Re: [PHP] securing a script that exec()s
On Fri, Mar 30, 2012 at 7:05 AM, David OBrien wrote:
> Find a way to do it using PHP's imagemagick extensions
>
> http://php.net/manual/en/book.imagick.php
>
> On Fri, Mar 30, 2012 at 5:56 AM, rene7705 wrote:
>
>> Hi.
>>
>> I have a script that uses imagemagick's convert command on the commandline
>> to get its work done.
>> These calls to exec('convert [params]') take params from the end-user via a
>> html form, so is very unsecure.
>>
>> The intention is that the end-user only runs this script on localhost, from
>> localhost.
>>
>> So now i'm checking $_SERVER['REMOTE_ADDR']===$_SERVER['SERVER_ADDR'] to
>> see if I can allow the script to be used.
>>
>> But unfortunately, $_SERVER['REMOTE_ADDR'] is my external IP, and
>> $_SERVER['SERVER_ADDR'] is my internal IP.
>>
>> How would I best fix this?
>>

I, too, would suggest you use the PHP extensions rather than shell out a command for various reasons, security being possibly the highest. There is also the cost of another process on the box, and doing the translation in and out.

And David, please bottom post responses.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Could apc_fetch return a pointer to data in shared memory ?
Or: Why doesn't PHP have Applications variables like ASP.NET (and node.js) ?

Hi,

I'm working on optimising a php application (Drupal). The best optimisation I've found so far is to use APC to store various bits of Drupal data in RAM.

The problem with this is that with Drupal requiring say 50Mb of data* per request is that lots of cpu cycles are wasted de-serialising data out of apc_fetch. Also 50Mb of data per http process !! is wasted by each one re-creating its own copy of the shared data.

If it were possible for apc_fetch (or similar function) to return a pointer to the data rather than a copy of the data this would enable incredible reduction in cpu and memory usage. This is essentially how ASP.NET Application variables and node.js work.

I'm surprised PHP doesn't already have Application variables, given that they are so similar to Session Variables and that it's been around for a long time in ASP / ASP.NET. I just wondered if there was a reason for not having this functionality or if it's on a road map somewhere or I've missed something :) ?
Re: [PHP] Node.PHP
Because "normal" PHP is not asynchronous.
Also, I kind of doubt you can outperform node.js with standard PHP.

On Sat, Mar 31, 2012 at 11:56 AM, German Geek wrote:
> Maybe stupid question, but is node.php really necessary? If you can program
> PHP and it performs better than node.js, why would you need to have another
> wrapper around things. Why not just program "normal" PHP?
>
> twitter: geekdenz
> Blog: http://www.thheuer.com
>
> On Sat, Mar 31, 2012 at 10:39 AM, Hiyarli Baba wrote:
>>
>> As like Michael's said just keep up alive the project
>> I was prefers node.js to php only when i needed send millions of ssl
>> api requests.
>> nodejs sends 1k https request in only 2 second including parsing
>> required elements from database , check the returned source write to
>> file
>>
>> if you want develop / clone more modules for that please start from
>> http|s.req :p and let me continue at php
>>
>> http://stackoverflow.com/a/9199961 my nodejs + php thing
>>
>> 2012/3/22, Michael Save :
>> > Very nice!
>> >
>> > I'll have a proper look at this in the morning, and I'll try it out
>> > for myself. Looking forward to seeing more development on this.
>> >
>> > Michael
>> >
>> > On Thu, Mar 22, 2012 at 11:40 AM, Joseph Moniz
>> > wrote:
>> >> Hey,
>> >>
>> >> So i had my first Hackathon at work last week and my project was to
>> >> prototype making a node.js clone using PHP instead of V8. So i
>> >> snatched up libuv and joyent's HTTP parser and set off on a 24 hour
>> >> coding spree to get something workable. By the time the sun was coming
>> >> out the next morning the following code was working.
>> >>
>> >> <?php
>> >>
>> >> $http = new node_http();
>> >>
>> >> $http->listen(8080, function($request, $response) {
>> >>     $response->end("yay, super awesome response");
>> >> });
>> >>
>> >> nodephp_run();
>> >>
>> >> ?>
>> >>
>> >> The C code that powers it was whipped together really fast and is kind
>> >> of hackish as a result. The code has some memory leaks that i haven't
>> >> had time to fully track down yet. Some small portions of the code were
>> >> borrowed from the phode project.
>> >>
>> >> In a naive benchmark on this simple server VS an equally simple server
>> >> in node.js this implementation already outperforms node.js in
>> >> throughput by being able to serve just under 200% the amount of
>> >> requests per second that node.js could. Take that with a grain of salt
>> >> though because node.js has many more features and is much more hardened
>> >> from production use. I do believe the PHP binary will have some major
>> >> performance gains over V8 as crossing the PHP <--> C barrier seems to
>> >> be a much lighter operation than crossing the V8 <--> C++ barrier.
>> >>
>> >> Any help or feedback will be greatly appreciated. The project's source
>> >> code can be found here: https://github.com/JosephMoniz/node.php
>> >>
>> >> - Joseph Moniz
Re: [PHP] Node.PHP
Maybe stupid question, but is node.php really necessary? If you can program PHP and it performs better than node.js, why would you need to have another wrapper around things. Why not just program "normal" PHP?

twitter: geekdenz
Blog: http://www.thheuer.com

On Sat, Mar 31, 2012 at 10:39 AM, Hiyarli Baba wrote:
> As like Michael's said just keep up alive the project
> I was prefers node.js to php only when i needed send millions of ssl
> api requests.
> nodejs sends 1k https request in only 2 second including parsing
> required elements from database , check the returned source write to
> file
>
> if you want develop / clone more modules for that please start from
> http|s.req :p and let me continue at php
>
> http://stackoverflow.com/a/9199961 my nodejs + php thing
>
> 2012/3/22, Michael Save :
> > Very nice!
> >
> > I'll have a proper look at this in the morning, and I'll try it out
> > for myself. Looking forward to seeing more development on this.
> >
> > Michael
> >
> > On Thu, Mar 22, 2012 at 11:40 AM, Joseph Moniz
> > wrote:
> >> Hey,
> >>
> >> So i had my first Hackathon at work last week and my project was to
> >> prototype making a node.js clone using PHP instead of V8. So i
> >> snatched up libuv and joyent's HTTP parser and set off on a 24 hour
> >> coding spree to get something workable. By the time the sun was coming
> >> out the next morning the following code was working.
> >>
> >> <?php
> >>
> >> $http = new node_http();
> >>
> >> $http->listen(8080, function($request, $response) {
> >>     $response->end("yay, super awesome response");
> >> });
> >>
> >> nodephp_run();
> >>
> >> ?>
> >>
> >> The C code that powers it was whipped together really fast and is kind
> >> of hackish as a result. The code has some memory leaks that i haven't
> >> had time to fully track down yet. Some small portions of the code were
> >> borrowed from the phode project.
> >>
> >> In a naive benchmark on this simple server VS an equally simple server
> >> in node.js this implementation already outperforms node.js in
> >> throughput by being able to serve just under 200% the amount of
> >> requests per second that node.js could. Take that with a grain of salt
> >> though because node.js has many more features and is much more hardened
> >> from production use. I do believe the PHP binary will have some major
> >> performance gains over V8 as crossing the PHP <--> C barrier seems to
> >> be a much lighter operation than crossing the V8 <--> C++ barrier.
> >>
> >> Any help or feedback will be greatly appreciated. The project's source
> >> code can be found here: https://github.com/JosephMoniz/node.php
> >>
> >> - Joseph Moniz
Re: [PHP] Node.PHP
As like Michael's said just keep up alive the project
I was prefers node.js to php only when i needed send millions of ssl api requests.
nodejs sends 1k https request in only 2 second including parsing required elements from database , check the returned source write to file

if you want develop / clone more modules for that please start from http|s.req :p and let me continue at php

http://stackoverflow.com/a/9199961 my nodejs + php thing

2012/3/22, Michael Save :
> Very nice!
>
> I'll have a proper look at this in the morning, and I'll try it out
> for myself. Looking forward to seeing more development on this.
>
> Michael
>
> On Thu, Mar 22, 2012 at 11:40 AM, Joseph Moniz
> wrote:
>> Hey,
>>
>> So i had my first Hackathon at work last week and my project was to
>> prototype making a node.js clone using PHP instead of V8. So i
>> snatched up libuv and joyent's HTTP parser and set off on a 24 hour
>> coding spree to get something workable. By the time the sun was coming
>> out the next morning the following code was working.
>>
>> <?php
>>
>> $http = new node_http();
>>
>> $http->listen(8080, function($request, $response) {
>>     $response->end("yay, super awesome response");
>> });
>>
>> nodephp_run();
>>
>> ?>
>>
>> The C code that powers it was whipped together really fast and is kind
>> of hackish as a result. The code has some memory leaks that i haven't
>> had time to fully track down yet. Some small portions of the code were
>> borrowed from the phode project.
>>
>> In a naive benchmark on this simple server VS an equally simple server
>> in node.js this implementation already outperforms node.js in
>> throughput by being able to serve just under 200% the amount of
>> requests per second that node.js could. Take that with a grain of salt
>> though because node.js has many more features and is much more hardened
>> from production use. I do believe the PHP binary will have some major
>> performance gains over V8 as crossing the PHP <--> C barrier seems to
>> be a much lighter operation than crossing the V8 <--> C++ barrier.
>>
>> Any help or feedback will be greatly appreciated. The project's source
>> code can be found here: https://github.com/JosephMoniz/node.php
>>
>> - Joseph Moniz
Re: [PHP] Thinking out loud - a continuation...
On 12-03-27 11:11 AM, Jay Blanchard wrote:
[snip]
On 3/27/2012 12:21 AM, Robert Cummings wrote:
>> [-- SNIP --]

Essentially, entries at the root and entries for the children are just auto indexed array items but the actual entries in those arrays retain the associative index structure for retrieval of the specific information. let me know and I can probably whip you up something.

Robert that looks correct. Here is an example of the JSON that the guy provided for me -

    var json = {
        id: "node02",
        name: "0.2",
        data: {},
        children: [{
            id: "node13",
            name: "1.3",
            data: {},
            children: [{
                id: "node24",
                name: "2.4",
                data: {},
                children: [{
                    id: "node35",
                    name: "3.5",
                    data: {},
                    children: [{
                        id: "node46",
                        name: "4.6",
                        data: {},
                        children: []
                    }]
                }, {
                    id: "node37",
                    name: "3.7",
                    data: {},
                    children: [{
                        id: "node48",
                        name: "4.8",
                        data: {},
                        children: []
                    }, {
                        id: "node49",
                        name: "4.9",
                        data: {},
                        children: []
                    }, {
                        id: "node410",
                        name: "4.10",
                        data: {},
                        children: []
                    }, {
                        id: "node411",
                        name: "4.11",
                        data: {},
                        children: []
                    }]
                },

Of course he properly closes up the JSON. I inserted id's (just an auto-incrementing number) and the data portion where needed. The name: is the part that has been the result of what you did before.

Here's the code... I did a bit of shuffling and actually tested against a test db table:

And here's the code:

    <?php

    function getTiers( $company )
    {
        // Archive gap: the text from "<?php" up to the "->" before this call
        // was lost, so the object getConnectionRef() was called on is unknown.
        $db = /* ... */ getConnectionRef();

        // The company id is interpolated into the SQL below; force an integer.
        $company = (int) $company;

        $query =
            "SELECT DISTINCT "
           ."   * "
           ."FROM "
           ."   tiers "
           ."WHERE "
           ."   company = {$company} ";

        $root = array();
        if( $db->query( $query ) )
        {
            while( ($row = $db->fetchRow()) )
            {
                // Walk down from the root, creating one node per non-empty tier.
                $focus = &$root;
                for( $i = 1; $i <= 14; $i++ )
                {
                    $name = trim( $row['tier'.$i] );
                    if( $name === '' )
                    {
                        break;
                    }

                    if( !isset( $focus[$name] ) )
                    {
                        $focus[$name] = array
                        (
                            'name'     => $name,
                            'children' => array(),
                        );
                    }

                    $focus = &$focus[$name]['children'];
                }
            }
        }

        $wrapper = array
        (
            'children' => &$root
        );

        postProcessTiers( $wrapper );

        return $root;
    }

    // Replace the name-keyed children arrays with consecutively indexed ones.
    function postProcessTiers( &$root )
    {
        $root['children'] = array_values( $root['children'] );

        foreach( array_keys( $root['children'] ) as $index )
        {
            postProcessTiers( $root['children'][$index] );
        }
    }

    function getTiersJson( $company )
    {
        $tiers = getTiers( $company );
        $json = json_encode( $tiers );

        // The posted version built $json but never returned it.
        return $json;
    }

    $tiersJson = getTiersJson( 1 );

    ?>

This will output JSON with the following structure:

PHP is smart enough to detect an array that only has consecutive integer keys and create the appropriate JavaScript array object. So we don't have to do any special processing of the JSON after we've post processed the tier structure itself.

Cheers,
Rob

--
E-Mail Disclaimer: Information contained in this message and any attached documents is considered confidential and legally protected. This message is intended solely for the addressee(s). Disclosure, copying, and distribution are prohibited unless authorized.
[PHP] PHP preg_replace_callback with unicode
I wrote a simple script below to simulate my problem. Both my string and pattern contain unicode characters. Basically, if I run it from command line (php -f test.php), it prints "match" as expected. But if I run it through web server (apache, http://localhost/test.php), it prints "no match". I am using PHP 5.3.

I am sure both use the same php.ini.

Any idea why it behaves differently? How do I make it work through web server?

Thanks

- 0) { echo "match"; } else { echo 'no match'; } ?>
Re: [PHP] securing a script that exec()s
On Mar 30, 2012, at 9:25 AM, rene7705 wrote:

> On Fri, Mar 30, 2012 at 3:16 PM, Peter Bauer wrote:
>
>> On Fri, Mar 30, 2012 at 11:56:41AM +0200, rene7705 wrote:
>>> ...
>>> But unfortunately, $_SERVER['REMOTE_ADDR'] is my external IP, and
>>> $_SERVER['SERVER_ADDR'] is my internal IP.
>>>
>>> How would I best fix this?
>>
>> Simply log on your box via ssh (if it's a unix system) and run your script
>> from console or with textmode browser lynx.
>>
>> But the best solution would be to secure the exec call.
>>
>> How would I best secure the exec call?

What would the form input look like?

Mike Mackintosh
PHP, the drug of choice - www.highonphp.com
[PHP] Surge 2012 CFP is Open!
Surge 2012, the scalability conference, September 27-28, Baltimore, MD has opened its CFP. Please visit http://omniti.com/surge/2012/cfp for details.

--
Katherine Jeschke
Director of Marketing and Creative Services
OmniTI Computer Consulting, Inc.
7070 Samuel Morse Drive, Ste.150
Columbia, MD 21046
O: 443-325-1357, 222
F: 410/872-4911
C: 443/643-6140
omniti.com
Surge2012: http://omniti.com/surge/2012
PG Corridor Days - DC: http://pgday.bwpug.org/

The information contained in this electronic message and any attached documents is privileged, confidential, and protected from disclosure. If you are not the intended recipient, note that any review, disclosure, copying, distribution, or use of the contents of this electronic message or any attached documents is prohibited. If you have received this communication in error, please destroy it and notify us immediately by telephone (1-443-325-1360) or by electronic mail (i...@omniti.com). Thank you.
Re: [PHP] securing a script that exec()s
On Fri, Mar 30, 2012 at 3:16 PM, Peter Bauer wrote:

> On Fri, Mar 30, 2012 at 11:56:41AM +0200, rene7705 wrote:
> > ...
> > But unfortunately, $_SERVER['REMOTE_ADDR'] is my external IP, and
> > $_SERVER['SERVER_ADDR'] is my internal IP.
> >
> > How would I best fix this?
>
> Simply log on your box via ssh (if it's a unix system) and run your script
> from console or with textmode browser lynx.
>
> But the best solution would be to secure the exec call.
>
> How would I best secure the exec call?
Re: [PHP] securing a script that exec()s
On Fri, Mar 30, 2012 at 11:56:41AM +0200, rene7705 wrote:
> ...
> But unfortunately, $_SERVER['REMOTE_ADDR'] is my external IP, and
> $_SERVER['SERVER_ADDR'] is my internal IP.
>
> How would I best fix this?

Simply log on your box via ssh (if it's a unix system) and run your script from console or with textmode browser lynx.

But the best solution would be to secure the exec call.

--
Regards,
Peter Bauer
PHP developer
[PHP] Re: request for feedback on logAndHandler
bit bad timing, but i've decided to try out ubuntu instead of windows on that skatescene.biz machine.. i'll try to have the test url up asap or move it to my hoster within a few hours.
Re: [PHP] securing a script that exec()s
Find a way to do it using PHP's imagemagick extensions

http://php.net/manual/en/book.imagick.php

On Fri, Mar 30, 2012 at 5:56 AM, rene7705 wrote:

> Hi.
>
> I have a script that uses imagemagick's convert command on the commandline
> to get its work done.
> These calls to exec('convert [params]') take params from the end-user via a
> html form, so is very unsecure.
>
> The intention is that the end-user only runs this script on localhost, from
> localhost.
>
> So now i'm checking $_SERVER['REMOTE_ADDR']===$_SERVER['SERVER_ADDR'] to
> see if I can allow the script to be used.
>
> But unfortunately, $_SERVER['REMOTE_ADDR'] is my external IP, and
> $_SERVER['SERVER_ADDR'] is my internal IP.
>
> How would I best fix this?
>
Re: [PHP] securing a script that exec()s
Bastien Koert

On 2012-03-30, at 5:56 AM, rene7705 wrote:

> Hi.
>
> I have a script that uses imagemagick's convert command on the commandline
> to get its work done.
> These calls to exec('convert [params]') take params from the end-user via a
> html form, so is very unsecure.
>
> The intention is that the end-user only runs this script on localhost, from
> localhost.
>
> So now i'm checking $_SERVER['REMOTE_ADDR']===$_SERVER['SERVER_ADDR'] to
> see if I can allow the script to be used.
>
> But unfortunately, $_SERVER['REMOTE_ADDR'] is my external IP, and
> $_SERVER['SERVER_ADDR'] is my internal IP.
>
> How would I best fix this?

Validate the data?
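One way to validate the form data before it reaches exec(), as an added example that is not code from anyone in the thread. The field names (src, width, height, format), the 4096 pixel limit and the /var/www/uploads directory are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Field names, limits and the
// upload directory are assumptions chosen for illustration.

const ALLOWED_FORMATS = ['png', 'jpg', 'gif'];

/**
 * Validate the form fields and return the argv for ImageMagick's convert.
 * Throws InvalidArgumentException for anything outside the allow-list.
 */
function build_convert_argv(array $form, string $baseDir): array
{
    // Dimensions must be plain integers inside a fixed range.
    $range  = ['options' => ['min_range' => 1, 'max_range' => 4096]];
    $width  = filter_var($form['width']  ?? null, FILTER_VALIDATE_INT, $range);
    $height = filter_var($form['height'] ?? null, FILTER_VALIDATE_INT, $range);
    if ($width === false || $height === false) {
        throw new InvalidArgumentException('width/height must be 1..4096');
    }

    // Output format comes from a fixed list, never from free text.
    $format = $form['format'] ?? '';
    if (!is_string($format) || !in_array($format, ALLOWED_FORMATS, true)) {
        throw new InvalidArgumentException('unsupported output format');
    }

    // Bare file name only: no path separators, no leading '-', and no ':'
    // (ImageMagick reads a "coder:" prefix as a format selector).
    $src = $form['src'] ?? '';
    if (!is_string($src)
        || !preg_match('/\A[A-Za-z0-9_]{1,64}\.(png|jpe?g|gif)\z/', $src)) {
        throw new InvalidArgumentException('bad source file name');
    }

    $in  = $baseDir . '/' . $src;
    $out = $baseDir . '/out/' . pathinfo($src, PATHINFO_FILENAME) . '.' . $format;

    return ['convert', $in, '-resize', $width . 'x' . $height, $out];
}

/** Quote every argument so the shell sees each one as a single word. */
function to_shell_command(array $argv): string
{
    return implode(' ', array_map('escapeshellarg', $argv));
}

// Constructed sample submissions (not taken from the thread).
$samples = [
    ['src' => 'photo_01.jpg', 'width' => '800', 'height' => '600', 'format' => 'png'],
    ['src' => 'photo_01.jpg', 'width' => '800; echo injected', 'height' => '600', 'format' => 'png'],
    ['src' => '../../etc/passwd', 'width' => '10', 'height' => '10', 'format' => 'png'],
];

foreach ($samples as $form) {
    try {
        // In the real script this string is what would be handed to exec().
        $cmd = to_shell_command(build_convert_argv($form, '/var/www/uploads'));
        echo "OK       $cmd\n";
    } catch (InvalidArgumentException $e) {
        echo "REJECTED {$e->getMessage()}\n";
    }
}
```

Only the first sample produces a command; the other two are rejected before any shell string is built. The Imagick extension suggested elsewhere in the thread avoids the shell altogether.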
[PHP] Re: [PHP-DEV] PHP 5.4.1 RC1 Released
On Fri, Mar 30, 2012 at 8:23 AM, Stas Malyshev wrote:
> Hi!
>
> We would like to announce the first RC of the 5.4.1 version. This will
> be mainly a bugfix version, including all bugfixes that did not make the
> cut for 5.4.0 and new issues since then. Please test it and notify us of
> any problems you may encounter.

Hey Stas!

Does this mean that the 5.4 branch is frozen now and one should ask a PM before committing?

Nikita
[PHP] securing a script that exec()s
Hi.

I have a script that uses imagemagick's convert command on the commandline to get its work done.
These calls to exec('convert [params]') take params from the end-user via a html form, so is very unsecure.

The intention is that the end-user only runs this script on localhost, from localhost.

So now i'm checking $_SERVER['REMOTE_ADDR']===$_SERVER['SERVER_ADDR'] to see if I can allow the script to be used.

But unfortunately, $_SERVER['REMOTE_ADDR'] is my external IP, and $_SERVER['SERVER_ADDR'] is my internal IP.

How would I best fix this?
Re: [PHP] request for feedback on logAndHandler
rene7705 wrote on 30 March 2012 at 11:29:

> I thought now would be a good time to get some early feedback on what else
> I can improve for this component, at least from an end-user perspective (I
> haven't yet updated the download zip on http://mediabeez.ws with these
> latest changes).

First of all this is only my opinion but you should not mistake this mailing list for a "review my extension" list. This is a discussion group about PHP. I think there are proper places on the internet for that. Most people reading this list will have no interest in reading a discussion about stuff they are not interested in.

I suggest you set up a github project, google group or whatever wiki/forum you like where people interested in it can post and discuss. Then you can send a mail to this list where you announce your discussion group. So there is no discussion on this list and you can promote your work to be discussed.

Just my 2 cents on that.

Regards,
Marco
RE: [PHP] Watch out for automatic type casting
-----Original Message-----
From: Simon Schick [mailto:simonsimc...@googlemail.com]
Sent: 29 March 2012 07:19 PM
To: a...@dotcontent.net
Cc: php-general@lists.php.net
Subject: Re: [PHP] Watch out for automatic type casting

Hi, Arno

FYI: I found a page in the php-manual that's exactly for that:
http://www.php.net/manual/en/language.operators.precedence.php

p.s. some of them were also new to me
Thanks for getting me to read it.

Bye
Simon

Thanks Simon and others, thought it was typecasting, but precedence makes more sense. I remember seeing that table when I first started using php, which is why I always use AND and OR rather than && and || because it's lower precedence than the assignment and the ternary operators, but I couldn't remember where I'd seen it. So thanks for linking to it.

Cheers
Arno

--
BTW interesting to note on that precedence page that "!" has a higher precedence than "=" (which you'd expect it to be) but you can still do

    if (!$a = foo())

I use that form often (as I'm sure many others do) and just took it for granted that it works even though the order of precedence says it shouldn't.

It could be expanded to

    if ($a = foo() != TRUE)

But that wouldn't get the expected result due to order of precedence, though at first glance you could reasonably expect it to work because of

    if (!$a = foo())

being valid.

I think that's why it's so easy to be caught out (at least for me) by the similar form of

    if ( $pos = strpos($sText, "test") !== FALSE)

Cheers
Arno
[PHP] PHP 5.4.1 RC1 Released
Hi!

We would like to announce the first RC of the 5.4.1 version. This is mainly a bugfix release, including all fixes that did not make the cut for 5.4.0 and new issues since then. Please test it and notify us of any problems you may encounter.

The full list of the fixes is as always in the NEWS file. You can download the packages from: http://downloads.php.net/stas

The Windows team provides windows binaries for the release. As always you find them at: http://windows.php.net/qa/

This is also the first release we are making from our brand new Git setup, please tell us if you notice any glitches. You can read more about the Git migration here: http://www.php.net/archive/2012.php#id2012-03-20-1

We plan the next RC for 5.4.1 in two weeks, on April 12th.

Regards,
Stas & David