php-general Digest 12 Oct 2009 18:10:52 -0000 Issue 6387

Topics (messages 298849 through 298870):

Re: security/deployment issue
        298849 by: James McLean

Re: Need unrounded precision
        298850 by: Arno Kuhl
        298851 by: Chetan Rane
        298858 by: Diogo Neves
        298862 by: Jaime Bozza
        298865 by: Andrea Giammarchi
        298866 by: Jaime Bozza
        298868 by: Andrea Giammarchi
        298869 by: Jaime Bozza

Re: php exception handling
        298852 by: kranthi

VC9 x86 Non Thread Safe or VC9 x86 Thread Safe  ?
        298853 by: loki
        298855 by: Tommy Pham

Re: Insult my code!
        298854 by: David Otton

Re: How do YOU set default function/method params?
        298856 by: Stephan Ebelt
        298857 by: David Otton

Wrighting to $_POST array
        298859 by: hessiess.hessiess.com
        298860 by: Jay Ess
        298861 by: Jim Lucas
        298863 by: Andrea Giammarchi

exec() confused by a specially crafted string
        298864 by: Soner Tari
        298867 by: Jonathan Tapicer
        298870 by: Soner Tari


----------------------------------------------------------------------
--- Begin Message ---
On Mon, Oct 12, 2009 at 4:06 PM, Augusto Flavio <afla...@gmail.com> wrote:
> i have a doubt about my security and deployment methods. Today i manage
> several projects and these projects are versioned with subversion. My
> environment is something like this:
>
> 1. The developer make some update in the source code of a project. (from
> your IDE, generally netbeans)
> 2. The developer commit the modifications to the subversion server after
> test it(sure).
> 3. The project manager sync the files from the dev server to the prod
> server(using rsync).

Sounds mostly fine. I assume you have other testing going on before
deployment to production, though.

> Well, my questions are 2. All about the rsync:
>
> 1. For each project we have a ssh user that is used to sync the files(source
> code) to the prod server. The problem that i see here is that for each
> project i need to have a ssh account to sync these files. This is not so
> cool because i need to have severals actived ssh accounts in my prod server.
> I'm thinking about the root account to do this work. Is this a good
> practice?

The root account is not a very good idea for this. You could create a
'service' account that is used exclusively for transferring the files
to the server. To allow this user access to the various source
directories you can use something like ACLs or perhaps even regular
UNIX file permissions may work if your needs aren't very complex.

> 2. Does have some another way, more better than the rsync for this
> deployment issue?

Rsync should work fine, but personally I like to see exactly which
changes are being deployed especially when deploying to production.
While I realise this recommendation is not Open Source software, I
have found it to be an excellent piece of software for this task. I
use Beyond Compare which has the ability to connect over SFTP or SCP
as well as regular FTP. It allows you to 'diff' the files as you go
and view exact changes and you can transfer only the changes you want
or whole files if you choose to. I would not be surprised if an Open
Source equivalent exists.

Cheers,

James

--- End Message ---
--- Begin Message ---
-----Original Message-----
From: Andre Dubuc [mailto:aajdu...@webhart.net] 
Sent: 02 January 2010 03:20 AM
To: php-gene...@lists.php.net
Subject: [PHP] Need unrounded precision

Hi,

I need to extract the first digit after the decimal point from a number such
as 28.56018, which should be '5'.

I've tried a few methods to accomplish this. If I use 'ini_set' I would need
to know the number of digits before the decimal (which, unfortunately, I
would not have access to). 

Then I've tried:

<?php

        $elapsed = 28.56018;

        $digit = round($elapsed, 1); // rounds result is '6'
        $digit = number_format($elapsed, 1); // still rounds result to '6'

?>

What I need is only the first digit after the decimal -- all the rest could
be 'chopped' or discarded but without rounding the first digit after the
decimal point. 

Is there any way of doing this?

I'm stumped.

Tia,
Andre

--

One way that should work regardless of the number of digits before/after the
decimal is:
- convert to string (sprintf or typecast)
- strpos the decimal
- grab the char from the next position

Cheers
Arno


--- End Message ---
--- Begin Message ---
Maybe this will work:
$elapsed = 28.56018;
$elapsed_rel = (int) 28.56018;
$elapsed_deci = $elapsed - $elapsed_rel;
$deci = ((int) ($elapsed_deci * 10))/10;
$final = $elapsed_rel + $deci;


With regards,

Chetan Dattaram Rane | Software Engineer | Persistent Systems

--- End Message ---
--- Begin Message ---
A simple way to do that would be:

$elapsed = strval( 28.56018 );
$pos = strpos( $elapsed, '.' );
echo $elapsed[ ++$pos ];

-- 
Thanks,

Diogo Neves
Web Developer @ SAPO.pt by PrimeIT.pt

--- End Message ---
--- Begin Message ---
> -----Original Message-----
> From: Diogo Neves [mailto:dafne...@gmail.com]
> Sent: Monday, October 12, 2009 9:19 AM
> To: Andre Dubuc
> Cc: php-gene...@lists.php.net
> Subject: Re: [PHP] Need unrounded precision
> 
> A simple way to do that would be:
> 
> $elapsed = strval( 28.56018 );
> $pos = strpos( $elapsed, '.' );
> echo $elapsed[ ++$pos ];
> 
> On Sat, Jan 2, 2010 at 2:20 AM, Andre Dubuc <aajdu...@webhart.net>
> wrote:
> 
> > Hi,
> >
> > I need to extract the first digit after the decimal point from a
> number
> > such
> > as 28.56018, which should be '5'.


Couldn't this be done with just simple math functions?


$a = 28.56018;
$b = intval(($a*10)-(intval($a)*10));

or:

$a = 28.56018;
$b = intval(($a-intval($a))*10);


Jaime


--- End Message ---
--- Begin Message ---

> Couldn't this be done with just simple math functions?

indeed:

$a = 28.56018;
$b = $a * 10 % 10 >> 0;

Regards
                                          

--- End Message ---
--- Begin Message ---
>> Couldn't this be done with just simple math functions?
>
>indeed:
>
>$a = 28.56018;
>$b = $a * 10 % 10 >> 0;

Hmmm...   Didn't think about this, but % only works with int values, so

$b = $a * 10 % 10;

Should work as well.

Jaime


--- End Message ---
--- Begin Message ---

> Hmmm...   Didn't think about this, but % only works with int values

it was just a future-proof precaution since this statement is false for many other
languages.
In a few words, I am not sure PHP6 does the same ... never mind so far

Regards
                                          

--- End Message ---
--- Begin Message ---
>> Hmmm... Didn't think about this, but % only works with int values
>
>it was just a future-proof precaution since this statement is false for many
>other languages.
>In a few words, I am not sure PHP6 does the same ... never mind so far

Good to know.  In that case, I would probably just use intval() instead of >> 
since it's clearer and bitwise shifts aren't necessarily integer only either.

Jaime


--- End Message ---
--- Begin Message ---
Can't http://us3.php.net/manual/en/function.set-exception-handler.php be used?

<?php
function exception_handler($e) {
    //mail('to', 'exception', $e->getMessage());
}
set_exception_handler('exception_handler');

--- End Message ---
--- Begin Message ---
Hello,

We use Php-cgi.exe as FastCGI with our own custom WebServer on Windows Server.
What to choose, VC9 x86 Non Thread Safe or VC9 x86 Thread Safe?

We have this environment variable:

PHP_FCGI_CHILDREN: 8

Thank you in advance
stephane

--

Http://www.arkadia.com/fra/
Http://www.arkadia.com/usa/
Http://www.arkadia.com/rus/
--- End Message ---
--- Begin Message ---
Stephane,

If my memory serves, use NTS.

Regards,
Tommy


--- End Message ---
--- Begin Message ---
2009/10/11 Eric Bauman <baum...@livejournal.dk>:

> As before, please feel free to insult my code. ;-) Any and all feedback is
> of course most appreciated.

I know you're more concerned with structure, but your checkInt()
method is arguably buggy/has an un-noted assumption. It accepts ints
formatted as ints and strings, but not floats:

<?php

require_once 'PHPUnit/Framework/TestCase.php';
require_once 'BankModel.php';

class BankModelTest extends PHPUnit_Framework_TestCase
{
    function testSetBalanceAcceptsInts()
    {
        $fixture = new BankModel();
        $int = 1351236;
        $this->assertNull( $fixture->setBalance($int) );
    }

    function testSetBalanceAcceptsFloats()
    {
        $fixture = new BankModel();
        $float = (float)1351236;
        $this->assertNull( $fixture->setBalance($float) );
    }

    function testSetBalanceAcceptsStrings()
    {
        $fixture = new BankModel();
        $string = (string)1351236;
        $this->assertNull( $fixture->setBalance($string) );
    }
}

--- End Message ---
--- Begin Message ---
On Sun, Oct 11, 2009 at 01:17:00PM -0700, Jim Lucas wrote:
> Stephan Ebelt wrote:
> > On Mon, Oct 05, 2009 at 05:48:32PM -0700, Jim Lucas wrote:
> >> Here is a problem that I have had for years now.  I have been trying to 
> >> come up
> >> with the perfect solution for this problem.  But, I have come down to two
> >> different methods for solving it.
> >>
> >> Here is the problem...
> > 
> > [...]
> > 
> >> Now, we all have a function or method like this floating around somewhere.
> >>
> >> My question is, how do YOU go about setting the required entries of the 
> >> $headers
> >> array() ?
> >>
> > 
> > [...]
> > 
> >> END of examples...
> >>
> >> Now, IMO, the last one is the simplest one and for me, I think it will be 
> >> the
> >> new way that I solve this type of problem.
> >>
> >> But, my question that I put out to all of you is...
> >>
> >>    How would you solve this problem?
> > 
> > I have use this array_merge() approach mentioned in other posts for
> > quite some time but found that it introduced many bugs when fieldnames 
> > changed.
> > Ie. if the defaults come from a database table and I changed the schema it
> > caused undefined values during the merging and - worse - sometimes messed 
> > up the
> > inner workings of functions...
> > 
> > Then I heard of the "value object" approach somewhere and found that much 
> > more
> > solid. One would basically define a class where default values are 
> > represented
> > by its properties. Ie:
> > 
> > class vo_email extends vo {
> >     public $to = '';
> >     public $from = '';
> >     public $subject = '(no subject)';
> >     public $body = '';
> >     ...
> > }
> > 
> > the constructor can make sure that absolutly necessary values are required 
> > and
> > set properly - and could complain if something is not right. There could be
> > methods that add() or set() or change() things. These could also be 
> > inherited
> > from a very generic class "vo" so that this stuff is written once and 
> > applies
> > to all sorts of defaults in the program.
> > In my app the inherited constructor accepts arrays as parameter and assigns
> > their elements to the object properties and - by that - overwrites the 
> > default
> > settings. If elements do not match with the defined properties it will 
> > trigger
> > a very visible call trace.
> > 
> > A function like sendEmail() would then require a object of type vo_email as
> > parameter and would work with its properties internally and can rely on it 
> > as
> > the vo's constructor should have catched anything bad.
> > 
> > If additional logic for the input values is required, it can be added 
> > easily:
> > 
> > class dao_email extends vo_email {
> >     ...
> >     public function encode_body() {
> >             ...
> >     }
> > 
> >     public function sanitize_mail_address() {
> > 
> >     }
> >     ...
> > }
> > 
> 
> This is a very interesting approach.  How would you initialize the class?  
> Using
> a Singleton Method, or a Globally available class variable

As far as I understood/use it: I try to hardcode as many workable defaults in
the vo class as possible (i.e. see $subject in the example). Then I create objects
by passing result records from the database (arrays) to the constructor. That
either returns an object or crashes the application if something is wrong.

Optionally I can create objects without any passed-in parameter, which will give
one with only the defaults set. Depending on the class' definition those may
have empty properties. These can be set by subsequent code like
$object->empty_property='bla'. This way it's not much different than using plain
arrays, except that it's still an object which might have additional functionality.

In the email example the constructor should probably refuse to return an object
unless $to and $from are given. I can't see much use without these two.

stephan

> 
> 
> > sendEmail() would then require a dao_email object (dao=data access object) 
> > as
> > input.
> > 
> > stephan
> > 
> >> TIA
> >>
> >> Jim Lucas
> >>
> > 

--- End Message ---
--- Begin Message ---
2009/10/12 Stephan Ebelt <s...@shared-files.de>:

> as far as I understood/use it: I try to hardcode as many workable defaults in
> the vo class as possible (ie. see $subject in the example). Then I create 
> objects
> by passing result records from the database (arrays) to the constructor. That
> either returns a object or crashes the application if something is wrong.

> Optionally I can create objects without any passed-in parameter which will 
> give
> one with only the defaults set. Depending on the class' definition those may

Ok, I'm going to make a case against the use of default values
hard-coded within the class here:

a) Default values mean more code.

The less code you have, the less bugs. Just strip the defaults out,
and they'll never cause errors.

b) Default values hide missing values.

If a value gets mislaid during the build process, the class will still
work, kinda, sortof, but it won't behave as expected. Better to exit
loudly and let the build manager fix the missing value, rather than
try to muddle through on partial data, and fail /really/ impressively
further down the road.

c) You should store all your config options in the same place.

This is simply good practice - it makes life easier for anyone coming
after you who knows that /everything/ is in one place. Zend_Config is
a nice approach - the Config object parses an ini file, and you pass
fragments of the config object to your class constructors. Eg:

    $conf = new Zend_Config_Ini( 'config/settings.ini', 'live' );
    $db = Zend_Db::factory( $conf->application->databasesettings );

d) Default values lead to assumptions.

MyClass assumes that DbClass connects to localhost if nothing is
passed. This means that MyClass is relying on a feature of DbClass
where it doesn't strictly have to, and DbClass is a little bit less of
a black box.

e) Defaults aren't.

What makes sense on one machine (eg a default of 'localhost' for the
db) may not make sense on another. Rather than tweak the class
defaults to fit the local conditions every time you deploy it, and
have dozens of slightly different versions hanging around, just be
explicit and push the parameters in from outside.

Comments welcome of course, but I've strayed off PHP and into OO design, here.

--- End Message ---
--- Begin Message ---
I have some code which will loop over the whole $_POST array, run it
through mysql_real_escape_string and then write it all back to the array
again, which seems to work. Are there any incompatibility problems or
suchlike with writing into the $_POST or $_GET array?

    function clean_post()
    {
        $npost = array();

        // Test the key, not the value: an empty or "0" field would
        // otherwise end the loop early and drop the remaining fields.
        while (($key = key($_POST)) !== null)
        {
            $npost += array("$key" => mysql_real_escape_string(current($_POST)));
            next($_POST);
        }

        $_POST = $npost;
    }




--- End Message ---
--- Begin Message ---
hessi...@hessiess.com wrote:
> I have some code which will loop over the whole $_POST array, runs it
> through mysql_real_escape_string and then writes it all back to the array
> again, which seems to work. Are there any incompatibility problems or such
> like with writing into the $_POST or $_GET array?
>
>     function clean_post()
>     {
>         $npost = array();
>
>         while ($value = current($_POST))
>         {
>             $key = key($_POST);
>             $npost += array("$key" => mysql_real_escape_string($value));
>             next($_POST);
>         }
>
>         $_POST = $npost;
>     }



There could be problems when introducing slashes if you use other people's code. But if this is for your own code it probably won't matter.

And here is a shorter version of your code:
foreach ($_POST as $key => $val)
    $_POST[$key] = mysql_real_escape_string($val);

--- End Message ---
--- Begin Message ---
Jay Ess wrote:
> hessi...@hessiess.com wrote:
>> I have some code which will loop over the whole $_POST array, runs it
>> through mysql_real_escape_string and then writes it all back to the array
>> again, which seams to work. Are there any incompatibility problems or
>> such
>> like with writing into the $_POST or $_GET array?
>>
>>     function clean_post()
>>     {
>>         $npost = array();
>>
>>         while ($value = current($_POST))
>>         {
>>             $key = key($_POST);
>>             $npost += array("$key" => mysql_real_escape_string($value));
>>             next($_POST);
>>         }
>>
>>         $_POST = $npost;
>>     }
>>
>>
>>   
> 
> There could be problems when introducing slashes if you use other
> peoples codes. But if this is for your own code it probably wont matter.
> 
> And here is a shorter version of your code :
> foreach($_POST as $key=>$val)
>  $_POST[$key] = mysql_real_escape_string($val);
> 

But, first, you need to use get_magic_quotes_gpc() to see if magic_quotes_gpc is
turned on.  If so, you need to run stripslashes() on your variables before you
run the mysql_real_escape_string() on them.


if ( get_magic_quotes_gpc() ) {
    $_POST = array_map('stripslashes', $_POST);
}
$_POST = array_map('mysql_real_escape_string', $_POST);



--- End Message ---
--- Begin Message ---

> But, first, you need to use get_magic_quotes_gpc() to see if magic_quotes_gpc 
> is
> turned on.  If so, you need to run stripslashes() on your variables before you
> run the mysql_real_escape_string() on them.
> 
> 
> if ( get_magic_quotes_gpc() ) {
>     $_POST = array_map('stripslashes', $_POST);
> }
> $_POST = array_map('mysql_real_escape_string', $_POST);

I would totally remove magic_quotes_gpc rather than this for each request:

if ( get_magic_quotes_gpc() ) {
    $_GET = array_map('stripslashes', $_GET);
    $_POST = array_map('stripslashes', $_POST);
    //  $_REQUEST = array_map('stripslashes', $_REQUEST);
    // The cookie superglobal is $_COOKIE (singular).
    $_COOKIE = array_map('stripslashes', $_COOKIE);
}

There is a reason why magic_quotes has been removed from the PHP defaults for ages.

Regards
                                          

--- End Message ---
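
Added example, not part of any message in this thread (PHP 7+ with PDO and an in-memory SQLite table; the table, rows and request values are constructed): escaping every $_POST value up front, as discussed above, does not protect a value that is used unquoted in the query, while a bound parameter does. escape_all() is a hypothetical stand-in for array_map('mysql_real_escape_string', $_POST) that uses SQLite's quote-doubling rule, because the mysql_* functions were removed in PHP 7.

```php
<?php
declare(strict_types=1);

// Constructed sample data; nothing here comes from the thread.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)');
$pdo->exec("INSERT INTO accounts (id, owner, balance)
            VALUES (1, 'alice', 100), (2, 'bob', 250), (3, 'o''neil', 75)");

/**
 * Hypothetical stand-in for the "escape all of $_POST" pattern.
 * Recurses so that array-valued fields (name="tags[]") are not handed
 * to a string function, which the one-level array_map() versions do.
 */
function escape_all(array $input): array
{
    $out = [];
    foreach ($input as $key => $value) {
        $out[$key] = is_array($value)
            ? escape_all($value)
            : str_replace("'", "''", (string) $value);
    }
    return $out;
}

/** Lookup built by concatenating pre-escaped input into the SQL text. */
function owners_concatenated(PDO $pdo, array $post): array
{
    $clean = escape_all($post);
    // id is placed in the query without quotes, so a value that contains
    // no quote character passes through the escaping unchanged.
    $sql = "SELECT owner FROM accounts WHERE id = {$clean['id']} ORDER BY id";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

/** Same lookup with a bound parameter: the raw value travels as data only. */
function owners_bound(PDO $pdo, array $post): array
{
    $stmt = $pdo->prepare('SELECT owner FROM accounts WHERE id = :id ORDER BY id');
    $stmt->execute([':id' => $post['id']]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed request, standing in for $_POST.
$request = ['id' => '1 OR 1=1', 'owner' => "o'neil", 'tags' => ['a', "b'c"]];

echo "concatenated: ", implode(', ', owners_concatenated($pdo, $request)), "\n";
echo "bound:        ", implode(', ', owners_bound($pdo, $request)), "\n";
echo "bound id=2:   ", implode(', ', owners_bound($pdo, ['id' => '2'])), "\n";

// The escaped copy is what every later, non-SQL use of the array would see.
echo "escaped owner: ", escape_all($request)['owner'], "\n";
```

With the constructed request, the concatenated query returns every owner while the bound query returns none. The escaped copy of owner is also no longer the value that was submitted, which matters for any use of $_POST other than building SQL.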
--- Begin Message ---
When shell command returns a specially crafted string, I get an empty
array as $output of exec(), instead of the string. I can very easily
reproduce this issue as follows:

Put the following lines in bug.php:

<?php
exec('php echostr.php', $output);
print_r($output);
echo "\n";
?>

Then put the following in echostr.php (the string is just one line
actually, new lines may be inserted by this mail agent, I provide a link
below):

<?php   
echo 'a:25:{i:0;a:4:{s:4:"Date";s:6:"Aug
7";s:4:"Time";s:8:"16:00:01";s:7:"Process";s:16:"newsyslog[23117]";s:3:"Log";s:19:"logfile
 turned over";}i:1;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:12:"openvpn[226]";s:3:"Log";s:76:"OpenVPN
 2.1_rc18 x86_64-unknown-openbsd4.5 [SSL] [LZO1] built on Jun 26 
2009";}i:2;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:12:"openvpn[226]";s:3:"Log";s:102:"NOTE:
 OpenVPN 2.1 requires \'--script-security 2\' or higher to call user-defined 
scripts or executables";}i:3;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:12:"openvpn[226]";s:3:"Log";s:27:"LZO
 compression initialized";}i:4;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:12:"openvpn[226]";s:3:"Log";s:63:"Control
 Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 
]";}i:5;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:12:"openvpn[226]";s:3:"Log";s:70:"Data
 Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 
]";}i:6;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:12:"openvpn[226]";s:3:"Log";s:39:"Local
 Options hash (VER=V4): \'41690919\'";}i:7;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:12:"openvpn[226]";s:3:"Log";s:49:"Expected
 Remote Options hash (VER=V4): \'530fdded\'";}i:8;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:48:"Socket
 Buffers: R=[41600->65536] S=[9216->65536]";}i:9;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:25:"UDPv4
 link local: [undef]";}i:10;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:38:"UDPv4
 link remote: 81.215.105.114:1194";}i:11;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:44:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:98:"TLS
 Error: TLS key negotiation failed to occur within 60 seconds (check your 
network connectivity)";}i:12;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:44:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:31:"TLS
 Error: TLS handshake failed";}i:13;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:44:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:23:"TCP/UDP:
 Closing socket";}i:14;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:44:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:52:"SIGUSR1[soft,tls-error]
 received, process restarting";}i:15;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:44:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:26:"Restart
 pause, 2 second(s)";}i:16;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:102:"NOTE:
 OpenVPN 2.1 requires \'--script-security 2\' or higher to call user-defined 
scripts or executables";}i:17;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:24:"Re-using
 SSL/TLS context";}i:18;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:27:"LZO
 compression initialized";}i:19;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:63:"Control
 Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 
]";}i:20;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:70:"Data
 Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 
]";}i:21;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:39:"Local
 Options hash (VER=V4): \'41690919\'";}i:22;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:49:"Expected
 Remote Options hash (VER=V4): \'530fdded\'";}i:23;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:48:"Socket
 Buffers: R=[41600->65536] S=[9216->65536]";}i:24;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:25:"UDPv4
 link local: [undef]";}}';
?>

When you execute bug.php, you will get an empty array printed out:

Array
(
)

But actually, $output should have contained the string above as element
0 of the array.

If you delete or add a character in the string, exec() runs
correctly and you get the intended result. So the issue is specific to
this special string. You can download echostr.php contents at this link:
http://comixwall.org/dmdocuments/echostr

The problem is not with the size of the string, because much longer
strings are fine.

Also this issue does *not* exist with the passthru() and shell_exec()
functions or the backtick operator. Furthermore, the exec() return value, i.e.
the last line of shell command output, seems fine too (it contains the
string correctly). So I believe the issue is internal to exec(),
affecting $output contents only.

As you can guess, this string is in fact serialized openvpn startup log
lines (I just escaped the single quotes for testing purposes, that's
all), it is not some manually crafted string. Therefore, the chances are
quite high that I will get more than one similar situation in the
future, specifically every time the openvpn logs are rotated, and I
start openvpn.

I have confirmed this issue on OpenBSD, Linux, and Windows. Here are the
versions:

OpenBSD:
PHP 5.2.8 with Suhosin-Patch 0.9.6.3 (cli) (built: Mar  1 2009
10:26:06) 
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
    with Suhosin v0.9.27, Copyright (c) 2007, by SektionEins GmbH

Linux:
PHP 5.2.6-3ubuntu4.2 with Suhosin-Patch 0.9.6.2 (cli) (built: Aug 21
2009 21:43:13) 
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies

Windows:
PHP 5.2.11 (cli) (built: Sep 16 2009 19:39:46)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies

Since Windows version is without Suhosin patch, suhosin as culprit is
ruled out. (Also to test on Windows, I changed the exec shell command as
'php.exe echostr.php' of course.)

I would appreciate if somebody could also confirm my observations, so
that I can file a bug report (please use the link above to download
echostr.php contents to be sure we are testing the same string). Or
else, if you have an explanation, I'd like to hear about it.



--- End Message ---
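
Added example, not part of the original report: a length sweep for narrowing the problem down. It assumes the symptom depends on how many bytes the child prints on one line (suggested by the add-or-delete-one-character observation) and a PHP 7+ CLI; the file name sweep.php, the function names and the default length are constructed.

```php
<?php
declare(strict_types=1);

// Added diagnostic. Assumption: whether exec() loses the output depends
// on the number of bytes the child prints on a single line.

/** Command line for a child PHP process that prints $len bytes and no newline. */
function child_command(int $len): string
{
    // chr(97) keeps quote characters out of the child code, because
    // escapeshellarg() rewrites them on Windows.
    $code = 'echo str_repeat(chr(97), ' . $len . ');';
    return escapeshellarg(PHP_BINARY) . ' -r ' . escapeshellarg($code);
}

/** Run the same command through exec() and shell_exec() and compare. */
function check_length(int $len): array
{
    $cmd = child_command($len);
    $output = [];
    $status = -1;
    $lastLine = exec($cmd, $output, $status);
    $reference = (string) shell_exec($cmd);

    return [
        'len'       => $len,
        'status'    => $status,
        'expected'  => strlen($reference),
        'in_output' => strlen(implode("\n", $output)),
        'last_line' => strlen((string) $lastLine),
        // Correct behaviour: $output holds exactly one element, the full line.
        'ok'        => $output === [$reference],
    ];
}

/** Result rows for every length in [$from, $to] where $output is wrong. */
function sweep(int $from, int $to): array
{
    $failures = [];
    for ($len = $from; $len <= $to; $len++) {
        $row = check_length($len);
        if (!$row['ok']) {
            $failures[] = $row;
        }
    }
    return $failures;
}

// Centre the sweep on the byte length of the string that triggers the
// problem, e.g.: php sweep.php $(php echostr.php | wc -c)
// The default centre is a constructed value.
$centre = isset($argv[1]) ? (int) $argv[1] : 4000;

foreach (sweep(max(1, $centre - 16), $centre + 16) as $row) {
    printf(
        "len=%d status=%d expected=%d in_output=%d last_line=%d\n",
        $row['len'], $row['status'], $row['expected'],
        $row['in_output'], $row['last_line']
    );
}
```

A line is printed only for lengths where $output differs from the shell_exec() result, so no output means the filler string did not reproduce the problem in that range.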
--- Begin Message ---
Confirmed, it also happens to me on Linux, PHP version:

PHP 5.2.4-2ubuntu5.7 with Suhosin-Patch 0.9.6.2 (cli) (built: Aug 21
2009 19:52:39)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies

And adding a single character to the echoed string makes it work fine,
seems like a bug to me.

Regards,

Jonathan

On Mon, Oct 12, 2009 at 1:10 PM, Soner Tari <so...@comixwall.org> wrote:
> When shell command returns a specially crafted string, I get an empty
> array as $output of exec(), instead of the string. I can very easily
> reproduce this issue as follows:
>
> Put the following lines in bug.php:
>
> <?php
> exec('php echostr.php', $output);
> print_r($output);
> echo "\n";
> ?>
>
> Then put the following in echostr.php (the string is just one line
> actually, new lines may be inserted by this mail agent, I provide a link
> below):
>
> <?php
> echo 'a:25:{i:0;a:4:{s:4:"Date";s:6:"Aug
> 7";s:4:"Time";s:8:"16:00:01";s:7:"Process";s:16:"newsyslog[23117]";s:3:"Log";s:19:"logfile
>  turned over";}i:1;a:4:{s:4:"Date";s:6:"Aug 
> 10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:12:"openvpn[226]";s:3:"Log";s:76:"OpenVPN
>  2.1_rc18 x86_64-unknown-openbsd4.5 [SSL] [LZO1] built on Jun 26 
> 2009";}i:2;a:4:{s:4:"Date";s:6:"Aug 
> 10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:12:"openvpn[226]";s:3:"Log";s:102:"NOTE:
>  OpenVPN 2.1 requires \'--script-security 2\' or higher to call user-defined 
> scripts or executables";}i:3;a:4:{s:4:"Date";s:6:"Aug 
> 10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:12:"openvpn[226]";s:3:"Log";s:27:"LZO
>  compression initialized";}i:4;a:4:{s:4:"Date";s:6:"Aug 
> 10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:12:"openvpn[226]";s:3:"Log";s:63:"Control
>  Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 
> ]";}i:5;a:4:{s:4:"Date";s:6:"Aug 
> 10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:12:"openvpn[226]";s:3:"Log";s:70:"Data
>  Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 
> ]";}i:6;a:4:{s:4:"Date";s:6:"Aug 
> 10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:12:"openvpn[226]";s:3:"Log";s:39:"Local
>  Options hash (VER=V4): \'41690919\'";}i:7;a:4:{s:4:"Date";s:6:"Aug 
> 10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:12:"openvpn[226]";s:3:"Log";s:49:"Expected
>  Remote Options hash (VER=V4): \'530fdded\'";}i:8;a:4:{s:4:"Date";s:6:"Aug 
> 10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:48:"Socket
>  Buffers: R=[41600->65536] S=[9216->65536]";}i:9;a:4:{s:4:"Date";s:6:"Aug 
> 10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:25:"UDPv4
>  link local: [undef]";}i:10;a:4:{s:4:"Date";s:6:"Aug 
> 10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:38:"UDPv4
>  link remote: 81.215.105.114:1194";}i:11;a:4:{s:4:"Date";s:6:"Aug 
> 10";s:4:"Time";s:8:"22:44:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:98:"TLS
>  Error: TLS key negotiation failed to occur within 60 seconds (check your 
> network connectivity)";}i:12;a:4:{s:4:"Date";s:6:"Aug 
> 10";s:4:"Time";s:8:"22:44:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:31:"TLS
>  Error: TLS handshake failed";}i:13;a:4:{s:4:"Date";s:6:"Aug 
> 10";s:4:"Time";s:8:"22:44:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:23:"TCP/UDP:
>  Closing socket";}i:14;a:4:{s:4:"Date";s:6:"Aug 
> 10";s:4:"Time";s:8:"22:44:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:52:"SIGUSR1[soft,tls-error]
>  received, process restarting";}i:15;a:4:{s:4:"Date";s:6:"Aug 
> 10";s:4:"Time";s:8:"22:44:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:26:"Restart
>  pause, 2 second(s)";}i:16;a:4:{s:4:"Date";s:6:"Aug 
> 10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:102:"NOTE:
>  OpenVPN 2.1 requires \'--script-security 2\' or higher to call user-defined 
> scripts or executables";}i:17;a:4:{s:4:"Date";s:6:"Aug 
> 10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:24:"Re-using
>  SSL/TLS context";}i:18;a:4:{s:4:"Date";s:6:"Aug 
> 10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:27:"LZO
>  compression initialized";}i:19;a:4:{s:4:"Date";s:6:"Aug 
> 10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:63:"Control
>  Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 
> ]";}i:20;a:4:{s:4:"Date";s:6:"Aug 
> 10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:70:"Data
>  Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 
> ]";}i:21;a:4:{s:4:"Date";s:6:"Aug 
> 10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:39:"Local
>  Options hash (VER=V4): \'41690919\'";}i:22;a:4:{s:4:"Date";s:6:"Aug 
> 10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:49:"Expected
>  Remote Options hash (VER=V4): \'530fdded\'";}i:23;a:4:{s:4:"Date";s:6:"Aug 
> 10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:48:"Socket
>  Buffers: R=[41600->65536] S=[9216->65536]";}i:24;a:4:{s:4:"Date";s:6:"Aug 
> 10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:25:"UDPv4
>  link local: [undef]";}}';
> ?>
>
> When you execute bug.php, you will get an empty array printed out:
>
> Array
> (
> )
>
> But actually, $output should have contained the string above as element
> 0 of the array.
>
> If you delete or add a character in the string, exec() runs
> correctly and you get the intended result. So the issue is specific to
> this special string. You can download echostr.php contents at this link:
> http://comixwall.org/dmdocuments/echostr
>
> The problem is not with the size of the string, because much longer
> strings are fine.
>
> Also this issue does *not* exist with passthru(), shell_exec()
> functions and backtick operator. Furthermore, exec() return value, i.e.
> the last line of shell command output seems fine too (it contains the
> string correctly). So I believe the issue is internal to exec(),
> affecting $output contents only.
>
> As you can guess, this string is in fact serialized openvpn startup log
> lines (I just escaped the single quotes for testing purposes, that's
> all), it is not some manually crafted string. Therefore, the chances are
> quite high that I will get more than one similar situation in the
> future, specifically every time the openvpn logs are rotated, and I
> start openvpn.
>
> I have confirmed this issue on OpenBSD, Linux, and Windows. Here are the
> versions:
>
> OpenBSD:
> PHP 5.2.8 with Suhosin-Patch 0.9.6.3 (cli) (built: Mar  1 2009
> 10:26:06)
> Copyright (c) 1997-2008 The PHP Group
> Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
>    with Suhosin v0.9.27, Copyright (c) 2007, by SektionEins GmbH
>
> Linux:
> PHP 5.2.6-3ubuntu4.2 with Suhosin-Patch 0.9.6.2 (cli) (built: Aug 21
> 2009 21:43:13)
> Copyright (c) 1997-2008 The PHP Group
> Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
>
> Windows:
> PHP 5.2.11 (cli) (built: Sep 16 2009 19:39:46)
> Copyright (c) 1997-2009 The PHP Group
> Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
>
> Since the Windows version is without the Suhosin patch, Suhosin as the culprit is
> ruled out. (Also, to test on Windows, I changed the exec shell command to
> 'php.exe echostr.php', of course.)
>
> I would appreciate it if somebody could also confirm my observations, so
> that I can file a bug report (please use the link above to download
> echostr.php contents to be sure we are testing the same string). Or
> else, if you have an explanation, I'd like to hear about it.

--- End Message ---
--- Begin Message ---
On Mon, 2009-10-12 at 13:21 -0300, Jonathan Tapicer wrote:
> Confirmed, it also happens to me on Linux, PHP version:
> 
> PHP 5.2.4-2ubuntu5.7 with Suhosin-Patch 0.9.6.2 (cli) (built: Aug 21
> 2009 19:52:39)
> Copyright (c) 1997-2007 The PHP Group
> Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
> 
> And adding a single character to the echoed string makes it work fine,
> seems like a bug to me.

Thanks, filed the bug report:
http://bugs.php.net/bug.php?id=49847


--- End Message ---
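
A defensive wrapper for the symptom reported in this thread (exec() filling $output with nothing while its return value still holds the line), added here as an example and not code from any poster or from PHP itself. run_lines() and the sample command are hypothetical and constructed; it assumes PHP 7.0 or later and a command that is safe to run twice.

```php
<?php
// Added example, not code from the thread. run_lines() is a hypothetical
// helper; assumes PHP 7.0+ and a command that is safe to run twice.

function run_lines(string $cmd): array
{
    $output = [];
    $status = 0;
    $last = exec($cmd, $output, $status);
    if ($last === false) {
        throw new RuntimeException("exec() could not run: $cmd");
    }

    // exec() returns the last output line and also appends every line to
    // $output, so the two must agree. The thread reports a case where the
    // return value is intact but $output comes back empty.
    $tail = $output ? $output[count($output) - 1] : '';
    if ($last === $tail) {
        return $output;
    }

    // Disagreement: log it, then re-read through shell_exec(), which the
    // thread reports as unaffected. This runs the command a second time.
    error_log("exec() \$output/return mismatch (exit $status) for: $cmd");
    $raw = shell_exec($cmd);
    if (!is_string($raw)) {
        throw new RuntimeException("shell_exec() returned no output: $cmd");
    }
    $lines = preg_split('/\r\n|\n|\r/', rtrim($raw, "\r\n"));
    return array_map('rtrim', $lines); // exec() also strips trailing whitespace
}

// Constructed sample: a child PHP process printing one serialized log record
// on a single line with no trailing newline, as echostr.php does.
$child = "echo serialize(array(array('Log' => 'logfile turned over')));";
$cmd   = escapeshellarg(PHP_BINARY) . ' -r ' . escapeshellarg($child);

$lines = run_lines($cmd);
// The payload is data only, so refuse object instantiation when decoding it.
$rows = unserialize($lines[0], ['allowed_classes' => false]);
print_r($rows);
```

On a PHP build without the reported problem the fallback never fires and the wrapper returns exec()'s own $output; an entry in the error log is the signal that lines were being dropped silently.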
