[PHP-DOC] cvs: phpdoc /en/chapters security.xml

2003-06-20 Thread Derick Rethans
derick  Fri Jun 20 15:12:34 2003 EDT

  Removed files:   
/phpdoc/en/chapters security.xml 
  Log:
  - Moved to security/index.xml
  
  



-- 
PHP Documentation Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP-DOC] cvs: phpdoc /en/chapters security.xml /en/features file-upload.xml /en/language variables.xml /en/reference/oci8/functions ocinewdescriptor.xml /en/reference/yaz reference.xml

2003-06-12 Thread Gabor Hojtsy
Philip Olson wrote:
philip		Wed Jun 11 18:03:10 2003 EDT

  Modified files:  
/phpdoc/en/chapters	security.xml 
/phpdoc/en/features	file-upload.xml 
/phpdoc/en/language	variables.xml 
/phpdoc/en/reference/oci8/functions	ocinewdescriptor.xml 
/phpdoc/en/reference/yaz	reference.xml 
  Log:
  Use of proper case
Just a note: the HTML 4.01 DTD defines the possible values 
(GET|POST) [case insensitive], but the XHTML 1.0 DTD defines it as 
(get|post) [case sensitive].

http://www.w3.org/TR/xhtml1/dtds.html#dtdentry_xhtml1-strict.dtd_form

This section details that in HTML 4.01 these were case insensitive, 
while in XHTML 1, these are case sensitive: 
http://www.w3.org/TR/xhtml1/#h-4.11

So the future compatible method= is get and post, lowercased, not the 
uppercased one you introduced. I know we mostly have HTML examples and 
not XHTML ones, but we are going to have XHTML ones in the future I suppose.

Goba



[PHP-DOC] cvs: phpdoc /en/chapters security.xml /en/features file-upload.xml /en/language variables.xml /en/reference/oci8/functions ocinewdescriptor.xml /en/reference/yaz reference.xml

2003-06-11 Thread Philip Olson
philip  Wed Jun 11 18:03:10 2003 EDT

  Modified files:  
/phpdoc/en/chapters security.xml 
/phpdoc/en/features file-upload.xml 
/phpdoc/en/language variables.xml 
/phpdoc/en/reference/oci8/functions ocinewdescriptor.xml 
/phpdoc/en/reference/yaz reference.xml 
  Log:
  Use of proper case
  
  
Index: phpdoc/en/chapters/security.xml
diff -u phpdoc/en/chapters/security.xml:1.56 phpdoc/en/chapters/security.xml:1.57
--- phpdoc/en/chapters/security.xml:1.56Wed May 21 06:34:22 2003
+++ phpdoc/en/chapters/security.xml Wed Jun 11 18:03:09 2003
@@ -1,5 +1,5 @@
 ?xml version=1.0 encoding=iso-8859-1?
-!-- $Revision: 1.56 $ --
+!-- $Revision: 1.57 $ --
  chapter id=security
   titleSecurity/title
 
@@ -920,7 +920,7 @@
  titleAttacking Variables with a custom HTML page/title
  programlisting role=php
 ![CDATA[
-form method=post action=attacktarget?username=badfoopassword=badfoo
+form method=POST action=attacktarget?username=badfoopassword=badfoo
 input type=hidden name=username value=badfoo
 input type=hidden name=password value=badfoo
 /form
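Review bot: uppercasing `method=POST` trades XHTML validity for HTML 4.01 style. The XHTML 1.0 DTD enumerates the attribute as (get|post) and is case-sensitive, so only the lowercase form validates there, while HTML 4.01 accepts either. Since the manual's examples are expected to become XHTML, keep `method=post` here and in the matching hunk at line 947 (Gabor Hojtsy's reply in this thread gives the W3C references).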
@@ -947,7 +947,7 @@
  titleExploiting common debugging variables/title
  programlisting role=php
 ![CDATA[
-form method=post action=attacktarget?errors=Yamp;showerrors=1debug=1
+form method=POST action=attacktarget?errors=Yamp;showerrors=1debug=1
 input type=hidden name=errors value=Y
 input type=hidden name=showerrors value=1
 input type=hidden name=debug value=1
Index: phpdoc/en/features/file-upload.xml
diff -u phpdoc/en/features/file-upload.xml:1.61 phpdoc/en/features/file-upload.xml:1.62
--- phpdoc/en/features/file-upload.xml:1.61 Wed Jun 11 17:13:57 2003
+++ phpdoc/en/features/file-upload.xml  Wed Jun 11 18:03:09 2003
@@ -1,5 +1,5 @@
 ?xml version=1.0 encoding=iso-8859-1?
-!-- $Revision: 1.61 $ --
+!-- $Revision: 1.62 $ --
  chapter id=features.file-upload
   titleHandling file uploads/title
 
@@ -40,7 +40,7 @@
  titleFile Upload Form/title
  programlisting role=html
 ![CDATA[
-form enctype=multipart/form-data action=_URL_ method=post
+form enctype=multipart/form-data action=_URL_ method=POST
 input type=hidden name=MAX_FILE_SIZE value=3
 Send this file: input name=userfile type=file
 input type=submit value=Send File
@@ -355,7 +355,7 @@
  titleUploading multiple files/title
  programlisting role=html
 ![CDATA[
-form action=file-upload.php method=post enctype=multipart/form-data
+form action=file-upload.php method=POST enctype=multipart/form-data
   Send these files:br
   input name=userfile[] type=filebr
   input name=userfile[] type=filebr
Index: phpdoc/en/language/variables.xml
diff -u phpdoc/en/language/variables.xml:1.61 phpdoc/en/language/variables.xml:1.62
--- phpdoc/en/language/variables.xml:1.61   Sat Jun  7 13:40:41 2003
+++ phpdoc/en/language/variables.xmlWed Jun 11 18:03:09 2003
@@ -1,5 +1,5 @@
 ?xml version=1.0 encoding=iso-8859-1?
-!-- $Revision: 1.61 $ --
+!-- $Revision: 1.62 $ --
  chapter id=language.variables
   titleVariables/title
   
@@ -753,7 +753,7 @@
   titleA simple HTML form/title
   programlisting role=html
 ![CDATA[
-form action=foo.php method=post
+form action=foo.php method=POST
 Name:  input type=text name=usernamebr
 Email: input type=text name=emailbr
 input type=submit name=submit value=Submit me!
@@ -859,7 +859,7 @@
 print '/pre';
 } else {
 ?
-form action=?php echo $HTTP_SERVER_VARS['PHP_SELF']; ? method=post
+form action=?php echo $HTTP_SERVER_VARS['PHP_SELF']; ? method=POST
 Name:  input type=text name=personal[name]br
 Email: input type=text name=personal[email]br
 Beer: br
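Review bot: the `$HTTP_SERVER_VARS['PHP_SELF']` echo in the form's action attribute prints a request-derived value into markup unescaped; for a manual example, wrap it as `htmlspecialchars($HTTP_SERVER_VARS['PHP_SELF'])` so a crafted request path cannot break out of the attribute. The `POST` case point is the same as for security.xml: the XHTML DTD wants lowercase `post`.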
Index: phpdoc/en/reference/oci8/functions/ocinewdescriptor.xml
diff -u phpdoc/en/reference/oci8/functions/ocinewdescriptor.xml:1.3 
phpdoc/en/reference/oci8/functions/ocinewdescriptor.xml:1.4
--- phpdoc/en/reference/oci8/functions/ocinewdescriptor.xml:1.3 Mon Feb 10 22:06:15 
2003
+++ phpdoc/en/reference/oci8/functions/ocinewdescriptor.xml Wed Jun 11 18:03:09 
2003
@@ -1,5 +1,5 @@
 ?xml version=1.0 encoding=iso-8859-1?
-!-- $Revision: 1.3 $ --
+!-- $Revision: 1.4 $ --
 !-- splitted from ./en/functions/oci8.xml, last change in rev 1.2 --
   refentry id=function.ocinewdescriptor
refnamediv
@@ -62,13 +62,13 @@
 ?php
 /* This script demonstrates file upload to LOB columns
  * The formfield used for this example looks like this
- * form action=upload.php method=post enctype=multipart/form-data
+ * form action=upload.php method=POST enctype=multipart/form-data
  * input type=file name=lob_upload
  * ...
  */
   if(!isset($lob_upload) || $lob_upload == 'none'){
 ?
-form action=upload.php method=post enctype=multipart/form-data
+form action=upload.php method=POST enctype=multipart/form-data
 Upload file: input type=file name=lob_uploadbr
 input type=submit value=Upload - input type=reset
 /form
Index: phpdoc/en/reference/yaz/reference.xml
diff -u phpdoc/en/reference/yaz/reference.xml:1.9 

[PHP-DOC] cvs: phpdoc /en/chapters security.xml

2003-03-26 Thread Andrew Lindeman
alindeman   Wed Mar 26 21:35:18 2003 EDT

  Modified files:  
/phpdoc/en/chapters security.xml 
  Log:
  fixing bug #22915
  
  
Index: phpdoc/en/chapters/security.xml
diff -u phpdoc/en/chapters/security.xml:1.51 phpdoc/en/chapters/security.xml:1.52
--- phpdoc/en/chapters/security.xml:1.51Sun Jan 19 05:30:14 2003
+++ phpdoc/en/chapters/security.xml Wed Mar 26 21:35:18 2003
@@ -1,5 +1,5 @@
 ?xml version=1.0 encoding=iso-8859-1?
-!-- $Revision: 1.51 $ --
+!-- $Revision: 1.52 $ --
  chapter id=security
   titleSecurity/title
 
@@ -1011,7 +1011,7 @@
 $good_login = 1;
 }
 if ($good_login == 1) { // If above test fails, not initialized or checked before 
usage
-fpassthru (/highly/sensitive/data/index.html);
+readfile (/highly/sensitive/data/index.html);
 }
 ?
 ]]
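Review bot: fpassthru() takes an already-open file handle, so calling it with a path string was a real bug in the listing, and readfile(), which takes a path, is the right replacement in all four hunks. The comment on the `if ($good_login == 1)` line ('If above test fails, not initialized or checked before usage') still states the register_globals point the example exists to show, so the substance of the deliberately unsafe example is unchanged by this fix.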
@@ -1046,7 +1046,7 @@
 }
 
 if ($good_login == 1) { // can be forged by a user in get/post/cookies,
-fpassthru (/highly/sensitive/data/index.html);
+readfile (/highly/sensitive/data/index.html);
 }
 ?
 ]]
@@ -1060,7 +1060,7 @@
 if($_COOKIE['username']){
 // can only come from a cookie, forged or otherwise
 $good_login = 1;
-fpassthru (/highly/sensitive/data/index.html);
+readfile (/highly/sensitive/data/index.html);
 }
 ?
 ]]
@@ -1083,7 +1083,7 @@
 !$_GET['username'] ) {
 // Perform other checks to validate the user name...
 $good_login = 1;
-fpassthru (/highly/sensitive/data/index.html);
+readfile (/highly/sensitive/data/index.html);
 } else {
mail([EMAIL PROTECTED], Possible breakin attempt, $_SERVER['REMOTE_ADDR']);
echo Security violation, admin has been alerted.;






[PHP-DOC] cvs: phpdoc /en/chapters security.xml

2003-01-19 Thread Thomas Schoefbeck
tom Sun Jan 19 05:30:14 2003 EDT

  Modified files:  
/phpdoc/en/chapters security.xml 
  Log:
  typo
  
Index: phpdoc/en/chapters/security.xml
diff -u phpdoc/en/chapters/security.xml:1.50 phpdoc/en/chapters/security.xml:1.51
--- phpdoc/en/chapters/security.xml:1.50Sat Jan 18 14:58:04 2003
+++ phpdoc/en/chapters/security.xml Sun Jan 19 05:30:14 2003
@@ -1,5 +1,5 @@
 ?xml version=1.0 encoding=iso-8859-1?
-!-- $Revision: 1.50 $ --
+!-- $Revision: 1.51 $ --
  chapter id=security
   titleSecurity/title
 
@@ -561,7 +561,7 @@
  informations in this way will be a hard work.
 /simpara
 !--simpara
- If your database server have native SSL support, consider to use link
+ If your database server has native SSL support, consider to use link
  linkend=ref.opensslOpenSSL functions/link in communication between
  PHP and database via SSL.
 /simpara--
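Review bot: this fix lands inside an XML comment (`!--simpara ... /simpara--`), so the rendered manual does not change. If the paragraph is to be uncommented later, also change 'consider to use' to 'consider using' and make the link text read 'the OpenSSL functions'.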







[PHP-DOC] cvs: phpdoc /en/chapters security.xml

2003-01-18 Thread Alexey Asemov
alexws  Sat Jan 18 14:58:04 2003 EDT

  Modified files:  
/phpdoc/en/chapters security.xml 
  Log:
  Fixed some bugs during translation (added quotes somewhere) and something else.
  
Index: phpdoc/en/chapters/security.xml
diff -u phpdoc/en/chapters/security.xml:1.49 phpdoc/en/chapters/security.xml:1.50
--- phpdoc/en/chapters/security.xml:1.49Wed Sep 18 09:18:34 2002
+++ phpdoc/en/chapters/security.xml Sat Jan 18 14:58:04 2003
@@ -1,5 +1,5 @@
 ?xml version=1.0 encoding=iso-8859-1?
-!-- $Revision: 1.49 $ --
+!-- $Revision: 1.50 $ --
  chapter id=security
   titleSecurity/title
 
@@ -387,7 +387,7 @@
 $username = $_POST['user_submitted_name'];
 $homedir = /home/$username;
 $file_to_delete = $userfile;
-unlink ($homedir/$userfile);
+unlink ($homedir/$userfile);
 echo $file_to_delete has been deleted!;
 ?
 ]]
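Review bot: the `-` and `+` lines of this hunk are identical in the archived mail (the quotes the log says were added have been stripped), so the actual change cannot be reviewed here. Separately, `$file_to_delete = $userfile;` is assigned but the unlink() call uses `$homedir/$userfile` directly, so the variable only feeds the echo; either use it in the unlink() call or drop it. The listing is the chapter's deliberately unsafe example (unvalidated $_POST input becomes a filesystem path), so that behaviour should stay exactly as written.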
@@ -561,7 +561,7 @@
  informations in this way will be a hard work.
 /simpara
 !--simpara
- If your database server native SSL support, consider to use link
+ If your database server have native SSL support, consider to use link
  linkend=ref.opensslOpenSSL functions/link in communication between
  PHP and database via SSL.
 /simpara--
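Review bot: 'If your database server have native SSL support' still disagrees in number; it should read 'has' (the subject is singular). As this is inside a commented-out simpara, nothing renders either way.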







[PHP-DOC] cvs: phpdoc /en/chapters security.xml

2002-09-18 Thread Derick Rethans

derick  Wed Sep 18 09:18:35 2002 EDT

  Modified files:  
/phpdoc/en/chapters security.xml 
  Log:
  - Remove double denial
  
  
Index: phpdoc/en/chapters/security.xml
diff -u phpdoc/en/chapters/security.xml:1.48 phpdoc/en/chapters/security.xml:1.49
--- phpdoc/en/chapters/security.xml:1.48Sun Jun 16 03:11:00 2002
+++ phpdoc/en/chapters/security.xml Wed Sep 18 09:18:34 2002
 -1,5 +1,5 
 ?xml version=1.0 encoding=iso-8859-1?
-!-- $Revision: 1.48 $ --
+!-- $Revision: 1.49 $ --
  chapter id=security
   titleSecurity/title
 
 -1037,7 +1037,7 
 to work with PHP, it has been argued that the benefits far
 outweigh the effort.
 example
- titleWorking without register_globals=off/title
+ titleWorking with register_globals=on/title
  programlisting role=php
 ![CDATA[
 ?php







[PHP-DOC] cvs: phpdoc /en/chapters security.xml

2002-02-27 Thread Thomas Schoefbeck

tom Wed Feb 27 14:05:45 2002 EDT

  Modified files:  
/phpdoc/en/chapters security.xml 
  Log:
  reformatted code for a better html-reading
  
Index: phpdoc/en/chapters/security.xml
diff -u phpdoc/en/chapters/security.xml:1.44 phpdoc/en/chapters/security.xml:1.45
--- phpdoc/en/chapters/security.xml:1.44Wed Feb 27 02:35:51 2002
+++ phpdoc/en/chapters/security.xml Wed Feb 27 14:05:44 2002
@@ -1,5 +1,5 @@
 ?xml version=1.0 encoding=iso-8859-1?
-!-- $Revision: 1.44 $ --
+!-- $Revision: 1.45 $ --
  chapter id=security
   titleSecurity/title
 
@@ -784,7 +784,9 @@
  informalexample
   programlisting role=php
 ![CDATA[
-$query  = SELECT * FROM products WHERE id LIKE '%a%' exec master..xp_cmdshell 'net 
user test testpass /ADD'--;
+$query  = SELECT * FROM products
+WHERE id LIKE '%a%'
+exec master..xp_cmdshell 'net user test testpass /ADD'--;
 $result = mssql_query($query);
 ]]
   /programlisting
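Review bot: breaking the double-quoted string over three lines keeps the PHP valid and puts literal newlines into the SQL, which T-SQL treats as whitespace, so the reformat is behaviour-neutral. A short sentence in the prose saying the line breaks are for readability only would avoid readers taking the layout as significant.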
@@ -853,10 +855,11 @@
  programlisting role=php
 ![CDATA[
 settype($offset, 'integer');
-$query  = SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET $offset;;
+$query = SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET $offset;;
 
 // please note %d in the format string, using %s would be meaningless
-$query  = sprintf(SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET %d;, 
$offset);
+$query = sprintf(SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET %d;,
+ $offset);
 ]]
  /programlisting
 /example
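Review bot: the two `$query` assignments are alternatives, but as written the second silently overwrites the first, so a reader may think both steps are required; label them ('// option 1: cast first, then interpolate' / '// option 2: sprintf() with %d') or split them into two listings. Both are sound: after settype($offset, 'integer') interpolation can only produce digits, and %d in sprintf() likewise forces an integer. The comment 'using %s would be meaningless' understates the point: %s would reintroduce exactly the injection this section warns about.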





[PHP-DOC] cvs: phpdoc /en/chapters security.xml

2002-02-04 Thread Gyozo Papp

gerzson Mon Feb  4 06:51:23 2002 EDT

  Modified files:  
/phpdoc/en/chapters security.xml 
  Log:
  some spelling errors and typos corrected
  
Index: phpdoc/en/chapters/security.xml
diff -u phpdoc/en/chapters/security.xml:1.42 phpdoc/en/chapters/security.xml:1.43
--- phpdoc/en/chapters/security.xml:1.42Mon Jan 21 09:36:58 2002
+++ phpdoc/en/chapters/security.xml Mon Feb  4 06:51:22 2002
@@ -1,5 +1,5 @@
 ?xml version=1.0 encoding=iso-8859-1?
-!-- $Revision: 1.42 $ --
+!-- $Revision: 1.43 $ --
  chapter id=security
   titleSecurity/title
 
@@ -570,13 +570,13 @@
sect2 id=security.database.storage
 titleEncrypted Storage Model/title
 simpara
- SSL/SSH protects data traveling from the client to the server, SSL/SSH
+ SSL/SSH protects data travelling from the client to the server, SSL/SSH
  does not protect the persistent data stored in a database. SSL is an
  on-the-wire protocol.
 /simpara
 simpara
  Once an attacker gains access to your database directly (bypassing the
- webserver), the stored sensitive data may be exposed or misused unless,
+ webserver), the stored sensitive data may be exposed or misused, unless
  the information is protected by the database itself. Encrypting the data
  is a good way to mitigate this threat, but very few databases offer this
  type of data encryption.
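Review bot: 'traveling' and 'travelling' are both correct (US vs. British spelling); check which the manual standardises on before changing it. The first sentence is still a comma splice ('...to the server, SSL/SSH does not protect...'); use a semicolon or 'but'. Moving the comma to 'misused, unless' is right.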
@@ -613,7 +613,7 @@
 $result = pg_exec($connection, $query);
 
 if (pg_numrows($result)  0) {
-echo Wellcome, $username!;
+echo Welcome, $username!;
 }
 else {
 echo Authentication failed for $username.;
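Review bot: besides the spelling fix, `echo Welcome, $username!;` reflects the submitted user name into the page unescaped; since this listing is a login example readers will copy, pass the name through htmlspecialchars() so the example does not model an XSS habit alongside the database advice.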
@@ -653,8 +653,9 @@
 ![CDATA[
 $offset = argv[0]; // beware, no input validation!
 $query  = SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET $offset;;
+// with PostgreSQL 
 $result = pg_exec($conn, $query);
-// with MySQL:
+// with MySQL
 $result = mysql_query($query);
 ]]
   /programlisting
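Review bot: the context line `$offset = argv[0]; // beware, no input validation!` is missing the `$` sigil on argv, so the snippet is not valid PHP as printed, and a CLI `$argv` does not fit an example whose prose says the offset 'is encoded into the URL'; `$_GET['offset']` (or `$HTTP_GET_VARS['offset']`) would match the text. The added '// with PostgreSQL' comment is a good counterpart to the MySQL one.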
@@ -663,22 +664,18 @@
   is encoded into the URL. The script expects that the incoming
   varname$offset/varname is decimal number. However, someone tries to
   break in with appending functionurlencode/function'd form of the
-  following to the URL (PostgreSQL):
+  following to the URL 
   informalexample
programlisting
 ![CDATA[
+// in case of PostgreSQL
 0;
 insert into pg_shadow(usename,usesysid,usesuper,usecatupd,passwd)
 select 'crack', usesysid, 't','t','crack'
 from pg_shadow where usename='postgres';
 --
-]]
-   /programlisting
-  /informalexample
-  or in case of using MySQL:
-  informalexample
-   programlisting
-![CDATA[
+
+// in case of MySQL
 0;
 UPDATE user SET Password=PASSWORD('crack') WHERE user='root';
 FLUSH PRIVILEGES;
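Review bot: the merged listing is SQL, not PHP, so the `// in case of PostgreSQL` / `// in case of MySQL` markers use the wrong comment syntax for the language shown (SQL comments are `--`, which already appears in the listing as the trailing comment); either switch the markers to `--` or keep the two separate informalexamples with a sentence between them. The sentence above now ends 'following to the URL ' with no colon and has lost the '(PostgreSQL)' qualifier the old text carried.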
@@ -698,13 +695,14 @@
 /note
 para
  A feasible way to gain passwords is to circumvent your search result pages.
- What the attacker has to do is only trying if there is a submitted filter
- setting handled not properly. These filters are commonly set in a previous
- form to customize literalWHERE, ORDER BY, LIMIT and OFFSET/literal
- clauses in literalSELECT/literal statements. If your database supports
- the literalUNION/literal construct, the attacker may try to append an
- entire query to the original one to list passwords from an arbitrary table.
- Using encrypted password fields is strongly encouraged.
+ What the attacker needs only is to try if there is any submitted variable
+ used in SQL statement which is not handled properly. These filters can be set 
+ commonly in a preceding form to customize literalWHERE, ORDER BY, 
+ LIMIT/literal and literalOFFSET/literal clauses in 
+literalSELECT/literal
+ statements. If your database supports the literalUNION/literal construct, 
+ the attacker may try to append an entire query to the original one to list 
+ passwords from an arbitrary table. Using encrypted password fields is 
+ strongly encouraged.
  example
   title
Listing out articles ... and some passwords (any database server)
@@ -714,6 +712,7 @@
 $query  = SELECT id, name, inserted, size FROM products
   WHERE size = '$size'
   ORDER BY $order LIMIT $limit, $offset;;
+$result = odbc_exec($conn, $query);
 ]]
   /programlisting
  /example
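Review bot: 'What the attacker needs only is to try if there is any submitted variable used in SQL statement which is not handled properly' is harder to read than the text it replaces; suggest 'The attacker only needs to find one submitted variable that is used in an SQL statement without proper handling.' Also, 'Using encrypted password fields is strongly encouraged' should say hashed: reversible encryption with the key on the same server does not protect passwords read out through a UNION, whereas a one-way hash does, and the chapter's own Encrypted Storage Model section is the place to cross-reference. The added `$result = odbc_exec($conn, $query);` fits the 'any database server' title.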
@@ -760,6 +759,7 @@
 ![CDATA[
 // $uid == ' or uid like'%admin%'; --
 $query = UPDATE usertable SET pwd='...' WHERE uid='' or uid like '%admin%'; --;
+
 // $pwd == hehehe', admin='yes', trusted=100 
 $query = UPDATE usertable SET pwd='hehehe', admin='yes', trusted=100 WHERE ...;
 ]]
@@ -844,7 +844,7 @@
   /listitem
   listitem
para
-If the application waits for numeric input, consider to verify data
+If the application waits for numerical input, consider to verify data
 with functionis_numeric/function, or silently change its type
 using functionsettype/function, or use its numeric representation
 
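Review bot: 'numeric input' was the better term; 'numerical' is not wrong, but the same list item goes on to say 'numeric representation', so use one word. 'consider to verify' should be 'consider verifying'. The advice itself is in the right order of preference: is_numeric() to reject, settype() to coerce, or use the numeric representation when building the statement.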

[PHP-DOC] cvs: phpdoc /en/chapters security.xml

2002-01-21 Thread Gyozo Papp

gerzson Mon Jan 21 09:36:59 2002 EDT

  Modified files:  
/phpdoc/en/chapters security.xml 
  Log:
  better description of the SQL injection examples
  

Index: phpdoc/en/chapters/security.xml
diff -u phpdoc/en/chapters/security.xml:1.41 phpdoc/en/chapters/security.xml:1.42
--- phpdoc/en/chapters/security.xml:1.41Fri Jan 18 12:25:26 2002
+++ phpdoc/en/chapters/security.xml Mon Jan 21 09:36:58 2002
@@ -1,5 +1,5 @@
 ?xml version=1.0 encoding=iso-8859-1?
-!-- $Revision: 1.41 $ --
+!-- $Revision: 1.42 $ --
  chapter id=security
   titleSecurity/title
 
@@ -498,8 +498,8 @@
simpara
 To retrieve or to store any information you need to connect to the database,
 send a legitimate query, fetch the result, and close the connecion.
-Nowadays, the commonly used interface in the interaction with databases is
-the Structured Query Language (SQL). See how an attacker can link
+Nowadays, the commonly used query language in this interaction is the
+Structured Query Language (SQL). See how an attacker can link
 linkend=security.database.sql-injectiontamper with an SQL query/link.
/simpara
simpara
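Review bot: the context line 'send a legitimate query, fetch the result, and close the connecion.' still carries the typo 'connecion' (connection); fix it while this paragraph is being reworded. The new wording 'the commonly used query language in this interaction is the Structured Query Language (SQL)' is fine.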
@@ -636,16 +636,13 @@
  Direct SQL Command Injection is a technique where an attacker creates or
  alters existing SQL commands to expose hidden data, or to override valuable
  ones, or even to execute dangerous system level commands on the database
- host.
-/simpara
-simpara
- This is accomplished by the application taking user input and combining
- it with static parameters to build a SQL query. The following examples
- are based on true stories, unfortunately.
+ host. This is accomplished by the application taking user input and
+ combining it with static parameters to build a SQL query. The following
+ examples are based on true stories, unfortunately.
 /simpara
 para
  Owing to the lack of input validation and connecting to the database on
- behalf of a superuser or the owner who can create users, the attacker
+ behalf of a superuser or the one who can create users, the attacker
  may create a superuser in your database.
  example
   title
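Review bot: 'on behalf of a superuser or the one who can create users' reads awkwardly; 'or any account allowed to create users' says the same thing. Merging the two simparas is fine; 'The following examples are based on true stories, unfortunately.' reads better as 'Unfortunately, the following examples are based on true stories.'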
@@ -657,6 +654,8 @@
 $offset = argv[0]; // beware, no input validation!
 $query  = SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET $offset;;
 $result = pg_exec($conn, $query);
+// with MySQL:
+$result = mysql_query($query);
 ]]
   /programlisting
  /example
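Review bot: `$result = pg_exec($conn, $query);` followed immediately by `$result = mysql_query($query);` runs both calls in one script, which is not what the '// with MySQL:' comment intends; mark both lines as alternatives (a matching '// with PostgreSQL' comment above the first, as the Feb 4 commit in this thread later adds) or present them as two listings.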
@@ -670,17 +669,6 @@
 ![CDATA[
 0;
 insert into pg_shadow(usename,usesysid,usesuper,usecatupd,passwd)
-values ('crack', 31, 't','t','crack');
---
-]]
-   /programlisting
-  /informalexample
-  or more precisely:
-  informalexample
-   programlisting
-![CDATA[
-0;
-insert into pg_shadow(usename,usesysid,usesuper,usecatupd,passwd)
 select 'crack', usesysid, 't','t','crack'
 from pg_shadow where usename='postgres';
 --
@@ -709,14 +697,23 @@
  /para
 /note
 para
- A feasible way to gain passwords:
+ A feasible way to gain passwords is to circumvent your search result pages.
+ What the attacker has to do is only trying if there is a submitted filter
+ setting handled not properly. These filters are commonly set in a previous
+ form to customize literalWHERE, ORDER BY, LIMIT and OFFSET/literal
+ clauses in literalSELECT/literal statements. If your database supports
+ the literalUNION/literal construct, the attacker may try to append an
+ entire query to the original one to list passwords from an arbitrary table.
+ Using encrypted password fields is strongly encouraged.
  example
   title
Listing out articles ... and some passwords (any database server)
   /title
   programlisting role=php
 ![CDATA[
-$query  = SELECT id, name, inserted, size FROM products WHERE size = '$size';;
+$query  = SELECT id, name, inserted, size FROM products
+  WHERE size = '$size'
+  ORDER BY $order LIMIT $limit, $offset;;
 ]]
   /programlisting
  /example
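Review bot: `ORDER BY $order LIMIT $limit, $offset` is MySQL-only syntax, and in MySQL the two-argument form is `LIMIT offset, row_count`, so the variable names are in the reverse order of their meaning; since the title says 'any database server', `LIMIT $limit OFFSET $offset` (the form the earlier example already uses) is portable and the names line up. Interpolating four variables ($size, $order, $limit, $offset) is a good choice for this example because it shows that unquoted positions such as ORDER BY and LIMIT need validation just as much as the quoted '$size'.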
@@ -725,15 +722,24 @@
  informalexample
   programlisting
 ![CDATA[
-union select '1', concat(uname||'-'||passwd) as name, '1971-01-01', '0' from usertable
+'
+union select '1', concat(uname||'-'||passwd) as name, '1971-01-01', '0' from 
+usertable;
+--
 ]]
   /programlisting
  /informalexample
- If this query were assigned to varname$size/varname (prepended with
- literal'/literal), the query beast awakened.
+ If this query (playing with the literal'/literal and
+ literal--/literal) were assigned to one of the variables used in
+ varname$query/varname, the query beast awakened.
 /para
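Review bot: `concat(uname||'-'||passwd)` mixes MySQL's concat() function with the SQL-standard `||` operator (MySQL treats `||` as logical OR unless PIPES_AS_CONCAT is set), so the listing is not dialect-neutral as the title claims; state which server it targets, as the pg_shadow and UPDATE user examples above do. 'the query beast awakened' should be 'the query beast would be awakened' to agree with 'If this query ... were assigned'.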
 para
- SQL UPDATEs are also subject to attacking your database.
+ SQL UPDATEs are also subject to attacking your database. These queries are
+ also threatened by chopping and appending an entirely new query to it. But
+ the attacker might fiddle with the 

[PHP-DOC] cvs: phpdoc /en/chapters security.xml

2002-01-16 Thread Gyozo Papp

gerzson Wed Jan 16 05:09:37 2002 EDT

  Modified files:  
/phpdoc/en/chapters security.xml 
  Log:
  new section added about database security
  please someone run a 'make test'
  

Index: phpdoc/en/chapters/security.xml
diff -u phpdoc/en/chapters/security.xml:1.39 phpdoc/en/chapters/security.xml:1.40
--- phpdoc/en/chapters/security.xml:1.39Tue Dec 18 18:18:36 2001
+++ phpdoc/en/chapters/security.xml Wed Jan 16 05:09:37 2002
@@ -1,5 +1,5 @@
 ?xml version=1.0 encoding=iso-8859-1?
-!-- $Revision: 1.39 $ --
+!-- $Revision: 1.40 $ --
  chapter id=security
   titleSecurity/title
 
@@ -484,6 +484,394 @@
 reason, it's usually easier to create a policy where you forbid
 everything except for what you explicitly allow.
/para   
+  /sect1
+
+  sect1 id=security.database
+   titleDatabase Security/title
+
+   simpara
+Nowadays, databases are cardinal components of any web based application by
+enabling websites to provide varying dynamic content. Since very sensitive
+or secret informations  can be stored in such database, you should strongly
+consider to protect them somehow.
+   /simpara
+   simpara
+PHP can be treated as a bridge between the database and client. Your script
+processes the client's request, and propagates it in such manner that the
+database can provide the appropriate response. After that, the script
+generates its output from the supplied data, probably based on customizeable
+user preferences stored in database, too.
+   /simpara
+   simpara
+To retrieve or to store any information you need to connect to the database,
+send a legitimate query, fetch the result, and close the connecion.
+Nowadays, the commonly used interface in the interaction with databases is
+the Structured Query Language (SQL). See how an attacker can link
+linkend=security.database.sql-injectiontamper with an SQL query/link.
+   /simpara
+   simpara
+As you can realize, PHP cannot protect your database by itself. The
+following sections aim to be an introduction into the very basics of how to
+access and manipulate databases within PHP scripts.
+   /simpara
+   simpara
+Keep in my mind this simple rule: defence in depth. In the more place you
+take the more action to increase the protection of your database, the less
+probability of that an attacker succeeds, and exposes or abuse any stored
+secret information. Good design of the database schema and the application
+deals with your greatest fears.
+   /simpara
+
+   sect2 id=security.database.design
+titleDesigning Databases/title
+ simpara
+  The first step is always to create the database, unless you want to use
+  an existing third party's one. When a database is created, it is
+  assigned to an owner, who executed the creation statement. Usually, only
+  the owner (or a superuser) can do anything with the objects in that
+  database, and in order to allow other users to use it, privileges must be
+  granted.
+ /simpara
+ simpara
+  Applications should never connect to the database as its owner or a
+  superuser, because these users can execute any query at will, for
+  example, modifying the schema (e.g. dropping tables) or deleting its
+  entire content.
+ /simpara
+ simpara
+  You may create different database users for every aspect of your
+  application with very limited rights to database objects. The most
+  required privileges should be granted only, and avoid that the same user
+  can interact with the database in different use cases. This means that if
+  intruders gain access to your database using one of these credentials,
+  they can only effect as many changes as your application can.
+ /simpara
+ simpara
+  You are encouraged not to implement all the business logic in the web
+  application (i.e. your script), instead to do it in the database schema
+  using views, triggers or rules. If the system evolves, new ports will be
+  intended to open to the database, and you have to reimplement the logic
+  in each separate database client. Over and above, triggers can be used
+  to transparently and automatically handle fields, which often provides
+  insight when debugging problems with your application or tracing back
+  transactions.
+ /simpara
+   /sect2
+
+   sect2 id=security.database.connection
+titleConnecting to Database/title
+simpara
+ You may want to estabilish the connections over SSL to encrypt
+ client/server communications for increased security, or you can use ssh
+ to encrypt the network connection between clients and the database server.
+ If either of them is done, then monitoring your traffic and gaining
+ informations in this way will be a hard work.
+/simpara
+!--simpara
+ If your database server native SSL support, consider to use link
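Review bot: several spelling and grammar slips in the new section should be fixed before it ships: 'informations' → 'information' (twice; uncountable), 'Keep in my mind' → 'Keep in mind', 'estabilish' → 'establish', 'connecion' → 'connection', 'customizeable' → 'customizable', 'If your database server native SSL support' → 'has native SSL support'. The sentence 'In the more place you take the more action to increase the protection of your database, the less probability of that an attacker succeeds' is not readable; suggest 'The more places you add protection for your database, the less likely an attacker is to succeed in exposing or abusing stored data.' 'The most required privileges should be granted only' should read 'Grant only the privileges that are strictly required', and 'new ports will be intended to open to the database' should read 'new clients will need to access the database'. The substance (never connect as owner or superuser, one limited account per use case, keep integrity logic in the schema) is sound least-privilege advice.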

[PHP-DOC] cvs: phpdoc /en/chapters security.xml

2001-12-05 Thread Derick Rethans

derick  Wed Dec  5 03:30:41 2001 EDT

  Modified files:  
/phpdoc/en/chapters security.xml 
  Log:
  - Typo
  
  
Index: phpdoc/en/chapters/security.xml
diff -u phpdoc/en/chapters/security.xml:1.36 phpdoc/en/chapters/security.xml:1.37
--- phpdoc/en/chapters/security.xml:1.36Fri Nov 23 16:51:22 2001
+++ phpdoc/en/chapters/security.xml Wed Dec  5 03:30:41 2001
@@ -1,5 +1,5 @@
 ?xml version=1.0 encoding=iso-8859-1?
-!-- $Revision: 1.36 $ --
+!-- $Revision: 1.37 $ --
  chapter id=security
   titleSecurity/title
 
@@ -764,7 +764,7 @@
titleHiding PHP/title
para
 A few simple techniques can help to hide PHP, possibly slowing
-down an attacker who is attempting to disover weaknesses in your
+down an attacker who is attempting to discover weaknesses in your
 system. By setting expose_php = off in your php.ini file, you
 reduce the amount of information available to them.
/para





[PHP-DOC] cvs: phpdoc /en/chapters security.xml

2001-11-13 Thread Philip Olson

philip  Tue Nov 13 19:20:50 2001 EDT

  Modified files:  
/phpdoc/en/chapters security.xml 
  Log:
  Fix typo. (on = off)
  
  
Index: phpdoc/en/chapters/security.xml
diff -u phpdoc/en/chapters/security.xml:1.33 phpdoc/en/chapters/security.xml:1.34
--- phpdoc/en/chapters/security.xml:1.33Sat Nov 10 16:49:28 2001
+++ phpdoc/en/chapters/security.xml Tue Nov 13 19:20:50 2001
@@ -1,5 +1,5 @@
 ?xml version=1.0 encoding=iso-8859-1?
-!-- $Revision: 1.33 $ --
+!-- $Revision: 1.34 $ --
  chapter id=security
   titleSecurity/title
 
@@ -653,7 +653,7 @@
 ?gt;
  /programlisting
 /example
-Of course, simply turning on register globals does not mean code
+Of course, simply turning off register_globals does not mean code
 is secure. For every piece of data that is submitted, it
 should also be checked in other ways.
/para





[PHP-DOC] cvs: phpdoc /en/chapters security.xml

2001-11-04 Thread Thomas Schoefbeck

tom Sun Nov  4 04:10:03 2001 EDT

  Modified files:  
/phpdoc/en/chapters security.xml 
  Log:
  reworded intro according to the new order
  
Index: phpdoc/en/chapters/security.xml
diff -u phpdoc/en/chapters/security.xml:1.30 phpdoc/en/chapters/security.xml:1.31
--- phpdoc/en/chapters/security.xml:1.30Tue Oct 30 20:39:47 2001
+++ phpdoc/en/chapters/security.xml Sun Nov  4 04:10:02 2001
@@ -1,5 +1,5 @@
 ?xml encoding=iso-8859-1?
-!-- $Revision: 1.30 $ --
+!-- $Revision: 1.31 $ --
  chapter id=security
   titleSecurity/title
 
@@ -32,10 +32,10 @@
secure it is, is largely up to the PHP developer.
   /simpara
   simpara
-   This chapter starts by explaining the different configuration
-   option combinations and the situations they can be safely used. It
-   then describes different considerations in coding for different
-   levels of security, and ends with some general security advice.
+   This chapter starts with some general security advice, explains
+   the different configuration option combinations and the situations
+   they can be safely used, and describes different considerations in
+   coding for different levels of security.
   /simpara
 
   sect1 id=security.general





[PHP-DOC] cvs: phpdoc /en/chapters security.xml

2001-10-30 Thread jim winstead

jimw    Tue Oct 30 20:39:47 2001 EDT

  Modified files:  
/phpdoc/en/chapters security.xml 
  Log:
  putting general security info first, rather than more obscure cgi stuff.
  
Index: phpdoc/en/chapters/security.xml
diff -u phpdoc/en/chapters/security.xml:1.29 phpdoc/en/chapters/security.xml:1.30
--- phpdoc/en/chapters/security.xml:1.29Sat Oct 13 11:52:38 2001
+++ phpdoc/en/chapters/security.xml Tue Oct 30 20:39:47 2001
@@ -1,5 +1,5 @@
 ?xml encoding=iso-8859-1?
-!-- $Revision: 1.29 $ --
+!-- $Revision: 1.30 $ --
  chapter id=security
   titleSecurity/title
 
@@ -38,6 +38,54 @@
levels of security, and ends with some general security advice.
   /simpara
 
+  sect1 id=security.general
+   titleGeneral considerations/title
+   simpara
+A completely secure system is a virtual impossibility, so an
+approach often used in the security profession is one of balancing
+risk and usability. If every variable submitted by a user required
+two forms of biometric validation (such as a retinal scan and a
+fingerprint), you would have an extremely high level of
+accountability. It would also take half an hour to fill out a fairly
+complex form, which would tend to encourage users to find ways of
+bypassing the security.
+   /simpara
+   simpara
+The best security is often inobtrusive enough to suit the
+requirements without the user being prevented from accomplishing
+their work, or over-burdening the code author with excessive
+complexity. Indeed, some security attacks are merely exploits of
+this kind of overly built security, which tends to erode over time.
+   /simpara
+   simpara
+A phrase worth remembering: A system is only as good as the weakest
+link in a chain. If all transactions are heavily logged based on
+time, location, transaction type, etc. but the user is only
+verified based on a single cookie, the validity of tying the users
+to the transaction log is severely weakened.
+   /simpara
+   simpara
+When testing, keep in mind that you will not be able to test all
+possibilities for even the simplest of pages. The input you
+may expect will be completely unrelated to the input given by
+a disgruntled employee, a cracker with months of time on their
+hands, or a housecat walking across the keyboard. This is why it's
+best to look at the code from a logical perspective, to discern
+where unexpected data can be introduced, and then follow how it is
+modified, reduced, or amplified.
+   /simpara
+   simpara
+The Internet is filled with people trying to make a name for
+themselves by breaking your code, crashing your site, posting
+inappropriate content, and otherwise making your day interesting.
+It doesn't matter if you have a small or large site, you are
+a target by simply being online, by having a server that can be
+connected to. Many cracking programs do not discern by size, they
+simply trawl massive IP blocks looking for victims. Try not to
+become one.
+   /simpara
+  /sect1
+
   sect1 id=security.cgi
titleInstalled as CGI binary/title
 
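Review bot: the chapter intro in this hunk's leading context still says "levels of security, and ends with some general security advice.", but the hunk moves the general section to the front, so that sentence should be updated in the same commit (the chapter now starts with the general advice). Also "inobtrusive" in `+The best security is often inobtrusive enough to suit the` should be "unobtrusive".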
@@ -729,54 +777,6 @@
/para
   /sect1
   
-  sect1 id=security.general
-   titleGeneral considerations/title
-   simpara
-A completely secure system is a virtual impossibility, so an
-approach often used in the security profession is one of balancing
-risk and usability. If every variable submitted by a user required
-two forms of biometric validation (such as a retinal scan and a
-fingerprint), you would have an extremely high level of
-accountability. It would also take half an hour to fill out a fairly
-complex form, which would tend to encourage users to find ways of
-bypassing the security.
-   /simpara
-   simpara
-The best security is often inobtrusive enough to suit the
-requirements without the user being prevented from accomplishing
-their work, or over-burdening the code author with excessive
-complexity. Indeed, some security attacks are merely exploits of
-this kind of overly built security, which tends to erode over time.
-   /simpara
-   simpara
-A phrase worth remembering: A system is only as good as the weakest
-link in a chain. If all transactions are heavily logged based on
-time, location, transaction type, etc. but the user is only
-verified based on a single cookie, the validity of tying the users
-to the transaction log is severely weakened.
-   /simpara
-   simpara
-When testing, keep in mind that you will not be able to test all
-possibilities for even the simplest of pages. The input you
-may expect will be completely unrelated to the input given by
-a disgruntled employee, a cracker with months of time on their
-hands, or a housecat walking across the keyboard. This is why it's
-best to look at the code from a logical perspective, to discern
-where unexpected data 
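Review bot: the removal hunk `@@ -729,54 +777,6 @@` is cut off in this message after `-where unexpected data `, so it cannot be verified here that the whole old section, including its closing `/sect1` and the blank line after it, is removed, nor that the moved text is identical to the block added in the previous hunk; a diff of the two blocks before committing would settle both.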

[PHP-DOC] cvs: phpdoc /en/chapters security.xml

2001-09-24 Thread Philip Olson

philip  Mon Sep 24 13:56:35 2001 EDT

  Modified files:  
/phpdoc/en/chapters security.xml 
  Log:
  Adding link to register_globals config setting.
  
  
Index: phpdoc/en/chapters/security.xml
diff -u phpdoc/en/chapters/security.xml:1.26 phpdoc/en/chapters/security.xml:1.27
--- phpdoc/en/chapters/security.xml:1.26Fri Sep 21 18:47:30 2001
+++ phpdoc/en/chapters/security.xml Mon Sep 24 13:56:35 2001
@@ -1,5 +1,5 @@
 ?xml encoding=iso-8859-1?
-!-- $Revision: 1.26 $ --
+!-- $Revision: 1.27 $ --
  chapter id=security
   titleSecurity/title
 
@@ -541,9 +541,9 @@
   sect1 id=security.registerglobals
titleUsing Register Globals/title
para
-One feature of PHP that can be used to enhance security is
-configuring PHP with register_globals = off. By turning off
-the ability for any user-submitted variable to be injected
+One feature of PHP that can be used to enhance security is configuring PHP with 
+link linkend=ini.register-globalsregister_globals/link = off.  
+By turning off the ability for any user-submitted variable to be injected 
 into PHP code, you can reduce the amount of variable
 poisoning a potential attacker may inflict. They will have
 to take the additional time to forge submissions, and your
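Review bot: the three rewrapped `+` lines carry trailing whitespace and run past the wrap width of the surrounding lines, and `= off.  ` has a double space; rewrap to the existing width and drop the trailing blanks. The markup itself, `link linkend=ini.register-globals`, is the right way to point at the ini directive.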





[PHP-DOC] cvs: phpdoc /en/chapters security.xml

2001-07-28 Thread Ron Chmara

ronabop Sat Jul 28 17:57:49 2001 EDT

  Modified files:  
/phpdoc/en/chapters security.xml 
  Log:
  Enhancing, per recent discussions on PHP-DEV, and adding section on using 
register_globals to increase security.
  

Index: phpdoc/en/chapters/security.xml
diff -u phpdoc/en/chapters/security.xml:1.19 phpdoc/en/chapters/security.xml:1.20
--- phpdoc/en/chapters/security.xml:1.19Tue May  8 17:30:06 2001
+++ phpdoc/en/chapters/security.xml Sat Jul 28 17:57:49 2001
@@ -265,29 +265,37 @@
 nobody user. This means a malicious script could access and modify
 the database, even without a username and password. It's entirely
 possible that a web spider could stumble across a database
-adminisitror's web page, and drop all of your databases. You can
+administrator's web page, and drop all of your databases. You can
 protect against this with Apache authorization, or you can design
 your own access model using LDAP, .htaccess files, etc. and include
 that code as part of your PHP scripts.
/simpara
simpara
 Often, once security is established to the point where the PHP user
-(in this case, the apache user) has very little risk, it is
-discovered that PHP now has been prevented from writing virus files
+(in this case, the apache user) has very little risk attached to it,
+it is discovered that PHP is now prevented from writing any files
 to user directories. Or perhaps it has been prevented from accessing
-or changing a non-public database. It has equally been secured from
-writing files that it should, or entering database transactions.
+or changing databases. It has equally been secured from writing
+good and bad files, or entering good and bad database transactions.
/simpara
simpara
 A frequent security mistake made at this point is to allow apache
-root permissions.
+root permissions, or to escalate apache's abilitites in some other
+way.
/simpara
simpara
 Escalating the Apache user's permissions to root is extremely
 dangerous and may compromise the entire system, so sudo'ing,
-chroot'ing ,or otherwise running as root should not be considered by
+chroot'ing, or otherwise running as root should not be considered by
 those who are not security professionals.
/simpara
+   simpara
+There are some simpler solutions. By using 
+functionopen_basedir()/function you can control and restrict what
+directories are allowed to be used for PHP. You can also set up
+apache-only areas, to restrict all web based activity to non-user,
+or non-system, files.
+   /simpara
   /sect1
 
   sect1 id=security.filesystem
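Review bot: `open_basedir` is a php.ini directive, not a function, so `functionopen_basedir()/function` in the new paragraph should drop the `()` and be marked up as a link to the ini entry (following the `ini.user-dir` link convention already used in this file) or as a literal. Also "abilitites" in `+root permissions, or to escalate apache's abilitites in some other` should be "abilities".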
@@ -369,7 +377,7 @@
 lt;?php
 // removes a file from the hard drive that
 // the PHP user has access to. 
-$username = $HTTP_REMOTE_USER; // use an authentication mechanisim
+$username = $HTTP_REMOTE_USER; // using an authentication mechanisim
 
 $homedir = /home/$username;
 
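Review bot: the replaced comment keeps the misspelling "mechanisim" (`+$username = $HTTP_REMOTE_USER; // using an authentication mechanisim`); since the line is being changed anyway, make it "mechanism".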
@@ -385,21 +393,28 @@
 ?gt;
  /programlisting
 /example
-Alternately, you may prefer to write a more customized check:
+However, even this is not without it's flaws. If your authentication
+system allowed users to create their own user logins, and a user
+chose the login ../etc/, the system is once again exposed. For
+this reason, you may prefer to write a more customized check:
 example
  titleMore secure file name checking/title
  programlisting role=php
 lt;?php
-$username = getenv(REMOTE_USER);
+$username = $HTTP_REMOTE_USER; // using an authentication mechanisim
 $homedir = /home/$username;
 
 if (!ereg('^[^./][^/]*$', $userfile))
-die('bad filename'); //die, do not process
-
+ die('bad filename'); //die, do not process
+ 
+if (!ereg('^[^./][^/]*$', $username))
+ die('bad username'); //die, do not process
 //etc...
 ?gt;
  /programlisting
 /example 
+   /para
+   para
 Depending on your operating system, there are a wide variety of files
 which you should be concerned about, including device entries (/dev/
 or COM1), configuration files (/etc/ files and the .ini files),
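Review bot: replacing `getenv(REMOTE_USER)` with `$HTTP_REMOTE_USER` in the "More secure file name checking" listing swaps a call that reads the web server's REMOTE_USER variable for a variable that neither PHP nor Apache defines by default; unless the chapter defines `$HTTP_REMOTE_USER` as the output of the site's own authentication layer, keep the `getenv()` form so the listing works as shown. In the new prose, "it's flaws" should be "its flaws". The added `ereg('^[^./][^/]*$', $username)` check does what the text claims: a login of `../etc/` is rejected on both the leading dot and the slash.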
@@ -411,13 +426,29 @@
 
   sect1 id=security.errors
titleError Reporting/title
-   simpara
+   para
+With PHP security, there are two sides to error reporting. One is
+beneficial to increasing security, the other is detrimental.
+   /para
+   para
 A standard attack tactic involves profiling a system by feeding
 it improper data, and checking for the kinds, and contexts, of the
 errors which are returned. This allows the system cracker to probe
 for information about the server, to determine possible weaknesses.
-   /simpara
-   simpara
+For example, if an attacker had gleaned information about a page
+based on a prior form submission, they may attempt to override
+variables, or modify them:
+example
+ titleAttacking Variables with a custom HTML page/title
+ 
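Review bot: the hunk changes the opening `simpara` to `para` and removes the `/simpara` / `simpara` pair so the example can live inside the paragraph, but the message is cut off after `titleAttacking Variables with a custom HTML page/title`, so the matching `/example` and `/para` cannot be checked here; confirm the file still validates after the change.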

[PHP-DOC] cvs: phpdoc /en/chapters security.xml

2001-05-08 Thread Jim Winstead

jimw            Tue May  8 14:30:06 2001 EDT

  Modified files:  
/phpdoc/en/chapters security.xml 
  Log:
  fix typo
  
Index: phpdoc/en/chapters/security.xml
diff -u phpdoc/en/chapters/security.xml:1.18 phpdoc/en/chapters/security.xml:1.19
--- phpdoc/en/chapters/security.xml:1.18Sat Jan 20 11:13:22 2001
+++ phpdoc/en/chapters/security.xml Tue May  8 14:30:06 2001
@@ -263,7 +263,7 @@
 PHP to access a database, unless that database has built-in access
 control, you will have to make the database accessable to the
 nobody user. This means a malicious script could access and modify
-the databse, even without a username and password. It's entirely
+the database, even without a username and password. It's entirely
 possible that a web spider could stumble across a database
 adminisitror's web page, and drop all of your databases. You can
 protect against this with Apache authorization, or you can design
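Review bot: the same paragraph has a second typo left untouched, `adminisitror's` in the context line `adminisitror's web page, and drop all of your databases. You can`; fix it in this commit rather than in a follow-up.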





[PHP-DOC] cvs: phpdoc /en/chapters security.xml

2001-01-20 Thread Hojtsy Gabor

goba            Sat Jan 20 11:13:22 2001 EDT

  Modified files:  
/phpdoc/en/chapters security.xml 
  Log:
  .php3 - .php
  
  
Index: phpdoc/en/chapters/security.xml
diff -u phpdoc/en/chapters/security.xml:1.17 phpdoc/en/chapters/security.xml:1.18
--- phpdoc/en/chapters/security.xml:1.17Mon Jan 15 00:36:44 2001
+++ phpdoc/en/chapters/security.xml Sat Jan 20 11:13:22 2001
@@ -83,15 +83,15 @@
Usually some web server configuration directives (Apache:
Action) are used to redirect requests to documents like
filename
-   role="url"http://my.host/secret/script.php3/filename to the
+   role="url"http://my.host/secret/script.php/filename to the
PHP interpreter.  With this setup, the web server first checks
the access permissions to the directory filename
role="uri"/secret/filename, and after that creates the
redirected request filename
-   role="url"http://my.host/cgi-bin/php/secret/script.php3/filename.
+   role="url"http://my.host/cgi-bin/php/secret/script.php/filename.
Unfortunately, if the request is originally given in this form,
no access checks are made by web server for file filename
-   role="uri"/secret/script.php3/filename, but only for the
+   role="uri"/secret/script.php/filename, but only for the
filename role="uri"/cgi-bin/php/filename file.  This way
any user able to access filename
role="uri"/cgi-bin/php/filename is able to access any
@@ -125,9 +125,9 @@
  to the configure script.  You still have to make sure your PHP
  scripts do not rely on one or another way of calling the script,
  neither by directly filename
- role="php"http://my.host/cgi-bin/php/dir/script.php3/filename
+ role="php"http://my.host/cgi-bin/php/dir/script.php/filename
  nor by redirection filename
- role="php"http://my.host/dir/script.php3/filename.
+ role="php"http://my.host/dir/script.php/filename.
 /simpara
 simpara
  Redirection can be configured in Apache by using AddHandler and
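Review bot: these URLs are tagged `filename role="php"` while the same kind of URL in the previous hunk uses `role="url"`; since the lines are being touched anyway, normalise them to `role="url"`.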
@@ -140,7 +140,7 @@
 simpara
  This compile-time option prevents anyone from calling PHP
  directly with a url like filename
- role="php"http://my.host/cgi-bin/php/secretdir/script.php3/filename.
+ role="php"http://my.host/cgi-bin/php/secretdir/script.php/filename.
  Instead, PHP will only parse in this mode if it has gone through
  a web server redirect rule.
 /simpara
@@ -149,8 +149,8 @@
  the following directives:
 /simpara
 programlisting role="apache-conf"
-Action php3-script /cgi-bin/php
-AddHandler php3-script .php3
+Action php-script /cgi-bin/php
+AddHandler php-script .php
 /programlisting
 simpara
  This option has only been tested with the Apache web server, and
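Review bot: renaming the handler and extension to `php-script` / `.php` drops the `.php3` mapping entirely, so a site that still serves `.php3` files would lose the redirect; the example or the surrounding text could mention keeping a second `AddHandler php-script .php3` line during migration.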
@@ -199,21 +199,21 @@
  linkend="ini.user-dir"user_dir/link.  When user_dir is unset,
  only thing controlling the opened file name is
  parameterdoc_root/parameter.  Opening an url like filename
- role="url"http://my.host/~user/doc.php3/filename does not
+ role="url"http://my.host/~user/doc.php/filename does not
  result in opening a file under users home directory, but a file
- called filename role="uri"~user/doc.php3/filename under
+ called filename role="uri"~user/doc.php/filename under
  doc_root (yes, a directory name starting with a tilde
  [literal~/literal]).
 /simpara  
 simpara
  If user_dir is set to for example filename
  role="dir"public_php/filename, a request like filename
- role="url"http://my.host/~user/doc.php3/filename will open a
- file called filenamedoc.php3/filename under the directory
+ role="url"http://my.host/~user/doc.php/filename will open a
+ file called filenamedoc.php/filename under the directory
  named filename role="dir"public_php/filename under the home
  directory of the user.  If the home of the user is filename
  role="dir"/home/user/filename, the file executed is
- filename/home/user/public_php/doc.php3/filename.
+ filename/home/user/public_php/doc.php/filename.
 /simpara
 simpara
  parameteruser_dir/parameter expansion happens regardless of
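Review bot: two grammar slips sit in the untouched context lines here: "only thing controlling the opened file name is" needs "the only thing", and "under users home directory" should be "under the user's home directory".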
@@ -254,22 +254,6 @@
   
   /sect1
 
-  sect1 id="security.current"
-   titleKeeping Current/title
-   simpara
-PHP, like any other large system, is under constant scrutiny and
-improvement. Each new version will often include both major and
-minor changes to enhance and repair security flaws, configuration
-mishaps, and other issues that will affect the overall security
-and stability of your system.
-   /simpara
-   simpara
-Like other system-level scripting languages and programs, the best
-approach is to update often, and maintain awareness of the latest
-versions and their changes.
-   /simpara
-  /sect1
-
   sect1 id="security.apache"
titleInstalled as an Apache module/title
simpara
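Review bot: this hunk deletes the whole "Keeping Current" section (`sect1 id="security.current"`), which has nothing to do with the `.php3` to `.php` rename the log message describes; either mention the removal in the log or do it in a separate commit, and if the section was moved elsewhere, say where.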
@@ -406,7 +390,7 @@