php-general Digest 18 Jun 2006 15:06:23 -0000 Issue 4192

php-general-digest-helplists.php.net
Date: Sun Jun 18 2006 - 10:06:23 CDT



Topics (messages 238212 through 238227):

WINDOW/OFFICE: we buy and accept pawns, easy, instant fast cash
        238212 by: WINDOW/OFFICE: we buy and accept pawns, easy, instant fast cash
        238214 by: WINDOW/OFFICE: we buy and accept pawns, easy, instant fast cash
        238215 by: WINDOW/OFFICE: we buy and accept pawns, easy, instant fast cash

Re: GET, POST, REQUEST
        238213 by: David Tulloh
        238217 by: Satyam
        238219 by: Tom Rogers
        238220 by: Manuel Lemos
        238221 by: Satyam

ImageCopyResized() function
        238216 by: BBC
        238223 by: Jochem Maas

best solution for page access right
        238218 by: Alain Roger
        238227 by: João Cândido de Souza Neto

Want some PHP e-book
        238222 by: prolibertine
        238224 by: Jochem Maas
        238225 by: tedd
        238226 by: tedd


----------------------------------------------------------------------

attached mail follows:


WINDOW/OFFICE: we buy and accept pawns, easy, instant fast cash
Selling cheap: licensed Windows XP Pro, Win 98, 98 SE, Office XP Small, Office
XP Professional, Office Pro 2003. Very cheap, 100% genuine guaranteed.
Contact Paisarn 06-5881135
- Windows 95 with CD, complete set 200 baht
- Windows 98 book+COA only 800 baht
- Windows 98 book+COA+CD 1,000 baht
- Windows 98 SE book + COA + CD, white, new 1,500 baht
- Windows 2000 Professional + CD 2,700 baht
- Windows ME manual + COA + CD 1,800 baht
- Windows XP Home Edition manual + COA 2,000 baht
- Windows XP Home Edition manual + COA + CD 2,700 baht
- Windows XP Professional manual + COA 2,400 baht
- Windows XP Professional manual + COA+CD 3,500 baht
- Microsoft Office Pro 2003 7,500 baht
- Microsoft Office Basic 5500
Contact Paisarn 06-5881135, 02-8966280
pkhotboomyahoo.com
Bigger discounts when you buy several sets. Delivery within Bangkok and to the provinces, with a receipt provided.


attached mail follows:


I don't think that using request over post adds anything in the way of
security, at the most it's going to delay an attacker for up to a
minute. I advocate using request if it's convenient, it can also open a
few nice tricks for advanced users. Using request allows me to bookmark
a login page, so hitting the bookmark will log me in and take me
straight to the main page. Passing data through get instead of post is
not necessarily a malicious attack.

David

Ben Ramsey wrote:
> On 6/17/06 3:07 PM, Anthony Ettinger wrote:
>
>> it's more like painting the color of your front door, but still
>> leaving it unlocked. It doesn't change the fact that people can still
>> open the door.
>>
>> every input field needs to be validated regardless of get vs. post.
>> the web developer toolbar for firefox can easily convert all form
>> fields to one or the other, so it's trivial to send a get request as
>> post, and vice-versa.
>>
>
> Which is why, if you read the last paragraph of my post, it said that
> there are two things you must do: 1) always check the origin of the
> input and 2) always filter (validate) the input.
>
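
The two checks quoted above (check where the input came from, then filter it), sketched as an added example that is not part of the thread. The function name, field names and validation rules are assumptions, and the arguments stand in for `$_SERVER['REQUEST_METHOD']`, `$_GET` and `$_POST`.

```php
<?php
// Added example, not code from the thread. The arguments stand in for
// $_SERVER['REQUEST_METHOD'], $_GET and $_POST; the field names and the
// validation rules are assumptions chosen for illustration.
function read_login(string $method, array $get, array $post): array
{
    // 1) Origin: take credentials from the POST body only, and refuse a
    //    request that also carries them in the URL.
    if ($method !== 'POST') {
        return ['ok' => false, 'error' => 'login must be sent with POST'];
    }
    if (isset($get['user']) || isset($get['pass'])) {
        return ['ok' => false, 'error' => 'credentials in query string'];
    }

    // 2) Filter: changing the method does not change what is acceptable.
    $user = $post['user'] ?? null;
    $pass = $post['pass'] ?? null;
    // user[]=x arrives as an array, so check the type before the pattern.
    if (!is_string($user) || !preg_match('/\A[A-Za-z0-9_]{3,32}\z/', $user)) {
        return ['ok' => false, 'error' => 'invalid user name'];
    }
    if (!is_string($pass) || strlen($pass) < 8 || strlen($pass) > 128) {
        return ['ok' => false, 'error' => 'invalid password'];
    }
    return ['ok' => true, 'user' => $user];
}

// Constructed requests covering each branch.
$cases = [
    'form post'       => ['POST', [], ['user' => 'alice', 'pass' => 'correct horse']],
    'bookmarked GET'  => ['GET', ['user' => 'alice', 'pass' => 'correct horse'], []],
    'array parameter' => ['POST', [], ['user' => ['alice'], 'pass' => 'correct horse']],
    'markup in field' => ['POST', [], ['user' => '<b>alice</b>', 'pass' => 'correct horse']],
];
foreach ($cases as $name => [$method, $get, $post]) {
    $result = read_login($method, $get, $post);
    echo $name, ': ', $result['ok'] ? 'accepted' : $result['error'], "\n";
}
```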

attached mail follows:


----- Original Message -----
From: "Rory Browne" <rory.brownegmail.com>

>
> Good code won't be vulnerable to register_globals either, but having
> register_globals on is a security problem because there are security flaws
> that can only be exploited when register_globals is enabled.
>

Actually, code quality cannot overcome the vulnerability of
register_globals. Every program will have global variables.
register_globals=on may overwrite a valid global variable, one totally
unrelated to user input, with a value coming from the request, and there is
nothing good coding can do about it. The chances that an external user might
hit the right variable name are slim (unless a disgruntled former
programmer) but they exist.

Satyam

attached mail follows:


Hi,

Sunday, June 18, 2006, 5:19:20 PM, you wrote:
S> ----- Original Message -----
S> From: "Rory Browne" <rory.brownegmail.com>

>>
>> Good code won't be vulnerable to register_globals either, but having
>> register_globals on is a security problem because there are security flaws
>> that can only be exploited when register_globals is enabled.
>>

S> Actually, code quality cannot overcome the vulnerability of
S> register_globals. Every program will have global variables.
S> register_globals=on may overwrite a valid global variable, one totally
S> unrelated to user input, with a value coming from the request, and there is
S> nothing good coding can do about it. The chances that an external user might
S> hit the right variable name are slim (unless a disgruntled former
S> programmer) but they exist.

S> Satyam

Getting into the habit of setting all variables to known values
before using them will take care of this problem. Set the warning
level to E_ALL and get warned when using variables that have not been
set to good values while in the development phase.

--
regards,
Tom

attached mail follows:


Hello,

on 06/18/2006 04:19 AM Satyam said the following:
>> Good code won't be vulnerable to register_globals either, but having
>> register_globals on is a security problem because there are security flaws
>> that can only be exploited when register_globals is enabled.
>>
>
> Actually, code quality cannot overcome the vulnerability of
> register_globals. Every program will have global variables.
> register_globals=on may overwrite a valid global variable, one totally
> unrelated to user input, with a value coming from the request, and there
> is nothing good coding can do about it. The chances that an external
> user might hit the right variable name are slim (unless a disgruntled
> former programmer) but they exist.

There is a big misunderstanding about this matter. Having register
globals on does not make PHP overwrite global variables. It rather may
initialize global variables with values related to the request.

There may only be a problem with scripts that assumed those global
variables would not be initialized before the start of a script. Even if
there is a problem due to a distraction of the developer, it may not
even be necessarily a security problem.

If you initialize your script global variables properly, having register
globals on will never be a problem to you. You may also read this as, if
you are a competent developer, you will not make these silly mistakes,
especially by now when we all are so over the issue and triple checked
our code bases.

--

Regards,
Manuel Lemos

Metastorage - Data object relational mapping layer generator
http://www.metastorage.net/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

attached mail follows:


----- Original Message -----
From: "Manuel Lemos" <mlemosacm.org>
To: "PHP List" <php-generallists.php.net>
Sent: Sunday, June 18, 2006 10:12 AM
Subject: Re: [PHP] GET, POST, REQUEST

> Hello,
>
> on 06/18/2006 04:19 AM Satyam said the following:
>>> Good code won't be vulnerable to register_globals either, but having
>>> register_globals on is a security problem because there are security flaws
>>> that can only be exploited when register_globals is enabled.
>>>
>>
>> Actually, code quality cannot overcome the vulnerability of
>> register_globals. Every program will have global variables.
>> register_globals=on may overwrite a valid global variable, one totally
>> unrelated to user input, with a value coming from the request, and there
>> is nothing good coding can do about it. The chances that an external
>> user might hit the right variable name are slim (unless a disgruntled
>> former programmer) but they exist.
>
> There is a big misunderstanding about this matter. Having register
> globals on does not make PHP overwrite global variables. It rather may
> initialize global variables with values related to the request.
>
> There may only be a problem with scripts that assumed those global
> variables would not be initialized before the start of a script. Even if
> there is a problem due to a distraction of the developer, it may not
> even be necessarily a security problem.
>
> If you initialize your script global variables properly, having register
> globals on will never be a problem to you. You may also read this as, if
> you are a competent developer, you will not make these silly mistakes,
> especially by now when we all are so over the issue and triple checked
> our code bases.
>
> --
>

Indeed, you are absolutely right, sorry I caused any confusion about this.

Satyam
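
The point the thread settles on (request values initialize variables the script has not set yet, and setting a known value first removes the problem) as an added example that is not code from the thread. `register_globals` is emulated with `extract(..., EXTR_SKIP)` so it runs on PHP versions without the directive; the function names and request arrays are constructed for illustration.

```php
<?php
// Added example, not code from the thread. register_globals is emulated with
// extract() so the behaviour can be reproduced on PHP versions without the
// directive; the request arrays below are constructed.
error_reporting(E_ALL);

// Collect notices/warnings the way a developer would see them with E_ALL.
$notices = [];
set_error_handler(function (int $errno, string $errstr) use (&$notices): bool {
    $notices[] = $errstr;
    return true;
});

// Relies on $authorized being unset when the password check fails.
function vulnerable_check(array $request, bool $password_ok): bool
{
    // EXTR_SKIP: request values only initialize names that are not yet
    // defined; they do not replace variables the script already set.
    extract($request, EXTR_SKIP);
    if ($password_ok) {
        $authorized = true;
    }
    return (bool) $authorized;   // read without ever being assigned here
}

// Same logic, but the flag gets a known value before it is used.
function hardened_check(array $request, bool $password_ok): bool
{
    extract($request, EXTR_SKIP);
    $authorized = false;         // script assignment replaces any request value
    if ($password_ok) {
        $authorized = true;
    }
    return $authorized;
}

$forged = ['authorized' => '1']; // constructed request: ?authorized=1

$results = [
    'vulnerable, forged flag'  => vulnerable_check($forged, false),
    'hardened, forged flag'    => hardened_check($forged, false),
    'vulnerable, no parameter' => vulnerable_check([], false),
    'hardened, good password'  => hardened_check([], true),
];
var_dump($results);
var_dump($notices); // the undefined-variable message raised by the third call
```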

attached mail follows:


Hi all.
Does anyone know how to use these functions, and what they are for:
imagecreatetruecolor();
imagecreatefromjpeg();
ImageCopyResized();
ImageDestroy();

Best regards
BBC

attached mail follows:


BBC wrote:
> Hi all.
> Does anyone know how to use these functions, and what they are for:
> imagecreatetruecolor();
> imagecreatefromjpeg();

creating image resource.

> ImageCopyResized();

copy and resize image resource.

> ImageDestroy();

destroy image resource.

RTFM: http://php.net/gd

>
>
> Best regards
> BBC

attached mail follows:


Hi,

I have a web administration application which allows particular users to
store some information in the DB.
The information will later be displayed dynamically on the website.

However, among these users, some should be able just to see information,
some others just to write, and so on...

Therefore I need a system to grant access rights to these users.
I know that there are several solutions for such a situation, but I would like
to know your feedback on these solutions and which one is, for you, the best to
implement.

One that I know: I can create 3 tables in my DB: account, module and
accessright.
- account stores all user accounts
- module stores all PHP pages belonging to each module
- accessright stores a join of users' accounts, pages and their
relative access right to each page.

But maybe a simpler solution exists that is also good enough.

Thanks a lot,

Alain

attached mail follows:


Sometimes I've used the solution you pointed out. I think it's a
good way, though there are more detailed ways; it depends on your level of care.

"Alain Roger" <raf.newsgmail.com> wrote in message
news:75645bbb0606180029g578840eelfca48b418c618414mail.gmail.com...
> Hi,
>
> I have a web administration application which allows particular users to
> store some information in the DB.
> The information will later be displayed dynamically on the website.
>
> However, among these users, some should be able just to see information,
> some others just to write, and so on...
>
> Therefore I need a system to grant access rights to these users.
> I know that there are several solutions for such a situation, but I would like
> to know your feedback on these solutions and which one is, for you, the best to
> implement.
>
> One that I know: I can create 3 tables in my DB: account, module and
> accessright.
> - account stores all user accounts
> - module stores all PHP pages belonging to each module
> - accessright stores a join of users' accounts, pages and their
> relative access right to each page.
>
> But maybe a simpler solution exists that is also good enough.
>
> Thanks a lot,
>
> Alain
>

attached mail follows:


I am a newbie to PHP. I want to get some PHP ebooks to read.
Who can send me some?
Thx
--
/**********************************************************
* Love in AJAX J2ME and Python
* Look at my website and my blog
* http://www.pinzui.cn
* I hope my baby can be happy forever; you are the best.
**********************************************************/

attached mail follows:


prolibertine wrote:
> I am a newbie to PHP. I want to get some PHP ebooks to read.

http://php.net/docs.php

> Who can send me some?
> Thx

attached mail follows:


At 5:27 PM +0800 6/18/06, prolibertine wrote:
>I am a newbie to PHP. I want to get some PHP ebooks to read.
>Who can send me some?
>Thx

Amazon.com

tedd
--
------------------------------------------------------------------------------------
http://sperling.com http://ancientstones.com http://earthstones.com

attached mail follows:


At 5:27 PM +0800 6/18/06, prolibertine wrote:
>I am a newbie to PHP. I want to get some PHP ebooks to read.
>Who can send me some?
>Thx

Sorry for the other post, I misread "ebook". I thought you were asking for free books.

In any event, you might review these links:

http://www.htmlgoodies.com/beyond/php/article.php/3472391
http://www.w3schools.com/php/default.asp
http://www.weberdev.com/ViewArticle/433
http://www.weberdev.com/Manuals/
http://www.unf.edu/~rita0001/eresources/php_tutorials/index.htm
http://www.phpit.net/article/back-to-basics-arrays/

hth's

tedd
--
------------------------------------------------------------------------------------
http://sperling.com http://ancientstones.com http://earthstones.com