php-general Digest 9 Aug 2005 04:20:45 -0000 Issue 3614
php-general-digest-help
lists.php.net
Date: Mon Aug 08 2005 - 23:20:45 CDT
Topics (messages 220224 through 220269):
Re: parallel execution of php code?
220224 by: Edward Vermillion
220225 by: Richard Davey
220227 by: Michael Sims
220230 by: M Saleh EG
220269 by: Raj Shekhar
currency class?
220226 by: Jon Hill
220240 by: Nathan Tobik
220246 by: l0t3k
Environment Variable contamination between vhosts - 1.3.33
220228 by: Marc Powell
220229 by: Rasmus Lerdorf
220232 by: Marc Powell
220261 by: Tom Rogers
Re: Can I retrieve a stored php session variable from within a javascript function?
220231 by: Mauricio Pellegrini
220233 by: Mauricio Pellegrini
Logging fatal errors and timeout
220234 by: RPG Gamer
220238 by: Richard Davey
220252 by: RPG Gamer
220256 by: Richard Davey
220265 by: RPG Gamer
220267 by: Richard Davey
Possible to read JavaScript results into a string?
220235 by: Brian Dunning
220236 by: Richard Davey
set variables based on HTTP_HOST
220237 by: Joe Szilagyi
220239 by: Richard Davey
220264 by: Joe Szilagyi
220266 by: Richard Davey
220268 by: Chris
lack of understanding of sessions
220241 by: Sabine
220242 by: Richard Davey
A bug with RecursiveIteratorIterator?
220243 by: Chris
220245 by: Chris
220248 by: Jochem Maas
220262 by: Chris
oci8 recursive call in log
220244 by: Ivonne Trejo Silva
220263 by: James R.
Re: Error Suppression with '
'
220247 by: Mike Milano
Re: A question on the term CFG.
220249 by: Jochem Maas
Report Generator
220250 by: JM
Re: About Get_meta_tags()
220251 by: Jasper Bryant-Greene
Generating a 404 status message with header()
220253 by: Eric Gorr
220257 by: John Nichel
220258 by: Richard Davey
PHP Install with MySQL in 64 bit libraries.
220254 by: Martin McGinn
220255 by: Joseph Oaks
220260 by: Hans Zaunere
Class / app for reading web pages and storing in a mySQL DB
220259 by: Alan Milnes
Administrivia:
To subscribe to the digest, e-mail:
php-general-digest-subscribe
lists.php.net
To unsubscribe from the digest, e-mail:
php-general-digest-unsubscribe
lists.php.net
To post to the list, e-mail:
php-general
lists.php.net
----------------------------------------------------------------------
attached mail follows:
Martin van den Berg wrote:
> I have this piece of php-code which inserts data into a database.
> Before inserting it must verify if the data is unique. The php code
> looks something like:
>
> $query = "SELECT id FROM mytable WHERE bla LIKE " . $x .";
> $rows = execute( $query )
> if ( $rows == 0 )
> {
> /* some more processing */
> $query = "INSERT INTO mytable ...... etc etc
> execute( $query )
> }
>
> Now here is the problem: when the user enters the page, and directly
> refreshes the record is inserted twice.... Is it possible that both
> requests are processed simultaneously by the server (apache on linux)?
> And can I add something like a critical section or semaphore to
> overcome this problem.
>
> Thanx,
>
> Martin
>
It's my understanding that a SELECT has a higher priority than an INSERT
on most MySQL setups.
I've run into this problem on a site I hobby-code on also. It's my guess
that the write isn't hitting the DB in time for the second read to pick
it up, but that's a guess. As far as what to do about it if that's the
problem, I'll let someone else come up with that answer. ;) It's not
*that* critical in my app and it doesn't happen often enough to be a
real problem for me, but I would like to know if there's a way around it.
attached mail follows:
Hello Martin,
Monday, August 8, 2005, 4:07:47 PM, you wrote:
MvdB> Now here is the problem: when the user enters the page, and
MvdB> directly refreshes the record is inserted twice.... Is it
MvdB> possible that both requests are processed simultaneously by the
MvdB> server (apache on linux)? And can I add something like a
MvdB> critical section or semaphore to overcome this problem.
What data type does the execute function return? You're doing a
loose type comparison between $rows and zero (== rather than ===).
Because it's a loose comparison, a number of different results could
equal zero in this case. For example, if execute() returned false your
code would assume an insert is required, which might not be the case.
If you're using MySQL then you may want to look at using a different
method for checking / inserting this data. Rather than a SELECT
followed by INSERT you could use an INSERT IGNORE which won't
duplicate data if it already exists. Or possibly REPLACE INTO -
depends how you need this to work (i.e. retain the oldest copy of the
data, or keep the newest). Look in the MySQL manual for those two
functions for more info.
Best regards,
Richard Davey
--
http://www.launchcode.co.uk - PHP Development Services
Zend Certified Engineer
"I do not fear computers. I fear the lack of them." - Isaac Asimov
attached mail follows:
Martin van den Berg wrote:
> I have this piece of php-code which inserts data into a database.
> Before inserting it must verify if the data is unique. The php code
> looks something like:
>
> $query = "SELECT id FROM mytable WHERE bla LIKE " . $x .";
> $rows = execute( $query )
> if ( $rows == 0 )
> {
> /* some more processing */
> $query = "INSERT INTO mytable ...... etc etc
> execute( $query )
> }
>
> Now here is the problem: when the user enters the page, and directly
> refreshes the record is inserted twice.... Is it possible that both
> requests are processed simultaneously by the server (apache on linux)?
> And can I add something like a critical section or semaphore to
> overcome this problem.
The problem with the approach above is that a race condition exists between the
check for the existence of the row in question, and the insertion of that row. It's
possible that the two requests can come so close together that both of them execute
their selects before either do their inserts. It's not very likely in the simplest
cases, but as the amount of traffic (or the number of users you have who like to
quickly click refresh) increases there is a greater chance that this race condition
will cause a problem.
In my opinion it's best to let your RDBMS handle this concurrency problem, since
it's best equipped to do that. Ideally you would be using some sort of constraint
to prevent duplicate rows in your table...whether this is a primary key, unique
index, foreign key, etc. Inserting a duplicate row should result in an error from
the database. In that case you can trap for the error in your PHP code (using
functions like mysql_error()) and handle it appropriately (for example, displaying a
friendly error message, or simply ignoring the query).
Another approach would be to start a transaction with a high isolation level before
executing the select, but to me this is less desirable because depending on your
database system it may cause contention problems if the entire table has to be
locked. Simply attempting the insert and catching the error should be much lighter,
assuming it's possible to create the appropriate constraint in your database.
HTH
attached mail follows:
Check if you're using MySQL 4.1. If Yes use the subquery functionality.
So you could have your query as following:
"Insert into sometable where not id=NULL and id=Select id from mytable where bla like 'some pattern';"
Not really sure if it would work though. Haven't tried it yet.
HTH.
--
M.Saleh.E.G
97150-4779817
attached mail follows:
Martin van den Berg <martinvdberg
gmail.com> writes:
> I have this piece of php-code which inserts data into a database.
> Before inserting it must verify if the data is unique. The php code
> looks something like:
>
> $query = "SELECT id FROM mytable WHERE bla LIKE " . $x .";
> $rows = execute( $query )
> if ( $rows = 0 )
> {
> /* some more processing */
> $query = "INSERT INTO mytable ...... etc etc
> execute( $query )
> }
>
> Now here is the problem: when the user enters the page, and directly
> refreshes the record is inserted twice.... Is it possible that both
> requests are processed simultaneously by the server (apache on linux)?
> And can I add something like a critical section or semaphore to
> overcome this problem.
>
There are 2 ways to handle this problem -
- create a UNIQUE index on whatever columns you want to be unique in
your database. This way, when the user refreshes the page, the second
insertion will fail. Of course, it means you will need to handle the
"duplicate key" error that the database will throw up gracefully.
- When the page loads, check if the $_SESSION["_insert_success"] is
set. If not, then do the insert part and if the insert is successful,
set $_SESSION["_insert_success"]=true. If the variable is set, then
do not do the insert part , simply display the page again.
--
Raj Shekhar
blog : http://rajshekhar.net/blog home : http://rajshekhar.net
Disclaimer : http://rajshekhar.net/disclaimer
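The UNIQUE-index approach recommended in Michael Sims's and Raj Shekhar's replies in this thread, as an added example that is not code from any poster: it replays the double-refresh interleaving deterministically, with both requests running their SELECT before either INSERT. In-memory SQLite through PDO stands in for MySQL, and the index name and function names are assumptions.

```php
<?php
// Added example (not from the thread). SQLite in memory stands in for MySQL;
// the table and column names follow the original post, everything else is
// hypothetical.

function makeDb(bool $withUniqueIndex): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE mytable (id INTEGER PRIMARY KEY, bla TEXT NOT NULL)');
    if ($withUniqueIndex) {
        // The constraint makes the database the single arbiter of uniqueness.
        $db->exec('CREATE UNIQUE INDEX mytable_bla_uq ON mytable (bla)');
    }
    return $db;
}

// The "check" half of check-then-insert. The placeholder also keeps the
// user-supplied value out of the SQL text.
function rowExists(PDO $db, string $bla): bool
{
    $st = $db->prepare('SELECT 1 FROM mytable WHERE bla = ?');
    $st->execute([$bla]);
    return $st->fetchColumn() !== false;
}

// Attempt the insert and treat an integrity-constraint violation
// (SQLSTATE 23000) as "already there" instead of a failure.
function insertOnce(PDO $db, string $bla): string
{
    try {
        $st = $db->prepare('INSERT INTO mytable (bla) VALUES (?)');
        $st->execute([$bla]);
        return 'inserted';
    } catch (PDOException $e) {
        if ((string) $e->getCode() === '23000') {
            return 'duplicate';
        }
        throw $e; // any other database error is still an error
    }
}

// Replay of the race: request A and request B both run their SELECT
// before either of them reaches its INSERT.
function replayDoubleRefresh(PDO $db, string $bla): array
{
    $aSeesRow = rowExists($db, $bla);
    $bSeesRow = rowExists($db, $bla);

    $results = [];
    if (!$aSeesRow) {
        $results[] = insertOnce($db, $bla);
    }
    if (!$bSeesRow) {
        $results[] = insertOnce($db, $bla);
    }

    $rows = (int) $db->query('SELECT COUNT(*) FROM mytable')->fetchColumn();
    return ['results' => $results, 'rows' => $rows];
}

foreach ([false, true] as $withIndex) {
    $out = replayDoubleRefresh(makeDb($withIndex), 'same value');
    printf(
        "unique index %s: %s, rows in table = %d\n",
        $withIndex ? 'on' : 'off',
        implode(' + ', $out['results']),
        $out['rows']
    );
}
```

Without the index both inserts succeed and the table holds two rows; with it the second insert is reported as a duplicate and one row remains, however the two requests interleave.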
attached mail follows:
Hi
Does anyone know of a simple PHP Currency Class that is similar to the one in
Java (java.util.currency)?
I just need something that will provide methods such as
getSymbol() and getDefaultFractionDigits()
regards
Jon
attached mail follows:
Have you ever considered using the Java class within PHP using something
like the PHP-Java bridge? Here is a link for the bridge, PHP can call
the Java objects natively. It's pretty cool.
http://php-java-bridge.sourceforge.net/
I would use the bridge in a few situations:
1. The Java classes do a lot of under the hood things that are
too slow in PHP or PHP is unable to accomplish the task
2. The PHP class that does the same thing as the Java class is
unwritten and would require a lot of work to port it to PHP. If this
is the case and it might be easier/cheaper to just use the Java class
Nate Tobik
(412)661-5700 x206
VigilantMinds
attached mail follows:
Jon,
I'm not sure if this has it, but check out PEAR::I18N_V2
FYI, one should be included in PHP 5.2, whenever it arrives.
l0t3k
attached mail follows:
Hi all,
First time poster here so I apologize in advance for any gaffes. I've
Googled, searched the archives and the FAQ but can't find anything close
to what I'm experiencing.
I have apache-1.3.33, mod_ssl-2.8.22 (with patches), php-4.3.2 (with
patches, 4.4.0 tested as well), mod_perl-1.29-5 (with patches) running
with the following additional modules --
mod_jk.c, mod_ssl.c, mod_php4.c, mod_perl.c, mod_setenvif.c, mod_so.c,
mod_unique_id.c, mod_headers.c, mod_expires.c, mod_auth_db.c,
mod_auth_anon.c, mod_auth.c, mod_access.c, mod_rewrite.c, mod_alias.c,
mod_userdir.c, mod_actions.c, mod_imap.c, mod_asis.c, mod_cgi.c,
mod_dir.c, mod_autoindex.c, mod_include.c, mod_info.c, mod_status.c,
mod_negotiation.c, mod_mime.c, mod_log_referer.c, mod_log_agent.c,
mod_log_config.c, mod_env.c, mod_vhost_alias.c, http_core.c
all on RHEL 3.5. This server is handling a half dozen HTTP/HTTPS vhost
pairs. Each vhost is running on a separate IP ala --
Listen 1.1.1.1:80
Listen 1.1.1.1:443
<VirtualHost 1.1.1.1:80>
...
</VirtualHost>
<VirtualHost 1.1.1.1:443>
...
</VirtualHost>
Listen 1.1.1.2:80
Listen 1.1.1.2:443
<VirtualHost 1.1.1.2:80>
...
</VirtualHost>
<VirtualHost 1.1.1.2:443>
...
</VirtualHost>
And so forth... We discovered a problem where the HTTPS environment
variable was incorrectly being set to ON for normal HTTP requests for
one of our vhosts running SquirrelMail. Further investigation revealed
that a number of environment variables were being cross-contaminated
between virtual hosts. For example, running phpinfo() under VirtualHost
1.1.1.1 would yield the following on one request (with no contamination)
--
_SERVER["REMOTE_ADDR"] 172.27.a.a
_SERVER["REMOTE_PORT"] 3477
_SERVER["SCRIPT_FILENAME"] /path/to/phpinfo.php
_SERVER["SERVER_ADDR"] 1.1.1.1
_SERVER["SERVER_ADMIN"] noc
ena.com
_SERVER["SERVER_NAME"] my.vhost1.foo
_SERVER["SERVER_PORT"] 80
_SERVER["SERVER_SIGNATURE"] no value
_SERVER["SERVER_SOFTWARE"] Apache
_SERVER["UNIQUE_ID"] QvPfa38AAAEAAEgoDnc
_SERVER["GATEWAY_INTERFACE"] CGI/1.1
_SERVER["SERVER_PROTOCOL"] HTTP/1.0
_SERVER["REQUEST_METHOD"] GET
_SERVER["QUERY_STRING"] no value
_SERVER["REQUEST_URI"] /phpinfo.php
_SERVER["SCRIPT_NAME"] /phpinfo.php
_SERVER["PATH_TRANSLATED"] /path/to/phpinfo.php
_SERVER["PHP_SELF"] /phpinfo.php
And a few _ENV[] variables set such as HOSTNAME, etc... A refresh
however might return the following additions --
_SERVER["REMOTE_ADDR"] 172.27.a.a
_SERVER["REMOTE_PORT"] 2901
_SERVER["SCRIPT_FILENAME"] /path/to/phpinfo.php
_SERVER["SERVER_ADDR"] 1.1.1.1
_SERVER["SERVER_ADMIN"] noc
ena.com
_SERVER["SERVER_NAME"] my.vhost1.foo
_SERVER["SERVER_PORT"] 80
_ENV["HTTPS"] on
_ENV["REMOTE_ADDR"] 66.5.b.b
_ENV["REMOTE_PORT"] 4947
_ENV["SCRIPT_FILENAME"] /path/to/some/other/site/login
_ENV["SERVER_ADDR"] 1.1.1.2
_ENV["SERVER_ADMIN"] noc
ena.com
_ENV["SERVER_NAME"] my.vhost2.foo
_ENV["SERVER_PORT"] 443
_ENV["SERVER_SIGNATURE"] no value
_ENV["SERVER_SOFTWARE"] Apache
_ENV["ssl-unclean-shutdown"] 1
_ENV["UNIQUE_ID"] QvPfr38AAAEAAEgqEyQ
_ENV["GATEWAY_INTERFACE"] CGI-Perl/1.1
_ENV["SERVER_PROTOCOL"] HTTP/1.1
_ENV["REQUEST_METHOD"] POST
_ENV["QUERY_STRING"] no value
_ENV["REQUEST_URI"] /login
_ENV["SCRIPT_NAME"] /login
Essentially, I am seeing the environment variables (at the least) for
someone else's request to a completely different vhost on a completely
different Listen IP. Has anyone seen this before? Any direction where to
look? I've tried disabling mod_env just to see if that was it but it had
no effect. I can't easily disable mod_perl or mod_php for testing
purposes as this is a production machine. I actually have two machines
that are experiencing this. Both are identical. I've been searching for
about a week now but I apparently can't hit on the right combination
of terms ;) This is the first time I've ever seen this in many years of
using Apache and php and I'm concerned about the security implications
of this beyond as well as fixing SquirrelMail ;) I've bounced this off
the apache-users list and they say that since their included printenv
script only shows the appropriate environment information that it's a
php problem. I have a general lack of understanding of the interaction
between Apache and PHP when it comes to the environment variables but it
seems to me that php has to be getting those from Apache. *shrug*
Any hints or guidance would really be appreciated.
Thanks.
--
Marc Powell
Senior Systems Engineer
ENA/ConnecTEN
marc
ena.com
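A check for the symptom described in this post, as an added example that is not code from the thread: it lists per-request CGI variables that show up in `$_ENV` but are missing from, or disagree with, `$_SERVER` for the same request. The function names and the key list are assumptions, and the sample arrays are constructed from values quoted in the post.

```php
<?php
// Added example (not from the thread). Function names and the key list are
// hypothetical; the sample arrays below are constructed from the phpinfo()
// values quoted in the post.

// Variables that describe one request and must never outlive it.
const REQUEST_SCOPED_KEYS = [
    'HTTPS', 'REMOTE_ADDR', 'REMOTE_PORT', 'SERVER_ADDR', 'SERVER_NAME',
    'SERVER_PORT', 'REQUEST_METHOD', 'REQUEST_URI', 'SCRIPT_NAME',
    'SCRIPT_FILENAME', 'UNIQUE_ID',
];

// Report every request-scoped key that is present in $env but absent from
// $server or carrying a different value there.
function findStaleEnv(array $server, array $env): array
{
    $findings = [];
    foreach (REQUEST_SCOPED_KEYS as $key) {
        if (!array_key_exists($key, $env)) {
            continue; // nothing in the process environment for this key
        }
        $expected = $server[$key] ?? null;
        if ($expected === null || (string) $expected !== (string) $env[$key]) {
            $findings[$key] = ['server' => $expected, 'env' => $env[$key]];
        }
    }
    return $findings;
}

// Decide "is this request HTTPS?" from the per-request array only. In the
// dump quoted in the post, the foreign values appear under _ENV while the
// _SERVER entries still describe the current request.
function requestIsHttps(array $server): bool
{
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    return $https !== '' && $https !== 'off';
}

// Constructed sample: the plain-HTTP request to vhost 1 ...
$server = [
    'REMOTE_ADDR' => '172.27.a.a',
    'REMOTE_PORT' => '2901',
    'SERVER_ADDR' => '1.1.1.1',
    'SERVER_NAME' => 'my.vhost1.foo',
    'SERVER_PORT' => '80',
    'REQUEST_METHOD' => 'GET',
    'REQUEST_URI' => '/phpinfo.php',
];
// ... and the leftovers from someone else's HTTPS request to vhost 2.
$env = [
    'HTTPS' => 'on',
    'REMOTE_ADDR' => '66.5.b.b',
    'REMOTE_PORT' => '4947',
    'SERVER_ADDR' => '1.1.1.2',
    'SERVER_NAME' => 'my.vhost2.foo',
    'SERVER_PORT' => '443',
    'REQUEST_METHOD' => 'POST',
    'REQUEST_URI' => '/login',
];

echo json_encode(findStaleEnv($server, $env), JSON_PRETTY_PRINT), "\n";
echo 'HTTPS according to $_SERVER: ', var_export(requestIsHttps($server), true), "\n";
```

On a live server the call would be `findStaleEnv($_SERVER, $_ENV)`, with any non-empty result written to the error log together with the process ID so that affected Apache children can be identified.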
attached mail follows:
These variables are set by Apache and PHP repopulates them on each
request, so I don't really see how PHP could be causing this.
-Rasmus
attached mail follows:
> -----Original Message-----
> From: replies-lists-php
listmail.innovate.net [mailto:replies-lists-
> php
listmail.innovate.net]
> Sent: Monday, August 08, 2005 11:49 AM
> To: Marc Powell
> Subject: Re: [PHP] Environment Variable contamination between vhosts -
> 1.3.33
> since these variables come from apache you might want to write a quick
> perl cgi script and see if you can replicate this issue.
Using --
#!/usr/bin/perl
##
## printenv -- demo CGI program which just prints its environment
##
print "Content-type: text/plain\n\n";
foreach $var (sort(keys(%ENV))) {
$val = $ENV{$var};
$val =~ s|\n|\\n|g;
$val =~ s|"|\\"|g;
print "${var}=\"${val}\"\n";
}
I do not see the issue. This is why the apache guys thought it was a php
issue.
--
Marc
p.s. I changed the reply-to to keep it on-list. I don't know where
'replies-lists-php
listmail.innovate.net' goes.
attached mail follows:
Hi,
Tuesday, August 9, 2005, 3:04:41 AM, you wrote:
MP> Using --
MP> #!/usr/bin/perl
MP> ##
MP> ## printenv -- demo CGI program which just prints its environment
MP> ##
MP> print "Content-type: text/plain\n\n";
MP> foreach $var (sort(keys(%ENV))) {
MP> $val = $ENV{$var};
MP> $val =~ s|\n|\\n|g;
MP> $val =~ s|"|\\"|g;
MP> print "${var}=\"${val}\"\n";
MP> }
MP> I do not see the issue. This is why the apache guys thought it was a php
MP> issue.
MP> --
MP> Marc
MP> p.s. I changed the reply-to to keep it on-list. I don't know where
MP> 'replies-lists-php
listmail.innovate.net' goes.
MP> --
MP> PHP General Mailing List (http://www.php.net/)
MP> To unsubscribe, visit: http://www.php.net/unsub.php
Do you get the same problem if you run php as a cgi?
It may be something related to apache child processes retaining the
previous env ??
I gave up using pconnect because of something similar with it
remembering a previous unrelated db access.
--
regards,
Tom
attached mail follows:
Thanks for your advice.
I've heard of this technique before but wanted to know if there was
another way to do it from Javascript.
Regards
Mauricio
On Sat, 2005-08-06 at 11:05, Burhan Khalid wrote:
> Mauricio Pellegrini wrote:
> > Hi ,
> > I wonder if it's possible to retrieve the value from a php session
> > variable from within a javascript function.
> >
> > Does anyone have any ideas about this?
>
> No. You cannot retrieve it, restore it, read it, send it, anything else.
>
> You can write it from PHP :
>
> echo '<script type="text/javascript">var sess =
> '.$_SESSION['somevar'].'</script>';
>
> But that's it.
attached mail follows:
Thanks Rick, it helped.
Also, I'll do some reading about AJAX (as soon as I can..)
Regards
Mauricio
On Sat, 2005-08-06 at 11:58, Rick Emery wrote:
> Quoting Mauricio Pellegrini <hrrg-inf
speedy.com.ar>:
>
> > Hi ,
> > I wonder if it's possible to retrieve the value from a php session
> > variable from within a javascript function.
>
> I'm no PHP expert, but I'll give it a try (there are plenty of smart
> people on this list who will correct me if I'm wrong :-)
>
> > Does anyone have any ideas about this?
>
> Yes, two off the top of my head.
>
> 1. You can send the session variable to the client along with the script.
>
> ex.
> function doSomething()
> {
> sessVar = <?php print($_SESSION['variable']); ?>;
>
> // Do some stuff.
> }
>
> Of course, sessVar won't be updated if the session variable changes
> unless the script is reloaded.
>
> 2. My favorite, but probably overkill. Write a php page that outputs
> the session variables (as XML would be cool). Then use xmlhttprequest
> to retrieve them from javascript (Google AJAX for more information).
>
> Hope this helps,
> Rick
> --
> Rick Emery
>
> "When once you have tasted flight, you will forever walk the Earth
> with your eyes turned skyward, for there you have been, and there
> you will always long to return"
> -- Leonardo Da Vinci
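Both replies in this thread write a session value straight into JavaScript; as an added example (not code from either poster), this encodes the value as a JavaScript literal first, so strings arrive quoted and a value containing quotes or `</script>` cannot end the script block. The helper names, the allow-list and the sample session contents are assumptions.

```php
<?php
// Added example (not from the thread). Helper names are hypothetical and the
// session contents are constructed.

// Hex-escape <, >, &, ' and " so the literal is safe inside a <script> block
// and inside HTML attributes; throw instead of silently returning false.
const JS_SAFE = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    | JSON_THROW_ON_ERROR;

// Encode any PHP value (string, number, array, null) as a JavaScript literal.
function jsLiteral($value): string
{
    return json_encode($value, JS_SAFE);
}

// Inline form: emit `var <name> = <literal>;` in its own script block.
function inlineScriptVar(string $name, $value): string
{
    if (!preg_match('/^[A-Za-z_$][A-Za-z0-9_$]*$/', $name)) {
        throw new InvalidArgumentException('not a plain JavaScript identifier');
    }
    return '<script type="text/javascript">var ' . $name . ' = '
        . jsLiteral($value) . ';</script>';
}

// Endpoint form (the XMLHttpRequest suggestion): expose only allow-listed
// keys, so server-side secrets kept in the session never reach the browser.
function sessionForClient(array $session, array $allowedKeys): string
{
    return jsLiteral(array_intersect_key($session, array_flip($allowedKeys)));
}

// Constructed stand-in for $_SESSION.
$session = [
    'somevar' => 'Ann "Q" </script> & co',
    'cart_items' => 3,
    'csrf_secret' => 'server-side only',
];

// Plain concatenation, as in the replies: the string is emitted unquoted and
// its "</script>" closes the block early.
$naive = '<script type="text/javascript">var sess = '
    . $session['somevar'] . '</script>';

echo "concatenated: ", $naive, "\n";
echo "encoded:      ", inlineScriptVar('sess', $session['somevar']), "\n";
echo "endpoint:     ", sessionForClient($session, ['somevar', 'cart_items']), "\n";
```

An endpoint serving the last form should also send `Content-Type: application/json` and require the same session cookie as the page itself.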
attached mail follows:
I use the error handler function found at
http://www.php.net/manual/en/ref.errorfunc.php . Whenever a fatal
error has occurred, it does not log the error. I tried adding
E_CORE_ERROR, E_CORE_WARNING, E_COMPILE_WARNING, E_COMPILE_ERROR and
so that whenever they occur, it will log itself to a log file.
Another question related to that is how do I log a timeout error for
the fopen() function? When fopen() times out, it produces a fatal
error and fatal error is not being logged.
attached mail follows:
Hello RPG,
Monday, August 8, 2005, 6:05:47 PM, you wrote:
RG> I use the error handler function found at
RG> http://www.php.net/manual/en/ref.errorfunc.php . Whenever a fatal
RG> error has occurred, it does not log the error. I tried adding
RG> E_CORE_ERROR, E_CORE_WARNING, E_COMPILE_WARNING, E_COMPILE_ERROR
RG> and so that whenever they occur, it will log itself to a log file.
Where did you add the error level flags? and have you enabled the
error log entry in the php.ini? It should look like this:
error_reporting = E_ALL|E_NOTICE|E_CORE_ERROR
log_errors = On
error_log = "D:/php4_error_log.txt" (or where-ever)
Stick display errors on for your dev machine too if you want:
display_errors = On
display_startup_errors = On
RG> Another question related to that is how do I log a timeout error
RG> for the fopen() function? When fopen() times out, it produces a
RG> fatal error and fatal error is not being logged.
Fix the above :)
Best regards,
Richard Davey
--
http://www.launchcode.co.uk - PHP Development Services
Zend Certified Engineer
"I do not fear computers. I fear the lack of them." - Isaac Asimov
attached mail follows:
I set my error report to 0 just like the ones at
http://www.php.net/manual/en/ref.errorfunc.php:
error_reporting (0);
... so that I can use the custom error handler function at
http://www.php.net/manual/en/ref.errorfunc.php.
I'm on a shared server, by the way.
>Hello RPG,
>
>Where did you add the error level flags? and have you enabled the
>error log entry in the php.ini? It should look like this:
>
>error_reporting = E_ALL|E_NOTICE|E_CORE_ERROR
>log_errors = On
>error_log = "D:/php4_error_log.txt" (or where-ever)
>
>Stick display errors on for your dev machine too if you want:
>
>display_errors = On
>display_startup_errors = On
attached mail follows:
Hello RPG,
Monday, August 8, 2005, 9:34:52 PM, you wrote:
RG> I set my error report to 0 just like the ones at
RG> http://www.php.net/manual/en/ref.errorfunc.php: error_reporting
RG> (0);
RG> ... so that I can use the custom error handler function at
RG> http://www.php.net/manual/en/ref.errorfunc.php.
RG> I'm on a shared server, by the way.
You cannot catch Fatal run-time errors with that method of error
handling. The error has occurred before the script settings have had a
chance to be picked up.
Check to see if your host allows you to use .htaccess settings to
over-ride PHP ini settings - for trapping Fatal run-times on a shared
server that's most likely your only option. I've seen some hosts dump
PHP errors to an error_log in the same directory as the script that
caused the error. This might be an option (although not very secure,
it's better than displaying the error across the middle of your site)
Best regards,
Richard Davey
--
http://www.launchcode.co.uk - PHP Development Services
Zend Certified Engineer
"I do not fear computers. I fear the lack of them." - Isaac Asimov
attached mail follows:
Thanks. How do I override PHP settings using .htaccess?
>Hello RPG,
>
>You cannot catch Fatal run-time errors with that method of error
>handling. The error has occurred before the script settings have had a
>chance to be picked up.
>
>Check to see if your host allows you to use .htaccess settings to
>over-ride PHP ini settings - for trapping Fatal run-times on a shared
>server that's most likely your only option. I've seen some hosts dump
>PHP errors to an error_log in the same directory as the script that
>caused the error. This might be an option (although not very secure,
>it's better than displaying the error across the middle of your site)
>
>Best regards,
>
>Richard Davey
attached mail follows:
Hello RPG,
Tuesday, August 9, 2005, 12:52:48 AM, you wrote:
RG> Thanks. How do I override PHP settings using .htaccess?
php_value include_path ".:/usr/local/lib/php"
php_admin_flag safe_mode on
etc
Look at the manual section titled "How to change configuration
settings" for more details (it's in the install section somewhere)
Best regards,
Richard Davey
--
http://www.launchcode.co.uk - PHP Development Services
Zend Certified Engineer
"I do not fear computers. I fear the lack of them." - Isaac Asimov
attached mail follows:
I have an external JavaScript that I use on several of my sites. It
returns a web counter and does some other logging. It's accessed like
this:
<script language="javascript" src="http://www.mydomain.com/log.js"></
script>
No rocket science there, this is common and it works great. That call
returns a block like this:
document.write('<a bunch of html>')
What I want to know is: is it possible to retrieve the above
outputted code into a string, rather than outputting it directly to
the browser? Nothing I've tried works, and I also tried this using a
Google AdSense call to make sure there was not a problem in my
JavaScript. Here's what I tried and what happened:
<?php
$x = file_get_contents('http://www.mydomain.com/log.js');
// also tried urlencode() but that did not help
?>
The result:
Warning: main(http://www.mydomain.com/log.js) [function.main]: failed
to open stream: HTTP request failed! HTTP/1.1 400 Bad Request in c:
\Inetpub\wwwroot\test.php on line 2
attached mail follows:
Hello Brian,
Monday, August 8, 2005, 6:38:54 PM, you wrote:
BD> <?php
BD> $x = file_get_contents('http://www.mydomain.com/log.js');
BD> // also tried urlencode() but that did not help
BD> ?>
BD> The result:
BD> Warning: main(http://www.mydomain.com/log.js) [function.main]: failed
BD> to open stream: HTTP request failed! HTTP/1.1 400 Bad Request in c:
BD> \Inetpub\wwwroot\test.php on line 2
Your code will work providing that PHP is not running in Safe Mode
and allow_url_fopen is enabled in your php.ini file.
Best regards,
Richard Davey
--
http://www.launchcode.co.uk - PHP Development Services
Zend Certified Engineer
"I do not fear computers. I fear the lack of them." - Isaac Asimov
attached mail follows:
Is this potentially bad, security wise, to do something like this? Can
you guys recommend any way to tighten this up a bit or do this sort of
thing better/more eloquently?
<?
// one host list per site
$Host1 = array ('name1.host.com');
$Host2 = array ('name2.host.com');
$Host3 = array ('name3.host.com');
$Host4 = array ('name4.host.com');
// elseif chain, so the final else is the default for unknown hosts
if (in_array ($_SERVER['HTTP_HOST'], $Host1))
{
$HeaderImg = "/headers/name1_header.gif"; // define graphic
$SiteCSS = "/css/name1_css.css"; // define css
}
elseif (in_array ($_SERVER['HTTP_HOST'], $Host2))
{
$HeaderImg = "/headers/name2_header.gif"; // define graphic
$SiteCSS = "/css/name2_css.css"; // define css
}
elseif (in_array ($_SERVER['HTTP_HOST'], $Host3))
{
$HeaderImg = "/headers/name3_header.gif"; // define graphic
$SiteCSS = "/css/name3_css.css"; // define css
}
elseif (in_array ($_SERVER['HTTP_HOST'], $Host4))
{
$HeaderImg = "/headers/name4_header.gif"; // define graphic
$SiteCSS = "/css/name4_css.css"; // define css
}
else
{
$HeaderImg = "/headers/main_header.gif"; // define graphic
$SiteCSS = "/css/main_css.css"; // define css
}
?>
<link rel="stylesheet" href="<? echo $SiteCSS ?>" type="text/css" />
<img src="<? echo $HeaderImg ?>">
The idea is to use this in the global header of a site that may be
invoked through up to 20-30 different third level subdomains, for the
same content. Standard stuff, one site, one set of tools to run it,
but each subdomain's slightly unique content pulls based on host.
thanks,
Joe
attached mail follows:
Hello Joe,
Monday, August 8, 2005, 6:40:37 PM, you wrote:
JS> Is this potentially bad, security wise, to do something like this?
JS> Can you guys recommend any way to tighten this up a bit or do this
JS> sort of thing better/more eloquently?
$_SERVER is, thankfully, _mostly_ populated by the web server, not the
client. HTTP_HOST certainly falls into this category. The only thing
you probably shouldn't do is rely on it always being there, so have
some catch-all set of headers / css if it's not set (mind you, if that
happens you've got a bigger problem on your hands! but it'd stop your
site breaking).
JS> <?
JS> $Host1 = array ('name1.host.com');
JS> if (in_array ($_SERVER['HTTP_HOST'], $Host1))
JS> {
JS> $HeaderImg = "/headers/name1_header.gif"; // define graphic
JS> $SiteCSS = "/css/name1_css.css"; // define css
JS> }
Why are you creating lots of arrays and then using in_array to check
them? Just seems a little pointless in this instance as it gives you
no real benefit - comparing a one element array against a variable is
just... well.. comparing a variable with a variable! So why not do
that? Perhaps a switch block would serve your needs better?
switch ($_SERVER['HTTP_HOST'])
{
case 'name1.host.com':
$header = ..
break;
}
etc - then you can combine multiple hosts into one section and have a
default set at the bottom.
Best regards,
Richard Davey
--
http://www.launchcode.co.uk - PHP Development Services
Zend Certified Engineer
"I do not fear computers. I fear the lack of them." - Isaac Asimov
attached mail follows:
Hi!
On 8/8/05, Richard Davey <rich
launchcode.co.uk> wrote:
> Why are you creating lots of arrays and then using in_array to check
> them? Just seems a little pointless in this instance as it gives you
> no real benefit - comparing a one element array against a variable is
> just... well.. comparing a variable with a variable! So why not do
> that? Perhaps a switch block would serve your needs better?
I took your advice and put this up--any thoughts or advice would be
appreciated. Is the switch setup below the sort of thing you were
talking about? I altered it slightly overall to set a specific header
file, instead of a graphic, which is more useful.
<?
// header generation script
// define path to includes & header folder where
// include files live
$includepath = '/home/user/public_html/inc';
// (would be in a global include file, just here for clarity)
// see what host is invoked
switch ($_SERVER['HTTP_HOST']) // check hostname
{
case 'domain.com': // define host
$Header = '/inc/main.header.inc'; // define header file
break; // next
case 'www.domain.com':
$Header = '/inc/main.header.inc';
break;
case 'host1.domain.com':
$Header = '/inc/host1.header.inc';
break;
case 'host2.domain.com':
$Header = '/inc/host2.header.inc';
break;
case 'host3.domain.com':
$Header = '/inc/host3.header.inc';
break;
case 'host4.domain.com':
$Header = '/inc/host4.header.inc';
break;
case 'host5.domain.com':
$Header = '/inc/host5.header.inc';
break;
// etc., etc.
default:
$Header = '/inc/illegalhost.header.inc'; // define header
}
// call the include header file for that host
if (file_exists("$includepath/$Header")) { // include valid?
include stripslashes("$includepath/$Header"); // yup, include
} else {
echo "FAILURE MESSAGE OF SOME SORT"; // nope
exit;
}
?>
(rest of page)
I figure I can get a regexp in there somehow so I don't need two
entries for the main domain.com and its www c name, either... need to
add that.
I'm also sort of paranoid about unchecked includes in PHP and getting
compromised--is doing a check like I am here for the include file's
existence worthwhile or even useful to protect against possible
problems?
thanks,
Joe
attached mail follows:
Hello Joe,
Tuesday, August 9, 2005, 12:57:17 AM, you wrote:
JS> // call the include header file for that host
JS> if (file_exists("$includepath/$Header")) { // include valid?
JS> include stripslashes("$includepath/$Header"); // yup, include
JS> } else {
JS> echo "FAILURE MESSAGE OF SOME SORT"; // nope
JS> exit;
JS> }
JS> ?>
JS> (rest of page)
JS> I figure I can get a regexp in there somehow so I don't need two
JS> entries for the main domain.com and its www c name, either... need to
JS> add that.
You can just do this:
switch ($_SERVER['HTTP_HOST']) // check hostname
{
case 'www.domain.com':
case 'domain.com': // define host
$Header = '/inc/main.header.inc'; // define header file
break; // next
}
Stack 'em up as much as you need.
JS> I'm also sort of paranoid about unchecked includes in PHP and
JS> getting compromised--is doing a check like I am here for the
JS> include file's existence worthwhile or even useful to protect
JS> against possible problems?
You're not doing an un-checked include - it's definitely checked.
You've pre-defined the $includepath at the start of your script, so
no-one can over-write this. You've forced $header to be one of the
switch options and *nothing* else. So those two things are certainly
clean.
If someone manages to inject bogus variables into your
$_SERVER['HTTP_HOST'] element then you've got bigger things to worry
about than your code :) (i.e. someone has compromised your server) but
with your switch block and pre-set values even if they had managed
that, you'd still only ever include a valid header.
You have to draw the line somewhere with security - nothing will ever
be 100% safe because there are so many chains in the loop (firewall,
network, server, apache, php, etc). I would say that as it stands
you've done the best you can for this little section of code, but
perhaps some others might post more ideas if they have them.
Best regards,
Richard Davey
--
http://www.launchcode.co.uk - PHP Development Services
Zend Certified Engineer
"I do not fear computers. I fear the lack of them." - Isaac Asimov
attached mail follows:
Richard Davey wrote:
>Hello Joe,
>
>Tuesday, August 9, 2005, 12:57:17 AM, you wrote:
>
>
>JS> // call the include header file for that host
>JS> if (file_exists("$includepath/$Header")) { // include valid?
>JS> include stripslashes("$includepath/$Header"); // yup, include
>JS> } else {
>JS> echo "FAILURE MESSAGE OF SOME SORT"; // nope
>JS> exit;
>JS> }
>
>JS> ?>
>
>JS> (rest of page)
>
>JS> I figure I can get a regexp in there somehow so I don't need two
>JS> entries for the main domain.com and its www c name, either... need to
>JS> add that.
>
>You can just do this:
>
>switch ($_SERVER['HTTP_HOST']) // check hostname
>{
> case 'www.domain.com':
> case 'domain.com': // define host
> $Header = '/inc/main.header.inc'; // define header file
> break; // next
>}
>
>Stack 'em up as much as you need.
>
>JS> I'm also sort of paranoid about unchecked includes in PHP and
>JS> getting compromised--is doing a check like I am here for the
>JS> include file's existence worthwhile or even useful to protect
>JS> against possible problems?
>
>You're not doing an un-checked include - it's definitely checked.
>
>You've pre-defined the $includepath at the start of your script, so
>no-one can over-write this. You've forced $header to be one of the
>switch options and *nothing* else. So those two things are certainly
>clean.
>
>If someone manages to inject bogus variables into your
>$_SERVER['HTTP_HOST'] element then you've got bigger things to worry
>about than your code :) (i.e. someone has compromised your server) but
>with your switch block and pre-set values even if they had managed
>that, you'd still only ever include a valid header.
>
>You have to draw the line somewhere with security - nothing will ever
>be 100% safe because there are so many chains in the loop (firewall,
>network, server, apache, php, etc). I would say that as it stands
>you've done the best you can for this little section of code, but
>perhaps some others might post more ideas if they have them.
>
>Best regards,
>
>Richard Davey
>
>
Security-wise, you can't count on $_SERVER['HTTP_HOST'] , it is passed
to PHP by Apache, but Apache is just passing through the user-supplied
Host header.
So don't depend on that for any security related information (like
restricting logins), but, if it's just page layout, and they are all
similarly accessible sites, that shouldn't be a problem.
Chris
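The point made in this thread, as an added PHP example that is not part of any post: the client-supplied Host header is normalized and then used only as a lookup key into a fixed table, so the file name that is included always comes from the table and never from the request. The function names and the constructed test inputs are assumptions; the host names and file names are the thread's placeholders.

```php
<?php
// Added example (not from the thread). INCLUDE_DIR and the sample Host
// values at the bottom are constructed.

const INCLUDE_DIR    = '/home/user/public_html/inc';
const DEFAULT_HEADER = 'illegalhost.header.inc';
const HOST_HEADERS   = [
    'domain.com'       => 'main.header.inc',
    'www.domain.com'   => 'main.header.inc',
    'host1.domain.com' => 'host1.header.inc',
    'host2.domain.com' => 'host2.header.inc',
];

/** Reduce a raw Host header to a bare lowercase host name, or null. */
function normalize_host(?string $raw): ?string
{
    if ($raw === null) {
        return null;                      // header missing entirely
    }
    $host = strtolower(trim($raw));
    $host = preg_replace('/:\d+\z/', '', $host);   // drop an optional :port
    $host = rtrim($host, '.');                     // drop a trailing root dot
    if (strlen($host) > 253) {
        return null;
    }
    // Letters, digits, dots and hyphens only: no slashes, no NUL bytes,
    // nothing that could mean something to the filesystem.
    if (!preg_match('/\A[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?\z/', $host)) {
        return null;
    }
    return $host;
}

/** Map a raw Host header to the header file to include. */
function header_path_for(?string $rawHost): string
{
    $host = normalize_host($rawHost);
    $file = ($host !== null && array_key_exists($host, HOST_HEADERS))
        ? HOST_HEADERS[$host]
        : DEFAULT_HEADER;
    // Only values from HOST_HEADERS or DEFAULT_HEADER ever reach this path.
    return INCLUDE_DIR . '/' . $file;
}

// Constructed Host values a client could send.
$samples = [
    'www.domain.com',
    'WWW.Domain.com:8080',
    'host1.domain.com.',
    'unknown.example',
    '../../etc/passwd',
    null,
];

foreach ($samples as $sample) {
    printf("%-24s -> %s\n", var_export($sample, true), header_path_for($sample));
}
```

This covers layout selection only; as the reply above says, the Host value should not drive anything security related such as restricting logins.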
attached mail follows:
Hello to all,
I think, I have a basic problem of understanding sessions and the
storing of variables in sessions.
I have a simple script I tested on 3 Apache-servers, one with PHP 5.0,
one with 4.3.10 and one with 4.0.6.
I have to develop for the 4.0.6 !!! server.
The output is different for every server.
All servers have session.auto_start off (irrelevant, cause I start the
session myself?) and session.use_cookies on
The PHP4-servers have register_globals on, on the PHP5 it is set to off.
My script is as follows:
session_start();
$test = "";
if (!isset($HTTP_SESSION_VARS['test'])) {
$test = "test";
$HTTP_SESSION_VARS['test'] = $test;
echo "if, test: " . $test . "<br>";
echo "if, sesstest: " . $HTTP_SESSION_VARS['test'] . "<br>";
} else {
$test = $HTTP_SESSION_VARS['test'];
echo "else, test: " . $test . "<br>";
echo "else, sesstest: " . $HTTP_SESSION_VARS['test'] . "<br>";
}
echo "test: " . $test . "<br>";
echo "sesstest: " . $HTTP_SESSION_VARS['test'] . "<br>";
$test2 = "";
if (!session_is_registered('test2')) {
$test2 = "test2";
session_register('test2');
echo "if, test2: " . $test2 . "<br>";
} else {
echo "else, test2: " . $test2 . "<br>";
}
echo "test2: " . $test2 . "<br>";
When I call the script for the first time the output is:
if, test: test
if, sesstest: test
test: test
sesstest: test
if, test2: test2
test2: test2
on all servers.
Additionally I get a warning for the session_register-part on the
PHP5-server. That's ok.
But when refreshing the script, I get different output:
PHP5:
else, test: test
else, sesstest: test
test: test
sesstest: test
else, test2:
test2:
That's, what I would have expected.
PHP4.3.10:
else, test:
else, sesstest:
test:
sesstest:
else, test2:
test2:
I don't understand, why the variables seem to be empty.
PHP4.0.6:
if, test: test
if, sesstest: test
test: test
sesstest: test
else, test2:
test2:
I don't understand, why it won't go to the else in the
HTTP_SESSION_VARS-part.
In the session_is_registered-part, the var seems to be empty, too. Why?
I don't want to make use of the register_globals on, so think I should
prefer the HTTP_SESSION_VARS-part.
But what do I get wrong?
It would be very, very nice of you to explain it to me or to give me a
tip where to read more to approach my understanding.
Thank you in advance
Sabine
attached mail follows:
Hello Sabine,
Monday, August 8, 2005, 7:17:51 PM, you wrote:
S> When I call the script for the first time the output is:
S> if, test: test
S> if, sesstest: test
S> test: test
S> sesstest: test
S> if, test2: test2
S> test2: test2
S> on all servers.
S> Additionally I get a warning for the session_register-part on the
S> PHP5-server. That's ok.
You shouldn't really be using it even on 4.0.6, best remove it now and
the warning will go too.
S> PHP4.3.10:
S> else, test:
S> else, sesstest:
S> test:
S> sesstest:
S> else, test2:
S> test2:
S> I don't understand, why the variables seem to be empty.
Dump out the session contents and see what's in there (if anything):
print_r($_SESSION);
Equally, dump out the cookie super global to see if the session cookie
even got set
print_r($_COOKIE);
Or use the Web Developer extension for Firefox and "Display cookies"
after the first page load - you should see the PHPSESSID cookie in
existence. If not, that's the problem. If so, what does it say?
S> In the session_is_registered-part, the var seems to be empty, too. Why?
Because even 4.0.6 shouldn't be using that function. If you want to
check for the existence of a variable, use isset().
Best regards,
Richard Davey
--
http://www.launchcode.co.uk - PHP Development Services
Zend Certified Engineer
"I do not fear computers. I fear the lack of them." - Isaac Asimov
attached mail follows:
I'm trying to extend the RecursiveIteratorIterator class, to limit which
children it recurses through.
The documentation here:
http://www.php.net/~helly/php/ext/spl/classRecursiveIteratorIterator.html
says that there is a public method callHasChildren(), which I figured
was a good place to start. It seemed like it made sense, except for the
fact that callHasChildren() does not exist. Overloading the
function does nothing, and instantiating my extended object, then
manually calling callHasChildren() results in a method not found error.
Call to undefined method RecursiveIteratorIterator::callhaschildren()
I'm including my complete extension class below
Thanks,
Chris
class CPage_TreeMenuIterator extends RecursiveIteratorIterator
{
function __construct(CPage_Node $it)
{
parent::__construct($it,RIT_SELF_FIRST);
}
function callHasChildren()
{
echo "CPage_TreeMenuIterator::callHasChildren();<br />\n";
return parent::callHasChildren();
}
}
attached mail follows:
In further looking at the SPL classes, I'm thinking I want to use the
RecursiveFilterIterator class to filter my nodes.
But I ran into another problem: the class RecursiveFilterIterator does
not exist.
Am I missing something here?
Confused,
Chris
attached mail follows:
Chris wrote:
> In further looking at the SPL classes, I'm thinking I want to use the
> RecursiveFilterIterator class to filter my nodes.
>
> But I ran into another problem: the class RecursiveFilterIterator does
> not exist.
>
> Am I missing something here?
you're out on the bleeding edge so to speak - not many people have played with
this stuff yet - a lot will depend on the php build you're using - best bet is to try the
latest RC of 5.1 and see what that has in it .... I have a feeling you will
have to make a bit of use of the following funcs (and maybe even the reflection API)
to figure out _exactly_ what is available in your build:
http://php.net/manual/en/function.get-declared-classes.php
http://php.net/manual/en/function.get-declared-interfaces.php
http://php.net/manual/en/function.get-class-methods.php
>
> Confused,
> Chris
>
attached mail follows:
Jochem Maas wrote:
> Chris wrote:
>
>> In further looking at the SPL classes, I'm thinking I want to use the
>> RecursiveFilterIterator class to filter my nodes.
>>
>> But I ran into another problem: the class RecursiveFilterIterator
>> does not exist.
>>
>> Am I missing something here?
>
>
> you're out on the bleeding edge so to speak - not many people have
> played with this stuff yet - a lot will depend on the php build you're
> using - best bet is to try the latest RC of 5.1 and see what that has
> in it .... I have a feeling you will have to make a bit of use of the
> following funcs (and maybe even the reflection API)
> to figure out _exactly_ what is available in your build:
>
> http://php.net/manual/en/function.get-declared-classes.php
> http://php.net/manual/en/function.get-declared-interfaces.php
> http://php.net/manual/en/function.get-class-methods.php
>
>
Thanks for the response. I'm really in love with most of the SPL stuff,
it's most unfortunate that some parts aren't ready yet. Upgrading would
be OK for my test server, but I was hoping to put this code on a PHP
5.0.3 server (upgrading there is an option, but a very undesirable one).
I'll look into precisely what is working on my 5.0.3 development server
at the moment. Any ideas if this functionality is likely to change?
Right now I'm specifically looking the Iterator and RecursiveIterator stuff.
I'll explain my precise situation in more detail in the hopes that
someone can make some suggestions or point out another way I might be
able to do this without filtering the RecursiveIterator.
I'm essentially storing the navigation of a Website in an object tree.
The root node (Home) has children, each of those has children, etc. My
tree definition file (an include that uses method calls to the CPage
object) creates the tree, and assigns different target areas for the
navigation to appear in.
So one CPage_Node might reside in the Top target, but send its children
to the Left target. and One of those children might Send *its* children
to the Tab target, while the rest just send theirs to the Left target.
So, for each target that is a Tree (displays a tree structure) I
Recursively Iterate the Full page tree, starting at the Root Node point,
but I have to stop displaying children that are being shown in another
target.
I can get it to work with the following code (using the
RecursiveIterator, but not the RecursiveFilterIterator)
$iTarget = $oPage->GetMenu(CPAGE_TARGET_LEFT)->GetTarget();
foreach($oPage->GetMenu(CPAGE_TARGET_LEFT)->GetRecursiveNodes() as $oNode)
{
if($oNode->GetTarget() != $iTarget) continue;
// Display the node here
echo str_repeat(' ',$oNode->GetLevel()),$oNode->GetName(),"\n";
}
Thanks,
Chris
attached mail follows:
Hi! Please excuse my poor English.
I have this error in PHP 4.2.3 with oracle 8.1.7:
[14-Jul-2005 16:25:36] PHP Warning: OCI8 Recursive call!
in /ariadna/cgi-bin/dara/pucmatico/config/conecta_bd.php on line 50
[14-Jul-2005 16:25:36] PHP Warning: OCI8 Recursive call!
in /ariadna/cgi-bin/dara/pucmatico/config/conecta_bd.php on line 50
[14-Jul-2005 16:25:37] PHP Warning: OCI8 Recursive call!
in /ariadna/cgi-bin/dara/pucmatico/config/conecta_bd.php on line 50
[14-Jul-2005 16:25:38] PHP Warning: OCI8 Recursive call!
in /ariadna/cgi-bin/dara/pucmatico/config/conecta_bd.php on line 50
conecta_bd.php scripts :
session_start();
if((!isset($SESSION))&&(!isset($flag))) {
echo"
<SCRIPT LANGUAGE='JavaScript'>
<!--
top.location = 'https://www.puc.cl/pucmatico';
//-->
</SCRIPT>";
exit;
} # end of if ...
clearstatcache();
$Dir_app = "/ariadna/cgi-bin/dara/pucmatico";
include_once ($Dir_app.'/programa/libs/decrypt.php');
$User = "web_pucmat";
$Pass = file($Dir_app."/config/clave1.php");
$User_r = "pucmat";
$Pass_r = file($Dir_app."/config/clave2.php");
$yyy=decrypt($key,$Pass[0]);
$xxx=decrypt($key,$Pass_r[0]);
$db = "(DESCRIPTION_LIST=
(DESCRIPTION=
(ADDRESS=(PROTOCOL=TCP)(HOST=pucmatuc.puc.cl) (PORT=1705))
(CONNECT_DATA=(SID=ora73)(SERVER=DEDICATED))
)
(DESCRIPTION=
(ADDRESS=(PROTOCOL=TCP)(HOST=pucmatuc.puc.cl) (PORT=1706))
(CONNECT_DATA=(SID=ora73)(SERVER=DEDICATED))
)
(DESCRIPTION=
(ADDRESS=(PROTOCOL=TCP)(HOST=pucmatuc.puc.cl) (PORT=1707))
(CONNECT_DATA=(SID=ora73)(SERVER=DEDICATED))
)
(DESCRIPTION=
(ADDRESS=(PROTOCOL=TCP)(HOST=pucmatuc.puc.cl) (PORT=1708))
(CONNECT_DATA=(SID=ora73)(SERVER=DEDICATED))
)
(DESCRIPTION=
(ADDRESS=(PROTOCOL=TCP)(HOST=pucmatuc.puc.cl) (PORT=1709))
(CONNECT_DATA=(SID=ora73)(SERVER=DEDICATED))
)
)";
# This line was added to get debug output for the Oracle connections
# 20050724 fgc puc.cl
#OCIInternalDebug(1);
$Conexion = OCILogon($User,$yyy,$db);
$Consulta = OCIParse ($Conexion, "SET ROLE $User_r IDENTIFIED BY
\"$xxx\" ");
OCIExecute($Consulta);
OCIFreeStatement($Consulta);
?>
Any ideas for this?
--
Ivonne Trejo Silva
mailto:itrejo
uc.cl
attached mail follows:
It seems to be that last line of your code which is causing the error. I've
no idea why though.
-James
----- Original Message -----
From: "Ivonne Trejo Silva" <itrejo
puc.cl>
To: <php-general
lists.php.net>
Sent: Monday, August 08, 2005 2:46 PM
Subject: [PHP] oci8 recursive call in log
> Hi! Please excuse my poor English.
>
> I have this error in PHP 4.2.3 with oracle 8.1.7:
>
> [14-Jul-2005 16:25:36] PHP Warning: OCI8 Recursive call!
> in /ariadna/cgi-bin/dara/pucmatico/config/conecta_bd.php on line 50
> [14-Jul-2005 16:25:36] PHP Warning: OCI8 Recursive call!
> in /ariadna/cgi-bin/dara/pucmatico/config/conecta_bd.php on line 50
> [14-Jul-2005 16:25:37] PHP Warning: OCI8 Recursive call!
> in /ariadna/cgi-bin/dara/pucmatico/config/conecta_bd.php on line 50
> [14-Jul-2005 16:25:38] PHP Warning: OCI8 Recursive call!
> in /ariadna/cgi-bin/dara/pucmatico/config/conecta_bd.php on line 50
>
>
> conecta_bd.php scripts :
>
> session_start();
> if((!isset($SESSION))&&(!isset($flag))) {
> echo"
> <SCRIPT LANGUAGE='JavaScript'>
> <!--
> top.location = 'https://www.puc.cl/pucmatico';
> //-->
> </SCRIPT>";
> exit;
> } # end of if ...
> clearstatcache();
> $Dir_app = "/ariadna/cgi-bin/dara/pucmatico";
> include_once ($Dir_app.'/programa/libs/decrypt.php');
> $User = "web_pucmat";
> $Pass = file($Dir_app."/config/clave1.php");
> $User_r = "pucmat";
> $Pass_r = file($Dir_app."/config/clave2.php");
> $yyy=decrypt($key,$Pass[0]);
> $xxx=decrypt($key,$Pass_r[0]);
> $db = "(DESCRIPTION_LIST=
> (DESCRIPTION=
> (ADDRESS=(PROTOCOL=TCP)(HOST=pucmatuc.puc.cl) (PORT=1705))
> (CONNECT_DATA=(SID=ora73)(SERVER=DEDICATED))
> )
> (DESCRIPTION=
> (ADDRESS=(PROTOCOL=TCP)(HOST=pucmatuc.puc.cl) (PORT=1706))
> (CONNECT_DATA=(SID=ora73)(SERVER=DEDICATED))
> )
> (DESCRIPTION=
> (ADDRESS=(PROTOCOL=TCP)(HOST=pucmatuc.puc.cl) (PORT=1707))
> (CONNECT_DATA=(SID=ora73)(SERVER=DEDICATED))
> )
> (DESCRIPTION=
> (ADDRESS=(PROTOCOL=TCP)(HOST=pucmatuc.puc.cl) (PORT=1708))
> (CONNECT_DATA=(SID=ora73)(SERVER=DEDICATED))
> )
> (DESCRIPTION=
> (ADDRESS=(PROTOCOL=TCP)(HOST=pucmatuc.puc.cl) (PORT=1709))
> (CONNECT_DATA=(SID=ora73)(SERVER=DEDICATED))
> )
> )";
> # This line was added to get debug output for the Oracle connections
> # 20050724 fgc puc.cl
> #OCIInternalDebug(1);
> $Conexion = OCILogon($User,$yyy,$db);
> $Consulta = OCIParse ($Conexion, "SET ROLE $User_r IDENTIFIED BY \"$xxx\"
> ");
> OCIExecute($Consulta);
> OCIFreeStatement($Consulta);
> ?>
>
> Any ideas for this?
>
> --
> Ivonne Trejo Silva mailto:itrejo
uc.cl
attached mail follows:
my guess is that he is just trying to avoid errors in case the variable
is not an actual array.
arrays can easily be tested for by using: is_array( $myarray );
another way to manage arrays is to initialize them before you do
anything with them. i.e.: $myarray = array();
this way if you need to call an array specific function which would
normally throw an error because it's expecting an array as an argument,
it won't choke.
everyone is entitled to their own opinion, but i would just call
suppressing errors on EVERY array function just plain lazy and very poor
coding practice.
Justin Burger wrote:
> Good Morning,
> I was having a discussion with a fellow PHP Developer this morning and he
> mentioned that he puts an '@' sign in front of all function calls, and
> every time he accesses an array;
>
> I know that this is sloppy, and dangerous, but I don't know exactly what
> this exposes him to, can any one give me any real world examples of why
> this is bad, so I can relate it to his code?
>
> php.net does not have much information about this. It seems like
> suppressing errors, rather than catching them is problematic.
>
>
> Thanks Again.
>
> Justin.
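A concrete case for the question quoted above, as an added PHP example that is not part of the thread: a blocklist check whose file read is prefixed with the suppression operator keeps running when the file is missing and quietly lets everyone through, while the checked version logs the failure and denies. The function names, the temporary file and the addresses (documentation ranges) are constructed.

```php
<?php
// Added example (not from the thread). File contents and addresses are
// constructed; nothing outside the system temp directory is touched.

/** Split raw file contents into a list of non-empty, trimmed lines. */
function parse_blocklist(string $raw): array
{
    $lines = array_map('trim', explode("\n", $raw));
    return array_values(array_filter($lines, function ($line) {
        return $line !== '';
    }));
}

/** The habit described in the thread: the call is prefixed with @. */
function is_blocked_suppressed(string $ip, string $path): bool
{
    // On failure file_get_contents() returns false and the warning that
    // would have said so is discarded. The cast turns false into "".
    $raw = @file_get_contents($path);
    return in_array($ip, parse_blocklist((string) $raw), true);
}

/** The same check with the failure handled instead of hidden. */
function is_blocked_checked(string $ip, string $path): bool
{
    $raw = is_readable($path) ? file_get_contents($path) : false;
    if ($raw === false) {
        // Leave a trace for whoever operates the site, then fail closed.
        error_log("blocklist unreadable: $path; denying by default");
        return true;
    }
    return in_array($ip, parse_blocklist($raw), true);
}

// Constructed blocklist in a temporary file, plus a path that does not exist
// (as after a bad deploy or a permissions change).
$present = tempnam(sys_get_temp_dir(), 'bl_');
file_put_contents($present, "203.0.113.7\n198.51.100.9\n");
$missing = $present . '.missing';

$ip = '203.0.113.7';   // an address that is on the list
foreach (['present' => $present, 'missing' => $missing] as $label => $path) {
    printf(
        "%-8s suppressed=%-5s checked=%s\n",
        $label,
        var_export(is_blocked_suppressed($ip, $path), true),
        var_export(is_blocked_checked($ip, $path), true)
    );
}

unlink($present);
```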
attached mail follows:
wayne wrote:
> On Mon, 2005-08-08 at 13:48 +0200, Jochem Maas wrote:
>
>>wayne wrote:
>>
>>>On Sun, 2005-08-07 at 23:14 +0200, Jochem Maas wrote:
>>>Hi Jochem,
>
> <SNIP>
> Hi Jochem,
> Would you mind if I send you the beginning part of the
> php script,about 20 lines of code, to see if I'm missing
> something?
I would as it happens - but send to the list and I'll have a look :-)
> Thanks.
>
attached mail follows:
I need to make a report engine using a couple of mySQL tables.
What I'm working on is a "add/remove" select-option list with the
column names so the user can customize their own report. They can
add/remove the columns in the order that they want, then order by a
column asc/desc. The report page will have the column headers then the
data.
It's taking me a little time to write this and I'm wondering if there
is something like this out there already I can use?
John
attached mail follows:
Jimmie wrote:
> Warning: get_meta_tags(): php_network_getaddresses: gethostbyname
> failed in d:\apache\htdocs\meta_tag.php on line 3
Looks like your DNS is failing or that host does not have a DNS record.
Have you tried going to that URL in a browser on the same machine the
PHP script is running on?
Jasper
attached mail follows:
I've got an ErrorDocument directive defined in my htaccess file.
If I, for example, enter into my browser:
http://mydomain.com/doesnotexist.html
the 404 directive is triggered and 404 document correctly comes up.
I have another file (doesexist.php) with the contents:
<?PHP
header("HTTP/1.0 404 Not Found");
?>
If I enter into my browser:
http://mydomain.com/doesexist.php
I get a blank page. Apparently, this does not trigger the 404 directive.
Should it? Is it possible to write a doesexists.php script which would
cause the 404 directive to be triggered?
I also tried: header("Status: 404 Not Found"); but this did not work either.
--
== Eric Gorr =============================== http://www.ericgorr.net ===
"I believe each individual is naturally entitled to do as he pleases
with himself and the fruits of his labor, so far as it in no way
interferes with any other man's rights." - Abraham Lincoln
== Insults, like violence, are the last refuge of the incompetent... ===
attached mail follows:
Eric Gorr wrote:
> I've got an ErrorDocument directive defined in my htaccess file.
>
> If I, for example, enter into my browser:
>
> http://mydomain.com/doesnotexist.html
>
> the 404 directive is triggered and 404 document correctly comes up.
>
> I have another file (doesexist.php) with the contents:
>
> <?PHP
> header("HTTP/1.0 404 Not Found");
> ?>
>
> If I enter into my browser:
>
> http://mydomain.com/doesexist.php
>
> I get a blank page. Apparently, this does not trigger the 404 directive.
>
> Should it? Is it possible to write a doesexists.php script which would
> cause the 404 directive to be triggered?
>
> I also tried: header("Status: 404 Not Found"); but this did not work
> either.
Are you looking in Apache's error logs to ensure that the 404 is not
being triggered, or just based on what is displayed in your browser?
--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
john
kegworks.com
attached mail follows:
Hello Eric,
Monday, August 8, 2005, 9:37:12 PM, you wrote:
EG> I have another file (doesexist.php) with the contents:
EG> <?PHP
EG> header("HTTP/1.0 404 Not Found");
EG> ?>
EG> If I enter into my browser:
EG> http://mydomain.com/doesexist.php
EG> I get a blank page. Apparently, this does not trigger the 404
EG> directive.
The header 404 is correct - check to see if your script contains any
extra white-space somewhere that is causing the header to fail? (i.e.
a carriage return after the closing php tag).
Best regards,
Richard Davey
--
http://www.launchcode.co.uk - PHP Development Services
Zend Certified Engineer
"I do not fear computers. I fear the lack of them." - Isaac Asimov
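The check suggested in the reply above, written out as an added example that is not part of the thread: `headers_sent()` reports the file and line where output started, so stray whitespace that blocks the 404 header can be located. The function name `send_not_found()` and the `404.html` path are hypothetical; the script sends its own body so the browser does not show a blank page.

```php
<?php
// Added example, not code from the mailing list thread.
// NOT_FOUND_PAGE is a hypothetical path to a static error page.
define('NOT_FOUND_PAGE', dirname(__FILE__) . '/404.html');

/**
 * Send a 404 status line plus a body.
 * Returns false (and logs where output began) if headers can no longer be set.
 */
function send_not_found()
{
    // header() only takes effect before the first byte of the body is sent.
    // A blank line or space outside the PHP tags, in this file or in any
    // included file, already counts as output.
    if (headers_sent($file, $line)) {
        error_log("404 header not sent: output already started at $file:$line");
        return false;
    }

    // Reuse the protocol version of the request when the web server provides it.
    $protocol = isset($_SERVER['SERVER_PROTOCOL'])
        ? $_SERVER['SERVER_PROTOCOL']
        : 'HTTP/1.0';
    header($protocol . ' 404 Not Found');

    // A status line with an empty body renders as a blank page,
    // so emit the error page content from the script itself.
    if (is_readable(NOT_FOUND_PAGE)) {
        readfile(NOT_FOUND_PAGE);
    } else {
        echo '<html><body><h1>404 Not Found</h1></body></html>';
    }
    return true;
}

send_not_found();
// The closing PHP tag is left out on purpose: nothing after the last
// statement can then be emitted as accidental trailing whitespace.
```

The status code the server actually returned shows up in the Apache access log, which answers the question of whether the 404 was sent independently of what the browser displays.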
attached mail follows:
I installed MySQL 4.23 using SuSE provided rpms so it loads to /usr/lib64
....
How do I configure the php 5.0 configure script so that it finds the mysql
client in here while finding other objects in the /urs/local/.....
Currently the link fails as it does not find the mysql client so files.
Thanks
Martin
attached mail follows:
Martin,
Make a symlink from /usr/lib64 to /usr/lib and it should work just fine.
Joe
Martin McGinn (martinm
gmgjani.com) wrote:
>
> I installed MySQL 4.23 using SuSE provided rpms so it loads to /usr/lib64
> ....
>
> How do I configure the php 5.0 configure script so that it finds the mysql
> client in here while finding other objects in the /urs/local/.....
>
> Currently the link fails as it does not find the mysql client so files.
>
> Thanks
>
> Martin
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
--
"Computers are like air conditioners - they stop working properly when you
open Windows"
attached mail follows:
Martin McGinn wrote:
> I installed MySQL 4.23 using SuSE provided rpms so it loads
> to /usr/lib64
> ....
>
> How do I configure the php 5.0 configure script so that it
> finds the mysql
> client in here while finding other objects in the /urs/local/.....
>
> Currently the link fails as it does not find the mysql client
> so files.
You need to use PHP 5.1 and the --with-libdir configure option, or you can do a symlink.
See: http://marc.theaimsgroup.com/?l=php-dev&w=2&r=1&s=with-libdir&q=b
---
Hans Zaunere
President, Founder
New York PHP
http://www.nyphp.org
AMP Technology
Supporting Apache, MySQL and PHP
attached mail follows:
I'm interested in extracting a series of web pages from a Yahoo forum
and storing them in a MySQL database so I can generate things like most
number of posts etc. I've searched on Google but most of the links seem
to be for email harvesters!
Anyone have any tips for where to look?
Alan