php-windows Digest 17 Sep 2001 06:19:46 -0000 Issue 758

Topics (messages 9365 through 9374):

Re: Safe mode w/ IIS4 + PHP
    9365 by: Erick Baum

securing PHP on Win32
    9366 by: Erick Baum
    9369 by: CJD
    9372 by: Erick Baum

Re: ImageTTFBBox problems can sombody help
    9367 by: Stephan Figge

Re: [PHP] Re: ImageTTFBBox problems can sombody help
    9368 by: Rasmus Lerdorf

Re: How to make a script run itself ?
    9370 by: CJD

Re: form submission --- help
    9371 by: CJD

Getting started - PHP on Win98
    9373 by: Tomas Valusek

extending php (windows)
    9374 by: vimmer

Administrivia:

To subscribe to the digest, e-mail: [EMAIL PROTECTED]
To unsubscribe from the digest, e-mail: [EMAIL PROTECTED]
To post to the list, e-mail: [EMAIL PROTECTED]

----------------------------------------------------------------------
I am having a similar problem with Windows2000, IIS5, and the latest stable PHP. I don't believe Safe Mode works in a Windows environment anyways, because it does not understand Windows permissions as far as ownership. However, I was told to use the open_basedir option which is in php.ini. You set it to the root of where you want files to be able to be opened from. For example

    open_basedir = c:\inetpub\wwwroot\

which would only allow them to open files located somewhere in that directory or a sub-directory under it. Or you're supposed to be able to do something like

    open_basedir = .

which is supposed to tell it that a PHP script can only open files in the directory and sub-directories where the script resides. This would be the best option. But this does not work either.

So if someone knows how to secure a Windows 2000/IIS server from allowing people to open files from anywhere on the server, we would greatly appreciate knowing how.

Erick

"Eric R. Gavin" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> I've looked all around on this stuff to no avail. It appears that Safe Mode
> just isn't working on my machine. I'm running PHP as a CGI executable and
> with the config option:
>
> safe_mode = on
>
> I can still merrily delete files from the root of my C:
>
> Before I get a response of, "Well, just change the file system privileges."
> It should be pointed out that I'm not doing that so that I can TEST safe
> mode. IIS has a lot of little hidden areas that need to be executable,
> writeable, etc.; and it would be TREMENDOUSLY difficult for me to secure
> this whole thing via file system privs. Enter Safe Mode.
>
> Or so I thought. Safe mode just seems to not be working at all. The UID of
> the script I'm running is 0 and yet the UID of the root directory is 0.
>
> I AM, however, running all my virtual web servers as their own user. I have
> confirmed this by denying privileges to Everyone on the root and producing
> failure; and then granting privileges ONLY to the web server "user" for the
> root and getting success.
>
> So file system privs are working; but I'm confused as to why the uid of the
> script is 0. This is the case even for a script that is not "owned" (NT
> file system-wise) by the Administrators group.
>
> Am I missing something?
>
> Thanks,
>
> Eric Gavin
We have been unable to secure our Windows 2000/IIS5 server from allowing people to open any file on our server that they want to if they know the path. The safe_mode doesn't really work on Windows. But I was told to use the open_basedir option in our php.ini. I added this option and it had no effect on the ability for people to open files anywhere on the server. I tried numerous formats for the option, for example

    open_basedir = c:\inetpub\wwwroot
    open_basedir = "c:\inetpub\wwwroot"
    open_basedir = .

and on and on, with quotes, without quotes, forward slashes, backslashes, even without the drive letter more like a unix path and nothing seemed to work.

Has anyone actually got this to work? If so, I would be very interested to know what format you used for the option in the php.ini file. Or however else you managed to get this to work.

Thanks,
Erick
Best thing to do is create a user for the webserver/php and run as this user. You can then restrict the access of that user to specific areas. This is OK if you are running a single server/domain model, but if running virtual domains or multiple websites, to secure the other people's websites, you'll need to have a server per website to stop roaming. I have tested inhouse and with a poorly constructed PHP script, I can browse most file systems, access other websites on the server and even write files to their directories. If you are running a server and using PHP, then you need to do a full security analysis of it before you launch it to the world, especially on Win32. Not too bad if you're only hosting your own files and stuff, but can become a nightmare if you have it open to the 'public' to upload their php scripts.

"Erick Baum" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> We have been unable to secure our Windows 2000/IIS5 server from allowing
> people to open any file on our server that they want to if they know the
> path. The safe_mode doesn't really work on Windows. But I was told to use
> the open_basedir option in our php.ini. I added this option and it had no
> effect on the ability for people to open files anywhere on the server. I
> tried numerous formats for the option, for example
> open_basedir = c:\inetpub\wwwroot
> open_basedir = "c:\inetpub\wwwroot"
> open_basedir = .
> and on and on, with quotes, without quotes, forward slashes, backslashes,
> even without the drive letter more like a unix path and nothing seemed to
> work.
>
> Has anyone actually got this to work? If so, I would be very interested to
> know what format you used for the option in the php.ini file. Or however
> else you managed to get this to work.
>
> Thanks,
> Erick
Yes, this is going to be on a public system hosting hundreds of web sites. I can't believe there's no way to secure against something like this. There must be a way. Lots of ISPs are starting to support PHP. They certainly all wouldn't be leaving something like this wide open. A good number are probably hosting on Win32 so I must be missing something.

Thanks for the info.

Erick

"Cjd" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Best thing to do is create a user for the webserver/php and run as this
> user. You can then restrict the access of that user to specific areas. This
> is OK if you are running a single server/domain model, but if running
> virtual domains or multiple websites, to secure the other people's websites,
> you'll need to have a server per website to stop roaming. I have tested
> inhouse and with a poorly constructed PHP script, I can browse most file
> systems, access other websites on the server and even write files to their
> directories. If you are running a server and using PHP, then you need to do
> a full security analysis of it before you launch it to the world, especially
> on Win32. Not too bad if you're only hosting your own files and stuff, but
> can become a nightmare if you have it open to the 'public' to upload their
> php scripts.
>
>
> "Erick Baum" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > We have been unable to secure our Windows 2000/IIS5 server from allowing
> > people to open any file on our server that they want to if they know the
> > path. The safe_mode doesn't really work on Windows. But I was told to use
> > the open_basedir option in our php.ini. I added this option and it had no
> > effect on the ability for people to open files anywhere on the server. I
> > tried numerous formats for the option, for example
> > open_basedir = c:\inetpub\wwwroot
> > open_basedir = "c:\inetpub\wwwroot"
> > open_basedir = .
> > and on and on, with quotes, without quotes, forward slashes, backslashes,
> > even without the drive letter more like a unix path and nothing seemed to
> > work.
> >
> > Has anyone actually got this to work? If so, I would be very interested to
> > know what format you used for the option in the php.ini file. Or however
> > else you managed to get this to work.
> >
> > Thanks,
> > Erick
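A check for the situation described in this thread, where an open_basedir line in php.ini appears to have no effect. This is an added example, not code from any poster or from the PHP project; it is written for a current PHP release, and the probe path is a hypothetical file outside the intended directory that you must adjust to your own server.

```php
<?php
// Added example: report whether open_basedir is really enforced for the
// PHP binary that serves this request. Run it through the web server as
// well as from the command line, since each may read a different php.ini.

// Hypothetical probe (assumption): a file that exists on the server but
// lies OUTSIDE the directory you intended to allow.
$probe = 'c:\\winnt\\win.ini';

function basedir_report($probe)
{
    $report = array();

    // Which php.ini was loaded? False or empty means none was found and
    // every setting, open_basedir included, is at its built-in default.
    $report['ini_file'] = get_cfg_var('cfg_file_path');

    // The value PHP is actually using after parsing the file.
    $report['open_basedir'] = ini_get('open_basedir');

    // Try to open the probe; with a working restriction this must fail.
    $fh = @fopen($probe, 'r');
    $err = error_get_last(); // still recorded although @ hid the warning
    $report['probe_opened'] = ($fh !== false);
    if ($fh) {
        fclose($fh);
    }

    // A failure can also come from file system permissions or a missing
    // file, so look at the warning text to see what refused the open.
    $by_basedir = !$fh && $err
        && strpos($err['message'], 'open_basedir restriction') !== false;

    if ($report['open_basedir'] == '') {
        $report['verdict'] = 'open_basedir is not set in the running PHP';
    } elseif ($report['probe_opened']) {
        $report['verdict'] = 'open_basedir is set but the probe was readable';
    } elseif ($by_basedir) {
        $report['verdict'] = 'probe blocked by open_basedir';
    } else {
        $report['verdict'] = 'probe failed for another reason (missing file or permissions)';
    }
    return $report;
}

header('Content-Type: text/plain');
foreach (basedir_report($probe) as $key => $value) {
    echo $key, ': ', var_export($value, true), "\n";
}
```

An empty `ini_file` or `open_basedir` in the output means the edited php.ini is not the one the server's PHP binary reads, which is worth ruling out before trying further path formats.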
This is a problem of PHP 4.06 which has a hardcoded font path. The path can't be overridden by the TTF function parameters. The only possible thing to do is to find out the correct path PHP is searching in, or use 4.05. Should be something like c:/usr/share/fonts/truetype. You can try Filemon from www.sysinternals.com to determine the directory.

Stephan Figge

"Claus Bloch" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Hi
>
> I get an error :: Could not find/open font. My font is located in the
> same dir as the file/string that calls it:
> ImageTTFBBox($ttf_size,0,'DRAGONW.ttf',$show_txt);
>
> Is the setup of php wrong or what???
> If you can help me I'll be happy
>
>
> Claus Bloch
> [EMAIL PROTECTED]
Well, the problem is actually in the GD-2 library, not in PHP itself.

-Rasmus

On Sun, 16 Sep 2001, Stephan Figge wrote:

> This is a problem of PHP 4.06 which has a hardcoded font path. The path
> can't be overridden by the TTF function parameters. The only possible thing
> to do is to find out the correct path PHP is searching in, or use 4.05.
> Should be something like c:/usr/share/fonts/truetype. You can try Filemon
> from www.sysinternals.com to determine the directory.
>
> Stephan Figge
>
>
> "Claus Bloch" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Hi
> >
> > I get an error :: Could not find/open font. My font is located in the
> > same dir as the file/string that calls it:
> > ImageTTFBBox($ttf_size,0,'DRAGONW.ttf',$show_txt);
> >
> > Is the setup of php wrong or what???
> > If you can help me I'll be happy
> >
> >
> > Claus Bloch
> > [EMAIL PROTECTED]
I do a similar thing. Sending a message to almost 2,000 people each month (subscriptions - not spam!) on behalf of a client. I run it on the command line, and it never times out.

"John Lim" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Check out the at command. It's available in Linux and Windows NT/2000. You
> can run a php script from the command line using php.exe -q [filename]
>
>
> "Steen rabøl" <[EMAIL PROTECTED]> wrote in message
> news:004501c13de1$22f0d8f0$0300000a@srjhp...
> Hi
>
> I need to process some information and mail it to the users of my site every
> night, and therefore I have made a script to handle the information and mail
> it, no problem...
>
> But, now I have so many users that the script times-out, the result is that
> not all users get what they want/need
>
> How can I make a script that keeps running until all information is
> processed ?
>
> Thanks in advance
>
> Steen
In the page which receives the post, simply do:

    insert into TABLE (x,y,z) values ($x,$y,$z);
    mail("me@mymail","subject","$x\n$y\n$z");

<[EMAIL PROTECTED]> wrote in message news:OF8F2A938C.D46863F6-ON65256AC8.002FEFF3@domain...
> Dear List members,
>
> Pl. consider my case:
>
> I have a form which on submit puts the data into table.
> I want the contents of the same may also be emailed to me when that is
> being submitted in table in database.
> That is I want to do 2 things while a button on form is submitted:
> 1. The data filled in form is emailed to me and
> 2. also the same is inserted into table.
>
> Pl. advise how I can do it. I am new in this field.
>
> Thanks in advance.
>
> AK
Hello,

I just downloaded and manually installed PHP 4.0.6 on my Win98 machine. As long as I use a dial-up connection, no web server is installed. I'd like to use PHP as an off-line preprocessor, generating html files to disk. When I generated my first page, the generated code looked like this:

    X-Powered-By: PHP/4.0.6
    Content-type: text/html

    <html>
    <head>
    <title>Pokus s PHP</title>
    </head>
    <body>
    Hi, I'm a PHP script!
    </body>
    </html>

As you can see, there are two header lines in the beginning of file, although I used a -f command-line switch. How can I get rid of these two lines?

I also manually added a php file extension association with single action - Run. I inserted this command line

    c:\php\php.exe -f "%1" >"%1.html"

and expected to have resulting html in the same folder as a source php file - but it doesn't work - why?

I have searched a manual for an explanation, but I've found nothing.

Thanks for any help.

Tomas Valusek
Hello

Where can I find some information on how to extend php under windows? (ww.zend.com\apidoc - says how to write your own modules under linux)

Regards
Sebastian