[PHP] Linux PHP CLI and Environment variables
Hello, I am running php 4.3.7 with ncurses support. I want to create a small app using php and ncurses but I will need to get some information from the shell environment variables. I have searched every where ...is this possible ? Michael. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Call-time pass-by-reference ??
Hello, I am trying to start a small php ncurses app but the documenatation is not helping. What does the following mean: PHP Warning: Call-time pass-by-reference has been deprecated - argument passed by value; If you would like to pass it by reference, modify the declaration of ncurses_getmaxyx(). If you would like to enable call-time pass-by-reference, you can set allow_call_time_pass_reference to true in your INI file. However, future versions may not support this any longer. in /home/michael/gsmenu/gsmenu on line 10 Here is my code: #!/usr/local/bin/php ?php $y=0; $x=0; $ncurses_session = ncurses_init(); $main = ncurses_newwin(0,0,0,0); ncurses_getmaxyx ($main,$y,$x ); ncurses_border(1,1,1,1, 1,1,1,1); ncurses_wrefresh($main); ncurses_end(); ? If I remove the from main nothing happens at all, the php documentation says that the variables should be passed from reference. Any help would be appreciated. Michael. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] PHP date returns wrong value ??
Hello,
I have a web page that loads php code from another file using include,
the second file calls a function from a third file after doing a include
on it.
I am running php 4.3.7
Below is the snip of code that gets called to update the database. The
problem is with the tentry_time value.
The part of the code:
$query .= tentry_time = ' . date(H:j:s) . ',;
For some reason ... the value for seconds is always off, if I do a
update, then another one right way, the value that gets stored in the
database for the second entry will occure before the first according to
the number of seconds.
Here is some data from the DB after a select statement, you can see that
the times do not follow the auto-increment value (first field).
26 |15 | 2005-01-15 | 23:15:27| 1 | 90 |
Testing updates|
27 |15 | 2005-01-15 | 23:15:33| 1 | 90 |
Another update ... |
28 |15 | 2005-01-15 | 23:15:07| 1 | 90 |
Testing a 4 entry
--snip--
if (($_POST) AND (isset($_POST['newentry']))) {
$check=0;
if ($_POST['ticket_id'] != $ticket) {
$check=1;
$status=li class=errorERROR -- YOU DO NOT HAVE ACCESS TO THIS
TICKET !/li\n;
}
if ($check==0) {
$query=INSERT INTO tentry_table SET ticket_id = ' . $ticket . ',;
$query .= tentry_date = ' . date(Y-m-d) . ',;
$query .= tentry_time = ' . date(H:j:s) . ',;
$query .= tentry_rep = ' . $_SESSION['userid'] . ',;
if ((isset($_POST['tentry_ctime'])) AND $_POST['tentry_ctime'] 5
and $_POST['tentry_ctime'] 90) {
$query .= tentry_ctime = ' .
mysql_real_escape_string($_POST['tentry_ctime']) . ',;
} else {
$query .= tentry_ctime = '90',;
}
if ((isset($_POST['tentry_body'])) AND strlen($_POST['tentry_body'])
5) {
$query .= tentry_body = ' .
mysql_real_escape_string($_POST['tentry_body']) . ';
} else {
$status=li class=errorERROR with entry -- appears to be empty
!/li\n;
$check=1;
}
--snip--
Anyone have any ideas ??
Michael.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Performance of magic_quotes_gpc ??
Hello,
I am working on a ticket tracking system and using htmlentities and
htmlspecialchars on text that gets inserted into the database.
code I have:
--snip--
if ((isset($_POST['tentry_body'])) AND strlen($_POST['tentry_body']) 5) {
$query .= tentry_body = ' .
htmlentities(htmlspecialchars($_POST['tentry_body'])) . ';
} else {
$status=li class=errorERROR with entry -- appears to be empty
!/li\n;
$check=1;
}
--snip--
In the archives people suggest that using mysql_escape_string should be
used, I then found that you could globally enable magic_quotes_gpc.
What is the best method ? Does magic_quotes have a large performance
issue ??
Would it not just be safer to turn it on ??
Thanks.
Michael.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Performance of magic_quotes_gpc ??
Hello, Thanks for all of the responses ... I am going to use mysql_real_escape_string. Michael. Jordi Canals wrote: Hi, a couple of comments: --snip-- htmlentities(htmlspecialchars($_POST['tentry_body'])) . '; --snip-- Why are you using both htmlentities and htmlspecialchars? Think that html only converts some entities while htmlentities converts all ... so, for your purposes, apliying only one could do the job. In the archives people suggest that using mysql_escape_string should be used, I then found that you could globally enable magic_quotes_gpc. magic_quotes_gpc is a generic way to getting the user data escaped, but is not the recommended way. It's better to have magic_quotes_gpc disabled and use a database specific method for scaping. If you use mysql, I would recommend mysql_real_escape_string. (mysql_escape_string is deprecated since 4.3.0) Best regards, Jordi. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] PHP mail redirect ??
Hello, I have been playing around with a web mail app called NOCC (http://nocc.sourceforge.net/) It has some nice features and is quick. I want to add in a redirect button for mail, there is a forward button but it forwards mail just like a regular client for ... as expected. But I want a redirect button so I could send the exact same message to the same user and from the same person just but to another mail box on a different machine. Is there a easy to do this with out having to create some thing from scratch. Thanks .. Michael. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP mail redirect ??
Hello, There is another smtp server ... I should of provided more info ... I set up a postfix server to do the following: 1. Receives mail from outside ... if it is NOT spam 2. Virus scanned and then forward to exchange if it IS SPAM 2. Sent to a virtual type mail box and virus scanned. This way users would never get mail that is considered SPAM in there Exchange Inbox. Each morning they will get 1 e-mail containing a out line of new mail in the virtual account that is considered spam. That e-mail will be automatically deleted after 30 days. They can login via the web interface and download mail, formail to them selves only. I was hopping to add in a redirect type of feature where the e-mail would get sent to their actual Inbox on Exchange and not look like it was forwarded from the virtual account if the user clicks the a button. Thanks for the reply. Michael. Vail, Warren wrote: But I want a redirect button so I could send the exact same message to the same user and from the same person just but to another mail box on a different machine. Not sure I've ever hear the term redirect used in reference to email. Understand that email cannot be received on just any machine (there needs to be a pop (or imap or smtp) deamon running on that machine. But to answer you question, you can often send email to a specific machine if you know the machine name in the following form; [EMAIL PROTECTED] - but keep in mind that there needs to be a daemon running on that machine AND there needs to be a mailbox for bert set up on that server. HTH Warren Vail -Original Message- From: Michael Gale [mailto:[EMAIL PROTECTED] Sent: Wednesday, December 01, 2004 7:26 PM To: [EMAIL PROTECTED] Subject: [PHP] PHP mail redirect ?? Hello, I have been playing around with a web mail app called NOCC (http://nocc.sourceforge.net/) It has some nice features and is quick. I want to add in a redirect button for mail, there is a forward button but it forwards mail just like a regular client for ... as expected. But I want a redirect button so I could send the exact same message to the same user and from the same person just but to another mail box on a different machine. Is there a easy to do this with out having to create some thing from scratch. Thanks .. Michael. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP mail redirect ??
I am using bogofilter and it works well ... so far. Postfix is taking care of the redirection with regards to redirecting spam mail to the virtual account. What I need now is a way for the user to say ... wait this is not spam, redirect / forward back to my Inbox. The web interface provides a decent method and forwards the mail like a regular mail client. I was hoping to make the moving of e-mails in the spam account to the Exchange Inbox a little smoother .. Michael. Vail, Warren wrote: OK, now we are getting somewhere. On my machines, this is referred to as an email forwarder and yes SMTP handles it, however, I am not sure how you are handling your spam detection. On my servers I use spam assassin and it's detection is not fool proof. If people send images in their email with a signature, spam assassin will sometimes miss identify their email as spam. I would check the documentation for your spam filter for most of the redirection you would like to do. Warren Vail (415) 667-0240 SF211-07-434 -Original Message- From: Michael Gale [mailto:[EMAIL PROTECTED] Sent: Wednesday, December 01, 2004 7:48 PM To: Vail, Warren; [EMAIL PROTECTED] Subject: Re: [PHP] PHP mail redirect ?? Hello, There is another smtp server ... I should of provided more info ... I set up a postfix server to do the following: 1. Receives mail from outside ... if it is NOT spam 2. Virus scanned and then forward to exchange if it IS SPAM 2. Sent to a virtual type mail box and virus scanned. This way users would never get mail that is considered SPAM in there Exchange Inbox. Each morning they will get 1 e-mail containing a out line of new mail in the virtual account that is considered spam. That e-mail will be automatically deleted after 30 days. They can login via the web interface and download mail, formail to them selves only. I was hopping to add in a redirect type of feature where the e-mail would get sent to their actual Inbox on Exchange and not look like it was forwarded from the virtual account if the user clicks the a button. Thanks for the reply. Michael. Vail, Warren wrote: But I want a redirect button so I could send the exact same message to the same user and from the same person just but to another mail box on a different machine. Not sure I've ever hear the term redirect used in reference to email. Understand that email cannot be received on just any machine (there needs to be a pop (or imap or smtp) deamon running on that machine. But to answer you question, you can often send email to a specific machine if you know the machine name in the following form; [EMAIL PROTECTED] - but keep in mind that there needs to be a daemon running on that machine AND there needs to be a mailbox for bert set up on that server. HTH Warren Vail -Original Message- From: Michael Gale [mailto:[EMAIL PROTECTED] Sent: Wednesday, December 01, 2004 7:26 PM To: [EMAIL PROTECTED] Subject: [PHP] PHP mail redirect ?? Hello, I have been playing around with a web mail app called NOCC (http://nocc.sourceforge.net/) It has some nice features and is quick. I want to add in a redirect button for mail, there is a forward button but it forwards mail just like a regular client for ... as expected. But I want a redirect button so I could send the exact same message to the same user and from the same person just but to another mail box on a different machine. Is there a easy to do this with out having to create some thing from scratch. Thanks .. Michael. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Meta refresh best answer ??
Hello, I am working on a site where people will be updating information in a database and should have up to date info. Now since HTTP is stateless the user will not know about any new information until they click on a link or hit a button on the page. My question is -- if I want to keep a user up to date about changes to any information they might want to know would it be best to create a hidden frame of some sort which does a mete-refresh to a page looking for updates, and if found display a java popup window with a small FYI ? If so would a meta-refresh of 3-5 seconds be to aggressive ? What about server load ? Is there a better way ? Hope I was clear, thanks. Michael. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Meta refresh best answer ??
Hello, I really wanted to know if there was a better way to do this using PHP ? That is why I e-mailed the list. Michael. Michael Gale wrote: Hello, I am working on a site where people will be updating information in a database and should have up to date info. Now since HTTP is stateless the user will not know about any new information until they click on a link or hit a button on the page. My question is -- if I want to keep a user up to date about changes to any information they might want to know would it be best to create a hidden frame of some sort which does a mete-refresh to a page looking for updates, and if found display a java popup window with a small FYI ? If so would a meta-refresh of 3-5 seconds be to aggressive ? What about server load ? Is there a better way ? Hope I was clear, thanks. Michael. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Session understanding
Hello, Morning .. at least it is where I am :) I have a small issue with sessions, at the moment I am using sessions on our web site and storing the session information in a db_table. It is working great. Right now I am only storing the users ID, name and role in the session data, but I would like to store other information as well. The problem is ... that if that person opens another browser window and connects to the site another session is not created. So if I try and store a variable that would be unique to each window it would get over written. Is this a configuration problem ? Thanks. -- Michael Gale Network Administrator Utilitran Corporation -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Session understanding
Hello, The site is for a ticket tracking system, if a CSR has a window open and is working on company A - I would like to save some information about company A in a session variable. Since the session is stored in the DB I figured it was save. Then if the CSR need to look up another company and opens another window I want to make sure that the session variable I just set containing company A is not over written. ... Is there a better way to do this ... I was hoping to not have to pass variables between each page by including them in the URL. Michael. On Thu, 2 Sep 2004 11:11:37 -0400 John Holmes [EMAIL PROTECTED] wrote: From: Michael Gale [EMAIL PROTECTED] I have a small issue with sessions, at the moment I am using sessions on our web site and storing the session information in a db_table. It is working great. Right now I am only storing the users ID, name and role in the session data, but I would like to store other information as well. The problem is ... that if that person opens another browser window and connects to the site another session is not created. So if I try and store a variable that would be unique to each window it would get over written. Is this a configuration problem ? Session are identified by a cookie (by default). No matter what window or how many windows the user has, the same session ID is going to be sent in a cookie when a request is made to your site. So there's no way to tell the requests from different windows apart. Why do you really need to know if a new window is opened or not? ---John Holmes... -- Michael Gale Network Administrator Utilitran Corporation -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] html tabs
Hello I was working on a web site that will be using TABS, the page will have three TABS. All the data will be dynamic on all the pages, the first tab will be a search page. After submit is hit the page will be reloaded to display the results. Each result will be a link to detailed information about the result you clicked on. Can I make is so the link loads the page in the second tab ? Thanks. -- Hand over the Slackware CD's and back AWAY from the computer, your geek rights have been revoked !!! Michael Gale Slackware user :) Bluesuperman.com -- Hand over the Slackware CD's and back AWAY from the computer, your geek rights have been revoked !!! Michael Gale Slackware user :) Bluesuperman.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Browser back button
Hello, I am sure this has been asked more then a few times but ... I have a web site where almost every page is dynamically created. So if at some point in the site if you hit your browsers back button a popup window occurs and asks if you want to resubmit the data. Upon clicking yes the page is properly displayed. That is a pain in the a$$ and I get many user complaints -- so far I have thought about saving the requested URL and query string in a session variable and loading a back button on every page. This seems to work create if the previous page can be loaded using a GET request but if the previous page was loaded using a HTTP POST it seems I an up the creek with out a paddle :( Any one have any ideas ... Thanks .. -- Michael Gale Network Administrator Utilitran Corporation -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Detecting if browser is using a HTTP or HTTPS connection to view the page
Hello, What about the following variables: On phpinfo I have: SCRIPT_URI https://host.mydomain.com/phpinfo.php _SERVER[SCRIPT_URI] https://host.mydomain.com/phpinfo.php Michael. On Tue, 13 Jul 2004 20:37:07 +0100 Jamie [EMAIL PROTECTED] wrote: Thanks for your reply Dan, I have tried the $_SERVER['HTTPS'] on windows and it works fine. It replys off when HTTPS isnt working and on when it is. But on linux it does nothing. Can someone please confirm if this works or it does not work as i need a method that is cross platform compatitable. Thanks Jamie -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- Michael Gale Network Administrator Utilitran Corporation -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Cannot send session cookie
Hello, Do you have output buffering enabled in your php.ini file ? --snip-- ; Output buffering allows you to send header lines (including cookies) even ; after you send body content, at the price of slowing PHP's output layer a ; bit. You can enable output buffering during runtime by calling the output ; buffering functions. You can also enable output buffering for all files by ; setting this directive to On. If you wish to limit the size of the buffer ; to a certain size - you can use a maximum number of bytes instead of 'On', as ; a value for this directive (e.g., output_buffering=4096). output_buffering = 4096 --snip-- The session_start() does not have to be the first line of PHP code on the page if you have output buffering enabled. But it should be near the top. Michael. On Tue, 13 Jul 2004 00:40:04 +1000 Michael Purdy [EMAIL PROTECTED] wrote: Folks I am a new to php. I am currently learning about session handling and would appreciate some assistance with the following: I am using php 4.3.7 and I am using the default values in the php.ini for session.use_cookies = 1 session.cache_limiter = nocache When experimenting with a few simple lines of code script language='php' This is line 14 session_start(); /script I get the following errors: Warning: session_start(): Cannot send session cookie - headers already sent by (output started at e:\http\cgi\a.php:14) in e:\http\cgi\a.php on line 15 Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at e:\http\cgi\a.php:14) in e:\http\cgi\a.php on line 15 Can anyone offer me a insight on the reason for the error. Mike -- Michael Gale Network Administrator Utilitran Corporation -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP Hosting
Don't you require Windows 3.1.11 for proper network support :) - at least 3.1 was stable. *continue flawewar Michael. On Fri, 09 Jul 2004 08:48:00 -0400 John Nichel [EMAIL PROTECTED] wrote: Curt Zirzow wrote: * Thus wrote Ed Lazor: Hey, does anyone have experience hosting PHP / MySQL apps on EV1servers.net, ServerBeach.net, or CIhost.com? I'm looking for value, reliability, and quality support. Any other recommendations are also greatly appreciated. Out of 1000's of solutions I'd probably suggest: pair.com They operate on the *proper* OS :) Curt *throws a grenade because it's a slow Friday* Bah That watered down OS X excuse for an OS?!?!?! I refuse to use any hosting company that isn't running Windows 3.1. ;) *and let the flamewar begin* -- John C. Nichel KegWorks.com 716.856.9675 [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- Michael Gale Network Administrator Utilitran Corporation -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] post without form
Hello, Use a token and a database, I am using the following: 1. I setup a table called token_table with columns: 1. token_id - primary DB key -- auto incremented 2. token_name - actual token string 3. token_date - date created 4. token_userd - user id that created the token - since all my users require logins 5. token_data - data stored in the token. Then on the first page if you have some data that you need to pass between pages or multiple pages you create a token like: $token_name=md5(uniqid(rand(), true)); Then store the token plus all the added values in the db, now just pass the token between the pages with a form and hidden value or directly in the url (http://www.mydomain.com/nextpage.php?token_name='584358430548543043') Then on the nextpage.php $_GET['token_name'] will be the token_name you have stored in the DB. You can now pull all the information you need from the DB. I could store all the info in the $_SESSION variables but that would cause them to be loaded on every page regardless if you need them or not. Plus if you had a lot of users you should try and keep the $_SESSION variables as small as possible. I use $_SESSION for userid, username, email, role and the rest of the site data is transmitted via HTTP POST on form pages and via the token if it needs to be secured from the user. Michael. On Wed, 7 Jul 2004 08:49:01 -0500 Josh Close [EMAIL PROTECTED] wrote: How can I post data without having it submitted from within a form? With get I can just add it to the url. Is there a php function for this? -- -Josh -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- Michael Gale Network Administrator Utilitran Corporation -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] uniqid function
Thanks for the reply. Michael. On Tue, 6 Jul 2004 06:38:57 + Curt Zirzow [EMAIL PROTECTED] wrote: * Thus wrote Michael Gale: Hello, I have a question about the uniqid function ... on a loaded system ... lets say 60 people connected with each person making 2-3 web request per second. Each request running the following php command: $token_name=md5(uniqid(rand(), true)); What would the odds be of the $token_name being repeated ? Is this something I would have to worry about ?. The odds are very low. uniqid() by itself is based of of time to the microsecond. The lcg paremater randomized a psudo number to avoid collisions at the same microsecond. And the rand(), depending on you're system, defaults to seeding itself with including the PID. So the seed to rand() should, in theory, be different for each differnt request. The md5() is rather pointless in the uniqness of the token, it will basically prevent intruders from predicting a token. Nonetheless, it's probably still desired in your token generation. Curt -- First, let me assure you that this is not one of those shady pyramid schemes you've been hearing about. No, sir. Our model is the trapezoid! -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] user tracking
What type of tracking ? ... number of hits ? pages visited by # of times ?? If you use sessions ... which I am assuming you are. You could create a table: user-id,page,times Then when you do the session check you could update: INSET INTO webwatch_table SET user-id=' . $_SESSSION['userid'] . ', page=' . $_SERVER[REQUEST_URI] . ', time=' ... and somehow increment the times column ... Mysql has a INSERT / UPDATE combo command .. which may help. Michael On Tue, 6 Jul 2004 12:15:06 +0100 Christian Calloway [EMAIL PROTECTED] wrote: Hey everybody, I am looking for some type of user tracking/stat collecting package. I am sure there's a million; any recommendations? We have some specific needs as well, so mostly likely I will be have to make some code changes. So the simpler package the better. Christian -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- Michael Gale Network Administrator Utilitran Corporation -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] PHP page memory usage
Hello, Is there a way to monitor or test out how much CPU / memory a php page uses ? I would like to find out how intensive some of my scripts are. Thanks. Michael -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] uniqid function
Hello, I have a question about the uniqid function ... on a loaded system ... lets say 60 people connected with each person making 2-3 web request per second. Each request running the following php command: $token_name=md5(uniqid(rand(), true)); What would the odds be of the $token_name being repeated ? Is this something I would have to worry about ?. Michael. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] user-defined superglobals
Hello, I am not a programmer so I do not know if you can create a superglobal variable. I am sure there is a problem with this ... any ways I user: require(db_access.php); at the top of all my pages that require db access for a application that way the db access gets set on a per page bases. Which would be safe then a superglobal one. Michael. On Sun, 4 Jul 2004 14:22:09 +0800 Michael Collins [EMAIL PROTECTED] wrote: I am relatively new at PHP and wondering why there is no mechanism to create user-defined superglobals? For example in ASP.Net I can setup a global.asa to define database connections or any named value I want to be available anywhere in an application. It would be great to have something like that in PHP. -- Michael __ ||| Michael Collins ||| Kuwago Inc ||| Singapore and Seattle USA -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Session tracking and multiple form updates
Hello, I am working on a web site that is available only over HTTPS and am using session tracking. So far I am only saving the person's display name (different then login), site role and e-mail address in the $_SESSION data. The rest of the site is dynamic, now the question is on three particular pages the user fills in a form and hit's submit. Now at the moment on each page is a hidden variable containing a db primary key for which the data is getting updated. I know that hidden values are not a good idea since the user can change them ... so I was going to store the hidden value in a $_SESSION variable but then the problem is ... what happens when the user has two - three windows open and they are updating two - three different items. Each having it's own db key ? If I stored the key in a session variable the last one opened would over write any previous one. I hope I explained this correctly ... multiple updates and access to the site is allowed and can not be changed. Thanks. Michael. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Session tracking and multiple form updates
Hello,
Thanks for the replies ... I valid all the data and input from the
user. So if the user changes the value nothing bad will happen:
I have in the code:
if ($var != $hiddenvar) {
e-mail blank saying Blank has been updated
}
That is it ... I made a mistake in my last e-mail .. the value of hidden
is not a DB primary key just a important column in a table.
Michael.
On Sun, 04 Jul 2004 23:41:24 -0400
John W. Holmes [EMAIL PROTECTED] wrote:
Michael Gale wrote:
Now at the moment on
each page is a hidden variable containing a db primary key for which
the data is getting updated.
I know that hidden values are not a good idea since the user can
change them ... so I was going to store the hidden value in a
$_SESSION variable but then the problem is ... what happens when
the user has two- three windows open and they are updating two -
three different items. Each having it's own db key ?
What's the impact if the variable is changed? There should still be
some validation of the value on the server side, so changing it should
be detected. If it's changed to another valid ID that the user has
access to, then who cares if they change it? If they change it to an
invalid value, you're validation will catch it and spit out an error.
If they try to change it to an ID that they do not have access to,
you're validation should catch and log that, also.
The security problem isn't in the hidden form elements, it's in how
you're validating them.
--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
php|architect: The Magazine for PHP Professionals www.phparch.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
