php-general Digest 30 Nov 2006 22:17:11 -0000 Issue 4489

php-general-digest-helplists.php.net
Date: Thu Nov 30 2006 - 16:17:11 CST


Topics (messages 245340 through 245379):

Re: LDAP password question
        245340 by: Alain Roger
        245345 by: Ray Hauge

Webbased Visual DOM Training Tool
        245341 by: Bernhard Zwischenbrugger
        245364 by: Richard Lynch
        245376 by: Jochem Maas

Help with strange include problem in PHP 5.2.0
        245342 by: Markus Mayer
        245365 by: Richard Lynch

turning use session cookies off still uses cookies?
        245343 by: blackwater dev
        245349 by: Vincent DUPONT
        245350 by: Vincent DUPONT
        245362 by: Richard Lynch

Re: Tidy HTML source?
        245344 by: clive
        245363 by: Paul Novitski
        245374 by: Sancar Saran

Re: hiding passwd in cmdlines that appear in the process list
        245346 by: Jochem Maas
        245352 by: Edwin Barrios
        245353 by: Jochem Maas
        245360 by: Richard Lynch
        245366 by: Edwin Barrios
        245370 by: Edwin Barrios
        245375 by: Jochem Maas

Re: SEGINT, readline extension & clean script exit - how to do it
        245347 by: Jochem Maas
        245359 by: Richard Lynch

Re: problems with exec()
        245348 by: Ray
        245351 by: admin.ensifex.nl

Issues with tidy and utf-8 encoding
        245354 by: Youri LACAN-BARTLEY
        245358 by: Richard Lynch

Re: magic_quotes
        245355 by: Johannes Lindenbaum
        245356 by: Robert Cummings
        245357 by: Eric Butera
        245367 by: Richard Lynch
        245373 by: Johannes Lindenbaum
        245377 by: Chris Shiflett

Re: regular expressions
        245361 by: tedd

Re: can't prevent url redirect
        245368 by: Richard Lynch
        245369 by: Richard Lynch

Re: several sites sharing the same script
        245371 by: Richard Lynch

Re: Maybe an HTML prob?
        245372 by: Richard Lynch

problem with register globals on new server
        245378 by: afan.afan.net

Preg_match - Find URL and convert to lower case
        245379 by: Kevin Murphy

Administrivia:

To subscribe to the digest, e-mail:
        php-general-digest-subscribelists.php.net

To unsubscribe from the digest, e-mail:
        php-general-digest-unsubscribelists.php.net

To post to the list, e-mail:
        php-generallists.php.net

----------------------------------------------------------------------

attached mail follows:


Hi Ray,

The question is: why do you need to know anything about the pwd?
To log on?

If yes, it's not needed. I personally did it like this:
1. With the login + pwd given by the user, I try to bind.
2. If the bind works, it means that the user's login+pwd are equal to the AD login+pwd.
3. If there is an error during the bind, there is an error in the pwd or login.

That's all.

Alain

On 11/30/06, Ray Hauge <ray.haugeamericanstudentloan.com> wrote:
>
> I'm working on integrating an application with an AD server, and I was
> wondering if the password is encrypted at all, or if I need to go
> through the troubles of setting up ldaps://
>
>
>
> I checked the documentation, but I couldn't find any information about
> plain-text vs. encrypted.
>
>
>
> Thanks!
>
>
>
> --
>
> Ray Hauge
>
> Application Development Lead
>
> American Student Loan Services
>
> www.americanstudentloan.com
>
>
>
>
>

--
Alain
------------------------------------
Windows XP SP2
PostgreSQL 8.1.4
Apache 2.0.58
PHP 5

attached mail follows:


Hello,

 

I was actually wondering if the PHP implementation of an LDAP client
encodes the password before being sent, or if it sends the password in
plain-text. The most information I've got on this subject, so far, is
from http://adldap.sourceforge.net/faq.php

 

Q. Why am I getting poor performance with Windows 2003 Server?

A. Microsoft figured out that plain text passwords aren't a good thing
and tightened the security on Windows 2003 Server. The passwords
floating around with 2000 server were all encrypted but there are some
new timeout problems during negotiation (I think). Anyways, I've set
another LDAP option in version 1.2 to force encrypted passwords, and it
has resolved this issue.

 

After looking through their source code, this information seems to be
for modifying passwords or creating a user. I would assume that
passwords are plain text without SSL when using ldap_bind().

 

Thanks,

 

--

Ray Hauge

Application Development Lead

American Student Loan Services

www.americanstudentloan.com

________________________________

From: Alain Roger [mailto:raf.newsgmail.com]
Sent: Thursday, November 30, 2006 6:15 AM
To: Ray Hauge; PHP General List
Subject: Re: [PHP] LDAP password question

 

Hi Ray,

The question is: why do you need to know anything about the
pwd?
To log on?

If yes, it's not needed. I personally did it like this:
1. With the login + pwd given by the user, I try to bind.
2. If the bind works, it means that the user's login+pwd are equal to the AD
login+pwd.
3. If there is an error during the bind, there is an error in the pwd or login.

That's all.

Alain

On 11/30/06, Ray Hauge <ray.haugeamericanstudentloan.com> wrote:

I'm working on integrating an application with an AD server, and I was
wondering if the password is encrypted at all, or if I need to go
through the troubles of setting up ldaps://

I checked the documentation, but I couldn't find any information about
plain-text vs. encrypted.

Thanks!

--

Ray Hauge

Application Development Lead

American Student Loan Services

www.americanstudentloan.com

--
Alain
------------------------------------
Windows XP SP2
PostgreSQL 8.1.4
Apache 2.0.58
PHP 5
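
The bind-to-authenticate approach discussed in this thread, with the transport protected before the password is sent, as an added example that is not code from either poster. The function name, host and account values are hypothetical; it assumes PHP 7.1+ with the ldap extension and rejects empty passwords because a simple bind with an empty password is an unauthenticated bind (RFC 4513) that many servers accept.

```php
<?php
// Added example, not code from the thread. ldapAuthenticate() and the
// host / account values used below are hypothetical.

/**
 * Verify a user's credentials by binding as that user over an encrypted
 * connection. Returns true only when the server accepted the bind.
 */
function ldapAuthenticate(string $host, string $bindDn, string $password, bool $useLdaps = false): bool
{
    // A simple bind with an empty password is an "unauthenticated bind":
    // many servers report success for it, so "the bind worked" would wrongly
    // mean "the password was correct". Refuse it before touching the network.
    if ($bindDn === '' || $password === '') {
        return false;
    }

    // Require a verifiable server certificate (global option, set before connect).
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD);

    $uri  = ($useLdaps ? 'ldaps://' : 'ldap://') . $host;
    $conn = ldap_connect($uri);
    if ($conn === false) {
        throw new RuntimeException("Invalid LDAP URI: $uri");
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3); // StartTLS needs LDAPv3
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // On plain ldap:// a simple bind carries the password unencrypted, so
    // upgrade the connection first and never fall back to a cleartext bind.
    if (!$useLdaps && !@ldap_start_tls($conn)) {
        $error = ldap_error($conn);
        ldap_unbind($conn);
        throw new RuntimeException("StartTLS failed, refusing to bind: $error");
    }

    $ok = @ldap_bind($conn, $bindDn, $password);
    ldap_unbind($conn);
    return $ok;
}

// Demonstration that needs no directory server: the empty password is
// rejected locally instead of being sent as an unauthenticated bind.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    var_dump(ldapAuthenticate('dc.example.test', 'someuser@example.test', ''));
}
```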

attached mail follows:


Hi all

I made a web based visual Document Object Model (DOM) Training Tool for
my students:

http://test.datenkueche.com (you need Firefox !!!)

Before I torture my students with this tool, I would like to have some
feedback from the PHP mailing list.

This tool should help with learning the DOM object of PHP5
http://www.php.net/manual/de/ref.dom.php

There are 3 demos that show you the functionality of the tool.

For interactive training there are some html/xml files in a drop down
list. You can also load files from http sources.

There are also some "special" training files. The time you need to
finish an exercise will be stored in a "hi score" list.

have fun, give feedback

Bernhard

attached mail follows:


On Thu, November 30, 2006 6:56 am, Bernhard Zwischenbrugger wrote:
> I made a web based visual Document Object Model (DOM) Training Tool
> for
> my students:
>
> http://test.datenkueche.com (you need Firefox !!!)

I found it annoying that I couldn't break out of "demo1" by clicking
on "demo2"

demo1 demo2 demo3 should probably change cursor or something to appear
more "clickable"

I didn't really understand what I was looking at, or why I'd want it
or what I was supposed to learn from it...

It looked very slick, but had an awful lot of repetition of filling in
some DOM field and clicking "do it".

I don't really need to see that more than a couple times to know I can
fill in those fields and click "do it".

What I *do* need to know is what the heck to put in those boxes...
bodylist
listbody
bodyList
listBody
I have no idea which of the above 4, if any, is the "right thing" to
put in the box, and doubt that I'd figure it out any time soon...

> There are also some "special" training files. The time you need to
> finish an exercise will be stored in a "hi score" list.

I'm not sure I even figured out how to START an exercise, much less
finish it...

Maybe I'm just the village idiot, but I needed a bit more instruction
on what the heck I was supposed to be doing... Or maybe that's
covered in a classroom somewhere.

It was definitely very slick though, whatever it was.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

attached mail follows:


Richard Lynch wrote:
> On Thu, November 30, 2006 6:56 am, Bernhard Zwischenbrugger wrote:
>> I made a web based visual Document Object Model (DOM) Training Tool
>> for
>> my students:
>>
>> http://test.datenkueche.com (you need Firefox !!!)
>
> I found it annoying that I couldn't break out of "demo1" by clicking
> on "demo2"
>
> demo1 demo2 demo3 should probably change cursor or something to appear
> more "clickable"
>
> I didn't really understand what I was looking at, or why I'd want it
> or what I was supposed to learn from it...
>
> It looked very slick, but had an awful lot of repetition of filling in
> some DOM field and clicking "do it".
>
> I don't really need to see that more than a couple times to know I can
> fill in those fields and click "do it".
>
> What I *do* need to know is what the heck to put in those boxes...
> bodylist
> listbody
> bodyList
> listBody
> I have no idea which of the above 4, if any, is the "right thing" to
> put in the box, and doubt that I'd figure it out any time soon...
>
>> There are also some "special" training files. The time you need to
>> finish an exercise will be stored in a "hi score" list.
>
> I'm not sure I even figured out how to START an exercise, much less
> finish it...
>
> Maybe I'm just the village idiot, but I needed a bit more instruction
> on what the heck I was supposed to be doing... Or maybe that's
> covered in a classroom somewhere.
>
> It was definitely very slick though, whatever it was.

my thoughts exactly.

>

attached mail follows:


Hi all,

I have a strange problem including files in PHP 5.2.0 running on Unix. If I
try to include a file using include 'filename.inc';, everything is fine. As
soon as I try to put a "." in front of the file name, for example
include './filename.inc';, I get a "failed to open stream: No such file or
directory" error. Does anyone have any suggestions as to what is going
wrong? This all works with php 4.4.4 built with the same environment and
compiler on the same system.

thanks
Markus

The files I am testing are:
include.php:
<?php
        $result = include 'filename.inc';
        echo "Result of first include = $result";
        $result = include './filename.inc';
        echo "Result of second include = $result";
        $result = include './include_test_dir/filename.inc';
        echo "Result of third include = $result";
?>

filename.inc:
<?php
        echo "I am the included file...";
?>

# ls -l
total 6
-rw-r--r-- 1 root webservd 44 Nov 30 13:45 filename.inc
-rw-r--r-- 1 root webservd 265 Nov 30 13:45 include.php
drwxr-sr-x 2 root webservd 512 Nov 30 13:44 include_test_dir
# ls -l include_test_dir/
total 2
-rw-r--r-- 1 root webservd 21 Nov 30 13:45 filename.inc

attached mail follows:


On Thu, November 30, 2006 6:49 am, Markus Mayer wrote:
> I have a strange problem including files in PHP 5.2.0 running on Unix.
> If I
> try to include a file using include 'filename.inc';, everything is
> fine. As
> soon as I try to put a "." in front of the file name, for example
> include './filename.inc';, I get a "failed to open stream: No such
> file or
> directory" error. Does anyone have any suggestions as to what is
> going
> wrong? This all works with php 4.4.4 built with the same environment
> and
> compiler on the same system.

What is your include path in PHP 5.2.0?

I'm going to go out on a limb and bet a dollar that the PHP 4.4.4
include_path has "." as one element within the list and that the PHP
5.2.0 include_path does NOT have "." within the list.

I.e.:
4.4.4 include_path ".:include_test_dir"
5.2.0 include_path "include_test_dir"

In the first case, 4.4.4, you've got . in there, so . combined with ./
will "find" the file you want.

In the second case, 5.2.0, you've got no . in there, so ./ is looking
in a directory, not the directory you expect, and it ain't finding the
file because it's not there.

Rant #24, not directed at Markus, but the world at large :-)
PHP developers should understand and use include_path instead of
hacking up their source with hard-coded paths and weird sub-directory
/ parent-directory hacks in include/require statements.

It drives me nuts when I install nice software packages, but I can't
put their components where I want them.

End result:
rm -rf [insert your nifty project directory name here]

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

attached mail follows:


I asked a similar question the other day but I have been having an issue
lately with my sessions and certain browsers. I then tried to set my
session.use_cookies var in php.ini to 0 yet if I log in and don't have
cookies turned on, the sessions still don't seem to work. Can I really use
sessions without using cookies? Below is my code and sessions settings. If
I can use sessions without cookies, seems like that would solve the issue of
people having cookies turned on.

Thanks,

//this is from the login routine
if ($this->db->getField('user_id')){
        session_start();
        $_SESSION['user']['user_id']=$this->db->getField('user_id');
        $_SESSION['user']['email']=$this->db->getField('email');
        return true;
}

<?
//only show if they are logged in
if (isset($_SESSION['user']['user_id']) && !$_REQUEST['mlsid']){
        //show something
}
?>

Session Support                  enabled
Registered save handlers         files user
Registered serializer handlers   php php_binary wddx

Directive                        Local Value            Master Value
session.auto_start               Off                    Off
session.bug_compat_42            Off                    Off
session.bug_compat_warn          On                     On
session.cache_expire             180                    180
session.cache_limiter            nocache                nocache
session.cookie_domain            *no value*             *no value*
session.cookie_lifetime          0                      0
session.cookie_path              /                      /
session.cookie_secure            Off                    Off
session.entropy_file             *no value*             *no value*
session.entropy_length           0                      0
session.gc_divisor               1000                   1000
session.gc_maxlifetime           1440                   1440
session.gc_probability           1                      1
session.hash_bits_per_character  5                      5
session.hash_function            0                      0
session.name                     PHPSESSID              PHPSESSID
session.referer_check            *no value*             *no value*
session.save_handler             files                  files
session.save_path                /var/lib/php/session   /var/lib/php/session
session.serialize_handler        php                    php
session.use_cookies              Off                    Off
session.use_only_cookies         Off                    Off
session.use_trans_sid            0                      0

attached mail follows:


hello,

you can use sessions without cookies by asking PHP to add the session ID into every link on your website.
I don't remember how to do this, but there should be a php_ini directive, and more info on the php.net/manual website.

vincent

-----Original Message-----
From: blackwater dev [mailto:blackwaterdevgmail.com]
Sent: Thu 30/11/2006 14:42
To: php-generallists.php.net
Subject: [PHP] turning use session cookies off still uses cookies?
 

attached mail follows:


look at this inside the PHP.INI

; trans sid support is disabled by default.
; Use of trans sid may risk your users security.
; Use this option with caution.
; - User may send URL contains active session ID
; to other person via. email/irc/etc.
; - URL that contains active session ID may be stored
; in publically accessible computer.
; - User may access your site with the same session ID
; always using URL stored in browser's history or bookmarks.
session.use_trans_sid = 0

vincent

-----Original Message-----
From: blackwater dev [mailto:blackwaterdevgmail.com]
Sent: Thu 30/11/2006 14:42
To: php-generallists.php.net
Subject: [PHP] turning use session cookies off still uses cookies?
 

attached mail follows:


On Thu, November 30, 2006 7:42 am, blackwater dev wrote:
> I asked a similar question the other day but I have been having an
> issue
> lately with my sessions and certain browsers. I then tried to set my
> session.use_cookies var in php.ini to 0 yet if I log in and don't have
> cookies turned on, the sessions still don't seem to work. Can I
> really use
> sessions without using cookies? Below is my code and sessions
> settings.

One can really use session without cookies.

PHP splices the SID (session_id) into every URL, and every ACTION in
FORM tags, every IMG SRC, and various other places I won't try to list
all of.

> If
> I can use sessions without cookies, seems like that would solve the
> issue of
> people having cookies turned on.

If, in fact, the problem is related to browser acceptance/rejection of
cookies, it would have solved that, assuming you had stopped/started
Apache and gotten the right php.ini file changed and so on, so you
really did tell PHP to never use cookies and use the URL to pass the
session ID.

> session.use_cookies Off Off  session.use_only_cookies Off Off
> session.use_trans_sid 0 0

Here, however, it is clear that you turned OFF cookies, but did not
turn ON trans_sid.

You've got to have at least one or the other "on" to get the session
ID to propagate from page to page.

There is no Session ID Fairy to pass the ID back and forth :-)

Turn trans_sid "ON" and test again, and you'll know if it was, in
fact, a cookie issue.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

attached mail follows:


Mark Kelly wrote:
> Am I crazy to make an extra effort in my code to make the generated HTML
> pretty? By this I mean linebreaks, indentation etc. - stuff that is aimed
> at readability rather than correctness. This is obviously above and beyond
> simply making sure it validates. It's not a huge burden by any means, but
> it *is* extra effort.

tidy? look at http://www.php.net/tidy

attached mail follows:


At 11/30/2006 01:52 AM, Satyam wrote:
>>>>And, stepping back, you're perpetuating the embedding of markup
>>>>with logic so that it will still take a PHP programmer to modify
>>>>the markup of one of your pages. Do you not see the advantage in
>>>>separating the two layers?
>>>
>>>Yes, I do, and I would recommend using templates or similar tools
>>>to provide for separation of code and markup, but sometimes there
>>>are reasons not to do so, for example, web services.
>>
>>Please explain why you think web services promote mixing markup with logic.
>
>I didn't say it promotes but it does not require. In web services
>there is usually no presentation layer, there is no end user to see
>anything at all, then there is no need for a graphics designer
>separate from the application programmer. The application consuming
>that service might have to display the data, but the service does not.

To reach clarity on this point, let's leave presentation out of
it. I was referring to the separation of presentation from markup
merely to suggest an analogous separation that many of us have
accepted as being helpful to design, development, and
maintenance. What I'm really curious about in this discussion is the
separation of markup from logic.

With respect to separating code and markup, you said "sometimes there
are reasons not to do so, for example, web services." What are some
of those reasons?

Cheers,
Paul

attached mail follows:


On Thursday 30 November 2006 18:51, Paul Novitski wrote:
> At 11/30/2006 01:52 AM, Satyam wrote:
> >>>>And, stepping back, you're perpetuating the embedding of markup
> >>>>with logic so that it will still take a PHP programmer to modify
> >>>>the markup of one of your pages. Do you not see the advantage in
> >>>>separating the two layers?
> >>>
> >>>Yes, I do, and I would recommend using templates or similar tools
> >>>to provide for separation of code and markup, but sometimes there
> >>>are reasons not to do so, for example, web services.
> >>
> >>Please explain why you think web services promote mixing markup with
> >> logic.
> >
> >I didn't say it promotes but it does not require. In web services
> >there is usually no presentation layer, there is no end user to see
> >anything at all, then there is no need for a graphics designer
> >separate from the application programmer. The application consuming
> >that service might have to display the data, but the service does not.
>
> To reach clarity on this point, let's leave presentation out of
> it. I was referring to the separation of presentation from markup
> merely to suggest an analogous separation that many of us have
> accepted as being helpful to design, development, and
> maintenance. What I'm really curious about in this discussion is the
> separation of markup from logic.
>
> With respect to separating code and markup, you said "sometimes there
> are reasons not to do so, for example, web services." What are some
> of those reasons?
>
> Cheers,
> Paul

What about performance? What about complexity?

Those SO nicely separated template systems produce lots of mini TPL files. You
have to include them... You have to parse them.

Also you have to track and manage them.

And I'm not sure those template systems give you freedom, because you cannot
change your site design with these tpl files. If you change them too much you
have to change your php code.

Plus, if I remember correctly, there was a thing named CSS to change your site's
looks.

After 10 years of html coding by hand and 6 years of php coding, and from my
uber biased point of view, that template engine thing was flawed.

Look at open source cms projects, check open-sourced forums etc etc. Then tell me
what the effective use of tpl files is for a message posting form or blog showing
pages. Or something like that...

Oh yes, I know lots of sites are using them, then what? People still use
Windows... Does that make Windows the best operating system?

Maybe it is useful when your designer does not know php and/or your programmer
does not know html/css.

And my point of view: the days of using <html tag <?php echo value ?> > <?php echo
value ?></htmltag> are over...

These days we have to deal with lots of other programming things: handle heavy
loads, do lots of security things etc etc...

Of course you could do nice things for your little home page via old style
php.

I believe Satyam's idea was best. I try to implement his idea in my way

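// Return $intTab tab characters, used to indent the generated markup.
function getTab($intTab=1)
{
        return str_repeat("\t", $intTab);
}

// Build one tag line from array('tag'=>..., 'attlist'=>..., 'tab'=>..., 'end'=>...).
function html($arrOpt)
{
        // Closing tags are passed without 'attlist', so default to an empty list.
        $arrAttlist = isset($arrOpt['attlist']) ? $arrOpt['attlist'] : array();
        $strAttlist = '';
        foreach ($arrAttlist as $strName => $strValue)
        {
                // Escape the value so a quote in the data cannot end the attribute early.
                $strAttlist.= " ".$strName."='".htmlspecialchars($strValue, ENT_QUOTES)."'";
        }
        return getTab($arrOpt['tab'])."<".$arrOpt['tag'].$strAttlist.$arrOpt['end'].">\n";
}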

MY RECENT METHOD
$strReturn.=
html(array('tag'=>'table','attlist'=>array('id'=>'uberTable','border'=>'0','cellpadding'=>'0','cellspacing'=>'1','width'=>'100%','class'=>'cUberTable'),'tab'=>4,'end'=>NULL))
.html(array('tag'=>'tr','attlist'=>array('class'=>'cUberTableTR'),'tab'=>5,'end'=>NULL))
.html(array('tag'=>'td','attlist'=>array('align'=>'center','valign'=>'top','class'=>'cUberTableTD'),'tab'=>6,'end'=>NULL))
."Test Message\n"
.html(array('tag'=>'/td','tab'=>6,'end'=>NULL))
.html(array('tag'=>'/tr','tab'=>5,'end'=>NULL))
.html(array('tag'=>'/table','tab'=>4,'end'=>NULL));

TPL METHOD
uber.tpl
                                <table id='uberTable' border='0' cellpadding='0' cellspacing='1'
width='100%' class='cUberTable'>
                                        <tr class='cUberTableTR'>
                                                <td align='center' valign='top' class='cUberTableTD'>
|MESSAGE|
                                                </td>
                                        </tr>
                                </table>

Code

$TPL = new TplClass;
$TPL-> SetTplPath('tpl/meta.tpl',__FILE__,__LINE__);
$TPL-> ReadTpl();
$TPL -> Assign('|MESSAGE|', 'Test Message',__FILE__, __LINE__);
$TPL -> Showtpl();

SATYAM WAY

<table &border '0' &colspan '0' &cellpadding '1' &width '100%'
class 'uberTable';
{
        <tr
        {
                <td &align 'right' &valign 'top';
                {
                        ? "Test message ";
                }
        }
}
(and his current implementation needs a pre-compiler)

Those codes produce HTML like this

                                <table id='uberTable' border='0' cellpadding='0' cellspacing='1'
width='100%' class='cUberTable'>
                                        <tr class='cUberTableTR'>
                                                <td align='center' valign='top' class='cUberTableTD'>
Test Message
                                                </td>
                                        </tr>
                                </table>

I wish to access his work under php via pear or something like that. And I
believe sooner or later we will see this kind of approach in other languages.
I hope php was the first one.

Hope Larsmus sees this...

Regards

Sancar

attached mail follows:


Richard Lynch wrote:
> Don't use exec. ;-v

yeah - which is annoying because outside of php/exec() using the `cat /path/2/myqyl/passwd`
trick works (i.e. ps doesn't give the passwd away)

thanks to everyone for their input - I have plenty to read/think about,
I'll send something back to the list when I have decided upon and tested a working solution

thanks everyone!

>
> Or, perhaps, write a shell script that reads the password and provides
> it to MySQL somehow without invoking another exec of some kind.
>
> You also could look into other MySQL authentication mechanisms such as
> SSL keys and whatnot -- which I only vaguely recall seeing somewhere
> in the MySQL docs.
>
> That might still end up with a PHP/world readable file that has a
> private key in it, but at least it requires the Bad Guy to take one
> more step to read said file.
>
> On Wed, November 29, 2006 6:10 am, Jochem Maas wrote:
>> I have been using exec() for a number of things recently - one of the
>> things
>> I'm using it for it to run mysql in order to import SQL scripts
>>
>> so I have some code that looks like:
>>
>> // build the cmdline
>> $cmd = sprintf('mysql -h %s --user=%s --password=`cat %s` -D %s <
>> "%s" 2>&1',
>> MYSQL_SERVER, MYSQL_ROOT_USER, $rootPasswdFile,
>> $data['db_name']['value'], $file);
>>
>> // run the mysql command via the cmdline
>> $output = array(); $exit = 0;
>> exec($cmd, $output, $exit);
>>
>> everything works. but there is a security issue - one that I thought I
>> had
>> specifically tackled.
>>
>> the security issue occurs due to the fact that the process list (this
>> is
>> just linux I'm talking about) will show the complete command line,
>> which in
>> my case would look something like (in the processlist):
>>
>>
>> mysql -h localhost --user=admin --password=`cat
>> /my/sql/root/passwd/file` -D somedb < "/my/import/script.sql" 2>&1
>>
>>
>> AH I hear you say but the wily use of "`cat /my/sql/root/passwd/file`"
>> masks the actual
>> password from any looking in the process list. indeed under normal
>> shell scripting circumstances
>> that may have been true.
>>
>> BUT in using php's exec() to run the cmdline causes the following to
>> show up in the processlist:
>>
>>
>> sh -c mysql -h localhost --user=admin --password=`cat
>> /my/sql/root/passwd/file` -D somedb < "/my/import/script.sql" 2>&1
>>
>>
>> AND that [sub]shell then lists its process[s] in the list also, there
>> is only one
>> and it is this:
>>
>>
>> mysql -h localhost --user=admin --password=MYFINGPWD -D somedb
>>
>>
>> does anyone have an idea how to over come this security issue (without
>> resorting to having to
>> type in the mysql admin passwd interactively!)
>>
>> thanks & regards,
>> Jochem
>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>>
>
>
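
One way to hand the password to mysql without it ever appearing in a process's argument list is a client option file passed with --defaults-extra-file. This is an added example, not code from the thread; the function names and the sample credentials are hypothetical, and it assumes PHP 7.4+ (array form of proc_open, which starts mysql directly instead of through sh -c).

```php
<?php
// Added example, not code from the thread. All function names are
// hypothetical; the credentials in the demonstration are constructed.
// Anything a shell expands into the command line (a backquoted cat, a shell
// variable) ends up in mysql's argv, so the secret is kept in a file instead.

/** Quote a value for a MySQL option file; refuse what cannot be encoded safely. */
function optionFileValue(string $value): string
{
    // Conservative assumption: reject double quotes and control characters
    // rather than depend on escaping details of a particular client version.
    if (preg_match('/["\x00-\x1f]/', $value)) {
        throw new InvalidArgumentException('value cannot be written to an option file');
    }
    return '"' . str_replace('\\', '\\\\', $value) . '"';
}

/** Create a client option file that only the current user can read. */
function buildClientOptionFile(string $user, string $password): string
{
    $path = tempnam(sys_get_temp_dir(), 'mycnf_');
    if ($path === false) {
        throw new RuntimeException('cannot create temporary option file');
    }
    chmod($path, 0600); // tempnam() creates the file 0600 on Unix; kept explicit
    $body = "[client]\nuser=" . optionFileValue($user)
          . "\npassword=" . optionFileValue($password) . "\n";
    if (file_put_contents($path, $body) === false) {
        unlink($path);
        throw new RuntimeException('cannot write option file');
    }
    return $path;
}

/** Argument list for mysql: the only credential-related item is a file path. */
function mysqlArgv(string $optionFile, string $host, string $db): array
{
    // --defaults-extra-file has to be the first option on the command line.
    return ['mysql', '--defaults-extra-file=' . $optionFile, '-h', $host, '-D', $db];
}

/** Import an SQL script; returns the exit code and the combined output. */
function importSqlFile(string $host, string $user, string $password, string $db, string $sqlFile): array
{
    $cnf = buildClientOptionFile($user, $password);
    try {
        $spec = [
            0 => ['file', $sqlFile, 'r'], // replaces the shell's  < script.sql
            1 => ['pipe', 'w'],
            2 => ['redirect', 1],         // replaces the shell's  2>&1
        ];
        $proc = proc_open(mysqlArgv($cnf, $host, $db), $spec, $pipes);
        if (!is_resource($proc)) {
            throw new RuntimeException('cannot start mysql');
        }
        $output = stream_get_contents($pipes[1]);
        fclose($pipes[1]);
        return ['exit' => proc_close($proc), 'output' => $output];
    } finally {
        unlink($cnf); // the secret exists on disk only while mysql runs
    }
}

// Demonstration without a database: show what a process listing could see.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $cnf = buildClientOptionFile('admin', 'constructed-secret');
    printf("argv: %s\n", implode(' ', mysqlArgv($cnf, 'localhost', 'somedb')));
    printf("option file mode: %o\n", fileperms($cnf) & 0777);
    unlink($cnf);
}
```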

attached mail follows:


Hi!

I don't know if my solution is better or not, but in one of my programs I
had to make a backup online, and my solution was to use shell vars to hold
important information like db_password. When we use the putenv function those
vars only exist in the current shell and in its subshells. In your case, the
following code:

<?php
  putenv("DBNAME=".DB_NAME);
  putenv("DBUSER=".DB_USER);
  putenv("DBPASSWD=".DB_PASSWD);

  system('mysql -h localhost --user=$DBUSER --password=$DBPASSWD -D $DBNAME < "/my/import/script.sql" 2>&1');

?>

On 11/30/06, Jochem Maas <jochemiamjochem.com> wrote:
>
> Richard Lynch wrote:
> > Don't use exec. ;-v
>
> yeah - which is annoying because outside of php/exec() using the `cat
> /path/2/myqyl/passwd`
> trick works (i.e. ps doesn't give the passwd away)
>
> thanks to everyone for their input - I have plenty to read/think about,
> I'll send something back to the list when i have decided upon and tested a
> working solution
>
> thanks everyone!
>
> >
> > Or, perhaps, write a shell script that reads the password and provides
> > it to MySQL somehow without invoking another exec of some kind.
> >
> > You also could look into other MySQL authentication mechanisms such as
> > SSL keys and whatnot -- which I only vaguely recall seeing somewhere
> > in the MySQL docs.
> >
> > That might still end up with a PHP/world readable file that has a
> > private key in it, but at least it requires the Bad Guy to take one
> > more step to read said file.
> >
> > On Wed, November 29, 2006 6:10 am, Jochem Maas wrote:
> >> I have been using exec() for a number of things recently - one of the
> >> things
> >> I'm using it for it to run mysql in order to import SQL scripts
> >>
> >> so I have some code that looks like:
> >>
> >> // build the cmdline
> >> $cmd = sprintf('mysql -h %s --user=%s --password=`cat %s` -D %s <
> >> "%s" 2>&1',
> >> MYSQL_SERVER, MYSQL_ROOT_USER, $rootPasswdFile,
> >> $data['db_name']['value'], $file);
> >>
> >> // run the mysql command via the cmdline
> >> $output = array(); $exit = 0;
> >> exec($cmd, $output, $exit);
> >>
> >> everything works. but there is a security issue - one that I thought I
> >> had
> >> specifically tackled.
> >>
> >> the security issue occurs due to the fact that the process list (this
> >> is
> >> just linux I'm talking about) will show the complete command line,
> >> which in
> >> my case would look something like (in the processlist):
> >>
> >>
> >> mysql -h localhost --user=admin --password=`cat
> >> /my/sql/root/passwd/file` -D somedb < "/my/import/script.sql" 2>&1
> >>
> >>
> >> AH I hear you say but the wily use of "`cat /my/sql/root/passwd/file`"
> >> masks the actual
> >> password from any looking in the process list. indeed under normal
> >> shell scripting circumstances
> >> that may have been true.
> >>
> >> BUT in using php's exec() to run the cmdline causes the following to
> >> show up in the processlist:
> >>
> >>
> >> sh -c mysql -h localhost --user=admin --password=`cat
> >> /my/sql/root/passwd/file` -D somedb < "/my/import/script.sql" 2>&1
> >>
> >>
> >> AND that [sub]shell then lists its process[s] in the list also, there
> >> is only one
> >> and it is this:
> >>
> >>
> >> mysql -h localhost --user=admin --password=MYFINGPWD -D somedb
> >>
> >>
> >> does anyone have an idea how to overcome this security issue (without
> >> resorting to having to
> >> type in the mysql admin passwd interactively!)
> >>
> >> thanks & regards,
> >> Jochem
> >>
> >>
> >>
> >
> >
>
>
>

attached mail follows:


Edwin Barrios wrote:
> Hi !.
>
> I don't know if my solution is better or not.

neither do I! but I'm certainly going to give the alternative a go and see
what exactly it shows in the process list.

thanks for the tip!

> but in one of my programs I
> had to make a backup online; then my solution was to use shell vars to put
> important information like db_password. When we use the putenv function those
> vars only exist on the current shell and on its subshells. In your case the
> following code:
>
> <?php
> putenv("DBNAME=".DB_NAME);
> putenv("DBUSER=".DB_USER);
> putenv("DBPASSWD=".DB_PASSWD);
>
> system('mysql -h localhost --user=$DBUSER --password=$DBPASSWD -D $DBNAME
> < "/my/import/script.sql" 2>&1');
>
> ?>
>
> On 11/30/06, Jochem Maas <jochemiamjochem.com> wrote:
>>
>> Richard Lynch wrote:
>> > Don't use exec. ;-v
>>
>> yeah - which is annoying because outside of php/exec() using the `cat
>> /path/2/myqyl/passwd`
>> trick works (i.e. ps doesn't give the passwd away)
>>
>> thanks to everyone for their input - I have plenty to read/think about,
>> I'll send something back to the list when i have decided upon and tested a
>> working solution
>>
>> thanks everyone!
>>
>> >
>> > Or, perhaps, write a shell script that reads the password and provides
>> > it to MySQL somehow without invoking another exec of some kind.
>> >
>> > You also could look into other MySQL authentication mechanisms such as
>> > SSL keys and whatnot -- which I only vaguely recall seeing somewhere
>> > in the MySQL docs.
>> >
>> > That might still end up with a PHP/world readable file that has a
>> > private key in it, but at least it requires the Bad Guy to take one
>> > more step to read said file.
>> >
>> > On Wed, November 29, 2006 6:10 am, Jochem Maas wrote:
>> >> I have been using exec() for a number of things recently - one of the
>> >> things
>> >> I'm using it for it to run mysql in order to import SQL scripts
>> >>
>> >> so I have some code that looks like:
>> >>
>> >> // build the cmdline
>> >> $cmd = sprintf('mysql -h %s --user=%s --password=`cat %s` -D %s <
>> >> "%s" 2>&1',
>> >> MYSQL_SERVER, MYSQL_ROOT_USER, $rootPasswdFile,
>> >> $data['db_name']['value'], $file);
>> >>
>> >> // run the mysql command via the cmdline
>> >> $output = array(); $exit = 0;
>> >> exec($cmd, $output, $exit);
>> >>
>> >> everything works. but there is a security issue - one that I thought I
>> >> had
>> >> specifically tackled.
>> >>
>> >> the security issue occurs due to the fact that the process list (this
>> >> is
>> >> just linux I'm talking about) will show the complete command line,
>> >> which in
>> >> my case would look something like (in the processlist):
>> >>
>> >>
>> >> mysql -h localhost --user=admin --password=`cat
>> >> /my/sql/root/passwd/file` -D somedb < "/my/import/script.sql" 2>&1
>> >>
>> >>
>> >> AH I hear you say but the wily use of "`cat /my/sql/root/passwd/file`"
>> >> masks the actual
>> >> password from any looking in the process list. indeed under normal
>> >> shell scripting circumstances
>> >> that may have been true.
>> >>
>> >> BUT in using php's exec() to run the cmdline causes the following to
>> >> show up in the processlist:
>> >>
>> >>
>> >> sh -c mysql -h localhost --user=admin --password=`cat
>> >> /my/sql/root/passwd/file` -D somedb < "/my/import/script.sql" 2>&1
>> >>
>> >>
>> >> AND that [sub]shell then lists its process[s] in the list also, there
>> >> is only one
>> >> and it is this:
>> >>
>> >>
>> >> mysql -h localhost --user=admin --password=MYFINGPWD -D somedb
>> >>
>> >>
>> >> does anyone have an idea how to overcome this security issue (without
>> >> resorting to having to
>> >> type in the mysql admin passwd interactively!)
>> >>
>> >> thanks & regards,
>> >> Jochem
>> >>
>> >>
>> >>
>> >
>> >
>>
>>
>>
>

attached mail follows:


On Thu, November 30, 2006 9:59 am, Edwin Barrios wrote:
> I don't know if my solution is better or not, but in one of my
> programs I had to make a backup online; then my solution was to use
> shell vars to put important information like db_password. When we use
> the putenv function those vars only exist on the current shell and on
> its subshells. In your case the following code:
>
> <?php
> putenv("DBNAME=".DB_NAME);
> putenv("DBUSER=".DB_USER);
> putenv("DBPASSWD=".DB_PASSWD);
>
> system('mysql -h localhost --user=$DBUSER --password=$DBPASSWD -D
> $DBNAME
> < "/my/import/script.sql" 2>&1');
>
> ?>

This solution, as most good ones, has pros and cons:

Pro:
Does keep the password from being exposed in the normal course of
operations.

Con:
A simple debug statement to dump out all of ENV / $_GLOBALS will
expose the password.

So you have to ask yourself if you and all your employees and all the
scripts you ever install, including any forums etc, are for sure never
ever going to dump that password out in an attempt to debug something
else.

For a solo developer or even a small team, with all custom hand-coded
stuff, this is pretty easy. But once your application blows up and
you have a larger team, or you start caving in to client demands to
install badly-written forums/carts/blogware, you are open to a
potential security hole which:
  has two seemingly unrelated contributing causes
  the two causes can be years apart in time
  both are simple straight-forward "obvious" Right Things to do

So you have to weigh carefully the Risks, and DOCUMENT what you did
and DOCUMENT what *not* to do in the future to expose this sensitive
data.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

attached mail follows:


On 11/30/06, Richard Lynch <ceol-i-e.com> wrote:
>
> On Thu, November 30, 2006 9:59 am, Edwin Barrios wrote:
> > I don't know if my solution is better or not, but in one of my
> > programs I had to make a backup online; then my solution was to use
> > shell vars to put important information like db_password. When we use
> > the putenv function those vars only exist on the current shell and on
> > its subshells. In your case the following code:
> >
> > <?php
> > putenv("DBNAME=".DB_NAME);
> > putenv("DBUSER=".DB_USER);
> > putenv("DBPASSWD=".DB_PASSWD);
> >
> > system('mysql -h localhost --user=$DBUSER --password=$DBPASSWD -D
> > $DBNAME
> > < "/my/import/script.sql" 2>&1');
> >
> > ?>
>
> This solution, as most good ones, has pros and cons:
>
> Pro:
> Does keep the password from being exposed in the normal course of
> operations.
>
> Con:

This is not true because a shell var declared in a shell is only exposed
to its subshells; that means that only exec's and system function calls
in the php itself receive those vars declared in the php!

You can see this argument in the following code

<?php
  error_reporting(E_ALL);

  echo "OLD <pre>";
  system("env");
  echo "</pre>";

  putenv("DBNAME=sidf");
  putenv("DBUSER=p");
  putenv("DBPASSWD=p");

  echo "NEW <pre>";
  system("env");
  echo "</pre>";

?>

and reloading these a couple of times.

> A simple debug statement to dump out all of ENV / $_GLOBALS will
> expose the password.
>
> So you have to ask yourself if you and all your employees and all the
> scripts you ever install, including any forums etc, are for sure never
> ever going to dump that password out in an attempt to debug something
> else.
>
> For a solo developer or even a small team, with all custom hand-coded
> stuff, this is pretty easy. But once your application blows up and
> you have a larger team, or you start caving in to client demands to
> install badly-written forums/carts/blogware, you are open to a
> potential security hole which:
> has two seemingly unrelated contributing causes
> the two causes can be years apart in time
> both are simple straight-forward "obvious" Right Things to do
>
> So you have to weigh carefully the Risks, and DOCUMENT what you did
> and DOCUMENT what *not* to do in the future to expose this sensitive
> data.
>
> --
> Some people have a "gift" link here.
> Know what I want?
> I want you to buy a CD from some starving artist.
> http://cdbaby.com/browse/from/lynch
> Yeah, I get a buck. So?
>
>

attached mail follows:


Hi .!
First of all, pardon if my last mail was not understandable!!

Then Richard said that the following is a con of my solution:

 " A simple debug statement to dump out all of ENV / $_GLOBALS will expose
the password. So you have to ask yourself if you and all your employees
and all the scripts you ever install, including any forums etc, are for sure
never ever going to dump that password out in an attempt to debug something
else. " ...

This is not true because a shell var declared in a shell is only exposed
to its subshells; that means that only exec's and system function calls
in the php itself receive those vars declared in the php!

You can see this argument in the following code

<?php
  error_reporting(E_ALL);

  echo "OLD <pre>";
  system("env");
  echo "</pre>";

  putenv("DBNAME=sidf");
  putenv("DBUSER=p");
  putenv("DBPASSWD=p");

  echo "NEW <pre>";
  system("env");
  echo "</pre>";

?>

and reloading these a couple of times.

attached mail follows:


Richard Lynch wrote:
> On Thu, November 30, 2006 9:59 am, Edwin Barrios wrote:
>> I don't know if my solution is better or not, but in one of my
>> programs I had to make a backup online; then my solution was to use
>> shell vars to put important information like db_password. When we use
>> the putenv function those vars only exist on the current shell and on
>> its subshells. In your case the following code:
>>
>> <?php
>> putenv("DBNAME=".DB_NAME);
>> putenv("DBUSER=".DB_USER);
>> putenv("DBPASSWD=".DB_PASSWD);
>>
>> system('mysql -h localhost --user=$DBUSER --password=$DBPASSWD -D
>> $DBNAME
>> < "/my/import/script.sql" 2>&1');
>>
>> ?>
>
> This solution, as most good ones, has pros and cons:
>
> Pro:
> Does keep the password from being exposed in the normal course of
> operations.
>
> Con:
> A simple debug statement to dump out all of ENV / $_GLOBALS will
> expose the password.
>
> So you have to ask yourself if you and all your employees and all the
> scripts you ever install, including any forums etc, are for sure never
> ever going to dump that password out in an attempt to debug something
> else.

the script can only be run by root with the php cli, and all the relevant
files are only readable by root.

so I think it would be fairly safe.

>
> For a solo developer or even a small team, with all custom hand-coded
> stuff, this is pretty easy. But once your application blows up and
> you have a larger team, or you start caving in to client demands to
> install badly-written forums/carts/blogware, you are open to a
> potential security hole which:
> has two seemingly unrelated contributing causes
> the two causes can be years apart in time
> both are simple straight-forward "obvious" Right Things to do
>
> So you have to weigh carefully the Risks, and DOCUMENT what you did
> and DOCUMENT what *not* to do in the future to expose this sensitive
> data.
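
The concern in this thread, as an added example that is not code from any of the posters: in both the backtick form and the `$DBPASSWD` form, `sh -c` expands the value before mysql starts, so the password is passed to mysql on its command line. One alternative is a private option file handed over with `--defaults-extra-file` and run without a shell; the helper names are hypothetical, the array form of `proc_open` assumes PHP 7.4 or later, and the sample paths are the ones quoted in the thread.

```php
<?php
// Added example: give the password to the mysql client through a private
// option file, so it is in no process's argv and in no environment block.
// Assumes PHP >= 7.4 (array form of proc_open, 'redirect' descriptor).

/** Write a [client] option file readable only by the current user. */
function write_client_defaults(string $user, string $password, string $host): string
{
    // Conservative assumption: refuse characters that would need more than
    // backslash doubling inside a double-quoted option-file value.
    if (preg_match('/["\r\n]/', $user . $password . $host)) {
        throw new InvalidArgumentException('unsupported character in credentials');
    }
    $path = tempnam(sys_get_temp_dir(), 'mycnf');
    if ($path === false) {
        throw new RuntimeException('cannot create temporary option file');
    }
    chmod($path, 0600); // tighten before anything secret is written
    $esc = static fn(string $v): string => str_replace('\\', '\\\\', $v);
    $ini = sprintf(
        "[client]\nhost=\"%s\"\nuser=\"%s\"\npassword=\"%s\"\n",
        $esc($host), $esc($user), $esc($password)
    );
    if (file_put_contents($path, $ini) === false) {
        unlink($path);
        throw new RuntimeException('cannot write temporary option file');
    }
    return $path;
}

/** argv for the import; --defaults-extra-file has to be the first option. */
function mysql_import_argv(string $defaultsFile, string $db): array
{
    return ['mysql', '--defaults-extra-file=' . $defaultsFile, '-D', $db];
}

/** Run the import without a shell; returns [exit code, combined output]. */
function import_sql(string $user, string $passwdFile, string $host,
                    string $db, string $sqlFile): array
{
    $raw = file_get_contents($passwdFile);
    if ($raw === false) {
        throw new RuntimeException('cannot read password file');
    }
    $defaults = write_client_defaults($user, rtrim($raw, "\r\n"), $host);
    try {
        $spec = [
            0 => ['file', $sqlFile, 'r'], // replaces: < "script.sql"
            1 => ['pipe', 'w'],
            2 => ['redirect', 1],         // replaces: 2>&1
        ];
        // An array command is executed directly: no "sh -c", no expansion.
        $proc = proc_open(mysql_import_argv($defaults, $db), $spec, $pipes);
        if (!is_resource($proc)) {
            throw new RuntimeException('cannot start mysql');
        }
        $output = stream_get_contents($pipes[1]);
        fclose($pipes[1]);
        return [proc_close($proc), $output];
    } finally {
        unlink($defaults); // remove the secret once mysql has exited
    }
}

// Sample invocation with the values quoted in the thread.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    [$exit, $output] = import_sql(
        'admin', '/my/sql/root/passwd/file', 'localhost',
        'somedb', '/my/import/script.sql'
    );
    echo $output;
    exit($exit);
}
```

While mysql runs, its process list entry shows only the option-file path. The file is mode 0600 and is deleted in the `finally` block.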

attached mail follows:


hi Richard,

Richard Lynch wrote:
> On Tue, November 28, 2006 7:25 am, Jochem Maas wrote:
>> so the question is how can I use readline() and handle the SIGINT
>> gracefully whilst not waiting
>> for readline() to return control to my script?
>
> I'm just guessing here, but you probably don't.

I guess so too. would you consider it a bug that php defers the
processing of system signals whilst readline() is waiting to return
control to the script? and what is the likelihood that this has anything
to do with php? if it is down to the readline extension itself I would
be surprised - I would have expected a lib like GNU's readline to take
account of signals and handle them correctly/gracefully.

>
> You could, however, write your own PHP function similar to readline,
> only without whatever is in readline that ignores/buffers signals.
>
> You'd want something like an fread($x, 1) on a non-blocking stream,
> and then build up the string character by character, until you get a
> newline.

I can live with it the way it is - having followed your battle with non-blocking
madness in various threads in the past I don't feel much for diving into that
abyss myself (it doesn't help that my understanding of streams is patchy at best!)

one day the readline annoyance will start to grate so much I'll be forced to
look into it :-) no doubt I'll get stuck and need the help of a Non-Blocking 'expert'

anyway,
thanks for all your input (on every question I posed in last few days!)

regards,
Jochem

>

attached mail follows:


On Thu, November 30, 2006 8:41 am, Jochem Maas wrote:
> hi Richard,
>
> Richard Lynch wrote:
>> On Tue, November 28, 2006 7:25 am, Jochem Maas wrote:
>>> so the question is how can I use readline() and handle the SIGINT
>>> gracefully whilst not waiting
>>> for readline() to return control to my script?
>>
>> I'm just guessing here, but you probably don't.
>
> I guess so too. would you consider it a bug that php defers the
> processing of system signals whilst readline() is waiting to return
> control to the script? and what is the likelihood that this has
> anything
> to do with php? if it is down to the readline extension itself I would
> be surprised - I would have expected a lib like GNU's readline to take
> account of signals and handle them correctly/gracefully.

From the outside looking in, it seems like it shouldn't do that...

My first guess is that it has to for some geeky reason that would take
me weeks and weeks to figure out, assuming I could even manage to read
that C source at all.

But it's entirely possible that it's just a silly simple
mistake/oversight down in the guts of PHP somewhere. A query to
PHP-DEV list followed up by a well-written bug report would probably
take care of that, if it's the case.

>> You could, however, write your own PHP function similar to readline,
>> only without whatever is in readline that ignores/buffers signals.
>>
>> You'd want something like an fread($x, 1) on a non-blocking stream,
>> and then build up the string character by character, until you get a
>> newline.
>
> I can live with it the way it is - having followed your battle with
> non-blocking
> madness in various threads in the past I don't feel much for diving
> into that
> abyss myself (it doesn't help that my understanding of streams is
> patchy at best!)

Keep in mind that my understanding of streams is no better than yours!

I do know that the trick is to use ini_set() to change the timeout of
a stream connection to 0, so it won't block on connection.

My attempts to add that to User Contributed Notes were rebuffed,
however, so I don't see any good way to document it with the
stream_set_blocking function where every newbie always looks for it.

PS
For most of a decade, finding more time to mess with the PHP source
and try to contribute something useful has been on my "To Do" list...
Sigh.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

attached mail follows:


Hi, thanks for your help.
I was using

exec('/path/to/copy', $return);
var_dump($return);
(but I simplified it for posting)

and I was still getting no output.
actually, the return value is the least of my concerns, I just want this
script to move some files around and the script works from the command line.
as for safe_mode, it's off. Also the whoami in the previous line works as
expected.
Any pointers would be appreciated.
Tia
Ray

-----Original Message-----
From: Jan Schröter <schroeter.janweb.de>
To: php-generallists.php.net
Date: Thu, 30 Nov 2006 09:09:49 +0100
Subject: Re: [PHP] problems with exec()

> Think he's not getting a general error - just didn't read the manual
> concerning the return value of exec.
>
> kind regards
> jan
>
> Juanjo Pascual wrote:
> > What is the safe_mode value in your php.ini?
> >
> > To run exec the value of your safe_mode has to be OFF.
> >
> >
> > adminensifex.nl wrote:
> >> Try
> >>
> >> exec('/path/to/copy', $return);
> >> print_r($return);
> >>
> >> read the manual : http://nl3.php.net/manual/en/function.exec.php
> >>
> >> Description
> >> string exec ( string command [, array &output [, int &return_var]] )
> >>
> >> gr,
> >> Thijs
> >>
> >> On Wed, 29 Nov 2006 23:22:13 -0700, "Ray" <raymedia32.ca> wrote:
> >>
> >>> hello;
> >>> I am trying to write a script to do some auto configuration of my
> >>> webserver. Part of the process involves copying some configuration
> >>> files from other places on the server to a working directory where
> >>> they can be modified.
> >>> I am running freeBSD 6.0, Apache 2.2.3, php 5.1.5
> >>> I can't seem to get the exec() command to work.
> >>> I have an external shell script called 'copy' that takes care of
> >>> getting files. script is currently set to mode 777 when run from the
> >>> shell it works perfectly.
> >>>
> >>> however, in the php script
> >>>
> >>> echo exec('whoami');
> >>> exec('/path/to/copy');
> >>> the only return is
> >>> 'www' (the username correctly returned from whoami) also files
> >>> aren't changed.
> >>> any suggestions, pointers, log files to check would be appreciated
> >>> as I have spent several hours on google, in manuals, etc. haven't
> >>> tried the ougi board, but that's about it ;-)
> >>> tia
> >>> Ray
> >>>
> >>>
> >>
> >>
> >
>
>

attached mail follows:


Output you will only get if something goes wrong with the copy process.

But then again you say the 'whoami' command runs perfectly. So the only thing that
comes to my sleepy brain is incorrect paths or permissions.

Tried it here with 5.2 and 4.4.4 and seems to work. Maybe somebody else has
a clue what's going on.

On Thu, 30 Nov 2006 07:40:45 -0700, "Ray" <raymedia32.ca> wrote:
> Hi, thanks for your help.
> I was using
>
> exec('/path/to/copy', $return);
> var_dump($return);
> (but I simplified it for posting)
>
> and I was still getting no output.
> actually, the return value is the least of my concerns, I just want this
> script to move some files around and the script works from the command
> line.
> as for safe_mode, it's off. Also the whoami in the previous line works as
> expected.
> Any pointers would be appreciated.
> Tia
> Ray
>
> -----Original Message-----
> From: Jan Schröter <schroeter.janweb.de>
> To: php-generallists.php.net
> Date: Thu, 30 Nov 2006 09:09:49 +0100
> Subject: Re: [PHP] problems with exec()
>
>> Think he's not getting a general error - just didn't read the manual
>> concerning the return value of exec.
>>
>> kind regards
>> jan
>>
>> Juanjo Pascual wrote:
>> > What is the safe_mode value in your php.ini?
>> >
>> > To run exec the value of your safe_mode has to be OFF.
>> >
>> >
>> > adminensifex.nl wrote:
>> >> Try
>> >>
>> >> exec('/path/to/copy', $return);
>> >> print_r($return);
>> >>
>> >> read the manual : http://nl3.php.net/manual/en/function.exec.php
>> >>
>> >> Description
>> >> string exec ( string command [, array &output [, int &return_var]] )
>> >>
>> >> gr,
>> >> Thijs
>> >>
>> >> On Wed, 29 Nov 2006 23:22:13 -0700, "Ray" <raymedia32.ca> wrote:
>> >>
>> >>> hello;
>> >>> I am trying to write a script to do some auto configuration of my
>> >>> webserver. Part of the process involves copying some configuration
>> >>> files from other places on the server to a working directory where
>> >>> they can be modified.
>> >>> I am running freeBSD 6.0, Apache 2.2.3, php 5.1.5
>> >>> I can't seem to get the exec() command to work.
>> >>> I have an external shell script called 'copy' that takes care of
>> >>> getting files. script is currently set to mode 777 when run from the
>> >>> shell it works perfectly.
>> >>>
>> >>> however, in the php script
>> >>>
>> >>> echo exec('whoami');
>> >>> exec('/path/to/copy');
>> >>> the only return is
>> >>> 'www' (the username correctly returned from whoami) also files
>> >>> aren't changed.
>> >>> any suggestions, pointers, log files to check would be appreciated
>> >>> as I have spent several hours on google, in manuals, etc. haven't
>> >>> tried the ougi board, but that's about it ;-)
>> >>> tia
>> >>> Ray
>> >>>
>> >>>
>> >>
>> >>
>> >
>>
>>
>

attached mail follows:


Hi list,

this is my first post and I've only been lurking around these premises
for the past week.

I've been running into some strange issues with tidy.

When I try and output my HTML in utf-8 all the accentuated characters
come out as total gobbledygook.

I have no issues echoing a string via utf8_encode(), the browser
picks up the right encoding and everything comes out fine.

The only workaround I've found so far is this :

$tidy = new tidy;
$tidy->parseString(utf8_encode($html), $config, 'utf8');
$tidy->cleanRepair();

echo $tidy;

Which is really dodgy if you ask me.

Has anyone run into the same kind of problem before?

I've set a meta tag as follows, but that seems to be modified by tidy on
the fly if ever the used encoding differs from the one indicated in the
meta tag.

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

Any help would be greatly appreciated.

Cheers,

Youri

attached mail follows:


On Thu, November 30, 2006 10:21 am, Youri LACAN-BARTLEY wrote:
> Which is really dodgy if you ask me.
...
> I've set a meta tag as follows, but that seems to be modified by tidy
> on
> the fly if ever the used encoding differs from the one indicated in
> the
> meta tag.

Errrr. Using an encoding other than what's indicated in the META tag
seems like the dodgy thing to me. :-) :-) :-)

> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

Also make sure that you are sending proper header:
Content-type: text/html; charset=utf-8

Firefox et al trust headers.
IE trusts only META tags, and ignores headers.

Don't ask me why.

If Tidy really is messing up the charset/encoding, I can't help you
with that part of it -- I just know that it will SEEM messed up in a
browser until you get both headers and META tags agreeing with what
you actually send.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

attached mail follows:


Chris wrote:
> That part is correct.
>
> You shouldn't need to use addslashes - use mysql_real_escape_string or
> mysql_escape_string depending on your (current) php version - they are
> both "locale aware" and will escape things for you depending on mysql
> server (re: language setup).
>
> Then just use htmlentities to display on the frontend rather than
> using stripslashes.
>
> Of course other db's have similar functions, check the manual.
>

--> Sorry I sent you this email to your personal account, Chris.

Morning,

Just a question out of pure curiosity. Why would one prefer using
mysql_real_escape_string (I'm using 5.1.6 so mysql_escape_string is
deprecated). and htmlentities instead of addslashes and stripslashes?

I'm going to guess the main reason is to stop SQL injections? But
wouldn't add- and stripslashes do the same?

attached mail follows:


On Thu, 2006-11-30 at 10:37 -0600, Johannes Lindenbaum wrote:
> Chris wrote:
> > That part is correct.
> >
> > You shouldn't need to use addslashes - use mysql_real_escape_string or
> > mysql_escape_string depending on your (current) php version - they are
> > both "locale aware" and will escape things for you depending on mysql
> > server (re: language setup).
> >
> > Then just use htmlentities to display on the frontend rather than
> > using stripslashes.
> >
> > Of course other db's have similar functions, check the manual.
> >
>
> --> Sorry I sent you this email to your personal account, Chris.
>
> Morning,
>
> Just a question out of pure curiosity. Why would one prefer using
> mysql_real_escape_string (I'm using 5.1.6 so mysql_escape_string is
> deprecated). and htmlentities instead of addslashes and stripslashes?
>
> I'm going to guess the main reason is to stop SQL injections? But
> wouldn't add- and stripslashes do the same?

addslashes() and stripslashes() are generic and don't properly take into
consideration character set for the given database table. It states this
explicitly in the help for mysql_real_escape_string():

    "Escapes special characters in the unescaped_string, taking
     into account the current character set of the connection so
     that it is safe to place it in a mysql_query(). If binary
     data is to be inserted, this function must be used."

Cheers,
Rob.
--
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting |
| a powerful, scalable system for accessing system services |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for |
| creating re-usable components quickly and easily. |
`------------------------------------------------------------'

attached mail follows:


On 11/30/06, Johannes Lindenbaum <johannesjlindenbaum.de> wrote:
> And on retrieval stripslashes().

You shouldn't have to stripslashes your data coming from the DB.
Addslashes and friends exist to escape your data. It is not part of
your data. So when you INSERT "Jingle\'s Bells" when you retrieve it
you should have "Jingle's Bells" not "Jingle\'s Bells" because \ was
syntax to escape the single quote.

attached mail follows:


On Wed, November 29, 2006 11:55 pm, Johannes Lindenbaum wrote:
> But... magic_quotes.
> If my understanding is correct magic quotes will give ', " and \ (for
> ASCII characters, e.g. \n) a preceding backslash to escape it. I also
> see that magic_quotes_gpc() is On by default. So all data in $_POST
> and
> $_GET etc. has escaping backslashes.

Yes, but the problem is that *ALL* data in GET/POST has the escaping
backslashes as if it were ASCII data, and it may *NOT* be ASCII data.

It might be UTF-8.
It might be UTF-16.
It might be some charset you've never even heard of.

And guess what?

addslashes() on non-ASCII data, UTF-8 for example, is like a condom
with a hole in it.

> If in a .htaccess I should set
> php_flag magic_quotes_gpc Off
>
> That would lead to $_POST data like Jingle's Bells to be passed as
> Jingle's Bells, not Jingle\'s Bells. Usually most of my $_POST data
> gets
> written into a MySQL table to which I perform addslashes().

Switch to:
http://php.net/mysql_real_escape_string

> And on
> retrieval stripslashes().

No, no, and no.

You do *NOT* use stripslashes() on the data coming OUT of MySQL.

Unless you've already screwed up and done BOTH addslashes() and
MagicQuotes, which in essence did addslashes() twice, so you added
bogus data to your database.

Jingle's Bells
+ [magic quotes] ===> Jingle\'s Bells
+ [addslashes] ===> Jingle\\\'s Bells
========================================
Corrupt data in MySQL: Jingle\'s Bells

The whole point of this escaping is to identify characters that MySQL
should store as data, rather than interpret as "non-data"

Jingle's Bells
+ [magic quotes *OR* addslashes *OR* mysql_real_escape_string]
=====> Jingle\'s Bells
==============================================================
Correct data in MySQL: Jingle's Bells

Once you've done that correctly, what MySQL actually stores is the
data, not the escapes it needed to identify the data.

So if you find yourself using stripslashes() on your MySQL data to get
it "right", then, in reality, you've already screwed up and stored
non-data as data.

So go back and fix your script to NOT double-escape the input, then
fix your bad data in MySQL to NOT have non-data (\ escape character)
as part of your data.

This is going to be a major pain, I know, but you'll only make it
worse the longer you put it off.

It will be a whole lot easier if you can "freeze" the input routines
to not take anything in between the time you fix those and when you
fix the data within the database...

If not, you'll want to note EXACTLY which rows have corrupted extra
backslashes and which do not, so you can apply stripslashes() to only
the corrupt data.

> If I keep on doing that - and just start coding with magic_quotes_gpc
> Off - my scripts shouldn't alter behaviour upon PHP 6 arrival, should
> they?

You are correct that turning off magic_quotes_gpc is a good way to
prepare for PHP 6.

This has been rant #53, brought to you by the character "\"
:-) :-) :-)

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
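
Added example (not part of the message above or of the list archive): the two escaping diagrams from the message, run through a simplified model of how MySQL reads a quoted string literal, followed by a stripslashes() repair restricted to the rows known to be double-escaped. The function names, the sample rows and the cut-over id are assumptions, and magic_quotes_gpc is emulated with addslashes().

```php
<?php
// Simplified model of how MySQL reads a quoted string literal with the
// default sql_mode (backslash escapes enabled): the escape character is
// consumed and only the character it protects is stored.
function mysql_literal_value(string $escaped): string
{
    $map = ['0' => "\0", 'n' => "\n", 'r' => "\r", 't' => "\t",
            'b' => "\x08", 'Z' => "\x1a", '%' => '\\%', '_' => '\\_'];
    $out = '';
    for ($i = 0, $len = strlen($escaped); $i < $len; $i++) {
        $c = $escaped[$i];
        if ($c === '\\' && $i + 1 < $len) {
            $next = $escaped[++$i];
            $out .= $map[$next] ?? $next;   // any other escaped char is kept as-is
        } else {
            $out .= $c;
        }
    }
    return $out;
}

// Repair only the rows known to be double-escaped. The cut-over id is an
// assumption standing in for "note EXACTLY which rows" are corrupt.
function repair_rows(array $rows, int $lastCorruptId): array
{
    foreach ($rows as &$row) {
        if ($row['id'] <= $lastCorruptId) {
            $row['text'] = stripslashes($row['text']);
        }
    }
    unset($row);
    return $rows;
}

// Constructed sample rows: id 1 went through magic quotes plus addslashes(),
// ids 2 and 3 were escaped exactly once.
$once  = addslashes("Jingle's Bells");
$twice = addslashes($once);
$rows  = [
    ['id' => 1, 'text' => mysql_literal_value($twice)],
    ['id' => 2, 'text' => mysql_literal_value($once)],
    ['id' => 3, 'text' => mysql_literal_value(addslashes('C:\temp'))],
];
foreach (repair_rows($rows, 1) as $row) {
    printf("%d: %s\n", $row['id'], $row['text']);
}
```

Row 3 carries a legitimate backslash: a blanket stripslashes() over the whole table would remove it, which is why the repair is limited to the rows identified as corrupt.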

attached mail follows:


Richard Lynch schrieb:
> On Wed, November 29, 2006 11:55 pm, Johannes Lindenbaum wrote:
>
>> But... magic_quotes.
>> If my understanding is correct magic quotes will give ', " and \ (for
>> ASCII characters, e.g. \n) a preceding backslash to escape it. I also
>> see that magic_quotes_gpc() is On by default. So all data in $_POST
>> and $_GET etc. has escaping backslashes.
>>
>
> Yes, but the problem is that *ALL* data in GET/POST has the escaping
> backslashes as if it were ASCII data, and it may *NOT* be ASCII data.
>
> It might be UTF-8.
> It might be UTF-16.
> It might be some charset you've never even heard of.
>
> And guess what?
>
> addslashes() on non-ASCII data, UTF-8 for example, is like a condom
> with a hole in it.
>
>
>> If in a .htaccess I should set
>> php_flag magic_quotes_gpc Off
>>
>> That would lead to $_POST data like Jingle's Bells to be passed as
>> Jingle's Bells, not Jingle\'s Bells. Usually most of my $_POST data
>> gets written into a MySQL table to which I perform addslashes().
>>
>
> Switch to:
> http://php.net/mysql_real_escape_string
>
>
>> And on
>> retrieval stripslashes().
>>
>
> No, no, and no.
>
> You do *NOT* use stripslashes() on the data coming OUT of MySQL.
>
> Unless you've already screwed up and done BOTH addslashes() and
> MagicQuotes, which in essence did addslashes() twice, so you added
> bogus data to your database.
>
> Jingle's Bells
> + [magic quotes] ===> Jingle\'s Bells
> + [addslashes] ===> Jingle\\\'s Bells
> ========================================
> Corrupt data in MySQL: Jingle\'s Bells
>
> The whole point of this escaping is to identify characters that MySQL
> should store as data, rather than interpret as "non-data"
>
> Jingle's Bells
> + [magic quotes *OR* addslashes *OR* mysql_real_escape_string]
> =====> Jingle\'s Bells
> ==============================================================
> Correct data in MySQL: Jingle's Bells
>
> Once you've done that correctly, what MySQL actually stores is the
> data, not the escapes it needed to identify the data.
>
> So if you find yourself using stripslashes() on your MySQL data to get
> it "right", then, in reality, you've already screwed up and stored
> non-data as data.
>
> So go back and fix your script to NOT double-escape the input, then
> fix your bad data in MySQL to NOT have non-data (\ escape character)
> as part of your data.
>
> This is going to be a major pain, I know, but you'll only make it
> worse the longer you put it off.
>
> It will be a whole lot easier if you can "freeze" the input routines
> to not take anything in between the time you fix those and when you
> fix the data within the database...
>
> If not, you'll want to note EXACTLY which rows have corrupted extra
> backslashes and which do not, so you can apply stripslashes() to only
> the corrupt data.
>
>
>> If I keep on doing that - and just start coding with magic_quotes_gpc
>> Off - my scripts shouldn't alter behaviour upon PHP 6 arrival, should
>> they?
>>
>
> You are correct that turning off magic_quotes_gpc is a good way to
> prepare for PHP 6.
>
> This has been rant #53, brought to you by the character "\"
> :-) :-) :-)
>
>
Thank you very much all of you - I know what I'm doing with my weekend.
I think I was disillusioned by the fact that I had a couple Queries
screw up because they were of the format (example):
INSERT INTO table (text) VALUES( '".$_POST['data']."');
where $_POST['data'] was filled with something similar to Jingle's Bells
(a single quote), thus screwing up the query, because it was trying to
do VALUES( 'Jingle's Bells');
So by pure ignorance I just added addslashes in front of my queries.
I've come a long way since then, and I'll probably just end up writing a
smartQuoting function for my MySQL class that will use
mysql_real_escape_string() on INSERTS so I have the correct data in my
table. :)

Thanks again!

attached mail follows:


Johannes Lindenbaum wrote:
> Just a question out of pure curiosity. Why would one prefer
> using mysql_real_escape_string (I'm using 5.1.6 so
> mysql_escape_string is deprecated) and htmlentities instead
> of addslashes and stripslashes?

This example might be helpful:

http://shiflett.org/archive/184

It highlights the importance of character encoding consistency by
demonstrating an SQL injection attack that is immune to addslashes() but
not mysql_real_escape_string().

Hope that helps.

Chris

--
Chris Shiflett
http://shiflett.org/

attached mail follows:


At 11:42 PM +0200 11/29/06, Dotan Cohen wrote:
>On 20/11/06, Paul Novitski <pauljuniperwebcraft.com> wrote:
>-snip-
>Paul, I just got around to reading this thread. The post of yours that
>I quote above has got to be one of the best posts that I've read in
>the 5 years that I've been on and off the php list. The way you break
>that regex down taught me things that have eluded me for half a
>decade. Although I have nothing to do with the OP, I really want to
>say thanks for that bit of information.

Paul:

Same here -- and I saved your explanation in my "references to
review". You ought to put that on your site.

Very well done.

tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com

attached mail follows:


On Wed, November 29, 2006 10:09 pm, Andrew Warner wrote:
> This login script works when I use Snoopy (php http class), but here
> with php curl the response is the redirected page. The s