php-general Digest 9 Jul 2005 21:48:16 -0000 Issue 3558

php-general-digest-help@lists.php.net
Date: Sat Jul 09 2005 - 16:48:16 CDT



Topics (messages 218377 through 218392):

GD library
        218377 by: Mike Bellerby
        218378 by: Mike Bellerby
        218381 by: Rasmus Lerdorf

upload file problem
        218379 by: Ahmed Abdel-Aliem

Re: Apache 1.3x/PHP 5.0.3 404 error handler & posted data...
        218380 by: Rasmus Lerdorf

Re: file function
        218382 by: Rory Browne

Template Engine with Event Handlers
        218383 by: Rory Browne

if(true && false) //??
        218384 by: Sam Smith
        218385 by: Marco Tabini
        218386 by: André Medeiros
        218387 by: André Medeiros
        218392 by: Daevid Vincent

Re: Security, Late Nights and Overall Paranoia
        218388 by: Richard Davey
        218389 by: Greg Donald
        218390 by: Richard Davey
        218391 by: Richard Davey

Administrivia:

To subscribe to the digest, e-mail:
        php-general-digest-subscribe@lists.php.net

To unsubscribe from the digest, e-mail:
        php-general-digest-unsubscribe@lists.php.net

To post to the list, e-mail:
        php-general@lists.php.net

----------------------------------------------------------------------

attached mail follows:


Where is the best place to get php_gd2.php

Thanks

Mike

attached mail follows:


Where is the best place to get php_gd2.dll

Thanks

Mike

attached mail follows:


Mike Bellerby wrote:
> Where is the best place to get php_gd2.dll

It's in the ext/ directory of the Win32 zip file you downloaded. Or if
you didn't, go grab it from
http://uk.php.net/get/php-5.0.4-Win32.zip/from/this/mirror

-Rasmus

attached mail follows:


Hi
i have a problem with a code to upload files on server
here is the code

$f =& $HTTP_POST_FILES['News_Pic'];

$dst_file_name = generateUniqueId();

$arr = split("\.",$f['name']);

$f['name'] = $dst_file_name;

$f['name'] .= ".".$arr[count($arr)-1];

$dest_dir = 'main/pictures';

$dest = $dest_dir . '/' .$f['name'];

$r = move_uploaded_file($f['tmp_name'], $dest);

$News_Pic = $f['name'];
chmod($dest, 777);

after uploading a file i check the folder and i find nothing uploaded
and when i check the MySQL Table for the filed of the name of the
picture i find this
ef26fc32a2855a4edb6ef389b8b621af.
it should be that random number followed by the extension, for example :
ef26fc32a2855a4edb6ef389b8b621af.jpg
but this deosn't happen and the file is not uploaded
can anyone help me with this plz ?
--
Ahmed Abdel-Aliem
Web Developer
www.ApexScript.com
0101108551
registered Linux user number 382789
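The symptom Ahmed describes (the random id followed by a bare dot, and nothing on disk) is consistent with `$HTTP_POST_FILES` being empty: it is the deprecated long-array form of `$_FILES`, which the php.ini-recommended shipped with PHP 5 switches off via `register_long_arrays = Off`. With `$f['name']` null, `split()` returns a single empty element, so the extension is empty, and `move_uploaded_file()` fails because `tmp_name` is empty too. The handler below is an added example, not code from the original post or from ApexScript. It reads `$_FILES`, checks the upload status code, takes the extension from the detected image type rather than from the client-supplied file name, and writes the file with a non-executable mode. The function name `storeUploadedImage()`, the image allow-list, and the reuse of the post's `News_Pic` field and `main/pictures` directory are assumptions about how it would be wired in.

```php
<?php
// Added example (not from the original post): a defensive replacement for the
// upload snippet above. Assumptions: the form field is 'News_Pic', the target
// directory is 'main/pictures', and only GIF/JPEG/PNG images are wanted.

// Allowed image types, keyed by the IMAGETYPE_* constant getimagesize() returns.
$allowedTypes = array(
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
);

/**
 * Store an uploaded image under a server-generated name and return that name.
 * Throws on any failure so the caller never records a half-finished upload.
 */
function storeUploadedImage($field, $destDir, array $allowedTypes)
{
    // Use $_FILES; $HTTP_POST_FILES is the deprecated long array that may be off.
    if (!isset($_FILES[$field])) {
        throw new Exception("No upload field named '$field'");
    }
    $f = $_FILES[$field];

    // Anything other than UPLOAD_ERR_OK means nothing usable was received.
    if ($f['error'] !== UPLOAD_ERR_OK) {
        throw new Exception('Upload failed with error code ' . $f['error']);
    }

    // Refuse to touch a path that PHP did not create for this request.
    if (!is_uploaded_file($f['tmp_name'])) {
        throw new Exception('tmp_name is not an uploaded file');
    }

    // Decide the type from the file contents, not from $f['name'] or $f['type'],
    // both of which the client controls.
    $info = @getimagesize($f['tmp_name']);
    if ($info === false || !isset($allowedTypes[$info[2]])) {
        throw new Exception('File is not an allowed image type');
    }
    $ext = $allowedTypes[$info[2]];

    // Random, server-generated name; the original file name never reaches the disk.
    $name = md5(uniqid(mt_rand(), true)) . '.' . $ext;
    $dest = rtrim($destDir, '/') . '/' . $name;

    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        throw new Exception("Could not move upload to $dest");
    }

    // Octal mode: readable, never executable. Note the original post's
    // chmod($dest, 777) passes decimal 777, which is octal 1411.
    chmod($dest, 0644);

    return $name;
}

try {
    $News_Pic = storeUploadedImage('News_Pic', 'main/pictures', $allowedTypes);
    // $News_Pic now looks like "<32 hex chars>.jpg" and can be stored in the table.
} catch (Exception $e) {
    // Log the detail server-side; show the user only a generic message.
    error_log($e->getMessage());
    echo 'Upload failed.';
}
```

Keeping the upload directory outside the document root, or served with PHP execution disabled, is the usual companion to the 0644 mode: the extension check alone does not stop a browser from fetching whatever was stored.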

attached mail follows:


Raymond C. Rodgers wrote:
> I'm trying to write an error handler in PHP to try to avoid sending the
> browser a 404 error message. Basically, if someone
> requests /whatever.html on the server and it doesn't exist, my 404 error
> handler checks to see if /whatever.php exists, if so, it then includes
> that file.
>
> That part works fine.
>
> The part that I'm having trouble with is if /whatever.html happens to be
> the target of a form POST. With GET requests, the data is available in
> either $_SERVER['REDIRECT_QUERY_STRING'] or (worst case)
> $_SERVER['REQUEST_URI']. That's easy enough to parse and turn into
> $_REQUEST and/or $_GET. However, it seems that POSTed data just vanishes
> into thin air. $_POST is not set, of course, and I've been trying to
> read data using file_get_contents('php://input') but nothing is
> returned... Is this a bug in PHP, Apache, not a bug but an unimplemented
> feature, security precaution, or what? Am I missing something simple to
> get the POSTed data?

No, you can't do what you are trying to do the way you are trying to do
it. Apache changes the original POST to a GET request on the internal
errordocument redirect so PHP can't get at the original posted data.
Well, it probably could with some hacking, but the web server has
specifically told us that this is not a POST request anymore, so we
respect that.

With Apache2 you could use Multiviews to do this by setting PHP up as a
handler and telling Apache that it returns type text/html (we don't do
this by default because PHP doesn't always return text/html) and then
let multiviews take care of turning your request for /whatever.html into
a real request for /whatever.php. And the POST data would be intact.

For Apache1 you could probably use a type-map file. Have a read through
http://httpd.apache.org/docs/content-negotiation.html

A better option may be to just use mod_rewrite. Something along the
lines of:

RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)\.html$ $1.php [T=application/x-httpd-php,L]

You should verify this with the mod_rewrite docs, but this should only
rewrite a request for whatever.html to whatever.php if whatever.html
doesn't exist. I suppose you could also add a condition to only do the
rewrite if $1.php exists.

-Rasmus

attached mail follows:


On 7/9/05, Joseph Lee <joe_sun_leeyahoo.com> wrote:
> Hi,
>
> I tried file() in the following lines:
>
> <?php
> $authFile = file("/tmp/authenticate.txt");
> print "authFile = $authFile";
> ?>
>
> However, it only gave me
> authFile = Array
>
> What's wrong with this file function? I tried single
> quotes, but got the same answer, too.

Trying single quotes should have gotten you >authFile = $authFile<
(without the arrows).

There is nothing wrong with the file function. It's supposed to return
an array. If you want it to spit out every element in the array, then
perhaps you could use the print_r, var_dump or var_export functions.
If you simply want to get the contents of the file into a string, then
use file_get_contents().

>
> Thanks,
> Joe
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

attached mail follows:


Hi
Anyone know if any of the current PHP templating solutions implement
event handling?

I mean something similar to ASP.NET's onClick events, etc. I was
thinking maybe a js-triggered ajax system, which allowed php to access
some of the JS Objects?

I was thinking about doing something like this, and just want to make
sure that there isn't already something done like this.

attached mail follows:


I have some code that I borrowed that works but I don't get how it could
possibly work, obviously I don't understand how "false" works:

How can this ever pass?:
if (isset($_SESSION['PrevUrl']) && false) {
....

Thanks

attached mail follows:


It can't -- that looks like some leftover debugging code to me.

Marco

On 7/9/05 10:50 AM, "Sam Smith" <phpitab.com> wrote:

>
> I have some code that I borrowed that works but I don't get how it could
> possibly work, obviously I don't understand how "false" works:
>
> How can this ever pass?:
> if (isset($_SESSION['PrevUrl']) && false) {
> ....
>
>
> Thanks

attached mail follows:


That's the same as having

if( !isset( $_SESSION['PrevUrl'] ) ) {
//do something here
}

On 7/9/05, Marco Tabini <marcottabini.ca> wrote:
> It can't -- that looks like some leftover debugging code to me.
>
>
> Marco
>
>
> On 7/9/05 10:50 AM, "Sam Smith" <phpitab.com> wrote:
>
> >
> > I have some code that I borrowed that works but I don't get how it could
> > possibly work, obviously I don't understand how "false" works:
> >
> > How can this ever pass?:
> > if (isset($_SESSION['PrevUrl']) && false) {
> > ....
> >
> >
> > Thanks

attached mail follows:


Oops.... my bad... misread it :(

On 7/9/05, André Medeiros <andre.caumgmail.com> wrote:
> That's the same as having
>
> if( !isset( $_SESSION['PrevUrl'] ) ) {
> //do something here
> }
>
> On 7/9/05, Marco Tabini <marcottabini.ca> wrote:
> > It can't -- that looks like some leftover debugging code to me.
> >
> >
> > Marco
> >
> >
> > On 7/9/05 10:50 AM, "Sam Smith" <phpitab.com> wrote:
> >
> > >
> > > I have some code that I borrowed that works but I don't get how it could
> > > possibly work, obviously I don't understand how "false" works:
> > >
> > > How can this ever pass?:
> > > if (isset($_SESSION['PrevUrl']) && false) {
> > > ....
> > >
> > >
> > > Thanks

attached mail follows:


I don't think so.

The "&& false" guarantees the code in the 'if' portion will never execute.
It's effectively commenting it out. I agree it was probably left over
'debug' code.

The "if( !isset( $_SESSION['PrevUrl'] ) )" has a very good chance of being
true. ANDing with boolean false NEVER has a chance of being true.

> -----Original Message-----
> From: André Medeiros [mailto:andre.caumgmail.com]
> Sent: Saturday, July 09, 2005 9:19 AM
> To: Marco Tabini
> Cc: Sam Smith; php
> Subject: Re: [PHP] if(true && false) //??
>
> That's the same as having
>
> if( !isset( $_SESSION['PrevUrl'] ) ) {
> //do something here
> }
>
> On 7/9/05, Marco Tabini <marcottabini.ca> wrote:
> > It can't -- that looks like some leftover debugging code to me.
> >
> >
> > Marco
> >
> >
> > On 7/9/05 10:50 AM, "Sam Smith" <phpitab.com> wrote:
> >
> > >
> > > I have some code that I borrowed that works but I don't get how it could
> > > possibly work, obviously I don't understand how "false" works:
> > >
> > > How can this ever pass?:
> > > if (isset($_SESSION['PrevUrl']) && false) {
> > > ....
> > >
> > >
> > > Thanks

attached mail follows:


Hello Greg,

Friday, July 8, 2005, 5:00:23 PM, you wrote:

GD> On 7/8/05, Ryan A <ryancoinpass.com> wrote:
>> Yep, but this has no way of breaking my html....

GD> If [/i] is missing, it'd be the same as </i> being missing.

I have to say I disagree, because with all modern BBcode parsers it
would never get to that stage.

If the user misses out the closing [/i] tag then when it comes to
parse the BBcode into HTML it'd never happen. All decent BBcode
parsers search for both pairs of tag. If an opening [i] is found but
no corresponding close tag, both would be ignored and skip onto the
next check. I haven't seen one that did a straight str_replace for a
long time now (although I guess they still exist! and in those cases I
agree with you, they are pointless and utterly insecure).

If you allow direct HTML as user input, you HAVE to check and validate
every single aspect of their HTML for all possible errors, typos,
included XSS attacks, etc - and if you fail in even one of these
checks, they can break the layout of your site, or worse. Whereas with
BBcode the worst that can happen (in this instance) is that the user
looks like an idiot because [i] tags are left in their input.

Another benefit IMHO is that you control what [i] gets turned into,
for example I don't use <i> tags in my HTML as I don't believe they
are semantically descriptive. But not everyone will know what the heck
an <em> does, just as with [b] to <strong>, etc. The second you allow
<&> for direct use you do open, imho, a whole can of worms that you'd
better be absolutely sure you have faultlessly checked and
double-checked, because as you know there's no room for error these
days.

Best regards,

Richard Davey
--
 http://www.launchcode.co.uk - PHP Development Services
 "I do not fear computers. I fear the lack of them." - Isaac Asimov

attached mail follows:


On 7/9/05, Richard Davey <richlaunchcode.co.uk> wrote:
> I have to say I disagree, because with all modern BBcode parsers it
> would never get to that stage.

The same regular expression magic that keeps you from forgetting your
[/i] can just as easily keep you from forgetting your </i>.

--
Greg Donald
Zend Certified Engineer
MySQL Core Certification
http://destiney.com/

attached mail follows:


Hello Greg,

Saturday, July 9, 2005, 6:40:06 PM, you wrote:

GD> The same regular expression magic that keeps you from forgetting your
GD> [/i] can just as easily keep you from forgetting your </i>.

The difference is the extra hoops your reg exps will have to jump
through, and have to jump through perfectly. You will have to disallow
all <'s and >'s, but do allow them for <i>, <b>, etc etc. Then check
there has been nothing malicious inserted inside every one of those
tags in any shape or form, and all combinations thereof. I'm sorry but
I fail to see how *having* to perform masses of flawless reg-ex
kung-fu is a good thing, in my mind it just widens the margin for
developer error, which is never a plus point.

It's horses for courses though, in the CMS I built for myself I allow
any damn thing I want ;) In the forum built for thousands of
teenagers, you'd have to be out of your mind to allow it. May as well
just give them your server reboot button while you're at it and ask
not to touch.

Best regards,

Richard Davey
--
 http://www.launchcode.co.uk - PHP Development Services
 "I do not fear computers. I fear the lack of them." - Isaac Asimov

attached mail follows:


To follow-up my own post... which is sad I know, but hey...

Saturday, July 9, 2005, 7:08:37 PM, I wrote:

RD> The difference is the extra hoops your reg exps will have to jump
RD> through, and have to jump through perfectly. You will have to disallow
RD> all <'s and >'s, but do allow them for <i>, <b>, etc etc. Then check

I forgot to add that BB style codes come into real use for things a
little more advanced than <i>. For example [red] to colour some text.
If you wish to allow this in HTML format you can either invalidate
your XHTML and allow <font> tags, otherwise allow spans with embedded
CSS?! Even if you do allow <font> you're then parsing for color="" and
nothing else, with potential variable width colours. After a short
while you'll find yourself having to write an HTML validator tool (and
I'm sorry but I have *never* seen one that worked flawlessly yet).

Best regards,

Richard Davey
--
 http://www.launchcode.co.uk - PHP Development Services
 "I do not fear computers. I fear the lack of them." - Isaac Asimov
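Richard's description of how a decent BBcode parser behaves (convert only tags that have both an opening and a matching closing half, leave anything unmatched as literal text, and let the server decide what HTML each tag becomes, so no user-written markup ever reaches the page) and his later [red] example fit in one small converter. The code below is an added example written for this digest, not code from any of the posters or from launchcode.co.uk; the tag table `$bbTags`, the function name `bbcodeToHtml()` and the sample inputs are assumptions.

```php
<?php
// Added example (not from the thread): minimal BBcode-to-HTML conversion that
// escapes all user text first and then rewrites only complete [tag]...[/tag] pairs.

// Server-chosen mapping: BBcode tag => array(opening HTML, closing HTML).
// The user never gets to supply angle brackets; we decide what [b], [i], [red] become.
$bbTags = array(
    'b'   => array('<strong>', '</strong>'),
    'i'   => array('<em>', '</em>'),
    'red' => array('<span style="color:#c00">', '</span>'),
);

function bbcodeToHtml($text, array $tags)
{
    // Step 1: neutralise every < > & " ' so the input contains no live HTML at all.
    $html = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');

    // Step 2: rewrite only complete pairs. An opening tag with no closing tag
    // (or vice versa) does not match and therefore stays as visible literal text.
    // Looping until nothing changes lets nested pairs resolve from the outside in.
    do {
        $before = $html;
        foreach ($tags as $name => $pair) {
            $q = preg_quote($name, '/');
            $html = preg_replace(
                '/\[' . $q . '\](.*?)\[\/' . $q . '\]/is',
                $pair[0] . '$1' . $pair[1],
                $html
            );
        }
    } while ($html !== $before);

    // Preserve the user's line breaks in the (now safe) output.
    return nl2br($html);
}

// Constructed sample inputs covering the cases discussed in the thread.
$samples = array(
    'Some [b]bold[/b] and [i]italic[/i] text',
    'An unclosed [i]tag is simply left alone',
    'Direct HTML like <i>this</i> is escaped, but [red]this[/red] is coloured',
    "[b]Nested [i]pairs[/i][/b] work\nacross lines too",
);

foreach ($samples as $s) {
    echo bbcodeToHtml($s, $bbTags), "\n";
}
```

Improperly nested input such as `[b][i]x[/b][/i]` comes out as mis-nested HTML, which is a layout wart rather than a security problem, because every angle bracket in the output was emitted by the tag table and none by the user; a stricter parser would track open tags on a stack. The point Richard makes survives either way: with escaping done first, there is nothing to "check inside the tags", because no user-supplied tag exists by the time the BBcode step runs.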