Re: [PHP] Comparing strings... need advice. :)
Micky Hulse wrote:
> I am looking for the most secure/efficient way to compare these two
> strings:
>
> /folder1/folder2/folder3/folder4/
> /folder1/folder2/folder3/folder4/file.php
>
> Basically I am trying to set up as many security features as possible for
> a simplistic (home-grown/hand-coded) CMS...
>
> This appears to work:
>
> $haystack = '/folder1/folder2/folder3/folder4/someFileName.php';
> $needle = '/folder1/folder2/folder3/folder4/';
> if(substr_count($haystack, $needle) === 1) echo "yea";
>
> Before making changes to "someFileName.php" I want to make sure it is
> within the allowed path ($needle).

First of all make sure you are sending both strings through realpath
(http://php.net/realpath) to remove any symbolic links and relative
references. Then you can compare the two strings. The way you're doing
it will work but it's probably not very efficient. This is what I use...

$valid = (strcmp($needle, substr($haystack, 0, strlen($needle))) == 0);

-Stut

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] S: function to remove & break URLs
Dear Jon,

cheers for your lines ...

On Monday 28 August 2006 02:31, Jon Anderson wrote:
> Guestbook spam (and comment spam) is something I'd like to try to
> eliminate altogether myself. I don't think there are any
> one-size-fits-all solutions out there yet for detection/elimination.
> I'd personally like to hear any effective solutions people have found
> in PHP to combat this stuff.

My approach here is to make a fuzzy decision if an entry is shown by
default or needs a further check by myself before being published.

> In reference to the detection part; in my case, 95%+ of the spam
> entries have links that contain one of about 5 words (casino, pharm,
> drug, stock, or invest), so I could eliminate most spam by
> automatically trashing all entries that contain a link with one of
> those key words. I don't know if you're lucky enough to have spammers
> as predictable as mine, so that may not be an effective solution for
> anyone but me.

Okay, these words occur also very often - but not exclusively - I could
regard occurrences of those words as a criterion.

> In terms of destroying URLs, what happens when a real guest wants to
> put a URL in their entry? Seems to me that you might be
> overshooting...

Well, my application is not exactly a guestbook, and the field in
question is not meant to display any URLs. There is a separate field to
state a URL that is not displayed by default.

> You might be better off finding some way of preventing the data from
> even entering the system, for example, a captcha type system. They
> have accessibility problems, but I've read about solutions that use
> simple JavaScript to automatically enter the captcha code into the
> correct field and hide the captcha and the field so that the whole
> process is transparent to the user (including users with screen
> readers), whereas if JS is disabled, the captcha is shown and the
> code must be entered. This is based on the assumption that current
> spam robots don't incorporate a JavaScript execution engine. Not
> sure how effective it is, but it's an interesting idea.

You are speaking of those skewed letters one has to retype before the
action is taken? I'd like to see some code for it - however in my case I
have the impression that it is real persons who enter the spam.

Can I, by the way, collect the IP of the visitor in a PHP form? You
might have realized: I am an absolute beginner with PHP.

> Anyone want to share some spam-fighting success stories?

Yes, pleaze ;)

Regards
Ralf
Re: [PHP] Comparing strings... need advice. :)
Stut wrote:
> First of all make sure you are sending both strings through realpath
> (http://php.net/realpath) to remove any symbolic links and relative
> references. Then you can compare the two strings. The way you're doing
> it will work but it's probably not very efficient. This is what I use...
>
> $valid = (strcmp($needle, substr($haystack, 0, strlen($needle))) == 0);

Awesome! Thanks for the info. Reading up on realpath right now.

I appreciate the tips/example code. :)

Have a great day/night.

Cheers,
Micky
Re: [PHP] Comparing strings... need advice. :)
Micky Hulse wrote:
> Hi,
>
> I am looking for the most secure/efficient way to compare these two
> strings:
>
> /folder1/folder2/folder3/folder4/
> /folder1/folder2/folder3/folder4/file.php
>
> Basically I am trying to set up as many security features as possible for
> a simplistic (home-grown/hand-coded) CMS...
>
> This appears to work:
>
> $haystack = '/folder1/folder2/folder3/folder4/someFileName.php';
> $needle = '/folder1/folder2/folder3/folder4/';
> if(substr_count($haystack, $needle) === 1) echo "yea";
>
> Before making changes to "someFileName.php" I want to make sure it is
> within the allowed path ($needle).
>
> I would appreciate any advice. Even RTFM is cool. :D

Using your technique I would try an attack like:
'/etc/passwd;/folder1/folder2/folder3/folder4/' or
'/folder1/folder2/folder3/folder4/../../../../etc/passwd' or some other
variant depending on how you then use the file.

I'm a big fan of lists of allowed files, typically I use aliases too.
$allow_files = array('page' => '/folder/.../filename.php'). This list can
be automatically generated and used by mod_rewrite to boost speed. By
using a fixed list of files like this it's impossible to be attacked on
your filename.

Assuming you don't want to go that strong and want to allow your users to
set the filename you have to try and lock down the path. By not allowing
them to change the path you can hold them in the directory you set. Check
for any / characters and reject or strip them out. Use
'/folder1/folder2/.../'.$file. It's vital if you do this that you don't
allow any way to upload files into the directory you execute from.

If you want to allow them to set the path or part of the path then the
check gets far more complicated. You have to catch .. and // patterns,
ensuring that you don't combine to form a // and catch cases like '.\./'.
If you need to have multiple directories I would strongly suggest using
dynamically generated fixed lists.

David
Re: [PHP] Comparing strings... need advice. :)
On Mon, 28 Aug 2006 09:47:02 +0100, Stut wrote:

> Micky Hulse wrote:
>> I am looking for the most secure/efficient way to compare these two
>> strings:
>>
>> /folder1/folder2/folder3/folder4/
>> /folder1/folder2/folder3/folder4/file.php
>>
>> Basically I am trying to set up as many security features as possible for
>> a simplistic (home-grown/hand-coded) CMS...
>>
>> This appears to work:
>>
>> $haystack = '/folder1/folder2/folder3/folder4/someFileName.php';
>> $needle = '/folder1/folder2/folder3/folder4/';
>> if(substr_count($haystack, $needle) === 1) echo "yea";
>>
>> Before making changes to "someFileName.php" I want to make sure it is
>> within the allowed path ($needle).
>
> First of all make sure you are sending both strings through realpath
> (http://php.net/realpath) to remove any symbolic links and relative
> references. Then you can compare the two strings. The way you're doing
> it will work but it's probably not very efficient. This is what I use...
>
> $valid = (strcmp($needle, substr($haystack, 0, strlen($needle))) == 0);

Personally, this seems simpler to me:

$valid = (dirname($haystack) == $needle);

But the way the above folders are presented, it should become

$valid = (dirname($haystack) == rtrim($needle, '/'));

less simple already... Possibly, this is not the best solution for some
reason I don't know. If so, I would like to know :)

Ivo
[PHP] getting there- just need to output the data
I have retrieved the unique gallery and all the data from the row. I now
need to output the data ($row['bin_data']) as a jpg.
[PHP] Re: getting there- just need to output the data
echo "";

But you must change one of the row variables; there are two while loops,
one inside the other, using the same variable name.

"Ross" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> I have retrieved the unique gallery and all the data from the row. I now
> need to output the data ($row['bin_data']) as a jpg.
>
> include("includes/config.php");
>
> $link = mysql_connect($host, $user, $password) or die ('something went
> wrong:' .mysql_error() );
> mysql_select_db($dbname, $link) or die ('something went wrong, DB error:'
> .mysql_error() );
>
> $query = "SELECT DISTINCT gallery FROM thumbnails";
> $result = @mysql_query( $query,$link );
>
> while ($row = @mysql_fetch_assoc($result) ) {
>
> $gallery_id=$row['gallery'];
>
> $query2 = "SELECT * FROM thumbnails WHERE gallery ='$gallery_id' LIMIT 1";
> $result2 = @mysql_query($query2);
>
> while ($row = @mysql_fetch_array($result2, MYSQL_ASSOC)){
> echo $id=$row['id'];
>
> //i want to output the jpeg here
>
> }
>
> }
Re: [PHP] Comparing strings... need advice. :)
On Mon, 2006-08-28 at 09:47 +0100, Stut wrote:
> Micky Hulse wrote:
> > I am looking for the most secure/efficient way to compare these two
> > strings:
> >
> > /folder1/folder2/folder3/folder4/
> > /folder1/folder2/folder3/folder4/file.php
> >
> > Basically I am trying to set up as many security features as possible for
> > a simplistic (home-grown/hand-coded) CMS...
> >
> > This appears to work:
> >
> > $haystack = '/folder1/folder2/folder3/folder4/someFileName.php';
> > $needle = '/folder1/folder2/folder3/folder4/';
> > if(substr_count($haystack, $needle) === 1) echo "yea";
> >
> > Before making changes to "someFileName.php" I want to make sure it is
> > within the allowed path ($needle).
>
> First of all make sure you are sending both strings through realpath
> (http://php.net/realpath) to remove any symbolic links and relative
> references. Then you can compare the two strings. The way you're doing
> it will work but it's probably not very efficient. This is what I use...
>
> $valid = (strcmp($needle, substr($haystack, 0, strlen($needle))) == 0);

It is VERY important that you append the trailing slash onto the needle
path returned by realpath otherwise it will match more than you expect.
Stut didn't point that out so I thought I'd make sure you caught it.
Also I'm not sure why Stut used 3 function calls when one suffices >:)

Cheers,
Rob.

--
| InterJinn Application Framework - http://www.interjinn.com |
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
[PHP] Problems with UTF
Hi,

I have a PHP-based script that is called from an HTML page via AJAX.
Everything runs fine except when I use characters such as á that end up
like A!

After searching and testing I found that if I remove the
encodeURIComponent from the JavaScript and replace it with escape,
everything works fine.

So the question is what can I do from the PHP side to make it play nice
with those UTF-encoded chars generated from encodeURIComponent? Since
escape is deprecated I'd like to find out before I have tons of files to
change.

tks.
Re: [PHP] Problems with UTF
On Mon, 28 Aug 2006 15:57:17 -0400
mbneto <[EMAIL PROTECTED]> wrote:

> Hi,
>
> I have a PHP-based script that is called from an HTML page via AJAX.
> Everything runs fine except when I use characters such as á that end up
> like A!

A browser will display text according to the charset specified in the
HTTP response Content-Type header. That is usually set by the HTTP server
(e.g. Apache AddDefaultCharset and AddCharset). So I suspect that in your
case, your HTTP server is sending charset=ISO-8859-1 whereas the content
is in fact UTF-8 (when one non-ASCII character is rendered as two or
three usually garbled characters it's an indication that UTF-8 is being
rendered as some 8-bit codepage like ISO-8859-1).

Note that the charset specified in the META tag within an HTML document
is ignored when served over a network. I'm not certain what the charset
in the META tag is for. I suspect it's for caching or when you open an
HTML file from disk perhaps.

Mike

--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
Re: [PHP] display a single thumb per gallery
http://dev.mysql.com/doc/refman/5.0/en/join.html

you could use something like this:

SELECT DISTINCT thumbnails.gallery, thumbnails.id, thumbnails.binary_data
FROM thumbnails

you can insert everything you want from your table after the DISTINCT by
writing: table.colName

/frank

On 27 Aug 2006 at 21.39, <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> wrote:

> $query = "SELECT distinct gallery FROM thumbnails";
>
> that only returns the numbers 7 & 8. I need all the info from the rows -
> id, binary data etc... something like
>
> $query = "SELECT * FROM DISTINCT gallery FROM thumbnails";
>
> any ideas?
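An added example serving both the "single thumb per gallery" and the "output the data as a jpg" threads; it is not code from either post. It assumes PHP 7+ with mysqli on mysqlnd, a table thumbnails(id, gallery, bin_data), and the $host/$user/$password/$dbname settings from includes/config.php as in Ross's script; the image.php endpoint name is hypothetical.

```php
<?php
// Added example, not from the thread. One row per gallery comes from a
// grouped sub-query (lowest id per gallery) joined back to the table; a
// single row's bin_data is then sent as an image with an explicit type.
declare(strict_types=1);

/** One full row per gallery: the row with the lowest id in each gallery. */
function firstThumbPerGallery(mysqli $db): array
{
    $sql = 'SELECT t.id, t.gallery
              FROM thumbnails t
              JOIN (SELECT gallery, MIN(id) AS id
                      FROM thumbnails
                  GROUP BY gallery) m ON m.id = t.id
          ORDER BY t.gallery';
    $res = $db->query($sql);
    return $res === false ? [] : $res->fetch_all(MYSQLI_ASSOC);
}

/**
 * Only bytes that really start like a JPEG (SOI marker FF D8 FF) are sent
 * as image/jpeg; anything else stored in the column is refused rather than
 * handed to the browser under a type it does not match.
 */
function isJpeg(string $blob): bool
{
    return strlen($blob) > 3 && substr($blob, 0, 3) === "\xFF\xD8\xFF";
}

/** Emit one stored thumbnail as the whole HTTP response. */
function sendThumbnail(mysqli $db, int $id): void
{
    $stmt = $db->prepare('SELECT bin_data FROM thumbnails WHERE id = ?');
    $stmt->bind_param('i', $id);           // bound parameter, no string building
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null || !isJpeg($row['bin_data'])) {
        http_response_code(404);
        return;
    }
    header('Content-Type: image/jpeg');
    header('X-Content-Type-Options: nosniff'); // browser must not re-guess the type
    header('Content-Length: ' . strlen($row['bin_data']));
    echo $row['bin_data'];                  // nothing else may be echoed
}

// image.php?id=12 -> one JPEG; image.php -> one <img> per gallery
require 'includes/config.php';              // $host, $user, $password, $dbname
$db = new mysqli($host, $user, $password, $dbname);
if (isset($_GET['id'])) {
    sendThumbnail($db, (int) $_GET['id']);
} else {
    foreach (firstThumbPerGallery($db) as $t) {
        printf('<img src="image.php?id=%d" alt="gallery %s">' . "\n",
               $t['id'],
               htmlspecialchars((string) $t['gallery'], ENT_QUOTES, 'UTF-8'));
    }
}
```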
Re: [PHP] Comparing strings... need advice. :)
Wow, thanks for all the great information folks (Stut, Ivo, Rob, and David.)

I really appreciate all of the top-notch advice and expert information. :D

Looks like I have a lot to think about...

Currently, I hard-code the paths to the folders that house the files I
want my CMS to edit (via a config file.) The script then iterates
through the directory and adds all files of a specific type to a
dropdown menu. The user can then choose one of the files to edit and
load that file into a textarea... After changes are made, the
content/code gets saved back to the same file/location.

I do have an uploads folder, but it is in a different location on the
server. I do not allow the user to create new files (I would have to do
that manually)... it is a /very/ basic CMS.

Anyway, looks like I have some great info to work with. Thanks again
everyone for sharing your expertise.

Much appreciated all.

Have an excellent day.

Cheers,
Micky
Re: [PHP] Comparing strings... need advice. :)
On Mon, 2006-08-28 at 16:50 +0200, Ivo F.A.C. Fokkema wrote:
> On Mon, 28 Aug 2006 09:47:02 +0100, Stut wrote:
>
> > Micky Hulse wrote:
> >> I am looking for the most secure/efficient way to compare these two
> >> strings:
> >>
> >> /folder1/folder2/folder3/folder4/
> >> /folder1/folder2/folder3/folder4/file.php
> >>
> >> Basically I am trying to set up as many security features as possible for
> >> a simplistic (home-grown/hand-coded) CMS...
> >>
> >> This appears to work:
> >>
> >> $haystack = '/folder1/folder2/folder3/folder4/someFileName.php';
> >> $needle = '/folder1/folder2/folder3/folder4/';
> >> if(substr_count($haystack, $needle) === 1) echo "yea";
> >>
> >> Before making changes to "someFileName.php" I want to make sure it is
> >> within the allowed path ($needle).
> >
> > First of all make sure you are sending both strings through realpath
> > (http://php.net/realpath) to remove any symbolic links and relative
> > references. Then you can compare the two strings. The way you're doing
> > it will work but it's probably not very efficient. This is what I use...
> >
> > $valid = (strcmp($needle, substr($haystack, 0, strlen($needle))) == 0);
>
> Personally, this seems simpler to me:
>
> $valid = (dirname($haystack) == $needle);
>
> But the way the above folders are presented, it should become
>
> $valid = (dirname($haystack) == rtrim($needle, '/'));
>
> less simple already... Possibly, this is not the best solution for some
> reason I don't know. If so, I would like to know :)

The above technique doesn't allow for sub-directories. It only allows
for files within the needle directory.

Cheers,
Rob.
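An added example, not code from any post in the thread: Stut's realpath() plus prefix comparison, with the trailing separator Rob insists on and, unlike the dirname() variant, accepting files in sub-directories. It assumes PHP 7.1+ on a Unix-like system (the demo creates a symlink) and builds its own throw-away directory tree.

```php
<?php
// Added example, not from the thread. Both sides go through realpath(),
// so '..', '.', '//' and symlinks are resolved before the comparison, and
// the base gets a trailing separator so a sibling directory sharing the
// prefix cannot pass. Assumes PHP 7.1+ on a Unix-like system.
declare(strict_types=1);

/** Canonical path of $candidate if it lies under $base, else null. */
function resolveInside(string $base, string $candidate): ?string
{
    $realBase = realpath($base);
    if ($realBase === false) {
        return null;                        // allowed directory is missing
    }
    // Without this, '/site/allowed' is also a prefix of
    // '/site/allowed-other/secret.html' (Rob's warning).
    $realBase = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    $real = realpath($candidate);
    if ($real === false) {
        return null;                        // no such file, or dangling symlink
    }
    return strncmp($real, $realBase, strlen($realBase)) === 0 ? $real : null;
}

/** Build a constructed tree under the temp dir, check each case, clean up. */
function demo(): array
{
    $root = sys_get_temp_dir() . '/cms_demo_' . bin2hex(random_bytes(4));
    mkdir("$root/allowed/sub", 0700, true);
    mkdir("$root/allowed-other", 0700);
    file_put_contents("$root/allowed/page.html", 'ok');
    file_put_contents("$root/allowed/sub/deep.html", 'ok');
    file_put_contents("$root/allowed-other/secret.html", 'no');
    symlink("$root/allowed-other/secret.html", "$root/allowed/link.html");

    $cases = [
        'plain file'               => "$root/allowed/page.html",
        'sub-directory'            => "$root/allowed/sub/deep.html",
        '.. that stays inside'     => "$root/allowed/sub/../page.html",
        '.. that leaves the tree'  => "$root/allowed/../allowed-other/secret.html",
        'symlink pointing out'     => "$root/allowed/link.html",
        'sibling with same prefix' => "$root/allowed-other/secret.html",
        'missing file'             => "$root/allowed/missing.html",
    ];
    $results = [];
    foreach ($cases as $label => $path) {
        $results[$label] = resolveInside("$root/allowed", $path) !== null;
    }

    foreach (['allowed/link.html', 'allowed/sub/deep.html',
              'allowed/page.html', 'allowed-other/secret.html'] as $f) {
        unlink("$root/$f");
    }
    foreach (['allowed/sub', 'allowed', 'allowed-other', ''] as $d) {
        rmdir(rtrim("$root/$d", '/'));
    }
    return $results;   // first three accepted, the remaining four rejected
}

foreach (demo() as $label => $ok) {
    printf("%-7s %s\n", $ok ? 'ACCEPT' : 'REJECT', $label);
}
```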
Re: [PHP] Comparing strings... need advice. :)
On Mon, 2006-08-28 at 16:28 -0700, Micky Hulse wrote:
> Wow, thanks for all the great information folks (Stut, Ivo, Rob, and David.)
>
> I really appreciate all of the top-notch advice and expert information. :D
>
> Looks like I have a lot to think about...
>
> Currently, I hard-code the paths to the folders that house the files I
> want my CMS to edit (via a config file.) The script then iterates
> through the directory and adds all files of a specific type to a
> dropdown menu. The user can then choose one of the files to edit and
> load that file into a textarea... After changes are made, the
> content/code gets saved back to the same file/location.
>
> I do have an uploads folder, but it is in a different location on the
> server. I do not allow the user to create new files (I would have to do
> that manually)... it is a /very/ basic CMS.
>
> Anyway, looks like I have some great info to work with. Thanks again
> everyone for sharing your expertise.

How are these saved files then imported into the content? Are they
included or do you retrieve the contents using something like file(),
file_get_contents(), or fread() and then echo it? If you are using
include or require on a file whose contents are based on web input
content then you are opening up a can of security worms since anyone
with access to the CMS could embed PHP code in the content and do
anything for which the webserver has permissions.

Cheers,
Rob.
Re: [PHP] Comparing strings... need advice. :)
Hi Robert,

Robert Cummings wrote:
> How are these saved files then imported into the content? Are they
> included or do you retrieve the contents using something like file(),
> file_get_contents(), or fread() and then echo it? If you are using

Currently I am using readfile() (plus some other security checking) to
display the contents of the edited files. I set up my script to only
allow specific file types (txt, html, htm).

> include or require on a file whose contents are based on web input
> content then you are opening up a can of security worms since anyone
> with access to the CMS could embed PHP code in the content and do
> anything for which the webserver has permissions.

Thanks for pointing that out. Now that you mention it, I should probably
re-work my code to use a different method of page inclusion. I am pretty
concerned about security breaches... what are your thoughts on
readfile()? Would you suggest I use file(), file_get_contents(), or
fread() instead?

Thanks for the help Robert, I really appreciate your time. :)

Cheers,
Micky
Re: [PHP] Comparing strings... need advice. :)
On Mon, 2006-08-28 at 17:07 -0700, Micky Hulse wrote:
> Hi Robert,
>
> Robert Cummings wrote:
> > How are these saved files then imported into the content? Are they
> > included or do you retrieve the contents using something like file(),
> > file_get_contents(), or fread() and then echo it? If you are using
>
> Currently I am using readfile() (plus some other security checking) to
> display the contents of the edited files. I set up my script to only
> allow specific file types (txt, html, htm).
>
> > include or require on a file whose contents are based on web input
> > content then you are opening up a can of security worms since anyone
> > with access to the CMS could embed PHP code in the content and do
> > anything for which the webserver has permissions.
>
> Thanks for pointing that out. Now that you mention it, I should probably
> re-work my code to use a different method of page inclusion. I am pretty
> concerned about security breaches... what are your thoughts on
> readfile()? Would you suggest I use file(), file_get_contents(), or
> fread() instead?

Readfile works great, it's the same as file_get_contents() and then
issuing an echo. You may want to also store content generated by web
users outside of the web tree. There may not be any issue with how you
have things now, but imagine down the road someone using your system
enables PHP processing on .html files and then someone creates content
with PHP tags and accesses it directly from their browser... boom, same
security hole.

> Thanks for the help Robert, I really appreciate your time. :)

No problem :)

Cheers,
Rob.
RE: [PHP] Problems with UTF
Hi,

Have you set header('Content-Type: text/html; charset=utf-8'); in your
PHP script that you call via AJAX?

Best regards,
Peter

PS! I assumed you were not sending any variables with the AJAX request?
If so, you would need to do a UTF-8 encoding of the variables and then a
base64 encoding to make sure they arrive correctly. Of course you would
after that need to decode the variables with base64_decode in your PHP
script DS!

-----Original Message-----
From: mbneto [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 29, 2006 2:57 AM
To: php-general@lists.php.net
Subject: [PHP] Problems with UTF

Hi,

I have a PHP-based script that is called from an HTML page via AJAX.
Everything runs fine except when I use characters such as á that end up
like A!

After searching and testing I found that if I remove the
encodeURIComponent from the JavaScript and replace it with escape,
everything works fine.

So the question is what can I do from the PHP side to make it play nice
with those UTF-encoded chars generated from encodeURIComponent? Since
escape is deprecated I'd like to find out before I have tons of files to
change.

tks.
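An added example, not code from any post in the thread: the bytes PHP receives from each JavaScript encoder for 'á', a server side that accepts both while working in UTF-8, the mojibake Mike describes when UTF-8 bytes are labelled ISO-8859-1, and the response header Peter suggests. It assumes PHP 7+ with the mbstring extension; the two inputs are constructed.

```php
<?php
// Added example, not from the thread. Assumes PHP 7+ with mbstring.
declare(strict_types=1);

// Constructed inputs, as they travel in the request for the character 'á':
const FROM_ENCODE_URI_COMPONENT = '%C3%A1';   // encodeURIComponent('á'): UTF-8
const FROM_ESCAPE               = '%E1';      // escape('á'): one Latin-1 byte

/**
 * Return the value as UTF-8 whichever encoder produced it. A value from
 * escape() is a lone Latin-1 byte and fails the UTF-8 check, so it is
 * converted; a value from encodeURIComponent() is valid UTF-8 already.
 */
function bytesToUtf8(string $bytes): string
{
    if (mb_check_encoding($bytes, 'UTF-8')) {
        return $bytes;
    }
    return mb_convert_encoding($bytes, 'UTF-8', 'ISO-8859-1');
}

/**
 * What the user sees when the server labels UTF-8 bytes as ISO-8859-1:
 * each byte becomes its own character, so the two bytes of 'á' render as
 * two garbled characters (Mike's diagnosis).
 */
function asRenderedUnderLatin1(string $utf8): string
{
    return mb_convert_encoding($utf8, 'UTF-8', 'ISO-8859-1');
}

/** Declare the encoding of the AJAX response itself (Peter's suggestion). */
function sendUtf8ContentType(): void
{
    if (PHP_SAPI !== 'cli' && !headers_sent()) {
        header('Content-Type: text/html; charset=utf-8');
    }
}

sendUtf8ContentType();

// PHP already percent-decodes $_GET/$_POST; rawurldecode() here only turns
// the constructed inputs into the bytes a real request would deliver.
$fromNew = bytesToUtf8(rawurldecode(FROM_ENCODE_URI_COMPONENT));
$fromOld = bytesToUtf8(rawurldecode(FROM_ESCAPE));

var_dump($fromNew === "\xC3\xA1", $fromOld === "\xC3\xA1");   // both true
echo "served as UTF-8      : ", $fromNew, "\n";                 // á
echo "served as ISO-8859-1 : ", asRenderedUnderLatin1($fromNew), "\n"; // Ã¡
```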
Re: [PHP] Comparing strings... need advice. :)
Robert Cummings wrote:
> Readfile works great, it's the same as file_get_contents() and then

Ah, good to hear. :D

> issuing an echo. You may want to also store content generated by web
> users outside of the web tree. There may not be any issue with how you
[...]
> with PHP tags and accesses it directly from their browser... boom, same
> security hole.

Ah! Yes, good idea. :) I think I will work this in to my script/system.
Like I said, I am very concerned about security.

I would have used a pre-built CMS like Textpattern or Wordpress, but the
server I am on does not have database support. :(

Anyway, many thanks for the tips Rob and all! You guys/gals rock!

Cheers,
Micky