[PHP] Security issues with file uploads

2002-12-18 Thread Steve Fitzgerald
Hi,
I was wondering if anyone would care to comment on the following.
I am currently building a business directory using PHP and MySQL for a
client who wants to be able to maintain the site themselves. The site
will be hosted on Apache (of course) and I have built an admin section
where they can add or delete entries in the database, and upload image
files for the logos of listed businesses. I plan to use HTTP
authentication to allow access to this area by the site owner only,
however the directory containing the images will need public write
permissions for move_uploaded_file() to work. Both the size and mime
types of the uploaded file will be restricted.

Does anyone have any comments on the security issues involved here?
Is it sufficient to password-protect the admin area? Do the permissions
for the images directory compromise the rest of the site or indeed the
server, and would it make any difference if this directory was also
password-protected?
Is there anything else I have not covered or should be aware of?

Thanks
Steve
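An added example (not code from the thread) of the upload handler the question describes, written for current PHP: it checks the server-side size limit, identifies the image by its header rather than the client-supplied MIME type, and stores it under a name the server generates. It assumes a form field named "logo" and a directory "/var/www/site/images/logos" that the web server can write to but is configured not to execute scripts from.

```php
<?php
// Added example, not from the original post. Assumed: form field "logo" and a
// writable logo directory that Apache is configured not to run scripts from.

function store_logo_upload(array $file, $logoDir, $maxBytes = 102400)
{
    // 1. Only accept a file PHP itself received via HTTP POST without error.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return [false, 'upload failed or no file sent'];
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'not an uploaded file'];
    }
    // 2. Enforce the size limit on the server; a MAX_FILE_SIZE form field is advisory.
    if ($file['size'] > $maxBytes) {
        return [false, 'file too large'];
    }
    // 3. $file['type'] is whatever the client claimed. Read the image header
    //    instead and map the detected type to an extension we choose.
    $allowed = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset($allowed[$info[2]])) {
        return [false, 'not a GIF, JPEG or PNG image'];
    }
    // 4. Never reuse the client-supplied file name: it can carry "../" or a
    //    ".php" extension. Generate the name and the extension ourselves.
    $name = bin2hex(random_bytes(8)) . '.' . $allowed[$info[2]];
    $dest = rtrim($logoDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return [false, 'could not store file'];
    }
    // 5. The directory must be writable for the upload to land, but the stored
    //    file itself needs neither execute nor write permission for others.
    chmod($dest, 0644);
    return [true, $name];
}

// Constructed usage; $_FILES is populated by PHP on a multipart POST.
list($ok, $result) = store_logo_upload($_FILES['logo'] ?? [], '/var/www/site/images/logos');
echo $ok ? "stored as $result\n" : "rejected: $result\n";
?>
```

The password protection on the admin area controls who may upload; these checks control what an upload can do once it is on disk, which is the part a world-writable directory alone does not address.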


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Session variables

2002-07-08 Thread Steve Fitzgerald

Thanks Justin, your solution is spot-on!
Regards
Steve

Justin French wrote:

> 
>  ?>>
> >
>  ?>>
>  } ?>>
>  ?>>
> >
> 
>
> Obviously this is labourios to code... you can do this a lot smarter/quicker
> with an array for the entire select box... have an array of days, and do a
> foreach loop which writes the all the options for you, with the if
> statements, etc etc.
>
> By the way, this has nothing to do with sessions :)
>
> It's purely about how to populate drop-down menus from an array, and how to
> have the correct value selected if it exists, else showing a default
> selection.
>
> Cheers,
>
> Justin French
>
> on 08/07/02 9:36 PM, Steve Fitzgerald ([EMAIL PROTECTED]) wrote:
>
> > I am designing a form using sessions in which the user inputs their
> > details on page 1 and after submitting they are directed to page 2 for
> > confirmation. They then have the option of editing their input (ie they
> > are returned to page 1) where their previous input is reflected in the
> > form fields by
> > value =''
> > This works fine except if the input type is a drop down box, in which
> > case the default  is shown. Is there any way around this? How
> > can I show the user their previous choice in these boxes?
> > Any insights would be appreciated.
> > Steve
> >
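Justin's own code did not survive the archive, so here is an added example (not his or the original poster's code) of the array-driven approach he describes: one function writes every option, marks the one matching the value stored in the session, and otherwise falls back to a default. It assumes a session field named 'day' and that session_start() has already been called.

```php
<?php
// Added example, not from the thread. Assumed: the session holds the previous
// choice under $_SESSION['day'] and session_start() has already run.

function select_from_array($name, array $options, $current, $default)
{
    // Only a value that is actually in the option list is ever marked selected;
    // anything else stored in the session falls back to the default.
    $selected = in_array($current, $options, true) ? $current : $default;

    $html = '<select name="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '">' . "\n";
    foreach ($options as $value) {
        $attr = ($value === $selected) ? ' selected="selected"' : '';
        // Escape on output so option text can never break out of the markup.
        $safe = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
        $html .= "  <option value=\"$safe\"$attr>$safe</option>\n";
    }
    return $html . "</select>\n";
}

// Days of the month as strings, since form and session values arrive as strings.
$days = array_map('strval', range(1, 31));
$current = isset($_SESSION['day']) ? (string) $_SESSION['day'] : null;

echo select_from_array('day', $days, $current, '1');
?>
```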






[PHP] Session variables

2002-07-08 Thread Steve Fitzgerald

I am designing a form using sessions in which the user inputs their
details on page 1 and after submitting they are directed to page 2 for
confirmation. They then have the option of editing their input (ie they
are returned to page 1) where their previous input is reflected in the
form fields by
value =''
This works fine except if the input type is a drop down box, in which
case the default  is shown. Is there any way around this? How
can I show the user their previous choice in these boxes?
Any insights would be appreciated.
Steve






[PHP] Re: preg_match or not?

2002-07-06 Thread Steve Fitzgerald

Thanks, thats hit the nail on the head, and my headache is a whole lot better!
Steve

Cc Zona wrote:

> In article <[EMAIL PROTECTED]>,
>  [EMAIL PROTECTED] (Steve Fitzgerald) wrote:
>
> > I have been struggling for a couple of hours now trying to write a
> > preg_match expression to validate a dollar amount - the user may or may
> > not put in the decimals so I want to allow only digits plus a possible
> > period followed by two more digits. My eyes are now swimming and I just
> > can't seem to get right. This is what I have at the moment:
> >
> > if (!preg_match("/[\d]+([\.]{1}[\d]{2})?/", $form_data[amount])) //
> > wrong amount
> >
> > but it still allows invalid input. Can anyone help or is there a better
> > way to do it?
>
> It sounds like you need an exact match; note that your regex is matching
> against substrings, thus additional invalid characters are allowed to pass.
> Anchor the pattern, so that it essentially says "From beginning to end, the
> only chars allowed are one or more digits, optionally followed by the
> combination of a period then two more digits."  (The "^" and "$" special
> chars are anchors.)
>
> A regex special character loses its "specialness" when it's either escaped
> with a backslash, or included within a square-bracketed character class;
> you don't need to do both.
>
> The {1} is implied; you don't need it.
>
> if (preg_match("/^\d+(\.\d{2})?$/", $form_data[amount]))
>   {echo "Validated!";}
> else
>   {exit("That's not a dollar amount.");}
>
> --
> CC
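An added example (not code from the thread) that runs the question's unanchored pattern and the answer's anchored one over constructed inputs, plus a variant ending in \z: in PCRE a bare $ still matches before a final newline, so input such as "100\n" passes the $-anchored check. The array key is written as $form_data['amount']; the bare constant in the thread works in old PHP only with a notice.

```php
<?php
// Added example, not from the thread. Constructed inputs below.

const PATTERN_UNANCHORED = '/\d+(\.\d{2})?/';      // the question's pattern
const PATTERN_ANCHORED   = '/^\d+(\.\d{2})?$/';    // the answer's pattern
const PATTERN_STRICT     = '/^\d+(\.\d{2})?\z/';   // \z rejects a trailing "\n"

function matches($pattern, $value)
{
    return preg_match($pattern, (string) $value) === 1;
}

// Constructed samples: [input, should it validate?]
$samples = [
    ['100',       true],
    ['100.50',    true],
    ['100.5',     false],   // only one decimal digit
    ['1,000',     false],   // thousands separator not allowed
    ['100.50abc', false],   // trailing junk slips past the unanchored pattern
    ['$100',      false],   // leading junk likewise
    ["100\n",     false],   // $ matches before the final newline; \z does not
];

foreach ($samples as [$input, $expected]) {
    printf("%-14s unanchored=%d anchored=%d strict=%d expected=%d\n",
        json_encode($input),
        matches(PATTERN_UNANCHORED, $input),
        matches(PATTERN_ANCHORED, $input),
        matches(PATTERN_STRICT, $input),
        $expected);
}

// The check as it would sit in the form handler, with the key quoted.
$form_data = ['amount' => '12.34'];
if (!matches(PATTERN_STRICT, $form_data['amount'])) {
    exit("That's not a dollar amount.");
}
echo "Validated!\n";
?>
```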






[PHP] preg_match or not?

2002-07-06 Thread Steve Fitzgerald

I have been struggling for a couple of hours now trying to write a
preg_match expression to validate a dollar amount - the user may or may
not put in the decimals so I want to allow only digits plus a possible
period followed by two more digits. My eyes are now swimming and I just
can't seem to get right. This is what I have at the moment:

if (!preg_match("/[\d]+([\.]{1}[\d]{2})?/", $form_data[amount])) //
wrong amount

but it still allows invalid input. Can anyone help or is there a better
way to do it?

Thanks
Steve



Re: [PHP] netscape wont show form result

2002-06-13 Thread Steve Fitzgerald

I know what you are both saying and it was a poor explanation from me as to what
happened. Let me explain it further because although the code is working now I
would like to know what happened.
We know the code should work the same regardless of browser since the server is
interpreting the code not the browser, however:
1. the tables were all properly formatted. The script called for different includes
depending on the situation - these were all complete individual tables (remember ns
would display correctly, but only if the script executed to the end, ie correct
input from the user)
2. the memory cache on ns was set to 5MG and the disk cache to over 7MG - ample for
this situation. I currently have the memory cache set to 1MG and it still works.
3. the only change I made between the first and second messages yesterday was to
remove the 'exit' line, which I had placed in the script at a point after user
input errors had been detected and before the email was sent.
4. ns threw up blank pages whenever I deliberately made an error on the form
5. once this line was removed ns worked as expected, ie worked as expected both
before and after the amendment

Any thoughts???
Steve
Stuart Dallas wrote:

> On Wednesday, June 12, 2002 at 5:48:02 AM, you wrote:
>
> > An 'exit' directive had secretly sneaked into the script! which caused ns to
> > abort the rest of the script (as it should) while ie blissfully ignored
> > it(??). Anyway it all works now. Thanks again.
>
> Just thought I'd point out an error in your explanation. PHP is executed by the
> server, not by the browser. Therefore, IE cannot have "blissfully ignored" an
> exit directive since it never saw one. I think you've solved your problem by
> coincidence rather than logic - a very bad way to write code.
>
> --
> Stuart






Re: [PHP] netscape wont show form result

2002-06-11 Thread Steve Fitzgerald

Thanks for your reply, but it was neither of these things :)
An 'exit' directive had secretly sneaked into the script! which caused ns to
abort the rest of the script (as it should) while ie blissfully ignored
it(??). Anyway it all works now. Thanks again.

Chris Shiflett wrote:

> You are experiencing two different problems.
>
> 1) The blank page you are seeing is possibly due to incorrect HTML
> markup, where you are using tables incorrectly (most common problem for
> people). Check to make sure you have the same number of data cells in
> each row, that all your tags are properly ended, etc. Internet Explorer
> gives a best effort to render improper tables, and thus you might see
> content with IE and not Netscape. As a test, you might want to just
> remove all tables.
>
> 2) The source you are getting is *not* source that would produce a blank
> page. What you are seeing is likely due to your cache settings not being
> high enough to cache the response, so Netscape would have to reload the
> resource to get the source. Since it was generated from a POST
> operation, you receive that warning. It doesn't make much sense to give
> you the *source* of that warning like it does, but that's the basic
> explanation. In short, seeing that in your source is similar to being
> unable to view the source, unless of course you are staring at a page
> that says "Data Missing" at the top with a brief explanation. :)
>
> Hope that helps.
>
> Chris
>
> Steve Fitzgerald wrote:
>
> >I am testing a feedback form which consists of a single file with the
> >standard '>'
> >It has problems when using ns4.7. If the form is filled in correctly it
> >works and sends email, but it checks for required fields and correct
> >email address and if there is a mistake ns shows a blank page with the
> >following source:
> >--
> >Missing Post reply data
> >Data Missing
> >This document resulted from a POST operation and has expired from the
> >cache.  If you wish you can repost the form data to recreate the
> >document by pressing the reload button.
> >--
> >The whole thing works fine in ie5.5 with correct output of error or
> >success messages and sending of email. Same result on localhost
> >(win98se/apache1.3.2/php4.0.6) and public (unix/zeus/php4.1.2)
> >What am i missing? Have i got some setting in ns that is preventing this
> >from working?
> >
> >
> >
> >
> >






[PHP] netscape wont show form result

2002-06-11 Thread Steve Fitzgerald

I am testing a feedback form which consists of a single file with the
standard '>'
It has problems when using ns4.7. If the form is filled in correctly it
works and sends email, but it checks for required fields and correct
email address and if there is a mistake ns shows a blank page with the
following source:
--
Missing Post reply data
Data Missing
This document resulted from a POST operation and has expired from the
cache.  If you wish you can repost the form data to recreate the
document by pressing the reload button.
--
The whole thing works fine in ie5.5 with correct output of error or
success messages and sending of email. Same result on localhost
(win98se/apache1.3.2/php4.0.6) and public (unix/zeus/php4.1.2)
What am i missing? Have i got some setting in ns that is preventing this
from working?







[PHP] Re: Sessions and Opera

2002-04-10 Thread Steve Fitzgerald

Cookies it was. Thanks

Julio Nobrega Trabalhando wrote:

>   Cookies disabled? Or cache? Have you tried a 'fresh' Opera install or a
> newer version?
>
> --
>
> Julio Nobrega.
>
> One day I'll get there:
> http://sourceforge.net/projects/toca
>
> Did I help? Did I save you? How about a little present?
> http://www.submarino.com.br/wishlistclient.asp?wlid=664176742884
>
> "Steve Fitzgerald" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > While testing a login page with different browsers I noticed that Opera
> > (vers5.02) didn't allow me access to the site despite using the correct
> > input, so I wrote the following pages to test Opera's performance. It
> > seems that Opera doesn't pass registered variables to the new page. IE &
> > NS both print the output as expected, but in Opera all variables are empty.
> > Has anyone got any thoughts/solutions/experiences?
> >
> > regards
> > Steve
> >
> > --
> > ## login page
> >
> >  >   $password = "letmein";
> >   if (isset($input)){
> >   if ($input == $password){
> >   $auth = 1;
> >   session_start();
> >   session_register(enter,input,password,auth);
> >   header("Location: 2.php");
> >   exit;
> >   }
> >   }
> > ?>
> > 
> >  method="POST">
> > Enter password: 
> > 
> > 
> >
> >  >   print "The value of \$enter is \"$enter\"";
> >   print "The value of \$input is \"$input\"";
> >   print "The value of \$password is \"$password\"";
> >   print "The value of \$auth is \"$auth\"";
> > ?>
> >
> > --
> > ## 2.php
> >
> >  >   session_start();
> >
> >   print "The value of \$enter is \"$enter\""; // empty
> >   print "The value of \$input is \"$input\""; // should print
> > 'letmein'
> >   print "The value of \$password is \"$password\""; // should print
> > 'letmein'
> >   print "The value of \$auth is \"$auth\""; // should print '1'
> > ?>
> >
> >
> >






[PHP] Sessions and Opera

2002-04-10 Thread Steve Fitzgerald

While testing a login page with different browsers I noticed that Opera
(vers5.02) didn't allow me access to the site despite using the correct
input, so I wrote the following pages to test Opera's performance. It
seems that Opera doesn't pass registered variables to the new page. IE &
NS both print the output as expected, but in Opera all variables are empty.
Has anyone got any thoughts/solutions/experiences?

regards
Steve

--
## login page

<?php
  $password = "letmein";
  if (isset($input)){
    if ($input == $password){
      $auth = 1;
      session_start();
      session_register(enter,input,password,auth);
      header("Location: 2.php");
      exit;
    }
  }
?>

<form method="POST">
Enter password: <input type="text" name="input">
<input type="submit" name="enter" value="Enter">
</form>
<!-- the two input elements above are reconstructed: the archive stripped the
     original markup, which supplied the $input and $enter variables -->

<?php
  print "The value of \$enter is \"$enter\"";
  print "The value of \$input is \"$input\"";
  print "The value of \$password is \"$password\"";
  print "The value of \$auth is \"$auth\"";
?>

--
## 2.php

<?php
  session_start();

  print "The value of \$enter is \"$enter\""; // empty
  print "The value of \$input is \"$input\""; // should print 'letmein'
  print "The value of \$password is \"$password\""; // should print 'letmein'
  print "The value of \$auth is \"$auth\""; // should print '1'
?>








[PHP] Re: printf

2002-04-10 Thread Steve Fitzgerald

Use number_format() to put a comma between the thousands
$foo = 123456789;
print number_format($foo); //will print 123,456,789

Ron Allen wrote:

> I am looking at how to format output
>
> Here is what I have.  There is a simple currency conversion that I do and
> the output is just a string of numbers
> I would like it so that it puts a comma for every 3 spaces...Any
> clues..oh knowing newsgroup

