Re: [PHP] Array & unset()

2012-09-23 Thread Ken Robinson

At 08:50 PM 9/23/2012, Ron Piggott wrote:

I am wondering if there is a way to remove from 
an array where the value is 0 (“zero”)


Array example:

$total_points_awarded = array(  1 => 17, 3 => 14, 4 => 0, 5 => 1, 6 => 0 );

In this example I would like to remove element # 4 and # 6.

The “key” ( 1,3,4,5,6 ) represents the 
member’s account #.  It is an auto_increment value in a mySQL table

The “value” ( 17,14,0,1,0 ) represents their score.

The application for this is a list of the top 
users.  If someone has 0 points I don’t want to include them.


Any thoughts?  Any help is appreciated.


Look at array_filter()  ... http://php.net/array_filter

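<?php
$total_points_awarded = array(  1 => 17, 3 => 14, 4 => 0, 5 => 1, 6 => 0 );
// With no callback, array_filter() drops entries whose value is falsy (0 here) and keeps the keys.
print_r(array_filter($total_points_awarded));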


Ken 



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] Array & unset()

2012-09-23 Thread Ron Piggott

I am wondering if there is a way to remove from an array where the value is 0 
(“zero”)

Array example:

$total_points_awarded = array(  1 => 17, 3 => 14, 4 => 0, 5 => 1, 6 => 0 );

In this example I would like to remove element # 4 and # 6.  

The “key” ( 1,3,4,5,6 ) represents the member’s account #.  It is an 
auto_increment value in a mySQL table
The “value” ( 17,14,0,1,0 ) represents their score.

The application for this is a list of the top users.  If someone has 0 points I 
don’t want to include them.  

Any thoughts?  Any help is appreciated.  

Ron

Ron Piggott



www.TheVerseOfTheDay.info 


Re: [PHP] Day after Friday

2012-09-23 Thread Paul M Foster
On Sun, Sep 23, 2012 at 09:33:33AM -0400, Tedd Sperling wrote:

> On Sep 22, 2012, at 3:59 PM, Paul M Foster 
> wrote:
> > On Sat, Sep 22, 2012 at 01:05:51PM -0400, Tedd Sperling wrote:
> > 
> >> Hi gang:
> >> 
> >> I know it's the Day after Friday, but I'm asking an off-topic
> >> question anyway -- sorry.
> >> 
> >> Normally, I teach a PHP class at the local college, but it got
> >> canceled (don't ask why) -- now I'm teaching Java.
> >> 
> >> So, can anyone recommend a Java list that is similar to this list?
> > 
> > Off off topic...
> > 
> > Who the hell cancels a PHP class? Do they not realize damn near the
> > whole internet runs on PHP? Wordpress, Drupal, Joomla, Facebook ad
> > nauseam, not to mention Symfony, CakePHP, Code Igniter, etc.
> > Administrators! Ach!
> > 
> > Paul
>

[snip]

> 
> This is just another example of how administration makes decisions. It
> would be nice if administration decisions were made with respect to
> "what is best for the student" as compared to this type of nonsense.

You know, I never had much respect for academia (no offense, Tedd;
that's not aimed at you), and this just confirms my contempt.
Administrators tend to completely lack common sense. And professors tend
to be arrogant and suffer from a lack of understanding of the real world
and real people. Add to this the skyrocketing cost of higher education.
Particularly when many of the things learned in school are either
unnecessary or could be learned just as well by the diligent student
through books and research on the internet. (Incidentally, when I was a
kid, my best friend's father was a university professor. Brilliant
economist who hated tenure.)

And from what I've seen, even at the primary level, decisions are rarely
made on the basis of "what is best for the student". We're dealing with
this currently with my granddaughter (11 years old). The only saving
grace of the whole system appears to be individual teachers who manage
to look past all the crap and hold the line for students. 

What a pity.

Paul

-- 
Paul M. Foster
http://noferblatz.com
http://quillandmouse.com




Re: [PHP] Images can execute php script?

2012-09-23 Thread Maciek Sokolewicz

On 23-09-2012 21:30, admin wrote:

Jpgs can hold other data rather than image data
One thing to try is to run strip_tags($image) to remove any php code


http://stackoverflow.com/questions/3499173/my-php-site-was-hacked-by-codes-uploaded-as-image

http://josephkeeler.com/2009/04/php-upload-security-the-1x1-jpeg-hack/

Bastien




I understand the principle behind
include('pages/' . $_GET['page'] . '.php');
http://www.mysite.com/index.php?page=../upload/image.jpg?cmd=somecode%00

Which I find ridiculous if anyone did that.
I am not sure how he was calling the image to be sure. I watched him upload
the image and then
do what looked like a normal echo UPLOADED_IMAGES.$_FILE["name"]; You saw
phpinfo() called but it was not in the script rather in the image.

He opened the test.jpg in a text editor and sure enough there was  in the code of the jpeg.

This bothers me because I am not sure what all he did. He was proving PHP is
not a safe language in front of a rather large group of people in the
meeting.
I could only look on in disbelief that it just happened in front of me.

Everything inside of me wants to say he was doing something outside of what
I consider normal circumstances.
My question is this:
If someone uploads an image through a form or whatever and they have embedded
a code in, can that code inside the image be executed by viewing the file?



The answer to this is both yes and no. It all depends on:
a) what you do with the file
b) how your webserver is set up / configured

PHP scripts are executed using the PHP interpreter. This means, that for 
a PHP script to be executed, the server needs to:

1. assume the requested file is a PHP script
2. run the PHP interpreter, and provide it the requested file
3. return the output from the PHP interpreter

Most sane servers, when they get a request for a .jpg file, do not 
assume it's a PHP script, and simply return the raw image, which might 
include PHP script, but which will never be run by any sane person.


Some servers however, are configured to run everything through the PHP 
interpreter, before returning its output. In this case: yes, bad stuff 
will happen.


Alternatively, it's possible to run code in files from within other 
files. An example of this was given above, where you showed that 
including a file containing PHP code will execute that code. Regardless 
of what the file is exactly.


In practice I must admit I have very rarely seen this exploit in action, 
since most proper servers and scripts are configured / coded by sane 
enough people for this not to be possible. Unfortunately, if you come 
across a novice coder, (s)he might use the include 'someImage.jpg' 
technique to return images, instead of echo 
file_get_contents('someImage.jpg'), which under these circumstances is 
a much safer way of doing the same thing.


- Tul
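
Added example (not part of the original thread or of the message above): a PHP sketch of the difference described there between include and file_get_contents() on an uploaded file, run against a constructed file that carries only a harmless marker. The helper names resolve_page() and serve_upload() and the pages/ paths are hypothetical.

```php
<?php
// Added illustration; every function name and path below is hypothetical.

// Constructed sample: JPEG magic bytes followed by a harmless PHP tag that
// only sets a marker, standing in for an uploaded "image" that carries code.
$upload = tempnam(sys_get_temp_dir(), 'img');
file_put_contents($upload, "\xFF\xD8\xFF\xE0" . '<?php $GLOBALS["ran"] = true; ?>');

// include hands the file to the PHP interpreter whatever its name or
// content type, so the embedded tag runs.
$GLOBALS['ran'] = false;
ob_start();
include $upload;
ob_end_clean();
$ranViaInclude = $GLOBALS['ran'];

// file_get_contents() (like readfile()) treats the same file as opaque bytes.
$GLOBALS['ran'] = false;
$bytes = file_get_contents($upload);
$ranViaRead = $GLOBALS['ran'];
unlink($upload);

// Allow-list replacement for include('pages/' . $_GET['page'] . '.php'):
// the request value only selects among fixed paths and never becomes one.
function resolve_page(string $requested): string
{
    $pages = ['home' => 'pages/home.php', 'about' => 'pages/about.php'];
    return $pages[$requested] ?? $pages['home'];
}

// Serve an upload as data only: strip directories from the name, confirm
// the content parses as an image, and send it with readfile().
function serve_upload(string $dir, string $name): bool
{
    $path = realpath($dir . DIRECTORY_SEPARATOR . basename($name));
    $info = ($path !== false && is_file($path)) ? @getimagesize($path) : false;
    $allowed = ['image/jpeg', 'image/png', 'image/gif'];
    if ($info === false || !in_array($info['mime'], $allowed, true)) {
        http_response_code(404);
        return false;
    }
    header('Content-Type: ' . $info['mime']);
    header('X-Content-Type-Options: nosniff');
    readfile($path);
    return true;
}

// Report whether the marker was set by each access method, then show the
// allow-list mapping a known page and a traversal-style value.
var_dump($ranViaInclude, $ranViaRead, strlen($bytes));
var_dump(resolve_page('about'), resolve_page('../upload/image.jpg'));
```

A file that passes getimagesize() can still contain PHP tags; the protection here is that the bytes are never given to the interpreter. That also depends on the web server not being configured to run files in the upload directory through PHP.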




RE: [PHP] Images can execute php script?

2012-09-23 Thread admin
> Jpgs can hold other data rather than image data
> One thing to try is to run strip_tags($image) to remove any php code
>
> http://stackoverflow.com/questions/3499173/my-php-site-was-hacked-by-codes-uploaded-as-image
> http://josephkeeler.com/2009/04/php-upload-security-the-1x1-jpeg-hack/
> 
> Bastien



I understand the principle behind
include('pages/' . $_GET['page'] . '.php');
http://www.mysite.com/index.php?page=../upload/image.jpg?cmd=somecode%00

Which I find ridiculous if anyone did that.
I am not sure how he was calling the image to be sure. I watched him upload
the image and then
do what looked like a normal echo UPLOADED_IMAGES.$_FILE["name"]; You saw
phpinfo() called but it was not in the script rather in the image.

He opened the test.jpg in a text editor and sure enough there was  in the code of the jpeg.

This bothers me because I am not sure what all he did. He was proving PHP is
not a safe language in front of a rather large group of people in the
meeting.
I could only look on in disbelief that it just happened in front of me.

Everything inside of me wants to say he was doing something outside of what
I consider normal circumstances.
My question is this:
If someone uploads an image through a form or whatever and they have embedded
a code in, can that code inside the image be executed by viewing the file?

$image = 'uploaded.jpg';
Echo "";

Read this:
http://php.webtutor.pl/en/2011/05/13/php-code-injection-a-simple-virus-written-in-php-and-carried-in-a-jpeg-image/
That was written a couple months ago.



 





Re: [PHP] Images can execute php script?

2012-09-23 Thread shiplu
On Sun, Sep 23, 2012 at 9:57 PM, admin  wrote:

> Today I saw a hack into php that has rocked me to my foundation.
> I saw a picture uploaded onto a server using php and when php displayed the
> image, phpinfo() was executed and displayed.
>
> Does this problem exist in PHP 5.2.17 +?
> How do you stop it?
>
> Sorry, I have never known of this before today.
>
>
How is PHP displaying the image? If it includes then it's certainly possible?




-- 
Shiplu.Mokadd.im
ImgSign.com | A dynamic signature machine
Innovation distinguishes between follower and leader


Re: [PHP] Images can execute php script?

2012-09-23 Thread Bastien


Bastien Koert

On 2012-09-23, at 11:57 AM, "admin"  wrote:

> Today I saw a hack into php that has rocked me to my foundation.
> I saw a picture uploaded onto a server using php and when php displayed the
> image, phpinfo() was executed and displayed.
> 
> Does this problem exist in PHP 5.2.17 +?
> How do you stop it?
> 
> Sorry, I have never known of this before today.
> 
> 
> 

Jpgs can hold other data rather than image data

One thing to try is to run strip_tags($image) to remove any php code

http://stackoverflow.com/questions/3499173/my-php-site-was-hacked-by-codes-uploaded-as-image

http://josephkeeler.com/2009/04/php-upload-security-the-1x1-jpeg-hack/

Bastien

[PHP] Images can execute php script?

2012-09-23 Thread admin
Today I saw a hack into php that has rocked me to my foundation.
I saw a picture uploaded onto a server using php and when php displayed the
image, phpinfo() was executed and displayed.

Does this problem exist in PHP 5.2.17 +?
How do you stop it?

Sorry, I have never known of this before today.





RES: [PHP] Day after Friday

2012-09-23 Thread Samuel Lopes Grigolato
Independent of programming language, good teaching skills will lead to 
self-taught developers with a bunch of best practices under the hood. I hope 
you are such a good teacher =). We need not PHP or Java developers, we need 
good and creative designers that can adapt to new tools.

One language is only a path among others with the same goal, software with 
quality. Remember Brooks (1986, yes, that old!), the real problem (essence of 
software engineering) is to capture business requirements as specifications, and 
not to translate specifications to software.

The point is, you, as a teacher, have a wider responsibility; you need to find 
and incentivize creative talents, not just teach one or another native function.

Cheers.
Samuel.

-Original Message-
From: tamouse mailing lists [mailto:tamouse.li...@gmail.com] 
Sent: Sunday, September 23, 2012 10:55
To: php-general@lists.php.net
Subject: Re: [PHP] Day after Friday

On Sun, Sep 23, 2012 at 8:33 AM, Tedd Sperling  wrote:
> On Sep 22, 2012, at 3:59 PM, Paul M Foster  wrote:
>> On Sat, Sep 22, 2012 at 01:05:51PM -0400, Tedd Sperling wrote:
>>
>>> Hi gang:
>>>
>>> I know it's the Day after Friday, but I'm asking an off-topic question 
>>> anyway -- sorry.
>>>
>>> Normally, I teach a PHP class at the local college, but it got canceled 
>>> (don't ask why) -- now I'm teaching Java.
>>>
>>> So, can anyone recommend a Java list that is similar to this list?
>>
>> Off off topic...
>>
>> Who the hell cancels a PHP class? Do they not realize damn near the 
>> whole internet runs on PHP? Wordpress, Drupal, Joomla, Facebook ad 
>> nauseam, not to mention Symfony, CakePHP, Code Igniter, etc.
>> Administrators! Ach!
>>
>> Paul
>
> Paul:
>
> The class was canceled by administration and they have absolutely no 
> conception of the technology and scope that PHP brings to the table. In fact, 
> they were so opposed to PHP that when I first started teaching there they had 
> PHP removed from their servers because of security concerns. So, for me to 
> teach PHP, they were forced to install PHP/MySQL.
>
> Now that you asked, here's the story about my PHP class.
>
> The college moved the entire CIT (Computer Information Technology) department 
> five miles from the downtown campus, where it has always been, to the new 
> West campus. It's a nice campus, but no Macs -- admin said Mac don't meet 
> their ROI requirement, but that's another story.
>
> Of course, most students don't have transportation and there is no 
> established public transportation from main campus to west campus -- that's 
> not good.
>
> Knowing that the students were going to have problems with transportation and 
> that would result in a reduction in class sizes, the administration agreed to 
> allow "smaller than normal" classes for the Fall semester. Furthermore, the 
> administration agreed to allow registration to be for a longer period than 
> normal, namely from a couple of weeks before the semester started to a week 
> after the semester started.
>
> Everything sounds ok, right?
>
> My PHP class had six students register two weeks before the class started. I 
> expected, as is custom, to pick up a couple of students after the semester 
> started thus exceeding the minimum number of student required. Furthermore, I 
> agreed to teach the class at a reduced rate if there wasn't a sufficient 
> number of students attending. BTW, administration had not made a 
> determination as to exactly what the minimum class-size should be -- keep in 
> mind, they only had two years to decide and these things take time.
>
> So what happened?
>
> Well we (the teachers) have a new contract and in that contract is a 
> provision that allows for a reduced class size IF the teacher agrees to teach 
> it at a reduced rate -- which I agreed to do. However, administration became 
> confused as to how to pay a full time teacher IF they taught an undersized 
> class. So, their solution was to cancel ALL under sized classes before the 
> semester started. That way there would be no confusion as to what to pay.
>
> Now, in my case I am the only teacher who teaches PHP, so there would be no 
> full time teacher that might teach it. I am also an adjunct (part time) 
> teacher and as such there is no confusion as to my pay. I am simply paid 
> hourly and a reduced class size would result in my rate being reduced. So, 
> there was absolutely no reason what-so-ever for my class to be cancelled. 
> Leaps and bounds of illogic.
>
> This is just another example of how administration makes decisions. It would 
> be nice if administration decisions were made with respect to "what is best 
> for the student" as compared to this type of nonsense.
>
> Cheers,
>
> tedd
>
> _
> t...@sperling.com
> http://sperling.com


Oh, Administrators!! The bane of teachers everywhere. The anti-teacher.

Maybe you could slip a little PHP in on the Java kids... :)

Unfortunately, I have no Java list resources...


Re: [PHP] Day after Friday

2012-09-23 Thread tamouse mailing lists
On Sun, Sep 23, 2012 at 8:33 AM, Tedd Sperling  wrote:
> On Sep 22, 2012, at 3:59 PM, Paul M Foster  wrote:
>> On Sat, Sep 22, 2012 at 01:05:51PM -0400, Tedd Sperling wrote:
>>
>>> Hi gang:
>>>
>>> I know it's the Day after Friday, but I'm asking an off-topic question 
>>> anyway -- sorry.
>>>
>>> Normally, I teach a PHP class at the local college, but it got canceled 
>>> (don't ask why) -- now I'm teaching Java.
>>>
>>> So, can anyone recommend a Java list that is similar to this list?
>>
>> Off off topic...
>>
>> Who the hell cancels a PHP class? Do they not realize damn near the
>> whole internet runs on PHP? Wordpress, Drupal, Joomla, Facebook ad
>> nauseam, not to mention Symfony, CakePHP, Code Igniter, etc.
>> Administrators! Ach!
>>
>> Paul
>
> Paul:
>
> The class was canceled by administration and they have absolutely no 
> conception of the technology and scope that PHP brings to the table. In fact, 
> they were so opposed to PHP that when I first started teaching there they had 
> PHP removed from their servers because of security concerns. So, for me to 
> teach PHP, they were forced to install PHP/MySQL.
>
> Now that you asked, here's the story about my PHP class.
>
> The college moved the entire CIT (Computer Information Technology) department 
> five miles from the downtown campus, where it has always been, to the new 
> West campus. It's a nice campus, but no Macs -- admin said Mac don't meet 
> their ROI requirement, but that's another story.
>
> Of course, most students don't have transportation and there is no 
> established public transportation from main campus to west campus -- that's 
> not good.
>
> Knowing that the students were going to have problems with transportation and 
> that would result in a reduction in class sizes, the administration agreed to 
> allow "smaller than normal" classes for the Fall semester. Furthermore, the 
> administration agreed to allow registration to be for a longer period than 
> normal, namely from a couple of weeks before the semester started to a week 
> after the semester started.
>
> Everything sounds ok, right?
>
> My PHP class had six students register two weeks before the class started. I 
> expected, as is custom, to pick up a couple of students after the semester 
> started thus exceeding the minimum number of student required. Furthermore, I 
> agreed to teach the class at a reduced rate if there wasn't a sufficient 
> number of students attending. BTW, administration had not made a 
> determination as to exactly what the minimum class-size should be -- keep in 
> mind, they only had two years to decide and these things take time.
>
> So what happened?
>
> Well we (the teachers) have a new contract and in that contract is a 
> provision that allows for a reduced class size IF the teacher agrees to teach 
> it at a reduced rate -- which I agreed to do. However, administration became 
> confused as to how to pay a full time teacher IF they taught an undersized 
> class. So, their solution was to cancel ALL under sized classes before the 
> semester started. That way there would be no confusion as to what to pay.
>
> Now, in my case I am the only teacher who teaches PHP, so there would be no 
> full time teacher that might teach it. I am also an adjunct (part time) 
> teacher and as such there is no confusion as to my pay. I am simply paid 
> hourly and a reduced class size would result in my rate being reduced. So, 
> there was absolutely no reason what-so-ever for my class to be cancelled. 
> Leaps and bounds of illogic.
>
> This is just another example of how administration makes decisions. It would 
> be nice if administration decisions were made with respect to "what is best 
> for the student" as compared to this type of nonsense.
>
> Cheers,
>
> tedd
>
> _
> t...@sperling.com
> http://sperling.com


Oh, Administrators!! The bane of teachers everywhere. The anti-teacher.

Maybe you could slip a little PHP in on the Java kids... :)

Unfortunately, I have no Java list resources...




Re: [PHP] Day after Friday

2012-09-23 Thread Tedd Sperling
On Sep 22, 2012, at 3:59 PM, Paul M Foster  wrote:
> On Sat, Sep 22, 2012 at 01:05:51PM -0400, Tedd Sperling wrote:
> 
>> Hi gang:
>> 
>> I know it's the Day after Friday, but I'm asking an off-topic question anyway 
>> -- sorry.
>> 
>> Normally, I teach a PHP class at the local college, but it got canceled 
>> (don't ask why) -- now I'm teaching Java.
>> 
>> So, can anyone recommend a Java list that is similar to this list?
> 
> Off off topic...
> 
> Who the hell cancels a PHP class? Do they not realize damn near the
> whole internet runs on PHP? Wordpress, Drupal, Joomla, Facebook ad
> nauseam, not to mention Symfony, CakePHP, Code Igniter, etc.
> Administrators! Ach!
> 
> Paul

Paul:

The class was canceled by administration and they have absolutely no conception 
of the technology and scope that PHP brings to the table. In fact, they were so 
opposed to PHP that when I first started teaching there they had PHP removed 
from their servers because of security concerns. So, for me to teach PHP, they 
were forced to install PHP/MySQL.

Now that you asked, here's the story about my PHP class.

The college moved the entire CIT (Computer Information Technology) department 
five miles from the downtown campus, where it has always been, to the new West 
campus. It's a nice campus, but no Macs -- admin said Mac don't meet their ROI 
requirement, but that's another story.

Of course, most students don't have transportation and there is no established 
public transportation from main campus to west campus -- that's not good.

Knowing that the students were going to have problems with transportation and 
that would result in a reduction in class sizes, the administration agreed to 
allow "smaller than normal" classes for the Fall semester. Furthermore, the 
administration agreed to allow registration to be for a longer period than 
normal, namely from a couple of weeks before the semester started to a week 
after the semester started.

Everything sounds ok, right?

My PHP class had six students register two weeks before the class started. I 
expected, as is custom, to pick up a couple of students after the semester 
started thus exceeding the minimum number of student required. Furthermore, I 
agreed to teach the class at a reduced rate if there wasn't a sufficient number 
of students attending. BTW, administration had not made a determination as to 
exactly what the minimum class-size should be -- keep in mind, they only had 
two years to decide and these things take time.

So what happened?

Well we (the teachers) have a new contract and in that contract is a provision 
that allows for a reduced class size IF the teacher agrees to teach it at a 
reduced rate -- which I agreed to do. However, administration became confused 
as to how to pay a full time teacher IF they taught an undersized class. So, 
their solution was to cancel ALL under sized classes before the semester 
started. That way there would be no confusion as to what to pay.

Now, in my case I am the only teacher who teaches PHP, so there would be no full 
time teacher that might teach it. I am also an adjunct (part time) teacher and 
as such there is no confusion as to my pay. I am simply paid hourly and a 
reduced class size would result in my rate being reduced. So, there was 
absolutely no reason what-so-ever for my class to be cancelled. Leaps and 
bounds of illogic.

This is just another example of how administration makes decisions. It would be 
nice if administration decisions were made with respect to "what is best for 
the student" as compared to this type of nonsense.

Cheers,

tedd

_
t...@sperling.com
http://sperling.com










