php-general Digest 23 Mar 2003 01:53:33 -0000 Issue 1954
Topics (messages 140678 through 140723):
upload files and file types
140678 by: Dan Rossi
140690 by: Larry E. Ullman
Re: variales within define constants
140679 by: Dan Rossi
140692 by: Jim Lucas
140714 by: Dan Rossi
140719 by: Dan Rossi
Parsing results from mySQL query
140680 by: Charles Kline
Re: [SOAP] web services
140681 by: Bill Kearney
sha1 hash in old php?
140682 by: Bill Kearney
140694 by: Jason Sheets
Password Authentication
140683 by: trlists.clayst.com
140686 by: Justin French
140687 by: trlists.clayst.com
140693 by: David Otton
140720 by: Justin French
140721 by: Jason Sheets
Removing Risky Characters
140684 by: Tom Rawson
140691 by: David Otton
Re: Sessions question
140685 by: Beauford.2002
Session's length.
140688 by: L0vCh1Y
140703 by: Joel Colombo
140704 by: Adam -
140706 by: L0vCh1Y
Re: ob_start problem
140689 by: Larry E. Ullman
Separators in variable values causing MySQL commands to fail
140695 by: rentAweek Ltd
140697 by: Jim Lucas
140698 by: David Otton
140699 by: Jim Lucas
140700 by: Larry E. Ullman
140702 by: L0vCh1Y
Re: Test the server.
140696 by: Vincent M.
140701 by: David Otton
140709 by: Ernest E Vogelsinger
Date Diff
140705 by: Adam -
140708 by: Jason Sheets
creating mailing list in php?
140707 by: Jason Jacobs
140713 by: -{ Rene Brehmer }-
array insert help
140710 by: Jason Dulberg
140711 by: Ernest E Vogelsinger
140712 by: Jason Dulberg
140715 by: Ernest E Vogelsinger
how to pass variable for $_GET
140716 by: DomIntCom
140722 by: DomIntCom
PHP and IIS
140717 by: Beauford.2002
140718 by: Denis L. Menezes
regex
140723 by: Nate
----------------------------------------------------------------------
--- Begin Message ---
hi there , i was wondering on security of file uploads , i am currently
using the pear uploader class , i can check for allowed file extensions ,
but it doesn't seem to check for file type , i can currently rename say an
image to zip and it uploads , is there any way a hacker could rename an
executable to a zip and be able to upload it and execute it ?
--- End Message ---
--- Begin Message ---
> hi there , i was wondering on security of file uploads , i am currently
> using the pear uploader class , i can check for allowed file extensions ,
> but it doesn't seem to check for file type , i can currently rename say an
> image to zip and it uploads , is there any way a hacker could rename an
> executable to a zip and be able to upload it and execute it ?

I can't address your specific question but here are a couple of
recommendations:
- Rename the uploaded file so that the user won't know what it's called
  on the server.
- Store the file outside of the Web directory so it's not accessible via
  HTTP.
Hope that helps,
Larry
--- End Message ---
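Larry's two recommendations, combined with a content-based type check, as an added example (not code from the thread or from the PEAR uploader class). The form field name `upload`, the directory `/var/uploads` and the allow-list are assumptions, and the sample files in the CLI part are constructed.

```php
<?php
// Hypothetical storage path; it must lie outside the web server's document root
// so that nothing stored here can be requested (or executed) over HTTP.
const UPLOAD_DIR = '/var/uploads';

// Allow-list: MIME type detected from the file's bytes => extension to store it under.
const ALLOWED_TYPES = [
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
    'application/zip' => 'zip',
];

/**
 * Inspect the file content with the fileinfo extension and return a random
 * server-side name, or null when the content is not on the allow-list.
 * The client-supplied file name and extension are never consulted.
 */
function safe_name_for(string $tmpPath): ?string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    $ext   = is_string($mime) ? (ALLOWED_TYPES[$mime] ?? null) : null;
    if ($ext === null) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Request path: runs when a form posts a file in the field "upload".
if (isset($_FILES['upload']) && $_FILES['upload']['error'] === UPLOAD_ERR_OK) {
    $tmp  = $_FILES['upload']['tmp_name'];
    $name = is_uploaded_file($tmp) ? safe_name_for($tmp) : null;
    if ($name === null || !move_uploaded_file($tmp, UPLOAD_DIR . '/' . $name)) {
        http_response_code(400);
        exit('Upload rejected');
    }
    chmod(UPLOAD_DIR . '/' . $name, 0640); // readable, never executable
    exit('Stored');
}

// Command-line demo with constructed sample files: the label plays the role of
// the name the client claimed, the bytes are what was actually sent.
if (PHP_SAPI === 'cli') {
    $samples = [
        'photo.zip (PNG content)' => "\x89PNG\r\n\x1a\n\0\0\0\rIHDR"
            . pack('N2', 1, 1) . "\x08\x02\0\0\0",
        'tool.zip (MZ executable header)' => 'MZ' . str_repeat("\0", 62),
    ];
    foreach ($samples as $label => $bytes) {
        $tmp = tempnam(sys_get_temp_dir(), 'up');
        file_put_contents($tmp, $bytes);
        echo $label, ' => ', safe_name_for($tmp) ?? 'rejected', PHP_EOL;
        unlink($tmp);
    }
}
```

The stored extension comes from the detected content, so a renamed file is either stored under its real type or rejected.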
--- Begin Message ---
?? why would i not try it before posting heh :O
-----Original Message-----
From: Daniel Diehl [mailto:[EMAIL PROTECTED]
Sent: Sunday, March 23, 2003 12:23 AM
To: 'Dan Rossi'; 'Php-General'
Subject: RE: [PHP] variales within define constants
Just try it :)
> -----Original Message-----
> From: Dan Rossi [mailto:[EMAIL PROTECTED]
> Sent: Samstag, 22. März 2003 08:09
> To: Php-General
> Subject: [PHP] variales within define constants
>
>
> hi guys i'm sure i've done this before but is it possible ?
>
> i would like it to show up like this
>
> define('CONSTANT','Hello $var');
>
> $var = "Dan";
>
> echo CONSTANT
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
--- End Message ---
--- Begin Message ---
yes, you can do this, but you have the order wrong.
you must set the variable before you use it.
and you must have double quotes around the variable in the define() call.
single quotes denote a literal string which will not include the value of a
variable, you would end up echo'ing "Hello $var" instead of "Hello Dan"

$var = "Dan";
define('CONSTANT', "Hello $var");
echo CONSTANT;

Jim Lucas
--- End Message ---
--- Begin Message ---
hmm there is a problem, i set my defines in a defines.php file , i place it
right at the top of my main includes file , which sets the paths for other
include files , i have my function within a class , so the order is

include("defines.php");
include("class.php");
$class = new class;

would it work if i switch it ?

include("class.php");
$class = new class;
include("defines.php");

the variable is set within the class , it's an internal variable ie
$this->_variable;
--- End Message ---
--- Begin Message ---
ok i need to be able to predefine messages in a settings file , but need
dynamic variables to print out , the variables are within a class ,
basically i want the message settings separate from the class itself so they
are configurable, this is mostly needed for when emailing messages , i need to
be able to go Hello $username or Hello $this->username for example , is
there any way to do this ?
--- End Message ---
--- Begin Message ---
Hi everyone,
I have ALMOST gotten this working (mySQL part works).
I have gotten the advice that this is easier to do in PHP than to try
and make this query work in mySQL. Here is the query and a sampling of
the current results (from phpMyAdmin)

SELECT p.fname, p.lname,
       w.web_link,
       a.dra_id,
       dra.area,
       t.title
FROM tbl_personnel p
LEFT JOIN tbl_personnel_weblinks w ON p.id = w.person_id
LEFT JOIN tbl_personnel_dras a ON p.id = a.person_id
LEFT JOIN tbl_dra dra ON a.dra_id = dra.id
LEFT JOIN tbl_personnel_titles t ON p.id = t.person_id;

Because some of these people have multiple records in
tbl_personnel_dras AND in tbl_personnel_titles - I get many repeats of
each person (one for every combo). I was told this would be really
messy to deal with in SQL (though I am open) - but I have no idea where
to start in PHP. I would like to display the data to the web like:

fname lname
title(s) - (this would be the list of titles for this person)
Areas: area, area, area (this would be the list of areas in one place
as opposed to making the record repeat)

Thank you for any help.

The above query returns something like this (the first set are the
column names):

fname   | lname   | web_link | dra_id | area | title
--------|---------|----------|--------|------|------
Jeffrey | Whittle | NULL | NULL | NULL | Investigator
Jeffrey | Whittle | NULL | NULL | NULL | Staff Physician
Adam    | Gordon  | NULL | 5 | Mental Illness | Staff Physician
Adam    | Gordon  | NULL | 5 | Mental Illness | Assistant Professor of Medicine
Adam    | Gordon  | NULL | 5 | Mental Illness | Investigator, VISN4 Mental Illness Research, Educa...
Adam    | Gordon  | NULL | 5 | Mental Illness | Investigator, Center for Research on Health Care
Adam    | Gordon  | NULL | 5 | Mental Illness | Investigator
Adam    | Gordon  | NULL | 8 | Special (Underserved, High Risk) Populations | Staff Physician
Adam    | Gordon  | NULL | 8 | Special (Underserved, High Risk) Populations | Assistant Professor of Medicine
Adam    | Gordon  | NULL | 8 | Special (Underserved, High Risk) Populations | Investigator, VISN4 Mental Illness Research, Educa...
Adam    | Gordon  | NULL | 8 | Special (Underserved, High Risk) Populations | Investigator, Center for Research on Health Care
Adam    | Gordon  | NULL | 8 | Special (Underserved, High Risk) Populations | Investigator
--- End Message ---
--- Begin Message ---
Unless, of course, you need real text encoding.
XML-RPC *only* supports USASCII. No unicode, not even ISO-8859-1. And its
spec author actively fights /against/ improving this situation.
-Bill Kearney
"Tony Bibbs" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> That seems network intensive to me. Offering web services for some basic
> tasks makes sense but not making an entire application that does all
> functionality over the web will be slow and impractical.
>
> Also, consider XML-RPC. Some people insist on hammering a nail with a
> sledgehammer (soap) when a XML-RPC implementation (the hammer) is better
> suited.
>
> That said, I use both raw XML, XML-RPC and SOAP for various tasks.
>
> It doesn't have to be all or the other (not that you implied that)...
--- End Message ---
--- Begin Message ---
Anyone got a php script for generating sha1sum hashes from a short bit of text?
The target platform does not have any of the libraries, let alone the latest
php, installed.
So before I rewrite it in PHP I figured I'd ask....
-Bill Kearney
--- End Message ---
--- Begin Message ---
Chris Monson has written a pure PHP implementation of SHA. It is
available on PHP Classes at
http://phpclasses.promoxy.com/browse.html/package/65.html.
Jason
Bill Kearney wrote:
Anyone got a php script for generating sha1sum hashes from a short bit of text?
Hi Bill,
The target platform does not have any of the libraries, let alone the latest
php, installed.
So before I rewrite it in PHP I figured I'd ask....
-Bill Kearney
--- End Message ---
--- Begin Message ---
I am trying to build password authentication into a database front end
for a MySQL DB. I find the php docs on this point quite confusing so I
have a lot of questions.
I can use a one-way hash to do this if that's the best way, as I don't
need to retrieve the password. However if I could do so that has some
small advantages. So I am open to either symmetric or one-way
approaches.
First off, there are multiple encryption methods out there -- PHP
crypt() and the mcrypt functions, and MySQL encrypt(), for encryption;
and the md5 etc. functions for hashing. Is there any information on
best practices here, particularly in using PHP's encryption vs MySQL's?
Second, the PHP docs on crypt are, to me, a mess. Much of it suggests
passing the password back in as the salt for crypt, but this appears to
me to only be workable if DES is being used and the first two
characters of the password are the DES salt value. Since the actual
encryption method is installation-dependent the code in the docs:

    # You should pass the entire results of crypt() as the salt
    # for comparing a password, to avoid problems when different
    # hashing algorithms are used. (As it says above, standard
    # DES-based password hashing uses a 2-character salt, but
    # MD5-based hashing uses 12.)

    if (crypt($user_input,$password) == $password) {
        echo "Password verified!";
    }

seems to me to be exactly wrong -- what it does is *create* problems
with different hashing algorithms. Using $password as the salt here
only works for DES, for md5-based encryption it will fail as the first
12 characters of the password are not the md5 salt (are they?). What
am I missing here?
Third, I am curious as to the repeated statements as to why one must
use a different salt every time. For example, here's a user comment on
the crypt docs from the PHP web site:

    The only important consideration when generating a salt
    is to make sure that all salts are unique--that way the same
    password will be encrypted differently (i.e. the encrypted
    passwords will look different) for different users.

    One of the simplest ways to generate a unique salt is to use
    some string that will be different every time the procedure
    is called. Here's a simple example:

    $jumble = md5(time() . getmypid());
    $salt = substr($jumble,0,$salt_length);

My question is, why would I do this? If you are going to save the
password you can't use a random salt without saving the salt along with
the password so you can test it later. And if you do that, the
randomness loses its value -- if someone breaks in and finds the
encrypted password, they also get the salt. Again, am I missing
something? Is there some potential attack where the attacker can use
the repeatability of the password encryption or hashing algorithm to
their advantage even if they cannot break into the server to see the
encrypted data? If not, and they have to be able to break in to do the
attack then, again, they can read the salt.
Thanks for any comments or input.
----------
Tom Rawson
--- End Message ---
--- Begin Message ---
I just md5() the passwords, and reset them if needed... rather than
retrieving. The advantage for me on this is that it's portable... md5() is
part of the base PHP install, whereas the mcrypt stuff isn't (or wasn't).
Justin
--- End Message ---
--- Begin Message ---
On 23 Mar 2003 Justin French wrote:
> I just md5() the passwords, and reset them if needed... rather than
> retrieving. The advantage for me on this is that it's portable... md5() is
> part of the base PHP install, whereas the mcrypt stuff isn't (or wasn't).
Something like that was my inclination as it seems simpler.
One could also md5 the combined user / PW string, so the hash doesn't
correspond to a single password.
Do you know why there is all the stuff in the docs about using random
salts? That didn't make much sense to me.
----------
Tom Rawson
--- End Message ---
--- Begin Message ---
On Sat, 22 Mar 2003 09:31:14 -0500, you wrote:
>First off, there are multiple encryption methods out there -- PHP
>crypt() and the mcrypt functions, and MySQL encrypt(), for encryption;
>and the md5 etc. functions for hashing. Is there any information on
>best practices here, particularly in using PHP's encryption vs MySQL's?
I would suggest using the MySQL ENCRYPT(), SHA1(), or MD5() functions,
simply because if you write a new front-end in a different language,
there's no danger of losing native support for the hashing algorithm.
--- End Message ---
--- Begin Message ---
on 23/03/03 2:02 AM, [EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote:
> On 23 Mar 2003 Justin French wrote:
>
>> I just md5() the passwords, and reset them if needed... rather than
>> retrieving. The advantage for me on this is that it's portable... md5() is
>> part of the base PHP install, whereas the mcrypt stuff isn't (or wasn't).
>
> Something like that was my inclination as it seems simpler.
>
> One could also md5 the combined user / PW string, so the hash doesn't
> correspond to a single password.
>
> Do you know why there is all the stuff in the docs about using random
> salts? That didn't make much sense to me.
That's in the user notes... ignore it... md5() does not have to be salted...
in fact, you WANT the md5() to be static... because you will compare the
md5()'d password in the database with the md5()'d password that they submit
on a form.
Justin
--- End Message ---
--- Begin Message ---
You can use a static salt from within your application though.
Jason
--- End Message ---
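The questions raised in this thread about crypt() salts and unsalted md5(), worked through as an added example (not code from any poster or from the PHP manual). The two accounts and their shared password are constructed sample data, and the last step goes beyond the thread by using password_hash(), which PHP only gained in version 5.5.

```php
<?php
// Constructed sample data: two users who happen to choose the same password.
$users = ['alice' => 'correct-horse', 'bob' => 'correct-horse'];

// 1. Unsalted md5(): equal passwords produce equal hashes, so anyone holding
//    the table sees which accounts share a password, and one precomputed
//    lookup table applies to every row at once.
$unsalted = array_map('md5', $users);
printf("md5()  alice/bob hashes equal: %s\n",
    var_export($unsalted['alice'] === $unsalted['bob'], true));

// 2. crypt() with a random per-user salt, MD5 scheme.
//    The salt string is "$1$" + up to 8 salt characters + "$" (12 characters),
//    and crypt() copies that prefix into its output: $1$<salt>$<digest>.
function md5_crypt_salt(): string
{
    return '$1$' . bin2hex(random_bytes(4)) . '$';
}

// Passing the stored hash as the "salt" works because crypt() reads the scheme
// marker and the salt from the front of that string and ignores the rest.
function crypt_verify(string $input, string $stored): bool
{
    return hash_equals($stored, crypt($input, $stored));
}

$salted = [];
foreach ($users as $name => $password) {
    $salted[$name] = crypt($password, md5_crypt_salt());
}
printf("crypt() alice/bob hashes equal: %s\n",
    var_export($salted['alice'] === $salted['bob'], true));
printf("crypt() right password verifies: %s\n",
    var_export(crypt_verify('correct-horse', $salted['alice']), true));
printf("crypt() wrong password verifies: %s\n",
    var_export(crypt_verify('wrong-guess', $salted['alice']), true));

// The salt is stored in the clear next to the digest on purpose. Its job is
// not secrecy: it forces a separate guessing effort per account instead of
// one table for all of them.

// 3. password_hash() / password_verify(): salt generation, a deliberately
//    slow algorithm and constant-time comparison behind two calls.
$modern = password_hash($users['alice'], PASSWORD_DEFAULT);
printf("password_verify() right password: %s\n",
    var_export(password_verify('correct-horse', $modern), true));
printf("password_verify() wrong password: %s\n",
    var_export(password_verify('wrong-guess', $modern), true));
```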
--- Begin Message ---
When validating user input to remove quotes and other characters that
can be used for hacks, does one need to be concerned about the high-
ASCII characters which have 'quote' meanings (e.g. 0x91 - 0x94). I
presume not, but just wanted to verify that PHP will not interpret
these as quotes.
----------
Tom Rawson
--- End Message ---
--- Begin Message ---
On Sat, 22 Mar 2003 09:34:03 -0500, you wrote:
>When validating user input to remove quotes and other characters that
>can be used for hacks, does one need to be concerned about the high-
>ASCII characters which have 'quote' meanings (e.g. 0x91 - 0x94). I
>presume not, but just wanted to verify that PHP will not interpret
>these as quotes.
You should probably look at this function:
http://www.php.net/manual/en/function.htmlentities.php
The thing that is most likely to trip you up is people who cut'n'paste
from Word. High-ASCII characters can slip in like that, also some
characters that are common in European languages (accents and umlauts).
All of these need to be translated into HTML entities.
(ISTR there are a few additional characters you should add to the
translation table if you're doing WML, too.)
--- End Message ---
--- Begin Message ---
Why? You wouldn't even know it happened - nor would the site. This is just a
security precaution.
----- Original Message -----
From: "Jason Wong" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, March 22, 2003 2:25 AM
Subject: Re: [PHP] Sessions question
> On Saturday 22 March 2003 08:09, Beauford.2002 wrote:
> > I don't quite understand this. If a user is on my site and then decides to
> > go into his favourites and go to yahoo.com - this won't work. I think you
> > are assuming the user is going to click on something I have set up - I want
> > this to be invisible - however this user decides to leave my site. It
> > appears though from the answers I have received - that this is not
> > possible....
>
> You're right it is not possible and quite rightly so. I wouldn't want a site
> to know when I have 'left' their site.
>
> --
> Jason Wong -> Gremlins Associates -> www.gremlins.biz
> Open Source Software Systems Integrators
> * Web Design & Hosting * Internet & Intranet Applications Development *
> ------------------------------------------
> Search the list archives before you post
> http://marc.theaimsgroup.com/?l=php-general
> ------------------------------------------
> /*
> Lee's Law:
> Mother said there would be days like this,
> but she never said that there'd be so many!
> */
--- End Message ---
--- Begin Message ---
-> php-general.
I used such code:
$exp = 60*60*24*10; # for ten days.
session_set_cookie_params($exp);
But it works wrong - cookies were removed right after i have rebooted.
The other way is to put session id into the cookies, but...
Isn't it the same?
Thank you.
Yours, L0vCh1Y [EMAIL PROTECTED]
--- End Message ---
--- Begin Message ---
from the user posts at php.net
http://www.php.net/manual/en/function.session-set-cookie-params.php
The idea of a session is that it ends when the user closes the browser
(maybe even before hand). If you want a cookie to last longer, then use the
setcookie() function.
-Kevin
Sent out by
Joel Colombo
"L0vch1y" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> -> php-general.
>
> I used such code:
>
> $exp = 60*60*24*10; # for ten days.
> session_set_cookie_params($exp);
>
> But it works wrong - cookies were removed right after i have rebooted.
> The other way is to put session id into the cookies, but...
> Isn't it the same?
>
> Thank you.
>
>
> Yours, L0vCh1Y [EMAIL PROTECTED]
>
--- End Message ---
--- Begin Message ---
Hi,
As I believe, the sessions (session cookies) will expire after the
browser has been restarted. So even if you put the session id in a cookie,
after ten days you might have your old session id, but it would be deleted
from the server long ago. The server doesn't keep sessions for that long
periods of time due to the fact it would take up a lot of hard disk...
Session data is stored on the server, cookies on the browser..
If you wish to use the cookies and keep them for 10 days on the user's
computer you would just want to use normal cookies..
You would want to put this at the top of your page - before any output has
been sent...

<?php
setcookie("nameofcookie", "value of cookie", time()+600, "/");
?>

the time()+600 is in seconds, 600 = ten mins, so if you wanted it to expire
in ten days do the math.. :)
as for the "/", it means that it will be sent to all your files..
hope this helps in some way... I'm no expert...
Adam
--- End Message ---
--- Begin Message ---
Hello Joel,
Saturday, March 22, 2003, 9:52:20 PM, you wrote:
JC> from the user posts at php.net
JC> http://www.php.net/manual/en/function.session-set-cookie-params.php
JC> The idea of a session is that it ends when the user closes the browser
JC> (maybe even before hand). If you want a cookie to last longer, then use the
JC> setcookie() function.
JC> -Kevin
JC> Sent out by
JC> Joel Colombo
The manual was the first place i looked into.
session_set_cookie_params($exp) is a function introduced
to enable sessions to last as long as needed, as it sets up the cookies
sent by sessions (equal to the same function working with cookies). But
it looks like the server removes the session's data much earlier than i
need...
--
Best regards,
L0vCh1Y mailto:[EMAIL PROTECTED]
--- End Message ---
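The two lifetimes this thread runs into, the cookie's and the server-side session data's, set together in one place, as an added example (not code from any poster). The ten-day value comes from the thread; the function name, the `created` session key and the HTTPS-only cookie flag are assumptions, and the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Ten days, the lifetime asked for in the thread.
const SESSION_LIFETIME = 60 * 60 * 24 * 10;

/**
 * Start a session whose cookie AND server-side data both live for $lifetime
 * seconds, and enforce that limit on the server rather than trusting the
 * browser to drop the cookie.
 */
function start_long_session(int $lifetime = SESSION_LIFETIME): void
{
    // Server side: session files older than gc_maxlifetime may be deleted by
    // the garbage collector. If several applications share one
    // session.save_path, the smallest gc_maxlifetime among them wins, so a
    // long-lived session also needs its own save path.
    ini_set('session.gc_maxlifetime', (string) $lifetime);

    // Client side: without a lifetime the cookie is a browser-session cookie
    // and disappears when the browser closes.
    session_set_cookie_params([
        'lifetime' => $lifetime,
        'path'     => '/',
        'secure'   => true,   // assumption: the site is served over HTTPS
        'httponly' => true,   // keep the id away from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();

    $now = time();

    // Absolute expiry checked on the server: an old id that is presented
    // after the lifetime has passed gets an empty session and a fresh id.
    if (isset($_SESSION['created']) && $now - $_SESSION['created'] > $lifetime) {
        $_SESSION = [];
        session_regenerate_id(true);
    }

    // First request of a new (or just reset) session: record its start time.
    if (!isset($_SESSION['created'])) {
        $_SESSION['created'] = $now;
    }
}

start_long_session();
echo 'Session started at ', date('c', $_SESSION['created']), PHP_EOL;
```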
--- Begin Message ---
> Warning: ob_gzhandler() [ref.outcontrol]: output handler 'ob_gzhandler' cannot
> be used twice in /blahblah/includes/bottom.inc on line 25

I can't speak as to why this would only happen occasionally, but I
believe that you should comment out the output_buffering line in the
php.ini file when using the ob_gzhandler function. Or so says a
user-contributed note in the PHP manual...
Larry
--- End Message ---
--- Begin Message ---
In my PHP script I have coded e.g.:
$sql = "INSERT INTO `$owners` ( `FirstName`, `LastName`) VALUES (
'$firstname' , '$lastname' )";
$result = mysql_query($sql);
So along comes e.g. John O'Groats and nothing gets inserted into the
database.
OK, I can bypass my oversight by stripping out apostrophes from the
variable values. There has to be a better way please.
TIA
Mike
--- End Message ---
--- Begin Message ---
you must remove the backticks.
Jim
--- End Message ---
--- Begin Message ---
On Sat, 22 Mar 2003 17:50:30 +0000, you wrote:
>OK, I can bypass my oversight by stripping out apostrophes from the
>variable values. There has to be a better way please.
http://www.php.net/manual/en/function.mysql-escape-string.php
--- End Message ---
--- Begin Message ---
And you need to escape the values that you are inputting,
i.e. htmlspecialchars() or htmlentities() those values.
Jim
----- Original Message -----
From: "rentAweek Ltd" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, March 22, 2003 9:50 AM
Subject: [PHP] Separators in variable values causing MySQL commands to fail
> In my PHP script I have coded e.g.:
>
> $sql = "INSERT INTO `$owners` ( `FirstName`, `LastName`) VALUES (
> '$firstname' , '$lastname' )";
>
> $result = mysql_query($sql);
>
> So along comes e.g. John O'Groats and nothing gets inserted into the
> database.
>
> OK, I can bypass my oversight by stripping out apostrophes from the
> variable values. There has to be a better way please.
>
> TIA
>
> Mike
--- End Message ---
--- Begin Message ---
> OK, I can bypass my oversight by stripping out apostrophes from the
> variable values. There has to be a better way please.
Turn on Magic Quotes GPC or use the addslashes() function. Or, if you
want to be more precise and MySQL-specific, use the
mysql_escape_string() or mysql_real_escape_string() functions.
Larry
--- End Message ---
--- Begin Message ---
-> rentAweek,
rL> In my PHP script I have coded e.g.:
rL> $sql = "INSERT INTO `$owners` ( `FirstName`, `LastName`) VALUES (
rL> '$firstname' , '$lastname' )";
rL> $result = mysql_query($sql);
rL> So along comes e.g. John O'Groats and nothing gets inserted into the
rL> database.
rL> OK, I can bypass my oversight by stripping out apostrophes from the
rL> variable values. There has to be a better way please.
Why not just use addslashes() (mysql_escape_string()) & check if $result==true?
Yours, L0vCh1Y
--- End Message ---
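The "better way" asked for in this thread, as an added example that is not code from any of the posters: bound parameters keep the values out of the SQL text entirely, and the variable table name is checked against a fixed list because identifiers cannot be bound. It assumes a current PHP with PDO and uses an in-memory SQLite database as a stand-in for MySQL; the allow-list, function name and sample values are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list of tables that $owners may name.
const OWNER_TABLES = ['owners', 'archived_owners'];

function insertOwner(PDO $db, string $table, string $first, string $last): int
{
    // Identifiers cannot be sent as bound parameters, so a variable table
    // name is accepted only if it appears on the fixed allow-list.
    if (!in_array($table, OWNER_TABLES, true)) {
        throw new InvalidArgumentException("unknown table: $table");
    }
    // The values travel separately from the SQL text, so apostrophes need
    // neither stripping nor escaping.
    $stmt = $db->prepare(
        "INSERT INTO `$table` (`FirstName`, `LastName`) VALUES (?, ?)"
    );
    $stmt->execute([$first, $last]);
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE owners (
    id INTEGER PRIMARY KEY, FirstName TEXT, LastName TEXT)');

// Constructed inputs: the name from the thread, and one that mixes quote
// and comment characters.
insertOwner($db, 'owners', 'John', "O'Groats");
insertOwner($db, 'owners', 'Pat', "O'Brien -- \"the 2nd\"");

// Both rows come back byte for byte as they were submitted.
foreach ($db->query('SELECT FirstName, LastName FROM owners') as $row) {
    echo $row['FirstName'], ' | ', $row['LastName'], PHP_EOL;
}

// A table name that is not on the list is refused before any SQL is built.
try {
    insertOwner($db, 'not_a_listed_table', 'a', 'b');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

With a failing statement, PDO::ERRMODE_EXCEPTION raises an exception instead of returning false silently, which covers the "check if $result==true" advice as well.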
--- Begin Message ---
Sebastian wrote:
> put this in a .php file:
> <?php phpinfo(); ?>
> it'll tell you what OS, (usually)
> check if safe mode is on.. if it's on then usually you can't "exec"
> anything.
> cheers,
> - Sebastian
Yes I know but my aim is to make a php script which checks automatically
if the php and the shell functions I need are available.
Vincent.
--- End Message ---
--- Begin Message ---
On Sat, 22 Mar 2003 12:59:19 -0800, you wrote:
>Yes I know but my aim is to make a php script which checks automatically
>if the php and the shell functions I need are available.
If you look at the output of phpinfo() you'll see a whole bunch of
variables that are set differently depending on the OS (eg
SERVER_SOFTWARE, SystemRoot, _SERVER), although personally I would set
the name of the current OS in a configuration file. Less room for error
that way.
To discover whether an application exists, use system() to call it and
check the return value provided by the OS. I think you'll find it
returns FALSE on failure.
--- End Message ---
--- Begin Message ---
At 21:59 22.03.2003, Vincent M. said:
--------------------[snip]--------------------
>Yes I know but my aim is to make a php script which checks automatically
>if the php and the shell functions I need are available.
--------------------[snip]--------------------
You can use function_exists() and class_exists() to test against needed
implementations. Some extensions may have functions returning the installed
version as well.
--
>O Ernest E. Vogelsinger
(\) ICQ #13394035
^ http://www.vogelsinger.at/
--- End Message ---
--- Begin Message ---
Greetings all,
A while ago I was using asp and when I started using php the harder
thing to learn was "Dealing with dates". There isn't a datediff function
like asp.. Instead you have timestamps. Powerful it may be but a little
hard to learn about and use. Otherwise I find php to be very nice and
simple as well as powerful.
So what happens if you have two timestamps and you want to find out what
the difference is?
There has to be some function that I don't know about.. I have to be
missing something!
Adam
--- End Message ---
--- Begin Message ---
Hello Adam,
Since timestamps are in seconds you just subtract them and then use date
to convert it to a more human readable format.
<?php
$yesterday = time() - 86400;
print date('m/d/y', $yesterday);
?>
You could also use the strtotime function to convert a string to a
timestamp.
PHP has many date and time functions, take a look at
http://www.php.net/manual/en/ref.datetime.php.
Jason
Adam - wrote:
> Greetings all,
> A while ago I was using asp and when I started using php the harder
> thing to learn was "Dealing with dates". There isn't a datediff function
> like asp.. Instead you have timestamps. Powerful it may be but a little
> hard to learn about and use. Otherwise I find php to be very nice and
> simple as well as powerful.
> So what happens if you have two timestamps and you want to find out what
> the difference is?
> There has to be some function that I don't know about.. I have to be
> missing something!
> Adam
--- End Message ---
--- Begin Message ---
Hi y'all. I am working on a mail list app that's pretty simple...don't need to let
users post, only admins, and it's very straightforward. I tested it out with mail()
on 50 addresses, and it took 78 seconds plus massive server load. Part of that may be
the mail scanner we have, but I also know mail() opens a socket each time, and that's
gonna make it pretty slow too. Does anyone have any suggestions, or even examples of
what you've done for this type of thing? The load is about 3000 emails daily, all at
once (the client emails out daily specials to their clients), which at this rate would
take over an hour to send.
Also, and I might just not be paying attention, but is there any word about this list
going phpBB or the like sometime soon? That would be great.
Thanks again for your help.
-jason
--- End Message ---
--- Begin Message ---
Just don't use PHP for sending the mail like that.
It's better to have the mailserver run the list management. Then you only
send one message to the server, and its distribution list system handles
the delivery of all the messages.
Depending on the mailserver, your PHP would then only need to deal
with sending corrections for the dist list.
All mailservers are designed to handle massive mail loads like that. A
HTTP server with PHP definitely ain't. No matter what kind of mail actions
you do, you should always try to keep them away from the HTTP and other
webservice servers. HTTP management is a lot more complex than mail
handling, since the server has to deal with serving files while processing
requests. A mail server's job is usually done by just trotting through the
message from end to end ... which uses far less resources...
By using the mail listserver method, you also free up the HTTP server for
other tasks. It only has to generate the message once, and not n times...
HTH
Rene
On Sat, 22 Mar 2003 14:20:39 -0500, Jason Jacobs wrote about "[PHP]
creating mailing list in php?" what the universal translator turned into
this:
>Hi y'all. I am working on a mail list app that's pretty simple...don't need to let
>users post, only admins, and it's very straightforward. I tested it out with mail()
>on 50 addresses, and it took 78 seconds plus massive server load. Part of that may
>be the mail scanner we have, but I also know mail() opens a socket each time, and
>that's gonna make it pretty slow too. Does anyone have any suggestions, or even
>examples of what you've done for this type of thing? The load is about 3000 emails
>daily, all at once (the client emails out daily specials to their clients), which at
>this rate would take over an hour to send.
>
>Also, and I might just not be paying attention, but is there any word about this list
>going phpBB or the like sometime soon? That would be great.
>
>Thanks again for your help.
>
>-jason
--
Rene Brehmer
This message was written on 100% recycled spam.
Come see! My brand new site is now online!
http://www.metalbunny.net
--- End Message ---
--- Begin Message ---
I need to create a form where work/home address details need to be entered.
I'd like to have these listed as 2 entries in the mysql db so I'm assuming I
need to create an array and loop through the array to do the insert.
So I have an address[1] and address[2] for example.... for a total of 12
address fields in each set. (6 each)
My problem is that I'm not sure how to set up the array for the fields and
how to take the input fields and insert them. Do I need a multidimensional
array for this?
ie.
<input type="text" name="address[address][]">
<input type="text" name="address[city][]">
How would I decode that to create an insert statement??
Any suggestions are greatly appreciated!
Jason
--- End Message ---
--- Begin Message ---
At 20:59 22.03.2003, Jason Dulberg said:
--------------------[snip]--------------------
>My problem is that I'm not sure how to set up the array for the fields and
>how to take the input fields and insert them. Do I need a multidimensional
>array for this?
>
>ie.
><input type="text" name="address[address][]">
><input type="text" name="address[city][]">
>
>How would I decode that to create an insert statement??
--------------------[snip]--------------------
I believe your example would work. However since you have a definite number
of addresses you could add the index directly, as here:
<b>Home Address:</b><br />
<input type="text" name="address[address][0]">
<input type="text" name="address[city][0]">
<b>Work Address:</b><br />
<input type="text" name="address[address][1]">
<input type="text" name="address[city][1]">
When the form is received you will have an array for address that looks like
this:
$_REQUEST['address'] = array(
'address' => array(0 => 'home address', 1 => 'work address'),
'city' => array(0 => 'home city', 1 => 'work city'));
To insert the home address you'd create an SQL statement like this:
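for($i = 0; $i <= $number_of_addresses; ++$i) {
    // String values must be quoted in the SQL text, and must already be
    // escaped (addslashes() / mysql_escape_string()) when they get here.
    $sql = "insert into address(adress, city) values (" .
           "'{$_REQUEST['address']['address'][$i]}'," .
           "'{$_REQUEST['address']['city'][$i]}')";
    // more code
}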
Hope this helps,
--
>O Ernest E. Vogelsinger
(\) ICQ #13394035
^ http://www.vogelsinger.at/
--- End Message ---
--- Begin Message ---
Thanks for your help...
I tried the code as you suggested; however, when I attempted to echo the
variables for testing, nothing showed.
for($i = 0; $i <= 1; ++$i) {
echo "<p>address".$_POST['address']['address'][$i];
echo "<br>city".$_POST['address']['city'][$i];
}
The form fields are as you suggested as well.
Thanks again!
Jason
> -----Original Message-----
> From: Ernest E Vogelsinger [mailto:[EMAIL PROTECTED]
> Sent: March 22, 2003 4:05 PM
> To: Jason Dulberg
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP] array insert help
>
>
> At 20:59 22.03.2003, Jason Dulberg said:
> --------------------[snip]--------------------
> >My problem is that I'm not sure how to set up the array for the fields and
> >how to take the input fields and insert them. Do I need a multidimensional
> >array for this?
> >
> >ie.
> ><input type="text" name="address[address][]">
> ><input type="text" name="address[city][]">
> >
> >How would I decode that to create an insert statement??
> --------------------[snip]--------------------
>
> I believe your example would work. However since you have a definite number
> of addresses you could add the index directly, as here:
>
> <b>Home Address:</b><br />
> <input type="text" name="address[address][0]">
> <input type="text" name="address[city][0]">
>
> <b>Work Address:</b><br />
> <input type="text" name="address[address][1]">
> <input type="text" name="address[city][1]">
>
> When the form is received you will have an array for address that looks like
> this:
>
> $_REQUEST['address'] = array(
> 'address' => array(0 => 'home address', 1 => 'work address'),
> 'city' => array(0 => 'home city', 1 => 'work city'));
>
> To insert the home address you'd create an SQL statement like this:
>
> for($i = 0; $i <= $number_of_addresses; ++$i) {
> $sql = "insert into address(adress, city) values (" .
> "{$_REQUEST['address']['address'][$i]}," .
> "{$_REQUEST['address']['city'][$i]})";
> // more code
> }
>
> Hope this helps,
>
> --
> >O Ernest E. Vogelsinger
> (\) ICQ #13394035
> ^ http://www.vogelsinger.at/
>
>
--- End Message ---
--- Begin Message ---
At 22:24 22.03.2003, Jason Dulberg said:
--------------------[snip]--------------------
>Thanks for your help...
>
>I tried the code as you suggested; however, when I attempted to echo the
>variables for testing, nothing showed.
>
>for($i = 0; $i <= 1; ++$i) {
> echo "<p>address".$_POST['address']['address'][$i];
> echo "<br>city".$_POST['address']['city'][$i];
>}
--------------------[snip]--------------------
Jason,
I tried the following and it worked:
<form method="post">
<b>Home Address:</b><br />
<input type="text" name="address[address][0]" value="<?php echo $_POST['address']['address'][0]; ?>">
<input type="text" name="address[city][0]" value="<?php echo $_POST['address']['city'][0]; ?>">
<br />
<b>Work Address:</b><br />
<input type="text" name="address[address][1]" value="<?php echo $_POST['address']['address'][1]; ?>">
<input type="text" name="address[city][1]" value="<?php echo $_POST['address']['city'][1]; ?>">
<br />
<input type="submit">
</form>
<?php
for($i = 0; $i <= 1; ++$i) {
    echo "<p>address $i: ".$_POST['address']['address'][$i];
    echo "<br>city $i: ".$_POST['address']['city'][$i];
}
--
>O Ernest E. Vogelsinger
(\) ICQ #13394035
^ http://www.vogelsinger.at/
--- End Message ---
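The form above writes $_POST values straight back into value="..." attributes, and a client decides the shape of address[field][i]. The following added example (not code from the thread) reshapes the nested array into one row per address, rejects anything that is not a short string, and HTML-escapes on output. The function names, the 200-character limit and the sample input are assumptions made for the demo.

```php
<?php
declare(strict_types=1);

const ADDRESS_FIELDS = ['address', 'city']; // the two fields used in the thread
const ADDRESS_COUNT  = 2;                   // index 0 = home, 1 = work

/** Turn address[field][i] into rows [i][field], rejecting odd shapes. */
function addressRows(array $post): array
{
    $in = $post['address'] ?? [];
    $rows = [];
    for ($i = 0; $i < ADDRESS_COUNT; ++$i) {
        foreach (ADDRESS_FIELDS as $field) {
            $column = is_array($in) ? ($in[$field] ?? null) : null;
            $value  = is_array($column) ? ($column[$i] ?? '') : '';
            // address[city][0][]=x arrives as an array, not a string.
            if (!is_string($value) || strlen($value) > 200) {
                throw new InvalidArgumentException("bad value for {$field}[{$i}]");
            }
            $rows[$i][$field] = trim($value);
        }
    }
    return $rows;
}

/** Escape for HTML text or a double-quoted attribute value. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Re-render the inputs with the submitted values escaped. */
function renderInputs(array $rows): string
{
    $html = '';
    foreach ($rows as $i => $row) {
        foreach ($row as $field => $value) {
            $html .= sprintf(
                '<input type="text" name="address[%s][%d]" value="%s">' . "\n",
                h($field), $i, h($value)
            );
        }
    }
    return $html;
}

// Constructed sample of what $_POST holds after a submission.
$post = ['address' => [
    'address' => ['1 Main St "Rear"', '22 Dock Rd'],
    'city'    => ["St. John's", '<b>Leeds</b>'],
]];
echo renderInputs(addressRows($post));
```

Each row returned by addressRows() is then ready to be passed as bound parameters to a prepared INSERT rather than interpolated into the SQL string.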
--- Begin Message ---
ok - I know how to pass these variables by appending variables to the link.
however, I'm trying to pass the following string;
'2003-1-1 00:00:01' AND '2003-3-20 23:59:59'
now - when I pass it what I get is the following;
date='2003-2-1%2000:00:01'%20AND%20'2003-3-1%2023:59:59'
it seems what I'm going to have to do is replace %20 with a space, but I'm
unclear of how to do that with php.
thanks,
Jeff
--- End Message ---
--- Begin Message ---
ok - found urldecode which is now giving me the following;
\'2003-1-3 00:00:01\' AND \'2003-3-10 23:59:59\'
original string;
'2003-1-3 00:00:01' AND '2003-3-10 23:59:59'
"Domintcom" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> ok - I know how to pass these variables by appending variables to the link.
> however, I'm trying to pass the following string;
>
> '2003-1-1 00:00:01' AND '2003-3-20 23:59:59'
>
> now - when I pass it what I get is the following;
>
> date='2003-2-1%2000:00:01'%20AND%20'2003-3-1%2023:59:59'
>
> it seems what I'm going to have to do is replace %20 with a space, but I'm
> unclear of how to do that with php.
>
> thanks,
>
> Jeff
>
>
>
--- End Message ---
--- Begin Message ---
I just installed Win2k server and IIS (need it for a project I am doing) and
get the following error after installing PHP. All permissions are set
correctly. This appears to be a common problem as a search comes up with
hundreds of the same problem - funny though - no answers.
Any help is appreciated.
Technical Information (for support personnel)
a.. Background:
You have attempted to execute a CGI, ISAPI, or other executable program
from a directory that does not allow programs to be executed.
b.. More information:
Microsoft Support
--- End Message ---
--- Begin Message ---
Hi,
Just a thought. Have you put all the DLLs in the system32 folder?
Denis
----- Original Message -----
From: "Beauford.2002" <[EMAIL PROTECTED]>
To: "PHP General" <[EMAIL PROTECTED]>
Sent: Sunday, March 23, 2003 8:03 AM
Subject: [PHP] PHP and IIS
> I just installed Win2k server and IIS (need it for a project I am doing) and
> get the following error after installing PHP. All permissions are set
> correctly. This appears to be a common problem as a search comes up with
> hundreds of the same problem - funny though - no answers.
>
> Any help is appreciated.
>
>
>
> Technical Information (for support personnel)
>
>
> a.. Background:
> You have attempted to execute a CGI, ISAPI, or other executable program
> from a directory that does not allow programs to be executed.
>
>
> b.. More information:
> Microsoft Support
--- End Message ---
--- Begin Message ---
hi,
I need to search $final_footer for a string such as
%INCLUDE_FILE[/path/to/file]% (where /path/to/file could be anything) and
delete it from the string. It being %INCLUDE_FILE[/path/to/file]% (not just
/path/to/file).
I'm new to regexps but I'm guessing I should use preg_match for this?
Can someone give me a code example?
thanks much
Nate
--- End Message ---