From reto at nerdbude.de Mon Aug 1 05:16:41 2005
From: reto at nerdbude.de (Reto M. Kiefer)
Date: Mon, 01 Aug 2005 11:16:41 +0200
Subject: [nycphp-talk] OT Eclipse
In-Reply-To: <47qfdc$1u1np2@smtp04.mrf.mail.rcn.net>
References: <47qfdc$1u1np2@smtp04.mrf.mail.rcn.net>
Message-ID: <42EDE879.8040903@nerdbude.de>

Hi Pat,

(Sorry, the first answer was pm...)

>> Phpeclipse. Am curious -- what java development practices are you referring
>> to?

Maybe this is a result of my not perfect English, if so I am deeply sorry.

Basically I meant that Truestudio copies a lot of things of the original
JAVA IDE. For example the Type hierarchy or the Open Type function.
Moreover the directories and the files are organized in the PHP Explorer
as Packages, not as Folders, etc.

Personally I like this style because some other languages I'm using work
the same way. And if you organize your projects in a PEAR package style it
is a true advantage for me while developing...

I hope I could clarify my original intention.

CU
Reto


From codebowl at gmail.com Mon Aug 1 09:47:45 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Mon, 1 Aug 2005 09:47:45 -0400
Subject: [nycphp-talk] Session Handling
Message-ID: <8d9a4280050801064770c117@mail.gmail.com>

Hello Everyone,

I have implemented my session handling to take place in the database
rather than flat files on the system. Now I have a question. I read
somewhere that it is always good to check the IP of the user to make sure
the session has not been hijacked. Would the following be secure enough
for that?
<?php
class session
{
    /* Define the mysql table you wish to use with
       this class, this table MUST exist. */
    private $table = "sessions";
    private $_db;
    private $_page;
    private $_sess_id;
    private $_ip;

    public function __construct(Database $db) {
        $this->_db = $db;
    }

    public function init() {
        $this->_sess_id = session_id();
        $this->_page = $_SERVER['REQUEST_URI'];
        // This is the CURRENT request's address; the "ip" column that
        // write() stores is never read back into $this->_ip.
        $this->_ip = $_SERVER['REMOTE_ADDR'];

        $this->CheckIP();
    }

    public function open($path, $name) {
        return TRUE;
    }

    /* Close session */
    public function close() {
        /* This is used for a manual call of the session gc function */
        $this->gc(0);
        return TRUE;
    }

    /* Escape a value before it goes inside a quoted SQL literal: $ses_id comes
       from the client's cookie or URL, $data is whatever the application put
       in $_SESSION, and REQUEST_URI is client-controlled too. */
    private function esc($value) {
        return mysql_real_escape_string($value);
    }

    /* Read session data from database */
    public function read($ses_id) {
        $session_sql = "SELECT * FROM " . $this->table
                     . " WHERE ses_id = '" . $this->esc($ses_id) . "'";
        $session_res = $this->_db->Query($session_sql);
        if (!$session_res) {
            return '';
        }

        $session_num = $this->_db->NumRows($session_res);
        if ($session_num > 0) {
            $session_row = $this->_db->FetchArray($session_res);
            $ses_data = $session_row["ses_value"];
            return $ses_data;
        } else {
            return '';
        }
    }

    /* Write new data to database */
    public function write($ses_id, $data) {
        $this->init();

        $session_sql = "UPDATE " . $this->table
                     . " SET ses_time='" . time()
                     . "', page='" . $this->esc($this->_page)
                     . "', ses_value='" . $this->esc($data)
                     . "' WHERE ses_id='" . $this->esc($ses_id) . "'";
        $session_res = $this->_db->Query($session_sql);
        if (!$session_res) return FALSE;

        /* MySQL reports rows CHANGED, not rows matched, so an UPDATE that
           rewrites identical data reports 0 here and the INSERT below then
           fails on the duplicate key. */
        if ($this->_db->AffectedRows()) return TRUE;

        $session_sql = "INSERT INTO " . $this->table
                     . " (ses_id, ses_time, ses_start, page, ip, ses_value)"
                     . " VALUES ('" . $this->esc($ses_id) . "', '" . time()
                     . "', '" . time() . "', '" . $this->esc($this->_page)
                     . "', '" . $this->_ip . "', '" . $this->esc($data) . "')";
        $session_res = $this->_db->Query($session_sql);
        if (!$session_res) return FALSE;
        else return TRUE;
    }

    /* Destroy session record in database */
    public function destroy($ses_id) {
        $session_sql = "DELETE FROM " . $this->table
                     . " WHERE ses_id = '" . $this->esc($ses_id) . "'";
        $session_res = $this->_db->Query($session_sql);
        if (!$session_res) return FALSE;
        else return TRUE;
    }

    /* Garbage collection, deletes old sessions. The $life argument
       (session.gc_maxlifetime) is ignored in favour of a fixed 5 minutes. */
    public function gc($life) {
        $ses_life = strtotime("-5 minutes");

        $session_sql = "DELETE FROM " . $this->table
                     . " WHERE ses_time < $ses_life";
        $session_res = $this->_db->Query($session_sql);

        if (!$session_res) return FALSE;
        else return TRUE;
    }

    /* Not called from anywhere in this class. */
    private function UpdatePage() {
        $session_sql = "UPDATE " . $this->table . " SET page='"
                     . mysql_real_escape_string($this->_page)
                     . "' WHERE ses_id='" . $this->_sess_id . "'";
        $this->_db->Query($session_sql);
    }

    private function CheckIP() {
        // Compare the two addresses as strings (strcmp() cannot compare the
        // arrays that explode() would produce); a non-zero result means they
        // differ. Because init() has just copied REMOTE_ADDR into $this->_ip,
        // the two sides are always equal on this code path.
        if (strcmp($this->_ip, $_SERVER['REMOTE_ADDR']) !== 0) {
            $sess_sql = "DELETE FROM " . $this->table
                      . " WHERE ses_id='" . $this->esc($this->_sess_id) . "'";
            $this->_db->Query($sess_sql);
            session_destroy();
        }
    }
}
?>

Is this a good enough check for the IP? If the IP check fails it should
remove the session from the database, but also it calls session_destroy.
Why did I do it this way rather than just calling $this->destroy() or just
using session_destroy? I noticed that it was not actually removing the
session from the database if I did not actually make the database query
myself. Any criticism would be appreciated as this is my first attempt at
storing sessions in the database (with the help of a Zend tutorial).

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL:


From hendler at simmons.edu Mon Aug 1 10:01:27 2005
From: hendler at simmons.edu (Jonathan)
Date: Mon, 01 Aug 2005 10:01:27 -0400
Subject: [nycphp-talk] Session Handling
In-Reply-To: <8d9a4280050801064770c117@mail.gmail.com>
References: <8d9a4280050801064770c117@mail.gmail.com>
Message-ID: <42EE2B37.90606@simmons.edu>

I've had similar questions regarding IP security.

We didn't use IP addresses to uniquely identify users because they were
redundant. We tried to hash browser agents and other client items to
identify users.
Here is the belief that I would also like to know a definitive answer to,
that made us not use IP addresses: corporate networks, some schools, AOL,
and other groups behind a gateway/router are all going to appear to be the
same IP. There was a "forwarded" IP that could append an internal IP with
the gateway IP or something to that effect, but I haven't implemented
anything like that and would like to know if it is practical.

We require cookies and SSL and that seems to do the trick for most secure
apps.

Joseph Crawford wrote:

> Hello Everyone,
>
> I have implemented my session handling to take place in the database
> rather than flat files on the system. Now I have a question. I read
> somewhere that it is always good to check the IP of the user to make
> sure the session has not been hijacked. Would the following be secure
> enough for that?
>
> [...]
>
> Is this a good enough check for the IP? If the IP check fails it
> should remove the session from the database, but also it calls
> session_destroy. Why did I do it this way rather than just calling
> $this->destroy() or just using session_destroy? I noticed that it was
> not actually removing the session from the database if I did not
> actually make the database query myself. Any criticism would be
> appreciated as this is my first attempt at storing sessions in the
> database (with the help of a Zend tutorial)
> --
> Joseph Crawford Jr.
> Codebowl Solutions, Inc.
> 1-802-671-2021
> codebowl at gmail.com
>
>_______________________________________________
>New York PHP Talk Mailing List
>AMP Technology
>Supporting Apache, MySQL and PHP
>http://lists.nyphp.org/mailman/listinfo/talk
>http://www.nyphp.org


From list at harveyk.com Mon Aug 1 12:16:23 2005
From: list at harveyk.com (harvey)
Date: Mon, 01 Aug 2005 12:16:23 -0400
Subject: [nycphp-talk] Sssllloooowww Query
In-Reply-To: <42D3E010.6030005@n0p.net>
References: <6.1.0.6.2.20050712101400.030dbcc8@pop.earthlink.net> <42D3E010.6030005@n0p.net>
Message-ID: <6.1.0.6.2.20050801121530.03152210@mail.harveyk.com>

Thanks for the suggestion. It seems to make sense...

At 11:21 AM 7/12/2005, Flavio daCosta wrote:
>On 07/12/2005 10:44 AM, harvey wrote:
> > I've got some code that works, but it's pretty slllooooww...
> > --snip--
>
>Unless I am missing something here, can't you just simplify it with a
>LEFT JOIN and use only 1 result set?
>
>-- untested --
>
>SELECT ms.subcat_id, ms.subcat_name, msab.show_fid
>FROM music_subcats AS ms
>LEFT JOIN music_showsandbands AS msab
>  ON (ms.subcat_id = msab.band_fid AND msab.show_fid = $id)
>ORDER BY ms.subcat_name ASC
>
>Then something like:
>
>while ($row = mysql_fetch_assoc($allbands))
>{
>    $format = '';
>    $selected = $row['show_fid'] > 0 ? ' selected' : '';
>    printf($format, $row['subcat_id'], $selected, $row['subcat_name']);
>}
>
>-- untested --
>
>Forgive me if I totally missed the boat on this one ;)
>
>Flavio


From gary at helponboard.org Mon Aug 1 16:38:26 2005
From: gary at helponboard.org (gary at helponboard.org)
Date: Mon, 01 Aug 2005 16:38:26 -0400
Subject: [nycphp-talk] http analyzer
Message-ID: <20050801203827.61BC0A86EA@virtu.nyphp.org>

An HTML attachment was scrubbed...
URL:


From dmintz at davidmintz.org Mon Aug 1 18:14:44 2005
From: dmintz at davidmintz.org (David Mintz)
Date: Mon, 1 Aug 2005 18:14:44 -0400 (EDT)
Subject: [nycphp-talk] http analyzer
In-Reply-To: <20050801203827.61BC0A86EA@virtu.nyphp.org>
References: <20050801203827.61BC0A86EA@virtu.nyphp.org>
Message-ID:

On Mon, 1 Aug 2005 gary at helponboard.org wrote:

> I have used a number of programs in the past to view the actual http
> conversation between the browser and the webserver. I believe this is
> what you are trying to do.[...]

If that's the case, then Apache Axis also ships with a thing called TCP
Monitor. It works fine and the price is right.

http://ws.apache.org/axis/java/user-guide.html#AppendixUsingTheAxisTCPMonitorTcpmon

It's apparently designed for people who are trying to debug SOAP
transactions but of course you can use it for whatever.
I've had fun using it as a teaching tool for introductory PHP students --
showing them all that stuff that goes back and forth that you don't see in
a graphical browser.

---
David Mintz
http://davidmintz.org/


From codebowl at gmail.com Mon Aug 1 19:22:16 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Mon, 1 Aug 2005 19:22:16 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
Message-ID: <8d9a42800508011622459c8b2e@mail.gmail.com>

Guys,

I have the following code in use, however people can easily hijack
sessions. I am not sure why, but when a session is hijacked the IP address
in the database changes, yet the session values are retained. Here is the
code.

<?php
class session
{
    // The class header did not survive the list archive's HTML scrubbing.
    // The declarations below are reconstructed from how the members are used
    // in the methods; the table name and the constructor signature are
    // assumed to match the earlier post.
    private $table = "sessions";
    private $_db;
    private $_page;
    private $_sess_id;
    private $_ip;
    private $_typeIcon;
    private $_browser;
    private $_os;
    private $_browserList;
    private $_osList;
    private static $_type;

    public function __construct(Database $db) {
        $this->_db = $db;
        $this->_browserList = array(
            'offbyone' => 'ob1.gif', '3b_web' => '3b.gif', 'getrig' => 'get.gif',
            'webtv' => 'webtv.gif', 'aol' => 'aol.gif', 'opera' => 'opera.gif',
            'netposit' => 'netp.gif', 'ibrowse' => 'ibrowse.gif', 'abrowse' => 'abrowse.gif',
            'firefox' => 'firefox.gif', 'firebird' => 'firebird.gif', 'phoenix' => 'firebird.gif',
            'omniweb' => 'omni.gif', 'safari' => 'safari.gif', 'camino' => 'camino.gif',
            'chimera' => 'camino.gif', 'konqueror' => 'konq.gif', 'icab' => 'icab.gif',
            'dillo' => 'dillo.gif', 'epiphany' => 'epiph.gif', 'oregano' => 'oregano.gif',
            'k-meleon' => 'kmel.gif', 'webcapture' => 'webcap.gif', 'galeon' => 'galeon.gif',
            'lynx' => 'lynx.gif', 'netscape' => 'netscape.gif', 'entergy' => 'entergy.gif',
            'msie' => 'ie.gif', 'mozilla' => 'moz.gif');
        $this->_osList = array(
            'linspire' => 'linspire.gif', 'lindows' => 'linspire.gif', 'beos' => 'beos.gif',
            'skyos' => 'skyos.gif', 'atheos' => 'athe.gif', 'palmos' => 'palm.gif',
            'nokia' => 'nokia.gif', 'blackberry' => 'blackb.gif', 'zeta' => 'zeta.gif',
            'irix' => 'irix.gif', 'risc' => 'riscos.gif', 'os/2' => 'os2.gif',
            'amigaos' => 'amiga.gif', 'freebsd' => 'fbsd.gif', 'netbsd' => 'nbsd.gif',
            'sunos' => 'solaris.gif', 'solaris' => 'solaris.gif', 'os x' => 'osx.gif',
            'osx' => 'osx.gif', 'darwin' => 'osx.gif', 'macintosh' => 'macintosh.gif',
            'mac_' => 'macintosh.gif', 'qnx' => 'qnx.gif', 'linux' => 'linux.gif',
            'unix' => 'unix.gif', 'x11' => 'x11.gif', 'windows' => 'windows.gif',
            'win95' => 'windows.gif', 'win98' => 'windows.gif', 'winnt' => 'windows.gif');
        self::setType();
    }

    private function init() {
        if (!isset($this->_sess_id)) $this->_sess_id = session_id();
        $this->_page = $_SERVER['REQUEST_URI'];
        // A new object is built for every request, so this is always the
        // CURRENT request's address; the "ip" column in the table is never
        // read back into $this->_ip (read() only takes ses_value).
        if (!isset($this->_ip)) $this->_ip = $_SERVER['REMOTE_ADDR'];
        if (!isset($this->_typeIcon)) $this->setUserIcon();
        if (!isset($this->_browser)) $this->setUserBrowser();
        if (!isset($this->_os)) $this->setUserOS();

        $this->CheckIP();
    }

    public function open($path, $name) {
        return TRUE;
    }

    /* Close session */
    public function close() {
        /* This is used for a manual call of the session gc function */
        $this->gc(0);
        return TRUE;
    }

    /* Escape a value before it goes inside a quoted SQL literal: $ses_id
       comes from the client's cookie or URL, $data is whatever the
       application put in $_SESSION, and REQUEST_URI is client-controlled. */
    private function esc($value) {
        return mysql_real_escape_string($value);
    }

    /* Read session data from database */
    public function read($ses_id) {
        $session_sql = "SELECT * FROM " . $this->table
                     . " WHERE ses_id = '" . $this->esc($ses_id) . "'";
        $session_res = $this->_db->Query($session_sql);
        if (!$session_res) {
            return '';
        }

        $session_num = $this->_db->NumRows($session_res);
        if ($session_num > 0) {
            $session_row = $this->_db->FetchArray($session_res);
            $ses_data = $session_row["ses_value"];
            return $ses_data;
        } else {
            return '';
        }
    }

    /* Write new data to database */
    public function write($ses_id, $data) {
        $this->init();

        // ON DUPLICATE KEY UPDATE never rewrites ip, so the stored address
        // only changes when the row is re-inserted after gc() has deleted it
        // (close() runs gc on every request, with a 5-minute cutoff).
        $session_sql = "INSERT INTO " . $this->table
            . " (ses_id, type, typeicon, ses_time, ses_start, page, ip, browser, os, ses_value)"
            . " VALUES ('" . $this->esc($ses_id) . "', '" . self::$_type . "', '"
            . $this->_typeIcon . "', " . time() . ", " . time() . ", '"
            . $this->esc($this->_page) . "', '" . $this->_ip . "', '"
            . $this->_browser . "', '" . $this->_os . "', '" . $this->esc($data) . "')"
            . " ON DUPLICATE KEY UPDATE type='" . self::$_type
            . "', typeicon='" . $this->_typeIcon
            . "', ses_time=" . time()
            . ", page='" . $this->esc($this->_page)
            . "', ses_value='" . $this->esc($data) . "'";
        $session_res = $this->_db->Query($session_sql);
        if (!$session_res) return FALSE;
        else return TRUE;
    }

    /* Destroy session record in database */
    public function destroy($ses_id) {
        $session_sql = "DELETE FROM " . $this->table
                     . " WHERE ses_id = '" . $this->esc($ses_id) . "'";
        $session_res = $this->_db->Query($session_sql);
        if (!$session_res) return FALSE;
        else return TRUE;
    }

    /* Garbage collection, deletes old sessions. The $life argument
       (session.gc_maxlifetime) is ignored in favour of a fixed 5 minutes. */
    public function gc($life) {
        $ses_life = strtotime("-5 minutes");

        $session_sql = "DELETE FROM " . $this->table
                     . " WHERE ses_time < $ses_life";
        $session_res = $this->_db->Query($session_sql);
        if (!$session_res) return FALSE;
        else return TRUE;
    }

    private function CheckIP() {
        // Debug output of the stored and the current address (the HTML
        // separators between them were stripped by the list archive). Any
        // output here is sent before the response headers.
        echo $this->_ip;
        echo $_SERVER['REMOTE_ADDR'];
        if (strcmp($this->_ip, $_SERVER['REMOTE_ADDR'])) {
            echo 'YOU HAVE HIJACKED A SESSION, SESSION DESTROYED!';
            $sess_sql = "DELETE FROM " . $this->table
                      . " WHERE ses_id='" . $this->esc($this->_sess_id) . "'";
            $this->_db->Query($sess_sql);
            session_destroy();
        }
    }

    private function setUserIcon() {
        switch (self::$_type) {
            case 'AD':
                $this->_typeIcon .= 'images/icons/user/admin.png';
                break;
            case 'CL':
                $this->_typeIcon .= 'images/icons/user/client.png';
                break;
            case 'CO':
                $this->_typeIcon .= 'images/icons/user/contractor.png';
                break;
            default:
                $this->_typeIcon .= 'images/icons/user/guest.png';
        }
    }

    private function setUserBrowser() {
        foreach ($this->_browserList as $browser => $img) {
            if (stristr($_SERVER['HTTP_USER_AGENT'], $browser)) {
                $this->_browser .= 'images/icons/browser/' . $img;
                break;
            }
        }
    }

    private function setUserOS() {
        foreach ($this->_osList as $os => $img) {
            if (stristr($_SERVER['HTTP_USER_AGENT'], $os)) {
                $this->_os .= 'images/icons/os/' . $img;
                break;
            }
        }
    }

    static public function setType($type = 'GU') {
        $type = substr($type, 0, 2);
        if (isset($type) && is_string($type) && strlen($type) == 2)
            self::$_type = strtoupper($type);
    }
}
?>

You can see that you can hijack a session by going to this page:

http://codebowl.homelinux.net:8001/csaf/test.php?PHPSESSID=0615292083a9ea7010f1fe935597751e

You can also use a browser to open the page and create a session, then open
a different browser like IE or Firefox (but not the same browser) and
hijack your own session, as I have the page printing the session id so you
can get it.

I am not sure why when a session is hijacked the IP in the database is
updated, this should not be the case. The SQL query I have in my write
method should not do anything but insert or update if it exists.

Any help I would really appreciate. I like the flexibility of sessions in
the database but I don't like the idea of how easy it is to hijack the
session without the system noticing and destroying it.

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com


From nestorflorez at earthlink.net Mon Aug 1 19:35:43 2005
From: nestorflorez at earthlink.net (Nestor Florez)
Date: Mon, 1 Aug 2005 16:35:43 -0700 (GMT-07:00)
Subject: [nycphp-talk] Experts help needed (Sessions)
Message-ID: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net>

Why are you displaying the session id as part of the query?

Nestor :-)

-----Original Message-----
From: Joseph Crawford
Sent: Aug 1, 2005 4:22 PM
To: NYPHP Talk
Subject: [nycphp-talk] Experts help needed (Sessions)

Guys, I have the following code in use, however people can easily hijack
sessions. I am not sure why, but when a session is hijacked the IP address
in the database changes, yet the session values are retained. Here is the
code.

[...]


From codebowl at gmail.com Mon Aug 1 19:41:44 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Mon, 1 Aug 2005 19:41:44 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net>
Message-ID: <8d9a428005080116411feb1b5f@mail.gmail.com>

It is an insert, I don't care atm if people see the session ids, but I did
narrow it down to the query. Something is wrong with the write method
query. It seems to insert every time, an update of all fields. Any ideas
why?

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com


From nasir81 at gmail.com Mon Aug 1 19:47:36 2005
From: nasir81 at gmail.com (Nasir Zubair)
Date: Mon, 1 Aug 2005 19:47:36 -0400
Subject: [nycphp-talk] http analyzer
In-Reply-To: <42EBAFB0.8070908@gmail.com>
References: <42EBAFB0.8070908@gmail.com>
Message-ID: <40fcda7305080116477f36eb05@mail.gmail.com>

If you still want to view the full response from the browser, you can
always use telnet. To view nyphp.org/index.php:

    # telnet nyphp.org 80
    GET /index.php HTTP/1.1
    Host: nyphp.org

You need to press ENTER twice after the "Host: ..." line, to let the
webserver know that you are done typing in your request. That'll show you
the exact response including the headers and HTML.

BTW, this is from Mr. Shiflett's book, HTTP Developer's Handbook.

On 7/30/05, pete wrote:
> Chris,
>
> For some reason I had this fixation that I had to see the actual html text
> in the http analyzer.
>
> I realized after I wrote the email that as you have stated the view source
> in a browser pretty much meets all my needs. Who knows what I was thinking.
> DUH
>
> Thanks for responding,
> Pete
>
> pete wrote:
> > What I want to see is simply the html of a web site.
>
> Most browsers have an option to view source. Is this different than what
> you're wanting to do?
>
> Chris

--
Nasir Zubair
http://www.nasir.us/


From nestorflorez at earthlink.net Mon Aug 1 19:49:23 2005
From: nestorflorez at earthlink.net (Nestor Florez)
Date: Mon, 1 Aug 2005 16:49:23 -0700 (GMT-07:00)
Subject: [nycphp-talk] Experts help needed (Sessions)
Message-ID: <9944941.1122940163731.JavaMail.root@wamui-chisos.atl.sa.earthlink.net>

Joseph,

A trick I use often is that I check the session ID and the referrer before
allowing the user to continue to the next page. If the session ID and the
referrer are not what I expect then I send them back to the login page.
It's not infallible but it adds an extra layer.

Nestor :-)

-----Original Message-----
From: Joseph Crawford
Sent: Aug 1, 2005 4:41 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] Experts help needed (Sessions)

It is an insert, I don't care atm if people see the session ids, but I did
narrow it down to the query. Something is wrong with the write method
query. It seems to insert every time, an update of all fields. Any ideas
why?

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com


From ashaw at iifwp.org Mon Aug 1 19:58:21 2005
From: ashaw at iifwp.org (Allen Shaw)
Date: Tue, 02 Aug 2005 08:58:21 +0900
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <8d9a428005080116411feb1b5f@mail.gmail.com>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a428005080116411feb1b5f@mail.gmail.com>
Message-ID: <42EEB71D.2090504@iifwp.org>

Hi Joseph,

I see your query includes "INSERT INTO ... ON DUPLICATE KEY UPDATE".
Is it possible that it's inserting a new row because there is no duplicate
key? What are the keys on that table?

- Allen

Joseph Crawford wrote:
> something is wrong with the write method query. It seems to insert
> everytime, an update of all fields. any ideas why?

--
Allen Shaw
Polymer (http://polymerdb.org)
Fine-grained control over how your users access your data: user
permissions, reports, forms, ad-hoc queries -- all centrally managed.


From codebowl at gmail.com Mon Aug 1 20:15:02 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Mon, 1 Aug 2005 20:15:02 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <42EEB71D.2090504@iifwp.org>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a428005080116411feb1b5f@mail.gmail.com> <42EEB71D.2090504@iifwp.org>
Message-ID: <8d9a428005080117156c2fa21a@mail.gmail.com>

The primary key is the session id, so it should find a duplicate key just
fine. When I enter the query into phpMyAdmin when there are no matching
records it says it inserted one record, then when I do it again it says it
inserted 2 records. This leads me to believe that it deletes the existing
record then inserts the new, but that's not how the docs say it's supposed
to work. REPLACE uses that functionality, not the UPDATE KEY.

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
From ashaw at iifwp.org Mon Aug 1 20:45:20 2005
From: ashaw at iifwp.org (Allen Shaw)
Date: Tue, 02 Aug 2005 09:45:20 +0900
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <8d9a428005080117156c2fa21a@mail.gmail.com>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a428005080116411feb1b5f@mail.gmail.com> <42EEB71D.2090504@iifwp.org> <8d9a428005080117156c2fa21a@mail.gmail.com>
Message-ID: <42EEC220.4030401@iifwp.org>

Hi Joseph,

You may be experiencing a bug in MySQL. See this:
http://bugs.mysql.com/bug.php?id=8732

What do you think?

- Allen

Joseph Crawford wrote:
> the primary key is the session id so it should find a duplicate key
> just fine. when i enter the query into phpmyadmin when there are no
> matching records it says it inserted one record, then when i do it
> again it says it inserted 2 records this leads me to believe that it
> deletes the existing record then inserts the new but that's not how
> the docs say it's supposed to work. REPLACE uses that functionality
> not the UPDATE KEY

--
Allen Shaw
Polymer (http://polymerdb.org)
Fine-grained control over how your users access your data: user
permissions, reports, forms, ad-hoc queries -- all centrally managed.


From codebowl at gmail.com Mon Aug 1 21:17:22 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Mon, 1 Aug 2005 21:17:22 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <42EEC220.4030401@iifwp.org>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a428005080116411feb1b5f@mail.gmail.com> <42EEB71D.2090504@iifwp.org> <8d9a428005080117156c2fa21a@mail.gmail.com> <42EEC220.4030401@iifwp.org>
Message-ID: <8d9a428005080118177e9f2b2d@mail.gmail.com>

Allen, thanks for bringing this to my attention. I think I will have to
bail on this method and check and then insert or update.

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com


From codebowl at gmail.com Mon Aug 1 21:35:41 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Mon, 1 Aug 2005 21:35:41 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <8d9a428005080118177e9f2b2d@mail.gmail.com>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a428005080116411feb1b5f@mail.gmail.com> <42EEB71D.2090504@iifwp.org> <8d9a428005080117156c2fa21a@mail.gmail.com> <42EEC220.4030401@iifwp.org> <8d9a428005080118177e9f2b2d@mail.gmail.com>
Message-ID: <8d9a428005080118356ad04369@mail.gmail.com>

Anyone ever seen this error?

    Fatal error: Exception thrown without a stack frame in Unknown on line 0

    Warning: Unknown: A session is active. You cannot change the session
    module's ini settings at this time. in Unknown on line 0

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
From codebowl at gmail.com Tue Aug 2 09:32:39 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Tue, 2 Aug 2005 09:32:39 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <8d9a428005080118356ad04369@mail.gmail.com>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a428005080116411feb1b5f@mail.gmail.com> <42EEB71D.2090504@iifwp.org> <8d9a428005080117156c2fa21a@mail.gmail.com> <42EEC220.4030401@iifwp.org> <8d9a428005080118177e9f2b2d@mail.gmail.com> <8d9a428005080118356ad04369@mail.gmail.com>
Message-ID: <8d9a428005080206323ac36e21@mail.gmail.com>

OK, I now have another issue and thought I would seek help here once again ;)

The issue I am having is in the checkIP method. It checks the IP just fine, and I had this working where it would delete the existing session and start a new one automatically. However, if someone tried to hijack my session I wouldn't want to have to login all over again myself; I just want a new session started for the one who attempted to hijack my session.

I have tried to use output buffering with ob_start(); at the beginning of my file and ob_end_flush() at the end of my file, but that doesn't seem to help with the error I am getting. The following is the error I get:

Warning: session_regenerate_id() [function.session-regenerate-id]: Cannot send session cookie - headers already sent by (output started at E:\htdocs\csaf\test.php:10) in E:\htdocs\csaf\lib\auth\session.php on line 129

The session id for the hijacker is never re-generated; they continue to use the hijacked session id and it allows them to use the other person's session. Worst case scenario is both users will have their sessions reset by the script deleting the hijacked session from the database.
here is my code _db = $db; $this->_browserList = array('offbyone' => 'ob1.gif', '3b_web' => '3b.gif', 'getrig' => 'get.gif', 'webtv' => 'webtv.gif', 'aol' => 'aol.gif', 'opera' => 'opera.gif', 'netposit' => 'netp.gif', 'ibrowse' => 'ibrowse.gif', 'abrowse' => 'abrowse.gif', 'firefox' => 'firefox.gif', 'firebird' => ' firebird.gif', 'phoenix' => 'firebird.gif', 'omniweb' => 'omni.gif', 'safari' => 'safari.gif', 'camino' => 'camino.gif', 'chimera' => 'camino.gif', 'konqueror' => 'konq.gif', 'icab' => 'icab.gif', 'dillo' => 'dillo.gif', 'epiphany' => 'epiph.gif', 'oregano' => 'oregano.gif', 'k-meleon' => ' kmel.gif', 'webcapture' => 'webcap.gif', 'galeon' => 'galeon.gif', 'lynx' => 'lynx.gif', 'netscape' => 'netscape.gif', 'entergy' => 'entergy.gif', 'msie' => 'ie.gif', 'mozilla' => 'moz.gif'); $this->_osList = array('linspire' => 'linspire.gif', 'lindows' => ' linspire.gif', 'beos' => 'beos.gif', 'skyos' => 'skyos.gif', 'atheos' => ' athe.gif', 'palmos' => 'palm.gif', 'nokia' => 'nokia.gif', 'blackberry' => ' blackb.gif', 'zeta' => 'zeta.gif', 'irix' => 'irix.gif', 'risc' => ' riscos.gif', 'os/2' => 'os2.gif', 'amigaos' => 'amiga.gif', 'freebsd' => ' fbsd.gif', 'netbsd' => 'nbsd.gif', 'sunos' => 'solaris.gif', 'solaris' => ' solaris.gif', 'os x' => 'osx.gif', 'osx' => 'osx.gif', 'darwin' => 'osx.gif', 'macintosh' => 'macintosh.gif', 'mac_' => 'macintosh.gif', 'qnx' => 'qnx.gif', 'linux' => 'linux.gif', 'unix' => 'unix.gif', 'x11' => 'x11.gif', 'windows' => 'windows.gif', 'win95' => 'windows.gif', 'win98' => 'windows.gif', 'winnt' => 'windows.gif'); self::setType(); } private function init($ses_id) { $this->_sess_id = $ses_id; if(!isset($this->_page)) $this->_page = $_SERVER['REQUEST_URI']; if(!isset($this->_ip)) $this->_ip = $_SERVER['REMOTE_ADDR']; $this->setUserIcon(); if(!isset($this->_browser)) $this->setUserBrowser(); if(!isset($this->_os)) $this->setUserOS(); $this->CheckIP(); } public function open($path, $name) { return TRUE; } /* Close session */ public 
function close() { /* This is used for a manual call of the session gc function */ $this->gc(0); return TRUE; } /* Read session data from database */ public function read($ses_id) { $session_sql = "SELECT * FROM " . $this->table . " WHERE ses_id = '$ses_id'"; $session_res = $this->_db->Query($session_sql); if (!$session_res) { return ''; } $session_num = $this->_db->NumRows($session_res); if ($session_num > 0) { $session_row = $this->_db->FetchArray($session_res); $ses_data = $session_row["ses_value"]; return $ses_data; } else { return ''; } } /* Write new data to database */ public function write($ses_id, $data) { $session_sql = "SELECT * FROM ".$this->table." WHERE ses_id='".$ses_id."'"; $res = $this->_db->Query($session_sql); $this->init($ses_id); if( $this->_db->NumRows($res) == 0 ) { $session_sql = " INSERT INTO " .$this->table." (ses_id, type, typeicon, ses_time, ses_start, page, ip, browser, os, ses_value) VALUES ('".$ses_id."', '".self::$_type."', '".$this->_typeIcon."', ".time().", ".time().", '".$this->_page."', '".$this->_ip."', '".$this->_browser."', '".$this->_os."', '".$data."')"; } else { $session_sql = "UPDATE ".$this->table." SET type='".self::$_type."', typeicon='".$this->_typeIcon."', ses_time=".time().", page='".$this->_page."', ses_value='".$data."' WHERE ses_id='".$ses_id."'"; } echo $session_sql; $session_res = $this->_db->Query($session_sql); if (!$session_res) return FALSE; else return TRUE; } /* Destroy session record in database */ public function destroy($ses_id) { $session_sql = "DELETE FROM " . $this->table . " WHERE ses_id = '$ses_id'"; $session_res = $this->_db->Query($session_sql); if (!$session_res) return FALSE; else return TRUE; } /* Garbage collection, deletes old sessions */ public function gc($life) { $ses_life = strtotime("-5 minutes"); $session_sql = "DELETE FROM " . $this->table . 
" WHERE ses_time < $ses_life"; $session_res = $this->_db->Query($session_sql); if (!$session_res) return FALSE; else return TRUE; } private function CheckIP() { $res = $this->_db->Query("SELECT ip FROM ".$this->table." WHERE ses_id='".$this->_sess_id."'"); if($this->_db->NumRows($res) > 0) { $data = $this->_db->FetchArray($res); echo $data['ip'].'
'; echo $_SERVER['REMOTE_ADDR']; if( strcmp($data['ip'], $_SERVER['REMOTE_ADDR']) != 0 ) { echo 'YOU HAVE HIJACKED A SESSION, SESSION DESTROYED!'; //$sess_sql = "DELETE FROM ".$this->table." WHERE ses_id='".$this->_sess_id."'"; //$this->_db->Query($sess_sql); $this->_sess_id = session_regenerate_id(); echo $this->_sess_id; } } } private function setUserIcon() { switch(self::$_type) { case 'AD': $this->_typeIcon .= 'images/icons/user/admin.png'; break; case 'CL': $this->_typeIcon .= 'images/icons/user/client.png'; break; case 'CO': $this->_typeIcon .= 'images/icons/user/contractor.png'; break; default: $this->_typeIcon .= 'images/icons/user/guest.png'; } } private function setUserBrowser() { foreach ($this->_browserList as $browser => $img) { if(stristr($_SERVER['HTTP_USER_AGENT'], $browser)) { $this->_browser .= 'images/icons/browser/'.$img; break; } } } private function setUserOS() { foreach ($this->_osList as $os => $img) { if(stristr($_SERVER['HTTP_USER_AGENT'], $os)) { $this->_os .= 'images/icons/os/'.$img; break; } } } static public function setType( $type = 'GU' ) { $type = substr($type, 0, 2); if(isset($type) && is_string($type) && strlen($type) == 2) self::$_type = strtoupper($type); } } ?> On 8/1/05, Joseph Crawford wrote: > > Anyone ever seen this error? > > *Fatal error*: Exception thrown without a stack frame in *Unknown* on line > *0* > > *Warning*: Unknown: A session is active. You cannot change the session > module's ini settings at this time. in *Unknown* on line *0* > > -- > Joseph Crawford Jr. > Codebowl Solutions, Inc. > 1-802-671-2021 > codebowl at gmail.com > -- Joseph Crawford Jr. Codebowl Solutions, Inc. 1-802-671-2021 codebowl at gmail.com -------------- next part -------------- An HTML attachment was scrubbed... 
From dcech at phpwerx.net Tue Aug 2 09:32:52 2005
From: dcech at phpwerx.net (Dan Cech)
Date: Tue, 02 Aug 2005 09:32:52 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <8d9a42800508011622459c8b2e@mail.gmail.com>
References: <8d9a42800508011622459c8b2e@mail.gmail.com>
Message-ID: <42EF7604.2060900@phpwerx.net>

Joseph,

Your code is tied into all kinds of knots. You need to strip out all the extra cruft and get it working right before you add all the features for user icons etc., or even better add them in a subclass.

Now, the reason your IP checking is not working is this:

In your init() function you set:

$this->_ip = $_SERVER['REMOTE_ADDR'];

then you call CheckIp() which tests:

strcmp($this->_ip,$_SERVER['REMOTE_ADDR'])

Of course this will always be true. You need to do your IP checking in or after the read function, not before, because until it is read you don't know the previous IP.

On a side note, IP checking isn't a great security measure because it will cause problems for anyone whose IP is likely to change during a session, such as AOL users, etc.

Dan

Joseph Crawford wrote:
> Guys,
>
> I have the following code in use however people can easily hijack sessions
> i am not sure why but when a session is hijacked the IP address in the
> database changes, yet the session values are retained. Here is the code.
>
> class session
> {
> /* Define the mysql table you wish to use with
> this class, this table MUST exist.
*/ > private $table = "sessions"; > private $_db; > private $_page; > private $_sess_id; > private $_ip; > private $_browser; > private $_browserList; > private $_os; > private $_osList; > static private $_type; > private $_typeIcon; > > > public function __construct(Database $db) { > $this->_db = $db; > > $this->_browserList = array('offbyone' => 'ob1.gif', '3b_web' => '3b.gif', > 'getrig' => 'get.gif', 'webtv' => 'webtv.gif', 'aol' => 'aol.gif', 'opera' > => 'opera.gif', 'netposit' => 'netp.gif', 'ibrowse' => 'ibrowse.gif', > 'abrowse' => 'abrowse.gif', 'firefox' => 'firefox.gif', 'firebird' => ' > firebird.gif', 'phoenix' => 'firebird.gif', 'omniweb' => 'omni.gif', > 'safari' => 'safari.gif', 'camino' => 'camino.gif', 'chimera' => 'camino.gif', > 'konqueror' => 'konq.gif', 'icab' => 'icab.gif', 'dillo' => 'dillo.gif', > 'epiphany' => 'epiph.gif', 'oregano' => 'oregano.gif', 'k-meleon' => ' > kmel.gif', 'webcapture' => 'webcap.gif', 'galeon' => 'galeon.gif', 'lynx' => > 'lynx.gif', 'netscape' => 'netscape.gif', 'entergy' => 'entergy.gif', 'msie' > => 'ie.gif', 'mozilla' => 'moz.gif'); > $this->_osList = array('linspire' => 'linspire.gif', 'lindows' => ' > linspire.gif', 'beos' => 'beos.gif', 'skyos' => 'skyos.gif', 'atheos' => ' > athe.gif', 'palmos' => 'palm.gif', 'nokia' => 'nokia.gif', 'blackberry' => ' > blackb.gif', 'zeta' => 'zeta.gif', 'irix' => 'irix.gif', 'risc' => ' > riscos.gif', 'os/2' => 'os2.gif', 'amigaos' => 'amiga.gif', 'freebsd' => ' > fbsd.gif', 'netbsd' => 'nbsd.gif', 'sunos' => 'solaris.gif', 'solaris' => ' > solaris.gif', 'os x' => 'osx.gif', 'osx' => 'osx.gif', 'darwin' => 'osx.gif', > 'macintosh' => 'macintosh.gif', 'mac_' => 'macintosh.gif', 'qnx' => 'qnx.gif', > 'linux' => 'linux.gif', 'unix' => 'unix.gif', 'x11' => 'x11.gif', 'windows' > => 'windows.gif', 'win95' => 'windows.gif', 'win98' => 'windows.gif', > 'winnt' => 'windows.gif'); > self::setType(); > } > > private function init() { > if(!isset($this->_sess_id)) $this->_sess_id = 
session_id(); > $this->_page = $_SERVER['REQUEST_URI']; > if(!isset($this->_ip)) $this->_ip = $_SERVER['REMOTE_ADDR']; > if(!isset($this->_typeIcon)) $this->setUserIcon(); > if(!isset($this->_browser)) $this->setUserBrowser(); > if(!isset($this->_os)) $this->setUserOS(); > > $this->CheckIP(); > } > > public function open($path, $name) { > > return TRUE; > } > > /* Close session */ > public function close() { > /* This is used for a manual call of the > session gc function */ > $this->gc(0); > return TRUE; > } > > /* Read session data from database */ > public function read($ses_id) { > > $session_sql = "SELECT * FROM " . $this->table > . " WHERE ses_id = '$ses_id'"; > > $session_res = $this->_db->Query($session_sql); > if (!$session_res) { > return ''; > } > > $session_num = $this->_db->NumRows($session_res); > if ($session_num > 0) { > $session_row = $this->_db->FetchArray($session_res); > $ses_data = $session_row["ses_value"]; > return $ses_data; > } else { > return ''; > } > } > > /* Write new data to database */ > public function write($ses_id, $data) { > $this->init(); > $session_sql = " > INSERT INTO " > .$this->table." (ses_id, type, typeicon, ses_time, ses_start, page, ip, > browser, os, ses_value) > VALUES > ('".$ses_id."', '".self::$_type."', '".$this->_typeIcon."', ".time().", > ".time().", '".$this->_page."', '".$this->_ip."', '".$this->_browser."', > '".$this->_os."', '".$data."') > ON DUPLICATE KEY UPDATE > type='".self::$_type."', typeicon='".$this->_typeIcon."', > ses_time=".time().", page='".$this->_page."', ses_value='".$data."'"; > $session_res = $this->_db->Query($session_sql); > if (!$session_res) return FALSE; > else return TRUE; > > } > > /* Destroy session record in database */ > public function destroy($ses_id) { > $session_sql = "DELETE FROM " . $this->table > . 
" WHERE ses_id = '$ses_id'"; > > $session_res = $this->_db->Query($session_sql); > if (!$session_res) return FALSE; > else return TRUE; > } > > /* Garbage collection, deletes old sessions */ > public function gc($life) { > $ses_life = strtotime("-5 minutes"); > > $session_sql = "DELETE FROM " . $this->table > . " WHERE ses_time < $ses_life"; > > $session_res = $this->_db->Query($session_sql); > > > if (!$session_res) return FALSE; > else return TRUE; > } > > private function CheckIP() { > echo '
'.$this->_ip.'
'; > echo $_SERVER['REMOTE_ADDR']; > if( strcmp($this->_ip, $_SERVER['REMOTE_ADDR']) ) { > echo 'YOU HAVE HIJACKED A SESSION, SESSION DESTROYED!'; > $sess_sql = "DELETE FROM ".$this->table." WHERE > ses_id='".$this->_sess_id."'"; > $this->_db->Query($sess_sql); > session_destroy(); > } > } > > private function setUserIcon() { > switch(self::$_type) { > case 'AD': > $this->_typeIcon .= 'images/icons/user/admin.png'; > break; > case 'CL': > $this->_typeIcon .= 'images/icons/user/client.png'; > break; > case 'CO': > $this->_typeIcon .= 'images/icons/user/contractor.png'; > break; > default: > $this->_typeIcon .= 'images/icons/user/guest.png'; > } > } > > private function setUserBrowser() { > foreach ($this->_browserList as $browser => $img) { > if(stristr($_SERVER['HTTP_USER_AGENT'], $browser)) { > $this->_browser .= 'images/icons/browser/'.$img; > break; > } > } > } > > private function setUserOS() { > foreach ($this->_osList as $os => $img) { > if(stristr($_SERVER['HTTP_USER_AGENT'], $os)) { > $this->_os .= 'images/icons/os/'.$img; > break; > } > } > } > > static public function setType( $type = 'GU' ) { > $type = substr($type, 0, 2); > if(isset($type) && is_string($type) && strlen($type) == 2) self::$_type = > strtoupper($type); > } > } > ?> > > you can see that you can hijack a session by going to this page > > http://codebowl.homelinux.net:8001/csaf/test.php?PHPSESSID=0615292083a9ea7010f1fe935597751e > > you can also use a browser to open the page and create a session, then open > a different browser like IE or Firefox (but not the same browser) and hijack > your own session, as i have the page printing the session id so you can get > it. > > I am not sure why when a session is hijacked the IP in the database is > updated, this should not be the case. The SQL query i have in my write > method should not do anything but insert or update if it exists. > > Any help i would really appreciate. 
I like the flexibility of sessions in > the database but i dont like the idea of how easy it is to hijack the > session without the system noticing and destroying it. > > > > ------------------------------------------------------------------------ > > _______________________________________________ > New York PHP Talk Mailing List > AMP Technology > Supporting Apache, MySQL and PHP > http://lists.nyphp.org/mailman/listinfo/talk > http://www.nyphp.org From hendler at simmons.edu Tue Aug 2 09:57:28 2005 From: hendler at simmons.edu (Jonathan) Date: Tue, 02 Aug 2005 09:57:28 -0400 Subject: [nycphp-talk] Dedicated Hosts In-Reply-To: <42EF7604.2060900@phpwerx.net> References: <8d9a42800508011622459c8b2e@mail.gmail.com> <42EF7604.2060900@phpwerx.net> Message-ID: <42EF7BC8.6040300@simmons.edu> Hi All, Could y'all recommend a dedicated server host at 60-70 / mo. w/ plesk? (and minimal setup fee). I currently have a VPS and it's a bit sluggish. - Jonathan Hendler From preinheimer at gmail.com Tue Aug 2 10:22:22 2005 From: preinheimer at gmail.com (Paul Reinheimer) Date: Tue, 2 Aug 2005 10:22:22 -0400 Subject: [nycphp-talk] Dedicated Hosts In-Reply-To: <42EF7BC8.6040300@simmons.edu> References: <8d9a42800508011622459c8b2e@mail.gmail.com> <42EF7604.2060900@phpwerx.net> <42EF7BC8.6040300@simmons.edu> Message-ID: <6ec19ec705080207223421ca1e@mail.gmail.com> I've got a server with ServerMatrix, I've got root so the servers got whatever I want on it. Getting it with plesk is an extra $20/mnth. http://servermatrix.com/ I'm dropping $89/mnth for my server, with no plesk, so it's more than you were looking to spend, but I've been very happy with the level of service I've received over the past year (which really has just meant that they don't bother me and the server never goes offline :) ). Hrm, it looks like prices have gone up, wait for a sale :) paul On 8/2/05, Jonathan wrote: > Hi All, > > Could y'all recommend a dedicated server host at 60-70 / mo. w/ plesk? 
> (and minimal setup fee). I currently have a VPS and it's a bit sluggish. > > - Jonathan Hendler > _______________________________________________ > New York PHP Talk Mailing List > AMP Technology > Supporting Apache, MySQL and PHP > http://lists.nyphp.org/mailman/listinfo/talk > http://www.nyphp.org > -- Paul Reinheimer Zend Certified Engineer From tgales at tgaconnect.com Tue Aug 2 10:34:01 2005 From: tgales at tgaconnect.com (Tim Gales) Date: Tue, 02 Aug 2005 10:34:01 -0400 Subject: [nycphp-talk] Dedicated Hosts In-Reply-To: <42EF7BC8.6040300@simmons.edu> References: <8d9a42800508011622459c8b2e@mail.gmail.com> <42EF7604.2060900@phpwerx.net> <42EF7BC8.6040300@simmons.edu> Message-ID: <42EF8459.6000205@tgaconnect.com> Jonathan wrote: > Hi All, > > Could y'all recommend a dedicated server host at 60-70 / mo. w/ plesk? > (and minimal setup fee). I currently have a VPS and it's a bit sluggish. > You could take a look at: http://www.warpdrive.net/ The tech support guys are knowledgable and friendly -- T. Gales & Associates 'Helping People Connect with Technology' http://www.tgaconnect.com From tgales at tgaconnect.com Tue Aug 2 10:41:21 2005 From: tgales at tgaconnect.com (Tim Gales) Date: Tue, 02 Aug 2005 10:41:21 -0400 Subject: [nycphp-talk] Dedicated Hosts In-Reply-To: <42EF8459.6000205@tgaconnect.com> References: <8d9a42800508011622459c8b2e@mail.gmail.com> <42EF7604.2060900@phpwerx.net> <42EF7BC8.6040300@simmons.edu> <42EF8459.6000205@tgaconnect.com> Message-ID: <42EF8611.5040207@tgaconnect.com> Sorry about that missed the 'dedicated' -- probably ore than you want to spend Tim Gales wrote: > Jonathan wrote: > >>Hi All, >> >>Could y'all recommend a dedicated server host at 60-70 / mo. w/ plesk? >>(and minimal setup fee). I currently have a VPS and it's a bit sluggish. >> > > > You could take a look at: > http://www.warpdrive.net/ > > The tech support guys are knowledgable and friendly > > -- T. 
Gales & Associates
'Helping People Connect with Technology'
http://www.tgaconnect.com

From codebowl at gmail.com Tue Aug 2 10:46:26 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Tue, 2 Aug 2005 10:46:26 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <42EF7604.2060900@phpwerx.net>
References: <8d9a42800508011622459c8b2e@mail.gmail.com> <42EF7604.2060900@phpwerx.net>
Message-ID: <8d9a42800508020746945a5c@mail.gmail.com>

Dan,

Can you offer a better way to check for hijacked sessions? I now do see that AOL users go through a proxy tunnel and their IP can change a lot.

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com

From cfeldmann at gmail.com Tue Aug 2 10:50:32 2005
From: cfeldmann at gmail.com (chris feldmann)
Date: Tue, 2 Aug 2005 10:50:32 -0400
Subject: [nycphp-talk] http analyzer
In-Reply-To: <40fcda7305080116477f36eb05@mail.gmail.com>
References: <42EBAFB0.8070908@gmail.com> <40fcda7305080116477f36eb05@mail.gmail.com>
Message-ID: <7e2c731f05080207504f49a64e@mail.gmail.com>

Further, if you're interested in rendered source (as opposed to the source as delivered, before any client-side manipulation) there are several options:

The 'generated source' developer's bookmarklet (among many others):
http://www.squarefree.com/bookmarklets/webdevel.html

The "View Formatted Source" Firefox extension (very nice implementation; you can collapse code blocks and other goodies):
https://addons.mozilla.org/extensions/moreinfo.php?id=697

The "View Rendered Source" extension (consistently crashes Firefox on amd64 Gentoo for me, YMMV):
https://addons.mozilla.org/extensions/moreinfo.php?id=655

chris

On 8/1/05, Nasir Zubair wrote:
>
> If you still want to view the full response from browser, you can
> always use telnet.
>
> to view nyphp.org/index.php
>
> # telnet nyphp.org 80
> GET /index.php HTTP/1.1
> Host: nyphp.org
>
> You need to press ENTER twice after "host: ..." line, to let the
> webserver know that you are done typing in your request. That'll show
> you the exact response including the headers and HTML.
>
> BTW, this is from Mr. Shiflett's book, HTTP Developer's Handbook.
>
>
> On 7/30/05, pete wrote:
> > Chris,
> >
> > For some reason I had this fixation that I had to see the actual html
> > text in the http analyzer.
> >
> > I realized after I wrote the email that as you have stated the view
> > source in a browser pretty much meets all my needs. Who knows what I was
> > thinking. DUH
> >
> > Thanks for responding,
> > Pete
> >
> > pete wrote:
> >
> > What I want to see is simply the html of a web site.
> >
> > Most browsers have an option to view source. Is this different than what
> > you're wanting to do?
> >
> > Chris
>
> --
> Nasir Zubair
> http://www.nasir.us/
From dan at danhorning.com Tue Aug 2 11:04:41 2005
From: dan at danhorning.com (Dan Horning)
Date: Tue, 02 Aug 2005 11:04:41 -0400
Subject: [nycphp-talk] Dedicated Hosts
In-Reply-To: <42EF7BC8.6040300@simmons.edu>
References: <8d9a42800508011622459c8b2e@mail.gmail.com> <42EF7604.2060900@phpwerx.net> <42EF7BC8.6040300@simmons.edu>
Message-ID: <42EF8B89.4060902@danhorning.com>

For a little bit more you can have one with 1and1.com. I've been very impressed with the available features; see this link:
http://order.1and1.com/xml/order/ServerRoot

All those have Plesk.

Jonathan wrote:
> Hi All,
>
> Could y'all recommend a dedicated server host at 60-70 / mo. w/ plesk?
> (and minimal setup fee). I currently have a VPS and it's a bit sluggish.
>
> - Jonathan Hendler

From dwclifton at gmail.com Tue Aug 2 11:26:24 2005
From: dwclifton at gmail.com (Douglas Clifton)
Date: Tue, 2 Aug 2005 11:26:24 -0400
Subject: [nycphp-talk] Dedicated Hosts
In-Reply-To:
References:
Message-ID: <7d6cdcb0508020826ac734c6@mail.gmail.com>

I also use Server Matrix, although you would be better off referring to them as the Planet. They have an outstanding network; uptime, speed and reliability are top-notch. If you know what you're doing and can admin your own server, you get root. Technical support is not great, but someone please name a hosting company that has good tech support. I know what Plesk is, never use it, so... basically, for advanced users who want a dedicated box with great reliability, I recommend the Planet as well.
Doug

--
Douglas Clifton
dwclifton at gmail.com
http://loadaveragezero.com/
http://loadaveragezero.com/drx/rss/recent

> From: Paul Reinheimer
> To: NYPHP Talk
> Date: Tue, 2 Aug 2005 10:22:22 -0400
> Subject: Re: [nycphp-talk] Dedicated Hosts
> I've got a server with ServerMatrix, I've got root so the servers got
> whatever I want on it. Getting it with plesk is an extra $20/mnth.
> http://servermatrix.com/
>
> I'm dropping $89/mnth for my server, with no plesk, so it's more than
> you were looking to spend, but I've been very happy with the level of
> service I've received over the past year (which really has just meant
> that they don't bother me and the server never goes offline :) ).

From dmintz at davidmintz.org Tue Aug 2 12:50:14 2005
From: dmintz at davidmintz.org (David Mintz)
Date: Tue, 2 Aug 2005 12:50:14 -0400 (EDT)
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <8d9a42800508020746945a5c@mail.gmail.com>
References: <8d9a42800508011622459c8b2e@mail.gmail.com> <42EF7604.2060900@phpwerx.net> <8d9a42800508020746945a5c@mail.gmail.com>
Message-ID:

On Tue, 2 Aug 2005, Joseph Crawford wrote:
> Dan,
>
> can you offer a better way to check for hijacked sessions? I now do see that
> AOL users go through a proxy tunnel and their ip can change a lot.
>

I don't have it on my desk so I can't quote chapter and verse, but Chris Shiflett's HTTP Handbook has a section on session management that would surely interest you.

http://shiflett.org/books/http-developers-handbook

---
David Mintz
http://davidmintz.org/

From codebowl at gmail.com Tue Aug 2 13:28:52 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Tue, 2 Aug 2005 13:28:52 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To:
References: <8d9a42800508011622459c8b2e@mail.gmail.com> <42EF7604.2060900@phpwerx.net> <8d9a42800508020746945a5c@mail.gmail.com>
Message-ID: <8d9a428005080210287268f0a4@mail.gmail.com>

Thanks, I just submitted an order for this book; hopefully it will help me with this stuff ;)

Anyone here that can explain why this is happening? With the current session class found below, this is the issue: when the CheckSession method is called it compares the IP addresses from when the session first started and the current IP address, X.X.X.* (I am also trying to think of a non-IP way to compare). It has no problems finding that it is a hijacked session; however, when I call the destroy method (also tried session_unset(); session_destroy(); and get the same results) it deletes the hijacked session, so the session_destroy() works. What it is doing (side effect of my coding I think) is keeping all the session info such as $this->_page, $this->_browser, $this->_ses_id, etc... and just inserting a new record with your IP etc., but the $_SESSION info is retained so you still in essence get the hijacked data. Also, session_destroy() or whatever is happening after that allows you to keep the same session_id as the hijacked session, so when you look in the db all that changes really is the user's IP address. You can only see the results if you have DB access to change the IP in your session record or you have 2 machines with different IP addresses.

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
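The two problems in this sub-thread, Dan's point that the stored address is only known once read() has run and Joseph's report that the hijacked id survives session_destroy() with its $_SESSION data intact, are addressed by the added example below. It is not the list's or Joseph's code. It assumes PHP 8 with PDO, a `sessions` table whose PRIMARY KEY is `ses_id` with `ses_start`, `ses_time` and `ses_value` columns (the names used in the thread), and the DSN and credentials in the wiring comment are placeholders. The binding check lives outside the save handler and runs after session_start(), so it compares the fingerprint that was stored with the session against the current request; on a mismatch the loaded data is discarded and a fresh id is issued, which also deletes the old row through destroy().

```php
<?php
// Added example, not code from the thread: a save handler that only stores and
// retrieves data, plus a binding check that runs after session_start(), i.e.
// after read() has loaded the previous request's fingerprint.
// Assumes PHP 8 with PDO and a `sessions` table whose PRIMARY KEY is ses_id,
// with ses_start, ses_time and ses_value columns.
declare(strict_types=1);

final class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db, private string $table = 'sessions') {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare("SELECT ses_value FROM {$this->table} WHERE ses_id = ?");
        $stmt->execute([$id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? '' : (string) $row['ses_value'];
    }

    public function write(string $id, string $data): bool
    {
        // Insert-or-update in one statement. MySQL counts 1 affected row for the
        // insert branch and 2 for the update branch; neither means two rows exist.
        $now  = time();
        $stmt = $this->db->prepare(
            "INSERT INTO {$this->table} (ses_id, ses_start, ses_time, ses_value)
             VALUES (?, ?, ?, ?)
             ON DUPLICATE KEY UPDATE ses_time = ?, ses_value = ?"
        );
        return $stmt->execute([$id, $now, $now, $data, $now, $data]);
    }

    public function destroy(string $id): bool
    {
        $stmt = $this->db->prepare("DELETE FROM {$this->table} WHERE ses_id = ?");
        return $stmt->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare("DELETE FROM {$this->table} WHERE ses_time < ?");
        $stmt->execute([time() - $max_lifetime]);
        return $stmt->rowCount();
    }
}

// Client fingerprint: user agent plus, for IPv4, the first three octets (the
// X.X.X.* comparison from the thread), so a change inside one /24 still
// passes. Hashed so the raw values are not kept in the session data.
function client_fingerprint(array $server): string
{
    $ip    = $server['REMOTE_ADDR'] ?? '';
    $parts = explode('.', $ip);
    $net   = count($parts) === 4 ? implode('.', array_slice($parts, 0, 3)) : $ip;
    return hash('sha256', ($server['HTTP_USER_AGENT'] ?? '') . '|' . $net);
}

// Run right after session_start() and before any output (a regenerated id is
// sent as a cookie, so it cannot follow an echo). Returns false when the
// presented session was rejected and replaced.
function enforce_session_binding(array $server): bool
{
    $current = client_fingerprint($server);
    if (!isset($_SESSION['_fp'])) {
        $_SESSION['_fp'] = $current;   // first request: bind the new session
        return true;
    }
    if (hash_equals($_SESSION['_fp'], $current)) {
        return true;
    }
    // Mismatch: drop the loaded data, issue a fresh id and delete the old row
    // through destroy(), so the presented id resolves to nothing from now on.
    $_SESSION = [];
    session_regenerate_id(true);
    $_SESSION['_fp'] = $current;
    return false;
}

// Wiring (DSN and credentials are placeholders):
// $pdo = new PDO('mysql:host=localhost;dbname=csaf', 'user', 'secret');
// session_set_save_handler(new DbSessionHandler($pdo), true);
// session_start();
// if (!enforce_session_binding($_SERVER)) { /* treat the request as unauthenticated */ }
```

Because the legitimate user and the hijacker present the same id, destroying the old row logs both out, which is the worst case Joseph already accepts. The address component of the fingerprint remains fragile for the roaming clients Dan mentions; where that matters, drop the `$net` part and keep the user-agent part, or bind to something the server issues itself rather than to the network path.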
From flakie at gmail.com Tue Aug 2 14:24:25 2005
From: flakie at gmail.com (Eric Rank)
Date: Tue, 2 Aug 2005 13:24:25 -0500
Subject: [nycphp-talk] http analyzer
In-Reply-To: <42E9FA8E.8000209@gmail.com>
References: <42E9FA8E.8000209@gmail.com>
Message-ID:

Pete,

I think you'd like Charles:

http://www.xk72.com/charles/

It does exactly what you're looking to do. I haven't played with it extensively, but I believe that there's plugins for it that extend its usefulness. For what it's worth, I believe you'll need a plugin to make it work with Firefox on Windows. This is second hand information though. It works splendidly with IE.

Eric Rank

On 7/29/05, pete wrote:
> I have tried using ethereal to intercept HTTP and LIVE HTTP HEADERS
> extension in firefox, What I want to see is simply the html of a web site.
> LIVE HTTP HEADERS does not give me the text/html of a web site and ethereal
> seems to truncate or not display the html after the first packet.
> Multi-packet perhaps in TCP. I do not want to get bogged down in
> understanding TCP, The data seems to be gzip compressed but again it is
> too much work for me to figure this out thru TCP packets.
>
> There must be some sort of simple free or open source utility that allows
> this. I am currently unemployed and really can't buy software.
>
> The site that I am intercepting does a post. I don't think that telnet
> would fit the bill either.
>
> Correct me if u think I am mistaken,
>
> Thanks in advance,
> pete

From agfische at email.smith.edu Tue Aug 2 14:47:39 2005
From: agfische at email.smith.edu (Aaron Fischer)
Date: Tue, 2 Aug 2005 14:47:39 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To:
References: <8d9a42800508011622459c8b2e@mail.gmail.com> <42EF7604.2060900@phpwerx.net> <8d9a42800508020746945a5c@mail.gmail.com>
Message-ID: <6bd6656d336bb3d3daed600e106ccd2c@email.smith.edu>

VERY sexy. It just got bumped to the top of my book purchasing list. Now if I could just find a few minutes to find that expense card...

Thanks for the link, looks very good.

-Aaron

On Aug 2, 2005, at 12:50 PM, David Mintz wrote:
> http://shiflett.org/books/http-developers-handbook

From danielc at analysisandsolutions.com Tue Aug 2 14:52:08 2005
From: danielc at analysisandsolutions.com (Daniel Convissor)
Date: Tue, 2 Aug 2005 14:52:08 -0400
Subject: [nycphp-talk] PHP Sessions on windows
In-Reply-To: <0IKI00EEOIKI2BN1@mta10.srv.hcvlny.cv.net>
References: <20050731212855.GA1999@panix.com> <0IKI00EEOIKI2BN1@mta10.srv.hcvlny.cv.net>
Message-ID: <20050802185208.GA9135@panix.com>

On Sun, Jul 31, 2005 at 06:21:56PM -0400, Tom wrote:
>
> As I mentioned earlier, it's weird because the file is getting written -
> every time I press reload, I see the file. The web server running right now
> as the Administrator account, I guess it just can't read the file?

Sounds like that. So by "getting written every time" I assume you mean a brand new session file with a new name.

--Dan

--
T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
data intensive web and database programming
http://www.AnalysisAndSolutions.com/
4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335  f: 718-854-0409

From tom at supertom.com Tue Aug 2 15:04:56 2005
From: tom at supertom.com (Tom Melendez)
Date: Tue, 02 Aug 2005 15:04:56 -0400
Subject: [nycphp-talk] PHP Sessions on windows
In-Reply-To: <20050802185208.GA9135@panix.com>
References: <20050731212855.GA1999@panix.com> <0IKI00EEOIKI2BN1@mta10.srv.hcvlny.cv.net> <20050802185208.GA9135@panix.com>
Message-ID: <42EFC3D8.5070304@supertom.com>

Yes, that's it. Every request, a new session file is written, with a new name. So, it has permissions to write, but it is almost like it can't read. There's nothing in the error log, and turning on all PHP errors doesn't provide any help, either. What a weird problem....
Tom
http://www.liphp.org

Daniel Convissor wrote:
> On Sun, Jul 31, 2005 at 06:21:56PM -0400, Tom wrote:
>> As I mentioned earlier, it's weird because the file is getting written -
>> every time I press reload, I see the file. The web server is running right now
>> as the Administrator account, I guess it just can't read the file?
>
> Sounds like that. So by "getting written every time" I assume you mean a
> brand new session file with a new name.
>
> --Dan

From max at neuropunks.org Tue Aug 2 15:10:50 2005
From: max at neuropunks.org (max)
Date: Tue, 2 Aug 2005 14:10:50 -0500
Subject: [nycphp-talk] http analyzer
In-Reply-To:
References: <42E9FA8E.8000209@gmail.com>
Message-ID: <20050802191050.GA5483@neuropunks.org>

Another one to consider:
http://www.portswigger.net/proxy/
also, take a look at all the tools on that site, pretty handy.

On Tue, Aug 02, 2005 at 01:24:25PM -0500, Eric Rank wrote:
> Pete,
>
> I think you'd like Charles:
>
> http://www.xk72.com/charles/
>
> It does exactly what you're looking to do.

From odragola at gmail.com Tue Aug 2 15:47:06 2005
From: odragola at gmail.com (Odra Gola)
Date: Tue, 2 Aug 2005 15:47:06 -0400
Subject: [nycphp-talk] SQL "WHERE" conditions in an array
Message-ID:

Hello,

A while ago I've seen some code (function) to build SQL queries. It took a multidimensional associative array to build complex WHERE conditions. That's the feature that I really liked. I'm trying to find it again to no avail. Can someone point me to that code please?

Thanks,
Olaf

From danielc at analysisandsolutions.com Tue Aug 2 15:59:33 2005
From: danielc at analysisandsolutions.com (Daniel Convissor)
Date: Tue, 2 Aug 2005 15:59:33 -0400
Subject: [nycphp-talk] PHP Sessions on windows
In-Reply-To: <42EFC3D8.5070304@supertom.com>
References: <20050731212855.GA1999@panix.com> <0IKI00EEOIKI2BN1@mta10.srv.hcvlny.cv.net> <20050802185208.GA9135@panix.com> <42EFC3D8.5070304@supertom.com>
Message-ID: <20050802195933.GA28500@panix.com>

Hey Tom:

On Tue, Aug 02, 2005 at 03:04:56PM -0400, Tom Melendez wrote:
> Yes, that's it. Every request, a new session file is written, with a
> new name.

File permissions could be it. But more likely, now that I think about it, is your browser is probably not accepting/sending the PHPSESSID cookie from/to your server. Either look in your browser's cookie list and/or put a test at the top of your script that checks $_COOKIE['PHPSESSID'].
--Dan

--
T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
data intensive web and database programming
http://www.AnalysisAndSolutions.com/
4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335  f: 718-854-0409

From danielc at analysisandsolutions.com Tue Aug 2 16:02:45 2005
From: danielc at analysisandsolutions.com (Daniel Convissor)
Date: Tue, 2 Aug 2005 16:02:45 -0400
Subject: [nycphp-talk] SQL "WHERE" conditions in an array
In-Reply-To:
References:
Message-ID: <20050802200245.GB28500@panix.com>

Hey Odra:

On Tue, Aug 02, 2005 at 03:47:06PM -0400, Odra Gola wrote:
> Can someone point me to that code please?

Rather than being lazy and making us do your work for you, how about posting an idea of how you'd do it and we'll give you feedback.

If you don't have any ideas, you've got some reading to do on how to use PHP. Check out the foreach() syntax in the PHP manual.

--Dan

--
T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
data intensive web and database programming
http://www.AnalysisAndSolutions.com/
4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335  f: 718-854-0409

From greg.rundlett at gmail.com Tue Aug 2 16:13:57 2005
From: greg.rundlett at gmail.com (Greg Rundlett)
Date: Tue, 2 Aug 2005 16:13:57 -0400
Subject: [nycphp-talk] persnickety problem while (reverse) proxying JPSpan (AJAX library)
Message-ID: <5e2aaca405080213133f774356@mail.gmail.com>

I'm wondering if anyone has insight into this problem....

I have JPSpan set up to run (within a Horde installation), and reverse proxied through another server (giving external users access to the application by way of the proxy server). When I am not using the proxy, a simple "HelloWorld" test succeeds.
However, when the proxy is used, I get the following error:

Server_Error: syntax error
The client was helloworld calling sayhello
The response was new Function("var t1 = \'Hello Greg\';return t1;");

The strange part is that the response is perfectly valid JS code, and can be eval'd in the JavaScript console just fine. I am under the impression, and you can verify for me, that this is what JPSpanServer is supposed to return.

I was unsure about where the escaped single quotes were coming from, and so I turned off magic_quotes_gpc on the proxy server and restarted, but that had no effect. It is entirely possible that the magic_quotes are introduced somewhere in the Horde Framework, but that seems irrelevant since the server response is valid JS code even when the single quotes are escaped. I'm still confused why this is getting reported as a syntax error.

Is there a method in PostOffice that I could use to inspect the return response of a successful sayhello call? -- simply to compare it with the error version?

I have been running through the examples to note any change in behavior between the straight version and the proxied version. I discovered another bizarre issue: The /lib/jpspan/examples/testclient.php works fine when requested directly, but when proxied, the closing tags of some of the xml.js content are missing. For example, the '' in line 782 of http://pastebin.com/327779 or in more detail: the attached diff compares the output of testclient.php (normal) and testclient.php (proxied). NOTE that this case does not involve Horde in any way, so it certainly isn't due to namespace collisions.

I have reviewed my mod_proxy_html rules, and there is nothing that resembles the transformation taking place; leaving me with absolutely no explanation.
proxy rules (real name was changed to 'appAliasFoo' to protect the innocent :-)

ProxyHTMLURLMap / /appAliasFoo/ c
ProxyHTMLURLMap /appAliasFoo /appAliasFoo c
# This handles the ab theme graphics
ProxyHTMLURLMap '= \'/autobuilder/' '= \'/appAliasFoo/autobuilder/' Rh
# A rewrite rule that ignores links, and targets js
ProxyHTMLURLMap '= \'/themes/graphics/([^./]+)\.png' '= \'/appAliasFoo/themes/graphics/$1.png' R
# A rewrite rule that tries to take care of the dynamically generated js of the treemenu
# This rule does not impact the embedded js loaded by javascript.php, so a hack was put into tree.js
#ProxyHTMLURLMap '/themes/graphics/tree/([^.]+)\.png' '/appAliasFoo/themes/graphics/tree/$1.png' R
# The following rule interfered with administration.png when the trailing / was left out
ProxyHTMLURLMap /admin/ /appAliasFoo/admin/ h
ProxyHTMLURLMap /services/ /appAliasFoo/services/ h
ProxyHTMLURLMap /login.php /appAliasFoo/login.php h

I don't know that there is any bug in JPSpan, but I'm at my wits' end in trying to figure out what is causing this not to work.

Thanks for your help.

testclient.php.diff
1,5c1 < < < < HttpClient Test Page < < < < < \ No newline at end of file

--
Greg Rundlett
Release Engineering Team
SavaJe Technologies
(978) 259-2029

[random sig fortune]
Our informal mission is to improve the love life of operators worldwide.
-- Peter Behrendt, president of Exabyte

From cfeldmann at gmail.com Tue Aug 2 17:09:26 2005
From: cfeldmann at gmail.com (chris feldmann)
Date: Tue, 2 Aug 2005 17:09:26 -0400
Subject: [nycphp-talk] http analyzer
In-Reply-To: <20050802191050.GA5483@neuropunks.org>
References: <42E9FA8E.8000209@gmail.com> <20050802191050.GA5483@neuropunks.org>
Message-ID: <7e2c731f0508021409d68471b@mail.gmail.com>

On 8/2/05, max wrote:
>
> Another one to consider:
> http://www.portswigger.net/proxy/
> also, take a look at all the tools on that site, pretty handy.

"The connection was refused when attempting to connect to www.portswigger.net"

Typo?
From agfische at email.smith.edu Tue Aug 2 17:26:10 2005
From: agfische at email.smith.edu (Aaron Fischer)
Date: Tue, 2 Aug 2005 17:26:10 -0400
Subject: [nycphp-talk] http analyzer
In-Reply-To: <7e2c731f0508021409d68471b@mail.gmail.com>
References: <42E9FA8E.8000209@gmail.com> <20050802191050.GA5483@neuropunks.org> <7e2c731f0508021409d68471b@mail.gmail.com>
Message-ID: <47e5ebb1f7f8e90f783a9bcaa4a96dd2@email.smith.edu>

No problems here. Have connected to the site from work and at home.

-Aaron

On Aug 2, 2005, at 5:09 PM, chris feldmann wrote:
> On 8/2/05, max wrote:
>>
>> http://www.portswigger.net/proxy/
>> also, take a look at all the tools on that site, pretty handy.
> "The connection was refused when attempting to connect to
> www.portswigger.net"
>
> Typo?

From odragola at gmail.com Tue Aug 2 17:32:14 2005
From: odragola at gmail.com (Odra Gola)
Date: Tue, 2 Aug 2005 17:32:14 -0400
Subject: [nycphp-talk] SQL "WHERE" conditions in an array
In-Reply-To: <20050802200245.GB28500@panix.com>
References: <20050802200245.GB28500@panix.com>
Message-ID:

Dan,

Thanks for your "helpful" response and for labeling me. All I asked was if someone knew what function I was referring to and where to find it. I did not request anyone to do my work. I do know "how to use PHP" better than you have assumed ... and guess what ... I also know how to use foreach(). The code I was referring to could build "multi-level" WHERE conditions with multiple ANDs and ORs based on the structure of the passed array. foreach() is not quite all of the concept behind it. I believe my question was clear and I didn't ask it because I'm lazy or because I'm not able to come up with a solution myself.
I asked it simply because I have a deadline tomorrow and I'm trying to save some time by not reinventing the wheel. I think any smart programmer would do the same in my situation. Your response however, was neither an answer to my question nor advice. I actually think it was quite rude and I'm lucky it's not an IRC channel, because I'm sure you'd ban me without thinking twice for asking a question.

I've been a member of NYPHP for a few years and I hope that the list is still a place where people can ask questions. Correct me if I'm wrong.

Thanks,
O.

On 8/2/05, Daniel Convissor wrote:
>
> Hey Odra:
>
> On Tue, Aug 02, 2005 at 03:47:06PM -0400, Odra Gola wrote:
>
> > Can someone point me to that code please?
>
> Rather than being lazy and making us do your work for you, how about
> posting an idea of how you'd do it and we'll give you feedback.
>
> If you don't have any ideas, you've got some reading to do on how to
> use PHP. Check out the foreach() syntax in the PHP manual.
>
> --Dan
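An array-driven WHERE builder of the kind Odra describes (nested groups, multiple ANDs and ORs), written here as an added example; it is not the code Odra was looking for and not from anyone in the thread. It assumes a PDO-style driver that accepts '?' placeholders, so every value is bound rather than interpolated into the query string; the key spelling ('AND', 'OR', 'column op') is my own convention.

```php
<?php
declare(strict_types=1);

// Builds a WHERE fragment from a nested associative array.
//   'column'       => value            column = ?
//   'column >='    => value            column >= ?   (=, <>, !=, <, <=, >, >=, LIKE)
//   'column IN'    => [v1, v2, ...]    column IN (?, ?, ...)
//   'column'       => null             column IS NULL
//   'AND' / 'OR'   => [ ...nested... ] parenthesised group with that glue
//   <int>          => [ ...nested... ] parenthesised group glued with AND
// Column names cannot be bound, so they are validated against a strict
// identifier pattern; values never touch the SQL string.
final class WhereBuilder
{
    private const OPERATORS = ['=', '<>', '!=', '<', '<=', '>', '>=', 'LIKE', 'IN'];

    /** @return array{0: string, 1: array} SQL fragment and its bound values */
    public static function build(array $conditions, string $glue = 'AND'): array
    {
        if ($conditions === []) {
            throw new InvalidArgumentException('empty condition group');
        }
        $parts  = [];
        $params = [];
        foreach ($conditions as $key => $value) {
            $upper = strtoupper((string) $key);
            if (is_int($key) || $upper === 'AND' || $upper === 'OR') {
                if (!is_array($value)) {
                    throw new InvalidArgumentException("group '$key' must be an array");
                }
                // Nested group: recurse with the group's own glue.
                [$sql, $p] = self::build($value, is_int($key) ? 'AND' : $upper);
                $parts[]   = '(' . $sql . ')';
                $params    = array_merge($params, $p);
                continue;
            }
            [$column, $op] = self::splitKey((string) $key);
            if ($op === 'IN') {
                if (!is_array($value) || $value === []) {
                    throw new InvalidArgumentException("IN needs a non-empty list for $column");
                }
                $marks   = implode(', ', array_fill(0, count($value), '?'));
                $parts[] = "$column IN ($marks)";
                $params  = array_merge($params, array_values($value));
            } elseif ($value === null && $op === '=') {
                $parts[] = "$column IS NULL";
            } else {
                $parts[]  = "$column $op ?";
                $params[] = $value;
            }
        }
        return [implode(" $glue ", $parts), $params];
    }

    // "status" -> ["status", "="]; "age >=" -> ["age", ">="]; "t.col IN" -> ["t.col", "IN"]
    private static function splitKey(string $key): array
    {
        $pieces = preg_split('/\s+/', trim($key), 2);
        $column = $pieces[0];
        $op     = strtoupper($pieces[1] ?? '=');
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?$/', $column)) {
            throw new InvalidArgumentException("bad column name: $column");
        }
        if (!in_array($op, self::OPERATORS, true)) {
            throw new InvalidArgumentException("unsupported operator: $op");
        }
        return [$column, $op];
    }
}

// Constructed sample: active users who are either admins or adults in US/CA.
$where = [
    'status' => 'active',
    'OR' => [
        'role' => 'admin',
        'AND' => ['age >=' => 18, 'country IN' => ['US', 'CA']],
    ],
    'deleted_at' => null,
];
[$sql, $params] = WhereBuilder::build($where);
echo "SELECT * FROM users WHERE $sql\n";
echo 'params: ', json_encode($params), "\n";
// With a real connection (not opened here): $pdo->prepare("SELECT ... WHERE $sql")->execute($params);
```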
From codebowl at gmail.com Tue Aug 2 18:27:27 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Tue, 2 Aug 2005 18:27:27 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <6bd6656d336bb3d3daed600e106ccd2c@email.smith.edu>
References: <8d9a42800508011622459c8b2e@mail.gmail.com> <42EF7604.2060900@phpwerx.net> <8d9a42800508020746945a5c@mail.gmail.com> <6bd6656d336bb3d3daed600e106ccd2c@email.smith.edu>
Message-ID: <8d9a42800508021527145f14a7@mail.gmail.com>

Ok, so I figured I would post this here since others may be wondering about this too.

I couldn't figure out why, when I was using output buffering, the session_regenerate_id() function in my destroy method would complain about the headers already being sent. After a few days of struggling with this I ran a debug session with Zend Studio and found that even after the page is displayed and output buffering is flushed, the session class runs one last time: it calls the write method, which in turn called my init method, and when the session was destroyed it would call the session_regenerate_id() function and it would complain because the page was already sent to the browser.

I guess my question here is, do any of you gurus know how I can accomplish this? I tried to put the call to my init method into my read method but then it complained that I was trying to destroy a non-existent session. Where can I put these checks so that they run with each page load? I tried the constructor but that only seemed to run just one time, not once per page, just once.

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
From cfeldmann at gmail.com Tue Aug 2 18:56:15 2005
From: cfeldmann at gmail.com (chris feldmann)
Date: Tue, 2 Aug 2005 18:56:15 -0400
Subject: [nycphp-talk] http analyzer
In-Reply-To: <47e5ebb1f7f8e90f783a9bcaa4a96dd2@email.smith.edu>
References: <42E9FA8E.8000209@gmail.com> <20050802191050.GA5483@neuropunks.org> <7e2c731f0508021409d68471b@mail.gmail.com> <47e5ebb1f7f8e90f783a9bcaa4a96dd2@email.smith.edu>
Message-ID: <7e2c731f05080215566b1c5a79@mail.gmail.com>

On 8/2/05, Aaron Fischer wrote:
>
> No problems here. Have connected to the site from work and at home.
>
> -Aaron

Yup, works from home. Might be a "proxy avoidance" filter at work. Never mind......
From rolan at omnistep.com Wed Aug 3 00:22:59 2005
From: rolan at omnistep.com (Rolan Yang)
Date: Wed, 03 Aug 2005 00:22:59 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <8d9a428005080206323ac36e21@mail.gmail.com>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a428005080116411feb1b5f@mail.gmail.com> <42EEB71D.2090504@iifwp.org> <8d9a428005080117156c2fa21a@mail.gmail.com> <42EEC220.4030401@iifwp.org> <8d9a428005080118177e9f2b2d@mail.gmail.com> <8d9a428005080118356ad04369@mail.gmail.com> <8d9a428005080206323ac36e21@mail.gmail.com>
Message-ID: <42F046A3.4040507@omnistep.com>

Sometimes when people use AOL, the proxied http requests come in from multiple IPs.

~Rolan

Joseph Crawford wrote:
> ok I now have another issue and thought I would seek help here once
> again ;)
>
> the issue I am having is in the checkIP method, it checks the IP just
> fine and I had this working where it would delete the existing session
> and start a new one automatically however, if someone tried to hijack
> my session I wouldn't want to have to login all over again myself, I
> just want a new session started for the one who attempted to hijack my
> session.
From codebowl at gmail.com Wed Aug 3 08:32:24 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Wed, 3 Aug 2005 08:32:24 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <42F046A3.4040507@omnistep.com>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a428005080116411feb1b5f@mail.gmail.com> <42EEB71D.2090504@iifwp.org> <8d9a428005080117156c2fa21a@mail.gmail.com> <42EEC220.4030401@iifwp.org> <8d9a428005080118177e9f2b2d@mail.gmail.com> <8d9a428005080118356ad04369@mail.gmail.com> <8d9a428005080206323ac36e21@mail.gmail.com> <42F046A3.4040507@omnistep.com>
Message-ID: <8d9a428005080305327d9862ac@mail.gmail.com>

I finally solved this problem by realizing that you cannot run the IP (or other method) check within the session class; rather, you have to have a normal function that gets called right after session_start(). This solved my problems and allowed me to change the user's session_id when a session was hijacked. Also I turned COOKIES ONLY on using ini_set so users can no longer use the querystring. Now I need to figure out a way to check if cookies can be set; if not, don't allow them to use the site ;)

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
From codebowl at gmail.com Wed Aug 3 08:34:54 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Wed, 3 Aug 2005 08:34:54 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <42F046A3.4040507@omnistep.com>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a428005080116411feb1b5f@mail.gmail.com> <42EEB71D.2090504@iifwp.org> <8d9a428005080117156c2fa21a@mail.gmail.com> <42EEC220.4030401@iifwp.org> <8d9a428005080118177e9f2b2d@mail.gmail.com> <8d9a428005080118356ad04369@mail.gmail.com> <8d9a428005080206323ac36e21@mail.gmail.com> <42F046A3.4040507@omnistep.com>
Message-ID: <8d9a428005080305344c2c261e@mail.gmail.com>

Rolan,

I have been trying to think of a method to use that wouldn't rely on the IP at all, however I can't base it on the user agent because how many people use IE and/or Firefox? I cannot base it on the session id as that is what I am detecting someone hijacked and then I destroy the session. What else could I check? I guess I could use some javascript on the main page to grab some odd info from the user, maybe something about their hardware, but I am not sure how that would go. I am sure Amazon, etc. don't do that but yet they still secure their sessions..... How?

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
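The pieces of this thread put together as one added example, not Joseph's class or any code posted to the list: the check runs as a plain function right after session_start() (Joseph's conclusion), IDs are accepted from cookies only, the session is bound to a keyed User-Agent fingerprint rather than the IP alone (Rolan's AOL point), a mismatching client gets a fresh empty session while the original owner's data is left alone (what Joseph asked for), and Daniel's PHPSESSID cookie test from the "PHP Sessions on windows" thread is a small helper. The secret, the $_SESSION key names and the request data in the CLI demo are placeholders I constructed.

```php
<?php
declare(strict_types=1);

// Placeholder secret: in a deployment, load it from configuration, not source.
const FINGERPRINT_SECRET = 'placeholder-secret-load-from-config';

// Lock the configuration down before session_start(): IDs come from cookies
// only (Joseph's "COOKIES ONLY"), IDs the server never issued are rejected,
// and the cookie is kept away from script.
function configure_session(): void
{
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    ini_set('session.cookie_httponly', '1');
}

// HMAC of the User-Agent under a server secret. The UA alone is a weak
// identifier (plenty of people run the same IE or Firefox build, as Joseph
// notes); keyed with the secret it at least cannot be computed off-server.
function session_fingerprint(array $server): string
{
    return hash_hmac('sha256', $server['HTTP_USER_AGENT'] ?? '', FINGERPRINT_SECRET);
}

// Daniel's check: once a session has been issued, a cooperating browser sends
// the session cookie back on every later request; if it is missing, the
// client is not keeping cookies and cannot hold a session under use_only_cookies.
function client_returned_session_cookie(array $cookie): bool
{
    return isset($cookie[session_name()]);
}

// Call right after session_start(). Returns true when the session is accepted,
// false when this client was moved to a fresh, empty session.
function session_guard(array $server): bool
{
    $expected = session_fingerprint($server);
    $ip       = $server['REMOTE_ADDR'] ?? '';

    if (!isset($_SESSION['_fp'])) {
        // First request under this ID: bind it to the client.
        $_SESSION['_fp'] = $expected;
        $_SESSION['_ip'] = $ip;
        return true;
    }

    if (hash_equals($_SESSION['_fp'], $expected)) {
        // The IP is only a soft signal: AOL-style proxies rotate addresses
        // mid-session (Rolan's point), so a change is logged, not punished.
        if ($ip !== $_SESSION['_ip']) {
            error_log(sprintf('session %s: IP changed %s -> %s', session_id(), $_SESSION['_ip'], $ip));
        }
        return true;
    }

    // Fingerprint mismatch. Discard the in-memory copy without saving, so the
    // stored data of the original owner is untouched (Joseph did not want to
    // be logged out by someone else's attempt), and give this client a new,
    // empty session under a new ID. Destroying the old session too would be
    // the stricter choice.
    session_abort();
    session_id(session_create_id());
    session_start();
    $_SESSION['_fp'] = $expected;
    $_SESSION['_ip'] = $ip;
    return false;
}

// CLI demonstration with constructed request data: the second "request"
// presents the same session from a different browser.
if (PHP_SAPI === 'cli') {
    configure_session();
    $req1 = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (constructed browser A)', 'REMOTE_ADDR' => '203.0.113.10'];
    $req2 = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (constructed browser B)', 'REMOTE_ADDR' => '203.0.113.10'];
    session_start();
    $first = session_id();
    $accepted1 = session_guard($req1);
    $accepted2 = session_guard($req2);
    $moved     = $first !== session_id();
    session_write_close();
    var_dump($accepted1, $accepted2, $moved);
}
```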
From dmintz at davidmintz.org Wed Aug 3 09:34:58 2005
From: dmintz at davidmintz.org (David Mintz)
Date: Wed, 3 Aug 2005 09:34:58 -0400 (EDT)
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <8d9a428005080305344c2c261e@mail.gmail.com>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a428005080116411feb1b5f@mail.gmail.com> <42EEB71D.2090504@iifwp.org> <8d9a428005080117156c2fa21a@mail.gmail.com> <42EEC220.4030401@iifwp.org> <8d9a428005080118177e9f2b2d@mail.gmail.com> <8d9a428005080118356ad04369@mail.gmail.com> <8d9a428005080206323ac36e21@mail.gmail.com> <42F046A3.4040507@omnistep.com> <8d9a428005080305344c2c261e@mail.gmail.com>
Message-ID:

On Wed, 3 Aug 2005, Joseph Crawford wrote:
> Rolan,
>
> I have been trying to think of a method to use that wouldn't rely on the IP
> at all, however I can't base it on the user agent because how many people use
> IE and/or Firefox? I cannot base it on the session id as that is what I am
> detecting someone hijacked and then I destroy the session. What else could I
> check? I guess I could use some javascript on the main page to grab some odd
> info from the user, maybe something about their hardware, but I am not sure
> how that would go. I am sure Amazon, etc. don't do that but yet they still
> secure their sessions..... How?

Here's a possibility you should look at (sorry if I'm repeating myself):

http://shiflett.org/code/http-developers-handbook/state_example.phps
http://shiflett.org/code/http-developers-handbook/session_example.phps

---
David Mintz
http://davidmintz.org/

From lists at zaunere.com Wed Aug 3 10:35:29 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Wed, 3 Aug 2005 10:35:29 -0400
Subject: [nycphp-talk] SQL "WHERE" conditions in an array
In-Reply-To:
Message-ID: <0MKpFH-1E0KLD1M9G-0006Qm@mrelay.perfora.net>

Odra,

This still is the place to ask questions - perhaps there was a misunderstanding.
Please post your question again (in plain text) and we'll see what we can do.

---
Hans Zaunere
President, Founder
New York PHP
http://www.nyphp.org

AMP Technology
Supporting Apache, MySQL and PHP

From codebowl at gmail.com Wed Aug 3 10:48:31 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Wed, 3 Aug 2005 10:48:31 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To:
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <42EEB71D.2090504@iifwp.org> <8d9a428005080117156c2fa21a@mail.gmail.com> <42EEC220.4030401@iifwp.org> <8d9a428005080118177e9f2b2d@mail.gmail.com> <8d9a428005080118356ad04369@mail.gmail.com> <8d9a428005080206323ac36e21@mail.gmail.com> <42F046A3.4040507@omnistep.com> <8d9a428005080305344c2c261e@mail.gmail.com>
Message-ID: <8d9a428005080307484a7425df@mail.gmail.com>

Ok so I finally got the session stuff working, everything is working as expected... almost.

If you go to http://codebowl.homelinux.net:8001/csaf/test.php and refresh a few times, keep your eye on the Type icon. Then click the Test2 link, notice the Type icon hasn't changed; refresh, it changes. Everything seems to be 1 page behind. Anyone know of a workaround for this, aside from adding a refresh to each page?

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
From codebowl at gmail.com Wed Aug 3 10:55:35 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Wed, 3 Aug 2005 10:55:35 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <8d9a428005080307484a7425df@mail.gmail.com>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a428005080117156c2fa21a@mail.gmail.com> <42EEC220.4030401@iifwp.org> <8d9a428005080118177e9f2b2d@mail.gmail.com> <8d9a428005080118356ad04369@mail.gmail.com> <8d9a428005080206323ac36e21@mail.gmail.com> <42F046A3.4040507@omnistep.com> <8d9a428005080305344c2c261e@mail.gmail.com> <8d9a428005080307484a7425df@mail.gmail.com>
Message-ID: <8d9a4280050803075569ba289@mail.gmail.com>

I should also note that it's not a cache issue, as I have added the following meta tags to both test.php and test2.php and it still lags by one refresh.

This only happens to the record for the active user. I understand why it happens; what I don't understand is how I can do a workaround. It loads test2.php, reads the sessions, writes the new session and shows the page; what I need is for it to write then read ;)

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
From dcech at phpwerx.net Wed Aug 3 10:57:15 2005
From: dcech at phpwerx.net (Dan Cech)
Date: Wed, 03 Aug 2005 10:57:15 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <8d9a428005080307484a7425df@mail.gmail.com>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <42EEB71D.2090504@iifwp.org> <8d9a428005080117156c2fa21a@mail.gmail.com> <42EEC220.4030401@iifwp.org> <8d9a428005080118177e9f2b2d@mail.gmail.com> <8d9a428005080118356ad04369@mail.gmail.com> <8d9a428005080206323ac36e21@mail.gmail.com> <42F046A3.4040507@omnistep.com> <8d9a428005080305344c2c261e@mail.gmail.com> <8d9a428005080307484a7425df@mail.gmail.com>
Message-ID: <42F0DB4B.8050103@phpwerx.net>

Joseph,

That is because the session data is not written until you close the page, so the updated data isn't visible until the page is refreshed.

If you want to be able to see the current data, you need to rework the way the system is designed to write that data on page load rather than when the session is saved, or determine it on page load, store/display it in/from a global variable and write it with the session.

Dan

Joseph Crawford wrote:
> ok so I finally got the session stuff working, everything is working as
> expected... almost
>
> if you go to
> http://codebowl.homelinux.net:8001/csaf/test.php
> and refresh a few times, keep your eye on the Type icon. then click the
> Test2 link, notice the Type icon hasn't changed, refresh it changes.
> Everything seems to be 1 page behind. Anyone know of a workaround for this,
> aside from adding a refresh to each page.
From hendler at simmons.edu Wed Aug 3 10:56:59 2005 From: hendler at simmons.edu (Jonathan) Date: Wed, 03 Aug 2005 10:56:59 -0400 Subject: [nycphp-talk] Experts help needed (Sessions) In-Reply-To: <8d9a428005080307484a7425df@mail.gmail.com> References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <42EEB71D.2090504@iifwp.org> <8d9a428005080117156c2fa21a@mail.gmail.com> <42EEC220.4030401@iifwp.org> <8d9a428005080118177e9f2b2d@mail.gmail.com> <8d9a428005080118356ad04369@mail.gmail.com> <8d9a428005080206323ac36e21@mail.gmail.com> <42F046A3.4040507@omnistep.com> <8d9a428005080305344c2c261e@mail.gmail.com> <8d9a428005080307484a7425df@mail.gmail.com> Message-ID: <42F0DB3B.4030801@simmons.edu> If I understand your issue, the session needs one extra step to refresh: I used to do a "redirect" , not a html refresh if that's what you mean. a header('location: etc etc'); I am not sure why sessions lag one step behind. Joseph Crawford wrote: > ok so i finally got the session stuff working, everything is working > as expected... almost > > if you go to > http://codebowl.homelinux.net:8001/csaf/test.php > and refresh a few times, keep your eye on the Type icon. then click > the Test2 link, notice the Type icon hasnt changed, refresh it > changes. Everything seems to be 1 page behind. Anyone know of a work > around for this, aside from adding a refresh to each page. > > -- > Joseph Crawford Jr. > Codebowl Solutions, Inc. 
> 1-802-671-2021
> codebowl at gmail.com
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org

From codebowl at gmail.com Wed Aug 3 11:01:54 2005
From: codebowl at gmail.com (Joseph Crawford) Date: Wed, 3 Aug 2005 11:01:54 -0400 Subject: [nycphp-talk] Experts help needed (Sessions) In-Reply-To: <42F0DB3B.4030801@simmons.edu> References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <42EEC220.4030401@iifwp.org> <8d9a428005080118177e9f2b2d@mail.gmail.com> <8d9a428005080118356ad04369@mail.gmail.com> <8d9a428005080206323ac36e21@mail.gmail.com> <42F046A3.4040507@omnistep.com> <8d9a428005080305344c2c261e@mail.gmail.com> <8d9a428005080307484a7425df@mail.gmail.com> <42F0DB3B.4030801@simmons.edu> Message-ID: <8d9a4280050803080154d41465@mail.gmail.com>

Dan,

thanks for the info, i was trying to determine if i could make php's internal sessions read before write but i guess it cannot, i will have to do one of 2 things.

1.) create my own session management
2.) create the work around storing the values in the session as you suggested.

Jonathan,

it is always one step behind because of the way sessions work, it reads the current session then writes the new session. so it's reading the old and writing the new, i am not sure if there is a way to make php's session write then read or not, i also don't know if that would be logical to do.

-- Joseph Crawford Jr. Codebowl Solutions, Inc. 1-802-671-2021 codebowl at gmail.com
From dcech at phpwerx.net Wed Aug 3 11:15:34 2005
From: dcech at phpwerx.net (Dan Cech) Date: Wed, 03 Aug 2005 11:15:34 -0400 Subject: [nycphp-talk] Experts help needed (Sessions) In-Reply-To: <8d9a4280050803080154d41465@mail.gmail.com> References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <42EEC220.4030401@iifwp.org> <8d9a428005080118177e9f2b2d@mail.gmail.com> <8d9a428005080118356ad04369@mail.gmail.com> <8d9a428005080206323ac36e21@mail.gmail.com> <42F046A3.4040507@omnistep.com> <8d9a428005080305344c2c261e@mail.gmail.com> <8d9a428005080307484a7425df@mail.gmail.com> <42F0DB3B.4030801@simmons.edu> <8d9a4280050803080154d41465@mail.gmail.com> Message-ID: <42F0DF96.1050200@phpwerx.net>

Joseph,

There is nothing stopping you from updating the session record from within the session read callback, and in fact it can be beneficial because your write function will then always have a record to update, and doesn't need to worry about insert capability.

Dan

Joseph Crawford wrote:
> Dan,
>
> thanks for the info, i was trying to determine if i could make php's internal
> sessions read before write but i guess it cannot, i will have to do one of 2
> things.
>
> 1.) create my own session management
> 2.) create the work around storing the values in the session as you
> suggested.
From codebowl at gmail.com Wed Aug 3 11:18:51 2005
From: codebowl at gmail.com (Joseph Crawford) Date: Wed, 3 Aug 2005 11:18:51 -0400 Subject: [nycphp-talk] Experts help needed (Sessions) In-Reply-To: <42F0DF96.1050200@phpwerx.net> References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a428005080118356ad04369@mail.gmail.com> <8d9a428005080206323ac36e21@mail.gmail.com> <42F046A3.4040507@omnistep.com> <8d9a428005080305344c2c261e@mail.gmail.com> <8d9a428005080307484a7425df@mail.gmail.com> <42F0DB3B.4030801@simmons.edu> <8d9a4280050803080154d41465@mail.gmail.com> <42F0DF96.1050200@phpwerx.net> Message-ID: <8d9a4280050803081817147182@mail.gmail.com>

Dan,

the issue with the read method is this.

when session_start() is called the user type is unknown. the user type is set when i do

$user = new Admin();
$user = new Client();
etc..

i am trying to think of a way to make this take place before the session_start because then it would work fine i think. Right now if i use the read method it registers every user as a Guest.

-- Joseph Crawford Jr. Codebowl Solutions, Inc. 1-802-671-2021 codebowl at gmail.com
From dcech at phpwerx.net Wed Aug 3 11:28:10 2005
From: dcech at phpwerx.net (Dan Cech) Date: Wed, 03 Aug 2005 11:28:10 -0400 Subject: [nycphp-talk] Experts help needed (Sessions) In-Reply-To: <8d9a4280050803081817147182@mail.gmail.com> References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a428005080118356ad04369@mail.gmail.com> <8d9a428005080206323ac36e21@mail.gmail.com> <42F046A3.4040507@omnistep.com> <8d9a428005080305344c2c261e@mail.gmail.com> <8d9a428005080307484a7425df@mail.gmail.com> <42F0DB3B.4030801@simmons.edu> <8d9a4280050803080154d41465@mail.gmail.com> <42F0DF96.1050200@phpwerx.net> <8d9a4280050803081817147182@mail.gmail.com> Message-ID: <42F0E28A.8020105@phpwerx.net>

Joseph,

In that case just have your script insert/update the session table with the page-specific data when you know it, like:

1. start session
2. check logins, etc
3. insert/update session page data/type/etc
4. do real processing
5. save session data

you would probably want to only use the save callback (step 5) to update the actual session contents, and use your own script to manage the rest of the data (in step 3).

Adding a lock field to the session table may not be a bad idea either to prevent multiple or popup windows etc from messing up the session.

Dan

Joseph Crawford wrote:
> Dan,
>
> the issue with the read method is this.
>
> when session_start() is called the user type is unknown. the user type is
> set when i do
>
> $user = new Admin();
> $user = new Client();
> etc..
>
> i am trying to think of a way to make this take place before the
> session_start because then it would work fine i think. Right now if i use
> the read method it registers every user as a Guest.
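One way to lay out the five steps above in a custom save handler, as an added example that is not code from the thread or from Joseph's class: read() inserts the row when it is missing (the point made two messages earlier that write() then only ever has to UPDATE), a separate touch() method records the page and user type the moment the script knows them (step 3), and write() saves only the serialized session contents (step 5). PHP 8, the PDO connection, the in-memory SQLite table, the user_type column, the touch() name and the stand-in login check are all assumptions made for this example; the other column names follow the session table discussed earlier in the thread.

```php
<?php
// Added example for this thread, not code from Joseph's class or from the
// list. Assumptions: PHP 8, a PDO connection, a "sessions" table with the
// columns used earlier in the thread (ses_id, ses_time, ses_start, page, ip,
// ses_value) plus a hypothetical user_type column for the step-3 data.
declare(strict_types=1);

final class DbSessionHandler implements SessionHandlerInterface
{
    // $table is a trusted constant chosen by the application, never request data.
    public function __construct(private PDO $db, private string $table = 'sessions') {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    // Step 1 (session_start): read() inserts the row on first sight, so
    // write() only ever needs an UPDATE and no insert fallback.
    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare("SELECT ses_value FROM {$this->table} WHERE ses_id = ?");
        $stmt->execute([$id]);
        $value = $stmt->fetchColumn();
        if ($value === false) {
            $now = time();
            $ins = $this->db->prepare(
                "INSERT INTO {$this->table} (ses_id, ses_time, ses_start, page, ip, ses_value)"
                . " VALUES (?, ?, ?, ?, ?, '')"
            );
            $ins->execute([$id, $now, $now, $_SERVER['REQUEST_URI'] ?? '', $_SERVER['REMOTE_ADDR'] ?? '']);
            return '';
        }
        return (string) $value;
    }

    // Step 3: the script calls this as soon as the user type is known, so the
    // page/type columns are current for every later query in this request.
    public function touch(string $id, string $page, string $userType): void
    {
        $stmt = $this->db->prepare(
            "UPDATE {$this->table} SET ses_time = ?, page = ?, user_type = ? WHERE ses_id = ?"
        );
        $stmt->execute([time(), $page, $userType, $id]);
    }

    // Step 5: the save callback touches only the serialized session contents.
    public function write(string $id, string $data): bool
    {
        $stmt = $this->db->prepare("UPDATE {$this->table} SET ses_time = ?, ses_value = ? WHERE ses_id = ?");
        return $stmt->execute([time(), $data, $id]);
    }

    public function destroy(string $id): bool
    {
        $stmt = $this->db->prepare("DELETE FROM {$this->table} WHERE ses_id = ?");
        return $stmt->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare("DELETE FROM {$this->table} WHERE ses_time < ?");
        $stmt->execute([time() - $max_lifetime]);
        return $stmt->rowCount();
    }
}

// The page flow from the reply above, using an in-memory SQLite database
// constructed here so the example runs from the command line.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE sessions (ses_id TEXT PRIMARY KEY, ses_time INTEGER, ses_start INTEGER,'
        . ' page TEXT, ip TEXT, user_type TEXT, ses_value TEXT)');
$handler = new DbSessionHandler($db);
session_set_save_handler($handler, true);

session_start();                                                   // 1. read() creates the row
$userType = isset($_SESSION['user_id']) ? 'Client' : 'Guest';      // 2. stand-in for the real login check
$page     = $_SERVER['REQUEST_URI'] ?? '/cli';
$handler->touch(session_id(), $page, $userType);                   // 3. page data visible immediately
$_SESSION['last_page'] = $page;                                    // 4. real processing
session_write_close();                                             // 5. write() saves ses_value only

print_r($db->query('SELECT ses_id, page, user_type, ses_value FROM sessions')->fetchAll(PDO::FETCH_ASSOC));
```

Every statement is prepared with bound parameters so that the session id, which arrives in a cookie the client controls, is never interpolated into SQL. The lock field Dan mentions is not shown; a simple version is an UPDATE of a locked flag in read() and a reset in write(), with a timeout so a crashed request cannot wedge the session.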
From codebowl at gmail.com Wed Aug 3 11:55:26 2005 From: codebowl at gmail.com (Joseph Crawford) Date: Wed, 3 Aug 2005 11:55:26 -0400 Subject: [nycphp-talk] Chris Shiftlett's Session Example Message-ID: <8d9a428005080308555e1ba271@mail.gmail.com> http://shiflett.org/code/http-developers-handbook/session_example.phps guys i have a few questions about this. here is the snipplet i am concerned with # Make sure the user agent is correct $ua_should_be = urldecode($parsed_cookie['ua']); if ($_SERVER['HTTP_USER_AGENT'] != $ua_should_be) { $identity_validated = false; } does that seem redundant to anyone else? Why would you store a value in a cookie (on the clients machine) and then use that to compare to php's HTTP_USER_AGENT, couldnt the client just edit the cookie to be the same? Then once they go to the page it will see it as valid. -- Joseph Crawford Jr. Codebowl Solutions, Inc. 1-802-671-2021 codebowl at gmail.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From ken at secdat.com Wed Aug 3 12:18:07 2005 From: ken at secdat.com (Kenneth Downs) Date: Wed, 3 Aug 2005 12:18:07 -0400 (EDT) Subject: [nycphp-talk] SQL 'WHERE' conditions in an array In-Reply-To: References: Message-ID: <36297.38.117.147.25.1123085887.squirrel@38.117.147.25> You may want to look up "binary decision trees". This is not precisely what you are looking for but it is closely related and may give you some background. The basic idea behind any generated SQL statement is the fact that SQL statements that follow certain rules can themselves can be stored entirely in scalar data. Imagine this simple array: $Query = Array ( "tables"=> Array ( [0] = Array ( "table_name"=>"customers" ) ) ) or the more detailed: $Query = Array ( "tables"=> Array ( [0] = Array ( "table_name"=>"customers" "columns"=> Array ( "column1", "column2", "column3" ) ) ) ) Your code just loops through building a SELECT clause from the tables. 
If it cannot find the "columns" sub-array it puts in "*", else it lists the columns in that array. Everything else is just an embellishment of this, and of course remember TIMTOWTDI. > Hello, > A while ago I've seen some code (function) to build SQL queries. It took a > multidimentional associative array to build complex WHERE conditions. > That's > the feature that I really liked. I'm trying to find it again to no avail. > Can someone point me to that code please? > > Thanks, > Olaf > _______________________________________________ > New York PHP Talk Mailing List > AMP Technology > Supporting Apache, MySQL and PHP > http://lists.nyphp.org/mailman/listinfo/talk > http://www.nyphp.org -- Kenneth Downs Secure Data Software 631-379-0010 ken at secdat.com PO Box 708 East Setauket, NY 11733 From credulity at gmail.com Wed Aug 3 19:46:22 2005 From: credulity at gmail.com (pete) Date: Wed, 03 Aug 2005 19:46:22 -0400 Subject: [nycphp-talk] http analyzer Message-ID: <42F1574E.3050605@gmail.com> I am the original poster of the http analyzer thread. I have been following the thread and find it very interesting. I ma intrigued by: http://www.portswigger.net/proxy/ > http://www.xk72.com/charles/ I will try both. They both seem to be java based. At one time I learned java. I always thought it was slow. At least on my pentium II 450 MHZ 512 meg win XP. Thnaks all. I will keep following this thread. Pete From nasir81 at gmail.com Wed Aug 3 21:30:10 2005 From: nasir81 at gmail.com (Nasir Zubair) Date: Wed, 3 Aug 2005 21:30:10 -0400 Subject: [nycphp-talk] Chris Shiftlett's Session Example In-Reply-To: <8d9a428005080308555e1ba271@mail.gmail.com> References: <8d9a428005080308555e1ba271@mail.gmail.com> Message-ID: <40fcda73050803183054f0ff40@mail.gmail.com> One thing that comes to mind is that sometimes users will hand off the URL with session ID to a robot (downloader/screen scraper), which can emulate the USER_AGENT. 
However, if you store it in the cookie as well, you'll know when the robot is unable to reproduce the cookie variables. Just a thought. On 8/3/05, Joseph Crawford wrote: > http://shiflett.org/code/http-developers-handbook/session_example.phps > > guys i have a few questions about this. > > here is the snipplet i am concerned with > > # Make sure the user agent is correct > $ua_should_be = urldecode($parsed_cookie['ua']); > if ($_SERVER ['HTTP_USER_AGENT'] != $ua_should_be) > { > $identity_validated = false; > } > > does that seem redundant to anyone else? Why would you store a value in a > cookie (on the clients machine) and then use that to compare to php's > HTTP_USER_AGENT, couldnt the client just edit the cookie to be the same? > Then once they go to the page it will see it as valid. > > > -- > Joseph Crawford Jr. > Codebowl Solutions, Inc. > 1-802-671-2021 > codebowl at gmail.com > _______________________________________________ > New York PHP Talk Mailing List > AMP Technology > Supporting Apache, MySQL and PHP > http://lists.nyphp.org/mailman/listinfo/talk > http://www.nyphp.org > > -- Nasir Zubair http://www.nasir.us/ From danielc at analysisandsolutions.com Wed Aug 3 22:34:16 2005 From: danielc at analysisandsolutions.com (Daniel Convissor) Date: Wed, 3 Aug 2005 22:34:16 -0400 Subject: [nycphp-talk] SQL "WHERE" conditions in an array In-Reply-To: References: <20050802200245.GB28500@panix.com> Message-ID: <20050804023416.GA5516@panix.com> Hi Odra: I misread your email. Sorry. 
--Dan

-- T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y data intensive web and database programming http://www.AnalysisAndSolutions.com/ 4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409

From nasir81 at gmail.com Wed Aug 3 23:32:31 2005
From: nasir81 at gmail.com (Nasir Zubair) Date: Wed, 3 Aug 2005 23:32:31 -0400 Subject: [nycphp-talk] [OT] Apache2 INIT script Message-ID: <40fcda7305080320324d21d7f8@mail.gmail.com>

Hi all,

I've installed Apache2 on my CentOS box, however, I cannot get it to load SSL when it starts with the system. It only starts Apache on port 80, without SSL. My installation is done from the source. However, I did take apart the 2.0.52 RPM from CentOS. The init script it provides didn't help either.

Can anyone point me in the right direction?

-- Nasir Zubair http://www.nasir.us/

From codebowl at gmail.com Thu Aug 4 08:58:59 2005
From: codebowl at gmail.com (Joseph Crawford) Date: Thu, 4 Aug 2005 08:58:59 -0400 Subject: [nycphp-talk] Experts help needed (Sessions) In-Reply-To: <42F0E28A.8020105@phpwerx.net> References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <42F046A3.4040507@omnistep.com> <8d9a428005080305344c2c261e@mail.gmail.com> <8d9a428005080307484a7425df@mail.gmail.com> <42F0DB3B.4030801@simmons.edu> <8d9a4280050803080154d41465@mail.gmail.com> <42F0DF96.1050200@phpwerx.net> <8d9a4280050803081817147182@mail.gmail.com> <42F0E28A.8020105@phpwerx.net> Message-ID: <8d9a428005080405587f7c4900@mail.gmail.com>

guys is this a bit better way to check session validity?
define('SES_KEY', md5('custom_string'.$_ENV['PROCESSOR_REVISION'].$_ENV['PROCESSOR_ARCHITECTURE'].$_ENV['PROCESSOR_LEVEL'].'custon_string'));

$this->_key = md5($_SERVER['HTTP_USER_AGENT'].SES_KEY.$ses_id);

that value is created and stored in the db on session start, then in my CheckSession function i am doing this

if( $key !== $data['identifier'] )

this ends up creating an identifier similar to this

733f97f78f00cd6d2f0d7955698ebac4a2aad2e4fb76d0a5862838e087a20251

this is based on the user's agent, the initial session key, and some server stuff with some custom strings that i put in there.

This works just fine, i just wanted to know if it would be easy for someone to hijack a session with this added security. I am also wondering if i should set a cookie, i am not yet sure that i want the user to be able to log back in after they close their browser, i mean at least not without going through the login form

-- Joseph Crawford Jr. Codebowl Solutions, Inc. 1-802-671-2021 codebowl at gmail.com
From codebowl at gmail.com Thu Aug 4 09:11:39 2005
From: codebowl at gmail.com (Joseph Crawford) Date: Thu, 4 Aug 2005 09:11:39 -0400 Subject: [nycphp-talk] Experts help needed (Sessions) In-Reply-To: <8d9a428005080405587f7c4900@mail.gmail.com> References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a428005080305344c2c261e@mail.gmail.com> <8d9a428005080307484a7425df@mail.gmail.com> <42F0DB3B.4030801@simmons.edu> <8d9a4280050803080154d41465@mail.gmail.com> <42F0DF96.1050200@phpwerx.net> <8d9a4280050803081817147182@mail.gmail.com> <42F0E28A.8020105@phpwerx.net> <8d9a428005080405587f7c4900@mail.gmail.com> Message-ID: <8d9a428005080406114cf555e@mail.gmail.com>

I have also implemented this function

function str_mix($str1, $str2)
{
    // Both inputs must be the same length, otherwise the interleave is undefined
    if (strlen($str1) != strlen($str2)) {
        return FALSE;
    }
    $len1   = strlen($str1);
    $string = '';
    // Offsets run 0 .. len-1; the original loop used <= and read one byte past the end
    for ($x = 0; $x < $len1; $x++) {
        $string .= $str1[$x] . $str2[$x];   // [] offsets; the {} form was removed in PHP 8
    }
    return $string;
}

i thought of using str_shuffle but that gives different results every time, this basically just takes the 1st letter from the 1st string and the 1st letter from the 2nd string, combines, etc.. basically every other letter is string1, every other letter is string2.

-- Joseph Crawford Jr. Codebowl Solutions, Inc. 1-802-671-2021 codebowl at gmail.com
From dcech at phpwerx.net Thu Aug 4 09:40:37 2005
From: dcech at phpwerx.net (Dan Cech) Date: Thu, 04 Aug 2005 09:40:37 -0400 Subject: [nycphp-talk] Experts help needed (Sessions) In-Reply-To: <8d9a428005080405587f7c4900@mail.gmail.com> References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <42F046A3.4040507@omnistep.com> <8d9a428005080305344c2c261e@mail.gmail.com> <8d9a428005080307484a7425df@mail.gmail.com> <42F0DB3B.4030801@simmons.edu> <8d9a4280050803080154d41465@mail.gmail.com> <42F0DF96.1050200@phpwerx.net> <8d9a4280050803081817147182@mail.gmail.com> <42F0E28A.8020105@phpwerx.net> <8d9a428005080405587f7c4900@mail.gmail.com> Message-ID: <42F21AD5.4030002@phpwerx.net>

Joseph,

Your function would work the same way if it was:

$this->_key = $_SERVER['HTTP_USER_AGENT'];

If the attacker spoofs the client's HTTP_USER_AGENT string as well as the session id they will pass the test.

Thus it doesn't actually provide any real added protection against session hijacking, because any attacker who can get hold of the session id will also be able to determine and spoof the user agent string.

I wish I had a 'silver bullet' solution to the problem that I could recommend to you, but I don't.

Dan

Joseph Crawford wrote:
> guys is this a bit better way to check session validity?
>
> define('SES_KEY',
> md5('custom_string'.$_ENV['PROCESSOR_REVISION'].$_ENV['PROCESSOR_ARCHITECTURE'].$_ENV['PROCESSOR_LEVEL'].'custon_string'));
>
> $this->_key = md5($_SERVER['HTTP_USER_AGENT'].SES_KEY.$ses_id);
>
> that value is created and stored in the db on session start, then in my
> CheckSession function i am doing this
>
> if( $key !== $data['identifier'] )
>
> this ends up creating an identifier similar to this
>
> 733f97f78f00cd6d2f0d7955698ebac4a2aad2e4fb76d0a5862838e087a20251
>
> this is based on the users agent, the initial session key, and some server
> stuff with some custom strings that i put in there.
>
> This works just fine i just wanted to know if it would be easy for someone
> to hijack a session with this added security. I am also wondering if i
> should set a cookie, i am not yet sure that i want the user to be able to
> log back in after they close their browser, i mean at least not without going
> through the login form

From codebowl at gmail.com Thu Aug 4 09:43:39 2005
From: codebowl at gmail.com (Joseph Crawford) Date: Thu, 4 Aug 2005 09:43:39 -0400 Subject: [nycphp-talk] Experts help needed (Sessions) In-Reply-To: <42F21AD5.4030002@phpwerx.net> References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a428005080307484a7425df@mail.gmail.com> <42F0DB3B.4030801@simmons.edu> <8d9a4280050803080154d41465@mail.gmail.com> <42F0DF96.1050200@phpwerx.net> <8d9a4280050803081817147182@mail.gmail.com> <42F0E28A.8020105@phpwerx.net> <8d9a428005080405587f7c4900@mail.gmail.com> <42F21AD5.4030002@phpwerx.net> Message-ID: <8d9a428005080406432dd58d5a@mail.gmail.com>

Dan,

thanks for pointing this out, i just thought that basing the identifier on more than just the client's stuff would help a bit, but i guess you're right, the server stuff really won't make a difference. I would incorporate time() but then when i compare they won't be the same since i will have to re-generate the id, that is unless i use ses_start time, that never changes.

i have some ideas i am going to flow with, thanks... :)

-- Joseph Crawford Jr. Codebowl Solutions, Inc. 1-802-671-2021 codebowl at gmail.com
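A fingerprint built the way Joseph describes (md5 over the user agent, a server key and the session id) is, as Dan says, only as strong as the attacker's ignorance of the victim's User-Agent. The block below is an added example, not code from the thread: it keys the hash with a server-side secret (hash_hmac rather than md5 over a concatenation), compares in constant time, and deliberately leaves the session id out of the hashed input so that session_regenerate_id() can be called at login without invalidating the stored fingerprint. It then runs the two cases Dan distinguishes, a stolen id from a different client and a stolen id with a copied User-Agent. SESSION_SECRET, the function names and the sample User-Agent strings are the example's own assumptions.

```php
<?php
// Added example, not code from the thread. SESSION_SECRET, the function
// names and the sample User-Agent strings are assumptions made here.
declare(strict_types=1);

// Server-side secret. It stops an attacker from forging the stored value,
// but not from reproducing the input if they also know the User-Agent.
const SESSION_SECRET = 'replace-with-32-random-bytes-kept-outside-the-web-root';

// Keyed hash over the client attributes the server binds the session to.
// The session id is deliberately NOT part of the input, so the id can be
// rotated without invalidating the fingerprint.
function session_fingerprint(string $userAgent): string
{
    return hash_hmac('sha256', $userAgent, SESSION_SECRET);
}

// True when the fingerprint stored at login matches the current request.
// hash_equals() avoids leaking the position of the first differing byte.
function session_check(string $stored, string $userAgent): bool
{
    return hash_equals($stored, session_fingerprint($userAgent));
}

// Call once after a successful login (privilege change), not on every page
// load: per-request rotation breaks the back button and concurrent windows,
// while rotation at login is what defeats session fixation.
function rotate_session_id(): void
{
    session_regenerate_id(true);   // true = discard the old session data
}

// Demonstration with a constructed victim User-Agent.
session_start();
$victimUa = 'Mozilla/5.0 (X11; Linux x86_64; rv:1.7) Gecko/20050414 Firefox/1.0.3';
$_SESSION['fp'] = session_fingerprint($victimUa);   // stored alongside the session at login
rotate_session_id();                                // id changes, fingerprint does not

$results = [
    // stolen id presented from a different client: rejected
    'other_browser' => session_check($_SESSION['fp'], 'curl/7.40.0'),
    // stolen id plus a copied User-Agent header: accepted, which is Dan's point
    'spoofed_ua'    => session_check($_SESSION['fp'], $victimUa),
];
session_write_close();
print_r($results);
```

Run from the command line, only the other_browser case fails; the spoofed_ua case passes, and both checks still work after the id has been rotated because the id was never part of the hash. The check therefore catches careless reuse of a leaked id, not a deliberate hijack, and the stronger controls are the ones the rest of the thread turns to: TLS so the id is not sniffed, rotating the id at login, and re-authenticating before sensitive actions.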
From andrew at plexpod.com Thu Aug 4 10:01:19 2005
From: andrew at plexpod.com (Andrew Yochum) Date: Thu, 4 Aug 2005 10:01:19 -0400 Subject: [nycphp-talk] [OT] Apache2 INIT script In-Reply-To: <40fcda7305080320324d21d7f8@mail.gmail.com> References: <40fcda7305080320324d21d7f8@mail.gmail.com> Message-ID: <20050804140119.GB31440@zoidberg.digitalpulp.com>

On Wed, Aug 03, 2005 at 11:32:31PM -0400, Nasir Zubair wrote:
> Hi all,
>
> I've installed Apache2 on my CentOS box, however, I cannot get it to
> load SSL when it starts with the system. It only start apache on port
> 80, without SSL. My installation is done from the source. However, I
> did take apart the 2.0.52 RPM from CentOS. The init script it provide
> didn't also help.
>
> Can anyone point me to the right direction?

I'm not 100% sure about the init scripts on CentOS, but you might need to add a "-D SSL" into your /etc/sysconfig/httpd file's OPTIONS var. I assume this is the same as the /etc/conf.d/apache2 in gentoo where I know that to be the case.

HTH,
Andrew

-- Andrew Yochum Plexpod andrew at plexpod.com 718-360-0879

From nasir81 at gmail.com Thu Aug 4 10:33:25 2005
From: nasir81 at gmail.com (Nasir Zubair) Date: Thu, 4 Aug 2005 10:33:25 -0400 Subject: [nycphp-talk] [OT] Apache2 INIT script In-Reply-To: <20050804140119.GB31440@zoidberg.digitalpulp.com> References: <40fcda7305080320324d21d7f8@mail.gmail.com> <20050804140119.GB31440@zoidberg.digitalpulp.com> Message-ID: <40fcda7305080407331a499af8@mail.gmail.com>

Thanks Andrew. I just added OPTIONS="-DSSL" to my /etc/rc.d/init.d/httpd. Worked like a charm.

It gave me a chuckle to see "-DSSLing httpd:" instead of "Starting httpd" :-)

On 8/4/05, Andrew Yochum wrote:
> On Wed, Aug 03, 2005 at 11:32:31PM -0400, Nasir Zubair wrote:
> > Hi all,
> >
> > I've installed Apache2 on my CentOS box, however, I cannot get it to
> > load SSL when it starts with the system. It only start apache on port
> > 80, without SSL. My installation is done from the source.
However, I > > did take apart the 2.0.52 RPM from CentOS. The init script it provide > > didn't also help. > > > > Can anyone point me to the right direction? > > I'm not 100% sure about the init scripts on CentOS, but you might need > to add a "-D SSL" into your /etc/sysconfig/httpd file's OPTIONS var. I > assume this is the same as the /etc/conf.d/apache2 in gentoo where I > know that to be the case. > > HTH, > Andrew > > -- > Andrew Yochum > Plexpod > andrew at plexpod.com > 718-360-0879 > _______________________________________________ > New York PHP Talk Mailing List > AMP Technology > Supporting Apache, MySQL and PHP > http://lists.nyphp.org/mailman/listinfo/talk > http://www.nyphp.org > -- Nasir Zubair http://www.nasir.us/ From andrew at plexpod.com Thu Aug 4 11:14:59 2005 From: andrew at plexpod.com (Andrew Yochum) Date: Thu, 4 Aug 2005 11:14:59 -0400 Subject: [nycphp-talk] [OT] Apache2 INIT script In-Reply-To: <40fcda7305080407331a499af8@mail.gmail.com> References: <40fcda7305080320324d21d7f8@mail.gmail.com> <20050804140119.GB31440@zoidberg.digitalpulp.com> <40fcda7305080407331a499af8@mail.gmail.com> Message-ID: <20050804150641.GC31440@zoidberg.digitalpulp.com> On Thu, Aug 04, 2005 at 10:33:25AM -0400, Nasir Zubair wrote: > Thank Andrew. I just added OPTIONS="-DSSL" to my > /etc/rc.d/init.d/httpd. Worked like a charm. Excellent. FYI, this works by defining a variable that trips apache's config into loading the SSL module. It is most likely in a block like this in your apache config: LoadModule ssl_module extramodules/mod_ssl.so Followed by the SSL config wrapped in a block that is conditional based on the module being loaded like: #SSL config... > It gave me a chuckle to see "-DSSLing httpd:" instead of "Starting httpd" :-) It is satisfying to see a flexible config systems work as expected and needed, huh? 
:-)

Regards,
Andrew

-- Andrew Yochum Plexpod andrew at plexpod.com 718-360-0879

From hendler at simmons.edu Thu Aug 4 11:33:13 2005
From: hendler at simmons.edu (Jonathan) Date: Thu, 04 Aug 2005 11:33:13 -0400 Subject: [nycphp-talk] Experts help needed (Sessions) In-Reply-To: <42F21AD5.4030002@phpwerx.net> References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <42F046A3.4040507@omnistep.com> <8d9a428005080305344c2c261e@mail.gmail.com> <8d9a428005080307484a7425df@mail.gmail.com> <42F0DB3B.4030801@simmons.edu> <8d9a4280050803080154d41465@mail.gmail.com> <42F0DF96.1050200@phpwerx.net> <8d9a4280050803081817147182@mail.gmail.com> <42F0E28A.8020105@phpwerx.net> <8d9a428005080405587f7c4900@mail.gmail.com> <42F21AD5.4030002@phpwerx.net> Message-ID: <42F23539.3030202@simmons.edu>

I agree that it is difficult to find a silver bullet solution. The internet itself has its limits with identity management, and perhaps that's good. Because of those limitations, security is as much about policy as technology.

Generally combining cookies (that can't be hijacked with cross-site scripting js), a server side script to create unique and user aware hashes, and SSL so the network is secure, works well.

There is a cost/benefit for a hijacking: if hijacking becomes increasingly complex, you have to be hiding something good to motivate anyone to come in. For example, if someone hijacked a user's session in your system, what's the worst they could do? Could they get credit card information and pictures of the user naked? Or would the user only be able to post to NYPHP in their name? If the second is true you can always log activity and communicate with the user, say sending an email confirmation like "You posted this" when you are really saying "Did you really post this?"

I mean, security is really just a /sense/ of security. It's easier to write code that works with sessions because it is a simple policy: once you log in, you're in.
But, if there is something particularly sensitive you may want to verify identity again, like asking for the password again, or a captcha, or sending an email. Sorry - I know I'm not giving code examples and you are in an implementation phase, but generally these steps have worked for me. - Jonathan Dan Cech wrote: >Joseph, > >Your function would work the same way if it was: > >$this->_key = $_SERVER['HTTP_USER_AGENT']; > >If the attacker spoofs the client's HTTP_USER_AGENT string as well as >the session id they will pass the test. > >Thus it doesn't actually provide any real added protection against >session hijacking, because any attacker who can get hold of the session >id will also be able to determine and spoof the user agent string. > >I wish I had a 'silver bullet' solution to the problem that I could >recommend to you, but I don't. > >Dan > >Joseph Crawford wrote: > > >>guys is this a bit better way to check session validity? >> >>define('SES_KEY', >>md5('custom_string'.$_ENV['PROCESSOR_REVISION'].$_ENV['PROCESSOR_ARCHITECTURE'].$_ENV['PROCESSOR_LEVEL'].'custon_string')); >> >>$this->_key = md5($_SERVER['HTTP_USER_AGENT'].SES_KEY.$ses_id); >> >>that value is created and stored in the db on session start, then in my >>CheckSession function i am doing this >> >>if( $key !== $data['identifier'] ) >> >>this ends up creating an identifier similar to this >> >>733f97f78f00cd6d2f0d7955698ebac4a2aad2e4fb76d0a5862838e087a20251 >> >>this is based on the users agent, the initial session key, and some server >>stuff with some custom strings that i put in there. >> >>This works just fine i just wanted to know if it would be easy for someone >>to hijack a session with this added security. 
>> I am also wondering if i
>> should set a cookie, i am not yet sure that i want the user to be able to
>> log back in after they close thier browser, i mean atleast not without going
>> through the login form

From codebowl at gmail.com Thu Aug 4 11:40:28 2005
From: codebowl at gmail.com (Joseph Crawford) Date: Thu, 4 Aug 2005 11:40:28 -0400 Subject: [nycphp-talk] Experts help needed (Sessions) In-Reply-To: <42F23539.3030202@simmons.edu> References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a428005080307484a7425df@mail.gmail.com> <42F0DB3B.4030801@simmons.edu> <8d9a4280050803080154d41465@mail.gmail.com> <42F0DF96.1050200@phpwerx.net> <8d9a4280050803081817147182@mail.gmail.com> <42F0E28A.8020105@phpwerx.net> <8d9a428005080405587f7c4900@mail.gmail.com> <42F21AD5.4030002@phpwerx.net> <42F23539.3030202@simmons.edu> Message-ID: <8d9a428005080408406d2728ae@mail.gmail.com>

I think i finally got everything working the way i want it, i generate the hash and store it alongside the session id, whenever the page is loaded it gets the hash from the db, and calculates the user's hash, if they match nothing is done, if they don't session_destroy is called and session_regenerate_id is called so the new user doesn't get the same session id as the one hijacked. Next i will implement a way to only do the check every X page loads for the user or something because every page querying this check could become resource intensive.
I took a look at implementing adam's suggestion of regenerating the session id with every page load, i looked at doing this and then updating the current db record with the new id etc.. this would work if my hash didnt include the current session_id. The way it is now if i regenerate every page, every other page thinks the session has been hijacked ;) Maybe sometime down the road i will look at implementing this ability as i am sure it's a small restructure problem but i think it's ok for now ;) Now i get to work on my user managment and permissions system, figure out how i am going to implement the roles and who has what role ;) -- Joseph Crawford Jr. Codebowl Solutions, Inc. 1-802-671-2021 codebowl at gmail.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From dcech at phpwerx.net Thu Aug 4 12:05:55 2005 From: dcech at phpwerx.net (Dan Cech) Date: Thu, 04 Aug 2005 12:05:55 -0400 Subject: [nycphp-talk] Experts help needed (Sessions) In-Reply-To: <8d9a428005080408406d2728ae@mail.gmail.com> References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a428005080307484a7425df@mail.gmail.com> <42F0DB3B.4030801@simmons.edu> <8d9a4280050803080154d41465@mail.gmail.com> <42F0DF96.1050200@phpwerx.net> <8d9a4280050803081817147182@mail.gmail.com> <42F0E28A.8020105@phpwerx.net> <8d9a428005080405587f7c4900@mail.gmail.com> <42F21AD5.4030002@phpwerx.net> <42F23539.3030202@simmons.edu> <8d9a428005080408406d2728ae@mail.gmail.com> Message-ID: <42F23CE3.201@phpwerx.net> Joseph, Sounds like you're making progress. As for changing the session id on every page load, this can easily break session support when the user clicks the 'back' button or opens multiple windows if not done very carefully. If you're looking for something to help you with managing an ACL type permissions system I would recommend phpGACL (http://phpgacl.sourceforge.net). 
I'm a little biased as I engineered its database structure, but it sounds like it may be what you're looking for.

Dan

Joseph Crawford wrote:
> I think I finally got everything working the way I want it. I generate the
> hash and store it alongside the session id; whenever the page is loaded it
> gets the hash from the db and calculates the user's hash. If they match,
> nothing is done; if they don't, session_destroy is called and
> session_regenerate_id is called so the new user doesn't get the same session
> id as the one hijacked. Next I will implement a way to only do the check
> every X page loads for the user or something, because every page querying
> this check could become resource intensive. I took a look at implementing
> Adam's suggestion of regenerating the session id with every page load. I
> looked at doing this and then updating the current db record with the new id
> etc. This would work if my hash didn't include the current session_id. The
> way it is now, if I regenerate every page, every other page thinks the
> session has been hijacked ;)
>
> Maybe sometime down the road I will look at implementing this ability, as I
> am sure it's a small restructure problem, but I think it's ok for now ;)
>
> Now I get to work on my user management and permissions system, and figure out
> how I am going to implement the roles and who has what role ;)

From codebowl at gmail.com Thu Aug 4 12:08:06 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Thu, 4 Aug 2005 12:08:06 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <42F23CE3.201@phpwerx.net>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a4280050803080154d41465@mail.gmail.com> <42F0DF96.1050200@phpwerx.net> <8d9a4280050803081817147182@mail.gmail.com> <42F0E28A.8020105@phpwerx.net> <8d9a428005080405587f7c4900@mail.gmail.com> <42F21AD5.4030002@phpwerx.net> <42F23539.3030202@simmons.edu> <8d9a428005080408406d2728ae@mail.gmail.com> <42F23CE3.201@phpwerx.net>
Message-ID: <8d9a42800508040908e8d3f35@mail.gmail.com>

Dan,

I looked into phpGACL and could not get it to work.

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com

From mwithington at PLMresearch.com Thu Aug 4 12:52:37 2005
From: mwithington at PLMresearch.com (Mark Withington)
Date: Thu, 4 Aug 2005 12:52:37 -0400
Subject: [nycphp-talk] Apache look back functionality and PHP
Message-ID: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358EF268F@network.PLMresearch.com>

I've been trying to use a PHP front-end script for ImageMagick as described at evolt.org (see http://www.evolt.org/article/PHP_front-end_to_ImageMagick/17/55650/ ). The script relies upon $_SERVER['PATH_INFO'] and Apache's look back to find the front-end script (magick.php). The idea of the magick.php script is to accept ImageMagick commands embedded in a URL.

Abstract:

"The script will enable us to give convert commands by changing the query string. Maybe a simple example will better explain this idea. You've got an image: http://wwww.example.com/img/image.jpg. You copy the ImageMagick script magick.php to the same directory. The image is now also available as http://www.example.com/img/magick.php/image.jpg. So far, your image hasn't changed. Now, imagine you want a thumbnail of the image with a width of exactly 200 pixels. You can get that image by requesting the url: http://www.example.com/img/magick.php/image.jpg?resize(200)."

For the life of me, I can't get Apache to look back and find the magick.php script; rather it simply looks at image.jpg and assumes it's a subdirectory. Has anyone had any experience with this script (a PHP front-end to ImageMagick as described at evolt.org) or Apache's look back functionality?

--------------------------
Mark L. Withington
PLMresearch
"eBusiness for the Midsize Enterprise"
PO Box 1354
Plymouth, MA 02362
o: 800-310-3992 ext. 704
f: 508-746-4973
v: 508-746-2383
m: 508-801-0181
http://www.PLMresearch.com
Netscape/AOL/MSN IM: PLMresearch
mwithington at plmresearch.com
Public Key: http://www.plmdev.com/plmr/plmresearch.com/keys/MLW_public_key.asc
Calendar: http://www.plmdev.com/plmr/plmresearch.com/calendar.php

From dwclifton at gmail.com Thu Aug 4 13:36:56 2005
From: dwclifton at gmail.com (Douglas Clifton)
Date: Thu, 4 Aug 2005 13:36:56 -0400
Subject: [nycphp-talk] SQL 'WHERE' conditions in an array
Message-ID: <7d6cdcb05080410366df24aa2@mail.gmail.com>

    <?php
    // Query description object: the table and (optionally) the columns to select.
    $q = new stdClass;
    $q->table   = 'table_name';
    $q->columns = array('column1', 'column2', 'column3');
    print_r($q);

    // Build a SELECT from the description. Table and column names are
    // inserted verbatim, so only pass identifiers from trusted code,
    // never from user input.
    function query($q)
    {
        $query  = 'select ';
        // empty() avoids an undefined-property notice after unset($q->columns).
        $query .= (!empty($q->columns)) ? implode(',', $q->columns) : '*';
        $query .= ' from ' . $q->table;
        return $query;
    }

    print query($q) . "\n";
    unset($q->columns);
    print_r($q);
    print query($q) . "\n";

--------------------------

    stdClass Object
    (
        [table] => table_name
        [columns] => Array
            (
                [0] => column1
                [1] => column2
                [2] => column3
            )
    )
    select column1,column2,column3 from table_name
    stdClass Object
    (
        [table] => table_name
    )
    select * from table_name

--
Douglas Clifton
dwclifton at gmail.com
http://loadaveragezero.com/
http://loadaveragezero.com/drx/rss/recent

> ---------- Forwarded message ----------
> From: "Kenneth Downs"
> To: "NYPHP Talk"
> Date: Wed, 3 Aug 2005 12:18:07 -0400 (EDT)
> Subject: Re: [nycphp-talk] SQL 'WHERE' conditions in an array
>
> You may want to look up "binary decision trees". This is not precisely
> what you are looking for but it is closely related and may give you some
> background.
>
> The basic idea behind any generated SQL statement is the fact that SQL
> statements that follow certain rules can themselves be stored entirely
> in scalar data.
>
> Imagine this simple array:
>
>     $Query = Array
>     (
>         "tables" => Array
>         (
>             0 => Array
>             (
>                 "table_name" => "customers"
>             )
>         )
>     );
>
> or the more detailed:
>
>     $Query = Array
>     (
>         "tables" => Array
>         (
>             0 => Array
>             (
>                 "table_name" => "customers",
>                 "columns" => Array
>                 (
>                     "column1",
>                     "column2",
>                     "column3"
>                 )
>             )
>         )
>     );
>
> Your code just loops through building a SELECT clause from the tables. If
> it cannot find the "columns" sub-array it puts in "*", else it lists the
> columns in that array.
>
> Everything else is just an embellishment of this, and of course remember
> TIMTOWTDI.
>
> > Hello,
> > A while ago I've seen some code (function) to build SQL queries. It took a
> > multidimensional associative array to build complex WHERE conditions. That's
> > the feature that I really liked. I'm trying to find it again to no avail.
> > Can someone point me to that code please?
> >
> > Thanks,
> > Olaf

From joshmccormack at travelersdiary.com Thu Aug 4 14:16:01 2005
From: joshmccormack at travelersdiary.com (joshmccormack at travelersdiary.com)
Date: Thu, 4 Aug 2005 20:16:01 +0200
Subject: [nycphp-talk] open source extranet system?
Message-ID: <0MKz5u-1E0kI60emZ-0006kY@mrelay.perfora.net>

I want to set up an extranet system for a web development/design shop. Typical fare: create directories for clients and projects, password protected, up&down load, etc. Would be nice to use some templates; don't need polls and email and whatnot. Any suggestions?

Josh

From acas at sapo.pt Thu Aug 4 14:25:20 2005
From: acas at sapo.pt (Alberto dos Santos)
Date: Thu, 4 Aug 2005 19:25:20 +0100
Subject: [nycphp-talk] open source extranet system?
In-Reply-To: <0MKz5u-1E0kI60emZ-0006kY@mrelay.perfora.net>
Message-ID:

Try this, I like it for simple stuff: http://www.phpwcms.de/index.php

--
Alberto dos Santos
email: acas at sapo.pt
skype: fatflash

This email and its attachments are protected from viruses and malicious software. If you notice something unusual please report it. Thanks.

> -----Original Message-----
> From: talk-bounces at lists.nyphp.org
> [mailto:talk-bounces at lists.nyphp.org] On Behalf Of
> joshmccormack at travelersdiary.com
> Sent: Thursday, August 04, 2005 7:16 PM
> To: talk at lists.nyphp.org
> Subject: [nycphp-talk] open source extranet system?
>
> I want to set up an extranet system for a web development/design shop.
> Typical fare: create directories for clients and projects, password
> protected, up&down load, etc. Would be nice to use some templates;
> don't need polls and email and whatnot. Any suggestions?
>
> Josh

From jellicle at gmail.com Thu Aug 4 14:30:06 2005
From: jellicle at gmail.com (Michael Sims)
Date: Thu, 4 Aug 2005 14:30:06 -0400
Subject: [nycphp-talk] Apache look back functionality and PHP
In-Reply-To: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358EF268F@network.PLMresearch.com>
References: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358EF268F@network.PLMresearch.com>
Message-ID: <200508041430.07153.jellicle@gmail.com>

On Thursday 04 August 2005 12:52, Mark Withington wrote:
> For the life of me, I can't get Apache to look back and find the
> magick.php script; rather it simply looks at image.jpg and assumes
> it's a subdirectory. Has anyone had any experience with this script
> (a PHP front-end to ImageMagick as described at evolt.org) or
> Apache's look back functionality?

Well, I don't know anything about magick.php, but this should work with Apache. These URLs give identical results:

http://www.nyphp.org/ - Apache uses default document
http://www.nyphp.org/index.php - exact URL
http://www.nyphp.org/index.php/foo/bar/baz/ - searches backwards until it finds index.php

So, the URL http://www.example.com/magick.php/image.jpg/foobar/ should search backwards until it finds magick.php and hits it, and magick.php would then have the path_info to do something with, such as get, mangle, and output your image file.

This Apache directive defaults to on (AFAIK) but perhaps you've turned it off:

http://httpd.apache.org/docs/2.0/mod/core.html#acceptpathinfo

Michael Sims

From 1j0lkq002 at sneakemail.com Thu Aug 4 14:32:47 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Thu, 04 Aug 2005 14:32:47 -0400
Subject: [nycphp-talk] PHP apps under maemo for the Nokia 770 linux tablet?
In-Reply-To: <7d6cdcb05080410366df24aa2@mail.gmail.com>
References: <7d6cdcb05080410366df24aa2@mail.gmail.com>
Message-ID: <3798-07861@sneakemail.com>

Has anyone been looking at the Nokia 770/maemo platform? Any thoughts on PHP for development?

-=john andrews

http://www.mobileburn.com/gallery.jsp?Id=1381&source=RELATED
http://www.maemo.org/
http://maemo.org/maemowiki/
http://www.indt.org.br/maemo/

From hendler at simmons.edu Thu Aug 4 14:45:17 2005
From: hendler at simmons.edu (Jonathan)
Date: Thu, 04 Aug 2005 14:45:17 -0400
Subject: [nycphp-talk] PHP apps under maemo for the Nokia 770 linux tablet?
In-Reply-To: <3798-07861@sneakemail.com>
References: <7d6cdcb05080410366df24aa2@mail.gmail.com> <3798-07861@sneakemail.com>
Message-ID: <42F2623D.6020603@simmons.edu>

If you want to develop for these platforms XHTML-basic should work. As for javascript support, I am not sure what browser the Nokia has, but my Zaurus ran Opera (slowly). My Zaurus also ran apache, PHP, ssh, etc.

inforequest wrote:
> Has anyone been looking at the Nokia 770/maemo platform? Any thoughts on
> PHP for development?
>
> -=john andrews
>
> http://www.mobileburn.com/gallery.jsp?Id=1381&source=RELATED
> http://www.maemo.org/
> http://maemo.org/maemowiki/
> http://www.indt.org.br/maemo/

From mwithington at PLMresearch.com Thu Aug 4 14:50:43 2005
From: mwithington at PLMresearch.com (Mark Withington)
Date: Thu, 4 Aug 2005 14:50:43 -0400
Subject: [nycphp-talk] Apache look back functionality and PHP
Message-ID: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358EF2695@network.PLMresearch.com>

Thanks for the input. That's what I thought. I'm running Apache 1.3** and I think the acceptpathinfo directive was default on back then. Wonder if it has something to do with the Zend debugger configured on the server?
I get really weird results in the $_SERVER array that look a lot like the Zend stuff (e.g. dummy.php).

--------------------------
Mark L. Withington
PLMresearch
"eBusiness for the Midsize Enterprise"
PO Box 1354
Plymouth, MA 02362
o: 800-310-3992 ext. 704
f: 508-746-4973
v: 508-746-2383
m: 508-801-0181
http://www.PLMresearch.com
Netscape/AOL/MSN IM: PLMresearch
mwithington at plmresearch.com
Public Key: http://www.plmdev.com/plmr/plmresearch.com/keys/MLW_public_key.asc
Calendar: http://www.plmdev.com/plmr/plmresearch.com/calendar.php

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Michael Sims
Sent: Thursday, August 04, 2005 2:30 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] Apache look back functionality and PHP

On Thursday 04 August 2005 12:52, Mark Withington wrote:
> For the life of me, I can't get Apache to look back and find the
> magick.php script; rather it simply looks at image.jpg and assumes
> it's a subdirectory. Has anyone had any experience with this script
> (a PHP front-end to ImageMagick as described at evolt.org) or
> Apache's look back functionality?

Well, I don't know anything about magick.php, but this should work with Apache. These URLs give identical results:

http://www.nyphp.org/ - Apache uses default document
http://www.nyphp.org/index.php - exact URL
http://www.nyphp.org/index.php/foo/bar/baz/ - searches backwards until it finds index.php

So, the URL http://www.example.com/magick.php/image.jpg/foobar/ should search backwards until it finds magick.php and hits it, and magick.php would then have the path_info to do something with, such as get, mangle, and output your image file.
This Apache directive defaults to on (AFAIK) but perhaps you've turned it off:

http://httpd.apache.org/docs/2.0/mod/core.html#acceptpathinfo

Michael Sims

From 1j0lkq002 at sneakemail.com Thu Aug 4 15:05:27 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Thu, 04 Aug 2005 15:05:27 -0400
Subject: [nycphp-talk] Apache look back functionality and PHP
In-Reply-To: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358EF268F@network.PLMresearch.com>
References: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358EF268F@network.PLMresearch.com>
Message-ID: <15341-32736@sneakemail.com>

I rely on Apache's lookback quite a bit and never have any trouble, even across numerous hosts. Maybe take a close look at the script/parse instructions and your placement of the "?" in that query string. I think you need safe mode off for ImageMagick, right? Maybe try a lookback example using a basic test script, before debugging the ImageMagick scripts?

-=john andrews

Mark Withington mwithington-at-PLMresearch.com |nyphp dev/internal group use| wrote:
> I've been trying to use a PHP front-end script for ImageMagick as
> described at evolt.org (see
> http://www.evolt.org/article/PHP_front-end_to_ImageMagick/17/55650/ )
> The script relies upon $_SERVER['PATH_INFO'] and Apache's look back
> to find the front-end script (magick.php). The idea of the magick.php
> script is to accept ImageMagick commands embedded in a URL.
>
> Abstract:
>
> "The script will enable us to give convert commands by changing the
> query string. Maybe a simple example will better explain this idea.
> You've got an image: http://wwww.example.com/img/image.jpg. You copy
> the ImageMagick script magick.php to the same directory. The image
> is now also available as
> http://www.example.com/img/magick.php/image.jpg. So far, your image
> hasn't changed.
> Now, imagine you want a thumbnail of the image with a
> width of exactly 200 pixels. You can get that image by requesting the
> url: http://www.example.com/img/magick.php/image.jpg?resize(200)."
>
> For the life of me, I can't get Apache to look
> back and find the magick.php script; rather it simply looks at image.jpg and assumes it's a subdirectory.
> Has anyone had any experience with this script (a PHP front-end to
> ImageMagick as described at evolt.org) or Apache's look
> back functionality?
>
> --------------------------
> Mark L. Withington
> PLMresearch
> "eBusiness for the Midsize Enterprise"
> PO Box 1354
> Plymouth, MA 02362
> o: 800-310-3992 ext. 704
> f: 508-746-4973
> v: 508-746-2383
> m: 508-801-0181
> http://www.PLMresearch.com
> Netscape/AOL/MSN IM: PLMresearch
> mwithington at plmresearch.com
> Public Key:
> http://www.plmdev.com/plmr/plmresearch.com/keys/MLW_public_key.asc
> Calendar: http://www.plmdev.com/plmr/plmresearch.com/calendar.php

From jsiegel1 at optonline.net Thu Aug 4 18:45:20 2005
From: jsiegel1 at optonline.net (Jeff Siegel)
Date: Thu, 04 Aug 2005 18:45:20 -0400
Subject: [nycphp-talk] OT: 16 bit subsystem problem - printer driver install
Message-ID: <0IKP004TRZ7MCF60@mta3.srv.hcvlny.cv.net>

Wonder if anyone has encountered this. I'm trying to install a printer driver on WinXP Pro. The driver is in the form of a self-unzipping exe. Once unzipped, it tries to run the setup procedure, but an error message appears that mentions the inability to run a 16 bit subsystem. I've tried the following:

a) Running from a DOS prompt
b) Setting the "compatibility" properties for setup.exe.

Needless to say (but of course...I'm saying it), nothing has worked.

Is there something I'm overlooking?

Jeff
From preinheimer at gmail.com Fri Aug 5 00:04:33 2005
From: preinheimer at gmail.com (Paul Reinheimer)
Date: Fri, 5 Aug 2005 00:04:33 -0400
Subject: [nycphp-talk] OT: 16 bit subsystem problem - printer driver install
In-Reply-To: <0IKP004TRZ7MCF60@mta3.srv.hcvlny.cv.net>
References: <0IKP004TRZ7MCF60@mta3.srv.hcvlny.cv.net>
Message-ID: <6ec19ec7050804210419fcd635@mail.gmail.com>

Have you tried telling Windows to find a printer, then when asked specifying the self-extracted directory as the location of the drivers?

paul

On 8/4/05, Jeff Siegel wrote:
>
> Wonder if anyone has encountered this. I'm trying to install a printer driver on
> WinXP Pro. The driver is in the form of a self-unzipping exe. Once unzipped,
> it tries to run the setup procedure, but an error message appears that
> mentions the inability to run a 16 bit subsystem. I've tried the following:
>
> a) Running from a DOS prompt
> b) Setting the "compatibility" properties for setup.exe.
>
> Needless to say (but of course...I'm saying it), nothing has worked.
>
> Is there something I'm overlooking?
>
> Jeff

--
Paul Reinheimer
Zend Certified Engineer

From papillion at gmail.com Fri Aug 5 02:44:25 2005
From: papillion at gmail.com (Anthony Papillion)
Date: Thu, 4 Aug 2005 23:44:25 -0700
Subject: [nycphp-talk] Question about using ACL to direct user
Message-ID: <5458518f05080423443b0c4ad4@mail.gmail.com>

Hello Everyone,

I'm in the process of designing a new application and I'm thinking about using .htaccess files as my primary security device. Basically, I'll have my application's home directory. When the user hits that directory they will be prompted to log in by the default box the browser pops up for those things.
Depending on the group that their username belongs to, they will be directed to either the /staff subdirectory or the /admin subdirectory. My questions are these:

1) Can I group users in an .htaccess file according to certain groups?
2) How can I retrieve the username and group associated with the information the user provides via ACL?

I'm pretty sure this can be done but I'm not too sure how to do it. Any help would be greatly appreciated.

Thanks!

Anthony M. Papillion
Email: papillion at gmail.com
Cell: (918) 926-0139
Yahoo IM: Techie74354
Skype: CajunTechie

From jsiegel1 at optonline.net Fri Aug 5 07:31:43 2005
From: jsiegel1 at optonline.net (Jeff Siegel)
Date: Fri, 05 Aug 2005 07:31:43 -0400
Subject: [nycphp-talk] OT: 16 bit subsystem problem - printer driver install
In-Reply-To: <6ec19ec7050804210419fcd635@mail.gmail.com>
Message-ID: <0IKQ00BACYOWJ7PF@mta4.srv.hcvlny.cv.net>

It (Windows) didn't like that approach (surprisingly). One suggestion I had gotten was to try safe mode and, failing that, do some registry hacking (turns out this is a known Windows issue).

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q314452

Jeff

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Paul Reinheimer
Sent: Thursday, August 04, 2005 11:05 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] OT: 16 bit subsystem problem - printer driver install

Have you tried telling Windows to find a printer, then when asked specifying the self-extracted directory as the location of the drivers?

paul

On 8/4/05, Jeff Siegel wrote:
>
> Wonder if anyone has encountered this. I'm trying to install a printer driver on
> WinXP Pro. The driver is in the form of a self-unzipping exe. Once unzipped,
> it tries to run the setup procedure, but an error message appears that
> mentions the inability to run a 16 bit subsystem.
> I've tried the following:
>
> a) Running from a DOS prompt
> b) Setting the "compatibility" properties for setup.exe.
>
> Needless to say (but of course...I'm saying it), nothing has worked.
>
> Is there something I'm overlooking?
>
> Jeff

--
Paul Reinheimer
Zend Certified Engineer

From lists at zaunere.com Fri Aug 5 07:39:00 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Fri, 5 Aug 2005 07:39:00 -0400
Subject: [nycphp-talk] FW: Is the web's love affair with PHP over?
Message-ID: <0MKp2t-1E10XV2z6g-0002WV@mrelay.perfora.net>

> A followup on yesterday's article on PHP, Perl & Python. Looks like
> Zend has been put very much on the defensive...
>
> Is the web's love affair with PHP over?
> By Gavin Clarke in San Francisco
> Published Thursday 4th August 2005 22:39 GMT
>
> If Evans Data Corp (EDC) is to be believed, then some big names in
> enterprise systems have been rash in their support for open source scripting
> language PHP.
>
> This last eight months saw Intel, SAP, Oracle and IBM all support PHP,
> with investments or product backing through partnerships with PHP king Zend
> Technologies.
>
> However, EDC's survey has found PHP, along with scripting cousins Perl
> and Python, is seeing drastically reduced adoption among developers in
> Europe, the Middle East and Africa (EMEA). Use of PHP has dropped by a
> quarter in EMEA during the last 12 months to just under 28 per cent,
> while 40 per cent of developers said they have no plans to evaluate or use
> PHP.
>
> The EMEA numbers are a microcosm of a global trend, according to EDC.
> Adoption of PHP is slowing in North America and slamming to a stop in Asia
> Pacific.
>
> EDC believes PHP's recent glorious past is over, as customers spend
> money on "more important" technologies to build mission critical systems
> and vendors like Microsoft and Sun Microsystems make more of a concerted
> marketing push around alternatives such as ASP.NET and JavaServer Pages
> (JSP).
>
> EDC chief operating officer John Andrew told The Register: "There are
> some alternatives that are better promoted and packaged, and people are
> turning to those."
>
> Zend disputes EDC's figures with its own pro-PHP figures and dismisses
> the view that Intel, SAP, Oracle and IBM placed bets on what is turning
> into an ephemeral developer strategy. Zend claims the number of monthly
> downloads of its Zend integrated development environment (IDE) today
> number 20,000, up from 5,000 in September 2004, with an accompanying
> 150% growth in the privately held company's revenue. Furthermore, Zend is
> opening offices worldwide.
>
> As for stats, Zend points to Netcraft who claims 22m internet domains
> use PHP, making it the internet's most popular scripting language.
>
> "Microsoft is interested in PHP - the next version of IIS is going to
> support PHP. If there was no interest, or we were seeing a decline of
> interest in PHP, why would they get their product to support PHP?" asked
> Zend vice president of marketing Michel Gerin.
>
> Furthermore, while EDC maintains PHP is not seeing "serious" deployment,
> Zend claims changes to the language like the addition of Object
> Orientation (OO) in PHP 5.0 mean the language is going beyond pure web
> site development and into the enterprise as an alternative to Java and
> C++.
>
> Therein, though, could lie a problem.
> If Java developers are indeed
> picking up PHP because - like almost anything else it seems - it is
> simpler to use than Java, then it will hit the marketing wall of Sun,
> BEA Systems, Borland, IBM and Oracle who either deliver serious Java
> development tools or application servers. On C++, PHP must largely
> contend with Microsoft's Goliath-like Visual Studio.
>
> Idle curiosity could have accounted for the PHP spike EDC identified two
> years ago as large numbers of developers planned to evaluate or adopt
> PHP. When it came to using PHP, though, that's where developers probably
> turned to their familiar tools.
>
> While adoption may be slowing, PHP is not going away. With an estimated
> 2.5m PHP developers and web sites going up on a daily basis that have
> been built using PHP, the language is firmly ensconced in computing's
> landscape. The only question seems to be: how deep can PHP go in business
> computing?
>
> The decision by IBM and Oracle to provide native support for PHP in
> their databases proves they have recognized PHP's ability to harm their
> core businesses, and their desire to avert any problems by winning over
> PHP developers. According to Gerin, IBM and Oracle want to ensure PHP
> developers develop applications and web sites that use their databases
> and not "PHP-optimized" databases like MySQL. "They want to be part of the
> game," Gerin said.
>
> Andrew agrees that the big vendors are just keeping their options open.
> "I don't think PHP is going to go away fast - they have a large share of
> the market. Most of those suppliers have to remain open to multiple ways
> to be friendly," he said.
>
> If EDC is right, then the real problem is not for the tier one vendors
> who have deep pockets and multi-platform support to ride out any
> tactical snafu, but an emerging class of start-ups betting their
> business on LAMP.
> Companies like SpikeSource and SourceLabs plan to
> provide certification and testing for business software in the Linux,
> Apache, MySQL and Perl/Python/PHP (LAMP) stack. But, what happens if the
> "P" part of the stack is losing developers and evaporates?
>
> Andrew is confident LAMP will adapt, and other open source languages
> will take the place of PHP. "[LAMP] was intended to be interchangeable -
> that's the beauty of it. That's the beauty of open standards and open
> source," he said.

From lists at genoverly.net Fri Aug 5 08:03:40 2005
From: lists at genoverly.net (michael)
Date: Fri, 5 Aug 2005 08:03:40 -0400
Subject: [nycphp-talk] Is the web's love affair with PHP over?
Message-ID: <20050805080340.26a80eb2@genoverly.com>

http://www.theregister.com/2005/08/04/php_evans/

The Register is the second source in as many days reporting this headline. Obviously, in our world, PHP is vibrant and strong. But, if the macro signs are pointing toward a downward trend, should we be at least a *little* alarmed?

This may sound naive, but.. do they really think ASP and JSP are replacing PHP in the world? Is this just a stunt so Zend can hand out Netcraft numbers and use its name in the same sentence as "Intel, SAP, Oracle and IBM"?

Let's see a raise of hands.. who is going to run PHP on IIS?

Michael

--

From leam at reuel.net Fri Aug 5 08:07:05 2005
From: leam at reuel.net (leam at reuel.net)
Date: Fri, 5 Aug 2005 08:07:05 -0400
Subject: [nycphp-talk] FW: Is the web's love affair with PHP over?
In-Reply-To: <0MKp2t-1E10XV2z6g-0002WV@mrelay.perfora.net>
References: <0MKp2t-1E10XV2z6g-0002WV@mrelay.perfora.net>
Message-ID: <20050805120705.GD2945@leitz.reuel.net>

On Fri, Aug 05, 2005 at 07:39:00AM -0400, Hans Zaunere wrote:
>
> > A followup on yesterday's article on PHP, Perl & Python. Looks like
> > Zend has been put very much on the defensive...
> >
> > Is the web's love affair with PHP over?
> > By Gavin Clarke in San Francisco
> > Published Thursday 4th August 2005 22:39 GMT
> >
> > If Evans Data Corp (EDC) is to be believed, then some big names in
> > enterprise systems have been rash in their support for open source scripting
> > language PHP.

[snip]

So, what does EDC do when they sober up and try to do real work? Having seen how the "big boys" play with their Java based WebSphere and WebLogic, I'll take PHP any day. So far PHP hasn't taken several minutes to start up, hasn't dropped half-gig core files on my server, and hasn't required a slew of developers to get simple tasks done.

I'm personally getting disgusted with the news media. They take something they know nothing about and try to get ratings by making whatever they stumble across seem important.

Back to something of interest. This past weekend I noticed something funny; keep an eye out and it might return. Or maybe I'm just inhaling the same fumes as EDC. I normally keep a tab on Cnn.com, using Firefox 1.0.6 on Fedora Core 4. Several times this past weekend the little icon on CNN's tab turned to the 4 "S" logo of Sun! Too funny...

ciao!

leam

From smanes at magpie.com Fri Aug 5 08:25:53 2005
From: smanes at magpie.com (Steve Manes)
Date: Fri, 05 Aug 2005 08:25:53 -0400
Subject: [nycphp-talk] FW: Is the web's love affair with PHP over?
In-Reply-To: <20050805120705.GD2945@leitz.reuel.net>
References: <0MKp2t-1E10XV2z6g-0002WV@mrelay.perfora.net> <20050805120705.GD2945@leitz.reuel.net>
Message-ID: <42F35AD1.60807@magpie.com>

leam at reuel.net wrote:
> So, what does EDC do when they sober up and try to do real work?
> Having seen how the "big boys" play with their Java based WebSphere
> and WebLogic, I'll take PHP any day. So far PHP hasn't taken several
> minutes to start up, hasn't dropped half-gig core files on my server,
> and hasn't required a slew of developers to get simple tasks done.

I wonder how much of this is due to Pacific Rim outsourcing of corporate web site construction?
I know from experience that Indian outsource companies have little interest or investment in open source languages like PHP and Perl. Java, ASP and .NET rule there, possibly because the developers learned their craft through universities and commercial training/certification courses.

From tgales at tgaconnect.com Fri Aug 5 08:36:49 2005
From: tgales at tgaconnect.com (Tim Gales)
Date: Fri, 5 Aug 2005 08:36:49 -0400
Subject: [nycphp-talk] Is the web's love affair with PHP over?
In-Reply-To: <20050805080340.26a80eb2@genoverly.com>
References: <20050805080340.26a80eb2@genoverly.com>
Message-ID: <200508050836.49913.tgales@tgaconnect.com>

On Friday 05 August 2005 08:03 am, michael wrote:
> http://www.theregister.com/2005/08/04/php_evans/
>
> The Register is the second source in as many days reporting this
> headline. Obviously, in our world, PHP is vibrant and strong. But, if
> the macro signs are pointing toward a downward trend, should we be at
> least a *little* alarmed?
>
> This may sound naive, but.. do they really think ASP and JSP are
> replacing PHP in the world?

It strikes me that it is the other way 'round. ASP and JSP are established -- and it is PHP which is doing the replacing... Not replacing existing stuff, of course -- but creating an alternative for new projects.

IBM legitimized personal computers in an era when you could find personal computers right next to the toy section in Radio Shack. I think IBM's support for PHP will make some people look at PHP in a different light.

--
T. Gales & Associates
'Helping People Connect with Technology'
http://www.tgaconnect.com

From jsiegel1 at optonline.net Fri Aug 5 08:57:05 2005
From: jsiegel1 at optonline.net (Jeff Siegel)
Date: Fri, 05 Aug 2005 08:57:05 -0400
Subject: [nycphp-talk] FW: Is the web's love affair with PHP over?
In-Reply-To: <42F35AD1.60807@magpie.com>
Message-ID: <0IKR00F1F2N7VX00@mta3.srv.hcvlny.cv.net>

-----Original Message-----
From: On Behalf Of Steve Manes
Sent: Friday, August 05, 2005 7:26 AM
To: NYPHP Talk
Subject: Re: [nycphp-talk] FW: Is the web's love affair with PHP over?

I know from experience that Indian outsource companies have little interest or investment in open source languages like PHP and Perl. Java, ASP and .NET rule there, possibly because the developers learned their craft through universities and commercial training/certification courses.

Agreed. Having spent some time myself drinking the Microsoft Kool-Aid...I know that it is difficult - at least initially - to see things in non-Microsoft terms.

Jeff

From edwardpotter at gmail.com Fri Aug 5 09:34:29 2005
From: edwardpotter at gmail.com (edward potter)
Date: Fri, 5 Aug 2005 09:34:29 -0400
Subject: [nycphp-talk] FW: Is the web's love affair with PHP over?
In-Reply-To: <0IKR00F1F2N7VX00@mta3.srv.hcvlny.cv.net>
References: <42F35AD1.60807@magpie.com> <0IKR00F1F2N7VX00@mta3.srv.hcvlny.cv.net>
Message-ID:

True Story:

Startup spends 3 million over 18 months trying to offer a Java solution. Can't get it to work. PHP programmer comes in, does 90% of the project over the weekend. Ask VC, let's get the thing out the door. VC says has to be written in Java, programmer says "WTF?". Makes no sense at all. Why Java? VC says, "We heard Java was the buzz. I have zero interest in programming languages _ as long as I can say we used "Java, Java, Java" to our investors, I keep on getting paid."

Needless to say 3 months later they folded. 25 people out of work.

Food for thought! :-) ed

On 8/5/05, Jeff Siegel wrote:
> -----Original Message-----
> From: On Behalf Of Steve Manes
> Sent: Friday, August 05, 2005 7:26 AM
> To: NYPHP Talk
> Subject: Re: [nycphp-talk] FW: Is the web's love affair with PHP over?
> > I know from experience that Indian outsource companies have little interest or investment in open source languages like PHP and Perl. Java, ASP and .NET rule there, possibly because the developers learned their craft through universities and commercial training/certification courses.
>
> Agreed. Having spent some time myself drinking the Microsoft Kool-Aid...I know that it is difficult - at least initially - to see things in non-Microsoft terms.
>
> Jeff
>
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org

From tom at supertom.com Fri Aug 5 10:03:04 2005
From: tom at supertom.com (Tom Melendez)
Date: Fri, 05 Aug 2005 10:03:04 -0400
Subject: [nycphp-talk] APC experience/information/tutorials?
In-Reply-To: <5458518f05080423443b0c4ad4@mail.gmail.com>
References: <5458518f05080423443b0c4ad4@mail.gmail.com>
Message-ID: <42F37198.3030208@supertom.com>

Hey Folks,

I'm looking for information on APC (Alternative PHP Cache). Anyone here use it, have any experiences with it, found good info on it, have debugging and optimization tips, etc.? I haven't found much documentation on it. So far, the best info I found was in the INSTALL file, which actually listed the ini options available.

I have it built and installed, but it really doesn't seem to be doing much for my application (running PHP 5.0.4/Apache 1.3.33 on Linux), and in fact, it causes some pages not to work.

Any other caches I should look at? I've heard good things about Zend, but unfortunately their license doesn't work with my application's distribution model, so I really can't use it.

Tips and advice greatly appreciated!

Thanks,

Tom
http://www.liphp.org

From hendler at simmons.edu Fri Aug 5 10:20:58 2005
From: hendler at simmons.edu (Jonathan)
Date: Fri, 05 Aug 2005 10:20:58 -0400
Subject: [nycphp-talk] FW: Is the web's love affair with PHP over?
In-Reply-To:
References: <42F35AD1.60807@magpie.com> <0IKR00F1F2N7VX00@mta3.srv.hcvlny.cv.net>
Message-ID: <42F375CA.4030107@simmons.edu>

Preaching to the choir - but I'm diggin' it.

I wrote a J2ME app. Spent 2 weeks to create a login form that used Java RMI, then SOAP. Then spent 10 minutes writing an XHTML-basic/php solution. Egads!

Not ready for the Enterprise? Why? Scalability? Or because the Enterprise needs to spend money and _sound_ good.

edward potter wrote:
> True Story:
>
> Startup spends 3 million over 18 months trying to offer a Java solution. Can't get it to work. PHP programmer comes in, does 90% of the project over the weekend. Ask VC, let's get the thing out the door. VC says has to be written in Java, programmer says "WTF?". Makes no sense at all. Why Java? VC says, "We heard Java was the buzz. I have zero interest in programming languages _ as long as I can say we used "Java, Java, Java" to our investors, I keep on getting paid."
>
> Needless to say 3 months later they folded. 25 people out of work.
>
> Food for thought! :-) ed
>
> On 8/5/05, Jeff Siegel wrote:
> > -----Original Message-----
> > From: On Behalf Of Steve Manes
> > Sent: Friday, August 05, 2005 7:26 AM
> > To: NYPHP Talk
> > Subject: Re: [nycphp-talk] FW: Is the web's love affair with PHP over?
> >
> > I know from experience that Indian outsource companies have little interest or investment in open source languages like PHP and Perl. Java, ASP and .NET rule there, possibly because the developers learned their craft through universities and commercial training/certification courses.
> >
> > Agreed. Having spent some time myself drinking the Microsoft Kool-Aid...I know that it is difficult - at least initially - to see things in non-Microsoft terms.
> > Jeff

From jsiegel1 at optonline.net Fri Aug 5 10:32:23 2005
From: jsiegel1 at optonline.net (Jeff Siegel)
Date: Fri, 05 Aug 2005 10:32:23 -0400
Subject: [nycphp-talk] FW: Is the web's love affair with PHP over?
In-Reply-To:
Message-ID: <0IKR00H2V721NX30@mta8.srv.hcvlny.cv.net>

Wow! Good story!!! Is this a "publicly available" story (i.e., is there some website that reports this) or is this not public knowledge?

Jeff

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of edward potter
Sent: Friday, August 05, 2005 8:34 AM
To: NYPHP Talk
Subject: Re: [nycphp-talk] FW: Is the web's love affair with PHP over?

True Story:

Startup spends 3 million over 18 months trying to offer a Java solution. Can't get it to work. PHP programmer comes in, does 90% of the project over the weekend. Ask VC, let's get the thing out the door. VC says has to be written in Java, programmer says "WTF?". Makes no sense at all. Why Java? VC says, "We heard Java was the buzz. I have zero interest in programming languages _ as long as I can say we used "Java, Java, Java" to our investors, I keep on getting paid."

Needless to say 3 months later they folded. 25 people out of work.

Food for thought! :-) ed

From cliff at pinestream.com Fri Aug 5 10:47:04 2005
From: cliff at pinestream.com (Cliff Hirsch)
Date: Fri, 5 Aug 2005 10:47:04 -0400
Subject: [nycphp-talk] FW: Is the web's love affair with PHP over?
In-Reply-To: <0IKR00H2V721NX30@mta8.srv.hcvlny.cv.net>
Message-ID: <000901c599cc$8badd2d0$11a8a8c0@cliff>

PHP rocks.
But to play devil's advocate, I was at the Boston PHP meeting last night and one person said that he would not use PHP for certain large enterprise apps because of its lack of threading support. Not sure what this means or if it's a valid point, but I'm sure you'll do and can comment.

r.e. that startup. I hope it wasn't in one of the crappy vintage 2000 VC funds that I'm in! Live and learn...

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Jeff Siegel
Sent: Friday, August 05, 2005 10:32 AM
To: 'NYPHP Talk'
Subject: Re: [nycphp-talk] FW: Is the web's love affair with PHP over?

Wow! Good story!!! Is this a "publicly available" story (i.e., is there some website that reports this) or is this not public knowledge?

Jeff

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of edward potter
Sent: Friday, August 05, 2005 8:34 AM
To: NYPHP Talk
Subject: Re: [nycphp-talk] FW: Is the web's love affair with PHP over?

True Story:

Startup spends 3 million over 18 months trying to offer a Java solution. Can't get it to work. PHP programmer comes in, does 90% of the project over the weekend. Ask VC, let's get the thing out the door. VC says has to be written in Java, programmer says "WTF?". Makes no sense at all. Why Java? VC says, "We heard Java was the buzz. I have zero interest in programming languages _ as long as I can say we used "Java, Java, Java" to our investors, I keep on getting paid."

Needless to say 3 months later they folded. 25 people out of work.

Food for thought!
:-) ed

From hendler at simmons.edu Fri Aug 5 13:25:33 2005
From: hendler at simmons.edu (Jonathan)
Date: Fri, 05 Aug 2005 13:25:33 -0400
Subject: [nycphp-talk] FW: Is the web's love affair with PHP over?
In-Reply-To: <000901c599cc$8badd2d0$11a8a8c0@cliff>
References: <000901c599cc$8badd2d0$11a8a8c0@cliff>
Message-ID: <42F3A10D.7020205@simmons.edu>

As far as writing multithreaded applications in php, George Schlossnagle's book (pg 130) points out ways of using child processes for multi-tasking on Unix systems - or you can always import java classes into PHP :-/

Maybe java needs multithreading because it doesn't want to _appear_ to be slow. ;)

Cliff, I just moved from Boston to Florida. Wish I had gone to the meetings there.

Cliff Hirsch wrote:
> PHP rocks. But to play devil's advocate, I was at the Boston PHP meeting last night and one person said that he would not use PHP for certain large enterprise apps because of its lack of threading support. Not sure what this means or if it's a valid point, but I'm sure you'll do and can comment.
>
> r.e. that startup. I hope it wasn't in one of the crappy vintage 2000 VC funds that I'm in! Live and learn...
>
> -----Original Message-----
> From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Jeff Siegel
> Sent: Friday, August 05, 2005 10:32 AM
> To: 'NYPHP Talk'
> Subject: Re: [nycphp-talk] FW: Is the web's love affair with PHP over?
>
> Wow! Good story!!! Is this a "publicly available" story (i.e., is there some website that reports this) or is this not public knowledge?
>
> Jeff
>
> -----Original Message-----
> From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of edward potter
> Sent: Friday, August 05, 2005 8:34 AM
> To: NYPHP Talk
> Subject: Re: [nycphp-talk] FW: Is the web's love affair with PHP over?
>
> True Story:
>
> Startup spends 3 million over 18 months trying to offer a Java solution. Can't get it to work. PHP programmer comes in, does 90% of the project over the weekend. Ask VC, let's get the thing out the door. VC says has to be written in Java, programmer says "WTF?". Makes no sense at all. Why Java? VC says, "We heard Java was the buzz. I have zero interest in programming languages _ as long as I can say we used "Java, Java, Java" to our investors, I keep on getting paid."
>
> Needless to say 3 months later they folded. 25 people out of work.
>
> Food for thought! :-) ed

From john at coolmacgames.com Fri Aug 5 13:49:11 2005
From: john at coolmacgames.com (John Nunez)
Date: Fri, 5 Aug 2005 13:49:11 -0400
Subject: [nycphp-talk] SOAP Security?
Message-ID:

I have a task manager that I created in PHP over 2 years ago. Our company now has an intranet and they want to tie in the task manager. I have used SOAP to retrieve the list of tasks but how can I handle User Authentication?

The one method that I was planning is to have the intranet site log in the user. If login is valid then generate a token and store it into a MySQL HEAP table. The SOAP result is a token and is sent with each request. With each request, if the token is valid I will update its LastAccess field in the database.
Is there a flaw with this method?

Thanks,
John

From henry at beewh.com Fri Aug 5 15:04:22 2005
From: henry at beewh.com (Henry Ponce)
Date: Fri, 5 Aug 2005 16:04:22 -0300
Subject: [nycphp-talk] screen resolution redirection with php
Message-ID: <200508051604.22272.henry@beewh.com>

Hi all:

I'm looking for a solution to my problem, or if anybody can point me in the right direction so I can figure it out on my own. Here's the situation: I want to know what screen resolution a user is using. I found that this can be done with javascript. I found this function that does this and redirects...

    function redirectPage() {
        var url640x480 = "http://www.yoursite.com/640x480";
        var url800x600 = "http://www.yoursite.com/800x600";
        var url1024x768 = "http://www.yoursite.com/1024x768";
        if ((screen.width == 640) && (screen.height == 480))
            window.location.href = url640x480;
        else if ((screen.width == 800) && (screen.height == 600))
            window.location.href = url800x600;
        else if ((screen.width == 1024) && (screen.height == 768))
            window.location.href = url1024x768;
        else
            window.location.href = url640x480;
    }

But I don't want this...I want to save in a cookie or $_SESSION variable the resolution info and based on that use one css or another, use an include or not, etc... How can I handle this with php? Is there a way? Or am I stuck with javascript (which I know is not a 100% solution, since a user can turn it off in the browser), but in that case I can create a default design, css, etc. for those cases. I was thinking of creating a cookie with javascript and then accessing that cookie with php code. Just a thought....

Can anyone help me, point me in the right direction or share how you solved this issue?
Henry

From dcech at phpwerx.net Fri Aug 5 15:07:11 2005
From: dcech at phpwerx.net (Dan Cech)
Date: Fri, 05 Aug 2005 15:07:11 -0400
Subject: [nycphp-talk] screen resolution redirection with php
In-Reply-To: <200508051604.22272.henry@beewh.com>
References: <200508051604.22272.henry@beewh.com>
Message-ID: <42F3B8DF.3050601@phpwerx.net>

Henry,

A cookie set by the browser is a good way to do this.

Dan

Henry Ponce wrote:
snip
> I want to know what screen resolution a user is using.
snip
> I was thinking of creating a cookie with javascript and then accessing that cookie with php code. Just a thought....
>
> Can anyone help me, point me in the right direction or share how you solved this issue?
>
> Henry

From 1j0lkq002 at sneakemail.com Fri Aug 5 15:14:02 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Fri, 05 Aug 2005 15:14:02 -0400
Subject: [nycphp-talk] FW: Is the web's love affair with PHP over? har har har
In-Reply-To: <0MKp2t-1E10XV2z6g-0002WV@mrelay.perfora.net>
References: <0MKp2t-1E10XV2z6g-0002WV@mrelay.perfora.net>
Message-ID: <15441-75749@sneakemail.com>

Hans Zaunere lists-at-zaunere.com |nyphp dev/internal group use| wrote:
> > However, EDC's survey has found PHP, along with scripting cousins Perl and Python, is seeing drastically reduced adoption among developers in Europe, the Middle East and Africa (EMEA). Use of PHP has dropped by a quarter in EMEA during the last 12 months to just under 28 per cent while 40 per cent of developers said they have no plans to evaluate or use PHP.
> > ...
> > EDC chief operating officer John Andrew
> >

If this was important, I'd say it's time to track the funding for this company cause it sounds so much like marketing fud. Since it's not important, don't bother.

PHP is about utility, not brand. That's important for everybody here except maybe Zend, who probably has to care about articles like this one. We don't -- we got here by getting the job done, and PHP enables us to do that.
Okay everybody on this list that has never used any other language than PHP raise your hand. I thought so. We all have used what it took to get the job done, and will probably keep doing that. Like Jeff Siegel said -- the kool aid is very powerful.

This article confirms that PHP is now a valid threat, worthy of attention and resources from those with a lot to lose. Remember what Red Hat went thru as the first "legitimate" Linux distro? When I visited RedHat's campus in the earlier days I couldn't miss the quote on the big wall as you entered the building (I see they still use it as religion: http://www.redhat.com/truthhappens/)

"*First they ignore you*. Then they laugh at you. *Then they fight you.* Then you win." - Mohandas Gandhi

-=john andrews
www.seo-fun.com
(No relation to John Andrew, by the way ;-)

From 1j0lkq002 at sneakemail.com Fri Aug 5 16:03:00 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Fri, 05 Aug 2005 16:03:00 -0400
Subject: [nycphp-talk] AWStats vs Webalizer - more experience
In-Reply-To: <2277-27198@sneakemail.com>
References: <2277-27198@sneakemail.com>
Message-ID: <3466-93199@sneakemail.com>

Apparently webalizer does not properly handle adservers, so the stats get fouled up once the ad server is running. AWStats does not have the same problems, and the gurus claim webalizer is for "simple web sites"

http://forum.phpadsnew.com/index.php?showtopic=8176

-=john andrews

From mitch.pirtle at gmail.com Fri Aug 5 16:40:03 2005
From: mitch.pirtle at gmail.com (Mitch Pirtle)
Date: Fri, 5 Aug 2005 16:40:03 -0400
Subject: [nycphp-talk] open source extranet system?
In-Reply-To: <0MKz5u-1E0kI60emZ-0006kY@mrelay.perfora.net>
References: <0MKz5u-1E0kI60emZ-0006kY@mrelay.perfora.net>
Message-ID: <330532b60508051340240ddc01@mail.gmail.com>

I use NetOffice, as it is free - but it does have its warts...
-- Mitch, hoping someone has found something better ;-)

From chendry at gmail.com Fri Aug 5 17:38:01 2005
From: chendry at gmail.com (Christopher Hendry)
Date: Fri, 5 Aug 2005 14:38:01 -0700
Subject: [nycphp-talk] open source extranet system?
In-Reply-To: <330532b60508051340240ddc01@mail.gmail.com>
References: <0MKz5u-1E0kI60emZ-0006kY@mrelay.perfora.net> <330532b60508051340240ddc01@mail.gmail.com>
Message-ID: <769e4ce050805143848991b8f@mail.gmail.com>

-- Chris, getting worried that Mitch continues to talk about himself in the third person, and now is talking about software having warts...

On 8/5/05, Mitch Pirtle wrote:
> I use NetOffice, as it is free - but it does have its warts...
>
> -- Mitch, hoping someone has found something better ;-)

--
"When you do things right, people won't be sure you've done anything at all."

From 1j0lkq002 at sneakemail.com Fri Aug 5 18:49:57 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Fri, 05 Aug 2005 18:49:57 -0400
Subject: [nycphp-talk] open source extranet system?
In-Reply-To: <0MKz5u-1E0kI60emZ-0006kY@mrelay.perfora.net>
References: <0MKz5u-1E0kI60emZ-0006kY@mrelay.perfora.net>
Message-ID: <27041-42028@sneakemail.com>

joshmccormack-at-travelersdiary.com |nyphp dev/internal group use| wrote:
> I want to set up an extranet system for a web development/design shop. Typical fare - create directories for clients and projects, password protected, up&down load, etc. Would be nice to use some templates, don't need polls and email and whatnot. Any suggestions?
>
> Josh

Bleeding edge might be Backpackit.com which is way cool, but has its oddities, runs as a web service, and requires some new thinking about how we collaborate.
In a perfect web world it might be awesome... as I suppose it is for those lucky enough to be working with savvy clients. I've been playing with it but can't get past the total commitment part.

-=john andrews

From arzala at gmail.com Sat Aug 6 00:39:55 2005
From: arzala at gmail.com (Anirudh Zala (Gmail))
Date: Sat, 6 Aug 2005 10:09:55 +0530
Subject: [nycphp-talk] Experts help needed (Sessions)
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a428005080307484a7425df@mail.gmail.com> <42F0DB3B.4030801@simmons.edu> <8d9a4280050803080154d41465@mail.gmail.com> <42F0DF96.1050200@phpwerx.net> <8d9a4280050803081817147182@mail.gmail.com> <42F0E28A.8020105@phpwerx.net> <8d9a428005080405587f7c4900@mail.gmail.com> <42F21AD5.4030002@phpwerx.net> <8d9a428005080406432dd58d5a@mail.gmail.com>
Message-ID: <017501c59a40$f31c26a0$0164a8c0@aum1>

Joseph,

From a learning-any-good/new-technique point of view it is good that you learn generating this kind of hard to break session keys, but from a real world point of view, there is not much difference between PHP's standard session and your custom made one, because this is a situation like you are creating/modifying your existing lock to be bigger, stronger and harder to break but the solution to break/open it remains the same, like the key is hanging near to your lock so anybody who knows how to open it can open it easily. I am pointing at spoofing of session ids through analyzing the network or by other methods. In that sense no matter how strong you make your lock, there remains the same key to open it. So you may think in both directions; lock as well as key.
Thanks

Anirudh Zala

----- Original Message -----
From: Joseph Crawford
To: NYPHP Talk
Sent: Thursday, August 04, 2005 7:13 PM
Subject: Re: [nycphp-talk] Experts help needed (Sessions)

Dan, thanks for pointing this out, I just thought that basing the identifier on more than just the client's stuff would help a bit, but I guess you're right, the server stuff really won't make a difference. I would incorporate time() but then when I compare they won't be the same since I will have to re-generate the id, that is unless I use ses_start time, that never changes. I have some ideas I am going to flow with, thanks... :)

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com

From arzala at gmail.com Sat Aug 6 02:15:24 2005
From: arzala at gmail.com (Anirudh Zala (Gmail))
Date: Sat, 6 Aug 2005 11:45:24 +0530
Subject: [nycphp-talk] FW: Is the web's love affair with PHP over?
References: <0MKp2t-1E10XV2z6g-0002WV@mrelay.perfora.net> <20050805120705.GD2945@leitz.reuel.net> <42F35AD1.60807@magpie.com>
Message-ID: <02d101c59a4e$460868d0$0164a8c0@aum1>

I doubt that this EMEA survey is knowingly or unknowingly based upon only those companies or programmers who really do not have an idea about all technologies available in the market and what suits them. Especially in the Indian subcontinent, there is still bureaucracy at management level, so what technology is to be selected to build an application depends upon them rather than the software people who actually are going to develop it. So you know what can happen in this situation. And how they select any existing technology from the market is entirely dependent upon word-of-mouth marketing.
See a real-life example of a small scale company about to be started, where Mr. X of company XXX Software calls another company (about selection of technology to build applications), which is his relative's or someone he knows better, Mr. Y of YYY Soft.

================================

X: Hello Y, how is everything?

Y: Fine thanks, and you?

X: Same, just started a new business, you know, software development and outsourcing to America (what country is this? actually they point to the US) and Canada.

Y: Good to hear, best of luck.

X: Ybhai (it is tradition in India to call any person whom you are talking with this way), I need advice about what software is to be selected for building applications? I think PHP is in the news, is it good to select it? What are you using?

Y: Xbhai, we use Java and ASP.Net because you know how easy it is to install and you know the whole world is using it without any trouble. You know Java supports threading, multitasking (this person really doesn't know whether multithreading is really required in the software and applications that they build or not), it is robust and made by Sun, where my relative works in America and he recommended using it. And ASP by the world's richest man, you know, Bill Gates. Both of the above are easy to find in the market and not much problem in maintenance. And if any virus attacks are there, format everything and start again.

X: Ok, good, we will choose this for our development as well. Brother, tomorrow our programmer will come to your office to burn CDs of the software that you have, so we will not need to find it in the market, you know now pirated CDs are not of good quality.

Y: Ok, no problem. Avjo (Avjo means Bye).

================================

Software developers who are really going to write code and build applications can't give much feedback because it is a question of their job and bread & butter, no choice. So they continue with what is there.
Now tell me who the hell is going to use PHP and other open source technologies, when the scenario is like this, where top management is not interested in digging for the truth about what software can really provide a solution to their need and will not require more investment in proprietary software. People here (maybe in most of the world) like buzzwords like "Enterprise, Very costly, Robust, What a GUI, Easy to learn, Most available in market, .NET, Bill Gates, Classes, Multithreading, Secure, Because my relative in America uses it, Because it is very costly but easily available from market through piracy etc." rather than the actual usability of software and technologies, so if 1 company has adopted anything, the other one will most likely choose the same. Where does a real-time survey come in here to actually find what people really want?

However only medium and large scale companies are aware of Open source software and are actually using it, but the number of such companies is not that much in comparison with small scale companies. (I call these small scale companies Hawkers.)

Even in the education system, there is not any awareness of Open source software and still old software is being taught, like Dos, FoxPro, Fortran, Dbase etc., just because they do not have expertise in new technologies like Linux, PHP, Mysql. And most importantly they do not want to change. Something is going, let it go. So it is luck by chance here whether a new company will adopt FOSS or Proprietary software.

Interestingly, I have just been appointed to take lectures in colleges of our region on the subject "Computer applications for managers" for management students. And since they didn't know what technology or software was to be taught for this, they asked me to prepare the course curriculum for them. They needed teaching of something like a computers introduction, an OS and an Office-like suite. Since I am an open source lover, I told them that I will teach them about Linux and OpenOffice, and they said Ok.
So management students are now learning "Application of FOSS in their business". Hence to spread FOSS more and more, we should target top level management rather than bottom level programmers, because only the top level is most of the time going to take the decision about everything. Interesting paradox, isn't it?

I am not here comparing the 2 sides, Proprietary and Open source, but just depicting the true picture of the situation in our subcontinent. So we know that what appears is not always the truth. However the scenario is changing and more and more software companies are adopting open source standards, but still it is much slower than expected.

I know I have deviated here from the main topic, but I felt like saying something to this community and this group about what the actuality is.

Enjoy!

Anirudh Zala

----- Original Message -----
From: Steve Manes
To: NYPHP Talk
Sent: Friday, August 05, 2005 5:55 PM
Subject: Re: [nycphp-talk] FW: Is the web's love affair with PHP over?

leam at reuel.net wrote:
> So, what does EDC do when they sober up and try to do real work? Having seen how the "big boys" play with their Java based WebSphere and WebLogic, I'll take PHP any day. So far PHP hasn't taken several minutes to start up, hasn't dropped half-gig core files on my server, and hasn't required a slew of developers to get simple tasks done.

I wonder how much of this is due to pacific rim outsourcing of corporate web site construction?

I know from experience that Indian outsource companies have little interest or investment in open source languages like PHP and Perl. Java, ASP and .NET rule there, possibly because the developers learned their craft through universities and commercial training/certification courses.
From jhegedus at centrifugeit.com Sat Aug 6 02:52:36 2005
From: jhegedus at centrifugeit.com (Jeff Hegedus)
Date: Sat, 6 Aug 2005 01:52:36 -0500
Subject: [nycphp-talk] (no subject)
Message-ID: <200508060646.j766kXF0024291@centrifuge1.centrifugeit.com>

Hi all,

I have multiple domains but only a single IP address and I'd like to support encrypted connections for certain operations like login, credit card info, secure file upload and download, etc. I've heard a lot about how SSL can't be used with name based virtual hosting but I'm still looking for a solution that does not force me to set up a separate IP for each domain that has needs for secure operations. I've had a couple of ideas that I think might work but I'd like a few other smart folks to bounce the idea off if possible.

1. IPTABLES + APACHE REVERSE PROXY + MULTIPLE INTERNAL WEB SERVERS

There are two domains, domain1 and domain2, both mapped to the internet address inet_ip by DNS.

The firewallServer located at inet_ip (internally this is internal_ip_4) has iptables installed and running. There is an iptables rule that redirects all traffic with a destination of inet_ip:443 that is not part of an established connection to internal_ip_3 (not sure exactly how to write this yet. Can anyone give a definitive answer on whether it is possible and how? If not, I'll look into it as time permits).

Internal_ip_3 is running an apache server with name based virtual hosts and reverse proxy rules set up to map domain1 to internal_ip_1 and domain2 to internal_ip_2.

Internal_ip_1 is running an apache server set up with SSL and a certificate for domain1.

Internal_ip_2 is running an apache server set up with SSL and a certificate for domain2.

I'm not sure if this is accurate, but I was thinking that if a client were to make a request to https://www.domain1.com the initial packet would come into the firewall server and be routed to internal_ip_3.
I was also thinking that at this point the connection has not yet been made to the destination server, so no encryption has actually been performed. This would allow Apache to freely read the header information. If this is correct, SSL shouldn't actually need to be installed on the internal_ip_3 server, and port 443 could be set up as a standard HTTP server.

OK, the above is one of the key points in this method of supporting SSL. Please let me know if you know this won't work.

If the above is true, progress continues by the initial packet being routed to the internal_ip_1 server. This server has Apache set up with SSL and a certificate for domain1. The request is received and the handshake is performed. Finally, the response from Apache on internal_ip_2 is encrypted with the certificate for domain1 and returned to the client.

Further requests come in from client1 that are encrypted, but due to the fact that they are part of an established connection they are routed appropriately to the machine the client previously connected to. This is the second key question. Will conntrack actually be able to do this mapping with an encrypted packet? If it can't, the whole thing falls apart. If this doesn't work exactly as is, would doing an SNAT when incoming packets hit the firewallServer and the reverseProxy allow it to work?

OK, that was my first attempt to design a solution. Next.

2. ONE DOMAIN WITH SSL ENABLED THAT IS LEVERAGED FOR ALL LOGINS AND OTHER SECURE REQUIREMENTS

I haven't worked out all of the details on this, but it seems like it should be pretty manageable to have the site that needs secure services pass a site id and perhaps an original URL to the secure site. This should allow the secure site to brand the pages and fulfill secure services with things like site-specific user lists and redirects to the referring page.
This seems like a pretty workable solution, with the key drawbacks being some confusion and potentially paranoia on the part of the user due to the URL not being part of the original domain, and some additional coding and deployment complexity due to the fact that the functionality of a "site" would really be split across multiple domains. With any luck, proper branding could reduce the user confusion, and proper architecture and documentation would make it easier for developers to implement.

OK, that's the second attempt. I'd really appreciate any input anyone has.

Thanks,

Jeff

From rajlist at rajshekhar.net Sat Aug 6 04:38:12 2005
From: rajlist at rajshekhar.net (Raj Shekhar)
Date: Sat, 06 Aug 2005 14:08:12 +0530
Subject: [nycphp-talk] FW: Is the web's love affair with PHP over?
In-Reply-To: <0MKp2t-1E10XV2z6g-0002WV@mrelay.perfora.net>
References: <0MKp2t-1E10XV2z6g-0002WV@mrelay.perfora.net>
Message-ID: <42F476F4.2070500@rajshekhar.net>

Hans Zaunere wrote:
>> EDC believes PHP's recent glorious past is over, as customers spend
>> money on "more important" technologies to build mission critical systems
>> and vendors like Microsoft and Sun Microsystems make more of a concerted
>> marketing push around alternatives such as ASP.NET and JavaServer Pages
>> (JSP).

All the languages that the report mentioned are in use by Yahoo! and Google - and these companies are more competent than Sun or Microsoft. Can the report explain what they (Y! and Google) do not know that Sun and MS know?
--
Raj Shekhar
Y!IM : lunatech3007
blog : http://rajshekhar.net/blog
home : http://rajshekhar.net
Disclaimer : http://rajshekhar.net/disclaimer

From mwithington at PLMresearch.com Sat Aug 6 08:24:31 2005
From: mwithington at PLMresearch.com (Mark Withington)
Date: Sat, 6 Aug 2005 08:24:31 -0400
Subject: [nycphp-talk] Apache look back functionality and PHP
Message-ID: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358D6A430@network.PLMresearch.com>

It appears that my problem stems from the Apache version that I'm running (version 1.3.XX) - the AcceptPathInfo directive (e.g. look back) is only supported in Apache 2.0.30 and above. I thought I read somewhere that look back had always been supported in Apache, but it appears that was just wishful thinking. If I'm mistaken, please feel free to correct me.

Thanks,

Mark

--------------------------
Mark L. Withington
PLMresearch
v: 508-746-2383
m: 508-801-0181
Calendar: http://www.plmresearch.com/calendar.php

> -----Original Message-----
> From: talk-bounces at lists.nyphp.org
> [mailto:talk-bounces at lists.nyphp.org] On Behalf Of inforequest
> Sent: Thursday, August 04, 2005 3:05 PM
> To: talk at lists.nyphp.org
> Subject: Re: [nycphp-talk] Apache look back functionality and PHP
>
> I rely on Apache's lookback quite a bit and never have any trouble even
> across numerous hosts. Maybe take a close look at the script/parse
> instructions and your placement of the "?" in that query string. I think
> you need safe mode off for ImageMagick, right?
>
> Maybe try a lookback example using a basic test script, before debugging
> the ImageMagick scripts?
>
> -=john andrews
>
> Mark Withington mwithington-at-PLMresearch.com |nyphp dev/internal group use| wrote:
>
> > I've been trying to use a PHP front-end script for ImageMagick as
> > described at evolt.org (see
> > http://www.evolt.org/article/PHP_front-end_to_ImageMagick/17/55650/ )
> > The script relies upon $_SERVER['PATH_INFO'] and Apache's look back
> > to find the front-end script (magick.php). The idea of the magick.php
> > script is to accept ImageMagick commands embedded in a URL.
> >
> > Abstract:
> >
> > "The script will enable us to give |convert| commands by changing the
> > query string. Maybe a simple example will better explain this idea.
> > You've got an image: |http://wwww.example.com/img/image.jpg|. You copy
> > the ImageMagick script |magick.php| to the same directory. The image
> > is now also available as
> > |http://www.example.com/img/magick.php/image.jpg|. So far, your image
> > hasn't changed. Now, imagine you want a thumbnail of the image with a
> > width of exactly 200 pixels. You can get that image by requesting the
> > url: |http://www.example.com/img/magick.php/image.jpg?resize(200)|."
> >
> > For the life of me, I can't get Apache to look back and find the
> > magick.php script; rather it simply looks at image.jpg and assumes
> > it's a subdirectory. Has anyone had any experience with this script
> > (a PHP front-end to ImageMagick as described at evolt.org) or Apache's
> > look back functionality?
> >
> > --------------------------
> > Mark L. Withington
> > PLMresearch
> > "eBusiness for the Midsize Enterprise"
> > PO Box 1354
> > Plymouth, MA 02362
> > o: 800-310-3992 ext.
> > 704
> > f: 508-746-4973
> > v: 508-746-2383
> > m: 508-801-0181
> > http://www.PLMresearch.com
> > Netscape/AOL/MSN IM: PLMresearch mwithington at plmresearch.com
> > Public Key:
> > http://www.plmdev.com/plmr/plmresearch.com/keys/MLW_public_key.asc
> > Calendar: http://www.plmdev.com/plmr/plmresearch.com/calendar.php
>

From leam at reuel.net Sat Aug 6 08:27:54 2005
From: leam at reuel.net (leam at reuel.net)
Date: Sat, 6 Aug 2005 08:27:54 -0400
Subject: [nycphp-talk] SW Piracy, and helping others (wuz:Is the web's love affair with PHP over?)
In-Reply-To: <02d101c59a4e$460868d0$0164a8c0@aum1>
References: <42F35AD1.60807@magpie.com> <02d101c59a4e$460868d0$0164a8c0@aum1>
Message-ID: <20050806122754.GA3801@leitz.reuel.net>

Cool, and probably too true. This is a place where software piracy hurts economic interests; if small companies had to actually pay for the software they are using, their choices might be more inclined to Free/Open Source. I know my clients are happy with using free software. :)

Also, I wonder how many of us would be available to travel, or at least give talks about the free software that we use to groups who can't economically support a full-fledged training program, etc.? The thought of going someplace where these decisions are being made and telling them the options they have just seems too useful. Though I'm not an "Open Source or die!" sort of person, I know open source software has so many advantages over the alternative that it's easy to tell the truth and feel good about it.

One more reason to keep posting Phundamentals and white-papers...

ciao!
leam

On Sat, Aug 06, 2005 at 11:45:24AM +0530, Anirudh Zala (Gmail) wrote:
> I doubt that this EMEA survey, knowingly or unknowingly, is based upon only those companies or programmers who really do not have an idea about all the technologies available in the market and what suits them.
>
> Specially in the Indian subcontinent, there is still bureaucracy at management level, so what technology is to be selected to build an application depends upon them rather than the software people who actually are going to develop it. So you know what can happen in this situation.
>
> And how they select any existing technology from the market is entirely dependent upon mouth marketing. See a real time example of a small scale company about to be started, where Mr. X of company XXX software calls another company (about the selection of technology to build applications), which is his relative's or someone he knows better, Mr. Y of YYY soft.
>
> ================================
>
> X: Hello Y, how is everything?
> Y: Fine thanks, and you?
> X: Same, just started a new business, you know, software development and outsourcing to America (what country is this? actually they point to the US) and Canada.
> Y: Good to hear, best luck.
>
> X: Ybhai (it is tradition in India to call any person whom you are talking with this), I need advice about what software is to be selected in building applications. I think PHP is in the news, is it good to select it? What are you using?
>
> Y: Xbhai, we use Java and ASP.Net because you know how easy it is to install and you know the whole world is using it without any trouble. You know Java supports threading, multitasking (this person really doesn't know whether multithreading is really required in the software and applications that they build or not), it is robust and made by Sun, where my relative works in America, and he recommended it to use. And ASP is by the world's richest man, you know, Bill Gates. Both of the above are easy to find in the market and there are not many problems in maintenance.
> And if any virus attacks are there, format everything and start again.
>
> X: Ok, good, we will choose this for our development as well. Brother, tomorrow our programmer will come to your office to burn CDs of the software that you have, so we will not need to find it in the market; you know now pirated CDs are not of good quality.
>
> Y: Ok, no problem. Avjo (Avjo means Bye).
>
> ================================
>
> Software developers who are really going to write code and build applications can't give much feedback because it is a question of their job and bread & butter, no choice. So they continue with what is there.
>
> Now tell me who the hell is going to use PHP and other open source technologies, when the scenario is like this, where top management is not interested in digging out the truth about what software can really provide a solution to their need and will not require more investment in proprietary software.
>
> People here (maybe in most of the world) like buzzwords like "Enterprise, Very costly, Robust, What a GUI, Easy to learn, Most available in market, .NET, Bill Gates, Classes, Multithreading, Secure, Because my relative in America uses it, Because it is very costly but easily available from market through piracy etc." rather than the actual usability of software and technologies, so if 1 company has adopted anything, the other one will most likely choose the same. Where does a real time survey come in here to actually find what people really want?
>
> However, only medium and large scale companies are aware of Open source software and are actually using it, but the number of such companies is not that much in comparison with small scale companies. (I call these small scale companies Hawkers.)
>
> Even in the education system, there is not any awareness of Open source software, and old software is still being taught, like Dos, FoxPro, Fortran, Dbase etc., just because they do not have expertise in new technologies like Linux, PHP, MySQL.
> And most importantly they do not want to get changed. Something is going, let it go. So it is luck by chance here whether a new company will adopt FOSS or Proprietary software.
>
> Interestingly, I have just been appointed to take lectures in colleges of our region on the subject "Computers applications to managers" for management students. And since they didn't know what technology or software was to be taught for this, they asked me to prepare the course curriculum for them. They needed teaching of something like an introduction to computers, an OS and an Office-like suite. Since I am an open source lover, I told them that I will teach them about Linux and OpenOffice, and they said Ok. So management students are now learning "Application of FOSS in their business". Hence, to spread FOSS more and more, we should target top-level management rather than bottom-level programmers, because only the top level is most of the time going to take the decision about everything. Interesting paradox, isn't it?
>
> I am not here comparing the 2 sides, Proprietary and Open source, but just depicting the true picture of the situation in our subcontinent. So we know that what it appears is not always the truth. However, the scenario is changing and more and more software companies are adopting open source standards, but still it is much slower than expected.
>
> I know I have deviated here from the main topic, but I felt I should say something to this community and this group about what the actuality is.
>
> Enjoy!
>
> Anirudh Zala

From evdo.hsdpa at gmail.com Sat Aug 6 13:24:59 2005
From: evdo.hsdpa at gmail.com (Robert Kim Wireless Internet Advisor)
Date: Sat, 6 Aug 2005 10:24:59 -0700
Subject: [nycphp-talk] Formmail / Gmail filtering
Message-ID: <1ec620e90508061024488e4f50@mail.gmail.com>

guys...

Anybody know how to hack GMAIL so that

a) I can manually break up conversations. ****

b) sort by or FILTER ONLY emails that have not gotten a response (from me or from the other party, both filtering)

why? well... people ask me for info. I reply immediately.
If they don't get the email, they think I didn't respond. They get upset. And generally my email is sitting in their spam filter. So.. I want a way to look for emails that have NOT been responded to for 3+ hours.

c) filter / forward based on time and # B criteria, do if / thens...

_____________

**** a) the way around the problem for me is to simply change my subject lines BEFORE they get sent ... or auto-generated from my formmail... see http://evdo-coverage.com

Simple problem with Gmail. All my conversations are bunched together EVEN IF they are unrelated ... simply due to subject line similarity.

So.. I thought... instead of my FORMMAIL subject being the same

" ! QUOTE REQUEST ! - New Client Contact !"

it could be...

" ! QUOTE REQUEST ! <--! NAME and COMPANY FIELD VARIABLE GOES HERE-->- New Client Contact !"

Anybody know formmail perl????

__________________

--
Robert Q Kim, Wireless Internet Advisor
http://evdo-coverage.com
http://wirelessinternetcoverage.com
http://hsdpa-coverage.com
2611 S. Pacific Coast Highway 101
Suite 102
Cardiff by the Sea, CA 92007
206 984 0880

From 1j0lkq002 at sneakemail.com Sat Aug 6 15:36:55 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Sat, 06 Aug 2005 12:36:55 -0700
Subject: [nycphp-talk] Apache look back functionality and PHP
In-Reply-To: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358D6A430@network.PLMresearch.com>
References: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358D6A430@network.PLMresearch.com>
Message-ID: <16736-25236@sneakemail.com>

Mark Withington mwithington-at-PLMresearch.com |nyphp dev/internal group use| wrote:

> It appears that my problem stems from the Apache version that I'm running
> (version 1.3.XX) - the AcceptPathInfo directive (e.g. look back) is only
> supported in Apache 2.0.30 and above. I thought I read somewhere that look
> back had always been supported in Apache, but it appears that was just
> wishful thinking.
> If I'm mistaken, please feel free to correct me.
>
> Thanks,
>
> Mark
>
> --------------------------
> Mark L. Withington
> PLMresearch
> v: 508-746-2383
> m: 508-801-0181
> Calendar: http://www.plmresearch.com/calendar.php
>

Nah... can't be true. I only recently switched to 2.0 and I've been relying on combinations of FILE/ForceType and Apache's inherent directory walking for years.

-=john andrews

From 1j0lkq002 at sneakemail.com Sat Aug 6 15:42:07 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Sat, 06 Aug 2005 12:42:07 -0700
Subject: [nycphp-talk] Apache look back functionality and PHP
In-Reply-To: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358D6A430@network.PLMresearch.com>
References: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358D6A430@network.PLMresearch.com>
Message-ID: <22969-59771@sneakemail.com>

Mark Withington mwithington-at-PLMresearch.com |nyphp dev/internal group use| wrote:

> It appears that my problem stems from the Apache version that I'm running
> (version 1.3.XX) - the AcceptPathInfo directive (e.g. look back) is only
> supported in Apache 2.0.30 and above. I thought I read somewhere that look
> back had always been supported in Apache, but it appears that was just
> wishful thinking. If I'm mistaken, please feel free to correct me.
>
> Thanks,
>
> Mark
>
> --------------------------
> Mark L. Withington
> PLMresearch
> v: 508-746-2383
> m: 508-801-0181
> Calendar: http://www.plmresearch.com/calendar.php
>

Okay, I took a look at the AcceptPathInfo docs for v2 and I think I know what you mean. See the section on "default settings", because it reminds us that the default Apache HANDLER doesn't accept trailing string info on the resource name, but most SCRIPT handlers do (by default). Thus to use the default handler and get that trailing info, you need this AcceptPathInfo stuff. Since I use a FILES directive to set a PHP handler for my root scripts, the trailing info is present without that (i.e. in 1.3x).
-=john andrews

From nyphp at enobrev.com Sat Aug 6 16:15:32 2005
From: nyphp at enobrev.com (Mark Armendariz)
Date: Sat, 6 Aug 2005 13:15:32 -0700
Subject: [nycphp-talk] Formmail / Gmail filtering
In-Reply-To: <1ec620e90508061024488e4f50@mail.gmail.com>
Message-ID: <20050806201516.A37C5A863E@virtu.nyphp.org>

Well, for backup, you can log in via POP3 now, and there's an option in the settings to let you download all messages.

Mark

_____

From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Robert Kim Wireless Internet Advisor
Sent: Saturday, August 06, 2005 10:25 AM
To: talk at lists.nyphp.org
Subject: [nycphp-talk] Formmail / Gmail filtering

guys...

Anybody know how to hack GMAIL so that

a) I can manually break up conversations. ****

b) sort by or FILTER ONLY emails that have not gotten a response (from me or from the other party, both filtering)

why? well... people ask me for info. I reply immediately. If they don't get the email, they think I didn't respond. They get upset. And generally my email is sitting in their spam filter. So.. I want a way to look for emails that have NOT been responded to for 3+ hours.

c) filter / forward based on time and # B criteria, do if / thens...

_____________

**** a) the way around the problem for me is to simply change my subject lines BEFORE they get sent ... or auto-generated from my formmail... see http://evdo-coverage.com

Simple problem with Gmail. All my conversations are bunched together EVEN IF they are unrelated ... simply due to subject line similarity.

So.. I thought... instead of my FORMMAIL subject being the same

" ! QUOTE REQUEST ! - New Client Contact !"

it could be...

" ! QUOTE REQUEST ! <--! NAME and COMPANY FIELD VARIABLE GOES HERE-->- New Client Contact !"

Anybody know formmail perl????

__________________

--
Robert Q Kim, Wireless Internet Advisor
http://evdo-coverage.com
http://wirelessinternetcoverage.com
http://hsdpa-coverage.com
2611 S.
Pacific Coast Highway 101
Suite 102
Cardiff by the Sea, CA 92007
206 984 0880

From shiflett at php.net Sat Aug 6 16:23:28 2005
From: shiflett at php.net (Chris Shiflett)
Date: Sat, 06 Aug 2005 16:23:28 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To:
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a428005080116411feb1b5f@mail.gmail.com> <42EEB71D.2090504@iifwp.org> <8d9a428005080117156c2fa21a@mail.gmail.com> <42EEC220.4030401@iifwp.org> <8d9a428005080118177e9f2b2d@mail.gmail.com> <8d9a428005080118356ad04369@mail.gmail.com> <8d9a428005080206323ac36e21@mail.gmail.com> <42F046A3.4040507@omnistep.com> <8d9a428005080305344c2c261e@mail.gmail.com>
Message-ID: <42F51C40.8090907@php.net>

David Mintz wrote:
> Here's a possibility you should look at (sorry if I'm repeating myself):
>
> http://shiflett.org/code/http-developers-handbook/state_example.phps
> http://shiflett.org/code/http-developers-handbook/session_example.phps

Don't use those. :-)

Those examples are meant to introduce some basic principles about state and session management in a generic way. The code is PHP, just because PHP is easy to read. It's not meant to be used by PHP developers, since the native session mechanism is much better.
Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

From codebowl at gmail.com Sat Aug 6 16:34:35 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Sat, 6 Aug 2005 16:34:35 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <42F51C40.8090907@php.net>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a428005080117156c2fa21a@mail.gmail.com> <42EEC220.4030401@iifwp.org> <8d9a428005080118177e9f2b2d@mail.gmail.com> <8d9a428005080118356ad04369@mail.gmail.com> <8d9a428005080206323ac36e21@mail.gmail.com> <42F046A3.4040507@omnistep.com> <8d9a428005080305344c2c261e@mail.gmail.com> <42F51C40.8090907@php.net>
Message-ID: <8d9a4280050806133437050066@mail.gmail.com>

This has all been a learning experience for me, as I have never done anything with sessions aside from using PHP's default file-based sessions. I have posted my code for you experts to view so that maybe I can get some constructive criticism to make the code even better. Feel free to use this code in your applications if you feel you want to ;)

init.php - http://codebowl.dontexist.net/csaf/sessions/init.phps
test.php - http://codebowl.dontexist.net/csaf/sessions/test.phps
test2.php - http://codebowl.dontexist.net/csaf/sessions/test2.phps
test3.php - http://codebowl.dontexist.net/csaf/sessions/test3.phps
session.php - http://codebowl.dontexist.net/csaf/sessions/session.phps
iuser.php - http://codebowl.dontexist.net/csaf/sessions/iuser.phps
user.php - http://codebowl.dontexist.net/csaf/sessions/user.phps
client.php - http://codebowl.dontexist.net/csaf/sessions/client.phps
contractor.php - http://codebowl.dontexist.net/csaf/sessions/contractor.phps
admin.php - http://codebowl.dontexist.net/csaf/sessions/admin.phps

Again, I would like to get some suggestions, flames, whatever about my code. If you can't look at it now, please look at it when you have some extra time ;)

I have finally gotten everything to work (well, almost).
I have the session output showing all active sessions aside from your own session, because the icon and page change was always one page refresh behind. However, everything works perfectly if I don't show the current user's session info.

I would also like to thank all of those who have contributed to this email and led my mind down roads which I may not have thought of right away ;) Thanks for all the help guys. I think my next step is to implement a using function like you would see in .NET, so that I can do using('lib.auth') and have it include all the files in that dir ;)

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com

From shiflett at php.net Sat Aug 6 16:35:22 2005
From: shiflett at php.net (Chris Shiflett)
Date: Sat, 06 Aug 2005 16:35:22 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <42F21AD5.4030002@phpwerx.net>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <42F046A3.4040507@omnistep.com> <8d9a428005080305344c2c261e@mail.gmail.com> <8d9a428005080307484a7425df@mail.gmail.com> <42F0DB3B.4030801@simmons.edu> <8d9a4280050803080154d41465@mail.gmail.com> <42F0DF96.1050200@phpwerx.net> <8d9a4280050803081817147182@mail.gmail.com> <42F0E28A.8020105@phpwerx.net> <8d9a428005080405587f7c4900@mail.gmail.com> <42F21AD5.4030002@phpwerx.net>
Message-ID: <42F51F0A.1000505@php.net>

Dan Cech wrote:
> Your function would work the same way if it was:
>
> $this->_key = $_SERVER['HTTP_USER_AGENT'];

I was about to point this out, too. The data within $_ENV is going to be consistent, so it can't help you to identify inconsistencies in the client's requests.

> Thus it doesn't actually provide any real added protection against
> session hijacking, because any attacker who can get hold of the session
> id will also be able to determine and spoof the user agent string.

That's not necessarily true.
Judging something according to its strength as an identifier doesn't make a lot of sense in this context, either, and this is another remark I frequently observe. The idea with these Defense in Depth mechanisms is to reduce the likelihood of session hijacking under the condition that the session identifier has been captured. Every little thing helps.

A valid argument against user agent checking is that it can be inconsistent for the same user due to inconsistent HTTP proxy behavior. Thus, while it can help you identify inconsistencies, it's possible that some of these are false positives. These can be reduced somewhat by recording a user's history - someone with a consistent user agent for the last 100 requests is unlikely to send a different one in the same session, and a simple password prompt as "punishment" can make sure that any false positives don't piss off your legitimate users too much. :-)

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

From codebowl at gmail.com Sat Aug 6 16:39:14 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Sat, 6 Aug 2005 16:39:14 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <42F51F0A.1000505@php.net>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a428005080307484a7425df@mail.gmail.com> <42F0DB3B.4030801@simmons.edu> <8d9a4280050803080154d41465@mail.gmail.com> <42F0DF96.1050200@phpwerx.net> <8d9a4280050803081817147182@mail.gmail.com> <42F0E28A.8020105@phpwerx.net> <8d9a428005080405587f7c4900@mail.gmail.com> <42F21AD5.4030002@phpwerx.net> <42F51F0A.1000505@php.net>
Message-ID: <8d9a42800508061339134d58d3@mail.gmail.com>

Chris,

I appreciate your thoughts on the User Agent. Maybe I will have to implement that type of tracking, but I also think that if I compare the current user agent to an array of the last 100, won't that be time consuming and resource intensive... that would get checked on every page load.
I guess I could check it every X page loads, but then again it wouldn't be a consistent check. I might have to check and see how much it would actually lag my site by doing that. I can imagine several thousand users doing that check every page load would not be that good ;)

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com

From shiflett at php.net Sat Aug 6 16:42:48 2005
From: shiflett at php.net (Chris Shiflett)
Date: Sat, 06 Aug 2005 16:42:48 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <9944941.1122940163731.JavaMail.root@wamui-chisos.atl.sa.earthlink.net>
References: <9944941.1122940163731.JavaMail.root@wamui-chisos.atl.sa.earthlink.net>
Message-ID: <42F520C8.6080503@php.net>

Nestor Florez wrote:
> A trick I use often is that I check the session ID and the referrer
> before allowing the user to continue to the next page.

You should discontinue this practice. It can adversely affect your legitimate users, and it's a trivial safeguard with negligible value.

Referer is sent by the client. Everyone on the planet knows exactly what you expect it to be. See the problem? It would actually be better to make the client choose heads or tails - at least this can only be guessed correctly about 50% of the time instead of 100% of the time.

> It's not infallible but it adds an extra layer.

This general approach is a good one (it's called Defense in Depth), but try to pick a safeguard that has some value.

Hope that helps.
Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

From shiflett at php.net Sat Aug 6 16:47:57 2005
From: shiflett at php.net (Chris Shiflett)
Date: Sat, 06 Aug 2005 16:47:57 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <8d9a42800508021527145f14a7@mail.gmail.com>
References: <8d9a42800508011622459c8b2e@mail.gmail.com> <42EF7604.2060900@phpwerx.net> <8d9a42800508020746945a5c@mail.gmail.com> <6bd6656d336bb3d3daed600e106ccd2c@email.smith.edu> <8d9a42800508021527145f14a7@mail.gmail.com>
Message-ID: <42F521FD.3000401@php.net>

Joseph Crawford wrote:
> I couldn't figure out why, when I was using output buffering, in my
> destroy method the session_regenerate_id() function would be complaining
> about the headers already being sent.

This is a tough one. The problem is that the session mechanism's write handler executes after the output stream has been closed. Many people run into this when trying to output debugging information to the screen - you'll never see the debugging info that your write handler outputs.

Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

From codebowl at gmail.com Sat Aug 6 16:49:31 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Sat, 6 Aug 2005 16:49:31 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <42F521FD.3000401@php.net>
References: <8d9a42800508011622459c8b2e@mail.gmail.com> <42EF7604.2060900@phpwerx.net> <8d9a42800508020746945a5c@mail.gmail.com> <6bd6656d336bb3d3daed600e106ccd2c@email.smith.edu> <8d9a42800508021527145f14a7@mail.gmail.com> <42F521FD.3000401@php.net>
Message-ID: <8d9a428005080613495fdf0568@mail.gmail.com>

Chris, thanks for the answer to that.. I had struggled with that for days before I realised what it was. I continued to get the error, and in most cases it was my database object throwing an exception due to a bad query format.

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com

From mwithington at PLMresearch.com Sat Aug 6 16:54:56 2005
From: mwithington at PLMresearch.com (Mark Withington)
Date: Sat, 6 Aug 2005 16:54:56 -0400
Subject: [nycphp-talk] Apache look back functionality and PHP
Message-ID: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358EF26AB@network.PLMresearch.com>

Would love to hear more about your use of FILE/ForceType to access Apache's directory walking.

Thanks,

Mark

--------------------------
Mark L. Withington
PLMresearch
"eBusiness for the Midsize Enterprise"
PO Box 1354
Plymouth, MA 02362
o: 800-310-3992 ext. 704
f: 508-746-4973
v: 508-746-2383
m: 508-801-0181
http://www.PLMresearch.com
Netscape/AOL/MSN IM: PLMresearch mwithington at plmresearch.com
Public Key: http://www.plmdev.com/plmr/plmresearch.com/keys/MLW_public_key.asc
Calendar: http://www.plmdev.com/plmr/plmresearch.com/calendar.php

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of inforequest
Sent: Saturday, August 06, 2005 3:42 PM
To: talk at lists.nyphp.org
Subject: Re: [nycphp-talk] Apache look back functionality and PHP

Mark Withington mwithington-at-PLMresearch.com |nyphp dev/internal group use| wrote:

> It appears that my problem stems from the Apache version that I'm running
> (version 1.3.XX) - the AcceptPathInfo directive (e.g. look back) is only
> supported in Apache 2.0.30 and above. I thought I read somewhere that look
> back had always been supported in Apache, but it appears that was just
> wishful thinking. If I'm mistaken, please feel free to correct me.
>
> Thanks,
>
> Mark
>
> --------------------------
> Mark L. Withington
> PLMresearch
> v: 508-746-2383
> m: 508-801-0181
> Calendar: http://www.plmresearch.com/calendar.php
>

Okay, I took a look at the AcceptPathInfo docs for v2 and I think I know what you mean.
See the section on "default settings" because it reminds us that the default Apache HANDLER doesn't accept trailing string info on the resource name, but most SCRIPT handlers do (by default). Thus to use the default handler and get that trailing info, you need this AcceptPathInfo stuff. Since I use a FILES directive to set a php handler for my root scripts, the trailing info is present without that (i.e. in 1.3x).

-=john andrews

_______________________________________________
New York PHP Talk Mailing List
AMP Technology
Supporting Apache, MySQL and PHP
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org

From shiflett at php.net Sat Aug 6 17:14:43 2005
From: shiflett at php.net (Chris Shiflett)
Date: Sat, 06 Aug 2005 17:14:43 -0400
Subject: [nycphp-talk] Chris Shiftlett's Session Example
In-Reply-To: <8d9a428005080308555e1ba271@mail.gmail.com>
References: <8d9a428005080308555e1ba271@mail.gmail.com>
Message-ID: <42F52843.3020804@php.net>

Joseph Crawford wrote:
> # Make sure the user agent is correct
> $ua_should_be = urldecode($parsed_cookie['ua']);
> if ($_SERVER['HTTP_USER_AGENT'] != $ua_should_be)
> {
>     $identity_validated = false;
> }
>
> does that seem redundant to anyone else?

It's not a particularly good example, since an attacker can pretty easily determine the format of the cookie string and spoof it. However, it's meant to illustrate the basic idea of consistency checking. Inconsistencies in a client's request are reason for suspicion, although legitimate users may send slightly inconsistent requests due to HTTP proxies and weird browser behavior (IE sends a different Accept header when you reload a page) on occasion. So, make sure your "punishment" is mild. :-)

Hope that helps.
Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

From shiflett at php.net Sat Aug 6 17:27:33 2005
From: shiflett at php.net (Chris Shiflett)
Date: Sat, 06 Aug 2005 17:27:33 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <8d9a42800508061339134d58d3@mail.gmail.com>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a428005080307484a7425df@mail.gmail.com> <42F0DB3B.4030801@simmons.edu> <8d9a4280050803080154d41465@mail.gmail.com> <42F0DF96.1050200@phpwerx.net> <8d9a4280050803081817147182@mail.gmail.com> <42F0E28A.8020105@phpwerx.net> <8d9a428005080405587f7c4900@mail.gmail.com> <42F21AD5.4030002@phpwerx.net> <42F51F0A.1000505@php.net> <8d9a42800508061339134d58d3@mail.gmail.com>
Message-ID: <42F52B45.2050304@php.net>

Joseph Crawford wrote:
> I appreciate your thoughts on the User Agent, maybe I will have to
> implement that type of tracking but I also think that if I compare the
> current user agent to an array of the last 100, won't that be time
> consuming and resource intensive

George is the performance guy. :-)

Yes, any safeguard is going to cost you some performance. I think this is fine as long as the negative impact of a safeguard has a linear correlation to your traffic. Exponential costs will kill you.

For example, in this case, you could check against each user agent sent in the past requests for the current session, and this would be awful. Every time a user requests a page, the performance impact is higher than it was for the previous requests, because the cost is accumulating.

A better approach would be to check an integer - whenever a user agent matches, you increment a counter. After a certain threshold of your choosing, you can begin enforcing user agent consistency. Checking to see whether 7919 is greater than 50 is comparable to checking to see whether 100 is greater than 50. Thus, while the safeguard has a performance cost, it's a consistent one.
Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

From codebowl at gmail.com Sat Aug 6 17:39:25 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Sat, 6 Aug 2005 17:39:25 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <42F52B45.2050304@php.net>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a4280050803080154d41465@mail.gmail.com> <42F0DF96.1050200@phpwerx.net> <8d9a4280050803081817147182@mail.gmail.com> <42F0E28A.8020105@phpwerx.net> <8d9a428005080405587f7c4900@mail.gmail.com> <42F21AD5.4030002@phpwerx.net> <42F51F0A.1000505@php.net> <8d9a42800508061339134d58d3@mail.gmail.com> <42F52B45.2050304@php.net>
Message-ID: <8d9a428005080614392323b245@mail.gmail.com>

Chris,

yet again someone shows me a method of doing something that I was not thinking about ;) thanks

If I implement this I will be doing it this way, basically storing the last 10 UAs and checking those; once one is found that doesn't match it increments a count. The count hits a certain # and the session is destroyed, is that what you meant?

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
From shiflett at php.net Sat Aug 6 17:46:48 2005
From: shiflett at php.net (Chris Shiflett)
Date: Sat, 06 Aug 2005 17:46:48 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <8d9a428005080614392323b245@mail.gmail.com>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a4280050803080154d41465@mail.gmail.com> <42F0DF96.1050200@phpwerx.net> <8d9a4280050803081817147182@mail.gmail.com> <42F0E28A.8020105@phpwerx.net> <8d9a428005080405587f7c4900@mail.gmail.com> <42F21AD5.4030002@phpwerx.net> <42F51F0A.1000505@php.net> <8d9a42800508061339134d58d3@mail.gmail.com> <42F52B45.2050304@php.net> <8d9a428005080614392323b245@mail.gmail.com>
Message-ID: <42F52FC8.1050401@php.net>

Joseph Crawford wrote:
> thanks if I implement this I will be doing it this way, basically
> storing the last 10 UAs and checking those, once one is found that
> doesn't match it increments a count.

I would store one user agent and increment a counter whenever a match is found (not the other way around). Once that counter passes a certain threshold of your choosing, enforce user agent consistency. I would reset the counter when a match is not found, otherwise the purpose is lost.

> The count hits a certain # the session is destroyed, is that what
> you meant?

This is a pretty extreme reaction. A better approach is to prompt the user for a password. After all, this approach isn't foolproof, and neither is the implementation. There are situations (weird browser behavior, HTTP proxies, errors in your code, etc.) that can cause a legitimate user to fail one of your checks.

Hope that helps.
Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

From codebowl at gmail.com Sat Aug 6 17:50:25 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Sat, 6 Aug 2005 17:50:25 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <42F52FC8.1050401@php.net>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a4280050803081817147182@mail.gmail.com> <42F0E28A.8020105@phpwerx.net> <8d9a428005080405587f7c4900@mail.gmail.com> <42F21AD5.4030002@phpwerx.net> <42F51F0A.1000505@php.net> <8d9a42800508061339134d58d3@mail.gmail.com> <42F52B45.2050304@php.net> <8d9a428005080614392323b245@mail.gmail.com> <42F52FC8.1050401@php.net>
Message-ID: <8d9a428005080614507a0761ef@mail.gmail.com>

Chris,

I think I see your point about not destroying the session. I should just ask for their password; if it matches let them continue on, if not maybe allow 3 attempts and then destroy the session.

If you are incrementing on a valid match of the UA, are you saying to stop checking once they hit a threshold of say 50 checks?

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
From shiflett at php.net Sat Aug 6 17:58:52 2005
From: shiflett at php.net (Chris Shiflett)
Date: Sat, 06 Aug 2005 17:58:52 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <8d9a428005080614507a0761ef@mail.gmail.com>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a4280050803081817147182@mail.gmail.com> <42F0E28A.8020105@phpwerx.net> <8d9a428005080405587f7c4900@mail.gmail.com> <42F21AD5.4030002@phpwerx.net> <42F51F0A.1000505@php.net> <8d9a42800508061339134d58d3@mail.gmail.com> <42F52B45.2050304@php.net> <8d9a428005080614392323b245@mail.gmail.com> <42F52FC8.1050401@php.net> <8d9a428005080614507a0761ef@mail.gmail.com>
Message-ID: <42F5329C.8000403@php.net>

Joseph Crawford wrote:
> if you are incrementing on a valid match of the UA, are you saying to
> stop checking once they hit a threshold of say 50 checks?

I'm saying to start enforcing the checking at that point. :-)

This whole idea of recording history is just to increase the reliability of the approach - it's not necessary, but you're otherwise more likely to ask a legitimate user to provide the password again.

This same approach can be used for more than just user agent - the idea is to identify things that are consistent in requests from your legitimate users, then you can identify inconsistencies as a reason for suspicion.

Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

From patrick at ramsden.com Sat Aug 6 17:58:11 2005
From: patrick at ramsden.com (Patrick Ramsden)
Date: Sat, 6 Aug 2005 16:58:11 -0500
Subject: [nycphp-talk] (no subject)
In-Reply-To: <200508060646.j766kXF0024291@centrifuge1.centrifugeit.com>
Message-ID: <47qfdc$20adf3@smtp04.mrf.mail.rcn.net>

Jeff-

I looked into this a while back and came to the conclusion that you have to have different IP address or do it with the application logic. I'm no expert, so would be interested if someone knows of a solution.
A couple of comments found from the Internet:

- "Name-based virtual hosting cannot be used with SSL secure servers because of the nature of the SSL protocol." (http://httpd.apache.org/docs/1.3/vhosts/name-based.html#using).

- Another site said "...when using SSL, all HTTP traffic is encrypted, and this includes the request's Host: header. This header is unavailable until the SSL handshake has been performed, and that in turn requires that the request has been dispatched to the appropriate virtual host, because the SSL handshake depends on that particular host's SSL certificate. For this reason, each SSL-enabled virtual host needs its own, unique IP address. You can still use name-based virtual hosts along with SSL-enabled virtual hosts in the same configuration file, though."

-Pat

_____

From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Jeff Hegedus
Sent: Saturday, August 06, 2005 1:53 AM
To: talk at lists.nyphp.org
Subject: [nycphp-talk] (no subject)

Hi all,

I have multiple domains but only a single IP address and I'd like to support encrypted connections for certain operations like login, credit card info, secure file upload and download, etc. I've heard a lot about how SSL can't be used with name based virtual hosting but I'm still looking for a solution that does not force me to set up a separate IP for each domain that has needs for secure operations. I've had a couple of ideas that I think might work but I'd like a few other smart folks to bounce the idea off if possible.

1. IPTABLES + APACHE REVERSE PROXY + MULTIPLE INTERNAL WEB SERVERS

There are two domains. domain1 and domain2 both mapped to the internet address inet_ip by dns.

The firewallServer located at inet_ip (internally this is internal_ip_4) has iptables installed and running.
There is an iptables rule that redirects all traffic with a destination of inet_ip:443 that is not part of an established connection to internal_ip_3 (not sure exactly how to write this yet. Can anyone give a definitive answer on whether it is possible and how? If not, I'll look into it as time permits)

Internal_ip_3 is running an apache server with name based virtual hosts and reverse proxy rules set up to map domain1 to internal_ip_1 and domain2 to internal_ip_2

Internal_ip_1 is running an apache server set up with SSL and a certificate for domain1

Internal_ip_2 is running an apache server set up with SSL and a certificate for domain2

I'm not sure if this is accurate, but I was thinking that if a client were to make a request to https://www.domain1.com the initial packet would come into the firewall server and be routed to internal_ip_3. I was also thinking that at this point the connection has not yet been made to the destination server so no encryption has actually been performed. This would allow Apache to freely read the header information. If this is correct, SSL shouldn't actually need to be installed on the internal_ip_3 server and port 443 could be set up as a standard http server

OK, the above is one of the key points in this method of supporting SSL. Please let me know if you know this won't work.

If the above is true, progress continues by the initial packet being routed to the internal_ip_1 server. This server has Apache set up with SSL and a certificate for domain1

The request is received and the handshake is performed. Finally, the response from Apache on internal_ip_2 is encrypted with the certificate for domain1 and returned to the client.

Further requests come in from client1 that are encrypted but due to the fact that they are part of an established connection they are routed appropriately to the machine the client previously connected to. This is the second key question. Will conntrack actually be able to do this mapping with an encrypted packet?
If it can't the whole thing falls apart. If this doesn't work exactly as is, would doing an SNAT when incoming packets hit the firewallServer and the reverseProxy allow it to work?

Ok, that was my first attempt to design a solution. Next.

2. ONE DOMAIN WITH SSL ENABLED THAT IS LEVERAGED FOR ALL LOGINS AND OTHER SECURE REQUIREMENTS

I haven't worked out all of the details on this but it seems like it should be pretty manageable to have the site that needs secure services pass a site id and perhaps an original URL to the secure site. This should allow the secure site to brand the pages and fulfill secure services with things like site specific user lists and redirects to the referring page.

This seems like a pretty workable solution with the key drawbacks being some confusion and potentially paranoia on the part of the user due to the URL not being part of the original domain and some additional coding and deployment complexity due to the fact that the functionality of a "site" would really be split across multiple domains. With any luck, proper branding could reduce the user confusion and proper architecture and documentation would make it easier for developers to implement.

OK, that's the second attempt. I'd really appreciate any input anyone has.

Thanks,

Jeff
From codebowl at gmail.com Sat Aug 6 18:01:33 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Sat, 6 Aug 2005 18:01:33 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <42F5329C.8000403@php.net>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a428005080405587f7c4900@mail.gmail.com> <42F21AD5.4030002@phpwerx.net> <42F51F0A.1000505@php.net> <8d9a42800508061339134d58d3@mail.gmail.com> <42F52B45.2050304@php.net> <8d9a428005080614392323b245@mail.gmail.com> <42F52FC8.1050401@php.net> <8d9a428005080614507a0761ef@mail.gmail.com> <42F5329C.8000403@php.net>
Message-ID: <8d9a428005080615012e9e8dbd@mail.gmail.com>

Chris,

so what you are suggesting is that I grab the user's UA every page load, once I have 50 of them compare them to see how many I have that are not consistent? I think you confused me there lol.

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com

From shiflett at php.net Sat Aug 6 18:04:13 2005
From: shiflett at php.net (Chris Shiflett)
Date: Sat, 06 Aug 2005 18:04:13 -0400
Subject: [nycphp-talk] (no subject)
In-Reply-To: <47qfdc$20adf3@smtp04.mrf.mail.rcn.net>
References: <47qfdc$20adf3@smtp04.mrf.mail.rcn.net>
Message-ID: <42F533DD.2060109@php.net>

Patrick Ramsden wrote:
> I looked into this a while back and came to the conclusion that you have
> to have different IP address or do it with the application logic. I'm
> no expert, so would be interested if someone knows of a solution.

I wrote a little about this here:

http://shiflett.org/books/http-developers-handbook/chapters/18

There is a section on virtual hosting.
Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

From codebowl at gmail.com Sat Aug 6 18:06:54 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Sat, 6 Aug 2005 18:06:54 -0400
Subject: [nycphp-talk] (no subject)
In-Reply-To: <42F533DD.2060109@php.net>
References: <47qfdc$20adf3@smtp04.mrf.mail.rcn.net> <42F533DD.2060109@php.net>
Message-ID: <8d9a428005080615067ae57207@mail.gmail.com>

HAH I just bought that book ;)

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com

From shiflett at php.net Sun Aug 7 00:32:00 2005
From: shiflett at php.net (Chris Shiflett)
Date: Sun, 07 Aug 2005 00:32:00 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <8d9a428005080615012e9e8dbd@mail.gmail.com>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a428005080405587f7c4900@mail.gmail.com> <42F21AD5.4030002@phpwerx.net> <42F51F0A.1000505@php.net> <8d9a42800508061339134d58d3@mail.gmail.com> <42F52B45.2050304@php.net> <8d9a428005080614392323b245@mail.gmail.com> <42F52FC8.1050401@php.net> <8d9a428005080614507a0761ef@mail.gmail.com> <42F5329C.8000403@php.net> <8d9a428005080615012e9e8dbd@mail.gmail.com>
Message-ID: <42F58EC0.2050805@php.net>

Joseph Crawford wrote:
> so what you are suggesting is that I grab the user's UA every page load,
> once I have 50 of them compare them to see how many I have that are not
> consistent?

Not at all.

1. Record the user agent. This is just a string, and you can record the MD5 of it to give yourself a consistent format and size (and eliminate some injection concerns).

2. Upon each visit, you'll have a conditional statement that compares the user agent in the current request with the one you recorded. If they are the same, increment the counter. If they are different, reset the counter (and perhaps record the new user agent).

3. If the counter passes a threshold of your choosing, enforce the consistency check by prompting for a password when the user agents don't match.

Something like that - you shouldn't be recording a bunch of user agents and doing lots of comparisons.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

From jhegedus at centrifugeit.com Sun Aug 7 00:46:20 2005
From: jhegedus at centrifugeit.com (Jeff Hegedus)
Date: Sat, 6 Aug 2005 23:46:20 -0500
Subject: [nycphp-talk] (no subject)
In-Reply-To: <42F533DD.2060109@php.net>
Message-ID: <200508070440.j774eWHM030314@centrifuge1.centrifugeit.com>

Chris, Patrick,

Thanks for the feedback. I thought the first idea probably wouldn't work due to the encryption of the header but I wanted to get some other opinions.

Has anyone worked on a solution that had a single domain serving the SSL requests, authentication, credit card authorization, etc for multiple domains?

Thanks,

Jeff

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Chris Shiflett
Sent: Saturday, August 06, 2005 5:04 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] (no subject)

Patrick Ramsden wrote:
> I looked into this a while back and came to the conclusion that you have
> to have different IP address or do it with the application logic. I'm
> no expert, so would be interested if someone knows of a solution.

I wrote a little about this here:

http://shiflett.org/books/http-developers-handbook/chapters/18

There is a section on virtual hosting.
Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

From dmintz at davidmintz.org Mon Aug 8 09:50:01 2005
From: dmintz at davidmintz.org (David Mintz)
Date: Mon, 8 Aug 2005 09:50:01 -0400 (EDT)
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <42F58EC0.2050805@php.net>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a428005080405587f7c4900@mail.gmail.com> <42F21AD5.4030002@phpwerx.net> <42F51F0A.1000505@php.net> <8d9a42800508061339134d58d3@mail.gmail.com> <42F52B45.2050304@php.net> <8d9a428005080614392323b245@mail.gmail.com> <42F52FC8.1050401@php.net> <8d9a428005080614507a0761ef@mail.gmail.com> <42F5329C.8000403@php.net> <8d9a428005080615012e9e8dbd@mail.gmail.com> <42F58EC0.2050805@php.net>
Message-ID:

I thought that one of the main points of http://shiflett.org/code/http-developers-handbook/session_example.phps -- though it's for demo purposes only -- is the technique of re-writing all your URLs to include a token as a secondary identifier in addition to the session id so that an attacker has to steal both in order to succeed. Do the solutions you're playing with also work that way, or just by storing extra stuff in the session to compare with the current request?

Also, isn't there a more than negligible chance that an attacker could be using the same UA as the victim?
---
David Mintz
http://davidmintz.org/

From codebowl at gmail.com Mon Aug 8 12:29:38 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Mon, 8 Aug 2005 12:29:38 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To:
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a42800508061339134d58d3@mail.gmail.com> <42F52B45.2050304@php.net> <8d9a428005080614392323b245@mail.gmail.com> <42F52FC8.1050401@php.net> <8d9a428005080614507a0761ef@mail.gmail.com> <42F5329C.8000403@php.net> <8d9a428005080615012e9e8dbd@mail.gmail.com> <42F58EC0.2050805@php.net>
Message-ID: <8d9a42800508080929656f42a@mail.gmail.com>

The way I currently have it is like this:

define('SES_KEY', md5('CUSTOM_STRING'));

$key = md5($_SERVER['HTTP_USER_AGENT'].SES_KEY.session_id().$data['ses_start']);
$key = str_mix($key, SES_KEY);

This will create a key 64 chars long. I needed a way to have it mix the strings but mix them the same way every time so str_shuffle would not work for me. I created the following function which just takes the first char from str1 and str2 and combines like so

str1_1.str2_1.str1_2.str2_2.str1_3.str2_3, etc..

// Interleave two equal-length strings character by character.
function str_mix($str1, $str2) {
    if (strlen($str1) != strlen($str2)) return FALSE;
    else {
        $len1 = strlen($str1) - 1;
        $string = '';
        for ($x = 0; $x <= $len1; $x++) {
            // bracket offsets: the {$x} form was removed in PHP 8
            $string .= $str1[$x] . $str2[$x];
        }
        return $string;
    }
}

I take this string and store it in the database next to the session_id. Every page load I create this string based on my custom string and the user info, and then I compare it with the one in the database. If they match everything is ok, if not, something is wrong.

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
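The three steps Chris lays out (record one hashed user agent, count consecutive matches, enforce only past a threshold, and re-prompt for the password rather than destroy the session) and the per-session key Joseph stores beside the session id, as one added PHP example. This is not code from the thread or from either poster: UA_THRESHOLD, SERVER_SECRET, the function names and the session-state array are this example's own choices, and it swaps the md5/str_mix key for an HMAC over the same inputs.

```php
<?php
declare(strict_types=1);

// Added example, not code from the list thread. It follows Chris's three
// steps (one recorded user agent, a counter of matches, enforcement only
// past a threshold, a password prompt rather than session destruction) and
// replaces the md5/str_mix key with a keyed hash. UA_THRESHOLD,
// SERVER_SECRET and every function name here are this example's choices.

const UA_THRESHOLD = 50;
const SERVER_SECRET = 'placeholder: load a random secret from configuration';

// Fixed-size digest of the user agent (Chris suggests md5; sha256 here).
// Storing the digest rather than the raw header keeps arbitrary header
// bytes out of the session table.
function uaFingerprint(string $userAgent): string
{
    return hash('sha256', $userAgent);
}

// Keyed token over the same inputs as Joseph's key. Interleaving two md5
// strings with str_mix is reversible by anyone who knows the layout; an
// HMAC cannot be recomputed without SERVER_SECRET.
function requestToken(string $userAgent, string $sessionId, int $sessionStart): string
{
    $material = $userAgent . "\0" . $sessionId . "\0" . $sessionStart;
    return hash_hmac('sha256', $material, SERVER_SECRET);
}

// Constant-time comparison of a stored token with a freshly computed one.
function tokenMatches(string $stored, string $userAgent, string $sessionId, int $sessionStart): bool
{
    return hash_equals($stored, requestToken($userAgent, $sessionId, $sessionStart));
}

/**
 * One request's worth of the counter logic. $state is the record kept in
 * the session store: ['ua' => fingerprint, 'count' => consecutive matches].
 * Returns 'learning' (not yet enforced), 'ok' (enforced and consistent)
 * or 'reauth' (enforced and inconsistent: prompt for the password).
 */
function checkUserAgent(array &$state, string $userAgent): string
{
    $fp = uaFingerprint($userAgent);

    if (!isset($state['ua'])) {                  // first request of the session
        $state = ['ua' => $fp, 'count' => 1];
        return 'learning';
    }

    if (hash_equals($state['ua'], $fp)) {         // match: accumulate confidence
        $state['count']++;
        return $state['count'] > UA_THRESHOLD ? 'ok' : 'learning';
    }

    if ($state['count'] > UA_THRESHOLD) {         // enforced: mild response only
        return 'reauth';                          // keep the state until the password is verified
    }

    // Below the threshold a mismatch resets the counter (otherwise, as
    // Chris notes, the purpose is lost) and records the new user agent.
    $state = ['ua' => $fp, 'count' => 1];
    return 'learning';
}

// Call after the password prompt succeeds: start trusting the new user agent.
function acceptNewUserAgent(array &$state, string $userAgent): void
{
    $state = ['ua' => uaFingerprint($userAgent), 'count' => 1];
}

// Constructed walk-through: 60 consistent requests, then a changed header.
$state = [];
$ua1 = 'Mozilla/5.0 (constructed sample)';
$ua2 = 'Other/1.0 (constructed sample)';
$result = 'learning';
for ($i = 0; $i < 60; $i++) {
    $result = checkUserAgent($state, $ua1);
}
echo "after 60 matching requests: $result\n";
echo "changed user agent: " . checkUserAgent($state, $ua2) . "\n";
acceptNewUserAgent($state, $ua2);
echo "after re-authentication: " . checkUserAgent($state, $ua2) . "\n";

// Constructed session id and start time for the token check.
$token = requestToken($ua1, 'constructed-session-id', 1123372800);
var_dump(tokenMatches($token, $ua1, 'constructed-session-id', 1123372800));
var_dump(tokenMatches($token, $ua2, 'constructed-session-id', 1123372800));
```

The walk-through reaches 'ok' once the counter passes 50, answers the changed header with 'reauth', and drops back to 'learning' after the new user agent is accepted. As David points out, a user agent is weak evidence on its own (an attacker may well send the same one), so this is one consistency signal among several and never a substitute for authentication; the counter only decides when an inconsistency is worth a password prompt.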
From gatzby3jr at gmail.com Mon Aug 8 12:44:49 2005
From: gatzby3jr at gmail.com (Brian O'Connor)
Date: Mon, 8 Aug 2005 12:44:49 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <8d9a42800508080929656f42a@mail.gmail.com>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <42F52B45.2050304@php.net> <8d9a428005080614392323b245@mail.gmail.com> <42F52FC8.1050401@php.net> <8d9a428005080614507a0761ef@mail.gmail.com> <42F5329C.8000403@php.net> <8d9a428005080615012e9e8dbd@mail.gmail.com> <42F58EC0.2050805@php.net> <8d9a42800508080929656f42a@mail.gmail.com>
Message-ID: <29da5d150508080944115bd761@mail.gmail.com>

Well I knew I was doing a poor job before, but this session discussion has finally brought me to finally design a new system. However, I think in order to prevent against something, you need to first learn how it works, which is why I write. What is session hijacking, and how do you do it? I'm currently designing a new site where security is very important, and I feel the need to go fully into this. If anyone could explain, or point me to some articles (can't really afford books at the moment, about to leave for college and don't really have that much money) I would greatly appreciate this. Thank you.

On 8/8/05, Joseph Crawford wrote:
>
> the way i currently have it is like this
>
> define('SES_KEY', md5('CUSTOM_STRING'));
>
> $key = md5($_SERVER['HTTP_USER_AGENT'].SES_KEY.session_id().$data['ses_start']);
> $key = str_mix($key, SES_KEY);
>
> this will create a key 64 chars long. i needed a way to have it mix the
> strings but mix them the same way every time so str_shuffle would not work
> for me. I created the following function which just takes the first char
> from str1 and str2 and combines like so
>
> str1_1.str2_1.str1_2.str2_2.str1_3.str2_3, etc..
>
> function str_mix($str1, $str2) {
>     if(strlen($str1) != strlen($str2)) return FALSE;
>     else {
>         $len1 = strlen($str1) - 1;
>         $string = '';
>         for($x = 0; $x <= $len1; $x++) {
>             $string .= $str1{$x}.$str2{$x};
>         }
>         return $string;
>     }
> }
>
> i take this string and store it in the database next to the session_id.
> Every page load i create this string based on my custom string and the user
> info, and then i compare it with the one in the database. if they match
> everything is ok, if not, something is wrong.
>
> --
> Joseph Crawford Jr.
> Codebowl Solutions, Inc.
> 1-802-671-2021
> codebowl at gmail.com
>

--
Brian O'Connor

From rolan at omnistep.com Mon Aug 8 13:27:38 2005
From: rolan at omnistep.com (Rolan Yang)
Date: Mon, 08 Aug 2005 13:27:38 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <42F520C8.6080503@php.net>
References: <9944941.1122940163731.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <42F520C8.6080503@php.net>
Message-ID: <42F7960A.60005@omnistep.com>

Chris Shiflett wrote:
>Nestor Florez wrote:
>
>>A trick I use often is that I check the session ID and the referrer
>>before allowing the user to continue to the next page.
>>
>
>It would actually be better to make the client choose heads or tails -
>at least this can only be guessed correctly about 50% of the time
>instead of 100% of the time.
>

Heh, you are hilarious. Made me cough some ice tea out of my nose. How about a captcha on every page load? ;)

>>Is not infallible but it adds an extra layer.
>>
>

From rolan at omnistep.com Mon Aug 8 13:30:43 2005
From: rolan at omnistep.com (Rolan Yang)
Date: Mon, 08 Aug 2005 13:30:43 -0400
Subject: [nycphp-talk] (no subject)
In-Reply-To: <200508060646.j766kXF0024291@centrifuge1.centrifugeit.com>
References: <200508060646.j766kXF0024291@centrifuge1.centrifugeit.com>
Message-ID: <42F796C3.4070605@omnistep.com>

#2 is the way to go. You might want to examine paypal's shopping cart or Verisign's payment system.

~Rolan

From codebowl at gmail.com Mon Aug 8 15:37:28 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Mon, 8 Aug 2005 15:37:28 -0400
Subject: [nycphp-talk] PHP 5 Baffles Me
Message-ID: <8d9a42800508081237245aa62@mail.gmail.com>

Hey Guys,

I am working on a database class however I am not getting the expected results.

<?php
using("System.Database.Drivers");
class Database {

    public function __construct($dsn = 'mysql://csaf:bose343 at localhost/csaf', $persistant = false)
    {
        $d = explode(':', $dsn);
        $driver = ucfirst(strtolower($d[0]));
        if(isset($driver)) {
            if(isset($dsn)) return new $driver($dsn, $persistant);
            else throw new DatabaseEx('Invalid DSN');
        }
        else throw new DatabaseEx('Invalid Driver!');
    }
}

$dsn = "mysql://user:pass at localhost/csaf";
$db = new Database($dsn);
$db->Open();
$res = $db->Query("SELECT username FROM admins WHERE id=1");
$data = $db->FetchArray($res);
$db->Close();
print_r($data);
?>

I get the following error with that code.

Fatal error: Call to undefined method Database::Open() in E:\htdocs\csaf1\global.php on line 156

If I do

if($db instanceof Mysql) echo "YAY";

it never echoes, but if I change Mysql to Database it will echo.

Any help / explanation would be appreciated.

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com

From devrieda at gmail.com Mon Aug 8 18:27:10 2005
From: devrieda at gmail.com (Derek DeVries)
Date: Mon, 8 Aug 2005 15:27:10 -0700
Subject: [nycphp-talk] PHP 5 Baffles Me
In-Reply-To: <8d9a42800508081237245aa62@mail.gmail.com>
References: <8d9a42800508081237245aa62@mail.gmail.com>
Message-ID: <7bdec587050808152755664ee0@mail.gmail.com>

You're calling a method of Database that doesn't exist, hence the error "Call to undefined method". You define the class Database, but it has no Open(), Query(), FetchArray() or Close() methods defined.
If you want it to inherit methods from some base class, you're going to need to define your class doing something like:

class Database extends BaseClass {
}

What is this using() function at the top? Is that a user defined function that does a require on a file in the path?

ps... I hope that's not your actual user/pass pasted in the code... if so I would change it now that it has been shared with a bunch of strangers.

Derek

On 8/8/05, Joseph Crawford wrote:
> Hey Guys,
>
> i am working on a database class however i am not getting the expected
> results.
>
> using("System.Database.Drivers");
> class Database {
>
>     public function __construct($dsn = 'mysql://csaf:bose343 at localhost/csaf', $persistant = false)
>     {
>         $d = explode(':', $dsn);
>         $driver = ucfirst(strtolower($d[0]));
>         if(isset($driver)) {
>             if(isset($dsn)) return new $driver($dsn, $persistant);
>             else throw new DatabaseEx('Invalid DSN');
>         }
>         else throw new DatabaseEx('Invalid Driver!');
>     }
> }
>
> $dsn = "mysql://user:pass at localhost/csaf";
> $db = new Database($dsn);
> $db->Open();
> $res = $db->Query("SELECT username FROM admins WHERE id=1");
> $data = $db->FetchArray($res);
> $db->Close();
> print_r($data);
> ?>
>
> i get the follwing error with that code.
>
> Fatal error: Call to undefined method Database::Open() in
> E:\htdocs\csaf1\global.php on line 156
>
> if i do
> if($db instanceof Mysql) echo "YAY";
> it never echo's but if i change Mysql to Database it will echo.
> Any help / explanation would be appreciated.
>
> --
> Joseph Crawford Jr.
> Codebowl Solutions, Inc.
> 1-802-671-2021
> codebowl at gmail.com
>

From codebowl at gmail.com Mon Aug 8 18:31:11 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Mon, 8 Aug 2005 18:31:11 -0400
Subject: [nycphp-talk] PHP 5 Baffles Me
In-Reply-To: <7bdec587050808152755664ee0@mail.gmail.com>
References: <8d9a42800508081237245aa62@mail.gmail.com> <7bdec587050808152755664ee0@mail.gmail.com>
Message-ID: <8d9a428005080815316f1c7d1b@mail.gmail.com>

bah go ahead use that user/pass ;) won't get you anywhere, it's a dev system lol. I have nothing to hide here so.....

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com

From 1j0lkq002 at sneakemail.com Mon Aug 8 23:36:52 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Mon, 08 Aug 2005 20:36:52 -0700
Subject: [nycphp-talk] [OT] Re: PHP 5 Baffles Me
In-Reply-To: <8d9a428005080815316f1c7d1b@mail.gmail.com>
References: <8d9a42800508081237245aa62@mail.gmail.com> <7bdec587050808152755664ee0@mail.gmail.com> <8d9a428005080815316f1c7d1b@mail.gmail.com>
Message-ID: <19010-52817@sneakemail.com>

Joseph Crawford codebowl-at-gmail.com |nyphp dev/internal group use| wrote:
> ...i have nothing to hide here so.....

Famous last words (!)
From codebowl at gmail.com Tue Aug 9 06:31:34 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Tue, 9 Aug 2005 06:31:34 -0400
Subject: [nycphp-talk] [OT] Re: PHP 5 Baffles Me
In-Reply-To: <19010-52817@sneakemail.com>
References: <8d9a42800508081237245aa62@mail.gmail.com> <7bdec587050808152755664ee0@mail.gmail.com> <8d9a428005080815316f1c7d1b@mail.gmail.com> <19010-52817@sneakemail.com>
Message-ID: <8d9a428005080903314236c98b@mail.gmail.com>

lol does anyone think i would use the username and password user:pass cmon ;)

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com

From codebowl at gmail.com Tue Aug 9 06:32:07 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Tue, 9 Aug 2005 06:32:07 -0400
Subject: [nycphp-talk] [OT] Re: PHP 5 Baffles Me
In-Reply-To: <8d9a428005080903314236c98b@mail.gmail.com>
References: <8d9a42800508081237245aa62@mail.gmail.com> <7bdec587050808152755664ee0@mail.gmail.com> <8d9a428005080815316f1c7d1b@mail.gmail.com> <19010-52817@sneakemail.com> <8d9a428005080903314236c98b@mail.gmail.com>
Message-ID: <8d9a428005080903323b02f9b6@mail.gmail.com>

oh i see it's in the constructor, well it was changed ;)

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
From dmintz at davidmintz.org Tue Aug 9 09:26:45 2005
From: dmintz at davidmintz.org (David Mintz)
Date: Tue, 9 Aug 2005 09:26:45 -0400 (EDT)
Subject: [nycphp-talk] [OT] Re: PHP 5 Baffles Me
In-Reply-To: <8d9a428005080903323b02f9b6@mail.gmail.com>
References: <8d9a42800508081237245aa62@mail.gmail.com> <7bdec587050808152755664ee0@mail.gmail.com> <8d9a428005080815316f1c7d1b@mail.gmail.com> <19010-52817@sneakemail.com> <8d9a428005080903314236c98b@mail.gmail.com> <8d9a428005080903323b02f9b6@mail.gmail.com>
Message-ID:

On Tue, 9 Aug 2005, Joseph Crawford wrote:
> oh i see it's in the constructor, well it was changed ;)
>

Speaking of which I also noticed your constructor returned things. I thought that constructors implicitly return an instance of their class and nothing else -- that is, they can succeed and return a class instance, throw an exception, or die. But maybe I am mistaken and should go back to the books.

---
David Mintz
http://davidmintz.org/

From codebowl at gmail.com Tue Aug 9 09:29:45 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Tue, 9 Aug 2005 09:29:45 -0400
Subject: [nycphp-talk] [OT] Re: PHP 5 Baffles Me
In-Reply-To:
References: <8d9a42800508081237245aa62@mail.gmail.com> <7bdec587050808152755664ee0@mail.gmail.com> <8d9a428005080815316f1c7d1b@mail.gmail.com> <19010-52817@sneakemail.com> <8d9a428005080903314236c98b@mail.gmail.com> <8d9a428005080903323b02f9b6@mail.gmail.com>
Message-ID: <8d9a42800508090629267516d5@mail.gmail.com>

David, you were correct i could not have the constructor return a class like i was trying to do, rather i created a static method GetDriver that i am using to have the driver returned.

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
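The static-factory shape Joseph settles on above, as an added example that is not his code or anyone else's from the list: `GetDriver` parses the DSN and returns the driver instance, which is what the original constructor could not do, since `new Database()` always yields a Database whatever `__construct` returns. The class names `DatabaseDriver`, `MysqlDriver` and the `DB_DSN` environment variable are assumptions for this example.

```php
<?php
// Added example, not code from the thread. A static factory replaces the
// constructor that tried to "return" a driver: in PHP, `new Database()` always
// yields a Database, whatever __construct returns, which is why Open() was
// undefined and `$db instanceof Mysql` was false.
// DatabaseDriver, MysqlDriver and the DB_DSN variable are assumed names.

class DatabaseEx extends Exception {}

abstract class DatabaseDriver
{
    protected $host, $user, $pass, $name, $persistent;

    public function __construct(array $parts, $persistent = false)
    {
        $this->host       = $parts['host'];
        $this->user       = $parts['user'];
        $this->pass       = $parts['pass'];
        $this->name       = $parts['name'];
        $this->persistent = $persistent;
    }

    abstract public function Open();
    abstract public function Query($sql);
    abstract public function FetchArray($res);
    abstract public function Close();
}

class MysqlDriver extends DatabaseDriver
{
    private $link;

    public function Open()
    {
        // mysqli stands in for whatever the original driver wrapped.
        $host = ($this->persistent ? 'p:' : '') . $this->host;
        $this->link = new mysqli($host, $this->user, $this->pass, $this->name);
        if ($this->link->connect_error) {
            throw new DatabaseEx('Connect failed: ' . $this->link->connect_error);
        }
        return true;
    }

    public function Query($sql)      { return $this->link->query($sql); }
    public function FetchArray($res) { return $res->fetch_assoc(); }
    public function Close()          { return $this->link->close(); }
}

class Database
{
    // Fixed map of DSN scheme -> driver class. A DSN can only select one of
    // these; it can never name an arbitrary class to instantiate.
    private static $drivers = array('mysql' => 'MysqlDriver');

    // Parses scheme://user:pass@host/dbname and returns the driver instance.
    // Throws DatabaseEx for a malformed DSN or an unknown scheme.
    public static function GetDriver($dsn, $persistent = false)
    {
        $p = parse_url($dsn);
        if ($p === false || !isset($p['scheme'], $p['host'], $p['path'])) {
            throw new DatabaseEx('Invalid DSN');
        }
        $scheme = strtolower($p['scheme']);
        if (!isset(self::$drivers[$scheme])) {
            throw new DatabaseEx('Invalid Driver!');
        }
        $parts = array(
            'host' => $p['host'],
            'user' => isset($p['user']) ? rawurldecode($p['user']) : '',
            'pass' => isset($p['pass']) ? rawurldecode($p['pass']) : '',
            'name' => ltrim($p['path'], '/'),
        );
        $class = self::$drivers[$scheme];
        return new $class($parts, $persistent);
    }
}

// Credentials come from the environment, not from a default argument in the
// source, so they never travel with the code when it is posted or committed.
$dsn = getenv('DB_DSN');          // shape: mysql://user:pass@localhost/csaf
$db  = Database::GetDriver($dsn);
if ($db instanceof MysqlDriver) echo "YAY\n";
$db->Open();
$res  = $db->Query("SELECT username FROM admins WHERE id=1");
$data = $db->FetchArray($res);
$db->Close();
print_r($data);
```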
From jellicle at gmail.com Tue Aug 9 16:17:25 2005
From: jellicle at gmail.com (Michael Sims)
Date: Tue, 9 Aug 2005 16:17:25 -0400
Subject: [nycphp-talk] Session basics
In-Reply-To: <29da5d150508080944115bd761@mail.gmail.com>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a42800508080929656f42a@mail.gmail.com> <29da5d150508080944115bd761@mail.gmail.com>
Message-ID: <200508091617.25624.jellicle@gmail.com>

On Monday 08 August 2005 12:44, Brian O'Connor wrote:
> Well I knew I was doing a poor job before, but this session discussion
> has finally brought me to finally design a new system. However, I think
> in order to prevent against something, you need to first learn how it
> works, which is why I write. What is session hijacking, and how do you do
> it? I'm currently designing a new site where security is very important,
> and I feel the need to go fully into this. If anyone could explain, or
> point me to some articles ( can't really afford books at the moment,
> about to leave for college and don't really have that much money ) I
> would greatly appreciate this. Thank you.

Basics of sessions:

1) User logs in providing something he knows (username, password)
2) You assign (cookie) the browser with a long random string. You record the string in a datastore on the server.
3) Anytime you get hits from a browser which presents the long random string that's in your datastore, you can assume it's the same user - therefore you need not ask for the username/password again. Also, you know what the user did last - you can keep state across requests.
4) If time passes without access, you might delete the long random string in your datastore, rendering the browser's credentials invalid and requiring the user to log in again.

Good points:

1) User doesn't have to log in for each page.

Bad points:

1) If someone obtained the long random string, it would be like obtaining the user's username and password.
Bad person's browser could present the long random string...

Ways to hijack a session:

1) Eavesdrop on the user's datastream. By default, all of this is in plain text, including the initial sending of the username and password. Solution: use HTTPS.

2) Find a way to insert javascript on YOUR website that accesses the cookies the user is sending and resends them to BAD_WEBSITE. This is called cross-site-scripting, or XSS. Solution: design your website to not echo any user input back to the user without sanitizing it. Many, MANY sites are vulnerable to this. The only upside is that usually XSS attacks have to be customized for the site they are attacking - someone has to want to attack YOUR site, not just any site. The motivation for doing so is as valuable or as non-valuable as the accounts on your website are (so many of the vulnerable sites don't really need to care). Read up on XSS.

3) If your session ids are being maintained in the user's URLs rather than user cookies, an attacker just has to get the user to follow a link to BAD_WEBSITE, then the session id will show up in the HTTP_REFERER variable. Solution: cookies are much preferred over URL-variable sessions.

4) Hack your server. Solution: Don't let them hack your server.

5) Come along shortly after a user and use the same web browser he did. Solution: limit session length, warn users about logging in from public workstations, use session cookies that are deleted when the browser is closed, etc.

Miscellaneous:

1) Some people store state info in the cookies themselves, where the user can get at and modify them. I prefer storing it serverside. For unimportant state info, like a user's choice of language for a site, it doesn't matter. For important state info, serverside is the only choice.

2) PHP's session info is stored in text files on the server. I prefer sessions that are stored in a real database. For small sites, it doesn't matter. For large sites, database is the only real choice.
3) Keep in mind that PHP's built-in session-handling is one implementation of the idea of "sessions", and not necessarily a good one for you. You can write a PHP app that does sessions, and does them very well, without using any of PHP's session-handling functions.

4) Storing and verifying other info about the user (such as their IP address, user-agent string, or what-have-you) is effectively requiring the user to present more than just the long random string to validate his session. Your sessions will break if you require something to be static (i.e., IP address) that actually isn't (AOL users behind an array of proxies). Also, if the attacker can steal the long random string, he can just as well get the browser user-agent, etc. etc.

Michael Sims

From dmintz at davidmintz.org Tue Aug 9 17:29:31 2005
From: dmintz at davidmintz.org (David Mintz)
Date: Tue, 9 Aug 2005 17:29:31 -0400 (EDT)
Subject: [nycphp-talk] [OT] SSH keys: what am I doing wrong?
Message-ID:

Inside my intranet I have (or had) passwordless SSH keys set up so I could ssh into the machines I administer with an absolute minimum of pain. I followed the instructions found on some how-to out there, and it worked fine for a long time. Today I replaced a failing drive in one of the machines, the drive that housed the /home partition. Put in new drive, partitioned it, etc., restored data from a tarball. SSH keys stopped working. The drive replacement event is the only difference between Before and After that I can think of.

The offending box is called interps1. In my .ssh directory on my desktop, I have:

[david at mintz ~]$ ls -l .ssh
total 28
-rw------- 1 david david 887 Aug 9 15:18 identity
-rw------- 1 david david 887 Apr 8 14:39 id_rsa
-rw-r--r-- 1 david david 240 Apr 8 14:39 id_rsa.pub
-rw-r--r-- 1 david david 2762 Jun 30 11:00 known_hosts

The id_rsa and id_rsa.pub files were created with ssh-keygen back in April.
There's another box called interps2 where I have my .ssh with that very same id_rsa.pub appended to my authorized_keys; passwordless SSH logins work fine from my desktop to that machine. I can also passwordlessly SSH into all the other machines to which I've copied my public key; that is, nothing has changed except with this interps1.

So I started over from scratch with my .ssh directory on interps1, that is, I appended my id_rsa.pub (from my desktop) to .ssh/authorized_keys (on interps1) and tried again to ssh. Still I get prompted for password. I tried it with -v for verbosity and it doesn't seem to tell me anything I don't already know (i.e., it ain't working). I tried several other silly things as well but I don't want to bore you (too much).

All three machines are running Fedora Core 3 and OpenSSH_3.9p1, OpenSSL 0.9.7a

Any ideas what I could be doing wrong?

A million thanks,

---
David Mintz
http://davidmintz.org/

From mwithington at PLMresearch.com Tue Aug 9 18:25:21 2005
From: mwithington at PLMresearch.com (Mark Withington)
Date: Tue, 9 Aug 2005 18:25:21 -0400
Subject: [nycphp-talk] Spreadsheet/Excel/Writer.php
Message-ID: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358D6A458@network.PLMresearch.com>

Any Spreadsheet/Excel/Writer.php experts out there? I'm trying to paste bitmaps into spreadsheet cells via insertBitmap. The images appear without a hitch, I'm just not able to adjust the size of the cell (either via the insertBitmap parameters or setColumn/setRow).

If anyone can point me to [better] documentation [than PEAR's], or has some words of wisdom they can share....

TIA,
Mark

--------------------------
Mark L. Withington
PLMresearch
"eBusiness for the Midsize Enterprise"
PO Box 1354
Plymouth, MA 02362
o: 800-310-3992 ext.
704
f: 508-746-4973
v: 508-746-2383
m: 508-801-0181
http://www.PLMresearch.com
Netscape/AOL/MSN IM: PLMresearch
mwithington at plmresearch.com
Public Key: http://www.plmresearch.com/keys/MLW_public_key.asc
Calendar: http://www.plmresearch.com/calendar.php

From smanes at magpie.com Tue Aug 9 19:45:03 2005
From: smanes at magpie.com (Steve Manes)
Date: Tue, 09 Aug 2005 19:45:03 -0400
Subject: [nycphp-talk] Spreadsheet/Excel/Writer.php
In-Reply-To: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358D6A458@network.PLMresearch.com>
References: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358D6A458@network.PLMresearch.com>
Message-ID: <42F93FFF.2080601@magpie.com>

Mark Withington wrote:
> Any Spreadsheet/Excel/Writer.php experts out there? I'm trying to paste
> bitmaps into spreadsheet cells via insertBitmap. The images appear without
> a hitch, I'm just not able to adjust the size of the cell (either via the
> insertBitmap parameters or setColumn/setRow).
>
> If anyone can point me to [better] documentation [than PEAR's], or has some
> words of wisdom they can share....

Documentation for Spreadsheet::Excel is sparse, I'm afraid, and the library is quirky enough that I wrote an API wrapper for it so I wouldn't have to remember all the gyrations I needed to use to generate a boilerplate report. Unfortunately I can't share it because my client considers it a trade secret.

IIRC, setColumn() needs to be called to size the cells before any data is written to the worksheet, if that's any help. I've only used images to brand spreadsheets with client logos, always at 0,0. But I seem to remember that bitmaps tend to float over the spreadsheet anyway. That is, they're not bound by cells.

From mwithington at PLMresearch.com Tue Aug 9 19:54:08 2005
From: mwithington at PLMresearch.com (Mark Withington)
Date: Tue, 9 Aug 2005 19:54:08 -0400
Subject: [nycphp-talk] Spreadsheet/Excel/Writer.php
Message-ID: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358D6A45C@network.PLMresearch.com>

Great help. Thank you.
--------------------------
Mark L. Withington
PLMresearch
v: 508-746-2383
m: 508-801-0181
Calendar: http://www.plmresearch.com/calendar.php
From hendler at simmons.edu Tue Aug 9 21:02:32 2005
From: hendler at simmons.edu (Jonathan)
Date: Tue, 09 Aug 2005 21:02:32 -0400
Subject: [nycphp-talk] Spreadsheet/Excel/Writer.php
In-Reply-To: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358D6A45C@network.PLMresearch.com>
References: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358D6A45C@network.PLMresearch.com>
Message-ID: <42F95228.9000608@simmons.edu>

might try here:
http://www.google.com/custom?domains=www.phpclasses.org&q=excel&sa=Search&sitesearch=www.phpclasses.org&client=pub-2951707118576741&forid=1&channel=5742870948&ie=ISO-8859-1&oe=ISO-8859-1&cof=GALT%3A%23663399%3BGL%3A1%3BDIV%3A%23222222%3BVLC%3A663399%3BAH%3Acenter%3BBGC%3AA3C5CC%3BLBGC%3AA3C5CC%3BALC%3A0000FF%3BLC%3A0000FF%3BT%3A000000%3BGFNT%3A0000FF%3BGIMP%3A0000FF%3BLH%3A50%3BLW%3A256%3BL%3Ahttp%3A%2F%2Ffiles.phpclasses.org%2Fgraphics%2Fgooglesearch.jpg%3BS%3Ahttp%3A%2F%2Fwww.phpclasses.org%2Fsearch.html%3BFORID%3A1%3B&hl=en

personally I've only generated simple reports using html pseudo-excel.

From rajlist at rajshekhar.net Tue Aug 9 23:30:36 2005
From: rajlist at rajshekhar.net (Raj Shekhar)
Date: Wed, 10 Aug 2005 09:00:36 +0530
Subject: [nycphp-talk] [OT] SSH keys: what am I doing wrong?
In-Reply-To:
References:
Message-ID: <42F974DC.1000602@rajshekhar.net>

David Mintz wrote:
> The id_rsa and id_rsa.pub files were created with ssh-keygen back in
> April. There's another box called interps2 where I have my .ssh with that
> very same id_rsa.pub appended to my authorized_keys; passwordless SSH
> logins work fine from my desktop to that machine. I can also
> passwordlessly SSH into all the other machines to which I've copied my
> public key; that is, nothing has changed except with this interps1.
Do not keep it password-less - do have a look at ssh-agent
http://www.securityfocus.com/infocus/1812

>
> So I started over from scratch with my .ssh directory on interps1, that
> is, I appended my id_rsa.pub (from my desktop) to .ssh/authorized_keys (on
> interps1) and tried again to ssh. Still I get prompted for password. I
> tried it with -v for verbosity and it doesn't seem to tell me anything I
> don't already know (i.e., it ain't working).

Have a look at /var/log/messages on both the machines when you ssh. That should give you more hints.

--
Raj Shekhar
Y!IM : lunatech3007
blog : http://rajshekhar.net/blog
home : http://rajshekhar.net
Disclaimer : http://rajshekhar.net/disclaimer

From cmerlo441 at gmail.com Wed Aug 10 00:24:27 2005
From: cmerlo441 at gmail.com (Christopher Merlo)
Date: Wed, 10 Aug 2005 00:24:27 -0400
Subject: [nycphp-talk] [OT] SSH keys: what am I doing wrong?
In-Reply-To:
References:
Message-ID: <9465864805080921243a75ced6@mail.gmail.com>

On 8/9/05, David Mintz wrote:
> So I started over from scratch with my .ssh directory on interps1, that
> is, I appended my id_rsa.pub (from my desktop) to .ssh/authorized_keys (on
> interps1) and tried again to ssh. Still I get prompted for password.

Make sure the authorized_keys file is readable only by you. When you do an "ls -l" on the file, you should see something like this:

-rw------- 1 cmerlo cmerlo 605 2005-08-09 23:04 .ssh/authorized_keys

HTH.
-c

--
cmerlo441 at gmail.com
http://www.theyellowbox.com/

From mwithington at PLMresearch.com Wed Aug 10 08:19:08 2005
From: mwithington at PLMresearch.com (Mark Withington)
Date: Wed, 10 Aug 2005 08:19:08 -0400
Subject: [nycphp-talk] Spreadsheet/Excel/Writer.php
Message-ID: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358D6A45F@network.PLMresearch.com>

Steve,

You were correct, setColumn() needs to be called to size the cells before any data is written to the worksheet. Now the $M question....anyone know what the units are in setColumn? Definitely not pixels.
Maybe a conversion ratio?

--------------------------
Mark L. Withington
PLMresearch
v: 508-746-2383
m: 508-801-0181
Calendar: http://www.plmresearch.com/calendar.php

From tgales at tgaconnect.com Wed Aug 10 09:02:06 2005
From: tgales at tgaconnect.com (Tim Gales)
Date: Wed, 10 Aug 2005 09:02:06 -0400
Subject: [nycphp-talk] [OT] SSH keys: what am I doing wrong?
In-Reply-To:
References:
Message-ID: <200508100902.07245.tgales@tgaconnect.com>

David Mintz writes:
>... SSH keys stopped working.
> .. Still I get prompted for password.
> I tried it with -v for verbosity and it doesn't seem to tell me anything I
> don't already know (i.e., it ain't working).
>

Did you try '-vv' or '-vvv' ?

Also you might try editing
#SyslogFacility AUTH
#LogLevel INFO
in the sshd_config

re:
> I tried several other silly things...
(hope the above were not 'silly')

"I have great faith in fools; self-confidence my friends call it."
-- Edgar Allan Poe

T. Gales & Associates
'Helping People Connect with Technology'
http://www.tgaconnect.com

From dmintz at davidmintz.org Wed Aug 10 09:35:15 2005
From: dmintz at davidmintz.org (David Mintz)
Date: Wed, 10 Aug 2005 09:35:15 -0400 (EDT)
Subject: [nycphp-talk] [OT] SSH keys: what am I doing wrong?
In-Reply-To: <9465864805080921243a75ced6@mail.gmail.com>
References: <9465864805080921243a75ced6@mail.gmail.com>
Message-ID:

On Wed, 10 Aug 2005, Christopher Merlo wrote:
> On 8/9/05, David Mintz wrote:
>
> > So I started over from scratch with my .ssh directory on interps1, that
> > is, I appended my id_rsa.pub (from my desktop) to .ssh/authorized_keys (on
> > interps1) and tried again to ssh. Still I get prompted for password.
>
> Make sure the authorized_keys file is readable only by you. When you
> do an "ls -l" on the file, you should see something like this:
>
> -rw------- 1 cmerlo cmerlo 605 2005-08-09 23:04 .ssh/authorized_keys

D'OOOOOOOOOOOOOOH! Just 20 seconds ago I figured that out and then checked my nyphp mail hoping it wasn't too late to say nevermind. Thank you.

One of the hardest things to learn is when to get up and walk away. I walked out in disgust yesterday, came back fresh today and solved it in literally under a minute. RTFM turned out to be fundamental once again.

As for the passwordlessness, yes of course you're right.
Problem is there are some things cron does over ssh from here to other machines out there (outside our intranet) and I haven't figured out how to do them with -- pardon the expression? -- nonpasswordless keys. I have read somewhere about ways to limit the command set that can be executed on the remote server, shoulda bookmarked that page.

Thank you again,
David

---
David Mintz
http://davidmintz.org/

From dmintz at davidmintz.org Wed Aug 10 09:47:04 2005
From: dmintz at davidmintz.org (David Mintz)
Date: Wed, 10 Aug 2005 09:47:04 -0400 (EDT)
Subject: [nycphp-talk] [OT] SSH keys: what am I doing wrong?
In-Reply-To: <200508100902.07245.tgales@tgaconnect.com>
References: <200508100902.07245.tgales@tgaconnect.com>
Message-ID:

On Wed, 10 Aug 2005, Tim Gales wrote:
> David Mintz writes:
>
> >... SSH keys stopped working.
> > .. Still I get prompted for password.
> > I tried it with -v for verbosity and it doesn't seem to tell me anything I
> > don't already know (i.e., it ain't working).
> >
>
> Did you try '-vv' or '-vvv' ?

I'll keep that in mind for next time -- or look up this thread in the archive (-:

>
> Also you might try editing
> #SyslogFacility AUTH
> #LogLevel INFO
> in the sshd_config

Ditto

>
> re:
> > I tried several other silly things...
> (hope the above were not 'silly')
>
> "I have great faith in fools; self-confidence my friends call it."
> -- Edgar Allan Poe

That's a good one. What's the one by some other sage about self-confidence varying in inverse proportion to knowledge?
Underconfidently AND ignorantly yours,

---
David Mintz
http://davidmintz.org/

From dcech at phpwerx.net Wed Aug 10 09:51:37 2005
From: dcech at phpwerx.net (Dan Cech)
Date: Wed, 10 Aug 2005 09:51:37 -0400
Subject: [nycphp-talk] Spreadsheet/Excel/Writer.php
In-Reply-To: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358D6A45F@network.PLMresearch.com>
References: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358D6A45F@network.PLMresearch.com>
Message-ID: <42FA0669.4050807@phpwerx.net>

Mark,

I found the following snippet in the comments in Worksheet.php:

> Convert the width of a cell from user's units to pixels. By
> interpolation the relationship is: y = 7x +5. If the width hasn't been
> set by the user we use the default value. If the col is hidden we use
> a value of zero.

HTH,

Dan

From edwardpotter at gmail.com Wed Aug 10 11:19:54 2005
From: edwardpotter at gmail.com (edward potter)
Date: Wed, 10 Aug 2005 11:19:54 -0400
Subject: [nycphp-talk] [OT] SSH keys: what am I doing wrong?
In-Reply-To:
References: <200508100902.07245.tgales@tgaconnect.com>
Message-ID:

Just curious, would this error be picked up in some log file somewhere, there are probably a dozen or more scattered about. Not sure if this one would have been detected, but who knows? I was always told: "Grasshopper, all is there, watch your breath, your path is long and windy, and always check the log files."

From gatzby3jr at gmail.com Wed Aug 10 12:10:54 2005
From: gatzby3jr at gmail.com (Brian O'Connor)
Date: Wed, 10 Aug 2005 12:10:54 -0400
Subject: [nycphp-talk] Session basics
In-Reply-To: <200508091617.25624.jellicle@gmail.com>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a42800508080929656f42a@mail.gmail.com> <29da5d150508080944115bd761@mail.gmail.com> <200508091617.25624.jellicle@gmail.com>
Message-ID: <29da5d15050810091013a1b556@mail.gmail.com>

Thanks for the information, was greatly helpful.

I have a question about the basics of sessions you listed though - you say that you provide the user with a cookie that contains a long string; what if they don't allow cookies? are you referring to the session as a cookie?

And I have a question about my current system:

As of right now, I create 3 sessions for each user: userID, user, and pass (md5 of it, I never directly deal with the user's password).
The reason I think my current system is poor is because I trust the session, and I only check the 'userID' session for authentication. So for instance, if the userID is mine (ie, 16), and that userid has access to certain areas of the website, I allow it, without any further checks. Don't get me wrong, I don't think it's safe, but it's the system I created before I knew much about how php worked, so I didn't really know any better, which is why I'm trying to create a more secure system. On 8/9/05, Michael Sims wrote: > > On Monday 08 August 2005 12:44, Brian O'Connor wrote: > > > Well I knew I was doing a poor job before, but this session discussion > > has finally brought me to finally design a new system. However, I think > > in order to prevent against something, you need to first learn how it > > works, which is why I write. What is session hijacking, and how do you > do > > it? I'm currently designing a new site where security is very important, > > and I feel the need to go fully into this. If anyone could explain, or > > point me to some articles ( can't really afford books at the moment, > > about to leave for college and don't really have that much money ) I > > would greatly appreciate this. Thank you. > > Basics of sessions: > > 1) User logs in providing something he knows (username, password) > 2) You assign (cookie) the browser with a long random string. You record > the string in a datastore on the server. > 3) Anytime you get hits from a browser which presents the long random > string > that's in your datastore, you can assume it's the same user - therefore > you > need not ask for the username/password again. Also, you know what the user > did last - you can keep state across requests. > 4) If time passes without access, you might delete the long random string > in > your datastore, rendering the browser's credentials invalid and requiring > the user to log in again. > > Good points: > > 1) User doesn't have to log in for each page. 
> > Bad points: > > 1) If someone obtained the long random string, it would be like obtaining > the user's username and password. Bad person's browser could present the > long random string... > > Ways to hijack a session: > > 1) Eavesdrop on the user's datastream. By default, all of this is in plain > text, including the initial sending of the username and password. > Solution: use HTTPS. > > 2) Find a way to insert javascript on YOUR website that accesses the > cookies > the user is sending and resends them to BAD_WEBSITE. This is called > cross-site-scripting, or XSS. Solution: design your website to not echo > any user input back to the user without sanitizing it. Many, MANY sites > are vulnerable to this. The only upside is that usually XSS attacks have > to be customized for the site they are attacking - someone has to want to > attack YOUR site, not just any site. The motivation for doing so is as > valuable or as non-valuable as the accounts on your website are (so many > of > the vulnerable sites don't really need to care). Read up on XSS. > > 3) If your session id's are being maintained in the user's URLs rather > than > user cookies, an attacked just has to get the user to follow a link to > BAD_WEBSITE, then the session id will show up in the HTTP_REFERER > variable. > Solution: cookies are much preferred over URL-variable sessions. > > 4) Hack your server. Solution: Don't let them hack your server. > > 5) Come along shortly after a user and use the same web browser he did. > Solution: limit session length, warn users about logging in from public > workstations, use session cookies that are deleted when the browser is > closed, etc. > > Miscellaneous: > > 1) Some people store state info in the cookies themselves, where the user > can get at and modify them. I prefer storing it serverside. For > unimportant state info, like a user's choice of language for a site, it > doesn't matter. For important state info, serverside is the only choice. 
>
> 2) PHP's session info is stored in text files on the server. I prefer
> sessions that are stored in a real database. For small sites, it doesn't
> matter. For large sites, database is the only real choice.
>
> 3) Keep in mind that PHP's built-in session-handling is one implementation
> of the idea of "sessions", and not necessarily a good one for you. You can
> write a PHP app that does sessions, and does them very well, without using
> any of PHP's session-handling functions.
>
> 4) Storing and verifying other info about the user (such as their IP
> address, user-agent string, or what-have-you) is effectively requiring the
> user to present more than just the long random string to validate his
> session. Your sessions will break if you require something to be static
> (i.e., IP address) that actually isn't (AOL users behind an array of
> proxies). Also, if the attacker can steal the long random string, he can
> just as well get the browser user-agent, etc. etc.
>
>
> Michael Sims
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org
>

--
Brian O'Connor

From sailer at bnl.gov Wed Aug 10 13:07:34 2005
From: sailer at bnl.gov (Tim Sailer)
Date: Wed, 10 Aug 2005 13:07:34 -0400
Subject: [nycphp-talk] [OT] SSH keys: what am I doing wrong?
In-Reply-To:
References: <9465864805080921243a75ced6@mail.gmail.com>
Message-ID: <20050810170734.GA26256@bnl.gov>

On Wed, Aug 10, 2005 at 09:35:15AM -0400, David Mintz wrote:
> As for the passwordlessness, yes of course you're right. Problem is there
> are some things cron does over ssh from here to other machines out there
> (outside our intranet) and I haven't figured out how to do them with --
> pardon the expression? -- nonpasswordless keys.
> I have read somewhere
> about ways to limit the command set that can be executed on the remote
> server, shoulda bookmarked that page.

man sshd. :)

I use the command parameter quite a bit for passwordless keys. You simply have 'command=whatever' at the beginning of the key in authorized_keys. Most of what I use it for is rsync backups from a certain machine.

Tim

--
Tim Sailer
Information and Special Technologies Program
Office of CounterIntelligence
Brookhaven National Laboratory
(631) 344-3001

From dmintz at davidmintz.org Wed Aug 10 14:03:55 2005
From: dmintz at davidmintz.org (David Mintz)
Date: Wed, 10 Aug 2005 14:03:55 -0400 (EDT)
Subject: [nycphp-talk] Session basics
In-Reply-To: <29da5d15050810091013a1b556@mail.gmail.com>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a42800508080929656f42a@mail.gmail.com> <29da5d150508080944115bd761@mail.gmail.com> <200508091617.25624.jellicle@gmail.com> <29da5d15050810091013a1b556@mail.gmail.com>
Message-ID:

On Wed, 10 Aug 2005, Brian O'Connor wrote:
> Thanks for the information, was greatly helpful.
>
> I have a question about the basics of sessions you listed though - you say
> that you provide the user with a cookie that contains a long string; what if
> they don't allow cookies? are you referring to the session as a cookie?
>

Very good questions.
You might be interested in the lecture notes I wrote up for an introductory php course:

http://davidmintz.org/php_course/5/session_5.pdf

---
David Mintz
http://davidmintz.org/

From jellicle at gmail.com Wed Aug 10 15:26:35 2005
From: jellicle at gmail.com (Michael Sims)
Date: Wed, 10 Aug 2005 15:26:35 -0400
Subject: [nycphp-talk] Session basics
In-Reply-To: <29da5d15050810091013a1b556@mail.gmail.com>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <200508091617.25624.jellicle@gmail.com> <29da5d15050810091013a1b556@mail.gmail.com>
Message-ID: <200508101526.35511.jellicle@gmail.com>

On Wednesday 10 August 2005 12:10, Brian O'Connor wrote:
> I have a question about the basics of sessions you listed though - you
> say that you provide the user with a cookie that contains a long string;
> what if they don't allow cookies? are you referring to the session as a
> cookie?

The cookie *is* the provided mechanism for maintaining state. To me, questions about maintaining state when the user has disabled cookies are like questions about how to display the color red when the user has pulled the red gun out of his monitor.

You can try to maintain state in other ways, such as appending a GET variable to every URL. This is a poor substitute for cookies (and if the user is that concerned about tracking, they should manually delete that GET variable anyway, thwarting you.) If you *need* sessions, require cookies.

> And I have a question about my current system:
> As of right now, I create 3 sessions for each user: userID, user, and
> pass (md5 of it, I never directly deal with the user's password). The
> reason I think my current system is poor is because I trust the session,
> and I only check the 'userID' session for authentication. So for
> instance, if the userID is mine (ie, 16), and that userid has access to
> certain areas of the website, I allow it, without any further checks.

I think your terminology is a little confused.
Remember that PHP's built-in functions are just one specific way to handle the generic idea of state-tracking. PHP uses a PHPSESSID for its long string. This is "behind-the-scenes" to you - you never explicitly assign it - if you're using the built-in functions. You could create and assign and use your own long random string and write your own session-handling code if you wished.

That is, your browser is sending PHPSESSID (not 'userID'), and PHP is automagically seeking a session file with that name on disk, and retrieving your 'userID' variable from that file, and making it available to the rest of the PHP script.

Assuming that PHPSESSIDs are random and long enough to be unguessable, this isn't a security flaw.

Michael Sims

From codebowl at gmail.com Wed Aug 10 18:42:14 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Wed, 10 Aug 2005 18:42:14 -0400
Subject: [nycphp-talk] Sessions And UserAgents
Message-ID: <8d9a42800508101542140752fd@mail.gmail.com>

Can anyone here tell me how to make my useragent change when using mozilla firefox?

The reason I ask is because I am working on a session class that will count how many times a user's agent changes; if they hit a max limit it will ask the user for their password again for security. The issue I am going to hit is not knowing how to change my UA so that I can test to make sure the functionality works.

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com

From nasir81 at gmail.com Wed Aug 10 19:11:31 2005
From: nasir81 at gmail.com (Nasir Zubair)
Date: Wed, 10 Aug 2005 19:11:31 -0400
Subject: [nycphp-talk] Sessions And UserAgents
In-Reply-To: <8d9a42800508101542140752fd@mail.gmail.com>
References: <8d9a42800508101542140752fd@mail.gmail.com>
Message-ID: <40fcda7305081016113ac8de5@mail.gmail.com>

In FF address bar, type "about:config" to access the configuration area.
Right click anywhere, choose "new" and add a "String". Enter the Preference Name to be "general.useragent.override" and use whatever value you wish.

Also, I found this: http://extensionroom.mozdev.org/more-info/useragentswitcher not sure how good it is though.

HTH

On 8/10/05, Joseph Crawford wrote:
> Can anyone here tell me how to make my useragent change when using mozilla
> firefox?
>
> The reason I ask is because I am working on a session class that will count
> how many times a user's agent changes; if they hit a max limit it will ask
> the user for their password again for security. The issue I am going to hit
> is not knowing how to change my UA so that I can test to make sure the
> functionality works.
>
> --
> Joseph Crawford Jr.
> Codebowl Solutions, Inc.
> 1-802-671-2021
> codebowl at gmail.com
>

--
Nasir Zubair
http://www.nasir.us/

From danielc at analysisandsolutions.com Wed Aug 10 19:45:06 2005
From: danielc at analysisandsolutions.com (Daniel Convissor)
Date: Wed, 10 Aug 2005 19:45:06 -0400
Subject: [nycphp-talk] Session basics
In-Reply-To: <29da5d15050810091013a1b556@mail.gmail.com>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a42800508080929656f42a@mail.gmail.com> <29da5d150508080944115bd761@mail.gmail.com> <200508091617.25624.jellicle@gmail.com> <29da5d15050810091013a1b556@mail.gmail.com>
Message-ID: <20050810234506.GA22969@panix.com>

On Wed, Aug 10, 2005 at 12:10:54PM -0400, Brian O'Connor wrote:
> And I have a question about my current system:
> As of right now, I create 3 sessions for each user: userID, user, and pass

Do you mean you're setting three cookies? Don't.

Don't set any cookies manually. Let PHP's session_start() do it for you.
Then, to save data in the session, save it like this:

$_SESSION['username'] = 'foo';

That saves it on the server, which is the whole point of sessions.

--Dan

--
T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
data intensive web and database programming
http://www.AnalysisAndSolutions.com/
4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409

From gatzby3jr at gmail.com Thu Aug 11 00:42:43 2005
From: gatzby3jr at gmail.com (Brian O'Connor)
Date: Thu, 11 Aug 2005 00:42:43 -0400
Subject: [nycphp-talk] Session basics
In-Reply-To: <20050810234506.GA22969@panix.com>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a42800508080929656f42a@mail.gmail.com> <29da5d150508080944115bd761@mail.gmail.com> <200508091617.25624.jellicle@gmail.com> <29da5d15050810091013a1b556@mail.gmail.com> <20050810234506.GA22969@panix.com>
Message-ID: <29da5d15050810214269e1a687@mail.gmail.com>

I don't use cookies for that. I use $_SESSION['userID'], $_SESSION['user'], $_SESSION['pass'].

I understand the concept of sessions, I don't understand the concept of hijacking them, and making a system to prevent hijacking them.

On 8/10/05, Daniel Convissor wrote:
>
> On Wed, Aug 10, 2005 at 12:10:54PM -0400, Brian O'Connor wrote:
>
> > And I have a question about my current system:
> > As of right now, I create 3 sessions for each user: userID, user, and pass
>
> Do you mean you're setting three cookies? Don't.
>
> Don't set any cookies manually. Let PHP's session_start() do it for you.
>
> Then, to save data in the session, save it like this:
>
> $_SESSION['username'] = 'foo';
>
> That saves it on the server, which is the whole point of sessions.
>
> --Dan
>
> --
> T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
> data intensive web and database programming
> http://www.AnalysisAndSolutions.com/
> 4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409
>

--
Brian O'Connor

From rolan at omnistep.com Thu Aug 11 01:40:33 2005
From: rolan at omnistep.com (Rolan Yang)
Date: Thu, 11 Aug 2005 01:40:33 -0400
Subject: [nycphp-talk] Session basics
In-Reply-To: <29da5d15050810214269e1a687@mail.gmail.com>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a42800508080929656f42a@mail.gmail.com> <29da5d150508080944115bd761@mail.gmail.com> <200508091617.25624.jellicle@gmail.com> <29da5d15050810091013a1b556@mail.gmail.com> <20050810234506.GA22969@panix.com> <29da5d15050810214269e1a687@mail.gmail.com>
Message-ID: <42FAE4D1.4060401@omnistep.com>

One way to hijack a session is to hack in, compromise a machine on the network and run a sniffer. Most hackers are not running sniffers to hijack sessions though. They sniff to grab login/passwords from pop/imap/smtp/ftp/telnet. Requiring SSL/TLS protects you from this attack.

Another way to hijack sessions is to find websites that still append the session data to the url and links. The *friendfinder.com sites and several others, which I shall not mention, maintain sessions like that. I believe if you disable cookies in your browser, PHP reverts to url based sessions*.

Ok, so here's basically how it works: You find a php website which uses session cookies and allows you to post messages/stuff (eg. your dating profile). In your dating profile, you include some stuff about yourself "bla bla bla"... then add
Then sit back and wait.
Every now and then, grep your web server logs for "blankpixel.gif". The referer field in the log will list the referring url... which contains the appended session cookie. At this point, you can just copy+paste the referer url into your browser, click "GO" and assume the identity of the person who viewed your dating profile.

For this reason, passing session id's via GET requests is extremely dangerous.

* safest thing to do is "enable session.use_only_cookies" and require that clients have cookies enabled.... and use https

~Rolan

Brian O'Connor wrote:
> I don't use cookies for that. I use $_SESSION['userID'],
> $_SESSION['user'], $_SESSION['pass'].
>
> I understand the concept of sessions, I don't understand the concept
> of hijacking them, and making a system to prevent hijacking them.
>

From codebowl at gmail.com Thu Aug 11 08:52:38 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Thu, 11 Aug 2005 08:52:38 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <42F7960A.60005@omnistep.com>
References: <9944941.1122940163731.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <42F520C8.6080503@php.net> <42F7960A.60005@omnistep.com>
Message-ID: <8d9a4280050811055250b6f267@mail.gmail.com>

Chris,

the current way I have things working is like this.

On the first page load set $_SESSION['HTTP_USER_AGENT']
On the next page load compare the agents.
If they don't match increment the counter
otherwise continue on as normal

Once the counter hits a limit of say 3 it shows the password box and tells the user they need to verify they are the same user. If they enter the correct password, everything is reset, otherwise a password check counter is incremented. If they enter the password wrong 3 times the system will destroy the session and assume it's not the correct user.

My question is, did I get a clear understanding of what you were saying to do and did I implement this the proper way according to your thoughts?

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com

From dcech at phpwerx.net Thu Aug 11 09:21:12 2005
From: dcech at phpwerx.net (Dan Cech)
Date: Thu, 11 Aug 2005 09:21:12 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <8d9a4280050811055250b6f267@mail.gmail.com>
References: <9944941.1122940163731.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <42F520C8.6080503@php.net> <42F7960A.60005@omnistep.com> <8d9a4280050811055250b6f267@mail.gmail.com>
Message-ID: <42FB50C8.6020607@phpwerx.net>

Joseph,

From my understanding this is the opposite of what Chris was suggesting, because it does not adapt to usage patterns.

On the first page load set $_SESSION['HTTP_USER_AGENT']
Also set $_SESSION['HTTP_USER_AGENT_MATCHES'] = 1

On each page load, if the user agent matches what is stored, increment $_SESSION['HTTP_USER_AGENT_MATCHES'] by 1

If the user agent does not match, and the count of matching agents is greater than some threshold, then prompt for a password.

The idea is to protect people whose user agent does not change often without unduly penalising people whose user agent does (for whatever reason).

The fact that the system 'learns' from the activity of the user to offer the best balance between security and convenience is what sets a system like this apart from the majority of rigid systems.

It occurs to me that this would be a good structure to generalise and implement in an extensible class, as it can (and should) really be applied to many different security tasks.

Dan

Joseph Crawford wrote:
> Chris,
>
> the current way I have things working is like this.
>
> On the first page load set $_SESSION['HTTP_USER_AGENT']
> On the next page load compare the agents.
> If they don't match increment the counter
> otherwise continue on as normal
>
> Once the counter hits a limit of say 3 it shows the password box and tells
> the user they need to verify they are the same user. If they enter the
> correct password, everything is reset, otherwise a password check counter is
> incremented. If they enter the password wrong 3 times the system will
> destroy the session and assume it's not the correct user.
>
> My question is, did I get a clear understanding of what you were saying to
> do and did I implement this the proper way according to your thoughts?

From agfische at email.smith.edu Thu Aug 11 09:51:32 2005
From: agfische at email.smith.edu (Aaron Fischer)
Date: Thu, 11 Aug 2005 09:51:32 -0400
Subject: [nycphp-talk] Session basics
In-Reply-To: <29da5d15050810214269e1a687@mail.gmail.com>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a42800508080929656f42a@mail.gmail.com> <29da5d150508080944115bd761@mail.gmail.com> <200508091617.25624.jellicle@gmail.com> <29da5d15050810091013a1b556@mail.gmail.com> <20050810234506.GA22969@panix.com> <29da5d15050810214269e1a687@mail.gmail.com>
Message-ID: <42FB57E4.2050900@email.smith.edu>

Brian O'Connor wrote:
> I don't use cookies for that. I use $_SESSION['userID'],
> $_SESSION['user'], $_SESSION['pass'].
>
> I understand the concept of sessions, I don't understand the concept of
> hijacking them, and making a system to prevent hijacking them.
>
> On 8/10/05, *Daniel Convissor* wrote:
>
>     On Wed, Aug 10, 2005 at 12:10:54PM -0400, Brian O'Connor wrote:
>
>     > And I have a question about my current system:
>     > As of right now, I create 3 sessions for each user: userID, user,
>     and pass
>
>     Do you mean you're setting three cookies? Don't.
>
>     Don't set any cookies manually. Let PHP's session_start() do it for
>     you.
>
>     Then, to save data in the session, save it like this:
>
>     $_SESSION['username'] = 'foo';
>
>     That saves it on the server, which is the whole point of sessions.
>
>     --Dan
>

I think you're still missing part of how php sessions work.

The default is for sessions to use a cookie. When a new session is started a cookie is sent to the user that contains the unique session name. All other session variables are stored on the server. When going to a new page, the session name in the cookie is compared to the session name on the server. If they match, OK, things continue. If you don't want to use a cookie you can pass the session name along in the URL using the PHPSESSID constant. I believe that this is not recommended as it is very transparent.

Also, in your example you are not creating three different sessions. You are creating one session and storing three different variables in that session.

I believe that if you want to get more in depth about preventing sessions from being hijacked, that is when you get into writing your own session functions/classes (see the other ongoing sessions thread).

I'm just a newbie of sorts myself, so I'm hoping the gurus will correct me if I have inaccuracies here.

hth,

-Aaron

From shiflett at php.net Thu Aug 11 09:59:23 2005
From: shiflett at php.net (Chris Shiflett)
Date: Thu, 11 Aug 2005 09:59:23 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <42FB50C8.6020607@phpwerx.net>
References: <9944941.1122940163731.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <42F520C8.6080503@php.net> <42F7960A.60005@omnistep.com> <8d9a4280050811055250b6f267@mail.gmail.com> <42FB50C8.6020607@phpwerx.net>
Message-ID: <42FB59BB.303@php.net>

Dan Cech wrote:
> From my understanding this is the opposite of what Chris was
> suggesting, because it does not adapt to usage patterns.
Dan is exactly right, and this is a good explanation of the reasoning:

> The idea is to protect people whose user agent does not change often
> without unduly penalising people whose user agent does (for whatever
> reason).

Enforcing consistency isn't a perfect solution, but if you can make things a bit harder for the bad guys without adversely affecting your good guys, it's a step in the right direction. :-)

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

From codebowl at gmail.com Thu Aug 11 10:28:15 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Thu, 11 Aug 2005 10:28:15 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <42FB59BB.303@php.net>
References: <9944941.1122940163731.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <42F520C8.6080503@php.net> <42F7960A.60005@omnistep.com> <8d9a4280050811055250b6f267@mail.gmail.com> <42FB50C8.6020607@phpwerx.net> <42FB59BB.303@php.net>
Message-ID: <8d9a428005081107282af5b142@mail.gmail.com>

That seems a bit backwards to me.

If their User Agent doesn't change and it hits my threshold why should I prompt for a password? If their user agent continuously changes they will never get prompted for the password. Isn't the idea to prompt for the password if their user agent changes often?

I guess I am not understanding why it would work like this

user hits the page User Agent stored
user hits again User Agent Compared
If they match increment counter

When counter hits threshold prompt for password.

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
From dcech at phpwerx.net Thu Aug 11 10:44:36 2005
From: dcech at phpwerx.net (Dan Cech)
Date: Thu, 11 Aug 2005 10:44:36 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <8d9a428005081107282af5b142@mail.gmail.com>
References: <9944941.1122940163731.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <42F520C8.6080503@php.net> <42F7960A.60005@omnistep.com> <8d9a4280050811055250b6f267@mail.gmail.com> <42FB50C8.6020607@phpwerx.net> <42FB59BB.303@php.net> <8d9a428005081107282af5b142@mail.gmail.com>
Message-ID: <42FB6454.10700@phpwerx.net>

Joseph,

To understand the approach you need to take a step back and look at the bigger picture of what we're trying to achieve.

Say we have a client who always uses the same browser, and all of a sudden you get a request that comes from a different browser. This does not fit the profile, and so we should prompt for a password because it is likely to be an attacker.

If you have a client who for whatever reason changes their user agent string all the time, you don't want to enforce the user agent check because it will just annoy them, and probably lose you the client.

So, you keep track of the user agent to see which the client in question is. If you are dealing with the former, enforce the check because it will increase their security, otherwise use a different check.

The counter is there to determine which category the client in question falls into, so when their user agent hasn't changed for some number of page loads you assume they fall into the first category and enforce the check.

This same approach could also be very powerful when applied to IP address checking, to provide protection for clients whose IP does not change often, without affecting those who do.

Dan

Joseph Crawford wrote:
> That seems a bit backwards to me.
>
> If their User Agent doesn't change and it hits my threshold why should I
> prompt for a password?
> If their user agent continuously changes they will
> never get prompted for the password. Isn't the idea to prompt for the password
> if their user agent changes often?
>
> I guess I am not understanding why it would work like this
>
> user hits the page User Agent stored
> user hits again User Agent Compared
> If they match increment counter
>
> When counter hits threshold prompt for password.

From codebowl at gmail.com Thu Aug 11 10:49:49 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Thu, 11 Aug 2005 10:49:49 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <42FB6454.10700@phpwerx.net>
References: <9944941.1122940163731.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <42F520C8.6080503@php.net> <42F7960A.60005@omnistep.com> <8d9a4280050811055250b6f267@mail.gmail.com> <42FB50C8.6020607@phpwerx.net> <42FB59BB.303@php.net> <8d9a428005081107282af5b142@mail.gmail.com> <42FB6454.10700@phpwerx.net>
Message-ID: <8d9a4280050811074927bd2852@mail.gmail.com>

ahh so you are only saying to prompt for the password if they are over the threshold AND their user agent changes, I understood it as every time they hit the threshold to prompt.

That makes a bit more sense, however for someone whose UA changes frequently they won't ever get prompted for their password. What would you suggest to ensure their security?

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
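The adaptive check Dan describes in the exchange above (enforce an attribute only once the session has shown it to be stable, and apply the same rule to the client IP), written out as an added example; this is not code from the thread or from anyone on it. The class name, the threshold of 3 and the request sequences are constructed for the demonstration, and the session array is injected so it runs from the command line without a web server.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not code from the thread. A request attribute (user agent,
 * client IP) is only enforced once it has stayed the same for $threshold
 * consecutive page loads; a change before that just means "this user's value
 * is not stable", so users behind rotating proxies are never nagged.
 * The backing array stands in for $_SESSION.
 */
final class AdaptiveConsistencyCheck
{
    /** @var array<string, array{value:string, matches:int, changes:int}> */
    private array $store;
    private int $threshold;

    public function __construct(array &$store, int $threshold = 10)
    {
        $this->store = &$store;   // pass $_SESSION in a real deployment
        $this->threshold = $threshold;
    }

    /**
     * Record $current for $attribute and report whether a re-authentication
     * prompt is warranted: true only when the previous value had been stable
     * for at least $threshold page loads and has now changed.
     */
    public function observe(string $attribute, string $current): bool
    {
        if (!isset($this->store[$attribute])) {
            // First sighting in this session: start profiling, never prompt.
            $this->store[$attribute] = ['value' => $current, 'matches' => 1, 'changes' => 0];
            return false;
        }
        $entry = &$this->store[$attribute];
        if ($entry['value'] === $current) {
            $entry['matches']++;
            return false;
        }
        $wasStable = $entry['matches'] >= $this->threshold;
        $entry['value']   = $current;   // compare the next hit against the new value
        $entry['changes']++;
        $entry['matches'] = 1;          // the new value has to earn trust again
        return $wasStable;
    }
}

/**
 * Drive the check with constructed requests, each [user agent, remote address],
 * and return one verdict per request: 'ok' or 'reauth'. A prompt is raised if
 * EITHER stable attribute changes. In a web app the values come from
 * $_SERVER['HTTP_USER_AGENT'] and $_SERVER['REMOTE_ADDR'], not from a header
 * such as X-Forwarded-For that the client itself can set.
 */
function runRequests(array $requests, int $threshold = 3): array
{
    $session = [];   // stand-in for $_SESSION
    $guard = new AdaptiveConsistencyCheck($session, $threshold);
    $verdicts = [];
    foreach ($requests as [$ua, $ip]) {
        $uaChanged = $guard->observe('HTTP_USER_AGENT', $ua);
        $ipChanged = $guard->observe('REMOTE_ADDR', $ip);
        $verdicts[] = ($uaChanged || $ipChanged) ? 'reauth' : 'ok';
    }
    return $verdicts;
}

// Constructed traffic. Case 1: a user with a stable browser and address whose
// session id is suddenly presented from another browser at another address.
$stable = [
    ['Firefox/1.0', '192.0.2.10'], ['Firefox/1.0', '192.0.2.10'],
    ['Firefox/1.0', '192.0.2.10'], ['Firefox/1.0', '192.0.2.10'],
    ['MSIE 6.0',    '198.51.100.7'],
];
// Case 2: the proxy user from the thread, whose address and user agent never
// settle. The check stays silent for this user, so the other controls in the
// thread (HTTPS, cookie-only session ids, short lifetimes) are what protect them.
$unstable = [
    ['Firefox/1.0', '192.0.2.10'], ['MSIE 6.0',    '192.0.2.11'],
    ['Opera/8.0',   '192.0.2.12'], ['Firefox/1.0', '192.0.2.13'],
    ['MSIE 6.0',    '192.0.2.14'],
];
echo "stable:   ", implode(' ', runRequests($stable)), "\n";
echo "unstable: ", implode(' ', runRequests($unstable)), "\n";
```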
From hendler at simmons.edu Thu Aug 11 11:02:02 2005
From: hendler at simmons.edu (Jonathan)
Date: Thu, 11 Aug 2005 11:02:02 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <42FB6454.10700@phpwerx.net>
References: <9944941.1122940163731.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <42F520C8.6080503@php.net> <42F7960A.60005@omnistep.com> <8d9a4280050811055250b6f267@mail.gmail.com> <42FB50C8.6020607@phpwerx.net> <42FB59BB.303@php.net> <8d9a428005081107282af5b142@mail.gmail.com> <42FB6454.10700@phpwerx.net>
Message-ID: <42FB686A.9070404@simmons.edu>

I like Dan's answer here very much. Rule based security is the only way intrusion detection, like preventing session hijacking, works effectively. And for further example - spam filtering, in addition to regular expressions, neural networks are even used because there is no one rule that works.

I would also note that if a client hits more than 3-6 times a second, especially on a login, that something is weird. I store these kinds of things in a MySQL hashtable.

Dan Cech wrote:

>Joseph,
>
>To understand the approach you need to take a step back and look at the
>bigger picture of what we're trying to achieve.
>
>Say we have a client who always uses the same browser, and all of a
>sudden you get a request that comes from a different browser. This does
>not fit the profile, and so we should prompt for a password because it
>is likely to be an attacker.
>
>If you have a client who for whatever reason changes their user agent
>string all the time, you don't want to enforce the user agent check
>because it will just annoy them, and probably lose you the client.
>
>So, you keep track of the user agent to see which the client in question
>is. If you are dealing with the former, enforce the check because it
>will increase their security, otherwise use a different check.
>
>The counter is there to determine which category the client in question
>falls into, so when their user agent hasn't changed for some number of
>page loads you assume they fall into the first category and enforce the
>check.
>
>This same approach could also be very powerful when applied to IP
>address checking, to provide protection for clients whose IP does not
>change often, without affecting those who do.
>
>Dan
>
>Joseph Crawford wrote:
>
>
>>That seems a bit backwards to me.
>>
>>If their User Agent doesn't change and it hits my threshold why should I
>>prompt for a password? If their user agent continuously changes they will
>>never get prompted for the password. Isn't the idea to prompt for the password
>>if their user agent changes often?
>>
>>I guess I am not understanding why it would work like this
>>
>>user hits the page User Agent stored
>>user hits again User Agent Compared
>>If they match increment counter
>>
>>When counter hits threshold prompt for password.
>>
>>
>
>

From codebowl at gmail.com Thu Aug 11 12:56:30 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Thu, 11 Aug 2005 12:56:30 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <42FB686A.9070404@simmons.edu>
References: <9944941.1122940163731.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <42F520C8.6080503@php.net> <42F7960A.60005@omnistep.com> <8d9a4280050811055250b6f267@mail.gmail.com> <42FB50C8.6020607@phpwerx.net> <42FB59BB.303@php.net> <8d9a428005081107282af5b142@mail.gmail.com> <42FB6454.10700@phpwerx.net> <42FB686A.9070404@simmons.edu>
Message-ID: <8d9a428005081109561f198670@mail.gmail.com>

I understand what you are saying about if a user's UA doesn't change often then all of a sudden there is a change, this is not normal so I should enforce the check.
However for the users whose UA, for whatever reason, changes frequently, what else could I check? Their IP may change frequently as well so I cannot base the second check on that alone.

Maybe I should integrate the IP checking in with the UA checking, and if their UA changes frequently but their IP does not, check the IP; if changed that's not normal, show the login. However what if it is an AOL user tunneling in through a proxy and for whatever reason their UA changes frequently; their IP could change from page to page as AOL tunnels through proxies.

I guess I need to know what to do if the user's UA and IP both change frequently, should I just ignore them and hope they don't have their session hijacked?

I understand what I am implementing should secure at least 90% of users but what about the other 10%

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com

From codebowl at gmail.com Thu Aug 11 13:14:14 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Thu, 11 Aug 2005 13:14:14 -0400
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <8d9a428005081109561f198670@mail.gmail.com>
References: <9944941.1122940163731.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <42F520C8.6080503@php.net> <42F7960A.60005@omnistep.com> <8d9a4280050811055250b6f267@mail.gmail.com> <42FB50C8.6020607@phpwerx.net> <42FB59BB.303@php.net> <8d9a428005081107282af5b142@mail.gmail.com> <42FB6454.10700@phpwerx.net> <42FB686A.9070404@simmons.edu> <8d9a428005081109561f198670@mail.gmail.com>
Message-ID: <8d9a428005081110145096c2e@mail.gmail.com>

Guys here is my current CheckSession function code, can you critique it for me please ;)

basically it checks to see if the user's user agent changes; if it does it checks to see if it normally changes frequently; if it does it should do nothing; if it doesn't change frequently and it has changed, it then checks to see if the user's IP address has changed. If both the UA and IP have changed and it's abnormal for the user's UA to change it requests the password.

I have yet to add this functionality but plan to: If the user's UA does change frequently it will check to see if the user's IP changes frequently; if not and it has in fact changed it will display the password page, otherwise it will keep on chugging and realise this is one of the say 10% users whose UA and IP change frequently.

function CheckSession() {
    global $db;
    $pError = '';

    // A password was submitted from the re-verification form.
    if(isset($_POST['submit'])) {
        if(isset($_POST['passwd'])) {
            $table = strtolower($_SESSION['type'].'s');
            // Only the md5 hex digest of the submitted password reaches the query;
            // the table name and username come from the server-side session.
            $res = $db->Query("SELECT pass FROM ".$table." WHERE username='".$_SESSION['username']."' AND pass='".md5($_POST['passwd'])."'");
            if($db->NumRows($res) == 0) {
                $pError = 'Invalid Password!';
                // display password form
                // displayPasswordForm($pError);
            } else {
                // correct password: reset our session variables and start profiling again.
                unset($_SESSION['UA_CHECKS']);
                unset($_SESSION['HTTP_USER_AGENT']);
                unset($_SESSION['UA_CHANGES']);
            }
        } else {
            // form submitted without a password: show it again
            // displayPasswordForm($pError);
        }
    }

    // make sure the counters exist before they are compared or incremented
    if(!isset($_SESSION['UA_CHECKS'])) $_SESSION['UA_CHECKS'] = 0;
    if(!isset($_SESSION['UA_CHANGES'])) $_SESSION['UA_CHANGES'] = 0;
    if(!isset($_SESSION['IP_CHANGES'])) $_SESSION['IP_CHANGES'] = 0;

    // check to see if the users IP address has been set, if not set it.
    if(!isset($_SESSION['REMOTE_ADDR'])) $_SESSION['REMOTE_ADDR'] = $_SERVER['REMOTE_ADDR'];

    // check to see if the IP has changed
    if($_SESSION['REMOTE_ADDR'] != $_SERVER['REMOTE_ADDR']) {
        // It has changed, update and increment IP_CHANGES count
        $_SESSION['REMOTE_ADDR'] = $_SERVER['REMOTE_ADDR'];
        ++$_SESSION['IP_CHANGES'];
    }

    if(!isset($_SESSION['HTTP_USER_AGENT'])) {
        $_SESSION['HTTP_USER_AGENT'] = $_SERVER['HTTP_USER_AGENT'];
    } else {
        // check to see if the UA has changed
        if($_SESSION['HTTP_USER_AGENT'] != $_SERVER['HTTP_USER_AGENT']) {
            // Check to see if the UA_CHECKS has been completed UA_THRESHOLD times
            if($_SESSION['UA_CHECKS'] >= UA_THRESHOLD) {
                // It's not normal for the users UA to change frequently
                // check to see if the IP has changed at all
                if($_SESSION['IP_CHANGES'] != 0) {
                    // The users IP changed also, display the password page.
                    //display the password page
                }
            } else {
                // UA_CHECKS has not met UA_THRESHOLD: record it as a change
                ++$_SESSION['UA_CHANGES'];
            }
            // remember the new UA so the next hit is compared against it
            // instead of being counted as another change
            $_SESSION['HTTP_USER_AGENT'] = $_SERVER['HTTP_USER_AGENT'];
        } else {
            ++$_SESSION['UA_CHECKS'];
        }
    }
}

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com

From gatzby3jr at gmail.com Thu Aug 11 13:46:51 2005
From: gatzby3jr at gmail.com (Brian O'Connor)
Date: Thu, 11 Aug 2005 13:46:51 -0400
Subject: [nycphp-talk] Session basics
In-Reply-To: <42FB57E4.2050900@email.smith.edu>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a42800508080929656f42a@mail.gmail.com> <29da5d150508080944115bd761@mail.gmail.com> <200508091617.25624.jellicle@gmail.com> <29da5d15050810091013a1b556@mail.gmail.com> <20050810234506.GA22969@panix.com> <29da5d15050810214269e1a687@mail.gmail.com> <42FB57E4.2050900@email.smith.edu>
Message-ID: <29da5d150508111046307b33ed@mail.gmail.com>

He asked if I was setting the information in a cookie, or by using $_SESSION, so I told him.
On 8/10/05, Daniel Convissor wrote:

> On Wed, Aug 10, 2005 at 12:10:54PM -0400, Brian O'Connor wrote:
>
> > And I have a question about my current system:
> > As of right now, I create 3 sessions for each user: userID, user, and pass
>
> Do you mean you're setting three cookies? Don't.
>
> Don't set any cookies manually. Let PHP's session_start() do it for you.
>
> Then, to save data in the session, save it like this:
>
>     $_SESSION['username'] = 'foo';
>
> That saves it on the server, which is the whole point of sessions.
>
> --Dan

I understand that I'm not creating 3 different sessions; it was just my terminology that I misused.

So what you're saying is if I see a "?PHPSESSID=xxxxxxxxxxxx" in the URL of my site, then it is vulnerable?

On 8/11/05, Aaron Fischer wrote:

> Brian O'Connor wrote:
> > I don't use cookies for that. I use $_SESSION['userID'],
> > $_SESSION['user'], $_SESSION['pass'].
> >
> > I understand the concept of sessions, I don't understand the concept of
> > hijacking them, and making a system to prevent hijacking them.
> >
> > On 8/10/05, *Daniel Convissor* wrote:
> >
> >     On Wed, Aug 10, 2005 at 12:10:54PM -0400, Brian O'Connor wrote:
> >
> >     > And I have a question about my current system:
> >     > As of right now, I create 3 sessions for each user: userID, user,
> >     and pass
> >
> >     Do you mean you're setting three cookies? Don't.
> >
> >     Don't set any cookies manually. Let PHP's session_start() do it for
> >     you.
> >
> >     Then, to save data in the session, save it like this:
> >
> >     $_SESSION['username'] = 'foo';
> >
> >     That saves it on the server, which is the whole point of sessions.
> >
> >     --Dan
>
> I think you're still missing part of how php sessions work.
>
> The default is for sessions to use a cookie. When a new session is
> started a cookie is sent to the user that contains the unique session
> name. All other session variables are stored on the server. When going
> to a new page, the session name in the cookie is compared to the session
> name on the server. If they match, OK, things continue.
>
> If you don't want to use a cookie you can pass the session name along in
> the URL using the PHPSESSID constant. I believe that this is not
> recommended as it is very transparent.
>
> Also, in your example you are not creating three different sessions.
> You are creating one session and storing three different variables in
> that session.
>
> I believe that if you want to get more in depth about preventing
> sessions from being hijacked, that is when you get into writing your own
> session functions/classes (see the other ongoing sessions thread).
>
> I'm just a newbie of sorts myself, so I'm hoping the gurus will correct
> me if I have inaccuracies here.
>
> hth,
>
> -Aaron
>
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org

--
Brian O'Connor

From dmintz at davidmintz.org Thu Aug 11 14:59:36 2005
From: dmintz at davidmintz.org (David Mintz)
Date: Thu, 11 Aug 2005 14:59:36 -0400 (EDT)
Subject: [nycphp-talk] Session basics
In-Reply-To: <29da5d150508111046307b33ed@mail.gmail.com>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a42800508080929656f42a@mail.gmail.com> <29da5d150508080944115bd761@mail.gmail.com> <200508091617.25624.jellicle@gmail.com> <29da5d15050810091013a1b556@mail.gmail.com> <20050810234506.GA22969@panix.com> <29da5d15050810214269e1a687@mail.gmail.com> <42FB57E4.2050900@email.smith.edu> <29da5d150508111046307b33ed@mail.gmail.com>
Message-ID:

On Thu, 11 Aug 2005, Brian O'Connor wrote:

> So what you're saying is if I see a "?PHPSESSID=xxxxxxxxxxxx" in the URL of
> my site, then it is vulnerable?

Yeah.
---
David Mintz
http://davidmintz.org/

From 1j0lkq002 at sneakemail.com Thu Aug 11 15:13:19 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Thu, 11 Aug 2005 12:13:19 -0700
Subject: [nycphp-talk] Experts help needed (Sessions)
In-Reply-To: <42FB6454.10700@phpwerx.net>
References: <9944941.1122940163731.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <42F520C8.6080503@php.net> <42F7960A.60005@omnistep.com> <8d9a4280050811055250b6f267@mail.gmail.com> <42FB50C8.6020607@phpwerx.net> <42FB59BB.303@php.net> <8d9a428005081107282af5b142@mail.gmail.com> <42FB6454.10700@phpwerx.net>
Message-ID: <28371-96480@sneakemail.com>

Dan Cech dcech-at-phpwerx.net |nyphp dev/internal group use| wrote:

> Joseph,
>
> To understand the approach you need to take a step back and look at the
> bigger picture of what we're trying to achieve.
>
> Say we have a client who always uses the same browser, and all of a
> sudden you get a request that comes from a different browser. This does
> not fit the profile, and so we should prompt for a password because it
> is likely to be an attacker.
>
> If you have a client who for whatever reason changes their user agent
> string all the time, you don't want to enforce the user agent check
> because it will just annoy them, and probably lose you the client.
>
> So, you keep track of the user agent to see which the client in question
> is. If you are dealing with the former, enforce the check because it
> will increase their security, otherwise use a different check.
>
> The counter is there to determine which category the client in question
> falls into, so when their user agent hasn't changed for some number of
> page loads you assume they fall into the first category and enforce the
> check.
>
> This same approach could also be very powerful when applied to IP
> address checking, to provide protection for clients whose IP does not
> change often, without affecting those who do.
>
> Dan

I think this is a great discussion and very worthwhile, and some of these explanations should be very enlightening. However, we need to be aware of the problems associated with one of the "80/20 rules" (which these approaches "seem" to endorse): satisfy 80% of the market and don't worry about the other non-mainstream 20%.

* Let's not forget that vulnerability usually comes from lazy or incomplete coding. When corners are cut (for whatever reasons, with whatever validity), vulnerabilities are left in place. After reading this thread I can imagine coders carefully coding so those with static IPs and static user agents get standard auth and those who vary get trapped by extra security checkpoints that are little more than re-checks of the same credentials. Sure, as the argument goes, there may be more risk, so why not re-check.

* Let's just make sure that you are testing your code well enough that your 20% are properly managed (chances are your dev machines will rarely go through the extra checks, and if they do, you'll probably bypass it for convenience). Let's also make sure we aren't inconveniencing the most important market segment in that 20% -- I know some of my privacy websites would fail miserably if this sort of "extra security" were deployed. Once you start inspecting UA, you get into the browser standards world - plenty of browser/extension combinations mess with the UA or block it altogether. As already stated many times, proxies wreak havoc with IPs and UA strings.

From a user-friendliness perspective, there is little more annoying to me than a definitive but erroneous statement from an error message or security check (like when I have cookies ENABLED and I get a message "Your browser does not accept cookies...please turn them on and try again").

Personally I prefer the concept of "translucent data", although I recognize it is not for everyone. Start with http://www.unixreview.com/documents/s=7781/ur0401o/

-=john andrews
www.seo-fun.com

From lists at natserv.com Thu Aug 11 23:17:40 2005
From: lists at natserv.com (Francisco Reyes)
Date: Thu, 11 Aug 2005 23:17:40 -0400 (EDT)
Subject: [nycphp-talk] [OT] SSH keys: what am I doing wrong?
In-Reply-To: <9465864805080921243a75ced6@mail.gmail.com>
References: <9465864805080921243a75ced6@mail.gmail.com>
Message-ID: <20050811231635.P58572@zoraida.natserv.net>

On Wed, 10 Aug 2005, Christopher Merlo wrote:

> do an "ls -l" on the file, you should see something like this:
> -rw------- 1 cmerlo cmerlo 605 2005-08-09 23:04 .ssh/authorized_keys

Also check that the .ssh directory itself can only be seen by you.

Spent almost two hours trying to troubleshoot an SSH problem... and it was because the user's .ssh directory had rights other than 600.

From shiflett at php.net Fri Aug 12 07:18:02 2005
From: shiflett at php.net (Chris Shiflett)
Date: Fri, 12 Aug 2005 07:18:02 -0400
Subject: [nycphp-talk] September Talk
Message-ID: <42FC856A.6040209@php.net>

I'll be giving September's talk and wanted to offer a few possibilities to see what people are interested in hearing - if anything. :-) The talk I give doesn't have to be an existing talk but can be a medley of topics of your choosing, so feel free to mix and match or suggest specific areas of interest.

1. PHP Security Briefing
   Beginner/Lecture
   60 Minutes

2. PHP Security Audit HOWTO
   Intermediate/Lecture
   60 Minutes

The first is a general talk covering many bases, including best practices, common vulnerabilities, and popular attacks. The second is a more specific talk that describes the art of the PHP security audit, including tips that I've picked up over the last few years.

Other topics I can speak on include HTTP, state, and sessions, although these tend to be a bit less exciting.
:-)

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

From joel at tagword.com Fri Aug 12 16:39:31 2005
From: joel at tagword.com (Joel De Gan)
Date: Fri, 12 Aug 2005 16:39:31 -0400
Subject: [nycphp-talk] hiring? ideas?
Message-ID: <1123879171.9025.37.camel@bezel>

Hi all..
Recently found out my job contract will be winding down and have been looking around various job boards and whatnot to see what the Manhattan job market is like.

I have a couple leads, but was wondering if anyone has any tips for this market in particular that would be helpful.

I made a post on craigslist:
http://newyork.craigslist.org/mnh/res/90477909.html

Which had a couple bites and has one interview pending..
But figured I would ask here as many of you guys work in PHP shops.

Thanks
-Joel

From gatzby3jr at gmail.com Fri Aug 12 16:09:55 2005
From: gatzby3jr at gmail.com (Brian O'Connor)
Date: Fri, 12 Aug 2005 16:09:55 -0400
Subject: [nycphp-talk] hiring? ideas?
In-Reply-To: <1123879171.9025.37.camel@bezel>
References: <1123879171.9025.37.camel@bezel>
Message-ID: <29da5d150508121309254fceb1@mail.gmail.com>

Well, for starters there is the nyphp job list. (I'm assuming you haven't signed up on that, and if you have, my apologies).

http://www.nyphp.org/content/mailinglist/mlist.php

Hope that helps.

On 8/12/05, Joel De Gan wrote:
>
> Hi all..
> Recently found out my job contract will be winding down and have been
> looking around various job boards and whatnot to see what the Manhattan
> job market is like.
>
> I have a couple leads, but was wondering if anyone has any tips for this
> market in particular that would be helpful.
>
> I made a post on craigslist:
> http://newyork.craigslist.org/mnh/res/90477909.html
>
> Which had a couple bites and has one interview pending..
> But figured I would ask here as many of you guys work in PHP shops.
>
> Thanks
> -Joel

--
Brian O'Connor

From joshmccormack at travelersdiary.com Fri Aug 12 16:16:01 2005
From: joshmccormack at travelersdiary.com (joshmccormack at travelersdiary.com)
Date: Fri, 12 Aug 2005 22:16:01 +0200
Subject: [nycphp-talk] hiring? ideas?
Message-ID: <0MKoyl-1E3fwf3Xl4-0005NB@mrelay.perfora.net>

Check out community connect. They're always looking for people. Other than that, I know of a couple of places that might be interested; if you want to send me your resume, I can pass it along.

Josh

Joel De Gan wrote on 08/12/2005, 10:39:31 PM:

> Hi all..
> Recently found out my job contract will be winding down and have been
> looking around various job boards and whatnot to see what the Manhattan
> job market is like.
>
> I have a couple leads, but was wondering if anyone has any tips for this
> market in particular that would be helpful.
>
> I made a post on craigslist:
> http://newyork.craigslist.org/mnh/res/90477909.html
>
> Which had a couple bites and has one interview pending..
> But figured I would ask here as many of you guys work in PHP shops.
>
> Thanks
> -Joel

From tom at supertom.com Fri Aug 12 16:55:44 2005
From: tom at supertom.com (Tom Melendez)
Date: Fri, 12 Aug 2005 16:55:44 -0400
Subject: [nycphp-talk] somewhat OT: open source code auditing
Message-ID: <42FD0CD0.8050705@supertom.com>

Hey Folks,

This is slightly off-topic, but I've just had the "higher-ups" come to me asking about open source and coding audits.
I'm not speaking about collaborative tools or auditing from a security perspective, but rather from a legal perspective. Simply put, how do you know where a piece of code really came from? I'm hoping that others on the list have gone through this (or are actually going through it now) and can provide some insight.

Some general questions:

1. When you decide to use a piece of open source software, what do you document? (package name, authors, download location, website, license, date/time, etc)

2. Do you feel the need to actually verify that they wrote it? Or is it enough to say, "This is a popular package, and it is generally accepted that this person wrote it."

As this could relate to PHP:

1. The PEAR and PECL repositories - is there anything built into the package approval process that looks for this? I didn't see anything on the website. I would imagine that some Google searches probably occur just to make sure this package

2. Code posted on the PHP site by users? Is that "free" to use?

I realize that most of us aren't lawyers, and we're getting help from our legal team, but any help you can provide is greatly appreciated.

Thanks,

Tom
http://www.liphp.org

From krook at us.ibm.com Fri Aug 12 23:31:20 2005
From: krook at us.ibm.com (Daniel Krook)
Date: Fri, 12 Aug 2005 23:31:20 -0400
Subject: [nycphp-talk] PHP 6 features discussion
Message-ID:

There's a very active thread on the PHP internals list regarding major changes to PHP as suggested by Rasmus for version 6.

Here's the original post, along with many, many replies supporting the suggestions to varying degrees:

http://marc.theaimsgroup.com/?l=php-dev&m=112386891931477&w=2
http://marc.theaimsgroup.com/?t=112386908300002&r=1&w=2
http://marc.theaimsgroup.com/?t=112387117900002&r=1&w=2

I'm not a language-itself-PHP-developer, but some of these things seem quite radical (hence the version number, of course) for the end programmer (mainly points 7 and 8, which are admittedly considered lower profile).
Thoughts on the proposed changes? Anything you might add yourself?

Daniel Krook, Advisory IT Specialist
Application Development, Production Services - Tools, ibm.com

Personal: http://info.krook.org/
BluePages: http://bluepages.redirect.webahead.ibm.com/
BlogPages: http://blogpages.redirect.webahead.ibm.com/

From shiflett at php.net Fri Aug 12 23:35:42 2005
From: shiflett at php.net (Chris Shiflett)
Date: Fri, 12 Aug 2005 23:35:42 -0400
Subject: [nycphp-talk] PHP 6 features discussion
In-Reply-To:
References:
Message-ID: <42FD6A8E.4040107@php.net>

Daniel Krook wrote:
> There's a very active thread on the PHP internals list regarding major
> changes to PHP as suggested by Rasmus for version 6.

There's some other stuff going on, too:

http://shiflett.org/archive/135

I'm optimistic about PHP's future after recent events. :-)

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

From matt at jobsforge.com Sat Aug 13 00:30:00 2005
From: matt at jobsforge.com (Matthew Terenzio)
Date: Sat, 13 Aug 2005 00:30:00 -0400
Subject: [nycphp-talk] xml_parse and CLI
Message-ID: <080457e49767db673afc15fe34668487@jobsforge.com>

This block of code works fine on a web server, but fails with:

XML error: XML declaration not finished at line 1

on CLI. Anyone understand why? The $data variable does in fact look like the remote XML doc, so the fopen and fread seem to be working.
$xml_parser = xml_parser_create();
xml_set_element_handler($xml_parser, "startElement", "endElement");
xml_set_character_data_handler($xml_parser, "characterData");
if (!($fp = fopen($file, "r"))) {
    die("could not open XML input");
}
while ($data = fread($fp, 4096)) {
    if (!xml_parse($xml_parser, $data, feof($fp))) {
        die(sprintf("XML error: %s at line %d",
                    xml_error_string(xml_get_error_code($xml_parser)),
                    xml_get_current_line_number($xml_parser)));
    }
}
xml_parser_free($xml_parser);

From greg.rundlett at gmail.com Sat Aug 13 00:48:13 2005
From: greg.rundlett at gmail.com (Greg Rundlett)
Date: Sat, 13 Aug 2005 00:48:13 -0400
Subject: [nycphp-talk] xml_parse and CLI
In-Reply-To: <080457e49767db673afc15fe34668487@jobsforge.com>
References: <080457e49767db673afc15fe34668487@jobsforge.com>
Message-ID: <5e2aaca40508122148511461a1@mail.gmail.com>

On 8/13/05, Matthew Terenzio wrote:
>
> This block of code works fine on a web server, but fails with:
>
> XML error: XML declaration not finished at line 1
>
> on CLI. Anyone understand why? The $data variable does in fact look
> like the remote XML doc, so the fopen and fread seem to be working.

What does $file (and/or $data) look like?

From matt at jobsforge.com Sat Aug 13 00:49:23 2005
From: matt at jobsforge.com (Matthew Terenzio)
Date: Sat, 13 Aug 2005 00:49:23 -0400
Subject: [nycphp-talk] xml_parse and CLI
In-Reply-To: <5e2aaca40508122148511461a1@mail.gmail.com>
References: <080457e49767db673afc15fe34668487@jobsforge.com> <5e2aaca40508122148511461a1@mail.gmail.com>
Message-ID:

On Aug 13, 2005, at 12:48 AM, Greg Rundlett wrote:

> On 8/13/05, Matthew Terenzio wrote:
>>
>> This block of code works fine on a web server, but fails with:
>>
>> XML error: XML declaration not finished at line 1
>>
>> on CLI. Anyone understand why? The $data variable does in fact look
>> like the remote XML doc, so the fopen and fread seem to be working.
>
> What does $file (and/or $data) look like?
The only weird thing I see below is the escaping of the quotes in the xml and rss versions.

XML error: XML declaration not finished at line 1
freebee#
From 1j0lkq002 at sneakemail.com Sat Aug 13 00:56:40 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Fri, 12 Aug 2005 21:56:40 -0700
Subject: [nycphp-talk] September Talk
In-Reply-To: <42FC856A.6040209@php.net>
References: <42FC856A.6040209@php.net>
Message-ID: <16955-83528@sneakemail.com>

Chris Shiflett shiflett-at-php.net |nyphp dev/internal group use| wrote:

> I'll be giving September's talk and wanted to offer a few possibilities
> to see what people are interested in hearing - if anything. :-) The talk
> I give doesn't have to be an existing talk but can be a medley of topics
> of your choosing, so feel free to mix and match or suggest specific
> areas of interest.
>
> 1. PHP Security Briefing
>    Beginner/Lecture
>    60 Minutes
>
> 2. PHP Security Audit HOWTO
>    Intermediate/Lecture
>    60 Minutes
>
> The first is a general talk covering many bases, including best
> practices, common vulnerabilities, and popular attacks. The second is a
> more specific talk that describes the art of the PHP security audit,
> including tips that I've picked up over the last few years.
>
> Other topics I can speak on include HTTP, state, and sessions, although
> these tend to be a bit less exciting. :-)
>
> Chris

I caught your "Audit How To" talk in Vancouver and it was very good, thanks. I know the NYPHP audience would appreciate that one. If you also showed how past FOSS PHP alerts (such as those listed by Secunia) fit the models, and thus could have been detected by the audit process, that would push it over the top quality-wise.
-=john andrews
www.seo-fun.com
having fun in the Pacific Northwest

From matt at jobsforge.com Sat Aug 13 01:00:44 2005
From: matt at jobsforge.com (Matthew Terenzio)
Date: Sat, 13 Aug 2005 01:00:44 -0400
Subject: [nycphp-talk] xml_parse and CLI
In-Reply-To: <5e2aaca40508122148511461a1@mail.gmail.com>
References: <080457e49767db673afc15fe34668487@jobsforge.com> <5e2aaca40508122148511461a1@mail.gmail.com>
Message-ID: <908bbb58b365743841b6a4012adb66d9@jobsforge.com>

On Aug 13, 2005, at 12:48 AM, Greg Rundlett wrote:

> On 8/13/05, Matthew Terenzio wrote:
>>
>> This block of code works fine on a web server, but fails with:
>>
>> XML error: XML declaration not finished at line 1
>>
>> on CLI. Anyone understand why? The $data variable does in fact look
>> like the remote XML doc, so the fopen and fread seem to be working.
>
> What does $file (and/or $data) look like?

MagicQuotes was on by accident. Turned it off and it stopped escaping that stuff. Thanks.

From tboronczyk at acmgfcu.org Sat Aug 13 01:37:36 2005
From: tboronczyk at acmgfcu.org (Timothy Boronczyk)
Date: Sat, 13 Aug 2005 01:37:36 -0400
Subject: [nycphp-talk] September Talk
Message-ID: <42FD8720.3000403@acmgfcu.org>

The PHP Security Audit HOWTO sounds really interesting.

I disagree that something with sessions wouldn't be all that interesting, though. Of course you'd have to put a new twist on it... instead of the same old custom storage of session data in a MySQL database, perhaps store them in an IMAP mailbox, shared memory segment, "duplexing" session tracking data to an audit printer in real time, etc. I dunno, maybe it's just late and I need some sleep.
-Tim

Chris Shiflett wrote:

> I'll be giving September's talk and wanted to offer a few possibilities
> to see what people are interested in hearing - if anything. :-) The talk
> I give doesn't have to be an existing talk but can be a medley of topics
> of your choosing, so feel free to mix and match or suggest specific
> areas of interest.
>
> 1. PHP Security Briefing
>    Beginner/Lecture
>    60 Minutes
>
> 2. PHP Security Audit HOWTO
>    Intermediate/Lecture
>    60 Minutes
>
> The first is a general talk covering many bases, including best
> practices, common vulnerabilities, and popular attacks. The second is a
> more specific talk that describes the art of the PHP security audit,
> including tips that I've picked up over the last few years.
>
> Other topics I can speak on include HTTP, state, and sessions, although
> these tend to be a bit less exciting. :-)

From tboronczyk at acmgfcu.org Sat Aug 13 01:50:37 2005
From: tboronczyk at acmgfcu.org (Timothy Boronczyk)
Date: Sat, 13 Aug 2005 01:50:37 -0400
Subject: [nycphp-talk] PHP 6 features discussion
Message-ID: <42FD8A2D.10303@acmgfcu.org>

With all the buzz and focus on 5, I totally forgot the development cycle continues! Woops!

Like Chris, I'm optimistic about PHP's future, too... I definitely like the idea of removing register_globals. I think the whole namespace thing (if implemented correctly) would be another big selling point; I hope that one can gain some support. Honestly, it would be nice too to have all the string functions have a consistent needle/haystack order as someone suggested too (it really is quite irksome), but I know that's too much to ask for.

-Tim

> Daniel Krook wrote:
>
> > There's a very active thread on the PHP internals list regarding major
> > changes to PHP as suggested by Rasmus for version 6.
>
> There's some other stuff going on, too:
>
> http://shiflett.org/archive/135
>
> I'm optimistic about PHP's future after recent events.
> :-)
>
> Chris

From matt at jobsforge.com Sat Aug 13 11:16:25 2005
From: matt at jobsforge.com (Matthew Terenzio)
Date: Sat, 13 Aug 2005 11:16:25 -0400
Subject: [nycphp-talk] PHP 6 features discussion
In-Reply-To: <42FD8A2D.10303@acmgfcu.org>
References: <42FD8A2D.10303@acmgfcu.org>
Message-ID: <9c04b66e9e74c72575753213c4dc9262@jobsforge.com>

I used to think we needed a 'throws' keyword for methods.
As I tried to formulate my email, I changed my mind.

I'm no language architect, but it seems to me that in Java you define a method and let others know that it may throw a certain type of exception. That way they know in advance and MUST handle it or it won't compile.

But since we are not compiling, I guess all possible exceptions should be handled by the method or class creators, since it seems impossible to impart this knowledge to the class or method user. The class or method user shouldn't need to know anything about how the class works except what methods can be called, properties that are available etc.

I don't know really, though

-Matt

On Aug 13, 2005, at 1:50 AM, Timothy Boronczyk wrote:

> With all the buzz and focus on 5, I totally forgot the development
> cycle continues! Woops!
>
> Like Chris, I'm optimistic about PHP's future, too... I definitely like
> the idea of removing register_globals. I think the whole namespace
> thing (if implemented correctly) would be another big selling point; I
> hope that one can gain some support. Honestly, it would be nice too to
> have all the string functions have a consistent needle/haystack order
> as someone suggested too (it really is quite irksome), but I know that's
> too much to ask for.
>
> -Tim
>
>> Daniel Krook wrote:
>>
>>> There's a very active thread on the PHP internals list regarding
>>> major changes to PHP as suggested by Rasmus for version 6.
>>
>> There's some other stuff going on, too:
>>
>> http://shiflett.org/archive/135
>>
>> I'm optimistic about PHP's future after recent events.
>> :-)
>>
>> Chris

From codebowl at gmail.com Sat Aug 13 18:32:38 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Sat, 13 Aug 2005 18:32:38 -0400
Subject: [nycphp-talk] PHP 6 features discussion
In-Reply-To: <9c04b66e9e74c72575753213c4dc9262@jobsforge.com>
References: <42FD8A2D.10303@acmgfcu.org> <9c04b66e9e74c72575753213c4dc9262@jobsforge.com>
Message-ID: <8d9a428005081315321bddf0da@mail.gmail.com>

I would like to see the Type Hinting expanded in PHP 6. In 5 now you can do

class Test {
    public function testDatabase( Database $db ) {
    }
}

What if I wanted to make sure it was a String, Integer, Boolean, Float, etc.? I would like to see that added to the type hinting ;) I suggested it; hopefully they implement it ;)

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com

From plehrer at gmail.com Sun Aug 14 04:18:36 2005
From: plehrer at gmail.com (Peter Lehrer)
Date: Sun, 14 Aug 2005 04:18:36 -0400
Subject: [nycphp-talk] test
Message-ID:

test

From jbaltz at altzman.com Sun Aug 14 11:17:32 2005
From: jbaltz at altzman.com (Jerry B. Altzman)
Date: Sun, 14 Aug 2005 11:17:32 -0400
Subject: [nycphp-talk] hiring? ideas?
In-Reply-To: <1123879171.9025.37.camel@bezel>
References: <1123879171.9025.37.camel@bezel>
Message-ID: <42FF608C.70205@altzman.com>

On 8/12/2005 4:39 PM, Joel De Gan wrote:
> Hi all..
> Recently found out my job contract will be winding down and have been
> looking around various job boards and whatnot to see what the Manhattan
> job market is like.

My firm will be hiring soon. Why don't you forward me your CV?
Are you willing to do stuff *other* than PHP, if need be? //jbaltz -- jerry b. altzman jbaltz at altzman.com KE3ML thank you for contributing to the heat death of the universe. From jbaltz at altzman.com Sun Aug 14 11:18:30 2005 From: jbaltz at altzman.com (Jerry B. Altzman) Date: Sun, 14 Aug 2005 11:18:30 -0400 Subject: [nycphp-talk] hiring? ideas? In-Reply-To: <42FF608C.70205@altzman.com> References: <1123879171.9025.37.camel@bezel> <42FF608C.70205@altzman.com> Message-ID: <42FF60C6.1040307@altzman.com> On 8/14/2005 11:17 AM, Jerry B. Altzman wrote: [...grrr....] Sorry should have been offlist. Apologies! //jbaltz -- jerry b. altzman jbaltz at altzman.com KE3ML thank you for contributing to the heat death of the universe. From dmintz at davidmintz.org Sun Aug 14 13:59:49 2005 From: dmintz at davidmintz.org (David Mintz) Date: Sun, 14 Aug 2005 13:59:49 -0400 (EDT) Subject: [nycphp-talk] PHP 6 features discussion In-Reply-To: <9c04b66e9e74c72575753213c4dc9262@jobsforge.com> References: <42FD8A2D.10303@acmgfcu.org> <9c04b66e9e74c72575753213c4dc9262@jobsforge.com> Message-ID: On Sat, 13 Aug 2005, Matthew Terenzio wrote: > i used to think we needed a 'throws' keyword for methods. > As I tried to formulate my email, I changed my mind. > > I'm no language architect, but it seems to me that in Java you define a > method and let others know that it may throw a certain type of > exception. > That way they know in advance and MUST handle it or it won't compile. > But since we are not compiling, I guess all possible exceptions should > be handled by the method or class creators, since it seems impossible > to impart this knowledge to the class or method user. > the class or method user shouldn't need to know anything about how the > class works except what methods can be called, properties that are > available etc. 
> I don't know really , though It might be nice if at least, short of forcing you to catch or throw a la Java, you could set some sort of error reporting to alert you that you might have had an uncaught exception from called $some->method() at line xxx. (Yes I'm aware of set_exception_handler(), but still...). --- David Mintz http://davidmintz.org/ From michael.southwell at nyphp.org Mon Aug 15 18:03:20 2005 From: michael.southwell at nyphp.org (Michael Southwell) Date: Mon, 15 Aug 2005 18:03:20 -0400 Subject: [nycphp-talk] transparent session ID not working Message-ID: <6.1.2.0.2.20050815175450.021259a0@mail.optonline.net> Here is a problem which I have been able to work around but haven't been able to understand. 1. form script starts a session, shows a form, submits it to a checking script. 2. checking script starts a session and checks whether some fields have been filled in. If not, uses header to go back to the form with an appropriate reminder. If so, stores post info into session and uses header to go back to form script. 3. form script starts session, retrieves session info, and emails it. This works perfectly unless cookies are turned off. When cookies are turned off, the docs say that PHP will send the SID as a get variable. But when I test in Firefox/WinXP the SID is not passed, and so the session info is not available to the email, and so the form info is not sent. The host has session.use_cookies set on, and session.use_only_cookies set off, and session.use_trans_sid set on. This to me means that the sessions should be working even without cookies--but they aren't. What no doubt obvious thing am I overlooking? 
Michael Southwell, Vice President for Education
New York PHP
http://www.nyphp.com/training - In-depth PHP Training Courses

From rolan at omnistep.com Mon Aug 15 18:29:30 2005
From: rolan at omnistep.com (Rolan Yang)
Date: Mon, 15 Aug 2005 18:29:30 -0400
Subject: [nycphp-talk] transparent session ID not working
In-Reply-To: <6.1.2.0.2.20050815175450.021259a0@mail.optonline.net>
References: <6.1.2.0.2.20050815175450.021259a0@mail.optonline.net>
Message-ID: <4301174A.9080207@omnistep.com>

I try my best not to use header redirects if possible. Things get kind of hairy sometimes. In your case, PHP might not be appending the session ID to your header("Location:webform.php"). You might want to try something like:

    if (!isset($_COOKIE[session_name()])) {
        // no session cookie arrived, so carry the session ID in the URL
        // (session_name() is "PHPSESSID" by default, session_id() is the current ID)
        header("Location:webform.php?" . session_name() . "=" . session_id());
    } else {
        // otherwise do a standard redirect
        header("Location:webform.php");
    }

I haven't tested the above, but conceptually it should work.

~Rolan

Michael Southwell wrote:
>Here is a problem which I have been able to work around but haven't been
>able to understand.
>
>1. form script starts a session, shows a form, submits it to a checking
>script.
>2.
>

From shiflett at php.net Mon Aug 15 19:20:46 2005
From: shiflett at php.net (Chris Shiflett)
Date: Mon, 15 Aug 2005 19:20:46 -0400
Subject: [nycphp-talk] transparent session ID not working
In-Reply-To: <6.1.2.0.2.20050815175450.021259a0@mail.optonline.net>
References: <6.1.2.0.2.20050815175450.021259a0@mail.optonline.net>
Message-ID: <4301234E.5050102@php.net>

Michael Southwell wrote:
> This works perfectly unless cookies are turned off. When cookies are
> turned off, the docs say that PHP will send the SID as a get variable.

This depends on session.use_trans_sid. With it enabled, PHP will rewrite URLs (as necessary) according to url_rewriter.tags, which defaults to a=href,area=href,frame=src,input=src,form=fakeentry,fieldset=.
In other words, it's rewriting URLs in your HTML. It's not going to modify your calls to header() for you.

Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

From shiflett at php.net Mon Aug 15 19:26:23 2005
From: shiflett at php.net (Chris Shiflett)
Date: Mon, 15 Aug 2005 19:26:23 -0400
Subject: [nycphp-talk] transparent session ID not working
In-Reply-To: <4301174A.9080207@omnistep.com>
References: <6.1.2.0.2.20050815175450.021259a0@mail.optonline.net> <4301174A.9080207@omnistep.com>
Message-ID: <4301249F.6040705@php.net>

Rolan Yang wrote:
> I try my best not to use header redirects if possible. Things get kind
> of hairy sometimes.

[snip]

> header("Location:webform.php").

Whenever someone mentions inconsistent behavior with the use of the Location header, it always seems to be because they do not format the header properly. Try this:

    header('Location: http://example.org/webform.php');

The header() function is great - PHP gives us a lot of control over the exact HTTP response that we send. However, this is also an opportunity for us to screw up the format. Be careful. :-)

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

From sjmci at optonline.net Tue Aug 16 08:23:58 2005
From: sjmci at optonline.net (Steve Solomon)
Date: Tue, 16 Aug 2005 08:23:58 -0400
Subject: [nycphp-talk] transparent session ID not working
Message-ID: <000301c5a25d$60b12ed0$6601a8c0@T1400>

Re - session id not being passed when cookies are turned off.

The following has always worked for me even when cookies are turned off.

    header('location: xxx?PHPSESSID='.session_id());

Just makes the url's a little messy.

Steve Solomon, ROI Systems, Suffern, NY
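The three points made in this thread fit together into one redirect helper: session.use_trans_sid only rewrites URLs inside the HTML PHP emits (the tags in url_rewriter.tags) and never touches a header() call; the Location header must be formatted exactly; and the session ID belongs in the URL only when the browser did not send the session cookie. The code below is an added example written for this archive, not code from any of the posters or from PHP itself. The origin https://example.org and the script name /webform.php are assumed values.

```php
<?php
// Added example, not from the thread. A redirect that carries the session
// ID in the query string only when the session cookie did not arrive,
// which is the same rule PHP applies to its own SID constant when it
// rewrites URLs in HTML output. header() calls are never rewritten for you.

declare(strict_types=1);

/**
 * Build the absolute Location value for a redirect.
 *
 * @param string $origin      scheme and host, e.g. "https://example.org"
 *                            (assumed value; configure it rather than
 *                            deriving it from the client's Host header)
 * @param string $path        path within the site, e.g. "/webform.php"
 * @param array  $cookies     the request's cookies, normally $_COOKIE
 * @param string $sessionName session_name(), "PHPSESSID" by default
 * @param string $sessionId   session_id() of the active session
 */
function sessionRedirectUrl(string $origin, string $path, array $cookies,
                            string $sessionName, string $sessionId): string
{
    $url = rtrim($origin, '/') . '/' . ltrim($path, '/');

    // The cookie carried the ID: keep the URL clean.
    if (isset($cookies[$sessionName]) && $cookies[$sessionName] === $sessionId) {
        return $url;
    }

    // No matching cookie: propagate the ID in the query string. Name and ID
    // are URL-encoded so a malformed value cannot break the header line.
    $separator = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $separator . rawurlencode($sessionName) . '=' . rawurlencode($sessionId);
}

/**
 * Send the redirect and stop. The exact form "Location: <absolute URL>"
 * (capital L, a space after the colon) is what the thread recommends;
 * 303 makes the browser follow with GET even after a POSTed form.
 */
function redirectWithSession(string $origin, string $path): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $url = sessionRedirectUrl($origin, $path, $_COOKIE, session_name(), session_id());
    header('Location: ' . $url, true, 303);
    exit;
}

// Usage in the checking script (assumed origin and script name):
//   redirectWithSession('https://example.org', '/webform.php');
```

With cookies enabled, the first redirect of a brand-new session still gets the ID appended, because the Set-Cookie has only just been sent and was not part of the current request; every later redirect stays clean. With session.use_only_cookies off, as in Michael's hosting setup, PHP accepts the ID from the query string on the next request, so the flow works without cookies. An ID in a URL also ends up in browser history, server logs and Referer headers, so regenerate it with session_regenerate_id(true) once the user has authenticated, and prefer session.use_only_cookies=1 wherever cookies can be required.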
From gisolfi at us.ibm.com Tue Aug 16 09:00:16 2005
From: gisolfi at us.ibm.com (Dan Gisolfi)
Date: Tue, 16 Aug 2005 09:00:16 -0400
Subject: [nycphp-talk] Accessible Rich Internet Applications
In-Reply-To:
Message-ID:

Yesterday IBM made a formal announcement about our code contributions to Firefox 1.5 (due out this September) with respect to Accessibility. These announcements focused on the technology Laurent Hasson and I demonstrated to NYPHP back on July 26th. Since the technology is DHTML based, it is applicable to PHP programmers.

Details on the technology can be found at: www.mozilla.org/access/dhtml

Details on the announcement can be found at a variety of places:

IBM Contributes Open Source Code to Make FireFox Browser More Accessible
http://www.ibm.com/press/PressServletForm.wss?MenuChoice=pressreleases&TemplateName=ShowPressReleaseTemplate&SelectString=t1.docunid=7839&TableName=DataheadApplicationClass&SESSIONKEY=any&WindowTitle=Press+Release&STATUS=publish

IBM Contributes DHTML Accessibility Code to Mozilla
http://www.mozillazine.org/talkback.html?article=7162

IBM Donates Code to Firefox
http://slashdot.org/articles/05/08/15/1836246.shtml?tid=154&tid=136
http://www.internetnews.com/xSP/article.php/3527341

IBM helps Firefox reach disabled
http://news.com.com/IBM+helps+Firefox+reach+disabled/2100-1032_3-5833354.html

Dan Gisolfi

From chendry at gmail.com Tue Aug 16 09:10:10 2005
From: chendry at gmail.com (Christopher Hendry)
Date: Tue, 16 Aug 2005 06:10:10 -0700
Subject: [nycphp-talk] Accessible Rich Internet Applications
In-Reply-To:
References:
Message-ID: <769e4ce05081606107bf851b1@mail.gmail.com>

Thanks Dan for yours and IBM's effort in this area. Are you still interested in preparing a webcast of your presentation for those that missed it?
I'd be intrigued to see it again, as I've had more time to play with AJAX recently...though haven't gotten to testing RAD (and your JSF) yet. Whether the webcast is focused on your Javascript libraries or accessibility features, I'm sure there will be plenty interested (within and outside the NYPHP community). - Chris On 8/16/05, Dan Gisolfi wrote: > > Yesterday IBM made a formal announcement about our code contributions to > Firefox 1.5 (due out this September) with respect to Accessibility. These > announcements focused on the technology Laurent Hasson and I demonstrated to > NYPHP back on July 26th. Since the technology is DHTML based, it is > applicable to PHP programmers. > > Details on the technology can be found at: www.mozilla.org/access/dhtml > > Details on the announcement can be found at a variety of places: > > IBM Contributes Open Source Code to Make FireFox Browser More Accessible > http://www.ibm.com/press/PressServletForm.wss?MenuChoice=pressreleases&TemplateName=ShowPressReleaseTemplate&SelectString=t1.docunid=7839&TableName=DataheadApplicationClass&SESSIONKEY=any&WindowTitle=Press+Release&STATUS=publish > > IBM Contributes DHTML Accessibility Code to Mozilla > http://www.mozillazine.org/talkback.html?article=7162 > > IBM Donates Code to Firefox > http://slashdot.org/articles/05/08/15/1836246.shtml?tid=154&tid=136 > http://www.internetnews.com/xSP/article.php/3527341 > > IBM helps Firefox reach disabled > http://news.com.com/IBM+helps+Firefox+reach+disabled/2100-1032_3-5833354.html > > > Dan Gisolfi > _______________________________________________ > New York PHP Talk Mailing List > AMP Technology > Supporting Apache, MySQL and PHP > http://lists.nyphp.org/mailman/listinfo/talk > http://www.nyphp.org > > -- "When you do things right, people won't be sure you've done anything at all." 
From lists at zaunere.com Tue Aug 16 09:47:31 2005 From: lists at zaunere.com (Hans Zaunere) Date: Tue, 16 Aug 2005 09:47:31 -0400 Subject: [nycphp-talk] somewhat OT: open source code auditing In-Reply-To: <42FD0CD0.8050705@supertom.com> Message-ID: <0MKoyl-1E51mu2Tnq-00043i@mrelay.perfora.net> > Hey Folks, > > This is slightly off-topic, but I've just had the "higher-ups" come to > me asking about open source and coding audits. I'm not speaking about > collaborative tools or auditing from a security perspective, but rather > from a legal perspective. Simply put, how do you know were a piece of > code really came from? Maybe the SCO lawyers can help with this :) > I'm hoping that others on the list have gone through this (or are > actually going through it now) and can provide some insight. > > Some general questions: > 1. When you decide to use a piece of open source software, what do you > document? (package name, authors, download location, website, license, > date/time, etc) > 2. Do you feel the need to actually verify that they wrote it? Or is > it enough to say, "This is a popular package, and it is generally > accepted that this person wrote it." This really comes down to the license. If it's GPL, you basically are legally bound to make your "derived works" public as well. Of course, what defines derived works is not something clearly defined. > As this could relate to PHP: > 1. The PEAR and PECL repositories - is there anything built into the > package approval process that looks for this? I didn't see anything on > the website. I would imagine that some Google searches probably occur > just to make sure this package > 2. Code posted on the PHP site by users? Is that "free" to use? Ugh - there's that word again, free :) > I realize that most of us aren't lawyers, and we're getting help from > our legal team, but any help you can provide is greatly appreciated. It's certainly a sticky area. 
But, keep in mind, that most of the larger open source projects, like PHP and Apache, are licensed using a BSD style license. These questions should only be answered by lawyers, but most source from PEAR and PECL should have a header indicating the license. Typically, this is the PHP license, and so you're likely safe - but again, no one really knows :) H From michael.southwell at nyphp.org Tue Aug 16 09:48:52 2005 From: michael.southwell at nyphp.org (Michael Southwell) Date: Tue, 16 Aug 2005 09:48:52 -0400 Subject: [nycphp-talk] transparent session ID not working In-Reply-To: <000301c5a25d$60b12ed0$6601a8c0@T1400> References: <000301c5a25d$60b12ed0$6601a8c0@T1400> Message-ID: <6.1.2.0.2.20050816094515.02156e90@mail.optonline.net> At 08:23 AM 8/16/2005, you wrote: >Re - session id not being passed when cookies are turned off. > >The following has always worked for me even when cookies are turned off. > >header('location: xxx?PHPSESSID='.session_id()); yes, that does it (and as is usually the case, obvious once somebody says it); thanks. But as Chris Shiflett notes, header() format is important: the L in location should be capitalized, and there should be a space after the colon (it looks as though you do have one). >Just makes the url's a little messy. 
>
>Steve Solomon, ROI Systems, Suffern, NY
>
>
>_______________________________________________
>New York PHP Talk Mailing List
>AMP Technology
>Supporting Apache, MySQL and PHP
>http://lists.nyphp.org/mailman/listinfo/talk
>http://www.nyphp.org

Michael Southwell, Vice President for Education
New York PHP
http://www.nyphp.com/training - In-depth PHP Training Courses

From ashaw at iifwp.org Tue Aug 16 11:53:51 2005
From: ashaw at iifwp.org (Allen Shaw)
Date: Tue, 16 Aug 2005 11:53:51 -0400
Subject: [nycphp-talk] character set filtering
Message-ID: <43020C0F.3020203@iifwp.org>

Hi All,

I've googled around a little but probably am not using the right key words, so I ask for a few suggestions:

Our online database system is meant sooner or later to allow several thousand of our contacts to start updating their own data records (with careful data screening on our side of course). The big sticking point for me is that we can't have them submitting it in just whatever character set they want. For example, we don't want to let a Japanese user send in his name in Chinese characters, or any kind of kana either; the Koreans shouldn't be allowed to submit Hangul, etc., etc. So somewhere in the system I have to screen user input to be sure it's limited to a certain character set.

Questions I'm struggling with along this line are these:

* What character set shall we use? (For example, of course we don't allow Chinese, Thai, Arabic, etc., but what about umlauts and the occasional enye?) That's an internal decision for us, I'm sure, but do you know of technical points I should be sure to consider?

* How will I screen the incoming data? Do I just hack some regex together and run everything through it, or is there a library I should consider, etc.?

* How totally without clue am I about this whole topic?
If you have specific examples of sites that are doing a good job with this, or links to more I could read on the topic, that would be great, but I'd love to hear any suggestions or experience you can share. Thanks, Allen -- Allen Shaw Polymer (http://polymerdb.org) Fine-grained control over how your users access your data: user permissions, reports, forms, ad-hoc queries -- all centrally managed. From joel at tagword.com Tue Aug 16 13:30:04 2005 From: joel at tagword.com (Joel De Gan) Date: Tue, 16 Aug 2005 13:30:04 -0400 Subject: [nycphp-talk] hiring? ideas? In-Reply-To: <42FF608C.70205@altzman.com> References: <1123879171.9025.37.camel@bezel> <42FF608C.70205@altzman.com> Message-ID: <1124213404.8997.24.camel@bezel> Hey there.. The resume was in the posting.. http://tenshimedia.com/joel/ and yes.. PHP is just one of many skills I currently have. cheers -joel On Sun, 2005-08-14 at 11:17 -0400, Jerry B. Altzman wrote: > On 8/12/2005 4:39 PM, Joel De Gan wrote: > > Hi all.. > > Recently found out my job contract will be winding down and have been > > looking around various job boards and whatnot to see what the Manhattan > > job market is like. > > My firm will be hiring soon. Why don't you forward me your CV? Are you > willing to do stuff *other* than PHP, if need be? > > //jbaltz From john at coolmacgames.com Tue Aug 16 12:18:53 2005 From: john at coolmacgames.com (John Nunez) Date: Tue, 16 Aug 2005 12:18:53 -0400 Subject: [nycphp-talk] September Talk In-Reply-To: <42FC856A.6040209@php.net> References: <42FC856A.6040209@php.net> Message-ID: I would like to heard more on this subject. I won't make it to Sept.'s talk but what about podcasting it with slides? On Aug 12, 2005, at 7:18 AM, Chris Shiflett wrote: > 2. 
> PHP Security Audit HOWTO
> Intermediate/Lecture
> 60 Minutes

From ps at pswebcode.com Tue Aug 16 13:17:09 2005
From: ps at pswebcode.com (Peter Sawczynec)
Date: Tue, 16 Aug 2005 13:17:09 -0400
Subject: [nycphp-talk] September Talk
In-Reply-To:
Message-ID: <004501c5a286$64954a30$6500a8c0@Liz>

Can't agree more. Security topics as related to all installations, administration and in development should be advanced. In books security steps should be Chapter 3, not Chapter 11. In discussions security should be in Part 2, not in the closing Q&A. In READMEs security steps should be organized and grouped near the top of the file. In seminars recommended security should be discussed in the early hours of presentation.

Security steps should not be recommended later; they must be early, mandatory, and restrictive.

E.g.: kudos to MySQL for their most recent installer that clearly enjoins a password on root before deployment.

Why are installs by default too insecure, and users have to stumble onto the secure methods after the fact? Why not install locked down and let users stumble onto the loosening methods after the fact?

Peter

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of John Nunez
Sent: Tuesday, August 16, 2005 12:19 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] September Talk

I would like to hear more on this subject. I won't make it to Sept.'s talk, but what about podcasting it with slides?

On Aug 12, 2005, at 7:18 AM, Chris Shiflett wrote:

> 2.
PHP Security Audit HOWTO > Intermediate/Lecture > 60 Minutes _______________________________________________ New York PHP Talk Mailing List AMP Technology Supporting Apache, MySQL and PHP http://lists.nyphp.org/mailman/listinfo/talk http://www.nyphp.org From 1j0lkq002 at sneakemail.com Tue Aug 16 17:19:44 2005 From: 1j0lkq002 at sneakemail.com (inforequest) Date: Tue, 16 Aug 2005 14:19:44 -0700 Subject: [nycphp-talk] September Talk In-Reply-To: <004501c5a286$64954a30$6500a8c0@Liz> References: <004501c5a286$64954a30$6500a8c0@Liz> Message-ID: <26848-59980@sneakemail.com> Peter Sawczynec ps-at-pswebcode.com |nyphp dev/internal group use| wrote: >E.g.: kudos to MySQL for their most recent installer that clearly enjoins a >password on root before deployment. > >Why are installs by default too insecure and users have to stumble onto the >secure methods after the fact. Why not install locked down and let users >stumble onto the loosening methods after the fact. > >Peter > > Because it is desired to have new users functional and appreciative of the system immediately, so they can see the good, and what differentiates the product from other options which are likely already professionally installed and configured on site. I suspect the looseness of default security is proportional to the rate of adoption by new technology users. Loose defaults = more initial adoption, strict defaults = more dropped users. I also suspect MySQL's imposing a default root pw has more to do with their lessened need to accommodate new users now that they are "established", than the call for increased default security. As many can attest, a strong root pw on a fresh install of MySQL does not a secure environment make. 
-=john andrews www.seo-fun.com From ps at pswebcode.com Tue Aug 16 18:14:31 2005 From: ps at pswebcode.com (Peter Sawczynec) Date: Tue, 16 Aug 2005 18:14:31 -0400 Subject: [nycphp-talk] September Talk In-Reply-To: <26848-59980@sneakemail.com> Message-ID: <006301c5a2af$eee99870$6500a8c0@Liz> I follow your thread entirely and empathize marginally with the observations. Further, though, I'll note that we all understand that we must pass a written test and road test to get a license to drive and almost the entire emphasis is on safety in this driving learning curve. We don't let newbie drivers just careen about unsafely at first just to get them on the road and adapted to driving. We don't let new electricians wire away till they get it right. I believe that the defacto standard for out of the box product and programming will become more like "locked down, instant secure setup", "data encrypted", "all SSL" and "no anonymous access". We will all be reading on newbie forums questions like: "How do I let my users access their admin site without a strong password or Smart card." And the answers will be: "Typically impossible. Why would you do that anyway, newbie?" I can only hope. Because I really want to use and trust the internet for banking, personal storage, controlling my home and appliances, and using a "safe" ATM without concern that my PIN is being scarfed by the staff behind the counter. Doesn't it bother you that emails and web sites have become digital ambushes. That dealing with your own bank has become caveat emptor. This is our personal privacy at stake and the forward reputation of our entire industry is in the cusp. I think we will need to look towards some self regulation or at least a common set of minimum standards for large-scale opensource projects. Maybe even have code get an association's security endorsement similar to Underwriters Laboratories, say. 
I'd certainly like to hear from more programmer's who believe that insecure programming methods can still be endorsed in any way. We need a security spearhead, one programmer, one product at a time, if that is what it takes. Peter -----Original Message----- From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of inforequest Sent: Tuesday, August 16, 2005 5:20 PM To: talk at lists.nyphp.org Subject: Re: [nycphp-talk] September Talk Peter Sawczynec ps-at-pswebcode.com |nyphp dev/internal group use| wrote: >E.g.: kudos to MySQL for their most recent installer that clearly >enjoins a password on root before deployment. > >Why are installs by default too insecure and users have to stumble onto >the secure methods after the fact. Why not install locked down and let >users stumble onto the loosening methods after the fact. > >Peter > > Because it is desired to have new users functional and appreciative of the system immediately, so they can see the good, and what differentiates the product from other options which are likely already professionally installed and configured on site. I suspect the looseness of default security is proportional to the rate of adoption by new technology users. Loose defaults = more initial adoption, strict defaults = more dropped users. I also suspect MySQL's imposing a default root pw has more to do with their lessened need to accommodate new users now that they are "established", than the call for increased default security. As many can attest, a strong root pw on a fresh install of MySQL does not a secure environment make. 
-=john andrews www.seo-fun.com _______________________________________________ New York PHP Talk Mailing List AMP Technology Supporting Apache, MySQL and PHP http://lists.nyphp.org/mailman/listinfo/talk http://www.nyphp.org From matt at jobsforge.com Tue Aug 16 18:41:02 2005 From: matt at jobsforge.com (Matthew Terenzio) Date: Tue, 16 Aug 2005 18:41:02 -0400 Subject: [nycphp-talk] September Talk In-Reply-To: <006301c5a2af$eee99870$6500a8c0@Liz> References: <006301c5a2af$eee99870$6500a8c0@Liz> Message-ID: <9e8fd2702de566a1f8e5baa3241a03c7@jobsforge.com> > > I believe that the defacto standard for out of the box product and > programming will become more like "locked down, instant secure setup", > "data > encrypted", "all SSL" and "no anonymous access". > > We will all be reading on newbie forums questions like: "How do I let > my > users access their admin site without a strong password or Smart > card." And > the answers will be: "Typically impossible. Why would you do that > anyway, > newbie?" > > I agree and disagree. I think it's great that FreeBSD comes shipped without the ability to SSH in as root. I was used to that ability in Red Hat, and when I tried FreeBSD, I was surprised for a moment, but then I thought about it, and if I ever use a Linux distro that allows that, it will be the first thing I change. But security is a moving target. A lot of hardening is in response to exploits, not as a result of pre-engineering. So, while I'm glad that experts may be willing to start things off with heightened security, I realize that security is an ongoing process. No average web programmer would be comfortable with the "secure" setup of a web security "expert" of five years ago. From 1j0lkq002 at sneakemail.com Tue Aug 16 18:45:08 2005 From: 1j0lkq002 at sneakemail.com (inforequest) Date: Tue, 16 Aug 2005 15:45:08 -0700 Subject: [nycphp-talk] September Talk -- getting OT on the security issue (again) but it is sooooo important, no? Some cynicism enclosed. 
In-Reply-To: <006301c5a2af$eee99870$6500a8c0@Liz>
References: <006301c5a2af$eee99870$6500a8c0@Liz>
Message-ID: <18035-70033@sneakemail.com>

Peter Sawczynec ps-at-pswebcode.com |nyphp dev/internal group use| wrote:

>I believe that the de facto standard for out of the box product and
>programming will become more like "locked down, instant secure setup", "data
>encrypted", "all SSL" and "no anonymous access".
>

If that wish came true, there would be an immediate market for new systems that are not locked down. "Find a need and fill it" is a truism of free markets (and even not-so-free markets).

>I can only hope. Because I really want to use and trust the internet for
>banking, personal storage, controlling my home and appliances, and using a
>"safe" ATM without concern that my PIN is being scarfed by the staff behind
>the counter.
>

In my OPINION, therein lies the error. Where there is TRUST there will be exploitation, so whatever is behind the lock must be additionally protected against the inevitable exploitation. IMHO those who are LICENSED or otherwise REGULATED (in other words, those who have been granted a public trust -- like bankers) should be held accountable for the consequences of exploitations of systems which they have "trusted". That is the missing link, and until it is found should "we" be putting valuable assets (e.g. info) online?

If my home appliances can be turned on remotely, they should not turn on unless I myself did it. If they do turn on and I didn't do it, I should not be responsible for the consequences. Who should? How can that accountable party make sure it was ME turning them on? Until technology can solve that, we should not make my home appliances part of the public internet.

Until you are prepared to license the internet, it may be best NOT to trust it. Heresy... you bet!

>That dealing with your own bank has become caveat emptor.
>

You have ALWAYS been wise to deal carefully with your bank.
Sometimes I think a few generations of Americans raised by post-war parents were spoiled with a mythical trusted government/trusted "system" belief, and that the recent world events are not so much highlighting a new problem, but contradicting the false hopes put forth in that upbringing. Welcome to reality, and I am sorry to hear you were misled.

>I'd certainly like to hear from more programmers who believe that insecure
>programming methods can still be endorsed in any way.
>

I often arrive at the same conclusion on these issues: grant partial ownership (and subsequent accountability) to the coders. Secure programming is needed to the extent that the product behind the lock needs protection. Place the burden of PROTECTION onto the people building the locks, and the whole world changes.

Consider what would happen if you held locksmiths accountable for losses whenever a lock was picked or otherwise evaded. What would happen? A whole slew of locksmiths would refuse to put locks onto doors, because they knew the locks would not prevent theft. They would need to know WHAT WAS BEING PROTECTED, WHAT OTHER ACTORS PARTICIPATED IN THE ENVIRONMENT, and would want some assurances that the system would not be used for other purposes than that for which it was designed and approved.

Now consider programming.....

I don't believe we could advance if we didn't build imperfect systems and analyze them. I don't think we could achieve social security without experiencing exploits and learning from them. I also don't believe we should trust these systems when we know they are not trustworthy (!)
I leave the "why we do that anyway" as an exercise for the reader ;-) Suggested reading: RISKS Digest (mailing list), Systemantics (book), Translucent databases (concept and book), HIPAA (code of federal regulations -- good luck) -=john andrews www.seo-fun.com From 1j0lkq002 at sneakemail.com Tue Aug 16 18:53:27 2005 From: 1j0lkq002 at sneakemail.com (inforequest) Date: Tue, 16 Aug 2005 15:53:27 -0700 Subject: [nycphp-talk] September Talk - security discussion references In-Reply-To: <9e8fd2702de566a1f8e5baa3241a03c7@jobsforge.com> References: <006301c5a2af$eee99870$6500a8c0@Liz> <9e8fd2702de566a1f8e5baa3241a03c7@jobsforge.com> Message-ID: <17395-62322@sneakemail.com> RISKS Digest http://www.csl.sri.com/users/risko/risks.txt Systemantics This classic book by John Galls, well out of print. Whomever borrowed my copy failed to return it (I promise I won't say a word of complaint if you simply return it to me! Please?) Here is a summary http://www.answers.com/topic/systemantics here is Amazon : http://www.amazon.com/gp/product/customer-reviews/0812906748/ref=cm_cr_dp_pt/002-4625474-0696068?%5Fencoding=UTF8&n=507846&s=books Translucent Databases http://www.oreillynet.com/pub/a/network/2002/08/02/simson.html http://www.wayner.org/books/td/faq.php http://slashdot.org/article.pl?sid=02/06/26/1342218 ----------------------------------------------------------------------------------- -=john andrews www.seo-fun.com From hans at cyberxdesigns.com Tue Aug 16 20:28:53 2005 From: hans at cyberxdesigns.com (Hans C. Kaspersetz) Date: Tue, 16 Aug 2005 20:28:53 -0400 Subject: [nycphp-talk] September Talk - security discussion references In-Reply-To: <17395-62322@sneakemail.com> References: <006301c5a2af$eee99870$6500a8c0@Liz> <9e8fd2702de566a1f8e5baa3241a03c7@jobsforge.com> <17395-62322@sneakemail.com> Message-ID: <430284C5.1070506@cyberxdesigns.com> Someone near and dear told me when I was about 10 that 'Locks are to keep honest people honest.' 
I keep that bit of wisdom close to heart when closing my windows at home and building systems.

HCK

From hendler at simmons.edu Wed Aug 17 07:17:00 2005
From: hendler at simmons.edu (Jonathan)
Date: Wed, 17 Aug 2005 07:17:00 -0400
Subject: [nycphp-talk] Graph Data Structures
In-Reply-To:
References: <42FD8A2D.10303@acmgfcu.org> <9c04b66e9e74c72575753213c4dc9262@jobsforge.com>
Message-ID: <43031CAC.1080006@simmons.edu>

I'm trying to formulate a question out of this. If there isn't one here, I hope the read is interesting.

My goal is to create the simplest efficient graph data structures - that allow for cycles.

The reason one would want cycles in a graph is the following:
a->b
and
b->a
(or b->a again with another arc (also known as a hypergraph))
or
a->a

where '->' is an arc

Even if the arcs are labeled, the data in 'a' is something I don't want to duplicate.

I am using php version 4.3.11

If I try to do this with a simple php array:

    $a = array();
    $b = array();
    $a['b'] = & $b;
    $b['a'] = & $a;
    print_r($a);

    Array
    (
        [a] => Array
            (
                [b] => Array
                    (
                        [a] => Array
     *RECURSION*
                    )
            )
    )

I get this recursion error. Or, perhaps this is not an error at all. But I can't seem to use this function:

    function recursive_print($array) {
        foreach ($array as $key => $value) {
            if (is_array($value)) {
                // prints the key, a line break, then descends into the nested array
                echo $key . "\n" . recursive_print($value);
            } else {
                echo 'end' . $value;
            }
        }
    }

So I went to the PEAR site - http://pear.php.net/package/Structures_Graph

This pear package doesn't throw any errors but it also seems to balk - although I am not sure the *RECURSION* will affect functionality

    include 'Structures/Graph.php';
    $directedGraph =& new Structures_Graph(true);
    $nodeOne =& new Structures_Graph_Node();
    $nodeTwo =& new Structures_Graph_Node();
    $directedGraph->addNode(&$nodeOne);
    $directedGraph->addNode(&$nodeTwo);
    $nodeOne->connectTo($nodeTwo);
    $nodeTwo->connectTo($nodeOne);

Inside the code I found a comment about the Zend engine before the data structure proceeds to iteratively loop through the nodes to see if there are duplicates.

    /* ZE1 equality operators choke on the recursive cycle introduced by the _graph field in the Node object. So, we'll check references the hard way */

Even so, print_r produces many recursion warnings.

Maybe I am just trying to use a hammer for a screwdriver. But can anyone offer any insight here?

Thanks,

- Jonathan Hendler

From codebowl at gmail.com Wed Aug 17 08:53:47 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Wed, 17 Aug 2005 08:53:47 -0400
Subject: [nycphp-talk] PHP 5 Objects
Message-ID: <8d9a428005081705534ed0deec@mail.gmail.com>

Guys,

Is there a way to accomplish this? I am creating a set of objects for storing objects serialized across pages. I have the following

The issue I am running into is when I save an object, how do I know what type the object is? How do I know it is of type User/Database/FileObject, etc... I cannot simply go through a ton of if statements, and I cannot force each class to have a __tostring() method.

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
URL:

From codebowl at gmail.com Wed Aug 17 08:54:50 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Wed, 17 Aug 2005 08:54:50 -0400
Subject: [nycphp-talk] PHP 5 Objects
In-Reply-To: <8d9a428005081705534ed0deec@mail.gmail.com>
References: <8d9a428005081705534ed0deec@mail.gmail.com>
Message-ID: <8d9a428005081705546c1ff149@mail.gmail.com>

Ignore this, I found the get_class() function ;)

-- 
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From ken at secdat.com Wed Aug 17 09:47:44 2005
From: ken at secdat.com (Kenneth Downs)
Date: Wed, 17 Aug 2005 09:47:44 -0400 (EDT)
Subject: [nycphp-talk] Graph Data Structures
In-Reply-To: <43031CAC.1080006@simmons.edu>
References: <42FD8A2D.10303@acmgfcu.org> <9c04b66e9e74c72575753213c4dc9262@jobsforge.com> <43031CAC.1080006@simmons.edu>
Message-ID: <58736.38.117.147.25.1124286464.squirrel@38.117.147.25>

Jonathan,

Have you considered putting the nodes into one array, and the arcs into a second?

$nodes = array('a'=>array(..info..),'b'=>array(..info..));

$arcs = array(array('a','b'),array('b','a'));

This allows each node's info to be stored only once, and allows you to then treat the arcs cleanly, allowing or disallowing any combo you may choose.

You may have to write a little of your code to walk through things, but you'll have complete integrity and control.

> My goal is to create the simplest efficient graph data structures - that
> allow for cycles.
>
> Even if the arcs are labelled, the data in 'a' is something I don't want
> to duplicate.
>
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org

-- 
Kenneth Downs
Secure Data Software
631-379-0010
ken at secdat.com
PO Box 708
East Setauket, NY 11733

From dcech at phpwerx.net Wed Aug 17 09:55:57 2005
From: dcech at phpwerx.net (Dan Cech)
Date: Wed, 17 Aug 2005 09:55:57 -0400
Subject: [nycphp-talk] Graph Data Structures
In-Reply-To: <58736.38.117.147.25.1124286464.squirrel@38.117.147.25>
References: <42FD8A2D.10303@acmgfcu.org> <9c04b66e9e74c72575753213c4dc9262@jobsforge.com> <43031CAC.1080006@simmons.edu> <58736.38.117.147.25.1124286464.squirrel@38.117.147.25>
Message-ID: <430341ED.1030408@phpwerx.net>

Kenneth,

That seems to be a very elegant solution to the problem, top stuff!
Dan

Kenneth Downs wrote:
> Jonathan,
>
> Have you considered putting the nodes into one array, and the arcs into a
> second?
>
> $nodes = array('a'=>array(..info..),'b'=>array(..info..));
>
> $arcs = array(array('a','b'),array('b','a'))
>
> This allows each node's info to be stored only once, and allows you to
> then treat the arcs cleanly, allowing or disallowing any combo you may
> choose.
>
> You may have to write a little of your code to walk through things, but
> you'll have complete integrity and control.

From dwclifton at gmail.com Wed Aug 17 10:21:21 2005
From: dwclifton at gmail.com (Douglas Clifton)
Date: Wed, 17 Aug 2005 10:21:21 -0400
Subject: [nycphp-talk] Graph Data Structures
In-Reply-To:
References:
Message-ID: <7d6cdcb0508170721228ae485@mail.gmail.com>

Is it mandatory that you use PHP to solve your problem?

If not, then I suggest you consider using Perl. Unless I'm mistaken, there doesn't seem to be quite the codebase in PHP for these sorts of abstract computer science problems. Perl is another story. CPAN contains 1000s of modules for this kind of thing, and a quick search revealed this promising package:

http://search.cpan.org/~jhi/Graph-0.66/lib/Graph.pod

Gasp! Someone posting a message about Perl to a PHP mailing list?
Let me tell you, I was using Perl long before PHP was nothing but a bunch of CGI scripts (written in Perl mind you, and later in C).

Also, the languages are very similar, so you may be able to port the Perl Graph library to PHP. HTH ~d

-- 
Douglas Clifton
dwclifton at gmail.com
http://loadaveragezero.com/
http://loadaveragezero.com/app/s9y/
http://loadaveragezero.com/drx/rss/recent

> ---------- Forwarded message ----------
> From: Jonathan
> To: NYPHP Talk
> Date: Wed, 17 Aug 2005 07:17:00 -0400
> Subject: [nycphp-talk] Graph Data Structures
> I'm trying to formulate a question out of this. If there isn't one here, I
> hope the read is interesting.
> My goal is to create the simplest efficient graph data structures - that
> allow for cycles.

From hendler at simmons.edu Wed Aug 17 10:32:59 2005
From: hendler at simmons.edu (Jonathan)
Date: Wed, 17 Aug 2005 10:32:59 -0400
Subject: [nycphp-talk] Graph Data Structures
In-Reply-To: <58736.38.117.147.25.1124286464.squirrel@38.117.147.25>
References: <42FD8A2D.10303@acmgfcu.org> <9c04b66e9e74c72575753213c4dc9262@jobsforge.com> <43031CAC.1080006@simmons.edu> <58736.38.117.147.25.1124286464.squirrel@38.117.147.25>
Message-ID: <43034A9B.70001@simmons.edu>

Hi Kenneth,

Thanks very much. I like what you have posted!
I think I would add keys to the arrays and add one more dimension so that there can be multiple graphs with the same label.
$arcs['likes'][] = array('a','a');
$arcs['likes'][] = array('a','b');
$arcs['knows'][] = array('a','b');

$arcs['knows'][] = array('b','a');
$arcs['confusedby'][] = array('b','a');

I can get the functionality I need from this.
I wonder how scalable this is. What if there are over 5 million arcs? My traversal algorithms would have to be very efficient.

Another package I am looking at for graph manipulation is bundled with the PHP RDF package RAP.

http://www.wiwiss.fu-berlin.de/suhl/bizer/rdfapi
http://www.wiwiss.fu-berlin.de/suhl/bizer/rdfapi/tutorial/usingNamedGraphs.htm#ng-intro

They use quads - where a quad is a labelled graph. In the above data structure, a new graph would just be a new set of arcs. So it looks like nothing is missing from this array based graph.

Hmm, or why not

$arcs['a']['likes']['b'] = true;
$arcs['b']['likes']['b'] = false;

or

$arcs['b']['likes']['chocolate'][] = '80%';
$arcs['b']['likes']['chocolate'][] = 'quite significantly';

Then I can have a "triple" with a label and a value.

This could be interesting.

Kenneth Downs wrote:
>Jonathan,
>
>Have you considered putting the nodes into one array, and the arcs into a
>second?
>
>$nodes = array('a'=>array(..info..),'b'=>array(..info..));
>
>$arcs = array(array('a','b'),array('b','a'))
>
>This allows each node's info to be stored only once, and allows you to
>then treat the arcs cleanly, allowing or disallowing any combo you may
>choose.
>
>You may have to write a little of your code to walk through things, but
>you'll have complete integrity and control.
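The nodes-plus-arcs layout Kenneth suggested, with the labelled arcs Jonathan sketched in the message above, worked through as an added example. This is editor-supplied code, not code from the thread, from Structures_Graph or from RAP; it assumes PHP 7.4 or later, and the node ids, labels and node data are made up. The point it demonstrates is the one the print_r experiment ran into: arcs refer to nodes by id, so a->b, b->a and a->a are ordinary entries, each node's data is stored once, and both the walk and the dump keep a visited set, which is exactly what a naive recursive print over self-referencing arrays lacks.

```php
<?php
// Added example, not code from the thread: Kenneth's "nodes in one array,
// arcs in another" layout with Jonathan's arc labels, plus a traversal and
// a dump that tolerate cycles. Assumes PHP 7.4+. Node ids, labels and the
// node data below are made up.
declare(strict_types=1);

final class LabelledGraph
{
    /** @var array<string, array> node id => node data, stored exactly once */
    private array $nodes = [];

    /** @var array<string, array<string, array<string, bool>>> from => label => to => true */
    private array $arcs = [];

    public function addNode(string $id, array $data = []): void
    {
        $this->nodes[$id] = $data;
    }

    public function addArc(string $from, string $label, string $to): void
    {
        // Arcs hold node ids, not copies of node data, so a->b, b->a and a->a
        // are ordinary entries and nothing is duplicated.
        foreach ([$from, $to] as $id) {
            if (!isset($this->nodes[$id])) {
                throw new InvalidArgumentException("unknown node '$id'");
            }
        }
        $this->arcs[$from][$label][$to] = true;
    }

    /** Out-neighbours of $id, optionally only along arcs carrying one label. */
    public function neighbours(string $id, ?string $label = null): array
    {
        $out = [];
        foreach ($this->arcs[$id] ?? [] as $arcLabel => $targets) {
            if ($label === null || $arcLabel === $label) {
                foreach (array_keys($targets) as $to) {
                    $out[(string) $to] = true;
                }
            }
        }
        return array_map('strval', array_keys($out));
    }

    /**
     * Depth-first walk from $start. A node is queued only the first time it is
     * seen, so a->b->a terminates instead of recursing forever the way a naive
     * recursive print over self-referencing arrays does.
     */
    public function reachable(string $start, ?string $label = null): array
    {
        $seen  = [$start => true];
        $order = [];
        $stack = [$start];
        while ($stack !== []) {
            $id = array_pop($stack);
            $order[] = $id;
            foreach ($this->neighbours($id, $label) as $next) {
                if (!isset($seen[$next])) {
                    $seen[$next] = true;
                    $stack[] = $next;
                }
            }
        }
        return $order;
    }

    /** Text dump: each node once, then its outgoing arcs; no *RECURSION* markers. */
    public function dump(): string
    {
        $lines = [];
        foreach ($this->nodes as $id => $data) {
            $lines[] = $id . ' ' . json_encode($data);
            foreach ($this->arcs[$id] ?? [] as $label => $targets) {
                foreach (array_keys($targets) as $to) {
                    $lines[] = "  -[$label]-> $to";
                }
            }
        }
        return implode("\n", $lines) . "\n";
    }
}

// Constructed sample graph: a likes a and b, a knows b, b knows a, b is confused by a.
$g = new LabelledGraph();
$g->addNode('a', ['name' => 'Alice']);
$g->addNode('b', ['name' => 'Bob']);
$g->addArc('a', 'likes', 'a');
$g->addArc('a', 'likes', 'b');
$g->addArc('a', 'knows', 'b');
$g->addArc('b', 'knows', 'a');
$g->addArc('b', 'confusedby', 'a');

echo $g->dump();
echo 'reachable from a: ', implode(',', $g->reachable('a')), "\n";
echo "reachable from b along 'likes': ", implode(',', $g->reachable('b', 'likes')), "\n";
```

The arcs are indexed from => label => to, so the `$arcs['a']['likes']['b'] = true` shape from the message above is what is stored; a labelled walk is just a filter on the middle key, and adding a second graph is adding a second set of labels rather than copying node data.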
From hendler at simmons.edu Wed Aug 17 10:45:25 2005
From: hendler at simmons.edu (Jonathan)
Date: Wed, 17 Aug 2005 10:45:25 -0400
Subject: [nycphp-talk] Graph Data Structures
In-Reply-To: <7d6cdcb0508170721228ae485@mail.gmail.com>
References: <7d6cdcb0508170721228ae485@mail.gmail.com>
Message-ID: <43034D85.1090604@simmons.edu>

Hi Douglas,

Perl is a perfectly rational choice and more proven for lower level number crunching and data structures than PHP, I believe. Python would also be a good choice. To reflect on language choice for certain problems is important. There are also graph libraries in C (http://www.cs.princeton.edu/~rs/) that could be used as custom/dynamically loading modules in PHP. Can I make a feature request for PHP 6 - a native and fast graph manipulation library?

I chose PHP because it's so widely deployed in web hosting environments. Can I embed/call perl functions in php easily? (PHP doesn't run on Parrot yet)

- Jonathan

PS

I also chose PHP because I started using PHP long after you were using Perl ;)

Douglas Clifton wrote:
>Is it mandatory that you use PHP to solve your problem?
>
>If not, then I suggest you consider using Perl. Unless I'm
>mistaken, there doesn't seem to be quite the codebase
>in PHP for these sorts of abstract computer science
>problems. Perl is another story.
>
>Also, the languages are very similar, so you may be able
>to port the Perl Graph library to PHP. HTH ~d

From hendler at simmons.edu Wed Aug 17 11:42:01 2005
From: hendler at simmons.edu (Jonathan)
Date: Wed, 17 Aug 2005 11:42:01 -0400
Subject: [nycphp-talk] Graph Data Structures
In-Reply-To: <43034D85.1090604@simmons.edu>
References: <7d6cdcb0508170721228ae485@mail.gmail.com> <43034D85.1090604@simmons.edu>
Message-ID: <43035AC9.1040206@simmons.edu>

Doug,

I found these articles relating to using perl from within PHP. Not sure about performance.

http://wiki.cc/php/Perl
http://www.zend.com/php5/articles/php5-perl.php

Have you used these techniques? Any idea if perl.so is cross platform?

Jonathan wrote:
>I chose PHP because it's so widely deployed in web hosting environments.
>Can I embed/call perl functions in php easily? (PHP doesn't run on
>Parrot yet)

From dmintz at davidmintz.org Wed Aug 17 13:05:00 2005
From: dmintz at davidmintz.org (David Mintz)
Date: Wed, 17 Aug 2005 13:05:00 -0400 (EDT)
Subject: [nycphp-talk] CLI output question
Message-ID:

How do you print to STDOUT so that what you're printing ~replaces~ what you previously printed to STDOUT, instead of appending? You know, like the way the PEAR installer shows you download progress with a byte counter that keeps updating itself?

I haven't been able to Google this effectively because I don't quite know how to put it.

I looked around for a PEAR package but couldn't find any. I examined some of the source involved in the pear installer but also came up empty.

Thanks,

---
David Mintz
http://davidmintz.org/

From scott at crisscott.com Wed Aug 17 13:12:29 2005
From: scott at crisscott.com (Scott Mattocks)
Date: Wed, 17 Aug 2005 13:12:29 -0400
Subject: [nycphp-talk] CLI output question
In-Reply-To:
References:
Message-ID: <43036FFD.8080904@crisscott.com>

David Mintz wrote:
> How do you print to STDOUT so that what you're printing ~replaces~ what
> you previously printed to STDOUT, instead of appending? You know, like the
> way the PEAR installer shows you download progress with a byte counter that
> keeps updating itself?

When you write a new line use \r instead of \n. This will take you back to the beginning of the line where you can output new information. You have to explicitly overwrite any old characters for them to go away. If the second set of output is shorter than the first, the extra characters from the first line will still be seen.

-- 
Scott Mattocks
scott at crisscott.com
http://www.crisscott.com
http://pear.php.net/user/scottmattocks

From tom at supertom.com Wed Aug 17 13:50:43 2005
From: tom at supertom.com (Tom Melendez)
Date: Wed, 17 Aug 2005 13:50:43 -0400
Subject: [nycphp-talk] CLI output question
In-Reply-To:
References:
Message-ID: <430378F3.70502@supertom.com>

There's the console progressbar package:

http://pear.php.net/package/Console_ProgressBar

You may want to look at that (and the other console packages) to get some ideas.

Good Luck!

Tom
http://www.liphp.org
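The \r technique Scott describes, including the caveat that a shorter update leaves the tail of the previous line on screen, as an added example. This is editor-supplied code, not from the thread and not Console_ProgressBar; it assumes the PHP CLI writing to a terminal, and the byte counts are made up.

```php
<?php
// Added example, not code from the thread or from Console_ProgressBar: a
// progress line that rewrites itself with "\r" and pads each update to the
// width of the previous one, so a shorter update does not leave stale
// characters on screen. Assumes the PHP CLI writing to a terminal; the byte
// counts are made up.
declare(strict_types=1);

final class ProgressLine
{
    private int $lastWidth = 0;

    /** Build one update; returned rather than printed so callers can inspect it. */
    public function render(string $label, int $done, int $total): string
    {
        $pct  = $total > 0 ? intdiv($done * 100, $total) : 100;
        $text = sprintf('%s: %d/%d bytes (%d%%)', $label, $done, $total, $pct);
        // "\r" only moves the cursor back to column 0; the terminal keeps the old
        // characters, so pad with spaces out to the previous line's width.
        $padded = str_pad($text, $this->lastWidth);
        $this->lastWidth = strlen($text);
        return "\r" . $padded;
    }

    /** Write an update with no trailing newline so the next one overwrites it. */
    public function show(string $label, int $done, int $total): void
    {
        fwrite(STDOUT, $this->render($label, $done, $total));
        fflush(STDOUT);
    }

    /** End the line so the shell prompt does not land on top of it. */
    public function finish(): void
    {
        fwrite(STDOUT, "\n");
        $this->lastWidth = 0;
    }
}

$p = new ProgressLine();
foreach ([12345, 67890, 100000] as $received) {
    $p->show('downloading', $received, 100000);
    usleep(200000);
}
// A shorter line than the one before it; the padding clears the leftover.
$p->show('done', 1, 1);
$p->finish();
```

The same idea applies when the line is redrawn from a download callback: call `show()` per chunk, never print a newline until `finish()`, and remember that this only works when STDOUT is a terminal, since a log file will just collect carriage returns.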
From dmintz at davidmintz.org Wed Aug 17 14:11:14 2005
From: dmintz at davidmintz.org (David Mintz)
Date: Wed, 17 Aug 2005 14:11:14 -0400 (EDT)
Subject: [nycphp-talk] CLI output question
In-Reply-To: <430378F3.70502@supertom.com>
References: <430378F3.70502@supertom.com>
Message-ID:

Excellent -- I'm on my way. Thanks guys.

---
David Mintz
http://davidmintz.org/

From ken at secdat.com Wed Aug 17 15:00:05 2005
From: ken at secdat.com (Kenneth Downs)
Date: Wed, 17 Aug 2005 15:00:05 -0400 (EDT)
Subject: [nycphp-talk] Graph Data Structures
In-Reply-To: <43034A9B.70001@simmons.edu>
References: <42FD8A2D.10303@acmgfcu.org> <9c04b66e9e74c72575753213c4dc9262@jobsforge.com> <43031CAC.1080006@simmons.edu> <58736.38.117.147.25.1124286464.squirrel@38.117.147.25> <43034A9B.70001@simmons.edu>
Message-ID: <33074.38.117.147.25.1124305205.squirrel@38.117.147.25>

Jonathan,

Glad this helped.

If your graphs get big then you must do this in a database, don't attempt it in scripts.

Many people recommend MySQL because it is free, but PostgreSQL is far more capable and is also free.

> I can get the functionality I need from this.
> I wonder how scalable this is. What if there are over 5 million arcs? My
> traversal algorithms would have to be very efficient.
-- 
Kenneth Downs
Secure Data Software
631-379-0010
ken at secdat.com
PO Box 708
East Setauket, NY 11733

From hendler at simmons.edu Wed Aug 17 15:46:56 2005
From: hendler at simmons.edu (Jonathan)
Date: Wed, 17 Aug 2005 15:46:56 -0400
Subject: [nycphp-talk] Graph Data Structures
In-Reply-To: <33074.38.117.147.25.1124305205.squirrel@38.117.147.25>
References: <42FD8A2D.10303@acmgfcu.org> <9c04b66e9e74c72575753213c4dc9262@jobsforge.com> <43031CAC.1080006@simmons.edu> <58736.38.117.147.25.1124286464.squirrel@38.117.147.25> <43034A9B.70001@simmons.edu> <33074.38.117.147.25.1124305205.squirrel@38.117.147.25>
Message-ID: <43039430.7080703@simmons.edu>

Going off topic:

Thinking of ways to persist the graph: I've used MySQL a long time and see them as only getting better. But their dual license deters me from some uses.
- what about SQLite - also completely free (LGPL, MIT, or Apache License I think), small, and fast?
Or dbm functions if I only need to store hashes?

I'll feel silly if I reinvent the work of the RAP RDF datastore. I'll have to write tests and a couple of implementations so I can know what is faster and more efficient.

Kenneth Downs wrote:
>Jonathan,
>
>Glad this helped.
>
>If your graphs get big then you must do this in a database, don't attempt
>it in scripts.
>
>Many people recommend MySQL because it is free, but PostgreSQL is far more
>capable and is also free.
>>>> >>>>Thanks, >>>> >>>>- Jonathan Hendler >>>> >>>> >>>> >>>>_______________________________________________ >>>>New York PHP Talk Mailing List >>>>AMP Technology >>>>Supporting Apache, MySQL and PHP >>>>http://lists.nyphp.org/mailman/listinfo/talk >>>>http://www.nyphp.org >>>> >>>> >>>> >>>> >>> >>> >>> >>> >>_______________________________________________ >>New York PHP Talk Mailing List >>AMP Technology >>Supporting Apache, MySQL and PHP >>http://lists.nyphp.org/mailman/listinfo/talk >>http://www.nyphp.org >> >> >> > > > > From joel at tagword.com Wed Aug 17 17:40:54 2005 From: joel at tagword.com (Joel De Gan) Date: Wed, 17 Aug 2005 17:40:54 -0400 Subject: [nycphp-talk] CLI output question In-Reply-To: References: <430378F3.70502@supertom.com> Message-ID: <1124314854.8997.65.camel@bezel> here is one I made the other day for doing a spin-cursor on FTP transfers: // just call with no arguments inside a loop. function progress(){ global $spinnerpos; $spinner = array("/","-","\\","\\|","/","-","\\","\\|"); passthru("printf \"\\b\"".$spinner[$spinnerpos] ." "); $spinnerpos=($spinnerpos +1)%8; } Cheers. -joel On Wed, 2005-08-17 at 14:11 -0400, David Mintz wrote: > Excellent -- I'm on my way. Thanks guys. 
> > --- > David Mintz > http://davidmintz.org/ > _______________________________________________ > New York PHP Talk Mailing List > AMP Technology > Supporting Apache, MySQL and PHP > http://lists.nyphp.org/mailman/listinfo/talk > http://www.nyphp.org > > > From ken at secdat.com Wed Aug 17 16:13:15 2005 From: ken at secdat.com (Kenneth Downs) Date: Wed, 17 Aug 2005 16:13:15 -0400 (EDT) Subject: [nycphp-talk] Graph Data Structures In-Reply-To: <43039430.7080703@simmons.edu> References: <42FD8A2D.10303@acmgfcu.org> <9c04b66e9e74c72575753213c4dc9262@jobsforge.com> <43031CAC.1080006@simmons.edu> <58736.38.117.147.25.1124286464.squirrel@38.117.147.25> <43034A9B.70001@simmons.edu> <33074.38.117.147.25.1124305205.squirrel@38.117.147.25> <43039430.7080703@simmons.edu> Message-ID: <33088.38.117.147.25.1124309595.squirrel@38.117.147.25> My experience in db servers is limited to MS SQL Server, IBM DB/2 and Postgres. Postgres is the one I pick when the decision is mine. The others I really cannot comment on. Also, as for the table design, a google search on both web pages and newsgroups should yield some pre-existing solutions. > Going off topic: > > Thinking of ways to persist the graph : > I've used MySQL a long time and see them as only getting better. But > their dual license deters me from some uses. - what about SQLite - also > completely free (LGPL, MIT, or Apache License I think), small, and fast? > Or dbm functions if I only need to store hashes? > > I'll feel silly if I reinvent the work of the RAP RDF datastore. I'll > have to write tests and a couple implementations so I can know what is > faster and more efficient. > > > > > Kenneth Downs wrote: > >>Jonathan, >> >>Glad this helped. >> >>If your graphs get big then you must do this in a database, don't attempt >>it in scripts. >> >>Many people recommend mySQl because it is free, but PostgreSQL is far >> more >>capable and is also free. >> >> >> >>>Hi Kenneth, >>> >>>Thanks very much. I like what you have posted! 
>>>I think I would add keys to the arrays and add one more dimension so >>>that there can be multiple graphs with the same label. >>> >>>$arcs['likes'][] = array('a','a'); >>>$arcs['likes'][] = array('a','b'); >>>$arcs['knows'][] = array('a','b'); >>> >>>$arcs['knows'][] = array('b','a'); >>>$arcs['confusedby'][] = array('b','a'); >>> >>> I can get the functionality I need from this. >>>I wonder how scalable this is. What if there are over 5 million arcs. My >>>traversal algorithms would have to be very efficient. >>> >>>Another package I am looking at for graph manipulation is bundled with >>>the PHP RDF package RAP. >>> >>>http://www.wiwiss.fu-berlin.de/suhl/bizer/rdfapi >>>http://www.wiwiss.fu-berlin.de/suhl/bizer/rdfapi/tutorial/usingNamedGraphs.htm#ng-intro >>> >>>They use quads - where a quad is a labeled graph. In the above data >>>structure, a new graph would just be a new set of arcs. So it looks like >>>nothing is missing from this array based graph. >>> >>>Hmm, or why not >>> >>>$arcs['a']['likes']['b'] = true; >>>$arcs['b']['likes']['b'] = false; >>>or >>>$arcs['b']['likes']['chocolate'][] = '80%'; >>>$arcs['b']['likes']['chocolate'][] = 'quite significantly'; >>> >>>Then I can have a "triple" with a label and a value. >>> >>>This could be interesting. >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>>Kenneth Downs wrote: >>> >>> >>> >>>>Johathan, >>>> >>>>Have you considered putting the nodes into one array, and the arcs into >>>> a >>>>second? >>>> >>>>$nodes = array('a'=>array(..info..),'b'=>array(..info..)); >>>> >>>>$arcs = array(array('a','b'),array('b','a')) >>>> >>>>This allows each node's info to be stored only once, and allows you to >>>>then treat the arcs cleanly, allowing or disallowing any combo you may >>>>choose. >>>> >>>>You may have to write a little of your code to walk through things, but >>>>you'll have complete integrity and control. >>>> >>>> >>>> >>>> >>>> >>>>>I'm trying to formulate a question out of this. 
If there isn't one >>>>> here, >>>>>I hope the read is interesting. >>>>>My goal is to create the simplest efficient graph data structures - >>>>> that >>>>>allow for cycles. >>>>> >>>>>The reason one would want cycles in a graph is the following: >>>>>a->b >>>>>and >>>>>b->a >>>>>(or b->a again with another arc (also known as a hypergraph)) >>>>>or >>>>>a->a >>>>> >>>>>where '->' is an arc >>>>>Even if the arcs are labled, the data in 'a' is something I don't want >>>>>to duplicate. >>>>> >>>>>I am using php version 4.3.11 >>>>> >>>>>If I try to do this with a simple php array: >>>>> >>>>> $a = array(); >>>>> $b = array(); >>>>> >>>>> $a['b'] = & $b; >>>>> $b['a'] = & $a; >>>>> >>>>> print_r($a); >>>>> >>>>>Array >>>>>( >>>>> [a] => Array >>>>> ( >>>>> [b] => Array >>>>> ( >>>>> [a] => Array >>>>>*RECURSION* >>>>> ) >>>>> >>>>> ) >>>>> >>>>>) >>>>> >>>>> >>>>>I get this recursion error. Or, perhaps this is not an error at all. >>>>> But >>>>>I can't seem to use this function: >>>>> >>>>> function recursive_print($array) >>>>> { >>>>> foreach($array as $key => $value) >>>>> { >>>>> if (is_array($value)) >>>>> { >>>>> echo $key .'
' .recursive_print($value); >>>>> } >>>>> else >>>>> { >>>>> echo 'end'.$value; >>>>> } >>>>> } >>>>> } >>>>> >>>>>So I went to the PEAR site - >>>>>http://pear.php.net/package/Structures_Graph >>>>>This pear package doesn't throw any errors but it also seems to balk >>>>> - >>>>>although I am not sure the *RECURSION* will affect functionality >>>>> >>>>> >>>>> include 'Structures/Graph.php'; >>>>> $directedGraph =& new Structures_Graph(true); >>>>> $nodeOne =& new Structures_Graph_Node(); >>>>> $nodeTwo =& new Structures_Graph_Node(); >>>>> >>>>> >>>>> $directedGraph->addNode(&$nodeOne); >>>>> $directedGraph->addNode(&$nodeTwo); >>>>> >>>>> >>>>> $nodeOne->connectTo($nodeTwo); >>>>> $nodeTwo->connectTo($nodeOne); >>>>> >>>>> >>>>>Inside the code I found a comment about the Zend engine before the >>>>> data >>>>>structure procedes to iteratively loop through the the nodes to see if >>>>>there are duplicates. >>>>> /* >>>>> ZE1 equality operators choke on the recursive cycle >>>>>introduced by the _graph field in the Node object. >>>>> So, we'll check references the hard way >>>>> */ >>>>> >>>>>Even so, print_r produces many recursion warnings. >>>>> >>>>>Maybe I am just trying to use a hammer for a screwdriver. But can >>>>> anyone >>>>>offer any insight here? 
>>>>> >>>>>Thanks, >>>>> >>>>>- Jonathan Hendler >>>>> >>>>> >>>>> >>>>>_______________________________________________ >>>>>New York PHP Talk Mailing List >>>>>AMP Technology >>>>>Supporting Apache, MySQL and PHP >>>>>http://lists.nyphp.org/mailman/listinfo/talk >>>>>http://www.nyphp.org >>>>> >>>>> >>>>> >>>>> >>>> >>>> >>>> >>>> >>>_______________________________________________ >>>New York PHP Talk Mailing List >>>AMP Technology >>>Supporting Apache, MySQL and PHP >>>http://lists.nyphp.org/mailman/listinfo/talk >>>http://www.nyphp.org >>> >>> >>> >> >> >> >> > > _______________________________________________ > New York PHP Talk Mailing List > AMP Technology > Supporting Apache, MySQL and PHP > http://lists.nyphp.org/mailman/listinfo/talk > http://www.nyphp.org > -- Kenneth Downs Secure Data Software 631-379-0010 ken at secdat.com PO Box 708 East Setauket, NY 11733 From hendler at simmons.edu Wed Aug 17 16:27:04 2005 From: hendler at simmons.edu (Jonathan) Date: Wed, 17 Aug 2005 16:27:04 -0400 Subject: [nycphp-talk] DB servers and abstraction layers In-Reply-To: <33088.38.117.147.25.1124309595.squirrel@38.117.147.25> References: <42FD8A2D.10303@acmgfcu.org> <9c04b66e9e74c72575753213c4dc9262@jobsforge.com> <43031CAC.1080006@simmons.edu> <58736.38.117.147.25.1124286464.squirrel@38.117.147.25> <43034A9B.70001@simmons.edu> <33074.38.117.147.25.1124305205.squirrel@38.117.147.25> <43039430.7080703@simmons.edu> <33088.38.117.147.25.1124309595.squirrel@38.117.147.25> Message-ID: <43039D98.20903@simmons.edu> I'll likely use ADODB as a DB abstraction layer - they even have a C module. That should keep my options open. I like ADODB but I haven't used php's dbx or PEAR db either. I am not sure if some db features won't be available to me, like certain kinds of indexes or table types that I am used to setting in MySQL. As for Postgres, I fear the complexity a bit. Kenneth Downs wrote: >My experience in db servers is limited to MS SQL Server, IBM DB/2 and >Postgres. 
Postgres is the one I pick when the decision is mine. The >others I really cannot comment on. > >Also, as for the table design, a google search on both web pages and >newsgroups should yield some pre-existing solutions. > > > >>Going off topic: >> >>Thinking of ways to persist the graph : >>I've used MySQL a long time and see them as only getting better. But >>their dual license deters me from some uses. - what about SQLite - also >>completely free (LGPL, MIT, or Apache License I think), small, and fast? >>Or dbm functions if I only need to store hashes? >> >>I'll feel silly if I reinvent the work of the RAP RDF datastore. I'll >>have to write tests and a couple implementations so I can know what is >>faster and more efficient. >> >> >> >> >>Kenneth Downs wrote: >> >> >> >>>Jonathan, >>> >>>Glad this helped. >>> >>>If your graphs get big then you must do this in a database, don't attempt >>>it in scripts. >>> >>>Many people recommend mySQl because it is free, but PostgreSQL is far >>>more >>>capable and is also free. >>> >>> >>> >>> >>> >>>>Hi Kenneth, >>>> >>>>Thanks very much. I like what you have posted! >>>>I think I would add keys to the arrays and add one more dimension so >>>>that there can be multiple graphs with the same label. >>>> >>>>$arcs['likes'][] = array('a','a'); >>>>$arcs['likes'][] = array('a','b'); >>>>$arcs['knows'][] = array('a','b'); >>>> >>>>$arcs['knows'][] = array('b','a'); >>>>$arcs['confusedby'][] = array('b','a'); >>>> >>>>I can get the functionality I need from this. >>>>I wonder how scalable this is. What if there are over 5 million arcs. My >>>>traversal algorithms would have to be very efficient. >>>> >>>>Another package I am looking at for graph manipulation is bundled with >>>>the PHP RDF package RAP. >>>> >>>>http://www.wiwiss.fu-berlin.de/suhl/bizer/rdfapi >>>>http://www.wiwiss.fu-berlin.de/suhl/bizer/rdfapi/tutorial/usingNamedGraphs.htm#ng-intro >>>> >>>>They use quads - where a quad is a labeled graph. 
In the above data >>>>structure, a new graph would just be a new set of arcs. So it looks like >>>>nothing is missing from this array based graph. >>>> >>>>Hmm, or why not >>>> >>>>$arcs['a']['likes']['b'] = true; >>>>$arcs['b']['likes']['b'] = false; >>>>or >>>>$arcs['b']['likes']['chocolate'][] = '80%'; >>>>$arcs['b']['likes']['chocolate'][] = 'quite significantly'; >>>> >>>>Then I can have a "triple" with a label and a value. >>>> >>>>This could be interesting. >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>>Kenneth Downs wrote: >>>> >>>> >>>> >>>> >>>> >>>>>Johathan, >>>>> >>>>>Have you considered putting the nodes into one array, and the arcs into >>>>>a >>>>>second? >>>>> >>>>>$nodes = array('a'=>array(..info..),'b'=>array(..info..)); >>>>> >>>>>$arcs = array(array('a','b'),array('b','a')) >>>>> >>>>>This allows each node's info to be stored only once, and allows you to >>>>>then treat the arcs cleanly, allowing or disallowing any combo you may >>>>>choose. >>>>> >>>>>You may have to write a little of your code to walk through things, but >>>>>you'll have complete integrity and control. >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>>>I'm trying to formulate a question out of this. If there isn't one >>>>>>here, >>>>>>I hope the read is interesting. >>>>>>My goal is to create the simplest efficient graph data structures - >>>>>>that >>>>>>allow for cycles. >>>>>> >>>>>>The reason one would want cycles in a graph is the following: >>>>>>a->b >>>>>>and >>>>>>b->a >>>>>>(or b->a again with another arc (also known as a hypergraph)) >>>>>>or >>>>>>a->a >>>>>> >>>>>>where '->' is an arc >>>>>>Even if the arcs are labled, the data in 'a' is something I don't want >>>>>>to duplicate. 
>>>>>> >>>>>>I am using php version 4.3.11 >>>>>> >>>>>>If I try to do this with a simple php array: >>>>>> >>>>>> $a = array(); >>>>>> $b = array(); >>>>>> >>>>>> $a['b'] = & $b; >>>>>> $b['a'] = & $a; >>>>>> >>>>>> print_r($a); >>>>>> >>>>>>Array >>>>>>( >>>>>> [a] => Array >>>>>> ( >>>>>> [b] => Array >>>>>> ( >>>>>> [a] => Array >>>>>>*RECURSION* >>>>>> ) >>>>>> >>>>>> ) >>>>>> >>>>>>) >>>>>> >>>>>> >>>>>>I get this recursion error. Or, perhaps this is not an error at all. >>>>>>But >>>>>>I can't seem to use this function: >>>>>> >>>>>> function recursive_print($array) >>>>>> { >>>>>> foreach($array as $key => $value) >>>>>> { >>>>>> if (is_array($value)) >>>>>> { >>>>>> echo $key .'
' .recursive_print($value); >>>>>> } >>>>>> else >>>>>> { >>>>>> echo 'end'.$value; >>>>>> } >>>>>> } >>>>>> } >>>>>> >>>>>>So I went to the PEAR site - >>>>>>http://pear.php.net/package/Structures_Graph >>>>>>This pear package doesn't throw any errors but it also seems to balk >>>>>>- >>>>>>although I am not sure the *RECURSION* will affect functionality >>>>>> >>>>>> >>>>>> include 'Structures/Graph.php'; >>>>>> $directedGraph =& new Structures_Graph(true); >>>>>> $nodeOne =& new Structures_Graph_Node(); >>>>>> $nodeTwo =& new Structures_Graph_Node(); >>>>>> >>>>>> >>>>>> $directedGraph->addNode(&$nodeOne); >>>>>> $directedGraph->addNode(&$nodeTwo); >>>>>> >>>>>> >>>>>> $nodeOne->connectTo($nodeTwo); >>>>>> $nodeTwo->connectTo($nodeOne); >>>>>> >>>>>> >>>>>>Inside the code I found a comment about the Zend engine before the >>>>>>data >>>>>>structure procedes to iteratively loop through the the nodes to see if >>>>>>there are duplicates. >>>>>> /* >>>>>> ZE1 equality operators choke on the recursive cycle >>>>>>introduced by the _graph field in the Node object. >>>>>> So, we'll check references the hard way >>>>>> */ >>>>>> >>>>>>Even so, print_r produces many recursion warnings. >>>>>> >>>>>>Maybe I am just trying to use a hammer for a screwdriver. But can >>>>>>anyone >>>>>>offer any insight here? 
>>>>>> >>>>>>Thanks, >>>>>> >>>>>>- Jonathan Hendler >>>>>> >>>>>> >>>>>> >>>>>>_______________________________________________ >>>>>>New York PHP Talk Mailing List >>>>>>AMP Technology >>>>>>Supporting Apache, MySQL and PHP >>>>>>http://lists.nyphp.org/mailman/listinfo/talk >>>>>>http://www.nyphp.org >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>> >>>>> >>>>> >>>>> >>>>_______________________________________________ >>>>New York PHP Talk Mailing List >>>>AMP Technology >>>>Supporting Apache, MySQL and PHP >>>>http://lists.nyphp.org/mailman/listinfo/talk >>>>http://www.nyphp.org >>>> >>>> >>>> >>>> >>>> >>> >>> >>> >>> >>_______________________________________________ >>New York PHP Talk Mailing List >>AMP Technology >>Supporting Apache, MySQL and PHP >>http://lists.nyphp.org/mailman/listinfo/talk >>http://www.nyphp.org >> >> >> > > > > From joel at tagword.com Wed Aug 17 18:27:32 2005 From: joel at tagword.com (Joel De Gan) Date: Wed, 17 Aug 2005 18:27:32 -0400 Subject: [nycphp-talk] CLI output question In-Reply-To: <1124314854.8997.65.camel@bezel> References: <430378F3.70502@supertom.com> <1124314854.8997.65.camel@bezel> Message-ID: <1124317652.9027.73.camel@bezel> Was thinking about this some more and was poking around.. You could also go crazy and do this color... I had forgot about doing this a while back.. posted the code here for doing termcolored graphs.. http://edit.peoplesdns.com/index.php?show=61 just term color stuff here: http://edit.peoplesdns.com/index.php?show=61 cheers. -joel On Wed, 2005-08-17 at 17:40 -0400, Joel De Gan wrote: > here is one I made the other day for doing a spin-cursor on FTP > transfers: > > // just call with no arguments inside a loop. > function progress(){ > global $spinnerpos; > $spinner = array("/","-","\\","\\|","/","-","\\","\\|"); > passthru("printf \"\\b\"".$spinner[$spinnerpos] ." "); > $spinnerpos=($spinnerpos +1)%8; > } > > Cheers. 
> -joel > > > On Wed, 2005-08-17 at 14:11 -0400, David Mintz wrote: > > Excellent -- I'm on my way. Thanks guys. > > > > --- > > David Mintz > > http://davidmintz.org/ From dcech at phpwerx.net Wed Aug 17 16:53:21 2005 From: dcech at phpwerx.net (Dan Cech) Date: Wed, 17 Aug 2005 16:53:21 -0400 Subject: [nycphp-talk] CLI output question In-Reply-To: <1124314854.8997.65.camel@bezel> References: <430378F3.70502@supertom.com> <1124314854.8997.65.camel@bezel> Message-ID: <4303A3C1.80808@phpwerx.net> Joel, I played a little with your spinner and couldn't get it to work properly. I did come up with this though, which works on both my WinXP laptop and Linux dev server: function progress() { static $spinnerpos = 0; static $spinner = '-'; $spinners = array('-','\\','|','/'); echo $spinner; flush(); $spinnerpos = ($spinnerpos+1)%4; $spinner = "\x8".$spinners[$spinnerpos]; } Dan Joel De Gan wrote: > here is one I made the other day for doing a spin-cursor on FTP > transfers: > > // just call with no arguments inside a loop. > function progress(){ > global $spinnerpos; > $spinner = array("/","-","\\","\\|","/","-","\\","\\|"); > passthru("printf \"\\b\"".$spinner[$spinnerpos] ." "); > $spinnerpos=($spinnerpos +1)%8; > } > > Cheers. 
> -joel From ken at secdat.com Wed Aug 17 17:29:25 2005 From: ken at secdat.com (Kenneth Downs) Date: Wed, 17 Aug 2005 17:29:25 -0400 (EDT) Subject: [nycphp-talk] DB servers and abstraction layers In-Reply-To: <43039D98.20903@simmons.edu> References: <42FD8A2D.10303@acmgfcu.org> <9c04b66e9e74c72575753213c4dc9262@jobsforge.com> <43031CAC.1080006@simmons.edu> <58736.38.117.147.25.1124286464.squirrel@38.117.147.25> <43034A9B.70001@simmons.edu> <33074.38.117.147.25.1124305205.squirrel@38.117.147.25> <43039430.7080703@simmons.edu> <33088.38.117.147.25.1124309595.squirrel@38.117.147.25> <43039D98.20903@simmons.edu> Message-ID: <33249.38.117.147.25.1124314165.squirrel@38.117.147.25> The best system is usually the one that works, and if you are comfortable with mySQL then that is the one that works :) Let us know how this turns out. > I'll likely use ADODB as a DB abstraction layer - they even have a C > module. That should keep my options open. > I like ADODB but I haven't used php's dbx or PEAR db either. > I am not sure if some db features won't be available to me, like certain > kinds of indexes or table types that I am used to setting in MySQL. > As for Postgres, I fear the complexity a bit. > > > Kenneth Downs wrote: > >>My experience in db servers is limited to MS SQL Server, IBM DB/2 and >>Postgres. Postgres is the one I pick when the decision is mine. The >>others I really cannot comment on. >> >>Also, as for the table design, a google search on both web pages and >>newsgroups should yield some pre-existing solutions. >> >> >> >>>Going off topic: >>> >>>Thinking of ways to persist the graph : >>>I've used MySQL a long time and see them as only getting better. But >>>their dual license deters me from some uses. - what about SQLite - also >>>completely free (LGPL, MIT, or Apache License I think), small, and >>> fast? >>>Or dbm functions if I only need to store hashes? >>> >>>I'll feel silly if I reinvent the work of the RAP RDF datastore. 
I'll >>>have to write tests and a couple implementations so I can know what is >>>faster and more efficient. >>> >>> >>> >>> >>>Kenneth Downs wrote: >>> >>> >>> >>>>Jonathan, >>>> >>>>Glad this helped. >>>> >>>>If your graphs get big then you must do this in a database, don't >>>> attempt >>>>it in scripts. >>>> >>>>Many people recommend mySQl because it is free, but PostgreSQL is far >>>>more >>>>capable and is also free. >>>> >>>> >>>> >>>> >>>> >>>>>Hi Kenneth, >>>>> >>>>>Thanks very much. I like what you have posted! >>>>>I think I would add keys to the arrays and add one more dimension so >>>>>that there can be multiple graphs with the same label. >>>>> >>>>>$arcs['likes'][] = array('a','a'); >>>>>$arcs['likes'][] = array('a','b'); >>>>>$arcs['knows'][] = array('a','b'); >>>>> >>>>>$arcs['knows'][] = array('b','a'); >>>>>$arcs['confusedby'][] = array('b','a'); >>>>> >>>>>I can get the functionality I need from this. >>>>>I wonder how scalable this is. What if there are over 5 million arcs. >>>>> My >>>>>traversal algorithms would have to be very efficient. >>>>> >>>>>Another package I am looking at for graph manipulation is bundled with >>>>>the PHP RDF package RAP. >>>>> >>>>>http://www.wiwiss.fu-berlin.de/suhl/bizer/rdfapi >>>>>http://www.wiwiss.fu-berlin.de/suhl/bizer/rdfapi/tutorial/usingNamedGraphs.htm#ng-intro >>>>> >>>>>They use quads - where a quad is a labeled graph. In the above data >>>>>structure, a new graph would just be a new set of arcs. So it looks >>>>> like >>>>>nothing is missing from this array based graph. >>>>> >>>>>Hmm, or why not >>>>> >>>>>$arcs['a']['likes']['b'] = true; >>>>>$arcs['b']['likes']['b'] = false; >>>>>or >>>>>$arcs['b']['likes']['chocolate'][] = '80%'; >>>>>$arcs['b']['likes']['chocolate'][] = 'quite significantly'; >>>>> >>>>>Then I can have a "triple" with a label and a value. >>>>> >>>>>This could be interesting. 
>>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>>Kenneth Downs wrote: >>>>> >>>>> >>>>> >>>>> >>>>> >>>>>>Johathan, >>>>>> >>>>>>Have you considered putting the nodes into one array, and the arcs >>>>>> into >>>>>>a >>>>>>second? >>>>>> >>>>>>$nodes = array('a'=>array(..info..),'b'=>array(..info..)); >>>>>> >>>>>>$arcs = array(array('a','b'),array('b','a')) >>>>>> >>>>>>This allows each node's info to be stored only once, and allows you >>>>>> to >>>>>>then treat the arcs cleanly, allowing or disallowing any combo you >>>>>> may >>>>>>choose. >>>>>> >>>>>>You may have to write a little of your code to walk through things, >>>>>> but >>>>>>you'll have complete integrity and control. >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>>>I'm trying to formulate a question out of this. If there isn't one >>>>>>>here, >>>>>>>I hope the read is interesting. >>>>>>>My goal is to create the simplest efficient graph data structures - >>>>>>>that >>>>>>>allow for cycles. >>>>>>> >>>>>>>The reason one would want cycles in a graph is the following: >>>>>>>a->b >>>>>>>and >>>>>>>b->a >>>>>>>(or b->a again with another arc (also known as a hypergraph)) >>>>>>>or >>>>>>>a->a >>>>>>> >>>>>>>where '->' is an arc >>>>>>>Even if the arcs are labled, the data in 'a' is something I don't >>>>>>> want >>>>>>>to duplicate. >>>>>>> >>>>>>>I am using php version 4.3.11 >>>>>>> >>>>>>>If I try to do this with a simple php array: >>>>>>> >>>>>>> $a = array(); >>>>>>> $b = array(); >>>>>>> >>>>>>> $a['b'] = & $b; >>>>>>> $b['a'] = & $a; >>>>>>> >>>>>>> print_r($a); >>>>>>> >>>>>>>Array >>>>>>>( >>>>>>> [a] => Array >>>>>>> ( >>>>>>> [b] => Array >>>>>>> ( >>>>>>> [a] => Array >>>>>>>*RECURSION* >>>>>>> ) >>>>>>> >>>>>>> ) >>>>>>> >>>>>>>) >>>>>>> >>>>>>> >>>>>>>I get this recursion error. Or, perhaps this is not an error at all. 
>>>>>>>But >>>>>>>I can't seem to use this function: >>>>>>> >>>>>>> function recursive_print($array) >>>>>>> { >>>>>>> foreach($array as $key => $value) >>>>>>> { >>>>>>> if (is_array($value)) >>>>>>> { >>>>>>> echo $key .'
' .recursive_print($value); >>>>>>> } >>>>>>> else >>>>>>> { >>>>>>> echo 'end'.$value; >>>>>>> } >>>>>>> } >>>>>>> } >>>>>>> >>>>>>>So I went to the PEAR site - >>>>>>>http://pear.php.net/package/Structures_Graph >>>>>>>This pear package doesn't throw any errors but it also seems to balk >>>>>>>- >>>>>>>although I am not sure the *RECURSION* will affect functionality >>>>>>> >>>>>>> >>>>>>> include 'Structures/Graph.php'; >>>>>>> $directedGraph =& new Structures_Graph(true); >>>>>>> $nodeOne =& new Structures_Graph_Node(); >>>>>>> $nodeTwo =& new Structures_Graph_Node(); >>>>>>> >>>>>>> >>>>>>> $directedGraph->addNode(&$nodeOne); >>>>>>> $directedGraph->addNode(&$nodeTwo); >>>>>>> >>>>>>> >>>>>>> $nodeOne->connectTo($nodeTwo); >>>>>>> $nodeTwo->connectTo($nodeOne); >>>>>>> >>>>>>> >>>>>>>Inside the code I found a comment about the Zend engine before the >>>>>>>data >>>>>>>structure procedes to iteratively loop through the the nodes to see >>>>>>> if >>>>>>>there are duplicates. >>>>>>> /* >>>>>>> ZE1 equality operators choke on the recursive cycle >>>>>>>introduced by the _graph field in the Node object. >>>>>>> So, we'll check references the hard way >>>>>>> */ >>>>>>> >>>>>>>Even so, print_r produces many recursion warnings. >>>>>>> >>>>>>>Maybe I am just trying to use a hammer for a screwdriver. But can >>>>>>>anyone >>>>>>>offer any insight here? 
>>>>>>> >>>>>>>Thanks, >>>>>>> >>>>>>>- Jonathan Hendler >>>>>>> >>>>>>> >>>>>>> >>>>>>>_______________________________________________ >>>>>>>New York PHP Talk Mailing List >>>>>>>AMP Technology >>>>>>>Supporting Apache, MySQL and PHP >>>>>>>http://lists.nyphp.org/mailman/listinfo/talk >>>>>>>http://www.nyphp.org >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>_______________________________________________ >>>>>New York PHP Talk Mailing List >>>>>AMP Technology >>>>>Supporting Apache, MySQL and PHP >>>>>http://lists.nyphp.org/mailman/listinfo/talk >>>>>http://www.nyphp.org >>>>> >>>>> >>>>> >>>>> >>>>> >>>> >>>> >>>> >>>> >>>_______________________________________________ >>>New York PHP Talk Mailing List >>>AMP Technology >>>Supporting Apache, MySQL and PHP >>>http://lists.nyphp.org/mailman/listinfo/talk >>>http://www.nyphp.org >>> >>> >>> >> >> >> >> > > _______________________________________________ > New York PHP Talk Mailing List > AMP Technology > Supporting Apache, MySQL and PHP > http://lists.nyphp.org/mailman/listinfo/talk > http://www.nyphp.org > -- Kenneth Downs Secure Data Software 631-379-0010 ken at secdat.com PO Box 708 East Setauket, NY 11733 From joel at tagword.com Wed Aug 17 19:27:47 2005 From: joel at tagword.com (Joel De Gan) Date: Wed, 17 Aug 2005 19:27:47 -0400 Subject: [nycphp-talk] CLI output question In-Reply-To: <4303A3C1.80808@phpwerx.net> References: <430378F3.70502@supertom.com> <1124314854.8997.65.camel@bezel> <4303A3C1.80808@phpwerx.net> Message-ID: <1124321267.9028.77.camel@bezel> Oh yea.. should have said that is only going to work on linux, all my development is done on linux so I usually don't even think about if something will work on windows.. -joel On Wed, 2005-08-17 at 16:53 -0400, Dan Cech wrote: > Joel, > > I played a little with your spinner and couldn't get it to work > properly. 
I did come up with this though, which works on both my WinXP > laptop and Linux dev server: > > function progress() > { > static $spinnerpos = 0; > static $spinner = '-'; > $spinners = array('-','\\','|','/'); > > echo $spinner; > flush(); > > $spinnerpos = ($spinnerpos+1)%4; > $spinner = "\x8".$spinners[$spinnerpos]; > } > > Dan > > Joel De Gan wrote: > > here is one I made the other day for doing a spin-cursor on FTP > > transfers: > > > > // just call with no arguments inside a loop. > > function progress(){ > > global $spinnerpos; > > $spinner = array("/","-","\\","\\|","/","-","\\","\\|"); > > passthru("printf \"\\b\"".$spinner[$spinnerpos] ." "); > > $spinnerpos=($spinnerpos +1)%8; > > } > > > > Cheers. > > -joel > _______________________________________________ > New York PHP Talk Mailing List > AMP Technology > Supporting Apache, MySQL and PHP > http://lists.nyphp.org/mailman/listinfo/talk > http://www.nyphp.org > > > From dmintz at davidmintz.org Wed Aug 17 20:40:15 2005 From: dmintz at davidmintz.org (David Mintz) Date: Wed, 17 Aug 2005 20:40:15 -0400 (EDT) Subject: [nycphp-talk] CLI output question In-Reply-To: <1124321267.9028.77.camel@bezel> References: <430378F3.70502@supertom.com> <1124314854.8997.65.camel@bezel> <4303A3C1.80808@phpwerx.net> <1124321267.9028.77.camel@bezel> Message-ID: On Wed, 17 Aug 2005, Joel De Gan wrote: > Oh yea.. > should have said that is only going to work on linux, all my development > is done on linux so I usually don't even think about if something will > work on windows.. Oh the joy of living under a rock! (-: --- David Mintz http://davidmintz.org/ From rolan at omnistep.com Wed Aug 17 23:15:12 2005 From: rolan at omnistep.com (Rolan Yang) Date: Wed, 17 Aug 2005 23:15:12 -0400 Subject: [nycphp-talk] CLI output question In-Reply-To: <1124314854.8997.65.camel@bezel> References: <430378F3.70502@supertom.com> <1124314854.8997.65.camel@bezel> Message-ID: <4303FD40.2050203@omnistep.com> Hah. 
reminds me of Acid-ANSI from the BBS days. Joel De Gan wrote: >here is one I made the other day for doing a spin-cursor on FTP >transfers: > >// just call with no arguments inside a loop. >function progress(){ > global $spinnerpos; > $spinner = array("/","-","\\","\\|","/","-","\\","\\|"); > passthru("printf \"\\b\"".$spinner[$spinnerpos] ." "); > $spinnerpos=($spinnerpos +1)%8; >} > >Cheers. >-joel > > > > From mitch.pirtle at gmail.com Thu Aug 18 00:15:12 2005 From: mitch.pirtle at gmail.com (Mitch Pirtle) Date: Thu, 18 Aug 2005 00:15:12 -0400 Subject: [nycphp-talk] Big changes in Mamboland Message-ID: <330532b60508172115cd76019@mail.gmail.com> Apologies for the crosspost, but it is a bit of a humdinger of an announcement ;-) So we're back from LinuxWorld in San Francisco (where we won Best Open Source Solution, woo-hoo!), and things have been moving at 1,000,000 miles per hour in Mamboland. If you follow Mambo, you've probably been tracking some of the dissension within the community after the recent formation of the Mambo Foundation by Miro Ltd. Tonight, the core development team has released an official response: http://opensourcematters.org Please visit here for updates on our future, and be sure to join the new forums to participate in our ongoing discussions with the community. We can't say any more than what is in the official statement right now, but we have retained the services of the Software Freedom Law Center and will be providing more details about our plan shortly. ALSO: If you're not familiar with the SFLC, it doesn't get much better. Here are a few of the people on the SFLC team: Eben Moglen, Lawrence Lessig, Dan Ravicher, and Daniel J. Weitzner, director of the W3C (World Wide Web Consortium). 
--
Mitch Pirtle
OpenSourceMatters.org

From cliff at pinestream.com Thu Aug 18 09:11:08 2005
From: cliff at pinestream.com (Cliff Hirsch)
Date: Thu, 18 Aug 2005 09:11:08 -0400
Subject: [nycphp-talk] Mantis bugtracking documentation
In-Reply-To: <4303FD40.2050203@omnistep.com>
Message-ID: <005301c5a3f6$4c5ca730$11a8a8c0@cliff>

Does anyone know of a good tutorial or documentation for Mantis? The documentation link on the Mantis website is broken.

From mwithington at PLMresearch.com Thu Aug 18 09:18:48 2005
From: mwithington at PLMresearch.com (Mark Withington)
Date: Thu, 18 Aug 2005 09:18:48 -0400
Subject: [nycphp-talk] Mantis bugtracking documentation
Message-ID: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358EF273D@network.PLMresearch.com>

Hmmm... I think I've got something kicking around. Will send it to you off-list if I can find it.

--------------------------
Mark L. Withington
PLMresearch
v: 508-746-2383
m: 508-801-0181
Calendar: http://www.plmresearch.com/calendar.php

> -----Original Message-----
> From: talk-bounces at lists.nyphp.org
> [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Cliff Hirsch
> Sent: Thursday, August 18, 2005 9:11 AM
> To: 'NYPHP Talk'
> Subject: [nycphp-talk] Mantis bugtracking documentation
>
> Does anyone know of a good tutorial or documentation for
> Mantis? The documentation link on the Mantis website is broken.

From jay_nyphp at fastmail.fm Thu Aug 18 11:21:31 2005
From: jay_nyphp at fastmail.fm (Jayesh Sheth)
Date: Thu, 18 Aug 2005 11:21:31 -0400
Subject: [nycphp-talk] 'CHECK TABLE' syntax for Postgres
Message-ID: <1124378491.18456.240969212@webmail.messagingengine.com>

Hello all,

I am back from the land of the disappeared. How has the weather in NYPHPland been since I was gone?
I have a question that I hope some Postgres gurus could answer. MySQL lets you run a query with the syntax 'CHECK TABLE my_table' to see what is wrong with it. More info:
http://dev.mysql.com/doc/mysql/en/check-table.html

I was wondering if Postgres has something similar, or if it uses an external tool. I did a fair bit of Googling, but have come up with nothing so far.

Also - does it have something similar to MySQL's 'REPAIR TABLE' syntax if problems are found and tables need to be repaired? More info:
http://dev.mysql.com/doc/mysql/en/repair-table.html

Thanks in advance.

Best regards,

- Jay

From max at neuropunks.org Thu Aug 18 11:35:32 2005
From: max at neuropunks.org (max)
Date: Thu, 18 Aug 2005 10:35:32 -0500
Subject: [nycphp-talk] 'CHECK TABLE' syntax for Postgres
In-Reply-To: <1124378491.18456.240969212@webmail.messagingengine.com>
References: <1124378491.18456.240969212@webmail.messagingengine.com>
Message-ID: <20050818153532.GA89247@neuropunks.org>

May be you are looking for this:
http://www.postgresql.org/docs/7.4/interactive/sql-vacuum.html ?

Works for both 7.x and 8.x

On Thu, Aug 18, 2005 at 11:21:31AM -0400, Jayesh Sheth wrote:
> Hello all,
>
> I am back from the land of the disappeared. How has the weather in
> NYPHPland been since I was gone?
>
> I have a question that I hope some Postgres gurus could answer. MySQL
> lets you run a query with the syntax 'CHECK TABLE my_table' to see what
> is wrong with it. More info:
> http://dev.mysql.com/doc/mysql/en/check-table.html
>
> I was wondering if Postgres has something similar, or if it uses an
> external tool. I did a fair bit of Googling, but have come up with
> nothing so far.
>
> Also - does it have something similar to MySQL's 'REPAIR TABLE' syntax
> if problems are found and tables need to be repaired? More info:
> http://dev.mysql.com/doc/mysql/en/repair-table.html
>
> Thanks in advance.
>
> Best regards,
>
> - Jay

From jeff.loiselle at gmail.com Thu Aug 18 15:28:20 2005
From: jeff.loiselle at gmail.com (Jeff Loiselle)
Date: Thu, 18 Aug 2005 15:28:20 -0400
Subject: [nycphp-talk] PEAR:DataObjects and Oracle
Message-ID: <4b188711050818122839fa3021@mail.gmail.com>

I've been having some trouble getting DataObjects to recognize the keys in Oracle. So, it generates the skeleton classes and ini file, but does not create key entries for each table.

Anyone else have any luck using DataObjects and Oracle?

/jeff

---
Jeff Loiselle
Web Developer, Musician, and Observer
http://jeff.loiselles.com

From gatzby3jr at gmail.com Thu Aug 18 15:42:51 2005
From: gatzby3jr at gmail.com (Brian O'Connor)
Date: Thu, 18 Aug 2005 15:42:51 -0400
Subject: [nycphp-talk] News letter packages
Message-ID: <29da5d15050818124219a00388@mail.gmail.com>

Has anyone heard anything or used PHP multiple newsletter?

http://www.phpmultiplenewsletters.com/index.html

At the moment I'm a little too busy to create a custom one for what I need so I'm on the hunt for some premade ones, if anyone has used other software too that would be great- preferably free as this project is being funded by me and a friend of mine, and we're both going into college next year and could use all the cash we can get right now :)

All I need it to do is be able to register users, and send them an email using a form, but not show the recipients the emails of the other users on the group (simple I know, but that's rather important to me).

Thanks in advance

--
Brian O'Connor
From steve.rieger at tbwachiat.com Thu Aug 18 16:06:09 2005
From: steve.rieger at tbwachiat.com (Steve Rieger)
Date: Thu, 18 Aug 2005 16:06:09 -0400
Subject: [nycphp-talk] length parameter
Message-ID:

what does this mean

any pointers

Warning: fread(): Length parameter must be greater than 0. in /http/..../.../filegetter.inc on line 191
--
Steve Rieger
AIM chozrim
ICQ 53956607
Cell 646 335 8915
steve.rieger at tbwachiat.com

This e-mail is intended only for the named person or entity to which it is addressed and contains valuable business information that is privileged, confidential and/or otherwise protected from disclosure. Dissemination, distribution or copying of this e-mail or the information herein by anyone other than the intended recipient, or an employee or agent responsible for delivering the message to the intended recipient, is strictly prohibited. All contents are the copyright property of TBWA\Chiat\Day, its agencies or a client of such agencies. If you are not the intended recipient, you are nevertheless bound to respect the worldwide legal rights of TBWA\Chiat\Day, its agencies and its clients. We require that unintended recipients delete the e-mail and destroy all electronic copies in their system, retaining no copies in any media. If you have received this e-mail in error, please immediately notify us via e-mail to disclaimer at tbwachiat.com. We appreciate your cooperation.

We make no warranties as to the accuracy or completeness of this e-mail and accept no liability for its content or use. Any opinions expressed in this e-mail are those of the author and do not necessarily reflect the opinions of TBWA\Chiat\Day or any of its agencies or affiliates.

From hendler at simmons.edu Thu Aug 18 17:00:19 2005
From: hendler at simmons.edu (Jonathan)
Date: Thu, 18 Aug 2005 17:00:19 -0400
Subject: [nycphp-talk] length parameter
In-Reply-To:
References:
Message-ID: <4304F6E3.3080907@simmons.edu>

Hi Steve

See in this example from php.net

$filename = "/usr/local/something.txt";
$handle = fopen($filename, "r");
$contents = fread($handle, filesize($filename));
fclose($handle);

What is happening for you is that the second parameter is 0 or less. This means that the file you are trying to load is probably empty.
Steve Rieger wrote:
>what does this mean
>
>any pointers
>
>Warning: fread(): Length parameter must be greater than 0. in
>/http/..../.../filegetter.inc on line 191
>
>--
>Steve Rieger
>AIM chozrim
>ICQ 53956607
>Cell 646 335 8915
>steve.rieger at tbwachiat.com
From steve.rieger at tbwachiat.com Thu Aug 18 17:06:40 2005
From: steve.rieger at tbwachiat.com (Steve Rieger)
Date: Thu, 18 Aug 2005 17:06:40 -0400
Subject: [nycphp-talk] length parameter
In-Reply-To: <4304F6E3.3080907@simmons.edu>
References: <4304F6E3.3080907@simmons.edu>
Message-ID: <5EA1F8F2-D379-4B53-A4AB-A572392CE7E4@tbwachiat.com>

sorry for the disclaimer....

anyways

the file is actually 958 MB large, it is mounted via nfs (that might make a difference)

any file that's smaller than 230 MB i can download but any file that is larger than 250 i get that error.

me no understand.

On Aug 18, 2005, at 5:00 PM, Jonathan wrote:

> Hi Steve
>
> See in this example from php.net
>
> $filename = "/usr/local/something.txt";
> $handle = fopen($filename, "r");
> $contents = fread($handle, filesize($filename));
> fclose($handle);
>
> What is happening for you is that the second parameter is 0 or less.
> This means that the file you are trying to load is probably empty.
>
> Steve Rieger wrote:
>> what does this mean
>>
>> any pointers
>>
>> Warning: fread(): Length parameter must be greater than 0. in
>> /http/..../.../filegetter.inc on line 191
From hendler at simmons.edu Thu Aug 18 17:18:07 2005
From: hendler at simmons.edu (Jonathan)
Date: Thu, 18 Aug 2005 17:18:07 -0400
Subject: [nycphp-talk] length parameter
In-Reply-To: <5EA1F8F2-D379-4B53-A4AB-A572392CE7E4@tbwachiat.com>
References: <4304F6E3.3080907@simmons.edu> <5EA1F8F2-D379-4B53-A4AB-A572392CE7E4@tbwachiat.com>
Message-ID: <4304FB0F.8040405@simmons.edu>

I'm just quoting the PHP.net site again.
Sorry if you've tried these things already.
Is it a binary file?

With large files you might need to break it up:

<?php
$handle = fopen("http://www.example.com/", "rb");
$contents = '';
while (!feof($handle)) {
    $contents .= fread($handle, 8192);
}
fclose($handle);
?>

Note: If you just want to get the contents of a file into a string, use file_get_contents() as it has much better performance than the code above.

Steve Rieger wrote:
> sorry for the disclaimer....
>
> anyways
>
> the file is actually 958 MB large, it is mounted via nfs (that might
> make a difference)
>
> any file that's smaller than 230 MB i can download but any file that is
> larger than 250 i get that error.
>
> me no understand.
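The chunked loop quoted above is the pattern to use for a file of that size: fread($handle, filesize($filename)) asks PHP to build one string holding the whole file, and whenever filesize() returns 0 or false (false is cast to 0) the call turns into exactly the "Length parameter must be greater than 0" warning. As an added example, not code from this thread or from php.net, here is a download handler that streams a file to the client in fixed-size chunks so the fread length is never derived from filesize(). The base directory, the function name and the query parameter are assumptions.

```php
<?php
// Added example (not from the list thread): stream a large file to the
// client in fixed-size chunks instead of fread($h, filesize($file)).
// Assumptions: downloadable files live under $base (hypothetical path)
// and the caller passes a bare file name, never a path.

function send_file_chunked($base, $name, $chunk = 8192)
{
    // Confine the request to the download directory: drop any directory
    // component, resolve symlinks, then require the result to sit under $base.
    $base = realpath($base);
    $path = ($base === false) ? false : realpath($base . DIRECTORY_SEPARATOR . basename($name));
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
        header('HTTP/1.0 404 Not Found');
        return false;
    }

    $size = filesize($path);           // may be false; only used for the header
    $handle = fopen($path, 'rb');      // binary mode matters on Windows
    if ($handle === false) {
        header('HTTP/1.0 500 Internal Server Error');
        return false;
    }

    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    if ($size !== false && $size > 0) {
        header('Content-Length: ' . $size);
    }

    $sent = 0;
    while (!feof($handle)) {
        $data = fread($handle, $chunk);  // constant length: never 0, never the file size
        if ($data === false) {
            break;
        }
        echo $data;
        $sent += strlen($data);
        flush();                          // push the chunk out; memory use stays at one chunk
    }
    fclose($handle);
    return $sent;                         // bytes actually written to the client
}

// Usage (hypothetical names): serve /var/www/downloads/<file> on request.
if (isset($_GET['file'])) {
    send_file_chunked('/var/www/downloads', $_GET['file']);
}
```

Two design points worth noting: the length passed to fread is a constant, so a misreported or failed filesize() can no longer produce the warning (it only affects whether a Content-Length header is sent), and the realpath()/basename() check keeps a script of this kind from serving anything outside its download directory, which is the usual defensive check in a "file getter" that takes a name from the request.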
From steve.rieger at tbwachiat.com Thu Aug 18 17:32:04 2005
From: steve.rieger at tbwachiat.com (Steve Rieger)
Date: Thu, 18 Aug 2005 17:32:04 -0400
Subject: [nycphp-talk] length parameter
In-Reply-To: <4304FB0F.8040405@simmons.edu>
References: <4304F6E3.3080907@simmons.edu> <5EA1F8F2-D379-4B53-A4AB-A572392CE7E4@tbwachiat.com> <4304FB0F.8040405@simmons.edu>
Message-ID: <95E725FD-D5E0-4072-A2D1-EFFEBA108910@tbwachiat.com>

it's actually a zip file

On Aug 18, 2005, at 5:18 PM, Jonathan wrote:

> I'm just quoting the PHP.net site again.
> Sorry if you've tried these things already.
> Is it a binary file?
>
> With large files you might need to break it up:
>
> <?php
> $handle = fopen("http://www.example.com/", "rb");
> $contents = '';
> while (!feof($handle)) {
>     $contents .= fread($handle, 8192);
> }
> fclose($handle);
> ?>
>
> Note: If you just want to get the contents of a file into a string,
> use file_get_contents() as it has much better performance than the
> code above.
From hendler at simmons.edu Thu Aug 18 17:36:19 2005
From: hendler at simmons.edu (Jonathan)
Date: Thu, 18 Aug 2005 17:36:19 -0400
Subject: [nycphp-talk] length parameter
In-Reply-To: <95E725FD-D5E0-4072-A2D1-EFFEBA108910@tbwachiat.com>
References: <4304F6E3.3080907@simmons.edu> <5EA1F8F2-D379-4B53-A4AB-A572392CE7E4@tbwachiat.com> <4304FB0F.8040405@simmons.edu> <95E725FD-D5E0-4072-A2D1-EFFEBA108910@tbwachiat.com>
Message-ID: <4304FF53.5010502@simmons.edu>

I see, so it's a binary file.

Have you tried ?

fopen("http://www.example.com/", "rb");

Steve Rieger wrote:
> its actually a zip file
>
> On Aug 18, 2005, at 5:18 PM, Jonathan wrote:
>
>> Is it a binary file?
>>
>> With large files you might need to break it up:
>>
>> <?php
>> $handle = fopen("http://www.example.com/", "rb");
>> $contents = '';
>> while (!feof($handle)) {
>>     $contents .= fread($handle, 8192);
>> }
>> fclose($handle);
>> ?>
From lists at zaunere.com Thu Aug 18 23:35:17 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Thu, 18 Aug 2005 23:35:17 -0400
Subject: [nycphp-talk] Accessible Rich Internet Applications
In-Reply-To:
Message-ID: <0MKp2t-1E5xf41JLU-0002vT@mrelay.perfora.net>

> Yesterday IBM made a formal announcement about our code
> contributions to Firefox 1.5 (due out this September) with
> respect to Accessibility. These announcements focused on the
> technology Laurent Hasson and I demonstrated to NYPHP back on
> July 26th. Since the technology is DHTML based, it is
> applicable to PHP programmers.
>
> Details on the technology can be found at:
> www.mozilla.org/access/dhtml
>
> Details on the announcement can be found at a variety of places:
>
> IBM Contributes Open Source Code to Make FireFox Browser More Accessible
> http://www.ibm.com/press/PressServletForm.wss?MenuChoice=press releases&TemplateName=ShowPressReleaseTemplate&SelectString=t1.docunid=7839&TableName=DataheadApplicationClass&SESSIONKEY=any&WindowTitle=Press+Release&STATUS=publish
>
> IBM Contributes DHTML Accessibility Code to Mozilla
> http://www.mozillazine.org/talkback.html?article=7162
>
> IBM Donates Code to Firefox
> http://slashdot.org/articles/05/08/15/1836246.shtml?tid=154&tid=136
> http://www.internetnews.com/xSP/article.php/3527341
>
> IBM helps Firefox reach disabled
> http://news.com.com/IBM+helps+Firefox+reach+disabled/2100-1032_3-5833354.html

This is great stuff - good to see this type of functionality coming out into the public. With PHP on the server and this type of flexibility in the client, the day of rich internet apps is coming quick.
Looking forward to the next release of FireFox, and to getting a web cast out there as Chris mentioned.

Thanks Dan

---
Hans Zaunere
President, Founder
New York PHP
http://www.nyphp.org

AMP Technology
Supporting Apache, MySQL and PHP

From gatzby3jr at gmail.com Fri Aug 19 00:11:34 2005
From: gatzby3jr at gmail.com (Brian O'Connor)
Date: Fri, 19 Aug 2005 00:11:34 -0400
Subject: [nycphp-talk] Session basics
In-Reply-To:
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a42800508080929656f42a@mail.gmail.com> <29da5d150508080944115bd761@mail.gmail.com> <200508091617.25624.jellicle@gmail.com> <29da5d15050810091013a1b556@mail.gmail.com> <20050810234506.GA22969@panix.com> <29da5d15050810214269e1a687@mail.gmail.com> <42FB57E4.2050900@email.smith.edu> <29da5d150508111046307b33ed@mail.gmail.com>
Message-ID: <29da5d150508182111415c7cc2@mail.gmail.com>

Why is it that in my php.ini I have session.use_cookies set to 1, but when I view a site of mine it appends the links to say ?PHPSESSID=xxxxxxxxxxxxx, even though my browser has cookies enabled?

I think I'm going to set session.use_only_cookies to 1 as well, but I'm always leery about limiting a portion of the community from viewing content if there's an available workaround for it.

On 8/11/05, David Mintz wrote:
>
> On Thu, 11 Aug 2005, Brian O'Connor wrote:
>
> > So what you're saying is if I see a "?PHPSESSID=xxxxxxxxxxxx" in the URL of
> > my site, then it is vulnerable?
>
> Yeah.
>
> ---
> David Mintz
> http://davidmintz.org/

--
Brian O'Connor
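The symptom in the question comes from session.use_trans_sid rather than from session.use_cookies: on the first response PHP has not yet seen its cookie come back, so with trans_sid enabled it rewrites links to carry ?PHPSESSID=... even for browsers that accept cookies, and an ID in the URL ends up in Referer headers, proxy and server logs and any link the user pastes, which is what makes it possible for someone else to present that ID. As an added example (not code from this thread), here is the set of session directives that keeps the ID in the cookie only, plus a login step that rotates the ID; the directive names are real PHP settings, while login_user() and the logging check are hypothetical.

```php
<?php
// Added example, not code from the list thread. The ini directives are
// real PHP session settings; login_user() and session_id_in_request()
// are hypothetical helpers written for this illustration.
//
// These can live in php.ini instead; when set with ini_set() they must
// run before session_start().
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1');  // ignore an ID supplied in GET/POST
ini_set('session.use_trans_sid', '0');     // never rewrite links to carry the ID
ini_set('session.cookie_httponly', '1');   // PHP 5.2+: cookie not readable from script

function session_id_in_request()
{
    // Detection check: with use_only_cookies PHP already ignores an ID
    // carried in the request parameters; this only reports that one
    // was presented, which is worth a log line.
    $name = session_name();
    return isset($_GET[$name]) || isset($_POST[$name]);
}

function login_user($user_id)
{
    // Hypothetical login step. Rotating the ID after authentication
    // means an ID that was known before login no longer names this
    // session; passing true discards the old session data (PHP 5.1+).
    session_regenerate_id(true);
    $_SESSION['user_id']  = $user_id;
    $_SESSION['login_ip'] = $_SERVER['REMOTE_ADDR'];
    return session_id();
}

session_start();

if (session_id_in_request()) {
    error_log('session ID presented in request parameters from '
              . $_SERVER['REMOTE_ADDR']);
}
```

The trade-off the poster raises is real: with use_only_cookies a visitor whose browser refuses cookies gets a fresh session on every request, so the decision is between that loss of convenience and accepting IDs that travel in URLs. Later PHP releases add session.use_strict_mode (5.5.2+), which makes PHP refuse an uninitialized ID outright rather than adopting it, and is the setting to turn on alongside the ones above.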
From gisolfi at us.ibm.com Fri Aug 19 01:01:17 2005
From: gisolfi at us.ibm.com (Dan Gisolfi)
Date: Thu, 18 Aug 2005 23:01:17 -0600
Subject: [nycphp-talk] Out of the office.
Message-ID:

I will be out of the office starting 08/19/2005 and will not return until 08/29/2005.

I will be out of the office between Aug19-Aug28 returning on the 29th. Please do not expect a response from me until my return.

From rinaldy_roy at yahoo.com Fri Aug 19 02:45:13 2005
From: rinaldy_roy at yahoo.com (rinaldy roy)
Date: Thu, 18 Aug 2005 23:45:13 -0700 (PDT)
Subject: [nycphp-talk] HomeSite on Mac
Message-ID: <20050819064513.797.qmail@web52709.mail.yahoo.com>

I've Mac GT3 with OS 10.3 and new for HTML. I've read email on this group about the possibility using HomeSite on Mac by using Virtual PC. Could I have more detail explanation about this?

Tx

Rinaldy RM

From hendler at simmons.edu Fri Aug 19 08:46:59 2005
From: hendler at simmons.edu (Jonathan)
Date: Fri, 19 Aug 2005 08:46:59 -0400
Subject: [nycphp-talk] Roadsend
In-Reply-To: <4304FF53.5010502@simmons.edu>
References: <4304F6E3.3080907@simmons.edu> <5EA1F8F2-D379-4B53-A4AB-A572392CE7E4@tbwachiat.com> <4304FB0F.8040405@simmons.edu> <95E725FD-D5E0-4072-A2D1-EFFEBA108910@tbwachiat.com> <4304FF53.5010502@simmons.edu>
Message-ID: <4305D4C3.8030608@simmons.edu>

Has anyone here used Roadsend? (roadsend.com) A php compiler?
From scott at crisscott.com Fri Aug 19 08:53:14 2005
From: scott at crisscott.com (Scott Mattocks)
Date: Fri, 19 Aug 2005 08:53:14 -0400
Subject: [nycphp-talk] Roadsend
In-Reply-To: <4305D4C3.8030608@simmons.edu>
References: <4304F6E3.3080907@simmons.edu> <5EA1F8F2-D379-4B53-A4AB-A572392CE7E4@tbwachiat.com> <4304FB0F.8040405@simmons.edu> <95E725FD-D5E0-4072-A2D1-EFFEBA108910@tbwachiat.com> <4304FF53.5010502@simmons.edu> <4305D4C3.8030608@simmons.edu>
Message-ID: <4305D63A.7060000@crisscott.com>

Jonathan wrote:
> Has anyone here used Roadsend? (roadsend.com) A php compiler?

Check out the list archives:
http://lists.nyphp.org/pipermail/talk/2005-July/015405.html

And the PHP-GTK mailing list archives:
http://marc.theaimsgroup.com/?l=php-gtk-general&w=2&r=1&s=roadsend&q=b
(for more results try searching for "php compiler")

Scott Mattocks

From hendler at simmons.edu Fri Aug 19 09:11:06 2005
From: hendler at simmons.edu (Jonathan)
Date: Fri, 19 Aug 2005 09:11:06 -0400
Subject: [nycphp-talk] Roadsend
In-Reply-To: <4305D63A.7060000@crisscott.com>
References: <4304F6E3.3080907@simmons.edu> <5EA1F8F2-D379-4B53-A4AB-A572392CE7E4@tbwachiat.com> <4304FB0F.8040405@simmons.edu> <95E725FD-D5E0-4072-A2D1-EFFEBA108910@tbwachiat.com> <4304FF53.5010502@simmons.edu> <4305D4C3.8030608@simmons.edu> <4305D63A.7060000@crisscott.com>
Message-ID: <4305DA6A.9080902@simmons.edu>

Thanks Scott, for pointing me to those threads.

Scott Mattocks wrote:
>Jonathan wrote:
>>Has anyone here used Roadsend? (roadsend.com) A php compiler?
>> >> > >Checkout the list archives: >http://lists.nyphp.org/pipermail/talk/2005-July/015405.html > >And the PHP-GTK mailing list archives: >http://marc.theaimsgroup.com/?l=php-gtk-general&w=2&r=1&s=roadsend&q=b >(for more results try searching for "php compiler") > >Scott Mattocks >_______________________________________________ >New York PHP Talk Mailing List >AMP Technology >Supporting Apache, MySQL and PHP >http://lists.nyphp.org/mailman/listinfo/talk >http://www.nyphp.org > > From leam at reuel.net Fri Aug 19 10:06:12 2005 From: leam at reuel.net (leam at reuel.net) Date: Fri, 19 Aug 2005 10:06:12 -0400 Subject: [nycphp-talk] PHP GUI on Windows? Message-ID: <20050819140612.GB3160@leitz.reuel.net> Cool, thanks for the collateral reference to PHP GTK. It answers a problem that came in the mail last night. :) I friend wants me to write something that lets people enter data, the forms does some minor math, and then produces a printable output. Ideally the process would allow writing the data to a local file so the user could pull up old forms, edit them, and then print them again. I didn't know php-gtk existed, but am starting to try it in another window. Well, try to get it to work, I think. So far it doesn't look to be a robust install and the test scripts fail. :( But my question is, to do the above, what PHP extensions/tools would be needed? The user would tend to be non-technical, and there would be no mysql/apache; just PHP and the data files. It would need to run on Windows, from old verions to the newest. ciao! leam From scott at crisscott.com Fri Aug 19 10:39:57 2005 From: scott at crisscott.com (Scott Mattocks) Date: Fri, 19 Aug 2005 10:39:57 -0400 Subject: [nycphp-talk] PHP GUI on Windows? In-Reply-To: <20050819140612.GB3160@leitz.reuel.net> References: <20050819140612.GB3160@leitz.reuel.net> Message-ID: <4305EF3D.7030606@crisscott.com> leam at reuel.net wrote: > Well, try to get it to work, I think. 
> So far it doesn't look to be a robust install and the test scripts fail. :(

PHP-GTK has some odd dependencies at the moment. PHP-GTK 1.0.2 requires PHP 4.3.x and will not work with PHP 5. PHP-GTK 2.0 is still under development but requires PHP 5.1 or greater. If you have PHP 4.3.x and you are installing on windows, installation is easy. Just download a file, unzip it and copy a directory or two. Linux is a little more complicated but is 300% better than it was in the past. If you check the PHP-GTK mailing list archives, you will find answers to almost any installation issue.

> But my question is, to do the above, what PHP extensions/tools would be needed? The user would tend to be non-technical, and there would be no mysql/apache; just PHP and the data files. It would need to run on Windows, from old versions to the newest.

I think PHP-GTK is a perfect solution but then again I may be a little biased.

Scott

From leam at reuel.net Fri Aug 19 11:00:33 2005
From: leam at reuel.net (leam at reuel.net)
Date: Fri, 19 Aug 2005 11:00:33 -0400
Subject: [nycphp-talk] PHP GUI on Windows?
In-Reply-To: <4305EF3D.7030606@crisscott.com>
References: <20050819140612.GB3160@leitz.reuel.net> <4305EF3D.7030606@crisscott.com>
Message-ID: <20050819150033.GC3160@leitz.reuel.net>

On Fri, Aug 19, 2005 at 10:39:57AM -0400, Scott Mattocks wrote:
> I think PHP-GTK is a perfect solution but then again I may be a little
> biased.

Hehe...why would that be? Okay, taking the php-gtk install issues out of the thread as I need to deal with those separately, what tools would be required? I want to:

1. Create the PHP programs and extensions and have them on the CD the client gets.
2. I don't have any Windows compilers or PHP Zend-y type things either. What would be needed?
3. Is php-gtk 2.0 close enough that using PHP 5.x would be advisable? This is a stand-alone app so I don't need to stick with PHP 4.x. Not that I mind either, but most of the web-sites I've seen are on PHP 4.x.
4. Are there old versions of windows that PHP doesn't run on? This is a serious question--many of the clients are on software that is very old. I'd not be surprised if someone had Win 95 or even Win 3.1.

ciao!

leam

From scott at crisscott.com Fri Aug 19 11:22:42 2005
From: scott at crisscott.com (Scott Mattocks)
Date: Fri, 19 Aug 2005 11:22:42 -0400
Subject: [nycphp-talk] PHP GUI on Windows?
In-Reply-To: <20050819150033.GC3160@leitz.reuel.net>
References: <20050819140612.GB3160@leitz.reuel.net> <4305EF3D.7030606@crisscott.com> <20050819150033.GC3160@leitz.reuel.net>
Message-ID: <4305F942.9040505@crisscott.com>

leam at reuel.net wrote:
> 1. Create the PHP programs and extensions and have them on the CD the client gets.
> 2. I don't have any Windows compilers or PHP Zend-y type things either. What would be needed?

Try bCompiler. It is a PECL package and claims to turn PHP scripts into full functioning executables that don't require PHP to be installed. I haven't used it myself but I have heard success stories.

> 3. Is php-gtk 2.0 close enough that using PHP 5.x would be advisable? This is a stand-alone app so I don't need to stick with PHP 4.x. Not that I mind either, but most of the web-sites I've seen are on PHP 4.x.

PHP-GTK 2.0 hasn't even had an alpha release yet (mainly because of the installation issues) so I wouldn't recommend using it for production code quite yet.

> 4. Are there old versions of windows that PHP doesn't run on?
> This is a serious question--many of the clients are on software that is very old. I'd not be surprised if someone had Win 95 or even Win 3.1.

I believe that future releases will drop support for win9x.

Scott

From hendler at simmons.edu Fri Aug 19 11:24:24 2005
From: hendler at simmons.edu (Jonathan)
Date: Fri, 19 Aug 2005 11:24:24 -0400
Subject: [nycphp-talk] PHP GUI on Windows?
In-Reply-To: <20050819150033.GC3160@leitz.reuel.net>
References: <20050819140612.GB3160@leitz.reuel.net> <4305EF3D.7030606@crisscott.com> <20050819150033.GC3160@leitz.reuel.net>
Message-ID: <4305F9A8.6010701@simmons.edu>

I'm just stating some assumptions here so I might learn:

Wouldn't winbinder let you run on windows natively? If you don't need a cross-platform gui or you can use native windows GUI.
http://www.hypervisual.com/winbinder/

http://www.php-compiler.net/ wouldn't help you with win 3.1 or 95.... or would it?

GTK is certainly the best cross platform choice for GUIs using php.

What about XUL? (not sure what I am asking here...
http://wiki.mozilla.org/XUL:Xul_Runner
http://www.phppatterns.com/index.php/article/articleview/82/1/2/
http://pear.php.net/package/XML_XUL)

From hendler at simmons.edu Fri Aug 19 12:38:24 2005
From: hendler at simmons.edu (Jonathan)
Date: Fri, 19 Aug 2005 12:38:24 -0400
Subject: [nycphp-talk] PHP GUI on Windows?
In-Reply-To: <4305F9A8.6010701@simmons.edu>
References: <20050819140612.GB3160@leitz.reuel.net> <4305EF3D.7030606@crisscott.com> <20050819150033.GC3160@leitz.reuel.net> <4305F9A8.6010701@simmons.edu>
Message-ID: <43060B00.4050803@simmons.edu>

Anybody used ActiveSiteCompiler?
http://www.intorel.com/products/ActiveSiteCompiler/features.asp

From shiflett at php.net Fri Aug 19 12:52:33 2005
From: shiflett at php.net (Chris Shiflett)
Date: Fri, 19 Aug 2005 12:52:33 -0400
Subject: [nycphp-talk] Session basics
In-Reply-To: <29da5d150508182111415c7cc2@mail.gmail.com>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a42800508080929656f42a@mail.gmail.com> <29da5d150508080944115bd761@mail.gmail.com> <200508091617.25624.jellicle@gmail.com> <29da5d15050810091013a1b556@mail.gmail.com> <20050810234506.GA22969@panix.com> <29da5d15050810214269e1a687@mail.gmail.com> <42FB57E4.2050900@email.smith.edu> <29da5d150508111046307b33ed@mail.gmail.com> <29da5d150508182111415c7cc2@mail.gmail.com>
Message-ID: <43060E51.9070003@php.net>

Brian O'Connor wrote:
> Why is it that in my php.ini I have session.use_cookies set to 1, but
> when I view a site of mine it appends the links to say
> ?PHPSESSID=xxxxxxxxxxxxx, even though my browser has cookies enabled?

You probably have session.use_trans_sid enabled. PHP has to rewrite URLs on the first page, because it hasn't had a chance to determine whether the client has cookie support enabled.

Hope that helps.
Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

From agfische at email.smith.edu Fri Aug 19 13:46:49 2005
From: agfische at email.smith.edu (Aaron Fischer)
Date: Fri, 19 Aug 2005 13:46:49 -0400
Subject: [nycphp-talk] Session basics
In-Reply-To: <29da5d150508182111415c7cc2@mail.gmail.com>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a42800508080929656f42a@mail.gmail.com> <29da5d150508080944115bd761@mail.gmail.com> <200508091617.25624.jellicle@gmail.com> <29da5d15050810091013a1b556@mail.gmail.com> <20050810234506.GA22969@panix.com> <29da5d15050810214269e1a687@mail.gmail.com> <42FB57E4.2050900@email.smith.edu> <29da5d150508111046307b33ed@mail.gmail.com> <29da5d150508182111415c7cc2@mail.gmail.com>
Message-ID: <43061B09.8010609@email.smith.edu>

Have you tested with different browsers?

Brian O'Connor wrote:
> Why is it that in my php.ini I have session.use_cookies set to 1, but
> when I view a site of mine it appends the links to say
> ?PHPSESSID=xxxxxxxxxxxxx, even though my browser has cookies enabled?
>
> On 8/11/05, *David Mintz* wrote:
> > On Thu, 11 Aug 2005, Brian O'Connor wrote:
> > > So what you're saying is if I see a "?PHPSESSID=xxxxxxxxxxxx" in the URL of
> > > my site, then it is vulnerable?
> >
> > Yeah.

From edwardpotter at gmail.com Fri Aug 19 13:56:55 2005
From: edwardpotter at gmail.com (edward potter)
Date: Fri, 19 Aug 2005 13:56:55 -0400
Subject: [nycphp-talk] HomeSite on Mac
In-Reply-To: <20050819064513.797.qmail@web52709.mail.yahoo.com>
References: <20050819064513.797.qmail@web52709.mail.yahoo.com>
Message-ID:

I think you'll be much happier with BBedit on the Mac. And for CSS things this editor looks pretty cool: http://www.macrabbit.com/cssedit/

-ed

From bpilgrim1979 at gmail.com Fri Aug 19 14:04:00 2005
From: bpilgrim1979 at gmail.com (Billy Pilgrim)
Date: Fri, 19 Aug 2005 14:04:00 -0400
Subject: [nycphp-talk] Session basics
In-Reply-To: <43061B09.8010609@email.smith.edu>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <200508091617.25624.jellicle@gmail.com> <29da5d15050810091013a1b556@mail.gmail.com> <20050810234506.GA22969@panix.com> <29da5d15050810214269e1a687@mail.gmail.com> <42FB57E4.2050900@email.smith.edu> <29da5d150508111046307b33ed@mail.gmail.com> <29da5d150508182111415c7cc2@mail.gmail.com> <43061B09.8010609@email.smith.edu>
Message-ID: <6ee3253b05081911046ccaaeda@mail.gmail.com>

For clickstream analysis, is there a way to link the phpsessid with apache 1.3 log files? If so, is it for the default php session handler? or a custom built one with mysql?
From bpilgrim1979 at gmail.com Fri Aug 19 14:08:47 2005
From: bpilgrim1979 at gmail.com (Billy Pilgrim)
Date: Fri, 19 Aug 2005 14:08:47 -0400
Subject: [nycphp-talk] Session basics
In-Reply-To:
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a42800508080929656f42a@mail.gmail.com> <29da5d150508080944115bd761@mail.gmail.com> <200508091617.25624.jellicle@gmail.com> <29da5d15050810091013a1b556@mail.gmail.com> <20050810234506.GA22969@panix.com> <29da5d15050810214269e1a687@mail.gmail.com> <42FB57E4.2050900@email.smith.edu> <29da5d150508111046307b33ed@mail.gmail.com>
Message-ID: <6ee3253b050819110867a84ced@mail.gmail.com>

On 8/11/05, David Mintz wrote:
> On Thu, 11 Aug 2005, Brian O'Connor wrote:
> > So what you're saying is if I see a "?PHPSESSID=xxxxxxxxxxxx" in the URL of
> > my site, then it is vulnerable?
>
> Yeah.

Not to mention that if someone bookmarks the page, the session id will get stored in the user's bookmark url!

From chsnyder at gmail.com Fri Aug 19 14:20:16 2005
From: chsnyder at gmail.com (csnyder)
Date: Fri, 19 Aug 2005 14:20:16 -0400
Subject: [nycphp-talk] All-in-one authentication class
Message-ID:

A graphic designer friend asked me if I knew of any drop-in PHP solutions for providing user authentication -- something that includes forms and logic for handling user registration (possibly with email confirmation), login, and password change. Using native PHP sessions of course. Good documentation / howto for non-programmers would be a bonus.

PEAR auth is too barebones, as it expects you to create all the forms and much of the logic. Clew's pauth is too complex.

There must be something like this out there... any suggestions?

--
Chris Snyder
http://chxo.com/

From agfische at email.smith.edu Fri Aug 19 14:27:25 2005
From: agfische at email.smith.edu (Aaron Fischer)
Date: Fri, 19 Aug 2005 14:27:25 -0400
Subject: [nycphp-talk] Session basics
In-Reply-To: <6ee3253b050819110867a84ced@mail.gmail.com>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a42800508080929656f42a@mail.gmail.com> <29da5d150508080944115bd761@mail.gmail.com> <200508091617.25624.jellicle@gmail.com> <29da5d15050810091013a1b556@mail.gmail.com> <20050810234506.GA22969@panix.com> <29da5d15050810214269e1a687@mail.gmail.com> <42FB57E4.2050900@email.smith.edu> <29da5d150508111046307b33ed@mail.gmail.com> <6ee3253b050819110867a84ced@mail.gmail.com>
Message-ID: <4306248D.9060605@email.smith.edu>

If the session has expired such as in browser close or timeout, the bookmarked page won't be a liability as the session id in the URL won't find a matching session id on the server. Authentication would fail and the result might be the user being sent back to the login page. I think... Someone please correct me if I'm wrong.

-Aaron

Billy Pilgrim wrote:
> Not to mention that if someone bookmarks the page, the session id will
> get stored in the user's bookmark url!

From smanes at magpie.com Fri Aug 19 14:42:31 2005
From: smanes at magpie.com (Steve Manes)
Date: Fri, 19 Aug 2005 14:42:31 -0400
Subject: [nycphp-talk] 'CHECK TABLE' syntax for Postgres
In-Reply-To: <1124378491.18456.240969212@webmail.messagingengine.com>
References: <1124378491.18456.240969212@webmail.messagingengine.com>
Message-ID: <43062817.7090209@magpie.com>

Jayesh Sheth wrote:
> I was wondering if Postgres has something similar, or if it uses an
> external tool. I did a fair bit of Googling, but have come up with
> nothing so far.

VACUUM ANALYZE, probably.
There's also a shell script version that can be run from a nightly crontab.

From shiflett at php.net Fri Aug 19 14:58:44 2005
From: shiflett at php.net (Chris Shiflett)
Date: Fri, 19 Aug 2005 14:58:44 -0400
Subject: [nycphp-talk] Session basics
In-Reply-To: <4306248D.9060605@email.smith.edu>
References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <8d9a42800508080929656f42a@mail.gmail.com> <29da5d150508080944115bd761@mail.gmail.com> <200508091617.25624.jellicle@gmail.com> <29da5d15050810091013a1b556@mail.gmail.com> <20050810234506.GA22969@panix.com> <29da5d15050810214269e1a687@mail.gmail.com> <42FB57E4.2050900@email.smith.edu> <29da5d150508111046307b33ed@mail.gmail.com> <6ee3253b050819110867a84ced@mail.gmail.com> <4306248D.9060605@email.smith.edu>
Message-ID: <43062BE4.9020900@php.net>

Aaron Fischer wrote:
> If the session has expired such as in browser close or timeout, the
> bookmarked page won't be a liability as the session id in the URL won't
> find a matching session id on the server.

The server doesn't know when the browser is closed, so that part's not right. It is true that a session timeout (on the server side) offers some protection against this type of accidental hijacking.

Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

From fields at hedge.net Fri Aug 19 17:59:56 2005
From: fields at hedge.net (Adam Fields)
Date: Fri, 19 Aug 2005 17:59:56 -0400
Subject: [nycphp-talk] Desperate need for volunteer PHP programmers at VerifiedVoting
Message-ID: <20050819215956.GG3439@lola.aquick.org>

--------- Forwarded message ---------

***!!! PLEASE PASS AROUND, FORWARD, ETC. !!!***

[Verified Voting] has a desperate need for programmers with PHP and MySQL knowledge that have a few hours per week to help code the 2005 version of the [Election Incident Reporting System][EIRS] (EIRS). I volunteered to be the CVS release engineer but, out of need, have taken over development management.

If you think you might be interested, please take a look at this volunteer recruitment page:

Username: TWikiGuest
Password: guest

[Verified Voting]: http://www.verifiedvoting.org/
[EIRS]: http://voteprotect.org/

--
Joseph Lorenzo Hall
UC Berkeley, SIMS PhD Student

--
- Adam

** Expert Technical Project and Business Management
**** System Performance Analysis and Architecture
****** [ http://www.everylastounce.com ]

[ http://www.aquick.org/blog ] ............ Blog
[ http://www.adamfields.com/resume.html ].. Experience
[ http://www.flickr.com/photos/fields ] ... Photos
[ http://www.buyadam.com/blog ].............Product Reviews
[ http://del.icio.us/fields ] ............. Links

From kigathi at gmail.com Fri Aug 19 22:17:08 2005
From: kigathi at gmail.com (Eric K.)
Date: Fri, 19 Aug 2005 22:17:08 -0400
Subject: [nycphp-talk] Roadsend
In-Reply-To: <4305DA6A.9080902@simmons.edu>
References: <4304F6E3.3080907@simmons.edu> <5EA1F8F2-D379-4B53-A4AB-A572392CE7E4@tbwachiat.com> <4304FB0F.8040405@simmons.edu> <95E725FD-D5E0-4072-A2D1-EFFEBA108910@tbwachiat.com> <4304FF53.5010502@simmons.edu> <4305D4C3.8030608@simmons.edu> <4305D63A.7060000@crisscott.com> <4305DA6A.9080902@simmons.edu>
Message-ID:

I started that old NYPHP List thread and after trying Roadsend for a while I ended up abandoning it and switching to Perl and perlcc. The results were much better/faster for what I was doing (cross platform string/file manipulation).

Just in case you were interested...

--
Eric Kigathi
kigathi at gmail.com
203 913 5109

From hendler at simmons.edu Sat Aug 20 06:11:30 2005
From: hendler at simmons.edu (Jonathan)
Date: Sat, 20 Aug 2005 06:11:30 -0400
Subject: [nycphp-talk] Roadsend
In-Reply-To:
References: <4304F6E3.3080907@simmons.edu> <5EA1F8F2-D379-4B53-A4AB-A572392CE7E4@tbwachiat.com> <4304FB0F.8040405@simmons.edu> <95E725FD-D5E0-4072-A2D1-EFFEBA108910@tbwachiat.com> <4304FF53.5010502@simmons.edu> <4305D4C3.8030608@simmons.edu> <4305D63A.7060000@crisscott.com> <4305DA6A.9080902@simmons.edu>
Message-ID: <430701D2.8080109@simmons.edu>

Thanks Eric -

Perl is certainly capable (Perl 6 and Parrot too). Python isn't anything to sniff at for compiling either.

Since I'm already invested in PHP, I might start with native PHP and some accelerator and then porting to C/C++ to make shared libraries.

I've sent some questions to roadsend - like if/when they'll have

- php 5 support
- apache 2 support
- is it possible to build in custom .so/.dlls (I guess if you buy their source code license)

Maybe I am getting outside PHP's niche into areas it "shouldn't" be used - I still think I can prototype what I want to in PHP though...

From lists at zaunere.com Sat Aug 20 13:53:38 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Sat, 20 Aug 2005 13:53:38 -0400
Subject: [nycphp-talk] Roadsend
In-Reply-To: <430701D2.8080109@simmons.edu>
Message-ID: <0MKp2t-1E6XXH0D6L-0007iN@mrelay.perfora.net>

talk-bounces at lists.nyphp.org wrote on Saturday, August 20, 2005 6:12 AM:
> Thanks Eric -
> Perl is certainly capable (Perl 6 and Parrot too). Python isn't anything
> to sniff at for compiling either.
> Since I'm already invested in PHP, I might start with native PHP and
> some accelerator and then porting to C/C++ to make shared libraries.
> I've sent some questions to roadsend - like if/when they'll have
>
> - php 5 support
> - apache 2 support
> - is it possible to build in custom .so/.dlls (I guess if you buy their
> source code license)

There used to be (perhaps still are?) some Roadsend developers on this list. They're out in Long Island. I know the last time I spoke to them, they were working on some of the above items. Would be interested to hear where things stand now.

---
Hans Zaunere
President, Founder
New York PHP
http://www.nyphp.org

AMP Technology
Supporting Apache, MySQL and PHP

From sryboston at hotmail.com Sun Aug 21 14:23:30 2005
From: sryboston at hotmail.com (-sry Boston)
Date: Sun, 21 Aug 2005 13:23:30 -0500
Subject: [nycphp-talk] MD5 + Flash
Message-ID:

Hiya,

If you're over on WWWAC you've already seen this but I'm asking here from another slant. I have no idea what I can or can't do withOUT having to create/manage a mySQL db...my server will let me do this easily enough but it's been over a year since I've thought of PHP or mySQL and I don't want to get so distracted by the programming mindset that I forget what I was doing in the first place (trying to do some marketing).

Below is the process I'm trying to implement - step 5 is where I'm fuzzy...I know I could definitely have the URL come back to a PHP page that looks up the string in a db (and a very simple one, I'm sure, since it's just a list) but I'd rather just have the URL come back to the Flash file and do the checking from within the .swf, with ActionScript - is that easier or harder? Since you guys all love PHP and probably only half of you even like AS, I know it's a biased answer I'll get :-) but try to be objective and not play favorites on the languages here.

What I want to do:

(1) user gives me email address

(2) with a PHP script (free from http://www.allhype.co.uk/tools/md5/ and a very nice script actually!!) I MD5 their email address

(3) I send user a message (to validate the address works) that has their MD5'd address as a link for them to come back and get what they want

(4) user clicks unique query string in the email I've sent them

(4) I validate the string .....how/from where is the ??? :)

(5) if valid, give them the Flash file; if not, give them an error message

Any help much appreciated!

-sry

Sarah R. Yoffa
http://books.sarahryoffa.com/
books at sarahryoffa.com
*********************
Look for the exciting release of the newly-edited
THE PHOENIX SHALL RISE AGAIN
Coming to online booksellers - New Year's 2006.
*********************

From lists at zaunere.com Sun Aug 21 17:45:41 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Sun, 21 Aug 2005 17:45:41 -0400
Subject: [nycphp-talk] MD5 + Flash
In-Reply-To:
Message-ID: <0MKp2t-1E6xdN3S4E-0001Lu@mrelay.perfora.net>

talk-bounces at lists.nyphp.org wrote on Sunday, August 21, 2005 2:24 PM:
> What I want to do:
>
> (1) user gives me email address
>
> (2) with a PHP script (free from http://www.allhype.co.uk/tools/md5/
> and a very nice script actually!!) I MD5 their email address
>
> (3) I send user a message (to validate the address works) that has
> their MD5'd address as a link for them to come back and get what they
> want
>
> (4) user clicks unique query string in the email I've sent them
>
> (4) I validate the string .....how/from where is the ??? :)
>
> (5) if valid, give them the Flash file; if not, give them an
> error message

You could do all of this with just Flash, etc. assuming Flash has MD5, as I'm sure it does, but you'll be limited. If you want to track who has downloaded what files, the browser they're using, etc. you won't be able to do so without a DB.

There's also a security concern here. There's no way to know that the email address you've gotten originally, is the same as the one that's coming from the link. Since you're not storing anything anywhere, you have no way to keep persistent data. If I know that you're checking that an MD5 matches the MD5 of the email address, I can pass you any MD5 I want, and it'll validate.

H

From tbrennan at datasafeservices.com Sun Aug 21 20:16:17 2005
From: tbrennan at datasafeservices.com (Thomas Brennan)
Date: Sun, 21 Aug 2005 20:16:17 -0400
Subject: [nycphp-talk] OWASP 9/29 Save The Date
Message-ID: <1DA2AD8042527B4199C09042CFC0A94D18794B@jinx.datasafeservices.net>

I would like to provide you with advanced notice and extend a special invite for you to join us at the next Open Web Application Security Meeting (OWASP) NJ Chapter meeting.
The next event will be held on September 29th at ABN AMRO in Jersey City (across from the PATH station) - full details, speakers and RSVP information is located at the chapter website online: http://www.owasp.org/local/nnj.html Currently on the September Agenda: SPEAKER - OWASP - Topic: Review of OWASP Security Guide v2.0.1 Released at BlackHat SPEAKER - eEye Digital Security - Topic: Worm / Vulnerability Management SPEAKER - Application Security - Topic: Database Attacks SPEAKER - NitroSecurity - Topic: Analysis of Network Attacks ** You are encouraged to forward this email to others that you believe would benefit from this non-profit, educational peer-to-peer networking opportunity -- RSVP is required due to building security requirements see: http://www.owasp.org/local/nnj.html for details. At our November meeting we are looking forward to having NYPHP/Hans Zaunere speak concerning PHP Security Issues Enjoy the rest of your summer! Thomas Brennan, CISSP, CFSO, MCSA, C|EH DATA SAFE SERVICES "Because Security is NOT the default" 831-B Route 10 East, Whippany NJ 07981 Tel: 973-795-1046 | Fax: 973-428-0293 Web: www.datasafeservices.com From bpilgrim1979 at gmail.com Sun Aug 21 22:48:19 2005 From: bpilgrim1979 at gmail.com (Billy Pilgrim) Date: Sun, 21 Aug 2005 22:48:19 -0400 Subject: [nycphp-talk] Session basics In-Reply-To: <43062BE4.9020900@php.net> References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <29da5d15050810091013a1b556@mail.gmail.com> <20050810234506.GA22969@panix.com> <29da5d15050810214269e1a687@mail.gmail.com> <42FB57E4.2050900@email.smith.edu> <29da5d150508111046307b33ed@mail.gmail.com> <6ee3253b050819110867a84ced@mail.gmail.com> <4306248D.9060605@email.smith.edu> <43062BE4.9020900@php.net> Message-ID: <6ee3253b050821194874c5ddf0@mail.gmail.com> On 8/19/05, Chris Shiflett wrote: > Aaron Fischer wrote: > > If the session has expired such as in browser close or timeout, the > > bookmarked page won't be a liability as the 
session id in the URL won't > > find a matching session id on the server. > > The server doesn't know when the browser is closed, so that part's not > right. It is true that a session timeout (on the server side) offers > some protection against this type of accidental hijacking. A bookmarked session id might not result in a hijacked session, but it's not a good idea to have session ids exposed and kept around like that. Consider another example: Someone is logged into a newspaper site and sees an interesting article. The user copies the url (with session id) and pastes it in an email to a friend. If the friend receives the email quickly and the server has a long timeout, accidental session hijacking could occur. The primary reason to have a session id in the url is if the browser doesn't support cookies, right? From chsnyder at gmail.com Mon Aug 22 08:35:30 2005 From: chsnyder at gmail.com (csnyder) Date: Mon, 22 Aug 2005 08:35:30 -0400 Subject: [nycphp-talk] MD5 + Flash In-Reply-To: References: Message-ID: On 8/21/05, -sry Boston wrote: > What I want to do: > > (1) user gives me email address > > (2) with a PHP script (free from http://www.allhype.co.uk/tools/md5/ > and a very nice script actually!!) I MD5 their email address > > (3) I send user a message (to validate the address works) that has > their MD5'd address as a link for them to come back and get what > they want > > (4) user clicks unique query string in the email I've sent them > > (4) I validate the string .....how/from where is the ??? :) > > (5) if valid, give them the Flash file; if not, give them an error message > > Any help much appreciated! I think you have the purpose of the MD5 hash confused. In this case, you want it to be an *unguessable* token that the user can bring back to you to prove that they got your validation message, and that they own the mailbox associated with the provided email address. In other words, it should be random. 
If it's just the hash of their email address, then an impersonator could easily generate the right token and validate an address that isn't their own (as Hans pointed out). You will need some sort of DB -- MySQL or flat file or otherwise -- to store the email address and the random token in the same record, so that when the user clicks the link with the token in it, you can look up the email and mark it valid. -- Chris Snyder http://chxo.com/ From gatzby3jr at gmail.com Mon Aug 22 12:29:19 2005 From: gatzby3jr at gmail.com (Brian O'Connor) Date: Mon, 22 Aug 2005 12:29:19 -0400 Subject: [nycphp-talk] Session basics In-Reply-To: <6ee3253b050821194874c5ddf0@mail.gmail.com> References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <20050810234506.GA22969@panix.com> <29da5d15050810214269e1a687@mail.gmail.com> <42FB57E4.2050900@email.smith.edu> <29da5d150508111046307b33ed@mail.gmail.com> <6ee3253b050819110867a84ced@mail.gmail.com> <4306248D.9060605@email.smith.edu> <43062BE4.9020900@php.net> <6ee3253b050821194874c5ddf0@mail.gmail.com> Message-ID: <29da5d15050822092969a81721@mail.gmail.com> Ahh, now I'm still confused :\ I added this to a main included file at the top: ini_set("session.use_trans_sid", 0); ini_set("session.use_only_cookies", 1); However, I'm still seeing "?PHPSESSID=xxxxxxxxxxx" in my URLs. I apologize in advance if I'm getting this wrong, but I tested it in IE and Firefox, and no luck either way. Not to mention that cookies are enabled on both browsers so it shouldn't even be resorting to the URL. I then put echo ini_get("session.use_only_cookies"); and the output is 1, but it is still giving the sessid through the URL. If anyone knows what's going on, I would appreciate some help fixing this :\ Thanks. 
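The random-token scheme Hans and Chris describe in the MD5 + Flash thread above, written out as an added example; this is not code from any message in the thread. It assumes a PDO connection (here an in-memory SQLite database built inline with constructed sample data) and a hypothetical table named `signups` with columns email, token_hash, created and verified; random_bytes() and the nullable return type need PHP 7.1 or later. The md5(email) check from the original post is kept beside it only for contrast.

```php
<?php
// Added example for the MD5 + Flash thread; not code from any message above.
// Assumptions (hypothetical names): a PDO handle to a table `signups` with
// columns email, token_hash, created, verified. Needs PHP 7.1+ and pdo_sqlite.

// What the original post proposed, for contrast: the "token" is md5(email),
// so anyone who knows the address can compute it without receiving any mail.
function weakCheck(string $email, string $tokenFromLink): bool
{
    return md5($email) === $tokenFromLink;
}

// Issue a token: 16 random bytes (128 bits), hex-encoded for the URL.
// Only a SHA-256 of it is stored, so a leaked table does not yield valid links.
function issueToken(PDO $pdo, string $email): string
{
    $token = bin2hex(random_bytes(16));
    $stmt = $pdo->prepare(
        'INSERT INTO signups (email, token_hash, created, verified) VALUES (?, ?, ?, 0)'
    );
    $stmt->execute([$email, hash('sha256', $token), time()]);
    return $token;
}

// Verify a token from the link: shape check, lookup by hash, expiry,
// then mark the record verified so the link is single-use.
// Returns the verified address, or null if the token is not accepted.
function verifyToken(PDO $pdo, string $token, int $maxAgeSeconds = 86400): ?string
{
    if (!preg_match('/^[0-9a-f]{32}$/', $token)) {
        return null;                       // not even shaped like one of ours
    }
    $hash = hash('sha256', $token);
    $stmt = $pdo->prepare(
        'SELECT email, created FROM signups WHERE token_hash = ? AND verified = 0'
    );
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || time() - (int) $row['created'] > $maxAgeSeconds) {
        return null;                       // unknown, already used, or expired
    }
    $upd = $pdo->prepare('UPDATE signups SET verified = 1 WHERE token_hash = ?');
    $upd->execute([$hash]);
    return $row['email'];
}

// Stand-alone run against a constructed in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE signups (email TEXT, token_hash TEXT UNIQUE, created INTEGER, verified INTEGER)');

$email = 'reader@example.com';                              // constructed sample address
$token = issueToken($pdo, $email);
$link  = 'https://example.com/verify.php?t=' . $token;      // what goes into the e-mail

// The guessable scheme accepts a value the "visitor" computed themselves...
var_dump(weakCheck($email, md5($email)));
// ...the random token is accepted once, from the mailed link only.
var_dump(verifyToken($pdo, $token) === $email);
var_dump(verifyToken($pdo, $token));                        // second use of the same link
var_dump(verifyToken($pdo, md5($email)));                   // an impersonator's guess
```

Run with the php CLI: the first two dumps are true, the last two are NULL. The point is the lookup direction: the server never recomputes anything from the address, it only asks whether the presented token was one it handed out, and forgets it after the first use.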
On 8/21/05, Billy Pilgrim wrote: > > On 8/19/05, Chris Shiflett wrote: > > Aaron Fischer wrote: > > > If the session has expired such as in browser close or timeout, the > > > bookmarked page won't be a liability as the session id in the URL > won't > > > find a matching session id on the server. > > > > The server doesn't know when the browser is closed, so that part's not > > right. It is true that a session timeout (on the server side) offers > > some protection against this type of accidental hijacking. > > A bookmarked session id might not result in a hijacked session, but > it's not a good idea to have session ids exposed and kept around like > that. > > Consider another example: Someone is logged into a newspaper site and > sees an interesting article. The user copies the url (with session id) > and pastes it in an email to a friend. If the friend receives the > email quickly and the server has a long timeout, accidental session > hijacking could occur. > > The primary reason to have a session id in the url is if the browser > doesn't support cookies, right? > _______________________________________________ > New York PHP Talk Mailing List > AMP Technology > Supporting Apache, MySQL and PHP > http://lists.nyphp.org/mailman/listinfo/talk > http://www.nyphp.org > -- Brian O'Connor -------------- next part -------------- An HTML attachment was scrubbed... URL: From sryboston at hotmail.com Mon Aug 22 12:37:57 2005 From: sryboston at hotmail.com (-sry Boston) Date: Mon, 22 Aug 2005 11:37:57 -0500 Subject: [nycphp-talk] MD5 + Flash In-Reply-To: Message-ID: Thanks for the explicit verification, Chris. You and Hans are both right, I am definitely fuzzy on using MD5 hashing (how and why). I also am not looking to do the serious user management Hans points out is lacking from my algorithm, just as you guys noted, some quick little lookup verification. Thanks for the help...time to drag out the 7-yr-old Dell again, where my Apache/PHP/mySQL installation resides. 
Gonna be hard after working on the Toshiba Satellite, but thank you for the sanity check on this, guys! I'll just stick to PHP for the whole shebang--it's such a great language and all I really need out of Flash is the pretty picture part, not ActionScripting. -sry >From: csnyder >Reply-To: NYPHP Talk >To: NYPHP Talk >Subject: Re: [nycphp-talk] MD5 + Flash >Date: Mon, 22 Aug 2005 08:35:30 -0400 > >On 8/21/05, -sry Boston wrote: > > > What I want to do: > > > > (1) user gives me email address > > > > (2) with a PHP script (free from http://www.allhype.co.uk/tools/md5/ > > and a very nice script actually!!) I MD5 their email address > > > > (3) I send user a message (to validate the address works) that has > > their MD5'd address as a link for them to come back and get what > > they want > > > > (4) user clicks unique query string in the email I've sent them > > > > (4) I validate the string .....how/from where is the ??? :) > > > > (5) if valid, give them the Flash file; if not, give them an error >message > > > > Any help much appreciated! > >I think you have the purpose of the MD5 hash confused. In this case, >you want it to be an *unguessable* token that the user can bring back >to you to prove that they got your validation message, and >that they own the mailbox associated with the provided email address. > >In other words, it should be random. If it's just the hash of their >email address, then an impersonator could easily generate the right >token and validate an address that isn't their own (as Hans pointed >out). > >You will need some sort of DB -- MySQL or flat file or otherwise -- to >store the email address and the random token in the same record, so >that when the user clicks the link with the token in it, you can look >up the email and mark it valid. 
> >-- >Chris Snyder >http://chxo.com/ From matt at jobsforge.com Mon Aug 22 13:22:28 2005 From: matt at jobsforge.com (Matthew Terenzio) Date: Mon, 22 Aug 2005 13:22:28 -0400 Subject: [nycphp-talk] Session basics In-Reply-To: <29da5d15050822092969a81721@mail.gmail.com> References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <20050810234506.GA22969@panix.com> <29da5d15050810214269e1a687@mail.gmail.com> <42FB57E4.2050900@email.smith.edu> <29da5d150508111046307b33ed@mail.gmail.com> <6ee3253b050819110867a84ced@mail.gmail.com> <4306248D.9060605@email.smith.edu> <43062BE4.9020900@php.net> <6ee3253b050821194874c5ddf0@mail.gmail.com> <29da5d15050822092969a81721@mail.gmail.com> Message-ID: <8f0185a4e35a2df0c086a932ba3ead64@jobsforge.com> Not sure if this helps, but just in case . . . http://lists.nyphp.org/pipermail/talk/2005-January/013648.html On Aug 22, 2005, at 12:29 PM, Brian O'Connor wrote: > Ahh, now I'm still confused :\ > > I added this to a main included file at the top: > > ini_set("session.use_trans_sid", 0); > > ini_set("session.use_only_cookies", 1); > > However, I'm still seeing "?PHPSESSID=xxxxxxxxxxx" in my URL's. > > I apologize in advance if I'm getting this wrong, but I tested it in > IE and Firefox, and no luck either way. Not to mention that cookies > are enabled on both browsers so it shouldn't even be resorting to the > URL. > > I then put > > echo ini_get("session.use_only_cookies"); > > and the output is 1, but it is still giving the sessid through the > URL. 
If anyone knows what's going on, I would appreciate some help > fixing this :\ Thanks. > > On 8/21/05, Billy Pilgrim wrote: >> On 8/19/05, Chris Shiflett wrote: >> > Aaron Fischer wrote: >> > > If the session has expired such as in browser close or timeout, >> the >> > > bookmarked page won't be a liability as the session id in the URL >> won't >> > > find a matching session id on the server. >> > >> > The server doesn't know when the browser is closed, so that part's >> not >> > right. It is true that a session timeout (on the server side) offers >> > some protection against this type of accidental hijacking. >> >> A bookmarked session id might not result in a hijacked session, but >> it's not a good idea to have session ids exposed and kept around like >> that. >> >> Consider another example: Someone is logged into a newspaper site and >> sees an interesting article. The user copies the url (with session id) >> and pastes it in an email to a friend. If the friend receives the >> email quickly and the server has a long timeout, accidental session >> hijacking could occur. >> >> The primary reason to have a session id in the url is if the browser >> doesn't support cookies, right? > > -- > Brian O'Connor From chsnyder at gmail.com Mon Aug 22 13:32:10 2005 From: chsnyder at gmail.com (csnyder) Date: Mon, 22 Aug 2005 13:32:10 -0400 Subject: [nycphp-talk] MD5 + Flash In-Reply-To: References: Message-ID: On 8/22/05, -sry Boston wrote: > Thanks for the help...time to drag out the 7-yr-old Dell again, > where my Apache/PHP/mySQL installation resides. 
Gonna be > hard after working on the Toshiba Satellite, but thank you for > the sanity check on this, guys! I'll just stick to PHP for the whole > shebang--it's such a great language and all I really need out of > Flash is the pretty picture part, not ActionScripting. Heh, have fun! BTW, your Toshiba can run an AMP stack with no problem. Check out XAMPP for Windows (for instance) at http://www.apachefriends.org/en/xampp-windows.html From cliff at pinestream.com Mon Aug 22 13:41:31 2005 From: cliff at pinestream.com (Cliff Hirsch) Date: Mon, 22 Aug 2005 13:41:31 -0400 Subject: [nycphp-talk] MD5 + Flash In-Reply-To: Message-ID: <001e01c5a740$bbe304d0$11a8a8c0@cliff> XAMPP rocks. Just be careful of the placement and settings of INI files if you already have others on your machine. And look at your PHP.ini file. I thought the default setting for magic_quotes in PHP5 is off. XAMPP has it turned on, which caused some head scratching. -----Original Message----- From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of csnyder Sent: Monday, August 22, 2005 1:32 PM To: NYPHP Talk Subject: Re: [nycphp-talk] MD5 + Flash On 8/22/05, -sry Boston wrote: > Thanks for the help...time to drag out the 7-yr-old Dell again, where > my Apache/PHP/mySQL installation resides. Gonna be hard after working > on the Toshiba Satellite, but thank you for the sanity check on this, > guys! I'll just stick to PHP for the whole shebang--it's such a great > language and all I really need out of Flash is the pretty picture > part, not ActionScripting. Heh, have fun! BTW, your Toshiba can run an AMP stack with no problem. 
Check out XAMPP for Windows (for instance) at http://www.apachefriends.org/en/xampp-windows.html From nyphp at enobrev.com Mon Aug 22 13:44:45 2005 From: nyphp at enobrev.com (Mark Armendariz) Date: Mon, 22 Aug 2005 10:44:45 -0700 Subject: [nycphp-talk] MD5 + Flash In-Reply-To: Message-ID: <20050822174432.BFAAAA8633@virtu.nyphp.org> As a side note, Flash / ActionScript does not have native crypto functions / classes. Here's an incredible resource though, should you find you still need them... http://www.meychi.com/archive/000021.php Good luck! Mark From gatzby3jr at gmail.com Mon Aug 22 14:32:06 2005 From: gatzby3jr at gmail.com (Brian O'Connor) Date: Mon, 22 Aug 2005 14:32:06 -0400 Subject: [nycphp-talk] Session basics In-Reply-To: <8f0185a4e35a2df0c086a932ba3ead64@jobsforge.com> References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <42FB57E4.2050900@email.smith.edu> <29da5d150508111046307b33ed@mail.gmail.com> <6ee3253b050819110867a84ced@mail.gmail.com> <4306248D.9060605@email.smith.edu> <43062BE4.9020900@php.net> <6ee3253b050821194874c5ddf0@mail.gmail.com> <29da5d15050822092969a81721@mail.gmail.com> <8f0185a4e35a2df0c086a932ba3ead64@jobsforge.com> Message-ID: <29da5d15050822113260a50666@mail.gmail.com> That seems to be the same problem I'm having, so is it okay that the URL only gets rewritten on the first page? Because that's all I'm seeing as of now, but I thought that was almost as dangerous as it being there all the time. Appreciate the help. On 8/22/05, Matthew Terenzio wrote: > > Not sure if this helps, but just in case . . . 
-- Brian O'Connor -------------- next part -------------- An HTML attachment was scrubbed... URL: From hendler at simmons.edu Mon Aug 22 14:30:30 2005 From: hendler at simmons.edu (Jonathan) Date: Mon, 22 Aug 2005 14:30:30 -0400 Subject: [nycphp-talk] Roadsend In-Reply-To: <0MKp2t-1E6XXH0D6L-0007iN@mrelay.perfora.net> References: <0MKp2t-1E6XXH0D6L-0007iN@mrelay.perfora.net> Message-ID: <430A19C6.4070903@simmons.edu> Hans, here's what Shannon at Roadsend had to say: Hi Jonathan, Thanks for your interest in the Roadsend Compiler! hendler at simmons.edu wrote: > Hi, > I am considering a purchase within the next 3 months for an > application I want to distribute. I'm excited by the compiler but have > more questions. > I glanced at the FAQ, sorry if I missed something. > > 1. Are you planning PHP 5 support? Yes we are planning PHP 5 support, but it will probably not be available until a release sometime next year. Currently we are focused on adding more extension support through a compatibility layer that will allow the use of open source php extensions. 
We are also working on adding the ability to compile an application with a built in web server, so you can distribute web applications as stand alone programs. > 2. Are you planning Apache 2 support? The reason it only works under > apache 1.x is because the complier can create an apache module? Yes, but before native Apache 2 support shows up we will probably have a better CGI interface (using FastCGI) that would allow the use of compiled apps under Apache 2, IIS and other web servers. > 3. Did you run your benchmarks against php with eAccelerater, etc.? The benchmarks posted on the site were run against a plain open source PHP install. > 4. For a stand alone webserver app - how does this work? I see that I > would have to write custom HTTP output - but what handles incoming > requests? Would I still bundle apache? In the current release there is no easy way to do a stand alone web server app. The new feature we are working on that I mentioned above will embed a small web server right into the final executable. When the executable is run, it begins listening on a (customizable) port so all the user has to do is point a browser to it. It will then begin serving (compiled) pages like a normal PHP application. You would not have to bundle anything besides the required binaries and supporting files (images, external files the app uses, required supporting libraries, etc). > 5. If I write my own .so or use libxml2 or mcrypt, technically > speaking, would I be able to create a binary that includes these > libraries? > Our compiler will allow you to create a binary that uses external libraries, but you are still responsible for adhering to the license restrictions for that particular library. 
For example, if you create a commercial, closed source application that requires the MySQL library, they require you to purchase a license, as explained here: http://www.mysql.com/company/legal/licensing/faq.html On the other hand, libxml2 and libpcre are free to use commercially, so it depends on the library. > Thanks very much for your time. > > Regards, > Jonathan Hendler > > Let me know if I can answer any more questions. Thanks, Shannon Roadsend, Inc. Hans Zaunere wrote: > There used to be (perhaps still are?) some Roadsend developers on this > list. > >They're out in Long Island. > >I know the last time I spoke to them, they were working on some of the above >items. Would be interested to hear where things stand now. > > >--- >Hans Zaunere >President, Founder >New York PHP >http://www.nyphp.org > >AMP Technology >Supporting Apache, MySQL and PHP > > >_______________________________________________ >New York PHP Talk Mailing List >AMP Technology >Supporting Apache, MySQL and PHP >http://lists.nyphp.org/mailman/listinfo/talk >http://www.nyphp.org > > From matt at jobsforge.com Mon Aug 22 16:59:26 2005 From: matt at jobsforge.com (Matthew Terenzio) Date: Mon, 22 Aug 2005 16:59:26 -0400 Subject: [nycphp-talk] Session basics In-Reply-To: <29da5d15050822113260a50666@mail.gmail.com> References: <1350701.1122939343518.JavaMail.root@wamui-chisos.atl.sa.earthlink.net> <42FB57E4.2050900@email.smith.edu> <29da5d150508111046307b33ed@mail.gmail.com> <6ee3253b050819110867a84ced@mail.gmail.com> <4306248D.9060605@email.smith.edu> <43062BE4.9020900@php.net> <6ee3253b050821194874c5ddf0@mail.gmail.com> <29da5d15050822092969a81721@mail.gmail.com> <8f0185a4e35a2df0c086a932ba3ead64@jobsforge.com> <29da5d15050822113260a50666@mail.gmail.com> Message-ID: As far as I understand, session.use_only_cookies should NOT rewrite the URL even on the first page. session.use_cookies WILL rewrite the first page and decide from then on whether to use cookies (if enabled) or continue rewriting. 
Someone else can chime in if this doesn't sound right. Matt On Aug 22, 2005, at 2:32 PM, Brian O'Connor wrote: > That seems to be the same problem I'm having, so is it okay that the > URL only gets rewritten on the first page? Because that's all I'm > seeing as of now, but I thought that was almost as dangerous as it > being there all the time. > > Appreciate the help. 
From rinaldy_roy at yahoo.com Mon Aug 22 20:33:51 2005 From: rinaldy_roy at yahoo.com (rinaldy roy) Date: Mon, 22 Aug 2005 17:33:51 -0700 (PDT) Subject: [nycphp-talk] New Start for D'base and ASP.Net In-Reply-To: Message-ID: <20050823003351.83232.qmail@web52710.mail.yahoo.com> Please advise how to start to exercise with Database for ASP.Net. What is the best tutorial Web for that purpose? 
Tx for your all guys Rinaldy RM talk-request at lists.nyphp.org wrote: Send talk mailing list submissions to talk at lists.nyphp.org To subscribe or unsubscribe via the World Wide Web, visit http://lists.nyphp.org/mailman/listinfo/talk or, via email, send a message with subject or body 'help' to talk-request at lists.nyphp.org You can reach the person managing the list at talk-owner at lists.nyphp.org When replying, please edit your Subject line so it is more specific than "Re: Contents of talk digest..." Today's Topics: 1. MD5 + Flash (-sry Boston) 2. Re: MD5 + Flash (Hans Zaunere) 3. OWASP 9/29 Save The Date (Thomas Brennan) 4. Re: Session basics (Billy Pilgrim) 5. Re: MD5 + Flash (csnyder) ---------------------------------------------------------------------- Message: 1 Date: Sun, 21 Aug 2005 13:23:30 -0500 From: "-sry Boston" Subject: [nycphp-talk] MD5 + Flash To: talk at lists.nyphp.org Message-ID: Content-Type: text/plain; format=flowed Hiya, If you're over on WWWAC you've already seen this but I'm asking here from another slant. I have no idea what I can or can't do withOUT having to create/manage a mySQL db...my server will let me do this easily enough but it's been over a year since I've thought of PHP or mySQL and I don't want to get so distracted by the programming mindset that I forget what I was doing in the first place (trying to do some marketing). Below is the process I'm trying to implement - step 5 is where I'm fuzzy...I know I could definitely have the URL come back to a PHP page that looks up the string in a db (and a very simple one, I'm sure, since it's just a list) but I'd rather just have the URL come back to the Flash file and do the checking from within the .swf, with ActionScript - is that easier or harder? Since you guys all love PHP and probably only half of you even like AS, I know it's a biased answer I'll get :-) but try to be objective and not play favorites on the languages here. 
What I want to do: (1) user gives me email address (2) with a PHP script (free from http://www.allhype.co.uk/tools/md5/ and a very nice script actually!!) I MD5 their email address (3) I send user a message (to validate the address works) that has their MD5'd address as a link for them to come back and get what they want (4) user clicks unique query string in the email I've sent them (4) I validate the string .....how/from where is the ??? :) (5) if valid, give them the Flash file; if not, give them an error message Any help much appreciated! -sry Sarah R. Yoffa http://books.sarahryoffa.com/ books at sarahryoffa.com ********************* Look for the exciting release of the newly-edited THE PHOENIX SHALL RISE AGAIN Coming to online booksellers - New Year's 2006. ********************* _________________________________________________________________ Express yourself instantly with MSN Messenger! Download today - it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/ ------------------------------ Message: 2 Date: Sun, 21 Aug 2005 17:45:41 -0400 From: "Hans Zaunere" Subject: Re: [nycphp-talk] MD5 + Flash To: "'NYPHP Talk'" Message-ID: <0MKp2t-1E6xdN3S4E-0001Lu at mrelay.perfora.net> Content-Type: text/plain; charset="us-ascii" talk-bounces at lists.nyphp.org wrote on Sunday, August 21, 2005 2:24 PM: > Hiya, > > If you're over on WWWAC you've already seen this but I'm asking here > from another slant. I have no idea what I can or can't do withOUT > having to create/manage a mySQL db...my server will let me do this > easily enough but it's been over a year since I've thought of PHP or > mySQL and I don't want to get so distracted by the programming > mindset that I forget what I was doing in the first place (trying to > do some marketing). 
> > Below is the process I'm trying to implement - step 5 is where I'm > fuzzy...I know I could definitely have the URL come back to a > PHP page that looks up the string in a db (and a very simple one, > I'm sure, since it's just a list) but I'd rather just have > the URL come > back to the Flash file and do the checking from within the .swf, > with ActionScript - is that easier or harder? Since you guys all love > PHP and probably only half of you even like AS, I know it's a biased > answer I'll get :-) but try to be objective and not play favorites on > the languages here. > > What I want to do: > > (1) user gives me email address > > (2) with a PHP script (free from http://www.allhype.co.uk/tools/md5/ > and a very nice script actually!!) I MD5 their email address > > (3) I send user a message (to validate the address works) that has > their MD5'd address as a link for them to come back and get what they > want > > (4) user clicks unique query string in the email I've sent them > > (4) I validate the string .....how/from where is the ??? :) > > (5) if valid, give them the Flash file; if not, give them an > error message You could do all of this with just Flash, etc. assuming Flash has MD5, as I'm sure it does, but you'll be limited. If you want to track who has downloaded what files, the browser they're using, etc. you won't be able to do so without a DB. There's also a security concern here. There's no way to know that the email address you've gotten originally, is the same as the one that's coming from the link. Since you're not storing anything anywhere, you have no way to keep persistent data. If I know that you're checking that an MD5 matches the MD5 of the email address, I can pass you any MD5 I want, and it'll validate. 
H

------------------------------

Message: 3
Date: Sun, 21 Aug 2005 20:16:17 -0400
From: "Thomas Brennan"
Subject: [nycphp-talk] OWASP 9/29 Save The Date
To:
Message-ID: <1DA2AD8042527B4199C09042CFC0A94D18794B at jinx.datasafeservices.net>
Content-Type: text/plain; charset="US-ASCII"

I would like to provide you with advance notice and extend a special invite for you to join us at the next Open Web Application Security Meeting (OWASP) NJ Chapter meeting. The next event will be held on September 29th at ABN AMRO in Jersey City (across from the PATH station) - full details, speakers and RSVP information are located at the chapter website online: http://www.owasp.org/local/nnj.html

Currently on the September Agenda:

SPEAKER - OWASP - Topic: Review of OWASP Security Guide v2.0.1 Released at BlackHat
SPEAKER - eEye Digital Security - Topic: Worm / Vulnerability Management
SPEAKER - Application Security - Topic: Database Attacks
SPEAKER - NitroSecurity - Topic: Analysis of Network Attacks

** You are encouraged to forward this email to others that you believe would benefit from this non-profit, educational peer-to-peer networking opportunity -- RSVP is required due to building security requirements; see http://www.owasp.org/local/nnj.html for details.

At our November meeting we are looking forward to having NYPHP/Hans Zaunere speak concerning PHP Security Issues.

Enjoy the rest of your summer!
Thomas Brennan, CISSP, CFSO, MCSA, C|EH
DATA SAFE SERVICES
"Because Security is NOT the default"
831-B Route 10 East, Whippany NJ 07981
Tel: 973-795-1046 | Fax: 973-428-0293
Web: www.datasafeservices.com

------------------------------

Message: 4
Date: Sun, 21 Aug 2005 22:48:19 -0400
From: Billy Pilgrim
Subject: Re: [nycphp-talk] Session basics
To: NYPHP Talk
Message-ID: <6ee3253b050821194874c5ddf0 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On 8/19/05, Chris Shiflett wrote:
> Aaron Fischer wrote:
> > If the session has expired such as in browser close or timeout, the
> > bookmarked page won't be a liability as the session id in the URL won't
> > find a matching session id on the server.
>
> The server doesn't know when the browser is closed, so that part's not
> right. It is true that a session timeout (on the server side) offers
> some protection against this type of accidental hijacking.

A bookmarked session id might not result in a hijacked session, but it's not a good idea to have session ids exposed and kept around like that.

Consider another example: Someone is logged into a newspaper site and sees an interesting article. The user copies the url (with session id) and pastes it in an email to a friend. If the friend receives the email quickly and the server has a long timeout, accidental session hijacking could occur.

The primary reason to have a session id in the url is if the browser doesn't support cookies, right?

------------------------------

Message: 5
Date: Mon, 22 Aug 2005 08:35:30 -0400
From: csnyder
Subject: Re: [nycphp-talk] MD5 + Flash
To: NYPHP Talk
Message-ID:
Content-Type: text/plain; charset=ISO-8859-1

On 8/21/05, -sry Boston wrote:
> What I want to do:
>
> (1) user gives me email address
>
> (2) with a PHP script (free from http://www.allhype.co.uk/tools/md5/
> and a very nice script actually!!)
> I MD5 their email address
>
> (3) I send user a message (to validate the address works) that has
> their MD5'd address as a link for them to come back and get what
> they want
>
> (4) user clicks unique query string in the email I've sent them
>
> (4) I validate the string .....how/from where is the ??? :)
>
> (5) if valid, give them the Flash file; if not, give them an error message
>
> Any help much appreciated!

I think you have the purpose of the MD5 hash confused. In this case, you want it to be an *unguessable* token that the user can bring back to you to prove that they got your validation message, and that they own the mailbox associated with the provided email address. In other words, it should be random.

If it's just the hash of their email address, then an impersonator could easily generate the right token and validate an address that isn't their own (as Hans pointed out).

You will need some sort of DB -- MySQL or flat file or otherwise -- to store the email address and the random token in the same record, so that when the user clicks the link with the token in it, you can look up the email and mark it valid.

--
Chris Snyder
http://chxo.com/

------------------------------

_______________________________________________
talk mailing list
talk at lists.nyphp.org
http://lists.nyphp.org/mailman/listinfo/talk

End of talk Digest, Vol 27, Issue 50
************************************
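The token scheme Hans and Chris describe above (a random, stored, single-use token instead of md5 of the address), written out as an added PHP example. This is not code from the original thread or from anyone on the list. It assumes PHP 7.1 or later with the pdo_sqlite extension, and the table name pending, its columns, the 24-hour expiry and the sample address are all assumptions made for this example; the same code runs against MySQL by changing the DSN.

```php
<?php
declare(strict_types=1);
// Added example, not from the original thread: e-mail verification with a
// random token stored next to the address, instead of md5($email) in the link.
// Assumptions: PHP 7.1+, the pdo_sqlite extension, and the table/column names
// and 24-hour expiry below. Swap the DSN for MySQL in production.

function open_store(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE pending (
        email      TEXT    NOT NULL,
        token_hash TEXT    NOT NULL UNIQUE,
        created    INTEGER NOT NULL,
        validated  INTEGER NOT NULL DEFAULT 0)');
    return $db;
}

// Steps 2 and 3: issue the token that goes into the link. It is 32 bytes from
// the CSPRNG and has nothing to do with the address, so nobody can compute it
// from an e-mail address they do not own. Only its SHA-256 is stored, so a
// leaked copy of the table does not hand out working links.
function issue_token(PDO $db, string $email): string
{
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO pending (email, token_hash, created) VALUES (?, ?, ?)');
    $stmt->execute([$email, hash('sha256', $token), time()]);
    return $token;   // e.g. http://example.com/get.php?t=<token>
}

// Steps 4 and 5: the link comes back. Look the token up by its hash; the hash
// of a 256-bit random value leaks nothing useful even if the string comparison
// in the database is not constant-time. Refuse unknown, expired and already
// used tokens, then mark the address validated and return it.
function validate_token(PDO $db, string $token, int $ttl = 86400): ?string
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;   // wrong shape (an md5 hex digest is 32 chars): reject before touching the DB
    }
    $hash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT email, created, validated FROM pending WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['validated'] !== 0 || time() - (int) $row['created'] > $ttl) {
        return null;
    }
    $db->prepare('UPDATE pending SET validated = 1 WHERE token_hash = ?')->execute([$hash]);
    return $row['email'];   // caller now serves the Flash file to this address
}

// Constructed demonstration run.
$db    = open_store();
$token = issue_token($db, 'reader@example.com');   // this value goes into the mail
$checks = [
    validate_token($db, $token) === 'reader@example.com',        // first click succeeds
    validate_token($db, $token) === null,                        // replaying the link fails
    validate_token($db, md5('reader@example.com')) === null,     // md5-of-email forgery fails
    validate_token($db, bin2hex(random_bytes(32))) === null,     // right shape, never issued
];
echo in_array(false, $checks, true) ? "FAIL\n" : "ok\n";
```

The part not to substitute is random_bytes(): uniqid(), mt_rand() or md5(time()) are predictable and would give the attacker back the forgery that Hans describes. random_bytes() is PHP 7+, so the PHP 4/5 installations the list was running in 2005 would have had to read /dev/urandom themselves. The same argument also answers the ActionScript question in the original post: a check done inside the .swf has no record of which tokens were issued, so it can only ever recompute something from the address, which is exactly what an impersonator can do too.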
From matt at jiffycomp.com Mon Aug 22 21:47:37 2005
From: matt at jiffycomp.com (Matt Morgan)
Date: Mon, 22 Aug 2005 21:47:37 -0400
Subject: [nycphp-talk] somewhat OT: open source code auditing
In-Reply-To: <0MKoyl-1E51mu2Tnq-00043i@mrelay.perfora.net>
References: <0MKoyl-1E51mu2Tnq-00043i@mrelay.perfora.net>
Message-ID: <430A8039.4030505@jiffycomp.com>

Hans Zaunere wrote:

>>Hey Folks,
>>
>>This is slightly off-topic, but I've just had the "higher-ups" come to
>>me asking about open source and coding audits. I'm not speaking about
>>collaborative tools or auditing from a security perspective, but rather
>>from a legal perspective. Simply put, how do you know where a piece of
>>code really came from?
>>
>
>Maybe the SCO lawyers can help with this :)
>
>>I'm hoping that others on the list have gone through this (or are
>>actually going through it now) and can provide some insight.
>>
>>Some general questions:
>>1. When you decide to use a piece of open source software, what do you
>>document? (package name, authors, download location, website, license,
>>date/time, etc)
>>2. Do you feel the need to actually verify that they wrote it? Or is
>>it enough to say, "This is a popular package, and it is generally
>>accepted that this person wrote it."
>>
>
>This really comes down to the license. If it's GPL, you basically are legally bound to make your "derived works" public as well. Of course, what defines derived works is not something clearly defined.
>

OK, I'm a little out of my element here, but I think that's not true. The GPL requires you to release the source for any derived works that you release. You are not required to release anything; it's just that if you do release something, you must also release the source. GPL-derived code that you want to keep internal to your organization is A-OK.

>>As this could relate to PHP:
>>1. The PEAR and PECL repositories - is there anything built into the
>>package approval process that looks for this?
>>I didn't see anything on
>>the website. I would imagine that some Google searches probably occur
>>just to make sure this package
>>2. Code posted on the PHP site by users? Is that "free" to use?
>>
>
>Ugh - there's that word again, free :)
>
>>I realize that most of us aren't lawyers, and we're getting help from
>>our legal team, but any help you can provide is greatly appreciated.
>>
>
>It's certainly a sticky area. But, keep in mind, that most of the larger open source projects, like PHP and Apache, are licensed using a BSD style license. These questions should only be answered by lawyers, but most source from PEAR and PECL should have a header indicating the license. Typically, this is the PHP license, and so you're likely safe - but again, no one really knows :)
>
>H
>
>_______________________________________________
>New York PHP Talk Mailing List
>AMP Technology
>Supporting Apache, MySQL and PHP
>http://lists.nyphp.org/mailman/listinfo/talk
>http://www.nyphp.org
>

From arzala at gmail.com Tue Aug 23 00:39:24 2005
From: arzala at gmail.com (Anirudh Zala (Gmail))
Date: Tue, 23 Aug 2005 10:09:24 +0530
Subject: [nycphp-talk] Session Handling
Message-ID: <010d01c5a79c$a7e90450$0164a8c0@aum1>

Hello all,

I have a slightly different problem related to sessions, when your session is idle for more than the specified interval. In our case we have a high traffic website where hundreds of sessions are created every time. I wanted to increase the session's inactive time out from the default 24 to 2 hours. So we increased the value of the below php directive in httpd.conf

php_value session.gc_maxlifetime 7200

But interestingly, this is not working at all and the session is seen as garbage after its default timeout period set by php (i.e. 24 mins). We store session files at the default location (i.e. under "/tmp") and it supports the "atime" attribute as well.
phpinfo() also shows the local value of the above directive as set to 7200 but the session doesn't remain active for that amount of time and is deleted after 24 hours.

I have noticed on various forums that many people have faced this problem, and they do not have a solution either. Does anyone have any ideas about this problem? Or am I missing some more configuration? I am using LAMP technology to run my website and as far as I know everything is properly configured, like php.ini and httpd.conf.

Thanks,
Anirudh Zala

From d126099 at atos.wmid.amu.edu.pl Tue Aug 23 05:46:00 2005
From: d126099 at atos.wmid.amu.edu.pl (Marcin Szkudlarek)
Date: Tue, 23 Aug 2005 11:46:00 +0200 (CEST)
Subject: [nycphp-talk] mysql question
Message-ID:

I have a simple table like this

create table numbers (user int, number int);
insert into numbers (user, number) values (1, 1);
insert into numbers (user, number) values (1, 9);
insert into numbers (user, number) values (1, 5);

is it possible in mysql to write a query which gives me a result (1 row): "1,9,5" ?

Marcin

From jedicool at tpg.com.au Tue Aug 23 07:48:44 2005
From: jedicool at tpg.com.au (jedicool)
Date: Tue, 23 Aug 2005 21:18:44 +0930
Subject: [nycphp-talk] Newbie needs help - why PHP over ASP?
Message-ID: <430B0D1C.7000100@tpg.com.au>

Hello all,

A silly question perhaps but I'm fairly new to PHP and looking to do some work on a new MySQL driven website - I have been asked to provide reasons why PHP is a better option than ASP. I am not familiar with ASP so if anyone out there can trash it for me... I mean give good reasons why ASP should not be used for this application it would be really useful! I'm hoping to use this project to really push my PHP learning so I really don't want the owners of the site to go with ASP.
:)

Cheers,
Jay
South Australia

From codebowl at gmail.com Tue Aug 23 08:26:19 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Tue, 23 Aug 2005 08:26:19 -0400
Subject: [nycphp-talk] Newbie needs help - why PHP over ASP?
In-Reply-To: <430B0D1C.7000100@tpg.com.au>
References: <430B0D1C.7000100@tpg.com.au>
Message-ID: <8d9a4280050823052634c5d4d6@mail.gmail.com>

Well,

here are a few reasons I can think of ;)

PHP++
Cross Platform (can run on windows, linux, osx, etc..)
Free to use
Syntax is GREAT (personal opinion)
Object Oriented, very easy to expand in the future

ASP 3.0--
Not Cross Platform (runs only on windows, unless you get a host running chilisoft and that's expensive from what I hear)
You have to pay for your database (unless your site is small and can use an access database)
Windows hosting is usually more expensive than unix hosting
Syntax is, well, HORRIBLE (personal opinion)
Not Object Oriented, not as easy to expand in the future

I guess it all comes down to whether the client is going to use ASP 3.0 (old style) or .NET. If they are going with ASP 3.0 the above should say why PHP towers over ASP. However I do not have much experience with .NET aside from knowing the following.

ASP.NET--
Hosting costs are usually higher since it has to run on windows (unless you program the site in C# and run mono on a unix box)
It's not cross platform, the database you use you will have to pay for (unless the site is small and can run an access database)

ASP.NET++
Comes packed with built in classes (All Object Oriented)
Can use any .NET compliant language, even mix the pages with different languages (VB.NET, C#, J#, I hear Delphi is working on .net or has released one.) When I say mix languages I know one page can use VB and another can use C# but as for mixing languages in one file I don't think you can do that.

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com

From lists at zaunere.com Tue Aug 23 09:08:39 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Tue, 23 Aug 2005 09:08:39 -0400
Subject: [nycphp-talk] Roadsend
In-Reply-To: <430A19C6.4070903@simmons.edu>
Message-ID: <0MKoyl-1E7YW83CKM-0000uE@mrelay.perfora.net>

Hi Jonathan - thanks for the update. Good to hear what's going on from Roadsend...

H

talk-bounces at lists.nyphp.org wrote on Monday, August 22, 2005 2:31 PM:
> Hans, here's what Shannon at Roadsend had to say:
>
> Hi Jonathan,
>
> Thanks for your interest in the Roadsend Compiler!
>
> hendler at simmons.edu wrote:
>
> > Hi,
> > I am considering a purchase within the next 3 months for an
> > application I want to distribute. I'm excited by the compiler but
> > have more questions. I glanced at the FAQ, sorry if I missed
> > something.
> >
> > 1. Are you planning PHP 5 support?
>
> Yes we are planning PHP 5 support, but it will probably not be available
> until a release sometime next year. Currently we are focused on adding
> more extension support through a compatibility layer that will allow the
> use of open source php extensions.
>
> We are also working on adding the ability to compile an application with
> a built in web server, so you can distribute web applications as stand
> alone programs.
>
> > 2. Are you planning Apache 2 support? The reason it only works under
> > apache 1.x is because the compiler can create an apache module?
>
> Yes, but before native Apache 2 support shows up we will probably have a
> better CGI interface (using FastCGI) that would allow the use of
> compiled apps under Apache 2, IIS and other web servers.
>
> > 3. Did you run your benchmarks against php with eAccelerator, etc.?
>
> The benchmarks posted on the site were run against a plain open source
> PHP install.
>
> > 4. For a stand alone webserver app - how does this work?
> > I see that
> > I would have to write custom HTTP output - but what handles incoming
> > requests? Would I still bundle apache?
>
> In the current release there is no easy way to do a stand alone web
> server app.
>
> The new feature we are working on that I mentioned above will embed a
> small web server right into the final executable. When the executable
> is run, it begins listening on a (customizable) port so all the user has to
> do is point a browser to it. It will then begin serving (compiled)
> pages like a normal PHP application.
>
> You would not have to bundle anything besides the required binaries and
> supporting files (images, external files the app uses, required
> supporting libraries, etc).
>
> > 5. If I write my own .so or use libxml2 or mcrypt, technically
> > speaking, would I be able to create a binary that includes these
> > libraries?
>
> Our compiler will allow you to create a binary that uses external
> libraries, but you are still responsible for adhering to the license
> restrictions for that particular library. For example, if you create a
> commercial, closed source application that requires the MySQL library,
> they require you to purchase a license, as explained here:
> http://www.mysql.com/company/legal/licensing/faq.html
>
> On the other hand, libxml2 and libpcre are free to use commercially, so
> it depends on the library.
>
> > Thanks very much for your time.
> >
> > Regards,
> > Jonathan Hendler
>
> Let me know if I can answer any more questions.
>
> Thanks,
> Shannon
> Roadsend, Inc.
>
> Hans Zaunere wrote:
>
> > There used to be (perhaps still are?) some Roadsend developers on
> > this list.
> >
> > They're out in Long Island.
> >
> > I know the last time I spoke to them, they were working on some of
> > the above items. Would be interested to hear where things stand
> > now.
> >
> > ---
> > Hans Zaunere
> > President, Founder
> > New York PHP
> > http://www.nyphp.org
> >
> > AMP Technology
> > Supporting Apache, MySQL and PHP
> >
> > _______________________________________________
> > New York PHP Talk Mailing List
> > AMP Technology
> > Supporting Apache, MySQL and PHP
> > http://lists.nyphp.org/mailman/listinfo/talk
> > http://www.nyphp.org
>
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org

From jellicle at gmail.com Tue Aug 23 09:37:14 2005
From: jellicle at gmail.com (Michael Sims)
Date: Tue, 23 Aug 2005 09:37:14 -0400
Subject: [nycphp-talk] Session Handling
In-Reply-To: <010d01c5a79c$a7e90450$0164a8c0@aum1>
References: <010d01c5a79c$a7e90450$0164a8c0@aum1>
Message-ID: <200508230937.15207.jellicle@gmail.com>

On Tuesday 23 August 2005 00:39, Anirudh Zala (Gmail) wrote:
> php_value session.gc_maxlifetime 7200
>
> But interestingly, this is not working at all and session is seen as
> garbage after its default timeout period set by php (i.e. 24 mins). We
> store session files at default location (i.e. under "/tmp") and it
> supports "atime" attribute as well. phpinfo() also shows local value of
> above directive as set to 7200 but session doesn't remain active for that
> amount of time and is deleted after 24 hours.
>
> I have noticed on various forums that many people have faced this problem,
> and they do not have a solution either. Does anyone have any ideas about
> this problem? Or am I missing some more configurations?

You probably have a shared hosting environment, where other websites are being hosted on your server too, right? I think this has even been addressed earlier in this thread, but here it is again. The PHP interpreter doesn't distinguish between sessions pertaining to different sites hosted on the same server.
It treats all sessions equally, and wipes them out after the specified time period. So:

Situation A:
--You have session lifetime set high
--Someone else hosted on server has it set to default lifetime
Result: all sessions get wiped after 24 minutes

Situation B:
--You have session lifetime set to 1 minute
--Someone else hosted on server has it set to default lifetime
Result: all sessions get wiped after 1 minute, all other users hosted on that server start posting to newsgroups that their sessions are only lasting one minute and they don't know what is wrong

I think if you change the session save path to someplace not shared with other users (but the webserver has to be able to read and write to it), you'll be okay.

Michael Sims

From shiflett at php.net Tue Aug 23 09:38:13 2005
From: shiflett at php.net (Chris Shiflett)
Date: Tue, 23 Aug 2005 09:38:13 -0400
Subject: [nycphp-talk] somewhat OT: open source code auditing
In-Reply-To: <430A8039.4030505@jiffycomp.com>
References: <0MKoyl-1E51mu2Tnq-00043i@mrelay.perfora.net> <430A8039.4030505@jiffycomp.com>
Message-ID: <430B26C5.2090708@php.net>

Matt Morgan wrote:
> The GPL requires you to release the source for any derived works that
> you release. You are not required to release anything; it's just that if
> you do release something, you must also release the source. GPL-derived
> code that you want to keep internal to your organization is A-OK.

This is my understanding as well.
Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

From shiflett at php.net Tue Aug 23 09:42:59 2005
From: shiflett at php.net (Chris Shiflett)
Date: Tue, 23 Aug 2005 09:42:59 -0400
Subject: [nycphp-talk] mysql question
In-Reply-To:
References:
Message-ID: <430B27E3.1090701@php.net>

Marcin Szkudlarek wrote:
> I have a simple table like this
>
> create table numbers (user int, number int);
> insert into numbers (user, number) values (1, 1);
> insert into numbers (user, number) values (1, 9);
> insert into numbers (user, number) values (1, 5);
>
> is it possible in mysql to write a query which gives me a result (1 row):
> "1,9,5"?

Well, it sounds like you're wanting:

SELECT number FROM numbers

That will give you the values in the number column. Of course, you can't have three values in a single row when you only have two columns, so I might not be answering you correctly. If so, can you clarify?

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

From shiflett at php.net Tue Aug 23 09:45:46 2005
From: shiflett at php.net (Chris Shiflett)
Date: Tue, 23 Aug 2005 09:45:46 -0400
Subject: [nycphp-talk] Newbie needs help - why PHP over ASP?
In-Reply-To: <430B0D1C.7000100@tpg.com.au>
References: <430B0D1C.7000100@tpg.com.au>
Message-ID: <430B288A.2070202@php.net>

jedicool wrote:
> A silly question perhaps but I'm fairly new to PHP and looking to do
> some work on a new MySQL driven website - I have been asked to provide
> reasons why PHP is a better option than ASP.

One word: IIS

(You can run ASP stuff in Apache, but I can't imagine that's a good choice either.)

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

From patrick at ramsden.com Tue Aug 23 10:02:18 2005
From: patrick at ramsden.com (Patrick Ramsden)
Date: Tue, 23 Aug 2005 10:02:18 -0400
Subject: [nycphp-talk] Newbie needs help - why PHP over ASP?
Message-ID: <380-22005822314218296@ramsden.com>

> A silly question perhaps but I'm fairly new to PHP and looking to do
> some work on a new MySQL driven website - I have been asked to provide
> reasons why PHP is a better option than ASP.

I'm a big PHP fan, but the choice should come down to programmer experience and the technology infrastructure. If they have Windows Servers, IIS, ASP.NET and Visual Studio (and preferably SQL Server), the company has people experienced maintaining them, and there isn't much of a likelihood that the environment will change, then ASP can be a good choice. I don't know how well it plays with MySQL, though, but seems like it should.

I chose PHP over .NET from a cost perspective. All of the MS technologies above cost $$$, whereas many flavors of Linux, Apache, PHP, MySQL and a good PHP editor/IDE (I use Eclipse and Subclipse) can be had for free.

-Pat

From frank_wong2 at informationideas.com Tue Aug 23 10:39:28 2005
From: frank_wong2 at informationideas.com (Frank Wong)
Date: Tue, 23 Aug 2005 10:39:28 -0400
Subject: [nycphp-talk] mysql question
In-Reply-To:
References:
Message-ID: <430B3520.3040802@informationideas.com>

Marcin Szkudlarek wrote:

>I have a simple table like this
>
>create table numbers (user int, number int);
>insert into numbers (user, number) values (1, 1);
>insert into numbers (user, number) values (1, 9);
>insert into numbers (user, number) values (1, 5);
>
>is it possible in mysql to write a query which gives me a result (1 row):
>"1,9,5" ?
>
>Marcin
>

As far as I know, that cannot be done with a single query. Your best bet is to query (SELECT number FROM numbers) then programmatically get your results to the comma delimited format you want. It can also be done using stored procedures if the database you are using supports stored procedures.
_____________
Frank

From dmintz at davidmintz.org Tue Aug 23 10:44:29 2005
From: dmintz at davidmintz.org (David Mintz)
Date: Tue, 23 Aug 2005 10:44:29 -0400 (EDT)
Subject: [nycphp-talk] mysql question
In-Reply-To: <430B3520.3040802@informationideas.com>
References: <430B3520.3040802@informationideas.com>
Message-ID:

On Tue, 23 Aug 2005, Frank Wong wrote:

> Marcin Szkudlarek wrote:
>
> >I have a simple table like this
> >
> >create table numbers (user int, number int);
> >insert into numbers (user, number) values (1, 1);
> >insert into numbers (user, number) values (1, 9);
> >insert into numbers (user, number) values (1, 5);
> >
> >is it possible in mysql to write a query which gives me a result (1 row):
> >"1,9,5" ?
> >
> >Marcin
> >
> As far as I know, that cannot be done with a single query. Your best
> bet is to query (SELECT number FROM numbers) then programmatically get
> your results to the comma delimited format you want. It can also be
> done using stored procedures if the database you are using supports
> stored procedures.

I would bet there is some really perverse virtuoso contortion you could do involving concat() and sub-SELECTs, but yeah, go with doing it programmatically. Haiku, anyone?

---
David Mintz
http://davidmintz.org/

From dmintz at davidmintz.org Tue Aug 23 10:49:09 2005
From: dmintz at davidmintz.org (David Mintz)
Date: Tue, 23 Aug 2005 10:49:09 -0400 (EDT)
Subject: [nycphp-talk] [a little OT] testing MSIE with CrossOver Office?
Message-ID:

Has anyone ever tried running MSIE under CrossOver Office? Really? How'd it go?

The goal is to test pages in our old friend MSIE without having to reboot a dual-boot system into Windows or run two computers. It would be nice just to sit there and flip back and forth.
Thanks,

---
David Mintz
http://davidmintz.org/

From jeff.knight at gmail.com Tue Aug 23 11:30:39 2005
From: jeff.knight at gmail.com (Jeff Knight)
Date: Tue, 23 Aug 2005 11:30:39 -0400
Subject: [nycphp-talk] mysql question
In-Reply-To:
References: <430B3520.3040802@informationideas.com>
Message-ID: <2ca9ba91050823083043428674@mail.gmail.com>

INSERT INTO `numbers` (`user`, `number`) VALUES (1,1) , (1,9) , (1,5) ;

On 8/23/05, David Mintz wrote:
> On Tue, 23 Aug 2005, Frank Wong wrote:
>
> > Marcin Szkudlarek wrote:
> >
> > >I have a simple table like this
> > >
> > >create table numbers (user int, number int);
> > >insert into numbers (user, number) values (1, 1);
> > >insert into numbers (user, number) values (1, 9);
> > >insert into numbers (user, number) values (1, 5);
> > >
> > >is it possible in mysql to write a query which gives me a result (1 row):
> > >"1,9,5" ?
> > >

From jeff.knight at gmail.com Tue Aug 23 11:31:49 2005
From: jeff.knight at gmail.com (Jeff Knight)
Date: Tue, 23 Aug 2005 11:31:49 -0400
Subject: [nycphp-talk] mysql question
In-Reply-To: <2ca9ba91050823083043428674@mail.gmail.com>
References: <430B3520.3040802@informationideas.com> <2ca9ba91050823083043428674@mail.gmail.com>
Message-ID: <2ca9ba91050823083149ea7272@mail.gmail.com>

Another victim of not enough coffee disease... don't let it happen to you!

From papillion at gmail.com Tue Aug 23 12:04:47 2005
From: papillion at gmail.com (Anthony Papillion)
Date: Tue, 23 Aug 2005 11:04:47 -0500
Subject: [nycphp-talk] Newbie needs help - why PHP over ASP?
In-Reply-To: <8d9a4280050823052634c5d4d6@mail.gmail.com>
References: <430B0D1C.7000100@tpg.com.au> <8d9a4280050823052634c5d4d6@mail.gmail.com>
Message-ID: <5458518f05082309047bb5a37e@mail.gmail.com>

Hi Joseph,

While I am no fan of ASP or ASP.NET I did want to point out that, if someone did choose to use ASP they *can* interface with MySQL. It's not as easy as it is in PHP but it *is* an option.
So, technically, one doesn't have to pay for the database.

Anthony

On 8/23/05, Joseph Crawford wrote:
> Well,
>
> here are a few reasons I can think of ;)
>
> PHP++
> Cross Platform (can run on windows, linux, osx, etc..)
> Free to use
> Syntax is GREAT (personal opinion)
> Object Oriented, very easy to expand in the future
>
> ASP 3.0--
> Not Cross Platform (runs only on windows, unless you get a host running chilisoft and that's expensive from what I hear)
> You have to pay for your database (unless your site is small and can use an access database)
> Windows hosting is usually more expensive than unix hosting
> Syntax is, well, HORRIBLE (personal opinion)
> Not Object Oriented, not as easy to expand in the future
>
> I guess it all comes down to whether the client is going to use ASP 3.0 (old style) or .NET. If they are going with ASP 3.0 the above should say why PHP towers over ASP. However I do not have much experience with .NET aside from knowing the following.
>
> ASP.NET--
> Hosting costs are usually higher since it has to run on windows (unless you program the site in C# and run mono on a unix box)
> It's not cross platform, the database you use you will have to pay for (unless the site is small and can run an access database)
>
> ASP.NET++
> Comes packed with built in classes (All Object Oriented)
> Can use any .NET compliant language, even mix the pages with different languages (VB.NET, C#, J#, I hear Delphi is working on .net or has released one.) When I say mix languages I know one page can use VB and another can use C# but as for mixing languages in one file I don't think you can do that.
>
> --
> Joseph Crawford Jr.
> Codebowl Solutions, Inc.
> 1-802-671-2021
> codebowl at gmail.com
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org
>

--
Anthony Papillion
Phone: (918) 926-0139

CAN ONE VOICE CHANGE THE WORLD?
http://www.one.org

From chsnyder at gmail.com Tue Aug 23 12:28:13 2005
From: chsnyder at gmail.com (csnyder)
Date: Tue, 23 Aug 2005 12:28:13 -0400
Subject: [nycphp-talk] [a little OT] testing MSIE with CrossOver Office?
In-Reply-To:
References:
Message-ID:

On 8/23/05, David Mintz wrote:
>
> Has anyone ever tried running MSIE under CrossOver Office? Really? How'd
> it go?
>
> The goal is to test pages in our old friend MSIE without having to reboot
> a dual-boot system into Windows or run two computers. It would be nice
> just to sit there and flip back and forth.

It works, and is useful for checking pages provided they don't rely on plugins.

--
Chris Snyder
http://chxo.com/

From wfan at VillageVoice.com Tue Aug 23 13:58:18 2005
From: wfan at VillageVoice.com (Fan, Wellington)
Date: Tue, 23 Aug 2005 13:58:18 -0400
Subject: [nycphp-talk] fgetcsv alternatives?
Message-ID: <4D2FAD9B00577645932AD7ED5FECA24532526C@mail>

Hello Listies,

the basic call to fgetcsv looks like this:
array fgetcsv (int fp, int length)

where:
"fp must be a valid file pointer to a file successfully opened by fopen(), popen(), or fsockopen()"

I have a large buffer that I'd like to parse as CSV -- so is there a function similar to fgetcsv() that could operate on a string buffer rather than a filehandle?

--
Wellington

From ashaw at iifwp.org Tue Aug 23 14:12:08 2005
From: ashaw at iifwp.org (Allen Shaw)
Date: Tue, 23 Aug 2005 14:12:08 -0400
Subject: [nycphp-talk] fgetcsv alternatives?
In-Reply-To: <4D2FAD9B00577645932AD7ED5FECA24532526C@mail>
References: <4D2FAD9B00577645932AD7ED5FECA24532526C@mail>
Message-ID: <430B66F8.4060802@iifwp.org>

Fan, Wellington wrote:

>I have a large buffer that I'd like to parse as CSV -- so is there a
>function similar to fgetcsv() that could operate on a string buffer rather
>than a filehandle?
>

Why not explode()?

<?php
// Split the buffer into lines, then each line into tab-separated fields.
$lines = explode("\n", $buffer);
foreach ($lines as $line) {
    $fields = explode("\t", $line);
}
?>

--
Allen Shaw
Polymer (http://polymerdb.org)

Fine-grained control over how your users access your data: user permissions, reports, forms, ad-hoc queries -- all centrally managed.

From dcech at phpwerx.net Tue Aug 23 14:12:48 2005
From: dcech at phpwerx.net (Dan Cech)
Date: Tue, 23 Aug 2005 14:12:48 -0400
Subject: [nycphp-talk] fgetcsv alternatives?
In-Reply-To: <4D2FAD9B00577645932AD7ED5FECA24532526C@mail>
References: <4D2FAD9B00577645932AD7ED5FECA24532526C@mail>
Message-ID: <430B6720.4000909@phpwerx.net>

Wellington,

This isn't the most efficient function in the world, but it will get the job done and can handle embedded newlines and other CSV oddities.
Dan

function csv_parse($str, $f_delim = ',', $r_delim = "\n", $qual = '"')
{
    $output = array();   // completed rows
    $row    = array();   // fields of the row being built
    $word   = '';        // field being built
    $inside = false;     // true while between text qualifiers

    // With the default record delimiter, treat CRLF as a plain newline so
    // a trailing "\r" does not end up in the last field of every row.
    if ($r_delim === "\n") {
        $str = str_replace("\r\n", "\n", $str);
    }
    $len = strlen($str);

    // Inside a qualified field, a doubled qualifier ("") or a
    // backslash-escaped qualifier (\") stands for one literal qualifier.
    $skipchars = array($qual, '\\');

    for ($i = 0; $i < $len; ++$i) {
        $c = $str[$i];
        if (!$inside && $c == $f_delim) {
            $row[] = $word;
            $word = '';
        } elseif (!$inside && $c == $r_delim) {
            $row[] = $word;
            $word = '';
            $output[] = $row;
            $row = array();
        } elseif ($inside && in_array($c, $skipchars, true) && ($i + 1 < $len && $str[$i + 1] == $qual)) {
            $word .= $qual;
            ++$i;
        } elseif ($c == $qual) {
            $inside = !$inside;
        } else {
            $word .= $c;
        }
    }

    // Flush the last row, unless the input ended with a record delimiter
    // (then there is no partial row, and pushing one would emit a spurious
    // single empty field).
    if ($word !== '' || count($row) > 0) {
        $row[] = $word;
        $output[] = $row;
    }

    return $output;
}

Fan, Wellington wrote:
> Hello Listies,
>
> the basic call to fgetcsv looks like this:
> array fgetcsv (int fp, int length)
>
> where:
> "fp must be a valid file pointer to a file successfully opened by fopen(),
> popen(), or fsockopen()"
>
> I have a large buffer that I'd like to parse as CSV -- so is there a
> function similar to fgetcsv() that could operate on a string buffer rather
> than a filehandle?
>
> --
> Wellington
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org

From wfan at VillageVoice.com Tue Aug 23 14:21:02 2005
From: wfan at VillageVoice.com (Fan, Wellington)
Date: Tue, 23 Aug 2005 14:21:02 -0400
Subject: [nycphp-talk] fgetcsv alternatives?
Message-ID: <4D2FAD9B00577645932AD7ED5FECA24532526D@mail>

Because CSV is more complex than that -- delimiter characters that are actually data, the escaping of text qualifier characters, etc.

> -----Original Message-----
> From: Allen Shaw [mailto:ashaw at iifwp.org]
> Sent: Tuesday, August 23, 2005 2:12 PM
> To: NYPHP Talk
> Subject: Re: [nycphp-talk] fgetcsv alternatives?
> > > Fan, Wellington wrote: > > >I have a large buffer that I'd like to parse as CSV -- so is there a > >function similar to fgetcsv() that could operate on a string > buffer rather > >than a filehandle? > > > Why not explode()? > > $lines = explode("\n", $buffer); > foreach ($lines as $line) { > $fields = explode("\t", $line); > } > ?> > > -- > Allen Shaw > Polymer (http://polymerdb.org) > > Fine-grained control over how your users access your data: > user permissions, reports, forms, ad-hoc queries -- all > centrally managed. > > > > > > _______________________________________________ > New York PHP Talk Mailing List > AMP Technology > Supporting Apache, MySQL and PHP > http://lists.nyphp.org/mailman/listinfo/talk > http://www.nyphp.org > From wfan at VillageVoice.com Tue Aug 23 14:24:51 2005 From: wfan at VillageVoice.com (Fan, Wellington) Date: Tue, 23 Aug 2005 14:24:51 -0400 Subject: [nycphp-talk] fgetcsv alternatives? Message-ID: <4D2FAD9B00577645932AD7ED5FECA24532526E@mail> Dan, This looks great, though I haven't tried it. Thanks! I was also hoping, and just kinda curious, if there were some way of treating a buffer as a filehandle, since I could see that coming in handy. Thanks again! > -----Original Message----- > From: Dan Cech [mailto:dcech at phpwerx.net] > Sent: Tuesday, August 23, 2005 2:13 PM > To: NYPHP Talk > Subject: Re: [nycphp-talk] fgetcsv alternatives? > > > Wellington, > > This isn't the most efficient function in the world, but it > will get the > job done and can handle embedded newlines and other CSV oddities. 
> > Dan > > function csv_parse($str,$f_delim = ',',$r_delim = "\n",$qual = '"') > { > $output = array(); > $row = array(); > $word = ''; > > $len = strlen($str); > $inside = false; > > $skipchars = array($qual,'\\'); > > for ($i = 0; $i < $len; ++$i) { > $c = $str[$i]; > if (!$inside && $c == $f_delim) { > $row[] = $word; > $word = ''; > } elseif (!$inside && $c == $r_delim) { > $row[] = $word; > $word = ''; > $output[] = $row; > $row = array(); > } else if ($inside && in_array($c,$skipchars) && ($i+1 < $len && > $str[$i+1] == $qual)) { > $word .= $qual; > ++$i; > } else if ($c == $qual) { > $inside = !$inside; > } else { > $word .= $c; > } > } > > $row[] = $word; > $output[] = $row; > > return $output; > } > > Fan, Wellington wrote: > > Hello Listies, > > > > the basic call to fgetcsv looks like this: > > array fgetcsv (int fp, int length) > > > > where: > > "fp must be a valid file pointer to a file successfully > opened by fopen(), > > popen(), or fsockopen()" > > > > I have a large buffer that I'd like to parse as CSV -- so is there a > > function similar to fgetcsv() that could operate on a > string buffer rather > > than a filehandle? > > > > -- > > Wellington > > _______________________________________________ > > New York PHP Talk Mailing List > > AMP Technology > > Supporting Apache, MySQL and PHP > > http://lists.nyphp.org/mailman/listinfo/talk > > http://www.nyphp.org > > _______________________________________________ > New York PHP Talk Mailing List > AMP Technology > Supporting Apache, MySQL and PHP > http://lists.nyphp.org/mailman/listinfo/talk > http://www.nyphp.org > From kenrbnsn at rbnsn.com Tue Aug 23 14:42:39 2005 From: kenrbnsn at rbnsn.com (Ken Robinson) Date: Tue, 23 Aug 2005 14:42:39 -0400 Subject: [nycphp-talk] fgetcsv alternatives? 
In-Reply-To: <4D2FAD9B00577645932AD7ED5FECA24532526E@mail> References: <4D2FAD9B00577645932AD7ED5FECA24532526E@mail> Message-ID: <6.2.5.3.2.20050823144151.08bbc950@rbnsn.com> At 02:24 PM 8/23/2005, Fan, Wellington wrote: >Dan, > >This looks great, though I haven't tried it. Thanks! > >I was also hoping, and just kinda curious, if there were some way of >treating a buffer as a filehandle, since I could see that coming in handy. Can you write the buffer to a temp file, read it back in with fgetcsv, and then delete the temp file? Ken From ashaw at iifwp.org Tue Aug 23 14:48:00 2005 From: ashaw at iifwp.org (Allen Shaw) Date: Tue, 23 Aug 2005 14:48:00 -0400 Subject: [nycphp-talk] fgetcsv alternatives? In-Reply-To: <4D2FAD9B00577645932AD7ED5FECA24532526D@mail> References: <4D2FAD9B00577645932AD7ED5FECA24532526D@mail> Message-ID: <430B6F60.7060508@iifwp.org> An HTML attachment was scrubbed... URL: From dmintz at davidmintz.org Tue Aug 23 15:52:34 2005 From: dmintz at davidmintz.org (David Mintz) Date: Tue, 23 Aug 2005 15:52:34 -0400 (EDT) Subject: [nycphp-talk] PHP5/Apache problems after FC4 upgrade Message-ID: Foolish me, just upgraded from Fedora Core 3 to 4 (with CDs, choosing "Upgrade" rather than fresh install). Now Apache can't start, and the error is Syntax error on line 223 of /usr/local/apache/conf/httpd.conf: Cannot load /usr/local/apache/libexec/libphp5.so into server: libssl.so.4: cannot open shared object file: No such file or directory /usr/local/apache/bin/apachectl start: httpd could not be started Not really understanding what I am doing, I figure, let's just try re-compiling and re-installing first Apache, then PHP. Apache went fine. 
With PHP 5.0.4, 'make' pukes the following:

grep: /usr/lib/libxml2.la: No such file or directory
/bin/sed: can't read /usr/lib/libxml2.la: No such file or directory
libtool: link: `/usr/lib/libxml2.la' is not a valid libtool archive
make: *** [libphp5.la] Error 1

And /usr/lib contains:

[david at mintz php-5.0.4]$ ls -lt /usr/lib/*libxml*
lrwxrwxrwx 1 root root      27 Aug 23 09:18 /usr/lib/libxmlsec1-openssl.so -> libxmlsec1-openssl.so.1.2.7
lrwxrwxrwx 1 root root      27 Aug 23 09:18 /usr/lib/libxmlsec1-openssl.so.1 -> libxmlsec1-openssl.so.1.2.7
lrwxrwxrwx 1 root root      19 Aug 23 09:18 /usr/lib/libxmlsec1.so -> libxmlsec1.so.1.2.7
lrwxrwxrwx 1 root root      19 Aug 23 09:18 /usr/lib/libxmlsec1.so.1 -> libxmlsec1.so.1.2.7
lrwxrwxrwx 1 root root      17 Aug 23 09:04 /usr/lib/libxml2.so -> libxml2.so.2.6.19
lrwxrwxrwx 1 root root      16 Aug 23 08:56 /usr/lib/libxml.so.1 -> libxml.so.1.8.17
lrwxrwxrwx 1 root root      17 Aug 23 08:32 /usr/lib/libxml2.so.2 -> libxml2.so.2.6.19
-rwxr-xr-x 1 root root 1118880 Apr  2 06:21 /usr/lib/libxml2.so.2.6.19
-rw-r--r-- 1 root root 1484948 Apr  2 06:21 /usr/lib/libxml2.a
-rwxr-xr-x 1 root root  189592 Mar  8 09:44 /usr/lib/libxmlsec1-openssl.so.1.2.7
-rwxr-xr-x 1 root root  372088 Mar  8 09:44 /usr/lib/libxmlsec1.so.1.2.7
-rwxr-xr-x 1 root root  445388 Feb  9  2005 /usr/lib/libxml.so.1.8.17

This is what my ./configure command looks like:

'--with-gd' '--with-curl' '--with-mysql=/usr/local/mysql' '--with-xsl' '--enable-inline-optimization' '--with-apxs=/usr/local/apache/bin/apxs' '--enable-exif' '--with-xml' '--with-zlib-dir=/usr/local/lib' '--with-openssl' '--with-mcrypt' '--with-mysqli=/usr/local/mysql/bin/mysql_config' '--with-tidy' '--enable-soap'

I have googled and twiddled for a couple of hours and nothing I come up with seems right on point. Any suggestions? 
Gratefully, --- David Mintz http://davidmintz.org/ From arzala at gmail.com Wed Aug 24 00:05:33 2005 From: arzala at gmail.com (Anirudh Zala (Gmail)) Date: Wed, 24 Aug 2005 09:35:33 +0530 Subject: [nycphp-talk] Session Handling References: <010d01c5a79c$a7e90450$0164a8c0@aum1> <200508230937.15207.jellicle@gmail.com> Message-ID: <007c01c5a861$15e720d0$0164a8c0@aum1> ----- Original Message ----- From: Michael Sims To: NYPHP Talk Sent: Tuesday, August 23, 2005 7:07 PM Subject: Re: [nycphp-talk] Session Handling On Tuesday 23 August 2005 00:39, Anirudh Zala (Gmail) wrote: > php_value session.gc_maxlifetime 7200 > > But interestingly, this is not working at all and session is seen as > garbage after it's default timeout period set by php (i.e 24 mins). We > store session files at default location (i.e under "/tmp") and it > supports "atime" attribute as well. phpinfo() also shows local value of > above directive as set to 7200 but session doesn't remain active for that > amount time and is deleted after 24 hours. > > I have noticed on various forums that many ppl have faced this problem, > and they do not have solution either. Does anyone have any ideas about > this problem? Or am I missing some more configurations? You probably have a shared hosting environment, where other websites are being hosted on your server too, right? I think this has even been addressed earlier in this thread, but here it is again. The PHP interpreter doesn't distinguish between sessions pertaining to different sites hosted on the same server. It treats all sessions equally, and wipes them out after the specified time period. 
So:

Situation A:
--You have session lifetime set high
--Someone else hosted on server has it set to default lifetime
Result: all sessions get wiped after 24 minutes

Situation B:
--You have session lifetime set to 1 minute
--Someone else hosted on server has it set to default lifetime
Result: all sessions get wiped after 1 minute, all other users hosted on that server start posting to newsgroups that their sessions are only lasting one minute and they don't know what is wrong

I think if you change the session save path to someplace not shared with other users (but the webserver has to be able to read and write to it), you'll be okay.

Thanks for the suggestions, but this is not the case. I am an experienced PHP programmer and aware of all these possible situations which can cause this problem. Although we are running different websites, we have only a single httpd.conf file where everything is hosted, and I have set the higher session timeout value in that file only, so no other site is overriding it. I have also checked whether "atime" is enabled for the session directory or not, and it is enabled. There is not even any other cron etc. script that can empty the "/tmp" folder after a regular interval. I know most of the reasons why session timeout may not work properly, but I have checked all of them and none of them is causing this problem. Sorry, I just forgot to mention these in my post, otherwise you could have thought in different directions.

Michael Sims _______________________________________________ New York PHP Talk Mailing List AMP Technology Supporting Apache, MySQL and PHP http://lists.nyphp.org/mailman/listinfo/talk http://www.nyphp.org From edwardpotter at gmail.com Wed Aug 24 00:09:53 2005 From: edwardpotter at gmail.com (edward potter) Date: Wed, 24 Aug 2005 00:09:53 -0400 Subject: [nycphp-talk] Newbie needs help - why PHP over ASP? In-Reply-To: <430B0D1C.7000100@tpg.com.au> References: <430B0D1C.7000100@tpg.com.au> Message-ID: I take a more pragmatic approach. 
PHP 5 : Wired . . . ASP : BOOOORING . . . I think if you want to just get it done, you can find no better tool than PHP. If you want to learn a new language, you can spend all the time freed up by the PHP solution and explore Ruby, Python, Swing, et al. The ASP solution(s) (in my limited experience) have about zero sex appeal. However I'm sure if you put the time into it, you can build some pretty good software using an all Windows based environment, if that's your target. I think Microsoft lucked out with the web. But I don't see them getting on to Web 2.0 any time soon. __ not in their corporate rule book (at least not yet). Just my 2 rupees -ed :-) On 8/23/05, jedicool wrote: > Hello all, > > A silly question perhaps but I'm fairly new to PHP and looking to do > some work on a new MySQL driven website - I have been asked to provide > reasons why PHP is a better option than ASP. I am not familiar with ASP > so if anyone out there can trash it for me... I mean give good reasons > why ASP should not be used for this application it would be really > useful! I'm hoping to use this project to really push my PHP learning so > I really don't want the owners of the site to go with ASP. > > :) > > Cheers, > > Jay > South Australia > > _______________________________________________ > New York PHP Talk Mailing List > AMP Technology > Supporting Apache, MySQL and PHP > http://lists.nyphp.org/mailman/listinfo/talk > http://www.nyphp.org > From ken at secdat.com Wed Aug 24 09:27:34 2005 From: ken at secdat.com (Kenneth Downs) Date: Wed, 24 Aug 2005 09:27:34 -0400 (EDT) Subject: [nycphp-talk] Newbie needs help - why PHP over ASP? In-Reply-To: <430B0D1C.7000100@tpg.com.au> References: <430B0D1C.7000100@tpg.com.au> Message-ID: <37590.38.117.147.25.1124890054.squirrel@38.117.147.25> I can tell you why I tried ASP.Net and why I eventually walked away from it. First, cross-platform is big, it had to run on Linux. 
But I had to work out some basic ideas first about the app and I had no knowledge of Linux dev tools, while I was very comfortable with Windows, so this made anything .Net the easiest way to get started. So I put .Net onto the Win2k laptop, installed MSDN and got started with the tutorials. Built the basic 3-tier and 4-tier model of a basic application. Then started working through my own ideas. The first trouble I ran into was how difficult it was to code manually. If you don't use the IDE it is nigh impossible to grind out the simplest page. There is a huge overhead of declarations, namespaces and binding to work out. This is a problem because as I get older I am much less impressed with complexity and really like simple programs that are easy to read and understand on sight. But so far I withheld judgement and kept looking at it. The next trouble was dynamic database connections. In my systems users connect as who they are, not using an aliased generic connection. In PHP I can create a connection on-the-fly using session variables and work with it, while ASP.Net wants a gazillion different objects before you execute your first SELECT statement. Programmatically changing the connection to log in as somebody else did not seem to be something they were expecting anybody to do. I found nothing easy about dragging and dropping 3 or 4 objects around and setting all kinds of properties (that I could then not change dynamically) compared to this: $conn = pg_connect("host=1.2.3.4 dbname=.... etc) The IDE would do extremely perverse things to your page. If you went in and tried to monkey with the HTML, the editor inserts line breaks and spacing that appear to be deliberately obfuscating the page. This made it very frustrating to work through what was going on. At this point I was still getting useful work done prototyping the actual project, so I still pressed forward. However, the tide of opinion had changed and I was, as you might say, looking for trouble. 
The deal-killer turned out to be the very foundation of ASP.Net, what I believe really makes it bad, its concept of the 'code-behind' page that stores processing code separate from HTML code. This is the biggest departure from original ASP, it is what also truly distinguishes ASP.Net from PHP, and it is what makes ASP really really bad. The problems are: 1) It makes it very difficult to create completely dynamic pages. 2) You've got two pages no matter what (AFAICR), even when you don't need that kind of complexity. 3) It hides the details of execution flow and actually denies you access to those details. If you have ever seen the horrors of what happens when a programmer is shielded from architecture realities, you will appreciate the kind of resource hogs this is going to create. While it is clever to allow a programmer to put server-side event code in for a single control, it is also lunacy to execute round trips on these events. PHP requires you to know about the architecture so that you can code it right. Now, compare this to PHP, which meets the first requirement for programming: if the computer can do it, PHP can do it. But it also meets the second requirement: Don't fluff it up, just do the job! ASP.Net has, to put it mildly, a lot of fluff. PHP so far is OO-sane, it provides OO without requiring it. That sums up the entire PHP experience regarding almost everything, it provides it and supports it but does not require it. > Hello all, > > A silly question perhaps but I'm fairly new to PHP and looking to do > some work on a new MySQL driven website - I have been asked to provide > reasons why PHP is a better option than ASP. I am not familiar with ASP > so if anyone out there can trash it for me... I mean give good reasons > why ASP should not be used for this application it would be really > useful! I'm hoping to use this project to really push my PHP learning so > I really don't want the owners of the site to go with ASP. 
> > :) > > Cheers, > > Jay > South Australia > > _______________________________________________ > New York PHP Talk Mailing List > AMP Technology > Supporting Apache, MySQL and PHP > http://lists.nyphp.org/mailman/listinfo/talk > http://www.nyphp.org > -- Kenneth Downs Secure Data Software 631-379-0010 ken at secdat.com PO Box 708 East Setauket, NY 11733 From ps at pswebcode.com Wed Aug 24 15:33:24 2005 From: ps at pswebcode.com (Peter Sawczynec) Date: Wed, 24 Aug 2005 15:33:24 -0400 Subject: [nycphp-talk] Apache MaxRequestsPerChild Question Message-ID: <003901c5a8e2$b4f382a0$6500a8c0@Liz> Does anyone have any experience with setting the MaxRequestsPerChild directive in the Apache config to some other value other than zero. Have you ever set MaxRequestsPerChild to another value. If so what number have you used? I want to limit the amount of resources kept in use, and want child processes curtailed more promptly. Warmest regards, Peter Sawczynec PSWebcode ps at pswebcode.com 718.543.3240 From ps at pswebcode.com Wed Aug 24 15:37:05 2005 From: ps at pswebcode.com (Peter Sawczynec) Date: Wed, 24 Aug 2005 15:37:05 -0400 Subject: [nycphp-talk] Using Apache to Limit Number of Users in a Directory Message-ID: <003a01c5a8e3$3e466310$6500a8c0@Liz> Sorry to disturb and look simple, but... Can I use any Apache directive(s) to limit the number of concurrent users allowed to surf a single directory in a larger site. Warmest regards, Peter Sawczynec PSWebcode ps at pswebcode.com 718.543.3240 -------------- next part -------------- An HTML attachment was scrubbed... URL: From ps at pswebcode.com Wed Aug 24 15:54:50 2005 From: ps at pswebcode.com (Peter Sawczynec) Date: Wed, 24 Aug 2005 15:54:50 -0400 Subject: [nycphp-talk] Apache Module Experiences Message-ID: <004401c5a8e5$b3ce8340$6500a8c0@Liz> Has anyone used: mod_throttle or or mod_bandwidth with Apache 1.3.x Any experiences to share? 
Warmest regards, Peter Sawczynec PSWebcode ps at pswebcode.com 718.543.3240 -------------- next part -------------- An HTML attachment was scrubbed... URL: From chsnyder at gmail.com Wed Aug 24 16:48:08 2005 From: chsnyder at gmail.com (csnyder) Date: Wed, 24 Aug 2005 16:48:08 -0400 Subject: [nycphp-talk] Apache MaxRequestsPerChild Question In-Reply-To: <003901c5a8e2$b4f382a0$6500a8c0@Liz> References: <003901c5a8e2$b4f382a0$6500a8c0@Liz> Message-ID: On 8/24/05, Peter Sawczynec wrote: > Does anyone have any experience with setting the MaxRequestsPerChild > directive in the Apache config to some other value other than zero. Yes. > Have you ever set MaxRequestsPerChild to another value. If so what number > have you used? 1024 but if you like to burn cpu cycles starting new httpd processes you can set it as low as 1, eh? It's up to you. > I want to limit the amount of resources kept in use, and want child > processes curtailed more promptly. If it's an unfixable memory leak you are concerned about, that will do it. But of course you know you're treating the symptom, not the problem. -- Chris Snyder http://chxo.com/ From tgales at tgaconnect.com Wed Aug 24 16:56:43 2005 From: tgales at tgaconnect.com (Tim Gales) Date: Wed, 24 Aug 2005 16:56:43 -0400 Subject: [nycphp-talk] OT: Is Apache confusing? Message-ID: <430CDF0B.8030500@tgaconnect.com> If you find yourself frustrated when trying to use Apache, maybe reading 'Why I Hate The Apache Web Server' will provide some (comic) relief... http://people.apache.org/~rbowen/presentations/apacheconEU2005/hate_apache.pdf -- T. Gales & Associates 'Helping People Connect with Technology' http://www.tgaconnect.com From jeff.knight at gmail.com Wed Aug 24 18:37:19 2005 From: jeff.knight at gmail.com (Jeff Knight) Date: Wed, 24 Aug 2005 18:37:19 -0400 Subject: [nycphp-talk] OT: Is Apache confusing? 
In-Reply-To: <430CDF0B.8030500@tgaconnect.com> References: <430CDF0B.8030500@tgaconnect.com> Message-ID: <2ca9ba9105082415375e298211@mail.gmail.com> No, you can't have a pony! On 8/24/05, Tim Gales wrote: > If you find yourself frustrated when trying to > use Apache, maybe reading 'Why I Hate The Apache > Web Server' will provide some (comic) relief... > > http://people.apache.org/~rbowen/presentations/apacheconEU2005/hate_apache.pdf > > > -- > T. Gales & Associates > 'Helping People Connect with Technology' > > http://www.tgaconnect.com > _______________________________________________ > New York PHP Talk Mailing List > AMP Technology > Supporting Apache, MySQL and PHP > http://lists.nyphp.org/mailman/listinfo/talk > http://www.nyphp.org > From jbaltz at altzman.com Wed Aug 24 19:17:38 2005 From: jbaltz at altzman.com (Jerry B. Altzman) Date: Wed, 24 Aug 2005 19:17:38 -0400 Subject: [nycphp-talk] OT: Is Apache confusing? In-Reply-To: <2ca9ba9105082415375e298211@mail.gmail.com> References: <430CDF0B.8030500@tgaconnect.com> <2ca9ba9105082415375e298211@mail.gmail.com> Message-ID: <430D0012.8050907@altzman.com> On 8/24/2005 6:37 PM, Jeff Knight wrote: > No, you can't have a pony! > On 8/24/05, Tim Gales wrote: >>If you find yourself frustrated when trying to >>use Apache, maybe reading 'Why I Hate The Apache >>Web Server' will provide some (comic) relief... Just remember: apache is the worst possible webserver out there, except for all the others. //jbaltz -- jerry b. altzman jbaltz at altzman.com KE3ML thank you for contributing to the heat death of the universe. From bpilgrim1979 at gmail.com Wed Aug 24 20:37:50 2005 From: bpilgrim1979 at gmail.com (Billy Pilgrim) Date: Wed, 24 Aug 2005 20:37:50 -0400 Subject: [nycphp-talk] Newbie needs help - why PHP over ASP? 
In-Reply-To: <430B0D1C.7000100@tpg.com.au> References: <430B0D1C.7000100@tpg.com.au> Message-ID: <6ee3253b050824173753ad8238@mail.gmail.com> On 8/23/05, jedicool wrote: > I have been asked to provide > reasons why PHP is a better option than ASP. This list is probably 95% programmers who actually code PHP on a daily basis. In some companies, .NET vs LAMP technology decisions are made by managers who don't program. They purchase research reports and read white papers and browse marketing brochures. You might look at: http://zend.com/solutions/why-php.php http://www.mysql.com/why-mysql/case-studies/ BP From andrew at plexpod.com Wed Aug 24 20:53:01 2005 From: andrew at plexpod.com (Andrew Yochum) Date: Wed, 24 Aug 2005 20:53:01 -0400 Subject: [nycphp-talk] OT: Is Apache confusing? In-Reply-To: <2ca9ba9105082415375e298211@mail.gmail.com> References: <430CDF0B.8030500@tgaconnect.com> <2ca9ba9105082415375e298211@mail.gmail.com> Message-ID: <200508242053.01498.andrew@plexpod.com> Try finding those options in IIS! ;-) Be thankful you have an Apache. All they have is a pony! On Wednesday 24 August 2005 18:37, Jeff Knight wrote: > No, you can't have a pony! > > On 8/24/05, Tim Gales wrote: > > If you find yourself frustrated when trying to > > use Apache, maybe reading 'Why I Hate The Apache > > Web Server' will provide some (comic) relief... > > > > http://people.apache.org/~rbowen/presentations/apacheconEU2005/hate_apach > >e.pdf > > > > > > -- > > T. 
Gales & Associates > > 'Helping People Connect with Technology' > > > > http://www.tgaconnect.com > > _______________________________________________ > > New York PHP Talk Mailing List > > AMP Technology > > Supporting Apache, MySQL and PHP > > http://lists.nyphp.org/mailman/listinfo/talk > > http://www.nyphp.org > > _______________________________________________ > New York PHP Talk Mailing List > AMP Technology > Supporting Apache, MySQL and PHP > http://lists.nyphp.org/mailman/listinfo/talk > http://www.nyphp.org -- Andrew Yochum Plexpod andrew at plexpod.com 718-360-0879 From matt at jiffycomp.com Wed Aug 24 21:56:43 2005 From: matt at jiffycomp.com (Matt Morgan) Date: Wed, 24 Aug 2005 21:56:43 -0400 Subject: [nycphp-talk] [a little OT] testing MSIE with CrossOver Office? In-Reply-To: References: Message-ID: <430D255B.5020401@jiffycomp.com> csnyder wrote: >On 8/23/05, David Mintz wrote: > > >>Has anyone ever tried running MSIE under CrossOver Office? Really? How'd >>it go? >> >>The goal is to test pages in our old friend MSIE without having to reboot >>a dual-boot system into Windows or run two computers. It would be nice >>just to sit there and flip back and forth. >> >> > >It works, and is useful for checking pages provided they don't rely on plugins. > > Just adding for good measure: you shouldn't need Crossover Office--it works well in plain old wine, too. -------------- next part -------------- An HTML attachment was scrubbed... URL: From lists at zaunere.com Thu Aug 25 06:29:00 2005 From: lists at zaunere.com (Hans Zaunere) Date: Thu, 25 Aug 2005 06:29:00 -0400 Subject: [nycphp-talk] Apache MaxRequestsPerChild Question In-Reply-To: <003901c5a8e2$b4f382a0$6500a8c0@Liz> Message-ID: <0MKoyl-1E8Eyj1iXm-0005cj@mrelay.perfora.net> talk-bounces at lists.nyphp.org wrote on Wednesday, August 24, 2005 3:33 PM: > Does anyone have any experience with setting the MaxRequestsPerChild > directive in the Apache config to some other value other than zero. 
> > Have you ever set MaxRequestsPerChild to another value. If so > what number have you used? Rarely - set it to 10000 on occasion... > I want to limit the amount of resources kept in use, and want child > processes curtailed more promptly. I only did it because of instability with some Oracle client libs that PHP was linked against. That was about 4 years ago, and I haven't done it again since. Generally, setting it higher than zero isn't needed, but you could set it to 10k or something (on a moderately trafficked site) for paranoid reasons (or, perhaps, if you're on Solaris or another UNIX that isn't as popular). --- Hans Zaunere President, Founder New York PHP http://www.nyphp.org AMP Technology Supporting Apache, MySQL and PHP From lists at zaunere.com Thu Aug 25 06:30:51 2005 From: lists at zaunere.com (Hans Zaunere) Date: Thu, 25 Aug 2005 06:30:51 -0400 Subject: [nycphp-talk] Using Apache to Limit Number of Users in a Directory In-Reply-To: <003a01c5a8e3$3e466310$6500a8c0@Liz> Message-ID: <0MKoyl-1E8F0V2ghY-0005Sg@mrelay.perfora.net> > Sorry to disturb and look simple, but... > > Can I use any Apache directive(s) to limit the number of > concurrent users allowed to surf a single directory in a larger site. Not aware of something that would provide this functionality on a per directory basis. Of course you can set the limit on a server wide basis, but if you want to track how many people are in a directory, you may need some PHP magic. --- Hans Zaunere President, Founder New York PHP http://www.nyphp.org AMP Technology Supporting Apache, MySQL and PHP From d126099 at atos.wmid.amu.edu.pl Thu Aug 25 07:10:22 2005 From: d126099 at atos.wmid.amu.edu.pl (Marcin Szkudlarek) Date: Thu, 25 Aug 2005 13:10:22 +0200 (CEST) Subject: [nycphp-talk] mysql duplicate entry Message-ID: I've noticed a mysql "Duplicate entry" error after an accidental system power down. It occurs for an auto increment primary key. Do you know how I can avoid it? 
Regards, Marcin Szkudlarek From lists at zaunere.com Thu Aug 25 07:25:33 2005 From: lists at zaunere.com (Hans Zaunere) Date: Thu, 25 Aug 2005 07:25:33 -0400 Subject: [nycphp-talk] mysql duplicate entry In-Reply-To: Message-ID: <0MKp2t-1E8FrS1SnJ-0006V2@mrelay.perfora.net> talk-bounces at lists.nyphp.org wrote on Thursday, August 25, 2005 7:10 AM: > I've noticed mysql "Duplicate entry" error after accidental > system power down. It occurs for an auto increment primary key. > Do you know how can I avoid it? Corrupted tables, likely MyISAM. Run CHECK TABLE/myisamchk H From ps at pswebcode.com Thu Aug 25 07:59:41 2005 From: ps at pswebcode.com (Peter Sawczynec) Date: Thu, 25 Aug 2005 07:59:41 -0400 Subject: [nycphp-talk] Using Apache to Limit Number of Users in aDirectory In-Reply-To: <0MKoyl-1E8F0V2ghY-0005Sg@mrelay.perfora.net> Message-ID: <000801c5a96c$7d169040$6500a8c0@Liz> Ultimately, I found two available Apache mods called mod_throttle and mod_bandwidth that can selectively throttle Apache. The documentation of mod_bandwidth clearly showed it could throttle by directory and/or virtual sites. But I am instead first attempting to resolve my situation with more basic techniques: Tuning Apache. Tuning MySQL. Building a slow-query log. Getting more RAM (as it is actually called for). Revisiting the PHP code. I can't find enough third-party endorsement of these throttling mods to go right ahead with them. Gracias compañero. Peter -----Original Message----- From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Hans Zaunere Sent: Thursday, August 25, 2005 6:31 AM To: 'NYPHP Talk' Subject: Re: [nycphp-talk] Using Apache to Limit Number of Users in aDirectory > Sorry to disturb and look simple, but... > > Can I use any Apache directive(s) to limit the number of concurrent > users allowed to surf a single directory in a larger site. Not aware of something that would provide this functionality on a per directory basis. 
Of course you can set the limit on a server wide basis, but if you want to track how many people are in a directory, you may need some PHP magic. --- Hans Zaunere President, Founder New York PHP http://www.nyphp.org AMP Technology Supporting Apache, MySQL and PHP _______________________________________________ New York PHP Talk Mailing List AMP Technology Supporting Apache, MySQL and PHP http://lists.nyphp.org/mailman/listinfo/talk http://www.nyphp.org From mwithington at PLMresearch.com Thu Aug 25 10:06:36 2005 From: mwithington at PLMresearch.com (Mark Withington) Date: Thu, 25 Aug 2005 10:06:36 -0400 Subject: [nycphp-talk] Mantis bugtracking documentation Message-ID: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358EF2791@network.PLMresearch.com> Under the heading, "Better late than...." Here is a link to a good PDF primer on Mantis: http://www.cs.binghamton.edu/~steflik/cs495b/Mantis-quickstart-generic.pdf -------------------------- Mark L. Withington PLMresearch "eBusiness for the Midsize Enterprise" PO Box 1354 Plymouth, MA 02362 o: 800-310-3992 ext. 704 f: 508-746-4973 v: 508-746-2383 m: 508-801-0181 http://www.PLMresearch.com Netscape/AOL/MSN IM: PLMresearch mwithington at plmresearch.com Public Key: http://www.plmdev.com/plmr/plmresearch.com/keys/MLW_public_key.asc Calendar: http://www.plmdev.com/plmr/plmresearch.com/calendar.php -----Original Message----- From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]On Behalf Of Cliff Hirsch Sent: Thursday, August 18, 2005 9:11 AM To: 'NYPHP Talk' Subject: [nycphp-talk] Mantis bugtracking documentation Does anyone know of a good tutorial or documentation for Mantis? The documentation link on the Mantis website is broken. 
_______________________________________________ New York PHP Talk Mailing List AMP Technology Supporting Apache, MySQL and PHP http://lists.nyphp.org/mailman/listinfo/talk http://www.nyphp.org From dmintz at davidmintz.org Thu Aug 25 10:07:59 2005 From: dmintz at davidmintz.org (David Mintz) Date: Thu, 25 Aug 2005 10:07:59 -0400 (EDT) Subject: [nycphp-talk] [a little OT] testing MSIE with CrossOver Office? In-Reply-To: <430D255B.5020401@jiffycomp.com> References: <430D255B.5020401@jiffycomp.com> Message-ID: Thanks guys. Maybe I will give wine a shot first since it's easier on the wallet. I've heard it can be a bit of a beast to figure out but I suppose I'll see for myself. On Wed, 24 Aug 2005, Matt Morgan wrote: > csnyder wrote: > >[snip] > >It works, and is useful for checking pages provided they don't rely on plugins. > > > > > Just adding for good measure: you shouldn't need Crossover Office--it > works well in plain old wine, too. > --- David Mintz http://davidmintz.org/ From dmintz at davidmintz.org Thu Aug 25 10:45:07 2005 From: dmintz at davidmintz.org (David Mintz) Date: Thu, 25 Aug 2005 10:45:07 -0400 (EDT) Subject: [nycphp-talk] PHP5/Apache problems after FC4 upgrade SOLVED Message-ID: FWIW, here is how I muddled through, in case somebody else one day is desperate enough to follow suit. I have minimal expertise in solving build errors, so if I don't find a solution here or from Mr Google, I just have to beat my head against it until it works. My ./configure includes --with-xml and --with-xsl. I was getting compile errors about libxml2.la not being a valid libtool archive. I tried mucking around with /usr/lib/libxml2.la and manually re-building libxml2, and for my trouble I got something like 'libxml2.la seems to have moved.' When I left these configure options out it worked fine. But I didn't want that so I finally * removed and reinstalled libxml2 via yum. 
yum erased several other packages that depended on it so I re-installed these after re-installing libxml2

* rm -rf /path/to/php-5.0.4 source directory resulting from unpacking php-5.0.4.tar.gz.

* unpacked tarball and did ./configure [...], make, make install once again.

HTH somebody.

---
David Mintz
http://davidmintz.org/

From gatzby3jr at gmail.com Thu Aug 25 11:20:56 2005
From: gatzby3jr at gmail.com (Brian O'Connor)
Date: Thu, 25 Aug 2005 11:20:56 -0400
Subject: [nycphp-talk] Mantis bugtracking documentation
In-Reply-To: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358EF2791@network.PLMresearch.com>
References: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358EF2791@network.PLMresearch.com>
Message-ID: <29da5d15050825082061860ad2@mail.gmail.com>

On 8/25/05, Mark Withington wrote:
>
> Under the heading, "Better late than...."
>
> Here is a link to a good PDF primer on Mantis:
>
> http://www.cs.binghamton.edu/~steflik/cs495b/Mantis-quickstart-generic.pdf
>
> -----Original Message-----
> From: talk-bounces at lists.nyphp.org
> [mailto:talk-bounces at lists.nyphp.org]On Behalf Of Cliff Hirsch
> Sent: Thursday, August 18, 2005 9:11 AM
> To: 'NYPHP Talk'
> Subject: [nycphp-talk] Mantis bugtracking documentation
>
> Does anyone know of a good tutorial or documentation for Mantis? The
> documentation link on the Mantis website is broken.

--
Brian O'Connor

From chris at theyellowbox.com Thu Aug 25 11:55:15 2005
From: chris at theyellowbox.com (Chris Merlo)
Date: Thu, 25 Aug 2005 11:55:15 -0400
Subject: [nycphp-talk] PHP5/Apache problems after FC4 upgrade SOLVED
In-Reply-To:
References:
Message-ID: <94658648050825085577b4e9ae@mail.gmail.com>

On 8/25/05, David Mintz wrote:
> * rm -rf /path/to/php-5.0.4 source directory resulting from unpacking
> php-5.0.4.tar.gz.
>
> * unpacked tarball and did ./configure [...], make, make install once
> again.

Generally speaking, running "make distclean" should have the effect of removing the source tree and unpacking, and should be quicker.

--
chris at theyellowbox.com
http://www.theyellowbox.com/

From papillion at gmail.com Thu Aug 25 16:06:19 2005
From: papillion at gmail.com (Anthony Papillion)
Date: Thu, 25 Aug 2005 15:06:19 -0500
Subject: [nycphp-talk] mysql duplicate entry
In-Reply-To: <0MKp2t-1E8FrS1SnJ-0006V2@mrelay.perfora.net>
References: <0MKp2t-1E8FrS1SnJ-0006V2@mrelay.perfora.net>
Message-ID: <5458518f050825130643f929ef@mail.gmail.com>

> Corrupted tables, likely MyISAM. Run CHECK TABLE/myisamchk

This brings up a question in my mind: does myisamchk actually FIX the problems or just let you know where they are?
Anthony Papillion
Owner/Founder
Advanced Data Concepts
Ph: (918) 926-0139

From lists at zaunere.com Thu Aug 25 17:58:43 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Thu, 25 Aug 2005 17:58:43 -0400
Subject: [nycphp-talk] mysql duplicate entry
In-Reply-To: <5458518f050825130643f929ef@mail.gmail.com>
Message-ID: <0MKp2t-1E8PkC1F2w-00042b@mrelay.perfora.net>

talk-bounces at lists.nyphp.org wrote on Thursday, August 25, 2005 4:06 PM:
> > Corrupted tables, likely MyISAM. Run CHECK TABLE/myisamchk
>
> This brings up a question in my mind: does myisamchk actually FIX the
> problems or just let you know where they are?

It can do both, depending on the options.

http://dev.mysql.com/doc/mysql/en/myisamchk-syntax.html

---
Hans Zaunere
President, Founder
New York PHP
http://www.nyphp.org

AMP Technology
Supporting Apache, MySQL and PHP

From lists at zaunere.com Thu Aug 25 18:01:27 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Thu, 25 Aug 2005 18:01:27 -0400
Subject: [nycphp-talk] Using Apache to Limit Number of Users in a Directory
In-Reply-To: <000801c5a96c$7d169040$6500a8c0@Liz>
Message-ID: <0MKp2t-1E8Pmq1hjM-0003sS@mrelay.perfora.net>

talk-bounces at lists.nyphp.org wrote on Thursday, August 25, 2005 8:00 AM:
> Ultimately, I found two available Apache mods called mod_throttle and
> mod_bandwidth that can selectively throttle Apache. The documentation
> of mod_bandwidth clearly showed it could throttle by directory
> and/or virtual sites.
>
> But I am instead first attempting to resolve my situation with more basic
> techniques: Tuning Apache. Tuning MySQL. Building a slow-query log. Getting
> more RAM (as it is actually called for). Revisiting the PHP code.

That's probably the right approach. Of course everything depends on hardware and your traffic pattern, but so often the database/PHP processing can be the bottleneck that it's good to check pressure points in that area first.

> I can't find enough third-party endorsement of these throttling mods to go
> right ahead with them.

I've worked more with mod_throttle than mod_bandwidth. I'd say it's more active, but it's just an educated guess from a couple of experiences in the past.

---
Hans Zaunere
President, Founder
New York PHP
http://www.nyphp.org

AMP Technology
Supporting Apache, MySQL and PHP

From rinaldy_roy at yahoo.com Fri Aug 26 06:01:09 2005
From: rinaldy_roy at yahoo.com (rinaldy roy)
Date: Fri, 26 Aug 2005 03:01:09 -0700 (PDT)
Subject: [nycphp-talk] Operation must use an updateable query.
In-Reply-To:
Message-ID: <20050826100109.53275.qmail@web52715.mail.yahoo.com>

I've just started my first HTML and MS Access as below, but come up with error:

Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[Microsoft][ODBC Microsoft Access Driver] Operation must use an updateable query.
/pelanggan_tulis_2.asp, line 20

Browser Type:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Page:
POST 24 bytes to /pelanggan_tulis_2.asp

POST Data:
Ipelanggan=aa&Ialamat=bb

CekCon

<%
ipelanggan=Request("Ipelanggan")
ialamat=Request("Ialamat")
' Set up the database connection
Set conn=Server.Createobject( "ADODB.Connection" )
    conn.Mode = 3 ' adModeReadWrite
    conn.Open "DSN=pelanggan;uid=Admin;pwd=;"
    Set rs = Server.CreateObject("ADODB.Recordset")
    sql="INSERT INTO master_pelanggan(nama_pelanggan, alamat)"
    sql=sql & " VALUES('"& ipelanggan &"', '"& ialamat &"')"
    set RS=Conn.Execute(SQL)
Response.write "data masuk"
%>

---------------
How to fix it?
RRY

talk-request at lists.nyphp.org wrote:

Send talk mailing list submissions to
	talk at lists.nyphp.org

To subscribe or unsubscribe via the World Wide Web, visit
	http://lists.nyphp.org/mailman/listinfo/talk
or, via email, send a message with subject or body 'help' to
	talk-request at lists.nyphp.org

You can reach the person managing the list at
	talk-owner at lists.nyphp.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of talk digest..."

Today's Topics:

   1. MD5 + Flash (-sry Boston)
   2. Re: MD5 + Flash (Hans Zaunere)
   3. OWASP 9/29 Save The Date (Thomas Brennan)
   4. Re: Session basics (Billy Pilgrim)
   5. Re: MD5 + Flash (csnyder)

----------------------------------------------------------------------

Message: 1
Date: Sun, 21 Aug 2005 13:23:30 -0500
From: "-sry Boston"
Subject: [nycphp-talk] MD5 + Flash
To: talk at lists.nyphp.org
Message-ID:
Content-Type: text/plain; format=flowed

Hiya,

If you're over on WWWAC you've already seen this but I'm asking here from another slant. I have no idea what I can or can't do withOUT having to create/manage a mySQL db...my server will let me do this easily enough but it's been over a year since I've thought of PHP or mySQL and I don't want to get so distracted by the programming mindset that I forget what I was doing in the first place (trying to do some marketing).

Below is the process I'm trying to implement - step 5 is where I'm fuzzy...I know I could definitely have the URL come back to a PHP page that looks up the string in a db (and a very simple one, I'm sure, since it's just a list) but I'd rather just have the URL come back to the Flash file and do the checking from within the .swf, with ActionScript - is that easier or harder? Since you guys all love PHP and probably only half of you even like AS, I know it's a biased answer I'll get :-) but try to be objective and not play favorites on the languages here.

What I want to do:

(1) user gives me email address

(2) with a PHP script (free from http://www.allhype.co.uk/tools/md5/ and a very nice script actually!!) I MD5 their email address

(3) I send user a message (to validate the address works) that has their MD5'd address as a link for them to come back and get what they want

(4) user clicks unique query string in the email I've sent them

(4) I validate the string .....how/from where is the ??? :)

(5) if valid, give them the Flash file; if not, give them an error message

Any help much appreciated!

-sry
Sarah R. Yoffa
http://books.sarahryoffa.com/
books at sarahryoffa.com
*********************
Look for the exciting release of the newly-edited
THE PHOENIX SHALL RISE AGAIN
Coming to online booksellers - New Year's 2006.
*********************

------------------------------

Message: 2
Date: Sun, 21 Aug 2005 17:45:41 -0400
From: "Hans Zaunere"
Subject: Re: [nycphp-talk] MD5 + Flash
To: "'NYPHP Talk'"
Message-ID: <0MKp2t-1E6xdN3S4E-0001Lu at mrelay.perfora.net>
Content-Type: text/plain; charset="us-ascii"

talk-bounces at lists.nyphp.org wrote on Sunday, August 21, 2005 2:24 PM:
> Hiya,
>
> If you're over on WWWAC you've already seen this but I'm asking here
> from another slant. I have no idea what I can or can't do withOUT
> having to create/manage a mySQL db...my server will let me do this
> easily enough but it's been over a year since I've thought of PHP or
> mySQL and I don't want to get so distracted by the programming
> mindset that I forget what I was doing in the first place (trying to
> do some marketing).
>
> Below is the process I'm trying to implement - step 5 is where I'm
> fuzzy...I know I could definitely have the URL come back to a
> PHP page that looks up the string in a db (and a very simple one,
> I'm sure, since it's just a list) but I'd rather just have
> the URL come
> back to the Flash file and do the checking from within the .swf,
> with ActionScript - is that easier or harder? Since you guys all love
> PHP and probably only half of you even like AS, I know it's a biased
> answer I'll get :-) but try to be objective and not play favorites on
> the languages here.
>
> What I want to do:
>
> (1) user gives me email address
>
> (2) with a PHP script (free from http://www.allhype.co.uk/tools/md5/
> and a very nice script actually!!) I MD5 their email address
>
> (3) I send user a message (to validate the address works) that has
> their MD5'd address as a link for them to come back and get what they
> want
>
> (4) user clicks unique query string in the email I've sent them
>
> (4) I validate the string .....how/from where is the ??? :)
>
> (5) if valid, give them the Flash file; if not, give them an
> error message

You could do all of this with just Flash, etc. assuming Flash has MD5, as I'm sure it does, but you'll be limited. If you want to track who has downloaded what files, the browser they're using, etc. you won't be able to do so without a DB.

There's also a security concern here. There's no way to know that the email address you've gotten originally is the same as the one that's coming from the link. Since you're not storing anything anywhere, you have no way to keep persistent data. If I know that you're checking that an MD5 matches the MD5 of the email address, I can pass you any MD5 I want, and it'll validate.

H

------------------------------

Message: 3
Date: Sun, 21 Aug 2005 20:16:17 -0400
From: "Thomas Brennan"
Subject: [nycphp-talk] OWASP 9/29 Save The Date
To:
Message-ID: <1DA2AD8042527B4199C09042CFC0A94D18794B at jinx.datasafeservices.net>
Content-Type: text/plain; charset="US-ASCII"

I would like to provide you with advanced notice and extend a special invite for you to join us at the next Open Web Application Security Meeting (OWASP) NJ Chapter meeting. The next event will be held at September 29th at ABN AMRO in Jersey City (across from the path station) - full details, speakers and RSVP information is located at the chapter website online: http://www.owasp.org/local/nnj.html

Currently on the September Agenda:

SPEAKER - OWASP - Topic: Review of OWASP Security Guide v2.0.1 Released at BlackHat
SPEAKER - eEye Digital Security - Topic: Worm / Vulnerability Management
SPEAKER - Application Security - Topic: Database Attacks
SPEAKER - NitroSecurity - Topic: Analysis of Network Attacks

** You are encouraged to forward this email to others that you believe would benefit from this non-profit, educational peer-to-peer networking opportunity -- RSVP is required due to building security requirements see: http://www.owasp.org/local/nnj.html for details.

At our November meeting we are looking forward to having NYPHP/Hans Zaunere speak concerning PHP Security Issues

Enjoy the rest of your summer!

Thomas Brennan, CISSP, CFSO, MCSA, C|EH
DATA SAFE SERVICES
"Because Security is NOT the default"
831-B Route 10 East, Whippany NJ 07981
Tel: 973-795-1046 | Fax: 973-428-0293
Web: www.datasafeservices.com

------------------------------

Message: 4
Date: Sun, 21 Aug 2005 22:48:19 -0400
From: Billy Pilgrim
Subject: Re: [nycphp-talk] Session basics
To: NYPHP Talk
Message-ID: <6ee3253b050821194874c5ddf0 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On 8/19/05, Chris Shiflett wrote:
> Aaron Fischer wrote:
> > If the session has expired such as in browser close or timeout, the
> > bookmarked page won't be a liability as the session id in the URL won't
> > find a matching session id on the server.
>
> The server doesn't know when the browser is closed, so that part's not
> right. It is true that a session timeout (on the server side) offers
> some protection against this type of accidental hijacking.

A bookmarked session id might not result in a hijacked session, but it's not a good idea to have session ids exposed and kept around like that.

Consider another example: Someone is logged into a newspaper site and sees an interesting article. The user copies the url (with session id) and pastes it in an email to a friend. If the friend receives the email quickly and the server has a long timeout, accidental session hijacking could occur.

The primary reason to have a session id in the url is if the browser doesn't support cookies, right?

------------------------------

Message: 5
Date: Mon, 22 Aug 2005 08:35:30 -0400
From: csnyder
Subject: Re: [nycphp-talk] MD5 + Flash
To: NYPHP Talk
Message-ID:
Content-Type: text/plain; charset=ISO-8859-1

On 8/21/05, -sry Boston wrote:
> What I want to do:
>
> (1) user gives me email address
>
> (2) with a PHP script (free from http://www.allhype.co.uk/tools/md5/
> and a very nice script actually!!) I MD5 their email address
>
> (3) I send user a message (to validate the address works) that has
> their MD5'd address as a link for them to come back and get what
> they want
>
> (4) user clicks unique query string in the email I've sent them
>
> (4) I validate the string .....how/from where is the ??? :)
>
> (5) if valid, give them the Flash file; if not, give them an error message
>
> Any help much appreciated!

I think you have the purpose of the MD5 hash confused. In this case, you want it to be an *unguessable* token that the user can bring back to you to prove that they got your validation message, and that they own the mailbox associated with the provided email address. In other words, it should be random.

If it's just the hash of their email address, then an impersonator could easily generate the right token and validate an address that isn't their own (as Hans pointed out).

You will need some sort of DB -- MySQL or flat file or otherwise -- to store the email address and the random token in the same record, so that when the user clicks the link with the token in it, you can look up the email and mark it valid.

--
Chris Snyder
http://chxo.com/

------------------------------

_______________________________________________
talk mailing list
talk at lists.nyphp.org
http://lists.nyphp.org/mailman/listinfo/talk

End of talk Digest, Vol 27, Issue 50
************************************

From rinaldy_roy at yahoo.com Fri Aug 26 06:01:15 2005
From: rinaldy_roy at yahoo.com (rinaldy roy)
Date: Fri, 26 Aug 2005 03:01:15 -0700 (PDT)
Subject: [nycphp-talk] Operation must use an updateable query.
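The point Hans and Chris make above (a token equal to md5 of the address is reproducible by anyone who knows the address, so the validation proves nothing) is easiest to see in code. This added example is not from the thread; it contrasts the md5-of-email check with a random token stored alongside the address and looked up on return, using a constructed in-memory array in place of the MySQL table or flat file, and assumes PHP 7.4 or newer.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Storage is a constructed in-memory
// array standing in for the DB or flat file the replies recommend.

/**
 * The design from the original post: token = md5(email). Anyone who knows an
 * address can compute this, so a forged link "validates" a mailbox the sender
 * never controlled.
 */
function weakTokenValidates(string $tokenFromUrl, string $email): bool
{
    return hash_equals(md5($email), $tokenFromUrl);
}

final class EmailValidator
{
    /** @var array<string, array{email: string, expires: int}> pending records keyed by token */
    private array $pending = [];

    /** @var array<string, true> addresses that completed the round trip */
    private array $validated = [];

    /** Steps 1-3: store the address with a fresh random token; the token goes into the emailed link. */
    public function requestValidation(string $email, int $now, int $ttlSeconds = 86400): string
    {
        // 16 bytes from the CSPRNG: the token carries no information about the address.
        $token = bin2hex(random_bytes(16));
        $this->pending[$token] = ['email' => $email, 'expires' => $now + $ttlSeconds];
        return $token;
    }

    /** Steps 4-5: a link is valid only if its token is one we issued, unexpired and unused. */
    public function confirm(string $tokenFromUrl, int $now): ?string
    {
        // Reject anything that is not a 32-hex-digit token before touching storage.
        if (!preg_match('/^[0-9a-f]{32}$/', $tokenFromUrl)) {
            return null;
        }
        $record = $this->pending[$tokenFromUrl] ?? null;
        if ($record === null || $record['expires'] < $now) {
            return null;
        }
        unset($this->pending[$tokenFromUrl]);       // single use
        $this->validated[$record['email']] = true;  // "mark it valid"
        return $record['email'];                    // caller may now hand out the file
    }

    public function isValidated(string $email): bool
    {
        return isset($this->validated[$email]);
    }
}

// Walk-through with constructed values.
$email = 'reader@example.com';   // constructed
$now   = 1124640000;             // constructed timestamp

// Weak design: the md5 of a known address passes the check.
if (!weakTokenValidates(md5($email), $email)) {
    throw new RuntimeException('unexpected: md5 design should accept the forged token');
}

// Stored-token design: the md5 of the address is not a token we issued.
$validator = new EmailValidator();
$token = $validator->requestValidation($email, $now);
if ($validator->confirm(md5($email), $now) !== null) {
    throw new RuntimeException('unexpected: forged token accepted');
}
// The real link works once ...
if ($validator->confirm($token, $now) !== $email || !$validator->isValidated($email)) {
    throw new RuntimeException('unexpected: issued token rejected');
}
// ... while a replay of it, or a second token used after expiry, is refused.
$replay = $validator->confirm($token, $now);
$late   = $validator->confirm($validator->requestValidation($email, $now), $now + 2 * 86400);
if ($replay !== null || $late !== null) {
    throw new RuntimeException('unexpected: replayed or expired token accepted');
}
echo "stored random token: forged, replayed and expired links all rejected\n";
```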
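Billy Pilgrim's scenario above (a URL carrying the session id pasted into an email) and Chris Shiflett's note that only a server-side timeout helps are both addressed by PHP's session settings. This added example, not from the thread, shows a session bootstrap that refuses ids from the query string and enforces an idle timeout on the server; it assumes PHP 7.3 or newer and a site served over HTTPS.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Keeps the session id out of URLs
// (so a bookmarked, copied or emailed link cannot carry a live session) and
// bounds how long an exposed id stays usable with a server-side idle timeout,
// which is the only form of "browser closed" the server can actually observe.

function startHardenedSession(int $idleLimitSeconds = 900): void
{
    // These three settings cover the scenario in the thread: ids travel only
    // in the cookie, are never appended to links, and an id the server did not
    // itself issue is discarded instead of adopted.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,        // expires with the browser session
        'path'     => '/',
        'secure'   => true,     // cookie only over HTTPS
        'httponly' => true,     // not readable from script
        'samesite' => 'Lax',
    ]);
    session_start();

    // Server-side idle timeout: a pasted link or an old cookie arriving after
    // the limit finds no usable session, whatever the browser did meanwhile.
    $now = time();
    if (isset($_SESSION['last_seen']) && ($now - $_SESSION['last_seen']) > $idleLimitSeconds) {
        $_SESSION = [];                  // drop the stale state
        session_regenerate_id(true);     // new id, old record deleted
    }
    $_SESSION['last_seen'] = $now;
}

/** Call after a successful login so the authenticated session never keeps a pre-login id. */
function promoteSessionAfterLogin(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```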
In-Reply-To:
Message-ID: <20050826100115.2822.qmail@web52706.mail.yahoo.com>

I've just started my first HTML and MS Access as below, but come up with error:

Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[Microsoft][ODBC Microsoft Access Driver] Operation must use an updateable query.
/pelanggan_tulis_2.asp, line 20

Browser Type:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Page:
POST 24 bytes to /pelanggan_tulis_2.asp

POST Data:
Ipelanggan=aa&Ialamat=bb

CekCon

<%
ipelanggan=Request("Ipelanggan")
ialamat=Request("Ialamat")
' Set up the database connection
Set conn=Server.Createobject( "ADODB.Connection" )
    conn.Mode = 3 ' adModeReadWrite
    conn.Open "DSN=pelanggan;uid=Admin;pwd=;"
    Set rs = Server.CreateObject("ADODB.Recordset")
    sql="INSERT INTO master_pelanggan(nama_pelanggan, alamat)"
    sql=sql & " VALUES('"& ipelanggan &"', '"& ialamat &"')"
    set RS=Conn.Execute(SQL)
Response.write "data masuk"
%>

---------------
How to fix it?

RRY
From gary at helponboard.org Fri Aug 26 08:20:05 2005
From: gary at helponboard.org (Gary Bonde)
Date: Fri, 26 Aug 2005 08:20:05 -0400
Subject: [nycphp-talk] talk Digest, Vol 27, Issue 59
In-Reply-To:
Message-ID: <20050826122009.A05A3A85F3@virtu.nyphp.org>

Morning Rinaldy:

The problem you are having is most likely to do with directory/file permissions on the access database. If you have control of the webserver then you need to use windows explorer and give write permissions to the directory and to the access database .mdb and .ldb. If you are not in control of the webserver you will need to ask your hosting provider to update the permissions.

I have run into this problem a number of times when using access databases for web development.

Hope this helps.

Gary Bonde
gary at helponboard.org

Date: Fri, 26 Aug 2005 03:01:09 -0700 (PDT)
From: rinaldy roy
Subject: [nycphp-talk] Operation must use an updateable query.
To: talk at lists.nyphp.org
Message-ID: <20050826100109.53275.qmail at web52715.mail.yahoo.com>
Content-Type: text/plain; charset="iso-8859-1"

I've just started my first HTML and MS Access as below, but come up with error:

Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[Microsoft][ODBC Microsoft Access Driver] Operation must use an updateable query.
/pelanggan_tulis_2.asp, line 20

Browser Type:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Page:
POST 24 bytes to /pelanggan_tulis_2.asp

POST Data:
Ipelanggan=aa&Ialamat=bb

CekCon

<%
ipelanggan=Request("Ipelanggan")
ialamat=Request("Ialamat")
' Set up the database connection
Set conn=Server.Createobject( "ADODB.Connection" )
    conn.Mode = 3 ' adModeReadWrite
    conn.Open "DSN=pelanggan;uid=Admin;pwd=;"
    Set rs = Server.CreateObject("ADODB.Recordset")
    sql="INSERT INTO master_pelanggan(nama_pelanggan, alamat)"
    sql=sql & " VALUES('"& ipelanggan &"', '"& ialamat &"')"
    set RS=Conn.Execute(SQL)
Response.write "data masuk"
%>

---------------
How to fix it?

RRY

From michael.southwell at nyphp.org Fri Aug 26 09:18:14 2005
From: michael.southwell at nyphp.org (Michael Southwell)
Date: Fri, 26 Aug 2005 09:18:14 -0400
Subject: [nycphp-talk] Operation must use an updateable query.
In-Reply-To: <20050826100115.2822.qmail@web52706.mail.yahoo.com>
References: <20050826100115.2822.qmail@web52706.mail.yahoo.com>
Message-ID: <6.1.2.0.2.20050826091544.021ebec0@mail.optonline.net>

This is a discussion list for the PHP language. Because you are using ASP, you need a discussion list for that language. Try http://aspadvice.com/ . Good luck!

At 06:01 AM 8/26/2005, you wrote:
> I've just started my first HTML and MS Access as below, but come up with
> error:
>
>Error Type:
>Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
>[Microsoft][ODBC Microsoft Access Driver] Operation must use an updateable
>query.
>/pelanggan_tulis_2.asp, line 20
>
>Browser Type:
>Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
>
>Page:
>POST 24 bytes to /pelanggan_tulis_2.asp
>
>POST Data:
>Ipelanggan=aa&Ialamat=bb
>
> CekCon
>
><%
>ipelanggan=Request("Ipelanggan")
>ialamat=Request("Ialamat")
>' Set up the database connection
>Set conn=Server.Createobject( "ADODB.Connection" )
> conn.Mode = 3 ' adModeReadWrite
> conn.Open "DSN=pelanggan;uid=Admin;pwd=;"
> Set rs = Server.CreateObject("ADODB.Recordset")
> sql="INSERT INTO master_pelanggan(nama_pelanggan, alamat)"
> sql=sql & " VALUES('"& ipelanggan &"', '"& ialamat &"')"
> set RS=Conn.Execute(SQL)
>Response.write "data masuk"
>%>
>
>---------------
>How to fix it?
> >RRY
> talk-request at lists.nyphp.org wrote:
> Send talk mailing list submissions to talk at lists.nyphp.org
>
> To subscribe or unsubscribe via the World Wide Web, visit http://lists.nyphp.org/mailman/listinfo/talk or, via email, send a message with subject or body 'help' to talk-request at lists.nyphp.org
>
> You can reach the person managing the list at talk-owner at lists.nyphp.org
>
> When replying, please edit your Subject line so it is more specific than "Re: Contents of talk digest..."
>
> Today's Topics:
>
> 1. MD5 + Flash (-sry Boston)
> 2. Re: MD5 + Flash (Hans Zaunere)
> 3. OWASP 9/29 Save The Date (Thomas Brennan)
> 4. Re: Session basics (Billy Pilgrim)
> 5. Re: MD5 + Flash (csnyder)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 21 Aug 2005 13:23:30 -0500
> From: "-sry Boston"
> Subject: [nycphp-talk] MD5 + Flash
> To: talk at lists.nyphp.org
> Message-ID:
> Content-Type: text/plain; format=flowed
>
> Hiya,
>
> If you're over on WWWAC you've already seen this but I'm asking here from another slant. I have no idea what I can or can't do withOUT having to create/manage a mySQL db...my server will let me do this easily enough but it's been over a year since I've thought of PHP or mySQL and I don't want to get so distracted by the programming mindset that I forget what I was doing in the first place (trying to do some marketing).
>
> Below is the process I'm trying to implement - step 5 is where I'm fuzzy...I know I could definitely have the URL come back to a PHP page that looks up the string in a db (and a very simple one, I'm sure, since it's just a list) but I'd rather just have the URL come back to the Flash file and do the checking from within the .swf, with ActionScript - is that easier or harder? Since you guys all love PHP and probably only half of you even like AS, I know it's a biased answer I'll get :-) but try to be objective and not play favorites on the languages here.
>
> What I want to do:
>
> (1) user gives me email address
>
> (2) with a PHP script (free from http://www.allhype.co.uk/tools/md5/ and a very nice script actually!!) I MD5 their email address
>
> (3) I send user a message (to validate the address works) that has their MD5'd address as a link for them to come back and get what they want
>
> (4) user clicks unique query string in the email I've sent them
>
> (4) I validate the string .....how/from where is the ??? :)
>
> (5) if valid, give them the Flash file; if not, give them an error message
>
> Any help much appreciated!
>
> -sry
> Sarah R. Yoffa
> http://books.sarahryoffa.com/
> books at sarahryoffa.com
> *********************
> Look for the exciting release of the newly-edited
> THE PHOENIX SHALL RISE AGAIN
> Coming to online booksellers - New Year's 2006.
> *********************
>
> ------------------------------
>
> Message: 2
> Date: Sun, 21 Aug 2005 17:45:41 -0400
> From: "Hans Zaunere"
> Subject: Re: [nycphp-talk] MD5 + Flash
> To: "'NYPHP Talk'"
> Message-ID: <0MKp2t-1E6xdN3S4E-0001Lu at mrelay.perfora.net>
> Content-Type: text/plain; charset="us-ascii"
>
> talk-bounces at lists.nyphp.org wrote on Sunday, August 21, 2005 2:24 PM:
> > Hiya,
> >
> > If you're over on WWWAC you've already seen this but I'm asking here from another slant. I have no idea what I can or can't do withOUT having to create/manage a mySQL db...my server will let me do this easily enough but it's been over a year since I've thought of PHP or mySQL and I don't want to get so distracted by the programming mindset that I forget what I was doing in the first place (trying to do some marketing).
> >
> > Below is the process I'm trying to implement - step 5 is where I'm fuzzy...I know I could definitely have the URL come back to a PHP page that looks up the string in a db (and a very simple one, I'm sure, since it's just a list) but I'd rather just have the URL come back to the Flash file and do the checking from within the .swf, with ActionScript - is that easier or harder? Since you guys all love PHP and probably only half of you even like AS, I know it's a biased answer I'll get :-) but try to be objective and not play favorites on the languages here.
> >
> > What I want to do:
> >
> > (1) user gives me email address
> >
> > (2) with a PHP script (free from http://www.allhype.co.uk/tools/md5/ and a very nice script actually!!) I MD5 their email address
> >
> > (3) I send user a message (to validate the address works) that has their MD5'd address as a link for them to come back and get what they want
> >
> > (4) user clicks unique query string in the email I've sent them
> >
> > (4) I validate the string .....how/from where is the ??? :)
> >
> > (5) if valid, give them the Flash file; if not, give them an error message
>
> You could do all of this with just Flash, etc. assuming Flash has MD5, as I'm sure it does, but you'll be limited. If you want to track who has downloaded what files, the browser they're using, etc. you won't be able to do so without a DB.
>
> There's also a security concern here. There's no way to know that the email address you've gotten originally is the same as the one that's coming from the link. Since you're not storing anything anywhere, you have no way to keep persistent data. If I know that you're checking that an MD5 matches the MD5 of the email address, I can pass you any MD5 I want, and it'll validate.
>
> H
>
> ------------------------------
>
> Message: 3
> Date: Sun, 21 Aug 2005 20:16:17 -0400
> From: "Thomas Brennan"
> Subject: [nycphp-talk] OWASP 9/29 Save The Date
> To:
> Message-ID: <1DA2AD8042527B4199C09042CFC0A94D18794B at jinx.datasafeservices.net>
> Content-Type: text/plain; charset="US-ASCII"
>
> I would like to provide you with advance notice and extend a special invite for you to join us at the next Open Web Application Security Meeting (OWASP) NJ Chapter meeting. The next event will be held on September 29th at ABN AMRO in Jersey City (across from the PATH station) - full details, speakers and RSVP information are located at the chapter website online:
>
> http://www.owasp.org/local/nnj.html
>
> Currently on the September Agenda:
>
> SPEAKER - OWASP - Topic: Review of OWASP Security Guide v2.0.1 Released at BlackHat
>
> SPEAKER - eEye Digital Security - Topic: Worm / Vulnerability Management
>
> SPEAKER - Application Security - Topic: Database Attacks
>
> SPEAKER - NitroSecurity - Topic: Analysis of Network Attacks
>
> ** You are encouraged to forward this email to others that you believe would benefit from this non-profit, educational peer-to-peer networking opportunity -- RSVP is required due to building security requirements; see: http://www.owasp.org/local/nnj.html for details.
>
> At our November meeting we are looking forward to having NYPHP/Hans Zaunere speak concerning PHP Security Issues.
>
> Enjoy the rest of your summer!
>
> Thomas Brennan, CISSP, CFSO, MCSA, C|EH
> DATA SAFE SERVICES
> "Because Security is NOT the default"
> 831-B Route 10 East, Whippany NJ 07981
> Tel: 973-795-1046 | Fax: 973-428-0293
> Web: www.datasafeservices.com
>
> ------------------------------
>
> Message: 4
> Date: Sun, 21 Aug 2005 22:48:19 -0400
> From: Billy Pilgrim
> Subject: Re: [nycphp-talk] Session basics
> To: NYPHP Talk
> Message-ID: <6ee3253b050821194874c5ddf0 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On 8/19/05, Chris Shiflett wrote:
> > Aaron Fischer wrote:
> > > If the session has expired such as in browser close or timeout, the bookmarked page won't be a liability as the session id in the URL won't find a matching session id on the server.
> >
> > The server doesn't know when the browser is closed, so that part's not right. It is true that a session timeout (on the server side) offers some protection against this type of accidental hijacking.
>
> A bookmarked session id might not result in a hijacked session, but it's not a good idea to have session ids exposed and kept around like that.
>
> Consider another example: Someone is logged into a newspaper site and sees an interesting article. The user copies the url (with session id) and pastes it in an email to a friend. If the friend receives the email quickly and the server has a long timeout, accidental session hijacking could occur.
>
> The primary reason to have a session id in the url is if the browser doesn't support cookies, right?
>
> ------------------------------
>
> Message: 5
> Date: Mon, 22 Aug 2005 08:35:30 -0400
> From: csnyder
> Subject: Re: [nycphp-talk] MD5 + Flash
> To: NYPHP Talk
> Message-ID:
> Content-Type: text/plain; charset=ISO-8859-1
>
> On 8/21/05, -sry Boston wrote:
> > What I want to do:
> >
> > (1) user gives me email address
> >
> > (2) with a PHP script (free from http://www.allhype.co.uk/tools/md5/ and a very nice script actually!!) I MD5 their email address
> >
> > (3) I send user a message (to validate the address works) that has their MD5'd address as a link for them to come back and get what they want
> >
> > (4) user clicks unique query string in the email I've sent them
> >
> > (4) I validate the string .....how/from where is the ??? :)
> >
> > (5) if valid, give them the Flash file; if not, give them an error message
> >
> > Any help much appreciated!
>
> I think you have the purpose of the MD5 hash confused. In this case, you want it to be an *unguessable* token that the user can bring back to you to prove that they got your validation message, and that they own the mailbox associated with the provided email address.
>
> In other words, it should be random. If it's just the hash of their email address, then an impersonator could easily generate the right token and validate an address that isn't their own (as Hans pointed out).
>
> You will need some sort of DB -- MySQL or flat file or otherwise -- to store the email address and the random token in the same record, so that when the user clicks the link with the token in it, you can look up the email and mark it valid.
>
> --
> Chris Snyder
> http://chxo.com/
>
> ------------------------------
>
> _______________________________________________
> talk mailing list
> talk at lists.nyphp.org
> http://lists.nyphp.org/mailman/listinfo/talk
>
> End of talk Digest, Vol 27, Issue 50
> ************************************
>
> Start your day with Yahoo!
> - make it your home page
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org

Michael Southwell, Vice President for Education
New York PHP
http://www.nyphp.com/training - In-depth PHP Training Courses

From papillion at gmail.com Fri Aug 26 14:52:46 2005
From: papillion at gmail.com (Anthony Papillion II)
Date: Fri, 26 Aug 2005 13:52:46 -0500
Subject: [nycphp-talk] Operation must use an updateable query.
In-Reply-To: <20050826100109.53275.qmail@web52715.mail.yahoo.com>
References: <20050826100109.53275.qmail@web52715.mail.yahoo.com>
Message-ID: <430F64FE.1010100@gmail.com>

Even though this is a PHP discussion list, this problem has a quick enough answer for me to offer an answer here. The most probable cause is that the IUSER account doesn't have modify or update permissions on the folder the database is in. Make sure IUSER has the right permissions on the folder and try again. This will probably solve your problem.

Anthony
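The scheme Hans Zaunere and Chris Snyder argue for in the quoted digest above (a random token stored next to the address, instead of md5 of the address) as an added PHP example; it is not code from the thread or from any poster. It assumes PHP 7.1 or later with pdo_sqlite, and the table, column and function names are invented here.

```php
<?php
// Added example, not code from the thread: email validation with a random,
// stored token in place of md5($email). Assumes PHP 7.1+ with pdo_sqlite;
// the table, column and function names are invented for this example.

const TOKEN_TTL = 86400;   // assumed policy: a mailed link is good for one day

function openStore(): PDO {
    // In-memory SQLite keeps the example stand-alone; Chris's point is only
    // that *some* store (MySQL, a flat file, ...) must hold address + token.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE signup (
        email      TEXT    NOT NULL,
        token_hash TEXT    NOT NULL UNIQUE,
        created    INTEGER NOT NULL,
        validated  INTEGER NOT NULL DEFAULT 0)');
    return $db;
}

// Steps 2 and 3: remember the address and return the token for the mailed link.
function issueToken(PDO $db, string $email): string {
    // 128 bits from the CSPRNG. Unlike md5($email), nothing about this value
    // can be computed by someone who merely knows the address.
    $token = bin2hex(random_bytes(16));
    // Store a hash of the token, so a copy of the table does not yield usable links.
    $stmt = $db->prepare('INSERT INTO signup (email, token_hash, created)
                          VALUES (:email, :hash, :created)');
    $stmt->execute([
        ':email'   => $email,
        ':hash'    => hash('sha256', $token),
        ':created' => time(),
    ]);
    return $token;
}

// Steps 4 and 5: the link comes back as ...?t=<token>. Returns the address that
// was validated, or null when the token is unknown, already used or expired.
function validateToken(PDO $db, string $token): ?string {
    // Look the record up by the token's hash; the raw token is never stored.
    $hash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT email, created, validated FROM signup
                          WHERE token_hash = :hash');
    $stmt->execute([':hash' => $hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                       // never issued
    }
    if ((int)$row['validated'] === 1) {
        return null;                       // single use: a replayed link fails
    }
    if (time() - (int)$row['created'] > TOKEN_TTL) {
        return null;                       // stale link
    }
    $upd = $db->prepare('UPDATE signup SET validated = 1 WHERE token_hash = :hash');
    $upd->execute([':hash' => $hash]);
    return $row['email'];
}

// Stand-alone run with a constructed address.
$db    = openStore();
$email = 'reader@example.com';
$token = issueToken($db, $email);

// Hans's objection: a value derived from the address alone is not accepted.
echo "md5 of address: ", validateToken($db, md5($email)) ?? 'rejected', "\n";
// The mailed token is accepted exactly once.
echo "first click:    ", validateToken($db, $token) ?? 'rejected', "\n";
echo "second click:   ", validateToken($db, $token) ?? 'rejected', "\n";
```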
From codebowl at gmail.com Sat Aug 27 08:53:49 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Sat, 27 Aug 2005 08:53:49 -0400
Subject: [nycphp-talk] [OT] - PhpPatterns.com
Message-ID: <8d9a4280050827055346349e93@mail.gmail.com>

Anyone here know what's going on with phppatterns.com? Seems to have been down for the last few weeks, well every time I check anyway.

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com

From spedeens at gmail.com Sat Aug 27 10:29:12 2005
From: spedeens at gmail.com (Denis Ramirez)
Date: Sat, 27 Aug 2005 10:29:12 -0400
Subject: [nycphp-talk] Operation must use an updateable query.
References: <20050826100109.53275.qmail@web52715.mail.yahoo.com> <430F64FE.1010100@gmail.com>
Message-ID: <001801c5ab13$b251f0d0$0100a8c0@HODESK>

I think Anthony is right!!!! Because this error usually happens on Windows NT, Windows 2000 or Windows XP and may be caused by any of the following conditions:

- the database file or database folder doesn't have the necessary security permissions to write to, or erase, the .ldb file created by Microsoft Access when opening the database
- the database file doesn't have sufficient security permissions or write permissions to be modified when updating data in it.

The web browser is seen by the web server as an Internet User that has the server account IUSR. This user needs to have write permission to the database file and to the database folder.

Resolution

Follow these steps to resolve this issue:

1. Use Windows Explorer to find the folder on the disk which contains the database file (.mdb). This is usually your project folder.
2. Right-click on the project folder and select Properties.
3. Uncheck the Read-only property.
4. Click on the Security tab in the properties window. (Attention: if you don't see such a tab (Windows XP), close the properties window, open any folder, select Tools -> Folder Options -> View, and uncheck the option "Use simple file sharing".)
5. Click Add and find, then select the user IUSR_.
6. Select the Write checkbox in the Allow column to assign Write permissions to the IUSR account.

http://support.yessoftware.com/files/kb/iusr3.gif

Sorry for my English.....!!!

Denis Ramirez.

----- Original Message -----
From: "Anthony Papillion II"
To: "NYPHP Talk"
Sent: Friday, August 26, 2005 2:52 PM
Subject: Re: [nycphp-talk] Operation must use an updateable query.
Make sure IUSER has the right permissions on the folder and try again. This will probably solve your problem. Anthony rinaldy roy wrote: > I've just started my first HTML and MS Acces as below, but come up > with error: > > # Error Type: > Microsoft OLE DB Provider for ODBC Drivers (0x80004005) > [Microsoft][ODBC Microsoft Access Driver] Operation must use an > updateable query. > */pelanggan_tulis_2.asp, line 20* > # Browser Type: > Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) > # Page: > POST 24 bytes to /pelanggan_tulis_2.asp > # POST Data: > Ipelanggan=aa&Ialamat=bb > > > > > CekCon > > > <% > ipelanggan=Request("Ipelanggan") > ialamat=Request("Ialamat") > ' Set koneksi ke database > Set conn=Server.Createobject( "ADODB.Connection" ) > conn.Mode = 3 ' adModeReadWrite > conn.Open "DSN=pelanggan;uid=Admin;pwd=;" > Set rs = Server.CreateObject("ADODB.Recordset") > sql="INSERT INTO master_pelanggan(nama_pelanggan, alamat)" > sql=sql & "VALUES('"& ipelanggan &"', '"& ialamat &"')" > set RS=Conn.Execute(SQL) > Response.write "data masuk" > %> > > > > > --------------- > How to fix it? > > RRY > */talk-request at lists.nyphp.org/* wrote: > > Send talk mailing list submissions to > talk at lists.nyphp.org > > To subscribe or unsubscribe via the World Wide Web, visit > http://lists.nyphp.org/mailman/listinfo/talk > or, via email, send a message with subject or body 'help' to > talk-request at lists.nyphp.org > > You can reach the person managing the list at > talk-owner at lists.nyphp.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of talk digest..." > > > Today's Topics: > > 1. MD5 + Flash (-sry Boston) > 2. Re: MD5 + Flash (Hans Zaunere) > 3. OWASP 9/29 Save The Date (Thomas Brennan) > 4. Re: Session basics (Billy Pilgrim) > 5. 
> Re: MD5 + Flash (csnyder)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 21 Aug 2005 13:23:30 -0500
> From: "-sry Boston"
> Subject: [nycphp-talk] MD5 + Flash
> To: talk at lists.nyphp.org
> Content-Type: text/plain; format=flowed
>
> Hiya,
>
> If you're over on WWWAC you've already seen this but I'm asking here
> from another slant. I have no idea what I can or can't do withOUT
> having to create/manage a mySQL db... my server will let me do this
> easily enough but it's been over a year since I've thought of PHP or
> mySQL and I don't want to get so distracted by the programming
> mindset that I forget what I was doing in the first place (trying to
> do some marketing).
>
> Below is the process I'm trying to implement - step 5 is where I'm
> fuzzy... I know I could definitely have the URL come back to a
> PHP page that looks up the string in a db (and a very simple one,
> I'm sure, since it's just a list) but I'd rather just have the URL
> come back to the Flash file and do the checking from within the .swf,
> with ActionScript - is that easier or harder? Since you guys all love
> PHP and probably only half of you even like AS, I know it's a biased
> answer I'll get :-) but try to be objective and not play favorites
> on the languages here.
>
> What I want to do:
>
> (1) user gives me email address
>
> (2) with a PHP script (free from http://www.allhype.co.uk/tools/md5/
> and a very nice script actually!!) I MD5 their email address
>
> (3) I send user a message (to validate the address works) that has
> their MD5'd address as a link for them to come back and get what
> they want
>
> (4) user clicks unique query string in the email I've sent them
>
> (4) I validate the string ..... how/from where is the ??? :)
>
> (5) if valid, give them the Flash file; if not, give them an error
> message
>
> Any help much appreciated!
>
> -sry
> Sarah R. Yoffa
> http://books.sarahryoffa.com/
> books at sarahryoffa.com
> *********************
> Look for the exciting release of the newly-edited
> THE PHOENIX SHALL RISE AGAIN
> Coming to online booksellers - New Year's 2006.
> *********************
>
> ------------------------------
>
> Message: 2
> Date: Sun, 21 Aug 2005 17:45:41 -0400
> From: "Hans Zaunere"
> Subject: Re: [nycphp-talk] MD5 + Flash
> To: "'NYPHP Talk'"
> Message-ID: <0MKp2t-1E6xdN3S4E-0001Lu at mrelay.perfora.net>
> Content-Type: text/plain; charset="us-ascii"
>
> talk-bounces at lists.nyphp.org wrote on Sunday, August 21, 2005 2:24 PM:
> > [...]
>
> You could do all of this with just Flash, etc. assuming Flash has
> MD5, as I'm sure it does, but you'll be limited. If you want to track
> who has downloaded what files, the browser they're using, etc. you
> won't be able to do so without a DB.
>
> There's also a security concern here. There's no way to know that
> the email address you've gotten originally is the same as the one
> that's coming from the link. Since you're not storing anything
> anywhere, you have no way to keep persistent data. If I know that
> you're checking that an MD5 matches the MD5 of the email address, I
> can pass you any MD5 I want, and it'll validate.
>
> H
>
> ------------------------------
>
> Message: 3
> Date: Sun, 21 Aug 2005 20:16:17 -0400
> From: "Thomas Brennan"
> Subject: [nycphp-talk] OWASP 9/29 Save The Date
> Message-ID: <1DA2AD8042527B4199C09042CFC0A94D18794B at jinx.datasafeservices.net>
> Content-Type: text/plain; charset="US-ASCII"
>
> I would like to provide you with advance notice and extend a special
> invite for you to join us at the next Open Web Application Security
> Meeting (OWASP) NJ Chapter meeting.
> The next event will be held on September 29th at ABN AMRO in Jersey
> City (across from the PATH station) - full details, speakers and RSVP
> information are located at the chapter website online:
>
> http://www.owasp.org/local/nnj.html
>
> Currently on the September Agenda:
>
> SPEAKER - OWASP - Topic: Review of OWASP Security Guide v2.0.1
> Released at BlackHat
>
> SPEAKER - eEye Digital Security - Topic: Worm / Vulnerability
> Management
>
> SPEAKER - Application Security - Topic: Database Attacks
>
> SPEAKER - NitroSecurity - Topic: Analysis of Network Attacks
>
> ** You are encouraged to forward this email to others that you believe
> would benefit from this non-profit, educational peer-to-peer
> networking opportunity -- RSVP is required due to building security
> requirements; see: http://www.owasp.org/local/nnj.html for details.
>
> At our November meeting we are looking forward to having NYPHP/Hans
> Zaunere speak concerning PHP Security Issues
>
> Enjoy the rest of your summer!
>
> Thomas Brennan, CISSP, CFSO, MCSA, C|EH
> DATA SAFE SERVICES
> "Because Security is NOT the default"
> 831-B Route 10 East, Whippany NJ 07981
> Tel: 973-795-1046 | Fax: 973-428-0293
> Web: www.datasafeservices.com
>
> ------------------------------
>
> Message: 4
> Date: Sun, 21 Aug 2005 22:48:19 -0400
> From: Billy Pilgrim
> Subject: Re: [nycphp-talk] Session basics
> To: NYPHP Talk
> Message-ID: <6ee3253b050821194874c5ddf0 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On 8/19/05, Chris Shiflett wrote:
> > Aaron Fischer wrote:
> > > If the session has expired such as in browser close or timeout, the
> > > bookmarked page won't be a liability as the session id in the URL
> > > won't find a matching session id on the server.
> >
> > The server doesn't know when the browser is closed, so that part's
> > not right.
> > It is true that a session timeout (on the server side) offers
> > some protection against this type of accidental hijacking.
>
> A bookmarked session id might not result in a hijacked session, but
> it's not a good idea to have session ids exposed and kept around like
> that.
>
> Consider another example: Someone is logged into a newspaper site and
> sees an interesting article. The user copies the url (with session id)
> and pastes it in an email to a friend. If the friend receives the
> email quickly and the server has a long timeout, accidental session
> hijacking could occur.
>
> The primary reason to have a session id in the url is if the browser
> doesn't support cookies, right?
>
> ------------------------------
>
> Message: 5
> Date: Mon, 22 Aug 2005 08:35:30 -0400
> From: csnyder
> Subject: Re: [nycphp-talk] MD5 + Flash
> To: NYPHP Talk
> Content-Type: text/plain; charset=ISO-8859-1
>
> On 8/21/05, -sry Boston wrote:
> > [...]
>
> I think you have the purpose of the MD5 hash confused. In this case,
> you want it to be an *unguessable* token that the user can bring back
> to you to prove that they got your validation message, and that they
> own the mailbox associated with the provided email address.
>
> In other words, it should be random.
> If it's just the hash of their email address, then an impersonator
> could easily generate the right token and validate an address that
> isn't their own (as Hans pointed out).
>
> You will need some sort of DB -- MySQL or flat file or otherwise -- to
> store the email address and the random token in the same record, so
> that when the user clicks the link with the token in it, you can look
> up the email and mark it valid.
>
> --
> Chris Snyder
> http://chxo.com/
>
> ------------------------------
>
> _______________________________________________
> talk mailing list
> talk at lists.nyphp.org
> http://lists.nyphp.org/mailman/listinfo/talk
>
> End of talk Digest, Vol 27, Issue 50
> ************************************

_______________________________________________
New York PHP Talk Mailing List
AMP Technology
Supporting Apache, MySQL and PHP
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org

From rinaldy_roy at yahoo.com Mon Aug 29 01:49:10 2005
From: rinaldy_roy at yahoo.com (rinaldy roy)
Date: Sun, 28 Aug 2005 22:49:10 -0700 (PDT)
Subject: [nycphp-talk] Error: Microsoft VBScript compilation (0x800A0400)
Message-ID: <20050829054910.71964.qmail@web52707.mail.yahoo.com>

I've got this error message:

    Microsoft VBScript compilation (0x800A0400)
    Expected statement
    /display_pelanggan.asp, line 39

from the sample program below:

    DISPLAY PELANGGAN
    <%
    ' -- Declare Variables
    Dim objConn         ' Our Connection Object
    Dim objRS           ' Our Recordset Object
    Dim strSQL          ' Our SQL String to access the database
    Dim strConnection   ' Our Connection string to access the database
    Dim i               ' a counter variable

    ' -- Create objects
    Set objConn = Server.CreateObject("ADODB.Connection")
    Set objRS = Server.CreateObject("ADODB.Recordset")

    objConn.Open "DSN=pelanggan;uid=Admin;pwd=;"

    ' -- Our SQL Statement
    strSQL = "SELECT * FROM master_pelanggan"

    ' -- Populate our Recordset with data
    set objRS = objConn.Execute (strSQL)

    ' -- Open the Connection
    objConn.Open strConnection

    ' -- Populate our Recordset with data
    set objRS = objConn.Execute (strSQL)

    if (objRS.BOF and objRS.EOF) then
        response.write "No records found"
        response.end
    End if

    For i = 0 to objRS.Fields.Count - 1
        Response.Write ""
    Next
    Response.write ""

    ' -- Now output the contents of the Recordset
    objRS.MoveFirst
    Do While Not objRS.EOF
        ' -- output the contents
        Response.Write ""
        For i = 0 to objRS.Fields.Count - 1
            Response.Write ""
        Next
        Response.write ""
        ' -- move to the next record
        objRS.MoveNext
    Loop

    objRS.Close
    set objRS = Nothing
    objConn.Close
    set objConn = Nothing
    %>

From MS Office notes, it's suggested to update my windows application. Is
there any solution?

Regards,

Rinaldy RM

From krook at us.ibm.com Mon Aug 29 09:27:14 2005
From: krook at us.ibm.com (Daniel Krook)
Date: Mon, 29 Aug 2005 09:27:14 -0400
Subject: [nycphp-talk] Error: Microsoft VBScript compilation (0x800A0400)
In-Reply-To: <20050829054910.71964.qmail@web52707.mail.yahoo.com>

> I've got this error message: Microsoft VBScript compilation (0x800A0400)
> Expected statement
...snip...
> From MS Office notes, It's suggested to update my windows
> application. Is there any solution?
>
> Regards,
>
> Rinaldy RM

Rinaldy,

Again, this is not an appropriate place for ASP questions. Please do not
post them here (those who do have answers should send them off list as
well).

And in the future, if you do have PHP related issues similar to this, at
a minimum please consult Google before asking for help.
http://www.google.com/search?hl=en&lr=&c2coff=1&q=Microsoft+VBScript+compilation+%280x800A0400%29&btnG=Search

Thanks,

-Dan

Daniel Krook, Advisory IT Specialist
Application Development, Production Services - Tools, ibm.com
Personal: http://info.krook.org/
BluePages: http://bluepages.redirect.webahead.ibm.com/
BlogPages: http://blogpages.redirect.webahead.ibm.com/

From howard_nyc at yahoo.com Mon Aug 29 11:12:24 2005
From: howard_nyc at yahoo.com (Howard NYC)
Date: Mon, 29 Aug 2005 08:12:24 -0700 (PDT)
Subject: [nycphp-talk] [PHP+Eclipse] Q: how to install PHP plug in for Eclipse?
Message-ID: <20050829151224.49282.qmail@web32910.mail.mud.yahoo.com>

Q: how to install PHP plug in for Eclipse?

As described in last week's face-to-face meeting (the slides for which I
cannot find on NYPHP.ORG)

Thanks,

Howard

From hendler at simmons.edu Mon Aug 29 12:08:21 2005
From: hendler at simmons.edu (Jonathan)
Date: Mon, 29 Aug 2005 12:08:21 -0400
Subject: [nycphp-talk] [PHP+Eclipse] Q: how to install PHP plug in for Eclipse?
In-Reply-To: <20050829151224.49282.qmail@web32910.mail.mud.yahoo.com>
References: <20050829151224.49282.qmail@web32910.mail.mud.yahoo.com>
Message-ID: <431332F5.2040400@simmons.edu>

This is pretty basic, but may help you until someone gets you the slides:

http://www.plog4u.org/index.php/Using_PHPEclipse_:_Installation_:_Installing_PHPEclipse
http://www.plog4u.org/index.php/Using_PHPEclipse

Howard NYC wrote:
> [...]
From 1j0lkq002 at sneakemail.com Mon Aug 29 15:10:49 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Mon, 29 Aug 2005 12:10:49 -0700
Subject: [nycphp-talk] [PHP+Eclipse] Q: how to install PHP plug in for Eclipse?
In-Reply-To: <431332F5.2040400@simmons.edu>
References: <20050829151224.49282.qmail@web32910.mail.mud.yahoo.com> <431332F5.2040400@simmons.edu>
Message-ID: <6963-90879@sneakemail.com>

If you are on Windows (WAMP or XAMPP et al) there is an error in the wiki,
so beware. It looks pretty obvious, but I didn't document the fix so I
didn't update the wiki and can't provide step-by-step right now.

If you follow the instructions to edit php.ini and httpd.conf and the
eclipse config all is ok except in one place they have you specifically
load a version-number-named php dll and later they specify a generic php
dll (which obviously doesn't exist so you get an error).

Again sorry for no positive specifics but at least with this quick reply
you know there is a small issue.

-=john andrews
http://www.seo-fun.com

Jonathan hendler-at-simmons.edu |nyphp dev/internal group use| wrote:
> [...]
From bpilgrim1979 at gmail.com Mon Aug 29 16:19:59 2005
From: bpilgrim1979 at gmail.com (Billy Pilgrim)
Date: Mon, 29 Aug 2005 16:19:59 -0400
Subject: [nycphp-talk] [PHP+Eclipse] Q: how to install PHP plug in for Eclipse?
In-Reply-To: <6963-90879@sneakemail.com>
References: <20050829151224.49282.qmail@web32910.mail.mud.yahoo.com> <431332F5.2040400@simmons.edu> <6963-90879@sneakemail.com>
Message-ID: <6ee3253b05082913194c793060@mail.gmail.com>

Follow the instructions here:

http://phpeclipse.de/tiki-read_article.php?articleId=21
http://phpeclipse.de/tiki-read_article.php?articleId=23

This installation uses Eclipse with webtools, then a software update for
PHP. PHPEclipse (and Eclipse with webtools) are definitely improving and
looking quite nice! 6-12 months ago PHPEclipse was a little buggy.

BP

From nasir81 at gmail.com Tue Aug 30 11:14:32 2005
From: nasir81 at gmail.com (Nasir Zubair)
Date: Tue, 30 Aug 2005 11:14:32 -0400
Subject: [nycphp-talk] Dynamic Forms and Form Handlers
Message-ID: <40fcda73050830081433887206@mail.gmail.com>

Hi all,

I'm working on a small project for my employer to collect data from
clients. Although most of the fields are shared between all projects,
there are slight variations (not every client has departments, or
employee ids). To accommodate that, I need to be able to add/remove HTML
fields on a per-project basis.

I would like NOT to have to update both the HTML forms and php form
handlers manually every time. Does anyone know of a barebone framework
which will allow me to create such forms and form handlers? Or if you
know of any resources which I can consult, that'll help.

I think I can figure it out on my own, but it'll take longer than the
time I have been given.

Thanks.

--
Nasir Zubair
http://www.nasir.us/
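Going back to the MD5 + Flash thread in the digest quoted above: the following is an added example, not code from that thread or from any of its posters, of the scheme Hans and Chris Snyder describe (a random token stored next to the address, rather than a hash of the address). It assumes PHP 7+ with the PDO SQLite driver; the table layout, the column names and the verify.php?t= link format are assumptions for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. This is the flow Hans and Chris
// Snyder describe: the token mailed out is random rather than md5($email),
// and it is stored next to the address so the click can be looked up and the
// address marked valid. Assumes PHP 7+ with the PDO SQLite driver; the table,
// the column names and the verify.php?t= link format are assumptions.

const TOKEN_TTL = 86400; // links stop working after a day (an assumed limit)

function openStore(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE signups (
        email      TEXT PRIMARY KEY,
        token_hash TEXT NOT NULL UNIQUE,
        issued_at  INTEGER NOT NULL,
        verified   INTEGER NOT NULL DEFAULT 0)');
    return $db;
}

// Steps 2 and 3: mint the token for an address and hand it back for the mail.
// Only its SHA-256 is stored, so a copy of the table does not yield live links.
function issueToken(PDO $db, string $email, int $now): string
{
    $token = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG, unguessable
    $stmt = $db->prepare('INSERT OR REPLACE INTO signups (email, token_hash, issued_at, verified)
                          VALUES (:email, :hash, :now, 0)');
    $stmt->execute([':email' => $email, ':hash' => hash('sha256', $token), ':now' => $now]);
    return $token;
}

// Steps 4 and 5: the link comes back as verify.php?t=<token>. The token is the
// lookup key and the address is never read from the request, so nothing in the
// URL can be swapped for someone else's mailbox. Returns the verified address,
// or null when the token is malformed, unknown, expired or already used.
function verifyToken(PDO $db, string $token, int $now): ?string
{
    if (!preg_match('/^[0-9a-f]{32}$/', $token)) {
        return null; // reject malformed input before touching the database
    }
    $stmt = $db->prepare('SELECT email, issued_at, verified FROM signups WHERE token_hash = :hash');
    $stmt->execute([':hash' => hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['verified'] === 1 || $now - (int) $row['issued_at'] > TOKEN_TTL) {
        return null;
    }
    $db->prepare('UPDATE signups SET verified = 1 WHERE email = :email')
       ->execute([':email' => $row['email']]);
    return $row['email'];
}

// Walk the flow with a constructed address.
$db    = openStore();
$now   = time();
$email = 'reader@example.com'; // constructed sample
$token = issueToken($db, $email, $now);
$link  = 'https://example.com/verify.php?t=' . $token; // hypothetical endpoint

// Hans's objection, in code: md5 of the address is 32 hex chars that anyone can
// compute, so it passes the format check but matches no token that was issued.
if (verifyToken($db, md5($email), $now) !== null) {
    throw new RuntimeException('a forged hash-of-email link must be rejected');
}
if (verifyToken($db, $token, $now) !== $email) {
    throw new RuntimeException('the mailed link must verify the address');
}
if (verifyToken($db, $token, $now) !== null) {
    throw new RuntimeException('a used link must not work a second time');
}
// A token issued longer than TOKEN_TTL ago is stale even if it was never used.
$stale = issueToken($db, 'other@example.com', $now - TOKEN_TTL - 1);
if (verifyToken($db, $stale, $now) !== null) {
    throw new RuntimeException('an expired link must be rejected');
}
echo "verified $email via $link\n";
```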
From ldhasson at us.ibm.com Tue Aug 30 11:34:58 2005
From: ldhasson at us.ibm.com (Laurent Hasson)
Date: Tue, 30 Aug 2005 11:34:58 -0400
Subject: [nycphp-talk] Laurent Hasson/Hawthorne/IBM is out of the office.

I will be out of the office starting 2005.08.30 and will not return until
2005.09.01. I am moving to a new apartment. Reach me on my cell phone for
emergencies only. I should be back online Wednesday early afternoon.

From dmintz at davidmintz.org Tue Aug 30 12:57:41 2005
From: dmintz at davidmintz.org (David Mintz)
Date: Tue, 30 Aug 2005 12:57:41 -0400 (EDT)
Subject: [nycphp-talk] Dynamic Forms and Form Handlers
In-Reply-To: <40fcda73050830081433887206@mail.gmail.com>
References: <40fcda73050830081433887206@mail.gmail.com>

On Tue, 30 Aug 2005, Nasir Zubair wrote:

> I'm working on a small project for my employer to collect data from clients.
[...]
> I would like NOT having to update both the HTML forms and php form
> handlers manually every time. Does anyone know of a barebone framework which
> will allow me to create such forms and form handlers? Or if you know of any
> resources which I can consult, that'll help.

Just a thought: You could subclass HTML_QuickForm and have its
constructor add all the elements you expect to be common to all the forms
you will need. Then instances of your subclass can remove/add additional
elements as needed.

http://pear.php.net/manual/en/package.html.html-quickform.php

---
David Mintz
http://davidmintz.org/

From joyster at HeadwayCorp.com Tue Aug 30 19:24:49 2005
From: joyster at HeadwayCorp.com (Jeof Oyster)
Date: Tue, 30 Aug 2005 19:24:49 -0400
Subject: [nycphp-talk] Regex reference?

I'm clueless when it comes to Regular Expressions - I need to build one
that would return false if any character except a number appears in the
string. Anyone know of a good dummy-friendly regex reference?
Jeof Oyster
Webmaster / Information & Technology
Office Phone: 212-672-6683
Fax: 215-975-6683 (efax)
Email: joyster at headwaycorp.com
http://www.headwaycorp.com

**********************************************************************
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you received
this in error, please contact the sender and delete the material from any
computer.
**********************************************************************

From nasir81 at gmail.com Tue Aug 30 22:00:12 2005
From: nasir81 at gmail.com (Nasir Zubair)
Date: Tue, 30 Aug 2005 22:00:12 -0400
Subject: [nycphp-talk] Dynamic Forms and Form Handlers
References: <40fcda73050830081433887206@mail.gmail.com>
Message-ID: <40fcda7305083019004c45e9c5@mail.gmail.com>

Thanks David.

On 8/30/05, David Mintz wrote:
> [...]
--
Nasir Zubair
http://www.nasir.us/

From tgales at tgaconnect.com Tue Aug 30 22:45:16 2005
From: tgales at tgaconnect.com (Tim Gales)
Date: Tue, 30 Aug 2005 22:45:16 -0400
Subject: [nycphp-talk] Regex reference?
Message-ID: <431519BC.1000508@tgaconnect.com>

Jeof Oyster wrote:
> I'm clueless when it comes to Regular Expressions - I need to build one
> that would return false if any character /except/ a number appears in
> the string. Anyone know of a good dummy-friendly regex reference?

http://lists.nyphp.org/pipermail/talk/2004-April/009348.html

--
T. Gales & Associates
'Helping People Connect with Technology'
http://www.tgaconnect.com

From acas at sapo.pt Wed Aug 31 06:33:09 2005
From: acas at sapo.pt (Alberto dos Santos)
Date: Wed, 31 Aug 2005 11:33:09 +0100
Subject: [nycphp-talk] Regex reference?

Hey Jeof

take a look at http://www.regexbuddy.com/ they have a free trial, and it
worked wonders for me.

--
Alberto dos Santos

_____

From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Jeof Oyster
Sent: Wednesday, August 31, 2005 12:25 AM
To: talk at lists.nyphp.org
Subject: [nycphp-talk] Regex reference?

[...]
From lists at zaunere.com Wed Aug 31 08:57:26 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Wed, 31 Aug 2005 08:57:26 -0400
Subject: [nycphp-talk] [PHP+Eclipse] Q: how to install PHP plug in for Eclipse?
In-Reply-To: <20050829151224.49282.qmail@web32910.mail.mud.yahoo.com>
Message-ID: <0MKp2t-1EAS9g3GIS-00068Q@mrelay.perfora.net>

Howard,

Howard NYC wrote on Monday, August 29, 2005 11:12 AM:
> Q: how to install PHP plug in for Eclipse?
>
> As described in last week's face-to-face meeting (the slides for which I
> cannot find on NYPHP.ORG)

The slides don't cover installation, but I will be writing some stuff up
to supplement them (and the slides should be on line this week).

Basically installation is just a matter of unzipping the PHPEclipse zip
file into the Eclipse directory. However, be sure to have WTP installed
first, which also requires some pre-installation of other plug-ins (which
you can use Eclipse's Software Update facility in the Help menu for).
Best,

---
Hans Zaunere
President, Founder
New York PHP
http://www.nyphp.org

AMP Technology
Supporting Apache, MySQL and PHP

From mwithington at PLMresearch.com Wed Aug 31 09:11:08 2005
From: mwithington at PLMresearch.com (Mark Withington)
Date: Wed, 31 Aug 2005 09:11:08 -0400
Subject: [nycphp-talk] Image directory restriction
Message-ID: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358EF27D1@network.PLMresearch.com>

Perhaps a dumb question, can anyone recommend an effective way to restrict
direct access to an images subdirectory? Specifically, I would like to
serve up images _only_ through .php scripts on the server, not directly via
a URL....

--------------------------
Mark L. Withington
PLMresearch
"eBusiness for the Midsize Enterprise"
PO Box 1354
Plymouth, MA 02362
o: 800-310-3992 ext. 704
f: 508-746-4973
v: 508-746-2383
m: 508-801-0181
http://www.PLMresearch.com
Netscape/AOL/MSN IM: PLMresearch
mwithington at plmresearch.com
Public Key: http://www.plmresearch.com/keys/MLW_public_key.asc
Calendar: http://www.plmresearch.com/calendar.php

From jbaltz at altzman.com Wed Aug 31 09:20:26 2005
From: jbaltz at altzman.com (Jerry B. Altzman)
Date: Wed, 31 Aug 2005 09:20:26 -0400
Subject: [nycphp-talk] Image directory restriction
In-Reply-To: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358EF27D1@network.PLMresearch.com>
References: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358EF27D1@network.PLMresearch.com>
Message-ID: <4315AE9A.30709@altzman.com>

On 8/31/2005 9:11 AM, Mark Withington wrote:
> Perhaps a dumb question, can anyone recommend an effective way to restrict
> direct access to an images subdirectory? Specifically, I would like to
> serve up images _only_ through .php scripts on the server, not directly via
> a URL....

Put an .htaccess in the directory so that you can't browse to it at all,
and have php include() the file in the web page directly? Or read it in
and print it out?

maybe?

//jbaltz
--
jerry b. altzman jbaltz at altzman.com KE3ML
thank you for contributing to the heat death of the universe.

From mwithington at PLMresearch.com Wed Aug 31 09:48:46 2005
From: mwithington at PLMresearch.com (Mark Withington)
Date: Wed, 31 Aug 2005 09:48:46 -0400
Subject: [nycphp-talk] Image directory restriction
Message-ID: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358EF27D6@network.PLMresearch.com>

Here's a link that my brother suggested
http://www.alistapart.com/articles/hotlinking/ for those interested. Think
this might do the trick.

--------------------------
Mark L. Withington
PLMresearch
v: 508-746-2383
m: 508-801-0181
Calendar: http://www.plmresearch.com/calendar.php

> -----Original Message-----
> From: talk-bounces at lists.nyphp.org
> [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Jerry B. Altzman
> Sent: Wednesday, August 31, 2005 9:20 AM
> To: NYPHP Talk
> Subject: Re: [nycphp-talk] Image directory restriction
>
> [...]
From hendler at simmons.edu Wed Aug 31 09:52:20 2005
From: hendler at simmons.edu (Jonathan)
Date: Wed, 31 Aug 2005 09:52:20 -0400
Subject: [nycphp-talk] Image directory restriction
In-Reply-To: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358EF27D1@network.PLMresearch.com>
References: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358EF27D1@network.PLMresearch.com>
Message-ID: <4315B614.6000109@simmons.edu>

Depending on speed requirements you can insert the binary data of an image
in a database or restricted area of the filesystem and have a php script
retrieve the image.

Your html would look like this

This is often used for tracking.

If you just want directory listing prevented use .htaccess of apache to
shut off the option for indexes.

Mark Withington wrote:
> [...]

From jellicle at gmail.com Wed Aug 31 09:56:44 2005
From: jellicle at gmail.com (Michael Sims)
Date: Wed, 31 Aug 2005 09:56:44 -0400
Subject: [nycphp-talk] Image directory restriction
In-Reply-To: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358EF27D1@network.PLMresearch.com>
References: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358EF27D1@network.PLMresearch.com>
Message-ID: <200508310956.44443.jellicle@gmail.com>

On Wednesday 31 August 2005 09:11, Mark Withington wrote:
> Perhaps a dumb question, can anyone recommend an effective way to
> restrict direct access to an images subdirectory? Specifically, I would
> like to serve up images _only_ through .php scripts on the server, not
> directly via a URL....

a) put the images directory outside the web tree.

b) create a file named ".htaccess" in the directory with this line of text
in it: "Deny from all".
Michael Sims

From preinheimer at gmail.com Wed Aug 31 12:16:54 2005
From: preinheimer at gmail.com (Paul Reinheimer)
Date: Wed, 31 Aug 2005 12:16:54 -0400
Subject: [nycphp-talk] Image directory restriction
In-Reply-To: <200508310956.44443.jellicle@gmail.com>
References: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358EF27D1@network.PLMresearch.com> <200508310956.44443.jellicle@gmail.com>
Message-ID: <6ec19ec705083109163e6d8c33@mail.gmail.com>

+1 to putting the images outside the web tree, it's simple and completely
effective

paul

On 8/31/05, Michael Sims wrote:
> [...]

--
Paul Reinheimer
Zend Certified Engineer

From ps at pswebcode.com Wed Aug 31 12:47:43 2005
From: ps at pswebcode.com (Peter Sawczynec)
Date: Wed, 31 Aug 2005 12:47:43 -0400
Subject: [nycphp-talk] Image directory restriction
In-Reply-To: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358EF27D1@network.PLMresearch.com>
Message-ID: <004c01c5ae4b$b9b89870$6500a8c0@Liz>

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Mark Withington
Sent: Wednesday, August 31, 2005 9:11 AM
To: 'talk at lists.nyphp.org'
Subject: [nycphp-talk] Image directory restriction

[...]
From jeff.loiselle at gmail.com Wed Aug 31 13:49:14 2005
From: jeff.loiselle at gmail.com (Jeff Loiselle)
Date: Wed, 31 Aug 2005 13:49:14 -0400
Subject: [nycphp-talk] Image directory restriction
In-Reply-To: <004c01c5ae4b$b9b89870$6500a8c0@Liz>
References: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358EF27D1@network.PLMresearch.com> <004c01c5ae4b$b9b89870$6500a8c0@Liz>
Message-ID: <4b18871105083110492b6e43cc@mail.gmail.com>

Forgive me if I'm wrong, but I believe you'll need to open the image data,
send the correct http header so the browser will render it correctly,
along with the actual data following the header.

On 8/31/05, Peter Sawczynec wrote:
>
> //file name: getimagescript.php
> //pseudo code outline
>
> $image = gogetanimage($id);
>
> return $image;
>
> //do store images in dir outside of web dir
>
> ?>
>
> -----Original Message-----
> From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
> Behalf Of Mark Withington
> Sent: Wednesday, August 31, 2005 9:11 AM
> To: 'talk at lists.nyphp.org'
> Subject: [nycphp-talk] Image directory restriction
>
> [...]
> Specifically, I would like to
> serve up images _only_ through .php scripts on the server, not directly via
> a URL....
>
> --------------------------
> Mark L. Withington
> PLMresearch
>

--
---
Jeff Loiselle
Web Developer, Musician, and Observer
http://jeff.loiselles.com

From hendler at simmons.edu Wed Aug 31 14:03:38 2005
From: hendler at simmons.edu (Jonathan)
Date: Wed, 31 Aug 2005 14:03:38 -0400
Subject: [nycphp-talk] Image directory restriction
In-Reply-To: <4b18871105083110492b6e43cc@mail.gmail.com>
References: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358EF27D1@network.PLMresearch.com> <004c01c5ae4b$b9b89870$6500a8c0@Liz> <4b18871105083110492b6e43cc@mail.gmail.com>
Message-ID: <4315F0FA.6090907@simmons.edu>

An HTML attachment was scrubbed...
URL:

From coling at macmicro.com Wed Aug 31 15:02:59 2005
From: coling at macmicro.com (Colin Goldberg)
Date: Wed, 31 Aug 2005 15:02:59 -0400
Subject: [nycphp-talk] Dynamic Forms and Form Handlers
Message-ID:

You could use the display/visibility style attribute to show or hide fields, e.g. make a decision in Javascript or PHP to set this attribute for each field - just wrap each field in a DIV tag with an ID.
Colin Goldberg

----------------------------------------
From: Nasir Zubair
Sent: Tuesday, August 30, 2005 10:02 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] Dynamic Forms and Form Handlers

Thanks David.

On 8/30/05, David Mintz wrote:
> On Tue, 30 Aug 2005, Nasir Zubair wrote:
> > I'm working on a small project for my employer to collect data from clients. [...]
> > I would like NOT having to update both the HTML forms and php form
> > handlers manually every time. Does anyone know of a barebone framework which
> > will allow me to create such forms and form handlers? Or if you know of any
> > resources which I can consult, that'll help.
>
> Just a thought: You could subclass HTML_QuickForm and have its constructor add all the elements you expect to be common to all the forms you will need. Then instances of your subclass can remove/add additional elements as needed.
>
> http://pear.php.net/manual/en/package.html.html-quickform.php
>
> ---
> David Mintz
> http://davidmintz.org/

--
Nasir Zubair
http://www.nasir.us/
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From shiflett at php.net Wed Aug 31 19:59:15 2005
From: shiflett at php.net (Chris Shiflett)
Date: Wed, 31 Aug 2005 19:59:15 -0400
Subject: [nycphp-talk] Regex reference?
In-Reply-To:
References:
Message-ID: <43164453.5060103@php.net>

Jeof Oyster wrote:
> I'm clueless when it comes to Regular Expressions - I need to
> build one that would return false if any character /except/ a
> number appears in the string.

ctype_digit()

Hope that helps.
Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

From phil at bearingasset.com Wed Aug 31 21:05:48 2005
From: phil at bearingasset.com (Phil Duffy)
Date: Wed, 31 Aug 2005 21:05:48 -0400
Subject: [nycphp-talk] Partial Name Lookup Function in PEAR
Message-ID: <20050901010551.48E98A863E@virtu.nyphp.org>

Does PEAR offer a partial name lookup function? What is the best way to do a partial name lookup in a database-independent manner? If I must drop back to hard-coded MySQL calls, is the LOCATE() function the appropriate one to use in this situation?

Any responses will be appreciated, including advice to direct these questions to another list.

Phil Duffy
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From leeeyerman at aol.com Wed Aug 31 21:18:49 2005
From: leeeyerman at aol.com (leeeyerman at aol.com)
Date: Wed, 31 Aug 2005 21:18:49 -0400
Subject: [nycphp-talk] Partial Name Lookup Function in PEAR
In-Reply-To: <20050901010551.48E98A863E@virtu.nyphp.org>
References: <20050901010551.48E98A863E@virtu.nyphp.org>
Message-ID: <8C77CAA3E05A480-94C-297D@MBLK-M28.sysops.aol.com>

I do not know about PEAR, but if you are just trying to look up a first or last name (or any other name/text) using only a partial piece of information, the LIKE command is best.

    SELECT "column" FROM "table" WHERE "column_name" LIKE [PATTERN]

i.e.

    SELECT * FROM pics WHERE pic_name LIKE '%ANG%'

This would return all pic_name where ANG is contained in the string.

http://www.1keydata.com/sql/sqllike.html
http://www.techonthenet.com/sql/like.php

-----Original Message-----
From: Phil Duffy
To: 'NYPHP Talk'
Sent: Wed, 31 Aug 2005 21:05:48 -0400
Subject: [nycphp-talk] Partial Name Lookup Function in PEAR

Does PEAR offer a partial name lookup function? What is the best way to do a partial name lookup in a database-independent manner? If I must drop back to hard-coded MySQL calls, is the LOCATE() function the appropriate one to use in this situation?
Any responses will be appreciated, including advice to direct these questions to another list.

Phil Duffy
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
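The image-directory thread above stops at the outline: keep the files outside the web tree and have a PHP script emit the right header before the bytes. What follows is an added example of such a script, written for this archive and not code posted by anyone in the thread. It assumes an image directory of /var/www/private_images (outside DocumentRoot), a request of the form getimage.php?id=<number>, and a small id-to-filename map standing in for the database lookup; all three are assumptions. The two checks a practitioner wants are visible: request data is never used as a path component (the id selects from a whitelist and the resolved path is confirmed to sit under the image directory), and the Content-Type is taken from the file's own magic bytes against a short allow-list rather than from the extension or the request.

```php
<?php
// getimage.php -- added example, not code from the thread.
// Assumed layout: images in IMAGE_DIR, which is outside the web root,
// and a numeric ?id= that is looked up in IMAGE_MAP (a stand-in for a
// database row). Both are assumptions for this example.
declare(strict_types=1);

const IMAGE_DIR = '/var/www/private_images';

// Whitelist of public id => stored file name. Request data selects an
// entry; it never becomes part of a filesystem path itself.
const IMAGE_MAP = [
    1 => 'logo.png',
    2 => 'photo-42.jpg',
];

// Only these image types are ever served, and the MIME type is chosen
// from the file's magic bytes, not from its extension or the request.
const ALLOWED_TYPES = [
    IMAGETYPE_PNG  => 'image/png',
    IMAGETYPE_JPEG => 'image/jpeg',
    IMAGETYPE_GIF  => 'image/gif',
];

/** Map a raw id from the query string to a verified absolute path, or null. */
function resolveImage(string $rawId): ?string
{
    // Digits only: rejects "../", null bytes, and anything non-numeric.
    if ($rawId === '' || !ctype_digit($rawId)) {
        return null;
    }
    $name = IMAGE_MAP[(int) $rawId] ?? null;
    if ($name === null) {
        return null;
    }
    $base = realpath(IMAGE_DIR);
    $path = realpath(IMAGE_DIR . '/' . $name);
    // Even with a whitelist, confirm the resolved file is inside IMAGE_DIR
    // and is a regular file (symlinks are resolved by realpath).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path)) {
        return null;
    }
    return $path;
}

/** Pick the MIME type from the image header; null if not an allowed image. */
function imageMimeType(string $path): ?string
{
    $info = @getimagesize($path);      // reads the magic bytes, no GD needed
    if ($info === false) {
        return null;
    }
    return ALLOWED_TYPES[$info[2]] ?? null;
}

/** Emit headers and the file body. */
function sendImage(string $path, string $mime): void
{
    header('Content-Type: ' . $mime);
    header('Content-Length: ' . (string) filesize($path));
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . basename($path) . '"');
    readfile($path);
}

$path = resolveImage($_GET['id'] ?? '');
$mime = $path === null ? null : imageMimeType($path);
if ($path === null || $mime === null) {
    http_response_code(404);   // same answer for unknown id and non-image file
    exit;
}
sendImage($path, $mime);
```

With the files outside the web tree the .htaccess approach becomes unnecessary, but if it is used instead, note that "Deny from all" is the Apache 2.2 form; Apache 2.4 expects "Require all denied", and either only takes effect where AllowOverride permits it for that directory. Any authorization check (is this user allowed to see image 2?) belongs in resolveImage, before the file is read.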
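The LIKE advice above is given with the pattern written straight into the SQL. When the partial name comes from a user, two things need handling that the one-liner does not show: the fragment must be bound as a parameter so it cannot break out of the query, and the LIKE metacharacters % and _ must be escaped so that a user typing "50%" matches a literal percent sign rather than everything. The block below is an added example for this archive, not code from the thread. It uses PDO, an in-memory SQLite database and a constructed `people` table with `first_name` and `last_name` columns, all of which are assumptions; the ESCAPE clause with '!' as the escape character works the same on MySQL, PostgreSQL and SQLite, which keeps it database-independent as the question asked.

```php
<?php
// Added example, not from the thread. Assumes PDO and a `people` table
// with id/first_name/last_name columns (constructed below for the demo).
declare(strict_types=1);

// Escape the LIKE metacharacters and the escape character itself, so the
// fragment is matched literally. '!' is used as the escape character in
// the query's ESCAPE clause; unlike a backslash it needs no per-database
// quoting rules.
function escapeLikePattern(string $fragment, string $escape = '!'): string
{
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $fragment
    );
}

/** Partial, case-insensitive match on last_name; returns rows as arrays. */
function findByPartialLastName(PDO $db, string $fragment, int $limit = 50): array
{
    $fragment = trim($fragment);
    // An empty fragment would match every row; an oversized one is abuse.
    if ($fragment === '' || strlen($fragment) > 64) {
        return [];
    }
    // The user's text is bound as a parameter and never touches the SQL.
    $sql = 'SELECT id, first_name, last_name FROM people '
         . "WHERE last_name LIKE :pattern ESCAPE '!' "
         . 'ORDER BY last_name LIMIT :limit';
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':pattern', '%' . escapeLikePattern($fragment) . '%', PDO::PARAM_STR);
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)');
$ins = $db->prepare('INSERT INTO people (first_name, last_name) VALUES (?, ?)');
foreach ([['Ann', 'Langley'], ['Bob', "O'Brien"], ['Cy', '100%_sure']] as $row) {
    $ins->execute($row);
}

print_r(findByPartialLastName($db, 'ang'));    // Langley
print_r(findByPartialLastName($db, "O'B"));    // O'Brien: the quote is bound, not spliced
print_r(findByPartialLastName($db, '%_'));     // only the literal "100%_sure" row
print_r(findByPartialLastName($db, ''));       // [] rather than the whole table
```

The third call is the one that shows why escaping matters: without escapeLikePattern the pattern '%%_%' would match every row that has at least one character in last_name. LOCATE() is MySQL-only; LIKE with ESCAPE is the portable way to express the same lookup.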
" & objRS.Fields(i).Name & "
" & objRS.Fields(i) & "