php-general Digest 7 Apr 2006 02:07:33 -0000 Issue 4057

php-general-digest-helplists.php.net
Date: Thu Apr 06 2006 - 21:07:33 CDT


php-general Digest 7 Apr 2006 02:07:33 -0000 Issue 4057

Topics (messages 233349 through 233411):

Re: int to string
        233349 by: Kevin Waterson
        233381 by: tedd

Re: Magic quotes good or Bad?
        233350 by: Kevin Waterson

Re: Faking Boolean
        233351 by: Paul Novitski

Re: simple regex query
        233352 by: Jochem Maas
        233358 by: Angelo Zanetti
        233362 by: Robin Vickery
        233375 by: Joe Henry
        233382 by: Paul Scott

Re: PHP post data
        233353 by: Chris Shiflett

Re: IF or SWITCH
        233354 by: Joe Wollard
        233378 by: tedd
        233379 by: ray.hauge.americanstudentloan.com
        233385 by: Robert Cummings
        233386 by: Robert Cummings
        233390 by: Paul Novitski
        233394 by: tedd
        233403 by: Robert Cummings
        233404 by: John Nichel
        233406 by: Ray Hauge
        233409 by: Miles Thompson
        233411 by: Kevin Waterson

Re: help with some logic.
        233355 by: Dallas Cahker

Re: php, sessions and ie
        233356 by: Dallas Cahker

php security
        233357 by: Dallas Cahker
        233364 by: Dan McCullough
        233368 by: Kevin Kinsey
        233370 by: Chris Shiflett
        233374 by: Dan McCullough
        233376 by: Dan McCullough
        233377 by: Jim Moseby

Color matching magic?
        233359 by: Ashley M. Kirchner
        233371 by: tedd
        233373 by: Al

<?=?> style
        233360 by: Dallas Cahker
        233363 by: Dan McCullough
        233365 by: Brad Bonkoski

server/PHP security
        233361 by: Wolf
        233367 by: Dan McCullough
        233369 by: Dan McCullough
        233372 by: Chris Shiflett
        233380 by: Wolf
        233383 by: Dallas Cahker

Re: Php Script Stumped!
        233366 by: M. Sokolewicz

Re: PHP Form Help
        233384 by: tedd

Re: Oracle stored procedures
        233387 by: Jay Blanchard
        233388 by: Brad Bonkoski
        233389 by: Jay Blanchard

Omit warnings per script?
        233391 by: Brian Dunning
        233392 by: Jay Blanchard
        233395 by: John Nichel
        233401 by: Jim Moseby
        233405 by: Al

Re: session_start
        233393 by: Anthony Ettinger

Argument passed by reference?
        233396 by: Chris Boget
        233397 by: Joe Henry
        233398 by: Chris Boget

Bug Apache/PHP/Oracle on Debian
        233399 by: David BERCOT
        233408 by: Chris

how to kill session id without closing the window?
        233400 by: afan.afan.net
        233410 by: Chris

Re: Problems creating images
        233402 by: Age Bosma
        233407 by: Tom Rogers

Administrivia:

To subscribe to the digest, e-mail:
        php-general-digest-subscribelists.php.net

To unsubscribe from the digest, e-mail:
        php-general-digest-unsubscribelists.php.net

To post to the list, e-mail:
        php-generallists.php.net

----------------------------------------------------------------------

attached mail follows:


This one time, at band camp, Peter Hoskin <peterhcriten.org> wrote:

> Want a complete solution? $88 AUD/hr.

Or simply use this function...
http://phpro.org/examples/Numbers-to-Words.html

and my rates are only $85 AUD/hr ;)

Kevin

--
"Democracy is two wolves and a lamb voting on what to have for lunch.
Liberty is a well-armed lamb contesting the vote."

attached mail follows:


At 4:27 PM -0700 4/5/06, Tanner Postert wrote:
>I don't think it's built in, so I was wondering ya'll would recommend as the
>best way to convert int to string, not basic type casting, but converting to
>the english word the int represents.
>
>Something like this:
>
>5 = "Five" or 20 = "Twenty"

Tanner:

The following demo will work "as-is", but needs to be expanded and
optimized. But, this should give you the basic framework.

<?php

$num = 123;

// floor() rather than round(): round(29/10) gives 3, floor() gives the digit 2
$a = floor($num/100);
$num = $num - ($a*100);
$text = numtext($a) . " hundred, ";

$a = floor($num/10);
$num = $num - ($a*10);
$text .= numtext($a) . " tens, and ";

$a = floor($num/1);
$num = $num - ($a*1);
$text .= numtext($a);

echo($text);
?>

<?php
// returns the word for one digit; extend the switch with the remaining digits
function numtext($a)
{
$b="";
switch ($a)
{
case 1:
$b = "one";
break;

case 2:
$b = "two";
break;

case 3:
$b = "three";
break;
}
return ($b);
}
?>

tedd
--
--------------------------------------------------------------------------------
http://sperling.com
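A complete version of the conversion the demo above sketches, added here as an example and not part of tedd's post. It covers 0 to 999, handles the teens and the tens words, and uses floor-style integer arithmetic so that 29 comes out as "twenty-nine" rather than as three tens; the function name and the range limit are choices made for this example.

```php
<?php
// Added example: integer 0..999 to English words.
function numberToWords(int $n): string
{
    if ($n < 0 || $n > 999) {
        throw new InvalidArgumentException('only 0..999 supported in this example');
    }
    static $ones = ['zero', 'one', 'two', 'three', 'four', 'five', 'six', 'seven',
        'eight', 'nine', 'ten', 'eleven', 'twelve', 'thirteen', 'fourteen', 'fifteen',
        'sixteen', 'seventeen', 'eighteen', 'nineteen'];
    static $tens = ['', '', 'twenty', 'thirty', 'forty', 'fifty', 'sixty',
        'seventy', 'eighty', 'ninety'];

    $parts    = [];
    $hundreds = intdiv($n, 100);   // integer division, no rounding surprises
    $rest     = $n % 100;

    if ($hundreds > 0) {
        $parts[] = $ones[$hundreds] . ' hundred';
    }
    if ($rest > 0 || $n === 0) {
        if ($rest < 20) {
            $parts[] = $ones[$rest];          // 0..19 have their own words
        } else {
            $word = $tens[intdiv($rest, 10)];
            if ($rest % 10 !== 0) {
                $word .= '-' . $ones[$rest % 10];
            }
            $parts[] = $word;
        }
    }
    return implode(' and ', $parts);
}

// constructed sample values
foreach ([0, 5, 20, 29, 100, 123, 910] as $n) {
    echo $n, ' = ', numberToWords($n), "\n";
}
```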

attached mail follows:


This one time, at band camp, Angelo Zanetti <angelozlogic.co.za> wrote:

should I enable magic_quotes_gpc or should I use
> addslashes() and stripslashes()?

magic quotes is disabled by default these days, and does not make for portable code.
It is removed in PHP6

Kevin

--
"Democracy is two wolves and a lamb voting on what to have for lunch.
Liberty is a well-armed lamb contesting the vote."
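The portable approach Kevin's reply points at, written out as an added example (not code from the post): undo magic_quotes_gpc when the setting happens to be on, and keep SQL quoting out of application code altogether by binding parameters. get_magic_quotes_gpc() always returns false from PHP 5.4 on and no longer exists in PHP 8, hence the function_exists() guard. The SQLite in-memory database and the table are constructed so the script runs offline; the sample name is a constructed stand-in for a form field.

```php
<?php
// Added example: normalise input under magic quotes, then use a prepared statement.

function stripMagicQuotes(array $data): array
{
    foreach ($data as $key => $value) {
        $data[$key] = is_array($value) ? stripMagicQuotes($value) : stripslashes($value);
    }
    return $data;
}

// only relevant on PHP < 5.4; harmless elsewhere
if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
    $_GET    = stripMagicQuotes($_GET);
    $_POST   = stripMagicQuotes($_POST);
    $_COOKIE = stripMagicQuotes($_COOKIE);
}

// constructed value standing in for $_POST['name']
$name = "O'Brien";

// The pattern addslashes() was meant to patch up: quoting by hand.
// $sql = "SELECT id FROM users WHERE name = '" . $name . "'";   // not safe

// Portable alternative: the driver handles quoting through a bound parameter.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('O''Brien')");

$stmt = $pdo->prepare('SELECT id FROM users WHERE name = :name');
$stmt->execute([':name' => $name]);
echo 'matched row id: ', $stmt->fetchColumn(), "\n";
```

Because the value never touches the SQL text, the apostrophe in the name needs no escaping in application code, whichever quoting mode the server runs with.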

attached mail follows:


At 11:08 PM 4/5/2006, John Taylor-Johnston wrote:
>How can I take enquiry:
>
><input name="searchenquiry" type="text" value="john">
>or
><input name="searchenquiry" type="text" value="john johnston">
>
>and parse its value to come up with this to do a boolean search
>
>+"john"
>or
>+"john" +"johnston"

John,

If you're splitting your search string into discrete words, most
search engine logic doesn't require quotes. Typically, quotation
marks combine multiple words into single expressions, which makes
sense with "John Johnston" but not with "John" "Johnston".

But since you requested the quotes I'll include them:

Here's one way to convert an incoming word series for a search:

         // get the entered text
         $sEnquiry = $_GET["searchenquiry"];

RESULT: [ john johnston ]

         // protect against input attacks here
         ...

         // remove whitespace from beginning & end
         $sEnquiry = trim($sEnquiry);

RESULT: [john johnston]

         // replace internal whitespace with single spaces
         $sEnquiry = preg_replace("/\s+/", " ", $sEnquiry);

RESULT: [john johnston]

         // replace each space with quote-space-plus-quote
         $sEnquiry = str_replace(" ", "\" +\"", $sEnquiry);

RESULT: [john" +"johnston]

         // add beginning & ending delimiters
         $sEnquiry = "+\"" . $sEnquiry . "\"";

RESULT: [+"john" +"johnston"]

Another technique that's worth exploring uses explode & implode to
isolate the words and the join them again with different delimiters, e.g.:

         // remove extraneous whitespace
         $sEnquiry = ...

         // split string into array of words on each space
         $aWords = explode(" ", $sEnquiry);

RESULT: array(
                 john
                 johnston
         )

         // concatenate the array back into a string using desired delimiters
         $sSearch = implode(" +", $aWords);

RESULT: [john +johnston]

Paul
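The word-series conversion Paul walks through above, collected into one function as an added example (not code from the post). It also fills in the "protect against input attacks" step that the post leaves as an ellipsis: the value arrives from an untrusted request, so backslashes and double quotes inside a word are escaped before the word is wrapped in quotes, and the number of terms is capped. The function name, the cap and the sample inputs are choices made for this example; if the result is later placed in an SQL statement it still needs to go through a bound parameter.

```php
<?php
// Added example: build a +"word" +"word" boolean search expression from a
// whitespace-separated enquiry string.
function buildBooleanSearch(string $enquiry, int $maxTerms = 10): string
{
    // collapse every run of whitespace (spaces, tabs, newlines) and trim the ends
    $enquiry = trim(preg_replace('/\s+/', ' ', $enquiry));
    if ($enquiry === '') {
        return '';
    }

    // split on the single spaces left by the step above, cap the term count
    $words = array_slice(explode(' ', $enquiry), 0, $maxTerms);

    $terms = [];
    foreach ($words as $word) {
        // escape the characters that would terminate the quoted term
        // (backslash first, so the quote escape is not doubled afterwards)
        $safe    = str_replace(['\\', '"'], ['\\\\', '\\"'], $word);
        $terms[] = '+"' . $safe . '"';
    }
    return implode(' ', $terms);
}

// constructed inputs, as they would arrive in $_GET['searchenquiry']
$samples = [
    'john',
    '  john   johnston ',
    "john\tjohnston\n",
    'john "jack" johnston',
];
foreach ($samples as $s) {
    printf("[%s] -> %s\n", addcslashes($s, "\t\n"), buildBooleanSearch($s));
}
```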

attached mail follows:


Angelo Zanetti wrote:
> Hi guys
>
> Been tryin to figure out regex and have found some tutorials but some
> have made things clear and others have confused me.
>
> Anyway for a simple query, if I just wanted to check that a variable has
> only text and numeric characters would I do something like this
> (i want it to fail if it finds a symbol eg: + - { " etc...):
>
> echo "REG result: " . preg_match('/[a-zA-Z0-9]*/', '{d-fg');

you're on the right path, what's needed is start and end [string] delimiters
in the regexp (note I used a different regexp delimiter, '#', which is irrelevant):

echo "REG 1 result: ", preg_match("#[a-zA-Z0-9]*#", "{d-fg"), "\n",
      "REG 2 result: ", preg_match("#^[a-zA-Z0-9]*$#", "{d-fg"), "\n";

the magic characters are '^' and '$' as explained in more detail here:
http://php.net/manual/en/reference.pcre.pattern.syntax.php

<quote>
^

     assert start of subject (or line, in multiline mode)
$

     assert end of subject (or line, in multiline mode)
</quote>

>
> however this resolves to true because there are normal characters
> (alphabetical characters) so how do I make the expression fail because
> of the { and - characters in the string?
>
> You can also list which characters you DON'T want -- just use a '^' as
> the first symbol in a bracket expression
> (i.e., "%[^a-zA-Z]%" matches a string with a character that is not a
> letter between two percent signs). But that would mean that I would have
> to list each symbol I dont want and that would be undesireable as it
> would be better to list exactly what the acceptable characters are.
>
> Can anyone give me some insight as to where I'm going wrong?
>
> thanks
>

attached mail follows:


Jochem Maas wrote:
> Angelo Zanetti wrote:
>
>> Hi guys
>>
>> Been tryin to figure out regex and have found some tutorials but some
>> have made things clear and others have confused me.
>>
>> Anyway for a simple query, if I just wanted to check that a variable
>> has only text and numeric characters would I do something like this
>> (i want it to fail if it finds a symbol eg: + - { " etc...):
>>
>> echo "REG result: " . preg_match('/[a-zA-Z0-9]*/', '{d-fg');
>
>
> you're on the right path, whats needed is start and end [string] delimiters
> in the regexp (note I used a different regexp delimiter, '#', which is
> irrelevant):
>
> echo "REG 1 result: ", preg_match("#[a-zA-Z0-9]*#", "{d-fg"), "\n",
> "REG 2 result: ", preg_match("#^[a-zA-Z0-9]*$#", "{d-fg"), "\n";
>
> the magic characters are '^' and '$' as explained in more detail here:
> http://php.net/manual/en/reference.pcre.pattern.syntax.php
>
> <quote>
> ^
>
> assert start of subject (or line, in multiline mode)
> $
>
> assert end of subject (or line, in multiline mode)
> </quote>
>

thanks but I think I kinda got working the other way around:

if (!preg_match('/[^a-zA-Z0-9]/', 'gf-5'))
      echo "valid";
else
      echo "invalid";

then if I wanted to list any symbols I could just change it to:

preg_match('/[^a-zA-Z0-9\,\.]/', 'gf-5')

if I wanted . and , to be accepted.

tx

attached mail follows:


On 06/04/06, Angelo Zanetti <angelozlogic.co.za> wrote:
>
> Anyway for a simple query, if I just wanted to check that a variable has only text and numeric characters would I do something like this
> (i want it to fail if it finds a symbol eg: + - { " etc...):
>
> echo "REG result: " . preg_match('/[a-zA-Z0-9]*/', '{d-fg');
>
> however this resolves to true because there are normal characters (alphabetical characters) so how do I make the expression fail because of the { and - characters in the string?
>
> You can also list which characters you DON'T want -- just use a '^' as the first symbol in a bracket expression
> (i.e., "%[^a-zA-Z]%" matches a string with a character that is not a letter between two percent signs). But that would mean that I would have to list each symbol I dont want and that would be
> undesireable as it would be better to list exactly what the acceptable characters are.

You're pretty much there. Your first example resolved to true because
you didn't anchor the start and end of the expression.

    /^[a-z0-9]*$/i

It would be a bit more efficient to use the negated character class
you mentioned.

  /[^a-z0-9]/i

All you need to bear in mind is that preg_match() would then return
true if the string contains an illegal character and false if it is OK
rather than the other way around.

So these should both produce the same result:

preg_match('/^[a-z0-9]*$/i', '{d-fg');
!preg_match('/[^a-z0-9]/i', '{d-fg');

  -robin
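The two forms from Jochem's and Robin's replies side by side, as an added example (not code from either post), plus two checks a whitelist validator needs that neither post mentions: in PCRE, '$' also matches just before a trailing newline, so "gf5\n" passes /^[a-z0-9]*$/ (use \z, or the D modifier, to anchor at the true end), and '*' accepts the empty string (use '+'). The negated-class form does not have the newline problem, because the newline itself is an illegal character. Function names and the sample inputs are choices made for this example.

```php
<?php
// Added example: three ways to check "only letters and digits".

// anchored whitelist, \z anchors at the real end of the subject
function isAlnumAnchored(string $s): bool
{
    return preg_match('/^[a-z0-9]+\z/i', $s) === 1;
}

// negated class: valid when no character outside the set is found
// (=== 0, because preg_match returns false on a pattern error)
function isAlnumNegated(string $s): bool
{
    return $s !== '' && preg_match('/[^a-z0-9]/i', $s) === 0;
}

// the form from the thread, kept to show what it lets through
function isAlnumNaive(string $s): bool
{
    return preg_match('/^[a-z0-9]*$/i', $s) === 1;
}

// constructed inputs: valid, the two from the thread, empty, trailing newline, punctuation
$inputs = ['gf5', '{d-fg', 'gf-5', '', "gf5\n", 'ab,cd'];
foreach ($inputs as $in) {
    printf("%-10s anchored=%d negated=%d naive=%d\n",
        json_encode($in), isAlnumAnchored($in), isAlnumNegated($in), isAlnumNaive($in));
}
```

Running it shows the first two functions agreeing on every input, while the naive form accepts both the empty string and "gf5\n".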

attached mail follows:


On Thursday 06 April 2006 6:19 am, Angelo Zanetti wrote:
> Hi guys
>
> Been tryin to figure out regex and have found some tutorials but some have
> made things clear and others have confused me.
>
> Anyway for a simple query, if I just wanted to check that a variable has
> only text and numeric characters would I do something like this (i want it
> to fail if it finds a symbol eg: + - { " etc...):
>
> echo "REG result: " . preg_match('/[a-zA-Z0-9]*/', '{d-fg');
>
> however this resolves to true because there are normal characters
> (alphabetical characters) so how do I make the expression fail because of
> the { and - characters in the string?
>
> You can also list which characters you DON'T want -- just use a '^' as the
> first symbol in a bracket expression (i.e., "%[^a-zA-Z]%" matches a string
> with a character that is not a letter between two percent signs). But that
> would mean that I would have to list each symbol I dont want and that would
> be undesireable as it would be better to list exactly what the acceptable
> characters are.
>
> Can anyone give me some insight as to where I'm going wrong?
>
> thanks
>
> --
>
> Angelo

I found an AJAX regex tester the other day. It'll check PCRE, Posix, and
Javascript. Don't know how useful this is, but thought I'd throw it into this
thread.

http://rexv.org/

--
Joe Henry
www.celebrityaccess.com
jhenrycelebrityaccess.com

attached mail follows:


On Thu, 2006-04-06 at 15:36 +0200, Jochem Maas wrote:
> >
> > Been tryin to figure out regex and have found some tutorials but some
> > have made things clear and others have confused me.
> >

We are busy building up a library of commonly used regex's on a wiki,
check it out at http://fsiu.uwc.ac.za/ If its not there, please add a
method once you figure it out!

--Paul

attached mail follows:


John Taylor-Johnston wrote:
> Scrolling back and forward through my PHP generated search
> engine, my browser (FF) alerts to remind me that I have post
> data. What kind of header can I add to avoid it doing that?

I have a pretty detailed article about this on my web site:

http://shiflett.org/articles/guru-speak-nov2004

In your case, you want to use what some people call the PRG pattern
(POST, Redirect, GET). The redirect you want is a 3xx response, because
those are excluded from the history mechanism, and PHP handles this for
you when you add a Location header to a response.

Chris
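The POST/Redirect/GET pattern Chris describes, written out as an added example (it is not code from the post or from the linked article). The POST branch does its work, then answers with a 303 redirect to a GET URL and stops, so the browser's history holds only GET requests and Back/Forward never re-submits the form. The search page path, the session usage and the form field name are assumptions for this example.

```php
<?php
// Added example: POST, Redirect, GET for a search form.
session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // process the submission (here: remember the query for the results page)
    $query = isset($_POST['searchenquiry']) ? trim($_POST['searchenquiry']) : '';
    $_SESSION['last_query'] = $query;

    // redirect to a fixed same-origin GET URL; the target is never taken from
    // the request, so the redirect cannot be pointed elsewhere
    $target = '/search.php?q=' . rawurlencode($query);
    header('Location: ' . $target, true, 303);   // 303 = "See Other", a GET follows
    exit;                                         // nothing may be output after this
}

// GET branch: render results; reloading or navigating here sends no POST body
$query = isset($_GET['q']) ? $_GET['q'] : '';
echo '<p>Results for: ', htmlspecialchars($query, ENT_QUOTES, 'UTF-8'), '</p>', "\n";
```

PHP sends 302 by default when it sees a Location header; 303 states explicitly that the follow-up request is a GET, which is what the pattern wants.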

attached mail follows:


On 4/6/06, Robert Cummings <robertinterjinn.com> wrote:
>
> On Thu, 2006-04-06 at 02:29, Joe Wollard wrote:
> > The main perk to using switch over if
> > statements is speed (Google can back this up). The reason it's faster is
> > because it's simpler by design and is able to jump directly to the case
> that
> > evaluates to true, whereas an if statement needs to evaluate every
> if/elseif
> > condition until it finds one that evaluates to true.
>
> I'm gonna go out on a limb here and say WRONG!
>
> Run yourself a benchmark.
>
> Cheers,
> Rob.
> --
> .------------------------------------------------------------.
> | InterJinn Application Framework - http://www.interjinn.com |
> :------------------------------------------------------------:
> | An application and templating framework for PHP. Boasting |
> | a powerful, scalable system for accessing system services |
> | such as forms, properties, sessions, and caches. InterJinn |
> | also provides an extremely flexible architecture for |
> | creating re-usable components quickly and easily. |
> `------------------------------------------------------------'
>
>
um. Did you just stick your tongue out at me? (jk) Actually, Rob brings up a
good point. switch statements are not always faster. Here's an example from
http://www.php.net/manual/en/control-structures.switch.php - note that it
says that in certain circumstances switch may be faster than an if.

"In a switch statement, the condition is evaluated only once and the result
is compared to each case statement. In an elseif statement, the condition is
evaluated again. If your condition is more complicated than a simple compare
and/or is in a tight loop, a switch may be faster."

Thanks for making me research that one Rob - I learned something there, and
Ray I hope that helps.

attached mail follows:


At 7:48 PM -0700 4/5/06, Ray Hauge wrote:
>Hello World! wait, not coding... (sorry, long night)
>
>Okay, I finally finished hashing out all the logic for a very complex set of
>rules to determine what "type" an application should be set to. I won't bore
>you with the details of it, but the question is...
>
>I have 57 if/elseif/else statements because of all the different criteria. Is
>it considered better programming practice to use if/elseif/else statements
>over a switch(true) case (true && false || true || false) syntax?
>
>Basically, I'm not too happy with the readability of the code, but I'm afraid
>that at this point there's not much I can do...
>
>code snippet:
>
>if($numFFELP > 1 && count($FFELP_Lenders) > 1 && $numFFELP = $numTotal){
> $retVal = array(TRUE, 'A');
>}elseif($numFFELP > 0 && $enumFFELP > 0 && count($FFELP_Lenders) > 1 &&
>$enumFFELP + $numFFELP = $numTotal){
> $retVal = array(TRUE, 'A');
>}elseif($numFFELP > 0 && $numCONS > 0 && count($FFELP_Lenders) > 1 &&
>$numFFELP + $numCONS = $numTotal){
>etc.
>
>Any suggestions?

Switch.

Regardless of speed, I find that switch is much easier to write and
debug than if/elseif -- which, regardless of my shortcomings, I never
use.

I can't stand using elseif's and have never run into a problem that
required their use -- can anyone show me one where a switch would not
do just as well, if not better?

As for the above, what's wrong with the following?

// switch (true) is the idiom for boolean case expressions; note == rather than =
switch (true)
{
case $numFFELP > 1 && count($FFELP_Lenders) > 1 && $numFFELP == $numTotal:
$retVal = array(TRUE, 'A');
break;

case $numFFELP > 0 && $enumFFELP > 0 && count($FFELP_Lenders) > 1 &&
$enumFFELP + $numFFELP == $numTotal:
$retVal = array(TRUE, 'A');
break;
...

}

OR

// here each case must evaluate to the value that is compared with $numTotal,
// so the guard goes in a ternary; -1 can never equal a count
switch ($numTotal)
{
case ($numFFELP > 1 && count($FFELP_Lenders) > 1) ? $numFFELP : -1:
$retVal = array(TRUE, 'A');
break;

case ($numFFELP > 0 && $enumFFELP > 0 && count($FFELP_Lenders) > 1) ?
$enumFFELP + $numFFELP : -1:
$retVal = array(TRUE, 'A');
break;
...

}

<running for cover>
tedd
</running for cover>
--
--------------------------------------------------------------------------------
http://sperling.com
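An added example (not code from tedd's or Ray's posts) that puts the switch(true) rewrite beside the form that actually scales to dozens of rules: an ordered table of named predicates evaluated first-match-wins, so each rule can be read and tested on its own and adding one is an array entry rather than another branch. The counters and the lender list are the names from the thread with constructed values; the rule bodies are illustrative only. One caveat worth knowing for switch(true): PHP compares case values loosely, so a case expression that yields 1 instead of a boolean also matches true.

```php
<?php
// Added example: switch(true) vs. a rule table for a long classification ladder.

// constructed values for the names used in the thread
$numFFELP  = 2;
$enumFFELP = 0;
$numCONS   = 0;
$numTotal  = 2;
$FFELP_Lenders = ['lender-a', 'lender-b'];
$numLenders = count($FFELP_Lenders);   // count once, as suggested in the thread

// 1. switch(true): each case is a boolean expression (== rather than =)
switch (true) {
    case $numFFELP > 1 && $numLenders > 1 && $numFFELP == $numTotal:
        $retVal = [true, 'A'];
        break;
    case $numFFELP > 0 && $enumFFELP > 0 && $numLenders > 1
            && $enumFFELP + $numFFELP == $numTotal:
        $retVal = [true, 'A'];
        break;
    default:
        $retVal = [false, null];
}
echo 'switch(true): ', json_encode($retVal), "\n";

// 2. rule table: the same decision, one named predicate per rule, cheapest
//    and most selective checks first, evaluated in order
$rules = [
    'multi-FFELP' => [
        fn() => $numFFELP > 1 && $numLenders > 1 && $numFFELP == $numTotal,
        [true, 'A'],
    ],
    'FFELP-plus-E' => [
        fn() => $numFFELP > 0 && $enumFFELP > 0 && $numLenders > 1
                && $enumFFELP + $numFFELP == $numTotal,
        [true, 'A'],
    ],
    'FFELP-plus-CONS' => [
        fn() => $numFFELP > 0 && $numCONS > 0 && $numLenders > 1
                && $numFFELP + $numCONS == $numTotal,
        [true, 'A'],
    ],
];

// first matching rule wins, exactly like an if/elseif ladder
function classify(array $rules): array
{
    foreach ($rules as $name => [$predicate, $result]) {
        if ($predicate()) {
            return [$name, $result];
        }
    }
    return ['none', [false, null]];
}
echo 'rule table: ', json_encode(classify($rules)), "\n";
```

The arrow functions capture the counters by value when the table is built, so the table can be constructed once and the rule names show up in logs, which is what makes a bug in rule 43 of 57 findable six months later.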

attached mail follows:


> -------- Original Message --------
> Subject: Re: [PHP] IF or SWITCH
> From: "John Wells" <wellsdjohngmail.com>
> Date: Thu, April 06, 2006 6:08 am
> To: php-generallists.php.net
>
> > ...Either way,
> > internally, switch behaves like if/elseif/else and generally only
> > provides an advantage with respect to code organization or if you want a
> > particular condition to drop through to other case blocks.
> >
>
> Considering this is regarding an if/else with ***57*** conditional
> checks, wouldn't we be wise in suggesting switch/case if one of its
> benefits is code organization and readability?
>
> Imagine having to come back to this code block in a months time to trace a bug.
>
> *shudder*
>
> I would look very long and hard at how the solution may be simplified,
> although it's hard to offer ideas without understanding the business
> logic. I'm just hoping for your sake that there is a way.
>
> Good luck!
>
> John W
>

Thanks for all the info. I think I am going to take a lot of this
information in mind to make it more readable... possibly even use a
switch statement, because I know that this logic is going to change,
and I WILL have to come back to this. Such a pain to completely cover
every possibility under the sun for so many permutations...

Ray

attached mail follows:


On Thu, 2006-04-06 at 09:08, John Wells wrote:
> > ...Either way,
> > internally, switch behaves like if/elseif/else and generally only
> > provides an advantage with respect to code organization or if you want a
> > particular condition to drop through to other case blocks.
> >
>
> Considering this is regarding an if/else with ***57*** conditional
> checks, wouldn't we be wise in suggesting switch/case if one of its
> benefits is code organization and readability?

No! Due to the complexity of the conditionals in question nothing but an
extra indentation level would be gained by using switch semantics.

> Imagine having to come back to this code block in a months time to trace a bug.
>
> *shudder*

Comments are a tool, and should be used as such. Syntax highlighting can
make the experience much easier to swallow since your comments should
stand out if written clearly and concisely.

Cheers,
Rob.

attached mail follows:


On Thu, 2006-04-06 at 11:50, tedd wrote:
>
> Regardless of speed, I find that switch is much easier to write and
> debug than if/elseif -- which, regardless of my shortcomings, I never
> use.

Umm, that you NEVER use elseif I think is strongly coupled with your
shortcomings :l But I'm not judging, to each his own :|

Cheers,
Rob.

attached mail follows:


At 07:48 PM 4/5/2006, Ray Hauge wrote:
>I have 57 if/elseif/else statements because of all the different
>criteria. Is
>it considered better programming practice to use if/elseif/else statements
>over a switch(true) case (true && false || true || false) syntax?

Here are two seemingly contradictory bits of advice:

a) Spend more time making your script easy for humans to read than
you spend trying to make it machine-friendly. Servers are bloody
fast and will process your complex set of If-tests faster than you
can click your mouse. Script languages like PHP are purely for the
benefit of us humans; they're easier for us to read and write than
binary machine language. You might be able to slow down a server
with excess disk access and enormous memory demands, but I wouldn't
lie awake at night worrying about how to shave a few thousand machine
cycles off your code. Instead, think of someone (perhaps yourself)
six months or six years from now trying to make sense of your
code. Comment prolifically, name your variables and functions
sensibly, and use plenty of whitespace.

b) Still, there's something to be said for elegance in code-writing,
and efficiency as an aesthetic goal even when it's not a practical
issue. Since you're using it so much, count your array size once and
keep the result in a variable. The computer may or may not be
significantly affected but your code will be much cleaner.

That said, one thing to keep in mind with regard to conditional
processing is that PHP will stop processing a complex conditional if
the conclusion is determined early on. Consider this:

         if ($bCondition == true || count($aThings) > 1)

If $bCondition is true, the entire expression will evaluate true, so
it's not necessary for the script interpreter to evaluate
"count($aThings) > 1".

Therefore if you're concerned about processing speed & efficiency you
can improve things by putting first the expressions that will
evaluate more quickly or will eliminate the most possibilities.

Here's a little program that demonstrates this point:
____________________

         if (2 == 2 && say("this will appear"))
         {
                 say("test 1 = true");
         }else{
                 say("test 1 = false");
         }

         if (1 == 2 && say("this won't appear"))
         {
                 say("test 2 = true");
         }else{
                 say("test 2 = false");
         }

function say($msg)
{
         echo "<p>$msg</p>";
         return true;
}
____________________

OUTPUT:
         this will appear
         test 1 = true
         test 2 = false
____________________

The expression "this won't appear" does not appear because PHP stops
evaluating the second if-test after determining "1 == 2" to be false.

My surmise is that the parser first reduces the syntax to "if (A &&
B)" so it knows the number of expressions and their Boolean
relationships, so that when it begins evaluating the granular
expressions in sequence it knows when the overall conclusion is determined.

Regards,
Paul

attached mail follows:


At 1:04 PM -0400 4/6/06, Robert Cummings wrote:
>On Thu, 2006-04-06 at 11:50, tedd wrote:
>>
>> Regardless of speed, I find that switch is much easier to write and
>> debug than if/elseif -- which, regardless of my shortcomings, I never
>> use.
>
>Umm, that you NEVER use elseif I think is strongly coupled with your
>shortcomings :l But I'm not judging, to each his own :|
>
>Cheers,
>Rob.

Rob:

Yes NEVER -- as for my shortcomings, they remain as obvious as is my
lack of pretense otherwise. Whereas, my abilities, like most, are not
as obvious. As Will Rogers once said "We're all ignorant, only in
different subjects."

But regardless of my limitations, I still have never had to use an
if/elseif for anything -- and I wrote my first line of code in 1966.
I don't remember specifically just when if/elseif and switch-like
conditionals first appeared in programming (they haven't always been
there and my old Fortran books have been long stored) but I have one
in front of me that's dated 1976 where it just mentions "The Logical
IF Statement" with no if/else or switch-like statements.

So, my programming probably predates both conditions -- however -- in
40 years I have NEVER used an if/elseif control structure by any name
and I always found a way around it -- and one that was usually faster
and with better readability.

If your strong-comings are better than my shortcomings, then perhaps
you could provide an example of where a switch could not perform what
an if/elseif could -- do you have one?

My gut feeling is that you can't -- as well as my gut feeling that
when language developers first thought of if/elseif control, they
realized that it was confusing and provided a switch to get around
it. But, then again, maybe I'm wrong -- been there before. :-)

tedd
--
--------------------------------------------------------------------------------
http://sperling.com

attached mail follows:


On Thu, 2006-04-06 at 14:20, tedd wrote:
> At 1:04 PM -0400 4/6/06, Robert Cummings wrote:
>
> So, my programming probably predates both conditions -- however -- in
> 40 years I have NEVER used an if/elseif control structure by any name
> and I always found a way around it -- and one that was usually faster
> and with better readability.

I think I may have read too much into your previous post. Are you saying
specifically that you never use the elseif construct or any of the if,
elseif, else constructs? If the latter then I think your methodology is
somewhat asinine since I'm sure 99% of the programmers out there would
view code consisting entirely of switches in place of ifs with a huge
grain of WTF :)

Cheers,
Rob.

attached mail follows:


tedd wrote:
> At 1:04 PM -0400 4/6/06, Robert Cummings wrote:
>> On Thu, 2006-04-06 at 11:50, tedd wrote:
>>>
>>> Regardless of speed, I find that switch is much easier to write and
>>> debug than if/elseif -- which, regardless of my shortcomings, I never
>>> use.
>>
>> Umm, that you NEVER use elseif I think is strongly coupled with your
>> shortcomings :l But I'm not judging, to each his own :|
>>
>> Cheers,
>> Rob.
>
> Rob:
>
> Yes NEVER -- as for my shortcomings, they remain as obvious as is my
> lack of pretense otherwise. Whereas, my abilities, like most, are not as
> obvious. As Will Rogers once said "We're all ignorant, only in
> different subjects."
>
> But regardless of my limitations, I still have never had to use an
> if/elseif for anything -- and I wrote my first line of code in 1966. I
> don't remember specifically just when if/elseif and switch-like
> conditionals first appeared in programming (they haven't always been
> there and my old Fortran books have been long stored) but I have one in
> front of me that's dated 1976 where it just mentions "The Logical IF
> Statement" with no if/else or switch-like statements.
>
> So, my programming probably predates both conditions -- however -- in 40
> years I have NEVER used an if/elseif control structure by any name and I
> always found a way around it -- and one that was usually faster and with
> better readability.
>

I remember IF constructs from BASIC and PASCAL, but no switch statements
(somebody correct me if I'm wrong). But what I'm wondering is how in
the world did you do conditional checking if there were no switches, and
you don't use IF's? Did you not code error handling, different cases
based on user input, status of a data stream, etc in all the years prior
to something like switch being introduced???

--
John C. Nichel IV
Programmer/System Admin (ÜberGeek)
Dot Com Holdings of Buffalo
716.856.9675
jnicheldotcomholdingsofbuffalo.com

attached mail follows:


On Thursday 06 April 2006 11:20, tedd wrote:
> At 1:04 PM -0400 4/6/06, Robert Cummings wrote:
> >On Thu, 2006-04-06 at 11:50, tedd wrote:
> >> Regardless of speed, I find that switch is much easier to write and
> >> debug than if/elseif -- which, regardless of my shortcomings, I never
> >> use.
> >
> >Umm, that you NEVER use elseif I think is strongly coupled with your
> >shortcomings :l But I'm not judging, to each his own :|
> >
> >Cheers,
> >Rob.
>
> Rob:
>
> Yes NEVER -- as for my shortcomings, they remain as obvious as is my
> lack of pretense otherwise. Whereas, my abilities, like most, are not
> as obvious. As Will Rogers once said "We're all ignorant, only in
> different subjects."
>
> But regardless of my limitations, I still have never had to use an
> if/elseif for anything -- and I wrote my first line of code in 1966.
> I don't remember specifically just when if/elseif and switch-like
> conditionals first appeared in programming (they haven't always been
> there and my old Fortran books have been long stored) but I have one
> in front of me that's dated 1976 where it just mentions "The Logical
> IF Statement" with no if/else or switch-like statements.
>
> So, my programming probably predates both conditions -- however -- in
> 40 years I have NEVER used an if/elseif control structure by any name
> and I always found a way around it -- and one that was usually faster
> and with better readability.
>
> If your strong-comings are better than my shortcomings, then perhaps
> you could provide an example of where a switch could not perform what
> an if/elseif could -- do you have one?
>
> My gut feeling is that you can't -- as well as my gut feeling that
> when language developers first thought of if/elseif control, they
> realized that it was confusing and provided a switch to get around
> it. But, then again, maybe I'm wrong -- been there before. :-)
>
> tedd
> --
> --------------------------------------------------------------------------------
> http://sperling.com

I'm pretty sure he's ONLY talking about IF/ELSEIF and not IF in general.
That's what I got from the message. Correct me if I'm wrong.

I ended up deciding to stay with the IF/ELSEIF statements... mostly because I
was already done. I did clean up the COUNT()ing though.

Always nice when the list helps out :)

--
Ray Hauge
Programmer/Systems Administrator
American Student Loan Services
www.americanstudentloan.com
1.800.575.1099

attached mail follows:


At 05:56 PM 4/6/2006, John Nichel wrote:
><snip>
>I remember IF constructs from BASIC and PASCAL, but no switch statements
>(somebody correct me if I'm wrong). But what I'm wondering is how in the
>world did you do conditional checking if there were no switches, and you
>don't use IF's? Did you not code error handling, different cases based on
>user input, status of a data stream, etc in all the years prior to
>something like switch being introduced???
>
>--
>John C. Nichel IV

Ye gods -- I'm getting old. I had to look this up.
Yup - Pascal has

         case operator of
                 .. statements ...
         otherwise
                 .. statement
         end;

And you can group cases.

Forgotten all that - had to look it up.

What I think happens is that we are merrily noodling along in our code,
and a condition rears its head. Simple - if .. else. Then things get a bit
more complicated, and so we end up with nested if .. elseif .. else constructs.

Personally I like the clarity of switch, but don't use it often because I
generally try to avoid messy nests of conditions.

Cheers - Miles


attached mail follows:


This one time, at band camp, Robert Cummings <robertinterjinn.com> wrote:

> I'm gonna go out on a limb here and say WRONG!
>
> Run yourself a benchmark.

Benchmarks can be hazardous, but let's look at them at their most basic level. By this
I mean how folks use them every day...

http://www.phpro.org/benchmarks/if-switch-benchmark.html

Kind regards
Kevin
--
"Democracy is two wolves and a lamb voting on what to have for lunch.
Liberty is a well-armed lamb contesting the vote."

attached mail follows:


Thanks, that makes it a lot easier to follow.

On 4/4/06, Dallas Cahker <christmasfruitcakegmail.com> wrote:
>
> Okay I'll look at that.
>
> What about switching to setting the password in md5 format in the cookie
> rather than a regular id. I might not call the cookie password but to me,
> thinking about it, it seems like the same thing as setting a random id and then
> saving the random id in the db.
>
>
> On 4/4/06, Dan McCullough <dan.mcculloughgmail.com> wrote:
> >
> > hey Dallas,
> >
> > have you thought about breaking this up and making two separate
> > functions, one that checks the cookie and one that checks the session
> > information? I'm not sure if that is what you were looking for as far
> > as an answer but it might be a good start.
> >
> > On 4/4/06, Dallas Cahker <christmasfruitcakegmail.com> wrote:
> > > I've been looking at this code for a few hours now and I get the nagging
> > > feeling that I am overcomplicating something, something I never ever do. I
> > > have a login that puts some information on the session, and if the customer
> > > wants they can ask to be remembered: the cookie is given the customer's user
> > > name and another cookie stores a unique id, similar to a password. I could do
> > > the password in a cookie as it's md5 encrypted, but I went with a unique
> > > id which is stored in the user db.
> > >
> > > Anyway here is what I am trying to do with the code below. The authorized
> > > user section requires 4 pieces of information: userid, password, username
> > > and user level. A person who logs in each time gets that information
> > > assigned to their session; that part works *knock on wood* perfectly. When
> > > a customer says "remember me", they go away and come back a while later and they
> > > are remembered, so that part works perfectly. However I need to get the
> > > person's information and put that on the session, and I would like the
> > > function to behave in such a way as to not overwrite the information each
> > > time the page loads. So for example: the cookie is read, the information is
> > > valid, the query goes to the db, the information is set on the session. You might
> > > wonder why I don't set the userlevel in the cookie; well, I don't want someone
> > > changing the value of a cookie and getting admin access, which reminds me I
> > > should add that as a check.
> > > That's about it. getCookieInfo(), the function inside the checkLogin function,
> > > just looks up the information for the cookie in the db. I know that someone
> > > is going to say something really simple that I am going to slap my forehead
> > > over; I would like to thank that person beforehand.
> > >
> > > function checkLogin () {
> > >     /* Check if user has been remembered */
> > >     if (isset($_COOKIE['cookname']) && isset($_COOKIE['cookid'])) {
> > >         if (!isset($_SESSION['name']) && !isset($_SESSION['id']) &&
> > >             !isset($_SESSION['level']) && !isset($_SESSION['password'])) {
> > >             $cookieInfo = getCookieInfo($_COOKIE['cookname'], $_COOKIE['cookid']);
> > >             if ($cookieInfo == 0) {
> > >                 return 0;
> > >             }
> > >             if ($cookieInfo == 1 || $cookieInfo == 2) {
> > >                 // both codes expire the two cookies (100 days in the past)
> > >                 // and are returned unchanged
> > >                 setcookie("cookname", "", time() - 60*60*24*100, "/");
> > >                 setcookie("cookid", "", time() - 60*60*24*100, "/");
> > >                 return $cookieInfo;
> > >             }
> > >         }
> > >     }
> > >
> > >     if (isset($_SESSION['name']) && isset($_SESSION['id']) &&
> > >         isset($_SESSION['level']) && isset($_SESSION['password'])) {
> > >         // the key set at login and tested above is 'name'; the original
> > >         // passed $_SESSION['username'], which is never set, so loginUser()
> > >         // could never succeed here
> > >         if (loginUser($_SESSION['name'], $_SESSION['password'], '') != 1) {
> > >             unset($_SESSION['name']);
> > >             unset($_SESSION['id']);
> > >             unset($_SESSION['level']);
> > >             unset($_SESSION['password']);
> > >             $_SESSION = array(); // reset session array
> > >             session_destroy();   // destroy session
> > >             // incorrect information, user not logged in
> > >             return 0;
> > >         }
> > >         // information valid, user okay
> > >         return 1;
> > >     } else {
> > >         // user not logged in
> > >         return 2;
> > >     }
> > > }
> > >
> > >
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
>
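
The cookie design argued over above (a lookup cookie plus a random id kept in the user table, as opposed to an md5 of the password) can be done as follows. This is an added example, not Dallas's or Dan's code. Assumptions: a PDO connection in `$pdo`, MySQL (for `NOW()`), a `users(id, name, level)` table and a `remember_tokens` table as described in the comment; `random_bytes()`, `hash_equals()` and the `setcookie()` options array need PHP 7.3 or later, which postdates this thread. It goes one step further than the thread: the random id is split into a selector (stored in clear, used for the lookup) and a validator (stored only as a SHA-256 hash, compared in constant time), so a read-only leak of the table yields no working cookies, and the user level is always re-read from the database rather than from anything the client sent.

```php
<?php
// Added example (not code from the thread): "remember me" with a random
// per-login token instead of md5(password) in the cookie.
// Assumptions: a PDO connection in $pdo (MySQL), a table users(id, name, level),
// and remember_tokens(selector CHAR(24) PRIMARY KEY, validator_hash CHAR(64),
//                     user_id INT, expires DATETIME).
// Needs PHP 7.3+ (random_bytes, hash_equals, setcookie options array).

const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL    = 60 * 60 * 24 * 30;   // 30 days

/** Issue a remember-me cookie for $userId after a successful password login. */
function issueRememberCookie(PDO $pdo, int $userId): void
{
    $selector  = bin2hex(random_bytes(12));  // lookup key, stored in clear
    $validator = bin2hex(random_bytes(32));  // secret; only its hash is stored
    $expires   = time() + REMEMBER_TTL;

    $stmt = $pdo->prepare(
        'INSERT INTO remember_tokens (selector, validator_hash, user_id, expires)
         VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$selector, hash('sha256', $validator), $userId,
                    date('Y-m-d H:i:s', $expires)]);

    // HttpOnly keeps the cookie away from script; Secure ties it to HTTPS.
    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

/** Resolve the remember-me cookie to a user id, or null if absent/invalid. */
function userFromRememberCookie(PDO $pdo): ?int
{
    if (!isset($_COOKIE[REMEMBER_COOKIE]) || !is_string($_COOKIE[REMEMBER_COOKIE])) {
        return null;
    }
    $parts = explode(':', $_COOKIE[REMEMBER_COOKIE], 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;
    }
    [$selector, $validator] = $parts;

    $stmt = $pdo->prepare(
        'SELECT user_id, validator_hash FROM remember_tokens
         WHERE selector = ? AND expires > NOW()'
    );
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Constant-time comparison of the hashed validator.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Right selector, wrong secret: someone is guessing; revoke the token.
        $pdo->prepare('DELETE FROM remember_tokens WHERE selector = ?')
            ->execute([$selector]);
        return null;
    }
    return (int) $row['user_id'];
}

/**
 * Fill the session once from the cookie, as the thread asks, and not again on
 * later page loads. The user level comes from the database, not the cookie.
 */
function checkLogin(PDO $pdo): bool
{
    if (isset($_SESSION['id'])) {
        return true;                       // already logged in this session
    }
    $userId = userFromRememberCookie($pdo);
    if ($userId === null) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT id, name, level FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        return false;
    }
    session_regenerate_id(true);           // new session id when privilege changes
    $_SESSION['id']    = (int) $user['id'];
    $_SESSION['name']  = $user['name'];
    $_SESSION['level'] = (int) $user['level'];
    return true;
}
```

Call `issueRememberCookie()` only after a password login has succeeded, and delete the row from `remember_tokens` on logout; a row per login means one stolen laptop can be revoked without logging the user out everywhere.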

attached mail follows:


Thanks for the information

On 4/4/06, Chrome <adminchrome.me.uk> wrote:
>
> I let GC and cookie expiration handle ending the session... The cookie was
> only set for 15 minutes
>
> Dan
>
>
> -------------------
> http://chrome.me.uk
>
>
> -----Original Message-----
> From: Dallas Cahker [mailto:christmasfruitcakegmail.com]
> Sent: 04 April 2006 19:41
> To: php-generallists.php.net
> Subject: Re: [PHP] php, sessions and ie
>
> How are you destroying the sessions if they leave the site (don't log out)?
> Do you check on activity or something else?
>
> On 4/4/06, Dan Parry <danvirtuawebtech.co.uk> wrote:
> >
> > I have had some issues with sessions and IE in the past and used the
> > following code to start the session
> >
> > <?php
> > if (isset($SessID)){ session_id($SessID); }
> > session_start();
> > header("Cache-control: private"); // IE 6 Fix.
> > setcookie("SessID", session_id(), time() + 60 * 15);
> > ?>
> >
> > Now, though, I always use a DB to store sessions... Much nicer
> >
> > HTH
> >
> > Dan
> >
> > -----------------------------------------------------
> > Dan Parry
> > Senior Developer
> > Virtua Webtech Ltd
> > http://www.virtuawebtech.co.uk
> > -----Original Message-----
> > From: Dallas Cahker [mailto:christmasfruitcakegmail.com]
> > Sent: 04 April 2006 16:19
> > To: php-generallists.php.net
> > Subject: [PHP] php, sessions and ie
> >
> > I've been hearing some of my friends saying there is an issue with
> Session
> > in PHP and IE having problems with them. Is that true? If it is how do
> > people get around this? Session information saved to db? Session id in
> > cookie?
> >
> >
> >
> >
> >
>
>

attached mail follows:


I was looking to see if there was a quick checklist of settings for php to
be disabled/enabled in the ini file to make the application more secure.
I'm making sure the apps we come out with don't allow sql injections, or form
injections and so forth. I have just seen some posts about magic quotes and
so on and so I was curious.

attached mail follows:


I would look here for an idea. http://phpsec.org/projects/guide/
I think you'll find many opinions on the matter. One thing to
remember is that once the app goes live your job doesn't stop there;
you'll need to be just as stringent about security and checking logs
and errors as you were when you were developing.

On 4/6/06, Dallas Cahker <christmasfruitcakegmail.com> wrote:
> I was looking to see if there was a quick checklist of settings for php to
> be disabled/enabled in the ini file to make the application more secure.
> I'm making sure the apps we come out with don't allow sql injections, or form
> injections and so forth. I have just seen some posts about magic quotes and
> so on and so I was curious.
>
>

attached mail follows:


Dallas Cahker wrote:

>I was looking to see if there was a quick checklist of settings for php to
>be disabled/enabled in the ini file to make the application more secure.
>I'm making sure the apps we come out with don't allow sql injections, or form
>injections and so forth. I have just seen some posts about magic quotes and
>so on and so I was curious.
>
>

Well, generally php comes with a "php.ini-dist" and a "php.ini-recommended";
for tighter security, use the "recommended" version. Examining a diff of the
files could help shed some light, as well.

Of course, some of us could be waiting for the day when they ship with a
"php.ini-ironclad", "php.ini-stealthmode", or
"php.ini-anal-retentive-paranoid",
but I'm not sure those are slated, even for PHP6.... ;-)

HTH,

Kevin Kinsey

attached mail follows:


Dallas Cahker wrote:
> I was looking to see if there was a quick checklist of settings
> for php to be disabled/enabled in the ini file to make the
> application more secure.

Although there are some directives worth disabling (register_globals,
magic_quotes_gpc, allow_url_fopen), most vulnerabilities in PHP
applications are a result of flaws in the PHP code. There are no magic
php.ini configuration directives that can make your applications secure
- not that you were suggesting this, but it's worth explicitly stating.

A couple of years ago, I tried to summarize several good practices into
a single mantra - filter input, escape output (FIEO). These practices
don't eliminate everything, but they're a very good first step and can
provide a solid foundation for secure PHP programming.

I made a movie (webcast, screencast, or whatever you call them) about
auditing PHP applications, and it also covers filtering input and
escaping output:

http://brainbulb.com/php-security-audit-howto.mov

There's also the PHP Security Guide:

http://phpsec.org/projects/guide/

We're in the process of writing a second version of the guide, in order
to address the following shortcomings:

1. The guide is several years old, so some techniques have been refined
and/or simplified in the meantime.
2. The vocabulary is slightly inconsistent with the rest of the industry
in some cases.
3. Not all major areas are covered, so it is incomplete.
4. Some explanations are ambiguous and can yield misinterpretations.

Lastly, I want to point out two of the primary attacks that are not
prevented with FIEO:

1. Cross-Site Request Forgeries (CSRF)
2. Session Fixation

Hope that helps get you started.

Chris
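
The mantra above and the two gaps it names, worked through in code. This is an added example and not taken from the PHP Security Guide or the screencast; the `comments(id, user_id, body)` table, the `$pdo` connection and the form field names are assumptions, and `random_bytes()`/`hash_equals()` need PHP 7 or later. Filtering means rejecting input that does not match what the field may contain; escaping happens at output time for the context the data lands in (HTML here, and for SQL by using bound parameters so there is nothing to escape). The CSRF token is a per-session secret the form must echo back, and the session id is regenerated on login, which is what defeats fixation: the pattern to avoid is calling `session_id()` with a value taken from the request, as the snippet in the "php, sessions and ie" thread earlier in this digest does.

```php
<?php
// Added example of "filter input, escape output" (FIEO) plus the two attacks
// the message says FIEO does not cover: CSRF and session fixation.
// Assumptions: a PDO connection in $pdo and a table comments(id, user_id, body).
// hash_equals()/random_bytes() need PHP 7+.

session_start();

/** Filter input: accept only what the field may contain, reject the rest. */
function filterCommentInput(array $post): ?array
{
    $body = $post['body'] ?? '';
    // 1..2000 characters of valid UTF-8 (the /u flag fails on invalid bytes),
    // no control characters other than tab, LF and CR.
    if (!is_string($body)
        || !preg_match('/\A[^\x00-\x08\x0B\x0C\x0E-\x1F]{1,2000}\z/u', $body)) {
        return null;
    }
    return ['body' => $body];
}

/** Escape output for the context it is used in (here: HTML body text). */
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** CSRF: one secret per session, embedded in every form and checked on POST. */
function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrfCheck(array $post): bool
{
    $sent = $post['csrf'] ?? '';
    return is_string($sent) && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $sent);
}

/**
 * Session fixation: an id the attacker planted before login must not survive
 * login. Regenerate on authentication and never call session_id() with
 * client-supplied input.
 */
function establishLogin(int $userId): void
{
    session_regenerate_id(true);                   // new id, old one deleted
    $_SESSION['id']   = $userId;
    $_SESSION['csrf'] = bin2hex(random_bytes(32)); // fresh token for the new session
}

/** Handle a comment POST end to end; returns a short status string. */
function handleCommentPost(PDO $pdo, array $post): string
{
    if (!isset($_SESSION['id'])) {
        return 'not logged in';
    }
    if (!csrfCheck($post)) {
        return 'bad csrf token';
    }
    $input = filterCommentInput($post);
    if ($input === null) {
        return 'invalid input';
    }
    // No SQL escaping needed: the value travels as a bound parameter.
    $stmt = $pdo->prepare('INSERT INTO comments (user_id, body) VALUES (?, ?)');
    $stmt->execute([$_SESSION['id'], $input['body']]);
    return 'ok';
}

/** Render the form and the stored comments, escaping at output time. */
function renderPage(PDO $pdo): string
{
    $html  = '<form method="post"><input type="hidden" name="csrf" value="'
           . escapeHtml(csrfToken()) . '">'
           . '<textarea name="body"></textarea><button>Post</button></form>';
    foreach ($pdo->query('SELECT body FROM comments ORDER BY id DESC LIMIT 20') as $row) {
        $html .= '<p>' . escapeHtml($row['body']) . '</p>';
    }
    return $html;
}
```

Note that the filter keeps the raw text and the escaping is done once, where the value is printed; escaping on the way in (which is what magic_quotes_gpc tried to do) gets the context wrong as soon as the same value is used in SQL, HTML and a mail body.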

attached mail follows:


php.ini-anal-retentive-paranoid.

I'm editing mine for that right now: everything is off, the server has
a keyboard, mouse, monitor, no cd/dvd, no floppy, no usb and is
unplugged from the network, there are 6 security guards that surround
you and they give you 5 minutes on a timer.

On 4/6/06, Kevin Kinsey <kdkdaleco.biz> wrote:
> [snip]

attached mail follows:


Cool Chris I'm going to take a look at that movie. Dallas there is a
section at the top of the ini file that lists some directives and
their status to address security or performance issues, but as Chris
mentioned your code could be as big of a risk as anything so pay
attention to that.

On 4/6/06, Chris Shiflett <shiflettphp.net> wrote:
> [snip]

attached mail follows:


>
> Cool Chris I'm going to take a look at that movie. Dallas there is a
> section at the top of the ini file that lists some directives and
> their status to address security or performance issues, but as Chris
> mentioned your code could be as big of a risk as anything so pay
> attention to that.

The code is the thing, right? Regardless of how my server's
register_globals (for instance) is set, if I do not use the globals in my
code, it is not in and of itself insecure. Correct?

Which brings the question, are there any php.ini settings that, in and of
themselves, create security problems? I mean other than display_errors,
which is obvious.

JM
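
An added example, not from the thread, that turns the question into something you can run against a server: it reports the php.ini directives that widen the attack surface on their own, reading them with ini_get() so the values are the effective ones (php.ini, .htaccess php_flag and ini_set() all included). The directive list and the rationale column are mine. On register_globals in particular: the directive creates variables from request parameters whether or not the code "uses" them, so any variable the code tests before initialising it (the manual's `if ($authorized)` case) becomes client-controlled; it and magic_quotes_gpc were removed in PHP 5.4, where ini_get() returns false for them and the script skips them.

```php
<?php
// Added example: list php.ini directives whose effective values weaken security.
// Uses ini_get() so it reflects what the running SAPI actually sees.
// register_globals and magic_quotes_gpc were removed in PHP 5.4; on such a
// build ini_get() returns false and they are simply not reported.

/** Read a php.ini boolean ("1", "On", "yes", "true") as bool; null if the directive does not exist. */
function iniBool(string $name): ?bool
{
    $v = ini_get($name);
    if ($v === false) {
        return null;
    }
    return filter_var($v, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) ?? false;
}

/**
 * Return [directive, current value, why it matters] for every risky setting
 * found. An empty array means nothing was flagged.
 */
function auditPhpIni(): array
{
    $findings = [];

    // Directives that should be Off.
    $shouldBeOff = [
        'register_globals'  => 'request parameters become PHP variables; any uninitialised variable is client-controlled',
        'magic_quotes_gpc'  => 'not SQL-injection protection, and it mangles input; use bound parameters instead',
        'allow_url_include' => 'include/require of http:// URLs: a user-controlled include path is remote code execution',
        'display_errors'    => 'paths, SQL and stack traces are shown to visitors; log them instead',
        'expose_php'        => 'advertises the PHP version in the X-Powered-By header',
    ];
    foreach ($shouldBeOff as $name => $why) {
        if (iniBool($name) === true) {
            $findings[] = [$name, ini_get($name), $why];
        }
    }

    // Directives that should be On.
    $shouldBeOn = [
        'session.use_only_cookies' => 'otherwise a session id in the URL is accepted, which makes fixation trivial',
        'session.cookie_httponly'  => 'keeps the session cookie out of reach of JavaScript',
        'session.use_strict_mode'  => 'rejects session ids the client made up rather than adopting them',
        'log_errors'               => 'errors belong in the log, not the browser',
    ];
    foreach ($shouldBeOn as $name => $why) {
        if (iniBool($name) === false) {
            $findings[] = [$name, ini_get($name), $why];
        }
    }

    // Judgement calls: report, let the reader decide.
    if (iniBool('allow_url_fopen') === true) {
        $findings[] = ['allow_url_fopen', ini_get('allow_url_fopen'),
            'fopen()/file_get_contents() accept URLs; fine if intended, an SSRF vector if a path is user-controlled'];
    }
    if (ini_get('open_basedir') === '') {
        $findings[] = ['open_basedir', '(empty)', 'file functions may read anywhere the web server user can'];
    }
    return $findings;
}

foreach (auditPhpIni() as [$name, $value, $why]) {
    printf("%-26s = %-6s  %s\n", $name, var_export($value, true), $why);
}
```

Run it through the web server (not the CLI) if you want the values the application actually gets; the CLI SAPI has its own defaults for display_errors among others.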

attached mail follows:


    I'm trying to figure out if there's a tool that can do this
(programmatically) or if someone has some script idea/suggestion for
what I'd like to do. I have several 130px X 130px images (one per day)
that I collect. I'd like to have a script run that will read in the
folder(d) where these images are stored and with ImageMagick, create a
montage of them. I need to be able to set how many images wide by how
many tall I'd like it to be, and I'd also like the script to organize
the images in a rainbow pattern based on their color. Very much like
what a PhotoMosaic program would do with images, create a color index of
each one, then build a larger image with these little ones.

    Anyone have a suggestion of how to, or where to start with this?

    Thanks.

--
H | I haven't lost my mind; it's backed up on tape somewhere.
  +--------------------------------------------------------------------
  Ashley M. Kirchner <mailto:ashleypcraft.com> . 303.442.6410 x130
  IT Director / SysAdmin / WebSmith . 800.441.3873 x130
  Photo Craft Imaging . 3550 Arapahoe Ave. #6
  http://www.pcraft.com ..... . . . Boulder, CO 80303, U.S.A.

attached mail follows:


At 8:01 AM -0600 4/6/06, Ashley M. Kirchner wrote:
> [snip]

Ashley:

Well... you can start here:

http://www.weberdev.com/get_example-3937.html

Then purchase a few books on the subject; I like "PHP Graphics
Generating Images On the fly Handbook" by Allan Kent et al.

Then read, search for pieces of code that will help, and spend a few
weeks programming it.

tedd
--
--------------------------------------------------------------------------------
http://sperling.com

attached mail follows:


Ashley M. Kirchner wrote:
> [snip]

Start on ImageMagick's website. It has all the tools you need.

attached mail follows:


What is that called and where in the php.ini file do I enable it? Sorry if
this is a stupid question but since I don't know what it's called it makes it
difficult to google it.

attached mail follows:


Short tags in the php.ini file.

On 4/6/06, Dallas Cahker <christmasfruitcakegmail.com> wrote:
> What is that called and where in the php.ini file do I enable it? Sorry if
> this is a stupid question but since I don't know what it's called it makes it
> difficult to google it.
>
>

attached mail follows:


short_open_tag

Dallas Cahker wrote:

>What is that called and where in the php.ini file do I enable it? Sorry if
>this is a stupid question but since I don't know what it's called it makes it
>difficult to google it.
>
>
>

attached mail follows:


I woke up on thanksgiving morning to find my server hacked through a
hole left by a file upload area of my site. I restored the backup and
placed a few blocks in place on the server, so they can get in, but they
can't get out.... ;)

What I am interested in finding out is what the best way is to make sure
that I can rework the upload area to allow upload and download from it
while keeping script kiddies from exploiting it again.

I can post the scripts (if you are interested in pulling them apart or
such) as I have accumulated 3 different versions now, but I am wondering
what you guys use currently as "standard" PHP security and still do file
parsing and such.

Thanks,
Wolf

attached mail follows:


http://www.hardened-php.net/advisory_202005.79.html

check this out

On 4/6/06, Wolf <LoneWolfnc.rr.com> wrote:
> [snip]

attached mail follows:


What types of files were they, if you don't mind me asking?

On 4/6/06, Wolf <LoneWolfnc.rr.com> wrote:
> [snip]

attached mail follows:


Wolf wrote:
> What I am interested in finding out is what the best way is to
> make sure that I can rework the upload area to allow upload and
> download from it while keeping script kiddies from exploiting
> it again.
>
> I can post the scripts

If your scripts are very long, most of us won't take the time to read
through all the code. However, we do need a few more details to
understand what you're doing, otherwise we can't even make educated
guesses about how you were attacked.

Can you show or describe to us exactly what you do with a file once it
is uploaded? Can you give us a basic overview of the problem you're
trying to solve?

Chris

attached mail follows:


They all ended in .rar

Files named:
b.php.rar
jpg.php.rar
c99.php.rar

Dan McCullough wrote:
> What types of files were they, if you don't mind me asking?
>
> On 4/6/06, Wolf <LoneWolfnc.rr.com> wrote:
>> [snip]

attached mail follows:


Is there a certain file type that you are looking for? You could restrict
it to that; also you could chown the uploaded files to a no/low privilege
user.

On 4/6/06, Wolf <LoneWolfnc.rr.com> wrote:
>
> [snip]
>
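
An upload handler that takes the suggestions in this thread (restrict the type, keep the files unprivileged) and adds the checks a file named `c99.php.rar` makes necessary. This is an added example, not Wolf's scripts; the upload directory, the allowed-type list and the form field name are assumptions, and nothing here says how Wolf's server was actually entered. The reason the double extension matters is a documented Apache mod_mime behaviour: handlers are assigned per extension, so where PHP is enabled with `AddHandler`/`AddType` for `.php`, a file called `x.php.rar` is still run as PHP if `.rar` has no handler of its own. The example sidesteps that entirely by storing uploads under a server-chosen name, with one known extension, outside the document root, and serving them through a script with a fixed Content-Type. The type is decided from the bytes (finfo, and getimagesize() for images), never from the client's name or Content-Type, and only `is_uploaded_file()` paths are moved.

```php
<?php
// Added example: an upload handler that trusts nothing the client says
// about the file. Not Wolf's code; UPLOAD_DIR and ALLOWED_TYPES are assumptions.
// Storing outside DocumentRoot under a server-chosen name means no upload can
// ever be requested directly, so Apache's per-extension handler rules
// (x.php.rar running as PHP under AddHandler) never come into play.

const UPLOAD_DIR    = '/var/www/uploads';       // assumption: NOT under DocumentRoot
const MAX_UPLOAD    = 5 * 1024 * 1024;           // 5 MiB
const ALLOWED_TYPES = [                          // MIME (from content) => stored extension
    'image/jpeg'      => 'jpg',
    'image/png'       => 'png',
    'application/pdf' => 'pdf',
];

/**
 * Validate one $_FILES entry and move it to UPLOAD_DIR under a random name.
 * Returns the stored name; throws with a message that is safe to show.
 */
function storeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_UPLOAD) {
        throw new RuntimeException('file too large');
    }
    // Only a file PHP itself received over HTTP may be moved (blocks path tricks).
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Decide the type from the bytes, not from $file['type'] or $file['name'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!array_key_exists($mime, ALLOWED_TYPES)) {
        throw new RuntimeException('file type not allowed');
    }
    // Images get a second opinion: getimagesize() must be able to parse them.
    if (strpos($mime, 'image/') === 0 && @getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('corrupt image');
    }
    // Server-chosen name with exactly one extension; nothing client-supplied
    // reaches the filesystem.
    $stored = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest   = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);                       // data, never executable
    return $stored;
}

/** Serve a stored file by its server-chosen name; anything else is a 404. */
function serveUpload(string $name): void
{
    // Only names of the shape we generate: no slashes, no traversal, one extension.
    if (!preg_match('/\A[0-9a-f]{32}\.(jpg|png|pdf)\z/', $name)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $mime = array_search(pathinfo($name, PATHINFO_EXTENSION), ALLOWED_TYPES, true);
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');   // browser must not guess a scriptable type
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Usage (assumed form field "upload" and query parameter "f"):
// try { echo storeUpload($_FILES['upload']); } catch (RuntimeException $e) { echo $e->getMessage(); }
// serveUpload($_GET['f'] ?? '');
```

If the files must live under the document root for some reason, the fallback is a `php_flag engine off` (or `RemoveHandler`) in that directory's configuration so nothing there is ever executed; the content check alone is not enough, since a valid JPEG can carry PHP in its comment segment.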

attached mail follows:


marvin hunkin wrote:
> Hi.
> doing this script for an assignment, and got it basically working.
> the only problems are:
>
>
> 1. when i load the user form, the focus goes to the login button, and not
> the first form field.
> did try putting one it, did not like it.
> so how do i do this?
> is there a basic dom example, how to set focus on a form field, when the
> form loads?

JavaScript. But I won't bore you with the exact way of doing it,
basically search google (or view source on the google page, since that
uses it too. It has to do with an onload handler setting focus() on a
specific element)

> 2. got a user name and password.
> and enter username and password, and when the php script loads, it shows
> the user name and the password.
> want to hide this, and only have the message, now how do i accomplish this?
> tried things on the web and tried on google, but could not find any
> thing for this.

well... you *could* "potentially" remove your
> echo $_POST['username'];
> echo $_POST['password'];
bit? :)

> 3. and got to provide the time, but how do i format it say for
> australian east standard time?
> just got the standard time, and jaws reads it out, as one line of text.
> will paste the user form and php code.
> if any one can offer code snippets, or point me to links, and examples,
> let me know.
> sorry about this, but these are stumping me and banging my head up
> against the brick wall, so, would ask.
> cheers Marvin.

use gmdate() to format it into "human-readable" format. If you want to
adjust it to your time, simply add your GMT offset to it, making:
gmdate('d-m-Y', time()+(10*60*60));
This adds 10 hours (10 hours x 60 min x 60 seconds) to your "base" GMT
timestamp, and then formats it. Not sure how big the offset is for
Australian East standard time, but it'll be something between 9 and 11
hours.

>
>
>
>
> User Form:
>
> <html>
> <head>
> <title>User Login Form</title>
> </head>
> <body>
> <form action="UserDetails.php" method="post">
> <p>User Name: <input type="text" name="username"> </p> <br>
> <p>Password: <input type="text" name="password"> </p> <br>
> <p><input type="submit" value="Login"> </p>
> </form>
> </body>
> </html>
>
>
> Php Script:
>
> <?php
> echo $_POST['username'];
> echo $_POST['password'];
> echo "Marvin Hunkin has successfully logged into the Tafe network. <br>\n";
> echo "Please Wait ... Loading Your Personal Settings ... <br>\n";
> echo time();
> ?>but

-- tul

attached mail follows:


At 7:01 PM -0700 4/5/06, Jai Rangi wrote:
>Greeting,
>I hope this is the right place for this. If not please guide me.
>I am having a problem with my "Form". Code is below. I want to
>generate an error message if the required fields are not filled. If
>they are filled then I want to add them to the database and display
>the form again to make another entry. The database part is working fine.
>But when it exits with an error for a blank entry, it wipes out all the
>values the user has entered; how can I save the user input so that the user
>does not have to enter all the values again?
>Thank you for help.
>

You might want to review:

http://www.weberdev.com/get_example-320.html

http://www.weberdev.com/get_example-4321.html

tedd

--
--------------------------------------------------------------------------------
http://sperling.com

attached mail follows:


[snip]
I have a stored procedure in Oracle;

p_BILL_TO_ADDRESS1 IN CONT_ADDRESS.ADDRESS1%TYPE
Default NULL, --VC(50)

With a condition;
IF p_BILL_TO_ADDRESS1 is NULL THEN
    Raise_Application_Error(-20100,'BILL TO Address cannot be a NULL
Value');
  END IF;

I have some PHP code that tries to insert the data;

$addr = '1234 Main';
$sth = oci_parse($conn, "begin D_ACCT_NEW(:p_BILL_TO_ADDRESS1,
:P_Error_Return );end;");

oci_bind_by_name($sth, ":p_BILL_TO_ADDRESS1", $addr, -1);
oci_bind_by_name($sth, ":P_Error_Return", $errorcode, -1);
oci_execute($sth);

echo $errorcode;

And I always get the following error;

Warning: oci_execute() [function.oci-execute]: ORA-06502: PL/SQL:
numeric or value error ORA-06512: at "SYSADM.D_ACCT_NEW", line 483
ORA-20100: BILL TO Address cannot be a NULL Value ORA-06512: at line 1
in /home/foo/bar/glorp.php on line 25

If anyone on the list understands the intricacies of Oracle, could you
soothe my aching head and help me to understand what is going on here? I
have RTFM and the following article from the PHP Oracle Cookbook;

http://www.oracle.com/technology/pub/articles/oracle_php_cookbook/fuecks
_sps.html

;and I still am clueless. Thanks a million in advance!
[/snip]

I hate to bring this up again, but is anyone on the list using PHP with
Oracle?

attached mail follows:


I am using PHP with Oracle, but not executing stored procedures.....
I assume you are already validating the contents of the $addr variable
before you bind it?
Otherwise, no real ideas here...
-B

Jay Blanchard wrote:

>[snip]
>I have a stored procedure in Oracle;
>
>p_BILL_TO_ADDRESS1 IN CONT_ADDRESS.ADDRESS1%TYPE
>Default NULL, --VC(50)
>
>With a condition;
>IF p_BILL_TO_ADDRESS1 is NULL THEN
> Raise_Application_Error(-20100,'BILL TO Address cannot be a NULL
>Value');
> END IF;
>
>
>I have some PHP code that tries to insert the data;
>
>$addr = '1234 Main';
>$sth = oci_parse($conn, "begin D_ACCT_NEW(:p_BILL_TO_ADDRESS1,
>:P_Error_Return );end;");
>
>oci_bind_by_name($sth, ":p_BILL_TO_ADDRESS1", $addr, -1);
>oci_bind_by_name($sth, ":P_Error_Return", $errorcode, -1);
>oci_execute($sth);
>
>echo $errorcode;
>
>And I always get the following error;
>
>Warning: oci_execute() [function.oci-execute]: ORA-06502: PL/SQL:
>numeric or value error ORA-06512: at "SYSADM.D_ACCT_NEW", line 483
>ORA-20100: BILL TO Address cannot be a NULL Value ORA-06512: at line 1
>in /home/foo/bar/glorp.php on line 25
>
>If anyone on the list understands the intricacies of Oracle, could you
>soothe my aching head and help me to understand what is going on here? I
>have RTFM and the following article from the PHP Oracle Cookbook;
>
>http://www.oracle.com/technology/pub/articles/oracle_php_cookbook/fuecks_sps.html
>
>
>;and I still am clueless. Thanks a million in advance!
>[/snip]
>
>I hate to bring this up again, but is anyone on the list using PHP with
>Oracle?
>
>
>

attached mail follows:


[snip]
I am using PHP with Oracle, but not executing stored procedures.....
I assume you are already validating the contents of the $addr variable
before you bind it?
Otherwise, no real ideas here...
[/snip]

Yes, I am validating the contents of the variable. I have done some
reading, but details are sketchy at best. I strongly suspect that it has
to do with how the TYPE is declared;

p_BILL_TO_ADDRESS1 IN CONT_ADDRESS.ADDRESS1%TYPE Default NULL,
--VC(50)
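
An added example, not Jay's code, of how I would write the same call with the OUT parameter sized explicitly and the failure handled in the script rather than left to the warning. The procedure signature is the one shown in the thread; the width of P_Error_Return is not given, so 4000 (the VARCHAR2 maximum) is assumed, and an open oci_connect() handle in $conn is assumed. One thing the snippet does not rule out: the oci_bind_by_name manual says a maxlength of -1 uses the current length of the PHP variable, and $errorcode has never been assigned when it is bound, so the buffer PL/SQL is handed for the OUT value is zero bytes long. Whether that is what is behind this particular ORA-06502 cannot be told from the stack quoted, but it is cheap to rule out, and the warning as it stands prints the schema, the procedure name and the server-side path into the page, which is worth stopping regardless.

```php
<?php
// Added example, not the poster's code. Assumes $conn is an open oci_connect()
// handle and that D_ACCT_NEW has the two parameters shown in the thread.
// The width of P_Error_Return is not known; 4000 is an assumed upper bound.
define('ERROR_RETURN_MAXLEN', 4000);

function call_d_acct_new($conn, $addr)
{
    $sql = 'BEGIN D_ACCT_NEW(:p_BILL_TO_ADDRESS1, :P_Error_Return); END;';
    $sth = oci_parse($conn, $sql);
    if ($sth === false) {
        $e = oci_error($conn);
        error_log('oci_parse failed: ' . $e['message']);
        return array(false, null);
    }

    // IN bind: -1 is fine here, the buffer is sized from the value of $addr.
    oci_bind_by_name($sth, ':p_BILL_TO_ADDRESS1', $addr, -1);

    // OUT bind: -1 would size the buffer from the current value of $errorcode,
    // which is empty at this point, so give PL/SQL explicit room to write into.
    $errorcode = '';
    oci_bind_by_name($sth, ':P_Error_Return', $errorcode, ERROR_RETURN_MAXLEN);

    // Handle the failure here instead of letting the warning (schema, procedure
    // name, server-side file path) be printed into the page.
    if (!@oci_execute($sth)) {
        $e = oci_error($sth);
        error_log(sprintf('D_ACCT_NEW failed: ORA-%05d %s', $e['code'], $e['message']));
        oci_free_statement($sth);
        return array(false, $e['code']);
    }

    oci_free_statement($sth);
    return array(true, $errorcode);
}

// Usage (needs a real connection; none is opened here):
// list($ok, $detail) = call_d_acct_new($conn, '1234 Main');
// if (!$ok) { /* show the user a generic failure; the detail is in the log */ }
```

If the ORA-06502 goes away with the explicit maxlength, the 20100 raised inside the procedure was probably being caught and copied into P_Error_Return, and it was that copy that overflowed the zero-length buffer; if it does not, the NULL really is reaching the procedure and the %TYPE declaration is the next thing to look at.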

attached mail follows:


Is there a way to get PHP to not throw warnings on a per-script basis?

attached mail follows:


[snip]
Is there a way to get PHP to not throw warnings on a per-script basis?
[/snip]

ITFM http://www.php.net/manual/en/ref.errorfunc.php

error_reporting(0);

attached mail follows:


Brian Dunning wrote:
> Is there a way to get PHP to not throw warnings on a per-script basis?
>

Yes.

ini_set()

--
John C. Nichel IV
Programmer/System Admin (ÜberGeek)
Dot Com Holdings of Buffalo
716.856.9675
jnicheldotcomholdingsofbuffalo.com

attached mail follows:


> Brian Dunning wrote:
> > Is there a way to get PHP to not throw warnings on a
> per-script basis?
> >
>
> Yes.
>
> ini_set()
>

or error_reporting()

JM

attached mail follows:


Brian Dunning wrote:
> Is there a way to get PHP to not throw warnings on a per-script basis?

Why not just fix the code.
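
The answers above give the knobs; this is how I would set them on a per-script basis so that nothing is hidden from the developer but nothing reaches the client either. It is an added example, not code from the thread, and the log path is an assumption that must be writable by the web server user. The oci_execute() warning quoted earlier in this digest, which printed the Oracle schema and the script's filesystem path into the page, is the kind of thing error_reporting(0) hides from the developer too; logging keeps it.

```php
<?php
// Added example, not from the thread. Per-script error policy: report
// everything, display nothing, log everything.
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log');  // assumed path, writable by the web server user

// Turn warnings into exceptions so a failed call is handled rather than
// ignored. Errors silenced with @ or excluded from error_reporting() still
// fall through to PHP's default handling (return false).
function warnings_to_exceptions($errno, $errstr, $errfile, $errline)
{
    if (!(error_reporting() & $errno)) {
        return false;
    }
    throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
}
set_error_handler('warnings_to_exceptions');

// Constructed failure: the file does not exist, so fopen() raises a warning.
try {
    $fh = fopen('/nonexistent/input.txt', 'r');
    // ... read from $fh ...
} catch (ErrorException $e) {
    // Full detail goes to the log; the client gets a generic message.
    error_log('fopen failed: ' . $e->getMessage()
              . ' at ' . $e->getFile() . ':' . $e->getLine());
    header('HTTP/1.0 500 Internal Server Error');
    echo 'The request could not be completed.';
}
```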

attached mail follows:


because you have nothing in $session_id.

On 4/6/06, Diana Castillo <dianahotelkey.com> wrote:
> If I have nothing in $session_id, why do I get this message when I do a
> session_start() ?
> Warning: session_start(): The session id contains invalid characters, valid
> characters are only a-z, A-Z and 0-9 at
> C:\Inetpub\wwwroot\usr\local\global\php\online\InterfaceManager.php line
> 149.
>
>
> --
> Diana Castillo
> Destinia.com
> C/Granvia 22 dcdo 4-dcha
> 28013 Madrid-Spain
> Tel : 00-34-913604039 Ext 216
> Fax : 00-34-915228673
> email: dianahotelkey.com
> Web : http://www.hotelkey.com
> http://www.destinia.com
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
>

--
Anthony Ettinger
Signature: http://chovy.dyndns.org/hcard.html

attached mail follows:


Is there a way to test to see if a function argument was passed by reference
instead of by value?

thnx,
Chris

attached mail follows:


On Thursday 06 April 2006 12:24 pm, Chris Boget wrote:
> Is there a way to test to see if a function argument was passed by
> reference instead of by value?
>
> thnx,
> Chris

The way I understand it, pass by reference in php is determined in the
function definition and not the function call. Something like:

function foo (&$bar) {
        ...
}

Here's a link to that section of the php manual:

http://us3.php.net/manual/en/language.references.pass.php

Hope that helps.
--
Joe Henry
www.celebrityaccess.com
jhenrycelebrityaccess.com
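
Since the declaration is what decides it, the declaration is also where it can be looked up at run time. This is an added example, not from the thread, using the Reflection extension that ships with PHP 5; it goes a step beyond Joe's answer by actually answering Chris's question for a named function.

```php
<?php
// Added example, not from the thread. The declaration decides the passing
// mode, so the declaration is where Reflection looks it up.
function by_ref(&$x) { $x++; }
function by_val($x)  { $x++; }

// True if parameter $index of $function_name is declared with '&'.
function param_is_by_reference($function_name, $index = 0)
{
    $rf = new ReflectionFunction($function_name);
    $params = $rf->getParameters();
    return isset($params[$index]) && $params[$index]->isPassedByReference();
}

$n = 1;
by_ref($n);  // $n becomes 2: the callee wrote through the reference
by_val($n);  // $n stays 2: the callee got a copy
var_dump($n);                                // int(2)
var_dump(param_is_by_reference('by_ref'));   // bool(true)
var_dump(param_is_by_reference('by_val'));   // bool(false)
```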

attached mail follows:


> The way I understand it, pass by reference in php is determined in the
> function definition and not the function call. Something like:

You used to be able to pass by reference at run time. But I see that is
no longer allowed... :| So I guess that makes my question moot.

Thanks for your help.

thnx,
Chris

attached mail follows:


Hi,

I have a server with Apache 2, PHP 5.1.1 and Oracle Instant Client
10.2.0.1.
As I have a little bug [http://bugs.php.net/bug.php?id=29779], I've
tried the solution (in oci8.c) and recompiled ! But then, everything was
broken. So, I get the source of PHP 5.1.2 and recompiled again.
Everything seems ok, with Apache and PHP, but it was impossible to use
oci !!! I thought about an environment problem (LD_LIBRARY_PATH), but
after some manipulations, I can see this variable in phpinfo(), but
nothing about oci8 !!! I've looked into logs but I couldn't find any
problem. It was like Oracle was not installed !!!

So, I am completly blocked !!!

Do you have any idea? Any clue?

Thank you very much.

David.


attached mail follows:


David BERCOT wrote:
> Hi,
>
> I have a server with Apache 2, PHP 5.1.1 and Oracle Instant Client
> 10.2.0.1.
> As I have a little bug [http://bugs.php.net/bug.php?id=29779], I've
> tried the solution (in oci8.c) and recompiled ! But then, everything was
> broken. So, I get the source of PHP 5.1.2 and recompiled again.
> Everything seems ok, with Apache and PHP, but it was impossible to use
> oci !!! I thought about an environment problem (LD_LIBRARY_PATH), but
> after some manipulations, I can see this variable in phpinfo(), but
> nothing about oci8 !!! I've looked into logs but I couldn't find any
> problem. It was like Oracle was not installed !!!

You might be better off asking the internals list.

http://www.php.net/mailing-lists.php

They deal with this sort of stuff, we're more for general php help..

--
Postgresql & php tutorials
http://www.designmagick.com/

attached mail follows:


Hi to all,

session_start();
$_SESSION['sessid'] = session_id();

echo $_SESSION['sessid']; will show e.g. 699e506bd42ea402985dce24a0ef9

After:

unset($_SESSION['sessid']);

$_SESSION['sessid'] = session_id();

I'm getting the same SID again.

I tried with session_unregister() and session_destroy() but same result.

How can I create a new, different session id (after I, for example, click on
'Log Out' button) without closing window?

Thanks for any help.

attached mail follows:


afanafan.net wrote:
> Hi to all,
>
> session_start();
> $_SESSION['sessid'] = session_id();
>
> echo $_SESSION['sessid']; will show e.g. 699e506bd42ea402985dce24a0ef9
>
> After:
>
> unset($_SESSION['sessid']);
>
> $_SESSION['sessid'] = session_id();
>
> I'm getting the same SID again.
>
> I tried with session_unregister() and session_destroy() but same result.
>
> How can I create a new, different session id (after I, for example, click on
> 'Log Out' button) without closing window?

http://www.php.net/session_regenerate_id

Start a new thread! Stop replying to old messages with new subjects!

--
Postgresql & php tutorials
http://www.designmagick.com/
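
An added example, not code from this thread or from Diana's earlier one about the "session id contains invalid characters" warning, showing session_regenerate_id() in the two places it matters and a check on the incoming id before session_start() ever sees it. It assumes cookie-based sessions (the default) and that credential checking happens elsewhere. The reason the poster keeps seeing the same SID is that session_destroy() removes the server-side data but does not change the cookie the browser holds; the next session_start() reads the same id straight back out of it.

```php
<?php
// Added example, not from either thread. Assumes cookie-based sessions
// (the default) and that the credentials were verified elsewhere.

// Reject a malformed id before session_start() sees it. The warning Diana
// quoted lists a-z, A-Z and 0-9 as PHP's alphabet for session ids; ',' and
// '-' are also allowed by newer PHP, so both are accepted here.
function session_id_is_well_formed($id)
{
    return is_string($id) && preg_match('/^[A-Za-z0-9,-]{22,128}$/', $id) === 1;
}

function secure_session_start()
{
    // Do not accept an id from the URL at all; that is the easy fixation path.
    ini_set('session.use_only_cookies', '1');
    $name = session_name();
    if (isset($_COOKIE[$name]) && !session_id_is_well_formed($_COOKIE[$name])) {
        // session_start() reads the id from $_COOKIE, so dropping the bad
        // value here makes PHP generate a fresh id instead of warning.
        unset($_COOKIE[$name]);
    }
    session_start();
}

// Call once the credentials have been verified. A new id is issued at the
// privilege change, so an id an attacker planted before login (fixation)
// is not the one that becomes authenticated. Session data is carried over;
// the old session file is deleted (second argument, PHP 5.1.0 and later).
function on_login($user)
{
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
}

// Clear the data and issue a new id, without closing the window.
function on_logout()
{
    $_SESSION = array();
    session_regenerate_id(true);
}

secure_session_start();
$before = session_id();
on_logout();
$after = session_id();
var_dump($before !== $after);   // bool(true): a fresh id, old one deleted
```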

attached mail follows:


Tom Rogers wrote:

>
>
> Make sure you don't have any blank lines before the <?php
>

There isn't. I've got the suspicion it's got to do with the UTF-8
character encoding because of the characters '', I've seen this
before with HTML pages. Because of this I asked the person who's having
the problems to upload and test three different files versions of the
php file:

- ANSI
- UTF-8
- ANSI UTF-8 without BOM

None had any effect whatsoever. What else can I try?

Philip Hallstrom pointed out that the returning header is set to
'Content-Type: text/html; charset=iso-8859-1' instead of 'Content-type:
image/jpeg'. What could be the cause of this?

Yours,

Age
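
An added diagnostic, not Age's code, for pinning down where the stray output comes from. A Content-Type of text/html on a script that calls header('Content-type: image/jpeg') means PHP had already begun the response body before the header() call, and the default content type went out with it; a UTF-8 BOM or a blank line before <?php, or text after ?>, in any included file is enough. The first function reads a file the way PHP would and counts the bytes that would be sent before and after the code; the second asks PHP at run time whether the body has already started and, if so, where. The two temp files at the bottom are constructed inputs.

```php
<?php
// Added example, not from the thread. Two checks for output that sneaks out
// before header('Content-type: image/jpeg') is called.

// 1. Static check: bytes of a file that would be sent to the client before
//    PHP code begins (a UTF-8 BOM is 3: EF BB BF; a blank line 1 or 2; a clean
//    file 0) and bytes after the final ?>, which are sent as well. PHP swallows
//    exactly one newline directly after ?>, so that one is not counted.
function stray_bytes($path)
{
    $src = file_get_contents($path);
    $open = strpos($src, '<?');
    $leading = ($open === false) ? strlen($src) : $open;
    $trailing = 0;
    $close = strrpos($src, '?>');
    if ($close !== false) {
        $tail = substr($src, $close + 2);
        if (substr($tail, 0, 2) === "\r\n") {
            $tail = substr($tail, 2);
        } elseif (substr($tail, 0, 1) === "\n") {
            $tail = substr($tail, 1);
        }
        $trailing = strlen($tail);
    }
    return array('leading'  => $leading,
                 'trailing' => $trailing,
                 'bom'      => substr($src, 0, 3) === "\xEF\xBB\xBF");
}

// 2. Runtime check: before sending the image, ask PHP whether the body has
//    already started and which file and line did it.
function send_jpeg($binary)
{
    if (headers_sent($file, $line)) {
        error_log("output already started in $file on line $line; cannot send image headers");
        return false;
    }
    header('Content-type: image/jpeg');
    header('Content-Length: ' . strlen($binary));
    echo $binary;
    return true;
}

// Constructed inputs: a clean file and one with a BOM, a blank line and a
// trailing blank line.
$clean = tempnam(sys_get_temp_dir(), 'php');
file_put_contents($clean, "<?php echo 'x'; ?>\n");
$bom = tempnam(sys_get_temp_dir(), 'php');
file_put_contents($bom, "\xEF\xBB\xBF\n<?php echo 'x'; ?>\n\n");
var_dump(stray_bytes($clean));  // leading 0, trailing 0, bom false
var_dump(stray_bytes($bom));    // leading 4, trailing 1, bom true
unlink($clean);
unlink($bom);
```

Run stray_bytes() over every file the image script includes, not just the script itself; the text/html header Philip saw is produced the moment the first stray byte is echoed, wherever it lives.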

attached mail follows:


Hi,

Friday, April 7, 2006, 6:20:41 AM, you wrote:
AB> Tom Rogers wrote:

AB> There isn't. I've got the suspicion it's got to do with the UTF-8
AB> character encoding because of the characters '', I've seen this
AB> before with HTML pages. Because of this I asked the person who's having
AB> the problems to upload and test three different files versions of the
AB> php file:

AB> - ANSI
AB> - UTF-8
AB> - ANSI UTF-8 without BOM

AB> None had any effect whatsoever. What else can I try?

AB> Philip Hallstrom pointed out that the returning header is set to
AB> 'Content-Type: text/html; charset=iso-8859-1' instead of 'Content-type:
AB> image/jpeg'. What could be the cause of this?

AB> Yours,

AB> Age

put

error_reporting( E_ALL);

at the top of the script and see if any error messages show up.
The fact that the mime type is text seems to indicate some output has gone to