Re: [PHP] Re: need some regex help to strip out // comments but not http:// urls

2013-05-30 Thread Sebastian Krebs
2013/5/29 Matijn Woudt 

>
>
> On Wed, May 29, 2013 at 10:51 PM, Sebastian Krebs wrote:
>
>>
>>
>>
>> 2013/5/29 Matijn Woudt 
>>
>>> On Wed, May 29, 2013 at 6:08 PM, Sean Greenslade wrote:
>>>
>>> > On Wed, May 29, 2013 at 9:57 AM, Jonesy  wrote:
>>> > > On Tue, 28 May 2013 14:17:06 -0700, Daevid Vincent wrote:
>>> > >> I'm adding some minification to our cache.class.php and am running into an
>>> > >> edge case that is causing me grief.
>>> > >>
>>> > >> I want to remove all comments of the // variety, HOWEVER I don't want to
>>> > >> remove URLs...
>>> > >
>>> > > KISS.
>>> > >
>>> > > To make it simple, straight-forward, and understandable next year when I
>>> > > have to re-read what I've written:
>>> > >
>>> > > I'd change all "://" to "QqQ"  -- or any unlikely text string.
>>> > >
>>> > > Then I'd do whatever needs to be done to the "//" occurrences.
>>> > >
>>> > > Finally, I'd change all "QqQ" back to "://".
>>> > >
>>> > > Jonesy
>>> >
>>> > Wow. This is just a spectacularly bad suggestion.
>>> >
>>> > First off, this task is probably a bit beyond the capabilities of a
>>> > regex. Yes, you may be able to come up with something that works 99%
>>> > of the time, but this is really a job for a parser of some sort. I'm
>>> > sorry I don't have any suggestions on exactly where to go with that,
>>> > however I'm sure Google can be of assistance. The main problem is that
>>> > regex doesn't understand context. It just blindly finds patterns. A
>>> > parser understands context, and can figure out which //'s are comments
>>> > and which are something else. As a bonus, it can probably understand
>>> > other forms of comments like /* */, which regex would completely die
>>> > on.
>>> >
>>> >
>>> It is possible to write a whole parser as a single regex, being it terribly
>>> long and complex.
>>>
>>
>> No, it isn't.
>>
>
>
> It's better if you throw some smart words on the screen if you want to
> convince someone. Just thinking about it, it makes sense as a true regular
> expression can only describe a regular language, and I think all the
> programming languages are not regular languages.
> But, We have PHP PCRE with extensions like Recursive patterns[1] and Back
> references[2], which can describe much more than just a regular language.
> And I do believe it would be able to handle it.
> Too bad it probably takes months to complete a regular expression like
> this.
>

Then you start as soon as possible, so that you do not realize that this is
wrong when it is too late. I am not going to start explaining this again,
because it becomes a waste of time. You call it "smart words on the
screen", I call it "advice".


> - Matijn
>
> [1] http://php.net/manual/en/regexp.reference.recursive.php
> [2] http://php.net/manual/en/regexp.reference.back-references.php
>



-- 
github.com/KingCrunch


[PHP] Include/Require limit?

2013-05-30 Thread Julian Wanke

Hi,

I use the pretty large Library PHP Image Workshop  
(http://phpimageworkshop.com/) at my project. It is about 75,5 KB.   
Everything works fine but if I try to include a 15 KB file with country  
codes, it fails.
With the other files I easily get over 100 KB inclusion size, so my  
question;

Is there a size limitation for include?

Best regards

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Include/Require limit?

2013-05-30 Thread Julian Wanke

Hi,

it outputs a corrupt image (I think the function imagepng)

On 30.05.2013, 11:17, Alex Pojarsky wrote:

> Hey.
>
> Afaik - only in case if your PHP process instance exceeds allowed memory limit.
> Other than this - explain how does it fail exactly. Any error messages? Erroneous behavior?
>
> On Thu, May 30, 2013 at 12:49 PM, Julian Wanke wrote:
>> Hi,
>>
>> I use the pretty large Library PHP Image Workshop (http://phpimageworkshop.com/) at my project. It is about 75,5 KB.  Everything works fine but if I try to include a 15 KB file with country codes, it fails.
>>
>> With the other files I easily get over 100 KB inclusion size, so my question;
>> Is there a size limitation for include?
>>
>> Best regards

-- Created with Opera's e-mail module: http://www.opera.com/mail/

[PHP] Re: Include/Require limit?

2013-05-30 Thread David Robley
"Julian Wanke" wrote:

> Hi,
> 
> I use the pretty large Library PHP Image Workshop
> (http://phpimageworkshop.com/) at my project. It is about 75,5 KB.
> Everything works fine but if I try to include a 15 KB file with country
> codes, it fails.
> With the other files I easily get over 100 KB inclusion size, so my
> question;
> Is there a size limitation for include?
> 
> Best regards


Do you get an error message? Try removing the header() in the image output 
and see what happens.

-- 
Cheers
David Robley

PARANOID:Paying MORE for Surge-Protectors than Computers




Re: [PHP] Re: limit access to php page

2013-05-30 Thread Jim Giner

On 5/29/2013 9:38 PM, tamouse mailing lists wrote:

> Okay, first off, your application *has* to have some entry point that
> *is* accessible to a browser; otherwise nothing will find it.



Once again - I was wrong in my suggestion as Ashley has pointed out so 
correctly.  Had to test it out this morning only to discover that I had 
never done quite that kind of Header redirect before.


So - the include method still works, as would the single script 
'controller' method.  Within a php script any file is accessible (within 
your domain at least) and may therefore be included and executed.  On 
the other hand, if you must have the target script in your 
web-accessible tree, simply establish some kind of security handler and 
add logic to your page(s) to check permissions before displaying 
anything.  This handler could be based upon session vars, cookies, db 
entries (my pref).  Once established it can be a universal addition to 
any and all of your appls.


My personal method is to create a db table containing an appl name, page 
name, and a non-unique security level (I use an integer).  Then have an 
admin screen for creating userids for an appl with multiple recs each 
containing a security level for that user for that appl. Then have a 
signon method that validates credentials and builds a session array 
containing all the user's security levels.  In every page that I want 
secured, I call a function with that script's internal pagename and appl 
name and confirm that the page's sec level is contained in the user's 
session array.  I also have a master level (99) that if present gives 
global access for myself as administrator.  There's a bit more to it, 
but that's my security method.




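
The per-page check described in the message above, as an added example that is not the poster's code. Table names, column names, sample users and pages are constructed, an in-memory SQLite database (pdo_sqlite) stands in for the real one, and the master level is applied per application as an assumption.

```php
<?php
declare(strict_types=1);

const MASTER_LEVEL = 99; // the global-access level named in the post

// Constructed schema and rows; all names here are assumptions.
function build_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE page_levels (appl TEXT, page TEXT, level INTEGER,
               PRIMARY KEY (appl, page))');
    $db->exec('CREATE TABLE user_levels (userid TEXT, appl TEXT, level INTEGER)');
    $db->exec("INSERT INTO page_levels VALUES
               ('billing', 'invoice_list', 10), ('billing', 'refund', 40)");
    $db->exec("INSERT INTO user_levels VALUES
               ('alice', 'billing', 10), ('alice', 'billing', 40),
               ('bob', 'billing', 10), ('admin', 'billing', 99)");
    return $db;
}

// Run once at sign-on, after the credentials have been verified.
function load_user_levels(PDO $db, string $userid): array
{
    $stmt = $db->prepare('SELECT appl, level FROM user_levels WHERE userid = ?');
    $stmt->execute([$userid]);
    $levels = [];
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $levels[$row['appl']][] = (int) $row['level'];
    }
    return $levels;
}

// Called at the top of every protected page. Anything not granted is denied.
function page_allowed(PDO $db, array $session, string $appl, string $page): bool
{
    $held = $session['levels'][$appl] ?? [];
    if (in_array(MASTER_LEVEL, $held, true)) {
        return true;
    }
    $stmt = $db->prepare('SELECT level FROM page_levels WHERE appl = ? AND page = ?');
    $stmt->execute([$appl, $page]);
    $required = $stmt->fetchColumn();
    if ($required === false) {
        return false; // page was never registered: deny rather than allow
    }
    return in_array((int) $required, $held, true);
}

$db = build_demo_db();
foreach (['alice', 'bob', 'admin', 'mallory'] as $user) {
    $session = ['levels' => load_user_levels($db, $user)]; // stand-in for $_SESSION
    foreach (['invoice_list', 'refund', 'unlisted'] as $page) {
        printf("%-8s %-13s %s\n", $user, $page,
            page_allowed($db, $session, 'billing', $page) ? 'allow' : 'deny');
    }
}
```

Because the levels are cached in the session at sign-on, a revoked level only takes effect at the user's next sign-on unless the page check reloads them.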



Re: [PHP] Re: limit access to php page

2013-05-30 Thread tamouse mailing lists
On May 30, 2013 8:10 AM, "Jim Giner"  wrote:
>
> On 5/29/2013 9:38 PM, tamouse mailing lists wrote:
>
>>
>> Okay, first off, your application *has* to have some entry point that
>> *is* accessible to a browser; otherwise nothing will find it.
>>
>
> Once again - I was wrong in my suggestion as Ashley has pointed out so
> correctly.  Had to test it out this morning only to discover that I had
> never done quite that kind of Header redirect before.
>
> So - the include method still works, as would the single script
> 'controller' method.  Within a php script any file is accessible (within
> your domain at least) and may therefore be included and executed.

I want to throw in a caveat here, and that is the open_basedir directive,
which limits where you can include files from.

> On the other hand, if you must have the target script in your
> web-accessible tree, simply establish some kind of security handler and add
> logic to your page(s) to check permissions before displaying anything.
> This handler could be based upon session vars, cookies, db entries (my
> pref).  Once established it can be a universal addition to any and all of
> your appls.
>
> My personal method is to create a db table containing an appl name, page
> name, and a non-unique security level (I use an integer).  Then have an
> admin screen for creating userids for an appl with multiple recs each
> containing a security level for that user for that appl. Then have a signon
> method that validates credentials and builds a session array containing all
> the user's security levels.  In every page that I want secured, I call a
> function with that script's internal pagename and appl name and confirm
> that the page's sec level is contained in the user's session array.  I also
> have a master level (99) that if present gives global access for myself as
> administrator.  There's a bit more to it, but that's my security method.


Re: [PHP] Re: limit access to php page

2013-05-30 Thread Jim Giner

On 5/30/2013 10:22 AM, tamouse mailing lists wrote:

>> So - the include method still works, as would the single script
>> 'controller' method.  Within a php script any file is accessible (within
>> your domain at least) and may therefore be included and executed.
>
> I want to throw in a caveat here, and that is the open_basedir directive,
> which limits where you can include files from.

Once again - an additional truth provided.  In my case, upon checking I 
see that setting was provided by my hoster and was set to null, so I was 
never aware of a possible restriction.





Re: [PHP] Re: need some regex help to strip out // comments but not http:// urls

2013-05-30 Thread David Harkness
On Wed, May 29, 2013 at 10:20 AM, Matijn Woudt  wrote:

> It is possible to write a whole parser as a single regex, being it terribly
> long and complex.
>

While regular expressions are often used in the lexer--the part that scans
the input stream and breaks it up into meaningful tokens like

{ keyword: "function" }
{ operator: "+" }

and

{ identifier: "$foo" }

that form the building blocks of the language--they aren't combined into a
single expression. Instead, a lexer generator is used to build a state
machine that switches the active expressions to check based on the previous
tokens and context. Each expression recognizes a different type of token,
and many times these aren't even regular expressions.

The second stage--combining tokens based on the rules of the grammar--is
more complex and beyond the abilities of regular expressions. There are
plenty of books on the subject and tools [1] to build the pieces such as
Lex, Yacc, Flex, and Bison. Someone even asked this question on Stack
Overflow [2] a few years ago. And I'm sure if you look you can find someone
that did a masters thesis proving that regular expressions cannot handle a
context-free grammar. And finally I leave you with Jeff Atwood's article
about (not) parsing HTML with regex. [3]

Peace,
David

[1] http://dinosaur.compilertools.net/
[2]
http://stackoverflow.com/questions/3487089/are-regular-expressions-used-to-build-parsers
[3]
http://www.codinghorror.com/blog/2009/11/parsing-html-the-cthulhu-way.html


Re: [PHP] limit access to php page

2013-05-30 Thread Tedd Sperling
On May 29, 2013, at 11:05 PM, Paul M Foster  wrote:
>> http://sperling.com/php/authorization/log-on.php
> 
> I realize this is example code.
> 
> My question is, in a real application where that $_SESSION['auth'] token
> would be used subsequently to gain entry to other pages, what would you
> use instead of the simple TRUE/FALSE value? It seems that someone (with
> far more knowledge of hacking than I have) could rather easily hack the
> session value to change its value. But then again, I pretty much suck
> when it comes to working out how you'd "hack" (crack) things.
> 
> Paul

Paul:

While the above link may be example code, it is still sound for production.

Keep in mind that everything in security comes down to a true/false condition. 
Do you let the person in or not!

Certainly there are attacks on session ids and one must deal with that. But 
that's the level of security we have today.

I could go through all the things you need to consider in protecting your 
session id (e.g., not accessing your bank accounts while having coffee at 
StartBucks) but that would defeat the purpose of attending one of my classes on 
the subject. :-)

If you are very concerned about security, then jump to a https protocol for 
those transactions; change session ids frequently; monitor the user's local 
environmental changes; time the session, and do a bunch of other stuff that 
will make it more and more difficult for your user to use your service. But for 
*most things* using a session id will  keep things relatively safe.

Cheers,

tedd

_
tedd.sperl...@gmail.com
http://sperling.com

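
The measures listed in the message above (https-only cookie, changing the session id, timing the session, watching for a changed client), as an added example that is not the code behind the linked log-on page. The `auth` flag itself is held in server-side session storage and the browser holds only the session id, so every check here protects the id. The limits, the array keys and the use of the User-Agent header as the "environment" signal are assumptions.

```php
<?php
declare(strict_types=1);

const IDLE_LIMIT   = 900; // seconds of inactivity allowed (assumed value)
const ROTATE_EVERY = 300; // seconds between session id changes (assumed value)

// Web entry point: call before any output. Not called by the CLI demo below.
function start_hardened_session(): void
{
    ini_set('session.use_strict_mode', '1'); // refuse ids the server never issued
    session_set_cookie_params([
        'secure'   => true,  // cookie travels over https only
        'httponly' => true,  // hidden from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

function rotate_id(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // issue a new id, delete the old session
    }
}

// Call once the credentials have been verified.
function on_login(array &$s, string $userAgent, int $now): void
{
    rotate_id(); // a fresh id at login makes a pre-planted (fixated) id useless
    $s = ['auth' => true, 'ua' => $userAgent, 'seen' => $now, 'rotated' => $now];
}

// Call at the top of every protected page; false means "send to log-on".
function guard(array &$s, string $userAgent, int $now): bool
{
    if (($s['auth'] ?? false) !== true) {
        return false;
    }
    if ($now - $s['seen'] > IDLE_LIMIT || $s['ua'] !== $userAgent) {
        $s = []; // timed out or client changed: drop all auth state
        return false;
    }
    if ($now - $s['rotated'] > ROTATE_EVERY) {
        rotate_id();
        $s['rotated'] = $now;
    }
    $s['seen'] = $now;
    return true;
}

// Constructed walk-through; $s stands in for $_SESSION so it runs from the CLI.
$s = [];
$t0 = 1369929600;
on_login($s, 'Browser/1.0', $t0);
$steps = [
    ['Browser/1.0', 60,  'same client, shortly after login'],
    ['Browser/1.0', 400, 'past ROTATE_EVERY'],
    ['Other/2.0',   420, 'user agent changed'],
    ['Browser/1.0', 430, 'after the state was dropped'],
];
foreach ($steps as [$ua, $offset, $label]) {
    printf("%-34s %s\n", $label, guard($s, $ua, $t0 + $offset) ? 'allow' : 'deny');
}
```

In a web request the calls would be `on_login($_SESSION, $_SERVER['HTTP_USER_AGENT'] ?? '', time())` and the matching `guard(...)`, after `start_hardened_session()`.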



Re: [PHP] limit access to php page

2013-05-30 Thread Paul M Foster
On Thu, May 30, 2013 at 12:06:02PM -0400, Tedd Sperling wrote:

> On May 29, 2013, at 11:05 PM, Paul M Foster 
> wrote:
> >> http://sperling.com/php/authorization/log-on.php
> > 
> > I realize this is example code.
> > 
> > My question is, in a real application where that $_SESSION['auth']
> > token would be used subsequently to gain entry to other pages, what
> > would you use instead of the simple TRUE/FALSE value? It seems that
> > someone (with far more knowledge of hacking than I have) could
> > rather easily hack the session value to change its value. But then
> > again, I pretty much suck when it comes to working out how you'd
> > "hack" (crack) things.
> > 
> > Paul
> 
> Paul:
> 
> While the above link may be example code, it is still sound for
> production.
> 
> Keep in mind that everything in security comes down to a true/false
> condition. Do you let the person in or not!
> 
> Certainly there are attacks on session ids and one must deal with
> that. But that's the level of security we have today.
> 
> I could go through all the things you need to consider in protecting
> your session id (e.g., not accessing your bank accounts while having
> coffee at StartBucks) but that would defeat the purpose of attending
> one of my classes on the subject. :-)

Yep, next time I'm up at the North Pole, I'll drop in and see you.
Meantime, the beach is heating up. Better go get some more ice for my
margueritas. [grin]

Paul

-- 
Paul M. Foster
http://noferblatz.com
http://quillandmouse.com




[PHP] Looking for a good working PDO and/or mysqli database class to get started with OOP

2013-05-30 Thread dealTek
Hi all, Thanks for your help...

I'm looking for a very good, pre made, working PDO and/or mysqli database class 
(in a wrapper) - to get started with, that has all the basic needs like UPDATE 
- INSERT - DELETE - QUERY etc. That would be very helpful. I'm also trying to 
learn OOP, and creating my own class to start out is over my head, so one that 
is recommended here would be a good start. 

There are many examples on the net - The problem is that commenters often have 
issues with the code, and as a beginner in this area - these issues are 
sometimes over my head and it would be best for me if someone could recommend a 
good working standard model to start.


Q: DOES ANYONE HAVE ANY OPINIONS ON THE ONES BELOW?

- - - - - MySQLi

https://github.com/ajillion/PHP-MySQLi-Database-Class

http://www.phpclasses.org/package/2359-PHP-MySQL-database-wrapper-using-MySQLi-extension.html

http://snipplr.com/view/22992/

Jeffrey Way...
http://forrst.com/posts/Mysqli_Database_Class-hxb

http://www.dotred.be/blog/database-classes-for-mysql-mysqli-and-mssql/

- - - - - PDO

Jeffrey Way - some issues here in comments
http://net.tutsplus.com/tutorials/php/php-database-access-are-you-doing-it-correctly/

http://www.phpclasses.org/package/7533-PHP-Access-SQL-databases-using-PDO.html

http://www.doctrine-project.org/projects/dbal.html

http://pear.php.net/package/MDB2


--
Thanks,
Dave - DealTek
deal...@gmail.com
[db-3]



Re: [PHP] Looking for a good working PDO and/or mysqli database class to get started with OOP

2013-05-30 Thread Stephen

On 13-05-30 09:36 PM, dealTek wrote:

> Hi all, Thanks for your help...
>
> I'm looking for a very good, pre made, working PDO and/or mysqli database class
> (in a wrapper) - to get started with, that has all the basic needs like UPDATE
> - INSERT - DELETE - QUERY etc. That would be very helpful. I'm also trying to
> learn OOP, and creating my own class to start out is over my head, so one that
> is recommended here would be a good start.

Hmmm.  PDO   **IS** an OOP implementation. Why would you want to 
encapsulate it?


Accessing a database requires SQL with arguments dependant on YOUR 
database schema.


You have to do that work; there is no way around it.

--
Stephen





Re: [PHP] Looking for a good working PDO and/or mysqli database class to get started with OOP

2013-05-30 Thread tamouse mailing lists
On Thu, May 30, 2013 at 8:45 PM, Stephen  wrote:
> On 13-05-30 09:36 PM, dealTek wrote:
>>
>> Hi all, Thanks for your help...
>>
>> I'm looking for a very good, pre made, working PDO and/or mysqli database
>> class (in a wrapper) - to get started with, that has all the basic needs
>> like UPDATE - INSERT - DELETE - QUERY etc. That would be very helpful. I'm
>> also trying to learn OOP, and creating my own class to start out is over my
>> head, so one that is recommended here would be a good start.
>>
> Hmmm.  PDO   **IS** an OOP implementation. Why would you want to
> encapsulate it?
>
> Accessing a database requires SQL with arguments dependant on YOUR database
> schema.
>
> You have to do that work; there is no way around it.

Sounds like the OP is asking for a pre-built CRUD interface that
adapts to his tables and their relationships. It's a fair question,
just one I don't have an answer to. There must be some kind of ORM for
PHP?




Re: [PHP] Looking for a good working PDO and/or mysqli database class to get started with OOP

2013-05-30 Thread Bastien


Bastien Koert

On 2013-05-30, at 10:30 PM, tamouse mailing lists  
wrote:

> On Thu, May 30, 2013 at 8:45 PM, Stephen  wrote:
>> On 13-05-30 09:36 PM, dealTek wrote:
>>> 
>>> Hi all, Thanks for your help...
>>> 
>>> I'm looking for a very good, pre made, working PDO and/or mysqli database
>>> class (in a wrapper) - to get started with, that has all the basic needs
>>> like UPDATE - INSERT - DELETE - QUERY etc. That would be very helpful. I'm
>>> also trying to learn OOP, and creating my own class to start out is over my
>>> head, so one that is recommended here would be a good start.
>> Hmmm.  PDO   **IS** an OOP implementation. Why would you want to
>> encapsulate it?
>> 
>> Accessing a database requires SQL with arguments dependant on YOUR database
>> schema.
>> 
>> You have to do that work; there is no way around it.
> 
> Sounds like the OP is asking for a pre-built CRUD interface that
> adapts to his tables and their relationships. It's a fair question,
> just one I don't have an answer to. There must be some kind of ORM for
> PHP?

Propel? Eloquent? Doctrine?

And others ...

Bastien



[PHP] mcrypt_create_iv - why so slow?

2013-05-30 Thread Nathan Nobbe
Hi folks,

This code:



[PHP] Re: mcrypt_create_iv - why so slow?

2013-05-30 Thread Nathan Nobbe
Interesting, using MCRYPT_DEV_URANDOM instead of MCRYPT_DEV_RANDOM seems
practically instantaneous.

Another less elegant solution I've found is to simply str_pad to the length
returned by mcrypt_get_iv_size.

Still begs the question though, any idea what's holding up the show w/
MCRYPT_DEV_RANDOM?  #morbidcuriosity

-nathan


On Fri, May 31, 2013 at 12:40 AM, Nathan Nobbe wrote:

> Hi folks,
>
> This code:
>
>  $iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256,
> MCRYPT_MODE_CBC), MCRYPT_DEV_RANDOM);
> var_dump($iv);
>
> Takes just over a minute to run on my laptop and roughly 45 seconds on a
> capable server, any idea why?
>
> time php test-iv.php
> string(32) "'???H??y?PJ?U?1O;6???ѧ"
>
> real 0m44.917s
> user 0m0.024s
> sys 0m0.036s
>
> Also, I've noticed the mcrypt_encrypt & mcrypt_decrypt complain with
>
> The IV parameter must be as long as the blocksize
>
> when not using mcrypt_create_iv, however, if the value of the IV parameter
> is consistent in both calls, the decryption seems to succeed despite the
> warning.
>
> So wondering:
> * can the call to mcrypt_create_iv be sped up
> * is there an alternative (faster) way to create a proper iv
> * how big a risk is it to 'ride dirty' here and not use mcrypt_create_iv
>
> thanks,
>
> -nathan
>
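
On the three questions in the quoted message, an added example that is not code from the thread: MCRYPT_DEV_RANDOM reads /dev/random, which on Linux kernels of that period blocks while the entropy estimate is low, whereas MCRYPT_DEV_URANDOM does not block. The block below shows a non-blocking way to get a proper IV and what a constant, padded IV gives away in CBC mode. It assumes the OpenSSL extension and `random_bytes()` (mcrypt was removed from PHP core in 7.2), uses AES-256-CBC with its 16-byte IV in place of MCRYPT_RIJNDAEL_256, and the messages are constructed.

```php
<?php
declare(strict_types=1);

const CIPHER = 'aes-256-cbc'; // assumption: stands in for the thread's mcrypt cipher

function cbc_encrypt(string $plain, string $key, string $iv): string
{
    $ct = openssl_encrypt($plain, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $ct;
}

// Fresh IV from the OS CSPRNG for every message, stored in front of the ciphertext.
// The IV is not secret, only unpredictable. CBC alone gives no integrity check.
function encrypt_message(string $plain, string $key): string
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    return $iv . cbc_encrypt($plain, $key, $iv);
}

function decrypt_message(string $blob, string $key): string
{
    $n = openssl_cipher_iv_length(CIPHER);
    if (strlen($blob) <= $n) {
        throw new InvalidArgumentException('message too short');
    }
    $plain = openssl_decrypt(substr($blob, $n), CIPHER, $key,
                             OPENSSL_RAW_DATA, substr($blob, 0, $n));
    if ($plain === false) {
        throw new RuntimeException('decryption failed');
    }
    return $plain;
}

// Constructed inputs: two messages that share their first 16-byte block.
$key = random_bytes(32);
$a = 'account=1001;amount=25.00;memo=rent';
$b = 'account=1001;amount=25.00;memo=gift';

// The shortcut from the thread: a constant value padded to the IV length.
$fixedIv = str_pad('', openssl_cipher_iv_length(CIPHER), "\0");
$sameFixed = substr(cbc_encrypt($a, $key, $fixedIv), 0, 16)
         === substr(cbc_encrypt($b, $key, $fixedIv), 0, 16);

// Same comparison with a fresh IV per message (skip the 16-byte IV prefix).
$sameFresh = substr(encrypt_message($a, $key), 16, 16)
         === substr(encrypt_message($b, $key), 16, 16);

printf("constant IV, first block repeats: %s\n", $sameFixed ? 'yes' : 'no');
printf("fresh IV, first block repeats:    %s\n", $sameFresh ? 'yes' : 'no');
printf("round trip ok:                     %s\n",
    decrypt_message(encrypt_message($a, $key), $key) === $a ? 'yes' : 'no');
```

With a constant IV, anyone who can see the ciphertexts can tell which messages begin with the same data, which is why decryption "working" with a padded IV says nothing about whether it is safe.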