php-general Digest 23 May 2011 08:14:00 -0000 Issue 7324
Topics (messages 313072 through 313087):
Re: Script ID?
313072 by: tedd
Re: Queries and Common Practices
313073 by: tedd
313074 by: Dotan Cohen
Re: context when calling non static method of class in a static way
313075 by: Mike Mackintosh
313076 by: admin.buskirkgraphics.com
313078 by: Simon Hilz
313079 by: Simon Hilz
313080 by: admin.buskirkgraphics.com
313081 by: admin.buskirkgraphics.com
313082 by: Simon Hilz
313083 by: Peter Lind
313085 by: Simon Hilz
313086 by: Richard Quadling
Re: A Review Request
313077 by: Nisse Engström
313084 by: tedd
313087 by: Ford, Mike
Administrivia:
To subscribe to the digest, e-mail:
php-general-digest-subscr...@lists.php.net
To unsubscribe from the digest, e-mail:
php-general-digest-unsubscr...@lists.php.net
To post to the list, e-mail:
php-gene...@lists.php.net
----------------------------------------------------------------------
--- Begin Message ---
At 1:47 PM -0400 5/21/11, Adam Richardson wrote:
On Sat, May 21, 2011 at 10:11 AM, tedd
<t...@sperling.com> wrote:
Hi gang:
Okay, so, what's the "best" (i.e., most secure) way for your script
to identify itself *IF* you plan on using that information later,
such as the value in an action attribute in a form?
For example, I was using:
$self = basename($_SERVER['SCRIPT_NAME']);
<form name="my_form" action="<?php echo($self); ?>" method="post" >
However, that was susceptible to XSS.
http://www.mc2design.com/blog/php_self-safe-alternatives
says a simple action="#" would work.
But is there a better way?
What would you do to solve this?
Cheers,
tedd
Tedd, I'm sorry for the confusion.
When I referenced that article, I was speaking to Alex as to why it
wouldn't be prudent for you to use PHP_SELF (as he had suggested to
avoid an additional function call) as opposed to what you were
currently using, basename($_SERVER['SCRIPT_FILENAME']).
My point, and the point of the article, was that PHP_SELF requires
special precautions. However, script_filename is not susceptible to
this type of attack, as it does not include data from the user:
http://php.about.com/od/learnphp/qt/_SERVER_PHP.htm
In fact, basename($_SERVER['SCRIPT_FILENAME']), and
basename(__FILE__) were two of the mitigation methods mentioned in
the closing of the article.
Try it out on your server:
<h1>PHP_SELF (dangerous)</h1>
<p><?php echo $_SERVER['PHP_SELF']; ?></p>
<h1>$_SERVER['SCRIPT_FILENAME']</h1>
<p><?php echo $_SERVER['SCRIPT_FILENAME']; ?></p>
<h1>$_SERVER['REQUEST_URI'] (dangerous)</h1>
<p><?php echo $_SERVER['REQUEST_URI']; ?></p>
<h1>__FILE__</h1>
<p><?php echo __FILE__; ?></p>
<h1>basename(__FILE__)</h1>
<p><?php echo basename(__FILE__); ?></p>
<h1>basename($_SERVER['SCRIPT_NAME'])</h1>
<p><?php echo basename($_SERVER['SCRIPT_NAME']); ?></p>
Try to enter the attack vector and you'll see PHP_SELF could be
terrible, but the basename option for script_filename and __FILE__
are immune.
Again, sorry for the confusion.
Adam
Adam:
Very interesting.
As I understand things, to remove an XSS threat from the method, you
have to get the script name from something other than a SuperGlobal
because SuperGlobals are subject to XSS attacks, right?
As such, using a predefined constant should be safe. I don't know
how, nor where, PHP gets the value, but I'm assuming it's not from
something that can be altered by someone outside the server.
So, is that the reason why you say that using __FILE__ is better at
getting the running script's name than using $_SERVER['PHP_SELF']?
Cheers,
tedd
--
-------
http://sperling.com/
--- End Message ---
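The following is an added example for the question in this thread; it is not code from any of the messages. It puts the candidate form-action sources side by side and shows that what removes the injection risk is escaping the value before it lands in an attribute, whatever its source. The PHP_SELF and SCRIPT_NAME values are constructed stand-ins (assumption: the script is /form.php and a request carried extra PATH_INFO); PHP 7 or later is assumed for the type declarations.

```php
<?php
// Added example (not from the thread): compare form-action sources and
// show that output escaping is what actually removes the XSS risk.

// Constructed values standing in for what a request with extra PATH_INFO
// would put into $_SERVER['PHP_SELF'] and $_SERVER['SCRIPT_NAME']
// (assumption: the script is /form.php).
$constructedPhpSelf    = '/form.php/"><em>injected</em>';
$constructedScriptName = '/form.php';

function escapeAttr(string $value): string
{
    // ENT_QUOTES escapes both ' and ", so the value cannot break out of an
    // attribute delimited by either quote style.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

function formActions(string $phpSelf, string $scriptName, string $file): array
{
    return [
        // Raw PHP_SELF: the PATH_INFO tail lands unescaped inside the attribute.
        'php_self_raw'     => $phpSelf,
        // Same value escaped: still carries PATH_INFO, but cannot break out.
        'php_self_escaped' => escapeAttr($phpSelf),
        // SCRIPT_NAME is set by the server and excludes PATH_INFO;
        // basename() drops the directory part.
        'script_name_base' => escapeAttr(basename($scriptName)),
        // __FILE__ is the filesystem path PHP compiled; it never contains
        // request data.
        'file_base'        => escapeAttr(basename($file)),
        // action="#" posts back to the current document; nothing to inject.
        'hash_action'      => '#',
    ];
}

foreach (formActions($constructedPhpSelf, $constructedScriptName, __FILE__) as $label => $action) {
    printf("%-17s <form action=\"%s\" method=\"post\">\n", $label, $action);
}
```

Run it from the command line and only the php_self_raw line produces a broken tag; every other line is a well-formed attribute. The thread's point holds (__FILE__ and SCRIPT_NAME contain no request data), but the escapeAttr() call is still the control to keep, because the rule "escape on output" does not depend on remembering which $_SERVER keys are user-influenced. Note that basename(__FILE__) is the filesystem name of the current file, which only equals the URL path when the web server maps the two directly (no rewrite rules or front controller in between).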
--- Begin Message ---
At 10:50 AM +0100 5/22/11, Ashley Sheridan wrote:
-snip-
but I also give the table a moniker which lets me shorten the
queries as I type:
SELECT p.id, p.name FROM people p WHERE p.gender = 'male'
This way, I can easily join in other tables, my typing is kept to a
minimum as I do it also.
Ash:
Whenever I see p.id (or similar) I think there is a join coming.
So, I always use:
SELECT id, name FROM people WHERE gender = 'male'
Unless there is a join, such as:
SELECT p.id, p.name, a.total FROM people p, accounts.a WHERE gender = 'male'
Cheers,
tedd
--
-------
http://sperling.com/
--- End Message ---
--- Begin Message ---
On Sun, May 22, 2011 at 17:38, tedd <tedd.sperl...@gmail.com> wrote:
> SELECT p.id, p.name, a.total FROM people p, accounts.a WHERE gender = 'male'
>
Finding the error in the above code is fun. I'm surprised I spotted it;
it shows how sensitive one gets to debugging.
For that matter, I like the OP's practice of redundancy in the name of
consistency. If nothing at the least, it gets us used to looking at
the code to debug as above.
--
Dotan Cohen
http://gibberish.co.il
http://what-is-what.com
--- End Message ---
--- Begin Message ---
Simon,
You may want to be careful with the way you declare your class methods.
Example:
public function bar() != static function bar(), even if you use
pnysudsfksdljfasdjfsd (::)
See the example below.
class Foo{
    static function barStatic()
    {
        echo get_class($this);
    }
    public function barPublic()
    {
        echo get_class($this);
    }
}
class Foobar{
    public function callBarStatic()
    {
        Foo::barStatic();
    }
    public function callBarPublic()
    {
        Foo::barPublic();
    }
}
$oo = new Foobar;
$oo->callBarStatic(); // returns only Foo
$oo->callBarPublic(); // returns Foobar
On May 22, 2011, at 10:17 AM, Simon Hilz wrote:
> hi,
>
> let's assume the following classes:
>
> class Foo{
>
> public function bar()
> {
> echo get_class($this);
> }
>
> }
>
> class Foobar{
>
> public function callBarStatic()
> {
> Foo::bar();
> }
>
> }
>
> the following code results in the output "Foobar":
>
> $obj = new Foobar();
> $obj->callBarStatic();
>
> That means that the static call of bar() is executed in the context of
> Foobar. Is this behavior deliberate? If so, it would open a great way of
> object composition patterns. But only if it will be retained in future
> versions :) (I've tested with 5.3.5)
>
>
> Simon Hilz
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
--- End Message ---
--- Begin Message ---
Simon,
So without extending foo you can run bar in another class?
Richard L. Buskirk
-----Original Message-----
From: Simon Hilz [mailto:simon.h...@gmx.de]
Sent: Sunday, May 22, 2011 10:18 AM
To: php-gene...@lists.php.net
Subject: [PHP] context when calling non static method of class in a static
way
hi,
let's assume the following classes:
class Foo{
public function bar()
{
echo get_class($this);
}
}
class Foobar{
public function callBarStatic()
{
Foo::bar();
}
}
the following code results in the output "Foobar":
$obj = new Foobar();
$obj->callBarStatic();
That means that the static call of bar() is executed in the context of
Foobar. Is this behavior deliberate? If so, it would open a great way of
object composition patterns. But only if it will be retained in future
versions :) (I've tested with 5.3.5)
Simon Hilz
--- End Message ---
--- Begin Message ---
Richard,
Yes! At least my example works. I didn't test it any further; I doubt it
is intended that way.
Simon Hilz
On 22.05.2011 16:42, ad...@buskirkgraphics.com wrote:
Simon,
So without extending foo you can run bar in another class?
Richard L. Buskirk
-----Original Message-----
From: Simon Hilz [mailto:simon.h...@gmx.de]
Sent: Sunday, May 22, 2011 10:18 AM
To: php-gene...@lists.php.net
Subject: [PHP] context when calling non static method of class in a static
way
hi,
let's assume the following classes:
class Foo{
public function bar()
{
echo get_class($this);
}
}
class Foobar{
public function callBarStatic()
{
Foo::bar();
}
}
the following code results in the output "Foobar":
$obj = new Foobar();
$obj->callBarStatic();
That means that the static call of bar() is executed in the context of
Foobar. Is this behavior deliberate? If so, it would open a great way of
object composition patterns. But only if it will be retained in future
versions :) (I've tested with 5.3.5)
Simon Hilz
--- End Message ---
--- Begin Message ---
Mike,
Yes, I know the difference. I actually discovered that by accident when
I forgot to write the static keyword. My code led to an exception. I
wondered about the details of that exception and came to the conclusion
that the behavior as described exists. In my opinion one could really use
that behavior for a design pattern in order to dynamically add abilities
to objects (e.g. implement a __call interceptor and statically call the
method of another "ability provider" class; it would behave
just like a native function of that object).
On 22.05.2011 16:47, Mike Mackintosh wrote:
Simon,
You may want to be careful with the way you declare your class methods.
Example:
public function bar() != static function bar(), even if you use
pnysudsfksdljfasdjfsd (::)
See the example below.
class Foo{
static function barStatic()
{
echo get_class($this);
}
public function barPublic()
{
echo get_class($this);
}
}
class Foobar{
public function callBarStatic()
{
Foo::barStatic();
}
public function callBarPublic()
{
Foo::barPublic();
}
}
$oo = new Foobar;
$oo->callBarStatic(); // returns only Foo
$oo->callBarPublic(); // returns Foobar
On May 22, 2011, at 10:17 AM, Simon Hilz wrote:
hi,
let's assume the following classes:
class Foo{
public function bar()
{
echo get_class($this);
}
}
class Foobar{
public function callBarStatic()
{
Foo::bar();
}
}
the following code results in the output "Foobar":
$obj = new Foobar();
$obj->callBarStatic();
That means that the static call of bar() is executed in the context of Foobar.
Is this behavior deliberate? If so, it would open a great way of object
composition patterns. But only if it will be retained in future versions :)
(I've tested with 5.3.5)
Simon Hilz
--- End Message ---
--- Begin Message ---
Simon,
To be honest if it works, I hope they do not fix it.
My only problem is that my classes are typically not in the same file but
they are extended.
I am going to try that on an extended class and see if I can instantiate a
method from another class in a separate file.
Richard L. Buskirk
-----Original Message-----
From: Simon Hilz [mailto:simon.h...@gmx.de]
Sent: Sunday, May 22, 2011 11:56 AM
To: php-gene...@lists.php.net
Subject: Re: [PHP] context when calling non static method of class in a
static way
Richard,
Yes! At least my example works. I didn't test it any further; I doubt it
is intended that way.
Simon Hilz
On 22.05.2011 16:42, ad...@buskirkgraphics.com wrote:
> Simon,
> So without extending foo you can run bar in another class?
>
>
> Richard L. Buskirk
>
>
> -----Original Message-----
> From: Simon Hilz [mailto:simon.h...@gmx.de]
> Sent: Sunday, May 22, 2011 10:18 AM
> To: php-gene...@lists.php.net
> Subject: [PHP] context when calling non static method of class in a static
> way
>
> hi,
>
> let's assume the following classes:
>
> class Foo{
>
> public function bar()
> {
> echo get_class($this);
> }
>
> }
>
> class Foobar{
>
> public function callBarStatic()
> {
> Foo::bar();
> }
>
> }
>
> the following code results in the output "Foobar":
>
> $obj = new Foobar();
> $obj->callBarStatic();
>
> That means that the static call of bar() is executed in the context of
> Foobar. Is this behavior deliberate? If so, it would open a great way of
> object composition patterns. But only if it will be retained in future
> versions :) (I've tested with 5.3.5)
>
>
> Simon Hilz
>
--- End Message ---
--- Begin Message ---
Correct that.
I do not know what I was even thinking when I wrote that response.
It does not make any sense whatsoever. The class is already extended; of
course I can call a method from it.
Sorry
Richard L. Buskirk
-----Original Message-----
From: Simon Hilz [mailto:simon.h...@gmx.de]
Sent: Sunday, May 22, 2011 11:56 AM
To: php-gene...@lists.php.net
Subject: Re: [PHP] context when calling non static method of class in a
static way
Richard,
Yes! At least my example works. I didn't test it any further; I doubt it
is intended that way.
Simon Hilz
On 22.05.2011 16:42, ad...@buskirkgraphics.com wrote:
> Simon,
> So without extending foo you can run bar in another class?
>
>
> Richard L. Buskirk
>
>
> -----Original Message-----
> From: Simon Hilz [mailto:simon.h...@gmx.de]
> Sent: Sunday, May 22, 2011 10:18 AM
> To: php-gene...@lists.php.net
> Subject: [PHP] context when calling non static method of class in a static
> way
>
> hi,
>
> let's assume the following classes:
>
> class Foo{
>
> public function bar()
> {
> echo get_class($this);
> }
>
> }
>
> class Foobar{
>
> public function callBarStatic()
> {
> Foo::bar();
> }
>
> }
>
> the following code results in the output "Foobar":
>
> $obj = new Foobar();
> $obj->callBarStatic();
>
> That means that the static call of bar() is executed in the context of
> Foobar. Is this behavior deliberate? If so, it would open a great way of
> object composition patterns. But only if it will be retained in future
> versions :) (I've tested with 5.3.5)
>
>
> Simon Hilz
>
--- End Message ---
--- Begin Message ---
The good thing about this "bug" would be that it's not necessary to
extend a class to use its methods as if they were defined in the
extending class. This way I think it would be possible to implement
something like multiple inheritance, which is currently not (that easily)
possible. When I find time I'll test how attributes behave that way.
On 22.05.2011 22:31, ad...@buskirkgraphics.com wrote:
Correct that.
I do not know what I was even thinking when I wrote that response.
It does not make any sense whatsoever. The class is already extended; of
course I can call a method from it.
Sorry
Richard L. Buskirk
-----Original Message-----
From: Simon Hilz [mailto:simon.h...@gmx.de]
Sent: Sunday, May 22, 2011 11:56 AM
To: php-gene...@lists.php.net
Subject: Re: [PHP] context when calling non static method of class in a
static way
Richard,
Yes! At least my example works. I didn't test it any further; I doubt it
is intended that way.
Simon Hilz
On 22.05.2011 16:42, ad...@buskirkgraphics.com wrote:
Simon,
So without extending foo you can run bar in another class?
Richard L. Buskirk
-----Original Message-----
From: Simon Hilz [mailto:simon.h...@gmx.de]
Sent: Sunday, May 22, 2011 10:18 AM
To: php-gene...@lists.php.net
Subject: [PHP] context when calling non static method of class in a static
way
hi,
let's assume the following classes:
class Foo{
public function bar()
{
echo get_class($this);
}
}
class Foobar{
public function callBarStatic()
{
Foo::bar();
}
}
the following code results in the output "Foobar":
$obj = new Foobar();
$obj->callBarStatic();
That means that the static call of bar() is executed in the context of
Foobar. Is this behavior deliberate? If so, it would open a great way of
object composition patterns. But only if it will be retained in future
versions :) (I've tested with 5.3.5)
Simon Hilz
--- End Message ---
--- Begin Message ---
class A {
    public function b() {
        echo get_class($this);
    }
    static function c() {
        echo get_class($this);
    }
}
class B {
    public function test(){
        A::b();
        A::c();
    }
}
$b = new B;
$b->test();
Generates:
Strict Standards: Non-static method A::b() should not be called
statically, assuming $this from incompatible context in /tmp/test.php
on line 14
B
Notice: Undefined variable: this in /tmp/test.php on line 8
A
I would never use code generating warnings and notices like that. I'd
look into late static bindings instead:
http://php.net/manual/en/language.oop5.late-static-bindings.php
Regards
Peter
--
<hype>
WWW: plphp.dk / plind.dk
LinkedIn: plind
BeWelcome/Couchsurfing: Fake51
Twitter: kafe15
</hype>
--- End Message ---
--- Begin Message ---
I can't reproduce that error. Which PHP version do you use?
I've coded an example for a "behavior" pattern:
=========================================================
error_reporting(E_ALL & E_STRICT); // E_ALL & E_STRICT is 0 on PHP 5.3 (E_STRICT only joined E_ALL in 5.4), so this silences all reporting; E_ALL | E_STRICT was presumably intended
class Car {
    private $fuel = 0;
    private $drivenDistance = 0;
    private $consumption = 0;
    private $behaviors = array();
    public function __construct($consumption)
    {
        $this->consumption = $consumption/100;
    }
    public function setFuel($fuel)
    {
        $this->fuel = $fuel;
    }
    public function getFuel()
    {
        return $this->fuel;
    }
    public function getConsumption()
    {
        return $this->consumption;
    }
    public function getDrivenDistance()
    {
        return $this->drivenDistance;
    }
    public function setDrivenDistance($drivenDistance)
    {
        $this->drivenDistance = $drivenDistance;
    }
    public function __call($name,$arguments)
    {
        // dispatch to the first registered behavior class that has a method of this name
        foreach($this->behaviors as $behavior)
        {
            if(in_array($name,get_class_methods($behavior)))
            {
                echo "call $behavior::$name (".implode(",",$arguments).")<br>";
                $behavior::$name($arguments[0]);
                break;
            }
        }
    }
    public function addBehavior($name)
    {
        if(class_exists($name))
        {
            $this->behaviors[] = $name;
        }
    }
}
class DriveBehavior
{
    public function drive($distance)
    {
        $this->setDrivenDistance($this->getDrivenDistance()+$distance);
        $this->setFuel($this->getFuel()-$distance*$this->getConsumption());
    }
}
class TankUpBehavior
{
    public function tankUp($fuel)
    {
        $this->setFuel($this->getFuel()+$fuel);
    }
}
$bmw = new Car(7.2);
$bmw->addBehavior("TankUpBehavior");
$bmw->addBehavior("DriveBehavior");
echo "Fuel of my new BMW with consumption 7.2l/100km: ".$bmw->getFuel()."<br>";
$bmw->tankUp(100);
echo "Fuel after tank up 100 l: ".$bmw->getFuel()."<br>";
$bmw->drive(24);
echo "Fuel after driving 24 km: ".$bmw->getFuel()."<br>";
=================== OUTPUT: ==============================
Fuel of my new BMW with consumption 7.2l/100km: 0
call TankUpBehavior::tankUp (100)
Fuel after tank up 100 l: 100
call DriveBehavior::drive (24)
Fuel after driving 24 km: 98.272
=========================================================
The strange thing: var_dump($this) always outputs the same object (as
identified by id), but the "behaviors" can only call the methods
defined in Car if they are defined public. If they are protected or
private they don't get called. No warning/error/whatever, just no call.
Attributes are not accessible either if defined protected or private, but
that throws the error "Cannot access private property"
(more or less as expected).
Simon Hilz
On 22.05.2011 23:18, Peter Lind wrote:
class A {
public function b() {
echo get_class($this);
}
static function c() {
echo get_class($this);
}
}
class B {
public function test(){
A::b();
A::c();
}
}
$b = new B;
$b->test();
Generates:
Strict Standards: Non-static method A::b() should not be called
statically, assuming $this from incompatible context in /tmp/test.php
on line 14
B
Notice: Undefined variable: this in /tmp/test.php on line 8
A
I would never use code generating warnings and notices like that. I'd
look into late static bindings instead:
http://php.net/manual/en/language.oop5.late-static-bindings.php
Regards
Peter
--- End Message ---
--- Begin Message ---
On 22 May 2011 22:44, Simon Hilz <simon.h...@gmx.de> wrote:
> I can't reproduce that error. Which PHP version do you use?
> I've coded an example for a "behavior" pattern:
>
Try with ...
<?php
error_reporting(-1);
ini_set('display_errors', 1);
class Car {
...
I get output of ...
Fuel of my new BMW with consumption 7.2l/100km: 0<br>call
TankUpBehavior::tankUp (100)<br>
Strict Standards: Non-static method TankUpBehavior::tankUp() should
not be called statically, assuming $this from incompatible context in
D:\Work\t1.php on line 50
Fuel after tank up 100 l: 100<br>call DriveBehavior::drive (24)<br>
Strict Standards: Non-static method DriveBehavior::drive() should not
be called statically, assuming $this from incompatible context in
D:\Work\t1.php on line 50
Fuel after driving 24 km: 98.272<br>
--
Richard Quadling
Twitter : EE : Zend : PHPDoc
@RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea
--- End Message ---
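An added example for this thread, written by the editor and not taken from any of the messages. It implements the "behavior" composition Simon sketches (the Car with tankUp/drive added at runtime) without calling non-static methods statically, which is the part that triggers the Strict Standards warnings Peter and Richard show and which PHP 8 turns into a fatal Error. Behaviors are closures rebound to the owning object with Closure::bind, so they see its private state exactly as a real method would, and an unknown method name fails loudly instead of silently doing nothing as the original __call does. PHP 7.4 or later is assumed for the typed properties; the Car, tankUp and drive names follow the thread, the rest is the editor's.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread): the "behavior" pattern without
// static calls of instance methods. Each behavior is a closure that is
// rebound to the Car with Car's class scope, so $this inside it is the
// Car and private properties are reachable, as they would be in a method.
final class Car
{
    private float $fuel = 0.0;
    private float $drivenDistance = 0.0;
    private float $consumption;          // litres per km
    /** @var array<string, Closure> */
    private array $behaviors = [];

    public function __construct(float $litresPer100km)
    {
        $this->consumption = $litresPer100km / 100;
    }

    // Register a behavior under the method name callers will use.
    public function addBehavior(string $name, Closure $behavior): void
    {
        $this->behaviors[$name] = Closure::bind($behavior, $this, self::class);
    }

    // Dispatch unknown method calls to a registered behavior; unlike a
    // silent fall-through, a missing behavior is reported to the caller.
    public function __call(string $name, array $arguments)
    {
        if (!isset($this->behaviors[$name])) {
            throw new BadMethodCallException(
                sprintf('%s::%s() is not defined', self::class, $name)
            );
        }
        return ($this->behaviors[$name])(...$arguments);
    }

    public function getFuel(): float { return $this->fuel; }
    public function getDrivenDistance(): float { return $this->drivenDistance; }
}

// Behaviors live outside the class as plain closures that use $this.
$tankUp = function (float $litres): float {
    $this->fuel += $litres;              // private property, reachable after bind
    return $this->fuel;
};
$drive = function (float $km): float {
    $needed = $km * $this->consumption;
    if ($needed > $this->fuel) {
        // The original behavior drove the tank negative; fail instead.
        throw new RuntimeException("not enough fuel for {$km} km");
    }
    $this->drivenDistance += $km;
    $this->fuel -= $needed;
    return $this->fuel;
};

$car = new Car(7.2);
$car->addBehavior('tankUp', $tankUp);
$car->addBehavior('drive', $drive);
$car->tankUp(100);
$car->drive(24);
printf("fuel %.3f l, driven %.1f km\n", $car->getFuel(), $car->getDrivenDistance());

try {
    $car->fly(10);                       // no such behavior: reported, not ignored
} catch (BadMethodCallException $e) {
    echo $e->getMessage(), "\n";
}
```

With error_reporting(-1) this runs clean on PHP 7.4 and 8.x and ends at the same 98.272 litres as the thread's output. The scope argument to Closure::bind is what grants the behavior access to private members, so it carries the same trust question as the static-call trick: only register behaviors from code you control, since a bound closure can read and write everything inside the Car.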
--- Begin Message ---
On Sat, 21 May 2011 09:26:02 -0400, tedd wrote:
> The function strcmp() simply evaluates two strings and reports back
> -1, 0, or 1 depending upon their alphabetical relationship.
It might do that, but don't bet your horse on it.
<http://se.php.net/manual/en/function.strcmp.php>
/Nisse
--- End Message ---
--- Begin Message ---
At 5:50 PM +0200 5/22/11, Nisse Engström wrote:
On Sat, 21 May 2011 09:26:02 -0400, tedd wrote:
The function strcmp() simply evaluates two strings and reports back
-1, 0, or 1 depending upon their alphabetical relationship.
It might do that, but don't bet your horse on it.
<http://se.php.net/manual/en/function.strcmp.php>
/Nisse
It works that way for me.
Cheers,
tedd
--
-------
http://sperling.com/
--- End Message ---
--- Begin Message ---
> -----Original Message-----
> From: tedd [mailto:tedd.sperl...@gmail.com]
> Sent: 22 May 2011 22:33
>
> At 5:50 PM +0200 5/22/11, Nisse Engström wrote:
> >On Sat, 21 May 2011 09:26:02 -0400, tedd wrote:
> >
> >> The function strcmp() simply evaluates two strings and reports
> back
> >> -1, 0, or 1 depending upon their alphabetical relationship.
> >
> >It might do that, but don't bet your horse on it.
> >
> ><http://se.php.net/manual/en/function.strcmp.php>
> >
> >/Nisse
>
> It works that way for me.
Are you absolutely certain about that?
echo strcmp('These are nearly equal', 'These are almost equal'), "\n";
echo strcmp('different', 'unequal'), "\n";
echo strcmp('b', 'a'), "<br />\n";
Result:
13
-17
1
The description of the function merely says that the result is <0, 0 or >0
-- it makes no promises about the actual value when it is non-zero.
Cheers!
Mike
--
Mike Ford,
Electronic Information Developer, Libraries and Learning Innovation,
Leeds Metropolitan University, C507 City Campus,
Woodhouse Lane, LEEDS, LS1 3HE, United Kingdom
Email: m.f...@leedsmet.ac.uk
Tel: +44 113 812 4730
To view the terms under which this email is distributed, please go to
http://disclaimer.leedsmet.ac.uk/email.htm
--- End Message ---
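An added example for this thread (the editor's, not from any message): it reruns Mike's three comparisons and sets a test that relies on strcmp() returning exactly 1 beside one that relies only on the sign. The magnitudes 13 and -17 Mike shows are the byte differences that PHP before 8.2 returns; PHP 8.2 and later return only -1, 0 or 1, so the fragile test gives different answers depending on the interpreter while the sign-based one does not. PHP 7 or later is assumed for the type declarations.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. strcmp() only promises the sign of its
// result: PHP before 8.2 returns the byte difference (13, -17 in Mike's run),
// PHP 8.2 and later return exactly -1, 0 or 1. Comparing against a specific
// non-zero value therefore depends on the interpreter version.

// Fragile: relies on strcmp() returning exactly 1 for "greater".
function isAfterFragile(string $a, string $b): bool
{
    return strcmp($a, $b) === 1;
}

// Robust: tests only the sign, which is all the documentation guarantees.
function isAfterRobust(string $a, string $b): bool
{
    return strcmp($a, $b) > 0;
}

// Normalise any strcmp() result to -1, 0 or 1 for callers that need a fixed
// value (for instance when the result is logged or compared across versions).
function compareSign(string $a, string $b): int
{
    return strcmp($a, $b) <=> 0;
}

// The three pairs are the inputs from Mike's message.
$pairs = [
    ['These are nearly equal', 'These are almost equal'],
    ['different', 'unequal'],
    ['b', 'a'],
];

foreach ($pairs as [$a, $b]) {
    printf(
        "strcmp=%3d  sign=%2d  fragile=%-5s robust=%s\n",
        strcmp($a, $b),
        compareSign($a, $b),
        isAfterFragile($a, $b) ? 'true' : 'false',
        isAfterRobust($a, $b) ? 'true' : 'false'
    );
}
```

On the first pair isAfterRobust() is true everywhere, while isAfterFragile() is false on PHP up to 8.1 (strcmp returns 13) and true from 8.2 on (strcmp returns 1); the 'b' versus 'a' pair agrees on every version only because the byte difference happens to be 1. Any comparator passed to usort() or written by hand should therefore test `< 0`, `=== 0` or `> 0`, never a particular non-zero value.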