RE: [PHP] Files upload - Encrypt into a variable - Do not inject into db (PHP/Apache/MySQL)
Got packet bigger than 'max_allowed_packet' ... Gotta love mysql_error();

If I find out what causes this, I'll bring it over to this list too.. since it's been pretty quiet, I guess I've gotten folks stumped.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
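The error above and the silent failure described at the start of this thread, as an added example that is not code from any of the posts: the upload is encrypted, its size is compared with the server's max_allowed_packet before the INSERT, and mysqli is set to throw so a rejected statement cannot pass unnoticed. The table secure_files and its columns, the 1 KiB margin, and the use of OpenSSL AES-256-GCM in place of mcrypt are assumptions; $tmpPath would come from the tmp_name entry of $_FILES.

```php
<?php
// Added example, not the poster's script. Assumed names: table secure_files
// (file_name, file_data LONGBLOB, created_at). OpenSSL AES-256-GCM stands in for mcrypt.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB failures throw instead of passing silently

/** Encrypt file contents; returns nonce || tag || ciphertext as one binary string. */
function encryptBlob(string $plain, string $key): string
{
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('AES-256 needs a 32-byte key');
    }
    $nonce = random_bytes(12);   // fresh nonce for every file
    $tag = '';
    $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $nonce . $tag . $ct;
}

/** The server's packet ceiling in bytes. */
function maxAllowedPacket(mysqli $db): int
{
    $row = $db->query("SHOW VARIABLES LIKE 'max_allowed_packet'")->fetch_row();
    return (int) $row[1];
}

/** Store one encrypted upload, refusing early when it cannot fit in a single packet. */
function storeEncryptedUpload(mysqli $db, string $tmpPath, string $name, string $key): int
{
    $plain = file_get_contents($tmpPath);
    if ($plain === false) {
        throw new RuntimeException("cannot read $tmpPath");
    }
    $blob  = encryptBlob($plain, $key);
    $limit = maxAllowedPacket($db);
    if (strlen($blob) + 1024 > $limit) {   // 1 KiB headroom for the rest of the statement (assumed margin)
        throw new LengthException(sprintf(
            'encrypted payload is %d bytes, max_allowed_packet is %d', strlen($blob), $limit));
    }
    $stmt = $db->prepare('INSERT INTO secure_files (file_name, file_data, created_at) VALUES (?, ?, NOW())');
    $stmt->bind_param('ss', $name, $blob);   // sent as raw bytes: no escaping, no size inflation
    $stmt->execute();
    return $db->insert_id;
}
```

If uploads up to the 40M PHP limit must be accepted, the server's max_allowed_packet has to be raised to cover the encrypted size; the check then passes without code changes.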
RE: [PHP] Files upload - Encrypt into a variable - Do not inject into db (PHP/Apache/MySQL)
Updated : It ain't MCRYPT.

[code] http://www.w3.org/TR/html4/loose.dtd";> Untitled Document [/code]

-Original Message-
From: Marek Kilimajer [mailto:[EMAIL PROTECTED]
Sent: Friday, March 18, 2005 4:26 AM
To: [EMAIL PROTECTED]
Cc: php-general@lists.php.net
Subject: Re: [PHP] Files upload - Encrypt into a variable - Do not inject into db (PHP/Apache/MySQL)

Steven Altsman wrote:
> Yes, the link is http://www.radinks.com/upload/config.php
>
> file_uploads = On
> upload_max_filesize = 40M
> max_input_time = 9000 (seconds)
> memory_limit (not limited, per handload config, from source)
> max_execution_time = 9000 (seconds)
> post_max_size = 40M
>
> also, hidden INPUT tag MAX_FILE_SIZE with value="4", which I'm guessing
> needs it in kilobytes.

It's in bytes. Check apache's config, namely LimitRequestBody directive.
RE: [PHP] Files upload - Encrypt into a variable - Do not inject into db (PHP/Apache/MySQL)
[code] http://www.w3.org/TR/html4/loose.dtd";> Untitled Document [/code]

Here is a proof of concept.. I loaded up the nVidia drivers to my default tmp directory, then echoed out the strlen of the file when opened in file_get_contents function. It gave out the correct size.

From here, I'm just going to see if it encrypts and spits out a different (or no) number.

-Original Message-
From: Marek Kilimajer [mailto:[EMAIL PROTECTED]
Sent: Friday, March 18, 2005 4:26 AM
To: [EMAIL PROTECTED]
Cc: php-general@lists.php.net
Subject: Re: [PHP] Files upload - Encrypt into a variable - Do not inject into db (PHP/Apache/MySQL)

Steven Altsman wrote:
> Yes, the link is http://www.radinks.com/upload/config.php
>
> file_uploads = On
> upload_max_filesize = 40M
> max_input_time = 9000 (seconds)
> memory_limit (not limited, per handload config, from source)
> max_execution_time = 9000 (seconds)
> post_max_size = 40M
>
> also, hidden INPUT tag MAX_FILE_SIZE with value="4", which I'm guessing
> needs it in kilobytes.

It's in bytes. Check apache's config, namely LimitRequestBody directive.
RE: [PHP] Files upload - Encrypt into a variable - Do not inject into db (PHP/Apache/MySQL)
Yes, the link is http://www.radinks.com/upload/config.php

file_uploads = On
upload_max_filesize = 40M
max_input_time = 9000 (seconds)
memory_limit (not limited, per handload config, from source)
max_execution_time = 9000 (seconds)
post_max_size = 40M

also, hidden INPUT tag MAX_FILE_SIZE with value="4", which I'm guessing needs it in kilobytes.

Raditha has a pretty sweet upload script going on there.. however, not sure if it contains the same security requirements I've got. Per GLBA requirements, my data has to be stored no more than 48 hours and must be encrypted with 128-bit or higher algorithms.

I'm starting to suspect that I have more lists I've got to sign up with, as it may be MCRYPT or MySQL that is barfing because of it. If that is all I can tweak in PHP, then I'm definitely hitting a dead-end on this list.

Thank you for your time.

-Original Message-
From: Jason Barnett [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 17, 2005 10:35 AM
To: php-general@lists.php.net
Subject: Re: [PHP] Encrypted 2.5+M files do upload, but don't create a record when stored as LongBlobs (PHP/Apache/MySQL)

Steven Altsman wrote:
> This may be a stupid question. If it is, could somebody do a one line reply
> of "it is." That way I will know to turn my attention elsewhere.
> ...

It's not a stupid question, it's just that the people that have read it so far (including me) don't really know the answer. I seem to recall that Raditha Dissanayake had an upload script that let you do larger uploads... just look in the archives for his messages and look for the link in his signature.

HTH
RE: [PHP] Encrypted 2.5+M files do upload, but don't create a record when stored as LongBlobs (PHP/Apache/MySQL)
This may be a stupid question. If it is, could somebody do a one line reply of "it is." That way I will know to turn my attention elsewhere.

I've gone through about 45 pages of archives trying to glean anything useful out of it, and either it's the same answer or the version is about 4 years out of date.

-Original Message-
From: Steven Altsman [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 16, 2005 12:15 PM
To: php-general@lists.php.net; users@httpd.apache.org
Subject: [PHP] Encrypted 2.5+M files do upload, but don't create a record when stored as LongBlobs (PHP/Apache/MySQL)

Files under 2.5 megs will go into the database just fine, anything over that will return the page without errors, but will not be injected into the database. Not even a record is created.

Edited PHP.INI to allow up to 40M of data to be uploaded. Set the script timeout to be 9000 seconds. Set the script operational memory to 80M.

I did a print_r of $_FILES and the results show that there is a file in the tmp directory, but I'm not sure after that if there is a problem with mcrypt or MySQL. I did read something about a limitation of MySQL and max packet size between server and client, but only 4.1 or less is mentioned with that. I also switched from the fopen/fread combo and did file_get_contents instead, as it was recommended to be more efficient.

http://us4.php.net/fopen
http://us4.php.net/fread
http://us4.php.net/file_get_contents
http://us3.php.net/mcrypt
http://us3.php.net/features.file-upload
http://us3.php.net/print_r
http://www.ispirer.com/doc/sqlways38/Output/SQLWays-1-195.html
http://www.totalchoicehosting.com/forums/lofiversion/index.php/t10276.html
http://www.chipmunk-scripts.com/board/index.php?forumID=27&ID=1674
http://scripts.franciscocharrua.com/database-file-upload-download.php
http://www.hotscripts.com/Detailed/33694.html
http://www.google.com

If there are any other links to M's that I haven't R'ed, please let me know. Otherwise I'm clueless.

Google gives me a metric tonne of information, but it is mostly people asking the same question I am with recommendations on editing the PHP.INI. Obviously this is a useful script that many people have written in their own way for their own needs, and I'm sure they've run into the same problem I'm encountering now.

Using MySQL 5.0.2, PHP 5, newest mcrypt, mhash, Apache 2, FC 3, it is on port 443 with a valid SSL cert, and if you need to know any other version or variable info I will gladly provide it.

-=-=-=-=-=-=- /docs/phpinfo.php -=-=-=-=-=-
allow_call_time_pass_reference  On   On
allow_url_fopen                 On   On
always_populate_raw_post_data   Off  Off
8< -- Snip Snip --- 8<
version_comment          Official MySQL RPM
version_compile_machine  i686
version_compile_os       pc-linux
wait_timeout             28800
[PHP] Encrypted 2.5+M files do upload, but don't create a record when stored as LongBlobs (PHP/Apache/MySQL)
Files under 2.5 megs will go into the database just fine, anything over that will return the page without errors, but will not be injected into the database. Not even a record is created.

Edited PHP.INI to allow up to 40M of data to be uploaded. Set the script timeout to be 9000 seconds. Set the script operational memory to 80M.

I did a print_r of $_FILES and the results show that there is a file in the tmp directory, but I'm not sure after that if there is a problem with mcrypt or MySQL. I did read something about a limitation of MySQL and max packet size between server and client, but only 4.1 or less is mentioned with that. I also switched from the fopen/fread combo and did file_get_contents instead, as it was recommended to be more efficient.

http://us4.php.net/fopen
http://us4.php.net/fread
http://us4.php.net/file_get_contents
http://us3.php.net/mcrypt
http://us3.php.net/features.file-upload
http://us3.php.net/print_r
http://www.ispirer.com/doc/sqlways38/Output/SQLWays-1-195.html
http://www.totalchoicehosting.com/forums/lofiversion/index.php/t10276.html
http://www.chipmunk-scripts.com/board/index.php?forumID=27&ID=1674
http://scripts.franciscocharrua.com/database-file-upload-download.php
http://www.hotscripts.com/Detailed/33694.html
http://www.google.com

If there are any other links to M's that I haven't R'ed, please let me know. Otherwise I'm clueless.

Google gives me a metric tonne of information, but it is mostly people asking the same question I am with recommendations on editing the PHP.INI. Obviously this is a useful script that many people have written in their own way for their own needs, and I'm sure they've run into the same problem I'm encountering now.

Using MySQL 5.0.2, PHP 5, newest mcrypt, mhash, Apache 2, FC 3, it is on port 443 with a valid SSL cert, and if you need to know any other version or variable info I will gladly provide it.
-=-=-=-=-=-=- /docs/phpinfo.php -=-=-=-=-=-
allow_call_time_pass_reference  On          On
allow_url_fopen                 On          On
always_populate_raw_post_data   Off         Off
arg_separator.input             &           &
arg_separator.output            &           &
asp_tags                        Off         Off
auto_append_file                no value    no value
auto_globals_jit                On          On
auto_prepend_file               no value    no value
browscap                        no value    no value
default_charset                 no value    no value
default_mimetype                text/html   text/html
define_syslog_variables         Off         Off
disable_classes                 no value    no value
disable_functions               no value    no value
display_errors                  On          On
display_startup_errors          Off         Off
doc_root                        no value    no value
docref_ext                      no value    no value
docref_root                     no value    no value
enable_dl                       On          On
error_append_string             no value    no value
error_log                       no value    no value
error_prepend_string            no value    no value
error_reporting                 2039        2039
expose_php                      On          On
extension_dir                   ./          ./
file_uploads                    On          On
>8 - >8 - >8
html_errors                     On          On
ignore_repeated_errors          Off         Off
ignore_repeated_source          Off         Off
ignore_user_abort               Off         Off
implicit_flush                  Off         Off
include_path                    .:/usr/local/php//lib/php   .:/usr/local/php//lib/php
log_errors                      On          On
log_errors_max_len              1024        1024
magic_quotes_gpc                On          On
magic_quotes_runtime            Off         Off
magic_quotes_sybase             Off         Off
mail.force_extra_parameters     no value    no value
max_execution_time              9000        9000
max_input_time                  9000        9000
open_basedir                    no value    no value
output_buffering                no value    no value
output_handler                  no value    no value
post_max_size                   40M         40M
precision                       12          12
register_argc_argv              On          On
register_globals                Off         Off
register_long_arrays            On          On
report_memleaks                 On          On
report_zend_debug               On          On
safe_mode                       Off         Off
safe_mode_exec_dir              no value    no value
safe_mode_gid                   Off         Off
safe_mode_include_dir           no value    no value
>8 - >8 - >8
serialize_precision             100         100
short_open_tag                  On          On
SMTP                            localhost   localhost
smtp_port                       25          25
sql.safe_mode                   Off         Off
track_errors                    Off         Off
unserialize_callback_func       no value    no value
upload_max_filesize             40M         40M
upload_tmp_dir                  no value    no value
user_dir                        no value    no value
variables_order                 EGPCS       EGPCS

-=-=-=-=-=-=-=- My Script -=-=-=-=-=-=-=-=-
foreach($_FILES['binFile']['name'] as $k => $v) {
    // Variable-ize all of the attributes of the file object
    $binFile[$k] = $_FILES['binFile'][$k];
    $binFile_name[$k] = $_FILES['binFile']['name'][$k];
    $binFile_size[$k] = $_FILES['binFile']['size'][$k];
    $binFile_type[$k] = $_FILES['binFile']['type'][$k];
    $binFile_tmp[$k] = $_FILES['binFile']['tmp_name'][$k];

    // Get sender information
    $author = $_SESSION['tehNam'];
    $recipient = strtolower($_POST['email']);

    // Tracking information on the file
    $date_submitted[$k] = date('Y-m-d H:i:s');
    $txtDescription[$k] = $_POST['txtDescription'][$k];
    $binFile_unique[$k] = md5($author.$txtDescription[$k].$binFile_name[$k]);
}

foreach($_FILES['binFile']['name'] as $k => $v) {
    // Generate hash for user-login
    $access_name = md5(strtolower($_POST['e
RE: [PHP] LibMcrypt and Mcrypt and Mhash - OH MY!
I found it! The current ports.tar.gz file is hosed for the three things I can auto load. We had an older OpenBSD box that had a previous version of ports, so I copied that over and it installed with no headaches.

Thanks to Jeff for making me stick to ports.. I just had to get a version that worked right. :)

Steven Altsman
Webmaster and Program Analyst
EFast Funding, LLC.
713.983.4069 - work
832.527.3786 - cell
[EMAIL PROTECTED]

-Original Message-
From: Jeffery Fernandez [mailto:[EMAIL PROTECTED]
Sent: Friday, February 11, 2005 6:52 PM
To: Steven Altsman
Cc: php-general@lists.php.net
Subject: Re: [PHP] LibMcrypt and Mcrypt and Mhash - OH MY!

Steven Altsman wrote:
> I've beaten my head against the desk repeatedly, RTFM'ing until my
> eyes are sore, the boss is still at my back.. and I'm completely lost.
> I'd love to grok intricacies of compiling C code and setting
> environment variables.. but I am dead once February 15th rolls around
> and may have to find another job soon.
>
> All I'm trying to do is get an OpenBSD 3.6 box with the following
> components installed:
>
> MySQL 4.1 (or 5.0.2)
>
> Apache 2
>
> Mcrypt
>
> Mhash
>
> Libmcrypt
>
> PHP
>
> OpenSSL
>
> And that's it. Nothing fancy, just something that is highly secure and

8< -- snip snip -- 8<
[PHP] LibMcrypt and Mcrypt and Mhash - OH MY!
I’ve beaten my head against the desk repeatedly, RTFM’ing until my eyes are sore, the boss is still at my back.. and I’m completely lost. I’d love to grok intricacies of compiling C code and setting environment variables.. but I am dead once February 15th rolls around and may have to find another job soon.

All I’m trying to do is get an OpenBSD 3.6 box with the following components installed:

MySQL 4.1 (or 5.0.2)
Apache 2
Mcrypt
Mhash
Libmcrypt
PHP
OpenSSL

And that’s it. Nothing fancy, just something that is highly secure and easy to lock down to 2 ports. I’ve gotten a bunch of shell scripts written up for each portion of the install.. most of them are ./configure --prefix=/usr/local/(program name) with the configuration files in the conf directory for each.

I’m currently hung up on Mcrypt. It’s a total monster! It’s a key component in so many programs and libraries, and yet Googl’ing news groups, checking out the main site for them, and going through the config.log files I can’t understand a darn thing anyone is saying.

I’m an intro PHP fella.. I can tie into databases, loop through if statements, store images, handle usernames and passwords.. but encryption is something completely alien to me. I’ve done ASP before and installing the packages may not be as secure/customizable/reliable/intelligent.. it involved double-clicking and maybe doing something in DOS like adding a “-v” at the end.

Don’t get me wrong, I’d kindly RTFM and leave the vicious cerebral types be, but I don’t have that luxury. Surely someone else out there has experienced something like this before and can bestow a nugget of wisdom upon me.

Steven Altsman
Webmaster and Program Analyst
EFast Funding, LLC.
713.983.4069 - work
832.527.3786 - cell
[EMAIL PROTECTED]

“Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.” - Albert Einstein (1879 – 1955)