I think it still works with the old one, it's not yet released a stable
version for 5.0 and I think for 4.3.6? only in beta.
hmm, better check their site out to know the full details.
thanks
On Mon, 16 Aug 2004 09:32:52 +0300, Octavian Rasnita <[EMAIL PROTECTED]> wrote:
> From: "raditha dissanayak
zend allows you to compile your code
On Mon, 16 Aug 2004 15:04:48 +0800, Louie Miranda <[EMAIL PROTECTED]> wrote:
> I think it still works with the old one, it's not yet released a stable
> version for 5.0 and I think for 4.3.6? only in beta.
>
> hmm, better check their site out to know the full
I'm looking for PHP code that will produce diffs between two texts, and
render them "inline". By that I mean not the standard *nix diff output,
which compares and outputs lines, but a diff that compares inline text
and outputs the bits before and after in place, marked with a custom
or something.
I've been using func "imagecreatefromstring" for
creating JPEGs obtained from MySQL database.
The function sometimes fails terminating script
with no error message.
Has somebody reached such problem?
I don't want to save images to temp files.
Linux 2.4.26, PHP 4.3.8, gd 2.0 or higher
--
PHP Gen
Hello all!
I have a frustrating problem with PHP and am hoping someone on the list might
know a solution.
I need to set up an apache server with php on Linux and AIX machines, and it
all has to be in a chrooted environment. Most things work very well except
for the mail() function. It appear
raditha dissanayake wrote:
This mail probably shows how little you know about matt wright's
FormMail more than anything else - just to give you an idea it's banned
on all shared servers of our ISP.
I'm very aware of the FormMail.pl's problems and bugs, and I'm
definitely not going to use it...
Hi Markus,
do I get you right, you can't invoke mail() because php can't find the
sendmail executable?
perhaps this does the trick:
function my_mail_inject($mail)
{
$sendmail = ini_get("sendmail_path");
if(!$sendmail) $sendmail = "/var/qmail/bin/qmail-inject";
$p = popen($sendmail, "w");
if($
Hi all.
I just wanted to throw this message in here and get some opinions before I
go off developing something So will post in the correct newsgroup later
(when I find which newsgroup I need).
Before I post a more thorough thread in the correct area I just wanted to
find out if this was achievabl
Hi php-general,
I am trying to make my web server (Apache 2 + mod_ssl) connect to my ldap server with
mutual authentication using PHP. This means I want them to exchange their certificate.
For this purpose, I connect to ldap on port 389 then start TLS using ldap_start_tls().
This works perfectly
[snip]
I just wanted to throw this message in here and get some opinions before
I
go off developing something So will post in the correct newsgroup later
(when I find which newsgroup I need).
Before I post a more thorough thread in the correct area I just wanted
to
find out if this was achievable
Juan Nin wrote:
raditha dissanayake wrote:
This mail probably shows how little you know about matt wright's
FormMail more than anything else - just to give you an idea it's
banned on all shared servers of our ISP.
I'm very aware of the FormMail.pl's problems and bugs, and I'm
definitely not go
Harlequin wrote:
Hi all.
I just wanted to throw this message in here and get some opinions before I
go off developing something So will post in the correct newsgroup later
(when I find which newsgroup I need).
Before I post a more thorough thread in the correct area I just wanted to
find out if thi
Hi Stephan,
On Monday 16 August 2004 15:16, Stephan Fiedler wrote:
> do I get you right, you can't invoke mail() because php can't find the
> sendmail executable?
Indeed you get me right. As I said in my post, alternatives such as qmail,
exim, postfix and similar full featured MTA's in the chro
On Mon, 2004-08-16 at 02:31, Octavian Rasnita wrote:
> Hi,
>
> I took a look to Smarty and Savant templating systems, and I like a few
> things from both of them.
> However, none of them are satisfactory.
>
> I don't like Smarty because it needs another language and I find Savant more
> easy to
[snip]
Can anybody help me to open all subdirectories in a directory, I used
is_dir() to check whether it is a dir, and if yes, I recursively called
it with the new dir name. But all subdirectories are not open the
recursion is not working for more than 1 level. I tested it in windows
server. Exp
Hi all,
I have a simple PHP store, and it appears that someone is using it to
test credit card numbers. I'm getting a very high number of small
orders every day, but a lot more declines. My merchant provider
suggests blocking that person's IP address, but that's not practical
since it's dynamic
I was wondering if there was a block of code I could place at the bottom of
the file that would write the page's source code to an html file. I need
this because I'm posting pages to a server sans a PHP compiler. Basically,
I'd like for every time I run a page its source code to be saved in the
f
Hi,
I'm running a win2k with apache and PHP 4.3.4 and I have gone through
the installation readme for PHP. I have copied the necessary files to
the correct directories. I have also set register_globals= Off (default)
I have set my session path (it exists).
Now my problem is that I can't get my se
I think VB or some MS dev tool will do the job.
>>> John Nichel <[EMAIL PROTECTED]> 8/16/2004 3:48:11 PM >>>
Harlequin wrote:
> Hi all.
>
> I just wanted to throw this message in here and get some opinions before I
> go off developing something So will post in the correct newsgroup later
> (when
> if (session_is_registered($_SESSION['login']))
> echo("seesion is reg");
> else
> echo("seesion not reg");
try
if (isset($_SESSION['login']))
echo("seesion is reg");
else
echo("seesion not reg");
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe,
Brian,
The best thing that I can suggest is to take a look at the actual orders
themselves and find out if there are any one or two things that seem to be
common about them.
Once you can find some sort of pattern, you can then code against it.
For example, if you find that he seems to send 20 r
[snip]
Ok here is what I do:
$_SESSION['login']="true";
if (session_is_registered($_SESSION['login']))
echo("seesion is reg");
else
echo("seesion not reg");
I have not used the session_register function as the manual says the
following:
[/snip]
Have
On Mon, 2004-08-16 at 07:26, Brian Dunning wrote:
> Hi all,
>
> I have a simple PHP store, and it appears that someone is using it to
> test credit card numbers. I'm getting a very high number of small
> orders every day, but a lot more declines. My merchant provider
> suggests blocking that pe
"Angelo Zanetti" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Hi,
>
> I'm running a win2k with apache and PHP 4.3.4 and I have gone through
> the installation readme for PHP. I have copied the necessary files to
> the correct directories. I have also set register_globals= Off (defau
> [reply]
> Please try if those changes solve your problem. Whenever one of
> your values
> will contain a single quote you will get an SQL error - so use
> addslashes()
> or (better) mysql_real_escape_string() on all insert values.
> [/reply]
>
>
> That is my whole point though, is that it doe
Hi Brian,
One possibility is to use a MySQL database which records all failures with the
credit card verifications, the IP address of the failure, and when the
failure was. Write a script which looks at the failures and if it detects
three or more failures from any IP in a set time frame (24 h
Hi all,
I want to create an html cache of a page, like when that page is saved to
the disk and let the visitors download that static page and not a dynamic
one.
Of course, a dynamic PHP program will load that static page and display it,
but without need to connect to databases, to make calculation
Thanks to all of you for your suggestions. Yes I have been logging IP
address in my orders database.
I think I may have solved it by an even simpler method: I emailed the
perpetrator to "thank him for all of his orders" to see what he'd say.
His first few orders came with real email addresses,
thanks MATT it appears that the isset function worked!
>>> "Jay Blanchard" <[EMAIL PROTECTED]> 8/16/2004
4:46:16 PM >>>
[snip]
Ok here is what I do:
$_SESSION['login']="true";
if (session_is_registered($_SESSION['login']))
echo("seesion is reg");
else
"Octavian Rasnita" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Hi all,
>
> I want to create an html cache of a page, like when that page is saved to
> the disk and let the visitors download that static page and not a dynamic
> one.
> Of course, a dynamic PHP program will load that
On 14 August 2004 15:50, raditha dissanayake wrote:
> Ford, Mike [LSS] wrote:
>
> >
> > (And, BTW, the HTTP definition says that the Location:
> > header should specify a full absolute URL, so that should be:
> >
> > header("Location: http://your.server.name/path/to/errors/servererror.php");
Hi
I have a site that uses a large number of data arrays that are nearly
static (change once a week or less) they are used on almost every page
in the site. Currently I have them as a separate file that is included at
the top of each script page. I would like a way to cache? them at the
server lev
ok I thought the problem was fixed but it's not. The session variable
gets registered correctly however when I go to the next page and to see
if it's still registered using the isset() function it's not registered
anymore. I do have session_start(); at the top of the new page.
I can't think why it's n
Hello,
I'm sending a custom request to a server using CURL, which may contain
some high-ascii characters. Are there certain characters that would
cause CURL not to send the complete custom request? Are there some CURL
options that can help make sure the request is sent in its entirety?
Here is
Hi, what my goal is is to be able to authenticate a user by their SSH account on the
system using php. I tried looking on google, but didn't see anything with ssh. What
i've tried to do is use the exec() and just do:
exec("ssh [EMAIL PROTECTED]".escapleshellard("password"));
but that didn't seem
"Angelo Zanetti" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> ok I thought the problem was fixed but it's not. The session variable
> gets registered correctly however when I go to the next page and to see
> if it's still registered using the isset() function it's not registered
> an
On Mon, 16 Aug 2004 17:39:21 +0200, Angelo Zanetti <[EMAIL PROTECTED]> wrote:
> ok I thought the problem was fixed but it's not. The session variable
> gets registered correctly however when I go to the next page and to see
> if it's still registered using the isset() function it's not registered
> a
Hi Matt,
The session_id() is correct on both pages. Some info I forgot to add is
this:
on my first page:
session_write_close();
header("Location: franchise_menu.php?".SID);
exit();
however on my franchise_menu.php page, no SID is displayed in the
browser address. could that be a reason? Or hav
no I'm not using cookies.
Session configuration values from php.ini:
session.save_handler = files
session.save_path = c:\temp\sessions
session.use_cookies = 0
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
sessio
> session_write_close();
> header("Location: franchise_menu.php?".SID);
> exit();
SID will be empty if session ID was set in an appropriate session cookie
if you do a print_r($_SESSION) on franchise_menu.php do you see anything?
If you have access to the webserver you could just go in and look a
On Mon, 2004-08-16 at 08:39, Teren wrote:
> Hi, what my goal is is to be able to authenticate a user by their SSH account on the
> system using php. I tried looking on google, but didn't see anything with ssh. What
> i've tried to do is use the exec() and just do:
>
> exec("ssh [EMAIL PROTECTED]".
Is it true that turck is faster than Zend?
> i think you are looking for something like turck mmcache.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[snip]
Is it true that turck is faster than Zend?
> i think you are looking for something like turck mmcache.
[/snip]
What about something like http://www.priadoblender.com
Wow. I just saw the $2,880 price tag on the Zend Encoder. I guess Turck is
better?! Who cares if it's a little bit slower than Zend (or even faster
according to the Turck site). That's a lot of moola!
> -Original Message-
> http://www.zend.com/store/products/zend-encoder.php
>
> On Mo
Geesh, this sounds scary. Are you requiring account login before processing
payments?
> -Original Message-
> I have a simple PHP store, and it appears that someone is using it to
> test credit card numbers. I'm getting a very high number of small
> orders every day, but a lot more decline
> > Hi, what my goal is is to be able to authenticate a user by their SSH
> > account on the system using php. I tried looking on google, but didn't
> > see anything with ssh. What i've tried to do is use the exec() and
> > just do:
> >
> > exec("ssh [EMAIL PROTECTED]".escapleshellard("password"));
>
http://www.php.net/manual/en/ref.outcontrol.php
On Mon, 16 Aug 2004 10:35:42 -0400
[EMAIL PROTECTED] (Doug Parker) wrote:
> I was wondering if there was a block of code I could place at the bottom of
> the file that would write the page's source code to an html file. I need
> this because I'm po
On Aug 16, 2004, at 10:07 AM, Ed Lazor wrote:
Geesh, this sounds scary. Are you requiring account login before
processing
payments?
Not on this store, it's a really competitive market.
On Mon, 2004-08-16 at 10:15, Michal Migurski wrote:
> > > Hi, what my goal is is to be able to authenticate a user by their SSH
> > > account on the system using php. I tried looking on google, but didn't
> > > see anything with ssh. What i've tried to do is use the exec() and
> > > just do:
> > >
>
Brian Dunning wrote:
On Aug 16, 2004, at 10:07 AM, Ed Lazor wrote:
Geesh, this sounds scary. Are you requiring account login before
processing
payments?
Not on this store, it's a really competitive market.
Requiring an account to purchase would more than likely cut down on
fraud orders.
--
Joh
Ok, here's the whole project, I have an openbsd box using authpf which uses
authentication via ssh login. So, i'm trying to create a weblogin using php
so people just have to enter their username/password (which would be a
restricted unix account) to gain access to the internet. I have authpf all
s
On 2004-08-16 08:03:51, Brian Dunning wrote:
> Anyone know who the "proper authorities" are, to whom I could give my
> logs? Amazingly, my CardService rep didn't know. He also didn't seem to
> care or think it was a very big deal. The total orders that went
> through are about 100 orders at $
Hello All,
I am working on securing an application that uses CDSSO (Cross Domain
Single Sign On).
I am trying to reproduce the CSRF (Cross Site Request Forgery) attack
(using TAG) in I.E. 6.01, but am unable to do so. However the
attack works on Mozilla and other older browsers.
My questio
Hmm,
Simply make a RSS feed or something, md5 the last changed date of all files
combined every say 30 mins and put that in the rss file, have the systray
icon program look at that file every 5 mins or so, if the file has changed,
flash..
"John Nichel" <[EMAIL PROTECTED]> wrote in message
news:[EMA
[snip]
I am working on securing an application that uses CDSSO (Cross Domain
Single Sign On).
I am trying to reproduce the CSRF (Cross Site Request Forgery) attack
(using TAG) in I.E. 6.01, but am unable to do so. However the
attack works on Mozilla and other older browsers.
My question: Is
Perhaps the question could be asked another way and be more on topic.
Is there a fix in I.E. 6.01 that would interfere with PHP being able to
generate different mime types on the fly, like .png or .jpg
Thanks,
Warren Vail
-Original Message-
From: Jay Blanchard [mailto:[EMAIL PROTEC
[snip]
Perhaps the question could be asked another way and be more on topic.
Is there a fix in I.E. 6.01 that would interfere with PHP being able to
generate different mime types on the fly, like .png or .jpg
[/snip]
a. But that wasn't what he asked.
2. Top-posting === bad
Ah, you should try to authenticate differently then. You're going about
this the wrong way. :-)
> The PEAR::Auth package provides methods for creating an authentication
> system using PHP.
>
> Currently it supports the following storage containers to read/write
> the login data:
>
> * All databas
Hello,
On 08/16/2004 12:40 PM, Dominic Schanen wrote:
I'm sending a custom request to a server using CURL, which may contain
some high-ascii characters. Are there certain characters that would
cause CURL not to send the complete custom request? Are there some CURL
options that can help make sure
> Ok, here's the whole project, I have an openbsd box using authpf which
> uses authentication via ssh login. So, i'm trying to create a weblogin
> using php so people just have to enter their username/password (which
> would be a restricted unix account) to gain access to the internet. I
> have au
--- Jay Blanchard <[EMAIL PROTECTED]> wrote:
> You would have to ask the Microsoft Development Group, who
> probably does not subscribe to this list. Crossposting is bad.
> Being OT during a crosspost is even worse. I can hear the
> flamethrowers warming up in the wings.
>
> FYI -> This is (or use
>> Ok, here's the whole project, I have an openbsd box using authpf which
>> uses authentication via ssh login. So, i'm trying to create a weblogin
>> using php so people just have to enter their username/password (which
>> would be a restricted unix account) to gain access to the internet. I
>> ha
Jay Blanchard wrote:
FYI -> This is (or use to be) a PHP list
If I have a web server running php, how do I change the oil in my car?
--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]
--- [EMAIL PROTECTED] wrote:
> My question: Is I.E. 6.01 SP1 doing something to foil the CSRF
> attack, i.e. only allow image extensions .gif .png .jpeg?
This seems highly unlikely. Can you show us the code you're using to test?
Chris
=
Chris Shiflett - http://shiflett.org/
PHP Security
--- Jay Blanchard <[EMAIL PROTECTED]> wrote:
> [snip]
> Perhaps the question could be asked another way and be more on
> topic.
>
> Is there a fix in I.E. 6.01 that would interfere with PHP being
> able to generate different mime types on the fly, like .png or
> .jpg
> [/snip]
>
> a. But that
Thanks Chris,
Yup I think my posting is very on-topic. The application that I am working
on is written in PHP.
And I'm sure all PHP developers check their applications for CSRF
vulnerability, in various browsers (including I.E. ).
As a PHP/Java developer, I would be interested to know what I
[snip]
Yup I think my posting is very on-topic. The application that
I am working on is written in PHP.
[/snip]
Thanks for stating that in your original post.
Hello Chris,
I can't share the exact code ;) , but here is something very similar:
<img src="http://slashdot.org/my/logout" height="1" width="1">
If I load a web page with the above code, it should log me out of
slashdot. It works in Mozilla (and netscape), but not in I.E. 6.01 SP1
downloads.seagate.co
Hi,
some newbie questions about PEAR:
1. How do I know if its already installed? (via
phpinfo() ? )
2. Can I install it myself if its not already
installed or do I have to contact my host?
Thanks,
Mag
=
--
- The faulty interface lies between the chair and the keyboard.
- Creativity is g
Hello,
On 08/16/2004 10:00 AM, Markus Mayer wrote:
- Does anyone know of a way to make PHP on *nix use an external smtp server
without having to hack around in the source code of PHP?
- Has anyone got either ssmtp or esmtp working with PHP?
You may want to try this class that can be used to do pre
--- [EMAIL PROTECTED] wrote:
> And I'm sure all PHP developers check their applications for
> CSRF vulnerability, in various browsers (including I.E. ).
I speak about CSRF in many of the talks I give, and I think you'd be
surprised by how many people haven't even heard of it.
> As a PHP/Java deve
--- [EMAIL PROTECTED] wrote:
> I can't share the exact code ;) , but here is something very
> similar:
>
> <img src="http://slashdot.org/my/logout" height="1" width="1">
>
> If I load a web page with the above code, it should log me out
> of slashdot. It works in Mozilla (and netscape), but not in I.E.
>
> -Original Message-
> Jay Blanchard wrote:
> > FYI -> This is (or use to be) a PHP list
>
> If I have a web server running php, how do I change the oil in my car?
Have you tried the OilChange class from PHPClasses.org? ;)
-Ed
What if you add a random seed to the URL?
> -Original Message-
> Hello Chris,
>
> I can't share the exact code ;) , but here is something very similar:
>
> <img src="http://slashdot.org/my/logout" height="1" width="1">
>
> If I load a web page with the above code, it should log me out of
> s
"Watty" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Is it possible to compile a PHP script? And if so, how?
there is a roadsend php compiler, but I have not used it myself.
rush
--
http://www.templatetamer.com/
> -Original Message-
> The best information would be if you can capture the exact HTTP
> transactions involved. For example, using something like ethereal, capture
> the request and response for Mozilla, and then do the same for IE 6.01
> SP1.
>
> Short of that, you could create a URL spec
--- Ed Lazor <[EMAIL PROTECTED]> wrote:
> Wouldn't it work to just make the script spit out a mime type
> header and a small (1x1) image when it's done to satisfy the
> browser's mime type requirements?
Definitely, but most CSRF attacks are meant to spoof a request from the
legitimate user to some
> -Original Message-
> Definitely, but most CSRF attacks are meant to spoof a request from the
> legitimate user to some Web site where he/she already has privilege. Thus,
> the receiving site is usually as much the victim as the user.
>
> I'm not sure if that makes any sense... :-)
It do
"Angelo Zanetti" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Hi Matt,
>
> The session_id() is correct on both pages. Some info I forgot to add is
> this:
>
> on my first page:
>
> session_write_close();
> header("Location: franchise_menu.php?".SID);
> exit();
>
> however on my fra
Hi all!
Can you please help me with the following;
I've got a form (that comes in 'three parts' a1.php a2.php and a3.php) with sessions
that refuses to go back!
On A2.php and A3.php I made a back button like:
and
And I've added the following line directly after Session_start();
header("Cac
"Mag" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Hi,
> some newbie questions about PEAR:
>
> 1. How do I know if its already installed? (via
> phpinfo() ? )
>
> 2. Can I install it myself if its not already
> installed or do I have to contact my host?
>
> Thanks,
> Mag
You will
Why is it so important if Internet Explorer allows URLs of images where the
file name is only .jpg, .png, or .gif?
A url can be something like:
http://www.site.com/script.php/image.jpg?logout=true
Internet Explorer might think that the file is a .jpg and that script.php is
a directory but only the
Hello,
I'm not saying the I.E. completely fixed the CSRF attacks, by only
allowing .jpg .gif .png files.
But it "might" be one possible way to minimize CSRF attack, just like
using POST vs GET can help minimize the chances of that attack.
BTW, using POST instead of GET does NOT guarantee that
Hello Chris,
Upon your suggestion, I used a sniffer to sniff traffic for the web app
that I am working on.
To my surprise, the data captured during the sniff for both browsers was
exactly the same. Which means my theory of limiting the TAG to .gif
.jpeg .png is NOT true.
So now I am completel
--- Octavian Rasnita <[EMAIL PROTECTED]> wrote:
> Why is it so important if Internet Explorer allows URLs of images
> where the file name is only .jpg, .png, or .gif?
>
> A url can be something like:
>
> http://www.site.com/script.php/image.jpg?logout=true
This is definitely true, but as I mentiond
--- [EMAIL PROTECTED] wrote:
> Upon your suggestion, I used a sniffer to sniff traffic for
> the web app that I am working on.
>
> To my surprise, the data captured during the sniff for both
> browsers was exactly the same.
Can you elaborate or post the exact requests sent from each browser? I'm
Hello Curt,
Yes, the /. system depends on cookies to keep the user logged in.
However a CSRF attack is NOT trying to access a third party cookie.
The web browser makes the same GET request whether it is using TAG
or the user clicking on a link. So in either case the cookies are in the
context
* Thus wrote [EMAIL PROTECTED]:
> Hello Chris,
>
> I can't share the exact code ;) , but here is something very similar:
>
> <img src="http://slashdot.org/my/logout" height="1" width="1">
>
> If I load a web page with the above code, it should log me out of
> slashdot. It works in Mozilla (and netscape)
> -Original Message-
> So now I am completely clueless as to why this particular attack works in
> Mozilla but not in IE.
Could you describe the problem again and give full detail? I think we need
to better model the problem in order to present a more effective solution.
The link below
Hello Ed,
To give some details:
I am unable to re-produce a CSRF attack when the victim is using an I.E.
6.01 SP1 (all patches applied). However the attack works in Mozilla and
other older browsers.
I can't give you the exact code for attack (for security reasons), but it
is similar to the fo
--- [EMAIL PROTECTED] wrote:
> Hello Curt,
>
> Yes, the /. system depends on cookies to keep the user logged
> in.
>
> However a CSRF attack is NOT trying to access a third party
> cookie.
>
> The web browser makes the same GET request whether it is using
> TAG or the user clicking on a link. So
--- Curt Zirzow <[EMAIL PROTECTED]> wrote:
> I'm not sure how the /. logout system works, but my guess is
> that they rely on cookies to do this. Since that is a different
> site than from the originating file, those cookies would be
> considered third party. I know in IE you can disable third
> pa
--- Ed Lazor <[EMAIL PROTECTED]> wrote:
> The link below goes to a page I found that describes CSRF a
> little differently than what Chris was presenting - to give a
> different perspective on things.
>
> http://www.squarefree.com/securitytips/web-developers.html
It doesn't seem to be different,
--- [EMAIL PROTECTED] wrote:
> To give some details:
>
> I am unable to re-produce a CSRF attack when the victim is
> using an I.E. 6.01 SP1 (all patches applied). However the
> attack works in Mozilla and other older browsers.
>
> I can't give you the exact code for attack (for security
> reasons
I was able to confirm / reproduce what you're experiencing. I was also able
to confirm that toggling IE 6's acceptance of 3rd party cookies changes the
behavior.
Create an HTML on your local machine with the following line:
<img src="http://www.atfantasy.com/test/image_status.php">
It'll load an image t
> -Original Message-
> However a CSRF attack is NOT trying to access a third party cookie.
>
> The web browser makes the same GET request whether it is using TAG
> or the user clicking on a link. So in either case the cookies are in the
> context of the website to which the cookies belong.
I've recently encountered a problem with hidden (POST) form fields being
ignored when an html textarea (or text) tag value contains the following
character: '
It seems when you paste text from outlook, to an html 'textarea', it
converts the apostrophe character (') to this character ('), which th
--- Sean O'Donnell <[EMAIL PROTECTED]> wrote:
> I've recently encountered a problem with hidden (POST) form fields being
> ignored when an html textarea (or text) tag value contains the following
> character: '
My guess is that you're displaying this data in HTML and delimiting it
with the same c
the ’ character...
*damn outlook rewrote it in my email. =/
SEAN O'DONNELL
PROGRAMMER/ANALYST
The Design People, Inc.
Your Future in Site.
[ phone 310.577.9111 ext. 104 | fax 310.577.9444 ]
12 WASHINGTON BLVD. | SECOND FLOOR | MARINA DEL REY | CA 90292-5124