Re: [PHP] Spam opinions please

2009-10-20 Thread Peter van der Does
On Tue, 20 Oct 2009 14:31:53 -0400
"Gary"  wrote:

> I have several sites that are getting hit with form spam.  I have the
> script set up to capture the IP address so I know from where they
> come.  I found a short script that is supposed to stop these IP
> addresses from accessing the form page, it redirects the spammer to
> another page (I was going to redirect to a page that has lots of
> pop-ups, scantily clad men and offers of joy beyond imagination), but
> someone suggested I redirect to the Federal Trade Commission or
> perhaps the FBI.
> 
> Any thoughts on the script and its effectiveness?
> 
> <?php
> // blocked client addresses (placeholders); compared against the full REMOTE_ADDR
> $deny = array("111.111.111", "222.222.222", "333.333.333");
> if (in_array($_SERVER['REMOTE_ADDR'], $deny)) {
>     header("Location: http://www.google.com/");
>     exit();
> }
> ?>
> Gary
> 
> 

There are several options to stop spammers, although none of them will
completely eliminate all spam. For a forum I prefer the .htaccess
method.

There is a website dedicated to keeping track of forum spammers,
http://stopforumspam.com and  depending on your forum you could add an
anti-spam mod that will query their database. On the site they have
mods for phpbb, vBulletin and SMF.

I wrote a Python script that uses a Python Library that's also posted
on their site. The Python program basically uses an Apache log file for
the IPs, checks them at Stop Forum Spam and adds the spam IPs to
the .htaccess file. I have it set up in cron to run daily.
For a little bit more detailed description and the program itself:
http://blog.avirtualhome.com/2009/10/08/stop-spammers-in-your-htaccess/


-- 
Peter van der Does

GPG key: E77E8E98

IRC: Ganseki on irc.freenode.net
Twitter: @petervanderdoes

WordPress Plugin Developer
Blog: http://blog.avirtualhome.com
Forums: http://forums.avirtualhome.com
Twitter: @avhsoftware

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-20 Thread Ray Solomon
- Original Message - 
From: "Ashley Sheridan" 

To: "Dotan Cohen" 
Cc: "Jim Lucas" ; "php-general." 


Sent: Tuesday, October 20, 2009 4:02 AM
Subject: Re: [PHP] Sanitizing potential MySQL strings with no database 
connection




On Tue, 2009-10-20 at 12:58 +0200, Dotan Cohen wrote:


> Dotan,
>
> You are making this thing harder than it has to be.
>
> All you need is to replicate the escaping of the same characters that
> mysql_real_escape_string() escapes.  Simply do that.  They are listed 
> on the

> functions manual page on php.net
>
> http://php.net/mysql_real_escape_string
>



This thread is so long, I am surprised to see that nobody has yet recommended 
the use of the OWASP PHP filters.

It is still very good.

http://www.owasp.org/index.php/OWASP_PHP_Filters

If by chance someone already mentioned it, my bad.

Best Regards 






RE: [PHP] How to pronounce PHP code over the phone?

2009-10-20 Thread Daevid Vincent
 

> -Original Message-
> From: Dotan Cohen [mailto:dotanco...@gmail.com] 
> Sent: Friday, October 16, 2009 8:46 AM
> To: php-general.
> Subject: [PHP] How to pronounce PHP code over the phone?
> 
> How would you read this out loud if you were to read it to someone
> over the phone?
> 
> ($item->getServiceId() ? $item->getServiceId() : $item->getId());

Open paren. Dollar-sign "item" de-ref getServiceID method. Question mark.
Dollar-sign "item" de-ref getServiceID method again. Colon. 
Dollar-sign "item" de-ref getID method. Close up matching parenthesis.

http://en.wikipedia.org/wiki/Reference_%28computer_science%29

I would also suggest s/he and I use a tool such as:

http://snipt.org/oGg
http://pastebin.com/m5b1d82b2
http://pastie.org/662703
http://gist.github.com/214652

For more real-time collaboration and sharing of code fragments.

Daevid.
http://daevid.com





Re: [PHP] Spam opinions please

2009-10-20 Thread Kim Madsen

Gary wrote on 2009-10-20 22:55:
I like that idea, so in other words they have to get to the form from another 
page on the site, and you set a time limit for a minimum amount of time they 
spend on the page (5-10 seconds)?


I don't set any time, just the session to prevent direct hits from a 
spam script. But if you wanna improve the solution using a time check 
you could save a microtime() value in the session, then test it 
against the current time on the form page and have a minimum threshold that 
is accepted.


--
Kind regards
Kim Emax - masterminds.dk




Re: [PHP] Spam opinions please

2009-10-20 Thread Gary
I like that idea, so in other words they have to get to the form from another 
page on the site, and you set a time limit for a minimum amount of time they 
spend on the page (5-10 seconds)?

Gary


"Kim Madsen"  wrote in message 
news:4ade206f.6030...@emax.dk...
> Hey Gary
>
> Gary wrote on 2009-10-20 20:31:
>> I have several sites that are getting hit with form spam.  I have the 
>> script set up to capture the IP address so I know from where they come.
>
> I see that a lot suggested CAPTCHA, I don't like those either.
>
> The IP solution will give you a constant maintenance problem unless you 
> save the submissions in a database and look for similar postings, then 
> block the IPs. Or just block them right away if they suggest the usual 
> sheiitee like 400 euro casino rewards etc...
>
> What I've done to fix those issues when I had them was to set a session 
> var on the frontpage of the site and check on that. If it doesn't exist 
> when the user enters the page with the form, then I tell them and just 
> don't show the form. Of course the clever programmer can create a script 
> that first goes to the frontpage, then the form page, but so far I'm 
> pretty happy with the solution, no spam for 3 years :-)
>
> -- 
> Kind regards
> Kim Emax - masterminds.dk
>
>
> 











Re: [PHP] Please don't kick me!

2009-10-20 Thread Kim Madsen

Philip Thompson wrote on 2009-10-20 21:58:

I got it to draw the different background colors successfully. However, 
drawing borders is not as straight forward. I'm sure I could get it 
working as well... but I'd rather it work *out of the box*. Thanks for 
the suggestion. ;)


Well, you're always welcome to contribute to an open source project you 
take advantage of ;o)


--
Kind regards
Kim Emax - masterminds.dk




Re: [PHP] Spam opinions please

2009-10-20 Thread Gary
I have a honeypot in there already, another reason I think it is human spam 
and not da bot.

Gary


"Bastien Koert"  wrote in message 
news:d7b6cab70910201337v5c18284aya022f48e13943...@mail.gmail.com...
> On Tue, Oct 20, 2009 at 4:12 PM, Ashley Sheridan
>  wrote:
>> On Tue, 2009-10-20 at 21:01 +0200, John Black wrote:
>>
>>> Gary wrote:
>>> > I believe they are human spammers as all the input fields are correctly
>>> > filled out (phone in phone, address in address etc).
>>> > As I said they are mostly the same IP.
>>> > Would it be better to include this script in the processing script rather
>>> > than at the top of the page?
>>>
>>>
>>> If it is a fixed list of IPs you could add them to the .htaccess file like
>>> this:
>>>
>>> order allow,deny
>>> deny from xxx.xxx.xxx.xxx
>>> allow from all
>>>
>>> This way it is handled by your webserver and you don't need to run a
>>> script on every page.
>>>
>>> Keep in mind that a lot of comment spam is sent out from infected
>>> machines. So if the IPs belong to a big ISP it is possible to block a
>>> lot of users if you block the proxy.
>>> Check the IPs via Arin to be sure
>>> http://ws.arin.net/whois/
>>> I have noticed that a blocked spammer will sometimes reconnect from a
>>> totally different IP and resubmit the same information.
>>>
>>> Regarding the properly filled out forms, spam bots are pretty good about
>>> placing valid data into the correct fields, some are better than others.
>>>
>>> --
>>> John
>>>
>>
>>
>> I'd go with this method if you can, as it will take quite a load off of
>> your servers. However, try not to be too liberal with it, as it may end
>> up preventing genuine access if the spammers are coming from dynamic IP
>> addresses.
>>
>> Thanks,
>> Ash
>> http://www.ashleysheridan.co.uk
>>
>>
>>
>
> Add a hidden field that should not hold a value. Spam bots will try to
> fill all fields with that value, so if there is one send back a 404
> message to the bot and dump the record
>
> -- 
>
> Bastien
>
> Cat, the other other white meat
>
>
> 











Re: [PHP] Spam opinions please

2009-10-20 Thread Kim Madsen

Hey Gary

Gary wrote on 2009-10-20 20:31:
I have several sites that are getting hit with form spam.  I have the script 
set up to capture the IP address so I know from where they come.  


I see that a lot suggested CAPTCHA, I don't like those either.

The IP solution will give you a constant maintenance problem unless you 
save the submissions in a database and look for similar postings, then 
block the IPs. Or just block them right away if they suggest the usual 
sheiitee like 400 euro casino rewards etc...


What I've done to fix those issues when I had them was to set a session 
var on the frontpage of the site and check on that. If it doesn't exist 
when the user enters the page with the form, then I tell them and just 
don't show the form. Of course the clever programmer can create a script 
that first goes to the frontpage, then the form page, but so far I'm 
pretty happy with the solution, no spam for 3 years :-)


--
Kind regards
Kim Emax - masterminds.dk




Re: [PHP] Spam opinions please

2009-10-20 Thread Bastien Koert
On Tue, Oct 20, 2009 at 4:12 PM, Ashley Sheridan
 wrote:
> On Tue, 2009-10-20 at 21:01 +0200, John Black wrote:
>
>> Gary wrote:
>> > I believe they are human spammers as all the input fields are correctly
>> > filled out (phone in phone, address in address etc).
>> > As I said they are mostly the same IP.
>> > Would it be better to include this script in the processing script rather
>> > than at the top of the page?
>>
>>
>> If it is a fixed list of IPs you could add them to the .htaccess file like
>> this:
>>
>> order allow,deny
>> deny from xxx.xxx.xxx.xxx
>> allow from all
>>
>> This way it is handled by your webserver and you don't need to run a
>> script on every page.
>>
>> Keep in mind that a lot of comment spam is sent out from infected
>> machines. So if the IPs belong to a big ISP it is possible to block a
>> lot of users if you block the proxy.
>> Check the IPs via Arin to be sure
>> http://ws.arin.net/whois/
>> I have noticed that a blocked spammer will sometimes reconnect from a
>> totally different IP and resubmit the same information.
>>
>> Regarding the properly filled out forms, spam bots are pretty good about
>> placing valid data into the correct fields, some are better than others.
>>
>> --
>> John
>>
>
>
> I'd go with this method if you can, as it will take quite a load off of
> your servers. However, try not to be too liberal with it, as it may end
> up preventing genuine access if the spammers are coming from dynamic IP
> addresses.
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
>
>
>

Add a hidden field that should not hold a value. Spam bots will try to
fill all fields with that value, so if there is one send back a 404
message to the bot and dump the record

-- 

Bastien

Cat, the other other white meat
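The two suggestions above, Kim's front-page session stamp with an optional minimum dwell time and Bastien's empty honeypot field, combined in one form gate. This is an added example, not code from the thread; the session key `form_ok_since`, the honeypot name `website_url` and the 5 second threshold are this example's own choices.

```php
<?php
// Added example, not code from the thread. It combines Kim's session gate
// (a stamp set on the front page, checked on the form page, with an optional
// minimum dwell time) with Bastien's empty honeypot field. The session key
// 'form_ok_since', the honeypot name 'website_url' and the 5 s threshold
// are this example's own choices.

const MIN_DWELL_SECONDS = 5.0;           // lower end of Gary's 5-10 s idea
const HONEYPOT_FIELD    = 'website_url'; // hidden with CSS, must stay empty

// Front page (e.g. index.php): remember when this visitor first arrived.
function mark_front_page_visit(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['form_ok_since'])) {
        $_SESSION['form_ok_since'] = microtime(true);
    }
}

// Form page: null means "show the form", otherwise the reason to refuse.
function form_gate_reason(array $session, float $now): ?string
{
    if (!isset($session['form_ok_since'])) {
        return 'direct hit: no front-page stamp in the session';
    }
    $dwell = $now - (float) $session['form_ok_since'];
    if ($dwell < MIN_DWELL_SECONDS) {
        return sprintf('too fast: %.1fs on site, minimum is %.1fs', $dwell, MIN_DWELL_SECONDS);
    }
    return null;
}

// Submit handler: a filled honeypot means every field was auto-filled.
function honeypot_tripped(array $post): bool
{
    return isset($post[HONEYPOT_FIELD]) && trim((string) $post[HONEYPOT_FIELD]) !== '';
}

// Returns the HTTP status to send (via http_response_code()) and a reason
// for the server log; the record is only stored when status is 200.
function decide_submission(array $post, array $session, float $now): array
{
    if (($reason = form_gate_reason($session, $now)) !== null) {
        return ['status' => 403, 'reason' => $reason];
    }
    if (honeypot_tripped($post)) {
        // Bastien's suggestion: answer 404 and drop the record
        return ['status' => 404, 'reason' => 'honeypot field was filled'];
    }
    return ['status' => 200, 'reason' => 'accepted'];
}

// Constructed requests (not real traffic) against a fixed clock.
$now = 1256068800.0;
$cases = [
    'no session' => [['name' => 'Ann'], [], $now],
    'too fast'   => [['name' => 'Ann'], ['form_ok_since' => $now - 1.2], $now],
    'honeypot'   => [['name' => 'Ann', 'website_url' => 'http://example.invalid'],
                     ['form_ok_since' => $now - 30.0], $now],
    'genuine'    => [['name' => 'Ann', 'website_url' => ''],
                     ['form_ok_since' => $now - 30.0], $now],
];
foreach ($cases as $label => [$post, $session, $t]) {
    $d = decide_submission($post, $session, $t);
    printf("%-10s -> %d (%s)\n", $label, $d['status'], $d['reason']);
}
```

Keep the dwell threshold small: a genuine visitor who opens the form in a second tab straight from a bookmark is refused by the session check alone, so the log reason matters more than the status code.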




Re: [PHP] Spam opinions please

2009-10-20 Thread Ashley Sheridan
On Tue, 2009-10-20 at 21:01 +0200, John Black wrote:

> Gary wrote:
> > I believe they are human spammers as all the input fields are correctly 
> > filled out (phone in phone, address in address etc).
> > As I said they are mostly the same IP.
> > Would it be better to include this script in the processing script rather 
> > than at the top of the page?
> 
> 
> If it is a fixed list of IPs you could add them to the .htaccess file like 
> this:
> 
> order allow,deny
> deny from xxx.xxx.xxx.xxx
> allow from all
> 
> This way it is handled by your webserver and you don't need to run a 
> script on every page.
> 
> Keep in mind that a lot of comment spam is sent out from infected 
> machines. So if the IPs belong to a big ISP it is possible to block a 
> lot of users if you block the proxy.
> Check the IPs via Arin to be sure
> http://ws.arin.net/whois/
> I have noticed that a blocked spammer will sometimes reconnect from a 
> totally different IP and resubmit the same information.
> 
> Regarding the properly filled out forms, spam bots are pretty good about 
> placing valid data into the correct fields, some are better than others.
> 
> -- 
> John
> 


I'd go with this method if you can, as it will take quite a load off of
your servers. However, try not to be too liberal with it, as it may end
up preventing genuine access if the spammers are coming from dynamic IP
addresses.

Thanks,
Ash
http://www.ashleysheridan.co.uk




Re: [PHP] Spam opinions please

2009-10-20 Thread Ashley Sheridan
On Tue, 2009-10-20 at 15:46 -0300, Jonathan Tapicer wrote:

> On Tue, Oct 20, 2009 at 3:39 PM, Ashley Sheridan
>  wrote:
> >
> > On Tue, 2009-10-20 at 15:36 -0300, Jonathan Tapicer wrote:
> >
> > That will work just for one IP, but they could spam you from another
> > IP. I suggest you add a good captcha to the form and that way you can
> > avoid spam forever.
> >
> > Regards,
> >
> > Jonathan
> >
> > Firstly, in_array() is used in his example, so it will look for all the IP 
> > addresses in the array, not just one.
> >
> > Secondly, even the best captchas can be got around. Just look at what 
> > happened to Google a while back. And then what if you make the captcha too 
> > hard to discern? You'd essentially be breaking the law by impeding hard of 
> > seeing or blind users...
> >
> > Thanks,
> > Ash
> > http://www.ashleysheridan.co.uk
> >
> >
> 
> Even if he puts a list or range of IPs he could always be attacked
> from an IP not in that list/range.
> 
> About the blind users, he can use recaptcha (recently acquired by
> Google), http://recaptcha.net/, which has an audio version captcha.
> 
> I'm not saying that the filter by IP won't work, but it won't be 100%
> effective, and a captcha will.
> 
> Regards,
> 
> Jonathan
> 


You still missed the point I made about Google's captcha being
circumvented by bots. Also, as he's stated a few times, the entries are
made by humans. I know of no captchas which stop only spammers...

Thanks,
Ash
http://www.ashleysheridan.co.uk




Re: [PHP] Please don't kick me!

2009-10-20 Thread Philip Thompson

On Oct 20, 2009, at 2:40 PM, Floyd Resler wrote:

As far as I know ezPDF can't do what you want it to do.  Of course,  
you could always modify the code to suit your needs.  Since it  
already draws tables it probably wouldn't be too difficult to modify  
it to draw row backgrounds of different colors.


Take care,
Floyd


I got it to draw the different background colors successfully.  
However, drawing borders is not as straight forward. I'm sure I could  
get it working as well... but I'd rather it work *out of the box*.  
Thanks for the suggestion. ;)


~Phil



On Oct 20, 2009, at 3:25 PM, Philip Thompson wrote:


On Oct 19, 2009, at 4:21 PM, Floyd Resler wrote:

Nope.  I've never had any troubles with it.  I've been able to  
produce all kinds of PDFs including loan agreements, inventory  
pick lists with barcodes, and various others.  I find it  
incredibly powerful and easy to use.


Take care,
Floyd


Sorry if this is slightly OT.

I've been messing around with ezPdf for a little bit and it doesn't  
appear to be able to allow for custom background colors or borders  
on a per-row basis. Meaning, I have the option to color every other  
line a single color... but I can't color every line a different  
color if I want. Am I missing something here?


Basically, with the reports I'm currently generating, every row  
could be a different color than the previous - it depends on  
various factors. This is easy to accomplish with HTML/CSS. If this  
isn't possible (or at least easily-accomplishable), then ezPdf may  
not be for me.


Thanks,
~Philip





Re: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-20 Thread Jim Lucas
Jim Lucas wrote:
> Dotan Cohen wrote:
>> 2009/10/19 Kim Madsen :
>>> Dotan Cohen wrote on 2009-10-18 21:21:
>>>
 I thought that one could not test if a database connection is
 established or not, this is the most relevant thing that I found while
 googling that:
 http://bugs.php.net/bug.php?id=29645
>>> from http://www.php.net/manual/en/function.mysql-connect.php
>>>
>>> $link = mysql_connect('localhost', 'mysql_user', 'mysql_password');
>>> if (!$link) {
>>>die('Could not connect: ' . mysql_error());
>>> }
>>>
>>> So just test if $link is available
>>>
>> I need to know if there is _any_ connection available, not a specific
>> connection. In one script it may be $link but in another $connection.
>>
> 
> Dotan,
> 
> You are making this thing harder than it has to be.
> 
> All you need is to replicate the escaping of the same characters that
> mysql_real_escape_string() escapes.  Simply do that.  They are listed on the
> functions manual page on php.net
> 
> http://php.net/mysql_real_escape_string
> 
> Here is a function that I mocked up really quick.
> 
> I have no idea if it will work, but it is a start down the right road to solve
> your problem(s)...
> 
> <?php
> function clean_string($input) {
> 
>   /**
>* Character to escape...
>*  \x0 \n  \r  \   '   "   \x1a
>   **/
> 
>   $patterns = array( "\x0",   "\n", "\r", "\\",   "'","\"", "\x1a");
>   $replace = array(  '\\\x0', '\n', '\r', '', '\\\'', '\\"',  '\\\x1a');
>   return str_replace($patterns, $replace, $input);
> }
> 
> ?>
> 
> Jim Lucas
> 

So, actually taking a minute to read up on addcslashes(), it is a rather handy
little function.

Taking the list of characters that mysql_real_escape_string() says it escapes:

http://us3.php.net/mysql_real_escape_string

Which it lists: \x00, \n, \r, \, ', " and \x1a

\0  = \x0
\10 = \n
\13 = \r
\92 = \
\44 = '
\34 = "
\26 = \x1a

You could do something like this.

function cleaner($input) {
    // PHP double-quoted escapes for the seven characters: NUL, LF, CR,
    // backslash, single quote, double quote and Ctrl-Z (0x1a)
    return addcslashes($input, "\0\n\r\\'\"\x1a");
}

Maybe this will help...

Jim




Re: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-20 Thread Nisse Engström
On Tue, 20 Oct 2009 20:04:51 +0200, Nisse Engström wrote:

> On Mon, 19 Oct 2009 15:39:40 -0700, Jim Lucas wrote:
> 
>>   /**
>>* Character to escape...
>>* \x0 \n  \r  \   '   "   \x1a
>>   **/
>> 
>>   $patterns = array( "\x0",   "\n", "\r", "\\",   "'","\"", "\x1a");
>>   $replace = array(  '\\\x0', '\n', '\r', '', '\\\'', '\\"',  '\\\x1a');
>>   return str_replace($patterns, $replace, $input);
>> }
> 
> Not only does this not do quite what mysql_escape_string()

Brain fart. I was looking at the wrong list of characters
that should be escaped.

> does, but it also fails to not do so spectacularly.

Still...


/Nisse




Re: [PHP] Please don't kick me!

2009-10-20 Thread Floyd Resler
As far as I know ezPDF can't do what you want it to do.  Of course,  
you could always modify the code to suit your needs.  Since it  
already draws tables it probably wouldn't be too difficult to modify  
it to draw row backgrounds of different colors.


Take care,
Floyd

On Oct 20, 2009, at 3:25 PM, Philip Thompson wrote:


On Oct 19, 2009, at 4:21 PM, Floyd Resler wrote:

Nope.  I've never had any troubles with it.  I've been able to  
produce all kinds of PDFs including loan agreements, inventory pick  
lists with barcodes, and various others.  I find it incredibly  
powerful and easy to use.


Take care,
Floyd


Sorry if this is slightly OT.

I've been messing around with ezPdf for a little bit and it doesn't  
appear to be able to allow for custom background colors or borders  
on a per-row basis. Meaning, I have the option to color every other  
line a single color... but I can't color every line a different  
color if I want. Am I missing something here?


Basically, with the reports I'm currently generating, every row  
could be a different color than the previous - it depends on various  
factors. This is easy to accomplish with HTML/CSS. If this isn't  
possible (or at least easily-accomplishable), then ezPdf may not be  
for me.


Thanks,
~Philip




Re: [PHP] Using setters/getters with array of objects

2009-10-20 Thread mbneto
Hi Tommy,

I've found both approaches (using setter/getter) as
recommended/non-recommended in documentation so this will be a difficult
decision. Unfortunately I won't be able to take your way since the Email
class (simplified in the example) is going to be used in other classes as
well.


On Sun, Oct 18, 2009 at 1:24 PM, Tommy Pham  wrote:

> - Original Message 
> > From: mbneto 
> > To: php-general@lists.php.net
> > Sent: Sun, October 18, 2009 8:31:53 AM
> > Subject: [PHP] Using setters/getters with array of objects
> >
> > Hi,
> >
> > I have two classes User and Email where one User can have many Emails so
> > I've done like this
> >
> > class Email
> > {
> >     protected $_email;
> >
> >     public function __get($name)
> >     {
> >         $property = '_' . $name;
> >         return $this->$property;
> >     }
> >
> >     public function __set($name, $value)
> >     {
> >         $property = '_' . $name;
> >         $this->$property = $value;
> >     }
> > }
> >
> >
> > class User
> > {
> >     protected $_name;
> >     protected $_emails = array();
> >
> >     public function __get($name)
> >     {
> >         $property = '_' . $name;
> >         return $this->$property;
> >     }
> >
> >     public function __set($name, $value)
> >     {
> >         $property = '_' . $name;
> >         $this->$property = $value;
> >     }
> >
> > }
> >
> > So I'd like to
> >
> > $u = new User();
> > $u->name = '';
> >
> > $e = new Email();
> > $e->email = 'x...@.com';
> >
> > $u->emails[] = $e;
> >
> > But that does not work.  I've managed to achieve similar result using a
> > different setter in User
>
> Of course it doesn't work because you didn't have 'set' method for the
> protected $_emails.
> http://www.php.net/manual/en/language.oop5.visibility.php
>
> >
> > public function __set($name, $value)
> > {
> >     $property = '_' . $name;
> >
> >     switch($name)
> >     {
> >         case 'emails':
> >             array_push($this->$property, $value);
> >             break;
> >
> >         default:
> >             $this->$property = $value;
> >     }
> > }
> >
> > And then
> >
> > $u = new User();
> > $u->name = '';
> >
> > $e = new Email();
> > $e->email = 'x...@.com';
> >
> > $u->emails = $e;
> >
> > But this can confuse the programmer.  Any ideas of why it is not working?
>
> I suggest you don't use magic methods as it's too ambiguous and hard to
> expand your code later.  Your 2 classes could be summarized as 1 class
> below:
>
> class User
> {
>     protected $_name;
>     protected $_emails = array();
>
>     public function getName()
>     {
>         return $this->_name;
>     }
>
>     public function setName($value)
>     {
>         $this->_name = $value;
>     }
>
>     public function getEmails()
>     {
>         // property access, not a method call
>         return $this->_emails;
>     }
>
>     public function setEmails($arrayList)
>     {
>         $this->_emails = $arrayList;
>     }
>
>     public function setEmail($name, $value)
>     {
>         $this->_emails[$name] = $value;
>     }
>
>     public function getEmail($name)
>     {
>         if (isset($this->_emails[$name]))
>             return $this->_emails[$name];
>         else
>             return null;
>     }
> }
>
> $u = new User();
> $u->setName('jon doe');
> $u->setEmail('email1', 'j...@inter.net');
>
> Regards,
> Tommy
>
>
>
>


RE: [PHP] Spam opinions please

2009-10-20 Thread Yuri Yarlei

I agree, a good captcha will be better, but the idea to redirect can be better: 
you can save the IP in the DB and send them to the FBI periodically.


Yuri Yarlei.
www.yuriyarlei.net (under construction)
Programmer PHP, CSS, Java, PostgreSQL;
Today PHP, tomorrow Java, after the world.
Kyou wa PHP, ashita wa Java, sono ato sekai desu.



 
> Date: Tue, 20 Oct 2009 15:36:04 -0300
> From: tapi...@gmail.com
> To: gwp...@ptd.net
> CC: php-general@lists.php.net
> Subject: Re: [PHP] Spam opinions please
> 
> That will work just for one IP, but they could spam you from another
> IP. I suggest you add a good captcha to the form and that way you can
> avoid spam forever.
> 
> Regards,
> 
> Jonathan
> 
> On Tue, Oct 20, 2009 at 3:31 PM, Gary  wrote:
> > I have several sites that are getting hit with form spam.  I have the script
> > set up to capture the IP address so I know from where they come.  I found a
> > short script that is supposed to stop these IP addresses from accessing the
> > form page, it redirects the spammer to another page (I was going to redirect
> > to a page that has lots of pop-ups, scantily clad men and offers of joy
> > beyond imagination), but someone suggested I redirect to the Federal Trade
> > Commission or perhaps the FBI.
> >
> > Any thoughts on the script and its effectiveness?
> >
> > <?php
> > // blocked client addresses (placeholders); compared against the full REMOTE_ADDR
> > $deny = array("111.111.111", "222.222.222", "333.333.333");
> > if (in_array($_SERVER['REMOTE_ADDR'], $deny)) {
> >     header("Location: http://www.google.com/");
> >     exit();
> > }
> > ?>
> > Gary
> >
> >
> >
> >
> >
> >
> >

Re: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-20 Thread Dotan Cohen
> if(@mysql_real_escape_string($variable) === false)
>

Perfect! The @ symbol suppresses the error and I can structure the
code according to whether or not there is a connection.

Thank you!

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il




Re: [PHP] Please don't kick me!

2009-10-20 Thread Philip Thompson

On Oct 19, 2009, at 4:21 PM, Floyd Resler wrote:

Nope.  I've never had any troubles with it.  I've been able to  
produce all kinds of PDFs including loan agreements, inventory pick  
lists with barcodes, and various others.  I find it incredibly  
powerful and easy to use.


Take care,
Floyd


Sorry if this is slightly OT.

I've been messing around with ezPdf for a little bit and it doesn't  
appear to be able to allow for custom background colors or borders on  
a per-row basis. Meaning, I have the option to color every other line  
a single color... but I can't color every line a different color if I  
want. Am I missing something here?


Basically, with the reports I'm currently generating, every row could  
be a different color than the previous - it depends on various  
factors. This is easy to accomplish with HTML/CSS. If this isn't  
possible (or at least easily-accomplishable), then ezPdf may not be  
for me.


Thanks,
~Philip




Re: [PHP] Using setters/getters with array of objects

2009-10-20 Thread mbneto
Hi,

Thanks.  I'll probably do the addEmail method.  I was hoping to do as with
the other "non-array" properties.


On Sun, Oct 18, 2009 at 1:00 PM, Andy Shellam (Mailing Lists)
 wrote:

> Hi,
>
>
> $u->emails[] = $e;
>
>
> I would hazard a guess because $u->emails isn't a concrete object (whereas
> $u->_emails is, but is private.)  It's sort of a virtual reference - PHP has
> no way of knowing that $u->emails actually translates into _emails which is
> an array, if you see what I mean (it's difficult to explain.)
>
>
> But that does not work.  I've managed to achieve similar result using a
> different setter in User
>
>public function __set($name, $value)
>{
>$property = '_' . $name;
>
>switch($name)
>{
>case 'emails':
>array_push($this->$property, $value);
>break;
>
>default:
>   $this->$property = $value;
>}
>}
>
>
> You could also have done:
>
> if (is_array($this->$property))
> {
>     array_push($this->$property, $value);
> }
> else
> {
>     $this->$property = $value;
> }
>
> which would handle any array property, not just the e-mails property.
>
> If this was me, I would probably create a concrete method, called
> "addEmail" which would do $this->_emails[] = $value, but allow a programmer
> to call $user->emails to get the e-mails (not set.)
>
>


Re: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-20 Thread Shawn McKenzie
Dotan Cohen wrote:
> 2009/10/20 Andrea Giammarchi :
>> even better
>>
>> $error_reporting = error_reporting(0);
>> if(mysql_real_escape_string($variable) === false)
>> {
>> error_reporting($error_reporting);
>>
>> // create a default DB connection
>>
>> } else
>> error_reporting($error_reporting);
>> unset($error_reporting);
>>
> 
> Thanks, I will try that this evening. I may not have permissions for
> that, but we'll see.
> 

I stole this from ZF:

function dotan_real_escape_string($value)
{
    if (is_int($value)) {
        return $value;
    } elseif (is_float($value)) {
        return sprintf('%F', $value);
    }
    // escape NUL, LF, CR, backslash, both quotes and Ctrl-Z, then quote
    return "'" . addcslashes($value, "\000\n\r\\'\"\032") . "'";
}

-- 
Thanks!
-Shawn
http://www.spidean.com




Re: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-20 Thread Dotan Cohen
>   If you're sure that all your data is UTF-8, and that
> all user-supplied data is *actually valid* UTF-8 (and
> not deliberately or accidentally malformed), then
> mysql_escape_string() should be just fine [1].
>

I cannot ensure that the users will not be malicious, even if it is
all internal users.


-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] Re: Spam opinions please

2009-10-20 Thread Gary
I once by mistake had an include that included itself, so an endless 
loop was created and it crashed my machine; my other thought was to redirect 
to a page like that.  (Of course, revengeful visions of entire 3rd world 
servers crashing and entire annoying industries imploding soon follow...but 
I digress).

Gary

""Gary""  wrote in message 
news:da.85.39240.d220e...@pb1.pair.com...
>I have several sites that are getting hit with form spam.  I have the 
>script set up to capture the IP address so I know from where they come.  I 
>found a short script that is supposed to stop these IP addresses from 
>accessing the form page, it redirects the spammer to another page (I was 
>going to redirect to a page that has lots of pop-ups, scantily clad men and 
>offers of joy beyond imagination), but someone suggested I redirect to the 
>Federal Trade Commission or perhaps the FBI.
>
> Any thoughts on the script and its effectiveness?
>
> <?php
> $deny = array("111.111.111", "222.222.222", "333.333.333");
> if (in_array ($_SERVER['REMOTE_ADDR'], $deny)) {
>   header("location: http://www.google.com/");
>   exit();
> } ?>Gary
>
>
>
> 





-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Spam opinions please

2009-10-20 Thread John Black

Gary wrote:
I believe they are human spammers as all the input fields are correctly 
filled out (phone in phone, address in address etc).

As I said they are mostly the same IP.
Would it be better to include this script in the processing script rather 
than at the top of the page?



If it is a fixed list of IPs you could add them to the .htaccess file like 
this:


order allow,deny
deny from xxx.xxx.xxx.xxx
allow from all

This way it is handled by your webserver and you don't need to run a 
script on every page.


Keep in mind that a lot of comment spam is sent out from infected 
machines. So if the IPs belong to a big ISP it is possible to block a 
lot of users if you block the proxy.

Check the IPs via Arin to be sure
http://ws.arin.net/whois/
I have noticed that a blocked spammer will sometimes reconnect from a 
totally different IP and resubmit the same information.


Regarding the properly filled out forms, spam bots are pretty good about 
placing valid data into the correct fields; some are better than others.


--
John

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Spam opinions please

2009-10-20 Thread Gary
I believe they are human spammers as all the input fields are correctly 
filled out (phone in phone, address in address etc).

As I said they are mostly the same IP.

Would it be better to include this script in the processing script rather 
than at the top of the page?

Gary

"Ashley Sheridan"  wrote in message 
news:1256063819.2359.4.ca...@localhost...
> On Tue, 2009-10-20 at 14:31 -0400, Gary wrote:
>
>> I have several sites that are getting hit with form spam.  I have the 
>> script
>> set up to capture the IP address so I know from where they come.  I found 
>> a
>> short script that is supposed to stop these IP addresses from accessing 
>> the
>> form page, it redirects the spammer to another page (I was going to 
>> redirect
>> to a page that has lots of pop-ups, scantily clad men and offers of joy
>> beyond imagination), but someone suggested I redirect to the Federal 
>> Trade
>> Commission or perhaps the FBI.
>>
>> Any thoughts on the script and its effectiveness?
>>
>> <?php
>> $deny = array("111.111.111", "222.222.222", "333.333.333");
>> if (in_array ($_SERVER['REMOTE_ADDR'], $deny)) {
>>    header("location: http://www.google.com/");
>>    exit();
>> } ?>Gary
>>
>>
>>
>>
>>
>>
>>
>>
>
>
> A few things immediately spring to mind:
>
> How are you being hit? Is it through an automated process (bot) on your
> form, or a real person?
> If you are being hit from bots, is it from a zombie network or a few
> machines?
>
> If you are being hit by bots from a zombie, then this solution won't
> work well, as the list of IP addresses you'll have will be huge, and
> will potentially include many of your real visitors who didn't realise
> their computer was not their own any more.
>
> If you are being hit by bots that are not part of a botnet, then
> redirecting them to another page is essentially fruitless, as the bots
> really don't care.
>
> If you are being hit by humans, then are the IP addresses always going
> to relate to those same persons, or are they part of a dynamic range
> that an ISP serves out amongst all of its customers?
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
>
>
>
>
>
>
> 








-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Spam opinions please

2009-10-20 Thread John Black

Jonathan Tapicer wrote:

I suggest you add a good captcha to the form and that way you can
avoid spam forever.


You can find a question/answer based CAPTCHA system here.
http://www.network-technologies.org/tiny.php?id=1

The system can be used to protect comment forms, email forms or act as a 
bot trap.
The system works by writing the IP of the offender to the .htaccess 
file, blocking the bot from the entire site. A page is displayed where 
someone can remove his/her IP from the blocklist and regain access to 
the page.
The class also checks the DNS record before blocking to prevent a good 
bot, like Googlebot, from being blocked.


Comment spam has been reduced to almost zero on all my pages thanks to 
CAPTCHAv2. The only ones getting through now are the ones submitted by 
humans.



--
John

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Spam opinions please

2009-10-20 Thread Gary
No, I have not. I think my issue is that I hate when I run across one; it usually 
takes me more than one try to actually figure out what the character is, 
hence my disdain.


Gary


"Paul M Foster"  wrote in message 
news:20091020184001.gi3...@quillandmouse.com...
> On Tue, Oct 20, 2009 at 02:31:53PM -0400, Gary wrote:
>
>> I have several sites that are getting hit with form spam.  I have the 
>> script
>> set up to capture the IP address so I know from where they come.  I found 
>> a
>> short script that is supposed to stop these IP addresses from accessing 
>> the
>> form page, it redirects the spammer to another page (I was going to 
>> redirect
>> to a page that has lots of pop-ups, scantily clad men and offers of joy
>> beyond imagination), but someone suggested I redirect to the Federal 
>> Trade
>> Commission or perhaps the FBI.
>>
>> Any thoughts on the script and its effectiveness?
>>
>> <?php
>> $deny = array("111.111.111", "222.222.222", "333.333.333");
>> if (in_array ($_SERVER['REMOTE_ADDR'], $deny)) {
>>    header("location: http://www.google.com/");
>>    exit();
>> } ?>Gary
>>
>
> Have you tried CAPTCHA?
>
> Paul
>
> -- 
> Paul M. Foster
>
>
>
> 








-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Spam opinions please

2009-10-20 Thread Jonathan Tapicer
On Tue, Oct 20, 2009 at 3:39 PM, Ashley Sheridan
 wrote:
>
> On Tue, 2009-10-20 at 15:36 -0300, Jonathan Tapicer wrote:
>
> That will work just for one IP, but they could spam you from another
> IP. I suggest you add a good captcha to the form and that way you can
> avoid spam forever.
>
> Regards,
>
> Jonathan
>
> Firstly, in_array() is used in his example, so it will look for all the IP 
> addresses in the array, not just one.
>
> Secondly, even the best captchas can be got around. Just look at what 
> happened to Google a while back. And then what if you make the captcha too 
> hard to discern? You'd essentially be breaking the law by impeding hard of 
> seeing or blind users...
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
>
>

Even if he puts a list or range of IPs he could always be attacked
from an IP not in that list/range.

About the blind users, he can use recaptcha (recently acquired by
Google), http://recaptcha.net/, which has an audio version captcha.

I'm not saying that the filter by IP won't work, but it won't be 100%
effective, and a captcha will.

Regards,

Jonathan

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Spam opinions please

2009-10-20 Thread Ashley Sheridan
On Tue, 2009-10-20 at 15:36 -0300, Jonathan Tapicer wrote:

> That will work just for one IP, but they could spam you from another
> IP. I suggest you add a good captcha to the form and that way you can
> avoid spam forever.
> 
> Regards,
> 
> Jonathan


Firstly, in_array() is used in his example, so it will look for all the
IP addresses in the array, not just one.

Secondly, even the best captchas can be got around. Just look at what
happened to Google a while back. And then what if you make the captcha
too hard to discern? You'd essentially be breaking the law by impeding
hard of seeing or blind users...

Thanks,
Ash
http://www.ashleysheridan.co.uk




Re: [PHP] Spam opinions please

2009-10-20 Thread Paul M Foster
On Tue, Oct 20, 2009 at 02:31:53PM -0400, Gary wrote:

> I have several sites that are getting hit with form spam.  I have the script
> set up to capture the IP address so I know from where they come.  I found a
> short script that is supposed to stop these IP addresses from accessing the
> form page, it redirects the spammer to another page (I was going to redirect
> to a page that has lots of pop-ups, scantily clad men and offers of joy
> beyond imagination), but someone suggested I redirect to the Federal Trade
> Commission or perhaps the FBI.
> 
> Any thoughts on the script and its effectiveness?
> 
> <?php
> $deny = array("111.111.111", "222.222.222", "333.333.333");
> if (in_array ($_SERVER['REMOTE_ADDR'], $deny)) {
>    header("location: http://www.google.com/");
>    exit();
> } ?>Gary
> 

Have you tried CAPTCHA?

Paul

-- 
Paul M. Foster

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Spam opinions please

2009-10-20 Thread Gary
Thanks, and I understand, however I am trying to avoid the captcha if 
possible.  They are all or mostly coming from the same IP which is why I 
thought this would help.

Gary

"Jonathan Tapicer"  wrote in message 
news:4603e2db0910201136q5e835193he4abbac75ef11...@mail.gmail.com...
That will work just for one IP, but they could spam you from another
IP. I suggest you add a good captcha to the form and that way you can
avoid spam forever.

Regards,

Jonathan

On Tue, Oct 20, 2009 at 3:31 PM, Gary  wrote:
> I have several sites that are getting hit with form spam. I have the 
> script
> set up to capture the IP address so I know from where they come. I found a
> short script that is supposed to stop these IP addresses from accessing 
> the
> form page, it redirects the spammer to another page (I was going to 
> redirect
> to a page that has lots of pop-ups, scantily clad men and offers of joy
> beyond imagination), but someone suggested I redirect to the Federal Trade
> Commission or perhaps the FBI.
>
> Any thoughts on the script and its effectiveness?
>
> <?php
> $deny = array("111.111.111", "222.222.222", "333.333.333");
> if (in_array ($_SERVER['REMOTE_ADDR'], $deny)) {
> header("location: http://www.google.com/");
> exit();
> } ?>Gary
>
>
>
>
>
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>






-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Spam opinions please

2009-10-20 Thread Ashley Sheridan
On Tue, 2009-10-20 at 14:31 -0400, Gary wrote:

> I have several sites that are getting hit with form spam.  I have the script 
> set up to capture the IP address so I know from where they come.  I found a 
> short script that is supposed to stop these IP addresses from accessing the 
> form page, it redirects the spammer to another page (I was going to redirect 
> to a page that has lots of pop-ups, scantily clad men and offers of joy 
> beyond imagination), but someone suggested I redirect to the Federal Trade 
> Commission or perhaps the FBI.
> 
> Any thoughts on the script and its effectiveness?
> 
> <?php
> $deny = array("111.111.111", "222.222.222", "333.333.333");
> if (in_array ($_SERVER['REMOTE_ADDR'], $deny)) {
>    header("location: http://www.google.com/");
>    exit();
> } ?>Gary 
> 
> 
> 
> 
> 
> 
> 
> 


A few things immediately spring to mind:

How are you being hit? Is it through an automated process (bot) on your
form, or a real person?
If you are being hit from bots, is it from a zombie network or a few
machines?

If you are being hit by bots from a zombie, then this solution won't
work well, as the list of IP addresses you'll have will be huge, and
will potentially include many of your real visitors who didn't realise
their computer was not their own any more.

If you are being hit by bots that are not part of a botnet, then
redirecting them to another page is essentially fruitless, as the bots
really don't care.

If you are being hit by humans, then are the IP addresses always going
to relate to those same persons, or are they part of a dynamic range
that an ISP serves out amongst all of its customers?

Thanks,
Ash
http://www.ashleysheridan.co.uk




Re: [PHP] Spam opinions please

2009-10-20 Thread Israel Ekpo
On Tue, Oct 20, 2009 at 2:36 PM, Jonathan Tapicer  wrote:

> That will work just for one IP, but they could spam you from another
> IP. I suggest you add a good captcha to the form and that way you can
> avoid spam forever.
>
> Regards,
>
> Jonathan
>
> On Tue, Oct 20, 2009 at 3:31 PM, Gary  wrote:
> > I have several sites that are getting hit with form spam.  I have the
> script
> > set up to capture the IP address so I know from where they come.  I found
> a
> > short script that is supposed to stop these IP addresses from accessing
> the
> > form page, it redirects the spammer to another page (I was going to
> redirect
> > to a page that has lots of pop-ups, scantily clad men and offers of joy
> > beyond imagination), but someone suggested I redirect to the Federal
> Trade
> > Commission or perhaps the FBI.
> >
> > Any thoughts on the script and its effectiveness?
> >
> > <?php
> > $deny = array("111.111.111", "222.222.222", "333.333.333");
> > if (in_array ($_SERVER['REMOTE_ADDR'], $deny)) {
> >   header("location: http://www.google.com/");
> >   exit();
> > } ?>Gary
> >
> >
> >
> >
> >
> >
> >
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

Here is a tutorial on captcha

http://blog.sankhomallik.com/2008/12/17/tutorial-using-zend_captcha_image/


-- 
"Good Enough" is not good enough.
To give anything less than your best is to sacrifice the gift.
Quality First. Measure Twice. Cut Once.


Re: [PHP] Spam opinions please

2009-10-20 Thread Jonathan Tapicer
That will work just for one IP, but they could spam you from another
IP. I suggest you add a good captcha to the form and that way you can
avoid spam forever.

Regards,

Jonathan

On Tue, Oct 20, 2009 at 3:31 PM, Gary  wrote:
> I have several sites that are getting hit with form spam.  I have the script
> set up to capture the IP address so I know from where they come.  I found a
> short script that is supposed to stop these IP addresses from accessing the
> form page, it redirects the spammer to another page (I was going to redirect
> to a page that has lots of pop-ups, scantily clad men and offers of joy
> beyond imagination), but someone suggested I redirect to the Federal Trade
> Commission or perhaps the FBI.
>
> Any thoughts on the script and its effectiveness?
>
> <?php
> $deny = array("111.111.111", "222.222.222", "333.333.333");
> if (in_array ($_SERVER['REMOTE_ADDR'], $deny)) {
>   header("location: http://www.google.com/");
>   exit();
> } ?>Gary
>
>
>
>
>
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] Spam opinions please

2009-10-20 Thread Gary
I have several sites that are getting hit with form spam.  I have the script 
set up to capture the IP address so I know from where they come.  I found a 
short script that is supposed to stop these IP addresses from accessing the 
form page, it redirects the spammer to another page (I was going to redirect 
to a page that has lots of pop-ups, scantily clad men and offers of joy 
beyond imagination), but someone suggested I redirect to the Federal Trade 
Commission or perhaps the FBI.

Any thoughts on the script and its effectiveness?

<?php
$deny = array("111.111.111", "222.222.222", "333.333.333");
if (in_array ($_SERVER['REMOTE_ADDR'], $deny)) {
   header("location: http://www.google.com/");
   exit();
} ?>Gary 








-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
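Added here as an example, not code from the thread or from Gary's script: a deny check that matches exact addresses and CIDR ranges, which the plain in_array() string comparison in the script above cannot do. The function name, deny list and addresses are this example's own constructed values.

```php
<?php
// Added example (not from the thread): exact-IP and CIDR matching for a form
// deny list, in place of the plain in_array() check from the original script.
// in_array() compares whole strings, so a three-octet entry such as
// "111.111.111" never equals a real four-octet REMOTE_ADDR; the list below
// uses full addresses and a CIDR prefix instead (constructed sample values).

/**
 * Returns true when $ip (dotted-quad IPv4) matches one entry of $deny.
 * Entries may be exact addresses ("198.51.100.23") or CIDR prefixes
 * ("203.0.113.0/24"). Malformed addresses or entries never match.
 */
function ip_is_denied($ip, array $deny)
{
    $addr = ip2long($ip);
    if ($addr === false) {
        return false;                // not a valid IPv4 address: matches nothing
    }
    foreach ($deny as $entry) {
        if (strpos($entry, '/') === false) {
            $net  = ip2long($entry);
            $bits = 32;
        } else {
            list($prefix, $bits) = explode('/', $entry, 2);
            if (!ctype_digit((string) $bits) || (int) $bits > 32) {
                continue;            // invalid prefix length
            }
            $net  = ip2long($prefix);
            $bits = (int) $bits;
        }
        if ($net === false) {
            // PHP 5.2.10 and later reject incomplete addresses here, so an
            // entry like "111.111.111" is skipped rather than silently ignored
            // by the comparison.
            continue;
        }
        // -1 << n clears the low n bits on both 32- and 64-bit builds; a /0
        // mask is handled separately because shifting by 32 is undefined.
        $mask = ($bits === 0) ? 0 : (-1 << (32 - $bits));
        if (($addr & $mask) === ($net & $mask)) {
            return true;
        }
    }
    return false;
}

// Usage: same placement as the original script, at the top of the form page,
// before any output has been sent so the redirect header can still go out.
$deny = array('198.51.100.23', '203.0.113.0/24');   // constructed sample list

$remote = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
if (ip_is_denied($remote, $deny)) {
    header('Location: http://www.google.com/');
    exit();
}
```

Behind a shared proxy REMOTE_ADDR is the proxy's address, which is the "block a lot of users" caveat raised elsewhere in the thread; the CIDR form is for ranges you have actually confirmed belong to the sender.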



Re: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-20 Thread Kim Madsen

Dotan Cohen wrote on 2009-10-20 20:06:


if(mysql_real_escape_string($variable) === false)
{
// create a default DB connection
}



Here, the key seems to be to turn the warning level down, which I do
not have privileges to do on this server. But in fact this seems to be
the key that I was missing, and even though I cannot make use of it at
least I know in general what needs to be done.


if(@mysql_real_escape_string($variable) === false)

Well?

--
Kind regards
Kim Emax - masterminds.dk

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-20 Thread Dotan Cohen
2009/10/20 Andrea Giammarchi :
> even better
>
> $error_reporting = error_reporting(0);
> if(mysql_real_escape_string($variable) === false)
> {
>     error_reporting($error_reporting);
>
>     // create a default DB connection
>
> } else
>     error_reporting($error_reporting);
> unset($error_reporting);
>

Thanks, I will try that this evening. I may not have permissions for
that, but we'll see.

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-20 Thread Dotan Cohen
> No, and you clearly missed the point about that function being pretty much 
> dead anyway.
>

I understand that mysql_escape_string() is deprecated. Asking about
other similar functions does not seem out of line.


> You mentioned also in your last email that you would make a DB connection if 
> none existed. That should be very easy
> if you read the page on mysql_real_escape_string()
>
> It says:
>
> Returns the escaped string, or FALSE on error.
>
> So all you have to do, is have warnings turned off (as it generates an 
> E_WARNING if you have no active connection) and then look at the return value 
> of a call to the function:
>
> if(mysql_real_escape_string($variable) === false)
> {
>     // create a default DB connection
> }
>

Here, the key seems to be to turn the warning level down, which I do
not have privileges to do on this server. But in fact this seems to be
the key that I was missing, and even though I cannot make use of it at
least I know in general what needs to be done.

Thanks.


--
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-20 Thread Nisse Engström
On Mon, 19 Oct 2009 15:39:40 -0700, Jim Lucas wrote:

> I have no idea if it will work, [...]

Well, you're right so far...

>  
> function clean_string($input) {
> 
>   /**
>* Character to escape...
>*  \x0 \n  \r  \   '   "   \x1a
>   **/
> 
>   $patterns = array( "\x0",   "\n", "\r", "\\",   "'","\"", "\x1a");
>   $replace = array(  '\\\x0', '\n', '\r', '', '\\\'', '\\"',  '\\\x1a');
>   return str_replace($patterns, $replace, $input);
> }

Not only does this not do quite what mysql_escape_string()
does, but it also fails to not do so spectacularly.

Hint:

  echo str_replace (array('a','b'), array('b','c'), 'a'), "\n";


/Nisse

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-20 Thread Nisse Engström
On Tue, 20 Oct 2009 14:58:32 +0200, Dotan Cohen wrote:

>> Yes, the mysql_real_escape_string() function uses the database's
>> character encoding to determine how to encode the string, whereas the
>> older deprecated version mysql_escape_string() required no connection
>> as it always assumed Latin-1 (as far as I know)
> 
> Is there such a function that always assumes UTF-8? That's what it
> always will be.

   If you're sure that all your data is UTF-8, and that
all user-supplied data is *actually valid* UTF-8 (and
not deliberately or accidentally malformed), then
mysql_escape_string() should be just fine [1].

   It should be fine for any character set that leaves
ASCII characters unchanged and does not contain any
characters that could (partially) be mistaken for one of
the "dangerous" ASCII characters.

   Of course, mysql_escape_string() is deprecated and will
be removed in PHP6 [2], in which case you could fix all
the bugs in the hand-rolled function posted earlier and
use that.

> I am not requiring the data to be sanitised before a connection has been
> made to the DB. The function that calls mysql_real_escape_string() is in
> an include file of commonly-reused functions. Scripts that connect to
> databases and scripts that do not connect to databases include this
> file. 
> 
> To clarify, the include file contains these functions: function
> clean_mysql ($dirty) function clean_html ($dirty) function
> make_paginated_links_menu ($pages, $difference) function
> obfuscate_email_address ($address) 

*Or*, you could do the *obvious* thing [3]:

  function clean_mysql ($dirty, $connection) { ... }


But then, you'll end up having to rewrite a lot of
function calls [4].


/Nisse


[1]: Unless it's not.
[2]: Unless it isn't.
[3]: Well, one of them anyway.
[4]: Unless you don't.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
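Added example, not code from the thread, from Jim Lucas's post or from Zend Framework: it shows Nisse's str_replace() objection on a concrete string and pairs it with a single-pass addcslashes() escaper in the style of the ZF function Shawn posted, guarded by the "actually valid UTF-8" check this post's caveat calls for. Function names and all input strings are this example's own constructed values.

```php
<?php
// Added example (not from the thread or from Zend Framework): the sequential
// str_replace() escaper loses data; addcslashes() scans once and does not.
// Every input string below is a constructed sample.

/**
 * Reduced form of the str_replace() escaper criticised in the thread. With
 * array arguments str_replace() applies each pair in turn to the string the
 * previous pair produced, so the backslash written by the "\n" pair is then
 * doubled by the "\\" pair: a newline comes out as \\n, which MySQL reads
 * back as a literal backslash followed by "n". Nisse's hint is the same
 * effect in miniature: str_replace(array('a','b'), array('b','c'), 'a')
 * gives 'c', not 'b'.
 */
function clean_string_sequential($input)
{
    $patterns = array("\n", "\\",   "'");
    $replace  = array('\n', '\\\\', "\\'");
    return str_replace($patterns, $replace, $input);
}

/**
 * Single-pass escaper for the case where no connection exists to call
 * mysql_real_escape_string() on. addcslashes() walks the input once, so no
 * inserted backslash is escaped a second time. It works on bytes, which is
 * only correct when the connection character set is one (UTF-8 or Latin-1)
 * in which the bytes of \ ' " and NUL never occur inside a multibyte
 * character; the caller has to make sure the server really uses that set.
 */
function quote_for_mysql_utf8($value)
{
    if (is_int($value)) {
        return (string) $value;
    }
    if (is_float($value)) {
        return sprintf('%F', $value);
    }
    $value = (string) $value;
    // Refuse malformed UTF-8 instead of escaping it: a truncated multibyte
    // sequence followed by a quote is exactly the input the caveat is about.
    // preg_match() with the /u modifier returns false on invalid UTF-8.
    if (preg_match('//u', $value) !== 1) {
        throw new InvalidArgumentException('input is not valid UTF-8');
    }
    // NUL and \x1a become octal escapes (\000, \032), which MySQL does not
    // decode back to the original bytes: a data-fidelity limit of this
    // approach, not an injection risk, since quote and backslash are right.
    return "'" . addcslashes($value, "\000\n\r\\'\"\032") . "'";
}

// Usage: a quote plus a newline plus a multibyte character in one sample.
// The sequential escaper corrupts the newline; the single-pass one escapes
// the quote and leaves the UTF-8 bytes of "ü" alone.
$sample = "O'Brien\nzürich";
var_dump(clean_string_sequential($sample));
var_dump(quote_for_mysql_utf8($sample));

// Constructed invalid input: a lead byte of a two-byte sequence with the
// continuation byte missing, followed directly by a quote.
try {
    quote_for_mysql_utf8("\xC3'");
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```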



Re: [PHP] Get rid of warning massage

2009-10-20 Thread Shawn McKenzie
Ashley Sheridan wrote:
> On Tue, 2009-10-20 at 19:01 +0300, Thodoris wrote:
> 
>>
>>>
>>>
>>>
>>> How do you mean an invalid URL? A URL that is not valid as in $url =
>>> "poo" or a valid formed URL that doesn't exist?
>>>
>>> Thanks,
>>> Ash
>>> http://www.ashleysheridan.co.uk
>>>
>>>
>>>
>>>   
>>
>> Does it really matter? In both cases the file_get_contents() won't be
>> able to open the URL and it will produce a warning or an error.
>>
>> -- 
>> Thodoris
> 
> 
> Matters a hell of a lot! If the url is not even partially validated at
> all ($url="poo") then it could potentially be open to all manner of
> attacks.
> 
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
> 
> 
> 

Yes, and depending upon how many URLs you're looping through, you could
be wasting lots of time and resources for absolutely no reason.

-- 
Thanks!
-Shawn
http://www.spidean.com

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
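One way to act on Ash's point above, as an added example that is not code from the thread: validate $url before it reaches file_get_contents(), and turn the warning into a logged failure rather than hiding it with @. The helper name, the scheme allow-list and the sample URLs are this example's own choices.

```php
<?php
// Added example (not from the thread): checked wrapper around
// file_get_contents($url). The function name, allow-list and sample URLs
// are constructed for this example.

/**
 * Fetches $url over http/https and returns the body, or null when the URL is
 * rejected or the fetch fails. A value like "poo" fails filter_var(); a
 * "file://" or "php://" URL is stopped by the scheme and host checks, so a
 * user-supplied string never selects a local file or a PHP stream wrapper.
 * A well-formed http URL can still point at an internal host; if the URL
 * comes from users, check the resolved host as well.
 */
function fetch_url_checked($url, $timeout = 5)
{
    if (!is_string($url) || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;                                 // not a well-formed URL
    }
    $parts = parse_url($url);
    if (!isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return null;                                 // wrong scheme or no host
    }
    $context = stream_context_create(array('http' => array('timeout' => $timeout)));

    // Catch the E_WARNING a failed open raises, so the message is logged while
    // the caller only sees null. Keeping display_errors off in production, as
    // suggested elsewhere in the thread, is a separate setting.
    $warning = '';
    set_error_handler(function ($errno, $errstr) use (&$warning) {
        $warning = $errstr;
        return true;                                 // handled, do not display
    }, E_WARNING);
    $body = file_get_contents($url, false, $context);
    restore_error_handler();

    if ($body === false) {
        error_log('fetch failed for ' . $url . ': ' . $warning);
        return null;
    }
    return $body;
}

// Usage with constructed inputs: the first two are rejected before any
// network access; the last is fetched, or logged and null on failure.
foreach (array('poo', 'file:///etc/passwd', 'http://www.example.com/') as $candidate) {
    $body = fetch_url_checked($candidate);
    echo $candidate, ' => ',
        ($body === null ? 'rejected or failed' : strlen($body) . ' bytes'), "\n";
}
```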



Re: [PHP] Get rid of warning massage

2009-10-20 Thread Thodoris



http://php.net/manual/en/language.operators.errorcontrol.php ?

  


A better idea would be suppressing the error messages in a production site:

ini_set('display_errors',0);

--
Thodoris


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Get rid of warning massage

2009-10-20 Thread John Black

resea soul wrote:

I'm using the function file_get_contents($url). If the url is invalid the
function displays a warning message while I am using my own customized
message. I want to get rid of the warning message.



This should do it:
@file_get_contents($url)

--
John
God is a crude answer, an indelicacy against us thinkers, at bottom
even merely a crude prohibition against us: you shall not think!
[Friedrich Nietzsche]

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Get rid of warning massage

2009-10-20 Thread Ashley Sheridan
On Tue, 2009-10-20 at 19:01 +0300, Thodoris wrote:

> 
> 
> > 
> > 
> > 
> > 
> > How do you mean an invalid URL? A URL that is not valid as in $url =
> > "poo" or a valid formed URL that doesn't exist?
> > 
> > Thanks,
> > Ash
> > http://www.ashleysheridan.co.uk
> > 
> > 
> > 
> >   
> 
> 
> Does it really matter? In both cases the file_get_contents() won't be
> able to open the URL and it will produce a warning or an error.
> 
> -- 
> Thodoris


Matters a hell of a lot! If the url is not even partially validated at
all ($url="poo") then it could potentially be open to all manner of
attacks.

Thanks,
Ash
http://www.ashleysheridan.co.uk




Re: [PHP] Get rid of warning massage

2009-10-20 Thread Thodoris






How do you mean an invalid URL? A URL that is not valid as in $url =
"poo" or a valid formed URL that doesn't exist?

Thanks,
Ash
http://www.ashleysheridan.co.uk



  


Does it really matter? In both cases the file_get_contents() won't be 
able to open the URL and it will produce a warning or an error.


--
Thodoris



Re: [PHP] Get rid of warning massage

2009-10-20 Thread Ashley Sheridan
On Tue, 2009-10-20 at 11:34 -0400, resea soul wrote:

> Hi,
> 
> I'm using the function file_get_contents($url). If the url is invalid the
> function displays a warning message while I am using my own customized
> message. I want to get rid of the warning message.
> 
> Thank you


How do you mean an invalid URL? A URL that is not valid as in $url =
"poo" or a valid formed URL that doesn't exist?

Thanks,
Ash
http://www.ashleysheridan.co.uk




Re: [PHP] Get rid of warning massage

2009-10-20 Thread Philip Thompson

On Oct 20, 2009, at 10:34 AM, resea soul wrote:


Hi,

I'm using the function file_get_contents($url). If the url is  
invalid the

function displays a warning message while I am using my own customized
message. I want to get rid of the warning message.

Thank you


@file_get_contents(...)



Re: [PHP] Get rid of warning massage

2009-10-20 Thread kranthi
http://php.net/manual/en/language.operators.errorcontrol.php ?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] Get rid of warning massage

2009-10-20 Thread resea soul
Hi,

I'm using the function file_get_contents($url). If the url is invalid the
function displays a warning message while I am using my own customized
message. I want to get rid of the warning message.

Thank you


RE: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-20 Thread Andrea Giammarchi

even better

$error_reporting = error_reporting(0);
if(mysql_real_escape_string($variable) === false)
{
    error_reporting($error_reporting);

    // create a default DB connection

} else
    error_reporting($error_reporting);
unset($error_reporting);

> From: an_...@hotmail.com
> To: a...@ashleysheridan.co.uk; dotanco...@gmail.com
> CC: php-general@lists.php.net
> Date: Tue, 20 Oct 2009 15:50:52 +0200
> Subject: RE: [PHP] Sanitizing potential MySQL strings with no database  
> connection
> 
> 
> > It says:
> > 
> > Returns the escaped string, or FALSE on error.
> > 
> > So all you have to do, is have warnings turned off (as it generates an
> > E_WARNING if you have no active connection) and then look at the return
> > value of a call to the function:
> > 
> > if(mysql_real_escape_string($variable) === false)
> > {
> > // create a default DB connection
> > }
> 
> I would rather suggest:
> 
> $error_reporting = error_reporting(0);
> if(mysql_real_escape_string($variable) === false)
> {
> // create a default DB connection
> }
> error_reporting($error_reporting);
> unset($error_reporting);
> 
> 

RE: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-20 Thread Andrea Giammarchi

> It says:
> 
> Returns the escaped string, or FALSE on error.
> 
> So all you have to do, is have warnings turned off (as it generates an
> E_WARNING if you have no active connection) and then look at the return
> value of a call to the function:
> 
> if(mysql_real_escape_string($variable) === false)
> {
> // create a default DB connection
> }

I would rather suggest:

$error_reporting = error_reporting(0);
if(mysql_real_escape_string($variable) === false)
{
// create a default DB connection
}
error_reporting($error_reporting);
unset($error_reporting);

  

Re: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-20 Thread Ashley Sheridan
On Tue, 2009-10-20 at 14:58 +0200, Dotan Cohen wrote:

> > Yes, the mysql_real_escape_string() function uses the database's character
> > encoding to determine how to encode the string, whereas the older deprecated
> > version mysql_escape_string() required no connection as it always assumed
> > Latin-1 (as far as I know).
> 
> Is there such a function that always assumes UTF-8? That's what it
> always will be.
> 
> 
> > The data itself only needs to be sanitised just prior to being inserted
> > into the DB anyway; it shouldn't be used to validate data in any way, there
> > are functions specifically for that. To me, it just seems that the logic of
> > the script is flawed if you require the data to be sanitised before a
> > connection has been made to the DB.
> >
> 
> I am not requiring the data to be sanitised before a connection has
> been made to the DB. The function that calls
> mysql_real_escape_string() is in an include file of commonly-reused
> functions. Scripts that connect to databases and scripts that do not
> connect to databases include this file.
> 
> To clarify, the include file contains these functions:
> function clean_mysql ($dirty)
> function clean_html ($dirty)
> function make_paginated_links_menu ($pages, $difference)
> function obfuscate_email_address ($address)
> 
> Not all of the  functions are used in all scripts, however, this file
> of reusable functions is included in all of them. Only the clean_mysql
> function gives me trouble because it calls mysql_real_escape_string().
> 
> --
> Dotan Cohen
> 
> http://what-is-what.com
> http://gibberish.co.il
> 


No, and you clearly missed the point about that function being pretty
much dead anyway.

You mentioned also in your last email that you would make a DB
connection if none existed. That should be very easy if you read the
page on mysql_real_escape_string()

It says:

Returns the escaped string, or FALSE on error.

So all you have to do, is have warnings turned off (as it generates an
E_WARNING if you have no active connection) and then look at the return
value of a call to the function:

if(mysql_real_escape_string($variable) === false)
{
// create a default DB connection
}

Thanks,
Ash
http://www.ashleysheridan.co.uk
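The "open a connection if none exists" approach Ash describes, written out as an added example (this is not code from the thread). It uses mysqli rather than the mysql_* extension under discussion, because mysql_* was removed in PHP 7; the host, credentials, database and table names are placeholders. The include file exposes one lazily opened, shared link, so scripts that never touch the database never pay for a connection, scripts that already use the database reuse the same link, and the escaper always has the connection (and its charset) it needs:

```php
<?php
// Added example, not from the thread. Shared include file for scripts that
// may or may not use the database. Connection details are placeholders.

declare(strict_types=1);

function db(): mysqli
{
    // One connection per request, opened on first use and reused afterwards,
    // so clean_mysql() never has to guess whether a link already exists.
    static $link = null;
    if ($link instanceof mysqli) {
        return $link;
    }

    // Throw exceptions instead of emitting E_WARNING, so failures are not
    // silently turned into FALSE return values that callers may overlook.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $link = new mysqli('db.example.invalid', 'app_user', 'CHANGEME', 'app_db');

    // The escaper's behaviour depends on the connection charset; set it
    // explicitly instead of relying on the server default.
    $link->set_charset('utf8mb4');
    return $link;
}

function clean_mysql(string $dirty): string
{
    // Escapes for use inside a quoted SQL string literal only. No error
    // suppression is needed: db() guarantees a live, charset-aware link.
    return db()->real_escape_string($dirty);
}

// Preferred over escaping where possible: parameter binding keeps the data
// out of the SQL text entirely, so there is nothing to escape.
function find_user_by_name(string $name): ?array
{
    $stmt = db()->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}
```

clean_mysql() only makes a value safe to place between quotes in SQL text; it does not validate the data, which is the distinction Ash draws above. find_user_by_name() shows the alternative that sidesteps the connection-before-sanitising problem altogether.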




[PHP] "Securing PHP Web Applications" book

2009-10-20 Thread Afan Pasalic

Hi,
did anybody read the book "Securing PHP Web Applications" by Tricia 
Ballad & William Ballad? 
(http://www.amazon.com/Securing-PHP-Applications-Tricia-Ballad/dp/0321534344/ref=sr_1_1?ie=UTF8&s=books&qid=1256042083&sr=8-1)


Any opinions?

L



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-20 Thread Dotan Cohen
> Yes, the mysql_real_escape_string() function uses the database's character
> encoding to determine how to encode the string, whereas the older deprecated
> version mysql_escape_string() required no connection as it always assumed
> Latin-1 (as far as I know).

Is there such a function that always assumes UTF-8? That's what it
always will be.


> The data itself only needs to be sanitised just prior to being inserted into
> the DB anyway; it shouldn't be used to validate data in any way, there are
> functions specifically for that. To me, it just seems that the logic of the
> script is flawed if you require the data to be sanitised before a connection
> has been made to the DB.
>

I am not requiring the data to be sanitised before a connection has
been made to the DB. The function that calls
mysql_real_escape_string() is in an include file of commonly-reused
functions. Scripts that connect to databases and scripts that do not
connect to databases include this file.

To clarify, the include file contains these functions:
function clean_mysql ($dirty)
function clean_html ($dirty)
function make_paginated_links_menu ($pages, $difference)
function obfuscate_email_address ($address)

Not all of the  functions are used in all scripts, however, this file
of reusable functions is included in all of them. Only the clean_mysql
function gives me trouble because it calls mysql_real_escape_string().

--
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il




Re: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-20 Thread Dotan Cohen
> Your only option might be to do something "smart". You can't use the proper
> mysql functions without a connection to a database, but you refuse to connect
> to a database until after you perform validation...
>

More accurate to say that the file in which the function is stored
does not know if there is a connection or not. I would make such a
connection if I knew that none exist, but I do not want to interfere
with a possibly existing connection.


> You do realise you can have several db connections open at one time, so you
> could have one always open for the purpose of validation? Potentially
> wasteful, but the architecture in this idea is a little different from the
> norm.
>

Very wasteful indeed, I cannot be so irresponsible with this server.


--
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il




RE: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-20 Thread Ashley Sheridan
On Tue, 2009-10-20 at 08:43 -0400, Bob McConnell wrote:

> From: Ashley Sheridan
> 
> > On Tue, 2009-10-20 at 14:20 +0200, Andrea Giammarchi wrote:
> >> > Your only option might be to do something "smart". You can't use the
> >> > proper mysql functions without a connection to a database, but you
> >> > refuse to connect to a database until after you perform validation...
> >> > 
> >> > You do realise you can have several db connections open at one time, so
> >> > you could have one always open for the purpose of validation?
> >> > Potentially wasteful, but the architecture in this idea is a little
> >> > different from the norm.
> >> 
> >> I also thought mysql_real_escape_string was dead since every DAL such
> >> PDO or others uses bindings to properly escape variables and a database
> >> related sanitize without database is quite useless, imho.
> >> 
> > 
> > Not everyone uses something like PDO, so yes, sanitising data with
> > mysql_real_escape_string does still happen.
> > 
> > The function clearly states that it needs an open connection to work, so
> > that leaves two choices really: 1) open a damn connection! or 2)
> > reinvent the wheel and create a function which mimics the behavior of
> > this one.
> 
> Is the database connection used to determine the character encoding to
> be used before it inserts new characters into the strings? Would that
> make a difference in this case?
> 
> Bob McConnell
> 


Yes, the mysql_real_escape_string() function uses the database's
character encoding to determine how to encode the string, whereas the
older deprecated version mysql_escape_string() required no connection as
it always assumed Latin-1 (as far as I know). The data itself only needs
to be sanitised just prior to being inserted into the DB anyway; it
shouldn't be used to validate data in any way, there are functions
specifically for that. To me, it just seems that the logic of the script
is flawed if you require the data to be sanitised before a connection
has been made to the DB.

Thanks,
Ash
http://www.ashleysheridan.co.uk




RE: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-20 Thread Bob McConnell
From: Ashley Sheridan

> On Tue, 2009-10-20 at 14:20 +0200, Andrea Giammarchi wrote:
>> > Your only option might be to do something "smart". You can't use the
>> > proper mysql functions without a connection to a database, but you
>> > refuse to connect to a database until after you perform validation...
>> > 
>> > You do realise you can have several db connections open at one time, so
>> > you could have one always open for the purpose of validation?
>> > Potentially wasteful, but the architecture in this idea is a little
>> > different from the norm.
>> 
>> I also thought mysql_real_escape_string was dead since every DAL such
>> PDO or others uses bindings to properly escape variables and a database
>> related sanitize without database is quite useless, imho.
>> 
> 
> Not everyone uses something like PDO, so yes, sanitising data with
> mysql_real_escape_string does still happen.
> 
> The function clearly states that it needs an open connection to work, so
> that leaves two choices really: 1) open a damn connection! or 2)
> reinvent the wheel and create a function which mimics the behavior of
> this one.

Is the database connection used to determine the character encoding to
be used before it inserts new characters into the strings? Would that
make a difference in this case?

Bob McConnell




RE: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-20 Thread Ashley Sheridan
On Tue, 2009-10-20 at 14:20 +0200, Andrea Giammarchi wrote:

> 
> > Your only option might be to do something "smart". You can't use the
> > proper mysql functions without a connection to a database, but you
> > refuse to connect to a database until after you perform validation...
> > 
> > You do realise you can have several db connections open at one time, so
> > you could have one always open for the purpose of validation?
> > Potentially wasteful, but the architecture in this idea is a little
> > different from the norm.
> 
> I also thought mysql_real_escape_string was dead since every DAL such PDO or 
> others uses bindings to properly escape variables and a database related 
> sanitize without database is quite useless, imho.
> 
> Regards
> 


Not everyone uses something like PDO, so yes, sanitising data with
mysql_real_escape_string does still happen.

The function clearly states that it needs an open connection to work, so
that leaves two choices really: 1) open a damn connection! or 2)
reinvent the wheel and create a function which mimics the behavior of
this one.

Thanks,
Ash
http://www.ashleysheridan.co.uk




RE: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-20 Thread Andrea Giammarchi


> Your only option might be to do something "smart". You can't use the
> proper mysql functions without a connection to a database, but you
> refuse to connect to a database until after you perform validation...
> 
> You do realise you can have several db connections open at one time, so
> you could have one always open for the purpose of validation?
> Potentially wasteful, but the architecture in this idea is a little
> different from the norm.

I also thought mysql_real_escape_string was dead since every DAL such PDO or 
others uses bindings to properly escape variables and a database related 
sanitize without database is quite useless, imho.

Regards
  

Re: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-20 Thread Dotan Cohen
> Dotan,
>
> You are making this thing harder then it has to be.
>
> All you need is to replicate the escaping of the same characters that
> mysql_real_escape_string() escapes.  Simply do that.  They are listed on the
> functions manual page on php.net
>
> http://php.net/mysql_real_escape_string
>
> Here is a function that I mocked up really quick.
>
> I have no idea if it will work, but it is a start down the right road to solve
> your problem(s)...
>
> <?php
> function clean_string($input) {
>
>  /**
>   * Characters to escape, per the mysql_real_escape_string() manual page:
>   *    \x00    \n      \r      \       '       "       \x1a
>   **/
>
>  // Backslash goes first: str_replace() applies the pairs in order, so the
>  // backslashes inserted by the other replacements must not be escaped again.
>  // This is byte-oriented and only valid for charsets where no multibyte
>  // character contains these bytes (e.g. UTF-8), which is what the real
>  // function consults the connection charset for.
>  $patterns = array("\\",   "\x00", "\n",  "\r",  "'",   "\"",  "\x1a");
>  $replace  = array('\\\\', '\\0',  '\\n', '\\r', "\\'", '\\"', '\\Z');
>  return str_replace($patterns, $replace, $input);
> }
> ?>
>

I think that I would rather trust the built-in functions. I don't need
to do anything "smart" and get attacked. Anybody else have an opinion
on this?


-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il




Re: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-20 Thread Ashley Sheridan
On Tue, 2009-10-20 at 12:58 +0200, Dotan Cohen wrote:

> > Dotan,
> >
> > You are making this thing harder then it has to be.
> >
> > All you need is to replicate the escaping of the same characters that
> > mysql_real_escape_string() escapes.  Simply do that.  They are listed on the
> > functions manual page on php.net
> >
> > http://php.net/mysql_real_escape_string
> >
> > Here is a function that I mocked up really quick.
> >
> > I have no idea if it will work, but it is a start down the right road to 
> > solve
> > your problem(s)...
> >
> > <?php
> > function clean_string($input) {
> >
> >  /**
> >   * Characters to escape, per the mysql_real_escape_string() manual page:
> >   *    \x00    \n      \r      \       '       "       \x1a
> >   **/
> >
> >  // Backslash goes first: str_replace() applies the pairs in order, so the
> >  // backslashes inserted by the other replacements must not be escaped again.
> >  // This is byte-oriented and only valid for charsets where no multibyte
> >  // character contains these bytes (e.g. UTF-8), which is what the real
> >  // function consults the connection charset for.
> >  $patterns = array("\\",   "\x00", "\n",  "\r",  "'",   "\"",  "\x1a");
> >  $replace  = array('\\\\', '\\0',  '\\n', '\\r', "\\'", '\\"', '\\Z');
> >  return str_replace($patterns, $replace, $input);
> > }
> > ?>
> >
> 
> I think that I would rather trust the built-in functions. I don't need
> to do anything "smart" and get attacked. Anybody else have an opinion
> on this?
> 
> 
> -- 
> Dotan Cohen
> 
> http://what-is-what.com
> http://gibberish.co.il
> 


Your only option might be to do something "smart". You can't use the
proper mysql functions without a connection to a database, but you
refuse to connect to a database until after you perform validation...

You do realise you can have several db connections open at one time, so
you could have one always open for the purpose of validation?
Potentially wasteful, but the architecture in this idea is a little
different from the norm.

Thanks,
Ash
http://www.ashleysheridan.co.uk




Re: [PHP] Please don't kick me!

2009-10-20 Thread Thodoris



> Hi all.
> 
> I know this question has been asked a thousand times on the list, but
> my searches in the archives are not being nice to me. So... please
> don't kick me.
> 
> Currently, we use DOMPDF to generate PDFs from HTML. However, it's no
> longer maintained and it has a few bugs that we just can no longer
> live with. What PDF generating software do you use? It does not have
> to be free, but it must run on linux and may be command line or run
> through code. Some of the ones I have researched are...
> 
> html2pdf
> html2ps
> html2fpdf
> xhtml2pdf
> fpdf
> tcpdf
> 
> Your thoughts would be appreciated. Oh, my preference would be to
> send HTML/CSS to a script and it just automagically convert to PS/PDF.
> 
> Thanks,
> ~Philip



I find tcpdf very useful although ezpdf seems faster after a first look. 
I am using tcpdf though because it has a native utf-8 support that most 
pdf classes don't and that is vital to me.


I wasn't able to print Greek, for example, with some other classes I've
tried. I am not sure if ezpdf does that.


--
Thodoris





Re: [PHP] PHP broadcast mailer

2009-10-20 Thread Tom Chubb
2009/10/18 Paul M Foster 

> On Sat, Oct 17, 2009 at 01:41:03AM -0400, Brian Hazelton wrote:
>
> > I am in charge of an email newsletter list and making sure it gets sent
> > out in time. My problem is I have never done broadcast emailing and
> > right now we have 400 subscribers but want to build a system that can
> > scale well regardless of the number of subscribers. Right now I use
> > mysql to store the email and use phpmailer in a loop to send an email to
> > each of the emails in the db, it is already slow with just 400(takes
> > around 10 min (i think that's slow isnt it?). Has anyone built a
> > broadcast email script and willing to help me?
> >
>
> Use PHPList. It's free.
>
> Paul
>
>
I second that and make sure you add an SPF Key to your domain:
http://old.openspf.org/wizard.html
You should be able to get the SMTP limits from your host and these can be
configured in PHPlist.
The bounce handling takes away a lot of admin work once your list starts
getting larger and people's email addresses change/stop working.

Tom