On Tue, 20 Oct 2009 14:31:53 -0400
"Gary" wrote:
> I have several sites that are getting hit with form spam. I have the
> script set up to capture the IP address so I know from where they
> come. I found a short script that is supposed to stop these IP
> addresses from accessing the form page,
- Original Message -
From: "Ashley Sheridan"
To: "Dotan Cohen"
Cc: "Jim Lucas" ; "php-general."
Sent: Tuesday, October 20, 2009 4:02 AM
Subject: Re: [PHP] Sanitizing potential MySQL strings with no database
connection
On Tue, 2009-10-20 at 12:58 +0200, Dotan Cohen wrote:
> Dot
> -Original Message-
> From: Dotan Cohen [mailto:dotanco...@gmail.com]
> Sent: Friday, October 16, 2009 8:46 AM
> To: php-general.
> Subject: [PHP] How to pronounce PHP code over the phone?
>
> How would you read this out loud if you were to read it to someone
> over the phone?
>
> ($
Gary wrote on 2009-10-20 22:55:
I like that idea, so in other words they have to get to the form from another
page on the site, and you set a time limit for a minimum amount of time they
spend on the page (5-10 seconds)?
I don't set any time, just the session to prevent direct hits from a
spam
t first goes to the frontpage, then the form page, but so far I'm
> pretty happy with the solution, no spam for 3 years :-)
>
> --
> Kind regards
> Kim Emax - masterminds.dk
>
> __ Information from ESET Smart Security, version of virus
> si
Philip Thompson wrote on 2009-10-20 21:58:
I got it to draw the different background colors successfully. However,
drawing borders is not as straightforward. I'm sure I could get it
working as well... but I'd rather it work *out of the box*. Thanks for
the suggestion. ;)
Well, you're always
mers are coming from dynamic IP
>> addresses.
>>
>> Thanks,
>> Ash
>> http://www.ashleysheridan.co.uk
>>
>>
>>
>
> Add a hidden field that should not hold a value. Spam bots will try to
> fill all fields with that value, so if there is one send back a
Hey Gary
Gary wrote on 2009-10-20 20:31:
I have several sites that are getting hit with form spam. I have the script
set up to capture the IP address so I know from where they come.
I see that a lot suggested CAPTCHA, I don't like those either.
The IP solution will give you a constant main
On Tue, Oct 20, 2009 at 4:12 PM, Ashley Sheridan
wrote:
> On Tue, 2009-10-20 at 21:01 +0200, John Black wrote:
>
>> Gary wrote:
>> > I believe they are human spammers as all the input fields are correctly
>> > filled out (phone in phone, address in address etc).
>> > As I said they are mostly the
On Tue, 2009-10-20 at 21:01 +0200, John Black wrote:
> Gary wrote:
> > I believe they are human spammers as all the input fields are correctly
> > filled out (phone in phone, address in address etc).
> > As I said they are mostly the same IP.
> > Would it be better to include this script in the p
On Tue, 2009-10-20 at 15:46 -0300, Jonathan Tapicer wrote:
> On Tue, Oct 20, 2009 at 3:39 PM, Ashley Sheridan
> wrote:
> >
> > On Tue, 2009-10-20 at 15:36 -0300, Jonathan Tapicer wrote:
> >
> > That will work just for one IP, but they could spam you from another
> > IP. I suggest you add a good c
On Oct 20, 2009, at 2:40 PM, Floyd Resler wrote:
As far as I know ezPDF can't do what you want it to do. Of course,
you could always modify the code to suit your needs. Since it
already draws tables it probably wouldn't be too difficult to modify
it to draw row backgrounds of different col
Jim Lucas wrote:
> Dotan Cohen wrote:
>> 2009/10/19 Kim Madsen :
>>> Dotan Cohen wrote on 2009-10-18 21:21:
>>>
I thought that one could not test if a database connection is
established or not, this is the most relevant thing that I found while
googling that:
http://bugs.php.net
On Tue, 20 Oct 2009 20:04:51 +0200, Nisse Engström wrote:
> On Mon, 19 Oct 2009 15:39:40 -0700, Jim Lucas wrote:
>
>> /**
>>* Character to escape...
>>* \x0 \n \r \ ' " \x1a
>> **/
>>
>> $patterns = array( "\x0", "\n", "\r", "\\", "'","\"", "
As far as I know ezPDF can't do what you want it to do. Of course,
you could always modify the code to suit your needs. Since it
already draws tables it probably wouldn't be too difficult to modify
it to draw row backgrounds of different colors.
Take care,
Floyd
On Oct 20, 2009, at 3:25 P
Hi Tommy,
I've found both approaches (using setter/getter) as
recommended/non-recommended in documentation so this will be a difficult
decision. Unfortunately I'll not be able to take your way since the Email
class (simplified in the example) is going to be used in other classes as
well.
On S
"222.222.222", "333.333.333");
> > if (in_array ($_SERVER['REMOTE_ADDR'], $deny)) {
> > header("location: http://www.google.com/");
> > exit();
> > } ?>
> > Gary
> if(@mysql_real_escape_string($variable) === false)
>
Perfect! The @ symbol suppresses the error and I can structure the
code according to whether or not there is a connection.
Thank you!
--
Dotan Cohen
http://what-is-what.com
http://gibberish.co.il
--
PHP General Mailing List (http://www.p
On Oct 19, 2009, at 4:21 PM, Floyd Resler wrote:
Nope. I've never had any troubles with it. I've been able to
produce all kinds of PDFs including loan agreements, inventory pick
lists with barcodes, and various others. I find it incredibly
powerful and easy to use.
Take care,
Floyd
S
Hi,
Thanks. I'll probably do the addEmail method. I was hoping to do as with
the other "non-array" properties.
On Sun, Oct 18, 2009 at 1:00 PM, Andy Shellam (Mailing Lists)
wrote:
> Hi,
>
>
> $u->emails[] = $e;
>
>
> I would hazard a guess because $u->emails isn't a concrete object (whereas
Dotan Cohen wrote:
> 2009/10/20 Andrea Giammarchi :
>> even better
>>
>> $error_reporting = error_reporting(0);
>> if(mysql_real_escape_string($variable) === false)
>> {
>> error_reporting($error_reporting);
>>
>> // create a default DB connection
>>
>> } else
>> error_reporting($error_
> If you're sure that all your data is UTF-8, and that
> all user-supplied data is *actually valid* UTF-8 (and
> not deliberately or accidentally malformed), then
> mysql_escape_string() should be just fine [1].
>
I cannot ensure that the users will not be malicious, even if it is
all internal u
google.com/");
> exit();
> } ?>
> Gary
Gary wrote:
I believe they are human spammers as all the input fields are correctly
filled out (phone in phone, address in address etc).
As I said they are mostly the same IP.
Would it be better to include this script in the processing script rather
than at the top of the page?
If it is fixe
.333.333");
>> if (in_array ($_SERVER['REMOTE_ADDR'], $deny)) {
>> header("location: http://www.google.com/");
>> exit();
>> } ?>
>> Gary
Jonathan Tapicer wrote:
I suggest you add a good captcha to the form and that way you can
avoid spam forever.
You can find a question/answer based CAPTCHA system here.
http://www.network-technologies.org/tiny.php?id=1
The system can be used to protect comment forms, email forms or act as a
bo
header("location: http://www.google.com/");
>> exit();
>> } ?>
>> Gary
>>
>
> Have you tried CAPTCHA?
>
> Paul
>
> --
> Paul M. Foster
>
On Tue, Oct 20, 2009 at 3:39 PM, Ashley Sheridan
wrote:
>
> On Tue, 2009-10-20 at 15:36 -0300, Jonathan Tapicer wrote:
>
> That will work just for one IP, but they could spam you from another
> IP. I suggest you add a good captcha to the form and that way you can
> avoid spam forever.
>
> Regards,
On Tue, 2009-10-20 at 15:36 -0300, Jonathan Tapicer wrote:
> That will work just for one IP, but they could spam you from another
> IP. I suggest you add a good captcha to the form and that way you can
> avoid spam forever.
>
> Regards,
>
> Jonathan
Firstly, in_array() is used in his example,
On Tue, Oct 20, 2009 at 02:31:53PM -0400, Gary wrote:
> I have several sites that are getting hit with form spam. I have the script
> set up to capture the IP address so I know from where they come. I found a
> short script that is supposed to stop these IP addresses from accessing the
> form pa
"333.333.333");
> if (in_array ($_SERVER['REMOTE_ADDR'], $deny)) {
> header("location: http://www.google.com/");
> exit();
> } ?>
> Gary
A few things immediately spring to
s the FBI.
> >
> > Any thoughts on the script and its effectiveness?
> >
> > > $deny = array("111.111.111", "222.222.222", "333.333.333");
> > if (in_array ($_SERVER['REMOTE_ADDR'], $deny)) {
> > header("location: htt
.333.333");
> if (in_array ($_SERVER['REMOTE_ADDR'], $deny)) {
> header("location: http://www.google.com/");
> exit();
> } ?>
> Gary
>Gary
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Dotan Cohen wrote on 2009-10-20 20:06:
if(mysql_real_escape_string($variable) === false)
{
// create a default DB connection
}
Here, the key seems to be to turn the warning level down, which I do
not have privileges to do on this server. But in fact this seems to be
the key that I was mis
2009/10/20 Andrea Giammarchi :
> even better
>
> $error_reporting = error_reporting(0);
> if(mysql_real_escape_string($variable) === false)
> {
> error_reporting($error_reporting);
>
> // create a default DB connection
>
> } else
> error_reporting($error_reporting);
> unset($error_repor
> No, and you clearly missed the point about that function being pretty much
> dead anyway.
>
I understand that mysql_escape_string() is deprecated. Asking about
other similar functions does not seem out of line.
> You mentioned also in your last email that you would make a DB connection if
>
On Mon, 19 Oct 2009 15:39:40 -0700, Jim Lucas wrote:
> I have no idea if it will work, [...]
Well, you're right so far...
>
> function clean_string($input) {
>
> /**
>* Character to escape...
>* \x0 \n \r \ ' " \x1a
> **/
>
> $patterns = array(
On Tue, 20 Oct 2009 14:58:32 +0200, Dotan Cohen wrote:
>> Yes, the mysql_real_escape_string() function uses the database's
>> character encoding to determine how to encode the string, whereas the
>> older deprecated version mysql_escape_string() required no connection
>> as it always assumed Latin-
Ashley Sheridan wrote:
> On Tue, 2009-10-20 at 19:01 +0300, Thodoris wrote:
>
>>
>>>
>>>
>>>
>>> How do you mean an invalid URL? A URL that is not valid as in $url =
>>> "poo" or a valid formed URL that doesn't exist?
>>>
>>> Thanks,
>>> Ash
>>> http://www.ashleysheridan.co.uk
>>>
>>>
>>>
>>>
>
http://php.net/manual/en/language.operators.errorcontrol.php ?
A better idea would be suppressing the error messages in a production site:
ini_set('display_errors',0);
--
Thodoris
resea soul wrote:
I'm using the function file_get_contents($url). If the url is invalid the
function displays a warning message while I am using my own customized
message. I want to get rid of the warning message.
This should do it:
@file_get_contents($url)
--
John
Gott ist eine faust
On Tue, 2009-10-20 at 19:01 +0300, Thodoris wrote:
>
>
> >
> >
> >
> >
> > How do you mean an invalid URL? A URL that is not valid as in $url =
> > "poo" or a valid formed URL that doesn't exist?
> >
> > Thanks,
> > Ash
> > http://www.ashleysheridan.co.uk
> >
> >
> >
> >
>
>
> Does
How do you mean an invalid URL? A URL that is not valid as in $url =
"poo" or a valid formed URL that doesn't exist?
Thanks,
Ash
http://www.ashleysheridan.co.uk
Does it really matter? In both cases the file_get_contents() won't be
able to open the URL and it will produce a warning or
On Tue, 2009-10-20 at 11:34 -0400, resea soul wrote:
> Hi,
>
> I'm using the function file_get_contents($url). If the url is invalid the
> function displays a warning message while I am using my own customized
> message. I want to get rid of the warning message.
>
> Thank you
How do you mean a
On Oct 20, 2009, at 10:34 AM, resea soul wrote:
Hi,
I'm using the function file_get_contents($url). If the url is
invalid the
function displays a warning message while I am using my own customized
message. I want to get rid of the warning message.
Thank you
@file_get_contents(...)
http://php.net/manual/en/language.operators.errorcontrol.php ?
Hi,
I'm using the function file_get_contents($url). If the url is invalid the
function displays a warning message while I am using my own customized
message. I want to get rid of the warning message.
Thank you
even better
$error_reporting = error_reporting(0);
if(mysql_real_escape_string($variable) === false)
{
error_reporting($error_reporting);
// create a default DB connection
} else
error_reporting($error_reporting);
unset($error_reporting);
> From: an_...@hotmail.com
> To: a...@ash
> If says:
>
> Returns the escaped string, or FALSE on error.
>
> So all you have to do, is have warnings turned off (as it generates an
> E_WARNING if you have no active connection) and then look at the return
> value of a call to the function:
>
> if(mysql_real_escape_string($variable) === fa
On Tue, 2009-10-20 at 14:58 +0200, Dotan Cohen wrote:
> > Yes, the mysql_real_escape_string() function uses the database's character
> > encoding to determine how to encode the
> > string, whereas the older deprecated version mysql_escape_string() required
> > no connection as it always assumed
>
Hi,
did anybody read the book "Securing PHP Web Applications" by Tricia
Ballad & William Ballad?
(http://www.amazon.com/Securing-PHP-Applications-Tricia-Ballad/dp/0321534344/ref=sr_1_1?ie=UTF8&s=books&qid=1256042083&sr=8-1)
Any opinions?
L
> Yes, the mysql_real_escape_string() function uses the database's character
> encoding to determine how to encode the
> string, whereas the older deprecated version mysql_escape_string() required
> no connection as it always assumed
> Latin-1 (as far as I know)
Is there such a function that alwa
> Your only option might be to do something "smart". You can't use the proper
> mysql functions without a connection to a
> database, but you refuse to connect to a database until after you perform
> validation...
>
More accurate to say that the file in which the function is stored
does not know
On Tue, 2009-10-20 at 08:43 -0400, Bob McConnell wrote:
> From: Ashley Sheridan
>
> > On Tue, 2009-10-20 at 14:20 +0200, Andrea Giammarchi wrote:
> >> > Your only option might be to do something "smart". You can't use
> the
> >> > proper mysql functions without a connection to a database, but you
From: Ashley Sheridan
> On Tue, 2009-10-20 at 14:20 +0200, Andrea Giammarchi wrote:
>> > Your only option might be to do something "smart". You can't use
the
>> > proper mysql functions without a connection to a database, but you
>> > refuse to connect to a database until after you perform
validat
On Tue, 2009-10-20 at 14:20 +0200, Andrea Giammarchi wrote:
>
> > Your only option might be to do something "smart". You can't use the
> > proper mysql functions without a connection to a database, but you
> > refuse to connect to a database until after you perform validation...
> >
> > You do r
> Your only option might be to do something "smart". You can't use the
> proper mysql functions without a connection to a database, but you
> refuse to connect to a database until after you perform validation...
>
> You do realise you can have several db connections open at one time, so
> you co
> Dotan,
>
> You are making this thing harder than it has to be.
>
> All you need is to replicate the escaping of the same characters that
> mysql_real_escape_string() escapes. Simply do that. They are listed on the
> functions manual page on php.net
>
> http://php.net/mysql_real_escape_string
>
On Tue, 2009-10-20 at 12:58 +0200, Dotan Cohen wrote:
> > Dotan,
> >
> > You are making this thing harder than it has to be.
> >
> > All you need is to replicate the escaping of the same characters that
> > mysql_real_escape_string() escapes. Simply do that. They are listed on the
> > functions
Hi all.
I know this question has been asked a thousand times on the list, but
my searches in the archives are not being nice to me. So... please
don't kick me.
Currently, we use DOMPDF to generate PDFs from HTML. However, it's no
longer maintained and it has a few bugs that we just can no
2009/10/18 Paul M Foster
> On Sat, Oct 17, 2009 at 01:41:03AM -0400, Brian Hazelton wrote:
>
> > I am in charge of an email newsletter list and making sure it gets sent
> > out in time. My problem is I have never done broadcast emailing and
> > right now we have 400 subscribers but want to build