php-general Digest 11 Jul 2005 02:25:18 -0000 Issue 3560
php-general-digest-help
lists.php.net
Date: Sun Jul 10 2005 - 21:25:18 CDT
Topics (messages 218404 through 218413):
Re: Apache 1.3x/PHP 5.0.3 404 error handler & posted data...
218404 by: Raymond C. Rodgers
218405 by: Rasmus Lerdorf
Re: SESSION
218406 by: Richard Lynch
218409 by: Thomas Bonham
218410 by: Thomas Bonham
Re: quickForm
218407 by: Richard Lynch
Re: upload file problem
218408 by: Richard Lynch
Re: back slashes
218411 by: Richard Lynch
Re: Security, Late Nights and Overall Paranoia
218412 by: Richard Lynch
Re: Register globals and ini_set
218413 by: Richard Lynch
----------------------------------------------------------------------
attached mail follows:
On Sat, 2005-07-09 at 02:04 -0700, Rasmus Lerdorf wrote:
> Raymond C. Rodgers wrote:
> > I'm trying to write an error handler in PHP to try to avoid sending the
> > browser a 404 error message. Basically, if someone
> > requests /whatever.html on the server and it doesn't exist, my 404 error
> > handler checks to see if /whatever.php exists, if so, it then includes
> > that file.
> >
> > That part works fine.
> >
> > The part that I'm having trouble with is if /whatever.html happens to be
> > the target of a form POST. With GET requests, the data is available in
> > either $_SERVER['REDIRECT_QUERY_STRING'] or (worst case)
> > $_SERVER['REQUEST_URI']. That's easy enough to parse and turn into
> > $_REQUEST and/or $_GET. However, it seems that POSTed data just vanishes
> > into thin air. $_POST is not set, of course, and I've been trying to
> > read data using file_get_contents('php://input') but nothing is
> > returned... Is this a bug in PHP, Apache, not a bug but an unimplemented
> > feature, security precaution, or what? Am I missing something simple to
> > get the POSTed data?
>
> No, you can't do what you are trying to do the way you are trying to do
> it. Apache changes the original POST to a GET request on the internal
> errordocument redirect so PHP can't get at the original posted data.
> Well, it probably could with some hacking, but the web server has
> specifically told us that this is not a POST request anymore, so we
> respect that.
Thanks for the information. I would have thought the information would
still be available somewhere, somehow, since $_SERVER provides a great
deal of information about the redirected request. (Such as the
REDIRECT_REQUEST_METHOD, REDIRECT_QUERY_STRING, etc. indexes.) Oh well,
live and learn. :-)
Raymond
attached mail follows:
Raymond C. Rodgers wrote:
> On Sat, 2005-07-09 at 02:04 -0700, Rasmus Lerdorf wrote:
>>No, you can't do what you are trying to do the way you are trying to do
>>it. Apache changes the original POST to a GET request on the internal
>>errordocument redirect so PHP can't get at the original posted data.
>>Well, it probably could with some hacking, but the web server has
>>specifically told us that this is not a POST request anymore, so we
>>respect that.
>
> Thanks for the information. I would have thought the information would
> still be available somewhere, somehow, since $_SERVER provides a great
> deal of information about the redirected request. (Such as the
> REDIRECT_REQUEST_METHOD, REDIRECT_QUERY_STRING, etc. indexes.) Oh well,
> live and learn. :-)
Yeah, you would think so. But keep in mind that all of those are
provided by the web server. It's not PHP doing it. We tend to try to
play by the rules of the web server we are running under. Not doing so
tends to get us into all sorts of trouble.
-Rasmus
attached mail follows:
On Sat, July 9, 2005 8:27 pm, Thomas Bonham said:
> If someone can send me an example of a login session.
http://php.net/session_start
--
Like Music?
http://l-i-e.com/artists.htm
attached mail follows:
Using the examples for php and my book.
This is the error that I get with the following code.
ERROR:
[client 127.0.0.1] PHP Warning: session_start(): Cannot send session
cookie - headers already sent by (output started at
/var/www/html/thomas/cis166ae/data/login.php:2) in
/var/www/html/thomas/cis166ae/data/login.php on line 3, referer:
http://localhost/thomas/cis166ae/data/
[client 127.0.0.1] PHP Warning: session_start(): Cannot send session
cache limiter - headers already sent (output started at
/var/www/html/thomas/cis166ae/data/login.php:2) in
/var/www/html/thomas/cis166ae/data/login.php on line 3, referer:
http://localhost/thomas/cis166ae/data/
[client 127.0.0.1] PHP Warning: session_start(): Cannot send session
cookie - headers already sent by (output started at
/var/www/html/thomas/cis166ae/data/login.php:2) in
/var/www/html/thomas/cis166ae/data/login.php on line 3, referer:
http://localhost/thomas/cis166ae/data/login.php
[client 127.0.0.1] PHP Warning: session_start(): Cannot send session
cache limiter - headers already sent (output started at
/var/www/html/thomas/cis166ae/data/login.php:2) in
/var/www/html/thomas/cis166ae/data/login.php on line 3, referer:
http://localhost/thomas/cis166ae/data/login.php
[client 127.0.0.1] PHP Fatal error: Call to a member function on a
non-object in /var/www/html/thomas/cis166ae/data/login.php on line 23,
referer: http://localhost/thomas/cis166ae/data/login.php
[Sun Jul 10 18:33:02 2005] [error] [client 127.0.0.1] File does not
exist: /var/www/html/favicon.ico
[root@thomas httpd]#
CODE:
<?php
session_start();
if(isset($_POST['username']) && isset($_POST['passwd']))
{
    $username = $_POST['username'];
    $passwd = $_POST['passwd'];
    /* Connecting to database */
    $db = pg_connect ("
        dbname=auth
        user=auth
        hostaddr=127.0.01
    ");
    $query = "SELECT * FROM auth_user
        WHERE name='$username'
        AND
        password='$passwd'";
    /* Running query */
    $result->pg_query($query);
    $rows = pg_num_rows($result);
    if($rows > 0)
    {
        $_SESSION['valid_user'] = $name;
    }
    else
    {
        echo 'Failed';
    }
}
?>
<html><head><title>Login</title>
<link rel="stylesheet" type="text/css" href="../css/table.css">
<link rel="stylesheet" type="text/css" href="../css/font.css">
</head>
<body>
<table class="center_100">
<tr>
<td class="td_100_center">
<?php
if(isset($_SESSION['valid_user']))
{
    echo 'You are logged in as: '.$_SESSION['valid_user'].'<br>';
}
else
{
    if(isset($username))
    {
        echo 'Could not log you in';
    }
    else
    {
        echo 'You are not login in.<br>';
    }
    echo '<form method="post" action="login.php">';
    echo 'User Name:';
    echo '<input type="text" name="username">';
    echo 'Password:';
    echo '<input type="text" name="passwd">';
    echo '<input type="submit" value="Log in">';
    echo '</font>';
}
?>
</td>
</tr>
</table>
</body>
</html>
Thanks
Thomas
Richard Lynch wrote:
> On Sat, July 9, 2005 8:27 pm, Thomas Bonham said:
>
>>If someone can send me an example of a login session.
>
>
> http://php.net/session_start
>
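A corrected form of the login script above, as an added example that is not part of the original post or the thread. It calls session_start() before any output, calls pg_query_params() as a function with the user name bound as a parameter instead of interpolated into the SQL, and escapes the name on output. It assumes the auth_user.password column holds password_hash() output rather than a plaintext password; check_login() is a hypothetical helper name.

```php
<?php
// Added example, not the poster's code. Nothing (not even a blank line) may
// precede the opening tag above: session_start() must send its cookie header
// before any output, which is what the "headers already sent" warnings mean.
session_start();

/** Return the stored user name when the credentials match, otherwise null. */
function check_login($db, string $username, string $passwd): ?string
{
    // pg_query_params() sends $username separately from the SQL text,
    // so quote characters in it cannot change the query.
    $result = pg_query_params(
        $db,
        'SELECT name, password FROM auth_user WHERE name = $1',
        [$username]
    );
    if ($result === false || pg_num_rows($result) !== 1) {
        return null;
    }
    $row = pg_fetch_assoc($result);
    // Assumption: the password column stores password_hash() output.
    return password_verify($passwd, $row['password']) ? $row['name'] : null;
}

$failed = false;
if (isset($_POST['username'], $_POST['passwd'])
    && is_string($_POST['username']) && is_string($_POST['passwd'])) {
    $db = pg_connect('dbname=auth user=auth hostaddr=127.0.0.1');
    $user = $db ? check_login($db, $_POST['username'], $_POST['passwd']) : null;
    if ($user !== null) {
        session_regenerate_id(true);      // fresh session id after login
        $_SESSION['valid_user'] = $user;
    } else {
        $failed = true;
    }
}

if (isset($_SESSION['valid_user'])) {
    // Escape on output: the name is user-controlled data.
    echo 'You are logged in as: ',
        htmlspecialchars($_SESSION['valid_user'], ENT_QUOTES, 'UTF-8'), '<br>';
} else {
    echo $failed ? 'Could not log you in<br>' : 'You are not logged in.<br>';
    echo '<form method="post" action="login.php">',
        'User Name: <input type="text" name="username"> ',
        'Password: <input type="password" name="passwd"> ',
        '<input type="submit" value="Log in"></form>';
}
```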
attached mail follows:
On Sat, July 9, 2005 7:46 pm, Will said:
> Hi, can someone say where I might post this.
> Hi, I am using a quickform form and it works well except when I use it by
> using an include in another file. In that case when the file is called in
> (by way of the include statement in the parent file) it seems that the
> quickform gets processed as though it had been submitted. Does anyone know
> why that is?
Somewhere in the quickform (whatever that is) near the top of the code,
there is some kind of "if" statement that determines whether to display
the blank form, or if this is the "second" time on this page, after the
form was submitted.
Whatever you've done in your script *before* the quickform, is triggering
that "if" statement into believing that it was submitted.
EXAMPLE:
------- yourscript.php -------
<?php
$name = "Will"; //Probably came from POST or GET, actually...
include 'quickform.inc';
?>
------------------------------
------- quickform.inc ---------
<?php
if (isset($name)){
//Process form code here
}
else{
//Display form code/html here
}
?>
-------------------------------
If 'yourscript.php' hadn't set $name, then the quickform would behave
differently.
It could also be the case that your page has POST or GET data -- Either a
form of its own, or some ?variable1=value1&variable2=value2 stuff.
Your POST/GET or other variables are "confusing" quickform.
You might be able to just change all your variable names to less common
names.
--
Like Music?
http://l-i-e.com/artists.htm
attached mail follows:
On Sat, July 9, 2005 1:39 am, Ahmed Abdel-Aliem said:
> Hi
> I have a problem with code to upload files on the server
> here is the code
>
> $f =& $HTTP_POST_FILES['News_Pic'];
Use $_FILES to stay current...
> $dst_file_name = generateUniqueId();
>
> $arr = split("\.",$f['name']);
>
> $f['name'] = $dst_file_name;
>
> $f['name'] .= ".".$arr[count($arr)-1];
>
> $dest_dir = 'main/pictures';
>
> $dest = $dest_dir . '/' .$f['name'];
So, what happened to $dst_file_name?
Far as I can tell, you've never used it...
> $r = move_uploaded_file($f['tmp_name'], $dest);
> $News_Pic = $f['name'];
> chmod($dest, 777);
Nooooooooooooooo!
You should *NOT* be trying to make the files 777.
And it should be 0777 anyway.
--
Like Music?
http://l-i-e.com/artists.htm
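The points made in the reply above ($_FILES, no world-writable mode, octal mode literals), put together as an added example that is not code from the thread. The field name News_Pic and the directory main/pictures come from the quoted post; store_news_pic(), the MIME allow-list and the random file name are assumptions standing in for the poster's generateUniqueId().

```php
<?php
// Added example, not code from the thread.

const ALLOWED_TYPES = [            // MIME type => extension chosen server-side
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/** Store one uploaded picture; return the stored file name, or null. */
function store_news_pic(array $f, string $dest_dir): ?string
{
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Take the extension from the file content, not from the
    // client-supplied $f['name'].
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if (!isset(ALLOWED_TYPES[$type])) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$type];
    $dest = $dest_dir . '/' . $name;

    // move_uploaded_file() refuses anything that is not a real HTTP upload.
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        return null;
    }
    // The leading 0 makes the literal octal: 0644 is rw-r--r--.
    // chmod($dest, 777) passes decimal 777, which is octal 1411.
    chmod($dest, 0644);
    return $name;
}

if (isset($_FILES['News_Pic'])) {
    $News_Pic = store_news_pic($_FILES['News_Pic'], 'main/pictures');
}
```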
attached mail follows:
On Fri, July 8, 2005 12:48 pm, Jay Blanchard said:
> [snip]
> Let's say I have a string:
>
> "c:\www\test"
>
> I want to insert it into a database, but what ends up getting inserted
> is:
PHP3 and earlier:
http://php.net/addslashes
PHP4 (?) and later:
http://php.net/myqsl_escape_string
> c:wwwtest
>
> I can not get php to double the back slashes no matter what I do!
>
> $string = str_replace("\\", "\\\\", $string);
This "should" have worked, for \, but there are other characters to worry
about...
So you must have made a typo or something when you tried this.
--
Like Music?
http://l-i-e.com/artists.htm
attached mail follows:
On Fri, July 8, 2005 11:25 am, Ezra Nugroho said:
>
> Here is one security measure that you HAVE to do if you allow people to
> submit contents to your site.
>
> 1. track client's IP.
> 2. Associate sensitive cookies with the IP, if they don't match, ignore
> it or invalidate the cookie.
>
> We may not stop the information redirection.
> We can make the information invalid.
NO!!!
IP is *USELESS* as identification!
AOL users change IP more often than drummers change their underwear.
EVERY user working at IBM is gonna have the *same* IP address.
You will only break your site for legitimate users, and not make anything
useful to stop Bad Guys.
--
Like Music?
http://l-i-e.com/artists.htm
attached mail follows:
On Fri, July 8, 2005 7:50 am, Terry Romine said:
You *ARE* doing session_start at the top of each page, right?...
Ya gotta do that.
> I was setting the $_SESSION by:
> $_SESSION['var_name'] = "this";
> or
> $my_local = "this";
> $_SESSION['var_name'] = $my_local;
There *WAS* a bug in PHP [mumble] (4.1.10???) where the $_SESSION data was
"leaking" out to PHP as a "string reference" (never mind PHP has no such
data type).
You could detect it by dumping out $_SESSION and you would see an & in
front of all the strings.
So if you later did:
$var_name = '';
Then your $_SESSION['var_name'] was *ALSO* getting set to ''
> I had stopped using session_register() some time back.
>
> "Sporadically" meaning that some of my variables are working fine, while
> others seem to become empty when referenced by a later script. These
> scripts were working fine on the older PHP version. I'm sure it's just a
> quick determination as to what to change, and then I can do a global
> update across the site. There are about 20-30 websites that this affects,
> so you can see my frustration in trying to do this by bits and pieces. I
> had done a test file like this:
>
> test1.php:
> <?php
> $_SESSION['check'] = "test 1";
> echo($_SESSION['check']);
> ?>
> <a href='test2.php'>Click</a>
>
> and
> test2.php:
> <?php
> echo($_SESSION['check']);
> ?>
> test1.php displays "test1" but test2.php displays nothing.
Looks to me more like the more mundane:
You didn't do session_start() at the beginning of both scripts.
Go to Jail. Do not collect $400.
--
Like Music?
http://l-i-e.com/artists.htm