From: php-general-digest-help
lists.php.net
Date: Wed Aug 01 2001 - 10:14:17 CDT
php-general Digest 1 Aug 2001 15:14:17 -0000 Issue 790
Topics (messages 60565 through 60666):
dynamic variable names?
60565 by: Matthew Delmarter
How to compile PHP with IMAP option?
60566 by: Christopher Cheng
60630 by: Jeremy Maziarz
Re: Content Management Systems
60567 by: Marty Landman
Re: REPOST: DB logic help...
60568 by: Chris Cocuzzo
MAgic Quotes
60569 by: Ralph Guzman
60599 by: Richard Lynch
Share Session Vars on 2 servers
60570 by: Paul R. Jackson
60572 by: Philip Murray
mod_perl php4 DBI->connect MySQL bomb segfault solved.
60571 by: ard.waikato.ac.nz
60624 by: ard.waikato.ac.nz
Re: Example high-profile PHP sites
60573 by: Ralph Guzman
60603 by: CC Zona
60664 by: scott [gts]
What would you want in a PHP web host?
60574 by: Derek Del Conte
60576 by: Soeren Nielsen
60653 by: pierre-yves
Hmmm?
60575 by: Kyle Smith
60582 by: Lawrence.Sheed.dfait-maeci.gc.ca
60584 by: elias
60607 by: Maxim Maletsky
60661 by: Keith Jeffery
Re: Trying to avoid code exploits..
60577 by: Meir Kriheli
60589 by: Richard Lynch
60602 by: Meir Kriheli
60614 by: Richard Lynch
60619 by: Yasuo Ohgaki
60622 by: Yasuo Ohgaki
60628 by: Meir Kriheli
60638 by: Meir Kriheli
60639 by: Phil Driscoll
60640 by: Meir Kriheli
60641 by: Phil Driscoll
60643 by: Yasuo Ohgaki
60646 by: Yasuo Ohgaki
warnings in php4
60578 by: Melania Popescu
60581 by: Chris Fry
60583 by: elias
60634 by: Phil Driscoll
60637 by: Phil Driscoll
Re: Counting Multidimensional Arrays
60579 by: Tim Ward
Re: storing array in mysql
60580 by: elias
Re: Very OT for a lot of you put just asking.
60585 by: Charles Williams
Re: exec problem
60586 by: Richard Lynch
Re: php3 -> php4
60587 by: Richard Lynch
Re: Pear
60588 by: Richard Lynch
Re: Good Tutorial
60590 by: Richard Lynch
Re: Worldpay module an Exchange Project e-commerce site
60591 by: Richard Lynch
Re: emailing the contents of a form in PDF format
60592 by: Richard Lynch
Re: Execute mixed php code from mysql?
60593 by: Richard Lynch
Re: issues with __sleep() and __wakeup()
60594 by: Richard Lynch
60654 by: Thies C. Arntzen
60655 by: scott [gts]
Re: whats wrong?
60595 by: Richard Lynch
Re: Visual Login
60596 by: Richard Lynch
60659 by: scott [gts]
Re: Another simple question (dont hurt me)
60597 by: Richard Lynch
Re: PHP Execute as User ???
60598 by: Richard Lynch
Re: path_info
60600 by: Richard Lynch
Re: Sort by bigger count(*)
60601 by: Richard Lynch
Re: Sorry... but a good PHP editor for Linux/Unix
60604 by: Rouvas Stathis
60621 by: Chris Schneck
60665 by: Mauricio Téllez Jiménez
PHP and MySQL Insert ID
60605 by: John Monfort
60606 by: Daniel Rezny
60620 by: John Monfort
How can i make it so....
60608 by: Steve Wright
60611 by: Chris Fry
60613 by: Richard Lynch
Re: Can't write to file via php, just via ftp...Cananyonehelp?
60609 by: Richard Lynch
ADV. Natural penis enlargement -without surgery-!
60610 by: Guaranteed !
60617 by: Jeffrey Paul
how can i send SMS from Php Scripts ?
60612 by: Damien CAMUS
60645 by: elias
60650 by: Tom Carter
Re: How can i make it so.
60615 by: Chris Fry
PHP and Apache 1.3.12
60616 by: Peter Yung
Re: Newbie: Site search, more than one directory
60618 by: Jeffrey Paul
wish list
60623 by: Erick Calder
PHP EDITOR 4 WINDOWS?
60625 by: Kyle Smith
60627 by: Jon Haworth
60629 by: Henrik Hansen
60652 by: Owen Rudge
60658 by: Keith Jeffery
FAQ
60626 by: Marius Andreiana
60632 by: Henrik Hansen
Web site counter
60631 by: Kyle Smith
60633 by: Henrik Hansen
60636 by: Werner Stuerenburg
60651 by: B. van Ouwerkerk
writing while reading
60635 by: Rui Barreiros
60666 by: scott [gts]
Re: [PHP-INST] How to compile PHP with IMAP option?
60642 by: Jani Taskinen
Make associative array from two arrays
60644 by: elias
Re: Trouble creating a list on months
60647 by: Mark Roedel
CGI installation
60648 by: Sheni R. Meledath
SetLocal() problem
60649 by: Frédéric Mériot
PHP, C++, and LAN
60656 by: Keith Jeffery
Re: Attitude of B van Ouwerkerk
60657 by: scott [gts]
60662 by: Alexander Wagner
fopen(fd, "w") doesn't work?
60660 by: Ibrahim Noor
60663 by: Keith Jeffery
Administrivia:
To subscribe to the digest, e-mail:
php-general-digest-subscribe
lists.php.net
To unsubscribe from the digest, e-mail:
php-general-digest-unsubscribe
lists.php.net
To post to the list, e-mail:
php-general
lists.php.net
----------------------------------------------------------------------
attached mail follows:
I'll try again... my explanation of my exact problem was not too good
last time :P
I am working with the following code:
$text = "##firstname##";
$text = ereg_replace("##([^#]+)##", $row["\\1"], $text);
$row[] is a result of using mysql_fetch_array. I would expect it to
replace ##firstname## with the value of $row["firstname"]... but
nothing happens.
Matthew
attached mail follows:
I am new to using PHP with IMAP?
As I recompile PHP, I use
rm config.cache
./configure --enable-track-vars --enable-force-cgi-redirect --with-gettext --with-mysql --with-sybase=/opt/sybase --with-apxs --with-imap
make
make install
After I restart Apache, it says that
Cannot load /www/libexec/libphp4.so into server: /www/libexec/libphp4.so:
undefined symbol: gss_mech_krb5
Does it mean that I miss the DIR option after "--with-imap"? I am using
Redhat 6.2, what should it always be?
attached mail follows:
Christopher
Quoted directly from the PHP documentation at:
http://www.php.net/manual/en/ref.imap.php
"To get these functions to work, you have to compile PHP
with --with-imap. That requires the c-client library to be installed.
Grab the latest version from ftp://ftp.cac.washington.edu/imap/ and
compile it. Then copy c-client/c-client.a to
/usr/local/lib/libc-client.a or some other directory on your link path
and copy c-client/rfc822.h, mail.h and linkage.h to /usr/local/include
or some other directory in your include path."
-Jeremy
Email: jer2475
home.com
attached mail follows:
>"Ralph Guzman" <raguzman
netraiser.com> wrote in message
> > I am looking for new alternatives in web development and maintenance.
> > Anybody have any suggestions or comments on any open source/commercial
> > PHP+mySQL based CMS programs?
You could check out my web-based CMS SIMPL. It's written in Perl and only
the driver installed on the customer's site is source-readable, but on the
bright side it has:
1. easy webmaster interface
2. ability to change site design at the click of the mouse
3. allows up to a three level hierarchy
4. page renderings are quick, usually under 12 seconds on my voice modem
5. owner viewable page view log including referers
6. cheap; it's bundled with my basic hosting plan and I'm running a
promotional special right now
Check out http://newdiets.com for an example of a SIMPL website, and the
SIMPL demo which is on my business site, http://face2interface.com/Demo
hth,
Marty
Face 2 Interface Web Solutions
Website Creation Made SIMPL(tm)
http://face2interface.com/Demo
attached mail follows:
thanks jon. I think that's a step in the right direction. I've included a
sample of the HTML of the links page so you can get a better idea as to how
i want things to look. Your code below looks awesome, the only thing I was
curious about though was that it would create a table with only one column
when it's running through the loop. maybe I'm wrong, what are your
thoughts?..
here's the html:
<tr>
<td width="160" valign="top" bgcolor="#08296b">
<font face="verdana" size="1">
<a href="http://www.soulive.com" class="hov1"
target="_blank">Soulive</a>
<br><br>
<a href="http://www.addisongroove.com" class="hov1"
target="_blank">Addison Groove Project</a>
<br><br>
<a href="http://www.deepbananablackout.com" class="hov1"
target="_blank">Deep Banana Blackout</a>
<br><br>
<a href="http://www.theslip.com" class="hov1" target="_blank">The
Slip</a>
<br><br>
<a href="http://www.miracleorchestra.com" class="hov1"
target="_blank">Miracle Orchestra</a>
<br><Br>
<a href="http://www.ulu.net" class="hov1" target="_blank">ulu</a>
<br><br>
<a href="http://www.jemstatic.com" class="hov1" target="_blank">Jem
Static</a>
<br><br>
<a href="http://members.aol.com/weezer1029/" class="hov1"
target="_blank">Premiere</a>
<br><br>
<a href="http://www.tgqonline.com" class="hov1" target="_blank">Todd
Gaynor Quartet</a>
</font>
</td>
<td width="160" valign="top" bgcolor="#08296b">
<font face="verdana" size="1">
<a href="http://www.mp3.com" class="hov1" target="_blank">MP3.com</a>
<br><br>
<a href="http://www.soundclick.com" class="hov1"
target="_blank">Soundclick</a>
<br><br>
<a href="http://www.jambase.com" class="hov1"
target="_blank">Jambase</a>
<br><br>
<a href="http://www.jambands.com" class="hov1"
target="_blank">Jambands.com</a>
<br><br>
<a href="http://www.gigcity.com" class="hov1"
target="_blank">GigCity</a>
<br><br>
<a href="http://www.thesoundboard.com" class="hov1"
target="_blank">thesoundboard</a>
</font>
</td>
<td width="160" valign="top" bgcolor="#08296b">
<font face="verdana" size="1">
<a href="http://www.velourmusic.com" class="hov1" target="_blank">Velour
Music</a>
<br><br>
<a href="http://www.gamelan.tv" class="hov1" target="_blank">Gamelan
Productions</a>
<br><br>
<a href="http://www.supersonicrecording.com" class="hov1"
target="_blank">Supersonic Studios</a>
<br><br>
<a href="http://www.ccnow.com" class="hov1" target="_blank">CCNow</a>
<br><br>
<a href="http://www.unionst.com" class="hov1" target="_blank">The
Attic</a>
</font>
</td>
</tr>
</table>
I realize all that is very long, but I wanted you to see it all. that's how
I need it to come out from the db.
thanks a lot, and I'll be working on it myself.
chris
----- Original Message -----
From: Jon Haworth <jhaworth
witanjardine.co.uk>
To: 'Chris Cocuzzo' <cuzo
mediaone.net>; <php-general
lists.php.net>
Sent: Tuesday, July 31, 2001 11:57 AM
Subject: RE: [PHP]REPOST: DB logic help...
> What about something like:
>
> <?php
>
> $sql_bands = "SELECT Link FROM Table WHERE Category='band'";
> $sql_sites = "SELECT Link FROM Table WHERE Category='site'";
> $sql_other = "SELECT Link FROM Table WHERE Category='other'";
>
> $query_bands = mysql_query($sql_bands);
> $query_sites = mysql_query($sql_sites);
> $query_other = mysql_query($sql_other);
>
> echo "<table>";
> echo "<tr><td>Bands</td><td>Sites</td><td>Other</td></tr>";
>
> do {
> $data = false;
> echo "<tr>";
> if ($row_bands = mysql_fetch_array($query_bands)) {
> echo "<td>". $row_bands["Link"]. "</td>";
> $data = true;
> } else {
> echo "<td> </td>";
> }
> if ($row_sites = mysql_fetch_array($query_sites)) {
> echo "<td>". $row_sites["Link"]. "</td>";
> $data = true;
> } else {
> echo "<td> </td>";
> }
> if ($row_other = mysql_fetch_array($query_other)) {
> echo "<td>". $row_other["Link"]. "</td>";
> $data = true;
> } else {
> echo "<td> </td>";
> }
> echo "</tr>";
> } while ($data == true);
>
> echo "</table>";
>
> ?>
>
> It's untested, and fairly inelegant in that you get an empty row at the
> bottom, so you could count the rows for each set beforehand as part of the
> SQL instead of using $data as I have - but it may be a good starting
point.
>
> HTH
> Jon
>
>
> -----Original Message-----
> From: Chris Cocuzzo [mailto:cuzo
mediaone.net]
> Sent: 31 July 2001 16:36
> To: php-general
lists.php.net
> Subject: [PHP]REPOST: DB logic help...
>
>
> hey-
>
> I have a few pages on my website which need to be divided up into
different
> columns and rows based on a category in a table. for example, on a links
> page, I have three different columns, one for bands, one for sites, and
one
> for other things. I'm storing those things in the table with a category
> field, so that when I output the data, it goes to the right place. However
> I'm a little unsure of the actual code to do this...
>
> can someone lend me an example or give me some ideas?
>
> thanks
> chris
>
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: php-general-unsubscribe
lists.php.net
> For additional commands, e-mail: php-general-help
lists.php.net
> To contact the list administrators, e-mail: php-list-admin
lists.php.net
attached mail follows:
How do you turn on/off magic quotes through .htaccess? Is this possible?
attached mail follows:
> How do you turn on/off magic quotes through .htaccess? Is this possible?
php_flag magic_quotes_gpc off
-- WARNING richardzend.com address is an endangered species -- Use ceo
l-i-e.com Wanna help me out? Like Music? Buy a CD: http://l-i-e.com/artists.htm Volunteer a little time: http://chatmusic.com/volunteer.htm
attached mail follows:
I have developed a well tested password protection system using session vars. We have 2 web servers with half of our pages on each (for reasons I won't go into). What I need to be able to do is have a single login that would then work on both servers. Which basically means sharing session vars on 2 servers.
Yes sure I could use just straight cookies because both servers live under the same main domain but I have the system already in place and I don't want to change it.
I think it could be done by forcing the 2 servers to use the session temp same directory with 'session.save_path' variable by using a NFS share. But we would prefer not to do that. And in fact if that was the only solution we would just do without.
Is there something else I can do?
Paul
attached mail follows:
Hi Paul,
If you have a single database between the 2 servers you could implement your own session handlers using PostgreSQL, Mysql or any other db for that matter.
http://php.net/manual/en/function.session-set-save-handler.php
Shouldn't be too difficult to do at all I imagine.
Hope this helps!
-------------------------------- - -- - - -
Philip Murray - webmaster
open2view.com
http://www.open2view.com - Open2View.com
------------- - -- - -
----- Original Message -----
From: "Paul R. Jackson" <paulj
psy.uq.edu.au>
> I have developed a well tested password protection system using session
> vars. We have 2 web servers with half of our pages on each (for reasons I
> wont go into). What I need to be able to do is have a single login that
> would then work on both servers. Which basically means sharing session
vars
> on 2 servers.
>
> Yes sure I could use just straight cookies because both servers live under
> the same main domain but I have the system already in place and I dont
want
> to change it.
>
> I think it could be done by forcing the 2 servers to use the session temp
> same directory with 'session.save_path' variable by using a NFS share. But
> we would prefer not to do that. And in fact if that was the only solution
we
> would just do without.
>
> Is there soemthing else I can do.
>
> Paul
>
>
>
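A database-backed session handler of the kind suggested in the reply above, as an added example that is not code from the thread. The table layout, class name and the in-memory SQLite stand-in for the shared database are assumptions, and it uses the SessionHandlerInterface form of session_set_save_handler() on PHP 7.1 or later rather than the PHP 4 callbacks of the time.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Table and class names are
// assumptions made for illustration. Requires PHP 7.1+ with PDO.

final class PdoSessionHandler implements SessionHandlerInterface
{
    private $pdo;

    public function __construct(PDO $pdo)
    {
        // Fail loudly on SQL errors instead of silently losing session data.
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $this->pdo = $pdo;
    }

    public function open($path, $name): bool { return true; }
    public function close(): bool { return true; }

    #[\ReturnTypeWillChange]
    public function read($id)
    {
        // Prepared statements keep the cookie-supplied session id out of the SQL text.
        $stmt = $this->pdo->prepare('SELECT data FROM sessions WHERE id = ?');
        $stmt->execute([$id]);
        $data = $stmt->fetchColumn();
        return $data === false ? '' : (string) $data;
    }

    public function write($id, $data): bool
    {
        // Delete-then-insert in one transaction works on MySQL, PostgreSQL and SQLite.
        $this->pdo->beginTransaction();
        try {
            $this->pdo->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
            $this->pdo->prepare('INSERT INTO sessions (id, data, touched) VALUES (?, ?, ?)')
                      ->execute([$id, $data, time()]);
            return $this->pdo->commit();
        } catch (Throwable $e) {
            $this->pdo->rollBack();
            throw $e;
        }
    }

    public function destroy($id): bool
    {
        $this->pdo->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
        return true;
    }

    #[\ReturnTypeWillChange]
    public function gc($max_lifetime)
    {
        // Expire rows that have not been written for longer than the session lifetime.
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE touched < ?');
        $stmt->execute([time() - (int) $max_lifetime]);
        return $stmt->rowCount();
    }
}

// Constructed demo: an in-memory SQLite database stands in for the shared
// MySQL/PostgreSQL server that both web servers would connect to.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE sessions (
    id      VARCHAR(128) NOT NULL PRIMARY KEY,
    data    TEXT         NOT NULL,
    touched INTEGER      NOT NULL
)');

$serverA = new PdoSessionHandler($pdo);   // handler as registered on server A
$serverB = new PdoSessionHandler($pdo);   // handler as registered on server B

// A login on server A stores the session; a later request to server B reads it.
$serverA->write('constructed-session-id', 'user|s:4:"paul";');
echo $serverB->read('constructed-session-id'), "\n";

// In a real page, register the handler before starting the session:
// session_set_save_handler($serverA, true);
// session_start();
```

Both servers must also issue the session cookie with the same session.name and a cookie domain that covers both hosts. This handler does not lock rows, so concurrent requests on one session can overwrite each other's writes.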
attached mail follows:
Apache mod_perl children were segfaulting on this:
DBI->connect('DBI:mysql:irrelevant:irrelevant', 'irrelevant', 'irrelevant');
(Literally)
I fixed it by recompiling Msql-Mysql-modules against a newer version of the MySQL client library. If you are suffering from this problem, make sure you don't have libmysqlclient.so.9 lying about.
Easily diagnosed with "strace httpd -X"
I guess the moral of the story is to delete all your old libraries when you upgrade your DB, and whip around recompiling everything that breaks (sometimes a brave move).
This is fodder for the search engines, in case you couldn't tell. I'm crossing it to the PHP group because this problem has been mentioned there before, because it only crops up when PHP is compiled into Apache.
-- _________________________________________________________________________ Andrew Donkin Waikato University, Hamilton, New Zealand
attached mail follows:
In case you still need it. Here is a big one I forgot to mention:
http://www.dialpad.com/
Not sure how much of their site is PHP, but their user registration and member backend is PHP driven.
-----Original Message-----
From: Ralph Guzman [mailto:raguzman
netraiser.com]
Sent: Tuesday, July 31, 2001 1:59 AM
To: Maurice Rickard; php-general
lists.php.net
Subject: RE: [PHP] Example high-profile PHP sites
here are a few:
http://www.marketplayer.com: they provide the real-time stock market simulations for sites like etrade.com and smartmoney.com that have these games.
-----Original Message-----
From: Maurice Rickard [mailto:maurice
mauricerickard.com]
Sent: Thursday, July 26, 2001 9:36 AM
To: php-general
lists.php.net
Subject: [PHP] Example high-profile PHP sites
For a number of reasons, I need to offer a client a list of big, impressive-sounding, high-profile sites using PHP. I went looking for the list on PHP.net, and the closest I could find is http://pt2.php.net/sites.php which, as you'll see, is suffering from a fatal error.
I did find a list at http://php.datalogica.com/sites.php which, while helpful, seems a bit dated. Does anyone have some favorite examples that aren't on this list?
I've been preparing other arguments as well, but the "all the cool people are doing it" examples will help.
Thanks!
-- Maurice Rickard http://mauricerickard.com/
attached mail follows:
In article <DGEILLMLDFCLCLGOEKMIMEJMCPAA.raguzman
netraiser.com>,
raguzman
netraiser.com (Ralph Guzman) wrote:
> In case you still need it. Here is a big one I forgot to mention:
>
> http://www.dialpad.com/
>
> Not sure how much of their site is PHP, but their user registration and
> member backend is PHP driven.
Entertainment site thewb.com uses PHP for the interactive areas (message boards, polls, etc.).
-- CC
attached mail follows:
www.audiogalaxy.com is almost entirely PHP
> -----Original Message-----
> From: CC Zona [mailto:cczona
nospam.invalid]
> Sent: Wednesday, August 01, 2001 4:57 AM
> To: php-general
lists.php.net
> Subject: Re: [PHP] Example high-profile PHP sites
>
>
> In article <DGEILLMLDFCLCLGOEKMIMEJMCPAA.raguzman
netraiser.com>,
> raguzman
netraiser.com (Ralph Guzman) wrote:
>
> > Incase you still need it. Here is a big one I forgot to mention:
> >
> > http://www.dialpad.com/
> >
> > Not sure how much of their site is PHP, but their user registration and
> > member backend is PHP driven.
>
> Entertainment site thewb.com uses PHP for the interactive areas (mesage
> boards, polls, etc.).
>
> --
> CC
attached mail follows:
I have been developing PHP for a while now, and I am wondering how other developers find their PHP hosting company. So far this has not been an issue for me because I am always in full control of my servers (well, as much control as possible with any web server :), but recently we have begun to host other PHP sites.
We want to make sure that we are providing appropriate support to our PHP developers. I see too many hosting companies saying that they support PHP, but not having anyone familiar with PHP on hand. We want to have actual support, a developer to call when you have a PHP issue.
What do you think a medium sized hosting company could do to give you (the developer) better service and support?
Is access to professional PHP developers useful when an issue arises?
Are hosting companies reluctant to give you more access rights?
Are they willing to re-compile their PHP build to add other options?
How long do requested changes to the server take?
What other suggestions do you have for improving the relationship between the server administrator and the PHP developer?
I spent some time going through the PHP site looking at the list of hosts supporting PHP, but I didn't find any real discussion about what people want in a host (although I did find plenty of things they don't want :).
I just figured that I would ask the PHP community exactly what they wanted. Thank you for any insight that you can give me.
--derek
----------------------------------------
Derek Del Conte <derek
gambitdesign.com>
Gambit Design Internet Services
610.444.2443 610.368.9845 cellular
110 East State Street, Suite 18, Kennett Square, PA 19348
attached mail follows:
"Derek Del Conte" <derek
gambitdesign.com> wrote a lot that I snipped
:-)
Dear Derek
To give you some input I can tell you about some recently experienced things in my php world...
I: My homepage is running on a server which hosts a lot of other domains. Therefore I contacted the company to know if they had any plans about the security issues that arise when many php developers can "steal" anything they want from other sites on the same server. The response was that there they knew the security wasn't ok but nobody could access sensitive information (?!).
a) They don't know better/Don't have a person that actually knows php. Or
b) They lie hoping that I won't notice
They also told me that they would not do a thing about it
What I wanted was:
a) An honest answer
b) A promise to look into it, report back and maybe fix the problem or warn about the risk. Not just look the other way pretending that there's no problem.
II: As a developer I want access to several databases - not just one. The company that hosts my site refuses to create more than one database because of the resources (human and technical) it takes.
I hope you could this.
Regards Soeren Nielsen
attached mail follows:
I am not sure a php developer would need help from another php developer at the hosting company. What we need is:
-Sys Admin that understands php.
-Sys Admin that knows how to secure the server and is able to tell the developer what to follow in order to build secure code. If system commands are disabled, developers should know. The developers should know exactly their options and access rights. Then they have the choice to build around that or host elsewhere.
-Time, we need fast, fast and very fast response. (2 days to create a database is 47 hours too much!)
-The ability to put some stuff out of the web server tree. (like file with passwords or secret hash string)
-Honesty! I got a lot of "we will look into that..." or "no our server was never spammed or attacked..." with some company that were pure lies.
py
----- Original Message -----
From: "Derek Del Conte" <derek
gambitdesign.com>
To: <php-general
lists.php.net>
Sent: Wednesday, August 01, 2001 3:06 AM
Subject: [PHP] What would you want in a PHP web host?
> I have been developing PHP for a while now, and I am wondering how other
> developers find their PHP hosting company. So far this has not been an
> issue for me because I am always in full control of my servers (well, as
> much control as possible with any web server :), but recently we have
begun
> to host other PHP sites.
>
> We want to make sure that we are providing appropriate support to our PHP
> developers. I see too many hosting companies saying that they support
PHP,
> but not having anyone familiar with PHP on hand. We want to have actual
> support, a developer to call when you have a PHP issue.
>
>
> What do you think a medium sized hosting company could do to give you (the
> developer) better service and support?
>
> Is access to professional PHP developers useful when an issue arises?
>
> Are hosting companies reluctant to give you more access rights?
>
> Are they willing to re-compile their PHP build to add other options?
>
> How long do requested changes to the server take?
>
> What other suggestions do you have for improving the relationship between
> the server administrator and the PHP developer?
>
>
> I spent some time going through the PHP site looking at the list of hosts
> supporting PHP, but I didn't find any real discussion about what people
want
> in a host (although I did find plenty of things they don't want :).
>
> I just figured that I would ask the PHP community exactly what they
wanted.
> Thank you for any insight that you can give me.
>
> --derek
>
> ----------------------------------------
> Derek Del Conte <derek
gambitdesign.com>
> Gambit Design Internet Services
> 610.444.2443 610.368.9845 cellular
> 110 East State Street, Suite 18, Kennett Square, PA 19348
attached mail follows:
Whenever i get a php script off a website why is it that most of the main parts in the script have a space from the left border. eg
<?php echo"spazzzzzzz"; ?>
????
-lk6- http://www.StupeedStudios.f2s.com Home of the burning lego man!
ICQ: 115852509
MSN: dbzno1fan
hotmail.com
AIM: legokiller666
attached mail follows:
I presume you mean code layout. It's there to make code easier to read.
eg some silly code
for ($x=0;$x<100;$x++) {
    while ($i<50) {
        print $i;
    }
}
This is more legible than
for ($x=0;$x<100;$x++) { while ($i<50) { print $i; } }
Indentation makes it easier to spot where your code constructs - if, switch, while etc - start and end.
Hope that explains it a little. Do a search for code layout in google, and read up on it, and check out a few examples. There are a number of coding styles, find one that you like, and be consistent. Remember to also comment your code, as well as making it presentable. If you look back at old code in a few years time you'll be grateful you did.
Cheers,
Lawrence.
-----Original Message-----
From: Kyle Smith [mailto:dbzno1fan
hotmail.com]
Sent: August 1, 2001 11:42 PM
To: php-general
lists.php.net
Subject: [PHP] Hmmm?
Whenever i get a php script off a website why is it that most of the main parts in the script have a space from the left border. eg
<?php echo"spazzzzzzz"; ?>
????
-lk6- http://www.StupeedStudios.f2s.com Home of the burning lego man!
ICQ: 115852509
MSN: dbzno1fan
hotmail.com
AIM: legokiller666
attached mail follows:
It's called indenting. It's just there to make the script more readable. That's common to almost all programming languages. Some programmers don't indent their code anyhow. Basically you increase the indent whenever you enter a deeper code block.
"Kyle Smith" <dbzno1fan
hotmail.com> wrote in message
news:OE67QR7Ia6XH4WdMCAR0000652e
hotmail.com...
Whenever i get a php script off a website why is it that most of the main
parts in the script have a space from the left border. eg
<?php echo"spazzzzzzz"; ?>
????
-lk6- http://www.StupeedStudios.f2s.com Home of the burning lego man!
ICQ: 115852509
MSN: dbzno1fan
hotmail.com
AIM: legokiller666
attached mail follows:
It's called readability. The reason to use it is for a better programming style.
-maxim maletsky
-----Original Message-----
From: Kyle Smith [mailto:dbzno1fan
hotmail.com]
Sent: Thursday, August 02, 2001 12:42 AM
To: php-general
lists.php.net
Subject: [PHP] Hmmm?
Whenever i get a php script off a website why is it that most of the main parts in the script have a space from the left border. eg
<?php echo"spazzzzzzz"; ?>
????
-lk6- http://www.StupeedStudios.f2s.com Home of the burning lego man!
ICQ: 115852509
MSN: dbzno1fan
hotmail.com
AIM: legokiller666
attached mail follows:
Simply indent formatting for readability. I personally don't indent after the <? tag, but to each his/her own.
"Kyle Smith" <dbzno1fan
hotmail.com> wrote in message
news:OE67QR7Ia6XH4WdMCAR0000652e
hotmail.com...
Whenever i get a php script off a website why is it that most of the main
parts in the script have a space from the left border. eg
<?php echo"spazzzzzzz"; ?>
????
-lk6- http://www.StupeedStudios.f2s.com Home of the burning lego man!
ICQ: 115852509
MSN: dbzno1fan
hotmail.com
AIM: legokiller666
attached mail follows:
On Wednesday 01 August 2001 02:02, Yasuo Ohgaki wrote:
> "Meir Kriheli" <mksoft
netvision.net.il> wrote in message
> news:200107311305.QAA02887
mailgw1.netvision.net.il...
>
> > Hi,
> > I need another pair of eyes to see if I've overlooked something.
>
> SNIP
>
> > so
> > '{pass1}=={pass2}'
> >
> > is converted to
> > '$GLOBALS['pass1']==$GLOBALS['pass2']'
> >
> > When the form is validated I'm running eval() to evaluate the
> > expression. I'm concerned that there's an exploit somewhere, maybe a
> > user entering some malicious data (I don't like using eval that often).
> > But I'm not using eval() directly on user entered data, and I can't
> > see where it is possible.
>
> Where pass1,pass2,etc came from? I guess from user and you set
They come from the form.
> register_globals=on in your php.ini. If this is the case, your script
> is exploitable probably.
> "register_globals=off" in your php.ini and use $HTTP_*_VARS.
>
> If you want to protect values set by PHP also, I've posted sample
> function at zend.com recently.
> http://www.zend.com/codex.php?id=626&single=1
> (Protect values (GET/POST/COOKIE) set by PHP)
>
> Regards,
> --
> Yasuo Ohgaki
I don't think this is much of a problem. I unset() all the global session variables before I use them so this should be no problem.
Even if an attacker tries to set some value for a script variable, this var will be unset() and then read from the session, so no harm is done.
On the other hand there should be no problem to change GLOBALS to HTTP_XXX_VARS.
But as I've said this isn't a problem. Can you see some way to exploit the eval() function?
Thank you
-- Kriheli Meir
attached mail follows:
>> But I'm not using eval() directly on user entered data, and I can't
>> see where it is possible.
Yes, you are.
pass1 is coming from the user, is it not?
You are using eval() to decide if pass1 and pass2 are equal, are you not?
You are therefore directly eval-ing user code.
> "register_globals=off" in your php.ini and use $HTTP_*_VARS.
Sigh. This does *NOT* provide *ANY* protection *WHATSOEVER*.
The user can *STILL* POST malicious data, and you are *STILL* going to eval() it.
I dunno *WHY* so many people are running around saying register_globals Off and HTTP_xxx_VARS makes your data "safe".
IT DOESN'T.
It *ONLY* keeps a hacker from using GET URL's to over-write POST data, which they can edit in a text editor and send any damn thing they want anyway. (And vice versa.) Ditto for COOKIE data.
It does *NOT* stop a hacker from using GET/POST to initialize variables that were never set. Turn on E_NOTICE, damnit.
I REPEAT:
register_globals off and HTTP_xxx_VARS being more "secure" is a gross exaggeration.
It will only trip the dumbest of the dumb trying to crack your site -- We're talking lower than script-kiddies. Think Joe Sixpack and Betsy Buick here. Normal users who have noticed those funky things in URLs and decided to play around with them on FORMs to see what they can do.
A *REAL* script-kiddie (did I just say that?) would take your HTML FORM, edit it in NotePad, and then POST their malicious data and your HTTP_POST_VARS have *bad* things in it.
-- WARNING richardzend.com address is an endangered species -- Use ceo
l-i-e.com Wanna help me out? Like Music? Buy a CD: http://l-i-e.com/artists.htm Volunteer a little time: http://chatmusic.com/volunteer.htm
attached mail follows:
On Wednesday 01 August 2001 10:20, Richard Lynch wrote:
> >> But I'm not using eval() directly on user entered data, and I can't see
> >> where it is possible.
>
> Yes, you are.
>
> pass1 is coming from the user, is it not?
>
> You are using eval() to decide if pass1 and pass2 are equal, are you not?
>
> You are therefore directly eval-ing user code.
>
> > "register_globals=off" in your php.ini and use $HTTP_*_VARS.
>
> Sigh. This does *NOT* provide *ANY* protection *WHATSOEVER*.
>
> The user can *STILL* POST malicious data, and you are *STILL* going to
> eval() it.
Actually the eval()ed string would be:
eval('$a = $GLOBALS["pass1"]==$GLOBALS["pass2"];');
So there is no direct eval on the user data. I'm also using single quotes so no special meaning chars would be expanded.
> I REPEAT:
>
> register_globals off and HTTP_xxx_VARS being more "secure" is a gross
> exaggeration.
>
> It will only trip the dumbest of the dumb trying to crack your site --
> We're talking lower than script-kiddies. Think Joe Sixpack and Betsy Buick
> here. Normal users who have noticed those funky things in URLs and decided
> to play around with them on FORMs to see what they can do.
>
> A *REAL* script-kiddie (did I just say that?) would take your HTML FORM,
> edit it in NotePad, and then POST their malicious data and your
> HTTP_POST_VARS have *bad* things in it.
Yes and I agree with you (see the answer to Yasuo). The only concern is GPC vars overwriting script vars, and as mentioned I unset those vars before assigning them a value or before using session register to get their values.
-- Kriheli Meir
attached mail follows:
> It does *NOT* stop a hacker from using GET/POST to initialize variables that
> were never set. Turn on E_NOTICE, damnit.
Whoops. That part of my rant was patently false. I was on a roll, though :-)
If register_globals is off, of course POST 'i' can't over-ride your uninitialized $i variable.
You *still* oughta have E_NOTICE on and test every line of code anyway, though :-)
And I still think sanitizing user-input, which you have to do anyway, and initializing every non-user-input variable, which you ought to do, is the Right Way to go instead of cluttering up your code with HTTP_xxx_VARS and making life difficult for newbies. YMMV.
Sorry for the multiple posts.
-- WARNING richardzend.com address is an endangered species -- Use ceo
l-i-e.com Wanna help me out? Like Music? Buy a CD: http://l-i-e.com/artists.htm Volunteer a little time: http://chatmusic.com/volunteer.htm
attached mail follows:
Hi Richard,
I guess you miss my point. I always suggest checking all user inputs (GET/POST/COOKIE); they are all unsafe unless they are checked. Anyone can spoof these variables easily with little knowledge, and attackers do not have to be experienced to attack PHP scripts. Elementary school kids can effectively attack poorly written code :)
Take a look at my tip at zend.com that was posted months ago
http://www.zend.com/tips/tips.php?id=195&single=1 (There are many reasons why PHP user should set register_globals=off, enable_track_vars=on default from PHP4.0.3, error_reporting=E_ALL. With these settings, writing secure code is a lot easier. In addition, register_globals=off would be default for PHP4.1 or PHP5.0. )
and
Recent discussion in php-dev list. There is long thread regarding register_globals and others. This is one of them. The thread is really long.... So I didn't bother to find the first one.
http://marc.theaimsgroup.com/?l=php-dev&m=99631966717767&w=2
You will see what I mean. It needs too much typing to explain fully...
Regards,
-- Yasuo Ohgaki
attached mail follows:
> I don't think this is much of a problem. I unset() all the global session
> variables before I use them so this should be no problem.
All inputs (GET/POST/COOKIE) from users must be checked if you worry about security. You might have done so already.
> Even if an attacker tries to set some value for a script variable, this var
> will be unset() and then read from the session, so no harm is done.
>
> On the other hand there should be no problem to change GLOBALS to
> HTTP_XXX_VARS.
The reason why I recommend to set register_globals=off, is it's a lot easier to write secure code with register_globals=off.
I also recommend you use error_reporting=E_ALL, since it seems you care about security. Scripts that I write will catch every error/warning/notice as a fatal error and display a page saying "There is critical error. Details are sent to system administrator." They catch most errors, including malformed user inputs and system errors like being unable to open connections, and display an appropriate error page. They never raise any PHP error/warning/notice unless there is something really wrong.
By the way, my code posted at zend.com will not catch all errors. I didn't put complete sources there. It would be too long for an example :)
> But as i've said this isn't a problem. Can you see some way to exploit the
> eval() function ?
I cannot tell if your script is exploitable or not. Just too little info to tell that.
Refer to my other reply, I guess you'll get my point.
Regards,
-- Yasuo Ohgaki
attached mail follows:
On Wednesday 01 August 2001 13:54, Yasuo Ohgaki wrote:
> > I don't think this is much of a problem. I unset() all the global session
> > variables before I use them so this should be no problem.
>
> All inputs (GET/POST/COOKIE) from users must be checked if you worry
> about security. You might have done so already.
>
> > Even if an attacker tries to set some value for a script variable, this var
> > will be unset() and then read from the session, so no harm is done.
> >
> > On the other hand there should be no problem to change GLOBALS to
> > HTTP_XXX_VARS.
>
> The reason why I recommend to set register_globals=off, is it's a lot
> easier to write secure code with register_globals=off.
Yes I know, but if those scripts are going to be used on different servers, with different types of php coders, you can't be sure what is the value of register_globals (actually, some scripts need it to be on). So it is a little work, but you can be sure that your script will work everywhere.
Basically it is a good idea not to write scripts that depend on php's settings, to make sure that they'll work everywhere.
Take for example the value of magic_quotes_gpc. To be sure that your script will work correctly, don't assume that it is always on (or off). So you can write
if (!get_magic_quotes_gpc()) $var = addslashes($var);
or write a function myaddslashes that does the same thing.
> I also recommend you use error_reporting=E_ALL, since it seems you
> care about security. Scripts that I write will catch all
> error/warning/notice as fatal error and displays a page telling "There
> is critical error. Details are sent to system administrator." They
> catch most of errors including malformed user inputs, system errors
> like cannot open connections, etc and display appropriate error page.
> They never raise any PHP error/warning/notice unless there is
> something really wrong.
Thanks for this tip :-)
> By the way, my codes posted at zend.com will not catch all errors. I
> didn't put complete sources there. It will be too long for an example :)
>
> > But as i've said this isn't a problem. Can you see some way to
> > exploit the eval() function ?
>
> I cannot tell if your script is exploitable or not.
> Just too little info to tell that.
Is this statement safe ?
eval('$a = $GLOBALS["pass1"]==$GLOBALS["pass2"]');
I've tried different kind of inputs to execute arbitrary php code, but found no such exploit. Maybe you can see something that I can't.
> Refer to another my reply, I guess you'll get my point.
>
> Regards,
> --
> Yasuo Ohgaki
Thanks
-- Kriheli Meir
attached mail follows:
> Is this statement safe ?
>
> eval('$a = $GLOBALS["pass1"]==$GLOBALS["pass2"]');
Maybe I'm missing the point, but why not just go:
$a = $GLOBALS["pass1"]==$GLOBALS["pass2"];
-- Phil Driscoll
attached mail follows:
On Wednesday 01 August 2001 15:46, Phil Driscoll wrote:
> > Is this statement safe ?
> >
> > eval('$a = $GLOBALS["pass1"]==$GLOBALS["pass2"]');
>
> Maybe I'm missing the point, but why not just go:
> $a = $GLOBALS["pass1"]==$GLOBALS["pass2"];
I'm writing a form class which can also validate the form and I want to define the rules for validating the forms, so when defining the form I can add
$form->AddRule('{pass1}=={pass2}','The 2 passowrd must be equal');
And this rule will be expanded to
$a = $GLOBALS["pass1"]==$GLOBALS["pass2"]
and validated through eval.
When I call the
$form->validate();
The class iterates through the rules array and in case of an unmet condition (!$a) will return the error string associated with the rule.
This method gives great flexibility, and as a result I can define any rule as long as it is valid php code.
Hope you get the idea
-- Kriheli Meir
attached mail follows:
On Wednesday 01 August 2001 13:51, Meir Kriheli wrote:
> I'm writing a form class which can also validate the form and I want to
> define the rules for validating the forms, so when defining the form I can
> add...
Sorry - I should have read your earlier post :)
I suspect that you are probably safe in this instance, however I always play safe on this kind of thing and sacrifice functionality for security. I'm sure you can devise rules which will be obviously unsafe, but you may also be able to devise rules which look safe on the surface, but may be exploitable after careful study. If it was my project, I think I would devise a system which avoided the use of eval - even if it meant losing some performance and versatility.
Cheers
-- Phil Driscoll
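One way to keep the AddRule()-style validation discussed in this thread while avoiding eval(), as Phil Driscoll suggests above. This is an added example, not code from any poster; the class name RuleForm, the operator names and the sample submissions are assumptions made here, and it needs PHP 7.4 or later.

```php
<?php
// Added example: declarative form rules checked without eval().
// A rule is plain data (field, operator, operand). Operators come from a
// fixed whitelist of closures, so neither a rule nor a submitted value is
// ever parsed or executed as PHP source.

final class RuleForm
{
    /** @var array<string, callable> operator name => comparison */
    private array $operators;

    /** @var array<int, array> rules in the order they were added */
    private array $rules = [];

    public function __construct()
    {
        $this->operators = [
            // === compares strings byte for byte; == would treat numeric
            // strings such as "1e3" and "1000" as equal.
            'equals'     => fn(string $a, string $b): bool => $a === $b,
            'not_equals' => fn(string $a, string $b): bool => $a !== $b,
            'min_length' => fn(string $a, string $b): bool => strlen($a) >= (int) $b,
            'matches'    => fn(string $a, string $b): bool => preg_match($b, $a) === 1,
        ];
    }

    /**
     * With $operandIsField = true, $operand names another submitted field;
     * otherwise it is a constant chosen by the developer (a length, a regex).
     */
    public function addRule(string $field, string $op, string $operand,
                            string $message, bool $operandIsField = false): void
    {
        if (!isset($this->operators[$op])) {
            throw new InvalidArgumentException("Unknown operator: $op");
        }
        $this->rules[] = [$field, $op, $operand, $operandIsField, $message];
    }

    /** Returns the messages of every rule the submitted input fails. */
    public function validate(array $input): array
    {
        $errors = [];
        foreach ($this->rules as [$field, $op, $operand, $isField, $message]) {
            $left  = $this->stringField($input, $field);
            $right = $isField ? $this->stringField($input, $operand) : $operand;
            // A missing or non-string field fails the rule instead of being coerced.
            if ($left === null || $right === null
                || !($this->operators[$op])($left, $right)) {
                $errors[] = $message;
            }
        }
        return $errors;
    }

    private function stringField(array $input, string $name): ?string
    {
        // A request can send name[]=x, which arrives as an array: reject it.
        return isset($input[$name]) && is_string($input[$name]) ? $input[$name] : null;
    }
}

$form = new RuleForm();
$form->addRule('pass1', 'equals', 'pass2', 'The 2 passwords must be equal', true);
$form->addRule('pass1', 'min_length', '8', 'The password must be at least 8 characters');

// Constructed sample submissions (in a real script this would be $_POST).
$samples = [
    'matching'      => ['pass1' => 'correct horse', 'pass2' => 'correct horse'],
    'mismatch'      => ['pass1' => 'correct horse', 'pass2' => 'correct hors'],
    'php-like text' => ['pass1' => '1==1; echo 1;', 'pass2' => '1==1; echo 1;'],
    'array field'   => ['pass1' => ['x'], 'pass2' => 'x'],
];
foreach ($samples as $label => $input) {
    $errors = $form->validate($input);
    echo $label, ': ', $errors ? implode(' | ', $errors) : 'ok', "\n";
}
```

The trade-off is the one named in the thread: a new kind of rule needs a new whitelisted operator instead of an arbitrary PHP expression.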
attached mail follows:
> Take for example the value of magic_quotes_gpc. To be sure that your script
> will work correctly, don't assume that it is always on (or off). So
> you can write
>
> if (!get_magic_quotes_gpc()) $var = addslashes($var);
>
> or write a function myaddslashes that does the same thing.
Right. I don't like magic quote at all. I think this feature is encouraging PHP users to write insecure code. I mean magic quote feature hides a little security issue, but it seems the feature makes difficult to understand why and how unquoted strings can be dangarous in scripts for many PHP users. It's confusing for new users. It also slows things down a little, since I need to check if the feature is turned on or off, do stripslashes() when escape is not needed if it is on. I wish this feature is going to disappear in next major release, at least default to off.
> Is this statement safe ?
>
> eval('$a = $GLOBALS["pass1"]==$GLOBALS["pass2"]');
>
> I've tried different kind of inputs to execute arbitrary php code, but found
> no such exploit. Maybe you can see something that I can't.
If you are sure one of them is actually loaded from DB or else and if your code checks null values for system's value, it's safe.
BTW, are you using CHAP like method for password? If your code doesn't, I suggest to use it.
Regards,
-- Yasuo Ohgaki
attached mail follows:
Sorry
> difficult to understand why and how unquoted strings can be dangarous
This line should be
difficult to understand why and how unescaped strings can be dangerous
Regards,
-- Yasuo Ohgaki
attached mail follows:
I have a lot of php scripts developed with php3. I've installed php4 and I get some warnings when I evaluate variables there are not set (are empty). In php3 there was no problem (no warning). If I modify the code by using empty($var) or isset($var) it's ok, but there are lots of such issues. How could I manage this without major changes?
attached mail follows:
Just set warnings to off in your php.ini - it's on by default
Chris
Melania Popescu wrote:
> I have a lot of php scripts developed with php3.
> I've installed php4 and I get some warnings when I
> evaluate variables there are not set (are empty).
> In php3 there was no problem (no warning).
> If I modify the code by using empty($var) or
> isset($var) it's ok, but there are lots of such
> issues.
> How could I manage this without major changes?
--Chris Fry Quillsoft Pty Ltd Specialists in Secure Internet Services and E-Commerce Solutions 10 Gray Street Kogarah NSW 2217 Australia
Phone: +61 2 9553 1691 Fax: +61 2 9553 1692 Mobile: 0419 414 323 eMail: chris
quillsoft.com.au http://www.quillsoft.com.au
You can download our Public CA Certificate from:- https://ca.secureanywhere.com/htdocs/cacert.crt
attached mail follows:
check php.ini and the key "error_reporting"
"Melania Popescu" <melania_popescu
yahoo.com> wrote in message
news:20010801080104.35221.qmail
web20107.mail.yahoo.com...
> I have a lot of php scripts developed with php3.
> I've installed php4 and I get some warnings when I
> evaluate variables there are not set (are empty).
> In php3 there was no problem (no warning).
> If I modify the code by using empty($var) or
> isset($var) it's ok, but there are lots of such
> issues.
> How could I manage this without major changes?
attached mail follows:
On Wednesday 01 August 2001 09:21, Chris Fry wrote:
> Just set warnings to off in your php.ini - it's on by default
NO NO NO! On your development machine, set your warning levels to E_ALL in php.ini, and then fix your code! Every warning message you get represents an opportunity for a malicious user to find a secutiry hole in your code.
As a general and safe rule, any code which reports warnings when error reporting is set to E_ALL is just not good enough!
This may mean a lot of work, but it will probably be less than the work involved in fixing up your system after it has been compromised.
Cheers
-- Phil Driscoll
attached mail follows:
On Wednesday 01 August 2001 13:29, Phil Driscoll wrote:
> Every warning message you get represents an
> opportunity for a malicious user to find a secutiry hole in your code.
Oops - I meant to say 'security hole' - I wish both my hands would type at the same speed :)
-- Phil Driscoll
attached mail follows:
I assume that
$m = 07;
$y = 2001;
$d = 31;
echo count($this->arrEvents[$y][$m][$d]);
is in a method of the class that $someclass is a method of, something like:
class fred {
    function dispcount() {
        $m = 07;
        $y = 2001;
        $d = 31;
        echo count($this->arrEvents[$y][$m][$d]);
    }
}
$Events[2001][07][31][0] = 12;
$Events[2001][07][31][1] = 13;
$Events[2001][07][31][2] = 45;
// a leading zero makes an octal literal and 08 is not valid octal, so write 8 and 1
$Events[2001][8][1][0] = 35;
$someclass = new fred();
$someclass->arrEvents = $Events;
$someclass->dispcount();
this works, is your code working differently to this?
Tim
----------
From: Johnny Nguyen [SMTP:johnny
zugara.com]
Sent: 31 July 2001 23:58
To: php-general
lists.php.net
Subject: [PHP] Counting Multidimensional Arrays
Given
//////////////////////////////////////////////////////////////////////////////////////////
$Events[2001][07][31][0] = new ZEvent("Some Event 0", "Some Description 0", "07-31-2001");
$Events[2001][07][31][1] = new ZEvent("Some Event 1", "Some Description 1", "07-31-2001");
$Events[2001][07][31][2] = new ZEvent("Some Event 2", "Some Description 2", "07-31-2001");
$Events[2001][08][01][0] = new ZEvent("Some Event 0", "Some Description 0", "08-01-2001");
if I set.
$someclass->arrEvents = $Events;
and then inside of some class i say.
$m = 07; $y = 2001; $d = 31; echo count($this->arrEvents[$y][$m][$d]);
Shouldn't I get 3 as my output? For some reason I am getting 0.
However, if I do:
foreach ($someclass->arrEvents[2001][07][31] as $someevent) { echo $someevent->getName(); }
I get the correct output:
"Some Event 0Some Event 1Some Event 2"
Any ideas on how to get the correct count within someclass?
Regards, Johnny Nguyen
attached mail follows:
Well, you have to treat all the user's input as a string actually. So basically only one data type. Now as for splitting and joining, you can make up a splitting character, let's say: |*^| and see if the user entered this in some of his input. It's really rare to have such a weird combination of characters to be input by users. Use javascript to validate before submitting.
Well yes, the size of the string produced by serialize is huge, why not try compressing it before storing it? bzcompress()
"Warren Vail" <warren
netbacca.com> wrote in message
news:001a01c119ce$88a8b640$b5887ed8
nicker...
> I never seem to be lucky enough to be sure of the type of data stored in a
> php array, since php handles mixtures of types so forgivingly, and because
> most of my data comes from forms, with users key in what they like,
> including double and single quotes, parentheses (and especially commas, how
> do you prevent breaking up your array and putting it back together with a
> different row count because someone keyed in a comma?), etc. I would think
> you would have to go to a lot of trouble to make sure that an array contains
> only numeric data, or only strings that did not contain problem causing
> characters.
>
> You are right about more space being required for serialize, I often have to
> resort to TEXT data types to provide enough space in the column for data
> (65k runs out fast), and that is a bit slower as well.
>
> Warren
>
> -----Original Message-----
> From: elias [mailto:elias_bachaalany
yahoo.com]
> Sent: Tuesday, July 31, 2001 8:09 AM
> To: php-general
lists.php.net
> Subject: Re: [PHP] Re: storing array in mysql
>
> Yes true, you can use serialize.
>
> But since you know the format of your $array variable (which is simply
> holding one data type) you can safely use split() and join()
> better and smaller when stored in that field because they are comma
> seperated.
>
> "Warren Vail" <warren
availabletech.com> wrote in message
> news:001701c119c8$562b0ca0$b5887ed8
nicker...
> > What I have used to store an array in mysql is;
> >
> > $value = addslashes(serialize($array));
> > $query = "INSERT INTO table (column) VALUES (\"$value\")"
> >
> > and upon retrieval
> > $query = "SELECT column FROM table";
> > .....
> > while($row = mysql_fetch_array($result)) {
> > $value = unserialize(stripslashes($row["column"]));
> > }
> >
> > Note: serialize allows me to store the array in a single column and
> > addslashes makes the data mysql safe (i.e. allows me to store quotes in the
> > column, just in case they are in the array).
> >
> > Warren Vail
> >
> > -----Original Message-----
> > From: elias [mailto:elias_bachaalany
yahoo.com]
> > Sent: Tuesday, July 31, 2001 4:05 AM
> > To: php-general
lists.php.net
> > Subject: [PHP] Re: storing array in mysql
> >
> > when you submit this form, PHP will give a array variable called $name
> >
> > you can store in in MySql as:
> >
> > <?
> > // will make the $name as a comma seperated string
> > $str = join(",", $name);
> > insert into tablename(id, value) VALUES(null, '$str');
> > ?>
> >
> > now to reget the array, you can select it back from MySql and split it as:
> > <?
> > $name = split(",", $str);
> > ?>
> >
> > //elias
> > "Matthew Delmarter" <matt
adplusonline.com> wrote in message
> > news:NDBBKBIHLCDMDICHLDKGIECOCGAA.matt
adplusonline.com...
> > > Hi all,
> > >
> > > I want to store the results of a multiple select input box in a mysql
> > > db. The box looks like this:
> > > <select name='name[]' size='5' multiple>
> > > <option value='id'>name</option>
> > > </select>
> > >
> > > I cannot seem to store the array in a database and then output the
> > > result using foreach. Any tips?
> > >
> > > Regards,
> > >
> > > Matthew Delmarter
> > > Web Developer
> > >
> > > AdplusOnline.com Ltd
> > > www.adplusonline.com
> > >
> > > Phone: 06 8357684
> > > Cell: 025 2303630
> > >
attached mail follows:
----- Original Message -----
From: "Charles Williams" <hosting.mailing.list.account
acnshosting.com>
To: <tomcat-user
jakarta.apache.org>; <phplib
lists.netuse.de>;
<php-general-help
lists.php.net>; "Php-General (E-mail)"
<php-general
lists.php.net>; <majordomo-users
GreatCircle.COM>;
<majordomo
ragweed.psionic.com>; <Majordomo
nl.linux.org>;
<Majordomo
lugwash.org>; "LinuxSA" <linuxsa
linuxsa.org.au>;
<isp-software
isp-software.com>; <freeradius-users
lists.cistron.nl>;
<freeradius-devel
lists.cistron.nl>; <apache-server
yahoogroups.com>;
<Majordomo
east.balius.com>; <cobalt-users
list.cobalt.com>
Sent: Monday, July 30, 2001 1:36 PM
Subject: [apache-server] Very OT for a lot of you put just asking.
> OK, sorry if you feel this is WAY OT.
>
> I am wanting to compile a list of the best one-liner Linux commands out
> there. So all you admins and users out there feel free to send me a copy of
> your best one-liner commands with a brief explanation as to what they
> accomplish.
>
> It doesn't matter if it's for sendmail or procmail or ipchains or grep or
> whatever. All commands will be sorted per usage and all credit will be
> given.
>
> The sooner that I can get a bunch together the sooner I will post them on my
> site. And again, sorry if this is way OT for you folks, but I am really
> curious as to what will show up.
>
> thanks,
> chuck
> http://www.acnsnet.com/~slydder
OK, last time cross posting. hehe. I promise. I have added a link to my site that will allow you to send in your Linux ONE-LINERS. PLEASE USE THIS LINK! I have set up outlook to sort all the mail by the subject line and thus make my life a bit easier.
OH, just so you know I have received over 500 replies until now. Some are funny as hell and not actually commands. So I'm thinking about starting a list for Linux ONE-LINER joke commands. hehe.
Anyways, thanks. And the url is http://www.acnsnet.com/~slydder
chuck
attached mail follows:
> Hi I'm trying to create a script which my cron will run once a day to backup
> my MySQL database, but the exec command doesn't want to work no matter what I
> try...
Uhhhhh.
cron + PHP is cool, but using cron to run PHP to run mysqldump is kinda silly... :-)
Just put the mysqldump line in your cron job, or create a "shell script" to do what you need.
Basically, a shell script:
1. Starts with #!/usr/bin/sh (You can use any "shell" [bash, csh, ash, smrsh] instead of sh that feels good.)
2. Has stuff you would normally type on the command line, like: mysqldump -h localhost -u user -p pass --opt DataBase > BACKUPS/backup.mysql
3. Has permission to be run by one or more users: chmod 700 backup.sh
You can then use /path/to/backup.sh as a command, or use that in a cron job.
> exec("mysqldump -h localhost -u user -p pass --opt DataBase >
> BACKUPS/backup.mysql") or die("Problem");
>
> I have tried adding the full path to mysqldump,
You need that.
> I have tried using my root
> access,
machine root, or MySQL root? The former is a BAD IDEA... The latter ain't so hot either. Certainly don't be putting a script with database passwords in your web-tree.
> I have tried using a different dir to store the files, changed
> permissions all sorts and nothing works. It always returns "Problem" and if I
> take out the or die then it just returns a blank screen.
You can add more args to exec() to get more info about what went wrong/right:
exec("...", $results, $errorcode);
// $results holds each line the command printed
foreach ($results as $line) {
    echo $line, "<BR>\n";
}
// a non-zero exit status means the command failed
if ($errorcode) {
    echo "OS Error: $errorcode. Usually paths/permissions. Use 'man errno' to look it up.<BR>\n";
}
attached mail follows:
> "Liviu Popescu" <xliviux
yahoo.com> wrote in message
> news:20010731124001.85614.qmail
web20101.mail.yahoo.com...
> > I have a lot of php scripts developed with php3.
> > I've installed php4 and I get some warnings when I
> > evaluate variables there are not set (are empty).
> > In php3 there was no problem (no warning).
> > If I modify the code by using empty($var) or
> > isset($var) it's ok, but there are lots of such
> > issues.
> > How could I manage this without major changes?
> Edit your PHP.ini file and change the error_reporting to:
>
> error_reporting=E_COMPILE_ERROR|E_ERROR|E_CORE_ERROR ; show only errors
Yes, do this for now.
But long-term, start using isset() and turn on E_NOTICE script by script until all your code is clean.
Every one of those un-initialized variables you use is a potential hole for a hacker to feed in some value your script isn't expecting.
It also means your programming algorithm is probably not really as organized as it could be.
-- WARNING richardzend.com address is an endangered species -- Use ceo
l-i-e.com Wanna help me out? Like Music? Buy a CD: http://l-i-e.com/artists.htm Volunteer a little time: http://chatmusic.com/volunteer.htm
attached mail follows:
> Is it worth the while to read up on PEAR? I have seen much of it but I
> don't know much about it. I am not a complete newbie anymore and I have
> developed quite a few DB driven sites. Any good readings that you know of?
The basic idea behind PEAR is a sort of "souped-up" code archive of working libraries of scripts you can just steal^H^H^H^H^H use instead of scouring the 'Net and having to re-write/tweak user-contributed scripts.
If this sounds like a good idea to you, start reading. If not, don't :-)
PEAR is still pretty early in the development cycle, so now is your chance to speak up and have a big impact on what makes good quality library code that you'll probably have to use 6 months from now to keep up with the Joneses. :-)
Disclosure: I ain't found time to read up on it either :-(
PEAR Wish List: Some schema for keeping the number of packages implementing feature X to a reasonable number...
-- WARNING richardzend.com address is an endangered species -- Use ceo
l-i-e.com Wanna help me out? Like Music? Buy a CD: http://l-i-e.com/artists.htm Volunteer a little time: http://chatmusic.com/volunteer.htm
attached mail follows:
> I have done a few tutorials, but they aren't very long, and have only covered a small amount
> of what i need to know.
Dunno how long it is, but the webmonkey tutorial used to get good reviews here...
I've been out of the loop for awhile though.
> Can anyone recommend any good comprehensive tutorials out there, and/or any good books that
> would be worth purchasing.
Uhhhhh.
A truly comprehensive tutorial on PHP would be the size of an encyclopaedia...
I mean, there's like 107 different PHP-extensions to cover, each of which probably needs a book-length format to explain.
The nice thing is, you can safely ignore 100 of those extensions until you need one of them :-)
-- WARNING richardzend.com address is an endangered species -- Use ceo
l-i-e.com Wanna help me out? Like Music? Buy a CD: http://l-i-e.com/artists.htm Volunteer a little time: http://chatmusic.com/volunteer.htm
attached mail follows:
> I recently just started using PHP. I searched this list's archives first,
> but couldn't find an answer to my question:
>
> Whenever I get a "syntax error" it's always reported "on line 1", even
> when it's obviously not on line 1. I *never* get an error reported on any
> other line #.
Your file is Mac or PC format, and it's all one line as far as Unix is concerned.
Save As... Unix format in your editor
-- WARNING richardzend.com address is an endangered species -- Use ceo
l-i-e.com Wanna help me out? Like Music? Buy a CD: http://l-i-e.com/artists.htm Volunteer a little time: http://chatmusic.com/volunteer.htm
attached mail follows:
> 1) Prompt the user for a target e-mail address.
> 2) Create a PDF document from the form fields on the current page (I wish to
> specify the design of the form) and e-mail it to the e-mail address gathered
> form (1).
>
> I'm hoping there's either a module or two that can accomplish this or
> perhaps, someone has already gone through the hassle and would be willing to
> share. Otherwise, some pointers to head me in the correct direction would
> be appreciated.
You want the fDF Dev Toolkit from http://adobe.com and the --with-pdf configuration flag.
For attachments, you can roll your own and lose lots of hair or snag something like Manuel Lemos' UpperDesign.com (.org?) mail class that will do it for you.
You now know as much about how to do it as I do, since I'm just repeating answers from previous threads... May want to search the archives for more detail.
-- WARNING richardzend.com address is an endangered species -- Use ceo
l-i-e.com Wanna help me out? Like Music? Buy a CD: http://l-i-e.com/artists.htm Volunteer a little time: http://chatmusic.com/volunteer.htm
attached mail follows:
> echo $row[code];
You want eval, but since your code starts off with HTML, and eval expects to be doing PHP, you need to do more like:
$html = $row['code'];
eval("?>$html<?php");
In essence, you are sorta doing the opposite of how include automatically switches back to HTML mode, and you break out of PHP to "eval" your HTML...
WARNING: This $html isn't coming from untrusted web-surfers, is it?... [shudder]
That would be *really* dangerous, as you're giving them complete access to installing any PHP scripts they like on your server...
-- WARNING richardzend.com address is an endangered species -- Use ceo
l-i-e.com Wanna help me out? Like Music? Buy a CD: http://l-i-e.com/artists.htm Volunteer a little time: http://chatmusic.com/volunteer.htm
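The difference the warning in the message above turns on, as an added example that is not part of the original message: the same stored string is inert when it is emitted as escaped data, and becomes server-side code when it goes through eval(). The row contents and the function names are constructed for illustration.

```php
<?php
// Added example; the row contents and function names are constructed.
$ran_code = false;

// Constructed stand-ins for $row['code']: one written by the site owner,
// one submitted by a visitor who included a PHP block of their own.
$from_owner   = '<p>Welcome back!</p>';
$from_visitor = '<p>Hi</p><?php $GLOBALS["ran_code"] = true; ?>';

// The pattern from the message: the stored text is parsed as a PHP template,
// so any PHP block inside it executes with the script's privileges.
function render_with_eval($html)
{
    ob_start();
    eval("?>" . $html . "<?php ");
    return ob_get_clean();
}

// Stored text handled purely as data: escaped for HTML, never parsed as PHP.
function render_as_text($html)
{
    return htmlspecialchars($html, ENT_QUOTES, 'UTF-8');
}

// Visitor content rendered as data: the embedded block is shown, not run.
echo render_as_text($from_visitor), "\n";
echo $ran_code ? "embedded PHP ran\n" : "embedded PHP did not run\n";

// Owner content through eval() behaves like an included template.
echo render_with_eval($from_owner), "\n";

// Visitor content through eval(): the embedded block executes on the server.
render_with_eval($from_visitor);
echo $ran_code ? "embedded PHP ran\n" : "embedded PHP did not run\n";
```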
attached mail follows:
> class Scott {
> var $svar = array(); // free-form hash for whatever data
> function Scott( )
> {
> return $this;
Like, I don't think you're supposed to return $this from your constructor...
> }
> function __sleep()
> {
According to the manual, this is supposed to return an array of the variable names you want serialized.
return(array('svar'));
in this case, I think, would be what you want...
> }
> function __wakeup()
> {
> $this->svar['sleep'] = "I am waking up";
> }
> }// end class
Once you get it working, post your sample to the User Contributed notes please :-)
attached mail follows:
On Tue, Jul 31, 2001 at 02:48:48PM -0600, mike cullerton wrote:
> on 7/31/01 1:48 PM, scott [gts] at scott
graphictype.com wrote:
>
> > I am having a problem with __sleep();
> > the mere existence of it is causing my object
> > to not get serialized at all. __wakeup() works fine.
> >
> > i am using PHP v4.0.6 / apache / win2k.
> >
> > If i keep __sleep() in the object, it will not serialize,
> > but if i remove it, it serialized fine. Does anyone
> > know why this happens?
>
> i asked this about a month ago and didn't hear anything. i too have never
> been able to get __sleep to work. i think it's because i couldn't figure out
> what needed to be returned (or how to return it :)
>
> at http://www.php.net/manual/en/language.oop.magic-functions.php it says
> that __sleep is "supposed to return an array with the names of all variables
> of that object that should be serialized", but there are no examples of
> this.
>
> in a current project, i have an object that is registered as a session
> variable. it contains three objects and an array. one of the objects is a
> PEAR db object, and i don't need to serialize it. i do want to maintain the
> other two objects and the array.
>
> i tried a number of ideas inside __sleep, to no avail. without __sleep, it
> works. with __sleep, i break it.
>
> i do use __wakeup to reinitialize my db object, but i just use
> $db->disconnect(); at the end of my index file to disconnect .
>
> does anyone know the proper way to "clean up the object" in __sleep and how
> to return the variables that should be serialized? can this even be used
> when one (or more) of the variables is an object itself?
>
see sample - it should be self-explaining.
tc
<?
error_reporting(-1);

class test {
    var $filename;
    var $mode;
    var $fd;

    function test($filename=NULL,$mode=NULL) {
        echo "------------------constructor called\n";
        $this->filename = $filename;
        $this->mode = $mode;

        // we could call $this->__wakeup() instead!
        if ($this->filename && $this->mode) {
            $this->fd = fopen($this->filename,$this->mode);
        }
    }

    function __sleep() {
        echo "------------------sleep\n";
        // return list of instance-variables to be serialized
        return array("filename","mode");
    }

    function __wakeup() {
        echo "------------------wakeup\n";
        // all serialized instance variables are set now, initialize the non-serializable ones
        if ($this->filename && $this->mode) {
            $this->fd = fopen($this->filename,$this->mode);
        }
    }
}

$a = new test("/tmp/thies.tcsh","r");
echo $a;
var_dump($a);
$b = serialize($a);
var_dump($b);
$a = unserialize($b);
var_dump($a);

$b = wddx_serialize_value($a);
var_dump($b);
$a = wddx_deserialize($b);
var_dump($a);

?>
attached mail follows:
> -----Original Message-----
> From: Richard Lynch [mailto:ceo
l-i-e.com]
> Sent: Wednesday, August 01, 2001 3:52 AM
> To: php-general
lists.php.net
> Subject: [PHP] Re: issues with __sleep() and __wakeup()
>
>
> > class Scott {
> > var $svar = array(); // free-form hash for whatever data
> > function Scott( )
> > {
> > return $this;
>
> Like, I don't think you're supposed to return $this from your constructor...
thanks for letting me know, it's an outdated habit from perl...
> > }
> > function __sleep()
> > {
>
> According to the manual, this is supposed to return an array of the variable
> names you want serialized.
>
> return(array('svar'));
so it seems that there's no way to specify *all* my variables without naming them explicitly in __sleep() ?
> in this case, I think, would be what you want...
>
> > }
> > function __wakeup()
> > {
> > $this->svar['sleep'] = "I am waking up";
> > }
> > }// end class
>
> Once you get it working, post your sample to the User Contributed notes
> please :-)
i definitely will.
thanks for the suggestions everyone.
attached mail follows:
> <FORM METHOD="post" ACTION="userinfolistbycompany2.php">
> <INPUT TYPE="hidden" name="uid" value="<? echo "$uid"; ?>">
You are using the "short open tag" of <? instead of <?php is the only thing really wrong I can see... That won't work in PHP4 --with-xml, or if php.ini has short tags "off" etc.
The "$uid" is silly, but not "wrong" per se.
It's also possible you mis-spelled that file name in the ACTION, or that you have a *REALLY* lame OS that won't let you use a file name that long.
It's even remotely possible that you don't have PHP enabled, or that the file in which the above code appears is not a .php file...
Could you give us more of a clue what's happening?...
-- WARNING richardzend.com address is an endangered species -- Use ceo
l-i-e.com Wanna help me out? Like Music? Buy a CD: http://l-i-e.com/artists.htm Volunteer a little time: http://chatmusic.com/volunteer.htm
attached mail follows:
>How can i go about doing a visual login on a web page... instead of the pop up window i have
>at the min like with .htaccess ??
>
>I apologize if this is in the manual, but i couldn't see it
If you use HTTP Authentication, you get that popup. Period.
If you don't, you don't. Period.
So, ditch the HTTP Authentication and roll up a database with username/password and a FORM to login.
-- WARNING richardzend.com address is an endangered species -- Use ceo
l-i-e.com Wanna help me out? Like Music? Buy a CD: http://l-i-e.com/artists.htm Volunteer a little time: http://chatmusic.com/volunteer.htm
attached mail follows:
if you go this route, you would, however, have to check for valid-login users on every page that you want to have security on.
> -----Original Message-----
> From: Ben Bleything [mailto:bleythbe
mailbox.orst.edu]
> Subject: RE: [PHP] Visual Login
>
> One way would be to use a database (of any type) to store
> username/password data, present the user with a form to fill out,
> authenticate against the database, set session variable if they are
> valid, and let them use the application.. if they fail, do whatever.
>
> => EXTREMELY brief. Can give more detail if you like =>
>
> Ben
attached mail follows:
>In php, oh wait well this is really 2 questions...... 1 in a form how do i make it email a
>file to someone, and the second how do i make it get received as an attachment...?
You want to read the "file upload feature" page on http://php.net
And you want to snag Manuel Lemos' UpperDesign.com mail class to send the attachment.
While you're on php.net, read through all the "Feature" pages, and the top page of the various extensions. (EG, not every function in the MySQL section, just the first page.)
You'll then know where 90% of what you need lives without waiting for the mailing list to respond. :-)
Oh yeah. Read the FAQ again, while you're at it :-) :-) :-)
-- WARNING richardzend.com address is an endangered species -- Use ceo
l-i-e.com Wanna help me out? Like Music? Buy a CD: http://l-i-e.com/artists.htm Volunteer a little time: http://chatmusic.com/volunteer.htm
attached mail follows:
> I have php files which run on various VirtualHost's and there is suexec on
> those VirtualHosts, however, when I look at the user/group which PHP runs
> under it always seems to be the main web user (nobody, www, or whatever we
> set it to). Is there any way for PHP to be able to execute as the
> User/Group of the VirtualHost?
>
> Please forgive me if this subject has been explained elsewhere, I did a
> search and it revealed nothing.
Only if you execute PHP as a "CGI" with suExec.
PHP as a Module is a part of Apache, and has its same User/Group.
Apache 2.0 will (allegedly) allow mod_php to run as different user in different hosts.
Not sure how to set up suExec, but suExec + PHP-CGI *can* be made to work and run PHP as any user you choose. My ISP did it to me.
-- WARNING richardzend.com address is an endangered species -- Use ceo
l-i-e.com Wanna help me out? Like Music? Buy a CD: http://l-i-e.com/artists.htm Volunteer a little time: http://chatmusic.com/volunteer.htm
attached mail follows:
> I am running win2k sp1. The following code works with php 4.0.3 installed
> however fails with versions php 4.0.5 and 4.0.6.
>
> Any assistance would be appreciated
>
> <?php
> echo $PATH_INFO;
> echo "<br>";
> echo $HTTP_SERVER_VARS["PATH_INFO"];
> ?>
Define "fails"...
What are your php.ini settings for register_globals and track_vars?
-- WARNING richardzend.com address is an endangered species -- Use ceo
l-i-e.com Wanna help me out? Like Music? Buy a CD: http://l-i-e.com/artists.htm Volunteer a little time: http://chatmusic.com/volunteer.htm
attached mail follows:
> I made a query that uses count(*)
> now how can i get the results sorted following the biggest count(*) result?
select count(*) as score from foo group by y order by score desc
may do the trick...
I often have trouble with aggregates not being allowed where I want them or not being able to aggregate on all records, but only display a subset (or vice versa).
-- WARNING richardzend.com address is an endangered species -- Use ceo
l-i-e.com Wanna help me out? Like Music? Buy a CD: http://l-i-e.com/artists.htm Volunteer a little time: http://chatmusic.com/volunteer.htm
attached mail follows:
Try vim instead of vi.
-Stathis.
Ben Bleything wrote:
>
> I can't speak for terminal usage... I use pico and or vi... pico on
> console, vi over ssh.
>
> When working locally, I use nedit (www.nedit.org) on *nix (with custom
> PHP syntax highlighting) and EditPlus on windows.
>
> Good luck,
> Ben
>
> -----Original Message-----
> From: Augusto Cesar Castoldi [mailto:castoldi
inf.ufsc.br]
> Sent: Tuesday, July 31, 2001 7:07 PM
> To: php-general
lists.php.net
> Subject: [PHP] Sorry... but a good PHP editor for Linux/Unix
>
> Sorry about talking about this subject, but a really wanna know if any
> one
> nows a good editor for linux/unix.
>
> Sometimes I need to work by SSH and I have to use the program pico.
>
> I can't use vi, to use it, i'll need to see the manual!!
>
> thanks,
>
> Augusto
attached mail follows:
Joe has always been my favorite linux text editor.
----- Original Message -----
From: "Augusto Cesar Castoldi" <castoldi
inf.ufsc.br>
To: <php-general
lists.php.net>
Sent: Tuesday, July 31, 2001 7:07 PM
Subject: [PHP] Sorry... but a good PHP editor for Linux/Unix
> Sorry about talking about this subject, but a really wanna know if any one
> nows a good editor for linux/unix.
>
> Sometimes I need to work by SSH and I have to use the program pico.
>
> I can't use vi, to use it, i'll need to see the manual!!
>
> thanks,
>
> Augusto
attached mail follows:
I think EMACS is the best choice for any language you like. Just install the PHP support for EMACS. Bye
On Tue, Jul 31, 2001 at 11:07:14PM -0300, Augusto Cesar Castoldi wrote:
> Sorry about talking about this subject, but a really wanna know if any one
> nows a good editor for linux/unix.
>
> Sometimes I need to work by SSH and I have to use the program pico.
>
> I can't use vi, to use it, i'll need to see the manual!!
>
> thanks,
>
> Augusto
-- Mauricio Téllez Jiménez Seguimiento Técnico EDUMEXICO edumexicospeedy.coacade.uv.mx edumexico
yupimail.com Zamora No. 25, Col Centro C.P. 91000, Xalapa, Ver. Tel. 52(28)17-86-87, 17-73-80 Fax. 52(28)18-64-13
attached mail follows:
Hello everyone !
Question:
I'm building an online membership registration system, for a 'membership section' of a website. As it stands, I have a registration form that inserts the data into MySQL, then generates a confirmation page--with member ID number, username, and password.
I want to use PHP's mysql_insert_id to capture the last ID that was entered...and that's where my question lies.
In an environment where it's possible to have multiple users register at the same time (relatively speaking), how can I be sure that the 'last ID' is indeed the 'intended' last user's ID?
Ex. Say that user A submits a registration form at 00:00:01, but mysql_insert_id is not called (for user A) until 00:00:03.
If user B submits a registration form at 00:00:02, then would the call to mysql_insert_id (for user A---called at 00:00:03) return the ID for user B?
Technically, it sounds like it would, unless mysql_insert_id implements some type of session and/or state recognition. Is that how it works?
--How can I be sure that it returns the ID for user A and not B?
--Does mysql_insert_id implement some internal session function, or something to that effect? How does it account for that?
Please help.
Thanks in advance.
-John
__________John Monfort_________________ _+-----------------------------------+_ P E P I E D E S I G N S www.pepiedesigns.com "The world is waiting, are you ready?" -+___________________________________+-
attached mail follows:
Hello John,
Wednesday, August 01, 2001, 11:06:06 AM, you wrote:
JM> In an environment where it's possible to have multiple
JM> users register at the same time (relatively speaking), how can I be sure
JM> that the 'last ID' is indeed the 'intended' last user's ID?

JM> Ex.
JM> Say that user A submits a registration form at 00:00:01, but
JM> mysql_insert_id is not called (for user A) until 00:00:03.

JM> If user B submits a registration form at 00:00:02, then would
JM> the call to mysql_insert_id (for user A---called at 00:00:03) return
JM> the ID for user B?

JM> Technically, it sounds like it would, unless mysql_insert_id implements
JM> some type of session and/or state recognition.
JM> Is that how it works?

JM> --How can I be sure that it returns the ID for user A and not B?
You can be 100% sure, 'cause mysql_insert_id() returns the last inserted id in the current connection to the database.
User A has a different connection ID than user B.
I hope it helps
-- Best regards, Daniel mailto:danielrezny.sk
attached mail follows:
Many thanks, Daniel!
I truly appreciate it.
-john
__________John Monfort_________________ _+-----------------------------------+_ P E P I E D E S I G N S www.pepiedesigns.com "The world is waiting, are you ready?" -+___________________________________+-
On Wed, 1 Aug 2001, Daniel Rezny wrote:
> Hello John,
>
> Wednesday, August 01, 2001, 11:06:06 AM, you wrote:
>
>
> JM> In an environment where it's possible to have multiple
> JM> users register at the same time (relatively speaking), how can I be sure
> JM> that the 'last ID' is indeed the 'intended' last user's ID?
>
> JM> Ex.
> JM> Say that user A submits a registration form at 00:00:01, but
> JM> mysql_insert_id is not called (for user A) until 00:00:03.
>
> JM> If user B submits a registration form at 00:00:02, then would
> JM> the call to mysql_insert_id (for user A---called at 00:00:03) return
> JM> the ID for user B?
>
> JM> Technically, it sounds like it would, unless mysql_insert_id implements
> JM> some type of session and/or state recognition.
> JM> Is that how it works?
>
> JM> --How can I be sure that it returns the ID for user A and not B?
>
> You can be 100% sure, 'cause mysql_insert_id() returns the last inserted
> id in the current connection to the database.
>
> User A has a different connection ID than user B.
>
> I hope it helps
>
> --
> Best regards,
> Daniel mailto:daniel
rezny.sk
attached mail follows:
Hi,
I have modified an authentication script to my own liking, but being new, don't know how to go about my next stage.
Once the user has inserted the UN, and PW, it is compared against the MySQL database, now what i want to do is get rid of the login form which still appears, and is very annoying. I can't seem to see anything on this particular subject, but if there is any, can u point me in the right direction.
It can be viewed at: http://www.stevewrightonline.co.uk/auth/auth.php UN: guest PW: guest
Here's the code:
<P>
<FORM ACTION="<? echo "$PHP_SELF"; ?>" METHOD="POST">
<P>UserName:<br>
<input type="text" name="PHP_AUTH_USER" size=15>
</p>

<P>Password:<br>
<input type="password" name="PHP_AUTH_PW" size=15>
</p>

<input type="submit" value="Log In">
</form>
</P>

<?php

$auth = false; // user is not authenticated yet

if (isset( $PHP_AUTH_USER ) && isset($PHP_AUTH_PW)) {

    // Connect the MySQL Database

    mysql_connect( '**************.net', '**********', '***********' )
        or die ( 'Unable to connect to server.' );

    // Select database on MySQL server

    mysql_select_db( 'Demonstration' )
        or die ( 'Unable to select database.' );

    // the query

    $sql = "SELECT * FROM users WHERE UserName = '$PHP_AUTH_USER' AND Password = '$PHP_AUTH_PW'";

    // Execute query and put results in $result

    $result = mysql_query( $sql )
        or die ( 'Unable to execute query.' );

    // Get number of rows in $result.

    $num = mysql_numrows( $result );

    if ( $num != 0 ) {

        // matching row was found - user authenticated.

        $auth = true;

    }

}

if ( ! $auth ) {

    echo 'Sign In Required.';
    exit;

} else {

    echo '<p>You are Signed In!</p>';
}

?>
attached mail follows:
Steve,
If you move your validation code to the top of the script you can use the
header ("Location: loggedin.php"); exit;
to go to the next page if the user is validated
Chris
Steve Wright wrote:
> Hi,
>
> I have modified an authentication script to my own liking, but being new, don't know how to go about my next stage.
>
> Once the user has inserted the UN, and PW, it is compared against the MySQL database, now what i want to do is get rid of the login form which still appears, and is very annoying. I can't seem to see anything on this particular subject, but if there is any, can u point me in the right direction.
>
> It can be viewed at: http://www.stevewrightonline.co.uk/auth/auth.php
> UN: guest
> PW: guest
>
> Here's the code:
> <P>
> <FORM ACTION="<? echo "$PHP_SELF"; ?>" METHOD="POST">
> <P>UserName:<br>
> <input type="text" name="PHP_AUTH_USER" size=15>
> </p>
>
> <P>Password:<br>
> <input type="password" name="PHP_AUTH_PW" size=15>
> </p>
>
> <input type="submit" value="Log In">
> </form>
> </P>
>
> <?php
>
> $auth = false; // user is not authenticated yet
>
> if (isset( $PHP_AUTH_USER ) && isset($PHP_AUTH_PW)) {
>
>     // Connect the MySQL Database
>
>     mysql_connect( '**************.net', '**********', '***********' )
>         or die ( 'Unable to connect to server.' );
>
>     // Select database on MySQL server
>
>     mysql_select_db( 'Demonstration' )
>         or die ( 'Unable to select database.' );
>
>     // the query
>
>     $sql = "SELECT * FROM users WHERE UserName = '$PHP_AUTH_USER' AND Password = '$PHP_AUTH_PW'";
>
>     // Execute query and put results in $result
>
>     $result = mysql_query( $sql )
>         or die ( 'Unable to execute query.' );
>
>     // Get number of rows in $result.
>
>     $num = mysql_numrows( $result );
>
>     if ( $num != 0 ) {
>
>         // matching row was found - user authenticated.
>
>         $auth = true;
>
>     }
>
> }
>
> if ( ! $auth ) {
>
>     echo 'Sign In Required.';
>     exit;
>
> } else {
>
>     echo '<p>You are Signed In!</p>';
> }
>
> ?>
--Chris Fry Quillsoft Pty Ltd Specialists in Secure Internet Services and E-Commerce Solutions 10 Gray Street Kogarah NSW 2217 Australia
Phone: +61 2 9553 1691 Fax: +61 2 9553 1692 Mobile: 0419 414 323 eMail: chris
quillsoft.com.au http://www.quillsoft.com.au
You can download our Public CA Certificate from:- https://ca.secureanywhere.com/htdocs/cacert.crt
attached mail follows:
>Once the user has inserted the UN, and PW, it is compared against the MySQL database, now
>what i want to do is get rid of the login form which still appears, and is very annoying. I
>can't seem to see anything on this particular subject, but if there is any, can u point me in
>the right direction.
Re-arrange your code so you *CHECK* their username/password *before* you start showing the FORM.
If they've entered username/password, and it's valid, don't show the form, do something else.
Also, the variables $PHP_AUTH_USER and $PHP_AUTH_PW are going to be set by the browser as part of HTTP Authentication, even though you're not using HTTP Authentication, so you can't use those variables with your form. Pick different variable names.
-- WARNING richardzend.com address is an endangered species -- Use ceo
l-i-e.com Wanna help me out? Like Music? Buy a CD: http://l-i-e.com/artists.htm Volunteer a little time: http://chatmusic.com/volunteer.htm
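The rearrangement suggested in the replies above and in the earlier "Visual Login" thread, as an added example that is not code from any of the posters: credentials are checked before any output, a valid login redirects instead of showing the form, and other pages check the session. It also binds the submitted values as query parameters rather than placing them in the SQL string as the posted script does, and compares against a password hash. The field names login_user and login_pass, the PasswordHash column and the in-memory SQLite store are assumptions; auth.php and loggedin.php are the names used in the thread.

```php
<?php
// Added example, not code from the thread. Field names login_user/login_pass, the
// PasswordHash column and the in-memory SQLite store are assumptions for illustration.
session_start();

// Constructed user store so the script runs offline (needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (UserName TEXT PRIMARY KEY, PasswordHash TEXT NOT NULL)');
$db->prepare('INSERT INTO users (UserName, PasswordHash) VALUES (?, ?)')
   ->execute(['guest', password_hash('guest', PASSWORD_DEFAULT)]);

// True only if the user exists and the password matches the stored hash.
function check_login(PDO $db, $user, $pass)
{
    if (!is_string($user) || !is_string($pass) || $user === '') {
        return false;
    }
    // Bound parameter: the submitted name is never part of the SQL text.
    $st = $db->prepare('SELECT PasswordHash FROM users WHERE UserName = ?');
    $st->execute([$user]);
    $hash = $st->fetchColumn();
    return is_string($hash) && password_verify($pass, $hash);
}

// Guard for every page that needs a signed-in user.
function require_login()
{
    if (empty($_SESSION['user'])) {
        header('Location: auth.php');
        exit;
    }
}

// 1. Validate first, before any output, so header() can still redirect.
$error = '';
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $user = $_POST['login_user'] ?? '';
    $pass = $_POST['login_pass'] ?? '';
    if (check_login($db, $user, $pass)) {
        session_regenerate_id(true);   // new session id once the user is signed in
        $_SESSION['user'] = $user;
        header('Location: loggedin.php');
        exit;                          // nothing below runs, so no form is sent
    }
    $error = 'Sign In Required.';
}

// 2. Only reached when nobody has signed in successfully: show the form.
?>
<?php if ($error !== ''): ?>
<p><?php echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8'); ?></p>
<?php endif; ?>
<form action="auth.php" method="post">
<p>UserName:<br><input type="text" name="login_user" size="15"></p>
<p>Password:<br><input type="password" name="login_pass" size="15"></p>
<input type="submit" value="Log In">
</form>
```

A protected page such as loggedin.php would call session_start() and then require_login() before producing any output.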
attached mail follows:
> How is it, if I would create the file itself from the php-script itself?
To do *that* you need world-writable permissions on the DIRECTORY to create files inside of it.
That means any other user on your computer can *also* create any files they like in that directory.
> Would I be able to read the file next time it is called from the website?
If that directory is in your web tree, yes, the file would then be available...
Along with any other files your co-users have decided to throw into your web-site!
This is probably worse than having a single world-writable file. :-(
Constructive Suggestions: Move the file[s] *OUT* of the web tree. If you want them visible to the outside world, write a PHP script to display the non-web files.
As each file is created, record it in your DB, and only allow the display of files in your DB. Now a hacker needs to create a file in that directory *AND* hack your DB to mess up your web-site.
Check the contents of the files before you display them. Odds are pretty good that there are all sorts of things you can check to be sure the files you have "look" like they should. Page yourself with a 911 if a suspicious file shows up.
Give the files (and their containing directory) the *MINIMUM* permissions required to make it all work. No eXecute. No user-readable/writable. *ONLY* the world readable/writable. Or, if you control the server, change that around and make the files owned by "nobody" and *ONLY* user readable/writable.
Run a cron job to "chmod 006 *" (or whatever you chose above) on that directory every few minutes, so if a hacker manages to force a bad file in there, you'll make it less usable.
Run a cron job every once in a while to check that every file in the DB has a file in the directory and vice-versa. Page yourself if files appear mysteriously. So no file can get added in either place alone without setting off an alarm.
Actually, you'll need to be careful that no false alarms happen in the midst of files being added... So, do the INSERT into your DB before the copy(), timestamp the insertion, and don't alarm for any file added to the DB but not the directory in the past minute or two.
This is hardly rock-solid, and any reasonably intelligent malicious user sharing your machine will eventually be able to figure out how to mess you up, but is closer to "acceptable risk" than world-writable files laying around in your web tree.
Hopefully, though, your pro-active measures will have you catching them in the act of trying to figure out how to break in, rather than them catching you with your pants down.
The idea is to keep a very, very close eye on what goes in there, and be sure it's what is *supposed* to be there.
All this won't stop a determined, smart hacker. But it will catch the script-kiddies and wannabes.
Disclaimer: I'm no security expert...
-- WARNING richardzend.com address is an endangered species -- Use ceo
l-i-e.com Wanna help me out? Like Music? Buy a CD: http://l-i-e.com/artists.htm Volunteer a little time: http://chatmusic.com/volunteer.htm
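One way to write the cron check described in the message above, as an added example that is not the poster's code: it reconciles the directory against the recorded file list in both directions, resets loose permissions, and skips records newer than the grace period so an upload in progress does not raise a false alarm. The "DB" is a constructed array of filename to insert time, and the function name, the 0600 mode and the 120-second grace period are assumptions.

```php
<?php
// Added example. The registry array stands in for the DB table that is written
// just before copy(); all names and sample files below are constructed.

const GRACE_SECONDS = 120;   // "the past minute or two"
const FILE_MODE     = 0600;  // owner-only read/write, no execute

// Returns a list of alert strings; an empty list means directory and DB agree.
function audit_upload_dir($dir, array $registry, $now)
{
    $alerts = [];
    $onDisk = [];

    foreach (scandir($dir) as $name) {
        if ($name === '.' || $name === '..') {
            continue;
        }
        $path = $dir . DIRECTORY_SEPARATOR . $name;
        $onDisk[$name] = true;

        if (is_link($path) || !is_file($path)) {
            $alerts[] = "not a regular file: $name";
            continue;
        }
        if (!isset($registry[$name])) {
            $alerts[] = "file not recorded in DB: $name";
            continue;
        }
        $mode = fileperms($path) & 0777;
        if ($mode !== FILE_MODE) {
            chmod($path, FILE_MODE);
            $alerts[] = sprintf('mode %04o reset on: %s', $mode, $name);
        }
    }

    foreach ($registry as $name => $insertedAt) {
        // A record younger than the grace period may still be mid-copy.
        if (!isset($onDisk[$name]) && $now - $insertedAt > GRACE_SECONDS) {
            $alerts[] = "DB record without file: $name";
        }
    }
    return $alerts;
}

// Constructed demonstration in a throwaway directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload_audit_' . getmypid();
mkdir($dir, 0700);
file_put_contents("$dir/report.txt", 'ok');
chmod("$dir/report.txt", 0600);
file_put_contents("$dir/loose.txt", 'ok');
chmod("$dir/loose.txt", 0666);
file_put_contents("$dir/dropped.php", 'unknown');   // never recorded

$now = time();
$registry = [
    'report.txt'   => $now - 3600,
    'loose.txt'    => $now - 3600,
    'pending.txt'  => $now - 10,     // recorded, copy not finished yet
    'vanished.txt' => $now - 3600,   // recorded long ago, file missing
];

foreach (audit_upload_dir($dir, $registry, $now) as $alert) {
    echo $alert, "\n";               // a real job would page or mail here
}

array_map('unlink', glob("$dir/*"));
rmdir($dir);
```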
attached mail follows:
At 09:00 PM 7/31/2001, Guaranteed ! wrote:
>We are a serious company, offering a program that will enhance your sex
>life, and enlarge your penis in a totally natural way.
I think they got the ASP mailinglist mixed up with the PHP one......
-j
--------------------------------------------------
sneak
datavibe.net - 0xF5