RE: [PHP] Automatic PHP Security tool

2010-05-20 Thread Bob McConnell
From: Juan Rodriguez Monti

> I would like to know if there's some App that runs automatic tests
> against a PHP Application to detect security issues, potential bugs
> and so on.
> 
> I know this kind of application exists for other fields of IT, but I
> don't know if there are some applications or tests to run against a PHP
> App. Might be some security suite or tests written in Python or Perl,
> I don't know, but I guess you might know.
> 
> In this case, I just finished the development of an application
> developed in PHP with XHTML and that works with Sqlite. And I would
> like to include some security tests before it goes online. It's not
> actually working in production environment, but it's ready to use it.

You probably want to start by looking at the OWASP project.



Bob McConnell

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] Question about a security function

2010-05-20 Thread Al
I have a password-protected, user, on-line editor that I'm hardening against 
hackers just in case a user's pw is stolen or local PC is infected.


The user can enter html tags; but, I restrict the acceptable tags to benign 
ones. e.g., , , , etc.  e.g., no 

Just to be extra safe, I've added a function that parses for executables in the 
raw, entered text. If found, I post a nasty error message and ignore the entry 
altogether.


Here are my regex patterns. I tried finding a complete list of browser 
executables; but was unsuccessful, probably because I didn't use the right key 
words.


Anyone have suggestions for additional patterns?

$securityPatternsArray=array(
"\"error_reporting\(0\)",//Most hacks I've seen make certain they turn off error reporting

"\



Re: [PHP] Question about a security function

2010-05-20 Thread Peter Lind
On 20 May 2010 14:53, Al  wrote:
> I have a password-protected, user, on-line editor that I'm hardening against
> hackers just in case a user's pw is stolen or local PC is infected.
>
> The user can enter html tags; but, I restrict the acceptable tags to benign
> ones. e.g., , , , etc.  e.g., no 
> Just to be extra safe, I've added a function that parses for executables in
> the raw, entered text. If found, I post a nasty error message and ignore
> the entry altogether.
>
> Here are my regex patterns. I tried finding a complete list of browser
> executables; but was unsuccessful, probably because I didn't use the right
> key words.
>
> Anyone have suggestions for additional patterns?
>
> $securityPatternsArray=array(
> "\ "\ "\ 'language="javascript"',
> 'type="text/javascript"',
> 'language="vbscript\"',
> 'type="text/vbscript"',
> 'language="vbscript"',
> 'type="text/tcl"',
> "error_reporting\(0\)",//Most hacks I've seen make certain they turn off error reporting
> "\ );
>

Rolling your own when it comes to this is a very bad idea: chances are
you'll miss something even if asking a list like this. Much better to
use an existing tool like htmlpurifier.

Regards
Peter


-- 

WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
Flickr: http://www.flickr.com/photos/fake51
BeWelcome: Fake51
Couchsurfing: Fake51





Re: [PHP] Question about a security function

2010-05-20 Thread David Otton
On 20 May 2010 13:53, Al  wrote:
>
> I have a password-protected, user, on-line editor that I'm hardening against
> hackers just in case a user's pw is stolen or local PC is infected.
>
> The user can enter html tags; but, I restrict the acceptable tags to benign
> ones. e.g., , , , etc.  e.g., no 
> Just to be extra safe, I've added a function that parses for executables in
> the raw, entered text. If found, I post a nasty error message and ignore
> the entry altogether.

That's not really going to work. See:

http://ha.ckers.org/xss.html

Blacklisting is a fundamentally flawed approach. I suggest using
http://htmlpurifier.org/ instead.




[PHP] Some undefined function errors

2010-05-20 Thread Giancarlo Boaron
Hi all.

Recently, I wrote an email about the problem I was having with some Postgres 
functions that when those functions were called, I received the following 
error: "Call to undefined function ".

After some answers, I decided to rebuild a brand new linux virtual machine with 
Apache + PHP + Postgres, but I still get this annoying error message with some 
functions like pg_prepare() and pg_escape_string().

I compiled Postgres with --without-readline option.
I compiled PHP with --with-apxs2=/usr/local/apache2/bin/apxs and 
--with-pgsql=/usr/local/pgsql/

And the compilation process has no errors.

What am I doing wrong? Do I have to change something in php_config.h file? If 
so, what do I have to change?

Thank you.







Re: [PHP] Question about a security function

2010-05-20 Thread Ashley Sheridan
On Thu, 2010-05-20 at 14:27 +0100, David Otton wrote:

> On 20 May 2010 13:53, Al  wrote:
> >
> > I have a password-protected, user, on-line editor that I'm hardening against
> > hackers just in case a user's pw is stolen or local PC is infected.
> >
> > The user can enter html tags; but, I restrict the acceptable tags to benign
> > ones. e.g., , , , etc.  e.g., no  >
> > Just to be extra safe, I've added a function that parses for executables in
> > the raw, entered text. If found, I post a nasty error message and ignore
> > the entry altogether.
> 
> That's not really going to work. See:
> 
> http://ha.ckers.org/xss.html
> 
> Blacklisting is a fundamentally flawed approach. I suggest using
> http://htmlpurifier.org/ instead.
> 


I agree with Peter and David, it's not generally a good idea to roll your
own in this case, as the repercussions can be quite large if things go
wrong!

If you absolutely must though, don't allow any HTML at all, and use
BBCode instead, which you can replace afterwards. Before entering the
data into a database run it through mysql_real_escape_string(), and if
you are displaying any user-entered data, run that through
htmlentities() or something similar.

Thanks,
Ash
http://www.ashleysheridan.co.uk
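
Blacklist versus escape-then-allowlist, as discussed in this thread, in an added example that is not code from any poster. The two blacklist strings are ones quoted in the thread; the function names, the tag set and the sample entries are assumptions constructed for illustration.

```php
<?php
// Added example (not code from any message in this thread).

// Two patterns that survive intact in the quoted blacklist.
$blacklist = array('language="javascript"', 'type="text/javascript"');

/**
 * Case-sensitive substring blacklist, the style of check under discussion.
 * Returns true when the entry would be rejected.
 */
function blacklist_rejects($text, array $patterns)
{
    foreach ($patterns as $pattern) {
        if (strpos($text, $pattern) !== false) {
            return true;
        }
    }
    return false;
}

/**
 * Allowlist rendering: escape the whole entry with htmlspecialchars(), then
 * restore only bare tags (no attributes) from a fixed set. Anything that is
 * not restored stays inert text. The tag set is an assumption for this example.
 */
function allowlist_render($text, array $tags = array('b', 'i', 'em', 'strong', 'p', 'br'))
{
    $escaped = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    $names   = implode('|', array_map('preg_quote', $tags));
    // After escaping, an allowed tag looks like &lt;b&gt; or &lt;/b&gt;.
    return preg_replace('~&lt;(/?)(' . $names . ')&gt;~i', '<$1$2>', $escaped);
}

// Constructed sample entries.
$samples = array(
    'plain allowed markup'    => '<b>Sale</b> ends <i>Friday</i>',
    'exact blacklist match'   => '<script type="text/javascript">x()</script>',
    'same tag, other casing'  => '<SCRIPT TYPE="text/JavaScript">x()</SCRIPT>',
    'allowed tag + attribute' => '<p style="x">hello</p>',
);

foreach ($samples as $label => $entry) {
    printf(
        "%s\n  blacklist rejects: %s\n  allowlist output:  %s\n",
        $label,
        blacklist_rejects($entry, $blacklist) ? 'yes' : 'no',
        allowlist_render($entry)
    );
}
```

The allowlist step does not balance tags (the last sample leaves a lone closing tag), which is one of the jobs a full sanitizer such as HTML Purifier takes on.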




Re: [PHP] Content question

2010-05-20 Thread tedd

At 1:07 PM -0400 5/19/10, Ernie Kemp wrote:

> This is not a direct PHP question but I will be using PHP in the website.
>
> After a website has been created there will be a need to change, say, a
> product or service page over time.
>
> The client is asking how he will be able to make changes to these pages.
> Yes, I'm a newbie at this and the only way I can think of is to edit
> the page in, say, an HTML editor.
>
> Please comment how you might do it another way.
>
> Thanks very much,
> /Ernie


Hire one of us to do it. That's what many of us do for a living.

Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] Question about a security function

2010-05-20 Thread Al



On 5/20/2010 10:07 AM, Ashley Sheridan wrote:
> On Thu, 2010-05-20 at 14:27 +0100, David Otton wrote:
>
> > On 20 May 2010 13:53, Al  wrote:
> > >
> > > I have a password-protected, user, on-line editor that I'm hardening against
> > > hackers just in case a user's pw is stolen or local PC is infected.
> > >
> > > The user can enter html tags; but, I restrict the acceptable tags to benign
> > > ones. e.g. etc.  e.g., no
> >
> > That's not really going to work. See:
> >
> > http://ha.ckers.org/xss.html
> >
> > Blacklisting is a fundamentally flawed approach. I suggest using
> > http://htmlpurifier.org/ instead.
>
> I agree with Peter and David, it's not generally a good idea to roll your
> own in this case, as the repercussions can be quite large if things go
> wrong!
>
> If you absolutely must though, don't allow any HTML at all, and use
> BBCode instead, which you can replace afterwards. Before entering the
> data into a database run it through mysql_real_escape_string(), and if
> you are displaying any user-entered data, run that through
> htmlentities() or something similar.
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk





I agree blacklisting is a flawed approach in general. My approach is to strictly 
confine entry text to a whitelist of benign, acceptable tags. The blacklist is 
sort of a backup and won't even save the entry. The user's entry has no ability 
to affect anything outside of the stuff within the body tags, including the css 
file.


Thanks for the heads up about htmlpurifier. I'll take a more detailed look.

I briefly looked at it earlier; but, found it was gross overkill for my needs. 
My objective is to not let bad stuff into my server to start with, and not to 
parse existing html and css files.


The ha.hackers site is most interesting. I plan to work with it in detail.

Al..





Re: [PHP] Question about a security function

2010-05-20 Thread David Otton
On 20 May 2010 15:52, Al  wrote:

> I agree blacklisting is a flawed approach in general. My approach is to
> strictly confine entry text to a whitelist of benign, acceptable tags. The

But that's not what you've done. You've blacklisted the following patterns:

"\

 would sail straight through that list.

I can't tell from that list alone, but are your checks
case-insensitive? Because 

Re: [PHP] Some undefined function errors

2010-05-20 Thread Fernando

Sorry, I misread the question.

It does seem that php is not picking up the pg module and cannot find 
the functions.


I assume Postgresql is in fact installed at /usr/local/pgsql.  If you 
run phpinfo(); can you see that PG is installed?


On 20/05/2010 10:46, Giancarlo Boaron wrote:
> I make the function call in a php file. I'm not using stored procedures.
> If I create an empty php file and put only some of these functions,
> Apache reports the 'call to undefined function XXX'.
>
> --- On Thu, 20/5/10, Fernando wrote:
>
> > From: Fernando
> > Subject: Re: [GENERAL] [PHP] Some undefined function errors
> > To: pgsql-gene...@postgresql.org
> > Date: Thursday, 20 May 2010, 11:25
> >
> > Are you calling stored procedures that return cursors?  I had this
> > problem with cursors because the transaction gets committed and
> > the cursor closed after they return.  Mind you I had the problem
> > on .NET using npgsql, so I might be way off.
> >
> > Cheers
> >
> > On 20/05/2010 10:05, Giancarlo Boaron wrote:
> > > Hi all.
> > >
> > > Recently, I wrote an email about the problem I was having with some
> > > Postgres functions that when those functions were called, I received
> > > the following error: "Call to undefined function".
> > >
> > > After some answers, I decided to rebuild a brand new linux virtual
> > > machine with Apache + PHP + Postgres, but I still get this annoying
> > > error message with some functions like pg_prepare() and
> > > pg_escape_string().
> > >
> > > I compiled Postgres with --without-readline option.
> > > I compiled PHP with --with-apxs2=/usr/local/apache2/bin/apxs and
> > > --with-pgsql=/usr/local/pgsql/
> > >
> > > And the compilation process has no errors.
> > >
> > > What am I doing wrong? Do I have to change something in php_config.h
> > > file? If so, what do I have to change?
> > >
> > > Thank you.




   





Re: [PHP] Question about a security function

2010-05-20 Thread Al



On 5/20/2010 11:23 AM, David Otton wrote:
> On 20 May 2010 15:52, Al  wrote:
>
> > I agree blacklisting is a flawed approach in general. My approach is to
> > strictly confine entry text to a whitelist of benign, acceptable tags. The
>
> But that's not what you've done. You've blacklisted the following patterns:
>
> "\
>
>   would sail straight through that list.
>
> I can't tell from that list alone, but are your checks
> case-insensitive? Because

Re: [PHP] Question about a security function

2010-05-20 Thread Ashley Sheridan
On Thu, 2010-05-20 at 11:51 -0400, Al wrote:

> 
> On 5/20/2010 11:23 AM, David Otton wrote:
> > On 20 May 2010 15:52, Al  wrote:
> >
> >> I agree blacklisting is a flawed approach in general. My approach is to
> >> strictly confine entry text to a whitelist of benign, acceptable tags. The
> >
> > But that's not what you've done. You've blacklisted the following patterns:
> >
> > "\ > "\ > "\ > 'language="javascript"',
> > 'type="text/javascript"',
> > 'language="vbscript\"',
> > 'type="text/vbscript"',
> > 'language="vbscript"',
> > 'type="text/tcl"',
> > "error_reporting\(0\)",//Most hacks I've seen make certain they turn off error reporting
> > "\ >
> > and allowed everything else. A couple of examples:
> >
> > You haven't blacklisted
> >
> >   would sail straight through that list.
> >
> > I can't tell from that list alone, but are your checks
> > case-insensitive? Because

Re: [PHP] Question about a security function

2010-05-20 Thread Jim Lucas
Al wrote:
> 
> 
> On 5/20/2010 11:23 AM, David Otton wrote:
>> On 20 May 2010 15:52, Al  wrote:
>>
>>> I agree blacklisting is a flawed approach in general. My approach is to
>>> strictly confine entry text to a whitelist of benign, acceptable
>>> tags. The
>>
>> But that's not what you've done. You've blacklisted the following
>> patterns:
>>
>> "\> "\> "\> 'language="javascript"',
>> 'type="text/javascript"',
>> 'language="vbscript\"',
>> 'type="text/vbscript"',
>> 'language="vbscript"',
>> 'type="text/tcl"',
>> "error_reporting\(0\)",//Most hacks I've seen make certain they turn off error reporting
>> "\>
>> and allowed everything else. A couple of examples:
>>
>> You haven't blacklisted
>>
>>   would sail straight through that
>> list.
>>
>> I can't tell from that list alone, but are your checks
>> case-insensitive? Because

Re: [PHP] Some undefined function errors

2010-05-20 Thread Jim Lucas
Giancarlo Boaron wrote:
> Hi all.
> 
> Recently, I wrote an email about the problem I was having with some Postgres 
> functions that when those functions were called, I received the following 
> error: "Call to undefined function ".
> 
> After some answers, I decided to rebuild a brand new linux virtual machine 
> with Apache + PHP + Postgres, but I still get this annoying error message 
> with some functions like pg_prepare() and pg_escape_string().
> 
> I compiled Postgres with --without-readline option.
> I compiled PHP with --with-apxs2=/usr/local/apache2/bin/apxs and 
> --with-pgsql=/usr/local/pgsql/
> 
> And the compilation process has no errors.
> 
> What am I doing wrong? Do I have to change something in php_config.h file? If 
> so, what do I have to change?
> 
> Thank you.
> 
> 
>   
> 

Depending on what version of apache you are running, you need to make sure that
you are loading the pgsql.so file or have the psql.ini file in your
/var/www/conf/php5/ directory.

This way it knows to load pg.

-- 
Jim Lucas

   "Some men are born to greatness, some achieve greatness,
   and some have greatness thrust upon them."

Twelfth Night, Act II, Scene V
by William Shakespeare




Re: [PHP] Some undefined function errors

2010-05-20 Thread Giancarlo Boaron
Yes. Phpinfo() tells me it's ok:

pgsql
PostgreSQL Support enabled 
PostgreSQL(libpq) Version  8.4.4  
Multibyte character support  disabled  
SSL support  enabled  
Active Persistent Links  0  
Active Links  0  

Directive Local Value Master Value 
pgsql.allow_persistent On On 
pgsql.auto_reset_persistent Off Off 
pgsql.ignore_notice Off Off 
pgsql.log_notice Off Off 
pgsql.max_links Unlimited Unlimited 
pgsql.max_persistent Unlimited Unlimited 

My PHP version is 5.3.2.
My PostgreSQL version is 8.4.4 and I'm running the server under the restricted 
'postgres' user privileges since I can't run the daemon process as 'root'.

Thank you for some help.





Re: [PHP] Some undefined function errors

2010-05-20 Thread Giancarlo Boaron
Hi Jim.

I think it depends on each server configuration but I checked in my server and 
I don't have the 'pgsql.so' and 'psql.ini' files and neither the 'www' 
directory.

My Apache version is 2.2.15 and my root directory is /usr/local/apache2/htdocs.

Thank you.





Re: [PHP] Some undefined function errors

2010-05-20 Thread Ashley Sheridan
On Thu, 2010-05-20 at 09:21 -0700, Giancarlo Boaron wrote:

> Hi Jim.
> 
> I think it depends on each server configuration but I checked in my server 
> and I don't have the 'pgsql.so' and 'psql.ini' files and neither the 'www' 
> directory.
> 
> My Apache version is 2.2.15 and my root directory is 
> /usr/local/apache2/htdocs.
> 
> Thank you.
> 
> 
> --- On Thu, 20/5/10, Jim Lucas  wrote:
> 
> > From: Jim Lucas 
> > Subject: Re: [PHP] Some undefined function errors
> > To: "Giancarlo Boaron" 
> > Cc: pgsql-gene...@postgresql.org, php-general@lists.php.net, 
> > pgsql-nov...@postgresql.org
> > Date: Thursday, 20 May 2010, 13:04
> > Giancarlo Boaron wrote:
> > > Hi all.
> > > 
> > > Recently, I wrote an email about the problem I was
> > having with some Postgres functions that when those
> > functions were called, I received the following error: "Call
> > to undefined function ".
> > > 
> > > After some answers, I decided to rebuild a brand new
> > linux virtual machine with Apache + PHP + Postgres, but I
> > still get this annoying error message with some functions
> > like pg_prepare() and pg_escape_string().
> > > 
> > > I compiled Postgres with --without-readline option.
> > > I compiled PHP with
> > --with-apxs2=/usr/local/apache2/bin/apxs and
> > --with-pgsql=/usr/local/pgsql/
> > > 
> > > And the compilation process has no errors.
> > > 
> > > What am I doing wrong? Do I have to change something
> > in php_config.h file? If so, what do I have to change?
> > > 
> > > Thank you.
> > > 
> > > 
> > >   
> > > 
> > 
> > Depending on what version of apache you are running, you
> > need to make sure that
> > you are loading the pgsql.so file or have the psql.ini file
> > in your
> > /var/www/conf/php5/ directory.
> > 
> > This way it knows to load pg.
> > 
> > -- 
> > Jim Lucas
> > 
> >"Some men are born to greatness, some
> > achieve greatness,
> >and some have greatness
> > thrust upon them."
> > 
> > Twelfth Night, Act II, Scene V
> > by William Shakespeare
> > 
> 
> 
>   
> 


I've generally found these sorts of things to be in /etc/php, /etc/php5
or something similar. Within /etc you should see directories for both
Apache and PHP. If you have shell access to the machine, try calling a
whereis command, which might give you a better idea of where things are
kept in your system.

Thanks,
Ash
http://www.ashleysheridan.co.uk




Re: [PHP] Question about a security function

2010-05-20 Thread Al



On 5/20/2010 12:02 PM, Jim Lucas wrote:
> Al wrote:
>>
>> On 5/20/2010 11:23 AM, David Otton wrote:
>>> On 20 May 2010 15:52, Al wrote:
>>>
>>>> I agree blacklisting is a flawed approach in general. My approach is to
>>>> strictly confine entry text to a whitelist of benign, acceptable
>>>> tags. The
>>>
>>> But that's not what you've done. You've blacklisted the following
>>> patterns:
>>>
>>> "\
>>>
>>>    would sail straight through that
>>> list.
>>>
>>> I can't tell from that list alone, but are your checks
>>> case-insensitive? Because

Re: [PHP] Question about a security function

2010-05-20 Thread Ashley Sheridan
On Thu, 2010-05-20 at 12:40 -0400, Al wrote:

> 
> On 5/20/2010 12:02 PM, Jim Lucas wrote:
> > Al wrote:
> >>
> >>
> >> On 5/20/2010 11:23 AM, David Otton wrote:
> >>> On 20 May 2010 15:52, Al   wrote:
> >>>
> >>>> I agree blacklisting is a flawed approach in general. My approach is to
> >>>> strictly confine entry text to a whitelist of benign, acceptable
> >>>> tags. The
> >>>
> >>> But that's not what you've done. You've blacklisted the following
> >>> patterns:
> >>>
> >>> "\ >>> "\ >>> "\ >>> 'language="javascript"',
> >>> 'type="text/javascript"',
> >>> 'language="vbscript\"',
> >>> 'type="text/vbscript"',
> >>> 'language="vbscript"',
> >>> 'type="text/tcl"',
> >>> "error_reporting\(0\)",//Most hacks I've seen make certain they turn off error reporting
> >>> "\ >>>
> >>> and allowed everything else. A couple of examples:
> >>>
> >>> You haven't blacklisted
> >>>
> >>>would sail straight through that
> >>> list.
> >>>
> >>> I can't tell from that list alone, but are your checks
> >>> case-insensitive? Because

Re: [PHP] Question about a security function

2010-05-20 Thread Al



On 5/20/2010 12:43 PM, Ashley Sheridan wrote:
> On Thu, 2010-05-20 at 12:40 -0400, Al wrote:
>
> > On 5/20/2010 12:02 PM, Jim Lucas wrote:
> > > Al wrote:
> > >>
> > >> On 5/20/2010 11:23 AM, David Otton wrote:
> > >>> On 20 May 2010 15:52, Al wrote:
> > >>>
> > >>>> I agree blacklisting is a flawed approach in general. My approach is to
> > >>>> strictly confine entry text to a whitelist of benign, acceptable
> > >>>> tags. The
> > >>>
> > >>> But that's not what you've done. You've blacklisted the following
> > >>> patterns:
> > >>>
> > >>> "\
> > >>>
> > >>> would sail straight through that
> > >>> list.
> > >>>
> > >>> I can't tell from that list alone, but are your checks
> > >>> case-insensitive? Because

Re: [PHP] Some undefined function errors

2010-05-20 Thread Fernando
So php is loading pg.  How are you calling these functions?  Can you 
connect or does pg_connect() give the same error?



On 20/05/2010 12:10, Giancarlo Boaron wrote:
> Yes. Phpinfo() tells me it's ok:
>
> pgsql
> PostgreSQL Support enabled
> PostgreSQL(libpq) Version  8.4.4
> Multibyte character support  disabled
> SSL support  enabled
> Active Persistent Links  0
> Active Links  0
>
> Directive Local Value Master Value
> pgsql.allow_persistent On On
> pgsql.auto_reset_persistent Off Off
> pgsql.ignore_notice Off Off
> pgsql.log_notice Off Off
> pgsql.max_links Unlimited Unlimited
> pgsql.max_persistent Unlimited Unlimited
>
> My PHP version is 5.3.2.
> My PostgreSQL version is 8.4.4 and I'm running the server under the restricted
> 'postgres' user privileges since I can't run the daemon process as 'root'.
>
> Thank you for some help.




Re: [PHP] How to get input from socket client

2010-05-20 Thread Ryan Sun
Thanks for your reply

> First, I don't think feof() will do what you think it does. I
> wouldn't expect it to show up until after the other end has actually
> closed the connection.

I found unread_bytes in stream_get_meta_data should be more reliable

> TCP is a stream protocol, there
> are no guarantees about delivering a complete message in one read, or
> that two writes won't be read together. It only guarantees that all
> octets will eventually be delivered in the same order they were sent, or
> you will get an error.

thanks 4 pointing out the difference between tcp and udp, I had learnt a lot ^^

>The other problem has to do with thinking an fread() will always give
>you everything you sent in an fwrite()
Interestingly, I use 'telnet 127.0.0.1 1037' for testing later(on
windows) and everything works, the php server got the input from
telnet client, so I assume there is something wrong in the php client,
the fwrite statement...




[PHP] Re: [GENERAL] [PHP] Some undefined function errors

2010-05-20 Thread Ketema Harris
you might want to also check your architecture flags for your compiler.

i ran into this problem on a mac when I was compiling php and by default it 
tries to make a 32 bit and 64 bit binary, but pg was compiled as 64 bit only.  
I found that the php compile did not fail, but i was "missing" some functions 
just like you.  when I recompiled php only 64 bit everything was picked up.

I found that watching the configure output gave indication as to whether or not 
certain functions will be picked up:

PQescapeString
PQunescapeBytea
PQsetnonblocking
PQcmdTuples 
PQoidValue 
PQclientEncoding 
PQparameterStatus 
PQprotocolVersion 
PQtransactionStatus 
PQexecParams 
PQprepare 
PQexecPrepared 
PQresultErrorField 
PQsendQueryParams 
PQsendPrepare 
PQsendQueryPrepared 
PQputCopyData 
PQputCopyEnd 
PQgetCopyData 
PQfreemem 
PQsetErrorVerbosity 
PQftable 
PQescapeStringConn 
PQescapeByteaConn 
pg_encoding_to_char 

If you see these things set to NO even after PostgreSQL support says yes, then 
you know you won't be getting all the functions.


Ketema J. Harris
ket...@ketema.net
ket...@jabber.ketema.net (Jabber)
http://www.ketema.net
ket...@voip.ketema.net  - VoIP
407-459-4809- main
603-413-2882- fax

On May 20, 2010, at 12:26 PM, Ashley Sheridan wrote:

> On Thu, 2010-05-20 at 09:21 -0700, Giancarlo Boaron wrote:
>> 
>> Hi Jim.
>> 
>> I think it depends on each server configuration but I checked in my server 
>> and I don't have the 'pgsql.so' and 'psql.ini' files and neither the 'www' 
>> directory.
>> 
>> My Apache version is 2.2.15 and my root directory is 
>> /usr/local/apache2/htdocs.
>> 
>> Thank you.
>> 
>> 
>> --- On Thu, 20/5/10, Jim Lucas  wrote:
>> 
>> > From: Jim Lucas 
>> > Subject: Re: [PHP] Some undefined function errors
>> > To: "Giancarlo Boaron" 
>> > Cc: pgsql-gene...@postgresql.org, php-general@lists.php.net, 
>> > pgsql-nov...@postgresql.org
>> > Date: Thursday, 20 May 2010, 13:04
>> > Giancarlo Boaron wrote:
>> > > Hi all.
>> > > 
>> > > Recently, I wrote an email about the problem I was
>> > having with some Postgres functions that when those
>> > functions were called, I received the following error: "Call
>> > to undefined function ".
>> > > 
>> > > After some answers, I decided to rebuild a brand new
>> > linux virtual machine with Apache + PHP + Postgres, but I
>> > still get this annoying error message with some functions
>> > like pg_prepare() and pg_escape_string().
>> > > 
>> > > I compiled Postgres with --without-readline option.
>> > > I compiled PHP with
>> > --with-apxs2=/usr/local/apache2/bin/apxs and
>> > --with-pgsql=/usr/local/pgsql/
>> > > 
>> > > And the compilation process has no errors.
>> > > 
>> > > What am I doing wrong? Do I have to change something
>> > in php_config.h file? If so, what do I have to change?
>> > > 
>> > > Thank you.
>> > > 
>> > > 
>> > >   
>> > > 
>> > 
>> > Depending on what version of apache you are running, you
>> > need to make sure that
>> > you are loading the pgsql.so file or have the psql.ini file
>> > in your
>> > /var/www/conf/php5/ directory.
>> > 
>> > This way it knows to load pg.
>> > 
>> > -- 
>> > Jim Lucas
>> > 
>> >"Some men are born to greatness, some
>> > achieve greatness,
>> >and some have greatness
>> > thrust upon them."
>> > 
>> > Twelfth Night, Act II, Scene V
>> > by William Shakespeare
>> > 
>> 
>> 
>>   
>> 
> 
> I've generally found these sorts of things to be in /etc/php, /etc/php5 or 
> something similar. Within /etc you should see directories for both Apache and 
> PHP. If you have shell access to the machine, try calling a whereis command, 
> which might give you a better idea of where things are kept in your system.
> 
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
> 
> 



[PHP] Re: PDO don't know which is mysql server charset?

2010-05-20 Thread cleverpig
But if I use PDO's query function, everything is all right without setting the charset:
$result=$myPDO->query("SELECT * FROM guests ORDER BY lname,fname");
while($row=$result->fetch(PDO::FETCH_ASSOC)){
echo $row["fname"]." ". $row["lname"];
}

2010/5/21 cleverpig :
> hi, everybody!
>
> I encountered a problem using PDO:
> My mysql charset is utf-8; when using PDO's prepare() and the statement's
> execute() methods,
> the resultset does not have the correct encoding:
> $statement = $pdo->prepare("SELECT * FROM guests ORDER BY ?");
> $statement->execute(array('lname'));
> while ($row = $statement->fetch(PDO::FETCH_ASSOC)) {
>     echo $row['fname'] . "" . $row['lname'];
> }
>
> But when I set charset_set_results to gbk, everything was normal:
> $pdo->exec('SET character_set_results = gbk');
>
> If PDO doesn't know which charset fits me, will it use the default
> charset (utf-8)? This really is the mysql server charset!
>
> Can anybody help me? Thanks!
>
> PS: I am using wamp (php5.3.1)
>
> --
> cleverpig(Dan)
> Location: Beijing
> Address: Room 4018,No.A2 South Avenue Fuxingmen Beijing,P.R.China
> Zipcode: 100031
> MSN: great_liu...@hotmail.com
> QQ: 149291732
> Skype: cleverpigatmatrix
> Facebook ID:cleverpig
> Blog: cleverpig.name/dan/
> Tags: del.icio.us/cleverpig
> Twitter: twitter.com/cleverpig
> Sina Weibo: t.sina.com.cn/cleverpig
> Organization: www.beijing-open-party.org
> or...@facebook: http://www.facebook.com/group.php?gid=8159558294
>



-- 
cleverpig(Dan)
Location: Beijing
Address: Room 4018,No.A2 South Avenue Fuxingmen Beijing,P.R.China
Zipcode: 100031
MSN: great_liu...@hotmail.com
QQ: 149291732
Skype: cleverpigatmatrix
Facebook ID:cleverpig
Blog: cleverpig.name/dan/
Tags: del.icio.us/cleverpig
Twitter: twitter.com/cleverpig
Sina Weibo: t.sina.com.cn/cleverpig
Organization: www.beijing-open-party.org
or...@facebook: http://www.facebook.com/group.php?gid=8159558294
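
The prepared statement in the quoted post binds 'lname' to a placeholder in ORDER BY. Placeholders carry values, not identifiers, so a sort column has to come from an allow-list. The sketch below is an added example, not code from the thread; it assumes an in-memory SQLite database, constructed rows and a hypothetical guestOrderColumn() helper, and it does not address the charset question.

```php
<?php
// Added example, not code from the thread. In-memory SQLite and constructed
// sample rows are used so the script runs without a MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE guests (fname TEXT, lname TEXT)');

$insert = $pdo->prepare('INSERT INTO guests (fname, lname) VALUES (?, ?)');
$rows = array(array('Wei', 'Zhang'), array('Ana', 'Lopez'), array('Bob', 'Adams'));
foreach ($rows as $guest) {
    $insert->execute($guest);
}

// Hypothetical helper: translate a caller-supplied sort key into a column name
// that is hard-coded here. Anything outside the allow-list gets the default.
function guestOrderColumn($requested)
{
    $allowed = array('fname' => 'fname', 'lname' => 'lname');
    return isset($allowed[$requested]) ? $allowed[$requested] : 'lname';
}

// 1) Placeholder in ORDER BY: 'lname' is bound as a string value, so every row
//    has the same sort key and the lname column is never consulted.
$bound = $pdo->prepare('SELECT fname, lname FROM guests ORDER BY ?');
$bound->execute(array('lname'));
$byPlaceholder = $bound->fetchAll(PDO::FETCH_ASSOC);

// 2) Allow-listed identifier placed in the SQL text; values are still bound.
//    The unknown key below is rejected and the default column is used.
$column = guestOrderColumn('no_such_column');
$listed = $pdo->prepare("SELECT fname, lname FROM guests WHERE lname <> ? ORDER BY $column");
$listed->execute(array(''));
$byAllowList = $listed->fetchAll(PDO::FETCH_ASSOC);

// Print both result sets for comparison.
foreach (array('placeholder' => $byPlaceholder, 'allow-list' => $byAllowList) as $label => $set) {
    echo $label, ":\n";
    foreach ($set as $row) {
        echo '  ', $row['fname'], ' ', $row['lname'], "\n";
    }
}
```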




Re: [PHP] Brandon Rampersad wants to chat

2010-05-20 Thread Jochen Schultz

You are inviting the whole general list at once?

"Powerful spam protection" doesn't work for outgoing mails?


Brandon Rampersad wrote:

---

Brandon Rampersad wants to stay in better touch using some of Google's
coolest new
products.

If you already have Gmail or Google Talk, visit:
http://mail.google.com/mail/b-b89a7a894d-04fb7fdbad-NeHRsydO6kBsIkVOT8hXbjPA1ZU
You'll need to click this link to be able to chat with Brandon Rampersad.

To get Gmail - a free email account from Google with over 2,800 megabytes of
storage - and chat with Brandon Rampersad, visit:
http://mail.google.com/mail/a-b89a7a894d-04fb7fdbad-NeHRsydO6kBsIkVOT8hXbjPA1ZU

Gmail offers:
- Instant messaging right inside Gmail
- Powerful spam protection
- Built-in search for finding your messages and a helpful way of organizing
  emails into "conversations"
- No pop-up ads or untargeted banners - just text ads and related information
  that are relevant to the content of your messages

All this, and it's yours for free. But wait, there's more! By opening a Gmail
account, you also get access to Google Talk, Google's instant messaging
service:

http://www.google.com/talk/

Google Talk offers:
- Web-based chat that you can use anywhere, without a download
- A contact list that's synchronized with your Gmail account
- Free, high quality PC-to-PC voice calls when you download the Google Talk
  client

We're working hard to add new features and make improvements, so we might also
ask for your comments and suggestions periodically. We appreciate your help in
making our products even better!

Thanks,
The Google Team

To learn more about Gmail and Google Talk, visit:
http://mail.google.com/mail/help/about.html
http://www.google.com/talk/about.html

(If clicking the URLs in this message does not work, copy and paste them into
the address bar of your browser).



--
 Sport Import GmbH   - Amtsgericht Oldenburg  - Tel:   +49-4405-9280-63
 Industriestrasse 39 - HRB 1202900-
 26188 Edewecht  - GF: Michael Müllmann
