php-general Digest 8 Jun 2012 06:20:41 -0000 Issue 7845
Topics (messages 318179 through 318191):

Re: A Question of SESSION
  318179 by: Daniel P. Brown
  318180 by: Daniel P. Brown
  318185 by: Matijn Woudt

help with query
  318181 by: Jack
  318186 by: Ashley Sheridan
  318187 by: Jim Lucas
  318188 by: Jack Sasportas

test
  318182 by: Sven Kowalski
  318183 by: Camilo Sperberg
  318184 by: Jay Blanchard

A problem about sessions
  318189 by: Tazio Ceri
  318190 by: Stuart Dallas
  318191 by: As'ad Djamalilleil

Administrivia:
To subscribe to the digest, e-mail: php-general-digest-subscr...@lists.php.net
To unsubscribe from the digest, e-mail: php-general-digest-unsubscr...@lists.php.net
To post to the list, e-mail: php-gene...@lists.php.net

---BeginMessage---
On Thu, Jun 7, 2012 at 11:15 AM, Tedd Sperling t...@sperling.com wrote:
> 3. Looking for an explanation, I came across Daniel's post to the PHP manual, which follows:
> http://www.webbytedd.com/b/sessions3
>
> Now I am totally bonkers. What am I not getting?

Anything. Because that page 404's. ;-P

Chances are, what you may be seeing as a post I made is, in fact, just someone else's user note submission which I edited.

--
/Daniel P. Brown
Dedicated Servers, Cloud and Cloud Hybrid Solutions, VPS, Hosting
(866-) 725-4321
http://www.parasane.net/
---End Message---

---BeginMessage---
On Thu, Jun 7, 2012 at 11:20 AM, Daniel P. Brown daniel.br...@parasane.net wrote:
> On Thu, Jun 7, 2012 at 11:15 AM, Tedd Sperling t...@sperling.com wrote:
>> 3. Looking for an explanation, I came across Daniel's post to the PHP manual, which follows:
>> http://www.webbytedd.com/b/sessions3

I see: http://www.webbytedd.com/b/sessions2/ (not 3). And yes, I edited the note, I didn't submit it.

>> Now I am totally bonkers. What am I not getting?
>
> Anything. Because that page 404's. ;-P
>
> Chances are, what you may be seeing as a post I made is, in fact, just someone else's user note submission which I edited.

--
/Daniel P. Brown
Dedicated Servers, Cloud and Cloud Hybrid Solutions, VPS, Hosting
(866-) 725-4321
http://www.parasane.net/
---End Message---

---BeginMessage---
On Thu, Jun 7, 2012 at 5:15 PM, Tedd Sperling t...@sperling.com wrote:
> Hi Daniel and gang:
>
> Considering I'm never afraid to show my ignorance, please review the following example.
>
> Because of the way I normally use sessions and considering this way works for me, I thought I knew what sessions were about -- but my faith is eroding.
>
> Cases in point
>
> 1. The following is the way I normally use sessions (with COOKIES turned ON):
> http://www.webbytedd.com/b/sessions
> It works.
>
> 2. Considering that people may have their COOKIES turned OFF, I tried this:
> http://www.webbytedd.com/b/sessions1/
> It works when COOKIES are turned ON, but the SID does not appear in the URL -- I find that odd.
> However, if COOKIES are turned OFF, then SID does appear in the URL, but the process of passing session variables doesn't work -- I find that confusing.
> What's the point of passing the SID if it isn't going to be used?
>
> 3. Looking for an explanation, I came across Daniel's post to the PHP manual, which follows:
> http://www.webbytedd.com/b/sessions3
>
> Now I am totally bonkers. What am I not getting?
>
> Cheers,
> tedd

Hi Tedd,

I assume you're running PHP 5.3 or later; then session.use_only_cookies in php.ini is set to 1 by default, which means it doesn't accept PHPSESSID. Change that to 0, and it will probably work.

- Matijn
---End Message---

---BeginMessage---
Hello All,

I have this string defined for my query and it shows the different types of categories fine, but when I change a.categoryid = c.categoryid to a.categoryid = 1, which is only one of the categories, it shows me the same record twice.

$query = "select a.startdate, a.articleid, c.name, a.title, a.intro, a.datecreated
          from articles as a, categories as c
          where (a.startdate = -1 or a.startdate <= {$now})
            and (a.enddate = -1 or a.enddate >= {$now})
            and a.categoryid = c.categoryid
          order by a.startdate DESC";

$res = mysql_query($query);   // result handle the loop below reads from (implied by the original, not shown in it)
while ( $row = mysql_fetch_array($res) ) {
    $tpldata['articles'][] = array(
        'title'        => $row['title'],
        'intro'        => makeLinks($row['intro']),
        'id'           => $row['articleid'],
        'categoryname' => $row['name'],
        'created'      => date('n/j/Y', $row['datecreated'])
    );
    //echo $row['datecreated'];
}

Any Ideas???

Thanks!
---End Message---

---BeginMessage---
Jack
php-general Digest 8 Jun 2012 18:26:47 -0000 Issue 7846
Topics (messages 318192 through 318200):

Re: Read dynamic variable from HTML form into PHP
  318192 by: ioannes.btinternet.com

Re: A problem about sessions
  318193 by: Tazio Ceri

Your Amazon.com order confirmation.
  318194 by: digital-no-reply.amazon.com
  318195 by: Dan McCullough

SQL Injection
  318196 by: Ethan Rosenberg
  318197 by: Adam Richardson
  318198 by: Jen Rasmussen
  318199 by: Govinda
  318200 by: Jim Lucas

---BeginMessage---
There are essentially 2 ways:

1. All POSTed data is present in the $_POST superglobal array. So you could just loop over that, ignore the fields you already knew were there, and the data remaining is then essentially the data you seek. The keys in the $_POST array are the fieldnames you are looking for.

2. There's a special trick in PHP: when you name a field name[] in HTML and then POST it to a PHP script, it will turn into an array field. So

<input name="a[]" value="1">
<input name="a[]" value="2">

will then end up in:

$_POST = [ 'a' => [ 0 => '1', 1 => '2' ] ]

If you had not added the square brackets, you would have:

<input name="a" value="1">
<input name="a" value="2">

ending up in:

$_POST = [ 'a' => '2' ]

Thus never seeing the value '1'.

<form>
  <checkbox field name="input_1" value="y">
  <checkbox field name="input_2" value="y">
  <field name="input_n" ..>
</form>

<?php
//checkboxes return on submit only if ticked
$query = "SELECT id FROM table WHERE etc";
$result = mysql_db_query($db, $query, $connection);
$count = mysql_num_rows($result);
while ($row = mysql_fetch_row($result)) {
    $id = $row[0];
    //dynamic variable
    //if form uses textfield that returns on submit
    //if (${'input_'.$id} == 1) {
    //if checkbox that only returns if ticked
    if (ISSET(${'input_'.$id})) {
        echo "checked 1";
    }
}
?>
---End Message---

---BeginMessage---
Stuart Dallas stu...@3ft9.com wrote:
> On 8 Jun 2012, at 00:39, Tazio Ceri wrote:
>> I have a PHP script that takes a very long time to execute. I manage it using the following structure:
>>
>> ob_start();
>> // some code
>> session_start();
>> // some code
>> header("Content-length: " . ob_get_length());
>> ob_end_flush();
>> // some other, very long, code!
>>
>> The problem I am facing is that, after having set up a session, I often have errors because I don't find any simple variable that I wrote in $_SESSION. Correct me if I am wrong, but I think that $_SESSION gets saved to disk only at the end of the script, after the very long code has been executed. Is there a way to save the session manually just after ob_end_flush()?
>
> http://php.net/session_write_close
>
> -Stuart
>
> --
> Stuart Dallas
> 3ft9 Ltd
> http://3ft9.com/
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

Thank you, I don't know how I overlooked that function.

Tazio Ceri
---End Message---
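The name[] technique from the "Read dynamic variable from HTML form into PHP" reply earlier in this digest, applied to the poster's checkbox form, as an added example that is not code from the thread. It reads the ticked boxes from $_POST instead of through a dynamic ${'input_'.$id} variable, which only resolves to a form field when register_globals is on (removed in PHP 5.4). The id list, the field name "checked[]" and the two function names are assumptions made for the example.

```php
<?php
// Added example (not from the thread). One checkbox per row, all named
// "checked[]" so PHP collects the ticked values into $_POST['checked'].
// Unticked checkboxes are not submitted at all, which is the behaviour the
// original comment "checkboxes return on submit only if ticked" relies on.

// Constructed stand-in for the ids the original mysql_db_query() loop returned.
$idsFromDb = [3, 7, 12, 15];

function renderCheckboxes(array $ids): string
{
    $html = "<form method=\"post\">\n";
    foreach ($ids as $id) {
        $id = (int) $id;   // our own query supplied these, but cast before echoing anyway
        $html .= "  <input type=\"checkbox\" name=\"checked[]\" value=\"$id\"> item $id<br>\n";
    }
    return $html . "  <input type=\"submit\">\n</form>\n";
}

// Accept only values that are integers and that were actually offered in the
// form; a client is free to send any name/value pair it likes.
function tickedIds(array $post, array $allowed): array
{
    $raw = $post['checked'] ?? [];
    if (!is_array($raw)) {          // "checked=foo" (no brackets) arrives as a string
        return [];
    }
    $ticked = [];
    foreach ($raw as $value) {
        if (is_string($value) && ctype_digit($value)
            && in_array((int) $value, $allowed, true)) {
            $ticked[] = (int) $value;
        }
    }
    return $ticked;
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    foreach (tickedIds($_POST, $idsFromDb) as $id) {
        echo "checked $id\n";
    }
} else {
    echo renderCheckboxes($idsFromDb);
}
```

Because the row ids are checked against the list the server generated, a submitted id that was never rendered is simply ignored rather than looked up, and no per-row variable has to exist in the global scope.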
Re: [PHP] A problem about sessions
I can't understand much of your question, but I think you're supposed to write the statement that sets the variable's value after session_start() is called, like this:

...
session_start();
... some code
$_SESSION['some_var'];   <--- don't put it before session_start()

On Thu, Jun 7, 2012 at 5:51 PM, Stuart Dallas stu...@3ft9.com wrote:
> On 8 Jun 2012, at 00:39, Tazio Ceri wrote:
>> I have a PHP script that takes a very long time to execute. I manage it using the following structure:
>>
>> ob_start();
>> // some code
>> session_start();
>> // some code
>> header("Content-length: " . ob_get_length());
>> ob_end_flush();
>> // some other, very long, code!
>>
>> The problem I am facing is that, after having set up a session, I often have errors because I don't find any simple variable that I wrote in $_SESSION. Correct me if I am wrong, but I think that $_SESSION gets saved to disk only at the end of the script, after the very long code has been executed. Is there a way to save the session manually just after ob_end_flush()?
>
> http://php.net/session_write_close
>
> -Stuart
>
> --
> Stuart Dallas
> 3ft9 Ltd
> http://3ft9.com/
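Stuart's pointer to session_write_close() applied to the structure Tazio posted, together with As'ad's point that $_SESSION is only meaningful after session_start(), as an added example that is not code from the thread. The job is simulated with sleep(); the 'job_started_at' and 'job_status' keys are made up for the example. The example also pins session.use_only_cookies to 1: the earlier session thread in this digest suggests setting it to 0, which makes PHP accept the session ID from the URL, where it ends up in logs, bookmarks and Referer headers.

```php
<?php
// Added example (not from the thread): persist the session before a long
// job instead of at script end.

// Keep the session ID in the cookie only (the PHP 5.3+ default).
ini_set('session.use_only_cookies', '1');

ob_start();
// some code
session_start();

// Anything meant to survive this request goes into $_SESSION *after*
// session_start(); before it, the array is just an ordinary, unsaved variable.
$_SESSION['job_started_at'] = time();
$_SESSION['job_status']     = 'running';

echo "Job accepted\n";

// Tell the client how many bytes to expect and push them out, so the browser
// can stop waiting before the slow part runs.
header('Content-Length: ' . ob_get_length());
header('Connection: close');
ob_end_flush();
flush();

// Write $_SESSION to the save handler now. Without this, PHP writes it only
// when the script ends, and with the default files handler the session file
// stays locked until then, blocking every other request from the same user.
// After this call, further changes to $_SESSION in this request are not saved
// unless the session is reopened with another session_start().
session_write_close();

// some other, very long, code!
sleep(30);
```

The order matters: the write to $_SESSION comes between session_start() and session_write_close(), and the close comes after the headers and the flushed body, since output sent after the close is unaffected by the session.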
Re: [PHP] Your Amazon.com order confirmation.
I was hoping for a TV

On Fri, Jun 8, 2012 at 10:19 AM, wrote:
> Your Order with Amazon.com
>
> Thanks for your order, php-db-h...@lists.php.net!
> Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account.
>
> Order Information:
> E-mail Address: php-db-h...@lists.php.net
> Billing Address: Av. GAHANNA United States
> Phone: 1-747-517-7595
> Order Grand Total: $60.99
> Earn 3% rewards on your Amazon.com orders with the Amazon Visa Card. Learn More
>
> Order Summary:
> Details:
> Order #: Y09-7318668-6213012
> Subtotal of items: $ 60.99
> --
> Total before tax: $ 60.99
> Tax Collected: $0.00
> --
> Grand Total: $ 60.00
> Gift Certificates: $ 0.99
> --
> Total for this Order: $ 60.99
>
> The following item is auto-delivered to your Kindle or other device. You can view more information about this order by clicking on the title on the Manage Your Kindle page at Amazon.com.
> The Witness by Nora Roberts [Kindle Edition] $ 60.99
> Sold By: Random House Digital, Inc.
>
> You can review your orders in Your Account. If you've explored the links on that page but still have a question, please visit our online Help Department.
>
> Please note: This e-mail was sent from a notification-only address that cannot accept incoming e-mail. Please do not reply to this message.
> Thanks again for shopping with us.
> Amazon.com Earth's Biggest Selection
> Prefer not to receive HTML mail? Click here

--
Thank you,
Dan
Cell: 484-459-2856
https://www.facebook.com/dpmccullough
http://www.linkedin.com/in/danmccullough
[PHP] SQL Injection
Dear List -

I am aware of a long email trail on this subject, but there does not seem to be a resolution. Is it possible to have a meeting of the minds to come up with (an) appropriate method(s)?

Thanks.

Ethan Rosenberg
Re: [PHP] SQL Injection
On Fri, Jun 8, 2012 at 12:37 PM, Ethan Rosenberg eth...@earthlink.net wrote:
> Is it possible to have a meeting of the minds to come up with (an) appropriate method(s)?

Minds, meet prepared statements :)

Adam

--
Nephtali: A simple, flexible, fast, and security-focused PHP framework
http://nephtaliproject.com
RE: [PHP] SQL Injection
> -----Original Message-----
> From: Adam Richardson [mailto:simples...@gmail.com]
> Sent: Friday, June 08, 2012 11:50 AM
> To: PHP-General
> Subject: Re: [PHP] SQL Injection
>
> On Fri, Jun 8, 2012 at 12:37 PM, Ethan Rosenberg eth...@earthlink.net wrote:
>> Is it possible to have a meeting of the minds to come up with (an) appropriate method(s)?
>
> Minds, meet prepared statements :)
>
> Adam
>
> --
> Nephtali: A simple, flexible, fast, and security-focused PHP framework
> http://nephtaliproject.com

PDO is the way to go :D

Jen
Re: [PHP] SQL Injection
>> Is it possible to have a meeting of the minds to come up with (an) appropriate method(s)?
>
> Minds, meet prepared statements :)

> PDO is the way to go :D

Not to refute the above advice one bit (not to mention oppose the arguments against escaping in general) ... but just curious - can anyone demo a hack that effectively injects past mysqli_real_escape_string(), while using utf-8?

It may just be a matter of time (or already?) before mysqli_real_escape_string is *proven* ineffective (w/utf-8) ... but here I am just attempting to gather facts.

Thanks
-Govinda
Re: [PHP] SQL Injection
On 06/08/2012 10:31 AM, Govinda wrote:
>>> Is it possible to have a meeting of the minds to come up with (an) appropriate method(s)?
>>
>> Minds, meet prepared statements :)
>
>> PDO is the way to go :D
>
> Not to refute the above advice one bit (not to mention oppose the arguments against escaping in general) ... but just curious - can anyone demo a hack that effectively injects past mysqli_real_escape_string(), while using utf-8?
>
> It may just be a matter of time (or already?) before mysqli_real_escape_string is *proven* ineffective (w/utf-8) ... but here I am just attempting to gather facts.
>
> Thanks
> -Govinda

Ah, but what if I use sqlite or postgres?

IMHO, the discussion needs to be about the best way to prevent SQL injection across all possible DB types. Not just mysql.

--
Jim Lucas
http://www.cmsws.com/
http://www.cmsws.com/examples/
http://www.bendsource.com/
Re: [PHP] SQL Injection
Jim Lucas wrote:
>> Not to refute the above advice one bit (not to mention oppose the arguments against escaping in general) ... but just curious - can anyone demo a hack that effectively injects past mysqli_real_escape_string(), while using utf-8?
>>
>> It may just be a matter of time (or already?) before mysqli_real_escape_string is *proven* ineffective (w/utf-8) ... but here I am just attempting to gather facts.
>
> Ah, but what if I use sqlite or postgres?

Or Firebird ;)

> IMHO, the discussion needs to be about the best way to prevent SQL injection across all possible DB types. Not just mysql.

The main thing to avoid is building queries from elements that are directly loaded from the form inputs. While it is difficult to build sort elements for queries that use parameters, having a mechanism like ADOdb's datadict where one can filter SQL based on the identified field names does make life easier. While the problems of dealing with student names such as 'Delete from student' are easily solved by only using them in parameter arrays. A few simple basics cover the vast majority of traditional SQL injection problems?

--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk//
Firebird - http://www.firebirdsql.org/index.php
Re: [PHP] SQL Injection
>> Ah, but what if I use sqlite or postgres?
>
> Or Firebird ;)

good point.

>> IMHO, the discussion needs to be about the best way to prevent SQL injection across all possible DB types. Not just mysql.
>
> The main thing to avoid is building queries from elements that are directly loaded from the form inputs. While it is difficult to build sort elements for queries that use parameters, having a mechanism like ADOdb's datadict where one can filter SQL based on the identified field names does make life easier. While the problems of dealing with student names such as 'Delete from student' are easily solved by only using them in parameter arrays. A few simple basics cover the vast majority of traditional SQL injection problems?

Yes, apparently. Part of why I even asked is to get a sense of the shelf life on legacy code (that relies on escaping) which I am not keen to have to re-write, for free, until I really must.

-Govinda
Re: [PHP] SQL Injection
Govinda govinda.webdnat...@gmail.com wrote:
>>> Ah, but what if I use sqlite or postgres?
>>
>> Or Firebird ;)
>
> good point.
>
>>> IMHO, the discussion needs to be about the best way to prevent SQL injection across all possible DB types. Not just mysql.
>>
>> The main thing to avoid is building queries from elements that are directly loaded from the form inputs. While it is difficult to build sort elements for queries that use parameters, having a mechanism like ADOdb's datadict where one can filter SQL based on the identified field names does make life easier. While the problems of dealing with student names such as 'Delete from student' are easily solved by only using them in parameter arrays. A few simple basics cover the vast majority of traditional SQL injection problems?
>
> Yes, apparently. Part of why I even asked is to get a sense of the shelf life on legacy code (that relies on escaping) which I am not keen to have to re-write, for free, until I really must.
>
> -Govinda

I think you can happily sanitise data where it makes sense, and use bound parameters elsewise. So when you expect a number, it's easy to check for and force a sensible default. Likewise for things like dates, or names of articles (probably a popular need with a CMS) you can check and enforce particular characters. Outside of that, without bound params you run a potential risk (even if only slight). You can do stuff like base64 encode values, but then you lose a lot of the ability to search through your DB after.

Thanks,
Ash
http://ashleysheridan.co.uk
Re: [PHP] SQL Injection
> I think you can happily sanitise data where it makes sense, and use bound parameters elsewise. So when you expect a number, it's easy to check for and force a sensible default. Likewise for things like dates, or names of articles (probably a popular need with a CMS) you can check and enforce particular characters. Outside of that, without bound params you run a potential risk (even if only slight). You can do stuff like base64 encode values, but then you lose a lot of the ability to search through your DB after.

What would you say in the case of having used CodeIgniter (with its modified 'Active Record Class', before PDO was an (easy/built-in) option in CodeIgniter) to develop an app that serves content in dozen(s) of languages through a custom international CMS... and now they want a search box so end users can search all the pages (db data) of the site for that country (in that country's main language)? IOW form input that I cannot just force/sanitize to e.g. (english) alphanumeric (+ spaces), and I cannot just switch to using PDO without rewriting all the code in all the model files.

Thanks
-Govinda
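The points raised across this thread in one runnable script, as an added example that is not code from any of the posters: bound parameters for values (Adam's and Jen's prepared statements / PDO), a whitelist for the parts of a query that cannot be bound, such as the sort column (Lester's point), type checks with a sensible default where the type is known (Ash's point), and a search box whose text may be in any language (Govinda's last question). PDO with an in-memory SQLite database is used so it runs offline; the same calls work against the MySQL, PostgreSQL or Firebird PDO drivers, which is Jim's cross-database point. The articles table, its rows, the SORTABLE constant and the three function names are constructed for this example.

```php
<?php
// Added example, not code from the thread.

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,  // server-side binding, no client-side quoting
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
// For MySQL the DSN would also carry the connection charset, e.g.
// 'mysql:host=localhost;dbname=cms;charset=utf8mb4', so that client and
// server agree on character boundaries for any quoting the driver still does.

$db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, lang TEXT, created INTEGER)');
$ins = $db->prepare('INSERT INTO articles (title, lang, created) VALUES (?, ?, ?)');
$sampleRows = [                        // constructed sample data
    ["O'Reilly's notes", 'en', 1339100000],
    ['Café à Paris',     'fr', 1339110000],
    ['日本語の記事',        'ja', 1339120000],
];
foreach ($sampleRows as $row) {
    $ins->execute($row);               // quotes and non-ASCII need no escaping
}

// Identifiers cannot be bound, so the request's sort column is mapped through
// a fixed list rather than copied into the SQL text.
const SORTABLE = ['created' => 'created', 'title' => 'title', 'id' => 'id'];

function orderClause(string $column, string $dir): string
{
    $col = SORTABLE[$column] ?? 'created';
    $dir = strtoupper($dir) === 'ASC' ? 'ASC' : 'DESC';
    return "ORDER BY $col $dir";
}

// Where the type is known, validate it and fall back to a default.
function pageSize($raw, int $default = 10, int $max = 100): int
{
    $ok = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => $max]]);
    return $ok === false ? $default : (int) $ok;
}

// The search text is bound as a value, whatever script it is written in.
// LIKE's own wildcards inside the text are escaped so they match literally;
// '!' is used as the escape character because it is portable across drivers.
function searchArticles(PDO $db, string $needle, string $lang,
                        string $sort, string $dir, $limit): array
{
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $needle);
    $sql = "SELECT id, title FROM articles WHERE lang = :lang AND title LIKE :pat ESCAPE '!' "
         . orderClause($sort, $dir) . ' LIMIT :lim';
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':lang', $lang);
    $stmt->bindValue(':pat', '%' . $escaped . '%');
    $stmt->bindValue(':lim', pageSize($limit), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}

// Constructed request input: a quote in the search text, an unknown sort
// column and a non-numeric page size. None of it reaches the SQL text.
print_r(searchArticles($db, "O'Reilly", 'en', 'colour', 'asc', 'abc'));
print_r(searchArticles($db, '日本',     'ja', 'title',  'asc', '5'));
```

The first call returns the O'Reilly row sorted by the default column with the default page size; the second matches the Japanese title. The only strings concatenated into the query are the whitelisted column name and direction, which is what makes the approach hold regardless of which database driver is behind PDO.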