Re: [PHP] Re: Secure File Paths, File System - (simplified question)
Shawn McKenzie wrote:
> Daniel Kolbo wrote:
>> Shawn McKenzie wrote:
>>> Daniel Kolbo wrote:
>>>> Hello PHPers,
>>>>
>>>> I am quite ignorant about file system security. I was hoping you all could help me understand things.
>>>>
>>>> How does one restrict php script from going (reading, writing) files in the file system? As I see it, a php programmer could change the include_path, with ini_set(), use "../" etc..., and browse all the files on the server to which the php engine has access. This would clearly not be acceptable to a web host company, so how do most hosts restrict this kind of behaviour?
>>>>
>>>> Now, suppose i only have php access to my 'files' as defined by my host somehow. (again, my first part of the question is how do they do this?). Is it possible for me to further restrict this file accessibility for different sub-folders? Let me provide an example folder hierarchy and user scenario. Suppose there are two php programmers (me and you). I want full access, but I want to restrict you to your subdomain (subdomain2).
>>>>
>>>> +AllUsers (me and you)
>>>> +Domain1
>>>> ++Subdomain1 (me only)
>>>> ++Subdomain2 (me and you)
>>>> ++SharedDomain (me and you)
>>>> +ServerFile1 (me only)
>>>> +ServerFile2 (me only)
>>>> +SecretFile (no user)
>>>>
>>>> Thanks for helping understand how to restrict/limit different php programmers from going into places I'd rather them not go.
>>>>
>>>> dK
>>>
>>> Two methods come to mind, chroot and just setting perms for specific dirs.
>>
>> Hello,
>>
>> 1) chroot
>> I don't understand how to specify to the php engine to chroot upon different scripts being executed (scripts that i don't control). Would you please clarify?
>>
>> 2) perms
>> The php engine is what has access to specific dirs (not users, scripts,). That i know of, the php engine doesn't allow per user permissions. That is, it is one engine, one set of perms. Are you suggesting i have a separate php engine for each user?
>>
>> 3) Maybe i can simplify this question:
>> How does a hosting company, in a shared virtual host server environment, prevent all their clients (php programmers) from snooping into all the other clients' folders? I am assuming we are all using the same php engine, as it is a shared apache host.
>
> O.K. I read and typed too fast. In short, suexec with apache will run a user's scripts as that user so long as php is run as cgi and not the apache mod. Also, virtual hosts in apache define the docroot for a virtual host (user/domain/etc.), so other virtual hosts can't access outside of that docroot into other virtual hosts.
>
> So the perms part of my previous reply was related to suexec and chroot was out of my ass because many times you would chroot apache for extra security from the webserver in general.

thx for the reply shawn.
Re: [PHP] Two troublesome fields
From: Terion Miller
Date: February 19, 2009 5:34:50 PM EST
To: Bastien Koert
Cc: PHP General
Subject: Re: [PHP] Two troublesome fields

I just tried this and now it's not inserting at all where before everything EXCEPT two fields go in...

    $sql = "INSERT INTO workorders ( CreatedDate, Location, WorkOrderName, AdminID, FormName, Status, Notes) VALUES (";
    $sql .= "Now(), ";
    $sql .= "'". mysql_real_escape_string($Location) ."', ";
    $sql .= "'". mysql_real_escape_string($WorkOrderName) ."', ";
    $sql .= "'". mysql_real_escape_string($AdminID) ."', ";
    $sql .= "'". mysql_real_escape_string("WorkOrder") ."', ";
    $sql .= "'". mysql_real_escape_string("New Order") ."', ";
    $sql .= "'". mysql_real_escape_string($Notes) ."', ";
    mysql_query($sql);
    // The new id can only be read after the INSERT has run.
    $WorkOrderID = mysql_insert_id();

There's no closing parenthesis to VALUES, try...

    $sql .= "'". mysql_real_escape_string($Notes) ."')";

Sean DeNigris
s...@clipperadams.com
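Added example, not part of the thread: the same INSERT written with PDO placeholders instead of string concatenation (the mysql_* functions used above were removed in PHP 7.0). An in-memory SQLite database stands in for MySQL so the script runs offline; the column types, the insertWorkOrder helper and the sample values are assumptions.

```php
<?php
// Added example. SQLite in memory stands in for MySQL; column types are assumed.
$pdo = new PDO('sqlite::memory:');
// Make a malformed statement throw instead of failing silently.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec(
    'CREATE TABLE workorders (
        WorkOrderID INTEGER PRIMARY KEY AUTOINCREMENT,
        CreatedDate TEXT, Location TEXT, WorkOrderName TEXT,
        AdminID INTEGER, FormName TEXT, Status TEXT, Notes TEXT)'
);

// Hypothetical helper: inserts one work order and returns its new id.
function insertWorkOrder(PDO $pdo, string $location, string $name, int $adminId, string $notes): int
{
    // The SQL text is constant, so no quote or parenthesis can go missing
    // during concatenation, and bound values are never parsed as SQL.
    $stmt = $pdo->prepare(
        'INSERT INTO workorders
            (CreatedDate, Location, WorkOrderName, AdminID, FormName, Status, Notes)
         VALUES
            (CURRENT_TIMESTAMP, :location, :name, :admin, :form, :status, :notes)'
    );
    $stmt->execute([
        ':location' => $location,
        ':name'     => $name,
        ':admin'    => $adminId,
        ':form'     => 'WorkOrder',
        ':status'   => 'New Order',
        ':notes'    => $notes,
    ]);
    // The generated id exists only after the INSERT has executed.
    return (int) $pdo->lastInsertId();
}

// Constructed sample values containing quotes and parentheses.
$id = insertWorkOrder($pdo, "O'Hare desk", 'Banner "A"', 7, "Customer's note: call back (after 5pm); urgent");

$check = $pdo->prepare('SELECT WorkOrderID, Location, Status, Notes FROM workorders WHERE WorkOrderID = ?');
$check->execute([$id]);
print_r($check->fetch(PDO::FETCH_ASSOC));
```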
[PHP] XML -> XSLT transformation using XSLTProcessor class
Hi All,

We are trying to import some xml data into the database. My idea was to make an xslt and then transform the xml to php code which generates the queries necessary and then gets evaled as php code for the actual import...

Anyway, i got it working (mostly)!

But i need to get the current element name with x-path. So i have the following:

some data 1
some data 2
some data 3
some data 4
some data 5

// WORKS and gives the value of childOfA (e.g. some data 1)
//... the php code...

In the php code, I need to get the element tag name of the current element, so either elementA or elementB. How can i get that in an x-path expression?

I know, this is not strictly a php question, but since the project is in php and this list has a very good response rate, i decided to ask here. I already looked on the web for hours, but maybe i just don't have the right keywords.

Please help. Thanks.

Regards,
Tim

Tim-Hinnerk Heuer
http://www.ihostnz.com
P. J. O'Rourke - "Everybody knows how to raise children, except the people who have them."
[PHP] mobile texting app question
All,

I am working on the design for an app that uses mobile phone texting to make payments, but I am having some trouble finding out how the whole mobile process works. I grow the CSC (common short code) set up and them acting as a clearing house, but can anyone point me to some docs on how the process works. From the user attempting to text a payment to my site getting the data?

It's kinda off topic, other than the entire site / app will be php based. Googling doesn't get me that far, but it might be more of a not knowing exactly what it's called to be able to narrow the search.

Appreciate any replies.

--
Bastien

Cat, the other other white meat
Re: [PHP] Zend Guard/Optimizer alternatives?
Brian Dunning wrote:
> I should mention that I did try the ionCube online encoder, which I
> think is a great idea... but its runtimes failed to load on both of my
> test systems, requiring editing of php.ini. That's over the top for my
> users. I need something that's rock-solid and that will never require my
> users to have to know anything or do anything special (they are business
> people, not developers or server admins).

use a legal contract.
or make the functionality dependent on a webservice hosted on your server (and stick the meat of the functionality on your end).
or get a client you can trust not to rape you.

> On Feb 16, 2009, at 9:10 AM, Brian Dunning wrote:
>
>> Is there a cheaper alternative to Guard/Optimizer? I have a single
>> small PHP file that is part of a larger solution I sell, and I want it
>> to be protected - and it has to be a runtime so it will run on
>> anyone's standard PHP server. Zend's $600 was a little bit of sticker
>> shock. Any alternatives?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] XML -> XSLT transformation using XSLTProcessor class
> -Original Message-
> From: th.he...@gmail.com [mailto:th.he...@gmail.com] On Behalf Of German Geek
> Sent: Friday, February 20, 2009 9:18 AM
> To: PHP General list
> Subject: [PHP] XML -> XSLT transformation using XSLTProcessor class
>
> Hi All,
>
> We are trying to import some xml data into the database. My idea was to make
> an xslt and then transform the xml to php code which generates the queries
> necessary and then gets evaled as php code for the actual import...
>
> Anyway, i got it working (mostly)!
>
> But i need to get the current element name with x-path. So i have the
> following:
>
> some data 1
> some data 2
> some data 3
> some data 4
> some data 5
>
> // WORKS and gives the value of childOfA (e.g. some data 1)
> //... the php code...
>
> In the php code, I need to get the element tag name of the current element,
> so either elementA or elementB. How can i get that in an x-path expression?
>
> I know, this is not strictly a php question, but since the project is in php
> and this list has a very good response rate, i decided to ask here. I
> already looked on the web for hours, but maybe i just don't have the right
> keywords.
>
> Please help. Thanks.

I believe the name() XPath function is what you are looking for. It's been a while since I've worked with XPath query strings, but I believe ".[name()]" will get you the current element's tag name.

Keep in mind: I'm not sure if this works with namespaced tags (like ), but I have not tested this to be sure.

HTH,

// Todd
Re: [PHP] XML -> XSLT transformation using XSLTProcessor class
Thanks a lot. Sorry but 5 minutes after sending this email i figured it out myself. I didn't know how to answer my own message because i didn't get my own message...

Anyway, this worked for me:

Hope this helps someone else...

Thanks again.

Tim

Tim-Hinnerk Heuer
http://www.ihostnz.com
Bill Watterson - "There is not enough time to do all the nothing we want to do."

2009/2/21 Boyd, Todd M.

> > -Original Message-
> > From: th.he...@gmail.com [mailto:th.he...@gmail.com] On Behalf Of German Geek
> > Sent: Friday, February 20, 2009 9:18 AM
> > To: PHP General list
> > Subject: [PHP] XML -> XSLT transformation using XSLTProcessor class
> >
> > Hi All,
> >
> > We are trying to import some xml data into the database. My idea was to make
> > an xslt and then transform the xml to php code which generates the queries
> > necessary and then gets evaled as php code for the actual import...
> >
> > Anyway, i got it working (mostly)!
> >
> > But i need to get the current element name with x-path. So i have the
> > following:
> >
> > some data 1
> > some data 2
> > some data 3
> > some data 4
> > some data 5
> >
> > // WORKS and gives the value of childOfA (e.g. some data 1)
> > //... the php code...
> >
> > In the php code, I need to get the element tag name of the current element,
> > so either elementA or elementB. How can i get that in an x-path expression?
> >
> > I know, this is not strictly a php question, but since the project is in php
> > and this list has a very good response rate, i decided to ask here. I
> > already looked on the web for hours, but maybe i just don't have the right
> > keywords.
> >
> > Please help. Thanks.
>
> I believe the name() XPath function is what you are looking for. It's been
> a while since I've worked with XPath query strings, but I believe
> ".[name()]" will get you the current element's tag name.
>
> Keep in mind: I'm not sure if this works with namespaced tags (like ),
> but I have not tested this to be sure.
>
> HTH,
>
> // Todd
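Added example, not part of the thread: inside a stylesheet, name() returns the context element's qualified name and local-name() the name without its prefix, which covers the namespaced case raised above. The stylesheet emits tab-separated data rather than PHP source, so nothing has to be passed to eval. The sample XML, the namespace URI and the elementRows helper are constructed for illustration, and PHP's xsl extension is assumed to be loaded.

```php
<?php
// Constructed sample input; the thread's own XML did not survive in the archive.
$xml = <<<'XML'
<root xmlns:ns="urn:example:constructed">
  <elementA><childOfA>some data 1</childOfA></elementA>
  <elementB><childOfA>some data 2</childOfA></elementB>
  <ns:elementA><childOfA>some data 3</childOfA></ns:elementA>
</root>
XML;

// One output line per child of <root>: qualified name, local name, value.
$xsl = <<<'XSL'
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>
  <xsl:template match="/root/*">
    <xsl:value-of select="name()"/><xsl:text>&#9;</xsl:text>
    <xsl:value-of select="local-name()"/><xsl:text>&#9;</xsl:text>
    <xsl:value-of select="normalize-space(childOfA)"/><xsl:text>&#10;</xsl:text>
  </xsl:template>
  <xsl:template match="text()"/>
</xsl:stylesheet>
XSL;

// Hypothetical helper: runs the stylesheet and returns the rows as plain data.
function elementRows(string $xml, string $xsl): array
{
    $source = new DOMDocument();
    $source->loadXML($xml, LIBXML_NONET);   // no network fetches while parsing
    $style = new DOMDocument();
    $style->loadXML($xsl, LIBXML_NONET);

    $proc = new XSLTProcessor();
    $proc->importStylesheet($style);
    $text = $proc->transformToXml($source);
    if (!is_string($text)) {
        throw new RuntimeException('XSLT transformation failed');
    }
    $rows = [];
    // normalize-space() removed tabs and newlines from values, so the
    // separators below cannot appear inside a field.
    foreach (explode("\n", rtrim($text, "\n")) as $line) {
        [$qname, $local, $value] = explode("\t", $line, 3);
        $rows[] = ['qname' => $qname, 'local' => $local, 'value' => $value];
    }
    return $rows;
}

print_r(elementRows($xml, $xsl));
```

The returned rows are ordinary strings that can be bound to a prepared statement for the import.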
Re: [PHP] Unique User Hashes
Martin Zvarík wrote:
> Ashley Sheridan wrote:
>> On Thu, 2009-02-19 at 23:34 +0100, Martin Zvarík wrote:
>>> Chris wrote:
>>>> Martin Zvarík wrote:
>>>>> Chris wrote:
>>>>>> Martin Zvarík wrote:
>>>>>>> tedd wrote:
>>>>>>>> At 5:28 PM +0100 2/19/09, Martin Zvarík wrote:
>>>>>>>>> tedd wrote:
>>>>>>>>>> At 5:10 PM +0100 2/19/09, Martin Zvarík wrote:
>>>>>>>>>>> tedd wrote:
>>>>>>>>>>>> At 1:49 AM +0100 2/19/09, Martin Zvarík wrote:
>>>>>>>
>>>>>>> Guys, I have not seen a poll where you need to input your email address - and if I would I would not vote - because it's a waste of my time... if you want me to vote you do everything you can to make it as pleasant as possible -- certainly that isn't requirement of an email validation.
>>>>>>>
>>>>>>> Btw. google "free temporary email address" to see how unique email addresses really are - in case you meant it in reference to the poll voting - where you care about uniqueness of votes = people.
>>>>>>
>>>>>> So instead of trolling, offer a better suggestion.
>>>>>
>>>>> Chris, if you would read the whole thread (my first comment), I bet you would consider more wisely your patronizing comment.
>>>>
>>>> "Use the ip" - which we've all said is useless. Where's the better suggestion?
>>>
>>> Nevermind, I was wrong - thank you for making me realize I am wasting time here. This useless IP solution is used by 80% of websites. I was trying to convince you that requirement of an email validation is just, let's say, unwise. So, don't bark if you don't agree.
>>
>> So you're saying that unless we agree with you, not to mention anything?
>>
>> Ash
>> www.ashleysheridan.co.uk
>
> I meant: You don't have to bark, if you don't agree. = We can discuss.

it's all a bit pointless, the only way to ensure only one vote per person is to get take and test a dns sample from each user.

anything else is going to be flawed
Re: [PHP] Unique User Hashes
Nathan Rixham wrote:
> it's all a bit pointless, the only way to ensure only one vote per person is to get take and test a dns sample from each user.
>
> anything else is going to be flawed

Hey now, what do you have against us clones? ;)
Re: [PHP] Unique User Hashes
Michael A. Peters wrote:
> Nathan Rixham wrote:
>> it's all a bit pointless, the only way to ensure only one vote per person is to get take and test a dns sample from each user.
>>
>> anything else is going to be flawed
>
> Hey now, what do you have against us clones? ;)

and nobody noticed I said DNS sample not DNA sample - jesus thought somebody would have jumped on that one :p
Re: [PHP] Unique User Hashes
At 11:09 PM + 2/20/09, Nathan Rixham wrote:
> Michael A. Peters wrote:
>> Nathan Rixham wrote:
>>> it's all a bit pointless, the only way to ensure only one vote per person is to get take and test a dns sample from each user.
>>>
>>> anything else is going to be flawed
>>
>> Hey now, what do you have against us clones? ;)
>
> and nobody noticed I said DNS sample not DNA sample - jesus thought somebody would have jumped on that one :p

I saw it -- I just didn't want to get into the debate again with a troll lurking about. Some people are so focused on the point they want to make that they don't hear what others are saying.

Cheers,

tedd

--
---
http://sperling.com http://ancientstones.com http://earthstones.com
[PHP] Re: mysql_real_escape_string("asdasddas") ??? wtf
On Sat, 21 Feb 2009 19:19:44 +1300, t...@ihostnz.com wrote:

>Can anyone here tell me why mysql_real_escape_string("asdasddas") returns an
>empty string?

Have you opened a connection to a MySQL database? It won't work without an open connection.

--
Ross McKay, Toronto, NSW Australia
"Let the laddie play wi the knife - he'll learn"
- The Wee Book of Calvin
[PHP] mysql_real_escape_string("asdasddas") ??? wtf
Hi everyone,

Can anyone here tell me why mysql_real_escape_string("asdasddas") returns an empty string?

Just writing a data import... Anyway, for security but also simply because i might have a ' in the string, i need to escape it. Apparently it is good practice to use mysql_real_escape_string() but it simply doesn't work at all on this machine. I thought it's a rather standard function. Is it maybe my Apache server setup? But i thought the function wouldn't exist then and throw an error in the php script, but it runs through fine.

Please help, we need this data import by next week hence i'm working now...

I can send you details of the server setup if required. Please let me know what as there are quite a few things... It's xampp on windows xp (testing/dev machine).

Regards,
Tim

Tim-Hinnerk Heuer
http://www.ihostnz.com
P. J. O'Rourke - "Everybody knows how to raise children, except the people who have them."