talking about .htaccess files on all the different lists I'm on so I thought it was an industry standard thing :) Now I can shut my brain down because I learned my 1 new thing for today!

Learn more: http://en.wikipedia.org/wiki/.htaccess

--
/Dan

Daniel P. Brown
Senior Unix Geek and #1 Rated Year's Coolest Guy By Self Since Nineteen-Seventy-[mumble].
[PHP] unpack() big endian signed long?
Hi,

Is it possible to use unpack() to read a big endian signed long on a little endian machine?

http://nl.php.net/pack refers to perl, on which this function is based. The php function unpack() doesn't seem to support the < and > modifiers like perl does.

Floor Terra
Re: [PHP] Using mysql_real_escape_string without connecting to mysql
Dotan Cohen schreef:
> On 23/01/2008, Jochem Maas [EMAIL PROTECTED] wrote:
> > you don't understand what I mean. input filtering is a separate task to output filtering. you filter and validate all input to the script regardless of how you are going to use it. THEN you escape the filtered, validated data for each output (output to mysql, output to browser, etc)
>
> Exactly. However, before going to the database, things get a healthy dose of filtering specific to that medium. I don't need no Little Bobby Tables slipping through. Likewise for data being output to HTML: nobody would appreciate getting XSSed on my sites.
>
> > 2 distinct concepts, which shouldn't be rolled into single functions. imho.
>
> They aren't; what you saw are two separate functions. Here they are again:

I can read, I saw 2 functions the first time. each function cleans *and* escapes. cleaning is filtering of input. escaping is preparing for output. 2 concepts.

if the input needs to be stripped of html then it needs that regardless of the output vector. again removing or not-accepting input if it contains '--' is a question of filtering/validation ... besides which '--' is quite acceptable for data stored in a text field but not for a numeric one.

filter each piece of data
validate each piece of data
escape each piece of data for each context in which it will be output.

imho your functions are conceptually wrong and not very robust either - don't take it as a personal attack - I'm very sure if we sat down with *some* of my code the same criticism could be made to more or lesser extent :-) ... getting better all the time as they sang once ;-)

> function clean_html ($dirty) {
>     $dirty = strip_tags($dirty);
>     $clean = htmlentities($dirty);
>     return $clean;
> }
>
> function clean_mysql ($dirty) {
>     $dirty = str_replace("--", "", $dirty);
>     $dirty = str_replace(";", "", $dirty);
>     $clean = mysql_real_escape_string($dirty);
>     return $clean;
> }
>
> Dotan Cohen
> http://what-is-what.com
> http://gibberish.co.il
> א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
>
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
Re: [PHP] unpack() big endian signed long?
On Jan 23, 2008 3:38 PM, Floor Terra [EMAIL PROTECTED] wrote:
> Hi,
>
> Is it possible to use unpack() to read a big endian signed long on a little endian machine?
>
> http://nl.php.net/pack refers to perl, on which this function is based. The php function unpack() doesn't seem to support the < and > modifiers like perl does.

did you see this in the comments on that page?

*info at dreystone dot com* 04-May-2005 02:31
http://us.php.net/manual/en/function.unpack.php#52527

Here is my solution to reading a Big-Endian formatted double on a Little-Endian machine.

<?php
function ToDouble($data) {
    // Probe the host byte order: pack 256 as a 16-bit machine-order short and
    // look at its first byte (0 on a little-endian host, 1 on a big-endian one).
    $t = unpack("C*", pack("S*", 256));
    if ($t[1] == 1) {
        // Host is big-endian: the bytes are already in the right order.
        $a = unpack("d*", $data);
    } else {
        // Host is little-endian: reverse the 8 bytes before unpacking.
        $a = unpack("d*", strrev($data));
    }
    return (double)$a[1];
}
?>

-nathan
Re: [PHP] unpack() big endian signed long?
On Jan 23, 2008 9:57 PM, Nathan Nobbe [EMAIL PROTECTED] wrote:
> On Jan 23, 2008 3:38 PM, Floor Terra [EMAIL PROTECTED] wrote:
> > Hi,
> >
> > Is it possible to use unpack() to read a big endian signed long on a little endian machine?
> >
> > http://nl.php.net/pack refers to perl, on which this function is based. The php function unpack() doesn't seem to support the < and > modifiers like perl does.
>
> did you see this in the comments on that page?

Yes. I guess I'm stuck with manual byte reversing. Someone at ##php on freenode.org told me it is possible, but didn't tell me how. It seems like an obvious feature.

Thanks for your time.

Floor Terra
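The question above (a big-endian signed long on a little-endian host) does not actually need the endianness probe from the php.net comment, because the 'N' format code is defined as 32-bit big-endian regardless of machine order; only the sign has to be restored by hand, since 'N' is unsigned. The following is an added example, not code from this thread or from php.net, and it assumes a 64-bit PHP build of 7.1 or later (unpack() gained its $offset argument in 7.1; later releases also added explicit byte-order codes for floats, E/e and G/g, which is the feature the thread found missing):

```php
<?php
// Added example (not from the thread): portable big-endian signed 32-bit
// decoding with unpack(). Assumes 64-bit PHP >= 7.1.
declare(strict_types=1);

/** Decode one big-endian signed 32-bit integer starting at $offset. */
function readInt32BE(string $bytes, int $offset = 0): int
{
    if (strlen($bytes) < $offset + 4) {
        throw new InvalidArgumentException('need 4 bytes at offset ' . $offset);
    }
    // 'N' is always 32-bit big-endian; on 64-bit PHP it yields 0..4294967295.
    $u = unpack('N', $bytes, $offset)[1];
    // Two's complement: a set top bit means a negative value. (On a 32-bit
    // build unpack() already returns the negative int, so this is a no-op.)
    return $u >= 0x80000000 ? $u - 0x100000000 : $u;
}

/** Decode a whole buffer of big-endian signed 32-bit integers. */
function readInt32BEArray(string $bytes): array
{
    if (strlen($bytes) % 4 !== 0) {
        throw new InvalidArgumentException('length must be a multiple of 4');
    }
    $out = [];
    foreach (unpack('N*', $bytes) as $u) {
        $out[] = $u >= 0x80000000 ? $u - 0x100000000 : $u;
    }
    return $out;
}

/** Inverse: encode a signed 32-bit integer as 4 big-endian bytes. */
function writeInt32BE(int $v): string
{
    if ($v < -0x80000000 || $v > 0x7FFFFFFF) {
        throw new InvalidArgumentException('value out of int32 range');
    }
    // Mask to the low 32 bits so negative values pack as their two's complement.
    return pack('N', $v & 0xFFFFFFFF);
}

// Constructed sample: -1, 1, INT32_MIN, INT32_MAX in big-endian byte order.
$sample = "\xFF\xFF\xFF\xFF"
        . "\x00\x00\x00\x01"
        . "\x80\x00\x00\x00"
        . "\x7F\xFF\xFF\xFF";

var_dump(readInt32BE($sample, 8) === -2147483648);
var_dump(readInt32BEArray($sample) === [-1, 1, -2147483648, 2147483647]);
var_dump(writeInt32BE(-2) === "\xFF\xFF\xFF\xFE");
var_dump(readInt32BE(writeInt32BE(-123456789)) === -123456789);
```

The same sign-fixing trick applies to 'n' for 16-bit values (threshold 0x8000, subtract 0x10000); for 64-bit values the 'J' code with no fix-up is enough on a 64-bit build, because PHP's native int is already signed 64-bit.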
Re: [PHP] Using mysql_real_escape_string without connecting to mysql
On 23/01/2008, Richard Lynch [EMAIL PROTECTED] wrote:
> On Wed, January 23, 2008 12:47 pm, Dotan Cohen wrote:
> > On 23/01/2008, Eric Butera [EMAIL PROTECTED] wrote:
> > > On Jan 22, 2008 8:01 PM, Dotan Cohen [EMAIL PROTECTED] wrote:
> >
> > However, I do not think that the script should throw an error until I actually call mysql_clean. Merely having it in an include should not throw an error if the function is not being used.
>
> If you get it to throw an error for a connection not present, then you ARE calling the function.

I just reviewed the code, and you are right. I call the include for the database connection (from outside the public directory) just before the mysql_query, which is _after_ I've cleaned the variables.

> You may not know where you called it in your rats' nest of OOP, but you are calling it. :-) :-) :-)

Yes, I was.

> The only errors PHP throws without calling functions are parse errors.

Good to know.

Dotan Cohen
http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Re: [PHP] Using mysql_real_escape_string without connecting to mysql
On 23/01/2008, mike [EMAIL PROTECTED] wrote:
> > It would be Real Nifty (tm) if the MySQL API had a function that let you specify the charset without a connection and did the escaping.
> >
> > Presumably you don't NEED a connection if you already know what charset thingie you are aiming at...
>
> I concur - it would be nice to have the capability to have a normal string escape function and give it a character set. I mean we should all be using utf-8 anyway, right?

I'd be interested in hearing an argument against UTF-8, other than the disk space argument.

> Right now I still use mysql_escape_string and it seems to work fine, but it makes me nervous as everything else I use is mysqli and I know it is not 100% compatible (just haven't had anything break it yet) - but I hate having to have a connection handle open just to escape things.

I think it was here on this list that we saw an example of SQL injection despite the use of mysql_escape_string. Some funky Asian charset was used, no?

Dotan Cohen
http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Re: [PHP] including files outside of document root
On Jan 23, 2008, at 2:42 PM, Richard Lynch wrote:
> On Wed, January 23, 2008 8:37 am, Jason Pruim wrote:
> > On Jan 22, 2008, at 3:57 PM, Jason Pruim wrote:
> > > Hi everyone,
> > >
> > > #1. When including files outside of the webroot do you need to specify the entire path? Like for me, that would be something like: /volumes/raider/webserver/includes/projectname/includeme.php or can I just stop at: /webserver/includes/projectname/includeme.php?
>
> Neither. :-)
>
> Figure out how PHP's include_path feature works and use that.
> http://php.net/set_include_path
>
> You should use set_include_path to define what directory[ies] PHP should search, and then just do:
>
> include 'includeme.php';

Okay, so I have this mostly working now! if I put my ini_set("include_path", "blah/to/balh"); on each and every page. I know I could include a file that is in the document root which specified that, but I was wondering if I was missing something? Obviously other than changing the php.ini file?

--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd ave
Holland, MI, 49424
www.raoset.com
[EMAIL PROTECTED]
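One arrangement that answers the "on each and every page" problem without touching php.ini is a single bootstrap file that every page requires, which is the only place that knows where the private code lives. The following is an added example, not code from this thread; the directory layout, the bootstrap name and the config.php/functions.php names are hypothetical, and it assumes PHP 7 or later. It also carries the check Dan Brown's scenario calls for: if the private directory has somehow ended up under the document root, refuse to run rather than rely on .htaccess to hide it.

```php
<?php
// Added example (not from the thread). Hypothetical layout:
//   /webserver/includes/projectname/          private code, outside the web root
//   /webserver/htdocs/projectname/            document root; pages live here
//   /webserver/htdocs/projectname/bootstrap.php   this file
// Every page then needs only: require_once __DIR__ . '/bootstrap.php';
declare(strict_types=1);

// Resolve the private directory relative to this file, not the working
// directory, so the same code works wherever the tree is checked out.
$privateDir = realpath(__DIR__ . '/../../includes/projectname');
if ($privateDir === false) {
    http_response_code(500);
    exit('private include directory is missing');
}

// Refuse to run if the private directory is inside the document root: an
// .htaccess that stops being honoured would expose the source (and any
// credentials in it), so treat that layout as a configuration error.
$docRoot = realpath($_SERVER['DOCUMENT_ROOT'] ?? __DIR__);
if ($docRoot !== false
    && strncmp($privateDir . DIRECTORY_SEPARATOR, $docRoot . DIRECTORY_SEPARATOR, strlen($docRoot) + 1) === 0) {
    http_response_code(500);
    exit('private includes are inside the document root');
}

// Put the private directory first so a same-named file elsewhere on the
// include_path cannot shadow it.
set_include_path($privateDir . PATH_SEPARATOR . get_include_path());

// From here on, pages include by bare name, as Richard suggested.
require_once 'config.php';
require_once 'functions.php';
```

The realpath() calls matter: they collapse symlinks and "..", so the containment check compares canonical paths rather than whatever string happened to be configured.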
Re: [PHP] Using mysql_real_escape_string without connecting to mysql
On 23/01/2008, Eric Butera [EMAIL PROTECTED] wrote:
> There isn't a reason to go and report a bug as their stuff works fine.

I would have filed a wish, not a bug. They are both filed in the bugzillas that I'm familiar with. In any case, I'm not filing as I've no account there and I'll not be filing many bugs for that software. If someone else wants to file a wish, be my guest.

> If you know you have utf8 and all that jazz then fine. The only reason you should use mysql escaping is right before you put a value into the database. To put a value in the database you must have a connection. So this really is a non-issue in my opinion.

No, I sanitize the values, and only then I decide if the value (now sanitized and safe to work with) should go to the database. And only if it's going to the database do I open a connection.

> Look at mysqli or pdo and start working with prepared statements. :)

Thanks, I will take a look at those!

Dotan Cohen
http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Re: [PHP] Using mysql_real_escape_string without connecting to mysql
On 23/01/2008, Jochem Maas [EMAIL PROTECTED] wrote:
> I can read, I saw 2 functions the first time. each function cleans *and* escapes. cleaning is filtering of input. escaping is preparing for output. 2 concepts.

I see your point.

> if the input needs to be stripped of html then it needs that regardless of the output vector. again removing or not-accepting input if it contains '--' is a question of filtering/validation ... besides which '--' is quite acceptable for data stored in a text field but not for a numeric one.

I'm not accepting -- at all until someone can show me a real world case where one would use it, without the intention of SQL injection. How can it be escaped, anyway?

> filter each piece of data
> validate each piece of data
> escape each piece of data for each context in which it will be output.

I see that you have more experience than I!

> imho your functions are conceptually wrong and not very robust either - don't take it as a personal attack - I'm very sure if we sat down with *some* of my code the same criticism could be made to more or lesser extent :-) ... getting better all the time as they sang once ;-)

I never thought that was a personal attack, not for a second. Rather, I very much appreciate the time you take to explain to me my errors. And I intend to learn from them. For the time being, I'll leave the code as it is. However, for future projects, I will make a point of separating the different functions.

Thanks.

Dotan Cohen
http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
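Three points in this thread fit one worked example: Jochem's filter / validate / escape-per-context separation, Eric's advice to move to mysqli or PDO prepared statements, and the question just above of how "--" could be escaped at all. The answer to the last one is that with a bound parameter nothing is escaped: the value never becomes part of the SQL text, so "--" and ";" are just characters. The following is an added example, not code from the thread or from any poster; it uses an in-memory SQLite database through PDO as a stand-in for MySQL so it runs without a server, and the 500-character limit and table layout are made up for the illustration.

```php
<?php
// Added example (not from the thread): filter, validate, then escape per
// output context. PDO + in-memory SQLite stands in for MySQL so this runs
// offline; the comment table and the length limit are constructed here.
declare(strict_types=1);

/** Step 1: filter. Normalise raw input without deciding what it is for. */
function filterText(string $raw): string
{
    // Drop ASCII control characters other than tab and newline, then trim.
    $clean = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $raw);
    return trim((string) $clean);
}

/** Step 2: validate. Reject what is not acceptable data for this field. */
function validateComment(string $text): string
{
    if (!mb_check_encoding($text, 'UTF-8')) {
        throw new InvalidArgumentException('comment is not valid UTF-8');
    }
    $len = mb_strlen($text, 'UTF-8');
    if ($len < 1 || $len > 500) {
        throw new InvalidArgumentException('comment must be 1-500 characters');
    }
    return $text;   // "--" and ";" are legitimate text and survive untouched
}

/** Step 3a: escape for the HTML context, and only at the point of output. */
function toHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Step 3b: for the SQL context, do not escape; bind the value as a parameter. */
function storeComment(PDO $db, string $author, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

function loadComment(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = $stmt->fetchColumn();
    return $body === false ? null : (string) $body;
}

// For MySQL the DSN would be 'mysql:host=...;dbname=...;charset=utf8mb4' with
// PDO::ATTR_EMULATE_PREPARES => false, so the server binds the values in the
// connection's own character set; that removes the escaping-without-a-
// connection problem the thread is circling around.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed input: exactly the kind of value clean_mysql() above would mangle.
$raw = "Robert'); DROP TABLE comments;-- <b>see above</b>";
$id  = storeComment($db, 'Dotan', validateComment(filterText($raw)));

$stored = loadComment($db, $id);
var_dump($stored === $raw);                                            // stored verbatim
var_dump((int) $db->query('SELECT COUNT(*) FROM comments')->fetchColumn() === 1);  // table intact
echo toHtml((string) $stored), PHP_EOL;                                // safe for the browser
```

Note what each layer is responsible for: filterText() knows nothing about SQL or HTML, validateComment() decides what a comment may contain, and the two output functions each handle exactly one context. Stripping "--" at input time, as clean_mysql() does, both damages legitimate data and gives no protection against the injections that do not use "--" at all.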
Re: [PHP] Using mysql_real_escape_string without connecting to mysql
Dotan Cohen wrote: On 23/01/2008, mike [EMAIL PROTECTED] wrote: It would be Real Nifty (tm) if the MySQL API had a function that let you specify the charset without a connection and did the escaping. Presumably you don't NEED a connection if you already know what charset thingie you are aiming at... I concur - it would be nice to have the capability to have a normal string escape function and give it a character set. I mean we should all be using utf-8 anyway, right? I'd be interested in hearing an argument against UTF-8, other than the disk space argument. Right now I still use mysql_escape_string and it seems to work fine, but it makes me nervous as everything else I use is mysqli and I know it is not 100% compatible (just haven't had anything break it yet) - but I hate having to have a connection handle open just to escape things. I think it was here on this list that we saw an example of SQL injection despite the use of mysql_escape_string. Some funky Asian charset was used, no? Nope. This article explains all I think: http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html -- Postgresql php tutorials http://www.designmagick.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Using mysql_real_escape_string without connecting to mysql
Right now I still use mysql_escape_string and it seems to work fine, but it makes me nervous as everything else I use is mysqli and I know it is not 100% compatible (just haven't had anything break it yet) - but I hate having to have a connection handle open just to escape things.

If you need to escape something you're going to do a query aren't you? Or am I missing something here?

--
Postgresql php tutorials
http://www.designmagick.com/
Re: [PHP] Using mysql_real_escape_string without connecting to mysql
Dotan Cohen wrote:

On 23/01/2008, Jochem Maas [EMAIL PROTECTED] wrote:

I can read, I saw 2 functions the first time. each function cleans *and* escapes. cleaning is filtering of input. escaping is preparing for output. 2 concepts.

I see your point.

if the input needs to be stripped of html then it needs that regardless of the output vector. again removing or not-accepting input if it contains '--' is a question of filtering/validation ... besides which '--' is quite acceptable for data stored in a text field but not for a numeric one.

I'm not accepting -- at all until someone can show me a real world case where one would use it, without the intention of SQL injection. How can it be escaped, anyway?

Depends on your app. -- is an accepted thing in emails as a marker for signatures.

Also in mysql_query ; is automatically handled, you can't send multiple queries to mysql_query and have them execute.

mysql_query() sends a unique query (multiple queries are not supported)

Not sure why the php guys have only done that for mysql_query but there you go :)

--
Postgresql php tutorials
http://www.designmagick.com/
Re: [PHP] including files outside of document root
On Jan 23, 2008 4:19 PM, Jason Pruim [EMAIL PROTECTED] wrote:

Okay, so I have this mostly working now! if I put my ini_set('include_path', 'blah/to/balh'); on each and every page. I know I could include a file that is in the document root which specified that, but I was wondering if I was missing something? Obviously other than changing the php.ini file?

You do know you can set overrides for PHP in .htaccess, or even have a whole php.ini file in the directory in which you're working, right? You can either set `php_flag include_path path/to/blah` in .htaccess (without the backticks, of course), or you can place a php.ini file in the same directory as the files to override the values (if they're INI_PERDIR or similar, anyway).

--
/Dan

Daniel P. Brown
Senior Unix Geek and #1 Rated Year's Coolest Guy By Self
Since Nineteen-Seventy-[mumble].
Re: [PHP] Using mysql_real_escape_string without connecting to mysql
Dotan Cohen schreef:

On 23/01/2008, Jochem Maas [EMAIL PROTECTED] wrote:

I can read, I saw 2 functions the first time. each function cleans *and* escapes. cleaning is filtering of input. escaping is preparing for output. 2 concepts.

I see your point.

if the input needs to be stripped of html then it needs that regardless of the output vector. again removing or not-accepting input if it contains '--' is a question of filtering/validation ... besides which '--' is quite acceptable for data stored in a text field but not for a numeric one.

I'm not accepting -- at all until someone can show me a real world case where one would use it, without the intention of SQL injection. How can it be escaped, anyway?

I might just want to put '--' in a textfield used as the basis for content for a webpage. just because I want to. the most pertinent example are wikis, they use '--' as markup (which is usually transformed into an <hr /> when the results are output for viewing ... but obviously you want the original markup when editing.

INSERT INTO foo (textfield) VALUES ('--');

nothing to escape in the case of those chars being part of a string, the escaping mechanism [hopefully] ensures that a given string will never contain a byte sequence that the query parser will misinterpret as a sign to end the string (before the last intended quote delimiter) prematurely and thereby treat the remainder of the input string as SQL.

filter each piece of data
validate each piece of data
escape each piece of data for each context in which it will be output.

I see that you have more experience than I!

imho your functions are conceptually wrong and not very robust either - don't take it as a personal attack - I'm very sure if we sat down with *some* of my code the same criticism could be made to more or lesser extent :-) ... getting better all the time as they sang once ;-)

I never thought that was a personal attack, not for a second. Rather, I very much appreciate the time you take to explain to me my errors. And I intend to learn from them. For the time being, I'll leave the code as it is. However, for future projects, I will make a point of separating the different functions. Thanks.

Dotan Cohen
http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Re: [PHP] Using mysql_real_escape_string without connecting to mysql
On 23/01/2008, Chris [EMAIL PROTECTED] wrote:

I'm not accepting -- at all until someone can show me a real world case where one would use it, without the intention of SQL injection. How can it be escaped, anyway?

Depends on your app. -- is an accepted thing in emails as a marker for signatures.

You win that one.

Also in mysql_query ; is automatically handled, you can't send multiple queries to mysql_query and have them execute. mysql_query() sends a unique query (multiple queries are not supported)

Very nice to know this. Thanks.

Dotan Cohen
http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Re: [PHP] Using mysql_real_escape_string without connecting to mysql
On 23/01/2008, Jochem Maas [EMAIL PROTECTED] wrote:

Dotan Cohen schreef:

I'm not accepting -- at all until someone can show me a real world case where one would use it, without the intention of SQL injection. How can it be escaped, anyway?

I might just want to put '--' in a textfield used as the basis for content for a webpage. just because I want to. the most pertinent example are wikis, they use '--' as markup (which is usually transformed into an <hr /> when the results are output for viewing ... but obviously you want the original markup when editing.

Just because I want to is not a real world example. The wiki bit is.

INSERT INTO foo (textfield) VALUES ('--');

nothing to escape in the case of those chars being part of a string, the escaping mechanism [hopefully] ensures that a given string will never contain a byte sequence that the query parser will misinterpret as a sign to end the string (before the last intended quote delimiter) prematurely and thereby treat the remainder of the input string as SQL.

Is the -- here not treated as the beginning of an SQL comment?

Dotan Cohen
http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Re: [PHP] Using mysql_real_escape_string without connecting to mysql
On Jan 22, 2008 7:01 PM, Dotan Cohen [EMAIL PROTECTED] wrote: I have a file of my own functions that I include in many places. One of them uses mysql_real_escape_string, however, it may be called in a context that will or will not connect to a mysql server, and worse, may already be connected. So I must avoid connecting. However, when I run the script without connecting I get this error: Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user: '[EMAIL PROTECTED]' (Using password: NO) I was thinking about checking if there is a connection, and if not then connecting. This seems redundant to me, however. What is the list's opinion of this situation? Thanks in advance. Dotan Cohen http://what-is-what.com http://gibberish.co.il א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? Why not write a function that does the same thing? mysql_real_escape_strings is a very simple function. And if your data is properly normalized and you don't support other charsets its very simple.
[PHP] Dealing with MSXML2.ServerXMLHTTP objects
For a project at work, I'm writing a PHP script that will process XML generated and sent by an MSXML2.ServerXMLHTTP object that lives on another server. The XML will be sent via POST, but I'm not sure how to deal with it. It doesn't look, to me, as though XMLRPC is called for in this case, but I'm not entirely sure how to deal with the incoming data. Any suggestions would be more than welcome. -- Richard S. Crawford ([EMAIL PROTECTED]) http://www.mossroot.com Publisher and Editor in Chief, Daikaijuzine (http://www.daikaijuzine.com)
Re: [PHP] Using mysql_real_escape_string without connecting to mysql
On 24/01/2008, Chuck [EMAIL PROTECTED] wrote: Why not write a function that does the same thing? mysql_real_escape_strings is a very simple function. And if your data is properly normalized and you don't support other charsets its very simple. Maintenance and security seem to be two very good reasons to use the built in function. Do the more experienced in attendance think differently? Should I go ahead and reimplement the function specific to the UTF-8 charset? Dotan Cohen http://what-is-what.com http://gibberish.co.il א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing?
Re: [PHP] Using mysql_real_escape_string without connecting to mysql
On 1/23/08, Chris [EMAIL PROTECTED] wrote:

If you need to escape something you're going to do a query aren't you? Or am I missing something here?

true. but i typically have everything in wrapper functions, and i don't keep the actual resource variable exposed to use it (since it needs a resource) would be great just to have a string escape with charset, or just pass it the charset and not the db connection handle.
Re: [PHP] Using mysql_real_escape_string without connecting to mysql
Chuck schreef:

On Jan 22, 2008 7:01 PM, Dotan Cohen [EMAIL PROTECTED] wrote:

I have a file of my own functions that I include in many places. One of them uses mysql_real_escape_string, however, it may be called in a context that will or will not connect to a mysql server, and worse, may already be connected. So I must avoid connecting. However, when I run the script without connecting I get this error:

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user: '[EMAIL PROTECTED]' (Using password: NO)

I was thinking about checking if there is a connection, and if not then connecting. This seems redundant to me, however. What is the list's opinion of this situation?

Thanks in advance.

Dotan Cohen
http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Why not write a function that does the same thing? mysql_real_escape_strings is a very simple function. And if your data is properly normalized and you don't support other charsets its very simple.

does simple include detection of characters that are multiple bytes in length? given that he uses UTF-8 which is a variable-byte encoding scheme.
Re: [PHP] Dealing with MSXML2.ServerXMLHTTP objects
On Wed, January 23, 2008 4:11 pm, Richard S. Crawford wrote:

For a project at work, I'm writing a PHP script that will process XML generated and sent by an MSXML2.ServerXMLHTTP object that lives on another server. The XML will be sent via POST, but I'm not sure how to deal with it. It doesn't look, to me, as though XMLRPC is called for in this case, but I'm not entirely sure how to deal with the incoming data. Any suggestions would be more than welcome.

Check out the results of searching for raw post data on http://php.net

Should be what you want, I think.

--
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?
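An added example, not Richard S. Crawford's script and not from the list: a PHP handler that reads the raw POST body from php://input (where the php.net search above leads) and parses it with DOMDocument while keeping entity expansion off. That is the check a practitioner wants when the XML arrives from another machine: a document that declares its own entities can otherwise pull local files or network resources into the parse. The element names in the sample document, the size limit and the content-type check are assumptions; the sample is constructed here, not captured from MSXML2.ServerXMLHTTP.

```php
<?php
// Added example, not code from the list thread.  Runs offline on the
// constructed sample below; handle_request() is what a real endpoint calls.

/**
 * Parse an XML body into a DOMDocument.  External entities are never loaded
 * (no network, no local files), and any document carrying a DTD is rejected
 * outright, so an <!ENTITY e SYSTEM "file:///etc/passwd"> payload fails
 * instead of being expanded.  Throws RuntimeException on bad input.
 */
function parse_xml_body(string $raw, int $maxBytes = 1 << 20): DOMDocument
{
    if ($raw === '' || strlen($raw) > $maxBytes) {
        throw new RuntimeException('empty or oversized body');
    }
    if (stripos($raw, '<!DOCTYPE') !== false || stripos($raw, '<!ENTITY') !== false) {
        throw new RuntimeException('DTDs are not accepted');
    }
    $prev = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->resolveExternals   = false;
    $doc->substituteEntities = false;
    // LIBXML_NONET forbids network access.  Do NOT add LIBXML_NOENT or
    // LIBXML_DTDLOAD: either one turns entity expansion back on.
    $ok = $doc->loadXML($raw, LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        $msg = $errors ? trim($errors[0]->message) : 'unknown error';
        throw new RuntimeException('malformed XML: ' . $msg);
    }
    return $doc;
}

/** Endpoint entry point: insist on an XML content type, then parse the body. */
function handle_request(): DOMDocument
{
    $ctype = $_SERVER['CONTENT_TYPE'] ?? '';
    if (stripos($ctype, 'xml') === false) {
        throw new RuntimeException('expected an XML content type, got ' . $ctype);
    }
    return parse_xml_body((string) file_get_contents('php://input'));
}

// Constructed sample of the kind of document the other server might POST.
// Element and attribute names are assumptions, not the real payload.
$sample = '<?xml version="1.0" encoding="UTF-8"?>'
        . '<order id="42"><item sku="A-1" qty="2"/><item sku="B-7" qty="1"/></order>';
$doc = parse_xml_body($sample);
foreach ($doc->getElementsByTagName('item') as $item) {
    printf("sku=%s qty=%s\n", $item->getAttribute('sku'), $item->getAttribute('qty'));
}

// A constructed external-entity attempt is rejected before libxml sees it.
$evil = '<?xml version="1.0"?>'
      . '<!DOCTYPE x [<!ENTITY e SYSTEM "file:///etc/passwd">]><x>&e;</x>';
try {
    parse_xml_body($evil);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Rejecting every DTD is a deliberate choice: a cooperating sender of application XML has no reason to ship one, and refusing it up front is simpler to reason about than tracking which libxml flags are safe on which libxml2 version.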
Re: [PHP] Using mysql_real_escape_string without connecting to mysql
On Wed, January 23, 2008 4:04 pm, Dotan Cohen wrote:

Is the -- here not treated as the beginning of an SQL comment?

No, because it is inside the apostrophes.

The purpose of mysql_real_escape_string (or using prepared statements) is to mark up (or separate) the DATA from the QUERY.

The data about to be put into the database being escaped by mysql_real_escape_string is sufficient to be sure nobody is playing games with apostrophe followed by -- which could, in theory, insert an SQL comment or allow them to execute arbitrary SQL code.

--
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?
Re: [PHP] Using mysql_real_escape_string without connecting to mysql
On Wed, January 23, 2008 3:18 pm, Dotan Cohen wrote:

I think it was here on this list that we saw an example of SQL injection despite the use of mysql_escape_string. Some funky Asian charset was used, no?

I don't know that I'd call it funky, but yes.

Without the "real", MySQL does not know what charset you are using.

Without the charset, MySQL does not know what character codes to escape.

Without that, characters that it thinks are fine because it assumes Latin-1 (or whatever) are not, in fact, fine because they are NOT Latin-1.

--
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?
Re: [PHP] Using mysql_real_escape_string without connecting to mysql
On Wed, January 23, 2008 3:30 pm, Chris wrote:

Right now I still use mysql_escape_string and it seems to work fine, but it makes me nervous as everything else I use is mysqli and I know it is not 100% compatible (just haven't had anything break it yet) - but I hate having to have a connection handle open just to escape things.

If you need to escape something you're going to do a query aren't you? Or am I missing something here?

One Example:

Perhaps you have a zillion chunks of data which you wish to cram into a text file for insertion on a different box at a later time, as quickly as possible, without the encoding happening on that box, for whatever reason...

Not, perhaps, the most common scenario, and not, perhaps, the best way to solve whatever led there, but it's not a totally unreasonable thing.

--
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?
Re: [PHP] including files outside of document root
On Wed, January 23, 2008 1:50 pm, Roberto Mansfield wrote:

Jason Pruim wrote:

Been doing some reading on security and have decided that I should be storing my include files outside of the document root... Which I understand how to do it, but what I'm wondering, is say I write the Next Killer App (tm). How would I port that code easily off of my server and put it into a downloadable file for the millions of people who will download and run the Next Killer App (tm)?

I tend to keep the directories in the document root, but I deny access via an .htaccess file. This keeps the code in a simple directory structure. Anyone else doing that?

I used to do that.

Then I had to move the site one day.

Simple enough...

tar -cvf moving.tar httpdocs
gzip moving.tar

Copy the file over, and untar it:

tar -xzvf moving.tar.gz

Should be all good to go, right?

Wrong!

tar didn't snag all the .htaccess files.

For a brief moment in time my source code was exposed. And the admin had no password protection. And the images being generated by PHP|GD didn't work. And...

I found and fixed it easily enough, but it would have gone undetected for a long time if I hadn't had the other issues.

So I don't do that anymore, and I put the .inc files outside the web tree.

ymmv

--
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?
Re: [PHP] including files outside of document root
On Wed, January 23, 2008 3:19 pm, Jason Pruim wrote:

Okay, so I have this mostly working now! if I put my ini_set('include_path', 'blah/to/balh'); on each and every page. I know I could include a file that is in the document root which specified that, but I was wondering if I was missing something? Obviously other than changing the php.ini file?

Change php.ini or use .htaccess (if you use Apache) or have ONE include file in the webtree that does this and include that.

--
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?
[PHP] Posting Summary for Week Ending 25 January, 2008: php-general@lists.php.net
Posting Summary for PHP-General List
Week Ending: Friday, 25 January, 2008

Messages    | Bytes          | Sender
------------+----------------+---------------------------------
697 (100%)  | 975244 (100%)  | EVERYONE
690 (98.9%) | 974000 (99.8%) | Richard Lynch [EMAIL PROTECTED]
7 (1.1%)    | 1244 (0.2%)    | everyone else
Re: [PHP] Posting Summary for Week Ending 25 January, 2008: php-general@lists.php.net
On Jan 23, 2008 6:57 PM, Jochem Maas [EMAIL PROTECTED] wrote:

Posting Summary for PHP-General List
Week Ending: Friday, 25 January, 2008

Messages    | Bytes          | Sender
------------+----------------+---------------------------------
697 (100%)  | 975244 (100%)  | EVERYONE
690 (98.9%) | 974000 (99.8%) | Richard Lynch [EMAIL PROTECTED]
7 (1.1%)    | 1244 (0.2%)    | everyone else

Aside from the fact that I'm sure to get hate mail from people who think my script just sent that again HA! Dude, I laughed so loud that it echoed in the halls of the Engineering Wing over here. What makes it so funny? That it's not much of an exaggeration! ;-D

--
/Dan

Daniel P. Brown
Senior Unix Geek and #1 Rated Year's Coolest Guy By Self
Since Nineteen-Seventy-[mumble].
Re: [PHP] Posting Summary for Week Ending 25 January, 2008: php-general@lists.php.net
Daniel Brown schreef:

On Jan 23, 2008 6:57 PM, Jochem Maas [EMAIL PROTECTED] wrote:

Posting Summary for PHP-General List
Week Ending: Friday, 25 January, 2008

Messages    | Bytes          | Sender
------------+----------------+---------------------------------
697 (100%)  | 975244 (100%)  | EVERYONE
690 (98.9%) | 974000 (99.8%) | Richard Lynch [EMAIL PROTECTED]
7 (1.1%)    | 1244 (0.2%)    | everyone else

Aside from the fact that I'm sure to get hate mail from people who think my script just sent that again HA! Dude, I laughed so loud that it echoed in the halls of the Engineering Wing over here. What makes it so funny? That it's not much of an exaggeration! ;-D

very glad to raise a laugh :-) those without a sense of humour should leave the php highway at the next exit. ;-)

I guess I was bored, figured I'd have some fun and artificially boost my post stats while I'm at it ... I've been busy wracking my brain trying to figure out the setup for a load-balanced configuration for one of my major clients ... at least a system capable of migrating to loadbalancing ... global file system, virtual machines, all that jazz. I'm in over my head as usual.

nothing like a bit of comic relief to take the edge off.

oh and I'm gonna hold you to that beer one day :-)
Re: [PHP] Posting Summary for Week Ending 25 January, 2008: php-general@lists.php.net
On Jan 23, 2008 7:13 PM, Jochem Maas [EMAIL PROTECTED] wrote:

I guess I was bored, figured I'd have some fun and artificially boost my post stats while I'm at it ... I've been busy wracking my brain trying to figure out the setup for a load-balanced configuration for one of my major clients ... at least a system capable of migrating to loadbalancing ... global file system, virtual machines, all that jazz. I'm in over my head as usual.

Let me know (privately, of course) if you need a hand with anything. Even just someone to bounce ideas off. I've worked a pretty fair amount with load-balancing for some rather high-profile companies over the years.

oh and I'm gonna hold you to that beer one day :-)

We should hold an annual convention. Hell, I'd even host it. A houseful of drunk geeks? That's my kind of party (but Debs, the pre-wife, probably won't be invited ;-P ).

--
/Dan

Daniel P. Brown
Senior Unix Geek and #1 Rated Year's Coolest Guy By Self
Since Nineteen-Seventy-[mumble].
[PHP] upload issue
i am using this code on my form page:

<form action="uploadAd2.php" enctype="multipart/form-data" method="post" name="adForm" id="adForm">
<input type="hidden" name="donorID" value="<?php echo $_GET['ID']; ?>" />
<input type="hidden" name="MAX_FILE_SIZE" value="30" />
<input type="file" name="upload1" />
<input type="image" src="admin/images/next.png" name="Submit" alt="Submit Form" />

my upload code is below:

$uploaddir = 'admin/advertisements/';
$uploadfileTmp = basename($_FILES['upload1']['name']);
$uploadfile = $uploaddir . basename($_FILES['upload1']['name']);
if (move_uploaded_file($_FILES['upload1']['tmp_name'], $uploadfile)) {
    $FileName = $uploadfileTmp;
} else {
    echo "Error!";
    exit();
}

my error is:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, [EMAIL PROTECTED] and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.

---

any ideas? i have no access to error.log...
Re: [PHP] upload issue
On Wed, January 23, 2008 6:55 pm, nihilism machine wrote:

i am using this code on my form page:

<form action="uploadAd2.php" enctype="multipart/form-data" method="post" name="adForm" id="adForm">
<input type="hidden" name="donorID" value="<?php echo $_GET['ID']; ?>" />
<input type="hidden" name="MAX_FILE_SIZE" value="30" />
<input type="file" name="upload1" />
<input type="image" src="admin/images/next.png" name="Submit" alt="Submit Form" />

my upload code is below:

$uploaddir = 'admin/advertisements/';
$uploadfileTmp = basename($_FILES['upload1']['name']);
$uploadfile = $uploaddir . basename($_FILES['upload1']['name']);
if (move_uploaded_file($_FILES['upload1']['tmp_name'], $uploadfile)) {
    $FileName = $uploadfileTmp;
} else {
    echo "Error!";
    exit();
}

my error is:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, [EMAIL PROTECTED] and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.

Check the error_log of Apache. It will almost certainly have more info.

You'll have to cause the error again or know the time when it happened to find the error.

You should also make sure plain simple pages like <?php phpinfo() ?> work as expected.

--
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?
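An added example, not nihilism machine's code and not from the list: a validation step for the upload handler above. The posted version takes the client's filename (minus directories), trusts whatever bytes arrived, and moves the file straight into admin/advertisements/, which from the form's own paths looks web-served. The version below checks PHP's upload error code and the size, whitelists the extension, checks the real MIME type of the bytes rather than the client's claim, and stores under a random name in a directory that is assumed not to be served by the web server. The directory, the size limit and the allowed types are assumptions; the PNG in the demo is constructed in a temp file so the validation runs offline (move_uploaded_file() only works inside a real request).

```php
<?php
// Added example, not the poster's code.  Assumed values are marked.

const UPLOAD_DIR = '/var/www/uploads/advertisements';  // assumed; not under DocumentRoot
const MAX_BYTES  = 2 * 1024 * 1024;                    // assumed limit
const ALLOWED    = [                                    // extension => expected MIME type
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
];

/**
 * Validate one $_FILES entry and return the destination path to use.
 * Throws RuntimeException with a reason suitable for the log (not for
 * echoing to the user verbatim).
 */
function validate_upload(array $f): string
{
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . ($f['error'] ?? 'none'));
    }
    if (!isset($f['size']) || $f['size'] <= 0 || $f['size'] > MAX_BYTES) {
        throw new RuntimeException('bad size');
    }
    // The client name is consulted only for its extension, and only to pick
    // a whitelisted type; the name itself is discarded.
    $ext = strtolower(pathinfo($f['name'] ?? '', PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('extension not allowed: ' . $ext);
    }
    // Judge the bytes, not $f['type'], which the client sets.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($f['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content is $mime, not " . ALLOWED[$ext]);
    }
    // Random name: no collisions, no traversal, no attacker-chosen name.
    return UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
}

/** Full handler for a real request: validate, then move.  Returns the stored path. */
function store_upload(array $f): string
{
    $dest = validate_upload($f);
    if (!is_uploaded_file($f['tmp_name']) || !move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException('could not move uploaded file');
    }
    chmod($dest, 0640);
    return $dest;
}

// Offline demo: a constructed minimal PNG (signature plus an all-zero IHDR
// chunk, enough for libmagic to report image/png) and a fake $_FILES entry.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "\x89PNG\r\n\x1a\n" . "\0\0\0\rIHDR" . str_repeat("\0", 17));
$fake = [
    'name'     => '../../evil.php.png',   // ignored except for the ".png"
    'type'     => 'text/plain',           // ignored: client-controlled
    'tmp_name' => $tmp,
    'error'    => UPLOAD_ERR_OK,
    'size'     => filesize($tmp),
];
echo 'would store as: ', validate_upload($fake), "\n";

$fake['name'] = 'shell.php';              // extension not in the whitelist
try {
    validate_upload($fake);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
unlink($tmp);
```

Two notes on the posted form itself: MAX_FILE_SIZE is only a hint to the browser and is trivially changed by the client, so the server-side size check is the one that counts; and the hidden donorID field echoes $_GET['ID'] into the page unescaped, so wrap it in htmlspecialchars() before printing. None of this explains the 500, which only the Apache error_log will.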
Re: [PHP] Posting Summary for Week Ending 25 January, 2008: php-general@lists.php.net
On Thu, 2008-01-24 at 01:13 +0100, Jochem Maas wrote:

stats while I'm at it ... I've been busy wracking my brain trying to figure out the setup for a load-balanced configuration for one of my major clients ... at least a system capable of migrating to loadbalancing ... global file system, virtual machines, all that jazz. I'm in over my head as usual.

Have you taken a look at LVS yet? I presume that you are not attempting this on a Windows cluster - right?

http://www.linuxvirtualserver.org/

I just had to do the same thing for my University systems - come up with an architecture at least. If you would like the dox, let me know - they are all CC licensed.

--Paul

All Email originating from UWC is covered by disclaimer
http://www.uwc.ac.za/portal/public/portal_services/disclaimer.htm
Re: [PHP] Using mysql_real_escape_string without connecting to mysql
On 24/01/2008, Richard Lynch [EMAIL PROTECTED] wrote:

On Wed, January 23, 2008 4:04 pm, Dotan Cohen wrote:

Is the -- here not treated as the beginning of an SQL comment?

No, because it is inside the apostrophes.

The purpose of mysql_real_escape_string (or using prepared statements) is to mark up (or separate) the DATA from the QUERY.

The data about to be put into the database being escaped by mysql_real_escape_string is sufficient to be sure nobody is playing games with apostrophe followed by -- which could, in theory, insert an SQL comment or allow them to execute arbitrary SQL code.

In that case, the function:

function clean_mysql ($dirty) {
    $dirty = str_replace("--", "", $dirty);
    $dirty = str_replace(";", "", $dirty);
    $clean = mysql_real_escape_string($dirty);
    return $clean;
}

Can be reduced to:

function clean_mysql ($dirty) {
    $clean = mysql_real_escape_string($dirty);
    return $clean;
}

Which basically is the same as a simple mysql_real_escape_string? In other words, mysql_real_escape_string itself is safe from SQL injection?

Dotan Cohen
http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
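An added example, not part of the thread and not the list's code, covering three points raised above: Chuck's suggestion to reimplement mysql_real_escape_string as "a very simple function", Jochem's question about multi-byte characters, and Richard's explanation of the charset problem. It builds a connection-less escaper of the kind proposed and then checks whether the escaped value, placed between single quotes, still ends where intended when the server parses the bytes as single-byte characters versus as GBK. The GBK lead/trail byte ranges are the standard ones; the three inputs are constructed. The answer to the question just asked is therefore: mysql_real_escape_string is safe for a quoted string literal only when it knows the connection charset the bytes will be parsed in, which is exactly what the connection handle gives it and what mysql_escape_string or a hand-written copy lacks. The PDO function at the end is the prepared-statement route and assumes an already-connected $pdo.

```php
<?php
// Added example, not code from the list thread.  Runs offline; no MySQL.

/**
 * Connection-less escaper of the kind proposed in the thread.  It backslash-
 * escapes the bytes MySQL treats specially but knows nothing about the
 * connection charset; mysql_escape_string() behaves much like this.
 * For demonstration only.
 */
function naive_escape(string $s): string
{
    return strtr($s, [
        "\\" => "\\\\", "'" => "\\'", "\"" => "\\\"",
        "\0" => "\\0", "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z",
    ]);
}

/** Split bytes into one-byte characters (latin1-style parsing). */
function single_byte_chars(string $s): array
{
    return $s === '' ? [] : str_split($s);
}

/**
 * Split bytes the way a GBK-aware parser does: a lead byte 0x81-0xFE followed
 * by a trail byte 0x40-0xFE (except 0x7F) is one two-byte character.  Note
 * that 0x5C, the backslash, is a valid trail byte.
 */
function gbk_chars(string $s): array
{
    $out = [];
    for ($i = 0, $n = strlen($s); $i < $n; $i++) {
        $b = ord($s[$i]);
        if ($b >= 0x81 && $b <= 0xFE && $i + 1 < $n) {
            $t = ord($s[$i + 1]);
            if ($t >= 0x40 && $t <= 0xFE && $t !== 0x7F) {
                $out[] = $s[$i] . $s[$i + 1];
                $i++;
                continue;
            }
        }
        $out[] = $s[$i];
    }
    return $out;
}

/**
 * For an escaped value placed between single quotes, report whether an
 * unescaped quote ends the literal early, i.e. whether the rest of the value
 * would be parsed as SQL.  $chars is the parser's view of the bytes.
 */
function breaks_out(array $chars): bool
{
    for ($i = 0, $n = count($chars); $i < $n; $i++) {
        if ($chars[$i] === "\\") { $i++; continue; }   // backslash escapes the next char
        if ($chars[$i] === "'")  { return true; }      // literal terminated here
    }
    return false;
}

/** Escape naively, then judge the result under both parsers: [single-byte, gbk]. */
function check(string $input): array
{
    $esc = naive_escape($input);
    return [breaks_out(single_byte_chars($esc)), breaks_out(gbk_chars($esc))];
}

// Constructed inputs.  The third is the multi-byte trick: byte 0xBF followed
// by a quote.  Naive escaping yields BF 5C 27; a GBK parser reads BF 5C as
// one character, so the quote is no longer escaped.
$inputs = [
    '-- (wiki rule)'    => "--",
    "' OR 1=1 -- "      => "' OR 1=1 -- ",
    "\\xBF' OR 1=1 -- " => "\xbf' OR 1=1 -- ",
];
foreach ($inputs as $label => $value) {
    [$sb, $gbk] = check($value);
    printf("%-20s single-byte: %-7s gbk: %s\n",
        $label, $sb ? 'BROKEN' : 'safe', $gbk ? 'BROKEN' : 'safe');
}

/**
 * The route recommended in the thread: a prepared statement.  The value never
 * becomes part of the SQL text, so charset and '--' are irrelevant to safety.
 * $pdo is an assumed, already-connected PDO object; put the charset in its DSN
 * (e.g. ";charset=utf8mb4") so that even emulated prepares escape correctly.
 * Needs a live server, so it is only defined here.
 */
function insert_textfield(PDO $pdo, string $text): void
{
    $stmt = $pdo->prepare('INSERT INTO foo (textfield) VALUES (:t)');
    $stmt->execute([':t' => $text]);
}
```

Two caveats that the thread circles around: the bare "--" and the plain "' OR 1=1 --" are harmless under either parser once escaped, so stripping those strings buys nothing, while the 0xBF byte defeats the charset-blind escaper entirely. And escaping only ever protects a value inside quotes; a value interpolated unquoted into a numeric comparison is not protected by any escaper, which is one more reason to prefer placeholders.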
[PHP] String Issue
I have the following string on the address line

HTMLFiles/MenuDisplay.php?var=Thai%20Image&Item=1797&Action=add

I am trying to delete or replace the '&Item=1797&Action=add' (it is at the end of the string)

I am not familiar as much with those string functions, and if somebody can give me some suggestions. I will appreciated it.

Thank you in advance.
Re: [PHP] String Issue
On Wed, 2008-01-23 at 23:30 -0600, Johny Burns wrote:

I have the following string on the address line

HTMLFiles/MenuDisplay.php?var=Thai%20Image&Item=1797&Action=add

I am trying to delete or replace the '&Item=1797&Action=add' (it is at the end of the string)

I am not familiar as much with those string functions, and if somebody can give me some suggestions. I will appreciated it.

Thank you in advance.

You want the following functions:

http://www.php.net/manual/en/function.parse-url.php
http://www.php.net/manual/en/function.parse-str.php

Cheers,
Rob.
--
...
SwarmBuy.com - http://www.swarmbuy.com
Leveraging the buying power of the masses!
...
Re: [PHP] String Issue
Hi,

Try this:

$str = 'HTMLFiles/MenuDisplay.php?var=Thai%20Image&Item=1797&Action=add';
$str = preg_replace('/(&Item.*)$/', 'REPLACEMENT STRING', $str);

this should work.

Cheers,
V

-----Original Message-----
From: Johny Burns [EMAIL PROTECTED]
To: php-general@lists.php.net
Sent: Thu, 24 Jan 2008 11:00 am
Subject: [PHP] String Issue

I have the following string on the address line

HTMLFiles/MenuDisplay.php?var=Thai%20Image&Item=1797&Action=add

I am trying to delete or replace the '&Item=1797&Action=add' (it is at the end of the string)

I am not familiar as much with those string functions, and if somebody can give me some suggestions. I will appreciated it.

Thank you in advance.
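An added example, not V's reply and not from the list: the same edit done with the functions Rob pointed at (parse_url, parse_str) plus http_build_query, so the result does not depend on Item and Action being the last two parameters and the surviving values are re-encoded rather than copied through a regular expression. The URL is the one from the question; the second call reorders its parameters to show the difference.

```php
<?php
// Added example, not code from the list thread.  Runs offline.

/**
 * Remove the named query parameters from $url and return the rebuilt URL.
 * Scheme, host, port, path and fragment are preserved; userinfo is dropped
 * on purpose, since credentials have no business in a rebuilt link.
 */
function strip_query_params(string $url, array $names): string
{
    $parts = parse_url($url);
    if ($parts === false) {
        throw new InvalidArgumentException('unparseable URL');
    }
    $params = [];
    parse_str($parts['query'] ?? '', $params);   // decodes %20 etc. into $params
    foreach ($names as $n) {
        unset($params[$n]);
    }

    $out  = isset($parts['scheme']) ? $parts['scheme'] . '://' : '';
    $out .= $parts['host'] ?? '';
    $out .= isset($parts['port']) ? ':' . $parts['port'] : '';
    $out .= $parts['path'] ?? '';
    if ($params !== []) {
        // RFC 3986 encoding: a space goes back out as %20, not "+".
        $out .= '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    }
    $out .= isset($parts['fragment']) ? '#' . $parts['fragment'] : '';
    return $out;
}

// The URL from the question, then the same parameters in a different order;
// a regex anchored on "&Item" to end-of-string would handle only the first.
echo strip_query_params(
    'HTMLFiles/MenuDisplay.php?var=Thai%20Image&Item=1797&Action=add',
    ['Item', 'Action']
), "\n";
echo strip_query_params(
    'HTMLFiles/MenuDisplay.php?Item=1797&var=Thai%20Image&Action=add',
    ['Item', 'Action']
), "\n";
```

Both calls return HTMLFiles/MenuDisplay.php?var=Thai%20Image. The same function works for absolute URLs with a host and port, which is where hand-rolled string surgery usually starts going wrong.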