Hi,
Try this:
$str = 'HTMLFiles/MenuDisplay.php?var=Thai%20Image&Item=1797&Action=add';
$str = preg_replace("/(\&Item.*)$/","", $str);
this should work.
Cheers,
V
-Original Message-
From: Johny Burns <[EMAIL PROTECTED]>
To: php-general@lists.php.net
Sent: Thu, 24 Jan 2008 11:
On Wed, 2008-01-23 at 23:30 -0600, Johny Burns wrote:
> I have the following string on the address line
>
> HTMLFiles/MenuDisplay.php?var=Thai%20Image&Item=1797&Action=add
>
> I am trying to delete or replace the '&Item=1797&Action=add' (it is at the
> end of the string)
>
> I am not familiar
I have the following string on the address line
HTMLFiles/MenuDisplay.php?var=Thai%20Image&Item=1797&Action=add
I am trying to delete or replace the '&Item=1797&Action=add' (it is at the
end of the string)
I am not familiar as much with those string functions, and if somebody can
give me some
On 24/01/2008, Richard Lynch <[EMAIL PROTECTED]> wrote:
> On Wed, January 23, 2008 4:04 pm, Dotan Cohen wrote:
> > Is the "--" here not treated as the beginning of an SQL comment?
>
> No, because it is inside the apostrophes.
>
> The purpose of mysql_real_escape_string (or using prepared statements
On Thu, 2008-01-24 at 01:13 +0100, Jochem Maas wrote:
> stats while I'm at it ... I've been busy wracking my brain trying to
> figure out
> the setup for a load-balanced configuration for one of my major
> clients ... at least
> a system capable of migrating to loadbalancing ... global file system
On Wed, January 23, 2008 6:55 pm, nihilism machine wrote:
> i am using this code on my form page:
>
> method="post" name="adForm" id="adForm">
>
>
>
> alt="Submit Form" />
>
>
>
> my upload code is below:
>
>
> $uploaddir = 'admin/advertisements/';
> $uploadfileTmp = basename($_FILES['upload1'
i am using this code on my form page:
method="post" name="adForm" id="adForm">
alt="Submit Form" />
my upload code is below:
$uploaddir = 'admin/advertisements/';
$uploadfileTmp = basename($_FILES['upload1']['name']);
$uploadfile = $uploaddir . basename($_FILES['upload1']['name']);
if (
On Jan 23, 2008 7:13 PM, Jochem Maas <[EMAIL PROTECTED]> wrote:
> I guess I was bored, figured I'd have some fun and artificially boost my post
> stats while I'm at it ... I've been busy wracking my brain trying to figure
> out
> the setup for a load-balanced configuration for one of my major clie
Daniel Brown wrote:
On Jan 23, 2008 6:57 PM, Jochem Maas <[EMAIL PROTECTED]> wrote:
Posting Summary for PHP-General List
Week Ending: Friday, 25 January, 2008
Messages| Bytes | Sender
+-+--
On Jan 23, 2008 6:57 PM, Jochem Maas <[EMAIL PROTECTED]> wrote:
>
> Posting Summary for PHP-General List
> Week Ending: Friday, 25 January, 2008
>
> Messages| Bytes | Sender
> +-+--
> 697 (100
Posting Summary for PHP-General List
Week Ending: Friday, 25 January, 2008
Messages| Bytes | Sender
+-+--
697 (100%) 975244 (100%) EVERYONE
690 (98.9%) 974000 (99.
On Wed, January 23, 2008 3:19 pm, Jason Pruim wrote:
> Okay, so I have this mostly working now! if I put my
> ini_set("include_path", "blah/to/balh"); on each and every page. I
> know I could include a file that is in the document root which
> specified that, but I was wondering if I was missing so
On Wed, January 23, 2008 1:50 pm, Roberto Mansfield wrote:
> Jason Pruim wrote:
>>
>>> Been doing some reading on security and have decided that I should
>>> be
>>> storing my include files outside of the document root... Which I
>>> understand how to do it, but what I'm wondering, is say I write t
On Wed, January 23, 2008 3:30 pm, Chris wrote:
>
>> Right now I still use mysql_escape_string and it seems to work fine,
>> but it makes me nervous as everything else I use is mysqli and I
>> know
>> it is not 100% compatible (just haven't had anything break it yet) -
>> but I hate having to have
On Wed, January 23, 2008 3:18 pm, Dotan Cohen wrote:
> I think it was here on this list that we saw an example of SQL
> injection despite the use of mysql_escape_string. Some funky Asian
> charset was used, no?
I don't know that I'd call it funky, but yes.
Without the "real" MySQL does not know w
On Wed, January 23, 2008 4:04 pm, Dotan Cohen wrote:
> Is the "--" here not treated as the beginning of an SQL comment?
No, because it is inside the apostrophes.
The purpose of mysql_real_escape_string (or using prepared statements)
is to mark up (or separate) the DATA from the QUERY.
The data a
On Wed, January 23, 2008 4:11 pm, Richard S. Crawford wrote:
> For a project at work, I'm writing a PHP script that will process XML
> generated and sent by an MSXML2.ServerXMLHTTP object that lives on
> another
> server. The XML will be sent via POST, but I'm not sure how to deal
> with
> it. It
Chuck wrote:
On Jan 22, 2008 7:01 PM, Dotan Cohen <[EMAIL PROTECTED]> wrote:
I have a file of my own functions that I include in many places. One
of them uses mysql_real_escape_string, however, it may be called in a
context that will or will not connect to a mysql server, and worse,
may alread
On 1/23/08, Chris <[EMAIL PROTECTED]> wrote:
> If you need to escape something you're going to do a query aren't you?
> Or am I missing something here?
true. but i typically have everything in wrapper functions, and i
don't keep the actual resource variable exposed to use it (since it
needs a res
On 24/01/2008, Chuck <[EMAIL PROTECTED]> wrote:
>
> Why not write a function that does the same thing?
> mysql_real_escape_strings is a very simple function. And if your data
> is properly normalized and you don't support other charsets its very
> simple.
>
Maintenance and security seem to be two
For a project at work, I'm writing a PHP script that will process XML
generated and sent by an MSXML2.ServerXMLHTTP object that lives on another
server. The XML will be sent via POST, but I'm not sure how to deal with
it. It doesn't look, to me, as though XMLRPC is called for in this case,
but I'
On Jan 22, 2008 7:01 PM, Dotan Cohen <[EMAIL PROTECTED]> wrote:
> I have a file of my own functions that I include in many places. One
> of them uses mysql_real_escape_string, however, it may be called in a
> context that will or will not connect to a mysql server, and worse,
> may already be conne
On 23/01/2008, Jochem Maas <[EMAIL PROTECTED]> wrote:
> Dotan Cohen wrote:
> > I'm not accepting "--" at all until someone can show me a real world
> > case where one would use it, without the intention of SQL injection.
> > How can it be escaped, anyway?
>
> I might just want to put '--' in a te
On 23/01/2008, Chris <[EMAIL PROTECTED]> wrote:
> > I'm not accepting "--" at all until someone can show me a real world
> > case where one would use it, without the intention of SQL injection.
> > How can it be escaped, anyway?
>
> Depends on your app.
>
> -- is an accepted things in emails as a m
Dotan Cohen wrote:
On 23/01/2008, Jochem Maas <[EMAIL PROTECTED]> wrote:
I can read, I saw 2 functions the first time. each function cleans *and*
escapes.
cleaning is filtering of input.
escaping is preparing for output.
2 concepts.
I see your point.
if the input needs to be stripped of
On Jan 23, 2008 4:19 PM, Jason Pruim <[EMAIL PROTECTED]> wrote:
> Okay, so I have this mostly working now! if I put my
> ini_set("include_path", "blah/to/balh"); on each and every page. I
> know I could include a file that is in the document root which
> specified that, but I was wondering if I was
Dotan Cohen wrote:
On 23/01/2008, Jochem Maas <[EMAIL PROTECTED]> wrote:
I can read, I saw 2 functions the first time. each function cleans *and*
escapes.
cleaning is filtering of input.
escaping is preparing for output.
2 concepts.
I see your point.
if the input needs to be stripped of h
Right now I still use mysql_escape_string and it seems to work fine,
but it makes me nervous as everything else I use is mysqli and I know
it is not 100% compatible (just haven't had anything break it yet) -
but I hate having to have a connection handle open just to escape
things.
If you need
Dotan Cohen wrote:
On 23/01/2008, mike <[EMAIL PROTECTED]> wrote:
It would be Real Nifty (tm) if the MySQL API had a function that let
you specify the charset without a connection and did the escaping.
Presumably you don't NEED a connection if you already know what
charset thingie you are aimin
On 23/01/2008, Jochem Maas <[EMAIL PROTECTED]> wrote:
> I can read, I saw 2 functions the first time. each function cleans *and*
> escapes.
>
> cleaning is filtering of input.
> escaping is preparing for output.
>
> 2 concepts.
I see your point.
> if the input needs to be stripped of html then i
On 23/01/2008, Eric Butera <[EMAIL PROTECTED]> wrote:
> There isn't a reason to go and report a bug as their stuff works fine.
I would have filed a wish, not a bug. They are both filed in the
bugzillas that I'm familiar with. In any case, I'm not filing as I've
no account there and I'll not be fil
On Jan 23, 2008, at 2:42 PM, Richard Lynch wrote:
On Wed, January 23, 2008 8:37 am, Jason Pruim wrote:
On Jan 22, 2008, at 3:57 PM, Jason Pruim wrote:
Hi everyone,
#1. When including files outside of the webroot do you need to
specify the entire path? Like for me, that would be somet
On 23/01/2008, mike <[EMAIL PROTECTED]> wrote:
> > > It would be Real Nifty (tm) if the MySQL API had a function that let
> > > you specify the charset without a connection and did the escaping.
> > >
> > > Presumably you don't NEED a connection if you already know what
> > > charset thingie you ar
On 23/01/2008, Richard Lynch <[EMAIL PROTECTED]> wrote:
> On Wed, January 23, 2008 12:47 pm, Dotan Cohen wrote:
> > On 23/01/2008, Eric Butera <[EMAIL PROTECTED]> wrote:
> >> On Jan 22, 2008 8:01 PM, Dotan Cohen <[EMAIL PROTECTED]> wrote:
> > However, I do not think that the script should throw an
On Jan 23, 2008 9:57 PM, Nathan Nobbe <[EMAIL PROTECTED]> wrote:
> On Jan 23, 2008 3:38 PM, Floor Terra <[EMAIL PROTECTED]> wrote:
>
> > Hi,
> >
> > Is it possible to use unpack() to read a big endian signed long
> > on a little endian machine?
> > http://nl.php.net/pack refers to perl, on which th
On Jan 23, 2008 3:38 PM, Floor Terra <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Is it possible to use unpack() to read a big endian signed long
> on a little endian machine?
> http://nl.php.net/pack refers to perl, on which this function is based.
> The php function unpack() doesn't seem to support the "
Dotan Cohen wrote:
On 23/01/2008, Jochem Maas <[EMAIL PROTECTED]> wrote:
you don't understand what I mean.
input filtering is a separate task to output filtering.
you filter and validate all input to the script regardless of
how you are going to use it. THEN you escape the filtered, validated
Hi,
Is it possible to use unpack() to read a big endian signed long
on a little endian machine?
http://nl.php.net/pack refers to perl, on which this function is based.
The php function unpack() doesn't seem to support the "<" and ">"
modifiers like perl does.
Floor Terra
On Jan 23, 2008 3:28 PM, Jason Pruim <[EMAIL PROTECTED]> wrote:
> I didn't realize that... That's good info. I always hear people
> talking about .htaccess files on all the different lists I'm on so I
> thought it was an industry standard thing :)
>
> Now I can shut my brain down because I learned
On Jan 23, 2008, at 3:04 PM, Daniel Brown wrote:
On Jan 23, 2008 2:56 PM, Jason Pruim <[EMAIL PROTECTED]> wrote:
that's why I made my decision. Not to say it's the right one, just a
step in the right direction. To me it also seems more portable across
hosts to have access outside of your webro
On Jan 23, 2008 2:56 PM, Jason Pruim <[EMAIL PROTECTED]> wrote:
> that's why I made my decision. Not to say it's the right one, just a
> step in the right direction. To me it also seems more portable across
> hosts to have access outside of your webroot vs. access to .htaccess
It's far more po
Daniel Brown wrote:
> On Jan 23, 2008 2:50 PM, Roberto Mansfield <[EMAIL PROTECTED]> wrote:
>> I tend to keep the directories in the document root, but I deny access
>> via an .htaccess file. This keeps the code in a simple directory
>> structure. Anyone else doing that?
>
> My fear on that is
On Jan 23, 2008 2:37 PM, Dotan Cohen <[EMAIL PROTECTED]> wrote:
> On 23/01/2008, Richard Lynch <[EMAIL PROTECTED]> wrote:
> > Back to the original question...
> >
> > I suppose you could use mysql_escape_string (note the lack of "real")
> > in the short term...
>
> I'd rather not. There is no short
On Jan 23, 2008 2:50 PM, Roberto Mansfield <[EMAIL PROTECTED]> wrote:
> I tend to keep the directories in the document root, but I deny access
> via an .htaccess file. This keeps the code in a simple directory
> structure. Anyone else doing that?
My fear on that is if there's changes to the se
On Jan 23, 2008, at 2:50 PM, Roberto Mansfield wrote:
Jason Pruim wrote:
Been doing some reading on security and have decided that I should
be
storing my include files outside of the document root... Which I
understand how to do it, but what I'm wondering, is say I write the
Next Killer Ap
Jason Pruim wrote:
>
>> Been doing some reading on security and have decided that I should be
>> storing my include files outside of the document root... Which I
>> understand how to do it, but what I'm wondering, is say I write the
>> Next Killer App (tm). How would I port that code easily off of
On Wed, January 23, 2008 4:13 am, Andre Hübner wrote:
> Warning: Unexpected character in input: '' (ASCII=27) state=1 in
> /folders/php-4.4.8 on line 3600
>
> Warning: Unexpected character in input: '' (ASCII=8) state=1 in
> /folders/php-4.4.8 on line 3600
>
> Warning: Unexpected character in inp
On Wed, January 23, 2008 8:37 am, Jason Pruim wrote:
>
> On Jan 22, 2008, at 3:57 PM, Jason Pruim wrote:
>
>> Hi everyone,
>>
> #1.When including files outside of the webroot do you need to
> specify the entire path? Like for me, that would be something like: "/
> volumes/raider/webserver/inclu
> > It would be Real Nifty (tm) if the MySQL API had a function that let
> > you specify the charset without a connection and did the escaping.
> >
> > Presumably you don't NEED a connection if you already know what
> > charset thingie you are aiming at...
I concur - it would be nice to have the c
On Wed, January 23, 2008 12:47 pm, Dotan Cohen wrote:
> On 23/01/2008, Eric Butera <[EMAIL PROTECTED]> wrote:
>> On Jan 22, 2008 8:01 PM, Dotan Cohen <[EMAIL PROTECTED]> wrote:
> However, I do not think that the script should throw an error until I
> actually call mysql_clean. Merely having it in a
On 23/01/2008, Richard Lynch <[EMAIL PROTECTED]> wrote:
> Back to the original question...
>
> I suppose you could use mysql_escape_string (note the lack of "real")
> in the short term...
I'd rather not. There is no short term.
> It would be Real Nifty (tm) if the MySQL API had a function that le
On Wed, January 23, 2008 11:47 am, Dotan Cohen wrote:
> On 23/01/2008, Jochem Maas <[EMAIL PROTECTED]> wrote:
>> for each output (output to mysql, output to browser, etc)
Back to the original question...
I suppose you could use mysql_escape_string (note the lack of "real")
in the short term...
I
On 23/01/2008, Eric Butera <[EMAIL PROTECTED]> wrote:
> On Jan 22, 2008 8:01 PM, Dotan Cohen <[EMAIL PROTECTED]> wrote:
> > I have a file of my own functions that I include in many places. One
> > of them uses mysql_real_escape_string, however, it may be called in a
> > context that will or will no
On Jan 22, 2008 8:01 PM, Dotan Cohen <[EMAIL PROTECTED]> wrote:
> I have a file of my own functions that I include in many places. One
> of them uses mysql_real_escape_string, however, it may be called in a
> context that will or will not connect to a mysql server, and worse,
> may already be conne
On Jan 23, 2008 10:03 AM, Dotan Cohen <[EMAIL PROTECTED]> wrote:
> On 23/01/2008, James Ausmus <[EMAIL PROTECTED]> wrote:
> > Try using the mysql_ping() command to check to see if your connection
> > is available:
> >
> > http://us2.php.net/manual/en/function.mysql-ping.php
> >
> > something like:
On 23/01/2008, James Ausmus <[EMAIL PROTECTED]> wrote:
> Try using the mysql_ping() command to check to see if your connection
> is available:
>
> http://us2.php.net/manual/en/function.mysql-ping.php
>
> something like:
>
>
> if ([EMAIL PROTECTED]()) //Note the @ is because, if mysql_ping cannot g
Try using the mysql_ping() command to check to see if your connection
is available:
http://us2.php.net/manual/en/function.mysql-ping.php
something like:
HTH-
James
On Jan 22, 2008 6:04 PM, Dotan Cohen <[EMAIL PROTECTED]> wrote:
> On 23/01/2008, Richard Lynch <[EMAIL PROTECTED]> wrote:
> >
>
On 23/01/2008, Jochem Maas <[EMAIL PROTECTED]> wrote:
> you don't understand what I mean.
>
> input filtering is a separate task to output filtering.
> you filter and validate all input to the script regardless of
> how you are going to use it. THEN you escape the filtered, validated data
> for eac
others have given good advice, but let's learn to walk before we run shall we.
1. session_start() should be called once per request.
2. checkValidUser() does a select on all the users in the database, this is
*wrong* -
do a select with a suitable WHERE clause that retrieves the one user that
ma
Dotan Cohen wrote:
On 23/01/2008, Jochem Maas <[EMAIL PROTECTED]> wrote:
The file defines some of my own functions, like these:
function clean_html ($dirty) {
$dirty=strip_tags($dirty);
$clean=htmlentities($dirty);
return $clean;
}
function clean_mysql ($dirty) {
$dirty=str_r
On 23/01/2008, Jochem Maas <[EMAIL PROTECTED]> wrote:
> > The file defines some of my own functions, like these:
> >
> > function clean_html ($dirty) {
> > $dirty=strip_tags($dirty);
> > $clean=htmlentities($dirty);
> > return $clean;
> > }
> >
> > function clean_mysql ($dirty) {
> >
Dotan Cohen wrote:
On 23/01/2008, Richard Lynch <[EMAIL PROTECTED]> wrote:
On Tue, January 22, 2008 7:01 pm, Dotan Cohen wrote:
I have a file of my own functions that I include in many places. One
of them uses mysql_real_escape_string, however, it may be called in a
context that will or will
On Jan 22, 2008 8:48 PM, Richard Lynch <[EMAIL PROTECTED]> wrote:
> On Tue, January 22, 2008 7:17 pm, Daniel Brown wrote:
> > You may disagree with me on this here, Rich, but the way I do it
> > is to have a single include_files.php file containing all of the files
> > that need to be included
On Wednesday, 23 January 2008 at 09:37, Jason Pruim wrote:
> On Jan 22, 2008, at 3:57 PM, Jason Pruim wrote:
>
> > Hi everyone,
> >
> > Been doing some reading on security and have decided that I should
> > be storing my include files outside of the document root... Which I
> > understan
Quoting Jason Pruim <[EMAIL PROTECTED]>:
On Jan 22, 2008, at 3:57 PM, Jason Pruim wrote:
Hi everyone,
Been doing some reading on security and have decided that I should
be storing my include files outside of the document root... Which I
understand how to do it, but what I'm wondering,
On Jan 22, 2008, at 3:57 PM, Jason Pruim wrote:
Hi everyone,
Been doing some reading on security and have decided that I should
be storing my include files outside of the document root... Which I
understand how to do it, but what I'm wondering, is say I write the
Next Killer App (tm). Ho
On 1/23/08, mbneto <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I've checked all pages and downloaded the php5.2.5.release1.tar.gz (the
> latest I found) but I get the same errors
>
> httpd: Syntax error on line 484 of /private/etc/apache2/httpd.conf: Syntax
> error on line 8 of /private/etc/apache2/other/
Help??
I need to get the namespaces from the root node of a DomDocument..
http://www.w3.org/2001/XInclude";>
I know I can retrieve the namespaceUri from the "xi:include" node using
lookupNamespaceURI and ->prefix but I need to get it from where it's
defined in "chapter"
but assumi
Hi,
I've checked all pages and downloaded the php5.2.5.release1.tar.gz (the
latest I found) but I get the same errors
httpd: Syntax error on line 484 of /private/etc/apache2/httpd.conf: Syntax
error on line 8 of /private/etc/apache2/other/entropy-php.conf: Cannot load
/usr/local/php5/libphp5.so i
PHP's error handler can be set up to automatically send emails. Send them to a
dedicated mailbox and then check that mailbox every day.
Miguel Guirao wrote:
Hello fellow members of this list,
There are a couple of routine tasks that our servers (different platforms)
perform during the night. E
On Jan 23, 2008 12:58 AM, Nathan Nobbe <[EMAIL PROTECTED]> wrote:
> On Jan 18, 2008 5:24 PM, Richard Lynch <[EMAIL PROTECTED]> wrote:
>
> > If you are trying to keep the names and orders in "parallel" you need
> > to do something not unlike:
> >
> > while (list($key, $name) = each($names)){
> > $o
On Mon, 21 Jan 2008 17:23:34 +0100, "Daniel Brown" <[EMAIL PROTECTED]>
wrote:
The only way I can think of that would allow you to do it is to
dynamically-name the fields in the form. By doing so, AutoComplete
won't be able to recognize the fields, and you should be in good
shape. In the
Hi List,
my situation is as follows. I use on suse 10.1 apache2 and php5 as module and
php5 as cgi using mod_fcgid
For some tests i also want to have a php4 as second cgi
I compiled with this configure-line:
./configure --prefix=/usr/ --datadir=/usr/share/php/ --bindir=/usr/bin/
--libdir=/usr/sh