RE: [PHP] Files upload - Encrypt into a variable - Do not inject into db (PHP/Apache/MySQL)

2005-03-18 Thread Steven Altsman
Got packet bigger than 'max_allowed_packet'

... Gotta love mysql_error();

If I find out what causes this, I'll bring it over to this list too.. since
it's been pretty quiet, I guess I've gotten folks stumped.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
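
The limits named in this thread (the MAX_FILE_SIZE form field, upload_max_filesize, post_max_size, Apache's LimitRequestBody and MySQL's max_allowed_packet) each cap the same upload at a different layer. The sketch below is an added example, not code from any poster: it reports the first layer that would reject a payload, counting the bytes that SQL escaping adds to a binary blob. Function names, the `files`/`data` table and column, and the 4M packet limit are assumptions, and the sample data is constructed.

```php
<?php
// Added example (not from the thread): which layer rejects an upload?
// Function names are hypothetical; all sample values are constructed.

// php.ini shorthand ("40M", "512K") to bytes; plain digits pass through.
function ini_bytes(string $v): int
{
    if (!preg_match('/^(\d+)\s*([KMG]?)$/i', trim($v), $m)) {
        throw new InvalidArgumentException("bad size: $v");
    }
    $shift = ['' => 0, 'K' => 10, 'M' => 20, 'G' => 30][strtoupper($m[2])];
    return (int)$m[1] << $shift;
}

// Size of a binary string once escaped and quoted inside an SQL statement:
// NUL, \n, \r, \, ', " and Ctrl-Z each gain a backslash.
function sql_literal_bytes(string $blob): int
{
    $counts = count_chars($blob, 1);          // byte value => occurrences
    $extra  = 0;
    foreach ([0, 10, 13, 26, 34, 39, 92] as $byte) {
        $extra += $counts[$byte] ?? 0;
    }
    return strlen($blob) + $extra + 2;        // +2 for the surrounding quotes
}

// $sizes and $limits are keyed by layer, ordered browser -> database.
// A limit of 0 means "no limit" (LimitRequestBody and post_max_size work that way).
function first_rejecting_layer(array $sizes, array $limits): ?string
{
    foreach ($limits as $layer => $limit) {
        $max = ini_bytes((string)$limit);
        if ($max > 0 && $sizes[$layer] > $max) {
            return sprintf('%s: %d > %d bytes', $layer, $sizes[$layer], $max);
        }
    }
    return null;                              // every layer accepts the payload
}

$file   = random_bytes(5 * 1024 * 1024);      // stand-in for an encrypted upload
$insert = strlen('INSERT INTO files (data) VALUES ()') + sql_literal_bytes($file);
$limits = [
    'MAX_FILE_SIZE'       => '41943040',      // form field, plain bytes
    'LimitRequestBody'    => '0',
    'post_max_size'       => '40M',
    'upload_max_filesize' => '40M',
    'max_allowed_packet'  => '4M',            // assumed; read it with SHOW VARIABLES
];
// HTTP-side layers see roughly the file size (multipart framing ignored here).
$sizes = array_fill_keys(array_keys($limits), strlen($file));
$sizes['max_allowed_packet'] = $insert;

echo first_rejecting_layer($sizes, $limits) ?? 'accepted', "\n";
```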



RE: [PHP] Files upload - Encrypt into a variable - Do not inject into db (PHP/Apache/MySQL)

2005-03-18 Thread Steven Altsman
Updated : It ain't MCRYPT.

[code]
http://www.w3.org/TR/html4/loose.dtd";>
Untitled Document
[/code]

-Original Message-
From: Marek Kilimajer [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 18, 2005 4:26 AM
To: [EMAIL PROTECTED]
Cc: php-general@lists.php.net
Subject: Re: [PHP] Files upload - Encrypt into a variable - Do not inject
into db (PHP/Apache/MySQL)

Steven Altsman wrote:
> Yes, the link is http://www.radinks.com/upload/config.php
> 
> file_uploads = On
> upload_max_filesize = 40M
> max_input_time = 9000 (seconds)
> memory_limit (not limited, per handload config, from source)
> max_execution_time = 9000 (seconds)
> post_max_size = 40M
> 
> also, hidden INPUT tag MAX_FILE_SIZE with value="4", which I'm guessing
> needs it in kilobytes.

It's in bytes.

Check apache's config, namely LimitRequestBody directive.




RE: [PHP] Files upload - Encrypt into a variable - Do not inject into db (PHP/Apache/MySQL)

2005-03-18 Thread Steven Altsman
[code]
http://www.w3.org/TR/html4/loose.dtd";>
Untitled Document
[/code]

Here is a proof of concept.. I loaded up the nVidia drivers to my default
tmp directory, then echoed out the strlen of the file when opened in
file_get_contents function.  It gave out the correct size.

From here, I'm just going to see if it encrypts and spits out a different
(or no) number.

-Original Message-
From: Marek Kilimajer [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 18, 2005 4:26 AM
To: [EMAIL PROTECTED]
Cc: php-general@lists.php.net
Subject: Re: [PHP] Files upload - Encrypt into a variable - Do not inject
into db (PHP/Apache/MySQL)

Steven Altsman wrote:
> Yes, the link is http://www.radinks.com/upload/config.php
> 
> file_uploads = On
> upload_max_filesize = 40M
> max_input_time = 9000 (seconds)
> memory_limit (not limited, per handload config, from source)
> max_execution_time = 9000 (seconds)
> post_max_size = 40M
> 
> also, hidden INPUT tag MAX_FILE_SIZE with value="4", which I'm guessing
> needs it in kilobytes.

It's in bytes.

Check apache's config, namely LimitRequestBody directive.




RE: [PHP] Files upload - Encrypt into a variable - Do not inject into db (PHP/Apache/MySQL)

2005-03-17 Thread Steven Altsman
Yes, the link is http://www.radinks.com/upload/config.php

file_uploads = On
upload_max_filesize = 40M
max_input_time = 9000 (seconds)
memory_limit (not limited, per handload config, from source)
max_execution_time = 9000 (seconds)
post_max_size = 40M

also, hidden INPUT tag MAX_FILE_SIZE with value="4", which I'm guessing
needs it in kilobytes.

Raditha has a pretty sweet upload script going on there.. however, not sure
if it contains the same security requirements I've got.

Per GLBA requirements, my data has to be stored no more than 48 hours and
must be encrypted with 128-bit or higher algorithms.  I'm starting to
suspect that I have more lists I've got to sign up with, as it may be MCRYPT
or MySQL that is barfing because of it.

If that is all I can tweak in PHP, then I'm definitely hitting a dead-end on
this list.

Thank you for your time.

-Original Message-
From: Jason Barnett [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 17, 2005 10:35 AM
To: php-general@lists.php.net
Subject: Re: [PHP] Encrypted 2.5+M files do upload, but don't create a record
when stored as LongBlobs (PHP/Apache/MySQL)

Steven Altsman wrote:
> This may be a stupid question. If it is, could somebody do a one line reply
> of "it is." That way I will know to turn my attention elsewhere.
>
...

It's not a stupid question, it's just that the people that have read it
so far (including me) don't really know the answer.  I seem to recall
that Raditha Dissanayake had an upload script that let you do larger
uploads... just look in the archives for his messages and look for the
link in his signature.

HTH




RE: [PHP] Encrypted 2.5+M files do upload, but don't create a record when stored as LongBlobs (PHP/Apache/MySQL)

2005-03-17 Thread Steven Altsman
This may be a stupid question. If it is, could somebody do a one line reply
of "it is." That way I will know to turn my attention elsewhere.

I've gone through about 45 pages of archives trying to glean anything useful
out of it, and either it's the same answer or the version is about 4 years
out of date.

-Original Message-
From: Steven Altsman [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 16, 2005 12:15 PM
To: php-general@lists.php.net; users@httpd.apache.org
Subject: [PHP] Encrypted 2.5+M files do upload, but don't create a record
when stored as LongBlobs (PHP/Apache/MySQL)

Files under 2.5 megs will go into the database just fine, anything over
that will return the page without errors, but will not be injected into the
database.  Not even a record is created.

Edited PHP.INI to allow up to 40M of data to be uploaded.  Set the script
timeout to be 9000 seconds.  Set the script operational memory to 80M.  I
did a print_r of $_FILES and the results show that there is a file in the
tmp directory, but I'm not sure after that if there is a problem with mcrypt
or MySQL.  I did read something about a limitation of MySQL and max packet
size between server and client, but only 4.1 or less is mentioned with that.
I also switched from the fopen/fread combo and did file_get_contents
instead, as it was recommended to be more efficient.

http://us4.php.net/fopen
http://us4.php.net/fread
http://us4.php.net/file_get_contents
http://us3.php.net/mcrypt
http://us3.php.net/features.file-upload
http://us3.php.net/print_r

http://www.ispirer.com/doc/sqlways38/Output/SQLWays-1-195.html
http://www.totalchoicehosting.com/forums/lofiversion/index.php/t10276.html
http://www.chipmunk-scripts.com/board/index.php?forumID=27&ID=1674
http://scripts.franciscocharrua.com/database-file-upload-download.php
http://www.hotscripts.com/Detailed/33694.html

http://www.google.com

If there are any other links to M's that I haven't R'ed, please let me know.
Otherwise I'm clueless.  Google gives me a metric tonne of information, but
it is mostly people asking the same question I am with recommendations on
editing the PHP.INI.  Obviously this is a useful script that many people
have written in their own way for their own needs, and I'm sure they've run
into the same problem I'm encountering now.

Using MySQL 5.0.2, PHP 5, newest mcrypt, mhash, Apache 2, FC 3, it is on
port 443 with a valid SSL cert, and if you need to know any other version or
variable info I will gladly provide it.


-=-=-=-=-=-=- /docs/phpinfo.php -=-=-=-=-=-

allow_call_time_pass_reference On On 
allow_url_fopen On On 
always_populate_raw_post_data Off Off 


8< -- Snip Snip --- 8< 

version_comment Official MySQL RPM 
version_compile_machine i686 
version_compile_os pc-linux 
wait_timeout 28800




[PHP] Encrypted 2.5+M files do upload, but don't create a record when stored as LongBlobs (PHP/Apache/MySQL)

2005-03-16 Thread Steven Altsman
Files under 2.5 megs will go into the database just fine, anything over
that will return the page without errors, but will not be injected into the
database.  Not even a record is created.

Edited PHP.INI to allow up to 40M of data to be uploaded.  Set the script
timeout to be 9000 seconds.  Set the script operational memory to 80M.  I
did a print_r of $_FILES and the results show that there is a file in the
tmp directory, but I'm not sure after that if there is a problem with mcrypt
or MySQL.  I did read something about a limitation of MySQL and max packet
size between server and client, but only 4.1 or less is mentioned with that.
I also switched from the fopen/fread combo and did file_get_contents
instead, as it was recommended to be more efficient.

http://us4.php.net/fopen
http://us4.php.net/fread
http://us4.php.net/file_get_contents
http://us3.php.net/mcrypt
http://us3.php.net/features.file-upload
http://us3.php.net/print_r

http://www.ispirer.com/doc/sqlways38/Output/SQLWays-1-195.html
http://www.totalchoicehosting.com/forums/lofiversion/index.php/t10276.html
http://www.chipmunk-scripts.com/board/index.php?forumID=27&ID=1674
http://scripts.franciscocharrua.com/database-file-upload-download.php
http://www.hotscripts.com/Detailed/33694.html

http://www.google.com

If there are any other links to M's that I haven't R'ed, please let me know.
Otherwise I'm clueless.  Google gives me a metric tonne of information, but
it is mostly people asking the same question I am with recommendations on
editing the PHP.INI.  Obviously this is a useful script that many people
have written in their own way for their own needs, and I'm sure they've run
into the same problem I'm encountering now.

Using MySQL 5.0.2, PHP 5, newest mcrypt, mhash, Apache 2, FC 3, it is on
port 443 with a valid SSL cert, and if you need to know any other version or
variable info I will gladly provide it.


-=-=-=-=-=-=- /docs/phpinfo.php -=-=-=-=-=-

allow_call_time_pass_reference On On 
allow_url_fopen On On 
always_populate_raw_post_data Off Off 
arg_separator.input & & 
arg_separator.output & & 
asp_tags Off Off 
auto_append_file no value no value 
auto_globals_jit On On 
auto_prepend_file no value no value 
browscap no value no value 
default_charset no value no value 
default_mimetype text/html text/html 
define_syslog_variables Off Off 
disable_classes no value no value 
disable_functions no value no value 
display_errors On On 
display_startup_errors Off Off 
doc_root no value no value 
docref_ext no value no value 
docref_root no value no value 
enable_dl On On 
error_append_string no value no value 
error_log no value no value 
error_prepend_string no value no value 
error_reporting 2039 2039 
expose_php On On 
extension_dir ./ ./ 
file_uploads On On 
>8 - >8 - >8
html_errors On On 
ignore_repeated_errors Off Off 
ignore_repeated_source Off Off 
ignore_user_abort Off Off 
implicit_flush Off Off 
include_path .:/usr/local/php//lib/php .:/usr/local/php//lib/php 
log_errors On On 
log_errors_max_len 1024 1024 
magic_quotes_gpc On On 
magic_quotes_runtime Off Off 
magic_quotes_sybase Off Off 
mail.force_extra_parameters no value no value 
max_execution_time 9000 9000 
max_input_time 9000 9000 
open_basedir no value no value 
output_buffering no value no value 
output_handler no value no value 
post_max_size 40M 40M 
precision 12 12 
register_argc_argv On On 
register_globals Off Off 
register_long_arrays On On 
report_memleaks On On 
report_zend_debug On On 
safe_mode Off Off 
safe_mode_exec_dir no value no value 
safe_mode_gid Off Off 
safe_mode_include_dir no value no value 
>8 - >8 - >8
serialize_precision 100 100 
short_open_tag On On 
SMTP localhost localhost 
smtp_port 25 25 
sql.safe_mode Off Off 
track_errors Off Off 
unserialize_callback_func no value no value 
upload_max_filesize 40M 40M 
upload_tmp_dir no value no value 
user_dir no value no value 
variables_order EGPCS EGPCS

-=-=-=-=-=-=-=- My Script -=-=-=-=-=-=-=-=-

foreach($_FILES['binFile']['name'] as $k => $v)
{
    // Variable-ize all of the attributes of the file object
    $binFile[$k] = $_FILES['binFile'][$k];
    $binFile_name[$k] = $_FILES['binFile']['name'][$k];
    $binFile_size[$k] = $_FILES['binFile']['size'][$k];
    $binFile_type[$k] = $_FILES['binFile']['type'][$k];
    $binFile_tmp[$k] = $_FILES['binFile']['tmp_name'][$k];
    // Get sender information
    $author = $_SESSION['tehNam'];
    $recipient = strtolower($_POST['email']);
    // Tracking information on the file
    $date_submitted[$k] = date('Y-m-d H:i:s');
    $txtDescription[$k] = $_POST['txtDescription'][$k];
    $binFile_unique[$k] = md5($author.$txtDescription[$k].$binFile_name[$k]);
}

foreach($_FILES['binFile']['name'] as $k => $v)
{
    // Generate hash for user-login
    $access_name = md5(strtolower($_POST['e

RE: [PHP] LibMcrypt and Mcrypt and Mhash - OH MY!

2005-02-14 Thread Steven Altsman
I found it!  The current ports.tar.gz file is hosed for the three things I
can auto load.  We had an older OpenBSD box that had a previous version of
ports, so I copied that over and it installed with no headaches.  Thanks to
Jeff for making me stick to ports.. I just had to get a version that worked
right. :)

Steven Altsman
Webmaster and Program Analyst
EFast Funding, LLC.
713.983.4069 - work
832.527.3786 - cell
[EMAIL PROTECTED]

-Original Message-
From: Jeffery Fernandez [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 11, 2005 6:52 PM
To: Steven Altsman
Cc: php-general@lists.php.net
Subject: Re: [PHP] LibMcrypt and Mcrypt and Mhash - OH MY!

Steven Altsman wrote:

> I've beaten my head against the desk repeatedly, RTFM'ing until my 
> eyes are sore, the boss is still at my back.. and I'm completely lost. 
> I'd love to grok intricacies of compiling C code and setting 
> environment variables.. but I am dead once February 15th rolls around 
> and may have to find another job soon.
>
> All I'm trying to do is get an OpenBSD 3.6 box with the following 
> components installed:
>
> MySQL 4.1 (or 5.0.2)
>
> Apache 2
>
> Mcrypt
>
> Mhash
>
> Libmcrypt
>
> PHP
>
> OpenSSL
>
> And that's it. Nothing fancy, just something that is highly secure and 
8< -- snip snip -- 8<




[PHP] LibMcrypt and Mcrypt and Mhash - OH MY!

2005-02-11 Thread Steven Altsman








I’ve beaten my head against the desk repeatedly, RTFM’ing
until my eyes are sore, the boss is still at my back.. and I’m completely
lost.  I’d love to grok intricacies of compiling C code and setting
environment variables.. but I am dead once February 15th rolls
around and may have to find another job soon.

All I’m trying to do is get an OpenBSD 3.6 box with
the following components installed:

MySQL 4.1 (or 5.0.2)
Apache 2
Mcrypt
Mhash
Libmcrypt
PHP
OpenSSL

And that’s it.  Nothing fancy, just something
that is highly secure and easy to lock down to 2 ports.  I’ve gotten
a bunch of shell scripts written up for each portion of the install.. most of
them are ./configure --prefix=/usr/local/(program name) with the
configuration files in the conf directory for each.

I’m currently hung up on Mcrypt.  It’s a
total monster!  It’s a key component in so many programs and
libraries, and yet Googl’ing news groups, checking out the main site for
them, and going through the config.log files I can’t understand a darn
thing anyone is saying.

I’m an intro PHP fella.. I can tie into databases,
loop through if statements, store images, handle usernames and passwords.. but
encryption is something completely alien to me.  I’ve done ASP
before and installing the packages may not be as
secure/customizable/reliable/intelligent.. it involved double-clicking and
maybe doing something in DOS like adding a “-v” at the end.

Don’t get me wrong, I’d kindly RTFM and leave
the vicious cerebral types be, but I don’t have that luxury.  Surely
someone else out there has experienced something like this before and can
bestow a nugget of wisdom upon me.

Steven Altsman
Webmaster and Program Analyst
EFast Funding, LLC.
713.983.4069 - work
832.527.3786 - cell
[EMAIL PROTECTED]

“Only two things are infinite,
the universe and human stupidity, and I'm not sure about the former.”
- Albert Einstein (1879 – 1955)