[PHP] Template Security Advice (WASP - http://wasp.sourceforge.net)

I'm finishing up my WASP framework 1.0 release (http:// wasp.sourceforge.net) and I'm trying to decide the best way to lay out the template directories. WASP uses HTML_Template_Flexy for its template system. The templates are compiled using "Chunk" classes that each refer to a html template

[PHP] NZ Aegir Users/Developers

Hi there, I'm on the hunt for some Aegir users/developers in New Zealand. Please email me offlist - [EMAIL PROTECTED] if you know of any. Cheers, Tim. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] Performance of server-side DOM?

Hello, I've been toying around, lately, with using PHP's DOM API (specifically, domxml because I'm still using PHP4) for doing some of my server side dynamic pages, instead of the 'classic' method of outputting a serial stream of html dynamically generated with, e.g. php print() statements. T

Re: [PHP] Can I call .html file as a form action instead of .php?

Michael Crute wrote: On 10/10/05, *Richard Lynch* <[EMAIL PROTECTED] > wrote: In addition to the Good column, let me add this: Once I made all my .html files go through PHP, I found myself adding a lot of cool little snippets to my files that I wouldn't ha

Re: [PHP] Can I call .html file as a form action instead of .php?

On 10/10/05, Richard Lynch <[EMAIL PROTECTED]> wrote: > > In addition to the Good column, let me add this: > > Once I made all my .html files go through PHP, I found myself adding a > lot of cool little snippets to my files that I wouldn't have bothered > with if I had to re-name the file, fix all

Re: [PHP] str_replace

Charles Stuart wrote: A student run server on my old campus used to turn off PHP for security reasons - ridiculous. Would it be possible to use XSS to call curl from a remote site? I'm just a beginner so that may or not make sense. I'm not really a beginner but I don't know if that makes s

Re: [PHP] Problem w/ Hidden Input Fields

hi Jason, Jason Ferguson wrote: I have a field with a value 86 characters long. Here is the entire form: Rootsweb

Re: [PHP] ARG: Seg Faults with PHP 5.0.5, now on Solaris and SLES9

Chuck wrote: After 3 months of headache and intermittent seg faults on Solaris 9, we decided to give SLES 9 a try. Now we get continuous seg faults. I am running apache 2.0.54 on SLES 9 with all updates, and Oracle 10.2.0.1. (everything is the 32-bit flavor) I built PHP as fol

[PHP] Problem w/ Hidden Input Fields

I have a field with a value 86 characters long. Here is the entire form: Rootsweb

Re: [PHP] session save path

On Mon, October 3, 2005 9:15 am, jonathan wrote: > I'm looking for where apache / php will be saving the user session > files. when I do a phpinfo(), it tells me that session.save_path will > be temp but when I look at the files in there, there are only a > couple of files and they say nwIN; > > Is

Re: [PHP] Making MYSQL's RAND() more random

On Mon, October 3, 2005 2:39 pm, Graham Anderson wrote: > what would be the best way to make MYSQL's RAND() more random ? > > my random result set always seems pretty predictable. The first > record > in the result set always seems to be the same 4 tracks :( > Would adding some kind of random seed

Re: [PHP] Can I call .html file as a form action instead of .php?

On Mon, October 3, 2005 9:23 pm, Jasper Bryant-Greene wrote: > 1/ Setting your webserver to consider all .html files to be PHP > scripts > is good and bad. It is sometimes considered good because it hides the ... > up-to-date...), but it's sometimes bad because it causes PHP to > process > all HTML

Re: [PHP] chown function

On Tue, October 4, 2005 12:21 am, Keith Spiller wrote: > chown("$endpath", "admin"); > > to try to change the owner of directories after using mkdir() > to create them. It continues to fail on my remote Fedora server. > > I know the path is correct because mkdir() works perfectly. > Apache sets th

Re: [PHP] storing passwords in $_SESSION

Dan Brow schrieb: > Thanks, figured that would be the case. Can't for life of me think why I > wanted to do that, must have had a brain infarction. I want to have an > expired session prompt so people can log back in with out having to > start at the login page. Would having the users login saved i

Re: [PHP] str_replace

A student run server on my old campus used to turn off PHP for security reasons - ridiculous. Would it be possible to use XSS to call curl from a remote site? I'm just a beginner so that may or not make sense. Indeed it does seem like JS is the solution - unfortunately - as it seems like

Re: [PHP] PHP5 Webhost

On Tue, October 4, 2005 11:29 am, Michael Crute wrote: > I am in the process of looking for a webhost for the company I work > for. I must have PHP5 support as the CMS I am using only supports > PHP5. Does anyone know of any good quality hosts that also support > PHP5 and MySQL for less than $40/mo

Re: [PHP] Dynamic sub directory listing without redirect

On Fri, October 7, 2005 10:19 pm, Terence wrote: > I am trying to allow dynamic URL's for my users to remember similiar > to: > > www.mysite.com/joesoap > > So I want to use "joesoap" in a PHP script to pick up the user's > details > from a MySQL database. If the "joesoap" does not exist in the tab

Re: [PHP] str_replace

I'm not completely sure, but I think they're talking shite. If curl is a security problem, then disable curl. They seem from what you've said, to be pretty irrational. I respect security paranoia, but this is ridicules. You could try replacing every letter in the word curl with it's &#xxx; equivle

Re: [PHP] How do I POST data with headers & make the browser follow?

On Sat, October 8, 2005 1:58 am, Ragnar wrote: > What I gather from Richards answer earlier that the difference between > $_POST, $_GET or $_COOKIE, $_SESSION is almost irrelevant, I might > as well store the detail in a session to be able to use them on page > 3 it seems. On a DEDICATED server, $

Re: [PHP] PHP5 Soap + .NET Webservice

On Mon, October 10, 2005 4:40 am, Chris Hemmings wrote: > Can anyone explain how this works, and, how to fix it. I'm can't find > any documentation on the problem I am having. colon-separated name-spaces in XML are a relatively new development. Your XML parser probably is not up to speed on them

[PHP] ARG: Seg Faults with PHP 5.0.5, now on Solaris and SLES9

After 3 months of headache and intermittent seg faults on Solaris 9, we decided to give SLES 9 a try. Now we get continuous seg faults. I am running apache 2.0.54 on SLES 9 with all updates, and Oracle 10.2.0.1. (everything is the 32-bit flavor) I built PHP as follows: adcinfops

RE: [PHP] storing passwords in $_SESSION

Why not store a cookie and session variable with a randomly generated ID code (see uniqid function in manuals) then just check to see if one is equal to the other on your "relogin" This way you don't record any "personal" user information and can still do an autologin type script. - Jeff -Or

[PHP] str_replace

Hi, I'm on shared hosting. Because of security concerns on their part [1], every time the text "curl u" is inputted, a 403 forbidden is given and the form is not submitted. This is of course a problem as I'm doing work for a children's literacy program, and plenty of people try to input "

Re: [PHP] storing passwords in $_SESSION

Sorry for the confusion, I should have changed the subject line to reflect my new idea. Thanks. On Mon, 2005-10-10 at 22:03 +0200, Emil Novak wrote: > Oh, just username... That's good idea. > > Emil NOVAK > LAMP Developer > > On 10/10/05, Dan Brow <[EMAIL PROTECTED]> wrote: > > I was meaning ju

Re: [PHP] Help with logic :(

On Mon, October 10, 2005 3:24 pm, Dan McCullough wrote: > create a function to check if the rndnumber=couponcode row count = 0 > if not then redo rndnumber if it does = 0 then insert rndnumber N! You are creating a RACE CONDITION in which ONE user might generate a 'val

Re: [PHP] Store a variable name in a database field.

On Mon, October 10, 2005 12:17 pm, Liam Delahunty wrote: > I'm sure this is a pretty basic question, but I have searched for a > decent answer and can't find one. > > I have a client that want to be able to write newsletters > (newsleters_tbl.email_body) and use fields from his contact table, so >

Re: [PHP] Re: Testing a String for 'most' Capitalised

On Mon, October 10, 2005 12:31 pm, zzapper wrote: > On Mon, 10 Oct 2005 15:27:05 +0100, wrote: > >>On 10/10/05, zzapper <[EMAIL PROTECTED]> wrote: >>> Hi, >>> >>> Image that there could be a string >>> >>> fred >>> Fred >>> FRED >>> >>> First of all I need to know that these are same which I can d

Re: [PHP] Help with logic :(

create a function to check if the rndnumber=couponcode row count = 0 if not then redo rndnumber if it does = 0 then insert rndnumber On 10/10/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > Hey guys, > > Having trouble coming up with a solution to this idea I am trying to > implement. > > I hav

Re: [PHP] default mail headers ?

On Mon, October 10, 2005 1:54 pm, Tim Traver wrote: > when using the mail() function in the base PHP distribution, is there > a > way to inject a default header onto all mail being sent out ? > > I thought at some point there was already a header that specified the > script that was making the mail

[PHP] PHP guru needed urgently

Hi- I'm in urgent (today/tomorrow) need of someone with strong PHP programming skills. I was adapting phpESP http://www.butterfat.net/wiki/Projects/phpESP/ an open source Survey program and have run into a couple road blocks that far exceed my programming skills. The two things I'd like

[PHP] Help with logic :(

Hey guys, Having trouble coming up with a solution to this idea I am trying to implement. I have a "Coupon" table. I am creating radonly generated coupon codes that go into this table. 12 chars in length - both number and letters - all lowercase. I figure I need to do the following: 1) generat

Re: [PHP] storing passwords in $_SESSION

Oh, just username... That's good idea. Emil NOVAK LAMP Developer On 10/10/05, Dan Brow <[EMAIL PROTECTED]> wrote: > I was meaning just the username, not the password, still the same issue? > > On Mon, 2005-10-10 at 21:35 +0200, Emil Novak wrote: > > Yet another unsafe way... You can try to write

Re: [PHP] user admin/site admin open source functions..

i'm trying to find an "open source" app that would provide me with user admin/site admin functionality. i've been playing with a few of the open source cms apps to get a feel for how they implement this kind of funtionality. i could rip out what i need, but it might be painful for something like m

[PHP] user admin/site admin open source functions..

hey... i'm trying to find an "open source" app that would provide me with user admin/site admin functionality. i've been playing with a few of the open source cms apps to get a feel for how they implement this kind of funtionality. i could rip out what i need, but it might be painful for something

Re: [PHP] storing passwords in $_SESSION

I was meaning just the username, not the password, still the same issue? On Mon, 2005-10-10 at 21:35 +0200, Emil Novak wrote: > Yet another unsafe way... You can try to write a program that reads > stored cookies in Temporary Internet Files - it's peace of cake for > somebody that is advanced prog

Re: [PHP] getting php to generate a 503

[EMAIL PROTECTED] wrote: I want to write a php page that can return a 503 with some useful information. ?> Is what I've done so far - yet it doesn't work, the headers don't seem to be modified and my page just returns the echoed contet and both firefox and IE blithely ignore the fact tha

Re: [PHP] storing passwords in $_SESSION

Yet another unsafe way... You can try to write a program that reads stored cookies in Temporary Internet Files - it's peace of cake for somebody that is advanced programmer. The best way is to "eliminate" lazy users - you simply do not implement "auto login". It's the fastest, safest and the easies

RE: [PHP] storing passwords in $_SESSION

Well, um. ya. Back to the drawing board. Save it in a cookie? On Mon, 2005-10-10 at 14:59 -0400, Kilbride, James wrote: > If the session expired.. how will session hold their user id?? > > > -Original Message- > > From: Dan Brow [mailto:[EMAIL PROTECTED] > > Sent: Monday, October 10, 2

[PHP] default mail headers ?

Hi all, when using the mail() function in the base PHP distribution, is there a way to inject a default header onto all mail being sent out ? I thought at some point there was already a header that specified the script that was making the mail() call in it, but it doesn't look like that is h

RE: [PHP] Pocket PC(Mobile 2003 particularly)

> -Original Message- > From: Jim Moseby [mailto:[EMAIL PROTECTED] > Sent: Monday, October 10, 2005 2:42 PM > To: Kilbride, James > Cc: php-general@lists.php.net > Subject: RE: [PHP] Pocket PC(Mobile 2003 particularly) > SNIPPED... > > The first. As to why? I have web applications that cur

Re: [PHP] storing passwords in $_SESSION

Thanks, figured that would be the case. Can't for life of me think why I wanted to do that, must have had a brain infarction. I want to have an expired session prompt so people can log back in with out having to start at the login page. Would having the users login saved in $_SESSION be alright? pr

Re[2]: [PHP] storing passwords in $_SESSION

Hi Jay, Monday, October 10, 2005, 7:36:12 PM, you wrote: > I would think it neither safe nor practical. Once a user has logged > in having the password in SESSION would be useless. Agreed totally, I am curious as to why this question seems to get asked a LOT though. I wonder what it is that caus

RE: [PHP] Pocket PC(Mobile 2003 particularly)

> > > > > > I am looking for a build of apache(or any http server) with > > PHP5 that > > > works for Pocket PC's. Specifically Windows Mobile. Can > > anybody point > > > me in a good direction to head in my search? I'm working > > here with the > > > PHP list because quite frankly PHP is

Re: [PHP] storing passwords in $_SESSION

Hi Dan, Monday, October 10, 2005, 7:43:31 PM, you wrote: > How secure is it to save a password in $_SESSION. > i.e. $_SESSION['password'] > is it safe and is it practical? No, and no (well, not if you want to be safe) More to the point - why would you ever want to? If you've found yourself i

Re: [PHP] storing passwords in $_SESSION

How secure is it to save a password in $_SESSION. i.e. $_SESSION['password'] is it safe and is it practical? Probably not. If you're on a shared server, I could write a PHP script to look in /tmp and read the contents of every session file there... -philip -- PHP General Mailing List (htt

RE: [PHP] storing passwords in $_SESSION

[snip] How secure is it to save a password in $_SESSION. i.e. $_SESSION['password'] is it safe and is it practical? [/snip] I would think it neither safe nor practical. Once a user has logged in having the password in SESSION would be useless. -- PHP General Mailing List (http://www.php.net/)

[PHP] storing passwords in $_SESSION

How secure is it to save a password in $_SESSION. i.e. $_SESSION['password'] is it safe and is it practical? Thanks, Dan. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Having resource variables over several scripts

Hey, actually, the key problem is that: I installed this ssh2 extension and want to connect to e.g. a server, and then, maybe on the next page, enter a command that will be executed on that server and so on. I can't connect to a server everytime (or: i COULD but I don't want to) because it tak

[PHP] Re: Testing a String for 'most' Capitalised

On Mon, 10 Oct 2005 15:27:05 +0100, wrote: >On 10/10/05, zzapper <[EMAIL PROTECTED]> wrote: >> Hi, >> >> Image that there could be a string >> >> fred >> Fred >> FRED >> >> First of all I need to know that these are same which I can do with >> strtolower, but how could I tell >> that 'FRED' is '

RE: [PHP] Having resource variables over several scripts

I was under the impression he was using the resource to get information then trying to pass that information... rereading it makes it seem otherwise, so sorry for the false information :-P I've never actually tried passing resources themselves among scripts so TG is most likely correct. As far a

[PHP] Store a variable name in a database field.

I'm sure this is a pretty basic question, but I have searched for a decent answer and can't find one. I have a client that want to be able to write newsletters (newsleters_tbl.email_body) and use fields from his contact table, so as we grind through the contact list for newsletters subscribers it

RE: [PHP] Having resource variables over several scripts

Ok, first let me disclaim that there are definitely a lot of people a lot smarter than me out there who may have figured this one out already, but as far as I know, resources like open file handles, database connection handles, objects, etc.. but especially anything that returns a resource numb

RE: [PHP] Having resource variables over several scripts

Ben, If you grab the resource and store it in a variable, you certainly should be able to send it via GET or POST. For that matter, you should be able to store the information in a SESSION variable too, so I'm not sure what is going wrong. Could you email the code you are using to grab the resou

Re: [PHP] Testing a String for 'most' Capitalised

Greg Donald wrote: On 10/10/05, Jochem Maas <[EMAIL PROTECTED]> wrote: I AM NOT THE OP THANKS, I'm quite capable of solving such a problem without the help of people who don't bother to think beyond 'sample data' ... Yeah, everyone should read minds automatically, I agree. I guess reading

RE: [PHP] Pocket PC(Mobile 2003 particularly)

> -Original Message- > From: Kilbride, James [mailto:[EMAIL PROTECTED] > Sent: Monday, October 10, 2005 11:45 AM > To: php-general@lists.php.net > Subject: [PHP] Pocket PC(Mobile 2003 particularly) > > > I am looking for a build of apache(or any http server) with PHP5 that > works for Po

[PHP] Pocket PC(Mobile 2003 particularly)

I am looking for a build of apache(or any http server) with PHP5 that works for Pocket PC's. Specifically Windows Mobile. Can anybody point me in a good direction to head in my search? I'm working here with the PHP list because quite frankly PHP is the critical part of this in my mind. Thanks. Jam

[PHP] pgpgacl usage...

hey... is there anyone here, who's actually used the phpgacl functions in an actual app... i'm looking for comments on the pros/cons/etc... thanks -bruce [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Testing a String for 'most' Capitalised

On 10/10/05, Jochem Maas <[EMAIL PROTECTED]> wrote: > I AM NOT THE OP THANKS, I'm quite capable of solving > such a problem without the help of people who don't bother > to think beyond 'sample data' ... Yeah, everyone should read minds automatically, I agree. > It's bloody obvious that > the dat

[PHP] Having resource variables over several scripts

Hey, I am trying to have e.g. a file opened over several scripts. When opening a file with "fopen" I receive a variable of the type resource (like "Resource ID #3"), but when I try to save this variable in the SESSION and try to use it on another page, I get a "null" variable. Because I need

Re: [PHP] Testing a String for 'most' Capitalised

Greg Donald wrote: On 10/10/05, Jochem Maas <[EMAIL PROTECTED]> wrote: cute - but it doesn't always work e.g.: $a = array( "FrEDDie", "fREDdIE", "FReddie" ); sort( $a ); echo $a[ 0 ]; // we want the 2nd item from the unsort array Works for the sample data you first posted. *shrug* I AM N

Re: [PHP] Testing a String for 'most' Capitalised

On 10/10/05, zzapper <[EMAIL PROTECTED]> wrote: > Hi, > > Image that there could be a string > > fred > Fred > FRED > > First of all I need to know that these are same which I can do with > strtolower, but how could I tell > that 'FRED' is 'most captilised? strlen(preg_replace('/[^[:upper:]]/',

Re: [PHP] Testing a String for 'most' Capitalised

On 10/10/05, Jochem Maas <[EMAIL PROTECTED]> wrote: > cute - but it doesn't always work e.g.: > > $a = array( "FrEDDie", "fREDdIE", "FReddie" ); > sort( $a ); > echo $a[ 0 ]; // we want the 2nd item from the unsort array Works for the sample data you first posted. *shrug* -- Greg Donald Zend Ce

[PHP] Remove X-PHP-SCRIPT from mail header

Hello! I'm looking for a way to remove or disable X-PHP-SCRIPT from mail headers, then sending emails from a PHP script. (now just shows the location of my php script) Do I have to recompile PHP for this? or just set a param in php.ini? Any ideas are very appreciated. many thanks, Mike

Re: [PHP] Testing a String for 'most' Capitalised

Greg Donald wrote: On 10/10/05, zzapper <[EMAIL PROTECTED]> wrote: Image that there could be a string fred Fred FRED First of all I need to know that these are same which I can do with strtolower, but how could I tell $a = array( 'fred', 'Fred', 'FRED' ); sort( $a ); echo $a[ 0 ]; cute

Re: [PHP] Testing a String for 'most' Capitalised

> > Image that there could be a string > > fred > > Fred > > FRED It isn't hard to do. > > First of all I need to know that these are same which I can do with > > strtolower Also note strcasecmp for this task - http://uk2.php.net/manual/en/function.strcasecmp.php -- PHP General Mailing List (h

Re: [PHP] Testing a String for 'most' Capitalised

On 10/10/05, zzapper <[EMAIL PROTECTED]> wrote: > Image that there could be a string > > fred > Fred > FRED > > First of all I need to know that these are same which I can do with > strtolower, > but how could I tell $a = array( 'fred', 'Fred', 'FRED' ); sort( $a ); echo $a[ 0 ]; -- Greg Donal

Re: [PHP] Testing a String for 'most' Capitalised

Image that there could be a string fred Fred FRED First of all I need to know that these are same which I can do with strtolower, but how could I tell that 'FRED' is 'most captilised? Iterate through the string and count the number of capitalised letters. You can do something like this (untest

[PHP] Testing a String for 'most' Capitalised

Hi, Image that there could be a string fred Fred FRED First of all I need to know that these are same which I can do with strtolower, but how could I tell that 'FRED' is 'most captilised? -- zzapper Success for Techies and Vim,Zsh tips http://SuccessTheory.com/ -- PHP General Mailing List (h

Re: [PHP] getting php to generate a 503

[EMAIL PROTECTED] wrote: I want to write a php page that can return a 503 with some useful information. try header("Status: 503 Service Unavailable"); echo "Page execution failed.\n"; ?> Is what I've done so far - yet it doesn't work, the headers don't seem to be modified and my pag

[PHP] getting php to generate a 503

I want to write a php page that can return a 503 with some useful information. Is what I've done so far - yet it doesn't work, the headers don't seem to be modified and my page just returns the echoed contet and both firefox and IE blithely ignore the fact that I set the server unavailable head

[PHP] PHP5 Soap + .NET Webservice

Hello, Can anyone explain how this works, and, how to fix it. I'm can't find any documentation on the problem I am having. I'm using a .NET webservice and a PHP SOAP call using version 5.0.4. The returned result does not seem correct because of all the stuff at the top, the 'xs' stuff. Thi

Re: [PHP] How do I POST data with headers & make the browser follow?

> basically what I am working on is integrating a step inbetween the checkout > and the payment gateway processing. > > The cardholder information is checked for enrolment in the first step, if > the cardholder is enrolled he will need to authenticate himself by password > (this is where the 2nd pa

Re: [PHP] caching parsed XML files as DOM objects in memory

I'm writing template library based on XML. But it's not very efficient to create new DomDocument, load XML template, process it and show on every page hit. XML parsing is not very fast, and because I'm parsing XHTML with entities, all DTD's are parsed too. I thought about something similar to java

Re: [PHP] GET variables and mySQL functions inside an Image header.

- Original Message - From: "Kristopher Kane" <[EMAIL PROTECTED]> To: Sent: Monday, October 10, 2005 8:33 AM Subject: [PHP] GET variables and mySQL functions inside an Image header. I am currently in Afghanistan and don't have much access to look these questions up. I consider them ba

Re: [PHP] GET variables and mySQL functions inside an Image header.

Kristopher Kane wrote: I am currently in Afghanistan and don't have much access to look these questions up. I consider them basic and regret having to post them here. When passing variables using GET as in: index.php?first=value?second=value My script is reading the first value, however through