php-general Digest 19 Mar 2004 11:26:30 -0000 Issue 2655

Topics (messages 180926 through 180950):

Re: E-mail account disabling warning.
        180926 by: Jeffrey Shaw
        180930 by: Chris W. Parker
        180931 by: Ryan A

Re: Retain form values...
        180927 by: Chris W. Parker
        180928 by: Shane McBride
        180929 by: Chris W. Parker
        180936 by: Shane McBride
        180937 by: Tom Rogers
        180938 by: John W. Holmes

Passing Access Variables to a Browser
        180932 by: Tyger Gilbert
        180933 by: Tyger Gilbert
        180934 by: Tyger Gilbert
        180935 by: Justin Patrin

Re: Javascript Mouseover Help
        180939 by: Jake McHenry
        180940 by: Tom Rogers

Re: Solution to display the results of an exec/system + rsh command
        180941 by: Frédéric Martin

Guru's advice needed ........[Security: SQL injection]
        180942 by: Tariq Murtaza
        180944 by: Chris Shiflett

DB connection problem
        180943 by: Khalid Judeh

Re: Thank you, Microsoft! Now I need an alternate loginmethod
        180945 by: Marek Kilimajer
        180946 by: Marek Kilimajer

Php mailer
        180947 by: Mrs. Geeta Thanu
        180948 by: Evan Nemerson

Mysql look up and then rename
        180949 by: Brent Clark

Re: too much trimming
        180950 by: Marek Kilimajer


----------------------------------------------------------------------
--- Begin Message ---
There seems to be a lot of these going around.

Remember:

Don't open attachments unless you are sure of what you are getting!

Keep your Virus Scan program up to date.  Any database over 14 days old
should be updated.

Many times, the Headers and addresses of the messages are faked.  This is
easy to do.  So if there is any doubt, send an e-mail to an address listed
at the website the email originates from and ask for more information.

These virus writers are relying on people to unwittingly open their
attachments so they may go through with their evil plans.

Is there any Php.net official on this list that can shed more light on this
please....

JL Shaw

--- End Message ---
--- Begin Message ---
Jeffrey Shaw <mailto:[EMAIL PROTECTED]>
    on Thursday, March 18, 2004 3:20 PM said:

> Is there any Php.net official on this list that can shed more light
> on this please....

nothing to shed light on really... (unless i've missed something.)

it's not from the people at php.net so your best bet is to just ignore
it.



chris.

--- End Message ---
--- Begin Message ---
On 3/19/2004 12:20:17 AM, Jeffrey Shaw ([EMAIL PROTECTED]) wrote:
> There seems to be a lot of these going around.
>
> Remember:
>
> Don't open attachments unless you are sure of what you are getting!
>
> Keep your Virus Scan program up to date.  Any database over 14 days old
> should be updated.
>
> Many times, the Headers and addresses of the messages are faked.  This is
> easy to do.  So if there is any doubt, send an e-mail to an address listed
> at the website the email originates from and ask for more information.
>
> These virus writers are relying on people to unwittingly open their
> attachments so they may go through with their evil plans.
>
> Is there any Php.net official on this list that can shed more light on this
> please....

This is not just from the php.net site, I've gotten this email from a number
of our sites and had to email all our members informing them not to open any
attachments even if it seems we sent it, if we require them to download
anything it will be AT our site and not attached.

They ARE getting sneakier aren't they?

-Ryan

--- End Message ---
--- Begin Message ---
Shane McBride <mailto:[EMAIL PROTECTED]>
    on Thursday, March 18, 2004 2:50 PM said:

> How about passing the form variables to a hidden field on the next
> page? I used this for several page forms before.

that won't work because he's not doing a multi-page form. he just wants
to send the form data back *if* the form fails his validation.



chris.

--- End Message ---
--- Begin Message ---
Gotcha. I typically use javascript to validate before the form is posted to
validate.

shane

-----Original Message-----
From: Chris W. Parker [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 18, 2004 6:23 PM
To: Shane McBride; PHP
Subject: RE: [PHP] Retain form values...


Shane McBride <mailto:[EMAIL PROTECTED]>
    on Thursday, March 18, 2004 2:50 PM said:

> How about passing the form variables to a hidden field on the next
> page? I used this for several page forms before.

that won't work because he's not doing a multi-page form. he just wants
to send the form data back *if* the form fails his validation.



chris.

--- End Message ---
--- Begin Message ---
Shane McBride <mailto:[EMAIL PROTECTED]>
    on Thursday, March 18, 2004 3:37 PM said:

> Gotcha. I typically use javascript to validate before the form is
> posted to validate.

ok.. but i don't see how that helps. you're still validating on the
server side right? in which case you could still have a failed
validation, thus the need to send the users data back to the original
page.



chris.

--- End Message ---
--- Begin Message ---
Actually all form validation is done before the form action takes place, so
that way we do not lose input.

shane

-----Original Message-----
From: Chris W. Parker [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 18, 2004 6:38 PM
To: Shane McBride; PHP
Subject: RE: [PHP] Retain form values...


Shane McBride <mailto:[EMAIL PROTECTED]>
    on Thursday, March 18, 2004 3:37 PM said:

> Gotcha. I typically use javascript to validate before the form is
> posted to validate.

ok.. but i don't see how that helps. you're still validating on the
server side right? in which case you could still have a failed
validation, thus the need to send the users data back to the original
page.



chris.

--- End Message ---
--- Begin Message ---
Hi,

Friday, March 19, 2004, 6:01:00 AM, you wrote:
JV> I want to be able to submit the page to another page vs PHP_SELF.  On
JV> that page I want to be able to validate the form, and if it fails,
JV> return the user to the previous page.  Now that's easy, but the catch is
JV> that I want to retain/repopulate their field values.  

JV> I was thinking of forcing a history.back if possible, but would rather
JV> use some server side code.  I tried researching what can be done with
JV> sending headers, but I don't want to use a GET method.  I want to use
JV> POST.

JV> thoughts?

This is one of the things sessions are used for. Store $_POST in a
session variable and set another variable as failed. Then on your
page1.php just check for the failed variable and if it is there
populate the form with the previous details. You can even include an
error message. The flow would be:

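page1.php
session_start();
if(isset($_SESSION['status']) and $_SESSION['status'] == 'failed'){
  //import the saved fields as variables ($name etc.); EXTR_SKIP keeps a
  //submitted field name from overwriting a variable that already exists
  extract($_SESSION['post'], EXTR_SKIP);
  //clear only the saved state; unset($_SESSION) would break the session
  unset($_SESSION['status'], $_SESSION['post']);
  //fill in form values, escaped for HTML, ie <input type="text" name="name"
  //value="<?php echo htmlspecialchars($name)?>">
}else{
  //send blank form
}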



page2.php
session_start();
//do validation
 if($status == 'failed'){
   $_SESSION['status'] = 'failed';
   $_SESSION['post'] = $_POST;
   //send redirect header
   exit;
 }else{
   //do success stuff
 }
-- 
regards,
Tom

--- End Message ---
--- Begin Message ---
Shane McBride wrote:
> Actually all form validation is done before the form action takes place, so
> that way we do not lose input.

I think you're missing the point. Client side validation is extremely easy to bypass. If that's all you're relying on, you're in trouble.


--
---John Holmes...

Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals – www.phparch.com
--- End Message ---
--- Begin Message ---
Situation:  I have an HTML page on one server which
has a log-in form that includes just fields for User ID
and Password.  This form posts to a PHP script which
authenticates the user against information in a MySQL
database on the same server.  Once authenticated,
the script redirects the user to a page on a different
server.  This page is in a directory that is protected by
an .htaccess fixed pair of access codes, and is the
gateway to a "Members Only" archive of 700+ pages.
I had accomplished this redirection using a URL like:

http: // username:password @ domain.com/file.htm

Since Microsoft, in its wisdom, decided this method
posed a security risk and disabled its use in IE, this
no longer works.  I need to remain with the Basic
Authentication, since I can't add some PHP code to
700+ files to use cookies, or something similar, so
my question is:

    How do I pass the Members Only access codes
    to the user's browser so it will store, or "remember"
    them, so the user can go from one archived page
    to another?

The access codes for the Members Only directory
are different from the member's User ID and Password,
so I have to tell the second server to redirect 400 code
responses back to the log-in page on server one, so I
can authenticate the user/member with the database.
The problem is, how do I bypass the Windows pop-up
box for authentication on the client and simply pass
the access codes for server two directly to the browser?

Does anyone have any ideas on how to solve this?

Thanks,

Tyger Gilbert
[EMAIL PROTECTED]

--- End Message ---
--- Begin Message ---
Situation:  I have an HTML page on one server which
has a log-in form that includes just fields for User ID
and Password.  This form posts to a PHP script which
authenticates the user against information in a MySQL
database on the same server.  Once authenticated,
the script redirects the user to a page on a different
server.  This page is in a directory that is protected by
an .htaccess fixed pair of access codes, and is the
gateway to a "Members Only" archive of 700+ pages.
I had accomplished this redirection using a URL like:

http: // username:password @ domain.com/file.htm

Since Microsoft, in its wisdom, decided this method
posed a security risk and disabled its use in IE, this
no longer works.  I need to remain with the Basic
Authentication, since I can't add some PHP code to
700+ files to use cookies, or something similar, so
my question is:

    How do I pass the Members Only access codes
    to the user's browser so it will store, or "remember"
    them, so the user can go from one archived page
    to another?

The access codes for the Members Only directory
are different from the member's User ID and Password,
so I have to tell the second server to redirect 400 code
responses back to the log-in page on server one, so I
can authenticate the user/member with the database.
The problem is, how do I bypass the Windows pop-up
box for authentication on the client and simply pass
the access codes for server two directly to the browser?

Does anyone have any ideas on how to solve this?

Thanks,

Tyger Gilbert
[EMAIL PROTECTED]

--- End Message ---
--- Begin Message ---
Situation:  I have an HTML page on one server which
has a log-in form that includes just fields for User ID
and Password.  This form posts to a PHP script which
authenticates the user against information in a MySQL
database on the same server.  Once authenticated,
the script redirects the user to a page on a different
server.  This page is in a directory that is protected by
an .htaccess fixed pair of access codes, and is the
gateway to a "Members Only" archive of 700+ pages.
I had accomplished this redirection using a URL like:

http: // username:password @ domain.com/file.htm

Since Microsoft, in its wisdom, decided this method
posed a security risk and disabled its use in IE, this
no longer works.  I need to remain with the Basic
Authentication, since I can't add some PHP code to
700+ files to use cookies, or something similar, so
my question is:

    How do I pass the Members Only access codes
    to the user's browser so it will store, or "remember"
    them, so the user can go from one archived page
    to another?

The access codes for the Members Only directory
are different from the member's User ID and Password,
so I have to tell the second server to redirect 400 code
responses back to the log-in page on server one, so I
can authenticate the user/member with the database.
The problem is, how do I bypass the Windows pop-up
box for authentication on the client and simply pass
the access codes for server two directly to the browser?

Surely, someone must have encountered something
similar to this already . . . {:-)

Thanks,

Tyger Gilbert
[EMAIL PROTECTED]

ARIZONA WEB ADVERTISING
www.AzWebAds.com

Website Design / Domain Registration / Hosting
Banner Advertising / Web Promotional Campaigns

--- End Message ---
--- Begin Message ---
Stop posting the same message. The more you post the same message the less your chances are of getting a response.
--- End Message ---
--- Begin Message ---
No prob. I'm still working on a fix for my problem. I know I don't have a
javascript error, if I copy and paste to another file it works fine. Just
not in the php file. I'll mess with including it with the <script tags, but
it's not how I wanted to do it. I'll mess with it and let everyone know.

I do not get any javascript error messages. I know what was being said about
the error in the bottom left of IE, but that doesn't appear. I even tried
putting in alert("hi"); and it didn't work, which is why I said I think php
is not allowing the javascript to be executed for some reason.

Jake




----- Original Message ----- 
From: "Five" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 18, 2004 11:26 AM
Subject: Re: Re[2]: [PHP] Re: Javascript Mouseover Help


>
> "Tom Rogers" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> > Hi,
> >
> > Friday, March 19, 2004, 1:11:52 AM, you wrote:
> >
> >
> > F> Doesn't  $name = "blah blah";  define it enough?
> >
> >
> > Not if it comes after   $table_1 = "<table><tr><td>".$name."</td></tr></table>";
> > at this point $name does not exist. Try turning on E_ALL error
> > reporting and it will tell you things like this.
> >
> > -- 
> > regards,
> > Tom
>
> Cool, it works!
> include ("the file where the tables are stored") after the variables are defined, and it works.
> I took 3 semesters of C and C++  programming. I should have figured that out myself.
>
> Thanks Tom. Can you steer me to where the E_ALL error reporting gets activated?
> Some ini file I imagine?
>
> And oh yeah, I don't know if it helped Jake, but it worked for me.
> Thanks for starting the topic, Jake.
>
> Dale
>
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>

--- End Message ---
--- Begin Message ---
Hi,

Friday, March 19, 2004, 2:57:57 PM, you wrote:
JM> No prob. I'm still working on a fix for my problem. I know I don't have a
JM> javascript error, if I copy and paste to another file it works fine. Just
JM> not in the php file. I'll mess with including it with the <script tags, but
JM> it's not how I wanted to do it. I'll mess with it and let everyone know.

JM> I do not get any javascript error messages. I know what was being said about
JM> the error in the bottom left of IE, but that doesn't appear. I even tried
JM> putting in alert("hi"); and it didn't work, which is why I said I think php
JM> is not allowing the javascript to be executed for some reason.

JM> Jake

Remember you have to put <?php at the top of the include file as well
as the interpreter switches out of php mode for the include.

-- 
regards,
Tom

--- End Message ---
--- Begin Message ---
Hi guys,

With the help of a guy, we found the solution. So for information, this is
what you have to do to succeed such kind of command.
You have to use the same username in your webserver as the name of the
account in the remote machine you're trying to access with rsh.
typically if you want to do this:

$res = exec("rsh x.x.x.x -l TOTO ping x.x.x.x");
echo "<pre> $res </pre>";

The webserver user should be TOTO (you can change it in your httpd.conf file
on Linux box)
hope it will help!

fred

-----Original Message-----
From: Chris W. Parker [mailto:[EMAIL PROTECTED]
Sent: Thursday, 18 March 2004 17:59
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [PHP] Problem to display the results of an exec + rsh command




Frédéric Martin <mailto:[EMAIL PROTECTED]>
    on Thursday, March 18, 2004 7:31 AM said:

> $res = exec("rsh x.x.x.x -l username ping x.x.x.x");
> echo "<pre> $res </pre>";
>
> I cannot display the result of the ping made in the remote host.
> any idea to fix that?
> thank you in advance for your tips ...

i don't have any idea why it's not working and i've never used exec(), but
maybe you'd have better luck with the back tick operator (at least i think
it's an operator)?

$res = `rsh x.x.x.x -l username ping x.x.x.x`;


chris.


--- End Message ---
--- Begin Message ---
Dear Friends!

Can someone shed some light on how "SQL injection" attack occurs when magic_quotes_gpc is "ON" and how it prevents when it's "OFF". To my understanding apostrophes are escaped automatically in POST/GET/COOKIE when it's ON, so how it tends towards SQL Injection.

Someone suggested to keep magic_quotes_gpc OFF through .htaccess file and use following line of codes to prevent attacks at start of the file...

<?php
/**
* Checks for magic_quotes_gpc = On and strips them from incoming
* requests if necessary
*/
if (get_magic_quotes_gpc()) {
 $_GET    = array_map('stripslashes', $_GET);
 $_POST   = array_map('stripslashes', $_POST);
 $_COOKIE = array_map('stripslashes', $_COOKIE);
}
?>

But unfortunately it does not work for nested POST requests. Does anyone have a better idea?
Secondly why we have to stripslashes while DB (mysql for example) is doing it for us on execution and another question arises doesn't it prevent from SQL injection attack when apostrophes are escaped in query.


What is the best practices handling 'quotation marks' in input string and how to prevent SQL injection.

Looking forward for some advice from panel of experts on forum.
Thanks and have a nice day!

Cheers!
Tariq


--- End Message ---
--- Begin Message ---
--- Tariq Murtaza <[EMAIL PROTECTED]> wrote:
> Can someone shed some light on how "SQL injection" attack occurs when
> magic_quotes_gpc is "ON" and how it prevents when it's "OFF".

I'm not sure what "it" refers to there. In my opinion, relying on
magic_quotes_gpc is very dangerous. In fact, I just remembered a nice
online resource that will do a better job explaining this than I can:

http://phundamentals.nyphp.org/PH_storingretrieving.php

> Secondly why we have to stripslashes while DB (mysql for example) is 
> doing it for us on execution

It is? What database are you using? I think you're making an erroneous
assumption. Consider this SQL statement:

select * from foo where bar = 'Don't apostrophes screw things up?'

What does bar need to be in order for the where clause to match? Where
does the SQL statement end?

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
     Coming mid-2004
HTTP Developer's Handbook - Sams
     http://httphandbook.org/
PHP Community Site
     http://phpcommunity.org/

--- End Message ---
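Added example, not part of either post above: the thread's two technical points in one PHP script. It strips magic_quotes-style backslashes at any nesting depth (the nested POST case from the question), then runs the apostrophe query from the reply first concatenated and then with placeholders. Assumes PHP 7.4+ with the pdo_sqlite extension; strip_slashes_deep, the sample $post array and its tags field are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.4+ with pdo_sqlite.

// Undo magic_quotes_gpc-style escaping at any depth. The
// array_map('stripslashes', $_POST) version from the question breaks on
// nested fields such as name="tags[]" (hypothetical field name).
function strip_slashes_deep($value)
{
    return is_array($value)
        ? array_map('strip_slashes_deep', $value)
        : stripslashes($value);
}

// Constructed input, shaped as magic_quotes_gpc = On would deliver it:
// every apostrophe arrives with a backslash in front of it.
$post = [
    'bar'  => 'Don\\\'t apostrophes screw things up?',
    'tags' => ['O\\\'Reilly', 'plain'],
];
$clean = strip_slashes_deep($post);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE foo (id INTEGER PRIMARY KEY, bar TEXT)');

// 1. Concatenation: the apostrophe in "Don't" closes the string literal
//    early, so the rest of the value is parsed as SQL and is rejected.
$concatenated = "SELECT * FROM foo WHERE bar = '" . $clean['bar'] . "'";
try {
    $db->query($concatenated);
    echo "concatenated query ran\n";
} catch (PDOException $e) {
    echo "concatenated query rejected: ", $e->getMessage(), "\n";
}

// 2. Placeholders: the SQL text is fixed and the value is bound separately,
//    so no quoting or escaping of the value is involved at all.
$insert = $db->prepare('INSERT INTO foo (bar) VALUES (:bar)');
$insert->execute([':bar' => $clean['bar']]); // stripped value
$insert->execute([':bar' => $post['bar']]);  // still carries the backslash

$select = $db->prepare('SELECT id, bar FROM foo WHERE bar = :bar');
$select->execute([':bar' => "Don't apostrophes screw things up?"]);
$rows = $select->fetchAll(PDO::FETCH_ASSOC);

// Only the stripped row matches. The other row was stored with a literal
// backslash, which is why magic_quotes escaping has to be undone before
// the value is used as a bound parameter.
foreach ($rows as $row) {
    printf("match id=%d bar=%s\n", $row['id'], $row['bar']);
}
printf(
    "rows stored: %d, rows matched: %d\n",
    $db->query('SELECT COUNT(*) FROM foo')->fetchColumn(),
    count($rows)
);
```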
--- Begin Message ---
hallo all,
i have a problem connecting to  mysql db, i use the following code to connect to the db:
$DBConn = mysql_connect("localhost", "myusername","mypassword") or die("Could not connect to database, " . mysql_error());
mysql_select_db("db1", $DBConn);

and i get the following error:
Warning: mysql_connect(): Client does not support authentication protocol requested by server; consider upgrading MySQL client in c:\inetpub\wwwroot\php\db_test.php on line 33
Could not connect to database, Client does not support authentication protocol requested by server; consider upgrading MySQL client
 
thanks in advance
 


____________________________________________________
Khaled Jouda 

cell. phone: 0163-2382758 
fax: 1(801)439-1253 
alternative email: [EMAIL PROTECTED]
_____________________________________________________



--- End Message ---
--- Begin Message ---
Chris de Vidal wrote:
> I searched this group and someone suggested disabling Apache's keepalives
> but I don't have root on this box so that option is out.

Try to send "Connection: close" header, then the connection will be terminated by the client.

--- End Message ---
--- Begin Message ---
Chris de Vidal wrote:
> Can you confirm GET strings are also encrypted?

I'm sure they do. But try to clear the URI from IE's history (using javascript), both username and password will be there.

--- End Message ---
--- Begin Message ---
Hi all,

I am new to php and want to use php for our mailing program.
At present we have servlet program what the users access it thru web
interface and use for sending,receiving and composing mails.

But it is giving lot of problem and hence I want to shift the entire
system to PHP .

Please give me advice how to start with or URL of some example scripts
etc.


Thanks and Regds
Geetha

--- End Message ---
--- Begin Message ---
IMP and SquirrelMail are both nice.

http://www.horde.org/imp/
http://www.squirrelmail.org



On Friday 19 March 2004 03:40 pm, Mrs. Geeta Thanu wrote:
> Hi all,
>
> I am new to php and want to use php for our mailing program.
> At present we have servlet program what the users access it thru web
> interface and use for sending,receiving and composing mails.
>
> But it is giving lot of problem and hence I want to shift the entire
> system to PHP .
>
> Please give me advice how to start with or URL of some example scripts
> etc.
>
>
> Thanks and Regds
> Geetha

--- End Message ---
--- Begin Message ---
Hi all

for some reason I seem to be having a problem having to do a look up in a mysql table
and then take the result of that query and then perform the right action.

Basically I need to do a look up for a file 
for example

10006547.pdf.

I then need to:
        if no letter of the alphabet is present.
            then make it 10006547A.pdf
    else if does exist, make it 10006547B.pdf

for some reason I can't seem to pull this off, and I honestly thought it would be a
simple function.

If anyone knows of  a URL or can help in anyway

I really would appreciate it

Kind Regards
Brent Clark

--- End Message ---
--- Begin Message ---
Ivan Sergio Borgonovo wrote:
> I've simple code like this:
>
> -- begin --
> #!/usr/bin/php -q
> <?
> $pippo='goofy'
> ?>
>
> hey my name is <?= $pippo ?>
>         and
>                 I feel good
> -- end --

newlines are ignored after php block end tags (?>)

--- End Message ---
