no one should be talking about "performance" and
"reading from the database every time" in the same sentence.
Chris
--
Chris Shiflett
http://shiflett.org/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
does
it
not and is it actually vulnerable to maliciously encoded input?
My guess would be that it doesn't cope. :-) I never use strip_tags(),
so someone else might be able to offer a much better answer.
Hope that helps, and thanks for the discussion.
Chris
--
Chris Shiflett
On Oct 17, 2008, at 1:58 PM, Lamp Lists wrote:
I'm reading "Essential PHP Security" by Chris Shiflett.
At the very beginning, pages 5 & 6, if I got it correct, he said this
is not good:
$search = isset($_GET['search']) ? $_GET['search'] : '
publisher
(O'Reilly, Sams, etc.), and based on the fact that Richard said he has a
lot of experience in this industry, I suspect his estimate was spot on.
You're right, though, it's difficult to get any return on your time
investment. :-)
Chris
--
Chris Shiflett
articles/how-to-avoid-page-has-expired-warnings
Hope that helps.
Chris
--
Chris Shiflett
http://shiflett.org/
Crayon Shin Chan wrote:
> What makes you think any of the authors are subscribed to this list?
I'm subscribed. :-)
Chris
--
Chris Shiflett
http://shiflett.org/
:
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, TRUE);
For more information:
http://netevil.org/blog/2006/apr/using-pdo-mysql
Hope that helps.
Chris
--
Chris Shiflett
http://shiflett.org/
might notice that many leading
PHP and web application security experts highly recommend it:
http://phpsecurity.org/reviews
Are all of these people fools, or is it really a good book?
Chris
--
Chris Shiflett
http://shiflett.org/
32699X
Disclaimer: I work with the author.
Chris
--
Chris Shiflett
http://shiflett.org/
http://shiflett.org/blog/2007/mar/allowing-html-and-preventing-xss
If you want to allow a larger subset, or you're just looking for a
packaged solution, try HTML Purifier:
http://htmlpurifier.org/
Hope that helps.
Chris
--
Chris Shiflett
http://shiflett.org/
ticles/cross-site-request-forgeries
(I have an update that I need to publish, but this should be enough to
explain the potential problems this technique can help prevent.)
Chris
--
Chris Shiflett
http://shiflett.org/
s, ie, can this be exploited?
If you ever use htmlentities() to escape data for SQL or
mysql_real_escape_string() to escape data for HTML, then yes, it is
dangerous. Escaping functions are context-dependent.
Hope that helps.
Chris
--
Chris Shiflett
http://shiflett.org/
that helps.
Chris
--
Chris Shiflett
http://shiflett.org/
hat "always" doesn't actually mean always, but I
can't remember the exact scenario. Perhaps it doesn't populate that
variable when the Content-Type is application/x-www-form-urlencoded, and
it does in all other cases.
Hope that helps.
Chris
--
Chris Shiflett
cation: $url");
Almost every problem I can recall someone having with header() was a
result of either:
1. Headers already being sent, as others have guessed.
2. The argument passed to header() being malformed, and the browser
doesn't interpret the malformed header as desired.
Hope that
> > Can you provide a raw HTTP dump of the complete scenario?
>
> Two things:
>
> 1. How do I do that?
Probably the easiest thing to do these days is use a Firefox extension
like Firebug or LiveHTTPHeaders.
Chris
--
Chris Shiflett
http://shiflett.org/
erstand what
header('Location: ...') does. Or both.
Chris
--
Chris Shiflett
http://shiflett.org/
Hi Chris,
> But sometimes when I'm back at the form page (after the redirect)
> and I refresh the page it does the previous page's actions again.
Can you provide a raw HTTP dump of the complete scenario?
Chris
--
Chris Shiflett
http://shiflett.org/
ction).
If escaping the entire query actually did anything useful, databases
would do this for us, and we'd never be discussing this topic.
Chris
--
Chris Shiflett
http://shiflett.org/
shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
Hope that helps.
Chris
--
Chris Shiflett
http://shiflett.org/
Tijnema wrote:
> Did you guys ever noted that little arrow down just right of
> the back button, where you can go back 2 steps at once, so you
> don't have to click very fast?
I think we both remember browsing before that feature was invented.
Chris
--
Chris Shiflett
Robert Cummings wrote:
> I've found clicking really fast can get you back :)
I, too, have successfully used this technique. :-)
Chris
--
Chris Shiflett
http://shiflett.org/
'n'] == 'eventname') {
$name = $event;
} elseif ($event['n'] == 'eventnextoccurrencedate') {
$date = date('D, M d Y H:i:s', strtotime($event));
}
}
echo "{$name}{$date}\n";
}
?>
Gotta lov
pz4/
I'd contact them to see what they recommend.
Chris
--
Chris Shiflett
http://shiflett.org/
do
the trick), then you won't have to worry about it again.
Hope that helps.
Chris
--
Chris Shiflett
http://shiflett.org/
oblem. Try to see if there's an erroneous Content-Length
header or something that might cause the client to think it has read all
of the response when it hasn't.
Hope that helps.
Chris
--
Chris Shiflett
http://shiflett.org/
ll the reasons magic_quotes_gpc is bad...
Chris
--
Chris Shiflett
http://shiflett.org/
John Nichel wrote:
> I'm just popping in now to let y'all know that I'm off to join
> people like John and Jason in the world of, "what ever happened
> to him".
Thanks for your contributions over the years, John.
Chris
--
Chris Shiflett
http://shiflett.org/
)
Anyway, it's as real as Content-Disposition. :-)
Chris
--
Chris Shiflett
http://shiflett.org/
Richard Lynch wrote:
> The "old school" HTTP-EQUIV of a refresh with a time and URL
> would probably be suitable for this.
>
> YMMV
>
> And it's still not PHP. :-)
It is if you use header(). :-)
Chris
--
Chris Shiflett
http://shiflett.org/
Tim wrote:
> Considering bruce wants to be able to display the data and then
> change location after a given time, and as stut said you can't
> do this with a header() as it redirects before output
Sure you can. Just use a Refresh header instead of Location.
Chris
okie header has been sent to the browser. The browser can't return
something it has never received.
Chris
--
Chris Shiflett
http://shiflett.org/
tp://shiflett.org/archive/184
It highlights the importance of character encoding consistency by
demonstrating an SQL injection attack that is immune to addslashes() but
not mysql_real_escape_string().
Hope that helps.
Chris
--
Chris Shiflett
http://shiflett.org/
Larry Garfield wrote:
> I've run into this sort of issue a few times before, and never
> found a good solution.
Not sure if this is the solution you're looking for, but you can convert
them to regular quotes:
http://shiflett.org/archive/165
Hope that helps.
Chris
ript.txt, and the content
of the response is included just as if it were the content of a local file.
Hope that helps.
Chris
--
Chris Shiflett
http://shiflett.org/
e response status code to 302.
If you're using an old version of PHP, you should try reversing the
order of the header() calls in your example, if you haven't already.
Hope that helps.
Chris
--
Chris Shiflett
http://shiflett.org/
l session identifier.
Hope that helps.
Chris
--
Chris Shiflett
http://shiflett.org/
trivial, your
solution isn't likely to be very useful to me.
Chris
--
Chris Shiflett
http://shiflett.org/
r invalid XHTML is produced)
I'm sure I could come up with several more with a bit of thought. Of
course, I'd love to be proven wrong and shown a really great solution.
Chris
--
Chris Shiflett
http://shiflett.org/
ntities
You should really be using this for all output.
Hope that helps.
Chris
--
Chris Shiflett
http://shiflett.org/
round. It's clean, intuitive syntax for
exactly these types of scenarios.
Hope that helps.
Chris
--
Chris Shiflett
http://shiflett.org/
[EMAIL PROTECTED] wrote:
> I'd like to have the output as "{11: 22}".
My previous example demonstrates that:
> echo "{{$foo}: {$bar}}";
Chris
--
Chris Shiflett
http://shiflett.org/
"{$var1: $var2}"
of course it doesn't work as some might expect.
To address the original question, a backslash does not escape the brace.
Are you wanting the variables to be evaluated? Here's an example that
demonstrates both:
Hope that helps.
Chris
> documentation of what data should be escaped how as it travels
> through the "glue" that is PHP...
That's a great idea. Want to write it? :-) I'd be happy to help.
Chris
--
Chris Shiflett
http://shiflett.org/
Kevin Murphy wrote:
> I keep getting garbage characters in there, usually
> associated with Smart Quotes.
This might be helpful:
http://shiflett.org/archive/165
Chris
--
Chris Shiflett
http://shiflett.org/
ction, and
character encoding consistency is even more important in that context:
http://shiflett.org/archive/178
Hope that helps.
Chris
--
Chris Shiflett
Principal, OmniTI
http://omniti.com/
Adam Zey wrote:
> $headers .= "Content-Type: application/octet-stream\r\n";
I missed the context of this function, but it seems like you probably
mean to send:
Content-Type: application/x-www-form-urlencoded
Chris
--
Chris Shiflett
Principal, OmniTI
http://omniti.com/
CP connection open until it times out. That's
a pretty big waste in a situation where overhead matters.
Hope that helps.
Chris
--
Chris Shiflett
Principal, OmniTI
http://omniti.com/
tedd wrote:
Barry says you can use these three:
header("Content-Type: application/force-download");
header("Content-Type: application/octet-stream");
header("Content-Type: application/download");
Richard says only use this one:
header("Content-type: application/octet-stream");
And, you say us
Richard Lynch wrote:
It is possible that all "modern" browsers have given
in to whichever johnny-come-lately 'standard' made
up the Content-disposition header.
The original RFC for it is dated June 1995, so it's not too recent.
There are plenty of useful aspects of HTTP not defined in RFC 2616
Barry wrote:
You can send every header twice, triple, a zillion
times if you want.
Sure, but you have to know how to use header():
http://php.net/header
"By default it will replace, but if you pass in FALSE as the second
argument you can force multiple headers of the same type."
Regardless
xample and explanation, the header() function only gets called
if there are no errors.
Hope that helps.
Chris
--
Chris Shiflett
Principal, OmniTI
http://omniti.com/
I wrote an article on this subject that might help:
http://shiflett.org/articles/guru-speak-nov2004
Chris
--
Chris Shiflett
Principal, OmniTI
http://omniti.com/
Jochem Maas wrote:
a. php will actually implement static late binding
b. Zend Framework's 'DataObject' class will make use of said late
binding to do cool things like Person::findAll( $myFilter ) with
out having to actually implement a findAll method in the Person
class
I have read indications
Wolf wrote:
What I am interested in finding out is what the best way is to
make sure that I can rework the upload area to allow upload and
download from it while keeping script kiddies from exploiting
it again.
I can post the scripts
If your scripts are very long, most of us won't take the tim
Dallas Cahker wrote:
I was looking to see if there was a quick checklist of settings
for php to be disabled/enabled in the ini file to make the
application more secure.
Although there are some directives worth disabling (register_globals,
magic_quotes_gpc, allow_url_fopen), most vulnerabilitie
John Taylor-Johnston wrote:
Scrolling back and forward through my PHP generated search
engine, my browser (FF) alerts to remind me that I have post
data. What kind of header can I add to avoid it doing that?
I have a pretty detailed article about this on my web site:
http://shiflett.org/articl
Mark Kelly wrote:
> > You can also use something like:
> >
> > echo "";
>
> There's no need to use a meta tag to mimic HTTP headers. PHP
> provides the header() function.
I have been using that method when I got part-way through some
processing that produces output, and hit something that requir
Angelo Zanetti wrote:
So should I avoid magic_quotes_gpc altogether?
In my opinion, yes.
my local development server has them enabled and when testing
the input of a textfield that does a select query I input 'hello'
(including single quotes) and it works really well with the
single quotes
Mark Kelly wrote:
You can also use something like:
echo "";
There's no need to use a meta tag to mimic HTTP headers. PHP provides
the header() function.
Chris
Joe Wollard wrote:
I made fun of Chris and Rasmus specifically because I
know they're on this list.
I appreciate being considered important enough to make fun of.
Thanks! :-)
Chris
tedd wrote:
> I usually raise eyebrows with this statement, but you should
> never (with very, very few exceptions) need to unescape
> anything. Ever.
What's this then?
http://us3.php.net/mysql_real_escape_string
That's an escaping function.
Chris
If I perform stripslashes first, then the process doesn't work.
I usually raise eyebrows with this statement, but you should never (with
very, very few exceptions) need to unescape anything. Ever.
Richard was pointing out that the only reason you would need to strip
slashes after retrieving
Merlin wrote:
I am wondering if I am opening a potential security risk by
including files on remote servers.
Yes.
I am doing an include ('http:/www.server.com/file.html') inside
a php script of mine to separate content from function. Content
is produced by a friend of mine and I do not want t
Jon Anderson wrote:
...
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ...
...
I seem to recall this being due to a bug in Internet Explorer that keeps
the connection open longer than necessary, tying up server resources.
George Schlossnagle has a formula for calculating the win/loss of using
Chris wrote:
If you're doing an exit() or die() or the script stops executing
that's like you closing the connection - so apache is going to
close the connection (as it should).
The connection Jon is talking about is the TCP connection, just in case
that's not clear. I'm not sure what connecti
Jon Anderson wrote:
Keep alives are definitely configured in the server - I can
request scripts multiple times manually from a telnet client.
In that case, I think a good next step would be to examine the HTTP
request. One guess is that the request you type in manually with telnet
is HTTP/1.1
Jon Anderson wrote:
It seems to work okay, except that at the TCP level, the client
keeps initiating new connections for every soap request rather
than using a single connection for multiple requests. One
possible reason for this is that the server sends a "Connection:
close" HTTP header after th
João Cândido de Souza Neto wrote:
> Show us the code.
... Some codes ...
That doesn't count. :-)
You're describing a situation that I seriously doubt is reflected in
your code. Reduce the problem to the simplest example you possibly can,
and then show us the code.
Chris
João Cândido de Souza Neto wrote:
I tried it already; if I put an echo $_SESSION["root"] before or
after the include, it works fine, but it doesn't work in the
file top.php.
Show us the code. What you're describing should not be possible.
Chris
Rostislav Krasny wrote:
Why is there no newline after "Hello World"?
Is it a PHP bug or the tutorial should be updated?
I discuss this here: http://shiflett.org/archive/151
It's a feature of PHP that has some advantages and disadvantages, and
it's not likely to change (consistency has merit, r
can just make sure that the value is one
of the few valid values.
Hope that helps.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
Alain Roger wrote:
I have a link in my web page and when a user clicks on this link, I would
like to execute a PHP function with a parameter.
You'll need to initiate a new request. Browsers don't execute PHP code.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
on;
$v->checkEmpty($_POST["name"]);
If the form is submitted, define the class, else use the class. That
doesn't sound right...
Hope that helps.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
're using data that's been escaped with something like
mysql_real_escape_string(). You want to do that when you're using it in
a MySQL query, not when you use it in an email.
Hope that helps.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
I'm not sure why it matters, but the real Google store appears to use ASP:
http://www.googlestore.com/home.asp
My mistake. Apparently there are different sites for different countries.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
Dan Lowe wrote:
It's implied right on the front page it's not directly run by Google.
I'm not sure why it matters, but the real Google store appears to use ASP:
http://www.googlestore.com/home.asp
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
for persistent data.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
Framework is not
for you. In a few months, it might be something to consider.
Hope that helps.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
ql_real_escape_string() can protect against this vulnerability (in
these cases), and you'll see that I use this function on everything I
use in my SQL queries, even when it seems ridiculous to do so:
$access = time();
$access = mysql_real_escape_string($access);
Hope that help
.phpmag.net/itr/online_artikel/psecom,id,667,nodeid,114.html
Hope that helps.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
d when the
GET method is indicated in a form's method attribute.
Hope that helps.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
Curt Zirzow wrote:
And in the code that is called in the popup:
Don't forget session_start(). :-)
(You might have session.auto_start enabled, but it's not by default.)
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
Maybe you're getting the buffering and flushing concepts reversed? Think
of a toilet - buffering is the handle up, and flushing is the handle
down. :-)
Hope that helps!
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
Joe Harman wrote:
Okay...makes sense after you spelled it out to me.
That didn't make sense to me (and I missed the original reply). Mind
elaborating? :-)
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
http://shiflett.org/articles
Hope that helps!
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
ode/ch01-4
Hope that helps!
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
ellent.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
Mathijs wrote:
How can I add more callback_outputs to ob_start?
I want to have both: ob_start('switchContent');
and: ob_start('ob_gzhandler');
I don't think you can, but you could have a single function that calls
both, then specify that function in ob_start().
he answer is no. :-)
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
nconsistent implementations in the industry. This
particular statement attempts to distinguish between the history
mechanism and caches, a distinction that doesn't naturally exist.
I don't really fault Firefox for abiding by the no-store directive, nor
do I fault Internet Explorer for
For example, filter the data you receive from the client before passing
it as arguments to the mail() function.
Hope that helps.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
oot]/path/to/script.php
I think it's pretty important to understand the difference as well as
the relationship. Once you do, your question might go away.
Hope that helps.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
a cross-site
scripting (XSS) vulnerability.
Hope that helps.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
Angelo Zanetti wrote:
I've been searching for where the time is set for a session to
expire but had little luck.
I think you might be looking for the session.gc_* directives. These
control the session mechanism's garbage collection.
Hope that helps.
Chris
--
Chris Shiflett
Angelo Zanetti wrote:
I've googled but found so many pages that I'm not sure what to use.
I want to use PHP to make use of SOAP.
If you're using PHP 5, this is a good option:
http://php.net/soap
Hope that helps.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
negligible) risk for extra performance. So I sanitize data
on input only.
Sanitizing is an alias for filtering and has nothing to do with
escaping. One should never be considered a substitute for the other,
although this is a common mistake.
Chris
--
Chris Shiflett
rd third"
"fourth"
"fifth fifth fifth"
I love explode(), too, but this is a job for sscanf():
http://php.net/sscanf
Hope that helps.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
Chris Shiflett wrote:
However, most security issues like XSS and SQL injection aren't
really input filtering problems. Often, input filtering can
effectively eliminate these vulnerabilities (and there's no
excuse to not be filtering input), but escaping addresses the
root cause of t
d I live in $location.";
?>
If you think of this example from the perspective of echo, it's
difficult to tell what part of the string is meant to be only data. In
this case, the data is Chris, Shiflett, New York, and NY. The HTML tags
are meant to be interpreted. As the developer, that