php-windows Digest 22 Apr 2002 04:00:46 -0000 Issue 1105

Topics (messages 13214 through 13218):

Re: mail attachment
        13214 by: Mike Flynn

problem with copy and move_uploaded_file
        13215 by: masa

Security with PHP4, Apache, and Win9x
        13216 by: Rick Kunkel
        13218 by: RoboTeddy

Re: Outputting a string from mysql database
        13217 by: jeff


----------------------------------------------------------------------
--- Begin Message ---
At 06:56 AM 4/21/02 -0700, Camelia Moldovan wrote:

>Hi! How can I attach a file to a mail using PHP ?
>
>I tried to use some existing classes but I received lots of errors.

http://www.phpbuilder.com/columns/kartic20000807.php3

-Mike

--- End Message ---
--- Begin Message ---
I'm using php 4.2 apache 1.3. and win98.
here is my html code. It's straight from PHP docs.

<html>
<body>
<form enctype="multipart/form-data" action="test.php" method="post">
<input type="hidden" name="MAX_FILE_SIZE" value="1000">
Send this file: <input name="userfile[]" type="file">
<input type="submit" value="Send File">
</form>
</body>
</html>

and here is my PHP code. Because I couldn't get the copy or
move_uploaded_file working I just tried to print the stuff
out. So here is my php code. (test.php)

<?php

$temp_name = $HTTP_POST_FILES['userfile']['tmp_name'];
$size = $HTTP_POST_FILES['userfile']['size'];

echo ($temp_name);
echo ($size);

?>

RESULT:
--------
none
0
--------

I have tried everything with the php.ini file (I think ??)
and with the .conf file of apache too. Somewhere I must go
wrong... but where.... ?



--- End Message ---
--- Begin Message ---
Heya folks.  I'm using Windows 98SE, Apache 1.3.6, and PHP 4.1.3 as an
Apache module.  My question concerns security in this environment.  Since
there are no real "users" in Win9x, is the Apache/PHP combo able to do
whatever the heck it wants to my filesystem?

I'm not versed in PHP yet, but from the things I've read, it looks like
filesystem objects can be read, written, or modified, and since Win9x has
no user-level security in it, I'm basically screwed if someone decides to
put a malicious PHP file on my server.

Does this sound right?

Thanks,

Rick Kunkel



--- End Message ---
--- Begin Message ---
You're partly right.

Relying on OS-based security isn't very practical in unix as well. As of
now, someone can screw you over if they go "unlink(C:/);" Instead, try
relying on safe mode, open base dir restrictions, disabled functions, etc.
You can set these up on a per-vhost basis in your apache configuration using
php_admin_value and other directives. Check the manual for more.

Ted
----- Original Message -----
From: "Rick Kunkel" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, April 21, 2002 8:08 PM
Subject: [PHP-WIN] Security with PHP4, Apache, and Win9x


> Heya folks.  I'm using Windows 98SE, Apache 1.3.6, and PHP 4.1.3 as an
> Apache module.  My question concerns security in this environment.  Since
> there are no real "users" in Win9x, is the Apache/PHP combo able to do
> whatever the heck it wants to my filesystem?
>
> I'm not versed in PHP yet, but from the things I've read, it looks like
> filesystem objects can be read, written, or modified, and since Win9x has
> no user-level security in it, I'm basically screwed if someone decides to
> put a malicious PHP file on my server.
>
> Does this sound right?
>
> Thanks,
>
> Rick Kunkel


--- End Message ---
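
A way to check, from inside a given virtual host, which of the restrictions named in the reply above are actually in effect (an added example, not code from the thread). The list of functions checked and the paths in the comments are assumptions, and PATH_SEPARATOR requires PHP 4.3 or later.

```php
<?php
// Added example (not from the thread). Run it inside the vhost being checked.
// Settings it inspects, as set from httpd.conf when PHP is an Apache module
// (the path is hypothetical):
//   php_admin_flag  safe_mode    on               (removed in PHP 5.4)
//   php_admin_value open_basedir "C:/www/site1/"
// disable_functions is read from php.ini only and cannot be set per vhost.

// Assumed list of functions an administrator would review for disabling.
$risky = array('unlink', 'exec', 'system', 'passthru',
               'shell_exec', 'popen', 'proc_open');

// Read an ini setting that holds a separated list and return its entries.
function ini_list($key, $sep)
{
    $out = array();
    foreach (explode($sep, (string) ini_get($key)) as $item) {
        $item = trim($item);
        if ($item !== '') {
            $out[] = $item;
        }
    }
    return $out;
}

$basedirs = ini_list('open_basedir', PATH_SEPARATOR);
$disabled = ini_list('disable_functions', ',');
$safeMode = (bool) ini_get('safe_mode');   // false where the setting no longer exists

echo 'safe_mode:    ', $safeMode ? 'on' : 'off or not supported', "\n";
echo 'open_basedir: ',
     $basedirs ? implode(', ', $basedirs) : 'NOT SET (no PHP-level path restriction)',
     "\n";

// Report each reviewed function as disabled or still callable by scripts.
foreach ($risky as $fn) {
    $state = in_array($fn, $disabled) ? 'disabled' : 'callable';
    echo str_pad($fn, 12), $state, "\n";
}
```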
--- Begin Message ---
J B's Supermarket is correct and it was inserted into the database without
using a form and php.

"Mike Flynn" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Are you sure that that last field truly contains "J B's Supermarket" in the
> database?  Are you sure the error wasn't produced while INSERTING the data
> into the database, thus resulting in only "J B" being put into the
> database?  You should view your database data directly, like by using a
> webmin utility.  If you do $row_info = mysql_fetch_row($result), and then
> show the row with the company name, a single quote (') shouldn't mess it
> up.  But single quotes can mess up a query.  Because if you think about
> your query, if you do it like this:
> INSERT INTO table (Name) VALUES ('J B's Supermarket')
> you can see how the single quote in the Name is messing up the query for
> MySQL -- it's making MySQL think it's the end of the value for Name.  You
> need to escape single quotes when inserting them into a MySQL database.  If
> you do it via a form and have magicquotes turned on in your PHP.INI, then
> it's done automatically.  Otherwise, you have to do it yourself.
>
> At 05:15 AM 4/16/2002 -0400, q wrote:
> >I have a field in a mysql table called table which is called names.
> >Examples of the information in this column :
> >
> >
> >    Name
> >
> >Lottery Company
> >Mark MiniMark
> >J B's Supermarket
> >
> >
> >I connect to the database successfully and I use the following php line to
> >get the information from the row: $row_info=mysql_fetch_row($result)
> >
> >However when I try to output J B's Supermarket to the web page all I get
> >is J B. How can I get the entire display on the screen including the ' in
> >the name?
> >quincy
>
>
> Mike Flynn - Burlington, VT
> http://www.mikeflynn.net/ - [EMAIL PROTECTED]
> home=>work=>home=>store=>home [repeat daily]
>


--- End Message ---
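
The quoted explanation of how the apostrophe in "J B's Supermarket" ends the string literal early, shown as an added example that is not code from the thread. It uses PDO with an in-memory SQLite database in place of the thread's MySQL server so that it runs offline; the table name `companies` is hypothetical.

```php
<?php
// Added example: SQLite in memory stands in for the thread's MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE companies (Name TEXT)');   // hypothetical table

$name = "J B's Supermarket";

// 1. Query built by string concatenation, as in the quoted INSERT.
//    The apostrophe closes the literal after "J B", leaving invalid SQL.
$naive = "INSERT INTO companies (Name) VALUES ('$name')";
try {
    $db->exec($naive);
    echo "naive insert unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "naive insert rejected: ", $e->getMessage(), "\n";
}

// 2. Escaping by hand: quote() doubles the apostrophe and adds the
//    surrounding quotes, so the value stays one literal.
$quoted = $db->quote($name);
echo "escaped literal: $quoted\n";
$db->exec("INSERT INTO companies (Name) VALUES ($quoted)");

// 3. Bound parameter: the value never becomes part of the SQL text,
//    so no escaping step can be forgotten.
$stmt = $db->prepare('INSERT INTO companies (Name) VALUES (?)');
$stmt->execute(array($name));

// Both stored rows come back whole, apostrophe included.
foreach ($db->query('SELECT Name FROM companies') as $row) {
    echo "stored: ", $row['Name'], "\n";
}
```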