RE: [PHP] Limitation to URL params on Include()?

2004-07-14 Thread James Harrell
Hi Alex,

I'm going on the assumption that since you're using a URL parameter
in the include, you have fopen_wrappers enabled, and the URL is
external to your current site. Otherwise you'd just be doing a file
system based include.

I'm not certain if PHP is clipping the parameters. Though I would
discourage this form of include for several reasons described below.
Depending on the intent of your application, you may be using the
wrong function.

What are you trying to do? Pull the code of a php script into your
script, or display the HTML output of a web page embedded in existing
content?

If you're trying to display the contents of another web page within
your own, you may want to look at readfile(), read(), fopen() or even
make a direct HTTP call to the server using sockets. Readfile() will
read and output the HTML generated by the called page. read() and
fopen() will get the output of that page and make it available to you
for your own processing. These may be more suited for such a call,
since you'll likely need to strip <HTML><HEAD>...</HEAD><BODY> and
</BODY> tags out of the returned document (presuming your existing
document has already displayed these).

If you're trying to actually include the *script* code for execution
within your program, this is a really dangerous thing to do. It means
the called server gets to execute arbitrary code on your server. The
code might not be arbitrary since you control it- but if your DNS were
hacked, it means a clever hacker could actually insert a different
script.

Another point to consider- if you just want to display the HTML output
of the included page, don't use include. If the external site were
misconfigured, it may output raw php source rather than the interpreted
HTML page. If this happens, that code will be run on your server in
your current execution context. Again exposing you to arbitrary code
being run on your server.

Hope this helps,
James Harrell
http://celestia.cbstech.com


-Original Message-
From: Alex Hogan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 14, 2004 1:47 PM
To: PHP General list
Subject: [PHP] Limitation to URL params on Include()?


Hi All,

Is there a limit to the number of url parameters (other than the 256
limit) that you can have on a file that you are including?
I have a file that I'm calling..,
include('http://mydomain.com/block_display.php?id=1&ttl=1011&cnt=268&lnk=129&prv=202');
where the parameter values are record sets.

What happens is that I get the first three params and then nothing.

Any ideas?

alex hogan



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
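
Added example (not part of the original message): one way to do what the reply above suggests, reading a remote page in as data with file_get_contents() instead of include() and keeping only the body fragment. The sample document is constructed, fetch_remote_html() and extract_body_fragment() are hypothetical helper names, and a real fetch needs allow_url_fopen enabled.

```php
<?php
// Added example, not code from the thread. Helper names are hypothetical.

/**
 * Fetch a remote page as a string. file_get_contents() returns the response
 * body as data; unlike include(), it never passes it to the PHP interpreter.
 */
function fetch_remote_html(string $url, int $timeout = 5): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme !== 'http' && $scheme !== 'https') {
        throw new InvalidArgumentException('Only http(s) URLs are fetched');
    }
    $ctx = stream_context_create(['http' => ['timeout' => $timeout]]);
    $body = @file_get_contents($url, false, $ctx);
    if ($body === false) {
        throw new RuntimeException('Fetch failed');
    }
    return $body;
}

/**
 * Keep only what sits between <body ...> and </body>, so the fragment can be
 * placed in a page that has already sent its own html/head/body tags.
 */
function extract_body_fragment(string $html): string
{
    if (preg_match('~<body\b[^>]*>(.*?)</body\s*>~is', $html, $m)) {
        return $m[1];
    }
    // No body wrapper found: remove stray document-level tags, keep the rest.
    return (string) preg_replace('~</?(?:html|head|body)\b[^>]*>~i', '', $html);
}

// Constructed sample: a response from a misconfigured server that returned
// PHP source inside the page instead of interpreting it.
$sample = '<html><head><title>t</title></head><body><p>Block 1</p>'
        . '<?php echo "remote source"; ?></body></html>';

// In real use: $sample = fetch_remote_html('http://mydomain.com/block_display.php?id=1');
$fragment = extract_body_fragment($sample);

// The leaked source arrives as plain characters in the output and is never
// executed here, which is the difference from include().
echo $fragment, "\n";
```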



RE: [PHP] Limitation to URL params on Include()?

2004-07-14 Thread James Harrell
Hi Alex,

In that case, make your include file local; don't use the
URL, use a relative path to the file. Make the include
file have a function you can call or be an object you
can instantiate.

ex: block.php
<?php
function display_block($header,$content,$link,$andsuch)
{
// php code here to output HTML using echo... or
?>
... direct html output here ... and a
variable output such as <?php echo $header; ?> and
some more html, blah blah blah
<?php
} // end of display_block function
?>


Then in your main program do:
<?php
...
include_once("block.php");
...
...
display_block($header,$content,$link,$andsuch);
...
...
display_block($header2,$content2,$link2,$andsuch2);
...
...
?>

Or as an object:
...
$block=new Block($header,$content,$link,$andsuch);
$block->display();
...

Regards,
James Harrell
http://celestia.cbstech.com




RE: [PHP] protecting your source code?

2004-06-14 Thread James Harrell
Hi Edward,

Check out the Zend Encoder: www.zend.com
To run encoded/compiled programs, the server will need the (free)
Zend Optimizer, available for download at the same location.

Zend has a small-business program that if your yearly revenues are
less than some magic number, you get a major discount on the Zend
Suite which includes the encoder and the development environment.

The Zend Development Environment is fantastic- includes a debugger
and profiler, code completion, etc. After 10+ years as a vi-guy, I
actually made the switch recently. :)

James

-Original Message-
From: Edward Peloke [mailto:[EMAIL PROTECTED]
Sent: Monday, June 14, 2004 3:50 PM
To: Php-General
Subject: [PHP] protecting your source code?


I wrote a bunch of code that will be used for a local site.  I usually do
all my hosting with a friend who I trust...the new site will be hosted by
another company in town (not my choosing) who I don't necessarily trust to
not copy the code and reuse it for other sites.  How can I protect the code?
I know there are some encoders but I have never used them.

Thanks,
Eddie




RE: [PHP] Load Data

2004-06-10 Thread James Harrell
Hi Juan Pablo,

LOAD DATA INFILE requires the FILE privilege, and the MySQL
server process must have permissions to read the file in the
named directory. Most times one or both of these requirements
cannot be satisfied easily, particularly in a web environment.

You can get around both permissions issues using LOAD DATA
LOCAL INFILE, which sends the contents of the infile over
the MySQL socket to the MySQL server. In this case your running
application (ie: apache, assuming PHP is running as a module)
must have read permissions on the file, which is much easier to
control.

Regards,
James

-Original Message-
From: Juan Pablo Herrera [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 4:15 PM
To: [EMAIL PROTECTED]
Subject: [PHP] Load Data


Hello!
I have a problem with MySQL LOAD DATA. PHP says: Access denied for user:
'[EMAIL PROTECTED]' (Using password: YES), but my user and password are
correct. The SQL query is:
$query_string2 = "LOAD DATA INFILE
'/usr/local/psa/home/vhosts/allaria.com.ar/httpdocs/XLS/precios' REPLACE
INTO TABLE precio FIELDS TERMINATED BY ',' ENCLOSED BY '\"' LINES
TERMINATED BY '\n'";
I used a vhost, what's the problem?

Regards.
Juan Pablo




RE: [PHP] session.use_trans_sid = 0 does not work!!!

2004-06-10 Thread James Harrell
Hi Robert,

The initial links have session id's appended since upon the very
first entry into the site, no PHPSESSION cookie is available. PHP
appends the session id in the event no cookies are available- it
doesn't know yet whether you have cookies on or not.

If you want to forcefully remove this PHPSESSION (which is sometimes
a good idea since search engine spiders will catalog the links with
the session id if you don't remove it), try this:

ini_set("session.use_only_cookies",1);

James

-Original Message-
From: Robert Winter [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 4:51 PM
To: [EMAIL PROTECTED]
Subject: [PHP] session.use_trans_sid = 0 does not work!!!


Hi. My www provider has set session.use_trans_sid default to ON.
I tried changing it in .htaccess or in the .php before session_start() but
relative links are always renamed to xxx?PHPSESSION=

I'm also printing the value of session_use_trans_sid with ini_get and it
always returns 1 (on)!
I don't know if this is important but I have a RewriteRule to parse HTM as
PHP so, my links are always xxx.htm and never xxx.php.

What's happening?

I noticed that this happens only in the welcome page. The following pages
never (nor the welcome page if I refresh) include the ?PHPSESSION= (maybe
because it detects the browser has cookies enabled).

Thanks
Robert




RE: [PHP] Remote include

2004-06-09 Thread James Harrell
Greetings Tumurbaatar,

That would work- and you shouldn't need any special mime types;
URL_fopen must be on and you simply use include() to get the remote
file read into the current one and executed.

But I highly suggest you find an alternative method- since this can
expose you to several security issues. The biggest of which is that
if someone can convince your application to include their file instead
of yours... you've supplied a remote code execution hack onto the
machine. Very dangerous.

James

-Original Message-
From: Tumurbaatar S. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 09, 2004 5:31 AM
To: [EMAIL PROTECTED]
Subject: [PHP] Remote include


I need to include in my PHP code a script located at a remote
web server. The script is also PHP and contains some functions and
class definitions. Because the remote server also use PHP, I've
changed my include file extension (php) to something other (e.g. inc).
Because I'm afraid that the server will execute the script (which
produces nothing) instead of sending its content. Am I doing right?
Also, when the remote server sends this file back to my local server,
what MIME type is returned in the response header? Anybody know it?
Do I need to specify some type?
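
Added example (not from the thread): when the name of the file to include is ever influenced by a request, resolving it through a fixed list of local files keeps a URL or a foreign path from reaching include(), which is the risk the reply above describes. The directory, the block names and resolve_local_include() are constructed for illustration.

```php
<?php
// Added example, not code from the thread. All names are hypothetical.

/**
 * Resolve a caller-supplied block name to a local file, or throw.
 * Only keys of $allowlist are accepted, so a URL or a path supplied by the
 * caller can never be handed to include().
 */
function resolve_local_include(string $name, array $allowlist, string $baseDir): string
{
    if (!array_key_exists($name, $allowlist)) {
        throw new InvalidArgumentException('Block not allowed: ' . var_export($name, true));
    }
    $base = realpath($baseDir);
    $file = realpath($baseDir . DIRECTORY_SEPARATOR . $allowlist[$name]);
    // realpath() returns false for missing files and resolves symlinks and "..",
    // so the prefix test applies to the file that would really be opened.
    if ($base === false || $file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('Block file missing or outside the include directory');
    }
    return $file;
}

// Constructed demo: a throwaway include directory holding one block file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'blocks_' . getmypid();
if (!is_dir($dir)) {
    mkdir($dir, 0700);
}
file_put_contents($dir . '/news.php', '<?php function news_block() { return "<p>news</p>"; }');
$allow = ['news' => 'news.php'];

// Defence in depth: remote includes should also be switched off in php.ini.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('allow_url_include is enabled; include() will accept URLs');
}

// Constructed inputs: one valid name, one URL, one relative path.
foreach (['news', 'http://example.invalid/lib.inc', '../news.php'] as $requested) {
    try {
        include_once resolve_local_include($requested, $allow, $dir);
        echo "$requested: included, ", news_block(), "\n";
    } catch (Exception $e) {
        echo "$requested: rejected (", $e->getMessage(), ")\n";
    }
}

unlink($dir . '/news.php');
rmdir($dir);
```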




RE: [PHP] Simple cms type system

2004-06-09 Thread James Harrell
Hi Ryan,

Ours isn't open source, but does come with source available
for the display modules: http://celestia.cbstech.com
You can strip down what features are available by removing
modules from the core system.

Only replying with a plug of our own product since it was
specifically asked for. Is this within the etiquette rules
of this particular list?

James

-Original Message-
From: Ryan A [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 09, 2004 2:29 PM
To: [EMAIL PROTECTED]
Subject: [PHP] Simple cms type system


Hi,

A while back I started a thread for lasso as a client wanted a site
translated to English, still in talks with that client and he is willing to
let me do it in pure PHP instead as I don't know lasso and not very keen on
buying one of their licences.

Anyway, it seems that the client has a control panel where he can make
changes to the site (nothing major, just add products, edit paragraphs
etc...NO shopping cart) he wants the same kind of functionality for his new
pages. Have not seen his control panel but I don't think it's anything
major.

Instead of programming this from scratch was wondering if anybody can
recommend any package/open source project etc that can do this, I'm sure this
must have come up before with other clients.

Searched google/phpresource/hot scripts/ script archive but most cms's
are offering far far too much for my needs, and actually stripping them down
would take as much as making a new one and some are just not worth it (in
mho).

Any suggestions?

Thanks,
-Ryan




RE: [PHP] Expedia.com

2004-06-09 Thread James Harrell
Hi Rene,

Here's a thought- make your animated gif that's a grow-bar
that fills from left to right. Maybe it maxes out at 99% or
loops back around to 0 after reaching 100. :) Display this at
the top of the screen - but not within a table that is part of
the results display. More on why shortly.

Send about 256 characters of HTML (including the IMG SRC link
to your gif), then issue a flush(). At this point begin your
long-running query, displaying output as it becomes available.
Once the output is complete, issue a javascript that changes
the gif to a different one that's not animated (ex: 100%).

A few things to keep in mind:
 - Some IE browsers won't display anything until 255 chars
have been output- hence the 256 number above.
 - Some NS browsers won't display a portion of a table until
the entire table including closing tag has been written.
Hence, don't put your grow-bar inside a table unless it's
completed before issuing the long-running query.

Hope this helps,
james

-Original Message-
From: Rene Fournier [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 09, 2004 3:35 PM
To: php
Subject: [PHP] Expedia.com


When Expedia.com is searching for flights, it displays a page with a
little animated GIF progress bar, then displays the results.

How do they do that? How does the page sit idle until the query is
finished, and then sends a new page with the results? I was thinking
that they might use HTTP-REFRESH or something, and just keep hitting
the database until the result is there. But is there a best way to do
this? In my application, when the user clicks a certain button, it will
take 10-20 seconds for the operation to complete; during that time I
need the web browser to wait for the data.

I looked around for an article on this, but I'm not sure how to
characterize this operation.

...Rene



RE: [PHP] Simple cms type system

2004-06-09 Thread James Harrell
Hey James,
If it's not open source...is it at least free?
Thanks,
-Ryan

No, it's a commercial product.

James




RE: [PHP] Can I set a different include path per Apache Virtual host?

2004-06-09 Thread James Harrell
Hi Mike,

I'm not certain if it can be configured in a VirtualHost block,
though I know it can be configured in a Directory block (which
is equally as useful).

The problem I see below is you're using the wrong declaration;
instead of php_value, use php_admin_value, ie:
 php_admin_value include_path 

If that doesn't fix it, add a <Directory> ... </Directory> block
within the virthost declaration, and use php_admin_value there.

Regards,
James

-Original Message-
From: Mike Zornek [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 09, 2004 5:33 PM
To: [EMAIL PROTECTED]
Subject: [PHP] Can I set a different include path per Apache Virtual
host?


Can I set a different PHP include path per Apache Virtual host?

I am trying this:

<VirtualHost *>
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /Library/WebServer/Websites/stage/content
ServerName stage.asmpweb.org
ErrorLog /Library/WebServer/Websites/stage/logs/error_log
CustomLog /Library/WebServer/Websites/stage/logs/access_log common
<IfModule mod_php4.c>
php_value include_path .:/usr/local/php/lib/php:/Library/WebServer/Websites/stage/content/includes

</IfModule>
</VirtualHost>

<VirtualHost *>
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /Library/WebServer/Websites/dev/content
ServerName dev.asmpweb.org
ErrorLog /Library/WebServer/Websites/dev/logs/error_log
CustomLog /Library/WebServer/Websites/dev/logs/access_log common
<IfModule mod_php4.c>
php_value include_path .:/usr/local/php/lib/php:/Library/WebServer/Websites/dev/content/includes
</IfModule>
</VirtualHost>

But I don't think it's working.

~ Mike
-
Mike Zornek
Web Designer, Media Developer, Programmer and Geek
Personal site: http://MikeZornek.com




RE: [PHP] Can I set a different include path per Apache Virtual host?

2004-06-09 Thread James Harrell
Oh- and don't forget to restart apache after your changes.

james


RE: [PHP] script location

2004-06-04 Thread James Harrell
See the parse_url() function.

-Original Message-
From: Matt Matijevich [mailto:[EMAIL PROTECTED]
Sent: Friday, June 04, 2004 9:57 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [PHP] script location


[snip]
http://www.nowhere.com/test/whatever/testing.php 

All I want out of that URL is this:

/test/whatever/
[/snip]

http://php.net/dirname 

I think that will do it




[PHP] When did mysql_query quit allowing multiple queries separated by a semicolon

2004-06-03 Thread James Harrell
Hi PHP gurus,

Asked this question on the PHP-DB list, no response there. Hoping 
someone here may have the answer. :)

Mostly a research question. I recall (a long time ago - php3?) that
some php packages could be compromised by injecting a secondary query
through GET/POST variables when they were not properly sanitized.

ex:
$query="select a from $b";
mysql_query($query);

Inject $b="tablename; insert into a set col='c'"

Even the current PHP manual includes a fairly recent comment warning of
such attacks, though the manual clearly states that only one query can
be issued and a semicolon should not be included. My testing confirms
that the second query isn't executed.

Some web research leads me to believe this was changed, though I cannot
find when. I'm pretty certain it was there at one point, since I found
a vulnerability like this in an application I was auditing for security.

Anyone recall or know if this change occurred in a specific PHP version?
Is it reasonable to assume it will not be added back in?

Thanks,
James Harrell
http://www.copernicusllc.com
http://celestia.cbstech.com
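
Added example (not from the original post): for the "select a from $b" pattern above, a table name cannot be bound as a prepared-statement parameter, so one mitigation is to accept only names from a fixed list rather than filter the value. The table and column names and build_select() are constructed for illustration.

```php
<?php
// Added example, not code from the post. Tables and columns are hypothetical.

/** Tables this script may read, each with the columns it may select. */
const READABLE = [
    'articles' => ['a', 'title'],
    'blocks'   => ['a'],
];

/**
 * Build "SELECT <column> FROM <table>" from caller-supplied names.
 * Identifiers cannot be sent as bound parameters, so both names must match
 * an entry in READABLE exactly; nothing is escaped or partially cleaned.
 */
function build_select(string $table, string $column): string
{
    if (!array_key_exists($table, READABLE)
        || !in_array($column, READABLE[$table], true)) {
        throw new InvalidArgumentException('identifier not allowed');
    }
    // Both strings are now known to be identical to entries in READABLE.
    return sprintf('SELECT `%s` FROM `%s`', $column, $table);
}

// Constructed inputs for $b: a valid table, the value quoted in the post,
// and a value with no semicolon that would still alter the statement.
$inputs = [
    'blocks',
    "tablename; insert into a set col='c'",
    'blocks where 1=1',
];

foreach ($inputs as $b) {
    try {
        echo build_select($b, 'a'), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', var_export($b, true), "\n";
    }
}
```

The third input is rejected as well, which a check that only looks for a semicolon would let through.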
