php-general Digest 4 Dec 2006 07:54:00 -0000 Issue 4495

Topics (messages 245466 through 245474):

Random pictures - not twice
        245466 by: Gustav Wiberg
        245467 by: tg-php.gryffyndevelopment.com
        245468 by: Gustav Wiberg

Re: problem with register globals on new server
        245469 by: Richard Lynch

Re: Error in php doc?
        245470 by: Richard Lynch

Re: security and .htaccess
        245471 by: Richard Lynch
        245472 by: Anas Mughal
        245473 by: Frank Reichenbacher

Help me about audio stream...
        245474 by: Le Phuoc Canh

----------------------------------------------------------------------
--- Begin Message ---
Hi there!

I have created a script that generates random pictures...

<?php
//Random pictures
//
$pictures[0] = "bil1.gif";
$pictures[1] = "bil2.gif";
$pictures[2] = "bil3.gif";
$pictures[3] = "bil4.gif";


for ($i=0;$i<3;$i++) {
 $r = rand(0,3);
?>
<p>&nbsp;&nbsp;<img src="<?php echo $pictures[$r];?>"></p>
<?php

}
?>


With this above script the same picture can be shown twice. Is there any smart way of avoiding this without having to rely on cookies/sessionids?

Best regards
/Gustav Wiberg
Stammis Internet - http://www.stammis.com/ - pedigrees on the net

--- End Message ---
--- Begin Message ---
Without using cookies or session information, you're going to go through your 
picture list faster depending on how many users are accessing the random pic 
page.  If you don't make it user-specific, then it doesn't really matter if you 
go through the images sequentially.. it may appear random on the user end 
because other users are going to be grabbing sequential pics as well.

If you want to stir the waters a bit, you could run them sequentially but 
randomize the sequence.  This is what some music playlist programs do when you 
randomize a playlist.  Instead of pulling a random song from the list and 
risking playing the same song back to back, it just shuffles the playlist and 
plays it sequentially.  When you get to the end of your randomized list, you 
can re-shuffle it and start over.  This gives some semblance of randomness.

If you want to make sure each image gets its fair amount of time in the 
spotlight,  you could keep track of how many times each image has been 
displayed.  Having a database table with a list of all the image names and 
their 'served' count would let you weight your list a bit to give preference to 
the images that haven't been displayed that often.


And if you want to give each user the total package, you can keep track of how 
many times each image was served to a specific user and weight your shuffling 
that way.


I'm sure there are other ways, but there are just a few that may be viable for 
you, depending on the level of randomness per user you need.

Let us know what solution you come up with.  I'm sure others have had similar 
questions and just haven't asked.

-TG

--- End Message ---
--- Begin Message ---
Hi again!

I've solved it with array_rand. It wasn't that hard at all, just had to know which function to use! :-)

code:
<?php
//Random pictures
//
$pictures[0] = "bil1.gif";
$pictures[1] = "bil2.gif";
$pictures[2] = "bil3.gif";
$pictures[3] = "bil4.gif";

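// Since PHP 5.2.10 array_rand() returns the keys in their original order,
// so shuffle them before taking the first few.
$randomNr = array_rand($pictures, count($pictures));
shuffle($randomNr);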
$occurences = 3;

for ($i=0;$i<$occurences;$i++) {
?>
<img src="<?php echo $pictures[$randomNr[$i]];?>">
<?php
}

?>

Best regards
/Gustav Wiberg
Stammis Internet - http://www.stammis.com/ - pedigrees on the net

--- End Message ---
--- Begin Message ---
On Sun, December 3, 2006 5:22 am, Tony Marston wrote:
>
> "Richard Lynch" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
>> On Sat, December 2, 2006 5:31 am, Tony Marston wrote:
>> I think it is quite possible for a sysAdmin to configure AllowOverride
>> and .htaccess in such a way that "too much" latitude is granted to
>> their clients to access each others' data...
>
> I disagree. What directives can give you access to other people's
> data?

I believe I once managed to track down a bit of data using
FollowSymlink for a client that wasn't available otherwise.

In our case, it was data they actually had a legal/moral right to see,
but technical snafus were in the way.

Presumably all the other combinations of AllowOverride are not there
just for the sheer fun of complexity by the Apache team.

I'm betting that at least some of them have security trade-offs in
mind, and are not just about random features nor performance.

>> And there is alleged to be a significant performance loss to
>> .htaccess, so a hurried sysAdmin may have over-simplified their
>> decision process...
>
> "Alleged" is the word. Where are the figures to support this? While
> there is "some" performance loss, with the speed of today's PCs can
> this really be considered as "significant"?

I don't have benchmarks.

Do you?

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--- End Message ---
--- Begin Message ---
On Sun, December 3, 2006 4:39 am, MS P wrote:
> Hi. There seems to be a minor error in the page
> http://www.php.net/manual/en/features.file-upload.php. In Example 38-2
> "Validating file uploads", there is a line:
>
> $uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
>
> It looks like basename() is not required there. Because I found that
> when I upload a file using IE6 (IE6 includes the whole path to the
> uploaded file, see
> http://jakarta.apache.org/commons/fileupload/faq.html#whole-path-from-IE),
> the value of $_FILES['userfile']['name'] is a file name but not a
> path. It looks like php has taken the file name from the path
> automatically. (I am using php 5.2.0 and win2k.) Can someone check if
> I am correct? Thanks.

There are probably other reasons to keep that there...

For starters, IE is not the only browser, much less the only User Agent.

In particular, I would presume somebody out there has crafted an evil
uploader that sends paths like, oh, "../../../../../../etc/passwd" as
the 'name' of the upload.

If you are silly enough to blindly use that and overwrite your passwd
file, well, there ya go.

The 'name' field should not be trusted.  It comes from the user, and
anybody who can count past 10 with their shoes on could spoof it to
any value they like, including malicious values.

Plus, unless you check every single minor release version of PHP, you
can't be sure it ALWAYS stripped the path out.

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--- End Message ---
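
Added example, not part of the original thread or the PHP manual: one way to derive a destination path from the client-supplied 'name' that the reply above says must not be trusted. The function name safe_upload_target() and the sample names are hypothetical, and PHP 7.1 or later is assumed.

```php
<?php
// Added example; safe_upload_target() and the inputs below are hypothetical.

function safe_upload_target(string $uploadDir, string $clientName): ?string
{
    // Clients differ: some send a bare name, some a full client-side path,
    // and a hand-written client can send anything. Normalise "\" to "/"
    // first, because on non-Windows hosts basename() only splits on "/".
    $name = basename(str_replace('\\', '/', $clientName));

    // Keep a conservative character set; everything else becomes "_".
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);

    // Drop leading dots so the result is never ".", ".." or a dotfile
    // such as ".htaccess" landing in the upload directory.
    $name = ltrim($name, '.');
    if ($name === '') {
        return null;
    }

    // Resolve the upload directory itself; fail closed if it is missing.
    $base = realpath($uploadDir);
    if ($base === false) {
        return null;
    }
    return $base . DIRECTORY_SEPARATOR . $name;
}

// Constructed inputs standing in for $_FILES['userfile']['name'].
$samples = [
    'holiday.jpg',
    'C:\\Documents and Settings\\me\\holiday.jpg',
    '../../../../../../etc/passwd',
    '.htaccess',
    '..',
];

$dir = sys_get_temp_dir();
foreach ($samples as $clientName) {
    $target = safe_upload_target($dir, $clientName);
    printf("%-45s => %s\n", $clientName, $target ?? '(rejected)');
}
// In a real handler the next step would be
// move_uploaded_file($_FILES['userfile']['tmp_name'], $target).
```

Every accepted name resolves to a path directly inside the upload directory, whatever path components the client sent.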
--- Begin Message ---
On Sun, December 3, 2006 9:57 am, tedd wrote:
> At 10:35 PM +0100 12/2/06, Alain Roger wrote:
>>I'm working on .htaccess file for improving security.
>>Based on documentation from PHPSEC.org, we should be able to store
>>DB_USER login and DB_PASS password in some secret-stuff (for example)
>>file, which should be located outside root of web document root. (for
>>example in some /path_to_secret folder)
>
> The "path_to_secret folder" thing -- I have a question about.
>
> I'm working with what a host provides me and I've seen paths that I
> can traverse/access and paths in a .htaccess file that I can't. For
> example, in one site I see a .htaccess file that contains:
>
> AuthUserFile /home/admin/public_html/_vit_pvt/service.pwd
>
> But, the "_vit_pvt" folder is not apparent. I can't get to it -- is
> this a host file that only they can access, or is there a secret
> handshake I need to get to it, or what?

That's a bull-crap made-up directory reference that FrontPage or
something of that ilk added because everybody uses FrontPage, and
everybody uses their lame-brained "security" layout of weird directory
names.

Replace it with a real AuthUserFile reference.

:-)

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--- End Message ---
--- Begin Message ---
Sample ".htaccess" file that uses an authentication file:

Options -Indexes

AuthName "Photo Access"
AuthType Basic
AuthUserFile /home/me/BasicAuth/photo_users.txt

require valid-user

Hope this helps.
--
Anas Mughal

--- End Message ---
--- Begin Message ---
That is the MS FrontPage auth system. Directories beginning with _ underscores
cannot be viewed in your browser. Unless you want to dump FrontPage, you do not
want to be messing with this setup.

If you can't view these directories in FrontPage, it's because you do not have
the website set to show hidden files. Tools>Site Settings.

Frank

--- End Message ---
--- Begin Message ---
Dears,
I want to make a web app about music online. But I don't know how to use
streaming in PHP to load a music file for playing. Please help me for the
best direction.
Thanks a lot and best regards.

--- End Message ---
