php-general Digest 8 Dec 2005 04:19:17 -0000 Issue 3838

php-general-digest-help@lists.php.net
Date: Wed Dec 07 2005 - 22:19:17 CST


Topics (messages 227057 through 227104):

Re: What software do you use for writing PHP?
        227057 by: John Nichel
        227058 by: Jay Blanchard
        227060 by: Miles Thompson
        227065 by: Leif Gregory
        227066 by: John Nichel
        227067 by: Jesús Fernández
        227069 by: Jochem Maas
        227070 by: Mark Steudel
        227078 by: Ben
        227079 by: Ben
        227088 by: Roman Ivanov
        227096 by: Mark Charette

Eval To String
        227059 by: Shaun
        227061 by: Jay Blanchard
        227062 by: David Grant

Call to undefined function mysql_real_escape_string()
        227063 by: Paul Hickey
        227064 by: John Nichel

Re: Anyone getting bounces from
        227068 by: Jesús Fernández
        227071 by: Stephen Leaf

Re: XmlWriter::writeDTD bug...
        227072 by: Rob Richards
        227074 by: Jared Williams

Class Constant PHP 5
        227073 by: Jeffrey Sambells
        227075 by: Stephen Leaf
        227076 by: Jay Blanchard
        227077 by: comex
        227080 by: Jay Blanchard
        227081 by: Jay Blanchard
        227090 by: Roman Ivanov
        227099 by: Jeffrey Sambells

Preventing Cross Site Scripting Vulnerabilities
        227082 by: Michael B Allen
        227083 by: comex
        227084 by: Chris Shiflett
        227085 by: Jason Gerfen
        227086 by: Ray Hauge
        227087 by: Chris Shiflett
        227094 by: Roman Ivanov

PHP 5 XML Dom, set doctype and system
        227089 by: Mariano Guadagnini

Non-trivial task of converting text to HTML
        227091 by: Roman Ivanov
        227092 by: Eric Gorr
        227093 by: Roman Ivanov
        227095 by: tg-php.gryffyndevelopment.com

Does the extension php_printer.dll work with php version 5.1.1 on a XP System
        227097 by: james crooks

Re: Inserting a NULL value into MySQL via PHP
        227098 by: benc11.gmail.com

Re: PHP Warning: imagettftext() expects parameter 2 to be double
        227100 by: Jeffrey Sambells

Re: references, circular references, oop, and garbage collection in PHP5
        227101 by: Alan Pinstein
        227102 by: Alan Pinstein
        227103 by: Alan Pinstein

ob_start & session_start
        227104 by: Joe Harman

Administrivia:

To subscribe to the digest, e-mail:
        php-general-digest-subscribe@lists.php.net

To unsubscribe from the digest, e-mail:
        php-general-digest-unsubscribe@lists.php.net

To post to the list, e-mail:
        php-general@lists.php.net

----------------------------------------------------------------------

attached mail follows:


Jay Blanchard wrote:
> [snip]
>
>>>>man you guys are wimps.. gvim on windows... :)
>>>>
>>>
>>>Pffffttttt....'Edit' in DOS. ;)
>>>
>>>
>>
>>(Pfffft * 2) 'edlin' in DOS. :)
>
>
> Infinitely recursive pfffffft.... A pencil and a piece of paper and
> ringing people to describe the cool web site you've just drawn,
> [/snip]
>
> Two words .... punch cards. 'Nuff said.
>

Come on now Jay, we know you're old and all, but everyone knows that you
cannot edit php with punch cards. Hanging chads will cause too many
fatal errors. ;)

--
John C. Nichel IV
Programmer/System Admin (ÜberGeek)
Dot Com Holdings of Buffalo
716.856.9675
jnichel@dotcomholdingsofbuffalo.com

attached mail follows:


[snip]
> Two words .... punch cards. 'Nuff said.
>

Come on now Jay, we know you're old and all, but everyone knows that you
cannot edit php with punch cards. Hanging chads will cause too many
fatal errors. ;)
[/snip]

ROFLMMFAO!!!!

attached mail follows:


At 11:45 AM 12/7/2005, Jay Blanchard wrote:
>[snip]
> > Two words .... punch cards. 'Nuff said.
> >
>
>Come on now Jay, we know you're old and all, but everyone knows that you
>cannot edit php with punch cards. Hanging chads will cause too many
>fatal errors. ;)
>[/snip]
>
>
>ROFLMMFAO!!!!

Why these clumsy interfaces?

Just plug the Firewire in your ear!

Miles

attached mail follows:


Hello Miles,

Wednesday, December 7, 2005, 8:56:23 AM, you wrote:
> Why these clumsy interfaces?
> Just plug the Firewire in your ear!

So that's where it's supposed to go!?!?!? I've been doing it wrong all
this time, not to mention it made sitting so very uncomfortable.
<grin>

--
                          TBUDL/BETA/DEV/TECH Lists Moderator / PGP 0x6C0AB16B
 __ ____ ____ ____ Geocaching: http://gps.PCWize.com
( ) ( ___)(_ _)( ___) TBUDP Wiki Site: http://www.PCWize.com/thebat/tbudp
 )(__ )__) _)(_ )__) Roguemoticons & Smileys: http://PCWize.com/thebat
(____)(____)(____)(__) PHP Tutorials and snippets: http://www.DevTek.org

Sometimes the majority just means all the fools are on the same side.

attached mail follows:


Miles Thompson wrote:
> At 11:45 AM 12/7/2005, Jay Blanchard wrote:
>
>> [snip]
>> > Two words .... punch cards. 'Nuff said.
>> >
>>
>> Come on now Jay, we know you're old and all, but everyone knows that you
>> cannot edit php with punch cards. Hanging chads will cause too many
>> fatal errors. ;)
>> [/snip]
>>
>>
>> ROFLMMFAO!!!!
>
>
> Why these clumsy interfaces?
>
> Just plug the Firewire in your ear!

n00b

;)

--
John C. Nichel IV
Programmer/System Admin (ÜberGeek)
Dot Com Holdings of Buffalo
716.856.9675
jnichel@dotcomholdingsofbuffalo.com

attached mail follows:


I'm using Quanta on Linux; it has those nice things like code completion,
syntax highlighting, uploading the pages, etc.

--
http://esu.proyectoanonimo.com
http://www.proyectoanonimo.com

attached mail follows:


John Nichel wrote:
> Miles Thompson wrote:
>
>> At 11:45 AM 12/7/2005, Jay Blanchard wrote:
>>
>>> [snip]
>>> > Two words .... punch cards. 'Nuff said.
>>> >
>>>
>>> Come on now Jay, we know you're old and all, but everyone knows that you
>>> cannot edit php with punch cards. Hanging chads will cause too many
>>> fatal errors. ;)
>>> [/snip]
>>>
>>>
>>> ROFLMMFAO!!!!
>>
>>
>>
>> Why these clumsy interfaces?
>>
>> Just plug the Firewire in your ear!
>
>
> n00b

at least he is past the oral-phase :-)

>
> ;)
>

attached mail follows:


It's not a full FTP client, you can't set permissions in it. I think that's
a major minus in DW's favor. Especially if you don't have access to ssh into
your machine ...

-----Original Message-----
From: Michael Hulse [mailto:micky@ambiguism.com]
Sent: Tuesday, December 06, 2005 10:09 PM
To: 'php'
Subject: Re: [PHP] What software do you use for writing PHP?

On Dec 6, 2005, at 9:25 AM, Mark Steudel wrote:
> I primarily code in Dreamweaver 8. Two of my favorite features that
> were added from MX are as follows:
> 1. Code folding, basically you can collapse blocks of code. If you
> have to work with other peoples code, matching braces and code folding
> is an awesome way of just seeing the logical flow of the code, and
> hide all the details.
> DW 8 code folding is great because you can select any amount of code
> and collapse it. The bummer about dreamweaver is that it doesn't
> detect functions and add a collapse handle to it like Zend Studio, or
> have the default to automatically collapse functions when you open a
> page like Zend Studio.

Sah-weeeet! I have yet to upgrade. Waiting to get a new puter. :)

Code-folding sounds fricken cool!

I am pretty stoked that they finally fixed the crappy built-in ftp.
But, can you set permissions?

I wonder if there is a plugin for DW8 that will detect functions? Me =
googling.

M


attached mail follows:


Murray PlanetThoughtful said the following on 12/07/2005 07:31 AM:
> Jim Moseby wrote:
>>> Pffffttttt....'Edit' in DOS. ;)
>>>
>>>
>>
>>
>> (Pfffft * 2) 'edlin' in DOS. :)
>
>
> Infinitely recursive pfffffft.... A pencil and a piece of paper and
> ringing people to describe the cool web site you've just drawn,

What, can't you use punch cards?

- Ben

attached mail follows:


I use JEdit with code browser plug-in. Once it's started, it's quite
fast. It's Java-based, so it runs both on windows and linux. Very easy
to configure, has many useful coding features. If you need more, just
install some plug-ins.

attached mail follows:


TECO rox!

attached mail follows:


Hi,

Is it possible to return the result of eval function to a string rather than
outputting directly to the browser?

Thanks for your advice

attached mail follows:


[snip]
Is it possible to return the result of eval function to a string rather than

outputting directly to the browser?

Thanks for your advice
[/snip]

Yes.

You're welcome.

The first freakin' example in TFM http://www.php.net/eval is this;

<?php
$string = 'cup';
$name = 'coffee';
$str = 'This is a $string with my $name in it.';
echo $str. "\n";
eval("\$str = \"$str\";");
echo $str. "\n";
?>

attached mail follows:


Shaun

Shaun wrote:
> Is it possible to return the result of eval function to a string rather than
> outputting directly to the browser?

ob_start();
eval('$eval = "evil";');
$output = ob_get_clean();

Cheers,

David Grant
--
David Grant
http://www.grant.org.uk/
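
An added example, not code from the thread, that extends David's ob_start()/ob_get_clean() approach: it returns both what the fragment prints and what it returns, and keeps the output-buffer stack balanced if the fragment throws. The fragment strings are constructed for the demo, and it assumes PHP 7.1 or later. The security point stands regardless of how output is captured: eval() on anything derived from user input is remote code execution, so a helper like this is only for developer-authored fragments.

```php
<?php
// Added example (not from the thread). Requires PHP 7.1 or later (Throwable,
// short list assignment). Only ever pass trusted, developer-authored code.

/**
 * Run a trusted PHP fragment and return [printed_output, return_value].
 * The fragment is ordinary PHP, so a "return ...;" inside it sets the value.
 */
function capture_eval(string $code): array
{
    ob_start();
    try {
        $ret = eval($code);
    } catch (Throwable $e) {
        ob_end_clean();   // discard partial output and keep the buffer stack balanced
        throw $e;
    }
    return [ob_get_clean(), $ret];
}

// Constructed fragments, as a template layer might produce them.
[$out, $ret] = capture_eval('echo "hello "; echo "world"; return strlen("hello world");');
echo 'captured output: ', $out, "\n";
echo 'return value   : ', $ret, "\n";

// A fragment that prints and then fails: nothing leaks to the client, the
// caller sees the error, and the buffer level is back where it started.
$before = ob_get_level();
try {
    capture_eval('echo "partial"; throw new RuntimeException("template failed");');
} catch (RuntimeException $e) {
    echo 'caught: ', $e->getMessage(), "\n";
}
echo 'buffer level unchanged: ', var_export(ob_get_level() === $before, true), "\n";
```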

attached mail follows:


Can someone help me overcome this recurring problem? I am using the
Joomla content management system and I keep coming across the following
errors.

Fatal error: Call to undefined function mysql_real_escape_string()
in /usr/local/apache2/htdocs/common.php on line 24

Fatal error: Call to undefined function mysql_real_escape_string()
in /usr/local/apache2/htdocs/class.inputfilter.php on line 344

I notice in my Dynamic Extensions section of php.ini there are no
extensions called for; if that helps. Joomla works fine, but when adding
components or modules the problems start. One component author made a
test for the mysql_real_escape_string and I think avoided using it then
the component worked. I think that's probably not the best solution.

Fedora Core 3

Apache 2.0.55

PHP 5.0.5 (compiled with mysqli vice mysql)
'./configure' '--with-apxs2=/usr/local/apache2/bin/apxs' '--enable-ftp'
'--enable-inline-optimization' '--enable-magic-quotes' '--enable-
mbstring' '--enable-track-vars' '--enable-trans-sid' '--enable-
wddx=shared' '--enable-xml' '--with-dom' '--with-gd' '--with-gettext'
'--with-mysqli=/usr/local/mysql/bin/mysql_config' '--with-regex=system'
'--with-xml' '--with-zlib-dir=/usr/lib'

MySQL 4.1.15

TIA,

Paul Hickey
Christian Patriot
Palm Bay Fl

attached mail follows:


Paul Hickey wrote:
> Can someone help me overcome this recurring problem? I am using the
> Joomla content management system and I keep coming across the following
> errors.
>
> Fatal error: Call to undefined function mysql_real_escape_string() in
> /usr/local/apache2/htdocs/common.php on line 24
>
> Fatal error: Call to undefined function mysql_real_escape_string() in
> /usr/local/apache2/htdocs/class.inputfilter.php on line 344
>
> I notice in my Dynamic Extensions section of php.ini there are no
> extensions called for; if that helps. Joomla works fine, but when adding
> components or modules the problems start. One component author made a
> test for the mysql_real_escape_string and I think avoided using it then
> the component worked. I think that's probably not the best solution.
>
> Fedora Core 3
>
> Apache 2.0.55
>
> PHP 5.0.5 (compiled with mysqli vice mysql)
> './configure' '--with-apxs2=/usr/local/apache2/bin/apxs' '--enable-ftp'
> '--enable-inline-optimization' '--enable-magic-quotes'
> '--enable-mbstring' '--enable-track-vars' '--enable-trans-sid'
> '--enable-wddx=shared' '--enable-xml' '--with-dom' '--with-gd'
> '--with-gettext' '--with-mysqli=/usr/local/mysql/bin/mysql_config'
> '--with-regex=system' '--with-xml' '--with-zlib-dir=/usr/lib'
>
> MySQL 4.1.15

mysql_real_escape_string() is a MySQL function, and your server is
compiled with the 'improved' MySQL functions. You want
mysqli_real_escape_string()

http://us3.php.net/manual/en/function.mysqli-real-escape-string.php

--
John C. Nichel IV
Programmer/System Admin (ÜberGeek)
Dot Com Holdings of Buffalo
716.856.9675
jnichel@dotcomholdingsofbuffalo.com

attached mail follows:


4 here

--
http://esu.proyectoanonimo.com
http://www.proyectoanonimo.com

attached mail follows:


had about 15 in my inbox this morning :)

On Wednesday 07 December 2005 08:36, Jay Blanchard wrote:
> MAILER-DAEMON@mlm.mariotti.lan ?
>
> I am getting failure notices out the wazoo for some very old messages to
> the general list.

attached mail follows:


Jared Williams wrote:
>
> PS.
> Yeah, thought it was libxml, hence didn't file a pecl bug report. But there does seem a problem with this method as can't
> just have a publicId or a systemId, libxml function uses NULL as a parameter to specify which id you don't want to use. Which we've
> lost with the PHP wrapper, as can only specify two strings.
>
Have you tried passing NULL for publicId? :)
And systemId can only be NULL if there is no publicId (publicId requires
a systemId).

Rob

attached mail follows:


>
> Jared Williams wrote:
> >
> > PS.
> > Yeah, thought it was libxml, hence didn't file a pecl
> bug report. But
> > there does seem a problem with this method as can't just have a
> > publicId or a systemId, libxml function uses NULL as a
> parameter to specify which id you don't want to use. Which
> we've lost with the PHP wrapper, as can only specify two strings.
> >
> Have you tried passing NULL for publicId? :) And systemId can
> only be NULL if there is no publicId (publicId requires a systemId).
>

Ah, yes, I blame the time, 3am, when I was tinkering with XmlWriter :)

Jared

attached mail follows:


is there a way to dynamically define a class constant during runtime
in PHP 5?

for example I would like to achieve the result of something like:

class Example {
        const FOO = bar();
}

However this would obviously give a parse error.

I know it is possible with variables but I would like it to be a
constant.

Thanks.

- Jeff

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jeffrey Sambells
Director of Research and Development
Zend Certified Engineer (ZCE)

We-Create Inc.
jeff@wecreate.com email
519.745.7374 office
519.897.2552 mobile

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Get Mozilla Firefox at
http://spreadfirefox.com

attached mail follows:


From: Stephen Leaf <smileaf@smileaf.org>
To: php-general@lists.php.net
Date: Wed, 7 Dec 2005 12:20:34 -0600
Message-Id: <200512071220.34914.smileaf@smileaf.org>
Subject: Re: [PHP] Class Constant PHP 5

Dynamically setting a constant would break the very rule of it being a
constant in the first place.
A constant is something that does not change; it cannot be dynamic.

On Wednesday 07 December 2005 12:00, Jeffrey Sambells wrote:
> is there a way to dynamically define a class constant during runtime
> in PHP 5?
>
> for example I would like to achieve the result of something like:
>
> class Example {
> const FOO = bar();
> }
>
> However this would obviously give a parse error.
>
> I know it is possible with variables but I would like it to be a
> constant.
>
> Thanks.
>
> - Jeff
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Jeffrey Sambells
> Director of Research and Development
> Zend Certified Engineer (ZCE)
>
> We-Create Inc.
> jeff@wecreate.com email
> 519.745.7374 office
> 519.897.2552 mobile
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Get Mozilla Firefox at
> http://spreadfirefox.com

attached mail follows:


[snip]
is there a way to dynamically define a class constant during runtime
in PHP 5?

for example I would like to achieve the result of something like:

class Example {
        const FOO = bar();
}

However this would obviously give a parse error.

I know it is possible with variables but I would like it to be a
constant.
[/snip]

Well, first of all the syntax you describe above does not define a constant
at all, you would need to use define()

The second thing is good old basic OOP theory, you should declare a private
static variable

http://us3.php.net/private
http://us3.php.net/manual/en/language.oop5.static.php

Of course you could define a global constant and then pass it into your
object when instantiating it, but that is a bad idea generally.

Thirdly, you could never use a function to derive your constant value...it
would then be an oxymoron. If the value generated by the function bar()
changes, FOO is a variable. Constants are for simple values. For instance,
we can all agree that pi is 3.14159 (to 5 decimal places), so defining a
constant pi makes sense;

define("PI", 3.14159);

If we do not know what the outcome of a function will be it makes the value
of the outcome a variable, always. It would be foolish (and would fail
anyhow) to do something like this;

define("RANDOM", rand(5,12));

attached mail follows:


> It would be foolish (and would fail anyhow) to do something like this;
Nope. :P
<?php
define("RANDOM", rand(5,12));
var_dump(RANDOM);
?>
int(12)

attached mail follows:


[snip]
> It would be foolish (and would fail anyhow) to do something like this;
Nope. :P
<?php
define("RANDOM", rand(5,12));
var_dump(RANDOM);
?>
int(12)
[/snip]

Wow, that should fail. But you did have to use var_dump() to get it, which may
be slightly counter-intuitive. I just did this....

function realRand($x){
        $x = $x * rand(5,10);
        return $x;
}
 define("RANDOM", realRand(1.2));
var_dump(RANDOM);

and it returns floats. Well, I'll be jiggered.

attached mail follows:


[snip]
Wow, that should fail. But you did have use var_dump() to get it, which may
be slightly counter-intuitive. I just did this....

function realRand($x){
        $x = $x * rand(5,10);
        return $x;
}
 define("RANDOM", realRand(1.2));
var_dump(RANDOM);

and it returns floats. Well, I'll be jiggered.
[/snip]

From http://us3.php.net/manual/en/language.constants.php

"Only scalar data (boolean, integer, float and string) can be contained in
constants."

attached mail follows:


Stephen Leaf wrote:
> Dynamically setting a constant would break the very rule of it being a
> constant in the first place.

Did you say something about my Java?

attached mail follows:


The point was more that the constant's value is 'defined' at the
beginning of the script, and is constant and non-changing throughout
the entire execution of the script. But I was looking for a way to give
it a namespace inside a class rather than just defining it in the
global scope so that I do not have to worry about conflicting names
with other packages such as PEAR et al.

I wanted to do something like:

<?
define('ClassName::ConstantName',$valueDeterminedAtStartOfScript);
?>

so that I could later use the notation

$value = ClassName::ConstantName

or from within the class

$value = self::ConstantName

and ensure other developers could not change the value of the constant.
To achieve the result I want I could do:

<?

define ('foo',$valueDeterminedAtStartOfScript);
class ClassName {
        const ConstantName = foo;
}

?>

But that just seems pointless and messy. I will assume that the simple
answer to my original question was 'No, it is not possible'.

Thanks

- Jeff

Jeffrey Sambells
cell 519.897.2552
phone 905.878.4701
web http://www.sambells.info

On 7-Dec-05, at 1:22 PM, Jay Blanchard wrote:

> [snip]
> is there a way to dynamically define a class constant during runtime
> in PHP 5?
>
> for example I would like to achieve the result of something like:
>
> class Example {
> const FOO = bar();
> }
>
> However this would obviously give a parse error.
>
> I know it is possible with variables but I would like it to be a
> constant.
> [/snip]
>
> Well, first of all the syntax you describe above does not define a
> constant
> at all, you would need to use define()
>
> The second thing is good old basic OOP theory, you should declare a
> private
> static variable
>
> http://us3.php.net/private
> http://us3.php.net/manual/en/language.oop5.static.php
>
> Of course you could define a global constant and then pass it into your
> object when instantiating it, but that is a bad idea generally.
>
> Thirdly, you could never use a function to derive your constant
> value...it
> would then be an oxymoron. If the value generated by the function bar()
> changes, FOO is a variable. Constants are for simple values. For
> instance,
> we can all agree that pi is 3.14159 (to 5 decimal places, so defining a
> constant pi makes sense;
>
> define("PI", 3.14159);
>
> If we do not know what the outcome of a function will be it makes the
> value
> of the outcome a variable, always. It would be foolish (and would fail
> anyhow) to do something like this;
>
> define("RANDOM", rand(5,12));
>
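
An added example, not code from the thread: PHP evaluates class constants at compile time, so a value that is only known at script start cannot be a const, but a private static with a write-once setter gives the same ClassName::get('NAME') namespacing Jeff was after and refuses later changes at runtime rather than at parse time. Config, define() and get() are names chosen for this example; it assumes PHP 7.4 or later for the typed static property.

```php
<?php
// Added example (not from the thread). Requires PHP 7.4 or later.
// A class-scoped, write-once value: set exactly once at script start,
// readable everywhere, never re-assignable.

final class Config
{
    /** name => value, each entry written exactly once. */
    private static array $frozen = [];

    /** Define a class-scoped value. A second define() of the same name throws. */
    public static function define(string $name, $value): void
    {
        if (array_key_exists($name, self::$frozen)) {
            throw new LogicException("Config::$name is already defined");
        }
        if (!is_scalar($value)) {
            // Mirrors the manual's rule that constants hold scalars only.
            throw new InvalidArgumentException("Config::$name must be scalar");
        }
        self::$frozen[$name] = $value;
    }

    /** Read a value; an undefined name is a bug, not a silent null. */
    public static function get(string $name)
    {
        if (!array_key_exists($name, self::$frozen)) {
            throw new LogicException("Config::$name is not defined");
        }
        return self::$frozen[$name];
    }

    public static function has(string $name): bool
    {
        return array_key_exists($name, self::$frozen);
    }
}

// Computed at the start of the script, as in the original question.
Config::define('BUILD_ID', bin2hex(random_bytes(4)));
Config::define('MAX_UPLOAD', 2 * 1024 * 1024);

echo 'build ', Config::get('BUILD_ID'), ', max upload ', Config::get('MAX_UPLOAD'), "\n";

// Another package trying to overwrite the value is refused.
try {
    Config::define('BUILD_ID', 'tampered');
} catch (LogicException $e) {
    echo $e->getMessage(), "\n";
}
```

Unlike a global define('foo', ...), nothing outside the class can create a colliding name, and unlike a public static property nothing can assign to it; the trade-off is that the guarantee is checked at runtime, so a missing define() surfaces as an exception on first read rather than as a parse error.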

attached mail follows:


Date: Wed, 7 Dec 2005 14:13:49 -0500
From: Michael B Allen <mba2000@ioplex.com>
To: php-general@lists.php.net
Message-Id: <20051207141349.3ae9f1bf.mba2000@ioplex.com>
Subject: Preventing Cross Site Scripting Vulnerabilities

Can someone recommend a general method for avoiding / eliminating XSS
vulnerabilities with PHP?

Specifically is there a library function for validating fields? If not,
can someone recommend a regex that detects HTML tags?

Similarly is there a library function for escaping database content for
inclusion in HTML pages?

Thanks,
Mike

attached mail follows:


> Similarly is there a library function for escaping database content for
> inclusion in HTML pages?
http://php.net/htmlspecialchars
http://php.net/htmlentities

attached mail follows:


Michael B Allen wrote:
> Can someone recommend a general method for avoiding / eliminating XSS
> vulnerabilities with PHP?

Yeah, escape output. It's really that simple.

Curt Zirzow made a nice post related to this topic yesterday, and
here's a simple example:

http://phpsecurity.org/code/ch01-4

Hope that helps!

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

attached mail follows:


comex wrote:

>>Similarly is there a library function for escaping database content for
>>inclusion in HTML pages?
>>
>>
>http://php.net/htmlspecialchars
>http://php.net/htmlentities
>
>
>
Or roll your own and replace the eregi regex with data that is valid to
your application:

function chk_input( $string ) {
 // Whole-string whitelist; without the "+" the pattern would only ever
 // match a single character.
 if( eregi( "^[0-9a-z_ -]+$", $string ) ) {
  return 0;
 } else {
  return 1;
 }
}

if( chk_input( $string ) == 0 ) {
 echo "valid";
} else {
 echo "invalid";
}

--
Jason Gerfen

"Oh I have seen alot of what
 the world can do, and its
 breaking my heart in two..."
 ~ Wild World, Cat Stevens

attached mail follows:


There's been a lot of great articles in the PHP|Architect magazine over
the past 3 months or so about this (http://www.phparch.com) You do have
to purchase back-issues though. Very good articles though. They cover
how to make functions to filter what variables should be sent in, and
how to make sure all the data is what you expect.

Jason Gerfen wrote:

> comex wrote:
>
>>> Similarly is there a library function for escaping database content for
>>> inclusion in HTML pages?
>>>
>>
>> http://php.net/htmlspecialchars
>> http://php.net/htmlentities
>>
>>
>>
> Or roll your own and replace the eregi regex with data that is valid
> to your application:
>
> function chk_input( $string ) {
>  if( eregi( "^[0-9a-z_ -]+$", $string ) ) {
>   return 0;
>  } else {
>   return 1;
>  }
> }
>
> if( chk_input( $string ) == 0 ) {
>  echo "valid";
> } else {
>  echo "invalid";
> }
>

attached mail follows:


Ray Hauge wrote:
> There's been a lot of great articles in the PHP|Architect magazine
> over the past 3 months or so about this (http://www.phparch.com)
> You do have to purchase back-issues though.

Past editions of Security Corner are eventually available for free from
my web site:

http://shiflett.org/articles

Hope that helps!

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

attached mail follows:


Michael B Allen wrote:
> Can someone recommend a general method for avoiding / eliminating XSS
> vulnerabilities with PHP?

IMO, the best way to avoid XSS is to filter _output_.

My script:
http://nengine.korsengineering.com/files/src/misc/HtmlFilter.phps
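
An added example, not code from the thread, pulling the thread's advice together: escape on output, per output context (HTML text, attribute, URL component, inline script), and treat whitelist validation of input, as in Jason's message, as a second layer for fields with a narrow expected format rather than as the defence itself. The helper names (e_html, e_url, e_js, safe_href, is_plain_token) and the sample payloads are constructed for this example; it assumes PHP 7.1 or later.

```php
<?php
// Added example (not from the thread). Requires PHP 7.1 or later.
// One escaper per output context; none of them is safe in the others.

/** HTML text content and double-quoted attribute values. */
function e_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** A single value placed in a URL query string. */
function e_url(string $s): string
{
    return rawurlencode($s);
}

/** A string literal inside an inline <script> block. */
function e_js(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

/**
 * A complete href supplied by the user. Escaping alone cannot neutralise a
 * javascript: URL, so the scheme is whitelisted before the value is escaped.
 */
function safe_href(string $url): ?string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? e_html($url) : null;
}

/**
 * Whitelist validation for a field with a known narrow format (the idea in
 * Jason's chk_input, with a quantifier so the whole string is checked and
 * a length bound). A second layer for specific fields, not a replacement
 * for escaping on output.
 */
function is_plain_token(string $s): bool
{
    return preg_match('/^[0-9a-z_ -]{1,64}$/i', $s) === 1;
}

// Constructed sample inputs: three common XSS payloads and one legitimate
// value that "strip anything suspicious" filters tend to mangle.
$samples = [
    '<script>alert(1)</script>',
    '" onmouseover="alert(1)',
    'javascript:alert(1)',
    "O'Brien & Sons",
];

foreach ($samples as $raw) {
    printf("raw   : %s\n", $raw);
    printf("text  : <p>%s</p>\n", e_html($raw));
    printf("attr  : <input value=\"%s\">\n", e_html($raw));
    printf("query : <a href=\"/search?q=%s\">\n", e_url($raw));
    printf("href  : %s\n", safe_href($raw) ?? '(rejected: not an http(s) URL)');
    printf("script: <script>var v = %s;</script>\n", e_js($raw));
    printf("token : %s\n\n", is_plain_token($raw) ? 'accepted' : 'rejected');
}
```

Note that e_html() is passed ENT_QUOTES and an explicit charset: the htmlspecialchars() defaults have changed across PHP versions, and an attribute value escaped without ENT_QUOTES still lets a single quote close a single-quoted attribute. The legitimate sample ("O'Brien & Sons") is rendered correctly by every escaper and rejected only by the token whitelist, which is the expected behaviour for a field that is meant to hold an identifier, not a free-form name.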

attached mail follows:


Hello,
I need to set the doctype and the system DTD of a document created
directly with the XML DOM.
I couldn't find any function or property to set this; I saw some
examples that directly wrote onto the file manually, but I'm pretty sure
there must be a way to do this with the DOM (I remembered that the libxml C
API has such a capability, so, if PHP DOM is based on it, then it should
be able to).
Any ideas?

Thanks in advance,

cheers.

Mariano.

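
An added example, not code from the thread, covering Rob's answer on XmlWriter::writeDTD (pass null for the publicId to get a SYSTEM-only DOCTYPE) and Mariano's DOM question (create the DOMDocumentType with DOMImplementation::createDocumentType and hand it to createDocument). The third function is the flip side a practitioner should pair with this: a DOCTYPE on incoming XML can declare entities that read local files or fetch URLs, so untrusted XML is loaded without entity expansion and without network access and rejected if it declares any. Element and file names are made up and the hostile sample is constructed; it assumes PHP 7.1 or later with ext/xmlwriter and ext/dom.

```php
<?php
// Added example (not from the thread). Requires PHP 7.1 or later.

/** XMLWriter: a null publicId gives a SYSTEM-only DOCTYPE. */
function xml_with_writer_dtd(): string
{
    $w = new XMLWriter();
    $w->openMemory();
    $w->setIndent(true);
    $w->startDocument('1.0', 'UTF-8');
    $w->writeDTD('catalog', null, 'catalog.dtd');
    $w->startElement('catalog');
    $w->writeElement('item', 'widget');
    $w->endElement();
    $w->endDocument();
    return $w->outputMemory();
}

/** DOM: build the DOMDocumentType first, then create the document around it. */
function xml_with_dom_doctype(): string
{
    $impl = new DOMImplementation();
    $dtd  = $impl->createDocumentType('catalog', '', 'catalog.dtd');   // empty publicId
    $doc  = $impl->createDocument(null, 'catalog', $dtd);
    $doc->encoding     = 'UTF-8';
    $doc->formatOutput = true;
    $doc->documentElement->appendChild($doc->createElement('item', 'widget'));
    return $doc->saveXML();
}

/**
 * The other direction. Load without LIBXML_NOENT (which would expand
 * entities) and without LIBXML_DTDLOAD, forbid network access, and reject
 * any document that declares entities at all.
 */
function load_untrusted_xml(string $xml): DOMDocument
{
    if (\PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);   // needed before PHP 8 / libxml 2.9
    }
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    $ok   = $doc->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        throw new RuntimeException('malformed XML');
    }
    if ($doc->doctype !== null && $doc->doctype->entities->length > 0) {
        throw new RuntimeException('document declares entities; rejected');
    }
    return $doc;
}

echo xml_with_writer_dtd(), "\n";
echo xml_with_dom_doctype(), "\n";

// Constructed hostile input: an external entity pointing at a local file.
$hostile = '<?xml version="1.0"?>'
    . '<!DOCTYPE catalog [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    . '<catalog><item>&xxe;</item></catalog>';
try {
    load_untrusted_xml($hostile);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// The documents produced above reference a DTD but declare no entities,
// so they load cleanly.
$clean = load_untrusted_xml(xml_with_dom_doctype());
echo 'loaded <', $clean->documentElement->tagName, '> with doctype ',
    $clean->doctype->name, "\n";
```

Both writers emit `<!DOCTYPE catalog SYSTEM "catalog.dtd">`; the DOM route passes an empty string for the publicId because createDocumentType takes strings, which PHP turns into the NULL the libxml call wants.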

attached mail follows:


Task:
Create a script that converts text into HTML with paragraphs.

Problem:
Input text could use the book notation, as well as the web notation,
plus it can contain HTML.

==
<h1>This is a title</h1>

    This is a Book paragraph.
    This is another book paragraph.
This is yet another book paragraph, but it's not indented with spaces,
because user wrote it in OpenOffice.
==

==
This is a web paragraph.

This is another web paragraph.

    This is yet another web paragraph, which is indented with spaces for
some unknown reason.
==

Output text should be correctly formatted without using lots of br's and
&nbsp;'s. Doing so manually is not a problem, I would just use <p> for
web paragraphs, and <p class="book"> for book paragraphs. However,
formatting such text with a script is very difficult. Does anyone know a
good example of such a script?

attached mail follows:


Quoting Roman Ivanov <gamblergluck@yahoo.com>:

> Output text should be correctly formatted without using lots of br's
> and &nbsp;'s. Doing so manually is not a problem, I would just use
> <p> for web paragraphs, and <p class="book"> for book paragraphs.
> However, formatting such text with a script is very difficult. Does
> anyone know a good example of such a script?

How do you intend to distinguish between a web paragraph and a book paragraph?
How can you even accomplish this manually?

attached mail follows:


Eric Gorr wrote:
> Quoting Roman Ivanov <gamblergluck@yahoo.com>:
>
>> Output text should be correctly formatted without using lots of br's
>> and &nbsp;'s. Doing so manually is not a problem, I would just use <p>
>> for web paragraphs, and <p class="book"> for book paragraphs. However,
>> formatting such text with a script is very difficult. Does anyone know
>> a good example of such a script?
>
>
> How do you intend to distinguish between a web paragraph and a book
> paragraph?

Good question. I don't know. If I knew, then writing the script would
be simple. It would be interesting to hear how other developers deal
with this kind of thing.

> How can you even accomplish this manually?

By reading the text. *smiley*

attached mail follows:


Maybe I'm missing some requirement, but what if you just used HTML "<pre>" tags. You can still use other HTML for formatting within the <pre> tags but it'll pay attention to carriage returns/line feeds and spaces without having to use <br>s

For example, if you did the following... is it what you need or what's wrong with it still?

<pre>
<h1>This is a title</h1>

    This is a Book paragraph.
    This is another book paragraph.
This is yet another book paragraph, but it's not indented with spaces,
because user wrote it in OpenOffice.
==

==
This is a web paragraph.

This is another web paragraph.

    This is yet another web paragraph, which is indented with spaces for
some unknown reason.
==
</pre>

= = = Original message = = =

Task:
Create a script that converts text into HTML with paragraphs.

Problem:
Input text could use the book notation, as well as the web notation,
plus it can contain HTML.

==
<h1>This is a title</h1>

    This is a Book paragraph.
    This is another book paragraph.
This is yet another book paragraph, but it's not indented with spaces,
because user wrote it in OpenOffice.
==

==
This is a web paragraph.

This is another web paragraph.

    This is yet another web paragraph, which is indented with spaces for
some unknown reason.
==

Output text should be correctly formatted without using lots of br's and
&nbsp;'s. Doing so manually is not a problem, I would just use <p> for
web paragraphs, and <p class="book"> for book paragraphs. However,
formatting such text with a script is very difficult. Does anyone know a
good example of such a script?


attached mail follows:


I'm trying to get the php_printer.dll extension to work on an XP system. I
downloaded the correct version of php_printer.dll to match PHP version 5.1.1.
The extension_dir is set correctly, because other extensions load and work
perfectly.
When I execute the following code, I get ...
<?php
$handle = printer_open();
printer_write($handle, "Text to print");
printer_close($handle);
?>

an undefined function call error, even though the extension loaded at boot
time without any errors. php_printer.dll is
in the extension directory. Does anyone have a solution to my problem?
Thanks, Jim Crooks

attached mail follows:


I tried this and it didn't work using PHP it just leaves a blank instead of
a NULL setting. Any other ideas?

On 11/11/05, Richard Lynch <ceo@l-i-e.com> wrote:
>
> On Thu, November 10, 2005 11:15 pm, Curt Zirzow wrote:
> > <?php
> >
> > $sql_quoted = array(); // shiflett' -- style
> >
> > $myFieldValue = isset($_POST['myFieldValue']) ? $_POST['myFieldValue'] : '';
> >
> > if (strlen(trim($myFieldValue))) {
> >     $sql_quoted['myField'] = "'" .
> >         mysql_real_escape_string($myFieldValue) . "'";
> > } else {
> >     $sql_quoted['myField'] = 'NULL';
> > }
>
> I personally would do this part all in one shot:
>
> $field = (isset($_CLEAN['field']) && strlen($_CLEAN['field'])) ?
> "'$_CLEAN[field]'" : 'NULL';
>
> Otherwise, I find myself too distracted by all the assignments and
> if/else logic, and too likely to mess them up later with code changes
> in earlier/later lines.
>
> Note that you already have the apostrophes in $field for non-NULL, so
> you would just do:
>
> $query = "insert into foo (field) values($field)";
>
> with no apostrophes
>
> $_CLEAN represents an escaped and filtered string, or an unset index,
> if nothing was in $_POST to start with. Or you can just use the empty
> string '' in $_CLEAN if you find that easier to process.
>
> More than one way to skin a cat.
>
> --
> Like Music?
> http://l-i-e.com/artists.htm
>
>
>

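
An added example, not code from the thread, that serves both John's mysqli_real_escape_string() note above and the NULL-insert question here: with a prepared statement, a PHP null bound through bind_param() is sent as SQL NULL and no escaping or quoting is needed at all; for code that still builds SQL strings, a small helper emits either a bare NULL or a quoted, escaped literal, which is where the blank-instead-of-NULL result comes from when the two are mixed up. The connection details, the table foo and the sample submissions are constructed for this example; it assumes a reachable MySQL server, ext/mysqli and PHP 7.1 or later.

```php
<?php
// Added example (not from the thread). Host, user, password and database
// are placeholders; requires PHP 7.1 or later with ext/mysqli.
$db = new mysqli('127.0.0.1', 'app', 'secret', 'appdb');
if ($db->connect_error) {
    die('connect failed: ' . $db->connect_error . "\n");
}
$db->set_charset('utf8mb4');   // escaping is charset-dependent, so set it explicitly

// Constructed sample table, local to this connection.
$db->query('CREATE TEMPORARY TABLE foo (id INT AUTO_INCREMENT PRIMARY KEY, field VARCHAR(64) NULL)');

/**
 * Read a form field; absent or blank becomes PHP null, which the driver
 * sends as SQL NULL. Passing '' instead would store an empty string.
 */
function form_value_or_null(array $post, string $key): ?string
{
    if (!isset($post[$key])) {
        return null;
    }
    $v = trim((string) $post[$key]);
    return $v === '' ? null : $v;
}

/** Insert via a prepared statement: no escaping, no quoting, NULL handled by the driver. */
function insert_field(mysqli $db, ?string $value): int
{
    $stmt = $db->prepare('INSERT INTO foo (field) VALUES (?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $value);   // a null $value is bound as SQL NULL
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

/**
 * For code that still concatenates SQL: the mysqli_ escaper (the mysql_
 * one only exists when PHP is built with the old ext/mysql), and NULL
 * emitted as a bare keyword rather than as a quoted string.
 */
function sql_literal(mysqli $db, ?string $value): string
{
    return $value === null ? 'NULL' : "'" . $db->real_escape_string($value) . "'";
}

// Constructed sample submissions: a value with a quote, a blank, and a missing field.
$submissions = [
    ['field' => "O'Brien"],
    ['field' => '   '],
    [],
];
foreach ($submissions as $post) {
    $value = form_value_or_null($post, 'field');
    $id = insert_field($db, $value);
    printf("row %d: bound %s; string-built equivalent: INSERT INTO foo (field) VALUES (%s)\n",
        $id, $value === null ? 'NULL' : var_export($value, true), sql_literal($db, $value));
}

$res = $db->query('SELECT id, field, field IS NULL AS is_null FROM foo ORDER BY id');
while ($row = $res->fetch_assoc()) {
    printf("id=%d field=%s is_null=%d\n", $row['id'], var_export($row['field'], true), $row['is_null']);
}
$db->close();
```

The second and third submissions both end up as real NULLs in the table; the blank-but-not-NULL symptom in the original question appears when the trimmed empty string is quoted and escaped like any other value, or when the literal string 'NULL' is itself quoted.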

attached mail follows:


Cc: php-generallists.php.net
From: Jeffrey Sambells <jeffwecreate.com>
Date: Wed, 7 Dec 2005 21:28:45 -0500
To: James <jamesbig-muff.com>
Subject: Re: [PHP] PHP Warning: imagettftext() expects parameter 2 to be double


You've got 83px in your XML file for the fontsize. The 'px' is messing
it up: change it to just 83 in the XML file, or cast the value to (float),
which will extract the 83 and drop the px:

<snip>
        foreach ($xml->textblock as $text) {
                $fontsize  = (float) $text->fontsize;   // "83px" -> 83.0
                $fontangle = (float) $text->fontangle;
                $fontxpos  = (int) $text->fontxpos;
                $fontypos  = (int) $text->fontypos;
                $text      = (string) $text->text;

                // imagettftext() takes exactly eight arguments; the extra
                // array() in the original call was a stray parameter.
                imagettftext($image['png'], $fontsize, $fontangle, $fontxpos, $fontypos,
                             $font['color'], $font['type'], $text);
        }
</snip>

- Jeff

On 7-Dec-05, at 7:06 AM, James wrote:

> Hi,
>
> Thank you for getting back to me, you're the first.
>
> The array works fine – I have tested it using var_dump().
>
> Attached are the two files – xml.test – this holds the array of the
> text blocks which is being parsed by image.php.
>
> Line 38 is the problem, if you comment around the foreach() statement
> and un-comment the commented lines you should see it working fine, its
> when its within the foreach statement when it errors.
>
> Regards,
>
> James
>
>
> Jochem Maas Wrote:
>
>> James wrote:
>> > Hi there,
>> >
>> > I have been using the GD functions from PHP5.0 on Mac OS X.
>> >
>> > I have a simple script that creates a PNG image with text on the
>> image using
>> > fonts using FreeType 2.
>> >
>> > I am trying to use the imagettftext() function within a foreach
>> loop – but I
>> > get the following error:
>> >
>> > PHP Warning:  imagettftext() expects parameter 2 to be double
>>
>> what does paramter 2 contain in each case? var_dump(), print_r(),
>> echo ?!?
>>
>> >
>> > The code is as follows:
>> >
>> >     $font['type'] = "./fonts/font.ttf";
>> >
>> >     $font['color'] = imageColorAllocate($card['png'], $font['hexcolor']['r'],
>> >                                         $font['hexcolor']['g'], $font['hexcolor']['b']);
>> >
>> >     imageFill($card['png'], 0, 0, $card['color']);
>> >
>> >     foreach ($xml->textblock as $text) {
>> >         $fontsize = $text->fontsize;    $fontangle = $text->fontangle;
>> >         $fontxpos = $text->fontxpos;    $fontypos = $text->fontypos;
>> >         $text = $text->text;
>>
>> try var_dump($text); or print_r($text); to see what you have
>> (if it's an XML node object - dump $fontsize, $fontxpos instead!!!)
>>
>> >         imagettftext($image['png'], $fontsize, $fontangle, $fontxpos, $fontypos,
>> >                      $font['color'], $font['type'], $text);
>> >     }
>> >
>> > It works fine if I add just one line outside of the loop – but as
>> soon as
>> > its within the loop it errors.
>> >
>> > Cheers,
>> >
>> > James
>> >
>
> <image.php><test.xml>
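An added example (not part of Jeff's reply) showing what the (float) cast does with the strings SimpleXML hands back, next to a strict parser for the case where the XML file is not fully trusted. The function names and the sample values are made up:

```php
<?php
// Added example (not from the thread): PHP's numeric-string cast takes a
// leading numeric prefix and silently drops the rest, which is why
// (float)"83px" is 83.0. The same rule lets "abc" (0.0) and "-1e9px" through,
// so a strict parser is shown alongside. Function names are made up.

declare(strict_types=1);

/** The cast the reply suggests: prefix is kept, trailing junk is ignored. */
function looseFontSize(string $raw): float
{
    return (float) $raw;
}

/**
 * Strict version: accept only a decimal number with an optional "px" suffix
 * and clamp it to a sane range, so a hostile XML file cannot ask GD for a
 * negative or gigantic glyph. Returns null when the value is unusable.
 */
function strictFontSize(string $raw, float $min = 1.0, float $max = 500.0): ?float
{
    if (!preg_match('/^\s*(\d+(?:\.\d+)?)\s*(?:px)?\s*$/i', $raw, $m)) {
        return null;
    }
    $size = (float) $m[1];
    return ($size >= $min && $size <= $max) ? $size : null;
}

// Constructed sample <fontsize> values as they might appear in test.xml.
$samples = ['83px', '83', ' 12.5px ', 'abc', '-1e9px', '99999px', '83pt'];

foreach ($samples as $s) {
    printf("%-12s loose=%-10s strict=%s\n", var_export($s, true),
        looseFontSize($s), var_export(strictFontSize($s), true));
}
```

In the loop from the reply you would call strictFontSize((string) $text->fontsize) and skip the text block when it returns null; the loose cast accepts "-1e9px" and "abc" without a warning.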

attached mail follows:


[ man.. I just realized that "reply" to this list doesn't send to the
list... replies being re-sent... thanks for the help! ]

On Dec 6, 2005, at 10:45 PM, Curt Zirzow wrote:

> I'm going to jump to the code as fast as possible to explain what I
> can, the key thing to remember in php5 is that the old &$var
> declaration has no real meaning in objects. php5's objects exist
> outside of the old oop reference. Consider:
>
> class Object {
>     public $val;
>     function __construct($v) {
>         $this->val = $v;
>     }
> }
>
> In PHP5:
>
> $o = new Object(2);
> $b = $o;
> $b->val = 3;
> print $o->val; // echos 3
>
> in PHP4 (assuming var is used instead of public)
>
> $o = new Object(2);
> $b = $o;
> $b->val = 3;
> print $o->val; // echos 2
>
> This is because objects in php5 exist all on their own, and get
> referenced by a php variable.
>
>
> On Tue, Dec 06, 2005 at 05:23:45PM -0500, Alan Pinstein wrote:
>>
>> Question #1: Is the fact that references to objects in the form
>> $objRef = &$obj don't bump the refcount of $obj an intended behavior
>> that can be counted on? If so, cool!
>>
>> So, now that we have a way to do weak references, we should be able
>> to implement a reasonable memory management scheme for parent-child
>> objects.
>>
>> Normally from the client side the interface should look something
>> like:
>>
>> $parent = new Parent();
>> $child = new Child();
>> $parent->addChild($child);
>
> OK, I get to the code, and what I mentioned above explains why
> there is no need to use the $o = &$object;
>
> If I take your code and run it against one of the latest versions
> of php 5.1 I will get a var_dump($child) of:
>
> object(pChild)#2 (1) {
>   ["parent"]=>
>   object(pParent)#1 (1) {
>     ["children"]=>
>     array(1) {
>       [0]=>
>       object(pChild)#2 (1) {
>         ["parent"]=>
>         object(pParent)#1 (1) {
>           ["children"]=>
>           array(1) {
>             [0]=>
>             *RECURSION*
>           }
>         }
>       }
>     }
>   }
> }
>
> Which is what I see as expected results.
>
> Curt.
> --
> cat .signature: No such file or directory
>
>

attached mail follows:


Hey Ray-

Thanks for the link!

Actually, the article didn't help directly, but it did spark an idea.

My main problem all along was trying to get a true reference to
$this. For some reason reading the article led me to try "$this-
>this", which works, to my surprise!

So, I now have a complete solution to my problem.... code follows...

ONE QUESTION REMAINS: is what I'm doing intended / publicly exposed
behavior, or am I hacking and at risk of failure in future versions?

Thanks,
Alan

<?php

/**
 * Playing around with proper reference counting of nested objects in
 * PHP.
 *
 * The proper way to handle refCounting of nested objects is to have
 * parents "retain" their kids, and have the kids use "weak references"
 * to the parent.
 *
 */

$mem0 = memory_get_usage();

for ($i = 0; $i < 10; $i++) {
    $a = new A;
    $b = new B;
    $a->addB($b);
    $b = NULL; // kill the ref from a to b so as to GC b. If we've done
               // things right, b will still exist and the next line will
               // not fail.
    $a->printBs();
    $a = NULL; // kill the local ref to a, which should be the only
               // ref-counted ref to a if we've done things right; this
               // should cause a (and thus b) to be gc'd NOW.
}

print "Leaked: " . (memory_get_usage() - $mem0) . "\n";
print "Done\n";
exit;

class A
{
    public $b = array();
    private $memWaste;

    function __construct()
    {
        $this->memWaste = "";
        for ($i = 0; $i < 1000; $i++) {
            $this->memWaste .= "1234567890";
        }
        print "new A{$this}\n";
    }
    function __destruct()
    {
        print "kill A{$this}\n";
    }
    // "{$this}" inside a string needs __toString() from PHP 5.2 on; the
    // original relied on the older automatic "Object id #N" conversion.
    function __toString()
    {
        return '#' . spl_object_hash($this);
    }

    // add a child B to our list. We want a ref-counted instance here.
    function addB($b)
    {
        $this->b[] = $b; // refCounted desired in parent->child link
        $b->setA($this->this); // so, this is apparently how you access a
                               // true reference to $this, because &$this
                               // doesn't work.
        // "this" is not a declared property: passing an undefined property
        // by reference creates it as NULL, so B's $a ends up referencing
        // that NULL property rather than this A instance.
    }

    function printBs()
    {
        foreach ($this->b as $b) {
            $b->sayHi();
        }
    }
}

class B
{
    public $a;
    private $memWaste;
    function __construct()
    {
        $this->memWaste = "";
        for ($i = 0; $i < 1000; $i++) {
            $this->memWaste .= "1234567890";
        }
        print "new B{$this}\n";
    }
    function __destruct()
    {
        print "kill B{$this}\n";
    }
    function __toString()
    {
        return '#' . spl_object_hash($this);
    }
    // refCount NOT desired in child->parent link, so use ref vars
    function setA(&$a)
    {
        $this->a = &$a;
    }

    function sayHi()
    {
        print "HI from {$this}\n";
    }
}
?>

On Dec 6, 2005, at 7:10 PM, Ray Hauge wrote:

> I am uncertain on this, but I believe that the $this variable is
> already just a reference to the class you are calling it from.
> Then passing the reference by-reference to the addParent() method
> of the Child class could be what is causing your issue. I'd be
> curious to see what would happen if you took out the pass-by-
> reference and instead pass-by-value for the addParent() method.
> Then again, that doesn't particularly sound correct either.
>
> This link might help. They cover a lot of advanced reference usage
> for PHP.
>
> http://www.onlamp.com/pub/a/php/2002/09/12/php_foundations.html
>
> Alan Pinstein wrote:
>
>> So.. I am having PHP5 memory management problems.
>>
>> They are similar to those described in this thread:
>>
>> http://aspn.activestate.com/ASPN/Mail/Message/php-Dev/1555640
>>
>> (so maybe this question belongs on php-dev but I figured I'd try
>> here first... seems like a userland question)
>>
>> Basically I have an object model to represent db objects, and I
>> am bulk-loading the objects via some PHP scripts. Sadly the
>> scripts consume unbounded memory because of this problem.
>>
>> I have done a lot of programming in C++ and Obj-C and the normal
>> way to handle circular references is to have parents
>> "retain" (keep ref- counted links) to their kids, and have the
>> kids have "weak references" (non-ref-counted) links to their
>> parents. This way, when the parent is no longer used, it will
>> automatically 0-out the ref counts to all children it links too
>> and things GC correctly.
>>
>> Now, how to do this in PHP?
>>
>> Well, there are no "documented" weak references. However, I
>> figured out by trial that if you obtain a php-reference to an
>> object, it doesn't bump the refcount.
>>
>> Question #1: Is the fact that references to objects in the form
>> $objRef = &$obj don't bump the refcount of $obj an intended
>> behavior that can be counted on? If so, cool!
>>
>> So, now that we have a way to do weak references, we should be
>> able to implement a reasonable memory management scheme for
>> parent-child objects.
>>
>> Normally from the client side the interface should look something
>> like:
>>
>> $parent = new Parent();
>> $child = new Child();
>> $parent->addChild($child);
>>
>> Where parent can have 0,n children and child can have 0,1 parent.
>>
>> And all of parent's internal links to child should be refcounted,
>> and the internal links from child to parent are weak (not ref-
>> counted).
>>
>> So based on the above discovery about references, I tried to
>> implement this as such:
>>
>> class Parent
>> {
>> public $children = array();
>>
>> // add a child to our list. We want a ref-counted link here.
>> function addChild($child)
>> {
>> $this->children[] = $child; // refCounted desired in
>> parent->child link
>> $child->setParent($this);
>> }
>> }
>>
>> class Child
>> {
>> public $parent;
>>
>> // set the parent object. We want a non-ref-counted link here.
>> function setParent(&$parent)
>> {
>> // refCount NOT desired in child->parent link
>> $this->parent = &$parent;
>> }
>> }
>>
>> Now, you'd expect this would work, but it doesn't. On a hunch, I
>> changed the client code to:
>>
>> $parent = new Parent();
>> $child = new Child();
>> $parent->addChild($child);
>> $child->setParent($child); // new line here - you can
>> successfully create a reference to the object when not passed in
>> as $this
>>
>> Now, this works! However, it's not practical. The setParent call
>> should work from within the parent object....
>>
>> So what I figured out is that $this is a "pseudo variable"
>> according to the docs, but I don't know what that means.
>> Empirically I have figured out that it means you cannot create a
>> reference to it.
>>
>> Is this a feature or a bug? What's the workaround?
>>
>> This is a serious problem for PHP scripts that need to do things
>> that require large amounts of memory.
>>
>> Please advise.
>>
>> Thanks,
>> Alan
>>
>
>

attached mail follows:


On Dec 7, 2005, at 12:36 AM, Curt Zirzow wrote:

> My original statement was to show how the the php4 = &$o is
> different.

Oh, well, sure I believe that! :)

> In php5 variables are just containers that point to objects, so
> when you make
> a variable a reference to another variable all you are doing is
> saying these variables are the same thing.
>

That's good to know... one thing that's difficult about PHP is that
everything's opaque and not well documented. In C/C++ I know what
things actually are b/c you can see the typedefs. In php I just don't
know how objects are represented, what references are, etc.

So, knowing that an "object" variable is really just a "special
container object" that points to the real instance, this is useful.
That isn't clear from the php docs. Thanks!

> php5's objects don't know any such thing as a reference, they just
> know of instances of themselves. The variables ($o, $a, $b)
> existence is just a container for the instance of the object. So in
> the case when I do a:
>
> $b = &$o;
>
> All that is happening is the container is identical, so when I say:
>
> $o = null;
>
> Since $b is the same thing as $o , $b is set to null as well and
> thus, there are no more variables (containers) that reference
> the instance of the object, thus the object will get destroyed,
> but.. if i say we have two containers:
>
> $o = new stdClass;
> $b = $o;
>
> Now the instance of that 'new StdClass' is contained in two vars,
> when I set $o to null, $b still exists since it doesn't know about
> $o whatsoever, and the instance of the stdClass still exists.

Yes, this makes sense, too. It's tricky, with so many levels of
indirection. So at the core level, you've got the "real" object
instance. Then, you've got N container "object variables" that point
to the real instance. PHP refcounts the number of object variables
pointing at the real instance. Then, on top of that, you have
references, which are "aliases" to "object variables" and thus don't
affect the ref count. So good this all makes sense and agrees with
the behavior I see.

> I guess it comes down to objects are treated the same way as you
> would expect these results:
>
> <?php
>
> $i = 1; /* aka new object */
> $k = $i;
>
> $i = null;
> var_dump($i); /* null */
> var_dump($k); /* int(1) */
>
> $i = 1; /* aka new object */
> $j = &$i;
>
> $i = null;
> var_dump($i); /* null */
> var_dump($j); /* null */
>

Yes...

>> The sample code below shows that indeed, in practice, on 5.0.4, that
>> & will create another reference (ie a weak reference) to an object
>> WITHOUT incrementing the refcount....
>
> I'm not sure how you mean a weak reference, and well a refcount is
> rather meaning less in php userland.

So, this gets interesting. I don't know if you're familiar with the
circular-reference problem. But if you have two instances that have
references to each other, even once you remove all references to the
objects, they will not be GC'd since they have a mutual deadlock on
each other:

$a = new MyObj;
$b = new MyObj;
$a->setB($b); // does $this->b = $b;
$b->setA($a); // does $this->a = $a;

$a = NULL;
$b = NULL;

The actual instances pointed to by $a and $b WILL NOT GET FREED HERE
as you would *wish*. However this is expected behavior.

Only by changing MyObj to store "weak references", that is references
to the objects that are NOT reference-counted, can you get the GC to
free the instances.

function setB(&$b) { $this->b = &$b; }
function setA(&$a) { $this->a = &$a; }

Now, the instances will be freed when the $a and $b are null'd out.

So, while I now feel more confident of how references act with
respect to objects (which is, they act the same as they do for any
variable), I still am not sure what "$this->this" is and why it
worked so magically.

Thanks for the explanations! I feel better about this now.

Alan
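An added example, not Curt's or Alan's code, for the two messages above (Curt's explanation of object handles versus PHP references, and Alan's parent/child scheme): the same parent/child structure written for PHP >= 8.0, where the child holds its parent through WeakReference (available since PHP 7.4) rather than through a PHP reference, next to the strong-cycle version that only the cycle collector (gc_collect_cycles(), PHP >= 5.3) can free. Class and method names are made up. One further point about Alan's class A: PHP creates an undefined property when it is passed by reference, so `$b->setA($this->this)` hands B a reference to a freshly created NULL property, not to the A instance, which is why no cycle forms there.

```php
<?php
// Added example (not from the thread): a child->parent link that does not
// keep the parent alive, done with WeakReference (PHP >= 7.4; this file
// uses PHP 8.0 syntax), next to the strong-cycle version from the thread
// that needs the cycle collector. Class and method names are made up.

declare(strict_types=1);

$destroyed = [];   // destructor log so the ordering is visible

class Node
{
    /** @var Node[] strong (refcounted) links parent -> child */
    public array $children = [];
    /** weak link child -> parent: does not count toward the parent's refcount */
    private ?WeakReference $parent = null;

    public function __construct(public string $name) {}

    public function addChild(Node $child): void
    {
        $this->children[] = $child;
        $child->parent = WeakReference::create($this);
    }

    /** The parent while it lives, null once it has been destroyed. */
    public function parent(): ?Node
    {
        return $this->parent?->get();
    }

    public function __destruct()
    {
        global $destroyed;
        $destroyed[] = $this->name;
    }
}

// The version Alan started with: a strong link in both directions.
class CyclicNode
{
    public array $children = [];
    public ?CyclicNode $parent = null;   // strong link -> reference cycle
    public function __construct(public string $name) {}
    public function addChild(CyclicNode $child): void
    {
        $this->children[] = $child;
        $child->parent = $this;
    }
    public function __destruct()
    {
        global $destroyed;
        $destroyed[] = $this->name;
    }
}

// 1. Strong cycle: clearing the only outside variable frees nothing, because
//    parent and child still hold each other; only the cycle collector frees them.
$p = new CyclicNode('cyclic-parent');
$p->addChild(new CyclicNode('cyclic-child'));
$p = null;
$afterUnsetCyclic = $destroyed;   // [] - both objects are still alive
gc_collect_cycles();
$afterGcCyclic = $destroyed;      // both names - freed by the collector

// 2. Weak child->parent link: the parent's refcount drops to zero as soon as
//    $p is cleared, its destructor runs at once, and the weak ref goes stale.
$destroyed = [];
$p = new Node('weak-parent');
$c = new Node('weak-child');
$p->addChild($c);
$parentSeen  = $c->parent()?->name;   // 'weak-parent' while the parent lives
$p = null;
$parentAfter = $c->parent();          // null - the parent is already gone
$afterUnsetWeak = $destroyed;         // ['weak-parent']
$c = null;                            // the child follows, no collector needed

printf("cyclic: before gc %s, after gc %s\n",
    json_encode($afterUnsetCyclic), json_encode($afterGcCyclic));
printf("weak: parent seen %s, after unset %s, destroyed %s\n",
    var_export($parentSeen, true), var_export($parentAfter, true), json_encode($destroyed));
```

The `&$a` trick in the thread only "works" because assigning NULL to the caller's variable also nulls the property that shares its zval; a WeakReference expresses the same intent without coupling the child to the caller's variable, and `parent()` returning null is the check to make before touching a parent that may already have been destroyed.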

attached mail follows:


Hello,

Something just crossed my mind about using output buffering.... is
there any reason why you should start a session before calling
ob_start() ???

Just curious which way would be the proper way of doing it... or
doesn't it matter?

Thanks

--
Joe Harman
---------
* My programs never have bugs, they just develop random features.